Commit 3a81c0ec for libheif
commit 3a81c0ecc04ae079ff5f4d84ca865c1718ef20a5
Author: Dirk Farin <dirk.farin@gmail.com>
Date: Thu Mar 5 19:04:56 2026 +0100
fix some potential integer overflows in mask_image
diff --git a/libheif/image-items/mask_image.cc b/libheif/image-items/mask_image.cc
index 1c4357ff..1dca27e0 100644
--- a/libheif/image-items/mask_image.cc
+++ b/libheif/image-items/mask_image.cc
@@ -71,25 +71,20 @@ Error MaskImageCodec::decode_mask_image(const HeifContext* context,
std::shared_ptr<Box_ispe> ispe = image->get_property<Box_ispe>();
std::shared_ptr<Box_mskC> mskC = image->get_property<Box_mskC>();
- uint32_t width = 0;
- uint32_t height = 0;
-
- if (ispe) {
- width = ispe->get_width();
- height = ispe->get_height();
-
- Error error = check_for_valid_image_size(context->get_security_limits(), width, height);
- if (error) {
- return error;
- }
- }
-
if (!ispe || !mskC) {
return Error(heif_error_Unsupported_feature,
heif_suberror_Unsupported_data_version,
"Missing required box for mask codec");
}
+ uint32_t width = ispe->get_width();
+ uint32_t height = ispe->get_height();
+
+ Error error = check_for_valid_image_size(context->get_security_limits(), width, height);
+ if (error) {
+ return error;
+ }
+
if ((mskC->get_bits_per_pixel() != 8) && (mskC->get_bits_per_pixel() != 16))
{
return Error(heif_error_Unsupported_feature,
@@ -97,7 +92,7 @@ Error MaskImageCodec::decode_mask_image(const HeifContext* context,
"Unsupported bit depth for mask item");
}
- if (data.size() < width * height) {
+ if (data.size() / width < height) {
return {heif_error_Invalid_input,
heif_suberror_Unspecified,
"Mask image data is too short"};
@@ -118,7 +113,7 @@ Error MaskImageCodec::decode_mask_image(const HeifContext* context,
}
else
{
- for (uint32_t i = 0; i < height; i++)
+ for (size_t i = 0; i < height; i++)
{
memcpy(dst + i * stride, data.data() + i * width, width);
}