From 3a911e2b39bb4bf5c06dd4d0a99a847ddd87ce5e Mon Sep 17 00:00:00 2001
From: David Young
Date: Fri, 10 Jan 2020 11:26:33 -0600
Subject: Change the blah_blah_blah_md_header `index_length` member from `uint64_t` to `size_t` because it describes the size of an in-core structure as well as an on-disk one, and `size_t` is wide enough to store the size of any in-core structure, while `uint64_t` may be much too wide. Check that `index_length` is no more than SIZE_MAX after we read it.
---
 src/H5FDprivate.h | 2 +-
 src/H5FDvfd_swmr.c | 8 +++++++-
 src/H5Ftest.c | 6 +++++-
 3 files changed, 13 insertions(+), 3 deletions(-)
diff --git a/src/H5FDprivate.h b/src/H5FDprivate.h
index fdcca1b..2aba759 100644
--- a/src/H5FDprivate.h
+++ b/src/H5FDprivate.h
@@ -200,7 +200,7 @@ typedef struct H5FD_vfd_swmr_md_header {
 uint32_t fs_page_size;
 uint64_t tick_num;
 uint64_t index_offset;
- uint64_t index_length;
+ size_t index_length;
 } H5FD_vfd_swmr_md_header;
 static inline H5FD_vfd_swmr_idx_entry_t *
diff --git a/src/H5FDvfd_swmr.c b/src/H5FDvfd_swmr.c
index c804fb7..3fa172d 100644
--- a/src/H5FDvfd_swmr.c
+++ b/src/H5FDvfd_swmr.c
@@ -1294,6 +1294,7 @@ H5FD__vfd_swmr_header_deserialize(H5FD_t *_file,
 H5FD_VFD_SWMR_MD_HEADER_RETRY_MAX;
 uint8_t *p = NULL; /* Pointer to buffer */
 herr_t ret_value = SUCCEED; /* Return value */
+ uint64_t index_length;
 FUNC_ENTER_STATIC
@@ -1364,7 +1365,12 @@ H5FD__vfd_swmr_header_deserialize(H5FD_t *_file,
 UINT32DECODE(p, md_header->fs_page_size);
 UINT64DECODE(p, md_header->tick_num);
 UINT64DECODE(p, md_header->index_offset);
- UINT64DECODE(p, md_header->index_length);
+ if ((index_length = uint64_decode(&p)) > SIZE_MAX) {
+ HGOTO_ERROR(H5E_VFL, H5E_BADVALUE, FAIL,
+ "index is too large to hold in core");
+ }
+
+ md_header->index_length = (size_t)index_length;
 /* Checksum is already valid */
 UINT32DECODE(p, stored_chksum);
diff --git a/src/H5Ftest.c b/src/H5Ftest.c
index 90657ef..ed3fec1 100644
--- a/src/H5Ftest.c
+++ b/src/H5Ftest.c
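Review bot: `index_length` now has a platform-dependent width in the in-core header while `index_offset` right above it stays `uint64_t`, and nothing in the struct records which of the two widths is the on-disk one; a one-line comment would stop the next reader from "fixing" it back or encoding it `size_t`-wide: `size_t index_length; /* in-core width; the on-disk field is a fixed 64-bit value, bounded to SIZE_MAX at decode */`. The serializer that writes this field is not in the diff, so whether it still emits a 64-bit field is an assumption to confirm. On 32-bit builds any arithmetic mixing this member with `index_offset` now promotes `size_t` to `uint64_t`, which is harmless but worth stating next to the member.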
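Review bot: Comparing a `uint64_t` against `SIZE_MAX` is always false on LP64 builds, so on the platforms this driver mostly runs the new check in `H5FD__vfd_swmr_header_deserialize` rejects nothing, and on 32-bit builds it still admits any length up to 4 GiB; `SIZE_MAX` is a type limit, not a sanity bound for a value read from a file that another process writes. The `/* Checksum is already valid */` context line shows the header's checksum was verified earlier, but a checksum only detects corruption, not a stale or inconsistent header from the SWMR writer, so the reader should bound `index_length` by something it can check itself, e.g. `if (index_length > SIZE_MAX || index_length > UINT64_MAX - md_header->index_offset)` so `index_offset + index_length` cannot wrap, and ideally against the metadata file's current size before the value sizes a read or allocation — that later use is outside this hunk, so where the bound belongs is an inference. Wrap the tautological half in `#if SIZE_MAX < UINT64_MAX` (or equivalent) so `-Wtype-limits` / `-Wtautological-constant-out-of-range-compare` stay quiet on 64-bit builds rather than training people to ignore them. `uint64_decode` is not added by this patch, so it is assumed to already exist in a shared header next to the `UINT64DECODE` macro it replaces here; the function continues outside the hunk.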
@@ -349,6 +349,7 @@ done:
 static herr_t
 H5F__vfd_swmr_decode_md_hdr(int md_fd, H5FD_vfd_swmr_md_header *md_hdr)
 {
+ uint64_t index_length;
 uint8_t image[H5FD_MD_HEADER_SIZE]; /* Buffer for the header image */
 uint8_t *p = NULL; /* Points to the image */
 herr_t ret_value = SUCCEED; /* Return value */
@@ -375,7 +376,10 @@ H5F__vfd_swmr_decode_md_hdr(int md_fd, H5FD_vfd_swmr_md_header *md_hdr)
 UINT32DECODE(p, md_hdr->fs_page_size);
 UINT64DECODE(p, md_hdr->tick_num);
 UINT64DECODE(p, md_hdr->index_offset);
- UINT64DECODE(p, md_hdr->index_length);
+ if ((index_length = uint64_decode(&p)) > SIZE_MAX) {
+ HGOTO_ERROR(H5E_FILE, H5E_BADVALUE, FAIL, "index is too long")
+ }
+ md_hdr->index_length = (size_t)index_length;
 done:
 FUNC_LEAVE_NOAPI(ret_value)
--
cgit v0.12
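Review bot: This test-side decoder now duplicates the production check in `H5FD__vfd_swmr_header_deserialize` with a different error class (`H5E_FILE` vs `H5E_VFL`), a different message, and no `;` after `HGOTO_ERROR(...)` where the driver hunk has one — HDF5's macro presumably expands to a braced block so both forms compile, but two hand-copied decoders are how a test reader ends up accepting a header the driver rejects. Prefer one shared helper for the header decode, or at least copy the check verbatim, e.g. `HGOTO_ERROR(H5E_FILE, H5E_BADVALUE, FAIL, "index is too large to hold in core");`. The same caveat as in the driver applies: `> SIZE_MAX` is tautologically false on 64-bit builds, so this test asserts nothing there and a bound derived from the metadata file (offset plus length within its size, no wrap) would be the meaningful check. The body of `H5F__vfd_swmr_decode_md_hdr` between the two hunks is not shown.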