2022-10-24 08:53:22 +02:00
|
|
|
From: Egbert Eich <eich@suse.com>
|
|
|
|
|
Date: Wed Sep 28 19:11:16 2022 +0200
|
|
|
|
|
Subject: Report error if dimensions of chunked storage in data layout < 2
|
|
|
|
|
Patch-mainline: Not yet
|
|
|
|
|
Git-repo: ssh://eich@192.168.122.1:/home/eich/sources/HPC/hdf5
|
|
|
|
|
Git-commit: 34b621424504265cff3c33cf634a70efb52db180
|
|
|
|
|
References:
|
|
|
|
|
|
|
|
|
|
For Data Layout Messages version 1 & 2 the specification state
|
|
|
|
|
that the value stored in the data field is 1 greater than the
|
|
|
|
|
number of dimensions in the dataspace. For version 3 this is
|
|
|
|
|
not explicitly stated but the implementation suggests it to be
|
|
|
|
|
the case.
|
|
|
|
|
Thus the set value needs to be at least 2. For dimensionality
|
|
|
|
|
< 2 an out-of-bounds access occurs as in CVE-2021-45833.
|
|
|
|
|
|
|
|
|
|
This fixes CVE-2021-45833.
|
|
|
|
|
|
|
|
|
|
Signed-off-by: Egbert Eich <eich@suse.com>
|
|
|
|
|
Signed-off-by: Egbert Eich <eich@suse.de>
|
|
|
|
|
---
|
2024-05-14 17:19:49 +02:00
|
|
|
src/H5Olayout.c | 4 ++++
|
|
|
|
|
1 file changed, 4 insertions(+)
|
|
|
|
|
Index: hdf5-1.12.3/src/H5Olayout.c
|
|
|
|
|
===================================================================
|
|
|
|
|
--- hdf5-1.12.3.orig/src/H5Olayout.c
|
|
|
|
|
+++ hdf5-1.12.3/src/H5Olayout.c
|
|
|
|
|
@@ -291,6 +291,10 @@ H5O__layout_decode(H5F_t *f, H5O_t H5_AT
|
|
|
|
|
if (mesg->u.chunk.ndims < 2)
|
|
|
|
|
HGOTO_ERROR(H5E_OHDR, H5E_BADVALUE, NULL, "bad dimensions for chunked storage")
|
|
|
|
|
|
2022-10-24 08:53:22 +02:00
|
|
|
+ if (mesg->u.chunk.ndims < 2)
|
|
|
|
|
+ HGOTO_ERROR(H5E_OHDR, H5E_CANTLOAD, NULL,
|
|
|
|
|
+ "bad dimensions for chunked storage")
|
2024-05-14 17:19:49 +02:00
|
|
|
+
|
2022-10-24 08:53:22 +02:00
|
|
|
/* B-tree address */
|
2024-05-14 17:19:49 +02:00
|
|
|
if (H5_IS_BUFFER_OVERFLOW(p, H5F_SIZEOF_ADDR(f), p_end))
|
|
|
|
|
HGOTO_ERROR(H5E_OHDR, H5E_OVERFLOW, NULL,
|
