From 2adcb11cf2696bff390ddc0fe682f8537da4e500 Mon Sep 17 00:00:00 2001
From: Justin Applegate <70449145+Legoclones@users.noreply.github.com>
Date: Wed, 11 Jun 2025 06:15:12 -0400
Subject: [PATCH] gh-135321: Always raise a correct exception for BINSTRING
 argument > 0x7fffffff in pickle (GH-135322) (cherry picked from commit
 2b8b4774d29a707330d463f226630185cbd3ceff)

Co-authored-by: Justin Applegate <70449145+Legoclones@users.noreply.github.com>
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
---
 Lib/test/pickletester.py                                 | 5 +++++
 .../2025-06-10-00-42-30.gh-issue-135321.UHh9jT.rst       | 1 +
 Modules/_pickle.c                                        | 9 ++++-----
 3 files changed, 10 insertions(+), 5 deletions(-)
 create mode 100644 Misc/NEWS.d/next/Library/2025-06-10-00-42-30.gh-issue-135321.UHh9jT.rst

diff --git a/Lib/test/pickletester.py b/Lib/test/pickletester.py
index 0cd236ab249b1e..c0d4c8f43b9656 100644
--- a/Lib/test/pickletester.py
+++ b/Lib/test/pickletester.py
@@ -1080,6 +1080,11 @@ def test_large_32b_binunicode8(self):
         self.check_unpickling_error((pickle.UnpicklingError, OverflowError),
                                     dumped)
 
+    def test_large_binstring(self):
+        errmsg = 'BINSTRING pickle has negative byte count'
+        with self.assertRaisesRegex(pickle.UnpicklingError, errmsg):
+            self.loads(b'T\0\0\0\x80')
+
     def test_get(self):
         pickled = b'((lp100000\ng100000\nt.'
         unpickled = self.loads(pickled)
diff --git a/Misc/NEWS.d/next/Library/2025-06-10-00-42-30.gh-issue-135321.UHh9jT.rst b/Misc/NEWS.d/next/Library/2025-06-10-00-42-30.gh-issue-135321.UHh9jT.rst
new file mode 100644
index 00000000000000..9e63d8e28b7696
--- /dev/null
+++ b/Misc/NEWS.d/next/Library/2025-06-10-00-42-30.gh-issue-135321.UHh9jT.rst
@@ -0,0 +1 @@
+Raise a correct exception for values greater than 0x7fffffff for the ``BINSTRING`` opcode in the C implementation of :mod:`pickle`.
diff --git a/Modules/_pickle.c b/Modules/_pickle.c
index 1ef380d1cd7933..409b31872d5bdd 100644
--- a/Modules/_pickle.c
+++ b/Modules/_pickle.c
@@ -5453,17 +5453,16 @@ static int
 load_counted_binstring(PickleState *st, UnpicklerObject *self, int nbytes)
 {
     PyObject *obj;
-    Py_ssize_t size;
+    long size;
     char *s;
 
     if (_Unpickler_Read(self, st, &s, nbytes) < 0)
         return -1;
 
-    size = calc_binsize(s, nbytes);
+    size = calc_binint(s, nbytes);
     if (size < 0) {
-        PyErr_Format(st->UnpicklingError,
-                     "BINSTRING exceeds system's maximum size of %zd bytes",
-                     PY_SSIZE_T_MAX);
+        PyErr_SetString(st->UnpicklingError,
+                     "BINSTRING pickle has negative byte count");
         return -1;
     }