Mahara

Potential DoS attack by running large images through GD

Bug #784978 reported by Richard Mansfield on 2011-05-19
256
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Mahara
Fix Released
High
Richard Mansfield
Mahara 1.3.7
1.4
Fix Released
High
Richard Mansfield
Mahara 1.4.1
Also affects project (?) Also affects distribution/package Nominate for series

Bug Description

When resizing images to create icons, etc., gd's imagecreatefrompng, etc., functions are called without checking the image size. This can gobble lots of memory when the images are large, because gd can allocate memory without respecting the php memory limit.

CVE References

Richard Mansfield (richard-mansfield) wrote :
François Marier (fmarier) on 2011-05-19
summary: - Check image dimensions before resizing
+ Potential DoS attack by running large images through GD
François Marier (fmarier) on 2011-05-19
Changed in mahara:
milestone: none → 1.3.7
Ruslan Kabalin (rkabalin) wrote :

That is a good one. It looks like it is possible to estimate how much memory will be <a href="http://www.charles-reace.com/blog/2009/11/18/memory-usage-in-php-gd-image-functions/">required</a> for GD functions, in which case, the decision about resize can be made based on the particular system performance (rather than keeping it fixed). Also there are some suggestions to use gc_collect_cycles() after GD calls to free system memory that GP keeps after use.

François Marier (fmarier) on 2011-05-19
Changed in mahara:
assignee: nobody → Richard Mansfield (richard-mansfield)
François Marier (fmarier) wrote :

I have filed two related bugs to mitigate this (bug #785465 and bug #785467).

Richard Mansfield (richard-mansfield) wrote :

Updated patch with configurable memory limit as suggested by Ruslan.

Ruslan Kabalin (rkabalin) wrote :

Thanks Richard, I have verified your patch, it works fine. Good idea to calculate bytes based on the actual bits used in the colour coding.

Richard Mansfield (richard-mansfield) wrote :

Adding rebased patch for 1.3/1.4

Richard Mansfield (richard-mansfield) wrote :
Richard Mansfield (richard-mansfield) wrote :
François Marier (fmarier) on 2011-10-31
Changed in mahara:
status: Confirmed → In Progress
François Marier (fmarier) on 2011-11-03
Changed in mahara:
status: In Progress → Fix Released
visibility: private → public
Mahara Bot (dev-mahara) wrote : A change has been merged

Reviewed: https://reviews.mahara.org/882
Committed: http://gitorious.org/mahara/mahara/commit/a7d5e2fd64a0c7dd47f1e6470652d83de85acac9
Submitter: Richard Mansfield (<email address hidden>)
Branch: master

commit a7d5e2fd64a0c7dd47f1e6470652d83de85acac9
Author: Richard Mansfield <email address hidden>
Date: Thu Nov 24 18:39:59 2011 +1300

    Check mimetype when bits per pixel not returned by gd (bug #784978)

    Sometimes when creating a thumbnail image, getimagesize doesn't return
    a value for bits per pixel on certain gifs. This creates warnings in
    the logs when approximating the required memory consumption, and also
    refuses to create the thumbnail. We can check the mimetype of the
    image when 'bits' is not set, and when it's a gif, just assume the
    maximum value (8 bpp).

    Change-Id: Ie4a7161f8e17fa17291448084a57fa13873e0e4a
    Signed-off-by: Richard Mansfield <email address hidden>

To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.
Subscribing...

Other bug subscribers