authorMatthew Hoops2011-10-07 11:11:00 -0400
committerMatthew Hoops2011-10-07 11:12:39 -0400
commitdeab5b28753155863062746ef1239535f562fd0b (patch)
tree8eca05355b78768c3af6bfc0fb5a57fd81f955d7
parent172e97da155aecbbee77fcd68f8f0b089523dab7 (diff)
GRAPHICS: Fix PICT buffer overflow
-rw-r--r--graphics/pict.cpp6
1 files changed, 5 insertions, 1 deletions
diff --git a/graphics/pict.cpp b/graphics/pict.cpp
index b2d8140a5e..0f4dcd463f 100644
--- a/graphics/pict.cpp
+++ b/graphics/pict.cpp
@@ -337,7 +337,11 @@ void PictDecoder::unpackBitsRect(Common::SeekableReadStream *stream, bool hasPal
_outputSurface = new Graphics::Surface();
_outputSurface->create(width, height, (bytesPerPixel == 1) ? PixelFormat::createFormatCLUT8() : _pixelFormat);
- byte *buffer = new byte[width * height * bytesPerPixel];
+
+ // Create an temporary buffer, but allocate a bit more than we need to avoid overflow
+ // (align it to the next highest two-byte packed boundary, which may be more unpacked,
+ // as m68k and therefore QuickDraw is word-aligned)
+ byte *buffer = new byte[width * height * bytesPerPixel + (8 * 2 / packBitsData.pixMap.pixelSize)];
// Read in amount of data per row
for (uint16 i = 0; i < packBitsData.pixMap.bounds.height(); i++) {
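Review bot: The slack added on the new `buffer` allocation line divides by `packBitsData.pixMap.pixelSize`, which appears to be read from the PICT header, so a file declaring a pixel size of 0 would divide by zero, and any value above 16 yields no slack at all. Unless the field is validated earlier in `unpackBitsRect` (the function starts and ends outside this hunk), guard it before allocating, for example `if (packBitsData.pixMap.pixelSize == 0) { /* reject the image */ }`. Padding the allocation also treats the symptom: the row-unpacking loop that follows can still write past the end on a malformed row, so each write should be bounded against the allocated size. The operand types of `width * height * bytesPerPixel` are not visible here, so it is worth confirming that the product cannot wrap before it reaches `new byte[]`.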