authorEvan Huus <eapache@gmail.com>2013-10-15 13:05:31 +0000
committerEvan Huus <eapache@gmail.com>2013-10-15 13:05:31 +0000
commit586dea0e0473483f34b3fd2c0a30c6a4c77b33bc (patch)
tree218b97131896ca7883ce1a0c9be3ac800851403c
parenta6d8e1888c74c9e88957c1e663caec2bab16551e (diff)
Check the length *before* accessing the array, and cap the
length-retrieved-from-packet at the size of the array we have. Fixes https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9270 svn path=/trunk/; revision=52616
-rw-r--r--epan/dissectors/packet-gsm_cbch.c8
1 files changed, 7 insertions, 1 deletions
diff --git a/epan/dissectors/packet-gsm_cbch.c b/epan/dissectors/packet-gsm_cbch.c
index 0af0228d82..28959a9389 100644
--- a/epan/dissectors/packet-gsm_cbch.c
+++ b/epan/dissectors/packet-gsm_cbch.c
@@ -260,7 +260,13 @@ dissect_schedule_message(tvbuff_t *tvb, packet_info *pinfo, proto_tree *top_tree
sched_subtree = proto_item_add_subtree(item, ett_schedule_new_msg);
for (k=0; offset < len; j++)
{
- while ((other_slots[k]!=0xFFFF) && (k<sched_end))
+ /* XXX I don't know if a message can validly contain more than
+ * 48 slots, but that's the size of the array we create so cap
+ * it there to avoid uninitialized memory errors (see bug
+ * https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9270) */
+ if (sched_end > 48)
+ sched_end = 48;
+ while ((k<sched_end) && (other_slots[k]!=0xFFFF))
{
k++;
}
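Review bot: The clamp `if (sched_end > 48) sched_end = 48;` sits inside the `for` body, so it is re-evaluated on every iteration and protects only this loop; any earlier use of `sched_end` as an index or bound (not visible in this hunk) would still see the unclamped value taken from the packet. I would move it to the point where `sched_end` is read from the packet and derive the limit from the array rather than repeating the literal, e.g. `if (sched_end > array_length(other_slots)) sched_end = array_length(other_slots);`, assuming `other_slots` is declared as an array in this function. The reordered `while` condition is right, but it can now exit with `k == sched_end`; the rest of the loop body lies outside the hunk, so confirm that nothing indexes `other_slots[k]` afterwards without re-checking `k < sched_end`.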