author | PHO <pho@cielonegro.org> | 2016-10-03 08:52:08 +0900 |
---|---|---|
committer | Michael Mann <mmann78@netscape.net> | 2016-10-05 03:28:31 +0000 |
commit | cb959510d2d25a41a142b01659d62f19b6b1c1ac (patch) | |
tree | 06960661e329feb6b27de6cf6db659d3eea75153 /epan/tvbuff_zlib.c | |
parent | 257abd91217c8f5512689be5cc568a500fda3b54 (diff) |
tvbuff_zlib: Check if the given offset and compressed length are indeed valid before trying to allocate memory
g_malloc() may abort(3) the program when the comprlen is insanely large so use tvb_memdup() instead.
Change-Id: I23fbdc2362900030c41da1c297ab0c787de7c5ca
Reviewed-on: https://code.wireshark.org/review/18043
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Diffstat (limited to 'epan/tvbuff_zlib.c')
-rw-r--r-- | epan/tvbuff_zlib.c | 21 |
1 files changed, 10 insertions, 11 deletions
diff --git a/epan/tvbuff_zlib.c b/epan/tvbuff_zlib.c
index c1a6a1092c..43ffe6b51b 100644
--- a/epan/tvbuff_zlib.c
+++ b/epan/tvbuff_zlib.c
@@ -71,11 +71,10 @@ tvb_uncompress(tvbuff_t *tvb, const int offset, int comprlen)
 return NULL;
 }
- compr = (guint8 *)g_malloc(comprlen);
- tvb_memcpy(tvb, compr, offset, comprlen);
-
- if (!compr)
+ compr = (guint8 *)tvb_memdup(NULL, tvb, offset, comprlen);
+ if (compr == NULL) {
 return NULL;
+ }
 /*
 * Assume that the uncompressed data is at least twice as big as
@@ -103,7 +102,7 @@ tvb_uncompress(tvbuff_t *tvb, const int offset, int comprlen)
 if (err != Z_OK) {
 inflateEnd(strm);
 g_free(strm);
- g_free(compr);
+ wmem_free(NULL, compr);
 g_free(strmbuf);
 return NULL;
 }
@@ -165,7 +164,7 @@ tvb_uncompress(tvbuff_t *tvb, const int offset, int comprlen)
 if (uncompr != NULL) {
 break;
 } else {
- g_free(compr);
+ wmem_free(NULL, compr);
 return NULL;
 }
@@ -195,7 +194,7 @@ tvb_uncompress(tvbuff_t *tvb, const int offset, int comprlen)
 if (comprlen < 10 || *c != Z_DEFLATED) {
 inflateEnd(strm);
 g_free(strm);
- g_free(compr);
+ wmem_free(NULL, compr);
 g_free(strmbuf);
 return NULL;
 }
@@ -254,7 +253,7 @@ tvb_uncompress(tvbuff_t *tvb, const int offset, int comprlen)
 if (c - compr > comprlen) {
 inflateEnd(strm);
 g_free(strm);
- g_free(compr);
+ wmem_free(NULL, compr);
 g_free(strmbuf);
 return NULL;
 }
@@ -298,7 +297,7 @@ tvb_uncompress(tvbuff_t *tvb, const int offset, int comprlen)
 if (err != Z_OK) {
 g_free(strm);
 g_free(strmbuf);
- g_free(compr);
+ wmem_free(NULL, compr);
 g_free(uncompr);
 return NULL;
@@ -309,7 +308,7 @@ tvb_uncompress(tvbuff_t *tvb, const int offset, int comprlen)
 g_free(strmbuf);
 if (uncompr == NULL) {
- g_free(compr);
+ wmem_free(NULL, compr);
 return NULL;
 }
@@ -326,7 +325,7 @@ tvb_uncompress(tvbuff_t *tvb, const int offset, int comprlen)
 uncompr_tvb = tvb_new_real_data((guint8*) uncompr, bytes_out, bytes_out);
 tvb_set_free_cb(uncompr_tvb, g_free);
 }
- g_free(compr);
+ wmem_free(NULL, compr);
 return uncompr_tvb;
 }
 #else |
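Review bot: The `if (compr == NULL)` test after the new `tvb_memdup(NULL, tvb, offset, comprlen)` call is probably not the path that rejects a bad `offset` or `comprlen`: as far as I know tvb_memdup() validates the range against the tvbuff and throws a bounds exception before it allocates, so NULL would come back only for a zero-length copy. A comment above the call would record that for the next reader, for example `/* tvb_memdup() bounds-checks offset/comprlen against tvb and throws on failure, so the allocation is capped by the captured data */`. `comprlen` is a signed `int` handed over as a length, so the guard that ends just above this hunk should be confirmed to reject zero and negative values. That guard and the rest of tvb_uncompress() lie outside the hunk.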
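Review bot: Seven separate exit paths now have to remember that `compr` is released with `wmem_free(NULL, compr)` while `strm`, `strmbuf` and `uncompr` still go through `g_free()`; this applies to this hunk and to the ones at new lines 164, 194, 253, 297, 308 and 325. Keeping the pairing explicit avoids depending on how the NULL scope is implemented, so a comment at the allocation such as `/* compr comes from tvb_memdup(NULL, ...): release with wmem_free(NULL, compr), not g_free() */` would help, and folding the repeated cleanup into a single exit label would remove the duplication altogether. If anything between the allocation and these frees can throw, `compr` would leak on that path; that cannot be judged here because most of tvb_uncompress() lies outside the hunks.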