Skip to content

Fix CVE-2025-2926 #5841

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 5 commits into
base: develop
Choose a base branch
from
Open

Fix CVE-2025-2926 #5841

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
b36c123
Fix CVE-2025-2926
bmribler Sep 16, 2025
a717eb1
Moved the detection of invalid image len to where the value is obtained.
bmribler Sep 25, 2025
7cc1f4e
Merge branch 'develop' into fix_CVE-2025-2926
bmribler Sep 25, 2025
05369d0
Committing clang-format changes
github-actions[bot] Sep 25, 2025
daf6618
Merge branch 'develop' into fix_CVE-2025-2926
lrknox Oct 20, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 6 additions & 0 deletions release_docs/CHANGELOG.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -557,6 +557,12 @@ Added Fortran wrapper h5fdsubfiling_get_file_mapping_f() for the subfiling file

## Library

### Fixed security issue CVE-2025-2926

An image size was corrupted and decoded as 0 resulting in a NULL image buffer, which caused a NULL pointer dereference when the image was being copied to the buffer. This has been fixed with additional image size check.

Fixes GitHub issue #5384

### Fixed security issue CVE-2025-2915 and OSV-2024-381

Fixed a heap-based buffer overflow in H5F__accum_free caused by an integer overflow when calculating new_accum_size. Added validation in H5O__mdci_decode to detect and reject invalid values early, preventing the overflow condition.
Expand Down
10 changes: 7 additions & 3 deletions src/H5Ocache.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -595,18 +595,22 @@ H5O__cache_free_icr(void *_thing)
static herr_t
H5O__cache_chk_get_initial_load_size(void *_udata, size_t *image_len)
{
const H5O_chk_cache_ud_t *udata = (const H5O_chk_cache_ud_t *)_udata; /* User data for callback */
const H5O_chk_cache_ud_t *udata = (const H5O_chk_cache_ud_t *)_udata; /* User data for callback */
herr_t ret_value = SUCCEED;

FUNC_ENTER_PACKAGE_NOERR
FUNC_ENTER_PACKAGE

assert(udata);
assert(udata->oh);
assert(image_len);

/* Set the image length size */
if (udata->size == 0)
HGOTO_ERROR(H5E_OHDR, H5E_BADVALUE, FAIL, "invalid size of image");
*image_len = udata->size;

FUNC_LEAVE_NOAPI(SUCCEED)
done:
FUNC_LEAVE_NOAPI(ret_value)
} /* end H5O__cache_chk_get_initial_load_size() */

/*-------------------------------------------------------------------------
Expand Down
Loading