Legacy ImageMagick Discussions Archive

I use Linux Ubuntu - both desktop and server editions. After upgrading to Ubuntu 10.04 I discover that one of my application test failed.

This was "image bomb" test. I prepared special PNG image that could easy lead to memory overconsumption. So my program tried to prevent loading such images by testing image's parameters before loading it into memory.

So, pinging this PNG image doesn't work any more. I tried to run ping with the command line "identify -ping bomb.png" and this command hangs too.

You could try this file yourselves

http://dl.dropbox.com/u/3146456/bomb.png.zip

I think that this is a kind of very serious vulnerability in ImageMagick and that could crash any web application

Pinging your image works fine with the latest release. For releases of ImageMagick that improperly allocate the pixel cache when pinging, you can still prevent a denial-of-service problem with resource limits. Use the area and disk limits to prevent large images from consuming excessive resources.

I tried the last version. I compiled it myself from the sources at 8-bit mode.

"identify -ping" really works now but what upset me is that this utility hanged almost for 2 seconds and leads to 100% processor use for that time for the file provided.

libpng has the capability of rejecting images quickly if they exceed user-specified limits.
The default acceptable maximum width and height are 1,000,000 x 1,000,000 (I guess
you knew that because your test image is 1,000,000 rows high). Should we apply
smaller limits? If so, what should they be? Perhaps 64k? Users who want to
process larger images would be able to reset the limits to whatever they are
willing to accept. It would be possible to apply even smaller limits while "pinging",
too, if that would be useful.

Glenn

I think that this is a kind of very serious vulnerability in ImageMagick and that could crash any web application

I would have thought you could avoid this by setting the maximium file upload size in php.ini or similar.