Fix buffer overrun in zlib decompression
author Peter Wu <peter@lekensteyn.nl>
Sun, 22 Nov 2015 17:16:46 +0000 (18:16 +0100)
committer Peter Wu <peter@lekensteyn.nl>
Wed, 25 Nov 2015 12:35:52 +0000 (12:35 +0000)
After updating next_in (to remove the gzip header), avail_in must also
be updated. Failing to do so makes zlib read past the input buffer. In
theory this would result in a buffer overrun of at most double the input
length; in practice zlib returns as soon as the compression fails (after
reading a few bytes).

Bug: 11548
Change-Id: If71691a2846338f46d866964a77cc4e74a9b61dd
Reviewed-on: https://code.wireshark.org/review/12038
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
epan/tvbuff_zlib.c

index 0e6be80d0a0db9a3ce354a9ed94f8d17a6414ae9..c92a5d506d763c405b33f18a1f3b8b822de94490 100644 (file)
@@ -246,9 +246,6 @@ tvb_uncompress(tvbuff_t *tvb, const int offset, int comprlen)
                        }
 
 
-                       inflateReset(strm);
-                       next = c;
-                       strm->next_in = next;
                        if (c - compr > comprlen) {
                                inflateEnd(strm);
                                g_free(strm);
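Review bot: dropping `inflateReset`, `next = c` and `strm->next_in = next` ahead of the `if (c - compr > comprlen)` bounds check is the right order: `next_in` should only be moved once the header length is known to fit inside the buffer. The visible context between the removed lines and the error return has no other reader of `next`, so removing the assignment here is safe within this hunk, and the early-return path still frees `strm` and `strmbuf` without the stream pointers having been touched.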
@@ -256,7 +253,13 @@ tvb_uncompress(tvbuff_t *tvb, const int offset, int comprlen)
                                g_free(strmbuf);
                                return NULL;
                        }
+                       /* Drop gzip header */
                        comprlen -= (int) (c - compr);
+                       next = c;
+
+                       inflateReset(strm);
+                       strm->next_in   = next;
+                       strm->avail_in  = comprlen;
 
                        inflateEnd(strm);
                        inflateInit2(strm, wbits);
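Review bot: with `strm->avail_in = comprlen;` now set, the `inflateReset(strm)` two lines above is immediately followed by the unchanged `inflateEnd(strm); inflateInit2(strm, wbits);`, so the reset is redundant and could be dropped (inflateInit2 starts from a fresh state, and neither call modifies `next_in` or `avail_in`, so the new values survive). The int-to-uInt conversion into `avail_in` is only safe because the preceding `if (c - compr > comprlen)` check returns before `comprlen` can go negative; a one-line comment at the assignment would make that dependency explicit, since a negative `comprlen` would otherwise become a huge `avail_in` and reintroduce the over-read this change fixes.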