Overview

File libheif-CVE-2026-3949.patch of Package libheif

From b97c8b5f198b27f375127cd597a35f2113544d03 Mon Sep 17 00:00:00 2001
From: Dirk Farin <dirk.farin@gmail.com>
Date: Tue, 24 Feb 2026 00:32:48 +0100
Subject: [PATCH] vvdec: check that NAL size does not exceed data size (#1712)

---
 libheif/plugins/decoder_vvdec.cc | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/libheif/plugins/decoder_vvdec.cc b/libheif/plugins/decoder_vvdec.cc
index 095157209c..14b3e9fd2b 100644
--- a/libheif/plugins/decoder_vvdec.cc
+++ b/libheif/plugins/decoder_vvdec.cc
@@ -55,6 +55,7 @@ struct vvdec_decoder
   std::string error_message;
 };
 
+static const char kEmptyString[] = "";
 static const char kSuccess[] = "Success";
 
 static const int VVDEC_PLUGIN_PRIORITY = 100;
@@ -179,9 +180,25 @@ heif_error vvdec_push_data2(void* decoder_raw, const void* frame_data, size_t fr
 
   const auto* data = (const uint8_t*) frame_data;
 
+  if (frame_size < 4) {
+    return {
+      heif_error_Decoder_plugin_error,
+      heif_suberror_End_of_data,
+      kEmptyString
+    };
+  }
+
   for (;;) {
     uint32_t size = four_bytes_to_uint32(data[0], data[1], data[2], data[3]);
 
+    if (frame_size < 4 + size) {
+      return {
+        heif_error_Decoder_plugin_error,
+        heif_suberror_End_of_data,
+        kEmptyString
+      };
+    }
+
     data += 4;
 
     std::vector<uint8_t> nalu;
openSUSE Build Service is sponsored by
Places