pyexpat.c: Disallow collection of in-use parent parsers

hartwork · hartwork · commit e1c047039b72 · 2025-09-29T00:17:48.000+02:00
Within libexpat, a parser created via XML_ExternalEntityParserCreate
is relying on its parent parser throughout its entire lifetime.
Prior to this fix, is was possible for the parent parser
to be garbage-collected by CPython. This fixes related reference
counting, to stop that from happening.
diff --git a/Modules/pyexpat.c b/Modules/pyexpat.c
@@ -72,10 +72,11 @@ pyexpat_get_state(PyObject *module)
 
 /* Declarations for objects of type xmlparser */
 
-typedef struct {
+typedef struct xmlparseobject_ {
     PyObject_HEAD
 
     XML_Parser itself;
+    struct xmlparseobject_ * parent;
     int ordered_attributes;     /* Return attributes as a list. */
     int specified_attributes;   /* Report only specified attributes. */
     int in_callback;            /* Is a callback active? */
@@ -1065,6 +1066,11 @@ pyexpat_xmlparser_ExternalEntityParserCreate_impl(xmlparseobject *self,
         return NULL;
     }
 
+    // The new subparser will make use of the parent XML_Parser inside of Expat.
+    // So we need to take subparsers into account with the reference counting
+    // of their parent parser.
+    Py_INCREF(self);
+
     new_parser->buffer_size = self->buffer_size;
     new_parser->buffer_used = 0;
     new_parser->buffer = NULL;
@@ -1074,18 +1080,21 @@ pyexpat_xmlparser_ExternalEntityParserCreate_impl(xmlparseobject *self,
     new_parser->ns_prefixes = self->ns_prefixes;
     new_parser->itself = XML_ExternalEntityParserCreate(self->itself, context,
                                                         encoding);
+    new_parser->parent = self;
     new_parser->handlers = 0;
     new_parser->intern = Py_XNewRef(self->intern);
 
     if (self->buffer != NULL) {
         new_parser->buffer = PyMem_Malloc(new_parser->buffer_size);
         if (new_parser->buffer == NULL) {
             Py_DECREF(new_parser);
+            Py_DECREF(self);
             return PyErr_NoMemory();
         }
     }
     if (!new_parser->itself) {
         Py_DECREF(new_parser);
+        Py_DECREF(self);
         return PyErr_NoMemory();
     }
 
@@ -1099,6 +1108,7 @@ pyexpat_xmlparser_ExternalEntityParserCreate_impl(xmlparseobject *self,
     new_parser->handlers = PyMem_New(PyObject *, i);
     if (!new_parser->handlers) {
         Py_DECREF(new_parser);
+        Py_DECREF(self);
         return PyErr_NoMemory();
     }
     clear_handlers(new_parser, 1);
@@ -1479,6 +1489,7 @@ newxmlparseobject(pyexpat_state *state, const char *encoding,
     /* namespace_separator is either NULL or contains one char + \0 */
     self->itself = XML_ParserCreate_MM(encoding, &ExpatMemoryHandler,
                                        namespace_separator);
+    self->parent = NULL;
     if (self->itself == NULL) {
         PyErr_SetString(PyExc_RuntimeError,
                         "XML_ParserCreate failed");
@@ -1538,6 +1549,10 @@ xmlparse_dealloc(PyObject *op)
         XML_ParserFree(self->itself);
     }
     self->itself = NULL;
+    if (self->parent != NULL) {
+        Py_DECREF(self->parent);
+        self->parent = NULL;
+    }
 
     if (self->handlers != NULL) {
         PyMem_Free(self->handlers);
