shssoichiro / oxipng

Multithreaded PNG optimizer written in Rust
MIT License

Resource limits for RAM, dimensions, and CPU time #411

Open carbotaniuman opened 3 years ago

carbotaniuman commented 3 years ago

I use oxipng to process untrusted files from uploaded users, and we currently rely on pod level resource limits in order to protect against PNG bombs. Is it possible for there to be resource limits by oxipng itself, ala ImageMagick? I'd be happy to contribute these changes to the project, but I'm not really sure where to start looking.

shssoichiro commented 3 years ago

Since Rust doesn't run within a VM (ala Java), I don't think there's a way to set explicit memory limits, but there could be options added to limit the width and height. There is an existing CLI option, --timeout, which will limit the wall time oxipng will spend on a file.

I'm reading that these attacks can also happen through excessively large iCCP chunks, zTXt chunks, and iTXt chunks, so ensuring oxipng protects against these (by default) would be a good addition as well.

Winterhuman commented 11 months ago

For anyone looking for a temporary workaround, you can use systemd-run to do resource limiting, e.g.

systemd-run --user --wait -Pp MemoryHigh=5% oxipng input.png output.png

You can set -p MemoryMax=10% as well if you want the transient service to exit if its memory usage creeps too high (MemoryHigh is only a soft cap, and oxipng's memory use does tend to increase the longer it runs).
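As an added example (not code from the oxipng project or from anyone in this thread), a POSIX shell wrapper that combines the two defences discussed above: it reads the width and height from the PNG IHDR chunk and refuses oversized or malformed files before oxipng ever sees them, then runs oxipng under systemd-run with a hard MemoryMax cap plus oxipng's own --timeout. MAX_DIM, MEM_MAX and TIMEOUT_SECS are assumed values, as is the output-file convention.

```shell
#!/bin/sh
# Added example: pre-check PNG dimensions, then run oxipng in a transient
# systemd unit with a hard memory cap and a wall-clock limit.
MAX_DIM=${MAX_DIM:-16384}         # assumed: largest width/height accepted
MEM_MAX=${MEM_MAX:-512M}          # assumed: hard cap; unit is killed above it
TIMEOUT_SECS=${TIMEOUT_SECS:-30}  # assumed: oxipng --timeout value in seconds

# Print the 4-byte big-endian unsigned integer at byte offset $2 of file $1.
be32_at() {
    od -An -tu1 -j "$2" -N 4 "$1" |
        awk '{ print ($1 * 16777216) + ($2 * 65536) + ($3 * 256) + $4 }'
}

# Print "WIDTH HEIGHT" from the IHDR chunk. The PNG spec fixes IHDR as the
# first chunk: 8-byte signature, 4-byte length, "IHDR", width, height.
# Returns 1 when the file lacks the signature or IHDR is not first.
png_dimensions() {
    [ "$(od -An -tx1 -N 8 "$1" | tr -d ' \n')" = "89504e470d0a1a0a" ] || return 1
    [ "$(od -An -tx1 -j 12 -N 4 "$1" | tr -d ' \n')" = "49484452" ] || return 1
    printf '%s %s\n' "$(be32_at "$1" 16)" "$(be32_at "$1" 20)"
}

# Return 0 when both axes are within MAX_DIM; 1 for oversized or unparseable
# input. Width/height are checked before decoding, so a declared 1e9 x 1e9
# image is rejected without allocating anything.
within_limits() {
    dims=$(png_dimensions "$1") || return 1
    set -- $dims
    [ "$1" -le "$MAX_DIM" ] && [ "$2" -le "$MAX_DIM" ]
}

# Optimize $1 into $2 inside a transient user unit. MemoryMax is the hard
# limit (MemoryHigh would only throttle); --timeout is oxipng's own limit
# on optimization time.
optimize_untrusted() {
    within_limits "$1" || { echo "refused: $1" >&2; return 1; }
    systemd-run --user --wait --pipe -p "MemoryMax=$MEM_MAX" \
        oxipng --timeout "$TIMEOUT_SECS" --out "$2" "$1"
}
```

The dimension check is cheap enough to run on every upload; the systemd unit then bounds whatever the decoder does with the chunks the pre-check cannot judge (iCCP, zTXt, iTXt).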