mirror/hdf5
2
0
Fork 0
mirror of https://github.com/HDFGroup/hdf5.git synced 2025-04-18 17:40:55 +08:00
Code Issues Packages Projects Releases Wiki Activity

Fix Heap-buffer-overflow WRITE in H5MM_memcpy (#3368)

Browse Source
This commit is contained in:
Alex 2023-08-23 21:35:06 +02:00 committed by GitHub
parent e1602a287b
commit 0b2e11d5c0
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 7 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
release_docs/RELEASE.txt
View File

@ -589,6 +589,10 @@ Bug Fixes since HDF5-1.14.0 release
Fixes Github issue #3034
- Fixed write buffer overflow in H5O__alloc_chunk
The overflow was found by OSS-Fuzz https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=58658
Java Library
------------
- Fixed switch case 'L' block missing a break statement.

3
src/H5Oalloc.c
View File

@ -946,6 +946,9 @@ H5O__alloc_chunk(H5F_t *f, H5O_t *oh, size_t size, size_t found_null, const H5O_
else {
assert(curr_msg->type->id != H5O_CONT_ID);
if (size < curr_msg->raw_size + (size_t)H5O_SIZEOF_MSGHDR_OH(oh))
HGOTO_ERROR(H5E_OHDR, H5E_BADVALUE, FAIL, "invalid size");
/* Copy the raw data */
H5MM_memcpy(p, curr_msg->raw - (size_t)H5O_SIZEOF_MSGHDR_OH(oh),
curr_msg->raw_size + (size_t)H5O_SIZEOF_MSGHDR_OH(oh));