Fix the very long loop fuzz failure reported in https://bugs.wireshark.org/bugzilla...
authorJeff Morriss <jeff.morriss.ws@gmail.com>
Thu, 11 Jul 2013 14:46:30 +0000 (14:46 -0000)
committerJeff Morriss <jeff.morriss.ws@gmail.com>
Thu, 11 Jul 2013 14:46:30 +0000 (14:46 -0000)
Apply the fix for https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=3290
to proto_tree_add_bits_item().  That is, test that we have offset+length bytes
left in the TVB before trying to fake the item.

svn path=/trunk/; revision=50504

epan/proto.c

index a6b0325515f33fb265a2e3fbb069413212cef628..5f2a504314cc0f559280a4f551d1c674d94f2ae2 100644 (file)
@@ -6854,7 +6854,19 @@ proto_tree_add_bits_item(proto_tree *tree, const int hf_index, tvbuff_t *tvb,
                         const guint encoding)
 {
        header_field_info *hfinfo;
+       gint              octet_length;
+       gint              octet_offset;
 
+       PROTO_REGISTRAR_GET_NTH(hf_index, hfinfo);
+
+       octet_length = (no_of_bits + 7) >> 3;
+       octet_offset = bit_offset >> 3;
+       test_length(hfinfo, tree, tvb, octet_offset, octet_length, encoding);
+
+       /* Yes, we try to fake this item again in proto_tree_add_bits_ret_val()
+        * but only after doing a bunch more work (which we can, in the common
+        * case, shortcut here).
+        */
        TRY_TO_FAKE_THIS_ITEM(tree, hf_index, hfinfo);
 
        return proto_tree_add_bits_ret_val(tree, hf_index, tvb, bit_offset, no_of_bits, NULL, encoding);
@@ -6901,10 +6913,7 @@ _proto_tree_add_bits_ret_val(proto_tree *tree, const int hf_index, tvbuff_t *tvb
         * Calculate the number of octets used to hold the bits
         */
        tot_no_bits = ((bit_offset&0x7) + no_of_bits);
-       length = tot_no_bits>>3;
-       /* If we are using part of the next octet, increase length by 1 */
-       if (tot_no_bits & 0x07)
-               length++;
+       length = (tot_no_bits + 7) >> 3;
 
        if (no_of_bits < 65) {
                value = tvb_get_bits64(tvb, bit_offset, no_of_bits, encoding);