[3.11] gh-145986: Avoid unbound C recursion in conv_content_model in pyexpat.c (CVE 2026-4224) (GH-145987) (#146000)

* [3.11] gh-145986: Avoid unbound C recursion in `conv_content_model` in `pyexpat.c` (CVE 2026-4224) (GH-145987) Fix C stack overflow (CVE-2026-4224) when an Expat parser with a registered `ElementDeclHandler` parses inline DTD containing deeply nested content model. --------- (cherry picked from commit eb0e8be3a7) (cherry picked from commit e5caf45faa) Co-authored-by: Stan Ulbrych <89152624+StanFromIreland@users.noreply.github.com> Co-authored-by: Bénédikt Tran <10796600+picnixz@users.noreply.github.com> * Update Misc/NEWS.d/next/Security/2026-03-14-17-31-39.gh-issue-145986.ifSSr8.rst --------- Co-authored-by: Bénédikt Tran <10796600+picnixz@users.noreply.github.com>
2026-05-06 12:49:07 -04:00 · 2026-04-08 11:27:39 +01:00
parent 0d046dec11
commit 642865ddf4
3 changed files with 30 additions and 1 deletions
@@ -675,6 +675,24 @@ class ChardataBufferTest(unittest.TestCase):
        parser.Parse(xml2, True)
        self.assertEqual(self.n, 4)

+class ElementDeclHandlerTest(unittest.TestCase):
+    def test_deeply_nested_content_model(self):
+        # This should raise a RecursionError and not crash.
+        # See https://github.com/python/cpython/issues/145986.
+        N = 500_000
+        data = (
+            b'<!DOCTYPE root [\n<!ELEMENT root '
+            + b'(a, ' * N + b'a' + b')' * N
+            + b'>\n]>\n<root/>\n'
+        )
+
+        parser = expat.ParserCreate()
+        parser.ElementDeclHandler = lambda _1, _2: None
+        with support.infinite_recursion():
+            with self.assertRaises(RecursionError):
+                parser.Parse(data)
+
+
 class MalformedInputTest(unittest.TestCase):
    def test1(self):
        xml = b"\0\r\n"
@@ -0,0 +1,4 @@
+:mod:`xml.parsers.expat`: Fixed a crash caused by unbounded C recursion when
+converting deeply nested XML content models with
+:meth:`~xml.parsers.expat.xmlparser.ElementDeclHandler`.
+This addresses `CVE-2026-4224 <https://www.cve.org/CVERecord?id=CVE-2026-4224>`_.
@@ -3,6 +3,7 @@
 #endif

 #include "Python.h"
+#include "pycore_ceval.h"           // _Py_EnterRecursiveCall()
 #include "pycore_runtime.h"         // _Py_ID()
 #include <ctype.h>

@@ -578,6 +579,10 @@ static PyObject *
 conv_content_model(XML_Content * const model,
                   PyObject *(*conv_string)(const XML_Char *))
 {
+    if (_Py_EnterRecursiveCall(" in conv_content_model")) {
+        return NULL;
+    }
+
    PyObject *result = NULL;
    PyObject *children = PyTuple_New(model->numchildren);
    int i;
@@ -589,7 +594,7 @@ conv_content_model(XML_Content * const model,
                                                 conv_string);
            if (child == NULL) {
                Py_XDECREF(children);
-                return NULL;
+                goto done;
            }
            PyTuple_SET_ITEM(children, i, child);
        }
@@ -597,6 +602,8 @@ conv_content_model(XML_Content * const model,
                               model->type, model->quant,
                               conv_string,model->name, children);
    }
+done:
+    _Py_LeaveRecursiveCall();
    return result;
 }