From Jakub Zawadzki via bug 4274:

Switch back to checking size instead of asize in emem_alloc_chunk. Make sure we don't try to cross the streams by allocating a negative amount of memory in the LTP dissector. svn path=/trunk/; revision=31132
2009-11-30 17:31:13 +00:00 · 2009-11-30 17:31:13 +00:00 · 9417a7c86f
parent 874657592c
commit 9417a7c86f
2 changed files with 4 additions and 1 deletions
--- a/epan/dissectors/packet-ltp.c
+++ b/epan/dissectors/packet-ltp.c
@ -322,6 +322,9 @@ dissect_report_segment(proto_tree *ltp_tree, tvbuff_t *tvb,int frame_offset){
 	}

 	rcpt_clm_cnt = evaluate_sdnv(tvb,frame_offset + segment_offset, &rcpt_clm_cnt_size);
+	if (rcpt_clm_cnt < 0){
+		return 0;
+	}
 	segment_offset += rcpt_clm_cnt_size;
 	if((unsigned)(frame_offset + segment_offset) > tvb_length(tvb)){
 		return 0;
--- a/epan/emem.c
+++ b/epan/emem.c
@ -723,7 +723,7 @@ emem_alloc_chunk(size_t size, emem_header_t *mem)
 #endif

 	/* make sure we dont try to allocate too much (arbitrary limit) */
-	DISSECTOR_ASSERT(asize<(EMEM_PACKET_CHUNK_SIZE>>2));
+	DISSECTOR_ASSERT(size<(EMEM_PACKET_CHUNK_SIZE>>2));

 	if (!mem->free_list)
 		emem_create_chunk(&mem->free_list, use_canary);