author | Michael Mann <mmann78@netscape.net> | 2017-04-29 10:30:23 -0400 |
---|---|---|
committer | Michael Mann <mmann78@netscape.net> | 2017-05-02 15:25:00 +0000 |
commit | d8d7690a59059821e2a2a84ac8d925aa5e70b7ba (patch) | |
tree | 2247ee4d346ab6f5f6b9b1636ad6d0f601ea9001 | |
parent | bbae996766574f251d7bc077ce787323bcf072c5 (diff) | |
packet-bzr.c: Prevent infinite loop
Bug: 13599
Change-Id: If85588099d7c6635865614f8778a903a5e971789
Reviewed-on: https://code.wireshark.org/review/21410
Reviewed-by: Michael Mann <mmann78@netscape.net>
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
(cherry picked from commit afb4de370a4c54e08e9367b55ae142414efc6e8f)
Reviewed-on: https://code.wireshark.org/review/21459
-rw-r--r-- | epan/dissectors/packet-bzr.c | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/epan/dissectors/packet-bzr.c b/epan/dissectors/packet-bzr.c
index 6f8a5111f5..b2df6fea11 100644
--- a/epan/dissectors/packet-bzr.c
+++ b/epan/dissectors/packet-bzr.c
@@ -84,7 +84,7 @@ static guint
 get_bzr_pdu_len(packet_info *pinfo _U_, tvbuff_t *tvb, int offset)
 {
 int next_offset;
- gint len = 0;
+ gint len = 0, current_len;
 gint protocol_version_len;
 guint8 cmd = 0;
@@ -97,7 +97,10 @@ get_bzr_pdu_len(packet_info *pinfo _U_, tvbuff_t *tvb, int offset)
 len += protocol_version_len + 1;
 /* Headers */
+ current_len = len;
 len += get_bzr_prefixed_len(tvb, next_offset);
+ if (current_len > len) /* Make sure we're not going backwards */
+ return -1;
 while (tvb_reported_length_remaining(tvb, offset + len) > 0) {
 cmd = tvb_get_guint8(tvb, offset + len);
@@ -106,7 +109,10 @@ get_bzr_pdu_len(packet_info *pinfo _U_, tvbuff_t *tvb, int offset)
 switch (cmd) {
 case 's':
 case 'b':
+ current_len = len;
 len += get_bzr_prefixed_len(tvb, offset + len);
+ if (current_len > len) /* Make sure we're not going backwards */
+ return -1;
 break;
 case 'o':
 len += 1; |
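Review bot: The backwards check in the second hunk (and the identical one under `case 's'`/`case 'b'` in the third) runs after `len += get_bzr_prefixed_len(...)`, so it only fires once the addition has already wrapped or gone negative; `len` is a signed `gint`, and if the helper returns a signed value, that overflow is undefined behaviour the compiler may assume never happens. Because the prefixed length is read from packet data, testing before the add is sturdier, for example with a new local: `prefixed_len = get_bzr_prefixed_len(tvb, offset + len);` `if (prefixed_len < 0 || prefixed_len > G_MAXINT - len) return -1;` `len += prefixed_len;`. The helper's return type is not visible in these hunks, so the bound would need adjusting to match it. Separately, `return -1` in a function declared `guint` yields the largest unsigned value; a comment such as `/* -1 converts to G_MAXUINT; flags an invalid length */` would make that explicit, and how the caller handles that value lies outside the diff and is worth confirming.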