File Compound-datatypes-may-not-have-members-of-size-0.patch of Package hdf5.26545
From: Egbert Eich <eich@suse.com> Date: Wed Oct 5 15:47:54 2022 +0200 Subject: Compound datatypes may not have members of size 0 Patch-mainline: Not yet Git-repo: https://github.com/HDFGroup/hdf5 Git-commit: 332ed3e68df3b5365d51f0713c42b39813e5e23a References: A member size of 0 may lead to an FPE later on as reported in CVE-2021-46244. To avoid this, check for this as soon as the member is decoded. This should probably be done in H5O_dtype_decode_helper() already, however it is not clear whether all sizes are expected to be != 0. This fixes CVE-2021-46244. Signed-off-by: Egbert Eich <eich@suse.com> Signed-off-by: Egbert Eich <eich@suse.de> --- src/H5Odtype.c | 6 ++++++ src/H5T.c | 2 ++ 2 files changed, 8 insertions(+) diff --git a/src/H5Odtype.c b/src/H5Odtype.c index 1942585fac..a37b4ead1d 100644 --- a/src/H5Odtype.c +++ b/src/H5Odtype.c @@ -333,6 +333,12 @@ H5O_dtype_decode_helper(H5F_t *f, unsigned *ioflags /*in,out*/, const uint8_t ** H5MM_xfree(dt->shared->u.compnd.memb); HGOTO_ERROR(H5E_DATATYPE, H5E_CANTDECODE, FAIL, "unable to decode member type") } /* end if */ + if (temp_type->shared->size == 0) { + for (j = 0; j <= i; j++) + H5MM_xfree(dt->shared->u.compnd.memb[j].name); + H5MM_xfree(dt->shared->u.compnd.memb); + HGOTO_ERROR(H5E_DATATYPE, H5E_CANTDECODE, FAIL, "invalid field size in member type") + } /* Upgrade the version if we can and it is necessary */ if (can_upgrade && temp_type->shared->version > version) { diff --git a/src/H5T.c b/src/H5T.c index 3185774353..b15a193403 100644 --- a/src/H5T.c +++ b/src/H5T.c 
@@ -3438,6 +3438,8 @@ H5T__complete_copy(H5T_t *new_dt, const H5T_t *old_dt, H5T_shared_t *reopened_fo if (new_dt->shared->u.compnd.memb[i].type->shared->size != old_dt->shared->u.compnd.memb[old_match].type->shared->size) { /* Adjust the size of the member */ + if (old_dt->shared->u.compnd.memb[old_match].size == 0) + HGOTO_ERROR(H5E_DATATYPE, H5E_BADVALUE, FAIL, "invalid field size in datatype") new_dt->shared->u.compnd.memb[i].size = (old_dt->shared->u.compnd.memb[old_match].size * tmp->shared->size) / old_dt->shared->u.compnd.memb[old_match].type->shared->size;
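Review bot: In the src/H5Odtype.c hunk, the new size == 0 branch frees the member names and dt->shared->u.compnd.memb but does nothing with temp_type, which has already been decoded successfully when this check runs. Unless the function's common error exit releases temp_type, this path leaks it, so release it here before HGOTO_ERROR. The branch also leaves dt->shared->u.compnd.memb pointing at freed memory, as the preceding error branch does; setting it to NULL after H5MM_xfree would make any later cleanup of dt safe. As a style point, the surrounding blocks close with a /* end if */ comment and the new one does not.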
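Review bot: In the src/H5T.c hunk, the added check tests old_dt->shared->u.compnd.memb[old_match].size, but the divisor in the expression that follows is old_dt->shared->u.compnd.memb[old_match].type->shared->size. A zero in the tested field only makes the product zero; the division still faults if the member type's shared size is zero, so the guard should test the divisor (or both values). The existing comment /* Adjust the size of the member */ now sits above the check rather than the assignment and should move down with it.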