From a689bcc9f7ea7dfeb77211c081ee1d151735bbc4a5cccdcd27b7f284dae2b122 Mon Sep 17 00:00:00 2001
From: Egbert Eich
Date: Thu, 16 Feb 2023 18:31:53 +0000
Subject: [PATCH] Accepting request 1066178 from home:eeich:branches:science
- Fix CVE-2021-37501 - overflow in calculation of data buffer due to bogus input file (bsc#1207973).
https://github.com/HDFGroup/hdf5/issues/2458
https://github.com/HDFGroup/hdf5/pull/2459
Check-for-overflow-when-calculating-on-disk-attribute-data-size-2459.patch
Remove-duplicate-code.patch
OBS-URL: https://build.opensuse.org/request/show/1066178
OBS-URL: https://build.opensuse.org/package/show/science/hdf5?expand=0&rev=162
---
 ...ing-on-disk-attribute-data-size-2459.patch | 66 +++++++++++++++++++
 Remove-duplicate-code.patch | 28 ++++++++
 hdf5.changes | 10 +++
 hdf5.spec | 8 ++-
 4 files changed, 110 insertions(+), 2 deletions(-)
 create mode 100644 Check-for-overflow-when-calculating-on-disk-attribute-data-size-2459.patch
 create mode 100644 Remove-duplicate-code.patch
diff --git a/Check-for-overflow-when-calculating-on-disk-attribute-data-size-2459.patch b/Check-for-overflow-when-calculating-on-disk-attribute-data-size-2459.patch
new file mode 100644
index 0000000..caeb187
--- /dev/null
+++ b/Check-for-overflow-when-calculating-on-disk-attribute-data-size-2459.patch
@@ -0,0 +1,66 @@
+From: Egbert Eich
+Date: Sat Feb 11 13:54:17 2023 +0100
+Subject: Check for overflow when calculating on-disk attribute data size (#2459)
+Patch-mainline: Not yet
+Git-repo: https://github.com/HDFGroup/hdf5
+Git-commit: 0d026daa13a81be72495872f651c036fdc84ae5e
+References:
+
+A bogus hdf5 file may contain dataspace messages with sizes
+which lead to the on-disk data sizes to exceed what is addressable.
+When calculating the size, make sure, the multiplication does not
+overflow.
+The test case was crafted in a way that the overflow caused the
+size to be 0.
+
+This fixes CVE-2021-37501 / Bug #2458.
+
+Signed-off-by: Egbert Eich
+Signed-off-by: Egbert Eich
+---
+ src/H5Oattr.c | 3 +++
+ src/H5private.h | 18 ++++++++++++++++++
+ 2 files changed, 21 insertions(+)
+diff --git a/src/H5Oattr.c b/src/H5Oattr.c
+index 4dee7aa187..3ef0b99aa4 100644
+--- a/src/H5Oattr.c
++++ b/src/H5Oattr.c
+@@ -235,6 +235,9 @@ H5O_attr_decode(H5F_t *f, H5O_t *open_oh, unsigned H5_ATTR_UNUSED mesg_flags, un
+
+ /* Compute the size of the data */
+ H5_CHECKED_ASSIGN(attr->shared->data_size, size_t, ds_size * (hsize_t)dt_size, hsize_t);
++ H5_CHECK_MUL_OVERFLOW(attr->shared->data_size, ds_size, dt_size,
++ HGOTO_ERROR(H5E_RESOURCE, H5E_OVERFLOW, NULL,
++ "data size exceeds addressable range"))
+
+ /* Go get the data */
+ if (attr->shared->data_size) {
+diff --git a/src/H5private.h b/src/H5private.h
+index 931d7b9046..a115aee1a4 100644
+--- a/src/H5private.h
++++ b/src/H5private.h
+@@ -1605,6 +1605,24 @@ H5_DLL int HDvasprintf(char **bufp, const char *fmt, va_list _ap);
+ #define H5_CHECK_OVERFLOW(var, vartype, casttype)
+ #endif /* NDEBUG */
+
++/*
++ * A macro for checking whether a multiplication has overflown
++ * r is assumed to be the result of a prior multiplication of a and b
++ */
++#define H5_CHECK_MUL_OVERFLOW(r, a, b, err) \
++ { \
++ bool mul_overflow = false; \
++ if (r != 0) { \
++ if (r / a != b) \
++ mul_overflow = true; \
++ } else { \
++ if (a != 0 && b != 0) \
++ mul_overflow = true; \
++ } \
++ if (mul_overflow) \
++ err \
++ }
++
+ /*
+ * A macro for detecting over/under-flow when assigning between types
+ */
diff --git a/Remove-duplicate-code.patch b/Remove-duplicate-code.patch
new file mode 100644
index 0000000..04f5f17
--- /dev/null
+++ b/Remove-duplicate-code.patch
@@ -0,0 +1,28 @@
+From: Egbert Eich
+Date: Sat Feb 11 18:08:15 2023 +0100
+Subject: Remove duplicate code
+Patch-mainline: Not yet
+Git-repo: https://github.com/HDFGroup/hdf5
+Git-commit: 539bca81e2b5713b1c6c5723d742377fb92c1ac1
+References:
+
+Signed-off-by: Egbert Eich
+Signed-off-by: Egbert Eich
+---
+ src/H5Oattr.c | 4 ----
+ 1 file changed, 4 deletions(-)
+diff --git a/src/H5Oattr.c b/src/H5Oattr.c
+index 3ef0b99aa4..19d3abfb4c 100644
+--- a/src/H5Oattr.c
++++ b/src/H5Oattr.c
+@@ -222,10 +222,6 @@ H5O_attr_decode(H5F_t *f, H5O_t *open_oh, unsigned H5_ATTR_UNUSED mesg_flags, un
+ else
+ p += attr->shared->ds_size;
+
+- /* Get the datatype's size */
+- if (0 == (dt_size = H5T_get_size(attr->shared->dt)))
+- HGOTO_ERROR(H5E_ATTR, H5E_CANTGET, NULL, "unable to get datatype size")
+-
+ /* Get the datatype & dataspace sizes */
+ if (0 == (dt_size = H5T_get_size(attr->shared->dt)))
+ HGOTO_ERROR(H5E_ATTR, H5E_CANTGET, NULL, "unable to get datatype size")
diff --git a/hdf5.changes b/hdf5.changes
index c1dacb7..7013194 100644
--- a/hdf5.changes
+++ b/hdf5.changes
@@ -1,3 +1,13 @@
+-------------------------------------------------------------------
+Mon Feb 13 09:18:05 UTC 2023 - Egbert Eich
+
+- Fix CVE-2021-37501 - overflow in calculation of data buffer due to bogus
+ input file (bsc#1207973).
+ https://github.com/HDFGroup/hdf5/issues/2458
+ https://github.com/HDFGroup/hdf5/pull/2459
+ Check-for-overflow-when-calculating-on-disk-attribute-data-size-2459.patch
+ Remove-duplicate-code.patch
+
 -------------------------------------------------------------------
 Tue Nov 15 04:52:12 UTC 2022 - Atri Bhattacharya
 
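Review bot: The H5_CHECK_MUL_OVERFLOW macro added to src/H5private.h by Check-for-overflow-when-calculating-on-disk-attribute-data-size-2459.patch uses its arguments unparenthesized, evaluates them more than once, and has a bare `{ … }` body, so an argument containing a lower-precedence operator or a side effect would change what the overflow test computes. I would write the tests as `if ((r) / (a) != (b))` and `if ((a) != 0 && (b) != 0)` and wrap the body in `do { … } while (0)`, adding a `;` after the call in H5O_attr_decode (whose body starts and ends outside the inner hunk). The macro comment should also state its preconditions: the operands are unsigned, r holds the wrapped product, and `r != 0` implies `a != 0`, which is what keeps the division safe. The check runs after H5_CHECKED_ASSIGN, whose definition is not in the hunk; if that macro asserts in non-NDEBUG builds, a crafted file could hit the assertion before the new error path where size_t is narrower than hsize_t, so the ordering is worth confirming. The inner diffstat lists only src/H5Oattr.c and src/H5private.h, so the crafted file mentioned in the description is not added as a regression test.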
diff --git a/hdf5.spec b/hdf5.spec index 849fb1a..c178e9b 100644 --- a/hdf5.spec +++ b/hdf5.spec @@ -1,7 +1,7 @@ # -# spec file for package hdf5 +# spec file # -# Copyright (c) 2022 SUSE LLC +# Copyright (c) 2023 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -450,6 +450,8 @@ Patch108: Make-sure-info-block-for-external-links-has-at-least-3-bytes.pat Patch109: Hot-fix-for-CVE-2020-10812.patch Patch110: Compound-datatypes-may-not-have-members-of-size-0.patch Patch111: H5IMget_image_info-H5Sget_simple_extent_dims-does-not-exceed-array-size.patch +Patch112: Check-for-overflow-when-calculating-on-disk-attribute-data-size-2459.patch +Patch113: Remove-duplicate-code.patch BuildRequires: fdupes %if 0%{?use_sz2} @@ -704,6 +706,8 @@ library packages. %patch109 -p1 %patch110 -p1 %patch111 -p1 +%patch112 -p1 +%patch113 -p1 %if %{without hpc} # baselibs looks different for different flavors - generate it on the fly