Assertion failure: image.primary_image.data, at /builds/worker/checkouts/gecko/image/decoders/nsAVIFDecoder.cpp:272
Categories
(Core :: Graphics: ImageLib, defect)
Tracking
()
People
(Reporter: tsmith, Assigned: tnikkel)
References
(Blocks 1 open bug, Regression)
Details
(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:bisected,confirmed])
Attachments
(2 files)
testcase.avif
Found while fuzzing m-c 20230812-3328121ba1cc (--enable-debug --enable-fuzzing)
To reproduce via Grizzly Replay:
$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.avif
Assertion failure: image.primary_image.data, at /builds/worker/checkouts/gecko/image/decoders/nsAVIFDecoder.cpp:272
#0 0x7f44b3ff4536 in mozilla::image::AVIFParser::GetImage(mozilla::image::AVIFImage&) /builds/worker/checkouts/gecko/image/decoders/nsAVIFDecoder.cpp:272:3
#1 0x7f44b3ff7b36 in mozilla::image::nsAVIFDecoder::DoDecodeInternal(mozilla::image::SourceBufferIterator&, mozilla::image::IResumable*) /builds/worker/checkouts/gecko/image/decoders/nsAVIFDecoder.cpp:1465:29
#2 0x7f44b3ff709b in mozilla::image::nsAVIFDecoder::DoDecode(mozilla::image::SourceBufferIterator&, mozilla::image::IResumable*) /builds/worker/checkouts/gecko/image/decoders/nsAVIFDecoder.cpp:1195:25
#3 0x7f44b3f359f0 in mozilla::image::Decoder::Decode(mozilla::image::IResumable*) /builds/worker/checkouts/gecko/image/Decoder.cpp:177:19
#4 0x7f44b3f4f426 in mozilla::image::MetadataDecodingTask::Run() /builds/worker/checkouts/gecko/image/IDecodingTask.cpp:161:34
#5 0x7f44b3f58ce1 in mozilla::image::DecodingTask::Run() /builds/worker/checkouts/gecko/image/DecodePool.cpp:146:12
#6 0x7f44b271f115 in mozilla::TaskController::RunPoolThread() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:357:33
#7 0x7f44c87c49ef in _pt_root /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:201:5
#8 0x7f44c8494b42 in start_thread nptl/pthread_create.c:442:8
#9 0x7f44c85269ff misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
|
||
Comment 2•10 months ago
|
||
Set release status flags based on info from the regressing bug 1788119
:Zaggy1024, since you are the author of the regressor, bug 1788119, could you take a look?
For more information, please visit BugBot documentation.
|
Assignee | |
Comment 3•10 months ago
|
||
Zaggy1024, if you prefer, I'm happy to look into this.
|
||
Comment 4•10 months ago
|
||
Verified bug as reproducible on mozilla-central 20230814214038-27c67d619752.
The bug appears to have been introduced in the following build range:
Start: 8dfe63fbc302f61029f4f652942e4628b4a1b209 (20230127165641)
End: 72da2fb0aab1c5cd50aee0b7759eb4678a2d84b8 (20230127202057)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=8dfe63fbc302f61029f4f652942e4628b4a1b209&tochange=72da2fb0aab1c5cd50aee0b7759eb4678a2d84b8
|
|
Assignee | |
Updated•10 months ago
|
|
||
Updated•10 months ago
|
|
||
Updated•10 months ago
|
Hi, I am just curious where the testcase.avif came from.
The image would not display in my Chromium (v116) either, and I have tried the validator with it, which gives:
[avif] 3 error(s), 1 warning(s).
[miaf] 1 error(s), 0 warning(s).
[isobmff] 1 error(s), 0 warning(s).
|
|
Assignee | |
Comment 6•10 months ago
|
||
The image came from a fuzzer. It is not expected to display necessarily. It is however expected that we don't assert or crash.
To follow up on the needinfo (sorry for the delay, had account issues):
Looks like the file's primary item (contained in the pitm box) refers to an item with an extent starting at the end of the mdat box, so the size ends up being zero. In mp4parse, that zero-length data gets returned as a null pointer, which Firefox's AVIF decoder doesn't account for.
In my opinion, the mp4parse_avif_get_image() API should guarantee that a primary item is present if no error is returned (as nsAVIFDecoder currently assumes), so there should probably be a few more checks/assertions present there. We should return an error if there is no primary item, and we should be able to guarantee that if context.alpha_item_is_present() is true, we return a non-null Mp4parseByteData for the alpha image.
mp4parse should also return an error in read_avif() (relevant code) in case the primary or alpha items have zero-sized data, as that is never valid. To prevent that case from happening, DataBox.get(Extent) should return None in cases where the slice length is zero, causing the AVIF item location not to be found.
As a quick fix, though, AVIFParser::GetImage() can check whether the data is null and if so return the same error as if the primary item was not present. That check could be removed if mp4parse is changed to guarantee an error instead.
|
|
||
Comment 8•10 months ago
|
||
Set release status flags based on info from the regressing bug 1788119
|
||
Updated•10 months ago
|
|
|
Assignee | |
Comment 9•8 months ago
|
||
|
||
Updated•8 months ago
|
|
||
Comment 10•8 months ago
|
||
Pushed by tnikkel@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/64af05ee7091 Check that an avif has primary image data too. r=Zaggy1024
|
||
Comment 11•8 months ago
|
||
| bugherder | ||
|
|
||
Comment 12•8 months ago
|
||
The patch landed in nightly and beta is affected.
:tnikkel, is this bug important enough to require an uplift?
- If yes, please nominate the patch for beta approval.
- If no, please set
status-firefox119towontfix.
For more information, please visit BugBot documentation.
|
|
Assignee | |
Updated•8 months ago
|
|
|
||
Updated•8 months ago
|
|
|
||
Comment 13•8 months ago
|
||
Verified bug as fixed on rev mozilla-central 20231011092203-bbe69c1ce114.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
Description
•