summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAntonino A. Daplas <adaplas@gmail.com>2007-05-31 10:04:57 +0400
committerLinus Torvalds <torvalds@woody.linux-foundation.org>2007-05-31 18:48:27 +0400
commita2b7d2e97edcad0e95ae0d3c253d3f2f69254fa4 (patch)
tree26b392f8aa430a2715f40f54290952ea1e070436
parent3f0a6766e0cc5a577805732e5adb50a585c58175 (diff)
downloadlinux-a2b7d2e97edcad0e95ae0d3c253d3f2f69254fa4.tar.xz
neofb: Fix pseudo_palette array overrun in neofb_setcolreg
The pseudo_palette has room for 16 entries only, but in truecolor mode, it attempts to write 256. Signed-off-by: Antonino Daplas <adaplas@gmail.com> Acked-by: Tero Roponen <teanropo@jyu.fi> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-rw-r--r--drivers/video/neofb.c30
1 files changed, 16 insertions, 14 deletions
diff --git a/drivers/video/neofb.c b/drivers/video/neofb.c
index bd30aba242d0..731d7a5c5aa2 100644
--- a/drivers/video/neofb.c
+++ b/drivers/video/neofb.c
@@ -1286,34 +1286,36 @@ static int neofb_setcolreg(u_int regno, u_int red, u_int green, u_int blue,
if (regno >= fb->cmap.len || regno > 255)
return -EINVAL;
- switch (fb->var.bits_per_pixel) {
- case 8:
+ if (fb->var.bits_per_pixel <= 8) {
outb(regno, 0x3c8);
outb(red >> 10, 0x3c9);
outb(green >> 10, 0x3c9);
outb(blue >> 10, 0x3c9);
- break;
- case 16:
- ((u32 *) fb->pseudo_palette)[regno] =
+ } else if (regno < 16) {
+ switch (fb->var.bits_per_pixel) {
+ case 16:
+ ((u32 *) fb->pseudo_palette)[regno] =
((red & 0xf800)) | ((green & 0xfc00) >> 5) |
((blue & 0xf800) >> 11);
- break;
- case 24:
- ((u32 *) fb->pseudo_palette)[regno] =
+ break;
+ case 24:
+ ((u32 *) fb->pseudo_palette)[regno] =
((red & 0xff00) << 8) | ((green & 0xff00)) |
((blue & 0xff00) >> 8);
- break;
+ break;
#ifdef NO_32BIT_SUPPORT_YET
- case 32:
- ((u32 *) fb->pseudo_palette)[regno] =
+ case 32:
+ ((u32 *) fb->pseudo_palette)[regno] =
((transp & 0xff00) << 16) | ((red & 0xff00) << 8) |
((green & 0xff00)) | ((blue & 0xff00) >> 8);
- break;
+ break;
#endif
- default:
- return 1;
+ default:
+ return 1;
+ }
}
+
return 0;
}