
Commit e0dffc5

authored
gh-132097: fix runtime UB when calling expat handlers (#132265)
1 parent e1f93ff commit e0dffc5


1 file changed

+45
-38
lines changed


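--- a/Modules/_elementtree.c
+++ b/Modules/_elementtree.c
@@ -3082,8 +3082,7 @@ typedef struct {
 PyObject *elementtree_module;
 } XMLParserObject;
 
-
-#define _XMLParser_CAST(op) ((XMLParserObject *)(op))
+#define XMLParserObject_CAST(op) ((XMLParserObject *)(op))
 
 /* helpers */
 
@@ -3207,12 +3206,12 @@ expat_set_error(elementtreestate *st, enum XML_Error error_code,
 /* handlers */
 
 static void
-expat_default_handler(XMLParserObject* self, const XML_Char* data_in,
-int data_len)
+expat_default_handler(void *op, const XML_Char *data_in, int data_len)
 {
-PyObject* key;
-PyObject* value;
-PyObject* res;
+XMLParserObject *self = XMLParserObject_CAST(op);
+PyObject *key;
+PyObject *value;
+PyObject *res;
 
 if (data_len < 2 || data_in[0] != '&')
 return;
@@ -3254,12 +3253,13 @@ expat_default_handler(XMLParserObject* self, const XML_Char* data_in,
 }
 
 static void
-expat_start_handler(XMLParserObject* self, const XML_Char* tag_in,
+expat_start_handler(void *op, const XML_Char *tag_in,
 const XML_Char **attrib_in)
 {
-PyObject* res;
-PyObject* tag;
-PyObject* attrib;
+XMLParserObject *self = XMLParserObject_CAST(op);
+PyObject *res;
+PyObject *tag;
+PyObject *attrib;
 int ok;
 
 if (PyErr_Occurred())
@@ -3278,13 +3278,13 @@ expat_start_handler(XMLParserObject* self, const XML_Char* tag_in,
 return;
 }
 while (attrib_in[0] && attrib_in[1]) {
-PyObject* key = makeuniversal(self, attrib_in[0]);
+PyObject *key = makeuniversal(self, attrib_in[0]);
 if (key == NULL) {
 Py_DECREF(attrib);
 Py_DECREF(tag);
 return;
 }
-PyObject* value = PyUnicode_DecodeUTF8(attrib_in[1], strlen(attrib_in[1]), "strict");
+PyObject *value = PyUnicode_DecodeUTF8(attrib_in[1], strlen(attrib_in[1]), "strict");
 if (value == NULL) {
 Py_DECREF(key);
 Py_DECREF(attrib);
@@ -3331,11 +3331,12 @@ expat_start_handler(XMLParserObject* self, const XML_Char* tag_in,
 }
 
 static void
-expat_data_handler(XMLParserObject* self, const XML_Char* data_in,
+expat_data_handler(void *op, const XML_Char *data_in,
 int data_len)
 {
-PyObject* data;
-PyObject* res;
+XMLParserObject *self = XMLParserObject_CAST(op);
+PyObject *data;
+PyObject *res;
 
 if (PyErr_Occurred())
 return;
@@ -3359,10 +3360,11 @@ expat_data_handler(XMLParserObject* self, const XML_Char* data_in,
 }
 
 static void
-expat_end_handler(XMLParserObject* self, const XML_Char* tag_in)
+expat_end_handler(void *op, const XML_Char *tag_in)
 {
-PyObject* tag;
-PyObject* res = NULL;
+XMLParserObject *self = XMLParserObject_CAST(op);
+PyObject *tag;
+PyObject *res = NULL;
 
 if (PyErr_Occurred())
 return;
@@ -3386,12 +3388,13 @@ expat_end_handler(XMLParserObject* self, const XML_Char* tag_in)
 }
 
 static void
-expat_start_ns_handler(XMLParserObject* self, const XML_Char* prefix_in,
+expat_start_ns_handler(void *op, const XML_Char *prefix_in,
 const XML_Char *uri_in)
 {
-PyObject* res = NULL;
-PyObject* uri;
-PyObject* prefix;
+XMLParserObject *self = XMLParserObject_CAST(op);
+PyObject *res = NULL;
+PyObject *uri;
+PyObject *prefix;
 
 if (PyErr_Occurred())
 return;
@@ -3430,7 +3433,7 @@ expat_start_ns_handler(XMLParserObject* self, const XML_Char* prefix_in,
 return;
 }
 
-PyObject* args[2] = {prefix, uri};
+PyObject *args[2] = {prefix, uri};
 res = PyObject_Vectorcall(self->handle_start_ns, args, 2, NULL);
 Py_DECREF(uri);
 Py_DECREF(prefix);
@@ -3440,10 +3443,11 @@ expat_start_ns_handler(XMLParserObject* self, const XML_Char* prefix_in,
 }
 
 static void
-expat_end_ns_handler(XMLParserObject* self, const XML_Char* prefix_in)
+expat_end_ns_handler(void *op, const XML_Char *prefix_in)
 {
+XMLParserObject *self = XMLParserObject_CAST(op);
 PyObject *res = NULL;
-PyObject* prefix;
+PyObject *prefix;
 
 if (PyErr_Occurred())
 return;
@@ -3472,10 +3476,11 @@ expat_end_ns_handler(XMLParserObject* self, const XML_Char* prefix_in)
 }
 
 static void
-expat_comment_handler(XMLParserObject* self, const XML_Char* comment_in)
+expat_comment_handler(void *op, const XML_Char *comment_in)
 {
-PyObject* comment;
-PyObject* res;
+XMLParserObject *self = XMLParserObject_CAST(op);
+PyObject *comment;
+PyObject *res;
 
 if (PyErr_Occurred())
 return;
@@ -3504,12 +3509,13 @@ expat_comment_handler(XMLParserObject* self, const XML_Char* comment_in)
 }
 
 static void
-expat_start_doctype_handler(XMLParserObject *self,
+expat_start_doctype_handler(void *op,
 const XML_Char *doctype_name,
 const XML_Char *sysid,
 const XML_Char *pubid,
 int has_internal_subset)
 {
+XMLParserObject *self = XMLParserObject_CAST(op);
 PyObject *doctype_name_obj, *sysid_obj, *pubid_obj;
 PyObject *res;
 
@@ -3562,12 +3568,13 @@ expat_start_doctype_handler(XMLParserObject *self,
 }
 
 static void
-expat_pi_handler(XMLParserObject* self, const XML_Char* target_in,
-const XML_Char* data_in)
+expat_pi_handler(void *op, const XML_Char *target_in,
+const XML_Char *data_in)
 {
-PyObject* pi_target;
-PyObject* data;
-PyObject* res;
+XMLParserObject *self = XMLParserObject_CAST(op);
+PyObject *pi_target;
+PyObject *data;
+PyObject *res;
 
 if (PyErr_Occurred())
 return;
@@ -3597,7 +3604,7 @@ expat_pi_handler(XMLParserObject* self, const XML_Char* target_in,
 if (!data)
 goto error;
 
-PyObject* args[2] = {pi_target, data};
+PyObject *args[2] = {pi_target, data};
 res = PyObject_Vectorcall(self->handle_pi, args, 2, NULL);
 Py_XDECREF(res);
 Py_DECREF(data);
@@ -3777,7 +3784,7 @@ _elementtree_XMLParser___init___impl(XMLParserObject *self, PyObject *target,
 static int
 xmlparser_gc_traverse(PyObject *op, visitproc visit, void *arg)
 {
-XMLParserObject *self = _XMLParser_CAST(op);
+XMLParserObject *self = XMLParserObject_CAST(op);
 Py_VISIT(Py_TYPE(self));
 Py_VISIT(self->handle_close);
 Py_VISIT(self->handle_pi);
@@ -3799,7 +3806,7 @@ xmlparser_gc_traverse(PyObject *op, visitproc visit, void *arg)
 static int
 xmlparser_gc_clear(PyObject *op)
 {
-XMLParserObject *self = _XMLParser_CAST(op);
+XMLParserObject *self = XMLParserObject_CAST(op);
 elementtreestate *st = self->state;
 if (self->parser != NULL) {
 XML_Parser parser = self->parser;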
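Review bot: The handlers' new `void *op` signatures only remove the undefined behaviour if each one matches the expat callback typedef it is registered under, and nothing in these hunks lets the compiler check that. The registration calls are outside this diff; if they still wrap the handlers in casts such as `(XML_StartElementHandler)`, those casts would keep hiding any later signature drift and could be dropped so a mismatch fails the build. `XMLParserObject_CAST` is also an unchecked cast, so every handler trusts that expat's user data is the `XMLParserObject`; a comment above `/* handlers */` would record both points, e.g. `/* Signatures must match expat's XML_*Handler typedefs exactly; op is expat's user-data pointer. */`. The pointer-spacing changes (`PyObject* res` to `PyObject *res`) are unrelated to the fix and make the functional change harder to audit; they would read better as a separate commit.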
