GHSA-66m8-c62j-h6v5
jxl-oxide: `FrameBuffer::new` creates out-of-bounds slices on overflow
Details
### Summary

`jxl-oxide` exposes a public safe API that can construct an undersized `FrameBuffer` due to unchecked `usize` multiplication, which immediately triggers a panic while initializing the buffer in the normal decoding path.

Additionally, calling the safe grouped buffer accessors afterward can create invalid oversized slices from a much smaller allocation, causing undefined behavior; however, the normal decoding path never reaches this UB, because these methods are never used within `jxl-oxide`.
### Impact

On 32-bit platforms this can cause a panic by accessing out-of-range indices, making it a DoS vulnerability.
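The defect described above is a size computation that wraps instead of failing. The following is an added example, not jxl-oxide's code: a hypothetical minimal frame buffer whose constructor rejects a width/height/channel product that does not fit in `usize`, and whose row accessor is bounds-checked so it cannot hand out a slice larger than the allocation. `wrapping_len` only models what an unchecked multiplication would compute; it allocates nothing.

```rust
// Added example (hypothetical, not jxl-oxide's own code). Constructed to show
// a checked size computation beside the wrapping one that yields an
// undersized buffer.

#[derive(Debug, PartialEq)]
pub enum FrameBufferError {
    /// width * height * channels does not fit in usize.
    SizeOverflow { width: usize, height: usize, channels: usize },
}

/// What an unchecked `width * height * channels` computes in release builds:
/// the product silently wraps modulo 2^usize::BITS.
pub fn wrapping_len(width: usize, height: usize, channels: usize) -> usize {
    width.wrapping_mul(height).wrapping_mul(channels)
}

pub struct FrameBuffer {
    width: usize,
    height: usize,
    channels: usize,
    buf: Vec<f32>,
}

impl FrameBuffer {
    /// Hardened constructor: every multiplication is checked, so an
    /// oversized request is an error rather than a tiny allocation.
    pub fn new(width: usize, height: usize, channels: usize) -> Result<Self, FrameBufferError> {
        let len = width
            .checked_mul(height)
            .and_then(|n| n.checked_mul(channels))
            .ok_or(FrameBufferError::SizeOverflow { width, height, channels })?;
        Ok(Self { width, height, channels, buf: vec![0.0; len] })
    }

    pub fn len(&self) -> usize {
        self.buf.len()
    }

    /// Grouped accessor returning the interleaved samples of row `y`.
    /// Uses `get(..)` so a bad index yields None instead of an
    /// out-of-range slice.
    pub fn row(&self, y: usize) -> Option<&[f32]> {
        if y >= self.height {
            return None;
        }
        let stride = self.width.checked_mul(self.channels)?;
        let start = y.checked_mul(stride)?;
        let end = start.checked_add(stride)?;
        self.buf.get(start..end)
    }
}
```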
Affected packages
Fixed version: 0.12.6. Upgrade jxl-oxide to 0.12.6 or newer (ecosystem: crates.io).