Skip to content

gh-148731: Fix crash in Element.iter() on allocation failure#152120

Open
timurmamedov1 wants to merge 1 commit into
python:mainfrom
timurmamedov1:gh-148731-fix-elementiter-oom-crash
Open

gh-148731: Fix crash in Element.iter() on allocation failure#152120
timurmamedov1 wants to merge 1 commit into
python:mainfrom
timurmamedov1:gh-148731-fix-elementiter-oom-crash

Conversation

@timurmamedov1

@timurmamedov1 timurmamedov1 commented Jun 24, 2026

Copy link
Copy Markdown

create_elementiter allocates an ElementIterObject via PyObject_GC_New, then attempts to allocate parent_stack via PyMem_New. If that second allocation fails, Py_DECREF(it) triggers elementiter_dealloc, which reads parent_stack_used (uninitialized garbage from PyObject_GC_New) and dereferences parent_stack (NULL), causing a segfault.

Fix by initializing parent_stack to NULL and parent_stack_used to 0 immediately after PyObject_GC_New, before any operations that can fail.

Copilot AI review requested due to automatic review settings June 24, 2026 19:43

This comment was marked as abuse.

Sign in to view

@bedevere-app bedevere-app Bot mentioned this pull request Jun 24, 2026
Open
@timurmamedov1 timurmamedov1 force-pushed the gh-148731-fix-elementiter-oom-crash branch from 01f8b62 to ca5e3fa Compare June 24, 2026 20:00
StanFromIreland
StanFromIreland reviewed Jun 24, 2026
View reviewed changes
Comment thread Modules/_elementtree.c Outdated

@StanFromIreland StanFromIreland Jun 24, 2026

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is redundant now.

@timurmamedov1 timurmamedov1 Jun 24, 2026

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh yeah. Fixed.

@StanFromIreland StanFromIreland requested a review from picnixz June 24, 2026 20:44
@timurmamedov1
pythongh-148731: Fix crash in Element.iter() on allocation failure
54c73d2 
Initialize parent_stack and parent_stack_used before the fallible
PyMem_New call so that elementiter_dealloc does not dereference
an uninitialized pointer when the allocation fails.
@timurmamedov1 timurmamedov1 force-pushed the gh-148731-fix-elementiter-oom-crash branch from ca5e3fa to 54c73d2 Compare June 24, 2026 21:03
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@StanFromIreland StanFromIreland StanFromIreland left review comments

Copilot code review Copilot Copilot left review comments

@picnixz picnixz Awaiting requested review from picnixz

Assignees

No one assigned

Labels

awaiting review

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@timurmamedov1 @StanFromIreland