summaryrefslogtreecommitdiffstats
path: root/src
diff options
context:
space:
mode:
authorVailin Choi <vchoi@jam.ad.hdfgroup.org>2018-07-11 03:00:14 (GMT)
committerVailin Choi <vchoi@jam.ad.hdfgroup.org>2018-07-11 03:00:14 (GMT)
commitcf38292064a0c3ffc6971de31573bbd1dab25b80 (patch)
tree3de4fb27cbdf847cf18462c866b2902a61930275 /src
parent832aced6c17f40ae19eab2e8e8ca47e1fb304688 (diff)
downloadhdf5-cf38292064a0c3ffc6971de31573bbd1dab25b80.zip
hdf5-cf38292064a0c3ffc6971de31573bbd1dab25b80.tar.gz
hdf5-cf38292064a0c3ffc6971de31573bbd1dab25b80.tar.bz2
Fix for HDFFV-10333:
1) Check for valid object header version for a refcount messge 2) Check for invalid fill value size 3) Check for invalid dimension size in a layout message 4) Add --enable-error-stack option to h5stat 5) Add error checks to h5stat.c 6) Add tests to h5stat and h5dump
Diffstat (limited to 'src')
-rw-r--r--src/H5Ocache.c28
-rw-r--r--src/H5Ofill.c22
-rw-r--r--src/H5Olayout.c4
-rw-r--r--src/H5Sselect.c2
4 files changed, 41 insertions, 15 deletions
diff --git a/src/H5Ocache.c b/src/H5Ocache.c
index 3607839..d65942b 100644
--- a/src/H5Ocache.c
+++ b/src/H5Ocache.c
@@ -1430,9 +1430,10 @@ H5O__chunk_deserialize(H5O_t *oh, haddr_t addr, size_t len, const uint8_t *image
/* Check for combining two adjacent 'null' messages */
if((udata->file_intent & H5F_ACC_RDWR) &&
- H5O_NULL_ID == id && oh->nmesgs > 0 &&
- H5O_NULL_ID == oh->mesg[oh->nmesgs - 1].type->id &&
- oh->mesg[oh->nmesgs - 1].chunkno == chunkno) {
+ H5O_NULL_ID == id && oh->nmesgs > 0 &&
+ H5O_NULL_ID == oh->mesg[oh->nmesgs - 1].type->id &&
+ oh->mesg[oh->nmesgs - 1].chunkno == chunkno) {
+
size_t mesgno; /* Current message to operate on */
/* Combine adjacent null messages */
@@ -1467,13 +1468,13 @@ H5O__chunk_deserialize(H5O_t *oh, haddr_t addr, size_t len, const uint8_t *image
/* Point unknown messages at 'unknown' message class */
/* (Usually from future versions of the library) */
- if(id >= H5O_UNKNOWN_ID ||
+ if(id >= H5O_UNKNOWN_ID ||
#ifdef H5O_ENABLE_BOGUS
- id == H5O_BOGUS_VALID_ID ||
+ id == H5O_BOGUS_VALID_ID ||
#endif
- NULL == H5O_msg_class_g[id]) {
+ NULL == H5O_msg_class_g[id]) {
- H5O_unknown_t *unknown; /* Pointer to "unknown" message info */
+ H5O_unknown_t *unknown; /* Pointer to "unknown" message info */
/* Allocate "unknown" message info */
if(NULL == (unknown = H5FL_MALLOC(H5O_unknown_t)))
@@ -1490,9 +1491,9 @@ H5O__chunk_deserialize(H5O_t *oh, haddr_t addr, size_t len, const uint8_t *image
/* Check for "fail if unknown" message flags */
if(((udata->file_intent & H5F_ACC_RDWR) &&
- (flags & H5O_MSG_FLAG_FAIL_IF_UNKNOWN_AND_OPEN_FOR_WRITE))
- || (flags & H5O_MSG_FLAG_FAIL_IF_UNKNOWN_ALWAYS))
- HGOTO_ERROR(H5E_OHDR, H5E_BADMESG, FAIL, "unknown message with 'fail if unknown' flag found")
+ (flags & H5O_MSG_FLAG_FAIL_IF_UNKNOWN_AND_OPEN_FOR_WRITE))
+ || (flags & H5O_MSG_FLAG_FAIL_IF_UNKNOWN_ALWAYS))
+ HGOTO_ERROR(H5E_OHDR, H5E_BADMESG, FAIL, "unknown message with 'fail if unknown' flag found")
/* Check for "mark if unknown" message flag, etc. */
else if((flags & H5O_MSG_FLAG_MARK_IF_UNKNOWN) &&
!(flags & H5O_MSG_FLAG_WAS_UNKNOWN) &&
@@ -1543,7 +1544,8 @@ H5O__chunk_deserialize(H5O_t *oh, haddr_t addr, size_t len, const uint8_t *image
H5O_refcount_t *refcount;
/* Decode ref. count message */
- HDassert(oh->version > H5O_VERSION_1);
+ if(oh->version <= H5O_VERSION_1)
+ HGOTO_ERROR(H5E_OHDR, H5E_VERSION, FAIL, "object header version does not support reference count message")
refcount = (H5O_refcount_t *)(H5O_MSG_REFCOUNT->decode)(udata->f, NULL, 0, &ioflags, mesg->raw_size, mesg->raw);
/* Save 'native' form of ref. count message */
