author | Benjamin Peterson <benjamin@python.org> | 2015-07-25 06:25:35 (GMT) |
---|---|---|
committer | Benjamin Peterson <benjamin@python.org> | 2015-07-25 06:25:35 (GMT) |
commit | 455a2a30a3743faa1819245d28a9fb46bd7c41a8 (patch) | |
tree | 88c47e1365f5df24f470ea8bd0ff217f43cab454 /Modules/stropmodule.c | |
parent | 80277ed1946ddfd144ac35ca7bca3cc85e876c70 (diff) | |
proper overflow checks for mymemreplace (closes #24708)
Diffstat (limited to 'Modules/stropmodule.c')
-rw-r--r-- | Modules/stropmodule.c | 11 |
1 files changed, 9 insertions, 2 deletions
diff --git a/Modules/stropmodule.c b/Modules/stropmodule.c
index 913bef8..10d3013 100644
--- a/Modules/stropmodule.c
+++ b/Modules/stropmodule.c
@@ -1094,7 +1094,7 @@ mymemreplace(const char *str, Py_ssize_t len, /* input string */
 {
 char *out_s;
 char *new_s;
- Py_ssize_t nfound, offset, new_len;
+ Py_ssize_t nfound, offset, new_len, delta_len, abs_delta;
 if (len == 0 || pat_len > len)
 goto return_same;
@@ -1108,7 +1108,14 @@ mymemreplace(const char *str, Py_ssize_t len, /* input string */
 if (nfound == 0)
 goto return_same;
- new_len = len + nfound*(sub_len - pat_len);
+ delta_len = sub_len - pat_len;
+ abs_delta = (delta_len < 0) ? -delta_len : delta_len;
+ if (PY_SSIZE_T_MAX/nfound < abs_delta)
+ return NULL;
+ delta_len *= nfound;
+ if (PY_SSIZE_T_MAX - len < delta_len)
+ return NULL;
+ new_len = len + delta_len;
 if (new_len == 0) {
 /* Have to allocate something for the caller to free(). */
 out_s = (char *)PyMem_MALLOC(1); |
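Review bot: The two new `return NULL` exits in the second hunk are undocumented, so a reader cannot tell from here that an oversized result is reported the same way as a failed allocation, or who is expected to raise the Python exception; the caller is outside the hunk, so that contract should be confirmed and written down. A comment above the checks would cover it, for example `/* Result length must fit in Py_ssize_t; on overflow return NULL like an allocation failure. */`. The check `PY_SSIZE_T_MAX/nfound < abs_delta` also relies on `nfound` being strictly positive, and the visible `if (nfound == 0) goto return_same;` only rules out zero, so a short `/* nfound > 0 here */` (or an assert, if the counting code outside the hunk guarantees it) would keep a later edit from turning the guard into a division by zero or a sign error. It would also help to say why the magnitude is tested: `delta_len` is negative when the replacement is shorter than the pattern, and only the growing case can exceed the size limit. The body of mymemreplace starts before and continues after this hunk.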