From 14a9ef9cb2a627e488821b43678e1a67b12fa5d7 Mon Sep 17 00:00:00 2001
From: Gerald Combs <gerald@wireshark.org>
Date: Fri, 13 May 2011 17:12:44 +0000
Subject: From Huzaifa Sidhpurwala of the Red Hat Security Response Team: Fix
 an integer overflow in wiretap/visual.c.

svn path=/trunk/; revision=37128
---
 wiretap/visual.c | 9 +++++++++
 1 file changed, 9 insertions(+)

(limited to 'wiretap/visual.c')

diff --git a/wiretap/visual.c b/wiretap/visual.c
index 306fb0211b..9c48fe22be 100644
--- a/wiretap/visual.c
+++ b/wiretap/visual.c
@@ -420,6 +420,15 @@ static gboolean visual_read(wtap *wth, int *err, gchar **err_info,
        break;
     }
 
+    if (wth->phdr.len > WTAP_MAX_PACKET_SIZE) {
+    /* Check if wth->phdr.len is sane, small values of wth.phdr.len before
+       the case loop above can cause integer underflows */ 
+        *err = WTAP_ERR_BAD_RECORD;
+        *err_info = g_strdup_printf("visual: File has %u-byte original packet, bigger than maximum of %u",
+                    wth->phdr.len, WTAP_MAX_PACKET_SIZE);
+        return FALSE;
+    }
+
     /* Sanity check */
     if (wth->phdr.len < wth->phdr.caplen)
     {
-- 
cgit v1.2.1