authorBinh-Minh Ribler <bmribler@hdfgroup.org>2020-06-30 06:04:24 (GMT)
committerBinh-Minh Ribler <bmribler@hdfgroup.org>2020-06-30 06:04:24 (GMT)
commit267ff9065ba9f42fec05cdcae0caa90536a04392 (patch)
treee939e3b93db556d85078b7b5ccb767cd9ca6f27f
parent23cc4ce636a096a8f80905f87ee9c2f84f3154b5 (diff)
parentb155a777629e991374fa2f8609719cb861de4cc2 (diff)
Merge pull request #2609 in HDFFV/hdf5 from ~BMRIBLER/hdf5-bmr:develop to develop
Fix HDFFV-11053 (CVE-2020-10810) * commit 'b155a777629e991374fa2f8609719cb861de4cc2': Changed wording in comment. - added comment to explain a kluge - added the associated entry to release notes Fix HDFFV-11053
-rw-r--r--release_docs/RELEASE.txt10
-rw-r--r--src/H5Fsuper.c6
2 files changed, 15 insertions, 1 deletions
diff --git a/release_docs/RELEASE.txt b/release_docs/RELEASE.txt
index 72cab28..d9267e8 100644
--- a/release_docs/RELEASE.txt
+++ b/release_docs/RELEASE.txt
@@ -631,7 +631,15 @@ Bug Fixes since HDF5-1.10.3 release
Library
-------
- - Fixed the decoding of an attribute message to prevent a segfault by h52gif
+ - Fixed CVE-2020-10810
+
+ The tool h5clear produced a segfault during an error recovery in
+ the superblock decoding. An internal pointer was reset to prevent
+ further accessing when it is not assigned with a value.
+
+ (BMR - 2020/6/29, HDFFV-11053)
+
+ - Fixed CVE-2018-17435
The tool h52gif produced a segfault when the size of an attribute
message was corrupted and caused a buffer overflow.
diff --git a/src/H5Fsuper.c b/src/H5Fsuper.c
index e5d4cde..9fd2831 100644
--- a/src/H5Fsuper.c
+++ b/src/H5Fsuper.c
@@ -897,7 +897,13 @@ H5F__super_read(H5F_t *f, H5P_genplist_t *fa_plist, hbool_t initial_read)
}
else {
if(H5F__super_ext_remove_msg(f, H5O_FSINFO_ID) < 0)
+ {
+#if 1 /* bug fix test code -- tidy this up if all goes well */ /* JRM */
+ f->shared->sblock = NULL;
+#endif /* JRM */
+
HGOTO_ERROR(H5E_FILE, H5E_CANTDELETE, FAIL, "error in removing message from superblock extension")
+ }
if(H5F__super_ext_write_msg(f, H5O_FSINFO_ID, &fsinfo, TRUE, H5O_MSG_FLAG_MARK_IF_UNKNOWN) < 0)
HGOTO_ERROR(H5E_FILE, H5E_WRITEERROR, FAIL, "error in writing fsinfo message to superblock extension")
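Review bot: The reset of `f->shared->sblock` covers only the failure of `H5F__super_ext_remove_msg`; the `H5F__super_ext_write_msg` failure two lines below jumps to the same error exit with the pointer still set. If the segfault came from error-recovery code touching `sblock` (that code, like the rest of H5F__super_read, lies outside this hunk, so this is inferred from the release note), a malformed file that passes the remove and fails on the write would presumably still reach it, so the reset belongs on both branches or once at the common exit. The `#if 1 /* bug fix test code -- tidy this up if all goes well */` guard should not ship in a CVE fix: drop the `#if`/`#endif` pair and put the reason on the assignment, e.g. `/* sblock is not validly assigned at this point; clear it so error recovery does not access it (HDFFV-11053) */`. It is also worth confirming that clearing the pointer does not skip a release or unpin of the superblock that the cleanup would otherwise perform.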