|
|
@@ -0,0 +1,36 @@
|
|
|
+From f76c5adea55edec75680fdd7365cc97abc112d0e Mon Sep 17 00:00:00 2001
|
|
|
+From: Glenn Song <43005495+glennsong09@users.noreply.github.com>
|
|
|
+Date: Mon, 15 Sep 2025 07:56:54 -0500
|
|
|
+Subject: [PATCH] Fix CVE-2025-2924 (#5814)
|
|
|
+
|
|
|
+CVE: CVE-2025-2924
|
|
|
+Upstream-Status: Backport [https://github.com/HDFGroup/hdf5/commit/0a57195ca67d278f1cf7d01566c121048e337a59]
|
|
|
+
|
|
|
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
|
|
|
+---
|
|
|
+ src/H5HLcache.c | 5 +++++
|
|
|
+ 1 file changed, 5 insertions(+)
|
|
|
+
|
|
|
+diff --git a/src/H5HLcache.c b/src/H5HLcache.c
|
|
|
+index d0836fe..7f412d2 100644
|
|
|
+--- a/src/H5HLcache.c
|
|
|
++++ b/src/H5HLcache.c
|
|
|
+@@ -225,6 +225,7 @@ H5HL__fl_deserialize(H5HL_t *heap)
|
|
|
+ /* check arguments */
|
|
|
+ assert(heap);
|
|
|
+ assert(!heap->freelist);
|
|
|
++ HDcompile_assert(sizeof(hsize_t) == sizeof(uint64_t));
|
|
|
+
|
|
|
+ /* Build free list */
|
|
|
+ free_block = heap->free_block;
|
|
|
+@@ -232,6 +233,10 @@ H5HL__fl_deserialize(H5HL_t *heap)
|
|
|
+ const uint8_t *image; /* Pointer into image buffer */
|
|
|
+
|
|
|
+ /* Sanity check */
|
|
|
++
|
|
|
++ if (free_block > UINT64_MAX - (2 * heap->sizeof_size))
|
|
|
++ HGOTO_ERROR(H5E_HEAP, H5E_BADRANGE, FAIL, "decoded heap block address overflow");
|
|
|
++
|
|
|
+ if ((free_block + (2 * heap->sizeof_size)) > heap->dblk_size)
|
|
|
+ HGOTO_ERROR(H5E_HEAP, H5E_BADRANGE, FAIL, "bad heap free list");
|
|
|
+
|
Gyorgy Sarvari