CVE-2010-1773
The math was slightly off here, and we wound up trying to access an
array at index -1 in some cases: whenever numberShadow was an exact
multiple of sequenceSize, the modulo result was 0 and the trailing
"- 1" produced -1. We need to decrement numberShadow before the modulo
rather than subtracting one from the result of the modulo operation.

diff chrome-5.0.375.54/src/third_party/WebKit/WebCore/rendering/RenderListMarker.cpp chrome-5.0.375.70/src/third_party/WebKit/WebCore/rendering/RenderListMarker.cpp
104,105c104,107
<         while ((numberShadow /= sequenceSize) > 0)
<             letters[lettersSize - ++length] = sequence[numberShadow % sequenceSize - 1];
---
>         while ((numberShadow /= sequenceSize) > 0) {
>             --numberShadow;
>             letters[lettersSize - ++length] = sequence[numberShadow % sequenceSize];
>         }
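Review bot: The `--numberShadow;` line is the whole fix, but nothing in the hunk records why it is needed, so a later reader may "simplify" it back into the modulo expression; a one-line comment would pin it: `// Digits run 1..sequenceSize (a, b, ..., z, aa, ab, ...), so shift to 0-based before indexing sequence.` Before this change a numberShadow that was an exact multiple of sequenceSize produced `sequence[-1]`. The enclosing function starts before the hunk and continues after it, so the bound on `letters[lettersSize - ++length]` is not visible here.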


CVE-2010-1772
http://trac.webkit.org/changeset/59859/trunk/WebCore/page/Geolocation.cpp
chrome-5.0.375.54/src/third_party/WebKit/WebCore/page/Geolocation.cpp
Line 225 inserted
      if (m_frame && m_frame->page() && m_allowGeolocation == InProgress)
          m_frame->page()->chrome()->cancelGeolocationPermissionRequestForFrame(m_frame, this);
+     stopTimers();
      stopUpdating();
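Review bot: The inserted `stopTimers();` has no comment saying what it prevents; the hunk shows only that it runs after the pending permission request is cancelled and before `stopUpdating()`. A comment such as `// Pending callback timers would otherwise fire after the frame is gone; cancel them before tearing down.` would keep the security intent from being lost in a refactor (the exact failure mode is presumably a callback into a disconnected frame; confirm against the bug). The enclosing function begins and ends outside the hunk, so whether m_frame is cleared afterwards cannot be checked here.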


CVE-2010-2302
http://code.google.com/p/chromium/issues/detail?id=44740
Use-after-free hence SecSeverity-High
https://bugs.webkit.org/show_bug.cgi?id=39453
Fixed in <http://trac.webkit.org/projects/webkit/changeset/59876>.

When a remote font is loaded, CSSFontSelector forces a style recalc, which replaces all RenderStyles that have FontFallbackLists referencing the placeholder font with fresh RenderStyles. However, it does not descend into shadow DOM trees, so those may end up with styles that still reference the placeholder font.

The fix is to add RenderObject::requiresForcedStyleRecalcPropagation() and have it return true from renderers that maintain shadow DOM trees or otherwise keep their own RenderStyles.



--- chrome-5.0.375.54/src/third_party/WebKit//WebCore/dom/Element.cpp
+++ chrome-5.0.375.70/src/third_party/WebKit//trunk/WebCore/dom/Element.cpp
@@ -937,5 +937,5 @@
         }
 
-        if (ch != NoChange || pseudoStyleCacheIsInvalid(currentStyle.get(), newStyle.get())) {
+        if (ch != NoChange || pseudoStyleCacheIsInvalid(currentStyle.get(), newStyle.get()) || change == Force && renderer() && renderer()->requiresForcedStyleRecalcPropagation()) {
             setRenderStyle(newStyle);
         } else if (needsStyleRecalc() && (styleChangeType() != SyntheticStyleChange) && (document()->usesSiblingRules() || document()->usesDescendantRules())) {
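Review bot: The new condition on the `if` line mixes `||` and `&&` without parentheses; `change == Force && renderer() && renderer()->requiresForcedStyleRecalcPropagation()` binds correctly by precedence, but it is easy to misread and compilers warn on it (-Wparentheses). I would write `|| (change == Force && renderer() && renderer()->requiresForcedStyleRecalcPropagation())` and add above it `// Renderers that own shadow trees must receive a fresh RenderStyle on a forced recalc even when nothing else changed.` The enclosing function starts and ends outside the hunk.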

CVE-2010-2301
HTML Entity Escape the contents of a textarea node when accessed via the innerHTML and outerHTML node properties
http://trac.webkit.org/changeset/59241
chrome-5.0.375.54/src/third_party/WebKit/WebCore/editing/markup.cpp chrome-5.0.375.70/src/third_party/WebKit/WebCore/editing/markup.cpp
@@ -405,7 +405,9 @@
                 if (parent->hasTagName(scriptTag)
                     || parent->hasTagName(styleTag)
-                    || parent->hasTagName(textareaTag)
                     || parent->hasTagName(xmpTag)) {
                     appendUCharRange(result, ucharRange(node, range));
+                    break;
+                } else if (parent->hasTagName(textareaTag)) {
+                    appendEscapedContent(result, ucharRange(node, range), documentIsHTML);                    
                     break;
                 }
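Review bot: The new `else if` branch carries no comment explaining why textarea alone is escaped while script, style and xmp are still written raw, which is the security-relevant distinction here. I would add above the branch `// <textarea> content is re-parsed for character references and ended by a literal </textarea>, so raw text could break out of the element; escape it.` The added `appendEscapedContent(...)` line also has trailing whitespace. The enclosing function starts and ends outside the hunk.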

CVE-2010-2300
http://trac.webkit.org/changeset/59109
The normalize() method may be called on DOM elements to merge adjacent text nodes within the element's hierarchy. This includes merging child text nodes as well as attribute text nodes. Attributes are handled by the Element::normalizeAttributes() function, which inspects each attribute node of a given element and, if it contains child text nodes, merges them. Internally, an element holds attributes within a vector (m_attributes). When Element::normalizeAttributes() is called, the length of this vector is determined, and then a loop is entered where attributes are accessed one at a time and normalized. However, the normalization process can cause text nodes to be modified or deleted, resulting in DOM mutation events being fired. If handlers for these events are installed that remove attributes from the element being normalized, then normalizeAttributes() will access m_attributes elements past the end of the vector, because the loop bound was captured before the loop and is never re-checked. Removing elements from m_attributes does not actually cause it to be relocated in memory, so accessing elements past the end of the vector will result in utilizing stale pointers of the removed attribute nodes. These stale pointers are passed to normalize() and will potentially be written to, resulting in memory corruption and arbitrary code execution.

Fix: Copy attributes to a vector before iterating.

diff chrome-5.0.375.54/src/third_party/WebKit/WebCore/dom/Element.cpp chrome-5.0.375.70/src/third_party/WebKit/WebCore/dom/Element.cpp
1424,1426c1424,1432
<     unsigned numAttrs = attrs->length();
<     for (unsigned i = 0; i < numAttrs; i++) {
<         if (Attr* attr = attrs->attributeItem(i)->attr())
              attr->normalize();
      }
---
> 
>     if (attrs->isEmpty())
>         return;
> 
>     Vector<RefPtr<Attribute> > attributeVector;
>     attrs->copyAttributesToVector(attributeVector);
>     size_t numAttrs = attributeVector.size();
>     for (size_t i = 0; i < numAttrs; ++i) {
>         if (Attr* attr = attributeVector[i]->attr())
              attr->normalize();
      }
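Review bot: The snapshot into `attributeVector` is the fix, but the loop has no comment saying why a copy is needed, and the reason (mutation events fired from `attr->normalize()` can remove attributes from `attrs` while this loop runs) is invisible from the code. Suggested comment above the copy: `// normalize() can fire mutation events that remove attributes; iterate a snapshot so m_attributes shrinking underneath us cannot index past the end.` An Attr removed during the loop is still normalized here, presumably harmlessly since the RefPtr snapshot keeps it alive, but that is worth stating too. The enclosing function starts outside the hunk.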

CVE-2010-2299
http://code.google.com/p/chromium/issues/detail?id=43307
http://src.chromium.org/viewvc/chrome?view=rev&revision=46639
The DispatchObject() function reads a series of clipboard objects from the untrusted renderer process and stores them in the clipboard object in the browser process. One particular object type, CBF_SMBITMAP, contains a vector<char> input parameter whose contents are simply interpreted as a pointer to a SharedMemory object (i.e. the character buffer's contents are really a pointer, not a byte stream). Normally, this would be a dangerous operation, as an arbitrary pointer supplied by the untrusted renderer process could be misinterpreted, leading to potential illegal memory accesses and so forth. However, the renderer ordinarily doesn't supply this pointer directly. Instead, that parameter is replaced on the browser side in Clipboard::ReplaceSharedMemHandle() with a pointer to an object created within the browser process. However, Clipboard::ReplaceSharedMemHandle() is only called when processing the ViewHostMsg_ClipboardWriteObjectsSync message, not when processing ViewHostMsg_ClipboardWriteObjectsAsync messages. Therefore, if CBF_SMBITMAP objects are included in a ViewHostMsg_ClipboardWriteObjectsAsync message, no replacement is done on the input parameters, hence allowing the renderer to supply an arbitrary SharedMemoryHandle pointer. This can potentially lead to illegal memory accesses and arbitrary code execution.

    // the write on the UI thread.
    Clipboard::ObjectMap* long_living_objects = new Clipboard::ObjectMap(objects);
  
+   // This async message doesn't support shared-memory based bitmaps; they must
+   // be removed otherwise we might dereference a rubbish pointer.
+   long_living_objects->erase(Clipboard::CBF_SMBITMAP);
+ 
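Review bot: Erasing `CBF_SMBITMAP` from `long_living_objects` is a denylist: any future object type whose payload is interpreted as an in-process pointer would need the same treatment here, and nothing in the hunk enforces that. A safer shape is to drop every type not in an explicit allowlist on the async path, or to reject the message outright when it carries an object that cannot be sanitized, mirroring what `ReplaceSharedMemHandle()` does on the sync path. The erase also happens only on the copy, so the original `objects` map still holds the untrusted entry; that is fine as long as it is not used again later in the function, which starts and ends outside the hunk.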

CVE-2010-2298
http://code.google.com/p/chromium/issues/detail?id=43304

Sandbox escape caused by the interaction of the renderer message 
ViewHostMsg_DatabaseOpenFile and chroot()-based sandboxing. In OS_POSIX-
based systems, the browser sends a directory file descriptor over the 
browser<->renderer IPC channel. Unfortunately, this enables easy escaping 
of the sandbox via:
fchdir(dir_fd);   /* cwd is now a directory outside the chroot jail */
chdir("..");      /* relative traversal from there is no longer confined */

Fix: Don't return the directory descriptor for SQLite.

diff chrome-5.0.375.54/src/chrome/browser/renderer_host/database_dispatcher_host.cc chrome-5.0.375.70/src/chrome/browser/renderer_host/database_dispatcher_host.cc
178a179,184
+ #if defined(OS_POSIX)
+   if (target_dir_handle >= 0)
+     close(target_dir_handle);
+   target_dir_handle = -1;
+ #endif
+ 
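Review bot: The new `#if defined(OS_POSIX)` block closes and clears `target_dir_handle` without saying why, and the reason is the sandbox boundary: a directory descriptor handed to a chroot-sandboxed renderer lets it `fchdir()` out of the jail. I would add `// Never hand the renderer a directory fd: under the chroot() sandbox it can fchdir() to it and walk out of the jail.` above the block. The enclosing function starts and ends outside the hunk, so whether an equivalent directory handle is still sent on other platforms cannot be checked here.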


CVE-2010-2297
http://code.google.com/p/chromium/issues/detail?id=42723
m_width is a vector.
Line 87 of FixedTableLayout.cpp: m_width.resize(nEffCols);

In v8/src/checks.h:
// The ASSERT macro is equivalent to CHECK except that it only
// generates code in debug builds.  Ditto STATIC_ASSERT.

Analysis
--------

chrome-5.0.375.54/src/third_party/WebKit/WebCore/rendering/FixedTableLayout.cpp

                int usedSpan = 0;
                int i = 0;
                while (usedSpan < span) {
                    //ASSERT(cCol + i < nEffCols);
                    int eSpan = m_table->spanOfEffCol(cCol + i);
                    // Only set if no col element has already set it.
                    if (m_width[cCol + i].isAuto() && w.type() != Auto) {
                        m_width[cCol + i].setRawValue(w.type(), 
w.rawValue() * eSpan / span);
                        usedWidth += effWidth * eSpan / span;
                    }
                    usedSpan += eSpan;
                    i++;
                }

The repro causes "i" to go large and out-of-bounds.
A debug build will crash on the ASSERT() that I commented out.
An optimized build will typically crash due to an out-of-bounds array read 
due to the large "i" value.

Note that isAuto() and setRawValue() are non-virtual; otherwise this would 
be clearly exploitable, since a virtual call on an out-of-bounds element 
would dispatch through an attacker-influenced vtable pointer.

setRawValue() is under some conditions writing out-of-bounds to an array so 
this is still likely exploitable. Assigning SecSeverity-High out of an 
abundance of caution.

http://src.chromium.org/viewvc/chrome?view=rev&revision=48059 
--- branches/WebKit/375/WebCore/rendering/FixedTableLayout.cpp	2010/05/24 18:22:34	48058
+++ branches/WebKit/375/WebCore/rendering/FixedTableLayout.cpp	2010/05/24 18:26:34	48059
@@ -166,8 +166,7 @@
                 
                 int usedSpan = 0;
                 int i = 0;
-                while (usedSpan < span) {
-                    ASSERT(cCol + i < nEffCols);
+                while (usedSpan < span && cCol + i < nEffCols) {
                     int eSpan = m_table->spanOfEffCol(cCol + i);
                     // Only set if no col element has already set it.
                     if (m_width[cCol + i].isAuto() && w.type() != Auto) {
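Review bot: The new loop condition `cCol + i < nEffCols` clamps the index but silently truncates the span of a malformed `<col>` group, and with the ASSERT removed debug builds no longer flag such input; a comment should record that this is deliberate: `// A col span can run past the remaining effective columns on malformed tables; stop at the end rather than index past m_width.` The loop can now exit with `usedSpan < span`, so any code after the hunk that assumes the full span was distributed should be re-checked. The enclosing function starts and ends outside the hunk.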


CVE-2010-2295
Revision 48067
        https://bugs.webkit.org/show_bug.cgi?id=26824
        <rdar://problem/7018610> EventHandler can operate on a wrong frame if focus changes during
        keyboard event dispatch.

        EventHandler object is tied to a frame, so it's wrong for it to continue processing a keyboard
        event if focused frame changes between keydown and keypress.

        * manualtests/focuschangebetweenkeyevents.html: Added.

        * page/EventHandler.cpp: (WebCore::EventHandler::keyEvent): Bail out early if focused frame
        changes while dispatching keydown. Also made similar changes for Windows to maintain matching
        behavior, even though EventHandler was reentered anyway due to WM_KEYDOWN and WM_CHAR being
        separate events.

--- branches/WebKit/375/WebCore/page/EventHandler.cpp	2010/05/24 19:30:45	48066
+++ branches/WebKit/375/WebCore/page/EventHandler.cpp	2010/05/24 19:33:39	48067
@@ -2162,7 +2162,9 @@
 
     if (initialKeyEvent.type() == PlatformKeyboardEvent::RawKeyDown) {
         node->dispatchEvent(keydown, ec);
-        return keydown->defaultHandled() || keydown->defaultPrevented();
+        // If frame changed as a result of keydown dispatch, then return true to avoid sending a subsequent keypress message to the new frame.
+        bool changedFocusedFrame = m_frame->page() && m_frame != m_frame->page()->focusController()->focusedOrMainFrame();
+        return keydown->defaultHandled() || keydown->defaultPrevented() || changedFocusedFrame;
     }
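Review bot: The `changedFocusedFrame` expression added here is repeated verbatim in the next hunk; a small private helper would keep the two in step, e.g. `bool EventHandler::focusedFrameChanged() const { return m_frame->page() && m_frame != m_frame->page()->focusController()->focusedOrMainFrame(); }`. The inline comment says "return true" while the code returns the OR of three flags; wording it as "treat the event as handled" would match what the caller sees. The enclosing function starts before the hunk.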
 
     // Run input method in advance of DOM event handling.  This may result in the IM
@@ -2182,7 +2184,9 @@
     }
 
     node->dispatchEvent(keydown, ec);
-    bool keydownResult = keydown->defaultHandled() || keydown->defaultPrevented();
+    // If frame changed as a result of keydown dispatch, then return early to avoid sending a subsequent keypress message to the new frame.
+    bool changedFocusedFrame = m_frame->page() && m_frame != m_frame->page()->focusController()->focusedOrMainFrame();
+    bool keydownResult = keydown->defaultHandled() || keydown->defaultPrevented() || changedFocusedFrame;
     if (handledByInputMethod || (keydownResult && !backwardCompatibilityMode))
         return keydownResult;
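Review bot: Folding `changedFocusedFrame` into `keydownResult` only causes an early return when `!backwardCompatibilityMode`, per the `if` on the following line, so in backward-compatibility mode a keydown that moved focus still falls through toward keypress dispatch unless something after the hunk re-checks it. If that mode is meant to be exempt, a comment saying so would help; otherwise test the frame check independently: `if (handledByInputMethod || changedFocusedFrame || (keydownResult && !backwardCompatibilityMode)) return keydownResult;`. The enclosing function continues after the hunk.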
     

CVE-2010-2287
Bug 4837
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=4837
Revision 33087
http://anonsvn.wireshark.org/viewvc?revision=33087&view=revision
-	out_buff = g_malloc(65535);
+	out_buff = g_malloc(UDVM_MEMORY_SIZE);
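Review bot: `g_malloc(UDVM_MEMORY_SIZE)` fixes the undersized buffer only if every write into out_buff is bounded by the same constant, and the hunk does not show that bound; a comment tying them together would help: `/* must cover the full UDVM address space; stores elsewhere mask addresses with 0xFFFF */` (presumably UDVM_MEMORY_SIZE is 65536 rather than 65535; confirm). If any path reads out_buff before writing it, `g_malloc0` would also avoid leaking uninitialized heap into the decompressed output. The enclosing function is outside the hunk.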

CVE-2010-2286
Bug 4826
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=4826
Revision 33061
http://anonsvn.wireshark.org/viewvc?view=revision&revision=33061
Index: epan/sigcomp-udvm.c
===================================================================
--- epan/sigcomp-udvm.c	(revision 33054)
+++ epan/sigcomp-udvm.c	(working copy)
@@ -333,11 +333,11 @@
 		result_code = 15;
 		goto decompression_failure;
 	}
+	used_udvm_cycles++;
 	current_instruction = buff[current_address];
 
 	switch ( current_instruction ) {
 	case SIGCOMP_INSTR_DECOMPRESSION_FAILURE:
-		used_udvm_cycles++;
 		if ( result_code == 0 )
 			result_code = 9;
 		proto_tree_add_text(udvm_tree, bytecode_tvb, 0, -1,
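Review bot: Moving `used_udvm_cycles++` ahead of the `switch` makes every fetched instruction cost at least one cycle, which is what closes the unbounded-loop hole, but the new line has no comment and the per-opcode `+ length`/`+ n` additions later in the diff now silently rely on it. Suggested comment: `/* Every instruction costs one cycle; opcode handlers below add only their length-dependent part. */`. Note that the failure branch at the top of the hunk (result_code 15, presumably the cycle limit) runs before the increment, so the instruction that reaches the limit still executes once before the next fetch fails; that bounds work fine but should be intended. The enclosing function starts and ends outside the hunk.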
@@ -365,7 +365,6 @@
 		break;
 
 	case SIGCOMP_INSTR_AND: /* 1 AND ($operand_1, %operand_2) */
-		used_udvm_cycles++;
 		if (show_instr_detail_level == 2 ){
 			proto_tree_add_text(udvm_tree, bytecode_tvb, 0, -1,
 				"Addr: %u ## AND(1) (operand_1, operand_2)",
@@ -407,7 +406,6 @@
 		break;
 
 	case SIGCOMP_INSTR_OR: /* 2 OR ($operand_1, %operand_2) */
-		used_udvm_cycles++;
 		if (show_instr_detail_level == 2 ){
 			proto_tree_add_text(udvm_tree, bytecode_tvb, 0, -1,
 				"Addr: %u ## OR(2) (operand_1, operand_2)",
@@ -449,7 +447,6 @@
 		break;
 
 	case SIGCOMP_INSTR_NOT: /* 3 NOT ($operand_1) */
-		used_udvm_cycles++;
 		if (show_instr_detail_level == 2 ){
 			proto_tree_add_text(udvm_tree, bytecode_tvb, 0, -1,
 				"Addr: %u ## NOT(3) ($operand_1)",
@@ -483,7 +480,6 @@
 		break;
 
 	case SIGCOMP_INSTR_LSHIFT: /* 4 LSHIFT ($operand_1, %operand_2) */
-		used_udvm_cycles++;
 		if (show_instr_detail_level == 2 ){
 			proto_tree_add_text(udvm_tree, bytecode_tvb, 0, -1,
 				"Addr: %u ## LSHIFT(4) ($operand_1, operand_2)",
@@ -524,7 +520,6 @@
 
 		break;
 	case SIGCOMP_INSTR_RSHIFT: /* 5 RSHIFT ($operand_1, %operand_2) */
-		used_udvm_cycles++;
 		if (show_instr_detail_level == 2 ){
 			proto_tree_add_text(udvm_tree, bytecode_tvb, 0, -1,
 				"Addr: %u ## RSHIFT(5) (operand_1, operand_2)",
@@ -564,7 +559,6 @@
 		goto execute_next_instruction;
 		break;
 	case SIGCOMP_INSTR_ADD: /* 6 ADD ($operand_1, %operand_2) */
-		used_udvm_cycles++;
 		if (show_instr_detail_level == 2 ){
 			proto_tree_add_text(udvm_tree, bytecode_tvb, 0, -1,
 				"Addr: %u ## ADD(6) (operand_1, operand_2)",
@@ -604,7 +598,6 @@
 		goto execute_next_instruction;
 
 	case SIGCOMP_INSTR_SUBTRACT: /* 7 SUBTRACT ($operand_1, %operand_2) */
-		used_udvm_cycles++;
 		if (show_instr_detail_level == 2 ){
 			proto_tree_add_text(udvm_tree, bytecode_tvb, 0, -1,
 				"Addr: %u ## SUBTRACT(7) (operand_1, operand_2)",
@@ -645,7 +638,6 @@
 		break;
 
 	case SIGCOMP_INSTR_MULTIPLY: /* 8 MULTIPLY ($operand_1, %operand_2) */
-		used_udvm_cycles++;
 		if (show_instr_detail_level == 2 ){
 			proto_tree_add_text(udvm_tree, bytecode_tvb, 0, -1,
 				"Addr: %u ##MULTIPLY(8) (operand_1, operand_2)",
@@ -693,7 +685,6 @@
 		break;
 
 	case SIGCOMP_INSTR_DIVIDE: /* 9 DIVIDE ($operand_1, %operand_2) */
-		used_udvm_cycles++;
 		if (show_instr_detail_level == 2 ){
 			proto_tree_add_text(udvm_tree, bytecode_tvb, 0, -1,
 				"Addr: %u ## DIVIDE(9) (operand_1, operand_2)",
@@ -743,7 +734,6 @@
 		break;
 
 	case SIGCOMP_INSTR_REMAINDER: /* 10 REMAINDER ($operand_1, %operand_2) */
-		used_udvm_cycles++;
 		if (show_instr_detail_level == 2 ){
 			proto_tree_add_text(udvm_tree, bytecode_tvb, 0, -1,
 				"Addr: %u ## REMAINDER(10) (operand_1, operand_2)",
@@ -849,7 +839,7 @@
 				operand_address, ref_destination);
 		}
 		current_address = next_operand_address;
-		used_udvm_cycles = used_udvm_cycles + 1 + length;
+		used_udvm_cycles = used_udvm_cycles + length;
 
 		n = 0;
 		k = position;
@@ -944,7 +934,6 @@
 			proto_tree_add_text(udvm_tree, bytecode_tvb, 0, -1,"     Loading bytes at %u Value %u 0x%x",
 					addr, value, value);
 		}
-		used_udvm_cycles++;
 		current_address = next_operand_address;
 		goto execute_next_instruction;
 		break;
@@ -982,7 +971,7 @@
 				current_address, addr, n, n-1);
 		}
 		operand_address = next_operand_address;
-		used_udvm_cycles = used_udvm_cycles + 1 + n;
+		used_udvm_cycles = used_udvm_cycles + n;
 		while ( n > 0) {
 			n = n - 1;
 			/* %value */
@@ -1051,7 +1040,6 @@
 		buff[stack_location] = (stack_fill >> 8) & 0x00FF;
 		buff[(stack_location+1) & 0xFFFF] = stack_fill & 0x00FF;
 
-		used_udvm_cycles++;
 		goto execute_next_instruction;
 
 		break;
@@ -1108,7 +1096,6 @@
 		buff[destination] = (value >> 8) & 0x00FF;
 		buff[(destination+1) & 0xFFFF] = value & 0x00FF;
 
-		used_udvm_cycles++;
 		goto execute_next_instruction;
 
 		break;
@@ -1196,7 +1183,7 @@
 				position = byte_copy_left;
 			}
 		}
-		used_udvm_cycles = used_udvm_cycles + 1 + length;
+		used_udvm_cycles = used_udvm_cycles + length;
 		goto execute_next_instruction;
 		break;
 
@@ -1290,7 +1277,7 @@
 		buff[result_dest] = k >> 8;
 		buff[result_dest + 1] = k & 0x00ff;
 
-		used_udvm_cycles = used_udvm_cycles + 1 + length;
+		used_udvm_cycles = used_udvm_cycles + length;
 		goto execute_next_instruction;
 		break;
 
@@ -1420,7 +1407,7 @@
 		}
 		buff[result_dest] = k >> 8;
 		buff[result_dest + 1] = k & 0x00ff;
-		used_udvm_cycles = used_udvm_cycles + 1 + length;
+		used_udvm_cycles = used_udvm_cycles + length;
 		goto execute_next_instruction;
 
 		break;
@@ -1497,7 +1484,7 @@
 			k = ( k + 1 ) & 0xffff;
 			n++;
 		}/* end while */
-		used_udvm_cycles = used_udvm_cycles + 1 + length;
+		used_udvm_cycles = used_udvm_cycles + length;
 		goto execute_next_instruction;
 		break;
 
@@ -1523,7 +1510,6 @@
 				current_address, at_address);
 		}
 		current_address = at_address;
-		used_udvm_cycles++;
 		goto execute_next_instruction;
 		break;
 
@@ -1600,7 +1586,6 @@
 			current_address = at_address_2;
 		if ( value_1 > value_2 )
 			current_address = at_address_3;
-		used_udvm_cycles++;
 		goto execute_next_instruction;
 		break;
 
@@ -1644,7 +1629,6 @@
 		/* ... and jump to the destination address */
 		current_address = at_address;
 
-		used_udvm_cycles++;
 		goto execute_next_instruction;
 
 		break;
@@ -1679,7 +1663,6 @@
 		/* ... and set the PC to the popped value */
 		current_address = at_address;
 
-		used_udvm_cycles++;
 		goto execute_next_instruction;
 
 		break;
@@ -1741,7 +1724,7 @@
 			result_code = 6;
 			goto decompression_failure;
 		}
-		used_udvm_cycles = used_udvm_cycles + 1 + n;
+		used_udvm_cycles = used_udvm_cycles + n;
 
 		goto execute_next_instruction;
 
@@ -1787,7 +1770,7 @@
 				operand_address, at_address);
 		}
 		 /* operand_value = (memory_address_of_instruction + D) modulo 2^16 */
-		used_udvm_cycles = used_udvm_cycles + 1 + length;
+		used_udvm_cycles = used_udvm_cycles + length;
 
 		n = 0;
 		k = position;
@@ -1943,7 +1926,7 @@
 			k = ( k + 1 ) & 0xffff;
 			n++;
 		}
-		used_udvm_cycles = used_udvm_cycles + 1 + length;
+		used_udvm_cycles = used_udvm_cycles + length;
 		current_address = next_operand_address;
 		goto execute_next_instruction;
 		break;
@@ -2034,7 +2017,6 @@
 				buff, &old_input_bit_order, &remaining_bits,
 				&input_bits, &input_address, length, &result_code, msg_end);
 		if ( result_code == 11 ){
-			used_udvm_cycles = used_udvm_cycles + 1;
 			current_address = at_address;
 			goto execute_next_instruction;
 		}
@@ -2049,7 +2031,6 @@
 			"               Loading value: %u (0x%x) at Addr: %u, remaining_bits: %u", value, value, destination, remaining_bits);
 		}
 
-		used_udvm_cycles = used_udvm_cycles + 1;
 		goto execute_next_instruction;
 		break;
 	case SIGCOMP_INSTR_INPUT_HUFFMAN: /* 30 */
@@ -2096,7 +2077,7 @@
 				current_address, destination, at_address, n, n, n, n, n);
 		}
 
-		used_udvm_cycles = used_udvm_cycles + 1 + n;
+		used_udvm_cycles = used_udvm_cycles + n;
 
 		/*
 		 * Note that if n = 0 then the INPUT-HUFFMAN instruction is ignored and
@@ -2338,7 +2319,7 @@
 		if ( result_code != 0 ){
 			goto decompression_failure;
 		}
-		used_udvm_cycles = used_udvm_cycles + 1 + state_length;
+		used_udvm_cycles = used_udvm_cycles + state_length;
 		goto execute_next_instruction;
 		break;
 	case SIGCOMP_INSTR_STATE_CREATE: /* 32 */
@@ -2440,7 +2421,7 @@
 		state_instruction_buff[no_of_state_create] = state_instruction;
 		state_minimum_access_length_buff[no_of_state_create] = minimum_access_length;
 		state_state_retention_priority_buff[no_of_state_create] = state_retention_priority;
-		used_udvm_cycles = used_udvm_cycles + 1 + state_length;
+		used_udvm_cycles = used_udvm_cycles + state_length;
 		/* Debug */
 		byte_copy_right = buff[66] << 8;
 		byte_copy_right = byte_copy_right | buff[67];
@@ -2507,7 +2488,6 @@
 		 * TODO implement it
 		 */
 		udvm_state_free(buff,p_id_start,p_id_length);
-		used_udvm_cycles++;
 
 		goto execute_next_instruction;
 		break;
@@ -2584,7 +2564,7 @@
 			output_address ++;
 			n++;
 		}
-		used_udvm_cycles = used_udvm_cycles + 1 + output_length;
+		used_udvm_cycles = used_udvm_cycles + output_length;
 		goto execute_next_instruction;
 		break;
 	case SIGCOMP_INSTR_END_MESSAGE: /* 35 */
@@ -2752,7 +2732,7 @@
 		/*
 		proto_tree_add_text(udvm_tree, decomp_tvb, 0, -1,"SigComp message Decompressed");
 		*/
-		used_udvm_cycles = used_udvm_cycles + 1 + state_length;
+		used_udvm_cycles = used_udvm_cycles + state_length;
 		proto_tree_add_text(udvm_tree, bytecode_tvb, 0, -1,"maximum_UDVM_cycles %u used_udvm_cycles %u",
 			maximum_UDVM_cycles, used_udvm_cycles);
 		return decomp_tvb;

CVE-2010-2285
wireshark-1.2.9/epan/dissectors/packet-smb-pipe.c, line 2141
-	string);
+	string ? string : "(null)");
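Review bot: `string ? string : "(null)"` stops the NULL dereference in the format call but does not say where a NULL comes from; a short comment at the call site, `/* string is NULL when the field is absent or truncated; never pass NULL to %s */`, keeps the guard from being dropped later (the exact source of the NULL is presumably the preceding fetch, which is outside this excerpt). Only part of the enclosing statement is visible here.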

CVE-2010-2284
2 fixes: Rev 32922, Rev 33046 - Fix a stack overrun in the BER dissector.
--- trunk/epan/dissectors/packet-ber.c	2010/05/23 22:23:33	32921
+++ trunk/epan/dissectors/packet-ber.c	2010/06/02 13:33:37	33046
@@ -820,20 +820,24 @@
 	return offset;
 }
 
-/* this function gets the length octets of the BER TLV.
- * We only handle (TAGs and) LENGTHs that fit inside 32 bit integers.
+/** Try to get the length octets of the BER TLV.
+ * Only (TAGs and) LENGTHs that fit inside 32 bit integers are supported.
+ *
+ * @return TRUE if we have the entire length, FALSE if we're in the middle of
+ * an indefinite length and haven't reached EOC.
  */
 /* 8.1.3 Length octets */
-int
-get_ber_length(tvbuff_t *tvb, int offset, guint32 *length, gboolean *ind) {
+static gboolean
+try_get_ber_length(tvbuff_t *tvb, int *bl_offset, guint32 *length, gboolean *ind) {
+	int offset = *bl_offset;
 	guint8 oct, len;
-	guint32 tmp_len;
+	guint32 tmp_len; 
 	guint32 tmp_length;
 	gboolean tmp_ind;
-	int tmp_offset,s_offset;
+	int tmp_offset;
 	gint8 tclass;
-	gboolean tpc;
 	gint32 ttag;
+
 	tmp_length = 0;
 	tmp_ind = FALSE;
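Review bot: The new `bl_offset` parameter is in/out but the fresh doc comment documents only the return value; add `@param bl_offset in: offset of the length octets, out: first offset after them` so callers know it is advanced. The `guint32 tmp_len;` line also picked up trailing whitespace in the rewrite. The function body continues in the following hunks.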
 
@@ -855,24 +859,21 @@
 		} else {
 			/* 8.1.3.6 */
 
+			/* indefinite length encoded - must be constructed */
 			tmp_offset = offset;
-			/* ok in here we can traverse the BER to find the length, this will fix most indefinite length issues */
-			/* Assumption here is that indefinite length is always used on constructed types*/
-			/* check for EOC */
-			while (tvb_get_guint8(tvb, offset) || tvb_get_guint8(tvb, offset+1)) {
-				/* not an EOC at offset */
-				s_offset=offset;
-				offset= get_ber_identifier(tvb, offset, &tclass, &tpc, &ttag);
-				offset= get_ber_length(tvb,offset, &tmp_len, NULL);
-				tmp_length += tmp_len+(offset-s_offset); /* length + tag and length */
-				offset += tmp_len;
-                                /* Make sure we've moved forward in the packet */
-				if (offset <= s_offset)
-					THROW(ReportedBoundsError);
-			}
-			tmp_length += 2;
+			
+			do {
+				tmp_offset = get_ber_identifier(tvb, tmp_offset, &tclass, NULL, &ttag);
+				
+				try_get_ber_length(tvb, &tmp_offset, &tmp_len, &tmp_ind);
+
+				tmp_offset += tmp_len;
+
+			} while (!((tclass == BER_CLASS_UNI) && (ttag == 0) && (tmp_len == 0))); 
+
+			tmp_length = tmp_offset - offset;
 			tmp_ind = TRUE;
-			offset = tmp_offset;
+
 		}
 	}
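Review bot: The new `do { } while` loop drops the forward-progress check the old code had (`if (offset <= s_offset) THROW(ReportedBoundsError);`), so termination now depends on `get_ber_identifier`/`try_get_ber_length` always advancing `tmp_offset` or on the tvb accessors throwing at the end of the buffer. Each nested indefinite-length TLV also recurses into `try_get_ber_length` with no depth limit, so a packet of deeply nested indefinite-length headers drives stack depth with packet size; given the commit is titled a stack-overrun fix, a depth counter or at least a per-iteration progress check is warranted, e.g. save `prev = tmp_offset;` at the top of the loop and `if (tmp_offset <= prev) THROW(ReportedBoundsError);` at the bottom. The recursive call's return value is ignored as well. The enclosing function spans several hunks.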
 
@@ -885,7 +886,22 @@
 printf("get BER length %d, offset %d (remaining %d)\n", tmp_length, offset, tvb_length_remaining(tvb, offset));
 #endif
 
-	return offset;
+	*bl_offset = offset;
+	return TRUE;
+}
+
+int
+get_ber_length(tvbuff_t *tvb, int offset, guint32 *length, gboolean *ind) 
+{
+	int bl_offset = offset;
+	guint32 bl_length;
+
+	try_get_ber_length(tvb, &bl_offset, &bl_length, ind);
+
+	if (length)
+		*length = bl_length;
+
+	return bl_offset;
 }
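Review bot: `try_get_ber_length` returns `TRUE` at its only visible exit, so the header comment's promise of a FALSE return mid-indefinite-length is not implemented, and `get_ber_length` discards the result anyway; either add the FALSE path or reword the comment to match. In `get_ber_length`, `bl_length` is passed uninitialized and then copied to `*length`; if any path inside `try_get_ber_length` skips the `*length = ...` store (not all of its body is visible), callers get garbage, so initialize it: `guint32 bl_length = 0;`. The new `get_ber_length(...)` signature line also has trailing whitespace.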
 
 /* this function dissects the length octets of the BER TLV.

CVE-2010-2283
--- trunk/epan/dissectors/packet-smb.c	2010/05/03 19:08:11	32649
+++ trunk/epan/dissectors/packet-smb.c	2010/05/03 19:33:23	32650
@@ -8222,8 +8222,9 @@
 	case NT_TRANS_IOCTL:
 		/* ioctl data */
 		ioctl_tvb=tvb_new_subset(tvb, offset, MIN((int)bc, tvb_length_remaining(tvb, offset)), bc);
-		dissect_smb2_ioctl_data(ioctl_tvb, pinfo, tree, top_tree_global, nti->ioctl_function, TRUE);
-
+		if (nti){
+			dissect_smb2_ioctl_data(ioctl_tvb, pinfo, tree, top_tree_global, nti->ioctl_function, TRUE);
+		}
 
 		offset += bc;
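Review bot: The `if (nti)` guard stops the NULL dereference but leaves the ioctl payload undissected with no indication in the tree, and the condition carries no comment on when `nti` is NULL (presumably a response whose request was not captured). I would add `/* nti is NULL when the matching request was not seen; skip the function-specific dissection */` and consider an expert-info or text item in an else branch so the truncated dissection is visible to the user. The enclosing function starts and ends outside the hunk.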

CVE-2010-1455
Rev 32396 - Bug 4644 - Don't crash on DOCSIS Baseline Privacy Key Management Response packets with a bad code
Rev 32398 and Rev 32400 - Bug 4646 - Don't crash on invalid DOCSIS regrsp packet

Other patches are similar to this one:
--- trunk/plugins/docsis/packet-bpkmrsp.c	2010/04/06 00:58:05	32395
+++ trunk/plugins/docsis/packet-bpkmrsp.c	2010/04/06 02:49:18	32396
@@ -76,7 +76,7 @@
   code = tvb_get_guint8 (tvb, 0);
 
   col_add_fstr (pinfo->cinfo, COL_INFO, "BPKM Response (%s)",
-	    val_to_str (code, code_field_vals, "%s"));
+	    val_to_str (code, code_field_vals, "Unknown code %u"));
 
   if (tree)
     {
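Review bot: The new fallback `"Unknown code %u"` is correct, but nothing at the call site records that the third argument of `val_to_str` is itself a printf-style format that receives the code, which is exactly how `"%s"` crashed it; add `/* fallback is a format string taking the code as unsigned: use %u, never %s */` so the same mistake is not reintroduced in the sibling dissectors the note above says were patched the same way. The enclosing function starts and ends outside the hunk.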

CVE-2010-0304
The weakness description contains just line 523.
[[But nothing relevant reported by tools anyway]]
http://anonsvn.wireshark.org/viewvc?revision=31524&view=revision
The patch here:
http://anonsvn.wireshark.org/viewvc/trunk/epan/dissectors/packet-lwres.c?r1=31524&r2=31523&pathrev=31524&view=patch
Fix several buffer overflows found by babi babi. Replace a lot of manual
fetching and displaying with proto_tree_add_item().

Use get_dns_name() instead of lwres_get_dns_name(), which fixes a separate
issue.

This is a part of the patch:
--- trunk/epan/dissectors/packet-lwres.c	2010/01/13 21:41:28	31523
+++ trunk/epan/dissectors/packet-lwres.c	2010/01/14 01:22:00	31524

...

 static void dissect_getnamebyaddr_request(tvbuff_t* tvb, proto_tree* lwres_tree)
 {
 	guint32 flags,family;
@@ -423,10 +256,9 @@
 
 static void dissect_getnamebyaddr_response(tvbuff_t* tvb, proto_tree* lwres_tree)
 {
-	guint32 flags,i, offset;
+	guint32 i, offset;
 	guint16 naliases,realnamelen,aliaslen;
-	char aliasname[120];
-	char realname[120];
+	gchar *aliasname; 
 	
 
 	proto_item* nba_resp_item;
@@ -442,38 +274,35 @@
 	}
 	else return;
 
-	flags = tvb_get_ntohl(tvb, LWRES_LWPACKET_LENGTH);
 	naliases = tvb_get_ntohs(tvb, LWRES_LWPACKET_LENGTH + 4);
 	realnamelen = tvb_get_ntohs(tvb,LWRES_LWPACKET_LENGTH + 4 + 2);
-	tvb_get_nstringz(tvb, LWRES_LWPACKET_LENGTH + 4 + 2 + 2, realnamelen, (guint8*)realname);
-	realname[realnamelen]='\0';
 
-	proto_tree_add_uint(nba_resp_tree,
+	proto_tree_add_item(nba_resp_tree,
 						hf_adn_flags,
 						tvb,
 						LWRES_LWPACKET_LENGTH,
 						4,
-						flags);
-	proto_tree_add_uint(nba_resp_tree,
+						FALSE);
+	proto_tree_add_item(nba_resp_tree,
 						hf_adn_naliases,
 						tvb,
 						LWRES_LWPACKET_LENGTH + 4,
 						2,
-						naliases);
+						FALSE);
 
-	proto_tree_add_uint(nba_resp_tree,
+	proto_tree_add_item(nba_resp_tree,
 						hf_adn_namelen,
 						tvb,
 						LWRES_LWPACKET_LENGTH + 6,
 						2, 
-						realnamelen);
+						FALSE);
 
-	proto_tree_add_string(nba_resp_tree,
-						  hf_adn_realname,
-						  tvb,
-						  LWRES_LWPACKET_LENGTH + 8,
-						  realnamelen,
-						  realname);
+	proto_tree_add_item(nba_resp_tree,
+						hf_adn_realname,
+						tvb,
+						LWRES_LWPACKET_LENGTH + 8,
+						realnamelen,
+						FALSE);
 
 	offset=LWRES_LWPACKET_LENGTH + 8 + realnamelen;
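Review bot: The offset computed on the last line of the hunk, `offset=LWRES_LWPACKET_LENGTH + 8 + realnamelen;`, does not step over a terminating NUL, while the alias loop below advances by `2 + aliaslen + 1` and `dissect_getaddrsbyname_response` uses `+ 10 + realnamelen + 1`; if the real name is NUL-terminated on the wire like the aliases, the first alias length is read one byte early. Confirm against the lwres wire format and, if so, use `+ 8 + realnamelen + 1`. The switch to `proto_tree_add_item` with packet-supplied lengths is what retires the fixed 120-byte stack buffers; a one-line comment noting that the tvb accessors now bound every read would make that explicit. The enclosing function continues past the hunk.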
 
@@ -482,25 +311,24 @@
 		for(i=0; i<naliases; i++)
 		{
 			aliaslen = tvb_get_ntohs(tvb, offset);
-			tvb_get_nstringz(tvb, offset + 2, aliaslen, (guint8*)aliasname);
-			aliasname[aliaslen]='\0';
+			aliasname = tvb_get_ephemeral_string(tvb, offset + 2, aliaslen);
 
 			alias_item = proto_tree_add_text(nba_resp_tree, tvb, offset, 2 + aliaslen, "Alias %s",aliasname);
 			alias_tree = proto_item_add_subtree(alias_item, ett_adn_alias);
 
-			proto_tree_add_uint(alias_tree,
+			proto_tree_add_item(alias_tree,
 								hf_adn_namelen,
 								tvb,
 								offset,
 								2,
-								aliaslen);
+								FALSE);
 
-			proto_tree_add_string(alias_tree,
+			proto_tree_add_item(alias_tree,
 								hf_adn_aliasname,
 								tvb,
 								offset + 2,
 								aliaslen,
-								aliasname);
+								FALSE);
 
 			offset+=(2 + aliaslen + 1);
 		}
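Review bot: `tvb_get_ephemeral_string` returns the raw alias bytes, which then go into the tree label via `"Alias %s"`; an embedded NUL truncates the label and non-printable bytes reach the UI unescaped. `tvb_format_text(tvb, offset + 2, aliaslen)` yields an escaped, bounded label for the same cost. The `+ 1` in `offset+=(2 + aliaslen + 1)` should carry a comment that it skips the NUL terminator. The enclosing function starts before the hunk.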
@@ -509,18 +337,12 @@
 
 static void dissect_getaddrsbyname_request(tvbuff_t* tvb, proto_tree* lwres_tree)
 {
-	guint32 flags,addrtype;
 	guint16 namelen;
-	guint8  name[120];
 
 	proto_item* adn_request_item;
 	proto_tree* adn_request_tree;
 	
-	flags = tvb_get_ntohl(tvb, LWRES_LWPACKET_LENGTH);
-	addrtype = tvb_get_ntohl(tvb, LWRES_LWPACKET_LENGTH + 4);
 	namelen  = tvb_get_ntohs(tvb, LWRES_LWPACKET_LENGTH + 8);
-	tvb_get_nstringz(tvb, LWRES_LWPACKET_LENGTH+10, namelen, name);
-        name[namelen]='\0';
 
 	if(lwres_tree)
 	{
@@ -533,45 +355,44 @@
 		return;
 
 
-	proto_tree_add_uint(adn_request_tree,
+	proto_tree_add_item(adn_request_tree,
 				hf_adn_flags,
 				tvb,
 				LWRES_LWPACKET_LENGTH+0,
 				sizeof(guint32),
-				flags);
+				FALSE);
 
-	proto_tree_add_uint(adn_request_tree,
+	proto_tree_add_item(adn_request_tree,
 				hf_adn_addrtype,
 				tvb,
 				LWRES_LWPACKET_LENGTH+4,
 				sizeof(guint32),
-				addrtype);
+				FALSE);
 
-	proto_tree_add_uint(adn_request_tree,
+	proto_tree_add_item(adn_request_tree,
 				hf_adn_namelen,
 				tvb,
 				LWRES_LWPACKET_LENGTH+8,
 				sizeof(guint16),
-				namelen);
+				FALSE);
 
-	proto_tree_add_string(adn_request_tree,
+	proto_tree_add_item(adn_request_tree,
 				hf_adn_name,
 				tvb,
 				LWRES_LWPACKET_LENGTH+10,
 				namelen,
-			        (gchar*)name);
+			        FALSE);
 	
 }
 
 
 static void dissect_getaddrsbyname_response(tvbuff_t* tvb, proto_tree* lwres_tree)
 {
-	guint32 flags, family ,i, offset;
+	guint32 family ,i, offset;
 	guint16 naliases, naddrs, realnamelen, length, aliaslen;
 	const gchar* addr;
 	guint slen;
-	char realname[120];
-	char aliasname[120];
+	gchar *aliasname;
 
 	proto_item* adn_resp_item;
 	proto_tree* adn_resp_tree;
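Review bot: This function passes `sizeof(guint32)`/`sizeof(guint16)` as item lengths while the sibling functions rewritten in the same diff use literal `4`/`2`; pick one convention so the field layouts are easy to compare across the dissector, and since these are fixed-width wire fields rather than host types the literal form reads more honestly. The new `dissect_getaddrsbyname_response` header keeps `const gchar* addr;` and `guint slen;`, whose uses lie past the hunk.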
@@ -589,48 +410,45 @@
 	}
 	else return;
 
-	flags = tvb_get_ntohl(tvb, LWRES_LWPACKET_LENGTH);
 	naliases = tvb_get_ntohs(tvb, LWRES_LWPACKET_LENGTH + 4);
 	naddrs   = tvb_get_ntohs(tvb, LWRES_LWPACKET_LENGTH + 6);
 	realnamelen = tvb_get_ntohs(tvb, LWRES_LWPACKET_LENGTH + 8);
-	tvb_get_nstringz(tvb, LWRES_LWPACKET_LENGTH + 10, realnamelen, (guint8*)realname);
-	realname[realnamelen]='\0';
 
 	
-	proto_tree_add_uint(adn_resp_tree,
+	proto_tree_add_item(adn_resp_tree,
 						hf_adn_flags,
 						tvb, 
 						LWRES_LWPACKET_LENGTH,
 						4,
-						flags);
+						FALSE);
 
-	proto_tree_add_uint(adn_resp_tree,
+	proto_tree_add_item(adn_resp_tree,
 						hf_adn_naliases,
 						tvb, 
 						LWRES_LWPACKET_LENGTH + 4,
 						2,
-						naliases);
+						FALSE);
 
-	proto_tree_add_uint(adn_resp_tree,
+	proto_tree_add_item(adn_resp_tree,
 						hf_adn_naddrs,
 						tvb,
 						LWRES_LWPACKET_LENGTH + 6,
 						2,
-						naddrs);
+						FALSE);
 
-	proto_tree_add_uint(adn_resp_tree,
+	proto_tree_add_item(adn_resp_tree,
 						hf_adn_namelen,
 						tvb,
 						LWRES_LWPACKET_LENGTH + 8,
 						2, 
-						realnamelen);
+						FALSE);
 	
-	proto_tree_add_string(adn_resp_tree,
+	proto_tree_add_item(adn_resp_tree,
 						hf_adn_realname,
 						tvb,
 						LWRES_LWPACKET_LENGTH + 10,
 						realnamelen,
-						realname);
+						FALSE);
 
 	offset = LWRES_LWPACKET_LENGTH + 10 + realnamelen + 1;
 
@@ -639,8 +457,7 @@
 		for(i=0; i<naliases; i++)
 		{
 			aliaslen = tvb_get_ntohs(tvb, offset);
-			tvb_get_nstringz(tvb, offset + 2, aliaslen, (guint8*)aliasname);
-			aliasname[aliaslen]='\0';
+			aliasname = tvb_get_ephemeral_string(tvb, offset + 2, aliaslen);
 
 			alias_item = proto_tree_add_text(adn_resp_tree, tvb, offset, 2 + aliaslen, "Alias %s",aliasname);
 			alias_tree = proto_item_add_subtree(alias_item, ett_adn_alias);
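Review bot: The alias bytes fetched at L934 go straight into the tree label at L936 via `"Alias %s"`, so non-printable bytes in a crafted alias land verbatim in the display; wrap them as `proto_tree_add_text(adn_resp_tree, tvb, offset, 2 + aliaslen, "Alias %s", format_text(aliasname, aliaslen));` (or use `tvb_format_text(tvb, offset + 2, aliaslen)` and drop the ephemeral copy). tvb_get_ephemeral_string() bounds-checks and NUL-terminates, so the former 120-byte stack overflow is gone. The alias loop continues into the next hunk.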
@@ -652,12 +469,12 @@
 								2,
 								aliaslen);
 
-			proto_tree_add_string(alias_tree,
+			proto_tree_add_item(alias_tree,
 								hf_adn_aliasname,
 								tvb,
 								offset + 2,
 								aliaslen,
-								aliasname);
+								FALSE);
 
 			offset+=(2 + aliaslen + 1);
 		}

CVE-2009-4378
Rev 31223 - Bug 4319 - Fix crash in IPMI dissector when trying to display date/time (on Windows). 
--- trunk/epan/dissectors/packet-ipmi.c	2009/12/10 19:15:37	31222
+++ trunk/epan/dissectors/packet-ipmi.c	2009/12/10 20:26:39	31223
@@ -789,7 +789,7 @@
 				d, h, m, s);
 	} else {
 		time_t t = ts;
-		strftime(buf, sizeof(buf), "%F %T", gmtime(&t));
+		strftime(buf, sizeof(buf), "%Y-%m-%d %H:%M:%S", gmtime(&t));
 		proto_tree_add_uint_format_value(tree, hf, tvb, offset, 4,
 				ts, "%s", buf);
 	}
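Review bot: gmtime() can return NULL for a time_t it cannot represent (notably negative or very large values on the Windows CRT), and strftime() at L963 would then dereference it — ts comes from the packet, so unless the branch condition just above the hunk already bounds it, this is reachable. strftime() also returns 0 and leaves buf indeterminate when the output does not fit, and the value is printed regardless. Suggested: `struct tm *tm = gmtime(&t);` then `if (tm == NULL || strftime(buf, sizeof(buf), "%Y-%m-%d %H:%M:%S", tm) == 0) g_snprintf(buf, sizeof(buf), "Invalid timestamp");`. The enclosing function starts before the hunk.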

CVE-2009-4377
Rev 31187 - Bug 4301 - Fix a crash in the SMB dissector.
http://anonsvn.wireshark.org/viewvc?revision=31187&view=revision
CVE-2009-4377 (2):
--- trunk/epan/dissectors/packet-smb.c	2009/12/07 12:17:13	31186
+++ trunk/epan/dissectors/packet-smb.c	2009/12/07 15:07:38	31187
@@ -8443,7 +8443,7 @@
 	proto_tree *tree = NULL;
 	int old_offset = offset;
 	smb_info_t *si;
-	smb_nt_transact_info_t *nti;
+	smb_nt_transact_info_t *nti = NULL;
 	smb_saved_info_t *sip;
 
 
@@ -8451,8 +8451,9 @@
 	DISSECTOR_ASSERT(si);
 	sip = si->sip;
 	DISSECTOR_ASSERT(sip);
-	nti=sip->extra_info;
-
+	if (sip->extra_info_type == SMB_EI_NTI) {
+	  nti=sip->extra_info;
+	}
 
 	if(parent_tree){
 		tvb_ensure_bytes_exist(tvb, offset, len);
@@ -8469,7 +8470,7 @@
 		guint16 fid;
 
 		/* function code */
-		offset = dissect_smb2_ioctl_function(tvb, pinfo, tree, offset, &nti->ioctl_function);
+		offset = dissect_smb2_ioctl_function(tvb, pinfo, tree, offset, nti ? &nti->ioctl_function : NULL);
 
 		/* fid */
 		fid = tvb_get_letohs(tvb, offset);
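Review bot: The NULL-propagation at L1000 only protects this one call; if nti is dereferenced again further down the function (outside the hunk), the same `nti ? ... : NULL` guard is needed there too, since nti is now legitimately NULL whenever `sip->extra_info_type != SMB_EI_NTI`. A one-line comment next to the assignment at L979, `/* NULL unless the saved request carried NT-transact info */`, would tell later readers why every use has to be guarded. The function continues past the hunk.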

CVE-2009-4377 (1):
--- trunk/epan/dissectors/packet-smb2.c	2009/12/07 12:17:13	31186
+++ trunk/epan/dissectors/packet-smb2.c	2009/12/07 15:07:38	31187
@@ -951,7 +951,8 @@
 	}
 
 	ioctl_function=tvb_get_letohl(tvb, offset);
-	*ioctlfunc=ioctl_function;
+	if (ioctlfunc) 
+		*ioctlfunc=ioctl_function;
 	if(ioctl_function){
 		/* device */
 		proto_tree_add_item(tree, hf_smb2_ioctl_function_device, tvb, offset, 4, TRUE);

CVE-2009-4376
Rev 31172, Rev 31173 - Bug 4294- Fix daintree-sna potential buffer overflow (crash ?)
--- trunk/wiretap/daintree-sna.c	2009/12/04 15:21:48	31171
+++ trunk/wiretap/daintree-sna.c	2009/12/04 16:56:34	31173
@@ -76,12 +76,18 @@
 
 #define DAINTREE_MAGIC_TEXT_SIZE (sizeof daintree_magic_text)
 #define DAINTREE_MAX_LINE_SIZE 512
+#define READDATA_BUF_SIZE (DAINTREE_MAX_LINE_SIZE/2)
+#define SEEKDATA_BUF_SIZE (DAINTREE_MAX_LINE_SIZE/2)
+#define READDATA_MAX_FIELD_SIZE "255"  /* DAINTREE_MAX_LINE_SIZE/2 -1 */
+#define SEEKDATA_MAX_FIELD_SIZE "255"  /* DAINTREE_MAX_LINE_SIZE/2 -1 */
+
 #define COMMENT_LINE daintree_magic_text[0]
 
 static char readLine[DAINTREE_MAX_LINE_SIZE];
 static char seekLine[DAINTREE_MAX_LINE_SIZE];
-static char readData[DAINTREE_MAX_LINE_SIZE/2];
-static char seekData[DAINTREE_MAX_LINE_SIZE/2];
+
+static char readData[READDATA_BUF_SIZE];
+static char seekData[SEEKDATA_BUF_SIZE];
 
 static gboolean daintree_sna_read(wtap *wth, int *err, gchar **err_info _U_,
 	gint64 *data_offset);
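Review bot: The `"255"` field widths at L1029-L1030 are hand-maintained copies of `DAINTREE_MAX_LINE_SIZE/2 - 1`, so a later change to DAINTREE_MAX_LINE_SIZE silently desynchronises them from the buffers and reintroduces the overflow; add a compile-time check next to them: `#if READDATA_BUF_SIZE != 256 || SEEKDATA_BUF_SIZE != 256` / `#error "sscanf field widths must match the data buffer sizes"` / `#endif`. A comment stating that the width is the buffer size minus one for the terminating NUL would explain the 255 to the next reader.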
@@ -146,7 +152,7 @@
 	} while (readLine[0] == COMMENT_LINE);
 
 	/* parse one line of capture data */
-	if (sscanf(readLine, "%*s %" G_GINT64_MODIFIER "u.%d %u %s",
+	if (sscanf(readLine, "%*s %" G_GINT64_MODIFIER "u.%d %u %" READDATA_MAX_FIELD_SIZE "s",
 		&seconds, &wth->phdr.ts.nsecs,
 		&wth->phdr.len, readData) != 4) {
 			*err = WTAP_ERR_BAD_RECORD;
@@ -202,7 +208,7 @@
 	} while (seekLine[0] == COMMENT_LINE);
 
 	/* ignore all but packet data, since the sequential read pass stored everything else */
-	if (sscanf(seekLine, "%*s %*u.%*u %*u %s", seekData) != 1) {
+	if (sscanf(seekLine, "%*s %*u.%*u %*u %" SEEKDATA_MAX_FIELD_SIZE "s", seekData) != 1) {
 		*err = WTAP_ERR_BAD_RECORD;
 		*err_info = g_strdup("daintree_sna: corrupted seek record");
 		return FALSE;


CVE-2009-3829
Rev 29364, Rev 29366 - Bug 3849 - Fix a crash in ERF file support. 
Don't try to allocate more than WTAP_MAX_PACKET_SIZE. Fixes a crash
reported in bug 3849.

--- trunk/wiretap/erf.c	2009/04/22 03:07:37	28117
+++ trunk/wiretap/erf.c	2009/08/10 16:12:55	29364
@@ -218,6 +218,13 @@
 
     /* The file_seek function do not return an error if the end of file
        is reached whereas the record is truncated */
+    if (packet_size > WTAP_MAX_PACKET_SIZE) {
+      /*
+       * Probably a corrupt capture file; don't blow up trying
+       * to allocate space for an immensely-large packet.
+       */
+      return 0;
+    }
     buffer=g_malloc(packet_size);
     r = file_read(buffer, 1, packet_size, wth->fh);
     g_free(buffer);
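Review bot: The new guard at L1075-L1081 returns 0 without setting `*err` or `*err_info`, so the caller cannot tell "corrupt record" from "not an ERF file"; if this loop is the open-time format heuristic, 0 is the correct "not my format" answer, but if it is reached from the read path it should set `*err = WTAP_ERR_BAD_RECORD` and return an error — the enclosing function starts outside the hunk, so this needs confirming. Separately, allocating packet_size bytes only to read and discard them could be a forward `file_seek(wth->fh, packet_size, SEEK_CUR, err)`, which removes the allocation altogether.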

CVE-2009-3551
Revision 30595
http://anonsvn.wireshark.org/viewvc?revision=30595&view=revision
--- trunk/epan/dissectors/packet-smb.c	2009/10/18 13:36:01	30594
+++ trunk/epan/dissectors/packet-smb.c	2009/10/18 14:46:39	30595
@@ -2206,7 +2206,7 @@
 
 	if (si->sip && si->sip->extra_info_type==SMB_EI_DIALECTS) {
 		dialects = si->sip->extra_info;
-		if (dialect <= dialects->num) {
+		if (dialect < dialects->num) {
 			dialect_name = dialects->name[dialect];
 		}
 	}
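Review bot: The exclusive bound at L1096 is right, but whether `dialect` can be negative depends on its declaration outside the hunk; if it is a signed integer read from the packet, a negative value still passes `dialect < dialects->num` and indexes before `dialects->name`, so declare it unsigned or compare `(guint)dialect < dialects->num`. An expert-info on the fall-through path would also surface a negotiate response whose dialect index the request never offered.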

CVE-2009-3550
Revision 30208
http://anonsvn.wireshark.org/viewvc?revision=30208&view=revision
Revision Log:
The dcerpc dissectors used to walk the list of items upward parent by 
parent in order to push the display of extra interesting fields in the 
packet to higher up in the decode tree. This was useful for making sure 
that things like DomainNames etc are clearly visible without having to 
drill down 500 layers of NDR.

This code used to just blindly walk the indicated number of parents, and 
then attach the string to that item.
This relied on the "unsafe" assumption that the topmost item's parent 
pointer would point to itself, which is what made the walk "safe".

This is no longer safe since the root object in the tree now has NULL as 
parent, and thus some of these dcerpc interfaces can now cause a SEGV 
trying to dereference NULL->parent.

I added a macro to safely walk to the parent object, or remain at the 
current object if parent is NULL.

This was a serious bug, where dcerpc traffic could cause a SEGV.
Please merge into all stable versions.

--- trunk/epan/dissectors/packet-dcerpc-nt.c	2009/09/30 07:47:47	30207
+++ trunk/epan/dissectors/packet-dcerpc-nt.c	2009/09/30 07:53:12	30208
@@ -39,6 +39,14 @@
 #include "packet-dcerpc-nt.h"
 #include "packet-windows-common.h"
 
+
+/* This is used to safely walk the decode tree up, one item at a time safely.
+   This is used by dcerpc dissectors that want to push the display of a string
+   higher up in the tree for greater visibility.
+*/
+#define GET_ITEM_PARENT(x) \
+	((x->parent!=NULL)?x->parent:x)
+
 /*
  * This file contains helper routines that are used by the DCERPC over SMB
  * dissectors for wireshark.
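Review bot: GET_ITEM_PARENT at L1137-L1138 evaluates its argument three times and does not parenthesize it, so anything other than a plain identifier (`GET_ITEM_PARENT(items[i++])`, or an expression with a lower-precedence operator) misbehaves; write it as `#define GET_ITEM_PARENT(x) (((x)->parent != NULL) ? (x)->parent : (x))` or make it a `static inline proto_item *` function. The macro still dereferences `x` itself, which is fine for the callers in this diff because they test `item` first, but the comment should say so: `/* x must be non-NULL; returns x itself at the root, never NULL */`.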
@@ -245,15 +253,15 @@
 
 	if (levels > 0 && item && s && s[0]) {
 		proto_item_append_text(item, ": %s", s);
-		item = item->parent;
+		item = GET_ITEM_PARENT(item);
 		levels--;
 		if (levels > 0) {
 			proto_item_append_text(item, ": %s", s);
-			item = item->parent;
+			item = GET_ITEM_PARENT(item);
 			levels--;
 			while (levels > 0) {
 				proto_item_append_text(item, " %s", s);
-				item = item->parent;
+				item = GET_ITEM_PARENT(item);
 				levels--;
 			}
 		}
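Review bot: The three-step walk at L1146-L1160 (append with ": ", move up, append with ": ", move up, then append with " " while levels remain) is repeated verbatim in the three later hunks of this file, so the NULL-parent fix had to be applied in twelve places; a single static helper keeps the next fix to one spot. The enclosing function begins and ends outside the hunk, so the call site would be `dcerpc_append_to_parents(item, s, levels);` in place of the whole block.
```c
/* Append s to item and to up to `levels` of its ancestors. Stops at the
 * root (whose parent is NULL) instead of dereferencing past it. */
static void
dcerpc_append_to_parents(proto_item *item, const char *s, int levels)
{
	int depth;

	if (levels <= 0 || !item || !s || !s[0])
		return;
	for (depth = 0; levels > 0; depth++, levels--) {
		/* the first two items get ": s", higher ancestors " s", as before */
		if (depth < 2)
			proto_item_append_text(item, ": %s", s);
		else
			proto_item_append_text(item, " %s", s);
		item = GET_ITEM_PARENT(item);
	}
}
```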
@@ -1132,18 +1140,17 @@
 	}
 
 	/* Append string to upper-level proto_items */
-
 	if (levels > 0 && item && s && s[0]) {
 		proto_item_append_text(item, ": %s", s);
-		item = item->parent;
+		item = GET_ITEM_PARENT(item);
 		levels--;
 		if (levels > 0) {
 			proto_item_append_text(item, ": %s", s);
-			item = item->parent;
+			item = GET_ITEM_PARENT(item);
 			levels--;
 			while (levels > 0) {
 				proto_item_append_text(item, " %s", s);
-				item = item->parent;
+				item = GET_ITEM_PARENT(item);
 				levels--;
 			}
 		}
@@ -1198,15 +1205,15 @@
 
 	if (levels > 0 && item && s && s[0]) {
 		proto_item_append_text(item, ": %s", s);
-		item = item->parent;
+		item = GET_ITEM_PARENT(item);
 		levels--;
 		if (levels > 0) {
 			proto_item_append_text(item, ": %s", s);
-			item = item->parent;
+			item = GET_ITEM_PARENT(item);
 			levels--;
 			while (levels > 0) {
 				proto_item_append_text(item, " %s", s);
-				item = item->parent;
+				item = GET_ITEM_PARENT(item);
 				levels--;
 			}
 		}
@@ -1311,15 +1318,15 @@
 
 		if (levels > 0 && item && s && s[0]) {
 			proto_item_append_text(item, ": %s", s);
-			item = item->parent;
+			item = GET_ITEM_PARENT(item);
 			levels--;
 			if (levels > 0) {
 				proto_item_append_text(item, ": %s", s);
-				item = item->parent;
+				item = GET_ITEM_PARENT(item);
 				levels--;
 				while (levels > 0) {
 					proto_item_append_text(item, " %s", s);
-					item = item->parent;
+					item = GET_ITEM_PARENT(item);
 					levels--;
 				}
 			}

CVE-2009-3549
Rev 29064 - Bug 3689 - Possibly-unaligned dereference and big/little endian issue in packet-paltalk.c
Note: IPV4 big/little endian issue is not relevant
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=3689

Not a complete patch:

--- trunk/epan/dissectors/packet-paltalk.c	2009/07/11 09:50:09	29063
+++ trunk/epan/dissectors/packet-paltalk.c	2009/07/11 15:36:18	29064

...

@@ -54,14 +58,27 @@
 static gboolean
 dissect_paltalk(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
 {
+	guint32 src32, dst32;
+
 	/* Detect if this TCP session is a Paltalk one */
 	/* TODO: Optimize detection logic if possible */
-	if (pinfo->net_src.type != AT_IPv4 || pinfo->net_dst.type != AT_IPv4
-			|| pinfo->net_src.len != 4 || pinfo->net_dst.len != 4
-			|| !pinfo->net_src.data || !pinfo->net_dst.data
-			|| (((*(guint32*) pinfo->net_src.data) & PALTALK_SERVERS_NETMASK) != PALTALK_SERVERS_ADDRESS
-			 && ((*(guint32*) pinfo->net_dst.data) & PALTALK_SERVERS_NETMASK) != PALTALK_SERVERS_ADDRESS))
+
+	if ((pinfo->net_src.type != AT_IPv4) 
+	    || (pinfo->net_dst.type != AT_IPv4)
+	    || (pinfo->net_src.len != 4)
+	    || (pinfo->net_dst.len != 4)
+	    || !pinfo->net_src.data 
+	    || !pinfo->net_dst.data)
 		return FALSE;
+
+	memcpy((guint8 *)&src32, pinfo->net_src.data, 4); /* *Network* order */
+	memcpy((guint8 *)&dst32, pinfo->net_dst.data, 4); /* *Network* order */
+
+	if ( ((src32 & PALTALK_SERVERS_NETMASK) != PALTALK_SERVERS_ADDRESS) 
+	     &&
+	     ((dst32 & PALTALK_SERVERS_NETMASK) != PALTALK_SERVERS_ADDRESS))
+		return FALSE;
+
 	/* Dissect result of desegmented TCP data */
 	tcp_dissect_pdus(tvb, pinfo, tree, TRUE, PALTALK_HEADER_LENGTH
 			, dissect_paltalk_get_len, dissect_paltalk_desegmented);
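Review bot: src32/dst32 are copied in network byte order (the comments at L1257-L1258 say so), so PALTALK_SERVERS_NETMASK and PALTALK_SERVERS_ADDRESS must be in network order too; if they are host-order literals (defined outside the hunk), the mask at L1260-L1262 only matches on big-endian hosts — compare `(g_ntohl(src32) & PALTALK_SERVERS_NETMASK)` or define the constants with `g_htonl()`, and note the chosen byte order in a comment on the defines. The memcpy replacing the `*(guint32*)` casts does fix the unaligned-read half of the bug.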



CVE-2009-3243
[[gcry_md_open - pinpointed previously - was from Revision 29392 - Fix memoryleak causing crash with long SSL traces. - appears unrelated to the CVE]]
Bug 4008
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=4008
Revision 29906
http://anonsvn.wireshark.org/viewvc?revision=29906&view=revision

Code moved between these files, 1 line added
wireshark-1.2.0/epan/dissectors/packet-ssl.c, 275
wireshark-1.2.9/epan/dissectors/packet-ssl-utils.c, 46

	const gchar* ssl_version_short_names[] = {
		"SSL",
 		"SSLv2",
 		"SSLv3",
		"TLSv1",
 		"TLSv1.1",
 		"DTLSv1.0",
 		"PCT",
+ 		"TLSv1.2"
	};
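Review bot: Adding one entry only covers the version values known today; unless the lookup site (around line 282 of the 1.2.0 packet-ssl.c, outside this excerpt) bounds the index, the next unknown version number — a TLS or DTLS value beyond this table — overruns again. A guarded accessor such as `version < array_length(ssl_version_short_names) ? ssl_version_short_names[version] : "Unknown"` is the durable fix, and the table should carry a comment that its order must match the version enumeration it is indexed by.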

Omitted line - this should be in <location ...>:
wireshark-1.2.0/epan/dissectors/packet-ssl.c, 282

This should be in <textoutput>:
Crash on TLSv1.2 packets, caused by ssl_short_name array overrun.

CVE-2009-3242
This is a fix, but not clear how it is related to the locations

Rev 29403 - Bug 3893 - Fix crash due to an uninitialized dissector handle.
--- trunk/epan/dissectors/packet-gsm_a_rr.c	2009/08/13 11:12:35	29402
+++ trunk/epan/dissectors/packet-gsm_a_rr.c	2009/08/13 12:17:20	29403
@@ -10154,6 +10154,7 @@
 void
 proto_reg_handoff_gsm_a_rr(void)
 {
+    data_handle = find_dissector("data");
     rrc_irat_ho_info_handle = find_dissector("rrc.irat.irat_ho_info");
     rrc_irat_ho_to_utran_cmd_handle = find_dissector("rrc.irat.ho_to_utran_cmd");
 }

CVE-2009-3241
* This is different from our location info
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=3986
Rev 31294 - Bug 3986 - Fix string compares (A correction for part of the previous fix for this bug) 
Also Rev 29813
http://anonsvn.wireshark.org/viewvc/trunk/plugins/opcua/opcua.c?view=log&pathrev=31294

CVE-2009-2563
https://bugzilla.redhat.com/show_bug.cgi?id=512992
A NULL pointer dereference flaw was found in the Wireshark's InfiniBand
dissector. A remote attacker could provide a specially-crafted InfiniBand
packet capture file, which once opened by an unsuspecting user would
lead to denial of service (Wireshark crash).

http://anonsvn.wireshark.org/viewvc/trunk/epan/dissectors/packet-infiniband.c?r1=28839&r2=28838&pathrev=28839&view=patch

--- trunk/epan/dissectors/packet-infiniband.c	2009/06/24 20:27:58	28838
+++ trunk/epan/dissectors/packet-infiniband.c	2009/06/25 01:50:56	28839
@@ -940,9 +940,6 @@
                 proto_tree_add_uint(PAYLOAD_header_tree, hf_infiniband_reserved16_RWH, tvb,
                             local_offset, 2, tvb_get_ntohs(tvb, local_offset));
 
-
-            } else {
-                tvb_free(next_tvb);
             }
                 
         }

CVE-2009-2562
[[No relevant warnings from tools]]
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=3564
Revision 28815
https://bugzilla.redhat.com/show_bug.cgi?id=512987
This really is caused by an integer overflow as indicated in comment #0. 
i_orxs value is read from the dump.  It's later passed to tvb_get_ptr() for
sanity-checking, however, that does not report a problem when i_orxs is
0xFFFFFFFF.  The reason is that this value is cast from unsigned to signed
integer type in compute_offset_length(), i.e. it becomes -1 and that is a
special value in compute_offset_length() - which means "to the end of the
data".

Later, ep_alloc() is called as ep_alloc(i_orxs+1), hence with size equal to 0,
allocating buffer of insufficient size.  That buffer is later filled with
memcpy as memcpy(tmp_orxs, p_orxs, i_orxs).  This attempts to copy ~4 gig of
data and is likely to trigger SEGV when trying to read or write from an
unmapped memory.

--- trunk/epan/dissectors/packet-afs.c	2009/06/22 20:57:09	28814
+++ trunk/epan/dissectors/packet-afs.c	2009/06/22 22:38:29	28815
@@ -415,17 +415,10 @@
    4 bytes - length, then char data */
 #define OUT_RXString(field) \
 	{	guint32 i_orxs,len_orxs; \
-		char *tmp_orxs; \
-		const guint8 *p_orxs; \
 		i_orxs = tvb_get_ntohl(tvb, offset); \
-		offset += 4; \
-		p_orxs = tvb_get_ptr(tvb,offset,i_orxs); \
-		len_orxs = ((i_orxs+4-1)/4)*4; \
-		tmp_orxs = ep_alloc(i_orxs+1); \
-		memcpy(tmp_orxs, p_orxs, i_orxs); \
-		tmp_orxs[i_orxs] = '\0'; \
-		proto_tree_add_string(tree, field, tvb, offset-4, len_orxs+4, \
-		(void *)tmp_orxs); \
+		len_orxs = ((i_orxs+4-1)/4)*4 + 4; \
+		proto_tree_add_item(tree, field, tvb, offset-4, len_orxs, \
+		FALSE); \
 		offset += len_orxs; \
 	}
 
@@ -825,7 +818,8 @@
 		OUT_RXString(hf_afs_kauth_realm); \
 	}
 
-#define GETSTR ((const char *)tvb_get_ptr(tvb,offset,tvb_ensure_length_remaining(tvb,offset)))
+#define MAX_GETSTR_LEN 200 /* Arbitrary */
+#define GETSTR (tvb_format_text(tvb,offset,tvb_length_remaining(tvb,offset)))
 
 #define VALID_OPCODE(opcode) ((opcode >= OPCODE_LOW && opcode <= OPCODE_HIGH) || \
 		(opcode >= VOTE_LOW && opcode <= VOTE_HIGH) || \
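Review bot: MAX_GETSTR_LEN at L1390 is defined but the GETSTR macro right below it still formats `tvb_length_remaining(tvb, offset)` bytes, so either the cap is meant to be applied — `#define GETSTR (tvb_format_text(tvb, offset, MIN(MAX_GETSTR_LEN, tvb_length_remaining(tvb, offset))))` — or the define is dead and should go. If the cap is applied, the "Arbitrary" comment should say why 200 (display length, not a protocol limit) so nobody treats it as a wire constraint.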

CVE-2009-2561
[[No related warnings from tools]]
Rev 28897 - Bug 3570 - Fix excessive CPU usage in sFlow.
--- trunk/epan/dissectors/packet-sflow.c	2009/06/30 20:28:26	28896
+++ trunk/epan/dissectors/packet-sflow.c	2009/06/30 20:59:51	28897
@@ -54,6 +54,7 @@
 #include <epan/prefs.h>
 #include <epan/ipproto.h>
 #include <epan/sminmpec.h>
+#include <epan/expert.h>
 
 #define SFLOW_UDP_PORTS "6343"
 
@@ -1115,7 +1116,7 @@
 
 /* dissect a counters sample */
 static gint
-dissect_sflow_counters_sample(tvbuff_t *tvb, proto_tree *tree,
+dissect_sflow_counters_sample(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
 	gint offset, proto_item *parent, guint32 version)
 {
 	guint32	sequence_number, num_records, counters_type, record_length, j;
@@ -1129,6 +1130,11 @@
 		proto_tree_add_item(tree, hf_sflow_sample_length, tvb, offset, 4, FALSE);
 		offset += 4;
 		return_offset = offset + sample_length;
+		if (return_offset < offset) {
+			expert_add_info_format(pinfo, tree, PI_MALFORMED,
+					       PI_ERROR, "Huge sample length");
+			return offset;
+		}
 	}
 	sequence_number = tvb_get_ntohl(tvb, offset);
 	proto_tree_add_item(tree, hf_sflow_cs_seqno, tvb, offset, 4, FALSE);
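Review bot: After reporting "Huge sample length" at L1422-L1426 the function returns `offset`, which has already advanced past the length word, so the caller's `old_offset >= offset` guard (added later in this diff) does not see the failure and keeps walking the remaining samples from a bogus position; `THROW(ReportedBoundsError)` or `return tvb_length(tvb);` would stop the walk. The expert item is also attached to `tree` rather than to the sample-length item just added, so the flag does not land on the offending field. The enclosing function continues past the hunk.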
@@ -1173,6 +1179,11 @@
 			proto_tree_add_item(record_tree, hf_sflow_cs_recordlength, tvb, offset, 4, FALSE);
 			offset += 4;
 			nextoffset = offset + record_length;
+			if (nextoffset < offset) {
+				expert_add_info_format(pinfo, record_tree, PI_MALFORMED,
+						       PI_ERROR, "Huge record length");
+				return offset;
+			}
 		}
 	
 		/* most counters types have the "generic" counters first */
@@ -1337,7 +1348,7 @@
 		break;
 	case COUNTERSSAMPLE:
 	case EXPCOUNTERSAMPLES:
-		offset = dissect_sflow_counters_sample(tvb, sflow_sample_tree, offset, ti, version);
+		offset = dissect_sflow_counters_sample(tvb, pinfo, sflow_sample_tree, offset, ti, version);
 		break;
 	default:
 		break;
@@ -1357,7 +1368,7 @@
 	guint32		version, sub_agent_id, seqnum;
 	guint32		agent_address_type;
 	guint32		numsamples;
-	volatile guint	offset=0;
+	guint		offset = 0, old_offset;
 	guint 		i=0;
 	union {
 		guint8	v4[4];
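Review bot: L1455-L1456 drop the `volatile` qualifier from `offset`; if dissect_sflow (whose body is outside the hunk) still modifies offset inside a TRY/CATCH block, reading it after a longjmp from a thrown exception is undefined without volatile, so confirm the TRY was removed along with it. If it was, a comment on the declaration noting that offset is no longer touched under TRY would prevent the qualifier from being re-added or re-needed unnoticed.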
@@ -1438,8 +1449,15 @@
 	 */
 
 	i = 0;
-	while (i++ < numsamples)
+	while (i++ < numsamples) {
+		old_offset = offset;
 		offset = dissect_sflow_samples(tvb, pinfo, sflow_tree, offset, version);
+		if (old_offset >= offset) {
+			expert_add_info_format(pinfo, sflow_tree, PI_MALFORMED,
+					       PI_ERROR, "Bad offset");
+			return offset;
+		}
+	}
 
 	return tvb_length(tvb);
 }

CVE-2009-2560 (1)
[[There seems to be a 3rd issue here - with MIOP dissector!!!]]
This differs from our xml file
[[No related tool warnings]]
https://bugzilla.redhat.com/show_bug.cgi?id=513008
Issue b) Integer overflow in the Bluetooth L2CAP dissector:
-----------------------------------------------------------

An integer overflow flaw, leading to heap-based buffer overflow was found
in the Wireshark's Bluetooth L2CAP dissector. A remote attacker could
provide a specially-crafted L2CAP packet capture file, which once opened
by an unsuspecting user would lead to denial of service (Wireshark crash).

http://anonsvn.wireshark.org/viewvc/trunk/epan/dissectors/packet-btl2cap.c?r1=28884&r2=28883&pathrev=28884&view=patch
--- trunk/epan/dissectors/packet-btl2cap.c	2009/06/29 20:35:47	28883
+++ trunk/epan/dissectors/packet-btl2cap.c	2009/06/29 20:59:26	28884
@@ -36,6 +36,7 @@
 #include <epan/packet.h>
 #include <etypes.h>
 #include <epan/emem.h>
+#include <epan/expert.h>
 #include "packet-bthci_acl.h"
 #include "packet-btl2cap.h"
 
@@ -875,10 +876,19 @@
 
 	/*Segmented frames with SAR = start have an extra SDU length header field*/
 	if(segment == 0x01) {
+		proto_item *pi;;
 		sdulen = tvb_get_letohs(tvb, offset);
-		proto_tree_add_item(btl2cap_tree, hf_btl2cap_sdulength, tvb, offset, 2, TRUE);
+		pi = proto_tree_add_item(btl2cap_tree, hf_btl2cap_sdulength, tvb, offset, 2, TRUE);
 		offset += 2;
 		length -= 6; /*Control, SDUlength, FCS*/
+
+		/* Detect malformed data */
+		if (sdulen < length) {
+			sdulen = length;
+			expert_add_info_format(pinfo, pi, PI_MALFORMED, PI_WARN, 
+					"SDU length less than length of first packet");
+		}
+
 		if(!pinfo->fd->flags.visited){
 			mfp=se_alloc(sizeof(sdu_reassembly_t));
 			mfp->first_frame=pinfo->fd->num;

CVE-2009-2560 (2)
Rev 28891 - Bug 3578 - Fix crash caused by packet-radius.c attribute list/pair incorrect error handling
Log Message: 	

packet-radius: Fix exception CLEANUP handling when malformed attribute list/pair seen;
Fixes crash reported in Bug #3578. [https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=3578]
Essentially: CLEANUP_CALL_AND_POP wasn't being executed for certain error exits from
 dissect_attribute_pairs() thus leaving a CLEANUP entry on the exception stack.
Also: vsa_buffer_table wasn't being destroyed if an exception occurred in dissect_attribute_pairs.


--- trunk/epan/dissectors/packet-radius.c	2009/06/30 12:26:11	28890
+++ trunk/epan/dissectors/packet-radius.c	2009/06/30 13:57:26	28891
@@ -854,13 +854,14 @@
 	return TRUE;
 }
 
-static void vsa_buffer_table_destroy(GHashTable *table) {
+static void vsa_buffer_table_destroy(void *table) {
 	if (table) {
-		g_hash_table_foreach_remove(table, vsa_buffer_destroy, NULL);
-		g_hash_table_destroy(table);
+		g_hash_table_foreach_remove((GHashTable *)table, vsa_buffer_destroy, NULL);
+		g_hash_table_destroy((GHashTable *)table);
 	}
 }
 
+
 static void dissect_attribute_value_pairs(proto_tree *tree, packet_info *pinfo, tvbuff_t *tvb, int offset, guint length) {
     proto_item* item;
     gboolean last_eap = FALSE;
@@ -878,6 +879,7 @@
      * allocated (if any).
      */
     CLEANUP_PUSH(g_free, eap_buffer);
+    CLEANUP_PUSH(vsa_buffer_table_destroy, (void *)vsa_buffer_table);
 
     while (length > 0) {
         radius_attr_info_t* dictionary_entry = NULL;
@@ -894,7 +896,7 @@
             item = proto_tree_add_text(tree, tvb, offset, 0,
                         "Not enough room in packet for AVP header");
             PROTO_ITEM_SET_GENERATED(item);
-            return;
+            break;  /* exit outer loop, then cleanup & return */
         }
         avp_type = tvb_get_guint8(tvb,offset);
         avp_length = tvb_get_guint8(tvb,offset+1);
@@ -903,14 +905,14 @@
             item = proto_tree_add_text(tree, tvb, offset, 0,
                         "AVP too short: length %u < 2", avp_length);
             PROTO_ITEM_SET_GENERATED(item);
-            return;
+            break;  /* exit outer loop, then cleanup & return */
         }
 
         if (length < avp_length) {
             item = proto_tree_add_text(tree, tvb, offset, 0,
                         "Not enough room in packet for AVP");
             PROTO_ITEM_SET_GENERATED(item);
-            return;
+            break;  /* exit outer loop, then cleanup & return */
         }
 
         length -= avp_length;
@@ -939,7 +941,7 @@
             if (avp_length < 4) {
                 proto_item_append_text(avp_item, " [AVP too short; no room for vendor ID]");
                 offset += avp_length;
-                continue;
+                continue; /* while (length > 0) */
             }
             vendor_id = tvb_get_ntohl(tvb,offset);
 
@@ -1002,7 +1004,7 @@
                 if (avp_vsa_len < avp_vsa_header_len) {
                     proto_tree_add_text(tree, tvb, offset+1, 1,
                                             "[VSA too short]");
-                    return;
+                    break; /* exit while (offset < max_offset) loop */
                 }
 
                 avp_vsa_len -= avp_vsa_header_len;
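Review bot: The `break` at L1603 leaves the `while (offset < max_offset)` VSA loop with offset pointing at the truncated VSA rather than at the end of the AVP; unless the code after that loop (outside the hunk) resets offset to the AVP's end, the outer loop continues parsing the next AVP from inside the malformed one. Setting `offset = max_offset;` before the break, mirroring how the short-vendor-ID case at L1590-L1594 advances `offset += avp_length` before continuing, keeps the outer loop aligned; a comment on the break saying where offset is expected to be re-synchronised would also help. The CLEANUP bookkeeping change itself is correct as far as visible here.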
@@ -1084,8 +1086,8 @@
 		}
 
                 offset += avp_vsa_len;
-            };
-            continue;
+            }; /* while (offset < max_offset) */
+            continue;  /* while (length > 0) */
         }
 
         avp_tree = proto_item_add_subtree(avp_item,dictionary_entry->ett);
@@ -1222,9 +1224,10 @@
             offset += avp_length;
         }
 
-    }
+    }  /* while (length > 0) */
+
+    CLEANUP_CALL_AND_POP; /* vsa_buffer_table_destroy(vsa_buffer_table) */
 
-    vsa_buffer_table_destroy(vsa_buffer_table);
     /*
      * Call the cleanup handler to free any reassembled data we haven't
      * attached to a tvbuff, and pop the handler.

CVE-2009-2559
Rev 28801 - Bug 3559 - Don't let the index run over the array boundary. 
--- trunk/epan/dissectors/packet-ipmi-se.c	2009/06/22 05:45:00	28800
+++ trunk/epan/dissectors/packet-ipmi-se.c	2009/06/22 05:57:44	28801
@@ -2740,7 +2740,7 @@
 	int len = tvb_length(tvb);
 	int i, j, val, msk;
 
-	for (i = 0; offs < len; i++, offs++) {
+	for (i = 0; (offs < len) && (i < 4); i++, offs++) {
 		val = tvb_get_guint8(tvb, offs);
 		ti = proto_tree_add_text(tree, tvb, offs, 1, "%s (byte %d)", desc, i);
 		s_tree = proto_item_add_subtree(ti, *tsel[i]);
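Review bot: The new bound `i < 4` at L1641 is a magic number that has to track the size of `tsel` (declared outside the hunk); `i < (int)array_length(tsel)` keeps them in step. Bytes beyond the fourth are now silently dropped, so a `proto_tree_add_text(tree, tvb, offs, len - offs, "Unexpected extra data")` after the loop, or an expert-info, would make a malformed response visible instead of truncating it quietly. The enclosing function begins before the hunk.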

