Commit
Fix Heap-buffer-overflow WRITE in H5MM_memcpy (HDFGroup#3368)
sashashura authored and qkoziol committed Sep 30, 2023
1 parent 53c1e6a commit b780615
Showing 2 changed files with 7 additions and 0 deletions.
4 changes: 4 additions & 0 deletions release_docs/RELEASE.txt
Expand Up @@ -589,6 +589,10 @@ Bug Fixes since HDF5-1.14.0 release

Fixes Github issue #3034

- Fixed write buffer overflow in H5O__alloc_chunk

The overflow was found by OSS-Fuzz https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=58658

Java Library
------------
- Fixed switch case 'L' block missing a break statement.
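Review bot: The new RELEASE.txt entry names the function but not the condition that triggered the overflow or what callers now see. The code change in this commit makes H5O__alloc_chunk fail with H5E_BADVALUE when the requested size is smaller than the message plus its header, so the entry should say that the operation now returns an error in that case instead of writing past the buffer. The commit title describes the fault as a heap-buffer-overflow WRITE in H5MM_memcpy while the entry says H5O__alloc_chunk; mentioning both would make the note easier to match against the OSS-Fuzz report it links.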
3 changes: 3 additions & 0 deletions src/H5Oalloc.c
Expand Up @@ -946,6 +946,9 @@ H5O__alloc_chunk(H5F_t *f, H5O_t *oh, size_t size, size_t found_null, const H5O_
else {
assert(curr_msg->type->id != H5O_CONT_ID);

if (size < curr_msg->raw_size + (size_t)H5O_SIZEOF_MSGHDR_OH(oh))
HGOTO_ERROR(H5E_OHDR, H5E_BADVALUE, FAIL, "invalid size");

/* Copy the raw data */
H5MM_memcpy(p, curr_msg->raw - (size_t)H5O_SIZEOF_MSGHDR_OH(oh),
curr_msg->raw_size + (size_t)H5O_SIZEOF_MSGHDR_OH(oh));
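Review bot: The added check compares the copy length against `size`, but the write goes to `p`, and nothing in this hunk shows that `p` still has `size` bytes available at this point. If `p` has already been advanced into the new chunk (for example past a prefix), the bound should be the space remaining from `p` to the end of the chunk image, not `size` itself. Two smaller points: `curr_msg->raw_size + (size_t)H5O_SIZEOF_MSGHDR_OH(oh)` is now computed in both the check and the copy, so a local variable would keep the two in sync and give one place to guard the addition against wrapping; and "invalid size" would be more useful for triage if it said the chunk size is too small for the message being moved. The commit touches only RELEASE.txt and H5Oalloc.c, so a regression test built from the fuzzer input would be worth adding.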