From 6c4016fd3d944a8903bdd3e6be8fcdd1bc73ca79 Mon Sep 17 00:00:00 2001
From: Dirk Farin
Date: Tue, 3 Oct 2023 14:05:41 +0200
Subject: [PATCH] detect invalid mask region image reference (fixes clusterfuzz issue 60359)

---
 libheif/context.cc | 19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)

diff --git a/libheif/context.cc b/libheif/context.cc
index 359a5b74f3..ca1dfd9a6c 100644
--- a/libheif/context.cc
+++ b/libheif/context.cc
@@ -969,20 +969,33 @@ Error HeifContext::interpret_heif_file()
 img_iter->second->add_region_item_id(id);
 m_region_items.push_back(region_item);
 }
+
 /* When the geometry 'mask' of a region is represented by a mask stored in
 * another image item the image item containing the mask shall be identified
 * by an item reference of type 'mask' from the region item to the image item
 * containing the mask. */
 if (ref.header.get_short_type() == fourcc("mask")) {
 std::vector refs = ref.to_item_ID;
- int mask_index = 0;
+ size_t mask_index = 0;
 for (int j = 0; j < region_item->get_number_of_regions(); j++) {
 if (region_item->get_regions()[j]->getRegionType() == heif_region_type_referenced_mask) {
 std::shared_ptr mask_geometry = std::dynamic_pointer_cast(region_item->get_regions()[j]);
+
+ if (mask_index >= refs.size()) {
+ return Error(heif_error_Invalid_input, heif_suberror_Unspecified, "Region mask reference with non-existing mask image reference");
+ }
+
 uint32_t mask_image_id = refs[mask_index];
- assert(is_image(mask_image_id));
- mask_geometry->referenced_item = mask_image_id;
+ if (!is_image(mask_image_id)) {
+ return Error(heif_error_Invalid_input, heif_suberror_Unspecified, "Region mask referenced item is not an image");
+ }
+ auto mask_image = m_all_images.find(mask_image_id)->second;
+ mask_geometry->referenced_item = mask_image_id;
 if (mask_geometry->width == 0) {
 mask_geometry->width = mask_image->get_ispe_width();
 }
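Review bot: `auto mask_image = m_all_images.find(mask_image_id)->second;` dereferences the lookup result without comparing it to `end()`, so the new `is_image()` guard only protects it if `is_image` is exactly a membership test on `m_all_images` — that definition is not in this hunk, and if the two ever diverge this is an end-iterator dereference on a fuzzer-controlled item ID, the same class of crash the commit is fixing. Since the point of the change is to turn an `assert` into a clean `Error`, the lookup itself should be the check: `auto mask_iter = m_all_images.find(mask_image_id); if (mask_iter == m_all_images.end()) { return Error(heif_error_Invalid_input, heif_suberror_Unspecified, "Region mask referenced item is not an image"); } auto mask_image = mask_iter->second;`, which makes the guard self-contained regardless of how `is_image` is implemented. The `mask_index >= refs.size()` branch would also benefit from a one-line comment such as `// fewer 'mask' reference targets than referenced-mask regions: reject rather than reuse or run off the end` so the next reader does not "fix" it by clamping. `interpret_heif_file()` begins and ends outside this hunk, so where `mask_index` is advanced is not visible here.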