M1-Llie

**Name of the Vulnerable Software and Affected Versions** libheif versions prior to 1.22.0 **Description** A heap-buffer-overflow (out-of-bounds read) occurs in the `SampleAuxInfoReader` constructor when parsing a crafted HEIF sequence file. The issue arises because the constructor iterates over the number of samples declared in the `saiz` box using `saiz->get num samples()` without validating that this count is consistent with the number of chunks in the `chunks` vector. Consequently, if the `saiz` box declares more samples than the chunks cover, the loop increments `current chunk` beyond the size of the `chunks` vector, leading to an out-of-bounds read. This is triggered during file parsing via the `heif context read from file` function without requiring user interaction. **Recommendations** Update to version 1.22.0.

**Name of the Vulnerable Software and Affected Versions** OpenEXR versions 3.0.0 through 3.2.8 OpenEXR versions 3.3.0 through 3.3.10 OpenEXR versions 3.4.0 through 3.4.10 **Description** The `IDManifest::init()` function reconstructs strings from a prefix-compressed representation. When a previous string exceeds 255 bytes, the subsequent string is expected to start with a 2-byte prefix length. The software reads the first two bytes of the current string without verifying that the string contains at least two bytes, leading to a buffer over-read (reading data beyond the end of the intended buffer). **Recommendations** Update versions 3.0.0 through 3.2.8 to version 3.2.9. Update versions 3.3.0 through 3.3.10 to version 3.3.11. Update versions 3.4.0 through 3.4.10 to version 3.4.11.

**Name of the Vulnerable Software and Affected Versions** OpenEXR versions 3.0.0 through 3.2.8 OpenEXR versions 3.3.0 through 3.3.10 OpenEXR versions 3.4.0 through 3.4.10 **Description** The `readVariableLengthInteger()` function decodes a variable-length integer from untrusted EXR input without bounding the shift count. When a sufficient number of continuation bytes are processed, the code performs a left shift by 70 on a 64-bit value, resulting in undefined behavior. **Recommendations** Update versions 3.0.0 through 3.2.8 to version 3.2.9. Update versions 3.3.0 through 3.3.10 to version 3.3.11. Update versions 3.4.0 through 3.4.10 to version 3.4.11.