author | Binh-Minh Ribler <bmribler@hdfgroup.org> | 2018-07-17 01:28:27 (GMT) |
---|---|---|
committer | Binh-Minh Ribler <bmribler@hdfgroup.org> | 2018-07-17 01:28:27 (GMT) |
commit | 073e0b1f0312ac93927e511e2c48d89728e91987 (patch) | |
tree | 735b8c9e1798a7163c300751829229c8e64799aa /src/H5Ofill.c | |
parent | 55666ace551369b3d72430c090ab9f1571e1be75 (diff) | |
Fixed HDFFV-10476, HDFFV-10478, HDFFV-10480
Description:
Fixed potential out-of-bounds read and NULL pointer dereferences.
Platforms tested:
Linux/64 (jelly)
Linux/32 (jam)
Darwin (osx1010test)
Diffstat (limited to 'src/H5Ofill.c')
-rw-r--r-- | src/H5Ofill.c | 8 |
1 files changed, 6 insertions, 2 deletions
diff --git a/src/H5Ofill.c b/src/H5Ofill.c
index da9829b..8a6004d 100644
--- a/src/H5Ofill.c
+++ b/src/H5Ofill.c
@@ -194,7 +194,7 @@ H5FL_BLK_EXTERN(type_conv);
 static void *
 H5O_fill_new_decode(H5F_t H5_ATTR_UNUSED *f, H5O_t H5_ATTR_UNUSED *open_oh,
 unsigned H5_ATTR_UNUSED mesg_flags, unsigned H5_ATTR_UNUSED *ioflags,
- size_t H5_ATTR_UNUSED p_size, const uint8_t *p)
+ size_t p_size, const uint8_t *p)
 {
 H5O_fill_t *fill = NULL;
 void *ret_value = NULL; /* Return value */
@@ -228,6 +228,8 @@ H5O_fill_new_decode(H5F_t H5_ATTR_UNUSED *f, H5O_t H5_ATTR_UNUSED *open_oh,
 INT32DECODE(p, fill->size);
 if(fill->size > 0) {
 H5_CHECK_OVERFLOW(fill->size, ssize_t, size_t);
+ if((size_t)fill->size > p_size)
+ HGOTO_ERROR(H5E_RESOURCE, H5E_NOSPACE, NULL, "destination buffer too small")
 if(NULL == (fill->buf = H5MM_malloc((size_t)fill->size)))
 HGOTO_ERROR(H5E_RESOURCE, H5E_NOSPACE, NULL, "memory allocation failed for fill value")
 HDmemcpy(fill->buf, p, (size_t)fill->size);
@@ -309,7 +311,7 @@ done:
 static void *
 H5O_fill_old_decode(H5F_t *f, H5O_t *open_oh,
 unsigned H5_ATTR_UNUSED mesg_flags, unsigned H5_ATTR_UNUSED *ioflags,
- size_t H5_ATTR_UNUSED p_size, const uint8_t *p)
+ size_t p_size, const uint8_t *p)
 {
 H5O_fill_t *fill = NULL; /* Decoded fill value message */
 htri_t exists = FALSE;
@@ -335,6 +337,8 @@ H5O_fill_old_decode(H5F_t *f, H5O_t *open_oh,
 /* Only decode the fill value itself if there is one */
 if(fill->size > 0) {
 H5_CHECK_OVERFLOW(fill->size, ssize_t, size_t);
+ if((size_t)fill->size > p_size)
+ HGOTO_ERROR(H5E_RESOURCE, H5E_NOSPACE, NULL, "destination buffer too small")
 /* Get the datatype message */
 if((exists = H5O_msg_exists_oh(open_oh, H5O_DTYPE_ID)) < 0) |
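Review bot: The guard added in H5O_fill_new_decode compares `fill->size` with `p_size`, but `p` has already been advanced by `INT32DECODE` (and presumably by the fields decoded above the hunk), so fewer than `p_size` bytes remain and `HDmemcpy(fill->buf, p, (size_t)fill->size)` can still read past the end of the message when the size falls in that gap. Assuming `p_size` is the length of the buffer as passed in, record the end once at function entry, `const uint8_t *p_end = p + p_size;`, and test what is left: `if((size_t)fill->size > (size_t)(p_end - p))`. The 4-byte size read itself is also unchecked against the remaining length. The identical guard added to H5O_fill_old_decode in the last hunk has the same gap, although the decode of `fill->size` there sits above the visible lines. Both function bodies start and end outside their hunks.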
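Review bot: The error raised by the new guard in H5O_fill_old_decode names the wrong buffer and reuses the allocation-failure class: `H5E_RESOURCE, H5E_NOSPACE` is the pair used for the `H5MM_malloc` failure in the second hunk, and "destination buffer too small" describes a destination when what is too short is the encoded message being read. Someone triaging the error stack cannot tell a malformed or truncated file from memory exhaustion. Consider `HGOTO_ERROR(H5E_OHDR, H5E_OVERFLOW, NULL, "fill value size exceeds message buffer")` here and on the matching line in H5O_fill_new_decode.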