From bc22abd920a468cfa51385831f7d64a53ef1da7e Mon Sep 17 00:00:00 2001
From: lamtung-monash <lam.nguyentung@monash.edu>
Date: Thu, 22 Jan 2026 21:45:33 +0800
Subject: [PATCH] Potential Vulnerability in Cloned Code

---
 rtengine/dcraw.cc | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/rtengine/dcraw.cc b/rtengine/dcraw.cc
index b52019e2a..2f1d15762 100644
--- a/rtengine/dcraw.cc
+++ b/rtengine/dcraw.cc
@@ -3867,7 +3867,7 @@ void CLASS foveon_huff (ushort *huff)
 void CLASS foveon_dp_load_raw()
 {
   unsigned c, roff[4], row, col, diff;
-  ushort huff[512], vpred[2][2], hpred[2];
+  ushort huff[1024], vpred[2][2], hpred[2];
 
   fseek (ifp, 8, SEEK_CUR);
   foveon_huff (huff);
@@ -3891,12 +3891,16 @@ void CLASS foveon_dp_load_raw()
 void CLASS foveon_load_camf()
 {
   unsigned type, wide, high, i, j, row, col, diff;
-  ushort huff[258], vpred[2][2] = {{512,512},{512,512}}, hpred[2];
+  ushort huff[1024], vpred[2][2] = {{512,512},{512,512}}, hpred[2];
 
   fseek (ifp, meta_offset, SEEK_SET);
   type = get4();  get4();  get4();
   wide = get4();
   high = get4();
+#ifdef LIBRAW_LIBRARY_BUILD
+  if(wide>32767 || high > 32767 || wide*high > 20000000)
+     throw LIBRAW_EXCEPTION_IO_CORRUPT;
+#endif
   if (type == 2) {
     fread (meta_data, 1, meta_length, ifp);
     for (i=0; i < meta_length; i++) {