From 5e71d54c8fe9c13e6729a3274e36b61b94ed5822 Mon Sep 17 00:00:00 2001
From: Dana Robinson <43805+derobins@users.noreply.github.com>
Date: Wed, 30 Aug 2023 19:21:49 -0700
Subject: Fix CVE-2016-4332 (#3451)

---
 release_docs/RELEASE.txt | 12 ++++++++++++
 src/H5Omessage.c         |  5 ++---
 2 files changed, 14 insertions(+), 3 deletions(-)

diff --git a/release_docs/RELEASE.txt b/release_docs/RELEASE.txt
index 2ec08b2..668c648 100644
--- a/release_docs/RELEASE.txt
+++ b/release_docs/RELEASE.txt
@@ -135,6 +135,18 @@ Bug Fixes since HDF5-1.10.10 release
 ===================================
     Library
     -------
+    - Fixed an assertion in a previous fix for CVE-2016-4332
+
+      An assert could fail when processing corrupt files that have invalid
+      shared message flags (as in CVE-2016-4332).
+
+      The assert statement in question has been replaced with pointer checks
+      that don't raise errors. Since the function is in cleanup code, we do
+      our best to close and free things, even when presented with partially
+      initialized structs.
+
+      Fixes CVE-2016-4332 and HDFFV-9950 (confirmed via the cve_hdf5 repo)
+
     - Seg fault on file close
 
       h5debug fails at file close with core dump on a file that has an
diff --git a/src/H5Omessage.c b/src/H5Omessage.c
index 43b068d..975767f 100644
--- a/src/H5Omessage.c
+++ b/src/H5Omessage.c
@@ -675,12 +675,11 @@ H5O__msg_free_real(const H5O_msg_class_t *type, void *msg_native)
 {
     FUNC_ENTER_PACKAGE_NOERR
 
-    /* check args */
-    HDassert(type);
+    /* Don't assert on args since this could be called in cleanup code */
 
     if (msg_native) {
         H5O__msg_reset_real(type, msg_native);
-        if (NULL != (type->free))
+        if (type && type->free)
             (type->free)(msg_native);
         else
             H5MM_xfree(msg_native);
-- 
cgit v0.12