From patchwork Mon Jul 24 12:27:06 2017
X-Patchwork-Submitter: foo86
X-Patchwork-Id: 4432
From: foo86
To: ffmpeg-devel@ffmpeg.org
Date: Mon, 24 Jul 2017 15:27:06 +0300
Message-Id: <20170724122706.3368-3-foobaz86@gmail.com>
In-Reply-To: <20170724122706.3368-1-foobaz86@gmail.com>
References: <20170724122706.3368-1-foobaz86@gmail.com>
Subject: [FFmpeg-devel] [PATCH 3/3] avformat/s337m: fix potentially undefined pointer arithmetic

Use integer position instead of pointer for loop variable. Also only skip header fields after header has been fully validated.
--- libavformat/s337m.c | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/libavformat/s337m.c b/libavformat/s337m.c index 1f4ba5edaf..2e85d487b5 100644 --- a/libavformat/s337m.c +++ b/libavformat/s337m.c 
@@ -86,22 +86,21 @@ static int s337m_probe(AVProbeData *p) { uint64_t state = 0; int markers[3] = { 0 }; - int i, sum, max, data_type, data_size, offset; + int i, pos, sum, max, data_type, data_size, offset; uint8_t *buf; - for (buf = p->buf; buf < p->buf + p->buf_size; buf++) { - state = (state << 8) | *buf; + for (pos = 0; pos < p->buf_size; pos++) { + state = (state << 8) | p->buf[pos]; if (!IS_LE_MARKER(state)) continue; + buf = p->buf + pos + 1; if (IS_16LE_MARKER(state)) { - data_type = AV_RL16(buf + 1); - data_size = AV_RL16(buf + 3); - buf += 4; + data_type = AV_RL16(buf ); + data_size = AV_RL16(buf + 2); } else { - data_type = AV_RL24(buf + 1); - data_size = AV_RL24(buf + 4); - buf += 6; + data_type = AV_RL24(buf ); + data_size = AV_RL24(buf + 3); } if (s337m_get_offset_and_codec(NULL, state, data_type, data_size, &offset, NULL)) @@ -110,7 +109,8 @@ static int s337m_probe(AVProbeData *p) i = IS_16LE_MARKER(state) ? 0 : IS_20LE_MARKER(state) ? 1 : 2; markers[i]++; - buf += offset; + pos += IS_16LE_MARKER(state) ? 4 : 6; + pos += offset; state = 0; }
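Review bot: In the first hunk, the header reads through `buf = p->buf + pos + 1` (`AV_RL16(buf + 2)`, `AV_RL24(buf + 3)`) touch up to six bytes past `pos`, and nothing in the hunk bounds them against `p->buf_size`, so a marker in the last bytes of the buffer is parsed from whatever follows it. If this relies on trailing padding of the probe buffer, a comment should say so; otherwise skip the marker when `p->buf_size - pos` is smaller than the header. Since `buf` is no longer the loop variable, it could also be declared as `const uint8_t *` inside the loop body.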
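Review bot: In the second hunk, `pos += IS_16LE_MARKER(state) ? 4 : 6;` repeats the header length that the 16-bit/24-bit branch of the first hunk already encodes through its read offsets, so the two can drift apart; setting a local header size in that branch and adding it here would keep the knowledge in one place. `pos += offset` is also unchecked: both are `int` and `offset` is produced from the stream-supplied `data_size`, so a check or comment stating that `offset` is non-negative and cannot overflow `pos` would make the loop's termination explicit.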