Previous

199869 Revisions

Next

r25339 Sunday 15th September, 2013 at 23:49:35 UTC by Angelo Salese
Fixed fb out-of-bounds writes

[src/mame/video]	powervr2.c
[src/mess/drivers]	dccons.c

trunk/src/mame/video/powervr2.c

r25338	r25339
2996	2996	UINT32 *fbaddr;
2997	2997	UINT32 c;
2998	2998	UINT32 r,g,b;
2999		//INT32 vo_horz_start_pos = vo_startx & 0x3ff;
3000	2999	UINT8 interlace_on = ((spg_control & 0x10) >> 4);
3001	3000	INT32 ystart_f1 = (vo_starty & 0x3ff) << interlace_on;
3002	3001	//INT32 ystart_f2 = (vo_starty >> 16) & 0x3ff;
3003	3002	INT32 hstart = (vo_startx & 0x3ff);
	3003	int res_x,res_y;
	3004	//   rectangle fbclip;
3004	3005
3005	3006	UINT8 unpackmode = (fb_r_ctrl & 0x0000000c) >>2;  // aka fb_depth
3006	3007	UINT8 enable = (fb_r_ctrl & 0x00000001);
r25338	r25339
3017	3018
3018	3019	//   popmessage("%d %d %d %d %d",ystart_f1,ystart_f2,interlace_on,spg_vblank & 0x3ff,(spg_vblank >> 16) & 0x3ff);
3019	3020
	3021	#if 0
	3022	fbclip.min_x = hstart;
	3023	fbclip.min_y = ystart_f1;
	3024	fbclip.max_x = hstart + (xi << ((vo_control & 0x100) >> 8));
	3025	fbclip.max_y = ystart_f1 + dy;
	3026
	3027	popmessage("%d %d %d %d",fbclip.min_x,fbclip.min_y,fbclip.max_x,fbclip.max_y);
	3028	#endif
	3029
3020	3030	switch (unpackmode)
3021	3031	{
3022	3032	case 0x00: // 0555 RGB 16-bit, Cleo Fortune Plus
r25338	r25339
3028	3038	{
3029	3039	for (x=0;x < xi;x++)
3030	3040	{
3031		fbaddr=&bitmap.pix32(y + ystart_f1, x*2+0 + hstart);
	3041	res_x = x*2+0 + hstart;
	3042	res_y = y + ystart_f1;
	3043
	3044	fbaddr=&bitmap.pix32(res_y, res_x);
3032	3045	c=*((reinterpret_cast<UINT16 *>(dc_framebuffer_ram)) + (WORD2_XOR_LE(addrp) >> 1));
3033	3046
3034	3047	b = (c & 0x001f) << 3;
3035	3048	g = (c & 0x03e0) >> 2;
3036	3049	r = (c & 0x7c00) >> 7;
3037	3050
3038		if (y<=cliprect.max_y)
	3051	if (cliprect.contains(res_x, res_y))
3039	3052	*fbaddr = b | (g<<8) | (r<<16);
3040	3053
3041		fbaddr=&bitmap.pix32(y + ystart_f1, x*2+1 + hstart);
3042		if (y<=cliprect.max_y)
	3054	res_x = x*2+1 + hstart;
	3055
	3056	fbaddr=&bitmap.pix32(res_y, res_x);
	3057	if (cliprect.contains(res_x, res_y))
3043	3058	*fbaddr = b | (g<<8) | (r<<16);
3044	3059	addrp+=2;
3045	3060	}
r25338	r25339
3048	3063	{
3049	3064	for (x=0;x < xi;x++)
3050	3065	{
3051		fbaddr=&bitmap.pix32(y + ystart_f1, x + hstart);
	3066	res_x = x + hstart;
	3067	res_y = y + ystart_f1;
	3068
	3069	fbaddr=&bitmap.pix32(res_y, res_x);
3052	3070	c=*((reinterpret_cast<UINT16 *>(dc_framebuffer_ram)) + (WORD2_XOR_LE(addrp) >> 1));
3053	3071
3054	3072	b = (c & 0x001f) << 3;
3055	3073	g = (c & 0x03e0) >> 2;
3056	3074	r = (c & 0x7c00) >> 7;
3057	3075
3058		if (y<=cliprect.max_y)
	3076	if (cliprect.contains(res_x, res_y))
3059	3077	*fbaddr = b | (g<<8) | (r<<16);
3060	3078	addrp+=2;
