Fix crash in conv_content_model function in pyexpat

StanFromIreland · StanFromIreland · commit d3dd83794717 · 2026-03-14T17:35:27.000Z
diff --git a/Lib/test/test_pyexpat.py b/Lib/test/test_pyexpat.py
@@ -701,6 +701,20 @@ def test_trigger_leak(self):
         parser.ElementDeclHandler = lambda _1, _2: None
         self.assertRaises(TypeError, parser.Parse, data, True)
 
+    def test_deeply_nested_content_model(self):
+        data = ('<!DOCTYPE root [\n<!ELEMENT root '
+              + '(a, ' * 200000 + 'a'
+              + ')' * 200000
+              + '>\n]>\n<root/>\n').encode('UTF-8')
+
+        parser = expat.ParserCreate()
+        parser.ElementDeclHandler = lambda _1, _2: None
+        # This shouldn't crash:
+        try:
+            parser.ParseFile(BytesIO(data))
+        except RecursionError:
+            pass
+
 class MalformedInputTest(unittest.TestCase):
     def test1(self):
         xml = b"\0\r\n"
diff --git a/Misc/NEWS.d/next/Library/2026-03-14-17-31-39.gh-issue-111111.ifSSr8.rst b/Misc/NEWS.d/next/Library/2026-03-14-17-31-39.gh-issue-111111.ifSSr8.rst
@@ -0,0 +1,3 @@
+:mod:`xml.parsers.expat`: Fixed a crash caused by unbounded C recursion when
+converting deeply nested XML content models with
+:meth:`~xml.parsers.expat.xmlparser.ElementDeclHandler`.
diff --git a/Modules/pyexpat.c b/Modules/pyexpat.c
@@ -607,6 +607,10 @@ static PyObject *
 conv_content_model(XML_Content * const model,
                    PyObject *(*conv_string)(void *))
 {
+    if (Py_EnterRecursiveCall(" in conv_content_model")) {
+        return NULL;
+    }
+
     PyObject *result = NULL;
     PyObject *children = PyTuple_New(model->numchildren);
     int i;
@@ -618,14 +622,16 @@ conv_content_model(XML_Content * const model,
                                                  conv_string);
             if (child == NULL) {
                 Py_XDECREF(children);
-                return NULL;
+                goto done;
             }
             PyTuple_SET_ITEM(children, i, child);
         }
         result = Py_BuildValue("(iiO&N)",
                                model->type, model->quant,
                                conv_string, model->name, children);
     }
+done:
+    Py_LeaveRecursiveCall();
     return result;
 }
 

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	+:mod:`xml.parsers.expat`: Fixed a crash caused by unbounded C recursion when
	`2`	`+converting deeply nested XML content models with`
	`3`	+:meth:`~xml.parsers.expat.xmlparser.ElementDeclHandler`.
Original file line number	Diff line number	Diff line change
`@@ -607,6 +607,10 @@ static PyObject *`
`607`	`607`	`conv_content_model(XML_Content * const model,`
`608`	`608`	`PyObject (conv_string)(void *))`
`609`	`609`	`{`
	`610`	`+ if (Py_EnterRecursiveCall(" in conv_content_model")) {`
	`611`	`+ return NULL;`
	`612`	`+ }`
	`613`	`+`
`610`	`614`	`PyObject *result = NULL;`
`611`	`615`	`PyObject *children = PyTuple_New(model->numchildren);`
`612`	`616`	`int i;`
`@@ -618,14 +622,16 @@ conv_content_model(XML_Content * const model,`
`618`	`622`	`conv_string);`
`619`	`623`	`if (child == NULL) {`
`620`	`624`	`Py_XDECREF(children);`
`621`		`- return NULL;`
	`625`	`+ goto done;`
`622`	`626`	`}`
`623`	`627`	`PyTuple_SET_ITEM(children, i, child);`
`624`	`628`	`}`
`625`	`629`	`result = Py_BuildValue("(iiO&N)",`
`626`	`630`	`model->type, model->quant,`
`627`	`631`	`conv_string, model->name, children);`
`628`	`632`	`}`
	`633`	`+done:`
	`634`	`+ Py_LeaveRecursiveCall();`
`629`	`635`	`return result;`
`630`	`636`	`}`
`631`	`637`