playlist/cue/parser: fix off-by-one buffer overflow

cue_next_word() can return a pointer one past the end of the string if the word is followed by the terminating null byte.

playlist/cue/parser: fix off-by-one buffer overflow
ac46a843 · Max Kellermann · dffd5831 · ac46a843 · ac46a843
Commit ac46a843 authored Oct 05, 2020 by Max Kellermann
Hide whitespace changes
Inline Side-by-side

Showing with 8 additions and 2 deletions

NEWS NEWS +2 -0

CueParser.cxx src/playlist/cue/CueParser.cxx +6 -2

No files found.
--- a/NEWS
+++ b/NEWS
@@ -2,6 +2,8 @@ ver 0.22.1 (not yet released)
 * output
  - alsa: don't deadlock when the ALSA driver is buggy
  - jack, pulse: reduce the delay when stopping or pausing playback
+* playlist
+  - cue: fix crash bug

 ver 0.22 (2020/09/23)
 * protocol

--- a/src/playlist/cue/CueParser.cxx
+++ b/src/playlist/cue/CueParser.cxx
@@ -38,8 +38,12 @@ cue_next_word(char *p, char **pp)
 	while (!IsWhitespaceOrNull(*p))
 		++p;

-	*p = 0;
-	*pp = p + 1;
+	if (*p != 0) {
+		*p = 0;
+		*pp = p + 1;
+	} else
+		*pp = p;
+
 	return word;
 }