From f4138013dbc6851e968ea3d37b32776538ef306b Mon Sep 17 00:00:00 2001
From: Binh-Minh Ribler <bmribler@hdfgroup.org>
Date: Tue, 15 Jan 2019 13:07:22 -0600
Subject: Fixed HDFFV-10578

Description:
    - HDFFV-10578 - CVE-2018-17234  Memory leak in H5O__chunk_deserialize()
        Actually, the leak was in h5tools_util.  Applied Neil's fix.
    - Changed an assert to if/HGOTO_ERROR to fail gracefully.
Platforms tested:
    Linux/64 (jelly)
    Linux/64 (platypus)
    Darwin (osx1010test)
---
 src/H5Ocache.c            |  3 ++-
 src/H5VM.c                |  2 +-
 tools/lib/h5tools_utils.c | 17 ++++++++++++++++-
 3 files changed, 19 insertions(+), 3 deletions(-)

diff --git a/src/H5Ocache.c b/src/H5Ocache.c
index 1d69028..1fa4b10 100644
--- a/src/H5Ocache.c
+++ b/src/H5Ocache.c
@@ -1390,7 +1390,8 @@ H5O__chunk_deserialize(H5O_t *oh, haddr_t addr, size_t len, const uint8_t *image
 
         /* Message size */
         UINT16DECODE(chunk_image, mesg_size);
-        HDassert(mesg_size == H5O_ALIGN_OH(oh, mesg_size));
+        if(mesg_size != H5O_ALIGN_OH(oh, mesg_size))
+            HGOTO_ERROR(H5E_OHDR, H5E_CANTLOAD, FAIL, "message not aligned")
 
         /* Message flags */
         flags = *chunk_image++;
diff --git a/src/H5VM.c b/src/H5VM.c
index 4c0b837..452d378 100644
--- a/src/H5VM.c
+++ b/src/H5VM.c
@@ -1548,7 +1548,7 @@ done:
  *
  * Purpose:	Given source and destination buffers in memory (SRC & DST)
  *              copy sequences of from the source buffer into the destination
- *              buffer.  Each set of sequnces has an array of lengths, an
+ *              buffer.  Each set of sequences has an array of lengths, an
  *              array of offsets, the maximum number of sequences and the
  *              current sequence to start at in the sequence.
  *
diff --git a/tools/lib/h5tools_utils.c b/tools/lib/h5tools_utils.c
index 8ac0d32..e7e017f 100644
--- a/tools/lib/h5tools_utils.c
+++ b/tools/lib/h5tools_utils.c
@@ -561,6 +561,8 @@ herr_t
 init_objs(hid_t fid, find_objs_t *info, table_t **group_table,
     table_t **dset_table, table_t **type_table)
 {
+    herr_t ret_value = SUCCEED;
+
     /* Initialize the tables */
     init_table(group_table);
     init_table(dset_table);
@@ -573,7 +575,20 @@ init_objs(hid_t fid, find_objs_t *info, table_t **group_table,
     info->dset_table = *dset_table;
 
     /* Find all shared objects */
-    return(h5trav_visit(fid, "/", TRUE, TRUE, find_objs_cb, NULL, info, H5O_INFO_BASIC));
+    if((ret_value = h5trav_visit(fid, "/", TRUE, TRUE, find_objs_cb, NULL, info, H5O_INFO_BASIC)) < 0)
+        HGOTO_ERROR(FAIL, H5E_tools_min_id_g, "finding shared objects failed")
+
+done:
+    /* Release resources */
+    if(ret_value < 0) {
+        free_table(*group_table);
+        info->group_table = NULL;
+        free_table(*type_table);
+        info->type_table = NULL;
+        free_table(*dset_table);
+        info->dset_table = NULL;
+    }
+    return ret_value;
 }
 
 
-- 
cgit v0.12