packet-bzr.c: Prevent infinite loop

Bug: 13599
Change-Id: If85588099d7c6635865614f8778a903a5e971789
Reviewed-on: https://code.wireshark.org/review/21410
Reviewed-by: Michael Mann <mmann78@netscape.net>
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>

1 files changed, 7 insertions, 1 deletions

diff --git a/epan/dissectors/packet-bzr.c b/epan/dissectors/packet-bzr.c
index b89d7d160b..ce567a9e86 100644
--- a/epan/dissectors/packet-bzr.c
+++ b/epan/dissectors/packet-bzr.c
@@ -85,7 +85,7 @@ static guint
 get_bzr_pdu_len(packet_info *pinfo _U_, tvbuff_t *tvb, int offset)
 {
     int    next_offset;
-    gint   len = 0;
+    gint   len = 0, current_len;
     gint   protocol_version_len;
     guint8 cmd = 0;
 
@@ -98,7 +98,10 @@ get_bzr_pdu_len(packet_info *pinfo _U_, tvbuff_t *tvb, int offset)
     len += protocol_version_len + 1;
 
     /* Headers */
+    current_len = len;
     len += get_bzr_prefixed_len(tvb, next_offset);
+    if (current_len > len) /* Make sure we're not going backwards */
+        return -1;
 
     while (tvb_reported_length_remaining(tvb, offset + len) > 0) {
         cmd = tvb_get_guint8(tvb, offset + len);
@@ -107,7 +110,10 @@ get_bzr_pdu_len(packet_info *pinfo _U_, tvbuff_t *tvb, int offset)
         switch (cmd) {
         case 's':
         case 'b':
+            current_len = len;
             len += get_bzr_prefixed_len(tvb, offset + len);
+            if (current_len > len) /* Make sure we're not going backwards */
+                return -1;
             break;
         case 'o':
             len += 1;