Fix out-of-bounds read in serialno matching logic (master)
author: Timothy B. Terriberry <tterribe@xiph.org>
Tue, 12 Sep 2017 21:29:25 +0000 (14:29 -0700)
committer: Timothy B. Terriberry <tterribe@xiph.org>
Tue, 12 Sep 2017 22:00:40 +0000 (15:00 -0700)
We very carefully ensured _cur_link + 1 was in bounds, and then
dereferenced nlinks + 1 (guaranteed to be out of bounds) instead.
Introduced in commit f83675ebbd79.

Thanks to the Google Autofuzz project for the report.

Fixes #2326
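
The pattern behind this bug (a bounds test on one index, a dereference of another) is easiest to see in a self-contained version of the search. The block below is an added example, not opusfile's code: `link_t`, `link_from_offset` and the four-link table are constructed here to mirror the shape of op_get_link_from_serialno (guess the page is multiplexed into the current link, then bisect), with the index that the `_cur_link+1<nlinks` test actually guards being the one that is dereferenced. It also treats `li_hi == nlinks` as an exclusive bound and rejects an out-of-range hint, which the hunk does not show.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for opusfile's per-link table: one entry per logical
   stream, sorted by the byte offset of its first page. Not the real struct. */
typedef struct {
  int64_t  offset;    /* byte offset of the first page of this link */
  uint32_t serialno;  /* Ogg serial number of the stream (unused by the search) */
} link_t;

/* Find the index of the link whose byte range contains page_offset, using
   cur_link as a hint. Same shape as op_get_link_from_serialno: first guess
   the page is multiplexed into the current link, which bounds the search by
   the start of the *next* link, then narrow [li_lo, li_hi) by bisection.
   li_hi == nlinks is an exclusive bound meaning "past the last link".
   Returns -1 if there are no links or the offset precedes the first one. */
int link_from_offset(const link_t *links, int nlinks, int cur_link,
                     int64_t page_offset) {
  int li_lo, li_hi;
  if (nlinks <= 0 || page_offset < links[0].offset) return -1;
  /* An invalid hint is not trusted at all; fall back to searching from 0. */
  if (cur_link < 0 || cur_link >= nlinks) cur_link = 0;
  li_lo = 0;
  /* The only index dereferenced here is the one the test proved in bounds:
     cur_link+1. The bug being fixed read links[nlinks+1] after the same
     test, which is past the end no matter what the test established. */
  li_hi = (cur_link + 1 < nlinks && page_offset < links[cur_link + 1].offset)
          ? cur_link + 1 : nlinks;
  if (page_offset >= links[cur_link].offset) li_lo = cur_link;
  /* Invariant: links[li_lo].offset <= page_offset, and either li_hi == nlinks
     or page_offset < links[li_hi].offset. */
  while (li_hi - li_lo > 1) {
    int mid = li_lo + (li_hi - li_lo) / 2;
    if (page_offset >= links[mid].offset) li_lo = mid;
    else li_hi = mid;
  }
  return li_lo;
}

/* Constructed four-link table used by main() below. */
enum { EXAMPLE_NLINKS = 4 };
static const link_t example_links[EXAMPLE_NLINKS] = {
  {    0, 0x1001 },
  { 1000, 0x1002 },
  { 5000, 0x1003 },
  { 9000, 0x1004 },
};

int main(void) {
  /* Page inside link 0 with a correct hint: cur_link+1 is in bounds and read. */
  printf("offset 500, hint 0 -> link %d\n",
         link_from_offset(example_links, EXAMPLE_NLINKS, 0, 500));
  /* Hint is the last link, so cur_link+1 == nlinks and must not be read. */
  printf("offset 4999, hint 3 -> link %d\n",
         link_from_offset(example_links, EXAMPLE_NLINKS, 3, 4999));
  /* Page after the hinted link: upper bound falls back to nlinks. */
  printf("offset 9500, hint 1 -> link %d\n",
         link_from_offset(example_links, EXAMPLE_NLINKS, 1, 9500));
  return 0;
}
```

The case worth exercising under a sanitizer is the last one the hunk protects against: a hint equal to `nlinks-1`, where `cur_link+1 == nlinks` and the conditional must short-circuit before any table read.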

src/opusfile.c

index 972a35f..72f1272 100644
@@ -1835,7 +1835,7 @@ static int op_get_link_from_serialno(const OggOpusFile *_of,int _cur_link,
   nlinks=_of->nlinks;
   li_lo=0;
   /*Start off by guessing we're just a multiplexed page in the current link.*/
-  li_hi=_cur_link+1<nlinks&&_page_offset<links[nlinks+1].offset?
+  li_hi=_cur_link+1<nlinks&&_page_offset<links[_cur_link+1].offset?
    _cur_link+1:nlinks;
   do{
     if(_page_offset>=links[_cur_link].offset)li_lo=_cur_link;
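Review bot: the corrected index `links[_cur_link+1]` is exactly the one the preceding `_cur_link+1<nlinks` test guards, so the read is now in bounds on both branches of the conditional; since the fuzzer already produced an input that reaches this path, please land the reproducer from issue #2326 as a regression test so the multiplexed-page guess in op_get_link_from_serialno stays covered, and a one-line comment noting that `li_hi` may equal `nlinks` as an exclusive upper bound (the `:nlinks` arm) would make the bisection invariant below easier to audit.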