From d27f653a3ad37d847178c437da614ce0fdaed6bf Mon Sep 17 00:00:00 2001
From: Ken Jin <28750310+Fidget-Spinner@users.noreply.github.com>
Date: Sun, 21 Sep 2025 16:56:24 +0100
Subject: [PATCH 1/4] Fix use-after-free in _elementtree_XMLParser__setevents_impl
---
 Modules/_elementtree.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Modules/_elementtree.c b/Modules/_elementtree.c
index b9e12ab2026f65..9263f14b57f972 100644
--- a/Modules/_elementtree.c
+++ b/Modules/_elementtree.c
@@ -4214,8 +4214,8 @@ _elementtree_XMLParser__setevents_impl(XMLParserObject *self,
 (XML_ProcessingInstructionHandler) expat_pi_handler
 );
 } else {
- Py_DECREF(events_seq);
 PyErr_Format(PyExc_ValueError, "unknown event '%s'", event_name);
+ Py_DECREF(events_seq);
 return NULL;
 }
 }
From 81de8325fefcaff8614d4d4d2c3b1321638b2db8 Mon Sep 17 00:00:00 2001
From: "blurb-it[bot]" <43283697+blurb-it[bot]@users.noreply.github.com>
Date: Sun, 21 Sep 2025 15:59:03 +0000
Subject: [PATCH 2/4] =?UTF-8?q?=F0=9F=93=9C=F0=9F=A4=96=20Added=20by=20blu?= =?UTF-8?q?rb=5Fit.?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../2025-09-21-15-58-57.gh-issue-139210.HGbMvz.rst | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 Misc/NEWS.d/next/Core_and_Builtins/2025-09-21-15-58-57.gh-issue-139210.HGbMvz.rst
diff --git a/Misc/NEWS.d/next/Core_and_Builtins/2025-09-21-15-58-57.gh-issue-139210.HGbMvz.rst b/Misc/NEWS.d/next/Core_and_Builtins/2025-09-21-15-58-57.gh-issue-139210.HGbMvz.rst
new file mode 100644
index 00000000000000..7470cceff09897
--- /dev/null
+++ b/Misc/NEWS.d/next/Core_and_Builtins/2025-09-21-15-58-57.gh-issue-139210.HGbMvz.rst
@@ -0,0 +1 @@
+Fix use after free when handling unicode characters in ``xml.etree.ElementTree.iterparse``. Patch by Ken Jin.
From dd2d1f708c178728eee97e7527663a482992b0cb Mon Sep 17 00:00:00 2001
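Review bot: In `Modules/_elementtree.c`, the reordered `else` branch of `_elementtree_XMLParser__setevents_impl` carries no comment saying why `Py_DECREF(events_seq)` has to follow `PyErr_Format`, so a later cleanup could restore the old order and reintroduce the use-after-free named in the commit subject. Presumably `event_name` points into storage owned by an item of `events_seq` (its assignment is outside the hunk), which is why the message must be formatted while the sequence is still referenced. I would add above the call: `/* event_name may point into an item owned by events_seq; format the message before releasing the sequence. */`. The function's other early-return paths are also outside the hunk, so it is worth confirming that none of them reads `event_name` after dropping `events_seq`.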
From: Ken Jin <28750310+Fidget-Spinner@users.noreply.github.com>
Date: Thu, 25 Sep 2025 18:18:48 +0100
Subject: [PATCH 3/4] Address Serhiy's review
Co-Authored-By: Serhiy Storchaka <3659035+serhiy-storchaka@users.noreply.github.com>
---
 Lib/test/test_xml_etree.py | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/Lib/test/test_xml_etree.py b/Lib/test/test_xml_etree.py
index bf6d5074fdebd8..f65baa0cfae2ad 100644
--- a/Lib/test/test_xml_etree.py
+++ b/Lib/test/test_xml_etree.py
@@ -1749,6 +1749,8 @@ def __next__(self):
 def test_unknown_event(self):
 with self.assertRaises(ValueError):
 ET.XMLPullParser(events=('start', 'end', 'bogus'))
+ with self.assertRaisesRegex(ValueError, "unknown event 'bogus'"):
+ ET.XMLPullParser(events=(x.decode() for x in (b'start', b'end', b'bogus')))
 @unittest.skipIf(pyexpat.version_info < (2, 6, 0),
 f'Expat {pyexpat.version_info} does not '
From 810865e1999b9d9b567fbf02bd1dc9502b64031b Mon Sep 17 00:00:00 2001
From: Ken Jin <28750310+Fidget-Spinner@users.noreply.github.com>
Date: Tue, 30 Sep 2025 16:12:29 +0100
Subject: [PATCH 4/4] Update 2025-09-21-15-58-57.gh-issue-139210.HGbMvz.rst
---
 .../2025-09-21-15-58-57.gh-issue-139210.HGbMvz.rst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Misc/NEWS.d/next/Core_and_Builtins/2025-09-21-15-58-57.gh-issue-139210.HGbMvz.rst b/Misc/NEWS.d/next/Core_and_Builtins/2025-09-21-15-58-57.gh-issue-139210.HGbMvz.rst
index 7470cceff09897..1227b29a68a9d7 100644
--- a/Misc/NEWS.d/next/Core_and_Builtins/2025-09-21-15-58-57.gh-issue-139210.HGbMvz.rst
+++ b/Misc/NEWS.d/next/Core_and_Builtins/2025-09-21-15-58-57.gh-issue-139210.HGbMvz.rst
@@ -1 +1 @@
-Fix use after free when handling unicode characters in ``xml.etree.ElementTree.iterparse``. Patch by Ken Jin.
+Fix use-after-free when reporting unknown event in :func:`xml.etree.ElementTree.iterparse`. Patch by Ken Jin.
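Review bot: The second assertion added to `test_unknown_event` in `Lib/test/test_xml_etree.py` gives no hint why the event names are built with `x.decode()` inside a generator, so it reads like a redundant copy of the tuple case above it and is easy to simplify away. Presumably the generator makes the parser's temporary sequence hold the only reference to freshly created strings, which is the condition for the use-after-free fixed in PATCH 1/4. A one-line comment such as `# gh-139210: names from a generator are owned only by the parser's temporary sequence` would record that. Reading freed memory need not corrupt the message, so this check is likely only a reliable regression guard under a sanitizer or debug-allocator build.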