Fix out-of-bounds read in serialno matching logic

Timothy B. Terriberry · Timothy B. Terriberry · commit dee76c90f321 · 2017-09-12T15:00:40.000-07:00
We very carefully ensured _cur_link + 1 was in bounds, and then dereferenced nlinks + 1 (guaranteed to be out of bounds) instead. Introduced in commit f83675e. Thanks to the Google Autfuzz project for the report. Fixes #2326
diff --git a/src/opusfile.c b/src/opusfile.c
@@ -1835,7 +1835,7 @@ static int op_get_link_from_serialno(const OggOpusFile *_of,int _cur_link,
   nlinks=_of->nlinks;
   li_lo=0;
   /*Start off by guessing we're just a multiplexed page in the current link.*/
-  li_hi=_cur_link+1<nlinks&&_page_offset<links[nlinks+1].offset?
+  li_hi=_cur_link+1<nlinks&&_page_offset<links[_cur_link+1].offset?
    _cur_link+1:nlinks;
   do{
     if(_page_offset>=links[_cur_link].offset)li_lo=_cur_link;
