File libheif-CVE-2024-41311.patch of Package libheif.36312

Overview Repositories Revisions Requests Users Attributes Meta

File libheif-CVE-2024-41311.patch of Package libheif.36312

Index: libheif-1.12.0/libheif/heif_context.cc
===================================================================
--- libheif-1.12.0.orig/libheif/heif_context.cc
+++ libheif-1.12.0/libheif/heif_context.cc
@@ -317,9 +317,9 @@ Error ImageOverlay::parse(size_t num_ima
     std::stringstream sstr;
     sstr << "Overlay image data version " << ((int) m_version) << " is not implemented yet";
 
-    return Error(heif_error_Unsupported_feature,
-                 heif_suberror_Unsupported_data_version,
-                 sstr.str());
+    return {heif_error_Unsupported_feature,
+            heif_suberror_Unsupported_data_version,
+            sstr.str()};
   }
 
   int field_len = ((m_flags & 1) ? 4 : 2);
@@ -337,6 +337,12 @@ Error ImageOverlay::parse(size_t num_ima
   m_width = readvec(data, ptr, field_len);
   m_height = readvec(data, ptr, field_len);
 
+  if (m_width==0 || m_height==0) {
+    return {heif_error_Invalid_input,
+            heif_suberror_Invalid_overlay_data,
+            "Overlay image with zero width or height."};
+  }
+
   m_offsets.resize(num_images);
 
   for (size_t i = 0; i < num_images; i++) {
Index: libheif-1.12.0/libheif/heif_image.cc
===================================================================
--- libheif-1.12.0.orig/libheif/heif_image.cc
+++ libheif-1.12.0/libheif/heif_image.cc
@@ -782,7 +782,20 @@ Error HeifPixelImage::fill_RGB_16bit(uin
 }
 
 
-Error HeifPixelImage::overlay(std::shared_ptr<HeifPixelImage>& overlay, int dx, int dy)
+uint32_t negate_negative_int32(int32_t x)
+{
+  assert(x <= 0);
+
+  if (x == INT32_MIN) {
+    return static_cast<uint32_t>(INT32_MAX) + 1;
+  }
+  else {
+    return static_cast<uint32_t>(-x);
+  }
+}
+
+
+Error HeifPixelImage::overlay(std::shared_ptr<HeifPixelImage>& overlay, int32_t dx, int32_t dy)
 {
   std::set<enum heif_channel> channels = overlay->get_channel_set();
 
@@ -807,70 +820,89 @@ Error HeifPixelImage::overlay(std::share
     in_p = overlay->get_plane(channel, &in_stride);
     out_p = get_plane(channel, &out_stride);
 
-    int in_w = overlay->get_width(channel);
-    int in_h = overlay->get_height(channel);
-    assert(in_w >= 0);
-    assert(in_h >= 0);
+    uint32_t in_w = overlay->get_width(channel);
+    uint32_t in_h = overlay->get_height(channel);
 
-    int out_w = get_width(channel);
-    int out_h = get_height(channel);
-    assert(out_w >= 0);
-    assert(out_h >= 0);
+    uint32_t out_w = get_width(channel);
+    uint32_t out_h = get_height(channel);
 
-    // overlay image extends past the right border -> cut width for copy
-    if (dx + in_w > out_w) {
-      in_w = out_w - dx;
+    // top-left points where to start copying in source and destination
+    uint32_t in_x0;
+    uint32_t in_y0;
+    uint32_t out_x0;
+    uint32_t out_y0;
+
+    if (dx > 0 && static_cast<uint32_t>(dx) >= out_w) {
+      // the overlay image is completely outside the right border -> skip overlaying
+      return Error::Ok;
+    }
+    else if (dx < 0 && in_w <= negate_negative_int32(dx)) {
+      // the overlay image is completely outside the left border -> skip overlaying
+      return Error::Ok;
     }
 
-    // overlay image extends past the bottom border -> cut height for copy
-    if (dy + in_h > out_h) {
-      in_h = out_h - dy;
-    }
+    if (dx < 0) {
+      // overlay image started partially outside of left border
 
