pictordec: break out of both decoding loops when y drops below 0

Otherwise picmemset can get called with negative y, resulting in an
invalid write.

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org

libavcodec/pictordec.c

@@ -226,7 +226,7 @@ static int decode_frame(AVCodecContext *avctx,
                 if (bits_per_plane == 8) {
                     picmemset_8bpp(s, frame, val, run, &x, &y);
                     if (y < 0)
-                        break;
+                        goto finish;
                 } else {
                     picmemset(s, frame, val, run, &x, &y, &plane, bits_per_plane);
                 }
@@ -236,6 +236,7 @@ static int decode_frame(AVCodecContext *avctx,
         avpriv_request_sample(s, "Uncompressed image");
         return avpkt->size;
     }
+finish:
 
     *got_frame      = 1;
     return avpkt->size;