commit 44ddc25520
Author: Gerald Combs <gerald@wireshark.org>
Date:   Tue Jan 13 14:47:31 2026 -0800

    Prep for 4.4.13 [skip ci]

commit 825b83e1ed
Author: Gerald Combs <gerald@wireshark.org>
Date:   Mon Jan 12 17:01:48 2026 -0800

    SOME/IP-SD: Fix a buffer overflow

    Make sure we don't write past the end of our option port array. Make our
    option count unsigned.

    Fixes #20945

    (cherry picked from commit 55ec8b3db4968c97115f014fb5974206cdf57454)

    Conflicts:
            epan/dissectors/packet-someip-sd.c

commit e8f38ce4c6
Author: Pascal Quantin <pascal@wireshark.org>
Date:   Tue Jan 13 09:16:09 2026 +0100

    NAS 5GS: fix extended CAG information list dissection

    Some bits were inverted. Fixes #20946

    (cherry picked from commit f3ef7faabddbaaab92406461dd65b149227f0db0)

    Conflicts:
            epan/dissectors/packet-nas_5gs.c

commit f31123dcdb
Author: John Thacker <johnthacker@gmail.com>
Date:   Mon Jan 12 15:28:22 2026 +0000

    QUIC: Update reassembly ID for a new MSP

    When a QUIC frame has more than one MSP, the reassembly id for the
    second MSP has to be used when adding or looking it up, instead of
    the original reassembly id of the first MSP.

    Fixes reassembly of the file in #20944 in most cases, outside of issues
    with out of order UDP packets / QUIC packets.

    (cherry picked from commit 562c3c070c6f58d01904d42338489b1a64ad7655)

    Co-authored-by: John Thacker <johnthacker@gmail.com>

commit 5bfd4035f5
Author: John Thacker <johnthacker@gmail.com>
Date:   Sun Jan 11 03:11:02 2026 +0000

    ieee80211: Avoid using a fixed array for multi-link per-STA subelements

    Since this processes to the end of the TVB, there might be more than 16.
    Simplify the logic and only test for a set link_id in one place. This
    also gets rid of a possible use of an uninitialized value on error.

    Fix #20939, OSS-Fuzz 474458885

    (cherry picked from commit 4b48ee36f1829d6d3d009bf9871af523ce8e3ace)

    Co-authored-by: John Thacker <johnthacker@gmail.com>

commit afda96c2dd
Author: Gerald Combs <gerald@wireshark.org>
Date:   Sun Jan 11 10:17:56 2026 +0000

    [Automatic update for 2026-01-11]

    Update manuf, services enterprise numbers, translations, and other items.

commit b5ae6aaa25
Author: John Thacker <johnthacker@gmail.com>
Date:   Tue Jan 6 12:17:20 2026 -0500

    IDN: Use the 0 array index to avoid a buffer overrun

    Instead of starting a loop variable at 1 and ignoring index 0 of the
    precision array, start at 0 and test with less than. This fixes a
    buffer overrun.

    Add some comments.

    Fix #20936

    (backported from commit 06a915ef8c901e9d0eaf55cde4bd50cdbbe5696c)

commit e5065834c3
Author: Gerald Combs <gerald@wireshark.org>
Date:   Sun Jan 4 10:17:28 2026 +0000

    [Automatic update for 2026-01-04]

    Update manuf, services enterprise numbers, translations, and other items.

commit 3c049ad03d
Author: John Thacker <johnthacker@gmail.com>
Date:   Sat Jan 3 13:23:51 2026 +0000

    QCustomPlot: Qt 6.9 deprecation of QImage::mirrored

    QImage::mirrored(bool, bool) has been replaced with
    QImage::flipped(Qt::Orientations) in Qt 6.9, and it warns
    when using the former. Scheduled for deprecation in Qt 6.13.

    This can be seen in the Fedora package CI pipelines.

    (cherry picked from commit b9427cf48111e6466935442c97695be941132a0f)

    Co-authored-by: John Thacker <johnthacker@gmail.com>

commit 63030db97c
Author: John Thacker <johnthacker@gmail.com>
Date:   Sat Jan 3 12:57:39 2026 +0000

    H.248: Fix a NULL pointer dereference

    dissect_ber_octet_string can return a non-NULL 0 zero length tvb.
    The code here checks for a zero length, but doesn't assign anything
    to curr_info.term->buffer or curr_info.term->str in the zero-length
    case, unlike in the NULL tvb case, where a zero length is also
    assigned.

