Index: LibRaw-0.18.9/libraw/libraw_const.h
===================================================================
--- LibRaw-0.18.9.orig/libraw/libraw_const.h
+++ LibRaw-0.18.9/libraw/libraw_const.h
@@ -30,6 +30,11 @@ it under the terms of the one of two lic
 #define LIBRAW_MAX_THUMBNAIL_MB 512L
 #endif
 
+/* max data size for known foveon cameras: 30mpix * 3 channels * 2 bytes = 180Mb, so 512Mb is OK for everything until/if new cameras will arrive */
+#ifndef LIBRAW_X3F_ALLOC_LIMIT_MB
+#define LIBRAW_X3F_ALLOC_LIMIT_MB 512ULL
+#endif
+
 enum LibRaw_whitebalance_code
 {
 /*
@@ -205,7 +210,8 @@ enum LibRaw_exceptions
     LIBRAW_EXCEPTION_CANCELLED_BY_CALLBACK=6,
     LIBRAW_EXCEPTION_BAD_CROP =7,
     LIBRAW_EXCEPTION_IO_BADFILE =8,
-    LIBRAW_EXCEPTION_DECODE_JPEG2000=9
+    LIBRAW_EXCEPTION_DECODE_JPEG2000=9,
+    LIBRAW_EXCEPTION_TOOBIG = 10
 };
 
 enum LibRaw_progress
Index: LibRaw-0.18.9/internal/libraw_x3f.cpp
===================================================================
--- LibRaw-0.18.9.orig/internal/libraw_x3f.cpp
+++ LibRaw-0.18.9/internal/libraw_x3f.cpp
@@ -474,6 +474,37 @@ x3f_return_t x3f_delete(x3f_t *x3f);
 /* Reading and writing - assuming little endian in the file              */
 /* --------------------------------------------------------------------- */
 
+static void *x3f_limited_malloc(UINT64 sz)
+{
+  if (sz > LIBRAW_X3F_ALLOC_LIMIT_MB * 1024ULL * 1024ULL)
+    throw LIBRAW_EXCEPTION_TOOBIG;
+  void *ret = malloc(sz);
+  if (!ret)
+    throw LIBRAW_EXCEPTION_ALLOC;
+  return ret;
+}
+
+static void *x3f_limited_calloc(UINT64 n, UINT64 sz)
+{
+  if (sz * n > LIBRAW_X3F_ALLOC_LIMIT_MB * 1024ULL * 1024ULL)
+    throw LIBRAW_EXCEPTION_TOOBIG;
+  void *ret = calloc(n, sz);
+  if (!ret)
+    throw LIBRAW_EXCEPTION_ALLOC;
+  return ret;
+}
+
+static void *x3f_limited_realloc(void *ptr, UINT64 sz)
+{
+  if (sz > LIBRAW_X3F_ALLOC_LIMIT_MB * 1024ULL * 1024ULL)
+    throw LIBRAW_EXCEPTION_TOOBIG;
+  void *ret = realloc(ptr, sz);
+  if (!ret)
+    throw LIBRAW_EXCEPTION_ALLOC;
+  return ret;
+}
+
+
 static int x3f_get1(LibRaw_abstract_datastream *f)
 {
 	/* Little endian file */
@@ -583,7 +614,7 @@ static void new_huffman_tree(x3f_hufftre
 
   HTP->free_node_index = 0;
   HTP->nodes = (x3f_huffnode_t *)
-    calloc(1, HUF_TREE_MAX_NODES(leaves)*sizeof(x3f_huffnode_t));
+    x3f_limited_calloc(1, HUF_TREE_MAX_NODES(leaves)*sizeof(x3f_huffnode_t));
 }
 
 /* --------------------------------------------------------------------- */
@@ -608,7 +639,7 @@ static void cleanup_true(x3f_true_t **TR
 
 static x3f_true_t *new_true(x3f_true_t **TRUP)
 {
-  x3f_true_t *TRU = (x3f_true_t *)calloc(1, sizeof(x3f_true_t));
+  x3f_true_t *TRU = (x3f_true_t *)x3f_limited_calloc(1, sizeof(x3f_true_t));
 
   cleanup_true(TRUP);
 
@@ -639,7 +670,7 @@ static void cleanup_quattro(x3f_quattro_
 
 static x3f_quattro_t *new_quattro(x3f_quattro_t **QP)
 {
-  x3f_quattro_t *Q = (x3f_quattro_t *)calloc(1, sizeof(x3f_quattro_t));
+  x3f_quattro_t *Q = (x3f_quattro_t *)x3f_limited_calloc(1, sizeof(x3f_quattro_t));
   int i;
 
   cleanup_quattro(QP);
@@ -682,7 +713,7 @@ static void cleanup_huffman(x3f_huffman_
 
 static x3f_huffman_t *new_huffman(x3f_huffman_t **HUFP)
 {
-  x3f_huffman_t *HUF = (x3f_huffman_t *)calloc(1, sizeof(x3f_huffman_t));
+  x3f_huffman_t *HUF = (x3f_huffman_t *)x3f_limited_calloc(1, sizeof(x3f_huffman_t));
 
   cleanup_huffman(HUFP);
 
