From d319c3f426f5fc60da0b4809bcd2c2647a98c1fa Mon Sep 17 00:00:00 2001
From: Niladri Das <125604915+bniladridas@users.noreply.github.com>
Date: Mon, 4 May 2026 19:57:32 +0530
Subject: [PATCH] Potential fix for code scanning alert no. 3235:
 Multiplication result converted to larger type

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 include/stb_image.h | 27 +++++++++++++++++++--------
 1 file changed, 19 insertions(+), 8 deletions(-)

diff --git a/include/stb_image.h b/include/stb_image.h
index be243a51..f5bc154a 100644
--- a/include/stb_image.h
+++ b/include/stb_image.h
@@ -7723,39 +7723,50 @@ static void *stbi__load_gif_main(stbi__context *s, int **delays, int *x, int *y,
         u = 0; // end of animated gif marker
 
       if (u) {
+        size_t alloc_size;
+        size_t delays_alloc;
         *x = g.w;
         *y = g.h;
         ++layers;
         stride = g.w * g.h * 4;
+        alloc_size = (size_t) layers * (size_t) stride;
+        if (alloc_size > (size_t) INT_MAX)
+          return stbi__load_gif_main_outofmem(&g, out, delays);
 
         if (out) {
           void *tmp =
-              (stbi_uc *)STBI_REALLOC_SIZED(out, out_size, layers * stride);
+              (stbi_uc *)STBI_REALLOC_SIZED(out, out_size, alloc_size);
           if (!tmp)
             return stbi__load_gif_main_outofmem(&g, out, delays);
           else {
             out = (stbi_uc *)tmp;
-            out_size = layers * stride;
+            out_size = (int) alloc_size;
           }
 
           if (delays) {
+            delays_alloc = (size_t) layers * sizeof(int);
+            if (delays_alloc > (size_t) INT_MAX)
+              return stbi__load_gif_main_outofmem(&g, out, delays);
             int *new_delays = (int *)STBI_REALLOC_SIZED(*delays, delays_size,
-                                                        sizeof(int) * layers);
+                                                        delays_alloc);
             if (!new_delays)
               return stbi__load_gif_main_outofmem(&g, out, delays);
             *delays = new_delays;
-            delays_size = layers * sizeof(int);
+            delays_size = (int) delays_alloc;
           }
         } else {
-          out = (stbi_uc *)stbi__malloc(layers * stride);
+          out = (stbi_uc *)stbi__malloc(alloc_size);
           if (!out)
             return stbi__load_gif_main_outofmem(&g, out, delays);
-          out_size = layers * stride;
+          out_size = (int) alloc_size;
           if (delays) {
-            *delays = (int *)stbi__malloc(layers * sizeof(int));
+            delays_alloc = (size_t) layers * sizeof(int);
+            if (delays_alloc > (size_t) INT_MAX)
+              return stbi__load_gif_main_outofmem(&g, out, delays);
+            *delays = (int *)stbi__malloc(delays_alloc);
             if (!*delays)
               return stbi__load_gif_main_outofmem(&g, out, delays);
-            delays_size = layers * sizeof(int);
+            delays_size = (int) delays_alloc;
           }
         }
         memcpy(out + ((layers - 1) * stride), u, stride);