summaryrefslogtreecommitdiffstats
path: root/src
diff options
context:
space:
mode:
Diffstat (limited to 'src')
-rw-r--r--src/H5Ofill.c27
-rw-r--r--src/H5Olayout.c29
-rw-r--r--src/H5Tconv.c20
3 files changed, 46 insertions, 30 deletions
diff --git a/src/H5Ofill.c b/src/H5Ofill.c
index 2882ff4..2314a84 100644
--- a/src/H5Ofill.c
+++ b/src/H5Ofill.c
@@ -195,8 +195,9 @@ H5O__fill_new_decode(H5F_t H5_ATTR_UNUSED *f, H5O_t H5_ATTR_UNUSED *open_oh,
unsigned H5_ATTR_UNUSED mesg_flags, unsigned H5_ATTR_UNUSED *ioflags, size_t p_size,
const uint8_t *p)
{
- H5O_fill_t *fill = NULL;
- void * ret_value = NULL; /* Return value */
+ H5O_fill_t * fill = NULL;
+ const uint8_t *p_end = p + p_size - 1; /* End of the p buffer */
+ void * ret_value = NULL; /* Return value */
FUNC_ENTER_STATIC
@@ -227,8 +228,11 @@ H5O__fill_new_decode(H5F_t H5_ATTR_UNUSED *f, H5O_t H5_ATTR_UNUSED *open_oh,
INT32DECODE(p, fill->size);
if (fill->size > 0) {
H5_CHECK_OVERFLOW(fill->size, ssize_t, size_t);
- if ((size_t)fill->size > p_size)
- HGOTO_ERROR(H5E_RESOURCE, H5E_NOSPACE, NULL, "destination buffer too small")
+
+ /* Ensure that fill size doesn't exceed buffer size, due to possible data corruption */
+ if (p + fill->size - 1 > p_end)
+ HGOTO_ERROR(H5E_OHDR, H5E_OVERFLOW, NULL, "fill size exceeds buffer size")
+
if (NULL == (fill->buf = H5MM_malloc((size_t)fill->size)))
HGOTO_ERROR(H5E_RESOURCE, H5E_NOSPACE, NULL, "memory allocation failed for fill value")
H5MM_memcpy(fill->buf, p, (size_t)fill->size);
@@ -310,10 +314,11 @@ static void *
H5O__fill_old_decode(H5F_t *f, H5O_t *open_oh, unsigned H5_ATTR_UNUSED mesg_flags,
unsigned H5_ATTR_UNUSED *ioflags, size_t p_size, const uint8_t *p)
{
- H5O_fill_t *fill = NULL; /* Decoded fill value message */
- htri_t exists = FALSE;
- H5T_t * dt = NULL;
- void * ret_value = NULL; /* Return value */
+ H5O_fill_t * fill = NULL; /* Decoded fill value message */
+ htri_t exists = FALSE;
+ H5T_t * dt = NULL;
+ const uint8_t *p_end = p + p_size - 1; /* End of the p buffer */
+ void * ret_value = NULL; /* Return value */
FUNC_ENTER_STATIC
@@ -334,8 +339,10 @@ H5O__fill_old_decode(H5F_t *f, H5O_t *open_oh, unsigned H5_ATTR_UNUSED mesg_flag
/* Only decode the fill value itself if there is one */
if (fill->size > 0) {
H5_CHECK_OVERFLOW(fill->size, ssize_t, size_t);
- if ((size_t)fill->size > p_size)
- HGOTO_ERROR(H5E_RESOURCE, H5E_NOSPACE, NULL, "destination buffer too small")
+
+ /* Ensure that fill size doesn't exceed buffer size, due to possible data corruption */
+ if (p + fill->size - 1 > p_end)
+ HGOTO_ERROR(H5E_OHDR, H5E_OVERFLOW, NULL, "fill size exceeds buffer size")
/* Get the datatype message */
if ((exists = H5O_msg_exists_oh(open_oh, H5O_DTYPE_ID)) < 0)
diff --git a/src/H5Olayout.c b/src/H5Olayout.c
index 4020b23..651e317 100644
--- a/src/H5Olayout.c
+++ b/src/H5Olayout.c
@@ -17,7 +17,7 @@
* Purpose: Messages related to data layout.
