hdf5/CVE-2018-13873.patch

2020-12-14 10:46:04 +08:00
From e1b59919bb96f68f3b372a73790ecbe4ac3b395a Mon Sep 17 00:00:00 2001
From: Binh-Minh Ribler <bmribler@hdfgroup.org>
Date: Sun, 6 Jan 2019 01:44:40 -0600
Subject: [PATCH] HDFFV-10578 and HDFFV-10676 Description: HDFFV-10578 -
CVE-2018-17234 The file has some issue, however, there was a bug in
h5dump that caused memory leaks after the problem in the file was
encountered. The bug was that an if statement was missing in the
function table_list_add() resulting in the memory not being freed at
a later time. After the fix had been applied, there were no more
leaks after h5dump detected the issue in the file and reported the
error.
In H5O__chunk_deserialize, replaced an assert with an if statement
and reporting error, per Neil's recommendation
HDFFV-10676 - CVE-2018-13873
Also in H5O__chunk_deserialize, added an assertion to detect
out of bound ids
---
src/H5Ocache.c | 5 ++++-
tools/src/h5dump/h5dump.c | 7 ++++---
2 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/src/H5Ocache.c b/src/H5Ocache.c
index fba4f6e586..034048fd4e 100644
--- a/src/H5Ocache.c
+++ b/src/H5Ocache.c
@@ -1129,6 +1129,8 @@ H5O_chunk_deserialize(H5O_t *oh, haddr_t addr, size_t len, const uint8_t *image
HGOTO_ERROR(H5E_OHDR, H5E_CANTLOAD, FAIL, "bad flag combination for message")
if((flags & H5O_MSG_FLAG_WAS_UNKNOWN) && !(flags & H5O_MSG_FLAG_MARK_IF_UNKNOWN))
HGOTO_ERROR(H5E_OHDR, H5E_CANTLOAD, FAIL, "bad flag combination for message")
+
+ HDassert(id < NELMTS(H5O_msg_class_g));
if((flags & H5O_MSG_FLAG_SHAREABLE)
&& H5O_msg_class_g[id]
&& !(H5O_msg_class_g[id]->share_flags & H5O_SHARE_IS_SHARABLE))
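Review bot: The bounds check added before the `H5O_msg_class_g[id]` lookup is an `HDassert`, so it only protects builds that keep assertions enabled. In a build with assertions compiled out, an `id` read from a crafted file still indexes past the end of `H5O_msg_class_g` on the next lines. The commit message itself describes replacing an assert with an if statement and an error report elsewhere in this function, and the same treatment fits here: `if(id >= NELMTS(H5O_msg_class_g)) HGOTO_ERROR(H5E_OHDR, H5E_CANTLOAD, FAIL, "bad message id")`, with the error text being a suggestion. Separately, the diffstat lists 5 changed lines for src/H5Ocache.c and the message mentions that assert-to-if replacement, but only this two-line hunk is present, so it is worth confirming that the rest of the upstream change was not dropped from this copy.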
diff --git a/tools/src/h5dump/h5dump.c b/tools/src/h5dump/h5dump.c
index b9e37e8379..5267188dad 100644
--- a/tools/h5dump/h5dump.c
+++ b/tools/h5dump/h5dump.c
@@ -403,9 +403,10 @@ table_list_add(hid_t oid, unsigned long file_no)
}
if(init_objs(oid, &info, &table_list.tables[idx].group_table,
&table_list.tables[idx].dset_table, &table_list.tables[idx].type_table) < 0) {
- H5Idec_ref(oid);
- table_list.nused--;
- return -1;
+ if (H5Idec_ref(oid) < 0) {
+ table_list.nused--;
+ return -1;
+ }
}
#ifdef H5DUMP_DEBUG
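Review bot: In the `init_objs(...) < 0` branch, the error return is now conditional on `H5Idec_ref(oid) < 0`, so when `init_objs` fails and the reference decrement succeeds, control falls out of the block and continues as if the table had been initialized. Keeping `table_list.nused` unchanged matches the commit message's goal of letting the entry be freed later, but the caller no longer learns that `init_objs` failed, and the entry's `group_table`, `dset_table` and `type_table` may be only partly set up. Please either return -1 after the `H5Idec_ref` call while leaving `nused` intact, or add a comment stating why falling through is safe and how later code handles the incomplete tables. Also note that the `diff --git` line names `tools/src/h5dump/h5dump.c` while the `---`/`+++` lines name `tools/h5dump/h5dump.c`; check that the patch applies to the intended file in the target tree.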