diff options
author | Binh-Minh Ribler <bmribler@hdfgroup.org> | 2019-01-24 23:07:57 (GMT) |
---|---|---|
committer | Binh-Minh Ribler <bmribler@hdfgroup.org> | 2019-01-24 23:07:57 (GMT) |
commit | 2fe69e7639198b174da393e47a029d0ac35b31c8 (patch) | |
tree | 0aa49b2d5f2161651a36e4eb0050ce79ca548681 /tools | |
parent | f0e2fc6c62943887944e9a1e5ca732d5f6a71b6e (diff) | |
parent | 25cd1ab02b9ddaf58a4f5422f4ab4fde411e050a (diff) | |
download | hdf5-2fe69e7639198b174da393e47a029d0ac35b31c8.zip hdf5-2fe69e7639198b174da393e47a029d0ac35b31c8.tar.gz hdf5-2fe69e7639198b174da393e47a029d0ac35b31c8.tar.bz2 |
Merge pull request #1479 in HDFFV/hdf5 from ~BMRIBLER/hdf5_bmr_fixbug:develop to develop
HDFFV-10586 and HDFFV-10588
* commit '25cd1ab02b9ddaf58a4f5422f4ab4fde411e050a':
Added test for HDFFV-10588
Fixed HDFFV-10684
Fixed HDFFV-10586 and HDFFV-10588 Description: HDFFV-10586 CVE-2018-17434 Divide by zero inh5repack_filters Added a check for zero value HDFFV-10588 CVE-2018-17437 Memory leak in H5O_dtype_decode_helper This is actually an Invalid read issue. It was found that the attribute name length in an attribute message was corrupted, which caused the buffer pointer to be advanced too far and later caused an invalid read. Added a check to detect attribute name and its length mismatch. The fix is not perfect, but it'll reduce the chance of this issue when a name length is corrupted or the attribute name is corrupted. Platforms tested: Linux/64 (jelly) Linux/64 (platypus) Darwin (osx1010test)
Diffstat (limited to 'tools')
-rw-r--r-- | tools/src/h5repack/h5repack_filters.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/tools/src/h5repack/h5repack_filters.c b/tools/src/h5repack/h5repack_filters.c index 0092abc..123263c 100644 --- a/tools/src/h5repack/h5repack_filters.c +++ b/tools/src/h5repack/h5repack_filters.c @@ -338,12 +338,13 @@ int apply_filters(const char* name, /* object name from traverse list */ sm_nbytes = msize; for (i = rank; i > 0; --i) { + if(sm_nbytes == 0) + HGOTO_ERROR(FAIL, H5E_tools_min_id_g, "number of bytes per stripmine must be > 0"); hsize_t size = H5TOOLS_BUFSIZE / sm_nbytes; if (size == 0) /* datum size > H5TOOLS_BUFSIZE */ size = 1; sm_size[i - 1] = MIN(dims[i - 1], size); sm_nbytes *= sm_size[i - 1]; - HDassert(sm_nbytes > 0); } for (i = 0; i < rank; i++) { |