Commit 54243cef authored by Antonino A. Daplas's avatar Antonino A. Daplas Committed by Linus Torvalds

[PATCH] tdfxfb: Fix buffer overrun

The pseudo_palette has room only for 16 entries, but tdfxfb_setcolreg may
attempt to write more.

Coverity Bug 557
Signed-off-by: default avatarAntonino Daplas <adaplas@pol.net>
Signed-off-by: default avatarAndrew Morton <akpm@osdl.org>
Signed-off-by: default avatarLinus Torvalds <torvalds@osdl.org>
parent d3015247
...@@ -786,28 +786,32 @@ static int tdfxfb_setcolreg(unsigned regno, unsigned red, unsigned green, ...@@ -786,28 +786,32 @@ static int tdfxfb_setcolreg(unsigned regno, unsigned red, unsigned green,
if (regno >= info->cmap.len || regno > 255) return 1; if (regno >= info->cmap.len || regno > 255) return 1;
switch (info->fix.visual) { switch (info->fix.visual) {
case FB_VISUAL_PSEUDOCOLOR: case FB_VISUAL_PSEUDOCOLOR:
rgbcol =(((u32)red & 0xff00) << 8) | rgbcol =(((u32)red & 0xff00) << 8) |
(((u32)green & 0xff00) << 0) | (((u32)green & 0xff00) << 0) |
(((u32)blue & 0xff00) >> 8); (((u32)blue & 0xff00) >> 8);
do_setpalentry(par, regno, rgbcol); do_setpalentry(par, regno, rgbcol);
break; break;
/* Truecolor has no hardware color palettes. */ /* Truecolor has no hardware color palettes. */
case FB_VISUAL_TRUECOLOR: case FB_VISUAL_TRUECOLOR:
if (regno < 16) {
rgbcol = (CNVT_TOHW( red, info->var.red.length) << rgbcol = (CNVT_TOHW( red, info->var.red.length) <<
info->var.red.offset) | info->var.red.offset) |
(CNVT_TOHW( green, info->var.green.length) << (CNVT_TOHW( green, info->var.green.length) <<
info->var.green.offset) | info->var.green.offset) |
(CNVT_TOHW( blue, info->var.blue.length) << (CNVT_TOHW( blue, info->var.blue.length) <<
info->var.blue.offset) | info->var.blue.offset) |
(CNVT_TOHW( transp, info->var.transp.length) << (CNVT_TOHW( transp, info->var.transp.length) <<
info->var.transp.offset); info->var.transp.offset);
par->palette[regno] = rgbcol; par->palette[regno] = rgbcol;
break; }
default:
DPRINTK("bad depth %u\n", info->var.bits_per_pixel); break;
break; default:
DPRINTK("bad depth %u\n", info->var.bits_per_pixel);
break;
} }
return 0; return 0;
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment