From d55785943e9435c35ca8fa8e9494dc74cafc3ecc Mon Sep 17 00:00:00 2001 From: jhendersonHDF Date: Fri, 29 Mar 2024 07:43:59 -0500 Subject: [PATCH] Fix potential buffer read overflows in H5PB_read (#4279) H5PB_read previously did not account for the fact that the size of the read it's performing could overflow the page buffer pointer, depending on the calculated offset for the read. This has been fixed by adjusting the size of the read if it's determined that it would overflow the page. --- release_docs/RELEASE.txt | 7 +++++++ src/H5PB.c | 11 ++++++++++- 2 files changed, 17 insertions(+), 1 deletion(-) diff --git a/release_docs/RELEASE.txt b/release_docs/RELEASE.txt index 0ff94a7d7a3..d10c6d7f0b3 100644 --- a/release_docs/RELEASE.txt +++ b/release_docs/RELEASE.txt @@ -461,6 +461,13 @@ Bug Fixes since HDF5-1.14.3 release Library ------- + - Fixed potential buffer read overflows in H5PB_read + + H5PB_read previously did not account for the fact that the size of the + read it's performing could overflow the page buffer pointer, depending + on the calculated offset for the read. This has been fixed by adjusting + the size of the read if it's determined that it would overflow the page. + - Fixed CVE-2017-17507 This CVE was previously declared fixed, but later testing with a static diff --git a/src/H5PB.c b/src/H5PB.c index fc09cd56e96..69707d14cba 100644 --- a/src/H5PB.c +++ b/src/H5PB.c @@ -726,7 +726,7 @@ H5PB_read(H5F_shared_t *f_sh, H5FD_mem_t type, haddr_t addr, size_t size, void * if (H5FD_MEM_DRAW == type) { last_page_addr = ((addr + size - 1) / page_buf->page_size) * page_buf->page_size; - /* How many pages does this write span */ + /* How many pages does this read span */ num_touched_pages = (last_page_addr / page_buf->page_size + 1) - (first_page_addr / page_buf->page_size); if (first_page_addr == last_page_addr) { 
@@ -835,6 +835,10 @@ H5PB_read(H5F_shared_t *f_sh, H5FD_mem_t type, haddr_t addr, size_t size, void * offset = (0 == i ? addr - page_entry->addr : 0); buf_offset = (0 == i ? 0 : size - access_size); + /* Account for reads that would overflow a page */ + if (offset + access_size > page_buf->page_size) + access_size = page_buf->page_size - offset; + /* copy the requested data from the page into the input buffer */ H5MM_memcpy((uint8_t *)buf + buf_offset, (uint8_t *)page_entry->page_buf_ptr + offset, access_size); @@ -905,6 +909,11 @@ H5PB_read(H5F_shared_t *f_sh, H5FD_mem_t type, haddr_t addr, size_t size, void * /* Copy the requested data from the page into the input buffer */ offset = (0 == i ? addr - search_addr : 0); buf_offset = (0 == i ? 0 : size - access_size); + + /* Account for reads that would overflow a page */ + if (offset + access_size > page_buf->page_size) + access_size = page_buf->page_size - offset; + H5MM_memcpy((uint8_t *)buf + buf_offset, (uint8_t *)new_page_buf + offset, access_size); /* Create the new PB entry */
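Review bot: The clamp added in the `@@ -835,6 +835,10 @@` hunk, and its copy in `@@ -905,6 +909,11 @@`, computes `page_buf->page_size - offset` without first establishing that `offset` is within the page. The operands appear to be unsigned (`haddr_t`/`size_t`), so an `offset` beyond the page end would wrap to a very large `access_size`, and the `H5MM_memcpy` that follows would still read out of bounds. Rejecting `offset > page_buf->page_size` as an error first, and then testing `if (access_size > page_buf->page_size - offset)`, avoids both that wrap and the possible wrap in `offset + access_size`. Separately, `buf_offset` is computed from the unclamped `access_size`, and the shortened copy leaves part of `buf` unwritten with nothing in the hunk reporting it, so a caller could treat stale bytes as file data; consider failing the read rather than truncating silently, or add a comment saying why a short copy is safe. The declarations of `offset` and `access_size` and the function's error path lie outside these hunks, so the types and return behaviour are inferred.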