File CVE-2026-4224-expat-unbound-C-recursion.patch of Package python.43465
From d3dd83794717ad183a9de1cd9bff7940e6b024f4 Mon Sep 17 00:00:00 2001
From: Stan Ulbrych <stan@ulbrych.org>
Date: Sat, 14 Mar 2026 17:35:27 +0000
Subject: [PATCH 1/7] Fix crash in `conv_content_model` function in `pyexpat`
---
Lib/test/test_pyexpat.py | 18 ++++++++++
Misc/NEWS.d/next/Security/2026-03-14-17-31-39.gh-issue-145986.ifSSr8.rst | 4 ++
Modules/pyexpat.c | 10 ++++-
3 files changed, 30 insertions(+), 2 deletions(-)
create mode 100644 Misc/NEWS.d/next/Library/2026-03-14-17-31-39.gh-issue-111111.ifSSr8.rst
Index: Python-2.7.18/Lib/test/test_pyexpat.py
===================================================================
--- Python-2.7.18.orig/Lib/test/test_pyexpat.py 2020-04-19 23:13:39.000000000 +0200
+++ Python-2.7.18/Lib/test/test_pyexpat.py 2026-03-24 14:17:53.935801335 +0100
@@ -597,6 +597,28 @@
parser.Parse(xml2, 1)
self.assertEqual(self.n, 4)
+class ElementDeclHandlerTest(unittest.TestCase):
+ def test_deeply_nested_content_model(self):
+ # This should raise a RuntimeError and not crash.
+ # See https://github.com/python/cpython/issues/145986.
+ limit = 500
+ n = 2000
+ data = (
+ b'<!DOCTYPE root [\n<!ELEMENT root '
+ + b'(a, ' * n + b'a' + b')' * n
+ + b'>\n]>\n<root/>\n'
+ )
+
+ parser = expat.ParserCreate()
+ parser.ElementDeclHandler = lambda _1, _2: None
+ old_limit = sys.getrecursionlimit()
+ try:
+ sys.setrecursionlimit(limit)
+ self.assertRaises(RuntimeError, parser.Parse, data)
+ finally:
+ sys.setrecursionlimit(old_limit)
+
+
class MalformedInputText(unittest.TestCase):
def test1(self):
xml = "\0\r\n"
@@ -676,6 +698,7 @@
PositionTest,
sf1296433Test,
ChardataBufferTest,
+ ElementDeclHandlerTest,
MalformedInputText,
ForeignDTDTests)
Index: Python-2.7.18/Misc/NEWS.d/next/Security/2026-03-14-17-31-39.gh-issue-145986.ifSSr8.rst
===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ Python-2.7.18/Misc/NEWS.d/next/Security/2026-03-14-17-31-39.gh-issue-145986.ifSSr8.rst 2026-03-24 10:04:08.906370619 +0100
@@ -0,0 +1,4 @@
+:mod:`xml.parsers.expat`: Fixed a crash caused by unbounded C recursion when
+converting deeply nested XML content models with
+:meth:`~xml.parsers.expat.xmlparser.ElementDeclHandler`.
+This addresses :cve:`2026-4224`.
Index: Python-2.7.18/Modules/pyexpat.c
===================================================================
--- Python-2.7.18.orig/Modules/pyexpat.c 2020-04-19 23:13:39.000000000 +0200
+++ Python-2.7.18/Modules/pyexpat.c 2026-03-24 11:46:11.581148140 +0100
@@ -691,6 +691,10 @@
conv_content_model(XML_Content * const model,
PyObject *(*conv_string)(const XML_Char *))
{
+ if (Py_EnterRecursiveCall(" in conv_content_model")) {
+ return NULL;
+ }
+
PyObject *result = NULL;
PyObject *children = PyTuple_New(model->numchildren);
int i;
@@ -702,14 +706,16 @@
conv_string);
if (child == NULL) {
Py_XDECREF(children);
- return NULL;
+ goto done;
}
PyTuple_SET_ITEM(children, i, child);
}
result = Py_BuildValue("(iiO&N)",
model->type, model->quant,
- conv_string,model->name, children);
+ conv_string, model->name, children);
}
+done:
+ Py_LeaveRecursiveCall();
return result;
}
