Package: graphicsmagick
Version: 1.3.20-3+deb8u1
Severity: important

Dear Maintainer,

I have an application that passes jpegs to gm convert to resize to roughly 1600x900/900x1600. Since I don't enforce any aspect ratio and want to have roughly equivalent sizes, I make use of the @ suffix in the -resize option.

When resizing jpegs around 256KB, it seems to work just fine. But on images around 1MB (and I assume any larger), gm convert runs forever, using up all the RAM it can and starving the system.

Take this image:

    -rw-r--r-- 1 root root 1036879 Oct 2 21:43 9nkNnX6.jpg

A totally ordinary jpg from my smartphone. Run the following:

    gm convert 9nkNnX6.jpg -resize "1440000@" -strip output.jpg

It should resize nicely and quickly. Instead it creates this file in the working directory:

    -rw------- 1 root root 8294397253776 Jan 23 14:34 gmRziFj6

...which I don't understand, because that is almost 8TB on a 2TB disk.

Here is the output of ps aux|grep convert just before I kill -9 the thing:

    root 25082 1475 43.5 14431592 10760328 pts/2 Sl 14:34 2:57 gm convert 9nkNnX6.jpg -resize 1440000@ -strip output.jpg

Look at those memory footprints. They would have kept going up until eventually the system locked me out.

On this identical hardware, I did not have this problem with the oldstable (wheezy) binaries.

If I resize with a more typical WxH parameter, it works fine. I could try to make my own 'max largest dimension' determination, but the pixel limit suffix feature is so nice -- when it works.

Right now this has security ramifications. If a web app uploads larger jpeg images (not that large really) and passes them to gm convert, it could DoS the server.

-- System Information:
Debian Release: 8.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages graphicsmagick depends on:
ii  libc6               2.19-18+deb8u2
ii  libgomp1            4.9.2-10
ii  libgraphicsmagick3  1.3.20-3+deb8u1

graphicsmagick recommends no packages.

Versions of packages graphicsmagick suggests:
pn  graphicsmagick-dbg  <none>

-- no debconf information
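
One way a calling application could contain the behaviour reported above, as an added example that is not part of the original report or of GraphicsMagick: compute an explicit WxH from the pixel budget (the report states that WxH resizes work) and run gm under OS resource limits and a timeout. The names `fit_area`, `run_gm` and `safe_resize` and all limit values are assumptions of this example, and unlike a bare area geometry it never enlarges an image.

```python
import math
import resource
import subprocess

MAX_PIXELS = 1_440_000  # same pixel budget as the "1440000@" in the report


def fit_area(width, height, max_pixels=MAX_PIXELS):
    """Return (w, h) with w*h <= max_pixels, keeping the aspect ratio."""
    if width <= 0 or height <= 0 or max_pixels <= 0:
        raise ValueError("dimensions and pixel budget must be positive")
    if width * height <= max_pixels:
        return width, height  # already within budget: leave the size alone
    scale = math.sqrt(max_pixels / (width * height))
    # Rounding down guarantees the product stays under the budget.
    return max(1, math.floor(width * scale)), max(1, math.floor(height * scale))


def _cap_child():
    # Runs in the child before exec. Values are constructed for this example.
    resource.setrlimit(resource.RLIMIT_AS, (2 * 1024**3,) * 2)   # address space
    resource.setrlimit(resource.RLIMIT_FSIZE, (1024**3,) * 2)    # any file written
    resource.setrlimit(resource.RLIMIT_CPU, (30, 30))            # CPU seconds


def run_gm(args, timeout=60):
    """Run a gm subcommand with capped memory, file size, CPU and wall time."""
    done = subprocess.run(["gm", *args], preexec_fn=_cap_child, timeout=timeout,
                          check=True, capture_output=True, text=True)
    return done.stdout


def safe_resize(src, dst):
    """Resize src into dst; both are paths the server generated, not user input."""
    out = run_gm(["identify", "-format", "%w %h\n", src])
    width, height = (int(v) for v in out.split()[:2])
    new_w, new_h = fit_area(width, height)
    run_gm(["convert", src, "-resize", f"{new_w}x{new_h}", "-strip", dst])
    return new_w, new_h
```

A conversion that hits a limit surfaces as `subprocess.CalledProcessError` or `subprocess.TimeoutExpired`, so the caller can reject the upload instead of letting the host run out of RAM or disk.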