Commit dee76c90 authored by Timothy B. Terriberry

Fix out-of-bounds read in serialno matching logic

We very carefully ensured _cur_link + 1 was in bounds, and then
dereferenced nlinks + 1 (guaranteed to be out of bounds) instead.
Introduced in commit f83675eb.

Thanks to the Google Autfuzz project for the report.

Fixes #2326
parent 2c239ebc
......@@ -1835,7 +1835,7 @@ static int op_get_link_from_serialno(const OggOpusFile *_of,int _cur_link,
nlinks=_of->nlinks;
li_lo=0;
/*Start off by guessing we're just a multiplexed page in the current link.*/
li_hi=_cur_link+1<nlinks&&_page_offset<links[nlinks+1].offset?
li_hi=_cur_link+1<nlinks&&_page_offset<links[_cur_link+1].offset?
_cur_link+1:nlinks;
do{
if(_page_offset>=links[_cur_link].offset)li_lo=_cur_link;
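Review bot: The corrected subscript `links[_cur_link+1]` is now the same index that the short-circuiting `_cur_link+1<nlinks` test immediately before it guards, so the read stays inside the `nlinks` entries of `links`; the removed `links[nlinks+1]` was past the end of the array on every call, regardless of that guard, and also inconsistent with the `links[_cur_link]` access in the loop body below. Suggest re-running the reporter's input under AddressSanitizer to confirm the read is gone, and adding a one-line comment above the ternary noting that the bounds test exists for that subscript, since a guard and an index that do not refer to the same value is exactly what slipped through in f83675eb.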