From 8709bbad89f447afdb2b8c3dd93b5b9f55cfab4c Mon Sep 17 00:00:00 2001
From: angelosa <salese_corp_ltd@email.it>
Date: Fri, 25 Aug 2017 06:40:05 +0200
Subject: [PATCH] nightgal.cpp: Fix Night Gal Summer GFX ROM out of bounds
 accesses [Angelo Salese]

---
 src/devices/video/jangou_blitter.cpp | 24 +++++++++++++++++++++++-
 src/mame/drivers/nightgal.cpp        |  7 +++++--
 2 files changed, 28 insertions(+), 3 deletions(-)

diff --git a/src/devices/video/jangou_blitter.cpp b/src/devices/video/jangou_blitter.cpp
index 9f6cc6ddca3..93c3afe9031 100644
--- a/src/devices/video/jangou_blitter.cpp
+++ b/src/devices/video/jangou_blitter.cpp
@@ -17,6 +17,7 @@
 #include "jangou_blitter.h"
 
 
+#define DEBUG_OUT_OF_MASK 0
 
 //**************************************************************************
 //  GLOBAL VARIABLES
@@ -125,12 +126,25 @@ void jangou_blitter_device::trigger_write(void)
 	int src, x, y, h, w, flipx;
 	int count = 0;
 	int xcount, ycount;
-
+#if DEBUG_OUT_OF_MASK
+	bool debug_flag;
+#endif
+	
 	w = (m_width & 0xff) + 1;
 	h = (m_height & 0xff) + 1;
 	src = m_src_addr & m_gfxrommask;
 	if(m_src_addr & ~m_gfxrommask)
+	{
 		logerror("%s: Warning blit src address = %08x above ROM mask %08x\n",this->tag(),m_src_addr,m_gfxrommask);
+#if DEBUG_OUT_OF_MASK
+		debug_flag = true;
+#endif
+	}
+#if DEBUG_OUT_OF_MASK
+	else
+		debug_flag = false;
+#endif
+
 	x = (m_x & 0xff);
 	y = (m_y & 0xff);
 
@@ -150,6 +164,10 @@ void jangou_blitter_device::trigger_write(void)
 			int drawy = (y + ycount) & 0xff;
 			uint8_t dat = gfx_nibble(src + count);
 			uint8_t cur_pen = m_pen_data[dat & 0x0f];
+#if DEBUG_OUT_OF_MASK
+			if(debug_flag == true)
+				cur_pen = machine().rand() & 0xf;
+#endif
 			//dat = cur_pen_lo | (cur_pen_hi << 4);
 
 			if ((cur_pen & 0xff) != 0)
@@ -202,20 +220,24 @@ WRITE8_MEMBER( jangou_blitter_device::src_lo_address_w )
 	m_src_addr &= ~0xff;
 	m_src_addr |= data & 0xff;
 }
+
 WRITE8_MEMBER( jangou_blitter_device::src_md_address_w )
 {
 	m_src_addr &= ~0xff00;
 	m_src_addr |= data << 8;
 }
+
 WRITE8_MEMBER( jangou_blitter_device::src_hi_address_w )
 {
 	m_src_addr &= ~0xff0000;
 	m_src_addr |= data << 16;
 }
+
 WRITE8_MEMBER( jangou_blitter_device::width_w )
 {
 	m_width = data;
 }
+
 WRITE8_MEMBER( jangou_blitter_device::height_and_trigger_w )
 {
 	m_height = data;
diff --git a/src/mame/drivers/nightgal.cpp b/src/mame/drivers/nightgal.cpp
index f801d5de830..7447d83867d 100644
--- a/src/mame/drivers/nightgal.cpp
+++ b/src/mame/drivers/nightgal.cpp
@@ -1033,14 +1033,17 @@ ROM_START( ngalsumr )
 	ROM_LOAD( "2s.ic6", 0x04000, 0x04000, CRC(ca2a735f) SHA1(5980525a67fb0ffbfa04b82d805eee2463236ce3) )
 	ROM_LOAD( "3s.ic5", 0x08000, 0x04000, CRC(5cf15267) SHA1(72e4b2aa59a50af6b1b25d5279b3b125bfe06d86) )
 
-	ROM_REGION( 0x20000, "gfx", ROMREGION_ERASEFF )
+	ROM_REGION( 0x40000, "gfx", ROMREGION_ERASEFF )
 	ROM_LOAD( "1.3a",  0x00000, 0x04000, CRC(9626f812) SHA1(ca7162811a0ba05dfaa2aa8cc93a2e898b326e9e) )
 	ROM_LOAD( "3.3d",  0x04000, 0x04000, CRC(2fb2ec0b) SHA1(2f1735e33906783b8c0b283455a2a079431e6f11) )
 	ROM_LOAD( "5.3h",  0x08000, 0x04000, CRC(feaca6a3) SHA1(6658c01ac5769e8317a1c7eec6802e7c96885710) )
 	ROM_LOAD( "2.3c",  0x10000, 0x04000, CRC(0d59cf7a) SHA1(600bc70d29853fb936f8adaef048d925cbae0ce9) )
+	ROM_RELOAD(        0x20000, 0x04000 )
 	ROM_LOAD( "4.3f",  0x14000, 0x04000, CRC(c7b85199) SHA1(1c4ed2faf82f45d8a23c168793b02969f1201df6) )
+	ROM_RELOAD(        0x24000, 0x04000 )
 	ROM_LOAD( "6.3l",  0x18000, 0x04000, CRC(de9e05f8) SHA1(724468eade222b513b7f39f0a24515f343428130) )
-
+	ROM_RELOAD(        0x28000, 0x04000 )
+	
 	ROM_REGION( 0x20, "proms", 0 )
 	ROM_LOAD( "ng2.6u", 0x00, 0x20, CRC(0162a24a) SHA1(f7e1623c5bca3725f2e59ae2096b9bc42e0363bf) )
 ROM_END