[PATCH] staging: sm750fb: fix off-by-one in lynxfb_ops_setcolreg

Next message: Chuck Lever: "Re: [PATCH 08/24] nfsd: update the fsnotify mark when setting or removing a dir delegation"
Previous message: Paolo Bonzini: "[PATCH 6/7] KVM: VMX: switch to RESTORE_GUEST_SPEC_CTRL_BODY"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Ahmet Sezgin Duran

Date: Wed Apr 08 2026 - 14:24:53 EST

The bounds check used regno > 256 instead of regno >= 256,
allowing regno == 256. Valid indices are 0–255, resulting
in an out-of-bounds write.

Also remove the regno < 256 check in the truecolor path,
as it is always true with the corrected guard.

Signed-off-by: Ahmet Sezgin Duran <ahmet@xxxxxxxxxxxxxxx>
---
drivers/staging/sm750fb/sm750.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/staging/sm750fb/sm750.c b/drivers/staging/sm750fb/sm750.c
index 9f3e3d37e82a..ea077c7c89cd 100644
--- a/drivers/staging/sm750fb/sm750.c
+++ b/drivers/staging/sm750fb/sm750.c
@@ -531,7 +531,7 @@ static int lynxfb_ops_setcolreg(unsigned int regno,
var = &info->var;
ret = 0;

- if (regno > 256) {
+ if (regno >= 256) {
dev_err(info->device, "regno = %d\n", regno);
return -EINVAL;
}
@@ -553,7 +553,7 @@ static int lynxfb_ops_setcolreg(unsigned int regno,
goto exit;
}

- if (info->fix.visual == FB_VISUAL_TRUECOLOR && regno < 256) {
+ if (info->fix.visual == FB_VISUAL_TRUECOLOR) {
u32 val;

if (var->bits_per_pixel == 16 ||
--
2.53.0