php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Doc Bug #70952 GD massive memory consumption
Submitted: 2015-11-21 20:42 UTC Modified: 2018-01-12 16:44 UTC
From: s dot brunner at stephan-brunner dot net Assigned: cmb (profile)
Status: Closed Package: GD related
PHP Version: 5.5.30 OS: Ubuntu 14.04.3 LTS
Private report: No CVE-ID: None
 [2015-11-21 20:42 UTC] s dot brunner at stephan-brunner dot net
Description:
------------
Hello,

GD-version: 5.5.9+dfsg-1ubuntu4.14 (official repo)

We, Stephan Brunner and Tobias Sachs, discovered that the GD library bypasses any memory_limit setting, no matter whether it is forced as an php_admin_value in the fpm pool config or set in the php.ini. Letting gd import an image (131072 by 131072 pixels compressed to 5 MB), download: https://bug.boomer41.net/gd_memory/picture.png) will bypass any memory limit set. 

The memory limit is set to 32MB as a php_admin_value in the pool config of fpm as shown below:
php_admin_value[memory_limit] = 32M

The php.ini file of the fpm remains untouched, 
the memory_limit value of the cli is set to 128M.

Exploitation of this bug renders the machine unusable because the machine starts to swap immediately and uses about 100% of the available cpu and memory resources as shown here: https://bug.boomer41.net/gd_memory/memory_usage.png

Yours sincerely
Stephan Brunner (GPG-Key: ACA501B0@pgp.mit.edu)
Tobias Sachs (GPG-Key: EF14985E@pgp.mit.edu)

Test script:
---------------
<?php

// Also available for download at https://bug.boomer41.net/gd_memory/test.php

// Download link here: https://bug.boomer41.net/gd_memory/picture.png
$picturepath = "picture.png";

imagecreatefromstring(file_get_contents($picturepath));

Expected result:
----------------
The GD library should respect the memory_limit.

Actual result:
--------------
The GD library uses all available resources and renders the machine unusable.

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2015-11-26 15:56 UTC] johannes@php.net
-Status: Open +Status: Not a bug
 [2015-11-26 15:56 UTC] johannes@php.net
The memory_limit relates only to memory allocated by PHP itself, not extenal libraries. The purpose is to mitigate effects from accidents like recursion or unterminated loops. For stricter resource controls please use the operating system's facilities.
 [2015-11-28 15:32 UTC] pajoye@php.net
-Type: Security +Type: Documentation Problem
 [2015-11-28 15:32 UTC] pajoye@php.net
Moving to doc.

If you use the bundled Gd library, the php memory management is used. For systen's GD, the system memory management is used  (aka malloc VS emalloc)
 [2018-01-12 16:42 UTC] cmb@php.net
-Status: Not a bug +Status: Closed -Assigned To: +Assigned To: cmb
 [2020-02-07 06:06 UTC] phpdocbot@php.net
Automatic comment on behalf of cmb
Revision: http://git.php.net/?p=doc/en.git;a=commit;h=bb612d4a3100467a0959fa33df7822c2c8f385d8
Log: Fix #70952: GD massive memory consumption
 
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Fri Jul 23 20:01:23 2021 UTC