From 4b10c195698279b5b0a2386a296e9617c48a6ff4 Mon Sep 17 00:00:00 2001
From: Greyson Parrelli
Date: Wed, 18 Mar 2026 13:30:01 -0400
Subject: [PATCH] Validate individual APNG frame dimensions.
---
 .../signal/glide/common/decode/FrameSeqDecoder.java | 2 +-
 .../load/resource/apng/decode/APNGDecoder.java | 13 ++++++++++++-
 2 files changed, 13 insertions(+), 2 deletions(-)
diff --git a/lib/glide/src/main/java/org/signal/glide/common/decode/FrameSeqDecoder.java b/lib/glide/src/main/java/org/signal/glide/common/decode/FrameSeqDecoder.java
index 040a3686b6..f3379d3dad 100644
--- a/lib/glide/src/main/java/org/signal/glide/common/decode/FrameSeqDecoder.java
+++ b/lib/glide/src/main/java/org/signal/glide/common/decode/FrameSeqDecoder.java
@@ -106,7 +106,7 @@ public abstract class FrameSeqDecoder {
 Bitmap ret = null;
 Iterator iterator = cacheBitmaps.iterator();
 while (iterator.hasNext()) {
- int reuseSize = width * height * 4;
+ long reuseSize = (long) width * height * 4;
 ret = iterator.next();
 if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.KITKAT) {
diff --git a/lib/glide/src/main/java/org/signal/glide/load/resource/apng/decode/APNGDecoder.java b/lib/glide/src/main/java/org/signal/glide/load/resource/apng/decode/APNGDecoder.java
index a108443aa9..6ec22b57e8 100644
--- a/lib/glide/src/main/java/org/signal/glide/load/resource/apng/decode/APNGDecoder.java
+++ b/lib/glide/src/main/java/org/signal/glide/load/resource/apng/decode/APNGDecoder.java
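Review bot: `reuseSize` does not depend on the bitmap being examined, yet the new `long reuseSize = (long) width * height * 4;` is recomputed on every pass of the `while (iterator.hasNext())` loop; hoisting it to just above the loop is cheaper and makes the invariance obvious. Widening to `long` is the right fix, since `width * height * 4` in `int` can wrap for large dimensions and make an undersized cached bitmap look reusable. The comparison that consumes `reuseSize` is outside the hunk, so confirm it compares in `long` rather than narrowing back to `int`. The enclosing method starts and ends outside the hunk.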
@@ -97,7 +97,18 @@ public class APNGDecoder extends FrameSeqDecoder {
 mLoopCount = ((ACTLChunk) chunk).num_plays;
 actl = true;
 } else if (chunk instanceof FCTLChunk) {
- APNGFrame frame = new APNGFrame(reader, (FCTLChunk) chunk);
+ FCTLChunk fctl = (FCTLChunk) chunk;
+ if (fctl.width <= 0 || fctl.height <= 0 ||
+ fctl.width > MAX_DIMENSION || fctl.height > MAX_DIMENSION ||
+ fctl.x_offset < 0 || fctl.y_offset < 0 ||
+ (long) fctl.x_offset + fctl.width > canvasWidth ||
+ (long) fctl.y_offset + fctl.height > canvasHeight) {
+ throw new IOException("APNG frame has invalid dimensions: " +
+ fctl.width + "x" + fctl.height + " at offset (" +
+ fctl.x_offset + ", " + fctl.y_offset + ") for canvas " +
+ canvasWidth + "x" + canvasHeight);
+ }
+ APNGFrame frame = new APNGFrame(reader, fctl);
 frame.prefixChunks = otherChunks;
 frame.ihdrData = ihdrData;
 frames.add(frame);
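Review bot: The seven-clause bounds condition sits inline in the chunk-dispatch branch, which makes the `else if (chunk instanceof FCTLChunk)` arm hard to scan and leaves the purpose of the `(long)` casts unstated; I would move it into a named predicate and keep the branch to `if (!isFrameWithinCanvas(fctl, canvasWidth, canvasHeight)) {` followed by the existing `throw`. The checks themselves look complete for the frame: positive size, capped at `MAX_DIMENSION`, non-negative offsets, and offset plus size inside the canvas, with the sums done in `long` so an `x_offset` near `Integer.MAX_VALUE` cannot wrap and slip past the comparison — that last reason deserves a comment either way. The guard is only as strong as `canvasWidth` and `canvasHeight`, which are set outside the hunk; if they are taken from the IHDR chunk without their own `> 0` / `<= MAX_DIMENSION` treatment, that should be confirmed separately, since this hunk constrains frames only relative to them. The enclosing parsing method starts and ends outside the hunk.
```java
/**
 * Returns {@code true} when the frame described by {@code fctl} has positive dimensions no larger
 * than {@code MAX_DIMENSION} and lies entirely inside the canvas. The offset-plus-size sums are
 * computed in {@code long} so a hostile offset near {@code Integer.MAX_VALUE} cannot wrap to a
 * small value and pass the bounds check.
 */
private static boolean isFrameWithinCanvas(FCTLChunk fctl, int canvasWidth, int canvasHeight) {
    return fctl.width > 0 && fctl.height > 0
        && fctl.width <= MAX_DIMENSION && fctl.height <= MAX_DIMENSION
        && fctl.x_offset >= 0 && fctl.y_offset >= 0
        && (long) fctl.x_offset + fctl.width <= canvasWidth
        && (long) fctl.y_offset + fctl.height <= canvasHeight;
}
```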