diff options
| author | mattjala <124107509+mattjala@users.noreply.github.com> | 2023-05-16 17:54:55 (GMT) |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2023-05-16 17:54:55 (GMT) |
| commit | 196078958c0c48f63aa8202e9447f3c75c98c26a (patch) | |
| tree | a89a00c90eed0ac070afcd4db99586b50c98c545 /src/H5Olayout.c | |
| parent | f49a728a08ddc6f9915fd846aed1bc5f28978e64 (diff) | |
| download | hdf5-196078958c0c48f63aa8202e9447f3c75c98c26a.zip hdf5-196078958c0c48f63aa8202e9447f3c75c98c26a.tar.gz hdf5-196078958c0c48f63aa8202e9447f3c75c98c26a.tar.bz2 | |
Prevent buffer overrun in H5S_select_deserialize (#2953)
Diffstat (limited to 'src/H5Olayout.c')
| -rw-r--r-- | src/H5Olayout.c | 20 |
1 files changed, 17 insertions, 3 deletions
diff --git a/src/H5Olayout.c b/src/H5Olayout.c index f784f24..645ad73 100644 --- a/src/H5Olayout.c +++ b/src/H5Olayout.c @@ -634,13 +634,27 @@ H5O__layout_decode(H5F_t *f, H5O_t H5_ATTR_UNUSED *open_oh, unsigned H5_ATTR_UNU heap_block_p += tmp_size; /* Source selection */ - if (H5S_SELECT_DESERIALIZE(&mesg->storage.u.virt.list[i].source_select, - &heap_block_p) < 0) + avail_buffer_space = heap_block_p_end - heap_block_p + 1; + + if (avail_buffer_space <= 0) + HGOTO_ERROR(H5E_DATASPACE, H5E_OVERFLOW, NULL, + "buffer overflow while decoding layout") + + if (H5S_SELECT_DESERIALIZE(&mesg->storage.u.virt.list[i].source_select, &heap_block_p, + (size_t)(avail_buffer_space)) < 0) HGOTO_ERROR(H5E_OHDR, H5E_CANTDECODE, NULL, "can't decode source space selection") /* Virtual selection */ + + /* Buffer space must be updated after previous deserialization */ + avail_buffer_space = heap_block_p_end - heap_block_p + 1; + + if (avail_buffer_space <= 0) + HGOTO_ERROR(H5E_DATASPACE, H5E_OVERFLOW, NULL, + "buffer overflow while decoding layout") + if (H5S_SELECT_DESERIALIZE(&mesg->storage.u.virt.list[i].source_dset.virtual_select, - &heap_block_p) < 0) + &heap_block_p, (size_t)(avail_buffer_space)) < 0) HGOTO_ERROR(H5E_OHDR, H5E_CANTDECODE, NULL, "can't decode virtual space selection") |