authorDana Robinson <derobins@hdfgroup.org>2018-02-27 02:31:40 (GMT)
committerDana Robinson <derobins@hdfgroup.org>2018-02-27 02:31:40 (GMT)
commit302053f978e38a8d4306a7c1233cdf8fd2ec28dd (patch)
tree969544258f45fab8be9a71d1b7ce367bc520c141 /src/H5Opline.c
parent9ea358d971ae45698dba6794583a39c4023085ad (diff)
Fix for HDFFV-10355 (CVE-2017-17506).
Diffstat (limited to 'src/H5Opline.c')
-rw-r--r--src/H5Opline.c51
1 files changed, 29 insertions, 22 deletions
diff --git a/src/H5Opline.c b/src/H5Opline.c
index e817f9a..7bc8f19 100644
--- a/src/H5Opline.c
+++ b/src/H5Opline.c
@@ -34,7 +34,7 @@
/* PRIVATE PROTOTYPES */
static herr_t H5O_pline_encode(H5F_t *f, uint8_t *p, const void *mesg);
static void *H5O_pline_decode(H5F_t *f, hid_t dxpl_id, H5O_t *open_oh,
- unsigned mesg_flags, unsigned *ioflags, const uint8_t *p);
+ unsigned mesg_flags, unsigned *ioflags, size_t p_size, const uint8_t *p);
static void *H5O_pline_copy(const void *_mesg, void *_dest);
static size_t H5O_pline_size(const H5F_t *f, const void *_mesg);
static herr_t H5O_pline_reset(void *_mesg);
@@ -115,12 +115,14 @@ H5FL_DEFINE(H5O_pline_t);
*/
static void *
H5O_pline_decode(H5F_t H5_ATTR_UNUSED *f, hid_t H5_ATTR_UNUSED dxpl_id, H5O_t H5_ATTR_UNUSED *open_oh,
- unsigned H5_ATTR_UNUSED mesg_flags, unsigned H5_ATTR_UNUSED *ioflags, const uint8_t *p)
+ unsigned H5_ATTR_UNUSED mesg_flags, unsigned H5_ATTR_UNUSED *ioflags,
+ size_t p_size, const uint8_t *p)
{
H5O_pline_t *pline = NULL; /* Pipeline message */
H5Z_filter_info_t *filter; /* Filter to decode */
size_t name_length; /* Length of filter name */
size_t i; /* Local index variable */
+ const uint8_t *p_end = p + p_size - 1; /* End of the p buffer */
void *ret_value = NULL; /* Return value */
FUNC_ENTER_NOAPI_NOINIT
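Review bot: The new `p_end = p + p_size - 1` is undefined pointer arithmetic when `p_size` is 0, and nothing in the function rejects a message shorter than the two bytes the unconditional `*p++` reads of version and nused consume right after this hunk. Define the sentinel as one-past-the-end, `const uint8_t *p_end = p + p_size; /* one past the last valid byte */`, which is always a valid pointer to form, and guard the header with `if(p_size < 2) HGOTO_ERROR(H5E_PLINE, H5E_CANTLOAD, NULL, "pipeline message too short")` before the version read; the cd_values check later in the function then reads `if(p + 4 <= p_end)`. The body of H5O_pline_decode continues past the end of this hunk.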
@@ -130,17 +132,17 @@ H5O_pline_decode(H5F_t H5_ATTR_UNUSED *f, hid_t H5_ATTR_UNUSED dxpl_id, H5O_t H5
/* Allocate space for I/O pipeline message */
if(NULL == (pline = H5FL_CALLOC(H5O_pline_t)))
- HGOTO_ERROR(H5E_RESOURCE, H5E_NOSPACE, NULL, "memory allocation failed")
+ HGOTO_ERROR(H5E_RESOURCE, H5E_NOSPACE, NULL, "memory allocation failed")
/* Version */
pline->version = *p++;
if(pline->version < H5O_PLINE_VERSION_1 || pline->version > H5O_PLINE_VERSION_LATEST)
- HGOTO_ERROR(H5E_PLINE, H5E_CANTLOAD, NULL, "bad version number for filter pipeline message")
+ HGOTO_ERROR(H5E_PLINE, H5E_CANTLOAD, NULL, "bad version number for filter pipeline message")
/* Number of filters */
pline->nused = *p++;
if(pline->nused > H5Z_MAX_NFILTERS)
- HGOTO_ERROR(H5E_PLINE, H5E_CANTLOAD, NULL, "filter pipeline message has too many filters")
+ HGOTO_ERROR(H5E_PLINE, H5E_CANTLOAD, NULL, "filter pipeline message has too many filters")
/* Reserved */
if(pline->version == H5O_PLINE_VERSION_1)
@@ -149,12 +151,12 @@ H5O_pline_decode(H5F_t H5_ATTR_UNUSED *f, hid_t H5_ATTR_UNUSED dxpl_id, H5O_t H5
/* Allocate array for filters */
pline->nalloc = pline->nused;
if(NULL == (pline->filter = (H5Z_filter_info_t *)H5MM_calloc(pline->nalloc * sizeof(pline->filter[0]))))
- HGOTO_ERROR(H5E_RESOURCE, H5E_NOSPACE, NULL, "memory allocation failed")
+ HGOTO_ERROR(H5E_RESOURCE, H5E_NOSPACE, NULL, "memory allocation failed")
/* Decode filters */
for(i = 0, filter = &pline->filter[0]; i < pline->nused; i++, filter++) {
/* Filter ID */
- UINT16DECODE(p, filter->id);
+ UINT16DECODE(p, filter->id);
/* Length of filter name */
if(pline->version > H5O_PLINE_VERSION_1 && filter->id < H5Z_FILTER_RESERVED)
@@ -166,18 +168,18 @@ H5O_pline_decode(H5F_t H5_ATTR_UNUSED *f, hid_t H5_ATTR_UNUSED dxpl_id, H5O_t H5
} /* end if */
/* Filter flags */
- UINT16DECODE(p, filter->flags);
+ UINT16DECODE(p, filter->flags);
/* Number of filter parameters ("client data elements") */
- UINT16DECODE(p, filter->cd_nelmts);
+ UINT16DECODE(p, filter->cd_nelmts);
/* Filter name, if there is one */
- if(name_length) {
+ if(name_length) {
size_t actual_name_length; /* Actual length of name */
/* Determine actual name length (without padding, but with null terminator) */
- actual_name_length = HDstrlen((const char *)p) + 1;
- HDassert(actual_name_length <= name_length);
+ actual_name_length = HDstrlen((const char *)p) + 1;
+ HDassert(actual_name_length <= name_length);
/* Allocate space for the filter name, or use the internal buffer */
if(actual_name_length > H5Z_COMMON_NAME_LEN) {
@@ -188,12 +190,12 @@ H5O_pline_decode(H5F_t H5_ATTR_UNUSED *f, hid_t H5_ATTR_UNUSED dxpl_id, H5O_t H5
else
filter->name = filter->_name;
- HDstrncpy(filter->name, (const char *)p, actual_name_length);
- p += name_length;
- } /* end if */
+ HDstrncpy(filter->name, (const char *)p, actual_name_length);
+ p += name_length;
+ } /* end if */
/* Filter parameters */
- if(filter->cd_nelmts) {
+ if(filter->cd_nelmts) {
size_t j; /* Local index variable */
/* Allocate space for the client data elements, or use the internal buffer */
@@ -205,15 +207,20 @@ H5O_pline_decode(H5F_t H5_ATTR_UNUSED *f, hid_t H5_ATTR_UNUSED dxpl_id, H5O_t H5
else
filter->cd_values = filter->_cd_values;
- /*
- * Read the client data values and the padding
- */
- for(j = 0; j < filter->cd_nelmts; j++)
- UINT32DECODE(p, filter->cd_values[j]);
+ /*
+ * Read the client data values and the padding
+ */
+ for (j = 0; j < filter->cd_nelmts; j++) {
+ if (p + 4 - 1 <= p_end)
+ UINT32DECODE(p, filter->cd_values[j])
+ else
+ HGOTO_ERROR(H5E_RESOURCE, H5E_NOSPACE, NULL, "ran off the end of the buffer: current p = %p, p_size = %zu, p_end = %p", p, p_size, p_end)
+ }
+
if(pline->version == H5O_PLINE_VERSION_1)
if(filter->cd_nelmts % 2)
p += 4; /*padding*/
- } /* end if */
+ } /* end if */
} /* end for */
/* Set return value */
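Review bot: The bound added in the cd_values loop is the only check in the decoder; the `UINT16DECODE` reads of filter id, flags and cd_nelmts, the `*p++` reads of version and nused, the `HDstrlen`/`HDstrncpy` over the filter name and the `p += name_length` and `p += 4` advances (in the earlier hunks of this file and just below the loop) still move through the message without consulting `p_end`, so an undersized or unterminated message can still read past the buffer. Each of those reads needs the same guard before it, and the name scan should be bounded by the bytes remaining in the message rather than trusting a NUL terminator, e.g. `if(p + name_length - 1 > p_end) HGOTO_ERROR(H5E_PLINE, H5E_CANTLOAD, NULL, "filter name runs off the end of the message")` ahead of the `HDstrlen` call. The added error path also reports `H5E_RESOURCE`/`H5E_NOSPACE`, which this function otherwise reserves for allocation failures, while the other malformed-message paths use `H5E_PLINE`/`H5E_CANTLOAD`; and the `%p` values print heap addresses into the error stack without aiding diagnosis, so reporting `p_size` and the byte offset reached is more useful. The rewritten loop and padding advance below use the existing last-valid-byte convention for `p_end`.
```c
            /* Read the client data values; every element is bounds-checked against the message */
            for (j = 0; j < filter->cd_nelmts; j++) {
                if (p + 4 - 1 > p_end)
                    HGOTO_ERROR(H5E_PLINE, H5E_CANTLOAD, NULL, "filter parameters run off the end of the pipeline message (p_size = %zu)", p_size)
                UINT32DECODE(p, filter->cd_values[j])
            }

            /* Version 1 pads an odd parameter count to an even number of 4-byte words; the pad must lie inside the message too */
            if(pline->version == H5O_PLINE_VERSION_1)
                if(filter->cd_nelmts % 2) {
                    if (p + 4 - 1 > p_end)
                        HGOTO_ERROR(H5E_PLINE, H5E_CANTLOAD, NULL, "filter parameter padding runs off the end of the pipeline message (p_size = %zu)", p_size)
                    p += 4; /*padding*/
                }
            /* … unchanged: end of per-filter block and loop … */
```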