The functions read_rle8() and read_rle16() didn't check if the addresses to which they wrote are in bounds when expanding runlength encoded data. (cherry picked from commit 4d9724f2)