
[FFmpeg-devel,3/3] avformat/s337m: fix potentially undefined pointer arithmetic

Message ID 20170724122706.3368-3-foobaz86@gmail.com
State Accepted
Commit 6029b8a6bbc8bbf7799108582e71078ec0bde1cf

Commit Message

foo86 July 24, 2017, 12:27 p.m. UTC
Use integer position instead of pointer for loop variable. Also only
skip header fields after header has been fully validated.
---
 libavformat/s337m.c | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

Comments

foo86 July 26, 2017, 8:19 p.m. UTC | #1
On Mon, Jul 24, 2017 at 03:27:06PM +0300, foo86 wrote:
> 
> Use integer position instead of pointer for loop variable. Also only
> skip header fields after header has been fully validated.
> ---
>  libavformat/s337m.c | 20 ++++++++++----------
>  1 file changed, 10 insertions(+), 10 deletions(-)

Patchset pushed.

Patch

diff --git a/libavformat/s337m.c b/libavformat/s337m.c
index 1f4ba5edaf..2e85d487b5 100644
--- a/libavformat/s337m.c
+++ b/libavformat/s337m.c
@@ -86,22 +86,21 @@  static int s337m_probe(AVProbeData *p)
 {
     uint64_t state = 0;
     int markers[3] = { 0 };
-    int i, sum, max, data_type, data_size, offset;
+    int i, pos, sum, max, data_type, data_size, offset;
     uint8_t *buf;
 
-    for (buf = p->buf; buf < p->buf + p->buf_size; buf++) {
-        state = (state << 8) | *buf;
+    for (pos = 0; pos < p->buf_size; pos++) {
+        state = (state << 8) | p->buf[pos];
         if (!IS_LE_MARKER(state))
             continue;
 
+        buf = p->buf + pos + 1;
         if (IS_16LE_MARKER(state)) {
-            data_type = AV_RL16(buf + 1);
-            data_size = AV_RL16(buf + 3);
-            buf += 4;
+            data_type = AV_RL16(buf    );
+            data_size = AV_RL16(buf + 2);
         } else {
-            data_type = AV_RL24(buf + 1);
-            data_size = AV_RL24(buf + 4);
-            buf += 6;
+            data_type = AV_RL24(buf    );
+            data_size = AV_RL24(buf + 3);
         }
 
         if (s337m_get_offset_and_codec(NULL, state, data_type, data_size, &offset, NULL))
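Review bot: The header reads that follow `buf = p->buf + pos + 1` are not checked against `p->buf_size`, so when a marker ends in the last bytes of the probe data, `AV_RL16(buf + 2)` or `AV_RL24(buf + 3)` reads up to 6 bytes past it. That is presumably safe only because probe buffers carry `AVPROBE_PADDING_SIZE` zeroed bytes, so the dependency deserves a comment such as `/* header fields may lie in the AVPROBE_PADDING_SIZE padding */`, or an explicit guard `if (p->buf_size - pos - 1 < (IS_16LE_MARKER(state) ? 4 : 6)) break;` before the reads. In the second hunk, `pos += offset` adds a value derived from the file-supplied `data_size`. It is worth confirming that `s337m_get_offset_and_codec` (not visible here) keeps `offset` non-negative and small enough that the `int` addition cannot overflow. The body of `s337m_probe` continues outside both hunks.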
@@ -110,7 +109,8 @@  static int s337m_probe(AVProbeData *p)
         i = IS_16LE_MARKER(state) ? 0 : IS_20LE_MARKER(state) ? 1 : 2;
         markers[i]++;
 
-        buf  += offset;
+        pos  += IS_16LE_MARKER(state) ? 4 : 6;
+        pos  += offset;
         state = 0;
     }