author | Peter Wu <peter@lekensteyn.nl> | 2018-05-15 16:08:04 +0200 |
---|---|---|
committer | Anders Broman <a.broman58@gmail.com> | 2018-05-15 17:16:12 +0000 |
commit | 9ee790e99c72ddb5b599b8076b4ecf74611b184e (patch) | |
tree | 6d029351e6b2f763a69b97e71c8fc2e684eb0da2 /epan/tvbuff_zlib.c | |
parent | e67283ddca70a7652b7dd41ef8883ee3278501d0 (diff) |
tvbuff_zlib: reject negative lengths to avoid buffer overrun
Negative lengths and empty buffers are not uncompressable, reject them.
A buffer overrun (read) could occur otherwise due to unsigned "avail_in"
becoming insanely large.
Bug: 14675
Change-Id: I20b686cc6ad6ef8a8d1975ed3d2f52c8eb1f1c76
Link: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7166
Reviewed-on: https://code.wireshark.org/review/27561
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Diffstat (limited to 'epan/tvbuff_zlib.c')
-rw-r--r-- | epan/tvbuff_zlib.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/epan/tvbuff_zlib.c b/epan/tvbuff_zlib.c index 77c2d5e096..0ed07ad4fd 100644 --- a/epan/tvbuff_zlib.c +++ b/epan/tvbuff_zlib.c @@ -55,7 +55,7 @@ tvb_uncompress(tvbuff_t *tvb, const int offset, int comprlen) guint bytes_in = tvb_captured_length_remaining(tvb, offset); #endif - if (tvb == NULL) { + if (tvb == NULL || comprlen <= 0) { return NULL; } |
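Review bot: the context line `guint bytes_in = tvb_captured_length_remaining(tvb, offset);` sits above the `tvb == NULL` test, so in the build where that `#if` block is compiled in, `tvb` has already been used before it is checked. Consider declaring `bytes_in` without an initializer and assigning it after the guard, so the NULL and length checks come first. On the new condition itself, `comprlen <= 0` covers only the lower bound. This hunk does not show `comprlen` being compared against the remaining captured length at `offset`, so it is worth confirming that the code below bounds it before the value reaches the unsigned `avail_in` named in the commit message. A one-line comment on the guard stating that empty and negative lengths are rejected because `avail_in` is unsigned would help the next reader, and callers should be checked for handling the NULL return in the new cases.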