gh-144100: Fix crash for POINTER(str) used in ctypes argtypes (#144108)
(cherry picked from commit 8f459255eba2b6639f1912e5c5e318a7cdafada1)
Co-authored-by: VanshAgarwal24036 <148854295+VanshAgarwal24036@users.noreply.github.com>
[3.13] gh-144023: Prevent follow_symlinks from being allowed with an fd of 0 (GH-144022)
The check was (fd > 0), should be (fd >= 0).
(cherry picked from commit fa44efa0ef1972ac1e2f66996303154be11f605e)
Co-authored-by: AZero13 <gfunni234@gmail.com>
Update struct.__doc__: _Bool available unconditionally (GH-143716)
This amends commit a9296e7f3be4d6c22271b25c86467ff867c63bbb.
(cherry picked from commit 31c81ab0a2fb7009a76426617991a9b539ab0180)
Co-authored-by: Sergey B Kirpichev <skirpichev@gmail.com>
gh-143249: Fix buffer leak when overlapped operation fails to start on windows (GH-143250)
(cherry picked from commit 103a384bfdeafc68ab39ea9bf8838a8b2eec83dd)
Co-authored-by: Yongtao Huang <yongtaoh2022@gmail.com>
gh-143544: Fix possible use-after-free in the JSON decoder when JSONDecodeError disappears during raising it (GH-143561)
(cherry picked from commit c3157480601499565fd42a8afbdb0207328ac484)
Co-authored-by: VanshAgarwal24036 <148854295+VanshAgarwal24036@users.noreply.github.com>
Co-authored-by: Bénédikt Tran <10796600+picnixz@users.noreply.github.com>
PyObject_GetBuffer() can execute user code (e.g. via __buffer__), which may
close or otherwise mutate a BytesIO object while write() or writelines()
is in progress. This could invalidate the internal buffer and lead to a
use-after-free.
Ensure that PyObject_GetBuffer() is called before validation checks.
(cherry picked from commit 6d54b6ac7d5744e1f59d784c8e020d632d2959a3)
Co-authored-by: zhong <60600792+superboy-zjc@users.noreply.github.com>
Previously, this could cause crash or data corruption, now concurrent calls
of methods of the same object raise RuntimeError.
(cherry picked from commit d1282efb2b847bf9274d78c5f15ea00499b2c894)
[3.13] gh-143309: fix UAF in `os.execve` when the environment is concurrently mutated (GH-143314) (#143431)
(cherry picked from commit 9609574e7fd36edfaa8b575558a82cc14e65bfbc)
(cherry picked from commit c99f7667436d8978b4077704333e2a351f2a026f)
gh-143200: fix UAFs in `Element.__{set,get}item__` when the element is concurrently mutated (GH-143226)
(cherry picked from commit b6b0e14b3d4aa9e9b89bef9a516177238883e1a7)
Co-authored-by: Bénédikt Tran <10796600+picnixz@users.noreply.github.com>
The result tuple was leaked if __ctypes_from_outparam__() failed for any item.
(cherry picked from commit 579c5b496b467a2b175cb30caa4f6873cb13c9a1)
Signed-off-by: Yongtao Huang <yongtaoh2022@gmail.com>
Co-authored-by: Yongtao Huang <yongtaoh2022@gmail.com>
This happened when the Counter was mutated when incrementing
the value for an existing key.
(cherry picked from commit 86d904588e8c84c7fccb8faf84b343f03461970d)
Co-authored-by: kaushal trivedi <155625932+Kaushalt2004@users.noreply.github.com>
gh-122431: Correct the non-negative error message in `readline.append_history_file` (GH-143075)
"positive" -> "non-negative", since zero is included.
(cherry picked from commit a273bc99d2ff853f59ee6da4d897b1be72a03975)
Co-authored-by: Zheng Yu <dataisland@outlook.com>
gh-143012: use `Py_ssize_t` cast for `PyBytes_FromStringAndSize` (GH-143013)
(cherry picked from commit 5989095dfd08735525f2b615066bc3c231b09388)
Co-authored-by: AZero13 <gfunni234@gmail.com>
gh-141801: Use accessors for ASN1_STRING fields in libssl (GH-141802)
* gh-141801: Use accessors for ASN1_STRING fields
While ASN1_STRING is currently exposed, it is better to use the
accessors. See https://github.com/openssl/openssl/issues/29117 where, if
the type were opaque, OpenSSL's X509 objects could be much more
memory-efficient.
