authorLarry Knox <lrknox@hdfgroup.org>2021-06-03 21:07:23 (GMT)
committerGitHub <noreply@github.com>2021-06-03 21:07:23 (GMT)
commit061b23ac0011d3a26f660a7f4d07c40f41d63f10 (patch)
treec2e38994fbd770e503266a1dc2390f8b590bdb33 /src/H5Osdspace.c
parent3b5163fa8170647d99bd00e180651cb7b103ed19 (diff)
Partial merge issue #642 develop branch PRs to Hdf5 1 10 (#718)
* Revert addition of & to 2 parameters in DSetCreatPropList::setVirtual to maintain binary compatibility. * Fix H5Eget_auto2/H5Eauto_is_v2 to not clear error stack (#625) * Removes gratuitous (double)x.yF casts (#632) * Committing clang-format changes * Removes gratuitous (double)x.yF casts * Committing clang-format changes Co-authored-by: github-actions <41898282+github-actions[bot]@users.noreply.github.com> * Cleans up a const warning left over from previous constification (#633) * Committing clang-format changes * Adds consts to a few global variables * Cleans up a const warning left over from previous constification Co-authored-by: github-actions <41898282+github-actions[bot]@users.noreply.github.com> * Purges UFAIL from the library (#637) * Committing clang-format changes * Purges UFAIL from the library * H5HL_insert change requested in PR Co-authored-by: github-actions <41898282+github-actions[bot]@users.noreply.github.com> * Bmr dev hdffv 11223 (#640) * Fixed HDFFV-11223 (CVE-2018-14460) Description - Added checks against buffer size to prevent segfault, in case of data corruption, for sdim->size and sdim->max. - Renamed data files in an existing test to shorten their length as agreed with other developers previously. Platforms tested: Linux/64 (jelly) * Committing clang-format changes * Updated for test files * Updated for HDFFV-11223 Co-authored-by: github-actions <41898282+github-actions[bot]@users.noreply.github.com> * Committing clang-format changes * Restore "error:" in line 2666. * Revert "Fix H5Eget_auto2/H5Eauto_is_v2 to not clear error stack (#625)" This reverts commit 426b50484841118cf633fd6147302a63a30fd746. Co-authored-by: jhendersonHDF <jhenderson@hdfgroup.org> Co-authored-by: Dana Robinson <43805+derobins@users.noreply.github.com> Co-authored-by: github-actions <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: bmribler <39579120+bmribler@users.noreply.github.com>
Diffstat (limited to 'src/H5Osdspace.c')
-rw-r--r--src/H5Osdspace.c23
1 files changed, 18 insertions, 5 deletions
diff --git a/src/H5Osdspace.c b/src/H5Osdspace.c
index c715df8..6a2557f 100644
--- a/src/H5Osdspace.c
+++ b/src/H5Osdspace.c
@@ -106,12 +106,13 @@ H5FL_ARR_EXTERN(hsize_t);
--------------------------------------------------------------------------*/
static void *
H5O__sdspace_decode(H5F_t *f, H5O_t H5_ATTR_UNUSED *open_oh, unsigned H5_ATTR_UNUSED mesg_flags,
- unsigned H5_ATTR_UNUSED *ioflags, size_t H5_ATTR_UNUSED p_size, const uint8_t *p)
+ unsigned H5_ATTR_UNUSED *ioflags, size_t p_size, const uint8_t *p)
{
- H5S_extent_t *sdim = NULL; /* New extent dimensionality structure */
- unsigned flags, version;
- unsigned i; /* Local counting variable */
- void * ret_value = NULL; /* Return value */
+ H5S_extent_t * sdim = NULL; /* New extent dimensionality structure */
+ unsigned flags, version;
+ unsigned i; /* Local counting variable */
+ const uint8_t *p_end = p + p_size - 1; /* End of the p buffer */
+ void * ret_value = NULL; /* Return value */
FUNC_ENTER_STATIC
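Review bot: `p_end = p + p_size - 1` points one element before the buffer when `p_size` is 0, which is undefined pointer arithmetic and leaves the later `> p_end` checks meaningless for an empty message. A one-past-the-end pointer is the safer form, `const uint8_t *p_end = p + p_size;`, with the later guards comparing the remaining length against it rather than carrying the `- 1` adjustments. The version, rank and flags bytes appear to be decoded between this hunk and the next, outside the visible lines, so it is worth confirming those reads are also bounded by `p_size`. The function body continues beyond this hunk.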
@@ -158,6 +159,13 @@ H5O__sdspace_decode(H5F_t *f, H5O_t H5_ATTR_UNUSED *open_oh, unsigned H5_ATTR_UN
/* Decode dimension sizes */
if (sdim->rank > 0) {
+ /* Ensure that rank doesn't cause reading passed buffer's end,
+ due to possible data corruption */
+ uint8_t sizeof_size = H5F_SIZEOF_SIZE(f);
+ if (p + (sizeof_size * sdim->rank - 1) > p_end) {
+ HGOTO_ERROR(H5E_OHDR, H5E_OVERFLOW, NULL, "rank might cause reading passed buffer's end")
+ }
+
if (NULL == (sdim->size = (hsize_t *)H5FL_ARR_MALLOC(hsize_t, (size_t)sdim->rank)))
HGOTO_ERROR(H5E_RESOURCE, H5E_NOSPACE, NULL, "memory allocation failed")
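Review bot: The guard `p + (sizeof_size * sdim->rank - 1) > p_end` builds a pointer that can lie beyond the buffer before comparing it, and forming that pointer is undefined behaviour for exactly the corrupt inputs the check is meant to reject, so a compiler may assume the condition is false. Comparing lengths avoids the out-of-range pointer; with `p_end` as declared in this commit that is `if ((ptrdiff_t)(sizeof_size * sdim->rank) > p_end - p + 1)`. The same expression is repeated in the `H5S_VALID_MAX` branch of the next hunk and needs the same change. The comments and error strings in both places say "passed" where "past" is meant.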
@@ -167,6 +175,11 @@ H5O__sdspace_decode(H5F_t *f, H5O_t H5_ATTR_UNUSED *open_oh, unsigned H5_ATTR_UN
if (flags & H5S_VALID_MAX) {
if (NULL == (sdim->max = (hsize_t *)H5FL_ARR_MALLOC(hsize_t, (size_t)sdim->rank)))
HGOTO_ERROR(H5E_RESOURCE, H5E_NOSPACE, NULL, "memory allocation failed")
+
+ /* Ensure that rank doesn't cause reading passed buffer's end */
+ if (p + (sizeof_size * sdim->rank - 1) > p_end)
+ HGOTO_ERROR(H5E_OHDR, H5E_OVERFLOW, NULL, "rank might cause reading passed buffer's end")
+
for (i = 0; i < sdim->rank; i++)
H5F_DECODE_LENGTH(f, p, sdim->max[i]);
} /* end if */
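Review bot: The bounds check for the max array runs after `H5FL_ARR_MALLOC` has already allocated `sdim->max`, so a corrupt message with `H5S_VALID_MAX` set still triggers an allocation before it is rejected. The allocation is then presumably released by the error path that `HGOTO_ERROR` jumps to, which is outside this hunk. Moving the `if (p + ...) HGOTO_ERROR(...)` pair above the `H5FL_ARR_MALLOC` call rejects the message first and matches the ordering of the size-array check in the previous hunk. A comment such as `/* p has advanced past the size array; re-check before reading rank more lengths */` would explain why the same test appears twice.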