Index: vm_x86.c
===================================================================
--- vm_x86.c (revision 1962)
+++ vm_x86.c (working copy)
@@ -126,11 +126,18 @@
 jl systemCall
 // calling another vm function
 shl eax,2
+ cmp eax, [callMask]
+ jae badAddr
 add eax, dword ptr [instructionPointers]
 call dword ptr [eax]
 mov eax, dword ptr [edi]
- and eax, [callMask]
 ret
+badAddr:
+ // leave something on the opstack
+ add edi, 4
+ mov dword ptr [edi], 0
+ ret
+
 systemCall:
 // convert negative num to system call number
@@ -213,11 +220,16 @@
 "testl %eax, %eax\n\t"
 "jl 0f\n\t"
 "shll $2, %eax\n\t"
+ "cmpl " CMANGVAR(callMask) ", %eax\n\t"
+ "jae 1f\n\t"
 "addl " CMANGVAR(instructionPointers) ", %eax\n\t"
 "call *(%eax)\n\t"
 "movl (%edi), %eax\n\t"
- "andl " CMANGVAR(callMask) ", %eax\n\t"
 "ret\n"
+ "1:\n\t" // bad address, leave something on the opstack
+ "addl $4, %edi\n\t"
+ "movl $0, (%edi)\n\t"
+ "ret\n\t"
 "0:\n\t" // system call
 "notl %eax\n\t"
 "pushl %ebp\n\t"
@@ -1083,7 +1095,7 @@
 Emit4( (int)vm->instructionPointers );
 break;
 default:
- VMFREE_BUFFERS();
+ VMFREE_BUFFERS();
 Com_Error(ERR_DROP, "VM_CompileX86: bad opcode %i at offset %i", op, pc);
 }
 pop0 = pop1;
@@ -1159,8 +1171,10 @@
 byte *image;
 void *opStack;
 int *oldInstructionPointers;
+ int oldCallMask;
 oldInstructionPointers = instructionPointers;
+ oldCallMask = callMask;
 currentVM = vm;
 instructionPointers = vm->instructionPointers;
@@ -1168,7 +1182,7 @@
 // interpret the code
 vm->currentlyInterpreting = qtrue;
- callMask = vm->dataMask;
+ callMask = vm->codeLength;
 // we might be called recursively, so this might not be the very top
 programStack = vm->programStack;
@@ -1239,6 +1253,7 @@
 // in case we were recursively called by another vm
 instructionPointers = oldInstructionPointers;
+ callMask = oldCallMask;
 return *(int *)opStack;
 }
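Review bot: The new `cmp eax, [callMask]` / `jae badAddr` runs after `shl eax,2`, so an index of 2^30 or more (non-negative, so it survives the earlier `jl systemCall` test) loses its top bits in the shift and is compared as a small in-range offset, and the bound itself, `callMask`, is set later in this patch to `vm->codeLength`, a byte count of bytecode, while the table being indexed is `instructionPointers`, which holds one entry per instruction; unless that table is sized to codeLength bytes, `index*4 < codeLength` does not prove the slot exists. Compare the raw index before shifting and against the table's entry count: `cmp eax, [callMask]` / `jae badAddr` / `shl eax,2`, with callMask holding the number of instructionPointers entries (vm_t's instruction count, if that is what sizes the table) rather than codeLength. The GCC block in the second hunk has the same order (`cmpl`/`jae 1f` after `shll $2, %eax`) and should move the same way. On the badAddr path, `// leave something on the opstack` should say what the value is for, e.g. `// out-of-range call target: push a dummy 0 as the callee's return value so opstack depth matches the normal path`; note that the bad call is then swallowed without any diagnostic, so a corrupted or hostile module silently gets 0 back, which the C side may want to report.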
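Review bot: `callMask = vm->codeLength;` turns the global from a bit mask (its former `vm->dataMask` value, consumed by `and`) into an exclusive upper bound consumed by `cmp`/`jae`, but the name `callMask`, and `oldCallMask` in the preceding hunk, still say mask, which will mislead the next reader of the asm stubs. Either rename it (e.g. `callLimit`) or annotate the assignment: `callMask = vm->codeLength; // exclusive upper bound for the call stub's cmp/jae range check, not a mask`. The value is also a byte count of bytecode while the stub indexes `instructionPointers` per instruction; if vm_t carries an instruction count, that is the bound the stub needs. The enclosing function starts and ends outside this hunk.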