summaryrefslogtreecommitdiffstats
path: root/src/H5Olayout.c
diff options
context:
space:
mode:
authorbmribler <39579120+bmribler@users.noreply.github.com>2020-12-03 16:07:16 (GMT)
committerGitHub <noreply@github.com>2020-12-03 16:07:16 (GMT)
commit87ed76d8992aa6939cbe99910058dbad0efed0d6 (patch)
treed49081fcc017f28aa9d8778a75767a6dcdee4155 /src/H5Olayout.c
parent753f98c0c93945d4154c7ae0eaec6e970c87fa46 (diff)
downloadhdf5-87ed76d8992aa6939cbe99910058dbad0efed0d6.zip
hdf5-87ed76d8992aa6939cbe99910058dbad0efed0d6.tar.gz
hdf5-87ed76d8992aa6939cbe99910058dbad0efed0d6.tar.bz2
Fixed HDFFV-10480 and HDFFV-11159 (#145)
* Fixed HDFFV-10480 and HDFFV-11159 Description Checked against buffer size to prevent segfault, in case of data corruption. + HDFFV-11159 CVE-2018-14033 Buffer over-read in H5O_layout_decode + HDFFV-10480 CVE-2018-11206 Buffer over-read in H5O_fill_new[/old]_decode and A user's patch was applied to this previously, but it is redone for a more correct fix, that is the check now accounted for the previous advance of the buffer pointer. Platforms tested: Linux/64 (jelly) * Fixed typo
Diffstat (limited to 'src/H5Olayout.c')
-rw-r--r--src/H5Olayout.c11
1 files changed, 10 insertions, 1 deletions
diff --git a/src/H5Olayout.c b/src/H5Olayout.c
index 4466940..b9b8cc6 100644
--- a/src/H5Olayout.c
+++ b/src/H5Olayout.c
@@ -90,10 +90,11 @@ H5FL_DEFINE(H5O_layout_t);
static void *
H5O_layout_decode(H5F_t *f, hid_t H5_ATTR_UNUSED dxpl_id, H5O_t H5_ATTR_UNUSED *open_oh,
unsigned H5_ATTR_UNUSED mesg_flags, unsigned H5_ATTR_UNUSED *ioflags,
- size_t H5_ATTR_UNUSED p_size, const uint8_t *p)
+ size_t p_size, const uint8_t *p)
{
H5O_layout_t *mesg = NULL;
unsigned u;
+ const uint8_t *p_end = p + p_size - 1; /* End of the p buffer */
void * ret_value = NULL; /* Return value */
FUNC_ENTER_NOAPI_NOINIT
@@ -174,6 +175,10 @@ H5O_layout_decode(H5F_t *f, hid_t H5_ATTR_UNUSED dxpl_id, H5O_t H5_ATTR_UNUSED *
if (mesg->type == H5D_COMPACT) {
UINT32DECODE(p, mesg->storage.u.compact.size);
if (mesg->storage.u.compact.size > 0) {
+ /* Ensure that size doesn't exceed buffer size, due to possible data corruption */
+ if (p + mesg->storage.u.compact.size - 1 > p_end)
+ HGOTO_ERROR(H5E_OHDR, H5E_OVERFLOW, NULL, "storage fill size exceeds buffer size")
+
if (NULL == (mesg->storage.u.compact.buf = H5MM_malloc(mesg->storage.u.compact.size)))
HGOTO_ERROR(H5E_RESOURCE, H5E_NOSPACE, NULL,
"memory allocation failed for compact data buffer")
@@ -191,6 +196,10 @@ H5O_layout_decode(H5F_t *f, hid_t H5_ATTR_UNUSED dxpl_id, H5O_t H5_ATTR_UNUSED *
case H5D_COMPACT:
UINT16DECODE(p, mesg->storage.u.compact.size);
if (mesg->storage.u.compact.size > 0) {
+ /* Ensure that size doesn't exceed buffer size, due to possible data corruption */
+ if (p + mesg->storage.u.compact.size - 1 > p_end)
+ HGOTO_ERROR(H5E_OHDR, H5E_OVERFLOW, NULL, "storage size exceeds buffer size")
+
if (NULL == (mesg->storage.u.compact.buf = H5MM_malloc(mesg->storage.u.compact.size)))
HGOTO_ERROR(H5E_RESOURCE, H5E_NOSPACE, NULL,
"memory allocation failed for compact data buffer")