Fixed allocation-size-too-big error in H5MM.c

A decoded length appeared to be corrupted and had a very large value. This PR added a check to detect such potential data corruption.
bmribler · Nov 6, 2024 · 99d0d99 · 99d0d99
1 parent ef39882
commit 99d0d99
Showing 1 changed file with 12 additions and 7 deletions.
diff --git a/src/H5Centry.c b/src/H5Centry.c
@@ -944,13 +944,18 @@ H5C__verify_len_eoa(H5F_t *f, const H5C_class_t *type, haddr_t addr, size_t *len
         HGOTO_ERROR(H5E_CACHE, H5E_BADVALUE, FAIL, "address of object past end of allocation");
 
     /* Check if the amount of data to read will be past the EOA */
-    if (H5_addr_gt((addr + *len), eoa)) {
-        if (actual)
-            HGOTO_ERROR(H5E_CACHE, H5E_BADVALUE, FAIL, "actual len exceeds EOA");
-        else
-            /* Trim down the length of the metadata */
-            *len = (size_t)(eoa - addr);
-    } /* end if */
+    if ((ULONG_MAX - *len) >= addr) {
+        if (H5_addr_gt((addr + *len), eoa)) {
+            if (actual)
+                HGOTO_ERROR(H5E_CACHE, H5E_BADVALUE, FAIL, "actual len exceeds EOA");
+            else
+                /* Trim down the length of the metadata */
+                *len = (size_t)(eoa - addr);
+        } /* end if */
+    }
+    else {
+        HGOTO_ERROR(H5E_CACHE, H5E_BADVALUE, FAIL, "total of addr and len exceeds max possible value (potential corrupted data)");
+    }
 
     if (*len <= 0)
         HGOTO_ERROR(H5E_CACHE, H5E_BADVALUE, FAIL, "len not positive after adjustment for EOA");