fixed crash when image size differs after decoding #79

pillow_heif/_pillow_heif.c

@@ -875,6 +875,17 @@ int decode_image(CtxImageObject* self) {
         return 0;
     }
 
+    int decoded_width = heif_image_get_primary_width(self->heif_image);
+    int decoded_height = heif_image_get_primary_height(self->heif_image);
+    if ((self->width > decoded_width) || (self->height > decoded_height)) {
+        heif_image_release(self->heif_image);
+        self->heif_image = NULL;
+        PyErr_Format(PyExc_ValueError,
+                    "corrupted image(dimensions in header: (%d, %d), decoded dimensions: (%d, %d)",
+                    self->width, self->height, decoded_width, decoded_height);
+        return 0;
+    }
+
     if (!self->postprocess) {
         self->stride = stride;
         return 1;

tests/read_test.py

@@ -350,3 +350,17 @@ def test_hdr_read(im_path, original_path):
 @pytest.mark.skipif(not helpers.aom(), reason="requires AVIF support.")
 def test_hdr_read_avif(im_path, original_path):
     helpers.compare_hashes([im_path, original_path], hash_size=16)
+
+
+def test_invalid_ispe():
+    im = Image.open("images/heif_special/L_8__29(255)x100.heif")
+    assert im.size == (255, 100)
+    with pytest.raises(ValueError):
+        im.load()
+    im = Image.open("images/heif_special/L_8__29x100(255).heif")
+    assert im.size == (29, 255)
+    with pytest.raises(ValueError):
+        im.load()
+    im = Image.open("images/heif_special/L_8__128(64)x128(64).heif")
+    assert im.size == (64, 64)
+    im.load()