[3.13] _struct.c: Fix UB from integer overflow in prepare_s (GH-145158) (#145163)

`_struct.c`: Fix UB from integer overflow in `prepare_s` (GH-145158) Avoid possible undefined behaviour from signed overflow in `struct` module As discovered via oss-fuzz. (cherry picked from commit fd0400585e) Co-authored-by: Stan Ulbrych <89152624+StanFromIreland@users.noreply.github.com>
2026-04-14 07:41:00 +00:00 · 2026-02-24 02:16:45 +01:00 · 2026-02-24 02:16:45 +01:00 · dd355045f6
commit dd355045f6
parent 0acd41f398
3 changed files with 14 additions and 1 deletions
--- a/Lib/test/test_struct.py
+++ b/Lib/test/test_struct.py
@ -547,6 +547,9 @@ def test_count_overflow(self):
        hugecount2 = '{}b{}H'.format(sys.maxsize//2, sys.maxsize//2)
        self.assertRaises(struct.error, struct.calcsize, hugecount2)

+        hugecount3 = '{}i{}q'.format(sys.maxsize // 4, sys.maxsize // 8)
+        self.assertRaises(struct.error, struct.calcsize, hugecount3)
+
    def test_trailing_counter(self):
        store = array.array('b', b' '*100)

--- a/Misc/NEWS.d/next/Library/2026-02-23-20-52-55.gh-issue-145158.vWJtxI.rst
+++ b/Misc/NEWS.d/next/Library/2026-02-23-20-52-55.gh-issue-145158.vWJtxI.rst
@ -0,0 +1,2 @@
+Avoid undefined behaviour from signed integer overflow when parsing format
+strings in the :mod:`struct` module.
--- a/Modules/_struct.c
+++ b/Modules/_struct.c
@ -1478,7 +1478,15 @@ prepare_s(PyStructObject *self)
            case 's': /* fall through */
            case 'p': len++; ncodes++; break;
            case 'x': break;
-            default: len += num; if (num) ncodes++; break;
+            default:
+                if (num > PY_SSIZE_T_MAX - len) {
+                    goto overflow;
+                }
+                len += num;
+                if (num) {
+                    ncodes++;
+                }
+                break;
        }

        itemsize = e->size;