From 86ddedf522aa8a72cfe03b9275ae16800d1fb5b9 Mon Sep 17 00:00:00 2001 From: Dana Robinson <43805+derobins@users.noreply.github.com> Date: Wed, 2 Aug 2023 15:44:19 -0700 Subject: Fix CVE-2018-13867 (#3336) --- release_docs/RELEASE.txt | 9 +++++++++ src/H5HLcache.c | 6 ++++++ 2 files changed, 15 insertions(+) diff --git a/release_docs/RELEASE.txt b/release_docs/RELEASE.txt index c76a66a..d9c907b 100644 --- a/release_docs/RELEASE.txt +++ b/release_docs/RELEASE.txt @@ -265,6 +265,15 @@ Bug Fixes since HDF5-1.14.0 release =================================== Library ------- + - Fixed CVE-2018-13867 + + A corrupt file containing an invalid local heap datablock address + could trigger an assert failure when the metadata cache attempted + to load the datablock from storage. + + The local heap now verifies that the datablock address is valid + when the local heap header information is parsed. + - Fixed CVE-2018-11202 A malformed file could result in chunk index memory leaks. Under most diff --git a/src/H5HLcache.c b/src/H5HLcache.c index 653590d..377bc0f 100644 --- a/src/H5HLcache.c +++ b/src/H5HLcache.c @@ -194,6 +194,12 @@ H5HL__hdr_deserialize(H5HL_t *heap, const uint8_t *image, size_t len, H5HL_cache HGOTO_ERROR(H5E_HEAP, H5E_OVERFLOW, FAIL, "ran off end of input buffer while decoding"); H5F_addr_decode_len(udata->sizeof_addr, &image, &(heap->dblk_addr)); + /* Check that the datablock address is valid (might not be true + * in a corrupt file) + */ + if (!H5_addr_defined(heap->dblk_addr)) + HGOTO_ERROR(H5E_HEAP, H5E_BADVALUE, FAIL, "bad datablock address"); + done: FUNC_LEAVE_NOAPI(ret_value) } /* end H5HL__hdr_deserialize() */ -- cgit v0.12