Acropalypse (CVE-2023-21036) is a vulnerability caused by image editing tools failing to truncate images when editing has made them smaller, most often seen when images are cropped. This leaves remnants of the cropped contents written in the file after the image has finished. The remnants (written in a ‘trailer’ after the end-of-image marker) are ignored by most software when reading the image, but can be used to partially reconstruct the original image by an attacker.
The general class of vulnerability can, in theory, affect any image format if it ignores data written after the end of the image. In this case the applications affected were the ‘Markup’ screenshot editor that shipped with Google Pixel phones from the Pixel 3 (saving its images in the PNG format) and the Windows Snipping tool (with both PNG and JPEG formats).
Our customers deliver their images using Cloudflare Images products and may have images that are affected. We would like to ensure their images are protected from this vulnerability if they have been edited using a vulnerable editor.
As a concrete example, imagine a Cloudflare customer running a social network, delivering images using Cloudflare Images. A user of the social network might take a screenshot of an invoice containing their address after ordering a product, crop their address out and share the cropped image on the social network. If the image was cropped using an editor affected by aCropalypse an attacker would be able to recover their address, violating their expectation of privacy.
How Cloudflare Images products works
Cloudflare Images and Image Resizing use a proxy as the upstream for requests. This proxy fetches the original image (from either Cloudflare Images storage or the customer’s upstream), applies any transformations (from the variant definition for Cloudflare Images, or from the URL/worker parameters for Image Resizing) and then responds with the transformed image.
This naturally provides protection against aCropalypse for our customers: the proxy will ignore any trailing data in the input, so it won’t be present in the re-encoded image.
However, for certain requests, the proxy might respond with the original. This occurs when two conditions hold: the original can satisfy the request and the re-encoded image has a larger file size. The original satisfies the request if we can guarantee that if the requested format is supported the original format will be supported, it has the same dimensions, it doesn’t have any metadata that needs stripping and it doesn’t have any other transformations such as sharpening or overlays.
Even if the original can satisfy the request, it is fairly unlikely the original will be smaller for images affected by aCropalypse as the leaked information in the trailer will increase the file size. So Cloudflare Images and Image Resizing should provide protection against aCropalypse without adding any additional mitigations.
That being said, we couldn’t guarantee that images affected by aCropalypse would always be re-encoded. We wanted to be able to offer this guarantee for customers of Cloudflare Images and Image Resizing.
How we addressed the issue for JPEG and PNG file format
To ensure that no images with a trailer will ever be passed through, we can add another requirement to reply with the original image — if the original image is a PNG or a JPEG (so might have been affected by aCropalypse), it must not have a trailer. Then we just need to be able to detect trailers for both formats.
As a first idea we might consider simply checking that the image ends with the correct end-of-image marker, which for JPEG is the byte sequence [0xFF 0xD9] and for PNG is the byte sequence [0x00 0x00 0x00 0x00 0x49 0x45 0x4E 0x44 0xAE 0x42 0x60 0x82]. But this won’t work for images affected by aCropalypse: because the original image was a valid image, the trailer that results from overwriting the start of the file will be the end of a valid image. We also can’t check whether there is more than one end-of-image marker in the file; both formats have chunks of variable-length bytestrings in which the end-of-image marker could appear. We need to do it properly by parsing the image’s structure and checking there is no data after its end.
For JPEGs, we use a Rust wrapper of the library libjpeg-turbo for decoding. Libjpeg-turbo allows fine control of resource usage; for example it allows decompressing and re-compressing a JPEG file a scanline at a time. This flexibility allows us to easily detect trailers using the library’s API: we just have to check that once we have consumed the end-of-image marker all of the input has been consumed. In our proxy we use an in-memory buffer as input, so we can check that there are no bytes left in the buffer:
pub fn consume_eoi_marker(&mut self) -> bool {
// Try to consume the EOI marker of the image
unsafe {
(ffi::jpeg_input_complete(&self.dec.cinfo) == 1) || {
ffi::jpeg_consume_input(&mut self.dec.cinfo);
ffi::jpeg_input_complete(&self.dec.cinfo) == 1
}
}
}
pub fn has_trailer(&mut self) -> io::Result<bool> {
if self.consume_eoi_marker() {
let src = unsafe {
NonNull::new(self.dec.cinfo.src)
.ok_or_else(|| {
io::Error::new(
io::ErrorKind::Other,
"source manager not set".to_string()
)
})?
.as_ref()
};
// We have a trailer if we have any bytes left over in the buffer
Ok(src.bytes_in_buffer != 0)
} else {
// We didn't consume the EOI - we can't say if there is a trailer
Err(io::Error::new(
io::ErrorKind::Other,
"EOI not reached".to_string(),
))
}
}
For PNGs, we use the lodepng library. This has a much simpler API surface that decodes an image in one shot when you call lodepng_decode. This doesn’t tell us how many bytes were read or provide an interface to detect if we have a trailer.
Luckily the PNG format has a very consistent and simple internal structure:
- First the PNG prelude, the byte sequence [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]
- Then a series of chunks, which each consist of
- 4 bytes length as a big-endian integer N
- 4 bytes chunk type
- N bytes of data (whose meaning depends on the chunk type)
- 4 bytes of checksum — CRC-32 of the type and data
The file is terminated by a chunk of type IEND with no data.
As the format is so regular, it’s easy to write a separate parser that just reads the prelude, loops through the chunks until we see IEND, and then checks if we have any bytes left. We can perform this check after decoding the image with lodepng, as this allows us to skip validating the checksums as lodepng has already checked them for us:
const PNG_PRELUDE: &[u8] = &[0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a];
enum ChunkStatus {
SeenEnd { has_trailer: bool },
MoreChunks,
}
fn consume_chunks_until_iend(buf: &[u8]) -> Result<(ChunkStatus, &[u8]), &'static str> {
let (length_bytes, buf) = consume(buf, 4)?;
let (chunk_type, buf) = consume(buf, 4)?;
// Infallible: We've definitely consumed 4 bytes
let length = u32::from_be_bytes(length_bytes.try_into().unwrap());
let (_data, buf) = consume(buf, length as usize)?;
let (_checksum, buf) = consume(buf, 4)?;
if chunk_type == b"IEND" && buf.is_empty() {
Ok((ChunkStatus::SeenEnd { has_trailer: false }, buf))
} else if chunk_type == b"IEND" && !buf.is_empty() {
Ok((ChunkStatus::SeenEnd { has_trailer: true }, buf))
} else {
Ok((ChunkStatus::MoreChunks, buf))
}
}
pub(crate) fn has_trailer(png_data: &[u8]) -> Result<bool, &'static str> {
let (magic, mut buf) = consume(png_data, PNG_PRELUDE.len())?;
if magic != PNG_PRELUDE {
return Err("expected prelude");
}
loop {
let (status, tmp_buf) = consume_chunks_until_iend(buf)?;
buf = tmp_buf;
if let ChunkStatus::SeenEnd { has_trailer } = status {
return Ok(has_trailer)
}
}
}
Conclusion
Customers using Cloudflare Images or Image Resizing products are protected against the aCropalypse vulnerability. The Images team addressed the vulnerability in a way that didn’t require any changes to the original images or cause any increased latency or regressions for customers.