File Compound-datatypes-may-not-have-members-of-size-0.patch of Package hdf5.28370

From: Egbert Eich <eich@suse.com>
Date: Wed Oct 5 15:47:54 2022 +0200
Subject: Compound datatypes may not have members of size 0
Patch-mainline: Not yet
Git-repo: https://github.com/HDFGroup/hdf5
Git-commit: 332ed3e68df3b5365d51f0713c42b39813e5e23a
References: 

A member size of 0 may lead to an FPE later on as reported in
CVE-2021-46244. To avoid this, check for this as soon as the
member is decoded.
This should probably be done in H5O_dtype_decode_helper() already,
however it is not clear whether all sizes are expected to be != 0.
This fixes CVE-2021-46244.

Signed-off-by: Egbert Eich <eich@suse.com>
Signed-off-by: Egbert Eich <eich@suse.de>
---
 src/H5Odtype.c | 6 ++++++
 src/H5T.c      | 2 ++
 2 files changed, 8 insertions(+)
diff --git a/src/H5Odtype.c b/src/H5Odtype.c
index 1942585fac..a37b4ead1d 100644
--- a/src/H5Odtype.c
+++ b/src/H5Odtype.c
@@ -333,6 +333,12 @@ H5O_dtype_decode_helper(H5F_t *f, unsigned *ioflags /*in,out*/, const uint8_t **
                     H5MM_xfree(dt->shared->u.compnd.memb);
                     HGOTO_ERROR(H5E_DATATYPE, H5E_CANTDECODE, FAIL, "unable to decode member type")
                 } /* end if */
+		if (temp_type->shared->size == 0) {
+		  for (j = 0; j <= i; j++)
+                        H5MM_xfree(dt->shared->u.compnd.memb[j].name);
+		  H5MM_xfree(dt->shared->u.compnd.memb);
+		  HGOTO_ERROR(H5E_DATATYPE, H5E_CANTDECODE, FAIL, "invalid field size in member type")
+		}
 
                 /* Upgrade the version if we can and it is necessary */
                 if (can_upgrade && temp_type->shared->version > version) {
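Review bot: The new error path under `if (temp_type->shared->size == 0)` frees the member names and the `memb` array but never releases `temp_type`, which has been decoded successfully by this point and, as far as the hunk shows, is not yet owned by `dt`. Unless cleanup outside the hunk handles it, each malformed file rejected here would leak one datatype object; releasing it before the jump, e.g. `(void)H5T_close_real(temp_type);` or whichever release routine this branch uses, would close that. The path also leaves `dt->shared->u.compnd.memb` pointing at freed memory, so confirm that no later teardown of `dt` walks the array, or set the pointer to NULL after the free. H5O_dtype_decode_helper starts and ends outside the hunk, so the allocation of `temp_type` and the `done:` handling are not visible here.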
diff --git a/src/H5T.c b/src/H5T.c
index 3185774353..b15a193403 100644
--- a/src/H5T.c
+++ b/src/H5T.c
@@ -3438,6 +3438,8 @@ H5T__complete_copy(H5T_t *new_dt, const H5T_t *old_dt, H5T_shared_t *reopened_fo
                     if (new_dt->shared->u.compnd.memb[i].type->shared->size !=
                         old_dt->shared->u.compnd.memb[old_match].type->shared->size) {
                         /* Adjust the size of the member */
+                        if (old_dt->shared->u.compnd.memb[old_match].size == 0)
+			    HGOTO_ERROR(H5E_DATATYPE, H5E_BADVALUE, FAIL, "invalid field size in datatype")
                         new_dt->shared->u.compnd.memb[i].size =
                             (old_dt->shared->u.compnd.memb[old_match].size * tmp->shared->size) /
                             old_dt->shared->u.compnd.memb[old_match].type->shared->size;
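Review bot: The added guard tests `old_dt->shared->u.compnd.memb[old_match].size`, but the divisor in the expression below is `old_dt->shared->u.compnd.memb[old_match].type->shared->size`, so a zero divisor would still reach the division. The decode-time check in H5Odtype.c presumably keeps file-sourced member types from having size 0, but this copy path would be safer checking the value it divides by: `if (old_dt->shared->u.compnd.memb[old_match].type->shared->size == 0)` followed by the same `HGOTO_ERROR`. The new `if` is also unbraced around a statement macro and tab-indented, so bracing it and using spaces would match the surrounding code. H5T__complete_copy continues outside the hunk on both sides.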