From 6d70ff65c742f06d88fe2645743e079eaffd5436 Mon Sep 17 00:00:00 2001
From: Serhiy Storchaka <storchaka@gmail.com>
Date: Mon, 15 Sep 2025 19:29:15 +0300
Subject: [PATCH 1/2] gh-130567: Fix possible crash in locale.strxfrm()

On some macOS versions there was an off-by-one error in wcsxfrm() which
caused writing past the end of the array if its size was not calculated
by running wcsxfrm() first.

Co-authored-by: Ronald Oussoren <ronaldoussoren@mac.com>
---
 .../Library/2025-09-15-19-29-12.gh-issue-130567.shDEnT.rst    | 2 ++
 Modules/_localemodule.c                                       | 4 +++-
 2 files changed, 5 insertions(+), 1 deletion(-)
 create mode 100644 Misc/NEWS.d/next/Library/2025-09-15-19-29-12.gh-issue-130567.shDEnT.rst

diff --git a/Misc/NEWS.d/next/Library/2025-09-15-19-29-12.gh-issue-130567.shDEnT.rst b/Misc/NEWS.d/next/Library/2025-09-15-19-29-12.gh-issue-130567.shDEnT.rst
new file mode 100644
index 00000000000000..c194b2331e5f4a
--- /dev/null
+++ b/Misc/NEWS.d/next/Library/2025-09-15-19-29-12.gh-issue-130567.shDEnT.rst
@@ -0,0 +1,2 @@
+Fix possible crash in :func:`locale.strxfrm` due to a platform bug on
+macOS.
diff --git a/Modules/_localemodule.c b/Modules/_localemodule.c
index e86d5b17d1759d..84891c0ec5add0 100644
--- a/Modules/_localemodule.c
+++ b/Modules/_localemodule.c
@@ -457,7 +457,9 @@ _locale_strxfrm_impl(PyObject *module, PyObject *str)
 
     /* assume no change in size, first */
     n1 = n1 + 1;
-    buf = PyMem_New(wchar_t, n1);
+    /* Yet one +1 is needed to work around a platform bug in wcsxfrm()
+     * on macOS. See gh-130567. */
+    buf = PyMem_New(wchar_t, n1+1);
     if (!buf) {
         PyErr_NoMemory();
         goto exit;

From 72d196a45d449a6a45e11d09ac9cd6b87e4714fc Mon Sep 17 00:00:00 2001
From: Petr Viktorin <encukou@gmail.com>
Date: Tue, 23 Sep 2025 16:41:40 +0200
Subject: [PATCH 2/2] Update comment in Modules/_localemodule.c

---
 Modules/_localemodule.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Modules/_localemodule.c b/Modules/_localemodule.c
index 84891c0ec5add0..cb448b14d8cd63 100644
--- a/Modules/_localemodule.c
+++ b/Modules/_localemodule.c
@@ -457,7 +457,7 @@ _locale_strxfrm_impl(PyObject *module, PyObject *str)
 
     /* assume no change in size, first */
     n1 = n1 + 1;
-    /* Yet one +1 is needed to work around a platform bug in wcsxfrm()
+    /* Yet another +1 is needed to work around a platform bug in wcsxfrm()
      * on macOS. See gh-130567. */
     buf = PyMem_New(wchar_t, n1+1);
     if (!buf) {