Commit e1b97646 for libheif

commit e1b976461433bb7e2c5dfcc90de832a16e31c467
Author: Anthony Hurtado <amhurtado@pm.me>
Date:   Sun May 17 22:01:44 2026 -0500

    grid: fix NULL deref in decode_grid_tile on missing tile reference

    When a grid image's dimg iref references a heif_item_id that does not
    exist in the file's item table, get_context()->get_image() returns
    nullptr. decode_grid_tile() dereferenced it without checking, crashing
    any application using per-tile decoding on crafted HEIF input.

    The full-image decode path (decode_full_grid_image) already handles
    this case correctly at line 317. Add the same null check to the
    tile-by-tile path.

    Found by: AFL++ fuzzing with custom harness

    Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
    Signed-off-by: Anthony Hurtado <amhurtado@pm.me>

diff --git a/libheif/image-items/grid.cc b/libheif/image-items/grid.cc
index 08f07c4c..e52eeab5 100644
--- a/libheif/image-items/grid.cc
+++ b/libheif/image-items/grid.cc
@@ -593,6 +593,11 @@ Result<std::shared_ptr<HeifPixelImage>> ImageItem_Grid::decode_grid_tile(const h

   heif_item_id tile_id = m_grid_tile_ids[idx];
   std::shared_ptr<const ImageItem> tile_item = get_context()->get_image(tile_id, true);
+  if (!tile_item) {
+    return Error{heif_error_Invalid_input,
+                 heif_suberror_Missing_grid_images,
+                 "Grid tile references a non-existent item"};
+  }
   if (auto error = tile_item->get_item_error()) {
     return error;
   }