From 333ddd40118bc5324c797d93f369669f6fd8e480 Mon Sep 17 00:00:00 2001
From: Krzysztof Kotlarek <kotlarek.krzysztof@gmail.com>
Date: Mon, 14 Sep 2020 10:10:55 +1000
Subject: [PATCH] SECURITY: return error on oversized images

---
 lib/upload_creator.rb         |   2 ++
 spec/fixtures/images/huge.jpg | Bin 557056 -> 466479 bytes
 spec/models/upload_spec.rb    |   6 +++---
 3 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/lib/upload_creator.rb b/lib/upload_creator.rb
index 991c3151772..a5352c995c0 100644
--- a/lib/upload_creator.rb
+++ b/lib/upload_creator.rb
@@ -168,6 +168,8 @@ class UploadCreator
       @upload.errors.add(:base, I18n.t("upload.empty"))
     elsif pixels == 0
       @upload.errors.add(:base, I18n.t("upload.images.size_not_found"))
+    elsif max_image_pixels > 0 && pixels >= max_image_pixels * 2
+      @upload.errors.add(:base, I18n.t("upload.images.larger_than_x_megapixels", max_image_megapixels: SiteSetting.max_image_megapixels * 2))
     end
   end
 
diff --git a/spec/fixtures/images/huge.jpg b/spec/fixtures/images/huge.jpg
index 25f2d5c6fb460b9ee97f1a777594df6feb295089..2fb791c816212389ef871a690260b306b72cdd12 100644
GIT binary patch
literal 466479
zcmeIxe{7WX836FRwzTEuu*Y>*s6Z8Hxe~#4)kZ>XrxJ}?Af)a`QiqmCnMOB9{83QR
zZE7ZxoSPZ6tWsqn5ho5|EzV&@ssvHG*eDd0siZc5$V!Hw(4Kc)Qp#V;{@OpE_f4MM
z`##_A^E}_rn@j9Xd=kjH_Nr^H3Iv0}Ks0#=5+4Sx3}j}E$Q+T8nK>deD=RZQloJY#
z92v?Tb?!MidAVc8<mE=A`Qr-<^3R(zE*d@m!t*B;O(~vQJhot3$+TEWVXQcoDiX}f
z$_izNBB4+umLJWJ{m)n8^*}g#V#mae^x(umS~!><4kkJR=M9dUo*Z}R$_}QbXJln2
zlhbp8fwZ)=<a2g##DDU^^qSwN<%TmN7nIIR9%uCTFRxp)t^8NNduCH|eO~g|!z(4X
zB=;s0<HN~9$tJ^+;Ye_FUHau|7bNxt&Ph+E!|CBbRp8l--lHF`c=y>8M|R!v-r@TE
z*tQv`zUtX@>t&}Fb#GpgAKTl1;hd%YuiU<G?$VE1?<jn9S=si;y7r&fmOuH=wrPL7
zrf&V?2MY2g_nfKmliU7u)13LkcU(ODvH7RhuML0J@bxz{yQZ|?Q(L~`tLe$cyLYZ%
z6}f1^7p-?pNrmE<4?XwHu9XK9fxC9>eKpx;Fl=1k9DkzmRNl>-Zk?G5<(Jg7{OH)p
zJ6oz|y?JI;@%ni0uK1`(XG`qBj^&G+n)<>8*Y}_JU|;{$``b6axMp{B&)Y{U7XPbf
z+?x81`=6UI^0n@G<QFsIN2a%bckj=74-QONy``nO`s;lQPrtgqX6M53eW#XR*>x=b
zc;}%nH~ejJXXU&J4ewliy7b9#)uqR3-`aS%prHKptmCh(>fE^G?vHn@d_F$!t(_Yx
z%f{7rHYEaWyQUqexP5iSngt7%mR7yo)HC~rb)8dBRwn`#bx$q%<&Xbd^gv!^S6^A_
z?7I)XIsY$%p|xyb<l@l6m*z}8{+m>IwCcteSMAt*fAv4!FWs~5drP*Z!W;D^ZGB|}
zNB(fp(5vmWg&$RS6tCWT=?fo>N`*1CC!4ybo+<S3?#b<stvs}-rJ`<FyDbBCWk;$a
z55BM|UN!sRq<F09)44r8r|0(eR((F9xMpi=%JHc%c3|z_t7q2?jy?Eda<s4Xy4(}<
zn}2vXD-|-LeI?888=CvqqxTm@-+t<F*RriQ4TeYB9(%av<Dq&vE6!g2orcEW4r`aw
z`roTRzklek*|iOgwV`{@>Rwd*<yram1(mm*S@Fnq4UOFeg)@f$UvKRz`RknHLm#5(
