Skip to content

Fix CVE-2025-2310 #5872

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 4 commits into from
Oct 9, 2025
Merged

Fix CVE-2025-2310 #5872

merged 4 commits into from
Oct 9, 2025

Conversation

@mattjala
Copy link
Contributor

@mattjala mattjala commented Sep 24, 2025
edited by ellipsis-dev bot
Loading

Malformed files can have a zero name-length, which when subtracted lead to an overflow and an out-of-bounds read.

Check that name length is not too small in addition to checking for an overflow directly.

Important

Fixes overflow and out-of-bounds read in H5O__attr_decode() by ensuring name_len is greater than 1 in H5Oattr.c.

  • Security Fix:
    • In H5O__attr_decode() in H5Oattr.c, added a check to ensure name_len is greater than 1 to prevent overflow and out-of-bounds read.
    • This prevents processing of malformed files with zero-length names.

This description was created by Ellipsis for a5a0b30. You can customize this summary. It will automatically update as commits are pushed.

@mattjala mattjala added the Component - C Library Core C library issues (usually in the src directory) label Sep 24, 2025
@github-project-automation github-project-automation bot moved this to To be triaged in HDF5 - TRIAGE & TRACK Sep 24, 2025
jhendersonHDF
jhendersonHDF reviewed Sep 24, 2025
View reviewed changes
@mattjala mattjala marked this pull request as draft September 24, 2025 22:11
@nbagha1 nbagha1 added this to the Release 2.0.0 milestone Sep 26, 2025
@mattjala mattjala marked this pull request as ready for review September 26, 2025 23:07
bmribler
bmribler previously approved these changes Oct 6, 2025
View reviewed changes
bmribler
bmribler reviewed Oct 6, 2025
View reviewed changes
src/H5Oattr.c Outdated
HGOTO_ERROR(H5E_OHDR, H5E_OVERFLOW, NULL, "ran off end of input buffer while decoding");

/* Verify that retrieved name length (including null byte) is valid */
if (name_len <= 1)
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Shouldn't we find where name_len was decoded?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It was decoded earlier in this function - UINT16DECODE(p, name_len); at H5Oattr.c:169. I wanted to put this check next to the other name_len value check.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hmm, I think this check is more appropriate right after the value being decoded.

jhendersonHDF
jhendersonHDF requested changes Oct 8, 2025
View reviewed changes
Copy link
Collaborator

@jhendersonHDF jhendersonHDF left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should add a note to the CHANGELOG.md, but otherwise looks good

@github-project-automation github-project-automation bot moved this from To be triaged to In progress in HDF5 - TRIAGE & TRACK Oct 8, 2025
@jhendersonHDF jhendersonHDF linked an issue Oct 9, 2025 that may be closed by this pull request
Malformed file leads to buffer overflow during attribute metadata decoding #5871
Closed
@bmribler bmribler self-requested a review October 9, 2025 17:16
@mattjala mattjala requested a review from jhendersonHDF October 9, 2025 19:06
@lrknox lrknox merged commit 6c86f97 into HDFGroup:develop Oct 9, 2025
90 checks passed
@github-project-automation github-project-automation bot moved this from In progress to Done in HDF5 - TRIAGE & TRACK Oct 9, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jhendersonHDF jhendersonHDF jhendersonHDF approved these changes

@bmribler bmribler bmribler approved these changes

@lrknox lrknox Awaiting requested review from lrknox lrknox is a code owner

@derobins derobins Awaiting requested review from derobins derobins is a code owner

@byrnHDF byrnHDF Awaiting requested review from byrnHDF byrnHDF is a code owner

@fortnern fortnern Awaiting requested review from fortnern fortnern is a code owner

@qkoziol qkoziol Awaiting requested review from qkoziol qkoziol is a code owner

@vchoi-hdfgroup vchoi-hdfgroup Awaiting requested review from vchoi-hdfgroup vchoi-hdfgroup is a code owner

@glennsong09 glennsong09 Awaiting requested review from glennsong09 glennsong09 is a code owner

@brtnfld brtnfld Awaiting requested review from brtnfld brtnfld is a code owner

Assignees

@bmribler bmribler

Labels

Component - C Library Core C library issues (usually in the src directory)

Projects

HDF5 - TRIAGE & TRACK
Status: Done

Milestone

Release 2.0.0

Development

Successfully merging this pull request may close these issues.

Malformed file leads to buffer overflow during attribute metadata decoding

5 participants

@mattjala @jhendersonHDF @bmribler @lrknox @nbagha1