From: Justin Applegate <70449145+Legoclones@users.noreply.github.com> Date: Wed, 11 Jun 2025 10:15:12 +0000 (-0400) Subject: gh-135321: Always raise a correct exception for BINSTRING argument > 0x7fffffff in... X-Git-Tag: v3.15.0a1~1330 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=2b8b4774d29a707330d463f226630185cbd3ceff;p=thirdparty%2FPython%2Fcpython.git gh-135321: Always raise a correct exception for BINSTRING argument > 0x7fffffff in pickle (GH-135322) Co-authored-by: Serhiy Storchaka --- diff --git a/Lib/test/pickletester.py b/Lib/test/pickletester.py index 9d6ae3e4d00e..9a3a26a84008 100644 --- a/Lib/test/pickletester.py +++ b/Lib/test/pickletester.py @@ -1100,6 +1100,11 @@ class AbstractUnpickleTests: self.check_unpickling_error((pickle.UnpicklingError, OverflowError), dumped) + def test_large_binstring(self): + errmsg = 'BINSTRING pickle has negative byte count' + with self.assertRaisesRegex(pickle.UnpicklingError, errmsg): + self.loads(b'T\0\0\0\x80') + def test_get(self): pickled = b'((lp100000\ng100000\nt.' unpickled = self.loads(pickled) diff --git a/Misc/NEWS.d/next/Library/2025-06-10-00-42-30.gh-issue-135321.UHh9jT.rst b/Misc/NEWS.d/next/Library/2025-06-10-00-42-30.gh-issue-135321.UHh9jT.rst new file mode 100644 index 000000000000..9e63d8e28b76 --- /dev/null +++ b/Misc/NEWS.d/next/Library/2025-06-10-00-42-30.gh-issue-135321.UHh9jT.rst @@ -0,0 +1 @@ +Raise a correct exception for values greater than 0x7fffffff for the ``BINSTRING`` opcode in the C implementation of :mod:`pickle`. diff --git a/Modules/_pickle.c b/Modules/_pickle.c index 86d8b38620cb..cf3ceb43fb3f 100644 --- a/Modules/_pickle.c +++ b/Modules/_pickle.c 
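Review bot: test_large_binstring in Lib/test/pickletester.py pins only one length with the high bit set, 0x80000000 (`b'T\0\0\0\x80'`), so a regression that mishandles other such lengths would pass unnoticed. Looping over a second value under `subTest` would also cover the all-ones length: `for data in (b'T\0\0\0\x80', b'T\xff\xff\xff\xff'):` followed by `with self.subTest(data=data), self.assertRaisesRegex(pickle.UnpicklingError, errmsg):` and `self.loads(data)`. The enclosing class AbstractUnpickleTests starts outside the hunk, so which unpickler implementations this method runs against cannot be confirmed from here.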
@@ -5543,17 +5543,16 @@ static int load_counted_binstring(PickleState *st, UnpicklerObject *self, int nbytes) { PyObject *obj; - Py_ssize_t size; + long size; char *s; if (_Unpickler_Read(self, st, &s, nbytes) < 0) return -1; - size = calc_binsize(s, nbytes); + size = calc_binint(s, nbytes); if (size < 0) { - PyErr_Format(st->UnpicklingError, - "BINSTRING exceeds system's maximum size of %zd bytes", - PY_SSIZE_T_MAX); + PyErr_SetString(st->UnpicklingError, + "BINSTRING pickle has negative byte count"); return -1; }
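Review bot: The switch from `calc_binsize` to `calc_binint` in load_counted_binstring appears to make the length signed on purpose, but nothing in the code says so, and a later reader may take `long size` for a slip and restore the `Py_ssize_t` version. A comment above the call would record the intent: `/* The BINSTRING length is read as a signed int, so a value above 0x7fffffff comes back negative and is rejected below. */`. This length comes straight from the pickle stream, and the `size < 0` check is the only validation of it visible in the hunk. The function continues outside the hunk, so how `size` is used afterwards cannot be checked from here. The message names BINSTRING although the function is parameterised on `nbytes`; presumably a one-byte length can never be negative, which is worth stating in the same comment.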