pptx-react-viewer 1.1.4 → 1.1.5

package/node_modules/emf-converter/dist/index.d.mts

@@ -48,7 +48,7 @@ interface EmfConvertOptions {
  *   a numeric DPI scale (for backward compatibility). Default DPI scale is 2.
  * @returns A `data:image/png;base64,…` string, or `null` on failure.
  */
-declare function convertEmfToDataUrl(buffer: ArrayBuffer, maxWidth?: number, maxHeight?: number, optionsOrDpiScale?: EmfConvertOptions | number): Promise<string | null>;
+declare function convertEmfToDataUrl(buffer: ArrayBuffer, maxWidth?: number, maxHeight?: number, optionsOrDpiScale?: EmfConvertOptions | number, recursionDepth?: number): Promise<string | null>;
 /**
  * Converts a WMF (Windows Metafile) binary buffer to a PNG data-URL string.
  *
@@ -70,7 +70,7 @@ declare function convertEmfToDataUrl(buffer: ArrayBuffer, maxWidth?: number, max
  *   a numeric DPI scale. Default DPI scale is 2.
  * @returns A `data:image/png;base64,…` string, or `null` on failure.
  */
-declare function convertWmfToDataUrl(buffer: ArrayBuffer, maxWidth?: number, maxHeight?: number, optionsOrDpiScale?: EmfConvertOptions | number): Promise<string | null>;
+declare function convertWmfToDataUrl(buffer: ArrayBuffer, maxWidth?: number, maxHeight?: number, optionsOrDpiScale?: EmfConvertOptions | number, recursionDepth?: number): Promise<string | null>;
 
 /**
  * Canvas creation, styling, string reading, stock objects, and export helpers.

package/node_modules/emf-converter/dist/index.d.ts

@@ -48,7 +48,7 @@ interface EmfConvertOptions {
  *   a numeric DPI scale (for backward compatibility). Default DPI scale is 2.
  * @returns A `data:image/png;base64,…` string, or `null` on failure.
  */
-declare function convertEmfToDataUrl(buffer: ArrayBuffer, maxWidth?: number, maxHeight?: number, optionsOrDpiScale?: EmfConvertOptions | number): Promise<string | null>;
+declare function convertEmfToDataUrl(buffer: ArrayBuffer, maxWidth?: number, maxHeight?: number, optionsOrDpiScale?: EmfConvertOptions | number, recursionDepth?: number): Promise<string | null>;
 /**
  * Converts a WMF (Windows Metafile) binary buffer to a PNG data-URL string.
  *
@@ -70,7 +70,7 @@ declare function convertEmfToDataUrl(buffer: ArrayBuffer, maxWidth?: number, max
  *   a numeric DPI scale. Default DPI scale is 2.
  * @returns A `data:image/png;base64,…` string, or `null` on failure.
  */
-declare function convertWmfToDataUrl(buffer: ArrayBuffer, maxWidth?: number, maxHeight?: number, optionsOrDpiScale?: EmfConvertOptions | number): Promise<string | null>;
+declare function convertWmfToDataUrl(buffer: ArrayBuffer, maxWidth?: number, maxHeight?: number, optionsOrDpiScale?: EmfConvertOptions | number, recursionDepth?: number): Promise<string | null>;
 
 /**
  * Canvas creation, styling, string reading, stock objects, and export helpers.

