author | Jakub Zawadzki <darkjames-ws@darkjames.pl> | 2013-07-15 18:32:11 +0000 |
---|---|---|
committer | Jakub Zawadzki <darkjames-ws@darkjames.pl> | 2013-07-15 18:32:11 +0000 |
commit | fec836d697436a3d62327a9c039f595b686619c1 (patch) | |
tree | f47aa6348cd1c0c5b5aebb11594409fff67a5d07 /epan/tvbuff.c | |
parent | 7c5b4715847ac775ec3d4b418e313d2f6b7fbc5c (diff) | |
download | wireshark-fec836d697436a3d62327a9c039f595b686619c1.tar.gz |
Fix bug #8936: Fuzz failure: attempt to allocate -1 bytes from packet-bacapp.c and/or tvb_generic_clone_offset_len()
Revert r50556: Add new function: validate_offset() which checks if offset is within bounds of tvb.
svn path=/trunk/; revision=50633
Diffstat (limited to 'epan/tvbuff.c')
-rw-r--r-- | epan/tvbuff.c | 37 |
1 files changed, 33 insertions, 4 deletions
diff --git a/epan/tvbuff.c b/epan/tvbuff.c
index be666e834b..5e4bee8dcc 100644
--- a/epan/tvbuff.c
+++ b/epan/tvbuff.c
@@ -202,15 +202,44 @@ validate_offset(const tvbuff_t *tvb, const guint abs_offset)
 static int
 compute_offset(const tvbuff_t *tvb, const gint offset, guint *offset_ptr)
 {
+ int exception;
+
 if (offset >= 0) {
 /* Positive offset - relative to the beginning of the packet. */
- *offset_ptr = offset;
- } else {
+ if ((guint) offset > tvb->reported_length) {
+ if (tvb->flags & TVBUFF_FRAGMENT) {
+ exception = FragmentBoundsError;
+ } else {
+ exception = ReportedBoundsError;
+ }
+ return exception;
+ }
+ else if ((guint) offset > tvb->length) {
+ return BoundsError;
+ }
+ else {
+ *offset_ptr = offset;
+ }
+ }
+ else {
 /* Negative offset - relative to the end of the packet. */
- *offset_ptr = tvb->length + offset;
+ if ((guint) -offset > tvb->reported_length) {
+ if (tvb->flags & TVBUFF_FRAGMENT) {
+ exception = FragmentBoundsError;
+ } else {
+ exception = ReportedBoundsError;
+ }
+ return exception;
+ }
+ else if ((guint) -offset > tvb->length) {
+ return BoundsError;
+ }
+ else {
+ *offset_ptr = tvb->length + offset;
+ }
 }

- return validate_offset(tvb, *offset_ptr);
+ return 0;
 }

 static int |
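Review bot: In the negative-offset branch, `(guint) -offset` negates the signed `gint` before the cast, so an offset of G_MININT overflows in signed arithmetic, which is undefined behaviour in C and leaves the bounds check on a fuzzed offset dependent on how the compiler treats that overflow. Converting first and negating in unsigned arithmetic keeps both comparisons well defined for every input, e.g. `const guint rel = 0U - (guint) offset;` followed by `if (rel > tvb->reported_length)` and `else if (rel > tvb->length)`. The same three-way check is written out twice, so computing the magnitude once per branch and sharing the reported-length/fragment test would also remove the duplicated `exception` assignment. Separately, `*offset_ptr` is now left unwritten on every error return, whereas the removed lines stored it before validating; a header comment such as `/* Returns 0 and sets *offset_ptr on success; returns an exception code and leaves *offset_ptr untouched otherwise. */` would make that contract explicit for callers, which are outside this hunk.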