Bug 10844, Comment #1, from Evan Huus
All these have the same root cause: src_buf (packet-wcp.c:479) is only being
partially initialized (packet-wcp.c:499) depending on the amount of data
available. There appear to be *some* validity checks in place but they are
clearly not sufficient, as we are ending up running past the end of the
initialized data in frame 28 of the fuzzed capture.
It's not immediately obvious to me (not knowing the format) where the logic bug
is.
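As an added illustration of the failure mode the comment describes (this is my own example, not Wireshark's code; the `history` struct, its functions, the 32-byte size and the 0xAA sentinel are constructed stand-ins for `src_buf` in packet-wcp.c), the block below fills a fixed-size buffer only as far as the packet allows and then resolves a back-reference into it twice: once with a check that only guards the allocation, and once with a check bounded by the number of bytes actually written. The first succeeds and returns stale bytes; the second rejects the reference.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HIST_SIZE 32   /* constructed; not the real src_buf size */

/* Toy model of a fixed-size history/output buffer that is only partly
 * filled from the packet (hypothetical; not packet-wcp.c). */
struct history {
    uint8_t buf[HIST_SIZE];
    size_t  filled;          /* how many bytes of buf were actually written */
};

/* Stand-in for whatever stale contents a real buffer carries before the
 * load: 0xAA is a constructed sentinel so stale reads are visible. */
static void history_init(struct history *h) {
    memset(h->buf, 0xAA, sizeof h->buf);
    h->filled = 0;
}

/* Copy as much packet data as is available; the tail of buf stays stale. */
static void history_load(struct history *h, const uint8_t *pkt, size_t avail) {
    if (avail > sizeof h->buf) avail = sizeof h->buf;
    memcpy(h->buf, pkt, avail);
    h->filled = avail;
}

/* Back-reference: copy `len` bytes from buf[start..] into out.
 * Weak check: guards only the allocation, so a read into the uninitialised
 * tail succeeds and hands back stale bytes (the bug class described above). */
static int backref_weak(const struct history *h, size_t start, size_t len,
                        uint8_t *out, size_t out_cap) {
    if (len > out_cap || start > sizeof h->buf || len > sizeof h->buf - start)
        return -1;
    memcpy(out, h->buf + start, len);
    return (int)len;
}

/* Hardened: every read is bounded by h->filled, the initialised length. */
static int backref_checked(const struct history *h, size_t start, size_t len,
                           uint8_t *out, size_t out_cap) {
    if (len > out_cap || start > h->filled || len > h->filled - start)
        return -1;
    memcpy(out, h->buf + start, len);
    return (int)len;
}

/* Constructed scenario: a short packet fills only 8 of the 32 bytes, then a
 * back-reference asks for bytes 4..11. Returns bytes copied, or -1 if the
 * reference was rejected; *stale_bytes receives how many copied bytes came
 * from the never-initialised tail. */
static int demo_copied(int hardened, int *stale_bytes) {
    static const uint8_t pkt[] = "ABCDEFGH";   /* 8 bytes available */
    struct history h;
    uint8_t out[16];
    int n, i, stale = 0;

    history_init(&h);
    history_load(&h, pkt, 8);
    n = hardened ? backref_checked(&h, 4, 8, out, sizeof out)
                 : backref_weak(&h, 4, 8, out, sizeof out);
    for (i = 0; i < n; i++)
        if (out[i] == 0xAA) stale++;
    if (stale_bytes) *stale_bytes = stale;
    return n;
}

/* Convenience wrapper: how many stale bytes the scenario leaks. */
static int demo_stale(int hardened) {
    int stale = 0;
    demo_copied(hardened, &stale);
    return stale;
}

int main(void) {
    printf("weak check:    copied %d bytes, %d of them stale\n",
           demo_copied(0, NULL), demo_stale(0));
    printf("checked:       returned %d (reference rejected)\n",
           demo_copied(1, NULL));
    return 0;
}
```

The point of the contrast is that `sizeof buf` is the wrong bound for a buffer that is filled incrementally; the only safe bound is the count of bytes actually written, which has to be carried alongside the buffer and checked on every read.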