[3.14] gh-149018: Use `XML_SetHashSalt16Bytes` in `pyexpat`/`_elementtree` when possible (GH-149023)#149646

StanFromIreland

(cherry picked from commit 24b8f12)

Issue: [CVE-2026-7210] Insufficient entropy in pyexpat with protection against hash flooding #149018

…lementtree` when possible (pythonGH-149023) (cherry picked from commit 24b8f12) Co-authored-by: Stan Ulbrych <stan@python.org>

StanFromIreland

@picnixz I think I had it confused with this one, I think this one needs a review since I fixed conflicts (SetBillionLaughsAttackProtectionMaximumAmplification wasn't backported to 3.14 and caused the issue IIRC)?

picnixz

Wait, SetBillionLaughsAttackProtectionMaximumAmplification isn't backported? Oh I think I totally forgot about it!

StanFromIreland

Wait, SetBillionLaughsAttackProtectionMaximumAmplification isn't backported? Oh I think I totally forgot about it!

We're all forgetting backports it seems ;-)

zpe-lucasc

Hi! Is there any ETA for a backport to 3.10?

hugovk

#150496 has been backported, this now has a conflict and is awaiting review.

miss-islington-app

Thanks @StanFromIreland for the PR 🌮🎉.. I'm working now to backport this PR to: 3.10, 3.11, 3.12, 3.13.
🐍🍒⛏🤖

miss-islington-app

Sorry, @StanFromIreland, I could not cleanly backport this to 3.13 due to a conflict.
Please backport using cherry_picker on command line.

cherry_picker eeea765cb9d8f1fc3d8918b272ac3c477983f27a 3.13

miss-islington-app

Sorry, @StanFromIreland, I could not cleanly backport this to 3.12 due to a conflict.
Please backport using cherry_picker on command line.

cherry_picker eeea765cb9d8f1fc3d8918b272ac3c477983f27a 3.12

miss-islington-app

Sorry, @StanFromIreland, I could not cleanly backport this to 3.11 due to a conflict.
Please backport using cherry_picker on command line.

cherry_picker eeea765cb9d8f1fc3d8918b272ac3c477983f27a 3.11

miss-islington-app

Sorry, @StanFromIreland, I could not cleanly backport this to 3.10 due to a conflict.
Please backport using cherry_picker on command line.

cherry_picker eeea765cb9d8f1fc3d8918b272ac3c477983f27a 3.10

StanFromIreland

3.13 and co. blocked by #151151.

al20ov

I'm seeing a crash in FreeCAD since I updated to 3.14.6 when I open the CAM workbench (and possibly in other places) and it seems to be related. This did not happen in 3.14.5:

