Fix CVE-2025-2926

[bmribler]

An image size was corrupted and decoded as 0 resulting in a NULL image buffer, which caused a NULL pointer dereference when the image being copied to the buffer. This PR adds the image size check.

Fixes #5384

---

Important

Fixes CVE-2025-2926 by adding an image size check in H5O__cache_chk_get_initial_load_size() to prevent NULL pointer dereference.

• Security Fix:
  • Fixes CVE-2025-2926 by adding a check for image size in H5O__cache_chk_get_initial_load_size() in H5Ocache.c to prevent NULL pointer dereference.
• Documentation:
  • Updated CHANGELOG.md to include details of the fix for CVE-2025-2926.

^{This description was created by for eed45d8. You can customize this summary. It will automatically update as commits are pushed.}

[bmribler]

Umm, FYI, this PR only has the changes in H5Centry.c and RELEASE.txt. Sorry!

[derobins]

Should use hyphens in the name, like other CVE issues

[bmribler]

Hmm, I don't know how that happened. I always have hyphens... Thanks, Dana.

[derobins]

Why not make this a real error check instead of an assert?

[fortnern]

If H5C__decode_cache_image_header checks for overflow an assert is appropriate here. And if it doesn't, it should.

[bmribler]

This change was merged into this PR by accident and that was fixed now. I'll check out about H5C__decode_cache_image_header() and create another PR instead.

[bmribler]

This PR #5884 adds the missing overflow checks, @fortnern.

[fortnern]

Seems to me this should really be checked in the callbacks, and left as an assert here.

[fortnern]

Do you know why the callback is returning len=0 without returning an error?

[bmribler]

I fixed it and push the change soon

[fortnern]

See questions about get_initial_load_size returning len==0

[fortnern]

So the CVE is already fixed without this PR? I think the check in this PR should just be an assertion (unless there's some case where we really can't catch it before here)

[fortnern]

We should only do enough non-assert checking as is necessary to guarantee a consistent internal state. Additional checking should be in the form of assertions.

[bmribler]

@fortnern The assert was already put back in the commit I mentioned in #5841 (comment). Sorry, I forgot that I did.

[fortnern]

There is no assert in H5O__cache_chk_get_initial_load_size() currently and this PR adds an error check instead of an assert. Is there a reason you think this should not be an assert instead?

[fortnern]

Please change this to an assertion or explain why it needs to be an error check. My understanding is the CVE was fixed by a different PR that added the check in the appropriate place, correct? Did that PR add a Changelog.md note? If so, no need for this one.

[bmribler]

Hmm, I don't know how this entry got into my commit... I hope I didn't cause anything bad.

[fortnern]

It seems to already be in develop, hopefully it gets fixed when it's merged

[mattjala]

Unused variable is causing the -Werror builds to fail

/home/runner/work/hdf5/hdf5/src/H5Ocache.c:599:31: error: unused variable ‘ret_value’ [-Werror=unused-variable]
  599 |     herr_t                    ret_value = SUCCEED;
      |                               ^~~~~~~~~

[bmribler]

Unused variable is causing the -Werror builds to fail

/home/runner/work/hdf5/hdf5/src/H5Ocache.c:599:31: error: unused variable ‘ret_value’ [-Werror=unused-variable]
  599 |     herr_t                    ret_value = SUCCEED;
      |                               ^~~~~~~~~

I'll fix it. Thank you!

[lrknox]

Committed a conflict in CHANGELOG.md. Previously reviews and approvals by fortnern, glennsong09, and mattjala dismissed by the non-code commit. Will approve and merge as soon as tests pass.