Check proper image size 98/317898/5
authorhjkim <backto.kim@samsung.com>
Thu, 9 Jan 2025 09:09:22 +0000 (18:09 +0900)
committerhjkim <backto.kim@samsung.com>
Fri, 10 Jan 2025 02:26:52 +0000 (11:26 +0900)
Change-Id: I75bda958afc83ee5f23b7c03574c7260d197ed7c

src/heif_itemtable.c

index 0285d57fb9c9567040a65ae024b2b4c5e7851a5e..447edd6b000a1a5521730d866991f01734bd8cfa 100644 (file)
@@ -41,6 +41,7 @@
                } while (0) \
 
 #define START_CODE_LEN         4
+#define IMAGE_HEADER_LEN       4
 
 typedef struct {
        uint8_t completeness;
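Review bot: `IMAGE_HEADER_LEN` is added without a comment, and it has the same value as `START_CODE_LEN` directly above it, so nothing here tells a reader why the two are separate or what the four bytes contain. A one-line comment on the define would make this clear, for example `/* bytes at the start of a coded image item that are skipped and replaced by START_CODE */`. If those bytes are the NAL length prefix, the comment should say so and note that its width is signalled in the HEVC decoder configuration (`lengthSizeMinusOne`) rather than fixed, so the hard-coded 4 is an assumption worth recording.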
@@ -343,6 +344,7 @@ int heif_itemtable_get_coded_data(heif_itemtable_h handle, heif_image_item_h ima
 
        heif_retvm_if_failed(handle, LIBHEIF_ERROR_INVALID_PARAMETER, "invalid handle");
        heif_retvm_if_failed(image_item, LIBHEIF_ERROR_INVALID_PARAMETER, "invalid image_item");
+       heif_retvm_if_failed(_image_item->size > IMAGE_HEADER_LEN, LIBHEIF_ERROR_INVALID_PARAMETER, "invalid image_item size");
        heif_retvm_if_failed(coded_data, LIBHEIF_ERROR_INVALID_PARAMETER, "invalid coded_data");
 
        codec_config = &(_image_item->hvc_config.nal_unit);
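Review bot: The guard added before the `coded_data` check bounds `_image_item->size` only from below. That stops `size - IMAGE_HEADER_LEN` from going to zero or wrapping, but a very large size taken from the file still reaches the buffer sizing and the read further down. The allocation sits between this hunk and the next and is not visible here, so please confirm it is checked for failure and that `codec_config->size + START_CODE_LEN + read_n` cannot overflow its type. An upper bound against the source length or a sane per-item maximum would close that side. An undersized item is also a property of the input file rather than of the caller's arguments, so if the library has a file-format error code it would describe the failure better than `LIBHEIF_ERROR_INVALID_PARAMETER`.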
@@ -364,11 +366,11 @@ int heif_itemtable_get_coded_data(heif_itemtable_h handle, heif_image_item_h ima
        memcpy(mdat->data, codec_config->data, codec_config->size);
        memcpy(mdat->data + codec_config->size, START_CODE, START_CODE_LEN);
 
-       read_n = _image_item->size - START_CODE_LEN;
+       read_n = _image_item->size - IMAGE_HEADER_LEN;
 
        // read media
        if (heif_source_read_at(((heif_itemtable_t *)handle)->source,
-                                                       _image_item->offset + START_CODE_LEN,
+                                                       _image_item->offset + IMAGE_HEADER_LEN,
                                                        mdat->data + codec_config->size + START_CODE_LEN,
                                                        read_n) != read_n) {
                heif_error("heif_source_read_at fail");
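Review bot: After this change the source side skips `IMAGE_HEADER_LEN` bytes while the destination side (`memcpy(..., START_CODE, START_CODE_LEN)` and the `mdat->data + codec_config->size + START_CODE_LEN` write pointer) still advances by `START_CODE_LEN`. The `mdat->data` allocation is above the hunk; if it is still derived from `_image_item->size`, it is large enough only because both constants are 4. Either size the buffer explicitly as `codec_config->size + START_CODE_LEN + read_n`, or pin the assumption next to the defines with `_Static_assert(IMAGE_HEADER_LEN == START_CODE_LEN, "mdat sizing assumes equal lengths");`. The function body continues past the end of this hunk, so the error path after `heif_error` is not reviewed here.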