|By:||Nicholas Clark from London.pm|
|Date:||Wednesday, 15 August 2018 12:50|
"Be conservative in what you do, be liberal in what you accept from others"
The robustness principle seems like a great idea. It's often referred to as "Postel's law", after he wrote in an early specification that this is how TCP implementations should behave.
Happy days. Back then the Internet was a safe and trusting place, and if you searched it for "American Fuzzy Lop", Veronica would direct your Gopher client to pages about rabbits.
ImageMagick isn't as quite as old as the Internet, TCP or animated GIFs - it dates from 1990 - but it certainly tries to be "liberal in what it accepts", reading and writing "over 200 formats" of images.
That's great. We care about 3.
Problem is that it cares deeply about the other >197 too, and will happily try to "do the right thing" when presented with data in some obscure format. Better yet, you can't disable support for the formats you don't care for, and even if you "firewall" it and only feed it images *you* think are JPEGs, PNGs or GIFs, its internal black box might route it somewhere else. Which would be fine if it ended there - "it's actually an unreadable RLE, not an unreadable JPEG" - either way you're not going to make a thumbnail from it.
But the world has moved on...
These days fuzzers are finding bugs in C code faster than ever. ImageMagick announced 88 CVEs in 2016, 225 in 2017. We have to run harder and harder just to keep still, and it's almost all about formats we don't want to care about.
It should be easy to replace it - resizing, sharpening, comment reading and writing - it's nothing *that* tricky, and CPAN has various image manipulation modules which can do all these things.
But which one is best? It turns out that they all have their own little idiosyncrasies, helpful "features" (some documented, some not), bugs and shortcomings. And thereby hangs a tale of discovery, frustration, and ultimately success. I'll tell you about all the "fun" I had, so that you don't need to make the same mistakes as I did.