author | gerald <gerald@f5534014-38df-0310-8fa8-9805f1628bb7> | 2009-12-02 22:29:06 +0000 |
---|---|---|
committer | gerald <gerald@f5534014-38df-0310-8fa8-9805f1628bb7> | 2009-12-02 22:29:06 +0000 |
commit | c12762ca1fcafb4ece6355aee6a71f7f2156a0f0 (patch) | |
tree | 897d574cbc0333d12867b2ce79e9814976949b06 /epan/dissectors/packet-icq.c | |
parent | b2b9e9747f931f7346c13274280b5d6630546e93 (diff) |
Back out r30376, which introduced a buffer overrun. Fixes bug 4285.
git-svn-id: http://anonsvn.wireshark.org/wireshark/trunk@31157 f5534014-38df-0310-8fa8-9805f1628bb7
Diffstat (limited to 'epan/dissectors/packet-icq.c')
-rw-r--r-- | epan/dissectors/packet-icq.c | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/epan/dissectors/packet-icq.c b/epan/dissectors/packet-icq.c
index de3b5f4b4b..8061de437d 100644
--- a/epan/dissectors/packet-icq.c
+++ b/epan/dissectors/packet-icq.c
@@ -1503,7 +1503,9 @@ dissect_icqv5Client(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
 * bytes in the buffer.
 */
 rounded_size = ((((capturedsize - ICQ5_CL_SESSIONID) + 3)/4)*4) + ICQ5_CL_SESSIONID;
- decr_pd = tvb_memdup(tvb, 0, capturedsize);
+ /* rounded_size might exceed the tvb bounds so we can't just use tvb_memdup here. */
+ decr_pd = g_malloc(rounded_size);
+ tvb_memcpy(tvb, decr_pd, 0, capturedsize);
 decrypt_v5(decr_pd, rounded_size, key);
 /* Allocate a new tvbuff, referring to the decrypted data. */ |
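Review bot: The up-to-three padding bytes between `capturedsize` and `rounded_size` are left uninitialised by `g_malloc(rounded_size)`, yet `decrypt_v5(decr_pd, rounded_size, key)` processes the whole rounded length, so the tail of the decrypted buffer is derived from stale heap contents. Allocating with `decr_pd = g_malloc0(rounded_size);` would make the padding deterministic and keep heap residue out of the data handed to the new tvbuff. The subtraction `capturedsize - ICQ5_CL_SESSIONID` is also unguarded in the visible lines; if a capture shorter than the session-id offset can reach this point, `rounded_size` would be computed from a negative or wrapped value, so it is worth confirming that a length check precedes the allocation. The body of dissect_icqv5Client starts and ends outside the hunk, so that check and the eventual release of `decr_pd` cannot be verified from here.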