make sure that we don't read past the end of the compressed buffer

Bug: 10757
Change-Id: I30054c4a75ec86ea603cf78b702be5255c35f549
Reviewed-on: https://code.wireshark.org/review/5642
Reviewed-by: Martin Kaiser <wireshark@kaiser.cx>
Tested-by: Martin Kaiser <wireshark@kaiser.cx>

1 files changed, 8 insertions, 6 deletions

diff --git a/epan/tvbuff_zlib.c b/epan/tvbuff_zlib.c
index 6ea50c4b05..3f359ba1ce 100644
--- a/epan/tvbuff_zlib.c
+++ b/epan/tvbuff_zlib.c
@@ -165,8 +165,8 @@ tvb_uncompress(tvbuff_t *tvb, const int offset, int comprlen)
 			}
 
 		} else if (err == Z_DATA_ERROR && inits_done == 1
-			&& uncompr == NULL && (*compr  == 0x1f) &&
-			(*(compr + 1) == 0x8b)) {
+			&& uncompr == NULL && comprlen >= 2 &&
+			(*compr  == 0x1f) && (*(compr + 1) == 0x8b)) {
 			/*
 			 * inflate() is supposed to handle both gzip and deflate
 			 * streams automatically, but in reality it doesn't
@@ -181,12 +181,13 @@ tvb_uncompress(tvbuff_t *tvb, const int offset, int comprlen)
 			 * fix to make it work (setting windowBits to 31)
 			 * doesn't work with all versions of the library.
 			 */
-			Bytef *c     = compr + 2;
+			Bytef *c = compr + 2;
 			Bytef  flags = 0;
 
-			if (*c == Z_DEFLATED) {
-				c++;
-			} else {
+			/* we read two bytes already (0x1f, 0x8b) and
+			   need at least Z_DEFLATED, 1 byte flags, 4
+			   bytes MTIME, 1 byte XFL, 1 byte OS */
+			if (comprlen < 10 || *c != Z_DEFLATED) {
 				inflateEnd(strm);
 				g_free(strm);
 				g_free(compr);
@@ -194,6 +195,7 @@ tvb_uncompress(tvbuff_t *tvb, const int offset, int comprlen)
 				return NULL;
 			}
 
+			c++;
 			flags = *c;
 
 			/* Skip past the MTIME, XFL, and OS fields. */