authorGuy Harris <guy@alum.mit.edu>2005-09-25 09:32:01 +0000
committerGuy Harris <guy@alum.mit.edu>2005-09-25 09:32:01 +0000
commit0e17a773b9af7e5c3c4b3441036b1801ebd0562c (patch)
tree1ef2b8a6de0ca12e26f120872033ecff6873bfa4 /asn1/gsmmap/packet-gsm_map-template.c
parent2d14a6f4ae621d959e5bfa2134ce97739ad52797 (diff)
A loop processing all the bytes in a tvbuff from a given offset to the
end of the data in the tvbuff should stop when the offset is >= the total amount of data in the tvbuff, not when it's > the total amount in the tvbuff following the starting offset. In "unpack_digits()", return a null string, not a null pointer, if there's nothing left in the tvbuff starting at the starting offset, so that the caller doesn't have to check for a null pointer, and return an ep_alloc()ed buffer, so the caller doesn't have to worry about freeing the result. If we see a filler digit, don't advance the offset in the string buffer; we want to put the terminating '\0' right after the character we just put into the string. Fuzzed against some GSM captures. svn path=/trunk/; revision=16002
Diffstat (limited to 'asn1/gsmmap/packet-gsm_map-template.c')
-rw-r--r--asn1/gsmmap/packet-gsm_map-template.c16
1 files changed, 7 insertions, 9 deletions
diff --git a/asn1/gsmmap/packet-gsm_map-template.c b/asn1/gsmmap/packet-gsm_map-template.c
index d434f324d9..03fba0c0f7 100644
--- a/asn1/gsmmap/packet-gsm_map-template.c
+++ b/asn1/gsmmap/packet-gsm_map-template.c
@@ -37,6 +37,7 @@
#include <epan/prefs.h>
#include <epan/conversation.h>
#include <epan/tap.h>
+#include <epan/emem.h>
#include <stdio.h>
#include <string.h>
@@ -131,14 +132,13 @@ unpack_digits(tvbuff_t *tvb, int offset){
length = tvb_length(tvb);
if (length < offset)
- return NULL;
- length = length - offset;
- digit_str = g_malloc(length*2+1);
+ return "";
+ digit_str = ep_alloc((length - offset)*2+1);
- while ( offset <= length ){
+ while ( offset < length ){
octet = tvb_get_guint8(tvb,offset);
- digit_str[i] = ((octet & 0x0f) + 0x30);
+ digit_str[i] = ((octet & 0x0f) + '0');
i++;
/*
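Review bot: `(octet & 0x0f) + '0'` yields a digit only for nibble values 0–9; values 0xA–0xF taken from the packet come out as `:` through `?`, and the low nibble is never tested for the 0x0f filler the way the high nibble is in the next hunk. Indexing a fixed 16-entry table, for example `digit_str[i] = tbcd_chars[octet & 0x0f];` (the name is a placeholder, with the non-decimal entries chosen per the encoding's definition), would make the output well-defined for every input byte; the same expression recurs on the high-nibble line of the following hunk. Separately, `return "";` hands back a string literal while the other path returns a writable ep_alloc() buffer, so if the return type is a non-const `char *` (it is outside the hunk) a comment on the function saying callers must treat the result as read-only would help. The body of unpack_digits() starts before and continues past this hunk.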
@@ -146,12 +146,10 @@ unpack_digits(tvbuff_t *tvb, int offset){
*/
octet = octet >> 4;
- if (octet == 0x0f){ /* odd number bytes - hit filler */
- i++;
+ if (octet == 0x0f) /* odd number bytes - hit filler */
break;
- }
- digit_str[i] = ((octet & 0x0f) + 0x30);
+ digit_str[i] = ((octet & 0x0f) + '0');
i++;
offset++;