matplotlib · arshsmith · Jun 9, 2026
diff --git a/lib/matplotlib/tests/test_ft2font.py b/lib/matplotlib/tests/test_ft2font.py
@@ -35,6 +35,18 @@ def test_ft2image_draw_rect_filled():
             assert np.sum(a) == 255 * filled
 
 
+def test_ft2image_dimension_overflow():
+    import ctypes
+    # Pick width == height such that width * height overflows the C `unsigned
+    # long` used to size the buffer (2**32 on LP64, 2**16 on a 32-bit long).
+    # Without the overflow guard, calloc would under-allocate and
+    # draw_rect_filled would write out of bounds.
+    n = 1 << (ctypes.sizeof(ctypes.c_ulong) * 8 // 2)
+    with pytest.warns(mpl.MatplotlibDeprecationWarning):
+        with pytest.raises((OverflowError, MemoryError)):
+            ft2font.FT2Image(n, n)
+
+
 def test_ft2font_dejavu_attrs():
     file = fm.findfont('DejaVu Sans')
     font = ft2font.FT2Font(file)

diff --git a/src/ft2font.cpp b/src/ft2font.cpp
@@ -6,7 +6,9 @@
 #include <algorithm>
 #include <cstdio>
 #include <iterator>
+#include <limits>
 #include <map>
+#include <new>
 #include <set>
 #include <stdexcept>
 #include <string>
@@ -19,8 +21,18 @@
 FT_Library _ft2Library;
 
 FT2Image::FT2Image(unsigned long width, unsigned long height)
-    : m_buffer((unsigned char *)calloc(width * height, 1)), m_width(width), m_height(height)
+    : m_buffer(nullptr), m_width(width), m_height(height)
 {
+    // Guard against width * height overflowing unsigned long, which would make
+    // calloc allocate a buffer far smaller than m_width * m_height and let
+    // draw_rect_filled write out of bounds.
+    if (width != 0 && height > std::numeric_limits<unsigned long>::max() / width) {
+        throw std::overflow_error("FT2Image dimensions are too large");
+    }
+    m_buffer = (unsigned char *)calloc(width * height, 1);
+    if (m_buffer == nullptr && width != 0 && height != 0) {
+        throw std::bad_alloc();
+    }
 }
 
 FT2Image::~FT2Image()