Releases: strukturag/libde265
v1.1.1 - speed improvements
The decoding speed has been improved by about 8% on x86 CPUs thanks to more SIMD acceleration and optimized CABAC code. Also the startup time has been improved, which gives a 3% speed improvement when decoding HEIC files with similar-sized tiles.
Build differences
When building shared-libraries in Release mode, we are now using -fvisibility=hidden by default. You can override this with the new cmake option "FORCE_FULL_VISIBILITY".
Security
- CVE TBD (GHSA-ccfw-29x7-rrx3) - Pixel accessor signed integer overflow causes heap OOB read/write
- CVE TBD (GHSA-j2qq-x2xq-g9wr) - SAO sequential filter heap buffer overflow via signed integer overflow
v1.1.0 - security limits
Added de265_security_limits parameters to limit the maximum image size and memory that libde265 will use during decoding.
Security fixes
- CVE-2026-49295 (GHSA-g2rg-wj66-w594) - Out-of-bounds write in process_reference_picture_set via predicted short-term RPS
- CVE-2026-49337 (GHSA-g5hj-rf9f-7vxm) - Unbounded memory accumulation via orphaned slice headers in
read_slice_NAL - CVE-2026-49346 (GHSA-vv8h-932h-7r86) - Heap buffer overflow in de265_image_get_buffer via SPS dimension integer overflow
- (GHSA-x27c-jp65-g395) - Quadratic CPU consumption in NAL parser (
remove_stuffing_bytes,resize)
v1.0.19
This release contains a number of security fixes, correctness fixes for edge cases,
and build/packaging improvements.
The public API is binary-compatible with v1.0.18.
Fixed CVEs
- CVE-2026-45382 (GHSA-hwhx-x2mq-ccr9) : Heap-buffer-overflow READ in decode_slice_unit_tiles via unvalidated PPS tile geometry
- CVE-2026-45383 (GHSA-wg9q-ppqw-6q38) : Heap buffer overflow (OOB read) in decode_slice_unit_WPP() via out-of-bounds CtbAddrRStoTS access
Sample applications
v1.0.18 - maintenance
libde265ConfigVersion.cmakerenamed tolibde265-config-version.cmake- fix pkg-config when installing to absolute paths
- fix compilation with MSVC in Debug mode
- removed the (defunct) encoder code and the internal development tools from the tarball
v1.0.17 - maintenance
This release removes the autotools build scripts. Please migrate to cmake if you have not done that yet.
Furthermore, many input validations have been added and security relevant issues have been fixed.
Note for packaging
the name of libde265ConfigVersion.cmake will shortly change to libde265-config-version.cmake in an upcoming v1.0.18 release. This makes it consistent with the naming scheme in libheif. If you want to avoid renaming the file in your package, wait for v1.0.18.
v1.0.16 - maintenance
This release fixes some rare decoding errors and some build issues.
v1.0.15 - maintenance
A couple of bug fixes, including the following CVEs:
v1.0.14 - build fix
This fixes build-time SSE detection when using the CMake build system.
No other changes than that. You don't need to update if you are using the autotools build system.
v1.0.13 - maintenance release
This release fixes among other smaller issues the following crashes:
- #413 SEGV:occured in function main at dec265.cc
- #414 Memory allocation failed in function main at dec265.cc
- #418 Buffer over-read causes segmentation fault in pic_parameter_set::dump
- #419 Potential segmentation fault due to incorrect realloc in CABAC_encoder_bitstream::check_size_and_resize (unused function)
- #426 SEGV in libde265 in slice_segment_header::dump_slice_segment_header
- #427 Libde265 v1.0.12 was discovered that requested allocation size exceeds maximum supported size of 0x10000000000
- #429 heap-buffer-overflow in derive_spatial_luma_vector_prediction(...)