From 1660a1ca78995ae279efb78897d34cd20c4b09ea Mon Sep 17 00:00:00 2001
From: ChrisCoxArt <ccox@comcast.net>
Date: Wed, 10 Jun 2026 17:07:45 -0700
Subject: [PATCH] check calculated sizes to prevent overflow

Fixes #1287
---
 IccProfLib/IccTagLut.cpp | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/IccProfLib/IccTagLut.cpp b/IccProfLib/IccTagLut.cpp
index 4e397f071..23c124cdd 100644
--- a/IccProfLib/IccTagLut.cpp
+++ b/IccProfLib/IccTagLut.cpp
@@ -1951,11 +1951,20 @@ bool CIccCLUT::Init(const icUInt8Number *pGridPoints, icUInt32Number nMaxSize, i
   m_DimSize[i] = m_nOutput;
   nNumPoints = m_GridPoints[i];
   for (i--; i>=0; i--) {
-    m_DimSize[i] = m_DimSize[i+1] * m_GridPoints[i+1];
+    size_t dim1 = m_DimSize[i+1];
+    size_t fullSize = dim1 * m_GridPoints[i+1];
+    if (fullSize > 0xFFFFFFFFu)
+        return false;
+    m_DimSize[i] = (icUInt32Number)fullSize;
     nNumPoints *= m_GridPoints[i];
-    if (nMaxSize && nNumPoints * m_nOutput * nBytesPerPoint > nMaxSize)
+    // carefullly protect against 64 bit overflow
+    if (nMaxSize && (nNumPoints > nMaxSize || nNumPoints * m_nOutput > nMaxSize
+            || nNumPoints * m_nOutput * nBytesPerPoint > nMaxSize) )
       return false;
   }
+
+  if (nNumPoints > 0xFFFFFFFFu)
+    return false;
   m_nNumPoints = (icUInt32Number)nNumPoints;
 
   // Use 64-bit math to catch overflows even when no nMaxSize was