coco3: graphics: correct bounds checking, gfxioc_read semantics

diff --git a/Kernel/platform-coco3/video.c b/Kernel/platform-coco3/video.c
index 181f55a..427722a 100644 (file)
--- a/Kernel/platform-coco3/video.c
+++ b/Kernel/platform-coco3/video.c
@@ -12,8 +12,11 @@ extern video_cmd( char *rlt_data);
 
 */
 
+static int irq;
+
 static void map_for_video()
 {
+       irq=di();
        *( uint8_t *)0xffa9 = 8;
        *( uint8_t *)0xffaa = 9;
 }
@@ -22,6 +25,7 @@ static void map_for_kernel()
 {
        *( uint8_t *)0xffa9 = 1;
        *( uint8_t *)0xffaa = 2;
+       irqrestore(irq);
 }
 
 static uint8_t *char_addr(unsigned int y1, unsigned char x1)
@@ -127,12 +131,11 @@ int gfx_draw_op(uarg_t arg, char *ptr)
                err = EINVAL;
                goto ret;
        }
-       if (arg != GFXIOC_READ){
+       if (arg != GFXIOC_READ)
                c = l;
-               if (uget(ptr + 2, (char *)0x5e00, c)){
-                       err = EFAULT;
-                       goto ret;
-               }
+       if (uget(ptr + 2, (char *)0x5e00, c)){
+               err = EFAULT;
+               goto ret;
        }
        switch(arg) {
        case GFXIOC_DRAW:
@@ -149,17 +152,16 @@ int gfx_draw_op(uarg_t arg, char *ptr)
                }
                l -= 8;
                if (p[0] > 191 || p[1] > 31 || p[2] > 191 || p[3] > 31 ||
-                   p[0] + p[2] > 191 || p[1] + p[3] > 31 ||
+                   p[0] + p[2] > 192 || p[1] + p[3] > 32 ||
                    (p[2] * p[3]) > l) {
                        err = -EFAULT;
                        break;
                }
                if (arg == GFXIOC_READ) {
                        video_read( (char *)0x5e00 );
-                       if (uput( (char *)0x5e00 + 8, ptr, l)){
+                       if (uput( (char *)0x5e00 + 8, ptr+10, l-2))
                                err = EFAULT;
-                               break;
-                       }
+                       break;
                }
                video_write( (char *)0x5e00 );
        }