H5IMget_image_info(): Make sure to not exceed local array size (#2227)

Malformed hdf5 files may provide more dimensions than the array dim[] in H5IMget_image_info() is able to hold. Check number of elements first by calling H5Sget_simple_extent_dims() with NULL for both 'dims' and 'maxdims' arguments. This will cause the function to return only the number of dimensions. The fix addresse a stack overflow on write. This fixes CVE-2018-17439 / HDFFV-10589 / Bug #2226. Signed-off-by: Egbert Eich <eich@suse.com> Signed-off-by: Egbert Eich <eich@suse.com>
author: Egbert Eich <eich@suse.com> 2022-11-11 05:01:45 (GMT)
committer: GitHub <noreply@github.com> 2022-11-11 05:01:45 (GMT)
commit: 99487d9e45c8245a829f18a060fa472d0422edbb (patch)
tree: b8dee533715c39c87347a1395f9a13933b4be450 /hl
parent: 5985d0e0b14d7df406ac7818f4b52b6fdbcc9b1b (diff)
download: hdf5-99487d9e45c8245a829f18a060fa472d0422edbb.zip
hdf5-99487d9e45c8245a829f18a060fa472d0422edbb.tar.gz
hdf5-99487d9e45c8245a829f18a060fa472d0422edbb.tar.bz2
1 files changed, 2 insertions, 0 deletions
diff --git a/hl/src/H5IM.c b/hl/src/H5IM.c
index a3b04ce..43e5bed 100644
--- a/hl/src/H5IM.c
+++ b/hl/src/H5IM.c
@@ -281,6 +281,8 @@ H5IMget_image_info(hid_t loc_id, const char *dset_name, hsize_t *width, hsize_t
     if ((sid = H5Dget_space(did)) < 0)
         goto out;
 
+    if (H5Sget_simple_extent_dims(sid, NULL, NULL) > IMAGE24_RANK)
+        goto out;
     /* Get dimensions */
     if (H5Sget_simple_extent_dims(sid, dims, NULL) < 0)
         goto out;
author	Egbert Eich <eich@suse.com>	2022-11-11 05:01:45 (GMT)
committer	GitHub <noreply@github.com>	2022-11-11 05:01:45 (GMT)
commit	99487d9e45c8245a829f18a060fa472d0422edbb (patch)
tree	b8dee533715c39c87347a1395f9a13933b4be450 /hl
parent	5985d0e0b14d7df406ac7818f4b52b6fdbcc9b1b (diff)
download	hdf5-99487d9e45c8245a829f18a060fa472d0422edbb.zip hdf5-99487d9e45c8245a829f18a060fa472d0422edbb.tar.gz hdf5-99487d9e45c8245a829f18a060fa472d0422edbb.tar.bz2