diff options
author | gerald <gerald@f5534014-38df-0310-8fa8-9805f1628bb7> | 2005-09-20 17:26:43 +0000 |
---|---|---|
committer | gerald <gerald@f5534014-38df-0310-8fa8-9805f1628bb7> | 2005-09-20 17:26:43 +0000 |
commit | 4680914215af36304f6495f796e89a0b00c8e469 (patch) | |
tree | 66ada6744e861d1ff6fa7140b958904bf163f813 /epan/sigcomp-udvm.c | |
parent | bf73bba1c4caa16c1856576fd31862faad4bca20 (diff) |
Be more paranoid about buffer overruns.
git-svn-id: http://anonsvn.wireshark.org/wireshark/trunk@15901 f5534014-38df-0310-8fa8-9805f1628bb7
Diffstat (limited to 'epan/sigcomp-udvm.c')
-rw-r--r-- | epan/sigcomp-udvm.c | 44 |
1 files changed, 37 insertions, 7 deletions
diff --git a/epan/sigcomp-udvm.c b/epan/sigcomp-udvm.c index 53b6c7ae7b..664fad1b45 100644 --- a/epan/sigcomp-udvm.c +++ b/epan/sigcomp-udvm.c @@ -132,7 +132,7 @@ decompress_sigcomp_message(tvbuff_t *bytecode_tvb, tvbuff_t *message_tvb, packet { tvbuff_t *decomp_tvb; guint8 buff[UDVM_MEMORY_SIZE]; - char string[2],*strp; + char string[2]; guint8 *out_buff; /* Largest allowed size for a message is 65535 */ guint32 i = 0; guint16 n = 0; @@ -312,7 +312,7 @@ decompress_sigcomp_message(tvbuff_t *bytecode_tvb, tvbuff_t *message_tvb, packet i = udvm_mem_dest; if ( print_level_3 ) proto_tree_add_text(udvm_tree, bytecode_tvb, offset, 1,"Load bytecode into UDVM starting at %u",i); - while ( code_length > offset ) { + while ( code_length > offset && i < UDVM_MEMORY_SIZE ) { buff[i] = tvb_get_guint8(bytecode_tvb, offset); if ( print_level_3 ) proto_tree_add_text(udvm_tree, bytecode_tvb, offset, 1, @@ -879,7 +879,7 @@ execute_next_instruction: } if (k + handle_now >= UDVM_MEMORY_SIZE) - THROW(ReportedBoundsError); + goto decompression_failure; sha1_update( &ctx, &buff[k], handle_now ); k = ( k + handle_now ) & 0xffff; @@ -996,6 +996,9 @@ execute_next_instruction: lsb = value & 0xff; msb = value >> 8; + if (address >= UDVM_MEMORY_SIZE - 1) + goto decompression_failure; + buff[address] = msb; buff[address + 1] = lsb; /* debug @@ -1041,8 +1044,14 @@ execute_next_instruction: | buff[(stack_location+1) & 0xFFFF]; address = (stack_location + stack_fill * 2 + 2) & 0xFFFF; + if (address >= UDVM_MEMORY_SIZE - 1) + goto decompression_failure; + buff[address] = (value >> 8) & 0x00FF; buff[(address+1) & 0xFFFF] = value & 0x00FF; + + if (stack_location >= UDVM_MEMORY_SIZE - 1) + goto decompression_failure; stack_fill = (stack_fill + 1) & 0xFFFF; buff[stack_location] = (stack_fill >> 8) & 0x00FF; @@ -1084,15 +1093,23 @@ execute_next_instruction: goto decompression_failure; } + if (stack_location >= UDVM_MEMORY_SIZE - 1) + goto decompression_failure; + stack_fill = (stack_fill - 1) & 0xFFFF; buff[stack_location] = (stack_fill >> 8) & 0x00FF; buff[(stack_location+1) & 0xFFFF] = stack_fill & 0x00FF; + if (address >= UDVM_MEMORY_SIZE - 1) + goto decompression_failure; + address = (stack_location + stack_fill * 2 + 2) & 0xFFFF; value = (buff[address] << 8) | buff[(address+1) & 0xFFFF]; /* ... and store the popped