diff --git a/doc/contributions.txt b/doc/contributions.txt
index 1d591e2ec2b88f4ac3c2f3420712c3b893daf639..6e4cd76d775d7486bbd6964b5efb5f4076e6c500 100755
--- a/doc/contributions.txt
+++ b/doc/contributions.txt
@@ -1304,6 +1304,7 @@ Sovereign Engineer
     MAINT-6218
     MAINT-6913
     STORM-2143
+    STORM-2148
 SpacedOut Frye
 	VWR-34
 	VWR-45
diff --git a/indra/llimage/llimagepng.cpp b/indra/llimage/llimagepng.cpp
index a299602d790ddf9fab46d366187bfd92bddfd145..a4823ed859d7a1e4fced1f677bece0cf9b379697 100644
--- a/indra/llimage/llimagepng.cpp
+++ b/indra/llimage/llimagepng.cpp
@@ -124,12 +124,12 @@ bool LLImagePNG::encode(const LLImageRaw* raw_image, F32 encode_time)
 
 	// Temporary buffer to hold the encoded image. Note: the final image
 	// size should be much smaller due to compression.
-	U32 bufferSize = getWidth() * getHeight() * getComponents() + 1024;
+	U32 bufferSize = getWidth() * getHeight() * getComponents() + 8192;
     U8* tmpWriteBuffer = new U8[ bufferSize ];
 
 	// Delegate actual encoding work to wrapper
 	LLPngWrapper pngWrapper;
-	if (! pngWrapper.writePng(raw_image, tmpWriteBuffer))
+	if (!pngWrapper.writePng(raw_image, tmpWriteBuffer, bufferSize))
 	{
 		setLastError(pngWrapper.getErrorMessage());
 		delete[] tmpWriteBuffer;
diff --git a/indra/llimage/llpngwrapper.cpp b/indra/llimage/llpngwrapper.cpp
index da289ea889f796f15a3ba5dcd082b1f0dd33acdb..b2fa0ed3155ef0acaf11b5dd2adff752a91bf697 100644
--- a/indra/llimage/llpngwrapper.cpp
+++ b/indra/llimage/llpngwrapper.cpp
@@ -112,6 +112,11 @@ void LLPngWrapper::readDataCallback(png_structp png_ptr, png_bytep dest, png_siz
 void LLPngWrapper::writeDataCallback(png_structp png_ptr, png_bytep src, png_size_t length)
 {
 	PngDataInfo *dataInfo = (PngDataInfo *) png_get_io_ptr(png_ptr);
+	if (dataInfo->mOffset + length > dataInfo->mDataSize)
+	{
+		png_error(png_ptr, "Data write error. Requested data size exceeds available data size.");
+		return;
+	}
 	U8 *dest = &dataInfo->mData[dataInfo->mOffset];
 	memcpy(dest, src, length);
 	dataInfo->mOffset += static_cast<U32>(length);
@@ -272,7 +277,7 @@ void LLPngWrapper::updateMetaData()
 
 // Method to write raw image into PNG at dest. The raw scanline begins
 // at the bottom of the image per SecondLife conventions.
-BOOL LLPngWrapper::writePng(const LLImageRaw* rawImage, U8* dest)
+BOOL LLPngWrapper::writePng(const LLImageRaw* rawImage, U8* dest, size_t destSize)
 {
 	try
 	{
@@ -313,6 +318,7 @@ BOOL LLPngWrapper::writePng(const LLImageRaw* rawImage, U8* dest)
 		PngDataInfo dataPtr;
 		dataPtr.mData = dest;
 		dataPtr.mOffset = 0;
+		dataPtr.mDataSize = destSize;
 		png_set_write_fn(mWritePngPtr, &dataPtr, &writeDataCallback, &writeFlush);
 
 		// Setup image params
diff --git a/indra/llimage/llpngwrapper.h b/indra/llimage/llpngwrapper.h
index 27d7df3bef9a9af161542a7b2d4077908cbfcd50..8d42317b0f05469d8a3939d35f8c7515b6775f27 100644
--- a/indra/llimage/llpngwrapper.h
+++ b/indra/llimage/llpngwrapper.h
@@ -45,7 +45,7 @@ public:
 
 	BOOL isValidPng(U8* src);
 	BOOL readPng(U8* src, S32 dataSize, LLImageRaw* rawImage, ImageInfo *infop = NULL);
-	BOOL writePng(const LLImageRaw* rawImage, U8* dst);
+	BOOL writePng(const LLImageRaw* rawImage, U8* dst, size_t destSize);
 	U32  getFinalSize();
 	const std::string& getErrorMessage();