From 0f94940f1a9ae95de38b70709eb413511b76c73b Mon Sep 17 00:00:00 2001
From: Egbert Eich
Date: Fri, 11 Nov 2022 07:05:00 +0100
Subject: H5O_dtype_decode_helper: Parent of enum needs to have same size as enum itself (#2237)
The size of the enumeration values is determined by the size of the parent. Functions accessing the enumeration values use the size of the enumeration to determine the size of each element and how much data to copy. Thus the size of the enumeration and its parent need to match. Check here to avoid unpleasant surprises later. This fixes CVE-2018-14031 / Bug #2236.
Signed-off-by: Egbert Eich
---
 release_docs/RELEASE.txt | 39 ++++++++++++++++++++++++++-------------
 src/H5Odtype.c | 2 ++
 2 files changed, 28 insertions(+), 13 deletions(-)
diff --git a/release_docs/RELEASE.txt b/release_docs/RELEASE.txt
index 8e4a3c2..158472c 100644
--- a/release_docs/RELEASE.txt
+++ b/release_docs/RELEASE.txt
@@ -172,19 +172,6 @@ Bug Fixes since HDF5-1.13.3 release
 ===================================
 Library
 -------
- - Fix CVE-2018-16438 / GHSA-9xmm-cpf8-rgmx
-
- Make sure info block for external links has at least 3 bytes.
-
- According to the specification, the information block for external links
- contains 1 byte of version/flag information and two 0 terminated strings
- for the object linked to and the full path.
- Although not very useful, the minimum string length for each (with
- terminating 0) would be one byte.
- Checking this helps to avoid SEGVs triggered by bogus files.
-
- (EFE - 2022/10/09 GH-2233)
-
 - Fix CVE-2018-13867 / GHSA-j8jr-chrh-qfrf
 Validate location (offset) of the accumulated metadata when comparing.
@@ -199,6 +186,19 @@ Bug Fixes since HDF5-1.13.3 release
 member in the same structure is true the location is valid.
 (EFE - 2022/10/10 GH-2230)
+
+ - Fix CVE-2018-16438 / GHSA-9xmm-cpf8-rgmx
+
+ Make sure info block for external links has at least 3 bytes.
+
+ According to the specification, the information block for external links
+ contains 1 byte of version/flag information and two 0 terminated strings
+ for the object linked to and the full path.
+ Although not very useful, the minimum string length for each (with
+ terminating 0) would be one byte.
+ Checking this helps to avoid SEGVs triggered by bogus files.
+
+ (EFE - 2022/10/09 GH-2233)
 - Fix CVE-2021-45830 / GHSA-5h2h-fjjr-x9m2
@@ -213,6 +213,19 @@ Bug Fixes since HDF5-1.13.3 release
 (EFE - 2022/10/05 GH-2228)
+
+ - Fix CVE-2018-14031 / GHSA-2xc7-724c-r36j
+
+ Parent of enum datatype message must have the same size as the
+ enum datatype message itself.
+ Functions accessing the enumeration values use the size of the
+ enumeration datatype to determine the size of each element and
+ how much data to copy.
+ Thus the size of the enumeration and its parent need to match.
+ Check in H5O_dtype_decode_helper() to avoid unpleasant surprises
+ later.
+
+ (EFE - 2022/09/28 GH-2236)
+
 - Fix CVE-2018-17439 / GHSA-vcxv-vp43-rch7
 H5IMget_image_info(): Make sure to not exceed local array size
diff --git a/src/H5Odtype.c b/src/H5Odtype.c
index 831344b..870aeac 100644
--- a/src/H5Odtype.c
+++ b/src/H5Odtype.c
@@ -470,6 +470,8 @@ H5O__dtype_decode_helper(unsigned *ioflags /*in,out*/, const uint8_t **pp, H5T_t
 HGOTO_ERROR(H5E_RESOURCE, H5E_NOSPACE, FAIL, "memory allocation failed")
 if (H5O__dtype_decode_helper(ioflags, pp, dt->shared->parent) < 0)
 HGOTO_ERROR(H5E_DATATYPE, H5E_CANTDECODE, FAIL, "unable to decode parent datatype")
+ if (dt->shared->parent->shared->size != dt->shared->size)
+ HGOTO_ERROR(H5E_DATATYPE, H5E_BADSIZE, FAIL, "ENUM datatype size does not match parent")
 /* Check if the parent of this enum has a version greater than the
 * enum itself. */
-- cgit v0.12
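Review bot: The new size comparison on the first added line carries no comment saying why the parent and the enum must have the same size, so a later reader may take it for an over-strict constraint and relax it; the rationale currently lives only in the commit message. Suggest a comment directly above the `if`, along the lines of `/* Enum member values are sized by the parent type but are read back using this enum's size, so the two must agree (CVE-2018-14031) */`. The placement looks right: the check runs only after the parent decode has returned success, so the `shared` pointers it dereferences are valid, and it presumably precedes the decoding of the member values that the mismatch would corrupt. H5O__dtype_decode_helper's body continues outside the hunk, so whether its `done:` path releases the already-allocated `dt->shared->parent` on this new HGOTO_ERROR exit could not be confirmed from here.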