summaryrefslogtreecommitdiffstats
path: root/src/H5HLcache.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/H5HLcache.c')
-rw-r--r--src/H5HLcache.c78
1 files changed, 50 insertions, 28 deletions
diff --git a/src/H5HLcache.c b/src/H5HLcache.c
index d7c7ce8..dcf1249 100644
--- a/src/H5HLcache.c
+++ b/src/H5HLcache.c
@@ -81,7 +81,8 @@ static herr_t H5HL__cache_datablock_notify(H5C_notify_action_t action, void *_th
static herr_t H5HL__cache_datablock_free_icr(void *thing);
/* Header deserialization */
-static herr_t H5HL__hdr_deserialize(H5HL_t *heap, const uint8_t *image, H5HL_cache_prfx_ud_t *udata);
+static herr_t H5HL__hdr_deserialize(H5HL_t *heap, const uint8_t *image, size_t len,
+ H5HL_cache_prfx_ud_t *udata);
/* Free list de/serialization */
static herr_t H5HL__fl_deserialize(H5HL_t *heap);
@@ -148,9 +149,10 @@ const H5AC_class_t H5AC_LHEAP_DBLK[1] = {{
*-------------------------------------------------------------------------
*/
static herr_t
-H5HL__hdr_deserialize(H5HL_t *heap, const uint8_t *image, H5HL_cache_prfx_ud_t *udata)
+H5HL__hdr_deserialize(H5HL_t *heap, const uint8_t *image, size_t len, H5HL_cache_prfx_ud_t *udata)
{
- herr_t ret_value = SUCCEED; /* Return value */
+ const uint8_t *p_end = image + len - 1; /* End of image buffer */
+ herr_t ret_value = SUCCEED;
FUNC_ENTER_STATIC
@@ -159,16 +161,22 @@ H5HL__hdr_deserialize(H5HL_t *heap, const uint8_t *image, H5HL_cache_prfx_ud_t *
HDassert(image);
HDassert(udata);
- /* Check magic number */
+ /* Magic number */
+ if (H5_IS_BUFFER_OVERFLOW(image, H5_SIZEOF_MAGIC, p_end))
+ HGOTO_ERROR(H5E_HEAP, H5E_OVERFLOW, FAIL, "ran off end of input buffer while decoding");
if (HDmemcmp(image, H5HL_MAGIC, (size_t)H5_SIZEOF_MAGIC) != 0)
- HGOTO_ERROR(H5E_HEAP, H5E_BADVALUE, FAIL, "bad local heap signature")
+ HGOTO_ERROR(H5E_HEAP, H5E_BADVALUE, FAIL, "bad local heap signature");
image += H5_SIZEOF_MAGIC;
/* Version */
+ if (H5_IS_BUFFER_OVERFLOW(image, 1, p_end))
+ HGOTO_ERROR(H5E_HEAP, H5E_OVERFLOW, FAIL, "ran off end of input buffer while decoding");
if (H5HL_VERSION != *image++)
- HGOTO_ERROR(H5E_HEAP, H5E_VERSION, FAIL, "wrong version number in local heap")
+ HGOTO_ERROR(H5E_HEAP, H5E_VERSION, FAIL, "wrong version number in local heap");
/* Reserved */
+ if (H5_IS_BUFFER_OVERFLOW(image, 3, p_end))
+ HGOTO_ERROR(H5E_HEAP, H5E_OVERFLOW, FAIL, "ran off end of input buffer while decoding");
image += 3;
/* Store the prefix's address & length */
@@ -176,16 +184,28 @@ H5HL__hdr_deserialize(H5HL_t *heap, const uint8_t *image, H5HL_cache_prfx_ud_t *
heap->prfx_size = udata->sizeof_prfx;
/* Heap data size */
+ if (H5_IS_BUFFER_OVERFLOW(image, udata->sizeof_size, p_end))
+ HGOTO_ERROR(H5E_HEAP, H5E_OVERFLOW, FAIL, "ran off end of input buffer while decoding");
H5F_DECODE_LENGTH_LEN(image, heap->dblk_size, udata->sizeof_size);
