AMQP: fix a stack overflow when offset goes back and forth

Previous code assumed that list decoding was successful and that some
bytes were consumed. Let's explicitly check this.

Bug: 13780
Change-Id: I3546b093f309f2b8096f01bc9987ac5ad9e029eb
Reviewed-on: https://code.wireshark.org/review/22235
Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com>
Petri-Dish: Pascal Quantin <pascal.quantin@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
(cherry picked from commit 246cbbc2ea6dd0a3a69a1aaa94db244a77565353)
Reviewed-on: https://code.wireshark.org/review/22248

1 files changed, 7 insertions, 1 deletions

diff --git a/epan/dissectors/packet-amqp.c b/epan/dissectors/packet-amqp.c
index 44899370a6..303bd3bbd2 100644
--- a/epan/dissectors/packet-amqp.c
+++ b/epan/dissectors/packet-amqp.c
@@ -9978,7 +9978,13 @@ get_amqp_1_0_value_formatter(tvbuff_t *tvb,
                                                      item,
                                                      hf_amqp_type,
                                                      hf_amqp_subtype_count,
-                                                     hf_amqp_subtypes, name)-1; /* "-1" due to decode type again in the method */
+                                                     hf_amqp_subtypes, name);
+                if (*length_size == 0) {
+                    /* something went wrong during list dissection; let's stop here */
+                    *length_size = tvb_reported_length_remaining(tvb, offset);
+                } else {
+                    *length_size -= 1; /* "-1" due to decode type again in the method */
+                }
                 break;
             case AMQP_1_0_TYPE_MAP8:
             case AMQP_1_0_TYPE_MAP32: