From 55b6bb4d5afe249677c3f276094a0a0fa1f103d7 Mon Sep 17 00:00:00 2001
From: alhudz <al.hudz.k@gmail.com>
Date: Fri, 5 Jun 2026 20:32:11 +0530
Subject: [PATCH] fix int overflow in pcx image buffer sizing

---
 .../apache/commons/imaging/formats/pcx/PcxImageParser.java  | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/main/java/org/apache/commons/imaging/formats/pcx/PcxImageParser.java b/src/main/java/org/apache/commons/imaging/formats/pcx/PcxImageParser.java
index a158ac8d4d..625ecda992 100644
--- a/src/main/java/org/apache/commons/imaging/formats/pcx/PcxImageParser.java
+++ b/src/main/java/org/apache/commons/imaging/formats/pcx/PcxImageParser.java
@@ -311,7 +311,7 @@ private BufferedImage readImage(final PcxHeader pcxHeader, final InputStream is,
         if ((pcxHeader.bitsPerPixel == 1 || pcxHeader.bitsPerPixel == 2 || pcxHeader.bitsPerPixel == 4 || pcxHeader.bitsPerPixel == 8)
                 && pcxHeader.nPlanes == 1) {
             final int bytesPerImageRow = (xSize * pcxHeader.bitsPerPixel + 7) / 8;
-            final byte[] image = Allocator.byteArray(ySize * bytesPerImageRow);
+            final byte[] image = Allocator.byteArray((long) ySize * bytesPerImageRow);
             for (int y = 0; y < ySize; y++) {
                 rleReader.read(is, scanline);
                 System.arraycopy(scanline, 0, image, y * bytesPerImageRow, bytesPerImageRow);
@@ -370,7 +370,7 @@ private BufferedImage readImage(final PcxHeader pcxHeader, final InputStream is,
         }
         if (pcxHeader.bitsPerPixel == 8 && pcxHeader.nPlanes == 3) {
             final byte[][] image = new byte[3][];
-            final int xySize = xSize * ySize;
+            final long xySize = (long) xSize * ySize;
             image[0] = Allocator.byteArray(xySize);
             image[1] = Allocator.byteArray(xySize);
             image[2] = Allocator.byteArray(xySize);
@@ -390,7 +390,7 @@ private BufferedImage readImage(final PcxHeader pcxHeader, final InputStream is,
             throw new ImagingException("Invalid/unsupported image with bitsPerPixel " + pcxHeader.bitsPerPixel + " and planes " + pcxHeader.nPlanes);
         }
         final int rowLength = 3 * xSize;
-        final byte[] image = Allocator.byteArray(rowLength * ySize);
+        final byte[] image = Allocator.byteArray((long) rowLength * ySize);
         for (int y = 0; y < ySize; y++) {
             rleReader.read(is, scanline);
             if (pcxHeader.bitsPerPixel == 24) {