diff -up libwebp-0.3.0/src/dec/buffer.c.old libwebp-0.3.0/src/dec/buffer.c
--- libwebp-0.3.0/src/dec/buffer.c.old	2021-05-17 12:37:43.268514218 +0200
+++ libwebp-0.3.0/src/dec/buffer.c	2021-05-17 12:38:27.435859390 +0200
@@ -35,6 +35,11 @@ static int IsValidColorspace(int webp_cs
   return (webp_csp_mode >= MODE_RGB && webp_csp_mode < MODE_LAST);
 }
 
+// strictly speaking, the very last (or first, if flipped) row
+// doesn't require padding.
+#define MIN_BUFFER_SIZE(WIDTH, HEIGHT, STRIDE)       \
+    ((uint64_t)(STRIDE) * ((HEIGHT) - 1) + (WIDTH))
+
 static VP8StatusCode CheckDecBuffer(const WebPDecBuffer* const buffer) {
   int ok = 1;
   const WEBP_CSP_MODE mode = buffer->colorspace;
@@ -64,7 +69,9 @@ static VP8StatusCode CheckDecBuffer(cons
     }
   } else {    // RGB checks
     const WebPRGBABuffer* const buf = &buffer->u.RGBA;
-    const uint64_t size = (uint64_t)buf->stride * height;
+    const int stride = abs(buf->stride);
+    const uint64_t size =
+        MIN_BUFFER_SIZE(width * kModeBpp[mode], height, stride);
     ok &= (size <= buf->size);
     ok &= (buf->stride >= width * kModeBpp[mode]);
     ok &= (buf->rgba != NULL);