gh-144984: Fix crash in ExternalEntityParserCreate() error paths

When ExternalEntityParserCreate() hits an error path (allocation
failure), Py_DECREF(new_parser) triggers xmlparse_dealloc() on a
partially-initialized object:

1. handlers is NULL, so clear_handlers dereferences NULL (SEGV).
2. Py_CLEAR(parent) in dealloc already decrements the parent's
   refcount, so the explicit Py_DECREF(self) is a double-decrement.

Fix by adding a NULL guard in clear_handlers and setting parent to
NULL before Py_DECREF(new_parser) in each error path so that dealloc
does not over-decrement the parent's refcount.

Author: raminfp

Lib/test/test_pyexpat.py

@@ -824,6 +824,35 @@ def test_parent_parser_outlives_its_subparsers__chain(self):
         del subparser
 
 
+class ExternalEntityParserCreateErrorTest(unittest.TestCase):
+    """ExternalEntityParserCreate error paths should not crash or leak
+    refcounts on the parent parser.
+
+    See https://github.com/python/cpython/issues/144984.
+    """
+
+    def test_error_path_no_crash(self):
+        # When an allocation inside ExternalEntityParserCreate fails,
+        # the partially-initialized subparser is deallocated.  This
+        # must not dereference NULL handlers or double-decrement the
+        # parent parser's refcount.
+        _testcapi = import_helper.import_module('_testcapi')
+        parser = expat.ParserCreate()
+        parser.buffer_text = True
+        rc_before = sys.getrefcount(parser)
+
+        _testcapi.set_nomemory(1, 10)
+        try:
+            parser.ExternalEntityParserCreate(None)
+        except MemoryError:
+            pass
+        finally:
+            _testcapi.remove_mem_hooks()
+
+        rc_after = sys.getrefcount(parser)
+        self.assertEqual(rc_after, rc_before)
+
+
 class ReparseDeferralTest(unittest.TestCase):
     def test_getter_setter_round_trip(self):
         parser = expat.ParserCreate()

Misc/NEWS.d/next/Library/2026-02-19-12-00-00.gh-issue-144984.b93995c982.rst

@@ -0,0 +1,3 @@
+Fix crash in :meth:`xml.parsers.expat.xmlparser.ExternalEntityParserCreate`
+when an allocation fails. The error paths could dereference NULL ``handlers``
+and double-decrement the parent parser's reference count.

Modules/pyexpat.c

@@ -1097,12 +1097,14 @@ pyexpat_xmlparser_ExternalEntityParserCreate_impl(xmlparseobject *self,
     if (self->buffer != NULL) {
         new_parser->buffer = PyMem_Malloc(new_parser->buffer_size);
         if (new_parser->buffer == NULL) {
+            new_parser->parent = NULL;
             Py_DECREF(new_parser);
             Py_DECREF(self);
             return PyErr_NoMemory();
         }
     }
     if (!new_parser->itself) {
+        new_parser->parent = NULL;
         Py_DECREF(new_parser);
         Py_DECREF(self);
         return PyErr_NoMemory();
@@ -1117,6 +1119,7 @@ pyexpat_xmlparser_ExternalEntityParserCreate_impl(xmlparseobject *self,
 
     new_parser->handlers = PyMem_New(PyObject *, i);
     if (!new_parser->handlers) {
+        new_parser->parent = NULL;
         Py_DECREF(new_parser);
         Py_DECREF(self);
         return PyErr_NoMemory();
@@ -2489,6 +2492,9 @@ PyInit_pyexpat(void)
 static void
 clear_handlers(xmlparseobject *self, int initial)
 {
+    if (self->handlers == NULL) {
+        return;
+    }
     for (size_t i = 0; handler_info[i].name != NULL; i++) {
         if (initial) {
             self->handlers[i] = NULL;