Fix out-of-bounds read in serialno matching logic (!1) · Merge requests · Xiph.Org / Opusfile

Timothy B. Terriberry requested to merge tterribe/opusfile:fix-insane-chain-fix1 into master Sep 12, 2017

We very carefully ensured _cur_link + 1 was in bounds, and then dereferenced nlinks + 1 (guaranteed to be out of bounds) instead. Introduced in commit f83675eb.

Thanks to the Google Autfuzz project for the report.

Fixes #2326

Edited Sep 12, 2017 by Timothy B. Terriberry

Fix out-of-bounds read in serialno matching logic

Merge request reports