Sanitize B-tree k ohdr message decode call (#2754)

* Check buffer bounds * Clean up memory on errors
2025-04-12 17:31:09 +08:00 · 2023-04-16 18:58:47 -07:00 · 2023-04-16 18:58:47 -07:00 · cba64e16f7
commit cba64e16f7
parent 41b61bfe53
1 changed files with 20 additions and 13 deletions
--- a/src/H5Obtreek.c
+++ b/src/H5Obtreek.c
@ -59,33 +59,32 @@ const H5O_msg_class_t H5O_MSG_BTREEK[1] = {{
 #define H5O_BTREEK_VERSION 0

 /*-------------------------------------------------------------------------
- * Function:	H5O__btreek_decode
+ * Function:    H5O__btreek_decode
 *
- * Purpose:	Decode a shared message table message and return a pointer
+ * Purpose:     Decode a shared message table message and return a pointer
 *              to a newly allocated H5O_btreek_t struct.
 *
- * Return:	Success:	Ptr to new message in native struct.
- *		Failure:	NULL
- *
- * Programmer:  Quincey Koziol
- *              Mar  1, 2007
- *
+ * Return:      Success:    Pointer to new message in native struct
+ *              Failure:    NULL
 *-------------------------------------------------------------------------
 */
 static void *
-H5O__btreek_decode(H5F_t H5_ATTR_UNUSED *f, H5O_t H5_ATTR_UNUSED *open_oh, unsigned H5_ATTR_UNUSED mesg_flags,
-                   unsigned H5_ATTR_UNUSED *ioflags, size_t H5_ATTR_UNUSED p_size, const uint8_t *p)
+H5O__btreek_decode(H5F_t H5_ATTR_NDEBUG_UNUSED *f, H5O_t H5_ATTR_UNUSED *open_oh,
+                   unsigned H5_ATTR_UNUSED mesg_flags, unsigned H5_ATTR_UNUSED *ioflags, size_t p_size,
+                   const uint8_t *p)
 {
-    H5O_btreek_t *mesg;             /* Native message */
-    void         *ret_value = NULL; /* Return value */
+    const uint8_t *p_end     = p + p_size - 1; /* End of input buffer */
+    H5O_btreek_t  *mesg      = NULL;           /* Native message */
+    void          *ret_value = NULL;           /* Return value */

    FUNC_ENTER_PACKAGE

-    /* Sanity check */
    HDassert(f);
    HDassert(p);

    /* Version of message */
+    if (H5_IS_BUFFER_OVERFLOW(p, 1, p_end))
+        HGOTO_ERROR(H5E_OHDR, H5E_OVERFLOW, NULL, "ran off end of input buffer while decoding");
    if (*p++ != H5O_BTREEK_VERSION)
        HGOTO_ERROR(H5E_OHDR, H5E_CANTLOAD, NULL, "bad version number for message")

@ -94,14 +93,22 @@ H5O__btreek_decode(H5F_t H5_ATTR_UNUSED *f, H5O_t H5_ATTR_UNUSED *open_oh, unsig
        HGOTO_ERROR(H5E_RESOURCE, H5E_NOSPACE, NULL, "memory allocation failed for v1 B-tree 'K' message")

    /* Retrieve non-default B-tree 'K' values */
+    if (H5_IS_BUFFER_OVERFLOW(p, 2, p_end))
+        HGOTO_ERROR(H5E_OHDR, H5E_OVERFLOW, NULL, "ran off end of input buffer while decoding");
    UINT16DECODE(p, mesg->btree_k[H5B_CHUNK_ID]);
+    if (H5_IS_BUFFER_OVERFLOW(p, 2, p_end))
+        HGOTO_ERROR(H5E_OHDR, H5E_OVERFLOW, NULL, "ran off end of input buffer while decoding");
    UINT16DECODE(p, mesg->btree_k[H5B_SNODE_ID]);
+    if (H5_IS_BUFFER_OVERFLOW(p, 2, p_end))
+        HGOTO_ERROR(H5E_OHDR, H5E_OVERFLOW, NULL, "ran off end of input buffer while decoding");
    UINT16DECODE(p, mesg->sym_leaf_k);

    /* Set return value */
    ret_value = (void *)mesg;

 done:
+    if (NULL == ret_value)
+        H5MM_free(mesg);
    FUNC_LEAVE_NOAPI(ret_value)
 } /* end H5O__btreek_decode() */