Avoid possible undefined behaviour from signed overflow.
authorMark Dickinson <dickinsm@gmail.com>
Fri, 11 Jun 2010 16:56:34 +0000 (16:56 +0000)
committerMark Dickinson <dickinsm@gmail.com>
Fri, 11 Jun 2010 16:56:34 +0000 (16:56 +0000)
Lib/test/test_struct.py
Modules/_struct.c

index b9faa28d73b01c6a2de2ec4991b925933e2674e9..70eed6ece538a2373fb65f1706e06c81d48b0ec6 100644 (file)
@@ -506,6 +506,11 @@ class StructTest(unittest.TestCase):
             for c in [b'\x01', b'\x7f', b'\xff', b'\x0f', b'\xf0']:
                 self.assertTrue(struct.unpack('>?', c)[0])
 
+    def test_count_overflow(self):
+        hugecount = '{}b'.format(sys.maxsize+1)
+        self.assertRaises(struct.error, struct.calcsize, hugecount)
+
+
     if IS32BIT:
         def test_crasher(self):
             self.assertRaises(MemoryError, struct.pack, "357913941b", "a")
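Review bot: test_count_overflow covers only one of the two overflow branches this commit adds to prepare_s. sys.maxsize+1 has the same number of digits as PY_SSIZE_T_MAX, so it is rejected by the last-digit comparison and never reaches `num > PY_SSIZE_T_MAX / 10`. A count with one extra digit would cover that branch, for example `self.assertRaises(struct.error, struct.calcsize, '{}0b'.format(sys.maxsize))`. As a minor style point, the hunk adds two blank lines after the method where one would match the blank line before it.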
index 2e594e8f783d490acb42ea3ee94fcb3e0e40ed8a..e05fb730ef60427efe890eb8e80a75b4e9f8f033 100644 (file)
@@ -1186,14 +1186,17 @@ prepare_s(PyStructObject *self)
         if ('0' <= c && c <= '9') {
             num = c - '0';
             while ('0' <= (c = *s++) && c <= '9') {
-                x = num*10 + (c - '0');
-                if (x/10 != num) {
+                /* overflow-safe version of
+                   if (num*10 + (c - '0') > PY_SSIZE_T_MAX) { ... } */
+                if (num >= PY_SSIZE_T_MAX / 10 && (
+                        num > PY_SSIZE_T_MAX / 10 ||
+                        (c - '0') > PY_SSIZE_T_MAX % 10)) {
                     PyErr_SetString(
                         StructError,
                         "overflow in item count");
                     return -1;
                 }
-                num = x;
+                num = num*10 + (c - '0');
             }
             if (c == '\0') {
                 PyErr_SetString(StructError,
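Review bot: The three-part condition in the digit loop is correct, but it can be written as one comparison that is easier to audit: `if (num > (PY_SSIZE_T_MAX - (c - '0')) / 10) {`. Because num is non-negative and the digit is 0..9, this rejects exactly the inputs where num*10 + (c - '0') would exceed PY_SSIZE_T_MAX, and no intermediate value can overflow. The removed check `x/10 != num` ran only after the signed multiplication had already happened. If the later size computation in prepare_s still uses that multiply-then-divide-back pattern with the item size, it presumably needs the same treatment; that code is outside this hunk, as are the start and end of prepare_s.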