Make sure the offset doesn't overflow.

It'd only overflow if the value is *so* large that it won't fit in the
packet (given that we have a 2^32-1-byte limit on the packet size), so
use tvb_ensure_bytes_exist() to ensure we have the entire value before
processing the value.

(The real problem is that we don't handle the case where there's a value
multiplicity > 1 for some types; in those cases, we should loop,
processing all the values, which would cause us to eventually throw an
exception when we ran past the end of the packet.  This is just a quick
fix.)

Bug: 14742
Change-Id: I447ece81d1c84d3b1d218faeb2c155f910208c29
Reviewed-on: https://code.wireshark.org/review/27853
Reviewed-by: Guy Harris <guy@alum.mit.edu>

1 files changed, 5 insertions, 0 deletions

diff --git a/epan/dissectors/packet-dcm.c b/epan/dissectors/packet-dcm.c
index 3dd26e0093..e7b7904bac 100644
--- a/epan/dissectors/packet-dcm.c
+++ b/epan/dissectors/packet-dcm.c
@@ -5758,6 +5758,11 @@ dissect_dcm_tag_value(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, dcm_s
     guint encoding = (pdv->syntax == DCM_EBE) ? ENC_BIG_ENDIAN : ENC_LITTLE_ENDIAN;
 
 
+    /* Make sure we have all the bytes of the item; this should throw
+       and exception if vl_max is so large that it causes the offset
+       to overflow. */
+    tvb_ensure_bytes_exist(tvb, offset, vl_max);
+
     /* ---------------------------------------------------------------------------
        Potentially long types. Obey vl_max
        ---------------------------------------------------------------------------