Biggest image in the smallest space

359 points by fekberg, over 9 years ago

27 comments

michaelmior, over 9 years ago
Actually, it decompresses to a 5.8MB PNG. However, many graphics programs may choose to use three bytes per pixel when rendering the image and because it has incredibly large dimensions, this representation would take up 141GB of RAM.
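
The arithmetic in the comment above, turned into a pre-decode check that reads only the PNG signature and IHDR chunk. This is an added example, not code from the thread or from any library it mentions; the function names, the 256 MiB budget and the 225000 x 225000 dimensions are assumptions (the dimensions are constructed so that 3 bytes per pixel comes to about 141 GiB).

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Samples per pixel for each PNG colour type (from the PNG specification).
SAMPLES = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}

def make_png_header(width, height, bit_depth=1, colour_type=0):
    """Build signature + IHDR chunk only (constructed sample input)."""
    body = struct.pack(">IIBBBBB", width, height, bit_depth, colour_type, 0, 0, 0)
    crc = zlib.crc32(b"IHDR" + body)
    return PNG_SIGNATURE + struct.pack(">I", 13) + b"IHDR" + body + struct.pack(">I", crc)

def read_ihdr(data):
    """Parse and validate the IHDR chunk without touching any pixel data."""
    if len(data) < 33 or data[:8] != PNG_SIGNATURE:
        raise ValueError("not a PNG or truncated header")
    length, ctype = struct.unpack(">I4s", data[8:16])
    body = data[16:29]
    if length != 13 or ctype != b"IHDR":
        raise ValueError("first chunk is not a 13-byte IHDR")
    if zlib.crc32(ctype + body) != struct.unpack(">I", data[29:33])[0]:
        raise ValueError("IHDR CRC mismatch")
    width, height, depth, colour = struct.unpack(">IIBB", body[:10])
    if not (0 < width < 2**31 and 0 < height < 2**31) or colour not in SAMPLES:
        raise ValueError("invalid dimensions or colour type")
    return width, height, depth, colour

def decode_cost(data, render_bytes_per_pixel=3):
    """Return (native_bytes, render_bytes) needed to hold the decoded bitmap."""
    width, height, depth, colour = read_ihdr(data)
    row = (width * SAMPLES[colour] * depth + 7) // 8  # one packed scanline
    return row * height, width * height * render_bytes_per_pixel

def safe_to_decode(data, budget_bytes=256 * 1024 * 1024):
    """True only if the worst-case bitmap fits the (assumed) memory budget."""
    return max(decode_cost(data)) <= budget_bytes

# Constructed headers: an oversized 1-bit greyscale image and a normal avatar.
BOMB_HEADER = make_png_header(225_000, 225_000)
AVATAR_HEADER = make_png_header(512, 512, bit_depth=8, colour_type=6)
```

Run `safe_to_decode` on the first 33 bytes of an upload before handing the file to an image library, so the decision is made before any pixel data is inflated.
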
DanBC, over 9 years ago
That's impressive. Here are some other compression curiosities.

http://www.maximumcompression.com/compression_fun.php

A 24 byte file that uncompresses to 5 MB; another file with good compression under RAR but almost no compression under ZIP; and a compressed file that decompresses to itself.
0x0, over 9 years ago
That's neat, but I still think the self-reproducing r.zip from "zip files all the way down" is the best compression trick I've seen:

http://research.swtch.com/zip
__mp, over 9 years ago
Photoshop was able to show it: http://i.imgur.com/7EdBySv.png (Macbook Pro, 16GB RAM)
semi-extrinsic, over 9 years ago
If you follow the "related reading" link on the bottom of TFA, you come to a page by Glenn Randers-Pehrson discussing how libpng deals with decompression bombs. On the bottom of that page you find the following curious note; anyone know what to make of it?

""" [Note for any DHS people who have stumbled upon this site, be aware that this is a cybersecurity issue, not a physical security issue. Feel free to contact me at <glennrp at users.sourceforge.net> to discuss it.] """
wiredfool, over 9 years ago
PNGs also have optional compressed text metadata chunks, and it's possible to sneak a decompression bomb into one of those as well. You can get about a factor of 1000 in the compression -- 1MB of 'a' winds up being about 1040 bytes. You can have multiple itxt chunks, and it appears that the chunk size is only limited to 2^31-1.

See https://github.com/python-pillow/Pillow/blob/master/Tests/check_png_dos.py for a quick way to generate some of these.
andersthue, over 9 years ago
Reminds me of how you could crash a fido node by sending them some big empty files, so when they got automatically unzipped they filled up the harddrive :)
eli_gottlieb, over 9 years ago
http://jeremykun.com/2012/04/21/kolmogorov-complexity-a-primer/

http://c2.com/cgi/wiki?KolmogorovComplexity

Here be rabbit-hole.
inglor, over 9 years ago
This does wonders when used in favicons :D
raffomania, over 9 years ago
Fun fact: When trying to upload this as a profile picture (on a site I host myself), chromium crashes.
dahart, over 9 years ago
Having dealt with and printed a lot of *very* large images, e.g., 60k x 60k pixels, I have been on the lookout for image processing software that never decompresses the entire image into ram, but instead works on blocks or scan lines or blocks of scan lines, but stays in constant memory and streams to and from disk. For example, the ImageMagick fork GraphicsMagick does a much better job of this than ImageMagick. What other software is out there that can handle these kinds of images?
AndrewStephens, over 9 years ago
I used to work on a scanning SMTP/HTTP proxy and even back then it wasn't unknown for people to send crafted decompression bombs to attempt to crash the services. We handled it by estimating the total uncompressed size upfront (including sub archives) and throwing out anything with a suspiciously large compression ratio.

I imagine that .pdf files are another avenue for mischief. They contain lots of chunks which may be compressed in varying ways.
tetrep, over 9 years ago
Neat. I needed to make very large PNG bombs recently and toyed with the idea of doing it "manually." In the end I decided to take the lazy route and use libpng[1].

[1]: https://bitbucket.org/tetrep/pngbomb/src/03dfc95065d78562c156c056abc3d5f1fd7047b8/pngbomb.c?at=master
JosephRedfern, over 9 years ago
That's cool. Presumably the same "attack" could be applied to any file format that uses DEFLATE.

From a legal stand-point, I'd be wary about following through with the author's suggestion of "Upload as your profile picture to some online service, try to crash their image processing scripts" without permission. Sounds like a good way of getting into trouble.
logicallee, over 9 years ago
> The image is almost entirely zeroes, with a secret message in the center.

Too pressed for time, did anyone look? What is it?
tiler, over 9 years ago
I realize that this is beside the point but going on the title alone we could write a script that could generate an 'infinite' (max out available memory) sized image.
javajosh, over 9 years ago
Everyone's focusing on this being a PNG problem but actually if my server unzips a 420 byte file into a 5M file of any kind, I'd say that's the first red flag. Assuming some sort of streaming decompression, you could write an output filter that shuts off the decompressor when it's seen a factor of X bytes. A reasonable factor would be 10 - which in this case would have halted bzip decompression at 4kB.

This would probably be a trivial patch to bzip2. But I like the idea in general of passing a "max input/output ratio" to any process or function that might yield far more output than input.
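
The output filter described in the comment above, together with the ratio check AndrewStephens mentions, sketched for zlib/DEFLATE streams with Python's standard `zlib` module. This is an added example, not code from the thread or a patch to bzip2; the function name, the 64 MiB cap and the 16 KiB step are assumptions, and the sample inputs are constructed.

```python
import zlib

class DecompressionLimitExceeded(Exception):
    """Raised when output passes the absolute cap or the output/input ratio."""

def bounded_inflate(chunks, max_ratio=10, max_output=64 * 1024 * 1024, step=16384):
    """Inflate a zlib stream supplied as an iterable of byte chunks.

    Output is produced at most `step` bytes per call and the limits are
    checked after every call, so a bomb is cut off before it expands.
    max_ratio=10 is the factor suggested in the comment; the other
    defaults are assumptions.
    """
    inflater = zlib.decompressobj()
    consumed = produced = 0
    pieces = []

    def account(piece):
        nonlocal produced
        produced += len(piece)
        if produced > max_output or produced > max_ratio * consumed:
            raise DecompressionLimitExceeded(
                f"{produced} bytes out for {consumed} bytes in")
        pieces.append(piece)

    for chunk in chunks:
        consumed += len(chunk)
        buf = chunk
        while buf and not inflater.eof:
            account(inflater.decompress(buf, step))  # max_length bounds each call
            buf = inflater.unconsumed_tail           # input held back by the bound
    account(inflater.flush())
    if not inflater.eof:
        raise ValueError("truncated zlib stream")
    return b"".join(pieces)

# Constructed samples: 1 MB of 'a' (the text-chunk case) and a benign payload.
BOMB = zlib.compress(b"a" * 1_000_000, 9)
BENIGN = zlib.compress(bytes(range(256)) * 2)
```

A fixed ratio of 10 also rejects legitimately repetitive data such as logs, so the ratio is usually paired with the absolute cap and tuned per input type.
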
ctdonath, over 9 years ago
Looks handy for large image processing tests, thanks.
atom_enger, over 9 years ago
Trying to run the program and create my own image, however a few questions, what did you use for secret.png? Any old png?

Are you using PIL or pillow?
pvdebbe, over 9 years ago
Cool, but most web sites wouldn't allow you to upload a 5-MB picture as a profile picture. Or do they, these days?
andrewstuart, over 9 years ago
Is there a way to check for decompression bombs? I'd like my software to be able to unzip zip files safely.
ak2196, over 9 years ago
It's probably using middle-out.
TurplePurtle, over 9 years ago
I wonder what the ratio would look like if the equivalent was done with a JPEG instead of a PNG.
mridulmalpani, over 9 years ago
Has anybody tried to upload it on Facebook as a profile picture?
hnpc123, over 9 years ago
The title was changed and is now more opaque and less descriptive.
_hhff, over 9 years ago
righto pied piper
hadeharian, over 9 years ago
This is a very easy form of attack in security circles.