From bcf39f8e3a4ef9f12a9d9395f642cdf590fdd90f Mon Sep 17 00:00:00 2001
From: Stan Ulbrych <stan@ulbrych.org>
Date: Tue, 10 Mar 2026 14:12:58 +0000
Subject: [PATCH 1/2] `_struct.c`: Fix UB from integer overflow in `prepare_s`

---
 Lib/test/test_struct.py | 6 ++++++
 Modules/_struct.c       | 8 +++++++-
 2 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/Lib/test/test_struct.py b/Lib/test/test_struct.py
index 4cbfd7ad8b1e48..8ab7d8022136e3 100644
--- a/Lib/test/test_struct.py
+++ b/Lib/test/test_struct.py
@@ -555,6 +555,12 @@ def test_count_overflow(self):
         hugecount3 = '{}i{}q'.format(sys.maxsize // 4, sys.maxsize // 8)
         self.assertRaises(struct.error, struct.calcsize, hugecount3)
 
+        hugecount4 = '{}?s'.format(sys.maxsize)
+        self.assertRaises(struct.error, struct.calcsize, hugecount4)
+
+        hugecount5 = '{}?p'.format(sys.maxsize)
+        self.assertRaises(struct.error, struct.calcsize, hugecount5)
+
     def test_trailing_counter(self):
         store = array.array('b', b' '*100)
 
diff --git a/Modules/_struct.c b/Modules/_struct.c
index dcc3c7ec63e9e0..a7e72207de89cb 100644
--- a/Modules/_struct.c
+++ b/Modules/_struct.c
@@ -1676,7 +1676,13 @@ prepare_s(PyStructObject *self)
 
         switch (c) {
             case 's': _Py_FALLTHROUGH;
-            case 'p': len++; ncodes++; break;
+            case 'p':
+                if (len == PY_SSIZE_T_MAX) {
+                    goto overflow;
+                }
+                len++;
+                ncodes++;
+                break;
             case 'x': break;
             default:
                 if (num > PY_SSIZE_T_MAX - len) {

From ac6685b0c229b6c0ef8da90cd731cd88bb3cf7c9 Mon Sep 17 00:00:00 2001
From: Stan Ulbrych <stan@ulbrych.org>
Date: Tue, 10 Mar 2026 14:13:19 +0000
Subject: [PATCH 2/2] News

---
 .../Library/2026-03-10-14-13-12.gh-issue-145750.iQsTeX.rst     | 3 +++
 1 file changed, 3 insertions(+)
 create mode 100644 Misc/NEWS.d/next/Library/2026-03-10-14-13-12.gh-issue-145750.iQsTeX.rst

diff --git a/Misc/NEWS.d/next/Library/2026-03-10-14-13-12.gh-issue-145750.iQsTeX.rst b/Misc/NEWS.d/next/Library/2026-03-10-14-13-12.gh-issue-145750.iQsTeX.rst
new file mode 100644
index 00000000000000..a909bea2caffe9
--- /dev/null
+++ b/Misc/NEWS.d/next/Library/2026-03-10-14-13-12.gh-issue-145750.iQsTeX.rst
@@ -0,0 +1,3 @@
+Avoid undefined behaviour from signed integer overflow when parsing format
+strings in the :mod:`struct` module. Found by OSS Fuzz in
+:oss-fuzz:`488466741`.