From 04942319a53169a55b26414f92af3d6d53e876b6 Mon Sep 17 00:00:00 2001
From: George Wu
Date: Thu, 21 Feb 2019 12:49:34 +0100
Subject: [PATCH] Fixed invalid element access in CHcaData
---
 src/lib/kawashima/hca/CHcaDecoder.cpp | 2 +-
 src/lib/kawashima/hca/internal/CHcaData.cpp | 13 ++++++++-----
 src/lib/kawashima/hca/internal/CHcaData.h | 3 ++-
 3 files changed, 11 insertions(+), 7 deletions(-)
diff --git a/src/lib/kawashima/hca/CHcaDecoder.cpp b/src/lib/kawashima/hca/CHcaDecoder.cpp
index e1c66ad..1ea6d07 100644
--- a/src/lib/kawashima/hca/CHcaDecoder.cpp
+++ b/src/lib/kawashima/hca/CHcaDecoder.cpp
@@ -252,7 +252,7 @@ CGSS_NS_BEGIN
 // Decrypt block if needed.
 _cipher->Decrypt(hcaBlockBuffer, hcaInfo.blockSize);
- CHcaData data(hcaBlockBuffer, hcaInfo.blockSize);
+ CHcaData data(hcaBlockBuffer, hcaInfo.blockSize, hcaInfo.blockSize);
 const auto magic = data.GetBit(16);
 if (magic != 0xffff) {
diff --git a/src/lib/kawashima/hca/internal/CHcaData.cpp b/src/lib/kawashima/hca/internal/CHcaData.cpp
index 93f8a62..bd9fbe7 100644
--- a/src/lib/kawashima/hca/internal/CHcaData.cpp
+++ b/src/lib/kawashima/hca/internal/CHcaData.cpp
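Review bot: `CHcaData data(hcaBlockBuffer, hcaInfo.blockSize, hcaInfo.blockSize)` passes the header-derived `blockSize` as both the buffer length and the bit-stream length, so the new bounds check inside CHcaData can only ever be as trustworthy as that header value; the value that belongs in the new second argument is the allocated length of `hcaBlockBuffer`, which is established outside this hunk. If the buffer really is sized from the same `hcaInfo.blockSize`, say so at the call, e.g. `// hcaBlockBuffer holds hcaInfo.blockSize bytes, so dataSize == size here`; if it is sized from anything else, pass that length instead. The enclosing decode function starts and ends outside the hunk.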
@@ -2,24 +2,27 @@ CGSS_NS_BEGIN
- CHcaData::CHcaData(uint8_t *data, uint32_t size) {
+ CHcaData::CHcaData(uint8_t *data, uint32_t dataSize, uint32_t size) {
 _data = data;
+ _dataSize = dataSize;
 _size = size * 8 - 16;
 _bit = 0;
 }
 int32_t CHcaData::CheckBit(int32_t bitSize) {
+#define SAFE_ACCESS(array, length, index) ((0 <= (index) && (index) < (length)) ? (array)[(index)] : 0)
 int32_t v = 0;
 if (_bit + bitSize <= _size) {
 static int32_t mask[] = {0xFFFFFF, 0x7FFFFF, 0x3FFFFF, 0x1FFFFF, 0x0FFFFF, 0x07FFFF, 0x03FFFF, 0x01FFFF};
- uint8_t *data = &_data[_bit >> 3];
- v = data[0];
- v = (v << 8) | data[1];
- v = (v << 8) | data[2];
+ int32_t i = _bit >> 3;
+ v = SAFE_ACCESS(_data, _dataSize, i);
+ v = (v << 8) | SAFE_ACCESS(_data, _dataSize, i + 1);
+ v = (v << 8) | SAFE_ACCESS(_data, _dataSize, i + 2);
 v &= mask[_bit & 7];
 v >>= 24 - (_bit & 7) - bitSize;
 }
 return v;
+#undef SAFE_ACCESS
 }
 int32_t CHcaData::GetBit(int32_t bitSize) {
diff --git a/src/lib/kawashima/hca/internal/CHcaData.h b/src/lib/kawashima/hca/internal/CHcaData.h
index c1fae69..f820ac4 100644
--- a/src/lib/kawashima/hca/internal/CHcaData.h
+++ b/src/lib/kawashima/hca/internal/CHcaData.h
@@ -8,7 +8,7 @@ CGSS_NS_BEGIN
 public:
- CHcaData(uint8_t *data, uint32_t size);
+ CHcaData(uint8_t *data, uint32_t dataSize, uint32_t size);
 CHcaData(CHcaData &) = default;
@@ -21,6 +21,7 @@ CGSS_NS_BEGIN
 private:
 uint8_t *_data;
+ uint32_t _dataSize;
 int32_t _size;
 int32_t _bit;
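Review bot: `SAFE_ACCESS` in CheckBit turns an out-of-range read into a silent 0 without addressing why the index can leave the buffer: with `_size = size * 8 - 16` and the only visible caller passing the same value for `dataSize` and `size`, the existing `_bit + bitSize <= _size` test already keeps `i + 2` below `size` whenever `bitSize > 0` and `_bit >= 0`, so the overrun named in the commit title presumably comes from a `bitSize <= 0` call, a negative `_bit`, or a header `size` larger than the real buffer, and fabricating zero bytes in those cases hides corrupt input instead of rejecting it. The macro also compares an `int32_t` index against a `uint32_t` length, which is a sign-compare warning, and a function-scope `#define`/`#undef` is hard to type-check; a file-local inline helper with an explicit cast expresses the same guard. I would additionally reject non-positive `bitSize` up front, because `v >>= 24 - (_bit & 7) - bitSize` with a negative `bitSize` can shift by more than the operand width (for `bitSize == 0` the masked value already shifts to 0, so that path keeps its result). The constructor above and GetBit below are partly outside the hunk.
```cpp
namespace {
    // Bounds-checked byte read: yields 0 for any index outside [0, length).
    // This must not become the only defence; CheckBit still validates _bit/_size.
    inline int32_t ByteAt(const uint8_t *data, uint32_t length, int32_t index) {
        return (index >= 0 && static_cast<uint32_t>(index) < length) ? data[index] : 0;
    }
}

// … unchanged: CHcaData::CHcaData …

int32_t CHcaData::CheckBit(int32_t bitSize) {
    int32_t v = 0;
    // Non-positive widths would make the final shift exceed the operand width.
    if (bitSize > 0 && _bit + bitSize <= _size) {
        // … unchanged: mask table …
        int32_t i = _bit >> 3;
        v = ByteAt(_data, _dataSize, i);
        v = (v << 8) | ByteAt(_data, _dataSize, i + 1);
        v = (v << 8) | ByteAt(_data, _dataSize, i + 2);
        // … unchanged: mask and shift …
    }
    return v;
}
```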
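Review bot: The new `dataSize` parameter on the `CHcaData` constructor declaration is undocumented, and nothing in the header says how it differs from `size` — in CHcaData.cpp `size` is turned into the bit-length `_size` while `dataSize` bounds the byte reads, and the one visible caller passes the same value for both, which invites the two being swapped or conflated later. A short comment on the declaration would pin this down: `/// @param dataSize number of bytes readable through data (bounds every byte access)` and `/// @param size block length in bytes from which the readable bit count is derived`. Since CheckBit appears to only read through `_data`, consider whether `const uint8_t *` fits here as well; I cannot see the other members to confirm.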