package/node_modules/emf-converter/dist/index.js

@@ -74,6 +74,8 @@ function createTempCanvas(width, height) {
   if (width <= 0 || height <= 0) {
     return null;
   }
+  width = Math.max(1, Math.min(Math.floor(width), 8192));
+  height = Math.max(1, Math.min(Math.floor(height), 8192));
   if (typeof OffscreenCanvas !== "undefined") {
     const canvas = new OffscreenCanvas(width, height);
     const ctx = canvas.getContext("2d");
@@ -134,18 +136,34 @@ function applyFont(ctx, state) {
   ctx.font = `${italic}${weight}${size}px ${state.fontFamily}`;
 }
 function readUtf16LE(view, offset, charCount) {
-  const chars = [];
-  for (let i = 0; i < charCount; i++) {
-    if (offset + i * 2 + 1 >= view.byteLength) {
-      break;
-    }
-    const code = view.getUint16(offset + i * 2, true);
-    if (code === 0) {
-      break;
+  if (charCount <= 0) {
+    return "";
+  }
+  const maxBytes = view.byteLength - offset;
+  if (maxBytes <= 0) {
+    return "";
+  }
+  const usableChars = Math.min(charCount, Math.floor(maxBytes / 2));
+  if (usableChars <= 0) {
+    return "";
+  }
+  let decoded;
+  try {
+    const bytes = new Uint8Array(view.buffer, view.byteOffset + offset, usableChars * 2);
+    decoded = new TextDecoder("utf-16le").decode(bytes);
+  } catch {
+    const chars = [];
+    for (let i = 0; i < usableChars; i++) {
+      const code = view.getUint16(offset + i * 2, true);
+      if (code === 0) {
+        return chars.join("");
+      }
+      chars.push(String.fromCharCode(code));
     }
-    chars.push(String.fromCharCode(code));
+    return chars.join("");
   }
-  return chars.join("");
+  const nul = decoded.indexOf(String.fromCharCode(0));
+  return nul === -1 ? decoded : decoded.slice(0, nul);
 }
 function getStockObject(index) {
   switch (index) {
@@ -2135,7 +2153,12 @@ function applyClipCombineMode(rCtx, combineMode, opName, clipFn) {
       return true;
   }
 }
-function traceRegionNodePath(ctx, node) {
+var MAX_REGION_TRACE_DEPTH = 64;
+function traceRegionNodePath(ctx, node, depth = 0) {
+  if (depth > MAX_REGION_TRACE_DEPTH) {
+    ctx.rect(0, 0, 0, 0);
+    return;
+  }
   switch (node.type) {
     case "rect":
       ctx.rect(node.x, node.y, node.width, node.height);
@@ -2150,7 +2173,7 @@ function traceRegionNodePath(ctx, node) {
       ctx.rect(0, 0, 0, 0);
       break;
     case "combine":
-      traceRegionNodePath(ctx, node.left);
+      traceRegionNodePath(ctx, node.left, depth + 1);
       if (node.combineMode !== 0) {
         emfWarn(
           `traceRegionNodePath: combine mode ${node.combineMode} not fully supported, using left subtree only`
@@ -2161,7 +2184,7 @@ function traceRegionNodePath(ctx, node) {
         } catch {
         }
         ctx.beginPath();
-        traceRegionNodePath(ctx, node.right);
+        traceRegionNodePath(ctx, node.right, depth + 1);
       }
       break;
   }
@@ -2959,19 +2982,23 @@ function handleEmfPlusObjectRecord(rCtx, recFlags, dataOff, recDataSize) {
     }
   }
 }
-function parseRegionNode(view, off, endOff) {
+var MAX_REGION_NODE_DEPTH = 64;
+function parseRegionNode(view, off, endOff, depth = 0) {
   if (off + 4 > endOff) {
     return null;
   }
+  if (depth > MAX_REGION_NODE_DEPTH) {
+    return null;
+  }
   const nodeType = view.getUint32(off, true);
   let cursor = off + 4;
   if (nodeType <= 4) {
-    const leftResult = parseRegionNode(view, cursor, endOff);
+    const leftResult = parseRegionNode(view, cursor, endOff, depth + 1);
     if (!leftResult) {
       return null;
     }
     cursor += leftResult.bytesRead;
-    const rightResult = parseRegionNode(view, cursor, endOff);
+    const rightResult = parseRegionNode(view, cursor, endOff, depth + 1);
     if (!rightResult) {
       return null;
     }
@@ -3361,18 +3388,22 @@ function replayEmfPlusRecords(view, offset, length, ctx, _canvasW, _canvasH, sta
             if (recDataSize >= 4) {
               const totalSize = view.getUint32(dataOff, true);
               const objectType = recFlags >> 8 & 127;
-              rCtx.continuationTotalSize = totalSize;
-              rCtx.continuationObjectId = objectId;
-              rCtx.continuationObjectType = objectType;
-              rCtx.continuationBuffer = new Uint8Array(totalSize);
-              const chunkSize = recDataSize - 4;
-              const chunk = new Uint8Array(
-                view.buffer,
-                view.byteOffset + dataOff + 4,
-                Math.min(chunkSize, totalSize)
-              );
-              rCtx.continuationBuffer.set(chunk, 0);
-              rCtx.continuationOffset = chunk.length;
+              const MAX_CONTINUATION_BYTES = 64 * 1024 * 1024;
+              const remainingEmfPlusBytes = view.byteLength - dataOff;
+              if (!Number.isFinite(totalSize) || totalSize <= 0 || totalSize > MAX_CONTINUATION_BYTES || totalSize > remainingEmfPlusBytes || recDataSize - 4 < 0) ; else {
+                rCtx.continuationTotalSize = totalSize;
+                rCtx.continuationObjectId = objectId;
+                rCtx.continuationObjectType = objectType;
+                rCtx.continuationBuffer = new Uint8Array(totalSize);
+                const chunkSize = recDataSize - 4;
+                const chunk = new Uint8Array(
+                  view.buffer,
+                  view.byteOffset + dataOff + 4,
+                  Math.min(chunkSize, totalSize)
+                );
+                rCtx.continuationBuffer.set(chunk, 0);
+                rCtx.continuationOffset = chunk.length;
+              }
             }
           } else {
             const remaining = rCtx.continuationTotalSize - rCtx.continuationOffset;
@@ -4017,8 +4048,11 @@ function replayWmfRecords(view, ctx, header, canvasW, canvasH) {
 }
 
