Merge pull request #60 from bmribler/develop

Fix HDFFV-10590
2025-03-31 17:10:47 +08:00 · 2020-11-12 11:22:10 -06:00 · 2020-11-12 11:22:10 -06:00 · fa40c6c59a
commit fa40c6c59a
parent cfb82afb80 9cde5c52b8
5 changed files with 53 additions and 7 deletions
--- a/1
+++ b/1
@ -2760,6 +2760,7 @@
 ./tools/test/h5repack/testfiles/h5repack_layout.h5-plugin_test.ddl
 ./tools/test/h5repack/testfiles/h5repack_layout.h5-plugin_version_test.ddl
 ./tools/test/h5repack/testfiles/h5repack_layout.h5-plugin_zero.ddl
+./tools/test/h5repack/testfiles/h5repack_HDFFV-10590_CVE-2018-17432.h5
 ./tools/test/h5repack/testfiles/GS.h5repack_paged_nopersist.h5.ddl
 ./tools/test/h5repack/testfiles/S.h5repack_fsm_aggr_persist.h5.ddl
 ./tools/test/h5repack/testfiles/SP.h5repack_fsm_aggr_nopersist.h5.ddl
--- a/src/H5Osdspace.c
+++ b/src/H5Osdspace.c
@ -138,8 +138,11 @@ H5O__sdspace_decode(H5F_t *f, H5O_t H5_ATTR_UNUSED *open_oh, unsigned H5_ATTR_UN
    flags = *p++;

    /* Get or determine the type of the extent */
-    if (version >= H5O_SDSPACE_VERSION_2)
+    if (version >= H5O_SDSPACE_VERSION_2) {
        sdim->type = (H5S_class_t)*p++;
+        if (sdim->type != H5S_SIMPLE && sdim->rank > 0)
+            HGOTO_ERROR(H5E_OHDR, H5E_BADVALUE, NULL, "invalid rank for scalar or NULL dataspace")
+    } /* end if */
    else {
        /* Set the dataspace type to be simple or scalar as appropriate */
        if (sdim->rank > 0)
@ -248,13 +251,15 @@ H5O__sdspace_encode(H5F_t *f, uint8_t *p, const void *_mesg)
        *p++ = 0; /*reserved*/
    }             /* end else */

-    /* Current & maximum dimensions */
-    if (sdim->rank > 0) {
-        for (u = 0; u < sdim->rank; u++)
-            H5F_ENCODE_LENGTH(f, p, sdim->size[u]);
-        if (flags & H5S_VALID_MAX) {
+    /* Encode dataspace dimensions for simple dataspaces */
+    if (H5S_SIMPLE == sdim->type) {
+        /* Encode current & maximum dimensions */
+        if (sdim->rank > 0) {
            for (u = 0; u < sdim->rank; u++)
-                H5F_ENCODE_LENGTH(f, p, sdim->max[u]);
+                H5F_ENCODE_LENGTH(f, p, sdim->size[u]);
+            if (flags & H5S_VALID_MAX)
+                for (u = 0; u < sdim->rank; u++)
+                    H5F_ENCODE_LENGTH(f, p, sdim->max[u]);
        } /* end if */
    }     /* end if */

--- a/tools/test/h5repack/CMakeTests.cmake
+++ b/tools/test/h5repack/CMakeTests.cmake
@ -51,6 +51,7 @@
      ${HDF5_TOOLS_TEST_H5REPACK_SOURCE_DIR}/testfiles/h5repack_named_dtypes.h5
      ${HDF5_TOOLS_TEST_H5REPACK_SOURCE_DIR}/testfiles/h5repack_nested_8bit_enum.h5
      ${HDF5_TOOLS_TEST_H5REPACK_SOURCE_DIR}/testfiles/h5repack_nested_8bit_enum_deflated.h5
+      ${HDF5_TOOLS_TEST_H5REPACK_SOURCE_DIR}/testfiles/h5repack_HDFFV-10590_CVE-2018-17432.h5
      ${HDF5_TOOLS_TEST_H5REPACK_SOURCE_DIR}/testfiles/h5repack_nbit.h5
      ${HDF5_TOOLS_TEST_H5REPACK_SOURCE_DIR}/testfiles/h5repack_objs.h5
      ${HDF5_TOOLS_TEST_H5REPACK_SOURCE_DIR}/testfiles/h5repack_refs.h5
@ -1549,6 +1550,11 @@
 # Note: this test is experimental for sharing test file among tools
  ADD_H5_TEST (HDFFV-7840 "TEST" h5diff_attr1.h5)

