summaryrefslogtreecommitdiffstats
path: root/src
diff options
context:
space:
mode:
authorBinh-Minh Ribler <bmribler@hdfgroup.org>2020-07-29 00:08:19 (GMT)
committerBinh-Minh Ribler <bmribler@hdfgroup.org>2020-07-29 00:08:19 (GMT)
commitcf4e78b3c9d1f1ed6687b24bbd738a63b9812a9e (patch)
treef49ec5ebfc617029883542356cdfcc5f571b4485 /src
parentb201a78b33bd572f401c7d1693d06af0103e1a96 (diff)
parent707e30c6be1954c0027374124207e46caae68cbc (diff)
downloadhdf5-cf4e78b3c9d1f1ed6687b24bbd738a63b9812a9e.zip
hdf5-cf4e78b3c9d1f1ed6687b24bbd738a63b9812a9e.tar.gz
hdf5-cf4e78b3c9d1f1ed6687b24bbd738a63b9812a9e.tar.bz2
Merge pull request #2711 in HDFFV/hdf5 from bmr-HDFFV-11120 to develop
Fix HDFFV-11120 and HDFFV-11121 (CVE-2018-13870 and CVE-2018-13869) * commit '707e30c6be1954c0027374124207e46caae68cbc': Fixed typos in error messages. Fix HDFFV-11120 and HDFFV-11121 (CVE-2018-13870 and CVE-2018-13869)
Diffstat (limited to 'src')
-rw-r--r--src/H5Olink.c19
1 files changed, 18 insertions, 1 deletions
diff --git a/src/H5Olink.c b/src/H5Olink.c
index 1f0c6c7..c27b51f 100644
--- a/src/H5Olink.c
+++ b/src/H5Olink.c
@@ -119,11 +119,12 @@ H5FL_DEFINE_STATIC(H5O_link_t);
static void *
H5O__link_decode(H5F_t *f, H5O_t H5_ATTR_UNUSED *open_oh,
unsigned H5_ATTR_UNUSED mesg_flags, unsigned H5_ATTR_UNUSED *ioflags,
- size_t H5_ATTR_UNUSED p_size, const uint8_t *p)
+ size_t p_size, const uint8_t *p)
{
H5O_link_t *lnk = NULL; /* Pointer to link message */
size_t len = 0; /* Length of a string in the message */
unsigned char link_flags; /* Flags for encoding link info */
+ const uint8_t *p_end = p + p_size; /* End of the p buffer */
void *ret_value = NULL; /* Return value */
FUNC_ENTER_STATIC
@@ -199,6 +200,11 @@ H5O__link_decode(H5F_t *f, H5O_t H5_ATTR_UNUSED *open_oh,
if(len == 0)
HGOTO_ERROR(H5E_OHDR, H5E_CANTLOAD, NULL, "invalid name length")
+ /* Make sure that length doesn't exceed buffer size, which could occur
+ when the file is corrupted */
+ if(p + len > p_end)
+ HGOTO_ERROR(H5E_OHDR, H5E_OVERFLOW, NULL, "name length causes read past end of buffer")
+
/* Get the link's name */
if(NULL == (lnk->name = (char *)H5MM_malloc(len + 1)))
HGOTO_ERROR(H5E_RESOURCE, H5E_NOSPACE, NULL, "memory allocation failed")
@@ -218,6 +224,12 @@ H5O__link_decode(H5F_t *f, H5O_t H5_ATTR_UNUSED *open_oh,
UINT16DECODE(p, len)
if(len == 0)
HGOTO_ERROR(H5E_OHDR, H5E_CANTLOAD, NULL, "invalid link length")
+
+ /* Make sure that length doesn't exceed buffer size, which could occur
+ when the file is corrupted */
+ if(p + len > p_end)
+ HGOTO_ERROR(H5E_OHDR, H5E_OVERFLOW, NULL, "name length causes read past end of buffer")
+
if(NULL == (lnk->u.soft.name = (char *)H5MM_malloc((size_t)len + 1)))
HGOTO_ERROR(H5E_RESOURCE, H5E_NOSPACE, NULL, "memory allocation failed")
H5MM_memcpy(lnk->u.soft.name, p, len);
@@ -238,6 +250,11 @@ H5O__link_decode(H5F_t *f, H5O_t H5_ATTR_UNUSED *open_oh,
lnk->u.ud.size = len;
if(len > 0)
{
+ /* Make sure that length doesn't exceed buffer size, which could
+ occur when the file is corrupted */
+ if(p + len > p_end)
+ HGOTO_ERROR(H5E_OHDR, H5E_OVERFLOW, NULL, "name length causes read past end of buffer")
+
if(NULL == (lnk->u.ud.udata = H5MM_malloc((size_t)len)))
HGOTO_ERROR(H5E_RESOURCE, H5E_NOSPACE, NULL, "memory allocation failed")
H5MM_memcpy(lnk->u.ud.udata, p, len);