From b36c123a68f9f67f5a6de07fcd9caaf8586289c8 Mon Sep 17 00:00:00 2001
From: Binh-Minh
Date: Tue, 16 Sep 2025 11:57:03 -0400
Subject: [PATCH 1/3] Fix CVE-2025-2926

An image size was corrupted and decoded as 0 resulting in a NULL image buffer, which caused a NULL pointer dereference when the image being copied to the buffer. The invalid image size was caught in the PR #5710. This change catches right before the copying. Fixes GH issue #5384
---
 src/H5Centry.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/H5Centry.c b/src/H5Centry.c
index 33728f33398..ac1544f0018 100644
--- a/src/H5Centry.c
+++ b/src/H5Centry.c
@@ -1007,7 +1007,8 @@ H5C__load_entry(H5F_t *f,
 /* Call the get_initial_load_size callback, to retrieve the initial size of image */
 if (type->get_initial_load_size(udata, &len) < 0)
 HGOTO_ERROR(H5E_CACHE, H5E_CANTGET, NULL, "can't retrieve image size");
- assert(len > 0);
+ if (len == 0)
+ HGOTO_ERROR(H5E_CACHE, H5E_BADVALUE, NULL, "invalid size of image");
 
 /* Check for possible speculative read off the end of the file */
 if (type->flags & H5C__CLASS_SPECULATIVE_LOAD_FLAG)

From a717eb16d87db3c22a64e7e5680619f59c8753f3 Mon Sep 17 00:00:00 2001
From: Binh-Minh
Date: Thu, 25 Sep 2025 10:40:52 -0400
Subject: [PATCH 2/3] Moved the detection of invalid image len to where the value is obtained. Added change entry

---
 release_docs/CHANGELOG.md | 6 ++++++
 src/H5Centry.c | 3 +--
 src/H5Ocache.c | 8 ++++++--
 3 files changed, 13 insertions(+), 4 deletions(-)

diff --git a/release_docs/CHANGELOG.md b/release_docs/CHANGELOG.md
index 1a9617a1115..ed16d8bccb2 100644
--- a/release_docs/CHANGELOG.md
+++ b/release_docs/CHANGELOG.md
@@ -495,6 +495,12 @@ Simple example programs showing how to use complex number datatypes have been ad
 
 ## Library
 
+### Fixed security issue CVE-2025-2926
+
+ An image size was corrupted and decoded as 0 resulting in a NULL image buffer, which caused a NULL pointer dereference when the image was being copied to the buffer. This has been fixed with additional image size check.
+
+ Fixes GitHub issue #5384
+
 ### Fixed security issue CVE-2025-6857
 
 An HDF5 file had a corrupted v1 B-tree that would result in a stack overflow when performing a lookup on it. This has been fixed with additional integrity checks.
diff --git a/src/H5Centry.c b/src/H5Centry.c
index ac1544f0018..33728f33398 100644
--- a/src/H5Centry.c
+++ b/src/H5Centry.c
@@ -1007,8 +1007,7 @@ H5C__load_entry(H5F_t *f,
 /* Call the get_initial_load_size callback, to retrieve the initial size of image */
 if (type->get_initial_load_size(udata, &len) < 0)
 HGOTO_ERROR(H5E_CACHE, H5E_CANTGET, NULL, "can't retrieve image size");
- if (len == 0)
- HGOTO_ERROR(H5E_CACHE, H5E_BADVALUE, NULL, "invalid size of image");
+ assert(len > 0);
 
 /* Check for possible speculative read off the end of the file */
 if (type->flags & H5C__CLASS_SPECULATIVE_LOAD_FLAG)
diff --git a/src/H5Ocache.c b/src/H5Ocache.c
index 7c24851e753..9f55a8a6449 100644
--- a/src/H5Ocache.c
+++ b/src/H5Ocache.c
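Review bot: Restoring `assert(len > 0);` in H5C__load_entry leaves the generic load path with no release-build guard on the length returned by `type->get_initial_load_size`, since an assert compiles away under NDEBUG and the runtime check now exists only in the H5O__cache_chk_get_initial_load_size callback patched in this same series. Any other cache class whose callback could hand back 0 (none is visible here, so this is inferred from the callback being dispatched through `type`) would again reach the NULL-buffer path that the commit description attributes to CVE-2025-2926. Keeping the zero check here as defense in depth alongside the assert costs one comparison: `if (len == 0) HGOTO_ERROR(H5E_CACHE, H5E_BADVALUE, NULL, "invalid size of image");`. H5C__load_entry begins and ends outside this hunk.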
@@ -596,17 +596,21 @@ static herr_t
 H5O__cache_chk_get_initial_load_size(void *_udata, size_t *image_len)
 {
 const H5O_chk_cache_ud_t *udata = (const H5O_chk_cache_ud_t *)_udata; /* User data for callback */
+ herr_t ret_value = SUCCEED;
 
- FUNC_ENTER_PACKAGE_NOERR
+ FUNC_ENTER_PACKAGE
 
 assert(udata);
 assert(udata->oh);
 assert(image_len);
 
 /* Set the image length size */
+ if (udata->size == 0)
+ HGOTO_ERROR(H5E_OHDR, H5E_BADVALUE, FAIL, "invalid size of image");
 *image_len = udata->size;
 
- FUNC_LEAVE_NOAPI(SUCCEED)
+done:
+ FUNC_LEAVE_NOAPI(ret_value)
 } /* end H5O__cache_chk_get_initial_load_size() */
 
 /*-------------------------------------------------------------------------

From 05369d07ba84e12b18cc4ae997fbdc53e1531745 Mon Sep 17 00:00:00 2001
From: github-actions <41898282+github-actions[bot]@users.noreply.github.com>
Date: Thu, 25 Sep 2025 15:49:11 +0000
Subject: [PATCH 3/3] Committing clang-format changes

---
 src/H5Ocache.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/H5Ocache.c b/src/H5Ocache.c
index 9f55a8a6449..8f6b807047e 100644
--- a/src/H5Ocache.c
+++ b/src/H5Ocache.c
@@ -595,8 +595,8 @@ H5O__cache_free_icr(void *_thing)
 static herr_t
 H5O__cache_chk_get_initial_load_size(void *_udata, size_t *image_len)
 {
- const H5O_chk_cache_ud_t *udata = (const H5O_chk_cache_ud_t *)_udata; /* User data for callback */
- herr_t ret_value = SUCCEED;
+ const H5O_chk_cache_ud_t *udata = (const H5O_chk_cache_ud_t *)_udata; /* User data for callback */
+ herr_t ret_value = SUCCEED;
 
 FUNC_ENTER_PACKAGE
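Review bot: The new `udata->size == 0` check carries no explanation of why zero is rejected, and the existing comment `/* Set the image length size */` now reads as if it describes the check rather than the assignment below it. Suggest a why-comment on the check, e.g. `/* udata->size was decoded from the file and can be corrupted to 0 (CVE-2025-2926); a zero-length image would give the cache a NULL buffer, so reject it here at the source */`, and keep `/* Set the image length size */` directly above `*image_len = udata->size;`. The check only rejects 0; whether an upper bound on udata->size is enforced where the value is decoded is not visible in this hunk, so it is worth confirming separately. The function is complete within the hunk.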