
umputun / remark42
84%
master: 85%

LAST BUILD BRANCH: refs/tags/backend/v1.16.0
DEFAULT BRANCH: master
Repo Added 07 Feb 2020 09:18PM UTC
Build 1639 Last
Files 52
LAST BUILD ON BRANCH fix-image-decompression-bomb
branch: fix-image-decompression-bomb

21 May 2026 01:20AM UTC coverage: 84.273% (+0.02%) from 84.25%
26199712850

Pull #2064

github

paskal
fix(image): reject decompression-bomb dimensions before raster decode

readAndValidateImage caps the byte size of incoming images but the resize()
helper that follows still called image.Decode unconditionally, allocating
pixel memory proportional to the *declared* image dimensions. A ~100 KB
compressed PNG or GIF that declares 65535x65535 px forces image.Decode to
allocate ~17 GB of raster, OOMing the service on a single comment upload
(or on the proxy's CacheExternal path when caching a malicious upstream).

Hardening:

- maxImagePixels = 16 MP constant. Covers any realistic image (~4096x4096)
  while bounding peak allocation.
- resize() now runs image.DecodeConfig first (cheap, no pixel allocation)
  to read declared width/height before any full decode.
- Multiplication of width × height uses int64 to defeat 32-bit overflow
  (GOARCH=386, 32-bit arm): on those targets, int(cfg.Width)*int(cfg.Height)
  could wrap below maxImagePixels and bypass the cap. GIF's 16-bit logical
  screen and JPEG's 16-bit SOF dimensions both reach this if int-multiplied.
- Bytes exceeding the cap, or non-image input that fails DecodeConfig,
  return nil. prepareImage propagates the rejection as a clear error
  instead of storing the malformed/oversized data verbatim.
- The no-resize-needed path returns the validated original bytes verbatim
  so animated GIFs round-trip without being flattened to a single frame.

The DecodeConfig precheck applies even when MaxWidth/MaxHeight are 0
(resize disabled) — the dimension cap is unconditional defense-in-depth.

Two adjacent fixes surfaced by the new resize contract:

1. readAndValidateImage previously did `data[:512]` without a bounds check,
   panicking on any body shorter than 512 bytes. Now bounded with min().
2. image/webp was listed as an allowed format but no WebP decoder was
   registered, so DecodeConfig would refuse legitimate WebP uploads. Added
   `_ "golang.org/x/image/webp"` (already in go.mod via x/image/draw) so
   ... (continued)
Pull Request #2064: fix(image): reject decompression-bomb dimensions before raster decode
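As an added illustration of the precheck the commit message describes (this is not code from the remark42 repository or from PR #2064): a Go program that runs image.DecodeConfig on the raw bytes before any raster decode, multiplies the declared width and height in int64, and bounds the content-sniffing prefix. The constant value (16 * 1024 * 1024), the function names (checkImageDimensions, naivePixels32, sniffPrefix, bombPNG, smallPNG) and both sample images are assumptions constructed for this example; bombPNG goes slightly beyond the text by building a 33-byte PNG header that declares 65535x65535 pixels, so the effect of header-only validation is visible without a real decompression bomb.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"hash/crc32"
	"image"
	"image/color"
	"image/png"

	_ "image/gif"  // register GIF so DecodeConfig recognises it (no pixels decoded)
	_ "image/jpeg" // same for JPEG
)

// maxImagePixels is the 16 MP cap the PR describes; the exact value is an
// assumption of this example, not taken from the project's source.
const maxImagePixels int64 = 16 * 1024 * 1024

var errTooManyPixels = errors.New("declared image dimensions exceed pixel cap")

// checkImageDimensions (hypothetical name) is the DecodeConfig precheck: only the
// header is read, so no raster memory is allocated, and the declared width*height
// is computed in int64 so a 16-bit x 16-bit header cannot wrap on 32-bit GOARCH.
func checkImageDimensions(data []byte, maxPixels int64) (image.Config, error) {
	cfg, _, err := image.DecodeConfig(bytes.NewReader(data))
	if err != nil {
		return image.Config{}, fmt.Errorf("not a decodable image: %w", err)
	}
	if cfg.Width <= 0 || cfg.Height <= 0 {
		return cfg, errors.New("non-positive image dimensions")
	}
	if int64(cfg.Width)*int64(cfg.Height) > maxPixels {
		return cfg, errTooManyPixels
	}
	return cfg, nil
}

// naivePixels32 models the int-typed product on a 32-bit target: 65535*65535
// wraps to a negative value, which compares as "below" any positive cap.
func naivePixels32(w, h int) int32 {
	return int32(w) * int32(h)
}

// sniffPrefix returns at most the first 512 bytes for content-type sniffing,
// bounded so a body shorter than 512 bytes cannot panic (the data[:512] fix).
func sniffPrefix(data []byte) []byte {
	n := len(data)
	if n > 512 {
		n = 512
	}
	return data[:n]
}

// bombPNG is a constructed sample: PNG signature plus an IHDR chunk declaring
// w x h RGBA pixels with a valid CRC and no IDAT data. It is 33 bytes long, yet
// a full image.Decode would attempt to allocate w*h*4 bytes of raster for it.
func bombPNG(w, h uint32) []byte {
	var buf bytes.Buffer
	buf.Write([]byte{0x89, 'P', 'N', 'G', '\r', '\n', 0x1a, '\n'})
	ihdr := make([]byte, 13)
	binary.BigEndian.PutUint32(ihdr[0:4], w)
	binary.BigEndian.PutUint32(ihdr[4:8], h)
	ihdr[8] = 8 // bit depth
	ihdr[9] = 6 // colour type RGBA; compression/filter/interlace stay 0
	chunk := append([]byte("IHDR"), ihdr...)
	var u32 [4]byte
	binary.BigEndian.PutUint32(u32[:], uint32(len(ihdr)))
	buf.Write(u32[:])
	buf.Write(chunk)
	binary.BigEndian.PutUint32(u32[:], crc32.ChecksumIEEE(chunk)) // CRC covers type+data
	buf.Write(u32[:])
	return buf.Bytes()
}

// smallPNG is a constructed, fully valid 4x4 image that must pass the check.
func smallPNG() []byte {
	img := image.NewNRGBA(image.Rect(0, 0, 4, 4))
	for i := 0; i < 4; i++ {
		img.Set(i, i, color.NRGBA{R: 255, A: 255})
	}
	var buf bytes.Buffer
	if err := png.Encode(&buf, img); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

func main() {
	bomb := bombPNG(65535, 65535)
	cfg, err := checkImageDimensions(bomb, maxImagePixels)
	fmt.Printf("bomb: %d bytes on the wire, declares %dx%d, err=%v\n", len(bomb), cfg.Width, cfg.Height, err)
	fmt.Printf("same product as int32 would be %d (cap bypassed)\n", naivePixels32(cfg.Width, cfg.Height))
	cfg, err = checkImageDimensions(smallPNG(), maxImagePixels)
	fmt.Printf("small: %dx%d, err=%v\n", cfg.Width, cfg.Height, err)
	_, err = checkImageDimensions([]byte("not an image"), maxImagePixels)
	fmt.Printf("garbage: err=%v\n", err)
	fmt.Printf("sniff prefix of a 3-byte body: %d bytes\n", len(sniffPrefix([]byte("abc"))))
}
```

The check is cheap because DecodeConfig stops after the header chunk, so the cost of rejecting a bomb is independent of the dimensions it declares; the cap is applied before resize settings are consulted, which is the unconditional defense-in-depth the commit message calls for.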

28 of 31 new or added lines in 2 files covered. (90.32%)

1 existing line in 1 file now uncovered.

6280 of 7452 relevant lines covered (84.27%)

34.35 hits per line


Recent builds

Builds | Branch | Commit | Type | Ran | Committer | Via | Coverage
26199712850 | fix-image-decompression-bomb | fix(image): reject decompression-bomb dimensions before raster decode | Pull #2064 | 21 May 2026 01:23AM UTC | paskal | github | 84.27
26198482866 | fix-image-decompression-bomb | fix(image): reject decompression-bomb dimensions before raster decode | Pull #2064 | 21 May 2026 12:43AM UTC | paskal | github | 84.27
26198053920 | fix-image-decompression-bomb | fix(image): reject decompression-bomb dimensions before raster decode | Pull #2064 | 21 May 2026 12:32AM UTC | paskal | github | 84.27
26196592896 | fix-image-decompression-bomb | fix(image): reject decompression-bomb dimensions before raster decode | Pull #2064 | 20 May 2026 11:49PM UTC | paskal | github | 84.27
26196558529 | fix-image-decompression-bomb | fix(image): reject decompression-bomb dimensions before raster decode | Pull #2064 | 20 May 2026 11:48PM UTC | paskal | github | 84.27
26196545141 | fix-image-decompression-bomb | fix(image): reject decompression-bomb dimensions before raster decode | push | 20 May 2026 11:48PM UTC | paskal | github | 84.21

© 2026 Coveralls, Inc