Wireshark-bugs: [Wireshark-bugs] [Bug 10978] Buildbot crash output: fuzz-2015-02-17-560.pcap
Date: Sat, 21 Mar 2015 17:00:43 +0000

Comment # 8 on bug 10978 from
> but I think it's with byte 49 of frame

I calculated byte 38 by putting a print statement in for every byte index, and
then seeing after which byte the valgrind errors occurred, but I'm inclined to
trust your method more.

> so the src pointer is incremented by MAX_WIN_BUF_LEN

This whole code is really weird, but as far as I can tell it decompresses
in-place (the decompressed bytes are written in the same buffer as the
compressed bytes are read) and this is handled by treating it as a circular
buffer. If my understanding is correct, then the increment makes some sense, as
it is just "we walked backwards past the front of the buffer, so wrap around".

If it is true that "src < buf_start" at this point, and buf_start points to a
buffer of length MAX_WIN_BUF_LEN, then "src + MAX_WIN_BUF_LEN" should result in
a pointer into the buffer somewhere, shouldn't it?
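The wrap-around described in this comment, as an added example that is not Wireshark's code: a back-reference resolver for an in-place circular window that makes explicit when `src + MAX_WIN_BUF_LEN` lands inside the buffer, which is only when the distance walked back is at most MAX_WIN_BUF_LEN, so a distance taken from the packet has to be range-checked before the wrap. The value of MAX_WIN_BUF_LEN, the function names and the sample bytes are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_WIN_BUF_LEN 4096  /* assumed window size; not given in the bug thread */

static uint8_t demo_win[MAX_WIN_BUF_LEN];  /* the in-place decompression window */

/* Index of the byte `dist` positions behind `dst_pos` in the circular window.
 * Returns -1 when the reference cannot be valid: a distance larger than the
 * window would wrap to a position before the buffer start. */
static ptrdiff_t window_src_index(size_t dst_pos, size_t dist)
{
    if (dist == 0 || dist > MAX_WIN_BUF_LEN || dst_pos >= MAX_WIN_BUF_LEN)
        return -1;
    if (dist > dst_pos)  /* "walked backwards past the front, so wrap around" */
        return (ptrdiff_t)(dst_pos + MAX_WIN_BUF_LEN - dist);
    return (ptrdiff_t)(dst_pos - dist);
}

/* Copy `len` bytes from the back-reference into the window, one byte at a
 * time so an overlapping reference (dist < len) repeats the pattern as an
 * LZ77-style decoder intends. Returns 0 on success, -1 on a malformed
 * reference; the window itself is never read or written out of bounds. */
static int window_copy_backref(uint8_t win[MAX_WIN_BUF_LEN], size_t dst_pos,
                               size_t dist, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        size_t d = (dst_pos + i) % MAX_WIN_BUF_LEN;
        ptrdiff_t s = window_src_index(d, dist);
        if (s < 0)
            return -1;
        win[d] = win[(size_t)s];
    }
    return 0;
}

int main(void)
{
    memset(demo_win, 0, sizeof demo_win);
    demo_win[0] = 'a';
    demo_win[1] = 'b';
    /* constructed input: repeat "ab" by referencing 2 bytes back, 5 bytes long */
    if (window_copy_backref(demo_win, 2, 2, 5) == 0)
        printf("overlap copy: %.7s\n", demo_win);          /* abababa */
    /* a distance larger than the window is rejected instead of wrapping */
    printf("oversized distance -> %d\n",
           window_copy_backref(demo_win, 0, MAX_WIN_BUF_LEN + 1, 1));  /* -1 */
    return 0;
}
```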

