From 992a199f90fec31e0ad72ed76ed279a3ccea59e4 Mon Sep 17 00:00:00 2001 From: Binh-Minh Ribler Date: Mon, 16 Jul 2018 20:28:27 -0500 Subject: Fixed HDFFV-10476, HDFFV-10478, HDFFV-10480 Description: Fixed potential out of bound read and NULL pointer dereferences. Platforms tested: Linux/64 (jelly) Linux/32 (jam) Darwin (osx1010test) --- src/H5Ocache.c | 2 ++ src/H5Ofill.c | 8 ++++++-- src/H5Shyper.c | 5 +++-- 3 files changed, 11 insertions(+), 4 deletions(-) diff --git a/src/H5Ocache.c b/src/H5Ocache.c index d65942b..59e1705 100644 --- a/src/H5Ocache.c +++ b/src/H5Ocache.c @@ -1553,6 +1553,8 @@ H5O__chunk_deserialize(H5O_t *oh, haddr_t addr, size_t len, const uint8_t *image /* Set object header values */ oh->has_refcount_msg = TRUE; + if(!refcount) + HGOTO_ERROR(H5E_OHDR, H5E_CANTSET, FAIL, "can't decode refcount") oh->nlink = *refcount; } /* end if */ /* Check if message is a link message */ diff --git a/src/H5Ofill.c b/src/H5Ofill.c index da9829b..8a6004d 100644 --- a/src/H5Ofill.c +++ b/src/H5Ofill.c @@ -194,7 +194,7 @@ H5FL_BLK_EXTERN(type_conv); static void * H5O_fill_new_decode(H5F_t H5_ATTR_UNUSED *f, H5O_t H5_ATTR_UNUSED *open_oh, unsigned H5_ATTR_UNUSED mesg_flags, unsigned H5_ATTR_UNUSED *ioflags, - size_t H5_ATTR_UNUSED p_size, const uint8_t *p) + size_t p_size, const uint8_t *p) { H5O_fill_t *fill = NULL; void *ret_value = NULL; /* Return value */ @@ -228,6 +228,8 @@ H5O_fill_new_decode(H5F_t H5_ATTR_UNUSED *f, H5O_t H5_ATTR_UNUSED *open_oh, INT32DECODE(p, fill->size); if(fill->size > 0) { H5_CHECK_OVERFLOW(fill->size, ssize_t, size_t); + if((size_t)fill->size > p_size) + HGOTO_ERROR(H5E_RESOURCE, H5E_NOSPACE, NULL, "destination buffer too small") if(NULL == (fill->buf = H5MM_malloc((size_t)fill->size))) HGOTO_ERROR(H5E_RESOURCE, H5E_NOSPACE, NULL, "memory allocation failed for fill value") HDmemcpy(fill->buf, p, (size_t)fill->size); @@ -309,7 +311,7 @@ done: static void * H5O_fill_old_decode(H5F_t *f, H5O_t *open_oh, unsigned H5_ATTR_UNUSED mesg_flags, unsigned H5_ATTR_UNUSED *ioflags, - size_t H5_ATTR_UNUSED p_size, const uint8_t *p) + size_t p_size, const uint8_t *p) { H5O_fill_t *fill = NULL; /* Decoded fill value message */ htri_t exists = FALSE; @@ -335,6 +337,8 @@ H5O_fill_old_decode(H5F_t *f, H5O_t *open_oh, /* Only decode the fill value itself if there is one */ if(fill->size > 0) { H5_CHECK_OVERFLOW(fill->size, ssize_t, size_t); + if((size_t)fill->size > p_size) + HGOTO_ERROR(H5E_RESOURCE, H5E_NOSPACE, NULL, "destination buffer too small") /* Get the datatype message */ if((exists = H5O_msg_exists_oh(open_oh, H5O_DTYPE_ID)) < 0) diff --git a/src/H5Shyper.c b/src/H5Shyper.c index c84d5f3..8e2e979 100644 --- a/src/H5Shyper.c +++ b/src/H5Shyper.c @@ -6082,7 +6082,7 @@ H5S__hyper_make_spans(unsigned rank, const hsize_t *start, const hsize_t *stride last_span = NULL; /* Generate all the span segments for this dimension */ - for(u = 0, stride_iter = 0; u < count[i]; u++, stride_iter += stride[i]) { + for(u = 0, stride_iter = 0; u < count[i]; u++, stride_iter += stride[i]) { H5S_hyper_span_t *span; /* New hyperslab span */ /* Allocate a span node */ @@ -6124,7 +6124,8 @@ H5S__hyper_make_spans(unsigned rank, const hsize_t *start, const hsize_t *stride } /* end for */ /* Indicate that there is a pointer to this tree */ - down->count = 1; + if(down) + down->count = 1; /* Success! Return the head of the list in the slowest changing dimension */ ret_value = down; -- cgit v0.12