URL: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=4413d43962e1aed72a285ae8fb68780bb64a11fe
Submitter: Peter Wu (peter@xxxxxxxxxxxxx)
Changed: branch: master
Repository: wireshark
Commits:
4413d43 by Peter Wu (peter@xxxxxxxxxxxxx):
rtcp: fix buffer overflow in transport-cc dissection
When the packet status chunks cover more packets than advertised in the
packet status count field, fail rather than writing past the end.
https://tools.ietf.org/html/draft-holmer-rmcat-transport-wide-cc-extensions-01#section-3.1.2
Bug: 14673
Change-Id: If90baef3610d8f884b0772a4b81d6dcb4ebc9227
Fixes: v2.5.0rc0-2533-ga584eab239 ("New RTCP dissector for transport-cc")
Link: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=6464
Reviewed-on: https://code.wireshark.org/review/27527
Petri-Dish: Peter Wu <peter@xxxxxxxxxxxxx>
Tested-by: Petri Dish Buildbot
Reviewed-by: Rui Zhang <rzhang@xxxxxxxxxxxxxx>
Reviewed-by: Peter Wu <peter@xxxxxxxxxxxxx>
Actions performed:
from 10306f9 Free g_array_free-related memory leaks
adds 4413d43 rtcp: fix buffer overflow in transport-cc dissection
Summary of changes:
epan/dissectors/packet-rtcp.c | 41 +++++++++++++++++++++++++++++------------
1 file changed, 29 insertions(+), 12 deletions(-)
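
The check the commit message describes, as an added example that is not the Wireshark patch or any code from the project: a stand-alone parser for transport-cc packet status chunks that compares each chunk against the remaining advertised packet status count before writing. The function name, the output buffer and the strict handling of status vector chunks are assumptions; the chunk bit layout follows the draft linked above.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example (hypothetical helper, not Wireshark code): expand transport-cc
 * packet status chunks into one status symbol per packet. `count` is the
 * advertised packet status count and also the capacity of `out`.
 * Returns the number of chunks consumed, or -1 on malformed input. */
int expand_status_chunks(const uint8_t *buf, size_t len, uint8_t *out, size_t count)
{
    size_t off = 0, written = 0;
    int chunks = 0;

    while (written < count) {
        if (len - off < 2)
            return -1;                        /* chunk runs past the buffer */
        uint16_t chunk = (uint16_t)((buf[off] << 8) | buf[off + 1]);
        off += 2;
        chunks++;

        if ((chunk & 0x8000) == 0) {          /* run length chunk */
            uint8_t symbol = (chunk >> 13) & 0x3;
            size_t run = chunk & 0x1FFF;
            if (run > count - written)        /* more packets than advertised */
                return -1;
            for (size_t i = 0; i < run; i++)
                out[written++] = symbol;
        } else {                              /* status vector chunk */
            unsigned bits = (chunk & 0x4000) ? 2 : 1;
            size_t n = 14 / bits;             /* 14 one-bit or 7 two-bit symbols */
            /* Strict policy assumed here: excess symbols are an error. */
            if (n > count - written)
                return -1;
            for (size_t i = 0; i < n; i++) {
                unsigned shift = 14 - bits * (unsigned)(i + 1);
                out[written++] = (chunk >> shift) & ((1u << bits) - 1);
            }
        }
    }
    return chunks;
}

int main(void)
{
    /* Constructed input: count = 4, but one run length chunk claims 5 packets. */
    const uint8_t bad[] = { 0x20, 0x05 };
    uint8_t out[4];
    printf("%d\n", expand_status_chunks(bad, sizeof bad, out, 4));
    return 0;
}
```

The comparison is written as `run > count - written` rather than `written + run > count` so the check itself cannot wrap, and it runs before the first store so a rejected chunk leaves the output buffer untouched.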