From 69c777b219a8da1d6004be6c5bda8f590283318e Mon Sep 17 00:00:00 2001
From: Kenpachi Developer
Date: Sat, 4 Jul 2020 00:16:30 +0200
Subject: Validate return value of status_get_element(src) before using it as array index
---
 src/map/battle.c | 50 ++++++++++++++++++++++++++++++--------------------
 1 file changed, 30 insertions(+), 20 deletions(-)
diff --git a/src/map/battle.c b/src/map/battle.c
index 956cc4a49..98569f436 100644
--- a/src/map/battle.c
+++ b/src/map/battle.c
@@ -1070,15 +1070,20 @@ static int64 battle_calc_cardfix(int attack_type, struct block_list *src, struct
 }
 // Apply bMagicSubDefEle damage reduction.
- switch (src->type) {
- case BL_MOB:
- ele_fix += tsd->magic_sub_def_ele[status_get_element(src)].rate_mob;
- break;
- case BL_PC:
- ele_fix += tsd->magic_sub_def_ele[status_get_element(src)].rate_pc;
- break;
- default:
- break;
+ enum elements def_ele = status_get_element(src);
+
+ if ((src->type == BL_MOB || src->type == BL_PC)
+ && !Assert_chk(def_ele >= ELE_NEUTRAL && def_ele < ELE_MAX)) {
+ switch (src->type) {
+ case BL_MOB:
+ ele_fix += tsd->magic_sub_def_ele[def_ele].rate_mob;
+ break;
+ case BL_PC:
+ ele_fix += tsd->magic_sub_def_ele[def_ele].rate_pc;
+ break;
+ default:
+ break;
+ }
 }
 cardfix = cardfix * (100 - ele_fix) / 100;
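Review bot: The range test that protects the `tsd->magic_sub_def_ele[def_ele]` index lives entirely inside `Assert_chk(...)`, and the second hunk guards `tsd->sub_def_ele[def_ele]` the same way. Assert_chk is defined outside this diff; if it collapses to a constant when assertion checks are compiled out (worth confirming in its header), the bound disappears in those builds and an out-of-range element is used as an index again. Because this is a memory-safety bound, I would evaluate it unconditionally and keep the macro only for reporting: `const bool ele_ok = (def_ele >= ELE_NEUTRAL && def_ele < ELE_MAX);` then `&& !Assert_chk(ele_ok) && ele_ok) {`. This also assumes both arrays hold ELE_MAX entries, which the hunk does not show; battle_calc_cardfix starts and ends outside it.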
@@ -1249,18 +1254,23 @@ static int64 battle_calc_cardfix(int attack_type, struct block_list *src, struct
 }
 // Apply bSubDefEle damage reduction.
- switch (src->type) {
- case BL_MOB:
- ele_fix = tsd->sub_def_ele[status_get_element(src)].rate_mob;
- break;
- case BL_PC:
- ele_fix = tsd->sub_def_ele[status_get_element(src)].rate_pc;
- break;
- default:
- break;
- }
+ enum elements def_ele = status_get_element(src);
- cardfix = cardfix * (100 - ele_fix) / 100;
+ if ((src->type == BL_MOB || src->type == BL_PC)
+ && !Assert_chk(def_ele >= ELE_NEUTRAL && def_ele < ELE_MAX)) {
+ switch (src->type) {
+ case BL_MOB:
+ ele_fix = tsd->sub_def_ele[def_ele].rate_mob;
+ break;
+ case BL_PC:
+ ele_fix = tsd->sub_def_ele[def_ele].rate_pc;
+ break;
+ default:
+ break;
+ }
+
+ cardfix = cardfix * (100 - ele_fix) / 100;
+ }
 }
 cardfix = cardfix * (100-tsd->subsize[sstatus->size]) / 100;
 cardfix = cardfix * (100-tsd->subrace2[s_race2]) / 100;
-- cgit v1.2.3-60-g2f50
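Review bot: Moving `cardfix = cardfix * (100 - ele_fix) / 100;` inside the new `if` changes more than the index validation: the multiplication is now skipped whenever src is neither BL_MOB nor BL_PC, or when the range check fails, whereas the first hunk leaves the same statement outside the guard. That looks intentional, presumably because `ele_fix` is assigned here rather than accumulated and would otherwise carry a value from an earlier step, but nothing in the code or the commit subject says so. A comment above the `if` would record it, e.g. `// ele_fix is only refreshed for mob/player sources with a valid element; skip the reduction otherwise.` Separately, `status_get_element(src)` is now called before the type test in both hunks, so it runs for every source type; confirm it is safe for types other than BL_MOB and BL_PC. The enclosing function extends beyond the hunk.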