-rw-r--r--.github/workflows/clang-format-fix.yml9
-rw-r--r--release_docs/RELEASE.txt13
-rw-r--r--src/H5Oattr.c7
-rw-r--r--src/H5Ppublic.h11
-rw-r--r--testpar/testpar.h7
-rw-r--r--tools/test/h5dump/CMakeTests.cmake4
-rw-r--r--tools/test/h5dump/testh5dump.sh.in5
-rw-r--r--tools/testfiles/tCVE-2021-37501_attr_decode.h5bin0 -> 48544 bytes
8 files changed, 46 insertions, 10 deletions
diff --git a/.github/workflows/clang-format-fix.yml b/.github/workflows/clang-format-fix.yml
index bb4d685..feaa3d0 100644
--- a/.github/workflows/clang-format-fix.yml
+++ b/.github/workflows/clang-format-fix.yml
@@ -1,3 +1,12 @@
+# NOTE: This action requires write permissions to be set in your GitHub
+# repo/fork for it to be able to commit changes.
+#
+# This is currently enabled via:
+#
+# settings > Actions > General > Workflow permissions
+#
+# which you will need to set to "Read and write permissions"
+#
name: clang-format Commit Changes
on:
workflow_dispatch:
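Review bot: The added header comment tells users to switch the repository-wide default under "settings > Actions > General > Workflow permissions" to "Read and write permissions", which widens the token of every workflow in the repository rather than only this one. A narrower alternative is a workflow-level `permissions:` block granting just `contents: write` on this job, in which case the comment can say the repo default may stay at read-only; whether the workflow already declares such a block cannot be seen from this hunk, as the rest of the file is outside it. If the repo-wide setting is really required, the comment should say why the scoped grant is insufficient.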
diff --git a/release_docs/RELEASE.txt b/release_docs/RELEASE.txt
index e0ecfac..f08a7a3 100644
--- a/release_docs/RELEASE.txt
+++ b/release_docs/RELEASE.txt
@@ -198,6 +198,19 @@ Bug Fixes since HDF5-1.10.9 release
===================================
Library
-------
+ - Fix CVE-2021-37501 / GHSA-rfgw-5vq3-wrjf
+
+ Check for overflow when calculating on-disk attribute data size.
+
+ A bogus hdf5 file may contain dataspace messages with sizes
+ which lead to the on-disk data sizes to exceed what is addressable.
+ When calculating the size, make sure, the multiplication does not
+ overflow.
+ The test case was crafted in a way that the overflow caused the
+ size to be 0.
+
+ (EFE - 2023/02/11 GH-2458)
+
- Fixed an issue with variable length attributes
Previously, if a variable length attribute was held open while its file
diff --git a/src/H5Oattr.c b/src/H5Oattr.c
index d5adb81..1523572 100644
--- a/src/H5Oattr.c
+++ b/src/H5Oattr.c
@@ -221,10 +221,6 @@ H5O_attr_decode(H5F_t *f, H5O_t *open_oh, unsigned H5_ATTR_UNUSED mesg_flags, un
else
p += attr->shared->ds_size;
- /* Get the datatype's size */
- if (0 == (dt_size = H5T_get_size(attr->shared->dt)))
- HGOTO_ERROR(H5E_ATTR, H5E_CANTGET, NULL, "unable to get datatype size")
-
/* Get the datatype & dataspace sizes */
if (0 == (dt_size = H5T_get_size(attr->shared->dt)))
HGOTO_ERROR(H5E_ATTR, H5E_CANTGET, NULL, "unable to get datatype size")
@@ -234,6 +230,9 @@ H5O_attr_decode(H5F_t *f, H5O_t *open_oh, unsigned H5_ATTR_UNUSED mesg_flags, un
/* Compute the size of the data */
H5_CHECKED_ASSIGN(attr->shared->data_size, size_t, ds_size * (hsize_t)dt_size, hsize_t);
+ /* Check if multiplication has overflown */
+ if ((attr->shared->data_size / dt_size) != ds_size)
+ HGOTO_ERROR(H5E_RESOURCE, H5E_OVERFLOW, NULL, "data size exceeds addressable range")
/* Go get the data */
if (attr->shared->data_size) {
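Review bot: The new overflow check divides by `dt_size` after the product has already been stored into `data_size`, so it silently depends on `dt_size` being non-zero; that is guaranteed by the `H5T_get_size` check visible in the previous hunk, but the new comment does not say so, and a later reordering would turn the guard into a division by zero. A precondition form placed before the `H5_CHECKED_ASSIGN` makes the dependency explicit and reads as a bound rather than a repair: `if (ds_size > (hsize_t)(SIZE_MAX / dt_size)) HGOTO_ERROR(H5E_RESOURCE, H5E_OVERFLOW, NULL, "data size exceeds addressable range")`. If the post-check is kept, the comment should record what it covers, e.g. `/* dt_size != 0 was verified above; a product that wrapped in hsize_t (or was narrowed by the size_t assignment) cannot divide back to ds_size */` — the narrowing case presumably matters on 32-bit builds, depending on what H5_CHECKED_ASSIGN does in release builds, which is not visible here. The enclosing H5O_attr_decode body starts and ends outside the hunk.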
diff --git a/src/H5Ppublic.h b/src/H5Ppublic.h
index a99894d..49483b5 100644
--- a/src/H5Ppublic.h
+++ b/src/H5Ppublic.h
@@ -2257,10 +2257,13 @@ H5_DLL herr_t H5Pset_deflate(hid_t plist_id, unsigned level);
* (#H5Z_FILTER_DEFLATE) and the Fletcher32 error detection filter
* (#H5Z_FILTER_FLETCHER32).
*
- * The array \p c_values contains \p cd_nelmts integers which are
- * auxiliary data for the filter. The integer values will be
- * stored in the dataset object header as part of the filter
- * information.
+ * The array \p cd_values contains \p cd_nelmts unsigned integers
+ * which are auxiliary data for the filter. The values are typically
+ * used as parameters to control the filter. In a filter's
+ * \p set_local method (called from \p H5Dcreate), the values are
+ * interpreted and possibly modified before they are used to control
+ * the filter. These, possibly modified values, are then stored in
+ * the dataset object header as auxiliary data for the filter.
*
* The \p flags argument is a bit vector with the following
* fields specifying certain general properties of the filter:
diff --git a/testpar/testpar.h b/testpar/testpar.h
index 6c380a9..58bcab4 100644
--- a/testpar/testpar.h
+++ b/testpar/testpar.h
@@ -30,8 +30,11 @@
* mesg is not an empty string.
*/
#define MESG(mesg) \
- if (VERBOSE_MED && *mesg != '\0') \
- HDprintf("%s\n", mesg)
+ do { \
+ if (VERBOSE_MED && *mesg != '\0') { \
+ HDprintf("%s\n", mesg); \
+ } \
+ } while (0)
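Review bot: The macro parameter is still used unparenthesized in the new body, both in `*mesg != '\0'` and as the HDprintf argument, so an argument that is itself an expression (for example a conditional) would bind differently than the caller expects. While the body is being rewritten, write `if (VERBOSE_MED && *(mesg) != '\0') {` and `HDprintf("%s\n", (mesg));`. The `do { ... } while (0)` wrapper itself is the right fix for the dangling-else and `MESG(x); else` hazards the old two-statement form had.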
/*
* VRFY: Verify if the condition val is true.
diff --git a/tools/test/h5dump/CMakeTests.cmake b/tools/test/h5dump/CMakeTests.cmake
index 8dc815a..509d29a 100644
--- a/tools/test/h5dump/CMakeTests.cmake
+++ b/tools/test/h5dump/CMakeTests.cmake
@@ -327,6 +327,7 @@
${HDF5_TOOLS_DIR}/testfiles/tCVE_2018_11206_fill_old.h5
${HDF5_TOOLS_DIR}/testfiles/tCVE_2018_11206_fill_new.h5
${HDF5_TOOLS_DIR}/testfiles/zerodim.h5
+ ${HDF5_TOOLS_DIR}/testfiles/tCVE-2021-37501_attr_decode.h5
)
set (HDF5_ERROR_REFERENCE_TEST_FILES
${PROJECT_SOURCE_DIR}/errfiles/filter_fail.err
@@ -1145,6 +1146,9 @@
# test to verify HDFFV-10480: out of bounds read in H5O_fill_new[old]_decode
ADD_H5_TEST (tCVE_2018_11206_fill_old 1 tCVE_2018_11206_fill_old.h5)
ADD_H5_TEST (tCVE_2018_11206_fill_new 1 tCVE_2018_11206_fill_new.h5)
+ # test to verify fix for CVE-2021-37501: multiplication overflow in H5O__attr_decode()
+ # https://github.com/ST4RF4LL/Something_Found/blob/main/HDF5_v1.13.0_h5dump_heap_overflow.assets/poc
+ ADD_H5_TEST (tCVE-2021-37501_attr_decode 1 tCVE-2021-37501_attr_decode.h5)
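Review bot: The added comment names the patched function as `H5O__attr_decode()`, but the hunk header of this commit's src/H5Oattr.c change reads `H5O_attr_decode` (single underscore), so the comment points at a name this branch does not appear to use; the same text is repeated in the tools/test/h5dump/testh5dump.sh.in hunk. Either spell the function as it appears in this branch, `# test to verify fix for CVE-2021-37501: multiplication overflow in H5O_attr_decode()`, or note that the name differs between branches so the next reader does not go looking for the wrong symbol.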
##############################################################################
### P L U G I N T E S T S
diff --git a/tools/test/h5dump/testh5dump.sh.in b/tools/test/h5dump/testh5dump.sh.in
index cf1b92d..8d0e03f 100644
--- a/tools/test/h5dump/testh5dump.sh.in
+++ b/tools/test/h5dump/testh5dump.sh.in
@@ -180,6 +180,7 @@ $SRC_H5DUMP_TESTFILES/tvlstr.h5
$SRC_H5DUMP_TESTFILES/tvms.h5
$SRC_H5DUMP_TESTFILES/tCVE_2018_11206_fill_old.h5
$SRC_H5DUMP_TESTFILES/tCVE_2018_11206_fill_new.h5
+$SRC_H5DUMP_TESTFILES/tCVE-2021-37501_attr_decode.h5
"
LIST_OTHER_TEST_FILES="
@@ -1475,6 +1476,10 @@ TOOLTEST3 non_existing.ddl --enable-error-stack tgroup.h5 non_existing.h5
TOOLTEST_FAIL tCVE_2018_11206_fill_old.h5
TOOLTEST_FAIL tCVE_2018_11206_fill_new.h5
+# test to verify fix for CVE-2021-37501: multiplication overflow in H5O__attr_decode()
+# https://github.com/ST4RF4LL/Something_Found/blob/main/HDF5_v1.13.0_h5dump_heap_overflow.assets/poc
+TOOLTEST_FAIL tCVE-2021-37501_attr_decode.h5
+
# Clean up temporary files/directories
CLEAN_TESTFILES_AND_TESTDIR
diff --git a/tools/testfiles/tCVE-2021-37501_attr_decode.h5 b/tools/testfiles/tCVE-2021-37501_attr_decode.h5
new file mode 100644
index 0000000..331b05b
--- /dev/null
+++ b/tools/testfiles/tCVE-2021-37501_attr_decode.h5
Binary files differ