Closed schwehr closed 9 years ago
count is used to index into test_sizes[3]. The loop was <= 3, such that test_sizes[3] was past the end of the array.
--- a/src/gsf_dec.c
+++ b/src/gsf_dec.c
@@ -861,7 +861,7 @@ gsfDecodeSwathBathymetryPing(gsfSwathBathyPing *ping, unsigned char *sptr, GSF_F
/* Verification check on the next sub record id and size. */
sr_size = subrecord_size;
count = 0;
- while (((record_size - bytes - sr_size) > 4) && (count <= 3))
+ while (((record_size - bytes - sr_size) > 4) && (count < 3))
{
int test_sizes[3] = {1, 2, 4};
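Review bot: Tightening the bound to `count < 3` removes the out-of-bounds read of `test_sizes[3]` that the issue describes, but the hunk shows neither where `count` is incremented nor what the loop does once all three candidate sizes (1, 2, 4) have been tried without a match. Worth a comment on the `while` line stating that `count` indexes `test_sizes`, and consider deriving the bound from the array so the two cannot drift apart again, e.g. `count < (int)(sizeof(test_sizes) / sizeof(test_sizes[0]))`, with `test_sizes` hoisted above the loop. Also confirm the surrounding size check `(record_size - bytes - sr_size) > 4` still guards the 4-byte read that follows.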
I don't think my prior fix is correct. This might be a better fix. However, it's not clear what is really going on here.
--- a/src/gsf_dec.c
+++ b/src/gsf_dec.c
@@ -863,8 +863,7 @@ gsfDecodeSwathBathymetryPing(gsfSwathBathyPing *ping, unsigned char *sptr, GSF_F
count = 0;
while (((record_size - bytes - sr_size) > 4) && (count <= 3))
{
-
- int test_sizes[3] = {1, 2, 4};
+ int test_sizes[4] = {1, 2, 4, -1};
int test_fs;
memcpy(<emp, (p + sr_size), 4);
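Review bot: This version keeps `count <= 3` and instead grows the array to four entries with a `-1` sentinel, so the read at index 3 is now in bounds but the loop takes one extra pass with `test_sizes[3] == -1`; whether that pass is harmless depends on how `test_fs` is compared against the entry, which is outside the hunk, so either add a comment explaining the sentinel's role or drop it and use `count < 3` as in the earlier patch. The context line still shows `<=`, so this supersedes rather than builds on the first fix; the two should not both land. The `<emp` in the `memcpy` line appears to be a rendering artifact of `&temp`, which is worth verifying against the actual source before applying.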