Description: xcf: check for some potential integer overflows.
Origin: upstream, https://hg.libsdl.org/SDL_image/rev/fb643e371806

--- a/IMG_xcf.c
+++ b/IMG_xcf.c
@@ -555,6 +555,18 @@ static int do_layer_surface (SDL_Surface * surface, SDL_RWops * src, xcf_header
   SDL_RWseek (src, layer->hierarchy_file_offset, RW_SEEK_SET);
   hierarchy = read_xcf_hierarchy (src);
 
+  if (hierarchy->bpp > 4) {  /* unsupported. */
+    fprintf(stderr, "Unknown Gimp image bpp (%u)\n", (unsigned int) hierarchy->bpp);
+    free_xcf_hierarchy(hierarchy);
+    return 1;
+  }
+
+  if ((hierarchy->width > 20000) || (hierarchy->height > 20000)) {  /* arbitrary limit to avoid integer overflow. */
+    fprintf(stderr, "Gimp image too large (%ux%u)\n", (unsigned int) hierarchy->width, (unsigned int) hierarchy->height);
+    free_xcf_hierarchy(hierarchy);
+    return 1;
+  }
+
   level = NULL;
   for (i = 0; hierarchy->level_file_offsets [i]; i++) {
     SDL_RWseek (src, hierarchy->level_file_offsets [i], RW_SEEK_SET);