author: vchoi-hdfgroup <55293060+vchoi-hdfgroup@users.noreply.github.com> 2023-05-11 19:03:09 (GMT)
committer: GitHub <noreply@github.com> 2023-05-11 19:03:09 (GMT)
commit: 2a3d2ef785541135e4f10e4c4a89feb001baf832 (patch)
tree: 218e9767650fcb4b976eed81fc54ddff6b3ea59c /release_docs
parent: 811f5b5c9d8907658a6c883e9fa3bd20831b4054 (diff)
New 1 10 hdffv 11052 (#2932)
Fix for HDFFV-11052: h5debug fails on a corrupted file (h5_nrefs_POC) producing a core dump.

When h5debug closes the corrupted file, the library calls H5F__dest() which performs all the closing operations for the file "f" (H5F_t *) but just keeping note of errors in "ret_value" all the way till the end of the routine. The user-provided corrupted file has an illegal file size causing failure when reading the image during the closing process. At the end of this routine it sets f->shared to NULL and then frees "f". This is done whether there is error or not in "ret_value". Due to the failure in reading the file earlier, the routine then returns error. The error return from H5F__dest() causes the file object "f" not being removed from the ID node table. When the library finally exits, it will try to close the file objects in the table. This causes assertion failure for f->file_id > 0.

Fix:
a) H5F_dest(): free the f only when there is no error in "ret_value" at the end of the routine.
b) H5F__close_cb(): if f->shared is NULL, free "f"; otherwise, perform closing on "f" as before.
c) h5debug.c main(): track error return from H5Fclose().
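The failure mode in the commit message, reduced to a small model. This is an added example, not HDF5 source: file_t, id_table, live and every function name are hypothetical stand-ins, and the failing image read is a constructed flag. It counts table entries that would point at freed memory at library exit, before and after fixes (a) and (b).

```c
#include <stdbool.h>
#include <stdlib.h>
/* Simplified model of the close path; every name here is hypothetical, not HDF5's. */
typedef struct { void *shared; } file_t;   /* stands in for H5F_t */
enum { SLOTS = 2 };
static file_t *id_table[SLOTS];            /* stands in for the ID node table */
static bool    live[SLOTS];                /* shadow state: is the struct still allocated? */

static void file_open(int id) {
    id_table[id] = malloc(sizeof(file_t));
    if (id_table[id] == NULL) abort();
    id_table[id]->shared = malloc(16);
    live[id] = true;
}

/* Teardown records an error and keeps going; free_on_error = true is pre-fix, false is fix (a). */
static int file_dest(int id, bool read_fails, bool free_on_error) {
    file_t *f = id_table[id];
    int ret = read_fails ? -1 : 0;         /* constructed failure: the image read */
    free(f->shared); f->shared = NULL;
    if (ret == 0 || free_on_error) { free(f); live[id] = false; }
    return ret;
}

/* The table entry is dropped only when teardown reports success. */
static int file_close(int id, bool read_fails, bool free_on_error) {
    int ret = file_dest(id, read_fails, free_on_error);
    if (ret == 0) id_table[id] = NULL;
    return ret;
}

/* Library exit: visit leftover entries and count those that point at freed memory. */
static int library_exit(void) {
    int dangling = 0;
    for (int id = 0; id < SLOTS; id++) {
        if (id_table[id] == NULL) continue;
        if (!live[id]) dangling++;         /* real code would dereference freed memory here */
        else { free(id_table[id]->shared); free(id_table[id]); live[id] = false; } /* fix (b) */
        id_table[id] = NULL;
    }
    return dangling;
}

/* Open one file, close it with a failing image read, then shut the library down. */
static int run_scenario(bool free_on_error) {
    file_open(0);
    return file_close(0, true, free_on_error) == -1 ? library_exit() : -1;
}

int main(void) { return (run_scenario(true) == 1 && run_scenario(false) == 0) ? 0 : 1; }
```

The shadow `live` array exists only so the model can report the stale entry without actually touching freed memory.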
Diffstat (limited to 'release_docs')
-rw-r--r-- release_docs/RELEASE.txt 19
1 files changed, 19 insertions, 0 deletions
diff --git a/release_docs/RELEASE.txt b/release_docs/RELEASE.txt
index e2b87fc..7a21f8b 100644
--- a/release_docs/RELEASE.txt
+++ b/release_docs/RELEASE.txt
@@ -117,6 +117,25 @@ Bug Fixes since HDF5-1.10.10 release
===================================
Library
-------
+ - Seg fault on file close
+
+ h5debug fails at file close with core dump on a file that has an
+ illegal file size in its cache image. In H5F__dest(), the library
+ performs all the closing operations for the file and keeps track of
+ the error encountered when reading the file cache image.
+ At the end of the routine, it frees the file's file structure and
+ returns error. Due to the error return, the file object is not removed
+ from the ID node table. This eventually causes assertion failure in
+ H5F__close_cb() when the library finally exits and tries to
+ access that file object in the table for closing.
+
+ The closing routine, H5F__dest(), will not free the file structure if
+ there is error, keeping a valid file structure in the ID node table.
+ It will be freed later in H5F__close_cb() when the library exits and
+ terminates the file package.
+
+ Fix for HDFFV-11052, CVE-2020-10812
+
- Fixed memory leaks that could occur when reading a dataset from a
malformed file
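Review bot: The entry title "Seg fault on file close" does not match the body of the added note, which describes an assertion failure in H5F__close_cb() at library exit; the title should name that symptom so users searching the release notes for the assertion find it. The second paragraph also reads as a description of existing behaviour rather than of the change: "will not free the file structure if there is error" would be clearer as "now frees the file structure only when no error occurred", followed by a sentence that H5F__close_cb() frees it when the library exits. Since the structure stays in the ID node table until the library terminates, it is worth stating that the memory is held until then. The commit message also lists a change to h5debug.c main() to track the return of H5Fclose(), which the note does not mention.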