From: Stan Ulbrych <89152624+StanFromIreland@users.noreply.github.com> Date: Tue, 24 Feb 2026 00:53:17 +0000 (+0000) Subject: `_struct.c`: Fix UB from integer overflow in `prepare_s` (GH-145158) X-Git-Tag: v3.15.0a7~167 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=fd0400585eb957c7d10812d87a8cb9e1f3c72519;p=thirdparty%2FPython%2Fcpython.git `_struct.c`: Fix UB from integer overflow in `prepare_s` (GH-145158) Avoid possible undefined behaviour from signed overflow in `struct` module As discovered via oss-fuzz. --- diff --git a/Lib/test/test_struct.py b/Lib/test/test_struct.py index bffbcb1a6075..aa793a2c223d 100644 --- a/Lib/test/test_struct.py +++ b/Lib/test/test_struct.py @@ -552,6 +552,9 @@ class StructTest(ComplexesAreIdenticalMixin, unittest.TestCase): hugecount2 = '{}b{}H'.format(sys.maxsize//2, sys.maxsize//2) self.assertRaises(struct.error, struct.calcsize, hugecount2) + hugecount3 = '{}i{}q'.format(sys.maxsize // 4, sys.maxsize // 8) + self.assertRaises(struct.error, struct.calcsize, hugecount3) + def test_trailing_counter(self): store = array.array('b', b' '*100) diff --git a/Misc/NEWS.d/next/Library/2026-02-23-20-52-55.gh-issue-145158.vWJtxI.rst b/Misc/NEWS.d/next/Library/2026-02-23-20-52-55.gh-issue-145158.vWJtxI.rst new file mode 100644 index 000000000000..60a5e4ad1f0c --- /dev/null +++ b/Misc/NEWS.d/next/Library/2026-02-23-20-52-55.gh-issue-145158.vWJtxI.rst @@ -0,0 +1,2 @@ +Avoid undefined behaviour from signed integer overflow when parsing format +strings in the :mod:`struct` module. diff --git a/Modules/_struct.c b/Modules/_struct.c index 7d2dfc591a2a..ae8a8ffb3c00 100644 --- a/Modules/_struct.c +++ b/Modules/_struct.c @@ -1678,7 +1678,15 @@ prepare_s(PyStructObject *self) case 's': _Py_FALLTHROUGH; case 'p': len++; ncodes++; break; case 'x': break; - default: len += num; if (num) ncodes++; break; + default: + if (num > PY_SSIZE_T_MAX - len) { + goto overflow; + } + len += num; + if (num) { + ncodes++; + } + break; } itemsize = e->size;