Back out r30376, which introduced a buffer overrun. Fixes bug 4285.

git-svn-id: http://anonsvn.wireshark.org/wireshark/trunk@31157 f5534014-38df-0310-8fa8-9805f1628bb7
author: gerald <gerald@f5534014-38df-0310-8fa8-9805f1628bb7> 2009-12-02 22:29:06 +0000
committer: gerald <gerald@f5534014-38df-0310-8fa8-9805f1628bb7> 2009-12-02 22:29:06 +0000
commit: c12762ca1fcafb4ece6355aee6a71f7f2156a0f0 (patch)
tree: 897d574cbc0333d12867b2ce79e9814976949b06 /epan/dissectors/packet-icq.c
parent: b2b9e9747f931f7346c13274280b5d6630546e93 (diff)
1 files changed, 3 insertions, 1 deletions
diff --git a/epan/dissectors/packet-icq.c b/epan/dissectors/packet-icq.c
index de3b5f4b4b..8061de437d 100644
--- a/epan/dissectors/packet-icq.c
+++ b/epan/dissectors/packet-icq.c
@@ -1503,7 +1503,9 @@ dissect_icqv5Client(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
      * bytes in the buffer.
      */
     rounded_size = ((((capturedsize - ICQ5_CL_SESSIONID) + 3)/4)*4) + ICQ5_CL_SESSIONID;
-    decr_pd = tvb_memdup(tvb, 0, capturedsize);
+    /* rounded_size might exceed the tvb bounds so we can't just use tvb_memdup here. */
+    decr_pd = g_malloc(rounded_size);
+    tvb_memcpy(tvb, decr_pd, 0, capturedsize);
     decrypt_v5(decr_pd, rounded_size, key);
 
     /* Allocate a new tvbuff, referring to the decrypted data. */
author	gerald <gerald@f5534014-38df-0310-8fa8-9805f1628bb7>	2009-12-02 22:29:06 +0000
committer	gerald <gerald@f5534014-38df-0310-8fa8-9805f1628bb7>	2009-12-02 22:29:06 +0000
commit	c12762ca1fcafb4ece6355aee6a71f7f2156a0f0 (patch)
tree	897d574cbc0333d12867b2ce79e9814976949b06 /epan/dissectors/packet-icq.c
parent	b2b9e9747f931f7346c13274280b5d6630546e93 (diff)