pcx: don't overflow buffer if bytes-per-line is less than image width.

icculus · icculus · commit f6769997411b · 2018-02-07T15:43:51.000-05:00
diff --git a/IMG_pcx.c b/IMG_pcx.c
@@ -147,7 +147,7 @@ SDL_Surface *IMG_LoadPCX_RW(SDL_RWops *src)
     if (bpl > surface->pitch) {
         error = "bytes per line is too large (corrupt?)";
     }
-    buf = (Uint8 *)SDL_malloc(bpl);
+    buf = (Uint8 *)SDL_calloc(SDL_max(bpl, surface->pitch), 1);
     row = (Uint8 *)surface->pixels;
     for ( y=0; y<surface->h; ++y ) {
         /* decode a scan line to a temporary buffer first */

Original file line number	Diff line number	Diff line change
`@@ -147,7 +147,7 @@ SDL_Surface IMG_LoadPCX_RW(SDL_RWops src)`
`147`	`147`	`if (bpl > surface->pitch) {`
`148`	`148`	`error = "bytes per line is too large (corrupt?)";`
`149`	`149`	`}`
`150`		`- buf = (Uint8 *)SDL_malloc(bpl);`
	`150`	`+ buf = (Uint8 *)SDL_calloc(SDL_max(bpl, surface->pitch), 1);`
`151`	`151`	`row = (Uint8 *)surface->pixels;`
`152`	`152`	`for ( y=0; y<surface->h; ++y ) {`
`153`	`153`	`/* decode a scan line to a temporary buffer first */`