diff -urNp old/plug-ins/file-fli/fli.c new/plug-ins/file-fli/fli.c

--- old/plug-ins/file-fli/fli.c	2018-01-04 12:19:54.714139464 +0100

+++ new/plug-ins/file-fli/fli.c	2018-01-04 12:34:18.568323629 +0100

@@ -25,6 +25,8 @@

 #include "config.h"

+#include <glib/gstdio.h>

+

 #include <string.h>

 #include <stdio.h>

@@ -461,23 +463,27 @@ void fli_read_brun(FILE *f, s_fli_header

 	unsigned short yc;

 	unsigned char *pos;

 	for (yc=0; yc < fli_header->height; yc++) {

-		unsigned short xc, pc, pcnt;

+		unsigned short pc, pcnt;

+                size_t n, xc;

 		pc=fli_read_char(f);

 		xc=0;

 		pos=framebuf+(fli_header->width * yc);

+                n=(size_t)fli_header->width * (fli_header->height-yc);

 		for (pcnt=pc; pcnt>0; pcnt--) {

 			unsigned short ps;

 			ps=fli_read_char(f);

 			if (ps & 0x80) {

 				unsigned short len;

-				for (len=-(signed char)ps; len>0; len--) {

+				for (len=-(signed char)ps; len>0 && xc

 					pos[xc++]=fli_read_char(f);

 				}

 			} else {

 				unsigned char val;

+                                size_t len;

+                                len=MIN(n-xc,ps);

 				val=fli_read_char(f);

-				memset(&(pos[xc]), val, ps);

-				xc+=ps;

+				memset(&(pos[xc]), val, len);

+				xc+=len;

 			}

 		}

 	}

@@ -564,25 +570,34 @@ void fli_read_lc(FILE *f, s_fli_header *

 	memcpy(framebuf, old_framebuf, fli_header->width * fli_header->height);

 	firstline = fli_read_short(f);

 	numline = fli_read_short(f);

+        if (numline > fli_header->height || fli_header->height-numline < firstline)

+                return;

+

 	for (yc=0; yc < numline; yc++) {

-		unsigned short xc, pc, pcnt;

+		unsigned short pc, pcnt;

+                size_t n, xc;

 		pc=fli_read_char(f);

 		xc=0;

 		pos=framebuf+(fli_header->width * (firstline+yc));

+                n=(size_t)fli_header->width * (fli_header->height-firstline-yc);

 		for (pcnt=pc; pcnt>0; pcnt--) {

 			unsigned short ps,skip;

 			skip=fli_read_char(f);

 			ps=fli_read_char(f);

-			xc+=skip;

+			xc+=MIN(n-xc,skip);

 			if (ps & 0x80) {

 				unsigned char val;

+                                size_t len;

 				ps=-(signed char)ps;

 				val=fli_read_char(f);

-				memset(&(pos[xc]), val, ps);

-				xc+=ps;

+                                len=MIN(n-xc,ps);

+				memset(&(pos[xc]), val, len);

+				xc+=len;

 			} else {

-				fread(&(pos[xc]), ps, 1, f);

-				xc+=ps;

+                                size_t len;

+                                len=MIN(n-xc,ps);

+				fread(&(pos[xc]), len, 1, f);

+				xc+=len;

 			}

 		}

 	}

@@ -689,7 +704,8 @@ void fli_read_lc_2(FILE *f, s_fli_header

 	yc=0;

 	numline = fli_read_short(f);

 	for (lc=0; lc < numline; lc++) {

-		unsigned short xc, pc, pcnt, lpf, lpn;

+		unsigned short pc, pcnt, lpf, lpn;

+                size_t n, xc;

 		pc=fli_read_short(f);

 		lpf=0; lpn=0;

 		while (pc & 0x8000) {

@@ -700,26 +716,30 @@ void fli_read_lc_2(FILE *f, s_fli_header

 			}

 			pc=fli_read_short(f);

 		}

+                yc=MIN(yc, fli_header->height);

 		xc=0;

 		pos=framebuf+(fli_header->width * yc);

+                n=(size_t)fli_header->width * (fli_header->height-yc);

 		for (pcnt=pc; pcnt>0; pcnt--) {

 			unsigned short ps,skip;

 			skip=fli_read_char(f);

 			ps=fli_read_char(f);

-			xc+=skip;

+			xc+=MIN(n-xc,skip);

 			if (ps & 0x80) {

 				unsigned char v1,v2;

 				ps=-(signed char)ps;

 				v1=fli_read_char(f);

 				v2=fli_read_char(f);

-				while (ps>0) {

+				while (ps>0 && xc+1

 					pos[xc++]=v1;

 					pos[xc++]=v2;

 					ps--;

 				}

 			} else {

-				fread(&(pos[xc]), ps, 2, f);

-				xc+=ps << 1;

+                                size_t len;

+                                len=MIN((n-xc)/2,ps);

+				fread(&(pos[xc]), len, 2, f);

+				xc+=len << 1;

 			}

 		}

 		if (lpf) pos[xc]=lpn;