From 9a976b4d40f9178023254ba0522907aed84cdf7f Mon Sep 17 00:00:00 2001
From: Duncan Frost <duncans_pumpkin@hotmail.co.uk>
Date: Thu, 29 Jan 2015 17:41:09 +0000
Subject: [PATCH 1/3] Fix #728 bug caused by accessing map_elements below -1

---
 src/ride/ride_ratings.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/ride/ride_ratings.c b/src/ride/ride_ratings.c
index 0f54794a0b..570bfd1dad 100644
--- a/src/ride/ride_ratings.c
+++ b/src/ride/ride_ratings.c
@@ -733,8 +733,8 @@ static int ride_ratings_get_scenery_score(rct_ride *ride)
 
 	// Count surrounding scenery items
 	numSceneryItems = 0;
-	for (yy = y - 5; yy <= y + 5; yy++) {
-		for (xx = x - 5; xx <= x + 5; xx++) {
+	for (yy = max(y - 5, 0); yy <= y + 5; yy++) {
+		for (xx = max(x - 5, 0); xx <= x + 5; xx++) {
 			// Count scenery items on this tile
 			mapElement = map_get_first_element_at(xx, yy);
 			do {

From fddcfc69e0700e3b3c4f62197c442faf86cdd49c Mon Sep 17 00:00:00 2001
From: Duncan Frost <duncans_pumpkin@hotmail.co.uk>
Date: Thu, 29 Jan 2015 17:45:08 +0000
Subject: [PATCH 2/3] Add error logging to get_first_element_at

---
 src/world/map.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/world/map.c b/src/world/map.c
index 301bf95e35..d6693ba64c 100644
--- a/src/world/map.c
+++ b/src/world/map.c
@@ -88,6 +88,11 @@ void map_element_iterator_restart_for_tile(map_element_iterator *it)
 
 rct_map_element *map_get_first_element_at(int x, int y)
 {
+	if (x < 0 || y < 0)
+	{ 
+		log_error("Trying to access element outside of range"); 
+		return NULL;
+	}
 	return TILE_MAP_ELEMENT_POINTER(x + y * 256);
 }
 

From 359cc9aa991080b24020d84b89be24ba98131848 Mon Sep 17 00:00:00 2001
From: Duncan Frost <duncans_pumpkin@hotmail.co.uk>
Date: Thu, 29 Jan 2015 17:47:35 +0000
Subject: [PATCH 3/3] Add upper bounds

---
 src/world/map.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/world/map.c b/src/world/map.c
index d6693ba64c..adc0f219e3 100644
--- a/src/world/map.c
+++ b/src/world/map.c
@@ -88,7 +88,7 @@ void map_element_iterator_restart_for_tile(map_element_iterator *it)
 
 rct_map_element *map_get_first_element_at(int x, int y)
 {
-	if (x < 0 || y < 0)
+	if (x < 0 || y < 0 || x > 255 || y > 255)
 	{ 
 		log_error("Trying to access element outside of range"); 
 		return NULL;