The bounds check used regno > 256 instead of regno >= 256,
allowing regno == 256. Valid indices are 0–255, resulting
in an out-of-bounds write.
Also remove the regno < 256 check in the truecolor path,
as it is always true with the corrected guard.
Signed-off-by: Ahmet Sezgin Duran <ahmet@sezginduran.net>
Link: https://patch.msgid.link/20260408181210.9672-1-ahmet@sezginduran.net
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
var = &info->var;
ret = 0;
- if (regno > 256) {
+ if (regno >= 256) {
dev_err(info->device, "regno = %d\n", regno);
return -EINVAL;
}
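Review bot: The guard `if (regno >= 256) {` still hard-codes the table size as a literal, which is how the off-by-one went unnoticed in the first place. Consider deriving the limit from the array that regno indexes (ARRAY_SIZE on that array) or from a named constant shared with its declaration, so the check cannot drift from the real size. The message `"regno = %d\n"` would also be more useful if it said the value was out of range and what the limit is.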
goto exit;
}
- if (info->fix.visual == FB_VISUAL_TRUECOLOR && regno < 256) {
+ if (info->fix.visual == FB_VISUAL_TRUECOLOR) {
u32 val;
if (var->bits_per_pixel == 16 ||
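Review bot: With `&& regno < 256` dropped, the bound on regno in the `FB_VISUAL_TRUECOLOR` branch now depends entirely on the earlier `regno >= 256` guard returning -EINVAL, and nothing at this site says so. A one-line comment noting that regno is already limited to 0..255 would keep a later refactor of the early return from silently reopening the out-of-bounds write. It is also worth confirming that nothing between the guard and this branch reassigns regno.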