Skip to content

ticket #TSP-8629412 bug fix #3187

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 6,529 commits into from
Closed

ticket #TSP-8629412 bug fix #3187

wants to merge 6,529 commits into from

Conversation

@dkjsone
Copy link
Contributor

@dkjsone dkjsone commented Oct 17, 2025

A total of 8 vulnerabilities were fixed, including 5 integer overflows, 2 division-by-zero crashes, and 1 null pointer crash.

WardF and others added 30 commits December 18, 2024 16:17
@WardF
A more reasonable, simpler approach
23ed79a
@WardF
Allow error catching.
f9ce9e3
@WardF
Revert to hdf5 1.14.3
abfb2c4
@WardF
Add more diagnostic info
4b79492
@WardF
Additional cache checking.
2db3eb3
@WardF
Updated to remove custom mpich installation.
28478b3
@WardF
Following a hunch
636dc4a
@WardF
Update cache
4a82eb9
@WardF
Correct misuse of github runner variable.
4a26307
@WardF
Merge pull request Unidata#3052 from Unidata/v4.9.3-rc2-wellspring.wif
7a1417d 
v4.9.3-rc2 wellspring changes
@WardF
Merging in main branch.
e9ef44e
@WardF
Add job name to avoid namespace collision
6632468
@WardF
Correct logic to avoid a namespace conflict.
b48480f
@WardF
Merge pull request Unidata#3065 from WardF/update-artifact-action.wif
b84d4eb 
Update upload-artifact/download-artifact for github actions
@WardF
Merge branch 'main' of https://github.com/Unidata/netcdf-c into srcdir
6145523
@WardF
Merge pull request Unidata#3060 from opoplawski/srcdir
eac7d2a 
Fix out-of-tree builds generating netcdf_json.h and netcdf_proplist.h
@WardF
Update all-error-codes.md in support of Unidata#3072
b282699
@WardF
Remove final error code placeholder.
137ea36
@WardF
Merge pull request Unidata#3073 from WardF/gh3072-fix-error-codes.wif
4990485 
Update error code list.
@WardF
Add stanza so that autoconf-based log files artifacts are captured pa…
a1441d2 
…ss or fail.
@WardF
Correct indentation error.
bb85ee3
@WardF
Merge pull request Unidata#3074 from WardF/ac-artifacts.wif
7afe659 
Capture ac-based log artifacts
@WardF
Clean up a couple small things while I'm looking at them.
691b906
@WardF
Merge branch 'main' into tiny-cleanup.wif
fe0336e
@WardF
Avoid name conflict in artifact upload.
29d9021
@WardF
Merge pull request Unidata#3076 from WardF/tiny-cleanup.wif
d4b7ff6 
Clean up a couple small things while I'm looking at them.
@WardF
Update default chunk_cache_size in support of https://github.com/Unid…
3042579 
…ata/netcdf-c/3067
@WardF
Add cache fix to configure.ac
e314d0b
@WardF
Fix an error in the cygwin workflows
4ae8dfe
@WardF
Attempted fix for a cygwin artifact name collision
3ade8e8
DennisHeimbigner and others added 15 commits October 11, 2025 18:47
@DennisHeimbigner
nclist
e9f4c32
@DennisHeimbigner
alloc fix
e0ef3f3
@DennisHeimbigner
test10
3098520
@DennisHeimbigner
push1
64848f1
@DennisHeimbigner
test1
bd0743b
@DennisHeimbigner
test2
edee9bc
@DennisHeimbigner
ckp
371de07
@DennisHeimbigner
Fix the problems around ncdap_test/test_manyurls.c.
6cdc4cc 
## Primary Changes
1. The ncdap_test/test_manyurls.c build in ncdap_test/Makefile.am caused some makefile warnings. These were fixed.
2. Make the test program ncdap_test/test_manyurls.c be operable.
3. After 1 and 2, it turns out that the test case is probably useless, so disable it.

