On 2018/12/16 0:23, Richard Weinberger wrote:
> The rtime compressor assumes that at least two bytes are
> compressed.
> If we try to compress just one byte, the loop condition will
> wrap around and an out-of-bounds write happens.
>
> Cc: <stable@xxxxxxxxxxxxxxx>
> Signed-off-by: Richard Weinberger <richard@xxxxxx>
> ---
> fs/jffs2/compr_rtime.c | 3 +++
> 1 file changed, 3 insertions(+)
>

It seems that it doesn't incur any harm because the minimal allocated size will be 8 bytes and jffs2_rtime_compress() will write 2 bytes into the allocated buffer.

> diff --git a/fs/jffs2/compr_rtime.c b/fs/jffs2/compr_rtime.c
> index 406d9cc84ba8..cbf700001fc9 100644
> --- a/fs/jffs2/compr_rtime.c
> +++ b/fs/jffs2/compr_rtime.c
> @@ -39,6 +39,9 @@ static int jffs2_rtime_compress(unsigned char *data_in,
>
> memset(positions,0,sizeof(positions));
>
> + if (*dstlen < 2)
> + return -1;
> +
> while (pos < (*sourcelen) && outpos <= (*dstlen)-2) {
> int backpos, runlen=0;
> unsigned char value;
>
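Review bot: the guard added before the loop checks only `*dstlen`, but the commit message describes the problem in terms of the number of input bytes; since the expression that wraps is `outpos <= (*dstlen)-2`, the message should say that it is the output buffer length that underflows when it is 0 or 1, and state whether a short `*sourcelen` needs its own check. An alternative worth considering is to rewrite the loop condition as `outpos + 2 <= *dstlen`, which removes the unsigned subtraction and makes the early return unnecessary; if the early return is kept, a one-line comment explaining why 2 is the minimum would help the next reader.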