2009-09-12 Robert Millan <rmh.grub@aybabtu.com>

        Fix memory corruption issue (spotted by Colin Watson).

        * kern/i386/pc/startup.S (grub_vbe_bios_getset_dac_palette): Fix bug
        causing returned size to be stored in an incorrect memory location.
        Fix use of uninitialized value when storing the returned size.

diff --git a/ChangeLog b/ChangeLog
index 0428aa72669c2f00b9320d415b256b8c29ac5da6..5eea781f7b48f793c35bf5c897ef157f75b382f5 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,11 @@
+2009-09-12  Robert Millan  <rmh.grub@aybabtu.com>
+
+       Fix memory corruption issue (spotted by Colin Watson).
+
+       * kern/i386/pc/startup.S (grub_vbe_bios_getset_dac_palette): Fix bug
+       causing returned size to be stored in an incorrect memory location.
+       Fix use of uninitialized value when storing the returned size.
+
 2009-09-12  Yves Blusseau  <blusseau@zetam.org>
 
        Change clean rules to properly remove files

diff --git a/kern/i386/pc/startup.S b/kern/i386/pc/startup.S
index 529662b93ab6938ed0b905a33b830a7bfb1ec348..da3624c894d5afabd9c0da21d816dbd73f416887 100644 (file)
--- a/kern/i386/pc/startup.S
+++ b/kern/i386/pc/startup.S
@@ -1761,18 +1761,18 @@ FUNCTION(grub_vbe_bios_getset_dac_palette_width)
        movw    $0x4f08, %ax
        int     $0x10
 
-       movw    %ax, %dx        /* real_to_prot destroys %eax.  */
+       movw    %ax, %cx        /* real_to_prot destroys %eax.  */
 
        DATA32 call     real_to_prot
        .code32
 
        /* Move result back to *dac_mask_size.  */
+       xorl    %eax, %eax
        movb    %bh, %al
        movl    %eax, (%edx)
 
        /* Return value in %eax.  */
-       xorl    %eax, %eax
-       movw    %dx, %ax
+       movw    %cx, %ax
 
        popl    %ebx
        popl    %ebp