>From d335821a1f814eb3059ab5e6a7cd771360b698c4 Mon Sep 17 00:00:00 2001
From: Oblivionsage <[email protected]>
Date: Tue, 10 Feb 2026 13:33:25 +0100
Subject: [PATCH] block/vmdk: fix OOB read in vmdk_read_extent()
To: [email protected]
Cc: [email protected], [email protected], [email protected], [email protected], [email protected]
Bounds check for marker.size doesn't account for the 12-byte marker header, allowing zlib to read past the allocated buffer. Move the check inside the has_marker block and subtract the marker size.

Fixes: CVE-2026-2243
Reported-by: Halil Oktay (oblivionsage) <[email protected]>
Signed-off-by: Halil Oktay (oblivionsage) <[email protected]>
---
 block/vmdk.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/block/vmdk.c b/block/vmdk.c
index 89e89cd10e..cd8b4ec7c8 100644
--- a/block/vmdk.c
+++ b/block/vmdk.c
@@ -1951,10 +1951,10 @@ vmdk_read_extent(VmdkExtent *extent, int64_t cluster_offset,
         marker = (VmdkGrainMarker *)cluster_buf;
         compressed_data = marker->data;
         data_len = le32_to_cpu(marker->size);
-    }
-    if (!data_len || data_len > buf_bytes) {
-        ret = -EINVAL;
-        goto out;
+        if (!data_len || data_len > buf_bytes - sizeof(VmdkGrainMarker)) {
+            ret = -EINVAL;
+            goto out;
+        }
     }
     ret = uncompress(uncomp_buf, &buf_len, compressed_data, data_len);
     if (ret != Z_OK) {
-- 
2.47.3
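Review bot: The new condition `data_len > buf_bytes - sizeof(VmdkGrainMarker)` is an unsigned subtraction, so if `buf_bytes` were ever smaller than the marker header it wraps to a huge value and any `data_len` passes, reintroducing the over-read the patch is fixing; `buf_bytes` is declared and sized outside the hunk (presumably from the extent's cluster size, which should be at least one sector), so the invariant is not visible here. I would make the guard self-contained rather than rely on it: `if (!data_len || buf_bytes < sizeof(VmdkGrainMarker) || data_len > buf_bytes - sizeof(VmdkGrainMarker)) {`. Moving the check inside the has_marker block also means the no-marker path is now unchecked, which is only sound if `data_len` is initialised to `buf_bytes` before the block as the context suggests; a comment such as `/* no marker: whole cluster is compressed payload, already bounded by buf_bytes */` after the closing brace would document that dependency. vmdk_read_extent begins and ends outside this hunk.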