    Use the same default values for the zero-length tvb case.

    Fixes a NULL pointer dereference in #20932

    (cherry picked from commit 2988e4b91c5a44445abbe6815b7b66995774c912)

    Co-authored-by: John Thacker <johnthacker@gmail.com>

commit 0cfb509d28
Author: Stig Bjørlykke <stig@bjorlykke.org>
Date:   Thu Jan 1 11:03:48 2026 +0000

    Happy New Year 2026

    (cherry picked from commit 6fd52d7432accfb0a491f479c0181abdc381859a)

    Co-authored-by: Stig Bjørlykke <stig@bjorlykke.org>

commit 303efedef2
Author: John Thacker <johnthacker@gmail.com>
Date:   Sun Dec 28 21:40:23 2025 +0000

    thrift: Check for failure in dissect_thrift_t_map

    dissect_thrift_t_field_header can return a failure value that
    needs to be checked here as done elsewhere in the dissector.

    Coverity CID 1677843

    (cherry picked from commit 5d3b200a7a42a99d9ee1ad759a461d2e52e77b93)

    Co-authored-by: John Thacker <johnthacker@gmail.com>

commit bfe9d00e0b
Author: Gerald Combs <gerald@wireshark.org>
Date:   Sun Dec 28 10:17:29 2025 +0000

    [Automatic update for 2025-12-28]

    Update manuf, services enterprise numbers, translations, and other items.

commit f21c559d0d
Author: John Thacker <johnthacker@gmail.com>
Date:   Sat Dec 27 20:44:12 2025 +0000

    DCT2000: Fix uninitialized variable

    In the unlikely case of a frame going from IPv4 to IPv6, fix the
    test of which address length is checked in one place.

    Coverity CID 1677954

    (cherry picked from commit 8aec610670a1f2b8fdf1b9a6b5059719edd3fbcc)

    Co-authored-by: John Thacker <johnthacker@gmail.com>

commit b15e208cd6
Author: John Thacker <johnthacker@gmail.com>
Date:   Tue Dec 23 16:00:07 2025 +0000

    dfilter: Convert FT_SCALAR to FT_UINT64 for non Number types

    Character constants, and literals and strings (the latter two if
    there's a value string) can be converted to FT_INT64 but not
    FT_DOUBLE. So if a FT_SCALAR is requested, try to convert to
    FT_INT64. This prevents some crashes with filters that try to
    divide a FT_ABSOLUTE_TIME or FT_RELATIVE_TIME by character constants,
    literals, or strings:

    frame.time_relative > ${frame.time_relative} / 0.:5
    frame.time_relative > ${frame.time_relative} / "foo"
    frame.time_relative > ${frame.time_relative} / '\x47'

    Before:
            [(none) ERROR] epan/ftypes/ftypes.c:503 -- fvalue_new(): assertion failed: ftype < FT_NUM_TYPES

    [Compiled in Debug mode; a different error if compiled in Release mode
    where asserts are not compiled in]

    for all three.

    After:
    $ ./run/dftest $(cat bad-filter-crash2)
    Filter:
     frame.time_relative > ${frame.time_relative} / "foo"

    Error: Signed integer (64 bits) cannot be converted from a string ("foo").
      frame.time_relative > ${frame.time_relative} / "foo"
                                                     ^~~~~

    for the first two and success for the third:

    ./run/dftest $(cat bad-filter-crash3)
    Filter:
     frame.time_relative > ${frame.time_relative} / '\x47'

    Instructions:
     0000 READ_TREE        frame.time_relative -> R0
     0001 IF_FALSE_GOTO    6
     0002 READ_REFERENCE   ${frame.time_relative} -> R1
     0003 IF_FALSE_GOTO    6
     0004 DIVIDE           R1 / 71          -> R2
     0005 ANY_GT           R0 > R2
     0006 RETURN

    The error messages are perhaps not ideal, but this is better than
    crashing.

