I found a bug in Surface::setPixel(), the checks to see if x and y are valid allow x to be equal to width and y equal to height. If x or y are width or height, the pixel set will be wrong, and if both are width and height, you will go past the end of the pixel buffer. See attached patch for the fix.
We actually do go past the end of the buffer when loading spks files. The culprit is Surface::setPixelIterative() in conjunction with Surface::loadSpk(). I am not for sure why people haven't been seeing a crash, I guess we got lucky with the memory past the pixel buffer. I will be looking in to why we are trying to write more pixel data than we allocated. I will also probably be rewriting the loadSpk() and loadScr(), as using setPixelIterative() and setPixel() aren't efficient ways to load the pixel data.
