starred/qemu
1
0
Fork 0
mirror of https://github.com/qemu/qemu.git synced 2026-04-05 22:00:58 +00:00
Code Issues 380 Packages Projects Releases Wiki Activity

block/vmdk: fix OOB read in vmdk_read_extent()

Browse Source 
Bounds check for marker.size doesn't account for the 12-byte marker
header, allowing zlib to read past the allocated buffer.

Move the check inside the has_marker block and subtract the marker size.

Fixes: CVE-2026-2243
Reported-by: Halil Oktay (oblivionsage) <cookieandcream560@gmail.com>
Signed-off-by: Halil Oktay (oblivionsage) <cookieandcream560@gmail.com>
Reviewed-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
This commit is contained in:
Halil Oktay (oblivionsage)
2026-02-10 13:33:25 +01:00
committed by Kevin Wolf
parent 3fb456e9a0
commit cfda94eddb
1 changed files with 4 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
block/vmdk.c
View File

@@ -1951,10 +1951,10 @@ vmdk_read_extent(VmdkExtent *extent, int64_t cluster_offset,
marker = (VmdkGrainMarker *)cluster_buf;
compressed_data = marker->data;
data_len = le32_to_cpu(marker->size);
}
if (!data_len || data_len > buf_bytes) {
ret = -EINVAL;
goto out;
if (!data_len || data_len > buf_bytes - sizeof(VmdkGrainMarker)) {
ret = -EINVAL;
goto out;
}
}
ret = uncompress(uncomp_buf, &buf_len, compressed_data, data_len);
if (ret != Z_OK) {