summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorEgbert Eich <eich@suse.com>2022-11-11 06:05:00 (GMT)
committerGitHub <noreply@github.com>2022-11-11 06:05:00 (GMT)
commit0f94940f1a9ae95de38b70709eb413511b76c73b (patch)
tree6ddf84feb36d47b7849b024250dd2cd8321b8b26
parent34ec3bb7bc129f52bda4d82601f3bce65426459d (diff)
downloadhdf5-0f94940f1a9ae95de38b70709eb413511b76c73b.zip
hdf5-0f94940f1a9ae95de38b70709eb413511b76c73b.tar.gz
hdf5-0f94940f1a9ae95de38b70709eb413511b76c73b.tar.bz2
H5O_dtype_decode_helper: Parent of enum needs to have same size as enum itself (#2237)
The size of the enumeration values is determined by the size of the parent. Functions accessing the enumeration values use the size of the enumeration to determine the size of each element and how much data to copy. Thus the size of the enumeration and its parent need to match. Check here to avoid unpleasant surprises later. This fixes CVE-2018-14031 / Bug #2236. Signed-off-by: Egbert Eich <eich@suse.com>
-rw-r--r--release_docs/RELEASE.txt39
-rw-r--r--src/H5Odtype.c2
2 files changed, 28 insertions, 13 deletions
diff --git a/release_docs/RELEASE.txt b/release_docs/RELEASE.txt
index 8e4a3c2..158472c 100644
--- a/release_docs/RELEASE.txt
+++ b/release_docs/RELEASE.txt
@@ -172,19 +172,6 @@ Bug Fixes since HDF5-1.13.3 release
===================================
Library
-------
- - Fix CVE-2018-16438 / GHSA-9xmm-cpf8-rgmx
-
- Make sure info block for external links has at least 3 bytes.
-
- According to the specification, the information block for external links
- contains 1 byte of version/flag information and two 0 terminated strings
- for the object linked to and the full path.
- Although not very useful, the minimum string length for each (with
- terminating 0) would be one byte.
- Checking this helps to avoid SEGVs triggered by bogus files.
-
- (EFE - 2022/10/09 GH-2233)
-
- Fix CVE-2018-13867 / GHSA-j8jr-chrh-qfrf
Validate location (offset) of the accumulated metadata when comparing.
@@ -199,6 +186,19 @@ Bug Fixes since HDF5-1.13.3 release
member in the same structure is true the location is valid.
(EFE - 2022/10/10 GH-2230)
+
+ - Fix CVE-2018-16438 / GHSA-9xmm-cpf8-rgmx
+
+ Make sure info block for external links has at least 3 bytes.
+
+ According to the specification, the information block for external links
+ contains 1 byte of version/flag information and two 0 terminated strings
+ for the object linked to and the full path.
+ Although not very useful, the minimum string length for each (with
+ terminating 0) would be one byte.
+ Checking this helps to avoid SEGVs triggered by bogus files.
+
+ (EFE - 2022/10/09 GH-2233)
- Fix CVE-2021-45830 / GHSA-5h2h-fjjr-x9m2
@@ -213,6 +213,19 @@ Bug Fixes since HDF5-1.13.3 release
(EFE - 2022/10/05 GH-2228)
+ - Fix CVE-2018-14031 / GHSA-2xc7-724c-r36j
+
+ Parent of enum datatype message must have the same size as the
+ enum datatype message itself.
+ Functions accessing the enumeration values use the size of the
+ enumeration datatype to determine the size of each element and
+ how much data to copy.
+ Thus the size of the enumeration and its parent need to match.
+ Check in H5O_dtype_decode_helper() to avoid unpleasant surprises
+ later.
+
+ (EFE - 2022/09/28 GH-2236)
+
- Fix CVE-2018-17439 / GHSA-vcxv-vp43-rch7
H5IMget_image_info(): Make sure to not exceed local array size
diff --git a/src/H5Odtype.c b/src/H5Odtype.c
index 831344b..870aeac 100644
--- a/src/H5Odtype.c
+++ b/src/H5Odtype.c
@@ -470,6 +470,8 @@ H5O__dtype_decode_helper(unsigned *ioflags /*in,out*/, const uint8_t **pp, H5T_t
HGOTO_ERROR(H5E_RESOURCE, H5E_NOSPACE, FAIL, "memory allocation failed")
if (H5O__dtype_decode_helper(ioflags, pp, dt->shared->parent) < 0)
HGOTO_ERROR(H5E_DATATYPE, H5E_CANTDECODE, FAIL, "unable to decode parent datatype")
+ if (dt->shared->parent->shared->size != dt->shared->size)
+ HGOTO_ERROR(H5E_DATATYPE, H5E_BADSIZE, FAIL, "ENUM datatype size does not match parent")
/* Check if the parent of this enum has a version greater than the
* enum itself. */