GHSA-2v8p-fqpx-2q3w
jxl-oxide: integer subtraction overflow panic in cluster_from_table via crafted JXL input (DoS)
Details
### Summary Logic bug in `decode_simple_table_slow` may cause integer arithmetic overflow when decoding Modular image with certain kind of MA tree, which may panic with `overflow-checks` enabled.
### Impact Denial of service: any application passing untrusted JXL data to `JxlImage::render_frame` (or equivalent) can be crashed. Affects all builds with overflow checks enabled, which includes debug builds and any release build that sets `overflow-checks = true` in Cargo.toml or `[profile.*]`.
No memory corruption is possible — the panic fires before any unsafe code is reached.
Are you affected?
Enter the version of the package you're using.
Affected packages
0 Fixed in: 0.11.3 Upgrade jxl-modular to 0.11.3 or newer (ecosystem crates.io).