authorKobrin Eli <kobrineli@ispras.ru>2023-04-13 21:37:10 (GMT)
committerGitHub <noreply@github.com>2023-04-13 21:37:10 (GMT)
commit10d4a6d0941240702b5e8d77d57184a88bb69e6c (patch)
treea166f5fa73f5d993b4a87c492f745774f912de34 /src/H5Gent.c
parent65eff22348634144cd5a6e77159c27eb895d54b4 (diff)
Fix out of bounds in `hdf5/src/H5Fint.c:2859` (#2691)
Diffstat (limited to 'src/H5Gent.c')
-rw-r--r--src/H5Gent.c19
1 files changed, 17 insertions, 2 deletions
diff --git a/src/H5Gent.c b/src/H5Gent.c
index f58ef5c..096e13e 100644
--- a/src/H5Gent.c
+++ b/src/H5Gent.c
@@ -93,7 +93,7 @@ H5G__ent_decode_vec(const H5F_t *f, const uint8_t **pp, const uint8_t *p_end, H5
for (u = 0; u < n; u++) {
if (*pp > p_end)
HGOTO_ERROR(H5E_SYM, H5E_CANTDECODE, FAIL, "ran off the end of the image buffer")
- if (H5G_ent_decode(f, pp, ent + u) < 0)
+ if (H5G_ent_decode(f, pp, ent + u, p_end) < 0)
HGOTO_ERROR(H5E_SYM, H5E_CANTDECODE, FAIL, "can't decode")
}
@@ -117,7 +117,7 @@ done:
*-------------------------------------------------------------------------
*/
herr_t
-H5G_ent_decode(const H5F_t *f, const uint8_t **pp, H5G_entry_t *ent)
+H5G_ent_decode(const H5F_t *f, const uint8_t **pp, H5G_entry_t *ent, const uint8_t *p_end)
{
const uint8_t *p_ret = *pp;
uint32_t tmp;
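Review bot: The new `p_end` parameter is not described in the function header comment that closes just above the signature, and nothing here states whether it points at the last valid byte of the image or one past it. The caller's existing `if (*pp > p_end)` test in H5G__ent_decode_vec suggests the inclusive convention, but that is inferred, and every size passed to H5_IS_BUFFER_OVERFLOW in the later hunks depends on it. I would add a line to the header comment such as `p_end: pointer to the last valid byte of the image buffer; decoding fails instead of reading past it`, and an `HDassert(p_end);` next to the existing argument asserts. The function body continues outside this hunk.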
@@ -130,11 +130,22 @@ H5G_ent_decode(const H5F_t *f, const uint8_t **pp, H5G_entry_t *ent)
HDassert(pp);
HDassert(ent);
+ if (H5_IS_BUFFER_OVERFLOW(*pp, ent->name_off, p_end))
+ HGOTO_ERROR(H5E_FILE, H5E_OVERFLOW, FAIL, "image pointer is out of bounds")
+
/* decode header */
H5F_DECODE_LENGTH(f, *pp, ent->name_off);
+
+ if (H5_IS_BUFFER_OVERFLOW(*pp, H5F_SIZEOF_ADDR(f) + sizeof(uint32_t), p_end))
+ HGOTO_ERROR(H5E_FILE, H5E_OVERFLOW, FAIL, "image pointer is out of bounds")
+
H5F_addr_decode(f, pp, &(ent->header));
UINT32DECODE(*pp, tmp);
*pp += 4; /*reserved*/
+
+ if (H5_IS_BUFFER_OVERFLOW(*pp, 1, p_end))
+ HGOTO_ERROR(H5E_FILE, H5E_OVERFLOW, FAIL, "image pointer is out of bounds")
+
ent->type = (H5G_cache_type_t)tmp;
/* decode scratch-pad */
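Review bot: The first added check passes `ent->name_off` as the size, but that field is only filled in by `H5F_DECODE_LENGTH` on the line after it, so the bound is computed from whatever the caller left in the entry and not from the number of bytes about to be read. The size should be the width of the encoded length, `if (H5_IS_BUFFER_OVERFLOW(*pp, H5F_SIZEOF_SIZE(f), p_end))`, assuming H5F_DECODE_LENGTH consumes H5F_SIZEOF_SIZE(f) bytes as it does elsewhere in the library. The second check also stops 4 bytes short: it covers the address and the `UINT32DECODE`, but not the reserved word skipped by `*pp += 4`, so `H5F_SIZEOF_ADDR(f) + 2 * sizeof(uint32_t)` would keep the pointer from being advanced past the buffer before the next test. H5G_ent_decode starts and ends outside this hunk.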
@@ -144,11 +155,15 @@ H5G_ent_decode(const H5F_t *f, const uint8_t **pp, H5G_entry_t *ent)
case H5G_CACHED_STAB:
HDassert(2 * H5F_SIZEOF_ADDR(f) <= H5G_SIZEOF_SCRATCH);
+ if (H5_IS_BUFFER_OVERFLOW(*pp, H5F_SIZEOF_ADDR(f) * 2, p_end))
+ HGOTO_ERROR(H5E_FILE, H5E_OVERFLOW, FAIL, "image pointer is out of bounds")
H5F_addr_decode(f, pp, &(ent->cache.stab.btree_addr));
H5F_addr_decode(f, pp, &(ent->cache.stab.heap_addr));
break;
case H5G_CACHED_SLINK:
+ if (H5_IS_BUFFER_OVERFLOW(*pp, sizeof(uint32_t), p_end))
+ HGOTO_ERROR(H5E_FILE, H5E_OVERFLOW, FAIL, "image pointer is out of bounds")
UINT32DECODE(*pp, ent->cache.slink.lval_offset);
break;