Unverified commit 3ea8f34c authored by Mark Harris, committed by Jean-Marc Valin

Avoid undefined behavior in oggp_get_next_page



This effectively changes:
  oggp->buf + (p->buf_pos - header_size)
to:
  oggp->buf + p->buf_pos - header_size

When header_size > p->buf_pos the first subtraction results in a large
unsigned value, as p->buf_pos is size_t.
Signed-off-by: Jean-Marc Valin <jmvalin@jmvalin.ca>
parent a04e079b
......@@ -379,7 +379,8 @@ int oggp_get_next_page(oggpacker *oggp, unsigned char **page, oggp_int32 *bytes)
}
p = &oggp->pages[0];
header_size = 27 + p->lacing_size;
ptr = &oggp->buf[p->buf_pos - header_size];
/* Don't use indexing in case header_size > p->buf_pos. */
ptr = oggp->buf + p->buf_pos - header_size;
len = p->buf_size + header_size;
memcpy(&ptr[27], &oggp->lacing[p->lacing_pos], p->lacing_size);
memcpy(ptr, "OggS", 4);
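Review bot: The new comment above `ptr = oggp->buf + p->buf_pos - header_size;` admits that header_size can exceed p->buf_pos, but it does not say why the resulting address is still valid. In that case ptr lies before oggp->buf, and both memcpy calls that follow write through it, so the pointer arithmetic is only defined if oggp->buf points into a larger allocation with at least header_size bytes reserved in front of it. Suggest stating that invariant in the comment, or asserting it, since the allocation code is not part of this hunk and a reader cannot confirm it from here.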