GraphicsMagick JXL Image Decoder Resource Limit Vulnerability

Vulnerability

A vulnerability exists in GraphicsMagick in the JXL image decoder, prior to version 1.3.46, where image dimension resource limits are not enforced. This oversight can lead to excessive memory consumption when decoding JPEG XL images with large dimensions. For instance, a crafted JXL file can cause the decoder to use nearly 4 billion bytes of heap memory, surpassing typical resource limits and causing out-of-memory errors. This vulnerability was identified during fuzz testing and is associated with OSS-Fuzz issue #69728.
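
The missing check described above is a pre-allocation guard on the dimensions read from the image header. The following C example is added here and is not GraphicsMagick's or libjxl's code; it assumes constructed limit values and a hypothetical check_image_resource_limits() that a decoder would call before allocating its pixel buffer, rejecting headers whose width, height or computed buffer size exceeds the configured budget (with overflow-safe size arithmetic).

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed limits for this example (not GraphicsMagick's defaults):
   caps on width, height and on the pixel-buffer heap a decode may use. */
typedef struct {
    uint64_t max_width;
    uint64_t max_height;
    uint64_t max_memory_bytes;
} resource_limits_t;

/* Overflow-safe 64-bit multiply; returns false if a*b would wrap. */
bool mul_u64(uint64_t a, uint64_t b, uint64_t *out) {
    if (a != 0 && b > UINT64_MAX / a)
        return false;
    *out = a * b;
    return true;
}

/* Validate header dimensions against the limits before any pixel buffer is
   allocated. Returns true if decoding may proceed; sets *bytes_needed. */
bool check_image_resource_limits(uint64_t width, uint64_t height,
                                 uint64_t channels, uint64_t bytes_per_sample,
                                 const resource_limits_t *limits,
                                 uint64_t *bytes_needed) {
    uint64_t total;
    if (width == 0 || height == 0 || channels == 0 || bytes_per_sample == 0)
        return false;                       /* degenerate header */
    if (width > limits->max_width || height > limits->max_height)
        return false;                       /* dimension limit exceeded */
    if (!mul_u64(width, height, &total) ||
        !mul_u64(total, channels, &total) ||
        !mul_u64(total, bytes_per_sample, &total))
        return false;                       /* size computation overflowed */
    if (total > limits->max_memory_bytes)
        return false;                       /* memory limit exceeded */
    *bytes_needed = total;
    return true;
}

int main(void) {
    /* 256 MiB pixel budget; a 31250x32000 RGBA8 header needs 4e9 bytes */
    const resource_limits_t lim = { 65536, 65536, 256ULL << 20 };
    uint64_t need = 0;
    bool ok = check_image_resource_limits(31250, 32000, 4, 1, &lim, &need);
    printf("oversized JXL header accepted: %s\n", ok ? "yes" : "no");
    return 0;
}
```

Without the check, the decoder allocates the full 4e9-byte buffer that the header asks for, which is the out-of-memory condition the advisory describes.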

Impact

Exploitation of this vulnerability can cause a denial-of-service condition by exhausting system memory, leading to application crashes or severe performance degradation.

Reproduction

The vulnerability can be reproduced by using the 'djxl' command-line tool to decode a specially crafted JPEG XL file whose declared dimensions are large enough that a decoder without dimension limits will allocate an oversized buffer. This can be done by invoking 'djxl <filename.jxl> <output.pnm>', where '<filename.jxl>' is a JXL file known to trigger the issue.

Remediation

Users are advised to update to GraphicsMagick version 1.3.46 or later, where this vulnerability has been fixed.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 5.4
impact: 2.5
exploitability: 6.0
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.