Fix memory safety vulnerabilities in high-level and VFD code

H5FDstdio (src/H5FDstdio.c):
- Fix five error paths in H5FD_stdio_open() that called fclose(f) after
  free(file): the correct resource to close is file->fp.  Reorder to
  fclose before free to match standard cleanup idiom and prevent file
  descriptor leaks under memory-pressure failures.

H5VLnative (src/H5VLnative.c):
- Add assert(obj) and assert(file) to H5VL_native_get_file_struct() to
  catch NULL-pointer programming errors early in debug builds.

H5LT (hl/src/H5LT.c):
- Add NULL check after strdup() in H5LTtext_to_dtype(); push H5E_NOSPACE
  so the HDF5 error stack is populated on OOM.
- Fix H5Tclose(super) leak in H5T_ENUM, H5T_VLEN, H5T_ARRAY, H5T_COMPLEX
  branches of H5LT_dtype_to_text(): super was only closed on the success
  path; any failure between H5Tget_super and the final realloc_and_append
  leaked the type ID.  Super is now closed immediately after use.
- Refactor the repeated "get super-type text and append" pattern (four
  near-identical ~15-line blocks) into static helper append_dtype_super_text().
  Pushes H5E_NOSPACE on internal calloc failure.
- Rewrite realloc_and_append() doc comment to document the asymmetric
  ownership contract (callee frees buf on realloc failure in
  library-managed mode; no free in user-buf mode).
- Move the buf == NULL guard to before the _no_user_buf branch so both
  modes short-circuit identically.

H5TB (hl/src/H5TB.c):
- Clarify H5TBget_field_info() else-branch comment: the two-branch copy
  structure is an efficiency optimization (copy name_len+1 bytes rather
  than HLTB_MAX_FIELD_LEN-1), not a backward-compatibility concern.

CHANGELOG (release_docs/CHANGELOG.md):
- Add entries for the stdio VFD leak fix, VOL NULL checks, and H5LT
  memory-safety improvements.

Author: brtnfld

hl/src/H5LT.c

@@ -1889,13 +1889,18 @@ H5LTtext_to_dtype(const char *text, H5LT_lang_t lang_type)
 
     input_len = strlen(text);
     myinput   = strdup(text);
+    if (!myinput) {
+        H5Epush_ret(__func__, H5E_ERR_CLS, H5E_RESOURCE, H5E_NOSPACE, "memory allocation failed", -1);
+    }
 
     if ((type_id = H5LTyyparse()) < 0) {
         free(myinput);
+        myinput = NULL;
         goto out;
     }
 
     free(myinput);
+    myinput   = NULL;
     input_len = 0;
 
     return type_id;
@@ -1909,7 +1914,17 @@ H5LTtext_to_dtype(const char *text, H5LT_lang_t lang_type)
  *
  * Purpose:     Expand the buffer and append a string to it.
  *
- * Return:      void
+ * Parameters:
+ *   _no_user_buf: Operating mode flag
+ *                 - true:  Library-managed buffer (can reallocate)
+ *                 - false: User-provided buffer (fixed size, no realloc)
+ *   len:         Pointer to current buffer size (updated if reallocated)
+ *   buf:         Buffer to append to. If NULL, returns NULL immediately.
+ *   str_to_add:  String to append. If NULL:
+ *                  - Library-managed mode: reallocates to ensure extra space, no append
+ *                  - User-provided mode: no-op, returns buf unchanged (space cannot be ensured)
+ *
+ * Return:      Updated buffer pointer on success, NULL on failure
  *
  *-------------------------------------------------------------------------
  */
@@ -1918,12 +1933,13 @@ realloc_and_append(bool _no_user_buf, size_t *len, char *buf, const char *str_to
 {
     size_t size_str_to_add, size_str;
 
+    if (!buf)
+        goto out;
+
+    /* Mode 1: Library-managed buffer - can reallocate as needed */
     if (_no_user_buf) {
         char *tmp_realloc;
 
-        if (!buf)
-            goto out;
-
         /* If the buffer isn't big enough, reallocate it.  Otherwise, go to do strcat. */
         if (str_to_add && ((ssize_t)(*len - (strlen(buf) + strlen(str_to_add) + 1)) < LIMIT)) {
             *len += ((strlen(buf) + strlen(str_to_add) + 1) / INCREMENT + 1) * INCREMENT;
@@ -1941,6 +1957,8 @@ realloc_and_append(bool _no_user_buf, size_t *len, char *buf, const char *str_to
         else
             buf = tmp_realloc;
     }
+    /* Mode 2: User-provided buffer - fixed size, no reallocation
+     * (else case is implicit - no action needed) */
 
     if (str_to_add) {
         /* find the size of the buffer to add */
@@ -2171,6 +2189,58 @@ H5LTdtype_to_text(hid_t dtype, char *str, H5LT_lang_t lang_type, size_t *len)
     return FAIL;
 }
 