zvWCXB-@Nq3(c^7T541kmyYob4s@%9OT{n)J->_%<^8WheSB(94^Q;*UZTP{^-`NiW
z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs
z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ
zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U
zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7
z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N
z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+
z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly
zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF
z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk
z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs
z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ
zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U
zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7
z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N
z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+
z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly
zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF
z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk
z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs
z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ
zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U
zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7
z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N
z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+
z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly
zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF
z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk
z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs
z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ
zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U
zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7
z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N
z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+
z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly
zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF
z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk
z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs
z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ
zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0tEiw
J0_P^WzXhp<@caM(

literal 557056
zcmeI)X?PV?x+vfs5(p4x12PC{4O1K<LlgyppoSo$2_i~^3W^PM12P4~1`$-62!=_q
zgV-U2Ndy}^92w*Y91;53XdsBns3Nn1$|M2ItsS)6d!KXrIp^N<+~@pwcT%-$*RH+l
z`@Z$ARXaaY#h(^`9;(u@{XOkN5fKrg8o^Jfcu(lAP^s`EBD{(Wek037MFx-P(xs!y
zl#MP|wrq6SvgOKGj44;XLiw^~V=Bi~s932|<x1sZs#L8~scNuYDcndz@WJq>qN1WJ
zl`C5=*!!P+6mJMsEn5^kA|tK~m8u#MSv8{gy--{z6j3^eHXQIzkKjyErOQMIF~tN2
ztf~?!6%iR(Dk?IFH!3)KT=0G<s%q(K*EVfe=Bl*5(bo-&ZT8HJ`DNqpT)DA&`u1<@
zH}5xmV!84)uC7_Dc7ukE8Yf(zbjz(RZo9qZU3aInPwj9|$L{y_xWDHE5B7TWvHp+$
zX28HfBSwzO7(M36v6G&C?)k}on36ej*6f#Fp7Y8dvvU{ZEnKvC$<o)~`b++*e|dZL
znzft$?Y+(KZ`u0S|FNTR=f}G~`Si2hUwnD+t3!v696fgYyYEk*IeYH>4;PBUc}0XG
zucY<&%>K8$ss?$Lii(PiiVo)$QEGIsL{^O|eQnb+)!L;+_Z@cCb<LhB8++%B`71Y;
zi*KI(ZS{V`x0kO`Kk17G--S~v$?QLt*u?*<%>JI(Kl0igst_3wbY5iDP}|VuKj&uN
zaJ2G`jdL?Y|G6c*YsFB)#Z|Q~=6^Y&OZ;^c>iuc_8;v@ySU=+a*kQ?)ax)v3s!+S*
z%FaKweSbpy#sy^-=T7)l$<s59hOe)laB=7CtNXR=U3=Ue<90_ZtMd8wN!_=%o42*e
zfQ?I!=HynW-DJ?%a05*Sb^B=6gL~`N9CzUPPm4n<o^JbnugN!5SUKrf`^pO+$bDnr
z-Zy{RoS6ATo7s;P^$5=Uuay_xJ!0MQLEpqibc^0GHLl~Dl+gWY8>+WFvp6lebZlC3
z#pvs%{{FLVF+1j!ybN}=n;GA_OKiPGnH68&*!7{=yN932={zdf{b6icN_28sN^B@t
zuK6M*_TGqK889)kaZbU%U#`5|$NRmSReA8Yl|O6u(MQFhJ1(z1zkEgOrQ;uNmolP3
z-&f8IJK8vR?cF0|(@Fw=^6)b$HN$}i4gddnF12*onY0Jqej>ic3oou}@T-gY`E!Rp
zQND5R^jc@Ggfue9_1fE(4d{^H=4{;X1-D0MmpNE?%S+F<$sD@vMC!H^9ir2^Tv$IK
z_>I`vef-c~ZHD#=jfy=mcURWjT@&i2v^acr!Qrzx|K34$kG<Ps`LCjr9w;|ub9~0a
z`1<KB2DR%y{I>WFyXRJ#`<Fvymfzd5{PlHK2OZL(ROa<<_a0u7IIm#So(?s?T+{q~
zN|!dD-+Df8$f~37&+Ih3=JCe4`33D#V!MX|YZW)md%ED0FK()S&u^bNxoKMMNm<3A
zK2iTND7o=xDYv(}H*!GktI->3oopQHyL-ioHs$Yad+3vX=><JbJvy`?a$Bc+rzbD^
zIPvazZ;Z?Q^yxMq*Se;{*!1mb!{$`(p8m|Nd*7@(s7L(m%aUU^bx11e8<m|Cdrju3
zqzdIng#sL1Cp5`@ZRfh4JEm<4enPiq-WiImQ8z2;s_dkQ#S;cK+j33q>6dp;S=%F`
zRz~GrSxwgu%=`V$9(mKMuW0quRTBq()@D_e+s3y4{is`p&RN;3{P#2VFZp29b&-=J
zzg;pU@!3bdn)=DjPc3`B%!LWd^1Hk=?bq{q9j~&dVPw6Jw;uT6%?F;Txq0l>kryYf
z*?0esuXgL(@z@R1R!`n|`u#`iHJeg><MfedS7hWT9FLls{MDpIzlnSAwI*-vJ2$v@
zYF1Id$wfV@Z(m>7?{LGnDxVu#?GN7-UansG%!*&Xx4+r6w}1S0^r?s2{4i^C+L~EM
zY88Dlsb@-I!6z?AFWdX$&bZn$zuSIC-)EyI+<34!RKEZ3_cYk}WT(eQJTz&^!QqwK
zoO`Y~lvn1hbD2d|mbE{ZI(P8xKOV|xwqQlq1&@7J_1MDiibHJ{ReAcmQ~PS4J@CVz
zr(cLWT^w4Nb@BNIW3K+7Fn-D3>VHyg*wFTm)=qn>>A^#fw9H&{y8b&a3@8qLTWi_=
zcfVLMzRAmNkL^w_4y{h_xvkanmmcf4YDCvvyNjw{KjWzi^>>Wux^K(=xP^7z-Tm;^
z`|Iuh<F>C43|rSVp~=9D#i8AC(--b<-Shj{_3N8Hb;Go@7js`7yJK?P{<!Ijf0Omj
zyVGBPv0--7xvuYx%(>Y8g{Sl1oxbQ)acE$-&u>VXvZ&Ldg4v@N4{f{u;jL+_kDSWd
z+P!FV)9ZgXWJF5a(HA>iDBq%T+J*At_g8pm+tfyxLypfHeetgEW1lS!<+ttl=D=#b
zAFR1$Y)1Qm2fn?w)0QQd6B0JO*1k#6m(#}`?AGY={G#+p$5W5pw>WfYbj{}b=Y5#4
zXY%>yYSlcR@cPP>;T0P-oH_f^J7!!c{MU!mE^Pm%UxPC5-#2M-(z`dGpL`_sgUerB
z*x7Pv_UnVorG(zhh?|$#^Wwjqexvt_X|Z=Nnzj4Yj_3MbC>*|c^`#Tpzn;B$YtD?!
