diff options
author | Ray Lu <songyulu@hdfgroup.org> | 2018-11-19 23:20:06 (GMT) |
---|---|---|
committer | Ray Lu <songyulu@hdfgroup.org> | 2018-11-19 23:20:06 (GMT) |
commit | 160107a97c30a759ffd4ba7fe13284d24d349301 (patch) | |
tree | f602b020e31b620c09936ada9ce0d3e5bf024b49 | |
parent | e9125d6a9960a588244998e959598a27d3c8d352 (diff) | |
parent | c923cdad6e515c842f3795a5b6d754ad94021e09 (diff) | |
download | hdf5-160107a97c30a759ffd4ba7fe13284d24d349301.zip hdf5-160107a97c30a759ffd4ba7fe13284d24d349301.tar.gz hdf5-160107a97c30a759ffd4ba7fe13284d24d349301.tar.bz2 |
Merge pull request #1335 in HDFFV/hdf5 from ~SONGYULU/hdf5_ray:bugfix/HDFFV-10571-cve-2018-17237-divided-by-zero to develop
* commit 'c923cdad6e515c842f3795a5b6d754ad94021e09':
HDFFV-10571: Minor format changes.
HDFFV-10571: Minor change - reformatting the error check.
HDFFV-10571: Minor change - adding the error check right after decoding of chunk dimension for safeguard.
HDFFV-10571: Minor change - revised the comment to be clearer.
HDFFV-10571 Divided by Zero vulnerability. Minor fix: I added an error check to make sure the chunk size is not zero.
-rw-r--r-- | src/H5Dchunk.c | 3 | ||||
-rw-r--r-- | src/H5Olayout.c | 8 |
2 files changed, 10 insertions, 1 deletions
diff --git a/src/H5Dchunk.c b/src/H5Dchunk.c index cb6b925..91f3b91 100644 --- a/src/H5Dchunk.c +++ b/src/H5Dchunk.c @@ -695,6 +695,9 @@ H5D__chunk_set_info_real(H5O_layout_chunk_t *layout, unsigned ndims, /* Compute the # of chunks in dataset dimensions */ for(u = 0, layout->nchunks = 1, layout->max_nchunks = 1; u < ndims; u++) { + /* Sanity check */ + HDassert(layout->dim[u] > 0); + /* Round up to the next integer # of chunks, to accommodate partial chunks */ layout->chunks[u] = ((curr_dims[u] + layout->dim[u]) - 1) / layout->dim[u]; if(H5S_UNLIMITED == max_dims[u]) diff --git a/src/H5Olayout.c b/src/H5Olayout.c index 5f16837..2b65e0c 100644 --- a/src/H5Olayout.c +++ b/src/H5Olayout.c @@ -243,9 +243,15 @@ H5O__layout_decode(H5F_t *f, H5O_t H5_ATTR_UNUSED *open_oh, H5F_addr_decode(f, &p, &(mesg->storage.u.chunk.idx_addr)); /* Chunk dimensions */ - for(u = 0; u < mesg->u.chunk.ndims; u++) + for(u = 0; u < mesg->u.chunk.ndims; u++) { UINT32DECODE(p, mesg->u.chunk.dim[u]); + /* Just in case that something goes very wrong, such as file corruption. */ + if(mesg->u.chunk.dim[u] == 0) + HGOTO_ERROR(H5E_DATASET, H5E_BADVALUE, NULL, "chunk dimension must be positive: mesg->u.chunk.dim[%u] = %u", + u, mesg->u.chunk.dim[u]) + } /* end for */ + /* Compute chunk size */ for(u = 1, mesg->u.chunk.size = mesg->u.chunk.dim[0]; u < mesg->u.chunk.ndims; u++) mesg->u.chunk.size *= mesg->u.chunk.dim[u]; |