diff options
| author | bmribler <39579120+bmribler@users.noreply.github.com> | 2021-05-12 19:35:53 (GMT) |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2021-05-12 19:35:53 (GMT) |
| commit | 9fb2c24c2eb2454430701247a984780654ca0544 (patch) | |
| tree | 2927a320a7dcc7800b3470d178aa9dff3682e0f1 /src | |
| parent | 78f0728d1b675e675f4dfb0112fc128535e10071 (diff) | |
| download | hdf5-9fb2c24c2eb2454430701247a984780654ca0544.zip hdf5-9fb2c24c2eb2454430701247a984780654ca0544.tar.gz hdf5-9fb2c24c2eb2454430701247a984780654ca0544.tar.bz2 | |
Bmr dev hdffv 11223 (#640)
* Fixed HDFFV-11223 (CVE-2018-14460)
Description
- Added checks against buffer size to prevent segfault, in case of data
corruption, for sdim->size and sdim->max.
- Renamed data files in an existing test to shorten their length
as agreed with other developers previously.
Platforms tested:
Linux/64 (jelly)
* Committing clang-format changes
* Updated for test files
* Updated for HDFFV-11223
Co-authored-by: github-actions <41898282+github-actions[bot]@users.noreply.github.com>
Diffstat (limited to 'src')
| -rw-r--r-- | src/H5Osdspace.c | 23 |
1 files changed, 18 insertions, 5 deletions
diff --git a/src/H5Osdspace.c b/src/H5Osdspace.c index 2cdf6ec..dab989f 100644 --- a/src/H5Osdspace.c +++ b/src/H5Osdspace.c @@ -106,12 +106,13 @@ H5FL_ARR_EXTERN(hsize_t); --------------------------------------------------------------------------*/ static void * H5O__sdspace_decode(H5F_t *f, H5O_t H5_ATTR_UNUSED *open_oh, unsigned H5_ATTR_UNUSED mesg_flags, - unsigned H5_ATTR_UNUSED *ioflags, size_t H5_ATTR_UNUSED p_size, const uint8_t *p) + unsigned H5_ATTR_UNUSED *ioflags, size_t p_size, const uint8_t *p) { - H5S_extent_t *sdim = NULL; /* New extent dimensionality structure */ - unsigned flags, version; - unsigned i; /* Local counting variable */ - void * ret_value = NULL; /* Return value */ + H5S_extent_t * sdim = NULL; /* New extent dimensionality structure */ + unsigned flags, version; + unsigned i; /* Local counting variable */ + const uint8_t *p_end = p + p_size - 1; /* End of the p buffer */ + void * ret_value = NULL; /* Return value */ FUNC_ENTER_STATIC @@ -161,6 +162,13 @@ H5O__sdspace_decode(H5F_t *f, H5O_t H5_ATTR_UNUSED *open_oh, unsigned H5_ATTR_UN /* Decode dimension sizes */ if (sdim->rank > 0) { + /* Ensure that rank doesn't cause reading passed buffer's end, + due to possible data corruption */ + uint8_t sizeof_size = H5F_SIZEOF_SIZE(f); + if (p + (sizeof_size * sdim->rank - 1) > p_end) { + HGOTO_ERROR(H5E_OHDR, H5E_OVERFLOW, NULL, "rank might cause reading passed buffer's end") + } + if (NULL == (sdim->size = (hsize_t *)H5FL_ARR_MALLOC(hsize_t, (size_t)sdim->rank))) HGOTO_ERROR(H5E_RESOURCE, H5E_NOSPACE, NULL, "memory allocation failed") @@ -170,6 +178,11 @@ H5O__sdspace_decode(H5F_t *f, H5O_t H5_ATTR_UNUSED *open_oh, unsigned H5_ATTR_UN if (flags & H5S_VALID_MAX) { if (NULL == (sdim->max = (hsize_t *)H5FL_ARR_MALLOC(hsize_t, (size_t)sdim->rank))) HGOTO_ERROR(H5E_RESOURCE, H5E_NOSPACE, NULL, "memory allocation failed") + + /* Ensure that rank doesn't cause reading passed buffer's end */ + if (p + (sizeof_size * sdim->rank - 1) > p_end) + HGOTO_ERROR(H5E_OHDR, H5E_OVERFLOW, NULL, "rank might cause reading passed buffer's end") + for (i = 0; i < sdim->rank; i++) H5F_DECODE_LENGTH(f, p, sdim->max[i]); } /* end if */ |