diff options
author | Binh-Minh Ribler <bmribler@hdfgroup.org> | 2020-07-05 21:15:28 (GMT) |
---|---|---|
committer | Binh-Minh Ribler <bmribler@hdfgroup.org> | 2020-07-05 21:15:28 (GMT) |
commit | bf3ef96e9d5a28e824d7e89b5af590b61f530944 (patch) | |
tree | 4f92d9bd0dc4430e586a1ce7ab937059a0229a8c /src | |
parent | 37f6de1b3037a2b7a569c2edb08f58f8ba323af0 (diff) | |
download | hdf5-bf3ef96e9d5a28e824d7e89b5af590b61f530944.zip hdf5-bf3ef96e9d5a28e824d7e89b5af590b61f530944.tar.gz hdf5-bf3ef96e9d5a28e824d7e89b5af590b61f530944.tar.bz2 |
Fix HDFFV-10591
Description:
h52gif produced a segfault when a buffer overflow occurred because
the data size was corrupted and became very large. This commit added
a check on the data size against the buffer size to prevent the segfault.
It also added error reporting to h52gif to display an error message
instead of silently exiting when the failure occurred.
Platforms tested:
Linux/64 (jelly)
Diffstat (limited to 'src')
-rw-r--r-- | src/H5Oattr.c | 36 |
1 files changed, 22 insertions, 14 deletions
diff --git a/src/H5Oattr.c b/src/H5Oattr.c index 7a17c6a..c8dd822 100644 --- a/src/H5Oattr.c +++ b/src/H5Oattr.c @@ -109,7 +109,10 @@ H5FL_EXTERN(H5S_extent_t); USAGE void *H5O_attr_decode(f, mesg_flags, p) H5F_t *f; IN: pointer to the HDF5 file struct - unsigned mesg_flags; IN: Message flags to influence decoding + H5O_t *open_oh; IN: pointer to the object header + unsigned mesg_flags; IN: message flags to influence decoding + unsigned *ioflags; IN: flags for decoding + size_t p_size; IN: size of buffer *p const uint8_t *p; IN: the raw information buffer RETURNS Pointer to the new message in native order on success, NULL on failure @@ -120,16 +123,16 @@ H5FL_EXTERN(H5S_extent_t); --------------------------------------------------------------------------*/ static void * H5O_attr_decode(H5F_t *f, H5O_t *open_oh, unsigned H5_ATTR_UNUSED mesg_flags, - unsigned *ioflags, size_t H5_ATTR_UNUSED p_size, const uint8_t *p) + unsigned *ioflags, size_t p_size, const uint8_t *p) { - H5A_t *attr = NULL; - H5S_extent_t *extent; /*extent dimensionality information */ - size_t name_len; /*attribute name length */ - size_t dt_size; /* Datatype size */ - hssize_t sds_size; /* Signed Dataspace size */ - hsize_t ds_size; /* Dataspace size */ - unsigned flags = 0; /* Attribute flags */ - H5A_t *ret_value = NULL; /* Return value */ + H5A_t *attr = NULL; + H5S_extent_t *extent; /*extent dimensionality information */ + size_t name_len; /*attribute name length */ + size_t dt_size; /* Datatype size */ + hssize_t sds_size; /* Signed Dataspace size */ + hsize_t ds_size; /* Dataspace size */ + unsigned flags = 0; /* Attribute flags */ + H5A_t *ret_value = NULL; /* Return value */ FUNC_ENTER_NOAPI_NOINIT @@ -138,7 +141,7 @@ H5O_attr_decode(H5F_t *f, H5O_t *open_oh, unsigned H5_ATTR_UNUSED mesg_flags, HDassert(p); if(NULL == (attr = H5FL_CALLOC(H5A_t))) - HGOTO_ERROR(H5E_RESOURCE, H5E_NOSPACE, NULL, "memory allocation failed") + HGOTO_ERROR(H5E_RESOURCE, H5E_NOSPACE, NULL, "memory allocation failed") if(NULL == (attr->shared = H5FL_CALLOC(H5A_shared_t))) HGOTO_ERROR(H5E_FILE, H5E_NOSPACE, NULL, "can't allocate shared attr structure") @@ -146,7 +149,7 @@ H5O_attr_decode(H5F_t *f, H5O_t *open_oh, unsigned H5_ATTR_UNUSED mesg_flags, /* Version number */ attr->shared->version = *p++; if(attr->shared->version < H5O_ATTR_VERSION_1 || attr->shared->version > H5O_ATTR_VERSION_LATEST) - HGOTO_ERROR(H5E_ATTR, H5E_CANTLOAD, NULL, "bad version number for attribute message") + HGOTO_ERROR(H5E_ATTR, H5E_CANTLOAD, NULL, "bad version number for attribute message") /* Get the flags byte if we have a later version of the attribute */ if(attr->shared->version >= H5O_ATTR_VERSION_2) { @@ -176,7 +179,7 @@ H5O_attr_decode(H5F_t *f, H5O_t *open_oh, unsigned H5_ATTR_UNUSED mesg_flags, /* Decode and store the name */ if(NULL == (attr->shared->name = H5MM_strdup((const char *)p))) - HGOTO_ERROR(H5E_RESOURCE, H5E_NOSPACE, NULL, "memory allocation failed") + HGOTO_ERROR(H5E_RESOURCE, H5E_NOSPACE, NULL, "memory allocation failed") /* Make an attempt to detect corrupted name or name length - HDFFV-10588 */ if(name_len != (HDstrlen(attr->shared->name) + 1)) @@ -200,7 +203,7 @@ H5O_attr_decode(H5F_t *f, H5O_t *open_oh, unsigned H5_ATTR_UNUSED mesg_flags, * What's actually shared, though, is only the extent. */ if(NULL == (attr->shared->ds = H5FL_CALLOC(H5S_t))) - HGOTO_ERROR(H5E_RESOURCE, H5E_NOSPACE, NULL, "memory allocation failed") + HGOTO_ERROR(H5E_RESOURCE, H5E_NOSPACE, NULL, "memory allocation failed") /* Decode attribute's dataspace extent */ if((extent = (H5S_extent_t *)(H5O_MSG_SDSPACE->decode)(f, open_oh, @@ -238,6 +241,11 @@ H5O_attr_decode(H5F_t *f, H5O_t *open_oh, unsigned H5_ATTR_UNUSED mesg_flags, /* Go get the data */ if(attr->shared->data_size) { + /* Ensure that data size doesn't exceed buffer size, in case of + it's being corrupted in the file */ + if(attr->shared->data_size > p_size) + HGOTO_ERROR(H5E_RESOURCE, H5E_OVERFLOW, NULL, "data size exceeds buffer size") + if(NULL == (attr->shared->data = H5FL_BLK_MALLOC(attr_buf, attr->shared->data_size))) HGOTO_ERROR(H5E_RESOURCE, H5E_NOSPACE, NULL, "memory allocation failed") H5MM_memcpy(attr->shared->data, p, attr->shared->data_size); |