[FFmpeg-cvslog] avformat/s337m: fix potentially undefined pointer arithmetic
foo86
git at videolan.org
Wed Jul 26 23:17:38 EEST 2017
ffmpeg | branch: master | foo86 <foobaz86 at gmail.com> | Sat Jul 22 17:27:28 2017 +0300| [6029b8a6bbc8bbf7799108582e71078ec0bde1cf] | committer: foo86
avformat/s337m: fix potentially undefined pointer arithmetic
Use integer position instead of pointer for loop variable. Also only
skip header fields after header has been fully validated.
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=6029b8a6bbc8bbf7799108582e71078ec0bde1cf
---
libavformat/s337m.c | 20 ++++++++++----------
1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/libavformat/s337m.c b/libavformat/s337m.c
index 1f4ba5edaf..2e85d487b5 100644
--- a/libavformat/s337m.c
+++ b/libavformat/s337m.c
@@ -86,22 +86,21 @@ static int s337m_probe(AVProbeData *p)
{
uint64_t state = 0;
int markers[3] = { 0 };
- int i, sum, max, data_type, data_size, offset;
+ int i, pos, sum, max, data_type, data_size, offset;
uint8_t *buf;
- for (buf = p->buf; buf < p->buf + p->buf_size; buf++) {
- state = (state << 8) | *buf;
+ for (pos = 0; pos < p->buf_size; pos++) {
+ state = (state << 8) | p->buf[pos];
if (!IS_LE_MARKER(state))
continue;
+ buf = p->buf + pos + 1;
if (IS_16LE_MARKER(state)) {
- data_type = AV_RL16(buf + 1);
- data_size = AV_RL16(buf + 3);
- buf += 4;
+ data_type = AV_RL16(buf );
+ data_size = AV_RL16(buf + 2);
} else {
- data_type = AV_RL24(buf + 1);
- data_size = AV_RL24(buf + 4);
- buf += 6;
+ data_type = AV_RL24(buf );
+ data_size = AV_RL24(buf + 3);
}
if (s337m_get_offset_and_codec(NULL, state, data_type, data_size, &offset, NULL))
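Review bot: The header reads after `buf = p->buf + pos + 1;` are not bounded by `p->buf_size`: when a marker ends within the last 4 bytes (16-bit) or 6 bytes (20/24-bit) of the probe data, `AV_RL16(buf + 2)` and `AV_RL24(buf + 3)` read beyond `buf_size`. That presumably stays inside the zeroed AVPROBE_PADDING_SIZE tail that probe buffers are expected to carry, but `data_type` and `data_size` are then assembled partly from padding rather than from the file. Either stop before parsing, e.g. `if (p->buf_size - pos <= (IS_16LE_MARKER(state) ? 4 : 6)) break;`, or add a comment stating that these reads rely on the padding. The body of s337m_probe continues outside this hunk.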
@@ -110,7 +109,8 @@ static int s337m_probe(AVProbeData *p)
i = IS_16LE_MARKER(state) ? 0 : IS_20LE_MARKER(state) ? 1 : 2;
markers[i]++;
- buf += offset;
+ pos += IS_16LE_MARKER(state) ? 4 : 6;
+ pos += offset;
state = 0;
}
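Review bot: The literals `4` and `6` in `pos += IS_16LE_MARKER(state) ? 4 : 6;` restate the header sizes implied by the `AV_RL16`/`AV_RL24` reads earlier in the loop, so the two places can drift apart silently. A comment above the two additions, such as `/* skip data_type + data_size (2x16 or 2x24 bit), then the burst payload */`, would tie them together. Separately, `offset` is derived from the stream-controlled `data_size` by s337m_get_offset_and_codec(), which is not visible here; it is presumably bounded well below INT_MAX, but that is worth confirming because `pos` is a signed int. The loop this hunk belongs to starts outside it.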