authorRay Lu <songyulu@hdfgroup.org>2018-11-19 23:20:06 (GMT)
committerRay Lu <songyulu@hdfgroup.org>2018-11-19 23:20:06 (GMT)
commit160107a97c30a759ffd4ba7fe13284d24d349301 (patch)
treef602b020e31b620c09936ada9ce0d3e5bf024b49
parente9125d6a9960a588244998e959598a27d3c8d352 (diff)
parentc923cdad6e515c842f3795a5b6d754ad94021e09 (diff)
Merge pull request #1335 in HDFFV/hdf5 from ~SONGYULU/hdf5_ray:bugfix/HDFFV-10571-cve-2018-17237-divided-by-zero to develop
* commit 'c923cdad6e515c842f3795a5b6d754ad94021e09': HDFFV-10571: Minor format changes. HDFFV-10571: Minor change - reformatting the error check. HDFFV-10571: Minor change - adding the error check right after decoding of chunk dimension for safeguard. HDFFV-10571: Minor change - revised the comment to be clearer. HDFFV-10571 Divided by Zero vulnerability. Minor fix: I added an error check to make sure the chunk size is not zero.
-rw-r--r--src/H5Dchunk.c3
-rw-r--r--src/H5Olayout.c8
2 files changed, 10 insertions, 1 deletions
diff --git a/src/H5Dchunk.c b/src/H5Dchunk.c
index cb6b925..91f3b91 100644
--- a/src/H5Dchunk.c
+++ b/src/H5Dchunk.c
@@ -695,6 +695,9 @@ H5D__chunk_set_info_real(H5O_layout_chunk_t *layout, unsigned ndims,
/* Compute the # of chunks in dataset dimensions */
for(u = 0, layout->nchunks = 1, layout->max_nchunks = 1; u < ndims; u++) {
+ /* Sanity check */
+ HDassert(layout->dim[u] > 0);
+
/* Round up to the next integer # of chunks, to accommodate partial chunks */
layout->chunks[u] = ((curr_dims[u] + layout->dim[u]) - 1) / layout->dim[u];
if(H5S_UNLIMITED == max_dims[u])
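Review bot: The added `HDassert(layout->dim[u] > 0)` only protects builds where assertions are enabled; if HDassert is compiled out in production builds, as assert-style macros usually are, the division by `layout->dim[u]` two lines below is still unguarded. The decode-time check in H5Olayout.c covers only that one path, so any caller reaching this loop with a layout built another way would rely on the assert alone. If the function can report failure (its return type and error path are outside this hunk), a runtime check would be safer, for example `if(layout->dim[u] == 0) HGOTO_ERROR(H5E_DATASET, H5E_BADVALUE, FAIL, "chunk dimension must be positive: dim[%u] = 0", u)`.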
diff --git a/src/H5Olayout.c b/src/H5Olayout.c
index 5f16837..2b65e0c 100644
--- a/src/H5Olayout.c
+++ b/src/H5Olayout.c
@@ -243,9 +243,15 @@ H5O__layout_decode(H5F_t *f, H5O_t H5_ATTR_UNUSED *open_oh,
H5F_addr_decode(f, &p, &(mesg->storage.u.chunk.idx_addr));
/* Chunk dimensions */
- for(u = 0; u < mesg->u.chunk.ndims; u++)
+ for(u = 0; u < mesg->u.chunk.ndims; u++) {
UINT32DECODE(p, mesg->u.chunk.dim[u]);
+ /* Just in case that something goes very wrong, such as file corruption. */
+ if(mesg->u.chunk.dim[u] == 0)
+ HGOTO_ERROR(H5E_DATASET, H5E_BADVALUE, NULL, "chunk dimension must be positive: mesg->u.chunk.dim[%u] = %u",
+ u, mesg->u.chunk.dim[u])
+ } /* end for */
+
/* Compute chunk size */
for(u = 1, mesg->u.chunk.size = mesg->u.chunk.dim[0]; u < mesg->u.chunk.ndims; u++)
mesg->u.chunk.size *= mesg->u.chunk.dim[u];
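Review bot: The "Compute chunk size" loop at the end of this hunk still multiplies file-supplied dimensions with no overflow check, so the new non-zero test on each `dim[u]` does not guarantee a non-zero or meaningful `mesg->u.chunk.size`. If `size` is a 32-bit field (its declaration is not visible here), a product of valid non-zero dimensions can wrap to a small value or to zero. Consider bracing the loop and rejecting the message before the multiply, e.g. `if(mesg->u.chunk.dim[u] > UINT32_MAX / mesg->u.chunk.size) HGOTO_ERROR(H5E_DATASET, H5E_BADVALUE, NULL, "chunk size exceeds 32 bits")`. The loop also reads `dim[0]` unconditionally, so it is worth confirming that `ndims` is validated as at least 1 earlier in H5O__layout_decode. Any other version branches of that function that decode chunk dimensions need the same zero check; both points lie outside this hunk.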