fix: prevent integer overflow and OOB write in PSDDecoder

libs/image/src/LinearImage.cpp

@@ -16,14 +16,22 @@
 
 #include <image/LinearImage.h>
 
+#include <utils/Panic.h>
+
 #include <cstring> // for memset
 #include <memory>
 
+#include <new>
+#include <limits>
+
 namespace image  {
 
 struct LinearImage::SharedReference {
     SharedReference(uint32_t width, uint32_t height, uint32_t channels) {
-        const uint32_t nfloats = width * height * channels;
+        const uint64_t nfloats64 = (uint64_t)width * (uint64_t)height * (uint64_t)channels;
+        FILAMENT_CHECK_PRECONDITION(nfloats64 <= UINT32_MAX && nfloats64 <= (std::numeric_limits<size_t>::max() / sizeof(float)))
+                << "LinearImage allocation size is too large";
+        const uint32_t nfloats = (uint32_t)nfloats64;
         float* floats = new float[nfloats];
         memset(floats, 0, sizeof(float) * nfloats);
         pixels = std::shared_ptr<float>(floats, std::default_delete<float[]>());

libs/imageio/src/ImageDecoder.cpp

@@ -373,6 +373,19 @@ LinearImage PSDDecoder::decode() {
         uint32_t width = ntohl(h.width);
         uint32_t height = ntohl(h.height);
 
+        if (width == 0 || height == 0) {
+            throw std::runtime_error("invalid PSD dimensions: width and height must be non-zero");
+        }
+
+        // According to the PSD format specification, the maximum supported dimension 
+        // for a PSD file is 30,000 pixels. Images larger than 30,000 pixels require 
+        // the PSB (Photoshop Big) format, which is currently not supported.
+        // Enforcing this limit natively prevents integer overflow vulnerabilities 
+        // during subsequent memory allocation.
+        if (width > 30000 || height > 30000) {
+            throw std::runtime_error("PSD dimensions exceed maximum allowed size (30,000 pixels)");
+        }
+
         uint32_t length;
 
         // color mode data section