    (cherry picked from commit 86e6a478b071b068f718742bdfa57eb72e9d5b4d)

    Co-authored-by: John Thacker <johnthacker@gmail.com>

commit 251d065a8c
Author: John Thacker <johnthacker@gmail.com>
Date:   Mon Dec 22 00:28:43 2025 +0000

    H.265: Fix unintentional integer truncation

    Rec. ITU-T H.265 5.2 Arithmetic operators

            / Integer division with truncation of the result toward zero.
            ÷ Used to denote division in mathematical equations where no
                    truncation or rounding is intended

    7.4.3.2.1 General sequence parameter set RBSP semantics

            PicWidthInCtbsY = Ceil( pic_width_in_luma_samples ÷ CtbSizeY ) (7-15)
            PicHeightInCtbsY = Ceil( pic_height_in_luma_samples ÷ CtbSizeY ) (7-17)

    As this indicates that no truncation or rounding is intended, cast to double
    first to avoid integer truncation.

    Coverity CID 1450796

    (cherry picked from commit 34a022afe8f88b3ea282a38428be10fd0fc7bbef)

    Co-authored-by: John Thacker <johnthacker@gmail.com>

commit 8dbc762c70
Author: Gerald Combs <gerald@wireshark.org>
Date:   Sun Dec 21 10:17:24 2025 +0000

    [Automatic update for 2025-12-21]

    Update manuf, services enterprise numbers, translations, and other items.

commit 82ef856b14
Author: John Thacker <johnthacker@gmail.com>
Date:   Sat Dec 20 11:51:44 2025 +0000

    Qt: Fix QCustomPlot adaptive sampling in one more place

    The fix in 92e652ebfaa65fc31747cf1036fa4ca6832d4527 made two correct
    changes in one branch but missed one of the changes in the second
    branch. Make a change to avoid a possibility of dividing by zero.

    (cherry picked from commit 74f51240d0af7c262e26a0776cdcb98e3ed7a6c5)

    Co-authored-by: John Thacker <johnthacker@gmail.com>

commit 43e159aa5c
Author: John Thacker <johnthacker@gmail.com>
Date:   Sun Dec 14 16:00:37 2025 +0000

    netscreen: Fix return value of parse_netscreen_packet in one case

    Commit 6a140eca7b78b230f1f90a739a32257476513c78 changed a return
    value from an int, with -1 representing failure, to a boolean, but
    -1 is still returned in one place.

    Thanks to Fatih Çelik for reporting this.

    (cherry picked from commit d801ac3b780c809b859cde019cd196e5dad95aa4)

    Co-authored-by: John Thacker <johnthacker@gmail.com>

commit 9e851855ee
Author: Gerald Combs <gerald@wireshark.org>
Date:   Sun Dec 14 10:17:42 2025 +0000

    [Automatic update for 2025-12-14]

    Update manuf, services enterprise numbers, translations, and other items.

commit 6290eabc5b
Author: John Thacker <johnthacker@gmail.com>
Date:   Mon Dec 8 13:31:55 2025 +0000

    observer: Fix saving files

    The tlv_time_info struct does not need to contain the type and length
    fields, which are already contained in the tlv_header struct. They
    are never initialized, and their size is erroneously used to increase
    the TLV size indicated in the TLV header that is written before the
    extra type and length fields. This causes any file written by libwiretap
    to fail to open, with a message like:

            The file "observer_bad.bfr" appears to be damaged or corrupt.
            (Observer: bad record (time information TLV length 12 != 8))

    Cf. with the other tlv value structures, like tlv_network_load,
    tlv_wireless_info, and tlv_capture_start_stop, none of which contain
    the T or L from the TLV, just the V.

    Fix writing Network Instruments/JDSU/Viavi Observer files

    Coverity CID 1499434

    (cherry picked from commit 7ce96f017a72299f92e175a7732532382f4951ca)

    Co-authored-by: John Thacker <johnthacker@gmail.com>

commit 4810187195
Author: Gerald Combs <gerald@wireshark.org>
Date:   Sun Dec 7 10:17:29 2025 +0000

    [Automatic update for 2025-12-07]

    Update manuf, services enterprise numbers, translations, and other items.

commit 17d44bba93
Author: Gerald Combs <gerald@wireshark.org>
Date:   Fri Dec 5 12:30:48 2025 -0800

    Add back "BLF: Validate length of uncompressed segments."

    This reverts commit a76a30a5b099db5e104bd2e25c1bce2e6e8dd250, which
    reverted c99f1188693ddad1e6ff0244ca0cd095619bdda7.

commit 316ae7383f
Author: Gerald Combs <gerald@wireshark.org>
Date:   Fri Dec 5 12:26:47 2025 -0800

    Version: 4.4.12 → 4.4.13 [skip ci]
