{"id":"CVE-2025-29769","summary":"libvips has a potential heap-based buffer overflow when attempting to convert multiband TIFF input to HEIF output","details":"libvips is a demand-driven, horizontally threaded image processing library.  The heifsave operation could incorrectly determine the presence of an alpha channel in an input when it was not possible to determine the colour interpretation, known internally within libvips as \"multiband\". There aren't many ways to create a \"multiband\" input, but it is possible with a well-crafted TIFF image. If a \"multiband\" TIFF input image had 4 channels and HEIF-based output was requested, this led to libvips creating a 3 channel HEIF image without an alpha channel but then attempting to write 4 channels of data. This caused a heap buffer overflow, which could crash the process. This vulnerability is fixed in 8.16.1.","aliases":["GHSA-f8r8-43hh-rghm"],"modified":"2026-05-19T08:42:21.629212Z","published":"2025-04-07T20:09:30.971Z","database_specific":{"cwe_ids":["CWE-122"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/29xxx/CVE-2025-29769.json","cna_assigner":"GitHub_M"},"references":[{"type":"WEB","url":"https://issues.oss-fuzz.com/issues/396460413"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/04/msg00044.html"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/29xxx/CVE-2025-29769.json"},{"type":"ADVISORY","url":"https://github.com/libvips/libvips/security/advisories/GHSA-f8r8-43hh-rghm"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-29769"},{"type":"FIX","url":"https://github.com/libvips/libvips/commit/9ab6784f693de50b00fa535b9efbbe9d2cbf71f2"},{"type":"FIX","url":"https://github.com/libvips/libvips/pull/4392"},{"type":"FIX","url":"https://github.com/libvips/libvips/pull/4394"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/libvips/libvips","events":[{"introduced":"0"},{"fixed":"82c
7c05cb02a52750251bb4cc69d67f40568cf98"}]}],"versions":["v8.16.0","v8.16.0-rc2","v8.16.0-rc1","v8.15.0","v8.15.0-rc2","v8.14.0","v8.14.0-rc1","v8.13.0","v8.13.0-rc2","v8.13.0-rc1","v8.13.0-pre1","v8.12.0","v8.12.0-rc1","v8.11.0","v8.11","v8.11.0-rc1","v8.10.6-beta2","v8.10.0","v8.10.0-rc2","v8.10.0-rc1","v8.10.0-beta2","v8.10.0-beta1","v8.9.0","v8.9.0-rc4","v8.9.0-rc3","v8.9.0-rc2","v8.9.0-rc1","v8.9.0-beta2","v8.9.0-beta1","v8.9.0-alpha1","v8.8.0-rc3","v8.8.0","v8.8.0-rc2","v8.8.0-rc1","v8.7.0","v8.7.0-rc3","v8.7.0-rc2","v8.7.0-rc1","v8.7.0-alpha2","v8.6.0","v8.6.0-beta2","v8.6.0-beta1","v8.6.0-alpha2","v8.6.0-alpha1","v8.5.3","v8.5.2","v8.5.1","v8.3.0","v8.2.2","v8.1","v8.0-beta","v7.28.0"],"database_specific":{"vanir_signatures_modified":"2026-05-19T08:42:21Z","source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-29769.json"}}],"schema_version":"1.7.5","severity":[{"ty
pe":"CVSS_V4","score":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"}]}