author | Michael Mann <mmann78@netscape.net> | 2018-01-28 16:26:31 -0500 |
---|---|---|
committer | Michael Mann <mmann78@netscape.net> | 2018-01-29 00:03:16 +0000 |
commit | 907d8ff41f37f8eaed5e4c64ab322f33ea2c6802 (patch) | |
tree | ee4681b85ffac9daa6a46703148e9f6f136be8fa /epan/uat.h | |
parent | 5c1247301461b842d8a624195bb057b534e0a17e (diff) |
Protect UAT color "datatype" from an empty string
UAT color "datatype" has the format of #XXXXXX so the XXXXXX is strduped
to pass to strtol(). The "pointer math" assumed the # was always present
and would result in large memory allocation if string was empty.
Bug: 14357
Change-Id: Idc43b17f0e07705880d0d77f106991d10e09f072
Reviewed-on: https://code.wireshark.org/review/25504
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Michael Mann <mmann78@netscape.net>
Diffstat (limited to 'epan/uat.h')
-rw-r--r-- | epan/uat.h | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/epan/uat.h b/epan/uat.h
index f3305b4b5d..6e63fe5f51 100644
--- a/epan/uat.h
+++ b/epan/uat.h
@@ -632,10 +632,14 @@ static void basename ## _ ## field_name ## _tostr_cb(void* rec, char** out_ptr,
 /*
 * Color Macros,
- * an boolean value contained in
+ * an #RRGGBB color value contained in
 */
 #define UAT_COLOR_CB_DEF(basename,field_name,rec_t) \
 static void basename ## _ ## field_name ## _set_cb(void* rec, const char* buf, guint len, const void* UNUSED_PARAMETER(u1), const void* UNUSED_PARAMETER(u2)) {\
+ if (len < 1) { \
+ ((rec_t*)rec)->field_name = 0; \
+ return; \
+ } \
 char* tmp_str = g_strndup(buf+1,len-1); \
 ((rec_t*)rec)->field_name = (guint)strtol(tmp_str,NULL,16); \
 g_free(tmp_str); } \ |
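Review bot: The new `len < 1` guard in `_set_cb` stops the `len-1` wrap-around on an empty string, but the lines after it still skip `buf[0]` without checking that it is `#`, and `strtol(tmp_str,NULL,16)` with a NULL end pointer cannot report non-hex or trailing characters. A value with no leading `#`, or with non-hex text after it, would therefore be stored silently as a truncated or zero color rather than rejected. Unless a field check callback outside this hunk already rejects such strings, the guard could be widened to `if (len < 1 || buf[0] != '#') { \` and the `strtol` call given an end pointer that is compared against the end of `tmp_str`. The `UAT_COLOR_CB_DEF` macro continues past the last line shown, so the matching `_tostr_cb` is not visible here.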