Potential DoS attack by running large images through GD

Bug #784978 reported by Richard Mansfield on 2011-05-19
Affects Status Importance Assigned to Milestone
Mahara
High
Richard Mansfield
1.4
High
Richard Mansfield

Bug Description

When resizing images to create icons, etc., gd's imagecreatefrompng, etc., functions are called without checking the image size. This can gobble lots of memory when the images are large, because gd can allocate memory without respecting the php memory limit.

summary: - Check image dimensions before resizing
+ Potential DoS attack by running large images through GD
Changed in mahara:
milestone: none → 1.3.7
Ruslan Kabalin (rkabalin) wrote :

That is a good one. It looks like it is possible to estimate how much memory will be required for GD functions (http://www.charles-reace.com/blog/2009/11/18/memory-usage-in-php-gd-image-functions/), in which case the decision about resize can be made based on the particular system performance (rather than keeping it fixed). Also there are some suggestions to use gc_collect_cycles() after GD calls to free system memory that GD keeps after use.

Changed in mahara:
assignee: nobody → Richard Mansfield (richard-mansfield)
François Marier (fmarier) wrote :

I have filed two related bugs to mitigate this (bug #785465 and bug #785467).

Updated patch with configurable memory limit as suggested by Ruslan.

Ruslan Kabalin (rkabalin) wrote :

Thanks Richard, I have verified your patch, it works fine. Good idea to calculate bytes based on the actual bits used in the colour coding.

Adding rebased patch for 1.3/1.4

Changed in mahara:
status: Confirmed → In Progress
Changed in mahara:
status: In Progress → Fix Released
visibility: private → public

Reviewed: https://reviews.mahara.org/882
Committed: http://gitorious.org/mahara/mahara/commit/a7d5e2fd64a0c7dd47f1e6470652d83de85acac9
Submitter: Richard Mansfield (<email address hidden>)
Branch: master

commit a7d5e2fd64a0c7dd47f1e6470652d83de85acac9
Author: Richard Mansfield <email address hidden>
Date: Thu Nov 24 18:39:59 2011 +1300

    Check mimetype when bits per pixel not returned by gd (bug #784978)

    Sometimes when creating a thumbnail image, getimagesize doesn't return
    a value for bits per pixel on certain gifs. This creates warnings in
    the logs when approximating the required memory consumption, and also
    refuses to create the thumbnail. We can check the mimetype of the
    image when 'bits' is not set, and when it's a gif, just assume the
    maximum value (8 bpp).

    Change-Id: Ie4a7161f8e17fa17291448084a57fa13873e0e4a
    Signed-off-by: Richard Mansfield <email address hidden>
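
The check described in the bug description and in the commit message above, written out as an added example for this page; it is not Mahara's own patch (the reviewed change is at the links above). It uses getimagesize() to approximate the decoded bitmap size from width, height, bits and channels, falls back to 8 bpp for gifs when 'bits' is missing, and refuses to call imagecreatefrom*() when the estimate exceeds a configurable budget. The function names, the overhead factor and the sample budget are assumptions for illustration.

```php
<?php
// Added illustration, not Mahara's own code: estimate the memory GD will need
// to decode an image *before* calling imagecreatefrom*(), and refuse when the
// estimate exceeds a configurable budget. Function names, the overhead factor
// and the sample budget are assumptions made for this example.

/**
 * Estimate the bytes GD needs for the decoded bitmap of an image.
 *
 * @param array $info Result of getimagesize(): [0]=width, [1]=height,
 *                    optional 'bits', 'channels', 'mime'.
 * @return int|null   Estimated bytes, or null if the estimate cannot be made.
 */
function estimate_gd_memory(array $info): ?int
{
    if (empty($info[0]) || empty($info[1])) {
        return null;
    }
    $width  = (int) $info[0];
    $height = (int) $info[1];

    // getimagesize() omits 'bits' for some gifs. As in the fix discussed in
    // the bug, fall back to the gif maximum (8 bpp) instead of failing; for
    // any other format without 'bits' the estimate is unknown, so refuse.
    if (isset($info['bits'])) {
        $bits = (int) $info['bits'];
    } elseif (isset($info['mime']) && $info['mime'] === 'image/gif') {
        $bits = 8;
    } else {
        return null;
    }

    // 'channels' is only reported for jpeg (3 = RGB, 4 = CMYK). GD decodes
    // into a canvas of up to 4 bytes per pixel, so assume 4 when unknown;
    // over-estimating is the safe direction for a DoS check (assumption).
    $channels = isset($info['channels']) ? (int) $info['channels'] : 4;

    // Overhead factor taken from the blog post linked in the discussion
    // (assumption; tune it for the host if measurements differ).
    $overhead = 1.65;

    return (int) ceil($width * $height * $bits * $channels / 8 * $overhead);
}

/**
 * Decode an image only if it fits within $budget bytes of headroom.
 *
 * @param string $path   Path to the uploaded file.
 * @param int    $budget Maximum bytes GD may consume (site-configurable).
 * @return resource|GdImage
 */
function safe_image_create(string $path, int $budget)
{
    $info = @getimagesize($path);
    if ($info === false) {
        throw new RuntimeException("Not a recognised image: $path");
    }
    $needed = estimate_gd_memory($info);
    if ($needed === null || $needed > $budget) {
        throw new RuntimeException(sprintf(
            'Refusing to decode %dx%d image: ~%d bytes needed, budget %d',
            $info[0], $info[1], (int) $needed, $budget
        ));
    }
    switch ($info['mime'] ?? '') {
        case 'image/jpeg': $img = imagecreatefromjpeg($path); break;
        case 'image/png':  $img = imagecreatefrompng($path);  break;
        case 'image/gif':  $img = imagecreatefromgif($path);  break;
        default:
            throw new RuntimeException('Unsupported image type: ' . ($info['mime'] ?? '?'));
    }
    if ($img === false) {
        throw new RuntimeException("GD failed to decode $path");
    }
    return $img;
}

// Usage with a constructed budget (64 MiB here; a real deployment would read
// it from configuration or derive it from the headroom under memory_limit):
// $img = safe_image_create('/tmp/upload.png', 64 * 1024 * 1024);
// ... build the thumbnail ...
// imagedestroy($img);
```

The budget is deliberately a separate, configurable value rather than PHP's memory_limit, because (as the description notes) GD allocates outside that limit; comparing the estimate against the headroom the server can actually spare is what turns an unbounded allocation into a bounded one. Releasing the image with imagedestroy() after the thumbnail is written keeps the per-request footprint from accumulating across several uploads.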
