tvbuff_zlib: Check if the given offset and compressed length are indeed valid before trying to allocate memory
g_malloc() may abort(3) the program when the comprlen is insanely large so use tvb_memdup() instead. Change-Id: I23fbdc2362900030c41da1c297ab0c787de7c5ca Reviewed-on: https://code.wireshark.org/review/18043 Reviewed-by: Peter Wu <peter@lekensteyn.nl> Petri-Dish: Peter Wu <peter@lekensteyn.nl> Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org> Reviewed-by: Michael Mann <mmann78@netscape.net>
parent
257abd9121
commit
cb959510d2
|
@ -71,11 +71,10 @@ tvb_uncompress(tvbuff_t *tvb, const int offset, int comprlen)
|
||||||
return NULL;
|
return NULL;
|
||||||
}
|
}
|
||||||
|
|
||||||
compr = (guint8 *)g_malloc(comprlen);
|
compr = (guint8 *)tvb_memdup(NULL, tvb, offset, comprlen);
|
||||||
tvb_memcpy(tvb, compr, offset, comprlen);
|
if (compr == NULL) {
|
||||||
|
|
||||||
if (!compr)
|
|
||||||
return NULL;
|
return NULL;
|
||||||
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Assume that the uncompressed data is at least twice as big as
|
* Assume that the uncompressed data is at least twice as big as
|
||||||
|
@ -103,7 +102,7 @@ tvb_uncompress(tvbuff_t *tvb, const int offset, int comprlen)
|
||||||
if (err != Z_OK) {
|
if (err != Z_OK) {
|
||||||
inflateEnd(strm);
|
inflateEnd(strm);
|
||||||
g_free(strm);
|
g_free(strm);
|
||||||
g_free(compr);
|
wmem_free(NULL, compr);
|
||||||
g_free(strmbuf);
|
g_free(strmbuf);
|
||||||
return NULL;
|
return NULL;
|
||||||
}
|
}
|
||||||
|
@ -165,7 +164,7 @@ tvb_uncompress(tvbuff_t *tvb, const int offset, int comprlen)
|
||||||
if (uncompr != NULL) {
|
if (uncompr != NULL) {
|
||||||
break;
|
break;
|
||||||
} else {
|
} else {
|
||||||
g_free(compr);
|
wmem_free(NULL, compr);
|
||||||
return NULL;
|
return NULL;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -195,7 +194,7 @@ tvb_uncompress(tvbuff_t *tvb, const int offset, int comprlen)
|
||||||
if (comprlen < 10 || *c != Z_DEFLATED) {
|
if (comprlen < 10 || *c != Z_DEFLATED) {
|
||||||
inflateEnd(strm);
|
inflateEnd(strm);
|
||||||
g_free(strm);
|
g_free(strm);
|
||||||
g_free(compr);
|
wmem_free(NULL, compr);
|
||||||
g_free(strmbuf);
|
g_free(strmbuf);
|
||||||
return NULL;
|
return NULL;
|
||||||
}
|
}
|
||||||
|
@ -254,7 +253,7 @@ tvb_uncompress(tvbuff_t *tvb, const int offset, int comprlen)
|
||||||
if (c - compr > comprlen) {
|
if (c - compr > comprlen) {
|
||||||
inflateEnd(strm);
|
inflateEnd(strm);
|
||||||
g_free(strm);
|
g_free(strm);
|
||||||
g_free(compr);
|
wmem_free(NULL, compr);
|
||||||
g_free(strmbuf);
|
g_free(strmbuf);
|
||||||
return NULL;
|
return NULL;
|
||||||
}
|
}
|
||||||
|
@ -298,7 +297,7 @@ tvb_uncompress(tvbuff_t *tvb, const int offset, int comprlen)
|
||||||
if (err != Z_OK) {
|
if (err != Z_OK) {
|
||||||
g_free(strm);
|
g_free(strm);
|
||||||
g_free(strmbuf);
|
g_free(strmbuf);
|
||||||
g_free(compr);
|
wmem_free(NULL, compr);
|
||||||
g_free(uncompr);
|
g_free(uncompr);
|
||||||
|
|
||||||
return NULL;
|
return NULL;
|
||||||
|
@ -309,7 +308,7 @@ tvb_uncompress(tvbuff_t *tvb, const int offset, int comprlen)
|
||||||
g_free(strmbuf);
|
g_free(strmbuf);
|
||||||
|
|
||||||
if (uncompr == NULL) {
|
if (uncompr == NULL) {
|
||||||
g_free(compr);
|
wmem_free(NULL, compr);
|
||||||
return NULL;
|
return NULL;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -326,7 +325,7 @@ tvb_uncompress(tvbuff_t *tvb, const int offset, int comprlen)
|
||||||
uncompr_tvb = tvb_new_real_data((guint8*) uncompr, bytes_out, bytes_out);
|
uncompr_tvb = tvb_new_real_data((guint8*) uncompr, bytes_out, bytes_out);
|
||||||
tvb_set_free_cb(uncompr_tvb, g_free);
|
tvb_set_free_cb(uncompr_tvb, g_free);
|
||||||
}
|
}
|
||||||
g_free(compr);
|
wmem_free(NULL, compr);
|
||||||
return uncompr_tvb;
|
return uncompr_tvb;
|
||||||
}
|
}
|
||||||
#else
|
#else
|
||||||
|
|
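Review bot: The `if (compr == NULL)` branch added after `tvb_memdup(NULL, tvb, offset, comprlen)` in the first hunk deserves a comment, because it is probably not the path that handles a bad offset or length. As far as I know, tvb_memdup() reports an out-of-range offset/comprlen by throwing a bounds exception, so the validation named in the commit title happens through that exception, and NULL would come back only for an empty copy. I would add `/* tvb_memdup() throws on an out-of-bounds offset/comprlen; a NULL return only means nothing was copied */` above the check. Separately, comprlen is a signed int and tvb_memdup() appears to treat -1 as "to the end of the buffer", in which case the copied size would no longer match the comprlen that the later `comprlen < 10` and `c - compr > comprlen` checks rely on. Whether an earlier guard rejects non-positive values is not visible, since the body of tvb_uncompress starts outside the hunk.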