Assertion failure: aSamples.mColorImage, at /builds/worker/checkouts/gecko/image/decoders/nsAVIFDecoder.cpp:518
Categories
(Core :: Graphics: ImageLib, defect)
Tracking
Release | Tracking | Status |
---|---|---|
firefox-esr102 | --- | unaffected |
firefox109 | --- | unaffected |
firefox110 | --- | unaffected |
firefox111 | --- | fixed |
People
(Reporter: tsmith, Assigned: Zaggy1024)
References
(Blocks 1 open bug)
Details
(Keywords: assertion, testcase)
Attachments
(2 files)
Found while fuzzing m-c 20230201-b7f075124503 (--enable-debug --enable-fuzzing)
Requires pref image.avif.sequence.enabled=true
Assertion failure: aSamples.mColorImage, at /builds/worker/checkouts/gecko/image/decoders/nsAVIFDecoder.cpp:518
#0 0x7fc11093d214 in mozilla::image::Dav1dDecoder::Decode(bool, Mp4parseAvifInfo const&, mozilla::image::AVIFImage const&) /builds/worker/checkouts/gecko/image/decoders/nsAVIFDecoder.cpp:518:5
#1 0x7fc110911d69 in mozilla::image::nsAVIFDecoder::Decode(mozilla::image::SourceBufferIterator&, mozilla::image::IResumable*) /builds/worker/checkouts/gecko/image/decoders/nsAVIFDecoder.cpp:1491:17
#2 0x7fc110910f61 in mozilla::image::nsAVIFDecoder::DoDecode(mozilla::image::SourceBufferIterator&, mozilla::image::IResumable*) /builds/worker/checkouts/gecko/image/decoders/nsAVIFDecoder.cpp:1181:25
#3 0x7fc110853057 in mozilla::image::Decoder::Decode(mozilla::image::IResumable*) /builds/worker/checkouts/gecko/image/Decoder.cpp:177:19
#4 0x7fc1108529fb in mozilla::image::AnimationSurfaceProvider::Run() /builds/worker/checkouts/gecko/image/AnimationSurfaceProvider.cpp:232:36
#5 0x7fc110875401 in mozilla::image::DecodingTask::Run() /builds/worker/checkouts/gecko/image/DecodePool.cpp:146:12
#6 0x7fc10f1aee03 in mozilla::TaskController::RunPoolThread() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:328:33
#7 0x7fc122f75c86 in _pt_root /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:201:5
#8 0x7fc123cf6608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477:8
#9 0x7fc1238a1132 in __clone /build/glibc-SzIz7B/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
Comment 1•2 years ago
Got a crash with AVIF pref set: https://crash-stats.mozilla.org/report/index/cf1b69d0-88d7-4c18-831b-1eda70230202#tab-bugzilla
The iterator used to read from an AVIF sample index will return true from HasNext() even if the next sample is incomplete. We should error completely out of the decode when this happens, so that we are always guaranteed to have a sample to decode when there is no error in the parser.
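The failure mode described in the comment above, as an added C++ example that is not Gecko's code: `SampleReader`, `SampleEntry`, `Span`, `DecodeNextFrame` and `DecodeResult` are hypothetical names, and only `HasNext()` is taken from the bug. It shows an index-driven iterator whose `HasNext()` is true for a truncated sample, and a decode step that treats the missing sample as a parse error instead of asserting on it later.

```cpp
// Added illustration; not Gecko code. All type and function names are hypothetical.
#include <cstddef>
#include <cstdint>
#include <optional>
#include <utility>
#include <vector>

struct SampleEntry { size_t offset; size_t size; };  // one row of the sample index
struct Span { const uint8_t* data; size_t len; };

// Walks an index parsed from the container header. The index can describe
// more bytes than the buffer actually holds (truncated or malformed file).
class SampleReader {
 public:
  // buf must outlive the reader; only a reference is stored.
  SampleReader(const std::vector<uint8_t>& buf, std::vector<SampleEntry> index)
      : mBuf(buf), mIndex(std::move(index)) {}

  // True whenever the index has another entry, even if its bytes are missing.
  bool HasNext() const { return mPos < mIndex.size(); }

  // Returns the sample bytes, or nullopt when the entry is not fully present.
  std::optional<Span> GetNext() {
    if (!HasNext()) return std::nullopt;
    const SampleEntry e = mIndex[mPos++];
    // Overflow-safe bounds check: offset + size must fit inside the buffer.
    if (e.offset > mBuf.size() || e.size > mBuf.size() - e.offset) {
      return std::nullopt;
    }
    return Span{mBuf.data() + e.offset, e.size};
  }

 private:
  const std::vector<uint8_t>& mBuf;
  std::vector<SampleEntry> mIndex;
  size_t mPos = 0;
};

enum class DecodeResult { Ok, NoSamples, ParseError };

// Never hands an absent sample to the codec: an index entry without backing
// bytes ends the decode with an error instead of reaching a later assertion.
DecodeResult DecodeNextFrame(SampleReader& reader, size_t* decodedBytes) {
  if (!reader.HasNext()) return DecodeResult::NoSamples;
  std::optional<Span> sample = reader.GetNext();
  if (!sample) return DecodeResult::ParseError;  // incomplete sample: stop here
  *decodedBytes = sample->len;  // stand-in for passing the sample to the codec
  return DecodeResult::Ok;
}
```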
Comment 3•2 years ago
This requires image.avif.sequence.enabled=true for me to reproduce and does not reproduce before bug 1788119 landed.
Comment 7•2 years ago
bugherder