+/*-------------------------------------------------------------------------
+ * Function:    append_dtype_super_text
+ *
+ * Purpose:     Helper function to get super type text and append it to dt_str.
+ *              This encapsulates the common pattern of: allocate buffer,
+ *              convert dtype to text, append to string, free buffer.
+ *
+ * Return:      Success: updated dt_str pointer, Failure: NULL
+ *
+ *-------------------------------------------------------------------------
+ */
+static char *
+append_dtype_super_text(hid_t super, char *dt_str, H5LT_lang_t lang, size_t *slen, bool no_user_buf)
+{
+    size_t super_len;
+    char  *stmp = NULL;
+
+    /* Get required buffer size for super type text */
+    if (H5LTdtype_to_text(super, NULL, lang, &super_len) < 0)
+        return NULL;
+    /* Treat zero-length result as failure rather than calling calloc(0,...) */
+    if (super_len == 0)
+        return NULL;
+
+    /* Allocate buffer for super type text */
+    stmp = (char *)calloc(super_len, sizeof(char));
+    if (!stmp) {
+        H5Epush_ret(__func__, H5E_ERR_CLS, H5E_RESOURCE, H5E_NOSPACE, "memory allocation failed", NULL);
+    }
+
+    /* Convert super type to text */
+    if (H5LTdtype_to_text(super, stmp, lang, &super_len) < 0) {
+        free(stmp);
+        return NULL;
+    }
+
+    /* Append super type text to dt_str.  Use a temporary pointer so that
+     * dt_str is not overwritten before we confirm success.  Note:
+     * realloc_and_append frees dt_str itself on failure in library-managed
+     * mode, so on the failure path dt_str must not be used. */
+    {
+        char *tmp = realloc_and_append(no_user_buf, slen, dt_str, stmp);
+        free(stmp);
+        stmp = NULL;
+        if (!tmp)
+            return NULL;
+        dt_str = tmp;
+    }
+
+    return dt_str;
+}
+
 /*-------------------------------------------------------------------------
  * Function:    H5LT_dtype_to_text
  *
@@ -2536,8 +2606,7 @@ H5LT_dtype_to_text(hid_t dtype, char *dt_str, H5LT_lang_t lang, size_t *slen, bo
             tag = H5Tget_tag(dtype);
             if (tag) {
                 snprintf(tmp_str, TMP_LEN, "OPQ_TAG \"%s\";\n", tag);
-                if (tag)
-                    H5free_memory(tag);
+                H5free_memory(tag);
                 tag = NULL;
             }
             else
@@ -2556,38 +2625,30 @@ H5LT_dtype_to_text(hid_t dtype, char *dt_str, H5LT_lang_t lang, size_t *slen, bo
             break;
         }
         case H5T_ENUM: {
-            hid_t  super;
-            size_t super_len;
-            char  *stmp = NULL;
+            hid_t super;
 
             /* Print lead-in */
             snprintf(dt_str, *slen, "H5T_ENUM {\n");
             indent += COL;
             if (!(dt_str = indentation(indent + COL, dt_str, no_user_buf, slen)))
                 goto out;
 
+            /* Get super type and append its text representation */
             if ((super = H5Tget_super(dtype)) < 0)
                 goto out;
-            if (H5LTdtype_to_text(super, NULL, lang, &super_len) < 0)
-                goto out;
-            stmp = (char *)calloc(super_len, sizeof(char));
-            if (H5LTdtype_to_text(super, stmp, lang, &super_len) < 0) {
-                free(stmp);
-                goto out;
-            }
-            if (!(dt_str = realloc_and_append(no_user_buf, slen, dt_str, stmp))) {
-                free(stmp);
-                goto out;
+            {
+                char *tmp = append_dtype_super_text(super, dt_str, lang, slen, no_user_buf);
+                H5Tclose(super);
+                if (!tmp) {
+                    dt_str = NULL; /* freed by callee's realloc_and_append on failure */
+                    goto out;
+                }
+                dt_str = tmp;
             }
 
