Menu

#594 Be able to affect libpng user_chunk_malloc_max

v1.0_(example)
closed-fixed
None
5
2021-12-25
2019-02-19
No

Hello, I've run into PNG images with very large (~24Mb) chunks with xmp metadata. Currently the default limit in libpng is 8MB so graphicsmagick fails.

Would it be possible to make graphicsmagick to call png_set_chunk_malloc_max somehow? (maybe also png_set_chunk_cache_max?)

Something like this patch:

diff --git a/coders/png.c b/coders/png.c
index ba2ea76..ce42b5d 100644
--- a/coders/png.c
+++ b/coders/png.c
@@ -1637,6 +1637,9 @@ static Image *ReadOnePNGImage(MngInfo *mng_info,
   png_set_user_limits(ping,
     (png_uint_32) Min(0x7fffffffL, GetMagickResourceLimit(WidthResource)),
     (png_uint_32) Min(0x7fffffffL, GetMagickResourceLimit(HeightResource)));
+# if PNG_LIBPNG_VER >= 10401 /* png_set_chunk_malloc_max was added in 1.4.1 */
+  png_set_chunk_malloc_max(ping, GetMagickResourceLimit(MemoryResource));
+# endif
 #endif /* PNG_SET_USER_LIMITS_SUPPORTED */

   (void) LogMagickEvent(CoderEvent,GetMagickModule(),

Discussion

  • Mattias Wadman

    Mattias Wadman - 2019-02-20

    Not sure if it make sense to use GetMagickResourceLimit(MemoryResource) as limit?

     
    • Bob Friesenhahn

      Bob Friesenhahn - 2019-02-20

      On Wed, 20 Feb 2019, Mattias Wadman wrote:

      Not sure if it make sense to use GetMagickResourceLimit(MemoryResource) as limit?

      It would be an extraordinarily high limit and a huge jump from the
      default, impacting all users. Intentionally compromised PNG files
      could take advantage of the weakness.

      Most format-specific options are supported via the -define mechanism
      so that they can be carefully targeted.

      Bob

       
      • Mattias Wadman

        Mattias Wadman - 2019-02-20

        Yes i agree. Do you want me to look into adding such define?

         
        • Bob Friesenhahn

          Bob Friesenhahn - 2019-02-20

          On Wed, 20 Feb 2019, Mattias Wadman wrote:

          Yes i agree. Do you want me to look into adding such define?

          Well tested patches are always appreciated.

          A recent example pertaining to the PNG coder is

          -define mng:maximum-loops=<value></value>

          The PNG coder supports PNG, JNG, and MNG so it would need to be
          decided if all of these should support the same feature and if the
          same feature should appear with png:, jng:, and mng: prefixes. It is
          possible for a definition starting with png: to be used by JNG and MNG
          since usage is arbitary.

          Bob

           
  • Mattias Wadman

    Mattias Wadman - 2019-02-20

    A similar issue with ImageMagick https://github.com/ImageMagick/ImageMagick/issues/1301 maybe useful

     

    Last edit: Mattias Wadman 2019-02-20
  • Bob Friesenhahn

    Bob Friesenhahn - 2021-12-25

    I downloaded the PNG file pertaining to the ImageMagick issue 1301. I see that it has a raw profile which decompresses to 117,048,920 bytes! This is very convincing that it would be wrong to use your patch directly because then it would be very easy to attack using highly-compressed PNG files.

    The error message produced by libpng is not helpful since it does not indicated its maximum chunk size or the size that the user would need to specify in order to successfully decode a file.

    It appears that if the libpng tunable PNG_USER_CHUNK_MALLOC_MAX is set when libpng is built, that this would allow creating a libpng with higher limits. In a libpng I am looking at, the limit seems to be set to 8000000 (8MB).

     
  • Bob Friesenhahn

    Bob Friesenhahn - 2021-12-25
    • status: open --> closed-fixed
    • assigned_to: Bob Friesenhahn
     
  • Bob Friesenhahn

    Bob Friesenhahn - 2021-12-25

    Mercurial changeset 16601:083c790c4850 provides support for a png:chunk-malloc-max=limit define in order to adjust libpng's chunk size limit.

     
  • Mattias Wadman

    Mattias Wadman - 2021-12-25

    Don't remember now if we ended up modifying PNG_USER_CHUNK_MALLOC_MAX or call png_set_chunk_malloc_max in our patched build.

    Thanks for adding an option!

     

Log in to post a comment.

MongoDB Logo MongoDB