From d3780c0d7d45e64531c16f916e9ea088ccc59998 Mon Sep 17 00:00:00 2001
From: Xavier Del Campo Romero
Date: Sat, 7 Nov 2020 16:00:08 +0100
Subject: [PATCH] Fix buffer overflow on GsLoadFont

LoadImage accesses img[0..15] when w=16, h=1, causing it to read past `pal`.
---
 libpsx/src/gpu.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libpsx/src/gpu.c b/libpsx/src/gpu.c
index 6a59c72..beb6560 100644
--- a/libpsx/src/gpu.c
+++ b/libpsx/src/gpu.c
@@ -1045,7 +1045,7 @@ void GsSetDispEnvSimple(int x, int y)
 void GsLoadFont(int fb_x, int fb_y, int cx, int cy)
 {
- unsigned short pal[2] = {0x0, 0x7fff};
+ const unsigned short pal[16] = {0x0, 0x7fff};
 LoadImage(psxsdk_font_data, fb_x, fb_y, 16, 128);
 while(GsIsDrawing());
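Review bot: The new array length 16 in `pal[16]` is a bare literal that has to stay equal to the width passed to the LoadImage call that uploads `pal`, and that call is outside this hunk, so nothing ties the two together if either is edited later. I would name the size once and use it in both places, e.g. `enum { FONT_CLUT_ENTRIES = 16 };` with `const unsigned short pal[FONT_CLUT_ENTRIES] = {0x0, 0x7fff};`, and add a comment such as `/* full 16-entry CLUT row; entries 2..15 are zero-filled padding so the upload never reads past the array */`. Separately, the added `const` will discard a qualifier if LoadImage's image parameter is a non-const pointer; its prototype is not visible here, so please confirm the build stays warning-free. GsLoadFont's body continues past the end of the hunk.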