author | Peter Wu <peter@lekensteyn.nl> | 2015-11-22 18:16:46 +0100 |
---|---|---|
committer | Peter Wu <peter@lekensteyn.nl> | 2015-11-25 12:41:43 +0000 |
commit | ff0220fda472b0b08796dbd8aa4c22dd665d9223 | |
tree | e90b65e9aaa5a89c7b8401b3c4d413d662637648 | |
parent | 7f90e4eaf36e15a1b29ad399ac4e6b81508511a0 | |
Fix buffer overrun in zlib decompression
After updating next_in (to remove the gzip header), avail_in must also
be updated. Failing to do so makes zlib read past the input buffer. In
theory this would result in a buffer overrun of at most double the input
length, in practice zlib returns as soon as the compression fails (after
reading a few bytes).
Bug: 11548
Change-Id: If71691a2846338f46d866964a77cc4e74a9b61dd
Reviewed-on: https://code.wireshark.org/review/12038
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
(cherry picked from commit cec0593ae6c3bca65eff65741c2a10f3de3e0afe)
Reviewed-on: https://code.wireshark.org/review/12138
-rw-r--r-- | epan/tvbuff_zlib.c | 9 |
1 files changed, 6 insertions, 3 deletions
diff --git a/epan/tvbuff_zlib.c b/epan/tvbuff_zlib.c index 176e2daf12..74fec91858 100644 --- a/epan/tvbuff_zlib.c +++ b/epan/tvbuff_zlib.c @@ -228,9 +228,6 @@ tvb_uncompress(tvbuff_t *tvb, const int offset, int comprlen) } - inflateReset(strm); - next = c; - strm->next_in = next; if (c - compr > comprlen) { inflateEnd(strm); g_free(strm); @@ -238,7 +235,13 @@ tvb_uncompress(tvbuff_t *tvb, const int offset, int comprlen) g_free(strmbuf); return NULL; } + /* Drop gzip header */ comprlen -= (int) (c - compr); + next = c; + + inflateReset(strm); + strm->next_in = next; + strm->avail_in = comprlen; inflateEnd(strm); inflateInit2(strm, wbits); |
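Review bot: in the first hunk (`@@ -228,9 +228,6 @@`), the bounds check `if (c - compr > comprlen)` that now runs before the stream is touched still lets `c - compr == comprlen` through, so an input that consists of a gzip header and nothing else reaches the second hunk with `comprlen` reduced to 0 and `strm->avail_in = 0`. If that case is meant to fall through and fail in inflate, a one-line comment on the check would make that explicit; otherwise `>=` would reject it early through the same cleanup path.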
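Review bot: in the second hunk (`@@ -238,7 +235,13 @@`), the added `inflateReset(strm);` is followed directly by the context lines `inflateEnd(strm);` and `inflateInit2(strm, wbits);`, so the state it resets is torn down and rebuilt straight away. The reset looks droppable, leaving only the `strm->next_in = next;` and `strm->avail_in = comprlen;` assignments ahead of the re-init. Two smaller points on the same lines: `strm->avail_in = comprlen;` stores a signed `int` into zlib's unsigned `avail_in` and is only safe because of the `c - compr > comprlen` check above it, which the `/* Drop gzip header */` comment could mention; and the return value of `inflateInit2` is not checked in the visible lines.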