skip the extra field in the gzip header

it consists of two bytes xsize + xsize bytes of data use an unsigned type for xsize fail gracefully if the field is present but truncated tvb_length_remaining > tvb_captured_length_remaining Change-Id: I7f5138743c2d88abdd4f5f18d3c0292612ddb559 Reviewed-on: https://code.wireshark.org/review/5654 Reviewed-by: Anders Broman <a.broman58@gmail.com>
2014-12-07 19:47:54 +01:00 · 2014-12-07 19:47:54 +01:00 · b7f8cd8a5d
parent 5570f8e24b
commit b7f8cd8a5d
1 changed files with 19 additions and 5 deletions
--- a/epan/tvbuff_zlib.c
+++ b/epan/tvbuff_zlib.c
@ -60,7 +60,7 @@ tvb_uncompress(tvbuff_t *tvb, const int offset, int comprlen)
 	guint      bufsiz;
 #ifdef TVB_Z_DEBUG
 	guint      inflate_passes = 0;
-	guint      bytes_in       = tvb_length_remaining(tvb, offset);
+	guint      bytes_in       = tvb_captured_length_remaining(tvb, offset);
 #endif

 	if (tvb == NULL) {
@ -76,7 +76,7 @@ tvb_uncompress(tvbuff_t *tvb, const int offset, int comprlen)
 	 * Assume that the uncompressed data is at least twice as big as
 	 * the compressed size.
 	 */
-	bufsiz = tvb_length_remaining(tvb, offset) * 2;
+	bufsiz = tvb_captured_length_remaining(tvb, offset) * 2;
 	bufsiz = CLAMP(bufsiz, TVB_Z_MIN_BUFSIZ, TVB_Z_MAX_BUFSIZ);

 #ifdef TVB_Z_DEBUG
@ -204,9 +204,23 @@ tvb_uncompress(tvbuff_t *tvb, const int offset, int comprlen)
 			c += 6;

 			if (flags & (1 << 2)) {
-				/* An Extra field is present. */
-				gint xsize = (gint)(*c |
-					(*(c + 1) << 8));
+				/* An Extra field is present. It
+				   consists of 2 bytes xsize and xsize
+				   bytes of data.
+				   Read byte-by-byte (least significant
+				   byte first) to make sure we abort
+				   cleanly when the xsize is truncated
+				   after the first byte. */
+				guint16 xsize = 0;
+
+				if (c-compr < comprlen) {
+					xsize += *c;
+					c++;
+				}
+				if (c-compr < comprlen) {
+					xsize += *c << 8;
+					c++;
+				}

 				c += xsize;
 			}