WCP: Add a length check.

Add a bounds check for the current window. Blind attempt at fixing bug
14251.

Bug: 14251
Change-Id: Ia3775bcabb2dc633b6994547125e53a4fe23451e
Reviewed-on: https://code.wireshark.org/review/25230
Reviewed-by: Gerald Combs <gerald@wireshark.org>
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>

1 files changed, 8 insertions, 2 deletions

diff --git a/epan/dissectors/packet-wcp.c b/epan/dissectors/packet-wcp.c
index 9094c48900..6241276305 100644
--- a/epan/dissectors/packet-wcp.c
+++ b/epan/dissectors/packet-wcp.c
@@ -644,10 +644,16 @@ static tvbuff_t *wcp_uncompress( tvbuff_t *src_tvb, int offset, packet_info *pin
 		}
 		len = pdata_ptr->len;
 	} else {
+		if (buf_ptr->buf_cur + len > buf_end) {
+			expert_add_info_format(pinfo, cd_item, &ei_wcp_invalid_window_offset,
+				"Uncompressed data exceeds available buffer length (%d > %d)",
+				len, (int) (buf_end - buf_ptr->buf_cur));
+			return NULL;
+		}
 
-	/* save the new data as per packet data */
+		/* save the new data as per packet data */
 		pdata_ptr = wmem_new(wmem_file_scope(), wcp_pdata_t);
-		memcpy( &pdata_ptr->buffer, buf_ptr->buf_cur,  len);
+		memcpy( &pdata_ptr->buffer, buf_ptr->buf_cur, len);
 		pdata_ptr->len = len;
 
 		p_add_proto_data(wmem_file_scope(), pinfo, proto_wcp, 0, (void*)pdata_ptr);