Executive Summary

[{'type': 'paragraph', 'content': "This vulnerability occurs in the libjxl library's decoder when processing specially-crafted JPEG XL grayscale images. It involves the Color Management System (CMS) engine LCMS2, where buffers allocated for one float per pixel are mistakenly used as if they were allocated for three floats per pixel. This leads to writing pixel data into uninitialized and unallocated memory regions."}, {'type': 'paragraph', 'content': 'Specifically, when decoding grayscale images and requesting a color transformation to another grayscale color space, the decoder improperly handles memory allocation and cleanup. This causes heap corruption and can lead to application crashes due to invalid memory writes and frees during the destruction of CMS-related objects.'}, {'type': 'paragraph', 'content': 'The issue is triggered when both JxlDecoderSetCms and JxlDecoderSetPreferredColorProfile functions are called together during decoding. The crash is caused by memory corruption detected by malloc during cleanup, as confirmed by debugging tools like Valgrind.'}] [1]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can cause the libjxl decoder to crash due to heap corruption when processing certain grayscale JPEG XL images with specific color management settings.

The impact includes potential denial of service (DoS) as the application using libjxl may abort unexpectedly. Additionally, because the vulnerability involves writing to uninitialized and unallocated memory, it could potentially be exploited to execute arbitrary code or cause unpredictable behavior, depending on the context in which the library is used.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by attempting to decode specially crafted grayscale JPEG XL images using the libjxl library with both JxlDecoderSetCms and JxlDecoderSetPreferredColorProfile functions called together. A known test file is grayscale_linear.jxl, a 256x256 lossy 16-bit grayscale JPEG XL image with linear transfer function and D65 white point.

Detection involves observing crashes or memory corruption during decoding, such as heap corruption errors or aborts triggered by invalid memory writes.

Using debugging tools like Valgrind can help identify invalid memory writes during the decoding process, specifically in the CmsStage::ProcessRow function.

• Run the decoding process with both JxlDecoderSetCms and JxlDecoderSetPreferredColorProfile enabled on grayscale JPEG XL images.
• Use Valgrind or similar memory debugging tools to detect invalid memory writes or heap corruption.
• Monitor for crashes or aborts related to memory deallocation failures (e.g., munmap_chunk errors) during decoding.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation involves avoiding the use of the LCMS2 color management engine when decoding grayscale JPEG XL images, as the vulnerability occurs only if LCMS2 is used as the CMS engine.

Alternatively, configure the build flags to select the other available CMS engine instead of LCMS2.

Avoid calling both JxlDecoderSetCms and JxlDecoderSetPreferredColorProfile together during decoding until a patched version of libjxl is available.

Monitor for updates or patches from the libjxl project addressing this issue and apply them promptly.

Useful 0 Not Useful 0