Home/ Questions/Q 7999097
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-04T15:24:15+00:00

I’ve just run code analysis on a project I’m working on and I’ve been

  • 0

I’ve just run code analysis on a project I’m working on and I’ve been alerted to this message.

Warning 17 CA2122 : Microsoft.Security : ‘Quantizer.Quantize(Image)’
calls into ‘Bitmap.LockBits(Rectangle, ImageLockMode, PixelFormat)’
which has a LinkDemand. By making this call,
‘Bitmap.LockBits(Rectangle, ImageLockMode, PixelFormat)’ is indirectly
exposed to user code. Review the following call stack that might
expose a way to circumvent security protection:
->’Quantizer.Quantize(Image)’ ->’Quantizer.Quantize(Image)’ ->’ImageFactory.SaveFileAndReset(string)’ ->’ImageFactory.Save(string)’

    private void SaveFileAndReset(string path)
    {
        // Fix the colour palette of gif images.
        if (this.imageFormat == ImageFormat.Gif)
        {
            OctreeQuantizer quantizer = new OctreeQuantizer(255, 8);
            this.Image = quantizer.Quantize(this.Image);
        }

        /// etc....

The information I could find on MSDN was very brief and I couldn’t extract anything particularly meaningful from it and most answers I have found online simply suggest turning of the warning with a flag obviously this is something I do not want to do without being absolutely sure that I am safe to do so.

Could someone please explain what this actually means and how I would go about fixing any security issues I have that are triggering the warning?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    It looks like you have probably encountered a false positive in the rule, which does not appear to properly account for default security transparency settings under .NET 4.0. To avoid the problem, you could simply make the default transparency explicit by adding the following two assembly-level attributes to the assembly that contains ImageFactory and OctreeQuantizer:

    [assembly: SecurityCritical]
[assembly: SecurityRules(SecurityRuleSet.Level2)]

    Since these match the CLR 4.0 defaults, adding the attributes will not affect the runtime behaviour of your code. However, the presence of the attributes will allow the CA2122 rule to recognize that the problem that it is intended to detect is not actually present in your code.

    If you are interested in learning more about the transparency model and the security rule levels, see http://blogs.msdn.com/b/shawnfa/archive/2009/11/03/transparency-101-basic-transparency-rules.aspx, http://blogs.msdn.com/b/shawnfa/archive/2009/11/09/transparency-as-enforcement-in-clr-v4.aspx, and http://blogs.msdn.com/b/shawnfa/archive/2009/11/12/differences-between-the-security-rule-sets.aspx.

    • 0