 // src/emf-converter.ts
-async function processDeferredImages(ctx, deferredImages) {
-  emfLog(`processDeferredImages: processing ${deferredImages.length} deferred images...`);
+var MAX_METAFILE_RECURSION = 3;
+async function processDeferredImages(ctx, deferredImages, recursionDepth = 0) {
+  emfLog(
+    `processDeferredImages: processing ${deferredImages.length} deferred images (recursionDepth=${recursionDepth})...`
+  );
   for (let idx = 0; idx < deferredImages.length; idx++) {
     const img = deferredImages[idx];
     emfLog(
@@ -4037,8 +4071,26 @@ async function processDeferredImages(ctx, deferredImages) {
         img.transform[5]
       );
       if (img.isMetafile) {
+        if (recursionDepth >= MAX_METAFILE_RECURSION) {
+          emfWarn(
+            `  Deferred image [${idx}]: skipping embedded metafile \u2014 recursion depth ${recursionDepth} >= ${MAX_METAFILE_RECURSION}`
+          );
+          continue;
+        }
         emfLog(`  Deferred image [${idx}]: recursively converting embedded metafile...`);
-        const metafileDataUrl = await convertEmfToDataUrl(plainBuffer) ?? await convertWmfToDataUrl(plainBuffer);
+        const metafileDataUrl = await convertEmfToDataUrl(
+          plainBuffer,
+          void 0,
+          void 0,
+          void 0,
+          recursionDepth + 1
+        ) ?? await convertWmfToDataUrl(
+          plainBuffer,
+          void 0,
+          void 0,
+          void 0,
+          recursionDepth + 1
+        );
         if (metafileDataUrl) {
           emfLog(
             `  Deferred image [${idx}]: metafile converted, dataUrl length=${metafileDataUrl.length}`
@@ -4083,7 +4135,10 @@ async function processDeferredImages(ctx, deferredImages) {
   }
   ctx.setTransform(1, 0, 0, 1, 0, 0);
 }
-async function convertEmfToDataUrl(buffer, maxWidth, maxHeight, optionsOrDpiScale) {
+async function convertEmfToDataUrl(buffer, maxWidth, maxHeight, optionsOrDpiScale, recursionDepth = 0) {
+  if (recursionDepth > MAX_METAFILE_RECURSION) {
+    return null;
+  }
   const opts = typeof optionsOrDpiScale === "number" ? { dpiScale: optionsOrDpiScale } : optionsOrDpiScale ?? {};
   const dpiScale = opts.dpiScale ?? DEFAULT_DPI_SCALE;
   const effectiveMaxWidth = maxWidth ?? opts.maxWidth;
@@ -4152,7 +4207,10 @@ async function convertEmfToDataUrl(buffer, maxWidth, maxHeight, optionsOrDpiScal
     return null;
   }
 }
-async function convertWmfToDataUrl(buffer, maxWidth, maxHeight, optionsOrDpiScale) {
+async function convertWmfToDataUrl(buffer, maxWidth, maxHeight, optionsOrDpiScale, recursionDepth = 0) {
+  if (recursionDepth > MAX_METAFILE_RECURSION) {
+    return null;
+  }
   const opts = typeof optionsOrDpiScale === "number" ? { dpiScale: optionsOrDpiScale } : optionsOrDpiScale ?? {};
   const dpiScale = opts.dpiScale ?? DEFAULT_DPI_SCALE;
   const effectiveMaxWidth = maxWidth ?? opts.maxWidth;

