author | Dana Robinson <derobins@hdfgroup.org> | 2018-02-27 02:31:40 (GMT) |
---|---|---|
committer | lrknox <lrknox> | 2018-05-10 21:43:47 (GMT) |
commit | b1a6873b1021c967b661727edae9de87d194f744 (patch) | |
tree | 81deb9506f7616af37caeeebaff525b7ef74aa0f /src/H5T.c | |
parent | 11a188a4b6f1da0bd81c54976e6ceb8530d71aa1 (diff) | |
Fix for HDFFV-10355 (CVE-2017-17506).
(cherry picked from commit 302053f978e38a8d4306a7c1233cdf8fd2ec28dd)
Diffstat (limited to 'src/H5T.c')
-rw-r--r-- | src/H5T.c | 13 |
1 files changed, 9 insertions, 4 deletions
@@ -2801,8 +2801,13 @@ H5Tdecode(const void *buf)
 if(buf == NULL)
 HGOTO_ERROR(H5E_ARGS, H5E_BADVALUE, FAIL, "empty buffer")
- /* Create datatype by decoding buffer */
- if(NULL == (dt = H5T_decode((const unsigned char *)buf)))
+ /* Create datatype by decoding buffer
+ * There is no way to get the size of the buffer, so we pass in
+ * SIZE_MAX and assume the caller knows what they are doing.
+ * Really fixing this will require an H5Tdecode2() call that
+ * takes a size parameter.
+ */
+ if(NULL == (dt = H5T_decode(SIZE_MAX, (const unsigned char *)buf)))
 HGOTO_ERROR(H5E_DATATYPE, H5E_CANTDECODE, FAIL, "can't decode object")
 /* Register the type and return the ID */
@@ -2891,7 +2896,7 @@ done:
 *-------------------------------------------------------------------------
 */
 static H5T_t *
-H5T_decode(const unsigned char *buf)
+H5T_decode(size_t buf_size, const unsigned char *buf)
 {
 H5F_t *f = NULL; /* Fake file structure*/
 H5T_t *ret_value = NULL; /* Return value */
@@ -2911,7 +2916,7 @@ H5T_decode(const unsigned char *buf)
 HGOTO_ERROR(H5E_DATATYPE, H5E_VERSION, NULL, "unknown version of encoded datatype")
 /* Decode the serialized datatype message */
- if(NULL == (ret_value = (H5T_t *)H5O_msg_decode(f, H5AC_ind_dxpl_id, NULL, H5O_DTYPE_ID, buf)))
+ if(NULL == (ret_value = (H5T_t *)H5O_msg_decode(f, H5AC_noio_dxpl_id, NULL, H5O_DTYPE_ID, buf_size, buf)))
 HGOTO_ERROR(H5E_DATATYPE, H5E_CANTDECODE, NULL, "can't decode object")
 /* Mark datatype as being in memory now */ |
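Review bot: Passing `SIZE_MAX` at the `H5T_decode(SIZE_MAX, ...)` call in H5Tdecode() leaves the public decode path with no effective bound, so whatever length checks the decoder gains from this change do not protect a caller who hands in a truncated or untrusted buffer. The downstream checks are not visible here, so confirm that they compare a remaining-byte count rather than forming an end pointer such as `buf + buf_size`, which would wrap with this sentinel. The trust assumption also belongs in the public API documentation, not only in this inline comment, for example `/* NOTE: buf must hold a complete encoded datatype; its length cannot be checked by this call */`. H5Tdecode's body starts and ends outside the hunk.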
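Review bot: The new `buf_size` parameter of H5T_decode() should be described in the function's header comment, whose closing lines appear as context at the top of the second hunk; the rest of that comment lies outside the hunk, so it may already need only one extra line. A line such as ` * buf_size: number of bytes available at buf, or SIZE_MAX when the caller cannot know` would record the sentinel convention that H5Tdecode() relies on. Without it, a later internal caller has no way to tell that `SIZE_MAX` means "unchecked" and not a real length.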
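Review bot: In the third hunk `buf_size` is forwarded to `H5O_msg_decode()` unchanged, although the version check shown as context just above implies H5T_decode() has already read header bytes from `buf` by this point. If `buf` was advanced there (those lines fall between the hunks and are not visible), the length passed on overstates what remains, and the header reads themselves are not guarded by `buf_size`. Consider checking that `buf_size` covers the header before reading it, and passing only the remaining length to `H5O_msg_decode()`. The switch from `H5AC_ind_dxpl_id` to `H5AC_noio_dxpl_id` on the same line is not explained by the commit message and deserves a sentence there or in a comment.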