From 5d5bfcc1479bdb3e6f0a5497b98cec46d236b20f Mon Sep 17 00:00:00 2001
From: Sergey Lipskiy
Date: Sat, 11 Mar 2017 13:07:24 +0700
Subject: [PATCH] Correct read from RDRAM in FrameBuffer::isValid

Fixed out of bounds read in Pokemon Stadium 2.

---
 src/FrameBuffer.cpp | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/src/FrameBuffer.cpp b/src/FrameBuffer.cpp
index 071e58f4..24253e07 100644
--- a/src/FrameBuffer.cpp
+++ b/src/FrameBuffer.cpp
@@ -261,11 +261,16 @@ bool FrameBuffer::isValid(bool _forceCheck) const
 if (m_cleared) {
 const u32 testColor = m_clearParams.fillcolor & 0xFFFEFFFE;
+ const u32 stride = m_width << m_size >> 1;
+ const u32 lry = _cutHeight(m_startAddress, m_clearParams.lry, stride);
+ if (lry == 0)
+ return false;
+ const u32 ci_width_in_dwords = m_width >> (3 - m_size);
 const u32 start = (m_startAddress >> 2) + m_clearParams.uly * ci_width_in_dwords;
 const u32 * dst = pData + start;
 u32 wrongPixels = 0;
- for (u32 y = m_clearParams.uly; y < m_clearParams.lry; ++y) {
+ for (u32 y = m_clearParams.uly; y < lry; ++y) {
 for (u32 x = m_clearParams.ulx; x < m_clearParams.lrx; ++x) {
 if ((dst[x] & 0xFFFEFFFE) != testColor)
 ++wrongPixels;