diff options
| -rw-r--r-- | release_docs/RELEASE.txt | 9 | ||||
| -rw-r--r-- | src/H5HLcache.c | 6 |
2 files changed, 15 insertions, 0 deletions
diff --git a/release_docs/RELEASE.txt b/release_docs/RELEASE.txt index c76a66a..d9c907b 100644 --- a/release_docs/RELEASE.txt +++ b/release_docs/RELEASE.txt @@ -265,6 +265,15 @@ Bug Fixes since HDF5-1.14.0 release =================================== Library ------- + - Fixed CVE-2018-13867 + + A corrupt file containing an invalid local heap datablock address + could trigger an assert failure when the metadata cache attempted + to load the datablock from storage. + + The local heap now verifies that the datablock address is valid + when the local heap header information is parsed. + - Fixed CVE-2018-11202 A malformed file could result in chunk index memory leaks. Under most diff --git a/src/H5HLcache.c b/src/H5HLcache.c index 653590d..377bc0f 100644 --- a/src/H5HLcache.c +++ b/src/H5HLcache.c @@ -194,6 +194,12 @@ H5HL__hdr_deserialize(H5HL_t *heap, const uint8_t *image, size_t len, H5HL_cache HGOTO_ERROR(H5E_HEAP, H5E_OVERFLOW, FAIL, "ran off end of input buffer while decoding"); H5F_addr_decode_len(udata->sizeof_addr, &image, &(heap->dblk_addr)); + /* Check that the datablock address is valid (might not be true + * in a corrupt file) + */ + if (!H5_addr_defined(heap->dblk_addr)) + HGOTO_ERROR(H5E_HEAP, H5E_BADVALUE, FAIL, "bad datablock address"); + done: FUNC_LEAVE_NOAPI(ret_value) } /* end H5HL__hdr_deserialize() */ |