mkfs.jffs2 aborts with MALLOC_CHECK_=2 on x86_64
Stefan Seyfried
seife at suse.de
Sun Mar 8 12:46:10 EDT 2009
On Fri, Jan 16, 2009 at 10:47:29PM +0100, Stefan Seyfried wrote:
> Hi,
>
> current mtd-utils' mkfs.jffs2 aborts on me:
> seife at stoetzler:~> /dev/shm/mtd-utils/mkfs.jffs2 -L
> mkfs.jffs2:
> lzo priority:80 disabled
> zlib priority:60 enabled
> rtime priority:50 enabled
>
> seife at stoetzler:~> MALLOC_CHECK_=2 /dev/shm/mtd-utils/mkfs.jffs2 -U -b -e
> 131072 -p -r . -o /tmp/img.jffs2
> Aborted
> I looked around and found out that it happens, when both enabled compressors
> return -1 in compr.c line 246, and then the free in line 258 aborts.
>
> doing
>
> #define STREAM_END_SPACE 20
>
> instead of the default of 12 in compr_zlib.c fixes it for me. However, I'm
> neither shure if this has any bad side effects, nor _why_ it fixes it.
> My host is 64bits (x86_64), maybe this is affecting the buffer sizes or
> something like that.
> Hope this is helpful.
valgrind was much more helpful than gdb in this case.
I'm pretty sure it's an integer underflow: it happens when
jffs2_rtime_compress is called with *dstlen = 1
The same in compr_zlib has not triggered for me yet, but is probably
worth fixing anyway.
diff --git a/compr_rtime.c b/compr_rtime.c
index 131536c..7353024 100644
--- a/compr_rtime.c
+++ b/compr_rtime.c
@@ -32,7 +32,7 @@ static int jffs2_rtime_compress(unsigned char *data_in, unsigned char *cpage_out
memset(positions,0,sizeof(positions));
- while (pos < (*sourcelen) && outpos <= (*dstlen)-2) {
+ while (pos < (*sourcelen) && outpos+2 <= *dstlen) {
int backpos, runlen=0;
unsigned char value;
diff --git a/compr_zlib.c b/compr_zlib.c
index 400b18a..eb415b9 100644
--- a/compr_zlib.c
+++ b/compr_zlib.c
@@ -71,7 +71,7 @@ int jffs2_zlib_compress(unsigned char *data_in, unsigned char *cpage_out,
strm.next_out = cpage_out;
strm.total_out = 0;
- while (strm.total_out < *dstlen - STREAM_END_SPACE && strm.total_in < *sourcelen) {
+ while (strm.total_out + STREAM_END_SPACE < *dstlen && strm.total_in < *sourcelen) {
strm.avail_out = *dstlen - (strm.total_out + STREAM_END_SPACE);
strm.avail_in = min((unsigned)(*sourcelen-strm.total_in), strm.avail_out);
ret = deflate(&strm, Z_PARTIAL_FLUSH);
--
Stefan Seyfried
R&D Team Mobile Devices | "Any ideas, John?"
SUSE LINUX Products GmbH, Nürnberg | "Well, surrounding them's out."
This footer brought to you by insane German lawmakers:
SUSE Linux Products GmbH, GF: Markus Rex, HRB 16746 (AG Nürnberg)
More information about the linux-mtd
mailing list