From ce005900d6ad539cc7556ab225b771d24632f4f1 Mon Sep 17 00:00:00 2001 From: Dana Robinson Date: Mon, 26 Feb 2018 20:16:13 -0800 Subject: Fix for HDFFV-10357 (CVE-2017-17508). --- release_docs/RELEASE.txt | 15 +++++++++++++++ src/H5T.c | 5 +++++ 2 files changed, 20 insertions(+) diff --git a/release_docs/RELEASE.txt b/release_docs/RELEASE.txt index 4675423..480bb14 100644 --- a/release_docs/RELEASE.txt +++ b/release_docs/RELEASE.txt @@ -232,6 +232,21 @@ Bug Fixes since HDF5-1.10.1 release (DER - 2017/11/21, HDFFV-10330) + - If an HDF5 file contains a malformed compound type which contains + a member of size zero, a division by zero error will occur while + processing the type. + + This issue was reported to The HDF Group as issue #CVE-2017-17508. + + NOTE: The HDF5 C library cannot produce such a file. This condition + should only occur in a corrupt (or deliberately altered) file + or a file created by third-party software. + + Checking for zero before dividing fixes the problem. Instead of the + division by zero, the normal HDF5 error handling is invoked. + + (DER - 2018/02/26, HDFFV-10357) + Configuration ------------- - CMake diff --git a/src/H5T.c b/src/H5T.c index eca0132..ffa7bcb 100644 --- a/src/H5T.c +++ b/src/H5T.c @@ -5211,6 +5211,11 @@ H5T_set_loc(H5T_t *dt, H5F_t *f, H5T_loc_t loc) /* Check if the field changed size */ if(old_size != memb_type->shared->size) { + + /* Fail if the old_size is zero */ + if (0 == old_size) + HGOTO_ERROR(H5E_DATATYPE, H5E_BADVALUE, FAIL, "old_size of zero would cause division by zero"); + /* Adjust the size of the member */ dt->shared->u.compnd.memb[i].size = (dt->shared->u.compnd.memb[i].size*memb_type->shared->size)/old_size; -- cgit v0.12