diff options
author | Dana Robinson <derobins@hdfgroup.org> | 2018-02-27 04:16:13 (GMT) |
---|---|---|
committer | Dana Robinson <derobins@hdfgroup.org> | 2018-02-27 04:16:13 (GMT) |
commit | ce005900d6ad539cc7556ab225b771d24632f4f1 (patch) | |
tree | fe1eedb554b5024f911ab39994ccd4db8e63687d | |
parent | 9ea358d971ae45698dba6794583a39c4023085ad (diff) | |
download | hdf5-ce005900d6ad539cc7556ab225b771d24632f4f1.zip hdf5-ce005900d6ad539cc7556ab225b771d24632f4f1.tar.gz hdf5-ce005900d6ad539cc7556ab225b771d24632f4f1.tar.bz2 |
Fix for HDFFV-10357 (CVE-2017-17508).
-rw-r--r-- | release_docs/RELEASE.txt | 15 | ||||
-rw-r--r-- | src/H5T.c | 5 |
2 files changed, 20 insertions, 0 deletions
diff --git a/release_docs/RELEASE.txt b/release_docs/RELEASE.txt index 4675423..480bb14 100644 --- a/release_docs/RELEASE.txt +++ b/release_docs/RELEASE.txt @@ -232,6 +232,21 @@ Bug Fixes since HDF5-1.10.1 release (DER - 2017/11/21, HDFFV-10330) + - If an HDF5 file contains a malformed compound type which contains + a member of size zero, a division by zero error will occur while + processing the type. + + This issue was reported to The HDF Group as issue #CVE-2017-17508. + + NOTE: The HDF5 C library cannot produce such a file. This condition + should only occur in a corrupt (or deliberately altered) file + or a file created by third-party software. + + Checking for zero before dividing fixes the problem. Instead of the + division by zero, the normal HDF5 error handling is invoked. + + (DER - 2018/02/26, HDFFV-10357) + Configuration ------------- - CMake @@ -5211,6 +5211,11 @@ H5T_set_loc(H5T_t *dt, H5F_t *f, H5T_loc_t loc) /* Check if the field changed size */ if(old_size != memb_type->shared->size) { + + /* Fail if the old_size is zero */ + if (0 == old_size) + HGOTO_ERROR(H5E_DATATYPE, H5E_BADVALUE, FAIL, "old_size of zero would cause division by zero"); + /* Adjust the size of the member */ dt->shared->u.compnd.memb[i].size = (dt->shared->u.compnd.memb[i].size*memb_type->shared->size)/old_size; |