packages/hdf5
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
hdf5/CVE-2018-17435.patch
guoxiaoqi 91fb3ff44d fix cves
2020-12-14 10:54:55 +08:00

115 lines
3.9 KiB
Diff
Raw Blame History

From c12da4884f18dda4c9dbc23efd10eb053ec7cf0d Mon Sep 17 00:00:00 2001
From: Binh-Minh Ribler <bmribler@hdfgroup.org>
Date: Fri, 19 Jun 2020 10:53:32 -0500
Subject: [PATCH] Fix HDFFV-10591
Description:
h52gif produced a segfault when a buffer overflow occurred because
the data size was corrupted and became very large. This commit
added
a check on the data size against the buffer size to prevent the
segfault.
It also added error reporting to h52gif to display an error message
instead of silently exiting when the failure occurred.
Platforms tested:
Linux/64 (jelly)
SunOS 5.11 (emu)
---
hl/src/H5IM.c | 3 ++-
hl/tools/gif2h5/hdf2gif.c | 19 +++++++++++++++----
src/H5Oattr.c | 5 +++++
3 files changed, 22 insertions(+), 5 deletions(-)
diff --git a/hl/src/H5IM.c b/hl/src/H5IM.c
index f76f029ae2..495f296625 100644
--- a/hl/src/H5IM.c
+++ b/hl/src/H5IM.c
@@ -274,7 +274,8 @@ herr_t H5IMget_image_info( hid_t loc_id,
return -1;
/* Try to find the attribute "INTERLACE_MODE" on the >>image<< dataset */
- has_attr = H5LT_find_attribute(did, "INTERLACE_MODE");
+ if ((has_attr = H5LT_find_attribute(did, "INTERLACE_MODE")) < 0)
+ goto out;
/* It exists, get it */
if(has_attr == 1)
diff --git a/hl/tools/gif2h5/hdf2gif.c b/hl/tools/gif2h5/hdf2gif.c
index ce9d8786f8..ec81194a71 100644
--- a/hl/tools/gif2h5/hdf2gif.c
+++ b/hl/tools/gif2h5/hdf2gif.c
@@ -143,17 +143,22 @@ int main(int argc , char **argv)
goto out;
}
- /* read image */
+ /* get image's information */
if ( H5IMget_image_info( fid, image_name, &width, &height, &planes, interlace, &npals ) < 0 )
+ {
+ fprintf(stderr , "Unable to get information of the image. Aborting.\n");
goto out;
+ }
- if (width > IMAGE_WIDTH_MAX || height > IMAGE_HEIGHT_MAX){
+ if (width > IMAGE_WIDTH_MAX || height > IMAGE_HEIGHT_MAX)
+ {
fprintf(stderr, "HDF5 image is too large. Limit is %d by %d.\n", IMAGE_WIDTH_MAX, IMAGE_HEIGHT_MAX);
goto out;
}
/* tool can handle single plane images only. */
- if (planes > 1){
+ if (planes > 1)
+ {
fprintf(stderr, "Cannot handle multiple planes image\n");
goto out;
}
@@ -161,12 +166,18 @@ int main(int argc , char **argv)
Image = (BYTE*) malloc( (size_t) width * (size_t) height );
if ( H5IMread_image( fid, image_name, Image ) < 0 )
+ {
+ fprintf(stderr , "Unable to read the image. Aborting.\n");
goto out;
+ }
if (npals)
{
if ( H5IMget_palette_info( fid, image_name, 0, pal_dims ) < 0 )
+ {
+ fprintf(stderr , "Unable to get information of the palette. Aborting.\n");
goto out;
+ }
pal = (BYTE*) malloc( (size_t) pal_dims[0] * (size_t) pal_dims[1] );
@@ -240,7 +251,7 @@ int main(int argc , char **argv)
if (j==i)
{
/* wasn't found */
- pc2nc[i] = (BYTE)nc;
+ pc2nc[i] = (BYTE)nc;
r1[nc] = Red[i];
g1[nc] = Green[i];
b1[nc] = Blue[i];
diff --git a/src/H5Oattr.c b/src/H5Oattr.c
index 882912155a..a13c944264 100644
--- a/src/H5Oattr.c
+++ b/src/H5Oattr.c
@@ -225,6 +225,11 @@ H5O_attr_decode(H5F_t *f, hid_t dxpl_id, H5O_t *open_oh, unsigned H5_ATTR_UNUSED
/* Go get the data */
if(attr->shared->data_size) {
+ /* Ensure that data size doesn't exceed buffer size, in case of
+ it's being corrupted in the file */
+ if(attr->shared->data_size > p_size)
+ HGOTO_ERROR(H5E_RESOURCE, H5E_OVERFLOW, NULL, "data size exceeds buffer size")
+
if(NULL == (attr->shared->data = H5FL_BLK_MALLOC(attr_buf, attr->shared->data_size)))
HGOTO_ERROR(H5E_RESOURCE, H5E_NOSPACE, NULL, "memory allocation failed")
HDmemcpy(attr->shared->data, p, attr->shared->data_size);
--
2.23.0
Reference in New Issue View Git Blame Copy Permalink