diff options
author | Vailin Choi <vchoi@jam.ad.hdfgroup.org> | 2018-07-11 03:00:14 (GMT) |
---|---|---|
committer | Vailin Choi <vchoi@jam.ad.hdfgroup.org> | 2018-07-11 03:00:14 (GMT) |
commit | cf38292064a0c3ffc6971de31573bbd1dab25b80 (patch) | |
tree | 3de4fb27cbdf847cf18462c866b2902a61930275 /src | |
parent | 832aced6c17f40ae19eab2e8e8ca47e1fb304688 (diff) | |
download | hdf5-cf38292064a0c3ffc6971de31573bbd1dab25b80.zip hdf5-cf38292064a0c3ffc6971de31573bbd1dab25b80.tar.gz hdf5-cf38292064a0c3ffc6971de31573bbd1dab25b80.tar.bz2 |
Fix for HDFFV-10333:
1) Check for valid object header version for a refcount messge
2) Check for invalid fill value size
3) Check for invalid dimension size in a layout message
4) Add --enable-error-stack option to h5stat
5) Add error checks to h5stat.c
6) Add tests to h5stat and h5dump
Diffstat (limited to 'src')
-rw-r--r-- | src/H5Ocache.c | 28 | ||||
-rw-r--r-- | src/H5Ofill.c | 22 | ||||
-rw-r--r-- | src/H5Olayout.c | 4 | ||||
-rw-r--r-- | src/H5Sselect.c | 2 |
4 files changed, 41 insertions, 15 deletions
diff --git a/src/H5Ocache.c b/src/H5Ocache.c index 3607839..d65942b 100644 --- a/src/H5Ocache.c +++ b/src/H5Ocache.c @@ -1430,9 +1430,10 @@ H5O__chunk_deserialize(H5O_t *oh, haddr_t addr, size_t len, const uint8_t *image /* Check for combining two adjacent 'null' messages */ if((udata->file_intent & H5F_ACC_RDWR) && - H5O_NULL_ID == id && oh->nmesgs > 0 && - H5O_NULL_ID == oh->mesg[oh->nmesgs - 1].type->id && - oh->mesg[oh->nmesgs - 1].chunkno == chunkno) { + H5O_NULL_ID == id && oh->nmesgs > 0 && + H5O_NULL_ID == oh->mesg[oh->nmesgs - 1].type->id && + oh->mesg[oh->nmesgs - 1].chunkno == chunkno) { + size_t mesgno; /* Current message to operate on */ /* Combine adjacent null messages */ @@ -1467,13 +1468,13 @@ H5O__chunk_deserialize(H5O_t *oh, haddr_t addr, size_t len, const uint8_t *image /* Point unknown messages at 'unknown' message class */ /* (Usually from future versions of the library) */ - if(id >= H5O_UNKNOWN_ID || + if(id >= H5O_UNKNOWN_ID || #ifdef H5O_ENABLE_BOGUS - id == H5O_BOGUS_VALID_ID || + id == H5O_BOGUS_VALID_ID || #endif - NULL == H5O_msg_class_g[id]) { + NULL == H5O_msg_class_g[id]) { - H5O_unknown_t *unknown; /* Pointer to "unknown" message info */ + H5O_unknown_t *unknown; /* Pointer to "unknown" message info */ /* Allocate "unknown" message info */ if(NULL == (unknown = H5FL_MALLOC(H5O_unknown_t))) @@ -1490,9 +1491,9 @@ H5O__chunk_deserialize(H5O_t *oh, haddr_t addr, size_t len, const uint8_t *image /* Check for "fail if unknown" message flags */ if(((udata->file_intent & H5F_ACC_RDWR) && - (flags & H5O_MSG_FLAG_FAIL_IF_UNKNOWN_AND_OPEN_FOR_WRITE)) - || (flags & H5O_MSG_FLAG_FAIL_IF_UNKNOWN_ALWAYS)) - HGOTO_ERROR(H5E_OHDR, H5E_BADMESG, FAIL, "unknown message with 'fail if unknown' flag found") + (flags & H5O_MSG_FLAG_FAIL_IF_UNKNOWN_AND_OPEN_FOR_WRITE)) + || (flags & H5O_MSG_FLAG_FAIL_IF_UNKNOWN_ALWAYS)) + HGOTO_ERROR(H5E_OHDR, H5E_BADMESG, FAIL, "unknown message with 'fail if unknown' flag found") /* Check for "mark if unknown" message flag, etc. */ else if((flags & H5O_MSG_FLAG_MARK_IF_UNKNOWN) && !