From d63870db3c41086d7f13ec8b41def4331db32327 Mon Sep 17 00:00:00 2001 From: Roel Kluin Date: Tue, 22 Sep 2009 16:47:07 -0700 Subject: sisfb: read buffer overflow If called with mode_idx = 1, rate = 68, a read occurs from sisfb_vrate[-1].refresh. Signed-off-by: Roel Kluin Cc: Krzysztof Helt Cc: Thomas Winischhofer Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds --- drivers/video/sis/sis_main.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'drivers/video') diff --git a/drivers/video/sis/sis_main.c b/drivers/video/sis/sis_main.c index 4a067f0d0ce..a4e05e4d750 100644 --- a/drivers/video/sis/sis_main.c +++ b/drivers/video/sis/sis_main.c @@ -698,8 +698,8 @@ sisfb_search_refresh_rate(struct sis_video_info *ivideo, unsigned int rate, int rate, sisfb_vrate[i].refresh); ivideo->rate_idx = sisfb_vrate[i].idx; ivideo->refresh_rate = sisfb_vrate[i].refresh; - } else if(((rate - sisfb_vrate[i-1].refresh) <= 2) - && (sisfb_vrate[i].idx != 1)) { + } else if((sisfb_vrate[i].idx != 1) && + ((rate - sisfb_vrate[i-1].refresh) <= 2)) { DPRINTK("sisfb: Adjusting rate from %d down to %d\n", rate, sisfb_vrate[i-1].refresh); ivideo->rate_idx = sisfb_vrate[i-1].idx; -- cgit v1.2.3-70-g09d2