sisfb: read buffer overflow
Roel Kluin [Tue, 22 Sep 2009 23:47:07 +0000 (16:47 -0700)]
If called with mode_idx = 1, rate = 68, a read occurs from
sisfb_vrate[-1].refresh.

Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
Cc: Krzysztof Helt <krzysztof.h1@poczta.fm>
Cc: Thomas Winischhofer <thomas@winischhofer.net>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

drivers/video/sis/sis_main.c

index 4a067f0..a4e05e4 100644 (file)
@@ -698,8 +698,8 @@ sisfb_search_refresh_rate(struct sis_video_info *ivideo, unsigned int rate, int
                                                rate, sisfb_vrate[i].refresh);
                                        ivideo->rate_idx = sisfb_vrate[i].idx;
                                        ivideo->refresh_rate = sisfb_vrate[i].refresh;
-                               } else if(((rate - sisfb_vrate[i-1].refresh) <= 2)
-                                               && (sisfb_vrate[i].idx != 1)) {
+                               } else if((sisfb_vrate[i].idx != 1) &&
+                                               ((rate - sisfb_vrate[i-1].refresh) <= 2)) {
                                        DPRINTK("sisfb: Adjusting rate from %d down to %d\n",
                                                rate, sisfb_vrate[i-1].refresh);
                                        ivideo->rate_idx = sisfb_vrate[i-1].idx;