From 81a11efdafd5de1cd14efcbdc279cc2f404eb3d5 Mon Sep 17 00:00:00 2001
From: Simon Tatham <anakin@pobox.com>
Date: Mon, 22 Jul 2013 07:12:26 +0000
Subject: [PATCH] Correct an inequality sign causing the bounds check in
 Windows palette_set() to be bogus. Fortunately, this isn't exploitable
 through the terminal emulator, because the palette escape sequence parser
 contains its own bounds check before even calling palette_set().

While I'm at it, fix the same goof in the OS X version! That port is
more or less abandoned, but that's no excuse for leaving obviously
wrong code lying around.

[originally from svn r9965]
---
 macosx/osxwin.m  | 2 +-
 windows/window.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/macosx/osxwin.m b/macosx/osxwin.m
index 169ae648..b58742d9 100644
--- a/macosx/osxwin.m
+++ b/macosx/osxwin.m
@@ -957,7 +957,7 @@ void palette_set(void *frontend, int n, int r, int g, int b)
 
     if (n >= 16)
 	n += 256 - 16;
-    if (n > NALLCOLOURS)
+    if (n >= NALLCOLOURS)
 	return;
     [win setColour:n r:r/255.0 g:g/255.0 b:b/255.0];
 
diff --git a/windows/window.c b/windows/window.c
index b477d6ae..f1f72525 100644
--- a/windows/window.c
+++ b/windows/window.c
@@ -4805,7 +4805,7 @@ void palette_set(void *frontend, int n, int r, int g, int b)
 {
     if (n >= 16)
 	n += 256 - 16;
-    if (n > NALLCOLOURS)
+    if (n >= NALLCOLOURS)
 	return;
     real_palette_set(n, r, g, b);
     if (pal) {