[PATCH] jffs2: Fix integer underflow in jffs2_rtime_compress

The rtime compressor assumes that at least two bytes are compressed. If we try to compress just one byte, the loop condition will wrap around and an out-of-bounds write happens.

Cc: stable@vger.kernel.org Signed-off-by: Richard Weinberger richard@nod.at --- fs/jffs2/compr_rtime.c | 3 +++ 1 file changed, 3 insertions(+)

diff --git a/fs/jffs2/compr_rtime.c b/fs/jffs2/compr_rtime.c index 406d9cc84ba8..cbf700001fc9 100644 --- a/fs/jffs2/compr_rtime.c +++ b/fs/jffs2/compr_rtime.c @@ -39,6 +39,9 @@ static int jffs2_rtime_compress(unsigned char *data_in,

memset(positions,0,sizeof(positions));

+ if (*dstlen < 2) + return -1; + while (pos < (*sourcelen) && outpos <= (*dstlen)-2) { int backpos, runlen=0; unsigned char value;