File Compound-datatypes-may-not-have-members-of-size-0.patch of Package hdf5.28370
From: Egbert Eich <eich@suse.com>
Date: Wed Oct 5 15:47:54 2022 +0200
Subject: Compound datatypes may not have members of size 0
Patch-mainline: Not yet
Git-repo: https://github.com/HDFGroup/hdf5
Git-commit: 332ed3e68df3b5365d51f0713c42b39813e5e23a
References:
A member size of 0 may lead to an FPE later on as reported in
CVE-2021-46244. To avoid this, check for this as soon as the
member is decoded.
This should probably be done in H5O_dtype_decode_helper() already,
however it is not clear whether all sizes are expected to be != 0.
This fixes CVE-2021-46244.
Signed-off-by: Egbert Eich <eich@suse.com>
Signed-off-by: Egbert Eich <eich@suse.de>
---
src/H5Odtype.c | 6 ++++++
src/H5T.c | 2 ++
2 files changed, 8 insertions(+)
diff --git a/src/H5Odtype.c b/src/H5Odtype.c
index 1942585fac..a37b4ead1d 100644
--- a/src/H5Odtype.c
+++ b/src/H5Odtype.c
@@ -333,6 +333,12 @@ H5O_dtype_decode_helper(H5F_t *f, unsigned *ioflags /*in,out*/, const uint8_t **
H5MM_xfree(dt->shared->u.compnd.memb);
HGOTO_ERROR(H5E_DATATYPE, H5E_CANTDECODE, FAIL, "unable to decode member type")
} /* end if */
+ if (temp_type->shared->size == 0) {
+ for (j = 0; j <= i; j++)
+ H5MM_xfree(dt->shared->u.compnd.memb[j].name);
+ H5MM_xfree(dt->shared->u.compnd.memb);
+ HGOTO_ERROR(H5E_DATATYPE, H5E_CANTDECODE, FAIL, "invalid field size in member type")
+ }
/* Upgrade the version if we can and it is necessary */
if (can_upgrade && temp_type->shared->version > version) {
diff --git a/src/H5T.c b/src/H5T.c
index 3185774353..b15a193403 100644
--- a/src/H5T.c
+++ b/src/H5T.c
@@ -3438,6 +3438,8 @@ H5T__complete_copy(H5T_t *new_dt, const H5T_t *old_dt, H5T_shared_t *reopened_fo
if (new_dt->shared->u.compnd.memb[i].type->shared->size !=
old_dt->shared->u.compnd.memb[old_match].type->shared->size) {
/* Adjust the size of the member */
+ if (old_dt->shared->u.compnd.memb[old_match].size == 0)
+ HGOTO_ERROR(H5E_DATATYPE, H5E_BADVALUE, FAIL, "invalid field size in datatype")
new_dt->shared->u.compnd.memb[i].size =
(old_dt->shared->u.compnd.memb[old_match].size * tmp->shared->size) /
old_dt->shared->u.compnd.memb[old_match].type->shared->size;