CVE-2019-10672
Description
libmysofa before 0.7 has an integer overflow in treeRead() due to missing validation of multiplications and additions, leading to potential out-of-bounds write.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The vulnerability is in the treeRead function in hdf/btree.c of libmysofa versions before 0.7. The function fails to properly validate multiplications and additions when computing array indices, leading to integer overflow and potential out-of-bounds writes. The affected code handles 1D, 2D, and 3D data arrays. The fix was introduced in commit d39a171 [3] and released in version 0.7 [2]; the changes are visible in the comparison [1].
Exploitation
An attacker can exploit this by providing a crafted HDF file that triggers the vulnerable code path. No authentication or special privileges are required; the attacker only needs to supply the malicious file to an application using libmysofa. The missing bounds checks (e.g., if (j>=0 && j < elements * size)) were added in the fix [3].
Impact
Successful exploitation allows an attacker to write data outside the allocated buffer, causing memory corruption. This can lead to arbitrary code execution or denial of service, depending on the context. The vulnerability is considered a security issue with high severity.
Mitigation
The vulnerability is fixed in libmysofa version 0.7 [2]. Users should upgrade to this version or later. No workarounds are available for earlier versions. The fix includes proper bounds checking on the computed index [3].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Integer overflow in multiplication during index computation in treeRead allows out-of-bounds write."
Attack vector
An attacker supplies a crafted HDF file that triggers integer overflow during the index computation in `treeRead`. Because the original bounds checks (`x < sx`, `y < sy`, `z < sz`) were performed *before* the multiplication, a carefully chosen `size` or `b` value can cause `x * size + b` to wrap around to a small positive number, bypassing the subsequent bounds check and writing out-of-bounds into `data->data`. This can lead to heap corruption or information disclosure. [CWE-190]
Affected code
The vulnerability resides in `hdf/btree.c` within the `treeRead` function. The patch modifies three blocks that compute an index `j` used to write into `data->data` — the original code checked boundary variables (`x < sx`, `y < sy`, `z < sz`) *before* computing `j`, but the multiplication in `j = x * size + b` (and the higher-dimensional variants) could overflow before the bounds check was applied.
What the fix does
The patch moves the bounds check to *after* the index `j` is computed and changes the condition to `j>=0 && j < elements * size`. This ensures that even if the multiplication overflows, the resulting wrapped value will either be negative or exceed the valid range, causing the write to be skipped. The fix also removes the earlier checks on `x`, `y`, `z` which were insufficient to prevent overflow.
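As an added illustration (not libmysofa's code; the names `x`, `sx`, `size`, `b`, `elements` and `j` are borrowed from the description above, and the values are constructed), this C model contrasts the pre-fix coordinate check with the post-fix index check on the 1D case, showing why validating `x < sx` before the multiplication does not protect the computed index:

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Model (not libmysofa's code) of the 1D index computation described for
 * treeRead: j = x * size + b in int arithmetic. The product is formed in
 * 64 bits and truncated to 32 bits so the two's-complement wrap of the
 * original int code is reproduced without relying on signed-overflow UB. */
static int32_t wrap32(int64_t v) { return (int32_t)(uint32_t)v; }

/* The index as 32-bit int code would compute it. */
int32_t model_index(int32_t x, int32_t size, int32_t b) {
    return wrap32((int64_t)x * size + b);
}

/* Pre-fix shape: only the coordinate is validated (x < sx), then j is used.
 * Returns true when the write would proceed; *j_out is the index used. */
bool prefix_write_allowed(int32_t x, int32_t sx, int32_t size, int32_t b,
                          int32_t *j_out) {
    if (x < 0 || x >= sx)
        return false;                 /* coordinate check only */
    *j_out = model_index(x, size, b); /* can wrap, never checked */
    return true;
}

/* Post-fix shape: compute j first, then require 0 <= j < elements * size,
 * i.e. check the actual index against the allocated element count. */
bool fixed_write_allowed(int32_t x, int32_t size, int32_t b,
                         int32_t elements, int32_t *j_out) {
    *j_out = model_index(x, size, b);
    int32_t bound = wrap32((int64_t)elements * size);
    return *j_out >= 0 && *j_out < bound;
}

int main(void) {
    int32_t j;
    /* Constructed benign input: both versions accept, j = 29 < 32. */
    bool a = prefix_write_allowed(3, 4, 8, 5, &j);
    bool b = fixed_write_allowed(3, 8, 5, 4, &j);
    printf("benign: prefix=%d fixed=%d j=%d\n", a, b, j);
    /* Constructed wrapping input: x = 3 passes x < sx = 4, but
     * 3 * 0x40000000 exceeds INT32_MAX and wraps negative. */
    a = prefix_write_allowed(3, 4, 0x40000000, 5, &j);
    printf("wrap: prefix=%d j=%d (pre-fix code would write here)\n", a, j);
    b = fixed_write_allowed(3, 0x40000000, 5, 1, &j);
    printf("wrap: fixed=%d j=%d (write skipped)\n", b, j);
    return 0;
}
```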
Preconditions
- input: The attacker must provide a crafted HDF file that triggers integer overflow in the index computation within treeRead.
- config: The victim must open the malicious file using a version of libmysofa before 0.7.
Generated on Jun 1, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- usn.ubuntu.com/4033-1/ (Ubuntu vendor advisory)
- github.com/hoene/libmysofa/commit/d39a171e9c6a1c44dbdf43f9db6c3fbd887e38c1 (fix commit)
- github.com/hoene/libmysofa/compare/49aa1c7...2ed84bb (comparison)
- github.com/hoene/libmysofa/releases/tag/v0.7 (release)
News mentions
No linked articles in our index yet.