authorJakub Zawadzki <darkjames-ws@darkjames.pl>2013-07-15 18:32:11 +0000
committerJakub Zawadzki <darkjames-ws@darkjames.pl>2013-07-15 18:32:11 +0000
commitfec836d697436a3d62327a9c039f595b686619c1 (patch)
treef47aa6348cd1c0c5b5aebb11594409fff67a5d07 /epan/tvbuff.c
parent7c5b4715847ac775ec3d4b418e313d2f6b7fbc5c (diff)
downloadwireshark-fec836d697436a3d62327a9c039f595b686619c1.tar.gz
Fix bug #8936: Fuzz failure: attempt to allocate -1 bytes from packet-bacapp.c and/or tvb_generic_clone_offset_len()
Revert r50556: Add new function: validate_offset() which checks if offset is within bounds of tvb. svn path=/trunk/; revision=50633
Diffstat (limited to 'epan/tvbuff.c')
-rw-r--r--epan/tvbuff.c37
1 files changed, 33 insertions, 4 deletions
diff --git a/epan/tvbuff.c b/epan/tvbuff.c
index be666e834b..5e4bee8dcc 100644
--- a/epan/tvbuff.c
+++ b/epan/tvbuff.c
@@ -202,15 +202,44 @@ validate_offset(const tvbuff_t *tvb, const guint abs_offset)
static int
compute_offset(const tvbuff_t *tvb, const gint offset, guint *offset_ptr)
{
+ int exception;
+
if (offset >= 0) {
/* Positive offset - relative to the beginning of the packet. */
- *offset_ptr = offset;
- } else {
+ if ((guint) offset > tvb->reported_length) {
+ if (tvb->flags & TVBUFF_FRAGMENT) {
+ exception = FragmentBoundsError;
+ } else {
+ exception = ReportedBoundsError;
+ }
+ return exception;
+ }
+ else if ((guint) offset > tvb->length) {
+ return BoundsError;
+ }
+ else {
+ *offset_ptr = offset;
+ }
+ }
+ else {
/* Negative offset - relative to the end of the packet. */
- *offset_ptr = tvb->length + offset;
+ if ((guint) -offset > tvb->reported_length) {
+ if (tvb->flags & TVBUFF_FRAGMENT) {
+ exception = FragmentBoundsError;
+ } else {
+ exception = ReportedBoundsError;
+ }
+ return exception;
+ }
+ else if ((guint) -offset > tvb->length) {
+ return BoundsError;
+ }
+ else {
+ *offset_ptr = tvb->length + offset;
+ }
}
- return validate_offset(tvb, *offset_ptr);
+ return 0;
}
static int
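Review bot: In the negative-offset branch of compute_offset(), `(guint) -offset` negates the signed `gint` before the cast, so an offset of `G_MININT` is signed overflow (undefined behaviour) inside the very bounds check meant to reject it. Negating after the conversion is well defined and gives the same magnitude for every other negative value: `if (-(guint) offset > tvb->reported_length) {` and `else if (-(guint) offset > tvb->length) {`. The commit title describes a fuzz failure, so this offset can presumably be derived from packet data, and the check should not depend on how the compiler treats the overflow. Separately, the `TVBUFF_FRAGMENT` choice between `FragmentBoundsError` and `ReportedBoundsError` is written out twice; a small static helper would keep the two branches from drifting apart.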