# HG changeset patch
# User hle@debian.org
# Date 1559053244 -7200
# Tue May 28 16:20:44 2019 +0200
# Node ID d93d18889767496be64e1e10449a92d2cbbc8a45
# Parent 4775f98ff2501e7a3a28d5cd87031398ef7c96fd
pcx: cast size and check calloc return value
bpl is stored as a signed integer. If it happens to be negative, calloc will be called with surface->pitch (since bpl < surface->pitch). Later we call SDL_RWread(src, buf, bpl, 1). bpl is thus cast to size_t (becoming a very large positive value), leading to obvious oob write. We should fail early in this case. It doesn't make sense to continue processing such files with corrupted bpl.
+ (size_t) cast bpl in SDL_max so that it is preferred over surface->pitch if it is negative
+ check calloc return value to catch allocation failures
+ make sure we don't free unallocated buf in done section

diff -r 4775f98ff250 -r d93d18889767 IMG_pcx.c
--- a/IMG_pcx.c Sat May 25 13:24:54 2019 +0200
+++ b/IMG_pcx.c Tue May 28 16:20:44 2019 +0200
@@ -144,7 +144,9 @@
 goto done;
 bpl = pcxh.NPlanes * pcxh.BytesPerLine;
- buf = (Uint8 *)SDL_calloc(SDL_max(bpl, surface->pitch), 1);
+ buf = (Uint8 *)SDL_calloc(SDL_max((size_t) bpl, surface->pitch), 1);
+ if (buf == NULL)
+ goto done;
 row = (Uint8 *)surface->pixels;
 for ( y=0; yh; ++y ) {
 /* decode a scan line to a temporary buffer first */
@@ -250,7 +252,9 @@
 }
 done:
- SDL_free(buf);
+ if (buf) {
+ SDL_free(buf);
+ }
 if ( error ) {
 SDL_RWseek(src, start, RW_SEEK_SET);
 if ( surface ) {
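Review bot: The new `if (buf == NULL) goto done;` jumps to the cleanup section without setting `error`, and that section (visible in the second hunk) only seeks back, frees the surface and reports a failure when `error` is non-NULL, so an allocation failure here appears to return the partly initialised surface to the caller as a success. Set the error string the way the other failure paths presumably do before jumping: `if (buf == NULL) { error = "Out of memory"; goto done; }` — that `error` is a string set on the other paths is inferred from `if ( error )` in the second hunk, not visible here. The `(size_t)` cast also rejects a negative bpl only indirectly, by making the calloc size huge and relying on the allocation failing; an explicit `if (bpl < 0) { error = "Invalid PCX line size"; goto done; }` before the calloc states the invariant directly and covers the later `SDL_RWread(src, buf, bpl, 1)` that the description mentions, and rejecting a zero bpl there may be worth considering too. The enclosing function starts before the hunk and ends after it.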
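Review bot: The `if (buf)` guard around `SDL_free(buf)` only helps if `buf` is initialised to NULL at its declaration, which lies outside the hunk; if it is not, the earlier `goto done` paths reach this line with an uninitialised pointer and the test itself is undefined behaviour, and if it is, SDL_free tolerates NULL like free() and the guard is redundant. The robust form is to keep the original unconditional `SDL_free(buf);` here and initialise the pointer where it is declared, `Uint8 *buf = NULL;`, so every path into `done:` sees a defined value. I cannot see the declaration from the hunk, so this is inferred from the commit message's concern about freeing an unallocated buffer. The `done:` cleanup continues past the end of the hunk.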