python
diff --git a/‎Lib/test/test_io.py
Lines changed: 16 additions & 0 deletions b/‎Lib/test/test_io.py
Lines changed: 16 additions & 0 deletions
diff --git a/‎Misc/NEWS
Lines changed: 5 additions & 0 deletions b/‎Misc/NEWS
Lines changed: 5 additions & 0 deletions
diff --git a/‎Modules/_io/iobase.c
Lines changed: 9 additions & 4 deletions b/‎Modules/_io/iobase.c
Lines changed: 9 additions & 4 deletions
diff --git a/‎Modules/cjkcodecs/multibytecodec.c
Lines changed: 3 additions & 0 deletions b/‎Modules/cjkcodecs/multibytecodec.c
Lines changed: 3 additions & 0 deletions
diff --git a/‎Modules/posixmodule.c
Lines changed: 4 additions & 1 deletion b/‎Modules/posixmodule.c
Lines changed: 4 additions & 1 deletion
@@ -396,6 +396,22 @@ def test_readline(self):
         with self.open(support.TESTFN, "r") as f:
             self.assertRaises(TypeError, f.readline, 5.3)
 
+    def test_readline_nonsizeable(self):
+        # Issue #30061
+        # Crash when readline() returns an object without __len__
+        class R(self.IOBase):
+            def readline(self):
+                return None
+        self.assertRaises((TypeError, StopIteration), next, R())
+
+    def test_next_nonsizeable(self):
+        # Issue #30061
+        # Crash when next() returns an object without __len__
+        class R(self.IOBase):
+            def next(self):
+                return None
+        self.assertRaises(TypeError, R().readlines, 1)
+
     def test_raw_bytes_io(self):
         f = self.BytesIO()
         self.write_ops(f)
 
@@ -42,6 +42,11 @@ Extension Modules
 Library
 -------
 
+- bpo-30061: Fixed crashes in IOBase methods next() and readlines() when
+  readline() or next() respectively return non-sizeable object.
+  Fixed possible other errors caused by not checking results of PyObject_Size(),
+  PySequence_Size(), or PyMapping_Size().
+
 - bpo-30011: Fixed race condition in HTMLParser.unescape().
 
 - bpo-30068: _io._IOBase.readlines will check if it's closed first when
 
@@ -571,7 +571,8 @@ iobase_iternext(PyObject *self)
     if (line == NULL)
         return NULL;
 
-    if (PyObject_Size(line) == 0) {
+    if (PyObject_Size(line) <= 0) {
+        /* Error or empty */
         Py_DECREF(line);
         return NULL;
     }
@@ -618,6 +619,7 @@ iobase_readlines(PyObject *self, PyObject *args)
     }
 
     while (1) {
+        Py_ssize_t line_length;
         PyObject *line = PyIter_Next(it);
         if (line == NULL) {
             if (PyErr_Occurred()) {
@@ -631,11 +633,14 @@ iobase_readlines(PyObject *self, PyObject *args)
             Py_DECREF(line);
             goto error;
         }
-        length += PyObject_Size(line);
+        line_length = PyObject_Size(line);
         Py_DECREF(line);
-
-        if (length > hint)
+        if (line_length < 0) {
+            goto error;
+        }
+        if (line_length > hint - length)
             break;
+        length += line_length;
     }
 
     Py_DECREF(it);
 
@@ -1604,6 +1604,9 @@ mbstreamwriter_writelines(MultibyteStreamWriterObject *self, PyObject *lines)
         if (r == -1)
             return NULL;
     }
+    /* PySequence_Length() can fail */
+    if (PyErr_Occurred())
+        return NULL;
 
     Py_RETURN_NONE;
 }
 
@@ -6077,14 +6077,17 @@ Set the groups of the current process to list.");
 static PyObject *
 posix_setgroups(PyObject *self, PyObject *groups)
 {
-    int i, len;
+    Py_ssize_t i, len;
     gid_t grouplist[MAX_GROUPS];
 
     if (!PySequence_Check(groups)) {
         PyErr_SetString(PyExc_TypeError, "setgroups argument must be a sequence");
         return NULL;
     }
     len = PySequence_Size(groups);
+    if (len < 0) {
+        return NULL;
+    }
     if (len > MAX_GROUPS) {
         PyErr_SetString(PyExc_ValueError, "too many groups");
         return NULL;
Original file line number	Diff line number	Diff line change
`@@ -1604,6 +1604,9 @@ mbstreamwriter_writelines(MultibyteStreamWriterObject self, PyObject lines)`
`1604`	`1604`	`if (r == -1)`
`1605`	`1605`	`return NULL;`
`1606`	`1606`	`}`
	`1607`	`+ /* PySequence_Length() can fail */`
	`1608`	`+ if (PyErr_Occurred())`
	`1609`	`+ return NULL;`
`1607`	`1610`
`1608`	`1611`	`Py_RETURN_NONE;`
`1609`	`1612`	`}`