authorDana Robinson <43805+derobins@users.noreply.github.com>2023-04-17 01:58:47 (GMT)
committerGitHub <noreply@github.com>2023-04-17 01:58:47 (GMT)
commitcba64e16f79bcfa352197c6956f9cfe246bb49e0 (patch)
tree5b5c7ec9e2f092f2c116872739fb91e1545569e9
parent41b61bfe530a3cce3a89beff18a916e0e543e882 (diff)
Sanitize B-tree k ohdr message decode call (#2754)
* Check buffer bounds * Clean up memory on errors
-rw-r--r--src/H5Obtreek.c33
1 files changed, 20 insertions, 13 deletions
diff --git a/src/H5Obtreek.c b/src/H5Obtreek.c
index ff157da..c21b3b9 100644
--- a/src/H5Obtreek.c
+++ b/src/H5Obtreek.c
@@ -59,33 +59,32 @@ const H5O_msg_class_t H5O_MSG_BTREEK[1] = {{
#define H5O_BTREEK_VERSION 0
/*-------------------------------------------------------------------------
- * Function: H5O__btreek_decode
+ * Function: H5O__btreek_decode
*
- * Purpose: Decode a shared message table message and return a pointer
+ * Purpose: Decode a shared message table message and return a pointer
* to a newly allocated H5O_btreek_t struct.
*
- * Return: Success: Ptr to new message in native struct.
- * Failure: NULL
- *
- * Programmer: Quincey Koziol
- * Mar 1, 2007
- *
+ * Return: Success: Pointer to new message in native struct
+ * Failure: NULL
*-------------------------------------------------------------------------
*/
static void *
-H5O__btreek_decode(H5F_t H5_ATTR_UNUSED *f, H5O_t H5_ATTR_UNUSED *open_oh, unsigned H5_ATTR_UNUSED mesg_flags,
- unsigned H5_ATTR_UNUSED *ioflags, size_t H5_ATTR_UNUSED p_size, const uint8_t *p)
+H5O__btreek_decode(H5F_t H5_ATTR_NDEBUG_UNUSED *f, H5O_t H5_ATTR_UNUSED *open_oh,
+ unsigned H5_ATTR_UNUSED mesg_flags, unsigned H5_ATTR_UNUSED *ioflags, size_t p_size,
+ const uint8_t *p)
{
- H5O_btreek_t *mesg; /* Native message */
- void *ret_value = NULL; /* Return value */
+ const uint8_t *p_end = p + p_size - 1; /* End of input buffer */
+ H5O_btreek_t *mesg = NULL; /* Native message */
+ void *ret_value = NULL; /* Return value */
FUNC_ENTER_PACKAGE
- /* Sanity check */
HDassert(f);
HDassert(p);
/* Version of message */
+ if (H5_IS_BUFFER_OVERFLOW(p, 1, p_end))
+ HGOTO_ERROR(H5E_OHDR, H5E_OVERFLOW, NULL, "ran off end of input buffer while decoding");
if (*p++ != H5O_BTREEK_VERSION)
HGOTO_ERROR(H5E_OHDR, H5E_CANTLOAD, NULL, "bad version number for message")
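Review bot: The initializer `const uint8_t *p_end = p + p_size - 1;` runs before any check on `p_size`, so a zero-length message makes it form `p - 1`, a pointer before the start of the buffer, which is undefined in C even if it is never dereferenced. Whether `H5_IS_BUFFER_OVERFLOW` then rejects that case depends on its definition, which is not visible in this hunk. Because `p_size` presumably reflects a size read from the file being parsed, I would reject the empty message explicitly and only then derive the end pointer, e.g. `if (0 == p_size) HGOTO_ERROR(H5E_OHDR, H5E_OVERFLOW, NULL, "ran off end of input buffer while decoding");` with `p_end` assigned after it. Separately, the header comment still describes a "shared message table message" although this is the B-tree 'K' decoder. The function body continues past the end of this hunk.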
@@ -94,14 +93,22 @@ H5O__btreek_decode(H5F_t H5_ATTR_UNUSED *f, H5O_t H5_ATTR_UNUSED *open_oh, unsig
HGOTO_ERROR(H5E_RESOURCE, H5E_NOSPACE, NULL, "memory allocation failed for v1 B-tree 'K' message")
/* Retrieve non-default B-tree 'K' values */
+ if (H5_IS_BUFFER_OVERFLOW(p, 2, p_end))
+ HGOTO_ERROR(H5E_OHDR, H5E_OVERFLOW, NULL, "ran off end of input buffer while decoding");
UINT16DECODE(p, mesg->btree_k[H5B_CHUNK_ID]);
+ if (H5_IS_BUFFER_OVERFLOW(p, 2, p_end))
+ HGOTO_ERROR(H5E_OHDR, H5E_OVERFLOW, NULL, "ran off end of input buffer while decoding");
UINT16DECODE(p, mesg->btree_k[H5B_SNODE_ID]);
+ if (H5_IS_BUFFER_OVERFLOW(p, 2, p_end))
+ HGOTO_ERROR(H5E_OHDR, H5E_OVERFLOW, NULL, "ran off end of input buffer while decoding");
UINT16DECODE(p, mesg->sym_leaf_k);
/* Set return value */
ret_value = (void *)mesg;
done:
+ if (NULL == ret_value)
+ H5MM_free(mesg);
FUNC_LEAVE_NOAPI(ret_value)
} /* end H5O__btreek_decode() */
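Review bot: The three separate 2-byte checks run after `mesg` has been allocated, so a truncated message costs an allocation that the new `done:` cleanup then has to free. The data after the version byte is three fixed 16-bit fields, so a single check placed before the allocation, `if (H5_IS_BUFFER_OVERFLOW(p, 6, p_end))` with the same `HGOTO_ERROR`, would cover all three `UINT16DECODE` calls and fail earlier. The allocation call itself sits above this hunk, so it is worth confirming that `H5MM_free` is the matching release for it. The diffstat lists only this one file, so a regression test that feeds a truncated B-tree 'K' message would be a useful addition.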