[3.13] gh-139210: Fix use-after-free in xml.etree.ElementTree.iterparse() (GH-139211) (GH-139456)

(cherry picked from commit c86eb4d3ac) Co-authored-by: Ken Jin <kenjin@python.org>
2025-12-23 09:19:18 +00:00 · 2025-09-30 20:14:44 +02:00 · 2025-09-30 20:14:44 +02:00 · f48128b6b3
commit f48128b6b3
parent 0ef302e019
3 changed files with 4 additions and 1 deletions
--- a/Lib/test/test_xml_etree.py
+++ b/Lib/test/test_xml_etree.py
@ -1750,6 +1750,8 @@ class XMLPullParserTest(unittest.TestCase):
    def test_unknown_event(self):
        with self.assertRaises(ValueError):
            ET.XMLPullParser(events=('start', 'end', 'bogus'))
+        with self.assertRaisesRegex(ValueError, "unknown event 'bogus'"):
+            ET.XMLPullParser(events=(x.decode() for x in (b'start', b'end', b'bogus')))

    @unittest.skipIf(pyexpat.version_info < (2, 6, 0),
                     f'Expat {pyexpat.version_info} does not '
--- a/Misc/NEWS.d/next/Core_and_Builtins/2025-09-21-15-58-57.gh-issue-139210.HGbMvz.rst
+++ b/Misc/NEWS.d/next/Core_and_Builtins/2025-09-21-15-58-57.gh-issue-139210.HGbMvz.rst
@ -0,0 +1 @@
+Fix use-after-free when reporting unknown event in :func:`xml.etree.ElementTree.iterparse`. Patch by Ken Jin.
--- a/Modules/_elementtree.c
+++ b/Modules/_elementtree.c
@ -4180,8 +4180,8 @@ _elementtree_XMLParser__setevents_impl(XMLParserObject *self,
                (XML_ProcessingInstructionHandler) expat_pi_handler
                );
        } else {
-            Py_DECREF(events_seq);
            PyErr_Format(PyExc_ValueError, "unknown event '%s'", event_name);
+            Py_DECREF(events_seq);
            return NULL;
        }
    }
				`@ -0,0 +1 @@`
				Fix use-after-free when reporting unknown event in :func:`xml.etree.ElementTree.iterparse`. Patch by Ken Jin.