[Buildroot] [2025.02.x, PATCH 2/3] package/libheif: patch CVE-2025-68431

[Thomas Perale]

- CVE-2025-68431:
    libheif is an HEIF and AVIF file format decoder and encoder. Prior to
    version 1.21.0, a crafted HEIF that exercises the overlay image item
    path triggers a heap buffer over-read in `HeifPixelImage::overlay()`.
    The function computes a negative row length (likely from an unclipped
    overlay rectangle or invalid offsets), which then underflows when
    converted to `size_t` and is passed to `memcpy`, causing a very large
    read past the end of the source plane and a crash. Version 1.21.0
    contains a patch. As a workaround, avoid decoding images using `iovl`
    overlay boxes.

For more information, see:
  - https://www.cve.org/CVERecord?id=CVE-2025-68431
  - https://github.com/strukturag/libheif/commit/b8c12a7b70f46c9516711a988483bed377b78d46

Signed-off-by: Thomas Perale <thomas.perale at mind.be>
---
 ...x-wrong-copy-width-in-overlay-images.patch | 26 +++++++++++++++++++
 package/libheif/libheif.mk                    |  3 +++
 2 files changed, 29 insertions(+)
 create mode 100644 package/libheif/0001-fix-wrong-copy-width-in-overlay-images.patch

diff --git a/package/libheif/0001-fix-wrong-copy-width-in-overlay-images.patch b/package/libheif/0001-fix-wrong-copy-width-in-overlay-images.patch
new file mode 100644
index 0000000000..4d845b2f90
--- /dev/null
+++ b/package/libheif/0001-fix-wrong-copy-width-in-overlay-images.patch
@@ -0,0 +1,26 @@
+From b8c12a7b70f46c9516711a988483bed377b78d46 Mon Sep 17 00:00:00 2001
+From: Dirk Farin <dirk.farin at gmail.com>
+Date: Tue, 11 Nov 2025 19:47:50 +0100
+Subject: [PATCH] fix wrong copy width in overlay images (thanks to Aldo
+ Ristori for reporting this)
+
+CVE: CVE-2025-68431
+Upstream: https://github.com/strukturag/libheif/commit/b8c12a7b70f46c9516711a988483bed377b78d46
+Signed-off-by: Thomas Perale <thomas.perale at mind.be>
+---
+ libheif/pixelimage.cc | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libheif/pixelimage.cc b/libheif/pixelimage.cc
+index f202c61049..84a8dd739e 100644
+--- a/libheif/pixelimage.cc
++++ b/libheif/pixelimage.cc
+@@ -1508,7 +1508,7 @@ Error HeifPixelImage::overlay(std::shared_ptr<HeifPixelImage>& overlay, int32_t
+       if (!has_alpha) {
+         memcpy(out_p + out_x0 + (out_y0 + y - in_y0) * out_stride,
+                in_p + in_x0 + y * in_stride,
+-               in_w - in_x0);
++               in_w);
+       }
+       else {
+         for (uint32_t x = in_x0; x < in_w; x++) {
diff --git a/package/libheif/libheif.mk b/package/libheif/libheif.mk
index 8d91a109db..325502ad00 100644
--- a/package/libheif/libheif.mk
+++ b/package/libheif/libheif.mk
@@ -23,6 +23,9 @@ LIBHEIF_CONF_OPTS = \
 	-DWITH_REDUCED_VISIBILITY=ON \
 	-DWITH_SvtEnc=OFF
 
+# 0001-fix-wrong-copy-width-in-overlay-images.patch
+LIBHEIF_IGNORE_CVES += CVE-2025-68431
+
 ifeq ($(BR2_PACKAGE_DAV1D),y)
 LIBHEIF_CONF_OPTS += -DWITH_DAV1D=ON
 LIBHEIF_DEPENDENCIES += dav1d
-- 
2.53.0