cpukit/libfs/jffs2: Prevent memory corruption due to corrupted data

The rtime decompression routine does not fully check bounds during the entirety of the decompression pass and can corrupt memory outside the decompression buffer if the compressed data is corrupted. This adds the required check to prevent this failure mode. Updates #5072
2025-12-26 14:18:20 +00:00 · 2024-07-23 08:30:45 -05:00
parent a5f64ff27d
commit 83c1a305f7
1 changed files with 5 additions and 0 deletions
--- a/cpukit/libfs/src/jffs2/src/compr_rtime.c
+++ b/cpukit/libfs/src/jffs2/src/compr_rtime.c
@@ -113,6 +113,11 @@ int rtems_jffs2_compressor_rtime_decompress(

 		positions[value]=outpos;
 		if (repeat) {
+#ifdef __rtems__
+			if ((repeat + outpos) >= destlen) {
+				return 1;
+			}
+#endif
 			if (backoffs + repeat >= outpos) {
 				while(repeat) {
 					cpage_out[outpos++] = cpage_out[backoffs++];