diff -Nru hdf5-1.10.0-patch1+docs/debian/changelog hdf5-1.10.0-patch1+docs/debian/changelog --- hdf5-1.10.0-patch1+docs/debian/changelog 2023-09-13 19:23:56.000000000 +0000 +++ hdf5-1.10.0-patch1+docs/debian/changelog 2023-09-17 21:49:26.000000000 +0000 @@ -1,22 +1,47 @@ -hdf5 (1.10.0-patch1+docs-4build2~16.04.sav0) xenial; urgency=medium +hdf5 (1.10.0-patch1+docs-4ubuntu0.1~esm2+16.04.sav0) xenial; urgency=medium * Backport to Xenial * Build against libgfortran5 from GCC >= 8 (consistency with newer series): - d/control: Set gfortran (>= 4:8.4.0-1~) BD (ppa:savoury1/gcc-defaults-8) + * Backport commit c0312f5d from Debian hdf5 1.10.4+repack-2 package: + - Automatically insert the correct libversion into pkg-config files - -- Rob Savoury Wed, 13 Sep 2023 12:23:56 -0700 + -- Rob Savoury Sun, 17 Sep 2023 14:49:26 -0700 -hdf5 (1.10.0-patch1+docs-4build2) cosmic; urgency=medium +hdf5 (1.10.0-patch1+docs-4ubuntu0.1~esm2) bionic-security; urgency=medium - * No-change rebuild for libgfortran soname change. + * SECURITY UPDATE: Divide By Zero and Segmentation Fault + - debian/patches/CVE-2018-17233.patch: Fixed HDFFV-10577 and similar + issues found in H5Dchunk.c. + - debian/patches/CVE-2018-17237.patch: HDFFV-10571: Divided by Zero + vulnerability, issues with chunk cache hash value, patches for warnings + in the core libraries. HDF5 library segmentation fault with + H5Sselect_element. + - CVE-2018-17233 + - CVE-2018-17237 + * SECURITY UPDATE: Memory Leak + - debian/patches/CVE-2018-17234.patch: Memory leak in + H5O__chunk_deserialize(). + - CVE-2018-17234 + + -- David Fernandez Gonzalez Tue, 19 Jul 2022 12:53:17 +0200 + +hdf5 (1.10.0-patch1+docs-4ubuntu0.1~esm1) bionic-security; urgency=medium + + * SECURITY UPDATE: Null pointer dereference when opening a crafted + hdf5 file + - debian/patches/CVE-2017-17505.patch: fix in H5Opline.c + - CVE-2017-17505 + * SECURITY UPDATE: Out of bounds read vulnerability when opening a + crafted hdf5 file. + - debian/patches/CVE-2017-17506.patch: fix decode functions. + - CVE-2017-17506 + * SECURITY UPDATE: Divide by zero vulnerability when opening a crafted + hdf5 file + - debian/patches/CVE-2017-17508.patch: fix in H5T.c + - CVE-2017-17508 - -- Matthias Klose Tue, 17 Jul 2018 12:26:11 +0000 - -hdf5 (1.10.0-patch1+docs-4build1) cosmic; urgency=medium - - * No-change rebuild for dune openmpi soname change. - - -- Matthias Klose Sun, 13 May 2018 17:01:14 +0000 + -- Eduardo Barretto Wed, 19 Sep 2018 11:27:18 -0300 hdf5 (1.10.0-patch1+docs-4) unstable; urgency=medium diff -Nru hdf5-1.10.0-patch1+docs/debian/control hdf5-1.10.0-patch1+docs/debian/control --- hdf5-1.10.0-patch1+docs/debian/control 2023-09-13 19:23:50.000000000 +0000 +++ hdf5-1.10.0-patch1+docs/debian/control 2023-09-17 21:49:26.000000000 +0000 @@ -1,7 +1,8 @@ Source: hdf5 Section: science Priority: optional -Maintainer: Debian GIS Project +Maintainer: Ubuntu Developers +XSBC-Original-Maintainer: Debian GIS Project Uploaders: Francesco Paolo Lovergine , Gilles Filippini Build-Depends: debhelper (>= 10~), mpi-default-dev, libmpich-dev, zlib1g-dev, diff -Nru hdf5-1.10.0-patch1+docs/debian/control.in hdf5-1.10.0-patch1+docs/debian/control.in --- hdf5-1.10.0-patch1+docs/debian/control.in 2023-09-13 19:23:47.000000000 +0000 +++ hdf5-1.10.0-patch1+docs/debian/control.in 2023-09-17 21:49:26.000000000 +0000 @@ -1,7 +1,8 @@ Source: hdf5 Section: science Priority: optional -Maintainer: Debian GIS Project +Maintainer: Ubuntu Developers +XSBC-Original-Maintainer: Debian GIS Project Uploaders: Francesco Paolo Lovergine , Gilles Filippini Build-Depends: debhelper (>= 10~), mpi-default-dev, libmpich-dev, zlib1g-dev, diff -Nru hdf5-1.10.0-patch1+docs/debian/hdf5-mpich.pc hdf5-1.10.0-patch1+docs/debian/hdf5-mpich.pc --- hdf5-1.10.0-patch1+docs/debian/hdf5-mpich.pc 2016-04-21 11:39:48.000000000 +0000 +++ hdf5-1.10.0-patch1+docs/debian/hdf5-mpich.pc 2018-12-18 19:28:40.000000000 +0000 @@ -1,6 +1,6 @@ Name: HDF5 Description: Hierarchical Data Format 5 (HDF5) - MPICH version -Version: 1.8.13 +Version: @VERSION@ Requires: mpich Cflags: -I/usr/include/hdf5/mpich Libs: -L/usr/lib/@MULTIARCH@/hdf5/mpich -lhdf5 diff -Nru hdf5-1.10.0-patch1+docs/debian/hdf5-openmpi.pc hdf5-1.10.0-patch1+docs/debian/hdf5-openmpi.pc --- hdf5-1.10.0-patch1+docs/debian/hdf5-openmpi.pc 2016-04-21 11:39:48.000000000 +0000 +++ hdf5-1.10.0-patch1+docs/debian/hdf5-openmpi.pc 2018-12-18 19:28:40.000000000 +0000 @@ -1,6 +1,6 @@ Name: HDF5 Description: Hierarchical Data Format 5 (HDF5) - OpenMPI version -Version: 1.8.13 +Version: @VERSION@ Requires: Cflags: -I/usr/include/openmpi -I/usr/include/hdf5/openmpi Libs: -L/usr/lib/@MULTIARCH@/hdf5/openmpi -lhdf5 -L/usr/lib/openmpi/lib -lmpi diff -Nru hdf5-1.10.0-patch1+docs/debian/hdf5-serial.pc hdf5-1.10.0-patch1+docs/debian/hdf5-serial.pc --- hdf5-1.10.0-patch1+docs/debian/hdf5-serial.pc 2016-04-21 11:39:48.000000000 +0000 +++ hdf5-1.10.0-patch1+docs/debian/hdf5-serial.pc 2018-12-18 19:28:40.000000000 +0000 @@ -1,6 +1,6 @@ Name: HDF5 Description: Hierarchical Data Format 5 (HDF5) -Version: 1.8.13 +Version: @VERSION@ Requires: Cflags: -I/usr/include/hdf5/serial Libs: -L/usr/lib/@MULTIARCH@/hdf5/serial -lhdf5 diff -Nru hdf5-1.10.0-patch1+docs/debian/patches/CVE-2017-17505.patch hdf5-1.10.0-patch1+docs/debian/patches/CVE-2017-17505.patch --- hdf5-1.10.0-patch1+docs/debian/patches/CVE-2017-17505.patch 1970-01-01 00:00:00.000000000 +0000 +++ hdf5-1.10.0-patch1+docs/debian/patches/CVE-2017-17505.patch 2018-09-19 09:21:22.000000000 +0000 @@ -0,0 +1,76 @@ +From: Dana Robinson +Subject: Fix for HDFFV-10354 (CVE-2017-17505). +Origin: upstream, https://bitbucket.hdfgroup.org/projects/HDFFV/repos/hdf5/commits/1e5b67c1dc8 +--- + src/H5Opline.c | 44 +++++++++++++++++++++++++++++--------------- + 1 file changed, 29 insertions(+), 15 deletions(-) + +diff --git a/src/H5Opline.c b/src/H5Opline.c +index 1a2baa0..5825f6f 100644 +--- a/src/H5Opline.c ++++ b/src/H5Opline.c +@@ -134,8 +134,15 @@ H5O_pline_decode(H5F_t UNUSED *f, hid_t UNUSED dxpl_id, H5O_t UNUSED *open_oh, + + /* Number of filters */ + pline->nused = *p++; +- if(pline->nused > H5Z_MAX_NFILTERS) +- HGOTO_ERROR(H5E_PLINE, H5E_CANTLOAD, NULL, "filter pipeline message has too many filters") ++ if(pline->nused > H5Z_MAX_NFILTERS) { ++ ++ /* Reset the number of filters used to avoid array traversal in error ++ * handling code. ++ */ ++ pline->nused = 0; ++ ++ HGOTO_ERROR(H5E_PLINE, H5E_CANTLOAD, NULL, "filter pipeline message has too many filters") ++ } + + /* Reserved */ + if(pline->version == H5O_PLINE_VERSION_1) +@@ -500,23 +507,30 @@ H5O_pline_reset(void *mesg) + + FUNC_ENTER_NOAPI_NOINIT_NOERR + ++ /* NOTE: This function can be called during error processing from ++ * other API calls so DO NOT ASSUME THAT ANY VALUES ARE SANE. ++ */ ++ + HDassert(pline); + +- /* Free information for each filter */ +- for(i = 0; i < pline->nused; i++) { +- if(pline->filter[i].name && pline->filter[i].name != pline->filter[i]._name) +- HDassert((HDstrlen(pline->filter[i].name) + 1) > H5Z_COMMON_NAME_LEN); +- if(pline->filter[i].name != pline->filter[i]._name) +- pline->filter[i].name = (char *)H5MM_xfree(pline->filter[i].name); +- if(pline->filter[i].cd_values && pline->filter[i].cd_values != pline->filter[i]._cd_values) +- HDassert(pline->filter[i].cd_nelmts > H5Z_COMMON_CD_VALUES); +- if(pline->filter[i].cd_values != pline->filter[i]._cd_values) +- pline->filter[i].cd_values = (unsigned *)H5MM_xfree(pline->filter[i].cd_values); +- } /* end for */ ++ /* Free the filter information and array */ ++ if (pline->filter) { ++ ++ /* Free information for each filter */ ++ for(i = 0; i < pline->nused; i++) { ++ if(pline->filter[i].name && pline->filter[i].name != pline->filter[i]._name) ++ HDassert((HDstrlen(pline->filter[i].name) + 1) > H5Z_COMMON_NAME_LEN); ++ if(pline->filter[i].name != pline->filter[i]._name) ++ pline->filter[i].name = (char *)H5MM_xfree(pline->filter[i].name); ++ if(pline->filter[i].cd_values && pline->filter[i].cd_values != pline->filter[i]._cd_values) ++ HDassert(pline->filter[i].cd_nelmts > H5Z_COMMON_CD_VALUES); ++ if(pline->filter[i].cd_values != pline->filter[i]._cd_values) ++ pline->filter[i].cd_values = (unsigned *)H5MM_xfree(pline->filter[i].cd_values); ++ } /* end for */ + +- /* Free filter array */ +- if(pline->filter) ++ /* Free filter array */ + pline->filter = (H5Z_filter_info_t *)H5MM_xfree(pline->filter); ++ } + + /* Reset # of filters */ + pline->nused = pline->nalloc = 0; +-- +2.17.1 + diff -Nru hdf5-1.10.0-patch1+docs/debian/patches/CVE-2017-17506.patch hdf5-1.10.0-patch1+docs/debian/patches/CVE-2017-17506.patch --- hdf5-1.10.0-patch1+docs/debian/patches/CVE-2017-17506.patch 1970-01-01 00:00:00.000000000 +0000 +++ hdf5-1.10.0-patch1+docs/debian/patches/CVE-2017-17506.patch 2018-09-19 14:27:18.000000000 +0000 @@ -0,0 +1,1037 @@ +From: Dana Robinson +Subject: Fix for HDFFV-10355 (CVE-2017-17506). +Origin: upstream, https://bitbucket.hdfgroup.org/projects/HDFFV/repos/hdf5/commits/302053f978e +--- + src/H5Abtree2.c | 4 ++-- + src/H5Adense.c | 4 ++-- + src/H5Gbtree2.c | 4 ++-- + src/H5Gdense.c | 20 ++++++++++---------- + src/H5HFcache.c | 2 +- + src/H5Oainfo.c | 5 +++-- + src/H5Oattr.c | 8 ++++---- + src/H5Obogus.c | 5 +++-- + src/H5Obtreek.c | 5 +++-- + src/H5Ocache.c | 4 ++-- + src/H5Ocont.c | 5 +++-- + src/H5Odrvinfo.c | 5 +++-- + src/H5Odtype.c | 4 ++-- + src/H5Oefl.c | 5 +++-- + src/H5Ofill.c | 10 ++++++---- + src/H5Ofsinfo.c | 6 ++++-- + src/H5Oginfo.c | 5 +++-- + src/H5Olayout.c | 5 +++-- + src/H5Olinfo.c | 5 +++-- + src/H5Olink.c | 5 +++-- + src/H5Omessage.c | 4 ++-- + src/H5Omtime.c | 10 ++++++---- + src/H5Oname.c | 5 +++-- + src/H5Opkg.h | 4 ++-- + src/H5Opline.c | 21 ++++++++++++++------- + src/H5Oprivate.h | 2 +- + src/H5Orefcount.c | 5 +++-- + src/H5Osdspace.c | 5 +++-- + src/H5Oshared.c | 2 +- + src/H5Oshared.h | 4 ++-- + src/H5Oshmesg.c | 5 +++-- + src/H5Ostab.c | 5 +++-- + src/H5Pdcpl.c | 2 +- + src/H5S.c | 2 +- + src/H5SM.c | 14 +++++++++----- + src/H5T.c | 13 +++++++++---- + src/H5Tprivate.h | 2 +- + 37 files changed, 129 insertions(+), 92 deletions(-) + +diff --git a/src/H5Abtree2.c b/src/H5Abtree2.c +index