
That's why both Mozilla and Google have predicated their JXL support on a memory-safe implementation. There's a Rust one in the works.

I think Google are aiming to replace all of Chromium's decoders with memory-safe ones anyway, even for relatively simple formats.





If that's their plan, I predict another situation exactly like this one where Google decides that removing support is the best move forward. Careful, BMP, Chrome is out to get you!

BMP decoding may seem easy and fun (I wrote a toy decoder back in the day), but the vulnerabilities are real: https://nvd.nist.gov/vuln/detail/CVE-2025-32468

It's not the format, it's the C / C++ unfortunate baggage.


Happy to report the BMP work is actually being done by our friends on the Edge team at Microsoft! https://chromium-review.googlesource.com/c/chromium/src/+/72...

This actually seems to use the encoder/decoder from the Rust image crate (1), which would bring the opportunity for more memory safe formats once BMP would be accepted.

(1) https://crates.io/crates/image



