Potential DoS attack by running large images through GD
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Mahara | | High | Richard Mansfield |
1.4 | | High | Richard Mansfield |
Bug Description
When resizing images to create icons, etc., gd's imagecreatefrompng, etc., functions are called without checking the image size. This can gobble lots of memory when the images are large, because gd can allocate memory without respecting the php memory limit.
summary: - Check image dimensions before resizing
+ Potential DoS attack by running large images through GD
Changed in mahara:
milestone: none → 1.3.7
Ruslan Kabalin (rkabalin) wrote: #2
Changed in mahara:
assignee: nobody → Richard Mansfield (richard-mansfield)
François Marier (fmarier) wrote: #3
I have filed two related bugs to mitigate this (bug #785465 and bug #785467).
Updated patch with configurable memory limit as suggested by Ruslan.
Ruslan Kabalin (rkabalin) wrote: #5
Thanks Richard, I have verified your patch, it works fine. Good idea to calculate bytes based on the actual bits used in the colour coding.
Adding rebased patch for 1.3/1.4
Changed in mahara:
status: Confirmed → In Progress
Changed in mahara:
status: In Progress → Fix Released
visibility: private → public
Reviewed: https:/
Committed: http://
Submitter: Richard Mansfield (<email address hidden>)
Branch: master
commit a7d5e2fd64a0c7d
Author: Richard Mansfield <email address hidden>
Date: Thu Nov 24 18:39:59 2011 +1300
Check mimetype when bits per pixel not returned by gd (bug #784978)
Sometimes when creating a thumbnail image, getimagesize doesn't return
a value for bits per pixel on certain gifs. This creates warnings in
the logs when approximating the required memory consumption, and also
refuses to create the thumbnail. We can check the mimetype of the
image when 'bits' is not set, and when it's a gif, just assume the
maximum value (8 bpp).
Change-Id: Ie4a7161f8e17fa
Signed-off-by: Richard Mansfield <email address hidden>
That is a good one. It looks like it is possible to estimate how much memory will be <a href="http://www.charles-reace.com/blog/2009/11/18/memory-usage-in-php-gd-image-functions/">required</a> for GD functions, in which case, the decision about resize can be made based on the particular system performance (rather than keeping it fixed). Also there are some suggestions to use gc_collect_cycles() after GD calls to free system memory that GD keeps after use.
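
The check discussed in this report, sketched as an added example (not Mahara's patch or code): estimate the decode cost from the header data that getimagesize returns, assume 8 bpp when a GIF reports no 'bits', and refuse anything over a configurable budget before any GD function is called. The function names, the 32 MB default and the worst-case assumption of four channels are assumptions made for this example.

```php
<?php
// Added example, not Mahara's code; names and the 32 MB default are assumptions.

/** Estimate the bytes GD needs to decode an image, from getimagesize() data only. */
function estimate_gd_bytes(array $info): ?float {
    [$width, $height] = $info;
    if ($width < 1 || $height < 1) {
        return null;
    }
    if (!empty($info['bits'])) {
        $bits = (int) $info['bits'];
    } elseif (($info['mime'] ?? '') === 'image/gif') {
        $bits = 8;       // 'bits' missing on some GIFs: assume the GIF maximum
    } else {
        return null;     // unknown depth: refuse rather than guess low
    }
    // 'channels' is not always reported; assume 4 (RGBA) as the worst case.
    $channels = (int) ($info['channels'] ?? 4);
    // Float arithmetic, so huge declared dimensions cannot overflow an integer.
    return (float) $width * $height * $bits * $channels / 8;
}

/** True only when the image's declared size fits the configured budget. */
function image_fits_budget(string $data, int $maxBytes = 32 * 1024 * 1024): bool {
    $info = @getimagesizefromstring($data);   // parses the header, decodes no pixels
    if ($info === false) {
        return false;
    }
    $need = estimate_gd_bytes($info);
    return $need !== null && $need <= $maxBytes;
}

// Constructed samples: header-only data, which is all getimagesize needs.
$png = "\x89PNG\r\n\x1a\n" . pack('N', 13) . 'IHDR'
     . pack('NNC5', 30000, 30000, 8, 6, 0, 0, 0) . pack('N', 0);
$gif = 'GIF89a' . pack('vvC3', 64, 64, 0, 0, 0);  // no colour table, so no 'bits'

foreach (['30000x30000 png' => $png, '64x64 gif' => $gif] as $name => $data) {
    echo $name, ': ', image_fits_budget($data)
        ? "within budget, decode may proceed\n"
        : "rejected before GD is called\n";
}
```

The figure is a heuristic derived from the declared dimensions, not GD's exact allocation, so the budget should leave headroom.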