aa78456748
* Update to version 1.12.3. * Drop upstreamed patches: Remove-duplicate-code.patch, H5O__pline_decode-Make-more-resilient-to-out-of-bounds-read.patch, H5O_dtype_decode_helper-Parent-of-enum-needs-to-have-same-size-as-enum-itself.patch, Pass-compact-chunk-size-info-to-ensure-requested-elements-are-within-bounds.patch, Make-sure-info-block-for-external-links-has-at-least-3-bytes.patch, Compound-datatypes-may-not-have-members-of-size-0.patch, H5IMget_image_info-H5Sget_simple_extent_dims-does-not-exceed-array-size.patch, Check-for-overflow-when-calculating-on-disk-attribute-data-size-2459.patch * New BuildRequires: hostname. * Work around an sed hack in upstream configure file by dropping "-Werror=return-type" from RPM %optflags. OBS-URL: https://build.opensuse.org/request/show/1173662 OBS-URL: https://build.opensuse.org/package/show/science/hdf5?expand=0&rev=174
77 lines
3.2 KiB
Diff
77 lines
3.2 KiB
Diff
From: Egbert Eich <eich@suse.com>
|
|
Date: Wed Oct 5 07:17:24 2022 +0200
|
|
Subject: H5O_fsinfo_decode() Make more resilient to out-of-bounds read
|
|
Patch-mainline: Not yet
|
|
Git-repo: ssh://eich@192.168.122.1:/home/eich/sources/HPC/hdf5
|
|
Git-commit: 8aee14b3a19858a08e3fabdef6ff925b47d4ce2c
|
|
References:
|
|
|
|
Malformed hdf5 files may have trunkated content which does not match
|
|
the expected size. This function attempts to decode these it will read
|
|
past the end of the allocated space which may lead to a crash. Make sure
|
|
each element is within bounds before reading.
|
|
|
|
This fixes CVE-2021-45830.
|
|
|
|
Signed-off-by: Egbert Eich <eich@suse.com>
|
|
Additions
|
|
Signed-off-by: Egbert Eich <eich@suse.de>
|
|
---
|
|
src/H5Ofsinfo.c | 14 +++++++++++++-
|
|
1 file changed, 13 insertions(+), 1 deletion(-)
|
|
Index: hdf5-1.12.3/src/H5Ofsinfo.c
|
|
===================================================================
|
|
--- hdf5-1.12.3.orig/src/H5Ofsinfo.c
|
|
+++ hdf5-1.12.3/src/H5Ofsinfo.c
|
|
@@ -87,6 +87,13 @@ H5FL_DEFINE_STATIC(H5O_fsinfo_t);
|
|
*
|
|
*-------------------------------------------------------------------------
|
|
*/
|
|
+static char err[] = "ran off end of input buffer while decoding";
|
|
+#define VERIFY_LIMIT(p,s,l) \
|
|
+ if (p + s - 1 > l) { \
|
|
+ HCOMMON_ERROR(H5E_RESOURCE, H5E_NOSPACE, err); \
|
|
+ HGOTO_DONE(NULL) \
|
|
+ }
|
|
+
|
|
static void *
|
|
H5O__fsinfo_decode(H5F_t *f, H5O_t H5_ATTR_UNUSED *open_oh, unsigned H5_ATTR_UNUSED mesg_flags,
|
|
unsigned H5_ATTR_UNUSED *ioflags, size_t p_size, const uint8_t *p)
|
|
@@ -111,6 +118,7 @@ H5O__fsinfo_decode(H5F_t *f, H5O_t H5_AT
|
|
fsinfo->fs_addr[ptype - 1] = HADDR_UNDEF;
|
|
|
|
/* Version of message */
|
|
+ VERIFY_LIMIT(p,1,p_end)
|
|
vers = *p++;
|
|
|
|
if (vers == H5O_FSINFO_VERSION_0) {
|
|
@@ -124,6 +132,7 @@ H5O__fsinfo_decode(H5F_t *f, H5O_t H5_AT
|
|
fsinfo->pgend_meta_thres = H5F_FILE_SPACE_PGEND_META_THRES;
|
|
fsinfo->eoa_pre_fsm_fsalloc = HADDR_UNDEF;
|
|
|
|
+ VERIFY_LIMIT(p, 1 + H5F_SIZEOF_SIZE(f), p_end);
|
|
strategy = (H5F_file_space_type_t)*p++; /* File space strategy */
|
|
H5F_DECODE_LENGTH(f, p, threshold); /* Free-space section threshold */
|
|
|
|
@@ -169,6 +178,7 @@ H5O__fsinfo_decode(H5F_t *f, H5O_t H5_AT
|
|
HDassert(vers >= H5O_FSINFO_VERSION_1);
|
|
|
|
fsinfo->version = vers;
|
|
+ VERIFY_LIMIT(p, 1 + 1 + 2 * H5F_SIZEOF_SIZE(f) + 2 + H5F_SIZEOF_ADDR(f), p_end);
|
|
fsinfo->strategy = (H5F_fspace_strategy_t)*p++; /* File space strategy */
|
|
fsinfo->persist = *p++; /* Free-space persist or not */
|
|
H5F_DECODE_LENGTH(f, p, fsinfo->threshold); /* Free-space section threshold */
|
|
@@ -180,9 +190,11 @@ H5O__fsinfo_decode(H5F_t *f, H5O_t H5_AT
|
|
|
|
/* Decode addresses of free space managers, if persisting */
|
|
if (fsinfo->persist)
|
|
- for (ptype = H5F_MEM_PAGE_SUPER; ptype < H5F_MEM_PAGE_NTYPES; ptype++)
|
|
+ for (ptype = H5F_MEM_PAGE_SUPER; ptype < H5F_MEM_PAGE_NTYPES; ptype++) {
|
|
+ VERIFY_LIMIT(p, H5F_SIZEOF_SIZE(f), p_end);
|
|
H5F_addr_decode(f, &p, &(fsinfo->fs_addr[ptype - 1]));
|
|
|
|
+ }
|
|
fsinfo->mapped = FALSE;
|
|
}
|
|
|