a9c77d2..285b7ab 100644 +--- a/src/H5Abtree2.c ++++ b/src/H5Abtree2.c +@@ -160,7 +160,7 @@ const H5B2_class_t H5A_BT2_CORDER[1]={{ /* B-tree class information */ + *------------------------------------------------------------------------- + */ + static herr_t +-H5A__dense_fh_name_cmp(const void *obj, size_t H5_ATTR_UNUSED obj_len, void *_udata) ++H5A__dense_fh_name_cmp(const void *obj, size_t obj_len, void *_udata) + { + H5A_fh_ud_cmp_t *udata = (H5A_fh_ud_cmp_t *)_udata; /* User data for 'op' callback */ + H5A_t *attr = NULL; /* Pointer to attribute created from heap object */ +@@ -170,7 +170,7 @@ H5A__dense_fh_name_cmp(const void *obj, size_t H5_ATTR_UNUSED obj_len, void *_ud + FUNC_ENTER_STATIC + + /* Decode attribute information */ +- if(NULL == (attr = (H5A_t *)H5O_msg_decode(udata->f, udata->dxpl_id, NULL, H5O_ATTR_ID, (const unsigned char *)obj))) ++ if(NULL == (attr = (H5A_t *)H5O_msg_decode(udata->f, udata->dxpl_id, NULL, H5O_ATTR_ID, obj_len, (const unsigned char *)obj))) + HGOTO_ERROR(H5E_OHDR, H5E_CANTDECODE, FAIL, "can't decode attribute") + + /* Compare the string values */ +diff --git a/src/H5Adense.c b/src/H5Adense.c +index 148977d..0a6cf5d 100644 +--- a/src/H5Adense.c ++++ b/src/H5Adense.c +@@ -846,7 +846,7 @@ done: + *------------------------------------------------------------------------- + */ + static herr_t +-H5A__dense_copy_fh_cb(const void *obj, size_t H5_ATTR_UNUSED obj_len, void *_udata) ++H5A__dense_copy_fh_cb(const void *obj, size_t obj_len, void *_udata) + { + H5A_fh_ud_cp_t *udata = (H5A_fh_ud_cp_t *)_udata; /* User data for fractal heap 'op' callback */ + herr_t ret_value = SUCCEED; /* Return value */ +@@ -860,7 +860,7 @@ H5A__dense_copy_fh_cb(const void *obj, size_t H5_ATTR_UNUSED obj_len, void *_uda + * HDF5 routine, it could attempt to re-protect that direct block for the + * heap, causing the HDF5 routine called to fail) + */ +- if(NULL == (udata->attr = (H5A_t *)H5O_msg_decode(udata->f, udata->dxpl_id, NULL, H5O_ATTR_ID, (const unsigned char *)obj))) ++ if(NULL == (udata->attr = (H5A_t *)H5O_msg_decode(udata->f, udata->dxpl_id, NULL, H5O_ATTR_ID, obj_len, (const unsigned char *)obj))) + HGOTO_ERROR(H5E_ATTR, H5E_CANTDECODE, FAIL, "can't decode attribute") + + /* Set the creation order index for the attribute */ +diff --git a/src/H5Gbtree2.c b/src/H5Gbtree2.c +index ff7e200..cec02a0 100644 +--- a/src/H5Gbtree2.c ++++ b/src/H5Gbtree2.c +@@ -157,7 +157,7 @@ const H5B2_class_t H5G_BT2_CORDER[1]={{ /* B-tree class information */ + *------------------------------------------------------------------------- + */ + static herr_t +-H5G_dense_fh_name_cmp(const void *obj, size_t H5_ATTR_UNUSED obj_len, void *_udata) ++H5G_dense_fh_name_cmp(const void *obj, size_t obj_len, void *_udata) + { + H5G_fh_ud_cmp_t *udata = (H5G_fh_ud_cmp_t *)_udata; /* User data for 'op' callback */ + H5O_link_t *lnk; /* Pointer to link created from heap object */ +@@ -166,7 +166,7 @@ H5G_dense_fh_name_cmp(const void *obj, size_t H5_ATTR_UNUSED obj_len, void *_uda + FUNC_ENTER_NOAPI_NOINIT + + /* Decode link information */ +- if(NULL == (lnk = (H5O_link_t *)H5O_msg_decode(udata->f, udata->dxpl_id, NULL, H5O_LINK_ID, (const unsigned char *)obj))) ++ if(NULL == (lnk = (H5O_link_t *)H5O_msg_decode(udata->f, udata->dxpl_id, NULL, H5O_LINK_ID, obj_len, (const unsigned char *)obj))) + HGOTO_ERROR(H5E_SYM, H5E_CANTDECODE, FAIL, "can't decode link") + + /* Compare the string values */ +diff --git a/src/H5Gdense.c b/src/H5Gdense.c +index e8fa237..8bb44a2 100644 +--- a/src/H5Gdense.c ++++ b/src/H5Gdense.c +@@ -601,7 +601,7 @@ done: + *------------------------------------------------------------------------- + */ + static herr_t +-H5G_dense_lookup_by_idx_fh_cb(const void *obj, size_t H5_ATTR_UNUSED obj_len, void *_udata) ++H5G_dense_lookup_by_idx_fh_cb(const void *obj, size_t obj_len, void *_udata) + { + H5G_fh_ud_lbi_t *udata = (H5G_fh_ud_lbi_t *)_udata; /* User data for fractal heap 'op' callback */ + H5O_link_t *tmp_lnk = NULL; /* Temporary pointer to link */ +@@ -610,7 +610,7 @@ H5G_dense_lookup_by_idx_fh_cb(const void *obj, size_t H5_ATTR_UNUSED obj_len, vo + FUNC_ENTER_NOAPI_NOINIT + + /* Decode link information & keep a copy */ +- if(NULL == (tmp_lnk = (H5O_link_t *)H5O_msg_decode(udata->f, udata->dxpl_id, NULL, H5O_LINK_ID, (const unsigned char *)obj))) ++ if(NULL == (tmp_lnk = (H5O_link_t *)H5O_msg_decode(udata->f, udata->dxpl_id, NULL, H5O_LINK_ID, obj_len, (const unsigned char *)obj))) + HGOTO_ERROR(H5E_SYM, H5E_CANTDECODE, FAIL, "can't decode link") + + /* Copy link information */ +@@ -891,7 +891,7 @@ done: + *------------------------------------------------------------------------- + */ + static herr_t +-H5G_dense_iterate_fh_cb(const void *obj, size_t H5_ATTR_UNUSED obj_len, void *_udata) ++H5G_dense_iterate_fh_cb(const void *obj, size_t obj_len, void *_udata) + { + H5G_fh_ud_it_t *udata = (H5G_fh_ud_it_t *)_udata; /* User data for fractal heap 'op' callback */ + herr_t ret_value = SUCCEED; /* Return value */ +@@ -905,7 +905,7 @@ H5G_dense_iterate_fh_cb(const void *obj, size_t H5_ATTR_UNUSED obj_len, void *_u + * HDF5 routine, it could attempt to re-protect that direct block for the + * heap, causing the HDF5 routine called to fail - QAK) + */ +- if(NULL == (udata->lnk = (H5O_link_t *)H5O_msg_decode(udata->f, udata->dxpl_id, NULL, H5O_LINK_ID, (const unsigned char *)obj))) ++ if(NULL == (udata->lnk = (H5O_link_t *)H5O_msg_decode(udata->f, udata->dxpl_id, NULL, H5O_LINK_ID, obj_len, (const unsigned char *)obj))) + HGOTO_ERROR(H5E_SYM, H5E_CANTDECODE, FAIL, "can't decode link") + + done: +@@ -1103,7 +1103,7 @@ done: + *------------------------------------------------------------------------- + */ + static herr_t +-H5G_dense_get_name_by_idx_fh_cb(const void *obj, size_t H5_ATTR_UNUSED obj_len, void *_udata) ++H5G_dense_get_name_by_idx_fh_cb(const void *obj, size_t obj_len, void *_udata) + { + H5G_fh_ud_gnbi_t *udata = (H5G_fh_ud_gnbi_t *)_udata; /* User data for fractal heap 'op' callback */ + H5O_link_t *lnk; /* Pointer to link created from heap object */ +@@ -1112,7 +1112,7 @@ H5G_dense_get_name_by_idx_fh_cb(const void *obj, size_t H5_ATTR_UNUSED obj_len, + FUNC_ENTER_NOAPI_NOINIT + + /* Decode link information */ +- if(NULL == (lnk = (H5O_link_t *)H5O_msg_decode(udata->f, udata->dxpl_id, NULL, H5O_LINK_ID, (const unsigned char *)obj))) ++ if(NULL == (lnk = (H5O_link_t *)H5O_msg_decode(udata->f, udata->dxpl_id, NULL, H5O_LINK_ID, obj_len, (const unsigned char *)obj))) + HGOTO_ERROR(H5E_SYM, H5E_CANTDECODE, FAIL, "can't decode link") + + /* Get the length of the name */ +@@ -1310,7 +1310,7 @@ done: + *------------------------------------------------------------------------- + */ + static herr_t +-H5G_dense_remove_fh_cb(const void *obj, size_t H5_ATTR_UNUSED obj_len, void *_udata) ++H5G_dense_remove_fh_cb(const void *obj, size_t obj_len, void *_udata) + { + H5G_fh_ud_rm_t *udata = (H5G_fh_ud_rm_t *)_udata; /* User data for fractal heap 'op' callback */ + H5O_link_t *lnk = NULL; /* Pointer to link created from heap object */ +@@ -1320,7 +1320,7 @@ H5G_dense_remove_fh_cb(const void *obj, size_t H5_ATTR_UNUSED obj_len, void *_ud + FUNC_ENTER_NOAPI_NOINIT + + /* Decode link information */ +- if(NULL == (lnk = (H5O_link_t *)H5O_msg_decode(udata->f, udata->dxpl_id, NULL, H5O_LINK_ID, (const unsigned char *)obj))) ++ if(NULL == (lnk = (H5O_link_t *)H5O_msg_decode(udata->f, udata->dxpl_id, NULL, H5O_LINK_ID, obj_len, (const unsigned char *)obj))) + HGOTO_ERROR(H5E_SYM, H5E_CANTDECODE, FAIL, "can't decode link") + + /* Check for removing the link from the creation order index */ +@@ -1487,7 +1487,7 @@ done: + *------------------------------------------------------------------------- + */ + static herr_t +-H5G_dense_remove_by_idx_fh_cb(const void *obj, size_t H5_ATTR_UNUSED obj_len, void *_udata) ++H5G_dense_remove_by_idx_fh_cb(const void *obj, size_t obj_len, void *_udata) + { + H5G_fh_ud_rmbi_t *udata = (H5G_fh_ud_rmbi_t *)_udata; /* User data for fractal heap 'op' callback */ + herr_t ret_value = SUCCEED; /* Return value */ +@@ -1495,7 +1495,7 @@ H5G_dense_remove_by_idx_fh_cb(const void *obj, size_t H5_ATTR_UNUSED obj_len, vo + FUNC_ENTER_NOAPI_NOINIT + + /* Decode link information */ +- if(NULL == (udata->lnk = (H5O_link_t *)H5O_msg_decode(udata->f, udata->dxpl_id, NULL, H5O_LINK_ID, (const unsigned char *)obj))) ++ if(NULL == (udata->lnk = (H5O_link_t *)H5O_msg_decode(udata->f, udata->dxpl_id, NULL, H5O_LINK_ID, obj_len, (const unsigned char *)obj))) + HGOTO_ERROR(H5E_SYM, H5E_CANTDECODE, H5_ITER_ERROR, "can't decode link") + + /* Can't operate on link here because the fractal heap block is locked */ +diff --git a/src/H5HFcache.c b/src/H5HFcache.c +index b14b7fc..f311342 100644 +--- a/src/H5HFcache.c ++++ b/src/H5HFcache.c +@@ -600,7 +600,7 @@ H5HF__cache_hdr_deserialize(const void *_image, size_t len, void *_udata, + UINT32DECODE(image, hdr->pline_root_direct_filter_mask); + + /* Decode I/O filter information */ +- if(NULL == (pline = (H5O_pline_t *)H5O_msg_decode(hdr->f, udata->dxpl_id, NULL, H5O_PLINE_ID, image))) ++ if(NULL == (pline = (H5O_pline_t *)H5O_msg_decode(hdr->f, udata->dxpl_id, NULL, H5O_PLINE_ID, len, image))) + HGOTO_ERROR(H5E_HEAP, H5E_CANTDECODE, NULL, "can't decode I/O pipeline filters") + + image += hdr->filter_len; +diff --git a/src/H5Oainfo.c b/src/H5Oainfo.c +index 44c6611..9114d09 100644 +--- a/src/H5Oainfo.c ++++ b/src/H5Oainfo.c +@@ -37,7 +37,7 @@ + + /* PRIVATE PROTOTYPES */ + static void *H5O_ainfo_decode(H5F_t *f, hid_t dxpl_id, H5O_t *open_oh, +- unsigned mesg_flags, unsigned *ioflags, const uint8_t *p); ++ unsigned mesg_flags, unsigned *ioflags, size_t p_size, const uint8_t *p); + static herr_t H5O_ainfo_encode(H5F_t *f, hbool_t disable_shared, uint8_t *p, const void *_mesg); + static void *H5O_ainfo_copy(const void *_mesg, void *_dest); + static size_t H5O_ainfo_size(const H5F_t *f, hbool_t disable_shared, const void *_mesg); +@@ -107,7 +107,8 @@ H5FL_DEFINE_STATIC(H5O_ainfo_t); + */ + static void * + H5O_ainfo_decode(H5F_t *f, hid_t H5_ATTR_UNUSED dxpl_id, H5O_t H5_ATTR_UNUSED *open_oh, +- unsigned H5_ATTR_UNUSED mesg_flags, unsigned