diff options
| author | Binh-Minh Ribler <bmribler@hdfgroup.org> | 2020-07-29 00:08:19 (GMT) |
|---|---|---|
| committer | Binh-Minh Ribler <bmribler@hdfgroup.org> | 2020-07-29 00:08:19 (GMT) |
| commit | cf4e78b3c9d1f1ed6687b24bbd738a63b9812a9e (patch) | |
| tree | f49ec5ebfc617029883542356cdfcc5f571b4485 /src | |
| parent | b201a78b33bd572f401c7d1693d06af0103e1a96 (diff) | |
| parent | 707e30c6be1954c0027374124207e46caae68cbc (diff) | |
| download | hdf5-cf4e78b3c9d1f1ed6687b24bbd738a63b9812a9e.zip hdf5-cf4e78b3c9d1f1ed6687b24bbd738a63b9812a9e.tar.gz hdf5-cf4e78b3c9d1f1ed6687b24bbd738a63b9812a9e.tar.bz2 | |
Merge pull request #2711 in HDFFV/hdf5 from bmr-HDFFV-11120 to develop
Fix HDFFV-11120 and HDFFV-11121 (CVE-2018-13870 and CVE-2018-13869)
* commit '707e30c6be1954c0027374124207e46caae68cbc':
Fixed typos in error messages.
Fix HDFFV-11120 and HDFFV-11121 (CVE-2018-13870 and CVE-2018-13869)
Diffstat (limited to 'src')
| -rw-r--r-- | src/H5Olink.c | 19 |
1 files changed, 18 insertions, 1 deletions
diff --git a/src/H5Olink.c b/src/H5Olink.c index 1f0c6c7..c27b51f 100644 --- a/src/H5Olink.c +++ b/src/H5Olink.c @@ -119,11 +119,12 @@ H5FL_DEFINE_STATIC(H5O_link_t); static void * H5O__link_decode(H5F_t *f, H5O_t H5_ATTR_UNUSED *open_oh, unsigned H5_ATTR_UNUSED mesg_flags, unsigned H5_ATTR_UNUSED *ioflags, - size_t H5_ATTR_UNUSED p_size, const uint8_t *p) + size_t p_size, const uint8_t *p) { H5O_link_t *lnk = NULL; /* Pointer to link message */ size_t len = 0; /* Length of a string in the message */ unsigned char link_flags; /* Flags for encoding link info */ + const uint8_t *p_end = p + p_size; /* End of the p buffer */ void *ret_value = NULL; /* Return value */ FUNC_ENTER_STATIC @@ -199,6 +200,11 @@ H5O__link_decode(H5F_t *f, H5O_t H5_ATTR_UNUSED *open_oh, if(len == 0) HGOTO_ERROR(H5E_OHDR, H5E_CANTLOAD, NULL, "invalid name length") + /* Make sure that length doesn't exceed buffer size, which could occur + when the file is corrupted */ + if(p + len > p_end) + HGOTO_ERROR(H5E_OHDR, H5E_OVERFLOW, NULL, "name length causes read past end of buffer") + /* Get the link's name */ if(NULL == (lnk->name = (char *)H5MM_malloc(len + 1))) HGOTO_ERROR(H5E_RESOURCE, H5E_NOSPACE, NULL, "memory allocation failed") @@ -218,6 +224,12 @@ H5O__link_decode(H5F_t *f, H5O_t H5_ATTR_UNUSED *open_oh, UINT16DECODE(p, len) if(len == 0) HGOTO_ERROR(H5E_OHDR, H5E_CANTLOAD, NULL, "invalid link length") + + /* Make sure that length doesn't exceed buffer size, which could occur + when the file is corrupted */ + if(p + len > p_end) + HGOTO_ERROR(H5E_OHDR, H5E_OVERFLOW, NULL, "name length causes read past end of buffer") + if(NULL == (lnk->u.soft.name = (char *)H5MM_malloc((size_t)len + 1))) HGOTO_ERROR(H5E_RESOURCE, H5E_NOSPACE, NULL, "memory allocation failed") H5MM_memcpy(lnk->u.soft.name, p, len); @@ -238,6 +250,11 @@ H5O__link_decode(H5F_t *f, H5O_t H5_ATTR_UNUSED *open_oh, lnk->u.ud.size = len; if(len > 0) { + /* Make sure that length doesn't exceed buffer size, which could + occur when the file is corrupted */ + if(p + len > p_end) + HGOTO_ERROR(H5E_OHDR, H5E_OVERFLOW, NULL, "name length causes read past end of buffer") + if(NULL == (lnk->u.ud.udata = H5MM_malloc((size_t)len))) HGOTO_ERROR(H5E_RESOURCE, H5E_NOSPACE, NULL, "memory allocation failed") H5MM_memcpy(lnk->u.ud.udata, p, len); |