Fix CVE-2025-2924 (#5814)

glennsong09 · web-flow · commit 0a57195ca67d · 2025-09-15T07:56:54.000-05:00
diff --git a/release_docs/RELEASE.txt b/release_docs/RELEASE.txt
@@ -894,6 +894,13 @@ Bug Fixes since HDF5-2.0.0 release
 
       Fixes GitHub issue #4952
 
+    - Check for overflow in decoded heap block addresses
+
+      Currently, we do not check for overflow when decoding addresses from
+      the heap, which can cause overflow problems. We've added a check in 
+      H5HL__fl_deserialize to ensure no overflow can occur.
+
+      Fixes GitHub issue #5382
 
     Java Library
     ------------
diff --git a/src/H5HLcache.c b/src/H5HLcache.c
@@ -225,13 +225,18 @@ H5HL__fl_deserialize(H5HL_t *heap)
     /* check arguments */
     assert(heap);
     assert(!heap->freelist);
+    HDcompile_assert(sizeof(hsize_t) == sizeof(uint64_t));
 
     /* Build free list */
     free_block = heap->free_block;
     while (H5HL_FREE_NULL != free_block) {
         const uint8_t *image; /* Pointer into image buffer */
 
         /* Sanity check */
+
+        if (free_block > UINT64_MAX - (2 * heap->sizeof_size))
+            HGOTO_ERROR(H5E_HEAP, H5E_BADRANGE, FAIL, "decoded heap block address overflow");
+
         if ((free_block + (2 * heap->sizeof_size)) > heap->dblk_size)
             HGOTO_ERROR(H5E_HEAP, H5E_BADRANGE, FAIL, "bad heap free list");
 