Program received signal SIGSEGV, Segmentation fault.
#0  /usr/lib/libc.so.6(+0x40110) [0x14abe7056110]
#1  /usr/lib/libexpat.so.1(XML_SetHashSalt16Bytes+0x13) [0x14abe61cad73]
#2  /usr/lib/python3.14/lib-dynload/_elementtree.cpython-314-x86_64-linux-gnu.so(+0x9567) [0x14abc3f82567]
#3  /usr/lib/libpython3.14.so.1.0(+0x1dc6b3) [0x14abe91dc6b3]
#4  /usr/lib/libpython3.14.so.1.0(_PyObject_MakeTpCall+0x71) [0x14abe91ade71]
#5  /usr/lib/libpython3.14.so.1.0(_PyEval_EvalFrameDefault+0xdda) [0x14abe91fdafa]
#6  /usr/lib/libpython3.14.so.1.0(+0x1b3d40) [0x14abe91b3d40]
#7  /usr/lib/python3.14/lib-dynload/_asyncio.cpython-314-x86_64-linux-gnu.so(+0x80c4) [0x14ab850620c4]
#8  /usr/lib/python3.14/lib-dynload/_asyncio.cpython-314-x86_64-linux-gnu.so(+0x8ce4) [0x14ab85062ce4]
#9  /usr/lib/libpython3.14.so.1.0(_PyObject_MakeTpCall+0x71) [0x14abe91ade71]
#10  /usr/lib/libpython3.14.so.1.0(+0x131652) [0x14abe9131652]
#11  /usr/lib/libpython3.14.so.1.0(_PyEval_EvalFrameDefault+0x4958) [0x14abe9201678]
#12  /usr/lib/libpython3.14.so.1.0(+0x1fbd77) [0x14abe91fbd77]
#13  /usr/lib/libpython3.14.so.1.0(+0x1af3e8) [0x14abe91af3e8]
#14  0x14abe9e1c36b in App::FeaturePythonImp::onDocumentRestored() from /usr/lib/freecad/lib64/libFreeCADApp.so+0x1ab
#15  0x14ab87323130 in App::FeaturePythonT<Part::Feature>::onDocumentRestored() from /usr/lib/freecad/lib64/Part.so+0x10
#16  0x14abe9d2a820 in App::Document::afterRestore(std::vector<App::DocumentObject*, std::allocator<App::DocumentObject*> > const&, bool) from /usr/lib/freecad/lib64/libFreeCADApp.so+0x680
#17  0x14abe9d2baa2 in App::Document::afterRestore(bool) from /usr/lib/freecad/lib64/libFreeCADApp.so+0x62
#18  0x14abe9f8cb8c in App::Application::openDocuments(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const*, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const*, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >*, App::DocumentInitFlags) from /usr/lib/freecad/lib64/libFreeCADApp.so+0x15cc
#19  0x14abe9f8dcb7 in App::Application::openDocument(char const*, App::DocumentInitFlags) from /usr/lib/freecad/lib64/libFreeCADApp.so+0x107
#20  0x14abe9fc0a93 in App::Application::sOpenDocument(_object*, _object*, _object*) from /usr/lib/freecad/lib64/libFreeCADApp.so+0x113
#21  /usr/lib/libpython3.14.so.1.0(+0x1cf321) [0x14abe91cf321]
#22  /usr/lib/libpython3.14.so.1.0(_PyObject_MakeTpCall+0x71) [0x14abe91ade71]
#23  /usr/lib/libpython3.14.so.1.0(_PyEval_EvalFrameDefault+0xc9f) [0x14abe91fd9bf]
#24  /usr/lib/libpython3.14.so.1.0(+0x1fbd77) [0x14abe91fbd77]
#25  /usr/lib/libpython3.14.so.1.0(PyEval_EvalCode+0xc4) [0x14abe929eb84]
#26  /usr/lib/libpython3.14.so.1.0(+0x2c0d63) [0x14abe92c0d63]
#27  /usr/lib/libpython3.14.so.1.0(+0x2c084a) [0x14abe92c084a]
#28  0x14abe97d7692 in Base::InterpreterSingleton::runString[abi:cxx11](char const*) from /usr/lib/freecad/lib64/libFreeCADBase.so+0x62
#29  0x14abeabe6302 in Gui::Command::_runCommand(char const*, int, Gui::Command::DoCmd_Type, char const*) from /usr/lib/freecad/lib64/libFreeCADGui.so+0x92
#30  0x14abeabe64a7 in Gui::Command::_doCommand(char const*, int, Gui::Command::DoCmd_Type, char const*, ...) from /usr/lib/freecad/lib64/libFreeCADGui.so+0xf7
#31  0x14abeaa7f927 in Gui::Application::open(char const*, char const*) from /usr/lib/freecad/lib64/libFreeCADGui.so+0x4f7
#32  0x14abeab86b63 in Gui::ModuleIO::openFile(QString const&) from /usr/lib/freecad/lib64/libFreeCADGui.so+0xd3
#33  0x14abeabd4518 in Gui::RecentFilesAction::activateFile(int) from /usr/lib/freecad/lib64/libFreeCADGui.so+0x1b8
#34  0x14abeabecf97 in Gui::Command::_invoke(int, bool) from /usr/lib/freecad/lib64/libFreeCADGui.so+0x207
#35  0x14abeabed3a6 in Gui::Command::invoke(int, Gui::Command::TriggerSource) from /usr/lib/freecad/lib64/libFreeCADGui.so+0x126
#36  /usr/lib/libQt6Core.so.6(+0x1e3eff) [0x14abe77e3eff]
#37  0x14abe83a0103 in QActionGroup::triggered(QAction*) from /usr/lib/libQt6Gui.so.6+0x43
#38  /usr/lib/libQt6Core.so.6(+0x1e3eff) [0x14abe77e3eff]
#39  0x14abe839b966 in QAction::triggered(bool) from /usr/lib/libQt6Gui.so.6+0x46
#40  0x14abe839e576 in QAction::activate(QAction::ActionEvent) from /usr/lib/libQt6Gui.so.6+0x106
#41  /usr/lib/libQt6Widgets.so.6(+0x38772c) [0x14abe8b8772c]
#42  /usr/lib/libQt6Widgets.so.6(+0x3901a9) [0x14abe8b901a9]
#43  0x14abe89f0878 in QWidget::event(QEvent*) from /usr/lib/libQt6Widgets.so.6+0x2a8
#44  0x14abe89888ea in QApplicationPrivate::notify_helper(QObject*, QEvent*) from /usr/lib/libQt6Widgets.so.6+0x8a
#45  0x14abe8992ec4 in QApplication::notify(QObject*, QEvent*) from /usr/lib/libQt6Widgets.so.6+0xdd4
#46  0x14abeab750c8 in Gui::GUIApplication::notify(QObject*, QEvent*) from /usr/lib/freecad/lib64/libFreeCADGui.so+0xc8
#47  0x14abe7788b08 in QCoreApplication::notifyInternal2(QObject*, QEvent*) from /usr/lib/libQt6Core.so.6+0x168
#48  0x14abe8991953 in QApplicationPrivate::sendMouseEvent(QWidget*, QMouseEvent*, QWidget*, QWidget*, QWidget**, QPointer<QWidget>&, bool, bool) from /usr/lib/libQt6Widgets.so.6+0x5c3
#49  /usr/lib/libQt6Widgets.so.6(+0x20522d) [0x14abe8a0522d]
#50  /usr/lib/libQt6Widgets.so.6(+0x2079c0) [0x14abe8a079c0]
#51  0x14abe89888ea in QApplicationPrivate::notify_helper(QObject*, QEvent*) from /usr/lib/libQt6Widgets.so.6+0x8a
#52  0x14abeab750c8 in Gui::GUIApplication::notify(QObject*, QEvent*) from /usr/lib/freecad/lib64/libFreeCADGui.so+0xc8
#53  0x14abe7788b08 in QCoreApplication::notifyInternal2(QObject*, QEvent*) from /usr/lib/libQt6Core.so.6+0x168
#54  0x14abe802f43c in QWindowPrivate::forwardToPopup(QEvent*, QWindow const*) from /usr/lib/libQt6Gui.so.6+0x45c
#55  0x14abe7fd6de6 in QGuiApplicationPrivate::processMouseEvent(QWindowSystemInterfacePrivate::MouseEvent*) from /usr/lib/libQt6Gui.so.6+0xbc6
#56  0x14abe80372fc in QWindowSystemInterface::sendWindowSystemEvents(QFlags<QEventLoop::ProcessEventsFlag>) from /usr/lib/libQt6Gui.so.6+0xac
#57  /usr/lib/qt6/plugins/platforms/../../../../lib/libQt6XcbQpa.so.6(+0x5d7ce) [0x14abe372a7ce]
#58  /usr/lib/libglib-2.0.so.0(+0x5aaf6) [0x14abe5d04af6]
#59  /usr/lib/libglib-2.0.so.0(+0x5e077) [0x14abe5d08077]
#60  /usr/lib/libglib-2.0.so.0(g_main_context_iteration+0x2c) [0x14abe5d087cc]
#61  0x14abe7a309f3 in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) from /usr/lib/libQt6Core.so.6+0x73
#62  0x14abe7794fe2 in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) from /usr/lib/libQt6Core.so.6+0x132
#63  0x14abe779091c in QCoreApplication::exec() from /usr/lib/libQt6Core.so.6+0xac
#64  0x14abeaa8ddbf in Gui::Application::runApplication() from /usr/lib/freecad/lib64/libFreeCADGui.so+0xb1f
#65  FreeCAD(+0x8243) [0x55aa831e5243]
#66  /usr/lib/libc.so.6(+0x2abfc) [0x14abe7040bfc]
#67  /usr/lib/libc.so.6(__libc_start_main+0x85) [0x14abe7040cb5]
#68  FreeCAD(+0x8581) [0x55aa831e5581]

