diff options
| author | Larry Knox <lrknox@hdfgroup.org> | 2018-05-11 19:53:26 (GMT) |
|---|---|---|
| committer | Larry Knox <lrknox@hdfgroup.org> | 2018-05-11 19:53:26 (GMT) |
| commit | 00f42b152636696f59adb41c527424196c747e2c (patch) | |
| tree | e2e73a79bcbc8f3c1d2087e83d3ebc6d6d604396 | |
| parent | ab70b0e7c2fabe222f3c2093164f9e29f2c22c66 (diff) | |
| parent | 878537c9cb639e84ae67c65729620cee541c253b (diff) | |
| download | hdf5-00f42b152636696f59adb41c527424196c747e2c.zip hdf5-00f42b152636696f59adb41c527424196c747e2c.tar.gz hdf5-00f42b152636696f59adb41c527424196c747e2c.tar.bz2 | |
Merge pull request #1053 in HDFFV/hdf5 from ~LRKNOX/hdf5_lrk:hdf5_1_8 to hdf5_1_8
* commit '878537c9cb639e84ae67c65729620cee541c253b':
Added a "won't fix" RELEASE.txt entry for HDFFV-10356.
Fix for HDFFV-10357 (CVE-2017-17508).
| -rw-r--r-- | release_docs/RELEASE.txt | 35 | ||||
| -rw-r--r-- | src/H5T.c | 5 |
2 files changed, 40 insertions, 0 deletions
diff --git a/release_docs/RELEASE.txt b/release_docs/RELEASE.txt index ebdb5f8..30b148a 100644 --- a/release_docs/RELEASE.txt +++ b/release_docs/RELEASE.txt @@ -174,6 +174,41 @@ Bug Fixes since HDF5-1.8.20 (DER - 2018/02/26, HDFFV-10355) + - If an HDF5 file contains a malformed compound datatype with a + suitably large offset, the type conversion code can run off + the end of the type conversion buffer, causing a segmentation + fault. + + This issue was reported to The HDF Group as issue #CVE-2017-17507. + + NOTE: The HDF5 C library cannot produce such a file. This condition + should only occur in a corrupt (or deliberately altered) file + or a file created by third-party software. + + THE HDF GROUP WILL NOT FIX THIS BUG AT THIS TIME + + Fixing this problem would involve updating the publicly visible + H5T_conv_t function pointer typedef and versioning the API calls + which use it. We normally only modify the public API during + major releases, so this bug will not be fixed at this time. + + (DER - 2018/02/26, HDFFV-10356) + + - If an HDF5 file contains a malformed compound type which contains + a member of size zero, a division by zero error will occur while + processing the type. + + This issue was reported to The HDF Group as issue #CVE-2017-17508. + + NOTE: The HDF5 C library cannot produce such a file. This condition + should only occur in a corrupt (or deliberately altered) file + or a file created by third-party software. + + Checking for zero before dividing fixes the problem. Instead of the + division by zero, the normal HDF5 error handling is invoked. + + (DER - 2018/02/26, HDFFV-10357) + Configuration ------------- - CMake @@ -5174,6 +5174,11 @@ H5T_set_loc(H5T_t *dt, H5F_t *f, H5T_loc_t loc) /* Check if the field changed size */ if(old_size != memb_type->shared->size) { + + /* Fail if the old_size is zero */ + if (0 == old_size) + HGOTO_ERROR(H5E_DATATYPE, H5E_BADVALUE, FAIL, "old_size of zero would cause division by zero"); + /* Adjust the size of the member */ dt->shared->u.compnd.memb[i].size = (dt->shared->u.compnd.memb[i].size*memb_type->shared->size)/old_size; |