From 54243cefdd3ab8133ebe7d3d705f35ca1d0b59eb Mon Sep 17 00:00:00 2001
From: "Antonino A. Daplas" <adaplas@gmail.com>
Date: Sat, 11 Mar 2006 03:27:26 -0800
Subject: [PATCH] tdfxfb: Fix buffer overrun

The pseudo_palette has room only for 16 entries, but tdfxfb_setcolreg may
attempt to write more.

Coverity Bug 557

Signed-off-by: Antonino Daplas <adaplas@pol.net>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
---
 drivers/video/tdfxfb.c | 42 +++++++++++++++++++++++-------------------
 1 file changed, 23 insertions(+), 19 deletions(-)

(limited to 'drivers/video/tdfxfb.c')

diff --git a/drivers/video/tdfxfb.c b/drivers/video/tdfxfb.c
index 3e7baf4c9fa8..5e5328d682db 100644
--- a/drivers/video/tdfxfb.c
+++ b/drivers/video/tdfxfb.c
@@ -786,28 +786,32 @@ static int tdfxfb_setcolreg(unsigned regno, unsigned red, unsigned green,
 	if (regno >= info->cmap.len || regno > 255) return 1;
    
 	switch (info->fix.visual) {
-		case FB_VISUAL_PSEUDOCOLOR:
-			rgbcol =(((u32)red   & 0xff00) << 8) |
-				(((u32)green & 0xff00) << 0) |
-				(((u32)blue  & 0xff00) >> 8);
-			do_setpalentry(par, regno, rgbcol);
-			break;
-		/* Truecolor has no hardware color palettes. */
-		case FB_VISUAL_TRUECOLOR:
+	case FB_VISUAL_PSEUDOCOLOR:
+		rgbcol =(((u32)red   & 0xff00) << 8) |
+			(((u32)green & 0xff00) << 0) |
+			(((u32)blue  & 0xff00) >> 8);
+		do_setpalentry(par, regno, rgbcol);
+		break;
+	/* Truecolor has no hardware color palettes. */
+	case FB_VISUAL_TRUECOLOR:
+		if (regno < 16) {
 			rgbcol = (CNVT_TOHW( red, info->var.red.length) <<
 				  info->var.red.offset) |
-				 (CNVT_TOHW( green, info->var.green.length) <<
-				  info->var.green.offset) |
-				 (CNVT_TOHW( blue, info->var.blue.length) <<
-				  info->var.blue.offset) |
-				 (CNVT_TOHW( transp, info->var.transp.length) <<
-				  info->var.transp.offset);
-				par->palette[regno] = rgbcol;
-			break;
-		default:
-			DPRINTK("bad depth %u\n", info->var.bits_per_pixel);
-			break;
+				(CNVT_TOHW( green, info->var.green.length) <<
+				 info->var.green.offset) |
+				(CNVT_TOHW( blue, info->var.blue.length) <<
+				 info->var.blue.offset) |
+				(CNVT_TOHW( transp, info->var.transp.length) <<
+				 info->var.transp.offset);
+			par->palette[regno] = rgbcol;
+		}
+
+		break;
+	default:
+		DPRINTK("bad depth %u\n", info->var.bits_per_pixel);
+		break;
 	}
+
 	return 0;
 }
 
-- 
cgit v1.2.3