Here's gdb when it crashes:

Thread 1 "FreeCAD" received signal SIGSEGV, Segmentation fault.
0x000015554e9dbd73 in XML_SetHashSalt16Bytes () from /usr/lib/libexpat.so.1
(gdb) disassemble /m XML_SetHashSalt16Bytes
Dump of assembler code for function XML_SetHashSalt16Bytes:
   0x000015554e9dbd60 <+0>:	test   %rdi,%rdi
   0x000015554e9dbd63 <+3>:	je     0x15554e9dbdd0 <XML_SetHashSalt16Bytes+112>
   0x000015554e9dbd65 <+5>:	test   %rsi,%rsi
   0x000015554e9dbd68 <+8>:	je     0x15554e9dbdd0 <XML_SetHashSalt16Bytes+112>
   0x000015554e9dbd6a <+10>:	nopw   0x0(%rax,%rax,1)
   0x000015554e9dbd70 <+16>:	mov    %rdi,%rax
=> 0x000015554e9dbd73 <+19>:	mov    0x3b0(%rdi),%rdi
   0x000015554e9dbd7a <+26>:	test   %rdi,%rdi
   0x000015554e9dbd7d <+29>:	jne    0x15554e9dbd70 <XML_SetHashSalt16Bytes+16>
   0x000015554e9dbd7f <+31>:	mov    0x3b8(%rax),%edx
   0x000015554e9dbd85 <+37>:	xor    %ecx,%ecx
   0x000015554e9dbd87 <+39>:	and    $0xfffffffd,%edx
   0x000015554e9dbd8a <+42>:	cmp    $0x1,%edx
   0x000015554e9dbd8d <+45>:	je     0x15554e9dbdd2 <XML_SetHashSalt16Bytes+114>
   0x000015554e9dbd8f <+47>:	push   %rbp
   0x000015554e9dbd90 <+48>:	lea    0x18314(%rip),%rdi        # 0x15554e9f40ab
   0x000015554e9dbd97 <+55>:	push   %rbx
   0x000015554e9dbd98 <+56>:	sub    $0x8,%rsp
   0x000015554e9dbd9c <+60>:	mov    (%rsi),%rbx
   0x000015554e9dbd9f <+63>:	mov    %rbx,0x3c8(%rax)
   0x000015554e9dbda6 <+70>:	mov    0x8(%rsi),%rbp
   0x000015554e9dbdaa <+74>:	movb   $0x1,0x3d8(%rax)
   0x000015554e9dbdb1 <+81>:	mov    %rbp,0x3d0(%rax)
   0x000015554e9dbdb8 <+88>:	call   0x15554e9d68c0
   0x000015554e9dbdbd <+93>:	test   %rax,%rax
   0x000015554e9dbdc0 <+96>:	jne    0x15554e9dbdd8 <XML_SetHashSalt16Bytes+120>
   0x000015554e9dbdc2 <+98>:	add    $0x8,%rsp
   0x000015554e9dbdc6 <+102>:	mov    $0x1,%eax
   0x000015554e9dbdcb <+107>:	pop    %rbx
   0x000015554e9dbdcc <+108>:	pop    %rbp
   0x000015554e9dbdcd <+109>:	ret
   0x000015554e9dbdce <+110>:	xchg   %ax,%ax
   0x000015554e9dbdd0 <+112>:	xor    %ecx,%ecx
   0x000015554e9dbdd2 <+114>:	mov    %ecx,%eax
   0x000015554e9dbdd4 <+116>:	ret
   0x000015554e9dbdd5 <+117>:	nopl   (%rax)
   0x000015554e9dbdd8 <+120>:	mov    0x23201(%rip),%rax        # 0x15554e9fefe0
   0x000015554e9dbddf <+127>:	mov    %rbp,%r9
   0x000015554e9dbde2 <+130>:	mov    %rbx,%r8
   0x000015554e9dbde5 <+133>:	lea    0x182df(%rip),%rcx        # 0x15554e9f40cb
   0x000015554e9dbdec <+140>:	lea    0x18bbd(%rip),%rdx        # 0x15554e9f49b0
   0x000015554e9dbdf3 <+147>:	mov    $0x1,%esi
   0x000015554e9dbdf8 <+152>:	mov    (%rax),%rdi
   0x000015554e9dbdfb <+155>:	xor    %eax,%eax
   0x000015554e9dbdfd <+157>:	call   0x15554e9d6190 <__fprintf_chk@plt>
   0x000015554e9dbe02 <+162>:	add    $0x8,%rsp
   0x000015554e9dbe06 <+166>:	mov    $0x1,%eax
   0x000015554e9dbe0b <+171>:	pop    %rbx
   0x000015554e9dbe0c <+172>:	pop    %rbp
   0x000015554e9dbe0d <+173>:	ret
End of assembler dump.
(gdb) info registers
rax            0x2578232065747962  2699946598656670050
rbx            0x155468ff2480      23452282987648
rcx            0x0                 0
rdx            0x1554ea676a30      23454454082096
rsi            0x155551debb90      23456189954960
rdi            0x2578232065747962  2699946598656670050
rbp            0x1554690cdfc0      0x1554690cdfc0
rsp            0x7fffffff6b78      0x7fffffff6b78
r8             0x2                 2
r9             0x6                 6
r10            0x55555b9c6ba8      93825097558952
r11            0x55555b9c6ba0      93825097558944
r12            0x1554ea6d97f0      23454454487024
r13            0x0                 0
r14            0x1555519dc5c0      23456185697728
r15            0x155551d43230      23456189264432
rip            0x15554e9dbd73      0x15554e9dbd73 <XML_SetHashSalt16Bytes+19>
eflags         0x10202             [ IF RF ]
cs             0x33                51
ss             0x2b                43
ds             0x0                 0
es             0x0                 0
fs             0x0                 0
gs             0x0                 0
k0             0x82100             532736
k1             0x0                 0
k2             0xff                255
k3             0x0                 0
k4             0xffffdfff          4294959103
k5             0x100047            1048647
k6             0x3a0007            3801095
k7             0x0                 0
pl3_ssp        <unavailable>
fs_base        0x15554c8a0940      23456100518208
gs_base        0x0                 0