H5_ATTR_UNUSED *ioflags, const uint8_t *p) ++ unsigned H5_ATTR_UNUSED mesg_flags, unsigned H5_ATTR_UNUSED *ioflags, ++ size_t H5_ATTR_UNUSED p_size, const uint8_t *p) + { + H5O_ainfo_t *ainfo = NULL; /* Attribute info */ + unsigned char flags; /* Flags for encoding attribute info */ +diff --git a/src/H5Oattr.c b/src/H5Oattr.c +index 9cbcdc4..c88d68f 100644 +--- a/src/H5Oattr.c ++++ b/src/H5Oattr.c +@@ -28,7 +28,7 @@ + /* PRIVATE PROTOTYPES */ + static herr_t H5O_attr_encode(H5F_t *f, uint8_t *p, const void *mesg); + static void *H5O_attr_decode(H5F_t *f, hid_t dxpl_id, H5O_t *open_oh, +- unsigned mesg_flags, unsigned *ioflags, const uint8_t *p); ++ unsigned mesg_flags, unsigned *ioflags, size_t p_size, const uint8_t *p); + static void *H5O_attr_copy(const void *_mesg, void *_dest); + static size_t H5O_attr_size(const H5F_t *f, const void *_mesg); + static herr_t H5O_attr_free(void *mesg); +@@ -123,7 +123,7 @@ H5FL_EXTERN(H5S_extent_t); + --------------------------------------------------------------------------*/ + static void * + H5O_attr_decode(H5F_t *f, hid_t dxpl_id, H5O_t *open_oh, unsigned H5_ATTR_UNUSED mesg_flags, +- unsigned *ioflags, const uint8_t *p) ++ unsigned *ioflags, size_t H5_ATTR_UNUSED p_size, const uint8_t *p) + { + H5A_t *attr = NULL; + H5S_extent_t *extent; /*extent dimensionality information */ +@@ -184,7 +184,7 @@ H5O_attr_decode(H5F_t *f, hid_t dxpl_id, H5O_t *open_oh, unsigned H5_ATTR_UNUSED + + /* Decode the attribute's datatype */ + if(NULL == (attr->shared->dt = (H5T_t *)(H5O_MSG_DTYPE->decode)(f, dxpl_id, open_oh, +- ((flags & H5O_ATTR_FLAG_TYPE_SHARED) ? H5O_MSG_FLAG_SHARED : 0), ioflags, p))) ++ ((flags & H5O_ATTR_FLAG_TYPE_SHARED) ? H5O_MSG_FLAG_SHARED : 0), ioflags, attr->shared->dt_size, p))) + HGOTO_ERROR(H5E_ATTR, H5E_CANTDECODE, NULL, "can't decode attribute datatype") + if(attr->shared->version < H5O_ATTR_VERSION_2) + p += H5O_ALIGN_OLD(attr->shared->dt_size); +@@ -199,7 +199,7 @@ H5O_attr_decode(H5F_t *f, hid_t dxpl_id, H5O_t *open_oh, unsigned H5_ATTR_UNUSED + + /* Decode attribute's dataspace extent */ + if((extent = (H5S_extent_t *)(H5O_MSG_SDSPACE->decode)(f, dxpl_id, open_oh, +- ((flags & H5O_ATTR_FLAG_SPACE_SHARED) ? H5O_MSG_FLAG_SHARED : 0), ioflags, p)) == NULL) ++ ((flags & H5O_ATTR_FLAG_SPACE_SHARED) ? H5O_MSG_FLAG_SHARED : 0), ioflags, attr->shared->ds_size, p)) == NULL) + HGOTO_ERROR(H5E_ATTR, H5E_CANTDECODE, NULL, "can't decode attribute dataspace") + + /* Copy the extent information to the dataspace */ +diff --git a/src/H5Obogus.c b/src/H5Obogus.c +index d1085c8..dcad979 100644 +--- a/src/H5Obogus.c ++++ b/src/H5Obogus.c +@@ -40,7 +40,7 @@ + + /* PRIVATE PROTOTYPES */ + static void *H5O_bogus_decode(H5F_t *f, hid_t dxpl_id, H5O_t *open_oh, +- unsigned mesg_flags, unsigned *ioflags, const uint8_t *p); ++ unsigned mesg_flags, unsigned *ioflags, size_t p_size, const uint8_t *p); + static herr_t H5O_bogus_encode(H5F_t *f, hbool_t disable_shared, uint8_t *p, const void *_mesg); + static size_t H5O_bogus_size(const H5F_t *f, hbool_t disable_shared, const void *_mesg); + static herr_t H5O_bogus_debug(H5F_t *f, hid_t dxpl_id, const void *_mesg, FILE * stream, +@@ -113,7 +113,8 @@ const H5O_msg_class_t H5O_MSG_BOGUS_INVALID[1] = {{ + */ + static void * + H5O_bogus_decode(H5F_t *f, hid_t H5_ATTR_UNUSED dxpl_id, H5O_t H5_ATTR_UNUSED *open_oh, +- unsigned H5_ATTR_UNUSED mesg_flags, unsigned H5_ATTR_UNUSED *ioflags, const uint8_t *p) ++ unsigned H5_ATTR_UNUSED mesg_flags, unsigned H5_ATTR_UNUSED *ioflags, ++ size_t H5_ATTR_UNUSED p_size, const uint8_t *p) + { + H5O_bogus_t *mesg = NULL; + void *ret_value; /* Return value */ +diff --git a/src/H5Obtreek.c b/src/H5Obtreek.c +index ac6fe37..166ae61 100644 +--- a/src/H5Obtreek.c ++++ b/src/H5Obtreek.c +@@ -30,7 +30,7 @@ + #include "H5MMprivate.h" /* Memory management */ + + static void *H5O_btreek_decode(H5F_t *f, hid_t dxpl_id, H5O_t *open_oh, +- unsigned mesg_flags, unsigned *ioflags, const uint8_t *p); ++ unsigned mesg_flags, unsigned *ioflags, size_t p_size, const uint8_t *p); + static herr_t H5O_btreek_encode(H5F_t *f, hbool_t disable_shared, uint8_t *p, const void *_mesg); + static void *H5O_btreek_copy(const void *_mesg, void *_dest); + static size_t H5O_btreek_size(const H5F_t *f, hbool_t disable_shared, const void *_mesg); +@@ -81,7 +81,8 @@ const H5O_msg_class_t H5O_MSG_BTREEK[1] = {{ + */ + static void * + H5O_btreek_decode(H5F_t H5_ATTR_UNUSED *f, hid_t H5_ATTR_UNUSED dxpl_id, H5O_t H5_ATTR_UNUSED *open_oh, +- unsigned H5_ATTR_UNUSED mesg_flags, unsigned H5_ATTR_UNUSED *ioflags, const uint8_t *p) ++ unsigned H5_ATTR_UNUSED mesg_flags, unsigned H5_ATTR_UNUSED *ioflags, ++ size_t H5_ATTR_UNUSED p_size, const uint8_t *p) + { + H5O_btreek_t *mesg; /* Native message */ + void *ret_value = NULL; /* Return value */ +diff --git a/src/H5Ocache.c b/src/H5Ocache.c +index eab0fd2..5a506fd 100644 +--- a/src/H5Ocache.c ++++ b/src/H5Ocache.c +@@ -1589,7 +1589,7 @@ H5O__chunk_deserialize(H5O_t *oh, haddr_t addr, size_t len, const uint8_t *image + unsigned ioflags = 0; /* Flags for decode routine */ + + /* Decode continuation message */ +- cont = (H5O_cont_t *)(H5O_MSG_CONT->decode)(udata->f, udata->dxpl_id, NULL, 0, &ioflags, oh->mesg[curmesg].raw); ++ cont = (H5O_cont_t *)(H5O_MSG_CONT->decode)(udata->f, udata->dxpl_id, NULL, 0, &ioflags, oh->mesg[curmesg].raw_size, oh->mesg[curmesg].raw); + cont->chunkno = udata->cont_msg_info->nmsgs + 1; /*the next continuation message/chunk */ + + /* Save 'native' form of continuation message */ +@@ -1613,7 +1613,7 @@ H5O__chunk_deserialize(H5O_t *oh, haddr_t addr, size_t len, const uint8_t *image + + /* Decode ref. count message */ + HDassert(oh->version > H5O_VERSION_1); +- refcount = (H5O_refcount_t *)(H5O_MSG_REFCOUNT->decode)(udata->f, udata->dxpl_id, NULL, 0, &ioflags, oh->mesg[curmesg].raw); ++ refcount = (H5O_refcount_t *)(H5O_MSG_REFCOUNT->decode)(udata->f, udata->dxpl_id, NULL, 0, &ioflags, oh->mesg[curmesg].raw_size, oh->mesg[curmesg].raw); + + /* Save 'native' form of ref. count message */ + oh->mesg[curmesg].native = refcount; +diff --git a/src/H5Ocont.c b/src/H5Ocont.c +index 63002c5..b4dcd65 100644 +--- a/src/H5Ocont.c ++++ b/src/H5Ocont.c +@@ -39,7 +39,7 @@ + + /* PRIVATE PROTOTYPES */ + static void *H5O_cont_decode(H5F_t *f, hid_t dxpl_id, H5O_t *open_oh, +- unsigned mesg_flags, unsigned *ioflags, const uint8_t *p); ++ unsigned mesg_flags, unsigned *ioflags, size_t p_size, const uint8_t *p); + static herr_t H5O_cont_encode(H5F_t *f, hbool_t disable_shared, uint8_t *p, const void *_mesg); + static size_t H5O_cont_size(const H5F_t *f, hbool_t disable_shared, const void *_mesg); + static herr_t H5O_cont_free(void *mesg); +@@ -92,7 +92,8 @@ H5FL_DEFINE(H5O_cont_t); + */ + static void * + H5O_cont_decode(H5F_t *f, hid_t H5_ATTR_UNUSED dxpl_id, H5O_t H5_ATTR_UNUSED *open_oh, +- unsigned H5_ATTR_UNUSED mesg_flags, unsigned H5_ATTR_UNUSED *ioflags, const uint8_t *p) ++ unsigned H5_ATTR_UNUSED mesg_flags, unsigned H5_ATTR_UNUSED *ioflags, ++ size_t H5_ATTR_UNUSED p_size, const uint8_t *p) + { + H5O_cont_t *cont = NULL; + void *ret_value = NULL; /* Return value */ +diff --git a/src/H5Odrvinfo.c b/src/H5Odrvinfo.c +index 2fdf494..e96c12f 100644 +--- a/src/H5Odrvinfo.c ++++ b/src/H5Odrvinfo.c +@@ -30,7 +30,7 @@ + #include "H5MMprivate.h" /* Memory management */ + + static void *H5O_drvinfo_decode(H5F_t *f, hid_t dxpl_id, H5O_t *open_oh, +- unsigned mesg_flags, unsigned *ioflags, const uint8_t *p); ++ unsigned mesg_flags, unsigned *ioflags, size_t p_size, const uint8_t *p); + static herr_t H5O_drvinfo_encode(H5F_t *f, hbool_t disable_shared, uint8_t *p, const void *_mesg); + static void *H5O_drvinfo_copy(const void *_mesg, void *_dest); + static size_t H5O_drvinfo_size(const H5F_t *f, hbool_t disable_shared, const void *_mesg); +@@ -82,7 +82,8 @@ const H5O_msg_class_t H5O_MSG_DRVINFO[1] = {{ + */ + static void * + H5O_drvinfo_decode(H5F_t H5_ATTR_UNUSED *f, hid_t H5_ATTR_UNUSED dxpl_id, H5O_t H5_ATTR_UNUSED *open_oh, +- unsigned H5_ATTR_UNUSED mesg_flags, unsigned H5_ATTR_UNUSED *ioflags, const uint8_t *p) ++ unsigned H5_ATTR_UNUSED mesg_flags, unsigned H5_ATTR_UNUSED *ioflags, ++ size_t H5_ATTR_UNUSED p_size, const uint8_t *p) + { + H5O_drvinfo_t *mesg; /* Native message */ + void *ret_value = NULL; /* Return value */ +diff --git a/src/H5Odtype.c b/src/H5Odtype.c +index 799f475..77310db 100644 +--- a/src/H5Odtype.c ++++ b/src/H5Odtype.c +@@ -32,7 +32,7 @@ + /* PRIVATE PROTOTYPES */ + static herr_t H5O_dtype_encode(H5F_t *f, uint8_t *p, const void *mesg); + static void *H5O_dtype_decode(H5F_t *f, hid_t dxpl_id, H5O_t *open_oh, +- unsigned mesg_flags, unsigned *ioflags, const uint8_t *p); ++ unsigned mesg_flags, unsigned *ioflags, size_t p_size, const uint8_t *p); + static void *H5O_dtype_copy(const void *_mesg, void *_dest); + static size_t H5O_dtype_size(const H5F_t *f, const void *_mesg); + static herr_t H5O_dtype_reset(void *_mesg); +@@ -1096,7 +1096,7 @@ done: + --------------------------------------------------------------------------*/ + static void * + H5O_dtype_decode(H5F_t *f, hid_t H5_ATTR_UNUSED dxpl_id, H5O_t H5_ATTR_UNUSED *open_oh, unsigned H5_ATTR_UNUSED mesg_flags, +- unsigned *ioflags/*in,out*/, const uint8_t *p) ++ unsigned *ioflags/*in,out*/, size_t H5_ATTR_UNUSED p_size, const uint8_t *p) + { + H5T_t *dt = NULL; + void *ret_value = NULL; /* Return value */ +diff --git a/src/H5Oefl.c b/src/H5Oefl.c +index 149c8b2..4b601b6 100644 +--- a/src/H5Oefl.c ++++ b/src/H5Oefl.c +@@ -30,7 +30,7 @@ + + /* PRIVATE PROTOTYPES */ + static void *H5O_efl_decode(H5F_t *f, hid_t dxpl_id, H5O_t *open_oh, +- unsigned mesg_flags, unsigned *ioflags, const uint8_t *p); ++ unsigned mesg_flags, unsigned *ioflags, size_t p_size, const uint8_t *p); + static herr_t H5O_efl_encode(H5F_t *f, hbool_t disable_shared, uint8_t *p, const void *_mesg); + static void *H5O_efl_copy(const void *_mesg, void *_dest); + static size_t H5O_efl_size(const H5F_t *f, hbool_t disable_shared, const void *_mesg); +@@ -90,7 +90,8 @@ const H5O_msg_class_t H5O_MSG_EFL[1] = {{ + */ + static void * + H5O_efl_decode(H5F_t *f, hid_t dxpl_id, H5O_t H5_ATTR_UNUSED *open_oh, +- unsigned H5_ATTR_UNUSED mesg_flags, unsigned H5_ATTR_UNUSED *ioflags, const uint8_t *p) ++ unsigned H5_ATTR_UNUSED mesg_flags, unsigned H5_ATTR_UNUSED *ioflags, ++ size_t H5_ATTR_UNUSED p_size, const uint8_t *p) + { + H5O_efl_t *mesg = NULL; + int version; +diff --git a/src/H5Ofill.c b/src/H5Ofill.c +index 745d027..9898577 100644 +--- a/src/H5Ofill.c ++++ b/src/H5Ofill.c +@@ -35,11 +35,11 @@ + + + static void *H5O_fill_old_decode(H5F_t *f, hid_t dxpl_id, H5O_t *open_oh, +- unsigned mesg_flags, unsigned *ioflags, const uint8_t *p); ++ unsigned mesg_flags, unsigned *ioflags, size_t p_size, const uint8_t *p); + static herr_t H5O_fill_old_encode(H5F_t *f, uint8_t *p, const void *_mesg); + static size_t H5O_fill_old_size(const H5F_t *f, const void *_mesg); + static void *H5O_fill_new_decode(H5F_t *f, hid_t dxpl_id, H5O_t *open_oh, +- unsigned mesg_flags, unsigned *ioflags, const uint8_t *p); ++ unsigned mesg_flags, unsigned *ioflags, size_t p_size, const uint8_t *p); + static herr_t H5O_fill_new_encode(H5F_t *f, uint8_t *p, const void *_mesg); + static size_t H5O_fill_new_size(const H5F_t *f, const void *_mesg); + static void *H5O_fill_copy(const void *_mesg, void *_dest); +@@ -186,7 +186,8 @@ H5FL_BLK_EXTERN(type_conv); + */ + static void * + H5O_fill_new_decode(H5F_t H5_ATTR_UNUSED *f, hid_t H5_ATTR_UNUSED dxpl_id, H5O_t H5_ATTR_UNUSED *open_oh, +- unsigned H5_ATTR_UNUSED mesg_flags, unsigned H5_ATTR_UNUSED *ioflags, const uint8_t *p) ++ unsigned H5_ATTR_UNUSED mesg_flags, unsigned H5_ATTR_UNUSED *ioflags, ++ size_t H5_ATTR_UNUSED p_size, const uint8_t *p) + { + H5O_fill_t *fill = NULL; + void *ret_value = NULL; /* Return value */ +@@ -300,7 +301,8 @@ done: + */ + static void * + H5O_fill_old_decode(H5F_t H5_ATTR_UNUSED *f, hid_t H5_ATTR_UNUSED dxpl_id, H5O_t H5_ATTR_UNUSED *open_oh, +- unsigned H5_ATTR_UNUSED mesg_flags, unsigned H5_ATTR_UNUSED *ioflags, const uint8_t *p) ++ unsigned H5_ATTR_UNUSED mesg_flags, unsigned H5_ATTR_UNUSED *ioflags, ++ size_t H5_ATTR_UNUSED p_size, const uint8_t *p) + { + H5O_fill_t *fill = NULL; /* Decoded fill value message */ + void *ret_value = NULL; /* Return value */ +diff --git a/src/H5Ofsinfo.c b/src/H5Ofsinfo.c +index 1712857..ecac361 100644 +--- a/src/H5Ofsinfo.c ++++ b/src/H5Ofsinfo.c +@@ -33,7 +33,8 @@ + #include "H5Opkg.h" /* Object headers */ + + /* PRIVATE PROTOTYPES */ +-static void *H5O_fsinfo_decode(H5F_t *f, hid_t dxpl_id, H5O_t *open_oh, unsigned mesg_flags, unsigned *ioflags, const uint8_t *p); ++static void *H5O_fsinfo_decode(H5F_t *f, hid_t dxpl_id, H5O_t *open_oh, unsigned mesg_flags, ++ unsigned *ioflags, size_t p_size, const uint8_t *p); + static herr_t H5O_fsinfo_encode(H5F_t *f, hbool_t disable_shared, uint8_t *p, const void *_mesg); + static void *H5O_fsinfo_copy(const void *_mesg, void *_dest); + static size_t H5O_fsinfo_size(const H5F_t *f, hbool_t disable_shared, const void *_mesg); +@@ -86,7 +87,8 @@ H5FL_DEFINE_STATIC(H5O_fsinfo_t); + */ + static void * + H5O_fsinfo_decode(H5F_t *f, hid_t H5_ATTR_UNUSED dxpl_id, H5O_t H5_ATTR_UNUSED *open_oh, +- unsigned H5_ATTR_UNUSED mesg_flags, unsigned H5_ATTR_UNUSED *ioflags, const uint8_t *p) ++ unsigned H5_ATTR_UNUSED mesg_flags, unsigned H5_ATTR_UNUSED *ioflags, ++ size_t H5_ATTR_UNUSED p_size, const uint8_t *p) + { + H5O_fsinfo_t *fsinfo = NULL; /* free-space manager info */ + H5FD_mem_t type; /* Memory type for iteration */ +diff --git a/src/H5Oginfo.c b/src/H5Oginfo.c +index 9cd0dc1..105cc9b 100644 +--- a/src/H5Oginfo.c ++++ b/src/H5Oginfo.c +@@ -35,7 +35,7 @@ + + /* PRIVATE PROTOTYPES */ + static void *H5O_ginfo_decode(H5F_t *f, hid_t dxpl_id, H5O_t *open_oh, +- unsigned mesg_flags, unsigned *ioflags, const uint8_t *p); ++ unsigned mesg_flags, unsigned *ioflags, size_t p_size, const uint8_t *p); + static herr_t H5O_ginfo_encode(H5F_t *f, hbool_t disable_shared, uint8_t *p, const void *_mesg); + static void *H5O_ginfo_copy(const void *_mesg, void *_dest); + static size_t H5O_ginfo_size(const H5F_t *f, hbool_t disable_shared, const void *_mesg); +@@ -97,7 +97,8 @@ H5FL_DEFINE_STATIC(H5O_ginfo_t); + */ + static void * + H5O_ginfo_decode(H5F_t H5_ATTR_UNUSED *f, hid_t H5_ATTR_UNUSED dxpl_id, H5O_t H5_ATTR_UNUSED *open_oh, +- unsigned H5_ATTR_UNUSED mesg_flags, unsigned H5_ATTR_UNUSED *ioflags, const uint8_t *p) ++ unsigned H5_ATTR_UNUSED mesg_flags, unsigned H5_ATTR_UNUSED *ioflags, ++ size_t H5_ATTR_UNUSED p_size, const uint8_t *p) + { + H5O_ginfo_t *ginfo = NULL; /* Pointer to group information message */ + unsigned char flags; /* Flags for encoding group info */ +diff --git a/src/H5Olayout.c b/src/H5Olayout.c +index 31a60e3..c11341a 100644 +--- a/src/H5Olayout.c ++++ b/src/H5Olayout.c +@@ -42,7 +42,7 @@ + + /* PRIVATE PROTOTYPES */ + static void *H5O__layout_decode(H5F_t *f, hid_t dxpl_id, H5O_t *open_oh, +- unsigned mesg_flags, unsigned *ioflags, const uint8_t *p); ++ unsigned mesg_flags, unsigned *ioflags, size_t p_size, const uint8_t *p); + static herr_t H5O__layout_encode(H5F_t *f, hbool_t disable_shared, uint8_t *p, const void *_mesg); + static void *H5O__layout_copy(const void *_mesg, void *_dest); + static size_t H5O__layout_size(const H5F_t *f, hbool_t disable_shared, const void *_mesg); +@@ -102,7 +102,8 @@ H5FL_DEFINE(H5O_layout_t); + */ + static void * + H5O__layout_decode(H5F_t *f, hid_t H5_ATTR_UNUSED dxpl_id, H5O_t H5_ATTR_UNUSED *open_oh, +- unsigned H5_ATTR_UNUSED mesg_flags, unsigned H5_ATTR_UNUSED *ioflags, const uint8_t *p) ++ unsigned H5_ATTR_UNUSED mesg_flags, unsigned H5_ATTR_UNUSED *ioflags, ++ size_t H5_ATTR_UNUSED p_size, const uint8_t *p) + { + H5O_layout_t *mesg = NULL; + uint8_t *heap_block = NULL; +diff --git a/src/H5Olinfo.c b/src/H5Olinfo.c +index 62e63d4..51905e1 100644 +--- a/src/H5Olinfo.c ++++ b/src/H5Olinfo.c +@@ -39,7 +39,7 @@ + + /* PRIVATE PROTOTYPES */ + static void *H5O_linfo_decode(H5F_t *f, hid_t dxpl_id, H5O_t *open_oh, +- unsigned mesg_flags, unsigned *ioflags, const uint8_t *p); ++ unsigned mesg_flags, unsigned *ioflags, size_t p_size, const uint8_t *p); + static herr_t H5O_linfo_encode(H5F_t *f, hbool_t disable_shared, uint8_t *p, const void *_mesg); + static void *H5O_linfo_copy(const void *_mesg, void *_dest); + static size_t H5O_linfo_size(const H5F_t *f, hbool_t disable_shared, const void *_mesg); +@@ -116,7 +116,8 @@ H5FL_DEFINE_STATIC(H5O_linfo_t); + */ + static void * + H5O_linfo_decode(H5F_t *f, hid_t H5_ATTR_UNUSED dxpl_id, H5O_t H5_ATTR_UNUSED *open_oh, +- unsigned H5_ATTR_UNUSED mesg_flags, unsigned H5_ATTR_UNUSED *ioflags, const uint8_t *p) ++ unsigned H5_ATTR_UNUSED mesg_flags, unsigned H5_ATTR_UNUSED *ioflags, ++ size_t H5_ATTR_UNUSED p_size, const uint8_t *p) + { + H5O_linfo_t *linfo = NULL; /* Link info */ + unsigned char index_flags; /* Flags for encoding link index info */ +diff --git a/src/H5Olink.c b/src/H5Olink.c +index fd4ee88..1479f50 100644 +--- a/src/H5Olink.c ++++ b/src/H5Olink.c +@@ -41,7 +41,7 @@ + + /* PRIVATE PROTOTYPES */ + static void *H5O_link_decode(H5F_t *f, hid_t dxpl_id, H5O_t *open_oh, +- unsigned mesg_flags, unsigned *ioflags, const uint8_t *p); ++ unsigned mesg_flags, unsigned *ioflags, size_t p_size, const uint8_t *p); + static herr_t H5O_link_encode(H5F_t *f, hbool_t disable_shared, uint8_t *p, const void *_mesg); + static void *H5O_link_copy(const void *_mesg, void *_dest); + static size_t H5O_link_size(const H5F_t *f, hbool_t disable_shared, const void *_mesg); +@@ -120,7 +120,8 @@ H5FL_DEFINE_STATIC(H5O_link_t); + */ + static void * + H5O_link_decode(H5F_t *f, hid_t H5_ATTR_UNUSED dxpl_id, H5O_t H5_ATTR_UNUSED *open_oh, +- unsigned H5_ATTR_UNUSED mesg_flags, unsigned H5_ATTR_UNUSED *ioflags, const uint8_t *p) ++ unsigned H5_ATTR_UNUSED mesg_flags, unsigned H5_ATTR_UNUSED *ioflags, ++ size_t H5_ATTR_UNUSED p_size, const uint8_t *p) + { + H5O_link_t *lnk = NULL; /* Pointer to link message */ + size_t len = 0; /* Length of a string in the message */ +diff --git a/src/H5Omessage.c b/src/H5Omessage.c +index d42896c..87a38e5 100644 +--- a/src/H5Omessage.c ++++ b/src/H5Omessage.c +@@ -1814,7 +1814,7 @@ done: + */ + void * + H5O_msg_decode(H5F_t *f, hid_t dxpl_id, H5O_t *open_oh, unsigned type_id, +- const unsigned char *buf) ++ size_t buf_size, const unsigned char *buf) + { + const H5O_msg_class_t *type; /* Actual H5O class type for the ID */ + unsigned ioflags = 0; /* Flags for decode routine */ +@@ -1829,7 +1829,7 @@ H5O_msg_decode(H5F_t *f, hid_t dxpl_id, H5O_t *open_oh, unsigned type_id, + HDassert(type); + + /* decode */ +- if((ret_value = (type->decode)(f, dxpl_id, open_oh, 0, &ioflags, buf)) == NULL) ++ if((ret_value = (type->decode)(f, dxpl_id, open_oh, 0, &ioflags, buf_size, buf)) == NULL) + HGOTO_ERROR(H5E_OHDR, H5E_CANTDECODE, NULL, "unable to decode message") + + done: +diff --git a/src/H5Omtime.c b/src/H5Omtime.c +index c61fa66..60d90f8 100644 +--- a/src/H5Omtime.c ++++ b/src/H5Omtime.c +@@ -30,12 +30,12 @@ + + + static void *H5O_mtime_new_decode(H5F_t *f, hid_t dxpl_id, H5O_t *open_oh, +- unsigned mesg_flags, unsigned *ioflags, const uint8_t *p); ++ unsigned mesg_flags, unsigned *ioflags, size_t p_size, const uint8_t *p); + static herr_t H5O_mtime_new_encode(H5F_t *f, hbool_t disable_shared, uint8_t *p, const void *_mesg); + static size_t H5O_mtime_new_size(const H5F_t *f, hbool_t disable_shared, const void *_mesg); + + static void *H5O_mtime_decode(H5F_t *f, hid_t dxpl_id, H5O_t *open_oh, +- unsigned mesg_flags, unsigned *ioflags, const uint8_t *p); ++ unsigned mesg_flags, unsigned *ioflags, size_t p_size, const uint8_t *p); + static herr_t H5O_mtime_encode(H5F_t *f, hbool_t disable_shared, uint8_t *p, const void *_mesg); + static void *H5O_mtime_copy(const void *_mesg, void *_dest); + static size_t H5O_mtime_size(const H5F_t *f, hbool_t disable_shared, const void *_mesg); +@@ -121,7 +121,8 @@ H5FL_DEFINE(time_t); + */ + static void * + H5O_mtime_new_decode(H5F_t H5_ATTR_UNUSED *f, hid_t H5_ATTR_UNUSED dxpl_id, H5O_t H5_ATTR_UNUSED *open_oh, +- unsigned H5_ATTR_UNUSED mesg_flags, unsigned H5_ATTR_UNUSED *ioflags, const uint8_t *p) ++ unsigned H5_ATTR_UNUSED mesg_flags, unsigned H5_ATTR_UNUSED *ioflags, ++ size_t H5_ATTR_UNUSED p_size, const uint8_t *p) + { + time_t *mesg; + uint32_t tmp_time; /* Temporary copy of the time */ +@@ -177,7 +178,8 @@ done: + */ + static void * + H5O_mtime_decode(H5F_t H5_ATTR_UNUSED *f, hid_t H5_ATTR_UNUSED dxpl_id, H5O_t H5_ATTR_UNUSED *open_oh, +- unsigned H5_ATTR_UNUSED mesg_flags, unsigned H5_ATTR_UNUSED *ioflags, const uint8_t *p) ++ unsigned H5_ATTR_UNUSED mesg_flags, unsigned H5_ATTR_UNUSED *ioflags, ++ size_t H5_ATTR_UNUSED p_size, const uint8_t *p) + { + time_t *mesg, the_time; + struct tm tm; +diff --git a/src/H5Oname.c b/src/H5Oname.c +index 6c4f76f..55b4dca 100644 +--- a/src/H5Oname.c ++++ b/src/H5Oname.c +@@ -35,7 +35,7 @@ + + /* PRIVATE PROTOTYPES */ + static void *H5O_name_decode(H5F_t *f, hid_t dxpl_id, H5O_t *open_oh, +- unsigned mesg_flags, unsigned *ioflags, const uint8_t *p); ++ unsigned mesg_flags, unsigned *ioflags, size_t p_size, const uint8_t *p); + static herr_t H5O_name_encode(H5F_t *f, hbool_t disable_shared, uint8_t *p, const void *_mesg); + static void *H5O_name_copy(const void *_mesg, void *_dest); + static size_t H5O_name_size(const H5F_t *f, hbool_t disable_shared, const void *_mesg); +@@ -86,7 +86,8 @@ const H5O_msg_class_t H5O_MSG_NAME[1] = {{ + */ + static void * + H5O_name_decode(H5F_t H5_ATTR_UNUSED *f, hid_t H5_ATTR_UNUSED dxpl_id, H5O_t H5_ATTR_UNUSED *open_oh, +- unsigned H5_ATTR_UNUSED mesg_flags, unsigned H5_ATTR_UNUSED *ioflags, const uint8_t *p) ++ unsigned H5_ATTR_UNUSED mesg_flags, unsigned H5_ATTR_UNUSED *ioflags, ++ size_t H5_ATTR_UNUSED p_size, const uint8_t *p) + { + H5O_name_t *mesg; + void *ret_value = NULL; /* Return value */ +diff --git a/src/H5Opkg.h b/src/H5Opkg.h +index 0fefa21..25cc5e1 100644 +--- a/src/H5Opkg.h ++++ b/src/H5Opkg.h +@@ -199,7 +199,7 @@ + \ + /* Decode the message */ \ + HDassert(msg_type->decode); \ +- if(NULL == ((MSG)->native = (msg_type->decode)((F), (DXPL), (OH), (MSG)->flags, &ioflags, (MSG)->raw))) \ ++ if(NULL == ((MSG)->native = (msg_type->decode)((F), (DXPL), (OH), (MSG)->flags, &ioflags, (MSG)->raw_size, (MSG)->raw))) \ + HGOTO_ERROR(H5E_OHDR, H5E_CANTDECODE, ERR, "unable to decode message") \ + \ + /* Mark the message dirty if it was changed by decoding */ \ +@@ -235,7 +235,7 @@ struct H5O_msg_class_t { + const char *name; /*for debugging */ + size_t native_size; /*size of native message */ + unsigned share_flags; /* Message sharing settings */ +- void *(*decode)(H5F_t *, hid_t, H5O_t *, unsigned, unsigned *, const uint8_t *); ++ void *(*decode)(H5F_t *, hid_t, H5O_t *, unsigned, unsigned *, size_t, const uint8_t *); + herr_t (*encode)(H5F_t *, hbool_t, uint8_t *, const void *); + void *(*copy)(const void *, void *); /*copy native value */ + size_t (*raw_size)(const H5F_t *, hbool_t, const void *);/*sizeof encoded message */ +diff --git a/src/H5Opline.c b/src/H5Opline.c +index 95a82b5..56fd353 100644 +--- a/src/H5Opline.c ++++ b/src/H5Opline.c +@@ -36,7 +36,7 @@ + /* PRIVATE PROTOTYPES */ + static herr_t H5O_pline_encode(H5F_t *f, uint8_t *p, const void *mesg); + static void *H5O_pline_decode(H5F_t *f, hid_t dxpl_id, H5O_t *open_oh, +- unsigned mesg_flags, unsigned *ioflags, const uint8_t *p); ++ unsigned mesg_flags, unsigned *ioflags, size_t p_size, const uint8_t *p); + static void *H5O_pline_copy(const void *_mesg, void *_dest); + static size_t H5O_pline_size(const H5F_t *f, const void *_mesg); + static herr_t H5O_pline_reset(void *_mesg); +@@ -111,12 +111,14 @@ H5FL_DEFINE(H5O_pline_t); + */ + static void * + H5O_pline_decode(H5F_t H5_ATTR_UNUSED *f, hid_t H5_ATTR_UNUSED dxpl_id, H5O_t H5_ATTR_UNUSED *open_oh, +- unsigned H5_ATTR_UNUSED mesg_flags, unsigned H5_ATTR_UNUSED *ioflags, const uint8_t *p) ++ unsigned H5_ATTR_UNUSED mesg_flags, unsigned H5_ATTR_UNUSED *ioflags, ++ size_t p_size, const uint8_t *p) + { + H5O_pline_t *pline = NULL; /* Pipeline message */ + H5Z_filter_info_t *filter; /* Filter to decode */ + size_t name_length; /* Length of filter name */ + size_t i; /* Local index variable */ ++ const uint8_t *p_end = p + p_size - 1; /* End of the p buffer */ + void *ret_value = NULL; /* Return value */ + + FUNC_ENTER_NOAPI_NOINIT +@@ -201,11 +203,16 @@ H5O_pline_decode(H5F_t H5_ATTR_UNUSED *f, hid_t H5_ATTR_UNUSED dxpl_id, H5O_t H5 + else + filter->cd_values = filter->_cd_values; + +- /* +- * Read the client data values and the padding +- */ +- for(j = 0; j < filter->cd_nelmts; j++) +- UINT32DECODE(p, filter->cd_values[j]); ++ /* ++ * Read the client data values and the padding ++ */ ++ for (j = 0; j < filter->cd_nelmts; j++) { ++ if (p + 4 - 1 <= p_end) ++ UINT32DECODE(p, filter->cd_values[j]) ++ else ++ HGOTO_ERROR(H5E_RESOURCE, H5E_NOSPACE, NULL, "ran off the end of the buffer: current p = %p, p_size = %zu, p_end = %p", p, p_size, p_end) ++ } ++ + if(pline->version == H5O_PLINE_VERSION_1) + if(filter->cd_nelmts % 2) + p += 4; /*padding*/ +diff --git a/src/H5Oprivate.h b/src/H5Oprivate.h +index 956c00d..21180b9 100644 +--- a/src/H5Oprivate.h ++++ b/src/H5Oprivate.h +@@ -900,7 +900,7 @@ H5_DLL herr_t H5O_msg_get_crt_index(unsigned type_id, const void *mesg, + H5_DLL herr_t H5O_msg_encode(H5F_t *f, unsigned type_id, hbool_t disable_shared, + unsigned char *buf, const void *obj); + H5_DLL void* H5O_msg_decode(H5F_t *f, hid_t dxpl_id, H5O_t *open_oh, +- unsigned type_id, const unsigned char *buf); ++ unsigned type_id, size_t buf_size, const unsigned char *buf); + H5_DLL herr_t H5O_msg_delete(H5F_t *f, hid_t dxpl_id, H5O_t *open_oh, + unsigned type_id, void *mesg); + H5_DLL int H5O_msg_get_chunkno(const H5O_loc_t *loc, unsigned type_id, hid_t dxpl_id); +diff --git a/src/H5Orefcount.c b/src/H5Orefcount.c +index ff7dfee..d31f8d1 100644 +--- a/src/H5Orefcount.c ++++ b/src/H5Orefcount.c +@@ -35,7 +35,7 @@ + + /* PRIVATE PROTOTYPES */ + static void *H5O_refcount_decode(H5F_t *f, hid_t dxpl_id, H5O_t *open_oh, +- unsigned mesg_flags, unsigned *ioflags, const uint8_t *p); ++ unsigned mesg_flags, unsigned *ioflags, size_t p_size, const uint8_t *p); + static herr_t H5O_refcount_encode(H5F_t *f, hbool_t disable_shared, uint8_t *p, const void *_mesg); + static void *H5O_refcount_copy(const void *_mesg, void *_dest); + static size_t H5O_refcount_size(const H5F_t *f, hbool_t disable_shared, const void *_mesg); +@@ -92,7 +92,8 @@ H5FL_DEFINE_STATIC(H5O_refcount_t); + */ + static void * + H5O_refcount_decode(H5F_t H5_ATTR_UNUSED *f, hid_t H5_ATTR_UNUSED dxpl_id, H5O_t H5_ATTR_UNUSED *open_oh, +- unsigned H5_ATTR_UNUSED mesg_flags, unsigned H5_ATTR_UNUSED *ioflags, const uint8_t *p) ++ unsigned H5_ATTR_UNUSED mesg_flags, unsigned H5_ATTR_UNUSED *ioflags, ++ size_t H5_ATTR_UNUSED p_size, const uint8_t *p) + { + H5O_refcount_t *refcount = NULL; /* Reference count */ + void *ret_value = NULL; /* Return value */ +diff --git a/src/H5Osdspace.c b/src/H5Osdspace.c +index 28021de..454cf27 100644 +--- a/src/H5Osdspace.c ++++ b/src/H5Osdspace.c +@@ -28,7 +28,7 @@ + + /* PRIVATE PROTOTYPES */ + static void *H5O_sdspace_decode(H5F_t *f, hid_t dxpl_id, H5O_t *open_oh, +- unsigned mesg_flags, unsigned *ioflags, const uint8_t *p); ++ unsigned mesg_flags, unsigned *ioflags, size_t p_size, const uint8_t *p); + static herr_t H5O_sdspace_encode(H5F_t *f, uint8_t *p, const void *_mesg); + static void *H5O_sdspace_copy(const void *_mesg, void *_dest); + static size_t H5O_sdspace_size(const H5F_t *f, const void *_mesg); +@@ -112,7 +112,8 @@ H5FL_ARR_EXTERN(hsize_t); + --------------------------------------------------------------------------*/ + static void * + H5O_sdspace_decode(H5F_t *f, hid_t H5_ATTR_UNUSED dxpl_id, H5O_t H5_ATTR_UNUSED *open_oh, +- unsigned H5_ATTR_UNUSED mesg_flags, unsigned H5_ATTR_UNUSED *ioflags, const uint8_t *p) ++ unsigned H5_ATTR_UNUSED mesg_flags, unsigned H5_ATTR_UNUSED *ioflags, ++ size_t H5_ATTR_UNUSED p_size, const uint8_t *p) + { + H5S_extent_t *sdim = NULL;/* New extent dimensionality structure */ + unsigned flags, version; +diff --git a/src/H5Oshared.c b/src/H5Oshared.c +index 25baa88..cd62c5f 100644 +--- a/src/H5Oshared.c ++++ b/src/H5Oshared.c +@@ -158,7 +158,7 @@ H5O_shared_read(H5F_t *f, hid_t dxpl_id, H5O_t *open_oh, unsigned *ioflags, + HGOTO_ERROR(H5E_OHDR, H5E_CANTLOAD, NULL, "can't read message from fractal heap.") + + /* Decode the message */ +- if(NULL == (ret_value = (type->decode)(f, dxpl_id, open_oh, 0, ioflags, mesg_ptr))) ++ if(NULL == (ret_value = (type->decode)(f, dxpl_id, open_oh, 0, ioflags, mesg_size, mesg_ptr))) + HGOTO_ERROR(H5E_OHDR, H5E_CANTDECODE, NULL, "can't decode shared message.") + } /* end if */ + else { +diff --git a/src/H5Oshared.h b/src/H5Oshared.h +index e8d620a..831feba 100644 +--- a/src/H5Oshared.h ++++ b/src/H5Oshared.h +@@ -49,7 +49,7 @@ + */ + static H5_INLINE void * + H5O_SHARED_DECODE(H5F_t *f, hid_t dxpl_id, H5O_t *open_oh, unsigned mesg_flags, +- unsigned *ioflags, const uint8_t *p) ++ unsigned *ioflags, size_t p_size, const uint8_t *p) + { + void *ret_value = NULL; /* Return value */ + +@@ -81,7 +81,7 @@ H5O_SHARED_DECODE(H5F_t *f, hid_t dxpl_id, H5O_t *open_oh, unsigned mesg_flags, + } /* end if */ + else { + /* Decode native message directly */ +- if(NULL == (ret_value = H5O_SHARED_DECODE_REAL(f, dxpl_id, open_oh, mesg_flags, ioflags, p))) ++ if(NULL == (ret_value = H5O_SHARED_DECODE_REAL(f, dxpl_id, open_oh, mesg_flags, ioflags, p_size, p))) + HGOTO_ERROR(H5E_OHDR, H5E_CANTDECODE, NULL, "unable to decode native message") + } /* end else */ + +diff --git a/src/H5Oshmesg.c b/src/H5Oshmesg.c +index a506ce2..9ac0fa2 100644 +--- a/src/H5Oshmesg.c ++++ b/src/H5Oshmesg.c +@@ -30,7 +30,7 @@ + #include "H5MMprivate.h" /* Memory management */ + + static void *H5O_shmesg_decode(H5F_t *f, hid_t dxpl_id, H5O_t *open_oh, +- unsigned mesg_flags, unsigned *ioflags, const uint8_t *p); ++ unsigned mesg_flags, unsigned *ioflags, size_t p_size, const uint8_t *p); + static herr_t H5O_shmesg_encode(H5F_t *f, hbool_t disable_shared, uint8_t *p, const void *_mesg); + static void *H5O_shmesg_copy(const void *_mesg, void *_dest); + static size_t H5O_shmesg_size(const H5F_t *f, hbool_t disable_shared, const void *_mesg); +@@ -78,7 +78,8 @@ const H5O_msg_class_t H5O_MSG_SHMESG[1] = {{ + */ + static void * + H5O_shmesg_decode(H5F_t *f, hid_t H5_ATTR_UNUSED dxpl_id, H5O_t