Address Neil's comments and move check to when the value is read

Glenn Song · Glenn Song · commit 1508f3f15c2b · 2025-10-16T17:02:23.000-05:00
diff --git a/release_docs/CHANGELOG.md b/release_docs/CHANGELOG.md
@@ -496,7 +496,7 @@ Simple example programs showing how to use complex number datatypes have been ad
 ## Library
 
 ### Fixed security issue CVE-2025-2915
-   In H5F__accum_free, a heap-based buffer overflow issue was occurring due to calculating a new_accum_size that did not make sense due to an integer overflow. A new check has been added to make sure that accum->size - overlap_size can't result in a negative number, which prevents strange behavior later. 
+   Fixed a heap-based buffer overflow in H5F__accum_free caused by an integer overflow when calculating new_accum_size. Added validation in H5O__mdci_decode to detect and reject invalid values early, preventing the overflow condition.
 
    Fixes GitHub issue #5380
 
diff --git a/src/H5Faccum.c b/src/H5Faccum.c
@@ -879,8 +879,9 @@ H5F__accum_free(H5F_shared_t *f_sh, H5FD_mem_t H5_ATTR_UNUSED type, haddr_t addr
 
                 /* Calculate the size of the overlap with the accumulator, etc. */
                 H5_CHECKED_ASSIGN(overlap_size, size_t, (addr + size) - accum->loc, haddr_t);
-                if (overlap_size > accum->size)
-                    HGOTO_ERROR(H5E_IO, H5E_BADVALUE, FAIL, "new accumulator size negative");
+                /* Sanity check */
+                /* Overlap size should not result in "negative" value after subtraction */
+                assert(overlap_size > accum->size);
                 new_accum_size = accum->size - overlap_size;
 
                 /* Move the accumulator buffer information to eliminate the freed block */
diff --git a/src/H5Ocache_image.c b/src/H5Ocache_image.c
@@ -116,6 +116,13 @@ H5O__mdci_decode(H5F_t *f, H5O_t H5_ATTR_UNUSED *open_oh, unsigned H5_ATTR_UNUSE
         HGOTO_ERROR(H5E_OHDR, H5E_OVERFLOW, NULL, "ran off end of input buffer while decoding");
     H5F_DECODE_LENGTH(f, p, mesg->size);
 
+    if (mesg->addr >= (HADDR_UNDEF - mesg->size))
+        HGOTO_ERROR(H5E_OHDR, H5E_OVERFLOW, NULL, "address plus size overflows");
+    if (mesg->addr == HADDR_UNDEF)
+        HGOTO_ERROR(H5E_OHDR, H5E_OVERFLOW, NULL, "address is undefined");
+    if ((mesg->addr + mesg->size) > H5F_get_eoa(f, H5FD_MEM_DEFAULT))
+        HGOTO_ERROR(H5E_OHDR, H5E_OVERFLOW, NULL, "address plus size exceeds file eoa");
+
     /* Set return value */
     ret_value = (void *)mesg;
 
