fix underflow in BER constrained bitstrings

this can happen and cause invalid memory accesses with incorrectly-large padding values Bug:10187 Change-Id: Ib9b2a2fa10766efb4d95d588f57354a56373c626 Reviewed-on: https://code.wireshark.org/review/2325 Reviewed-by: Evan Huus <eapache@gmail.com>
author: Evan Huus <evan.huus@jadedpixel.com> 2014-06-17 18:13:51 +0000
committer: Evan Huus <eapache@gmail.com> 2014-06-17 18:17:31 +0000
commit: 17a552666b50896a9b9dde8ee6a1052e7f9a622e (patch)
tree: ef0b60d1d0f1166c9f4392ba10f4198eef5b8a81
parent: c30df319547442b3847693c821844735fd692d9c (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/epan/dissectors/packet-ber.c b/epan/dissectors/packet-ber.c
index f47b8b0a56..111dc770ca 100644
--- a/epan/dissectors/packet-ber.c
+++ b/epan/dissectors/packet-ber.c
@@ -3855,7 +3855,7 @@ dissect_ber_constrained_bitstring(gboolean implicit_tag, asn1_ctx_t *actx, proto
         bitstring = (guint8 *)tvb_memdup(wmem_packet_scope(), tvb, offset, len);
 
         while (nb->p_id) {
-            if ((len > 0) && (nb->bit < (8*len-pad))) {
+            if ((len > 0) && (pad < 8*len) && (nb->bit < (8*len-pad))) {
                 val = tvb_get_guint8(tvb, offset + nb->bit/8);
                 bitstring[(nb->bit/8)] &= ~(0x80 >> (nb->bit%8));
                 val &= 0x80 >> (nb->bit%8);
author	Evan Huus <evan.huus@jadedpixel.com>	2014-06-17 18:13:51 +0000
committer	Evan Huus <eapache@gmail.com>	2014-06-17 18:17:31 +0000
commit	17a552666b50896a9b9dde8ee6a1052e7f9a622e (patch)
tree	ef0b60d1d0f1166c9f4392ba10f4198eef5b8a81
parent	c30df319547442b3847693c821844735fd692d9c (diff)