diff options
| author | Binh-Minh Ribler <bmribler@hdfgroup.org> | 2020-10-26 13:36:27 (GMT) |
|---|---|---|
| committer | Binh-Minh Ribler <bmribler@hdfgroup.org> | 2020-10-26 13:36:27 (GMT) |
| commit | 7bfa10018ecf5efe54b4a699bb684d31468c8b42 (patch) | |
| tree | 46ae17c8595a0f1ba500b48ec760eac0e6f78bb5 /src/H5Osdspace.c | |
| parent | 58d8eae182ac764ef15c3ed040a12a96aa4d16f0 (diff) | |
| download | hdf5-7bfa10018ecf5efe54b4a699bb684d31468c8b42.zip hdf5-7bfa10018ecf5efe54b4a699bb684d31468c8b42.tar.gz hdf5-7bfa10018ecf5efe54b4a699bb684d31468c8b42.tar.bz2 | |
Fix HDFFV-10590
Description
This is to fix the CVE issue CVE-2018-17432.
h5repack produced a segfault on a corrupted file. This fix modified the
dataspace encode and decode functions per Quincey's suggestion to prevent
the segfault. h5repack only failed for the corrupted file now.
Platforms tested:
Linux/64 (jelly)
Diffstat (limited to 'src/H5Osdspace.c')
| -rw-r--r-- | src/H5Osdspace.c | 23 |
1 files changed, 14 insertions, 9 deletions
diff --git a/src/H5Osdspace.c b/src/H5Osdspace.c index b34eb76..e3ec4b0 100644 --- a/src/H5Osdspace.c +++ b/src/H5Osdspace.c @@ -138,8 +138,11 @@ H5O__sdspace_decode(H5F_t *f, H5O_t H5_ATTR_UNUSED *open_oh, unsigned H5_ATTR_UN flags = *p++; /* Get or determine the type of the extent */ - if (version >= H5O_SDSPACE_VERSION_2) + if (version >= H5O_SDSPACE_VERSION_2) { sdim->type = (H5S_class_t)*p++; + if(sdim->type != H5S_SIMPLE && sdim->rank > 0) + HGOTO_ERROR(H5E_OHDR, H5E_BADVALUE, NULL, "invalid rank for scalar or NULL dataspace") + } /* end if */ else { /* Set the dataspace type to be simple or scalar as appropriate */ if (sdim->rank > 0) @@ -248,15 +251,17 @@ H5O__sdspace_encode(H5F_t *f, uint8_t *p, const void *_mesg) *p++ = 0; /*reserved*/ } /* end else */ - /* Current & maximum dimensions */ - if (sdim->rank > 0) { - for (u = 0; u < sdim->rank; u++) - H5F_ENCODE_LENGTH(f, p, sdim->size[u]); - if (flags & H5S_VALID_MAX) { - for (u = 0; u < sdim->rank; u++) - H5F_ENCODE_LENGTH(f, p, sdim->max[u]); + /* Encode dataspace dimensions for simple dataspaces */ + if(H5S_SIMPLE == sdim->type) { + /* Encode current & maximum dimensions */ + if(sdim->rank > 0) { + for(u = 0; u < sdim->rank; u++) + H5F_ENCODE_LENGTH(f, p, sdim->size[u]); + if(flags & H5S_VALID_MAX) + for(u = 0; u < sdim->rank; u++) + H5F_ENCODE_LENGTH(f, p, sdim->max[u]); } /* end if */ - } /* end if */ + } /* end if */ FUNC_LEAVE_NOAPI(SUCCEED) } /* end H5O__sdspace_encode() */ |