+# test CVE-2018-17432 fix
+  set (arg h5repack_HDFFV-10590_CVE-2018-17432.h5 h5repack_HDFFV-10590_CVE-2018-17432_out.h5 --low=1 --high=2 -f GZIP=8 -l dset1:CHUNK=5x6)
+  set (TESTTYPE "TEST")
+  ADD_H5_FILTER_TEST (HDFFV-10590 "" ${TESTTYPE} 1 ${arg})
+
 # tests for metadata block size option ('-M')
  ADD_H5_TEST_META (meta_short h5repack_layout.h5 -M 8192)
  ADD_H5_TEST_META (meta_long h5repack_layout.h5 --metadata_block_size=8192)
--- a/tools/test/h5repack/h5repack.sh.in
+++ b/tools/test/h5repack/h5repack.sh.in
@ -128,6 +128,8 @@ $SRC_H5REPACK_TESTFILES/h5repack_paged_nopersist.h5
 $SRC_H5REPACK_TESTFILES/h5repack_paged_persist.h5
 ########h5diff/testfile########
 $SRC_H5DIFF_TESTFILES/h5diff_attr1.h5
+########test#HDFFV-10590########
+$SRC_H5REPACK_TESTFILES/h5repack_HDFFV-10590_CVE-2018-17432.h5
 ########tools/testfiles#for#external#links########
 $SRC_TOOLS_TESTFILES/tsoftlinks.h5
 $SRC_TOOLS_TESTFILES/textlinkfar.h5
@ -865,6 +867,34 @@ TOOLTESTV()
   rm -f $outfile
 }

+# Same as TOOLTEST, but expects h5repack fails
+#
+TOOLTEST_FAIL()
+{
+    infile=$1
+    outfile=$2
+    expect="$TESTDIR/$2-$1.ddl"
+    actual="$TESTDIR/$2-$1.out"
+    actual_err="$TESTDIR/$2-$1.err"
+    shift
+    shift
+
+    # Run test.
+    TESTING $H5REPACK $@
+    (
+        cd $TESTDIR
+        $ENVCMD $RUNSERIAL $H5REPACK_BIN "$@" $infile $outfile
+    ) >$actual
+    RET=$?
+    if [ $RET == 0 ] ; then
+        nerrors="`expr $nerrors + 1`"
+        echo " FAILED"
+    else
+        echo " PASSED"
+    fi
+    rm -f $outfile
+}
+
 # This is same as TOOLTESTV() with comparing display output
 # with actual filename swapped
 #
@ -1681,6 +1711,10 @@ TOOLTEST HDFFV-5932 h5repack_attr_refs.h5
 # Note: this test is experimental for sharing test file among tools
 TOOLTEST HDFFV-7840 h5diff_attr1.h5

+# test HDFFV-10590
+arg="h5repack_HDFFV-10590_CVE-2018-17432.h5 h5repack_HDFFV-10590_CVE-2018-17432_out.h5 --low=1 --high=2 -f GZIP=8 -l dset1:CHUNK=5x6"
+TOOLTEST_FAIL $arg
+
 # tests for metadata block size option
 TOOLTEST_META meta_short h5repack_layout.h5 -M 8192
 TOOLTEST_META meta_long h5repack_layout.h5 --metadata_block_size=8192
--- a/tools/test/h5repack/testfiles/h5repack_HDFFV-10590_CVE-2018-17432.h5
+++ b/tools/test/h5repack/testfiles/h5repack_HDFFV-10590_CVE-2018-17432.h5