0

I'm using a image resizing library for resizing images on a website. To better secure the image resizing process I used a fuzzer(afl fuzz).

One image caused excessive memory. It a GIF image with 65503x65503 dimension. I have used several different image libraries like ImageSharp and SKIASharp and all libraries struggle with these images. A JPEG with a large dimension seems to cause the same issue.

Tried opening these images with these applications to see how they handle those images.

These are the results:

  • Windows photo => Image in a invalid format message
  • Irfanview => hangs
  • GIMP => takes a while and uses up 22gb ram
  • Firefox => black image and large memory usage
  • Chrome => returns a white default image
  • Edge => returns a white default image

The main question is how to properly handle images that have a large dimension without using up excessive memory.

One solution could be to limit opening/resizing an image if exceeds a certain limit. How can you determine that limit?

Valderann
  • 805
  • 12
  • 30
  • 1
    Where or how are the images used? Is there a reasonable maximum image size for your application which you can define as limit? – jonas Apr 06 '22 at 13:39
  • 1
    for specific file types, you can determine the size before decoding. look into the available libraries (libpng, libjpeg, ...) to see how they can give you that. – Christoph Rackwitz Apr 06 '22 at 13:41
  • The target is the web, show a resized image on a website. Maybe 4k resolution max. Attackers could upload images with those absurd dimensions to do a resource exhaustion attack. – Valderann Apr 06 '22 at 13:52
  • Found some more information about supported image formats in browsers: https://stackoverflow.com/questions/57223559/what-is-the-maximum-image-dimensions-supported-in-desktop-chrome – Valderann Apr 06 '22 at 13:56

0 Answers0