Dev news

Commit 5140879c for libheif

commit 5140879c5d4329351ae937d1e9f8e12703c4ab97
Author: Dirk Farin <dirk.farin@gmail.com>
Date:   Mon Apr 13 01:11:32 2026 +0200

    fix overflows in image size or stride computations

diff --git a/libheif/api/libheif/heif_regions.cc b/libheif/api/libheif/heif_regions.cc
index b54b6952..cacdfdeb 100644
--- a/libheif/api/libheif/heif_regions.cc
+++ b/libheif/api/libheif/heif_regions.cc
@@ -26,6 +26,7 @@
 #include "api_structs.h"
 #include "context.h"
 #include <cstring>
+#include <limits>
 #include <memory>
 #include <vector>
 #include <utility>
@@ -705,7 +706,11 @@ heif_error heif_region_item_add_region_inline_mask(heif_region_item* item,
   region->y = y0;
   region->width = width;
   region->height = height;
-  region->mask_data.resize((width * height + 7) / 8);
+  uint64_t mask_size = (static_cast<uint64_t>(width) * height + 7) / 8;
+  if (mask_size > std::numeric_limits<size_t>::max()) {
+    return {heif_error_Memory_allocation_error, heif_suberror_Security_limit_exceeded, "Inline mask size overflow"};
+  }
+  region->mask_data.resize(static_cast<size_t>(mask_size));
   memset(region->mask_data.data(), 0, region->mask_data.size());

   uint32_t mask_height = mask_image->image->get_height();
diff --git a/libheif/codecs/uncompressed/unc_encoder_rgb_block_pixel_interleave.cc b/libheif/codecs/uncompressed/unc_encoder_rgb_block_pixel_interleave.cc
index 4e5062a7..f448aa78 100644
--- a/libheif/codecs/uncompressed/unc_encoder_rgb_block_pixel_interleave.cc
+++ b/libheif/codecs/uncompressed/unc_encoder_rgb_block_pixel_interleave.cc
@@ -82,7 +82,7 @@ unc_encoder_rgb_block_pixel_interleave::unc_encoder_rgb_block_pixel_interleave(c

 uint64_t unc_encoder_rgb_block_pixel_interleave::compute_tile_data_size_bytes(uint32_t tile_width, uint32_t tile_height) const
 {
-  return tile_width * tile_height * m_bytes_per_pixel;
+  return static_cast<uint64_t>(tile_width) * tile_height * m_bytes_per_pixel;
 }


diff --git a/libheif/codecs/uncompressed/unc_encoder_rgb_bytealign_pixel_interleave.cc b/libheif/codecs/uncompressed/unc_encoder_rgb_bytealign_pixel_interleave.cc
index c46cd7b8..7698941f 100644
--- a/libheif/codecs/uncompressed/unc_encoder_rgb_bytealign_pixel_interleave.cc
+++ b/libheif/codecs/uncompressed/unc_encoder_rgb_bytealign_pixel_interleave.cc
@@ -95,7 +95,7 @@ unc_encoder_rgb_bytealign_pixel_interleave::unc_encoder_rgb_bytealign_pixel_inte

 uint64_t unc_encoder_rgb_bytealign_pixel_interleave::compute_tile_data_size_bytes(uint32_t tile_width, uint32_t tile_height) const
 {
-  return tile_width * tile_height * m_bytes_per_pixel;
+  return static_cast<uint64_t>(tile_width) * tile_height * m_bytes_per_pixel;
 }


diff --git a/libheif/codecs/uncompressed/unc_encoder_rgb_pixel_interleave.cc b/libheif/codecs/uncompressed/unc_encoder_rgb_pixel_interleave.cc
index eb4e6a3b..7741bc2b 100644
--- a/libheif/codecs/uncompressed/unc_encoder_rgb_pixel_interleave.cc
+++ b/libheif/codecs/uncompressed/unc_encoder_rgb_pixel_interleave.cc
@@ -91,7 +91,7 @@ unc_encoder_rgb_pixel_interleave::unc_encoder_rgb_pixel_interleave(const std::sh

 uint64_t unc_encoder_rgb_pixel_interleave::compute_tile_data_size_bytes(uint32_t tile_width, uint32_t tile_height) const
 {
-  return tile_width * tile_height * m_bytes_per_pixel;
+  return static_cast<uint64_t>(tile_width) * tile_height * m_bytes_per_pixel;
 }


diff --git a/libheif/pixelimage.cc b/libheif/pixelimage.cc
index 42e77502..a65bf34b 100644
--- a/libheif/pixelimage.cc
+++ b/libheif/pixelimage.cc
@@ -616,6 +616,12 @@ Error HeifPixelImage::ImageComponent::alloc(uint32_t width, uint32_t height, hei
             "Invalid image size"};
   }

+  if (width == std::numeric_limits<uint32_t>::max() || height == std::numeric_limits<uint32_t>::max()) {
+    return {heif_error_Memory_allocation_error,
+            heif_suberror_Security_limit_exceeded,
+            "Image size too large for memory alignment"};
+  }
+
   // use 16 byte alignment (enough for 128 bit data-types). Every row is an integer number of data-elements.
   uint16_t alignment = 16; // must be power of two

@@ -634,8 +640,14 @@ Error HeifPixelImage::ImageComponent::alloc(uint32_t width, uint32_t height, hei

   int bytes_per_pixel = get_bytes_per_pixel();

-  stride = m_mem_width * bytes_per_pixel;
-  stride = (stride + alignment - 1U) & ~(alignment - 1U);
+  uint64_t stride_64 = static_cast<uint64_t>(m_mem_width) * bytes_per_pixel;
+  stride_64 = (stride_64 + alignment - 1U) & ~static_cast<uint64_t>(alignment - 1U);
+  if (stride_64 > std::numeric_limits<size_t>::max()) {
+    return {heif_error_Memory_allocation_error,
+            heif_suberror_Security_limit_exceeded,
+            "Image stride overflow"};
+  }
+  stride = static_cast<size_t>(stride_64);

   assert(alignment>=1);