Fix memory safety vulnerabilities in high-level and VFD code #6140
base: develop
Conversation
Address multiple CWE-415 (double-free), CWE-416 (use-after-free),
and CWE-122 (buffer overflow) vulnerabilities identified by static analysis:
- hl/src/H5DS.c: Fix double-free in H5DSis_scale() by setting buf to NULL
after free and adding NULL check in cleanup path
- hl/src/H5LT.c: Fix multiple memory issues:
* Set myinput to NULL after free in H5LTtext_to_dtype()
* Add NULL check in realloc_and_append() to prevent use-after-free
* Refactor duplicated stmp handling by creating H5LT_append_dtype_super_text()
helper function, eliminating ~50 lines of repeated code across 4 case blocks
- hl/src/H5TB.c: Replace unsafe strcpy() with strncpy() in H5TBget_field_info()
using HLTB_MAX_FIELD_LEN constant to prevent buffer overflow
- hl/src/H5TBpublic.h: Document buffer size requirements for field_names parameter
- src/H5FDstdio.c: Fix inconsistent resource cleanup in H5FD_stdio_open() by
using file->fp instead of f throughout error paths
- src/H5VLnative.c: Add assert checks for obj and file parameters in
H5VL_native_get_file_struct() following internal API conventions
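The description above relies on two defensive patterns: clearing a pointer right after free() so a shared cleanup label cannot free it twice, and replacing strcpy() with a bounded copy. The block below is an added example written for this review, not code from the HDF5 PR or repository; MAX_FIELD_LEN, copy_field_name(), copy_demo(), strncpy_demo() and parse_with_cleanup() are hypothetical names. It also shows the caveat a bare strncpy() carries: with n equal to the destination size, a name that fills the buffer is left without a NUL terminator, so the replacement still needs an explicit termination or a length check.

```c
/* Added example (not HDF5 code): the two defensive patterns this PR applies.
 * MAX_FIELD_LEN, copy_field_name, copy_demo, strncpy_demo and
 * parse_with_cleanup are hypothetical stand-ins, not HDF5 identifiers. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_FIELD_LEN 255 /* hypothetical stand-in for HLTB_MAX_FIELD_LEN */

/* Bounded copy that always NUL-terminates dst and reports truncation.
 * Returns 0 if src fit, -1 if it was truncated (dst is still terminated). */
int copy_field_name(char *dst, size_t dst_size, const char *src)
{
    size_t len = strlen(src);
    if (dst_size == 0)
        return -1;
    if (len >= dst_size) {
        /* This is the case a bare strncpy(dst, src, dst_size) leaves unterminated */
        memcpy(dst, src, dst_size - 1);
        dst[dst_size - 1] = '\0';
        return -1;
    }
    memcpy(dst, src, len + 1); /* copies the terminator too */
    return 0;
}

/* Constructed input: a field name made of name_len 'a' characters. */
static void make_name(char *src, size_t src_size, size_t name_len)
{
    if (name_len >= src_size)
        name_len = src_size - 1;
    memset(src, 'a', name_len);
    src[name_len] = '\0';
}

/* Copies a name_len-character name into a MAX_FIELD_LEN + 1 byte buffer.
 * Returns 0 (fit) or -1 (truncated); -2 if dst ended up unterminated. */
int copy_demo(size_t name_len)
{
    char src[1024];
    char dst[MAX_FIELD_LEN + 1];
    int rc;

    make_name(src, sizeof src, name_len);
    rc = copy_field_name(dst, sizeof dst, src);
    if (memchr(dst, '\0', sizeof dst) == NULL)
        return -2;
    return rc;
}

/* Same name through a bare strncpy() with n == buffer size. Returns 1 if dst
 * is NUL-terminated afterwards, 0 if not: a 255-character name fills the
 * buffer and leaves no terminator, so a later strlen() reads past the end. */
int strncpy_demo(size_t name_len)
{
    char src[1024];
    char dst[MAX_FIELD_LEN];

    make_name(src, sizeof src, name_len);
    memset(dst, 'X', sizeof dst);
    strncpy(dst, src, sizeof dst);
    return memchr(dst, '\0', sizeof dst) != NULL;
}

/* Free-then-NULL with a shared cleanup label, the shape of the H5DSis_scale()
 * fix. fail_at simulates a failure: 0 = none, 1 = before buf is released,
 * 2 = after buf was released early. Returns the number of free() calls made,
 * which must be exactly 1 on every path. */
int parse_with_cleanup(const char *input, int fail_at)
{
    char *buf = NULL;
    int frees = 0;
    size_t len = strlen(input);

    buf = malloc(len + 1);
    if (buf == NULL)
        goto done;
    memcpy(buf, input, len + 1);

    if (fail_at == 1)
        goto done; /* buf still owned here: cleanup frees it once */

    /* Finished with buf early: release it and clear the pointer so the
     * cleanup path below cannot free it a second time. */
    free(buf);
    buf = NULL;
    frees++;

    if (fail_at == 2)
        goto done; /* buf already NULL: cleanup must skip it */

done:
    if (buf != NULL) { /* the NULL check makes the shared cleanup idempotent */
        free(buf);
        buf = NULL;
        frees++;
    }
    return frees;
}

int main(void)
{
    printf("255-char name into 256-byte buffer: %d\n", copy_demo(255));
    printf("256-char name truncated but terminated: %d\n", copy_demo(256));
    printf("bare strncpy terminated 254/255-char name: %d %d\n",
           strncpy_demo(254), strncpy_demo(255));
    printf("frees on success/early-fail/late-fail: %d %d %d\n",
           parse_with_cleanup("dimscale", 0), parse_with_cleanup("dimscale", 1),
           parse_with_cleanup("dimscale", 2));
    return 0;
}
```

The copy helper reports truncation instead of hiding it; whether H5TBget_field_info() should fail or silently truncate an overlong field name is a design choice the PR description does not settle, but either way the caller's buffer size documented in H5TBpublic.h must include room for the terminator.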
| /* Use the value in the property list */ | ||
| if (H5Pget_file_locking(fapl_id, &unused, &file->ignore_disabled_file_locks) < 0) { | ||
| fclose(file->fp); |
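Review bot: after fclose(file->fp) in the H5Pget_file_locking error branch, file->fp still holds the closed FILE*, so any later cleanup on the same error path that closes or releases the struct can close it a second time. Setting file->fp = NULL immediately after the fclose, the same free-then-clear pattern this PR applies to buf and myinput, rules that out regardless of which pointer the cleanup uses; replacing f with file->fp on its own changes nothing here, since both name the same stream at this point.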
What was the issue with these close calls? file->fp should be the same as f at this point
Snyk flags it for clarity on resource ownership. The concern is that it's not explicit which pointer "owns" the resource after the assignment. Once you've assigned file->fp = f, the FILE* is conceptually owned by the file structure, and using file->fp in cleanup makes this ownership clear.
| buf = tmp_realloc; | ||
| } | ||
| if (!buf) |
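Review bot: the `if (!buf)` guard placed after `buf = tmp_realloc;` does not protect the realloc itself: a failed realloc must be caught on tmp_realloc before it is assigned to buf, otherwise the original buffer is lost and leaked. If buf is never meant to be NULL on entry, an explicit precondition check with an error return (or an assertion, following the convention this PR adds in H5VL_native_get_file_struct()) documents that contract better than a silent guard in front of the strlen(buf) below; if NULL is a legitimate input via the _no_user_buf path, a comment on the parameter saying so would resolve the ambiguity raised in the review.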
The intent of the _no_user_buf parameter isn't really obvious, but it seems like this check overlaps with the same check inside that block, which seems like it would imply buf being allowed to be passed in as NULL in the false case. But I'm guessing this check was added due to the strlen(buf) below. This seems like we should determine whether it was ever intended for buf to be allowed as NULL.
| #define HLTB_MAX_FIELD_LEN 255 | ||
| #define TABLE_CLASS "TABLE" | ||
| #define TABLE_VERSION "3.0" | ||
| /* HLTB_MAX_FIELD_LEN is now defined in H5TBpublic.h */ |
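Review bot: the comment added in place of the removed `#define HLTB_MAX_FIELD_LEN 255` records file history rather than anything a reader of this file needs, and can be dropped. The substantive point of moving the macro into H5TBpublic.h is that 255 becomes part of the public contract for field_names: since the new strncpy() in H5TBget_field_info() is called with HLTB_MAX_FIELD_LEN as its length, a name of 255 or more characters is copied without a NUL terminator, so the public header should state that each caller buffer is HLTB_MAX_FIELD_LEN + 1 bytes and the copy should terminate dst[HLTB_MAX_FIELD_LEN] explicitly (or reject over-long names with an error) rather than rely on strncpy() alone.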
Harmless, but it's probably unnecessary to document that a macro used to be in this file
SAFE project work.
Important
Fixes memory safety vulnerabilities in the HDF5 codebase, addressing double-free, use-after-free, and buffer overflow issues across multiple files.
H5DS.c: Fix double-free in H5DSis_scale() by setting buf to NULL after free and adding NULL check in cleanup.
H5LT.c: Set myinput to NULL after free in H5LTtext_to_dtype(), add NULL check in realloc_and_append(), refactor H5LT_append_dtype_super_text() to reduce code duplication.
H5TB.c: Replace strcpy() with strncpy() in H5TBget_field_info() to prevent buffer overflow.
H5TBpublic.h: Document buffer size requirements for field_names parameter.
H5FDstdio.c: Use file->fp consistently in H5FD_stdio_open() for error paths.
H5VLnative.c: Add assert checks for obj and file parameters in H5VL_native_get_file_struct().
This description was generated automatically for commit 7b22833.