gh-125010: Fix `use-after-free` in AST `repr()` (#125015)

diff --git a/Lib/test/test_ast/test_ast.py b/Lib/test/test_ast/test_ast.py
index f052822cb452738da0fa6c9d76786d3e328ee66a..01d2e392302e86e065926b4f9cbf5adba45b5883 100644 (file)
--- a/Lib/test/test_ast/test_ast.py
+++ b/Lib/test/test_ast/test_ast.py
@@ -789,6 +789,13 @@ class AST_Tests(unittest.TestCase):
             with self.subTest(test_input=test):
                 self.assertEqual(repr(ast.parse(test)), snapshot)
 
+    def test_repr_large_input_crash(self):
+        # gh-125010: Fix use-after-free in ast repr()
+        source = "0x0" + "e" * 10_000
+        with self.assertRaisesRegex(ValueError,
+                                    r"Exceeds the limit \(\d+ digits\)"):
+            repr(ast.Constant(value=eval(source)))
+
 
 class CopyTests(unittest.TestCase):
     """Test copying and pickling AST nodes."""

diff --git a/Parser/asdl_c.py b/Parser/asdl_c.py
index ab5fd229cc46ea47cbf66af10084faa09863cb70..f50c28afcfe2055a838c7f78f1d0e20f5ea5702a 100755 (executable)
--- a/Parser/asdl_c.py
+++ b/Parser/asdl_c.py
@@ -1608,7 +1608,6 @@ ast_repr_max_depth(AST_object *self, int depth)
 
         if (!value_repr) {
             Py_DECREF(name);
-            Py_DECREF(value);
             goto error;
         }
 

diff --git a/Python/Python-ast.c b/Python/Python-ast.c
index 4a58c0973d11182d349a145bfee54ef1733cf815..89c52b9dc73cacb47526f8817be38910b84af493 100644 (file)
--- a/Python/Python-ast.c
+++ b/Python/Python-ast.c
@@ -5809,7 +5809,6 @@ ast_repr_max_depth(AST_object *self, int depth)
 
         if (!value_repr) {
             Py_DECREF(name);
-            Py_DECREF(value);
             goto error;
         }