From 83ea8d96b4bca36c48f1adb321b9c069333b9b3d Mon Sep 17 00:00:00 2001
From: jmestwa-coder
Date: Tue, 26 May 2026 00:03:25 +0530
Subject: [PATCH] Validate property allocation size in avifImageCopyProperties()
---
 src/avif.c | 6 ++++--
 tests/gtest/avifimagetest.cc | 22 ++++++++++++++++++++++
 2 files changed, 26 insertions(+), 2 deletions(-)
diff --git a/src/avif.c b/src/avif.c
index f44dc49e93..4039657400 100644
--- a/src/avif.c
+++ b/src/avif.c
@@ -234,9 +234,11 @@ static avifResult avifImageCopyProperties(avifImage * dstImage, const avifImage
 dstImage->numProperties = 0;
 if (srcImage->numProperties != 0) {
- dstImage->properties = (avifImageItemProperty *)avifAlloc(srcImage->numProperties * sizeof(srcImage->properties[0]));
+ AVIF_CHECKERR(srcImage->numProperties <= SIZE_MAX / sizeof(srcImage->properties[0]), AVIF_RESULT_INVALID_ARGUMENT);
+ const size_t propertiesSize = srcImage->numProperties * sizeof(srcImage->properties[0]);
+ dstImage->properties = (avifImageItemProperty *)avifAlloc(propertiesSize);
 AVIF_CHECKERR(dstImage->properties != NULL, AVIF_RESULT_OUT_OF_MEMORY);
- memset(dstImage->properties, 0, srcImage->numProperties * sizeof(srcImage->properties[0]));
+ memset(dstImage->properties, 0, propertiesSize);
 dstImage->numProperties = srcImage->numProperties;
 for (size_t i = 0; i < srcImage->numProperties; ++i) {
 memcpy(dstImage->properties[i].boxtype, srcImage->properties[i].boxtype, sizeof(srcImage->properties[i].boxtype));
diff --git a/tests/gtest/avifimagetest.cc b/tests/gtest/avifimagetest.cc
index 44e9cefc65..6c75e3e32b 100644
--- a/tests/gtest/avifimagetest.cc
+++ b/tests/gtest/avifimagetest.cc
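Review bot: The new overflow guard on the first added line carries no comment saying what it defends against, so a later reader has to re-derive why a size_t count is compared against `SIZE_MAX / sizeof(...)` and why a bad count is an INVALID_ARGUMENT rather than OUT_OF_MEMORY; a one-line comment such as `// numProperties * sizeof(properties[0]) must not wrap before it reaches avifAlloc().` above the AVIF_CHECKERR would carry that. The check itself is sound: integer division floors, so `n <= SIZE_MAX / s` is exactly `n * s <= SIZE_MAX`, and because dstImage->numProperties is already reset to 0 in the context above it, the early return leaves dstImage consistent (the test in the next hunk depends on exactly that). SIZE_MAX comes from <stdint.h>; I have not verified whether src/avif.c includes it directly or only transitively through avif.h. Note that the hunk header announces 9 old lines but only 8 are visible here, so a context line may have been lost in rendering; avifImageCopyProperties begins before and continues after this hunk.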
@@ -49,5 +49,27 @@ TEST(AvifImageTest, WriteImage) {
 image.get(), (testing::TempDir() + "/avifimagetest.png").c_str()));
 }
+TEST(AvifImageTest, CopyRejectsTooManyProperties) {
+ ImagePtr src(avifImageCreateEmpty());
+ ImagePtr dst(avifImageCreateEmpty());
+ ASSERT_NE(src, nullptr);
+ ASSERT_NE(dst, nullptr);
+
+ const uint8_t property_type[4] = {'a', 'b', 'c', 'd'};
+ const uint8_t property_payload = 0;
+ ASSERT_EQ(avifImageAddOpaqueProperty(src.get(), property_type,
+ &property_payload,
+ sizeof(property_payload)),
+ AVIF_RESULT_OK);
+
+ src->numProperties =
+ std::numeric_limits::max() / sizeof(avifImageItemProperty) + 1;
+ EXPECT_EQ(avifImageCopy(dst.get(), src.get(), AVIF_PLANES_ALL),
+ AVIF_RESULT_INVALID_ARGUMENT);
+ src->numProperties = 1;
+ EXPECT_EQ(dst->properties, nullptr);
+ EXPECT_EQ(dst->numProperties, 0u);
+}
+
 } // namespace
 } // namespace avif
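Review bot: `std::numeric_limits::max()` in the new test has no template argument and will not compile as shown; presumably `std::numeric_limits<size_t>::max()` was intended (matching the `SIZE_MAX` comparison in avif.c), or `SIZE_MAX` from <cstdint> could be used directly, which also avoids depending on <limits> being included somewhere I cannot see in this hunk. The test deliberately sets `src->numProperties` to an impossible count while `src->properties` holds a single element, so it is only safe if avifImageCopyProperties performs the size check before its memcpy loop (it does, per the first hunk) and avifImageCopy does not read the property array earlier, which I cannot confirm from here; a short comment above the assignment, e.g. `// Fake an overflowing count; the copy must reject it before touching properties[].`, would explain both that and why the count is restored to 1 before ImagePtr frees src. Using EXPECT_EQ rather than ASSERT_EQ around that window is the right choice, since a failed expectation still lets the restore run before the destructor sees the bogus count.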