package/node_modules/emf-converter/dist/index.mjs

@@ -72,6 +72,8 @@ function createTempCanvas(width, height) {
   if (width <= 0 || height <= 0) {
     return null;
   }
+  width = Math.max(1, Math.min(Math.floor(width), 8192));
+  height = Math.max(1, Math.min(Math.floor(height), 8192));
   if (typeof OffscreenCanvas !== "undefined") {
     const canvas = new OffscreenCanvas(width, height);
     const ctx = canvas.getContext("2d");
@@ -132,18 +134,34 @@ function applyFont(ctx, state) {
   ctx.font = `${italic}${weight}${size}px ${state.fontFamily}`;
 }
 function readUtf16LE(view, offset, charCount) {
-  const chars = [];
-  for (let i = 0; i < charCount; i++) {
-    if (offset + i * 2 + 1 >= view.byteLength) {
-      break;
-    }
-    const code = view.getUint16(offset + i * 2, true);
-    if (code === 0) {
-      break;
+  if (charCount <= 0) {
+    return "";
+  }
+  const maxBytes = view.byteLength - offset;
+  if (maxBytes <= 0) {
+    return "";
+  }
+  const usableChars = Math.min(charCount, Math.floor(maxBytes / 2));
+  if (usableChars <= 0) {
+    return "";
+  }
+  let decoded;
+  try {
+    const bytes = new Uint8Array(view.buffer, view.byteOffset + offset, usableChars * 2);
+    decoded = new TextDecoder("utf-16le").decode(bytes);
+  } catch {
+    const chars = [];
+    for (let i = 0; i < usableChars; i++) {
+      const code = view.getUint16(offset + i * 2, true);
+      if (code === 0) {
+        return chars.join("");
+      }
+      chars.push(String.fromCharCode(code));
     }
-    chars.push(String.fromCharCode(code));
+    return chars.join("");
   }
-  return chars.join("");
+  const nul = decoded.indexOf(String.fromCharCode(0));
+  return nul === -1 ? decoded : decoded.slice(0, nul);
 }
 function getStockObject(index) {
   switch (index) {
@@ -2133,7 +2151,12 @@ function applyClipCombineMode(rCtx, combineMode, opName, clipFn) {
       return true;
   }
 }
-function traceRegionNodePath(ctx, node) {
+var MAX_REGION_TRACE_DEPTH = 64;
+function traceRegionNodePath(ctx, node, depth = 0) {
+  if (depth > MAX_REGION_TRACE_DEPTH) {
+    ctx.rect(0, 0, 0, 0);
+    return;
+  }
   switch (node.type) {
     case "rect":
       ctx.rect(node.x, node.y, node.width, node.height);
@@ -2148,7 +2171,7 @@ function traceRegionNodePath(ctx, node) {
       ctx.rect(0, 0, 0, 0);
       break;
     case "combine":
-      traceRegionNodePath(ctx, node.left);
+      traceRegionNodePath(ctx, node.left, depth + 1);
       if (node.combineMode !== 0) {
         emfWarn(
           `traceRegionNodePath: combine mode ${node.combineMode} not fully supported, using left subtree only`
@@ -2159,7 +2182,7 @@ function traceRegionNodePath(ctx, node) {
         } catch {
         }
         ctx.beginPath();
-        traceRegionNodePath(ctx, node.right);
+        traceRegionNodePath(ctx, node.right, depth + 1);
       }
       break;
   }
@@ -2957,19 +2980,23 @@ function handleEmfPlusObjectRecord(rCtx, recFlags, dataOff, recDataSize) {
     }
   }
 }
-function parseRegionNode(view, off, endOff) {
+var MAX_REGION_NODE_DEPTH = 64;
+function parseRegionNode(view, off, endOff, depth = 0) {
   if (off + 4 > endOff) {
     return null;
   }
+  if (depth > MAX_REGION_NODE_DEPTH) {
+    return null;
+  }
   const nodeType = view.getUint32(off, true);
   let cursor = off + 4;
   if (nodeType <= 4) {
-    const leftResult = parseRegionNode(view, cursor, endOff);
+    const leftResult = parseRegionNode(view, cursor, endOff, depth + 1);
     if (!leftResult) {
       return null;
     }
     cursor += leftResult.bytesRead;
-    const rightResult = parseRegionNode(view, cursor, endOff);
+    const rightResult = parseRegionNode(view, cursor, endOff, depth + 1);
     if (!rightResult) {
       return null;
     }
@@ -3359,18 +3386,22 @@ function replayEmfPlusRecords(view, offset, length, ctx, _canvasW, _canvasH, sta
             if (recDataSize >= 4) {
               const totalSize = view.getUint32(dataOff, true);
               const objectType = recFlags >> 8 & 127;
-              rCtx.continuationTotalSize = totalSize;
-              rCtx.continuationObjectId = objectId;
-              rCtx.continuationObjectType = objectType;
-              rCtx.continuationBuffer = new Uint8Array(totalSize);
-              const chunkSize = recDataSize - 4;
-              const chunk = new Uint8Array(
-                view.buffer,
-                view.byteOffset + dataOff + 4,
-                Math.min(chunkSize, totalSize)
-              );
-              rCtx.continuationBuffer.set(chunk, 0);
-              rCtx.continuationOffset = chunk.length;
+              const MAX_CONTINUATION_BYTES = 64 * 1024 * 1024;
+              const remainingEmfPlusBytes = view.byteLength - dataOff;
+              if (!Number.isFinite(totalSize) || totalSize <= 0 || totalSize > MAX_CONTINUATION_BYTES || totalSize > remainingEmfPlusBytes || recDataSize - 4 < 0) ; else {
+                rCtx.continuationTotalSize = totalSize;
+                rCtx.continuationObjectId = objectId;
+                rCtx.continuationObjectType = objectType;
+                rCtx.continuationBuffer = new Uint8Array(totalSize);
+                const chunkSize = recDataSize - 4;
+                const chunk = new Uint8Array(
+                  view.buffer,
+                  view.byteOffset + dataOff + 4,
+                  Math.min(chunkSize, totalSize)
+                );
+                rCtx.continuationBuffer.set(chunk, 0);
+                rCtx.continuationOffset = chunk.length;
+              }
             }
           } else {
             const remaining = rCtx.continuationTotalSize - rCtx.continuationOffset;
@@ -4015,8 +4046,11 @@ function replayWmfRecords(view, ctx, header, canvasW, canvasH) {
 }
 
