From 15a1973e2862832c99062f7d660f07ee3c795d05 Mon Sep 17 00:00:00 2001
From: Max Kellermann <max.kellermann@gmail.com>
Date: Tue, 17 Jan 2023 17:38:19 +0100
Subject: [PATCH] decoder/mad: fix integer underflow with very small files

When drop_start_samples and drop_end_samples overlap and are greater
than the actual number of samples, the `num_samples` calculation in
SubmitPCM() could underflow.

Closes https://github.com/MusicPlayerDaemon/MPD/issues/1712
---
 NEWS                                     | 2 ++
 src/decoder/plugins/MadDecoderPlugin.cxx | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/NEWS b/NEWS
index f940f5988..ec219f9f5 100644
--- a/NEWS
+++ b/NEWS
@@ -1,6 +1,8 @@
 ver 0.23.12 (not yet released)
 * input
   - curl: require CURL 7.55.0 or later
+* decoder
+  - mad: fix integer underflow with very small files
 * tags
   - fix crash bug due to race condition
 * output
diff --git a/src/decoder/plugins/MadDecoderPlugin.cxx b/src/decoder/plugins/MadDecoderPlugin.cxx
index b76a93a29..2fede13d4 100644
--- a/src/decoder/plugins/MadDecoderPlugin.cxx
+++ b/src/decoder/plugins/MadDecoderPlugin.cxx
@@ -843,7 +843,7 @@ MadDecoder::SynthAndSubmit() noexcept
 	size_t pcm_length = synth.pcm.length;
 	if (drop_end_samples &&
 	    current_frame == max_frames - drop_end_frames - 1) {
-		if (drop_end_samples >= pcm_length)
+		if (i + drop_end_samples >= pcm_length)
 			return DecoderCommand::STOP;
 
 		pcm_length -= drop_end_samples;