diff --git a/src/libImaging/FliDecode.c b/src/libImaging/FliDecode.c index 3a6030703..7a396fb1f 100644 --- a/src/libImaging/FliDecode.c +++ b/src/libImaging/FliDecode.c @@ -223,8 +223,15 @@ ImagingFliDecode(Imaging im, ImagingCodecState state, UINT8 *buf, Py_ssize_t byt break; case 16: /* COPY chunk */ - if (state->xsize > bytes / state->ysize) { + if (INT32_MAX / state->xsize < state->ysize) { + /* Integer overflow, bail */ + state->errcode = IMAGING_CODEC_OVERRUN; + return -1; + } + /* Note, have to check Data + size, not just ptr + size) */ + if (data + (state->xsize * state->ysize) > ptr + bytes) { /* not enough data for frame */ + /* UNDONE Unclear that we're actually going to leave the buffer at the right place. */ return ptr - buf; /* bytes consumed */ } for (y = 0; y < state->ysize; y++) {