diff --git a/src/iff.imageio/iffoutput.cpp b/src/iff.imageio/iffoutput.cpp
index 75d15dcba1..a6106d5f09 100644
--- a/src/iff.imageio/iffoutput.cpp
+++ b/src/iff.imageio/iffoutput.cpp
@@ -679,8 +679,7 @@ IffOutput::compress_verbatim(const uint8_t*& in, uint8_t*& out, int size,
 // copy
 OIIO_DASSERT(out >= out_span.begin() && out < out_span.end());
 *out++ = count - 1;
- OIIO_DASSERT(out >= out_span.begin() && out + count <= out_span.end());
- memcpy(out, in, count);
+ span_memcpy(out, in, size_t(count), out_span, in_span);
 out += count;
 in += count;
diff --git a/src/include/OpenImageIO/span.h b/src/include/OpenImageIO/span.h
index aa794e427d..d92e78e14b 100644
--- a/src/include/OpenImageIO/span.h
+++ b/src/include/OpenImageIO/span.h
@@ -531,6 +531,22 @@ spancpy(span dst, size_t dstoffset, cspan src, size_t srcoffset = 0,
+/// Perform a safe `memcpy(dst, src, n*sizeof(T))` but ensuring that the
+/// memory accesses stay within the boundaries of spans `dst_span` and
+/// `src_span`.
+///
+/// This is intended to be used as a memory-safe replacement for memcpy if
+/// you know the spans representing safe areas.
+template
+inline size_t
+span_memcpy(T* dst, const T* src, size_t n, span dst_span, cspan src_span)
+{
+ return spancpy(dst_span, dst - dst_span.begin(), src_span,
+ src - src_span.begin(), n);
+}
+
+
+
 /// Try to write `n` copies of `val` into `dst[offset...]`. Don't write
 /// outside the span boundaries. Return the number of items actually written,
 /// which should be `n` if the operation was fully successful, but may be less
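Review bot: The return value of `span_memcpy` is discarded in the compress_verbatim hunk, and `out += count; in += count;` still advance by the full `count` even if the copy was shortened to fit the spans. The removed `OIIO_DASSERT` at least reported that case in debug builds; now a short copy is silent, and the next `*out++ = count - 1;` is protected only by a debug-only assertion. I would keep the result, `const size_t copied = span_memcpy(out, in, size_t(count), out_span, in_span);`, and stop encoding when `copied != size_t(count)` instead of advancing the pointers. The function's error path lies outside the hunk, so how that failure is reported has to follow what the rest of compress_verbatim does.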
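Review bot: span_memcpy passes `dst - dst_span.begin()` and `src - src_span.begin()` to spancpy as `size_t` offsets without first checking that the pointers lie inside their spans. A pointer before the span start gives a negative difference that wraps to a very large offset, and a pointer past the end gives an offset larger than the span. Whether spancpy rejects such offsets cannot be seen here, since its body is above the hunk; if it clamps with a `size - offset` subtraction, that would wrap as well and the copy would not be bounded. I would test both pointers against their spans and return 0 when either is outside, as in the excerpt below. The doc comment should also state what is returned (presumably the element count actually copied, which can be less than `n`), so callers know to check it.

```cpp
// … unchanged: doc comment and span_memcpy signature …
{
    // A pointer outside its span must not become an offset: the
    // difference would be negative and wrap when converted to size_t.
    if (dst < dst_span.begin() || dst > dst_span.end()
        || src < src_span.begin() || src > src_span.end())
        return 0;
    return spancpy(dst_span, size_t(dst - dst_span.begin()), src_span,
                   size_t(src - src_span.begin()), n);
}
```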