@@ -1570,7 +1601,7 @@ static uint32_t read_data_block(void **d
 	if (fpos + size > I->input.file->size())
 		throw LIBRAW_EXCEPTION_IO_CORRUPT;
 
-	*data = (void *)malloc(size);
+	*data = (void *)x3f_limited_malloc(size);
 
 	GETN(*data, size);
 
@@ -1703,35 +1734,35 @@ static void x3f_load_true(x3f_info_t *I,
 			uint32_t columns = Q->plane[0].columns;
 			uint32_t rows = Q->plane[0].rows;
 			uint32_t channels = 3;
-			uint32_t size = columns * rows * channels;
+			UINT64 size = UINT64(columns) * UINT64(rows) * UINT64(channels);
 
 			TRU->x3rgb16.columns = columns;
 			TRU->x3rgb16.rows = rows;
 			TRU->x3rgb16.channels = channels;
 			TRU->x3rgb16.row_stride = columns * channels;
-			TRU->x3rgb16.buf = malloc(sizeof(uint16_t)*size);
+			TRU->x3rgb16.buf = x3f_limited_malloc(sizeof(uint16_t)*size);
 			TRU->x3rgb16.data = (uint16_t *) TRU->x3rgb16.buf;
 
 			columns = Q->plane[2].columns;
 			rows = Q->plane[2].rows;
 			channels = 1;
-			size = columns * rows * channels;
+			size = UINT64(columns) * UINT64(rows) * UINT64(channels);
 
 			Q->top16.columns = columns;
 			Q->top16.rows = rows;
 			Q->top16.channels = channels;
 			Q->top16.row_stride = columns * channels;
-			Q->top16.buf = malloc(sizeof(uint16_t)*size);
+			Q->top16.buf = x3f_limited_malloc(sizeof(uint16_t)*size);
 			Q->top16.data = (uint16_t *)Q->top16.buf;
 				
 	} else {
-		uint32_t size = ID->columns * ID->rows * 3;
+		UINT64 size = UINT64(ID->columns) * UINT64(ID->rows) * 3ULL;
 
 		TRU->x3rgb16.columns = ID->columns;
 		TRU->x3rgb16.rows = ID->rows;
 		TRU->x3rgb16.channels = 3;
 		TRU->x3rgb16.row_stride = ID->columns * 3;
-		TRU->x3rgb16.buf =malloc(sizeof(uint16_t)*size);
+		TRU->x3rgb16.buf = x3f_limited_malloc(sizeof(uint16_t)*size);
 		TRU->x3rgb16.data = (uint16_t *)TRU->x3rgb16.buf;		
 	}
 
@@ -1786,7 +1817,7 @@ static void x3f_load_huffman(x3f_info_t
 	x3f_directory_entry_header_t *DEH = &DE->header;
 	x3f_image_data_t *ID = &DEH->data_subsection.image_data;
 	x3f_huffman_t *HUF = new_huffman(&ID->huffman);
-	uint32_t size;
+	UINT64 size;
 
 	if (use_map_table) {
 		int table_size = 1<<bits;
@@ -1797,21 +1828,21 @@ static void x3f_load_huffman(x3f_info_t
 	switch (ID->type_format) {
 	case X3F_IMAGE_RAW_HUFFMAN_X530:
 	case X3F_IMAGE_RAW_HUFFMAN_10BIT:
-		size = ID->columns * ID->rows * 3;
+		size = UINT64(ID->columns) * UINT64(ID->rows) * 3ULL;
 		HUF->x3rgb16.columns = ID->columns;
 		HUF->x3rgb16.rows = ID->rows;
 		HUF->x3rgb16.channels = 3;
 		HUF->x3rgb16.row_stride = ID->columns * 3;
-		HUF->x3rgb16.buf = malloc(sizeof(uint16_t)*size);
+		HUF->x3rgb16.buf = x3f_limited_malloc(sizeof(uint16_t)*size);
 		HUF->x3rgb16.data = (uint16_t *)HUF->x3rgb16.buf;
 		break;
 	case X3F_IMAGE_THUMB_HUFFMAN:
-		size = ID->columns * ID->rows * 3;
+		size = UINT64(ID->columns) * UINT64(ID->rows) * 3ULL;
 		HUF->rgb8.columns = ID->columns;
 		HUF->rgb8.rows = ID->rows;
 		HUF->rgb8.channels = 3;
 		HUF->rgb8.row_stride = ID->columns * 3;
-		HUF->rgb8.buf = malloc(sizeof(uint8_t)*size);
+		HUF->rgb8.buf = x3f_limited_malloc(sizeof(uint8_t)*size);
 		HUF->rgb8.data = (uint8_t *)HUF->rgb8.buf;
 		break;
 	default:
@@ -1851,6 +1882,9 @@ static void x3f_load_image(x3f_info_t *I
 	x3f_directory_entry_header_t *DEH = &DE->header;
 	x3f_image_data_t *ID = &DEH->data_subsection.image_data;
 
