An issue was discovered in psd-tools before 1.9.4. The Cython implementation of RLE decoding did not check for malicious data.