diff --git a/ChangeLog b/ChangeLog
index 1374ffad..b7fad021 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -16,6 +16,7 @@
 - prevent over-pre-shrink in thumbnail [kleisauke]
 - fix sharpen with sigma 0.5 [2h4dl]
 - sharpen restores input colourspace
+- verify bands/format for coded images
 
 24/5/19 started 8.8.1
 - improve realpath() use on older libc
diff --git a/libvips/iofuncs/vips.c b/libvips/iofuncs/vips.c
index 9924587d..5b43f101 100644
--- a/libvips/iofuncs/vips.c
+++ b/libvips/iofuncs/vips.c
@@ -25,6 +25,8 @@
  * 	- use O_TMPFILE, if available
  * 23/7/18
  * 	- escape ASCII control characters in XML
+ * 29/8/19
+ * 	- verify bands/format for coded images
  */
 
 /*
@@ -348,8 +350,8 @@ vips__read_header_bytes( VipsImage *im, unsigned char *from )
 	from += 4;
 	if( im->magic != VIPS_MAGIC_INTEL && 
 		im->magic != VIPS_MAGIC_SPARC ) {
-		vips_error( "VipsImage", _( "\"%s\" is not a VIPS image" ), 
-			im->filename );
+		vips_error( "VipsImage", 
+			_( "\"%s\" is not a VIPS image" ), im->filename );
 		return( -1 );
 	}
 
@@ -398,6 +400,36 @@ vips__read_header_bytes( VipsImage *im, unsigned char *from )
 	 * pixel interpretation, don't clip them.
 	 */
 
+	/* Coding values imply Bands and BandFmt settings --- make sure they
+	 * are sane.
+	 */
+	switch( im->Coding ) {
+	case VIPS_CODING_NONE:
+		break;
+
+	case VIPS_CODING_LABQ:
+		if( im->Bands != 4 ||
+			im->BandFmt != VIPS_FORMAT_UCHAR ) {
+			vips_error( "VipsImage", 
+				"%s", _( "malformed LABQ image" ) ); 
+			return( -1 );
+		}
+		break;
+
+	case VIPS_CODING_RAD:
+		if( im->Bands != 4 ||
+			im->BandFmt != VIPS_FORMAT_UCHAR ) {
+			vips_error( "VipsImage", 
+				"%s", _( "malformed RAD image" ) ); 
+			return( -1 );
+		}
+		break;
+
+	default:
+		g_assert_not_reached();
+		break;
+	}
+
 	return( 0 );
 }