shithub: libopusenc


ref: 3ea8f34c86701f248525027b9c66b68e1b312f73
parent: a04e079b037ef0e506250e4619818557ae73368e
author: Mark Harris <mark.hsj@gmail.com>
date: Sat Dec 30 06:17:22 EST 2017

Avoid undefined behavior in oggp_get_next_page

This effectively changes:
  oggp->buf + (p->buf_pos - header_size)
to:
  oggp->buf + p->buf_pos - header_size

When header_size > p->buf_pos the first subtraction results in a large
unsigned value, as p->buf_pos is size_t.

Signed-off-by: Jean-Marc Valin <jmvalin@jmvalin.ca>

--- a/src/ogg_packer.c
+++ b/src/ogg_packer.c
@@ -379,7 +379,8 @@
   }
   p = &oggp->pages[0];
   header_size = 27 + p->lacing_size;
-  ptr = &oggp->buf[p->buf_pos - header_size];
+  /* Don't use indexing in case header_size > p->buf_pos. */
+  ptr = oggp->buf + p->buf_pos - header_size;
   len = p->buf_size + header_size;
   memcpy(&ptr[27], &oggp->lacing[p->lacing_pos], p->lacing_size);
   memcpy(ptr, "OggS", 4);
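Review bot: The new comment on `ptr = oggp->buf + p->buf_pos - header_size;` says what to avoid but not why a destination below `oggp->buf` is safe to write to, and nothing in the hunk bounds `ptr` from below before the two `memcpy` calls store the header there. The pointer arithmetic and the writes are only defined if `oggp->buf` points into a larger allocation with at least `header_size` bytes of headroom in front of it; presumably that is arranged where the buffer is allocated, outside this hunk. I would state the invariant in the comment, e.g. `/* ptr may lie before oggp->buf; this relies on the header headroom reserved in front of buf. Keep the + before the - so the size_t subtraction cannot wrap. */`, and consider an `assert()` on that headroom next to it so a later change to the buffer layout fails loudly instead of writing out of bounds. The body of oggp_get_next_page starts and ends outside the hunk.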