H5_ATTR_UNUSED *open_oh, +- unsigned H5_ATTR_UNUSED mesg_flags, unsigned H5_ATTR_UNUSED *ioflags, const uint8_t *p) ++ unsigned H5_ATTR_UNUSED mesg_flags, unsigned H5_ATTR_UNUSED *ioflags, ++ size_t H5_ATTR_UNUSED p_size, const uint8_t *p) + { + H5O_shmesg_table_t *mesg; /* Native message */ + void *ret_value = NULL; /* Return value */ +diff --git a/src/H5Ostab.c b/src/H5Ostab.c +index bb39e58..8e3cf8b 100644 +--- a/src/H5Ostab.c ++++ b/src/H5Ostab.c +@@ -38,7 +38,7 @@ + + /* PRIVATE PROTOTYPES */ + static void *H5O_stab_decode(H5F_t *f, hid_t dxpl_id, H5O_t *open_oh, +- unsigned mesg_flags, unsigned *ioflags, const uint8_t *p); ++ unsigned mesg_flags, unsigned *ioflags, size_t p_size, const uint8_t *p); + static herr_t H5O_stab_encode(H5F_t *f, hbool_t disable_shared, uint8_t *p, const void *_mesg); + static void *H5O_stab_copy(const void *_mesg, void *_dest); + static size_t H5O_stab_size(const H5F_t *f, hbool_t disable_shared, const void *_mesg); +@@ -99,7 +99,8 @@ H5FL_DEFINE_STATIC(H5O_stab_t); + */ + static void * + H5O_stab_decode(H5F_t *f, hid_t H5_ATTR_UNUSED dxpl_id, H5O_t H5_ATTR_UNUSED *open_oh, +- unsigned H5_ATTR_UNUSED mesg_flags, unsigned H5_ATTR_UNUSED *ioflags, const uint8_t *p) ++ unsigned H5_ATTR_UNUSED mesg_flags, unsigned H5_ATTR_UNUSED *ioflags, ++ size_t H5_ATTR_UNUSED p_size, const uint8_t *p) + { + H5O_stab_t *stab = NULL; + void *ret_value = NULL; /* Return value */ +diff --git a/src/H5Pdcpl.c b/src/H5Pdcpl.c +index f729e68..e9c3014 100644 +--- a/src/H5Pdcpl.c ++++ b/src/H5Pdcpl.c +@@ -1123,7 +1123,7 @@ H5P__dcrt_fill_value_dec(const void **_pp, void *_value) + dt_size = (size_t)enc_value; + + /* Decode type */ +- if(NULL == (fill->type = H5T_decode(*pp))) ++ if(NULL == (fill->type = H5T_decode(dt_size, *pp))) + HGOTO_ERROR(H5E_PLIST, H5E_CANTDECODE, FAIL, "can't decode fill value datatype") + *pp += dt_size; + } /* end if */ +diff --git a/src/H5S.c b/src/H5S.c +index 738a7da..3e518ef 100644 +--- a/src/H5S.c ++++ b/src/H5S.c +@@ -1725,7 +1725,7 @@ H5S_decode(const unsigned char **p) + + /* Decode the extent part of dataspace */ + /* (pass mostly bogus file pointer and bogus DXPL) */ +- if((extent = (H5S_extent_t *)H5O_msg_decode(f, H5P_DEFAULT, NULL, H5O_SDSPACE_ID, pp))==NULL) ++ if((extent = (H5S_extent_t *)H5O_msg_decode(f, H5P_DEFAULT, NULL, H5O_SDSPACE_ID, extent_size, pp)) == NULL) + HGOTO_ERROR(H5E_DATASPACE, H5E_CANTDECODE, NULL, "can't decode object") + pp += extent_size; + +diff --git a/src/H5SM.c b/src/H5SM.c +index 0b72e40..9881e4b 100644 +--- a/src/H5SM.c ++++ b/src/H5SM.c +@@ -72,7 +72,7 @@ static herr_t H5SM_write_mesg(H5F_t *f, hid_t dxpl_id, H5O_t *open_oh, + static herr_t H5SM_decr_ref(void *record, void *op_data, hbool_t *changed); + static herr_t H5SM_delete_from_index(H5F_t *f, hid_t dxpl_id, H5O_t *open_oh, + H5SM_index_header_t *header, const H5O_shared_t * mesg, +- unsigned *cache_flags, void ** /*out*/ encoded_mesg); ++ unsigned *cache_flags, size_t * /*out*/ mesg_size, void ** /*out*/ encoded_mesg); + static herr_t H5SM_type_to_flag(unsigned type_id, unsigned *type_flag); + static herr_t H5SM_read_iter_op(H5O_t *oh, H5O_mesg_t *mesg, unsigned sequence, + unsigned *oh_modified, void *_udata); +@@ -1551,6 +1551,7 @@ H5SM_delete(H5F_t *f, hid_t dxpl_id, H5O_t *open_oh, H5O_shared_t *sh_mesg) + unsigned cache_flags = H5AC__NO_FLAGS_SET; + H5SM_table_cache_ud_t cache_udata; /* User-data for callback */ + ssize_t index_num; ++ size_t mesg_size = 0; + void *mesg_buf = NULL; + void *native_mesg = NULL; + unsigned type_id; /* Message type ID to operate on */ +@@ -1580,7 +1581,7 @@ H5SM_delete(H5F_t *f, hid_t dxpl_id, H5O_t *open_oh, H5O_shared_t *sh_mesg) + * zero and any file space it uses needs to be freed. mesg_buf holds the + * serialized form of the message. + */ +- if(H5SM_delete_from_index(f, dxpl_id, open_oh, &(table->indexes[index_num]), sh_mesg, &cache_flags, &mesg_buf) < 0) ++ if(H5SM_delete_from_index(f, dxpl_id, open_oh, &(table->indexes[index_num]), sh_mesg, &cache_flags, &mesg_size, &mesg_buf) < 0) + HGOTO_ERROR(H5E_SOHM, H5E_CANTDELETE, FAIL, "unable to delete mesage from SOHM index") + + /* Release the master SOHM table */ +@@ -1593,7 +1594,7 @@ H5SM_delete(H5F_t *f, hid_t dxpl_id, H5O_t *open_oh, H5O_shared_t *sh_mesg) + * master table needs to be unprotected when we do this. + */ + if(mesg_buf) { +- if(NULL == (native_mesg = H5O_msg_decode(f, dxpl_id, open_oh, type_id, (const unsigned char *)mesg_buf))) ++ if(NULL == (native_mesg = H5O_msg_decode(f, dxpl_id, open_oh, type_id, mesg_size, (const unsigned char *)mesg_buf))) + HGOTO_ERROR(H5E_SOHM, H5E_CANTDECODE, FAIL, "can't decode shared message.") + + if(H5O_msg_delete(f, dxpl_id, open_oh, type_id, native_mesg) < 0) +@@ -1780,7 +1781,7 @@ H5SM_decr_ref(void *record, void *op_data, hbool_t *changed) + static herr_t + H5SM_delete_from_index(H5F_t *f, hid_t dxpl_id, H5O_t *open_oh, + H5SM_index_header_t *header, const H5O_shared_t *mesg, +- unsigned *cache_flags, void ** /*out*/ encoded_mesg) ++ unsigned *cache_flags, size_t * /*out*/ mesg_size, void ** /*out*/ encoded_mesg) + { + H5SM_list_t *list = NULL; + H5SM_mesg_key_t key; +@@ -1912,6 +1913,7 @@ H5SM_delete_from_index(H5F_t *f, hid_t dxpl_id, H5O_t *open_oh, + + /* Return the message's encoding so anything it references can be freed */ + *encoded_mesg = encoding_buf; ++ *mesg_size = buf_size; + + /* If there are no messages left in the index, delete it */ + if(header->num_messages == 0) { +@@ -1953,8 +1955,10 @@ done: + /* Free the message encoding, if we're not returning it in encoded_mesg + * or if there's been an error. + */ +- if(encoding_buf && (NULL == *encoded_mesg || ret_value < 0)) ++ if(encoding_buf && (NULL == *encoded_mesg || ret_value < 0)) { + encoding_buf = H5MM_xfree(encoding_buf); ++ *mesg_size = 0; ++ } + + FUNC_LEAVE_NOAPI_TAG(ret_value, FAIL) + } /* end H5SM_delete_from_index() */ +diff --git a/src/H5T.c b/src/H5T.c +index 194fa87..f153017 100644 +--- a/src/H5T.c ++++ b/src/H5T.c +@@ -2827,8 +2827,13 @@ H5Tdecode(const void *buf) + if(buf == NULL) + HGOTO_ERROR(H5E_ARGS, H5E_BADVALUE, FAIL, "empty buffer") + +- /* Create datatype by decoding buffer */ +- if(NULL == (dt = H5T_decode((const unsigned char *)buf))) ++ /* Create datatype by decoding buffer ++ * There is no way to get the size of the buffer, so we pass in ++ * SIZE_MAX and assume the caller knows what they are doing. ++ * Really fixing this will require an H5Tdecode2() call that ++ * takes a size parameter. ++ */ ++ if(NULL == (dt = H5T_decode(SIZE_MAX, (const unsigned char *)buf))) + HGOTO_ERROR(H5E_DATATYPE, H5E_CANTDECODE, FAIL, "can't decode object") + + /* Register the type and return the ID */ +@@ -2919,7 +2924,7 @@ done: + *------------------------------------------------------------------------- + */ + H5T_t * +-H5T_decode(const unsigned char *buf) ++H5T_decode(size_t buf_size, const unsigned char *buf) + { + H5F_t *f = NULL; /* Fake file structure*/ + H5T_t *ret_value = NULL; /* Return value */ +@@ -2939,7 +2944,7 @@ H5T_decode(const unsigned char *buf) + HGOTO_ERROR(H5E_DATATYPE, H5E_VERSION, NULL, "unknown version of encoded datatype") + + /* Decode the serialized datatype message */ +- if(NULL == (ret_value = (H5T_t *)H5O_msg_decode(f, H5AC_noio_dxpl_id, NULL, H5O_DTYPE_ID, buf))) ++ if(NULL == (ret_value = (H5T_t *)H5O_msg_decode(f, H5AC_noio_dxpl_id, NULL, H5O_DTYPE_ID, buf_size, buf))) + HGOTO_ERROR(H5E_DATATYPE, H5E_CANTDECODE, NULL, "can't decode object") + + /* Mark datatype as being in memory now */ +diff --git a/src/H5Tprivate.h b/src/H5Tprivate.h +index 93fe599..f7f7da7 100644 +--- a/src/H5Tprivate.h ++++ b/src/H5Tprivate.h +@@ -114,7 +114,7 @@ H5_DLL htri_t H5T_detect_class(const H5T_t *dt, H5T_class_t cls, hbool_t from_ap + H5_DLL size_t H5T_get_size(const H5T_t *dt); + H5_DLL int H5T_cmp(const H5T_t *dt1, const H5T_t *dt2, hbool_t superset); + H5_DLL herr_t H5T_encode(H5T_t *obj, unsigned char *buf, size_t *nalloc); +-H5_DLL H5T_t *H5T_decode(const unsigned char *buf); ++H5_DLL H5T_t *H5T_decode(size_t buf_size, const unsigned char *buf); + H5_DLL herr_t H5T_debug(const H5T_t *dt, FILE * stream); + H5_DLL struct H5O_loc_t *H5T_oloc(H5T_t *dt); + H5_DLL H5G_name_t *H5T_nameof(H5T_t *dt); +-- +2.17.1 + diff -Nru hdf5-1.10.0-patch1+docs/debian/patches/CVE-2017-17508.patch hdf5-1.10.0-patch1+docs/debian/patches/CVE-2017-17508.patch --- hdf5-1.10.0-patch1+docs/debian/patches/CVE-2017-17508.patch 1970-01-01 00:00:00.000000000 +0000 +++ hdf5-1.10.0-patch1+docs/debian/patches/CVE-2017-17508.patch 2018-09-19 14:27:00.000000000 +0000 @@ -0,0 +1,26 @@ +From: Dana Robinson +Subject: Fix for HDFFV-10357 (CVE-2017-17508). +Origin: upstream, https://bitbucket.hdfgroup.org/projects/HDFFV/repos/hdf5/commits/ce005900d6a +--- + src/H5T.