From c731305ad3717924a9f48d4e4929956e80ce2cb3 Mon Sep 17 00:00:00 2001 From: Glenn Song Date: Thu, 21 Aug 2025 11:36:23 -0500 Subject: [PATCH 01/10] Fix issue5383 --- src/H5Centry.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/src/H5Centry.c b/src/H5Centry.c index 33728f33398..5dcd0f8f3b8 100644 --- a/src/H5Centry.c +++ b/src/H5Centry.c @@ -1052,9 +1052,11 @@ H5C__load_entry(H5F_t *f, */ do { if (actual_len != len) { - if (NULL == (new_image = H5MM_realloc(image, len + H5C_IMAGE_EXTRA_SPACE))) - HGOTO_ERROR(H5E_CACHE, H5E_CANTALLOC, NULL, "image null after H5MM_realloc()"); + new_image = H5MM_realloc(image, len + H5C_IMAGE_EXTRA_SPACE); image = (uint8_t *)new_image; + if (NULL == image) + HGOTO_ERROR(H5E_CACHE, H5E_CANTALLOC, NULL, "image null after H5MM_realloc()"); + #if H5C_DO_MEMORY_SANITY_CHECKS H5MM_memcpy(image + len, H5C_IMAGE_SANITY_VALUE, H5C_IMAGE_EXTRA_SPACE); #endif /* H5C_DO_MEMORY_SANITY_CHECKS */ @@ -1106,9 +1108,11 @@ H5C__load_entry(H5F_t *f, HGOTO_ERROR(H5E_CACHE, H5E_BADVALUE, NULL, "actual_len exceeds EOA"); /* Expand buffer to new size */ - if (NULL == (new_image = H5MM_realloc(image, actual_len + H5C_IMAGE_EXTRA_SPACE))) - HGOTO_ERROR(H5E_CACHE, H5E_CANTALLOC, NULL, "image null after H5MM_realloc()"); + new_image = H5MM_realloc(image, actual_len + H5C_IMAGE_EXTRA_SPACE); image = (uint8_t *)new_image; + if (NULL == image) + HGOTO_ERROR(H5E_CACHE, H5E_CANTALLOC, NULL, "image null after H5MM_realloc()"); + #if H5C_DO_MEMORY_SANITY_CHECKS H5MM_memcpy(image + actual_len, H5C_IMAGE_SANITY_VALUE, H5C_IMAGE_EXTRA_SPACE); #endif /* H5C_DO_MEMORY_SANITY_CHECKS */ From e5247bebb08aab34576e5163de86225f08d774eb Mon Sep 17 00:00:00 2001 From: Glenn Song Date: Thu, 21 Aug 2025 12:16:54 -0500 Subject: [PATCH 02/10] Add check for 0 --- src/H5Centry.c | 20 +++++++++++++------- 1 file changed, 13 insertions(+), 7 deletions(-) diff --git a/src/H5Centry.c b/src/H5Centry.c index 5dcd0f8f3b8..8a07cb1141f 100644 --- a/src/H5Centry.c 
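Review bot: Moving `image = (uint8_t *)new_image;` ahead of the NULL test in both hunks trades the double free for a leak: when H5MM_realloc fails for a non-zero size the old block is still allocated (assuming it follows realloc semantics), but `image` is overwritten with NULL before the jump to done, so the cleanup there frees nothing. The reorder only helps in the size-zero case, where H5MM_realloc has already released the block, and that case is better closed by rejecting a zero size up front while keeping the check-then-assign order: `if (NULL == (new_image = H5MM_realloc(image, len + H5C_IMAGE_EXTRA_SPACE))) HGOTO_ERROR(H5E_CACHE, H5E_CANTALLOC, NULL, "image null after H5MM_realloc()"); image = (uint8_t *)new_image;`. Patch 02 in this series restores that ordering and adds the zero check. H5C__load_entry's body begins and continues outside these hunks.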
+++ b/src/H5Centry.c @@ -1052,11 +1052,14 @@ H5C__load_entry(H5F_t *f, */ do { if (actual_len != len) { - new_image = H5MM_realloc(image, len + H5C_IMAGE_EXTRA_SPACE); - image = (uint8_t *)new_image; - if (NULL == image) + /* Verify that the length isn't a bad value */ + if (actual_len <= 0) + HGOTO_ERROR(H5E_CACHE, H5E_BADVALUE, NULL, "len is a bad value"); + + if (NULL == (new_image = H5MM_realloc(image, len + H5C_IMAGE_EXTRA_SPACE))) HGOTO_ERROR(H5E_CACHE, H5E_CANTALLOC, NULL, "image null after H5MM_realloc()"); - + image = (uint8_t *)new_image; + #if H5C_DO_MEMORY_SANITY_CHECKS H5MM_memcpy(image + len, H5C_IMAGE_SANITY_VALUE, H5C_IMAGE_EXTRA_SPACE); #endif /* H5C_DO_MEMORY_SANITY_CHECKS */ @@ -1107,11 +1110,14 @@ H5C__load_entry(H5F_t *f, if (H5C__verify_len_eoa(f, type, addr, &actual_len, true) < 0) HGOTO_ERROR(H5E_CACHE, H5E_BADVALUE, NULL, "actual_len exceeds EOA"); + /* Verify that the length isn't 0 */ + if (actual_len <= 0) + HGOTO_ERROR(H5E_CACHE, H5E_BADVALUE, NULL, "actual_len is a bad value"); + /* Expand buffer to new size */ - new_image = H5MM_realloc(image, actual_len + H5C_IMAGE_EXTRA_SPACE); - image = (uint8_t *)new_image; - if (NULL == image) + if (NULL == (new_image = H5MM_realloc(image, actual_len + H5C_IMAGE_EXTRA_SPACE))) HGOTO_ERROR(H5E_CACHE, H5E_CANTALLOC, NULL, "image null after H5MM_realloc()"); + image = (uint8_t *)new_image; #if H5C_DO_MEMORY_SANITY_CHECKS H5MM_memcpy(image + actual_len, H5C_IMAGE_SANITY_VALUE, H5C_IMAGE_EXTRA_SPACE); From 363d37c0cc46d4d3adbc56c54809bf74b3b11d9a Mon Sep 17 00:00:00 2001 From: Glenn Song Date: Thu, 21 Aug 2025 12:57:05 -0500 Subject: [PATCH 03/10] Make Jordan's changes --- src/H5Centry.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/H5Centry.c b/src/H5Centry.c index 8a07cb1141f..88b426d6b6e 100644 --- a/src/H5Centry.c +++ b/src/H5Centry.c 
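Review bot: The guard added in the first hunk tests `actual_len <= 0`, but the H5MM_realloc it protects is sized from `len` (`len + H5C_IMAGE_EXTRA_SPACE`), so a zero `len` still reaches the realloc with a possibly zero size and the double free this patch is meant to close stays reachable on that path; the check should read `if (len == 0)`. In both hunks `<= 0` on what appears to be an unsigned size (the series later rewrites it as `== 0`) is equivalent to `== 0` and only draws -Wtype-limits warnings, so `== 0` states the intent. Patch 03 in this series makes both corrections. H5C__load_entry's body continues outside these hunks.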
@@ -1053,7 +1053,7 @@ H5C__load_entry(H5F_t *f, do { if (actual_len != len) { /* Verify that the length isn't a bad value */ - if (actual_len <= 0) + if (len == 0) HGOTO_ERROR(H5E_CACHE, H5E_BADVALUE, NULL, "len is a bad value"); if (NULL == (new_image = H5MM_realloc(image, len + H5C_IMAGE_EXTRA_SPACE))) @@ -1111,7 +1111,7 @@ H5C__load_entry(H5F_t *f, HGOTO_ERROR(H5E_CACHE, H5E_BADVALUE, NULL, "actual_len exceeds EOA"); /* Verify that the length isn't 0 */ - if (actual_len <= 0) + if (actual_len == 0) HGOTO_ERROR(H5E_CACHE, H5E_BADVALUE, NULL, "actual_len is a bad value"); /* Expand buffer to new size */ From 21d8fc746f2d73bd2dd21c01f975ab20dbcdad5a Mon Sep 17 00:00:00 2001 From: github-actions <41898282+github-actions[bot]@users.noreply.github.com> Date: Thu, 21 Aug 2025 17:43:03 +0000 Subject: [PATCH 04/10] Committing clang-format changes --- src/H5Centry.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/H5Centry.c b/src/H5Centry.c index 88b426d6b6e..851ea730a50 100644 --- a/src/H5Centry.c +++ b/src/H5Centry.c @@ -1118,7 +1118,7 @@ H5C__load_entry(H5F_t *f, if (NULL == (new_image = H5MM_realloc(image, actual_len + H5C_IMAGE_EXTRA_SPACE))) HGOTO_ERROR(H5E_CACHE, H5E_CANTALLOC, NULL, "image null after H5MM_realloc()"); image = (uint8_t *)new_image; - + #if H5C_DO_MEMORY_SANITY_CHECKS H5MM_memcpy(image + actual_len, H5C_IMAGE_SANITY_VALUE, H5C_IMAGE_EXTRA_SPACE); #endif /* H5C_DO_MEMORY_SANITY_CHECKS */ From 831fad6d4811f76201a76f9fb41a7c829ffcd2a9 Mon Sep 17 00:00:00 2001 From: Glenn Song Date: Tue, 16 Sep 2025 16:03:13 -0500 Subject: [PATCH 05/10] Add release text --- release_docs/release_archive.txt | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/release_docs/release_archive.txt b/release_docs/release_archive.txt index d7082a87139..8f17923e31a 100644 --- a/release_docs/release_archive.txt +++ b/release_docs/release_archive.txt 
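Review bot: `len == 0` and `actual_len == 0` reject only the case where the realloc size is exactly zero, which the changelog text in this series identifies as the trigger; they do not reject a near-SIZE_MAX length whose `+ H5C_IMAGE_EXTRA_SPACE` wraps to a small value, where H5MM_realloc would succeed with an undersized block and, under H5C_DO_MEMORY_SANITY_CHECKS, the H5MM_memcpy at `image + len` on the following lines would write past it. H5C__verify_len_eoa, called just above the second hunk, presumably bounds `actual_len` by the EOA, but `len` in the first hunk is bounded only by code outside the hunk, so an overflow-aware guard costs nothing: `if (len == 0 || len > SIZE_MAX - H5C_IMAGE_EXTRA_SPACE)`. The comments `/* Verify that the length isn't a bad value */` and `/* Verify that the length isn't 0 */` should also record why zero is rejected, e.g. `/* H5MM_realloc(image, 0) frees image and returns NULL; reject it so the done: cleanup cannot free image twice */`. H5C__load_entry's body continues outside these hunks.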
@@ -700,6 +700,16 @@ New Features library behavior, and the connector ID and information could not be read back from that plist later. + - H5C__load_entry() now checks for an image buffer length of 0 before + calling realloc + + A bug was occurring due to actual_len + H5C_IMAGE_EXTRA_SPACE being able to + be 0 due to bad inputs. When realloc was called, it freed image, but got sent + to done before new_image could be assigned to image. Because the pointer for + image wasn't null, it is freed again in done, causing a double free bug. + + Fixes issue Github issue #5383 + Parallel Library: ----------------- - From 15da7a31b7f1fd694a003af5f7867401842a9ef8 Mon Sep 17 00:00:00 2001 From: Glenn Song Date: Wed, 24 Sep 2025 14:31:08 -0500 Subject: [PATCH 06/10] Add to changelog --- release_docs/CHANGELOG.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/release_docs/CHANGELOG.md b/release_docs/CHANGELOG.md index 1a9617a1115..4bbad7f7388 100644 --- a/release_docs/CHANGELOG.md +++ b/release_docs/CHANGELOG.md @@ -495,6 +495,11 @@ Simple example programs showing how to use complex number datatypes have been ad ## Library +### Fixed security issue CCVE-2025-2925 + H5C__load_entry() now checks for an image buffer length of 0 before calling realloc. A bug was occurring due to actual_len + H5C_IMAGE_EXTRA_SPACE being able to be 0 due to bad inputs. When realloc was called, it freed image, but got sent to done before new_image could be assigned to image. Because the pointer for image wasn't null, it is freed again in done, causing a double free bug. + + Fixes issue Github issue #5383 + ### Fixed security issue CVE-2025-6857 An HDF5 file had a corrupted v1 B-tree that would result in a stack overflow when performing a lookup on it. This has been fixed with additional integrity checks. From 2f5a1eef2765577cc3e3b02aaf7880f8a236d83b Mon Sep 17 00:00:00 2001 
From: Glenn Song <43005495+glennsong09@users.noreply.github.com> Date: Thu, 2 Oct 2025 14:27:55 -0500 Subject: [PATCH 07/10] Update release_docs/CHANGELOG.md Co-authored-by: jhendersonHDF --- release_docs/CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/release_docs/CHANGELOG.md b/release_docs/CHANGELOG.md index 4bbad7f7388..e1eae28b709 100644 --- a/release_docs/CHANGELOG.md +++ b/release_docs/CHANGELOG.md @@ -495,7 +495,7 @@ Simple example programs showing how to use complex number datatypes have been ad ## Library -### Fixed security issue CCVE-2025-2925 +### Fixed security issue CVE-2025-2925 H5C__load_entry() now checks for an image buffer length of 0 before calling realloc. A bug was occurring due to actual_len + H5C_IMAGE_EXTRA_SPACE being able to be 0 due to bad inputs. When realloc was called, it freed image, but got sent to done before new_image could be assigned to image. Because the pointer for image wasn't null, it is freed again in done, causing a double free bug. Fixes issue Github issue #5383 From 58cc0a3b0c7fb9cb5b331e75f58936bb8748a7e1 Mon Sep 17 00:00:00 2001 From: Glenn Song Date: Fri, 3 Oct 2025 12:40:50 -0500 Subject: [PATCH 08/10] Remove additions to release_archive --- release_docs/release_archive.txt | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/release_docs/release_archive.txt b/release_docs/release_archive.txt index 8f17923e31a..d7082a87139 100644 --- a/release_docs/release_archive.txt +++ b/release_docs/release_archive.txt 
@@ -700,16 +700,6 @@ New Features library behavior, and the connector ID and information could not be read back from that plist later. - - H5C__load_entry() now checks for an image buffer length of 0 before - calling realloc - - A bug was occurring due to actual_len + H5C_IMAGE_EXTRA_SPACE being able to - be 0 due to bad inputs. When realloc was called, it freed image, but got sent - to done before new_image could be assigned to image. Because the pointer for - image wasn't null, it is freed again in done, causing a double free bug. - - Fixes issue Github issue #5383 - Parallel Library: ----------------- - From cdfdc51ab2712878b692cc22e7319cc4273bad50 Mon Sep 17 00:00:00 2001 From: Glenn Song Date: Mon, 6 Oct 2025 12:57:55 -0500 Subject: [PATCH 09/10] Update CHANGELOG.md entry --- release_docs/CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/release_docs/CHANGELOG.md b/release_docs/CHANGELOG.md index e1eae28b709..97d9a750bac 100644 --- a/release_docs/CHANGELOG.md +++ b/release_docs/CHANGELOG.md 
@@ -496,7 +496,7 @@ Simple example programs showing how to use complex number datatypes have been ad ## Library ### Fixed security issue CVE-2025-2925 - H5C__load_entry() now checks for an image buffer length of 0 before calling realloc. A bug was occurring due to actual_len + H5C_IMAGE_EXTRA_SPACE being able to be 0 due to bad inputs. When realloc was called, it freed image, but got sent to done before new_image could be assigned to image. Because the pointer for image wasn't null, it is freed again in done, causing a double free bug. + Actual_len + H5C_IMAGE_EXTRA_SPACE, which was used by H5MM_realloc as the size input, could equal 0 due to bad inputs. When H5MM_realloc was called, it freed image, but then could get sent to done before new_image could be assigned to image. Because the pointer for image wasn't null, it was freed again in done, causing a double-free vulnerability. H5C__load_entry() now checks for an image buffer length of 0 before calling H5MM_realloc. Fixes issue Github issue #5383 From d7e66e8ed2e88152442b2779f64c4ab0fa0147a8 Mon Sep 17 00:00:00 2001 From: Glenn Song Date: Mon, 6 Oct 2025 13:20:22 -0500 Subject: [PATCH 10/10] Fix typo --- release_docs/CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/release_docs/CHANGELOG.md b/release_docs/CHANGELOG.md index 97d9a750bac..0a25a433231 100644 --- a/release_docs/CHANGELOG.md +++ b/release_docs/CHANGELOG.md 
@@ -498,7 +498,7 @@ Simple example programs showing how to use complex number datatypes have been ad ### Fixed security issue CVE-2025-2925 Actual_len + H5C_IMAGE_EXTRA_SPACE, which was used by H5MM_realloc as the size input, could equal 0 due to bad inputs. When H5MM_realloc was called, it freed image, but then could get sent to done before new_image could be assigned to image. Because the pointer for image wasn't null, it was freed again in done, causing a double-free vulnerability. H5C__load_entry() now checks for an image buffer length of 0 before calling H5MM_realloc. - Fixes issue Github issue #5383 + Fixes Github issue #5383 ### Fixed security issue CVE-2025-6857