From: Tomas R. <tomas.roun8@gmail.com>
Date: Sun, 6 Oct 2024 19:46:03 +0000 (+0200)
Subject: gh-125010: Fix `use-after-free` in AST `repr()` (#125015)
X-Git-Tag: v3.14.0a1~174
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=a1be83dae311e4a1a6e66ed5e128b1ad8794f72f;p=thirdparty%2FPython%2Fcpython.git

gh-125010: Fix `use-after-free` in AST `repr()` (#125015)
---

diff --git a/Lib/test/test_ast/test_ast.py b/Lib/test/test_ast/test_ast.py
index f052822cb452..01d2e392302e 100644
--- a/Lib/test/test_ast/test_ast.py
+++ b/Lib/test/test_ast/test_ast.py
@@ -789,6 +789,13 @@ class AST_Tests(unittest.TestCase):
             with self.subTest(test_input=test):
                 self.assertEqual(repr(ast.parse(test)), snapshot)
 
+    def test_repr_large_input_crash(self):
+        # gh-125010: Fix use-after-free in ast repr()
+        source = "0x0" + "e" * 10_000
+        with self.assertRaisesRegex(ValueError,
+                                    r"Exceeds the limit \(\d+ digits\)"):
+            repr(ast.Constant(value=eval(source)))
+
 
 class CopyTests(unittest.TestCase):
     """Test copying and pickling AST nodes."""
diff --git a/Parser/asdl_c.py b/Parser/asdl_c.py
index ab5fd229cc46..f50c28afcfe2 100755
--- a/Parser/asdl_c.py
+++ b/Parser/asdl_c.py
@@ -1608,7 +1608,6 @@ ast_repr_max_depth(AST_object *self, int depth)
 
         if (!value_repr) {
             Py_DECREF(name);
-            Py_DECREF(value);
             goto error;
         }
 
diff --git a/Python/Python-ast.c b/Python/Python-ast.c
index 4a58c0973d11..89c52b9dc73c 100644
--- a/Python/Python-ast.c
+++ b/Python/Python-ast.c
@@ -5809,7 +5809,6 @@ ast_repr_max_depth(AST_object *self, int depth)
 
         if (!value_repr) {
             Py_DECREF(name);
-            Py_DECREF(value);
             goto error;
         }