blob: 01099f3438c1229407b5a532d31bb29fff7ac6bd (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
|
From 602015eacc53bf2699bf4c4e5420b63c3f067547 Mon Sep 17 00:00:00 2001
From: Mingli Yu <mingli.yu@windriver.com>
Date: Mon, 11 Sep 2023 14:01:37 +0800
Subject: [PATCH] Check for overflow when calculating on-disk attribute data
size
Bogus sizes in this test case causes the on-disk data size
calculation in H5O_attr_decode() to overflow so that the
calculated size becomes 0. This causes the read to overflow
and h5dump to segfault.
CVE: CVE-2021-37501
Upstream-Status: Backport [https://github.com/HDFGroup/hdf5/commit/b16ec83d4bd79f9ffaad85de16056419f3532887]
Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
---
src/H5Oattr.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/src/H5Oattr.c b/src/H5Oattr.c
index c2c0fe3..c289344 100644
--- a/src/H5Oattr.c
+++ b/src/H5Oattr.c
@@ -217,6 +217,9 @@ H5O_attr_decode(H5F_t *f, hid_t dxpl_id, H5O_t *open_oh, unsigned H5_ATTR_UNUSED
/* Compute the size of the data */
H5_CHECKED_ASSIGN(attr->shared->data_size, size_t, H5S_GET_EXTENT_NPOINTS(attr->shared->ds) * H5T_get_size(attr->shared->dt), hsize_t);
+ /* Check if multiplication has overflown */
+ if ((attr->shared->data_size / H5T_get_size(attr->shared->dt)) != H5S_GET_EXTENT_NPOINTS(attr->shared->ds))
+ HGOTO_ERROR(H5E_RESOURCE, H5E_OVERFLOW, NULL, "data size exceeds addressable range");
/* Go get the data */
if(attr->shared->data_size) {
--
2.25.1
|
