From: Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com> Date: Tue, 30 Sep 2025 18:14:44 +0000 (+0200) Subject: [3.13] gh-139210: Fix use-after-free in xml.etree.ElementTree.iterparse() (GH-139211... X-Git-Tag: v3.13.8~27 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=f48128b6b3722ee2b2cef026e9679e37bd5b2517;p=thirdparty%2FPython%2Fcpython.git [3.13] gh-139210: Fix use-after-free in xml.etree.ElementTree.iterparse() (GH-139211) (GH-139456) (cherry picked from commit c86eb4d3ac5984efc1ea920ba643e3c4f02fdee8) Co-authored-by: Ken Jin --- diff --git a/Lib/test/test_xml_etree.py b/Lib/test/test_xml_etree.py index 12efa006cd50..78598b35dae0 100644 --- a/Lib/test/test_xml_etree.py +++ b/Lib/test/test_xml_etree.py @@ -1750,6 +1750,8 @@ class XMLPullParserTest(unittest.TestCase): def test_unknown_event(self): with self.assertRaises(ValueError): ET.XMLPullParser(events=('start', 'end', 'bogus')) + with self.assertRaisesRegex(ValueError, "unknown event 'bogus'"): + ET.XMLPullParser(events=(x.decode() for x in (b'start', b'end', b'bogus'))) @unittest.skipIf(pyexpat.version_info < (2, 6, 0), f'Expat {pyexpat.version_info} does not ' diff --git a/Misc/NEWS.d/next/Core_and_Builtins/2025-09-21-15-58-57.gh-issue-139210.HGbMvz.rst b/Misc/NEWS.d/next/Core_and_Builtins/2025-09-21-15-58-57.gh-issue-139210.HGbMvz.rst new file mode 100644 index 000000000000..1227b29a68a9 --- /dev/null +++ b/Misc/NEWS.d/next/Core_and_Builtins/2025-09-21-15-58-57.gh-issue-139210.HGbMvz.rst @@ -0,0 +1 @@ +Fix use-after-free when reporting unknown event in :func:`xml.etree.ElementTree.iterparse`. Patch by Ken Jin. diff --git a/Modules/_elementtree.c b/Modules/_elementtree.c index 3926ef3ef835..020b7454add2 100644 --- a/Modules/_elementtree.c +++ b/Modules/_elementtree.c 
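Review bot: The second `assertRaisesRegex` case in `test_unknown_event` passes a generator of `x.decode()` results with no comment explaining why, so a later cleanup could collapse it back into a tuple of literals and silently drop the regression coverage. The form looks deliberate: the event names are then fresh string objects, presumably referenced only by the temporary sequence the parser builds from the generator, which is the condition under which the old decref-then-format order read freed memory. I would add `# gh-139210: event names must be temporaries owned only by the events sequence` above that `with` line. It may also be worth noting there that the message match is only a dependable detector when the suite runs under a sanitizer or a debug allocator, since a stale read can still happen to return the old bytes.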
@@ -4180,8 +4180,8 @@ _elementtree_XMLParser__setevents_impl(XMLParserObject *self,
 (XML_ProcessingInstructionHandler) expat_pi_handler
 );
 } else {
- Py_DECREF(events_seq);
 PyErr_Format(PyExc_ValueError, "unknown event '%s'", event_name);
+ Py_DECREF(events_seq);
 return NULL;
 }
 }
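Review bot: Calling `PyErr_Format` before `Py_DECREF(events_seq)` in the `else` branch is a lifetime constraint that nothing in the code states, so a later tidy-up that moves the cleanup first would reintroduce the use-after-free. `event_name` is declared outside this hunk; judging by the commit title it points into storage owned by an item of `events_seq`, which would make it valid only while that sequence is still held. I would add `/* event_name borrows from an item of events_seq: format the error before releasing it */` above the `PyErr_Format` call. The function body starts and ends outside the hunk, so any other exit path that reads `event_name` after a decref should be checked for the same ordering.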