Some of the vulnerabilities with ImageMagick are addressed by use of the policy.xml file. I would like to know if I can do the same thing with GraphicsMagick.
In particular, consider the pixel flood attack exploit. This exploit involves specifying an extremely large pixel value in the encoding of the (small/regular sized) image itself, so that when the decoder tries to allocate memory for the entire image, it takes up all the memory and results in a DoS attack. It was reported for a different app (paperclip) but the same technique easily applies to ImageMagick or GraphicsMagick.
ImageMagick recommends avoiding this sort of attack via the policy.xml file. How should one deal with this issue in GraphicsMagick? Or is GraphicsMagick somehow immune to this? Please explain.
GraphicsMagick does not have or recognize a policy.xml file.
In order to do things like set the maximum amount of memory, etc., one can set the environment variables of the software. Running the command
gm convert -list resources
will show an overview of the current allocations, in a format as below:
Resource Limits (Q16, 64 bits/pixel, 64bit address)
Disk: Unlimited (MAGICK_LIMIT_DISK)
Files: 256 (MAGICK_LIMIT_FILES)
Map: 15.6GiB (MAGICK_LIMIT_MAP)
Memory: 7.8GiB (MAGICK_LIMIT_MEMORY)
Pixels: Unlimited (MAGICK_LIMIT_PIXELS)
Threads: 4 (OMP_NUM_THREADS)
Width: 256.0MiP (MAGICK_LIMIT_WIDTH)
Height: 256.0MiP (MAGICK_LIMIT_HEIGHT)
The terms in bold at the end denote the name of the actual environment variable, which can be set by issuing a command like env MAGICK_LIMIT_MEMORY=200mb
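
An added example (not part of the original answer and not GraphicsMagick's own tooling): a shell wrapper that applies the MAGICK_LIMIT_* variables from the listing above to a single child process, plus a check that reads `gm convert -list resources` output and reports every resource still shown as Unlimited. The function names and the limit values are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: per-process GraphicsMagick resource limits via the environment.
# Limit values are illustrative assumptions; size them to your largest legitimate image.

# Run a command with MAGICK_LIMIT_* set only for that child process.
# Values already set by the caller take precedence over these defaults.
run_limited() {
    env \
        MAGICK_LIMIT_PIXELS="${MAGICK_LIMIT_PIXELS:-50000000}" \
        MAGICK_LIMIT_WIDTH="${MAGICK_LIMIT_WIDTH:-10000}" \
        MAGICK_LIMIT_HEIGHT="${MAGICK_LIMIT_HEIGHT:-10000}" \
        MAGICK_LIMIT_MEMORY="${MAGICK_LIMIT_MEMORY:-200mb}" \
        MAGICK_LIMIT_MAP="${MAGICK_LIMIT_MAP:-400mb}" \
        MAGICK_LIMIT_DISK="${MAGICK_LIMIT_DISK:-1000mb}" \
        "$@"
}

# Read `gm convert -list resources` output on stdin and print the
# environment variable name of every resource still reported as Unlimited.
unlimited_resources() {
    sed -n 's/^[[:space:]]*[A-Za-z]*:[[:space:]]*Unlimited[[:space:]]*(\([A-Z_]*\)).*$/\1/p'
}

# Constructed sample: the listing quoted in the answer above.
sample_listing() {
    cat <<'EOF'
Resource Limits (Q16, 64 bits/pixel, 64bit address)
Disk: Unlimited (MAGICK_LIMIT_DISK)
Files: 256 (MAGICK_LIMIT_FILES)
Map: 15.6GiB (MAGICK_LIMIT_MAP)
Memory: 7.8GiB (MAGICK_LIMIT_MEMORY)
Pixels: Unlimited (MAGICK_LIMIT_PIXELS)
Threads: 4 (OMP_NUM_THREADS)
Width: 256.0MiP (MAGICK_LIMIT_WIDTH)
Height: 256.0MiP (MAGICK_LIMIT_HEIGHT)
EOF
}

# Usage (requires gm on PATH; upload.png and out.png are placeholder names):
#   run_limited gm convert -list resources | unlimited_resources
#   run_limited gm convert upload.png -resize 800x800 out.png
```

Run against the listing quoted above, the check flags the Disk and Pixels limits, and the Pixels limit is the one that bears directly on the pixel flood case raised in the question.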