diff --git a/src/rla.imageio/rlainput.cpp b/src/rla.imageio/rlainput.cpp
index ebc2ad2a29..68ef176f9f 100644
--- a/src/rla.imageio/rlainput.cpp
+++ b/src/rla.imageio/rlainput.cpp
@@ -502,17 +502,22 @@ RLAInput::decode_rle_span(span<unsigned char> buf, int n, int stride,
         int count = (signed char)encoded[e++];
         if (count >= 0) {
             // run count positive: value repeated count+1 times
-            if (count + 1 > n)
+            ++count;
+            if (count > n)
                 break;  // asking for a count that will overrun the buffer
-            for (int i = 0; i <= count; ++i, b += stride, --n)
+            if (e + 1 > elen)
+                break;  // asking for a count will run out of encoded bytes
+            for (int i = 0; i < count; ++i, b += stride, --n)
                 buf[b] = encoded[e];
-            ++e;
+            ++e;  // we consumed exactly one encoded byte
         } else {
             // run count negative: repeat bytes literally
             count = -count;  // make it positive
             if (count > n)
                 break;  // asking for a count that will overrun the buffer
-            for (; count && n > 0 && e < elen; --count, b += stride, --n)
+            if (e + count > elen)
+                break;  // asking for a count will run out of encoded bytes
+            for (int i = 0; i < count; ++i, b += stride, --n)
                 buf[b] = encoded[e++];
         }
     }
diff --git a/testsuite/rla/ref/out.txt b/testsuite/rla/ref/out.txt
index 6e79e9dfc2..8ec7ddff8c 100644
--- a/testsuite/rla/ref/out.txt
+++ b/testsuite/rla/ref/out.txt
@@ -328,5 +328,8 @@ Full command line was:
 oiiotool ERROR: read : "src/crash-5159.rla": Read error: couldn't read RLE data span
 Full command line was:
 > oiiotool src/crash-5159.rla -o crash7.exr
+oiiotool ERROR: read : "src/crash-badrle.rla": Read error: malformed RLE record
+Full command line was:
+> oiiotool src/crash-badrle.rla -o crash8.exr
 Comparing "rlacrop.rla" and "ref/rlacrop.rla"
 PASS
diff --git a/testsuite/rla/run.py b/testsuite/rla/run.py
index e756620863..172efdca7d 100755
--- a/testsuite/rla/run.py
+++ b/testsuite/rla/run.py
@@ -25,5 +25,6 @@
 command += oiiotool("src/crash-1.rla -o crash5.exr", failureok = True)
 command += oiiotool("src/crash-5152.rla -o crash6.exr", failureok = True)
 command += oiiotool("src/crash-5159.rla -o crash7.exr", failureok = True)
+command += oiiotool("src/crash-badrle.rla -o crash8.exr", failureok = True)
 
 outputs = [ "rlacrop.rla", 'out.txt' ]
diff --git a/testsuite/rla/src/crash-badrle.rla b/testsuite/rla/src/crash-badrle.rla
new file mode 100644
index 0000000000..75f256a0e0
Binary files /dev/null and b/testsuite/rla/src/crash-badrle.rla differ