[PATCH] neofb: Fix pseudo_palette array overrun in neofb_setcolreg

[Antonino A. Daplas]

The pseudo_palette has room for 16 entries only, but in truecolor mode, it
attempts to write 256.

Signed-off-by: Antonino Daplas <adaplas@xxxxxxxxx>
Acked-by: Tero Roponen <teanropo@xxxxxx>
---

Tero Roponen wrote:
> On Thu, 31 May 2007, Antonino A. Daplas wrote:
> 
>> On Wed, 2007-05-30 at 19:33 -0700, Linus Torvalds wrote:
>>> On Tue, 29 May 2007, Michal Piotrowski wrote:
>>>> TTY
>>>>
>>>> Subject    : tty-related oops in latest kernel(s)
>>>> References : http://lkml.org/lkml/2007/5/27/104
>>>> Submitter  : Tero Roponen <teanropo@xxxxxx>
>>>> Status     : problem is being debugged
>>> People seem to have debugged this to neofb palette handling, but I haven't 
>>> seen a patch. Antonino?
>>>
>> Already posted one for testing. I'm waiting for Tero to confirm.
>>
>> Tony
>>
> 
> Ok, I tested all the cases I have reported: no corruption
> and nothing in slabinfo -v. This seems to be the right fix.
> 

Okay, thanks for testing.

Tony

 drivers/video/neofb.c |   30 ++++++++++++++++--------------
 1 files changed, 16 insertions(+), 14 deletions(-)

diff --git a/drivers/video/neofb.c b/drivers/video/neofb.c
index bd30aba..731d7a5 100644
--- a/drivers/video/neofb.c
+++ b/drivers/video/neofb.c
@@ -1286,34 +1286,36 @@ static int neofb_setcolreg(u_int regno, 
 	if (regno >= fb->cmap.len || regno > 255)
 		return -EINVAL;
 
-	switch (fb->var.bits_per_pixel) {
-	case 8:
+	if (fb->var.bits_per_pixel <= 8) {
 		outb(regno, 0x3c8);
 
 		outb(red >> 10, 0x3c9);
 		outb(green >> 10, 0x3c9);
 		outb(blue >> 10, 0x3c9);
-		break;
-	case 16:
-		((u32 *) fb->pseudo_palette)[regno] =
+	} else if (regno < 16) {
+		switch (fb->var.bits_per_pixel) {
+		case 16:
+			((u32 *) fb->pseudo_palette)[regno] =
 				((red & 0xf800)) | ((green & 0xfc00) >> 5) |
 				((blue & 0xf800) >> 11);
-		break;
-	case 24:
-		((u32 *) fb->pseudo_palette)[regno] =
+			break;
+		case 24:
+			((u32 *) fb->pseudo_palette)[regno] =
 				((red & 0xff00) << 8) | ((green & 0xff00)) |
 				((blue & 0xff00) >> 8);
-		break;
+			break;
 #ifdef NO_32BIT_SUPPORT_YET
-	case 32:
-		((u32 *) fb->pseudo_palette)[regno] =
+		case 32:
+			((u32 *) fb->pseudo_palette)[regno] =
 				((transp & 0xff00) << 16) | ((red & 0xff00) << 8) |
 				((green & 0xff00)) | ((blue & 0xff00) >> 8);
-		break;
+			break;
 #endif
-	default:
-		return 1;
+		default:
+			return 1;
+		}
 	}
+
 	return 0;
 }
 

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/