Merge branch 'main' into fix-compression-block-decompress-error-handling

Author: greateggsgreg

Lib/test/test_decimal.py

@@ -3963,15 +3963,21 @@ def test_flag_comparisons(self):
         d.update(c.flags)
         self.assertEqual(d, c.flags)
         self.assertEqual(c.flags, d)
+        self.assertEqual(frozendict(d), c.flags)
+        self.assertEqual(c.flags, frozendict(d))
 
         d[Inexact] = True
         self.assertNotEqual(d, c.flags)
         self.assertNotEqual(c.flags, d)
+        self.assertNotEqual(frozendict(d), c.flags)
+        self.assertNotEqual(c.flags, frozendict(d))
 
         # Invalid SignalDict
         d = {Inexact:False}
         self.assertNotEqual(d, c.flags)
         self.assertNotEqual(c.flags, d)
+        self.assertNotEqual(frozendict(d), c.flags)
+        self.assertNotEqual(c.flags, frozendict(d))
 
         d = ["xyz"]
         self.assertNotEqual(d, c.flags)

Lib/test/test_source_encoding.py

@@ -65,6 +65,23 @@ def test_issue7820(self):
         # two bytes in common with the UTF-8 BOM
         self.assertRaises(SyntaxError, eval, b'\xef\xbb\x20')
 
+    def test_truncated_utf8_at_eof(self):
+        # Regression test for https://issues.oss-fuzz.com/issues/451112368
+        # Truncated multi-byte UTF-8 sequences at end of input caused an
+        # out-of-bounds read in Parser/tokenizer/helpers.c:valid_utf8().
+        truncated = [
+            b'\xc2',              # 2-byte lead, missing 1 continuation
+            b'\xdf',              # 2-byte lead, missing 1 continuation
+            b'\xe0',              # 3-byte lead, missing 2 continuations
+            b'\xe0\xa0',          # 3-byte lead, missing 1 continuation
+            b'\xf0\x90',          # 4-byte lead, missing 2 continuations
+            b'\xf0\x90\x80',      # 4-byte lead, missing 1 continuation
+            b'\xf3',              # 4-byte lead, missing 3 (the oss-fuzz reproducer)
+        ]
+        for seq in truncated:
+            with self.subTest(seq=seq):
+                self.assertRaises(SyntaxError, compile, seq, '<test>', 'exec')
+
     @support.requires_subprocess()
     def test_20731(self):
         sub = subprocess.Popen([sys.executable,

Misc/NEWS.d/next/Core_and_Builtins/2026-02-16-12-28-43.gh-issue-144872.k9_Q30.rst

@@ -0,0 +1 @@
+Fix heap buffer overflow in the parser found by OSS-Fuzz.

Modules/_decimal/_decimal.c

@@ -552,7 +552,7 @@ dict_as_flags(decimal_state *state, PyObject *val)
     uint32_t flags = 0;
     int x;
 
-    if (!PyDict_Check(val)) {
+    if (!PyAnyDict_Check(val)) {
         PyErr_SetString(PyExc_TypeError,
             "argument must be a signal dict");
         return DEC_INVALID_SIGNALS;
@@ -802,7 +802,7 @@ signaldict_richcompare(PyObject *v, PyObject *w, int op)
         if (PyDecSignalDict_Check(state, w)) {
             res = (SdFlags(v)==SdFlags(w)) ^ (op==Py_NE) ? Py_True : Py_False;
         }
-        else if (PyDict_Check(w)) {
+        else if (PyAnyDict_Check(w)) {
             uint32_t flags = dict_as_flags(state, w);
             if (flags & DEC_ERRORS) {
                 if (flags & DEC_INVALID_SIGNALS) {

Parser/tokenizer/helpers.c

@@ -494,9 +494,11 @@ valid_utf8(const unsigned char* s)
         return 0;
     }
     length = expected + 1;
-    for (; expected; expected--)
-        if (s[expected] < 0x80 || s[expected] >= 0xC0)
+    for (int i = 1; i <= expected; i++) {
+        if (s[i] < 0x80 || s[i] >= 0xC0) {
             return 0;
+        }
+    }
     return length;
 }