ref: dee76c90f3211734564ff2ee4f34fa64be403777
parent: 2c239ebc90d6c105c52b266ad4664a76a4cc2261
author: Timothy B. Terriberry <tterribe@xiph.org>
date: Tue Sep 12 10:29:25 EDT 2017
Fix out-of-bounds read in serialno matching logic
We very carefully ensured _cur_link + 1 was in bounds, and then dereferenced nlinks + 1 (guaranteed to be out of bounds) instead. Introduced in commit f83675ebbd79. Thanks to the Google Autofuzz project for the report. Fixes #2326
--- a/src/opusfile.c
+++ b/src/opusfile.c
@@ -1835,7 +1835,7 @@
nlinks=_of->nlinks;
li_lo=0;
/*Start off by guessing we're just a multiplexed page in the current link.*/
- li_hi=_cur_link+1<nlinks&&_page_offset<links[nlinks+1].offset?
+ li_hi=_cur_link+1<nlinks&&_page_offset<links[_cur_link+1].offset?
_cur_link+1:nlinks;
do{
if(_page_offset>=links[_cur_link].offset)li_lo=_cur_link;
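Review bot: The corrected index on the `+` line is right, but nothing in the hunk records the invariant the guard depends on, which is how a one-character slip to `nlinks+1` compiled and shipped; a comment above the assignment would pin it, e.g. `/*_cur_link+1<nlinks makes links[_cur_link+1] a valid entry; links[nlinks] itself is one past the end and must never be read.*/`. The unconditional read of `links[_cur_link].offset` on the last context line presumably relies on the caller guaranteeing `0<=_cur_link<nlinks`; if that precondition is documented at the function's declaration it is worth cross-referencing here, since the enclosing function starts and ends outside the hunk. A regression test feeding a multi-link stream whose page offset lies beyond the current link's range, run under ASan, would catch a recurrence of this class of index error, which the fuzzer found only by chance.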