Wireshark-dev: [Wireshark-dev] Memory corruption on x86_64 / GCC 4.2.3

From: Alexey Neyman <avn@xxxxxxxxxxxxxxx>
Date: Sat, 2 Aug 2008 03:04:17 -0700
Howdy,

While testing the changes, I stumbled over canaries in epan/emem.c 
signaling memory corruption. It happened during the fuzz testing 
approximately once in 30 passes. The capture file triggering this bug 
is attached.

The problem is with the time_secs_to_str_buf() function. If this 
function is supplied with the time value of -2147483648 (0x80000000), 
the "time = -time" statement has no effect - the value of 'time' 
remains 0x80000000. The conditional below which checks for that 
particular value ("Unable to cope with time value"), however, gets 
optimized away. As a result, the values of 'secs', 'mins' and 'hours' 
are negative; when these values are converted to unsigned, they become 
large 10-digit positive integers, which overflow the buffer allocated 
by the time_secs_to_str() function (which is only 51 bytes).

A quick fix is to add "-fno-strict-overflow" to CFLAGS; it will prevent 
GCC from optimizing out this conditional. Perhaps, configure should be 
modified to check if this flag is supported and use it if it is. 
Perhaps, the code in time_secs_to_str_buf() needs to be re-written to 
avoid such optimization.

FWIW, I am running Ubuntu Hardy Heron (8.04.1), x86_64 architecture.

Best regards,
Alexey Neyman.

Attachment: fuzz.pcap
Description: Binary data