3061	3079	}
r25338	r25339
3072	3090	{
3073	3091	for (x=0;x < xi;x++)
3074	3092	{
3075		fbaddr=&bitmap.pix32(y + ystart_f1, x*2+0 + hstart);
	3093	res_x = x*2+0 + hstart;
	3094	res_y = y + ystart_f1;
	3095	fbaddr=&bitmap.pix32(res_y, res_x);
3076	3096	c=*((reinterpret_cast<UINT16 *>(dc_framebuffer_ram)) + (WORD2_XOR_LE(addrp) >> 1));
3077	3097
3078	3098	b = (c & 0x001f) << 3;
3079	3099	g = (c & 0x07e0) >> 3;
3080	3100	r = (c & 0xf800) >> 8;
3081	3101
3082		if (y<=cliprect.max_y)
	3102	if (cliprect.contains(res_x, res_y))
3083	3103	*fbaddr = b | (g<<8) | (r<<16);
3084	3104
3085		fbaddr=&bitmap.pix32(y + ystart_f1, x*2+1 + hstart);
	3105	res_x = x*2+1 + hstart;
	3106	//res_y = y + ystart_f1;
	3107	fbaddr=&bitmap.pix32(res_y, res_x);
3086	3108
3087		if (y<=cliprect.max_y)
	3109	if (cliprect.contains(res_x, res_y))
3088	3110	*fbaddr = b | (g<<8) | (r<<16);
3089	3111
3090	3112	addrp+=2;
r25338	r25339
3094	3116	{
3095	3117	for (x=0;x < xi;x++)
3096	3118	{
3097		fbaddr=&bitmap.pix32(y + ystart_f1, x + hstart);
	3119	res_x = x + hstart;
	3120	res_y = y + ystart_f1;
	3121	fbaddr=&bitmap.pix32(res_y, res_x);
3098	3122	c=*((reinterpret_cast<UINT16 *>(dc_framebuffer_ram)) + (WORD2_XOR_LE(addrp) >> 1));
3099	3123
3100	3124	b = (c & 0x001f) << 3;
3101	3125	g = (c & 0x07e0) >> 3;
3102	3126	r = (c & 0xf800) >> 8;
3103	3127
3104		if (y<=cliprect.max_y)
	3128	if (cliprect.contains(res_x, res_y))
3105	3129	*fbaddr = b | (g<<8) | (r<<16);
3106	3130	addrp+=2;
3107	3131	}
r25338	r25339
3118	3142	{
3119	3143	for (x=0;x < xi;x++)
3120	3144	{
3121		fbaddr=&bitmap.pix32(y + ystart_f1, x*2+0 + hstart);
	3145	res_x = x*2+0 + hstart;
	3146	res_y = y + ystart_f1;
3122	3147
	3148	fbaddr=&bitmap.pix32(res_y, res_x);
	3149
3123	3150	c =*(UINT8 *)((reinterpret_cast<UINT8 *>(dc_framebuffer_ram)) + BYTE8_XOR_LE(addrp));
3124	3151	b = c;
3125	3152
r25338	r25339
3129	3156	c =*(UINT8 *)((reinterpret_cast<UINT8 *>(dc_framebuffer_ram)) + BYTE8_XOR_LE(addrp+2));
3130	3157	r = c;
3131	3158
3132		if (y<=cliprect.max_y)
	3159	if (cliprect.contains(res_x, res_y))
3133	3160	*fbaddr = b | (g<<8) | (r<<16);
3134	3161
3135		fbaddr=&bitmap.pix32(y + ystart_f1, x*2+1 + hstart);
3136		if (y<=cliprect.max_y)
	3162	res_x = x*2+1 + hstart;
	3163
	3164	fbaddr=&bitmap.pix32(res_y, res_x);
	3165	if (cliprect.contains(res_x, res_y))
3137	3166	*fbaddr = b | (g<<8) | (r<<16);
3138	3167
3139	3168	addrp+=3;
r25338	r25339
3143	3172	{
3144	3173	for (x=0;x < xi;x++)
3145	3174	{
3146		fbaddr=&bitmap.pix32(y + ystart_f1, x + hstart);
	3175	res_x = x + hstart;
	3176	res_y = y + ystart_f1;
	3177	fbaddr=&bitmap.pix32(res_y, res_x);
3147	3178
3148	3179	c =*(UINT8 *)((reinterpret_cast<UINT8 *>(dc_framebuffer_ram)) + BYTE8_XOR_LE(addrp));
3149	3180	b = c;
