From ceee21db98c76c602f17b154beb09e8f4966bd66 Mon Sep 17 00:00:00 2001
From: Peter Wu <peter@lekensteyn.nl>
Date: Sun, 22 Nov 2015 18:16:46 +0100
Subject: [PATCH 6/6] Fix buffer overrun in zlib decompression

After updating next_in (to remove the gzip header), avail_in must also
be updated. Failing to do so makes zlib read past the input buffer. In
theory this would result in a buffer overrun of at most double the input
length; in practice zlib returns as soon as the compression fails (after
reading a few bytes).

Conflicts:
	epan/tvbuff_zlib.c

Bug: 11548
Change-Id: If71691a2846338f46d866964a77cc4e74a9b61dd
Reviewed-on: https://code.wireshark.org/review/12038
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
(cherry picked from commit cec0593ae6c3bca65eff65741c2a10f3de3e0afe)
Reviewed-on: https://code.wireshark.org/review/12138
(cherry picked from commit ff0220fda472b0b08796dbd8aa4c22dd665d9223)
Reviewed-on: https://code.wireshark.org/review/13759
Reviewed-by: Balint Reczey <balint@balintreczey.hu>
Reviewed-on: https://code.wireshark.org/review/14249
---
 epan/tvbuff.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/epan/tvbuff.c b/epan/tvbuff.c
index efc2f84..3a9a133 100644
--- a/epan/tvbuff.c
+++ b/epan/tvbuff.c
@@ -3522,9 +3522,6 @@ tvb_uncompress(tvbuff_t *tvb, const int offset, int comprlen)
 			}
 
 
-			inflateReset(strm);
-			next = c;
-			strm->next_in = next;
 			if (c - compr > comprlen) {
 				inflateEnd(strm);
 				g_free(strm);
@@ -3533,6 +3530,11 @@ tvb_uncompress(tvbuff_t *tvb, const int offset, int comprlen)
 				return NULL;
 			}
 			comprlen -= (int) (c - compr);
+			next = c;
+
+			inflateReset(strm);
+			strm->next_in   = next;
+			strm->avail_in  = comprlen;
 
 			inflateEnd(strm);
 			inflateInit2(strm, wbits);
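Review bot: The new `strm->avail_in  = comprlen;` stores a signed int into zlib's unsigned field, and it is only safe because the `c - compr > comprlen` check and the `comprlen -=` adjustment run first. A short comment at the assignment would protect that ordering, e.g. `/* next_in and avail_in must move together; comprlen was bounds-checked and reduced above */`. The `inflateReset(strm)` moved into this spot looks redundant, since the context lines right after it call `inflateEnd(strm)` and `inflateInit2(strm, wbits)`, and neither return value is checked in the lines visible here. tvb_uncompress starts and ends outside this hunk, so the header-skipping code that advances `c` and any later error handling cannot be assessed from this patch.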
-- 
2.1.4

