File CVE-2026-4224-expat-unbound-C-recursion.patch of Package python314
From aa98922b108265ae67e18cea85174f1fd2af51aa Mon Sep 17 00:00:00 2001
From: Stan Ulbrych <89152624+StanFromIreland@users.noreply.github.com>
Date: Sun, 15 Mar 2026 21:46:06 +0000
Subject: [PATCH] gh-145986: Avoid unbound C recursion in `conv_content_model`
in `pyexpat.c` (CVE 2026-4224) (GH-145987)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Fix C stack overflow (CVE-2026-4224) when an Expat parser
with a registered `ElementDeclHandler` parses inline DTD
containing deeply nested content model.
---------
(cherry picked from commit eb0e8be3a7e11b87d198a2c3af1ed0eccf532768)
Co-authored-by: Stan Ulbrych <89152624+StanFromIreland@users.noreply.github.com>
Co-authored-by: Bénédikt Tran <10796600+picnixz@users.noreply.github.com>
---
Lib/test/test_pyexpat.py | 19 ++++++++++
Misc/NEWS.d/next/Security/2026-03-14-17-31-39.gh-issue-145986.ifSSr8.rst | 4 ++
Modules/pyexpat.c | 9 ++++
3 files changed, 31 insertions(+), 1 deletion(-)
create mode 100644 Misc/NEWS.d/next/Security/2026-03-14-17-31-39.gh-issue-145986.ifSSr8.rst
Index: Python-3.14.3/Lib/test/test_pyexpat.py
===================================================================
--- Python-3.14.3.orig/Lib/test/test_pyexpat.py 2026-03-24 09:27:25.034071315 +0100
+++ Python-3.14.3/Lib/test/test_pyexpat.py 2026-03-24 09:27:25.175636507 +0100
@@ -689,6 +689,25 @@
parser.ElementDeclHandler = lambda _1, _2: None
self.assertRaises(TypeError, parser.Parse, data, True)
+ @support.skip_if_unlimited_stack_size
+ @support.skip_emscripten_stack_overflow()
+ @support.skip_wasi_stack_overflow()
+ def test_deeply_nested_content_model(self):
+ # This should raise a RecursionError and not crash.
+ # See https://github.com/python/cpython/issues/145986.
+ N = 500_000
+ data = (
+ b'<!DOCTYPE root [\n<!ELEMENT root '
+ + b'(a, ' * N + b'a' + b')' * N
+ + b'>\n]>\n<root/>\n'
+ )
+
+ parser = expat.ParserCreate()
+ parser.ElementDeclHandler = lambda _1, _2: None
+ with support.infinite_recursion():
+ with self.assertRaises(RecursionError):
+ parser.Parse(data)
+
class MalformedInputTest(unittest.TestCase):
def test1(self):
xml = b"\0\r\n"
Index: Python-3.14.3/Misc/NEWS.d/next/Security/2026-03-14-17-31-39.gh-issue-145986.ifSSr8.rst
===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ Python-3.14.3/Misc/NEWS.d/next/Security/2026-03-14-17-31-39.gh-issue-145986.ifSSr8.rst 2026-03-24 09:27:25.175848336 +0100
@@ -0,0 +1,4 @@
+:mod:`xml.parsers.expat`: Fixed a crash caused by unbounded C recursion when
+converting deeply nested XML content models with
+:meth:`~xml.parsers.expat.xmlparser.ElementDeclHandler`.
+This addresses :cve:`2026-4224`.
Index: Python-3.14.3/Modules/pyexpat.c
===================================================================
--- Python-3.14.3.orig/Modules/pyexpat.c 2026-02-03 16:32:20.000000000 +0100
+++ Python-3.14.3/Modules/pyexpat.c 2026-03-24 09:27:25.176330576 +0100
@@ -3,6 +3,7 @@
#endif
#include "Python.h"
+#include "pycore_ceval.h" // _Py_EnterRecursiveCall()
#include "pycore_import.h" // _PyImport_SetModule()
#include "pycore_pyhash.h" // _Py_HashSecret
#include "pycore_traceback.h" // _PyTraceback_Add()
@@ -603,6 +604,10 @@
conv_content_model(XML_Content * const model,
PyObject *(*conv_string)(void *))
{
+ if (_Py_EnterRecursiveCall(" in conv_content_model")) {
+ return NULL;
+ }
+
PyObject *result = NULL;
PyObject *children = PyTuple_New(model->numchildren);
int i;
@@ -614,7 +619,7 @@
conv_string);
if (child == NULL) {
Py_XDECREF(children);
- return NULL;
+ goto done;
}
PyTuple_SET_ITEM(children, i, child);
}
@@ -622,6 +627,8 @@
model->type, model->quant,
conv_string, model->name, children);
}
+done:
+ _Py_LeaveRecursiveCall();
return result;
}
