Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-15-SP5:GA
hdf5.27828
H5O_fsinfo_decode-Make-more-resilient-to-out-of...
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File H5O_fsinfo_decode-Make-more-resilient-to-out-of-bounds-read.patch of Package hdf5.27828
From: Egbert Eich <eich@suse.com> Date: Wed Oct 5 07:17:24 2022 +0200 Subject: H5O_fsinfo_decode() Make more resilient to out-of-bounds read Patch-mainline: Not yet Git-repo: https://github.com/HDFGroup/hdf5 Git-commit: 46763e3c6111a0eb20e9198a99f4dbbfa6845af5 References: Malformed hdf5 files may have trunkated content which does not match the expected size. This function attempts to decode these it will read past the end of the allocated space which may lead to a crash. Make sure each element is within bounds before reading. This fixes CVE-2021-45830. Signed-off-by: Egbert Eich <eich@suse.com> Additions Signed-off-by: Egbert Eich <eich@suse.de> --- src/H5Ofsinfo.c | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/src/H5Ofsinfo.c b/src/H5Ofsinfo.c index 5628350d72..f50077470b 100644 --- a/src/H5Ofsinfo.c +++ b/src/H5Ofsinfo.c @@ -78,6 +78,13 @@ H5FL_DEFINE_STATIC(H5O_fsinfo_t); * *------------------------------------------------------------------------- */ +static char err[] = "ran off end of input buffer while decoding"; +#define VERIFY_LIMIT(p,s,l) \ + if (p + s - 1 > l) { \ + HCOMMON_ERROR(H5E_RESOURCE, H5E_NOSPACE, err); \ + HGOTO_DONE(NULL) \ + } + static void * H5O_fsinfo_decode(H5F_t *f, H5O_t H5_ATTR_UNUSED *open_oh, unsigned H5_ATTR_UNUSED mesg_flags, unsigned H5_ATTR_UNUSED *ioflags, size_t p_size, const uint8_t *p) @@ -102,6 +109,7 @@ H5O_fsinfo_decode(H5F_t *f, H5O_t H5_ATTR_UNUSED *open_oh, unsigned H5_ATTR_UNUS fsinfo->fs_addr[ptype - 1] = HADDR_UNDEF; /* Version of message */ + VERIFY_LIMIT(p,1,p_end) vers = *p++; if (vers == H5O_FSINFO_VERSION_0) { @@ -115,6 +123,7 @@ H5O_fsinfo_decode(H5F_t *f, H5O_t H5_ATTR_UNUSED *open_oh, unsigned H5_ATTR_UNUS fsinfo->pgend_meta_thres = H5F_FILE_SPACE_PGEND_META_THRES; fsinfo->eoa_pre_fsm_fsalloc = HADDR_UNDEF; + VERIFY_LIMIT(p, 1 + H5F_SIZEOF_SIZE(f), p_end); strategy = (H5F_file_space_type_t)*p++; /* File space strategy */ H5F_DECODE_LENGTH(f, p, threshold); /* Free-space section threshold */ @@ -160,6 +169,7 @@ H5O_fsinfo_decode(H5F_t *f, H5O_t H5_ATTR_UNUSED *open_oh, unsigned H5_ATTR_UNUS HDassert(vers >= H5O_FSINFO_VERSION_1); fsinfo->version = vers; + VERIFY_LIMIT(p, 1 + 1 + 2 * H5F_SIZEOF_SIZE(f) + 2 + H5F_SIZEOF_ADDR(f), p_end); fsinfo->strategy = (H5F_fspace_strategy_t)*p++; /* File space strategy */ fsinfo->persist = *p++; /* Free-space persist or not */ H5F_DECODE_LENGTH(f, p, fsinfo->threshold); /* Free-space section threshold */ @@ -171,9 +181,11 @@ H5O_fsinfo_decode(H5F_t *f, H5O_t H5_ATTR_UNUSED *open_oh, unsigned H5_ATTR_UNUS /* Decode addresses of free space managers, if persisting */ if (fsinfo->persist) - for (ptype = H5F_MEM_PAGE_SUPER; ptype < H5F_MEM_PAGE_NTYPES; ptype++) + for (ptype = H5F_MEM_PAGE_SUPER; ptype < H5F_MEM_PAGE_NTYPES; ptype++) { + VERIFY_LIMIT(p, H5F_SIZEOF_SIZE(f), p_end); H5F_addr_decode(f, &p, &(fsinfo->fs_addr[ptype - 1])); + } fsinfo->mapped = FALSE; }
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor