libheif is an HEIF and AVIF file format decoder and encoder. Prior to version 1.21.0, a crafted HEIF that exercises the overlay image item path triggers a heap buffer over-read in HeifPixelImage::overlay(). The function computes a negative row length (likely from an unclipped overlay rectangle or invalid offsets), which then underflows when converted to size_t and is passed to memcpy, causing a very large read past the end of the source plane and a crash. Version 1.21.0 contains a patch. As a workaround, avoid decoding images using iovl overlay boxes.