--- a/libfreerdp/gdi/graphics.c 2018-08-01 21:27:31.000000000 +0800
+++ b/libfreerdp/gdi/graphics.c 2019-04-04 18:48:18.411000000 +0800
@@ -141,11 +141,19 @@ static BOOL gdi_Bitmap_Decompress(rdpCon
 UINT32 SrcSize = length;
 UINT32 SrcFormat;
 rdpGdi* gdi = context->gdi;
+ UINT32 size = DstWidth * DstHeight;
 bitmap->compressed = FALSE;
 bitmap->format = gdi->dstFormat;
- bitmap->length = DstWidth * DstHeight * GetBytesPerPixel(bitmap->format);
 bitmap->data = (BYTE*) _aligned_malloc(bitmap->length, 16);
+ if ((GetBytesPerPixel(bitmap->format) == 0) ||
+ (DstWidth == 0) || (DstHeight == 0) || (DstWidth > UINT32_MAX / DstHeight) ||
+ (size > (UINT32_MAX / GetBytesPerPixel(bitmap->format))))
+ return FALSE;
+ size *= GetBytesPerPixel(bitmap->format);
+ bitmap->length = size;
+
 if (!bitmap->data)
 return FALSE;
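Review bot: The `_aligned_malloc(bitmap->length, 16)` context line still sits above the new overflow checks and above `bitmap->length = size;`, so on the new side the buffer is allocated from whatever `bitmap->length` held on entry (the old assignment that set it was removed), and the subsequent `return FALSE` paths leak that allocation. Any later code that treats `bitmap->length` as the size of `bitmap->data` can then write past a buffer that was allocated with a different, possibly zero or stale, length, which defeats the purpose of the added bounds check. Move the allocation after the length assignment, `bitmap->length = size;` followed by `bitmap->data = (BYTE*) _aligned_malloc(bitmap->length, 16);`, and keep the `if (!bitmap->data) return FALSE;` check after it. Whether the caller zero-initialises `bitmap->length` is not visible here, and gdi_Bitmap_Decompress begins and ends outside the hunk.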