From 4fd127651d9177a8a32b3a5415654ff741f8c459 Mon Sep 17 00:00:00 2001
From: Magnus Norddahl
Date: Sun, 26 Jun 2016 06:54:32 +0200
Subject: [PATCH] Fixed fuzz drawer crash
---
 src/r_draw_rgba.cpp | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)
diff --git a/src/r_draw_rgba.cpp b/src/r_draw_rgba.cpp
index 2576cfeda2..a0f534164b 100644
--- a/src/r_draw_rgba.cpp
+++ b/src/r_draw_rgba.cpp
@@ -826,7 +826,10 @@ public:
 // Handle the case where we would go out of bounds at the top:
 if (yl < fuzzstep)
 {
- uint32_t bg = dest[fuzzoffset[fuzz] * fuzzstep + pitch];
+ uint32_t *srcdest = dest + fuzzoffset[fuzz] * fuzzstep + pitch;
+ //assert(static_cast((srcdest - (uint32_t*)dc_destorg) / (_pitch)) < viewheight);
+
+ uint32_t bg = *srcdest;
 uint32_t red = RPART(bg) * 3 / 4;
 uint32_t green = GPART(bg) * 3 / 4;
@@ -842,7 +845,7 @@ public:
 return;
 }
- bool lowerbounds = (yl + count * fuzzstep > _fuzzviewheight);
+ bool lowerbounds = (yl + (count + fuzzstep - 1) * fuzzstep > _fuzzviewheight);
 if (lowerbounds)
 count--;
@@ -858,7 +861,10 @@ public:
 count -= cnt;
 do
 {
- uint32_t bg = dest[fuzzoffset[fuzz] * fuzzstep];
+ uint32_t *srcdest = dest + fuzzoffset[fuzz] * fuzzstep;
+ //assert(static_cast((srcdest - (uint32_t*)dc_destorg) / (_pitch)) < viewheight);
+
+ uint32_t bg = *srcdest;
 uint32_t red = RPART(bg) * 3 / 4;
 uint32_t green = GPART(bg) * 3 / 4;
@@ -875,7 +881,10 @@ public:
 // Handle the case where we would go out of bounds at the bottom
 if (lowerbounds)
 {
- uint32_t bg = dest[fuzzoffset[fuzz] * fuzzstep - pitch];
+ uint32_t *srcdest = dest + fuzzoffset[fuzz] * fuzzstep - pitch;
+ //assert(static_cast((srcdest - (uint32_t*)dc_destorg) / (_pitch)) < viewheight);
+
+ uint32_t bg = *srcdest;
 uint32_t red = RPART(bg) * 3 / 4;
 uint32_t green = GPART(bg) * 3 / 4;
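Review bot: The bounds check added beside the new `srcdest` pointer in the `yl < fuzzstep` branch is commented out, so the `*srcdest` read is still unchecked in every build. The same dead line is repeated in the `do` loop and in the `lowerbounds` branch later in this patch. Either enable it for debug builds or delete it. If it stays, note that it divides by `_pitch` while the pointer arithmetic uses `pitch`, which would give the wrong row if the two differ (not determinable from the hunk). It also appears to test only the upper limit `< viewheight`, so unless the cast target is unsigned a pointer before the buffer start would pass; `assert(srcdest >= (uint32_t*)dc_destorg);` would cover that edge. The enclosing function starts and ends outside the hunk.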
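Review bot: The new `lowerbounds` test `yl + (count + fuzzstep - 1) * fuzzstep > _fuzzviewheight` has no comment saying which row it bounds. The `fuzzstep - 1` term is added to an iteration count and then scaled by `fuzzstep` again, which reads as a deliberate over-estimate rather than an exact limit. This comparison appears to be what keeps the loop's `dest + fuzzoffset[fuzz] * fuzzstep` read inside the frame buffer, so I would add a comment such as `// conservative: the last row the loop can sample must stay below _fuzzviewheight` and state the assumed range of `fuzzoffset[]`. It is also worth confirming that `count--` cannot take `count` to zero or below before the loop runs, which is not visible in this hunk.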