diff options
| -rw-r--r-- | release_docs/RELEASE.txt | 13 | ||||
| -rw-r--r-- | src/H5Olink.c | 2 |
2 files changed, 15 insertions, 0 deletions
diff --git a/release_docs/RELEASE.txt b/release_docs/RELEASE.txt index a8e9011..8e4a3c2 100644 --- a/release_docs/RELEASE.txt +++ b/release_docs/RELEASE.txt @@ -172,6 +172,19 @@ Bug Fixes since HDF5-1.13.3 release =================================== Library ------- + - Fix CVE-2018-16438 / GHSA-9xmm-cpf8-rgmx + + Make sure info block for external links has at least 3 bytes. + + According to the specification, the information block for external links + contains 1 byte of version/flag information and two 0 terminated strings + for the object linked to and the full path. + Although not very useful, the minimum string length for each (with + terminating 0) would be one byte. + Checking this helps to avoid SEGVs triggered by bogus files. + + (EFE - 2022/10/09 GH-2233) + - Fix CVE-2018-13867 / GHSA-j8jr-chrh-qfrf Validate location (offset) of the accumulated metadata when comparing. diff --git a/src/H5Olink.c b/src/H5Olink.c index 6146bbb..dabf87e 100644 --- a/src/H5Olink.c +++ b/src/H5Olink.c @@ -239,6 +239,8 @@ H5O__link_decode(H5F_t *f, H5O_t H5_ATTR_UNUSED *open_oh, unsigned H5_ATTR_UNUSE /* A UD link. Get the user-supplied data */ UINT16DECODE(p, len) + if (lnk->type == H5L_TYPE_EXTERNAL && len < 3) + HGOTO_ERROR(H5E_OHDR, H5E_OVERFLOW, NULL, "external link information length < 3") lnk->u.ud.size = len; if (len > 0) { /* Make sure that length doesn't exceed buffer size, which could |