github strukturag/libheif v1.22.0
v1.22.0 - generic image components, ISO/IEC 23001-17 (lossless images) rewrite

4 hours ago

This is a large release with substantial new functionality, mainly with generalized image formats (e.g., multi-spectral images) and a reworked implementation of ISO/IEC 23001-17 (lossless image codec).

Generic image components

New public API to work with arbitrary image components beyond the usual Y/Cb/Cr/R/G/B/A channels.
You can use that to store multi-spectral images or arbitrary non-visual multi-channel data.
These components can also have unusual pixel datatypes: signed integers, float, complex numbers.
This is currently only supported by the ISO/IEC 23001-17 codec, but will in the future also be added to JPEG-2000.

ISO/IEC 23001-17 (lossless images)

The unci codec received a new architecture where the best file format or decoder is chosen based on the input.
This now covers a larger subset of the possible image parameters and reads images faster.
New features:

  • HDR up to 64 bpp
  • Multi-component images with arbitrary component layouts (multi-spectral images, arbitrary non-visual data)
  • Filter-array (Bayer / mosaic) images, with debayering in the color transformation pipeline
  • Metadata: chroma-sample location (cloc), sample non-uniformity (snuc), sensor bad-pixel map (sbpm), polarization pattern (splz)

Command line tools

  • heif-dec can now convert to WebP (thanks to @torusrxxx).
  • heif-enc can now accept input from WebP, HEIF, pure raw files (including floating point pixel data), and CMYK JPEG (converted to RGB).
  • TIFF input can now read many TIFF formats used in geospatial imaging, like: 16-bit, signed integers, float samples, tiled TIFFs, GeoTIFF overview images, CMYK JPEG, YCbCr-as-JPEG. TIFFs with image tiling and multi-resolution layers are now reproduced as HEIFs when converted.
  • PNG decoder/encoder: cICP, cLLI, and mDCV chunk support (#1697).
  • heif-dec: auto-correct option to fix known input errors (e.g. mismatched NCLX/VUI).

GIMI format support

  • Image, Track, Sequence samples, image component GIMI content IDs
  • Embedding of Turtle (.ttl) metadata files; automatic parsing of GIMI content IDs from Turtle

Miscellaneous

  • AOM encoder plugin now auto-selects IQ tune mode (#1725)
  • mini-box syntax updated to the current HEIF version 4 draft (thanks @bradh for the initial implementation)
  • unif brand (globally-unique-ID) support
  • OMAF (omnidirectional images): indicate ISO/IEC 23000-22 spherical/omnidirectional image projection
  • alpha bit-depth tracked through the color-conversion pipeline (#1673)

Security

Many integer-overflow, OOB, NULL-deref, and uninitialized-memory issues were fixed across the codebase. CVEs / advisories addressed in this release:

  • CVE-2026-32738 (GHSA-7f2h-cmpf-v9ww) : Heap OOB Read / SEGV Crash via Zero samples_per_chunk in stsc
  • CVE-2026-32739 (GHSA-j9g7-q9hv-gq8c) : Infinite Loop DoS in stts Sample Duration Lookup
  • CVE-2026-32740 (GHSA-frfr-f3vg-2g6j) : Heap-Buffer-Overflow Write in Grid Tile Chroma Compositing
  • CVE-2026-32741 (GHSA-j3w5-7whq-p37q) : heap buffer overflow in decode_mask_image()
  • CVE-2026-32814 (GHSA-4m8r-34pg-rvwc) : Uninitialized Heap Memory Information Leak via Failed Grid Tiles
  • CVE-2026-32882 (GHSA-hg7q-rjr2-8x46) : Heap Buffer OOB Read in overlay compositing due to wrong alpha stride
  • CVE-2026-41069 (GHSA-p82x-fpmv-576r) : Out-of-bounds vector access leading to invalid dereference
  • CVE-2026-41071 (GHSA-xj92-xjff-h8w3) : Heap buffer over-read in SampleAuxInfoReader via crafted HEIF sequence file with mismatched saiz sample count
  • CVE-2026-47178 (GHSA-5x55-x5pf-9c6g) : Heap Out Of Bounds Write in unci subsystem
  • CVE-2026-47247 (GHSA-2vh6-whr3-cmq3) : Heap Information Disclosure via Grid Image Gap + Uninitialized Pixel Plane Allocation
  • CVE-2026-47251 (GHSA-p6q9-fhf2-vj9v) : Incomplete fix for CVE-2026-3949: integer overflow bypass in vvdec_push_data2
  • CVE-2026-47254 (GHSA-wqjg-4x9g-6cvg) : Heap Buffer Overflow in Track::get_next_sample_raw_data() -- OOB Chunk Vector Access
  • CVE-2026-47709 (GHSA-4h72-vqgp-9376) : NULL pointer dereference in heif_image_handle_get_image_tiling for malformed unci image missing ispe
  • CVE-2026-47714 (GHSA-h4wm-6wwf-qvhx) : Integer overflow in inline mask size calculation causes undersized buffer allocation
  • (GHSA-95jx-g5vf-cpp8) : Integer Overflow in SampleAuxInfoReader Offset Calculation
  • (GHSA-p4r6-6972-g26m) : Incorrect byte-count initialization in BitstreamRange constructor allows container-boundary check bypass
  • (GHSA-jh2w-m72q-q595) : Out-of-bounds read and assertion-based DoS in EXIF parsing (find_exif_tag / read32) with short EXIF TIFF payload
  • (GHSA-9h96-c44j-jpq9) : Heap buffer overflow via uint32_t stride overflow in image plane allocation
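
CVE-2026-32738 above turns on an stsc (sample-to-chunk) entry whose samples_per_chunk is zero. As an added illustration (not libheif's code and not its fix), the validator below rejects such a table before any sample lookup is built on it. The function name, status codes and sample byte arrays are constructed for this example, and the assumed payload layout is the ISO/IEC 14496-12 one: version/flags, entry_count, then 12-byte entries.

```c
#include <stddef.h>
#include <stdint.h>

enum stsc_status { STSC_OK = 0, STSC_TRUNCATED,
                   STSC_BAD_FIRST_CHUNK, STSC_ZERO_SAMPLES };

/* Read a big-endian 32-bit value; the caller guarantees 4 readable bytes. */
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Validate an stsc payload (the bytes after the box size/type header):
 * version(1) flags(3) entry_count(4), then entry_count records of
 * first_chunk(4) samples_per_chunk(4) sample_description_index(4). */
enum stsc_status stsc_validate(const uint8_t *buf, size_t len) {
    if (len < 8) return STSC_TRUNCATED;
    uint32_t count = be32(buf + 4);
    /* Compare by division so that count * 12 can never overflow. */
    if (count > (len - 8) / 12) return STSC_TRUNCATED;
    uint32_t prev_first = 0;
    for (uint32_t i = 0; i < count; i++) {
        const uint8_t *e = buf + 8 + (size_t)i * 12;
        uint32_t first_chunk = be32(e);
        uint32_t samples_per_chunk = be32(e + 4);
        /* first_chunk is 1-based and must strictly increase. */
        if (first_chunk <= prev_first) return STSC_BAD_FIRST_CHUNK;
        /* A run of chunks with zero samples cannot be mapped to any sample. */
        if (samples_per_chunk == 0) return STSC_ZERO_SAMPLES;
        prev_first = first_chunk;
    }
    return STSC_OK;
}

/* Constructed sample payloads (not taken from any real file). */
static const uint8_t STSC_GOOD[] = { 0,0,0,0, 0,0,0,2,
    0,0,0,1, 0,0,0,4, 0,0,0,1,  0,0,0,3, 0,0,0,2, 0,0,0,1 };
static const uint8_t STSC_ZERO[] = { 0,0,0,0, 0,0,0,1,
    0,0,0,1, 0,0,0,0, 0,0,0,1 };
static const uint8_t STSC_LIES[] = { 0,0,0,0, 0xff,0xff,0xff,0xff,
    0,0,0,1, 0,0,0,4, 0,0,0,1 };   /* entry_count far beyond the payload */

int main(void) {
    return (stsc_validate(STSC_GOOD, sizeof STSC_GOOD) == STSC_OK &&
            stsc_validate(STSC_ZERO, sizeof STSC_ZERO) == STSC_ZERO_SAMPLES &&
            stsc_validate(STSC_LIES, sizeof STSC_LIES) == STSC_TRUNCATED) ? 0 : 1;
}
```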

Build / CI

  • requires C++20
  • oss-fuzz integration overhauled
  • fuzzers for tile API, generic API surface, and per-codec encoders