/* Free list head */
+ if (H5_IS_BUFFER_OVERFLOW(image, udata->sizeof_size, p_end))
+ HGOTO_ERROR(H5E_HEAP, H5E_OVERFLOW, FAIL, "ran off end of input buffer while decoding");
H5F_DECODE_LENGTH_LEN(image, heap->free_block, udata->sizeof_size);
if (heap->free_block != H5HL_FREE_NULL && heap->free_block >= heap->dblk_size)
- HGOTO_ERROR(H5E_HEAP, H5E_BADVALUE, FAIL, "bad heap free list")
+ HGOTO_ERROR(H5E_HEAP, H5E_BADVALUE, FAIL, "bad heap free list");
/* Heap data address */
+ if (H5_IS_BUFFER_OVERFLOW(image, udata->sizeof_addr, p_end))
+ HGOTO_ERROR(H5E_HEAP, H5E_OVERFLOW, FAIL, "ran off end of input buffer while decoding");
H5F_addr_decode_len(udata->sizeof_addr, &image, &(heap->dblk_addr));
+ /* Check that the datablock address is valid (might not be true
+ * in a corrupt file)
+ */
+ if (!H5F_addr_defined(heap->dblk_addr))
+ HGOTO_ERROR(H5E_HEAP, H5E_BADVALUE, FAIL, "bad datablock address");
+
done:
FUNC_LEAVE_NOAPI(ret_value)
} /* end H5HL__hdr_deserialize() */
@@ -222,11 +242,11 @@ H5HL__fl_deserialize(H5HL_t *heap)
/* Sanity check */
if (free_block >= heap->dblk_size)
- HGOTO_ERROR(H5E_HEAP, H5E_BADRANGE, FAIL, "bad heap free list")
+ HGOTO_ERROR(H5E_HEAP, H5E_BADRANGE, FAIL, "bad heap free list");
/* Allocate & initialize free list node */
if (NULL == (fl = H5FL_MALLOC(H5HL_free_t)))
- HGOTO_ERROR(H5E_HEAP, H5E_CANTALLOC, FAIL, "memory allocation failed")
+ HGOTO_ERROR(H5E_HEAP, H5E_CANTALLOC, FAIL, "memory allocation failed");
fl->offset = (size_t)free_block;
fl->prev = tail;
fl->next = NULL;
@@ -235,12 +255,12 @@ H5HL__fl_deserialize(H5HL_t *heap)
image = heap->dblk_image + free_block;
H5F_DECODE_LENGTH_LEN(image, free_block, heap->sizeof_size);
if (0 == free_block)
- HGOTO_ERROR(H5E_HEAP, H5E_BADVALUE, FAIL, "free block size is zero?")
+ HGOTO_ERROR(H5E_HEAP, H5E_BADVALUE, FAIL, "free block size is zero?");
/* Decode length of this free block */
H5F_DECODE_LENGTH_LEN(image, fl->size, heap->sizeof_size);
if ((fl->offset + fl->size) > heap->dblk_size)
- HGOTO_ERROR(H5E_HEAP, H5E_BADRANGE, FAIL, "bad heap free list")
+ HGOTO_ERROR(H5E_HEAP, H5E_BADRANGE, FAIL, "bad heap free list");
/* Append node onto list */
if (tail)
@@ -344,8 +364,7 @@ H5HL__cache_prefix_get_initial_load_size(void H5_ATTR_UNUSED *_udata, size_t *im
*-------------------------------------------------------------------------
*/
static herr_t
-H5HL__cache_prefix_get_final_load_size(const void *_image, size_t H5_ATTR_NDEBUG_UNUSED image_len,
- void *_udata, size_t *actual_len)
+H5HL__cache_prefix_get_final_load_size(const void *_image, size_t image_len, void *_udata, size_t *actual_len)
{
const uint8_t *image = (const uint8_t *)_image; /* Pointer into raw data buffer */
H5HL_cache_prfx_ud_t *udata = (H5HL_cache_prfx_ud_t *)_udata; /* User data for callback */