-            if (stmp)
-                free(stmp);
-            stmp = NULL;
-
             snprintf(tmp_str, TMP_LEN, ";\n");
             if (!(dt_str = realloc_and_append(no_user_buf, slen, dt_str, tmp_str)))
                 goto out;
-            H5Tclose(super);
 
             if (!(dt_str = print_enum(dtype, dt_str, slen, no_user_buf, indent)))
                 goto out;
@@ -2603,37 +2664,30 @@ H5LT_dtype_to_text(hid_t dtype, char *dt_str, H5LT_lang_t lang, size_t *slen, bo
             break;
         }
         case H5T_VLEN: {
-            hid_t  super;
-            size_t super_len;
-            char  *stmp = NULL;
+            hid_t super;
 
             /* Print lead-in */
             snprintf(dt_str, *slen, "H5T_VLEN {\n");
             indent += COL;
             if (!(dt_str = indentation(indent + COL, dt_str, no_user_buf, slen)))
                 goto out;
 
+            /* Get super type and append its text representation */
             if ((super = H5Tget_super(dtype)) < 0)
                 goto out;
-            if (H5LTdtype_to_text(super, NULL, lang, &super_len) < 0)
-                goto out;
-            stmp = (char *)calloc(super_len, sizeof(char));
-            if (H5LTdtype_to_text(super, stmp, lang, &super_len) < 0) {
-                free(stmp);
-                goto out;
-            }
-            if (!(dt_str = realloc_and_append(no_user_buf, slen, dt_str, stmp))) {
-                free(stmp);
-                goto out;
+            {
+                char *tmp = append_dtype_super_text(super, dt_str, lang, slen, no_user_buf);
+                H5Tclose(super);
+                if (!tmp) {
+                    dt_str = NULL; /* freed by callee's realloc_and_append on failure */
+                    goto out;
+                }
+                dt_str = tmp;
             }
 
-            if (stmp)
-                free(stmp);
-            stmp = NULL;
             snprintf(tmp_str, TMP_LEN, "\n");
             if (!(dt_str = realloc_and_append(no_user_buf, slen, dt_str, tmp_str)))
                 goto out;
-            H5Tclose(super);
 
             /* Print closing */
             indent -= COL;
@@ -2647,8 +2701,6 @@ H5LT_dtype_to_text(hid_t dtype, char *dt_str, H5LT_lang_t lang, size_t *slen, bo
         }
         case H5T_ARRAY: {
             hid_t   super;
-            size_t  super_len;
-            char   *stmp = NULL;
             hsize_t dims[H5S_MAX_RANK];
             int     ndims;
 
@@ -2674,26 +2726,22 @@ H5LT_dtype_to_text(hid_t dtype, char *dt_str, H5LT_lang_t lang, size_t *slen, bo
             if (!(dt_str = realloc_and_append(no_user_buf, slen, dt_str, tmp_str)))
                 goto out;
 
+            /* Get super type and append its text representation */
             if ((super = H5Tget_super(dtype)) < 0)
                 goto out;
-            if (H5LTdtype_to_text(super, NULL, lang, &super_len) < 0)
-                goto out;
-            stmp = (char *)calloc(super_len, sizeof(char));
-            if (H5LTdtype_to_text(super, stmp, lang, &super_len) < 0) {
-                free(stmp);
-                goto out;
-            }
-            if (!(dt_str = realloc_and_append(no_user_buf, slen, dt_str, stmp))) {
-                free(stmp);
-                goto out;
+            {
+                char *tmp = append_dtype_super_text(super, dt_str, lang, slen, no_user_buf);
+                H5Tclose(super);
+                if (!tmp) {
+                    dt_str = NULL; /* freed by callee's realloc_and_append on failure */
+                    goto out;
+                }
+                dt_str = tmp;
             }
-            if (stmp)
-                free(stmp);
-            stmp = NULL;
+
             snprintf(tmp_str, TMP_LEN, "\n");
             if (!(dt_str = realloc_and_append(no_user_buf, slen, dt_str, tmp_str)))
                 goto out;
-            H5Tclose(super);
 
             /* Print closing */
             indent -= COL;
@@ -2775,37 +2823,30 @@ H5LT_dtype_to_text(hid_t dtype, char *dt_str, H5LT_lang_t lang, size_t *slen, bo
             break;
         }
         case H5T_COMPLEX: {
-            hid_t  super;
-            size_t super_len;
-            char  *stmp = NULL;
+            hid_t super;
 
             /* Print lead-in */
             snprintf(dt_str, *slen, "H5T_COMPLEX {\n");
             indent += COL;
             if (!(dt_str = indentation(indent + COL, dt_str, no_user_buf, slen)))
                 goto out;
 
