cramfs segfault bug

Found in cramfsck.c of the cramfs project (http://cramfs.sourceforge.net/), version 1.1.

Line 355 of cramfsck.c is:

die(FSCK_UNCORRECTED, 0, "decompression error %p(%d): %s",
zError(err), src, len);

Must be:

die(FSCK_UNCORRECTED, 0, "decompression error %p(%d): %s",
src, len, zError(err));

With the arguments in the wrong order, %p is handed the zError() string pointer, %d is handed src, and %s is handed len (an int), which the C library dereferences as a char pointer. The message therefore prints whatever happens to sit at that address, or the program segfaults. Arbitrary memory dump :)
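As an added example (not cramfsck's own code): a stand-in for die() that formats into a buffer and is declared with the compiler's printf format attribute, so that the argument-order mistake above is reported at compile time instead of being found at runtime. The names die_fmt and report_decompress_error and the sample buffer are assumptions made for this example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for cramfsck's die(): it formats into a
 * caller-supplied buffer instead of printing and exiting, so the result
 * can be inspected. The format attribute tells gcc/clang that argument 3
 * is a printf-style format and the variadic arguments start at 4, so
 * -Wformat (enabled by -Wall) checks every call site against the
 * conversion specifiers. */
static void die_fmt(char *out, size_t outsz, const char *fmt, ...)
    __attribute__((format(printf, 3, 4)));

static void die_fmt(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, outsz, fmt, ap);
    va_end(ap);
}

/* Correct argument order: %p <- src, %d <- len, %s <- error text. */
static const char *report_decompress_error(char *out, size_t outsz,
                                           const void *src, int len,
                                           const char *zerr)
{
    die_fmt(out, outsz, "decompression error %p(%d): %s", src, len, zerr);
    return out;
}

/* The ordering from cramfsck.c 1.1 would read:
 *   die_fmt(out, outsz, "decompression error %p(%d): %s", zerr, src, len);
 * With the attribute above, gcc -Wall warns that %d receives a pointer
 * and that %s receives an int. Without the attribute the call compiles
 * silently and %s dereferences len at runtime. */

int main(void)
{
    char buf[128];
    unsigned char blob[4] = {0x78, 0x9c, 0x00, 0x00}; /* constructed sample */
    puts(report_decompress_error(buf, sizeof buf, blob, (int)sizeof blob,
                                 "invalid block type"));
    return 0;
}
```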

Update: the Linux kernel's own cramfs implementation does not appear to be affected; its error path passes the arguments in the right order:

printk("ZLIB Error %d while decompressing!\n", err);
printk("%p(%d)->%p(%d)\n", src, srclen, dst, dstle


Posted at BinaryCell
