From ac46a84391468dc886983955850060736404ee14 Mon Sep 17 00:00:00 2001
From: Max Kellermann <max@musicpd.org>
Date: Mon, 5 Oct 2020 20:10:26 +0200
Subject: [PATCH] playlist/cue/parser: fix off-by-one buffer overflow

cue_next_word() can return a pointer one past the end of the string if
the word is followed by the terminating null byte.
---
 NEWS                           | 2 ++
 src/playlist/cue/CueParser.cxx | 8 ++++++--
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/NEWS b/NEWS
index a8d8e763c..4dc6b4e06 100644
--- a/NEWS
+++ b/NEWS
@@ -2,6 +2,8 @@ ver 0.22.1 (not yet released)
 * output
   - alsa: don't deadlock when the ALSA driver is buggy
   - jack, pulse: reduce the delay when stopping or pausing playback
+* playlist
+  - cue: fix crash bug
 
 ver 0.22 (2020/09/23)
 * protocol
diff --git a/src/playlist/cue/CueParser.cxx b/src/playlist/cue/CueParser.cxx
index a402508e2..e5bd59af4 100644
--- a/src/playlist/cue/CueParser.cxx
+++ b/src/playlist/cue/CueParser.cxx
@@ -38,8 +38,12 @@ cue_next_word(char *p, char **pp)
 	while (!IsWhitespaceOrNull(*p))
 		++p;
 
-	*p = 0;
-	*pp = p + 1;
+	if (*p != 0) {
+		*p = 0;
+		*pp = p + 1;
+	} else
+		*pp = p;
+
 	return word;
 }