From 740f7a0f66a1dc78af39db981dcc332bab8bdff6 Mon Sep 17 00:00:00 2001
From: Jeffrey Pfau
Date: Mon, 12 Sep 2016 12:49:19 -0700
Subject: [PATCH] GB: Check for LY when loading state

---
 src/gb/serialize.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/gb/serialize.c b/src/gb/serialize.c
index 145296161..53d1210e4 100644
--- a/src/gb/serialize.c
+++ b/src/gb/serialize.c
@@ -88,6 +88,7 @@ bool GBDeserialize(struct GB* gb, const struct GBSerializedState* state) {
 bool error = false;
 int32_t check;
 uint32_t ucheck;
+ int16_t check16;
 LOAD_32LE(ucheck, 0, &state->versionMagic);
 if (ucheck > GB_SAVESTATE_MAGIC + GB_SAVESTATE_VERSION) {
 mLOG(GB_STATE, WARN, "Invalid or too new savestate: expected %08X, got %08X", GB_SAVESTATE_MAGIC + GB_SAVESTATE_VERSION, ucheck);
@@ -125,6 +126,11 @@ bool GBDeserialize(struct GB* gb, const struct GBSerializedState* state) {
 mLOG(GB_STATE, WARN, "Savestate is corrupted: video eventDiff is negative");
 error = true;
 }
+ LOAD_32LE(check16, 0, &state->video.ly);
+ if (check16 < 0 || check16 > GB_VIDEO_VERTICAL_TOTAL_PIXELS) {
+ mLOG(GB_STATE, WARN, "Savestate is corrupted: video y is out of range");
+ error = true;
+ }
 if (error) {
 return false;
 }
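Review bot: The load width and the destination width disagree in the second hunk: `check16` is declared `int16_t` in the first hunk, but the new line reads it with `LOAD_32LE(check16, 0, &state->video.ly)`, so if `video.ly` is a 16-bit field in the serialized state (which the `int16_t` destination suggests) this reads 16 bits past the field and relies on the narrowing assignment to discard them, and on a big-endian host the byte-swapped 32-bit value would not land the same way; it should be `LOAD_16LE(check16, 0, &state->video.ly);` assuming the codebase provides the 16-bit counterpart of the macro used here. The range check is also worth a second look: if `GB_VIDEO_VERTICAL_TOTAL_PIXELS` is the number of scanlines rather than the index of the last valid one, a value equal to it is still out of range and the test should be `check16 >= GB_VIDEO_VERTICAL_TOTAL_PIXELS`. Since this value is later used as a scanline index read from an untrusted savestate file, an off-by-one in the bound would defeat the purpose of the check. GBDeserialize's body starts and ends outside both hunks.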