Missing assignment operator in H5::ArrayType causes potential double-free

Hello,

I have stumbled upon a bug in the C++ API for the ArrayType class. It has a copy constructor, but not an explicitly defined assignment operator. By default the compiler will generate an assignment operator that copies over the dimensions pointer value but not the data. Therefore, when both objects are destroyed the data will be freed the first time, and then an attempt to free it will happen again the second time leading to a hard crash. Here is some code to exercise this:

    #include <string>
    #include "H5Cpp.h"

    // Builds the array type through assignment, which goes through the
    // compiler-generated operator= of H5::ArrayType.
    H5::DataType getArr() {
       hsize_t *dims = new hsize_t[1];   // array form, to match delete[] below
       dims[0] = 5;
       H5::ArrayType ret;
       ret = H5::ArrayType(H5::PredType::NATIVE_INT, 1, dims);
       delete[] dims;
       return ret;
    }

    int main() {
       const std::string FILE_NAME("h5files/test.h5");

       H5::CompType compType((size_t)24);
       compType.insertMember("intMem", 0, H5::PredType::NATIVE_INT);
       compType.insertMember("arrMem", 4, getArr());

       H5::DataSpace space(0, 0);

       H5::H5File file(FILE_NAME, H5F_ACC_TRUNC);
       file.createDataSet("dset", compType, space);
       file.close();
       return 0;
    }

The solution is to define an assignment operator for ArrayType that performs exactly the same function as the existing assignment constructor.

Thanks,
Alex

This message and any enclosures are intended only for the addressee. Please
notify the sender by email if you are not the intended recipient. If you are
not the intended recipient, you may not use, copy, disclose, or distribute this
message or its contents or enclosures to any other person and any such actions
may be unlawful. Ball reserves the right to monitor and review all messages
and enclosures sent to or from this email address.
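
The ownership problem reported in this post, as an added example that is not part of the original thread or of the HDF5 sources. `ShallowAssign`, `DeepAssign` and the tracking helpers are hypothetical stand-ins for `H5::ArrayType`; the second release is counted instead of executed so the program finishes rather than crashing.

```cpp
#include <cstdio>
#include <set>

typedef unsigned long long dim_t;      // stand-in for hsize_t
static std::set<const void*> g_live;   // arrays allocated and not yet released
static int g_double_frees = 0;

static dim_t* clone_dims(const dim_t* src, int n) {
    if (!src) return nullptr;
    dim_t* p = new dim_t[n];
    for (int i = 0; i < n; ++i) p[i] = src[i];
    g_live.insert(p);
    return p;
}
static void release_dims(dim_t* p) {
    if (!p) return;
    if (g_live.erase(p) == 0) { ++g_double_frees; return; }  // counted, not freed again
    delete[] p;
}

// Copy constructor and destructor but no operator=: the compiler-generated
// assignment copies the pointer value, so two objects own one array.
struct ShallowAssign {
    int rank; dim_t* dims;
    ShallowAssign() : rank(0), dims(nullptr) {}
    ShallowAssign(int r, const dim_t* d) : rank(r), dims(clone_dims(d, r)) {}
    ShallowAssign(const ShallowAssign& o) : rank(o.rank), dims(clone_dims(o.dims, o.rank)) {}
    ~ShallowAssign() { release_dims(dims); }
};

// Same class plus an assignment operator that copies the array itself.
struct DeepAssign : ShallowAssign {
    DeepAssign() {}
    DeepAssign(int r, const dim_t* d) : ShallowAssign(r, d) {}
    DeepAssign(const DeepAssign& o) : ShallowAssign(o) {}
    DeepAssign& operator=(const DeepAssign& o) {
        if (this == &o) return *this;
        dim_t* fresh = clone_dims(o.dims, o.rank);  // copy before dropping the old array
        release_dims(dims);
        dims = fresh; rank = o.rank;
        return *this;
    }
};

// Repeats the assignment from getArr() and returns the double frees detected.
template <class T> int double_frees_after_assign() {
    g_live.clear(); g_double_frees = 0;
    const dim_t d[1] = {5};
    { T ret; ret = T(1, d); }  // the temporary is destroyed first, then ret
    return g_double_frees;
}
int main() {
    std::printf("double frees: implicit operator= %d, explicit operator= %d\n",
                double_frees_after_assign<ShallowAssign>(), double_frees_after_assign<DeepAssign>());
}
```

Building the real reproducer with AddressSanitizer (`-fsanitize=address`) reports this class of bug at the second `delete[]` without any tracking code.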

Thank you, Alex!
I entered bug HDFFV-9562 for this issue.

-Barbara


========================================================
Barbara Jones, The HDF Group Helpdesk, help@hdfgroup.org
Support Services: https://www.hdfgroup.org/services/


Hello,

This bug has still not been addressed in 1.10-alpha1.

Thanks,
Alex


Alex,

Yes, it was not addressed in alpha1. We have the fix and it will be in one of the alpha releases or in 1.10.0-beta.

Elena


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Elena Pourmal The HDF Group http://hdfgroup.org
1800 So. Oak St., Suite 203, Champaign IL 61820
217.531.6112
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

On Jan 29, 2016, at 4:11 PM, Court, Alex <acourt@ball.com> wrote:

Hello,

This bug has still not been addressed in 1.10-alpha1.

Thanks,
Alex

From: Hdf-forum [mailto:hdf-forum-bounces@lists.hdfgroup.org] On Behalf Of Barbara Jones
Sent: Wednesday, October 28, 2015 7:34 AM
To: HDF Users Discussion List
Subject: Re: [Hdf-forum] Missing assignment operator in H5::ArrayType causes potential double-free

Thank you, Alex!
I entered bug HDFFV-9562 for this issue.

-Barbara

========================================================
Barbara Jones, The HDF Group Helpdesk, help@hdfgroup.org
Support Services: https://www.hdfgroup.org/services/

From: Hdf-forum [mailto:hdf-forum-bounces@lists.hdfgroup.org] On Behalf Of Court, Alex
Sent: Tuesday, October 27, 2015 1:54 PM
To: hdf-forum@lists.hdfgroup.org
Subject: [Hdf-forum] Missing assignment operator in H5::ArrayType causes potential double-free

_______________________________________________
Hdf-forum is for HDF software users discussion.
Hdf-forum@lists.hdfgroup.org
http://lists.hdfgroup.org/mailman/listinfo/hdf-forum_lists.hdfgroup.org
Twitter: https://twitter.com/hdf5