How to prevent bombs from being displayed using ImageMagick?

Setting the Resource Area limit only sets the size at which images are not stored in memory, but instead dumped to disk. If you want to use this option to actually limit the maximum size of the image that can be opened, you also need to set the "Disk Disk" limit.

The correct code below shows the memory allocation error for the images they made.

try {
    Imagick::setResourceLimit(Imagick::RESOURCETYPE_AREA, 2000 * 2000);
    Imagick::setResourceLimit(Imagick::RESOURCETYPE_DISK, 2000 * 2000);

    $imagick = new Imagick("./picture-100M-6000x6000.png");
    $imagick->modulateImage(100, 50, 120);
    $imagick->writeImage("./output.png");

    echo "Complete";
}
catch(\Exception $e) {
    echo "Exception: ".$e->getMessage()."\n";
}

      

        
        
        
      

    

Output:

Exception: Memory failure failed .. / picture -100M-6000x6000.png'@error/png.c/MagickPNGErrorHandler/1630

If you want to set width and height resource and have ImageMagick version> = 6.9.0-1 you should be able to use values ​​directly from WidthResource = 9, HeightResource = 10

//Set max image width of 2000
Imagick::setResourceLimit(9, 2000);
//Set max image height of 1000
Imagick::setResourceLimit(10, 1000);

      

        
        
        
      

    

These programs do not need to be installed programmatically, you can install them via the policy.xml file installed with ImageMagick. ImageMagick reads this file and uses these parameters if none are specified in the program, which may be a more convenient way to configure them, since you can change them to one machine.

This makes it impossible to handle it correctly.

This prevents you from handling it in the same process. You can handle this simply by doing image processing in a background job.

Personally, I think using Imagick on a server that is directly accessed by web browsers is nuts anyway. It is much safer to run it as a background task (managed by something like http://supervisord.org/ ) and communicate with this background task through the queue to be processed.

This not only solves the problem with "bad images", but also makes it much easier to monitor resource usage or offloads image processing to a computer with a faster processor than the web interface server is needed.

Source - I maintain the Imagick extension and I recently added it to the Imagick readme file:

Safety

The PHP Imagick extension works by calling the ImageMagick library. While the ImageMagick developers try to avoid bugs, it is inevitable that some bugs will be present in the code. ImageMagick also uses many third party libraries to open, read and manipulate files. The writers of these libraries also take care when writing their code. However, everyone makes mistakes and inevitably some mistakes are present.

Since ImageMagick is used for image processing, it is possible for hackers to create images containing invalid data in order to exploit these errors. Therefore, we recommend the following:

1) Do not run Imagick on a server that is directly accessible from outside your network. Better to either use it as a background using something like SupervisorD or to run on a separate server that doesn't have direct internet access.

Doing so will make it harder for a hacker to exploit the bug, even if it exists in the libraries that ImageMagick uses.

2) Run it as a very low privileged process. As much as possible, the files and system resources available to the PHP script that Imagick is called from should be locked.

3) Check that the image processing result is a valid image file before displaying it to the user. In the extremely unlikely scenario, a hacker is able to transfer arbitrary files to the Imagick output, verifying that it is an image file and not the source code of your application being sent is a sensible precaution.