From b5f1552ed813bd729598cb8a9b5aa5d148453431 Mon Sep 17 00:00:00 2001
From: Flyinghead
Date: Mon, 6 Jun 2022 15:54:25 +0200
Subject: [PATCH] elan: don't crash on invalid texture xfer size

Issue #647: fixes initdv3jb area conquered crash
---
 core/hw/pvr/elan.cpp | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/core/hw/pvr/elan.cpp b/core/hw/pvr/elan.cpp
index 0fba16add..70c29e381 100644
--- a/core/hw/pvr/elan.cpp
+++ b/core/hw/pvr/elan.cpp
@@ -1582,6 +1582,12 @@ static void executeCommand(u8 *data, int size)
 if (link->offset & 0x80000000)
 {
 // elan v10 only
+ if (link->size > VRAM_SIZE)
+ {
+ WARN_LOG(PVR, "Texture DMA from %x to %x (%x invalid)", DMAC_SAR(2), link->vramAddress & 0x1ffffff8, link->size);
+ size = 0;
+ break;
+ }
 DEBUG_LOG(PVR, "Texture DMA from %x to %x (%x)", DMAC_SAR(2), link->vramAddress & 0x1ffffff8, link->size);
 memcpy(&vram[link->vramAddress & VRAM_MASK], &mem_b[DMAC_SAR(2) & RAM_MASK], link->size);
 reg74 |= 1;
@@ -1589,6 +1595,12 @@ static void executeCommand(u8 *data, int size)
 else if (link->offset & 0x20000000)
 {
 // elan v10 only
+ if (link->size > VRAM_SIZE)
+ {
+ WARN_LOG(PVR, "Texture DMA from eram %x -> %x (%x invalid)", link->offset & ELAN_RAM_MASK, link->vramAddress & VRAM_MASK, link->size);
+ size = 0;
+ break;
+ }
 DEBUG_LOG(PVR, "Texture DMA from eram %x -> %x (%x)", link->offset & ELAN_RAM_MASK, link->vramAddress & VRAM_MASK, link->size);
 memcpy(&vram[link->vramAddress & VRAM_MASK], &RAM[link->offset & ELAN_RAM_MASK], link->size);
 reg74 |= 1;
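Review bot: The added `link->size > VRAM_SIZE` guard in both texture-DMA branches bounds the length only against the whole of VRAM, so a transfer whose destination offset `link->vramAddress & VRAM_MASK` is non-zero can still run the `memcpy` past the end of `vram` (assuming `vram` is `VRAM_SIZE` bytes, which the hunks do not show). The source side is unchecked as well: up to `VRAM_SIZE` bytes are read starting at `mem_b[DMAC_SAR(2) & RAM_MASK]` in the first hunk and at `RAM[link->offset & ELAN_RAM_MASK]` in the second, and nothing visible ties that length to the size of those buffers. Because these fields appear to come from guest-supplied command data, I would compare against the remaining space instead, e.g. `u32 dst = link->vramAddress & VRAM_MASK;` followed by `if (link->size > VRAM_SIZE - dst)`, with the equivalent check on each source offset. `executeCommand` starts and ends outside both hunks, so whether `size = 0; break;` cleanly stops processing of the rest of the command buffer cannot be confirmed from here.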