blob: cf9fa8ce50a3ea056b623d0fd7bb10eb34f53fe0 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
|
$NetBSD: patch-SA42767,v 1.1.2.2 2011/01/05 21:34:34 sbd Exp $
Patch for security vulnerability reported in SA42767.
The patch was taken from the Wireshark SVN repository:
http://anonsvn.wireshark.org/viewvc?view=rev&revision=35318
--- epan/dissectors/packet-enttec.c.orig 2010-11-18 21:30:35.000000000 +0000
+++ epan/dissectors/packet-enttec.c 2011-01-04 14:30:58.000000000 +0000
@@ -193,8 +193,8 @@
"%3u: %s"
};
- static guint8 dmx_data[512];
- static guint16 dmx_data_offset[513]; /* 1 extra for last offset */
+ guint8 *dmx_data = ep_alloc(512 * sizeof(guint8));
+ guint16 *dmx_data_offset = ep_alloc(513 * sizeof(guint16)); /* 1 extra for last offset */
emem_strbuf_t *dmx_epstr;
proto_tree *hi,*si;
@@ -225,10 +225,10 @@
length = 512;
if (type == ENTTEC_DATA_TYPE_RLE) {
- /* uncompres the DMX data */
+ /* uncompress the DMX data */
ui = 0;
ci = 0;
- while (ci < length) {
+ while (ci < length && ui < 512) {
v = tvb_get_guint8(tvb, offset+ci);
if (v == 0xFE) {
ci++;
@@ -236,7 +236,7 @@
ci++;
v = tvb_get_guint8(tvb, offset+ci);
ci++;
- for (i=0;i < count;i++) {
+ for (i=0;i < count && ui < 512;i++) {
dmx_data[ui] = v;
dmx_data_offset[ui] = ci-3;
ui++;
|