diff --git a/rdbmp.c b/rdbmp.c
index 56470c37..17f0f9cd 100644
--- a/rdbmp.c
+++ b/rdbmp.c
@@ -450,7 +450,7 @@ start_input_bmp(j_compress_ptr cinfo, cjpeg_source_ptr sinfo)
 if (!ReadOK(source->pub.input_file, bmpinfoheader, 4))
 ERREXIT(cinfo, JERR_INPUT_EOF);
 headerSize = GET_4B(bmpinfoheader, 0);
- if (headerSize < 12 || headerSize > 64)
+ if (headerSize < 12 || headerSize > 64 || (headerSize + 14) > bfOffBits)
 ERREXIT(cinfo, JERR_BMP_BADHEADER);
 if (!ReadOK(source->pub.input_file, bmpinfoheader + 4, headerSize - 4))
 ERREXIT(cinfo, JERR_INPUT_EOF);
@@ -577,7 +577,7 @@ start_input_bmp(j_compress_ptr cinfo, cjpeg_source_ptr sinfo)
 ERREXIT(cinfo, JERR_BAD_IN_COLORSPACE);
 if ((unsigned long long)biWidth * 3ULL > 0xFFFFFFFFULL)
 ERREXIT(cinfo, JERR_WIDTH_OVERFLOW);
- row_width = (JDIMENSION)(biWidth * 3);
+ row_width = (JDIMENSION)biWidth * 3;
 break;
 case 32:
 if (cinfo->in_color_space == JCS_UNKNOWN)
@@ -590,7 +590,7 @@ start_input_bmp(j_compress_ptr cinfo, cjpeg_source_ptr sinfo)
 ERREXIT(cinfo, JERR_BAD_IN_COLORSPACE);
 if ((unsigned long long)biWidth * 4ULL > 0xFFFFFFFFULL)
 ERREXIT(cinfo, JERR_WIDTH_OVERFLOW);
- row_width = (JDIMENSION)(biWidth * 4);
+ row_width = (JDIMENSION)biWidth * 4;
 break;
 default:
 ERREXIT(cinfo, JERR_BMP_BADDEPTH);
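Review bot: The literal `14` in the new bound `(headerSize + 14) > bfOffBits` is unexplained at the point of use; it is the length of the BMP file header, so the test rejects files whose declared pixel-data offset would land inside the headers. A comment above the condition would make that intent checkable, for example `/* info header must end at or before bfOffBits (14 = BMP file header size) */`. The addition itself cannot wrap, because short-circuit evaluation has already limited headerSize to 12..64. The declarations of headerSize and bfOffBits are outside this hunk, so confirm they share signedness: with a signed/unsigned mix, an offset with the top bit set would compare as a very large value and pass this test. start_input_bmp begins and continues outside the hunk.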
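Review bot: The new `row_width = (JDIMENSION)biWidth * 3;` line needs a comment saying that the cast is deliberately applied before the multiplication, because the whole fix rests on operator precedence and the line now looks like a candidate for "tidying" back to `(JDIMENSION)(biWidth * 3)`. In the old form the product was computed in biWidth's own type (presumably signed; its declaration is outside the hunk) and could overflow before the conversion, even though the `unsigned long long` guard just above had already accepted the width. Something like `/* convert first so the product is computed in JDIMENSION, not in biWidth's type */` would do. The same comment applies to the `* 4` line for the 32-bit case in the following hunk. The `0xFFFFFFFFULL` limit in the guard also assumes JDIMENSION is at least 32 bits wide, which is worth stating next to it.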