Make sure the offset doesn't overflow.
It'd only overflow if the value is *so* large that it won't fit in the packet (given that we have a 2^32-1-byte limit on the packet size), so use tvb_ensure_bytes_exist() to ensure we have the entire value before processing the value. (The real problem is that we don't handle the case where there's a value multiplicity > 1 for some types; in those cases, we should loop, processing all the values, which would cause us to eventually throw an exception when we ran past the end of the packet. This is just a quick fix.) Bug: 14742 Change-Id: I447ece81d1c84d3b1d218faeb2c155f910208c29 Reviewed-on: https://code.wireshark.org/review/27853 Reviewed-by: Guy Harris <guy@alum.mit.edu>
This commit is contained in:
parent
101b692569
commit
25118898a9
|
@ -5758,6 +5758,11 @@ dissect_dcm_tag_value(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, dcm_s
|
|||
guint encoding = (pdv->syntax == DCM_EBE) ? ENC_BIG_ENDIAN : ENC_LITTLE_ENDIAN;
|
||||
|
||||
|
||||
/* Make sure we have all the bytes of the item; this should throw
|
||||
and exception if vl_max is so large that it causes the offset
|
||||
to overflow. */
|
||||
tvb_ensure_bytes_exist(tvb, offset, vl_max);
|
||||
|
||||
/* ---------------------------------------------------------------------------
|
||||
Potentially long types. Obey vl_max
|
||||
---------------------------------------------------------------------------
|
||||
|
|
Loading…
Reference in New Issue