On 2018/12/16 0:23, Richard Weinberger wrote:
The rtime compressor assumes that at least two bytes are compressed. If we try to compress just one byte, the loop condition will wrap around and an out-of-bounds write happens.
Cc: stable@vger.kernel.org
Signed-off-by: Richard Weinberger <richard@nod.at>

fs/jffs2/compr_rtime.c | 3 +++
1 file changed, 3 insertions(+)

It seems that it doesn't incur any harm because the minimal allocated size will be 8-bytes and jffs2_rtime_compress() will write 2-bytes into the allocated buffer.
diff --git a/fs/jffs2/compr_rtime.c b/fs/jffs2/compr_rtime.c index 406d9cc84ba8..cbf700001fc9 100644 --- a/fs/jffs2/compr_rtime.c +++ b/fs/jffs2/compr_rtime.c @@ -39,6 +39,9 @@ static int jffs2_rtime_compress(unsigned char *data_in, memset(positions,0,sizeof(positions));
- if (*dstlen < 2)
return -1;
- while (pos < (*sourcelen) && outpos <= (*dstlen)-2) { int backpos, runlen=0; unsigned char value;
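
Review bot: the "if (*dstlen < 2)" guard placed just before the while loop carries no comment explaining why 2 is the limit, and the commit message describes the trigger as compressing one byte while the check is made on the destination length *dstlen rather than on *sourcelen. A one-line comment above the check tying it to the "(*dstlen)-2" term in the loop condition, which the commit message says wraps around, would make the intent clear to later readers. The commit message would also be more precise if it said that the output buffer must have room for at least two bytes. The bare "return -1" appears to be meant as the could-not-compress result; if the function has other failure returns with that meaning, matching their style would help.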