
[BUG, CVE-2021-45833] Stack Buffer Overflow in H5D__create_chunk_file_map_hyper()

Open e4t opened this issue 2 years ago • 0 comments

Description

The reproducer of CVE-2021-45833 causes a stack buffer overflow in H5D__create_chunk_file_map_hyper() in the line:

coords[curr_dim] += fm->chunk_dim[curr_dim];

This can be reproduced with gcc's address sanitizer or by using valgrind. curr_dim is set to a value that's obviously out of range:

(gdb) p curr_dim
$20 = -1

Its value is set in:

curr_dim = (int)fm->f_ndims - 1;

which is set in:

fm->f_ndims = f_ndims = dataset->shared->layout.u.chunk.ndims - 1;

The specification states that for Data Layout Sections versions 1 & 2 for chunked storage the value stored in the data field is 1 greater than the number of dimensions in the dataspace. For version 3 this is not stated explicitly, however, the implementation suggests this. Thus the minimal value in this entry would be 2 - assuming a (pointless) dimension of 0 is not permitted. The overflow described happens while reading so it does not pose a risk, however, without the address sanitizer the code would continue. The same index is used to access arrays on the local stack.

Expected behavior

Properly verify validity of values when decoding data layout messages.

Platform

  • 1.10.7 and earlier
  • openSUSE Leap 15.4/ SLE 15 SP4 / openSUSE Tumbleweed
  • gcc7
  • Autotools
  • config --enable-fortran --enable-unsupported --enable-hl --enable-shared --enable-threadsafe --enable-build-mode=production --enable-cxx --with-pthread
  • make CFLAGS="-g -fsanitize=address" CXXFLAGS="-g -fsanitize=address" FCFLAGS="-g -fsanitize=address"

e4t · Nov 09 '22 12:11
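The following is an added illustration of the validation the report asks for, written for this page and not code from the HDF5 project. It decodes a constructed, simplified chunked data layout message (version byte, class byte, dimensionality byte, then 4-byte chunk sizes; the real on-disk message carries more fields) and rejects a stored dimensionality below 2 before it is used to derive `f_ndims` and the loop index `curr_dim`. The names `decode_chunk_layout`, `chunk_layout_t`, `first_curr_dim` and the `MAX_RANK` constant are assumptions made here; the contrast function `unchecked_first_curr_dim` reproduces the arithmetic the issue quotes, so a stored value of 1 yields the -1 seen in gdb.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Upper bound on dataspace rank. Assumption: mirrors HDF5's H5S_MAX_RANK (32);
   the constant itself is defined here for the example. */
#define MAX_RANK 32

/* Result codes for the decoder (constructed for this example). */
enum {
    LAYOUT_OK        =  0,
    LAYOUT_ERR_SHORT = -1,  /* message shorter than its fields require */
    LAYOUT_ERR_CLASS = -2,  /* not a version-3 chunked layout message */
    LAYOUT_ERR_NDIMS = -3,  /* dimensionality byte out of range */
    LAYOUT_ERR_DIM   = -4   /* zero-sized chunk dimension */
};

/* Decoded view of a chunked layout message. As the issue describes,
   f_ndims is the stored dimensionality minus one. */
typedef struct {
    unsigned stored_ndims;            /* raw byte 2 of the message */
    int      f_ndims;                 /* stored_ndims - 1 */
    uint32_t chunk_dim[MAX_RANK + 1]; /* indexed by curr_dim in [0, f_ndims) */
} chunk_layout_t;

static uint32_t read_u32_le(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Decode a constructed, simplified message:
     byte 0: version (3), byte 1: layout class (2 = chunked),
     byte 2: dimensionality stored as dataspace rank + 1,
     then 'dimensionality' little-endian 4-byte chunk dimension sizes.
   Every range check runs before the value is used as an array bound. */
int decode_chunk_layout(const uint8_t *buf, size_t len, chunk_layout_t *out) {
    if (len < 3) return LAYOUT_ERR_SHORT;
    if (buf[0] != 3 || buf[1] != 2) return LAYOUT_ERR_CLASS;

    unsigned ndims = buf[2];
    /* Stored value is rank + 1, so 2 is the smallest sane value (rank 1);
       anything above MAX_RANK + 1 would not fit the fixed-size arrays. */
    if (ndims < 2 || ndims > MAX_RANK + 1) return LAYOUT_ERR_NDIMS;
    if (len < 3 + (size_t)ndims * 4) return LAYOUT_ERR_SHORT;

    memset(out, 0, sizeof *out);
    out->stored_ndims = ndims;
    out->f_ndims = (int)ndims - 1;
    for (unsigned i = 0; i < ndims; i++) {
        uint32_t d = read_u32_le(buf + 3 + i * 4);
        /* The first f_ndims entries are chunk dimensions; the issue assumes a
           dimension of 0 is not permitted, so reject it here as well. */
        if ((int)i < out->f_ndims && d == 0) return LAYOUT_ERR_DIM;
        out->chunk_dim[i] = d;
    }
    return LAYOUT_OK;
}

/* Starting index of the loop in the issue: with a validated message this is
   never negative, so chunk_dim[curr_dim] stays in bounds. */
int first_curr_dim(const chunk_layout_t *fm) {
    return fm->f_ndims - 1;
}

/* The same arithmetic without validation, for contrast:
   stored 1 -> f_ndims 0 -> curr_dim -1. */
int unchecked_first_curr_dim(unsigned stored_ndims) {
    int f_ndims = (int)stored_ndims - 1;
    return f_ndims - 1;
}

/* Constructed sample messages: rank-2 dataset (stored ndims 3, dims 16x8,
   element size 4) and a malformed one with stored ndims 1. */
static const uint8_t good_msg[] = {3, 2, 3, 16,0,0,0, 8,0,0,0, 4,0,0,0};
static const uint8_t bad_msg[]  = {3, 2, 1, 4,0,0,0};

/* Decode the good message and return its starting curr_dim (expected 1). */
int check_good(void) {
    chunk_layout_t fm;
    if (decode_chunk_layout(good_msg, sizeof good_msg, &fm) != LAYOUT_OK) return -99;
    return first_curr_dim(&fm);
}

/* Decode the malformed message and return the decoder's verdict. */
int check_bad(void) {
    chunk_layout_t fm;
    return decode_chunk_layout(bad_msg, sizeof bad_msg, &fm);
}
```

The point of the split between `decode_chunk_layout` and `first_curr_dim` is that the bound is established once, at decode time, and every later consumer of `f_ndims` can rely on it; a fuzzed file with a dimensionality byte of 0 or 1 is refused with `LAYOUT_ERR_NDIMS` instead of reaching the hyperslab mapping loop with a negative index.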