From 37c73a572eccfb9b1bae363c089e7f6c49f3e75c Mon Sep 17 00:00:00 2001
From: Ozkan Sezer
Date: Wed, 24 May 2017 11:28:05 -0400
Subject: [PATCH] timidity.c: fix potential buffer overrun in RWgets (num_read check was off-by-one.) also simplify the procedure a bit.
---
 decoders/timidity/timidity.c | 22 ++++++++++++----------
 1 file changed, 12 insertions(+), 10 deletions(-)
diff --git a/decoders/timidity/timidity.c b/decoders/timidity/timidity.c
index 0ccd77a..4215a16 100644
--- a/decoders/timidity/timidity.c
+++ b/decoders/timidity/timidity.c
@@ -54,28 +54,30 @@ static char def_instr_name[256] = "";
 static char *RWgets(SDL_RWops *rw, char *s, int size)
 {
 int num_read = 0;
- int newline = 0;
+ char *p = s;
- while (num_read < size && !newline)
+ --size;/* so that we nul terminate properly */
+
+ for (; num_read < size; ++p)
 {
- if (SDL_RWread(rw, &s[num_read], 1, 1) != 1)
+ if (SDL_RWread(rw, p, 1, 1) != 1)
 break;
+ num_read++;
+
 /* Unlike fgets(), don't store newline. Under Windows/DOS we'll
 * probably get an extra blank line for every line that's being
 * read, but that should be ok.
 */
- if (s[num_read] == '\n' || s[num_read] == '\r')
+ if (*p == '\n' || *p == '\r')
 {
- s[num_read] = '\0';
- newline = 1;
+ *p = '\0';
+ return s;
 }
-
- num_read++;
 }
- s[num_read] = '\0';
-
+ *p = '\0';
+
 return (num_read != 0) ? s : NULL;
 }
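Review bot: RWgets still stores the terminator when `size` is 0 or negative: after `--size;` the loop is skipped and `*p = '\0'` writes `s[0]`, which lies outside a zero-length buffer. A guard such as `if (size <= 0) return NULL;` placed before `--size;` would close that case; whether any caller can pass such a size is not visible in this hunk. A short comment above the function would also help, stating that a line longer than `size - 1` bytes comes back in pieces over successive calls and that NULL means nothing was read. That second point matters because with `size == 1` the function returns NULL without the stream having reached its end.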