From patchwork Thu Apr 9 06:18:54 2026
X-Patchwork-Submitter: "Wang, Jinfeng (CN)"
X-Patchwork-Id: 85565
Subject: [meta-oe][scarthgap][PATCH 01/11] yasm: fix CVE-2021-33454
Date: Thu, 9 Apr 2026 14:18:54 +0800
Message-ID: <20260409061904.1694992-2-jinfeng.wang.cn@windriver.com>
In-Reply-To: <20260409061904.1694992-1-jinfeng.wang.cn@windriver.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/126112

From: Guocai He

An issue was discovered in yasm version 1.3.0. There is a NULL pointer dereference in yasm_expr_get_intnum() in libyasm/expr.c.

Backport patch to fix CVE-2021-33454 per reference [1].

[1]: https://security-tracker.debian.org/tracker/CVE-2021-33454

Signed-off-by: Guocai He
Signed-off-by: Jinfeng Wang
---
 .../yasm/yasm/CVE-2021-33454.patch | 29 +++++++++++++++++++
 meta-oe/recipes-devtools/yasm/yasm_git.bb | 1 +
 2 files changed, 30 insertions(+)
 create mode 100644 meta-oe/recipes-devtools/yasm/yasm/CVE-2021-33454.patch

diff --git a/meta-oe/recipes-devtools/yasm/yasm/CVE-2021-33454.patch b/meta-oe/recipes-devtools/yasm/yasm/CVE-2021-33454.patch new file mode 100644 index 0000000000..735be93a3f --- /dev/null +++ b/meta-oe/recipes-devtools/yasm/yasm/CVE-2021-33454.patch @@ -0,0 +1,29 @@ +From 9defefae9fbcb6958cddbfa778c1ea8605da8b8b Mon Sep 17 00:00:00 2001 +From: dataisland +Date: Fri, 22 Sep 2023 00:21:20 -0500 +Subject: [PATCH] Fix null-pointer-dereference in yasm_expr_get_intnum (#244) + +CVE: CVE-2021-33454 +Upstream-Status: Backport [https://github.com/yasm/yasm/commit/9defefae9f] + +Signed-off-by: Guocai He +--- + libyasm/expr.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/libyasm/expr.c b/libyasm/expr.c +index 5b0c418b..09ae1121 100644 +--- a/libyasm/expr.c ++++ b/libyasm/expr.c +@@ -1264,7 +1264,7 @@ yasm_expr_get_intnum(yasm_expr **ep, int calc_bc_dist) + { + *ep = yasm_expr_simplify(*ep, calc_bc_dist); + +- if ((*ep)->op == YASM_EXPR_IDENT && (*ep)->terms[0].type == YASM_EXPR_INT) ++ if (*ep && (*ep)->op == YASM_EXPR_IDENT && (*ep)->terms[0].type == YASM_EXPR_INT) + return (*ep)->terms[0].data.intn; + else + return (yasm_intnum *)NULL; +-- +2.34.1 + 
diff --git a/meta-oe/recipes-devtools/yasm/yasm_git.bb b/meta-oe/recipes-devtools/yasm/yasm_git.bb index 5ba4f67628..84503e9a8a 100644 --- a/meta-oe/recipes-devtools/yasm/yasm_git.bb +++ b/meta-oe/recipes-devtools/yasm/yasm_git.bb 
@@ -20,6 +20,7 @@ SRC_URI = "git://github.com/yasm/yasm.git;branch=master;protocol=https \ file://CVE-2023-29579.patch \ file://CVE-2021-33464.patch \ file://CVE-2021-33456.patch \ + file://CVE-2021-33454.patch \ " S = "${WORKDIR}/git"
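
Review bot: The Upstream-Status line in the header of CVE-2021-33454.patch cites the abbreviated commit 9defefae9f, while the From line at the top of the same header carries the full hash 9defefae9fbcb6958cddbfa778c1ea8605da8b8b; use the full hash in the URL so the backport can be matched to upstream without a short-hash lookup. In the libyasm/expr.c hunk, the added "*ep &&" test guards only the value that yasm_expr_simplify() stored back into *ep, and a NULL there now falls through to the existing else branch that returns (yasm_intnum *)NULL. It would help to say in the commit message that this is the intended result for a NULL simplified expression, since the message currently describes only the crash.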

Subject: [meta-python][scarthgap][PATCH 02/11] python3-django: fix CVE-2025-64459
Date: Thu, 9 Apr 2026 14:18:55 +0800
Message-ID: <20260409061904.1694992-3-jinfeng.wang.cn@windriver.com>
In-Reply-To: <20260409061904.1694992-1-jinfeng.wang.cn@windriver.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/126114

From: Haixiao Yan

The methods QuerySet.filter(), QuerySet.exclude(), and QuerySet.get(), and the class Q() were subject to SQL injection when using a suitably crafted dictionary, with dictionary expansion, as the _connector argument.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-64459
https://shivasurya.me/security/django/2025/11/07/django-sql-injection-CVE-2025-64459.html

Upstream-patch:
https://github.com/django/django/commit/72d2c87431f2ae0431d65d0ec792047f078c8241
https://github.com/django/django/commit/4624ed769c0f7caea0d48ac824a75fa6b6f17671

Signed-off-by: Haixiao Yan
Signed-off-by: Jinfeng Wang
---
 .../CVE-2025-64459-1.patch | 57 +++++++++++++++++
 .../CVE-2025-64459-2.patch | 63 +++++++++++++++++++
 .../python/python3-django_5.0.14.bb | 5 +-
 3 files changed, 124 insertions(+), 1 deletion(-)
 create mode 100644 meta-python/recipes-devtools/python/python3-django-5.0.14/CVE-2025-64459-1.patch
 create mode 100644 meta-python/recipes-devtools/python/python3-django-5.0.14/CVE-2025-64459-2.patch

diff --git a/meta-python/recipes-devtools/python/python3-django-5.0.14/CVE-2025-64459-1.patch b/meta-python/recipes-devtools/python/python3-django-5.0.14/CVE-2025-64459-1.patch new file mode 100644 index 0000000000..6c42adfa42 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-django-5.0.14/CVE-2025-64459-1.patch 
@@ -0,0 +1,57 @@ +From 45f5d17986f70f0aaf4a666b2d71ae6750beeb88 Mon Sep 17 00:00:00 2001 +From: Jacob Walls +Date: Wed, 24 Sep 2025 15:54:51 -0400 +Subject: [PATCH] [5.1.x] Fixed CVE-2025-64459 -- Prevented SQL injections + in Q/QuerySet via the _connector kwarg. + +Thanks cyberstan for the report, Sarah Boyce, Adam Johnson, Simon +Charette, and Jake Howard for the reviews. + +Backport of c880530ddd4fabd5939bab0e148bebe36699432a from main. + +CVE: CVE-2025-64459 + +Upstream-Status: Backport [https://github.com/django/django/commit/72d2c87431f2ae0431d65d0ec792047f078c8241] + +Signed-off-by: Haixiao Yan +--- + django/db/models/query_utils.py | 4 ++++ + tests/queries/test_q.py | 5 +++++ + 2 files changed, 9 insertions(+) + +diff --git a/django/db/models/query_utils.py b/django/db/models/query_utils.py +index a04bbad5e7f8..d8610bc54d46 100644 +--- a/django/db/models/query_utils.py ++++ b/django/db/models/query_utils.py +@@ -47,8 +47,12 @@ class Q(tree.Node): + XOR = "XOR" + default = AND + conditional = True ++ connectors = (None, AND, OR, XOR) + + def __init__(self, *args, _connector=None, _negated=False, **kwargs): ++ if _connector not in self.connectors: ++ connector_reprs = ", ".join(f"{conn!r}" for conn in self.connectors[1:]) ++ raise ValueError(f"_connector must be one of {connector_reprs}, or None.") + super().__init__( + children=[*args, *sorted(kwargs.items())], + connector=_connector, +diff --git a/tests/queries/test_q.py b/tests/queries/test_q.py +index f7192a430a12..b21ec929a2ec 100644 +--- a/tests/queries/test_q.py ++++ b/tests/queries/test_q.py +@@ -264,6 +264,11 @@ class QTests(SimpleTestCase): + Q(*items, _connector=connector), + ) + ++ def test_connector_validation(self): ++ msg = f"_connector must be one of {Q.AND!r}, {Q.OR!r}, {Q.XOR!r}, or None." 
++ with self.assertRaisesMessage(ValueError, msg): ++ Q(_connector="evil") ++ + def test_referenced_base_fields(self): + # Make sure Q.referenced_base_fields retrieves all base fields from + # both filters and F expressions. +-- +2.34.1 + diff --git a/meta-python/recipes-devtools/python/python3-django-5.0.14/CVE-2025-64459-2.patch b/meta-python/recipes-devtools/python/python3-django-5.0.14/CVE-2025-64459-2.patch new file mode 100644 index 0000000000..5a207f8f11 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-django-5.0.14/CVE-2025-64459-2.patch 
@@ -0,0 +1,63 @@ +From 415912be531179e90e69f0be2e8bca301de53765 Mon Sep 17 00:00:00 2001 +From: Jacob Walls +Date: Wed, 24 Sep 2025 15:56:03 -0400 +Subject: [PATCH] [5.1.x] Refs CVE-2025-64459 -- Avoided propagating + invalid arguments to Q on dictionary expansion. + +Backport of 3c3f46357718166069948625354b8315a8505262 from main. + +CVE: CVE-2025-64459 + +Upstream-Status: Backport [https://github.com/django/django/commit/4624ed769c0f7caea0d48ac824a75fa6b6f17671] + +Signed-off-by: Haixiao Yan +--- + django/db/models/query.py | 5 +++++ + tests/queries/tests.py | 8 ++++++++ + 2 files changed, 13 insertions(+) + +diff --git a/django/db/models/query.py b/django/db/models/query.py +index 153fb1193ebf..3308cd48db00 100644 +--- a/django/db/models/query.py ++++ b/django/db/models/query.py +@@ -42,6 +42,8 @@ MAX_GET_RESULTS = 21 + # The maximum number of items to display in a QuerySet.__repr__ + REPR_OUTPUT_SIZE = 20 + ++PROHIBITED_FILTER_KWARGS = frozenset(["_connector", "_negated"]) ++ + + class BaseIterable: + def __init__( +@@ -1495,6 +1497,9 @@ class QuerySet(AltersData): + return clone + + def _filter_or_exclude_inplace(self, negate, args, kwargs): ++ if invalid_kwargs := PROHIBITED_FILTER_KWARGS.intersection(kwargs): ++ invalid_kwargs_str = ", ".join(f"'{k}'" for k in sorted(invalid_kwargs)) ++ raise TypeError(f"The following kwargs are invalid: {invalid_kwargs_str}") + if negate: + self._query.add_q(~Q(*args, **kwargs)) + else: +diff --git a/tests/queries/tests.py b/tests/queries/tests.py +index 20665ab2cda3..5df231949194 100644 +--- a/tests/queries/tests.py ++++ b/tests/queries/tests.py +@@ -4481,6 +4481,14 @@ class TestInvalidValuesRelation(SimpleTestCase): + Annotation.objects.filter(tag__in=[123, "abc"]) + + ++class TestInvalidFilterArguments(TestCase): ++ def test_filter_rejects_invalid_arguments(self): ++ school = School.objects.create() ++ msg = "The following kwargs are invalid: '_connector', '_negated'" ++ with self.assertRaisesMessage(TypeError, msg): ++ 
School.objects.filter(pk=school.pk, _negated=True, _connector="evil") ++ ++ + class TestTicket24605(TestCase): + def test_ticket_24605(self): + """ +-- +2.34.1 + diff --git a/meta-python/recipes-devtools/python/python3-django_5.0.14.bb b/meta-python/recipes-devtools/python/python3-django_5.0.14.bb index c2c44b4cc7..84dd9dd5f4 100644 --- a/meta-python/recipes-devtools/python/python3-django_5.0.14.bb +++ b/meta-python/recipes-devtools/python/python3-django_5.0.14.bb 
@@ -4,7 +4,10 @@ inherit setuptools3 # Windows-specific DoS via NFKC normalization, not applicable to Linux CVE_STATUS[CVE-2025-27556] = "not-applicable-platform: Issue only applies on Windows" -SRC_URI += "file://CVE-2025-64460.patch" +SRC_URI += "file://CVE-2025-64460.patch \ + file://CVE-2025-64459-1.patch \ + file://CVE-2025-64459-2.patch \ + " SRC_URI[sha256sum] = "29019a5763dbd48da1720d687c3522ef40d1c61be6fb2fad27ed79e9f655bc11" RDEPENDS:${PN} += "\
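
Review bot: The provenance recorded in the header of CVE-2025-64459-1.patch does not line up: the From line carries 45f5d17986f70f0aaf4a666b2d71ae6750beeb88, the Upstream-Status URL points at 72d2c87431f2ae0431d65d0ec792047f078c8241, and the subject is tagged [5.1.x] although the recipe being patched is python3-django_5.0.14.bb. State in the patch header which upstream branch the change was taken from and whether it applied to 5.0.14 unmodified, so the backport can be audited against the referenced commit. CVE-2025-64459-2.patch has the same mismatch (From 415912be531179e90e69f0be2e8bca301de53765 against 4624ed769c0f7caea0d48ac824a75fa6b6f17671 in Upstream-Status).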
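
Review bot: In the django/db/models/query.py hunk of CVE-2025-64459-2.patch the PROHIBITED_FILTER_KWARGS check is added only to _filter_or_exclude_inplace, and the new test in tests/queries/tests.py calls only School.objects.filter(), while the commit message names QuerySet.exclude() and QuerySet.get() as affected too. Because the patch was written against 5.1.x, please confirm that in 5.0.14 exclude() and get() also pass through _filter_or_exclude_inplace, and note that in the commit message. If they do not, the backport needs the same check on those paths.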

Subject: [meta-oe][scarthgap][PATCH 03/11] hdf5: fix CVE-2025-6857
Date: Thu, 9 Apr 2026 14:18:56 +0800
Message-ID: <20260409061904.1694992-4-jinfeng.wang.cn@windriver.com>
In-Reply-To: <20260409061904.1694992-1-jinfeng.wang.cn@windriver.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/126113

From: Libo Chen

According to [1], A vulnerability has been found in HDF5 1.14.6 and classified as problematic. Affected by this vulnerability is the function H5G__node_cmp3 of the file src/H5Gnode.c. The manipulation leads to stack-based buffer overflow. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used.

Backport patch [2] from upstream to fix CVE-2025-6857

[1] https://nvd.nist.gov/vuln/detail/CVE-2025-6857
[2] https://github.com/HDFGroup/hdf5/commit/a8ceb1d95bb997f548c1129363dad53c18540096

Signed-off-by: Libo Chen
Signed-off-by: Jinfeng Wang
---
 .../hdf5/files/CVE-2025-6857.patch | 248 ++++++++++++++++++
 meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb | 1 +
 2 files changed, 249 insertions(+)
 create mode 100644 meta-oe/recipes-support/hdf5/files/CVE-2025-6857.patch

diff --git a/meta-oe/recipes-support/hdf5/files/CVE-2025-6857.patch b/meta-oe/recipes-support/hdf5/files/CVE-2025-6857.patch new file mode 100644 index 0000000000..8b40d0e946 --- /dev/null +++ b/meta-oe/recipes-support/hdf5/files/CVE-2025-6857.patch 
@@ -0,0 +1,248 @@ +From eb3af284cc0ac8c758c65f492fc693ed50539592 Mon Sep 17 00:00:00 2001 +From: Libo Chen +Date: Thu, 29 Jan 2026 13:59:39 +0800 +Subject: [PATCH] Fix CVE-2025-6857 + +Add additional checks for v1 B-tree corruption + +An HDF5 file had a corrupted v1 B-tree that would result in a stack overflow when performing a lookup on it. This has been fixed with additional integrity checks. + +CVE: CVE-2025-6857 + +Upstream-Status: Backport [https://github.com/HDFGroup/hdf5/commit/a8ceb1d95bb997f548c1129363dad53c18540096] + +Signed-off-by: Libo Chen +--- + src/H5B.c | 92 +++++++++++++++++++++++++++++++++++++++++++--------- + src/H5Bpkg.h | 6 ++++ + 2 files changed, 83 insertions(+), 15 deletions(-) + +diff --git a/src/H5B.c b/src/H5B.c +index 5a7a238..4efa679 100644 +--- a/src/H5B.c ++++ b/src/H5B.c +@@ -140,6 +140,8 @@ typedef struct H5B_ins_ud_t { + /********************/ + /* Local Prototypes */ + /********************/ ++static herr_t H5B_find_helper(H5F_t *f, const H5B_class_t *type, haddr_t addr, int exp_level, bool *found, ++ void *udata); + static H5B_ins_t H5B__insert_helper(H5F_t *f, H5B_ins_ud_t *bt_ud, const H5B_class_t *type, uint8_t *lt_key, + bool *lt_key_changed, uint8_t *md_key, void *udata, uint8_t *rt_key, + bool *rt_key_changed, H5B_ins_ud_t *split_bt_ud /*out*/); +@@ -252,26 +254,67 @@ done: + } /* end H5B_create() */ + + /*------------------------------------------------------------------------- +- * Function: H5B_find ++ * Function: H5B_find + * +- * Purpose: Locate the specified information in a B-tree and return +- * that information by filling in fields of the caller-supplied +- * UDATA pointer depending on the type of leaf node +- * requested. The UDATA can point to additional data passed +- * to the key comparison function. ++ * Purpose: Locate the specified information in a B-tree and return ++ * that information by filling in fields of the ++ * caller-supplied UDATA pointer depending on the type of leaf ++ * node requested. 
The UDATA can point to additional data ++ * passed to the key comparison function. + * +- * Note: This function does not follow the left/right sibling +- * pointers since it assumes that all nodes can be reached +- * from the parent node. ++ * Note: This function does not follow the left/right sibling ++ * pointers since it assumes that all nodes can be reached ++ * from the parent node. + * +- * Return: Non-negative (true/false) on success (if found, values returned +- * through the UDATA argument). Negative on failure (if not found, +- * UDATA is undefined). ++ * Return: Non-negative (true/false) on success (if found, values ++ * returned through the UDATA argument). Negative on failure ++ * (if not found, UDATA is undefined). + * + *------------------------------------------------------------------------- + */ + herr_t + H5B_find(H5F_t *f, const H5B_class_t *type, haddr_t addr, bool *found, void *udata) ++{ ++ herr_t ret_value = SUCCEED; ++ ++ FUNC_ENTER_NOAPI(FAIL) ++ ++ /* ++ * Check arguments. ++ */ ++ assert(f); ++ assert(type); ++ assert(type->decode); ++ assert(type->cmp3); ++ assert(type->found); ++ assert(H5_addr_defined(addr)); ++ ++ if ((ret_value = H5B_find_helper(f, type, addr, H5B_UNKNOWN_NODELEVEL, found, udata)) < 0) ++ HGOTO_ERROR(H5E_BTREE, H5E_NOTFOUND, FAIL, "can't lookup key"); ++ ++done: ++ FUNC_LEAVE_NOAPI(ret_value) ++} /* end H5B_find() */ ++ ++/*------------------------------------------------------------------------- ++ * Function: H5B_find_helper ++ * ++ * Purpose: Recursive helper routine for H5B_find used to track node ++ * levels and attempt to detect B-tree corruption during ++ * lookups. ++ * ++ * Note: This function does not follow the left/right sibling ++ * pointers since it assumes that all nodes can be reached ++ * from the parent node. ++ * ++ * Return: Non-negative on success (if found, values returned through ++ * the UDATA argument). Negative on failure (if not found, ++ * UDATA is undefined). 
++ * ++ *------------------------------------------------------------------------- ++ */ ++static herr_t ++H5B_find_helper(H5F_t *f, const H5B_class_t *type, haddr_t addr, int exp_level, bool *found, void *udata) + { + H5B_t *bt = NULL; + H5UC_t *rc_shared; /* Ref-counted shared info */ +@@ -281,7 +324,7 @@ H5B_find(H5F_t *f, const H5B_class_t *type, haddr_t addr, bool *found, void *uda + int cmp = 1; /* Key comparison value */ + herr_t ret_value = SUCCEED; /* Return value */ + +- FUNC_ENTER_NOAPI(FAIL) ++ FUNC_ENTER_NOAPI_NOINIT + + /* + * Check arguments. +@@ -306,6 +349,7 @@ H5B_find(H5F_t *f, const H5B_class_t *type, haddr_t addr, bool *found, void *uda + cache_udata.f = f; + cache_udata.type = type; + cache_udata.rc_shared = rc_shared; ++ cache_udata.exp_level = exp_level; + if (NULL == (bt = (H5B_t *)H5AC_protect(f, H5AC_BT, addr, &cache_udata, H5AC__READ_ONLY_FLAG))) + HGOTO_ERROR(H5E_BTREE, H5E_CANTPROTECT, FAIL, "unable to load B-tree node"); + +@@ -329,7 +373,17 @@ H5B_find(H5F_t *f, const H5B_class_t *type, haddr_t addr, bool *found, void *uda + assert(idx < bt->nchildren); + + if (bt->level > 0) { +- if ((ret_value = H5B_find(f, type, bt->child[idx], found, udata)) < 0) ++ /* Sanity check to catch the case where the current node points to ++ * itself and the current node was loaded with an expected node level ++ * of H5B_UNKNOWN_NODELEVEL, thus bypassing the expected node level ++ * check during deserialization and in the future if the node was ++ * cached. 
++ */ ++ if (bt->child[idx] == addr) ++ HGOTO_ERROR(H5E_BTREE, H5E_BADVALUE, FAIL, "cyclic B-tree detected"); ++ ++ if ((ret_value = H5B_find_helper(f, type, bt->child[idx], (int)(bt->level - 1), found, udata)) < ++ 0) + HGOTO_ERROR(H5E_BTREE, H5E_NOTFOUND, FAIL, "can't lookup key in subtree"); + } /* end if */ + else { +@@ -343,7 +397,7 @@ done: + HDONE_ERROR(H5E_BTREE, H5E_CANTUNPROTECT, FAIL, "unable to release node"); + + FUNC_LEAVE_NOAPI(ret_value) +-} /* end H5B_find() */ ++} /* end H5B_find_helper() */ + + /*------------------------------------------------------------------------- + * Function: H5B__split +@@ -425,6 +479,7 @@ H5B__split(H5F_t *f, H5B_ins_ud_t *bt_ud, unsigned idx, void *udata, H5B_ins_ud_ + cache_udata.f = f; + cache_udata.type = shared->type; + cache_udata.rc_shared = bt_ud->bt->rc_shared; ++ cache_udata.exp_level = H5B_UNKNOWN_NODELEVEL; + if (NULL == (split_bt_ud->bt = + (H5B_t *)H5AC_protect(f, H5AC_BT, split_bt_ud->addr, &cache_udata, H5AC__NO_FLAGS_SET))) + HGOTO_ERROR(H5E_BTREE, H5E_CANTPROTECT, FAIL, "unable to protect B-tree"); +@@ -532,6 +587,7 @@ H5B_insert(H5F_t *f, const H5B_class_t *type, haddr_t addr, void *udata) + cache_udata.f = f; + cache_udata.type = type; + cache_udata.rc_shared = rc_shared; ++ cache_udata.exp_level = H5B_UNKNOWN_NODELEVEL; + bt_ud.addr = addr; + if (NULL == (bt_ud.bt = (H5B_t *)H5AC_protect(f, H5AC_BT, addr, &cache_udata, H5AC__NO_FLAGS_SET))) + HGOTO_ERROR(H5E_BTREE, H5E_CANTPROTECT, FAIL, "unable to locate root of B-tree"); +@@ -789,6 +845,7 @@ H5B__insert_helper(H5F_t *f, H5B_ins_ud_t *bt_ud, const H5B_class_t *type, uint8 + cache_udata.f = f; + cache_udata.type = type; + cache_udata.rc_shared = rc_shared; ++ cache_udata.exp_level = H5B_UNKNOWN_NODELEVEL; + + if (0 == bt->nchildren) { + /* +@@ -1077,6 +1134,7 @@ H5B__iterate_helper(H5F_t *f, const H5B_class_t *type, haddr_t addr, H5B_operato + cache_udata.f = f; + cache_udata.type = type; + cache_udata.rc_shared = rc_shared; ++ cache_udata.exp_level 
= H5B_UNKNOWN_NODELEVEL; + if (NULL == (bt = (H5B_t *)H5AC_protect(f, H5AC_BT, addr, &cache_udata, H5AC__READ_ONLY_FLAG))) + HGOTO_ERROR(H5E_BTREE, H5E_CANTPROTECT, H5_ITER_ERROR, "unable to load B-tree node"); + +@@ -1190,6 +1248,7 @@ H5B__remove_helper(H5F_t *f, haddr_t addr, const H5B_class_t *type, int level, u + cache_udata.f = f; + cache_udata.type = type; + cache_udata.rc_shared = rc_shared; ++ cache_udata.exp_level = H5B_UNKNOWN_NODELEVEL; + if (NULL == (bt = (H5B_t *)H5AC_protect(f, H5AC_BT, addr, &cache_udata, H5AC__NO_FLAGS_SET))) + HGOTO_ERROR(H5E_BTREE, H5E_CANTPROTECT, H5B_INS_ERROR, "unable to load B-tree node"); + +@@ -1542,6 +1601,7 @@ H5B_delete(H5F_t *f, const H5B_class_t *type, haddr_t addr, void *udata) + cache_udata.f = f; + cache_udata.type = type; + cache_udata.rc_shared = rc_shared; ++ cache_udata.exp_level = H5B_UNKNOWN_NODELEVEL; + if (NULL == (bt = (H5B_t *)H5AC_protect(f, H5AC_BT, addr, &cache_udata, H5AC__NO_FLAGS_SET))) + HGOTO_ERROR(H5E_BTREE, H5E_CANTPROTECT, FAIL, "unable to load B-tree node"); + +@@ -1782,6 +1842,7 @@ H5B__get_info_helper(H5F_t *f, const H5B_class_t *type, haddr_t addr, const H5B_ + cache_udata.f = f; + cache_udata.type = type; + cache_udata.rc_shared = rc_shared; ++ cache_udata.exp_level = H5B_UNKNOWN_NODELEVEL; + if (NULL == (bt = (H5B_t *)H5AC_protect(f, H5AC_BT, addr, &cache_udata, H5AC__READ_ONLY_FLAG))) + HGOTO_ERROR(H5E_BTREE, H5E_CANTPROTECT, FAIL, "unable to load B-tree node"); + +@@ -1923,6 +1984,7 @@ H5B_valid(H5F_t *f, const H5B_class_t *type, haddr_t addr) + cache_udata.f = f; + cache_udata.type = type; + cache_udata.rc_shared = rc_shared; ++ cache_udata.exp_level = H5B_UNKNOWN_NODELEVEL; + if (NULL == (bt = (H5B_t *)H5AC_protect(f, H5AC_BT, addr, &cache_udata, H5AC__READ_ONLY_FLAG))) + HGOTO_ERROR(H5E_BTREE, H5E_CANTPROTECT, FAIL, "unable to protect B-tree node"); + +diff --git a/src/H5Bpkg.h b/src/H5Bpkg.h +index d1ad647..f75e857 100644 +--- a/src/H5Bpkg.h ++++ b/src/H5Bpkg.h +@@ -39,6 +39,11 @@ + 
/* # of bits for node level: 1 byte */ + #define LEVEL_BITS 8 + ++/* Indicates that the level of the current node is unknown. When the level ++ * is known, it can be used to detect corrupted level during decoding ++ */ ++#define H5B_UNKNOWN_NODELEVEL -1 ++ + /****************************/ + /* Package Private Typedefs */ + /****************************/ +@@ -60,6 +65,7 @@ typedef struct H5B_t { + typedef struct H5B_cache_ud_t { + H5F_t *f; /* File that B-tree node is within */ + const struct H5B_class_t *type; /* Type of tree */ ++ int exp_level; /* Expected level of the current node */ + H5UC_t *rc_shared; /* Ref-counted shared info */ + } H5B_cache_ud_t; + +-- +2.34.1 + diff --git a/meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb b/meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb index e8432f0d6b..1b9f0fcfa8 100644 --- a/meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb +++ b/meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb 
@@ -24,6 +24,7 @@ SRC_URI = " \ file://CVE-2025-6269-CVE-2025-6270-CVE-2025-6516_01.patch \ file://CVE-2025-6269-CVE-2025-6270-CVE-2025-6516_02.patch \ file://CVE-2025-2926.patch \ + file://CVE-2025-6857.patch \ " SRC_URI[sha256sum] = "019ac451d9e1cf89c0482ba2a06f07a46166caf23f60fea5ef3c37724a318e03"
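Review bot: the `bt->child[idx] == addr` test added before the recursive H5B_find_helper call in CVE-2025-6857.patch only rejects a node that lists itself as a child. A cycle through two or more nodes passes this comparison and has to be stopped by the expected level passed down as `(int)(bt->level - 1)`; the comment above the test should say so, so that the address comparison is not taken for complete cycle detection.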
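Review bot: every other traversal touched in H5B.c (H5B__split, H5B_insert, H5B__insert_helper, H5B__iterate_helper, H5B__remove_helper, H5B_delete, H5B__get_info_helper, H5B_valid) sets `cache_udata.exp_level = H5B_UNKNOWN_NODELEVEL`, so none of them requests the level validation this patch introduces. If a malformed file can reach iterate, remove or delete without a prior lookup, those walks get no level check; either pass the expected level where the parent node is already in hand, or state in the patch description that only the find path is hardened.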
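Review bot: `#define H5B_UNKNOWN_NODELEVEL -1` in the H5Bpkg.h hunk is an unparenthesized negative constant; write it as `(-1)` so the macro always expands to a single operand. The new `int exp_level` member would also read better with a comment that names this sentinel as its "not checked" value.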
Subject: [meta-oe][scarthgap][PATCH 04/11] hdf5: fix CVE-2025-2153
Date: Thu, 9 Apr 2026 14:18:57 +0800
Message-ID: <20260409061904.1694992-5-jinfeng.wang.cn@windriver.com>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20260409061904.1694992-1-jinfeng.wang.cn@windriver.com>
References: <20260409061904.1694992-1-jinfeng.wang.cn@windriver.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/126115

From: Libo Chen

According to [1], A vulnerability, which was classified as critical, was found in HDF5 1.14.6. Affected is the function H5SM_delete of the file H5SM.c of the component h5 File Handler. The manipulation leads to heap-based buffer overflow. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used.

Backport patch [2] from upstream to fix CVE-2025-2153

[1] https://nvd.nist.gov/vuln/detail/CVE-2025-2153
[2] https://github.com/HDFGroup/hdf5/commit/38954615fc079538aa45d48097625a6d76aceef0

Signed-off-by: Libo Chen
Signed-off-by: Jinfeng Wang
---
 .../hdf5/files/CVE-2025-2153.patch | 51 +++++++++++++++++++
 meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb | 1 +
 2 files changed, 52 insertions(+)
 create mode 100644 meta-oe/recipes-support/hdf5/files/CVE-2025-2153.patch

diff --git a/meta-oe/recipes-support/hdf5/files/CVE-2025-2153.patch b/meta-oe/recipes-support/hdf5/files/CVE-2025-2153.patch new file mode 100644 index 0000000000..6f77ad330b --- /dev/null +++ b/meta-oe/recipes-support/hdf5/files/CVE-2025-2153.patch
@@ -0,0 +1,51 @@ +From 586f01d74f23dabcd733c82a05cf26bf123a91dc Mon Sep 17 00:00:00 2001 +From: Libo Chen +Date: Fri, 30 Jan 2026 11:42:10 +0800 +Subject: [PATCH] Fix CVE-2025-2153 + +This PR fixes #5329. Previously, the message flags field was able to be modified such that a message that is not sharable according to the share_flags field in H5O_msg_class_t could be treated as sharable. A check has been added to make sure messages that are not sharable can't be modified so that they indicate they can be shared. + +The bug was first reproduced using the fuzzer and the POC file from #5329. With this change, the heap based buffer overflow no longer occurs. + +CVE: CVE-2025-2153 + +Upstream-Status: Backport [https://github.com/HDFGroup/hdf5/commit/38954615fc079538aa45d48097625a6d76aceef0] + +Signed-off-by: Libo Chen +--- + src/H5Ocache.c | 4 ++-- + src/H5Omessage.c | 3 +++ + 2 files changed, 5 insertions(+), 2 deletions(-) + +diff --git a/src/H5Ocache.c b/src/H5Ocache.c +index 9b82509..7203490 100644 +--- a/src/H5Ocache.c ++++ b/src/H5Ocache.c +@@ -1422,8 +1422,8 @@ H5O__chunk_deserialize(H5O_t *oh, haddr_t addr, size_t chunk_size, const uint8_t + else { + /* Check for message of unshareable class marked as "shareable" + */ +- if ((flags & H5O_MSG_FLAG_SHAREABLE) && H5O_msg_class_g[id] && +- !(H5O_msg_class_g[id]->share_flags & H5O_SHARE_IS_SHARABLE)) ++ if (((flags & H5O_MSG_FLAG_SHARED) || (flags & H5O_MSG_FLAG_SHAREABLE)) && ++ H5O_msg_class_g[id] && !(H5O_msg_class_g[id]->share_flags & H5O_SHARE_IS_SHARABLE)) + HGOTO_ERROR(H5E_OHDR, H5E_CANTLOAD, FAIL, + "message of unshareable class flagged as shareable"); + +diff --git a/src/H5Omessage.c b/src/H5Omessage.c +index 7190e46..fb9006c 100644 +--- a/src/H5Omessage.c ++++ b/src/H5Omessage.c +@@ -354,6 +354,9 @@ H5O__msg_write_real(H5F_t *f, H5O_t *oh, const H5O_msg_class_t *type, unsigned m + */ + assert(!(mesg_flags & H5O_MSG_FLAG_DONTSHARE)); + ++ /* Sanity check to see if the type is not sharable */ ++ 
assert(type->share_flags & H5O_SHARE_IS_SHARABLE); ++ + /* Remove the old message from the SOHM index */ + /* (It would be more efficient to try to share the message first, then + * delete it (avoiding thrashing the index in the case the ref. +-- +2.34.1 + diff --git a/meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb b/meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb index 1b9f0fcfa8..715f14ccae 100644 --- a/meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb +++ b/meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb 
@@ -25,6 +25,7 @@ SRC_URI = " \ file://CVE-2025-6269-CVE-2025-6270-CVE-2025-6516_02.patch \ file://CVE-2025-2926.patch \ file://CVE-2025-6857.patch \ + file://CVE-2025-2153.patch \ " SRC_URI[sha256sum] = "019ac451d9e1cf89c0482ba2a06f07a46166caf23f60fea5ef3c37724a318e03"
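Review bot: the error string in the H5O__chunk_deserialize hunk of CVE-2025-2153.patch still reads "message of unshareable class flagged as shareable", and the comment above it says the same, although the condition now also fires on H5O_MSG_FLAG_SHARED. Update both to mention the shared flag so the error points at the right bit, and consider a single mask test, `flags & (H5O_MSG_FLAG_SHARED | H5O_MSG_FLAG_SHAREABLE)`, in place of the two OR-ed tests.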
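Review bot: the `assert(type->share_flags & H5O_SHARE_IS_SHARABLE)` added to H5O__msg_write_real in the H5Omessage.c hunk is compiled out when the library is built with NDEBUG, so in such builds the only protection left is the deserialize check in H5Ocache.c. The comment "Sanity check to see if the type is not sharable" also states the opposite of what is asserted. If this path has to hold in release builds, return an error here instead of asserting, and reword the comment to match.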
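Review bot: the SRC_URI hunk applies the fix to hdf5_1.14.4-3.bb, while the advisory text quoted in the commit message names HDF5 1.14.6 as the affected version. Add a line to the commit message confirming that 1.14.4 contains the vulnerable code, so the CVE tag carried by this patch file is backed by more than the backport applying cleanly.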
Subject: [meta-oe][scarthgap][PATCH 05/11] hdf5: fix CVE-2025-2310
Date: Thu, 9 Apr 2026 14:18:58 +0800
Message-ID: <20260409061904.1694992-6-jinfeng.wang.cn@windriver.com>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20260409061904.1694992-1-jinfeng.wang.cn@windriver.com>
References: <20260409061904.1694992-1-jinfeng.wang.cn@windriver.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/126116

From: Libo Chen

According to [1], A vulnerability was found in HDF5 1.14.6 and classified as critical. This issue affects the function H5MM_strndup of the component Metadata Attribute Decoder. The manipulation leads to heap-based buffer overflow. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used.

Backport patch [2] from upstream to fix CVE-2025-2310

[1] https://nvd.nist.gov/vuln/detail/CVE-2025-2310
[2] https://github.com/HDFGroup/hdf5/commit/6c86f97e03c6dc7d7bd2bae9acc422bdc3438ff4

Signed-off-by: Libo Chen
Signed-off-by: Jinfeng Wang
---
 .../hdf5/files/CVE-2025-2310.patch | 37 +++++++++++++++++++
 meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb | 1 +
 2 files changed, 38 insertions(+)
 create mode 100644 meta-oe/recipes-support/hdf5/files/CVE-2025-2310.patch

diff --git a/meta-oe/recipes-support/hdf5/files/CVE-2025-2310.patch b/meta-oe/recipes-support/hdf5/files/CVE-2025-2310.patch new file mode 100644 index 0000000000..8ac74737d8 --- /dev/null +++ b/meta-oe/recipes-support/hdf5/files/CVE-2025-2310.patch
@@ -0,0 +1,37 @@ +From 89a4466d72f688f4da6521e82a466c183ebe1d08 Mon Sep 17 00:00:00 2001 +From: Libo Chen +Date: Fri, 30 Jan 2026 14:05:54 +0800 +Subject: [PATCH] Fix CVE-2025-2310 + +Malformed files can have a zero name-length, which when subtracted lead to an overflow and an out-of-bounds read. + +Check that name length is not too small in addition to checking for an overflow directly. + +CVE: CVE-2025-2310 + +Upstream-Status: Backport [https://github.com/HDFGroup/hdf5/commit/6c86f97e03c6dc7d7bd2bae9acc422bdc3438ff4] + +Signed-off-by: Libo Chen +--- + src/H5Oattr.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/src/H5Oattr.c b/src/H5Oattr.c +index 6d1d237..7b7ebb0 100644 +--- a/src/H5Oattr.c ++++ b/src/H5Oattr.c +@@ -167,6 +167,11 @@ H5O__attr_decode(H5F_t *f, H5O_t *open_oh, unsigned H5_ATTR_UNUSED mesg_flags, u + if (H5_IS_BUFFER_OVERFLOW(p, 2, p_end)) + HGOTO_ERROR(H5E_OHDR, H5E_OVERFLOW, NULL, "ran off end of input buffer while decoding"); + UINT16DECODE(p, name_len); /* Including null */ ++ ++ /* Verify that retrieved name length (including null byte) is valid */ ++ if (name_len <= 1) ++ HGOTO_ERROR(H5E_OHDR, H5E_CANTDECODE, NULL, "decoded name length is invalid"); ++ + if (H5_IS_BUFFER_OVERFLOW(p, 2, p_end)) + HGOTO_ERROR(H5E_OHDR, H5E_OVERFLOW, NULL, "ran off end of input buffer while decoding"); + UINT16DECODE(p, attr->shared->dt_size); +-- +2.34.1 + diff --git a/meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb b/meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb index 715f14ccae..653c32ab4a 100644 --- a/meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb +++ b/meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb 
@@ -26,6 +26,7 @@ SRC_URI = " \ file://CVE-2025-2926.patch \ file://CVE-2025-6857.patch \ file://CVE-2025-2153.patch \ + file://CVE-2025-2310.patch \ " SRC_URI[sha256sum] = "019ac451d9e1cf89c0482ba2a06f07a46166caf23f60fea5ef3c37724a318e03"
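Review bot: `if (name_len <= 1)` in the H5O__attr_decode hunk of CVE-2025-2310.patch rejects a length of 1 as well as 0, that is, a name made up of the terminating null only, while the patch description motivates the zero case alone. Extend the comment to say that empty names are rejected on purpose, so a later reader does not relax the test to `== 0` and reopen the subtraction underflow the description mentions.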
Subject: [meta-oe][scarthgap][PATCH 06/11] hdf5: fix CVE-2025-44905
Date: Thu, 9 Apr 2026 14:18:59 +0800
Message-ID: <20260409061904.1694992-7-jinfeng.wang.cn@windriver.com>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20260409061904.1694992-1-jinfeng.wang.cn@windriver.com>
References: <20260409061904.1694992-1-jinfeng.wang.cn@windriver.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/126118

From: Libo Chen

According to [1], hdf5 v1.14.6 was discovered to contain a heap buffer overflow via the H5Z__filter_scaleoffset function.

Backport patch [2] from upstream to fix CVE-2025-44905

[1] https://nvd.nist.gov/vuln/detail/CVE-2025-44905
[2] https://github.com/HDFGroup/hdf5/commit/42588aeba786a121fec1fbad72cf39d8f60a4983

Signed-off-by: Libo Chen
Signed-off-by: Jinfeng Wang
---
 .../hdf5/files/CVE-2025-44905.patch | 46 +++++++++++++++++++
 meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb | 1 +
 2 files changed, 47 insertions(+)
 create mode 100644 meta-oe/recipes-support/hdf5/files/CVE-2025-44905.patch

diff --git a/meta-oe/recipes-support/hdf5/files/CVE-2025-44905.patch b/meta-oe/recipes-support/hdf5/files/CVE-2025-44905.patch new file mode 100644 index 0000000000..91ad655760 --- /dev/null +++ b/meta-oe/recipes-support/hdf5/files/CVE-2025-44905.patch
@@ -0,0 +1,46 @@ +From d7ed737287ef2ecc6efd006fa11c3f784cdbdba6 Mon Sep 17 00:00:00 2001 +From: Libo Chen +Date: Fri, 30 Jan 2026 14:37:09 +0800 +Subject: [PATCH] H5Zscaleoffset: add buffer size check to prevent + out-of-bounds reads + +Adds a buffer size check in H5Z__filter_scaleoffset to prevent out-of-bounds reads with malformed HDF5 files. + +Fixes CVE-2025-44905. + +CVE: CVE-2025-44905 + +Upstream-Status: Backport [https://github.com/HDFGroup/hdf5/commit/42588aeba786a121fec1fbad72cf39d8f60a4983] + +Signed-off-by: Libo Chen +--- + src/H5Zscaleoffset.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/src/H5Zscaleoffset.c b/src/H5Zscaleoffset.c +index 048344b..fbf12d6 100644 +--- a/src/H5Zscaleoffset.c ++++ b/src/H5Zscaleoffset.c +@@ -1205,6 +1205,9 @@ H5Z__filter_scaleoffset(unsigned flags, size_t cd_nelmts, const unsigned cd_valu + unsigned minval_size = 0; + + minbits = 0; ++ if (H5_IS_BUFFER_OVERFLOW((unsigned char *)*buf, 5, (unsigned char *)*buf + *buf_size - 1)) ++ HGOTO_ERROR(H5E_ARGS, H5E_BADVALUE, 0, "buffer too short"); ++ + for (i = 0; i < 4; i++) { + minbits_mask = ((unsigned char *)*buf)[i]; + minbits_mask <<= i * 8; +@@ -1220,6 +1223,9 @@ H5Z__filter_scaleoffset(unsigned flags, size_t cd_nelmts, const unsigned cd_valu + minval_size = sizeof(unsigned long long) <= ((unsigned char *)*buf)[4] ? sizeof(unsigned long long) + : ((unsigned char *)*buf)[4]; + minval = 0; ++ if (H5_IS_BUFFER_OVERFLOW((unsigned char *)*buf, 5 + minval_size, ++ (unsigned char *)*buf + *buf_size - 1)) ++ HGOTO_ERROR(H5E_ARGS, H5E_BADVALUE, 0, "buffer too short"); + for (i = 0; i < minval_size; i++) { + minval_mask = ((unsigned char *)*buf)[5 + i]; + minval_mask <<= i * 8; +-- +2.34.1 + diff --git a/meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb b/meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb index 653c32ab4a..9cf3f98fe3 100644 --- a/meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb +++ b/meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb 
@@ -27,6 +27,7 @@ SRC_URI = " \ file://CVE-2025-6857.patch \ file://CVE-2025-2153.patch \ file://CVE-2025-2310.patch \ + file://CVE-2025-44905.patch \ " SRC_URI[sha256sum] = "019ac451d9e1cf89c0482ba2a06f07a46166caf23f60fea5ef3c37724a318e03"
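Review bot: both checks added to H5Z__filter_scaleoffset in CVE-2025-44905.patch build the end pointer as `(unsigned char *)*buf + *buf_size - 1`, which for `*buf_size == 0` is an address one byte before the buffer; forming that pointer is undefined behaviour in C before H5_IS_BUFFER_OVERFLOW compares anything. Test the size itself first, for example reject `*buf_size < 5` ahead of the minbits loop and `*buf_size < 5 + minval_size` ahead of the minval loop, and keep the macro only if it adds something beyond that.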
Subject: [meta-oe][scarthgap][PATCH 07/11] hdf5: fix CVE-2025-2309
Date: Thu, 9 Apr 2026 14:19:00 +0800
Message-ID: <20260409061904.1694992-8-jinfeng.wang.cn@windriver.com>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20260409061904.1694992-1-jinfeng.wang.cn@windriver.com>
References: <20260409061904.1694992-1-jinfeng.wang.cn@windriver.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/126117

From: Libo Chen

According to [1], A vulnerability has been found in HDF5 1.14.6 and classified as critical. This vulnerability affects the function H5T__bit_copy of the component Type Conversion Logic. The manipulation leads to heap-based buffer overflow. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. The vendor plans to fix this issue in an upcoming release.

Backport patch [2] from upstream to fix CVE-2025-2309

[1] https://nvd.nist.gov/vuln/detail/CVE-2025-2309
[2] https://github.com/HDFGroup/hdf5/commit/9d90b21ef5c5373978014f1a711795aa653bd9a1

Signed-off-by: Libo Chen
Signed-off-by: Jinfeng Wang
---
 .../hdf5/files/CVE-2025-2309.patch | 41 +++++++++++++++++++
 meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb | 1 +
 2 files changed, 42 insertions(+)
 create mode 100644 meta-oe/recipes-support/hdf5/files/CVE-2025-2309.patch

diff --git a/meta-oe/recipes-support/hdf5/files/CVE-2025-2309.patch b/meta-oe/recipes-support/hdf5/files/CVE-2025-2309.patch new file mode 100644 index 0000000000..d14cb2589f --- /dev/null +++ b/meta-oe/recipes-support/hdf5/files/CVE-2025-2309.patch
@@ -0,0 +1,41 @@ +From 6b24925c5fae3e2d7f47e9e7c879816673a48cd5 Mon Sep 17 00:00:00 2001 +From: Libo Chen +Date: Fri, 30 Jan 2026 15:04:26 +0800 +Subject: [PATCH] Fix CVE-2025-2309 + +A malformed file can trigger bit field type conversions that can (due to missing boundary checks in the conversion step) cause a heap buffer overflow. This PR adds a check on the defined conversion to ensure it does not read beyond the size of a single bit field element. Thus, H5T__bit_copy does not result in a buffer overflow. There are several other calls to H5T__bit_copy which might be subject to a similar issue. + +This PR fixes CVE-2025-2309. + +CVE: CVE-2025-2309 + +Upstream-Status: Backport [https://github.com/HDFGroup/hdf5/commit/9d90b21ef5c5373978014f1a711795aa653bd9a1] + +Signed-off-by: Libo Chen +--- + src/H5Odtype.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/src/H5Odtype.c b/src/H5Odtype.c +index 24671b0..085ce24 100644 +--- a/src/H5Odtype.c ++++ b/src/H5Odtype.c +@@ -307,6 +307,15 @@ H5O__dtype_decode_helper(unsigned *ioflags /*in,out*/, const uint8_t **pp, H5T_t + HGOTO_ERROR(H5E_OHDR, H5E_OVERFLOW, FAIL, "ran off end of input buffer while decoding"); + UINT16DECODE(*pp, dt->shared->u.atomic.offset); + UINT16DECODE(*pp, dt->shared->u.atomic.prec); ++ ++ /* Sanity checks */ ++ if (dt->shared->u.atomic.offset >= (dt->shared->size * 8)) ++ HGOTO_ERROR(H5E_DATATYPE, H5E_BADRANGE, FAIL, "bitfield offset out of bounds"); ++ if (0 == dt->shared->u.atomic.prec) ++ HGOTO_ERROR(H5E_DATATYPE, H5E_BADVALUE, FAIL, "bitfield precision is zero"); ++ if (((dt->shared->u.atomic.offset + dt->shared->u.atomic.prec) - 1) >= (dt->shared->size * 8)) ++ HGOTO_ERROR(H5E_DATATYPE, H5E_BADRANGE, FAIL, "bitfield offset+precision out of bounds"); ++ + break; + + case H5T_OPAQUE: { +-- +2.34.1 + diff --git a/meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb b/meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb index 9cf3f98fe3..d821fb8f34 100644 
--- a/meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb +++ b/meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb 
@@ -28,6 +28,7 @@ SRC_URI = " \ file://CVE-2025-2153.patch \ file://CVE-2025-2310.patch \ file://CVE-2025-44905.patch \ + file://CVE-2025-2309.patch \ " SRC_URI[sha256sum] = "019ac451d9e1cf89c0482ba2a06f07a46166caf23f60fea5ef3c37724a318e03" From patchwork Thu Apr 9 06:19:01 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Wang, Jinfeng (CN)" X-Patchwork-Id: 85575 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id CE3FFE98FD7 for ; Thu, 9 Apr 2026 06:19:21 +0000 (UTC) Received: from mx0b-0064b401.pphosted.com (mx0b-0064b401.pphosted.com [205.220.178.238]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.126489.1775715556900566449 for ; Wed, 08 Apr 2026 23:19:17 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@windriver.com header.s=PPS06212021 header.b=LzmVe/Pi; spf=permerror, err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}: invalid domain name (domain: windriver.com, ip: 205.220.178.238, mailfrom: prvs=8559144404=jinfeng.wang.cn@windriver.com) Received: from pps.filterd (m0250812.ppops.net [127.0.0.1]) by mx0a-0064b401.pphosted.com (8.18.1.11/8.18.1.11) with ESMTP id 638NUVwR1189662 for ; Thu, 9 Apr 2026 06:19:16 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=windriver.com; h=content-transfer-encoding:content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to; s=PPS06212021; bh=wOkthnVHnTDHtB58hgBx7pAEdmREM0mtNAXdguxoqKc=; b=LzmVe/Pi9+gC OgkMBw+a3bn5PhSW0x8uQtGrgwJgSHZk9O7Vxo2ilItnVgOZTJx6fO7I6DwvH5Xe aPmZq5MSPyXlmgwwil8KISy+W0oihAyYigN5NUwI3ROM3K2BQnwmMhsQCi9p0kXW 2Cs2OajNKnVCLUKItBZ4U0xkRz/ykJJGUholsspZOZX+UhoI4m6HlcWuHjQig+4S cbloz0U+vJaE6xB55ZSjJ3qORHWryKxccQoJ1ckiTnW8jbrGkLVGxcQcEjdsFG7+ 
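Review bot: on the CVE-2025-2309 patch above, the new sanity checks in the H5Odtype.c hunk sit only in the decode case that ends just before "case H5T_OPAQUE", while the commit message itself says several other H5T__bit_copy callers might have a similar issue. Please state in the backport message whether any other datatype classes that decode an offset and precision are already bounded in this version or are left for a follow-up, so the patch is not read as closing every path into H5T__bit_copy. The quoted advisory names HDF5 1.14.6 and the recipe being patched is hdf5_1.14.4-3.bb, so the message should also say that the affected decode code is present in 1.14.4-3. Minor: once prec is known to be non-zero, the first check (offset >= size * 8) is implied by the third; keeping it is fine for the more specific error text.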
From: To: Subject: [meta-oe][scarthgap][PATCH 08/11] hdf5: fix CVE-2025-2308 Date: Thu, 9 Apr 2026 14:19:01 +0800 Message-ID: <20260409061904.1694992-9-jinfeng.wang.cn@windriver.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20260409061904.1694992-1-jinfeng.wang.cn@windriver.com> References: <20260409061904.1694992-1-jinfeng.wang.cn@windriver.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from
45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 09 Apr 2026 06:19:21 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/126119 From: Libo Chen According to [1], A vulnerability, which was classified as critical, was found in HDF5 1.14.6. This affects the function H5Z__scaleoffset_decompress_one_byte of the component Scale-Offset Filter. The manipulation leads to heap-based buffer overflow. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The vendor plans to fix this issue in an upcoming release. Backport patch [2] from upstream to fix CVE-2025-2308 [1] https://nvd.nist.gov/vuln/detail/CVE-2025-2308 [2] https://github.com/HDFGroup/hdf5/commit/2ce7fdc4cf147d280aa6d49686297faacc250e40 Signed-off-by: Libo Chen Signed-off-by: Jinfeng Wang --- .../hdf5/files/CVE-2025-2308.patch | 2120 +++++++++++++++++ meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb | 1 + 2 files changed, 2121 insertions(+) create mode 100644 meta-oe/recipes-support/hdf5/files/CVE-2025-2308.patch diff --git a/meta-oe/recipes-support/hdf5/files/CVE-2025-2308.patch b/meta-oe/recipes-support/hdf5/files/CVE-2025-2308.patch new file mode 100644 index 0000000000..13b04bf8a1 --- /dev/null +++ b/meta-oe/recipes-support/hdf5/files/CVE-2025-2308.patch 
@@ -0,0 +1,2120 @@ +From cbce4c2ecf6f5557605890eec125ecfaa4371131 Mon Sep 17 00:00:00 2001 +From: Libo Chen +Date: Fri, 30 Jan 2026 16:43:04 +0800 +Subject: [PATCH] Fix CVE-2025-2308 (#5960) + +A malformed file can cause the scale-offset filter to have too little input data causing a heap buffer overflow. Additional checks on the maximum buffer length are required during the decompression. + +This PR fixes CVE-2025-2308. + +CVE: CVE-2025-2308 + +Upstream-Status: Backport [https://github.com/HDFGroup/hdf5/commit/2ce7fdc4cf147d280aa6d49686297faacc250e40] + +Signed-off-by: Libo Chen +--- + src/H5Zscaleoffset.c | 177 ++-- + src/H5Zscaleoffset.c.orig | 1781 +++++++++++++++++++++++++++++++++++++ + 2 files changed, 1886 insertions(+), 72 deletions(-) + create mode 100644 src/H5Zscaleoffset.c.orig + +diff --git a/src/H5Zscaleoffset.c b/src/H5Zscaleoffset.c +index fbf12d6..8355b13 100644 +--- a/src/H5Zscaleoffset.c ++++ b/src/H5Zscaleoffset.c +@@ -69,21 +69,22 @@ static herr_t H5Z__scaleoffset_precompress_fd(void *data, unsigned d_nelmts, enu + static herr_t H5Z__scaleoffset_postdecompress_fd(void *data, unsigned d_nelmts, enum H5Z_scaleoffset_t type, + unsigned filavail, const unsigned cd_values[], + uint32_t minbits, unsigned long long minval, double D_val); +-static void H5Z__scaleoffset_next_byte(size_t *j, unsigned *buf_len); +-static void H5Z__scaleoffset_decompress_one_byte(unsigned char *data, size_t data_offset, unsigned k, +- unsigned begin_i, const unsigned char *buffer, size_t *j, +- unsigned *buf_len, parms_atomic p, unsigned dtype_len); ++static void H5Z__scaleoffset_next_byte(size_t *j, unsigned *bits_to_fill); ++static herr_t H5Z__scaleoffset_decompress_one_byte(unsigned char *data, size_t data_offset, unsigned k, ++ unsigned begin_i, const unsigned char *buffer, ++ size_t buf_size, size_t *j, unsigned *bits_to_fill, ++ parms_atomic p, unsigned dtype_len); + static void H5Z__scaleoffset_compress_one_byte(const unsigned char *data, size_t data_offset, 
unsigned k, + unsigned begin_i, unsigned char *buffer, size_t *j, +- unsigned *buf_len, parms_atomic p, unsigned dtype_len); +-static void H5Z__scaleoffset_decompress_one_atomic(unsigned char *data, size_t data_offset, +- unsigned char *buffer, size_t *j, unsigned *buf_len, +- parms_atomic p); ++ unsigned *bits_to_fill, parms_atomic p, unsigned dtype_len); ++static herr_t H5Z__scaleoffset_decompress_one_atomic(unsigned char *data, size_t data_offset, ++ unsigned char *buffer, size_t buf_size, size_t *j, ++ unsigned *bits_to_fill, parms_atomic p); + static void H5Z__scaleoffset_compress_one_atomic(unsigned char *data, size_t data_offset, +- unsigned char *buffer, size_t *j, unsigned *buf_len, ++ unsigned char *buffer, size_t *j, unsigned *bits_to_fill, + parms_atomic p); +-static void H5Z__scaleoffset_decompress(unsigned char *data, unsigned d_nelmts, unsigned char *buffer, +- parms_atomic p); ++static herr_t H5Z__scaleoffset_decompress(unsigned char *data, unsigned d_nelmts, unsigned char *buffer, ++ size_t buf_size, parms_atomic p); + static void H5Z__scaleoffset_compress(unsigned char *data, unsigned d_nelmts, unsigned char *buffer, + size_t buffer_size, parms_atomic p); + +@@ -1261,8 +1262,11 @@ H5Z__filter_scaleoffset(unsigned flags, size_t cd_nelmts, const unsigned cd_valu + } + + /* decompress the buffer if minbits not equal to zero */ +- if (minbits != 0) +- H5Z__scaleoffset_decompress(outbuf, d_nelmts, (unsigned char *)(*buf) + buf_offset, p); ++ if (minbits != 0) { ++ if (H5Z__scaleoffset_decompress(outbuf, d_nelmts, (unsigned char *)(*buf) + buf_offset, ++ *buf_size - buf_offset, p)) ++ HGOTO_ERROR(H5E_PLINE, H5E_BADVALUE, 0, "Scaleoffset decompression failed"); ++ } + else { + /* fill value is not defined and all data elements have the same value */ + for (i = 0; i < size_out; i++) +@@ -1603,55 +1607,69 @@ done: + } + + static void +-H5Z__scaleoffset_next_byte(size_t *j, unsigned *buf_len) ++H5Z__scaleoffset_next_byte(size_t *j, unsigned *bits_to_fill) + 
{ + ++(*j); +- *buf_len = 8 * sizeof(unsigned char); ++ *bits_to_fill = 8 * sizeof(unsigned char); + } + +-static void ++static herr_t + H5Z__scaleoffset_decompress_one_byte(unsigned char *data, size_t data_offset, unsigned k, unsigned begin_i, +- const unsigned char *buffer, size_t *j, unsigned *buf_len, +- parms_atomic p, unsigned dtype_len) ++ const unsigned char *buffer, size_t buf_size, size_t *j, ++ unsigned *bits_to_fill, parms_atomic p, unsigned dtype_len) + { +- unsigned dat_len; /* dat_len is the number of bits to be copied in each data byte */ +- unsigned char val; /* value to be copied in each data byte */ ++ unsigned bits_to_copy; /* bits_to_copy is the number of bits to be copied in each data byte */ ++ unsigned char val; /* value to be copied in each data byte */ ++ herr_t ret_value = SUCCEED; /* Return value */ ++ ++ FUNC_ENTER_PACKAGE ++ ++ if (*j >= buf_size) ++ HGOTO_ERROR(H5E_PLINE, H5E_BADVALUE, 0, "Buffer too short"); + + /* initialize value and bits of unsigned char to be copied */ + val = buffer[*j]; + if (k == begin_i) +- dat_len = 8 - (dtype_len - p.minbits) % 8; ++ bits_to_copy = 8 - (dtype_len - p.minbits) % 8; + else +- dat_len = 8; ++ bits_to_copy = 8; + +- if (*buf_len > dat_len) { +- data[data_offset + k] = +- (unsigned char)((unsigned)(val >> (*buf_len - dat_len)) & (unsigned)(~((unsigned)~0 << dat_len))); +- *buf_len -= dat_len; ++ if (*bits_to_fill > bits_to_copy) { ++ data[data_offset + k] = (unsigned char)((unsigned)(val >> (*bits_to_fill - bits_to_copy)) & ++ (unsigned)(~((unsigned)~0 << bits_to_copy))); ++ *bits_to_fill -= bits_to_copy; + } /* end if */ + else { + data[data_offset + k] = +- (unsigned char)((val & ~((unsigned)(~0) << *buf_len)) << (dat_len - *buf_len)); +- dat_len -= *buf_len; +- H5Z__scaleoffset_next_byte(j, buf_len); +- if (dat_len == 0) +- return; ++ (unsigned char)((val & ~((unsigned)(~0) << *bits_to_fill)) << (bits_to_copy - *bits_to_fill)); ++ bits_to_copy -= *bits_to_fill; ++ 
H5Z__scaleoffset_next_byte(j, bits_to_fill); ++ if (bits_to_copy == 0) ++ goto done; ++ else if (*j >= buf_size) ++ HGOTO_ERROR(H5E_PLINE, H5E_BADVALUE, 0, "Buffer too short"); + + val = buffer[*j]; +- data[data_offset + k] |= +- (unsigned char)((unsigned)(val >> (*buf_len - dat_len)) & ~((unsigned)(~0) << dat_len)); +- *buf_len -= dat_len; ++ data[data_offset + k] |= (unsigned char)((unsigned)(val >> (*bits_to_fill - bits_to_copy)) & ++ ~((unsigned)(~0) << bits_to_copy)); ++ *bits_to_fill -= bits_to_copy; + } /* end else */ ++ ++done: ++ FUNC_LEAVE_NOAPI(ret_value) + } + +-static void ++static herr_t + H5Z__scaleoffset_decompress_one_atomic(unsigned char *data, size_t data_offset, unsigned char *buffer, +- size_t *j, unsigned *buf_len, parms_atomic p) ++ size_t buf_size, size_t *j, unsigned *bits_to_fill, parms_atomic p) + { + /* begin_i: the index of byte having first significant bit */ + unsigned begin_i; + unsigned dtype_len; + int k; ++ herr_t ret_value = SUCCEED; /* Return value */ ++ ++ FUNC_ENTER_PACKAGE + + assert(p.minbits > 0); + +@@ -1661,8 +1679,9 @@ H5Z__scaleoffset_decompress_one_atomic(unsigned char *data, size_t data_offset, + begin_i = p.size - 1 - (dtype_len - p.minbits) / 8; + + for (k = (int)begin_i; k >= 0; k--) +- H5Z__scaleoffset_decompress_one_byte(data, data_offset, (unsigned)k, begin_i, buffer, j, buf_len, +- p, dtype_len); ++ if (H5Z__scaleoffset_decompress_one_byte(data, data_offset, (unsigned)k, begin_i, buffer, ++ buf_size, j, bits_to_fill, p, dtype_len)) ++ HGOTO_ERROR(H5E_PLINE, H5E_BADVALUE, 0, "Atomic decompression failed"); + } + else { /* big endian */ + assert(p.mem_order == H5Z_SCALEOFFSET_ORDER_BE); +@@ -1670,67 +1689,81 @@ H5Z__scaleoffset_decompress_one_atomic(unsigned char *data, size_t data_offset, + begin_i = (dtype_len - p.minbits) / 8; + + for (k = (int)begin_i; k <= (int)(p.size - 1); k++) +- H5Z__scaleoffset_decompress_one_byte(data, data_offset, (unsigned)k, begin_i, buffer, j, buf_len, +- p, dtype_len); ++ if 
(H5Z__scaleoffset_decompress_one_byte(data, data_offset, (unsigned)k, begin_i, buffer, ++ buf_size, j, bits_to_fill, p, dtype_len)) ++ HGOTO_ERROR(H5E_PLINE, H5E_BADVALUE, 0, "Atomic decompression failed"); + } ++ ++done: ++ FUNC_LEAVE_NOAPI(ret_value) + } + +-static void +-H5Z__scaleoffset_decompress(unsigned char *data, unsigned d_nelmts, unsigned char *buffer, parms_atomic p) ++static herr_t ++H5Z__scaleoffset_decompress(unsigned char *data, unsigned d_nelmts, unsigned char *buffer, size_t buf_size, ++ parms_atomic p) + { + /* i: index of data, j: index of buffer, +- buf_len: number of bits to be filled in current byte */ ++ bits_to_fill: number of bits to be filled in current byte */ + size_t i, j; +- unsigned buf_len; ++ unsigned bits_to_fill; ++ herr_t ret_value = SUCCEED; /* Return value */ ++ ++ FUNC_ENTER_PACKAGE + + /* must initialize to zeros */ + for (i = 0; i < d_nelmts * (size_t)p.size; i++) + data[i] = 0; + + /* initialization before the loop */ +- j = 0; +- buf_len = sizeof(unsigned char) * 8; ++ j = 0; ++ bits_to_fill = sizeof(unsigned char) * 8; + + /* decompress */ + for (i = 0; i < d_nelmts; i++) +- H5Z__scaleoffset_decompress_one_atomic(data, i * p.size, buffer, &j, &buf_len, p); ++ if (H5Z__scaleoffset_decompress_one_atomic(data, i * p.size, buffer, buf_size, &j, &bits_to_fill, p)) ++ HGOTO_ERROR(H5E_PLINE, H5E_BADVALUE, 0, "Scaleoffset decompression failed"); ++ ++done: ++ FUNC_LEAVE_NOAPI(ret_value) + } + + static void + H5Z__scaleoffset_compress_one_byte(const unsigned char *data, size_t data_offset, unsigned k, +- unsigned begin_i, unsigned char *buffer, size_t *j, unsigned *buf_len, ++ unsigned begin_i, unsigned char *buffer, size_t *j, unsigned *bits_to_fill, + parms_atomic p, unsigned dtype_len) + { +- unsigned dat_len; /* dat_len is the number of bits to be copied in each data byte */ +- unsigned char val; /* value to be copied in each data byte */ ++ unsigned bits_to_copy; /* bits_to_copy is the number of bits to be copied in each 
data byte */ ++ unsigned char val; /* value to be copied in each data byte */ + + /* initialize value and bits of unsigned char to be copied */ + val = data[data_offset + k]; + if (k == begin_i) +- dat_len = 8 - (dtype_len - p.minbits) % 8; ++ bits_to_copy = 8 - (dtype_len - p.minbits) % 8; + else +- dat_len = 8; ++ bits_to_copy = 8; + +- if (*buf_len > dat_len) { +- buffer[*j] |= (unsigned char)((val & ~((unsigned)(~0) << dat_len)) << (*buf_len - dat_len)); +- *buf_len -= dat_len; ++ if (*bits_to_fill > bits_to_copy) { ++ buffer[*j] |= ++ (unsigned char)((val & ~((unsigned)(~0) << bits_to_copy)) << (*bits_to_fill - bits_to_copy)); ++ *bits_to_fill -= bits_to_copy; + } + else { +- buffer[*j] |= +- (unsigned char)((unsigned)(val >> (dat_len - *buf_len)) & ~((unsigned)(~0) << *buf_len)); +- dat_len -= *buf_len; +- H5Z__scaleoffset_next_byte(j, buf_len); +- if (dat_len == 0) ++ buffer[*j] |= (unsigned char)((unsigned)(val >> (bits_to_copy - *bits_to_fill)) & ++ ~((unsigned)(~0) << *bits_to_fill)); ++ bits_to_copy -= *bits_to_fill; ++ H5Z__scaleoffset_next_byte(j, bits_to_fill); ++ if (bits_to_copy == 0) + return; + +- buffer[*j] = (unsigned char)((val & ~((unsigned)(~0) << dat_len)) << (*buf_len - dat_len)); +- *buf_len -= dat_len; ++ buffer[*j] = ++ (unsigned char)((val & ~((unsigned)(~0) << bits_to_copy)) << (*bits_to_fill - bits_to_copy)); ++ *bits_to_fill -= bits_to_copy; + } /* end else */ + } + + static void + H5Z__scaleoffset_compress_one_atomic(unsigned char *data, size_t data_offset, unsigned char *buffer, +- size_t *j, unsigned *buf_len, parms_atomic p) ++ size_t *j, unsigned *bits_to_fill, parms_atomic p) + { + /* begin_i: the index of byte having first significant bit */ + unsigned begin_i; +@@ -1745,16 +1778,16 @@ H5Z__scaleoffset_compress_one_atomic(unsigned char *data, size_t data_offset, un + begin_i = p.size - 1 - (dtype_len - p.minbits) / 8; + + for (k = (int)begin_i; k >= 0; k--) +- H5Z__scaleoffset_compress_one_byte(data, data_offset, (unsigned)k, 
begin_i, buffer, j, buf_len, p, +- dtype_len); ++ H5Z__scaleoffset_compress_one_byte(data, data_offset, (unsigned)k, begin_i, buffer, j, ++ bits_to_fill, p, dtype_len); + } + else { /* big endian */ + assert(p.mem_order == H5Z_SCALEOFFSET_ORDER_BE); + begin_i = (dtype_len - p.minbits) / 8; + + for (k = (int)begin_i; k <= (int)(p.size - 1); k++) +- H5Z__scaleoffset_compress_one_byte(data, data_offset, (unsigned)k, begin_i, buffer, j, buf_len, p, +- dtype_len); ++ H5Z__scaleoffset_compress_one_byte(data, data_offset, (unsigned)k, begin_i, buffer, j, ++ bits_to_fill, p, dtype_len); + } + } + +@@ -1763,19 +1796,19 @@ H5Z__scaleoffset_compress(unsigned char *data, unsigned d_nelmts, unsigned char + parms_atomic p) + { + /* i: index of data, j: index of buffer, +- buf_len: number of bits to be filled in current byte */ ++ bits_to_fill: number of bits to be filled in current byte */ + size_t i, j; +- unsigned buf_len; ++ unsigned bits_to_fill; + + /* must initialize buffer to be zeros */ + for (j = 0; j < buffer_size; j++) + buffer[j] = 0; + + /* initialization before the loop */ +- j = 0; +- buf_len = sizeof(unsigned char) * 8; ++ j = 0; ++ bits_to_fill = sizeof(unsigned char) * 8; + + /* compress */ + for (i = 0; i < d_nelmts; i++) +- H5Z__scaleoffset_compress_one_atomic(data, i * p.size, buffer, &j, &buf_len, p); ++ H5Z__scaleoffset_compress_one_atomic(data, i * p.size, buffer, &j, &bits_to_fill, p); + } +diff --git a/src/H5Zscaleoffset.c.orig b/src/H5Zscaleoffset.c.orig +new file mode 100644 +index 0000000..fbf12d6 +--- /dev/null ++++ b/src/H5Zscaleoffset.c.orig +@@ -0,0 +1,1781 @@ ++/* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * ++ * Copyright by The HDF Group. * ++ * All rights reserved. * ++ * * ++ * This file is part of HDF5. 
The full HDF5 copyright notice, including * ++ * terms governing use, modification, and redistribution, is contained in * ++ * the COPYING file, which can be found at the root of the source code * ++ * distribution tree, or in https://www.hdfgroup.org/licenses. * ++ * If you do not have access to either file, you may request a copy from * ++ * help@hdfgroup.org. * ++ * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */ ++ ++#include "H5Zmodule.h" /* This source code file is part of the H5Z module */ ++ ++#include "H5private.h" /* Generic Functions */ ++#include "H5Eprivate.h" /* Error handling */ ++#include "H5Iprivate.h" /* IDs */ ++#include "H5MMprivate.h" /* Memory management */ ++#include "H5Pprivate.h" /* Property lists */ ++#include "H5Oprivate.h" /* Object headers */ ++#include "H5Sprivate.h" /* Dataspaces */ ++#include "H5Tprivate.h" /* Datatypes */ ++#include "H5Zpkg.h" /* Data filters */ ++ ++/* Struct of parameters needed for compressing/decompressing one atomic datatype */ ++typedef struct { ++ unsigned size; /* datatype size */ ++ uint32_t minbits; /* minimum bits to compress one value of such datatype */ ++ unsigned mem_order; /* current memory endianness order */ ++} parms_atomic; ++ ++enum H5Z_scaleoffset_t { ++ t_bad = 0, ++ t_uchar = 1, ++ t_ushort, ++ t_uint, ++ t_ulong, ++ t_ulong_long, ++ t_schar, ++ t_short, ++ t_int, ++ t_long, ++ t_long_long, ++ t_float, ++ t_double ++}; ++ ++/* Local function prototypes */ ++static htri_t H5Z__can_apply_scaleoffset(hid_t dcpl_id, hid_t type_id, hid_t space_id); ++static enum H5Z_scaleoffset_t H5Z__scaleoffset_get_type(unsigned dtype_class, unsigned dtype_size, ++ unsigned dtype_sign); ++static herr_t H5Z__scaleoffset_set_parms_fillval(H5P_genplist_t *dcpl_plist, H5T_t *type, ++ enum H5Z_scaleoffset_t scale_type, unsigned cd_values[], ++ int need_convert); ++static herr_t H5Z__set_local_scaleoffset(hid_t dcpl_id, hid_t type_id, hid_t space_id); ++static size_t 
H5Z__filter_scaleoffset(unsigned flags, size_t cd_nelmts, const unsigned cd_values[], ++ size_t nbytes, size_t *buf_size, void **buf); ++static void H5Z__scaleoffset_convert(void *buf, unsigned d_nelmts, unsigned dtype_size); ++static H5_ATTR_CONST unsigned H5Z__scaleoffset_log2(unsigned long long num); ++static void H5Z__scaleoffset_precompress_i(void *data, unsigned d_nelmts, enum H5Z_scaleoffset_t type, ++ unsigned filavail, const unsigned cd_values[], uint32_t *minbits, ++ unsigned long long *minval); ++static void H5Z__scaleoffset_postdecompress_i(void *data, unsigned d_nelmts, enum H5Z_scaleoffset_t type, ++ unsigned filavail, const unsigned cd_values[], uint32_t minbits, ++ unsigned long long minval); ++static herr_t H5Z__scaleoffset_precompress_fd(void *data, unsigned d_nelmts, enum H5Z_scaleoffset_t type, ++ unsigned filavail, const unsigned cd_values[], ++ uint32_t *minbits, unsigned long long *minval, double D_val); ++static herr_t H5Z__scaleoffset_postdecompress_fd(void *data, unsigned d_nelmts, enum H5Z_scaleoffset_t type, ++ unsigned filavail, const unsigned cd_values[], ++ uint32_t minbits, unsigned long long minval, double D_val); ++static void H5Z__scaleoffset_next_byte(size_t *j, unsigned *buf_len); ++static void H5Z__scaleoffset_decompress_one_byte(unsigned char *data, size_t data_offset, unsigned k, ++ unsigned begin_i, const unsigned char *buffer, size_t *j, ++ unsigned *buf_len, parms_atomic p, unsigned dtype_len); ++static void H5Z__scaleoffset_compress_one_byte(const unsigned char *data, size_t data_offset, unsigned k, ++ unsigned begin_i, unsigned char *buffer, size_t *j, ++ unsigned *buf_len, parms_atomic p, unsigned dtype_len); ++static void H5Z__scaleoffset_decompress_one_atomic(unsigned char *data, size_t data_offset, ++ unsigned char *buffer, size_t *j, unsigned *buf_len, ++ parms_atomic p); ++static void H5Z__scaleoffset_compress_one_atomic(unsigned char *data, size_t data_offset, ++ unsigned char *buffer, size_t *j, unsigned 
*buf_len, ++ parms_atomic p); ++static void H5Z__scaleoffset_decompress(unsigned char *data, unsigned d_nelmts, unsigned char *buffer, ++ parms_atomic p); ++static void H5Z__scaleoffset_compress(unsigned char *data, unsigned d_nelmts, unsigned char *buffer, ++ size_t buffer_size, parms_atomic p); ++ ++/* This message derives from H5Z */ ++H5Z_class2_t H5Z_SCALEOFFSET[1] = {{ ++ H5Z_CLASS_T_VERS, /* H5Z_class_t version */ ++ H5Z_FILTER_SCALEOFFSET, /* Filter id number */ ++ 1, /* Assume encoder present: check before registering */ ++ 1, /* decoder_present flag (set to true) */ ++ "scaleoffset", /* Filter name for debugging */ ++ H5Z__can_apply_scaleoffset, /* The "can apply" callback */ ++ H5Z__set_local_scaleoffset, /* The "set local" callback */ ++ H5Z__filter_scaleoffset, /* The actual filter function */ ++}}; ++ ++/* Local macros */ ++#define H5Z_SCALEOFFSET_TOTAL_NPARMS 20 /* Total number of parameters for filter */ ++#define H5Z_SCALEOFFSET_PARM_SCALETYPE 0 /* "User" parameter for scale type */ ++#define H5Z_SCALEOFFSET_PARM_SCALEFACTOR 1 /* "User" parameter for scale factor */ ++#define H5Z_SCALEOFFSET_PARM_NELMTS 2 /* "Local" parameter for number of elements in the chunk */ ++#define H5Z_SCALEOFFSET_PARM_CLASS 3 /* "Local" parameter for datatype class */ ++#define H5Z_SCALEOFFSET_PARM_SIZE 4 /* "Local" parameter for datatype size */ ++#define H5Z_SCALEOFFSET_PARM_SIGN 5 /* "Local" parameter for integer datatype sign */ ++#define H5Z_SCALEOFFSET_PARM_ORDER 6 /* "Local" parameter for datatype byte order */ ++#define H5Z_SCALEOFFSET_PARM_FILAVAIL 7 /* "Local" parameter for dataset fill value existence */ ++#define H5Z_SCALEOFFSET_PARM_FILVAL 8 /* "Local" parameter for start location to store dataset fill value */ ++ ++#define H5Z_SCALEOFFSET_CLS_INTEGER 0 /* Integer (datatype class) */ ++#define H5Z_SCALEOFFSET_CLS_FLOAT 1 /* Floatig-point (datatype class) */ ++ ++#define H5Z_SCALEOFFSET_SGN_NONE 0 /* Unsigned integer type */ ++#define H5Z_SCALEOFFSET_SGN_2 1 
/* Two's complement signed integer type */ ++ ++#define H5Z_SCALEOFFSET_ORDER_LE 0 /* Little endian (datatype byte order) */ ++#define H5Z_SCALEOFFSET_ORDER_BE 1 /* Big endian (datatype byte order) */ ++ ++#define H5Z_SCALEOFFSET_FILL_UNDEFINED 0 /* Fill value is not defined */ ++#define H5Z_SCALEOFFSET_FILL_DEFINED 1 /* Fill value is defined */ ++ ++/* Store fill value in cd_values[] */ ++#define H5Z_scaleoffset_save_filval(type, cd_values, fill_val) \ ++ { \ ++ unsigned _i = H5Z_SCALEOFFSET_PARM_FILVAL; /* index into cd_values */ \ ++ uint32_t _cd_value; /* Current cd_value */ \ ++ char *_fv_p; /* Pointer to current byte in fill_val */ \ ++ size_t _copy_size = 4; /* # of bytes to copy this iteration */ \ ++ size_t _size_rem = sizeof(type); /* # of bytes left to copy to cd_values */ \ ++ \ ++ /* Store the fill value as the last entry in cd_values[] \ ++ * Store byte by byte from least significant byte to most significant byte \ ++ * Plenty of space left for the fill value (from index 8 to 19) \ ++ * H5O_pline_encode will byte-swap each individual cd value, but we still \ ++ * need to swap the cd values as a whole if we are on a BE machine. Note \ ++ * that we need to make sure to put the data only in the lowest 4 bytes of \ ++ * each, if sizeof(unsigned) > 4. 
\ ++ */ \ ++ if (H5T_native_order_g == H5T_ORDER_LE) { \ ++ _fv_p = (char *)&(fill_val); \ ++ /* Copy 4 bytes at a time to each cd value */ \ ++ do { \ ++ if (_size_rem < 4) { \ ++ /* Amount left to copy is smaller than a cd_value, adjust copy \ ++ * size and initialize cd_value as it will not be fully \ ++ * overwritten */ \ ++ _copy_size = _size_rem; \ ++ _cd_value = (uint32_t)0; \ ++ } /* end if */ \ ++ \ ++ /* Copy the value */ \ ++ H5MM_memcpy(&_cd_value, _fv_p, _copy_size); \ ++ (cd_values)[_i] = (unsigned)_cd_value; \ ++ \ ++ /* Next field */ \ ++ _i++; \ ++ _fv_p += _copy_size; \ ++ _size_rem -= _copy_size; \ ++ } while (_size_rem); \ ++ } /* end if */ \ ++ else { \ ++ assert(H5T_native_order_g == H5T_ORDER_BE); \ ++ \ ++ /* Copy 4 bytes at a time to each cd value, but start at the end \ ++ * (highest address) of fill_val */ \ ++ _fv_p = ((char *)&(fill_val)) + sizeof(type) - MIN(4, _size_rem); \ ++ while (_size_rem >= 4) { \ ++ /* Copy the value */ \ ++ H5MM_memcpy(&_cd_value, _fv_p, _copy_size); \ ++ (cd_values)[_i] = (unsigned)_cd_value; \ ++ \ ++ /* Next field */ \ ++ _i++; \ ++ _size_rem -= 4; \ ++ if (_size_rem >= 4) \ ++ _fv_p -= 4; \ ++ else \ ++ _fv_p -= _size_rem; \ ++ } /* end while */ \ ++ \ ++ assert(_fv_p == (char *)&(fill_val)); \ ++ if (_size_rem) { \ ++ /* Amount left to copy is smaller than a cd_value, initialize \ ++ * _cd_value as it will not be fully overwritten and copy to the end \ ++ * of _cd value as it is BE. 
*/ \ ++ _cd_value = (uint32_t)0; \ ++ H5MM_memcpy((char *)&_cd_value + 4 - _size_rem, _fv_p, _size_rem); \ ++ (cd_values)[_i] = (unsigned)_cd_value; \ ++ } /* end if */ \ ++ } /* end else */ \ ++ } ++ ++/* Set the fill value parameter in cd_values[] for unsigned integer type */ ++#define H5Z_scaleoffset_set_filval_1(type, dcpl_plist, dt, cd_values, need_convert) \ ++ do { \ ++ type fill_val; \ ++ \ ++ /* Get dataset fill value */ \ ++ if (H5P_get_fill_value(dcpl_plist, dt, &fill_val) < 0) \ ++ HGOTO_ERROR(H5E_PLINE, H5E_CANTGET, FAIL, "unable to get fill value"); \ ++ \ ++ if (need_convert) \ ++ H5Z__scaleoffset_convert(&fill_val, 1, sizeof(type)); \ ++ \ ++ H5Z_scaleoffset_save_filval(type, cd_values, fill_val) \ ++ } while (0) ++ ++/* Set the fill value parameter in cd_values[] for signed integer type */ ++#define H5Z_scaleoffset_set_filval_2(type, dcpl_plist, dt, cd_values, need_convert) \ ++ do { \ ++ type fill_val; \ ++ \ ++ /* Get dataset fill value */ \ ++ if (H5P_get_fill_value(dcpl_plist, dt, &fill_val) < 0) \ ++ HGOTO_ERROR(H5E_PLINE, H5E_CANTGET, FAIL, "unable to get fill value"); \ ++ \ ++ if (need_convert) \ ++ H5Z__scaleoffset_convert(&fill_val, 1, sizeof(type)); \ ++ \ ++ H5Z_scaleoffset_save_filval(unsigned type, cd_values, fill_val) \ ++ } while (0) ++ ++/* Set the fill value parameter in cd_values[] for character integer type */ ++#define H5Z_scaleoffset_set_filval_3(type, dcpl_plist, dt, cd_values, need_convert) \ ++ do { \ ++ type fill_val; \ ++ \ ++ /* Get dataset fill value */ \ ++ if (H5P_get_fill_value(dcpl_plist, dt, &fill_val) < 0) \ ++ HGOTO_ERROR(H5E_PLINE, H5E_CANTGET, FAIL, "unable to get fill value"); \ ++ \ ++ /* Store the fill value as the last entry in cd_values[] */ \ ++ (cd_values)[H5Z_SCALEOFFSET_PARM_FILVAL] = (unsigned)((unsigned char)fill_val); \ ++ } while (0) ++ ++/* Set the fill value parameter in cd_values[] for floating-point type */ ++#define H5Z_scaleoffset_set_filval_4(type, dcpl_plist, dt, cd_values, need_convert) \ 
++ do { \ ++ type fill_val; \ ++ \ ++ /* Get dataset fill value */ \ ++ if (H5P_get_fill_value(dcpl_plist, dt, &fill_val) < 0) \ ++ HGOTO_ERROR(H5E_PLINE, H5E_CANTGET, FAIL, "unable to get fill value"); \ ++ \ ++ if (need_convert) \ ++ H5Z__scaleoffset_convert(&fill_val, 1, sizeof(type)); \ ++ \ ++ H5Z_scaleoffset_save_filval(type, cd_values, fill_val) \ ++ } while (0) ++ ++/* Get the fill value for integer type */ ++#define H5Z_scaleoffset_get_filval_1(type, cd_values, fill_val) \ ++ do { \ ++ unsigned _i = H5Z_SCALEOFFSET_PARM_FILVAL; /* index into cd_values */ \ ++ uint32_t _cd_value; /* Current cd_value */ \ ++ char *_fv_p; /* Pointer to current byte in fill_val */ \ ++ size_t _copy_size = 4; /* # of bytes to copy this iteration */ \ ++ size_t _size_rem = sizeof(type); /* # of bytes left to copy to filval */ \ ++ \ ++ /* Retrieve the fill value from the last entry in cd_values[] \ ++ * Store byte by byte from least significant byte to most significant byte \ ++ * Plenty of space left for the fill value (from index 8 to 19) \ ++ * H5O_pline_encode will byte-swap each individual cd value, but we still \ ++ * need to swap the cd values as a whole if we are on a BE machine. Note \ ++ * that we need to make sure to put the data only in the lowest 4 bytes of \ ++ * each, if sizeof(unsigned) > 4. 
\ ++ */ \ ++ if (H5T_native_order_g == H5T_ORDER_LE) { \ ++ _fv_p = (char *)&(fill_val); \ ++ /* Copy 4 bytes at a time to each cd value */ \ ++ do { \ ++ if (_size_rem < 4) \ ++ /* Amount left to copy is smaller than a cd_value, adjust copy \ ++ * size and initialize cd_value as it will not be fully \ ++ * overwritten */ \ ++ _copy_size = _size_rem; \ ++ \ ++ /* Copy the value */ \ ++ _cd_value = (uint32_t)(cd_values)[_i]; \ ++ H5MM_memcpy(_fv_p, &_cd_value, _copy_size); \ ++ \ ++ /* Next field */ \ ++ _i++; \ ++ _fv_p += _copy_size; \ ++ _size_rem -= _copy_size; \ ++ } while (_size_rem); \ ++ } /* end if */ \ ++ else { \ ++ assert(H5T_native_order_g == H5T_ORDER_BE); \ ++ \ ++ /* Copy 4 bytes at a time to each cd value, but start at the end \ ++ * (highest address) of fill_val */ \ ++ _fv_p = ((char *)&(fill_val)) + sizeof(type) - MIN(4, _size_rem); \ ++ while (_size_rem >= 4) { \ ++ /* Copy the value */ \ ++ _cd_value = (uint32_t)(cd_values)[_i]; \ ++ H5MM_memcpy(_fv_p, &_cd_value, _copy_size); \ ++ \ ++ /* Next field */ \ ++ _i++; \ ++ _size_rem -= 4; \ ++ if (_size_rem >= 4) \ ++ _fv_p -= 4; \ ++ else \ ++ _fv_p -= _size_rem; \ ++ } /* end while */ \ ++ \ ++ assert(_fv_p == (char *)&(fill_val)); \ ++ if (_size_rem) { \ ++ /* Amount left to copy is smaller than a cd_value, initialize \ ++ * _cd_value as it will not be fully overwritten and copy to the end \ ++ * of _cd value as it is BE. 
*/ \ ++ _cd_value = (uint32_t)(cd_values)[_i]; \ ++ H5MM_memcpy(_fv_p, (char *)&_cd_value + 4 - _size_rem, _size_rem); \ ++ } /* end if */ \ ++ } /* end else */ \ ++ } while (0) ++ ++/* Get the fill value for floating-point type */ ++#define H5Z_scaleoffset_get_filval_2(type, cd_values, filval) \ ++ do { \ ++ if (sizeof(type) <= sizeof(long long)) \ ++ H5Z_scaleoffset_get_filval_1(type, cd_values, filval); \ ++ else \ ++ HGOTO_ERROR(H5E_PLINE, H5E_BADTYPE, FAIL, "cannot find matched integer datatype"); \ ++ } while (0) ++ ++/* Find maximum and minimum values of a buffer with fill value defined for integer type */ ++#define H5Z_scaleoffset_max_min_1(i, d_nelmts, buf, filval, max, min) \ ++ { \ ++ i = 0; \ ++ while (i < d_nelmts && buf[i] == filval) \ ++ i++; \ ++ if (i < d_nelmts) \ ++ min = max = buf[i]; \ ++ for (; i < d_nelmts; i++) { \ ++ if (buf[i] == filval) \ ++ continue; /* ignore fill value */ \ ++ if (buf[i] > max) \ ++ max = buf[i]; \ ++ if (buf[i] < min) \ ++ min = buf[i]; \ ++ } \ ++ } ++ ++/* Find maximum and minimum values of a buffer with fill value undefined */ ++#define H5Z_scaleoffset_max_min_2(i, d_nelmts, buf, max, min) \ ++ { \ ++ min = max = buf[0]; \ ++ for (i = 0; i < d_nelmts; i++) { \ ++ if (buf[i] > max) \ ++ max = buf[i]; \ ++ if (buf[i] < min) \ ++ min = buf[i]; \ ++ } \ ++ } ++ ++/* Find maximum and minimum values of a buffer with fill value defined for floating-point type */ ++#define H5Z_scaleoffset_max_min_3(i, d_nelmts, buf, filval, max, min, D_val) \ ++ { \ ++ i = 0; \ ++ while (i < d_nelmts && fabs((double)(buf[i] - filval)) < pow(10.0, -D_val)) \ ++ i++; \ ++ if (i < d_nelmts) \ ++ min = max = buf[i]; \ ++ for (; i < d_nelmts; i++) { \ ++ if (fabs((double)(buf[i] - filval)) < pow(10.0, -D_val)) \ ++ continue; /* ignore fill value */ \ ++ if (buf[i] > max) \ ++ max = buf[i]; \ ++ if (buf[i] < min) \ ++ min = buf[i]; \ ++ } \ ++ } ++ ++/* Find minimum value of a buffer with fill value defined for integer type */ ++#define 
H5Z_scaleoffset_min_1(i, d_nelmts, buf, filval, min) \ ++ { \ ++ i = 0; \ ++ while (i < d_nelmts && buf[i] == filval) \ ++ i++; \ ++ if (i < d_nelmts) \ ++ min = buf[i]; \ ++ for (; i < d_nelmts; i++) { \ ++ if (buf[i] == filval) \ ++ continue; /* ignore fill value */ \ ++ if (buf[i] < min) \ ++ min = buf[i]; \ ++ } \ ++ } ++ ++/* Find minimum value of a buffer with fill value undefined */ ++#define H5Z_scaleoffset_min_2(i, d_nelmts, buf, min) \ ++ { \ ++ min = buf[0]; \ ++ for (i = 0; i < d_nelmts; i++) \ ++ if (buf[i] < min) \ ++ min = buf[i]; \ ++ } ++ ++/* Check and handle special situation for unsigned integer type */ ++#define H5Z_scaleoffset_check_1(type, max, min, minbits) \ ++ { \ ++ if (max - min > (type)(~(type)0 - 2)) { \ ++ *minbits = sizeof(type) * 8; \ ++ return; \ ++ } \ ++ } ++ ++/* Check and handle special situation for signed integer type */ ++#define H5Z_scaleoffset_check_2(type, max, min, minbits) \ ++ { \ ++ if ((unsigned type)(max - min) > (unsigned type)(~(unsigned type)0 - 2)) { \ ++ *minbits = sizeof(type) * 8; \ ++ return; \ ++ } \ ++ } ++ ++/* Check and handle special situation for floating-point type */ ++#define H5Z_scaleoffset_check_3(i, type, pow_fun, round_fun, max, min, minbits, D_val) \ ++ { \ ++ if (sizeof(type) == sizeof(int)) { \ ++ if (round_fun(max * pow_fun((type)10, (type)D_val) - min * pow_fun((type)10, (type)D_val)) > \ ++ pow_fun((type)2, (type)(sizeof(int) * 8 - 1))) { \ ++ *minbits = sizeof(int) * 8; \ ++ goto done; \ ++ } \ ++ } \ ++ else if (sizeof(type) == sizeof(long)) { \ ++ if (round_fun(max * pow_fun((type)10, (type)D_val) - min * pow_fun((type)10, (type)D_val)) > \ ++ pow_fun((type)2, (type)(sizeof(long) * 8 - 1))) { \ ++ *minbits = sizeof(long) * 8; \ ++ goto done; \ ++ } \ ++ } \ ++ else if (sizeof(type) == sizeof(long long)) { \ ++ if (round_fun(max * pow_fun((type)10, (type)D_val) - min * pow_fun((type)10, (type)D_val)) > \ ++ pow_fun((type)2, (type)(sizeof(long long) * 8 - 1))) { \ ++ *minbits = 
sizeof(long long) * 8; \ ++ goto done; \ ++ } \ ++ } \ ++ else \ ++ HGOTO_ERROR(H5E_PLINE, H5E_BADTYPE, FAIL, "cannot find matched integer datatype"); \ ++ } ++ ++/* Precompress for unsigned integer type */ ++#define H5Z_scaleoffset_precompress_1(type, data, d_nelmts, filavail, cd_values, minbits, minval) \ ++ do { \ ++ type *buf = (type *)data, min = 0, max = 0, span, filval = 0; \ ++ unsigned i; \ ++ \ ++ if (filavail == H5Z_SCALEOFFSET_FILL_DEFINED) { /* fill value defined */ \ ++ H5Z_scaleoffset_get_filval_1(type, cd_values, filval); \ ++ if (*minbits == \ ++ H5Z_SO_INT_MINBITS_DEFAULT) { /* minbits not set yet, calculate max, min, and minbits */ \ ++ H5Z_scaleoffset_max_min_1(i, d_nelmts, buf, filval, max, min) \ ++ H5Z_scaleoffset_check_1(type, max, min, minbits) span = (type)(max - min + 1); \ ++ *minbits = H5Z__scaleoffset_log2((unsigned long long)(span + 1)); \ ++ } \ ++ else /* minbits already set, only calculate min */ \ ++ H5Z_scaleoffset_min_1(i, d_nelmts, buf, filval, min); \ ++ if (*minbits != sizeof(type) * 8) /* change values if minbits != full precision */ \ ++ for (i = 0; i < d_nelmts; i++) \ ++ buf[i] = (type)((buf[i] == filval) ? 
(((type)1 << *minbits) - 1) : (buf[i] - min)); \ ++ } \ ++ else { /* fill value undefined */ \ ++ if (*minbits == \ ++ H5Z_SO_INT_MINBITS_DEFAULT) { /* minbits not set yet, calculate max, min, and minbits */ \ ++ H5Z_scaleoffset_max_min_2(i, d_nelmts, buf, max, min); \ ++ H5Z_scaleoffset_check_1(type, max, min, minbits); \ ++ span = (type)(max - min + 1); \ ++ *minbits = H5Z__scaleoffset_log2((unsigned long long)span); \ ++ } \ ++ else /* minbits already set, only calculate min */ \ ++ H5Z_scaleoffset_min_2(i, d_nelmts, buf, min); \ ++ if (*minbits != sizeof(type) * 8) /* change values if minbits != full precision */ \ ++ for (i = 0; i < d_nelmts; i++) \ ++ buf[i] = (type)(buf[i] - min); \ ++ } \ ++ *minval = min; \ ++ } while (0) ++ ++/* Precompress for signed integer type */ ++#define H5Z_scaleoffset_precompress_2(type, data, d_nelmts, filavail, cd_values, minbits, minval) \ ++ do { \ ++ type *buf = (type *)data, min = 0, max = 0, filval = 0; \ ++ unsigned type span; \ ++ unsigned i; \ ++ \ ++ if (filavail == H5Z_SCALEOFFSET_FILL_DEFINED) { /* fill value defined */ \ ++ H5Z_scaleoffset_get_filval_1(type, cd_values, filval); \ ++ if (*minbits == \ ++ H5Z_SO_INT_MINBITS_DEFAULT) { /* minbits not set yet, calculate max, min, and minbits */ \ ++ H5Z_scaleoffset_max_min_1(i, d_nelmts, buf, filval, max, min) \ ++ H5Z_scaleoffset_check_2(type, max, min, minbits) span = (unsigned type)(max - min + 1); \ ++ *minbits = H5Z__scaleoffset_log2((unsigned long long)(span + 1)); \ ++ } \ ++ else /* minbits already set, only calculate min */ \ ++ H5Z_scaleoffset_min_1(i, d_nelmts, buf, filval, min); \ ++ if (*minbits != sizeof(type) * 8) /* change values if minbits != full precision */ \ ++ for (i = 0; i < d_nelmts; i++) \ ++ buf[i] = (type)((buf[i] == filval) ? 
(type)(((unsigned type)1 << *minbits) - 1) \ ++ : (buf[i] - min)); \ ++ } \ ++ else { /* fill value undefined */ \ ++ if (*minbits == \ ++ H5Z_SO_INT_MINBITS_DEFAULT) { /* minbits not set yet, calculate max, min, and minbits */ \ ++ H5Z_scaleoffset_max_min_2(i, d_nelmts, buf, max, min) \ ++ H5Z_scaleoffset_check_2(type, max, min, minbits) span = (unsigned type)(max - min + 1); \ ++ *minbits = H5Z__scaleoffset_log2((unsigned long long)span); \ ++ } \ ++ else /* minbits already set, only calculate min */ \ ++ H5Z_scaleoffset_min_2( \ ++ i, d_nelmts, buf, \ ++ min) if (*minbits != sizeof(type) * 8) /* change values if minbits != full precision */ \ ++ for (i = 0; i < d_nelmts; i++) buf[i] = (type)(buf[i] - min); \ ++ } \ ++ *minval = (unsigned long long)min; \ ++ } while (0) ++ ++/* Modify values of data in precompression if fill value defined for floating-point type */ ++#define H5Z_scaleoffset_modify_1(i, type, pow_fun, abs_fun, lround_fun, llround_fun, buf, d_nelmts, filval, \ ++ minbits, min, D_val) \ ++ { \ ++ if (sizeof(type) == sizeof(int)) \ ++ for (i = 0; i < d_nelmts; i++) { \ ++ if (abs_fun(buf[i] - filval) < pow_fun((type)10, (type)-D_val)) \ ++ *(int *)((void *)&buf[i]) = (int)(((unsigned int)1 << *minbits) - 1); \ ++ else \ ++ *(int *)((void *)&buf[i]) = (int)lround_fun(buf[i] * pow_fun((type)10, (type)D_val) - \ ++ min * pow_fun((type)10, (type)D_val)); \ ++ } \ ++ else if (sizeof(type) == sizeof(long)) \ ++ for (i = 0; i < d_nelmts; i++) { \ ++ if (abs_fun(buf[i] - filval) < pow_fun((type)10, (type)-D_val)) \ ++ *(long *)((void *)&buf[i]) = (long)(((unsigned long)1 << *minbits) - 1); \ ++ else \ ++ *(long *)((void *)&buf[i]) = lround_fun(buf[i] * pow_fun((type)10, (type)D_val) - \ ++ min * pow_fun((type)10, (type)D_val)); \ ++ } \ ++ else if (sizeof(type) == sizeof(long long)) \ ++ for (i = 0; i < d_nelmts; i++) { \ ++ if (abs_fun(buf[i] - filval) < pow_fun((type)10, (type)-D_val)) \ ++ *(long long *)((void *)&buf[i]) = (long long)(((unsigned long 
long)1 << *minbits) - 1); \ ++ else \ ++ *(long long *)((void *)&buf[i]) = llround_fun(buf[i] * pow_fun((type)10, (type)D_val) - \ ++ min * pow_fun((type)10, (type)D_val)); \ ++ } \ ++ else \ ++ HGOTO_ERROR(H5E_PLINE, H5E_BADTYPE, FAIL, "cannot find matched integer datatype"); \ ++ } ++ ++/* Modify values of data in precompression if fill value undefined for floating-point type */ ++#define H5Z_scaleoffset_modify_2(i, type, pow_fun, lround_fun, llround_fun, buf, d_nelmts, min, D_val) \ ++ { \ ++ if (sizeof(type) == sizeof(int)) \ ++ for (i = 0; i < d_nelmts; i++) \ ++ *(int *)((void *)&buf[i]) = (int)lround_fun(buf[i] * pow_fun((type)10, (type)D_val) - \ ++ min * pow_fun((type)10, (type)D_val)); \ ++ else if (sizeof(type) == sizeof(long)) \ ++ for (i = 0; i < d_nelmts; i++) \ ++ *(long *)((void *)&buf[i]) = lround_fun(buf[i] * pow_fun((type)10, (type)D_val) - \ ++ min * pow_fun((type)10, (type)D_val)); \ ++ else if (sizeof(type) == sizeof(long long)) \ ++ for (i = 0; i < d_nelmts; i++) \ ++ *(long long *)((void *)&buf[i]) = llround_fun(buf[i] * pow_fun((type)10, (type)D_val) - \ ++ min * pow_fun((type)10, (type)D_val)); \ ++ else \ ++ HGOTO_ERROR(H5E_PLINE, H5E_BADTYPE, FAIL, "cannot find matched integer datatype"); \ ++ } ++ ++/* Save the minimum value for floating-point type */ ++#define H5Z_scaleoffset_save_min(i, type, minval, min) \ ++ { \ ++ if (sizeof(type) <= sizeof(long long)) \ ++ /* Save min value to corresponding position \ ++ * byte-order will be swapped as appropriate, but be sure to \ ++ * account for offset in BE if sizes differ \ ++ */ \ ++ if (H5T_native_order_g == H5T_ORDER_LE) \ ++ H5MM_memcpy(minval, &min, sizeof(type)); \ ++ else { \ ++ assert(H5T_native_order_g == H5T_ORDER_BE); \ ++ H5MM_memcpy(((char *)minval) + (sizeof(long long) - sizeof(type)), &min, sizeof(type)); \ ++ } /* end else */ \ ++ else \ ++ HGOTO_ERROR(H5E_PLINE, H5E_BADTYPE, FAIL, "cannot find matched integer datatype"); \ ++ } ++ ++/* Precompress for floating-point type 
using variable-minimum-bits method */ ++#define H5Z_scaleoffset_precompress_3(type, pow_fun, abs_fun, round_fun, lround_fun, llround_fun, data, \ ++ d_nelmts, filavail, cd_values, minbits, minval, D_val) \ ++ do { \ ++ type *buf = (type *)data, min = 0, max = 0, filval = 0; \ ++ unsigned long long span; \ ++ unsigned i; \ ++ \ ++ *minval = 0; \ ++ if (filavail == H5Z_SCALEOFFSET_FILL_DEFINED) { /* fill value defined */ \ ++ H5Z_scaleoffset_get_filval_2(type, cd_values, filval); \ ++ H5Z_scaleoffset_max_min_3(i, d_nelmts, buf, filval, max, min, D_val); \ ++ H5Z_scaleoffset_check_3(i, type, pow_fun, round_fun, max, min, minbits, D_val); \ ++ span = (unsigned long long)(llround_fun(max * pow_fun((type)10, (type)D_val) - \ ++ min * pow_fun((type)10, (type)D_val)) + \ ++ 1); \ ++ *minbits = H5Z__scaleoffset_log2(span + 1); \ ++ if (*minbits != sizeof(type) * 8) /* change values if minbits != full precision */ \ ++ H5Z_scaleoffset_modify_1(i, type, pow_fun, abs_fun, lround_fun, llround_fun, buf, d_nelmts, \ ++ filval, minbits, min, D_val); \ ++ } \ ++ else { /* fill value undefined */ \ ++ H5Z_scaleoffset_max_min_2(i, d_nelmts, buf, max, min); \ ++ H5Z_scaleoffset_check_3(i, type, pow_fun, round_fun, max, min, minbits, D_val); \ ++ span = (unsigned long long)(llround_fun(max * pow_fun((type)10, (type)D_val) - \ ++ min * pow_fun((type)10, (type)D_val)) + \ ++ 1); \ ++ *minbits = H5Z__scaleoffset_log2(span); \ ++ if (*minbits != sizeof(type) * 8) /* change values if minbits != full precision */ \ ++ H5Z_scaleoffset_modify_2(i, type, pow_fun, lround_fun, llround_fun, buf, d_nelmts, min, \ ++ D_val); \ ++ } \ ++ H5Z_scaleoffset_save_min(i, type, minval, min); \ ++ } while (0) ++ ++/* Postdecompress for unsigned integer type */ ++#define H5Z_scaleoffset_postdecompress_1(type, data, d_nelmts, filavail, cd_values, minbits, minval) \ ++ do { \ ++ type *buf = (type *)data, filval = 0; \ ++ unsigned i; \ ++ \ ++ if (filavail == H5Z_SCALEOFFSET_FILL_DEFINED) { /* fill value defined 
*/ \ ++ H5Z_scaleoffset_get_filval_1(type, cd_values, filval); \ ++ for (i = 0; i < d_nelmts; i++) \ ++ buf[i] = (type)((buf[i] == (((type)1 << minbits) - 1)) ? filval : (buf[i] + minval)); \ ++ } \ ++ else /* fill value undefined */ \ ++ for (i = 0; i < d_nelmts; i++) \ ++ buf[i] = (type)(buf[i] + (type)(minval)); \ ++ } while (0) ++ ++/* Postdecompress for signed integer type */ ++#define H5Z_scaleoffset_postdecompress_2(type, data, d_nelmts, filavail, cd_values, minbits, minval) \ ++ do { \ ++ type *buf = (type *)data, filval = 0; \ ++ unsigned i; \ ++ \ ++ if (filavail == H5Z_SCALEOFFSET_FILL_DEFINED) { /* fill value defined */ \ ++ H5Z_scaleoffset_get_filval_1(type, cd_values, filval); \ ++ for (i = 0; i < d_nelmts; i++) \ ++ buf[i] = (type)(((unsigned type)buf[i] == (((unsigned type)1 << minbits) - 1)) \ ++ ? filval \ ++ : (buf[i] + minval)); \ ++ } \ ++ else /* fill value undefined */ \ ++ for (i = 0; i < d_nelmts; i++) \ ++ buf[i] = (type)(buf[i] + (type)(minval)); \ ++ } while (0) ++ ++/* Retrieve minimum value of floating-point type */ ++#define H5Z_scaleoffset_get_min(type, minval, min) \ ++ do { \ ++ if (sizeof(type) <= sizeof(long long)) \ ++ /* retrieve min value from corresponding position \ ++ * byte-order has already been swapped as appropriate, but be sure to \ ++ * account for offset in BE if sizes differ \ ++ */ \ ++ if (H5T_native_order_g == H5T_ORDER_LE) \ ++ H5MM_memcpy(&min, &minval, sizeof(type)); \ ++ else { \ ++ assert(H5T_native_order_g == H5T_ORDER_BE); \ ++ H5MM_memcpy(&min, ((char *)&minval) + (sizeof(long long) - sizeof(type)), sizeof(type)); \ ++ } /* end else */ \ ++ else \ ++ HGOTO_ERROR(H5E_PLINE, H5E_BADTYPE, FAIL, "cannot find matched integer datatype"); \ ++ } while (0) ++ ++/* Modify values of data in postdecompression if fill value defined for floating-point type */ ++#define H5Z_scaleoffset_modify_3(i, type, pow_fun, buf, d_nelmts, filval, minbits, min, D_val) \ ++ do { \ ++ if (sizeof(type) == sizeof(int)) \ ++ for (i = 0; 
i < d_nelmts; i++) \ ++ buf[i] = \ ++ (type)((*(int *)((void *)&buf[i]) == (int)(((unsigned int)1 << minbits) - 1)) \ ++ ? filval \ ++ : (type)(*(int *)((void *)&buf[i])) / pow_fun((type)10, (type)D_val) + min); \ ++ else if (sizeof(type) == sizeof(long)) \ ++ for (i = 0; i < d_nelmts; i++) \ ++ buf[i] = \ ++ (type)((*(long *)((void *)&buf[i]) == (long)(((unsigned long)1 << minbits) - 1)) \ ++ ? filval \ ++ : (type)(*(long *)((void *)&buf[i])) / pow_fun((type)10, (type)D_val) + min); \ ++ else if (sizeof(type) == sizeof(long long)) \ ++ for (i = 0; i < d_nelmts; i++) \ ++ buf[i] = \ ++ (type)((*(long long *)((void *)&buf[i]) == \ ++ (long long)(((unsigned long long)1 << minbits) - 1)) \ ++ ? filval \ ++ : (type)(*(long long *)((void *)&buf[i])) / pow_fun((type)10, (type)D_val) + \ ++ min); \ ++ else \ ++ HGOTO_ERROR(H5E_PLINE, H5E_BADTYPE, FAIL, "cannot find matched integer datatype"); \ ++ } while (0) ++ ++/* Modify values of data in postdecompression if fill value undefined for floating-point type */ ++#define H5Z_scaleoffset_modify_4(i, type, pow_fun, buf, d_nelmts, min, D_val) \ ++ do { \ ++ if (sizeof(type) == sizeof(int)) \ ++ for (i = 0; i < d_nelmts; i++) \ ++ buf[i] = ((type)(*(int *)((void *)&buf[i])) / pow_fun((type)10, (type)D_val) + min); \ ++ else if (sizeof(type) == sizeof(long)) \ ++ for (i = 0; i < d_nelmts; i++) \ ++ buf[i] = ((type)(*(long *)((void *)&buf[i])) / pow_fun((type)10, (type)D_val) + min); \ ++ else if (sizeof(type) == sizeof(long long)) \ ++ for (i = 0; i < d_nelmts; i++) \ ++ buf[i] = ((type)(*(long long *)((void *)&buf[i])) / pow_fun((type)10, (type)D_val) + min); \ ++ else \ ++ HGOTO_ERROR(H5E_PLINE, H5E_BADTYPE, FAIL, "cannot find matched integer datatype"); \ ++ } while (0) ++ ++/* Postdecompress for floating-point type using variable-minimum-bits method */ ++#define H5Z_scaleoffset_postdecompress_3(type, pow_fun, data, d_nelmts, filavail, cd_values, minbits, \ ++ minval, D_val) \ ++ do { \ ++ type *buf = (type *)data, filval = 
0, min = 0; \ ++ unsigned i; \ ++ \ ++ H5Z_scaleoffset_get_min(type, minval, min); \ ++ \ ++ if (filavail == H5Z_SCALEOFFSET_FILL_DEFINED) { /* fill value defined */ \ ++ H5Z_scaleoffset_get_filval_2(type, cd_values, filval); \ ++ H5Z_scaleoffset_modify_3(i, type, pow_fun, buf, d_nelmts, filval, minbits, min, D_val); \ ++ } \ ++ else /* fill value undefined */ \ ++ H5Z_scaleoffset_modify_4(i, type, pow_fun, buf, d_nelmts, min, D_val); \ ++ } while (0) ++ ++/*------------------------------------------------------------------------- ++ * Function: H5Z__can_apply_scaleoffset ++ * ++ * Purpose: Check the parameters for scaleoffset compression for ++ * validity and whether they fit a particular dataset. ++ * ++ * Return: Success: Non-negative ++ * Failure: Negative ++ * ++ *------------------------------------------------------------------------- ++ */ ++static htri_t ++H5Z__can_apply_scaleoffset(hid_t H5_ATTR_UNUSED dcpl_id, hid_t type_id, hid_t H5_ATTR_UNUSED space_id) ++{ ++ const H5T_t *type; /* Datatype */ ++ H5T_class_t dtype_class; /* Datatype's class */ ++ H5T_order_t dtype_order; /* Datatype's endianness order */ ++ htri_t ret_value = true; /* Return value */ ++ ++ FUNC_ENTER_PACKAGE ++ ++ /* Get datatype */ ++ if (NULL == (type = (H5T_t *)H5I_object_verify(type_id, H5I_DATATYPE))) ++ HGOTO_ERROR(H5E_ARGS, H5E_BADTYPE, FAIL, "not a datatype"); ++ ++ /* Get datatype's class, for checking the "datatype class" */ ++ if ((dtype_class = H5T_get_class(type, true)) == H5T_NO_CLASS) ++ HGOTO_ERROR(H5E_PLINE, H5E_BADTYPE, FAIL, "bad datatype class"); ++ ++ /* Get datatype's size, for checking the "datatype size" */ ++ if (H5T_get_size(type) == 0) ++ HGOTO_ERROR(H5E_PLINE, H5E_BADTYPE, FAIL, "bad datatype size"); ++ ++ if (dtype_class == H5T_INTEGER || dtype_class == H5T_FLOAT) { ++ /* Get datatype's endianness order */ ++ if ((dtype_order = H5T_get_order(type)) == H5T_ORDER_ERROR) ++ HGOTO_ERROR(H5E_PLINE, H5E_BADTYPE, FAIL, "can't retrieve datatype endianness order"); 
++ ++ /* Range check datatype's endianness order */ ++ if (dtype_order != H5T_ORDER_LE && dtype_order != H5T_ORDER_BE) ++ HGOTO_ERROR(H5E_PLINE, H5E_BADTYPE, false, "bad datatype endianness order"); ++ } ++ else ++ HGOTO_ERROR(H5E_PLINE, H5E_BADTYPE, false, "datatype class not supported by scaleoffset"); ++ ++done: ++ FUNC_LEAVE_NOAPI(ret_value) ++} /* end H5Z__can_apply_scaleoffset() */ ++ ++/*------------------------------------------------------------------------- ++ * Function: H5Z__scaleoffset_get_type ++ * ++ * Purpose: Get the specific integer type based on datatype size and sign ++ * or floating-point type based on size ++ * ++ * Return: Success: id number of integer type ++ * Failure: 0 ++ * ++ *------------------------------------------------------------------------- ++ */ ++static enum H5Z_scaleoffset_t ++H5Z__scaleoffset_get_type(unsigned dtype_class, unsigned dtype_size, unsigned dtype_sign) ++{ ++ enum H5Z_scaleoffset_t type = t_bad; /* integer type */ ++ enum H5Z_scaleoffset_t ret_value = t_bad; /* Return value */ ++ ++ FUNC_ENTER_PACKAGE ++ ++ if (dtype_class == H5Z_SCALEOFFSET_CLS_INTEGER) { ++ if (dtype_sign == H5Z_SCALEOFFSET_SGN_NONE) { /* unsigned integer */ ++ if (dtype_size == sizeof(unsigned char)) ++ type = t_uchar; ++ else if (dtype_size == sizeof(unsigned short)) ++ type = t_ushort; ++ else if (dtype_size == sizeof(unsigned int)) ++ type = t_uint; ++ else if (dtype_size == sizeof(unsigned long)) ++ type = t_ulong; ++#if H5_SIZEOF_LONG != H5_SIZEOF_LONG_LONG ++ else if (dtype_size == sizeof(unsigned long long)) ++ type = t_ulong_long; ++#endif /* H5_SIZEOF_LONG != H5_SIZEOF_LONG_LONG */ ++ else ++ HGOTO_ERROR(H5E_PLINE, H5E_BADTYPE, t_bad, "cannot find matched memory datatype"); ++ } ++ ++ if (dtype_sign == H5Z_SCALEOFFSET_SGN_2) { /* signed integer */ ++ if (dtype_size == sizeof(signed char)) ++ type = t_schar; ++ else if (dtype_size == sizeof(short)) ++ type = t_short; ++ else if (dtype_size == sizeof(int)) ++ type = t_int; ++ else if 
(dtype_size == sizeof(long)) ++ type = t_long; ++#if H5_SIZEOF_LONG != H5_SIZEOF_LONG_LONG ++ else if (dtype_size == sizeof(long long)) ++ type = t_long_long; ++#endif /* H5_SIZEOF_LONG != H5_SIZEOF_LONG_LONG */ ++ else ++ HGOTO_ERROR(H5E_PLINE, H5E_BADTYPE, t_bad, "cannot find matched memory datatype"); ++ } ++ } ++ ++ if (dtype_class == H5Z_SCALEOFFSET_CLS_FLOAT) { ++ if (dtype_size == sizeof(float)) ++ type = t_float; ++ else if (dtype_size == sizeof(double)) ++ type = t_double; ++ else ++ HGOTO_ERROR(H5E_PLINE, H5E_BADTYPE, t_bad, "cannot find matched memory datatype"); ++ } ++ ++ /* Set return value */ ++ ret_value = type; ++ ++done: ++ FUNC_LEAVE_NOAPI(ret_value) ++} ++ ++/*------------------------------------------------------------------------- ++ * Function: H5Z__scaleoffset_set_parms_fillval ++ * ++ * Purpose: Get the fill value of the dataset and store in cd_values[] ++ * ++ * Return: Success: Non-negative ++ * Failure: Negative ++ * ++ *------------------------------------------------------------------------- ++ */ ++static herr_t ++H5Z__scaleoffset_set_parms_fillval(H5P_genplist_t *dcpl_plist, H5T_t *type, enum H5Z_scaleoffset_t scale_type, ++ unsigned cd_values[], int need_convert) ++{ ++ herr_t ret_value = SUCCEED; /* Return value */ ++ ++ FUNC_ENTER_PACKAGE ++ ++ if (scale_type == t_uchar) ++ H5Z_scaleoffset_set_filval_3(unsigned char, dcpl_plist, type, cd_values, need_convert); ++ else if (scale_type == t_ushort) ++ H5Z_scaleoffset_set_filval_1(unsigned short, dcpl_plist, type, cd_values, need_convert); ++ else if (scale_type == t_uint) ++ H5Z_scaleoffset_set_filval_1(unsigned int, dcpl_plist, type, cd_values, need_convert); ++ else if (scale_type == t_ulong) ++ H5Z_scaleoffset_set_filval_1(unsigned long, dcpl_plist, type, cd_values, need_convert); ++ else if (scale_type == t_ulong_long) ++ H5Z_scaleoffset_set_filval_1(unsigned long long, dcpl_plist, type, cd_values, need_convert); ++ else if (scale_type == t_schar) ++ 
H5Z_scaleoffset_set_filval_3(signed char, dcpl_plist, type, cd_values, need_convertd); ++ else if (scale_type == t_short) ++ H5Z_scaleoffset_set_filval_2(short, dcpl_plist, type, cd_values, need_convert); ++ else if (scale_type == t_int) ++ H5Z_scaleoffset_set_filval_2(int, dcpl_plist, type, cd_values, need_convert); ++ else if (scale_type == t_long) ++ H5Z_scaleoffset_set_filval_2(long, dcpl_plist, type, cd_values, need_convert); ++ else if (scale_type == t_long_long) ++ H5Z_scaleoffset_set_filval_2(long long, dcpl_plist, type, cd_values, need_convert); ++ else if (scale_type == t_float) ++ H5Z_scaleoffset_set_filval_4(float, dcpl_plist, type, cd_values, need_convert); ++ else if (scale_type == t_double) ++ H5Z_scaleoffset_set_filval_4(double, dcpl_plist, type, cd_values, need_convert); ++ ++done: ++ FUNC_LEAVE_NOAPI(ret_value) ++} /* end H5Z__scaleoffset_set_parms_fillval() */ ++ ++/*------------------------------------------------------------------------- ++ * Function: H5Z__set_local_scaleoffset ++ * ++ * Purpose: Set the "local" dataset parameters for scaleoffset ++ * compression. 
++ * ++ * Return: Success: Non-negative ++ * Failure: Negative ++ * ++ *------------------------------------------------------------------------- ++ */ ++static herr_t ++H5Z__set_local_scaleoffset(hid_t dcpl_id, hid_t type_id, hid_t space_id) ++{ ++ H5P_genplist_t *dcpl_plist; /* Property list pointer */ ++ H5T_t *type; /* Datatype */ ++ const H5S_t *ds; /* Dataspace */ ++ unsigned flags; /* Filter flags */ ++ size_t cd_nelmts = H5Z_SCALEOFFSET_USER_NPARMS; /* Number of filter parameters */ ++ unsigned cd_values[H5Z_SCALEOFFSET_TOTAL_NPARMS]; /* Filter parameters */ ++ hssize_t npoints; /* Number of points in the dataspace */ ++ H5T_class_t dtype_class; /* Datatype's class */ ++ H5T_order_t dtype_order; /* Datatype's endianness order */ ++ size_t dtype_size; /* Datatype's size (in bytes) */ ++ H5T_sign_t dtype_sign; /* Datatype's sign */ ++ enum H5Z_scaleoffset_t scale_type; /* Specific datatype */ ++ H5D_fill_value_t status; /* Status of fill value in property list */ ++ herr_t ret_value = SUCCEED; /* Return value */ ++ ++ FUNC_ENTER_PACKAGE ++ ++ /* Get the plist structure */ ++ if (NULL == (dcpl_plist = H5P_object_verify(dcpl_id, H5P_DATASET_CREATE))) ++ HGOTO_ERROR(H5E_ID, H5E_BADID, FAIL, "can't find object for ID"); ++ ++ /* Get datatype */ ++ if (NULL == (type = (H5T_t *)H5I_object_verify(type_id, H5I_DATATYPE))) ++ HGOTO_ERROR(H5E_ARGS, H5E_BADTYPE, FAIL, "not a datatype"); ++ ++ /* Initialize the parameters to a known state */ ++ memset(cd_values, 0, sizeof(cd_values)); ++ ++ /* Get the filter's current parameters */ ++ if (H5P_get_filter_by_id(dcpl_plist, H5Z_FILTER_SCALEOFFSET, &flags, &cd_nelmts, cd_values, (size_t)0, ++ NULL, NULL) < 0) ++ HGOTO_ERROR(H5E_PLINE, H5E_CANTGET, FAIL, "can't get scaleoffset parameters"); ++ ++ /* Get dataspace */ ++ if (NULL == (ds = (H5S_t *)H5I_object_verify(space_id, H5I_DATASPACE))) ++ HGOTO_ERROR(H5E_ARGS, H5E_BADTYPE, FAIL, "not a dataspace"); ++ ++ /* Get total number of elements in the chunk */ ++ if ((npoints = 
H5S_GET_EXTENT_NPOINTS(ds)) < 0) ++ HGOTO_ERROR(H5E_PLINE, H5E_CANTGET, FAIL, "unable to get number of points in the dataspace"); ++ ++ /* Set "local" parameter for this dataset's number of elements */ ++ H5_CHECKED_ASSIGN(cd_values[H5Z_SCALEOFFSET_PARM_NELMTS], unsigned, npoints, hssize_t); ++ ++ /* Get datatype's class */ ++ if ((dtype_class = H5T_get_class(type, true)) == H5T_NO_CLASS) ++ HGOTO_ERROR(H5E_PLINE, H5E_BADTYPE, FAIL, "bad datatype class"); ++ ++ /* Set "local" parameter for datatype's class */ ++ switch (dtype_class) { ++ case H5T_INTEGER: ++ cd_values[H5Z_SCALEOFFSET_PARM_CLASS] = H5Z_SCALEOFFSET_CLS_INTEGER; ++ break; ++ ++ case H5T_FLOAT: ++ cd_values[H5Z_SCALEOFFSET_PARM_CLASS] = H5Z_SCALEOFFSET_CLS_FLOAT; ++ break; ++ ++ case H5T_NO_CLASS: ++ case H5T_TIME: ++ case H5T_STRING: ++ case H5T_BITFIELD: ++ case H5T_OPAQUE: ++ case H5T_COMPOUND: ++ case H5T_REFERENCE: ++ case H5T_ENUM: ++ case H5T_VLEN: ++ case H5T_ARRAY: ++ case H5T_NCLASSES: ++ default: ++ HGOTO_ERROR(H5E_PLINE, H5E_BADTYPE, FAIL, "datatype class not supported by scaleoffset"); ++ } /* end switch */ ++ ++ /* Get datatype's size */ ++ if ((dtype_size = H5T_get_size(type)) == 0) ++ HGOTO_ERROR(H5E_PLINE, H5E_BADTYPE, FAIL, "bad datatype size"); ++ ++ /* Set "local" parameter for datatype size */ ++ H5_CHECK_OVERFLOW(dtype_size, size_t, unsigned); ++ cd_values[H5Z_SCALEOFFSET_PARM_SIZE] = (unsigned)dtype_size; ++ ++ if (dtype_class == H5T_INTEGER) { ++ /* Get datatype's sign */ ++ if ((dtype_sign = H5T_get_sign(type)) == H5T_SGN_ERROR) ++ HGOTO_ERROR(H5E_PLINE, H5E_BADTYPE, FAIL, "bad datatype sign"); ++ ++ /* Set "local" parameter for integer datatype sign */ ++ switch (dtype_sign) { ++ case H5T_SGN_NONE: ++ cd_values[H5Z_SCALEOFFSET_PARM_SIGN] = H5Z_SCALEOFFSET_SGN_NONE; ++ break; ++ ++ case H5T_SGN_2: ++ cd_values[H5Z_SCALEOFFSET_PARM_SIGN] = H5Z_SCALEOFFSET_SGN_2; ++ break; ++ ++ case H5T_SGN_ERROR: ++ case H5T_NSGN: ++ default: ++ HGOTO_ERROR(H5E_PLINE, H5E_BADTYPE, FAIL, "bad 
integer sign"); ++ } /* end switch */ ++ } /* end if */ ++ ++ /* Get datatype's endianness order */ ++ if ((dtype_order = H5T_get_order(type)) == H5T_ORDER_ERROR) ++ HGOTO_ERROR(H5E_PLINE, H5E_BADTYPE, FAIL, "bad datatype endianness order"); ++ ++ /* Set "local" parameter for datatype endianness */ ++ switch (dtype_order) { ++ case H5T_ORDER_LE: /* Little-endian byte order */ ++ cd_values[H5Z_SCALEOFFSET_PARM_ORDER] = H5Z_SCALEOFFSET_ORDER_LE; ++ break; ++ ++ case H5T_ORDER_BE: /* Big-endian byte order */ ++ cd_values[H5Z_SCALEOFFSET_PARM_ORDER] = H5Z_SCALEOFFSET_ORDER_BE; ++ break; ++ ++ case H5T_ORDER_ERROR: ++ case H5T_ORDER_VAX: ++ case H5T_ORDER_MIXED: ++ case H5T_ORDER_NONE: ++ default: ++ HGOTO_ERROR(H5E_PLINE, H5E_BADTYPE, FAIL, "bad datatype endianness order"); ++ } /* end switch */ ++ ++ /* Check whether fill value is defined for dataset */ ++ if (H5P_fill_value_defined(dcpl_plist, &status) < 0) ++ HGOTO_ERROR(H5E_PLINE, H5E_CANTGET, FAIL, "unable to determine if fill value is defined"); ++ ++ /* Set local parameter for availability of fill value */ ++ if (status == H5D_FILL_VALUE_UNDEFINED) ++ cd_values[H5Z_SCALEOFFSET_PARM_FILAVAIL] = H5Z_SCALEOFFSET_FILL_UNDEFINED; ++ else { ++ int need_convert = false; /* Flag indicating conversion of byte order */ ++ ++ cd_values[H5Z_SCALEOFFSET_PARM_FILAVAIL] = H5Z_SCALEOFFSET_FILL_DEFINED; ++ ++ /* Check if memory byte order matches dataset datatype byte order */ ++ if (H5T_native_order_g != dtype_order) ++ need_convert = true; ++ ++ /* Before getting fill value, get its type */ ++ if ((scale_type = H5Z__scaleoffset_get_type(cd_values[H5Z_SCALEOFFSET_PARM_CLASS], ++ cd_values[H5Z_SCALEOFFSET_PARM_SIZE], ++ cd_values[H5Z_SCALEOFFSET_PARM_SIGN])) == 0) ++ HGOTO_ERROR(H5E_PLINE, H5E_BADTYPE, FAIL, "cannot use C integer datatype for cast"); ++ ++ /* Get dataset fill value and store in cd_values[] */ ++ if (H5Z__scaleoffset_set_parms_fillval(dcpl_plist, type, scale_type, cd_values, need_convert) < 0) ++ 
HGOTO_ERROR(H5E_PLINE, H5E_CANTSET, FAIL, "unable to set fill value"); ++ } /* end else */ ++ ++ /* Modify the filter's parameters for this dataset */ ++ if (H5P_modify_filter(dcpl_plist, H5Z_FILTER_SCALEOFFSET, flags, (size_t)H5Z_SCALEOFFSET_TOTAL_NPARMS, ++ cd_values) < 0) ++ HGOTO_ERROR(H5E_PLINE, H5E_CANTSET, FAIL, "can't set local scaleoffset parameters"); ++ ++done: ++ FUNC_LEAVE_NOAPI(ret_value) ++} /* end H5Z__set_local_scaleoffset() */ ++ ++/*------------------------------------------------------------------------- ++ * Function: H5Z__filter_scaleoffset ++ * ++ * Purpose: Implement an I/O filter for storing packed integer ++ * data using scale and offset method. ++ * ++ * Return: Success: Size of buffer filtered ++ * Failure: 0 ++ * ++ *------------------------------------------------------------------------- ++ */ ++static size_t ++H5Z__filter_scaleoffset(unsigned flags, size_t cd_nelmts, const unsigned cd_values[], size_t nbytes, ++ size_t *buf_size, void **buf) ++{ ++ size_t ret_value = 0; /* return value */ ++ size_t size_out = 0; /* size of output buffer */ ++ unsigned d_nelmts = 0; /* number of data elements in the chunk */ ++ unsigned dtype_class; /* datatype class */ ++ unsigned dtype_sign; /* integer datatype sign */ ++ unsigned filavail; /* flag indicating if fill value is defined or not */ ++ H5Z_SO_scale_type_t scale_type = H5Z_SO_FLOAT_DSCALE; /* scale type */ ++ int scale_factor = 0; /* scale factor */ ++ double D_val = 0.0; /* decimal scale factor */ ++ uint32_t minbits = 0; /* minimum number of bits to store values */ ++ unsigned long long minval = 0; /* minimum value of input buffer */ ++ enum H5Z_scaleoffset_t type; /* memory type corresponding to dataset datatype */ ++ int need_convert = false; /* flag indicating conversion of byte order */ ++ unsigned char *outbuf = NULL; /* pointer to new output buffer */ ++ unsigned buf_offset = 21; /* buffer offset because of parameters stored in file */ ++ unsigned i; /* index */ ++ parms_atomic p; 
/* parameters needed for compress/decompress functions */ ++ ++ FUNC_ENTER_PACKAGE ++ ++ /* check arguments */ ++ if (cd_nelmts != H5Z_SCALEOFFSET_TOTAL_NPARMS) ++ HGOTO_ERROR(H5E_ARGS, H5E_BADVALUE, 0, "invalid scaleoffset number of parameters"); ++ ++ /* Check if memory byte order matches dataset datatype byte order */ ++ switch (H5T_native_order_g) { ++ case H5T_ORDER_LE: /* memory is little-endian byte order */ ++ if (cd_values[H5Z_SCALEOFFSET_PARM_ORDER] == H5Z_SCALEOFFSET_ORDER_BE) ++ need_convert = true; ++ break; ++ ++ case H5T_ORDER_BE: /* memory is big-endian byte order */ ++ if (cd_values[H5Z_SCALEOFFSET_PARM_ORDER] == H5Z_SCALEOFFSET_ORDER_LE) ++ need_convert = true; ++ break; ++ ++ case H5T_ORDER_ERROR: ++ case H5T_ORDER_VAX: ++ case H5T_ORDER_MIXED: ++ case H5T_ORDER_NONE: ++ default: ++ HGOTO_ERROR(H5E_PLINE, H5E_BADTYPE, 0, "bad H5T_NATIVE_INT endianness order"); ++ } /* end switch */ ++ ++ /* copy filter parameters to local variables */ ++ d_nelmts = cd_values[H5Z_SCALEOFFSET_PARM_NELMTS]; ++ dtype_class = cd_values[H5Z_SCALEOFFSET_PARM_CLASS]; ++ dtype_sign = cd_values[H5Z_SCALEOFFSET_PARM_SIGN]; ++ filavail = cd_values[H5Z_SCALEOFFSET_PARM_FILAVAIL]; ++ scale_factor = (int)cd_values[H5Z_SCALEOFFSET_PARM_SCALEFACTOR]; ++ scale_type = (H5Z_SO_scale_type_t)cd_values[H5Z_SCALEOFFSET_PARM_SCALETYPE]; ++ ++ /* check and assign proper values set by user to related parameters ++ * scale type can be H5Z_SO_FLOAT_DSCALE (0), H5Z_SO_FLOAT_ESCALE (1) or H5Z_SO_INT (other) ++ * H5Z_SO_FLOAT_DSCALE : floating-point type, variable-minimum-bits method, ++ * scale factor is decimal scale factor ++ * H5Z_SO_FLOAT_ESCALE : floating-point type, fixed-minimum-bits method, ++ * scale factor is the fixed minimum number of bits ++ * H5Z_SO_INT : integer type, scale_factor is minimum number of bits ++ */ ++ if (dtype_class == H5Z_SCALEOFFSET_CLS_FLOAT) { /* floating-point type */ ++ if (scale_type != H5Z_SO_FLOAT_DSCALE && scale_type != H5Z_SO_FLOAT_ESCALE) ++ 
HGOTO_ERROR(H5E_ARGS, H5E_BADVALUE, 0, "invalid scale type"); ++ } ++ ++ if (dtype_class == H5Z_SCALEOFFSET_CLS_INTEGER) { /* integer type */ ++ if (scale_type != H5Z_SO_INT) ++ HGOTO_ERROR(H5E_ARGS, H5E_BADVALUE, 0, "invalid scale type"); ++ ++ /* if scale_factor is less than 0 for integer, library will reset it to 0 ++ * in this case, library will calculate the minimum-bits ++ */ ++ if (scale_factor < 0) ++ scale_factor = 0; ++ } ++ ++ /* fixed-minimum-bits method is not implemented and is forbidden */ ++ if (scale_type == H5Z_SO_FLOAT_ESCALE) ++ HGOTO_ERROR(H5E_ARGS, H5E_BADVALUE, 0, "E-scaling method not supported"); ++ ++ if (scale_type == H5Z_SO_FLOAT_DSCALE) { /* floating-point type, variable-minimum-bits */ ++ D_val = (double)scale_factor; ++ } ++ else { /* integer type, or floating-point type with fixed-minimum-bits method */ ++ if (scale_factor > (int)(cd_values[H5Z_SCALEOFFSET_PARM_SIZE] * 8)) ++ HGOTO_ERROR(H5E_ARGS, H5E_BADVALUE, 0, "minimum number of bits exceeds maximum"); ++ ++ /* no need to process data */ ++ if (scale_factor == (int)(cd_values[H5Z_SCALEOFFSET_PARM_SIZE] * 8)) { ++ ret_value = *buf_size; ++ goto done; ++ } ++ minbits = (uint32_t)scale_factor; ++ } ++ ++ /* prepare parameters to pass to compress/decompress functions */ ++ p.size = cd_values[H5Z_SCALEOFFSET_PARM_SIZE]; ++ p.mem_order = (unsigned)H5T_native_order_g; ++ ++ /* input; decompress */ ++ if (flags & H5Z_FLAG_REVERSE) { ++ /* retrieve values of minbits and minval from input compressed buffer ++ * retrieve them corresponding to how they are stored during compression ++ */ ++ uint32_t minbits_mask = 0; ++ unsigned long long minval_mask = 0; ++ unsigned minval_size = 0; ++ ++ minbits = 0; ++ if (H5_IS_BUFFER_OVERFLOW((unsigned char *)*buf, 5, (unsigned char *)*buf + *buf_size - 1)) ++ HGOTO_ERROR(H5E_ARGS, H5E_BADVALUE, 0, "buffer too short"); ++ ++ for (i = 0; i < 4; i++) { ++ minbits_mask = ((unsigned char *)*buf)[i]; ++ minbits_mask <<= i * 8; ++ minbits |= minbits_mask; ++ 
} ++ if (minbits >= p.size * 8) ++ HGOTO_ERROR(H5E_ARGS, H5E_BADVALUE, 0, "minimum number of bits exceeds size of type"); ++ ++ /* retrieval of minval takes into consideration situation where sizeof ++ * unsigned long long (datatype of minval) may change from compression ++ * to decompression, only smaller size is used ++ */ ++ minval_size = sizeof(unsigned long long) <= ((unsigned char *)*buf)[4] ? sizeof(unsigned long long) ++ : ((unsigned char *)*buf)[4]; ++ minval = 0; ++ if (H5_IS_BUFFER_OVERFLOW((unsigned char *)*buf, 5 + minval_size, ++ (unsigned char *)*buf + *buf_size - 1)) ++ HGOTO_ERROR(H5E_ARGS, H5E_BADVALUE, 0, "buffer too short"); ++ for (i = 0; i < minval_size; i++) { ++ minval_mask = ((unsigned char *)*buf)[5 + i]; ++ minval_mask <<= i * 8; ++ minval |= minval_mask; ++ } ++ ++ assert(minbits <= p.size * 8); ++ p.minbits = minbits; ++ ++ /* calculate size of output buffer after decompression */ ++ size_out = d_nelmts * (size_t)p.size; ++ ++ /* allocate memory space for decompressed buffer */ ++ if (NULL == (outbuf = (unsigned char *)H5MM_malloc(size_out))) ++ HGOTO_ERROR(H5E_RESOURCE, H5E_NOSPACE, 0, ++ "memory allocation failed for scaleoffset decompression"); ++ ++ /* special case: minbits equal to full precision */ ++ if (minbits == p.size * 8) { ++ H5MM_memcpy(outbuf, (unsigned char *)(*buf) + buf_offset, size_out); ++ /* free the original buffer */ ++ H5MM_xfree(*buf); ++ ++ /* convert to dataset datatype endianness order if needed */ ++ if (need_convert) ++ H5Z__scaleoffset_convert(outbuf, d_nelmts, p.size); ++ ++ *buf = outbuf; ++ outbuf = NULL; ++ *buf_size = size_out; ++ ret_value = size_out; ++ goto done; ++ } ++ ++ /* decompress the buffer if minbits not equal to zero */ ++ if (minbits != 0) ++ H5Z__scaleoffset_decompress(outbuf, d_nelmts, (unsigned char *)(*buf) + buf_offset, p); ++ else { ++ /* fill value is not defined and all data elements have the same value */ ++ for (i = 0; i < size_out; i++) ++ outbuf[i] = 0; ++ } ++ ++ /* before 
postprocess, get memory type */ ++ if ((type = H5Z__scaleoffset_get_type(dtype_class, p.size, dtype_sign)) == 0) ++ HGOTO_ERROR(H5E_PLINE, H5E_BADTYPE, 0, "cannot use C integer datatype for cast"); ++ ++ /* postprocess after decompression */ ++ if (dtype_class == H5Z_SCALEOFFSET_CLS_INTEGER) ++ H5Z__scaleoffset_postdecompress_i(outbuf, d_nelmts, type, filavail, cd_values, minbits, minval); ++ ++ if (dtype_class == H5Z_SCALEOFFSET_CLS_FLOAT) ++ if (scale_type == 0) { /* variable-minimum-bits method */ ++ if (H5Z__scaleoffset_postdecompress_fd(outbuf, d_nelmts, type, filavail, cd_values, minbits, ++ minval, D_val) == FAIL) ++ HGOTO_ERROR(H5E_PLINE, H5E_BADTYPE, 0, "post-decompression failed"); ++ } ++ ++ /* after postprocess, convert to dataset datatype endianness order if needed */ ++ if (need_convert) ++ H5Z__scaleoffset_convert(outbuf, d_nelmts, p.size); ++ } ++ /* output; compress */ ++ else { ++ size_t used_bytes; ++ size_t unused_bytes; ++ ++ assert(nbytes == d_nelmts * p.size); ++ ++ /* before preprocess, convert to memory endianness order if needed */ ++ if (need_convert) ++ H5Z__scaleoffset_convert(*buf, d_nelmts, p.size); ++ ++ /* before preprocess, get memory type */ ++ if ((type = H5Z__scaleoffset_get_type(dtype_class, p.size, dtype_sign)) == 0) ++ HGOTO_ERROR(H5E_PLINE, H5E_BADTYPE, 0, "cannot use C integer datatype for cast"); ++ ++ /* preprocess before compression */ ++ if (dtype_class == H5Z_SCALEOFFSET_CLS_INTEGER) ++ H5Z__scaleoffset_precompress_i(*buf, d_nelmts, type, filavail, cd_values, &minbits, &minval); ++ ++ if (dtype_class == H5Z_SCALEOFFSET_CLS_FLOAT) ++ if (scale_type == 0) { /* variable-minimum-bits method */ ++ if (H5Z__scaleoffset_precompress_fd(*buf, d_nelmts, type, filavail, cd_values, &minbits, ++ &minval, D_val) == FAIL) ++ HGOTO_ERROR(H5E_PLINE, H5E_BADTYPE, 0, "pre-compression failed"); ++ } ++ ++ assert(minbits <= p.size * 8); ++ ++ /* calculate buffer size after compression ++ * minbits and minval are stored in the front of the 
compressed buffer ++ */ ++ p.minbits = minbits; ++ size_out = buf_offset + nbytes * p.minbits / (p.size * 8) + 1; /* may be 1 larger */ ++ ++ /* allocate memory space for compressed buffer */ ++ if (NULL == (outbuf = (unsigned char *)H5MM_malloc(size_out))) ++ HGOTO_ERROR(H5E_RESOURCE, H5E_NOSPACE, 0, "memory allocation failed for scaleoffset compression"); ++ ++ /* store minbits and minval in the front of output compressed buffer ++ * store byte by byte from least significant byte to most significant byte ++ * constant buffer size (21 bytes) is left for these two parameters ++ * 4 bytes for minbits, 1 byte for size of minval, 16 bytes for minval ++ */ ++ for (i = 0; i < 4; i++) ++ ((unsigned char *)outbuf)[i] = (unsigned char)((minbits & ((uint32_t)0xff << i * 8)) >> i * 8); ++ ++ ((unsigned char *)outbuf)[4] = sizeof(unsigned long long); ++ ++ for (i = 0; i < sizeof(unsigned long long); i++) ++ ((unsigned char *)outbuf)[5 + i] = ++ (unsigned char)((minval & ((unsigned long long)0xff << i * 8)) >> i * 8); ++ ++ /* Zero out remaining, unused bytes */ ++ /* (Looks like an error in the original determination of how many ++ * bytes would be needed for parameters. 
- QAK, 2010/08/19) ++ */ ++ used_bytes = 4 + 1 + sizeof(unsigned long long); ++ assert(used_bytes <= size_out); ++ unused_bytes = size_out - used_bytes; ++ memset(outbuf + 13, 0, unused_bytes); ++ ++ /* special case: minbits equal to full precision */ ++ if (minbits == p.size * 8) { ++ H5MM_memcpy(outbuf + buf_offset, *buf, nbytes); ++ /* free the original buffer */ ++ H5MM_xfree(*buf); ++ ++ *buf = outbuf; ++ outbuf = NULL; ++ *buf_size = size_out; ++ ret_value = buf_offset + nbytes; ++ goto done; ++ } ++ ++ /* compress the buffer if minbits not equal to zero ++ * minbits equal to zero only when fill value is not defined and ++ * all data elements have the same value ++ */ ++ if (minbits != 0) ++ H5Z__scaleoffset_compress((unsigned char *)*buf, d_nelmts, outbuf + buf_offset, ++ size_out - buf_offset, p); ++ } ++ ++ /* free the input buffer */ ++ H5MM_xfree(*buf); ++ ++ /* set return values */ ++ *buf = outbuf; ++ outbuf = NULL; ++ *buf_size = size_out; ++ ret_value = size_out; ++ ++done: ++ if (outbuf) ++ H5MM_xfree(outbuf); ++ FUNC_LEAVE_NOAPI(ret_value) ++} ++ ++/* ============ Scaleoffset Algorithm =============================================== ++ * assume one byte has 8 bit ++ * assume padding bit is 0 ++ * assume size of unsigned char is one byte ++ * assume one data item of certain datatype is stored continuously in bytes ++ * atomic datatype is treated on byte basis ++ */ ++ ++/* change byte order of input buffer either from little-endian to big-endian ++ * or from big-endian to little-endian 2/21/2005 ++ */ ++static void ++H5Z__scaleoffset_convert(void *buf, unsigned d_nelmts, unsigned dtype_size) ++{ ++ if (dtype_size > 1) { ++ size_t i, j; ++ unsigned char *buffer, temp; ++ ++ buffer = (unsigned char *)buf; ++ for (i = 0; i < d_nelmts * (size_t)dtype_size; i += dtype_size) ++ for (j = 0; j < dtype_size / 2; j++) { ++ /* swap pair of bytes */ ++ temp = buffer[i + j]; ++ buffer[i + j] = buffer[i + dtype_size - 1 - j]; ++ buffer[i + dtype_size - 1 - j] = 
temp; ++ } /* end for */ ++ } /* end if */ ++} /* end H5Z__scaleoffset_convert() */ ++ ++/* return ceiling of floating-point log2 function ++ * receive unsigned integer as argument 3/10/2005 ++ */ ++static unsigned ++H5Z__scaleoffset_log2(unsigned long long num) ++{ ++ unsigned v = 0; ++ unsigned long long lower_bound = 1; /* is power of 2, largest value <= num */ ++ unsigned long long val = num; ++ ++ while (val >>= 1) { ++ v++; ++ lower_bound <<= 1; ++ } ++ ++ if (num == lower_bound) ++ return v; ++ else ++ return v + 1; ++} ++ ++/* precompress for integer type */ ++static void ++H5Z__scaleoffset_precompress_i(void *data, unsigned d_nelmts, enum H5Z_scaleoffset_t type, unsigned filavail, ++ const unsigned cd_values[], uint32_t *minbits, unsigned long long *minval) ++{ ++ if (type == t_uchar) ++ H5Z_scaleoffset_precompress_1(unsigned char, data, d_nelmts, filavail, cd_values, minbits, minval); ++ else if (type == t_ushort) ++ H5Z_scaleoffset_precompress_1(unsigned short, data, d_nelmts, filavail, cd_values, minbits, minval); ++ else if (type == t_uint) ++ H5Z_scaleoffset_precompress_1(unsigned int, data, d_nelmts, filavail, cd_values, minbits, minval); ++ else if (type == t_ulong) ++ H5Z_scaleoffset_precompress_1(unsigned long, data, d_nelmts, filavail, cd_values, minbits, minval); ++ else if (type == t_ulong_long) ++ H5Z_scaleoffset_precompress_1(unsigned long long, data, d_nelmts, filavail, cd_values, minbits, ++ minval); ++ else if (type == t_schar) { ++ signed char *buf = (signed char *)data, min = 0, max = 0, filval = 0; ++ unsigned char span; ++ unsigned i; ++ ++ if (filavail == H5Z_SCALEOFFSET_FILL_DEFINED) { /* fill value defined */ ++ H5Z_scaleoffset_get_filval_1(signed char, cd_values, filval); ++ if (*minbits == ++ H5Z_SO_INT_MINBITS_DEFAULT) { /* minbits not set yet, calculate max, min, and minbits */ ++ H5Z_scaleoffset_max_min_1(i, d_nelmts, buf, filval, max, ++ min) if ((unsigned char)(max - min) > ++ (unsigned char)(~(unsigned char)0 - 2)) ++ { ++ 
*minbits = sizeof(signed char) * 8; ++ return; ++ } ++ span = (unsigned char)(max - min + 1); ++ *minbits = H5Z__scaleoffset_log2((unsigned long long)(span + 1)); ++ } ++ else /* minbits already set, only calculate min */ ++ H5Z_scaleoffset_min_1(i, d_nelmts, buf, filval, ++ min) if (*minbits != ++ sizeof(signed char) * ++ 8) /* change values if minbits != full precision */ ++ for (i = 0; i < d_nelmts; i++) buf[i] = ++ (signed char)((buf[i] == filval) ? (((unsigned char)1 << *minbits) - 1) ++ : (buf[i] - min)); ++ } ++ else { /* fill value undefined */ ++ if (*minbits == ++ H5Z_SO_INT_MINBITS_DEFAULT) { /* minbits not set yet, calculate max, min, and minbits */ ++ H5Z_scaleoffset_max_min_2(i, d_nelmts, buf, max, ++ min) if ((unsigned char)(max - min) > ++ (unsigned char)(~(unsigned char)0 - 2)) ++ { ++ *minbits = sizeof(signed char) * 8; ++ *minval = (unsigned long long)min; ++ return; ++ } ++ span = (unsigned char)(max - min + 1); ++ *minbits = H5Z__scaleoffset_log2((unsigned long long)span); ++ } ++ else /* minbits already set, only calculate min */ ++ H5Z_scaleoffset_min_2(i, d_nelmts, buf, ++ min) if (*minbits != ++ sizeof(signed char) * ++ 8) /* change values if minbits != full precision */ ++ for (i = 0; i < d_nelmts; i++) buf[i] = (signed char)(buf[i] - min); ++ } ++ *minval = (unsigned long long)min; ++ } ++ else if (type == t_short) ++ H5Z_scaleoffset_precompress_2(short, data, d_nelmts, filavail, cd_values, minbits, minval); ++ else if (type == t_int) ++ H5Z_scaleoffset_precompress_2(int, data, d_nelmts, filavail, cd_values, minbits, minval); ++ else if (type == t_long) ++ H5Z_scaleoffset_precompress_2(long, data, d_nelmts, filavail, cd_values, minbits, minval); ++ else if (type == t_long_long) ++ H5Z_scaleoffset_precompress_2(long long, data, d_nelmts, filavail, cd_values, minbits, minval); ++} ++ ++/* postdecompress for integer type */ ++static void ++H5Z__scaleoffset_postdecompress_i(void *data, unsigned d_nelmts, enum H5Z_scaleoffset_t type, ++ 
unsigned filavail, const unsigned cd_values[], uint32_t minbits, ++ unsigned long long minval) ++{ ++ long long sminval = *(long long *)&minval; /* for signed integer types */ ++ ++ if (type == t_uchar) ++ H5Z_scaleoffset_postdecompress_1(unsigned char, data, d_nelmts, filavail, cd_values, minbits, minval); ++ else if (type == t_ushort) ++ H5Z_scaleoffset_postdecompress_1(unsigned short, data, d_nelmts, filavail, cd_values, minbits, ++ minval); ++ else if (type == t_uint) ++ H5Z_scaleoffset_postdecompress_1(unsigned int, data, d_nelmts, filavail, cd_values, minbits, minval); ++ else if (type == t_ulong) ++ H5Z_scaleoffset_postdecompress_1(unsigned long, data, d_nelmts, filavail, cd_values, minbits, minval); ++ else if (type == t_ulong_long) ++ H5Z_scaleoffset_postdecompress_1(unsigned long long, data, d_nelmts, filavail, cd_values, minbits, ++ minval); ++ else if (type == t_schar) { ++ signed char *buf = (signed char *)data, filval = 0; ++ unsigned i; ++ ++ if (filavail == H5Z_SCALEOFFSET_FILL_DEFINED) { /* fill value defined */ ++ H5Z_scaleoffset_get_filval_1(signed char, cd_values, filval); ++ for (i = 0; i < d_nelmts; i++) ++ buf[i] = (signed char)((buf[i] == (((unsigned char)1 << minbits) - 1)) ? 
filval ++ : (buf[i] + sminval)); ++ } ++ else /* fill value undefined */ ++ for (i = 0; i < d_nelmts; i++) ++ buf[i] = (signed char)(buf[i] + sminval); ++ } ++ else if (type == t_short) ++ H5Z_scaleoffset_postdecompress_2(short, data, d_nelmts, filavail, cd_values, minbits, sminval); ++ else if (type == t_int) ++ H5Z_scaleoffset_postdecompress_2(int, data, d_nelmts, filavail, cd_values, minbits, sminval); ++ else if (type == t_long) ++ H5Z_scaleoffset_postdecompress_2(long, data, d_nelmts, filavail, cd_values, minbits, sminval); ++ else if (type == t_long_long) ++ H5Z_scaleoffset_postdecompress_2(long long, data, d_nelmts, filavail, cd_values, minbits, sminval); ++} ++ ++/* precompress for floating-point type, variable-minimum-bits method ++ success: non-negative, failure: negative 4/15/05 */ ++static herr_t ++H5Z__scaleoffset_precompress_fd(void *data, unsigned d_nelmts, enum H5Z_scaleoffset_t type, unsigned filavail, ++ const unsigned cd_values[], uint32_t *minbits, unsigned long long *minval, ++ double D_val) ++{ ++ herr_t ret_value = SUCCEED; /* Return value */ ++ ++ FUNC_ENTER_PACKAGE ++ ++ if (type == t_float) ++ H5Z_scaleoffset_precompress_3(float, powf, fabsf, roundf, lroundf, llroundf, data, d_nelmts, filavail, ++ cd_values, minbits, minval, D_val); ++ else if (type == t_double) ++ H5Z_scaleoffset_precompress_3(double, pow, fabs, round, lround, llround, data, d_nelmts, filavail, ++ cd_values, minbits, minval, D_val); ++ ++done: ++ FUNC_LEAVE_NOAPI(ret_value) ++} ++ ++/* postdecompress for floating-point type, variable-minimum-bits method ++ success: non-negative, failure: negative 4/15/05 */ ++static herr_t ++H5Z__scaleoffset_postdecompress_fd(void *data, unsigned d_nelmts, enum H5Z_scaleoffset_t type, ++ unsigned filavail, const unsigned cd_values[], uint32_t minbits, ++ unsigned long long minval, double D_val) ++{ ++ long long sminval = (long long)minval; /* for signed integer types */ ++ herr_t ret_value = SUCCEED; /* Return value */ ++ ++ 
FUNC_ENTER_PACKAGE ++ ++ if (type == t_float) ++ H5Z_scaleoffset_postdecompress_3(float, powf, data, d_nelmts, filavail, cd_values, minbits, sminval, ++ D_val); ++ else if (type == t_double) ++ H5Z_scaleoffset_postdecompress_3(double, pow, data, d_nelmts, filavail, cd_values, minbits, sminval, ++ D_val); ++ ++done: ++ FUNC_LEAVE_NOAPI(ret_value) ++} ++ ++static void ++H5Z__scaleoffset_next_byte(size_t *j, unsigned *buf_len) ++{ ++ ++(*j); ++ *buf_len = 8 * sizeof(unsigned char); ++} ++ ++static void ++H5Z__scaleoffset_decompress_one_byte(unsigned char *data, size_t data_offset, unsigned k, unsigned begin_i, ++ const unsigned char *buffer, size_t *j, unsigned *buf_len, ++ parms_atomic p, unsigned dtype_len) ++{ ++ unsigned dat_len; /* dat_len is the number of bits to be copied in each data byte */ ++ unsigned char val; /* value to be copied in each data byte */ ++ ++ /* initialize value and bits of unsigned char to be copied */ ++ val = buffer[*j]; ++ if (k == begin_i) ++ dat_len = 8 - (dtype_len - p.minbits) % 8; ++ else ++ dat_len = 8; ++ ++ if (*buf_len > dat_len) { ++ data[data_offset + k] = ++ (unsigned char)((unsigned)(val >> (*buf_len - dat_len)) & (unsigned)(~((unsigned)~0 << dat_len))); ++ *buf_len -= dat_len; ++ } /* end if */ ++ else { ++ data[data_offset + k] = ++ (unsigned char)((val & ~((unsigned)(~0) << *buf_len)) << (dat_len - *buf_len)); ++ dat_len -= *buf_len; ++ H5Z__scaleoffset_next_byte(j, buf_len); ++ if (dat_len == 0) ++ return; ++ ++ val = buffer[*j]; ++ data[data_offset + k] |= ++ (unsigned char)((unsigned)(val >> (*buf_len - dat_len)) & ~((unsigned)(~0) << dat_len)); ++ *buf_len -= dat_len; ++ } /* end else */ ++} ++ ++static void ++H5Z__scaleoffset_decompress_one_atomic(unsigned char *data, size_t data_offset, unsigned char *buffer, ++ size_t *j, unsigned *buf_len, parms_atomic p) ++{ ++ /* begin_i: the index of byte having first significant bit */ ++ unsigned begin_i; ++ unsigned dtype_len; ++ int k; ++ ++ assert(p.minbits > 0); ++ ++ 
dtype_len = p.size * 8; ++ ++ if (p.mem_order == H5Z_SCALEOFFSET_ORDER_LE) { /* little endian */ ++ begin_i = p.size - 1 - (dtype_len - p.minbits) / 8; ++ ++ for (k = (int)begin_i; k >= 0; k--) ++ H5Z__scaleoffset_decompress_one_byte(data, data_offset, (unsigned)k, begin_i, buffer, j, buf_len, ++ p, dtype_len); ++ } ++ else { /* big endian */ ++ assert(p.mem_order == H5Z_SCALEOFFSET_ORDER_BE); ++ ++ begin_i = (dtype_len - p.minbits) / 8; ++ ++ for (k = (int)begin_i; k <= (int)(p.size - 1); k++) ++ H5Z__scaleoffset_decompress_one_byte(data, data_offset, (unsigned)k, begin_i, buffer, j, buf_len, ++ p, dtype_len); ++ } ++} ++ ++static void ++H5Z__scaleoffset_decompress(unsigned char *data, unsigned d_nelmts, unsigned char *buffer, parms_atomic p) ++{ ++ /* i: index of data, j: index of buffer, ++ buf_len: number of bits to be filled in current byte */ ++ size_t i, j; ++ unsigned buf_len; ++ ++ /* must initialize to zeros */ ++ for (i = 0; i < d_nelmts * (size_t)p.size; i++) ++ data[i] = 0; ++ ++ /* initialization before the loop */ ++ j = 0; ++ buf_len = sizeof(unsigned char) * 8; ++ ++ /* decompress */ ++ for (i = 0; i < d_nelmts; i++) ++ H5Z__scaleoffset_decompress_one_atomic(data, i * p.size, buffer, &j, &buf_len, p); ++} ++ ++static void ++H5Z__scaleoffset_compress_one_byte(const unsigned char *data, size_t data_offset, unsigned k, ++ unsigned begin_i, unsigned char *buffer, size_t *j, unsigned *buf_len, ++ parms_atomic p, unsigned dtype_len) ++{ ++ unsigned dat_len; /* dat_len is the number of bits to be copied in each data byte */ ++ unsigned char val; /* value to be copied in each data byte */ ++ ++ /* initialize value and bits of unsigned char to be copied */ ++ val = data[data_offset + k]; ++ if (k == begin_i) ++ dat_len = 8 - (dtype_len - p.minbits) % 8; ++ else ++ dat_len = 8; ++ ++ if (*buf_len > dat_len) { ++ buffer[*j] |= (unsigned char)((val & ~((unsigned)(~0) << dat_len)) << (*buf_len - dat_len)); ++ *buf_len -= dat_len; ++ } ++ else { ++ buffer[*j] |= 
++ (unsigned char)((unsigned)(val >> (dat_len - *buf_len)) & ~((unsigned)(~0) << *buf_len)); ++ dat_len -= *buf_len; ++ H5Z__scaleoffset_next_byte(j, buf_len); ++ if (dat_len == 0) ++ return; ++ ++ buffer[*j] = (unsigned char)((val & ~((unsigned)(~0) << dat_len)) << (*buf_len - dat_len)); ++ *buf_len -= dat_len; ++ } /* end else */ ++} ++ ++static void ++H5Z__scaleoffset_compress_one_atomic(unsigned char *data, size_t data_offset, unsigned char *buffer, ++ size_t *j, unsigned *buf_len, parms_atomic p) ++{ ++ /* begin_i: the index of byte having first significant bit */ ++ unsigned begin_i; ++ unsigned dtype_len; ++ int k; ++ ++ assert(p.minbits > 0); ++ ++ dtype_len = p.size * 8; ++ ++ if (p.mem_order == H5Z_SCALEOFFSET_ORDER_LE) { /* little endian */ ++ begin_i = p.size - 1 - (dtype_len - p.minbits) / 8; ++ ++ for (k = (int)begin_i; k >= 0; k--) ++ H5Z__scaleoffset_compress_one_byte(data, data_offset, (unsigned)k, begin_i, buffer, j, buf_len, p, ++ dtype_len); ++ } ++ else { /* big endian */ ++ assert(p.mem_order == H5Z_SCALEOFFSET_ORDER_BE); ++ begin_i = (dtype_len - p.minbits) / 8; ++ ++ for (k = (int)begin_i; k <= (int)(p.size - 1); k++) ++ H5Z__scaleoffset_compress_one_byte(data, data_offset, (unsigned)k, begin_i, buffer, j, buf_len, p, ++ dtype_len); ++ } ++} ++ ++static void ++H5Z__scaleoffset_compress(unsigned char *data, unsigned d_nelmts, unsigned char *buffer, size_t buffer_size, ++ parms_atomic p) ++{ ++ /* i: index of data, j: index of buffer, ++ buf_len: number of bits to be filled in current byte */ ++ size_t i, j; ++ unsigned buf_len; ++ ++ /* must initialize buffer to be zeros */ ++ for (j = 0; j < buffer_size; j++) ++ buffer[j] = 0; ++ ++ /* initialization before the loop */ ++ j = 0; ++ buf_len = sizeof(unsigned char) * 8; ++ ++ /* compress */ ++ for (i = 0; i < d_nelmts; i++) ++ H5Z__scaleoffset_compress_one_atomic(data, i * p.size, buffer, &j, &buf_len, p); ++} +-- +2.34.1 + 
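Review bot: In the H5Z_FLAG_REVERSE branch of H5Z__filter_scaleoffset(), the two H5_IS_BUFFER_OVERFLOW checks only prove that the first 5 + minval_size bytes of *buf exist, yet the payload is then read from *buf + buf_offset (21) by H5Z__scaleoffset_decompress(), which takes no input length, unlike H5Z__scaleoffset_compress(), which receives size_out - buf_offset. Consider rejecting chunks where *buf_size is smaller than buf_offset plus the d_nelmts * minbits bits the loop consumes, and passing the remaining length down so H5Z__scaleoffset_decompress_one_byte() cannot advance *j past the end of the input. Separately, the check `if (minbits >= p.size * 8)` makes the later `minbits == p.size * 8` full-precision memcpy branch unreachable, while the compress path still writes chunks with that value; if `>` is the intended comparison it should be used, otherwise the dead branch and the following assert should be dropped.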
diff --git a/meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb b/meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb index d821fb8f34..47955c876e 100644 --- a/meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb +++ b/meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb 
@@ -29,6 +29,7 @@ SRC_URI = " \ file://CVE-2025-2310.patch \ file://CVE-2025-44905.patch \ file://CVE-2025-2309.patch \ + file://CVE-2025-2308.patch \ " SRC_URI[sha256sum] = "019ac451d9e1cf89c0482ba2a06f07a46166caf23f60fea5ef3c37724a318e03"
From patchwork Thu Apr 9 06:19:02 2026
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: "Wang, Jinfeng (CN)"
X-Patchwork-Id: 85569
Subject: [meta-python][scarthgap][PATCH 09/11] python3-django: fix CVE-2025-57833
Date: Thu, 9 Apr 2026 14:19:02 +0800
Message-ID: <20260409061904.1694992-10-jinfeng.wang.cn@windriver.com>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20260409061904.1694992-1-jinfeng.wang.cn@windriver.com>
References: <20260409061904.1694992-1-jinfeng.wang.cn@windriver.com>
MIME-Version: 1.0
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/126120

From: Haixiao Yan

FilteredRelation was subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to QuerySet.annotate() or QuerySet.alias().

Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-57833
Upstream-patch: https://github.com/django/django/commit/31334e6965ad136a5e369993b01721499c5d1a92

Signed-off-by: Haixiao Yan
Signed-off-by: Jinfeng Wang
--- .../CVE-2025-57833.patch | 88 +++++++++++++++++++ .../python/python3-django_5.0.14.bb | 1 + 2 files changed, 89 insertions(+) create mode 100644 meta-python/recipes-devtools/python/python3-django-5.0.14/CVE-2025-57833.patch diff --git a/meta-python/recipes-devtools/python/python3-django-5.0.14/CVE-2025-57833.patch b/meta-python/recipes-devtools/python/python3-django-5.0.14/CVE-2025-57833.patch new file mode 100644 index 0000000000..cef0b30a59 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-django-5.0.14/CVE-2025-57833.patch 
@@ -0,0 +1,88 @@ +From 61b7449dc4ed51ce1fecd7b5a22b52fbc961c5bf Mon Sep 17 00:00:00 2001 +From: Jake Howard +Date: Wed, 13 Aug 2025 14:13:42 +0200 +Subject: [PATCH 1/2] [4.2.x] Fixed CVE-2025-57833 -- Protected + FilteredRelation against SQL injection in column aliases. + +Thanks Eyal Gabay (EyalSec) for the report. + +Backport of 51711717098d3f469f795dfa6bc3758b24f69ef7 from main. + +CVE: CVE-2025-57833 + +Upstream-Status: Backport [https://github.com/django/django/commit/31334e6965ad136a5e369993b01721499c5d1a92] + +Signed-off-by: Haixiao Yan +--- + django/db/models/sql/query.py | 1 + + tests/annotations/tests.py | 24 ++++++++++++++++++++++++ + 2 files changed, 25 insertions(+) + +diff --git a/django/db/models/sql/query.py b/django/db/models/sql/query.py +index fe6baca607a9..6a86a184d8b4 100644 +--- a/django/db/models/sql/query.py ++++ b/django/db/models/sql/query.py +@@ -1663,6 +1663,7 @@ class Query(BaseExpression): + return target_clause, needed_inner + + def add_filtered_relation(self, filtered_relation, alias): ++ self.check_alias(alias) + filtered_relation.alias = alias + relation_lookup_parts, relation_field_parts, _ = self.solve_lookup_type( + filtered_relation.relation_name +diff --git a/tests/annotations/tests.py b/tests/annotations/tests.py +index f1260b41926b..01fa6958db7b 100644 +--- a/tests/annotations/tests.py ++++ b/tests/annotations/tests.py +@@ -12,6 +12,7 @@ from django.db.models import ( + Exists, + ExpressionWrapper, + F, ++ FilteredRelation, + FloatField, + Func, + IntegerField, +@@ -1132,6 +1133,15 @@ class NonAggregateAnnotationTestCase(TestCase): + with self.assertRaisesMessage(ValueError, msg): + Book.objects.annotate(**{crafted_alias: Value(1)}) + ++ def test_alias_filtered_relation_sql_injection(self): ++ crafted_alias = """injected_name" from "annotations_book"; --""" ++ msg = ( ++ "Column aliases cannot contain whitespace characters, quotation marks, " ++ "semicolons, or SQL comments." 
++ ) ++ with self.assertRaisesMessage(ValueError, msg): ++ Book.objects.annotate(**{crafted_alias: FilteredRelation("author")}) ++ + def test_alias_forbidden_chars(self): + tests = [ + 'al"ias', +@@ -1157,6 +1167,11 @@ class NonAggregateAnnotationTestCase(TestCase): + with self.assertRaisesMessage(ValueError, msg): + Book.objects.annotate(**{crafted_alias: Value(1)}) + ++ with self.assertRaisesMessage(ValueError, msg): ++ Book.objects.annotate( ++ **{crafted_alias: FilteredRelation("authors")} ++ ) ++ + + class AliasTests(TestCase): + @classmethod +@@ -1429,3 +1444,12 @@ class AliasTests(TestCase): + ) + with self.assertRaisesMessage(ValueError, msg): + Book.objects.alias(**{crafted_alias: Value(1)}) ++ ++ def test_alias_filtered_relation_sql_injection(self): ++ crafted_alias = """injected_name" from "annotations_book"; --""" ++ msg = ( ++ "Column aliases cannot contain whitespace characters, quotation marks, " ++ "semicolons, or SQL comments." ++ ) ++ with self.assertRaisesMessage(ValueError, msg): ++ Book.objects.alias(**{crafted_alias: FilteredRelation("authors")}) +-- +2.34.1 + diff --git a/meta-python/recipes-devtools/python/python3-django_5.0.14.bb b/meta-python/recipes-devtools/python/python3-django_5.0.14.bb index 84dd9dd5f4..0f6a55a0b3 100644 --- a/meta-python/recipes-devtools/python/python3-django_5.0.14.bb +++ b/meta-python/recipes-devtools/python/python3-django_5.0.14.bb 
@@ -7,6 +7,7 @@ CVE_STATUS[CVE-2025-27556] = "not-applicable-platform: Issue only applies on Win SRC_URI += "file://CVE-2025-64460.patch \ file://CVE-2025-64459-1.patch \ file://CVE-2025-64459-2.patch \ + file://CVE-2025-57833.patch \ " SRC_URI[sha256sum] = "29019a5763dbd48da1720d687c3522ef40d1c61be6fb2fad27ed79e9f655bc11"
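Review bot: The embedded CVE-2025-57833.patch is labelled "[PATCH 1/2] [4.2.x]" in its Subject line, but the recipe it is added to is python3-django_5.0.14.bb, so the django/db/models/sql/query.py hunk (@@ -1663,6 +1663,7 @@) should be confirmed to apply to the 5.0.14 sources without fuzz or offset warnings. If it does not, refresh the hunk against 5.0.14 and say so in the patch header next to the Upstream-Status line.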
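Review bot: In the tests/annotations/tests.py hunk at @@ -1132,6 +1133,15 @@, the new test passes FilteredRelation("author"), while the two other tests added by this patch pass FilteredRelation("authors"). Because self.check_alias(alias) is the first statement of add_filtered_relation, ahead of solve_lookup_type(filtered_relation.relation_name), the ValueError is raised before the relation name is ever resolved, so all three tests only prove the alias check and none of them exercises relation lookup. Keep the text as upstream has it for a backport, but do not read these tests as coverage of valid FilteredRelation names.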
Subject: [meta-python][scarthgap][PATCH 10/11] python3-django: fix CVE-2025-59681 Date: Thu, 9 Apr 2026 14:19:03 +0800 Message-ID: <20260409061904.1694992-11-jinfeng.wang.cn@windriver.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20260409061904.1694992-1-jinfeng.wang.cn@windriver.com> References: <20260409061904.1694992-1-jinfeng.wang.cn@windriver.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/126121 From: Haixiao Yan QuerySet.annotate(), QuerySet.alias(), QuerySet.aggregate(), and QuerySet.extra() methods were subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to these methods on MySQL and MariaDB. Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-59681 Upstream-patch: https://github.com/django/django/commit/38d9ef8c7b5cb6ef51b933e51a20e0e0063f33d5 Signed-off-by: Haixiao Yan Signed-off-by: Jinfeng Wang --- .../CVE-2025-59681.patch | 179 ++++++++++++++++++ .../python/python3-django_5.0.14.bb | 1 + 2 files changed, 180 insertions(+) create mode 100644 meta-python/recipes-devtools/python/python3-django-5.0.14/CVE-2025-59681.patch diff --git a/meta-python/recipes-devtools/python/python3-django-5.0.14/CVE-2025-59681.patch b/meta-python/recipes-devtools/python/python3-django-5.0.14/CVE-2025-59681.patch new file mode 100644 index 0000000000..c62a848aa7 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-django-5.0.14/CVE-2025-59681.patch
@@ -0,0 +1,179 @@ +From 3626cf164dd785625a5f8402c621019707094782 Mon Sep 17 00:00:00 2001 +From: Mariusz Felisiak +Date: Wed, 10 Sep 2025 09:53:52 +0200 +Subject: [PATCH 2/2] [4.2.x] Fixed CVE-2025-59681 -- Protected + QuerySet.annotate(), alias(), aggregate(), and extra() against SQL injection + in column aliases on MySQL/MariaDB. + +Thanks sw0rd1ight for the report. + +Follow up to 93cae5cb2f9a4ef1514cf1a41f714fef08005200. + +Backport of 41b43c74bda19753c757036673ea9db74acf494a from main. + +CVE: CVE-2025-59681 + +Upstream-Status: Backport [https://github.com/django/django/commit/38d9ef8c7b5cb6ef51b933e51a20e0e +0063f33d5] + +Signed-off-by: Haixiao Yan +--- + django/db/models/sql/query.py | 8 ++++---- + tests/aggregation/tests.py | 4 ++-- + tests/annotations/tests.py | 23 ++++++++++++----------- + tests/expressions/test_queryset_values.py | 8 ++++---- + tests/queries/tests.py | 4 ++-- + 5 files changed, 24 insertions(+), 23 deletions(-) + +diff --git a/django/db/models/sql/query.py b/django/db/models/sql/query.py +index 6a86a184d8b4..aa348ddf5ff8 100644 +--- a/django/db/models/sql/query.py ++++ b/django/db/models/sql/query.py +@@ -47,9 +47,9 @@ from django.utils.tree import Node + + __all__ = ["Query", "RawQuery"] + +-# Quotation marks ('"`[]), whitespace characters, semicolons, or inline ++# Quotation marks ('"`[]), whitespace characters, semicolons, hashes, or inline + # SQL comments are forbidden in column aliases. +-FORBIDDEN_ALIAS_PATTERN = _lazy_re_compile(r"['`\"\]\[;\s]|--|/\*|\*/") ++FORBIDDEN_ALIAS_PATTERN = _lazy_re_compile(r"['`\"\]\[;\s]|#|--|/\*|\*/") + + # Inspired from + # https://www.postgresql.org/docs/current/sql-syntax-lexical.html#SQL-SYNTAX-IDENTIFIERS +@@ -1188,8 +1188,8 @@ class Query(BaseExpression): + def check_alias(self, alias): + if FORBIDDEN_ALIAS_PATTERN.search(alias): + raise ValueError( +- "Column aliases cannot contain whitespace characters, quotation marks, " +- "semicolons, or SQL comments." 
++ "Column aliases cannot contain whitespace characters, hashes, " ++ "quotation marks, semicolons, or SQL comments." + ) + + def add_annotation(self, annotation, alias, select=True): +diff --git a/tests/aggregation/tests.py b/tests/aggregation/tests.py +index 48266d97746b..277c0507f7d9 100644 +--- a/tests/aggregation/tests.py ++++ b/tests/aggregation/tests.py +@@ -2090,8 +2090,8 @@ class AggregateTestCase(TestCase): + def test_alias_sql_injection(self): + crafted_alias = """injected_name" from "aggregation_author"; --""" + msg = ( +- "Column aliases cannot contain whitespace characters, quotation marks, " +- "semicolons, or SQL comments." ++ "Column aliases cannot contain whitespace characters, hashes, quotation " ++ "marks, semicolons, or SQL comments." + ) + with self.assertRaisesMessage(ValueError, msg): + Author.objects.aggregate(**{crafted_alias: Avg("age")}) +diff --git a/tests/annotations/tests.py b/tests/annotations/tests.py +index 01fa6958db7b..ac40408977ae 100644 +--- a/tests/annotations/tests.py ++++ b/tests/annotations/tests.py +@@ -1127,8 +1127,8 @@ class NonAggregateAnnotationTestCase(TestCase): + def test_alias_sql_injection(self): + crafted_alias = """injected_name" from "annotations_book"; --""" + msg = ( +- "Column aliases cannot contain whitespace characters, quotation marks, " +- "semicolons, or SQL comments." ++ "Column aliases cannot contain whitespace characters, hashes, quotation " ++ "marks, semicolons, or SQL comments." + ) + with self.assertRaisesMessage(ValueError, msg): + Book.objects.annotate(**{crafted_alias: Value(1)}) +@@ -1136,8 +1136,8 @@ class NonAggregateAnnotationTestCase(TestCase): + def test_alias_filtered_relation_sql_injection(self): + crafted_alias = """injected_name" from "annotations_book"; --""" + msg = ( +- "Column aliases cannot contain whitespace characters, quotation marks, " +- "semicolons, or SQL comments." 
++ "Column aliases cannot contain whitespace characters, hashes, quotation " ++ "marks, semicolons, or SQL comments." + ) + with self.assertRaisesMessage(ValueError, msg): + Book.objects.annotate(**{crafted_alias: FilteredRelation("author")}) +@@ -1154,13 +1154,14 @@ class NonAggregateAnnotationTestCase(TestCase): + "ali/*as", + "alias*/", + "alias;", +- # [] are used by MSSQL. ++ # [] and # are used by MSSQL. + "alias[", + "alias]", ++ "ali#as", + ] + msg = ( +- "Column aliases cannot contain whitespace characters, quotation marks, " +- "semicolons, or SQL comments." ++ "Column aliases cannot contain whitespace characters, hashes, quotation " ++ "marks, semicolons, or SQL comments." + ) + for crafted_alias in tests: + with self.subTest(crafted_alias): +@@ -1439,8 +1440,8 @@ class AliasTests(TestCase): + def test_alias_sql_injection(self): + crafted_alias = """injected_name" from "annotations_book"; --""" + msg = ( +- "Column aliases cannot contain whitespace characters, quotation marks, " +- "semicolons, or SQL comments." ++ "Column aliases cannot contain whitespace characters, hashes, quotation " ++ "marks, semicolons, or SQL comments." + ) + with self.assertRaisesMessage(ValueError, msg): + Book.objects.alias(**{crafted_alias: Value(1)}) +@@ -1448,8 +1449,8 @@ class AliasTests(TestCase): + def test_alias_filtered_relation_sql_injection(self): + crafted_alias = """injected_name" from "annotations_book"; --""" + msg = ( +- "Column aliases cannot contain whitespace characters, quotation marks, " +- "semicolons, or SQL comments." ++ "Column aliases cannot contain whitespace characters, hashes, quotation " ++ "marks, semicolons, or SQL comments." 
+ ) + with self.assertRaisesMessage(ValueError, msg): + Book.objects.alias(**{crafted_alias: FilteredRelation("authors")}) +diff --git a/tests/expressions/test_queryset_values.py b/tests/expressions/test_queryset_values.py +index 47bd1358de54..080ee06183dc 100644 +--- a/tests/expressions/test_queryset_values.py ++++ b/tests/expressions/test_queryset_values.py +@@ -37,8 +37,8 @@ class ValuesExpressionsTests(TestCase): + def test_values_expression_alias_sql_injection(self): + crafted_alias = """injected_name" from "expressions_company"; --""" + msg = ( +- "Column aliases cannot contain whitespace characters, quotation marks, " +- "semicolons, or SQL comments." ++ "Column aliases cannot contain whitespace characters, hashes, quotation " ++ "marks, semicolons, or SQL comments." + ) + with self.assertRaisesMessage(ValueError, msg): + Company.objects.values(**{crafted_alias: F("ceo__salary")}) +@@ -47,8 +47,8 @@ class ValuesExpressionsTests(TestCase): + def test_values_expression_alias_sql_injection_json_field(self): + crafted_alias = """injected_name" from "expressions_company"; --""" + msg = ( +- "Column aliases cannot contain whitespace characters, quotation marks, " +- "semicolons, or SQL comments." ++ "Column aliases cannot contain whitespace characters, hashes, quotation " ++ "marks, semicolons, or SQL comments." + ) + with self.assertRaisesMessage(ValueError, msg): + JSONFieldModel.objects.values(f"data__{crafted_alias}") +diff --git a/tests/queries/tests.py b/tests/queries/tests.py +index 5df231949194..91dce6170361 100644 +--- a/tests/queries/tests.py ++++ b/tests/queries/tests.py +@@ -1942,8 +1942,8 @@ class Queries5Tests(TestCase): + def test_extra_select_alias_sql_injection(self): + crafted_alias = """injected_name" from "queries_note"; --""" + msg = ( +- "Column aliases cannot contain whitespace characters, quotation marks, " +- "semicolons, or SQL comments." 
++ "Column aliases cannot contain whitespace characters, hashes, quotation " ++ "marks, semicolons, or SQL comments." + ) + with self.assertRaisesMessage(ValueError, msg): + Note.objects.extra(select={crafted_alias: "1"}) +-- +2.34.1 + diff --git a/meta-python/recipes-devtools/python/python3-django_5.0.14.bb b/meta-python/recipes-devtools/python/python3-django_5.0.14.bb index 0f6a55a0b3..8a7cd2be16 100644 --- a/meta-python/recipes-devtools/python/python3-django_5.0.14.bb +++ b/meta-python/recipes-devtools/python/python3-django_5.0.14.bb 
@@ -8,6 +8,7 @@ SRC_URI += "file://CVE-2025-64460.patch \ file://CVE-2025-64459-1.patch \ file://CVE-2025-64459-2.patch \ file://CVE-2025-57833.patch \ + file://CVE-2025-59681.patch \ " SRC_URI[sha256sum] = "29019a5763dbd48da1720d687c3522ef40d1c61be6fb2fad27ed79e9f655bc11"
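Review bot: The Upstream-Status tag in the header of the embedded CVE-2025-59681.patch is broken across two lines: the commit URL ends at "...51a20e0e" on the Upstream-Status line and continues with "0063f33d5]" on the next one. Put the whole "Upstream-Status: Backport [https://github.com/django/django/commit/38d9ef8c7b5cb6ef51b933e51a20e0e0063f33d5]" on a single line so that the tag parses and the link resolves, as the CVE-2025-57833 patch in this series already does.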
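Review bot: In the tests/annotations/tests.py hunk at @@ -1154,13 +1154,14 @@, the updated comment reads "[] and # are used by MSSQL", while the patch subject and the commit message name MySQL/MariaDB as the platforms this fix is for. The comment is upstream's wording and should stay verbatim in a backport, but the commit message would be clearer with one sentence saying that the only functional change is the added "#" alternative in FORBIDDEN_ALIAS_PATTERN and that the remaining hunks only update the expected error text.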
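Review bot: The recipe hunk appends CVE-2025-59681.patch after CVE-2025-57833.patch, and that order is required rather than incidental, which the commit message does not say. The query.py index line of this patch starts from 6a86a184d8b4, the post-image of the CVE-2025-57833 patch, and its test hunks edit test_alias_filtered_relation_sql_injection, which only exists once that earlier patch is applied. Note the dependency in the commit message so the two entries are not reordered or dropped independently later.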
Subject: [meta-oe][scarthgap][PATCH 11/11] nmap: rename enum PCAP_SOCKET Date: Thu, 9 Apr 2026 14:19:04 +0800 Message-ID: <20260409061904.1694992-12-jinfeng.wang.cn@windriver.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20260409061904.1694992-1-jinfeng.wang.cn@windriver.com> References: <20260409061904.1694992-1-jinfeng.wang.cn@windriver.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/126122 From: Kai Kang It fails to build nmap after upgrade libpcap to 1.10.6 which defines the macro PCAP_SOCKET already. Rename the enum PCAP_SOCKET to NM_PCAP_SOCKET for nmap to make it work with libpcap 1.10.6. Signed-off-by: Kai Kang Signed-off-by: Jinfeng Wang --- .../files/nmap-rename-enum-PCAP_SOCKET.patch | 86 +++++++++++++++++++ meta-oe/recipes-security/nmap/nmap_7.80.bb | 1 + 2 files changed, 87 insertions(+) create mode 100644 meta-oe/recipes-security/nmap/files/nmap-rename-enum-PCAP_SOCKET.patch diff --git a/meta-oe/recipes-security/nmap/files/nmap-rename-enum-PCAP_SOCKET.patch b/meta-oe/recipes-security/nmap/files/nmap-rename-enum-PCAP_SOCKET.patch new file mode 100644 index 0000000000..e6bf26ebb6 --- /dev/null +++ b/meta-oe/recipes-security/nmap/files/nmap-rename-enum-PCAP_SOCKET.patch
@@ -0,0 +1,86 @@ +The enum PCAP_SOCKET conflicts with the one from libpcap 1.10.6 and fails to +compile: + +In file included from /path_to/tmp-glibc/work/corei7-64-wrs-linux/nmap/7.80/recipe-sysroot/usr/include/pcap/pcap.h:130, + from /path_to/tmp-glibc/work/corei7-64-wrs-linux/nmap/7.80/recipe-sysroot/usr/include/pcap.h:43, + from tcpip.h:140, + from nse_nsock.cc:4: +nse_nsock.cc:36:3: error: expected identifier before 'int' + 36 | PCAP_SOCKET = lua_upvalueindex(3), /* pcap socket metatable */ + | ^~~~~~~~~~~ +nse_nsock.cc:36:3: error: expected '}' before 'int' +nse_nsock.cc:33:6: note: to match this '{' + 33 | enum { + | ^ +nse_nsock.cc:36:15: error: expected unqualified-id before '=' token + 36 | PCAP_SOCKET = lua_upvalueindex(3), /* pcap socket metatable */ + | ^ +nse_nsock.cc:40:1: error: expected declaration before '}' token + 40 | }; + | ^ + +The enum PCAP_SOCKET is removed in nmap later version. But the removal commit +involves extra logic change, so just rename the enum PCAP_SOCKET to +NM_PCAP_SOCKET to make it work with libpcap 1.10.6. 
+ +Upstream-Status: Inappropriate [local fix to work with libpcap 1.10.6] + +Signed-off-by: Kai Kang +--- + nse_nsock.cc | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/nse_nsock.cc b/nse_nsock.cc +index df98666..9cecac6 100644 +--- a/nse_nsock.cc ++++ b/nse_nsock.cc +@@ -33,7 +33,7 @@ + enum { + NSOCK_POOL = lua_upvalueindex(1), + NSOCK_SOCKET = lua_upvalueindex(2), /* nsock socket metatable */ +- PCAP_SOCKET = lua_upvalueindex(3), /* pcap socket metatable */ ++ NM_PCAP_SOCKET = lua_upvalueindex(3), /* pcap socket metatable */ + THREAD_SOCKETS = lua_upvalueindex(4), /* */ + CONNECT_WAITING = lua_upvalueindex(5), /* Threads waiting to lock */ + KEY_PCAP = lua_upvalueindex(6) /* Keys to pcap sockets */ +@@ -959,7 +959,7 @@ static int nsock_gc (lua_State *L) + } + + +-/****************** PCAP_SOCKET ***********************************************/ ++/****************** NM_PCAP_SOCKET ***********************************************/ + + static void dnet_to_pcap_device_name (lua_State *L, const char *device) + { +@@ -1026,7 +1026,7 @@ static int l_pcap_open (lua_State *L) + nsock_iod_delete(*nsiod, NSOCK_PENDING_ERROR); + luaL_error(L, "can't open pcap reader on %s", device); + } +- lua_pushvalue(L, PCAP_SOCKET); ++ lua_pushvalue(L, NM_PCAP_SOCKET); + lua_setmetatable(L, -2); + lua_pushvalue(L, 7); /* the pcap socket key */ + lua_pushvalue(L, -2); /* the pcap socket nsiod */ +@@ -1134,7 +1134,7 @@ LUALIB_API int luaopen_nsock (lua_State *L) + /* library upvalues */ + nsock_pool nsp = new_pool(L); /* NSOCK_POOL */ + lua_newtable(L); /* NSOCK_SOCKET */ +- lua_newtable(L); /* PCAP_SOCKET */ ++ lua_newtable(L); /* NM_PCAP_SOCKET */ + nseU_weaktable(L, 0, MAX_PARALLELISM, "k"); /* THREAD_SOCKETS */ + nseU_weaktable(L, 0, 1000, "k"); /* CONNECT_WAITING */ + nseU_weaktable(L, 0, 0, "v"); /* KEY_PCAP */ +@@ -1154,11 +1154,11 @@ LUALIB_API int luaopen_nsock (lua_State *L) + lua_pop(L, 1); /* NSOCK_SOCKET */ + + /* Create the nsock pcap 
metatable */ +- lua_pushvalue(L, top+3); /* PCAP_SOCKET */ ++ lua_pushvalue(L, top+3); /* NM_PCAP_SOCKET */ + for (i = top+1; i <= top+nupvals; i++) lua_pushvalue(L, i); + lua_pushcclosure(L, pcap_gc, nupvals); + lua_setfield(L, top+3, "__gc"); +- lua_pop(L, 1); /* PCAP_SOCKET */ ++ lua_pop(L, 1); /* NM_PCAP_SOCKET */ + + #if HAVE_OPENSSL + /* Set up the SSL certificate userdata code in nse_ssl_cert.cc. */ diff --git a/meta-oe/recipes-security/nmap/nmap_7.80.bb b/meta-oe/recipes-security/nmap/nmap_7.80.bb index f9fe82a91d..18b1a50246 100644 --- a/meta-oe/recipes-security/nmap/nmap_7.80.bb +++ b/meta-oe/recipes-security/nmap/nmap_7.80.bb @@ -12,6 +12,7 @@ SRC_URI = "http://nmap.org/dist/${BP}.tar.bz2 \ file://0002-Fix-building-with-libc.patch \ file://0001-Make-ndiff-support-python3.patch \ file://0001-configure.ac-make-ndiff-depend-on-python3.patch \ + file://nmap-rename-enum-PCAP_SOCKET.patch \ " SRC_URI[md5sum] = "d37b75b06d1d40f27b76d60db420a1f5"
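Review bot: The header of nmap-rename-enum-PCAP_SOCKET.patch marks the change "Upstream-Status: Inappropriate [local fix to work with libpcap 1.10.6]", yet the description directly above it says the enum PCAP_SOCKET was removed in a later nmap version. Name that upstream commit or release in the description so that whoever upgrades the recipe past nmap_7.80.bb can tell when this local rename should be dropped.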
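Review bot: Several nse_nsock.cc hunks change comments only: the section banner at @@ -959,7 +959,7 @@ and the trailing "/* PCAP_SOCKET */" comments in luaopen_nsock at @@ -1134,7 +1134,7 @@ and @@ -1154,11 +1154,11 @@. The build failure quoted in the description comes from the enumerator at nse_nsock.cc:36, so only the enum entry and the lua_pushvalue(L, PCAP_SOCKET) call in l_pcap_open need the new name. Limiting the patch to those two lines would keep the delta against upstream smaller and make it easier to rebase.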