Issue #24989: Fixed buffer overread in BytesIO.readline() if a position is

set beyond size.  Based on patch by John Leitch.

3 files changed, 21 insertions, 1 deletions

diff --git a/Lib/test/test_memoryio.py b/Lib/test/test_memoryio.py
index df4ff7a..44d66c3 100644
--- a/Lib/test/test_memoryio.py
+++ b/Lib/test/test_memoryio.py
@@ -166,6 +166,10 @@ class MemoryTestMixin:
         memio.seek(0)
         self.assertEqual(memio.read(None), buf)
         self.assertRaises(TypeError, memio.read, '')
+        memio.seek(len(buf) + 1)
+        self.assertEqual(memio.read(1), self.EOF)
+        memio.seek(len(buf) + 1)
+        self.assertEqual(memio.read(), self.EOF)
         memio.close()
         self.assertRaises(ValueError, memio.read)
 
@@ -185,6 +189,9 @@ class MemoryTestMixin:
         self.assertEqual(memio.readline(-1), buf)
         memio.seek(0)
         self.assertEqual(memio.readline(0), self.EOF)
+        # Issue #24989: Buffer overread
+        memio.seek(len(buf) * 2 + 1)
+        self.assertEqual(memio.readline(), self.EOF)
 
         buf = self.buftype("1234567890\n")
         memio = self.ioclass((buf * 3)[:-1])
@@ -217,6 +224,9 @@ class MemoryTestMixin:
         memio.seek(0)
         self.assertEqual(memio.readlines(None), [buf] * 10)
         self.assertRaises(TypeError, memio.readlines, '')
+        # Issue #24989: Buffer overread
+        memio.seek(len(buf) * 10 + 1)
+        self.assertEqual(memio.readlines(), [])
         memio.close()
         self.assertRaises(ValueError, memio.readlines)
 
@@ -238,6 +248,9 @@ class MemoryTestMixin:
             self.assertEqual(line, buf)
             i += 1
         self.assertEqual(i, 10)
+        # Issue #24989: Buffer overread
+        memio.seek(len(buf) * 10 + 1)
+        self.assertEqual(list(memio), [])
         memio = self.ioclass(buf * 2)
         memio.close()
         self.assertRaises(ValueError, memio.__next__)
diff --git a/Misc/NEWS b/Misc/NEWS
index d52a9e7..f638f69 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -167,6 +167,9 @@ Core and Builtins
 Library
 -------
 
+- Issue #24989: Fixed buffer overread in BytesIO.readline() if a position is
+  set beyond size.  Based on patch by John Leitch.
+
 - Issue #24847: Removes vcruntime140.dll dependency from Tcl/Tk.
 
 - Issue #24839: platform._syscmd_ver raises DeprecationWarning
diff --git a/Modules/_io/bytesio.c b/Modules/_io/bytesio.c
index d46430d..31cc1f7 100644
--- a/Modules/_io/bytesio.c
+++ b/Modules/_io/bytesio.c
@@ -57,14 +57,18 @@ scan_eol(bytesio *self, Py_ssize_t len)
     Py_ssize_t maxlen;
 
     assert(self->buf != NULL);
+    assert(self->pos >= 0);
+
+    if (self->pos >= self->string_size)
+        return 0;
 
     /* Move to the end of the line, up to the end of the string, s. */
-    start = PyBytes_AS_STRING(self->buf) + self->pos;
     maxlen = self->string_size - self->pos;
     if (len < 0 || len > maxlen)
         len = maxlen;
 
     if (len) {
+        start = PyBytes_AS_STRING(self->buf) + self->pos;
         n = memchr(start, '\n', len);
         if (n)
             /* Get the length from the current position to the end of