staging: sm750fb: fix off-by-one in lynxfb_ops_setcolreg

[PATCH] staging: sm750fb: fix off-by-one in lynxfb_ops_setcolreg

Ahmet Sezgin Duran posted 1 patch 2 months, 1 week ago

Download mbox

drivers/staging/sm750fb/sm750.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

Expand all Fold all

[PATCH] staging: sm750fb: fix off-by-one in lynxfb_ops_setcolreg

Posted by Ahmet Sezgin Duran 2 months, 1 week ago

The bounds check used regno > 256 instead of regno >= 256,
allowing regno == 256. Valid indices are 0–255, resulting
in an out-of-bounds write.

Also remove the regno < 256 check in the truecolor path,
as it is always true with the corrected guard.

Signed-off-by: Ahmet Sezgin Duran <ahmet@sezginduran.net>
---
 drivers/staging/sm750fb/sm750.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/staging/sm750fb/sm750.c b/drivers/staging/sm750fb/sm750.c
index 9f3e3d37e82a..ea077c7c89cd 100644
--- a/drivers/staging/sm750fb/sm750.c
+++ b/drivers/staging/sm750fb/sm750.c
@@ -531,7 +531,7 @@ static int lynxfb_ops_setcolreg(unsigned int regno,
 	var = &info->var;
 	ret = 0;
 
-	if (regno > 256) {
+	if (regno >= 256) {
 		dev_err(info->device, "regno = %d\n", regno);
 		return -EINVAL;
 	}
@@ -553,7 +553,7 @@ static int lynxfb_ops_setcolreg(unsigned int regno,
 		goto exit;
 	}
 
-	if (info->fix.visual == FB_VISUAL_TRUECOLOR && regno < 256) {
+	if (info->fix.visual == FB_VISUAL_TRUECOLOR) {
 		u32 val;
 
 		if (var->bits_per_pixel == 16 ||
-- 
2.53.0