-    // overlay image completely outside right or bottom border -> do not copy
-    if (in_w < 0 || in_h < 0) {
-      return Error(heif_error_Invalid_input,
-                   heif_suberror_Overlay_image_outside_of_canvas,
-                   "Overlay image outside of right or bottom canvas border");
+      in_x0 = negate_negative_int32(dx);
+      out_x0 = 0;
+      in_w = in_w - in_x0; // in_x0 < in_w because in_w > -dx = in_x0
+    }
+    else {
+      in_x0 = 0;
+      out_x0 = static_cast<uint32_t>(dx);
     }
 
+    // we know that dx >= 0 && dx < out_w
 
-    // calculate top-left point where to start copying in source and destination
-    int in_x0 = 0;
-    int in_y0 = 0;
-    int out_x0 = dx;
-    int out_y0 = dy;
+    if (static_cast<uint32_t>(dx) > UINT32_MAX - in_w ||
+       dx + in_w > out_w) {
+      // overlay image extends partially outside of right border
 
-    // overlay image started outside of left border
-    // -> move start into the image and start at left output column
-    if (dx < 0) {
-      in_x0 = -dx;
-      out_x0 = 0;
+      in_w = out_w - static_cast<uint32_t>(dx); // we know that dx < out_w from first condition
     }
 
-    // overlay image started outside of top border
-    // -> move start into the image and start at top output row
+
+    if (dy > 0 && static_cast<uint32_t>(dy) >= out_h) {
+      // the overlay image is completely outside the bottom border -> skip overlaying
+      return Error::Ok;
+    }
+    else if (dy < 0 && in_h <= negate_negative_int32(dy)) {
+      // the overlay image is completely outside the top border -> skip overlaying
+      return Error::Ok;
+    }
+
+
+
     if (dy < 0) {
-      in_y0 = -dy;
+      // overlay image started partially outside of top border
+
+      in_y0 = negate_negative_int32(dy);
       out_y0 = 0;
+      in_h = in_h - in_y0; // in_y0 < in_h because in_h > -dy = in_y0
+    }
+    else {
+      in_y0 = 0;
+      out_y0 = static_cast<uint32_t>(dy);
     }
 
-    // if overlay image is completely outside at left border, do not copy anything.
-    if (in_w <= in_x0 ||
-        in_h <= in_y0) {
-      return Error(heif_error_Invalid_input,
-                   heif_suberror_Overlay_image_outside_of_canvas,
-                   "Overlay image outside of left or top canvas border");
+    // we know that dy >= 0 && dy < out_h
+
+    if (static_cast<uint32_t>(dy) > UINT32_MAX - in_h ||
+      dy + in_h > out_h) {
+      // overlay image extends partially outside of bottom border
+
+      in_h = out_h - static_cast<uint32_t>(dy); // we know that dy < out_h from first condition
     }
 
-    for (int y = in_y0; y < in_h; y++) {
+    for (uint32_t y = in_y0; y < in_h; y++) {
       if (!has_alpha) {
         memcpy(out_p + out_x0 + (out_y0 + y - in_y0) * out_stride,
                in_p + in_x0 + y * in_stride,
                in_w - in_x0);
       }
       else {
-        for (int x = in_x0; x < in_w; x++) {
+        for (uint32_t x = in_x0; x < in_w; x++) {
           uint8_t* outptr = &out_p[out_x0 + (out_y0 + y - in_y0) * out_stride + x];
           uint8_t in_val = in_p[in_x0 + y * in_stride + x];
           uint8_t alpha_val = alpha_p[in_x0 + y * in_stride + x];
Index: libheif-1.12.0/libheif/heif_image.h
===================================================================
--- libheif-1.12.0.orig/libheif/heif_image.h
+++ libheif-1.12.0/libheif/heif_image.h
@@ -117,7 +117,7 @@ namespace heif {
 
     Error fill_RGB_16bit(uint16_t r, uint16_t g, uint16_t b, uint16_t a);
 
-    Error overlay(std::shared_ptr<HeifPixelImage>& overlay, int dx, int dy);
+    Error overlay(std::shared_ptr<HeifPixelImage>& overlay, int32_t dx, int32_t dy);
 
     Error scale_nearest_neighbor(std::shared_ptr<HeifPixelImage>& output, int width, int height) const;

Places

File libheif-CVE-2024-41311.patch of Package libheif.36312

Places