author: Peter Wu <peter@lekensteyn.nl> 2018-10-11 00:02:26 +0200
committer: Anders Broman <a.broman58@gmail.com> 2018-10-12 05:07:08 +0000
commit: ec5adb0ce98c37c8119feb972a5207e0e1721d9b
tree: 2956c94224e5cd8c3ed01e89020496a5daeee36d /epan/tvbuff_composite.c
parent: 3bb6c5c15857573eaf3d77e282ce967b6ece35a7
tvbuff_composite: fix buffer overflow due to wrong offset adjustment

The tvb_offset method should return the offset of the buffer within the backing tvb (ds_tvb). The currently returned non-zero offset is valid for tvbuff_subset.c, but not for the composite TVB. The backing tvb is the tvb itself, so the offset should be zero (or "counter" for consistency with tvbuff_real.c and others).

This bug is observable with the capture from the bug. In tshark, the data field in the PDML output has value "field length invalid!" and the position attribute ("pos") is too large. With the -V option it even crashes with a buffer overflow (read). In the GUI, the bytes tab shows range 3199-19642 even if the data source is only 16444 bytes while the selection should have been 0-16443.

Bug: 14466
Change-Id: I01399ff500321dba262eb60b67c4cddb173b4679
Reviewed-on: https://code.wireshark.org/review/30124
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>

Diffstat (limited to 'epan/tvbuff_composite.c')
-rw-r--r-- epan/tvbuff_composite.c | 7
1 files changed, 2 insertions, 5 deletions
diff --git a/epan/tvbuff_composite.c b/epan/tvbuff_composite.c
index f77aace029..53cdbca619 100644
--- a/epan/tvbuff_composite.c
+++ b/epan/tvbuff_composite.c
@@ -51,12 +51,9 @@ composite_free(tvbuff_t *tvb)
}
static guint
-composite_offset(const tvbuff_t *tvb, const guint counter)
+composite_offset(const tvbuff_t *tvb _U_, const guint counter)
{
- const struct tvb_composite *composite_tvb = (const struct tvb_composite *) tvb;
- const tvbuff_t *member = (const tvbuff_t *)composite_tvb->composite.tvbs->data;
-
- return tvb_offset_from_real_beginning_counter(member, counter);
+ return counter;
}
static const guint8*
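Review bot: The new body of composite_offset, `return counter;`, has no comment explaining why the composite does not delegate to a member tvb, and the removed lines (taking `composite_tvb->composite.tvbs->data` and calling tvb_offset_from_real_beginning_counter on it) look plausible enough that someone could restore them later. Since the reasoning lives only in the commit message, a one-line comment above the return stating that a composite tvb is its own backing data source, so the offset within it is just `counter`, would keep the invariant next to the code. The fix also arrives without a test in this diff; a check that the offset reported for a composite tvb stays within its own length would catch a regression of the out-of-bounds read described in the commit message.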