From 9adb6f2e3f0231d33c624b3f0569e69bb4e50bd2 Mon Sep 17 00:00:00 2001
From: Jukka Heinonen <jhei@iki.fi>
Date: Mon, 25 Aug 2003 00:53:35 +0000
Subject: [PATCH] Replace some magic numbers with symbols. Add sanity checks so
 that VGA window cannot be used to access memory outside framebuffer.

---
 dlls/winedos/vga.c | 25 +++++++++++++++++++------
 1 file changed, 19 insertions(+), 6 deletions(-)

diff --git a/dlls/winedos/vga.c b/dlls/winedos/vga.c
index 5cc7dbf5870..e8710dd5401 100644
--- a/dlls/winedos/vga.c
+++ b/dlls/winedos/vga.c
@@ -42,6 +42,16 @@ static DDSURFACEDESC sdesc;
 static BOOL vga_retrace_vertical;
 static BOOL vga_retrace_horizontal;
 
+/*
+ * Size and location of VGA controller window to framebuffer.
+ *
+ * Note: We support only single window even though some
+ *       controllers support two. This should not be changed unless
+ *       there are programs that depend on having two windows.
+ */
+#define VGA_WINDOW_SIZE  (64 * 1024)
+#define VGA_WINDOW_START ((char *)0xa0000)
+
 /*
  * VGA controller memory is emulated using linear framebuffer.
  * This frambuffer also acts as an interface
@@ -593,15 +603,17 @@ void VGA_SetWindowStart(int start)
 
     if(vga_fb_window == -1)
         FIXME("Remove VGA memory emulation.\n");
-    else
-        memmove(vga_fb_data + vga_fb_window, (char *)0xa0000, 64 * 1024);
+    else if(vga_fb_window + VGA_WINDOW_SIZE < vga_fb_size)
+        memmove(vga_fb_data + vga_fb_window, VGA_WINDOW_START,
+                VGA_WINDOW_SIZE);
 
     vga_fb_window = start;
 
     if(vga_fb_window == -1)
         FIXME("Install VGA memory emulation.\n");
-    else
-        memmove( (char *)0xa0000, vga_fb_data + vga_fb_window, 64 * 1024);
+    else if(vga_fb_window + VGA_WINDOW_SIZE < vga_fb_size)
+        memmove( VGA_WINDOW_START, vga_fb_data + vga_fb_window, 
+                 VGA_WINDOW_SIZE);
 
     LeaveCriticalSection(&vga_lock);
 }
@@ -913,8 +925,9 @@ static void VGA_Poll_Graphics(void)
   /*
    * Synchronize framebuffer contents.
    */
-  if(vga_fb_window != -1)
-    memmove(vga_fb_data + vga_fb_window, (char *)0xa0000, 64 * 1024);
+  if(vga_fb_window != -1 && vga_fb_window + VGA_WINDOW_SIZE < vga_fb_size)
+    memmove(vga_fb_data + vga_fb_window, VGA_WINDOW_START,
+            VGA_WINDOW_SIZE);
 
   /*
    * Double VGA framebuffer (320x200 -> 640x400), if needed.