From f19ca292e83987b72a75106046260d076b070c6e Mon Sep 17 00:00:00 2001
From: Wim Taymans
Date: Wed, 26 Jun 2019 05:21:37 -0400
Subject: [PATCH] builder: take size of the frame

spa_pod_builder_frame() should return the position in the builder memory or NULL when the frame doesn't fit. Check the size of the frame instead of assuming the frame is already written to the buffer.
---
 spa/include/spa/pod/builder.h | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/spa/include/spa/pod/builder.h b/spa/include/spa/pod/builder.h
index 240c53ca0..fdc260d8c 100644
--- a/spa/include/spa/pod/builder.h
+++ b/spa/include/spa/pod/builder.h
@@ -101,7 +101,9 @@ spa_pod_builder_deref(struct spa_pod_builder *builder, uint32_t offset)
 static inline struct spa_pod *
 spa_pod_builder_frame(struct spa_pod_builder *builder, struct spa_pod_frame *frame)
 {
- return spa_pod_builder_deref(builder, frame->offset);
+ if (frame->offset + SPA_POD_SIZE(&frame->pod) <= builder->size)
+ return SPA_MEMBER(builder->data, frame->offset, struct spa_pod);
+ return NULL;
 }
 static inline void
@@ -162,7 +164,7 @@ static inline void *spa_pod_builder_pop(struct spa_pod_builder *builder, struct
 {
 struct spa_pod *pod;
- if ((pod = (struct spa_pod *) spa_pod_builder_frame(builder, frame)) != NULL)
+ if ((pod = (struct spa_pod*)spa_pod_builder_frame(builder, frame)) != NULL)
 *pod = frame->pod;
 builder->state.frame = frame->parent;
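Review bot: The new bounds check in spa_pod_builder_frame() adds `frame->offset` and `SPA_POD_SIZE(&frame->pod)` before comparing with `builder->size`, so if that sum is evaluated in 32 bits (the operand types are not visible in this hunk) a large pod size can wrap around and pass the check, returning a pointer outside the buffer. Comparing against the remaining space avoids the addition: `if (frame->offset <= builder->size && SPA_POD_SIZE(&frame->pod) <= builder->size - frame->offset)`. A short comment above the function stating that it returns NULL when the frame does not fit, and that callers must check for it as spa_pod_builder_pop() does, would also help.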