gh-148441: Avoid integer overflow in Expat's CharacterDataHandler

Lib/test/test_pyexpat.py

@@ -712,6 +712,20 @@ def test_change_size_2(self):
         parser.Parse(xml2, True)
         self.assertEqual(self.n, 4)
 
+    @support.requires_resource('cpu')
+    @support.requires_resource('walltime')
+    def test_heap_overflow(self):
+        # See https://github.com/python/cpython/issues/148441
+        parser = expat.ParserCreate()
+        parser.buffer_text = True
+        parser.buffer_size = 2**31 - 1 # INT_MAX
+        def handler(text):
+            pass
+        N = 2049 * (1 << 20) - 3  # 2,148,532,221 bytes of character data
+        parser.CharacterDataHandler = handler
+        xml_data = b"<r>" + b"A" * N + b"</r>"
+        self.assertEqual(parser.Parse(xml_data, True), 1)
+
 class ElementDeclHandlerTest(unittest.TestCase):
     def test_trigger_leak(self):
         # Unfixed, this test would leak the memory of the so-called

Misc/NEWS.d/next/Library/2026-04-23-12-50-15.gh-issue-148441.zvpCkR.rst

@@ -0,0 +1,2 @@
+Fix heap buffer overflow in pyexpat CharacterDataHandler, which is caused by
+two signed intergets added up.

Modules/pyexpat.c

@@ -393,7 +393,7 @@ my_CharacterDataHandler(void *userData, const XML_Char *data, int len)
     if (self->buffer == NULL)
         call_character_handler(self, data, len);
     else {
-        if ((self->buffer_used + len) > self->buffer_size) {
+        if (len > (self->buffer_size - self->buffer_used)) {
             if (flush_character_buffer(self) < 0)
                 return;
             /* handler might have changed; drop the rest on the floor