File Report-error-if-dimensions-of-chunked-storage-in-data-layout-2.patch of Package hdf5.26545
From: Egbert Eich <eich@suse.com>
Date: Wed Sep 28 19:11:16 2022 +0200
Subject: Report error if dimensions of chunked storage in data layout < 2
Patch-mainline: Not yet
Git-repo: https://github.com/HDFGroup/hdf5
Git-commit: 2e0615b3e5a478b7f0a700cad229816880d84d4e
References:
For Data Layout Messages version 1 & 2 the specification state
that the value stored in the data field is 1 greater than the
number of dimensions in the dataspace. For version 3 this is
not explicitly stated but the implementation suggests it to be
the case.
Thus the set value needs to be at least 2. For dimensionality
< 2 an out-of-bounds access occurs as in CVE-2021-45833.
This fixes CVE-2021-45833.
Signed-off-by: Egbert Eich <eich@suse.com>
Signed-off-by: Egbert Eich <eich@suse.de>
---
src/H5Olayout.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/src/H5Olayout.c b/src/H5Olayout.c
index 651e317a2c..c55523307d 100644
--- a/src/H5Olayout.c
+++ b/src/H5Olayout.c
@@ -168,6 +168,10 @@ H5O__layout_decode(H5F_t *f, H5O_t H5_ATTR_UNUSED *open_oh, unsigned H5_ATTR_UNU
p += ndims * 4; /* Skip over dimension sizes (32-bit quantities) */
} /* end if */
else {
+ if (ndims < 2)
+ HGOTO_ERROR(H5E_OHDR, H5E_CANTLOAD, NULL,
+ "bad dimensions for chunked storage")
+
mesg->u.chunk.ndims = ndims;
for (u = 0; u < ndims; u++)
UINT32DECODE(p, mesg->u.chunk.dim[u]);
@@ -241,6 +245,9 @@ H5O__layout_decode(H5F_t *f, H5O_t H5_ATTR_UNUSED *open_oh, unsigned H5_ATTR_UNU
mesg->u.chunk.ndims = *p++;
if (mesg->u.chunk.ndims > H5O_LAYOUT_NDIMS)
HGOTO_ERROR(H5E_OHDR, H5E_CANTLOAD, NULL, "dimensionality is too large")
+ if (mesg->u.chunk.ndims < 2)
+ HGOTO_ERROR(H5E_OHDR, H5E_CANTLOAD, NULL,
+ "bad dimensions for chunked storage")
/* B-tree address */
H5F_addr_decode(f, &p, &(mesg->storage.u.chunk.idx_addr));