From: Egbert Eich <eich@suse.com>
Date: Wed Sep 28 19:11:16 2022 +0200
Subject: Report error if dimensions of chunked storage in data layout < 2
Patch-mainline: Not yet
Git-repo: ssh://eich@192.168.122.1:/home/eich/sources/HPC/hdf5
Git-commit: 34b621424504265cff3c33cf634a70efb52db180
References: 

For Data Layout Messages version 1 & 2 the specification state
that the value stored in the data field is 1 greater than the
number of dimensions in the dataspace. For version 3 this is
not explicitly stated but the implementation suggests it to be
the case.
Thus the set value needs to be at least 2. For dimensionality
< 2 an out-of-bounds access occurs as in CVE-2021-45833.

This fixes CVE-2021-45833.

Signed-off-by: Egbert Eich <eich@suse.com>
Signed-off-by: Egbert Eich <eich@suse.de>
---
 src/H5Olayout.c |    4 ++++
 1 file changed, 4 insertions(+)
Index: hdf5-1.12.3/src/H5Olayout.c
===================================================================
--- hdf5-1.12.3.orig/src/H5Olayout.c
+++ hdf5-1.12.3/src/H5Olayout.c
@@ -291,6 +291,10 @@ H5O__layout_decode(H5F_t *f, H5O_t H5_AT
                     if (mesg->u.chunk.ndims < 2)
                         HGOTO_ERROR(H5E_OHDR, H5E_BADVALUE, NULL, "bad dimensions for chunked storage")
 
+                    if (mesg->u.chunk.ndims < 2)
+                        HGOTO_ERROR(H5E_OHDR, H5E_CANTLOAD, NULL,
+                                    "bad dimensions for chunked storage")
+
                     /* B-tree address */
                     if (H5_IS_BUFFER_OVERFLOW(p, H5F_SIZEOF_ADDR(f), p_end))
                         HGOTO_ERROR(H5E_OHDR, H5E_OVERFLOW, NULL,