diff options
author | Quincey Koziol <koziol@hdfgroup.org> | 2007-03-16 09:59:31 (GMT) |
---|---|---|
committer | Quincey Koziol <koziol@hdfgroup.org> | 2007-03-16 09:59:31 (GMT) |
commit | 05af9a85f8315fefc743c9210113d71e04715389 (patch) | |
tree | dcfd87efd85070b5d5c7b92a480ac0825707d470 /src/H5Ocache.c | |
parent | 24fb6ed7c69e5a3f372c6b65eae8fa4ccba8db13 (diff) | |
download | hdf5-05af9a85f8315fefc743c9210113d71e04715389.zip hdf5-05af9a85f8315fefc743c9210113d71e04715389.tar.gz hdf5-05af9a85f8315fefc743c9210113d71e04715389.tar.bz2 |
[svn-r13518] Description:
Add some sanity checking to improve the resilience of the object header
decoding in the face of a bad reference, or a corrupted file.
Tested on:
Mac OS X/32 10.4.9 (amazon)
Diffstat (limited to 'src/H5Ocache.c')
-rw-r--r-- | src/H5Ocache.c | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/src/H5Ocache.c b/src/H5Ocache.c index 5259a8e..b2e86c9 100644 --- a/src/H5Ocache.c +++ b/src/H5Ocache.c @@ -301,6 +301,8 @@ H5O_load(H5F_t *f, hid_t dxpl_id, haddr_t addr, const void UNUSED * _udata1, if(oh->flags & H5O_HDR_ATTR_STORE_PHASE_CHANGE) { UINT16DECODE(p, oh->max_compact); UINT16DECODE(p, oh->min_dense); + if(oh->max_compact < oh->min_dense) + HGOTO_ERROR(H5E_OHDR, H5E_VERSION, NULL, "bad object header attribute phase change values") } /* end if */ else { oh->max_compact = H5O_CRT_ATTR_MAX_COMPACT_DEF; @@ -328,6 +330,8 @@ H5O_load(H5F_t *f, hid_t dxpl_id, haddr_t addr, const void UNUSED * _udata1, default: HGOTO_ERROR(H5E_OHDR, H5E_BADVALUE, NULL, "bad size for chunk 0") } /* end switch */ + if(chunk_size > 0 && chunk_size < H5O_SIZEOF_MSGHDR_OH(oh)) + HGOTO_ERROR(H5E_OHDR, H5E_VERSION, NULL, "bad object header chunk size") } /* end if */ else { /* Version */ @@ -356,6 +360,9 @@ H5O_load(H5F_t *f, hid_t dxpl_id, haddr_t addr, const void UNUSED * _udata1, /* First chunk size */ UINT32DECODE(p, chunk_size); + if((nmesgs > 0 && chunk_size < H5O_SIZEOF_MSGHDR_OH(oh)) || + (nmesgs == 0 && chunk_size > 0)) + HGOTO_ERROR(H5E_OHDR, H5E_VERSION, NULL, "bad object header chunk size") /* Reserved, in version 1 */ p += 4; @@ -369,7 +376,7 @@ H5O_load(H5F_t *f, hid_t dxpl_id, haddr_t addr, const void UNUSED * _udata1, chunk_addr = addr + (hsize_t)prefix_size; /* Allocate the message array */ - oh->alloc_nmesgs = nmesgs; + oh->alloc_nmesgs = (nmesgs > 0) ? nmesgs : 1; if(NULL == (oh->mesg = H5FL_SEQ_MALLOC(H5O_mesg_t, oh->alloc_nmesgs))) HGOTO_ERROR(H5E_RESOURCE, H5E_NOSPACE, NULL, "memory allocation failed") |