From e1b59919bb96f68f3b372a73790ecbe4ac3b395a Mon Sep 17 00:00:00 2001 From: Binh-Minh Ribler Date: Sun, 6 Jan 2019 01:44:40 -0600 Subject: HDFFV-10578 and HDFFV-10676 Description: HDFFV-10578 - CVE-2018-17234 The file has some issue, however, there was a bug in h5dump that caused memory leaks after the problem in the file was encountered. The bug was that an if statement was missing in the function table_list_add() resulting in the memory not being freed at a later time. After the fix had been applied, there were no more leaks after h5dump detected the issue in the file and reported the error. In H5O__chunk_deserialize, replaced an assert with an if statement and reporting error, per Neil's recommendation HDFFV-10676 - CVE-2018-13873 Also in H5O__chunk_deserialize, added an assertion to detect out of bound ids --- src/H5Ocache.c | 5 ++++- tools/src/h5dump/h5dump.c | 7 ++++--- 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/src/H5Ocache.c b/src/H5Ocache.c index fba4f6e..034048f 100644 --- a/src/H5Ocache.c +++ b/src/H5Ocache.c @@ -1390,7 +1390,8 @@ H5O__chunk_deserialize(H5O_t *oh, haddr_t addr, size_t len, const uint8_t *image /* Message size */ UINT16DECODE(chunk_image, mesg_size); - HDassert(mesg_size == H5O_ALIGN_OH(oh, mesg_size)); + if(mesg_size != H5O_ALIGN_OH(oh, mesg_size)) + HGOTO_ERROR(H5E_OHDR, H5E_CANTLOAD, FAIL, "message not aligned") /* Message flags */ flags = *chunk_image++; @@ -1402,6 +1403,8 @@ H5O__chunk_deserialize(H5O_t *oh, haddr_t addr, size_t len, const uint8_t *image HGOTO_ERROR(H5E_OHDR, H5E_CANTLOAD, FAIL, "bad flag combination for message") if((flags & H5O_MSG_FLAG_WAS_UNKNOWN) && !(flags & H5O_MSG_FLAG_MARK_IF_UNKNOWN)) HGOTO_ERROR(H5E_OHDR, H5E_CANTLOAD, FAIL, "bad flag combination for message") + + HDassert(id < NELMTS(H5O_msg_class_g)); if((flags & H5O_MSG_FLAG_SHAREABLE) && H5O_msg_class_g[id] && !(H5O_msg_class_g[id]->share_flags & H5O_SHARE_IS_SHARABLE)) 
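Review bot: The new alignment check on `mesg_size` in the first H5Ocache.c hunk carries no comment saying why it is a runtime error rather than an assertion, so a later cleanup could turn it back into an `HDassert`. `mesg_size` is decoded from `chunk_image` on the line above, so its value comes from the file being read. A one-line comment above the `if`, such as `/* mesg_size is read from the file image: validate at runtime, not with an assert */`, would record that. H5O__chunk_deserialize starts and ends outside this hunk.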
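Review bot: The added `HDassert(id < NELMTS(H5O_msg_class_g));` in the second H5Ocache.c hunk only protects builds with assertions enabled; HDassert is the library's assert wrapper, so in a release build the `H5O_msg_class_g[id]` reads on the following line are still reached with whatever `id` holds. This is the same pattern the first hunk of this commit removes for `mesg_size`. If `id` is decoded from the chunk image and not clamped earlier (its decoding is outside the hunk, so this is inferred), the bound should be a runtime check in the surrounding style: `if(id >= NELMTS(H5O_msg_class_g)) HGOTO_ERROR(H5E_OHDR, H5E_CANTLOAD, FAIL, "bad message type ID")`. If unknown ids are meant to be accepted and handled further down, the alternative is to add `id < NELMTS(H5O_msg_class_g) &&` to the shareable-flag condition instead of failing the load.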
diff --git a/tools/src/h5dump/h5dump.c b/tools/src/h5dump/h5dump.c index b9e37e8..5267188 100644 --- a/tools/src/h5dump/h5dump.c +++ b/tools/src/h5dump/h5dump.c @@ -407,9 +407,10 @@ table_list_add(hid_t oid, unsigned long file_no) } if(init_objs(oid, &info, &table_list.tables[idx].group_table, &table_list.tables[idx].dset_table, &table_list.tables[idx].type_table) < 0) { - H5Idec_ref(oid); - table_list.nused--; - return -1; + if (H5Idec_ref(oid) < 0) { + table_list.nused--; + return -1; + } } #ifdef H5DUMP_DEBUG -- cgit v0.12
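Review bot: After this change a failed `init_objs()` returns -1 only when `H5Idec_ref(oid)` also fails; when the decrement succeeds, which is the expected case, control falls out of the block and the function carries on as though the tables had been built. The entry then stays counted in `table_list.nused` although the reference on `oid` has already been dropped, so if later cleanup decrements the id of each used entry (not visible here; table_list_add starts and ends outside the hunk) that id is released twice. The error return should not depend on the result of H5Idec_ref: either release what init_objs allocated in the three tables here and then run `table_list.nused--; return -1;` unconditionally, or keep both the entry and its reference for the normal cleanup path and report the failure through a separate return path. Whichever is chosen, a comment on the branch stating who frees the partially built tables would make the leak fix auditable.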