From 99487d9e45c8245a829f18a060fa472d0422edbb Mon Sep 17 00:00:00 2001
From: Egbert Eich
Date: Fri, 11 Nov 2022 06:01:45 +0100
Subject: H5IMget_image_info(): Make sure to not exceed local array size (#2227)
Malformed hdf5 files may provide more dimensions than the array dim[] in H5IMget_image_info() is able to hold. Check number of elements first by calling H5Sget_simple_extent_dims() with NULL for both 'dims' and 'maxdims' arguments. This will cause the function to return only the number of dimensions. The fix addresse a stack overflow on write. This fixes CVE-2018-17439 / HDFFV-10589 / Bug #2226.
Signed-off-by: Egbert Eich
Signed-off-by: Egbert Eich
---
 hl/src/H5IM.c | 2 ++
 release_docs/RELEASE.txt | 14 ++++++++++++--
 2 files changed, 14 insertions(+), 2 deletions(-)
diff --git a/hl/src/H5IM.c b/hl/src/H5IM.c
index a3b04ce..43e5bed 100644
--- hl/src/H5IM.c
+++ b/hl/src/H5IM.c
@@ -281,6 +281,8 @@ H5IMget_image_info(hid_t loc_id, const char *dset_name, hsize_t *width, hsize_t
 if ((sid = H5Dget_space(did)) < 0)
 goto out;
+ if (H5Sget_simple_extent_dims(sid, NULL, NULL) > IMAGE24_RANK)
+ goto out;
 /* Get dimensions */
 if (H5Sget_simple_extent_dims(sid, dims, NULL) < 0)
 goto out;
diff --git a/release_docs/RELEASE.txt b/release_docs/RELEASE.txt
index 1b6999d..48fcc3b 100644
--- a/release_docs/RELEASE.txt
+++ b/release_docs/RELEASE.txt
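Review bot: The guard added before `/* Get dimensions */` in hl/src/H5IM.c bounds the rank only from above, so a dataspace with fewer dimensions than the image layout expects still passes and leaves the unused `dims[]` slots unwritten. Whether later code reads those slots by fixed index is outside this hunk and should be confirmed. Keeping the rank in a local (an `int rank` declared with the other locals) lets a failed query be rejected where it occurs and gives a place for a lower bound once the expected minimum is known: `if ((rank = H5Sget_simple_extent_ndims(sid)) < 0 || rank > IMAGE24_RANK) goto out;`. A short comment such as `/* Reject ranks that would not fit in dims[] (CVE-2018-17439) */` would explain why the dataspace is queried twice. The body of H5IMget_image_info starts and ends outside the hunk.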
@@ -172,8 +172,18 @@ Bug Fixes since HDF5-1.13.3 release =================================== Library ------- - - - + + - Fix CVE-2018-17439 / GHSA-vcxv-vp43-rch7 + + H5IMget_image_info(): Make sure to not exceed local array size + + Malformed hdf5 files may provide more dimensions than the array dim[] in + H5IMget_image_info() is able to hold. Check number of elements first by calling + H5Sget_simple_extent_dims() with NULL for both 'dims' and 'maxdims' arguments. + This will cause the function to return only the number of dimensions. + The fix addresses a stack overflow on write. + + (EFE - 2022/09/27 HDFFV-10589, GH-2226) Java Library ------------ -- cgit v0.12