Fix a couple of integer underflows.
svn path=/trunk/; revision=23398
This commit is contained in:
parent
ee3d03b7ae
commit
4105173f0e
|
@ -95,6 +95,19 @@ Wireshark Info
|
|||
</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>
|
||||
The NCP dissector could cause a crash.
|
||||
<!-- Fixed in r23398 -->
|
||||
</para>
|
||||
<para>Versions affected: 0.99.6</para>
|
||||
<para>
|
||||
<!-- <ulink url="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-????">CVE-2007-????</ulink> -->
|
||||
</para>
|
||||
</listitem>
|
||||
|
||||
<!-- iSeries -->
|
||||
<!-- rtsp? -->
|
||||
</itemizedlist>
|
||||
|
||||
</para>
|
||||
|
|
|
@ -2447,12 +2447,12 @@ align_4(tvbuff_t *tvb, guint32 aoffset)
|
|||
static void
|
||||
get_string(tvbuff_t* tvb, guint offset, guint str_length, char *dest_buf)
|
||||
{
|
||||
guint32 i;
|
||||
gint i;
|
||||
guint16 c_char;
|
||||
guint32 length_remaining = 0;
|
||||
gint length_remaining = 0;
|
||||
|
||||
length_remaining = tvb_length_remaining(tvb, offset);
|
||||
if(str_length > length_remaining)
|
||||
if((gint)str_length > length_remaining)
|
||||
{
|
||||
THROW(ReportedBoundsError);
|
||||
}
|
||||
|
@ -2461,7 +2461,7 @@ get_string(tvbuff_t* tvb, guint offset, guint str_length, char *dest_buf)
|
|||
{
|
||||
return;
|
||||
}
|
||||
for ( i = 0; i < str_length; i++ )
|
||||
for ( i = 0; i < (gint)str_length; i++ )
|
||||
{
|
||||
c_char = tvb_get_guint8(tvb, offset );
|
||||
if (c_char<0x20 || c_char>0x7e)
|
||||
|
@ -2493,6 +2493,9 @@ get_string(tvbuff_t* tvb, guint offset, guint str_length, char *dest_buf)
|
|||
break; /* If string is too long just return the first 1K. */
|
||||
}
|
||||
}
|
||||
if (i < 0) {
|
||||
i = 0;
|
||||
}
|
||||
dest_buf[i] = '\0';
|
||||
return;
|
||||
}
|
||||
|
@ -2500,9 +2503,9 @@ get_string(tvbuff_t* tvb, guint offset, guint str_length, char *dest_buf)
|
|||
static void
|
||||
uni_to_string(char * data, guint32 str_length, char *dest_buf)
|
||||
{
|
||||
guint32 i;
|
||||
gint i;
|
||||
guint16 c_char;
|
||||
guint32 length_remaining = 0;
|
||||
gint length_remaining = 0;
|
||||
|
||||
length_remaining = str_length;
|
||||
dest_buf[0] = '\0';
|
||||
|
@ -2510,7 +2513,7 @@ uni_to_string(char * data, guint32 str_length, char *dest_buf)
|
|||
{
|
||||
return;
|
||||
}
|
||||
for ( i = 0; i < str_length; i++ )
|
||||
for ( i = 0; i < (gint) str_length; i++ )
|
||||
{
|
||||
c_char = data[i];
|
||||
if (c_char<0x20 || c_char>0x7e)
|
||||
|
@ -2538,6 +2541,9 @@ uni_to_string(char * data, guint32 str_length, char *dest_buf)
|
|||
return;
|
||||
}
|
||||
}
|
||||
if (i < 0) {
|
||||
i = 0;
|
||||
}
|
||||
dest_buf[i] = '\0';
|
||||
return;
|
||||
}
|
||||
|
|
Loading…
Reference in New Issue