VDB
KO
MEDIUM 6.2

GHSA-2v8p-fqpx-2q3w

jxl-oxide: integer subtraction overflow panic in cluster_from_table via crafted JXL input (DoS)

Details

### Summary Logic bug in `decode_simple_table_slow` may cause integer arithmetic overflow when decoding Modular image with certain kind of MA tree, which may panic with `overflow-checks` enabled.

### Impact Denial of service: any application passing untrusted JXL data to `JxlImage::render_frame` (or equivalent) can be crashed. Affects all builds with overflow checks enabled, which includes debug builds and any release build that sets `overflow-checks = true` in Cargo.toml or `[profile.*]`.

No memory corruption is possible — the panic fires before any unsafe code is reached.

Are you affected?

Enter the version of the package you're using.

Affected packages

crates.io / jxl-modular
Introduced in: 0 Fixed in: 0.11.3

Upgrade jxl-modular to 0.11.3 or newer (ecosystem crates.io).

References