Closed Bug 1656927 Opened 5 years ago Closed 5 years ago

Assertion failure: aContentType.Equals("image/avif"), at /builds/worker/checkouts/gecko/image/imgLoader.cpp:2785

Categories

(Core :: Graphics: ImageLib, defect)

defect
Not set
normal

Tracking

VERIFIED FIXED
81 Branch
Tracking Status
firefox-esr68 --- unaffected
firefox-esr78 --- unaffected
firefox79 --- unaffected
firefox80 --- unaffected
firefox81 --- verified

People

(Reporter: jkratzer, Assigned: jbauman)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(2 files)

Attached file testcase.html

Testcase found while fuzzing mozilla-central rev 84b257d07031 (built with --enable-debug).

Assertion failure: aContentType.Equals("image/avif"), at /builds/worker/checkouts/gecko/image/imgLoader.cpp:2785

    #0 0x7f1df6b6378d in AnnotateMozCrashReason /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:42:19
    #1 0x7f1df6b6378d in imgLoader::GetMimeTypeFromContent(char const*, unsigned int, nsTSubstring<char>&) /builds/worker/checkouts/gecko/image/imgLoader.cpp:2785:5
    #2 0x7f1df6b8bc5a in sniff_mimetype_callback(nsIInputStream*, void*, char const*, unsigned int, unsigned int, unsigned int*) /builds/worker/checkouts/gecko/image/imgRequest.cpp:1116:5
    #3 0x7f1df4e9c100 in nsStringInputStream::ReadSegments(nsresult (*)(nsIInputStream*, void*, char const*, unsigned int, unsigned int, unsigned int*), void*, unsigned int, unsigned int*) /builds/worker/checkouts/gecko/xpcom/io/nsStringStream.cpp:316:17
    #4 0x7f1df4e7263a in mozilla::NonBlockingAsyncInputStream::ReadSegments(nsresult (*)(nsIInputStream*, void*, char const*, unsigned int, unsigned int, unsigned int*), void*, unsigned int, unsigned int*) /builds/worker/checkouts/gecko/xpcom/io/NonBlockingAsyncInputStream.cpp:230:24
    #5 0x7f1df6b6fe31 in PrepareForNewPart /builds/worker/checkouts/gecko/image/imgRequest.cpp:878:13
    #6 0x7f1df6b6fe31 in imgRequest::OnDataAvailable(nsIRequest*, nsIInputStream*, unsigned long, unsigned int) /builds/worker/checkouts/gecko/image/imgRequest.cpp:1022:9
    #7 0x7f1df503a7b8 in nsBaseChannel::OnDataAvailable(nsIRequest*, nsIInputStream*, unsigned long, unsigned int) /builds/worker/checkouts/gecko/netwerk/base/nsBaseChannel.cpp:873:28
    #8 0x7f1df505b059 in nsInputStreamPump::OnStateTransfer() /builds/worker/checkouts/gecko/netwerk/base/nsInputStreamPump.cpp:548:23
    #9 0x7f1df505a6f7 in nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream*) /builds/worker/checkouts/gecko/netwerk/base/nsInputStreamPump.cpp:393:21
    #10 0x7f1df505b72c in non-virtual thunk to nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream*) /builds/worker/checkouts/gecko/netwerk/base/nsInputStreamPump.cpp
    #11 0x7f1df4e732d5 in mozilla::NonBlockingAsyncInputStream::RunAsyncWaitCallback(mozilla::NonBlockingAsyncInputStream::AsyncWaitRunnable*, already_AddRefed<nsIInputStreamCallback>) /builds/worker/checkouts/gecko/xpcom/io/NonBlockingAsyncInputStream.cpp:397:13
    #12 0x7f1df4e7244f in mozilla::NonBlockingAsyncInputStream::AsyncWaitRunnable::Run() /builds/worker/checkouts/gecko/xpcom/io/NonBlockingAsyncInputStream.cpp:33:14
    #13 0x7f1df4ec9592 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/checkouts/gecko/xpcom/threads/SchedulerGroup.cpp:146:20
    #14 0x7f1df4ecf3a4 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:242:16
    #15 0x7f1df4ecd16d in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:512:26
    #16 0x7f1df4ecc134 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:371:15
    #17 0x7f1df4ecc2e7 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:168:36
    #18 0x7f1df4ed3d66 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:83:37
    #19 0x7f1df4ed3d66 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_4>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:577:5
    #20 0x7f1df4ee7138 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1234:14
    #21 0x7f1df4eecaaa in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:513:10
    #22 0x7f1df57f92bf in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:87:21
    #23 0x7f1df576a763 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:334:10
    #24 0x7f1df576a67d in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:327:3
    #25 0x7f1df576a67d in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:309:3
    #26 0x7f1df964a858 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137:27
    #27 0x7f1dfae61413 in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:913:20
    #28 0x7f1df57fa087 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:237:9
    #29 0x7f1df576a763 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:334:10
    #30 0x7f1df576a67d in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:327:3
    #31 0x7f1df576a67d in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:309:3
    #32 0x7f1dfae60fb2 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:744:34
    #33 0x558db2918f5f in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
    #34 0x558db2918f5f in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:303:18
    #35 0x7f1e1042fb96 in __libc_start_main /build/glibc-2ORdQG/glibc-2.27/csu/../csu/libc-start.c:310
Flags: in-testsuite?
Flags: needinfo?(jbauman)

I added this assert thinking that imgLoader::GetMimeTypeFromContent would only be called for image types, but I suppose there's nothing to prevent someone putting some other valid MP4 container file as the src of an <image> element. I'll remove the assert.

I need to spend a bit more time looking at the calling code to see if it's acceptable to have the aContentType out parameter set to video/mp4 or if I need to ensure it isn't modified at all in this case.

Flags: needinfo?(jbauman)
Assignee: nobody → jbauman
Status: NEW → ASSIGNED
Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]
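The situation jbauman describes above, as an added illustration that is not Gecko's own code: an ISOBMFF 'ftyp' sniffer that reports image/avif only when the major brand or a compatible brand is "avif" or "avis", and leaves the caller's content type untouched for any other container (a video/mp4 file, a truncated box, bytes that are not ISOBMFF at all) instead of asserting. The function and parameter names and the constructed ftyp boxes used as input are assumptions for this example; the brand names come from the AVIF specification, and the real sniffer on this page is imgLoader::GetMimeTypeFromContent.

```cpp
// Added illustration, not Gecko's code: an ISOBMFF 'ftyp' sniffer that only
// reports image/avif when the brands say so and otherwise leaves the caller's
// content type alone. Names are assumptions made for this example.
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <initializer_list>
#include <string>
#include <vector>

namespace {
// "avif" is the brand of a still image, "avis" of an image sequence.
bool IsAvifBrand(const uint8_t* aBrand) {
  return std::memcmp(aBrand, "avif", 4) == 0 ||
         std::memcmp(aBrand, "avis", 4) == 0;
}
}  // namespace

// Returns true and sets aContentType to "image/avif" only if aData starts with
// a complete 'ftyp' box whose major brand or one compatible brand is AVIF.
// Anything else (a video/mp4 container, a truncated or oversized box, bytes
// that are not ISOBMFF) returns false without touching aContentType.
bool SniffAvifFromContent(const uint8_t* aData, size_t aLength,
                          std::string& aContentType) {
  // Box header: 4-byte big-endian size, 4-byte type. 'ftyp' then carries a
  // 4-byte major brand, a 4-byte minor version and N 4-byte compatible brands.
  if (aLength < 16 || std::memcmp(aData + 4, "ftyp", 4) != 0) {
    return false;
  }
  uint32_t boxSize = (uint32_t(aData[0]) << 24) | (uint32_t(aData[1]) << 16) |
                     (uint32_t(aData[2]) << 8) | uint32_t(aData[3]);
  if (boxSize < 16 || boxSize > aLength) {
    return false;  // header claims more bytes than were handed to us
  }
  if (IsAvifBrand(aData + 8)) {
    aContentType = "image/avif";
    return true;
  }
  for (size_t off = 16; off + 4 <= boxSize; off += 4) {
    if (IsAvifBrand(aData + off)) {
      aContentType = "image/avif";
      return true;
    }
  }
  return false;
}

// Convenience wrapper: returns the content type the caller ends up with.
std::string SniffedType(const std::vector<uint8_t>& aBytes,
                        std::string aCurrent) {
  SniffAvifFromContent(aBytes.data(), aBytes.size(), aCurrent);
  return aCurrent;
}

// Builds a constructed 'ftyp' box (example input, not a real file).
std::vector<uint8_t> MakeFtyp(const char* aMajor,
                              std::initializer_list<const char*> aCompat) {
  std::vector<uint8_t> box;
  const uint32_t size = 16 + 4 * static_cast<uint32_t>(aCompat.size());
  for (int shift = 24; shift >= 0; shift -= 8) {
    box.push_back(static_cast<uint8_t>((size >> shift) & 0xff));
  }
  box.insert(box.end(), "ftyp", "ftyp" + 4);
  box.insert(box.end(), aMajor, aMajor + 4);
  box.resize(box.size() + 4, 0);  // minor version
  for (const char* brand : aCompat) {
    box.insert(box.end(), brand, brand + 4);
  }
  return box;
}

int main() {
  // An AVIF still image next to a plain MP4 video container with the same
  // header layout; the second must keep its type and must not assert.
  std::string avif = SniffedType(MakeFtyp("avif", {"mif1", "miaf"}), "unknown");
  std::string mp4 = SniffedType(MakeFtyp("isom", {"mp42"}), "video/mp4");
  return (avif == "image/avif" && mp4 == "video/mp4") ? 0 : 1;
}
```

The size check against aLength is what keeps the compatible-brand loop inside the buffer when a fuzzed file claims a larger box than it delivers; the fallthrough that returns false without writing aContentType is the behaviour the open question in the comment above is about.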
Bugmon Analysis: Verified bug as reproducible on mozilla-central 20200804091327-7cb90fa4f485. The bug appears to have been introduced in the following build range:
> Start: e0fcac18ed9a92c1ce55f9a95af9580c6ec88b26 (20200801020404)
> End: dc86316b4008ef909127817fcd5d1fc9d088bcaa (20200801023442)
> Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=e0fcac18ed9a92c1ce55f9a95af9580c6ec88b26&tochange=dc86316b4008ef909127817fcd5d1fc9d088bcaa
Pushed by btara@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/ae8eeb6d2b88 Assertion failure: aContentType.Equals("image/avif"), at /builds/worker/checkouts/gecko/image/imgLoader.cpp:2785. r=aosmond
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → 81 Branch
Status: RESOLVED → VERIFIED
Keywords: bugmon
Bugmon Analysis: Verified bug as fixed on rev mozilla-central 20200805031417-451800aa75df. Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
Flags: in-testsuite? → in-testsuite+
Regressed by: 1656099
Has Regression Range: --- → yes