diff options
author | Gerald Combs <gerald@wireshark.org> | 2010-12-31 22:24:06 +0000 |
---|---|---|
committer | Gerald Combs <gerald@wireshark.org> | 2010-12-31 22:24:06 +0000 |
commit | b3a56f1691a59b361b2882fa59ffc5b7205b0477 (patch) | |
tree | 6404a02d05ce021765ea45d2b8d47a33add87fd3 /epan/dissectors/packet-enttec.c | |
parent | 2cd8459ddb9a42c8c93bd7db688a913a0ac038b2 (diff) |
From FRAsse via bug 5539:
There's a buffer overflow in ENTTEC DMX Data RLE, leading to crashes and
potential code execution.
From me: ep_allocate our buffers.
svn path=/trunk/; revision=35318
Diffstat (limited to 'epan/dissectors/packet-enttec.c')
-rw-r--r-- | epan/dissectors/packet-enttec.c | 10 |
1 files changed, 5 insertions, 5 deletions
diff --git a/epan/dissectors/packet-enttec.c b/epan/dissectors/packet-enttec.c index 6e6ccccb19..66d3e18bee 100644 --- a/epan/dissectors/packet-enttec.c +++ b/epan/dissectors/packet-enttec.c @@ -193,8 +193,8 @@ dissect_enttec_dmx_data(tvbuff_t *tvb, guint offset, proto_tree *tree) "%3u: %s" }; - static guint8 dmx_data[512]; - static guint16 dmx_data_offset[513]; /* 1 extra for last offset */ + guint8 *dmx_data = ep_alloc(512 * sizeof(guint8)); + guint16 *dmx_data_offset = ep_alloc(513 * sizeof(guint16)); /* 1 extra for last offset */ emem_strbuf_t *dmx_epstr; proto_tree *hi,*si; @@ -225,10 +225,10 @@ dissect_enttec_dmx_data(tvbuff_t *tvb, guint offset, proto_tree *tree) length = 512; if (type == ENTTEC_DATA_TYPE_RLE) { - /* uncompres the DMX data */ + /* uncompress the DMX data */ ui = 0; ci = 0; - while (ci < length) { + while (ci < length && ui < 512) { v = tvb_get_guint8(tvb, offset+ci); if (v == 0xFE) { ci++; @@ -236,7 +236,7 @@ dissect_enttec_dmx_data(tvbuff_t *tvb, guint offset, proto_tree *tree) ci++; v = tvb_get_guint8(tvb, offset+ci); ci++; - for (i=0;i < count;i++) { + for (i=0;i < count && ui < 512;i++) { dmx_data[ui] = v; dmx_data_offset[ui] = ci-3; ui++; |