gh-145633: Fix struct.pack('f') on s390x (GH-146422)
Use PyFloat_Pack4() to raise OverflowError.
Add more tests on packing/unpacking floats.
(cherry picked from commit 8de70b31c5)
Co-authored-by: Victor Stinner <vstinner@python.org>
Co-authored-by: Sergey B Kirpichev <skirpichev@gmail.com>
Base64 decoder (see binascii.a2b_base64(), base64.b64decode(), etc)
no longer ignores excess data after the first padded quad in non-strict
(default) mode. Instead, in conformance with RFC 4648, it ignores the
pad character, "=", if it is present before the end of the encoded data.
(cherry picked from commit 4561f6418a)
gh-146092: Raise MemoryError on allocation failure in _zoneinfo (GH-146165)
(cherry picked from commit 6450b1d142)
Co-authored-by: Victor Stinner <vstinner@python.org>
Add tests for corner cases: NULL pointers and out of range values.
(cherry picked from commit ab47892c32)
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
gh-146093: Fix csv _set_str(): check if PyUnicode_DecodeASCII() failed (GH-146113)
The function can fail on a memory allocation failure.
Bug reported by devdanzin.
(cherry picked from commit 724c7c8146)
Co-authored-by: Victor Stinner <vstinner@python.org>
* Add the c_init_default attribute which is used to initialize the C variable
if the default is not explicitly provided.
* Add the c_default_init() method which is used to derive c_default from
default if c_default is not explicitly provided.
* Explicit c_default and py_default are now almost always have precedence
over the generated value.
* Add support for bytes literals as default values.
* Improve support for str literals as default values (support non-ASCII
and non-printable characters and special characters like backslash or quotes).
* Fix support for str and bytes literals containing trigraphs, "/*" and "*/".
* Improve support for default values in converters "char" and "int(accept={str})".
* Converter "int(accept={str})" now requires 1-character string instead of
integer as default value.
* Add support for non-None default values in converter "Py_buffer": NULL,
str and bytes literals.
* Improve error handling for invalid default values.
* Rename Null to NullType for consistency.
(cherry picked from commit 99e2c5eccd)
gh-145986: Avoid unbound C recursion in `conv_content_model` in `pyexpat.c` (CVE 2026-4224) (GH-145987)
Fix C stack overflow (CVE-2026-4224) when an Expat parser
with a registered `ElementDeclHandler` parses inline DTD
containing deeply nested content model.
---------
(cherry picked from commit eb0e8be3a7)
Co-authored-by: Stan Ulbrych <89152624+StanFromIreland@users.noreply.github.com>
Co-authored-by: Bénédikt Tran <10796600+picnixz@users.noreply.github.com>
(cherry picked from commit 2d35f9bc1c)
Includes test fix-up from GH-145788
(cherry picked from commit aa4240ebea)
Co-authored-by: Thomas Kowalski <thom.kowa@gmail.com>
Co-authored-by: Matt Van Horn <mvanhorn@users.noreply.github.com>
Only set the format attribute after successful (re-)initialization.
(cherry picked from commit 3f33bf83e8)
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
gh-145376: Fix crashes in `md5module.c` and `hmacmodule.c` (GH-145422)
Fix a possible NULL pointer dereference in `md5module.c` and a double-free in `hmacmodule.c`.
Those crashes only occur in error paths taken when the interpreter fails to allocate memory.
(cherry picked from commit c1d7768321)
Co-authored-by: Pieter Eendebak <pieter.eendebak@gmail.com>
gh-145335: Fix crash when passing -1 as fd in os.pathconf (GH-145390)
(cherry picked from commit 5c3a47b94a)
Co-authored-by: AN Long <aisk@users.noreply.github.com>
Co-authored-by: blurb-it[bot] <43283697+blurb-it[bot]@users.noreply.github.com>
`_struct.c`: Fix UB from integer overflow in `prepare_s` (GH-145158)
Avoid possible undefined behaviour from signed overflow in `struct` module
As discovered via oss-fuzz.
(cherry picked from commit fd0400585e)
Co-authored-by: Stan Ulbrych <89152624+StanFromIreland@users.noreply.github.com>
Fix an issue where passing invalid arguments to `os.posix_spawn[p]` functions
raised a SystemError instead of a TypeError, and allow to explicitly use `None`
for `scheduler` and `setpgroup` as specified in the docs.
(cherry picked from commit 347fc438cf)
gh-144601: Avoid sharing exception objects raised in a `PyInit` function across multiple interpreters (GH-144602)
(cherry picked from commit fd6b639a49)
Co-authored-by: Peter Bierma <zintensitydev@gmail.com>
gh-144833: Fix use-after-free in SSL module when SSL_new() fails (GH-144843)
In newPySSLSocket(), when SSL_new() returns NULL, Py_DECREF(self)
was called before _setSSLError(get_state_ctx(self), ...), causing
a use-after-free. Additionally, get_state_ctx() was called with
self (PySSLSocket*) instead of sslctx (PySSLContext*), which is
a type confusion bug.
Fix by calling _setSSLError() before Py_DECREF() and using
sslctx instead of self for get_state_ctx().
(cherry picked from commit c91638ca06)
Co-authored-by: Ramin Farajpour Cami <ramin.blackhat@gmail.com>
[3.14] gh-144551: Update CI to use latest OpenSSL versions
Also update _ssl_data_35.h to include an added symbol from 3.5.5.
(cherry picked from commit b933ef9261)
Lookup for CJK ideograms and Hangul syllables is now case-insensitive,
as is the case for other character names.
(cherry picked from commit e66f4a5a9c)
Co-authored-by: James <snoopjedi@gmail.com>
This was causing ucd_3_2_0.numeric() to pick up only decimal
changes between Unicode 3.2.0 and the current version.
(cherry picked from commit 3e0322ff16)
Co-authored-by: William Meehan <wmeehan@fb.com>
gh-144629: Add test for the PyFunction_GetAnnotations() function (GH-144630)
(cherry picked from commit cc81707e40)
Co-authored-by: Nybblista <170842536+nybblista@users.noreply.github.com>
(cherry picked from commit d5cb9f6a9b)
Co-authored-by: Stan Ulbrych <89152624+StanFromIreland@users.noreply.github.com>
Co-authored-by: Gregory P. Smith <greg@krypto.org>
Co-authored-by: Petr Viktorin <encukou@gmail.com>
