From: Charles Manning <cdhmanning@gmail.com>
Date: Thu, 1 Jul 2010 22:33:26 +0000 (+1200)
Subject: yaffs Fix scan problem for corrupted tags
X-Git-Tag: pre-name-change~44
X-Git-Url: http://www.aleph1.co.uk/gitweb/?p=yaffs2.git;a=commitdiff_plain;h=25f6e492e7010f585367a4f6abf4d2e17c5c0e1a

yaffs Fix scan problem for corrupted tags

Check that the tags are within reasonable bounds. Without this, subsequent
checks can fail causing a mount failure.

Signed-off-by: Charles Manning <cdhmanning@gmail.com>
---

diff --git a/yaffs_guts.h b/yaffs_guts.h
index ca18503..c6e49c4 100644
--- a/yaffs_guts.h
+++ b/yaffs_guts.h
@@ -52,7 +52,6 @@
 
 #define YAFFS_MAX_CHUNK_ID		0x000FFFFF
 
-#define YAFFS_UNUSED_OBJECT_ID		0x0003FFFF
 
 #define YAFFS_ALLOCATION_NOBJECTS	100
 #define YAFFS_ALLOCATION_NTNODES	100
@@ -62,6 +61,7 @@
 
 
 #define YAFFS_OBJECT_SPACE		0x40000
+#define YAFFS_MAX_OBJECT_ID		(YAFFS_OBJECT_SPACE -1)
 
 #define YAFFS_CHECKPOINT_VERSION 	4
 
diff --git a/yaffs_yaffs2.c b/yaffs_yaffs2.c
index 40d9771..90646fd 100644
--- a/yaffs_yaffs2.c
+++ b/yaffs_yaffs2.c
@@ -1130,6 +1130,15 @@ int yaffs2_ScanBackwards(yaffs_Device *dev)
 
 				  dev->nFreeChunks++;
 
+			} else if (tags.objectId > YAFFS_MAX_OBJECT_ID ||
+				tags.chunkId > YAFFS_MAX_CHUNK_ID ||
+				(tags.chunkId > 0 && tags.byteCount > dev->nDataBytesPerChunk)) {
+				T(YAFFS_TRACE_SCAN,
+				  (TSTR("Chunk (%d:%d) with bad tags:obj = %d, chunkId = %d, byteCount = %d, ignored"TENDSTR),
+				  blk, c,tags.objectId, tags.chunkId, tags.byteCount));
+
+				  dev->nFreeChunks++;
+
 			} else if (tags.chunkId > 0) {
 				/* chunkId > 0 so it is a data chunk... */
 				unsigned int endpos;