From df6b544ff6f342e8a64056e627867a70413bfdb0 Mon Sep 17 00:00:00 2001
From: Brett Cannon <brett@python.org>
Date: Thu, 3 Sep 2015 10:15:03 -0700
Subject: Issue #24913: Fix overrun error in deque.index().

Reported by John Leitch and Bryce Darling, patch by Raymond Hettinger.
---
 Lib/test/test_deque.py       | 5 +++++
 Misc/NEWS                    | 3 +++
 Modules/_collectionsmodule.c | 2 ++
 3 files changed, 10 insertions(+)

diff --git a/Lib/test/test_deque.py b/Lib/test/test_deque.py
index b858509..8718716 100644
--- a/Lib/test/test_deque.py
+++ b/Lib/test/test_deque.py
@@ -289,6 +289,11 @@ class TestBasic(unittest.TestCase):
                     else:
                         self.assertEqual(d.index(element, start, stop), target)
 
+    def test_insert_bug_24913(self):
+        d = deque('A' * 3)
+        with self.assertRaises(ValueError):
+            i = d.index("Hello world", 0, 4)
+
     def test_insert(self):
         # Test to make sure insert behaves like lists
         elements = 'ABCDEFGHI'
diff --git a/Misc/NEWS b/Misc/NEWS
index 8f34c54..b1beeec 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -15,6 +15,9 @@ Core and Builtins
 Library
 -------
 
+- Issue #24913: Fix overrun error in deque.index().
+  Found by John Leitch and Bryce Darling.
+
 
 What's New in Python 3.5.0 release candidate 2?
 ===============================================
diff --git a/Modules/_collectionsmodule.c b/Modules/_collectionsmodule.c
index 830c5b8..3856d83 100644
--- a/Modules/_collectionsmodule.c
+++ b/Modules/_collectionsmodule.c
@@ -924,6 +924,8 @@ deque_index(dequeobject *deque, PyObject *args)
         if (stop < 0)
             stop = 0;
     }
+    if (stop > Py_SIZE(deque))
+        stop = Py_SIZE(deque);
 
     for (i=0 ; i<stop ; i++) {
         if (i >= start) {
-- 
cgit v0.12


From 4e63f7a2b4e3602c420c8ae59a16020b14f8ee13 Mon Sep 17 00:00:00 2001
From: Serhiy Storchaka <storchaka@gmail.com>
Date: Fri, 4 Sep 2015 07:48:19 +0300
Subject: Issue #24989: Fixed buffer overread in BytesIO.readline() if a
 position is set beyond size.  Based on patch by John Leitch.

---
 Lib/test/test_memoryio.py | 13 +++++++++++++
 Misc/NEWS                 |  3 +++
 Modules/_io/bytesio.c     |  6 +++++-
 3 files changed, 21 insertions(+), 1 deletion(-)

diff --git a/Lib/test/test_memoryio.py b/Lib/test/test_memoryio.py
index df4ff7a..44d66c3 100644
--- a/Lib/test/test_memoryio.py
+++ b/Lib/test/test_memoryio.py
@@ -166,6 +166,10 @@ class MemoryTestMixin:
         memio.seek(0)
         self.assertEqual(memio.read(None), buf)
         self.assertRaises(TypeError, memio.read, '')
+        memio.seek(len(buf) + 1)
+        self.assertEqual(memio.read(1), self.EOF)
+        memio.seek(len(buf) + 1)
+        self.assertEqual(memio.read(), self.EOF)
         memio.close()
         self.assertRaises(ValueError, memio.read)
 
@@ -185,6 +189,9 @@ class MemoryTestMixin:
         self.assertEqual(memio.readline(-1), buf)
         memio.seek(0)
         self.assertEqual(memio.readline(0), self.EOF)
+        # Issue #24989: Buffer overread
+        memio.seek(len(buf) * 2 + 1)
+        self.assertEqual(memio.readline(), self.EOF)
 
         buf = self.buftype("1234567890\n")
         memio = self.ioclass((buf * 3)[:-1])
@@ -217,6 +224,9 @@ class MemoryTestMixin:
         memio.seek(0)
         self.assertEqual(memio.readlines(None), [buf] * 10)
         self.assertRaises(TypeError, memio.readlines, '')
+        # Issue #24989: Buffer overread
+        memio.seek(len(buf) * 10 + 1)
+        self.assertEqual(memio.readlines(), [])
         memio.close()
         self.assertRaises(ValueError, memio.readlines)
 
@@ -238,6 +248,9 @@ class MemoryTestMixin:
             self.assertEqual(line, buf)
             i += 1
         self.assertEqual(i, 10)
+        # Issue #24989: Buffer overread
+        memio.seek(len(buf) * 10 + 1)
+        self.assertEqual(list(memio), [])
         memio = self.ioclass(buf * 2)
         memio.close()
         self.assertRaises(ValueError, memio.__next__)
diff --git a/Misc/NEWS b/Misc/NEWS
index b1beeec..3dc2435 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -15,6 +15,9 @@ Core and Builtins
 Library
 -------
 
+- Issue #24989: Fixed buffer overread in BytesIO.readline() if a position is
+  set beyond size.  Based on patch by John Leitch.
+
 - Issue #24913: Fix overrun error in deque.index().
   Found by John Leitch and Bryce Darling.
 
diff --git a/Modules/_io/bytesio.c b/Modules/_io/bytesio.c
index d46430d..31cc1f7 100644
--- a/Modules/_io/bytesio.c
+++ b/Modules/_io/bytesio.c
@@ -57,14 +57,18 @@ scan_eol(bytesio *self, Py_ssize_t len)
     Py_ssize_t maxlen;
 
     assert(self->buf != NULL);
+    assert(self->pos >= 0);
+
+    if (self->pos >= self->string_size)
+        return 0;
 
     /* Move to the end of the line, up to the end of the string, s. */
-    start = PyBytes_AS_STRING(self->buf) + self->pos;
     maxlen = self->string_size - self->pos;
     if (len < 0 || len > maxlen)
         len = maxlen;
 
     if (len) {
+        start = PyBytes_AS_STRING(self->buf) + self->pos;
         n = memchr(start, '\n', len);
         if (n)
             /* Get the length from the current position to the end of
-- 
cgit v0.12