Commit 2d28006d1 for imagemagick.org

commit 2d28006d198cb0c1748d7e79d8b4d6a2e12aae16
Author: Cristy <urban-warrior@imagemagick.org>
Date:   Sun Jul 5 09:30:35 2026 -0400

    check for insufficient image data

diff --git a/coders/wpg.c b/coders/wpg.c
index 126949d87..e1f813ebc 100644
--- a/coders/wpg.c
+++ b/coders/wpg.c
@@ -1466,6 +1466,10 @@ static Image *ReadWPGImage(const ImageInfo *image_info,ExceptionInfo *exception)
               image->rows=Bitmap2Header1.Height;
               if (image_info->ping != MagickFalse)
                 return(image);
+              if ((image->columns > GetBlobSize(image)) ||
+                  (image->rows > GetBlobSize(image)))
+                ThrowReaderException(CorruptImageError,
+                  "InsufficientImageDataInFile");
               status=SetImageExtent(image,image->columns,image->rows,exception);
               if (status != MagickFalse)
                 status=ResetImagePixels(image,exception);
diff --git a/coders/xcf.c b/coders/xcf.c
index 99b9d37c1..05c48ce25 100644
--- a/coders/xcf.c
+++ b/coders/xcf.c
@@ -1031,6 +1031,14 @@ static MagickBooleanType ReadOneLayer(const ImageInfo *image_info,Image* image,
   if (outLayer->image == (Image *) NULL)
     return(MagickFalse);
   outLayer->width=outLayer->image->columns;
+  if ((outLayer->image->columns > GetBlobSize(image)) ||
+      (outLayer->image->rows > GetBlobSize(image)))
+    {
+      outLayer->image=DestroyImageList(outLayer->image);
+      (void) ThrowMagickException(exception,GetMagickModule(),CorruptImageError,
+        "InsufficientImageDataInFile","`%s'",image->filename);
+      return(MagickFalse);
+    }
   status=SetImageExtent(outLayer->image,outLayer->image->columns,
     outLayer->image->rows,exception);
   if (status != MagickFalse)
@@ -1186,6 +1194,9 @@ static Image *ReadXCFImage(const ImageInfo *image_info,ExceptionInfo *exception)
   doc_info.file_size=(size_t) GetBlobSize(image);
   image->compression=NoCompression;
   image->depth=8;
+  if ((image->columns > GetBlobSize(image)) ||
+      (image->rows > GetBlobSize(image)))
+    ThrowReaderException(CorruptImageError,"InsufficientImageDataInFile");
   status=SetImageExtent(image,image->columns,image->rows,exception);
   if (status == MagickFalse)
     return(DestroyImageList(image));