sisfb: read buffer overflow

If called with mode_idx = 1, rate = 68, a read occurs from
sisfb_vrate[-1].refresh.

Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
Cc: Krzysztof Helt <krzysztof.h1@poczta.fm>
Cc: Thomas Winischhofer <thomas@winischhofer.net>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
This commit is contained in:
Roel Kluin 2009-09-22 16:47:07 -07:00 committed by Linus Torvalds
parent 2f93e8f482
commit d63870db3c

View File

@ -698,8 +698,8 @@ sisfb_search_refresh_rate(struct sis_video_info *ivideo, unsigned int rate, int
rate, sisfb_vrate[i].refresh);
ivideo->rate_idx = sisfb_vrate[i].idx;
ivideo->refresh_rate = sisfb_vrate[i].refresh;
} else if(((rate - sisfb_vrate[i-1].refresh) <= 2)
&& (sisfb_vrate[i].idx != 1)) {
} else if((sisfb_vrate[i].idx != 1) &&
((rate - sisfb_vrate[i-1].refresh) <= 2)) {
DPRINTK("sisfb: Adjusting rate from %d down to %d\n",
rate, sisfb_vrate[i-1].refresh);
ivideo->rate_idx = sisfb_vrate[i-1].idx;