From ad149e320777dd6bfd76c7328b3233fd222301af Mon Sep 17 00:00:00 2001
From: jmestwa-coder
Date: Mon, 18 May 2026 23:53:29 +0530
Subject: [PATCH] Reject unsupported external iloc data references
---
 src/read.c | 4 ++++
 tests/gtest/avifilocextenttest.cc | 32 +++++++++++++++++++++++++++++++
 2 files changed, 36 insertions(+)
diff --git a/src/read.c b/src/read.c
index a6a33d8102..87b9fd7fce 100644
--- a/src/read.c
+++ b/src/read.c
@@ -2054,6 +2054,10 @@ static avifResult avifParseItemLocationBox(avifMeta * meta, const uint8_t * raw,
 uint16_t dataReferenceIndex;
 AVIF_CHECKERR(avifROStreamReadU16(&s, &dataReferenceIndex), AVIF_RESULT_BMFF_PARSE_FAILED); // unsigned int(16) data_reference_index;
+ if (dataReferenceIndex != 0) {
+ avifDiagnosticsPrintf(diag, "Item ID [%u] contains an unsupported data reference index [%u]", itemID, dataReferenceIndex);
+ return AVIF_RESULT_BMFF_PARSE_FAILED;
+ }
 uint64_t baseOffset;
 AVIF_CHECKERR(avifROStreamReadUX8(&s, &baseOffset, baseOffsetSize), AVIF_RESULT_BMFF_PARSE_FAILED); // unsigned int(base_offset_size*8) base_offset;
 uint16_t extentCount;
diff --git a/tests/gtest/avifilocextenttest.cc b/tests/gtest/avifilocextenttest.cc
index aa2c80c84c..71c9144103 100644
--- a/tests/gtest/avifilocextenttest.cc
+++ b/tests/gtest/avifilocextenttest.cc
@@ -1,6 +1,9 @@
 // Copyright 2024 Google LLC
 // SPDX-License-Identifier: BSD-2-Clause
+#include
+#include
+
 #include "avif/avif.h"
 #include "aviftest_helpers.h"
 #include "gtest/gtest.h"
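Review bot: The new `dataReferenceIndex != 0` branch in avifParseItemLocationBox (src/read.c) has no comment saying why zero is the only accepted value, and as written it also rejects an index whose dref entry is flagged self-contained, which ISO BMFF defines as data in this same file. If the parser does not read dinf/dref at all (not visible in this hunk), rejecting every non-zero index is the safe default, because resolving the extents against the current file would decode bytes the box says live elsewhere. The comment should say so, e.g. `// Non-zero data_reference_index selects a dinf/dref entry, which is not resolved here; fail rather than read the extents from this file.` The function body begins and continues outside the hunk.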
@@ -30,6 +33,35 @@ TEST(IlocTest, TwoExtents) {
 EXPECT_LT(psnr, 45.0);
 }
+TEST(IlocTest, NonZeroDataReferenceIndex) {
+ testutil::AvifRwData avif =
+ testutil::ReadFile(std::string(data_path) + "white_1x1.avif");
+ ASSERT_NE(avif.data, nullptr);
+
+ const uint8_t kIloc[] = {'i', 'l', 'o', 'c'};
+ uint8_t* iloc_position =
+ std::search(avif.data, avif.data + avif.size, kIloc, kIloc + 4);
+ ASSERT_NE(iloc_position, avif.data + avif.size);
+ ASSERT_GE(static_cast(avif.data + avif.size - iloc_position),
+ size_t{16});
+
+ // white_1x1.avif uses iloc version 0 with a single item. The
+ // data_reference_index field follows the item_ID field.
+ ASSERT_EQ(iloc_position[4], 0);
+ ASSERT_EQ(iloc_position[10], 0);
+ ASSERT_EQ(iloc_position[11], 1);
+ ASSERT_EQ(iloc_position[14], 0);
+ ASSERT_EQ(iloc_position[15], 0);
+ iloc_position[14] = 0;
+ iloc_position[15] = 1;
+
+ DecoderPtr decoder(avifDecoderCreate());
+ ASSERT_NE(decoder, nullptr);
+ ASSERT_EQ(avifDecoderSetIOMemory(decoder.get(), avif.data, avif.size),
+ AVIF_RESULT_OK);
+ EXPECT_EQ(avifDecoderParse(decoder.get()), AVIF_RESULT_BMFF_PARSE_FAILED);
+}
+
 //------------------------------------------------------------------------------
 } // namespace
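Review bot: The closing `EXPECT_EQ(avifDecoderParse(decoder.get()), AVIF_RESULT_BMFF_PARSE_FAILED)` in NonZeroDataReferenceIndex does not show that the new iloc check is what failed. The same result code is returned by the neighbouring AVIF_CHECKERR reads in src/read.c, so the test would still pass if the patched bytes broke parsing some other way. Checking the diagnostic ties it to the new branch: `EXPECT_NE(std::string(decoder->diag.error).find("unsupported data reference index"), std::string::npos);`. The `iloc_position[14] = 0;` store directly after `ASSERT_EQ(iloc_position[14], 0)` is redundant, and a second case that sets only the high byte would cover both bytes of the 16-bit field.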