Skip to content

Commit

Permalink
Merges from develop Aug 2-4 (HDFGroup#3354)
Browse files Browse the repository at this point in the history
* Fix CVE-2018-11202 (HDFGroup#3330)

A malformed file could result in chunk index memory leaks. Under most
conditions (i.e., when the --enable-using-memchecker option is NOT
used), this would result in a small memory leak and and infinite loop
and abort when shutting down the library. The infinite loop would be
due to the "free list" package not being able to clear its resources
so the library couldn't shut down. When the "using a memory checker"
option is used, the free lists are disabled so there is just a memory
leak with no abort on library shutdown.

The chunk index resources are now correctly cleaned up when reading
misparsed files and valgrind confirms no memory leaks.

* Fix CVE-2018-13867 (HDFGroup#3336)

* Windows runtime items go into the bin folder (HDFGroup#3320)
  • Loading branch information
lrknox committed Aug 4, 2023
1 parent ff02bfb commit 526aeac
Show file tree
Hide file tree
Showing 4 changed files with 39 additions and 1 deletion.
2 changes: 1 addition & 1 deletion java/src/jni/CMakeLists.txt
Original file line number Diff line number Diff line change
Expand Up @@ -106,7 +106,7 @@ if (HDF5_EXPORTED_TARGETS)
${HDF5_EXPORTED_TARGETS}
LIBRARY DESTINATION ${HDF5_INSTALL_LIB_DIR} COMPONENT libraries
ARCHIVE DESTINATION ${HDF5_INSTALL_LIB_DIR} COMPONENT libraries
RUNTIME DESTINATION ${HDF5_INSTALL_LIB_DIR} COMPONENT libraries
RUNTIME DESTINATION ${HDF5_INSTALL_BIN_DIR} COMPONENT libraries
FRAMEWORK DESTINATION ${HDF5_INSTALL_FWRK_DIR} COMPONENT libraries
INCLUDES DESTINATION include
)
Expand Down
23 changes: 23 additions & 0 deletions release_docs/RELEASE.txt
Original file line number Diff line number Diff line change
Expand Up @@ -121,6 +121,29 @@ Bug Fixes since HDF5-1.14.1 release
===================================
Library
-------
- Fixed CVE-2018-13867

A corrupt file containing an invalid local heap datablock address
could trigger an assert failure when the metadata cache attempted
to load the datablock from storage.

The local heap now verifies that the datablock address is valid
when the local heap header information is parsed.

- Fixed CVE-2018-11202

A malformed file could result in chunk index memory leaks. Under most
conditions (i.e., when the --enable-using-memchecker option is NOT
used), this would result in a small memory leak and and infinite loop
and abort when shutting down the library. The infinite loop would be
due to the "free list" package not being able to clear its resources
so the library couldn't shut down. When the "using a memory checker"
option is used, the free lists are disabled so there is just a memory
leak with no abort on library shutdown.

The chunk index resources are now correctly cleaned up when reading
misparsed files and valgrind confirms no memory leaks.

- Fixed an issue where an assert statement was converted to an
incorrect error check statement

Expand Down
9 changes: 9 additions & 0 deletions src/H5Dchunk.c
Original file line number Diff line number Diff line change
Expand Up @@ -880,6 +880,7 @@ H5D__chunk_init(H5F_t *f, const H5D_t *const dset, hid_t dapl_id)
H5D_rdcc_t *rdcc = &(dset->shared->cache.chunk); /* Convenience pointer to dataset's chunk cache */
H5P_genplist_t *dapl; /* Data access property list object pointer */
H5O_storage_chunk_t *sc = &(dset->shared->layout.storage.u.chunk);
bool idx_init = false;
herr_t ret_value = SUCCEED; /* Return value */

FUNC_ENTER_PACKAGE
Expand Down Expand Up @@ -955,12 +956,20 @@ H5D__chunk_init(H5F_t *f, const H5D_t *const dset, hid_t dapl_id)
/* Allocate any indexing structures */
if (sc->ops->init && (sc->ops->init)(&idx_info, dset->shared->space, dset->oloc.addr) < 0)
HGOTO_ERROR(H5E_DATASET, H5E_CANTINIT, FAIL, "can't initialize indexing information");
idx_init = true;

/* Set the number of chunks in dataset, etc. */
if (H5D__chunk_set_info(dset) < 0)
HGOTO_ERROR(H5E_DATASET, H5E_CANTINIT, FAIL, "unable to set # of chunks for dataset");

done:
if (FAIL == ret_value) {
if (rdcc->slot)
rdcc->slot = H5FL_SEQ_FREE(H5D_rdcc_ent_ptr_t, rdcc->slot);

if (idx_init && sc->ops->dest && (sc->ops->dest)(&idx_info) < 0)
HDONE_ERROR(H5E_DATASET, H5E_CANTFREE, FAIL, "unable to release chunk index info");
}
FUNC_LEAVE_NOAPI(ret_value)
} /* end H5D__chunk_init() */

Expand Down
6 changes: 6 additions & 0 deletions src/H5HLcache.c
Original file line number Diff line number Diff line change
Expand Up @@ -194,6 +194,12 @@ H5HL__hdr_deserialize(H5HL_t *heap, const uint8_t *image, size_t len, H5HL_cache
HGOTO_ERROR(H5E_HEAP, H5E_OVERFLOW, FAIL, "ran off end of input buffer while decoding");
H5F_addr_decode_len(udata->sizeof_addr, &image, &(heap->dblk_addr));

/* Check that the datablock address is valid (might not be true
* in a corrupt file)
*/
if (!H5_addr_defined(heap->dblk_addr))
HGOTO_ERROR(H5E_HEAP, H5E_BADVALUE, FAIL, "bad datablock address");

done:
FUNC_LEAVE_NOAPI(ret_value)
} /* end H5HL__hdr_deserialize() */
Expand Down

0 comments on commit 526aeac

Please sign in to comment.