commit 54243cefdd3ab8133ebe7d3d705f35ca1d0b59eb · tjh.dev/kernel

tjh.dev / kernel

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

[PATCH] tdfxfb: Fix buffer overrun

The pseudo_palette has room only for 16 entries, but tdfxfb_setcolreg may
attempt to write more.

Coverity Bug 557

Signed-off-by: Antonino Daplas <adaplas@pol.net>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>

authored by Antonino A. Daplas and committed by Linus Torvalds 20 years ago 54243cef d3015247

+23 -19

1 changed file

expand all

unified split

drivers

video

tdfxfb.c

+23 -19

drivers/video/tdfxfb.c

··· 786 if (regno >= info->cmap.len || regno > 255) return 1; 787 788 switch (info->fix.visual) { 789 - case FB_VISUAL_PSEUDOCOLOR: 790 - rgbcol =(((u32)red & 0xff00) << 8) | 791 - (((u32)green & 0xff00) << 0) | 792 - (((u32)blue & 0xff00) >> 8); 793 - do_setpalentry(par, regno, rgbcol); 794 - break; 795 - /* Truecolor has no hardware color palettes. */ 796 - case FB_VISUAL_TRUECOLOR: 797 rgbcol = (CNVT_TOHW( red, info->var.red.length) << 798 info->var.red.offset) | 799 - (CNVT_TOHW( green, info->var.green.length) << 800 - info->var.green.offset) | 801 - (CNVT_TOHW( blue, info->var.blue.length) << 802 - info->var.blue.offset) | 803 - (CNVT_TOHW( transp, info->var.transp.length) << 804 - info->var.transp.offset); 805 - par->palette[regno] = rgbcol; 806 - break; 807 - default: 808 - DPRINTK("bad depth %u\n", info->var.bits_per_pixel); 809 - break; 810 } 811 return 0; 812 } 813

··· 786 if (regno >= info->cmap.len || regno > 255) return 1; 787 788 switch (info->fix.visual) { 789 + case FB_VISUAL_PSEUDOCOLOR: 790 + rgbcol =(((u32)red & 0xff00) << 8) | 791 + (((u32)green & 0xff00) << 0) | 792 + (((u32)blue & 0xff00) >> 8); 793 + do_setpalentry(par, regno, rgbcol); 794 + break; 795 + /* Truecolor has no hardware color palettes. */ 796 + case FB_VISUAL_TRUECOLOR: 797 + if (regno < 16) { 798 rgbcol = (CNVT_TOHW( red, info->var.red.length) << 799 info->var.red.offset) | 800 + (CNVT_TOHW( green, info->var.green.length) << 801 + info->var.green.offset) | 802 + (CNVT_TOHW( blue, info->var.blue.length) << 803 + info->var.blue.offset) | 804 + (CNVT_TOHW( transp, info->var.transp.length) << 805 + info->var.transp.offset); 806 + par->palette[regno] = rgbcol; 807 + } 808 + 809 + break; 810 + default: 811 + DPRINTK("bad depth %u\n", info->var.bits_per_pixel); 812 + break; 813 } 814 + 815 return 0; 816 } 817