# security fixtures (AZ-407 + AZ-439)

## Contents

| File | Source | License | Consumer |
|------|--------|---------|----------|
| `generate_cve_jpeg.py` | Synthetic (this repo) | Same as repository license | AZ-439 (NFT-SEC-04) |
| `cve-2025-53644.jpg` | Generated by `generate_cve_jpeg.py` | Synthetic — no third-party data | NFT-SEC-04 control / regression test |

## Provenance

The JPEG is **fully synthetic** — hand-crafted bytes following the JPEG structure documented in ITU-T T.81 / RFC 2046. It is NOT a copy of the upstream CVE-2025-53644 proof-of-concept (whose redistribution terms are unclear).

The structural feature it exercises is a **truncated SOS marker**: the marker is announced (`FFDA`) with a valid 12-byte header, but the entropy-coded scan data is absent and the EOI (`FFD9`) is not present. This matches the class of malformed input that CVE-2025-53644 exploits in vulnerable OpenCV (≤ 4.11). Hardened OpenCV (≥ 4.12) must return a clean `imdecode` failure (`None`) without buffer overflow, use-after-free or SIGSEGV.

## Verification

```bash
.venv/bin/python -c "
import cv2, numpy as np
buf = np.fromfile('e2e/fixtures/security/cve-2025-53644.jpg', dtype=np.uint8)
img = cv2.imdecode(buf, cv2.IMREAD_COLOR)
assert img is None, 'AZ-407 fixture: OpenCV must reject this JPEG'
"
```

## Reproducibility

The generator is deterministic — `python generate_cve_jpeg.py out.jpg` produces the same 158-byte file every time. The SHA-256 of the generated file is checked into `e2e/_unit_tests/fixtures/test_cve_jpeg.py`, so any change to the generator's byte layout fails the unit test explicitly.

## Re-distribution

The synthetic byte-stream and the generator script are covered by this repository's license. No third-party CVE proof-of-concept content is committed.
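The truncated-SOS shape described under Provenance, as an added example that is not part of this repository or its generator: a marker walker that classifies a baseline JPEG byte stream (no SOS, SOS header with zero scan bytes, scan without EOI, or complete) before it is handed to a decoder. The sample bytes are constructed here (a minimal JFIF/SOF0 prefix plus the 12-byte SOS header) and are not the checked-in 158-byte fixture; marker layout follows ITU-T T.81.

```python
import struct

SOI, EOI, SOS = 0xFFD8, 0xFFD9, 0xFFDA
# Markers with no length field: SOI, EOI, TEM and the RSTn restart markers.
STANDALONE = {SOI, EOI, 0xFF01} | {0xFFD0 + i for i in range(8)}

def walk_markers(buf: bytes):
    """Yield (marker, start, end) per segment of a baseline JPEG; stop after SOS,
    where scan data begins; raise ValueError if a segment overruns the buffer."""
    if buf[:2] != b"\xff\xd8":
        raise ValueError("missing SOI")
    pos = 2
    while pos + 2 <= len(buf):
        marker = struct.unpack(">H", buf[pos:pos + 2])[0]
        if marker >> 8 != 0xFF:
            raise ValueError(f"expected marker at {pos}, got {marker:#06x}")
        if marker in STANDALONE:
            yield marker, pos, pos + 2
            pos += 2
            continue
        if pos + 4 > len(buf):
            raise ValueError(f"marker {marker:#06x} at {pos}: length field cut off")
        length = struct.unpack(">H", buf[pos + 2:pos + 4])[0]
        end = pos + 2 + length  # length counts itself but not the marker bytes
        if end > len(buf):
            raise ValueError(f"marker {marker:#06x} at {pos}: segment cut off")
        yield marker, pos, end
        pos = end
        if marker == SOS:
            return

def check_scan(buf: bytes) -> str:
    """Return 'ok', 'no-sos', 'truncated-sos' (header, zero scan bytes) or 'no-eoi'."""
    sos_end = None
    for marker, _start, end in walk_markers(buf):
        if marker == SOS:
            sos_end = end
    if sos_end is None:
        return "no-sos"
    scan = buf[sos_end:]
    if not scan:
        return "truncated-sos"
    return "ok" if scan.endswith(b"\xff\xd9") else "no-eoi"

# Constructed sample (not the repository's fixture): SOI, APP0/JFIF 1.1 without
# thumbnail, SOF0 for an 8-bit 1x1 image with three components (Y, Cb, Cr).
PREFIX = bytes.fromhex(
    "ffd8"
    "ffe0 0010 4a46494600 0101 00 0001 0001 00 00"
    "ffc0 0011 08 0001 0001 03 01 11 00 02 11 01 03 11 01"
)
# The 12-byte SOS header for those three components; nothing follows it.
SOS_HEADER = bytes.fromhex("ffda 000c 03 01 00 02 11 03 11 00 3f 00")
```

Appending a few scan bytes and `FFD9` to `PREFIX + SOS_HEADER` turns the verdict into `ok`; cutting the SOS header itself short raises instead of classifying.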