Certain JPGs Can Crash Your ColdFusion 8 Server
This issue was brought to my attention by Adrian Lynch on CF-Talk. It seems that if you use the new image functions in ColdFusion 8 against certain kinds of JPG images you can actually cause your JVM to crash. If you have code that uses the latest image functions to handle uploaded images you should definitely take note of this post. I cannot yet see how a user might take advantage of this bug to penetrate your server, but a malicious (or even non-malicious) user could easily perform a denial of service attack and cause your CF server to go up and down like Jack LaLanne doing jumping jacks. So if you fit into that category (handling uploaded images using CF 8 image functionality) here's the scoop.
JPG "ICC" Profile
A JPG image has something (optionally) embedded in it called an "image color correction" profile. It is actually a bit of meta data that tells a browser or other image rendering program how to show the image on the screen. To see the profile, take an ordinary JPG and run this code:
<cfdump var="#info#"/>
| struct | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| colormodel |
|
||||||||||||||||||||||||
| height | 1780 | ||||||||||||||||||||||||
| source | C:\ColdFusion8\wwwroot\sample.jpg | ||||||||||||||||||||||||
| width | 1280 | ||||||||||||||||||||||||
Notice the "clolor model" structure and keys. I could be wrong but I take that to be the ICC profile. Now it just so happens that there is a bug in the parser for this ICC Profile. Not the ColdFusion parser, but the underlying parser used by the javax.imageio classes - the ones used by CF under the hood to make this "imageRead()" magic happen. Under certain conditions information in the ICC Profile will be parsed incorrectly and cause a buffer overflow. This in turn abends the entire JVM and causes your ColdFusion server to restart.
Sample JPGs
If you would like to test this and see for yourself, here are 3 images that will do the trick for you.
- http://www.coldfusionmuse.com/images/icc_sample1.jpg
- http://www.coldfusionmuse.com/images/icc_sample2.jpg
- http://www.coldfusionmuse.com/images/icc_sample3.jpg
The Fix
Fortunately the fix is pretty easy. Upgrade your JVM to 1.6.0_05 or above (current distribution is 1.6.0_14). In the newer build of the 1.6 engine this vulnerability is fixed. Now, if you are using CF 8 with JVM 1.5 (as some folks are) I would be interested to know if this issue is relevant. I could be that it only affects 1.6.0 to 1.6.0_04. Perhaps one of my readers would test it find out. Meanwhile, if you accept images uploaded to your server and you are taking advantage of any of the ColdFusion 8 image libraries (like imageRead() above), then you should probably upgrade ASAP. It's only a matter of time before someone uploads an image that crashes your server.
7 Comments
-
As a quick addition to this. This crash issue also affects CF8 on x64 servers. Since the 32 and 64bit java versions are a little different I am not certain that the fix is the same but it may be.
--Dave -
FYI I still found images where the JVM upgrade doesn't work! After hours of trying everything on the net the only thing I could use to get resizes to work was saving it temporarily as a BMP, and then resaving it to get rid of all the "junk" attached to the jpeg. So code would look something like this......
<cfset var.oImage = ImageNew(var.oImage)>
<cfset var.tempName = "#APPLICATION.tempDirectory#\#createUUID()#.bmp">
<cfset ImageWrite(var.oImage, "#var.tempName#")>
<cfset var.newImage = ImageRead(var.tempName)>
<cfset ImageWrite(var.newImage, "#ARGUMENTS.directory##var.theFileInfo.serverFile#")>
<cffile action="delete" file="#var.tempName#"> -
I am facing one issue with multiserver launching on Coldfusion8.
I have modified the multiservermonitor-access-policy.xml file in the remote host to allow the access from the source host.Then I have added the remote host details and I am getting permission denied in the status line with below error msg.
Error #2048 url: 'http://wlpv0002.edc.cingular.net:8500/flex2gateway...' Ensure that you have allowed access to this server by
changing the multiservermonitor-access-policy.xml file. -
I had luck getting around this problem without updating the JVM by making use of CF's imageGetBufferedImage(...) function:
bufferedImageObj = imageGetBufferedImage(cfImageObj);
output = createObject("Java", "java.io.File").init(pathToDestFile);
createObject("Java", "javax.imageio.ImageIO").write(bufferedImageObj , ".jpg", output);
Sites to Watch
Aggregators
RSS
Related Blog Entries