From 2c85013434852540695bfbb74915a023d0e252ab Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nils=20Wallm=C3=A9nius?=
Date: Wed, 21 Dec 2011 15:47:21 +0000
Subject: [PATCH] libtremor: fix memory corruption bug introduced in r30728 that could cause crashes or playback failures for some album art infested files. Closes FS#12448.

git-svn-id: svn://svn.rockbox.org/rockbox/trunk@31393 a1c6a512-1295-4272-9138-f99709370657
---
 apps/codecs/libtremor/vorbisfile.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/apps/codecs/libtremor/vorbisfile.c b/apps/codecs/libtremor/vorbisfile.c
index 44a6d6e78a..271e5a09e3 100644
--- a/apps/codecs/libtremor/vorbisfile.c
+++ b/apps/codecs/libtremor/vorbisfile.c
@@ -144,8 +144,11 @@ static int ogg_stream_discard_packet(OggVorbis_File *vf,ogg_page *og,
 }
 if (ret < 0)
 return -1;
- if (vf->os.body_fill < og->body_len)
- if(_os_body_expand(&vf->os, og->body_len))
+ /* We might be pretending to have filled in more of the buffer than there is
+ actual space, in this case the body storage must be expanded before we
+ start writing to it */
+ if (vf->os.body_fill < og->body_len || vf->os.body_storage < vf->os.body_fill)
+ if(_os_body_expand(&vf->os, vf->os.body_fill - vf->os.body_storage + og->body_len))
 return -1;
 memcpy(vf->os.body_data+vf->os.body_fill-og->body_len, og->body, og->body_len);
 return 1;
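Review bot: The `memcpy` destination `vf->os.body_data+vf->os.body_fill-og->body_len` still points before the start of the buffer whenever `body_fill < og->body_len`, and growing the storage in that branch of the new condition does not change that. `og->body_len` comes from a page read out of the media file, so this state should be rejected rather than expanded around, for example `if (vf->os.body_fill < og->body_len) return -1;` ahead of the copy, leaving `body_storage < body_fill` as the only trigger for `_os_body_expand`. If the earlier page-in code guarantees `body_fill >= body_len` (it is outside this hunk, as is the start of `ogg_stream_discard_packet`), a short comment stating that invariant would make the first half of the condition easier to audit. The unbraced nested `if` would also be clearer with braces, given that the size expression now spans most of the line.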