GRAPHICS: Fix PICT buffer overflow

author: Matthew Hoops 2011-10-07 11:11:00 -0400
committer: Matthew Hoops 2011-10-07 11:34:56 -0400
commit: 3f0c9e0910e7bf7b6cd0ebb217167a6a4ce7ec31 (patch)
tree: 952cbcc5be83404c02445eabc263dc53b9a3d878 /graphics/pict.cpp
parent: 6a54c7953a03b901e928c1a4c95bbcead1342c20 (diff)
download: scummvm-rg350-3f0c9e0910e7bf7b6cd0ebb217167a6a4ce7ec31.tar.gz
scummvm-rg350-3f0c9e0910e7bf7b6cd0ebb217167a6a4ce7ec31.tar.bz2
scummvm-rg350-3f0c9e0910e7bf7b6cd0ebb217167a6a4ce7ec31.zip
1 files changed, 5 insertions, 1 deletions
diff --git a/graphics/pict.cpp b/graphics/pict.cpp
index b2d8140a5e..0f4dcd463f 100644
--- a/graphics/pict.cpp
+++ b/graphics/pict.cpp
@@ -337,7 +337,11 @@ void PictDecoder::unpackBitsRect(Common::SeekableReadStream *stream, bool hasPal
 
 	_outputSurface = new Graphics::Surface();
 	_outputSurface->create(width, height, (bytesPerPixel == 1) ? PixelFormat::createFormatCLUT8() : _pixelFormat);
-	byte *buffer = new byte[width * height * bytesPerPixel];
+
+	// Create an temporary buffer, but allocate a bit more than we need to avoid overflow
+	// (align it to the next highest two-byte packed boundary, which may be more unpacked,
+	// as m68k and therefore QuickDraw is word-aligned)
+	byte *buffer = new byte[width * height * bytesPerPixel + (8 * 2 / packBitsData.pixMap.pixelSize)];
 
 	// Read in amount of data per row
 	for (uint16 i = 0; i < packBitsData.pixMap.bounds.height(); i++) {
author	Matthew Hoops	2011-10-07 11:11:00 -0400
committer	Matthew Hoops	2011-10-07 11:34:56 -0400
commit	3f0c9e0910e7bf7b6cd0ebb217167a6a4ce7ec31 (patch)
tree	952cbcc5be83404c02445eabc263dc53b9a3d878 /graphics/pict.cpp
parent	6a54c7953a03b901e928c1a4c95bbcead1342c20 (diff)
download	scummvm-rg350-3f0c9e0910e7bf7b6cd0ebb217167a6a4ce7ec31.tar.gz scummvm-rg350-3f0c9e0910e7bf7b6cd0ebb217167a6a4ce7ec31.tar.bz2 scummvm-rg350-3f0c9e0910e7bf7b6cd0ebb217167a6a4ce7ec31.zip