Commit f20c8174 for libheif

commit f20c81745e917b4c496615140385c86d7a2fa58d
Author: Dirk Farin <dirk.farin@gmail.com>
Date:   Mon Apr 13 20:09:26 2026 +0200

    fix: reject malformed sequence files where saiz sample count exceeds actual samples

diff --git a/libheif/sequences/track.cc b/libheif/sequences/track.cc
index ee4f2374..405b6ad3 100644
--- a/libheif/sequences/track.cc
+++ b/libheif/sequences/track.cc
@@ -138,7 +138,9 @@ SampleAuxInfoReader::SampleAuxInfoReader(std::shared_ptr<Box_saiz> saiz,
     for (uint32_t i = 0; i < nSamples; i++) {
       if (!oneChunk && i > chunks[current_chunk]->last_sample_number()) {
         current_chunk++;
-        assert(current_chunk < chunks.size());
+        if (current_chunk >= chunks.size()) {
+          break;
+        }
         offset = saio->get_chunk_offset(current_chunk);
       }

@@ -451,6 +453,14 @@ Error Track::load(const std::shared_ptr<Box_trak>& trak_box)
         };
       }

+      if (saiz->get_num_samples() > m_stsz->num_samples()) {
+        return Error{
+          heif_error_Invalid_input,
+          heif_suberror_Unspecified,
+          "Number of samples in 'saiz' box exceeds actual number of samples."
+        };
+      }
+
       if (aux_info_type == fourcc("suid")) {
         m_aux_reader_content_ids = std::make_unique<SampleAuxInfoReader>(saiz, saio, m_chunks);
       }