 // src/emf-converter.ts
-async function processDeferredImages(ctx, deferredImages) {
-  emfLog(`processDeferredImages: processing ${deferredImages.length} deferred images...`);
+var MAX_METAFILE_RECURSION = 3;
+async function processDeferredImages(ctx, deferredImages, recursionDepth = 0) {
+  emfLog(
+    `processDeferredImages: processing ${deferredImages.length} deferred images (recursionDepth=${recursionDepth})...`
+  );
   for (let idx = 0; idx < deferredImages.length; idx++) {
     const img = deferredImages[idx];
     emfLog(
@@ -4035,8 +4069,26 @@ async function processDeferredImages(ctx, deferredImages) {
         img.transform[5]
       );
       if (img.isMetafile) {
+        if (recursionDepth >= MAX_METAFILE_RECURSION) {
+          emfWarn(
+            `  Deferred image [${idx}]: skipping embedded metafile \u2014 recursion depth ${recursionDepth} >= ${MAX_METAFILE_RECURSION}`
+          );
+          continue;
+        }
         emfLog(`  Deferred image [${idx}]: recursively converting embedded metafile...`);
-        const metafileDataUrl = await convertEmfToDataUrl(plainBuffer) ?? await convertWmfToDataUrl(plainBuffer);
+        const metafileDataUrl = await convertEmfToDataUrl(
+          plainBuffer,
+          void 0,
+          void 0,
+          void 0,
+          recursionDepth + 1
+        ) ?? await convertWmfToDataUrl(
+          plainBuffer,
+          void 0,
+          void 0,
+          void 0,
+          recursionDepth + 1
+        );
         if (metafileDataUrl) {
           emfLog(
             `  Deferred image [${idx}]: metafile converted, dataUrl length=${metafileDataUrl.length}`
@@ -4081,7 +4133,10 @@ async function processDeferredImages(ctx, deferredImages) {
   }
   ctx.setTransform(1, 0, 0, 1, 0, 0);
 }
-async function convertEmfToDataUrl(buffer, maxWidth, maxHeight, optionsOrDpiScale) {
+async function convertEmfToDataUrl(buffer, maxWidth, maxHeight, optionsOrDpiScale, recursionDepth = 0) {
+  if (recursionDepth > MAX_METAFILE_RECURSION) {
+    return null;
+  }
   const opts = typeof optionsOrDpiScale === "number" ? { dpiScale: optionsOrDpiScale } : optionsOrDpiScale ?? {};
   const dpiScale = opts.dpiScale ?? DEFAULT_DPI_SCALE;
   const effectiveMaxWidth = maxWidth ?? opts.maxWidth;
@@ -4150,7 +4205,10 @@ async function convertEmfToDataUrl(buffer, maxWidth, maxHeight, optionsOrDpiScal
     return null;
   }
 }
-async function convertWmfToDataUrl(buffer, maxWidth, maxHeight, optionsOrDpiScale) {
+async function convertWmfToDataUrl(buffer, maxWidth, maxHeight, optionsOrDpiScale, recursionDepth = 0) {
+  if (recursionDepth > MAX_METAFILE_RECURSION) {
+    return null;
+  }
   const opts = typeof optionsOrDpiScale === "number" ? { dpiScale: optionsOrDpiScale } : optionsOrDpiScale ?? {};
   const dpiScale = opts.dpiScale ?? DEFAULT_DPI_SCALE;
   const effectiveMaxWidth = maxWidth ?? opts.maxWidth;

