From edcebff3113b5621d2e832c29251772436e84e81 Mon Sep 17 00:00:00 2001
From: Lephe <sebastien.michelland@protonmail.com>
Date: Tue, 8 Jun 2021 09:38:09 +0200
Subject: [PATCH] bopti: fix a VRAM overflow through the rightmost column

The checks for VRAM access account for image columns intersecting the
longword before the start of a VRAM line, but not the longword after the
start of a VRAM line. This is now fixed.
---
 src/render-fx/bopti.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/src/render-fx/bopti.c b/src/render-fx/bopti.c
index 370664a..c2f83ed 100644
--- a/src/render-fx/bopti.c
+++ b/src/render-fx/bopti.c
@@ -25,6 +25,8 @@ struct command
 	uint32_t *masks;
 	/* Whether the first column is real (ie. x>=0) or not */
 	int real_start;
+	/* Whether the last column is written to VRAM */
+	int real_end;
 
 	/* Ignored elements between two rendered grid rows */
 	int vram_stride;
@@ -103,7 +105,7 @@ void bopti_grid(void **layer, int rows, struct command *c)
 			offset++;
 		}
 
-		if(c->x) v1[offset] = pret.r;
+		if(c->real_end) v1[offset] = pret.r;
 
 		*layer += c->data_stride;
 		offset += c->vram_stride;
@@ -137,7 +139,7 @@ void bopti_grid(void **layer, int rows, struct command *c)
 			offset++;
 		}
 
-		if(c->x)
+		if(c->real_end)
 		{
 			v1[offset] = qret.r1;
 			v2[offset] = qret.r2;
@@ -201,6 +203,7 @@ void bopti_render(bopti_image_t const *img, struct rbox *rbox, uint32_t *v1,
 	  .columns      = rbox->columns,
 	  .masks        = masks + 2 * left_origin,
 	  .real_start   = (left_origin > 0),
+	  .real_end     = (rbox->x & 31) && (left_origin + img_columns < 5),
 	  .vram_stride  = 4 - rbox->columns,
 	  .data_stride  = ((img_columns - rbox->columns) << 2) * layers,
 	  .gray         = (v2 != NULL),