From e5bde79c0327c98b94610dcdcc968e3deb5b15dd Mon Sep 17 00:00:00 2001
From: Funda Wang <fundawang@yeah.net>
Date: Thu, 4 Dec 2025 09:55:18 +0800
Subject: [PATCH] fix CVE-2025-13946

---
 CVE-2025-13946.patch | 46 ++++++++++++++++++++++++++++++++++++++++++++
 wireshark.spec       |  6 +++++-
 2 files changed, 51 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2025-13946.patch

diff --git a/CVE-2025-13946.patch b/CVE-2025-13946.patch
new file mode 100644
index 0000000..be77c9f
--- /dev/null
+++ b/CVE-2025-13946.patch
@@ -0,0 +1,46 @@
+From e4f3706e1bb9ea0cc710193762be9ab36c18d207 Mon Sep 17 00:00:00 2001
+From: AndersBroman <a.broman58@gmail.com>
+Date: Mon, 1 Dec 2025 08:41:55 +0100
+Subject: [PATCH] MEGACO: Handle tvb_get_uint8 returning -1
+
+When dissecting a media descriptor, handle tvb_get_uint8 returning
+-1 when searching for a left or right bracket and not finding it
+by setting the bracket offset to the end offset so that the loop
+will exit. Leaving it at -1 can cause going backwards and at worst
+infinite loops.
+
+Fix #20884
+
+
+(cherry picked from commit aba1fbe6266beb6bf9b887b6eab008e4f4841c9b)
+
+Co-authored-by: John Thacker <johnthacker@gmail.com>
+---
+ epan/dissectors/packet-megaco.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/epan/dissectors/packet-megaco.c b/epan/dissectors/packet-megaco.c
+index 011e3398f2e..42b606f512a 100644
+--- a/epan/dissectors/packet-megaco.c
++++ b/epan/dissectors/packet-megaco.c
+@@ -1772,8 +1772,15 @@ dissect_megaco_mediadescriptor(tvbuff_t *tvb, proto_tree *megaco_tree_command_li
+         mediaParm = find_megaco_mediaParm_names(tvb, tvb_current_offset, tokenlen);
+ 
+         tvb_LBRKT = tvb_find_uint8(tvb, tvb_next_offset , tvb_last_RBRKT, '{');
+-        tvb_next_offset = tvb_find_uint8(tvb, tvb_current_offset+1 , tvb_last_RBRKT, '}');
+-        tvb_RBRKT = tvb_next_offset;
++        if (tvb_LBRKT == -1) {
++            // Not found, use the end offset.
++            tvb_LBRKT = tvb_last_RBRKT;
++        }
++        tvb_RBRKT = tvb_find_uint8(tvb, tvb_current_offset+1 , tvb_last_RBRKT, '}');
++        if (tvb_RBRKT == -1) {
++            // Not found, use the end offset.
++            tvb_RBRKT = tvb_last_RBRKT;
++        }
+ 
+         switch ( mediaParm ){
+         case MEGACO_LOCAL_TOKEN:
+-- 
+GitLab
+
diff --git a/wireshark.spec b/wireshark.spec
index 84f844b..9d4808e 100644
--- a/wireshark.spec
+++ b/wireshark.spec
@@ -4,7 +4,7 @@
 Summary:	Network traffic analyzer
 Name:		wireshark
 Version:	4.4.10
-Release:	2
+Release:	3
 Epoch:		1
 License:	BSD-1-Clause AND BSD-2-Clause AND BSD-3-Clause AND MIT AND GPL-2.0-or-later AND LGPL-2.0-or-later AND Zlib AND ISC AND (BSD-3-Clause OR GPL-2.0-only) AND (GPL-2.0-or-later AND Zlib)
 Url:		https://www.wireshark.org/
@@ -21,6 +21,7 @@ Patch6:         wireshark-0006-Move-tmp-to-var-tmp.patch
 Patch7:         wireshark-0007-cmakelists.patch
 Patch8:         wireshark-0008-pkgconfig.patch
 Patch9:         CVE-2025-13499.patch
+Patch10:        CVE-2025-13946.patch
 
 Requires:	xdg-utils
 Requires:	hicolor-icon-theme
@@ -198,6 +199,9 @@ fi
 %{_mandir}/man?/*
 
 %changelog
+* Thu Dec 04 2025 Funda Wang <fundawang@yeah.net> - 1:4.4.10-3
+- fix CVE-2025-13946
+
 * Mon Nov 24 2025 yaoxin <1024769339@qq.com> - 1:4.4.10-2
 - Fix CVE-2025-13499
 
-- 
Gitee