Index: Objects/stringobject.c
===================================================================
--- Objects/stringobject.c (revision 67412)
+++ Objects/stringobject.c (working copy)
@@ -4,6 +4,7 @@
 #include "Python.h"
 #include
+#include
 #ifdef COUNT_ALLOCS
 int null_strings, one_strings;
@@ -74,13 +75,14 @@
 return (PyObject *)op;
 }
- if (size > PY_SSIZE_T_MAX - sizeof(PyStringObject)) {
+ if (size > PY_SSIZE_T_MAX - offsetof(PyStringObject, ob_sval) - 1) {
 PyErr_SetString(PyExc_OverflowError, "string is too large");
 return NULL;
 }
 /* Inline PyObject_NewVar */
- op = (PyStringObject *)PyObject_MALLOC(sizeof(PyStringObject) + size);
+ op = (PyStringObject *)PyObject_MALLOC(
+ offsetof(PyStringObject, ob_sval) + size + 1);
 if (op == NULL)
 return PyErr_NoMemory();
 PyObject_INIT_VAR(op, &PyString_Type, size);
@@ -114,7 +116,7 @@
 assert(str != NULL);
 size = strlen(str);
- if (size > PY_SSIZE_T_MAX - sizeof(PyStringObject)) {
+ if (size > PY_SSIZE_T_MAX - offsetof(PyStringObject, ob_sval) - 1) {
 PyErr_SetString(PyExc_OverflowError,
 "string is too long for a Python string");
 return NULL;
@@ -135,7 +137,8 @@
 }
 /* Inline PyObject_NewVar */
- op = (PyStringObject *)PyObject_MALLOC(sizeof(PyStringObject) + size);
+ op = (PyStringObject *)PyObject_MALLOC(
+ offsetof(PyStringObject, ob_sval) + size + 1);
 if (op == NULL)
 return PyErr_NoMemory();
 PyObject_INIT_VAR(op, &PyString_Type, size);
@@ -994,12 +997,13 @@
 }
 /* Inline PyObject_NewVar */
- if (size > PY_SSIZE_T_MAX - sizeof(PyStringObject)) {
+ if (size > PY_SSIZE_T_MAX - offsetof(PyStringObject, ob_sval) - 1) {
 PyErr_SetString(PyExc_OverflowError, "strings are too large to concat");
 return NULL;
 }
- op = (PyStringObject *)PyObject_MALLOC(sizeof(PyStringObject) + size);
+ op = (PyStringObject *)PyObject_MALLOC(
+ offsetof(PyStringObject, ob_sval) + size + 1);
 if (op == NULL)
 return PyErr_NoMemory();
 PyObject_INIT_VAR(op, &PyString_Type, size);
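Review bot: The header size `offsetof(PyStringObject, ob_sval) + 1` is spelled out twice in the -74,13 hunk, once in the overflow check and once in the `PyObject_MALLOC` argument, and the same pair recurs in the -114,7 and -135,7 hunks (check and allocation split between them), the -994,12 hunk and the -1036,13 hunk. A length check that can be edited separately from the allocation it guards is a common way for a heap overflow to be introduced later, so the constant should be defined once, for example `#define PyStringObject_SIZE (offsetof(PyStringObject, ob_sval) + 1)`. Each site then reads `if (size > PY_SSIZE_T_MAX - PyStringObject_SIZE) {` and `PyObject_MALLOC(PyStringObject_SIZE + size)`. The enclosing function starts and ends outside the hunk.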
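Review bot: The guard in the -994,12 hunk compares `size` with an expression that has type `size_t` because of `offsetof`, so if `size` is a signed `Py_ssize_t` (its declaration is outside the hunk) it is converted to unsigned before the comparison. That implicit conversion is what causes a negative `size` to be rejected here instead of reaching `PyObject_MALLOC`, yet nothing on the line says the code depends on it. Make it explicit with `if ((size_t)size > PY_SSIZE_T_MAX - offsetof(PyStringObject, ob_sval) - 1) {` or add a comment such as `/* compared as size_t, so a negative size is rejected too */`. The checks in the -74,13 and -114,7 hunks have the same shape.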
@@ -1036,13 +1040,14 @@
 return (PyObject *)a;
 }
 nbytes = (size_t)size;
- if (nbytes + sizeof(PyStringObject) <= nbytes) {
+ if (nbytes > PY_SSIZE_T_MAX - offsetof(PyStringObject, ob_sval) - 1) {
 PyErr_SetString(PyExc_OverflowError, "repeated string is too long");
 return NULL;
 }
 op = (PyStringObject *)
- PyObject_MALLOC(sizeof(PyStringObject) + nbytes);
+ PyObject_MALLOC(
+ offsetof(PyStringObject, ob_sval) + nbytes + 1);
 if (op == NULL)
 return PyErr_NoMemory();
 PyObject_INIT_VAR(op, &PyString_Type, size);
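Review bot: The allocation in the -1036,13 hunk is now exactly the header plus `nbytes` plus one terminator byte, without the struct padding that `sizeof(PyStringObject)` used to include, so every other place that sizes a string object has to agree with it. This diff shows no resize or realloc path, no basic size declared on `PyString_Type`, and no size-reporting code. If any of those still use `sizeof(PyStringObject)` they would over-allocate or over-report rather than overflow, but the mismatch should be removed in the same change. It is also worth confirming that no writer relied on the padding bytes past `ob_sval[size]`, ideally by running the string tests under a memory checker. The enclosing function starts and ends outside the hunk.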