Pinging PNG image doesn't work properly (image bomb)
Posted: 2010-04-29T07:10:32-07:00
I use Linux Ubuntu - both desktop and server editions. After upgrading to Ubuntu 10.04 I discovered that one of my application tests failed.
This was an "image bomb" test. I prepared a special PNG image that could easily lead to memory overconsumption. So my program tried to prevent loading such images by testing the image's parameters before loading it into memory.
So, pinging this PNG image doesn't work any more. I tried to run ping with the command line "identify -ping bomb.png" and this command hangs too.
You could try this file yourselves:
http://dl.dropbox.com/u/3146456/bomb.png.zip
I think that this is a kind of very serious vulnerability in ImageMagick and that it could crash any web application.
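The post describes checking an image's parameters before handing it to the decoder. One way to do that without relying on ImageMagick's ping at all is to read the PNG signature and IHDR chunk directly, since the dimensions, bit depth and colour type are all in the first 33 bytes of the file. The following is an added example, not the poster's code and not part of ImageMagick; the 50-megapixel cap and the two sample headers are constructed for illustration.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
MAX_PIXELS = 50_000_000          # hypothetical policy: refuse anything over ~50 Mpx
PNG_MAX_DIMENSION = 2**31 - 1    # PNG spec: width/height are 31-bit

# channels per pixel for each PNG colour type (0 grey, 2 RGB, 3 palette, 4 grey+alpha, 6 RGBA)
CHANNELS = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Build a PNG chunk: length, type, data, CRC-32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def make_png_header(width: int, height: int, bit_depth: int = 8, color_type: int = 6) -> bytes:
    """Constructed sample: signature + IHDR only (enough for a header check)."""
    ihdr = struct.pack(">IIBBBBB", width, height, bit_depth, color_type, 0, 0, 0)
    return PNG_SIGNATURE + _chunk(b"IHDR", ihdr)


def png_dimensions(data: bytes):
    """Parse and validate the IHDR chunk; returns (width, height, bit_depth, color_type).
    Raises ValueError on anything that is not a well-formed PNG header."""
    if data[:8] != PNG_SIGNATURE:
        raise ValueError("not a PNG file")
    if len(data) < 33:
        raise ValueError("truncated before end of IHDR")
    length, ctype = struct.unpack(">I4s", data[8:16])
    if ctype != b"IHDR" or length != 13:
        raise ValueError("first chunk must be IHDR with length 13")
    body = data[16:29]
    (crc,) = struct.unpack(">I", data[29:33])
    if zlib.crc32(b"IHDR" + body) & 0xFFFFFFFF != crc:
        raise ValueError("IHDR CRC mismatch")
    width, height, bit_depth, color_type, _comp, _filt, _interlace = struct.unpack(">IIBBBBB", body)
    if not (0 < width <= PNG_MAX_DIMENSION and 0 < height <= PNG_MAX_DIMENSION):
        raise ValueError("dimensions out of range")
    if color_type not in CHANNELS or bit_depth not in (1, 2, 4, 8, 16):
        raise ValueError("invalid colour type / bit depth")
    return width, height, bit_depth, color_type


def decoded_size_bytes(width: int, height: int, bit_depth: int, color_type: int) -> int:
    """Raw (unfiltered) scanline buffer the decoder must allocate: rows of
    ceil(w * channels * depth / 8) bytes plus one filter byte per row."""
    bits_per_pixel = CHANNELS[color_type] * bit_depth
    row_bytes = (width * bits_per_pixel + 7) // 8 + 1
    return row_bytes * height


def is_safe_to_load(data: bytes, max_pixels: int = MAX_PIXELS) -> bool:
    """The pre-decode gate: cheap header parse, then a pixel-count budget."""
    width, height, _bd, _ct = png_dimensions(data)
    return width * height <= max_pixels


# Constructed inputs: a modest image and a dimension-based "bomb" header.
SMALL_PNG = make_png_header(640, 480)
BOMB_PNG = make_png_header(60000, 60000)   # 3.6 gigapixels claimed in 33 bytes

if __name__ == "__main__":
    for name, blob in (("small", SMALL_PNG), ("bomb", BOMB_PNG)):
        w, h, bd, ct = png_dimensions(blob)
        print(name, (w, h), "decoded bytes:", decoded_size_bytes(w, h, bd, ct),
              "load:", is_safe_to_load(blob))
```

The check reads a fixed 33-byte prefix, so it cannot hang or allocate on attacker-controlled sizes the way a full decode (or a ping that falls through to decoding) can. It only catches bombs that lie about dimensions, though; a file with modest dimensions but huge, highly compressible chunk data still has to be bounded by resource limits in the decoder itself, so the header gate complements rather than replaces ImageMagick's own memory limits.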