Commit 518bd95f for libheif

commit 518bd95f8853ce27deb41b3ceef6235fc6a0d09c
Author: Anthony Hurtado <amhurtado@pm.me>
Date:   Sun May 17 22:02:06 2026 -0500

    grid: fix OOB read in decode_grid_tile when grid exceeds tile count

    When a grid header declares cols*rows larger than the actual dimg iref
    tile count, the index into m_grid_tile_ids exceeds the vector size.
    The existing assert() is compiled out in Release builds (-DNDEBUG),
    leaving an unguarded out-of-bounds heap read.

    Replace the assert with a runtime bounds check that returns an error.

    Found by: AFL++ fuzzing with custom harness

    Signed-off-by: Anthony Hurtado <amhurtado@pm.me>

diff --git a/libheif/image-items/grid.cc b/libheif/image-items/grid.cc
index e52eeab5..31bb9cc2 100644
--- a/libheif/image-items/grid.cc
+++ b/libheif/image-items/grid.cc
@@ -589,7 +589,11 @@ Result<std::shared_ptr<HeifPixelImage>> ImageItem_Grid::decode_grid_tile(const h
 {
   uint32_t idx = ty * m_grid_spec.get_columns() + tx;

-  assert(idx < m_grid_tile_ids.size());
+  if (idx >= m_grid_tile_ids.size()) {
+    return Error{heif_error_Invalid_input,
+                 heif_suberror_Missing_grid_images,
+                 "Grid tile coordinate out of range"};
+  }

   heif_item_id tile_id = m_grid_tile_ids[idx];
   std::shared_ptr<const ImageItem> tile_item = get_context()->get_image(tile_id, true);
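
Review bot: The new `idx >= m_grid_tile_ids.size()` check at the top of decode_grid_tile guards the vector access but not the coordinates that produce `idx`. A `tx` at or beyond `m_grid_spec.get_columns()` can still give an in-range `idx` and silently select a tile from a different row. Because `idx` is a `uint32_t`, the expression `ty * m_grid_spec.get_columns() + tx` can also wrap back into range if its operands are 32-bit. Consider validating `tx` against the column count and `ty` against the row count before computing `idx`, or computing the index in a wider type. The commit message traces the bug to a grid header whose cols*rows exceeds the dimg tile count, so it would also be worth rejecting that mismatch once when the grid item is loaded, keeping this per-call check as defence in depth for any other code that indexes `m_grid_tile_ids`. The diff touches only grid.cc, so a regression test built from the fuzzer-found input would be a useful addition.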