From 1ca8b76f104508da778aed29b98cadb2a1e8b243 Mon Sep 17 00:00:00 2001
From: Dirk Farin
Date: Sun, 20 Oct 2024 16:18:49 +0200
Subject: [PATCH] remove max_iloc_items security limits, because we reuse max_items
---
 libheif/api/libheif/heif.h | 1 -
 libheif/box.cc | 15 ++++++++++++---
 libheif/context.cc | 1 -
 libheif/security_limits.cc | 1 -
 4 files changed, 12 insertions(+), 6 deletions(-)
diff --git a/libheif/api/libheif/heif.h b/libheif/api/libheif/heif.h
index a4328f0567..d974757da9 100644
--- a/libheif/api/libheif/heif.h
+++ b/libheif/api/libheif/heif.h
@@ -1138,7 +1138,6 @@ struct heif_security_limits {
 uint32_t max_uncompressed_components;
- uint32_t max_iloc_items;
 uint32_t max_iloc_extents_per_item;
 uint32_t max_size_entity_group;
diff --git a/libheif/box.cc b/libheif/box.cc
index 2db21e7530..3fb51f0305 100644
--- a/libheif/box.cc
+++ b/libheif/box.cc
@@ -1336,11 +1336,10 @@ Error Box_iloc::parse(BitstreamRange& range, const heif_security_limits* limits)
 }
 // Sanity check. (This might be obsolete now as we check for range.error() below).
- auto max_iloc_items = limits->max_iloc_items;
- if (max_iloc_items && item_count > max_iloc_items) {
+ if (limits->max_items && item_count > limits->max_items) {
 std::stringstream sstr;
 sstr << "iloc box contains " << item_count << " items, which exceeds the security limit of "
- << max_iloc_items << " items.";
+ << limits->max_items << " items.";
 return Error(heif_error_Memory_allocation_error, heif_suberror_Security_limit_exceeded,
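Review bot: The iloc item-count check in Box_iloc::parse (libheif/box.cc) now depends on `limits->max_items`, and nothing in this patch shows what that limit defaults to, while the default it replaces was 2000 (removed in the security_limits.cc hunk). If the two defaults differ, the effective iloc bound changes silently for every caller relying on the global limits, so the commit message or a comment at the check should state the new bound. I would add above the check `// Shares limits->max_items with the ipma entry-count check; 0 disables this check.` and drop or update the "(This might be obsolete now ...)" remark so the intent of the guard is unambiguous. The function body starts and ends outside this hunk.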
@@ -2900,6 +2899,16 @@ Error Box_ipma::parse(BitstreamRange& range, const heif_security_limits* limits)
 }
 uint32_t entry_cnt = range.read32();
+
+ if (limits->max_items && entry_cnt > limits->max_items) {
+ std::stringstream sstr;
+ sstr << "ipma box wants to define properties for " << entry_cnt
+ << " items, but the security limit has been set to " << limits->max_items << " items";
+ return {heif_error_Invalid_input,
+ heif_suberror_Security_limit_exceeded,
+ sstr.str()};
+ }
+
 for (uint32_t i = 0; i < entry_cnt && !range.error() && !range.eof(); i++) {
 Entry entry;
 if (get_version() < 1) {
diff --git a/libheif/context.cc b/libheif/context.cc
index 2120af4b66..268f4d604e 100644
--- a/libheif/context.cc
+++ b/libheif/context.cc
@@ -123,7 +123,6 @@ static void copy_security_limits(heif_security_limits* dst, const heif_security_
 dst->max_memory_block_size = src->max_memory_block_size;
 dst->max_uncompressed_components = src->max_uncompressed_components;
- dst->max_iloc_items = src->max_iloc_items;
 dst->max_iloc_extents_per_item = src->max_iloc_extents_per_item;
 dst->max_size_entity_group = src->max_size_entity_group;
diff --git a/libheif/security_limits.cc b/libheif/security_limits.cc
index aab5ee8dee..513ff839b7 100644
--- a/libheif/security_limits.cc
+++ b/libheif/security_limits.cc
@@ -38,7 +38,6 @@ struct heif_security_limits global_security_limits {
 .max_memory_block_size = 512 * 1024 * 1024, // 512 MB
 .max_uncompressed_components = 256,
- .max_iloc_items = 2000,
 .max_iloc_extents_per_item = 32,
 .max_size_entity_group = 64,
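Review bot: The new `entry_cnt` check in Box_ipma::parse (libheif/box.cc) returns `heif_error_Invalid_input`, while the iloc check edited in the same commit returns `heif_error_Memory_allocation_error` with the same `heif_suberror_Security_limit_exceeded`, so a caller that branches on the main error code handles one security limit in two different ways. Both sites should use one code; if Invalid_input is the intended classification, the iloc return would start `return Error(heif_error_Invalid_input,`. The guard is also skipped when `limits->max_items` is zero, leaving the loop bounded only by `range.error()` / `range.eof()`, which deserves a comment such as `// max_items == 0 means no limit; the loop below still stops at end of box data`. Box_ipma::parse starts and ends outside the hunk.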