diff --git a/src/scratchpad/src/org/apache/poi/hslf/HSLFSlideShow.java b/src/scratchpad/src/org/apache/poi/hslf/HSLFSlideShow.java
index b9a1a6729..774129a9c 100644
--- a/src/scratchpad/src/org/apache/poi/hslf/HSLFSlideShow.java
+++ b/src/scratchpad/src/org/apache/poi/hslf/HSLFSlideShow.java
@@ -35,6 +35,7 @@ import org.apache.poi.hpsf.MutablePropertySet;
 import org.apache.poi.hpsf.SummaryInformation;
 import org.apache.poi.hpsf.DocumentSummaryInformation;
 
+import org.apache.poi.hslf.exceptions.CorruptPowerPointFileException;
 import org.apache.poi.hslf.exceptions.EncryptedPowerPointFileException;
 import org.apache.poi.hslf.record.*;
 import org.apache.poi.hslf.usermodel.PictureData;
@@ -272,6 +273,13 @@ public class HSLFSlideShow extends POIDocument
             byte[] imgdata = new byte[imgsize];
             System.arraycopy(pictstream, pos, imgdata, 0, imgdata.length);
 
+			// The image size must be 0 or greater
+			// (0 is allowed, but odd, since we do wind on by the header each
+			//  time, so we won't get stuck)
+			if(imgsize < 0) {
+				throw new CorruptPowerPointFileException("The file contains a picture, at position " + p.size() + ", which has a negatively sized data length, so we can't trust any of the picture data");
+			}
+
 			// If they type (including the bonus 0xF018) is 0, skip it
 			if(type == 0) {
 				System.err.println("Problem reading picture: Invalid image type 0, on picture with length" + imgsize + ".\nYou document will probably become corrupted if you save it!");