author | Jeff Morriss <jeff.morriss.ws@gmail.com> | 2013-07-11 14:46:30 +0000 |
---|---|---|
committer | Jeff Morriss <jeff.morriss.ws@gmail.com> | 2013-07-11 14:46:30 +0000 |
commit | b6ee11e928a3a5bd8b4518540a9da28669e56d5d (patch) | |
tree | bf5a834d09af6b2bcdf653c8d407cb81a6097017 | |
parent | c38a7508212893a03d56f8246a8a1d80b2d8acef (diff) | |
download | wireshark-b6ee11e928a3a5bd8b4518540a9da28669e56d5d.tar.gz |
Fix the very long loop fuzz failure reported in https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8923 :
Apply the fix for https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=3290
to proto_tree_add_bits_item(). That is, test that we have offset+length bytes
left in the TVB before trying to fake the item.
svn path=/trunk/; revision=50504
-rw-r--r-- | epan/proto.c | 17 |
1 files changed, 13 insertions, 4 deletions
diff --git a/epan/proto.c b/epan/proto.c
index a6b0325515..5f2a504314 100644
--- a/epan/proto.c
+++ b/epan/proto.c
@@ -6854,7 +6854,19 @@ proto_tree_add_bits_item(proto_tree *tree, const int hf_index, tvbuff_t *tvb,
 const guint encoding)
 {
 header_field_info *hfinfo;
+ gint octet_length;
+ gint octet_offset;
+ PROTO_REGISTRAR_GET_NTH(hf_index, hfinfo);
+
+ octet_length = (no_of_bits + 7) >> 3;
+ octet_offset = bit_offset >> 3;
+ test_length(hfinfo, tree, tvb, octet_offset, octet_length, encoding);
+
+ /* Yes, we try to fake this item again in proto_tree_add_bits_ret_val()
+ * but only after doing a bunch more work (which we can, in the common
+ * case, shortcut here).
+ */
 TRY_TO_FAKE_THIS_ITEM(tree, hf_index, hfinfo);
 return proto_tree_add_bits_ret_val(tree, hf_index, tvb, bit_offset, no_of_bits, NULL, encoding);
@@ -6901,10 +6913,7 @@ _proto_tree_add_bits_ret_val(proto_tree *tree, const int hf_index, tvbuff_t *tvb
 * Calculate the number of octets used to hold the bits
 */
 tot_no_bits = ((bit_offset&0x7) + no_of_bits);
- length = tot_no_bits>>3;
- /* If we are using part of the next octet, increase length by 1 */
- if (tot_no_bits & 0x07)
- length++;
+ length = (tot_no_bits + 7) >> 3;
 if (no_of_bits < 65) {
 value = tvb_get_bits64(tvb, bit_offset, no_of_bits, encoding); |
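Review bot: The octet count passed to `test_length()` in `proto_tree_add_bits_item()` ignores the bit position inside the first octet, so the early bounds check can be one octet short of what the field really spans. With `octet_length = (no_of_bits + 7) >> 3`, a field that starts late in an octet and straddles a boundary (for instance 2 bits starting at bit 7) is checked as 1 octet while it touches 2; the second hunk of this same commit already derives the span from `(bit_offset & 0x7) + no_of_bits`. Using the same expression here, `octet_length = ((bit_offset & 0x7) + no_of_bits + 7) >> 3;`, keeps the pre-fake check consistent with what `_proto_tree_add_bits_ret_val()` reads when the item is not faked. The declarations of `bit_offset` and `no_of_bits` fall outside the hunk, so whether a negative or very large bit count can reach the `+ 7` should be confirmed against the full signature.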