Bug 1521214 Comment 0 Edit History

Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.

I found that the [cursor of `BufferReader`][cursor] may be set to a wrong position (maybe out of bounds) if `Read()`, `Seek` then `Read()`.

#### Example

Assume a buffer has `10` bytes from address `0` to `10`, and we read `4` bytes (by `ReadU32()`) every time.

1. At first, the cursor to read the buffer is set to `0`, and the remaining length is `10`.
2. After 2 rounds, the cursor will point to `8`.
3. In the 3rd round, the call to `ReadU32()` will fail since there are only `2` bytes left, and the remaining length will be [set to `0`][remaining-zero].
    - The `Offset()` now will be `10` since it's [calculated by *length* - *remaining*][offset], where *length* and *remaining* are `10` and `0` respectively.
    - However, the cursor isn't updated! It's still `8`.
4. When `Seek(0)` is called, the new cursor will be set to `-2`.
    - The new cursor is [calculated by `new cursor = current cursor - current offset + new offset`][seek-cursor], where the *current cursor* is `8`, *current offset* is `10`, and the *new offset* is `0`.
5. If `Read()` is called again, we will read something from `-2`.


[cursor]: https://searchfox.org/mozilla-central/rev/dac799c9f4e9f5f05c1071cba94f2522aa31f7eb/dom/media/BufferReader.h#293
[read]: https://searchfox.org/mozilla-central/rev/dac799c9f4e9f5f05c1071cba94f2522aa31f7eb/dom/media/BufferReader.h#149
[seek]: https://searchfox.org/mozilla-central/rev/dac799c9f4e9f5f05c1071cba94f2522aa31f7eb/dom/media/BufferReader.h#224
[remaining-zero]: https://searchfox.org/mozilla-central/rev/dac799c9f4e9f5f05c1071cba94f2522aa31f7eb/dom/media/BufferReader.h#151
[offset]: https://searchfox.org/mozilla-central/rev/dac799c9f4e9f5f05c1071cba94f2522aa31f7eb/dom/media/BufferReader.h#47
[seek-cursor]: https://searchfox.org/mozilla-central/rev/dac799c9f4e9f5f05c1071cba94f2522aa31f7eb/dom/media/BufferReader.h#231

I found that the [cursor of `BufferReader`][cursor] may be set to a wrong position (maybe out of bounds) if `BufferReader::Seek` is called just after `BufferReader::Read()`.

#### Example

Assume a buffer has `10` bytes from address `0` to `10`, and we read `4` bytes (by `ReadU32()`) every time.

1. At first, the cursor to read the buffer is set to `0`, and the remaining length is `10`.
2. After 2 rounds, the cursor will point to `8`.
3. In the 3rd round, the call to `ReadU32()` will fail since there are only `2` bytes left, and the remaining length will be [set to `0`][remaining-zero].
    - The `Offset()` now will be `10` since it's [calculated by *length* - *remaining*][offset], where *length* and *remaining* are `10` and `0` respectively.
    - However, the cursor isn't updated! It's still `8`.
4. When `Seek(0)` is called, the new cursor will be set to `-2`.
    - The new cursor is [calculated by `new cursor = current cursor - current offset + new offset`][seek-cursor], where the *current cursor* is `8`, *current offset* is `10`, and the *new offset* is `0`.
5. If `Read()` is called again, we will read something from `-2`.


[cursor]: https://searchfox.org/mozilla-central/rev/dac799c9f4e9f5f05c1071cba94f2522aa31f7eb/dom/media/BufferReader.h#293
[read]: https://searchfox.org/mozilla-central/rev/dac799c9f4e9f5f05c1071cba94f2522aa31f7eb/dom/media/BufferReader.h#149
[seek]: https://searchfox.org/mozilla-central/rev/dac799c9f4e9f5f05c1071cba94f2522aa31f7eb/dom/media/BufferReader.h#224
[remaining-zero]: https://searchfox.org/mozilla-central/rev/dac799c9f4e9f5f05c1071cba94f2522aa31f7eb/dom/media/BufferReader.h#151
[offset]: https://searchfox.org/mozilla-central/rev/dac799c9f4e9f5f05c1071cba94f2522aa31f7eb/dom/media/BufferReader.h#47
[seek-cursor]: https://searchfox.org/mozilla-central/rev/dac799c9f4e9f5f05c1071cba94f2522aa31f7eb/dom/media/BufferReader.h#231

I found that the [cursor of `BufferReader`][cursor] may be set to a wrong position (maybe out of bounds) if `BufferReader::Seek()` is called just after `BufferReader::Read()`.

#### Example

Assume a buffer has `10` bytes from address `0` to `10`, and we read `4` bytes (by `ReadU32()`) every time.

1. At first, the cursor to read the buffer is set to `0`, and the remaining length is `10`.
2. After 2 rounds, the cursor will point to `8`.
3. In the 3rd round, the call to `ReadU32()` will fail since there are only `2` bytes left, and the remaining length will be [set to `0`][remaining-zero].
    - The `Offset()` now will be `10` since it's [calculated by *length* - *remaining*][offset], where *length* and *remaining* are `10` and `0` respectively.
    - However, the cursor isn't updated! It's still `8`.
4. When `Seek(0)` is called, the new cursor will be set to `-2`.
    - The new cursor is [calculated by `new cursor = current cursor - current offset + new offset`][seek-cursor], where the *current cursor* is `8`, *current offset* is `10`, and the *new offset* is `0`.
5. If `Read()` is called again, we will read something from `-2`.


[cursor]: https://searchfox.org/mozilla-central/rev/dac799c9f4e9f5f05c1071cba94f2522aa31f7eb/dom/media/BufferReader.h#293
[read]: https://searchfox.org/mozilla-central/rev/dac799c9f4e9f5f05c1071cba94f2522aa31f7eb/dom/media/BufferReader.h#149
[seek]: https://searchfox.org/mozilla-central/rev/dac799c9f4e9f5f05c1071cba94f2522aa31f7eb/dom/media/BufferReader.h#224
[remaining-zero]: https://searchfox.org/mozilla-central/rev/dac799c9f4e9f5f05c1071cba94f2522aa31f7eb/dom/media/BufferReader.h#151
[offset]: https://searchfox.org/mozilla-central/rev/dac799c9f4e9f5f05c1071cba94f2522aa31f7eb/dom/media/BufferReader.h#47
[seek-cursor]: https://searchfox.org/mozilla-central/rev/dac799c9f4e9f5f05c1071cba94f2522aa31f7eb/dom/media/BufferReader.h#231
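
The five steps above, replayed on a simplified model (an added example, not part of the original comment and not Mozilla's `BufferReader` code). `ModelReader`, the `fixCursorOnFailure` switch and the bounds check in `Seek` are assumptions made for illustration; the switch shows one possible hardening, not necessarily the fix that landed.

```cpp
#include <cstddef>
#include <cstdio>

// Simplified model of the reader state described in the comment. The cursor is
// an index relative to the buffer start, so the bad value can be inspected
// without dereferencing anything.
struct ModelReader {
  std::ptrdiff_t cursor = 0;  // where the next read would start
  std::size_t remaining;      // bytes left to read
  std::size_t length;         // total buffer size
  bool fixCursorOnFailure;    // hypothetical hardening switch

  ModelReader(std::size_t len, bool fix)
      : remaining(len), length(len), fixCursorOnFailure(fix) {}

  std::size_t Offset() const { return length - remaining; }

  // Returns false when fewer than n bytes are left.
  bool Read(std::size_t n) {
    if (remaining < n) {
      // Hardened variant: move the cursor to the end together with the offset.
      if (fixCursorOnFailure) cursor += static_cast<std::ptrdiff_t>(remaining);
      remaining = 0;  // Offset() now reports `length`
      return false;
    }
    cursor += static_cast<std::ptrdiff_t>(n);
    remaining -= n;
    return true;
  }

  // new cursor = current cursor - current offset + new offset
  bool Seek(std::size_t off) {
    if (off > length) return false;
    cursor = cursor - static_cast<std::ptrdiff_t>(Offset()) +
             static_cast<std::ptrdiff_t>(off);
    remaining = length - off;
    return true;
  }
};

// Replays the steps: 10-byte buffer, three 4-byte reads, then Seek(0).
std::ptrdiff_t CursorAfterFailedReadThenSeek(bool fix) {
  ModelReader r(10, fix);
  r.Read(4);
  r.Read(4);
  r.Read(4);  // fails with 2 bytes left
  r.Seek(0);
  return r.cursor;
}

int main() {
  std::printf("as described: %td, hardened: %td\n",
              CursorAfterFailedReadThenSeek(false),
              CursorAfterFailedReadThenSeek(true));
  return 0;
}
```
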
