From patchwork Thu Jun 24 13:02:40 2010
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Enrico Scholz <enrico.scholz@sigma-chemnitz.de>
X-Patchwork-Id: 56788
Return-Path: 
 <linux-mtd-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Received: from bombadil.infradead.org (bombadil.infradead.org [18.85.46.34])
	(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
	(Client did not present a certificate)
	by ozlabs.org (Postfix) with ESMTPS id 51D62B6F16
	for <incoming@patchwork.ozlabs.org>;
	Thu, 24 Jun 2010 23:11:16 +1000 (EST)
Received: from localhost ([::1] helo=bombadil.infradead.org)
	by bombadil.infradead.org with esmtp (Exim 4.72 #1 (Red Hat Linux))
	id 1ORmAc-0008Ol-GE; Thu, 24 Jun 2010 13:08:42 +0000
Received: from mail.cvg.de ([62.153.82.30])
	by bombadil.infradead.org with esmtps (Exim 4.72 #1 (Red Hat Linux))
	id 1ORmAY-0008No-Ds
	for linux-mtd@lists.infradead.org; Thu, 24 Jun 2010 13:08:39 +0000
Received: from ensc-virt.intern.sigma-chemnitz.de
	(ensc-virt.intern.sigma-chemnitz.de [192.168.3.24])
	by mail.cvg.de (8.14.3/8.14.3) with ESMTP id o5OD8MpR028344
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO)
	for <linux-mtd@lists.infradead.org>; Thu, 24 Jun 2010 15:08:23 +0200
Received: from ensc by ensc-virt.intern.sigma-chemnitz.de with local (Exim
	4.72) (envelope-from <ensc@sigma-chemnitz.de>) id 1ORmAI-00042y-4y
	for linux-mtd@lists.infradead.org; Thu, 24 Jun 2010 15:08:22 +0200
Resent-To: linux-mtd@lists.infradead.org
Resent-From: Enrico Scholz <enrico.scholz@sigma-chemnitz.de>
Resent-Date: Thu, 24 Jun 2010 15:08:22 +0200
Resent-Message-ID: <lytyoso9x5.fsf@ensc-virt.intern.sigma-chemnitz.de>
Received: from mail.cvg.de (mail.cvg.de [62.153.82.30])
	by mailbox.sigma-chemnitz.de (Cyrus v2.3.16-2.sigma) with LMTPA;
	Thu, 24 Jun 2010 15:02:52 +0200
X-Sieve: CMU Sieve 2.3
X-Envelope-From: ensc@sigma-chemnitz.de
Received: from ensc-virt.intern.sigma-chemnitz.de
	(ensc-virt.intern.sigma-chemnitz.de [192.168.3.24])
	by mail.cvg.de (8.14.3/8.14.3) with ESMTP id o5OD2gVv027103
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO);
	Thu, 24 Jun 2010 15:02:42 +0200
Received: from ensc by ensc-virt.intern.sigma-chemnitz.de with local (Exim
	4.72) (envelope-from <ensc@sigma-chemnitz.de>)
	id 1ORm4o-0003zk-88; Thu, 24 Jun 2010 15:02:42 +0200
From: Enrico Scholz <enrico.scholz@sigma-chemnitz.de>
To: inux-mtd@lists.infradead.org
Subject: [PATCH/mtd-utils] fix integer underflow in jffs2_rtime_compress()
Date: Thu, 24 Jun 2010 15:02:40 +0200
Message-Id: 
 <1277384560-15329-1-git-send-email-enrico.scholz@sigma-chemnitz.de>
X-Mailer: git-send-email 1.7.0.1
X-Spam-Score: -2.7
X-Spam-Score: -1.4
X-Spam-Level: --
X-Spam-Level: -
X-Spam-Tests: AWL,BAYES_00,RCVD_IN_DNSWL_MED,SPF_NEUTRAL,T_RP_MATCHES_RCVD
X-Spam-Tests: AWL,BAYES_00,SPF_NEUTRAL,T_RP_MATCHES_RCVD
X-Scanned-By: MIMEDefang 2.68 on 62.153.82.30
X-Scanned-By: MIMEDefang 2.68 on 62.153.82.30
Resent-Sender: Enrico Scholz <enrico.scholz@sigma-chemnitz.de>
X-CRM114-Version: 20090807-BlameThorstenAndJenny ( TRE 0.7.6 (BSD) )
	MR-646709E3
X-CRM114-CacheID: sfid-20100624_090838_808610_40E9EFA9 
X-CRM114-Status: GOOD (  10.28  )
X-Spam-Score: -2.3 (--)
X-Spam-Report: SpamAssassin version 3.3.1 on bombadil.infradead.org summary:
	Content analysis details:   (-2.3 points)
	pts rule name              description
	---- ----------------------
	--------------------------------------------------
	-2.3 RCVD_IN_DNSWL_MED RBL: Sender listed at http://www.dnswl.org/,
	medium trust [62.153.82.30 listed in list.dnswl.org]
Cc: Artem.Bityutskiy@nokia.com,
	Enrico Scholz <enrico.scholz@sigma-chemnitz.de>
X-BeenThere: linux-mtd@lists.infradead.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Linux MTD discussion mailing list <linux-mtd.lists.infradead.org>
List-Unsubscribe: <http://lists.infradead.org/mailman/options/linux-mtd>,
	<mailto:linux-mtd-request@lists.infradead.org?subject=unsubscribe>
List-Archive: <http://lists.infradead.org/pipermail/linux-mtd/>
List-Post: <mailto:linux-mtd@lists.infradead.org>
List-Help: <mailto:linux-mtd-request@lists.infradead.org?subject=help>
List-Subscribe: <http://lists.infradead.org/mailman/listinfo/linux-mtd>,
	<mailto:linux-mtd-request@lists.infradead.org?subject=subscribe>
MIME-Version: 1.0
Sender: linux-mtd-bounces@lists.infradead.org
Errors-To: linux-mtd-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org

When '*dstlen' is 0 or 1, comparison will return wrong result.  Reported
by valgrind as

==5919== Invalid write of size 1
==5919==    at 0x40564E: jffs2_rtime_compress (compr_rtime.c:51)
==5919==    by 0x40676B: jffs2_compress (compr.c:246)
==5919==    by 0x403EE4: recursive_populate_directory (mkfs.jffs2.c:884)
==5919==  Address 0x4e1bdb1 is 0 bytes after a block of size 1 alloc'd
==5919==    at 0x4A0515D: malloc (vg_replace_malloc.c:195)
==5919==    by 0x40671C: jffs2_compress (compr.c:229)
==5919==    by 0x403EE4: recursive_populate_directory (mkfs.jffs2.c:884)

Signed-off-by: Enrico Scholz <enrico.scholz@sigma-chemnitz.de>
---
 compr_rtime.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/compr_rtime.c b/compr_rtime.c
index 131536c..5613963 100644
--- a/compr_rtime.c
+++ b/compr_rtime.c
@@ -32,7 +32,7 @@ static int jffs2_rtime_compress(unsigned char *data_in, unsigned char *cpage_out
 
 	memset(positions,0,sizeof(positions));
 
-	while (pos < (*sourcelen) && outpos <= (*dstlen)-2) {
+	while (pos < (*sourcelen) && outpos+2 <= (*dstlen)) {
 		int backpos, runlen=0;
 		unsigned char value;