@@ -361,8 +380,8 @@ H5HL__cache_prefix_get_final_load_size(const void *_image, size_t H5_ATTR_NDEBUG
HDassert(*actual_len == image_len);
/* Deserialize the heap's header */
- if (H5HL__hdr_deserialize(&heap, (const uint8_t *)image, udata) < 0)
- HGOTO_ERROR(H5E_HEAP, H5E_CANTDECODE, FAIL, "can't decode local heap header")
+ if (H5HL__hdr_deserialize(&heap, (const uint8_t *)image, image_len, udata) < 0)
+ HGOTO_ERROR(H5E_HEAP, H5E_CANTDECODE, FAIL, "can't decode local heap header");
/* Set the final size for the cache image */
*actual_len = heap.prfx_size;
@@ -394,12 +413,12 @@ done:
*-------------------------------------------------------------------------
*/
static void *
-H5HL__cache_prefix_deserialize(const void *_image, size_t H5_ATTR_NDEBUG_UNUSED len, void *_udata,
- hbool_t H5_ATTR_UNUSED *dirty)
+H5HL__cache_prefix_deserialize(const void *_image, size_t len, void *_udata, hbool_t H5_ATTR_UNUSED *dirty)
{
H5HL_t *heap = NULL; /* Local heap */
H5HL_prfx_t *prfx = NULL; /* Heap prefix deserialized */
const uint8_t *image = (const uint8_t *)_image; /* Pointer into decoding buffer */
+ const uint8_t *p_end = image + len - 1; /* End of image buffer */
H5HL_cache_prfx_ud_t *udata = (H5HL_cache_prfx_ud_t *)_udata; /* User data for callback */
void *ret_value = NULL; /* Return value */
@@ -420,8 +439,8 @@ H5HL__cache_prefix_deserialize(const void *_image, size_t H5_ATTR_NDEBUG_UNUSED
HGOTO_ERROR(H5E_HEAP, H5E_CANTALLOC, NULL, "can't allocate local heap structure");
/* Deserialize the heap's header */
- if (H5HL__hdr_deserialize(heap, (const uint8_t *)image, udata) < 0)
- HGOTO_ERROR(H5E_HEAP, H5E_CANTDECODE, NULL, "can't decode local heap header")
+ if (H5HL__hdr_deserialize(heap, (const uint8_t *)image, len, udata) < 0)
+ HGOTO_ERROR(H5E_HEAP, H5E_CANTDECODE, NULL, "can't decode local heap header");
/* Allocate the heap prefix */
if (NULL == (prfx = H5HL__prfx_new(heap)))
@@ -436,7 +455,7 @@ H5HL__cache_prefix_deserialize(const void *_image, size_t H5_ATTR_NDEBUG_UNUSED
/* Allocate space for the heap data image */
if (NULL == (heap->dblk_image = H5FL_BLK_MALLOC(lheap_chunk, heap->dblk_size)))
- HGOTO_ERROR(H5E_HEAP, H5E_CANTALLOC, NULL, "memory allocation failed")
+ HGOTO_ERROR(H5E_HEAP, H5E_CANTALLOC, NULL, "memory allocation failed");
/* Set image to the start of the data block. This is necessary
* because there may be a gap between the used portion of the
@@ -444,11 +463,13 @@ H5HL__cache_prefix_deserialize(const void *_image, size_t H5_ATTR_NDEBUG_UNUSED
image = ((const uint8_t *)_image) + heap->prfx_size;
/* Copy the heap data from the speculative read buffer */
+ if (H5_IS_BUFFER_OVERFLOW(image, heap->dblk_size, p_end))
+ HGOTO_ERROR(H5E_HEAP, H5E_OVERFLOW, NULL, "ran off end of input buffer while decoding");
H5MM_memcpy(heap->dblk_image, image, heap->dblk_size);