zX020?v`<}f>3FDDLW^)4_pEvPowh9xw^&;@t?=#ej?P=p#?9*#Gk-u{c%xRm1*ex@
z^_Lp6D-;e7KHByEhn|d^mwxx66>Tzy9QyIwOUJ@{?^`gUYv1<{&zxJ*R`0B|3m-S=
zd+RIt=|jRX&p6(;WzO0fueJFmHM}{d|DND1eX2HJTPG!I#rU9!a7?{=&-rcELub~+
zZrBjH_0q9$JwIOl?Cu)bsYz>s5EjJm96xevM!)U%gqsL|pk2>93%BfB@_n$`t-`vX
znWIr3Z%L0^cO{>g!~;QAF@r1RUWutB)dycZ+Wq{%*+ZgNm!x)A-<<sP$Hr!TI5h}(
z*XX`EYc{9u|I_MV$AWO?kMD??S(vdSy4F`&AI>XD?D<(Y-4jtOZ%?O^S6xbqpFeqI
z!-_SN*3Aj(zF>H9Xw3MLG0FSBX@6?a<3W{=h8s%x^yHLgjklJB8ZP~@(@oaKt;^0B
zk@i(^u36#CcIHhy`f@Nyl(bp!U`Eibg?&f1yi($$d*9t3H!mW1*?VzNx%S=T#*81;
zv*x6Qu>~Il#pn}WeUW&yf9%}JOTu*;^<l$;e<W5=J0_*!&!LR0I`XF2KmJ_L>3x3j
zR)xeV16o&XSkk94iIw9|zj=3J=HjI}qhhNydouQqHBa=a*Z+gW3!U$~Iry6O(Kl5S
zu72(5KOO%3H{-wAv%cl&9y2??-RqtC9fNc$6;wVy^UsfOZq?{gcFfJK+qUd-;+x*@
zEPQCs%CM-|OPgO?b7a@@KX*Mi;KPJwtq0}>#oyU_)49}w9b<OHe0sX#uBlt1X6}A>
zO8pP|?Pz}K;W1wqJ@V)e{i2V&liB5i6YUS3T{fzI(d@7ChVH%Q@LLC#F8=Gd!`IC2
zQFP0FPqynf=F*83J#x0caiqrE)tBaP`ti#-!;3ztGxPRS87(s(|L(^wb+%l%<;JV-
zI#zaDi!sHahO@?el$PFV{u2W>F8XS0Ffs<j%>Oj$k-+(Yt!Hx*CqJ@%QkSh~7sT(H
zu(s}`_7z*i@0yy`tJKjk5BD0Cy1LStbz9y(l3rN1py>M6`-2x3lHPbfZ}Rre``i9?
