From 3d63b355eae892afa0a8992c73b11a87fdfcd335 Mon Sep 17 00:00:00 2001
From: Gordon Williams <gw@pur3.co.uk>
Date: Mon, 22 Oct 2018 10:48:58 +0100
Subject: [PATCH] Fix potential out of bounds Graphics.scroll

---
 ChangeLog                |  1 +
 libs/graphics/graphics.c |  2 +-
 test_graphics_scroll.js  | 10 ++++++++++
 3 files changed, 12 insertions(+), 1 deletion(-)
 create mode 100644 test_graphics_scroll.js

diff --git a/ChangeLog b/ChangeLog
index cfa12eec1..d85ba7aa2 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,6 +1,7 @@
             Fix issues with Class Extends
             Improve Tab Completions for extended classes
             Fix Storage.readJSON/readArrayBuffer memory leak (fix #1532)
+            Fix potential out of bounds Graphics.scroll
 
      2v00 : Allow changeInterval with large (>32 bit) intervals (fix #1438)
             changeInterval now changes the interval immediately when it's called inside the interval it is changing (fix #1440)
diff --git a/libs/graphics/graphics.c b/libs/graphics/graphics.c
index 9c7c3f3d4..73bdd11b0 100644
--- a/libs/graphics/graphics.c
+++ b/libs/graphics/graphics.c
@@ -73,7 +73,7 @@ void graphicsFallbackScroll(JsGraphics *gfx, int xdir, int ydir) {
   if (xdir==0 && ydir==0) return;
   int y;
   if (ydir<=0) {
-    int h = gfx->data.height+xdir;
+    int h = gfx->data.height+ydir;
     for (y=0;y<h;y++)
       graphicsFallbackScrollX(gfx, xdir, y-ydir, y);
   } else { // >0
diff --git a/test_graphics_scroll.js b/test_graphics_scroll.js
new file mode 100644
index 000000000..f84ff0409
--- /dev/null
+++ b/test_graphics_scroll.js
@@ -0,0 +1,10 @@
+g = Graphics.createArrayBuffer(128,64,1);
+g.drawString("Hello");
+var before = g.buffer.toString(); 
+g.scroll(0,5);
+g.scroll(0,-5);
+g.scroll(5,0);
+g.scroll(-5,0);
+
+var after = g.buffer.toString(); 
+result = before == after;