Skip to content

fix: update image-decoding deps to patch jxl-grid & webp CVEs#12

Merged
Enn3Developer merged 2 commits into
masterfrom
fix/jxl-grid-webp-cve
Jul 1, 2026
Merged

fix: update image-decoding deps to patch jxl-grid & webp CVEs#12
Enn3Developer merged 2 commits into
masterfrom
fix/jxl-grid-webp-cve

Conversation

@Enn3Developer

Copy link
Copy Markdown
Owner

AI Usage Disclaimer

This PR was prepared by Claude (Anthropic's AI assistant), at the repo owner's (@Enn3Developer) request, working in an agentic chat session. The owner asked me to audit the repo for security issues and, after review, authorized me to push this specific fix and open this PR using a scoped personal access token. I'm disclosing this so reviewers/contributors know an AI produced the diff and this description — please review it with that in mind, same as you would any external contribution.

What this fixes

Two RustSec advisories reachable through this app's actual attack surface (audio files with embedded cover art, opened by the user):

  • RUSTSEC-2026-0151jxl-grid < 0.6.2 has an integer-overflow out-of-bounds write when decoding a crafted JPEG XL image (potential memory corruption / code execution, worse on 32-bit targets). Reachable via zune-imagejxl-oxidejxl-grid, which is exactly the path get_image_squared() in n_player/src/lib.rs uses to decode cover art extracted from track tags.
  • RUSTSEC-2024-0443webp 0.3.0 doesn't validate the input buffer size when encoding, causing an out-of-bounds read (memory exposure / possible crash). Pulled in via rimage's webp feature.

Change

Bumped zune-image/zune-core/zune-imageprocs in n_player/Cargo.toml off their long-stale release-candidate pins (0.5.0-rc0/0.5.0-rc2) to the now-stable 0.5.x releases. That change alone is what pulls in the fix:

  • zune-image 0.5.0 requires jxl-oxide ^0.12.5, which resolves to 0.12.6, which requires jxl-grid ^0.6.2 (patched).
  • rimage's existing webp ^0.3 constraint resolves to 0.3.1 (patched) once Cargo.lock is regenerated.

Verification performed

I don't have push/CI access from my sandbox and its Rust toolchain (1.75) is too old to build this workspace at all (unrelated — rand 0.10 already needs edition2024 / Rust 1.85+ transitively). So I could not run a full cargo build here. What I did verify:

  • Ran cargo generate-lockfile against the live crates.io index with the updated Cargo.toml — resolves cleanly with jxl-grid 0.6.2, jxl-oxide 0.12.6, webp 0.3.1, zune-image 0.5.0, zune-core 0.5.1, zune-imageprocs 0.5.1, rimage 0.12.3. No dependency conflicts.
  • Diffed the actual function signatures this codebase calls (Image::read, DecoderOptions::new_fast, convert_color, zune_imageprocs::crop::Crop::new, rimage::operations::resize::Resize::new, rimage::codecs::webp::WebPDecoder::try_new/decode) against the new crate sources — all unchanged.

This PR still needs Cargo.lock regenerated and a real cargo check --workspace / cargo build run on CI or your machine before merging. Suggested command:

cargo update -p jxl-grid -p webp -p zune-image -p zune-core -p zune-imageprocs -p rimage

Other findings from the review (not included here)

A few lower-priority/harder-to-automate items came up during the audit that aren't part of this PR: several .unwrap()s on cover-art decode/resize operations that could panic on a malformed (not necessarily malicious) embedded image, a zstd decompression call in settings.rs with no output-size cap, and the unsafe impl Send/Sync for TrackData in lib.rs worth a second look for actual cross-thread mutation. Happy to open follow-up PRs for any of these if wanted.

Enn3Developer and others added 2 commits July 1, 2026 10:49
…id and webp

Fixes RUSTSEC-2026-0151 (OOB write decoding crafted JPEG XL images,
reachable via embedded cover art) and RUSTSEC-2024-0443 (OOB read in
webp encoder). Bumps zune-image off its RC pin to the stable 0.5.0
release, which requires jxl-oxide ^0.12.5 (resolves to 0.12.6, which
requires the patched jxl-grid ^0.6.2). rimage/webp resolves to 0.3.1+
under its existing ^0.3 constraint.

Note: generated by Claude (Anthropic AI assistant) at the repo owner's
request, working from a security review of this repo. See PR
description for the AI usage disclaimer and verification notes.
@Enn3Developer Enn3Developer merged commit 37d9e25 into master Jul 1, 2026
5 checks passed
@Enn3Developer Enn3Developer deleted the fix/jxl-grid-webp-cve branch July 1, 2026 16:13
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant