From 728bd7ee92ac697bfdc5b25dc47d2f0529fcd8a1 Mon Sep 17 00:00:00 2001
From: Brett Gordon <beretta42@gmail.com>
Date: Fri, 23 Oct 2015 23:56:25 -0400
Subject: [PATCH] coco3: graphics: correct bounds checking, gfxioc_read
 semantics

---
 Kernel/platform-coco3/video.c | 20 +++++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)

diff --git a/Kernel/platform-coco3/video.c b/Kernel/platform-coco3/video.c
index 181f55ab..427722a3 100644
--- a/Kernel/platform-coco3/video.c
+++ b/Kernel/platform-coco3/video.c
@@ -12,8 +12,11 @@ extern video_cmd( char *rlt_data);
 
 */
 
+static int irq;
+
 static void map_for_video()
 {
+	irq=di();
 	*( uint8_t *)0xffa9 = 8;
 	*( uint8_t *)0xffaa = 9;
 }
@@ -22,6 +25,7 @@ static void map_for_kernel()
 {
 	*( uint8_t *)0xffa9 = 1;
 	*( uint8_t *)0xffaa = 2;
+	irqrestore(irq);
 }
 
 static uint8_t *char_addr(unsigned int y1, unsigned char x1)
@@ -127,12 +131,11 @@ int gfx_draw_op(uarg_t arg, char *ptr)
 		err = EINVAL;
 		goto ret;
 	}
-	if (arg != GFXIOC_READ){
+	if (arg != GFXIOC_READ)
 		c = l;
-		if (uget(ptr + 2, (char *)0x5e00, c)){
-			err = EFAULT;
-			goto ret;
-		}
+	if (uget(ptr + 2, (char *)0x5e00, c)){
+		err = EFAULT;
+		goto ret;
 	}
 	switch(arg) {
 	case GFXIOC_DRAW:
@@ -149,17 +152,16 @@ int gfx_draw_op(uarg_t arg, char *ptr)
 		}
 		l -= 8;
 		if (p[0] > 191 || p[1] > 31 || p[2] > 191 || p[3] > 31 ||
-		    p[0] + p[2] > 191 || p[1] + p[3] > 31 ||
+		    p[0] + p[2] > 192 || p[1] + p[3] > 32 ||
 		    (p[2] * p[3]) > l) {
 			err = -EFAULT;
 			break;
 		}
 		if (arg == GFXIOC_READ) {
 			video_read( (char *)0x5e00 );
-			if (uput( (char *)0x5e00 + 8, ptr, l)){
+			if (uput( (char *)0x5e00 + 8, ptr+10, l-2))
 				err = EFAULT;
-				break;
-			}
+			break;
 		}
 		video_write( (char *)0x5e00 );
 	}
-- 
2.34.1