by devwastaken 3146 days ago
How is the security? Any sort of image processing is a potential exploitation point. I see it says it uses the 'mature' libjpeg-turbo and libpng libraries, along with giflib for .gifs, but even with full trust of those, the C code, patches, and changes on top could be more exploitation points. You can look through ImageMagick alone to see all the fun things possible when seemingly basic processing turns into exploits. https://www.cvedetails.com/vulnerability-list/vendor_id-1749...

They specifically addressed this by throwing a fuzzer at it. Of course that's to find crashes rather than exploits, but it's a good start.
Wow, really? Is there room for another image processing library? Is ImageMagick poorly written or is image manipulation inherently risky?
ImageMagick is notoriously questionable. It was originally written, I believe, as a local command-line tool for users to work with their own images, so security and untrusted input were not primary concerns.

Additionally, image manipulation is inherently challenging - not even due to the actual manipulation of image pixel data, but due to the proliferation of complex image container formats which require binary data manipulation and byte copying in performance-critical code. This is a minefield for secure programming practices because it puts at direct odds performance and sanity checking, as well as encouraging pointer and memory arithmetic and unsafe access.

> Is there room for another (...)

Seems to me that there is no limit to available room. Well, I suppose we're capped by the collective capacity of local storage and storage service providers.

ImageMagick is a particularly poor choice because it will try parsing a thousand formats your users will never upload. That's a lot of code to leave exposed to the internet.
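
The mitigation implied by the last comment, as an added example that is not part of the thread or of any library discussed in it: a gate that runs before any decoder, admits only the three formats named above (JPEG, PNG, GIF), and length-checks every header read. The function names and the `MAX_PIXELS` limit are assumptions.

```python
import struct

MAGIC = {  # allowlist: only the formats the thread names
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
MAX_PIXELS = 50_000_000  # assumed policy limit, tune per service

def sniff_format(data: bytes):
    """Return the allowlisted format name, or None for anything else."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return None

def declared_size(data: bytes, fmt: str):
    """Read width/height from the header, checking length before each read."""
    if fmt == "png":
        # 8-byte signature, 4-byte chunk length, b"IHDR", then width, height.
        if len(data) < 24 or data[12:16] != b"IHDR":
            return None
        return struct.unpack(">II", data[16:24])
    if fmt == "gif":
        # 6-byte signature, then little-endian 16-bit width and height.
        if len(data) < 10:
            return None
        return struct.unpack("<HH", data[6:10])
    return None  # JPEG size needs a segment walk; left to the decoder here

def accept_upload(data: bytes, max_pixels: int = MAX_PIXELS):
    """Gate to run before any decoder sees the bytes: returns (ok, reason)."""
    fmt = sniff_format(data)
    if fmt is None:
        return False, "format not on allowlist"
    if fmt != "jpeg":
        size = declared_size(data, fmt)
        if size is None:
            return False, "truncated or malformed header"
        width, height = size
        if width == 0 or height == 0 or width * height > max_pixels:
            return False, "declared dimensions out of range"
    return True, fmt

if __name__ == "__main__":
    # Constructed sample: PNG signature plus an IHDR declaring 640x480.
    sample = b"\x89PNG\r\n\x1a\n" + struct.pack(">I4sII", 13, b"IHDR", 640, 480)
    print(accept_upload(sample))
```

This narrows what reaches the decoder; it does not replace fuzzing or sandboxing the decoder itself.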