+        if (ID->rows > 65535 || ID->columns > 65535)
+          throw LIBRAW_EXCEPTION_IO_CORRUPT;
+
 	read_data_set_offset(I, DE, X3F_IMAGE_HEADER_SIZE);
 
 	switch (ID->type_format) {
@@ -1907,7 +1941,7 @@ static void x3f_load_camf_decode_type2(x
 	int i;
 
 	CAMF->decoded_data_size = CAMF->data_size;
-	CAMF->decoded_data = malloc(CAMF->decoded_data_size);
+	CAMF->decoded_data = x3f_limited_malloc(CAMF->decoded_data_size);
 
 	for (i=0; i<CAMF->data_size; i++) {
 		uint8_t old, _new;
@@ -1947,7 +1981,7 @@ static void camf_decode_type4(x3f_camf_t
 
   CAMF->decoded_data_size = dst_size;
 
-  CAMF->decoded_data = malloc(CAMF->decoded_data_size);
+  CAMF->decoded_data = x3f_limited_malloc(CAMF->decoded_data_size);
   memset(CAMF->decoded_data, 0, CAMF->decoded_data_size);
 
   dst = (uint8_t *)CAMF->decoded_data;
@@ -2061,7 +2095,7 @@ static void camf_decode_type5(x3f_camf_t
   int32_t i;
 
   CAMF->decoded_data_size = CAMF->t5.decoded_data_size;
-  CAMF->decoded_data = malloc(CAMF->decoded_data_size);
+  CAMF->decoded_data = x3f_limited_malloc(CAMF->decoded_data_size);
 
   dst = (uint8_t *)CAMF->decoded_data;
 
@@ -2084,7 +2118,7 @@ static void x3f_load_camf_decode_type5(x
   for (i=0, p = (uint8_t*)CAMF->data; *p != 0; i++) {
     /* TODO: Is this too expensive ??*/
     element =
-      (x3f_true_huffman_element_t *)realloc(element, (i+1)*sizeof(*element));
+      (x3f_true_huffman_element_t *)x3f_limited_realloc(element, (i+1)*sizeof(*element));
 
     element[i].code_size = *p++;
     element[i].code = *p++;
@@ -2128,8 +2162,8 @@ static void x3f_setup_camf_property_entr
     entry->property_num = *(uint32_t *)v;
   uint32_t off = *(uint32_t *)(v + 4);
 
-  entry->property_name = (char **)malloc(num*sizeof(uint8_t*));
-  entry->property_value = (uint8_t **)malloc(num*sizeof(uint8_t*));
+  entry->property_name = (char **)x3f_limited_malloc(num*sizeof(uint8_t*));
+  entry->property_value = (uint8_t **)x3f_limited_malloc(num*sizeof(uint8_t*));
 
   for (i=0; i<num; i++) {
     uint32_t name_off = off + *(uint32_t *)(v + 8 + 8*i);
@@ -2182,7 +2216,7 @@ static void get_matrix_copy(camf_entry_t
 		 sizeof(double) :
 		 sizeof(uint32_t)) * elements;
 
-  entry->matrix_decoded = malloc(size);
+  entry->matrix_decoded = x3f_limited_malloc(size);
 
   switch (element_size) {
   case 4:
@@ -2255,7 +2289,7 @@ static void x3f_setup_camf_matrix_entry(
 		entry->matrix_data_off = *(uint32_t *)(v + 8);
 	camf_dim_entry_t *dentry =
 		entry->matrix_dim_entry =
-		(camf_dim_entry_t*)malloc(dim*sizeof(camf_dim_entry_t));
+		(camf_dim_entry_t*)x3f_limited_malloc(dim*sizeof(camf_dim_entry_t));
 
 	for (i=0; i<dim; i++) {
 		uint32_t size =
@@ -2304,7 +2338,7 @@ static void x3f_setup_camf_entries(x3f_c
 		}
 
 		/* TODO: lots of realloc - may be inefficient */
-		entry = (camf_entry_t *)realloc(entry, (i+1)*sizeof(camf_entry_t));
+		entry = (camf_entry_t *)x3f_limited_realloc(entry, (i+1)*sizeof(camf_entry_t));
 
 		/* Pointer */
 		entry[i].entry = p;