Blame SOURCES/wireshark-1.10.14-CVE-2015-3813.patch

dbc6ab
diff --git a/epan/reassemble.c b/epan/reassemble.c
dbc6ab
index 5ff9dcf..0838cb1 100644
dbc6ab
--- a/epan/reassemble.c
dbc6ab
+++ b/epan/reassemble.c
dbc6ab
@@ -1008,9 +1008,11 @@ fragment_add_work(fragment_data *fd_head, tvbuff_t *tvb, const int offset,
dbc6ab
 
dbc6ab
 	/* If we have reached this point, the packet is not defragmented yet.
dbc6ab
 	 * Save all payload in a buffer until we can defragment.
dbc6ab
-	 * XXX - what if we didn't capture the entire fragment due
dbc6ab
-	 * to a too-short snapshot length?
dbc6ab
 	 */
dbc6ab
+	if (!tvb_bytes_exist(tvb, offset, fd->len)) {
dbc6ab
+		g_slice_free(fragment_data, fd);
dbc6ab
+		THROW(BoundsError);
dbc6ab
+	}
dbc6ab
 	fd->data = (unsigned char *)g_malloc(fd->len);
dbc6ab
 	tvb_memcpy(tvb, fd->data, offset, fd->len);
dbc6ab
 	LINK_FRAG(fd_head,fd);