From 235530cec884ef81310fce8e97ba42deb5d470f5 Mon Sep 17 00:00:00 2001
From: Sergey Lipskiy
Date: Tue, 1 Mar 2016 16:49:54 +0600
Subject: [PATCH] Fix out of range read/write in _copyPixelsFromRdram when address in input array is outside of current frame buffer.
---
 src/FrameBuffer.cpp | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/src/FrameBuffer.cpp b/src/FrameBuffer.cpp
index 80d425c6..dffb4f65 100644
--- a/src/FrameBuffer.cpp
+++ b/src/FrameBuffer.cpp
@@ -1620,9 +1620,13 @@ bool _copyPixelsFromRdram(u32 _address, const vector & _vecAddress, u32* _d
 u32 summ = 0;
 u32 idx, w, h;
 for (size_t i = 0; i < numPixels; ++i) {
+ if (_vecAddress[i] < _address)
+ return false;
 idx = (_vecAddress[i] - _address) / szPixel;
 w = idx % _width;
 h = idx / _width;
+ if (h > _height)
+ return false;
 col = src[idx];
 summ += col;
 _dst[(w + (_height - h)*_width) ^ _xor] = converter(col, _bCFB);
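Review bot: The upper-bound guard `if (h > _height)` still admits `h == _height`, so `src[idx]` can read one full row past a frame buffer of `_width * _height` pixels; if `_height` is a row count rather than the last valid row index (its definition is outside the hunk), the guard should be `if (h >= _height) return false;`. The destination index `(w + (_height - h)*_width) ^ _xor` likewise reaches row `_height` when `h == 0`, so it is worth confirming in the same change that `_dst` is sized for `_height + 1` rows or adjusting the row term. Both early returns fire after earlier iterations may already have written into `_dst`, so a short comment above the loop stating that a `false` result leaves `_dst` partially filled and must be discarded by the caller would help. The body of `_copyPixelsFromRdram` begins and ends outside this hunk, so the buffer sizes are inferred, not visible.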