Commit 748b2b76 for libheif
commit 748b2b76e7e3148dfccc3fce3fd53fff3467f9e4
Author: Dirk Farin <dirk.farin@gmail.com>
Date: Fri May 15 20:19:54 2026 +0200
prevent integer underflow in conformance window cropping (#1794)
diff --git a/libheif/codecs/hevc_boxes.cc b/libheif/codecs/hevc_boxes.cc
index c00237f0..ea585321 100644
--- a/libheif/codecs/hevc_boxes.cc
+++ b/libheif/codecs/hevc_boxes.cc
@@ -693,8 +693,15 @@ Error parse_sps_for_hvcC_configuration(const uint8_t* sps, size_t size,
}
if (config->chroma_format == 2) { subH = 2; }
- *width -= subH * (left + right);
- *height -= subV * (top + bottom);
+ const uint64_t crop_w = (uint64_t)subH * ((uint64_t)left + (uint64_t)right);
+ const uint64_t crop_h = (uint64_t)subV * ((uint64_t)top + (uint64_t)bottom);
+ if (crop_w > *width || crop_h > *height) {
+ return Error{heif_error_Invalid_input,
+ heif_suberror_Invalid_parameter_value,
+ "SPS conformance window exceeds image dimensions"};
+ }
+ *width -= (uint32_t)crop_w;
+ *height -= (uint32_t)crop_h;
}
reader.get_uvlc(&value);
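Review bot: The guard `if (crop_w > *width || crop_h > *height)` still accepts a conformance window equal to the full picture size, so `*width` or `*height` can come out as 0. HEVC requires the cropped amount to be strictly less than the coded dimension, so the comparison should be `if (crop_w >= *width || crop_h >= *height)`. Whether later code tolerates a zero dimension is not visible here, but rejecting it at parse time is the safer choice for SPS data taken from an untrusted file. The same comparison appears in the vvc_boxes.cc and decoder_webcodecs.cc hunks, and the enclosing function starts and ends outside this hunk.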
diff --git a/libheif/codecs/vvc_boxes.cc b/libheif/codecs/vvc_boxes.cc
index 104c1a78..0a531514 100644
--- a/libheif/codecs/vvc_boxes.cc
+++ b/libheif/codecs/vvc_boxes.cc
@@ -543,8 +543,15 @@ Error parse_sps_for_vvcC_configuration(const uint8_t* sps, size_t size,
default: break; // mono / 4:4:4
}
- *width -= subWidthC * (left + right);
- *height -= subHeightC * (top + bottom);
+ const uint64_t crop_w = (uint64_t)subWidthC * ((uint64_t)left + (uint64_t)right);
+ const uint64_t crop_h = (uint64_t)subHeightC * ((uint64_t)top + (uint64_t)bottom);
+ if (crop_w > *width || crop_h > *height) {
+ return {heif_error_Invalid_input,
+ heif_suberror_Invalid_parameter_value,
+ "SPS conformance window exceeds image dimensions"};
+ }
+ *width -= (uint32_t)crop_w;
+ *height -= (uint32_t)crop_h;
}
bool sps_subpic_info_present_flag = reader.get_bits(1);
diff --git a/libheif/plugins/decoder_webcodecs.cc b/libheif/plugins/decoder_webcodecs.cc
index 44d3489d..31a6d4e2 100644
--- a/libheif/plugins/decoder_webcodecs.cc
+++ b/libheif/plugins/decoder_webcodecs.cc
@@ -299,8 +299,15 @@ Error parse_sps_for_hvcC_configuration2(const uint8_t* sps, size_t size,
}
if (config->chroma_format == 2) { subH = 2; }
- *width -= subH * (left + right);
- *height -= subV * (top + bottom);
+ const uint64_t crop_w = (uint64_t)subH * ((uint64_t)left + (uint64_t)right);
+ const uint64_t crop_h = (uint64_t)subV * ((uint64_t)top + (uint64_t)bottom);
+ if (crop_w > *width || crop_h > *height) {
+ return Error{heif_error_Invalid_input,
+ heif_suberror_Invalid_parameter_value,
+ "SPS conformance window exceeds image dimensions"};
+ }
+ *width -= (uint32_t)crop_w;
+ *height -= (uint32_t)crop_h;
}
reader.get_uvlc(&value);
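Review bot: The cropping code added to `parse_sps_for_hvcC_configuration2` is a line-for-line copy of the code in the hevc_boxes.cc hunk, so this fix had to be applied in both places and any later correction must be too. Moving the crop computation and bounds check into one shared helper, called by both HEVC SPS parsers and the VVC one, would keep the validation from drifting between the copies. Only the cropping lines are visible in this hunk, so how much of the rest of the two functions is shared is an assumption to confirm.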