authorMichael Mann <mmann78@netscape.net>2017-04-20 13:05:52 -0400
committerMichael Mann <mmann78@netscape.net>2017-04-20 19:57:27 +0000
commit09e787a8fb4a1a04366e57c059c4997abcd9183e (patch)
treeee4691925f9ffcef35ff617e18402986f15487d2 /epan/dissectors/packet-sigcomp.c
parentd97ce76161f573beb88fff7eefe4e0f686a4f3a9 (diff)
sigcomp: Shift operand should be limited to 16 bits
Change-Id: I5a6fbcacf874962c361e68fef7402dc775aca658 Link: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1154 Bug: 13610 Reviewed-on: https://code.wireshark.org/review/21250 Petri-Dish: Michael Mann <mmann78@netscape.net> Reviewed-by: Michael Mann <mmann78@netscape.net>
Diffstat (limited to 'epan/dissectors/packet-sigcomp.c')
-rw-r--r--epan/dissectors/packet-sigcomp.c16
1 files changed, 13 insertions, 3 deletions
diff --git a/epan/dissectors/packet-sigcomp.c b/epan/dissectors/packet-sigcomp.c
index 52bda8e283..d5bb66d050 100644
--- a/epan/dissectors/packet-sigcomp.c
+++ b/epan/dissectors/packet-sigcomp.c
@@ -159,6 +159,7 @@ static gint ett_raw_text = -1;
static expert_field ei_sigcomp_nack_failed_op_code = EI_INIT;
static expert_field ei_sigcomp_invalid_instruction = EI_INIT;
+static expert_field ei_sigcomp_invalid_shift_value = EI_INIT;
/* Generated from convert_proto_tree_add_text.pl */
static expert_field ei_sigcomp_tcp_fragment = EI_INIT;
static expert_field ei_sigcomp_decompression_failure = EI_INIT;
@@ -1785,7 +1786,7 @@ decompress_sigcomp_message(tvbuff_t *bytecode_tvb, tvbuff_t *message_tvb, packet
guint8 *sha1buff;
unsigned char sha1_digest_buf[STATE_BUFFER_SIZE];
gcry_md_hd_t sha1_handle;
- proto_item *addr_item = NULL;
+ proto_item *addr_item = NULL, *ti = NULL;
/* UDVM operand variables */
@@ -2114,9 +2115,13 @@ execute_next_instruction:
/* %operand_2*/
next_operand_address = decode_udvm_multitype_operand(buff, operand_address, &operand_2);
if (show_instr_detail_level == 2 ) {
- proto_tree_add_uint_format(udvm_tree, hf_udvm_operand_2, bytecode_tvb, offset, (next_operand_address-operand_address), operand_2,
+ ti = proto_tree_add_uint_format(udvm_tree, hf_udvm_operand_2, bytecode_tvb, offset, (next_operand_address-operand_address), operand_2,
"Addr: %u operand_2 %u", operand_address, operand_2);
}
+ if (operand_2 > 15) {
+ expert_add_info(pinfo, ti, &ei_sigcomp_invalid_shift_value);
+ break;
+ }
offset += (next_operand_address-operand_address);
if (show_instr_detail_level == 1)
{
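Review bot: The new `if (operand_2 > 15)` guard passes `ti` to `expert_add_info()`, but within this hunk `ti` is only assigned when `show_instr_detail_level == 2`. At any other detail level the warning is attached to NULL, or to a stale item if `ti` is assigned elsewhere in the function, rather than to the operand that triggered it. The identical guard in the next hunk has the same dependency; a `ti = NULL;` just before the `decode_udvm_multitype_operand()` call in both places would at least make the no-item case deterministic. The guard also leaves through `break` without visibly setting a failure reason, and the code after the switch is outside the hunk, so please confirm this exit reports a decompression failure like the other error paths of `decompress_sigcomp_message`. A short comment such as `/* UDVM words are 16 bits wide: reject shift counts above 15 instead of shifting */` would record why 15 is the limit.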
@@ -2157,9 +2162,13 @@ execute_next_instruction:
/* %operand_2*/
next_operand_address = decode_udvm_multitype_operand(buff, operand_address, &operand_2);
if (show_instr_detail_level == 2 ) {
- proto_tree_add_uint_format(udvm_tree, hf_udvm_operand_2, bytecode_tvb, offset, (next_operand_address-operand_address), operand_2,
+ ti = proto_tree_add_uint_format(udvm_tree, hf_udvm_operand_2, bytecode_tvb, offset, (next_operand_address-operand_address), operand_2,
"Addr: %u operand_2 %u", operand_address, operand_2);
}
+ if (operand_2 > 15) {
+ expert_add_info(pinfo, ti, &ei_sigcomp_invalid_shift_value);
+ break;
+ }
offset += (next_operand_address-operand_address);
if (show_instr_detail_level == 1)
{
@@ -6670,6 +6679,7 @@ proto_register_sigcomp(void)
static ei_register_info ei[] = {
{ &ei_sigcomp_nack_failed_op_code, { "sigcomp.nack.failed_op_code.expert", PI_SEQUENCE, PI_WARN, "SigComp NACK", EXPFILL }},
{ &ei_sigcomp_invalid_instruction, { "sigcomp.invalid_instruction", PI_PROTOCOL, PI_WARN, "Invalid instruction", EXPFILL }},
+ { &ei_sigcomp_invalid_shift_value, { "sigcomp.invalid_shift_value", PI_PROTOCOL, PI_WARN, "Invalid shift value", EXPFILL }},
/* Generated from convert_proto_tree_add_text.pl */
{ &ei_sigcomp_sigcomp_message_decompression_failure, { "sigcomp.message_decompression_failure", PI_PROTOCOL, PI_WARN, "SigComp message Decompression failure", EXPFILL }},
{ &ei_sigcomp_execution_of_this_instruction_is_not_implemented, { "sigcomp.execution_of_this_instruction_is_not_implemented", PI_UNDECODED, PI_WARN, "Execution of this instruction is NOT implemented", EXPFILL }},