From 0b2e11d5c02303bcc3e762bb843a1d056258eac8 Mon Sep 17 00:00:00 2001
From: Alex <aleksandrosansan@gmail.com>
Date: Wed, 23 Aug 2023 21:35:06 +0200
Subject: Fix Heap-buffer-overflow WRITE in H5MM_memcpy (#3368)

---
 release_docs/RELEASE.txt | 4 ++++
 src/H5Oalloc.c           | 3 +++
 2 files changed, 7 insertions(+)

diff --git a/release_docs/RELEASE.txt b/release_docs/RELEASE.txt
index 7de4b18..2772dd8 100644
--- a/release_docs/RELEASE.txt
+++ b/release_docs/RELEASE.txt
@@ -589,6 +589,10 @@ Bug Fixes since HDF5-1.14.0 release
 
       Fixes Github issue #3034
 
+    - Fixed write buffer overflow in H5O__alloc_chunk
+
+      The overflow was found by OSS-Fuzz https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=58658
+
     Java Library
     ------------
     - Fixed switch case 'L' block missing a break statement.
diff --git a/src/H5Oalloc.c b/src/H5Oalloc.c
index 16bbab8..5e80685 100644
--- a/src/H5Oalloc.c
+++ b/src/H5Oalloc.c
@@ -946,6 +946,9 @@ H5O__alloc_chunk(H5F_t *f, H5O_t *oh, size_t size, size_t found_null, const H5O_
                     else {
                         assert(curr_msg->type->id != H5O_CONT_ID);
 
+                        if (size < curr_msg->raw_size + (size_t)H5O_SIZEOF_MSGHDR_OH(oh))
+                            HGOTO_ERROR(H5E_OHDR, H5E_BADVALUE, FAIL, "invalid size");
+
                         /* Copy the raw data */
                         H5MM_memcpy(p, curr_msg->raw - (size_t)H5O_SIZEOF_MSGHDR_OH(oh),
                                     curr_msg->raw_size + (size_t)H5O_SIZEOF_MSGHDR_OH(oh));
-- 
cgit v0.12