diff -up rabbitmq-c-0.8.0/librabbitmq/amqp_connection.c.me rabbitmq-c-0.8.0/librabbitmq/amqp_connection.c
--- rabbitmq-c-0.8.0/librabbitmq/amqp_connection.c.me	2020-03-04 14:23:48.842930475 +0100
+++ rabbitmq-c-0.8.0/librabbitmq/amqp_connection.c	2020-03-04 14:27:56.678381483 +0100
@@ -296,11 +296,21 @@ int amqp_handle_input(amqp_connection_st
   case CONNECTION_STATE_HEADER: {
     amqp_channel_t channel;
     amqp_pool_t *channel_pool;
-    /* frame length is 3 bytes in */
+    uint32_t frame_size;
+
     channel = amqp_d16(raw_frame, 1);
 
-    state->target_size
-      = amqp_d32(raw_frame, 3) + HEADER_SIZE + FOOTER_SIZE;
+    /* frame length is 3 bytes in */
+    frame_size = amqp_d32(raw_frame, 3);
+    /* To prevent the target_size calculation below from overflowing, check
+     * that the stated frame_size is smaller than a signed 32-bit. Given
+     * the library only allows configuring frame_max as an int32_t, and
+     * frame_size is uint32_t, the math below is safe from overflow. */
+    if (frame_size >= INT32_MAX) {
+      return AMQP_STATUS_BAD_AMQP_DATA;
+    }
+
+    state->target_size = frame_size + HEADER_SIZE + FOOTER_SIZE;
 
     if ((size_t)state->frame_max < state->target_size) {
       return AMQP_STATUS_BAD_AMQP_DATA;