picnixz

cc @hartwork

hartwork

@picnixz I'm not sure why the call to XML_SetHashSalt16Bytes would crash and I'm not sure what to read from the crash output up there. There are no other reports like that that I would be aware of. @al20ov if you can, please try this again with line based debugging symbols including libexpat and or help us interpret the cause of the crash please and open a dedicated issue to either libexpat upstream or cpython depending on what you find for a cause after in-depth analysis. Thank you!

hartwork

@picnixz @al20ov PS: when I fed these logs to AI for help it was hinting at the parser pointer being corrupted which could mean that libexpat is the explosion site but the cause is prior and outside. Maybe there is a chance to run this instrumented with e.g. AddressSanitizer to get closer to a cause of prior memory corruption. Just thinking aloud here.

CC @Smattr @berkayurun

al20ov

Sorry, I didn't know if this was the best place to report this but I couldn't find any similar issues and the combination of a recent CPython update then XML_SetHashSalt16Bytes and expat in the crash logs led me here. I'll try to run this with instrumentation tomorrow and report back if I find anything of value.

al20ov

I installed python3-dbg and expat-dbg for debug symbols and here's what that looks like:

Thread 1 "FreeCAD" received signal SIGSEGV, Segmentation fault.
0x00007ffff0431d73 in getRootParserOf (parser=<optimized out>, outLevelDiff=<optimized out>) at ./lib/xmlparse.c:8653
⚠️ warning: 8653	./lib/xmlparse.c: No such file or directory
(gdb) disassemble /m XML_SetHashSalt16Bytes
Dump of assembler code for function XML_SetHashSalt16Bytes:
1068	in ./lib/xmlparse.c
1069	in ./lib/xmlparse.c
   0x00007ffff0431d90 <+48>:	lea    0x18314(%rip),%rdi        # 0x7ffff044a0ab
   0x00007ffff0431db8 <+88>:	call   0x7ffff042c8c0 <getDebugLevel>
   0x00007ffff0431dbd <+93>:	test   %rax,%rax
   0x00007ffff0431dc0 <+96>:	jne    0x7ffff0431dd8 <XML_SetHashSalt16Bytes+120>

1070	in ./lib/xmlparse.c
1071	in ./lib/xmlparse.c
1072	in ./lib/xmlparse.c
1073	in ./lib/xmlparse.c
1074	in ./lib/xmlparse.c
1075	in ./lib/xmlparse.c
1076	in ./lib/xmlparse.c
1077	in ./lib/xmlparse.c
[...]