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/src/H5T.c b/src/H5T.c +index 172b6e6..5684b42 100644 +--- a/src/H5T.c ++++ b/src/H5T.c +@@ -5149,6 +5149,11 @@ H5T_set_loc(H5T_t *dt, H5F_t *f, H5T_loc_t loc) + + /* Check if the field changed size */ + if(old_size != memb_type->shared->size) { ++ ++ /* Fail if the old_size is zero */ ++ if (0 == old_size) ++ HGOTO_ERROR(H5E_DATATYPE, H5E_BADVALUE, FAIL, "old_size of zero would cause division by zero"); ++ + /* Adjust the size of the member */ + dt->shared->u.compnd.memb[i].size = (dt->shared->u.compnd.memb[i].size*memb_type->shared->size)/old_size; + +-- +2.17.1 + diff -Nru hdf5-1.10.0-patch1+docs/debian/patches/CVE-2018-17233.patch hdf5-1.10.0-patch1+docs/debian/patches/CVE-2018-17233.patch --- hdf5-1.10.0-patch1+docs/debian/patches/CVE-2018-17233.patch 1970-01-01 00:00:00.000000000 +0000 +++ hdf5-1.10.0-patch1+docs/debian/patches/CVE-2018-17233.patch 2022-07-19 10:38:12.000000000 +0000 @@ -0,0 +1,116 @@ +From f891c38c6e724e9032a534512618b9650be76377 Mon Sep 17 00:00:00 2001 +From: Binh-Minh Ribler +Date: Fri, 4 Jan 2019 11:46:29 -0600 +Subject: [PATCH] Fixed CVE division-by-zero issues Description: Fixed + HDFFV-10577 and similar issues found in H5Dchunk.c. All the occurrences + are in: H5D__create_chunk_map_single + H5D__create_chunk_file_map_hyper H5D__chunk_allocate + H5D__chunk_update_old_edge_chunks H5D__chunk_prune_by_extent + H5D__chunk_copy_cb H5D__chunk_collective_fill Also updated + RELEASE.txt for the chunk query functions and removed some blank lines in + chunk_info.c. Platforms tested: Linux/64 (jelly) Linux/64 (platypus) + Darwin (osx1010test) + +--- + release_docs/RELEASE.txt | 22 +++++++++++++++++++--- + src/H5Dchunk.c | 30 ++++++++++++++++++++++++++---- + test/chunk_info.c | 8 ++++---- + 3 files changed, 49 insertions(+), 11 deletions(-) + +Index: hdf5-1.10.0-patch1+docs/src/H5Dchunk.c +=================================================================== +--- hdf5-1.10.0-patch1+docs.orig/src/H5Dchunk.c ++++ hdf5-1.10.0-patch1+docs/src/H5Dchunk.c +@@ -1302,6 +1302,9 @@ H5D__create_chunk_map_single(H5D_chunk_m + + /* Set chunk location & hyperslab size */ + for(u = 0; u < fm->f_ndims; u++) { ++ /* Validate this chunk dimension */ ++ if(fm->layout->u.chunk.dim[u] == 0) ++ HGOTO_ERROR(H5E_DATASET, H5E_BADVALUE, FAIL, "chunk size must be > 0, dim = %u ", u) + HDassert(sel_start[u] == sel_end[u]); + chunk_info->scaled[u] = sel_start[u] / fm->layout->u.chunk.dim[u]; + coords[u] = chunk_info->scaled[u] * fm->layout->u.chunk.dim[u]; +@@ -1389,6 +1392,9 @@ H5D__create_chunk_file_map_hyper(H5D_chu + + /* Set initial chunk location & hyperslab size */ + for(u = 0; u < fm->f_ndims; u++) { ++ /* Validate this chunk dimension */ ++ if(fm->layout->u.chunk.dim[u] == 0) ++ HGOTO_ERROR(H5E_DATASET, H5E_BADVALUE, FAIL, "chunk size must be > 0, dim = %u ", u) + scaled[u] = start_scaled[u] = sel_start[u] / fm->layout->u.chunk.dim[u]; + coords[u] = start_coords[u] = scaled[u] * fm->layout->u.chunk.dim[u]; + end[u] = (coords[u] + fm->chunk_dim[u]) - 1; +@@ -3851,6 +3857,9 @@ H5D__chunk_allocate(const H5D_io_info_t + * assume here that all elements of space_dim are > 0. This is checked at + * the top of this function. */ + for(op_dim=0; op_dim 0, dim = %u ", op_dim) + min_unalloc[op_dim] = (old_dim[op_dim] + chunk_dim[op_dim] - 1) / chunk_dim[op_dim]; + max_unalloc[op_dim] = (space_dim[op_dim] - 1) / chunk_dim[op_dim]; + +@@ -4285,13 +4294,17 @@ H5D__chunk_update_old_edge_chunks(H5D_t + /* Start off with this dimension marked as not needing to be modified */ + new_full_dim[op_dim] = FALSE; + ++ /* Validate this chunk dimension */ ++ if(chunk_dim[op_dim] == 0) ++ HGOTO_ERROR(H5E_DATASET, H5E_BADVALUE, FAIL, "chunk size must be > 0, dim = %u ", op_dim) ++ + /* Calulate offset of first previously incomplete chunk in this + * dimension */ +- old_edge_chunk_sc[op_dim] = (old_dim[op_dim] / chunk_dim[op_dim]); ++ old_edge_chunk_sc[op_dim] = (old_dim[op_dim] / chunk_dim[op_dim]); + + /* Calculate the largest offset of chunks that might need to be + * modified in this dimension */ +- max_edge_chunk_sc[op_dim] = MIN((old_dim[op_dim] - 1) / chunk_dim[op_dim], ++ max_edge_chunk_sc[op_dim] = MIN((old_dim[op_dim] - 1) / chunk_dim[op_dim], + MAX((space_dim[op_dim] / chunk_dim[op_dim]), 1) - 1); + + /* Check for old_dim aligned with chunk boundary in this dimension, if +@@ -4302,7 +4315,7 @@ H5D__chunk_update_old_edge_chunks(H5D_t + + /* Check if the dataspace expanded enough to cause the old edge chunks + * in this dimension to become full */ +- if((space_dim[op_dim]/chunk_dim[op_dim]) >= (old_edge_chunk_sc[op_dim] + 1)) ++ if((space_dim[op_dim]/chunk_dim[op_dim]) >= (old_edge_chunk_sc[op_dim] + 1)) + new_full_dim[op_dim] = TRUE; + } /* end for */ + +@@ -4430,6 +4443,8 @@ H5D__chunk_collective_fill(const H5D_t * + HGOTO_ERROR(H5E_PLIST, H5E_CANTCOPY, FAIL, "can't copy property list") + + /* Distribute evenly the number of blocks between processes. */ ++ if(mpi_size == 0) ++ HGOTO_ERROR(H5E_DATASET, H5E_BADVALUE, FAIL, "Resulted in division by zero") + num_blocks = chunk_info->num_io / mpi_size; /* value should be the same on all procs */ + + /* after evenly distributing the blocks between processes, are +@@ -4876,6 +4891,10 @@ H5D__chunk_prune_by_extent(H5D_t *dset, + HDmemset(min_mod_chunk_sc, 0, sizeof(min_mod_chunk_sc)); + HDmemset(max_mod_chunk_sc, 0, sizeof(max_mod_chunk_sc)); + for(op_dim = 0; op_dim < (unsigned)space_ndims; op_dim++) { ++ /* Validate this chunk dimension */ ++ if(chunk_dim[op_dim] == 0) ++ HGOTO_ERROR(H5E_DATASET, H5E_BADVALUE, FAIL, "chunk size must be > 0, dim = %u ", op_dim) ++ + /* Calculate the largest offset of chunks that might need to be + * modified in this dimension */ + max_mod_chunk_sc[op_dim] = (old_dim[op_dim] - 1) / chunk_dim[op_dim]; +@@ -5498,9 +5517,12 @@ H5D__chunk_copy_cb(const H5D_chunk_rec_t + /* (background buffer has already been zeroed out, if not expanding) */ + if(udata->cpy_info->expand_ref) { + size_t ref_count; ++ size_t dt_size; + + /* Determine # of reference elements to copy */ +- ref_count = nbytes / H5T_get_size(udata->dt_src); ++ if((dt_size = H5T_get_size(udata->dt_src)) == 0) ++ HGOTO_ERROR(H5E_DATASET, H5E_BADVALUE, FAIL, "size must not be 0") ++ ref_count = nbytes / dt_size; + + /* Copy the reference elements */ + if(H5O_copy_expand_ref(udata->file_src, buf, udata->idx_info_dst->dxpl_id, udata->idx_info_dst->f, bkg, ref_count, H5T_get_ref_type(udata->dt_src), udata->cpy_info) < 0) diff -Nru hdf5-1.10.0-patch1+docs/debian/patches/CVE-2018-17234.patch hdf5-1.10.0-patch1+docs/debian/patches/CVE-2018-17234.patch --- hdf5-1.10.0-patch1+docs/debian/patches/CVE-2018-17234.patch 1970-01-01 00:00:00.000000000 +0000 +++ hdf5-1.10.0-patch1+docs/debian/patches/CVE-2018-17234.patch 2022-07-19 10:53:17.000000000 +0000 @@ -0,0 +1,81 @@ +From f4138013dbc6851e968ea3d37b32776538ef306b Mon Sep 17 00:00:00 2001 +From: Binh-Minh Ribler +Date: Tue, 15 Jan 2019 13:07:22 -0600 +Subject: [PATCH] Fixed HDFFV-10578 + +Description: + - HDFFV-10578 - CVE-2018-17234 Memory leak in H5O__chunk_deserialize() + Actually, the leak was in h5tools_util. Applied Neil's fix. + - Changed an assert to if/HGOTO_ERROR to fail gracefully. +Platforms tested: + Linux/64 (jelly) + Linux/64 (platypus) + Darwin (osx1010test) +--- + src/H5Ocache.c | 3 ++- + src/H5VM.c | 2 +- + tools/lib/h5tools_utils.c | 17 ++++++++++++++++- + 3 files changed, 19 insertions(+), 3 deletions(-) + +Index: hdf5-1.10.0-patch1+docs/src/H5Ocache.c +=================================================================== +--- hdf5-1.10.0-patch1+docs.orig/src/H5Ocache.c ++++ hdf5-1.10.0-patch1+docs/src/H5Ocache.c +@@ -1421,7 +1421,8 @@ H5O__chunk_deserialize(H5O_t *oh, haddr_ + + /* Message size */ + UINT16DECODE(chunk_image, mesg_size); +- HDassert(mesg_size == H5O_ALIGN_OH(oh, mesg_size)); ++ if(mesg_size != H5O_ALIGN_OH(oh, mesg_size)) ++ HGOTO_ERROR(H5E_OHDR, H5E_CANTLOAD, FAIL, "message not aligned") + + /* Message flags */ + flags = *chunk_image++; +Index: hdf5-1.10.0-patch1+docs/src/H5VM.c +=================================================================== +--- hdf5-1.10.0-patch1+docs.orig/src/H5VM.c ++++ hdf5-1.10.0-patch1+docs/src/H5VM.c +@@ -1550,7 +1550,7 @@ done: + * + * Purpose: Given source and destination buffers in memory (SRC & DST) + * copy sequences of from the source buffer into the destination +- * buffer. Each set of sequnces has an array of lengths, an ++ * buffer. Each set of sequences has an array of lengths, an + * array of offsets, the maximum number of sequences and the + * current sequence to start at in the sequence. + * +Index: hdf5-1.10.0-patch1+docs/tools/lib/h5tools_utils.c +=================================================================== +--- hdf5-1.10.0-patch1+docs.orig/tools/lib/h5tools_utils.c ++++ hdf5-1.10.0-patch1+docs/tools/lib/h5tools_utils.c +@@ -647,6 +647,8 @@ herr_t + init_objs(hid_t fid, find_objs_t *info, table_t **group_table, + table_t **dset_table, table_t **type_table) + { ++ herr_t ret_value = SUCCEED; ++ + /* Initialize the tables */ + init_table(group_table); + init_table(dset_table); +@@ -659,7 +661,20 @@ init_objs(hid_t fid, find_objs_t *info, + info->dset_table = *dset_table; + + /* Find all shared objects */ +- return(h5trav_visit(fid, "/", TRUE, TRUE, find_objs_cb, NULL, info)); ++ if((ret_value = h5trav_visit(fid, "/", TRUE, TRUE, find_objs_cb, NULL, info)) < 0) ++ HGOTO_ERROR(FAIL, H5E_tools_min_id_g, "finding shared objects failed") ++ ++done: ++ /* Release resources */ ++ if(ret_value < 0) { ++ free_table(*group_table); ++ info->group_table = NULL; ++ free_table(*type_table); ++ info->type_table = NULL; ++ free_table(*dset_table); ++ info->dset_table = NULL; ++ } ++ return ret_value; + } + + diff -Nru hdf5-1.10.0-patch1+docs/debian/patches/CVE-2018-17237.patch hdf5-1.10.0-patch1+docs/debian/patches/CVE-2018-17237.patch --- hdf5-1.10.0-patch1+docs/debian/patches/CVE-2018-17237.patch 1970-01-01 00:00:00.000000000 +0000 +++ hdf5-1.10.0-patch1+docs/debian/patches/CVE-2018-17237.patch 2022-07-19 10:52:18.000000000 +0000 @@ -0,0 +1,288 @@ +From 4e31361dad4add06792b652dbe5b97e501f9031d Mon Sep 17 00:00:00 2001 +From: Songyu Lu +Date: Tue, 12 Feb 2019 13:48:49 -0600 +Subject: [PATCH] I'm bringing the fixes for the following Jira issues from the + develop branch to 1.10 branch: HDFFV-10571: Divided by Zero vulnerability. + HDFFV-10601: Issues with chunk cache hash value calcuation. HDFFV-10607: + Patches for warnings in the core libraries. HDFFV-10635: HDF5 library + segmentation fault with H5Sselect_element. + +--- + src/H5Dchunk.c | 25 ++++++------ + src/H5HG.c | 8 +++- + src/H5Ocache.c | 2 +- + src/H5Olayout.c | 8 +++- + src/H5RS.c | 4 +- + src/H5RSprivate.h | 2 +- + test/tvlstr.c | 102 ++++++++++++++++++++++++++++++++++++++++++++++ + 7 files changed, 133 insertions(+), 18 deletions(-) + +Index: hdf5-1.10.0-patch1+docs/src/H5Dchunk.c +=================================================================== +--- hdf5-1.10.0-patch1+docs.orig/src/H5Dchunk.c ++++ hdf5-1.10.0-patch1+docs/src/H5Dchunk.c +@@ -517,6 +517,9 @@ H5D__chunk_set_info_real(H5O_layout_chun + + /* Compute the # of chunks in dataset dimensions */ + for(u = 0, layout->nchunks = 1, layout->max_nchunks = 1; u < ndims; u++) { ++ /* Sanity check */ ++ HDassert(layout->dim[u] > 0); ++ + /* Round up to the next integer # of chunks, to accomodate partial chunks */ + layout->chunks[u] = ((curr_dims[u] + layout->dim[u]) - 1) / layout->dim[u]; + layout->max_chunks[u] = ((max_dims[u] + layout->dim[u]) - 