Howdy,
While testing the changes, I stumbled over canaries in epan/emem.c
signaling memory corruption. It happened during the fuzz testing
approximately once in 30 passes. The capture file triggering this bug
is attached.
The problem is with the time_secs_to_str_buf() function. If this
function is supplied with the time value of -2147483648 (0x80000000),
the "time = -time" statement has no effect - the value of 'time'
remains 0x80000000. The conditional below which checks for that
particular value ("Unable to cope with time value"), however, gets
optimized away. As a result, the values of 'secs', 'mins' and 'hours'
are negative; when these values are converted to unsigned, they become
large 10-digit positive integers, which overflow the buffer allocated
by the time_secs_to_str() function (which is only 51 bytes).
A quick fix is to add "-fno-strict-overflow" to CFLAGS; it will prevent
GCC from optimizing out this conditional. Perhaps, configure should be
modified to check if this flag is supported and use it if it is.
Perhaps, the code in time_secs_to_str_buf() needs to be re-written to
avoid such optimization.
FWIW, I am running Ubuntu Hardy Heron (8.04.1), x86_64 architecture.
Best regards,
Alexey Neyman.
Attachment:
fuzz.pcap
Description: Binary data
