Description
Three functions in hdf/src/vgp.c perform unbounded strcpy into
caller-supplied buffers with no length parameter:
Vgetname() — line 828: strcpy(vgname, vg->vgname)
Vgetclass() — same unbounded strcpy pattern for the class name
Vinquire() — strcpy(vgname, vg->vgname) with no NULL check
on vg->vgname, adding a null pointer dereference on top
vg->vgname is heap-allocated from a uint16 length field read
directly from the HDF file, meaning a malicious HDF file can
supply a name up to 65535 bytes long.
A vulnerable caller in HDF-EOS2 (SWfinfo in SWapi.c) passes a
fixed 80-byte stack buffer, which a crafted file can overflow.
Suggested fix: add a maxlen parameter to all three functions and
replace strcpy with strncpy + explicit null terminator.
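The bounded variant the suggested fix describes, written here as an added example rather than code from the HDF library: vgroup_t, vgetname_bounded() and demo_long_name_is_contained() are hypothetical stand-ins, and the demo reproduces the SWfinfo() situation (80-byte destination, name length taken from a uint16) with guard bytes to show the copy stays inside the buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical stand-in for the HDF vgroup record: only the
 * heap-allocated name matters here. Constructed for this example. */
typedef struct {
    char *vgname;   /* may be NULL when the file carried no name */
} vgroup_t;

/* Bounded replacement for the strcpy pattern. Copies at most
 * maxlen - 1 bytes and always writes a terminator when maxlen > 0.
 * Returns the full source length (so callers can detect truncation),
 * or -1 when vg->vgname is NULL (the case Vinquire() did not check). */
long vgetname_bounded(const vgroup_t *vg, char *dst, size_t maxlen)
{
    if (vg == NULL || vg->vgname == NULL) {
        if (dst != NULL && maxlen > 0)
            dst[0] = '\0';      /* leave the caller's buffer sane */
        return -1;
    }
    size_t n = strlen(vg->vgname);
    if (dst == NULL || maxlen == 0)
        return (long)n;         /* length query only, nothing written */
    size_t copy = n < maxlen ? n : maxlen - 1;
    memcpy(dst, vg->vgname, copy);
    dst[copy] = '\0';           /* strncpy alone would not guarantee this */
    return (long)n;
}

/* Mirrors the SWfinfo() situation: an 80-byte buffer receives a name
 * whose length came from a uint16 in the file. Returns 1 when the
 * guard bytes after the buffer are untouched and the result is
 * correctly terminated, 0 otherwise. Input is constructed, not read. */
int demo_long_name_is_contained(uint16_t name_len)
{
    char name[65536];
    memset(name, 'A', name_len);
    name[name_len] = '\0';
    vgroup_t vg = { name };

    char buf[80 + 8];
    memset(buf, 0x5a, sizeof buf);   /* 0x5a guard bytes after the 80 */
    long full = vgetname_bounded(&vg, buf, 80);
    int guard_ok = 1;
    for (int i = 80; i < 88; i++) guard_ok &= (buf[i] == 0x5a);
    return guard_ok && full == (long)name_len
           && strlen(buf) == (name_len < 80 ? name_len : 79);
}
```

The return value exceeding maxlen - 1 is how a caller learns the name was truncated, which strncpy by itself never reports.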