author | Gerald Combs <gerald@wireshark.org> | 2010-06-25 17:14:41 +0000 |
---|---|---|
committer | Gerald Combs <gerald@wireshark.org> | 2010-06-25 17:14:41 +0000 |
commit | 5f932275b08158ae96a4ffdcfc8a17bde04cfe2e (patch) | |
tree | b16a18d20e5b0d61b300d2c18cde7fbe67b3d593 /epan/sigcomp-udvm.c | |
parent | 5a69e41f6e67b78108de9e5439526d1dc908ae9d (diff) |
Make sure our addresses are modulo 2^16 in a lot of places. Fixes a
crash found while fuzzing, and hopefully fixes bug 4867.
In sigcomp_init_udvm() initialize the first 8 bytes of our buffers,
which squelches a valgrind complaint.
svn path=/trunk/; revision=33321
Diffstat (limited to 'epan/sigcomp-udvm.c')
-rw-r--r-- | epan/sigcomp-udvm.c | 64 |
1 files changed, 33 insertions, 31 deletions
diff --git a/epan/sigcomp-udvm.c b/epan/sigcomp-udvm.c index fd12892e9c..386624f0ef 100644 --- a/epan/sigcomp-udvm.c +++ b/epan/sigcomp-udvm.c @@ -334,7 +334,7 @@ execute_next_instruction: goto decompression_failure; } used_udvm_cycles++; - current_instruction = buff[current_address]; + current_instruction = buff[current_address & 0xffff]; switch ( current_instruction ) { case SIGCOMP_INSTR_DECOMPRESSION_FAILURE: @@ -395,7 +395,7 @@ execute_next_instruction: lsb = result & 0xff; msb = result >> 8; buff[result_dest] = msb; - buff[result_dest+1] = lsb; + buff[(result_dest+1) & 0xffff] = lsb; if (print_level_1 ){ proto_tree_add_text(udvm_tree, bytecode_tvb, 0, -1," Loading result %u at %u", result, result_dest); @@ -436,7 +436,7 @@ execute_next_instruction: lsb = result & 0xff; msb = result >> 8; buff[result_dest] = msb; - buff[result_dest+1] = lsb; + buff[(result_dest+1) & 0xffff] = lsb; if (print_level_1 ){ proto_tree_add_text(udvm_tree, bytecode_tvb, 0, -1," Loading result %u at %u", result, result_dest); @@ -470,7 +470,7 @@ execute_next_instruction: lsb = result & 0xff; msb = result >> 8; buff[result_dest] = msb; - buff[result_dest+1] = lsb; + buff[(result_dest+1) & 0xffff] = lsb; if (print_level_1 ){ proto_tree_add_text(udvm_tree, bytecode_tvb, 0, -1," Loading result %u at %u", result, result_dest); @@ -510,7 +510,7 @@ execute_next_instruction: lsb = result & 0xff; msb = result >> 8; buff[result_dest] = msb; - buff[result_dest+1] = lsb; + buff[(result_dest+1) & 0xffff] = lsb; if (print_level_1 ){ proto_tree_add_text(udvm_tree, bytecode_tvb, 0, -1," Loading result %u at %u", result, result_dest); @@ -550,7 +550,7 @@ execute_next_instruction: lsb = result & 0xff; msb = result >> 8; buff[result_dest] = msb; - buff[result_dest+1] = lsb; + buff[(result_dest+1) & 0xffff] = lsb; if (print_level_1 ){ proto_tree_add_text(udvm_tree, bytecode_tvb, 0, -1," Loading result %u at %u", result, result_dest); 
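Review bot: The mask in the `@@ -334` hunk is applied only inside the index expression, so `current_address` itself keeps whatever out-of-range value it had after the fetch. Any operand address derived from it further down in `execute_next_instruction` (outside this hunk) would then still start above 0xffff. Normalising the variable once, `current_address &= 0xffff;` followed by `current_instruction = buff[current_address];`, would make the fetch and everything computed from it agree. The declaration and width of `current_address` are not visible here, so confirm this against the rest of the function.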
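Review bot: In the `@@ -395` hunk only the low-byte store is masked, so `buff[result_dest] = msb;` still relies on `result_dest` being in range, and a destination of 0xffff now silently puts the low byte at `buff[0]`. The `@@ -2025` and `@@ -2210` hunks treat the same two-byte store differently: they bail out with `if (destination >= UDVM_MEMORY_SIZE - 1) goto decompression_failure;`. Using that guard here, `if (result_dest >= UDVM_MEMORY_SIZE - 1) goto decompression_failure;`, would make a packet-controlled destination fail cleanly instead of overwriting the start of UDVM memory. If wrap-around really is the intended behaviour, a comment saying so would help. The same pattern is in the `@@ -436`, `-470`, `-510`, `-550`, `-589`, `-628`, `-675`, `-724`, `-773`, `-926` and `-1275` hunks. `@@ -983` has a `goto decompression_failure` just above the store, but its condition is outside the hunk.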
@@ -589,7 +589,7 @@ execute_next_instruction: lsb = result & 0xff; msb = result >> 8; buff[result_dest] = msb; - buff[result_dest+1] = lsb; + buff[(result_dest+1) & 0xffff] = lsb; if (print_level_1 ){ proto_tree_add_text(udvm_tree, bytecode_tvb, 0, -1," Loading result %u at %u", result, result_dest); @@ -628,7 +628,7 @@ execute_next_instruction: lsb = result & 0xff; msb = result >> 8; buff[result_dest] = msb; - buff[result_dest+1] = lsb; + buff[(result_dest+1) & 0xffff] = lsb; if (print_level_1 ){ proto_tree_add_text(udvm_tree, bytecode_tvb, 0, -1," Loading result %u at %u", result, result_dest); @@ -675,7 +675,7 @@ execute_next_instruction: lsb = result & 0xff; msb = result >> 8; buff[result_dest] = msb; - buff[result_dest+1] = lsb; + buff[(result_dest+1) & 0xffff] = lsb; if (print_level_1 ){ proto_tree_add_text(udvm_tree, bytecode_tvb, 0, -1," Loading result %u at %u", result, result_dest); @@ -724,7 +724,7 @@ execute_next_instruction: lsb = result & 0xff; msb = result >> 8; buff[result_dest] = msb; - buff[result_dest+1] = lsb; + buff[(result_dest+1) & 0xffff] = lsb; if (print_level_1 ){ proto_tree_add_text(udvm_tree, bytecode_tvb, 0, -1," Loading result %u at %u", result, result_dest); @@ -773,7 +773,7 @@ execute_next_instruction: lsb = result & 0xff; msb = result >> 8; buff[result_dest] = msb; - buff[result_dest+1] = lsb; + buff[(result_dest+1) & 0xffff] = lsb; if (print_level_1 ){ proto_tree_add_text(udvm_tree, bytecode_tvb, 0, -1," Loading result %u at %u", result, result_dest); @@ -926,7 +926,7 @@ execute_next_instruction: msb = value >> 8; buff[addr] = msb; - buff[addr + 1] = lsb; + buff[(addr + 1) & 0xffff] = lsb; if (print_level_1 ){ proto_tree_add_text(udvm_tree, bytecode_tvb, 0, -1,"Addr: %u Value %u", @@ -983,7 +983,7 @@ execute_next_instruction: goto decompression_failure; buff[addr] = msb; - buff[addr + 1] = lsb; + buff[(addr + 1) & 0xffff] = lsb; /* debug */ length = next_operand_address - operand_address; 
@@ -1275,7 +1275,7 @@ execute_next_instruction: } } buff[result_dest] = k >> 8; - buff[result_dest + 1] = k & 0x00ff; + buff[(result_dest + 1) & 0xffff] = k & 0x00ff; used_udvm_cycles = used_udvm_cycles + length; goto execute_next_instruction; @@ -2025,7 +2025,7 @@ execute_next_instruction: if (destination >= UDVM_MEMORY_SIZE - 1) goto decompression_failure; buff[destination] = msb; - buff[destination + 1]=lsb; + buff[(destination + 1) & 0xffff]=lsb; if (print_level_1 ){ proto_tree_add_text(udvm_tree, message_tvb, input_address, 1, " Loading value: %u (0x%x) at Addr: %u, remaining_bits: %u", value, value, destination, remaining_bits); @@ -2210,7 +2210,7 @@ execute_next_instruction: if (destination >= UDVM_MEMORY_SIZE - 1) goto decompression_failure; buff[destination] = msb; - buff[destination + 1]=lsb; + buff[(destination + 1) & 0xffff]=lsb; if (print_level_1 ){ proto_tree_add_text(udvm_tree, message_tvb, input_address, 1, " Loading H: %u (0x%x) at Addr: %u,j = %u remaining_bits: %u", @@ -2785,7 +2785,7 @@ decode_udvm_literal_operand(guint8 *buff,guint operand_address, guint16 *value) */ temp_data = buff[operand_address] & 0x1f; operand = temp_data << 8; - temp_data = buff[operand_address + 1]; + temp_data = buff[(operand_address + 1) & 0xffff]; operand = operand | temp_data; *value = operand; offset = offset + 2; @@ -2797,7 +2797,7 @@ decode_udvm_literal_operand(guint8 *buff,guint operand_address, guint16 *value) offset ++; temp_data = buff[operand_address] & 0x1f; operand = temp_data << 8; - temp_data = buff[operand_address + 1]; + temp_data = buff[(operand_address + 1) & 0xffff]; operand = operand | temp_data; *value = operand; offset = offset + 2; 
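Review bot: The mask added to `buff[(destination + 1) & 0xffff]=lsb;` in the `@@ -2025` hunk cannot change the index, because the guard two lines above, `if (destination >= UDVM_MEMORY_SIZE - 1) goto decompression_failure;`, already rejects every value for which `destination + 1` would leave the buffer. This assumes `UDVM_MEMORY_SIZE` is at most 65536; its definition is not in the hunk. I would drop the mask here and in the identical `@@ -2210` hunk, or add a comment such as `/* mask is belt-and-braces; the check above is the real bound */`, so a later reader does not take the mask for the protection and remove the guard.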
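Review bot: The first-byte read in the `@@ -2785` hunk, `temp_data = buff[operand_address] & 0x1f;`, is left unmasked while the second byte is masked, and the signature in the hunk header declares `operand_address` as a plain `guint`, so nothing in this function bounds it to 16 bits. A caller that passes an address above 0xffff would still read past UDVM memory on that first access. Masking at the point of use, `temp_data = buff[operand_address & 0xffff] & 0x1f;`, closes it. The same unmasked first read appears in `@@ -2797`, `@@ -2850`, `@@ -2953`, `@@ -2965` and `@@ -3030`, as `bytecode = buff[operand_address];` in `@@ -2917`, and after `operand_address++` in `@@ -2865` (`operand = buff[operand_address] << 8;`). Whether the callers already pass masked addresses is not visible in these hunks, and the function bodies start and end outside them.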
@@ -2850,12 +2850,12 @@ dissect_udvm_reference_operand(guint8 *buff,guint operand_address, guint16 *valu */ temp_data = buff[operand_address] & 0x3f; operand = temp_data << 8; - temp_data = buff[operand_address + 1]; + temp_data = buff[(operand_address + 1) & 0xffff]; operand = operand | temp_data; operand = (operand * 2); *result_dest = operand; temp_data16 = buff[operand] << 8; - temp_data16 = temp_data16 | buff[operand+1]; + temp_data16 = temp_data16 | buff[(operand+1) & 0xffff]; *value = temp_data16; offset = offset + 2; @@ -2865,10 +2865,10 @@ dissect_udvm_reference_operand(guint8 *buff,guint operand_address, guint16 *valu */ operand_address++; operand = buff[operand_address] << 8; - operand = operand | buff[operand_address + 1]; + operand = operand | buff[(operand_address + 1) & 0xffff]; *result_dest = operand; temp_data16 = buff[operand] << 8; - temp_data16 = temp_data16 | buff[operand+1]; + temp_data16 = temp_data16 | buff[(operand+1) & 0xffff]; *value = temp_data16; offset = offset + 3; @@ -2881,7 +2881,7 @@ dissect_udvm_reference_operand(guint8 *buff,guint operand_address, guint16 *valu operand = (operand * 2); *result_dest = operand; temp_data16 = buff[operand] << 8; - temp_data16 = temp_data16 | buff[operand+1]; + temp_data16 = temp_data16 | buff[(operand+1) & 0xffff]; *value = temp_data16; offset ++; } @@ -2917,6 +2917,8 @@ decode_udvm_multitype_operand(guint8 *buff,guint operand_address, guint16 *value guint8 temp_data; guint16 temp_data16; guint16 memmory_addr = 0; + +*value = 0; bytecode = buff[operand_address]; test_bits = ( bytecode & 0xc0 ) >> 6; @@ -2938,7 +2940,7 @@ decode_udvm_multitype_operand(guint8 *buff,guint operand_address, guint16 *value */ memmory_addr = ( bytecode & 0x3f) * 2; temp_data16 = buff[memmory_addr] << 8; - temp_data16 = temp_data16 | buff[memmory_addr+1]; + temp_data16 = temp_data16 | buff[(memmory_addr+1) & 0xffff]; *value = temp_data16; offset ++; break; 
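Review bot: The new `*value = 0;` in the `@@ -2917` hunk appears to sit at column 0, between the declarations and the first statement, which makes it look like a stray line rather than part of `decode_udvm_multitype_operand`. Indent it with the body and say why it is there, for example `/* default so callers never see an uninitialised value when no case below assigns one */`. That also records which operand encodings are expected to leave `*value` untouched, which the switch (outside this hunk) does not make obvious.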
@@ -2951,7 +2953,7 @@ decode_udvm_multitype_operand(guint8 *buff,guint operand_address, guint16 *value */ temp_data = buff[operand_address] & 0x1f; operand = temp_data << 8; - temp_data = buff[operand_address + 1]; + temp_data = buff[(operand_address + 1) & 0xffff]; operand = operand | temp_data; *value = operand; offset = offset + 2; @@ -2963,7 +2965,7 @@ decode_udvm_multitype_operand(guint8 *buff,guint operand_address, guint16 *value */ temp_data = buff[operand_address] & 0x0f; operand = temp_data << 8; - temp_data = buff[operand_address + 1]; + temp_data = buff[(operand_address + 1) & 0xffff]; operand = operand | temp_data; operand = operand + 61440; *value = operand; @@ -2995,15 +2997,15 @@ decode_udvm_multitype_operand(guint8 *buff,guint operand_address, guint16 *value * 1000 0001 nnnnnnnn nnnnnnnn memory[N] 0 - 65535 */ offset ++; - temp_data16 = buff[operand_address + 1] << 8; - temp_data16 = temp_data16 | buff[operand_address + 2]; + temp_data16 = buff[(operand_address + 1) & 0xffff] << 8; + temp_data16 = temp_data16 | buff[(operand_address + 2) & 0xffff]; /* debug * g_warning("Reading 0x%x From address %u",temp_data16,operand_address); */ if ( (bytecode & 0x01) == 1 ){ memmory_addr = temp_data16; temp_data16 = buff[memmory_addr] << 8; - temp_data16 = temp_data16 | buff[memmory_addr+1]; + temp_data16 = temp_data16 | buff[(memmory_addr+1) & 0xffff]; } *value = temp_data16; offset = offset +2; @@ -3030,9 +3032,9 @@ decode_udvm_multitype_operand(guint8 *buff,guint operand_address, guint16 *value */ memmory_addr = buff[operand_address] & 0x1f; memmory_addr = memmory_addr << 8; - memmory_addr = memmory_addr | buff[operand_address + 1]; + memmory_addr = memmory_addr | buff[(operand_address + 1) & 0xffff]; temp_data16 = buff[memmory_addr] << 8; - temp_data16 = temp_data16 | buff[memmory_addr+1]; + temp_data16 = temp_data16 | buff[(memmory_addr+1) & 0xffff]; *value = temp_data16; /* debug * g_warning("Reading 0x%x From address %u",temp_data16,memmory_addr); |