fix overflow checking in PyString_Repr (closes #22519)

diff --git a/Misc/NEWS b/Misc/NEWS
index 686db0fee07a3c35012c5729644433c1f327643e..47de8444256781c82c692bc9c2653ca2e6756be9 100644 (file)
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -10,6 +10,8 @@ What's New in Python 2.7.9?
 Core and Builtins
 -----------------
 
+- Issue #22519: Fix overflow checking in PyString_Repr.
+
 - Issue #22518: Fix integer overflow issues in latin-1 encoding.
 
 - Issue #22379: Fix empty exception message in a TypeError raised in

diff --git a/Objects/stringobject.c b/Objects/stringobject.c
index f95857ab83eab13023f8f934a0eaae869f4eac4b..46f46db0e0fce9ff2c0992422912fe18d1fd2c8a 100644 (file)
--- a/Objects/stringobject.c
+++ b/Objects/stringobject.c
@@ -926,13 +926,14 @@ PyObject *
 PyString_Repr(PyObject *obj, int smartquotes)
 {
     register PyStringObject* op = (PyStringObject*) obj;
-    size_t newsize = 2 + 4 * Py_SIZE(op);
+    size_t newsize;
     PyObject *v;
-    if (newsize > PY_SSIZE_T_MAX || newsize / 4 != Py_SIZE(op)) {
+    if (Py_SIZE(op) > (PY_SSIZE_T_MAX - 2)/4) {
         PyErr_SetString(PyExc_OverflowError,
             "string is too large to make repr");
         return NULL;
     }
+    newsize = 2 + 4*Py_SIZE(op);
     v = PyString_FromStringAndSize((char *)NULL, newsize);
     if (v == NULL) {
         return NULL;