File Patch-H5Odtype.c.patch of Package hdf5.34857

From: Egbert Eich <eich@suse.com>
Date: Wed May 22 09:14:42 2024 +0200
Subject: Patch H5Odtype.c
Patch-mainline: Upstream
Git-repo: https://github.com/HDFGroup/hdf5
Git-commit: 962fa008916519bf39ef38eb01c1f48ef744aa1a
References: bsc#1224158


Signed-off-by: Egbert Eich <eich@suse.de>
---
 src/H5Odtype.c | 42 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)

diff --git a/src/H5Odtype.c b/src/H5Odtype.c
index ee462e376c..101f9520fb 100644
--- a/src/H5Odtype.c
+++ b/src/H5Odtype.c
@@ -182,6 +182,14 @@ H5O_dtype_decode_helper(H5F_t *f, unsigned *ioflags /*in,out*/, const uint8_t **
                 HGOTO_ERROR(H5E_OHDR, H5E_OVERFLOW, FAIL, "ran off end of input buffer while decoding");
             UINT16DECODE(*pp, dt->shared->u.atomic.offset);
             UINT16DECODE(*pp, dt->shared->u.atomic.prec);
+
+            /* Sanity checks */
+            if (dt->shared->u.atomic.offset >= (dt->shared->size * 8))
+                HGOTO_ERROR(H5E_DATATYPE, H5E_BADRANGE, FAIL, "integer offset out of bounds");
+            if (0 == dt->shared->u.atomic.prec)
+                HGOTO_ERROR(H5E_DATATYPE, H5E_BADVALUE, FAIL, "precision is zero");
+            if (((dt->shared->u.atomic.offset + dt->shared->u.atomic.prec) - 1) >= (dt->shared->size * 8))
+                HGOTO_ERROR(H5E_DATATYPE, H5E_BADRANGE, FAIL, "integer offset+precision out of bounds");
             break;
 
         case H5T_FLOAT:
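Review bot: The `/* Sanity checks */` comment above the new integer checks does not say what is being protected. Both `offset` and `prec` are taken directly from the input buffer by `UINT16DECODE`, so I would spell out the invariant, e.g. `/* offset and prec come from the file: bits [offset, offset+prec-1] must lie within the size*8 bits of the type */`. Once `prec` is known to be non-zero, the first comparison is implied by the third, so it is kept only for its more specific error message; that is worth stating in the comment too. The bound `dt->shared->size * 8` is repeated in the floating-point hunks that follow, and a single named local for the bit width would keep them consistent. The enclosing case and function continue outside the hunk.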
@@ -218,6 +226,8 @@ H5O_dtype_decode_helper(H5F_t *f, unsigned *ioflags /*in,out*/, const uint8_t **
                     HGOTO_ERROR(H5E_DATATYPE, H5E_UNSUPPORTED, FAIL, "unknown floating-point normalization")
             } /* end switch */
             dt->shared->u.atomic.u.f.sign = (flags >> 8) & 0xff;
+            if (dt->shared->u.atomic.u.f.sign >= (dt->shared->size * 8))
+                HGOTO_ERROR(H5E_DATATYPE, H5E_BADRANGE, FAIL, "sign bit position out of bounds");
 
             if (H5_IS_KNOWN_BUFFER_OVERFLOW(skip, *pp, 2 + 2, p_end))
                 HGOTO_ERROR(H5E_OHDR, H5E_OVERFLOW, FAIL, "ran off end of input buffer while decoding");
@@ -230,6 +240,10 @@ H5O_dtype_decode_helper(H5F_t *f, unsigned *ioflags /*in,out*/, const uint8_t **
             dt->shared->u.atomic.u.f.esize = *(*pp)++;
             if (dt->shared->u.atomic.u.f.esize == 0)
                 HGOTO_ERROR(H5E_DATATYPE, H5E_BADVALUE, FAIL, "exponent size can't be zero")
+            if (dt->shared->u.atomic.u.f.epos >= (dt->shared->size * 8))
+                HGOTO_ERROR(H5E_DATATYPE, H5E_BADRANGE, FAIL, "exponent starting position out of bounds");
+            if (((dt->shared->u.atomic.u.f.epos + dt->shared->u.atomic.u.f.esize) - 1) >= (dt->shared->size * 8))
+                HGOTO_ERROR(H5E_DATATYPE, H5E_BADRANGE, FAIL, "exponent range out of bounds");
 
             if (H5_IS_KNOWN_BUFFER_OVERFLOW(skip, *pp, 1 + 1, p_end))
                 HGOTO_ERROR(H5E_OHDR, H5E_OVERFLOW, FAIL, "ran off end of input buffer while decoding");
@@ -237,10 +251,22 @@ H5O_dtype_decode_helper(H5F_t *f, unsigned *ioflags /*in,out*/, const uint8_t **
             dt->shared->u.atomic.u.f.msize = *(*pp)++;
             if (dt->shared->u.atomic.u.f.msize == 0)
                 HGOTO_ERROR(H5E_DATATYPE, H5E_BADVALUE, FAIL, "mantissa size can't be zero")
+            if (dt->shared->u.atomic.u.f.mpos >= (dt->shared->size * 8))
+                HGOTO_ERROR(H5E_DATATYPE, H5E_BADRANGE, FAIL, "mantissa starting position out of bounds");
+            if (((dt->shared->u.atomic.u.f.mpos + dt->shared->u.atomic.u.f.msize) - 1) >= (dt->shared->size * 8))
+                HGOTO_ERROR(H5E_DATATYPE, H5E_BADRANGE, FAIL, "mantissa range out of bounds");
 
             if (H5_IS_KNOWN_BUFFER_OVERFLOW(skip, *pp, 4, p_end))
                 HGOTO_ERROR(H5E_OHDR, H5E_OVERFLOW, FAIL, "ran off end of input buffer while decoding");
             UINT32DECODE(*pp, dt->shared->u.atomic.u.f.ebias);
+
+            /* Sanity check bits don't overlap */
+            if (H5_RANGE_OVERLAP(dt->shared->u.atomic.u.f.sign, dt->shared->u.atomic.u.f.sign, dt->shared->u.atomic.u.f.epos, ((dt->shared->u.atomic.u.f.epos + dt->shared->u.atomic.u.f.esize) - 1)))
+                HGOTO_ERROR(H5E_DATATYPE, H5E_BADVALUE, FAIL, "exponent and sign positions overlap");
+            if (H5_RANGE_OVERLAP(dt->shared->u.atomic.u.f.sign, dt->shared->u.atomic.u.f.sign, dt->shared->u.atomic.u.f.mpos, ((dt->shared->u.atomic.u.f.mpos + dt->shared->u.atomic.u.f.msize) - 1)))
+                HGOTO_ERROR(H5E_DATATYPE, H5E_BADVALUE, FAIL, "mantissa and sign positions overlap");
+            if (H5_RANGE_OVERLAP(dt->shared->u.atomic.u.f.epos, ((dt->shared->u.atomic.u.f.epos + dt->shared->u.atomic.u.f.esize) - 1), dt->shared->u.atomic.u.f.mpos, ((dt->shared->u.atomic.u.f.mpos + dt->shared->u.atomic.u.f.msize) - 1)))
+                HGOTO_ERROR(H5E_DATATYPE, H5E_BADVALUE, FAIL, "mantissa and exponent positions overlap");
             break;
 
         case H5T_TIME: /* Time datatypes */
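Review bot: `H5_RANGE_OVERLAP` is used by the three new overlap checks, but this patch changes only src/H5Odtype.c, so the macro must already exist in the packaged tree. The same holds for `H5F_RFIC_FLAGS`, `H5F_RFIC_UNUSUAL_NUM_UNUSED_NUMERIC_BITS` and `H5O_DECODEIO_RFIC_UNUBNT` in the last hunk. If these come from another patch in the series, the ordering should be recorded in the patch header so the dependency is visible. Separately, the end-of-range expressions `(epos + esize) - 1` and `(mpos + msize) - 1` are each written out three times across this hunk and the previous one; computing them once into locals would shorten the lines and remove the chance of the range checks and the overlap checks drifting apart.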
@@ -453,6 +479,11 @@ H5O_dtype_decode_helper(H5F_t *f, unsigned *ioflags /*in,out*/, const uint8_t **
                 }
                 if (temp_type->shared->size == 0)
                     HGOTO_ERROR(H5E_DATATYPE, H5E_CANTDECODE, FAIL, "type size can't be zero")
+                if ((dt->shared->u.compnd.memb[dt->shared->u.compnd.nmembs].offset + temp_type->shared->size) > dt->shared->size) {
+                    if (H5T_close_real(temp_type) < 0)
+                        HDONE_ERROR(H5E_DATATYPE, H5E_CANTRELEASE, FAIL, "can't release datatype info");
+                    HGOTO_ERROR(H5E_DATATYPE, H5E_CANTDECODE, FAIL, "member type extends outside its parent compound type");
+                }
 
                 /* Upgrade the version if we can and it is necessary */
                 if (can_upgrade && temp_type->shared->version > version) {
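Review bot: The new bound check adds `memb[...].offset + temp_type->shared->size` before comparing with `dt->shared->size`, and both operands are decoded from the file. If these fields are `size_t` (their declarations are outside the hunk) and `size_t` is 32 bits on the build target, the sum can wrap and a member that lies outside the parent would pass. A subtraction form avoids the wrap: `if (temp_type->shared->size > dt->shared->size || memb[...].offset > dt->shared->size - temp_type->shared->size)`. The cleanup inside the new block releases only `temp_type`; whether the member name allocated earlier in the loop is freed on this path cannot be judged from the hunk.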
@@ -1310,6 +1341,17 @@ H5O_dtype_decode(H5F_t *f, H5O_t H5_ATTR_UNUSED *open_oh, unsigned H5_ATTR_UNUSE
      */
     skip = (p_size == SIZE_MAX ? TRUE : FALSE);
 
+    /* Indicate if the object header has a checksum, or if the
+     * H5F_RFIC_UNUSUAL_NUM_UNUSED_NUMERIC_BITS flag is set */
+    if (open_oh) {
+        if (H5O_SIZEOF_CHKSUM_OH(open_oh) > 0 ||
+                (f && (H5F_RFIC_FLAGS(f) & H5F_RFIC_UNUSUAL_NUM_UNUSED_NUMERIC_BITS)))
+            *ioflags |= H5O_DECODEIO_RFIC_UNUBNT;
+    }
+    else
+        /* Decode operations from non-object headers are assumed to be checksummed */
+        *ioflags |= H5O_DECODEIO_RFIC_UNUBNT;
+
     /* Perform actual decode of message */
     if (H5O_dtype_decode_helper(f, ioflags, &p, dt, skip, p_end) < 0)
         HGOTO_ERROR(H5E_DATATYPE, H5E_CANTDECODE, NULL, "can't decode type")
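Review bot: The hunk header still shows `open_oh` declared as `H5O_t H5_ATTR_UNUSED *open_oh`, while the added block reads it in `if (open_oh)` and `H5O_SIZEOF_CHKSUM_OH(open_oh)`; the attribute is now stale and should be dropped from the signature. None of the hunks in this patch read `H5O_DECODEIO_RFIC_UNUBNT` inside `H5O_dtype_decode_helper`, so from what is visible the flag is set without a consumer; it is worth confirming that the check it is meant to relax is part of this backport. The `else` branch sets the flag whenever `open_oh` is NULL, and its comment should name what is being relaxed, e.g. `/* no object header: treat the message as checksummed, so the unused-numeric-bits check is skipped */`, provided that matches the consumer's behaviour.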