Bug ID | 8603
Summary | Endless loop in vnc_hextile_encoding
Classification | Unclassified
Product | Wireshark
Version | 1.8.6
Hardware | All
OS | All
Status | UNCONFIRMED
Severity | Normal
Priority | Low
Component | Dissection engine (libwireshark)
Assignee | [email protected]
Reporter | [email protected]
Created attachment 10635
patch for the infinite loop in vnc_hextile_encoding
Build Information:
--
Hi,
While investigating a capture, Wireshark hung. On investigating, it turned out that
in epan/dissectors/packet-vnc.c:vnc_hextile_encoding num_subrects was actually
256.
As we have "for(i = 0; i < num_subrects; i++) {", this made for a nice infinite
loop.
I did a stupid fix:
diff --git a/epan/dissectors/packet-vnc.c b/epan/dissectors/packet-vnc.c
index 2da117a..83147f9 100644
--- a/epan/dissectors/packet-vnc.c
+++ b/epan/dissectors/packet-vnc.c
@@ -1896,8 +1896,8 @@ vnc_hextile_encoding(tvbuff_t *tvb, packet_info *pinfo,
gint *offset,
proto_tree *tree, const guint16 width, const guint16
height)
{
guint8 bytes_per_pixel = vnc_get_bytes_per_pixel(pinfo);
- guint8 i, subencoding_mask, num_subrects, subrect_len,
tile_height, tile_width;
- guint32 raw_length;
+ guint8 subencoding_mask, num_subrects, subrect_len, tile_height,
tile_width;
+ guint32 i, raw_length;
proto_tree *tile_tree, *subencoding_mask_tree, *subrect_tree,
*num_subrects_tree;
proto_item *ti, *tile_item;
guint16 current_height = 0, current_width;
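Review bot: In the changed declarations, `i` becomes guint32 while `num_subrects` stays guint8, so the counter and the bound in `for(i = 0; i < num_subrects; i++)` now have different widths, and a guint8 cannot hold the value 256 given in the report. Please confirm what width the bound actually has at the comparison, or whether it is modified inside the loop body, and declare counter and bound with the same type. A one-line comment on the `guint32 i` declaration saying why it must not be 8-bit would keep a later cleanup from narrowing it again.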
which fixed the loop by making 'i' 32-bit.
The patched version worked without problems.
As the capture contains customer information, I fear that I cannot attach it.
Sorry.
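The wrap-around described in the report, as an added example that is not part of the original report or of Wireshark's code: an 8-bit loop counter can never reach a bound of 256, while a 32-bit counter can. The function names, the 32-bit `bound` parameter and `ITERATION_CAP` are assumptions made for this demonstration.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical safety cap so the demonstration itself always terminates. */
#define ITERATION_CAP 100000u

/* Loop with an 8-bit counter, like the pre-patch declaration of 'i'.
 * Returns the number of iterations, or -1 if the cap was hit, meaning
 * the loop would not have ended on its own. */
long iterations_with_u8_counter(uint32_t bound)
{
    uint8_t i;
    unsigned long steps = 0;

    for (i = 0; i < bound; i++) {   /* i++ wraps from 255 back to 0 */
        if (++steps > ITERATION_CAP)
            return -1;              /* counter can never reach the bound */
    }
    return (long)steps;
}

/* Same loop with a 32-bit counter, like the patched declaration of 'i'. */
long iterations_with_u32_counter(uint32_t bound)
{
    uint32_t i;
    unsigned long steps = 0;

    for (i = 0; i < bound; i++) {
        if (++steps > ITERATION_CAP)
            return -1;
    }
    return (long)steps;
}

int main(void)
{
    /* Constructed sample bounds: the largest 8-bit value and one past it. */
    const uint32_t bounds[] = { 255u, 256u };

    for (size_t k = 0; k < sizeof bounds / sizeof bounds[0]; k++) {
        printf("bound=%u  u8 counter: %ld  u32 counter: %ld\n",
               (unsigned)bounds[k],
               iterations_with_u8_counter(bounds[k]),
               iterations_with_u32_counter(bounds[k]));
    }
    return 0;
}
```

A result of -1 marks the case where only the added cap stopped the loop.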