From 848f8c316e3bfd1210f44d26a26780b09b496083 Mon Sep 17 00:00:00 2001
From: Tsuda Kageyu <tsuda.kageyu@gmail.com>
Date: Tue, 21 May 2013 05:36:01 +0900
Subject: [PATCH] Changed behavior of ByteVector::toNumber() when overrun

---
 taglib/toolkit/tbytevector.cpp | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/taglib/toolkit/tbytevector.cpp b/taglib/toolkit/tbytevector.cpp
index b3c8897f..84d3f004 100644
--- a/taglib/toolkit/tbytevector.cpp
+++ b/taglib/toolkit/tbytevector.cpp
@@ -299,10 +299,8 @@ ulonglong byteSwap<ulonglong>(ulonglong x)
 template <class T>
 T toNumber(const ByteVector &v, size_t offset, bool mostSignificantByteFirst)
 {
-  if(offset + sizeof(T) > v.size()) {
-    debug("toNumber<T>() -- offset is out of range. Returning 0.");
-    return 0;
-  }
+  if(offset + sizeof(T) > v.size()) 
+    return toNumber<T>(v, offset, v.size() - offset, mostSignificantByteFirst);
 
   // Uses memcpy instead of reinterpret_cast to avoid an alignment exception.
   T tmp;
@@ -322,11 +320,13 @@ T toNumber(const ByteVector &v, size_t offset, bool mostSignificantByteFirst)
 template <class T>
 T toNumber(const ByteVector &v, size_t offset, size_t length, bool mostSignificantByteFirst)
 {
-  if(offset + length > v.size()) {
-    debug("toNumber<T>() -- offset and/or length is out of range. Returning 0.");
+  if(offset >= v.size()) {
+    debug("toNumber<T>() -- No data to convert. Returning 0.");
     return 0;
   }
 
+  length = std::min(length, v.size() - offset);
+
   T sum = 0;
   for(size_t i = 0; i < length; i++) {
     const size_t shift = (mostSignificantByteFirst ? length - 1 - i : i) * 8;