commit 2409f991667283f8fa1dacc66f245950693495aa
Author: Neil Fortner <nfortne2@hdfgroup.org>
Date: Thu Sep 8 10:48:54 2016 -0500
Fix issues in H5Znbit.c where the decompression algorithm would not check the compressed data for validity, potentially causing a buffer overflow.
Index: hdf5/src/H5Znbit.c
===================================================================
--- hdf5.orig/src/H5Znbit.c
+++ hdf5/src/H5Znbit.c
@@ -62,11 +62,11 @@ static void H5Z_nbit_decompress_one_noop
unsigned char *buffer, size_t *j, int *buf_len, unsigned size);
static void H5Z_nbit_decompress_one_atomic(unsigned char *data, size_t data_offset,
unsigned char *buffer, size_t *j, int *buf_len, parms_atomic p);
-static void H5Z_nbit_decompress_one_array(unsigned char *data, size_t data_offset,
+static herr_t H5Z__nbit_decompress_one_array(unsigned char *data, size_t data_offset,
unsigned char *buffer, size_t *j, int *buf_len, const unsigned parms[]);
-static void H5Z_nbit_decompress_one_compound(unsigned char *data, size_t data_offset,
+static herr_t H5Z__nbit_decompress_one_compound(unsigned char *data, size_t data_offset,
unsigned char *buffer, size_t *j, int *buf_len, const unsigned parms[]);
-static void H5Z_nbit_decompress(unsigned char *data, unsigned d_nelmts, unsigned char *buffer,
+static herr_t H5Z__nbit_decompress(unsigned char *data, unsigned d_nelmts, unsigned char *buffer,
const unsigned parms[]);
static void H5Z_nbit_compress_one_nooptype(unsigned char *data, size_t data_offset,
unsigned char *buffer, size_t *j, int *buf_len, unsigned size);
@@ -899,7 +899,8 @@ H5Z_filter_nbit(unsigned flags, size_t c
HGOTO_ERROR(H5E_RESOURCE, H5E_NOSPACE, 0, "memory allocation failed for nbit decompression")
/* decompress the buffer */
- H5Z_nbit_decompress(outbuf, d_nelmts, (unsigned char *)*buf, cd_values);
+ if(H5Z__nbit_decompress(outbuf, d_nelmts, (unsigned char *)*buf, cd_values) < 0)
+ HGOTO_ERROR(H5E_PLINE, H5E_CANTFILTER, 0, "can't decompress buffer")
} /* end if */
/* output; compress */
else {
@@ -1048,12 +1049,15 @@ H5Z_nbit_decompress_one_atomic(unsigned
}
}
-static void
-H5Z_nbit_decompress_one_array(unsigned char *data, size_t data_offset,
+static herr_t
+H5Z__nbit_decompress_one_array(unsigned char *data, size_t data_offset,
unsigned char *buffer, size_t *j, int *buf_len, const unsigned parms[])
{
unsigned i, total_size, base_class, base_size, n, begin_index;
parms_atomic p;
+ herr_t ret_value = SUCCEED; /* Return value */
+
+ FUNC_ENTER_STATIC
total_size = parms[parms_index++];
base_class = parms[parms_index++];
@@ -1064,6 +1068,11 @@ H5Z_nbit_decompress_one_array(unsigned c
p.order = parms[parms_index++];
p.precision = parms[parms_index++];
p.offset = parms[parms_index++];
+
+ /* Check values of precision and offset */
+ if(p.precision > p.size * 8 || (p.precision + p.offset) > p.size * 8)
+ HGOTO_ERROR(H5E_PLINE, H5E_BADTYPE, FAIL, "invalid datatype precision/offset")
+
n = total_size/p.size;
for(i = 0; i < n; i++)
H5Z_nbit_decompress_one_atomic(data, data_offset + i*p.size,
@@ -1074,8 +1083,9 @@ H5Z_nbit_decompress_one_array(unsigned c
n = total_size/base_size; /* number of base_type elements inside the array datatype */
begin_index = parms_index;
for(i = 0; i < n; i++) {
- H5Z_nbit_decompress_one_array(data, data_offset + i*base_size,
- buffer, j, buf_len, parms);
+ if(H5Z__nbit_decompress_one_array(data, data_offset + i * base_size,
+ buffer, j, buf_len, parms) < 0)
+ HGOTO_ERROR(H5E_PLINE, H5E_CANTFILTER, FAIL, "can't decompress array")
parms_index = begin_index;
}
break;
@@ -1084,8 +1094,9 @@ H5Z_nbit_decompress_one_array(unsigned c
n = total_size/base_size; /* number of base_type elements inside the array datatype */
begin_index = parms_index;
for(i = 0; i < n; i++) {
- H5Z_nbit_decompress_one_compound(data, data_offset + i*base_size,
- buffer, j, buf_len, parms);
+ if(H5Z__nbit_decompress_one_compound(data, data_offset + i * base_size,
+ buffer, j, buf_len, parms) < 0)
+ HGOTO_ERROR(H5E_PLINE, H5E_CANTFILTER, FAIL, "can't decompress compound")
parms_index = begin_index;
}
break;
@@ -1096,40 +1107,62 @@ H5Z_nbit_decompress_one_array(unsigned c
default:
HDassert(0 && "This Should never be executed!");
} /* end switch */
+
+done:
+ FUNC_LEAVE_NOAPI(ret_value)
}
-static void
-H5Z_nbit_decompress_one_compound(unsigned char *data, size_t data_offset,
+static herr_t
+H5Z__nbit_decompress_one_compound(unsigned char *data, size_t data_offset,
