python · ashm-dev · Nov 2, 2025 · Nov 2, 2025 · Nov 2, 2025 · Nov 2, 2025
diff --git a/Lib/test/test_cmd_line.py b/Lib/test/test_cmd_line.py
@@ -201,6 +201,15 @@ def test_run_module_bug1764407(self):
         self.assertTrue(data.find(b'1 loop') != -1)
         self.assertTrue(data.find(b'__main__.Timer') != -1)
 
+    @support.cpython_only
+    def test_null_byte_in_interactive_mode(self):
+        # gh-140594: heap-buffer-overflow in PyOS_StdioReadline when a NULL
+        # is present in interactive input. The test ensures that feeding a null
+        # byte to the interactive prompt does not crash the interpreter.
+        proc = spawn_python('-i')
+        proc.communicate(b'\x00', timeout=10)
+        self.assertEqual(proc.returncode, 0)
+
     def test_relativedir_bug46421(self):
         # Test `python -m unittest` with a relative directory beginning with ./
         # Note: We have to switch to the project's top module's directory, as per

diff --git a/Misc/NEWS.d/next/Security/2025-11-02-16-23-17.gh-issue-140594.YIWUpl.rst b/Misc/NEWS.d/next/Security/2025-11-02-16-23-17.gh-issue-140594.YIWUpl.rst
@@ -0,0 +1,2 @@
+Fix a buffer overflow when a single NULL character is read from the standard input.
+Patch by Shamil Abdulaev.
@@ -344,7 +344,7 @@ PyOS_StdioReadline(FILE *sys_stdin, FILE *sys_stdout, const char *prompt)
             break;
         }
         n += strlen(p + n);
-    } while (p[n-1] != '\n');
+    } while (n == 0 || p[n-1] != '\n');
-    } while (n == 0 || p[n-1] != '\n');
+    } while (n != 0 && p[n-1] != '\n');
-    } while (n == 0 || p[n-1] != '\n');
+    } while (n != 0 && p[n-1] != '\n');
 
     pr = (char *)PyMem_RawRealloc(p, n+1);
     if (pr == NULL) {
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		Fix a buffer overflow when a single NULL character is read from the standard input.
		Patch by Shamil Abdulaev.