From 367ea390f772e3b3915ebaaed5e0599d1ef999d4 Mon Sep 17 00:00:00 2001 From: Dana Robinson Date: Mon, 1 Apr 2024 11:45:27 -0700 Subject: [PATCH 1/2] Fix divide-by-zero when page buf page size is 0 If a corrupt file sets the page buffer size in the superblock to zero, the library could attempt to divide by zero when allocating space in the file. The library now checks for valid page buffer sizes when reading the superblock message. Fixes oss-fuzz issue 58762 --- release_docs/RELEASE.txt | 9 +++++++++ src/H5Fsuper.c | 7 +++++-- src/H5MFsection.c | 2 ++ 3 files changed, 16 insertions(+), 2 deletions(-) diff --git a/release_docs/RELEASE.txt b/release_docs/RELEASE.txt index 677300420ff..08e7a9e05c3 100644 --- a/release_docs/RELEASE.txt +++ b/release_docs/RELEASE.txt @@ -746,6 +746,15 @@ Bug Fixes since HDF5-1.14.0 release Library ------- + - Fixed a divide-by-zero issue when a corrupt file sets the page size to 0 + + If a corrupt file sets the page buffer size in the superblock to zero, + the library could attempt to divide by zero when allocating space in + the file. The library now checks for valid page buffer sizes when + reading the superblock message. + + Fixes oss-fuzz issue 58762 + - Fixed a bug when using array datatypes with certain parent types Array datatype conversion would never use a background buffer, even if the diff --git a/src/H5Fsuper.c b/src/H5Fsuper.c index 18492486700..6eb465ed9d1 100644 --- a/src/H5Fsuper.c +++ b/src/H5Fsuper.c 
@@ -800,8 +800,11 @@ H5F__super_read(H5F_t *f, H5P_genplist_t *fa_plist, bool initial_read)
 HGOTO_ERROR(H5E_FILE, H5E_CANTSET, FAIL, "unable to set file space strategy");
 } /* end if */
- assert(f->shared->fs_page_size >= H5F_FILE_SPACE_PAGE_SIZE_MIN);
- assert(fsinfo.page_size >= H5F_FILE_SPACE_PAGE_SIZE_MIN);
+ if (f->shared->fs_page_size < H5F_FILE_SPACE_PAGE_SIZE_MIN)
+ HGOTO_ERROR(H5E_FILE, H5E_BADVALUE, FAIL, "file space page size too small");
+ if (fsinfo.page_size < H5F_FILE_SPACE_PAGE_SIZE_MIN)
+ HGOTO_ERROR(H5E_FILE, H5E_BADVALUE, FAIL, "file space page size too small");
+
 if (f->shared->fs_page_size != fsinfo.page_size) {
 f->shared->fs_page_size = fsinfo.page_size;
diff --git a/src/H5MFsection.c b/src/H5MFsection.c
index 03d1112624e..61b2f1730fb 100644
--- a/src/H5MFsection.c
+++ b/src/H5MFsection.c
@@ -606,6 +606,8 @@ H5MF__sect_small_add(H5FS_section_info_t **_sect, unsigned *flags, void *_udata)
 HGOTO_DONE(ret_value);
 sect_end = (*sect)->sect_info.addr + (*sect)->sect_info.size;
+ if (0 == udata->f->shared->fs_page_size)
+ HGOTO_ERROR(H5E_RESOURCE, H5E_BADVALUE, FAIL, "page size of zero would result in division by zero");
 rem = sect_end % udata->f->shared->fs_page_size;
 prem = udata->f->shared->fs_page_size - rem;
From 5e2ea2bcdb860c7c15150fbd3725405d6366c1b2 Mon Sep 17 00:00:00 2001
From: github-actions <41898282+github-actions[bot]@users.noreply.github.com>
Date: Mon, 1 Apr 2024 18:49:33 +0000
Subject: [PATCH 2/2] Committing clang-format changes
---
 src/H5MFsection.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/H5MFsection.c b/src/H5MFsection.c
index 61b2f1730fb..a3b3988b38c 100644
--- a/src/H5MFsection.c
+++ b/src/H5MFsection.c
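Review bot: Both new rejections in H5F__super_read raise the identical message `"file space page size too small"`, so an error stack cannot tell whether the in-memory `f->shared->fs_page_size` or the on-disk `fsinfo.page_size` was the bad value; I would give the second one its own text, e.g. `HGOTO_ERROR(H5E_FILE, H5E_BADVALUE, FAIL, "file space info message page size too small");`. The validation also runs only after the call that fails with "unable to set file space strategy" on the context line above; if that setter already consumes `fsinfo.page_size`, the checks should move ahead of it, which I cannot confirm from the hunk. Only a lower bound is enforced, so a corrupt oversized value still passes here; if the library's `H5F_FILE_SPACE_PAGE_SIZE_MAX` applies on this path, checking it in the same place would close that gap. H5F__super_read begins and ends outside the hunk.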
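Review bot: The new zero guard in H5MF__sect_small_add has no comment explaining why a value the superblock reader now rejects is checked again, so a later reader may treat it as dead code and remove it; I would add `/* Defensive: H5F__super_read rejects page sizes below H5F_FILE_SPACE_PAGE_SIZE_MIN, so zero here means a bug or a path that skipped that validation */` above the `if`. The guard only protects the `%` on the following line; any other place in this file that divides by `fs_page_size` would need the same treatment, which the hunk does not show. H5MF__sect_small_add begins and ends outside the hunk.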
@@ -608,8 +608,8 @@ H5MF__sect_small_add(H5FS_section_info_t **_sect, unsigned *flags, void *_udata)
 sect_end = (*sect)->sect_info.addr + (*sect)->sect_info.size;
 if (0 == udata->f->shared->fs_page_size)
 HGOTO_ERROR(H5E_RESOURCE, H5E_BADVALUE, FAIL, "page size of zero would result in division by zero");
- rem = sect_end % udata->f->shared->fs_page_size;
- prem = udata->f->shared->fs_page_size - rem;
+ rem = sect_end % udata->f->shared->fs_page_size;
+ prem = udata->f->shared->fs_page_size - rem;
 /* Drop the section if it is at page end and its size is <= pgend threshold */
 if (!rem && (*sect)->sect_info.size <= H5F_PGEND_META_THRES(udata->f) &&