diff options
| author | Dana Robinson <43805+derobins@users.noreply.github.com> | 2021-08-12 12:21:50 (GMT) |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2021-08-12 12:21:50 (GMT) |
| commit | b5c66529e9709839f336d2b6f0d453139a0744b5 (patch) | |
| tree | 9926fba600f73eb479127773fd9a5dfe5e799b1c /src/H5Ofsinfo.c | |
| parent | 7c918e685fea4d58b632389999f092b1f4b33d17 (diff) | |
| download | hdf5-b5c66529e9709839f336d2b6f0d453139a0744b5.zip hdf5-b5c66529e9709839f336d2b6f0d453139a0744b5.tar.gz hdf5-b5c66529e9709839f336d2b6f0d453139a0744b5.tar.bz2 | |
Fixes a bad memory read and unfreed memory in fsinfo code (#893)
* Fixes a bad memory read and unfreed memory in fsinfo code
The segfaul from CVE-2020-10810 was fixed some time ago, but the
illegal memory read and unfreed memory were not.
This fix tracks some buffer sizes and errors out gracefully on errors,
ensuring buffers are cleaned up and avoiding the H5FL infinite loop +
abort on library close.
* Committing clang-format changes
Co-authored-by: github-actions <41898282+github-actions[bot]@users.noreply.github.com>
Diffstat (limited to 'src/H5Ofsinfo.c')
| -rw-r--r-- | src/H5Ofsinfo.c | 15 |
1 files changed, 10 insertions, 5 deletions
diff --git a/src/H5Ofsinfo.c b/src/H5Ofsinfo.c index 44c4985..b60f589 100644 --- a/src/H5Ofsinfo.c +++ b/src/H5Ofsinfo.c @@ -91,11 +91,12 @@ H5FL_DEFINE_STATIC(H5O_fsinfo_t); */ static void * H5O__fsinfo_decode(H5F_t *f, H5O_t H5_ATTR_UNUSED *open_oh, unsigned H5_ATTR_UNUSED mesg_flags, - unsigned H5_ATTR_UNUSED *ioflags, size_t H5_ATTR_UNUSED p_size, const uint8_t *p) + unsigned H5_ATTR_UNUSED *ioflags, size_t p_size, const uint8_t *p) { - H5O_fsinfo_t * fsinfo = NULL; /* File space info message */ - H5F_mem_page_t ptype; /* Memory type for iteration */ - unsigned vers; /* message version */ + H5O_fsinfo_t * fsinfo = NULL; /* File space info message */ + H5F_mem_page_t ptype; /* Memory type for iteration */ + unsigned vers; /* message version */ + const uint8_t *p_end = p + p_size; void * ret_value = NULL; /* Return value */ FUNC_ENTER_STATIC @@ -136,8 +137,12 @@ H5O__fsinfo_decode(H5F_t *f, H5O_t H5_ATTR_UNUSED *open_oh, unsigned H5_ATTR_UNU fsinfo->threshold = threshold; if (HADDR_UNDEF == (fsinfo->eoa_pre_fsm_fsalloc = H5F_get_eoa(f, H5FD_MEM_DEFAULT))) HGOTO_ERROR(H5E_FILE, H5E_CANTGET, NULL, "unable to get file size") - for (type = H5FD_MEM_SUPER; type < H5FD_MEM_NTYPES; type++) + for (type = H5FD_MEM_SUPER; type < H5FD_MEM_NTYPES; type++) { + if (p + H5_SIZEOF_HADDR_T > p_end) + HGOTO_ERROR(H5E_FILE, H5E_CANTDECODE, NULL, + "ran off end of input buffer while decoding") H5F_addr_decode(f, &p, &(fsinfo->fs_addr[type - 1])); + } break; case H5F_FILE_SPACE_ALL: |