From 2ef1dc37f02b08536b677dd23ec51541a60effd7 Mon Sep 17 00:00:00 2001
From: Radislav Chugunov <52372310+chgnrdv@users.noreply.github.com>
Date: Sat, 8 Jul 2023 10:47:01 +0300
Subject: gh-106524: Fix a crash in _sre.template() (GH-106525)

Some items remained uninitialized if _sre.template() was called with invalid
indices. Then attempt to clear them in the destructor led to dereferencing
of uninitialized pointer.
---
 Lib/test/test_re.py                                            | 10 ++++++++++
 .../Library/2023-07-07-17-44-03.gh-issue-106524.XkBV8h.rst     |  1 +
 Modules/_sre/sre.c                                             |  2 ++
 3 files changed, 13 insertions(+)
 create mode 100644 Misc/NEWS.d/next/Library/2023-07-07-17-44-03.gh-issue-106524.XkBV8h.rst

diff --git a/Lib/test/test_re.py b/Lib/test/test_re.py
index e4d1435..8f26d0a 100644
--- a/Lib/test/test_re.py
+++ b/Lib/test/test_re.py
@@ -2418,6 +2418,16 @@ class ReTests(unittest.TestCase):
                 p.terminate()
                 p.join()
 
+    def test_sre_template_invalid_group_index(self):
+        # see gh-106524
+        import _sre
+        with self.assertRaises(TypeError) as cm:
+            _sre.template("", ["", -1, ""])
+        self.assertIn("invalid template", str(cm.exception))
+        with self.assertRaises(TypeError) as cm:
+            _sre.template("", ["", (), ""])
+        self.assertIn("an integer is required", str(cm.exception))
+
 
 def get_debug_out(pat):
     with captured_stdout() as out:
diff --git a/Misc/NEWS.d/next/Library/2023-07-07-17-44-03.gh-issue-106524.XkBV8h.rst b/Misc/NEWS.d/next/Library/2023-07-07-17-44-03.gh-issue-106524.XkBV8h.rst
new file mode 100644
index 0000000..f3fd070
--- /dev/null
+++ b/Misc/NEWS.d/next/Library/2023-07-07-17-44-03.gh-issue-106524.XkBV8h.rst
@@ -0,0 +1 @@
+Fix crash in :func:`!_sre.template` with templates containing invalid group indices.
diff --git a/Modules/_sre/sre.c b/Modules/_sre/sre.c
index 3f11916..98602b4 100644
--- a/Modules/_sre/sre.c
+++ b/Modules/_sre/sre.c
@@ -1544,10 +1544,12 @@ _sre_template_impl(PyObject *module, PyObject *pattern, PyObject *template)
     for (Py_ssize_t i = 0; i < n; i++) {
         Py_ssize_t index = PyLong_AsSsize_t(PyList_GET_ITEM(template, 2*i+1));
         if (index == -1 && PyErr_Occurred()) {
+            Py_SET_SIZE(self, i);
             Py_DECREF(self);
             return NULL;
         }
         if (index < 0) {
+            Py_SET_SIZE(self, i);
             goto bad_template;
         }
         self->items[i].index = index;
-- 
cgit v0.12