diff options
| author | mattjala <124107509+mattjala@users.noreply.github.com> | 2023-05-18 16:13:34 (GMT) |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2023-05-18 16:13:34 (GMT) |
| commit | 8dcc7dc17ff4e797edc5570a6eaa1d8da691b97e (patch) | |
| tree | 53b1f43c643978533a0e679aa07a8169f4367ee0 /src/H5Sall.c | |
| parent | d5143567c8f08f6f6de80ffcffa3ede98634ca78 (diff) | |
| download | hdf5-8dcc7dc17ff4e797edc5570a6eaa1d8da691b97e.zip hdf5-8dcc7dc17ff4e797edc5570a6eaa1d8da691b97e.tar.gz hdf5-8dcc7dc17ff4e797edc5570a6eaa1d8da691b97e.tar.bz2 | |
Prevent buffer overrun in H5S_select_deserialize (#2956)
Diffstat (limited to 'src/H5Sall.c')
| -rw-r--r-- | src/H5Sall.c | 18 |
1 files changed, 11 insertions, 7 deletions
diff --git a/src/H5Sall.c b/src/H5Sall.c index a1ae04e..00ab1e2 100644 --- a/src/H5Sall.c +++ b/src/H5Sall.c @@ -50,7 +50,7 @@ static herr_t H5S__all_release(H5S_t *space); static htri_t H5S__all_is_valid(const H5S_t *space); static hssize_t H5S__all_serial_size(H5S_t *space); static herr_t H5S__all_serialize(H5S_t *space, uint8_t **p); -static herr_t H5S__all_deserialize(H5S_t **space, const uint8_t **p); +static herr_t H5S__all_deserialize(H5S_t **space, const uint8_t **p, const size_t p_size, hbool_t skip); static herr_t H5S__all_bounds(const H5S_t *space, hsize_t *start, hsize_t *end); static herr_t H5S__all_offset(const H5S_t *space, hsize_t *off); static int H5S__all_unlim_dim(const H5S_t *space); @@ -637,13 +637,13 @@ H5S__all_serialize(H5S_t *space, uint8_t **p) REVISION LOG --------------------------------------------------------------------------*/ static herr_t -H5S__all_deserialize(H5S_t **space, const uint8_t **p) +H5S__all_deserialize(H5S_t **space, const uint8_t **p, const size_t p_size, hbool_t skip) { - uint32_t version; /* Version number */ - H5S_t *tmp_space = NULL; /* Pointer to actual dataspace to use, - either *space or a newly allocated one */ - herr_t ret_value = SUCCEED; /* return value */ - + uint32_t version; /* Version number */ + H5S_t *tmp_space = NULL; /* Pointer to actual dataspace to use, + either *space or a newly allocated one */ + herr_t ret_value = SUCCEED; /* return value */ + const uint8_t *p_end = *p + p_size - 1; /* Pointer to last valid byte in buffer */ FUNC_ENTER_STATIC HDassert(p); @@ -663,12 +663,16 @@ H5S__all_deserialize(H5S_t **space, const uint8_t **p) tmp_space = *space; /* Decode version */ + if (H5_IS_KNOWN_BUFFER_OVERFLOW(skip, *p, sizeof(uint32_t), p_end)) + HGOTO_ERROR(H5E_DATASPACE, H5E_OVERFLOW, FAIL, "buffer overflow while decoding selection version") UINT32DECODE(*p, version); if (version < H5S_ALL_VERSION_1 || version > H5S_ALL_VERSION_LATEST) HGOTO_ERROR(H5E_DATASPACE, H5E_BADVALUE, FAIL, "bad version number for all selection") /* Skip over the remainder of the header */ + if (H5_IS_KNOWN_BUFFER_OVERFLOW(skip, *p, 8, p_end)) + HGOTO_ERROR(H5E_DATASPACE, H5E_OVERFLOW, FAIL, "buffer overflow while decoding header") *p += 8; /* Change to "all" selection */ |