From 6029b8a6bbc8bbf7799108582e71078ec0bde1cf Mon Sep 17 00:00:00 2001
From: foo86
Date: Sat, 22 Jul 2017 17:27:28 +0300
Subject: [PATCH] avformat/s337m: fix potentially undefined pointer arithmetic

Use integer position instead of pointer for loop variable. Also only skip header fields after header has been fully validated.
---
 libavformat/s337m.c | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/libavformat/s337m.c b/libavformat/s337m.c
index 1f4ba5edaf..2e85d487b5 100644
--- a/libavformat/s337m.c
+++ b/libavformat/s337m.c
@@ -86,22 +86,21 @@ static int s337m_probe(AVProbeData *p)
 {
 uint64_t state = 0;
 int markers[3] = { 0 };
- int i, sum, max, data_type, data_size, offset;
+ int i, pos, sum, max, data_type, data_size, offset;
 uint8_t *buf;

- for (buf = p->buf; buf < p->buf + p->buf_size; buf++) {
- state = (state << 8) | *buf;
+ for (pos = 0; pos < p->buf_size; pos++) {
+ state = (state << 8) | p->buf[pos];
 if (!IS_LE_MARKER(state))
 continue;

+ buf = p->buf + pos + 1;
 if (IS_16LE_MARKER(state)) {
- data_type = AV_RL16(buf + 1);
- data_size = AV_RL16(buf + 3);
- buf += 4;
+ data_type = AV_RL16(buf );
+ data_size = AV_RL16(buf + 2);
 } else {
- data_type = AV_RL24(buf + 1);
- data_size = AV_RL24(buf + 4);
- buf += 6;
+ data_type = AV_RL24(buf );
+ data_size = AV_RL24(buf + 3);
 }

 if (s337m_get_offset_and_codec(NULL, state, data_type, data_size, &offset, NULL))
@@ -110,7 +109,8 @@ static int s337m_probe(AVProbeData *p)
 i = IS_16LE_MARKER(state) ? 0 : IS_20LE_MARKER(state) ? 1 : 2;
 markers[i]++;

- buf += offset;
+ pos += IS_16LE_MARKER(state) ? 4 : 6;
+ pos += offset;
 state = 0;
 }
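Review bot: The header reads that follow `buf = p->buf + pos + 1;` (`AV_RL16(buf + 2)` reads up to buf+3, `AV_RL24(buf + 3)` up to buf+5) can extend as far as 6 bytes past `p->buf_size` when a marker is matched in the last bytes of the probe buffer, and nothing in the new code bounds them. This is presumably safe only because FFmpeg's probe buffers carry AVPROBE_PADDING_SIZE bytes of zeroed padding after `buf_size`, which is not stated anywhere in the hunk; a one-line comment above the assignment, `/* reads below may run up to 6 bytes past buf_size; relies on AVPROBE_PADDING_SIZE */`, would make the dependency explicit for anyone who later reuses this loop on an unpadded buffer. If that reliance is unwanted, an explicit `if (pos + 6 >= p->buf_size) break;` before the reads would bound them, at the cost of skipping a header that straddles the end of the buffer. The switch to an integer `pos` does make the post-`offset` loop comparison well-defined even when it overshoots, which the old pointer form did not. s337m_probe's signature and the rest of its body lie outside the hunk.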