HDFGroup · bmribler · Sep 16, 2025 · Sep 25, 2025 · Sep 25, 2025 · Sep 25, 2025
@@ -493,6 +493,12 @@ Simple example programs showing how to use complex number datatypes have been ad
 
 ## Library
 
+### Fixed security issue CVE-2025-2926
+
+   An image size was corrupted and decoded as 0 resulting in a NULL image buffer, which caused a NULL pointer dereference when the image was being copied to the buffer.  This has been fixed with additional image size check.
+
+   Fixes GitHub issue #5384
+
 ### Fixed a problem with the scale-offset filter
 
 A security fix added to 1.14.6 introduced a regression where certain data values could trigger a library error (not a crash or segfault).

@@ -595,18 +595,22 @@ H5O__cache_free_icr(void *_thing)
 static herr_t
 H5O__cache_chk_get_initial_load_size(void *_udata, size_t *image_len)
 {
-    const H5O_chk_cache_ud_t *udata = (const H5O_chk_cache_ud_t *)_udata; /* User data for callback */
+    const H5O_chk_cache_ud_t *udata     = (const H5O_chk_cache_ud_t *)_udata; /* User data for callback */
+    herr_t                    ret_value = SUCCEED;
 
-    FUNC_ENTER_PACKAGE_NOERR
+    FUNC_ENTER_PACKAGE
 
     assert(udata);
     assert(udata->oh);
     assert(image_len);
 
     /* Set the image length size */
+    if (udata->size == 0)
+        HGOTO_ERROR(H5E_OHDR, H5E_BADVALUE, FAIL, "invalid size of image");
     *image_len = udata->size;
 
-    FUNC_LEAVE_NOAPI(SUCCEED)
+done:
+    FUNC_LEAVE_NOAPI(ret_value)
 } /* end H5O__cache_chk_get_initial_load_size() */
 
 /*-------------------------------------------------------------------------