Changes from 5 commits
6 changes: 6 additions & 0 deletions release_docs/CHANGELOG.md
Expand Up @@ -557,6 +557,12 @@ Added Fortran wrapper h5fdsubfiling_get_file_mapping_f() for the subfiling file

## Library

### Fixed security issue CVE-2025-2926

An image size was corrupted and decoded as 0 resulting in a NULL image buffer, which caused a NULL pointer dereference when the image was being copied to the buffer. This has been fixed with additional image size check.

Fixes GitHub issue #5384

Collaborator Author

Hmm, I don't know how this entry got into my commit... I hope I didn't cause anything bad.

### Fixed security issue CVE-2025-2915 and OSV-2024-381

Fixed a heap-based buffer overflow in H5F__accum_free caused by an integer overflow when calculating new_accum_size. Added validation in H5O__mdci_decode to detect and reject invalid values early, preventing the overflow condition.
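
Review bot: The new CVE-2025-2926 entry does not say where the size check was added, while the neighbouring CVE-2025-2915 entry names both H5F__accum_free and H5O__mdci_decode. Name H5O__cache_chk_get_initial_load_size in the entry so a reader can map the CVE to the code change. In the same sentence, "with additional image size check" is missing an article ("with an additional image size check").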
10 changes: 7 additions & 3 deletions src/H5Ocache.c
Expand Up @@ -595,18 +595,22 @@ H5O__cache_free_icr(void *_thing)
static herr_t
H5O__cache_chk_get_initial_load_size(void *_udata, size_t *image_len)
{
const H5O_chk_cache_ud_t *udata = (const H5O_chk_cache_ud_t *)_udata; /* User data for callback */
const H5O_chk_cache_ud_t *udata = (const H5O_chk_cache_ud_t *)_udata; /* User data for callback */
herr_t ret_value = SUCCEED;

FUNC_ENTER_PACKAGE_NOERR
FUNC_ENTER_PACKAGE

assert(udata);
assert(udata->oh);
assert(image_len);

/* Set the image length size */
if (udata->size == 0)
HGOTO_ERROR(H5E_OHDR, H5E_BADVALUE, FAIL, "invalid size of image");
*image_len = udata->size;

FUNC_LEAVE_NOAPI(SUCCEED)
done:
FUNC_LEAVE_NOAPI(ret_value)
} /* end H5O__cache_chk_get_initial_load_size() */

/*-------------------------------------------------------------------------
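
Review bot: The guard added in H5O__cache_chk_get_initial_load_size rejects only udata->size == 0, and it sits under the existing comment "Set the image length size", which no longer describes the first statement below it. The changelog describes the size as corrupted and decoded as 0, so a corrupted value that is nonzero still passes this check; consider also rejecting the bad size at the point where it is decoded, so every consumer of udata->size is covered. Give the check its own comment stating that a zero size would lead to a NULL image buffer.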