author | bmribler <39579120+bmribler@users.noreply.github.com> | 2020-12-16 13:45:45 (GMT) |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-12-16 13:45:45 (GMT) |
commit | a84a29566c22ab46146f8127ea4289937c59c526 (patch) | |
tree | eccf06cdf63cd9855892307d92d5f2682c17ddff | |
parent | c7ddc1cf954324867410a9c1b7d2caa63706165d (diff) | |
Hdf5 1 8 (#169)
* Fixed HDFFV-10480 and HDFFV-11159
Description
Checked against buffer size to prevent segfault, in case of data corruption.
+ HDFFV-11159 CVE-2018-14033 Buffer over-read in H5O_layout_decode
+ HDFFV-10480 CVE-2018-11206 Buffer over-read in H5O_fill_new[/old]_decode and
A user's patch was applied to this previously, but it is redone
for a more correct fix, that is the check now accounted for the
previous advance of the buffer pointer.
Platforms tested:
Linux/64 (jelly)
* Fixed typo
* Fixed HDFFV-11150
Description
Replaced an HDassert with a check for null pointer in H5O_dec_rc() to
catch null pointer in corrupted data situation.
Reversed the fix in svn-r24463 in which a check for null pointer prior
to calling H5O_dec_rc()
Platforms tested:
Linux/64 (jelly)
-rw-r--r-- | src/H5O.c | 3 |
-rw-r--r-- | src/H5Ocache.c | 2 |
2 files changed, 3 insertions, 2 deletions
@@ -3345,7 +3345,8 @@ H5O_dec_rc(H5O_t *oh) FUNC_ENTER_NOAPI(FAIL) /* check args */ - HDassert(oh); + if (!oh) + HGOTO_ERROR(H5E_ARGS, H5E_BADVALUE, FAIL, "no name") /* Decrement reference count */ oh->rc--; diff --git a/src/H5Ocache.c b/src/H5Ocache.c index 4a2debc..9f1ed3f 100644 --- a/src/H5Ocache.c +++ b/src/H5Ocache.c @@ -1432,7 +1432,7 @@ H5O_chunk_proxy_dest(H5O_chunk_proxy_t *chk_proxy) HDassert(chk_proxy); /* Decrement reference count of object header */ - if (chk_proxy->oh && H5O_dec_rc(chk_proxy->oh) < 0) + if (H5O_dec_rc(chk_proxy->oh) < 0) HGOTO_ERROR(H5E_OHDR, H5E_CANTDEC, FAIL, "can't decrement reference count on object header") /* Release the chunk proxy object */ |
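Review bot: In the H5O_dec_rc() hunk of src/H5O.c, the new NULL check reports the error text "no name" under H5E_ARGS/H5E_BADVALUE, which says nothing about an object header and will mislead anyone reading the error stack produced by a corrupted file. Suggest a message that names the condition, for example "object header pointer is NULL". Because HDassert(oh) is replaced by a runtime check, the function's header comment should also state that a NULL oh is now a handled case that returns FAIL.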
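Review bot: In the H5O_chunk_proxy_dest() hunk of src/H5Ocache.c, dropping the `chk_proxy->oh &&` guard turns a NULL chk_proxy->oh from a skipped decrement into a failure through HGOTO_ERROR, and that jump leaves the normal flow before the "Release the chunk proxy object" step that follows. Please confirm the proxy is still released on this error path, or release it before reporting the error. Also confirm that no legitimate path destroys a proxy whose oh was never set, since this call site will now report "can't decrement reference count on object header" for it.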