Commit 5782bca0 for libheif

commit 5782bca04a70ebc01c59397205a3cfff22841311
Author: Dirk Farin <dirk.farin@gmail.com>
Date:   Mon May 25 12:32:04 2026 +0200

    unci: prevent integer overflow when reading compressed data (GHSA-r7qj-cg5r-r6vf)

diff --git a/libheif/codecs/uncompressed/unc_decoder.cc b/libheif/codecs/uncompressed/unc_decoder.cc
index 92153dd1..c3fdcae3 100644
--- a/libheif/codecs/uncompressed/unc_decoder.cc
+++ b/libheif/codecs/uncompressed/unc_decoder.cc
@@ -165,7 +165,11 @@ const Error unc_decoder::get_compressed_image_data_uncompressed(const DataExtent
     const std::vector<uint8_t> compressed_bytes = std::move(**readResult);

     for (Box_icef::CompressedUnitInfo unit_info : icef_box->get_units()) {
-      if (unit_info.unit_offset + unit_info.unit_size > compressed_bytes.size()) {
+      // Use subtraction form to avoid a uint64_t wrap in 'unit_offset + unit_size',
+      // which could otherwise pass this check and lead to an out-of-bounds read when
+      // constructing the iterators below (GHSA-r7qj-cg5r-r6vf).
+      if (unit_info.unit_offset > compressed_bytes.size() ||
+          unit_info.unit_size > compressed_bytes.size() - unit_info.unit_offset) {
         return Error{
           heif_error_Invalid_input,
           heif_suberror_Unspecified,