jffs2: Prevent rtime decompress memory corruption
The rtime decompression routine does not fully check bounds during the
entirety of the decompression pass and can corrupt memory outside the
decompression buffer if the compressed data is corrupted. This adds the
required check to prevent this failure mode.

Cc: stable@vger.kernel.org
Signed-off-by: Kinsey Moore <kinsey.moore@oarcorp.com>
Signed-off-by: Richard Weinberger <richard@nod.at>
KinseyMoore authored and richardweinberger committed Nov 14, 2024
1 parent 7c8e694 commit fe05155
Showing 1 changed file with 3 additions and 0 deletions.
3 changes: 3 additions & 0 deletions fs/jffs2/compr_rtime.c
Expand Up @@ -95,6 +95,9 @@ static int jffs2_rtime_decompress(unsigned char *data_in,

positions[value]=outpos;
if (repeat) {
if ((outpos + repeat) >= destlen) {
return 1;
}
if (backoffs + repeat >= outpos) {
while(repeat) {
cpage_out[outpos++] = cpage_out[backoffs++];
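
Review bot: The added check `(outpos + repeat) >= destlen` looks one byte too strict. The copy loop under it writes `cpage_out[outpos++]` exactly `repeat` times, so the highest index written is `outpos + repeat - 1`, and a run that ends exactly at `destlen` still fits (assuming `destlen` is the size of `cpage_out`, which this hunk does not show). With `>=`, well-formed data whose last run fills the buffer to its final byte is rejected with `return 1`. Consider `if (outpos + repeat > destlen)` and a one-line comment saying the check bounds the run copy against the output buffer. The braces around the single `return 1;` can also be dropped per kernel coding style.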