gh-125010: Fix `use-after-free` in AST `repr()` (#125015)

3 files changed, 7 insertions, 2 deletions

diff --git a/Lib/test/test_ast/test_ast.py b/Lib/test/test_ast/test_ast.py
index f052822..01d2e39 100644
--- a/Lib/test/test_ast/test_ast.py
+++ b/Lib/test/test_ast/test_ast.py
@@ -789,6 +789,13 @@ class AST_Tests(unittest.TestCase):
             with self.subTest(test_input=test):
                 self.assertEqual(repr(ast.parse(test)), snapshot)
 
+    def test_repr_large_input_crash(self):
+        # gh-125010: Fix use-after-free in ast repr()
+        source = "0x0" + "e" * 10_000
+        with self.assertRaisesRegex(ValueError,
+                                    r"Exceeds the limit \(\d+ digits\)"):
+            repr(ast.Constant(value=eval(source)))
+
 
 class CopyTests(unittest.TestCase):
     """Test copying and pickling AST nodes."""
diff --git a/Parser/asdl_c.py b/Parser/asdl_c.py
index ab5fd22..f50c28a 100755
--- a/Parser/asdl_c.py
+++ b/Parser/asdl_c.py
@@ -1608,7 +1608,6 @@ ast_repr_max_depth(AST_object *self, int depth)
 
         if (!value_repr) {
             Py_DECREF(name);
-            Py_DECREF(value);
             goto error;
         }
 
diff --git a/Python/Python-ast.c b/Python/Python-ast.c
index 4a58c09..89c52b9 100644
--- a/Python/Python-ast.c
+++ b/Python/Python-ast.c
@@ -5809,7 +5809,6 @@ ast_repr_max_depth(AST_object *self, int depth)
 
         if (!value_repr) {
             Py_DECREF(name);
-            Py_DECREF(value);
             goto error;
         }