Avoid undefined behaviour negating PY_SSIZE_T_MIN width in str/bytes formatting

aisk · aisk · commit 31f63dec7291 · 2026-06-21T22:44:54.000+09:00
diff --git a/Lib/test/test_format.py b/Lib/test/test_format.py
@@ -318,6 +318,8 @@ def test_common_format(self):
                         "format argument 1: too big for width")
         test_exc_common('%*r', (-2**1000, 1), OverflowError,
                         "format argument 1: too big for width")
+        test_exc_common('%*r', (-maxsize - 1, 1), OverflowError,
+                        "format argument 1: too big for width")
         test_exc_common('%.*r', (2**1000, 1), OverflowError,
                         "format argument 1: too big for precision")
         test_exc_common('%.*r', (-2**1000, 1), OverflowError,
diff --git a/Objects/bytesobject.c b/Objects/bytesobject.c
@@ -803,6 +803,11 @@ _PyBytes_FormatEx(const char *format, Py_ssize_t format_len,
                 }
                 if (width < 0) {
                     flags |= F_LJUST;
+                    if (width < -PY_SSIZE_T_MAX) {
+                        FORMAT_ERROR(PyExc_OverflowError,
+                                     "too big for width%s", "");
+                        goto error;
+                    }
                     width = -width;
                 }
                 if (--fmtcnt >= 0)
diff --git a/Objects/unicode_format.c b/Objects/unicode_format.c
@@ -560,6 +560,10 @@ unicode_format_arg_parse(struct unicode_formatter_t *ctx,
         }
         if (arg->width < 0) {
             arg->flags |= F_LJUST;
+            if (arg->width < -PY_SSIZE_T_MAX) {
+                FORMAT_ERROR(PyExc_OverflowError, "too big for width%s", "");
+                return -1;
+            }
             arg->width = -arg->width;
         }
         if (--ctx->fmtcnt >= 0) {

Original file line number	Diff line number	Diff line change
`@@ -803,6 +803,11 @@ _PyBytes_FormatEx(const char *format, Py_ssize_t format_len,`
`803`	`803`	`}`
`804`	`804`	`if (width < 0) {`
`805`	`805`	`flags \|= F_LJUST;`
	`806`	`+ if (width < -PY_SSIZE_T_MAX) {`
	`807`	`+ FORMAT_ERROR(PyExc_OverflowError,`
	`808`	`+ "too big for width%s", "");`
	`809`	`+ goto error;`
	`810`	`+ }`
`806`	`811`	`width = -width;`
`807`	`812`	`}`
`808`	`813`	`if (--fmtcnt >= 0)`
Original file line number	Diff line number	Diff line change
`@@ -560,6 +560,10 @@ unicode_format_arg_parse(struct unicode_formatter_t *ctx,`
`560`	`560`	`}`
`561`	`561`	`if (arg->width < 0) {`
`562`	`562`	`arg->flags \|= F_LJUST;`
	`563`	`+ if (arg->width < -PY_SSIZE_T_MAX) {`
	`564`	`+ FORMAT_ERROR(PyExc_OverflowError, "too big for width%s", "");`
	`565`	`+ return -1;`
	`566`	`+ }`
`563`	`567`	`arg->width = -arg->width;`
`564`	`568`	`}`
`565`	`569`	`if (--ctx->fmtcnt >= 0) {`