diff options
author | Larry Knox <lrknox@hdfgroup.org> | 2021-06-03 21:07:23 (GMT) |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-06-03 21:07:23 (GMT) |
commit | 061b23ac0011d3a26f660a7f4d07c40f41d63f10 (patch) | |
tree | c2e38994fbd770e503266a1dc2390f8b590bdb33 /src/H5Osdspace.c | |
parent | 3b5163fa8170647d99bd00e180651cb7b103ed19 (diff) | |
download | hdf5-061b23ac0011d3a26f660a7f4d07c40f41d63f10.zip hdf5-061b23ac0011d3a26f660a7f4d07c40f41d63f10.tar.gz hdf5-061b23ac0011d3a26f660a7f4d07c40f41d63f10.tar.bz2 |
Partial merge issue #642 develop branch PRs to Hdf5 1 10 (#718)
* Revert addition of & to 2 parameters in DSetCreatPropList::setVirtual to
maintain binary compatibility.
* Fix H5Eget_auto2/H5Eauto_is_v2 to not clear error stack (#625)
* Removes gratuitous (double)x.yF casts (#632)
* Committing clang-format changes
* Removes gratuitous (double)x.yF casts
* Committing clang-format changes
Co-authored-by: github-actions <41898282+github-actions[bot]@users.noreply.github.com>
* Cleans up a const warning left over from previous constification (#633)
* Committing clang-format changes
* Adds consts to a few global variables
* Cleans up a const warning left over from previous constification
Co-authored-by: github-actions <41898282+github-actions[bot]@users.noreply.github.com>
* Purges UFAIL from the library (#637)
* Committing clang-format changes
* Purges UFAIL from the library
* H5HL_insert change requested in PR
Co-authored-by: github-actions <41898282+github-actions[bot]@users.noreply.github.com>
* Bmr dev hdffv 11223 (#640)
* Fixed HDFFV-11223 (CVE-2018-14460)
Description
- Added checks against buffer size to prevent segfault, in case of data
corruption, for sdim->size and sdim->max.
- Renamed data files in an existing test to shorten their length
as agreed with other developers previously.
Platforms tested:
Linux/64 (jelly)
* Committing clang-format changes
* Updated for test files
* Updated for HDFFV-11223
Co-authored-by: github-actions <41898282+github-actions[bot]@users.noreply.github.com>
* Committing clang-format changes
* Restore "error:" in line 2666.
* Revert "Fix H5Eget_auto2/H5Eauto_is_v2 to not clear error stack (#625)"
This reverts commit 426b50484841118cf633fd6147302a63a30fd746.
Co-authored-by: jhendersonHDF <jhenderson@hdfgroup.org>
Co-authored-by: Dana Robinson <43805+derobins@users.noreply.github.com>
Co-authored-by: github-actions <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: bmribler <39579120+bmribler@users.noreply.github.com>
Diffstat (limited to 'src/H5Osdspace.c')
-rw-r--r-- | src/H5Osdspace.c | 23 |
1 files changed, 18 insertions, 5 deletions
diff --git a/src/H5Osdspace.c b/src/H5Osdspace.c index c715df8..6a2557f 100644 --- a/src/H5Osdspace.c +++ b/src/H5Osdspace.c @@ -106,12 +106,13 @@ H5FL_ARR_EXTERN(hsize_t); --------------------------------------------------------------------------*/ static void * H5O__sdspace_decode(H5F_t *f, H5O_t H5_ATTR_UNUSED *open_oh, unsigned H5_ATTR_UNUSED mesg_flags, - unsigned H5_ATTR_UNUSED *ioflags, size_t H5_ATTR_UNUSED p_size, const uint8_t *p) + unsigned H5_ATTR_UNUSED *ioflags, size_t p_size, const uint8_t *p) { - H5S_extent_t *sdim = NULL; /* New extent dimensionality structure */ - unsigned flags, version; - unsigned i; /* Local counting variable */ - void * ret_value = NULL; /* Return value */ + H5S_extent_t * sdim = NULL; /* New extent dimensionality structure */ + unsigned flags, version; + unsigned i; /* Local counting variable */ + const uint8_t *p_end = p + p_size - 1; /* End of the p buffer */ + void * ret_value = NULL; /* Return value */ FUNC_ENTER_STATIC @@ -158,6 +159,13 @@ H5O__sdspace_decode(H5F_t *f, H5O_t H5_ATTR_UNUSED *open_oh, unsigned H5_ATTR_UN /* Decode dimension sizes */ if (sdim->rank > 0) { + /* Ensure that rank doesn't cause reading passed buffer's end, + due to possible data corruption */ + uint8_t sizeof_size = H5F_SIZEOF_SIZE(f); + if (p + (sizeof_size * sdim->rank - 1) > p_end) { + HGOTO_ERROR(H5E_OHDR, H5E_OVERFLOW, NULL, "rank might cause reading passed buffer's end") + } + if (NULL == (sdim->size = (hsize_t *)H5FL_ARR_MALLOC(hsize_t, (size_t)sdim->rank))) HGOTO_ERROR(H5E_RESOURCE, H5E_NOSPACE, NULL, "memory allocation failed") @@ -167,6 +175,11 @@ H5O__sdspace_decode(H5F_t *f, H5O_t H5_ATTR_UNUSED *open_oh, unsigned H5_ATTR_UN if (flags & H5S_VALID_MAX) { if (NULL == (sdim->max = (hsize_t *)H5FL_ARR_MALLOC(hsize_t, (size_t)sdim->rank))) HGOTO_ERROR(H5E_RESOURCE, H5E_NOSPACE, NULL, "memory allocation failed") + + /* Ensure that rank doesn't cause reading passed buffer's end */ + if (p + (sizeof_size * sdim->rank - 1) > p_end) + HGOTO_ERROR(H5E_OHDR, H5E_OVERFLOW, NULL, "rank might cause reading passed buffer's end") + for (i = 0; i < sdim->rank; i++) H5F_DECODE_LENGTH(f, p, sdim->max[i]); } /* end if */ |