package/node_modules/emf-converter/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "emf-converter",
-	"version": "1.1.4",
+	"version": "1.1.5",
 	"description": "Convert EMF/WMF metafile binaries to PNG data URLs using Canvas",
 	"keywords": [
 		"canvas",

package/node_modules/mtx-decompressor/dist/index.js

@@ -593,14 +593,8 @@ function decodeSimpleGlyph(numContours, streams, out, calcBBox, minX, minY, maxX
     const flag = flagBytes[i];
     onCurve[i] = flag & 128 ? 0 : 1;
     const enc = TRIPLET_ENCODINGS[flag & 127];
-    const extraBytes = enc.byteCount - 1;
-    const subBuf = new Uint8Array(extraBytes);
-    for (let b = 0; b < extraBytes; b++) {
-      subBuf[b] = sGlyph.readU8();
-    }
-    const sub = new Stream(subBuf, extraBytes);
-    let dx = sub.readNBits(enc.xBits) + enc.deltaX;
-    let dy = sub.readNBits(enc.yBits) + enc.deltaY;
+    let dx = sGlyph.readNBits(enc.xBits) + enc.deltaX;
+    let dy = sGlyph.readNBits(enc.yBits) + enc.deltaY;
     if (enc.xSign !== 0) {
       dx *= enc.xSign;
     }
@@ -1158,6 +1152,8 @@ var MAX_2BYTE_DIST = 512;
 var PRELOAD_SIZE = 2 * 32 * 96 + 4 * 256;
 var LEN_MIN = 2;
 var DIST_MIN = 1;
+var MAX_OUT_LEN = 4 * 1024 * 1024;
+var MAX_OUT = 16 * 1024 * 1024;
 var RLE_INITIAL = 0;
 var RLE_NORMAL = 1;
 var RLE_SEEN_ESCAPE = 2;
@@ -1167,6 +1163,9 @@ function setDistRange(length) {
   let distMax = DIST_MIN + ((1 << DIST_WIDTH * numDistRanges) - 1);
   while (distMax < length) {
     numDistRanges++;
+    if (numDistRanges > 8) {
+      throw new Error("LZCOMP setDistRange: numDistRanges exceeds bound (8)");
+    }
     distMax = DIST_MIN + ((1 << DIST_WIDTH * numDistRanges) - 1);
   }
   const DUP2 = 256 + (1 << LEN_WIDTH) * numDistRanges;
@@ -1197,7 +1196,11 @@ function decodeLength(lenEcoder, symbol, numDistRangesOut) {
   let firstTime = true;
   let value = 0;
   let done;
+  let iters = 0;
   do {
+    if (++iters > 16) {
+      throw new Error("LZCOMP decodeLength: iteration cap exceeded");
+    }
     let bits;
     if (firstTime) {
       bits = symbol - 256;
@@ -1236,6 +1239,9 @@ function lzcompDecompress(data, size, version) {
   const distEcoder = new AHuff(bio, 1 << DIST_WIDTH);
   const lenEcoder = new AHuff(bio, 1 << LEN_WIDTH);
   const outLen = bio.readValue(24);
+  if (outLen > MAX_OUT_LEN) {
+    throw new Error(`LZCOMP outLen ${outLen} exceeds maximum (${MAX_OUT_LEN})`);
+  }
   const { DUP2, DUP4, DUP6, NUM_SYMS } = setDistRange(outLen);
   const symEcoder = new AHuff(bio, NUM_SYMS);
   const windowSize = PRELOAD_SIZE + outLen;
@@ -1252,6 +1258,9 @@ function lzcompDecompress(data, size, version) {
