From 586dea0e0473483f34b3fd2c0a30c6a4c77b33bc Mon Sep 17 00:00:00 2001
From: Evan Huus <eapache@gmail.com>
Date: Tue, 15 Oct 2013 13:05:31 +0000
Subject: Check the length *before* accessing the array, and cap the
 length-retrieved-from-packet at the size of the array we have.

Fixes https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9270

svn path=/trunk/; revision=52616
---
 epan/dissectors/packet-gsm_cbch.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/epan/dissectors/packet-gsm_cbch.c b/epan/dissectors/packet-gsm_cbch.c
index 0af0228d82..28959a9389 100644
--- a/epan/dissectors/packet-gsm_cbch.c
+++ b/epan/dissectors/packet-gsm_cbch.c
@@ -260,7 +260,13 @@ dissect_schedule_message(tvbuff_t *tvb, packet_info *pinfo, proto_tree *top_tree
             sched_subtree = proto_item_add_subtree(item, ett_schedule_new_msg);
             for (k=0; offset < len; j++)
             {
-                while ((other_slots[k]!=0xFFFF) && (k<sched_end))
+                /* XXX I don't know if a message can validly contain more than
+                 * 48 slots, but that's the size of the array we create so cap
+                 * it there to avoid uninitialized memory errors (see bug
+                 * https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9270) */
+                if (sched_end > 48)
+                    sched_end = 48;
+                while ((k<sched_end) && (other_slots[k]!=0xFFFF))
                 {
                     k++;
                 }
-- 
cgit v1.2.3