diff --git a/release_docs/CHANGELOG.md b/release_docs/CHANGELOG.md index d08176bc677..f84213bba01 100644 --- a/release_docs/CHANGELOG.md +++ b/release_docs/CHANGELOG.md @@ -557,6 +557,12 @@ Added Fortran wrapper h5fdsubfiling_get_file_mapping_f() for the subfiling file ## Library +### Fixed security issue CVE-2025-7067 + + Fixed a heap buffer overflow in H5FS__sinfo_serialize_node_cb() by discarding file free space sections from the file free space manager when they are found to be invalid. Specifically crafted HDF5 files can result in an attempt to insert duplicate or overlapping file free space sections into a file free space manager, later resulting in a buffer overflow when the same free space section is serialized to the file multiple times. + + Fixes GitHub issue #5577 + ### Fixed security issue CVE-2025-2915 and OSV-2024-381 Fixed a heap-based buffer overflow in H5F__accum_free caused by an integer overflow when calculating new_accum_size. Added validation in H5O__mdci_decode to detect and reject invalid values early, preventing the overflow condition. @@ -622,6 +628,12 @@ Added Fortran wrapper h5fdsubfiling_get_file_mapping_f() for the subfiling file Fixes GitHub issue [#5382](https://github.com/HDFGroup/hdf5/issues/5382) +### Fixed security issues CVE-2025-2913 and CVE-2025-2926 + + The size of a continuation message was decoded as 0, causing multiple vulnerabilities. An error check was added to return failure to prevent further processing of invalid data. + + Fixes GitHub issue #5376 and #5384 + ### Revised handling of Unicode filenames on Windows In the HDF5 1.14.4 release, a change was made to address some issues with the library's handling of code pages and file paths on Windows. This change introduced other issues with the handling of UTF-8 file names that caused breakage for software using the 1.14.4 and 1.14.5 releases of HDF5. That change was reverted for the 1.14.6 release and the behavior has been slightly modified for this release. 
diff --git a/src/H5Ocache.c b/src/H5Ocache.c index b67ac9a3759..8f0928f290e 100644 --- a/src/H5Ocache.c +++ b/src/H5Ocache.c @@ -602,6 +602,7 @@ H5O__cache_chk_get_initial_load_size(void *_udata, size_t *image_len) assert(udata); assert(udata->oh); assert(image_len); + assert(udata->size); /* Set the image length size */ *image_len = udata->size;
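Review bot: in the first CHANGELOG.md hunk (@@ -557), the new CVE-2025-7067 entry describes a fix in H5FS__sinfo_serialize_node_cb(), but the only source change visible in this patch is in src/H5Ocache.c. Either the H5FS hunks are missing from this change or the entry belongs with the commit that carries that fix. On wording, "Specifically crafted HDF5 files" should read "Specially crafted HDF5 files", and "Fixes GitHub issue #5577" should be a link in the same form as the existing `[#5382](...)` entry further down the file.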
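Review bot: in the second CHANGELOG.md hunk (@@ -622), the CVE-2025-2913 and CVE-2025-2926 entry says "An error check was added to return failure" without saying where. Naming the function that now rejects a continuation message size of 0 would let readers match the entry to the code, which matters here because the visible source hunk adds only an assert. "Fixes GitHub issue #5376 and #5384" should read "issues", and both numbers should be linked like the `#5382` entry just above.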
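Review bot: in H5O__cache_chk_get_initial_load_size() (src/H5Ocache.c, @@ -602), the added `assert(udata->size);` is the only size check visible in this patch, and a standard assert is compiled out when NDEBUG is defined, so in such a build a zero size would still be copied into `*image_len`. The CHANGELOG entry says an error check that returns failure was added for the zero-size continuation message; that check is not in the hunks shown, so please confirm it sits where the continuation message size is decoded and that it rejects 0 before this callback can be reached. If a zero size can still arrive here from file contents, the assert also turns a malformed file into an abort in debug builds, so an explicit check that returns failure through the library's error path is preferable to relying on the assert alone.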