From d301524772be3eef5fae1bcd5ca76fac69bb3b6e Mon Sep 17 00:00:00 2001
From: "Antonino A. Daplas" <adaplas@gmail.com>
Date: Sat, 11 Mar 2006 03:27:26 -0800
Subject: [PATCH] intelfb: Fix buffer overrun

The pseudo_palette has room only for 16 entries, but intelfb_setcolreg will
attempt to write more.

Coverity Bug 558

Signed-off-by: Antonino Daplas <adaplas@pol.net>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
---
 drivers/video/intelfb/intelfbdrv.c | 50 ++++++++++++++++++++------------------
 1 file changed, 26 insertions(+), 24 deletions(-)

(limited to 'drivers')

diff --git a/drivers/video/intelfb/intelfbdrv.c b/drivers/video/intelfb/intelfbdrv.c
index 6b8bd3cdf9c0..995b47c165a7 100644
--- a/drivers/video/intelfb/intelfbdrv.c
+++ b/drivers/video/intelfb/intelfbdrv.c
@@ -1333,33 +1333,35 @@ intelfb_setcolreg(unsigned regno, unsigned red, unsigned green,
 	if (regno > 255)
 		return 1;
 
-	switch (dinfo->depth) {
-	case 8:
-		{
-			red >>= 8;
-			green >>= 8;
-			blue >>= 8;
+	if (dinfo->depth == 8) {
+		red >>= 8;
+		green >>= 8;
+		blue >>= 8;
+
+		intelfbhw_setcolreg(dinfo, regno, red, green, blue,
+				    transp);
+	}
 
-			intelfbhw_setcolreg(dinfo, regno, red, green, blue,
-					    transp);
+	if (regno < 16) {
+		switch (dinfo->depth) {
+		case 15:
+			dinfo->pseudo_palette[regno] = ((red & 0xf800) >>  1) |
+				((green & 0xf800) >>  6) |
+				((blue & 0xf800) >> 11);
+			break;
+		case 16:
+			dinfo->pseudo_palette[regno] = (red & 0xf800) |
+				((green & 0xfc00) >>  5) |
+				((blue  & 0xf800) >> 11);
+			break;
+		case 24:
+			dinfo->pseudo_palette[regno] = ((red & 0xff00) << 8) |
+				(green & 0xff00) |
+				((blue  & 0xff00) >> 8);
+			break;
 		}
-		break;
-	case 15:
-		dinfo->pseudo_palette[regno] = ((red & 0xf800) >>  1) |
-					       ((green & 0xf800) >>  6) |
-					       ((blue & 0xf800) >> 11);
-		break;
-	case 16:
-		dinfo->pseudo_palette[regno] = (red & 0xf800) |
-					       ((green & 0xfc00) >>  5) |
-					       ((blue  & 0xf800) >> 11);
-		break;
-	case 24:
-		dinfo->pseudo_palette[regno] = ((red & 0xff00) << 8) |
-					       (green & 0xff00) |
-					       ((blue  & 0xff00) >> 8);
-		break;
 	}
+
 	return 0;
 }
 
-- 
cgit v1.2.3