From 2c7551c2bdbeee73e579f7f2f07aafd14fa6cf28 Mon Sep 17 00:00:00 2001
From: Jim Dishaw <jim@dishaw.org>
Date: Wed, 17 Jun 2015 10:43:34 -0400
Subject: [PATCH 3/3] Corrects an off by 1 error in plbuf.c identified by Greg
 Jung

- In wr_command() and wr_data() the check_buffer_size() was called with
  size of the data being written without considering the two-byte alignment
  padding.
- On odd data sizes (e.g. 1 byte), the size passed to check_buffer_size()
  would be one byte smaller than what is required to maintain alignment.
- This could result in unpredictable memory access boundary errors.
---
 src/plbuf.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/plbuf.c b/src/plbuf.c
index fd0f0c3..dcd2e2f 100644
--- a/src/plbuf.c
+++ b/src/plbuf.c
@@ -1643,7 +1643,7 @@ check_buffer_size( PLStream *pls, size_t data_size )
 static void
 wr_command( PLStream *pls, U_CHAR c )
 {
-    check_buffer_size( pls, sizeof ( U_CHAR ) );
+    check_buffer_size( pls, sizeof ( uint16_t ) );
 
     *(U_CHAR *) ( (uint8_t *) pls->plbuf_buffer + pls->plbuf_top ) = c;
 
@@ -1662,7 +1662,7 @@ wr_command( PLStream *pls, U_CHAR c )
 static void
 wr_data( PLStream *pls, void *buf, size_t buf_size )
 {
-    check_buffer_size( pls, buf_size );
+    check_buffer_size( pls, buf_size + ( buf_size % sizeof ( uint16_t ) ) );
     memcpy( (uint8_t *) pls->plbuf_buffer + pls->plbuf_top, buf, buf_size );
 
     // Advance position but maintain alignment
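Review bot: The padding term `buf_size % sizeof ( uint16_t )` in the new check_buffer_size() call in wr_data() gives the correct pad only because the alignment is two bytes; for any wider alignment the remainder is not the number of bytes needed to round up. Nothing in the hunk ties this reservation to the rounding applied when plbuf_top is advanced, and that advance code lies past the end of the hunk, so their agreement cannot be confirmed from here. If the two ever diverge, the memcpy or a later write can land beyond what was reserved, which is the class of error this patch fixes. I would compute the padded size once, reuse it for both the reservation and the advance, and document the coupling with a comment such as `// Reserve buf_size rounded up to a uint16_t boundary; must match the plbuf_top advance below`.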
-- 
2.3.2 (Apple Git-55)

