Wireshark-bugs: [Wireshark-bugs] [Bug 6351] Buildbot crash output: fuzz-2011-09-16-19550.pcap
Date: Tue, 20 Sep 2011 10:31:23 -0700 (PDT)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6351

Sylvain Munaut <[email protected]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[email protected]

--- Comment #4 from Sylvain Munaut <[email protected]> 2011-09-20 10:31:22 PDT ---
I couldn't reproduce the crash on my machine.

But I can imagine what happens. When the CSN_END 'pDescr' is created, it
assumes that the '.type' field is the only one that will be accessed. Which is
true except if there is a specific type of error in the recursive call that makes
the dissector try to consume more bits than there are. Then remaining bits
becomes < 0, which causes the do { } while (remaining_bits >= 0) to exit and
call ProcessError(...), and that call tries to print a good error message using
the .sz field (if it's != NULL).

I think the solution is simply to properly initialize the descr[1] entry using
a memset (all fields to 0 is a valid entry). The attached patch does that.

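An added illustration of the initialisation pattern described in the comment above; this is hypothetical model code, not Wireshark's CSN.1 dissector and not the attached patch. The names csn_descr_t, process_error, csn_decode and decode_one_field are assumptions. It shows why a stack-built terminator needs every field defined: the error path consults .sz, and the memset guarantees it is a real NULL.

```c
#include <stdio.h>
#include <string.h>
/* Hypothetical, simplified descriptor; not Wireshark's CSN_DESCR. CSN_END is
 * 0 so that an all-zero entry is a valid terminator, as the comment says. */
typedef enum { CSN_END = 0, CSN_UINT } csn_type_t;

typedef struct {
    csn_type_t  type;   /* what to decode */
    int         bits;   /* field width */
    const char *sz;     /* field name for messages; may be NULL */
} csn_descr_t;

/* Error reporter: reads .sz only if it is != NULL. If the terminator was
 * built with only '.type' set, .sz is leftover stack contents, the NULL
 * check passes and a wild pointer is dereferenced: the crash in the bug. */
static int process_error(char *out, size_t n, int remaining, const csn_descr_t *d)
{
    return snprintf(out, n, "%s: need %d more bit(s)",
                    d->sz ? d->sz : "<no name>", -remaining);
}

/* Consumes bits entry by entry until CSN_END. Returns the remaining bit
 * count (>= 0) on success, or a negative count after writing an error. */
static int csn_decode(const csn_descr_t *descr, int remaining_bits, char *err, size_t n)
{
    const csn_descr_t *p = descr;
    do {
        if (p->type == CSN_END) return remaining_bits;
        remaining_bits -= p->bits;   /* stands in for the recursive call */
        p++;
    } while (remaining_bits >= 0);
    /* p now points past the over-consuming entry, possibly at the
     * terminator, so every field of that entry must be initialized. */
    process_error(err, n, remaining_bits, p);
    return remaining_bits;
}

static char last_error[64];   /* message from the most recent failed decode */
/* Builds a one-field table plus terminator on the stack the way the fix in
 * the comment does: memset the terminator so .sz is a real NULL. */
static int decode_one_field(const char *name, int width, int available)
{
    csn_descr_t descr[2];
    descr[0].type = CSN_UINT; descr[0].bits = width; descr[0].sz = name;
    memset(&descr[1], 0, sizeof descr[1]);   /* all fields 0 == valid CSN_END */
    last_error[0] = '\0';
    return csn_decode(descr, available, last_error, sizeof last_error);
}
```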