[PATCH] tdfxfb: Fix buffer overrun

The pseudo_palette has room only for 16 entries, but tdfxfb_setcolreg may attempt to write more. Coverity Bug 557 Signed-off-by: Antonino Daplas <adaplas@pol.net> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>

[PATCH] tdfxfb: Fix buffer overrun
The pseudo_palette has room only for 16 entries, but tdfxfb_setcolreg may attempt to write more. Coverity Bug 557 Signed-off-by: Antonino Daplas <adaplas@pol.net> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
54243cef · Antonino A. Daplas · Linus Torvalds · d3015247 · 54243cef
Commit 54243cef authored Mar 11, 2006 by Antonino A. Daplas Committed by Linus Torvalds Mar 11, 2006
Show whitespace changes
Inline Side-by-side

Showing with 23 additions and 19 deletions

drivers/video/tdfxfb.c drivers/video/tdfxfb.c +23 -19

No files found.
--- a/drivers/video/tdfxfb.c
+++ b/drivers/video/tdfxfb.c
@@ -794,6 +794,7 @@ static int tdfxfb_setcolreg(unsigned regno, unsigned red, unsigned green,
 		break;
 	/* Truecolor has no hardware color palettes. */
 	case FB_VISUAL_TRUECOLOR:
+		if (regno < 16) {
 			rgbcol = (CNVT_TOHW( red, info->var.red.length) <<
 				  info->var.red.offset) |
 				(CNVT_TOHW( green, info->var.green.length) <<
@@ -803,11 +804,14 @@ static int tdfxfb_setcolreg(unsigned regno, unsigned red, unsigned green,
 				(CNVT_TOHW( transp, info->var.transp.length) <<
 				 info->var.transp.offset);
 			par->palette[regno] = rgbcol;
+		}
 		break;
 	default:
 		DPRINTK("bad depth %u\n", info->var.bits_per_pixel);
 		break;
 	}
 	return 0;
 }