From 0f4e0e678ec4381531cc3f859a7bad886f115d9f Mon Sep 17 00:00:00 2001
From: chenzhaohui <chenzhaohui14@huawei.com>
Date: Wed, 27 Aug 2025 10:52:29 +0800
Subject: [PATCH] =?UTF-8?q?=E4=BF=AE=E5=A4=8D=E5=90=8C=E4=B8=80=E4=B8=AAim?=
 =?UTF-8?q?agesource=E8=B0=83=E7=94=A8=E4=B8=A4=E6=AC=A1=E8=A7=A3=E7=A0=81?=
 =?UTF-8?q?=E5=BC=82=E5=B8=B8=E5=92=8C=E5=AE=89=E5=85=A8=E9=97=AE=E9=A2=98?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: chenzhaohui <chenzhaohui14@huawei.com>
Change-Id: I530ad9f8978788126a15f3b7b4d7334611a21c00
---
 .../heif_impl/heif_parser/box/item_data_box.h        |  2 +-
 .../include/heif_impl/heif_parser/heif_error.h       |  1 +
 .../libextplugin/src/heif_impl/HeifDecoderImpl.cpp   |  2 ++
 .../src/heif_impl/heif_parser/box/item_data_box.cpp  | 12 ++++++++++--
 4 files changed, 14 insertions(+), 3 deletions(-)

diff --git a/plugins/common/libs/image/libextplugin/include/heif_impl/heif_parser/box/item_data_box.h b/plugins/common/libs/image/libextplugin/include/heif_impl/heif_parser/box/item_data_box.h
index abbe3402e..5905c3ec9 100644
--- a/plugins/common/libs/image/libextplugin/include/heif_impl/heif_parser/box/item_data_box.h
+++ b/plugins/common/libs/image/libextplugin/include/heif_impl/heif_parser/box/item_data_box.h
@@ -83,7 +83,7 @@ private:
     uint8_t lengthSize_ = 0;
     uint8_t baseOffsetSize_ = 0;
     uint8_t indexSize_ = 0;
-    void ParseExtents(Item& item, HeifStreamReader &reader, int indexSize, int offsetSize, int lengthSize);
+    heif_error ParseExtents(Item& item, HeifStreamReader &reader, int indexSize, int offsetSize, int lengthSize);
     void PackIlocHeader(HeifStreamWriter &writer) const;
 
     uint64_t idatOffset_ = 0;
diff --git a/plugins/common/libs/image/libextplugin/include/heif_impl/heif_parser/heif_error.h b/plugins/common/libs/image/libextplugin/include/heif_impl/heif_parser/heif_error.h
index c13cefba8..8bd540ff8 100644
--- a/plugins/common/libs/image/libextplugin/include/heif_impl/heif_parser/heif_error.h
+++ b/plugins/common/libs/image/libextplugin/include/heif_impl/heif_parser/heif_error.h
@@ -45,6 +45,7 @@ enum heif_error {
     heif_error_too_many_item = 23,
     heif_error_too_many_recursion = 24,
     heif_error_no_data = 25,
+    heif_error_extent_num_too_large = 26,
 };
 } // namespace ImagePlugin
 } // namespace OHOS
diff --git a/plugins/common/libs/image/libextplugin/src/heif_impl/HeifDecoderImpl.cpp b/plugins/common/libs/image/libextplugin/src/heif_impl/HeifDecoderImpl.cpp
index 1388cb3e9..adc835922 100644
--- a/plugins/common/libs/image/libextplugin/src/heif_impl/HeifDecoderImpl.cpp
+++ b/plugins/common/libs/image/libextplugin/src/heif_impl/HeifDecoderImpl.cpp
@@ -1182,6 +1182,7 @@ void HeifDecoderImpl::setGainmapDstBuffer(uint8_t* dstBuffer, size_t rowStride,
     gainmapDstRowStride_ = rowStride;
     regionInfo_.isGainmapImage = true;
     isGainmapDecode_ = true;
+    isAuxiliaryDecode_ = false;
     gainMapDstHwbuffer_ = reinterpret_cast<SurfaceBuffer*>(context);
 }
 
@@ -1191,6 +1192,7 @@ void HeifDecoderImpl::setAuxiliaryDstBuffer(uint8_t* dstBuffer, size_t dstSize,
     auxiliaryDstMemorySize_ = dstSize;
     auxiliaryDstRowStride_ = rowStride;
     isAuxiliaryDecode_ = true;
+    isGainmapDecode_ = false;
     auxiliaryDstHwBuffer_ = reinterpret_cast<SurfaceBuffer*>(context);
     sampleSize_ = DEFAULT_SCALE_SIZE;
 }
diff --git a/plugins/common/libs/image/libextplugin/src/heif_impl/heif_parser/box/item_data_box.cpp b/plugins/common/libs/image/libextplugin/src/heif_impl/heif_parser/box/item_data_box.cpp
index a1ff61e77..58b43a0c8 100644
--- a/plugins/common/libs/image/libextplugin/src/heif_impl/heif_parser/box/item_data_box.cpp
+++ b/plugins/common/libs/image/libextplugin/src/heif_impl/heif_parser/box/item_data_box.cpp
@@ -20,13 +20,18 @@ namespace {
     const uint8_t CONSTRUCTION_METHOD_IDAT_OFFSET = 1;
     const uint32_t MAX_HEIF_IMAGE_GRID_SIZE = 128 * 1024 * 1024;
     const uint32_t MAX_HEIF_ITEM_COUNT = 2000;
+    const uint32_t MAX_HEIF_EXTENT_NUM = 1024;
 }
 
 namespace OHOS {
 namespace ImagePlugin {
-void HeifIlocBox::ParseExtents(Item& item, HeifStreamReader &reader, int indexSize, int offsetSize, int lengthSize)
+heif_error HeifIlocBox::ParseExtents(Item& item, HeifStreamReader &reader,
+    int indexSize, int offsetSize, int lengthSize)
 {
     uint16_t extentNum = reader.Read16();
+    if (extentNum > MAX_HEIF_EXTENT_NUM) {
+        return heif_error_extent_num_too_large;
+    }
     item.extents.resize(extentNum);
     for (int extentIndex = 0; extentIndex < extentNum; extentIndex++) {
         // indexSize is taken from the set {0, 4, 8} and indicates the length in bytes of 'index'
@@ -55,6 +60,7 @@ void HeifIlocBox::ParseExtents(Item& item, HeifStreamReader &reader, int indexSi
             item.extents[extentIndex].length = reader.Read64();
         }
     }
+    return heif_error_ok;
 }
 
 heif_error HeifIlocBox::ParseContent(HeifStreamReader &reader)
@@ -89,7 +95,9 @@ heif_error HeifIlocBox::ParseContent(HeifStreamReader &reader)
         } else if (baseOffsetSize == UINT64_BYTES_NUM) {
             item.baseOffset = reader.Read64();
         }
-        ParseExtents(item, reader, indexSize, offsetSize, lengthSize);
+        if (ParseExtents(item, reader, indexSize, offsetSize, lengthSize)) {
+            return heif_error_extent_num_too_large;
+        }
         if (!reader.HasError()) {
             items_.push_back(item);
         }
-- 
Gitee