# HG changeset patch
# User Matti Hamalainen
# Date 1558925997 -10800
# Node ID 59bde9a7220d3feeef7ee84dc869fab0ba5bc420
# Parent f12ac487954ba91fdbbb884dbedc227513085e3c
Add few out of bounds checks.
diff -r f12ac487954b -r 59bde9a7220d tools/lib64gfx.c
--- a/tools/lib64gfx.c Mon May 27 00:04:02 2019 +0300
+++ b/tools/lib64gfx.c Mon May 27 05:59:57 2019 +0300
@@ -1317,8 +1317,16 @@
 const int scroffs = scroffsy + x;
 const int xshift = 7 - (xc & 7);
 const int chr = src->screen[0].data[scroffs];
+ const size_t chrOffs = (chr * C64_CHR_SIZE) + yb;
- if ((src->charData[0].data[chr * C64_CHR_SIZE + yb] >> xshift) & 1)
+ if (chrOffs >= src->charData[0].size)
+ {
+ return dmError(DMERR_INVALID_DATA,
+ "Character map index #%d out of bounds for char ROM data.\n",
+ chr);
+ }
+
+ if ((src->charData[0].data[chrOffs] >> xshift) & 1)
 *dp++ = src->color[0].data[scroffs];
 else
 *dp++ = src->bgcolor;
@@ -1331,8 +1339,16 @@
 const int scroffs = scroffsy + x;
 const int xshift = 7 - (xc & 7);
 const int chr = src->screen[0].data[scroffs];
+ const size_t chrOffs = ((chr & 0x3f) * C64_CHR_SIZE) + yb;
- if ((src->charData[0].data[(chr & 0x3f) * C64_CHR_SIZE + yb] >> xshift) & 1)
+ if (chrOffs >= src->charData[0].size)
+ {
+ return dmError(DMERR_INVALID_DATA,
+ "Character map index #%d out of bounds for char ROM data.\n",
+ chr);
+ }
+
+ if ((src->charData[0].data[chrOffs] >> xshift) & 1)
 *dp++ = src->color[0].data[scroffs] & 15;
 else
 switch ((chr >> 6) & 3)
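Review bot: In the first hunk (`@@ -1317,8 +1317,16 @@`) `scroffs` still indexes `src->screen[0].data` and `src->color[0].data` without any comparison against a size, so the new guard bounds only the `charData` read. The enclosing loop starts outside the hunk, so whether `scroffsy + x` is range-checked earlier is not visible here; if it is not, an input file with short screen or colour data leaves the same kind of out-of-bounds read in place. Assuming those blocks carry a `.size` field like `charData[0]` does, a matching guard before the `chr` lookup would close it: `if ((size_t) scroffs >= src->screen[0].size || (size_t) scroffs >= src->color[0].size) return dmError(DMERR_INVALID_DATA, "Screen offset %d out of bounds.\n", scroffs);`. The hunks at `@@ -1331,8 +1339,16 @@` and `@@ -1351,11 +1367,19 @@` read `screen[0]` and `color[0]` the same way.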
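Review bot: The error message in the second hunk (`@@ -1331,8 +1339,16 @@`) prints the raw screen code `chr`, but the index that failed the check is `chr & 0x3f`, so the reported value can name a character that was never looked up. Passing the masked value, `chr & 0x3f);` in place of `chr);`, keeps the diagnostic consistent with how `chrOffs` was computed. Adding `chrOffs` and `src->charData[0].size` to the message would also make a truncated character set easier to recognise from the log.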
@@ -1351,11 +1367,19 @@
 const int scroffs = scroffsy + x;
 const int chr = src->screen[0].data[scroffs];
 const int col = src->color[0].data[scroffs];
+ const size_t chrOffs = (chr * C64_CHR_SIZE) + yb;
+
+ if (chrOffs >= src->charData[0].size)
+ {
+ return dmError(DMERR_INVALID_DATA,
+ "Character map index #%d out of bounds for char ROM data.\n",
+ chr);
+ }
 if (col & 8)
 {
 const int xshift = 6 - ((xc * 2) & 6);
- switch ((src->charData[0].data[chr * C64_CHR_SIZE + yb] >> xshift) & 3)
+ switch ((src->charData[0].data[chrOffs] >> xshift) & 3)
 {
 case 0: *dp++ = src->bgcolor; break;
 case 1: *dp++ = src->d022; break;
@@ -1366,7 +1390,7 @@
 else
 {
 const int xshift = 7 - (xc & 7);
- if ((src->charData[0].data[chr * C64_CHR_SIZE + yb] >> xshift) & 1)
+ if ((src->charData[0].data[chrOffs] >> xshift) & 1)
 *dp++ = col & 7;
 else
 *dp++ = src->bgcolor;
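Review bot: The guard added in the hunk at `@@ -1351,11 +1367,19 @@` is the third copy of the same check and message, differing from the other two only in how `chrOffs` is computed. A small file-local helper that takes `src`, `chrOffs` and `chr` and returns the `dmError()` result would keep the three paths from drifting apart when the check or its message changes. This guard also appears to be what protects the `else` branch rewritten in `@@ -1366,7 +1390,7 @@`, which sits far enough below it to deserve a comment such as `/* chrOffs validated above, before the col & 8 split */`. Both branches continue outside the hunks.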