z!I-nJ_pDw}lrT5gJ2dXA!e4I3%s-Rfe_Tpp>hgvK+v~=jnzQHhf<r+tiw@RFX%*hc
znsX^TF*01M;M7Zc-ZgoDUQX3@%NwRHFE#jqUO~yi(arej{RuTPJ7@I@_C@?x?udP2
zP{$YIcg@LYwPV1#+>XIHQ;&4MvGUm2D{d{Uzo=gR-1Whj9W*oMg+SKwTJ`cbm#E5r
zY;3{RcW&>Pad2YWmP1mPN39F<3cp`A9QMHBtp{cv%{Vaj){8sB@WZ2S$IZzb7IhDg
z;d@?cz2!)9tBScnje}!nJaJ`XK+JQokB!|v<3w_w(tn3LszuHGv>7Mbr!H^Wr*vY)
zU&Y^%Jw80Hrd4>q@#1Q?o{jxmR<9c?{$c{l>((SZAi`Z-d-~Ve%?7Ti7Y?>(lYeYq
zvniNb!cCSg85H5D%jMq`J3jvOg74zyl`7x6c5?f%h2cn(Z}`Qi36AbEWM`RL#i0|0
zog#yEPM4#xS7M8LE(ka{O<|RAutDR=CFKY@zGLUU;lc!4_f8CE#pdz5UM;(4XL>@@
zZu=Iczg+V~m%XhA9_<wF*|Z>_>wb4r?64CZo9@lbsJ*vi!hxHEY30JW)FT~M=65f-
zCVXF%_2Gm%Kb5-rFT3JOMiKvX*IiS#H3)(U@~!su=G<9f<iUVkS^1$e$NSAVp72>P
zSuDH$_=fS{G<&tfo}Jx;PAr%IQ--C=H{N<SaJuN)EBJz`r$WgLoiM!lt|jFfhlhK3
zew}#oxuD@-nhU>JT5WepW>>BY^UK`6Eoo}^w}QHM>37@Vg?X)x)=YY2$B^?2Mz8O1
zVfx8&!KFL0a<6dr9$ocJ()+<530;4_Eai;8D;T<Y`%bk#HMaEMCJ$aPxW(x8b=DuB
z+31zV!O#gH-I%gzYQHO>ZaZ7M-!s|cQrGRDw*SoU9&Yw%_Vfxnp0B$ts;Fwp*EKqK
zuHEDcio$g<cV`3>dO~ph4d=eFAgRuzd%A_snRIYv+`Ma#HmDom50Am5M)mv6O*<J5
zwbe@_Ta9WNTs9V$TCn=kv6yx{?|U%Z_aFCp;m%&a%~%-z_$_}pn7w%Ab>S|pRd3ZR
zmE$sA&JK5bcr5%c6`HWNR!Yzv0np^14$f^Ju5@@N`ssP{pLcz6<(OUlGus@?xqQ6y
zw8h!w>a5MIcc|eTv4QpQkU2T|&9S4Jb~rMlq+|huTh^7FE&IJ;TXPbhz0%pijP~=S
zk{Ir$E0f$mcICBw;&Ql~>kq!;Tux%v{?~)=+->@w48HdU-Jcr-WKjbK7+`<_1{h#~
z0R|XgfB^;=V1NMz7+`<_1{h#~0R|XgfB^;=V1NMz7+`<_1{h#~0R|XgfB^;=V1NMz
z7+`<_1{h#~0S10DFmFR}3!>!UpK-%CqWP~}T1^P<cGTy^;C4r88CUoHd7T~;+$$<!
zZ{nuR#<^dI*LmUhy00tQUHa4DBmaDLa?{sAyovvO9d5GZM2*AE{zq2{`<@G*zt8_+
zJu!UZQvVOD=+S$F7D{IXb&jx7ga1Ab{2#u15V#Km0}L?000Rs#zyJdbFu(u<3^2d|
z0}L?000Rs#zyJdbFu(u<3^2d|0}L?000Rs#zyJdbFu(u<3^2d|0}L?000Rs#zyJdb
zFu(u<3^2d|0}L?000Rs#zyJdbFu(u<3^2d|0}L?000Rs#zyJdbFu(u<3^2d|0}L?0
z00Rs#zyJdbFu(u<3^2d|0}L?000Rs#zyJdbFu(u<3^2d|0}L?000Rs#zyJdbFu(u<
z3^2d|0}L?000Rs#zyJdbFu(u<3^2d|0}L?000Rs#zyJdbFu(u<3^2d|0}L?000Rs#
