If the reply length is < 32, that's an overflow, not a bug in the

dissector (unless you consider the calculation not being done in 64 bits as a bug). For now, toss a ReportedBoundsError. svn path=/trunk/; revision=37946
author: Guy Harris <guy@alum.mit.edu> 2011-07-09 18:56:21 +0000
committer: Guy Harris <guy@alum.mit.edu> 2011-07-09 18:56:21 +0000
commit: a53bf09cc1ab8c93f51d3969c0bf4e7430a3e86e (patch)
tree: 4045dff360e32b3c71aaf0c2fc9fcca842dcd1d0 /epan/dissectors/packet-x11.c
parent: f93d3aeeb15cfd94c62aa88125eb06af52b71709 (diff)
1 files changed, 3 insertions, 1 deletions
diff --git a/epan/dissectors/packet-x11.c b/epan/dissectors/packet-x11.c
index 3a22dbd7ee..18f61c4513 100644
--- a/epan/dissectors/packet-x11.c
+++ b/epan/dissectors/packet-x11.c
@@ -4764,7 +4764,9 @@ dissect_x11_replies(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
 
                               /* replylength is in units of four. */
                               tmp_plen = plen = 32 + VALUE32(tvb, offset + 4) * 4;
-                              DISSECTOR_ASSERT(tmp_plen >= 32);
+                              /* If tmp_plen < 32, we got an overflow;
+                               * the reply length is too long. */
+                              THROW_ON(tmp_plen < 32, ReportedBoundsError);
                               HANDLE_REPLY(plen, length_remaining,
                                            "Reply", dissect_x11_reply);
                               break;
author	Guy Harris <guy@alum.mit.edu>	2011-07-09 18:56:21 +0000
committer	Guy Harris <guy@alum.mit.edu>	2011-07-09 18:56:21 +0000
commit	a53bf09cc1ab8c93f51d3969c0bf4e7430a3e86e (patch)
tree	4045dff360e32b3c71aaf0c2fc9fcca842dcd1d0 /epan/dissectors/packet-x11.c
parent	f93d3aeeb15cfd94c62aa88125eb06af52b71709 (diff)