From ddb6733036e452479e5c54597ddadf6c95bb11da Mon Sep 17 00:00:00 2001
From: tomaioo
Date: Mon, 20 Apr 2026 11:20:01 -0700
Subject: [PATCH] fix(security): potential denial of service from unbounded image d

`resizeImage()` loads arbitrary image bytes into memory and decodes them without checking input size or dimensions first. If attacker-controlled or remote-fetched image data is very large or crafted, this may cause excessive memory/CPU consumption and degrade service availability.
Signed-off-by: tomaioo <203048277+tomaioo@users.noreply.github.com>
---
 lib/Service/ImageResizer.php | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)
diff --git a/lib/Service/ImageResizer.php b/lib/Service/ImageResizer.php
index b92f67b31e..49f9a0ea2f 100644
--- a/lib/Service/ImageResizer.php
+++ b/lib/Service/ImageResizer.php
@@ -14,14 +14,28 @@ class ImageResizer {
 public const RESIZE_MAX_X = 256;
 public const RESIZE_MAX_Y = 256;
+ public const MAX_INPUT_BYTES = 5 * 1024 * 1024;
+ public const MAX_INPUT_PIXELS = 4096 * 4096;
 /**
 * @param string $socialData
 * @return null|string
 */
 public function resizeImage(string $socialData) {
- $image = new Image();
+ if ($socialData === '' || strlen($socialData) > self::MAX_INPUT_BYTES) {
+ return null;
+ }
+
+ $size = @getimagesizefromstring($socialData);
+ if ($size === false || !isset($size[0], $size[1])) {
+ return null;
+ }
+ if ($size[0] <= 0 || $size[1] <= 0 || ($size[0] * $size[1]) > self::MAX_INPUT_PIXELS) {
+ return null;
+ }
+
+ $image = new Image();
 $image->loadFromData($socialData);
 if ($image->valid()) {
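Review bot: `MAX_INPUT_PIXELS = 4096 * 4096` still lets one call decode about 16.7 million pixels, which is on the order of 64 MiB if `Image` decodes through GD to a truecolor bitmap, a large allocation for a picture that is then scaled to 256x256. I would lower the cap or derive it from the configured memory limit, and record the reasoning next to the constant, e.g. `// 4096*4096 px is roughly 64 MiB once decoded (about 4 bytes per pixel); keep well below memory_limit`. The byte check in `resizeImage()` also runs only after the whole payload is already held in `$socialData`, so if the data comes from a remote fetch (the caller is not visible here) the download needs its own size bound at the fetch site. The three new `return null` paths look the same to the caller as a decode failure and the `@` hides the warning, so a debug log entry on rejection would let operators tell an oversized image from a corrupt one. The body of `resizeImage()` continues past the end of the hunk.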