value. */ + if (destination >= UDVM_MEMORY_SIZE - 1) + goto decompression_failure; buff[destination] = (value >> 8) & 0x00FF; buff[(destination+1) & 0xFFFF] = value & 0x00FF; @@ -1618,10 +1635,14 @@ execute_next_instruction: stack_fill = (buff[stack_location] << 8) | buff[(stack_location+1) & 0xFFFF]; address = (stack_location + stack_fill * 2 + 2) & 0xFFFF; + if (address >= UDVM_MEMORY_SIZE - 1) + goto decompression_failure; buff[address] = (current_address >> 8) & 0x00FF; buff[(address+1) & 0xFFFF] = current_address & 0x00FF; stack_fill = (stack_fill + 1) & 0xFFFF; + if (stack_location >= UDVM_MEMORY_SIZE - 1) + goto decompression_failure; buff[stack_location] = (stack_fill >> 8) & 0x00FF; buff[(stack_location+1) & 0xFFFF] = stack_fill & 0x00FF; @@ -1651,6 +1672,8 @@ execute_next_instruction: } stack_fill = (stack_fill - 1) & 0xFFFF; + if (stack_location >= UDVM_MEMORY_SIZE - 1) + goto decompression_failure; buff[stack_location] = (stack_fill >> 8) & 0x00FF; buff[(stack_location+1) & 0xFFFF] = stack_fill & 0x00FF; @@ -1793,7 +1816,7 @@ execute_next_instruction: } if (k + handle_now >= UDVM_MEMORY_SIZE) - THROW(ReportedBoundsError); + goto decompression_failure; result = crc16_ccitt_seed(&buff[k], handle_now, result ^ 0xffff); k = ( k + handle_now ) & 0xffff; @@ -2022,6 +2045,8 @@ execute_next_instruction: } msb = value >> 8; lsb = value & 0x00ff; + if (destination >= UDVM_MEMORY_SIZE - 1) + goto decompression_failure; buff[destination] = msb; buff[destination + 1]=lsb; if (print_level_1 ){ @@ -2206,6 +2231,8 @@ execute_next_instruction: H = H + uncompressed_n - lower_bound_n; msb = H >> 8; lsb = H & 0x00ff; + if (destination >= UDVM_MEMORY_SIZE - 1) + goto decompression_failure; buff[destination] = msb; buff[destination + 1]=lsb; if (print_level_1 ){ @@ -2435,7 +2462,7 @@ execute_next_instruction: if (print_level_3 ){ proto_tree_add_text(udvm_tree, bytecode_tvb, 0, -1, " Addr: %5u State value: %u (0x%x) ASCII(%s)", - k,buff[k],buff[k],string); + k,buff[k],buff[k],format_text(string, 1)); } k = ( k + 1 ) & 0xffff; n++; @@ -2553,11 +2580,10 @@ execute_next_instruction: out_buff[output_address] = buff[k]; string[0]= buff[k]; string[1]= '\0'; - strp = string; if (print_level_3 ){ proto_tree_add_text(udvm_tree, bytecode_tvb, 0, -1, " Output value: %u (0x%x) ASCII(%s) from Addr: %u ,output to dispatcher position %u", - buff[k],buff[k],format_text(strp,1), k,output_address); + buff[k],buff[k],format_text(string,1), k,output_address); } k = ( k + 1 ) & 0xffff; output_address ++; @@ -2744,6 +2770,7 @@ decompression_failure: proto_tree_add_text(udvm_tree, bytecode_tvb, 0, -1,"DECOMPRESSION FAILURE: %s", val_to_str(result_code, result_code_vals,"Unknown (%u)")); + THROW(ReportedBoundsError); g_free(out_buff); return NULL; @@ -2880,6 +2907,9 @@ dissect_udvm_reference_operand(guint8 *buff,guint operand_address, guint16 *valu offset ++; } + if (offset >= UDVM_MEMORY_SIZE || result_dest >= UDVM_MEMORY_SIZE - 1 ) + THROW(ReportedBoundsError); + return offset; } |