r25338	r25339
3154	3185	c =*(UINT8 *)((reinterpret_cast<UINT8 *>(dc_framebuffer_ram)) + BYTE8_XOR_LE(addrp+2));
3155	3186	r = c;
3156	3187
3157		if (y<=cliprect.max_y)
	3188	if (cliprect.contains(res_x, res_y))
3158	3189	*fbaddr = b | (g<<8) | (r<<16);
3159	3190
3160	3191	addrp+=3;
r25338	r25339
3172	3203	{
3173	3204	for (x=0;x < xi;x++)
3174	3205	{
3175		fbaddr=&bitmap.pix32(y + ystart_f1, x*2+0 + hstart);
	3206	res_x = x*2+0 + hstart;
	3207	res_y = y + ystart_f1;
	3208
	3209	fbaddr=&bitmap.pix32(res_y, res_x);
3176	3210	c =*((reinterpret_cast<UINT32 *>(dc_framebuffer_ram)) + (WORD2_XOR_LE(addrp) >> 2));
3177	3211
3178	3212	b = (c & 0x0000ff) >> 0;
3179	3213	g = (c & 0x00ff00) >> 8;
3180	3214	r = (c & 0xff0000) >> 16;
3181	3215
3182		if (y<=cliprect.max_y)
	3216	if (cliprect.contains(res_x, res_y))
3183	3217	*fbaddr = b | (g<<8) | (r<<16);
3184	3218
3185		fbaddr=&bitmap.pix32(y + ystart_f1, x*2+1 + hstart);
3186		if (y<=cliprect.max_y)
	3219	res_x = x*2+1 + hstart;
	3220
	3221	fbaddr=&bitmap.pix32(res_y, res_x);
	3222	if (cliprect.contains(res_x, res_y))
3187	3223	*fbaddr = b | (g<<8) | (r<<16);
3188	3224
3189	3225	addrp+=4;
r25338	r25339
3193	3229	{
3194	3230	for (x=0;x < xi;x++)
3195	3231	{
3196		fbaddr=&bitmap.pix32(y + ystart_f1, x + hstart);
	3232	res_x = x + hstart;
	3233	res_y = y + ystart_f1;
	3234	fbaddr=&bitmap.pix32(res_y, res_x);
3197	3235	c =*((reinterpret_cast<UINT32 *>(dc_framebuffer_ram)) + (WORD2_XOR_LE(addrp) >> 2));
3198	3236
3199	3237	b = (c & 0x0000ff) >> 0;
3200	3238	g = (c & 0x00ff00) >> 8;
3201	3239	r = (c & 0xff0000) >> 16;
3202	3240
3203		if (y<=cliprect.max_y)
	3241	if (cliprect.contains(res_x, res_y))
3204	3242	*fbaddr = b | (g<<8) | (r<<16);
3205	3243
3206	3244	addrp+=4;
r25338	r25339
3734	3772	UINT8 interlace_on = ((spg_control & 0x10) >> 4);
3735	3773	dc_state *state = machine().driver_data<dc_state>();
3736	3774
3737		if(interlace_on)
3738		{
3739		vbin_line <<= 1;
3740		vbout_line <<= 1;
3741		}
	3775	vbin_line <<= interlace_on;
	3776	vbout_line <<= interlace_on;
3742	3777
3743	3778	if(vbin_line-(1+interlace_on) == vpos)
3744	3779	state->m_maple->maple_hw_trigger();

trunk/src/mess/drivers/dccons.c

r25338	r25339
20	20	TODO:
21	21	- RTC error always pops up at start-up, no flash plus bug with ticks (needs rewrite)
22	22	- Inputs doesn't work most of the time;
	23	- Candy Stripe: fills the log with "ATAPI_FEATURES_FLAG_OVL not supported", black screen
	24	- Carrier: Jaleco logo uses YUV, but y size is halved?
23	25	- F355 Challenge: black screen after Sega logo;
24	26	- Idol Janshi wo Tsukucchaou: pixel aspect is way wrong (stretched and offsetted horizontally)
25	27	- Power Stone: hangs at Capcom logo;

Previous

199869 Revisions

Next

---

© 1997-2024 The MAME Team