From 34ec3bb7bc129f52bda4d82601f3bce65426459d Mon Sep 17 00:00:00 2001 From: Egbert Eich Date: Fri, 11 Nov 2022 06:41:53 +0100 Subject: Make sure info block for external links has at least 3 bytes (#2234) According to the specification, the information block for external links contains 1 byte of version/flag information and two 0 terminated strings for the object linked to and the full path. Although not very useful, the minimum string length for each (with terminating 0) would be one byte. Checking this will help to avoid SEGVs triggered by bogus files. This fixes CVE-2018-16438 / Bug #2233. Signed-off-by: Egbert Eich --- release_docs/RELEASE.txt | 13 +++++++++++++ src/H5Olink.c | 2 ++ 2 files changed, 15 insertions(+) diff --git a/release_docs/RELEASE.txt b/release_docs/RELEASE.txt index a8e9011..8e4a3c2 100644 --- a/release_docs/RELEASE.txt +++ b/release_docs/RELEASE.txt @@ -172,6 +172,19 @@ Bug Fixes since HDF5-1.13.3 release =================================== Library ------- + - Fix CVE-2018-16438 / GHSA-9xmm-cpf8-rgmx + + Make sure info block for external links has at least 3 bytes. + + According to the specification, the information block for external links + contains 1 byte of version/flag information and two 0 terminated strings + for the object linked to and the full path. + Although not very useful, the minimum string length for each (with + terminating 0) would be one byte. + Checking this helps to avoid SEGVs triggered by bogus files. + + (EFE - 2022/10/09 GH-2233) + - Fix CVE-2018-13867 / GHSA-j8jr-chrh-qfrf Validate location (offset) of the accumulated metadata when comparing. diff --git a/src/H5Olink.c b/src/H5Olink.c index 6146bbb..dabf87e 100644 --- a/src/H5Olink.c +++ b/src/H5Olink.c 
@@ -239,6 +239,8 @@ H5O__link_decode(H5F_t *f, H5O_t H5_ATTR_UNUSED *open_oh, unsigned H5_ATTR_UNUSE
 /* A UD link. Get the user-supplied data */
 UINT16DECODE(p, len)
+ if (lnk->type == H5L_TYPE_EXTERNAL && len < 3)
+ HGOTO_ERROR(H5E_OHDR, H5E_OVERFLOW, NULL, "external link information length < 3")
 lnk->u.ud.size = len;
 if (len > 0) {
 /* Make sure that length doesn't exceed buffer size, which could
-- cgit v0.12
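Review bot: The new `len < 3` check on the H5L_TYPE_EXTERNAL path is necessary but not sufficient to make the user data safe to parse: it guarantees three bytes are present, not that the two strings inside the user data are actually NUL-terminated within `lnk->u.ud.size` bytes, so a crafted file can still present a flag byte followed by unterminated data. Wherever the external-link user data is later split into the object name and file path (outside this hunk), the string scans should be bounded by `lnk->u.ud.size` (e.g. `memchr`) rather than relying on a terminator being present, and a comment here should say where that happens: `/* Minimum is 1 flag byte + two NUL-terminated strings; terminator presence is checked when the ud data is parsed */`, adjusted to what that parser actually does. As a nit, `H5E_OVERFLOW` reads oddly for a length that is too small; `H5E_BADVALUE` may describe the condition better. H5O__link_decode starts before and continues after the hunk, so the existing buffer-size check and the error cleanup path are not visible here.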