From Huzaifa Sidhpurwala of the Red Hat Security Response Team: Fix an

integer overflow in wiretap/visual.c. svn path=/trunk/; revision=37128
author: Gerald Combs <gerald@wireshark.org> 2011-05-13 17:12:44 +0000
committer: Gerald Combs <gerald@wireshark.org> 2011-05-13 17:12:44 +0000
commit: 14a9ef9cb2a627e488821b43678e1a67b12fa5d7 (patch)
tree: d58322add8ecdaf5bd09ed5d288c97fd7ce2611a /wiretap/visual.c
parent: dece07c8f3971c176c819337277f5fdfefe071c0 (diff)
download: wireshark-14a9ef9cb2a627e488821b43678e1a67b12fa5d7.tar.gz
1 files changed, 9 insertions, 0 deletions
diff --git a/wiretap/visual.c b/wiretap/visual.c
index 306fb0211b..9c48fe22be 100644
--- a/wiretap/visual.c
+++ b/wiretap/visual.c
@@ -420,6 +420,15 @@ static gboolean visual_read(wtap *wth, int *err, gchar **err_info,
        break;
     }
 
+    if (wth->phdr.len > WTAP_MAX_PACKET_SIZE) {
+    /* Check if wth->phdr.len is sane, small values of wth.phdr.len before
+       the case loop above can cause integer underflows */ 
+        *err = WTAP_ERR_BAD_RECORD;
+        *err_info = g_strdup_printf("visual: File has %u-byte original packet, bigger than maximum of %u",
+                    wth->phdr.len, WTAP_MAX_PACKET_SIZE);
+        return FALSE;
+    }
+
     /* Sanity check */
     if (wth->phdr.len < wth->phdr.caplen)
     {
author	Gerald Combs <gerald@wireshark.org>	2011-05-13 17:12:44 +0000
committer	Gerald Combs <gerald@wireshark.org>	2011-05-13 17:12:44 +0000
commit	14a9ef9cb2a627e488821b43678e1a67b12fa5d7 (patch)
tree	d58322add8ecdaf5bd09ed5d288c97fd7ce2611a /wiretap/visual.c
parent	dece07c8f3971c176c819337277f5fdfefe071c0 (diff)
download	wireshark-14a9ef9cb2a627e488821b43678e1a67b12fa5d7.tar.gz