From 7f62b23dfb0f073003017aedcb149d34c516e7fb Mon Sep 17 00:00:00 2001
From: uwezkhan06
Date: Sat, 28 Mar 2026 04:11:08 +0530
Subject: [PATCH] fix overflow in buffer allocation

---
 src/cgif_raw.c | 5 +++++
 src/cgif_rgb.c | 5 +++++
 2 files changed, 10 insertions(+)

diff --git a/src/cgif_raw.c b/src/cgif_raw.c
index 4b6b111..0aefd5f 100644
--- a/src/cgif_raw.c
+++ b/src/cgif_raw.c
@@ -330,6 +330,11 @@ static int LZW_GenerateStream(LZWResult* pResult, const uint32_t numPixel, const
 // where N = max dictionary resets = numPixel / (MAX_DICT_LEN - initDictLen - 2)
 entriesPerCycle = MAX_DICT_LEN - initDictLen - 2; // maximum added number of dictionary entries per cycle: -2 to account for start and end code
 maxResets = numPixel / entriesPerCycle;
+ // check for integer overflow in malloc
+ if (numPixel > (SIZE_MAX / sizeof(uint16_t) - 2 - maxResets)) {
+ r = CGIF_EALLOC;
+ goto LZWGENERATE_Cleanup;
+ }
 pContext->pLZWData = malloc(sizeof(uint16_t) * ((size_t)numPixel + 2 + maxResets));
 if(pContext->pLZWData == NULL) {
 r = CGIF_EALLOC;
diff --git a/src/cgif_rgb.c b/src/cgif_rgb.c
index 8b9a043..d2a49b6 100644
--- a/src/cgif_rgb.c
+++ b/src/cgif_rgb.c
@@ -542,6 +542,11 @@ static int quantize_and_dither(colHashTable* colhash, const uint8_t* pImageDataR
 if(root == NULL) {
 return -1;
 }
+ // check for integer overflow in malloc
+ if (numPixel > (SIZE_MAX / (fmtChan * sizeof(float)))) {
+ free_decision_tree(root);
+ return -1;
+ }
 float* pImageDataRGBfloat = malloc(fmtChan * numPixel * sizeof(float)); // TBD fmtChan + only when hasAlpha
 if(pImageDataRGBfloat == NULL) {
 free_decision_tree(root);
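Review bot: The guard `numPixel > (SIZE_MAX / sizeof(uint16_t) - 2 - maxResets)` in the cgif_raw.c hunk is only exact while `2 + maxResets` stays at or below `SIZE_MAX / sizeof(uint16_t)`; beyond that the unsigned subtraction wraps to a large value and the check silently passes. With a 32-bit size_t that bound is 2^31 - 1, and maxResets is `numPixel / entriesPerCycle` with numPixel a uint32_t, so the guard relies on entriesPerCycle being large enough, which depends on MAX_DICT_LEN and initDictLen outside the hunk. A two-step form removes that dependency: `const size_t maxEntries = SIZE_MAX / sizeof(uint16_t);` followed by `if (maxResets > maxEntries - 2 || numPixel > maxEntries - 2 - maxResets) {`. The comment would also read more accurately as `// guard the element count against size_t wrap before it reaches malloc`, since the overflow being prevented is in the size computation rather than in malloc itself. LZW_GenerateStream starts and ends outside the hunk, and LZWGENERATE_Cleanup is presumably the label the existing CGIF_EALLOC path below already jumps to.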
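Review bot: The new guard in the cgif_rgb.c hunk reasons in size_t, but the allocation it protects, `malloc(fmtChan * numPixel * sizeof(float))`, evaluates `fmtChan * numPixel` first in the operands' own type; if neither is as wide as size_t (the signature is cut off, but numPixel is a uint32_t in the cgif_raw.c hunk), that product can wrap before sizeof(float) widens it, and a wrapped, too-small size reaches malloc even though the check passed. Putting the size_t factor first makes the arithmetic match the guard: `float* pImageDataRGBfloat = malloc(sizeof(float) * fmtChan * numPixel); // TBD fmtChan + only when hasAlpha`. The guard also divides by `fmtChan * sizeof(float)`, which is undefined if fmtChan can ever be 0; if the caller guarantees 3 or 4, a one-line comment stating that invariant would settle it. quantize_and_dither starts and ends outside the hunk.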