diff --git a/src/mux/muxi.h b/src/mux/muxi.h

index 6b57eea..14fd6e2 100644

--- a/src/mux/muxi.h

+++ b/src/mux/muxi.h

@@ -14,6 +14,7 @@

 #ifndef WEBP_MUX_MUXI_H_

 #define WEBP_MUX_MUXI_H_

+#include <assert.h>

 #include <stdlib.h>

 #include "src/dec/vp8i_dec.h"

 #include "src/dec/vp8li_dec.h"

@@ -143,13 +144,13 @@

 // Returns size of the chunk including chunk header and padding byte (if any).

 static WEBP_INLINE size_t SizeWithPadding(size_t chunk_size) {

+  assert(chunk_size <= MAX_CHUNK_PAYLOAD);

   return CHUNK_HEADER_SIZE + ((chunk_size + 1) & ~1U);

 }

 // Size of a chunk including header and padding.

 static WEBP_INLINE size_t ChunkDiskSize(const WebPChunk* chunk) {

   const size_t data_size = chunk->data_.size;

-  assert(data_size < MAX_CHUNK_PAYLOAD);

   return SizeWithPadding(data_size);

 }

diff --git a/src/mux/muxread.c b/src/mux/muxread.c

index eb5070b..ef50dae 100644

--- a/src/mux/muxread.c

+++ b/src/mux/muxread.c

@@ -59,6 +59,7 @@

   // Sanity checks.

   if (data_size < CHUNK_HEADER_SIZE) return WEBP_MUX_NOT_ENOUGH_DATA;

   chunk_size = GetLE32(data + TAG_SIZE);

+  if (chunk_size > MAX_CHUNK_PAYLOAD) return WEBP_MUX_BAD_DATA;

   {

     const size_t chunk_disk_size = SizeWithPadding(chunk_size);

@@ -203,9 +204,14 @@

     goto Err;  // First chunk should be VP8, VP8L or VP8X.

   }

-  riff_size = SizeWithPadding(GetLE32(data + TAG_SIZE));

+  riff_size = GetLE32(data + TAG_SIZE);

+  if (riff_size > MAX_CHUNK_PAYLOAD) goto Err;

+

+  // Note this padding is historical and differs from demux.c which does not

+  // pad the file size.

+  riff_size = SizeWithPadding(riff_size);

   if (riff_size < CHUNK_HEADER_SIZE) goto Err;

-  if (riff_size > MAX_CHUNK_PAYLOAD || riff_size > size) goto Err;

+  if (riff_size > size) goto Err;

   // There's no point in reading past the end of the RIFF chunk.

   if (size > riff_size + CHUNK_HEADER_SIZE) {

     size = riff_size + CHUNK_HEADER_SIZE;