diff options
| author | Egbert Eich <eich@suse.com> | 2022-12-02 05:04:42 (GMT) |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2022-12-02 05:04:42 (GMT) |
| commit | 4e0277c35a5a6e8eb84058a905efa06bb3915985 (patch) | |
| tree | 08e110d8f92bdd3ecdb41ed42c075667e2b27145 | |
| parent | 96a4e101023d0926f714e2dbec2e4ffca45abc16 (diff) | |
| download | hdf5-4e0277c35a5a6e8eb84058a905efa06bb3915985.zip hdf5-4e0277c35a5a6e8eb84058a905efa06bb3915985.tar.gz hdf5-4e0277c35a5a6e8eb84058a905efa06bb3915985.tar.bz2 | |
Report error if dimensions of chunked storage in data layout < 2 (#2241)
For Data Layout Messages version 1 & 2 the specification state
that the value stored in the data field is 1 greater than the
number of dimensions in the dataspace. For version 3 this is
not explicitly stated but the implementation suggests it to be
the case.
Thus the set value needs to be at least 2. For dimensionality
< 2 an out-of-bounds access occurs as in CVE-2021-45833.
This fixes CVE-2021-45833 / Bug #2240.
Signed-off-by: Egbert Eich <eich@suse.com>
Signed-off-by: Egbert Eich <eich@suse.com>
Co-authored-by: Larry Knox <lrknox@hdfgroup.org>
| -rw-r--r-- | release_docs/RELEASE.txt | 15 | ||||
| -rw-r--r-- | src/H5Olayout.c | 4 |
2 files changed, 18 insertions, 1 deletions
diff --git a/release_docs/RELEASE.txt b/release_docs/RELEASE.txt index 158472c..7013cbc 100644 --- a/release_docs/RELEASE.txt +++ b/release_docs/RELEASE.txt @@ -213,6 +213,20 @@ Bug Fixes since HDF5-1.13.3 release (EFE - 2022/10/05 GH-2228) + - Fix CVE-2021-45833 / GHSA-x57p-jwp6-4v79 + + Report error if dimensions of chunked storage in data layout < 2 + + For Data Layout Messages version 1 & 2 the specification state + that the value stored in the data field is 1 greater than the + number of dimensions in the dataspace. For version 3 this is + not explicitly stated but the implementation suggests it to be + the case. + Thus the set value needs to be at least 2. For dimensionality + < 2 an out-of-bounds access occurs. + + (EFE - 2022/09/28 GH-2240) + - Fix CVE-2018-14031 / GHSA-2xc7-724c-r36j Parent of enum datatype message must have the same size as the @@ -238,7 +252,6 @@ Bug Fixes since HDF5-1.13.3 release (EFE - 2022/09/27 HDFFV-10589, GH-2226) - Java Library ------------ - diff --git a/src/H5Olayout.c b/src/H5Olayout.c index f7bbb5b..595c73e 100644 --- a/src/H5Olayout.c +++ b/src/H5Olayout.c @@ -167,6 +167,8 @@ H5O__layout_decode(H5F_t *f, H5O_t H5_ATTR_UNUSED *open_oh, unsigned H5_ATTR_UNU p += ndims * 4; /* Skip over dimension sizes (32-bit quantities) */ } /* end if */ else { + if (ndims < 2) + HGOTO_ERROR(H5E_OHDR, H5E_OVERFLOW, NULL, "bad dimensions for chunked storage") mesg->u.chunk.ndims = ndims; for (u = 0; u < ndims; u++) UINT32DECODE(p, mesg->u.chunk.dim[u]); @@ -240,6 +242,8 @@ H5O__layout_decode(H5F_t *f, H5O_t H5_ATTR_UNUSED *open_oh, unsigned H5_ATTR_UNU mesg->u.chunk.ndims = *p++; if (mesg->u.chunk.ndims > H5O_LAYOUT_NDIMS) HGOTO_ERROR(H5E_OHDR, H5E_CANTLOAD, NULL, "dimensionality is too large") + if (mesg->u.chunk.ndims < 2) + HGOTO_ERROR(H5E_OHDR, H5E_OVERFLOW, NULL, "bad dimensions for chunked storage") /* B-tree address */ H5F_addr_decode(f, &p, &(mesg->storage.u.chunk.idx_addr)); |