author | Martin Kaiser <wireshark@kaiser.cx> | 2014-12-06 18:28:37 +0100 |
---|---|---|
committer | Martin Kaiser <wireshark@kaiser.cx> | 2014-12-07 18:52:30 +0000 |
commit | ade2beffeb29a1fe062ea0a571e10c120bc772eb (patch) | |
tree | 56515aa92cd6e1f7c2e918ac43def1086cdb168a /epan/tvbuff_zlib.c | |
parent | 1bc8791fe69fdf5cf14925d067d21bc313142b0a (diff) |
make sure that we don't read past the end of the compressed buffer
Bug: 10757
Change-Id: I30054c4a75ec86ea603cf78b702be5255c35f549
Reviewed-on: https://code.wireshark.org/review/5642
Reviewed-by: Martin Kaiser <wireshark@kaiser.cx>
Tested-by: Martin Kaiser <wireshark@kaiser.cx>
Diffstat (limited to 'epan/tvbuff_zlib.c')
-rw-r--r-- | epan/tvbuff_zlib.c | 14 |
1 files changed, 8 insertions, 6 deletions
diff --git a/epan/tvbuff_zlib.c b/epan/tvbuff_zlib.c index 6ea50c4b05..3f359ba1ce 100644 --- a/epan/tvbuff_zlib.c +++ b/epan/tvbuff_zlib.c @@ -165,8 +165,8 @@ tvb_uncompress(tvbuff_t *tvb, const int offset, int comprlen) } } else if (err == Z_DATA_ERROR && inits_done == 1 - && uncompr == NULL && (*compr == 0x1f) && - (*(compr + 1) == 0x8b)) { + && uncompr == NULL && comprlen >= 2 && + (*compr == 0x1f) && (*(compr + 1) == 0x8b)) { /* * inflate() is supposed to handle both gzip and deflate * streams automatically, but in reality it doesn't @@ -181,12 +181,13 @@ tvb_uncompress(tvbuff_t *tvb, const int offset, int comprlen) * fix to make it work (setting windowBits to 31) * doesn't work with all versions of the library. */ - Bytef *c = compr + 2; + Bytef *c = compr + 2; Bytef flags = 0; - if (*c == Z_DEFLATED) { - c++; - } else { + /* we read two bytes already (0x1f, 0x8b) and + need at least Z_DEFLATED, 1 byte flags, 4 + bytes MTIME, 1 byte XFL, 1 byte OS */ + if (comprlen < 10 || *c != Z_DEFLATED) { inflateEnd(strm); g_free(strm); g_free(compr); @@ -194,6 +195,7 @@ tvb_uncompress(tvbuff_t *tvb, const int offset, int comprlen) return NULL; } + c++; flags = *c; /* Skip past the MTIME, XFL, and OS fields. */ |
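Review bot: The new `comprlen >= 2` guard in the `else if` condition protects the two magic-byte reads only because it sits ahead of them in the `&&` chain, and nothing in the code says so. A short comment above the condition would keep a later reorder from reintroducing the over-read, for example `/* length check must precede the compr[0]/compr[1] reads */`. The guard is also only as good as the assumption that `comprlen` still equals the number of bytes held in `compr` at this point. The allocation and any earlier adjustment of `comprlen` are outside the hunk, so that should be confirmed against the rest of tvb_uncompress.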
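Review bot: The `comprlen < 10` test added here bounds only the fixed part of the gzip header, so it does not by itself make the rest of the header parsing safe. The flags byte read right after this hunk selects optional fields in the gzip format (extra data, file name, comment, header CRC). If the code further down in tvb_uncompress walks those fields, each read there needs its own comparison of `c - compr` against `comprlen`. That code is outside the visible hunks, so this is inferred. Separately, the literal 10 would read better as a named constant, e.g. `#define GZIP_FIXED_HDR_LEN 10`, with the byte breakdown from the new comment kept next to the definition. The enclosing branch starts and ends outside the hunk.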