Fix heap buffer overflow in NDCELL decompression path #785

Open: saddamr3e wants to merge 1 commit into Blosc:main from saddamr3e:ndcell-blockshape-validation

@saddamr3e

Fix a heap buffer overflow in the NDCELL filter caused by insufficient validation of block geometry embedded in the attacker-controlled b2nd metalayer.

Root Cause

ndcell_forward() and ndcell_backward() computed:

int32_t blocksize = (int32_t) typesize;
for (i = 0; i < ndim; i++) {
    blocksize *= blockshape[i];
}

using 32-bit arithmetic. A crafted blockshape could cause the product to wrap around and match the supplied block length, allowing malformed metadata to bypass validation.

Subsequent index calculations used the actual block dimensions, which could lead to out-of-bounds memory accesses during filter processing.

Fix

  • Compute block size using int64_t.
  • Reject non-positive typesize values.
  • Reject non-positive blockshape dimensions.
  • Abort processing when the running product exceeds the block length.
  • Update validation checks to compare against the 64-bit block size.

Tests

Added a dedicated regression test covering:

  • Blockshape values whose 32-bit product wraps onto the supplied block length.
  • Zero block dimensions.
  • Negative block dimensions.
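
The wraparound described under Root Cause and the checks listed under Fix, as an added example that is not the PR's or the project's code. The function names `blocksize_32` and `blocksize_checked`, the `-1` rejection value and the sample shapes are hypothetical and constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed sample geometries (not taken from the PR's regression test). */
static const int32_t SHAPE_OK[2]   = {64, 64};        /* 4 * 64 * 64 = 16384 */
static const int32_t SHAPE_WRAP[2] = {65536, 16385};  /* 4 * 2^16 * (2^14 + 1) = 2^32 + 2^18 */
static const int32_t SHAPE_NEG[2]  = {-64, -64};      /* signs cancel: product is 16384 */
static const int32_t SHAPE_ZERO[2] = {0, 64};

/* Hypothetical model of the 32-bit product. Unsigned arithmetic keeps the
   wraparound well-defined in this demo; the result is the low 32 bits. */
static int32_t blocksize_32(int32_t typesize, const int32_t *blockshape, int ndim) {
    uint32_t acc = (uint32_t) typesize;
    for (int i = 0; i < ndim; i++) {
        acc *= (uint32_t) blockshape[i];
    }
    return (int32_t) acc;
}

/* Hypothetical checked version following the "Fix" list.
   Returns the 64-bit block size, or -1 when the geometry must be rejected. */
static int64_t blocksize_checked(int32_t typesize, const int32_t *blockshape,
                                 int ndim, int32_t length) {
    if (typesize <= 0) return -1;
    int64_t acc = typesize;
    for (int i = 0; i < ndim; i++) {
        if (blockshape[i] <= 0) return -1;
        acc *= blockshape[i];         /* both factors fit in 31 bits: no int64 overflow */
        if (acc > length) return -1;  /* stop once the product passes the block length */
    }
    return acc;
}

int main(void) {
    const int32_t ts = 4;
    printf("wrap: 32-bit=%d checked=%lld (length 262144)\n",
           (int) blocksize_32(ts, SHAPE_WRAP, 2),
           (long long) blocksize_checked(ts, SHAPE_WRAP, 2, 262144));
    printf("neg:  32-bit=%d checked=%lld (length 16384)\n",
           (int) blocksize_32(ts, SHAPE_NEG, 2),
           (long long) blocksize_checked(ts, SHAPE_NEG, 2, 16384));
    printf("zero: checked=%lld\n", (long long) blocksize_checked(ts, SHAPE_ZERO, 2, 16384));
    printf("ok:   checked=%lld\n", (long long) blocksize_checked(ts, SHAPE_OK, 2, 16384));
    return 0;
}
```

In the first two cases the 32-bit product equals the supplied block length even though the geometry is invalid, which is the condition a length-equality check alone cannot catch.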
