Commit 1d0db563 for libheif

commit 1d0db5633e5f196b9d5e11bca20e140476ef5b4e
Author: Dirk Farin <dirk.farin@gmail.com>
Date:   Mon Apr 13 19:57:52 2026 +0200

    fix: prevent uint32 overflow in tiled image tile index computation

diff --git a/libheif/image-items/tiled.cc b/libheif/image-items/tiled.cc
index 4ae467ef..aaccdabd 100644
--- a/libheif/image-items/tiled.cc
+++ b/libheif/image-items/tiled.cc
@@ -22,6 +22,7 @@
 #include "context.h"
 #include "file.h"
 #include <algorithm>
+#include <limits>
 #include "security_limits.h"
 #include "codecs/hevc_dec.h"
 #if WITH_UNCOMPRESSED_CODEC
@@ -883,7 +884,13 @@ ImageItem_Tiled::decode_compressed_image(const heif_decoding_options& options,

 Error ImageItem_Tiled::append_compressed_tile_data(std::vector<uint8_t>& data, uint32_t tx, uint32_t ty) const
 {
-  uint32_t idx = (uint32_t) (ty * nTiles_h(m_tild_header.get_parameters()) + tx);
+  uint64_t idx64 = static_cast<uint64_t>(ty) * nTiles_h(m_tild_header.get_parameters()) + tx;
+  if (idx64 > std::numeric_limits<uint32_t>::max()) {
+    return Error{heif_error_Invalid_input,
+                 heif_suberror_Unspecified,
+                 "Tile index out of range."};
+  }
+  auto idx = static_cast<uint32_t>(idx64);

   if (!m_tild_header.is_tile_offset_known(idx)) {
     Error err = const_cast<ImageItem_Tiled*>(this)->load_tile_offset_entry(idx);