
block/vmdk: fix OOB read in vmdk_read_extent()

Bounds check for marker.size doesn't account for the 12-byte marker
header, allowing zlib to read past the allocated buffer.

Move the check inside the has_marker block and subtract the marker size.

Fixes: CVE-2026-2243
Reported-by: Halil Oktay (oblivionsage) <cookieandcream560@gmail.com>
Signed-off-by: Halil Oktay (oblivionsage) <cookieandcream560@gmail.com>
Reviewed-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Halil Oktay (oblivionsage) 2 months ago
committed by Kevin Wolf
commit
cfda94eddb
block/vmdk.c
@ -1951,10 +1951,10 @@ vmdk_read_extent(VmdkExtent *extent, int64_t cluster_offset,
marker = (VmdkGrainMarker *)cluster_buf; marker = (VmdkGrainMarker *)cluster_buf;
compressed_data = marker->data; compressed_data = marker->data;
data_len = le32_to_cpu(marker->size); data_len = le32_to_cpu(marker->size);
} if (!data_len || data_len > buf_bytes - sizeof(VmdkGrainMarker)) {
if (!data_len || data_len > buf_bytes) { ret = -EINVAL;
ret = -EINVAL; goto out;
goto out; }
} }
ret = uncompress(uncomp_buf, &buf_len, compressed_data, data_len); ret = uncompress(uncomp_buf, &buf_len, compressed_data, data_len);
if (ret != Z_OK) { if (ret != Z_OK) {
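Review bot: moving the `if (!data_len || data_len > ...)` check up into the `has_marker` block means the non-marker path, whose `data_len` is assigned outside this hunk, is no longer covered by it, whereas before the hunk the check sat after the closing `}` and ran on both paths; please confirm that `data_len` on the non-marker path is bounded to `buf_bytes` elsewhere, or keep a separate `data_len > buf_bytes` check there. The new bound `buf_bytes - sizeof(VmdkGrainMarker)` also needs `buf_bytes >= sizeof(VmdkGrainMarker)` to hold, otherwise an unsigned subtraction wraps to a huge value and the check passes everything; if that is not already guaranteed by how `buf_bytes` is derived, an explicit `buf_bytes < sizeof(VmdkGrainMarker)` rejection before this line would make the intent visible. A short comment on the 12-byte header being excluded from the compressed payload length would also help the next reader, since the commit message explains it but the code does not.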
