diff options
-rw-r--r-- | release_docs/RELEASE.txt | 10 | ||||
-rw-r--r-- | src/H5Opline.c | 17 | ||||
-rw-r--r-- | src/H5private.h | 3 |
3 files changed, 28 insertions, 2 deletions
diff --git a/release_docs/RELEASE.txt b/release_docs/RELEASE.txt index c938ce0..61a2d40 100644 --- a/release_docs/RELEASE.txt +++ b/release_docs/RELEASE.txt @@ -223,6 +223,16 @@ Bug Fixes since HDF5-1.12.1 release =================================== Library ------- + - Fix for CVE-2019-8396 + + Malformed HDF5 files may have truncated content which does not match + the expected size. When H5O__pline_decode() attempts to decode these it + may read past the end of the allocated space leading to heap overflows + as bounds checking is incomplete. + + The fix ensures each element is within bounds before reading. + + (2023/04/13 - HDFFV-10712, CVE-2019-8396, GitHub #2209) - Memory leak diff --git a/src/H5Opline.c b/src/H5Opline.c index 1ef18ee..2babcc0 100644 --- a/src/H5Opline.c +++ b/src/H5Opline.c @@ -109,6 +109,7 @@ H5FL_DEFINE(H5O_pline_t); * *------------------------------------------------------------------------- */ + static void * H5O__pline_decode(H5F_t H5_ATTR_UNUSED *f, H5O_t H5_ATTR_UNUSED *open_oh, unsigned H5_ATTR_UNUSED mesg_flags, unsigned H5_ATTR_UNUSED *ioflags, size_t p_size, const uint8_t *p) @@ -130,6 +131,9 @@ H5O__pline_decode(H5F_t H5_ATTR_UNUSED *f, H5O_t H5_ATTR_UNUSED *open_oh, unsign HGOTO_ERROR(H5E_RESOURCE, H5E_NOSPACE, NULL, "memory allocation failed") /* Version */ + if (p + 4 - 1 > p_end) /* 4 byte is minimum for all versions */ + HGOTO_ERROR(H5E_OHDR, H5E_NOSPACE, NULL, "ran off the end of the buffer: current p = %p, p_end = %p", + p + 4, p_end) pline->version = *p++; if (pline->version < H5O_PLINE_VERSION_1 || pline->version > H5O_PLINE_VERSION_LATEST) HGOTO_ERROR(H5E_PLINE, H5E_CANTLOAD, NULL, "bad version number for filter pipeline message") @@ -158,6 +162,9 @@ H5O__pline_decode(H5F_t H5_ATTR_UNUSED *f, H5O_t H5_ATTR_UNUSED *open_oh, unsign /* Decode filters */ for (i = 0, filter = &pline->filter[0]; i < pline->nused; i++, filter++) { /* Filter ID */ + if (p + 6 - 1 > p_end) /* 6 bytes minimum */ + HGOTO_ERROR(H5E_OHDR, H5E_NOSPACE, NULL, + "ran off the end of the buffer: current p = %p, p_end = %p", p + 6, p_end) UINT16DECODE(p, filter->id); /* Length of filter name */ @@ -167,6 +174,9 @@ H5O__pline_decode(H5F_t H5_ATTR_UNUSED *f, H5O_t H5_ATTR_UNUSED *open_oh, unsign UINT16DECODE(p, name_length); if (pline->version == H5O_PLINE_VERSION_1 && name_length % 8) HGOTO_ERROR(H5E_PLINE, H5E_CANTLOAD, NULL, "filter name length is not a multiple of eight") + if (p + 4 - 1 > p_end) /* with name_length 4 bytes to go */ + HGOTO_ERROR(H5E_OHDR, H5E_NOSPACE, NULL, + "ran off the end of the buffer: current p = %p, p_end = %p", p + 4, p_end) } /* end if */ /* Filter flags */ @@ -178,9 +188,12 @@ H5O__pline_decode(H5F_t H5_ATTR_UNUSED *f, H5O_t H5_ATTR_UNUSED *open_oh, unsign /* Filter name, if there is one */ if (name_length) { size_t actual_name_length; /* Actual length of name */ - + size_t len = (size_t)(p_end - p + 1); /* Determine actual name length (without padding, but with null terminator) */ - actual_name_length = HDstrlen((const char *)p) + 1; + actual_name_length = HDstrnlen((const char *)p, len); + if (actual_name_length == len) + HGOTO_ERROR(H5E_OHDR, H5E_NOSPACE, NULL, "filter name not null terminated") + actual_name_length += 1; /* include \0 byte */ HDassert(actual_name_length <= name_length); /* Allocate space for the filter name, or use the internal buffer */ diff --git a/src/H5private.h b/src/H5private.h index 3929ac3..a82796e 100644 --- a/src/H5private.h +++ b/src/H5private.h @@ -1469,6 +1469,9 @@ H5_DLL H5_ATTR_CONST int Nflock(int fd, int operation); #ifndef HDstrlen #define HDstrlen(S) strlen(S) #endif +#ifndef HDstrnlen +#define HDstrnlen(S, L) strnlen(S, L) +#endif #ifndef HDstrncat #define HDstrncat(X, Y, Z) strncat(X, Y, Z) #endif |