author | Binh-Minh Ribler <bmribler@hdfgroup.org> | 2019-01-06 07:44:40 (GMT) |
---|---|---|
committer | Binh-Minh Ribler <bmribler@hdfgroup.org> | 2019-01-06 07:44:40 (GMT) |
commit | e1b59919bb96f68f3b372a73790ecbe4ac3b395a (patch) | |
tree | 902f79acaaee687f4fb60926c271fee0cf7e6469 | |
parent | 40c55f24ecbdd322fba527d768689fbdbd268374 (diff) | |
HDFFV-10578 and HDFFV-10676
Description:
HDFFV-10578 - CVE-2018-17234
The file has some issues; however, there was a bug in h5dump that caused
memory leaks after the problem in the file was encountered. The bug
was that an if statement was missing in the function table_list_add()
resulting in the memory not being freed at a later time.
After the fix had been applied, there were no more leaks after h5dump
detected the issue in the file and reported the error.
In H5O__chunk_deserialize, replaced an assert with an if statement
and reporting error, per Neil's recommendation
HDFFV-10676 - CVE-2018-13873
Also in H5O__chunk_deserialize, added an assertion to detect
out of bound ids
-rw-r--r-- | src/H5Ocache.c | 5 | ||||
-rw-r--r-- | tools/src/h5dump/h5dump.c | 7 |
2 files changed, 8 insertions, 4 deletions
diff --git a/src/H5Ocache.c b/src/H5Ocache.c index fba4f6e..034048f 100644 --- a/src/H5Ocache.c +++ b/src/H5Ocache.c @@ -1390,7 +1390,8 @@ H5O__chunk_deserialize(H5O_t *oh, haddr_t addr, size_t len, const uint8_t *image /* Message size */ UINT16DECODE(chunk_image, mesg_size); - HDassert(mesg_size == H5O_ALIGN_OH(oh, mesg_size)); + if(mesg_size != H5O_ALIGN_OH(oh, mesg_size)) + HGOTO_ERROR(H5E_OHDR, H5E_CANTLOAD, FAIL, "message not aligned") /* Message flags */ flags = *chunk_image++; @@ -1402,6 +1403,8 @@ H5O__chunk_deserialize(H5O_t *oh, haddr_t addr, size_t len, const uint8_t *image HGOTO_ERROR(H5E_OHDR, H5E_CANTLOAD, FAIL, "bad flag combination for message") if((flags & H5O_MSG_FLAG_WAS_UNKNOWN) && !(flags & H5O_MSG_FLAG_MARK_IF_UNKNOWN)) HGOTO_ERROR(H5E_OHDR, H5E_CANTLOAD, FAIL, "bad flag combination for message") + + HDassert(id < NELMTS(H5O_msg_class_g)); if((flags & H5O_MSG_FLAG_SHAREABLE) && H5O_msg_class_g[id] && !(H5O_msg_class_g[id]->share_flags & H5O_SHARE_IS_SHARABLE)) diff --git a/tools/src/h5dump/h5dump.c b/tools/src/h5dump/h5dump.c index b9e37e8..5267188 100644 --- a/tools/src/h5dump/h5dump.c +++ b/tools/src/h5dump/h5dump.c @@ -407,9 +407,10 @@ table_list_add(hid_t oid, unsigned long file_no) } if(init_objs(oid, &info, &table_list.tables[idx].group_table, &table_list.tables[idx].dset_table, &table_list.tables[idx].type_table) < 0) { - H5Idec_ref(oid); - table_list.nused--; - return -1; + if (H5Idec_ref(oid) < 0) { + table_list.nused--; + return -1; + } } #ifdef H5DUMP_DEBUG |
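Review bot: In the second hunk of src/H5Ocache.c (@@ -1402), the added `HDassert(id < NELMTS(H5O_msg_class_g));` does not guard the `H5O_msg_class_g[id]` read on the next line in builds where assertions are compiled out, and where they are enabled a malformed file aborts the process instead of returning an error. The commit message ties this check to CVE-2018-13873, so `id` is presumably taken from the file being parsed. The first hunk of this same commit already swaps an HDassert for a runtime check for that kind of input. Putting the bound into the condition keeps today's behaviour for in-range ids: `if((flags & H5O_MSG_FLAG_SHAREABLE) && id < NELMTS(H5O_msg_class_g) && H5O_msg_class_g[id]` with the rest of the condition unchanged. Whether an out-of-range id should instead fail through HGOTO_ERROR depends on how the rest of H5O__chunk_deserialize handles unknown message types, which is outside the hunk.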
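Review bot: In tools/src/h5dump/h5dump.c (@@ -407), a failing `init_objs()` is now reported to the caller only when `H5Idec_ref(oid)` also fails. When the release succeeds, control falls out of the block and table_list_add continues as if the tables had been built, with the slot still counted in `nused` and the reference on `oid` already dropped. The rest of the function is outside the hunk, so it is not visible what it returns on that path or whether later cleanup releases `oid` a second time. If keeping the slot is deliberate so that its tables are freed later, say so in place, for example `/* init_objs() failed: keep the slot so its tables are freed with the list; fail only if the id release fails too */`. Callers would still benefit from seeing the init_objs failure, which needs the partially built tables released here before `return -1;`.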