| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| diplib | pip | < 3.1.0 | 3.1.0 |

The vulnerability stems from improper error handling in the JPEG I/O functions. The pre-patch code used setjmp/longjmp in the JpegInput/JpegOutput constructors without ensuring proper resource cleanup. When a libjpeg error occurred, longjmp bypassed C++ stack unwinding, which caused destructors to run multiple times (e.g., freeing the same memory twice). The commit fixed this by centralizing error handling with DIP__DECLARE_JPEG_EXIT, ensuring consistent use of the setjmp buffer and proper exception-based unwinding. The ASAN trace in GHSA-xf2w-5673-h6ww explicitly shows a double-free in ImageReadJPEG, confirming that these functions are affected.
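The following is an added example, not diplib's code, that models the two error-handling shapes described above with a stand-in for libjpeg (the names `Handle`, `fake_decode`, `fake_error_exit`, `VulnerableReader` and `FixedReader` are assumptions made for this illustration). The "C library" cannot throw, so its error callback has to longjmp; the difference is what the landing site does. In the pre-patch shape the setjmp branch releases the resource by hand and then throws, after which the destructor releases it again. In the post-patch shape the setjmp branch only throws, and the single RAII owner releases exactly once during unwinding. Releases are counted instead of freeing real memory so the double release is observable without corrupting the heap.

```cpp
// Added example (not diplib's code): a setjmp/longjmp error path that double-releases
// a resource, beside the corrected form where only exception unwinding releases it.
#include <csetjmp>
#include <stdexcept>

// Counters that make a double release observable without actually freeing twice.
struct Stats { int acquired = 0; int released = 0; int destructors = 0; };

// Stand-in for libjpeg decompression state: must be released exactly once.
struct Handle { Stats* stats = nullptr; bool live = false; };

static void handle_open(Handle* h, Stats* s) { h->stats = s; h->live = true; ++s->acquired; }
static void handle_close(Handle* h) { ++h->stats->released; h->live = false; }

// Stand-in for libjpeg's error_exit callback: plain C-style code, so it cannot throw
// and longjmps instead. Nothing between setjmp and this longjmp owns a C++ object.
static std::jmp_buf g_jump;
static void fake_error_exit() { std::longjmp(g_jump, 1); }

// Stand-in for a libjpeg decode call; a "corrupt" input triggers the error callback.
static void fake_decode(bool corrupt) { if (corrupt) fake_error_exit(); }

// Pre-patch shape: the setjmp branch cleans up by hand, and the destructor cleans up again.
class VulnerableReader {
public:
    explicit VulnerableReader(Stats* s) { handle_open(&h_, s); }
    ~VulnerableReader() { ++h_.stats->destructors; handle_close(&h_); }  // unconditional close
    void read(bool corrupt) {
        if (setjmp(g_jump)) {
            handle_close(&h_);                       // manual cleanup on the error path...
            throw std::runtime_error("jpeg error");  // ...then ~VulnerableReader closes again
        }
        fake_decode(corrupt);
    }
private:
    Handle h_{};
};

// Post-patch shape: the error path only converts the longjmp into an exception;
// the one RAII owner releases the handle exactly once while unwinding.
class FixedReader {
public:
    explicit FixedReader(Stats* s) { handle_open(&h_, s); }
    ~FixedReader() { ++h_.stats->destructors; if (h_.live) handle_close(&h_); }
    void read(bool corrupt) {
        if (setjmp(g_jump)) {
            throw std::runtime_error("jpeg error");  // unwinding runs ~FixedReader once
        }
        fake_decode(corrupt);
    }
private:
    Handle h_{};
};

// Drives one reader over a corrupt input and returns how many releases happened;
// optionally reports how many times the destructor ran.
template <class Reader>
static int releases_after_error(int* destructor_runs = nullptr) {
    Stats s;
    try {
        Reader r(&s);
        r.read(true);
    } catch (const std::runtime_error&) {
        // expected: the error callback's longjmp was turned into an exception
    }
    if (destructor_runs) *destructor_runs = s.destructors;
    return s.released;
}

int main() {
    // VulnerableReader releases twice for one acquisition; FixedReader releases once.
    return (releases_after_error<VulnerableReader>() == 2 &&
            releases_after_error<FixedReader>() == 1) ? 0 : 1;
}
```

Two properties are worth checking when reviewing a setjmp/longjmp boundary around a C library in C++ code: no frame between the setjmp and the longjmp may own an object with a non-trivial destructor (longjmp skips destructors, which is undefined behaviour), and the landing site must not duplicate cleanup that an RAII owner will perform anyway. The counted destructor runs show that the fixed form still relies on exactly one destructor call rather than on the error branch.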