From 0c50fa41c639b7523f9a09f48928c72ea1f0bbcc Mon Sep 17 00:00:00 2001
From: Stan Ulbrych <89152624+StanFromIreland@users.noreply.github.com>
Date: Sun, 15 Mar 2026 21:46:06 +0000
Subject: [PATCH 1/2] [3.10] gh-145986: Avoid unbound C recursion in
 `conv_content_model` in `pyexpat.c` (CVE 2026-4224) (GH-145987)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Fix C stack overflow (CVE-2026-4224) when an Expat parser
with a registered `ElementDeclHandler` parses inline DTD
containing deeply nested content model.

---------
(cherry picked from commit eb0e8be3a7e11b87d198a2c3af1ed0eccf532768)
(cherry picked from commit e5caf45faac74b0ed869e3336420cffd3510ce6e)

Co-authored-by: Stan Ulbrych <89152624+StanFromIreland@users.noreply.github.com>
Co-authored-by: Bénédikt Tran <10796600+picnixz@users.noreply.github.com>
---
 Lib/test/test_pyexpat.py                      | 20 ++++++++++++++++++-
 ...-03-14-17-31-39.gh-issue-145986.ifSSr8.rst |  4 ++++
 Modules/pyexpat.c                             |  8 +++++++-
 3 files changed, 30 insertions(+), 2 deletions(-)
 create mode 100644 Misc/NEWS.d/next/Security/2026-03-14-17-31-39.gh-issue-145986.ifSSr8.rst

diff --git a/Lib/test/test_pyexpat.py b/Lib/test/test_pyexpat.py
index 54be69656fab7a..1024e20e6c36b2 100644
--- a/Lib/test/test_pyexpat.py
+++ b/Lib/test/test_pyexpat.py
@@ -16,7 +16,7 @@
 from xml.parsers import expat
 from xml.parsers.expat import errors
 
-from test.support import import_helper
+from test.support import import_helper, infinite_recursion
 from test.support import sortdict
 
 
@@ -648,6 +648,24 @@ def test_change_size_2(self):
         parser.Parse(xml2, True)
         self.assertEqual(self.n, 4)
 
+class ElementDeclHandlerTest(unittest.TestCase):
+    def test_deeply_nested_content_model(self):
+        # This should raise a RecursionError and not crash.
+        # See https://github.com/python/cpython/issues/145986.
+        N = 500_000
+        data = (
+            b'<!DOCTYPE root [\n<!ELEMENT root '
+            + b'(a, ' * N + b'a' + b')' * N
+            + b'>\n]>\n<root/>\n'
+        )
+
+        parser = expat.ParserCreate()
+        parser.ElementDeclHandler = lambda _1, _2: None
+        with infinite_recursion():
+            with self.assertRaises(RecursionError):
+                parser.Parse(data)
+
+
 class MalformedInputTest(unittest.TestCase):
     def test1(self):
         xml = b"\0\r\n"
diff --git a/Misc/NEWS.d/next/Security/2026-03-14-17-31-39.gh-issue-145986.ifSSr8.rst b/Misc/NEWS.d/next/Security/2026-03-14-17-31-39.gh-issue-145986.ifSSr8.rst
new file mode 100644
index 00000000000000..79536d1fef543f
--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2026-03-14-17-31-39.gh-issue-145986.ifSSr8.rst
@@ -0,0 +1,4 @@
+:mod:`xml.parsers.expat`: Fixed a crash caused by unbounded C recursion when
+converting deeply nested XML content models with
+:meth:`~xml.parsers.expat.xmlparser.ElementDeclHandler`.
+This addresses :cve:`2026-4224`.
diff --git a/Modules/pyexpat.c b/Modules/pyexpat.c
index 8838c32889f73a..a679ed08cf4620 100644
--- a/Modules/pyexpat.c
+++ b/Modules/pyexpat.c
@@ -574,6 +574,10 @@ static PyObject *
 conv_content_model(XML_Content * const model,
                    PyObject *(*conv_string)(const XML_Char *))
 {
+    if (Py_EnterRecursiveCall(" in conv_content_model")) {
+        return NULL;
+    }
+
     PyObject *result = NULL;
     PyObject *children = PyTuple_New(model->numchildren);
     int i;
@@ -585,7 +589,7 @@ conv_content_model(XML_Content * const model,
                                                  conv_string);
             if (child == NULL) {
                 Py_XDECREF(children);
-                return NULL;
+                goto done;
             }
             PyTuple_SET_ITEM(children, i, child);
         }
@@ -593,6 +597,8 @@ conv_content_model(XML_Content * const model,
                                model->type, model->quant,
                                conv_string,model->name, children);
     }
+done:
+    Py_LeaveRecursiveCall();
     return result;
 }
 

From d013b14aec4fce7d4619a8fb4fbdb241d529456e Mon Sep 17 00:00:00 2001
From: Stan Ulbrych <89152624+StanFromIreland@users.noreply.github.com>
Date: Sun, 15 Mar 2026 22:20:18 +0000
Subject: [PATCH 2/2] Update
 Misc/NEWS.d/next/Security/2026-03-14-17-31-39.gh-issue-145986.ifSSr8.rst

---
 .../Security/2026-03-14-17-31-39.gh-issue-145986.ifSSr8.rst     | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Misc/NEWS.d/next/Security/2026-03-14-17-31-39.gh-issue-145986.ifSSr8.rst b/Misc/NEWS.d/next/Security/2026-03-14-17-31-39.gh-issue-145986.ifSSr8.rst
index 79536d1fef543f..cb9dbadb72d976 100644
--- a/Misc/NEWS.d/next/Security/2026-03-14-17-31-39.gh-issue-145986.ifSSr8.rst
+++ b/Misc/NEWS.d/next/Security/2026-03-14-17-31-39.gh-issue-145986.ifSSr8.rst
@@ -1,4 +1,4 @@
 :mod:`xml.parsers.expat`: Fixed a crash caused by unbounded C recursion when
 converting deeply nested XML content models with
 :meth:`~xml.parsers.expat.xmlparser.ElementDeclHandler`.
-This addresses :cve:`2026-4224`.
+This addresses `CVE-2026-4224 <https://www.cve.org/CVERecord?id=CVE-2026-4224>`_.