From ccf720d95daf410ecd5d9bd0c45db5e642e1c3c3 Mon Sep 17 00:00:00 2001
From: John Thacker
Date: Sat, 20 Aug 2022 13:25:06 -0400
Subject: [PATCH] epan: Handle subset tvbuffs with non-zero offets and length -1

According to tvbuff.h, tvb_new_subset_length() with length -1 should behave like tvb_new_subset_remaining(). That means that the reported length should subtract off the offset into the original tvb.
---
 epan/tvbuff_subset.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/epan/tvbuff_subset.c b/epan/tvbuff_subset.c
index 52a332d878..ecbe03bf2d 100644
--- a/epan/tvbuff_subset.c
+++ b/epan/tvbuff_subset.c
@@ -211,6 +211,16 @@ tvb_new_subset_length(tvbuff_t *backing, const gint backing_offset, const gint r
 &subset_tvb_offset, &subset_tvb_length);
+ /*
+ * If the requested reported length is "to the end of the buffer",
+ * subtract the offset from the total length. We do this now, because
+ * the user might have passed in a negative offset.
+ */
+ if (reported_length == -1) {
+ THROW_ON(backing->reported_length < subset_tvb_offset, ReportedBoundsError);
+ actual_reported_length -= subset_tvb_offset;
+ }
+
 tvb = tvb_new_with_subset(backing, (guint)actual_reported_length, subset_tvb_offset, subset_tvb_length);
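Review bot: The `THROW_ON` guard in the new `if (reported_length == -1)` block tests `backing->reported_length`, but the value then decremented is `actual_reported_length`; the two are equal only while the assignment made for the -1 case earlier in the function (outside this hunk) stays as it is. Because the result is cast to `(guint)` in the `tvb_new_with_subset()` call, a negative difference would become a very large reported length and weaken the bounds checks that consumers of this subset rely on. I would guard the operand actually used, e.g. `THROW_ON(actual_reported_length < 0 || (guint)actual_reported_length < subset_tvb_offset, ReportedBoundsError);`, which assumes `actual_reported_length` is a signed `gint`, as the existing cast suggests. The diffstat shows only this file changed, so a unit test covering a non-zero and a negative offset with length -1 would pin the behaviour the commit message describes.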