From: "Halil Oktay (oblivionsage)" <[email protected]>
Bounds check for marker.size doesn't account for the 12-byte marker header, allowing zlib to read past the allocated buffer. Move the check inside the has_marker block and subtract the marker size. Fixes: CVE-2026-2243 Reported-by: Halil Oktay (oblivionsage) <[email protected]> Signed-off-by: Halil Oktay (oblivionsage) <[email protected]> Reviewed-by: Kevin Wolf <[email protected]> Signed-off-by: Kevin Wolf <[email protected]> --- block/vmdk.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/block/vmdk.c b/block/vmdk.c index 89e89cd10e3..cd8b4ec7c88 100644 --- a/block/vmdk.c +++ b/block/vmdk.c @@ -1951,10 +1951,10 @@ vmdk_read_extent(VmdkExtent *extent, int64_t cluster_offset, marker = (VmdkGrainMarker *)cluster_buf; compressed_data = marker->data; data_len = le32_to_cpu(marker->size); - } - if (!data_len || data_len > buf_bytes) { - ret = -EINVAL; - goto out; + if (!data_len || data_len > buf_bytes - sizeof(VmdkGrainMarker)) { + ret = -EINVAL; + goto out; + } } ret = uncompress(uncomp_buf, &buf_len, compressed_data, data_len); if (ret != Z_OK) { -- 2.53.0
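Review bot: moving the "if (!data_len || data_len > buf_bytes)" check inside the has_marker block removes it from the no-marker path, and the hunk does not show what data_len holds there before the uncompress(uncomp_buf, &buf_len, compressed_data, data_len) call; the commit message should say why that path needs no bound (for instance that data_len there is already limited by buf_bytes), or a check on data_len should stay after the block. A second point on the same line: "buf_bytes - sizeof(VmdkGrainMarker)" is evaluated in unsigned arithmetic because sizeof yields size_t, so it wraps to a huge value if buf_bytes is smaller than the 12-byte header and the comparison then passes anything. Unless callers guarantee buf_bytes >= sizeof(VmdkGrainMarker), guard it explicitly, e.g. "if (buf_bytes < sizeof(VmdkGrainMarker) || !data_len || data_len > buf_bytes - sizeof(VmdkGrainMarker))".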
