Commit aadf96ea authored by Richard Weinberger's avatar Richard Weinberger Committed by Yongjian Sun
Browse files

jffs2: Fix rtime decompressor 

mainline inclusion
from mainline-v6.12-rc3
commit b29bf7119d6bbfd04aabb8d82b060fe2a33ef890
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBHWWI
CVE: CVE-2024-57850

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b29bf7119d6bbfd04aabb8d82b060fe2a33ef890



--------------------------------

The fix for a memory corruption contained a off-by-one error and
caused the compressor to fail in legit cases.

Cc: Kinsey Moore <kinsey.moore@oarcorp.com>
Cc: stable@vger.kernel.org
Fixes: fe051552f5078 ("jffs2: Prevent rtime decompress memory corruption")
Signed-off-by: default avatarRichard Weinberger <richard@nod.at>
Signed-off-by: default avatarYongjian Sun <sunyongjian1@huawei.com>
parent 9aa81fd4

fs/jffs2/compr_rtime.c

+1 −1
Original line number Diff line number Diff line
@@ -95,7 +95,7 @@ static int jffs2_rtime_decompress(unsigned char *data_in, 


		positions[value]=outpos;

		if (repeat) {

			if ((outpos + repeat) >= destlen) {

			if ((outpos + repeat) > destlen) {

				return 1;

			}

			if (backoffs + repeat >= outpos) {