(gdb) frame 2
#2  0x00007fffc410d567 in _elementtree_XMLParser___init___impl (self=0x7ffef84fe480, target=0x7ffef85ddfc0, encoding=<optimized out>)
    at ./Modules/_elementtree.c:3733
⚠️ warning: 3733	./Modules/_elementtree.c: No such file or directory
(gdb) info locals
st = 0x7fff871f17f0
st = <optimized out>
_tmp_op_ptr = <optimized out>
_tmp_old_op = <optimized out>
_tmp_op_ptr = <optimized out>
_tmp_old_op = <optimized out>
_tmp_op_ptr = <optimized out>
_tmp_old_op = <optimized out>
_tmp_op_ptr = <optimized out>
_tmp_old_op = <optimized out>
_tmp_op_ptr = <optimized out>
_tmp_old_op = <optimized out>
(gdb) info args
self = 0x7ffef84fe480
target = 0x7ffef85ddfc0
encoding = <optimized out>
(gdb) p self->parser
$1 = (XML_Parser) 0x55555b9c80c0
(gdb) p self
$2 = (XMLParserObject *) 0x7ffef84fe480





(gdb) frame 0
#0  0x00007ffff0431d73 in getRootParserOf (parser=<optimized out>, outLevelDiff=<optimized out>) at ./lib/xmlparse.c:8653
⚠️ warning: 8653	./lib/xmlparse.c: No such file or directory
(gdb) p *(XML_Parser)0x55555b9c80c0
$3 = {m_userData = 0x0, m_handlerArg = 0x0, m_buffer = 0x0, m_mem = {malloc_fcn = 0x7ffff45d1ff0 <PyMem_Malloc>, 
    realloc_fcn = 0x7ffff45d24c0 <PyMem_Realloc>, free_fcn = 0x7ffff45d2180 <PyMem_Free>}, m_bufferPtr = 0x0, m_bufferEnd = 0x0, 
  m_bufferLim = 0x0, m_parseEndByteIndex = 0, m_parseEndPtr = 0x0, m_partialTokenBytesBefore = 93825098000736, 
  m_reparseDeferralEnabled = 96 '`', m_lastBufferRequestSize = 21845, m_dataBuf = 0x0, m_dataBufEnd = 0x0, m_startElementHandler = 0x0, 
  m_endElementHandler = 0x0, m_characterDataHandler = 0x0, m_processingInstructionHandler = 0x0, m_commentHandler = 0x0, 
  m_startCdataSectionHandler = 0x0, m_endCdataSectionHandler = 0x0, m_defaultHandler = 0x0, m_startDoctypeDeclHandler = 0x0, 
  m_endDoctypeDeclHandler = 0x0, m_unparsedEntityDeclHandler = 0x0, m_notationDeclHandler = 0x0, m_startNamespaceDeclHandler = 0x0, 
  m_endNamespaceDeclHandler = 0x0, m_notStandaloneHandler = 0x55555b9c80c0, m_externalEntityRefHandler = 0x0, 
  m_externalEntityRefHandlerArg = 0x0, m_skippedEntityHandler = 0x0, m_unknownEncodingHandler = 0x0, m_elementDeclHandler = 0x0, 
  m_attlistDeclHandler = 0x0, m_entityDeclHandler = 0x55555b9c81e8, m_xmlDeclHandler = 0x7ffff1df8570, m_encoding = 0x7ffff1df8550, 
  m_initEncoding = {initEnc = {scanners = {0x7ffef843ce30, 0x7ffef85d0df0, 0x7ffef843cf30, 0x7ffef843d030}, literalScanners = {
        0x7ffef85d0f50, 0x7ffef85d10b0}, nameMatchesAscii = 0x7ffef843d130, nameLength = 0x7ffef85d1210, skipS = 0x7ffef85d1370, 
      getAtts = 0x7ffff1df7e50, charRefNumber = 0x7ffef866f6d0, predefinedEntityName = 0x7ffef866f800, updatePosition = 0x7ffef85c2730, 
      isPublicId = 0x6555b9c31e0, utf8Convert = 0x55555b9c81e0, utf16Convert = 0x7ffff2273a80, minBytesPerChar = 0, isUtf8 = 0 '\000', 
      isUtf16 = 0 '\000'}, encPtr = 0x55555b9c0001}, m_internalEncoding = 0x0, m_protocolEncodingName = 0x0, m_ns = 0 '\000', 
  m_ns_triplets = 0 '\000', m_unknownEncodingMem = 0x0, m_unknownEncodingData = 0x7ffff1df4bd0, 
  m_unknownEncodingHandlerData = 0x55555b9c6a50, m_unknownEncodingRelease = 0x7ffff1df1ec0, m_prologState = {handler = 0x555500000000, 
    level = 0, role_none = 0, includeLevel = 0, documentEntity = 0, inEntityValue = 0}, m_processor = 0x0, m_errorCode = XML_ERROR_NONE, 
  m_eventPtr = 0xf493fa01 <error: Cannot access memory at address 0xf493fa01>, m_eventEndPtr = 0x0, m_positionPtr = 0x0, 
  m_openInternalEntities = 0x0, m_freeInternalEntities = 0x0, m_openAttributeEntities = 0x0, m_freeAttributeEntities = 0x0, 
  m_openValueEntities = 0x0, m_freeValueEntities = 0x0, m_defaultExpandInternalEntities = 0 '\000', m_tagLevel = 0, 
  m_declEntity = 0x7ffff4930000 <_PyRuntime+12256>, m_doctypeName = 0x7ffef833d430 "", m_doctypeSysid = 0x0, m_doctypePubid = 0x0, 
  m_declAttributeType = 0x0, m_declNotationName = 0x0, m_declNotationPublicId = 0x0, m_declElementType = 0x10, 
