neofb: Fix pseudo_palette array overrun in neofb_setcolreg

The pseudo_palette has room for 16 entries only, but in truecolor mode, it
attempts to write 256.

Signed-off-by: Antonino Daplas <adaplas@gmail.com>
Acked-by: Tero Roponen <teanropo@jyu.fi>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

diff --git a/drivers/video/neofb.c b/drivers/video/neofb.c
index bd30aba..731d7a5 100644 (file)
--- a/drivers/video/neofb.c
+++ b/drivers/video/neofb.c
@@ -1286,34 +1286,36 @@ static int neofb_setcolreg(u_int regno, u_int red, u_int green, u_int blue,
        if (regno >= fb->cmap.len || regno > 255)
                return -EINVAL;
 
-       switch (fb->var.bits_per_pixel) {
-       case 8:
+       if (fb->var.bits_per_pixel <= 8) {
                outb(regno, 0x3c8);
 
                outb(red >> 10, 0x3c9);
                outb(green >> 10, 0x3c9);
                outb(blue >> 10, 0x3c9);
-               break;
-       case 16:
-               ((u32 *) fb->pseudo_palette)[regno] =
+       } else if (regno < 16) {
+               switch (fb->var.bits_per_pixel) {
+               case 16:
+                       ((u32 *) fb->pseudo_palette)[regno] =
                                ((red & 0xf800)) | ((green & 0xfc00) >> 5) |
                                ((blue & 0xf800) >> 11);
-               break;
-       case 24:
-               ((u32 *) fb->pseudo_palette)[regno] =
+                       break;
+               case 24:
+                       ((u32 *) fb->pseudo_palette)[regno] =
                                ((red & 0xff00) << 8) | ((green & 0xff00)) |
                                ((blue & 0xff00) >> 8);
-               break;
+                       break;
 #ifdef NO_32BIT_SUPPORT_YET
-       case 32:
-               ((u32 *) fb->pseudo_palette)[regno] =
+               case 32:
+                       ((u32 *) fb->pseudo_palette)[regno] =
                                ((transp & 0xff00) << 16) | ((red & 0xff00) << 8) |
                                ((green & 0xff00)) | ((blue & 0xff00) >> 8);
-               break;
+                       break;
 #endif
-       default:
-               return 1;
+               default:
+                       return 1;
+               }
        }
+
        return 0;
 }