From 9f8f3279bec03a8925ec7d425bc8b57081f7a464 Mon Sep 17 00:00:00 2001
From: Gyorgy Sarvari
Date: Tue, 14 Oct 2025 16:55:29 +0200
Subject: [PATCH] hdf5: patch CVE-2025-6750

Details: https://nvd.nist.gov/vuln/detail/CVE-2025-6750

Pick the patch that is marked to resolve the issue linked in the nvd report.

Signed-off-by: Gyorgy Sarvari
Signed-off-by: Khem Raj
---
 .../files/0001-Fixes-CVE-2025-6750-5856.patch | 87 +++++++++++++++++++
 meta-oe/recipes-support/hdf5/hdf5_1.14.6.bb | 1 +
 2 files changed, 88 insertions(+)
 create mode 100644 meta-oe/recipes-support/hdf5/files/0001-Fixes-CVE-2025-6750-5856.patch
diff --git a/meta-oe/recipes-support/hdf5/files/0001-Fixes-CVE-2025-6750-5856.patch b/meta-oe/recipes-support/hdf5/files/0001-Fixes-CVE-2025-6750-5856.patch
new file mode 100644
index 0000000000..cf8687f010
--- /dev/null
+++ b/meta-oe/recipes-support/hdf5/files/0001-Fixes-CVE-2025-6750-5856.patch
@@ -0,0 +1,87 @@
+From 7159488b73fb429a78f79763f7b3775a3c160fad Mon Sep 17 00:00:00 2001
+From: bmribler <39579120+bmribler@users.noreply.github.com>
+Date: Fri, 26 Sep 2025 11:46:50 -0400
+Subject: [PATCH] Fixes CVE-2025-6750 (#5856)
+
+* Fixes CVE-2025-6750
+
+A heap buffer overflow occurred because an mtime message was not properly decoded, resulting in a buffer of size 0 being passed into the encoder.
+
+This PR added decoding for both old and new mtime messages which will allow invalid message size to be detected.
+
+Fixes #5549
+
+CVE: CVE-2025-6750
+Upstream-Status: Backport [https://github.com/HDFGroup/hdf5/commit/86149a098837a37b2513746e9baf84010f75fb54]
+
+Signed-off-by: Gyorgy Sarvari
+---
+ src/H5Ocache.c | 41 +++++++++++++++++++++++++++++++++++------
+ 1 file changed, 35 insertions(+), 6 deletions(-)
+
+diff --git a/src/H5Ocache.c b/src/H5Ocache.c
+index 12c30cf..e6095a7 100644
+--- a/src/H5Ocache.c
++++ b/src/H5Ocache.c
+@@ -1265,6 +1265,9 @@ H5O__chunk_deserialize(H5O_t *oh, haddr_t addr, size_t chunk_size, const uint8_t
+ if (mesg_size != H5O_ALIGN_OH(oh, mesg_size))
+ HGOTO_ERROR(H5E_OHDR, H5E_CANTLOAD, FAIL, "message not aligned");
+
++ if (H5_IS_BUFFER_OVERFLOW(chunk_image, mesg_size, p_end))
++ HGOTO_ERROR(H5E_OHDR, H5E_BADVALUE, FAIL, "message size exceeds buffer end");
++
+ /* Message flags */
+ if (H5_IS_BUFFER_OVERFLOW(chunk_image, 1, p_end))
+ HGOTO_ERROR(H5E_OHDR, H5E_OVERFLOW, FAIL, "ran off end of input buffer while decoding");
+@@ -1297,12 +1300,6 @@ H5O__chunk_deserialize(H5O_t *oh, haddr_t addr, size_t chunk_size, const uint8_t
+ }
+ }
+
+- /* Try to detect invalidly formatted object header message that
+- * extends past end of chunk.
+- */
+- if (chunk_image + mesg_size > eom_ptr)
+- HGOTO_ERROR(H5E_OHDR, H5E_CANTINIT, FAIL, "corrupt object header");
+-
+ /* Increment count of null messages */
+ if (H5O_NULL_ID == id)
+ nullcnt++;
+@@ -1449,6 +1446,38 @@ H5O__chunk_deserialize(H5O_t *oh, haddr_t addr, size_t chunk_size, const uint8_t
+ HGOTO_ERROR(H5E_OHDR, H5E_CANTSET, FAIL, "can't decode refcount");
+ oh->nlink = *refcount;
+ }
++ /* Check if message is an old mtime message */
++ else if (H5O_MTIME_ID == id) {
++ time_t *mtime = NULL;
++
++ /* Decode mtime message */
++ mtime =
++ (time_t *)(H5O_MSG_MTIME->decode)(udata->f, NULL, 0, &ioflags, mesg->raw_size, mesg->raw);
++
++ /* Save the decoded old format mtime */
++ if (!mtime)
++ HGOTO_ERROR(H5E_OHDR, H5E_CANTDECODE, FAIL, "can't decode old format mtime");
++
++ /* Save 'native' form of mtime message and its value */
++ mesg->native = mtime;
++ oh->ctime = *mtime;
++ }
++ /* Check if message is an new mtime message */
++ else if (H5O_MTIME_NEW_ID == id) {
++ time_t *mtime = NULL;
++
++ /* Decode mtime message */
++ mtime = (time_t *)(H5O_MSG_MTIME_NEW->decode)(udata->f, NULL, 0, &ioflags, mesg->raw_size,
++ mesg->raw);
++
++ /* Save the decoded new format mtime */
++ if (!mtime)
++ HGOTO_ERROR(H5E_OHDR, H5E_CANTDECODE, FAIL, "can't decode new format mtime");
++
++ /* Save 'native' form of mtime message and its value */
++ mesg->native = mtime;
++ oh->ctime = *mtime;
++ }
+ /* Check if message is a link message */
+ else if (H5O_LINK_ID == id) {
+ /* Increment the count of link messages */
diff --git a/meta-oe/recipes-support/hdf5/hdf5_1.14.6.bb b/meta-oe/recipes-support/hdf5/hdf5_1.14.6.bb
index 3ff96d7301..7d75f0e7dc 100644
--- a/meta-oe/recipes-support/hdf5/hdf5_1.14.6.bb
+++ b/meta-oe/recipes-support/hdf5/hdf5_1.14.6.bb
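Review bot: The relocated bounds check in the embedded H5Ocache.c patch's first hunk, `if (H5_IS_BUFFER_OVERFLOW(chunk_image, mesg_size, p_end))`, runs while `chunk_image` still points at the message-flags byte, whereas the check removed in the second hunk, `if (chunk_image + mesg_size > eom_ptr)`, was evaluated after the flags and any following per-message header bytes had been consumed and compared against the end-of-messages pointer rather than the image end. Measured from a few bytes earlier and against `p_end`, the new check is presumably weaker by exactly the size of those header bytes, and if `eom_ptr` can sit before `p_end` (a trailing gap or checksum region, say) a message whose data runs into that region is no longer rejected at this point; whether later decoding in H5O__chunk_deserialize, which starts and ends outside the hunk, still catches that is worth confirming before treating the backport as the complete fix. The two new mtime branches in the third hunk differ only in the message class and error string, and the comment `/* Check if message is an new mtime message */` should read `a new`; as this is a verbatim upstream backport, both are better raised upstream than edited in the recipe's patch file.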
@@ -19,6 +19,7 @@ SRC_URI = "https://support.hdfgroup.org/releases/hdf5/v1_14/v1_14_6/downloads/${
 file://0001-Refix-of-the-attempts-in-PR-5209-5722.patch \
 file://0001-Fix-CVE-2025-2924-5814.patch \
 file://0001-Fix-CVE-2025-2925-5739.patch \
+ file://0001-Fixes-CVE-2025-6750-5856.patch \
 "
 SRC_URI[sha256sum] = "e4defbac30f50d64e1556374aa49e574417c9e72c6b1de7a4ff88c4b1bea6e9b"