* Remove duplicate code
Signed-off-by: Egbert Eich <eich@suse.com>
* Add test case for CVE-2021-37501
Bogus sizes in this test case cause the on-disk data size
calculation in H5O__attr_decode() to overflow so that the
calculated size becomes 0. This causes the read to overflow
and h5dump to segfault.
This test case was crafted; the test file was not directly
generated by HDF5.
Test case from:
https://github.com/ST4RF4LL/Something_Found/blob/main/HDF5_v1.13.0_h5dump_heap_overflow.md
* Add fetchcontent for compression libs and fix cmake config
* MSDOS is a reserved define name
* Add release note and update install doc for FetchContent
* Add CI test for FetchContent
* Use LINK_COMP_LIBS instead of STATIC_LIBRARY for depends
* Use general link
* CMake generated pkg-config file is incorrect #2259
* Fix fortran pc template
* hdf5.pc is incorrect for debug builds #1546
* Correct pkg name and lib name
* Fix typo
* Fix missing space
* H5F_LIBVER_LATEST changes for move to 1.15
* Add new default api check
* Format fixes
* Fix default configure
* fix lib version tests
* Fix another version variable
* Add 1.14 doc link
* Fix for HDFFV-11052: h5debug fails on a corrupted file (h5_nrefs_POC) producing a core dump.
When h5debug closes the corrupted file, the library calls H5F__dest() which performs all the
closing operations for the file "f" (H5F_t *) but just keeps note of errors in "ret_value"
all the way till the end of the routine. The user-provided corrupted file has an illegal
file size causing failure when reading the image during the closing process.
At the end of this routine it sets f->shared to NULL and then frees "f".
This is done whether or not there is an error in "ret_value".
Due to the failure in reading the file earlier, the routine then returns an error.
The error return from H5F__dest() causes the file object "f" not to be removed from the
ID node table. When the library finally exits, it will try to close the
file objects in the table. This causes an assert failure when H5F_ID_EXISTS(f) or H5F_NREFS(f).
Fix:
a) H5F_dest(): free the f only when there is no error in "ret_value" at the end of the routine.
b) H5VL__native_file_close(): if f->shared is NULL, free "f"; otherwise, perform closing on "f" as before.
c) h5debug.c main(): track error return from H5Fclose().
* Committing clang-format changes
* Add test and release note info for fix to HDFFV-11052 which is merged via PR#2291.
* Committing clang-format changes
* Add the test file to Cmake.
Co-authored-by: vchoi <vchoi@jelly.ad.hdfgroup.org>
Co-authored-by: github-actions <41898282+github-actions[bot]@users.noreply.github.com>
* Compound datatypes may not have members of size 0
A member size of 0 may lead to an FPE later on as reported in
CVE-2021-46244. To avoid this, check for this as soon as the
member is decoded.
This should probably be done in H5O_dtype_decode_helper() already,
however it is not clear whether all sizes are expected to be != 0.
This fixes CVE-2021-46244 / Bug #2242.
Signed-off-by: Egbert Eich <eich@suse.com>
* Rework error recovery code in H5O__dtype_decode_helper() and
H5O__dtype_decode().
* Format changes for src/H5Odtype.c.
Signed-off-by: Egbert Eich <eich@suse.com>
Co-authored-by: Neil Fortner <nfortne2@hdfgroup.org>
Co-authored-by: Larry Knox <lrknox@hdfgroup.org>
* When evicting driver info block, NULL the corresponding entry
Since H5C_expunge_entry() called (from H5AC_expunge_entry()) sets the flag
H5C__FLUSH_INVALIDATE_FLAG, the driver info block will be freed. NULLing the
pointer in f->shared->drvinfo will prevent use-after-free when it is used in other
functions (like H5F__dest()) - as other places will check whether the pointer is
initialized before using its value.
This fixes CVE-2021-46242 / Bug #2254
Signed-off-by: Egbert Eich <eich@suse.com>
* When evicting the superblock, NULL the corresponding entry
The call to H5AC_expunge_entry() will free the corresponding structure;
to avoid a use-after-free, the corresponding pointer entry will be NULLed.
Signed-off-by: Egbert Eich <eich@suse.com>
Signed-off-by: Egbert Eich <eich@suse.com>
For Data Layout Messages version 1 & 2 the specification states
that the value stored in the data field is 1 greater than the
number of dimensions in the dataspace. For version 3 this is
not explicitly stated but the implementation suggests it to be
the case.
Thus the set value needs to be at least 2. For dimensionality
< 2 an out-of-bounds access occurs as in CVE-2021-45833.
This fixes CVE-2021-45833 / Bug #2240.
Signed-off-by: Egbert Eich <eich@suse.com>
Signed-off-by: Egbert Eich <eich@suse.com>
Co-authored-by: Larry Knox <lrknox@hdfgroup.org>
The size of the enumeration values is determined by the size of the parent.
Functions accessing the enumeration values use the size of the enumeration
to determine the size of each element and how much data to copy. Thus the
size of the enumeration and its parent need to match.
Check here to avoid unpleasant surprises later.
This fixes CVE-2018-14031 / Bug #2236.
Signed-off-by: Egbert Eich <eich@suse.com>
According to the specification, the information block for external links
contains 1 byte of version/flag information and two 0 terminated strings
for the object linked to and the full path.
Although not very useful, the minimum string length for each (with
terminating 0) would be one byte.
Checking this will help to avoid SEGVs triggered by bogus files.
This fixes CVE-2018-16438 / Bug #2233.
Signed-off-by: Egbert Eich <eich@suse.com>
Initially, the accumulated metadata location is initialized to HADDR_UNDEF
- the highest available address. Bogus input files may provide a location
or size matching this value. Comparing this address against such bogus
values may provide false positives. This makes sure the value has been
initialized, or fails the comparison early and lets other parts of the
code deal with the bogus address/size.
Note: To avoid unnecessary checks, we have assumed that if the 'dirty'
member in the same structure is true the location is valid.
This fixes CVE-2018-13867 / Bug #2230.
Signed-off-by: Egbert Eich <eich@suse.com>
When decoding a file space info message in H5O__fsinfo_decode() make
sure each element to be decoded is still within the message. Malformed
hdf5 files may have truncated content which does not match the
expected size. Checking this will prevent attempting to decode
unrelated data and heap overflows. So far, only free space manager
address data was checked before decoding.
This fixes CVE-2021-45830 / Bug #2228.
Signed-off-by: Egbert Eich <eich@suse.com>
Additions
Co-authored-by: Larry Knox <lrknox@hdfgroup.org>
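The pattern shared by the size-overflow (h5dump test case, CVE-2021-37501), zero-member-size (CVE-2021-46244) and truncated-message (CVE-2021-45830) fixes above, as an added example that is not HDF5 project code: a decoder for a constructed message layout that checks every read against the end of the message and rejects a count*size product that would wrap before it is used. The layout, the 0xAB filler and the function names are assumptions for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Constructed message layout (an assumption, not an HDF5 format): 8-byte
 * little-endian element count, 8-byte little-endian element size, then
 * count*size payload bytes. Every read is checked against the message end
 * first, and count*size is checked for wrap-around before it is trusted. */

/* True if `need` bytes are still available between p and end. */
static int fits(const uint8_t *p, const uint8_t *end, size_t need) {
    return p <= end && need <= (size_t)(end - p);
}

/* Reads one little-endian uint64 and advances *pp; 0 if it would overrun. */
static int decode_le64(const uint8_t **pp, const uint8_t *end, uint64_t *out) {
    uint64_t v = 0;
    if (!fits(*pp, end, 8)) return 0;
    for (int i = 7; i >= 0; i--) v = (v << 8) | (*pp)[i];
    *pp += 8;
    *out = v;
    return 1;
}

/* Returns the payload length, or -1 for a malformed message. */
long decode_message(const uint8_t *msg, size_t msg_len, const uint8_t **payload) {
    const uint8_t *p = msg, *end = msg + msg_len;
    uint64_t count, elem_size;
    if (!decode_le64(&p, end, &count) || !decode_le64(&p, end, &elem_size))
        return -1;                               /* header itself is truncated */
    if (elem_size == 0) return -1;               /* zero size divides by zero downstream */
    if (count > SIZE_MAX / elem_size) return -1; /* product would wrap (possibly to 0) */
    size_t total = (size_t)(count * elem_size);
    if (!fits(p, end, total)) return -1;         /* payload shorter than the header claims */
    *payload = p;
    return (long)total;
}

/* Builds a message with the given header and payload_len filler bytes, then decodes it. */
long decode_built(uint64_t count, uint64_t elem_size, size_t payload_len) {
    uint8_t buf[16 + 64];
    const uint8_t *payload = NULL;
    if (payload_len > 64) return -2;             /* larger than this demo buffer */
    for (int i = 0; i < 8; i++) {
        buf[i] = (uint8_t)(count >> (8 * i));
        buf[8 + i] = (uint8_t)(elem_size >> (8 * i));
    }
    memset(buf + 16, 0xAB, payload_len);
    return decode_message(buf, 16 + payload_len, &payload);
}
```

With the wrap check removed, a count and size of 2^32 each would multiply to 0 on a 64-bit build and the truncated-payload check would pass, which is the shape of the h5dump crash described above.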
Malformed hdf5 files may provide more dimensions than the array dim[] in
H5IMget_image_info() is able to hold. Check number of elements first by calling
H5Sget_simple_extent_dims() with NULL for both 'dims' and 'maxdims' arguments.
This will cause the function to return only the number of dimensions.
The fix addresses a stack overflow on write.
This fixes CVE-2018-17439 / HDFFV-10589 / Bug #2226.
Signed-off-by: Egbert Eich <eich@suse.com>
Signed-off-by: Egbert Eich <eich@suse.com>
* Removes MPE instrumentation support.
The Autotools will no longer accept --with-mpe= and the logging commands
have been removed from the FUNC_ENTER macros. CMake has never supported
instrumenting for MPE.
* Committing clang-format changes
Co-authored-by: github-actions <41898282+github-actions[bot]@users.noreply.github.com>
This has not been used to debug the library in a very long time. Most
developers use valgrind, -fsanitize=address, or some other memory checker
instead of this library.
This removes:
* dmalloc.h include from H5private.h
* --with-dmalloc= Autotools configure option
* HDF5_ENABLE_USING_DMALLOC CMake option
* Update link for Software Changes in RELEASE.txt.
Add RELEASE.txt contents from 1.13.3 release to HISTORY-1_13.txt.
* Reverse order of entries in HISTORY-1_13.txt to match the order in previous HISTORY
files.
* Some Javadoc warning fixes
* Updated javadoc fixes
* HDFFV-11229 Fix long double usage in tools and java
Changed h5dump and h5ls to just print 128-bit for long double type.
Added test and file for dataset and attributes with all three float
types.
* Committing clang-format changes
* HDFFV-11229 Add release note
* HDFFV-11229 windows testfile needed
* fix typo
* Remove non supported message text
* HDFFV-11229 - change ldouble test to check both native and general
* HDFFV-11229 add second file compare
* HDFFV-11229 fix reference file
* HDFFV-11229 autotools check two refs
* HDFFV-11229 revert back to removal of NATIVE_LDOUBLE in tools output
* Committing clang-format changes
* Update release note
* Update attribute type of ref file
* Change source of ninja for macs
* try port instead of brew
* Recommended is to use brew.
* Undo non long double changes
* remove unneeded file
* Fix perl and doxygen CMake code
* Add "option" command for clang options
* Rework CMake add_custom to use the BYPRODUCTS argument
* Add stamp files to BYPRODUCTS
* Only one copy of file exists
* Fix custom command depends targets
* Fix fortran custom command DEPENDS
* Add LD_LIBRARY_PATH to tests
* Add custom target for DEPENDS
* Add h5detect conditionally to generated target DEPENDS
* Correct DEPENDS targets
* Parallel builds need the mpi compiler for pkgconfig scripts.
* install only if MPI build
* Fortran target depends
* Remove incorrect source attribute
* doxygen adjustments
* doxygen build updates
* Correct version
* Correct function version - function has been merged to 1.12
* Correct version string for map functions
* Cleanup warnings for tools debug builds
* TRILAB-227 - fix indexing for h5diff selections
* Correct location of pos to index function call
* TRILAB-227 Enable test
* Quote subset args
* Use MATCHES because of AppleClang
* if blocks needed for build modes
* Update list of DT platforms
* VS2019 correctly displays float values
* revert VS2019 change
* Issue #669 remove version from pkgcfg filename
* remove version from h5cc script
* Java reference functions updated
enabled fortran in cmake gcc action yaml file
java reference test changed to correctly test refs
jni reference functions that create ids changed to use jni id logging
* Correct BYPRODUCTS argument
* Correct more generated files BYPRODUCTS
* BYPRODUCTS must have unique locations
* Fix typo
* Fix fortran configure checks
* Rework H5_PAC_C_MAX_REAL_PRECISION setting logic
* Add note about fortran configure change
* Adds a quick fix for some egregious chunk_info badness (#722)
* Fixes issue with ccmake that prevents building Fortran (#723)
ccmake runs iteratively, and the check_fortran_source_runs
macros were clobbering a single output file that did not
get updated on further configure iterations
* Fix conflicts with merge
* Move MAX_PRECISION back to HDF5UseFortran.cmake
* Use STREQUAL to test macro argument
* Move C language test to ConfigureChecks from HDF5UseFortran
* MAX_PRECISION defines must be defined
* Organize flags and align autotools and cmake
* Fix comment in no-error-general warnings files.
* Flag cleanup and fix typos
* Add comment
* Correct VAR used to find configure time file
* Set the path correctly
* Update missing release note info.
* Update code owners
* Correct JIRA note
* add known problem.
* Use only core library for testing dynamic plugins.
* Committing clang-format changes
* Update main.yml
* Update HISTORY-1_13.txt
Missing release note added for changed location of CMake configuration files.
* Update HISTORY-1_13.txt
Fix typo
* Update main.yml
revert change
* Updated version to 1.13.4-1 after creating hdf5_1_13_3 branch for 1.13.3
release.
Added new version to exceptions in lines 74-5 of src/H5.c
* Cleared RELEASE.txt entries following HDF5 1.13.3 release.
Co-authored-by: Allen Byrne <byrn@hdfgroup.org>
Co-authored-by: github-actions <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Allen Byrne <50328838+byrnHDF@users.noreply.github.com>
Co-authored-by: Dana Robinson <43805+derobins@users.noreply.github.com>
* Fix for HDFFV-10840: Instead of using fill->buf for datatype conversion
if it is large enough, a buffer is allocated regardless so that the element
in fill->buf can later be reclaimed.
Valgrind is run on test/set_extent.c and there is no memory leak.
* Add information of this fix to release notes.
Co-authored-by: vchoi <vchoi@jelly.ad.hdfgroup.org>