var dopts []s2.ReaderOption
			if off > 0 || decOff > 0 {
				// We are not starting at the beginning, so ignore stream identifiers.
				dopts = append(dopts, s2.ReaderIgnoreStreamIdentifier())
			}
			s2Reader := s2.NewReader(inputReader, dopts...)
			// Apply the skipLen and limit on the decompressed stream.
			if decOff > 0 {
				if err = s2Reader.Skip(decOff); err != nil {
					// Call the cleanup funcs

	)

	var objectSize int64
	for _, partInfo := range objInfo.Parts {
		if isSSEC {
			hr, err = hash.NewReader(ctx, io.LimitReader(r, partInfo.Size), partInfo.Size, "", "", partInfo.ActualSize)
		} else {
			hr, err = hash.NewReader(ctx, io.LimitReader(r, partInfo.ActualSize), partInfo.ActualSize, "", "", partInfo.ActualSize)
		}
		if err != nil {
			return err
		}

### Go 1.20

Go 1.20 introduced support for rejecting insecure paths in tar and zip archives,
controlled by the [`tarinsecurepath` setting](/pkg/archive/tar/#Reader.Next)
and the [`zipinsecurepath` setting](/pkg/archive/zip/#NewReader).
These default to `tarinsecurepath=1` and `zipinsecurepath=1`,
preserving the behavior of earlier versions of Go.
A future version of Go may change the defaults to
`tarinsecurepath=0` and `zipinsecurepath=0`.

	if err != nil {
		t.Fatal(err)
	}

	testKMSPolicyName := "testKMSPolicy"
	if p != "" {
		p = `{"Version":"2012-10-17","Statement":[` + p + `]}`
		policyData, err := policy.ParseConfig(strings.NewReader(p))
		if err != nil {
			t.Fatal(err)
		}
		_, err = globalIAMSys.SetPolicy(ctx, testKMSPolicyName, *policyData)
		if err != nil {
			t.Fatal(err)
		}

			return
		}
		if sameTarget && bucket == clnt.Bucket {
			writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrBucketRemoteIdenticalToSource), r.URL)
			return
		}

		reader := bytes.NewReader(buf)
		// fake a PutObject and RemoveObject call to validate permissions
		c := &minio.Core{Client: clnt.Client}
		putOpts := minio.PutObjectOptions{
			Internal: minio.AdvancedPutOptions{

	xioutil.SafeClose(saverQuitCh)

	// Notify expire jobs final status to the configured endpoint
	buf, _ := json.Marshal(ri)
	if err := r.Notify(context.Background(), bytes.NewReader(buf)); err != nil {
		batchLogIf(context.Background(), fmt.Errorf("unable to notify %v", err))
	}

	return nil
}

//msgp:ignore batchExpireJobError
type batchExpireJobError struct {

	log.Infof("Running %s with the following input:\n%v", iptVer.CmdToString(cmd), strings.TrimSpace(data))
	// --noflush to prevent flushing/deleting previous contents from table
	return cfg.ext.Run(cmd, iptVer, strings.NewReader(data), "--noflush", "-v")
}

func (cfg *IptablesConfigurator) addLoopbackRoute() error {
	return cfg.nlDeps.AddLoopbackRoutes(cfg.cfg)
}

func (cfg *IptablesConfigurator) delLoopbackRoute() error {

			return &GetObjectReader{
				ObjInfo: objInfo,
			}, err
		}

		// Zero byte objects don't even need to further initialize pipes etc.
		return NewGetObjectReaderFromReader(bytes.NewReader(nil), objInfo, opts)
	}

	if objInfo.IsRemote() {
		gr, err := getTransitionedObjectReader(ctx, bucket, object, rs, h, objInfo, opts)
		if err != nil {
			return nil, err
		}
		unlockOnDefer = false

		// do some validation.
		newReplCfgBytes, err := xml.Marshal(replicationConfig)
		if err != nil {
			return err
		}
		newReplicationConfig, err := sreplication.ParseConfig(bytes.NewReader(newReplCfgBytes))
		if err != nil {
			return err
		}
		sameTarget, apiErr := validateReplicationDestination(ctx, bucket, newReplicationConfig, &validateReplicationDestinationOptions{CheckRemoteBucket: true})

}

func decryptData(data []byte, objPath string) ([]byte, error) {
	if utf8.Valid(data) {
		return data, nil
	}

	pdata, err := madmin.DecryptData(globalActiveCred.String(), bytes.NewReader(data))
	if err == nil {
		return pdata, nil
	}
	if GlobalKMS != nil {
		pdata, err = config.DecryptBytes(GlobalKMS, data, kms.Context{
			minioMetaBucket: path.Join(minioMetaBucket, objPath),
		})