diff --git a/ChangeLog b/ChangeLog
index 0428aa726..5eea781f7 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,11 @@
+2009-09-12 Robert Millan
+
+ Fix memory corruption issue (spotted by Colin Watson).
+
+ * kern/i386/pc/startup.S (grub_vbe_bios_getset_dac_palette): Fix bug
+ causing returned size to be stored in an incorrect memory location.
+ Fix use of uninitialized value when storing the returned size.
+
 2009-09-12 Yves Blusseau
 Change clean rules to properly remove files
diff --git a/kern/i386/pc/startup.S b/kern/i386/pc/startup.S
index 529662b93..da3624c89 100644
--- a/kern/i386/pc/startup.S
+++ b/kern/i386/pc/startup.S
@@ -1761,18 +1761,18 @@ FUNCTION(grub_vbe_bios_getset_dac_palette_width)
 movw $0x4f08, %ax
 int $0x10
- movw %ax, %dx /* real_to_prot destroys %eax. */
+ movw %ax, %cx /* real_to_prot destroys %eax. */
 DATA32 call real_to_prot
 .code32
 /* Move result back to *dac_mask_size. */
+ xorl %eax, %eax
 movb %bh, %al
 movl %eax, (%edx)
 /* Return value in %eax. */
- xorl %eax, %eax
- movw %dx, %ax
+ movw %cx, %ax
 popl %ebx
 popl %ebp
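Review bot: The store `movl %eax, (%edx)` still depends on the caller's pointer in %edx surviving both `int $0x10` and `real_to_prot`, and nothing in the hunk states or enforces that; the only clobber the comments document is %eax. Since this path has just been fixed for memory corruption, I would record the register roles next to the save, e.g. `/* %cx = VBE status, %edx = dac_mask_size; both must survive real_to_prot. */`, and, if the BIOS cannot be relied on to leave %edx alone, keep the pointer on the stack across the call (presumably the way %ebx and %ebp are already saved). The return path is also subtle now: `movw %cx, %ax` gives a clean 32-bit result only because the `xorl %eax, %eax` added three lines earlier cleared the upper half, so that comment could read `/* Return value in %eax; upper 16 bits are already zero from the xorl above. */`. The function's prologue and its `ret` lie outside the hunk, so the stack layout cannot be checked from here.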