diff options
author | Peter Wu <peter@lekensteyn.nl> | 2018-05-14 12:27:15 +0200 |
---|---|---|
committer | Anders Broman <a.broman58@gmail.com> | 2018-05-14 13:07:23 +0000 |
commit | d80acae40d14efeb857258ca923637b590dd6be9 (patch) | |
tree | 3370154fb920d7ab0f9b80e8226eaaec3dd157fe /epan/tvbuff.c | |
parent | 17647c4041cfe05dbd5e08d68662007b1e8e4146 (diff) |
tvbuff: make tvb_bytes_exist fail with negative values
tvb_generic_clone_offset_len uses tvb_bytes_exist to check that the
requested tvb data is actually available. It did not expect negative
values, that would result in an overly large memory allocation.
Bug: 14678
Change-Id: Ie80095a381e55ca5dbbd5c9d835243549d0b212e
Link: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7179
Reviewed-on: https://code.wireshark.org/review/27526
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Diffstat (limited to 'epan/tvbuff.c')
-rw-r--r-- | epan/tvbuff.c | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/epan/tvbuff.c b/epan/tvbuff.c index 44eff8415f..2711b8e202 100644 --- a/epan/tvbuff.c +++ b/epan/tvbuff.c @@ -552,6 +552,13 @@ tvb_bytes_exist(const tvbuff_t *tvb, const gint offset, const gint length) DISSECTOR_ASSERT(tvb && tvb->initialized); + /* + * Negative lengths are not possible and indicate a bug (e.g. arithmetic + * error or an overly large value from packet data). + */ + if (length < 0) + return FALSE; + exception = check_offset_length_no_exception(tvb, offset, length, &abs_offset, &abs_length); if (exception) return FALSE; |