2 files changed, 56 insertions, 7 deletions

diff --git a/src/H5HF.c b/src/H5HF.c
index c1a46e0..a457f52 100644
--- a/src/H5HF.c
+++ b/src/H5HF.c
@@ -196,7 +196,7 @@ HDfprintf(stderr, "%s: fh_addr = %a\n", FUNC, fh_addr);
         if(NULL == (hdr = H5AC_protect(f, dxpl_id, H5AC_FHEAP_HDR, fh_addr, NULL, NULL, H5AC_READ)))
             HGOTO_ERROR(H5E_HEAP, H5E_CANTLOAD, NULL, "unable to load fractal heap header")
 #ifdef QAK
-HDfprintf(stderr, "%s: hdr->rc = %u\n", FUNC, hdr->rc);
+HDfprintf(stderr, "%s: hdr->rc = %u, hdr->fspace = %p\n", FUNC, hdr->rc, hdr->fspace);
 #endif /* QAK */
 
         /* Create fractal heap info */
@@ -323,14 +323,15 @@ H5HF_insert(H5HF_t *fh, hid_t dxpl_id, size_t size, const void *obj,
 HDfprintf(stderr, "%s: size = %Zu\n", FUNC, size);
 #endif /* QAK */
 
-    /*
-     * Check arguments.
-     */
+    /* Sanity check */
     HDassert(fh);
-    HDassert(size > 0);
     HDassert(obj);
     HDassert(id);
 
+    /* Check arguments */
+    if(size == 0)
+        HGOTO_ERROR(H5E_HEAP, H5E_BADRANGE, FAIL, "can't insert 0-sized objects")
+
     /* Get the fractal heap header */
     hdr = fh->hdr;
 
diff --git a/src/H5HFman.c b/src/H5HFman.c
index abe01d1..8f0febe 100644
--- a/src/H5HFman.c
+++ b/src/H5HFman.c
@@ -173,6 +173,7 @@ HDfprintf(stderr, "%s: sec_node->u.single.dblock_size = %Zu\n", FUNC, sec_node->
     blk_off = sec_node->sect_info.addr - dblock->block_off;
 #ifdef QAK
 HDfprintf(stderr, "%s: blk_off = %Zu\n", FUNC, blk_off);
+HDfprintf(stderr, "%s: dblock->block_off = %Hu\n", FUNC, dblock->block_off);
 #endif /* QAK */
 
     /* Sanity checks */
@@ -264,14 +265,27 @@ H5HF_man_read(H5HF_hdr_t *hdr, hid_t dxpl_id, const uint8_t *id, void *obj)
     id++;
 
     /* Decode the object offset within the heap & it's length */
+#ifdef QAK
+HDfprintf(stderr, "%s: hdr->heap_off_size = %u, hdr->heap_len_size = %u\n", FUNC, (unsigned)hdr->heap_off_size, (unsigned)hdr->heap_len_size);
+#endif /* QAK */
     UINT64DECODE_VAR(id, obj_off, hdr->heap_off_size);
     UINT64DECODE_VAR(id, obj_len, hdr->heap_len_size);
 #ifdef QAK
 HDfprintf(stderr, "%s: obj_off = %Hu, obj_len = %Zu\n", FUNC, obj_off, obj_len);
+HDfprintf(stderr, "%s: hdr->man_size = %Hu, hdr->max_man_size = %u\n", FUNC, hdr->man_size, (unsigned)hdr->max_man_size);
+HDfprintf(stderr, "%s: hdr->man_dtable.cparam.max_direct_size = %Zu\n", FUNC, hdr->man_dtable.cparam.max_direct_size);
 #endif /* QAK */
     HDassert(obj_off > 0);
     HDassert(obj_len > 0);
 
+    /* Check for bad offset or length */
+    if(obj_off > hdr->man_size)
+        HGOTO_ERROR(H5E_HEAP, H5E_BADRANGE, FAIL, "fractal heap object offset too large")
+    if(obj_len > hdr->man_dtable.cparam.max_direct_size)
+        HGOTO_ERROR(H5E_HEAP, H5E_BADRANGE, FAIL, "fractal heap object size too large for direct block")
+    if(obj_len > hdr->max_man_size)
+        HGOTO_ERROR(H5E_HEAP, H5E_BADRANGE, FAIL, "fractal heap object should be standalone")
+
     /* Check for root direct block */
     if(hdr->man_dtable.curr_root_rows == 0) {
         /* Set direct block info */
@@ -298,9 +312,23 @@ HDfprintf(stderr, "%s: entry address = %a\n", FUNC, iblock->ents[entry].addr);
         dblock_addr =  iblock->ents[entry].addr;
         dblock_size =  hdr->man_dtable.row_block_size[entry / hdr->man_dtable.cparam.width];
 
