summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--release_docs/RELEASE.txt13
-rw-r--r--src/H5Olink.c2
2 files changed, 15 insertions, 0 deletions
diff --git a/release_docs/RELEASE.txt b/release_docs/RELEASE.txt
index a8e9011..8e4a3c2 100644
--- a/release_docs/RELEASE.txt
+++ b/release_docs/RELEASE.txt
@@ -172,6 +172,19 @@ Bug Fixes since HDF5-1.13.3 release
===================================
Library
-------
+ - Fix CVE-2018-16438 / GHSA-9xmm-cpf8-rgmx
+
+ Make sure info block for external links has at least 3 bytes.
+
+ According to the specification, the information block for external links
+ contains 1 byte of version/flag information and two 0 terminated strings
+ for the object linked to and the full path.
+ Although not very useful, the minimum string length for each (with
+ terminating 0) would be one byte.
+ Checking this helps to avoid SEGVs triggered by bogus files.
+
+ (EFE - 2022/10/09 GH-2233)
+
- Fix CVE-2018-13867 / GHSA-j8jr-chrh-qfrf
Validate location (offset) of the accumulated metadata when comparing.
diff --git a/src/H5Olink.c b/src/H5Olink.c
index 6146bbb..dabf87e 100644
--- a/src/H5Olink.c
+++ b/src/H5Olink.c
@@ -239,6 +239,8 @@ H5O__link_decode(H5F_t *f, H5O_t H5_ATTR_UNUSED *open_oh, unsigned H5_ATTR_UNUSE
/* A UD link. Get the user-supplied data */
UINT16DECODE(p, len)
+ if (lnk->type == H5L_TYPE_EXTERNAL && len < 3)
+ HGOTO_ERROR(H5E_OHDR, H5E_OVERFLOW, NULL, "external link information length < 3")
lnk->u.ud.size = len;
if (len > 0) {
/* Make sure that length doesn't exceed buffer size, which could