authorBinh-Minh Ribler <bmribler@hdfgroup.org>2018-07-17 01:28:27 (GMT)
committerBinh-Minh Ribler <bmribler@hdfgroup.org>2018-07-17 01:28:27 (GMT)
commit073e0b1f0312ac93927e511e2c48d89728e91987 (patch)
tree735b8c9e1798a7163c300751829229c8e64799aa
parent55666ace551369b3d72430c090ab9f1571e1be75 (diff)
Fixed HDFFV-10476, HDFFV-10478, HDFFV-10480
Description: Fixed a potential out-of-bounds read and NULL pointer dereferences. Platforms tested: Linux/64 (jelly) Linux/32 (jam) Darwin (osx1010test)
-rw-r--r--src/H5Ocache.c2
-rw-r--r--src/H5Ofill.c8
-rw-r--r--src/H5Shyper.c5
3 files changed, 11 insertions, 4 deletions
diff --git a/src/H5Ocache.c b/src/H5Ocache.c
index d65942b..59e1705 100644
--- a/src/H5Ocache.c
+++ b/src/H5Ocache.c
@@ -1553,6 +1553,8 @@ H5O__chunk_deserialize(H5O_t *oh, haddr_t addr, size_t len, const uint8_t *image
/* Set object header values */
oh->has_refcount_msg = TRUE;
+ if(!refcount)
+ HGOTO_ERROR(H5E_OHDR, H5E_CANTSET, FAIL, "can't decode refcount")
oh->nlink = *refcount;
} /* end if */
/* Check if message is a link message */
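Review bot: The NULL check on `refcount` sits after `oh->has_refcount_msg = TRUE;`, so on the error path the header is already flagged as carrying a refcount message while `oh->nlink` was never assigned. Moving the two added lines above the flag assignment keeps the object header consistent for any cleanup code that inspects it. The minor code `H5E_CANTSET` also does not match the message "can't decode refcount"; `H5E_CANTDECODE` would describe the failure better, assuming `refcount` comes from a decode call above the hunk. The function starts and ends outside the hunk, so the origin of `refcount` and the `done:` cleanup are not visible here.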
diff --git a/src/H5Ofill.c b/src/H5Ofill.c
index da9829b..8a6004d 100644
--- a/src/H5Ofill.c
+++ b/src/H5Ofill.c
@@ -194,7 +194,7 @@ H5FL_BLK_EXTERN(type_conv);
static void *
H5O_fill_new_decode(H5F_t H5_ATTR_UNUSED *f, H5O_t H5_ATTR_UNUSED *open_oh,
unsigned H5_ATTR_UNUSED mesg_flags, unsigned H5_ATTR_UNUSED *ioflags,
- size_t H5_ATTR_UNUSED p_size, const uint8_t *p)
+ size_t p_size, const uint8_t *p)
{
H5O_fill_t *fill = NULL;
void *ret_value = NULL; /* Return value */
@@ -228,6 +228,8 @@ H5O_fill_new_decode(H5F_t H5_ATTR_UNUSED *f, H5O_t H5_ATTR_UNUSED *open_oh,
INT32DECODE(p, fill->size);
if(fill->size > 0) {
H5_CHECK_OVERFLOW(fill->size, ssize_t, size_t);
+ if((size_t)fill->size > p_size)
+ HGOTO_ERROR(H5E_RESOURCE, H5E_NOSPACE, NULL, "destination buffer too small")
if(NULL == (fill->buf = H5MM_malloc((size_t)fill->size)))
HGOTO_ERROR(H5E_RESOURCE, H5E_NOSPACE, NULL, "memory allocation failed for fill value")
HDmemcpy(fill->buf, p, (size_t)fill->size);
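Review bot: The new bound `(size_t)fill->size > p_size` compares against the size of the whole message, but `p` has already advanced past the fields decoded before this point (at least the 4 bytes consumed by `INT32DECODE(p, fill->size)`), so `HDmemcpy` can still read past the end of the message when `fill->size` is close to `p_size`. Checking against the bytes that remain is tighter: record `const uint8_t *p_end = p + p_size;` on entry and test `if((size_t)fill->size > (size_t)(p_end - p))`. The text "destination buffer too small" is misleading for triage, since it is the source message that is too short; an `H5E_OHDR`/`H5E_OVERFLOW` error with wording such as "fill size exceeds buffer size" would fit better. The identical check added to `H5O_fill_old_decode` in the `@@ -335,6 +337,8 @@` hunk has the same weakness. Both function bodies continue outside their hunks, so any earlier decodes of `p` are not visible and may need the same bound.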
@@ -309,7 +311,7 @@ done:
static void *
H5O_fill_old_decode(H5F_t *f, H5O_t *open_oh,
unsigned H5_ATTR_UNUSED mesg_flags, unsigned H5_ATTR_UNUSED *ioflags,
- size_t H5_ATTR_UNUSED p_size, const uint8_t *p)
+ size_t p_size, const uint8_t *p)
{
H5O_fill_t *fill = NULL; /* Decoded fill value message */
htri_t exists = FALSE;
@@ -335,6 +337,8 @@ H5O_fill_old_decode(H5F_t *f, H5O_t *open_oh,
/* Only decode the fill value itself if there is one */
if(fill->size > 0) {
H5_CHECK_OVERFLOW(fill->size, ssize_t, size_t);
+ if((size_t)fill->size > p_size)
+ HGOTO_ERROR(H5E_RESOURCE, H5E_NOSPACE, NULL, "destination buffer too small")
/* Get the datatype message */
if((exists = H5O_msg_exists_oh(open_oh, H5O_DTYPE_ID)) < 0)
diff --git a/src/H5Shyper.c b/src/H5Shyper.c
index 5653209..e1587b9 100644
--- a/src/H5Shyper.c
+++ b/src/H5Shyper.c
@@ -5903,7 +5903,7 @@ H5S__hyper_make_spans(unsigned rank, const hsize_t *start, const hsize_t *stride
last_span = NULL;
/* Generate all the span segments for this dimension */
- for(u = 0, stride_iter = 0; u < count[i]; u++, stride_iter += stride[i]) {
+ for(u = 0, stride_iter = 0; u < count[i]; u++, stride_iter += stride[i]) {
H5S_hyper_span_t *span; /* New hyperslab span */
/* Allocate a span node */
@@ -5945,7 +5945,8 @@ H5S__hyper_make_spans(unsigned rank, const hsize_t *start, const hsize_t *stride
} /* end for */
/* Indicate that there is a pointer to this tree */
- down->count = 1;
+ if(down)
+ down->count = 1;
/* Success! Return the head of the list in the slowest changing dimension */
ret_value = down;
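Review bot: With the new `if(down)` guard, a NULL `down` falls through to `ret_value = down;` under the "Success!" comment, so the function returns NULL without pushing anything on the error stack. If NULL is also the failure value of `H5S__hyper_make_spans` (its `done:` path is outside the hunk), callers cannot tell an empty span tree from a failure and may dereference the result later. Consider failing explicitly with `if(NULL == down) HGOTO_ERROR(H5E_DATASPACE, H5E_BADVALUE, NULL, "no spans generated")`. Otherwise, add a comment stating that NULL with no error is a valid result, for example when a `count[i]` is zero, and confirm that the callers handle it.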