unsigned char *buffer, size_t *j, int *buf_len, const unsigned parms[])
{
- unsigned i, nmembers, member_offset, member_class, size;
+ unsigned i, nmembers, member_offset, member_class, member_size, used_size = 0, size;
parms_atomic p;
+ herr_t ret_value = SUCCEED; /* Return value */
+
+ FUNC_ENTER_STATIC
- parms_index++; /* skip total size of compound datatype */
+ size = parms[parms_index++];
nmembers = parms[parms_index++];
for(i = 0; i < nmembers; i++) {
member_offset = parms[parms_index++];
member_class = parms[parms_index++];
+
+ /* Check for overflow */
+ member_size = parms[parms_index];
+ used_size += member_size;
+ if(used_size > size)
+ HGOTO_ERROR(H5E_PLINE, H5E_BADTYPE, FAIL, "compound member offset overflowed compound size")
switch(member_class) {
case H5Z_NBIT_ATOMIC:
- p.size = parms[parms_index++];
+ p.size = member_size;
+ /* Advance past member size */
+ parms_index++;
p.order = parms[parms_index++];
p.precision = parms[parms_index++];
p.offset = parms[parms_index++];
+
+ /* Check values of precision and offset */
+ if(p.precision > p.size * 8 || (p.precision + p.offset) > p.size * 8)
+ HGOTO_ERROR(H5E_PLINE, H5E_BADTYPE, FAIL, "invalid datatype precision/offset")
+
H5Z_nbit_decompress_one_atomic(data, data_offset + member_offset,
buffer, j, buf_len, p);
break;
case H5Z_NBIT_ARRAY:
- H5Z_nbit_decompress_one_array(data, data_offset + member_offset,
- buffer, j, buf_len, parms);
+ if(H5Z__nbit_decompress_one_array(data, data_offset + member_offset,
+ buffer, j, buf_len, parms) < 0)
+ HGOTO_ERROR(H5E_PLINE, H5E_CANTFILTER, FAIL, "can't decompress array")
break;
case H5Z_NBIT_COMPOUND:
- H5Z_nbit_decompress_one_compound(data, data_offset+member_offset,
- buffer, j, buf_len, parms);
+ if(H5Z__nbit_decompress_one_compound(data, data_offset+member_offset,
+ buffer, j, buf_len, parms) < 0)
+ HGOTO_ERROR(H5E_PLINE, H5E_CANTFILTER, FAIL, "can't decompress compound")
break;
case H5Z_NBIT_NOOPTYPE:
- size = parms[parms_index++];
+ /* Advance past member size */
+ parms_index++;
H5Z_nbit_decompress_one_nooptype(data, data_offset+member_offset,
buffer, j, buf_len, size);
break;
@@ -1137,10 +1170,13 @@ H5Z_nbit_decompress_one_compound(unsigne
HDassert(0 && "This Should never be executed!");
} /* end switch */
}
+
+done:
+ FUNC_LEAVE_NOAPI(ret_value)
}
-static void
-H5Z_nbit_decompress(unsigned char *data, unsigned d_nelmts, unsigned char *buffer,
+static herr_t
+H5Z__nbit_decompress(unsigned char *data, unsigned d_nelmts, unsigned char *buffer,
const unsigned parms[])
{
/* i: index of data, j: index of buffer,
@@ -1148,6 +1184,9 @@ H5Z_nbit_decompress(unsigned char *data,
size_t i, j, size;
int buf_len;
parms_atomic p;
+ herr_t ret_value = SUCCEED; /* Return value */
+
+ FUNC_ENTER_STATIC
/* may not have to initialize to zeros */
for(i = 0; i < d_nelmts*parms[4]; i++) data[i] = 0;
@@ -1163,6 +1202,11 @@ H5Z_nbit_decompress(unsigned char *data,
p.order = parms[5];
p.precision = parms[6];
p.offset = parms[7];
+
+ /* Check values of precision and offset */
+ if(p.precision > p.size * 8 || (p.precision + p.offset) > p.size * 8)
+ HGOTO_ERROR(H5E_PLINE, H5E_BADTYPE, FAIL, "invalid datatype precision/offset")
+
for(i = 0; i < d_nelmts; i++) {
H5Z_nbit_decompress_one_atomic(data, i*p.size, buffer, &j, &buf_len, p);
}
@@ -1171,7 +1215,8 @@ H5Z_nbit_decompress(unsigned char *data,
size = parms[4];
parms_index = 4;
for(i = 0; i < d_nelmts; i++) {
- H5Z_nbit_decompress_one_array(data, i*size, buffer, &j, &buf_len, parms);
+ if(H5Z__nbit_decompress_one_array(data, i * size, buffer, &j, &buf_len, parms) < 0)
+ HGOTO_ERROR(H5E_PLINE, H5E_CANTFILTER, FAIL, "can't decompress array")
parms_index = 4;
}
break;
@@ -1179,13 +1224,17 @@ H5Z_nbit_decompress(unsigned char *data,
size = parms[4];
parms_index = 4;
for(i = 0; i < d_nelmts; i++) {
- H5Z_nbit_decompress_one_compound(data, i*size, buffer, &j, &buf_len, parms);
+ if(H5Z__nbit_decompress_one_compound(data, i * size, buffer, &j, &buf_len, parms) < 0)
+ HGOTO_ERROR(H5E_PLINE, H5E_CANTFILTER, FAIL, "can't decompress compound")
parms_index = 4;
}
break;
default:
HDassert(0 && "This Should never be executed!");
} /* end switch */
+
+done:
+ FUNC_LEAVE_NOAPI(ret_value)
}
static void H5Z_nbit_compress_one_byte(unsigned char *data, size_t data_offset, int k, int begin_i,
distrib
>
Mageia
>
5
>
x86_64
>
media
>
core-updates-src
>
by-pkgid
>
b2a9cff828d5d72e3b98199430d30945
>
files
>
3