  m_declAttributeId = 0x7ffff4940080 <_PyRuntime+77920>, m_declAttributeIsCdata = 48 '0', m_declAttributeIsId = 204 '\314', m_dtd = 0x0, 
  m_curBase = 0x0, m_tagStack = 0x7ffff4941300 <_PyRuntime+82656>, m_freeTagList = 0x0, m_inheritedBindings = 0x0, 
  m_freeBindingList = 0x0, m_attsSize = 0, m_nSpecifiedAtts = 0, m_idAttIndex = 0, m_atts = 0x0, m_nsAtts = 0x0, 
  m_nsAttsVersion = 93825097564376, m_nsAttsPower = 0 '\000', m_position = {lineNumber = 0, columnNumber = 0}, m_tempPool = {
    blocks = 0x0, freeBlocks = 0x0, end = 0x55555b9c80d8 "\360\037]\364\377\177", ptr = 0x0, 
    start = 0x557d00000000 <error: Cannot access memory at address 0x557d00000000>, parser = 0x0}, m_temp2Pool = {
    blocks = 0x7ffe00000000, freeBlocks = 0x0, end = 0x7ffff49044c0 <_Py_NoneStruct> "", 
    ptr = 0x251 <error: Cannot access memory at address 0x251>, start = 0x1 <error: Cannot access memory at address 0x1>, 
    parser = 0x7ffff48f0260 <PyCode_Type>}, m_groupConnector = 0xb6 <error: Cannot access memory at address 0xb6>, 
  m_groupSize = 4165263632, m_namespaceSeparator = -2 '\376', m_parentParser = 0x7ffef84294d0, m_parsingStatus = {parsing = 4103284688, 
    finalBuffer = 255 '\377'}, m_isParamEntity = 3 '\003', m_useForeignDTD = 0 '\000', 
  m_paramEntityParsing = XML_PARAM_ENTITY_PARSING_UNLESS_STANDALONE, m_hash_secret_salt_128 = {k = {0, 1198295875592}}, 
  m_hash_secret_salt_set = 3 '\003', m_accounting = {countBytesDirect = 3, countBytesIndirect = 55366423412736, 
    debugLevel = 140733063684608, maximumAmplificationFactor = -1.56324889e+34, activationThresholdBytes = 140733063601712}, 
  m_alloc_tracker = {bytesAllocated = 140733063683632, peakBytesAllocated = 140733063684672, debugLevel = 140733063428944, 
    maximumAmplificationFactor = 0, activationThresholdBytes = 0}, m_entity_stats = {countEverOpened = 0, currentDepth = 0, 
    maximumDepthSeen = 0, debugLevel = 0}, m_reenter = 3 '\003'}
(gdb) p *(XML_Parser)0x7ffef84294d0
$5 = {m_userData = 0x1, m_handlerArg = 0x7ffff4908420 <PyTuple_Type>, m_buffer = 0x8 <error: Cannot access memory at address 0x8>, 
  m_mem = {malloc_fcn = 0xffffffffffffffff, realloc_fcn = 0x7fffeefacb40, free_fcn = 0x7ffef844acf0}, 
  m_bufferPtr = 0x7ffff493c768 <_PyRuntime+63304> "", m_bufferEnd = 0x7ffff493bb38 <_PyRuntime+60184> "", 
  m_bufferLim = 0x7fff9be17ef0 "", m_parseEndByteIndex = 140733063670256, m_parseEndPtr = 0x7ffef840acd0 "", 
  m_partialTokenBytesBefore = 140733063665520, m_reparseDeferralEnabled = 1 '\001', m_lastBufferRequestSize = 0, 
  m_dataBuf = 0x7ffff490ca40 <PyUnicode_Type> "", m_dataBufEnd = 0x3e <error: Cannot access memory at address 0x3e>, 
  m_startElementHandler = 0xffffffffffffffff, m_endElementHandler = 0x6e10570064, m_characterDataHandler = 0x2020202020202020, 
  m_processingInstructionHandler = 0x7261747320202020, m_commentHandler = 0x4e3d6b72616d5f74, 
  m_startCdataSectionHandler = 0x646e65202c656e6f, m_endCdataSectionHandler = 0x6f4e3d6b72616d5f, m_defaultHandler = 0x776f6c66202c656e, 
  m_startDoctypeDeclHandler = 0x4e3d656c7974735f, m_endDoctypeDeclHandler = 0xa3a29656e6f, m_unparsedEntityDeclHandler = 0x0, 
  m_notationDeclHandler = 0x1, m_startNamespaceDeclHandler = 0x7ffff490ca40 <PyUnicode_Type>, m_endNamespaceDeclHandler = 0x3a, 
  m_notStandaloneHandler = 0xffffffffffffffff, m_externalEntityRefHandler = 0x64, m_externalEntityRefHandlerArg = 0x2066656420202020, 
  m_skippedEntityHandler = 0x5f5f74696e695f5f, m_unknownEncodingHandler = 0x74202c666c657328, m_elementDeclHandler = 0x756c6176202c6761, 
  m_attlistDeclHandler = 0x7472617473202c65, m_entityDeclHandler = 0x65202c6b72616d5f, m_xmlDeclHandler = 0x296b72616d5f646e, 
  m_encoding = 0xa3a, m_initEncoding = {initEnc = {scanners = {0x0, 0x7ffef84fa080, 0x7ffef84f9fd0, 0x1}, literalScanners = {
        0x7ffff4908420 <PyTuple_Type>, 0x7}, nameMatchesAscii = 0xffffffffffffffff, nameLength = 0x7ffff49044c0 <_Py_NoneStruct>, 
      skipS = 0x55555b9fed80, getAtts = 0x7ffff49044c0 <_Py_NoneStruct>, charRefNumber = 0x7ffff49044c0 <_Py_NoneStruct>, 
