Wireshark (#2)
In the packet-usbip.c dissector:

    num_of_devs = tvb_get_ntohl(tvb, offset);
    offset += 4;
    if (num_of_devs == 0)
        return expected_size;
    if (tvb_captured_length_remaining(tvb, offset) < (gint) (0x138 * num_of_devs))
        return 0;
    for (i = 0; i < num_of_devs; i++) {
        guint8 num_of_intf = tvb_get_guint8(tvb, offset + 0x137);
        int skip = num_of_intf * 4;
        expected_size += 0x138 + skip;
        offset += 0x138 + skip;
    }
    return expected_size;
Integer overflow in 0x138 * num_of_devs: num_of_devs is a 32-bit value read straight from the packet, so the product can wrap (or, after the cast to gint, go negative), the captured-length check passes, and the loop then runs num_of_devs times over a buffer that was never shown to be large enough.
Does it lead to memory corruption? I'm not sure. Perhaps, perhaps not. I'm really more looking for the presence of input validation bugs as opposed to what they can affect.
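To make the wrap concrete, here is an added example (my code, not Wireshark's) that mirrors the dissector's length check with the remaining byte count passed in as a plain integer instead of a tvb, beside a hardened form that refuses any num_of_devs whose product could overflow; DEV_ENTRY_SIZE, vulnerable_check and hardened_check are names I chose.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Per-device record size used by the dissector's check (0x138 bytes). */
#define DEV_ENTRY_SIZE 0x138u

/* Mirrors the page's check: the product is formed in 32-bit unsigned
 * arithmetic and then compared as a signed int, exactly as in the snippet.
 * Returns true when the dissector would go on to the per-device loop. */
bool vulnerable_check(uint32_t num_of_devs, int32_t remaining)
{
    uint32_t needed = (uint32_t) (DEV_ENTRY_SIZE * num_of_devs); /* wraps mod 2^32 */
    if (remaining < (int32_t) needed)
        return false; /* the "return 0" path: too short */
    return true;      /* proceeds to iterate num_of_devs times */
}

/* Hardened form (added here): reject a count that could not possibly fit
 * before multiplying, do the multiply in 64 bits, and compare unsigned. */
bool hardened_check(uint32_t num_of_devs, int32_t remaining)
{
    if (remaining < 0)
        return false;
    if (num_of_devs > UINT32_MAX / DEV_ENTRY_SIZE)
        return false; /* product would overflow 32 bits: cannot be in the capture */
    uint64_t needed = (uint64_t) DEV_ENTRY_SIZE * num_of_devs;
    return (uint64_t) remaining >= needed;
}

int main(void)
{
    /* Constructed inputs: 0x138 * 13765921 == 2^32 + 56, so the 32-bit
     * product collapses to 56 and a 100-byte remainder "satisfies" the check;
     * 0x138 * 8388608 sets the top bit, so the gint cast makes it negative. */
    uint32_t counts[] = { 2, 13765921u, 8388608u };
    int32_t  remain[] = { 0x270, 100, 0 };
    for (int i = 0; i < 3; i++)
        printf("num_of_devs=%u remaining=%d vulnerable=%d hardened=%d\n",
               counts[i], remain[i],
               vulnerable_check(counts[i], remain[i]),
               hardened_check(counts[i], remain[i]));
    return 0;
}
```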