zzyJdbFu(u<3^2d|0}L?000Rs#zyJdbFu(u<3^2d|0}L?000Rs#zyJdbFu(u<3^2d|
z0}L?000Rs#zyJdbFu(u<3^2d|0}L?000Rs#zyJdbFu(u<3^2d|0}L?000Rs#zyJdb
zFu(u<3^2d|0}L?000Rs#zyJdbFu(u<3^2d|0}L?000Rs#zyJdbFu(u<3^2d|0}L?0
z00Rs#zyJdbFu(u<3^2d|0}L?000Rs#zyJdbFu(u<3^2d|0}L?000Rs#zyJdbFu(u<
z3^2d|0}L?000Rs#zyJdbFu(u<3^2d|0}L?000Rs#zyJdbFu(u<3^2d|0}L?000Rs#
zzyJdbFu(u<3^2d|0}L?000Rs#zyJdbFu(u<3^2d|0}L?000Rs#zyJdbFu(u<3^2d|
z0}L?000Rs#zyJdbFu(u<3^2d|0}L?000Rs#zyJdbFu(u<3^2d|0}L?000Rs#zyJdb
zFu(u<3^2d|0}L?000Rs#zyJdbFu(u<3^2d|0}L?000Rs#zyJdbFu(u<3^2d|0}L?0
z00Rs#zyJdbFu(u<3^2d|0}L?000Rs#zyJdbFu(u<3^2d|0}L?000Rs#zyJdbFu(u<
z3^2d|0}L?000Rs#zyJdbFu(u<3^2d|0}L?000Rs#zyJdbFu(u<3^2d|0}L?000Rs#
zzyJdbFu(u<3^2d|0}L?000Rs#zyJdbFu(u<3^2d|0}L?000Rs#zyJdbFu(u<3^2d|
z0}L?000Rs#zyJdbFu(u<3^2d|0}L?000Rs#zyJdbFu(u<3^2d|0}L?000Rs#zyJdb
zFu(u<3^2d|0}L?000Rs#zyJdbFu(u<3^2d|0}L?000Rs#zyJdbFu(u<3^2d|0}L?0
z00Rs#zyJdbFu(u<3^2d|0}L?000Rs#zyJdbFu(u<3^2d|0}L?000Rs#zyJdbFu(u<
z3^2d|0}L?000Rs#zyJdbFu(u<3^2d|0}L?000Rs#zyJdbFu(u<3^2d|0}L?000Rs#
zzyJdbFu(u<3^2d|0}L?000Rs#zyJdbFu(u<3^2d|0}L?000Rs#zyJdbFu(u<3^2d|
z0}L?000Rs#zyJdbFu(u<3^2d|0}L?000Rs#zyJdbFu(u<3^2d|0}L?000Rs#zyJdb
zFu(u<3^2d|0}L?000Rs#zyJdbFu(u<3^2d|0}L?000Rs#zyJdbFu(u<3^2d|0}L?0
z00Rs#zyJdbFu(u<3^2d|0}L?000Rs#zyJdbFu(u<3^2d|0}L?000Rs#zyJdbFu(u<
z3^2d|0}L?000Rs#zyJdbFu(u<3^2d|0}L?000Rs#zyJdbFu(u<3^2d|0}L?000Rs#
zzyJdbFu(u<3^2d|0}L?000Rs#zyJdbFu(u<3^2d|0}L?000Rs#zyJdbFu(u<3^2d|
z0}L?000Rs#zyJdbFu(u<3^2d|0}L?000Rs#zyJdbFu(u<3^2d|0}L?000Rs#zyJdb
zFu(u<3^2d|0}L?000Rs#zyJdbFu(u<3^2d|0}L?000Rs#zyJdbFu(u<3^2d|0}L?0
z00Rs#zyJdbFu(u<3^2d|0}L?000Rs#zyJdbFu(u<3^2d|0}L?000Rs#zyJdbFu(u<
z3^2d|0}L?000Rs#zyJdbFu(u<3^2d|0}L?000Rs#zyJdbFu(u<3^2d|0}L?000Rs#
zzyJdbFu(u<3^2d|0}L?000Rs#zyJdbFu(u<3^2d|0}L?000Rs#zyJdbFu(u<3^2d|
z0}L?000Rs#zyJdbFu(u<3^2d|0}L?000Rs#zyJdbFu(u<3^2d|0}L?000Rs#zyJdb
zFu(u<3^2d|0}L?000Rs#zyJdbFu(u<3^2d|0}L?000Rs#zyJdbFu(u<3^2d|0}L?0
