Check for overflow when calculating on-disk attribute data size (HDFG…

…roup#2459) A bogus hdf5 file may contain dataspace messages with sizes which lead to the on-disk data sizes to exceed what is addressable. When calculating the size, make sure, the multiplication does not overflow. The test case was crafted in a way that the overflow caused the size to be 0. This fixes CVE-2021-37501 / Bug HDFGroup#2458. Signed-off-by: Egbert Eich <eich@suse.com>
e4t · Feb 13, 2023 · 6f25c82 · 6f25c82
1 parent e8ecd84
commit 6f25c82
Show file tree

Hide file tree

Showing 3 changed files with 34 additions and 0 deletions.
diff --git a/release_docs/RELEASE.txt b/release_docs/RELEASE.txt
@@ -207,6 +207,19 @@ Bug Fixes since HDF5-1.13.3 release
 ===================================
     Library
     -------
+    - Fix CVE-2021-37501 / GHSA-rfgw-5vq3-wrjf
+
+      Check for overflow when calculating on-disk attribute data size.
+
+      A bogus hdf5 file may contain dataspace messages with sizes
+      which lead to the on-disk data sizes to exceed what is addressable.
+      When calculating the size, make sure, the multiplication does not
+      overflow.
+      The test case was crafted in a way that the overflow caused the
+      size to be 0.
+
+      (EFE - 2023/02/11 GH-2458)
+
     - Seg fault on file close
 
       h5debug fails at file close with core dump on a file that has an

diff --git a/src/H5Oattr.c b/src/H5Oattr.c
@@ -230,6 +230,9 @@ H5O__attr_decode(H5F_t *f, H5O_t *open_oh, unsigned H5_ATTR_UNUSED mesg_flags, u
 
     /* Compute the size of the data */
     H5_CHECKED_ASSIGN(attr->shared->data_size, size_t, ds_size * (hsize_t)dt_size, hsize_t);
+    H5_CHECK_MUL_OVERFLOW(attr->shared->data_size, ds_size, dt_size,
+			  HGOTO_ERROR(H5E_ATTR, H5E_OVERFLOW, NULL,
+				      "data size exceeds addressable range"))
 
     /* Go get the data */
     if (attr->shared->data_size) {

diff --git a/src/H5private.h b/src/H5private.h
@@ -1562,6 +1562,24 @@ H5_DLL int HDvasprintf(char **bufp, const char *fmt, va_list _ap);
 #define H5_CHECK_OVERFLOW(var, vartype, casttype)
 #endif /* NDEBUG */
 
+/*
+ * A macro for checking whether a multiplication has overflown
+ * r is assumed to be the result of a prior multiplication of a and b
+ */
+#define H5_CHECK_MUL_OVERFLOW(r, a, b, err)                                                                  \
+    {                                                                                                        \
+        bool mul_overflow = false;                                                                           \
+        if (r != 0) {                                                                                        \
+            if (r / a != b)                                                                                  \
+                mul_overflow = true;                                                                         \
+        } else {                                                                                             \
+            if (a != 0 && b != 0)                                                                            \
+                mul_overflow = true;                                                                         \
+        }                                                                                                    \
+        if (mul_overflow)                                                                                    \
+            err                                                                                              \
+    }
+
 /*
  * A macro for detecting over/under-flow when assigning between types
  */