From 86ddedf522aa8a72cfe03b9275ae16800d1fb5b9 Mon Sep 17 00:00:00 2001
From: Dana Robinson <43805+derobins@users.noreply.github.com>
Date: Wed, 2 Aug 2023 15:44:19 -0700
Subject: Fix CVE-2018-13867 (#3336)

---
 release_docs/RELEASE.txt | 9 +++++++++
 src/H5HLcache.c          | 6 ++++++
 2 files changed, 15 insertions(+)

diff --git a/release_docs/RELEASE.txt b/release_docs/RELEASE.txt
index c76a66a..d9c907b 100644
--- a/release_docs/RELEASE.txt
+++ b/release_docs/RELEASE.txt
@@ -265,6 +265,15 @@ Bug Fixes since HDF5-1.14.0 release
 ===================================
     Library
     -------
+    - Fixed CVE-2018-13867
+
+      A corrupt file containing an invalid local heap datablock address
+      could trigger an assert failure when the metadata cache attempted
+      to load the datablock from storage.
+
+      The local heap now verifies that the datablock address is valid
+      when the local heap header information is parsed.
+
     - Fixed CVE-2018-11202
 
       A malformed file could result in chunk index memory leaks. Under most
diff --git a/src/H5HLcache.c b/src/H5HLcache.c
index 653590d..377bc0f 100644
--- a/src/H5HLcache.c
+++ b/src/H5HLcache.c
@@ -194,6 +194,12 @@ H5HL__hdr_deserialize(H5HL_t *heap, const uint8_t *image, size_t len, H5HL_cache
         HGOTO_ERROR(H5E_HEAP, H5E_OVERFLOW, FAIL, "ran off end of input buffer while decoding");
     H5F_addr_decode_len(udata->sizeof_addr, &image, &(heap->dblk_addr));
 
+    /* Check that the datablock address is valid (might not be true
+     * in a corrupt file)
+     */
+    if (!H5_addr_defined(heap->dblk_addr))
+        HGOTO_ERROR(H5E_HEAP, H5E_BADVALUE, FAIL, "bad datablock address");
+
 done:
     FUNC_LEAVE_NOAPI(ret_value)
 } /* end H5HL__hdr_deserialize() */
-- 
cgit v0.12