Wireshark ASN.1 aligned PER dissector g_malloc() crash (wnpa-sec-2013-52)

Bug Report and Pcap / Update

The "dissect_per_restricted_character_string_sorted()" function in packet-per.c fails to check the return value of g_malloc() at line 638:

    buf = (guint8 *)g_malloc(length+1);
    old_offset=offset;

If the length variable is set to a large value, e.g. 0xffffffff, the malloc fails and the application crashes with a segmentation fault (invalid write, tested on Linux).

This may result in a write to the address 0x00000000 later in the same function at multiple locations (assignments to buf):

        if((bits_per_char==8) || (alphabet==NULL)){
            buf[char_pos]=val;                  /* <- here */
        } else {
            if (val < alphabet_length){
                buf[char_pos]=alphabet[val];    /* <- here */
            } else {
                buf[char_pos] = '?';    /* XXX - how to mark this? */  /* <- here */
            }
        }

This bug was found by fuzzing the ULP protocol against the latest git version of Wireshark.
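
The missing checks described above, as an added example in C (not Wireshark's code and not the project's actual fix): a simplified model of the character loop that bounds length and tests the allocation before any write to buf. The function names, the MAX_PER_STRING_LEN cap, the use of plain malloc() and the one-byte-per-character input are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed upper bound for one decoded string; the page names no limit. */
#define MAX_PER_STRING_LEN (64u * 1024u)

/* What "length+1" evaluates to if length is a 32-bit unsigned value
 * (assumption): 0xffffffff + 1 wraps around to 0. */
uint32_t alloc_size_32(uint32_t length) { return length + 1u; }

/* Hypothetical model of the loop, one input byte per character.
 * Returns a NUL-terminated buffer (caller frees) or NULL on a bad length. */
uint8_t *decode_chars_checked(const uint8_t *src, size_t src_len, uint32_t length,
                              const char *alphabet, uint32_t alphabet_length)
{
    if (length > MAX_PER_STRING_LEN)   /* rejects 0xffffffff before length+1 */
        return NULL;
    if (length > src_len)              /* claimed length exceeds the data present */
        return NULL;
    uint8_t *buf = malloc((size_t)length + 1);
    if (buf == NULL)                   /* the check the page reports as missing */
        return NULL;
    for (uint32_t char_pos = 0; char_pos < length; char_pos++) {
        uint8_t val = src[char_pos];
        if (alphabet == NULL)
            buf[char_pos] = val;
        else if (val < alphabet_length)
            buf[char_pos] = (uint8_t)alphabet[val];
        else
            buf[char_pos] = '?';
    }
    buf[length] = '\0';
    return buf;
}

int main(void)
{
    const uint8_t data[] = {0, 2, 9};   /* constructed sample input */
    uint8_t *s = decode_chars_checked(data, sizeof data, 3, "abc", 3);
    printf("%s\n", s ? (char *)s : "(rejected)");
    free(s);
    s = decode_chars_checked(data, sizeof data, 0xffffffffu, "abc", 3);
    printf("%s\n", s ? (char *)s : "(rejected)");
    free(s);
    return 0;
}
```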