From 55132ea8c67a07ba5e3817858ea3422249f985e0 Mon Sep 17 00:00:00 2001
From: Toni Wilen
Date: Sun, 11 Dec 2022 16:04:50 +0200
Subject: [PATCH] Fix out of bounds array access
---
 custom.cpp | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/custom.cpp b/custom.cpp
index 196d92e6..3678e649 100644
--- a/custom.cpp
+++ b/custom.cpp
@@ -405,6 +405,7 @@ int sprite_buffer_res;
 uae_u8 cycle_line_slot[MAX_CHIPSETSLOTS + RGA_PIPELINE_ADJUST];
 uae_u16 cycle_line_pipe[MAX_CHIPSETSLOTS + RGA_PIPELINE_ADJUST];
+static uae_u8 cycle_line_slot_last;
 static uae_s16 bpl1mod, bpl2mod, bpl1mod_prev, bpl2mod_prev;
 static int bpl1mod_hpos, bpl2mod_hpos;
@@ -11934,6 +11935,7 @@ static void hsync_handler_pre(bool onvsync)
 else lol = 0;
+ cycle_line_slot_last = cycle_line_slot[maxhpos - 1];
 set_hpos();
 // to record decisions correctly between end of scanline and start of hsync
@@ -13738,9 +13740,15 @@ writeonly:
 // - if last cycle was DMA cycle: DMA cycle data
 // - if last cycle was not DMA cycle: FFFF or some ANDed old data.
 //
- int hp = (hpos - 1) % maxhpos;
- c = cycle_line_slot[hp] & CYCLE_MASK;
- bmdma = bitplane_dma_access(hp, 0);
+ if (hpos == 0) {
+ int hp = maxhpos - 1;
+ c = cycle_line_slot_last & CYCLE_MASK;
+ bmdma = bitplane_dma_access(hp, 0);
+ } else {
+ int hp = hpos - 1;
+ c = cycle_line_slot[hp] & CYCLE_MASK;
+ bmdma = bitplane_dma_access(hp, 0);
+ }
 if (aga_mode) {
 if (bmdma || (c > CYCLE_REFRESH && c < CYCLE_CPU)) {
 v = regs.chipset_latch_rw;
-- 
2.47.3
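Review bot: The new file-scope `cycle_line_slot_last` in the first hunk (next to the `cycle_line_slot` / `cycle_line_pipe` arrays) has no comment saying what it caches or where it is written. I would add `// slot value of the final cycle (maxhpos - 1) of the previous scanline; written in hsync_handler_pre()` above it. As a zero-initialised static it reads as 0 until the first hsync, and nothing in this patch resets it together with `cycle_line_slot`, so whether a chipset reset or state restore can leave a stale value in it should be checked against code outside the diff.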
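Review bot: In the second hunk (hsync_handler_pre) `cycle_line_slot[maxhpos - 1]` is read with no check that maxhpos is at least 1 and no larger than the array's `MAX_CHIPSETSLOTS + RGA_PIPELINE_ADJUST` entries, so a zero or oversized maxhpos would reproduce the kind of out-of-bounds read this patch is meant to remove. If that invariant is guaranteed elsewhere, a debug assertion or a one-line comment stating it would make the read auditable. The placement before `set_hpos()` looks deliberate; presumably that call changes the line state for the next scanline, though its body is not in the hunk. A comment such as `// must stay before set_hpos(): captures the final slot of the line that just ended` would keep the statement from being moved later. The function body starts and continues outside the hunk.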
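Review bot: In the third hunk (after the `writeonly:` label) the else branch indexes `cycle_line_slot[hpos - 1]` with no upper bound, whereas the removed `% maxhpos` at least wrapped values above maxhpos; only `hpos == 0` is special-cased, so a negative hpos would still index before the array. If hpos can exceed maxhpos at this point (not visible in the hunk), keeping the wrap in that branch, `int hp = (hpos - 1) % maxhpos;`, and testing `hpos <= 0` in the first branch would preserve the old high-side behaviour and close the low side completely. At `hpos == 0`, `c` comes from the previous line's saved slot while `bitplane_dma_access(maxhpos - 1, 0)` is evaluated at the current moment; if that helper reads per-line state (its body is outside the diff), the two values may describe different scanlines. The enclosing function starts and ends outside this hunk.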