HDF5 Heap-Based Buffer Overflow Vulnerability in H5F_addr_encode_len Function

Vulnerability

A heap-based buffer overflow vulnerability has been identified in the HDF5 library, affecting versions prior to 1.14.6. The issue arises in the H5F_addr_encode_len function within the file src/H5Fint.c. The vulnerability is caused by improper handling of the pp argument, which leads to a heap-based buffer overflow. This vulnerability requires local exploitation.

Impact

Exploitation of this vulnerability causes a heap-based buffer overflow, which can lead to memory corruption and potentially allow for arbitrary code execution.

Reproduction

The vulnerability can be reproduced by compiling the HDF5 library with AddressSanitizer enabled, using Clang as the compiler. After building the library, the H5_extended_fuzzer.c file can be compiled as a fuzzing harness. This harness opens a file, writes fuzzed data into it, and then attempts to read an attribute from a dataset, which triggers the buffer overflow. AddressSanitizer then reports a segmentation fault, indicating the heap-buffer-overflow.

Remediation

Users are advised to update to HDF5 version 1.14.6 or later, where this vulnerability has been addressed.
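A defender's first step on this advisory is an inventory check: which hosts still carry an HDF5 build older than 1.14.6. The script below is an added example and not part of the advisory or the HDF5 project; it extracts the major.minor.release triple from whatever version string you collect (the sample lines are constructed, modelled on the assumed output formats of `h5cc -showconfig` and `h5dump --version`, or the string exposed by `h5py.version.hdf5_version`) and classifies it against the fix release named above.

```python
import re
from typing import Dict, Optional, Tuple

# First release that contains the fix, as stated in the advisory.
FIXED_VERSION: Tuple[int, int, int] = (1, 14, 6)

# Matches "1.14.6", "1.14.6-2", "1.12.1-rc1" and similar; only the numeric
# triple takes part in the comparison, packaging suffixes are ignored.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_hdf5_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Return the first major.minor.release triple found in text, or None."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, release = (int(x) for x in m.groups())
    return (major, minor, release)


def is_vulnerable(version: Tuple[int, int, int]) -> bool:
    """True when the library predates the fix release (tuple comparison)."""
    return version < FIXED_VERSION


def assess(text: str) -> str:
    """Classify a collected version string: 'vulnerable', 'fixed' or 'unknown'."""
    version = parse_hdf5_version(text)
    if version is None:
        return "unknown"
    return "vulnerable" if is_vulnerable(version) else "fixed"


# Constructed sample inputs (assumed formats); replace with real tool output
# or package-manager metadata gathered from the host being checked.
SAMPLE_OUTPUTS: Dict[str, str] = {
    "h5cc": "HDF5 Version: 1.14.3",          # assumed `h5cc -showconfig` line
    "h5dump": "h5dump: Version 1.14.6",       # assumed `h5dump --version` line
    "pkg": "libhdf5 1.10.7-1ubuntu1",         # assumed distro package string
    "broken": "command not found",            # tool missing on the host
}


def assess_all(outputs: Dict[str, str] = SAMPLE_OUTPUTS) -> Dict[str, str]:
    """Run the classifier over every collected string, keyed by its source."""
    return {name: assess(text) for name, text in outputs.items()}


if __name__ == "__main__":
    for source, verdict in assess_all().items():
        print(f"{source}: {verdict}")
```

The comparison is done on integer tuples rather than on the raw string so that "1.14.10" sorts after "1.14.6"; an "unknown" verdict is worth treating as a finding in its own right, since a host where the version cannot be read is also a host where the patch cannot be confirmed.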

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 5.4
impact: 2.5
exploitability: 4.6
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.