[MutableLambda]

Have you seen JPEG XL source code? I like the format, but the reference implementation in C++ looked pretty bad at least 2 years ago. I hope they rewrote it, because it surely looked like a security issue waiting to happen.

[jsheard]

That's why both Mozilla and Google have predicated their JXL support on a memory-safe implementation. There's a Rust one in the works.

I think Google are aiming to replace all of Chromiums decoders with memory-safe ones anyway, even for relatively simple formats.

[philistine]

If that's their plan, I predict another situation exactly like this one where Google decides that removing support is the best move forward. Careful, BMP, Chrome is out to get you!

[nine_k]

BMP decoding may seem easy and fun (I wrote a toy decoder back in the day), but the vulnerabilities are real: https://nvd.nist.gov/vuln/detail/CVE-2025-32468

It's not the format, it's the C / C++ unfortunate baggage.

[mdriley]

Happy to report the BMP work is actually being done by our friends on the Edge team at Microsoft! https://chromium-review.googlesource.com/c/chromium/src/+/72...

[foresterre]

This actually seems to use the encoder/decoder from the Rust image crate (1), which would bring the opportunity for more memory safe formats once BMP would be accepted.

(1) https://crates.io/crates/image

[chimeracoder]

> Have you seen JPEG XL source code? I like the format, but the reference implementation in C++ looked pretty bad at least 2 years ago. I hope they rewrote it, because it surely looked like a security issue waiting to happen.

At this point, in 2025, any substantial (non-degenerative) image processing written in C++ is a security issue waiting to happen. That's not specific to JPEG XL.

[spookie]

Well, the first public implementation dates to 2020. And, the Cpp choice is obvious, simpler integration with the majority of existing image processing libs, tools and utilities. Not to mention GUI toolkits.

Nonetheless, we should really bear in mind how entrenched Cpp is. If you normalize CVEs by language popularity Java looks downright dangerous!

[SoKamil]

> any substantial (non-degenerative)

Why this quality poses security issues?

[izacus]

And yet whole of HN is VERY VERY angry because Google won't ship that pile of C++ into most popular software (and app framework) in the world.

[usrnm]

The most popular software in question is also a giant pile of C++, btw.

[ncruces]

Are you familiar with the rule of two?

https://chromium.googlesource.com/chromium/src/+/main/docs/s...

No new code goes in that violates the rule, and ideally no code at all goes in that is both unsafe and parses untrusted data (regardless of sandboxing) and old code doing both gets replaced.

A giant pile of C++ can be used for rendering, not parsing untrusted data. A giant pile of C++ can sit behind a validator: a memory-safe JSON validator can vet a stream, before an C++ library deserializes it. Etc.

[izacus]

What are you saying here?

[Lammy]

https://chromium.googlesource.com/chromium/src/+/refs/heads/...

[izacus]

Communicate. What are you trying to say with these links and insinuations?

[mort96]

Mozilla's position for some time now has been, "we aren't opposed to shipping JXL support, but we'd want to ship a decent implementation in a memory safe language, not the reference C++ implementation". That position hasn't been met with very much criticism.

Google's position, on the other hand, has been a flat-out "no, we will not ship JXL". That's what has been met with criticism. Not an imagined reluctance to shipping a C++ JXL implementation.

[ux266478]

Who is saying Google should ship the reference implementation? It's a standard, and Google has the labor to write their own implementation.

[jeffbee]

Google did write one. They wrote the bad one that we're discussing.

[asddubs]

they wrote both AFAIK

[izacus]

That sounds like an even more request for someone to do for free, doesn't it?

[ipdashc]

It's Google, it's one of the biggest tech companies in the world making boatloads of money, in part off their browser. They're currently best known as one of the companies trying to create AI God. They really can't write an... image format parser?

[izacus]

Cool, but why does that mean they need to write a codec for you for free?