authorVailin Choi <vchoi@jam.ad.hdfgroup.org>2018-07-11 03:00:14 (GMT)
committerM. Scot Breitenfeld <brtnfld@hdfgroup.org>2018-07-26 22:16:50 (GMT)
commit78d4fbddbd20904f9ee05a1d5de3ddd701453d24 (patch)
treed0f9cf6e29233f55b1e4f9f40e986de61b5872f4 /src
parent256f74f5320a5a97fc396b942c7d54331740244d (diff)
Fix for HDFFV-10333:
1) Check for valid object header version for a refcount message 2) Check for invalid fill value size 3) Check for invalid dimension size in a layout message 4) Add --enable-error-stack option to h5stat 5) Add error checks to h5stat.c 6) Add tests to h5stat and h5dump
Diffstat (limited to 'src')
-rw-r--r--src/H5Ocache.c28
-rw-r--r--src/H5Ofill.c22
-rw-r--r--src/H5Olayout.c4
-rw-r--r--src/H5Sselect.c2
4 files changed, 41 insertions, 15 deletions
diff --git a/src/H5Ocache.c b/src/H5Ocache.c
index 3607839..d65942b 100644
--- a/src/H5Ocache.c
+++ b/src/H5Ocache.c
@@ -1430,9 +1430,10 @@ H5O__chunk_deserialize(H5O_t *oh, haddr_t addr, size_t len, const uint8_t *image
/* Check for combining two adjacent 'null' messages */
if((udata->file_intent & H5F_ACC_RDWR) &&
- H5O_NULL_ID == id && oh->nmesgs > 0 &&
- H5O_NULL_ID == oh->mesg[oh->nmesgs - 1].type->id &&
- oh->mesg[oh->nmesgs - 1].chunkno == chunkno) {
+ H5O_NULL_ID == id && oh->nmesgs > 0 &&
+ H5O_NULL_ID == oh->mesg[oh->nmesgs - 1].type->id &&
+ oh->mesg[oh->nmesgs - 1].chunkno == chunkno) {
+
size_t mesgno; /* Current message to operate on */
/* Combine adjacent null messages */
@@ -1467,13 +1468,13 @@ H5O__chunk_deserialize(H5O_t *oh, haddr_t addr, size_t len, const uint8_t *image
/* Point unknown messages at 'unknown' message class */
/* (Usually from future versions of the library) */
- if(id >= H5O_UNKNOWN_ID ||
+ if(id >= H5O_UNKNOWN_ID ||
#ifdef H5O_ENABLE_BOGUS
- id == H5O_BOGUS_VALID_ID ||
+ id == H5O_BOGUS_VALID_ID ||
#endif
- NULL == H5O_msg_class_g[id]) {
+ NULL == H5O_msg_class_g[id]) {
- H5O_unknown_t *unknown; /* Pointer to "unknown" message info */
+ H5O_unknown_t *unknown; /* Pointer to "unknown" message info */
/* Allocate "unknown" message info */
if(NULL == (unknown = H5FL_MALLOC(H5O_unknown_t)))
@@ -1490,9 +1491,9 @@ H5O__chunk_deserialize(H5O_t *oh, haddr_t addr, size_t len, const uint8_t *image
/* Check for "fail if unknown" message flags */
if(((udata->file_intent & H5F_ACC_RDWR) &&
- (flags & H5O_MSG_FLAG_FAIL_IF_UNKNOWN_AND_OPEN_FOR_WRITE))
- || (flags & H5O_MSG_FLAG_FAIL_IF_UNKNOWN_ALWAYS))
- HGOTO_ERROR(H5E_OHDR, H5E_BADMESG, FAIL, "unknown message with 'fail if unknown' flag found")
+ (flags & H5O_MSG_FLAG_FAIL_IF_UNKNOWN_AND_OPEN_FOR_WRITE))
+ || (flags & H5O_MSG_FLAG_FAIL_IF_UNKNOWN_ALWAYS))
+ HGOTO_ERROR(H5E_OHDR, H5E_BADMESG, FAIL, "unknown message with 'fail if unknown' flag found")
/* Check for "mark if unknown" message flag, etc. */
else if((flags & H5O_MSG_FLAG_MARK_IF_UNKNOWN) &&
!(flags & H5O_MSG_FLAG_WAS_UNKNOWN) &&
@@ -1543,7 +1544,8 @@ H5O__chunk_deserialize(H5O_t *oh, haddr_t addr, size_t len, const uint8_t *image
H5O_refcount_t *refcount;
/* Decode ref. count message */
- HDassert(oh->version > H5O_VERSION_1);
+ if(oh->version <= H5O_VERSION_1)
+ HGOTO_ERROR(H5E_OHDR, H5E_VERSION, FAIL, "object header version does not support reference count message")
refcount = (H5O_refcount_t *)(H5O_MSG_REFCOUNT->decode)(udata->f, NULL, 0, &ioflags, mesg->raw_size, mesg->raw);
/* Save 'native' form of ref. count message */
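Review bot: The result of the `decode` call is assigned to `refcount` with no NULL check in the lines shown here, so a reference-count message that fails to decode could still be stored as the native form. Since the version test now fails cleanly at runtime, the decode result deserves the same treatment, e.g. `if(NULL == (refcount = (H5O_refcount_t *)(H5O_MSG_REFCOUNT->decode)(...)))` followed by `HGOTO_ERROR(H5E_OHDR, H5E_CANTDECODE, FAIL, "can't decode refcount")`. The code that consumes `refcount` lies outside this hunk, so confirm whether a check already exists there.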
@@ -1614,6 +1616,10 @@ H5O__chunk_deserialize(H5O_t *oh, haddr_t addr, size_t len, const uint8_t *image
} /* end if */
done:
+ if(ret_value < 0 && udata->cont_msg_info->msgs) {
+ udata->cont_msg_info->msgs = (H5O_chunk_t *)H5FL_SEQ_FREE(H5O_cont_t, udata->cont_msg_info->msgs);
+ udata->cont_msg_info->alloc_nmsgs = 0;
+ }
FUNC_LEAVE_NOAPI(ret_value)
} /* H5O__chunk_deserialize() */
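Review bot: The cast in the new cleanup, `(H5O_chunk_t *)H5FL_SEQ_FREE(H5O_cont_t, ...)`, names a different type from the free-list sequence being released; unless `msgs` is really declared as `H5O_chunk_t *`, it should read `(H5O_cont_t *)`. The block also zeroes `alloc_nmsgs` but leaves the in-use count alone, so a caller that consults `nmsgs` after a failed deserialize would index a NULL array. Adding `udata->cont_msg_info->nmsgs = 0;` keeps the three fields consistent. The struct definition and the callers are not on this page, so both points need checking against them.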
diff --git a/src/H5Ofill.c b/src/H5Ofill.c
index 932241f..3ce2e4f 100644
--- a/src/H5Ofill.c
+++ b/src/H5Ofill.c
@@ -19,6 +19,7 @@
*/
#include "H5Omodule.h" /* This source code file is part of the H5O module */
+#define H5T_FRIEND /*prevent warning from including H5Tpkg */
#include "H5private.h" /* Generic Functions */
@@ -31,6 +32,7 @@
#include "H5Pprivate.h" /* Property lists */
#include "H5Sprivate.h" /* Dataspaces */
+#include "H5Tpkg.h" /* Datatypes */
static void *H5O_fill_old_decode(H5F_t *f, H5O_t *open_oh, unsigned mesg_flags,
unsigned *ioflags, size_t p_size, const uint8_t *p);
@@ -307,11 +309,13 @@ done:
*-------------------------------------------------------------------------
*/
static void *
-H5O_fill_old_decode(H5F_t H5_ATTR_UNUSED *f, H5O_t H5_ATTR_UNUSED *open_oh,
+H5O_fill_old_decode(H5F_t *f, H5O_t *open_oh,
unsigned H5_ATTR_UNUSED mesg_flags, unsigned H5_ATTR_UNUSED *ioflags,
size_t H5_ATTR_UNUSED p_size, const uint8_t *p)
{
H5O_fill_t *fill = NULL; /* Decoded fill value message */
+ htri_t exists = FALSE;
+ H5T_t *dt = NULL;
void *ret_value = NULL; /* Return value */
FUNC_ENTER_NOAPI_NOINIT
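Review bot: `p_size` is still marked `H5_ATTR_UNUSED` in this signature, yet the body copies `fill->size` bytes out of `p` (the `HDmemcpy` in the next hunk), and the new datatype comparison only runs when a datatype message exists. When there is none, a size read from the file is still trusted for the read from the message buffer. Dropping the attribute and rejecting a `fill->size` larger than the bytes remaining in the buffer, before the allocation, would bound the copy in every case. The function body continues outside this hunk.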
@@ -332,6 +336,19 @@ H5O_fill_old_decode(H5F_t H5_ATTR_UNUSED *f, H5O_t H5_ATTR_UNUSED *open_oh,
/* Only decode the fill value itself if there is one */
if(fill->size > 0) {
+ H5_CHECK_OVERFLOW(fill->size, ssize_t, size_t);
+
+ /* Get the datatype message */
+ if((exists = H5O_msg_exists_oh(open_oh, H5O_DTYPE_ID)) < 0)
+ HGOTO_ERROR(H5E_SYM, H5E_NOTFOUND, NULL, "unable to read object header")
+ if(exists) {
+ if((dt = H5O_msg_read_oh(f, open_oh, H5O_DTYPE_ID, NULL)) < 0)
+ HGOTO_ERROR(H5E_SYM, H5E_CANTGET, NULL, "can't read DTYPE message")
+ /* Verify size */
+ if(fill->size != dt->shared->size)
+ HGOTO_ERROR(H5E_SYM, H5E_CANTGET, NULL, "inconsistent fill value size")
+ }
+
if(NULL == (fill->buf = H5MM_malloc((size_t)fill->size)))
HGOTO_ERROR(H5E_RESOURCE, H5E_NOSPACE, NULL, "memory allocation failed for fill value")
HDmemcpy(fill->buf, p, (size_t)fill->size);
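Review bot: The failure test on the datatype read compares a pointer with zero, `(dt = H5O_msg_read_oh(...)) < 0`, which never fires if the call reports failure by returning NULL; the next statement then dereferences `dt->shared`. It should be `if(NULL == (dt = (H5T_t *)H5O_msg_read_oh(f, open_oh, H5O_DTYPE_ID, NULL)))`. `open_oh` is also passed to `H5O_msg_exists_oh` without a NULL test, although it was previously unused here and other decode callers in this commit pass NULL for that argument, so a guard such as `if(open_oh)` around the lookup looks necessary. The size comparison mixes the signed `fill->size` with an unsigned datatype size; an explicit cast after the `> 0` test would make the intent clear.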
@@ -344,6 +361,9 @@ H5O_fill_old_decode(H5F_t H5_ATTR_UNUSED *f, H5O_t H5_ATTR_UNUSED *open_oh,
ret_value = (void*)fill;
done:
+ if(dt)
+ H5O_msg_free(H5O_DTYPE_ID, dt);
+
if(!ret_value && fill) {
if(fill->buf)
H5MM_xfree(fill->buf);
diff --git a/src/H5Olayout.c b/src/H5Olayout.c
index afaddfa..c880435 100644
--- a/src/H5Olayout.c
+++ b/src/H5Olayout.c
@@ -125,8 +125,8 @@ H5O__layout_decode(H5F_t *f, H5O_t H5_ATTR_UNUSED *open_oh,
/* Dimensionality */
ndims = *p++;
- if(ndims > H5O_LAYOUT_NDIMS)
- HGOTO_ERROR(H5E_OHDR, H5E_CANTLOAD, NULL, "dimensionality is too large")
+ if(!ndims || ndims > H5O_LAYOUT_NDIMS)
+ HGOTO_ERROR(H5E_OHDR, H5E_CANTLOAD, NULL, "dimensionality is out of range")
/* Layout class */
mesg->type = (H5D_layout_t)*p++;
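Review bot: The layout class on the line after the new range check is taken straight from a file byte and cast to `H5D_layout_t`, with no validation visible in this hunk. If the only check further down is an `HDassert`, it disappears in release builds just as the refcount assert did before this commit, so an explicit test that fails with `HGOTO_ERROR` on an unrecognised class would match the hardening done for `ndims`. The rest of `H5O__layout_decode` is outside the hunk, so this may already be covered there.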
diff --git a/src/H5Sselect.c b/src/H5Sselect.c
index 873f555..d452a5d 100644
--- a/src/H5Sselect.c
+++ b/src/H5Sselect.c
@@ -160,7 +160,7 @@ H5S_select_release(H5S_t *ds)
HDassert(ds);
/* Call the selection type's release function */
- if((ret_value = (*ds->select.type->release)(ds)) < 0)
+ if((ds->select.type) && ((ret_value = (*ds->select.type->release)(ds)) < 0))
HGOTO_ERROR(H5E_DATASPACE, H5E_CANTRELEASE, FAIL, "unable to release selection")
done:
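Review bot: The new `ds->select.type` guard silently skips the release and leaves `ret_value` at its initial value, but nothing explains when a dataspace can legitimately reach here with no selection type. Presumably this is a partially decoded dataspace being torn down on an error path; a comment such as `/* select.type may be NULL if decoding failed before a selection was set */` would record that. It would also help to state whether selection data can exist while `type` is NULL, because in that case skipping the release would leak it. The function starts and ends outside this hunk.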