     if (!usingRunLength) {
       if (outIdx >= outBufSize) {
         outBufSize += outBufSize >>> 1;
+        if (outBufSize > MAX_OUT) {
+          throw new Error("LZCOMP output exceeds maximum size budget");
+        }
         const tmp = new Uint8Array(outBufSize);
         tmp.set(outBuf);
         outBuf = tmp;
@@ -1270,6 +1279,9 @@ function lzcompDecompress(data, size, version) {
         } else {
           if (outIdx >= outBufSize) {
             outBufSize += outBufSize >>> 1;
+            if (outBufSize > MAX_OUT) {
+              throw new Error("LZCOMP output exceeds maximum size budget");
+            }
             const tmp = new Uint8Array(outBufSize);
             tmp.set(outBuf);
             outBuf = tmp;
@@ -1282,6 +1294,9 @@ function lzcompDecompress(data, size, version) {
         if (rleCount === 0) {
           if (outIdx >= outBufSize) {
             outBufSize += outBufSize >>> 1;
+            if (outBufSize > MAX_OUT) {
+              throw new Error("LZCOMP output exceeds maximum size budget");
+            }
             const tmp = new Uint8Array(outBufSize);
             tmp.set(outBuf);
             outBuf = tmp;
@@ -1295,6 +1310,9 @@ function lzcompDecompress(data, size, version) {
       case RLE_NEED_BYTE: {
         if (outIdx + rleCount > outBufSize) {
           outBufSize = outIdx + rleCount + (outBufSize >>> 1);
+          if (outBufSize > MAX_OUT) {
+            throw new Error("LZCOMP output exceeds maximum size budget");
+          }
           const tmp = new Uint8Array(outBufSize);
           tmp.set(outBuf);
           outBuf = tmp;
@@ -1458,11 +1476,23 @@ function dumpContainer(ctr) {
 // src/mtx-decompress.ts
 var ENCRYPTION_KEY = 80;
 function unpackMtx(data, size) {
+  if (size < 10 || data.length < 10) {
+    throw new Error("MTX data too small: header requires at least 10 bytes");
+  }
   const versionMagic = data[0];
   const offset2 = data[4] << 16 | data[5] << 8 | data[6];
   const offset3 = data[7] << 16 | data[8] << 8 | data[9];
+  if (offset2 < 10 || offset3 < offset2 || offset3 > size) {
+    throw new Error(
+      `MTX header offsets out of bounds: offset2=${offset2}, offset3=${offset3}, size=${size}`
+    );
+  }
   const offsets = [10, offset2, offset3];
-  const blockSizes = [offset2 - 10, offset3 - offset2, size - offset3];
+  const blockSizes = [
+    Math.max(0, offset2 - 10),
+    Math.max(0, offset3 - offset2),
+    Math.max(0, size - offset3)
+  ];
   const streams = [];
   const decompressedSizes = [];
   for (let i = 0; i < 3; i++) {