From 332df929a9966fda2cd3aa30a5a107e5b2bfa360 Mon Sep 17 00:00:00 2001
From: Gerald Combs <gerald@wireshark.org>
Date: Tue, 27 Nov 2018 13:38:10 -0800
Subject: [PATCH] IxVeriWave: Fix a buffer boundary.

Pass the correct buffer size to find_signature so that we don't read
past it.

Bug: 15279
Change-Id: I822ed0fe8b48196dadd9c0062ed53fa1c4f6f404
Reviewed-on: https://code.wireshark.org/review/30809
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Gerald Combs <gerald@wireshark.org>
---
 wiretap/vwr.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/wiretap/vwr.c b/wiretap/vwr.c
index d5b93fa..1e01add 100644
--- a/wiretap/vwr.c
+++ b/wiretap/vwr.c
@@ -2142,9 +2142,10 @@ static gboolean vwr_read_s3_W_rec(vwr_t *vwr, wtap_rec *record,
         end_time = e_time / NS_IN_US;                       /* convert to microseconds first */
 
         /* extract the 32 LSBs of the signature timestamp field */
-        m_ptr = &(rec[stats_offset+8+12]);
+        int m_ptr_offset = stats_offset + 8 + 12;
+        m_ptr = rec + m_ptr_offset;
         pay_off = 42;         /* 24 (MAC) + 8 (SNAP) + IP */
-        sig_off = find_signature(m_ptr, rec_size - 20, pay_off, flow_id, flow_seq);
+        sig_off = find_signature(m_ptr, rec_size - m_ptr_offset, pay_off, flow_id, flow_seq);
         if (m_ptr[sig_off] == 0xdd)
             sig_ts = get_signature_ts(m_ptr, sig_off, rec_size - vVW510021_W_STATS_TRAILER_LEN);
         else
-- 
1.7.12.4