Fix for buffer overrun caused by ALLOC_STATE not having its args surrounded by parentheses. Can you see it? HINT: Anything texture related should now work slightly better. And yes it took me several hours to find it.
diff --git a/src/mesa/drivers/dri/r300/r300_cmdbuf.c b/src/mesa/drivers/dri/r300/r300_cmdbuf.c
index c515b60..c9cd137 100644
--- a/src/mesa/drivers/dri/r300/r300_cmdbuf.c
+++ b/src/mesa/drivers/dri/r300/r300_cmdbuf.c
@@ -183,7 +183,6 @@
 	}
 }
 
-
 /**
  * Copy dirty hardware state atoms into the command buffer.
  *
@@ -197,7 +196,7 @@
 
 	if (r300->cmdbuf.count_used && !r300->hw.is_dirty && !r300->hw.all_dirty)
 		return;
-
+	
 	/* To avoid going across the entire set of states multiple times, just check
 	 * for enough space for the case of emitting all state, and inline the
 	 * r300AllocCmdBuf code here without all the checks.
@@ -270,13 +269,13 @@
 
 #define ALLOC_STATE( ATOM, CHK, SZ, NM, IDX )				\
    do {									\
-      r300->hw.ATOM.cmd_size = SZ;					\
-      r300->hw.ATOM.cmd = (uint32_t*)CALLOC(SZ * sizeof(uint32_t));	\
-      r300->hw.ATOM.name = NM;						\
-      r300->hw.ATOM.idx = IDX;						\
+      r300->hw.ATOM.cmd_size = (SZ);					\
+      r300->hw.ATOM.cmd = (uint32_t*)CALLOC((SZ) * sizeof(uint32_t));	\
+      r300->hw.ATOM.name = (NM);					\
+      r300->hw.ATOM.idx = (IDX);					\
       r300->hw.ATOM.check = check_##CHK;				\
       r300->hw.ATOM.dirty = GL_FALSE;					\
-      r300->hw.max_state_size += SZ;					\
+      r300->hw.max_state_size += (SZ);					\
    } while (0)
 
 
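Review bot: The CALLOC result in ALLOC_STATE is stored in `r300->hw.ATOM.cmd` without a NULL check, so an allocation failure would only surface later as a write through a null pointer when the state is filled in (for example the `r300->hw.txe.cmd[...]` stores in r300_state.c). A guard inside the macro such as `if (!r300->hw.ATOM.cmd) { fprintf(stderr, "ALLOC_STATE: out of memory for %s\n", (NM)); exit(-1); } \` would match the fprintf/exit error style visible in r300_state.c. Separately, `SZ` is still expanded three times, so an argument with side effects would be evaluated repeatedly. A short comment above the macro saying that arguments must be side-effect free, and that they are parenthesised because a size expression would otherwise bind wrongly against `* sizeof(uint32_t)`, would help keep this bug class from coming back.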
@@ -287,7 +286,7 @@
 void r300InitCmdBuf(r300ContextPtr r300)
 {
 	int size, i, mtu;
-
+	
 	r300->hw.max_state_size = 0;
 
 	mtu = r300->radeon.glCtx->Const.MaxTextureUnits;
diff --git a/src/mesa/drivers/dri/r300/r300_context.h b/src/mesa/drivers/dri/r300/r300_context.h
index 48822d3..18dc9d1 100644
--- a/src/mesa/drivers/dri/r300/r300_context.h
+++ b/src/mesa/drivers/dri/r300/r300_context.h
@@ -414,7 +414,6 @@
 #ifdef EXP_C
 	struct r300_state_atom lsf;	/* line stipple factor */
 #endif
-	struct r300_state_atom dummy[4];
 	struct r300_state_atom unk4260; /* (4260) */
 	struct r300_state_atom unk4274; /* (4274) */
 	struct r300_state_atom unk4288; /* (4288) */
@@ -456,7 +455,6 @@
 	struct r300_state_atom vpi;	/* vp instructions */
 	struct r300_state_atom vpp;	/* vp parameters */
 	struct r300_state_atom vps;	/* vertex point size (?) */
-
 		/* 8 texture units */
 		/* the state is grouped by function and not by
 		   texture unit. This makes single unit updates
diff --git a/src/mesa/drivers/dri/r300/r300_render.c b/src/mesa/drivers/dri/r300/r300_render.c
index 71977e7..2a57828 100644
--- a/src/mesa/drivers/dri/r300/r300_render.c
+++ b/src/mesa/drivers/dri/r300/r300_render.c
@@ -614,10 +614,10 @@
    struct vertex_buffer *VB = &tnl->vb;
    int i, j;
    LOCAL_VARS
-
+   
 	if (RADEON_DEBUG & DEBUG_PRIMS)
 		fprintf(stderr, "%s\n", __FUNCTION__);
-
+	
 
 	r300ReleaseArrays(ctx);
 	r300EmitArrays(ctx, GL_FALSE);
@@ -634,7 +634,6 @@
 
 	reg_start(0x4f18,0);
 	e32(0x00000003);
-
 	r300EmitState(rmesa);
 
 	rmesa->state.Elts = VB->Elts;
diff --git a/src/mesa/drivers/dri/r300/r300_state.c b/src/mesa/drivers/dri/r300/r300_state.c
index a811215..a386564 100644
--- a/src/mesa/drivers/dri/r300/r300_state.c
+++ b/src/mesa/drivers/dri/r300/r300_state.c
@@ -1337,7 +1337,7 @@
 	R300_STATECHANGE(r300, tex.offset);
 	R300_STATECHANGE(r300, tex.unknown4);
 	R300_STATECHANGE(r300, tex.border_color);
-
+	
 	r300->state.texture.tc_count=0;
 
 	r300->hw.txe.cmd[R300_TXE_ENABLE]=0x0;
@@ -1346,35 +1346,43 @@
 	if (RADEON_DEBUG & DEBUG_STATE)
 		fprintf(stderr, "mtu=%d\n", mtu);
 
-	if(mtu>R300_MAX_TEXTURE_UNITS){
+	if(mtu > R300_MAX_TEXTURE_UNITS) {
 		fprintf(stderr, "Aiiee ! mtu=%d is greater than R300_MAX_TEXTURE_UNITS=%d\n",
 			mtu, R300_MAX_TEXTURE_UNITS);
 		exit(-1);
-		}
-	for(i=0;i<mtu;i++){
+	}
+	
+	for(i=0; i < mtu; i++) {
+		
 		if( ((r300->state.render_inputs & (_TNL_BIT_TEX0<<i))!=0) != ((ctx->Texture.Unit[i].Enabled)!=0) ) {
 			WARN_ONCE("Mismatch between render_inputs and ctx->Texture.Unit[i].Enabled value.\n");
-			}
-		if(r300->state.render_inputs & (_TNL_BIT_TEX0<<i)){
+		}
+		
+		if(r300->state.render_inputs & (_TNL_BIT_TEX0<<i)) {
 			t=r300->state.texture.unit[i].texobj;
 			//fprintf(stderr, "format=%08x\n", r300->state.texture.unit[i].format);
 			r300->state.texture.tc_count++;
-			if(t==NULL){
+			
+			if(t == NULL){
 				fprintf(stderr, "Texture unit %d enabled, but corresponding texobj is NULL, using default object.\n", i);
 				//exit(-1);
 				t=&default_tex_obj;
-				}
+			}
+			
 			//fprintf(stderr, "t->format=%08x\n", t->format);
-			if((t->format & 0xffffff00)==0xffffff00){
+			if((t->format & 0xffffff00)==0xffffff00) {
 				WARN_ONCE("unknown texture format (entry %x) encountered. Help me !\n", t->format & 0xff);
 				//fprintf(stderr, "t->format=%08x\n", t->format);
-				}
+			}
+			
 			if (RADEON_DEBUG & DEBUG_STATE)
 				fprintf(stderr, "Activating texture unit %d\n", i);
 			max_texture_unit=i;
 			r300->hw.txe.cmd[R300_TXE_ENABLE]|=(1<<i);
-
+			
 			r300->hw.tex.filter.cmd[R300_TEX_VALUE_0+i]=gen_fixed_filter(t->filter);
+			r300->hw.tex.unknown1.cmd[R300_TEX_VALUE_0+i]=0x0;
+			
 			/* No idea why linear filtered textures shake when puting random data */
 			/*r300->hw.tex.unknown1.cmd[R300_TEX_VALUE_0+i]=(rand()%0xffffffff) & (~0x1fff);*/
 			r300->hw.tex.size.cmd[R300_TEX_VALUE_0+i]=t->size;
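Review bot: The new store `r300->hw.tex.unknown1.cmd[R300_TEX_VALUE_0+i]=0x0;` indexes a buffer whose length was fixed by ALLOC_STATE at init time, but the only bound checked in this function is `mtu > R300_MAX_TEXTURE_UNITS`, which says nothing about the size actually allocated. Since this commit fixes an overrun in exactly these buffers, a debug assertion at the top of the enabled-unit branch, for example `assert(R300_TEX_VALUE_0 + i < r300->hw.tex.unknown1.cmd_size);`, would catch any future mismatch between allocation and use. This relies on `cmd_size` counting 32-bit words, which is what the macro hunk shows (`cmd_size = (SZ)` alongside `CALLOC((SZ) * sizeof(uint32_t))`). The enclosing function starts and ends outside this hunk, so whether the ALLOC_STATE calls for the texture atoms size them from `mtu` or from R300_MAX_TEXTURE_UNITS should be confirmed there.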
@@ -1383,8 +1391,9 @@
 			r300->hw.tex.offset.cmd[R300_TEX_VALUE_0+i]=r300->radeon.radeonScreen->fbLocation+t->offset;
 			r300->hw.tex.unknown4.cmd[R300_TEX_VALUE_0+i]=0x0;
 			r300->hw.tex.border_color.cmd[R300_TEX_VALUE_0+i]=t->pp_border_color;
-			}
 		}
+	}
+	
 	((drm_r300_cmd_header_t*)r300->hw.tex.filter.cmd)->unchecked_state.count = max_texture_unit+1;
 	((drm_r300_cmd_header_t*)r300->hw.tex.unknown1.cmd)->unchecked_state.count = max_texture_unit+1;
 	((drm_r300_cmd_header_t*)r300->hw.tex.size.cmd)->unchecked_state.count = max_texture_unit+1;