From b877534a330a201e3b5c51d97daa8e01a5c1cd3a Mon Sep 17 00:00:00 2001 From: Dana Robinson Date: Mon, 12 Mar 2018 17:56:54 -0700 Subject: Added a fix for HDFFV-10358. --- release_docs/RELEASE.txt | 17 +++++++++++++++++ src/H5Gcache.c | 3 ++- src/H5Gent.c | 7 +++++-- src/H5Gpkg.h | 2 +- 4 files changed, 25 insertions(+), 4 deletions(-) diff --git a/release_docs/RELEASE.txt b/release_docs/RELEASE.txt index a70802e..4ac4545 100644 --- a/release_docs/RELEASE.txt +++ b/release_docs/RELEASE.txt @@ -321,6 +321,23 @@ Bug Fixes since HDF5-1.10.1 release (DER - 2018/02/26, HDFFV-10357) + - If an HDF5 file contains a malformed symbol table node that declares + it contains more symbols than it actually contains, the library + can run off the end of the metadata cache buffer while processing + the symbol table node. + + This issue was reported to The HDF Group as issue #CVE-2017-17509. + + NOTE: The HDF5 C library cannot produce such a file. This condition + should only occur in a corrupt (or deliberately altered) file + or a file created by third-party software. + + Performing bounds checks on the buffer while processing fixes the + problem. Instead of the segmentation fault, the normal HDF5 error + handling is invoked. + + (DER - 2018/03/12, HDFFV-10358) + Configuration ------------- - CMake diff --git a/src/H5Gcache.c b/src/H5Gcache.c index 65115a5..b447cad 100644 --- a/src/H5Gcache.c +++ b/src/H5Gcache.c @@ -170,6 +170,7 @@ H5G__cache_node_deserialize(const void *_image, size_t len, void *_udata, H5F_t *f = (H5F_t *)_udata; /* User data for callback */ H5G_node_t *sym = NULL; /* Symbol table node created */ const uint8_t *image = (const uint8_t *)_image; /* Pointer to image to deserialize */ + const uint8_t *image_end = image + len - 1; /* Pointer to end of image buffer */ void *ret_value = NULL; /* Return value */ FUNC_ENTER_STATIC @@ -203,7 +204,7 @@ H5G__cache_node_deserialize(const void *_image, size_t len, void *_udata, UINT16DECODE(image, sym->nsyms); /* entries */ - if(H5G__ent_decode_vec(f, &image, sym->entry, sym->nsyms) < 0) + if(H5G__ent_decode_vec(f, &image, image_end, sym->entry, sym->nsyms) < 0) HGOTO_ERROR(H5E_SYM, H5E_CANTLOAD, NULL, "unable to decode symbol table entries") /* Set return value */ diff --git a/src/H5Gent.c b/src/H5Gent.c index 7987850..6e076ae 100644 --- a/src/H5Gent.c +++ b/src/H5Gent.c @@ -91,7 +91,7 @@ H5FL_BLK_EXTERN(str_buf); *------------------------------------------------------------------------- */ herr_t -H5G__ent_decode_vec(const H5F_t *f, const uint8_t **pp, H5G_entry_t *ent, unsigned n) +H5G__ent_decode_vec(const H5F_t *f, const uint8_t **pp, const uint8_t *p_end, H5G_entry_t *ent, unsigned n) { unsigned u; /* Local index variable */ herr_t ret_value = SUCCEED; /* Return value */ @@ -104,9 +104,12 @@ H5G__ent_decode_vec(const H5F_t *f, const uint8_t **pp, H5G_entry_t *ent, unsign HDassert(ent); /* decode entries */ - for(u = 0; u < n; u++) + for(u = 0; u < n; u++) { + if(*pp > p_end) + HGOTO_ERROR(H5E_SYM, H5E_CANTDECODE, FAIL, "ran off the end of the image buffer") if(H5G_ent_decode(f, pp, ent + u) < 0) HGOTO_ERROR(H5E_SYM, H5E_CANTDECODE, FAIL, "can't decode") + } done: FUNC_LEAVE_NOAPI(ret_value) diff --git a/src/H5Gpkg.h b/src/H5Gpkg.h index 76bf08b..20e595f 100644 --- a/src/H5Gpkg.h +++ b/src/H5Gpkg.h @@ -395,7 +395,7 @@ H5_DLL void H5G__ent_copy(H5G_entry_t *dst, const H5G_entry_t *src, H5_copy_depth_t depth); H5_DLL void H5G__ent_reset(H5G_entry_t *ent); H5_DLL herr_t H5G__ent_decode_vec(const H5F_t *f, const uint8_t **pp, - H5G_entry_t *ent, unsigned n); + const uint8_t *p_end, H5G_entry_t *ent, unsigned n); H5_DLL herr_t H5G__ent_encode_vec(const H5F_t *f, uint8_t **pp, const H5G_entry_t *ent, unsigned n); H5_DLL herr_t H5G__ent_convert(H5F_t *f, hid_t dxpl_id, H5HL_t *heap, -- cgit v0.12