*/
-#define H5D_FRIEND /*suppress error about including H5Dpkg */
+#define H5D_FRIEND /*suppress error about including H5Dpkg */
#include "H5Omodule.h" /* This source code file is part of the H5O module */
#include "H5private.h" /* Generic Functions */
@@ -90,12 +90,13 @@ H5FL_DEFINE(H5O_layout_t);
*/
static void *
H5O__layout_decode(H5F_t *f, H5O_t H5_ATTR_UNUSED *open_oh, unsigned H5_ATTR_UNUSED mesg_flags,
- unsigned H5_ATTR_UNUSED *ioflags, size_t H5_ATTR_UNUSED p_size, const uint8_t *p)
+ unsigned H5_ATTR_UNUSED *ioflags, size_t p_size, const uint8_t *p)
{
- H5O_layout_t *mesg = NULL;
- uint8_t * heap_block = NULL;
- unsigned u;
- void * ret_value = NULL; /* Return value */
+ H5O_layout_t * mesg = NULL;
+ uint8_t * heap_block = NULL;
+ unsigned u;
+ const uint8_t *p_end = p + p_size - 1; /* End of the p buffer */
+ void * ret_value = NULL; /* Return value */
FUNC_ENTER_STATIC
@@ -179,6 +180,10 @@ H5O__layout_decode(H5F_t *f, H5O_t H5_ATTR_UNUSED *open_oh, unsigned H5_ATTR_UNU
if (mesg->type == H5D_COMPACT) {
UINT32DECODE(p, mesg->storage.u.compact.size);
if (mesg->storage.u.compact.size > 0) {
+ /* Ensure that size doesn't exceed buffer size, due to possible data corruption */
+ if (p + mesg->storage.u.compact.size - 1 > p_end)
+ HGOTO_ERROR(H5E_OHDR, H5E_OVERFLOW, NULL, "storage size exceeds buffer size")
+
if (NULL == (mesg->storage.u.compact.buf = H5MM_malloc(mesg->storage.u.compact.size)))
HGOTO_ERROR(H5E_RESOURCE, H5E_NOSPACE, NULL,
"memory allocation failed for compact data buffer")
@@ -198,6 +203,10 @@ H5O__layout_decode(H5F_t *f, H5O_t H5_ATTR_UNUSED *open_oh, unsigned H5_ATTR_UNU
UINT16DECODE(p, mesg->storage.u.compact.size);
if (mesg->storage.u.compact.size > 0) {
+ /* Ensure that size doesn't exceed buffer size, due to possible data corruption */
+ if (p + mesg->storage.u.compact.size - 1 > p_end)
+ HGOTO_ERROR(H5E_OHDR, H5E_OVERFLOW, NULL, "storage size exceeds buffer size")
+
/* Allocate space for compact data */
if (NULL == (mesg->storage.u.compact.buf = H5MM_malloc(mesg->storage.u.compact.size)))
HGOTO_ERROR(H5E_OHDR, H5E_CANTALLOC, NULL,
@@ -887,13 +896,13 @@ done:
} /* end H5O__layout_reset() */
/*-------------------------------------------------------------------------
- * Function: H5O__layout_free
+ * Function: H5O__layout_free
*
- * Purpose: Free's the message
+ * Purpose: Free's the message
*
- * Return: Non-negative on success/Negative on failure
+ * Return: Non-negative on success/Negative on failure
*
- * Programmer: Quincey Koziol
+ * Programmer: Quincey Koziol
* Saturday, March 11, 2000
*
*-------------------------------------------------------------------------
diff --git a/src/H5Tconv.c b/src/H5Tconv.c
index 7b5fce1..0c98633 100644
--- a/src/H5Tconv.c
+++ b/src/H5Tconv.c
@@ -1668,7 +1668,7 @@ H5T__conv_b_b(hid_t src_id, hid_t dst_id, H5T_cdata_t *cdata, size_t nelmts, siz
size_t olap; /*num overlapping elements */
size_t half_size; /*1/2 of total size for swapping*/
uint8_t * s, *sp, *d, *dp; /*source and dest traversal ptrs*/
