diff options
author | Evan Huus <evan.huus@jadedpixel.com> | 2014-06-17 18:13:51 +0000 |
---|---|---|
committer | Evan Huus <eapache@gmail.com> | 2014-06-17 18:17:31 +0000 |
commit | 17a552666b50896a9b9dde8ee6a1052e7f9a622e (patch) | |
tree | ef0b60d1d0f1166c9f4392ba10f4198eef5b8a81 | |
parent | c30df319547442b3847693c821844735fd692d9c (diff) |
fix underflow in BER constrained bitstrings
this can happen and cause invalid memory accesses with incorrectly-large padding
values
Bug:10187
Change-Id: Ib9b2a2fa10766efb4d95d588f57354a56373c626
Reviewed-on: https://code.wireshark.org/review/2325
Reviewed-by: Evan Huus <eapache@gmail.com>
-rw-r--r-- | epan/dissectors/packet-ber.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/epan/dissectors/packet-ber.c b/epan/dissectors/packet-ber.c index f47b8b0a56..111dc770ca 100644 --- a/epan/dissectors/packet-ber.c +++ b/epan/dissectors/packet-ber.c @@ -3855,7 +3855,7 @@ dissect_ber_constrained_bitstring(gboolean implicit_tag, asn1_ctx_t *actx, proto bitstring = (guint8 *)tvb_memdup(wmem_packet_scope(), tvb, offset, len); while (nb->p_id) { - if ((len > 0) && (nb->bit < (8*len-pad))) { + if ((len > 0) && (pad < 8*len) && (nb->bit < (8*len-pad))) { val = tvb_get_guint8(tvb, offset + nb->bit/8); bitstring[(nb->bit/8)] &= ~(0x80 >> (nb->bit%8)); val &= 0x80 >> (nb->bit%8); |