Product: JPEG XL
Affected: cjxl/libjxl prior to fix commit (see References)
CVE: CVE-2025-70103
CWE: CWE-122 (Heap-based Buffer Overflow)
CVSS 3.1: 8.8 HIGH (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
Reporter: sigdevel <https://infosec.exchange/@sigdevel>

Description:

The jxl::extras::DecodeImagePNM function in lib/extras/dec/pnm.cc is responsible for decoding PBM/PNM image data into a PackedPixelFile structure. When processing a crafted PBM image, the function computes an incorrect pixel row stride at pnm.cc:526 during frame initialization, causing the PackedImage buffer to be allocated with an undersized length of 16 bytes (lib/extras/packed_image.h:162). At pnm.cc:554, a memcpy call uses the unchecked stride value to copy 24 bytes into the 16-byte region, writing 8 bytes past the end of the heap allocation (WRITE of size 24 at 0x5020000000a0, 0 bytes after a 16-byte region).

Because the overflow is a WRITE, memory corruption leading to further exploitation cannot be ruled out. The crash is reproducible on the current master branch at the time of discovery. No authentication or special privileges are required beyond the ability to supply a crafted file.

Reproduction:

- Command: ./cjxl ./2_PBM_lib_extras_dec_pnm_cc_554 --disable_output

ASan log:

==3294966==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x5020000000a0 at pc 0x7f043c8f27ef bp 0x7fff5de54250 sp 0x7fff5de53a10
WRITE of size 24 at 0x5020000000a0 thread T0
    #0 0x7f043c8f27ee in memcpy ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors_memintrinsics.inc:115
    #1 0x55fcb63f6abd in jxl::extras::DecodeImagePNM lib/extras/dec/pnm.cc:554
    #2 0x55fcb639e322 in jxl::extras::DecodeBytes lib/extras/dec/decode.cc:170

PoC:

https://github.com/sigdevel/pocs/blob/main/res/libjxl/2025/2/2_PBM_lib_extras_dec_pnm_cc_554

References:

https://github.com/libjxl/libjxl/issues/4337
https://nvd.nist.gov/vuln/detail/CVE-2025-70103
https://infosec.exchange/@sigdevel/116642233929409910
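The bug class described above is a mismatch between the stride used to size the PackedImage allocation and the stride the subsequent memcpy trusts. The C program below is an added example and is not libjxl code: it models the destination buffer with a hypothetical packed_image_t and shows the check a decoder can apply, namely re-deriving the row stride from the image dimensions, sizing the allocation from that stride with an overflow guard, and having the row copy refuse any source row whose length does not match the allocation's own stride. The demo scenario reuses the advisory's sizes (a 16-byte allocation and a 24-byte row) so the copy is rejected instead of overflowing; the type, function names and sample rows are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical packed image: the allocation size is derived from row stride
   and height, which is exactly the relationship a stride miscalculation breaks. */
typedef struct {
    size_t width;
    size_t height;
    size_t stride;   /* bytes per row the allocation was sized for */
    size_t size;     /* bytes actually allocated */
    uint8_t *data;
} packed_image_t;

/* Row stride of a 1-bit-per-pixel (PBM) row: 8 pixels per byte, rounded up.
   Returns 0 for a zero width or one that would overflow the rounding. */
size_t pbm_row_stride(size_t width) {
    if (width == 0 || width > SIZE_MAX - 7) return 0;
    return (width + 7) / 8;
}

/* Size the allocation as stride * height, guarding the multiplication. */
int packed_image_init(packed_image_t *img, size_t width, size_t height, size_t stride) {
    if (height == 0 || stride == 0 || stride > SIZE_MAX / height) return -1;
    img->width = width;
    img->height = height;
    img->stride = stride;
    img->size = stride * height;
    img->data = calloc(img->size, 1);
    return img->data ? 0 : -1;
}

void packed_image_free(packed_image_t *img) {
    free(img->data);
    img->data = NULL;
    img->size = 0;
}

/* Bounded row copy: computes the destination offset from the allocation's own
   stride and refuses any row that would not fit. Returns 0 on success and -1
   when the copy would run past the end of img->data. */
int copy_row_checked(packed_image_t *img, size_t y, const uint8_t *src, size_t src_stride) {
    if (!img->data || y >= img->height) return -1;
    if (src_stride != img->stride) return -1;               /* stride mismatch */
    size_t offset = y * img->stride;                         /* cannot overflow: checked in init */
    if (offset > img->size || img->size - offset < src_stride) return -1;
    memcpy(img->data + offset, src, src_stride);
    return 0;
}

/* Scenario with the advisory's numbers: a 16-byte allocation (stride 8, height 2)
   and a 24-byte source row. Returns the copy status: -1 means it was rejected. */
int demo_mismatched_stride(void) {
    uint8_t src_row[24];                        /* constructed sample input */
    memset(src_row, 0xAA, sizeof src_row);
    packed_image_t img;
    if (packed_image_init(&img, 64, 2, 8) != 0) return -2;
    int rc = copy_row_checked(&img, 0, src_row, sizeof src_row);
    packed_image_free(&img);
    return rc;
}

/* Well-formed scenario: 64-pixel PBM rows are 8 bytes, two rows fill 16 bytes.
   Returns 0 when both rows copy, -1 otherwise. */
int demo_matching_stride(void) {
    size_t stride = pbm_row_stride(64);
    if (stride == 0) return -1;
    uint8_t src_rows[2][8];
    memset(src_rows, 0x55, sizeof src_rows);    /* constructed sample input */
    packed_image_t img;
    if (packed_image_init(&img, 64, 2, stride) != 0) return -1;
    int rc = 0;
    for (size_t y = 0; y < 2 && rc == 0; y++)
        rc = copy_row_checked(&img, y, src_rows[y], stride);
    packed_image_free(&img);
    return rc;
}

int main(void) {
    printf("mismatched stride: %d\n", demo_mismatched_stride());
    printf("matching stride:   %d\n", demo_matching_stride());
    return 0;
}
```

The design point is that the copy never trusts a stride computed elsewhere: the destination offset and remaining capacity come from the allocation itself, so a miscomputed stride produces a decode error rather than a heap write past the buffer.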
---
Best regards,
Alexander A. Shvedov
https://github.com/sigdevel
