An issue exists in psd-tools prior to 1.9.4. The Cython implementation of RLE decoding did not check for malicious data.
psd-tools project psd-tools