(/home/sate/Testcases/c/cve/wireshark-1.2.0/epan/dissectors/packet-wcp.c) |
| |
| 473 | | | static tvbuff_t *wcp_uncompress( tvbuff_t *src_tvb, int offset, packet_info *pinfo, proto_tree *tree) { |
| 474 | | | |
| 475 | | | |
| 476 | | | |
| 477 | | | proto_tree *sub_tree; |
| 478 | | | proto_item *ti; |
| 479 | | | |
| 480 | | | int len=0, i = -1; |
| 481 | | | int cnt = tvb_reported_length( src_tvb)-1; |
| 482 | | | |
| 483 | | | guint8 *dst, *src, *buf_start, *buf_end, *tmp, comp_flag_bits = 0; |
| 484 | | | guint8 src_buf[ MAX_WCP_BUF_LEN]; |
| 485 | | | tvbuff_t *volatile tvb = 0; |
| 486 | | | wcp_window_t *buf_ptr = 0; |
| 487 | | | wcp_pdata_t *volatile pdata_ptr; |
| 488 | | | volatile gboolean bounds_error = FALSE; |
| 489 | | | |
| 490 | | | buf_ptr = get_wcp_window_ptr( pinfo); |
| 491 | | | |
| 492 | | | buf_start = buf_ptr->buffer; |
| 493 | | | buf_end = buf_start + MAX_WIN_BUF_LEN;
Definition of MAX_WIN_BUF_LEN (used on line 493), from /home/sate/Testcases/c/cve/wireshark-1.2.0/epan/dissectors/packet-wcp.c |
| |
113 | #define MAX_WIN_BUF_LEN 0x7fff /* storage size for decompressed data */ |
| |
|
| 494 | | | tmp = buf_ptr->buf_cur; |
| 495 | | | |
| 496 | | | if (cnt - offset > MAX_WCP_BUF_LEN) { |
Event 1:
Skipping the "if" body. cnt - offset > 2048 evaluates to false (2048 is the expanded value of MAX_WCP_BUF_LEN).
|
|
| 497 | | | if (tree) |
| 498 | | | proto_tree_add_text( tree, src_tvb, offset, -1, |
| 499 | | | "Compressed data exceeds maximum buffer length (%d > %d)", |
| 500 | | | cnt - offset, MAX_WCP_BUF_LEN); |
| 501 | | | return NULL; |
| 502 | | | } |
| 503 | | | |
| 504 | | | src = tvb_memcpy(src_tvb, src_buf, offset, cnt - offset); |
| 505 | | | dst = buf_ptr->buf_cur; |
| 506 | | | |
| 507 | | | while( offset++ < cnt){ |
Event 2:
Leaving loop. offset++ < cnt evaluates to false.
|
|
| 508 | | | |
| 509 | | | if ( --i >= 0){ |
| 510 | | | if ( comp_flag_bits & 0x80){ |
| 511 | | | |
| 512 | | | if ( !pinfo->fd->flags.visited){ |
| 513 | | | dst = decompressed_entry( src, dst, &len, buf_start, buf_end); |
| 514 | | | } |
| 515 | | | if ((*src & 0xf0) == 0x10){ |
| 516 | | | if ( tree) { |
| 517 | | | ti = proto_tree_add_item( tree, hf_wcp_long_run, src_tvb, |
| 518-558 | | | [ Lines 518 to 558 omitted. ] |
| 559 | | | |
| 560 | | | comp_flag_bits = *src++; |
| 561 | | | if (tree) |
| 562 | | | proto_tree_add_uint( tree, hf_wcp_comp_bits, src_tvb, offset-1, 1, |
| 563 | | | comp_flag_bits); |
| 564 | | | |
| 565 | | | i = 8; |
| 566 | | | } |
| 567 | | | } |
| 568 | | | |
| 569 | | | if ( pinfo->fd->flags.visited){ |
Event 3:
Taking true branch. pinfo->fd->flags.visited evaluates to true.
|
|
| 570 | | | |
| 571 | [+] | | pdata_ptr = p_get_proto_data( pinfo->fd, proto_wcp); |
| 572 | | | |
| 573 | | | if ( !pdata_ptr) |
Event 8:
Skipping the "if" body. pdata_ptr evaluates to true (non-NULL), so !pdata_ptr is false and the return on line 574 is not taken.
|
|
| 574 | | | return NULL; |
| 575 | | | len = pdata_ptr->len; |
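Null Pointer Dereference
pdata_ptr is dereferenced here, but it is NULL. The issue can occur if the highlighted code executes. See related event 7.
Triage note: Event 8 on this same path records the check on line 573 as passing (pdata_ptr non-NULL), so the warning holds only if pdata_ptr can hold different values at the read on line 573 and the read on line 575. pdata_ptr is declared `volatile` on line 487, which is presumably why the analyzer treats the two reads as independent. Event 7 is not shown on this page (presumably it sits inside the collapsed p_get_proto_data call on line 571), so confirm it before treating this finding as a reachable crash in the dissector.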
|
| |