Commit 3afaadb8 for libheif

commit 3afaadb87e8290f2d08861b660cb1a9d39929d9e
Author: Dirk Farin <dirk.farin@gmail.com>
Date:   Sat Mar 7 15:17:54 2026 +0100

    handle 32bit integer overflow when parsing snuc box

diff --git a/libheif/codecs/uncompressed/unc_boxes.cc b/libheif/codecs/uncompressed/unc_boxes.cc
index 4ca144be..d5381863 100644
--- a/libheif/codecs/uncompressed/unc_boxes.cc
+++ b/libheif/codecs/uncompressed/unc_boxes.cc
@@ -1281,6 +1281,12 @@ Error Box_snuc::parse(BitstreamRange& range, const heif_security_limits* limits)
   m_nuc.image_width = range.read32();
   m_nuc.image_height = range.read32();

+  if (m_nuc.image_width == 0 || m_nuc.image_height == 0) {
+    return {heif_error_Invalid_input,
+            heif_suberror_Invalid_parameter_value,
+            "snuc image width and height must be non-zero."};
+  }
+
   uint64_t num_pixels = static_cast<uint64_t>(m_nuc.image_width) * m_nuc.image_height;

   if (limits->max_image_size_pixels && num_pixels > limits->max_image_size_pixels) {
@@ -1289,6 +1295,13 @@ Error Box_snuc::parse(BitstreamRange& range, const heif_security_limits* limits)
             "snuc image dimensions exceed security limit."};
   }

+  // Prevent size_t overflow when computing alloc size (matters on 32-bit systems)
+  if (std::numeric_limits<size_t>::max() / num_pixels < 2 * sizeof(float)) {
+    return {heif_error_Invalid_input,
+            heif_suberror_Security_limit_exceeded,
+            "snuc image memory size exceeds max integer size."};
+  }
+
   Error err = m_memory_handle.alloc(2 * sizeof(float) * num_pixels, limits, "snuc box");
   if (err) {
     return err;