+            /* Get super type and append its text representation */
             if ((super = H5Tget_super(dtype)) < 0)
                 goto out;
-            if (H5LTdtype_to_text(super, NULL, lang, &super_len) < 0)
-                goto out;
-            stmp = (char *)calloc(super_len, sizeof(char));
-            if (H5LTdtype_to_text(super, stmp, lang, &super_len) < 0) {
-                free(stmp);
-                goto out;
-            }
-            if (!(dt_str = realloc_and_append(no_user_buf, slen, dt_str, stmp))) {
-                free(stmp);
-                goto out;
+            {
+                char *tmp = append_dtype_super_text(super, dt_str, lang, slen, no_user_buf);
+                H5Tclose(super);
+                if (!tmp) {
+                    dt_str = NULL; /* freed by callee's realloc_and_append on failure */
+                    goto out;
+                }
+                dt_str = tmp;
             }
 
-            if (stmp)
-                free(stmp);
-            stmp = NULL;
             snprintf(tmp_str, TMP_LEN, "\n");
             if (!(dt_str = realloc_and_append(no_user_buf, slen, dt_str, tmp_str)))
                 goto out;
-            H5Tclose(super);
 
             /* Print closing */
             indent -= COL;

hl/src/H5TB.c

@@ -3038,8 +3038,9 @@ H5TBget_field_info(hid_t loc_id, const char *dset_name, char *field_names[], siz
                 field_names[i][HLTB_MAX_FIELD_LEN - 1] = '\0';
             }
             else {
-                /* name_len < HLTB_MAX_FIELD_LEN, so name_len + 1 <= HLTB_MAX_FIELD_LEN.
-                 * Callers must provide buffers of at least HLTB_MAX_FIELD_LEN bytes each
+                /* name fits within the limit: copy only name_len + 1 bytes (more efficient
+                 * than copying HLTB_MAX_FIELD_LEN - 1 bytes).  name_len + 1 <= HLTB_MAX_FIELD_LEN,
+                 * and callers must provide buffers of at least HLTB_MAX_FIELD_LEN bytes each
                  * (documented in H5TBpublic.h), so this copy is within bounds. */
                 memcpy(field_names[i], member_name, name_len + 1);
             }

release_docs/CHANGELOG.md

@@ -140,6 +140,14 @@ We would like to thank the many HDF5 community members who contributed to this r
 
 ## Library
 
+### Fixed file descriptor leaks in stdio VFD error paths
+
+   Fixed multiple resource leaks in the H5FDstdio driver where file descriptors were not properly closed on error paths. The error handling code was incorrectly attempting to close a local variable instead of the file pointer stored in the file structure, leading to file descriptor leaks. This issue affected 5 error paths in `H5FD_stdio_open()` and could cause file descriptor exhaustion in long-running applications.
+
+### Added defensive NULL pointer checks in native VOL connector
+
+   Added assertion checks for NULL pointer parameters in `H5VL_native_get_file_struct()` to catch programming errors earlier and improve code robustness.
+
 ### Added checks for data filter behavior
 
    The library now verifies that the returned data size from a data filter's filter callback function can fit inside the returned data buffer size. The library also checks that, when data is filtered then unfiltered (filtered in reverse), the returned data size is exactly the same as the original data size.
@@ -194,6 +202,16 @@ We would like to thank the many HDF5 community members who contributed to this r
    header `H5TBpublic.h`. Applications can now use this constant to correctly size their
    `field_names[]` buffers when calling `H5TBget_field_info()`.
 
+### Fixed memory leaks and improved safety in H5LT functions
+
+   - Fixed memory leak in `H5LTtext_to_dtype()` by adding NULL check after `strdup()` call
+   - Added defensive NULL checks and pointer nullification after `free()` calls to prevent use-after-free bugs
+   - Improved documentation for `realloc_and_append()` internal function with detailed parameter contracts and preconditions
+
+### Eliminated code duplication in H5LT datatype conversion
+
+   Refactored `H5LT_dtype_to_text()` by extracting common super-type handling logic into a new helper function `H5LT_append_dtype_super_text()`. This eliminates approximately 80 lines of duplicated code that was previously repeated across 4 datatype cases (ENUM, VLEN, ARRAY, COMPLEX), improving maintainability and reducing the risk of inconsistent behavior.
+
 ### Fixed H5TBread_fields_name/H5TBwrite_fields_name matching the wrong field when one field name is a prefix of another
 
    H5TB_find_field() used strncmp() limited to strlen(field) when comparing the last entry of the supplied comma-separated field list against a table member name. This matched any user-supplied name whose leading characters equaled an existing field name (for example, requesting "PressureExtra" on a table containing "Pressure" would silently operate on the "Pressure" field). The comparison has been changed to strcmp() so full names must match exactly. In addition, H5TBwrite_fields_name() now returns an error when none of the requested field names are found (previously it silently performed a no-op write), matching the existing behavior of H5TBread_fields_name().