I found that the [cursor of `BufferReader`][cursor] may be set to a wrong position (maybe out of bounds) if `Read()`, `Seek` then `Read()`.

#### Example

Assume a buffer has `10` bytes from address `0` to `10`, and we read `4` bytes (by `ReadU32()`) every time.

1. At first, the cursor to read the buffer is set to `0`, and the remaining length is `10`.
2. After 2 rounds, the cursor will point to `8`.
3. At the 3rd round, the call `ReadU32()` will fail since there are only `2` bytes left and the remaining length will be [set to `0`][remaining-zero].
    - The `Offset()` now will be `10` since it's [calculated by *length* - *remaining*][offset], where *length* and *remaining* are `10` and `0` respectively.
    - However, the cursor isn't updated! It's still `8`.
4. When `Seek(0)` is called, the new cursor will be set to `-2`
    - the new cursor is [calculated by `new cursor = current cursor - current offset + new offset`][seek-cursor], where the *current cursor* is `8`, *current offset* is `10`, and the *new offset* is `0`.
5. If `Read()` is called again, we will read something from `-2`

[cursor]: https://searchfox.org/mozilla-central/rev/dac799c9f4e9f5f05c1071cba94f2522aa31f7eb/dom/media/BufferReader.h#293
[read]: https://searchfox.org/mozilla-central/rev/dac799c9f4e9f5f05c1071cba94f2522aa31f7eb/dom/media/BufferReader.h#149
[seek]: https://searchfox.org/mozilla-central/rev/dac799c9f4e9f5f05c1071cba94f2522aa31f7eb/dom/media/BufferReader.h#224
[remaining-zero]: https://searchfox.org/mozilla-central/rev/dac799c9f4e9f5f05c1071cba94f2522aa31f7eb/dom/media/BufferReader.h#151
[offset]: https://searchfox.org/mozilla-central/rev/dac799c9f4e9f5f05c1071cba94f2522aa31f7eb/dom/media/BufferReader.h#47
[seek-cursor]: https://searchfox.org/mozilla-central/rev/dac799c9f4e9f5f05c1071cba94f2522aa31f7eb/dom/media/BufferReader.h#231

Bug 1521214 Comment 0 Edit History

I found that the [cursor of `BufferReader`][cursor] may be set to a wrong position (maybe out of bounds) if `BufferReader::Seek` is called just after `BufferReader::Read()`.

#### Example

Assume a buffer has `10` bytes from address `0` to `10`, and we read `4` bytes (by `ReadU32()`) every time.

1. At first, the cursor to read the buffer is set to `0`, and the remaining length is `10`.
2. After 2 rounds, the cursor will point to `8`.
3. At the 3rd round, the call `ReadU32()` will fail since there are only `2` bytes left and the remaining length will be [set to `0`][remaining-zero].
    - The `Offset()` now will be `10` since it's [calculated by *length* - *remaining*][offset], where *length* and *remaining* are `10` and `0` respectively.
    - However, the cursor isn't updated! It's still `8`.
4. When `Seek(0)` is called, the new cursor will be set to `-2`
    - the new cursor is [calculated by `new cursor = current cursor - current offset + new offset`][seek-cursor], where the *current cursor* is `8`, *current offset* is `10`, and the *new offset* is `0`.
5. If `Read()` is called again, we will read something from `-2`

[cursor]: https://searchfox.org/mozilla-central/rev/dac799c9f4e9f5f05c1071cba94f2522aa31f7eb/dom/media/BufferReader.h#293
[read]: https://searchfox.org/mozilla-central/rev/dac799c9f4e9f5f05c1071cba94f2522aa31f7eb/dom/media/BufferReader.h#149
[seek]: https://searchfox.org/mozilla-central/rev/dac799c9f4e9f5f05c1071cba94f2522aa31f7eb/dom/media/BufferReader.h#224
[remaining-zero]: https://searchfox.org/mozilla-central/rev/dac799c9f4e9f5f05c1071cba94f2522aa31f7eb/dom/media/BufferReader.h#151
[offset]: https://searchfox.org/mozilla-central/rev/dac799c9f4e9f5f05c1071cba94f2522aa31f7eb/dom/media/BufferReader.h#47
[seek-cursor]: https://searchfox.org/mozilla-central/rev/dac799c9f4e9f5f05c1071cba94f2522aa31f7eb/dom/media/BufferReader.h#231

I found that the [cursor of `BufferReader`][cursor] may be set to a wrong position (maybe out of bounds) if `BufferReader::Seek()` is called just after `BufferReader::Read()`.

#### Example

Assume a buffer has `10` bytes from address `0` to `10`, and we read `4` bytes (by `ReadU32()`) every time.

1. At first, the cursor to read the buffer is set to `0`, and the remaining length is `10`.
2. After 2 rounds, the cursor will point to `8`.
3. At the 3rd round, the call `ReadU32()` will fail since there are only `2` bytes left and the remaining length will be [set to `0`][remaining-zero].
    - The `Offset()` now will be `10` since it's [calculated by *length* - *remaining*][offset], where *length* and *remaining* are `10` and `0` respectively.
    - However, the cursor isn't updated! It's still `8`.
4. When `Seek(0)` is called, the new cursor will be set to `-2`
    - the new cursor is [calculated by `new cursor = current cursor - current offset + new offset`][seek-cursor], where the *current cursor* is `8`, *current offset* is `10`, and the *new offset* is `0`.
5. If `Read()` is called again, we will read something from `-2`

[cursor]: https://searchfox.org/mozilla-central/rev/dac799c9f4e9f5f05c1071cba94f2522aa31f7eb/dom/media/BufferReader.h#293
[read]: https://searchfox.org/mozilla-central/rev/dac799c9f4e9f5f05c1071cba94f2522aa31f7eb/dom/media/BufferReader.h#149
[seek]: https://searchfox.org/mozilla-central/rev/dac799c9f4e9f5f05c1071cba94f2522aa31f7eb/dom/media/BufferReader.h#224
[remaining-zero]: https://searchfox.org/mozilla-central/rev/dac799c9f4e9f5f05c1071cba94f2522aa31f7eb/dom/media/BufferReader.h#151
[offset]: https://searchfox.org/mozilla-central/rev/dac799c9f4e9f5f05c1071cba94f2522aa31f7eb/dom/media/BufferReader.h#47
[seek-cursor]: https://searchfox.org/mozilla-central/rev/dac799c9f4e9f5f05c1071cba94f2522aa31f7eb/dom/media/BufferReader.h#231
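
The sequence in the comment's example, replayed on a simplified model; this is an added example, not part of the original comment and not Mozilla's `BufferReader` code. `ModelReader`, the `syncOnFailure` switch, the bounds check in `Seek()` and its `remaining` update are assumptions made for illustration, and the correction shown is one possible way to keep the cursor and `Offset()` consistent, not the project's patch.

```cpp
#include <cstddef>
#include <cstdio>

// Simplified model of the reader described in the comment (not Mozilla's code).
// The cursor is an index instead of a pointer, so nothing is read out of bounds.
struct ModelReader {
  std::ptrdiff_t cursor = 0;  // models the read pointer
  std::size_t remaining;      // bytes left to read
  std::size_t length;         // total buffer size
  bool syncOnFailure;         // hypothetical switch: the assumed correction
  ModelReader(std::size_t len, bool sync) : remaining(len), length(len), syncOnFailure(sync) {}

  std::size_t Offset() const { return length - remaining; }

  bool Read(std::size_t n) {
    if (remaining < n) {
      // Assumed correction: move the cursor to the end together with remaining.
      if (syncOnFailure) cursor += static_cast<std::ptrdiff_t>(remaining);
      remaining = 0;  // the behaviour the comment describes
      return false;
    }
    cursor += static_cast<std::ptrdiff_t>(n);
    remaining -= n;
    return true;
  }

  bool Seek(std::size_t off) {
    if (off > length) return false;  // assumed bounds check
    // new cursor = current cursor - current offset + new offset
    cursor = cursor - static_cast<std::ptrdiff_t>(Offset()) +
             static_cast<std::ptrdiff_t>(off);
    remaining = length - off;  // assumed bookkeeping
    return true;
  }
};

// Replays the comment's sequence: three 4-byte reads on 10 bytes, then Seek(0).
std::ptrdiff_t CursorAfterFailedReadThenSeek(bool syncOnFailure) {
  ModelReader r(10, syncOnFailure);
  r.Read(4); r.Read(4);  // cursor 8, remaining 2
  r.Read(4);             // fails: remaining becomes 0
  r.Seek(0);
  return r.cursor;
}

int main() {
  std::printf("%td %td\n", CursorAfterFailedReadThenSeek(false), CursorAfterFailedReadThenSeek(true));
}
```

With the switch off, the model reproduces the `-2` cursor from step 4; with it on, the failed read leaves the cursor at `10`, matching `Offset()`, and `Seek(0)` returns it to `0`.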