[3.14] gh-141311: Avoid assertion in BytesIO.readinto() (GH-141333) (GH-141457)

Fix error in assertion which causes failure if pos is equal to PY_SSIZE_T_MAX.
Fix undefined behavior in read() and readinto() if pos is larger that the size
of the underlying buffer.
(cherry picked from commit 7d54374f9c7d91e0ef90c4ad84baf10073cf1d8a)

Co-authored-by: Cody Maloney <cmaloney@users.noreply.github.com>

diff --git a/Lib/test/test_memoryio.py b/Lib/test/test_memoryio.py
index 63998a86c45b53c61827396256b38cd76acb6d86..bb023735e213981c38a2ca1d82e6320575d296b7 100644 (file)
--- a/Lib/test/test_memoryio.py
+++ b/Lib/test/test_memoryio.py
@@ -54,6 +54,12 @@ class MemorySeekTestMixin:
         self.assertEqual(buf[3:], bytesIo.read())
         self.assertRaises(TypeError, bytesIo.seek, 0.0)
 
+        self.assertEqual(sys.maxsize, bytesIo.seek(sys.maxsize))
+        self.assertEqual(self.EOF, bytesIo.read(4))
+
+        self.assertEqual(sys.maxsize - 2, bytesIo.seek(sys.maxsize - 2))
+        self.assertEqual(self.EOF, bytesIo.read(4))
+
     def testTell(self):
         buf = self.buftype("1234567890")
         bytesIo = self.ioclass(buf)
@@ -552,6 +558,14 @@ class PyBytesIOTest(MemoryTestMixin, MemorySeekTestMixin, unittest.TestCase):
         memio.seek(1, 1)
         self.assertEqual(memio.read(), buf[1:])
 
+    def test_issue141311(self):
+        memio = self.ioclass()
+        # Seek allows PY_SSIZE_T_MAX, read should handle that.
+        # Past end of buffer read should always return 0 (EOF).
+        self.assertEqual(sys.maxsize, memio.seek(sys.maxsize))
+        buf = bytearray(2)
+        self.assertEqual(0, memio.readinto(buf))
+
     def test_unicode(self):
         memio = self.ioclass()
 

diff --git a/Misc/NEWS.d/next/Library/2025-11-09-18-55-13.gh-issue-141311.qZ3swc.rst b/Misc/NEWS.d/next/Library/2025-11-09-18-55-13.gh-issue-141311.qZ3swc.rst
new file mode 100644 (file)
index 0000000..bb425ce
--- /dev/null
+++ b/Misc/NEWS.d/next/Library/2025-11-09-18-55-13.gh-issue-141311.qZ3swc.rst
@@ -0,0 +1,2 @@
+Fix assertion failure in :func:`!io.BytesIO.readinto` and undefined behavior
+arising when read position is above capcity in :class:`io.BytesIO`.

diff --git a/Modules/_io/bytesio.c b/Modules/_io/bytesio.c
index 72f305d8a61f7797385e51e259aa150db9e60d6d..a3b653f30dd2cfb9f9fdf889d6f100efc9f85e8a 100644 (file)
--- a/Modules/_io/bytesio.c
+++ b/Modules/_io/bytesio.c
@@ -436,6 +436,13 @@ read_bytes_lock_held(bytesio *self, Py_ssize_t size)
         return Py_NewRef(self->buf);
     }
 
+    /* gh-141311: Avoid undefined behavior when self->pos (limit PY_SSIZE_T_MAX)
+       is beyond the size of self->buf. Assert above validates size is always in
+       bounds. When self->pos is out of bounds calling code sets size to 0. */
+    if (size == 0) {
+        return PyBytes_FromStringAndSize(NULL, 0);
+    }
+
     output = PyBytes_AS_STRING(self->buf) + self->pos;
     self->pos += size;
     return PyBytes_FromStringAndSize(output, size);
@@ -609,11 +616,14 @@ _io_BytesIO_readinto_impl(bytesio *self, Py_buffer *buffer)
     n = self->string_size - self->pos;
     if (len > n) {
         len = n;
-        if (len < 0)
-            len = 0;
+        if (len < 0) {
+            /* gh-141311: Avoid undefined behavior when self->pos (limit
+               PY_SSIZE_T_MAX) points beyond the size of self->buf. */
+            return PyLong_FromSsize_t(0);
+        }
     }
 
-    assert(self->pos + len < PY_SSIZE_T_MAX);
+    assert(self->pos + len <= PY_SSIZE_T_MAX);
     assert(len >= 0);
     memcpy(buffer->buf, PyBytes_AS_STRING(self->buf) + self->pos, len);
     self->pos += len;