diff options
author | jhendersonHDF <jhenderson@hdfgroup.org> | 2023-04-15 01:30:21 (GMT) |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-04-15 01:30:21 (GMT) |
commit | 895ebf705ea5b830685424cbfe0ebef7cfd90d28 (patch) | |
tree | 09fc628a54d08ae47b9576aca9b99b9318137e34 /src | |
parent | e1f398a2cf390befda1140e1cdc88719060fc6d0 (diff) | |
download | hdf5-895ebf705ea5b830685424cbfe0ebef7cfd90d28.zip hdf5-895ebf705ea5b830685424cbfe0ebef7cfd90d28.tar.gz hdf5-895ebf705ea5b830685424cbfe0ebef7cfd90d28.tar.bz2 |
Fix a heap buffer overflow during H5D__compact_readvv (GitHub #2606) (#2664) (#2726)
Diffstat (limited to 'src')
-rw-r--r-- | src/H5Dint.c | 27 |
1 files changed, 27 insertions, 0 deletions
diff --git a/src/H5Dint.c b/src/H5Dint.c index 24985f3..95be827 100644 --- a/src/H5Dint.c +++ b/src/H5Dint.c @@ -1764,6 +1764,33 @@ H5D__open_oid(H5D_t *dataset, hid_t dapl_id) /* Indicate that the layout information was initialized */ layout_init = TRUE; + /* + * Now that we've read the dataset's datatype, dataspace and + * layout information, perform a quick check for compact datasets + * to ensure that the size of the internal buffer that was + * allocated for the dataset's raw data matches the size of + * the data. A corrupted file can cause a mismatch between the + * two, which might result in buffer overflows during future + * I/O to the dataset. + */ + if (H5D_COMPACT == dataset->shared->layout.type) { + hssize_t dset_nelemts = 0; + size_t dset_type_size = H5T_GET_SIZE(dataset->shared->type); + size_t dset_data_size = 0; + + HDassert(H5D_COMPACT == dataset->shared->layout.storage.type); + + if ((dset_nelemts = H5S_GET_EXTENT_NPOINTS(dataset->shared->space)) < 0) + HGOTO_ERROR(H5E_DATASET, H5E_CANTGET, FAIL, "can't get number of elements in dataset's dataspace") + + dset_data_size = (size_t)dset_nelemts * dset_type_size; + + if (dataset->shared->layout.storage.u.compact.size != dset_data_size) + HGOTO_ERROR(H5E_DATASET, H5E_BADVALUE, FAIL, + "bad value from dataset header - size of compact dataset's data buffer doesn't match " + "size of dataset data"); + } + /* Set up flush append property */ if (H5D__append_flush_setup(dataset, dapl_id)) HGOTO_ERROR(H5E_DATASET, H5E_CANTSET, FAIL, "unable to set up flush append property") |