forked from osmocom/wireshark
ptvcursor: Fix crash with deeply nested subtrees
If the proto tree is more than 8 levels deep, the subtree_lvl array length is extended, by allocating a new area and copying everything into that new area. However the old array length wasn't calculated correctly, so only part of the subtree_lvl array was copied, causing a crash after two ptvcursor_pop_subtree() calls.
This commit is contained in:
parent
bbcc605ee2
commit
fa483ac191
|
@ -1113,6 +1113,7 @@ static void
|
|||
ptvcursor_new_subtree_levels(ptvcursor_t *ptvc)
|
||||
{
|
||||
subtree_lvl *pushed_tree;
|
||||
size_t pushed_tree_len = sizeof(subtree_lvl) * ptvc->pushed_tree_max;
|
||||
|
||||
DISSECTOR_ASSERT(ptvc->pushed_tree_max <= SUBTREE_MAX_LEVELS-SUBTREE_ONCE_ALLOCATION_NUMBER);
|
||||
ptvc->pushed_tree_max += SUBTREE_ONCE_ALLOCATION_NUMBER;
|
||||
|
@ -1120,7 +1121,7 @@ ptvcursor_new_subtree_levels(ptvcursor_t *ptvc)
|
|||
pushed_tree = (subtree_lvl *)wmem_alloc(wmem_packet_scope(), sizeof(subtree_lvl) * ptvc->pushed_tree_max);
|
||||
DISSECTOR_ASSERT(pushed_tree != NULL);
|
||||
if (ptvc->pushed_tree)
|
||||
memcpy(pushed_tree, ptvc->pushed_tree, ptvc->pushed_tree_max - SUBTREE_ONCE_ALLOCATION_NUMBER);
|
||||
memcpy(pushed_tree, ptvc->pushed_tree, pushed_tree_len);
|
||||
ptvc->pushed_tree = pushed_tree;
|
||||
}
|
||||
|
||||
|
|
Loading…
Reference in New Issue