/* Build free list */
if (H5HL__fl_deserialize(heap) < 0)
- HGOTO_ERROR(H5E_HEAP, H5E_CANTINIT, NULL, "can't initialize free list")
+ HGOTO_ERROR(H5E_HEAP, H5E_CANTINIT, NULL, "can't initialize free list");
}
else
/* Note that the heap should _NOT_ be a single
@@ -538,7 +559,6 @@ H5HL__cache_prefix_serialize(const H5_ATTR_NDEBUG_UNUSED H5F_t *f, void *_image,
H5HL_prfx_t *prfx = (H5HL_prfx_t *)_thing; /* Pointer to local heap prefix to query */
H5HL_t *heap; /* Pointer to the local heap */
uint8_t *image = (uint8_t *)_image; /* Pointer into image buffer */
- size_t buf_size; /* expected size of the image buffer */
FUNC_ENTER_STATIC_NOERR
@@ -555,11 +575,13 @@ H5HL__cache_prefix_serialize(const H5_ATTR_NDEBUG_UNUSED H5F_t *f, void *_image,
heap = prfx->heap;
HDassert(heap);
+#ifndef NDEBUG
/* Compute the buffer size */
- buf_size = heap->prfx_size;
+ size_t buf_size = heap->prfx_size; /* expected size of the image buffer */
if (heap->single_cache_obj)
buf_size += heap->dblk_size;
HDassert(len == buf_size);
+#endif
/* Update the free block value from the free list */
heap->free_block = heap->freelist ? heap->freelist->offset : H5HL_FREE_NULL;
@@ -647,7 +669,7 @@ H5HL__cache_prefix_free_icr(void *_thing)
/* Destroy local heap prefix */
if (H5HL__prfx_dest(prfx) < 0)
- HGOTO_ERROR(H5E_HEAP, H5E_CANTRELEASE, FAIL, "can't destroy local heap prefix")
+ HGOTO_ERROR(H5E_HEAP, H5E_CANTRELEASE, FAIL, "can't destroy local heap prefix");
done:
FUNC_LEAVE_NOAPI(ret_value)
@@ -865,7 +887,7 @@ H5HL__cache_datablock_notify(H5C_notify_action_t action, void *_thing)
/* Pin the heap's prefix */
if (FAIL == H5AC_pin_protected_entry(dblk->heap->prfx))
- HGOTO_ERROR(H5E_HEAP, H5E_CANTPIN, FAIL, "unable to pin local heap prefix")
+ HGOTO_ERROR(H5E_HEAP, H5E_CANTPIN, FAIL, "unable to pin local heap prefix");
break;
case H5AC_NOTIFY_ACTION_AFTER_FLUSH:
@@ -885,11 +907,11 @@ H5HL__cache_datablock_notify(H5C_notify_action_t action, void *_thing)
/* Unpin the local heap prefix */
if (FAIL == H5AC_unpin_entry(dblk->heap->prfx))
- HGOTO_ERROR(H5E_HEAP, H5E_CANTUNPIN, FAIL, "unable to unpin local heap prefix")
+ HGOTO_ERROR(H5E_HEAP, H5E_CANTUNPIN, FAIL, "unable to unpin local heap prefix");
break;
default:
- HGOTO_ERROR(H5E_ARGS, H5E_BADVALUE, FAIL, "unknown action from metadata cache")
+ HGOTO_ERROR(H5E_ARGS, H5E_BADVALUE, FAIL, "unknown action from metadata cache");
break;
}
@@ -929,7 +951,7 @@ H5HL__cache_datablock_free_icr(void *_thing)
/* Destroy the data block */
if (H5HL__dblk_dest(dblk) < 0)
- HGOTO_ERROR(H5E_HEAP, H5E_CANTFREE, FAIL, "unable to destroy local heap data block")
+ HGOTO_ERROR(H5E_HEAP, H5E_CANTFREE, FAIL, "unable to destroy local heap data block");
done:
FUNC_LEAVE_NOAPI(ret_value)
generated by cgit v0.12 at 2024-08-26 01:25:43 (GMT)