Check for overflow when calculating on-disk attribute data size (HDFG…

…roup#2459)

A bogus hdf5 file may contain dataspace messages with sizes
which lead to the on-disk data sizes to exceed what is addressable.
When calculating the size, make sure, the multiplication hasn't
overflown.
The test case was crafted in a way that the overflow caused the
size to be 0.

This fixes CVE-2021-37501 / Bug HDFGroup#2458.

Signed-off-by: Egbert Eich <eich@suse.com>
Co-authored-by: Allen Byrne <byrn@hdfgroup.org>

release_docs/RELEASE.txt

@@ -207,6 +207,19 @@ Bug Fixes since HDF5-1.13.3 release
 ===================================
     Library
     -------
+    - Fix CVE-2021-37501 / GHSA-rfgw-5vq3-wrjf
+
+      Check for overflow when calculating on-disk attribute data size.
+
+      A bogus hdf5 file may contain dataspace messages with sizes
+      which lead to the on-disk data sizes to exceed what is addressable.
+      When calculating the size, make sure, the multiplication does not
+      overflow.
+      The test case was crafted in a way that the overflow caused the
+      size to be 0.
+
+      (EFE - 2023/02/11 GH-2458)
+
     - Fixed an issue with collective metadata writes of global heap data
 
       New test failures in parallel netCDF started occurring with debug

src/H5Oattr.c

@@ -230,6 +230,9 @@ H5O__attr_decode(H5F_t *f, H5O_t *open_oh, unsigned H5_ATTR_UNUSED mesg_flags, u
 
     /* Compute the size of the data */
     H5_CHECKED_ASSIGN(attr->shared->data_size, size_t, ds_size * (hsize_t)dt_size, hsize_t);
+    /* Check if multiplication has overflown */
+    if ((attr->shared->data_size/dt_size) != ds_size)
+        HGOTO_ERROR(H5E_RESOURCE, H5E_OVERFLOW, NULL, "data size exceeds addressable range")
 
     /* Go get the data */
     if (attr->shared->data_size) {