[3.14] pythongh-140471: Fix buffer overflow in AST node initialization with malformed _fields (pythonGH-140506) (python#140509)

miss-islington · StanFromIreland · web-flow · commit 8285bc7ea2a9 · 2025-10-23T10:20:21.000-07:00
pythongh-140471: Fix buffer overflow in AST node initialization with malformed `_fields` (pythonGH-140506) (cherry picked from commit 95953b6) Co-authored-by: Stan Ulbrych <89152624+StanFromIreland@users.noreply.github.com>
diff --git a/Lib/test/test_ast/test_ast.py b/Lib/test/test_ast/test_ast.py
@@ -3309,6 +3309,15 @@ class MoreFieldsThanTypes(ast.AST):
         self.assertEqual(obj.a, 1)
         self.assertEqual(obj.b, 2)
 
+    def test_malformed_fields_with_bytes(self):
+        class BadFields(ast.AST):
+            _fields = (b'\xff'*64,)
+            _field_types = {'a': int}
+
+        # This should not crash
+        with self.assertWarnsRegex(DeprecationWarning, r"Field b'\\xff\\xff.*' .*"):
+            obj = BadFields()
+
     def test_complete_field_types(self):
         class _AllFieldTypes(ast.AST):
             _fields = ('a', 'b')
diff --git a/Misc/NEWS.d/next/Core_and_Builtins/2025-10-23-16-05-50.gh-issue-140471.Ax_aXn.rst b/Misc/NEWS.d/next/Core_and_Builtins/2025-10-23-16-05-50.gh-issue-140471.Ax_aXn.rst
@@ -0,0 +1,2 @@
+Fix potential buffer overflow in :class:`ast.AST` node initialization when
+encountering malformed :attr:`~ast.AST._fields` containing non-:class:`str`.
diff --git a/Parser/asdl_c.py b/Parser/asdl_c.py
@@ -1009,7 +1009,7 @@ def visitModule(self, mod):
                 else {
                     if (PyErr_WarnFormat(
                         PyExc_DeprecationWarning, 1,
-                        "Field '%U' is missing from %.400s._field_types. "
+                        "Field %R is missing from %.400s._field_types. "
                         "This will become an error in Python 3.15.",
                         name, Py_TYPE(self)->tp_name
                     ) < 0) {
@@ -1044,7 +1044,7 @@ def visitModule(self, mod):
                 // simple field (e.g., identifier)
                 if (PyErr_WarnFormat(
                     PyExc_DeprecationWarning, 1,
-                    "%.400s.__init__ missing 1 required positional argument: '%U'. "
+                    "%.400s.__init__ missing 1 required positional argument: %R. "
                     "This will become an error in Python 3.15.",
                     Py_TYPE(self)->tp_name, name
                 ) < 0) {
diff --git a/Python/Python-ast.c b/Python/Python-ast.c

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	+Fix potential buffer overflow in :class:`ast.AST` node initialization when
	`2`	+encountering malformed :attr:`~ast.AST._fields` containing non-:class:`str`.