tvbuff_zlib: Check if the given offset and compressed length are indeed valid before trying to allocate memory

g_malloc() may abort(3) the program when comprlen is insanely large, so use tvb_memdup() instead.

Change-Id: I23fbdc2362900030c41da1c297ab0c787de7c5ca
Reviewed-on: https://code.wireshark.org/review/18043
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
PHO 2016-10-03 08:52:08 +09:00 committed by Michael Mann
parent 257abd9121
commit cb959510d2
1 changed files with 10 additions and 11 deletions


@ -71,11 +71,10 @@ tvb_uncompress(tvbuff_t *tvb, const int offset, int comprlen)
return NULL;
}
compr = (guint8 *)g_malloc(comprlen);
tvb_memcpy(tvb, compr, offset, comprlen);
if (!compr)
compr = (guint8 *)tvb_memdup(NULL, tvb, offset, comprlen);
if (compr == NULL) {
return NULL;
}
/*
* Assume that the uncompressed data is at least twice as big as
@ -103,7 +102,7 @@ tvb_uncompress(tvbuff_t *tvb, const int offset, int comprlen)
if (err != Z_OK) {
inflateEnd(strm);
g_free(strm);
g_free(compr);
wmem_free(NULL, compr);
g_free(strmbuf);
return NULL;
}
@ -165,7 +164,7 @@ tvb_uncompress(tvbuff_t *tvb, const int offset, int comprlen)
if (uncompr != NULL) {
break;
} else {
g_free(compr);
wmem_free(NULL, compr);
return NULL;
}
@ -195,7 +194,7 @@ tvb_uncompress(tvbuff_t *tvb, const int offset, int comprlen)
if (comprlen < 10 || *c != Z_DEFLATED) {
inflateEnd(strm);
g_free(strm);
g_free(compr);
wmem_free(NULL, compr);
g_free(strmbuf);
return NULL;
}
@ -254,7 +253,7 @@ tvb_uncompress(tvbuff_t *tvb, const int offset, int comprlen)
if (c - compr > comprlen) {
inflateEnd(strm);
g_free(strm);
g_free(compr);
wmem_free(NULL, compr);
g_free(strmbuf);
return NULL;
}
@ -298,7 +297,7 @@ tvb_uncompress(tvbuff_t *tvb, const int offset, int comprlen)
if (err != Z_OK) {
g_free(strm);
g_free(strmbuf);
g_free(compr);
wmem_free(NULL, compr);
g_free(uncompr);
return NULL;
@ -309,7 +308,7 @@ tvb_uncompress(tvbuff_t *tvb, const int offset, int comprlen)
g_free(strmbuf);
if (uncompr == NULL) {
g_free(compr);
wmem_free(NULL, compr);
return NULL;
}
@ -326,7 +325,7 @@ tvb_uncompress(tvbuff_t *tvb, const int offset, int comprlen)
uncompr_tvb = tvb_new_real_data((guint8*) uncompr, bytes_out, bytes_out);
tvb_set_free_cb(uncompr_tvb, g_free);
}
g_free(compr);
wmem_free(NULL, compr);
return uncompr_tvb;
}
#else
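Review bot: The `if (compr == NULL)` check added after `tvb_memdup(NULL, tvb, offset, comprlen)` in the first hunk does not cover the failure this commit targets, because tvb_memdup() reports an out-of-range offset or length by throwing a bounds exception before it allocates rather than by returning NULL. tvb_uncompress() therefore propagates an exception when a packet-derived `comprlen` exceeds the buffer, and callers holding their own allocations need to know that. I would document it at the call with `/* tvb_memdup() bounds-checks offset/comprlen and throws before allocating; compr is in the NULL wmem scope, release it with wmem_free(NULL, compr). */`. The later hunks switch every visible `g_free(compr)` to `wmem_free(NULL, compr)`, but the function body extends outside the hunks, so any exit path not shown here should be checked for a remaining `g_free(compr)`.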