From 3cd5ac36e20d56a43e002b926aec3b99488c85a1 Mon Sep 17 00:00:00 2001
From: Dario Lombardo <lomato@gmail.com>
Date: Sat, 26 Jan 2019 17:10:53 +0100
Subject: [PATCH] BER: don't use invalid time offsets.

4 digits values could overflow the destination buffer. Skip them
since they're invalid and can only from tainted data.

Bug: 15447
Change-Id: Ice6d4f144597499483160ecaa63702025ab86f61
Reviewed-on: https://code.wireshark.org/review/31751
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
---
 epan/dissectors/packet-ber.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/epan/dissectors/packet-ber.c b/epan/dissectors/packet-ber.c
index 93291d2..925d4c1 100644
--- a/epan/dissectors/packet-ber.c
+++ b/epan/dissectors/packet-ber.c
@@ -3658,7 +3658,7 @@ dissect_ber_GeneralizedTime(gboolean implicit_tag, asn1_ctx_t *actx, proto_tree
 
     first_delim[0]  = 0;
     second_delim[0] = 0;
-    ret = sscanf( tmpstr, "%14d%1[.,+-Z]%4d%1[+-Z]%4d", &tmp_int, first_delim, &first_digits, second_delim, &second_digits);
+    ret = sscanf(tmpstr, "%14d%1[.,+-Z]%4d%1[+-Z]%4d", &tmp_int, first_delim, &first_digits, second_delim, &second_digits);
     /* tmp_int does not contain valid value because of overflow but we use it just for format checking */
     if (ret < 1) {
         /* Nothing matched */
@@ -3684,9 +3684,11 @@ dissect_ber_GeneralizedTime(gboolean implicit_tag, asn1_ctx_t *actx, proto_tree
             /*
              * Fraction of a minute or an hour.
              */
-            if (ret == 2) {
+            if (ret == 2 || first_digits < 0 || first_digits > 999) {
                 /*
-                 * We saw the decimal sign, but didn't see the fraction.
+                 * We saw the decimal sign, but didn't see the fraction
+                 * or
+                 * we got a number outside the valid range.
                  */
                 goto invalid;
             }
-- 
1.7.12.4