      predefinedEntityName = 0x7ffff49044c0 <_Py_NoneStruct>, updatePosition = 0x7ffff49044c0 <_Py_NoneStruct>, 
      isPublicId = 0x7ffff49044c0 <_Py_NoneStruct>, utf8Convert = 0x63, utf16Convert = 0x0, minBytesPerChar = 0, isUtf8 = 0 '\000', 
      isUtf16 = 0 '\000'}, encPtr = 0x1}, m_internalEncoding = 0x7ffff4908420 <PyTuple_Type>, 
  m_protocolEncodingName = 0x7 <error: Cannot access memory at address 0x7>, m_ns = 255 '\377', m_ns_triplets = 255 '\377', 
  m_unknownEncodingMem = 0x7fffeedbc780, m_unknownEncodingData = 0x7ffff4936f10 <_PyRuntime+40688>, 
  m_unknownEncodingHandlerData = 0x7fffeec1e880, m_unknownEncodingRelease = 0x7fffeec04d50, m_prologState = {handler = 0x7ffef8448b70, 
    level = 4165242032, role_none = 32766, includeLevel = 4165242096, documentEntity = 32766, inEntityValue = 0}, m_processor = 0x0, 
  m_errorCode = XML_ERROR_NONE, m_eventPtr = 0x1 <error: Cannot access memory at address 0x1>, 
  m_eventEndPtr = 0x7ffff4908420 <PyTuple_Type> "", m_positionPtr = 0x7 <error: Cannot access memory at address 0x7>, 
  m_openInternalEntities = 0xffffffffffffffff, m_freeInternalEntities = 0x7fffeedbc780, 
  m_openAttributeEntities = 0x7ffff4936f10 <_PyRuntime+40688>, m_freeAttributeEntities = 0x7fffeec1e880, 
  m_openValueEntities = 0x7fffeec04d50, m_freeValueEntities = 0x7ffef8448b70, m_defaultExpandInternalEntities = 112 'p', 
  m_tagLevel = 32766, m_declEntity = 0x7ffef8448cf0, m_doctypeName = 0x0, m_doctypeSysid = 0x0, m_doctypePubid = 0x0, 
  m_declAttributeType = 0x2 <error: Cannot access memory at address 0x2>, m_declNotationName = 0x7ffff4908420 <PyTuple_Type> "", 
  m_declNotationPublicId = 0x7 <error: Cannot access memory at address 0x7>, m_declElementType = 0xffffffffffffffff, 
  m_declAttributeId = 0x7fffeedbc780, m_declAttributeIsCdata = 16 '\020', m_declAttributeIsId = 111 'o', m_dtd = 0x7fffeec1e880, 
  m_curBase = 0x7fffeec04d50 "", m_tagStack = 0x7ffef8448b70, m_freeTagList = 0x7fff931ffdf0, m_inheritedBindings = 0x7ffef8448cf0, 
  m_freeBindingList = 0x0, m_attsSize = 1, m_nSpecifiedAtts = 0, m_idAttIndex = -191837632, m_atts = 0x38, 
  m_nsAtts = 0xffffffffffffffff, m_nsAttsVersion = 100, m_nsAttsPower = 35 '#', m_position = {lineNumber = 7306080452898615328, 
    columnNumber = 8027139005750714483}, m_tempPool = {blocks = 0x20676e69776f6c6c, freeBlocks = 0x2073646f6874656d, 
    end = 0x7274746120646e61 <error: Cannot access memory at address 0x7274746120646e61>, 
    ptr = 0xa3a736574756269 <error: Cannot access memory at address 0xa3a736574756269>, start = 0x0, parser = 0x301000402}, 
  m_temp2Pool = {blocks = 0x1, freeBlocks = 0x7ffff490ca40 <PyUnicode_Type>, end = 0x3e <error: Cannot access memory at address 0x3e>, 
    ptr = 0xffffffffffffffff <error: Cannot access memory at address 0xffffffffffffffff>, 
    start = 0x64 <error: Cannot access memory at address 0x64>, parser = 0x646f632027732527}, 
  m_groupConnector = 0x74276e6163206365 <error: Cannot access memory at address 0x74276e6163206365>, m_groupSize = 1667589152, 
  m_namespaceSeparator = 111 'o', m_parentParser = 0x2578232065747962, m_parsingStatus = {parsing = 980955696, finalBuffer = 32 ' '}, 
  m_isParamEntity = 32 ' ', m_useForeignDTD = 32 ' ', m_paramEntityParsing = (unknown: 0x73252220), m_hash_secret_salt_128 = {k = {
      8388362703413980194, 110110620675945}}, m_hash_secret_salt_set = 0 '\000', m_accounting = {countBytesDirect = 1, 
    countBytesIndirect = 140737296517696, debugLevel = 56, maximumAmplificationFactor = -nan(0x7fffff), activationThresholdBytes = 100}, 
  m_alloc_tracker = {bytesAllocated = 8390317583334731381, peakBytesAllocated = 7018969010048623201, debugLevel = 2531148770652152178, 
    maximumAmplificationFactor = 1.64049084e-07, activationThresholdBytes = 2459086794333882995}, m_entity_stats = {
    countEverOpened = 740455205, currentDepth = 1936683040, maximumDepthSeen = 1869182057, debugLevel = 0}, m_reenter = 0 '\000'}

