2 files changed, 28 insertions, 13 deletions
diff --git a/release_docs/RELEASE.txt b/release_docs/RELEASE.txt
index 8e4a3c2..158472c 100644
--- a/release_docs/RELEASE.txt
+++ b/release_docs/RELEASE.txt
@@ -172,19 +172,6 @@ Bug Fixes since HDF5-1.13.3 release
 ===================================
     Library
     -------
-    -  Fix CVE-2018-16438 / GHSA-9xmm-cpf8-rgmx
-
-       Make sure info block for external links has at least 3 bytes.
-    
-       According to the specification, the information block for external links
-       contains 1 byte of version/flag information and two 0 terminated strings
-       for the object linked to and the full path.
-       Although not very useful, the minimum string length for each (with
-       terminating 0) would be one byte.
-       Checking this helps to avoid SEGVs triggered by bogus files.
-
-       (EFE - 2022/10/09 GH-2233)
-
     - Fix CVE-2018-13867 / GHSA-j8jr-chrh-qfrf
  
       Validate location (offset) of the accumulated metadata when comparing.
@@ -199,6 +186,19 @@ Bug Fixes since HDF5-1.13.3 release
       member in the same structure is true the location is valid.
 
       (EFE - 2022/10/10 GH-2230)
+      
+    - Fix CVE-2018-16438 / GHSA-9xmm-cpf8-rgmx
+
+      Make sure info block for external links has at least 3 bytes.
+    
+      According to the specification, the information block for external links
+      contains 1 byte of version/flag information and two 0 terminated strings
+      for the object linked to and the full path.
+      Although not very useful, the minimum string length for each (with
+      terminating 0) would be one byte.
+      Checking this helps to avoid SEGVs triggered by bogus files.
+
+      (EFE - 2022/10/09 GH-2233)
 
     - Fix CVE-2021-45830 / GHSA-5h2h-fjjr-x9m2
 
@@ -213,6 +213,19 @@ Bug Fixes since HDF5-1.13.3 release
 
       (EFE - 2022/10/05 GH-2228)
 
+    - Fix CVE-2018-14031 / GHSA-2xc7-724c-r36j
+
+      Parent of enum datatype message must have the same size as the
+      enum datatype message itself.
+      Functions accessing the enumeration values use the size of the
+      enumeration datatype to determine the size of each element and
+      how much data to copy.
+      Thus the size of the enumeration and its parent need to match.
+      Check in H5O_dtype_decode_helper()  to avoid unpleasant surprises
+      later.
+
+      (EFE - 2022/09/28 GH-2236)
+
     - Fix CVE-2018-17439 / GHSA-vcxv-vp43-rch7
 
       H5IMget_image_info(): Make sure to not exceed local array size
diff --git a/src/H5Odtype.c b/src/H5Odtype.c
index 831344b..870aeac 100644
--- a/src/H5Odtype.c
+++ b/src/H5Odtype.c
@@ -470,6 +470,8 @@ H5O__dtype_decode_helper(unsigned *ioflags /*in,out*/, const uint8_t **pp, H5T_t
                 HGOTO_ERROR(H5E_RESOURCE, H5E_NOSPACE, FAIL, "memory allocation failed")
             if (H5O__dtype_decode_helper(ioflags, pp, dt->shared->parent) < 0)
                 HGOTO_ERROR(H5E_DATATYPE, H5E_CANTDECODE, FAIL, "unable to decode parent datatype")
+            if (dt->shared->parent->shared->size != dt->shared->size)
+                HGOTO_ERROR(H5E_DATATYPE, H5E_BADSIZE, FAIL, "ENUM datatype size does not match parent")
 
             /* Check if the parent of this enum has a version greater than the
              * enum itself. */