gh-139210: Fix use-after-free in xml.etree.ElementTree.iterparse() (GH-139211)

Author: Fidget-Spinner

Lib/test/test_xml_etree.py

@@ -1749,6 +1749,8 @@ def __next__(self):
     def test_unknown_event(self):
         with self.assertRaises(ValueError):
             ET.XMLPullParser(events=('start', 'end', 'bogus'))
+        with self.assertRaisesRegex(ValueError, "unknown event 'bogus'"):
+            ET.XMLPullParser(events=(x.decode() for x in (b'start', b'end', b'bogus')))
 
     @unittest.skipIf(pyexpat.version_info < (2, 6, 0),
                      f'Expat {pyexpat.version_info} does not '

Misc/NEWS.d/next/Core_and_Builtins/2025-09-21-15-58-57.gh-issue-139210.HGbMvz.rst

@@ -0,0 +1 @@
+Fix use-after-free when reporting unknown event in :func:`xml.etree.ElementTree.iterparse`. Patch by Ken Jin.

Modules/_elementtree.c

@@ -4214,8 +4214,8 @@ _elementtree_XMLParser__setevents_impl(XMLParserObject *self,
                 (XML_ProcessingInstructionHandler) expat_pi_handler
                 );
         } else {
-            Py_DECREF(events_seq);
             PyErr_Format(PyExc_ValueError, "unknown event '%s'", event_name);
+            Py_DECREF(events_seq);
             return NULL;
         }
     }