new file mode 100644
@@ -0,0 +1,37 @@
+From 3a6f6c1f57c09281d4a9d11a1ae809fd21b666dd Mon Sep 17 00:00:00 2001
+From: Glenn Song <43005495+glennsong09@users.noreply.github.com>
+Date: Mon, 15 Sep 2025 07:56:54 -0500
+Subject: [PATCH] Fixes heap-based buffer overflow in H5HL__fl_deserialize by adding an overflow check.
+
+CVE: CVE-2025-2924
+Upstream-Status: Backport [https://github.com/HDFGroup/hdf5/commit/0a57195ca67d278f1cf7d01566c121048e337a59]
+
+(cherry picked from commit 0a57195ca67d278f1cf7d01566c121048e337a59)
+Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
+---
+ src/H5HLcache.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/H5HLcache.c b/src/H5HLcache.c
+index d0836fe..7f412d2 100644
+--- a/src/H5HLcache.c
++++ b/src/H5HLcache.c
+@@ -225,6 +225,7 @@ H5HL__fl_deserialize(H5HL_t *heap)
+ /* check arguments */
+ assert(heap);
+ assert(!heap->freelist);
++ HDcompile_assert(sizeof(hsize_t) == sizeof(uint64_t));
+
+ /* Build free list */
+ free_block = heap->free_block;
+@@ -232,6 +233,10 @@ H5HL__fl_deserialize(H5HL_t *heap)
+ const uint8_t *image; /* Pointer into image buffer */
+
+ /* Sanity check */
++
++ if (free_block > UINT64_MAX - (2 * heap->sizeof_size))
++ HGOTO_ERROR(H5E_HEAP, H5E_BADRANGE, FAIL, "decoded heap block address overflow");
++
+ if ((free_block + (2 * heap->sizeof_size)) > heap->dblk_size)
+ HGOTO_ERROR(H5E_HEAP, H5E_BADRANGE, FAIL, "bad heap free list");
+
@@ -19,6 +19,7 @@ SRC_URI = " \
file://CVE-2025-2914.patch \
file://CVE-2025-2915.patch \
file://CVE-2025-2923-CVE-2025-6816-CVE-2025-6856.patch \
+ file://CVE-2025-2924.patch \
"
SRC_URI[sha256sum] = "019ac451d9e1cf89c0482ba2a06f07a46166caf23f60fea5ef3c37724a318e03"
Details https://nvd.nist.gov/vuln/detail/CVE-2025-2924 Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> --- .../hdf5/files/CVE-2025-2924.patch | 37 +++++++++++++++++++ meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb | 1 + 2 files changed, 38 insertions(+) create mode 100644 meta-oe/recipes-support/hdf5/files/CVE-2025-2924.patch