diff options
| author | Dana Robinson <43805+derobins@users.noreply.github.com> | 2023-04-14 22:17:24 (GMT) |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2023-04-14 22:17:24 (GMT) |
| commit | f9c16de8a7f50afd6f5ef14df68074552388dae6 (patch) | |
| tree | 6a1277c0ddfcda8f2ac09c26cc5889fda4fd8b25 /src/H5Ocache.c | |
| parent | 88257af73ddb814665f077d840c19dd928c5f440 (diff) | |
| download | hdf5-f9c16de8a7f50afd6f5ef14df68074552388dae6.zip hdf5-f9c16de8a7f50afd6f5ef14df68074552388dae6.tar.gz hdf5-f9c16de8a7f50afd6f5ef14df68074552388dae6.tar.bz2 | |
Fix memory leaks when processing OH cont messages (#2723)
Malformed object header continuation messages can result in a too-small
buffer being passed to the decode function, which could lead to reading
past the end of the buffer. Additionally, errors in processing these
malformed messages can lead to allocated memory not being cleaned up.
This fix adds bounds checking and cleanup code to the object header
continuation message processing.
Fixes #2604
Diffstat (limited to 'src/H5Ocache.c')
| -rw-r--r-- | src/H5Ocache.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/src/H5Ocache.c b/src/H5Ocache.c index 0851493..42d8f35 100644 --- a/src/H5Ocache.c +++ b/src/H5Ocache.c @@ -1510,8 +1510,9 @@ H5O__chunk_deserialize(H5O_t *oh, haddr_t addr, size_t chunk_size, const uint8_t H5O_cont_t *cont; /* Decode continuation message */ - cont = (H5O_cont_t *)(H5O_MSG_CONT->decode)(udata->f, NULL, 0, &ioflags, mesg->raw_size, - mesg->raw); + if (NULL == (cont = (H5O_cont_t *)(H5O_MSG_CONT->decode)(udata->f, NULL, 0, &ioflags, + mesg->raw_size, mesg->raw))) + HGOTO_ERROR(H5E_OHDR, H5E_BADMESG, FAIL, "bad continuation message found") H5_CHECKED_ASSIGN(cont->chunkno, unsigned, udata->cont_msg_info->nmsgs + 1, size_t); /* the next continuation message/chunk */ |