diff --git a/release_docs/CHANGELOG.md b/release_docs/CHANGELOG.md
index 61184d1e3e9..d08176bc677 100644
--- a/release_docs/CHANGELOG.md
+++ b/release_docs/CHANGELOG.md
@@ -557,6 +557,12 @@ Added Fortran wrapper h5fdsubfiling_get_file_mapping_f() for the subfiling file
 
 ## Library
 
+### Fixed security issue CVE-2025-2915 and OSV-2024-381
+
+    Fixed a heap-based buffer overflow in H5F__accum_free caused by an integer overflow when calculating new_accum_size. Added validation in H5O__mdci_decode to detect and reject invalid values early, preventing the overflow condition.
+
+    Fixes GitHub issue #5380
+
 ### Fixed security issue CVE-2025-7068
 
     Failures during the discard process on a metadata cache entry could cause the library to skip calling the callback to free the cache entry. This could result in resource leaks and issues with flushing and closing the metadata cache during file close. This has been fixed by noting errors during the discard process, but attempting to fully free a cache entry before signalling that an error has occurred.
diff --git a/src/H5Faccum.c b/src/H5Faccum.c
index 4d713576ca6..5aefc5340e4 100644
--- a/src/H5Faccum.c
+++ b/src/H5Faccum.c
@@ -879,6 +879,9 @@ H5F__accum_free(H5F_shared_t *f_sh, H5FD_mem_t H5_ATTR_UNUSED type, haddr_t addr
 
             /* Calculate the size of the overlap with the accumulator, etc. */
             H5_CHECKED_ASSIGN(overlap_size, size_t, (addr + size) - accum->loc, haddr_t);
+            /* Sanity check */
+            /* Overlap size should not result in "negative" value after subtraction */
+            assert(overlap_size < accum->size);
             new_accum_size = accum->size - overlap_size;
 
             /* Move the accumulator buffer information to eliminate the freed block */
diff --git a/src/H5Ocache_image.c b/src/H5Ocache_image.c
index 30f0732d671..e7c6765d32e 100644
--- a/src/H5Ocache_image.c
+++ b/src/H5Ocache_image.c
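Review bot: `assert(overlap_size < accum->size)` only guards debug builds; under NDEBUG it is compiled out and `new_accum_size = accum->size - overlap_size` on the next line still wraps if this path is reached with an overlap larger than the accumulator. The release build is therefore protected only by the new H5O__mdci_decode validation, which covers that one message type rather than every caller of H5F__accum_free. Consider a runtime check in the file's error-handling style alongside the assert, e.g. `if (overlap_size >= accum->size) HGOTO_ERROR(H5E_IO, H5E_OVERFLOW, FAIL, "freed block overlap exceeds accumulator size");`. Whether the equality case (the whole accumulator freed) is already excluded by an earlier branch is not visible here, so confirm `<` versus `<=` against the surrounding conditions. H5F__accum_free starts and ends outside the hunk.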
@@ -116,6 +116,13 @@ H5O__mdci_decode(H5F_t *f, H5O_t H5_ATTR_UNUSED *open_oh, unsigned H5_ATTR_UNUSE
         HGOTO_ERROR(H5E_OHDR, H5E_OVERFLOW, NULL, "ran off end of input buffer while decoding");
     H5F_DECODE_LENGTH(f, p, mesg->size);
 
+    if (mesg->addr >= (HADDR_UNDEF - mesg->size))
+        HGOTO_ERROR(H5E_OHDR, H5E_OVERFLOW, NULL, "address plus size overflows");
+    if (mesg->addr == HADDR_UNDEF)
+        HGOTO_ERROR(H5E_OHDR, H5E_OVERFLOW, NULL, "address is undefined");
+    if ((mesg->addr + mesg->size) > H5F_get_eoa(f, H5FD_MEM_SUPER))
+        HGOTO_ERROR(H5E_OHDR, H5E_OVERFLOW, NULL, "address plus size exceeds file eoa");
+
     /* Set return value */
     ret_value = (void *)mesg;
 
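Review bot: The EOA check `(mesg->addr + mesg->size) > H5F_get_eoa(f, H5FD_MEM_SUPER)` silently passes when H5F_get_eoa fails, because (if it follows the library's haddr_t convention of returning HADDR_UNDEF on failure) nothing can exceed the maximum haddr_t; capture the value first and reject the failure, e.g. `haddr_t eoa = H5F_get_eoa(f, H5FD_MEM_SUPER); if (HADDR_UNDEF == eoa) HGOTO_ERROR(H5E_OHDR, H5E_CANTGET, NULL, "unable to get file EOA");` and compare against `eoa`. The second check `mesg->addr == HADDR_UNDEF` looks unreachable: with the unsigned types involved `HADDR_UNDEF - mesg->size` is at most HADDR_UNDEF, so an undefined address already fails the first comparison and is reported as "address plus size overflows"; either drop it or move it first so its more specific message is the one emitted. If it is kept, H5E_BADVALUE describes an undefined address better than H5E_OVERFLOW. H5O__mdci_decode starts and ends outside the hunk.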