Treat the debug offset tables read from a target process as untrusted input
and validate them before the unwinder uses any reported sizes or offsets.
Add a shared validator in debug_offsets_validation.h and run it once when
_Py_DebugOffsets is loaded and once when AsyncioDebug is loaded. The checks
cover section sizes used for fixed local buffers and every offset that is
later dereferenced against a local buffer or local object view. This keeps
the bounds checks out of the sampling hot path while rejecting malformed
tables up front.
(cherry picked from commit 289fd2c97a)
Instead of reading past the end of the empty buffer.
(cherry picked from commit 0c6d2f64c0)
Co-authored-by: Maurycy Pawłowski-Wieroński <maurycy@maurycy.com>
* Document that 's' and 'p' accept bytes and bytearray.
* Fix some footnotes.
* Clarify that "string" is a byte string.
* Fix the module docstring.
(cherry picked from commit 3e5a3cb2bd)
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
gh-146578: _zstd: Fix printf format for pledged size errors (GH-146576)
Use %llu instead of %ull for unsigned long long in zstd_contentsize_converter ValueError messages.
(cherry picked from commit 09233bd198)
Co-authored-by: cui <cuiweixie@gmail.com>
gh-148651: Fix refcount leak in _zstd decompressor options (GH-148657)
The option parsing in Modules/_zstd/decompressor.c had a missing Py_DECREF(value) before the early return -1 when PyLong_AsInt(key) fails. The identical code in Modules/_zstd/compressor.c line 158 has the fix.
(cherry picked from commit 446edda209)
Co-authored-by: Michael Bommarito <michael.bommarito@gmail.com>
gh-148395: Fix a possible UAF in `{LZMA,BZ2,_Zlib}Decompressor` (GH-148396)
Fix dangling input pointer after `MemoryError` in _lzma/_bz2/_ZlibDecompressor.decompress
(cherry picked from commit 8fc66aef6d)
Co-authored-by: Stan Ulbrych <stan@python.org>
gh-145105: Fix crash in csv.reader with re-entrant iterator (GH-145106)
When a custom iterator calls next() on the same csv.reader from
within __next__, the inner iteration sets self->fields to NULL.
The outer iteration then crashes in parse_save_field() by passing
NULL to PyList_Append.
Add a guard after PyIter_Next() to detect that fields was set to
NULL by a re-entrant call, and raise csv.Error instead of crashing.
(cherry picked from commit 20994b1809)
Co-authored-by: Ramin Farajpour Cami <ramin.blackhat@gmail.com>
gh-148274: properly handle result from `PyObject_VisitManagedDict` (GH-148275)
(cherry picked from commit ee2775cfae)
Co-authored-by: Max Bachmann <kontakt@maxbachmann.de>
gh-143050: Correct PyLong_FromString() to use _PyLong_Negate() (GH-145901)
The long_from_string_base() might return a small integer, when the
_pylong.py is used to do conversion. Hence, we must be careful here to
not smash it "small int" bit by using the _PyLong_FlipSign().
(cherry picked from commit db5936c5b8)
Co-authored-by: Sergey B Kirpichev <skirpichev@gmail.com>
Co-authored-by: Victor Stinner <vstinner@python.org>
The TypeError in _zstd_set_d_parameters incorrectly referred to
compression options; say decompression options instead.
(cherry picked from commit 4d0e8ee649)
Co-authored-by: cui <cuiweixie@gmail.com>
gh-146480: Override the exception in _PyErr_SetKeyError() (GH-146486)
If _PyErr_SetKeyError() is called with an exception set, it now
replaces the current exception with KeyError (as expected), instead
of setting a SystemError or failing with a fatal error (in debug
mode).
(cherry picked from commit d4153a9f76)
Co-authored-by: Victor Stinner <vstinner@python.org>
Use uniform standard signature syntax in the tutorial and in
the array and collections modules documentation.
(cherry picked from commit 17070f41d4)
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
gh-146059: Call fast_save_leave() in pickle save_frozenset() (GH-146173)
Add more pickle tests: test also nested structures.
(cherry picked from commit 5c0dcb3e0d)
Co-authored-by: Victor Stinner <vstinner@python.org>
gh-145633: Fix struct.pack('f') on s390x (GH-146422)
Use PyFloat_Pack4() to raise OverflowError.
Add more tests on packing/unpacking floats.
(cherry picked from commit 8de70b31c5)
Co-authored-by: Victor Stinner <vstinner@python.org>
Co-authored-by: Sergey B Kirpichev <skirpichev@gmail.com>
Base64 decoder (see binascii.a2b_base64(), base64.b64decode(), etc)
no longer ignores excess data after the first padded quad in non-strict
(default) mode. Instead, in conformance with RFC 4648, it ignores the
pad character, "=", if it is present before the end of the encoded data.
(cherry picked from commit 4561f6418a)
gh-146092: Raise MemoryError on allocation failure in _zoneinfo (GH-146165)
(cherry picked from commit 6450b1d142)
Co-authored-by: Victor Stinner <vstinner@python.org>
Add tests for corner cases: NULL pointers and out of range values.
(cherry picked from commit ab47892c32)
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
gh-146093: Fix csv _set_str(): check if PyUnicode_DecodeASCII() failed (GH-146113)
The function can fail on a memory allocation failure.
Bug reported by devdanzin.
(cherry picked from commit 724c7c8146)
Co-authored-by: Victor Stinner <vstinner@python.org>
* Add the c_init_default attribute which is used to initialize the C variable
if the default is not explicitly provided.
* Add the c_default_init() method which is used to derive c_default from
default if c_default is not explicitly provided.
* Explicit c_default and py_default are now almost always have precedence
over the generated value.
* Add support for bytes literals as default values.
* Improve support for str literals as default values (support non-ASCII
and non-printable characters and special characters like backslash or quotes).
* Fix support for str and bytes literals containing trigraphs, "/*" and "*/".
* Improve support for default values in converters "char" and "int(accept={str})".
* Converter "int(accept={str})" now requires 1-character string instead of
integer as default value.
* Add support for non-None default values in converter "Py_buffer": NULL,
str and bytes literals.
* Improve error handling for invalid default values.
* Rename Null to NullType for consistency.
(cherry picked from commit 99e2c5eccd)
gh-145986: Avoid unbound C recursion in `conv_content_model` in `pyexpat.c` (CVE 2026-4224) (GH-145987)
Fix C stack overflow (CVE-2026-4224) when an Expat parser
with a registered `ElementDeclHandler` parses inline DTD
containing deeply nested content model.
---------
(cherry picked from commit eb0e8be3a7)
Co-authored-by: Stan Ulbrych <89152624+StanFromIreland@users.noreply.github.com>
Co-authored-by: Bénédikt Tran <10796600+picnixz@users.noreply.github.com>
Pablo Galindo Salgado