Atri Bhattacharya
a0635c9ad7
- Fix CVEs:
* CVE-2021-46244 (bsc#1195215)
Compound-datatypes-may-not-have-members-of-size-0.patch
* CVE-2018-13867 (bsc#1101906)
Validate-location-offset-of-the-accumulated-metadata-when-comparing.patch
* CVE-2018-16438 (bsc#1107069)
Make-sure-info-block-for-external-links-has-at-least-3-bytes.patch
* CVE-2020-10812 (bsc#1167400)
Hot-fix-for-CVE-2020-10812.patch
* CVE-2021-45830 (bsc#1194375)
H5O_fsinfo_decode-Make-more-resilient-to-out-of-bounds-read.patch
* CVE-2019-8396 (bsc#1125882)
H5O__pline_decode-Make-more-resilient-to-out-of-bounds-read.patch
* CVE-2018-11205 (bsc#1093663)
Pass-compact-chunk-size-info-to-ensure-requested-elements-are-within-bounds.patch
* CVE-2021-46242 (bsc#1195212)
When-evicting-driver-info-block-NULL-the-corresponding-entry.patch
* CVE-2021-45833 (bsc#1194366)
Report-error-if-dimensions-of-chunked-storage-in-data-layout-2.patch
* CVE-2018-14031 (bsc#1101475)
H5O_dtype_decode_helper-Parent-of-enum-needs-to-have-same-size-as-enum-itself.patch
* CVE-2018-17439 (bsc#1111598)
H5IMget_image_info-H5Sget_simple_extent_dims-does-not-exceed-array-size.patch
- Fix an error message:
Fix-error-message-not-the-name-but-the-link-information-is-parsed.patch
OBS-URL: https://build.opensuse.org/request/show/1030627
OBS-URL: https://build.opensuse.org/package/show/science/hdf5?expand=0&rev=159
49 lines
2.1 KiB
Diff
49 lines
2.1 KiB
Diff
From: Egbert Eich <eich@suse.com>
|
|
Date: Wed Sep 28 19:11:16 2022 +0200
|
|
Subject: Report error if dimensions of chunked storage in data layout < 2
|
|
Patch-mainline: Not yet
|
|
Git-repo: ssh://eich@192.168.122.1:/home/eich/sources/HPC/hdf5
|
|
Git-commit: 34b621424504265cff3c33cf634a70efb52db180
|
|
References:
|
|
|
|
For Data Layout Messages version 1 & 2 the specification state
|
|
that the value stored in the data field is 1 greater than the
|
|
number of dimensions in the dataspace. For version 3 this is
|
|
not explicitly stated but the implementation suggests it to be
|
|
the case.
|
|
Thus the set value needs to be at least 2. For dimensionality
|
|
< 2 an out-of-bounds access occurs as in CVE-2021-45833.
|
|
|
|
This fixes CVE-2021-45833.
|
|
|
|
Signed-off-by: Egbert Eich <eich@suse.com>
|
|
Signed-off-by: Egbert Eich <eich@suse.de>
|
|
---
|
|
src/H5Olayout.c | 7 +++++++
|
|
1 file changed, 7 insertions(+)
|
|
diff --git a/src/H5Olayout.c b/src/H5Olayout.c
|
|
index c939e72744..9fa9e36e8c 100644
|
|
--- a/src/H5Olayout.c
|
|
+++ b/src/H5Olayout.c
|
|
@@ -168,6 +168,10 @@ H5O__layout_decode(H5F_t *f, H5O_t H5_ATTR_UNUSED *open_oh, unsigned H5_ATTR_UNU
|
|
p += ndims * 4; /* Skip over dimension sizes (32-bit quantities) */
|
|
} /* end if */
|
|
else {
|
|
+ if (ndims < 2)
|
|
+ HGOTO_ERROR(H5E_OHDR, H5E_CANTLOAD, NULL,
|
|
+ "bad dimensions for chunked storage")
|
|
+
|
|
mesg->u.chunk.ndims = ndims;
|
|
for (u = 0; u < ndims; u++)
|
|
UINT32DECODE(p, mesg->u.chunk.dim[u]);
|
|
@@ -241,6 +245,9 @@ H5O__layout_decode(H5F_t *f, H5O_t H5_ATTR_UNUSED *open_oh, unsigned H5_ATTR_UNU
|
|
mesg->u.chunk.ndims = *p++;
|
|
if (mesg->u.chunk.ndims > H5O_LAYOUT_NDIMS)
|
|
HGOTO_ERROR(H5E_OHDR, H5E_CANTLOAD, NULL, "dimensionality is too large")
|
|
+ if (mesg->u.chunk.ndims < 2)
|
|
+ HGOTO_ERROR(H5E_OHDR, H5E_CANTLOAD, NULL,
|
|
+ "bad dimensions for chunked storage")
|
|
|
|
/* B-tree address */
|
|
H5F_addr_decode(f, &p, &(mesg->storage.u.chunk.idx_addr));
|