author | Larry Knox <lrknox@hdfgroup.org> | 2021-09-15 19:17:00 (GMT) |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-09-15 19:17:00 (GMT) |
commit | ff6ad09d309f5053a54069ecaaca96fc69b65b49 (patch) | |
tree | 4e3cd870b2d550e10cd3ead05af8978cebde6a51 /release_docs | |
parent | 26dc46b13a150ab58431ccd9924f7b378a62a534 (diff) | |
download | hdf5-ff6ad09d309f5053a54069ecaaca96fc69b65b49.zip hdf5-ff6ad09d309f5053a54069ecaaca96fc69b65b49.tar.gz hdf5-ff6ad09d309f5053a54069ecaaca96fc69b65b49.tar.bz2 |
Fixes a bad memory read and unfreed memory in fsinfo code (#893) (#1012)
* Fixes a bad memory read and unfreed memory in fsinfo code
The segfault from CVE-2020-10810 was fixed some time ago, but the
illegal memory read and unfreed memory were not.
This fix tracks some buffer sizes and errors out gracefully on errors,
ensuring buffers are cleaned up and avoiding the H5FL infinite loop +
abort on library close.
* Committing clang-format changes
Co-authored-by: github-actions <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dana Robinson <43805+derobins@users.noreply.github.com>
Co-authored-by: github-actions <41898282+github-actions[bot]@users.noreply.github.com>
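The commit message above describes the fix only in outline: decoding tracks how many bytes remain in the buffer, refuses to read past the end, and frees anything it allocated before returning an error. The following C program is an added illustration of that pattern and is not HDF5's code; the record layout, the `fsinfo_t` struct, the `cursor_t` helper and the sample bytes are all constructed for this example and do not reproduce HDF5's real file space info message format. Every field read goes through a cursor that knows its remaining length, and the single error path releases the partial allocation so a truncated input produces neither an out-of-bounds read nor a leak.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative record layout, constructed for this example (NOT HDF5's real
 * file space info message):
 *   byte 0      version
 *   byte 1      flags
 *   bytes 2..9  64-bit little-endian "total size"
 *   byte 10     n_entries
 *   then        n_entries x 8-byte little-endian entries                     */
typedef struct {
    uint8_t   version;
    uint8_t   flags;
    uint64_t  total_size;
    uint8_t   n_entries;
    uint64_t *entries;   /* heap-allocated, n_entries long; NULL after failure */
} fsinfo_t;

/* A read cursor that carries the number of bytes still available. */
typedef struct {
    const uint8_t *p;
    size_t         remaining;
} cursor_t;

static int cursor_u8(cursor_t *c, uint8_t *out)
{
    if (c->remaining < 1)
        return -1;               /* would read past the end of the buffer */
    *out = *c->p;
    c->p += 1;
    c->remaining -= 1;
    return 0;
}

static int cursor_u64le(cursor_t *c, uint64_t *out)
{
    uint64_t v = 0;
    if (c->remaining < 8)
        return -1;
    for (int i = 7; i >= 0; i--)
        v = (v << 8) | c->p[i];
    *out = v;
    c->p += 8;
    c->remaining -= 8;
    return 0;
}

void fsinfo_free(fsinfo_t *f)
{
    free(f->entries);
    f->entries = NULL;
    f->n_entries = 0;
}

/* Returns 0 on success, -1 on truncated input. On failure nothing allocated
 * by this function is leaked and out->entries is NULL. */
int fsinfo_decode(const uint8_t *buf, size_t len, fsinfo_t *out)
{
    cursor_t c = { buf, len };
    memset(out, 0, sizeof(*out));

    if (cursor_u8(&c, &out->version) < 0) goto error;
    if (cursor_u8(&c, &out->flags) < 0) goto error;
    if (cursor_u64le(&c, &out->total_size) < 0) goto error;
    if (cursor_u8(&c, &out->n_entries) < 0) goto error;

    /* Validate the whole variable-length tail before allocating for it. */
    if (c.remaining < (size_t)out->n_entries * 8) goto error;
    out->entries = calloc(out->n_entries ? out->n_entries : 1, sizeof(uint64_t));
    if (!out->entries) goto error;
    for (unsigned i = 0; i < out->n_entries; i++)
        if (cursor_u64le(&c, &out->entries[i]) < 0) goto error;
    return 0;

error:
    fsinfo_free(out);   /* single cleanup path: no partial allocation survives */
    return -1;
}

/* Constructed sample: version 0, flags 1, total_size 0x1234, two entries. */
static const uint8_t sample_msg[] = {
    0x00, 0x01,
    0x34, 0x12, 0, 0, 0, 0, 0, 0,
    0x02,
    0x0A, 0, 0, 0, 0, 0, 0, 0,
    0x0B, 0, 0, 0, 0, 0, 0, 0,
};
const size_t sample_msg_len = sizeof sample_msg;

int main(void)
{
    fsinfo_t f;
    int rc = fsinfo_decode(sample_msg, sample_msg_len, &f);
    printf("full message:      rc=%d n_entries=%u\n", rc, f.n_entries);
    fsinfo_free(&f);
    /* Same bytes cut short: the decoder reports truncation instead of reading past the end. */
    rc = fsinfo_decode(sample_msg, sample_msg_len - 5, &f);
    printf("truncated message: rc=%d entries=%p\n", rc, (void *)f.entries);
    return 0;
}
```

The check on the variable-length tail happens before `calloc`, so a length byte that promises more entries than the buffer holds is rejected without any allocation; the later per-entry checks are then redundant for well-formed input but keep the cursor honest if the layout ever changes.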
Diffstat (limited to 'release_docs')
-rw-r--r-- | release_docs/RELEASE.txt | 16 |
1 files changed, 16 insertions, 0 deletions
diff --git a/release_docs/RELEASE.txt b/release_docs/RELEASE.txt index 503caa7..994c345 100644 --- a/release_docs/RELEASE.txt +++ b/release_docs/RELEASE.txt @@ -205,6 +205,22 @@ Bug Fixes since HDF5-1.12.1 release (JWSB - 2021/09/13) + - Fixed an invalid read and memory leak when parsing corrupt file space + info messages + + When the corrupt file from CVE-2020-10810 was parsed by the library, + the code that imports the version 0 file space info object header + message to the version 1 struct could read past the buffer read from + the disk, causing an invalid memory read. Not catching this error would + cause downstream errors that eventually resulted in a previously + allocated buffer to be unfreed when the library shut down. In builds + where the free lists are in use, this could result in an infinite loop + and SIGABRT when the library shuts down. + + We now track the buffer size and raise an error on attempts to read + past the end of it. + + (DER - 2021/08/12, HDFFV-11053) Java Library ------------ |
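Review bot: the closing paragraph of the new entry ("We now track the buffer size and raise an error on attempts to read past the end of it") documents the bounds check but not the cleanup half of the fix, even though the entry's title promises both an invalid-read and a memory-leak fix and the commit message says buffers are now cleaned up on the error path. Suggest extending that sentence so the leak fix is explicit, e.g. "We now track the buffer size, raise an error on attempts to read past the end of it, and free the partially decoded message on that error path, so the buffer is no longer leaked at library shutdown."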