Potential DoS attack by running large images through GD

Bug #784978 reported by Richard Mansfield
Affects   Status         Importance   Assigned to          Milestone
Mahara    Fix Released   High         Richard Mansfield
1.4       Fix Released   High         Richard Mansfield

Bug Description

When resizing images to create icons, etc., gd's imagecreatefrompng, etc., functions are called without checking the image size. This can gobble lots of memory when the images are large, because gd can allocate memory without respecting the php memory limit.

Revision history for this message
Richard Mansfield (richard-mansfield) wrote :
summary: - Check image dimensions before resizing
+ Potential DoS attack by running large images through GD
Changed in mahara:
milestone: none → 1.3.7
Revision history for this message
Ruslan Kabalin (rkabalin) wrote :

That is a good one. It looks like it is possible to estimate how much memory will be required (http://www.charles-reace.com/blog/2009/11/18/memory-usage-in-php-gd-image-functions/) for GD functions, in which case, the decision about resize can be made based on the particular system performance (rather than keeping it fixed). Also there are some suggestions to use gc_collect_cycles() after GD calls to free system memory that GD keeps after use.

Changed in mahara:
assignee: nobody → Richard Mansfield (richard-mansfield)
Revision history for this message
François Marier (fmarier) wrote :

I have filed two related bugs to mitigate this (bug #785465 and bug #785467).

Revision history for this message
Richard Mansfield (richard-mansfield) wrote :

Updated patch with configurable memory limit as suggested by Ruslan.

Revision history for this message
Ruslan Kabalin (rkabalin) wrote :

Thanks Richard, I have verified your patch, it works fine. Good idea to calculate bytes based on the actual bits used in the colour coding.

Revision history for this message
Richard Mansfield (richard-mansfield) wrote :

Adding rebased patch for 1.3/1.4

Revision history for this message
Richard Mansfield (richard-mansfield) wrote :
Changed in mahara:
status: Confirmed → In Progress
Changed in mahara:
status: In Progress → Fix Released
visibility: private → public
Revision history for this message
Mahara Bot (dev-mahara) wrote : A change has been merged

Reviewed: https://reviews.mahara.org/882
Committed: http://gitorious.org/mahara/mahara/commit/a7d5e2fd64a0c7dd47f1e6470652d83de85acac9
Submitter: Richard Mansfield (<email address hidden>)
Branch: master

commit a7d5e2fd64a0c7dd47f1e6470652d83de85acac9
Author: Richard Mansfield <email address hidden>
Date: Thu Nov 24 18:39:59 2011 +1300

    Check mimetype when bits per pixel not returned by gd (bug #784978)

    Sometimes when creating a thumbnail image, getimagesize doesn't return
    a value for bits per pixel on certain gifs. This creates warnings in
    the logs when approximating the required memory consumption, and also
    refuses to create the thumbnail. We can check the mimetype of the
    image when 'bits' is not set, and when it's a gif, just assume the
    maximum value (8 bpp).

    Change-Id: Ie4a7161f8e17fa17291448084a57fa13873e0e4a
    Signed-off-by: Richard Mansfield <email address hidden>

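The check discussed in this thread (estimate GD's memory need from getimagesize() output before calling imagecreatefrom*, with a configurable ceiling, and fall back to 8 bpp for GIFs that report no 'bits') as an added illustration. This is not Mahara's code or the merged patch; the per-pixel formula, the 1.65 overhead factor, the 64 MiB default cap and the function names are assumptions made for this example.

```php
<?php
declare(strict_types=1);

// Added example, not Mahara's own code. Approximates the memory GD needs to
// decode an image and refuses to resize when that exceeds a budget. The
// per-pixel formula and 1.65 overhead factor are assumptions from common
// PHP/GD practice; the 8 bpp GIF fallback follows the commit message above.

/** Convert a php.ini size string such as "128M" to bytes (-1 = unlimited). */
function ini_size_to_bytes(string $value): int
{
    $value = trim($value);
    if ($value === '' || $value === '-1') {
        return -1;
    }
    $number = (int) $value;  // leading digits only
    switch (strtolower(substr($value, -1))) {
        case 'g': return $number * 1024 * 1024 * 1024;
        case 'm': return $number * 1024 * 1024;
        case 'k': return $number * 1024;
        default:  return $number;
    }
}

/**
 * Approximate bytes GD needs to decode the image described by a
 * getimagesize() result. Returns null when the depth is unknown.
 */
function gd_decode_memory_estimate(array $info): ?int
{
    [$width, $height] = $info;
    if (isset($info['bits'])) {
        $bits = (int) $info['bits'];
    } elseif (($info['mime'] ?? '') === 'image/gif') {
        $bits = 8;   // GIF is palette-based; 8 bpp is its maximum
    } else {
        return null; // cannot estimate: caller should refuse
    }
    // 'channels' is only reported for JPEG (3 = RGB, 4 = CMYK). GD stores
    // truecolor images as 4 bytes per pixel, so assume 4 otherwise.
    $channels = isset($info['channels']) ? (int) $info['channels'] : 4;
    $fudge = 1.65;   // assumed allowance for decoder working buffers
    return (int) ceil($width * $height * ($bits / 8) * $channels * $fudge);
}

/**
 * True when decoding $file plus a $targetw x $targeth truecolor target fits
 * in $budgetbytes. The budget defaults to memory_limit minus current usage;
 * if memory_limit is unlimited, an assumed 64 MiB cap applies instead so a
 * ceiling always exists (the "configurable limit" from the thread).
 */
function image_fits_memory_budget(string $file, int $targetw, int $targeth, ?int $budgetbytes = null): bool
{
    $info = @getimagesize($file);
    if ($info === false) {
        return false;  // not a recognised image
    }
    $decode = gd_decode_memory_estimate($info);
    if ($decode === null) {
        return false;  // unknown depth: refuse rather than gamble
    }
    if ($budgetbytes === null) {
        $limit = ini_size_to_bytes((string) ini_get('memory_limit'));
        $budgetbytes = ($limit === -1) ? 64 * 1024 * 1024 : $limit - memory_get_usage(true);
    }
    $target = $targetw * $targeth * 4;  // truecolor destination image
    return ($decode + $target) <= $budgetbytes;
}

/** Write a PNG thumbnail of $file to $dest only when the memory check passes. */
function safe_thumbnail(string $file, string $dest, int $maxw, int $maxh): bool
{
    if (!image_fits_memory_budget($file, $maxw, $maxh)) {
        error_log("Refusing to resize $file: estimated GD memory exceeds budget");
        return false;
    }
    $src = imagecreatefromstring((string) file_get_contents($file));
    if ($src === false) {
        return false;
    }
    $ratio = min($maxw / imagesx($src), $maxh / imagesy($src), 1.0);
    $w = max(1, (int) round(imagesx($src) * $ratio));
    $h = max(1, (int) round(imagesy($src) * $ratio));
    $dst = imagecreatetruecolor($w, $h);
    imagecopyresampled($dst, $src, 0, 0, 0, 0, $w, $h, imagesx($src), imagesy($src));
    $ok = imagepng($dst, $dest);
    imagedestroy($src);
    imagedestroy($dst);
    gc_collect_cycles();  // release what GD held, as suggested in the thread
    return $ok;
}
```

The estimate is deliberately pessimistic: a refused resize costs one thumbnail, while an under-estimate lets a crafted file push the process past its limit, which is the outage the bug describes.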
This report contains Public Security information
Everyone can see this security related information.