From a4cfe72d101138750046b531fffb9e319b729359 Mon Sep 17 00:00:00 2001
From: flyyee <8mrgil@gmail.com>
Date: Sun, 7 Jul 2024 17:37:45 +0800
Subject: [PATCH 1/2] Added patch to check that overlay's offsets are valid

---
 libheif/pixelimage.cc | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/libheif/pixelimage.cc b/libheif/pixelimage.cc
index 9fd69366d7..f22e40f4d6 100644
--- a/libheif/pixelimage.cc
+++ b/libheif/pixelimage.cc
@@ -829,6 +829,26 @@ Error HeifPixelImage::overlay(std::shared_ptr& overlay, int dx,
 "Overlay image outside of left or top canvas border");
 }

+ // verify that the destination points are within the bounds of the image's dimensions
+ if (out_x0 < 0 ||
+ out_x0 > out_w ||
+ out_y0 < 0 ||
+ out_y0 > out_h) {
+ return Error(heif_error_Invalid_input,
+ heif_suberror_Invalid_overlay_data,
+ "Overlay image has invalid offsets");
+ }
+
+ // verify that the source points are within the bounds of the image's dimensions
+ if (in_x0 < 0 ||
+ in_x0 > in_w ||
+ in_y0 < 0 ||
+ in_y0 > in_h) {
+ return Error(heif_error_Invalid_input,
+ heif_suberror_Invalid_overlay_data,
+ "Overlay image has invalid offsets");
+ }
+
 for (int y = in_y0; y < in_h; y++) {
 if (!has_alpha) {
 memcpy(out_p + out_x0 + (out_y0 + y - in_y0) * out_stride,
From 45c704a82cd8cb587b6ac01f65c12a7a75c785fe Mon Sep 17 00:00:00 2001
From: flyyee <8mrgil@gmail.com>
Date: Mon, 8 Jul 2024 16:50:15 +0800
Subject: [PATCH 2/2] Changed offset checks against image dimensions to use >=

---
 libheif/pixelimage.cc | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/libheif/pixelimage.cc b/libheif/pixelimage.cc
index f22e40f4d6..3a54dd4117 100644
--- a/libheif/pixelimage.cc
+++ b/libheif/pixelimage.cc
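Review bot: In the [PATCH 1/2] hunk at line 829, the two new guards bound only the starting offsets (`out_x0`, `out_y0`, `in_x0`, `in_y0`) and not the extent of the copy that follows. The loop below them writes row `out_y0 + y - in_y0` for every `y` up to `in_h`, and the `memcpy` length lies outside the hunk, so nothing visible here keeps the last row under `out_h` or the copied width under `out_w - out_x0`. If `in_w`/`in_h` are already clamped to the canvas earlier in `overlay()` (the function starts and ends outside the hunk), a comment such as `// in_w/in_h were clamped to the canvas above, so only the start offsets remain to be checked` would record that; if not, add `if (in_w - in_x0 > out_w - out_x0 || in_h - in_y0 > out_h - out_y0)` with the same error return.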
@@ -831,9 +831,9 @@ Error HeifPixelImage::overlay(std::shared_ptr& overlay, int dx,

 // verify that the destination points are within the bounds of the image's dimensions
 if (out_x0 < 0 ||
- out_x0 > out_w ||
+ out_x0 >= out_w ||
 out_y0 < 0 ||
- out_y0 > out_h) {
+ out_y0 >= out_h) {
 return Error(heif_error_Invalid_input,
 heif_suberror_Invalid_overlay_data,
 "Overlay image has invalid offsets");
@@ -841,9 +841,9 @@ Error HeifPixelImage::overlay(std::shared_ptr& overlay, int dx,

 // verify that the source points are within the bounds of the image's dimensions
 if (in_x0 < 0 ||
- in_x0 > in_w ||
+ in_x0 >= in_w ||
 in_y0 < 0 ||
- in_y0 > in_h) {
+ in_y0 >= in_h) {
 return Error(heif_error_Invalid_input,
 heif_suberror_Invalid_overlay_data,
 "Overlay image has invalid offsets");
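Review bot: Both guards return the identical message `"Overlay image has invalid offsets"`, so a caller or log reader cannot tell whether the destination or the source offset was rejected; this applies to the hunk at line 831 and to the one at line 841. Distinct texts such as `"Overlay destination offset outside canvas"` and `"Overlay source offset outside overlay image"` would make a rejected file diagnosable. The comments above each guard could also state the exclusive upper bound that `>=` now enforces, for example `// offsets are zero-based, so x0 == width is already past the last column`. The enclosing function starts and ends outside both hunks.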