From 0a7128c0d5bd035288be7b02ca9cf9bba321aadd Mon Sep 17 00:00:00 2001 From: Dana Robinson Date: Mon, 26 Feb 2018 20:16:13 -0800 Subject: Fix for HDFFV-10357 (CVE-2017-17508). --- release_docs/RELEASE.txt | 15 +++++++++++++++ src/H5T.c | 5 +++++ 2 files changed, 20 insertions(+) diff --git a/release_docs/RELEASE.txt b/release_docs/RELEASE.txt index ebdb5f8..549b8a2 100644 --- a/release_docs/RELEASE.txt +++ b/release_docs/RELEASE.txt @@ -174,6 +174,21 @@ Bug Fixes since HDF5-1.8.20 (DER - 2018/02/26, HDFFV-10355) + - If an HDF5 file contains a malformed compound type which contains + a member of size zero, a division by zero error will occur while + processing the type. + + This issue was reported to The HDF Group as issue #CVE-2017-17508. + + NOTE: The HDF5 C library cannot produce such a file. This condition + should only occur in a corrupt (or deliberately altered) file + or a file created by third-party software. + + Checking for zero before dividing fixes the problem. Instead of the + division by zero, the normal HDF5 error handling is invoked. + + (DER - 2018/02/26, HDFFV-10357) + Configuration ------------- - CMake diff --git a/src/H5T.c b/src/H5T.c index 36b4c63..f4c10a5 100644 --- a/src/H5T.c +++ b/src/H5T.c @@ -5174,6 +5174,11 @@ H5T_set_loc(H5T_t *dt, H5F_t *f, H5T_loc_t loc) /* Check if the field changed size */ if(old_size != memb_type->shared->size) { + + /* Fail if the old_size is zero */ + if (0 == old_size) + HGOTO_ERROR(H5E_DATATYPE, H5E_BADVALUE, FAIL, "old_size of zero would cause division by zero"); + /* Adjust the size of the member */ dt->shared->u.compnd.memb[i].size = (dt->shared->u.compnd.memb[i].size*memb_type->shared->size)/old_size; -- cgit v0.12