- uint8_t dbuf[256]; /*temp destination buffer */
+ uint8_t dbuf[256] = {0}; /*temp destination buffer */
size_t msb_pad_offset; /*offset for dest MSB padding */
size_t i;
uint8_t * src_rev = NULL; /*order-reversed source buffer */
@@ -3843,8 +3843,8 @@ H5T__conv_i_i(hid_t src_id, hid_t dst_id, H5T_cdata_t *cdata, size_t nelmts, siz
size_t half_size; /*half the type size */
size_t olap; /*num overlapping elements */
uint8_t * s, *sp, *d, *dp; /*source and dest traversal ptrs*/
- uint8_t * src_rev = NULL; /*order-reversed source buffer */
- uint8_t dbuf[64]; /*temp destination buffer */
+ uint8_t * src_rev = NULL; /*order-reversed source buffer */
+ uint8_t dbuf[64] = {0}; /*temp destination buffer */
size_t first;
ssize_t sfirst; /*a signed version of `first' */
size_t i; /*Local index variables */
@@ -4286,8 +4286,8 @@ H5T__conv_f_f(hid_t src_id, hid_t dst_id, H5T_cdata_t *cdata, size_t nelmts, siz
size_t olap; /*num overlapping elements */
ssize_t bitno = 0; /*bit number */
uint8_t * s, *sp, *d, *dp; /*source and dest traversal ptrs*/
- uint8_t * src_rev = NULL; /*order-reversed source buffer */
- uint8_t dbuf[64]; /*temp destination buffer */
+ uint8_t * src_rev = NULL; /*order-reversed source buffer */
+ uint8_t dbuf[64] = {0}; /*temp destination buffer */
uint8_t tmp1, tmp2; /*temp variables for swapping bytes*/
/* Conversion-related variables */
@@ -4947,7 +4947,7 @@ H5T__conv_s_s(hid_t src_id, hid_t dst_id, H5T_cdata_t *cdata, size_t nelmts, siz
dst_delta = (ssize_t)direction * (ssize_t)(buf_stride ? buf_stride : dst->shared->size);
/* Allocate the overlap buffer */
- if (NULL == (dbuf = (uint8_t *)H5MM_malloc(dst->shared->size)))
+ if (NULL == (dbuf = (uint8_t *)H5MM_calloc(dst->shared->size)))
HGOTO_ERROR(H5E_RESOURCE, H5E_NOSPACE, FAIL, "memory allocation failed for string conversion")
/* The conversion loop. */
@@ -8401,8 +8401,8 @@ H5T__conv_f_i(hid_t src_id, hid_t dst_id, H5T_cdata_t *cdata, size_t nelmts, siz
size_t tsize; /*type size for swapping bytes */
size_t olap; /*num overlapping elements */
uint8_t * s, *sp, *d, *dp; /*source and dest traversal ptrs*/
- uint8_t * src_rev = NULL; /*order-reversed source buffer */
- uint8_t dbuf[64]; /*temp destination buffer */
+ uint8_t * src_rev = NULL; /*order-reversed source buffer */
+ uint8_t dbuf[64] = {0}; /*temp destination buffer */
uint8_t tmp1, tmp2; /*temp variables for swapping bytes*/
/* Conversion-related variables */
@@ -9027,8 +9027,8 @@ H5T__conv_i_f(hid_t src_id, hid_t dst_id, H5T_cdata_t *cdata, size_t nelmts, siz
size_t tsize; /*type size for swapping bytes */
size_t olap; /*num overlapping elements */
uint8_t * s, *sp, *d, *dp; /*source and dest traversal ptrs*/
- uint8_t * src_rev = NULL; /*order-reversed source buffer */
- uint8_t dbuf[64]; /*temp destination buffer */
+ uint8_t * src_rev = NULL; /*order-reversed source buffer */
+ uint8_t dbuf[64] = {0}; /*temp destination buffer */
uint8_t tmp1, tmp2; /*temp variables for swapping bytes*/
/* Conversion-related variables */
generated by cgit v0.12 at 2024-07-08 18:17:17 (GMT)