Commit 79301bdf for libheif

commit 79301bdff74988cfb25bab700a5021da2d209248
Author: Dirk Farin <dirk.farin@gmail.com>
Date:   Thu May 28 14:41:06 2026 +0200

    skip reading sgpt boxes with unknown grouping types

diff --git a/libheif/sequences/seq_boxes.cc b/libheif/sequences/seq_boxes.cc
index 9ea7b445..54eaca5a 100644
--- a/libheif/sequences/seq_boxes.cc
+++ b/libheif/sequences/seq_boxes.cc
@@ -1719,6 +1719,15 @@ Error Box_sgpd::parse(BitstreamRange& range, const heif_security_limits* limits)

   m_grouping_type = range.read32();

+  // Readers are expected to ignore sgpd boxes with grouping_types they don't
+  // understand. Skip parsing of unknown types to avoid allocating Entry objects
+  // for entries whose payload we wouldn't read anyway (and which, with
+  // version==1 + default_length!=0 or version>=2, would consume zero bytes per
+  // iteration and allow unbounded allocation from a tiny box).
+  if (m_grouping_type != fourcc("refs")) {
+    return Error::Ok;
+  }
+
   if (get_version() == 1) {
     m_default_length = range.read32();
   }
@@ -1741,6 +1750,11 @@ Error Box_sgpd::parse(BitstreamRange& range, const heif_security_limits* limits)

   }

+  if (auto err = m_memory_handle.alloc(static_cast<uint64_t>(entry_count) * sizeof(Entry),
+                                       limits, "the 'sgpd' table")) {
+    return err;
+  }
+
   for (uint32_t i = 0; i < entry_count; i++) {
     Entry entry;

diff --git a/libheif/sequences/seq_boxes.h b/libheif/sequences/seq_boxes.h
index 5aec8c63..2da1cec5 100644
--- a/libheif/sequences/seq_boxes.h
+++ b/libheif/sequences/seq_boxes.h
@@ -809,6 +809,7 @@ private:
   };

   std::vector<Entry> m_entries;
+  MemoryHandle m_memory_handle;
 };

 // Bitrate