Skip to content

gh-148441: Fix heap buffer overflow in pyexpat CharacterDataHandler #148904

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
ByteFlowing1337 wants to merge 9 commits into
base: main
Choose a base branch
from
+19 −1
Open

gh-148441: Fix heap buffer overflow in pyexpat CharacterDataHandler #148904

Show file tree
Hide file tree
Changes from 2 commits
Commits
Show all changes
9 commits
Select commit Hold shift + click to select a range
6138a78
gh-148535: Fix heap buffer overflow in pyexpat CharacterDataHandler
ByteFlowing1337 Apr 23, 2026
8f8884b
Add test for heap overflow in expat parser's CharacterDataHandler
ByteFlowing1337 Apr 23, 2026
588fa76
Update Misc/NEWS.d/next/Library/2026-04-23-12-50-15.gh-issue-148441.z…
ByteFlowing1337 Apr 25, 2026
2e070e9
Update Lib/test/test_pyexpat.py
ByteFlowing1337 Apr 25, 2026
22edd46
Update test_pyexpat.py
ByteFlowing1337 Apr 25, 2026
9c3c841
Add bigmemtest decorator for test
ByteFlowing1337 Apr 26, 2026
01cf649
Merge branch 'main' into fix-148441
ByteFlowing1337 Apr 26, 2026
9e84a9b
Merge branch 'main' into fix-148441
ByteFlowing1337 Apr 26, 2026
98dd6f8
Increase memory usage in bigmemtest decorator
ByteFlowing1337 Apr 26, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
14 changes: 14 additions & 0 deletions Lib/test/test_pyexpat.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -712,6 +712,20 @@ def test_change_size_2(self):
parser.Parse(xml2, True)
self.assertEqual(self.n, 4)

@support.requires_resource('cpu')
@support.requires_resource('walltime')
def test_heap_overflow(self):
Comment thread
ByteFlowing1337 marked this conversation as resolved.
Outdated
# See https://github.com/python/cpython/issues/148441
parser = expat.ParserCreate()
parser.buffer_text = True
parser.buffer_size = 2**31 - 1 # INT_MAX
Comment thread
ByteFlowing1337 marked this conversation as resolved.
Outdated
def handler(text):
pass
N = 2049 * (1 << 20) - 3 # 2,148,532,221 bytes of character data
parser.CharacterDataHandler = handler
Comment thread
ByteFlowing1337 marked this conversation as resolved.
Outdated
xml_data = b"<r>" + b"A" * N + b"</r>"
self.assertEqual(parser.Parse(xml_data, True), 1)

class ElementDeclHandlerTest(unittest.TestCase):
def test_trigger_leak(self):
# Unfixed, this test would leak the memory of the so-called
Expand Down
2 changes: 2 additions & 0 deletions Misc/NEWS.d/next/Library/2026-04-23-12-50-15.gh-issue-148441.zvpCkR.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,2 @@
Fix heap buffer overflow in pyexpat CharacterDataHandler, which is caused by
two signed intergets added up.
Comment thread
ByteFlowing1337 marked this conversation as resolved.
Outdated
2 changes: 1 addition & 1 deletion Modules/pyexpat.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -393,7 +393,7 @@ my_CharacterDataHandler(void *userData, const XML_Char *data, int len)
if (self->buffer == NULL)
call_character_handler(self, data, len);
else {
if ((self->buffer_used + len) > self->buffer_size) {
if (len > (self->buffer_size - self->buffer_used)) {
if (flush_character_buffer(self) < 0)
return;
/* handler might have changed; drop the rest on the floor
Expand Down
Loading