authorMartin Kaiser <wireshark@kaiser.cx>2014-12-07 19:47:54 +0100
committerAnders Broman <a.broman58@gmail.com>2014-12-11 09:39:18 +0000
commitb7f8cd8a5d4fc98ef62fd7d503df2451f187eefd (patch)
tree83a1b9aaf3d793e7422a080cacfd839492bc5591 /epan/tvbuff_zlib.c
parent5570f8e24bb1b425ad14c232ff36ca48d8597410 (diff)
skip the extra field in the gzip header
it consists of two bytes xsize + xsize bytes of data
use an unsigned type for xsize
fail gracefully if the field is present but truncated
tvb_length_remaining > tvb_captured_length_remaining

Change-Id: I7f5138743c2d88abdd4f5f18d3c0292612ddb559
Reviewed-on: https://code.wireshark.org/review/5654
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Diffstat (limited to 'epan/tvbuff_zlib.c')
-rw-r--r--epan/tvbuff_zlib.c24
1 files changed, 19 insertions, 5 deletions
diff --git a/epan/tvbuff_zlib.c b/epan/tvbuff_zlib.c
index 17093222eb..0e6be80d0a 100644
--- a/epan/tvbuff_zlib.c
+++ b/epan/tvbuff_zlib.c
@@ -60,7 +60,7 @@ tvb_uncompress(tvbuff_t *tvb, const int offset, int comprlen)
guint bufsiz;
#ifdef TVB_Z_DEBUG
guint inflate_passes = 0;
- guint bytes_in = tvb_length_remaining(tvb, offset);
+ guint bytes_in = tvb_captured_length_remaining(tvb, offset);
#endif
if (tvb == NULL) {
@@ -76,7 +76,7 @@ tvb_uncompress(tvbuff_t *tvb, const int offset, int comprlen)
* Assume that the uncompressed data is at least twice as big as
* the compressed size.
*/
- bufsiz = tvb_length_remaining(tvb, offset) * 2;
+ bufsiz = tvb_captured_length_remaining(tvb, offset) * 2;
bufsiz = CLAMP(bufsiz, TVB_Z_MIN_BUFSIZ, TVB_Z_MAX_BUFSIZ);
#ifdef TVB_Z_DEBUG
@@ -204,9 +204,23 @@ tvb_uncompress(tvbuff_t *tvb, const int offset, int comprlen)
c += 6;
if (flags & (1 << 2)) {
- /* An Extra field is present. */
- gint xsize = (gint)(*c |
- (*(c + 1) << 8));
+ /* An Extra field is present. It
+ consists of 2 bytes xsize and xsize
+ bytes of data.
+ Read byte-by-byte (least significant
+ byte first) to make sure we abort
+ cleanly when the xsize is truncated
+ after the first byte. */
+ guint16 xsize = 0;
+
+ if (c-compr < comprlen) {
+ xsize += *c;
+ c++;
+ }
+ if (c-compr < comprlen) {
+ xsize += *c << 8;
+ c++;
+ }
c += xsize;
}
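Review bot: The `c += xsize;` that closes this hunk is not bounded against `comprlen`, although xsize is read from packet data and can be as large as 65535; c can therefore be moved far past the end of the compr buffer, and forming such a pointer is undefined behaviour in C even before it is dereferenced. The two added byte reads are guarded by `c-compr < comprlen`, but when the field is truncated after its first byte the code still skips by the partial value instead of stopping. I would check the remaining length before advancing, for example `if (xsize > comprlen - (c - compr))`, and take the function's existing failure path in that case. tvb_uncompress continues outside the hunk, so a later check may already catch the overrun; if it does, a short comment naming that check next to `c += xsize;` would make the reliance explicit.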