1 files changed, 37 insertions, 0 deletions

diff --git a/meta-oe/recipes-support/hdf5/files/CVE-2021-37501.patch b/meta-oe/recipes-support/hdf5/files/CVE-2021-37501.patch
new file mode 100644
index 0000000000..01099f3438
--- /dev/null
+++ b/meta-oe/recipes-support/hdf5/files/CVE-2021-37501.patch
@@ -0,0 +1,37 @@
+From 602015eacc53bf2699bf4c4e5420b63c3f067547 Mon Sep 17 00:00:00 2001
+From: Mingli Yu <mingli.yu@windriver.com>
+Date: Mon, 11 Sep 2023 14:01:37 +0800
+Subject: [PATCH] Check for overflow when calculating on-disk attribute data
+ size
+
+Bogus sizes in this test case causes the on-disk data size
+calculation in H5O_attr_decode() to overflow so that the
+calculated size becomes 0. This causes the read to overflow
+and h5dump to segfault.
+
+CVE: CVE-2021-37501
+
+Upstream-Status: Backport [https://github.com/HDFGroup/hdf5/commit/b16ec83d4bd79f9ffaad85de16056419f3532887]
+
+Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
+---
+ src/H5Oattr.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/H5Oattr.c b/src/H5Oattr.c
+index c2c0fe3..c289344 100644
+--- a/src/H5Oattr.c
++++ b/src/H5Oattr.c
+@@ -217,6 +217,9 @@ H5O_attr_decode(H5F_t *f, hid_t dxpl_id, H5O_t *open_oh, unsigned H5_ATTR_UNUSED
+ 
+     /* Compute the size of the data */
+     H5_CHECKED_ASSIGN(attr->shared->data_size, size_t, H5S_GET_EXTENT_NPOINTS(attr->shared->ds) * H5T_get_size(attr->shared->dt), hsize_t);
++    /* Check if multiplication has overflown */
++    if ((attr->shared->data_size / H5T_get_size(attr->shared->dt)) != H5S_GET_EXTENT_NPOINTS(attr->shared->ds))
++        HGOTO_ERROR(H5E_RESOURCE, H5E_OVERFLOW, NULL, "data size exceeds addressable range");
+ 
+     /* Go get the data */
+     if(attr->shared->data_size) {
+-- 
+2.25.1
+