(flags & H5O_MSG_FLAG_WAS_UNKNOWN) && @@ -1543,7 +1544,8 @@ H5O__chunk_deserialize(H5O_t *oh, haddr_t addr, size_t len, const uint8_t *image H5O_refcount_t *refcount; /* Decode ref. count message */ - HDassert(oh->version > H5O_VERSION_1); + if(oh->version <= H5O_VERSION_1) + HGOTO_ERROR(H5E_OHDR, H5E_VERSION, FAIL, "object header version does not support reference count message") refcount = (H5O_refcount_t *)(H5O_MSG_REFCOUNT->decode)(udata->f, NULL, 0, &ioflags, mesg->raw_size, mesg->raw); /* Save 'native' form of ref. count message */ @@ -1614,6 +1616,10 @@ H5O__chunk_deserialize(H5O_t *oh, haddr_t addr, size_t len, const uint8_t *image } /* end if */ done: + if(ret_value < 0 && udata->cont_msg_info->msgs) { + udata->cont_msg_info->msgs = (H5O_chunk_t *)H5FL_SEQ_FREE(H5O_cont_t, udata->cont_msg_info->msgs); + udata->cont_msg_info->alloc_nmsgs = 0; + } FUNC_LEAVE_NOAPI(ret_value) } /* H5O__chunk_deserialize() */ diff --git a/src/H5Ofill.c b/src/H5Ofill.c index 932241f..3ce2e4f 100644 --- a/src/H5Ofill.c +++ b/src/H5Ofill.c @@ -19,6 +19,7 @@ */ #include "H5Omodule.h" /* This source code file is part of the H5O module */ +#define H5T_FRIEND /*prevent warning from including H5Tpkg */ #include "H5private.h" /* Generic Functions */ @@ -31,6 +32,7 @@ #include "H5Pprivate.h" /* Property lists */ #include "H5Sprivate.h" /* Dataspaces */ +#include "H5Tpkg.h" /* Datatypes */ static void *H5O_fill_old_decode(H5F_t *f, H5O_t *open_oh, unsigned mesg_flags, unsigned *ioflags, size_t p_size, const uint8_t *p); @@ -307,11 +309,13 @@ done: *------------------------------------------------------------------------- */ static void * -H5O_fill_old_decode(H5F_t H5_ATTR_UNUSED *f, H5O_t H5_ATTR_UNUSED *open_oh, +H5O_fill_old_decode(H5F_t *f, H5O_t *open_oh, unsigned H5_ATTR_UNUSED mesg_flags, unsigned H5_ATTR_UNUSED *ioflags, size_t H5_ATTR_UNUSED p_size, const uint8_t *p) { H5O_fill_t *fill = NULL; /* Decoded fill value message */ + htri_t exists = FALSE; + H5T_t *dt = NULL; void *ret_value = NULL; /* Return value */ FUNC_ENTER_NOAPI_NOINIT @@ -332,6 +336,19 @@ H5O_fill_old_decode(H5F_t H5_ATTR_UNUSED *f, H5O_t H5_ATTR_UNUSED *open_oh, /* Only decode the fill value itself if there is one */ if(fill->size > 0) { + H5_CHECK_OVERFLOW(fill->size, ssize_t, size_t); + + /* Get the datatype message */ + if((exists = H5O_msg_exists_oh(open_oh, H5O_DTYPE_ID)) < 0) + HGOTO_ERROR(H5E_SYM, H5E_NOTFOUND, NULL, "unable to read object header") + if(exists) { + if((dt = H5O_msg_read_oh(f, open_oh, H5O_DTYPE_ID, NULL)) < 0) + HGOTO_ERROR(H5E_SYM, H5E_CANTGET, NULL, "can't read DTYPE message") + /* Verify size */ + if(fill->size != dt->shared->size) + HGOTO_ERROR(H5E_SYM, H5E_CANTGET, NULL, "inconsistent fill value size") + } + if(NULL == (fill->buf = H5MM_malloc((size_t)fill->size))) HGOTO_ERROR(H5E_RESOURCE, H5E_NOSPACE, NULL, "memory allocation failed for fill value") HDmemcpy(fill->buf, p, (size_t)fill->size); @@ -344,6 +361,9 @@ H5O_fill_old_decode(H5F_t H5_ATTR_UNUSED *f, H5O_t H5_ATTR_UNUSED *open_oh, ret_value = (void*)fill; done: + if(dt) + H5O_msg_free(H5O_DTYPE_ID, dt); + if(!ret_value && fill) { if(fill->buf) H5MM_xfree(fill->buf); diff --git a/src/H5Olayout.c b/src/H5Olayout.c index d8f05f0..5f16837 100644 --- a/src/H5Olayout.c +++ b/src/H5Olayout.c @@ -125,8 +125,8 @@ H5O__layout_decode(H5F_t *f, H5O_t H5_ATTR_UNUSED *open_oh, /* Dimensionality */ ndims = *p++; - if(ndims > H5O_LAYOUT_NDIMS) - HGOTO_ERROR(H5E_OHDR, H5E_CANTLOAD, NULL, "dimensionality is too large") + if(!ndims || ndims > H5O_LAYOUT_NDIMS) + HGOTO_ERROR(H5E_OHDR, H5E_CANTLOAD, NULL, "dimensionality is out of range") /* Layout class */ mesg->type = (H5D_layout_t)*p++; diff --git a/src/H5Sselect.c b/src/H5Sselect.c index 4462295..8cd73d9 100644 --- a/src/H5Sselect.c +++ b/src/H5Sselect.c @@ -160,7 +160,7 @@ H5S_select_release(H5S_t *ds) HDassert(ds); /* Call the selection type's release function */ - if((ret_value = (*ds->select.type->release)(ds)) < 0) + if((ds->select.type) && ((ret_value = (*ds->select.type->release)(ds)) < 0)) HGOTO_ERROR(H5E_DATASPACE, H5E_CANTRELEASE, FAIL, "unable to release selection") done: |