1) / layout->dim[u]; +@@ -764,7 +767,10 @@ H5D__chunk_init(H5F_t *f, hid_t dxpl_id, + + for(u = 0; u < dset->shared->ndims; u++) { + /* Initial scaled dimension sizes */ +- rdcc->scaled_dims[u] = dset->shared->curr_dims[u] / dset->shared->layout.u.chunk.dim[u]; ++ ++ /* Round up to the next integer # of chunks, to accommodate partial chunks */ ++ rdcc->scaled_dims[u] = (dset->shared->curr_dims[u] + dset->shared->layout.u.chunk.dim[u] - 1) / ++ dset->shared->layout.u.chunk.dim[u]; + + /* Inital 'power2up' values for scaled dimensions */ + rdcc->scaled_power2up[u] = H5VM_power2up(rdcc->scaled_dims[u]); +@@ -2635,6 +2641,7 @@ H5D__chunk_hash_val(const H5D_shared_t * + hsize_t val; /* Intermediate value */ + unsigned ndims = shared->ndims; /* Rank of dataset */ + unsigned ret = 0; /* Value to return */ ++ unsigned u; /* Local index variable */ + + FUNC_ENTER_STATIC_NOERR + +@@ -2645,17 +2652,11 @@ H5D__chunk_hash_val(const H5D_shared_t * + /* If the fastest changing dimension doesn't have enough entropy, use + * other dimensions too + */ +- if(ndims > 1 && shared->cache.chunk.scaled_dims[ndims - 1] <= shared->cache.chunk.nslots) { +- unsigned u; /* Local index variable */ +- +- val = scaled[0]; +- for(u = 1; u < ndims; u++) { +- val <<= shared->cache.chunk.scaled_encode_bits[u]; +- val ^= scaled[u]; +- } /* end for */ +- } /* end if */ +- else +- val = scaled[ndims - 1]; ++ val = scaled[0]; ++ for(u = 1; u < ndims; u++) { ++ val <<= shared->cache.chunk.scaled_encode_bits[u]; ++ val ^= scaled[u]; ++ } /* end for */ + + /* Modulo value against the number of array slots */ + ret = (unsigned)(val % shared->cache.chunk.nslots); +Index: hdf5-1.10.0-patch1+docs/src/H5HG.c +=================================================================== +--- hdf5-1.10.0-patch1+docs.orig/src/H5HG.c ++++ hdf5-1.10.0-patch1+docs/src/H5HG.c +@@ -805,7 +805,13 @@ H5HG_remove (H5F_t *f, hid_t dxpl_id, H5 + HGOTO_ERROR(H5E_HEAP, H5E_CANTPROTECT, FAIL, "unable to protect global heap") + + HDassert(hobj->idx < heap->nused); +- HDassert(heap->obj[hobj->idx].begin); ++ /* When the application selects the same location to rewrite the VL element by using H5Sselect_elements, ++ * it can happen that the entry has been removed by first rewrite. Here we simply skip the removal of ++ * the entry and let the second rewrite happen (see HDFFV-10635). In the future, it'd be nice to handle ++ * this situation in H5T_conv_vlen in H5Tconv.c instead of this level (HDFFV-10648). */ ++ if(heap->obj[hobj->idx].nrefs == 0 && heap->obj[hobj->idx].size == 0 && !heap->obj[hobj->idx].begin) ++ HGOTO_DONE(ret_value) ++ + obj_start = heap->obj[hobj->idx].begin; + /* Include object header size */ + need = H5HG_ALIGN(heap->obj[hobj->idx].size) + H5HG_SIZEOF_OBJHDR(f); +Index: hdf5-1.10.0-patch1+docs/src/H5Olayout.c +=================================================================== +--- hdf5-1.10.0-patch1+docs.orig/src/H5Olayout.c ++++ hdf5-1.10.0-patch1+docs/src/H5Olayout.c +@@ -248,9 +248,15 @@ H5O__layout_decode(H5F_t *f, hid_t H5_AT + H5F_addr_decode(f, &p, &(mesg->storage.u.chunk.idx_addr)); + + /* Chunk dimensions */ +- for(u = 0; u < mesg->u.chunk.ndims; u++) ++ for(u = 0; u < mesg->u.chunk.ndims; u++) { + UINT32DECODE(p, mesg->u.chunk.dim[u]); + ++ /* Just in case that something goes very wrong, such as file corruption. */ ++ if(mesg->u.chunk.dim[u] == 0) ++ HGOTO_ERROR(H5E_DATASET, H5E_BADVALUE, NULL, "chunk dimension must be positive: mesg->u.chunk.dim[%u] = %u", ++ u, mesg->u.chunk.dim[u]) ++ } /* end for */ ++ + /* Compute chunk size */ + for(u = 1, mesg->u.chunk.size = mesg->u.chunk.dim[0]; u < mesg->u.chunk.ndims; u++) + mesg->u.chunk.size *= mesg->u.chunk.dim[u]; +Index: hdf5-1.10.0-patch1+docs/src/H5RS.c +=================================================================== +--- hdf5-1.10.0-patch1+docs.orig/src/H5RS.c ++++ hdf5-1.10.0-patch1+docs/src/H5RS.c +@@ -139,7 +139,7 @@ done: + REVISION LOG + --------------------------------------------------------------------------*/ + H5RS_str_t * +-H5RS_wrap(char *s) ++H5RS_wrap(const char *s) + { + H5RS_str_t *ret_value; /* Return value */ + +@@ -150,7 +150,7 @@ H5RS_wrap(char *s) + HGOTO_ERROR(H5E_RS, H5E_NOSPACE, NULL, "memory allocation failed") + + /* Set the internal fields */ +- ret_value->s = s; ++ ret_value->s = (char *)s; + ret_value->wrapped = 1; + ret_value->n = 1; + +Index: hdf5-1.10.0-patch1+docs/src/H5RSprivate.h +=================================================================== +--- hdf5-1.10.0-patch1+docs.orig/src/H5RSprivate.h ++++ hdf5-1.10.0-patch1+docs/src/H5RSprivate.h +@@ -46,7 +46,7 @@ typedef struct H5RS_str_t H5RS_str_t; + /* Private routines */ + /********************/ + H5_DLL H5RS_str_t *H5RS_create(const char *s); +-H5_DLL H5RS_str_t *H5RS_wrap(char *s); ++H5_DLL H5RS_str_t *H5RS_wrap(const char *s); + H5_DLL H5RS_str_t *H5RS_own(char *s); + H5_DLL herr_t H5RS_decr(H5RS_str_t *rs); + H5_DLL herr_t H5RS_incr(H5RS_str_t *rs); +Index: hdf5-1.10.0-patch1+docs/test/tvlstr.c +=================================================================== +--- hdf5-1.10.0-patch1+docs.orig/test/tvlstr.c ++++ hdf5-1.10.0-patch1+docs/test/tvlstr.c +@@ -27,10 +27,14 @@ + + #define DATAFILE "tvlstr.h5" + #define DATAFILE2 "tvlstr2.h5" ++#define DATAFILE3 "sel2el.h5" ++ ++#define DATASET "1Darray" + + /* 1-D dataset with fixed dimensions */ + #define SPACE1_RANK 1 + #define SPACE1_DIM1 4 ++#define NUMP 4 + + #define VLSTR_TYPE "vl_string_type" + +@@ -850,6 +854,101 @@ static void test_vl_rewrite(void) + } /* end test_vl_rewrite() */ + + /**************************************************************** ++ ** ++ ** test_write_same_element(): ++ ** Tests writing to the same element of VL string using ++ ** H5Sselect_element. ++ ** ++ ****************************************************************/ ++static void test_write_same_element(void) ++{ ++ hid_t file1, dataset1; ++ hid_t mspace, fspace, dtype; ++ hsize_t fdim[] = {SPACE1_DIM1}; ++ char *val[SPACE1_DIM1] = {"But", "reuniting", "is a", "great joy"}; ++ hsize_t marray[] = {NUMP}; ++ hsize_t coord[SPACE1_RANK][NUMP]; ++ herr_t ret; ++ ++ char *wdata[SPACE1_DIM1] = {"Parting", "is such a", "sweet", "sorrow."}; ++ ++ file1 = H5Fcreate(DATAFILE3, H5F_ACC_TRUNC, H5P_DEFAULT, H5P_DEFAULT); ++ CHECK(file1, FAIL, "H5Fcreate"); ++ ++ dtype = H5Tcopy(H5T_C_S1); ++ CHECK(dtype, FAIL, "H5Tcopy"); ++ ++ ret = H5Tset_size(dtype, H5T_VARIABLE); ++ CHECK(ret, FAIL, "H5Tset_size"); ++ ++ fspace = H5Screate_simple(SPACE1_RANK, fdim, NULL); ++ CHECK(fspace, FAIL, "H5Screate_simple"); ++ ++ dataset1 = H5Dcreate(file1, DATASET, dtype, fspace, H5P_DEFAULT, ++ H5P_DEFAULT, H5P_DEFAULT); ++ CHECK(dataset1, FAIL, "H5Dcreate"); ++ ++ ret = H5Dwrite(dataset1, dtype, H5S_ALL, H5S_ALL, H5P_DEFAULT, wdata); ++ CHECK(ret, FAIL, "H5Dwrite"); ++ ++ ret = H5Dclose(dataset1); ++ CHECK(ret, FAIL, "H5Dclose"); ++ ++ ret = H5Tclose(dtype); ++ CHECK(ret, FAIL, "H5Tclose"); ++ ++ ret = H5Sclose(fspace); ++ CHECK(ret, FAIL, "H5Sclose"); ++ ++ ret = H5Fclose(file1); ++ CHECK(ret, FAIL, "H5Fclose"); ++ ++ /* ++ * Open the file. Select the same points, write values to those point locations. ++ */ ++ file1 = H5Fopen(DATAFILE3, H5F_ACC_RDWR, H5P_DEFAULT); ++ CHECK(file1, FAIL, "H5Fopen"); ++ ++ dataset1 = H5Dopen(file1, DATASET, H5P_DEFAULT); ++ CHECK(dataset1, FAIL, "H5Dopen"); ++ ++ fspace = H5Dget_space(dataset1); ++ CHECK(fspace, FAIL, "H5Dget_space"); ++ ++ dtype = H5Dget_type(dataset1); ++ CHECK(dtype, FAIL, "H5Dget_type"); ++ ++ mspace = H5Screate_simple(1, marray, NULL); ++ CHECK(mspace, FAIL, "H5Screate_simple"); ++ ++ coord[0][0] = 0; ++ coord[0][1] = 2; ++ coord[0][2] = 2; ++ coord[0][3] = 0; ++ ++ ret = H5Sselect_elements(fspace, H5S_SELECT_SET, NUMP, (const hsize_t *)&coord); ++ CHECK(ret, FAIL, "H5Sselect_elements"); ++ ++ ret = H5Dwrite(dataset1, dtype, mspace, fspace, H5P_DEFAULT, val); ++ CHECK(ret, FAIL, "H5Dwrite"); ++ ++ ret = H5Tclose(dtype); ++ CHECK(ret, FAIL, "H5Tclose"); ++ ++ ret = H5Dclose(dataset1); ++ CHECK(ret, FAIL, "H5Dclose"); ++ ++ ret = H5Sclose(fspace); ++ CHECK(ret, FAIL, "H5Dclose"); ++ ++ ret = H5Sclose(mspace); ++ CHECK(ret, FAIL, "H5Sclose"); ++ ++ ret = H5Fclose(file1); ++ CHECK(ret, FAIL, "H5Fclose"); ++} /* test_write_same_element */ ++ ++/**************************************************************** + ** + ** test_vlstrings(): Main VL string testing routine. + ** +@@ -873,6 +972,8 @@ test_vlstrings(void) + + /* Test writing VL datasets in files with lots of unlinking */ + test_vl_rewrite(); ++ /* Test writing to the same element more than once using H5Sselect_elements */ ++ test_write_same_element(); + } /* test_vlstrings() */ + + +@@ -895,5 +996,6 @@ cleanup_vlstrings(void) + { + HDremove(DATAFILE); + HDremove(DATAFILE2); ++ HDremove(DATAFILE3); + } + diff -Nru hdf5-1.10.0-patch1+docs/debian/patches/series hdf5-1.10.0-patch1+docs/debian/patches/series --- hdf5-1.10.0-patch1+docs/debian/patches/series 2017-02-10 15:25:45.000000000 +0000 +++ hdf5-1.10.0-patch1+docs/debian/patches/series 2022-07-19 10:39:25.000000000 +0000 @@ -8,3 +8,9 @@ CVE-2016-4332.patch CVE-2016-4333.patch java-runtime-exception.patch +CVE-2017-17505.patch +CVE-2017-17506.patch +CVE-2017-17508.patch +CVE-2018-17233.patch +CVE-2018-17234.patch +CVE-2018-17237.patch diff -Nru hdf5-1.10.0-patch1+docs/debian/rules hdf5-1.10.0-patch1+docs/debian/rules --- hdf5-1.10.0-patch1+docs/debian/rules 2017-08-13 13:43:00.000000000 +0000 +++ hdf5-1.10.0-patch1+docs/debian/rules 2023-09-17 21:32:37.000000000 +0000 @@ -258,7 +258,9 @@ dh_install_%: dh_install $(foreach pkg,$(PACKAGES_$(flavor)),-p$(pkg)) --sourcedir=$(destdir) install -d debian/$(devpkg)/usr/lib/$(DEB_HOST_MULTIARCH)/pkgconfig - sed 's/@MULTIARCH@/$(DEB_HOST_MULTIARCH)/g' debian/hdf5-$(flavor).pc >debian/$(devpkg)/usr/lib/$(DEB_HOST_MULTIARCH)/pkgconfig/hdf5-$(flavor).pc + sed -e 's/@MULTIARCH@/$(DEB_HOST_MULTIARCH)/g' \ + -e 's/@VERSION@/$(libversion)/g' \ + debian/hdf5-$(flavor).pc >debian/$(devpkg)/usr/lib/$(DEB_HOST_MULTIARCH)/pkgconfig/hdf5-$(flavor).pc $(if $(findstring mpi,$(flavor)),$(rename_h5p_helpers),) define rename_h5p_helpers cd debian/$(devpkg)/usr/bin && \