PT-2026-55366 · Crates.Io · Jxl-Grid
Published
2026-07-02
·
Updated
2026-07-02
CVSS v3.1
7.3
High
| Vector | AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:H |
Summary
On 32-bit platforms, decoding a crafted image may lead to out-of-bounds writes due to integer overflow in length calculation.
Details & PoC
The test listed below fail under miri with command
cargo +nightly miri test --release -p jxl-gridOr you can use Address Sanitizer, which ignores Rust-specific UB like aliasing but still flags out-of-bounds accesses:
RUSTFLAGS=-Zsanitizer=address cargo +nightly test -Zbuild-std -p jxl-grid --release --target x86 64-unknown-linux-gnuThe following tests should be appended to
crates/jxl-grid/src/test/subgrids.rs:rust
mod miri ub {
use super::*;
// `AlignedGrid::with alloc tracker` computes `width * height` unchecked. In release, overflow
// can create a tiny backing buffer for huge logical dimensions.
#[test]
fn aligned grid dimension product overflows() {
let width = usize::MAX / 2 + 1;
let mut grid = AlignedGrid::<u8>::with alloc tracker(width, 2, None).unwrap();
let mut subgrid = grid.as subgrid mut();
*subgrid.get mut(0, 1) = 1;
std::hint::black box(grid);
}
}This issue can be reachable through decoding a crafted image in two ways:
-
Huge actual frame A frame such as
65536 x 65536passes the current frame area limit (2^32 <= 2^40) but overflowsusizeelement count on 32-bit. Rendering then allocates too-smallAlignedGrids in modular/VarDCT/filter paths and later writes through mutable subgrids. -
Huge canvas plus tiny cropped frame This is the more practical “small payload, huge logical output” case. A bitstream-controlled frame crop can be tiny, but if the canvas/default requested region is huge, composition can allocate an output grid sized to the canvas/ROI at crates/jxl-render/src/blend.rs. That is bitstream frame cropping, not API crop. With a 32-bit target and a full requested image region whose area overflows, this can happen through ordinary
render frame().
Impact
On 32-bit platforms this can cause out-of-bounds writes with attacker-controlled data when decoding a crafted JPEG XL image. This could allow arbitrary code execution.
Fix
Integer Overflow
Heap Based Buffer Overflow
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Jxl-Grid