+        /* Check for offset of invalid direct block */
+        if(!H5F_addr_defined(dblock_addr)) {
+            /* Unlock indirect block */
+            if(H5HF_man_iblock_unprotect(iblock, dxpl_id, H5AC__NO_FLAGS_SET, did_protect) < 0)
+                HGOTO_ERROR(H5E_HEAP, H5E_CANTUNPROTECT, FAIL, "unable to release fractal heap indirect block")
+
+            HGOTO_ERROR(H5E_HEAP, H5E_BADRANGE, FAIL, "fractal heap ID not in allocated direct block")
+        } /* end if */
+
         /* Lock direct block */
-        if(NULL == (dblock = H5HF_man_dblock_protect(hdr, dxpl_id, dblock_addr, dblock_size, iblock, entry, H5AC_READ)))
+        if(NULL == (dblock = H5HF_man_dblock_protect(hdr, dxpl_id, dblock_addr, dblock_size, iblock, entry, H5AC_READ))) {
+            /* Unlock indirect block */
+            if(H5HF_man_iblock_unprotect(iblock, dxpl_id, H5AC__NO_FLAGS_SET, did_protect) < 0)
+                HGOTO_ERROR(H5E_HEAP, H5E_CANTUNPROTECT, FAIL, "unable to release fractal heap indirect block")
+
             HGOTO_ERROR(H5E_HEAP, H5E_CANTPROTECT, FAIL, "unable to protect fractal heap direct block")
+        } /* end if */
 
         /* Unlock indirect block */
         if(H5HF_man_iblock_unprotect(iblock, dxpl_id, H5AC__NO_FLAGS_SET, did_protect) < 0)
@@ -315,6 +343,14 @@ HDfprintf(stderr, "%s: dblock_addr = %a, dblock_size = %Zu\n", FUNC, dblock_addr
     HDassert((obj_off - dblock->block_off) < (hsize_t)dblock_size);
     blk_off = (size_t)(obj_off - dblock->block_off);
 
+    /* Check for object's offset in the direct block prefix information */
+    if(blk_off < H5HF_MAN_ABS_DIRECT_OVERHEAD(hdr))
+        HGOTO_ERROR(H5E_HEAP, H5E_BADRANGE, FAIL, "object located in prefix of direct block")
+
+    /* Check for object's length overrunning the end of the direct block */
+    if((blk_off + obj_len) > dblock_size)
+        HGOTO_ERROR(H5E_HEAP, H5E_BADRANGE, FAIL, "object overruns end of direct block")
+
     /* Point to location for object */
     p = dblock->blk + blk_off;
 
@@ -369,12 +405,14 @@ H5HF_man_remove(H5HF_hdr_t *hdr, hid_t dxpl_id, const uint8_t *id)
 
     /* Decode the object offset within the heap & it's length */
 #ifdef QAK
-HDfprintf(stderr, "%s: fh->hdr->heap_off_size = %u, fh->hdr->heap_len_size = %u\n", FUNC, (unsigned)fh->hdr->heap_off_size, (unsigned)fh->hdr->heap_len_size);
+HDfprintf(stderr, "%s: hdr->heap_off_size = %u, hdr->heap_len_size = %u\n", FUNC, (unsigned)hdr->heap_off_size, (unsigned)hdr->heap_len_size);
 #endif /* QAK */
     UINT64DECODE_VAR(id, obj_off, hdr->heap_off_size);
     UINT64DECODE_VAR(id, obj_len, hdr->heap_len_size);
 #ifdef QAK
 HDfprintf(stderr, "%s: obj_off = %Hu, obj_len = %Zu\n", FUNC, obj_off, obj_len);
+HDfprintf(stderr, "%s: hdr->man_size = %Hu, hdr->max_man_size = %u\n", FUNC, hdr->man_size, (unsigned)hdr->max_man_size);
+HDfprintf(stderr, "%s: hdr->man_dtable.cparam.max_direct_size = %Zu\n", FUNC, hdr->man_dtable.cparam.max_direct_size);
 #endif /* QAK */
     HDassert(obj_off > 0);
     HDassert(obj_len > 0);
@@ -465,6 +503,16 @@ HDfprintf(stderr, "%s: blk_off = %Zu\n", FUNC, blk_off);
     if(NULL == (sec_node = H5HF_sect_single_new(obj_off, obj_len,
             dblock->parent, dblock->par_entry, dblock_addr, dblock_size)))
         HGOTO_ERROR(H5E_HEAP, H5E_CANTINIT, FAIL, "can't create section for direct block's free space")
+#ifdef QAK
+HDfprintf(stderr, "%s: sec_node->sect_info.addr = %a\n", FUNC, sec_node->sect_info.addr);
+HDfprintf(stderr, "%s: sec_node->sect_info.size = %Hu\n", FUNC, sec_node->sect_info.size);
+HDfprintf(stderr, "%s: sec_node->u.single.parent = %p\n", FUNC, sec_node->u.single.parent);
+if(sec_node->u.single.parent)
+    HDfprintf(stderr, "%s: sec_node->u.single.parent->addr = %a\n", FUNC, sec_node->u.single.parent->addr);
+HDfprintf(stderr, "%s: sec_node->u.single.par_entry = %u\n", FUNC, sec_node->u.single.par_entry);
+HDfprintf(stderr, "%s: sec_node->u.single.dblock_addr = %a\n", FUNC, sec_node->u.single.dblock_addr);
+HDfprintf(stderr, "%s: sec_node->u.single.dblock_size = %Zu\n", FUNC, sec_node->u.single.dblock_size);
+#endif /* QAK */
 
     /* Unlock direct block */
     if(H5AC_unprotect(hdr->f, dxpl_id, H5AC_FHEAP_DBLOCK, dblock_addr, dblock, H5AC__NO_FLAGS_SET) < 0)