Bug report
Bug description:
Description
The sys.set_int_max_str_digits() function appears to not enforce the configured limit when converting a very large integer to a string. This could potentially bypass the intended denial-of-service protection that the limit is designed to provide.
When setting a limit, it is expected that any integer-to-string conversion that would result in a string with more digits than the limit will raise a ValueError. However, for certain large numbers, this check does not seem to occur, and the conversion succeeds without error. I tested this with the maximum number of digits set to 100,000. This allowed numbers with up to 100424 digits but threw an error for numbers with 100425 or more digits.
This doesn't seem to be an issue for all possible inputs to the sys.set_int_max_str_digits() method. For instance, I also tested it with the maximum number of digits set to 640. It correctly threw an error when I tried to do str(10**640).
Steps to Reproduce
10**100423 has 100424 digits, therefore str(10**100423) should throw a ValueError but it does not. Instead, the code below prints 100424.
import sys
sys.set_int_max_str_digits(100000)
number_str = str(10**100423)
print(len(number_str))
CPython versions tested on:
3.12
Operating systems tested on:
Windows