author: Larry Knox <lrknox@hdfgroup.org> 2023-03-18 01:25:04 (GMT)
committer: GitHub <noreply@github.com> 2023-03-18 01:25:04 (GMT)
commit: a01f570f97287295e960633feab4c3908ea318d7
tree: 2e650c7046b014cd1b83942d8e902565fefc5895 /release_docs/RELEASE.txt
parent: aee6290441102864d7c9a74b2b1521a58a8c7649
Minor merges to 1.10 (#2579)
* Elaborate how cd_values get stored (#2522)
* Enclose MESG in do...while loop (#2576)
  Enclose MSG macro in a do...while loop
* Add a clang-format comment about permissions (#2577)
* Check for overflow when calculating on-disk attribute data size (#2459)
* Remove duplicate code
  Signed-off-by: Egbert Eich <eich@suse.com>
* Add test case for CVE-2021-37501
  Bogus sizes in this test case cause the on-disk data size calculation in H5O__attr_decode() to overflow so that the calculated size becomes 0. This causes the read to overflow and h5dump to segfault. This test case was crafted, the test file was not directly generated by HDF5.
  Test case from: https://github.com/ST4RF4LL/Something_Found/blob/main/HDF5_v1.13.0_h5dump_heap_overflow.md
---------
Co-authored-by: Mark (he/his) C. Miller <miller86@llnl.gov>
Co-authored-by: glennsong09 <43005495+glennsong09@users.noreply.github.com>
Co-authored-by: Dana Robinson <43805+derobins@users.noreply.github.com>
Co-authored-by: Egbert Eich <eich@suse.com>
Diffstat (limited to 'release_docs/RELEASE.txt')
-rw-r--r-- release_docs/RELEASE.txt 13
1 files changed, 13 insertions, 0 deletions
diff --git a/release_docs/RELEASE.txt b/release_docs/RELEASE.txt
index e0ecfac..f08a7a3 100644
--- a/release_docs/RELEASE.txt
+++ b/release_docs/RELEASE.txt
@@ -198,6 +198,19 @@ Bug Fixes since HDF5-1.10.9 release
===================================
Library
-------
+ - Fix CVE-2021-37501 / GHSA-rfgw-5vq3-wrjf
+
+ Check for overflow when calculating on-disk attribute data size.
+
+ A bogus hdf5 file may contain dataspace messages with sizes
+ which lead to the on-disk data sizes to exceed what is addressable.
+ When calculating the size, make sure, the multiplication does not
+ overflow.
+ The test case was crafted in a way that the overflow caused the
+ size to be 0.
+
+ (EFE - 2023/02/11 GH-2458)
+
- Fixed an issue with variable length attributes
Previously, if a variable length attribute was held open while its file
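Review bot: The added entry for CVE-2021-37501 / GHSA-rfgw-5vq3-wrjf does not say where the overflow occurs or what a user would observe, so a reader cannot judge exposure from the release notes alone. The commit message names H5O__attr_decode() and states that the size wraps to 0, the read overflows and h5dump segfaults; consider carrying the function name and that consequence into the entry. The added paragraph also needs a wording pass: "which lead to the on-disk data sizes to exceed what is addressable" reads better as "that cause the on-disk data size to exceed what is addressable", "make sure, the multiplication" has a stray comma, and "hdf5 file" should be "HDF5 file" to match the section heading.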