[3.13] gh-151981: Make tarfile._Stream.seek break at EOF (GH-151982) (#151993)

author Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com>

Tue, 23 Jun 2026 13:46:38 +0000 (15:46 +0200)

committer GitHub <noreply@github.com>

Tue, 23 Jun 2026 13:46:38 +0000 (14:46 +0100)
author Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com>
Tue, 23 Jun 2026 13:46:38 +0000 (15:46 +0200)
committer GitHub <noreply@github.com>
Tue, 23 Jun 2026 13:46:38 +0000 (14:46 +0100)
diff --git a/Lib/tarfile.py b/Lib/tarfile.py

index b22b2b38abb09c78883212a097d46f1e02ebc96d..79107326c9d1155a9d81b18115c84da09514c499 100755 (executable)
--- a/Lib/tarfile.py
+++ b/Lib/tarfile.py
@@ -515,7 +515,9 @@ class _Stream:
          if pos - self.pos >= 0:
              blocks, remainder = divmod(pos - self.pos, self.bufsize)
              for i in range(blocks):
-                self.read(self.bufsize)
+                data = self.read(self.bufsize)
+                if not data:
+                    break
              self.read(remainder)
          else:
              raise StreamError("seeking backwards is not allowed")
diff --git a/Lib/test/test_tarfile.py b/Lib/test/test_tarfile.py

index e8b1eb8bc033fdcb19aff7d20dc30edb968acda1..6165241a229bef4946b88b8151e5891c5f3f9938 100644 (file)
--- a/Lib/test/test_tarfile.py
+++ b/Lib/test/test_tarfile.py
@@ -4738,6 +4738,22 @@ class TestExtractionFilters(unittest.TestCase):
          with self.check_context(arc.open(errorlevel='boo!'), filtererror_filter):
              self.expect_exception(TypeError)  # errorlevel is not int
  
+    @support.subTests('format', [tarfile.GNU_FORMAT, tarfile.PAX_FORMAT])
+    def test_getmembers_big_size(self, format):
+        # gh-151981: A loop in seek() for streaming files tried to read the
+        # declared number of blocks even at EOF
+        tinfo = tarfile.TarInfo("huge-file")
+        tinfo.size = 1 << 64
+        bio = io.BytesIO()
+        # Write header without data
+        bio.write(tinfo.tobuf(format))
+
+        # Reset & try to get contents
+        bio.seek(0)
+        with tarfile.open(fileobj=bio, mode="r|") as tar:
+            with self.assertRaises(tarfile.ReadError):
+                tar.getmembers()
+
  
  class OverwriteTests(archiver_tests.OverwriteTests, unittest.TestCase):
      testdir = os.path.join(TEMPDIR, "testoverwrite")
diff --git a/Misc/NEWS.d/next/Security/2026-06-23-13-28-16.gh-issue-151981.xBHEcU.rst b/Misc/NEWS.d/next/Security/2026-06-23-13-28-16.gh-issue-151981.xBHEcU.rst

new file mode 100644 (file)

index 0000000..2123ab8
--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2026-06-23-13-28-16.gh-issue-151981.xBHEcU.rst
@@ -0,0 +1,2 @@
+In :mod:`tarfile`, seeking a stream now stops when end of the stream is
+reached.
author	Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com>
	Tue, 23 Jun 2026 13:46:38 +0000 (15:46 +0200)
committer	GitHub <noreply@github.com>
	Tue, 23 Jun 2026 13:46:38 +0000 (14:46 +0100)
Lib/tarfile.py		patch \| blob \| blame \| history
Lib/test/test_tarfile.py		patch \| blob \| blame \| history
Misc/NEWS.d/next/Security/2026-06-23-13-28-16.gh-issue-151981.xBHEcU.rst	[new file with mode: 0644]	patch \| blob