* Update Modules/_ssl.c
* Update Modules/_ssl.c
---------
(cherry picked from commit c41fce08a5d7aae8fd9e3fa25e0ba521600e097c)
Co-authored-by: David Benjamin <davidben@davidben.net>
Co-authored-by: Bénédikt Tran <10796600+picnixz@users.noreply.github.com>
[3.14] gh-137109: refactor warning about threads when forking (GH-141438) (GH-141614)
This splits the OS API specific functionality to get the number of threads out
from the fallback Python method and warning raising code itself. This way the
OS APIs can be queried before we've run
`os.register_at_fork(after_in_parent=...)` registered functions which
themselves may (re)start threads that would otherwise be detected.
This is best effort. If the OS APIs are either unavailable or fail, the
warning generating code still falls back to looking at the Python threading
state after the CPython interpreter world has been restarted and the
after_in_parent calls have been made. The common case for most Linux and macOS
environments should work today.
This also lines up with the existing TODO refactoring, we may choose to expose
this API to get the number of OS threads in the `os` module in the future.
Note: This is a simplified backport that maintains the void return type
for warn_about_fork_with_threads() and keeps PyErr_Clear() in the warning path,
as the error handling changes from fd8f42d3d1 are not needed in 3.14.
(cherry picked from commit 0d8fb0b8523769e24f249d19dab3781a10b50e8b)
Co-authored-by: Gregory P. Smith <68491+gpshead@users.noreply.github.com>
Fix error in assertion which causes failure if pos is equal to PY_SSIZE_T_MAX.
Fix undefined behavior in read() and readinto() if pos is larger that the size
of the underlying buffer.
(cherry picked from commit 7d54374f9c7d91e0ef90c4ad84baf10073cf1d8a)
gh-132657: add regression test for `PySet_Contains` with unhashable type (GH-141411)
(cherry picked from commit 2ac738d325a6934e39fecb097f43d4d4ed97a2b9)
Co-authored-by: M Bussonnier <bussonniermatthias@gmail.com>
Previously, socket.if_nametoindex() and socket.if_indextoname() could raise
an `OSError` with a `None` errno. Now, the errno from libc is propagated.
(cherry picked from commit 3ce2d57b2f02030353af314d89c5f6215d2f5c96)
* Refer to bytes objects or bytes-like objects instead of strings.
* Remove backticks -- they do not have effect on formatting.
* Re-wrap lines to ensure the pydoc output fits in 80 columns.
(cherry picked from commit 610377056bad696915d70590429e68002bee9006)
(cherry picked from commit 1a080199aff6d98b476ab19e409d7ca4d56cb3c6)
Fix a compiler warning in _randommodule.c (GH-141058)
The test just before the cast ensures that the cast cannot overflow.
Fix the warning on 32-bit Windows:
Modules\_randommodule.c(525,28): warning C4244: '=': conversion
from 'uint64_t' to 'Py_ssize_t', possible loss of data
(cherry picked from commit 4ac16dd10950fad2d3e58e8b0ba5f2e621af3cc1)
Co-authored-by: Victor Stinner <vstinner@python.org>
It was too lenient and allowed MARK opcodes with too large value.
(cherry picked from commit 1326d2a808245e5f2de9e515460bab30556e8f05)
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
* gh-90949: add Expat API to prevent XML deadly allocations (CVE-2025-59375) (#139234)
Expose the XML Expat 2.7.2 mitigation APIs to disallow use of
disproportional amounts of dynamic memory from within an Expat
parser (see CVE-2025-59375 for instance).
The exposed APIs are available on Expat parsers, that is,
parsers created by `xml.parsers.expat.ParserCreate()`, as:
- `parser.SetAllocTrackerActivationThreshold(threshold)`, and
- `parser.SetAllocTrackerMaximumAmplification(max_factor)`.
(cherry picked from commit f04bea44c37793561d753dd4ca6e7cd658137553)
(cherry picked from commit 68a1778b7721f3fb853cd3aa674f7039c2a4df36)
* [3.13] gh-140607: Validate returned byte count in RawIOBase.read (GH-140611)
While `RawIOBase.readinto` should return a count of bytes between 0 and
the length of the given buffer, it is not required to. Add validation
inside RawIOBase.read() that the returned byte count is valid.
(cherry picked from commit 0f0a362768aecb4c791724cce486d8317533a94d)
Co-authored-by: Cody Maloney <cmaloney@users.noreply.github.com>
Co-authored-by: Shamil <ashm.tech@proton.me>
Co-authored-by: Victor Stinner <vstinner@python.org>
* fixup: Use older attribute name
---------
Co-authored-by: Shamil <ashm.tech@proton.me>
Co-authored-by: Victor Stinner <vstinner@python.org>
[3.13] gh-140593: Fix a memory leak in function `my_ElementDeclHandler` of `pyexpat` (GH-140602)
Ensure that the memory allocated for the content model
passed to `my_ElementDeclHandler` is freed in all error
paths.
(cherry picked from commit e34a5e33049ce845de646cf24a498766a2da3586)
