Commit 6297de2b for libheif

commit 6297de2b9d74885f5ee1c7cd69875ed21ece170c
Author: Saud Satopay <satopaysaud@gmail.com>
Date:   Fri Jun 19 01:10:53 2026 +0530

    uncompressed: enforce security limits on icef unit allocation

    Box_icef::parse() resized m_unit_infos to the file-controlled num_compressed_units without routing the allocation through the security-limits memory accounting (the existing "// TODO: should we impose some security limit?"). A crafted icef box could therefore drive a very large allocation before the per-unit reads run.

    Allocate via m_memory_handle.alloc(num_compressed_units, sizeof(CompressedUnitInfo), limits, ...) before the resize, mirroring Box_snuc and the sequence boxes, so the configured heif_security_limits apply.

diff --git a/libheif/codecs/uncompressed/unc_boxes.cc b/libheif/codecs/uncompressed/unc_boxes.cc
index 714a9348..5a9085bf 100644
--- a/libheif/codecs/uncompressed/unc_boxes.cc
+++ b/libheif/codecs/uncompressed/unc_boxes.cc
@@ -833,10 +833,13 @@ Error Box_icef::parse(BitstreamRange& range, const heif_security_limits* limits)
             sstr.str()};
   }

-  // TODO: should we impose some security limit?
-
   // --- read box content

+  if (auto err = m_memory_handle.alloc(num_compressed_units, sizeof(CompressedUnitInfo),
+                                       limits, "icef box compressed unit infos")) {
+    return err;
+  }
+
   m_unit_infos.resize(num_compressed_units);

   for (uint32_t r = 0; r < num_compressed_units; r++) {
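Review bot: The reservation made by the added m_memory_handle.alloc() call is tied to a member that the header hunk declares after m_unit_infos, so on destruction the handle (and presumably its accounting against the limits) is released before the vector holding the actual memory is freed; if MemoryHandle releases its reservation in its destructor, declaring it ahead of the vector would close that window — `MemoryHandle m_memory_handle;` placed above `std::vector<CompressedUnitInfo> m_unit_infos;`. A why-comment at the call site would also help the next reader, since the ordering is the point of the fix: `// Reserve against the security limits before resize() so an oversized num_compressed_units fails here, not in the allocator.` Whether alloc() itself guards the count*size product against overflow is not visible in this hunk and is worth confirming, as num_compressed_units comes from the file. Box_icef::parse continues past the end of the hunk.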
diff --git a/libheif/codecs/uncompressed/unc_boxes.h b/libheif/codecs/uncompressed/unc_boxes.h
index ed99d6bf..c29910bc 100644
--- a/libheif/codecs/uncompressed/unc_boxes.h
+++ b/libheif/codecs/uncompressed/unc_boxes.h
@@ -335,6 +335,7 @@ protected:
   Error parse(BitstreamRange& range, const heif_security_limits* limits) override;

   std::vector<CompressedUnitInfo> m_unit_infos;
+  MemoryHandle m_memory_handle;

 private:
   const uint8_t get_required_offset_code(uint64_t offset) const;