From b8c05fd084db5606b687955c142dee3bb7689994 Mon Sep 17 00:00:00 2001
From: AJR
Date: Sun, 1 May 2016 10:26:28 -0400
Subject: [PATCH] Workaround for MT 06194 (potential segfault during floppy load)

---
 src/devices/imagedev/floppy.cpp | 8 +++++++-
 src/lib/formats/upd765_dsk.cpp  | 6 ++++++
 2 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/src/devices/imagedev/floppy.cpp b/src/devices/imagedev/floppy.cpp
index d31c67f6072..67ccf6e198c 100644
--- a/src/devices/imagedev/floppy.cpp
+++ b/src/devices/imagedev/floppy.cpp
@@ -412,7 +412,13 @@ bool floppy_image_device::call_load()
 	}
 
 	image = global_alloc(floppy_image(tracks, sides, form_factor));
-	best_format->load(&io, form_factor, image);
+	if (!best_format->load(&io, form_factor, image))
+	{
+		seterror(IMAGE_ERROR_UNSUPPORTED, "Incompatible image format or corrupted data");
+		global_free(image);
+		image = nullptr;
+		return IMAGE_INIT_FAIL;
+	}
 
 	output_format = is_readonly() ? nullptr : best_format;
 	revolution_start_time = mon ? attotime::never : machine().time();
diff --git a/src/lib/formats/upd765_dsk.cpp b/src/lib/formats/upd765_dsk.cpp
index d9da1c5bd21..97d0daa7d6a 100644
--- a/src/lib/formats/upd765_dsk.cpp
+++ b/src/lib/formats/upd765_dsk.cpp
@@ -180,7 +180,13 @@ bool upd765_format::load(io_generic *io, UINT32 form_factor, floppy_image *image
 	if(type == -1)
 		return false;
 
+	// format shouldn't exceed image geometry
 	const format &f = formats[type];
+	int img_tracks, img_heads;
+	image->get_maximal_geometry(img_tracks, img_heads);
+	if (f.track_count > img_tracks || f.head_count > img_heads)
+		return false;
+
 	floppy_image_format_t::desc_e *desc;
 	int current_size;
 	int end_gap_index;
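Review bot: The new failure branch in call_load() only closes the hole for format loaders that actually return false; a loader that writes past the image geometry without checking (the commit title itself calls this a workaround) still reaches the same crash before this guard ever runs, so the real fix presumably belongs in the floppy_image buffer accessors, which is worth stating in a comment here. The error code also looks mismatched: best_format was already selected by identification, so a load failure is a corrupt or geometry-mismatched image rather than an unsupported format; if the image_error_t enum in this tree has an invalid-image value, `seterror(IMAGE_ERROR_INVALIDIMAGE, "Incompatible image format or corrupted data");` describes the situation better. Also document the cleanup contract on the branch, e.g. `// load() failed after the image was allocated: free the half-filled image so no later path (unload, save) dereferences it`. The body of call_load() begins and ends outside this hunk, so I cannot confirm whether anything set earlier in the function (format/open state) also needs resetting on this path.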
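Review bot: The geometry check is applied in load(), which is after the format has already been chosen as best match, so a mismatched format now turns the whole mount into a failure instead of letting a better-fitting format win; the same comparison of `f.track_count`/`f.head_count` against `image->get_maximal_geometry()` should presumably also be part of the identification step (find_size()/identify()) so that a format whose geometry cannot fit the drive is never selected, with the check in load() kept as a defensive backstop. The comment `// format shouldn't exceed image geometry` would read better as `// Reject a format whose track/head count exceeds what this floppy_image can hold; writing such tracks would index past the image's track buffers (MT 06194)`. Both out-parameters could be brace-initialised (`int img_tracks{0}, img_heads{0};`) so a failure to fill them cannot leave the comparison on indeterminate values. upd765_format::load() starts before this hunk and continues after it, so the loop that generates tracks from f.track_count is not visible here.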