From: Ahmet Sezgin Duran <ahmet@sezginduran.net>
Date: Wed, 8 Apr 2026 18:12:10 +0000 (+0000)
Subject: staging: sm750fb: fix off-by-one in lynxfb_ops_setcolreg
X-Git-Tag: v7.2-rc1~66^2~192
X-Git-Url: http://git.ipfire.org/gitweb/index.cgi?a=commitdiff_plain;h=1121e3084095d162eb68bde350016e8257a37eb5;p=thirdparty%2Flinux.git

staging: sm750fb: fix off-by-one in lynxfb_ops_setcolreg

The bounds check used regno > 256 instead of regno >= 256,
allowing regno == 256. Valid indices are 0–255, resulting
in an out-of-bounds write.

Also remove the regno < 256 check in the truecolor path,
as it is always true with the corrected guard.

Signed-off-by: Ahmet Sezgin Duran <ahmet@sezginduran.net>
Link: https://patch.msgid.link/20260408181210.9672-1-ahmet@sezginduran.net
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---

diff --git a/drivers/staging/sm750fb/sm750.c b/drivers/staging/sm750fb/sm750.c
index f91d08b90f8f6..8f43eea2868bd 100644
--- a/drivers/staging/sm750fb/sm750.c
+++ b/drivers/staging/sm750fb/sm750.c
@@ -531,7 +531,7 @@ static int lynxfb_ops_setcolreg(unsigned int regno,
 	var = &info->var;
 	ret = 0;
 
-	if (regno > 256) {
+	if (regno >= 256) {
 		dev_err(info->device, "regno = %d\n", regno);
 		return -EINVAL;
 	}
@@ -553,7 +553,7 @@ static int lynxfb_ops_setcolreg(unsigned int regno,
 		goto exit;
 	}
 
-	if (info->fix.visual == FB_VISUAL_TRUECOLOR && regno < 256) {
+	if (info->fix.visual == FB_VISUAL_TRUECOLOR) {
 		u32 val;
 
 		if (var->bits_per_pixel == 16 ||