From 72f5bf5795218dbaf1e4afe39ae70bffb78ac7d7 Mon Sep 17 00:00:00 2001
From: Snesrev
Date: Sat, 11 Mar 2023 17:53:53 +0100
Subject: [PATCH] Samus_HandleScrewAttackSpeedBoostingPals reads bad addr (Fixes #18)

---
 src/sm_91.c        | 7 +++++--
 src/sm_cpu_infra.c | 4 ++++
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/src/sm_91.c b/src/sm_91.c
index 8dbda9b..462cc34 100644
--- a/src/sm_91.c
+++ b/src/sm_91.c
@@ -2709,7 +2709,7 @@ LABEL_18:
   uint16 v1 = *(uint16 *)RomPtr_91(R36 + special_samus_palette_frame);
   CopyToSamusSuitPalette(v1);
   uint16 v2 = special_samus_palette_frame + 2;
-  if (!sign16(special_samus_palette_frame - 10))
+  if (special_samus_palette_frame >= 10)
     v2 = 0;
   special_samus_palette_frame = v2;
   return 1;
@@ -2725,10 +2725,13 @@ LABEL_10:
   if (!special_samus_palette_timer || v3) {
     special_samus_palette_timer = 4;
     R36 = kSamusPal_SpeedBoost[samus_suit_palette_index >> 1];
+    // Bugfix: The original game can do an out of bounds read here.
+    if (special_samus_palette_frame > 6)
+      special_samus_palette_frame = 6;
     uint16 v4 = *(uint16 *)RomPtr_91(R36 + special_samus_palette_frame);
     CopyToSamusSuitPalette(v4);
     uint16 v5 = special_samus_palette_frame + 2;
-    if (!sign16(special_samus_palette_frame - 6))
+    if (special_samus_palette_frame >= 6)
       v5 = 6;
     special_samus_palette_frame = v5;
   }
diff --git a/src/sm_cpu_infra.c b/src/sm_cpu_infra.c
index cc8bba6..9d1f22e 100644
--- a/src/sm_cpu_infra.c
+++ b/src/sm_cpu_infra.c
@@ -314,6 +314,10 @@ uint32 PatchBugs(uint32 mode, uint32 addr) {
       g_cpu->mf = 0;
       return 0xA497CE;
     }
+  } else if (FixBugHook(0x91DA89)) {
+    // Samus_HandleScrewAttackSpeedBoostingPals reads OOB
+    if (special_samus_palette_frame > 6)
+      special_samus_palette_frame = 6;
   }
   return 0;
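Review bot: Replacing `if (!sign16(special_samus_palette_frame - 10))` with `if (special_samus_palette_frame >= 10)` is only equivalent while the counter stays below 0x800A, assuming sign16 tests bit 15 of the 16-bit difference; that holds here because the counter advances by 2 and is wrapped to 0 on this very line, so the rewrite is safe, but it is a cleanup unrelated to the out-of-bounds read the commit message describes and deserves a mention there. The same sign16 substitution appears in the second hunk of this file (`>= 6`). A short comment would make the bound self-explanatory without knowing sign16, e.g. `// counter steps by 2 through the palette table; wrap to 0 after offset 8`. The enclosing function starts and ends outside the hunk.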
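Review bot: The added clamp `if (special_samus_palette_frame > 6) special_samus_palette_frame = 6;` fixes the symptom, but the comment on it does not record how the counter gets past 6; from the two hunks it looks like the screw-attack path in the first hunk lets the counter reach 8 before wrapping, while this path caps it at 6, so switching between the two paths with the counter at 8 would read two bytes past the entry table selected from kSamusPal_SpeedBoost — confirm this against the callers. I would extend the comment to state the mechanism, e.g. `// Bugfix: the screw-attack path lets the counter reach 8; this table only has entries at offsets 0..6, so clamp before the read.` The same clamp is duplicated for the emulated-CPU path in src/sm_cpu_infra.c's PatchBugs hook (hunk at 0x91DA89); a comment cross-referencing the two keeps them from drifting if the bound changes. The enclosing function starts and ends outside the hunk.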