authorDana Robinson <43805+derobins@users.noreply.github.com>2023-08-02 20:59:26 (GMT)
committerGitHub <noreply@github.com>2023-08-02 20:59:26 (GMT)
commit11e28fe8b84586eb6d99339f45ff3e502e2c5b60 (patch)
treeb17c281c30e1946d6d062551f07a6b4bc196d781
parentf5c3963c18ef148622d620691dc9d202aa0b95ed (diff)
Fix CVE-2018-11202 (#3330)
A malformed file could result in chunk index memory leaks. Under most conditions (i.e., when the --enable-using-memchecker option is NOT used), this would result in a small memory leak and an infinite loop and abort when shutting down the library. The infinite loop would be due to the "free list" package not being able to clear its resources, so the library couldn't shut down. When the "using a memory checker" option is used, the free lists are disabled, so there is just a memory leak with no abort on library shutdown. The chunk index resources are now correctly cleaned up when reading misparsed files, and valgrind confirms no memory leaks.
-rw-r--r--release_docs/RELEASE.txt14
-rw-r--r--src/H5Dchunk.c9
2 files changed, 23 insertions, 0 deletions
diff --git a/release_docs/RELEASE.txt b/release_docs/RELEASE.txt
index ab9f569..c76a66a 100644
--- a/release_docs/RELEASE.txt
+++ b/release_docs/RELEASE.txt
@@ -265,6 +265,20 @@ Bug Fixes since HDF5-1.14.0 release
===================================
Library
-------
+ - Fixed CVE-2018-11202
+
+ A malformed file could result in chunk index memory leaks. Under most
+ conditions (i.e., when the --enable-using-memchecker option is NOT
+ used), this would result in a small memory leak and and infinite loop
+ and abort when shutting down the library. The infinite loop would be
+ due to the "free list" package not being able to clear its resources
+ so the library couldn't shut down. When the "using a memory checker"
+ option is used, the free lists are disabled so there is just a memory
+ leak with no abort on library shutdown.
+
+ The chunk index resources are now correctly cleaned up when reading
+ misparsed files and valgrind confirms no memory leaks.
+
- Fixed an issue where an assert statement was converted to an
incorrect error check statement
diff --git a/src/H5Dchunk.c b/src/H5Dchunk.c
index 7eba50c..be8ded4 100644
--- a/src/H5Dchunk.c
+++ b/src/H5Dchunk.c
@@ -880,6 +880,7 @@ H5D__chunk_init(H5F_t *f, const H5D_t *const dset, hid_t dapl_id)
H5D_rdcc_t *rdcc = &(dset->shared->cache.chunk); /* Convenience pointer to dataset's chunk cache */
H5P_genplist_t *dapl; /* Data access property list object pointer */
H5O_storage_chunk_t *sc = &(dset->shared->layout.storage.u.chunk);
+ bool idx_init = false;
herr_t ret_value = SUCCEED; /* Return value */
FUNC_ENTER_PACKAGE
@@ -955,12 +956,20 @@ H5D__chunk_init(H5F_t *f, const H5D_t *const dset, hid_t dapl_id)
/* Allocate any indexing structures */
if (sc->ops->init && (sc->ops->init)(&idx_info, dset->shared->space, dset->oloc.addr) < 0)
HGOTO_ERROR(H5E_DATASET, H5E_CANTINIT, FAIL, "can't initialize indexing information");
+ idx_init = true;
/* Set the number of chunks in dataset, etc. */
if (H5D__chunk_set_info(dset) < 0)
HGOTO_ERROR(H5E_DATASET, H5E_CANTINIT, FAIL, "unable to set # of chunks for dataset");
done:
+ if (FAIL == ret_value) {
+ if (rdcc->slot)
+ rdcc->slot = H5FL_SEQ_FREE(H5D_rdcc_ent_ptr_t, rdcc->slot);
+
+ if (idx_init && sc->ops->dest && (sc->ops->dest)(&idx_info) < 0)
+ HDONE_ERROR(H5E_DATASET, H5E_CANTFREE, FAIL, "unable to release chunk index info");
+ }
FUNC_LEAVE_NOAPI(ret_value)
} /* end H5D__chunk_init() */
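Review bot: `idx_init = true` is set unconditionally after the `if (sc->ops->init && ...)` guard, so it also becomes true for an index class that has no `init` callback, and the new `done:` path will then call `sc->ops->dest` on an index that was never initialized if that class provides `dest`. Whether that is harmless depends on the index implementations, which are not visible here; the flag is safer if it tracks what actually happened: `if (sc->ops->init) { if ((sc->ops->init)(&idx_info, dset->shared->space, dset->oloc.addr) < 0) HGOTO_ERROR(H5E_DATASET, H5E_CANTINIT, FAIL, "can't initialize indexing information"); idx_init = true; }`. The `rdcc->slot` release in the cleanup runs on any failure, including ones before the slot array is allocated earlier in the function, which is outside this hunk; that relies on `slot` starting out NULL, worth confirming or stating in a comment. The `idx_init` declaration in the first hunk deserves a one-line comment so the cleanup contract is visible at the top of the function, e.g. `bool idx_init = false; /* Chunk index was initialized; torn down on failure */`.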