PT-2026-55366 · Crates.Io · Jxl-Grid

Published

2026-07-02

·

Updated

2026-07-02

CVSS v3.1

7.3

High

VectorAV:L/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:H

Summary

On 32-bit platforms, decoding a crafted image may lead to out-of-bounds writes due to integer overflow in length calculation.

Details & PoC

The test listed below fail under miri with command cargo +nightly miri test --release -p jxl-grid
Or you can use Address Sanitizer, which ignores Rust-specific UB like aliasing but still flags out-of-bounds accesses:
RUSTFLAGS=-Zsanitizer=address cargo +nightly test -Zbuild-std -p jxl-grid --release --target x86 64-unknown-linux-gnu
The following tests should be appended to crates/jxl-grid/src/test/subgrids.rs:
rust
mod miri ub {
  use super::*;

  // `AlignedGrid::with alloc tracker` computes `width * height` unchecked. In release, overflow
  // can create a tiny backing buffer for huge logical dimensions.
  #[test]
  fn aligned grid dimension product overflows() {
    let width = usize::MAX / 2 + 1;
    let mut grid = AlignedGrid::<u8>::with alloc tracker(width, 2, None).unwrap();
    let mut subgrid = grid.as subgrid mut();
    *subgrid.get mut(0, 1) = 1;
    std::hint::black box(grid);
  }
}
This issue can be reachable through decoding a crafted image in two ways:
  1. Huge actual frame A frame such as 65536 x 65536 passes the current frame area limit (2^32 <= 2^40) but overflows usize element count on 32-bit. Rendering then allocates too-small AlignedGrids in modular/VarDCT/filter paths and later writes through mutable subgrids.
  2. Huge canvas plus tiny cropped frame This is the more practical “small payload, huge logical output” case. A bitstream-controlled frame crop can be tiny, but if the canvas/default requested region is huge, composition can allocate an output grid sized to the canvas/ROI at crates/jxl-render/src/blend.rs. That is bitstream frame cropping, not API crop. With a 32-bit target and a full requested image region whose area overflows, this can happen through ordinary render frame().

Impact

On 32-bit platforms this can cause out-of-bounds writes with attacker-controlled data when decoding a crafted JPEG XL image. This could allow arbitrary code execution.

Fix

Integer Overflow

Heap Based Buffer Overflow

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

GHSA-5PMV-RX8R-WMV5

Affected Products

Jxl-Grid