author | Binh-Minh Ribler <bmribler@hdfgroup.org> | 2019-01-15 17:48:31 (GMT) |
---|---|---|
committer | Binh-Minh Ribler <bmribler@hdfgroup.org> | 2019-01-15 17:48:31 (GMT) |
commit | bc3d878add940845a2ec5b8873f2d45a00926ce8 (patch) | |
tree | 2d021b79914677ebe82be9f57e41351f1cf8835a | |
parent | 90d13bef33f9e2e80b23996a0c39f16f7c34ecf8 (diff) | |
Fixed HDFFV-10586 and HDFFV-10588
Description:
HDFFV-10586 CVE-2018-17434 Divide by zero in h5repack_filters
Added a check for zero value
HDFFV-10588 CVE-2018-17437 Memory leak in H5O_dtype_decode_helper
This is actually an Invalid read issue. It was found that the
attribute name length in an attribute message was corrupted,
which caused the buffer pointer to be advanced too far and later
caused an invalid read.
Added a check to detect attribute name and its length mismatch. The
fix is not perfect, but it'll reduce the chance of this issue when a
name length is corrupted or the attribute name is corrupted.
Platforms tested:
Linux/64 (jelly)
Linux/64 (platypus)
Darwin (osx1010test)
-rw-r--r-- | src/H5Oattr.c | 7 | ||||
-rw-r--r-- | tools/src/h5repack/h5repack_filters.c | 3 |
2 files changed, 8 insertions, 2 deletions
diff --git a/src/H5Oattr.c b/src/H5Oattr.c index c93bf32..c420046 100644 --- a/src/H5Oattr.c +++ b/src/H5Oattr.c @@ -176,7 +176,12 @@ H5O_attr_decode(H5F_t *f, H5O_t *open_oh, unsigned H5_ATTR_UNUSED mesg_flags, /* Decode and store the name */ if(NULL == (attr->shared->name = H5MM_strdup((const char *)p))) - HGOTO_ERROR(H5E_RESOURCE, H5E_NOSPACE, NULL, "memory allocation failed") + HGOTO_ERROR(H5E_RESOURCE, H5E_NOSPACE, NULL, "memory allocation failed") + + /* Make an attempt to detect corrupted name or name length - HDFFV-10588 */ + if(name_len != (HDstrlen(attr->shared->name) + 1)) + HGOTO_ERROR(H5E_ATTR, H5E_CANTDECODE, NULL, "attribute name has different length than stored length") + if(attr->shared->version < H5O_ATTR_VERSION_2) p += H5O_ALIGN_OLD(name_len); /* advance the memory pointer */ else diff --git a/tools/src/h5repack/h5repack_filters.c b/tools/src/h5repack/h5repack_filters.c index 0092abc..123263c 100644 --- a/tools/src/h5repack/h5repack_filters.c +++ b/tools/src/h5repack/h5repack_filters.c @@ -338,12 +338,13 @@ int apply_filters(const char* name, /* object name from traverse list */ sm_nbytes = msize; for (i = rank; i > 0; --i) { + if(sm_nbytes == 0) + HGOTO_ERROR(FAIL, H5E_tools_min_id_g, "number of bytes per stripmine must be > 0"); hsize_t size = H5TOOLS_BUFSIZE / sm_nbytes; if (size == 0) /* datum size > H5TOOLS_BUFSIZE */ size = 1; sm_size[i - 1] = MIN(dims[i - 1], size); sm_nbytes *= sm_size[i - 1]; - HDassert(sm_nbytes > 0); } for (i = 0; i < rank; i++) { |
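Review bot: In H5O_attr_decode the new length comparison runs only after `H5MM_strdup((const char *)p)` has already scanned for a terminator, so a name with no NUL inside the message is still read past its end before the mismatch is reported. A bounded scan placed before the duplication would reject that case without the over-read, for example `if(name_len == 0 || NULL == memchr(p, 0, name_len)) HGOTO_ERROR(H5E_ATTR, H5E_CANTDECODE, NULL, "attribute name is not terminated within its stored length")`, using the project's HD-prefixed wrapper if one exists. Because name_len itself is read from the file, it should also be compared with the bytes remaining in the message; whether this decoder has that size is not visible in the hunk. The new error exit is taken after the name has been allocated, and the cleanup code lies outside the hunk, so it is worth confirming that it releases `attr->shared->name`.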
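Review bot: The zero test sits at the top of the loop body in apply_filters, so a zero produced by `sm_nbytes *= sm_size[i - 1]` on the final iteration (when `dims[0]` is 0, `MIN(dims[i - 1], size)` is 0) leaves the loop unchecked now that `HDassert(sm_nbytes > 0)` has been removed. How sm_nbytes is used after the loop is not visible here; if it sizes a buffer or acts as a divisor, the test should be repeated after the multiplication: `if(sm_nbytes == 0) HGOTO_ERROR(FAIL, H5E_tools_min_id_g, "number of bytes per stripmine must be > 0");`. The added statements also come before the declaration `hsize_t size = H5TOOLS_BUFSIZE / sm_nbytes;`, which mixes declarations and code. Declaring `hsize_t size;` first and assigning it after the check would avoid that if the project builds as C89.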