tvbuff: make tvb_bytes_exist fail with negative values

tvb_generic_clone_offset_len uses tvb_bytes_exist to check that the requested tvb data is actually available. It did not expect negative values, that would result in an overly large memory allocation. Bug: 14678 Change-Id: Ie80095a381e55ca5dbbd5c9d835243549d0b212e Link: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7179 Reviewed-on: https://code.wireshark.org/review/27526 Petri-Dish: Peter Wu <peter@lekensteyn.nl> Tested-by: Petri Dish Buildbot Reviewed-by: Peter Wu <peter@lekensteyn.nl> Reviewed-by: Anders Broman <a.broman58@gmail.com>
author: Peter Wu <peter@lekensteyn.nl> 2018-05-14 12:27:15 +0200
committer: Anders Broman <a.broman58@gmail.com> 2018-05-14 13:07:23 +0000
commit: d80acae40d14efeb857258ca923637b590dd6be9 (patch)
tree: 3370154fb920d7ab0f9b80e8226eaaec3dd157fe /epan/tvbuff.c
parent: 17647c4041cfe05dbd5e08d68662007b1e8e4146 (diff)
1 files changed, 7 insertions, 0 deletions
diff --git a/epan/tvbuff.c b/epan/tvbuff.c
index 44eff8415f..2711b8e202 100644
--- a/epan/tvbuff.c
+++ b/epan/tvbuff.c
@@ -552,6 +552,13 @@ tvb_bytes_exist(const tvbuff_t *tvb, const gint offset, const gint length)
 
 	DISSECTOR_ASSERT(tvb && tvb->initialized);
 
+	/*
+	 * Negative lengths are not possible and indicate a bug (e.g. arithmetic
+	 * error or an overly large value from packet data).
+	 */
+	if (length < 0)
+		return FALSE;
+
 	exception = check_offset_length_no_exception(tvb, offset, length, &abs_offset, &abs_length);
 	if (exception)
 		return FALSE;
author	Peter Wu <peter@lekensteyn.nl>	2018-05-14 12:27:15 +0200
committer	Anders Broman <a.broman58@gmail.com>	2018-05-14 13:07:23 +0000
commit	d80acae40d14efeb857258ca923637b590dd6be9 (patch)
tree	3370154fb920d7ab0f9b80e8226eaaec3dd157fe /epan/tvbuff.c
parent	17647c4041cfe05dbd5e08d68662007b1e8e4146 (diff)