From b780615b6def50373c37b2f5d1dfd649c85b61d2 Mon Sep 17 00:00:00 2001 From: Alex Date: Wed, 23 Aug 2023 21:35:06 +0200 Subject: [PATCH] Fix Heap-buffer-overflow WRITE in H5MM_memcpy (#3368) --- release_docs/RELEASE.txt | 4 ++++ src/H5Oalloc.c | 3 +++ 2 files changed, 7 insertions(+) diff --git a/release_docs/RELEASE.txt b/release_docs/RELEASE.txt index 7de4b18539b..2772dd8aa61 100644 --- a/release_docs/RELEASE.txt +++ b/release_docs/RELEASE.txt @@ -589,6 +589,10 @@ Bug Fixes since HDF5-1.14.0 release Fixes Github issue #3034 + - Fixed write buffer overflow in H5O__alloc_chunk + + The overflow was found by OSS-Fuzz https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=58658 + Java Library ------------ - Fixed switch case 'L' block missing a break statement. diff --git a/src/H5Oalloc.c b/src/H5Oalloc.c index 16bbab839f5..5e80685e1d5 100644 --- a/src/H5Oalloc.c +++ b/src/H5Oalloc.c @@ -946,6 +946,9 @@ H5O__alloc_chunk(H5F_t *f, H5O_t *oh, size_t size, size_t found_null, const H5O_ else { assert(curr_msg->type->id != H5O_CONT_ID); + if (size < curr_msg->raw_size + (size_t)H5O_SIZEOF_MSGHDR_OH(oh)) + HGOTO_ERROR(H5E_OHDR, H5E_BADVALUE, FAIL, "invalid size"); + /* Copy the raw data */ H5MM_memcpy(p, curr_msg->raw - (size_t)H5O_SIZEOF_MSGHDR_OH(oh), curr_msg->raw_size + (size_t)H5O_SIZEOF_MSGHDR_OH(oh));