Is there a code sample of bullet proof usage of ImageMagick library?
I'm doing this - is it safe? Can I do better? I want to handle all images that aren't RCE vulnerable? Like get policy.xml to load?
Code: Select all
if ((imageData.size() < 8) || // enough characters to see signature?
(strncmp(imageData.c_str(), "GIF87a", 6) && // GIF ?
strncmp(imageData.c_str(), "GIF89a", 6) && // GIF ?
strncmp(imageData.c_str(),
"\x89\x50\x4E\x47\x0D\x0A\x1A\x0A", 8) && // PNG ?
strncmp(imageData.c_str(), "\xFF\xD8", 2))) // JPG ?
{
LOG(INFO) << "imageMagickDecode failed - unsafe image type";
return false;
}
int fileSize = imageData.size();
Blob blob((const char *)imageData.c_str(), fileSize);
Image image;
image.read(blob);
Pixels pixels(image);
Do stuff.