[Python-checkins] bpo-45507: EOFErrors should be thrown for truncated gzip members (GH-29029)

ambv webhook-mailer at python.org
Fri Nov 19 13:07:16 EST 2021


https://github.com/python/cpython/commit/0ff3d95b9875805ac03aeffc37ae4458ce3b8ac0
commit: 0ff3d95b9875805ac03aeffc37ae4458ce3b8ac0
branch: main
author: Ruben Vorderman <r.h.p.vorderman at lumc.nl>
committer: ambv <lukasz at langa.pl>
date: 2021-11-19T19:07:05+01:00
summary:

bpo-45507: EOFErrors should be thrown for truncated gzip members (GH-29029)

files:
A Misc/NEWS.d/next/Library/2021-10-18-14-00-01.bpo-45507.lDotNV.rst
M Lib/gzip.py
M Lib/test/test_gzip.py

diff --git a/Lib/gzip.py b/Lib/gzip.py
index ac1781042b264..6773ea3eef097 100644
--- a/Lib/gzip.py
+++ b/Lib/gzip.py
@@ -603,6 +603,9 @@ def decompress(data):
         do = zlib.decompressobj(wbits=-zlib.MAX_WBITS)
         # Read all the data except the header
         decompressed = do.decompress(data[fp.tell():])
+        if not do.eof or len(do.unused_data) < 8:
+            raise EOFError("Compressed file ended before the end-of-stream "
+                           "marker was reached")
         crc, length = struct.unpack("<II", do.unused_data[:8])
         if crc != zlib.crc32(decompressed):
             raise BadGzipFile("CRC check failed")
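Review bot: The added `EOFError` is not an `OSError`, while the `BadGzipFile` raised just below for a CRC mismatch is, so a caller that wraps `gzip.decompress` in `except OSError` or `except BadGzipFile` for untrusted input will not catch truncation. The hunk does not document this, and the bare `8` is unexplained. I would add a comment above the check such as `# A member ends with the deflate end-of-stream marker plus an 8-byte trailer (CRC32, ISIZE); anything shorter is truncation.` and list `EOFError` alongside `BadGzipFile` in the function's docstring. The body of `decompress` starts and ends outside this hunk, so the docstring and the length check that presumably follows are not visible here.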
diff --git a/Lib/test/test_gzip.py b/Lib/test/test_gzip.py
index f86e767ac0e59..aa66d2f07f508 100644
--- a/Lib/test/test_gzip.py
+++ b/Lib/test/test_gzip.py
@@ -562,6 +562,14 @@ def test_decompress(self):
             datac = gzip.compress(data)
             self.assertEqual(gzip.decompress(datac), data)
 
+    def test_decompress_truncated_trailer(self):
+        compressed_data = gzip.compress(data1)
+        self.assertRaises(EOFError, gzip.decompress, compressed_data[:-4])
+
+    def test_decompress_missing_trailer(self):
+        compressed_data = gzip.compress(data1)
+        self.assertRaises(EOFError, gzip.decompress, compressed_data[:-8])
+
     def test_read_truncated(self):
         data = data1*50
         # Drop the CRC (4 bytes) and file size (4 bytes).
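Review bot: Both new tests cut only into the 8-byte trailer, so the `not do.eof` half of the new condition in `gzip.decompress` is never exercised; in both cases the deflate stream is complete and only `len(do.unused_data) < 8` fires. A third case that truncates inside the compressed body would cover it, for example `self.assertRaises(EOFError, gzip.decompress, compressed_data[:-12])` in a `test_decompress_truncated_body` method. A truncated second member of a concatenated stream is also worth a case, since the function appears to process members in a loop that lies outside this hunk.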
diff --git a/Misc/NEWS.d/next/Library/2021-10-18-14-00-01.bpo-45507.lDotNV.rst b/Misc/NEWS.d/next/Library/2021-10-18-14-00-01.bpo-45507.lDotNV.rst
new file mode 100644
index 0000000000000..a69ccdaa7e26b
--- /dev/null
+++ b/Misc/NEWS.d/next/Library/2021-10-18-14-00-01.bpo-45507.lDotNV.rst
@@ -0,0 +1 @@
+Add tests for truncated/missing trailers in gzip.decompress implementation.


