H5O_dtype_decode_helper: Parent of enum needs to have same size as enum itself (#2237)

The size of the enumeration values is determined by the size of the parent.
Functions accessing the enumeration values use the size of the enumeration
to determine the size of each element and how much data to copy. Thus the
size of the enumeration and its parent need to match.
Check here to avoid unpleasant surprises later.

This fixes CVE-2018-14031 / Bug #2236.

Signed-off-by: Egbert Eich <eich@suse.com>

2 files changed, 28 insertions, 13 deletions

diff --git a/release_docs/RELEASE.txt b/release_docs/RELEASE.txt
index 8e4a3c2..158472c 100644
--- a/release_docs/RELEASE.txt
+++ b/release_docs/RELEASE.txt
@@ -172,19 +172,6 @@ Bug Fixes since HDF5-1.13.3 release
 ===================================
     Library
     -------
-    -  Fix CVE-2018-16438 / GHSA-9xmm-cpf8-rgmx
-
-       Make sure info block for external links has at least 3 bytes.
-    
-       According to the specification, the information block for external links
-       contains 1 byte of version/flag information and two 0 terminated strings
-       for the object linked to and the full path.
-       Although not very useful, the minimum string length for each (with
-       terminating 0) would be one byte.
-       Checking this helps to avoid SEGVs triggered by bogus files.
-
-       (EFE - 2022/10/09 GH-2233)
-
     - Fix CVE-2018-13867 / GHSA-j8jr-chrh-qfrf
  
       Validate location (offset) of the accumulated metadata when comparing.
@@ -199,6 +186,19 @@ Bug Fixes since HDF5-1.13.3 release
       member in the same structure is true the location is valid.
 
       (EFE - 2022/10/10 GH-2230)
+      
+    - Fix CVE-2018-16438 / GHSA-9xmm-cpf8-rgmx
+
+      Make sure info block for external links has at least 3 bytes.
+    
+      According to the specification, the information block for external links
+      contains 1 byte of version/flag information and two 0 terminated strings
+      for the object linked to and the full path.
+      Although not very useful, the minimum string length for each (with
+      terminating 0) would be one byte.
+      Checking this helps to avoid SEGVs triggered by bogus files.
+
+      (EFE - 2022/10/09 GH-2233)
 
     - Fix CVE-2021-45830 / GHSA-5h2h-fjjr-x9m2
 
@@ -213,6 +213,19 @@ Bug Fixes since HDF5-1.13.3 release
 
       (EFE - 2022/10/05 GH-2228)
 
+    - Fix CVE-2018-14031 / GHSA-2xc7-724c-r36j
+
+      Parent of enum datatype message must have the same size as the
+      enum datatype message itself.
+      Functions accessing the enumeration values use the size of the
+      enumeration datatype to determine the size of each element and
+      how much data to copy.
+      Thus the size of the enumeration and its parent need to match.
+      Check in H5O_dtype_decode_helper()  to avoid unpleasant surprises
+      later.
+
+      (EFE - 2022/09/28 GH-2236)
+
     - Fix CVE-2018-17439 / GHSA-vcxv-vp43-rch7
 
       H5IMget_image_info(): Make sure to not exceed local array size
diff --git a/src/H5Odtype.c b/src/H5Odtype.c
index 831344b..870aeac 100644
--- a/src/H5Odtype.c
+++ b/src/H5Odtype.c
@@ -470,6 +470,8 @@ H5O__dtype_decode_helper(unsigned *ioflags /*in,out*/, const uint8_t **pp, H5T_t
                 HGOTO_ERROR(H5E_RESOURCE, H5E_NOSPACE, FAIL, "memory allocation failed")
             if (H5O__dtype_decode_helper(ioflags, pp, dt->shared->parent) < 0)
                 HGOTO_ERROR(H5E_DATATYPE, H5E_CANTDECODE, FAIL, "unable to decode parent datatype")
+            if (dt->shared->parent->shared->size != dt->shared->size)
+                HGOTO_ERROR(H5E_DATATYPE, H5E_BADSIZE, FAIL, "ENUM datatype size does not match parent")
 
             /* Check if the parent of this enum has a version greater than the
              * enum itself. */