authorShreesh Adiga <16567adigashreesh@gmail.com>2021-09-26 13:43:34 +0530
committerDudemanguy <random342@airmail.cc>2022-10-11 17:11:07 +0000
commite97819f88e451623a397b79d101497205fe849f9 (patch)
tree44d260d33415cf179262e1a611125fa4d0b36b50 /sub/draw_bmp.c
parent064059e6c36329e1b1fd567d0efdfbaf13ec53c4 (diff)
draw_bmp: fix out of bounds access in mark_rect
When the width is exactly a multiple of SLICE_W (currently 256), heap buffer overflow is reported by Address Sanitizer. So adjust the maximum index for the line array accordingly.
Diffstat (limited to 'sub/draw_bmp.c')
-rw-r--r--sub/draw_bmp.c6
1 files changed, 3 insertions, 3 deletions
diff --git a/sub/draw_bmp.c b/sub/draw_bmp.c
index 37e57a1991..2765ceb759 100644
--- a/sub/draw_bmp.c
+++ b/sub/draw_bmp.c
@@ -260,8 +260,8 @@ static void mark_rect(struct mp_draw_sub_cache *p, int x0, int y0, int x1, int y
assert(x0 >= 0 && x0 <= x1 && x1 <= p->w);
assert(y0 >= 0 && y0 <= y1 && y1 <= p->h);
- int sx0 = x0 / SLICE_W;
- int sx1 = x1 / SLICE_W;
+ const int sx0 = x0 / SLICE_W;
+ const int sx1 = MPMIN(x1 / SLICE_W, p->s_w - 1);
for (int y = y0; y < y1; y++) {
struct slice *line = &p->slices[y * p->s_w];
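Review bot: `sx0` is left unclamped, so the out-of-bounds index fixed here for `sx1` can still occur on the `s0` side. The assert above permits `x0 == x1 == p->w`, and if `p->w` is a multiple of SLICE_W and `p->s_w` is the rounded-up slice count (inferred from the commit message, not visible here), `x0 / SLICE_W` equals `p->s_w`, one past the row. Whether any caller passes such an empty rectangle is not visible in this hunk, and the asserts give no protection if the build defines NDEBUG. An early `if (x0 >= x1 || y0 >= y1) return;` before the slice indices are computed would make the function safe regardless of callers. The body of mark_rect starts before this hunk and continues after it.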
@@ -270,7 +270,7 @@ static void mark_rect(struct mp_draw_sub_cache *p, int x0, int y0, int x1, int y
struct slice *s1 = &line[sx1];
s0->x0 = MPMIN(s0->x0, x0 % SLICE_W);
- s1->x1 = MPMAX(s1->x1, x1 % SLICE_W);
+ s1->x1 = MPMAX(s1->x1, ((x1 - 1) % SLICE_W) + 1);
if (s0 != s1) {
s0->x1 = SLICE_W;
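Review bot: The expression `((x1 - 1) % SLICE_W) + 1` on the `s1->x1` line deserves a comment, because its correctness depends on `x1` being an exclusive end bound. Something like `// x1 is exclusive: a multiple of SLICE_W must map to SLICE_W in the last touched slice, not to 0 in the next one` would do. It also relies on C's truncating `%` when `x1 == 0`, where `(-1 % SLICE_W) + 1` yields 0, and the comment should name that case too. The enclosing loop starts in the previous hunk and continues past this one.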