Heap-buffer-overflow in reassemble_continuation_state at packet-btsdp.c
## Summary

In Wireshark 3.5.1rc0, the SDP dissector (`packet-btsdp.c`) can crash with a heap-based buffer overflow in `reassemble_continuation_state`. The issue is also present in the latest version, v3.7.0rc0.

## Steps to reproduce

![image](/uploads/85fb34fc03b881854acf2bc82e48eff2/image.png)

At line **1727**, the third argument of `memcpy`, `tid_request->continuation_state_length`, is taken from the packet with no length check. Triggering the bug requires two crafted packets: a *request* and a *response*.

![image](/uploads/be2d8787c673e6152daf1b3e7900ff43/image.png)

- First, the *request* packet inserts the object `tid_request` into the global object `tid_requests`. The field `tid_request->continuation_state_length` is read from the packet by `continuation_state_length = tvb_get_guint8(tvb, offset)`, so it can hold any value from 0 to 255.

![image](/uploads/7ce419a46445aa331ab0ebdc0dc67fce/image.png)

- Second, the *response* packet looks up the stored `tid_request` with `wmem_tree_lookup32_array_le(tid_requests, key)` and passes `tid_request->continuation_state_length` to `memcpy`. When that value is greater than 20, the copy overruns the 20-byte buffer on the heap.

## What is the current bug behavior?

The bug causes out-of-bounds memory reads and writes.

## Relevant logs and/or screenshots

Crash state under ASan:

![image](/uploads/ee466932da0a821701d3f7629e8d2fea/image.png)
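The two-packet flow above, modelled as a small stand-alone C program. This is an added illustration of the bug pattern, not Wireshark's code: the record layout, the assumed packet format (`[tid][cs_len][cs bytes]`), and all function names are assumptions. It shows the unchecked request handler accepting a 200-byte claim, the response-side `memcpy` that would overrun a 20-byte buffer, and the hardened handlers that reject the length both when the request record is created and again before the copy.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added illustration of the report's bug pattern, not Wireshark's code:
 * struct layout, packet format and function names are assumptions. */

#define CONTINUATION_STATE_MAX 20   /* size of the fixed buffer named in the report */

typedef struct {
    uint32_t tid;                        /* transaction id, the lookup key */
    uint8_t  continuation_state_length;  /* taken from the request packet */
    uint8_t  continuation_state[CONTINUATION_STATE_MAX];
} tid_request_t;

/* Assumed request layout: [tid][cs_len][cs_len bytes of continuation state] */

/* Vulnerable request handler: the claimed length (0..255) is stored as-is. */
int store_request_unchecked(tid_request_t *req, const uint8_t *pkt, size_t pkt_len)
{
    if (pkt_len < 2)
        return -1;
    req->tid = pkt[0];
    req->continuation_state_length = pkt[1];   /* no bound against the 20-byte buffer */
    return 0;
}

/* Hardened request handler: refuse a length larger than the buffer or than the
 * bytes actually present, so a bad record never enters the lookup tree. */
int store_request_checked(tid_request_t *req, const uint8_t *pkt, size_t pkt_len)
{
    if (pkt_len < 2)
        return -1;
    uint8_t len = pkt[1];
    if (len > CONTINUATION_STATE_MAX || (size_t)len > pkt_len - 2)
        return -1;                             /* malformed: reject the request */
    req->tid = pkt[0];
    req->continuation_state_length = len;
    memcpy(req->continuation_state, pkt + 2, len);
    return 0;
}

/* Vulnerable response handler: the memcpy length comes from the stored record.
 * With a length above 20 this writes past 'out' (and reads past 'src'). */
size_t reassemble_unchecked(uint8_t out[CONTINUATION_STATE_MAX],
                            const tid_request_t *req, const uint8_t *src)
{
    memcpy(out, src, req->continuation_state_length);
    return req->continuation_state_length;
}

/* Hardened response handler: bound the copy by destination and source size. */
int reassemble_checked(uint8_t out[CONTINUATION_STATE_MAX], const tid_request_t *req,
                       const uint8_t *src, size_t src_len)
{
    size_t len = req->continuation_state_length;
    if (len > CONTINUATION_STATE_MAX || len > src_len)
        return -1;                             /* report malformed instead of copying */
    memcpy(out, src, len);
    return (int)len;
}

/* Constructed sample packets (not captured traffic). */
static const uint8_t benign_request[]    = { 0x01, 0x04, 'a', 'b', 'c', 'd' };
static const uint8_t malicious_request[] = { 0x02, 0xC8 };          /* claims 200 bytes */
static const uint8_t response_cs[]       = { 'w', 'x', 'y', 'z' };  /* 4 bytes available */

/* Benign flow through the hardened path: returns the number of bytes copied. */
int scenario_benign(void)
{
    tid_request_t req;
    uint8_t out[CONTINUATION_STATE_MAX] = {0};
    if (store_request_checked(&req, benign_request, sizeof benign_request) != 0)
        return -1;
    return reassemble_checked(out, &req, response_cs, sizeof response_cs);
}

/* Oversized request against the hardened request handler: 1 if rejected. */
int scenario_request_rejected(void)
{
    tid_request_t req;
    return store_request_checked(&req, malicious_request, sizeof malicious_request) == -1;
}

/* Record that slipped in through the unchecked handler, then reaches the hardened
 * copy: 1 if the copy is refused rather than overflowing 'out'. */
int scenario_copy_refused(void)
{
    tid_request_t req;
    uint8_t out[CONTINUATION_STATE_MAX] = {0};
    if (store_request_unchecked(&req, malicious_request, sizeof malicious_request) != 0)
        return 0;
    if (req.continuation_state_length != 200)
        return 0;
    return reassemble_checked(out, &req, response_cs, sizeof response_cs) == -1;
}

int main(void)
{
    tid_request_t req;
    uint8_t out[CONTINUATION_STATE_MAX] = {0};
    store_request_unchecked(&req, benign_request, sizeof benign_request);
    printf("unchecked copy of benign record: %zu bytes\n",
           reassemble_unchecked(out, &req, response_cs));
    printf("hardened benign flow: %d bytes copied\n", scenario_benign());
    printf("oversized request rejected: %d\n", scenario_request_rejected());
    printf("oversized copy refused: %d\n", scenario_copy_refused());
    /* Passing the 200-byte record to reassemble_unchecked instead is the crash the
     * report describes; build with -fsanitize=address to see ASan flag it. */
    return 0;
}
```

The check at request time is the one that matters for the dissector: rejecting the record before it is inserted into the tree means the response path never sees a length the buffer cannot hold, and the second check in `reassemble_checked` is defence in depth for records that arrive by another route.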