fix overflow checking in PyString_Repr (closes #22519)
diff --git a/Misc/NEWS b/Misc/NEWS
index 686db0f..47de844 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -10,6 +10,8 @@
Core and Builtins
-----------------
+- Issue #22519: Fix overflow checking in PyString_Repr.
+
- Issue #22518: Fix integer overflow issues in latin-1 encoding.
- Issue #22379: Fix empty exception message in a TypeError raised in
diff --git a/Objects/stringobject.c b/Objects/stringobject.c
index f95857a..46f46db 100644
--- a/Objects/stringobject.c
+++ b/Objects/stringobject.c
@@ -926,13 +926,14 @@
PyString_Repr(PyObject *obj, int smartquotes)
{
register PyStringObject* op = (PyStringObject*) obj;
- size_t newsize = 2 + 4 * Py_SIZE(op);
+ size_t newsize;
PyObject *v;
- if (newsize > PY_SSIZE_T_MAX || newsize / 4 != Py_SIZE(op)) {
+ if (Py_SIZE(op) > (PY_SSIZE_T_MAX - 2)/4) {
PyErr_SetString(PyExc_OverflowError,
"string is too large to make repr");
return NULL;
}
+ newsize = 2 + 4*Py_SIZE(op);
v = PyString_FromStringAndSize((char *)NULL, newsize);
if (v == NULL) {
return NULL;