author | foo86 <foobaz86@gmail.com> | 2017-07-22 17:27:28 +0300 |
---|---|---|
committer | foo86 <foobaz86@gmail.com> | 2017-07-26 21:23:07 +0300 |
commit | 6029b8a6bbc8bbf7799108582e71078ec0bde1cf (patch) | |
tree | ddfdb2949ce8627b49bce5ffabaabe82bbb02b37 | |
parent | 5e715b583dab85735660b15a8d217a69164675fe (diff) | |
download | ffmpeg-6029b8a6bbc8bbf7799108582e71078ec0bde1cf.tar.gz |
avformat/s337m: fix potentially undefined pointer arithmetic
Use integer position instead of pointer for loop variable. Also only
skip header fields after header has been fully validated.
-rw-r--r-- | libavformat/s337m.c | 20 |
1 files changed, 10 insertions, 10 deletions
diff --git a/libavformat/s337m.c b/libavformat/s337m.c
index 1f4ba5edaf..2e85d487b5 100644
--- a/libavformat/s337m.c
+++ b/libavformat/s337m.c
@@ -86,22 +86,21 @@ static int s337m_probe(AVProbeData *p)
 {
 uint64_t state = 0;
 int markers[3] = { 0 };
- int i, sum, max, data_type, data_size, offset;
+ int i, pos, sum, max, data_type, data_size, offset;
 uint8_t *buf;
- for (buf = p->buf; buf < p->buf + p->buf_size; buf++) {
- state = (state << 8) | *buf;
+ for (pos = 0; pos < p->buf_size; pos++) {
+ state = (state << 8) | p->buf[pos];
 if (!IS_LE_MARKER(state))
 continue;
+ buf = p->buf + pos + 1;
 if (IS_16LE_MARKER(state)) {
- data_type = AV_RL16(buf + 1);
- data_size = AV_RL16(buf + 3);
- buf += 4;
+ data_type = AV_RL16(buf );
+ data_size = AV_RL16(buf + 2);
 } else {
- data_type = AV_RL24(buf + 1);
- data_size = AV_RL24(buf + 4);
- buf += 6;
+ data_type = AV_RL24(buf );
+ data_size = AV_RL24(buf + 3);
 }
 if (s337m_get_offset_and_codec(NULL, state, data_type, data_size, &offset, NULL))
@@ -110,7 +109,8 @@ static int s337m_probe(AVProbeData *p)
 i = IS_16LE_MARKER(state) ? 0 : IS_20LE_MARKER(state) ? 1 : 2;
 markers[i]++;
- buf += offset;
+ pos += IS_16LE_MARKER(state) ? 4 : 6;
+ pos += offset;
 state = 0;
 } |
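Review bot: In the first hunk the header fields are still read from `buf` (up to `buf + 5` in the 24-bit branch) without checking that those bytes lie inside `p->buf_size`, so a marker found in the last few bytes of the probe data is parsed from whatever follows it. That is memory-safe only if the caller pads the probe buffer, as libavformat normally does with AVPROBE_PADDING_SIZE; the guarantee is not visible in this hunk. Either state the reliance in a comment, e.g. `/* header reads may extend into the probe buffer padding */`, or stop early with `if (p->buf_size - pos - 1 < (IS_16LE_MARKER(state) ? 4 : 6)) break;` before `buf` is set. The body of s337m_probe continues outside the hunk.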
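Review bot: The skip length `IS_16LE_MARKER(state) ? 4 : 6` in the second hunk restates what the if/else in the first hunk already decided, so the field offsets read there and the bytes skipped here can drift apart in a later edit. Setting a new local in those branches (for example `hdr_size = 4;` and `hdr_size = 6;`) and writing `pos += hdr_size + offset;` would keep the two together. `offset` is produced by s337m_get_offset_and_codec(), whose body is not visible here; if its result is bounded, a short comment such as `/* offset is bounded, so pos cannot overflow */` would document why the signed addition is safe. The loop body starts outside this hunk.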