Do correct bounds checking in get/set/put cmap routines. A few of

these check were already OK but have been modified for consistency.
Problem found by Silvio Cesare.

3 files changed, 13 insertions, 13 deletions

diff --git a/sys/arch/sun3/dev/bt_subr.c b/sys/arch/sun3/dev/bt_subr.c
index d51468ad11e..17022d60069 100644
--- a/sys/arch/sun3/dev/bt_subr.c
+++ b/sys/arch/sun3/dev/bt_subr.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: bt_subr.c,v 1.2 1997/01/16 04:03:42 kstailey Exp $	*/
+/*	$OpenBSD: bt_subr.c,v 1.3 2002/08/02 16:13:07 millert Exp $	*/
 /*	$NetBSD: bt_subr.c,v 1.2 1995/04/10 22:12:48 gwr Exp $ */
 
 /*
@@ -74,7 +74,7 @@ bt_getcmap(p, cm, cmsize)
 
 	start = p->index;
 	count = p->count;
-	if (start >= cmsize || start + count > cmsize)
+	if (start >= cmsize || count > cmsize - start)
 		return (EINVAL);
 	if (!useracc(p->red, count, B_WRITE) ||
 	    !useracc(p->green, count, B_WRITE) ||
@@ -102,7 +102,7 @@ bt_putcmap(p, cm, cmsize)
 
 	start = p->index;
 	count = p->count;
-	if (start >= cmsize || start + count > cmsize)
+	if (start >= cmsize || count > cmsize - start)
 		return (EINVAL);
 	if (!useracc(p->red, count, B_READ) ||
 	    !useracc(p->green, count, B_READ) ||
diff --git a/sys/arch/sun3/dev/cg2.c b/sys/arch/sun3/dev/cg2.c
index 5422ac1fe7e..59c94827178 100644
--- a/sys/arch/sun3/dev/cg2.c
+++ b/sys/arch/sun3/dev/cg2.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: cg2.c,v 1.11 2002/03/14 03:16:01 millert Exp $	*/
+/*	$OpenBSD: cg2.c,v 1.12 2002/08/02 16:13:07 millert Exp $	*/
 /*	$NetBSD: cg2.c,v 1.7 1996/10/13 03:47:26 christos Exp $	*/
 
 /*
@@ -315,7 +315,7 @@ cg2getcmap(fb, cmap)
 	start = cmap->index;
 	count = cmap->count;
 	ecount = start + count;
-	if (start >= CMSIZE || ecount > CMSIZE)
+	if (start >= CMSIZE || count > CMSIZE - start)
 		return (EINVAL);
 
 	/* XXX - Wait for retrace? */
@@ -358,7 +358,7 @@ cg2putcmap(fb, cmap)
 	start = cmap->index;
 	count = cmap->count;
 	ecount = start + count;
-	if (start >= CMSIZE || ecount > CMSIZE)
+	if (start >= CMSIZE || count > CMSIZE - start)
 		return (EINVAL);
 
 	/* Copy from user space to local arrays. */
diff --git a/sys/arch/sun3/dev/cg4.c b/sys/arch/sun3/dev/cg4.c
index da050615dae..3b04679854d 100644
--- a/sys/arch/sun3/dev/cg4.c
+++ b/sys/arch/sun3/dev/cg4.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: cg4.c,v 1.11 2002/03/14 01:26:46 millert Exp $	*/
+/*	$OpenBSD: cg4.c,v 1.12 2002/08/02 16:13:07 millert Exp $	*/
 /*	$NetBSD: cg4.c,v 1.11 1996/10/29 19:54:19 gwr Exp $	*/
 
 /*
@@ -403,12 +403,12 @@ cg4getcmap(fb, fbcm)
 {
 	struct cg4_softc *sc = fb->fb_private;
 	struct soft_cmap *cm = &sc->sc_cmap;
-	int error, start, count;
+	u_int start, count;
+	int error;
 
 	start = fbcm->index;
 	count = fbcm->count;
-	if ((start < 0) || (start >= CMAP_SIZE) ||
-	    (count < 0) || (start + count > CMAP_SIZE) )
+	if (start >= CMAP_SIZE || count > CMAP_SIZE - start)
 		return (EINVAL);
 
 	if ((error = copyout(&cm->r[start], fbcm->red, count)) != 0)
@@ -434,12 +434,12 @@ cg4putcmap(fb, fbcm)
 {
 	struct cg4_softc *sc = fb->fb_private;
 	struct soft_cmap *cm = &sc->sc_cmap;
-	int error, start, count;
+	u_int start, count;
+	int error;
 
 	start = fbcm->index;
 	count = fbcm->count;
-	if ((start < 0) || (start >= CMAP_SIZE) ||
-	    (count < 0) || (start + count > CMAP_SIZE) )
+	if (start >= CMAP_SIZE || count > CMAP_SIZE - start)
 		return (EINVAL);
 
 	if ((error = copyin(fbcm->red, &cm->r[start], count)) != 0)