diff options
Diffstat (limited to 'src')
-rw-r--r-- | src/H5Ofill.c | 27 | ||||
-rw-r--r-- | src/H5Olayout.c | 29 |
2 files changed, 36 insertions, 20 deletions
diff --git a/src/H5Ofill.c b/src/H5Ofill.c index 695673f..5068039 100644 --- a/src/H5Ofill.c +++ b/src/H5Ofill.c @@ -196,8 +196,9 @@ H5O__fill_new_decode(H5F_t H5_ATTR_UNUSED *f, H5O_t H5_ATTR_UNUSED *open_oh, unsigned H5_ATTR_UNUSED mesg_flags, unsigned H5_ATTR_UNUSED *ioflags, size_t p_size, const uint8_t *p) { - H5O_fill_t *fill = NULL; - void * ret_value = NULL; /* Return value */ + H5O_fill_t * fill = NULL; + const uint8_t *p_end = p + p_size - 1; /* End of the p buffer */ + void * ret_value = NULL; /* Return value */ FUNC_ENTER_STATIC @@ -228,8 +229,11 @@ H5O__fill_new_decode(H5F_t H5_ATTR_UNUSED *f, H5O_t H5_ATTR_UNUSED *open_oh, INT32DECODE(p, fill->size); if (fill->size > 0) { H5_CHECK_OVERFLOW(fill->size, ssize_t, size_t); - if ((size_t)fill->size > p_size) - HGOTO_ERROR(H5E_RESOURCE, H5E_NOSPACE, NULL, "destination buffer too small") + + /* Ensure that fill size doesn't exceed buffer size, due to possible data corruption */ + if (p + fill->size - 1 > p_end) + HGOTO_ERROR(H5E_OHDR, H5E_OVERFLOW, NULL, "fill size exceeds buffer size") + if (NULL == (fill->buf = H5MM_malloc((size_t)fill->size))) HGOTO_ERROR(H5E_RESOURCE, H5E_NOSPACE, NULL, "memory allocation failed for fill value") H5MM_memcpy(fill->buf, p, (size_t)fill->size); @@ -311,10 +315,11 @@ static void * H5O__fill_old_decode(H5F_t *f, H5O_t *open_oh, unsigned H5_ATTR_UNUSED mesg_flags, unsigned H5_ATTR_UNUSED *ioflags, size_t p_size, const uint8_t *p) { - H5O_fill_t *fill = NULL; /* Decoded fill value message */ - htri_t exists = FALSE; - H5T_t * dt = NULL; - void * ret_value = NULL; /* Return value */ + H5O_fill_t * fill = NULL; /* Decoded fill value message */ + htri_t exists = FALSE; + H5T_t * dt = NULL; + const uint8_t *p_end = p + p_size - 1; /* End of the p buffer */ + void * ret_value = NULL; /* Return value */ FUNC_ENTER_STATIC @@ -335,8 +340,10 @@ H5O__fill_old_decode(H5F_t *f, H5O_t *open_oh, unsigned H5_ATTR_UNUSED mesg_flag /* Only decode the fill value itself if there is one */ if (fill->size > 0) { H5_CHECK_OVERFLOW(fill->size, ssize_t, size_t); - if ((size_t)fill->size > p_size) - HGOTO_ERROR(H5E_RESOURCE, H5E_NOSPACE, NULL, "destination buffer too small") + + /* Ensure that fill size doesn't exceed buffer size, due to possible data corruption */ + if (p + fill->size - 1 > p_end) + HGOTO_ERROR(H5E_OHDR, H5E_OVERFLOW, NULL, "fill size exceeds buffer size") /* Get the datatype message */ if ((exists = H5O_msg_exists_oh(open_oh, H5O_DTYPE_ID)) < 0) diff --git a/src/H5Olayout.c b/src/H5Olayout.c index 4020b23..651e317 100644 --- a/src/H5Olayout.c +++ b/src/H5Olayout.c @@ -17,7 +17,7 @@ * Purpose: Messages related to data layout. */ -#define H5D_FRIEND /*suppress error about including H5Dpkg */ +#define H5D_FRIEND /*suppress error about including H5Dpkg */ #include "H5Omodule.h" /* This source code file is part of the H5O module */ #include "H5private.h" /* Generic Functions */ @@ -90,12 +90,13 @@ H5FL_DEFINE(H5O_layout_t); */ static void * H5O__layout_decode(H5F_t *f, H5O_t H5_ATTR_UNUSED *open_oh, unsigned H5_ATTR_UNUSED mesg_flags, - unsigned H5_ATTR_UNUSED *ioflags, size_t H5_ATTR_UNUSED p_size, const uint8_t *p) + unsigned H5_ATTR_UNUSED *ioflags, size_t p_size, const uint8_t *p) { - H5O_layout_t *mesg = NULL; - uint8_t * heap_block = NULL; - unsigned u; - void * ret_value = NULL; /* Return value */ + H5O_layout_t * mesg = NULL; + uint8_t * heap_block = NULL; + unsigned u; + const uint8_t *p_end = p + p_size - 1; /* End of the p buffer */ + void * ret_value = NULL; /* Return value */ FUNC_ENTER_STATIC @@ -179,6 +180,10 @@ H5O__layout_decode(H5F_t *f, H5O_t H5_ATTR_UNUSED *open_oh, unsigned H5_ATTR_UNU if (mesg->type == H5D_COMPACT) { UINT32DECODE(p, mesg->storage.u.compact.size); if (mesg->storage.u.compact.size > 0) { + /* Ensure that size doesn't exceed buffer size, due to possible data corruption */ + if (p + mesg->storage.u.compact.size - 1 > p_end) + HGOTO_ERROR(H5E_OHDR, H5E_OVERFLOW, NULL, "storage size exceeds buffer size") + if (NULL == (mesg->storage.u.compact.buf = H5MM_malloc(mesg->storage.u.compact.size))) HGOTO_ERROR(H5E_RESOURCE, H5E_NOSPACE, NULL, "memory allocation failed for compact data buffer") @@ -198,6 +203,10 @@ H5O__layout_decode(H5F_t *f, H5O_t H5_ATTR_UNUSED *open_oh, unsigned H5_ATTR_UNU UINT16DECODE(p, mesg->storage.u.compact.size); if (mesg->storage.u.compact.size > 0) { + /* Ensure that size doesn't exceed buffer size, due to possible data corruption */ + if (p + mesg->storage.u.compact.size - 1 > p_end) + HGOTO_ERROR(H5E_OHDR, H5E_OVERFLOW, NULL, "storage size exceeds buffer size") + /* Allocate space for compact data */ if (NULL == (mesg->storage.u.compact.buf = H5MM_malloc(mesg->storage.u.compact.size))) HGOTO_ERROR(H5E_OHDR, H5E_CANTALLOC, NULL, @@ -887,13 +896,13 @@ done: } /* end H5O__layout_reset() */ /*------------------------------------------------------------------------- - * Function: H5O__layout_free + * Function: H5O__layout_free * - * Purpose: Free's the message + * Purpose: Free's the message * - * Return: Non-negative on success/Negative on failure + * Return: Non-negative on success/Negative on failure * - * Programmer: Quincey Koziol + * Programmer: Quincey Koziol * Saturday, March 11, 2000 * *------------------------------------------------------------------------- |