Fix bug #8936: Fuzz failure: attempt to allocate -1 bytes from packet-bacapp.c and/or tvb_generic_clone_offset_len()

Revert r50556: Add new function: validate_offset() which checks if offset is within bounds of tvb. svn path=/trunk/; revision=50633
2013-07-15 18:32:11 +00:00 · 2013-07-15 18:32:11 +00:00 · fec836d697
parent 7c5b471584
commit fec836d697
1 changed files with 33 additions and 4 deletions
--- a/epan/tvbuff.c
+++ b/epan/tvbuff.c
@ -202,15 +202,44 @@ validate_offset(const tvbuff_t *tvb, const guint abs_offset)
 static int
 compute_offset(const tvbuff_t *tvb, const gint offset, guint *offset_ptr)
 {
+	int exception;
+
 	if (offset >= 0) {
 		/* Positive offset - relative to the beginning of the packet. */
-		*offset_ptr = offset;
-	} else {
+		if ((guint) offset > tvb->reported_length) {
+			if (tvb->flags & TVBUFF_FRAGMENT) {
+				exception = FragmentBoundsError;
+			} else {
+				exception = ReportedBoundsError;
+			}
+			return exception;
+		}
+		else if ((guint) offset > tvb->length) {
+			return BoundsError;
+		}
+		else {
+			*offset_ptr = offset;
+		}
+	}
+	else {
 		/* Negative offset - relative to the end of the packet. */
-		*offset_ptr = tvb->length + offset;
+		if ((guint) -offset > tvb->reported_length) {
+			if (tvb->flags & TVBUFF_FRAGMENT) {
+				exception = FragmentBoundsError;
+			} else {
+				exception = ReportedBoundsError;
+			}
+			return exception;
+		}
+		else if ((guint) -offset > tvb->length) {
+			return BoundsError;
+		}
+		else {
+			*offset_ptr = tvb->length + offset;
+		}
 	}

-	return validate_offset(tvb, *offset_ptr);
+	return 0;
 }

 static int