Commit f20c8174 for libheif
commit f20c81745e917b4c496615140385c86d7a2fa58d
Author: Dirk Farin <dirk.farin@gmail.com>
Date: Mon Apr 13 20:09:26 2026 +0200
fix: reject malformed sequence files where saiz sample count exceeds actual samples
diff --git a/libheif/sequences/track.cc b/libheif/sequences/track.cc
index ee4f2374..405b6ad3 100644
--- a/libheif/sequences/track.cc
+++ b/libheif/sequences/track.cc
@@ -138,7 +138,9 @@ SampleAuxInfoReader::SampleAuxInfoReader(std::shared_ptr<Box_saiz> saiz,
for (uint32_t i = 0; i < nSamples; i++) {
if (!oneChunk && i > chunks[current_chunk]->last_sample_number()) {
current_chunk++;
- assert(current_chunk < chunks.size());
+ if (current_chunk >= chunks.size()) {
+ break;
+ }
offset = saio->get_chunk_offset(current_chunk);
}
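Review bot: The `break` that replaces the assert ends the loop silently, so when the chunk list runs out the reader holds per-sample data for fewer than `nSamples` samples and nothing records that the file was malformed. The constructor cannot return an `Error`, so at minimum this deserves a comment such as `// malformed input: saiz lists more samples than the chunk table covers; remaining samples get no aux info`. Any accessor that looks a sample up by index should compare against the number of entries actually filled rather than the saiz count; that accessor is not visible here. `current_chunk` is bounded against `chunks.size()` only, and whether `saio->get_chunk_offset(current_chunk)` is also in range for the saio offset table cannot be confirmed from this hunk. The loop and the constructor body continue outside the hunk.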
@@ -451,6 +453,14 @@ Error Track::load(const std::shared_ptr<Box_trak>& trak_box)
};
}
+ if (saiz->get_num_samples() > m_stsz->num_samples()) {
+ return Error{
+ heif_error_Invalid_input,
+ heif_suberror_Unspecified,
+ "Number of samples in 'saiz' box exceeds actual number of samples."
+ };
+ }
+
if (aux_info_type == fourcc("suid")) {
m_aux_reader_content_ids = std::make_unique<SampleAuxInfoReader>(saiz, saio, m_chunks);
}
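Review bot: The new check in `Track::load` compares the saiz count with `m_stsz->num_samples()`, but the `SampleAuxInfoReader` constructor it protects walks `m_chunks`, so a file whose chunk table covers fewer samples than stsz reports would still pass here and fall back on the `break` in the constructor. If that case should be rejected too, the same error could be returned when the saiz count exceeds the number of samples the chunks cover; otherwise a comment like `// saiz may describe fewer samples than stsz, never more` would document the accepted range. `m_stsz` is dereferenced without a visible null check; presumably earlier code in `load` guarantees it, but that is outside the hunk. A regression test that loads a sequence file with an oversized saiz count and expects `heif_error_Invalid_input` would pin the behaviour.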