Some files processing errors after update to 1.17.6
Hi! I faced some issues after updating libheif in a project from 1.12.0 to 1.17.6. I get errors for some files that were successfully processed in version 1.12.0. It happens when I call heif_context_read_from_reader().

For sample_1.heic it is error code 2: "Invalid input: Unspecified: 'iref' has double references"

For sample_2.heic it is error code 6: "Memory allocation error: Security limit exceeded: Maximum number of child boxes 20000 exceeded."

At the same time, with version 1.12.0 I get error code 0, get the page count after calling heif_context_get_number_of_top_level_images(), the image handle after heif_context_get_image_handle(), etc. without any problem. Could you please tell me whether this is expected behavior in this case? It is strange to me because I successfully processed these files with the previous version before.
Thank you.
Samples download link: https://drive.google.com/file/d/1F8UqW57cFx06CF4p2ZU81mjY8f2YKmTt/view?usp=sharing
It looks like your example didn't upload correctly before you submitted. Can you edit the issue and upload the file again?
Sorry, there are some problems with file uploading. I have edited the issue and added the link.
Please tell me, were you able to download the files?
They can be downloaded OK.
They are both hitting security checks that have been added to newer versions of libheif.
The first one (sample_1) is failing a check for double iref linkage. It doesn't look like a real problem in your case, but I think it is technically invalid.
The second one (sample_2) has an extremely large number of images (like > 20000). That could be valid, but probably makes no sense.
What device or software produced those images?
@anatoliiKumunzhiev Can you follow up on this?
Sorry for the delay. Actually it is difficult to determine where these files came from. That's fine for me if you confirm that this is not a regression but expected behavior related to the new security checks. Thanks a lot!
I think the second sample is probably valid but not sensible. The first sample is probably invalid.
Both cases relate to additional security checks, and are expected and (currently) intended behaviour.
If the data in those are important to your use cases (as opposed to just noting the difference in behaviour, which is still worth reporting), there might be options for further changes.
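A pre-screening sketch for the two conditions discussed in this thread, added here as an example; it is not code from libheif or from any participant. It assumes "double references" means the same to_item_ID listed twice within one iref entry, and it counts the children of meta, iinf and iref only; the names screen, children, boxes, box and SAMPLE are made up for this example.

```python
import struct
from itertools import islice

MAX_CHILD_BOXES = 20000  # limit quoted in the error message in this thread

def box(typ, payload=b""):  # builder, used only for the constructed samples
    return struct.pack(">I4s", 8 + len(payload), typ) + payload

def boxes(buf, pos, end):
    """Yield (type, payload_start, box_end) for each ISOBMFF box in buf[pos:end]."""
    while pos + 8 <= end:
        size, typ = struct.unpack_from(">I4s", buf, pos)
        hdr = 8
        if size == 1 and pos + 16 <= end:   # 64-bit largesize follows the type
            size, hdr = struct.unpack_from(">Q", buf, pos + 8)[0], 16
        elif size == 0:                     # box runs to the end of its parent
            size = end - pos
        if size < hdr or pos + size > end:
            raise ValueError(f"bad box size at offset {pos}")
        yield typ, pos + hdr, pos + size
        pos += size

def children(buf, pos, end, name, findings):  # reads at most one box past the limit
    kids = list(islice(boxes(buf, pos, end), MAX_CHILD_BOXES + 1))
    if len(kids) > MAX_CHILD_BOXES:
        findings.append(f"{name}: more than {MAX_CHILD_BOXES} child boxes")
    return kids

def screen(buf):
    """Return a list of findings; empty means neither condition was seen."""
    findings = []
    for _, s, e in [b for b in boxes(buf, 0, len(buf)) if b[0] == b"meta"]:
        for ctyp, cs, ce in children(buf, s + 4, e, "meta", findings):  # +4: FullBox header
            w = 2 if buf[cs:cs + 1] == b"\0" else 4   # FullBox v0: 16-bit fields, else 32-bit
            if ctyp == b"iinf":                       # skip FullBox header and entry_count
                children(buf, cs + 4 + w, ce, "iinf", findings)
            elif ctyp == b"iref":
                for rtyp, rs, re_ in children(buf, cs + 4, ce, "iref", findings):
                    body = buf[rs:re_]                # from_item_ID, reference_count, to_item_IDs
                    n = int.from_bytes(body[w:w + 2], "big")
                    if len(body) < w + 2 + n * w:
                        raise ValueError("truncated iref entry")
                    ids = [body[w + 2 + i * w:w + 2 + (i + 1) * w] for i in range(n)]
                    if len(ids) != len(set(ids)):
                        findings.append(f"iref {rtyp.decode('latin-1')}: repeated to_item_ID")
    return findings

# Constructed sample (not one of the thread's files): a 'dimg' entry listing item 2 twice.
SAMPLE = box(b"meta", bytes(4) + box(b"iref", bytes(4) + box(b"dimg", struct.pack(">4H", 1, 2, 2, 2))))
```

Calling screen() on a file's bytes before handing it to the decoder separates inputs that will trip these checks from genuine decode failures; an empty list does not mean the file will load.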