Diffstat (limited to 'src')
-rw-r--r-- | src/gif.c | 3 | ||||
-rw-r--r-- | src/jpeg.c | 5 | ||||
-rw-r--r-- | src/png.c | 3 |
3 files changed, 7 insertions, 4 deletions
@@ -814,7 +814,8 @@ static size_t Gif_do_img_desc(DilloGif *gif, void *Buf,
 gif->Height = LM_to_uint(buf[6], buf[7]);
 /* check max image size */
- if (gif->Width * gif->Height > IMAGE_MAX_W * IMAGE_MAX_H) {
+ if (gif->Width <= 0 || gif->Height <= 0 ||
+ gif->Width > (IMAGE_MAX_W * IMAGE_MAX_H) / gif->Height) {
 MSG("Gif_do_img_desc: suspicious image size request %ux%u\n",
 gif->Width, gif->Height);
 gif->state = 999;
@@ -280,8 +280,9 @@ static void Jpeg_write(DilloJpeg *jpeg, void *Buf, uint_t BufSize)
 jpeg->cinfo.buffered_image = TRUE;
 /* check max image size */
- if ((uint_t)jpeg->cinfo.image_width *
- (uint_t)jpeg->cinfo.image_height > IMAGE_MAX_W * IMAGE_MAX_H) {
+ if (jpeg->cinfo.image_width <= 0 || jpeg->cinfo.image_height <= 0 ||
+ jpeg->cinfo.image_width >
+ (IMAGE_MAX_W * IMAGE_MAX_H) / jpeg->cinfo.image_height) {
 MSG("Jpeg_write: suspicious image size request %ux%u\n",
 (uint_t)jpeg->cinfo.image_width,
 (uint_t)jpeg->cinfo.image_height);
@@ -135,7 +135,8 @@ Png_datainfo_callback(png_structp png_ptr, png_infop info_ptr)
 &bit_depth, &color_type, &interlace_type, NULL, NULL);
 /* check max image size */
- if (abs(png->width*png->height) > IMAGE_MAX_W * IMAGE_MAX_H) {
+ if (png->width <= 0 || png->height <= 0 ||
+ png->width > (IMAGE_MAX_W * IMAGE_MAX_H) / png->height) {
 MSG("Png_datainfo_callback: suspicious image size request %ldx%ld\n",
 png->width, png->height);
 Png_error_handling(png_ptr, "Aborting..."); |
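Review bot: The rewritten size test in Gif_do_img_desc, and the same expression in Jpeg_write and Png_datainfo_callback, still sits under the old comment `/* check max image size */`, which does not say why the limit is now divided by the height instead of compared with the product. A later cleanup could fold it back into the `Width * Height > ...` form, which can wrap for large header values and let an oversized image past the limit. I would extend the comment to `/* check max image size; divide rather than multiply so the test cannot wrap */`. Since the three decoders now carry the same expression, one shared helper taking width and height would keep them from drifting apart. Gif_do_img_desc starts and ends outside this hunk.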
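Review bot: In Jpeg_write the tests `jpeg->cinfo.image_width <= 0` and `jpeg->cinfo.image_height <= 0` can only be true for zero, because libjpeg declares both fields as JDIMENSION, an unsigned type; `== 0` says what is meant and avoids a type-limits warning. The new code also drops the `(uint_t)` casts, so `(IMAGE_MAX_W * IMAGE_MAX_H) / jpeg->cinfo.image_height` now relies on the usual arithmetic conversions between the constant and the unsigned field. The two constants are defined outside this hunk, so it is worth confirming that their product is positive and fits in an int. The `%u` format in the Gif_do_img_desc message suggests the same remark about `<= 0` applies to gif->Width and gif->Height.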
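Review bot: The PNG check only protects the rest of Png_datainfo_callback if `Png_error_handling(png_ptr, "Aborting...")` never returns; the hunk ends on that call, so I cannot see whether anything stops the callback from going on to use the rejected width and height. If it is not already there, an explicit `return;` directly after the call would make the rejection hold even when the error handler comes back. Separately, the message prints the fields with `%ldx%ld`; their declared type is outside the hunk, and if they are unsigned long the specifier should be `%lu`.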