From 3f0c9e0910e7bf7b6cd0ebb217167a6a4ce7ec31 Mon Sep 17 00:00:00 2001
From: Matthew Hoops
Date: Fri, 7 Oct 2011 11:11:00 -0400
Subject: GRAPHICS: Fix PICT buffer overflow

---
 graphics/pict.cpp | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

(limited to 'graphics/pict.cpp')

diff --git a/graphics/pict.cpp b/graphics/pict.cpp
index b2d8140a5e..0f4dcd463f 100644
--- a/graphics/pict.cpp
+++ b/graphics/pict.cpp
@@ -337,7 +337,11 @@ void PictDecoder::unpackBitsRect(Common::SeekableReadStream *stream, bool hasPal
 
 	_outputSurface = new Graphics::Surface();
 	_outputSurface->create(width, height, (bytesPerPixel == 1) ? PixelFormat::createFormatCLUT8() : _pixelFormat);
-	byte *buffer = new byte[width * height * bytesPerPixel];
+
+	// Create an temporary buffer, but allocate a bit more than we need to avoid overflow
+	// (align it to the next highest two-byte packed boundary, which may be more unpacked,
+	// as m68k and therefore QuickDraw is word-aligned)
+	byte *buffer = new byte[width * height * bytesPerPixel + (8 * 2 / packBitsData.pixMap.pixelSize)];
 
 	// Read in amount of data per row
 	for (uint16 i = 0; i < packBitsData.pixMap.bounds.height(); i++) {
-- 
cgit v1.2.3