Open carbotaniuman opened 3 years ago
Since Rust doesn't run within a VM (à la Java), I don't think there's a way to set explicit memory limits, but there could be options added to limit the width and height. There is an existing CLI option, `--timeout`, which will limit the wall time oxipng will spend on a file.
I'm reading that these attacks can also happen through excessively large iCCP chunks, zTXt chunks, and iTXt chunks, so ensuring oxipng protects against these (by default) would be a good addition as well.
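A pre-flight check of the kind the two comments above describe, written as an added example rather than code from oxipng: it walks the PNG chunk list without decoding the image, caps the IHDR width/height, caps each chunk's declared length, and inflates the zlib streams inside iCCP, zTXt and iTXt chunks only up to a fixed byte budget, so an ancillary chunk that expands to gigabytes is rejected before any decoder sees it. The limit values, the `PngBomb` exception and the sample files are all assumptions constructed for the example; IDAT is not inflated here because the dimension cap already bounds the decoded image size.

```python
"""Pre-flight PNG bomb check (added example, not oxipng code)."""
import struct
import zlib

# Policy limits: assumed values for illustration, tune for your workload.
MAX_DIMENSION = 16_384      # per-axis pixel cap
MAX_PIXELS = 50_000_000     # width * height cap
MAX_CHUNK_LEN = 1 << 24     # 16 MiB cap on any chunk's declared length
MAX_INFLATED = 1 << 20      # 1 MiB cap on decompressed text/ICC payload

PNG_SIG = b"\x89PNG\r\n\x1a\n"
COMPRESSED_ANCILLARY = {b"iCCP", b"zTXt", b"iTXt"}


class PngBomb(ValueError):
    """Raised when a PNG exceeds a limit above or is malformed."""


def bounded_inflate(data: bytes, limit: int) -> bytes:
    """Inflate at most `limit` bytes; raise if the stream would yield more.
    decompress(data, max_length) stops at max_length, so asking for limit+1
    detects overrun without ever materialising the full expanded stream."""
    d = zlib.decompressobj()
    try:
        out = d.decompress(data, limit + 1)
    except zlib.error as e:
        raise PngBomb(f"corrupt zlib stream: {e}") from None
    if len(out) > limit:
        raise PngBomb(f"compressed payload inflates past {limit} bytes")
    return out


def compressed_payload(ctype: bytes, data: bytes):
    """Return the zlib stream inside iCCP/zTXt/iTXt, or None if uncompressed."""
    nul = data.find(b"\x00")
    if nul < 0 or len(data) < nul + 2:
        raise PngBomb(f"{ctype.decode()} chunk lacks keyword terminator")
    if ctype in (b"zTXt", b"iCCP"):          # keyword NUL method stream
        if data[nul + 1] != 0:
            raise PngBomb(f"{ctype.decode()} uses unknown compression method")
        return data[nul + 2:]
    # iTXt: keyword NUL flag method language NUL translated-keyword NUL text
    if len(data) < nul + 3:
        raise PngBomb("iTXt chunk truncated")
    flag, method, rest = data[nul + 1], data[nul + 2], data[nul + 3:]
    lang_end = rest.find(b"\x00")
    trans_end = rest.find(b"\x00", lang_end + 1) if lang_end >= 0 else -1
    if trans_end < 0:
        raise PngBomb("iTXt chunk lacks language/translated keyword terminators")
    if flag == 0:
        return None
    if method != 0:
        raise PngBomb("iTXt uses unknown compression method")
    return rest[trans_end + 1:]


def check_png(buf: bytes) -> dict:
    """Walk the chunk list enforcing the limits; return basic metadata."""
    if not buf.startswith(PNG_SIG):
        raise PngBomb("missing PNG signature")
    pos, info = len(PNG_SIG), {"width": None, "height": None, "chunks": []}
    while True:
        if pos + 8 > len(buf):
            raise PngBomb("truncated chunk header (no IEND)")
        length, ctype = struct.unpack(">I4s", buf[pos:pos + 8])
        name = ctype.decode(errors="replace")
        if length > MAX_CHUNK_LEN:
            raise PngBomb(f"{name} chunk declares {length} bytes")
        start, end = pos + 8, pos + 8 + length
        if end + 4 > len(buf):
            raise PngBomb(f"{name} chunk runs past end of file")
        data = buf[start:end]
        if zlib.crc32(ctype + data) != struct.unpack(">I", buf[end:end + 4])[0]:
            raise PngBomb(f"{name} chunk CRC mismatch")
        if not info["chunks"] and ctype != b"IHDR":
            raise PngBomb("first chunk is not IHDR")
        if ctype == b"IHDR":
            if length != 13:
                raise PngBomb("IHDR has wrong length")
            width, height = struct.unpack(">II", data[:8])
            if not (0 < width <= MAX_DIMENSION and 0 < height <= MAX_DIMENSION):
                raise PngBomb(f"dimensions {width}x{height} outside per-axis limit")
            if width * height > MAX_PIXELS:
                raise PngBomb(f"{width * height} pixels exceeds MAX_PIXELS")
            info["width"], info["height"] = width, height
        elif ctype in COMPRESSED_ANCILLARY:
            stream = compressed_payload(ctype, data)
            if stream is not None:
                bounded_inflate(stream, MAX_INFLATED)
        info["chunks"].append(name)
        pos = end + 4
        if ctype == b"IEND":
            return info


def classify(buf: bytes):
    """None when the file passes, else the reason it was rejected."""
    try:
        check_png(buf)
        return None
    except PngBomb as e:
        return str(e)


# --- constructed sample files (not real-world captures) -------------------
def chunk(ctype: bytes, data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data))

def ihdr(width: int, height: int) -> bytes:
    return chunk(b"IHDR", struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0))  # 8-bit RGB

IDAT_1X1 = chunk(b"IDAT", zlib.compress(b"\x00\x00\x00\x00"))  # filter byte + one RGB pixel
IEND = chunk(b"IEND", b"")

def sample_ok() -> bytes:
    return PNG_SIG + ihdr(1, 1) + chunk(b"zTXt", b"Comment\x00\x00" + zlib.compress(b"hello")) + IDAT_1X1 + IEND

def sample_ztxt_bomb() -> bytes:  # ~4 MiB of zeros: a few KiB on disk, far past MAX_INFLATED inflated
    return PNG_SIG + ihdr(1, 1) + chunk(b"zTXt", b"Comment\x00\x00" + zlib.compress(b"\x00" * (4 * MAX_INFLATED), 9)) + IDAT_1X1 + IEND

def sample_itxt_bomb() -> bytes:
    payload = b"Comment\x00\x01\x00en\x00\x00" + zlib.compress(b"A" * (4 * MAX_INFLATED), 9)
    return PNG_SIG + ihdr(1, 1) + chunk(b"iTXt", payload) + IDAT_1X1 + IEND

def sample_dimension_bomb() -> bytes:
    return PNG_SIG + ihdr(100_000, 100_000) + IDAT_1X1 + IEND


if __name__ == "__main__":
    for label, fn in [("ok", sample_ok), ("ztxt", sample_ztxt_bomb), ("itxt", sample_itxt_bomb), ("dims", sample_dimension_bomb)]:
        print(label, classify(fn()) or "accepted")
```

Run this over an upload before handing it to oxipng; anything `classify` rejects never reaches the optimiser, and the bounded inflate means the check itself cannot be turned into the bomb.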
For anyone looking for a temporary workaround, you can use `systemd-run` to do resource limiting, e.g.

```shell
systemd-run --user --wait -Pp MemoryHigh=5% oxipng input.png output.png
```

You can set `-p MemoryMax=10%` as well if you want the transient service to exit if its memory usage creeps too high (`MemoryHigh` is only a soft cap, and oxipng's memory use does tend to increase the longer it runs).
I use oxipng to process untrusted files uploaded by users, and we currently rely on pod-level resource limits in order to protect against PNG bombs. Is it possible for there to be resource limits by oxipng itself, à la ImageMagick? I'd be happy to contribute these changes to the project, but I'm not really sure where to start looking.