libpng has a VERY old issue first reported in 2002, where ancillary data outside of the bounds of the image as described in the header can lead to buffer overflow and is a common exploit on windows machines, but can also affect any device displaying pngs without a modern version of libpng. Furthermore, because of its awesome compression it is possible (and rather trivial) to expand a small file to occupy huge amounts of memory. Considering the fact that we will someday be delivering this module as a stand-alone Node Webkit application, we would be wise to stick to bleeding edge versions of libpng where possible.
"libpng-1.6.17 and 1.5.22 have been released. They "harden" the library against attacks using very wide images by imposing a default limit of 1 million columns. Users who truly need to process wider images can override this limit."
Most importantly we need to make sure that we are installing at least, and if possible remove it entirely:
libpng-1.2.53
Unfortunately, various components of the transcoder use repository versions of libpng (if I am not mistaken because ufraw requires minimum libpng-1.2*).
Later we are building libpng-1.6.17 for pngquant - although we are changing the makefile of pngquant to link libpng16 instead of libpng15. I propose refactoring the build process such that all image based libs are installed / made before actual applications (like graphicsmagick etc.) are built.
While we are at it, it would be wise to prevent the system from parsing out of bounds data when reading PNG files - but that might mean PATCHING EVERY LIBRARY THAT USES libpng. :-1:
At the very least we should look over the source of the following:
graphicsmagick
ffmpeg
mplayer
ufraw
pngquant
Additionally, it might be a nice touch to simply trim ancillary data out of the png. This should be relatively trivial to write and more trivial to use in the pipeline.
libpng
has a VERY old issue first reported in 2002, where ancillary data outside of the bounds of the image as described in the header can lead to buffer overflow and is a common exploit on windows machines, but can also affect any device displaying pngs without a modern version of libpng. Furthermore, because of its awesome compression it is possible (and rather trivial) to expand a small file to occupy huge amounts of memory. Considering the fact that we will someday be delivering this module as a stand-alone Node Webkit application, we would be wise to stick to bleeding edge versions of libpng where possible.Here is a case in point:
libpng-1.6.17 and 1.5.22 released
"libpng-1.6.17 and 1.5.22 have been released. They "harden" the library against attacks using very wide images by imposing a default limit of 1 million columns. Users who truly need to process wider images can override this limit."
Most importantly we need to make sure that we are installing at least, and if possible remove it entirely:
Unfortunately, various components of the transcoder use repository versions of libpng (if I am not mistaken because ufraw requires minimum libpng-1.2*).
Later we are building libpng-1.6.17 for pngquant - although we are changing the makefile of pngquant to link libpng16 instead of libpng15. I propose refactoring the build process such that all image based libs are installed / made before actual applications (like graphicsmagick etc.) are built.
While we are at it, it would be wise to prevent the system from parsing out of bounds data when reading PNG files - but that might mean PATCHING EVERY LIBRARY THAT USES libpng. :-1:
At the very least we should look over the source of the following:
Additionally, it might be a nice touch to simply trim ancillary data out of the png. This should be relatively trivial to write and more trivial to use in the pipeline.