gh-148535: Fix heap buffer overflow in pyexpat CharacterDataHandler

ByteFlowing1337 · ByteFlowing1337 · commit 6138a7822c28 · 2026-04-23T13:05:18.000+08:00
diff --git a/Misc/NEWS.d/next/Library/2026-04-23-12-50-15.gh-issue-148441.zvpCkR.rst b/Misc/NEWS.d/next/Library/2026-04-23-12-50-15.gh-issue-148441.zvpCkR.rst
@@ -0,0 +1,2 @@
+Fix heap buffer overflow in pyexpat CharacterDataHandler, which is caused by
+two signed intergets added up.
diff --git a/Modules/pyexpat.c b/Modules/pyexpat.c
@@ -393,7 +393,7 @@ my_CharacterDataHandler(void *userData, const XML_Char *data, int len)
     if (self->buffer == NULL)
         call_character_handler(self, data, len);
     else {
-        if ((self->buffer_used + len) > self->buffer_size) {
+        if (len > (self->buffer_size - self->buffer_used)) {
             if (flush_character_buffer(self) < 0)
                 return;
             /* handler might have changed; drop the rest on the floor

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+Fix heap buffer overflow in pyexpat CharacterDataHandler, which is caused by`
	`2`	`+two signed intergets added up.`