[PATCH 1/1] fbdev: atyfb: Fix buffer overflow

Denis Arefev Thu, 27 Mar 2025 03:26:35 -0700

The value LCD_MISC_CNTL is used in the 'aty_st_lcd()' function to
calculate an index for accessing an array element of size 9.
This may cause a buffer overflow.


Found by Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Denis Arefev <are...@swemel.ru>
---
 drivers/video/fbdev/aty/atyfb_base.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/drivers/video/fbdev/aty/atyfb_base.c 
b/drivers/video/fbdev/aty/atyfb_base.c
index 210fd3ac18a4..93eb5eb6042b 100644
--- a/drivers/video/fbdev/aty/atyfb_base.c
+++ b/drivers/video/fbdev/aty/atyfb_base.c
@@ -149,6 +149,8 @@ static const u32 lt_lcd_regs[] = {
 void aty_st_lcd(int index, u32 val, const struct atyfb_par *par)
 {
        if (M64_HAS(LT_LCD_REGS)) {
+               if ((u32)index >= ARRAY_SIZE(lt_lcd_regs))
+                       return;
                aty_st_le32(lt_lcd_regs[index], val, par);
        } else {
                unsigned long temp;
@@ -164,6 +166,8 @@ void aty_st_lcd(int index, u32 val, const struct atyfb_par 
*par)
 u32 aty_ld_lcd(int index, const struct atyfb_par *par)
 {
        if (M64_HAS(LT_LCD_REGS)) {
+               if ((u32)index >= ARRAY_SIZE(lt_lcd_regs))
+                       return 0;
                return aty_ld_le32(lt_lcd_regs[index], par);
        } else {
                unsigned long temp;
-- 
2.43.0

[PATCH 1/1] fbdev: atyfb: Fix buffer overflow

Reply via email to