It's hard to read but the struct doesn't look so great. Some of these addresses look they were overwritten with strings?
m_characterDataHandler = 0x2020202020202020 looks like a bunch of ascii space characters, m_commentHandler = 0x4e3d6b72616d5f74 spells out "t_mark=N", etc... Or am I looking in the wrong place?

I'll try to run it with ASan next which means rebuilding FreeCAD with -fsanitize=address -fno-omit-frame-pointer correct?

hartwork

I'll try to run it with ASan next which means rebuilding FreeCAD with -fsanitize=address -fno-omit-frame-pointer correct?

@al20ov thanks! Yes, but it needs to be passed to both the compiler and the linker.

al20ov

I can't reproduce the issue when compiled and linked with ASan...... (CFLAGS/CXXFLAGS+=" -fsanitize=address -fno-omit-frame-pointer" LDFLAGS+="-fsanitize=address" and libsanitizer-devel).
But then as soon as I recompile without it, and I enter the CAM workbench, same thing that happened above. I'd love to help narrow it down but I don't know how at this point. Maybe valgrind?

[3.14] pythongh-149018: Use XML_SetHashSalt16Bytes in pyexpat/`_e… …

ad6d59f

…lementtree` when possible (pythonGH-149023) (cherry picked from commit 24b8f12) Co-authored-by: Stan Ulbrych <stan@python.org>

StanFromIreland requested review from gpshead, picnixz and tiran as code owners May 10, 2026 17:40

This was referenced May 10, 2026

[CVE-2026-7210] Insufficient entropy in pyexpat with protection against hash flooding #149018

Open

gh-149018: Use XML_SetHashSalt16Bytes in pyexpat/_elementtree when possible #149023

Merged

bedevere-app Bot added the awaiting core review label May 10, 2026

StanFromIreland added needs backport to 3.10 only security fixes needs backport to 3.11 only security fixes needs backport to 3.12 only security fixes needs backport to 3.13 bugs and security fixes and removed awaiting core review labels May 10, 2026

picnixz reviewed May 24, 2026

View reviewed changes

Merge branch '3.14' into backport-24b8f12-3.14

07575d8

StanFromIreland requested a review from picnixz June 9, 2026 12:50

picnixz reviewed Jun 9, 2026

View reviewed changes

picnixz approved these changes Jun 9, 2026

View reviewed changes

bedevere-app Bot added the awaiting merge label Jun 9, 2026

bedevere-app Bot removed the awaiting merge label Jun 9, 2026

miss-islington-app Bot assigned StanFromIreland Jun 9, 2026

StanFromIreland deleted the backport-24b8f12-3.14 branch June 9, 2026 14:09

StanFromIreland removed needs backport to 3.10 only security fixes needs backport to 3.11 only security fixes needs backport to 3.12 only security fixes needs backport to 3.13 bugs and security fixes labels Jun 9, 2026

al20ov mentioned this pull request Jun 14, 2026

freecad: update to 1.1.1. void-linux/void-packages#59581

Open

Conversation

StanFromIreland commented May 10, 2026 • edited by bedevere-app Bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

StanFromIreland commented May 24, 2026

Uh oh!

picnixz commented May 24, 2026

Uh oh!

StanFromIreland commented May 24, 2026

Uh oh!

zpe-lucasc commented Jun 5, 2026

Uh oh!

hugovk commented Jun 9, 2026

Uh oh!

Uh oh!

miss-islington-app Bot commented Jun 9, 2026

Uh oh!

miss-islington-app Bot commented Jun 9, 2026

Uh oh!

miss-islington-app Bot commented Jun 9, 2026

Uh oh!

miss-islington-app Bot commented Jun 9, 2026

Uh oh!

miss-islington-app Bot commented Jun 9, 2026

Uh oh!

StanFromIreland commented Jun 9, 2026

Uh oh!

al20ov commented Jun 14, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

picnixz commented Jun 14, 2026

Uh oh!

hartwork commented Jun 14, 2026

Uh oh!

hartwork commented Jun 15, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

al20ov commented Jun 15, 2026

Uh oh!

al20ov commented Jun 15, 2026

Uh oh!

hartwork commented Jun 15, 2026

Uh oh!

al20ov commented Jun 15, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

6 participants

StanFromIreland commented May 10, 2026 •

edited by bedevere-app Bot

Loading

al20ov commented Jun 14, 2026 •

edited

Loading

hartwork commented Jun 15, 2026 •

edited

Loading