Commit a6caa38f for libheif

commit a6caa38f7a70d66dc9caec2a7bfe20935b32c622
Author: Dirk Farin <dirk.farin@gmail.com>
Date:   Thu May 28 13:46:46 2026 +0200

    fix check against security limit (GHSA-jvmp-j3cw-84mh)

diff --git a/libheif/sequences/seq_boxes.cc b/libheif/sequences/seq_boxes.cc
index 9da5f497..f95d4583 100644
--- a/libheif/sequences/seq_boxes.cc
+++ b/libheif/sequences/seq_boxes.cc
@@ -1066,17 +1066,17 @@ Error Box_stsz::parse(BitstreamRange& range, const heif_security_limits* limits)
   m_fixed_sample_size = range.read32();
   m_sample_count = range.read32();

+  if (limits->max_sequence_frames > 0 && m_sample_count > limits->max_sequence_frames) {
+    return {
+      heif_error_Memory_allocation_error,
+      heif_suberror_Security_limit_exceeded,
+      "Security limit for maximum number of sequence frames exceeded"
+    };
+  }
+
   if (m_fixed_sample_size == 0) {
     // check required memory

-    if (limits->max_sequence_frames > 0 && m_sample_count > limits->max_sequence_frames) {
-      return {
-        heif_error_Memory_allocation_error,
-        heif_suberror_Security_limit_exceeded,
-        "Security limit for maximum number of sequence frames exceeded"
-      };
-    }
-
     uint64_t mem_size = m_sample_count * sizeof(uint32_t);
     if (auto err = m_memory_handle.alloc(mem_size, limits, "the 'stsz' table")) {
       return err;
diff --git a/libheif/sequences/track.cc b/libheif/sequences/track.cc
index 5f50fd26..db3e00b3 100644
--- a/libheif/sequences/track.cc
+++ b/libheif/sequences/track.cc
@@ -377,7 +377,7 @@ Error Track::load(const std::shared_ptr<Box_trak>& trak_box)
       }
     }

-    if (current_sample_idx + sampleToChunk.samples_per_chunk > m_stsz->num_samples()) {
+    if (static_cast<uint64_t>(current_sample_idx) + sampleToChunk.samples_per_chunk > m_stsz->num_samples()) {
       return {
         heif_error_Invalid_input,
         heif_suberror_Unspecified,