## Secondary Changes
1. Fix the fact that the --enable-dap-long-tests option was not generating a corresponding NETCDF_ENABLE_DAP_LONG_TESTS flag in config.h.
2. Add NETCDF_ENABLE_DAP_LONG_TESTS to config.h.cmake.in to make it visible.
3. Discovered and fixed an obscure error in libdispatch/nclist.c function nameed nclistsetalloc.
4. Add support for CURLOPT_VERBOSE (as an environment variable) to libsrc/httpio.c.
@DennisHeimbigner
test1
7dacee1
@DennisHeimbigner
unpush
97d6fc6
@DennisHeimbigner
Fix bug in ncdump when printing dimension FQN
3e36bed 
re: Issue Unidata#3184

When ncdump attempts to find a dimension's Fully Qualified Name (FQN),
it uses a two step process.
1. Search up the group tree starting at the group in which the dimension the referenced.
2. If not found, then do a breadth first search of the whole group tree looking for the dimension.

Once located, a FQN is constructed with respect to the group in which the dimension was found.

It turns out there was a bug in the ncdump function "searchgroupdim" such that it always returned the top level group as the one containing the dimension.
This, of course is erroneous for nested dimension.

So the "searchgroupdim" function was fixed to properly fail if the dimension was not actually in the root group.
@WardF
Merge pull request Unidata#3185 from DennisHeimbigner/dimidsearch.dmh
51a55bc 
Fix bug in ncdump when printing dimension FQN
@WardF
Merge branch 'main' into manyurls.dmh
5171dd6
@WardF
Merge pull request Unidata#3182 from DennisHeimbigner/manyurls.dmh
b5c9ba0 
Fix the problems around ncdap_test/test_manyurls.c.
@dkjsone
Merge branch 'main' into bugfix
4a42dae
@CLAassistant
Copy link

CLAassistant commented Oct 17, 2025
edited
Loading

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you all sign our Contributor License Agreement before we can accept your contribution.
4 out of 5 committers have signed the CLA.

✅ WardF
✅ Dave-Allured
✅ dkjsone
✅ DennisHeimbigner
❌ johnwparent
You have signed the CLA already but the status is still pending? Let us recheck it.

DennisHeimbigner
DennisHeimbigner reviewed Oct 17, 2025
View reviewed changes
Copy link
Collaborator

@DennisHeimbigner DennisHeimbigner left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This line and similar lines use size_t as a constant, but it fails in many cases.
What is the supposed value of size_t as a constant?

#define SIZE_MAX ((size_t)-1)

@DennisHeimbigner
Copy link
Collaborator

Can you please annotate the code changes to indicate what error they are fixing?

@dkjsone
Copy link
Contributor Author

dkjsone commented Oct 18, 2025

This line and similar lines use size_t as a constant, but it fails in many cases. What is the supposed value of size_t as a constant?

#define SIZE_MAX ((size_t)-1)

(size_t)-1 is used to obtain the platform-independent maximum value of size_t. On 32-bit systems, it is 0xFFFFFFFF, and on 64-bit systems, it is 0xFFFFFFFFFFFFFFFF.
Initially, I did not define this macro, and during Checks, the macOS platform encountered an issue of the macro being undefined. Therefore, I added this macro definition.

@dkjsone
Copy link
Contributor Author

dkjsone commented Oct 18, 2025

Can you please annotate the code changes to indicate what error they are fixing?

The changes I made to the code are relatively minor and quite similar, pertaining to routine security checks. I believe comments may not be strictly necessary in this case.
I have provided a detailed description of the issue and the reproduction method in this link. If there are any questions regarding the vulnerability, you can refer to this link for clarification.
https://support.unidata.ucar.edu/tickets/view/TSP-8629412

@WardF
Copy link
Member

WardF commented Oct 23, 2025

Hi @dkjsone, thanks for submitting this. I'm reviewing it now as well. In the meantime, do you mind accepting the CLA here so that we can clear that 'pending check'? Thanks!

@dkjsone
Copy link
Contributor Author

dkjsone commented Oct 24, 2025

Sorry, my mistake — I'm going to close this one and start over with a new pull request.

@dkjsone dkjsone closed this Oct 24, 2025
@dkjsone dkjsone deleted the bugfix branch October 24, 2025 08:45
@dkjsone
Copy link
Contributor Author

dkjsone commented Oct 24, 2025

Please review this new pull request.
#3191

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@DennisHeimbigner DennisHeimbigner DennisHeimbigner left review comments

@WardF WardF Awaiting requested review from WardF WardF is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.