@@ -1614,6 +1616,10 @@ H5O__chunk_deserialize(H5O_t *oh, haddr_t addr, size_t len, const uint8_t *image
} /* end if */
done:
+ if(ret_value < 0 && udata->cont_msg_info->msgs) {
+ udata->cont_msg_info->msgs = (H5O_chunk_t *)H5FL_SEQ_FREE(H5O_cont_t, udata->cont_msg_info->msgs);
+ udata->cont_msg_info->alloc_nmsgs = 0;
+ }
FUNC_LEAVE_NOAPI(ret_value)
} /* H5O__chunk_deserialize() */
diff --git a/src/H5Ofill.c b/src/H5Ofill.c
index 932241f..3ce2e4f 100644
--- a/src/H5Ofill.c
+++ b/src/H5Ofill.c
@@ -19,6 +19,7 @@
*/
#include "H5Omodule.h" /* This source code file is part of the H5O module */
+#define H5T_FRIEND /*prevent warning from including H5Tpkg */
#include "H5private.h" /* Generic Functions */
@@ -31,6 +32,7 @@
#include "H5Pprivate.h" /* Property lists */
#include "H5Sprivate.h" /* Dataspaces */
+#include "H5Tpkg.h" /* Datatypes */
static void *H5O_fill_old_decode(H5F_t *f, H5O_t *open_oh, unsigned mesg_flags,
unsigned *ioflags, size_t p_size, const uint8_t *p);
@@ -307,11 +309,13 @@ done:
*-------------------------------------------------------------------------
*/
static void *
-H5O_fill_old_decode(H5F_t H5_ATTR_UNUSED *f, H5O_t H5_ATTR_UNUSED *open_oh,
+H5O_fill_old_decode(H5F_t *f, H5O_t *open_oh,
unsigned H5_ATTR_UNUSED mesg_flags, unsigned H5_ATTR_UNUSED *ioflags,
size_t H5_ATTR_UNUSED p_size, const uint8_t *p)
{
H5O_fill_t *fill = NULL; /* Decoded fill value message */
+ htri_t exists = FALSE;
+ H5T_t *dt = NULL;
void *ret_value = NULL; /* Return value */
FUNC_ENTER_NOAPI_NOINIT
@@ -332,6 +336,19 @@ H5O_fill_old_decode(H5F_t H5_ATTR_UNUSED *f, H5O_t H5_ATTR_UNUSED *open_oh,
/* Only decode the fill value itself if there is one */
if(fill->size > 0) {
+ H5_CHECK_OVERFLOW(fill->size, ssize_t, size_t);
+
+ /* Get the datatype message */
+ if((exists = H5O_msg_exists_oh(open_oh, H5O_DTYPE_ID)) < 0)
+ HGOTO_ERROR(H5E_SYM, H5E_NOTFOUND, NULL, "unable to read object header")
+ if(exists) {
+ if((dt = H5O_msg_read_oh(f, open_oh, H5O_DTYPE_ID, NULL)) < 0)
+ HGOTO_ERROR(H5E_SYM, H5E_CANTGET, NULL, "can't read DTYPE message")
+ /* Verify size */
+ if(fill->size != dt->shared->size)
+ HGOTO_ERROR(H5E_SYM, H5E_CANTGET, NULL, "inconsistent fill value size")
+ }
+
if(NULL == (fill->buf = H5MM_malloc((size_t)fill->size)))
HGOTO_ERROR(H5E_RESOURCE, H5E_NOSPACE, NULL, "memory allocation failed for fill value")
HDmemcpy(fill->buf, p, (size_t)fill->size);
@@ -344,6 +361,9 @@ H5O_fill_old_decode(H5F_t H5_ATTR_UNUSED *f, H5O_t H5_ATTR_UNUSED *open_oh,
ret_value = (void*)fill;
done:
+ if(dt)
+ H5O_msg_free(H5O_DTYPE_ID, dt);
+
if(!ret_value && fill) {
if(fill->buf)
H5MM_xfree(fill->buf);
diff --git a/src/H5Olayout.c b/src/H5Olayout.c
index d8f05f0..5f16837 100644
--- a/src/H5Olayout.c
+++ b/src/H5Olayout.c
@@ -125,8 +125,8 @@ H5O__layout_decode(H5F_t *f, H5O_t H5_ATTR_UNUSED *open_oh,
/* Dimensionality */
ndims = *p++;
- if(ndims > H5O_LAYOUT_NDIMS)
- HGOTO_ERROR(H5E_OHDR, H5E_CANTLOAD, NULL, "dimensionality is too large")
+ if(!ndims || ndims > H5O_LAYOUT_NDIMS)
+ HGOTO_ERROR(H5E_OHDR, H5E_CANTLOAD, NULL, "dimensionality is out of range")
/* Layout class */
mesg->type = (H5D_layout_t)*p++;
diff --git a/src/H5Sselect.c b/src/H5Sselect.c
index 4462295..8cd73d9 100644
--- a/src/H5Sselect.c
+++ b/src/H5Sselect.c
@@ -160,7 +160,7 @@ H5S_select_release(H5S_t *ds)
HDassert(ds);
/* Call the selection type's release function */
- if((ret_value = (*ds->select.type->release)(ds)) < 0)
+ if((ds->select.type) && ((ret_value = (*ds->select.type->release)(ds)) < 0))
HGOTO_ERROR(H5E_DATASPACE, H5E_CANTRELEASE, FAIL, "unable to release selection")
done: