Elhananhaenel

**Name of the Vulnerable Software and Affected Versions** libheif versions prior to 1.22.0 **Description** An unsigned integer underflow occurs in the Chunk constructor when processing a crafted HEIF sequence file containing `samples per chunk=0` in the stsc box. This causes all samples to map to an empty chunk, leading to a denial of service. A segmentation fault (SEGV), which is a null-page read, is triggered when the library attempts to access the first frame by reading from index 0 of an empty `std::vector`. **Recommendations** Update to version 1.22.0.

**Name of the Vulnerable Software and Affected Versions** libheif versions prior to 1.22.0 **Description** An issue in the HEIF and AVIF file format decoder and encoder allows a specially crafted 800-byte HEIF sequence file to trigger an infinite loop in the `Box stts::get sample duration()` function. This occurs during the file parsing stage upon opening the file, before any user interaction or image decoding takes place. The loop lacks an iteration limit or timeout, resulting in 100% CPU consumption and a Denial of Service (DoS) condition. Because the process remains active without crashing or logging errors, the issue may remain undetected by crash-based monitoring systems. **Recommendations** Update to version 1.22.0.

**Name of the Vulnerable Software and Affected Versions** libheif versions prior to 1.22.0 **Description** A heap-buffer-overflow (write) exists in the grid tile compositing of the HEIF and AVIF file format decoder and encoder. An attacker can write 64 bytes of controlled data past the end of a chroma plane heap allocation by crafting a HEIF/AVIF file with a 1×4 grid of odd-height tiles. This occurs during normal image decoding with default build configuration, where the written bytes are chroma (Cb/Cr) pixel values from the attacking tile. **Recommendations** Update to version 1.22.0.