[crash] Move control-offset check into loop

We checked this once outside the loop, but we need to check it on every iteration in case the interior control offsets are corrupt. @Manishearth: Here's one for the `cargo-fuzz` trophy case! It's working great now. I'll submit a PR with a list of everything I find.
emk · Mar 5, 2017 · 20e4301 · 20e4301
1 parent 5fb20f0
commit 20e4301
Showing 1 changed file with 7 additions and 6 deletions.
diff --git a/vobsub/src/sub.rs b/vobsub/src/sub.rs
@@ -304,12 +304,6 @@ fn subtitle(raw_data: &[u8], base_time: f64) -> Result<Subtitle> {
 
     // Figure out where our control data starts.
     let (_, initial_control_offset) = parse_be_u16_as_usize(&raw_data[2..])?;
-    if initial_control_offset >= raw_data.len() {
-        return Err(format!("control offset is 0x{:x}, but packet is only 0x{:x} \
-                            bytes",
-                           initial_control_offset,
-                           raw_data.len()).into());
-    }
 
     // Declare data we want to collect from our control packets.
     let mut start_time = None;
@@ -324,6 +318,13 @@ fn subtitle(raw_data: &[u8], base_time: f64) -> Result<Subtitle> {
     let mut control_offset = initial_control_offset;
     loop {
         trace!("looking for control sequence at: 0x{:x}", control_offset);
+        if control_offset >= raw_data.len() {
+            return Err(format!("control offset is 0x{:x}, but packet is only 0x{:x} \
+                                bytes",
+                               control_offset,
+                               raw_data.len()).into());
+        }
+
         let control_data = &raw_data[control_offset..];
         match control_sequence(control_data) {
             IResult::Done(_, control) => {