diff options
| author | Egbert Eich <eich@suse.com> | 2022-11-11 05:41:53 (GMT) |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2022-11-11 05:41:53 (GMT) |
| commit | 34ec3bb7bc129f52bda4d82601f3bce65426459d (patch) | |
| tree | 27aa5c9065a21991f3aa539c3cc2ac305163eb04 | |
| parent | 1750b4b0af5158009aa2f861c65fb4bf8fc364de (diff) | |
| download | hdf5-34ec3bb7bc129f52bda4d82601f3bce65426459d.zip hdf5-34ec3bb7bc129f52bda4d82601f3bce65426459d.tar.gz hdf5-34ec3bb7bc129f52bda4d82601f3bce65426459d.tar.bz2 | |
Make sure info block for external links has at least 3 bytes (#2234)
According to the specification, the information block for external links
contains 1 byte of version/flag information and two 0 terminated strings
for the object linked to and the full path.
Although not very useful, the minimum string length for each (with
terminating 0) would be one byte.
Checking this will help to avoid SEGVs triggered by bogus files.
This fixes CVE-2018-16438 / Bug #2233.
Signed-off-by: Egbert Eich <eich@suse.com>
| -rw-r--r-- | release_docs/RELEASE.txt | 13 | ||||
| -rw-r--r-- | src/H5Olink.c | 2 |
2 files changed, 15 insertions, 0 deletions
diff --git a/release_docs/RELEASE.txt b/release_docs/RELEASE.txt index a8e9011..8e4a3c2 100644 --- a/release_docs/RELEASE.txt +++ b/release_docs/RELEASE.txt @@ -172,6 +172,19 @@ Bug Fixes since HDF5-1.13.3 release =================================== Library ------- + - Fix CVE-2018-16438 / GHSA-9xmm-cpf8-rgmx + + Make sure info block for external links has at least 3 bytes. + + According to the specification, the information block for external links + contains 1 byte of version/flag information and two 0 terminated strings + for the object linked to and the full path. + Although not very useful, the minimum string length for each (with + terminating 0) would be one byte. + Checking this helps to avoid SEGVs triggered by bogus files. + + (EFE - 2022/10/09 GH-2233) + - Fix CVE-2018-13867 / GHSA-j8jr-chrh-qfrf Validate location (offset) of the accumulated metadata when comparing. diff --git a/src/H5Olink.c b/src/H5Olink.c index 6146bbb..dabf87e 100644 --- a/src/H5Olink.c +++ b/src/H5Olink.c @@ -239,6 +239,8 @@ H5O__link_decode(H5F_t *f, H5O_t H5_ATTR_UNUSED *open_oh, unsigned H5_ATTR_UNUSE /* A UD link. Get the user-supplied data */ UINT16DECODE(p, len) + if (lnk->type == H5L_TYPE_EXTERNAL && len < 3) + HGOTO_ERROR(H5E_OHDR, H5E_OVERFLOW, NULL, "external link information length < 3") lnk->u.ud.size = len; if (len > 0) { /* Make sure that length doesn't exceed buffer size, which could |