From: "Antonino A. Daplas" <adaplas@gmail.com>
To: Andrew Morton <akpm@osdl.org>
Cc: Linux Fbdev development list
<linux-fbdev-devel@lists.sourceforge.net>,
Hannu Mallat <hmallat@cc.hut.fi>
Subject: [PATCH 14/18] tdfxfb: Fix buffer overrun
Date: Sat, 11 Mar 2006 09:51:23 +0800 [thread overview]
Message-ID: <44122D1B.9010007@gmail.com> (raw)
The pseudo_palette has room only for 16 entries, but tdfxfb_setcolreg may
attempt to write more.
Coverity Bug 557
Signed-off-by: Antonino Daplas <adaplas@pol.net>
---
drivers/video/tdfxfb.c | 42 +++++++++++++++++++++++-------------------
1 files changed, 23 insertions(+), 19 deletions(-)
diff --git a/drivers/video/tdfxfb.c b/drivers/video/tdfxfb.c
index 3e7baf4..5e5328d 100644
--- a/drivers/video/tdfxfb.c
+++ b/drivers/video/tdfxfb.c
@@ -786,28 +786,32 @@ static int tdfxfb_setcolreg(unsigned reg
if (regno >= info->cmap.len || regno > 255) return 1;
switch (info->fix.visual) {
- case FB_VISUAL_PSEUDOCOLOR:
- rgbcol =(((u32)red & 0xff00) << 8) |
- (((u32)green & 0xff00) << 0) |
- (((u32)blue & 0xff00) >> 8);
- do_setpalentry(par, regno, rgbcol);
- break;
- /* Truecolor has no hardware color palettes. */
- case FB_VISUAL_TRUECOLOR:
+ case FB_VISUAL_PSEUDOCOLOR:
+ rgbcol =(((u32)red & 0xff00) << 8) |
+ (((u32)green & 0xff00) << 0) |
+ (((u32)blue & 0xff00) >> 8);
+ do_setpalentry(par, regno, rgbcol);
+ break;
+ /* Truecolor has no hardware color palettes. */
+ case FB_VISUAL_TRUECOLOR:
+ if (regno < 16) {
rgbcol = (CNVT_TOHW( red, info->var.red.length) <<
info->var.red.offset) |
- (CNVT_TOHW( green, info->var.green.length) <<
- info->var.green.offset) |
- (CNVT_TOHW( blue, info->var.blue.length) <<
- info->var.blue.offset) |
- (CNVT_TOHW( transp, info->var.transp.length) <<
- info->var.transp.offset);
- par->palette[regno] = rgbcol;
- break;
- default:
- DPRINTK("bad depth %u\n", info->var.bits_per_pixel);
- break;
+ (CNVT_TOHW( green, info->var.green.length) <<
+ info->var.green.offset) |
+ (CNVT_TOHW( blue, info->var.blue.length) <<
+ info->var.blue.offset) |
+ (CNVT_TOHW( transp, info->var.transp.length) <<
+ info->var.transp.offset);
+ par->palette[regno] = rgbcol;
+ }
+
+ break;
+ default:
+ DPRINTK("bad depth %u\n", info->var.bits_per_pixel);
+ break;
}
+
return 0;
}
-------------------------------------------------------
This SF.Net email is sponsored by xPML, a groundbreaking scripting language
that extends applications into web and mobile media. Attend the live webcast
and join the prime developer group breaking into this new coding territory!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=110944&bid=241720&dat=121642
reply other threads:[~2006-03-11 2:50 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=44122D1B.9010007@gmail.com \
--to=adaplas@gmail.com \
--cc=akpm@osdl.org \
--cc=hmallat@cc.hut.fi \
--cc=linux-fbdev-devel@lists.sourceforge.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.