z00Rs#zyJdbFu(u<3^2d|0}L?000Rs#zyJdbFu(u<3^2d|0}L?000Rs#zyJdbFu(u<
z3^2d|0}L?000Rs#zyJdbFu(u<3^2d|0}L?000Rs#zyJdbFu(u<3^2d|0}L?000Rs#
zzyJdbFu(u<3^2d|0}L?000Rs#zyJdbFu(u<3^2d|0}L?000Rs#zyJdbFu(u<3^2d|
z0}L?000Rs#zyJdbFu(u<3^2d|0}L?000Rs#zyJdbFu(u<3^2d|0}L?000Rs#zyJdb
zFu(u<3^2d|0}L?000Rs#zyJdbFu(u<3^2d|0}L?000Rs#zyJdbFu(u<3^2d|0}L?0
z00Rs#zyJdbFu(u<3^2d|0}L?000Rs#zyJdbFu(u<3^2d|0}L?000Rs#zyJdbFu(u<
z3^2d|0}L?000Rs#zyJdbFu(u<3^2d|0}L?000Rs#zyJdbFu(u<3^2d|0}L?000Rs#
zzyJdbFu(u<3^2d|0}L?000Rs#zyJdbFu(u<3^2d|0}L?000Rs#zyJdbFu(u<3^2d|
z0}L?000Rs#zyJdbFu(u<3^2d|0}L?000Rs#zyJdbFu(u<3^2d|0}L?000Rs#zyJdb
zFu(u<3^2d|0}L?000Rs#zyJdbFu(u<3^2d|0}L?000Rs#zyJdbFu(u<3^2d|0}L?0
z00Rs#zyJdbFu(u<3^2d|0}L?000Rs#zyJdbFu(u<3^2d|0}L?000Rs#zyJdbFu(u<
z3^2d|0}L?000Rs#zyJdbFu(u<3^2d|0}L?000Rs#zyJdbFu(u<3^2d|0}L?000Rs#
zzyJdbFu(u<3^2d|0}L?000Rs#zyJdbFu(u<3^2d|0}L?000Rs#zyJdbFu(u<3^2d|
z0}L?000Rs#zyJdbFu(u<3^2d|0}L?000Rs#zyJdbFu(u<3^2d|0}L?000Rs#zyJdb
zFu(u<3^2d|0}L?000Rs#zyJdbFu(u<3^2d|0}L?000Rs#zyJdbFu(u<3^2d|0}L?0
z00Rs#zyJdbFu(u<3^2d|0}L?000Rs#zyJdbFu(u<3^2d|0}L?000Rs#zyJdbFu(u<
z3^2d|0}L?000Rs#zyJdbFu(u<3^2d|0}L?000Rs#zyJdbFu(u<3^2d|0}L?000Rs#
jzyJdbFu(u<3^2d|0}L?000Rs#zyJdbFu=fnLj(U40pE|j

diff --git a/spec/models/upload_spec.rb b/spec/models/upload_spec.rb
index 23d79fc4692..3415363b6b6 100644
--- a/spec/models/upload_spec.rb
+++ b/spec/models/upload_spec.rb
@@ -56,11 +56,11 @@ describe Upload do
 
     upload = Upload.find(upload.id)
 
-    expect(upload.width).to eq(64250)
-    expect(upload.height).to eq(64250)
+    expect(upload.width).to eq(8900)
+    expect(upload.height).to eq(8900)
 
     upload.reload
-    expect(upload.read_attribute(:width)).to eq(64250)
+    expect(upload.read_attribute(:width)).to eq(8900)
 
     upload.update_columns(width: nil, height: nil, thumbnail_width: nil, thumbnail_height: nil)