[3.14] gh-148441: Avoid integer overflow in Expat's CharacterDataHandler (GH-148904...

author Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com>

Sun, 10 May 2026 14:08:59 +0000 (16:08 +0200)

committer GitHub <noreply@github.com>

Sun, 10 May 2026 14:08:59 +0000 (14:08 +0000)
author Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com>
Sun, 10 May 2026 14:08:59 +0000 (16:08 +0200)
committer GitHub <noreply@github.com>
Sun, 10 May 2026 14:08:59 +0000 (14:08 +0000)
diff --git a/Lib/test/test_pyexpat.py b/Lib/test/test_pyexpat.py

index 465f65a03b9e15a980151126e98af92bd3735496..6eda89ad2cdf2a662604008e77830c324ded2f32 100644 (file)
--- a/Lib/test/test_pyexpat.py
+++ b/Lib/test/test_pyexpat.py
@@ -672,6 +672,20 @@ class ChardataBufferTest(unittest.TestCase):
          parser.Parse(xml2, True)
          self.assertEqual(self.n, 4)
  
+    @support.requires_resource('cpu')
+    @support.requires_resource('walltime')
+    @support.bigmemtest(size=2**31, memuse=4, dry_run=False)
+    def test_large_character_data_does_not_crash(self):
+        # See https://github.com/python/cpython/issues/148441
+        parser = expat.ParserCreate()
+        parser.buffer_text = True
+        parser.buffer_size = 2**31 - 1  # INT_MAX
+        N = 2049 * (1 << 20) - 3  # Character data greater than INT_MAX
+        self.assertGreater(N, parser.buffer_size)
+        parser.CharacterDataHandler = lambda text: None
+        xml_data = b"<r>" + b"A" * N + b"</r>"
+        self.assertEqual(parser.Parse(xml_data, True), 1)
+
  class ElementDeclHandlerTest(unittest.TestCase):
      def test_trigger_leak(self):
          # Unfixed, this test would leak the memory of the so-called
diff --git a/Misc/NEWS.d/next/Library/2026-04-23-12-50-15.gh-issue-148441.zvpCkR.rst b/Misc/NEWS.d/next/Library/2026-04-23-12-50-15.gh-issue-148441.zvpCkR.rst

new file mode 100644 (file)

index 0000000..7628152
--- /dev/null
+++ b/Misc/NEWS.d/next/Library/2026-04-23-12-50-15.gh-issue-148441.zvpCkR.rst
@@ -0,0 +1,4 @@
+:mod:`xml.parsers.expat`: prevent a crash in
+:meth:`~xml.parsers.expat.xmlparser.CharacterDataHandler`
+when the character data size exceeds the parser's
+:attr:`buffer size <xml.parsers.expat.xmlparser.buffer_size>`.
diff --git a/Modules/pyexpat.c b/Modules/pyexpat.c

index f82f8456e489ebc1ae5a2762c5d2b52c6a66efbf..c9dc5e2211ecd55321f039e7ab3f20ac8eccb2e1 100644 (file)
--- a/Modules/pyexpat.c
+++ b/Modules/pyexpat.c
@@ -389,7 +389,7 @@ my_CharacterDataHandler(void *userData, const XML_Char *data, int len)
      if (self->buffer == NULL)
          call_character_handler(self, data, len);
      else {
-        if ((self->buffer_used + len) > self->buffer_size) {
+        if (len > (self->buffer_size - self->buffer_used)) {
              if (flush_character_buffer(self) < 0)
                  return;
              /* handler might have changed; drop the rest on the floor
author	Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com>
	Sun, 10 May 2026 14:08:59 +0000 (16:08 +0200)
committer	GitHub <noreply@github.com>
	Sun, 10 May 2026 14:08:59 +0000 (14:08 +0000)
Lib/test/test_pyexpat.py		patch \| blob \| blame \| history
Misc/NEWS.d/next/Library/2026-04-23-12-50-15.gh-issue-148441.zvpCkR.rst	[new file with mode: 0644]	patch \| blob
Modules/pyexpat.c		patch \| blob \| blame \| history