Closed Bug 1814561 Opened 2 years ago Closed 2 years ago

Assertion failure: aSamples.mColorImage, at /builds/worker/checkouts/gecko/image/decoders/nsAVIFDecoder.cpp:518

Categories

(Core :: Graphics: ImageLib, defect)

Tracking

RESOLVED FIXED
111 Branch
Tracking Status
firefox-esr102 --- unaffected
firefox109 --- unaffected
firefox110 --- unaffected
firefox111 --- fixed

People

(Reporter: tsmith, Assigned: Zaggy1024)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, testcase)

Attachments

(2 files)

Attached image testcase.avif

Found while fuzzing m-c 20230201-b7f075124503 (--enable-debug --enable-fuzzing)

Requires pref image.avif.sequence.enabled=true

Assertion failure: aSamples.mColorImage, at /builds/worker/checkouts/gecko/image/decoders/nsAVIFDecoder.cpp:518

#0 0x7fc11093d214 in mozilla::image::Dav1dDecoder::Decode(bool, Mp4parseAvifInfo const&, mozilla::image::AVIFImage const&) /builds/worker/checkouts/gecko/image/decoders/nsAVIFDecoder.cpp:518:5
#1 0x7fc110911d69 in mozilla::image::nsAVIFDecoder::Decode(mozilla::image::SourceBufferIterator&, mozilla::image::IResumable*) /builds/worker/checkouts/gecko/image/decoders/nsAVIFDecoder.cpp:1491:17
#2 0x7fc110910f61 in mozilla::image::nsAVIFDecoder::DoDecode(mozilla::image::SourceBufferIterator&, mozilla::image::IResumable*) /builds/worker/checkouts/gecko/image/decoders/nsAVIFDecoder.cpp:1181:25
#3 0x7fc110853057 in mozilla::image::Decoder::Decode(mozilla::image::IResumable*) /builds/worker/checkouts/gecko/image/Decoder.cpp:177:19
#4 0x7fc1108529fb in mozilla::image::AnimationSurfaceProvider::Run() /builds/worker/checkouts/gecko/image/AnimationSurfaceProvider.cpp:232:36
#5 0x7fc110875401 in mozilla::image::DecodingTask::Run() /builds/worker/checkouts/gecko/image/DecodePool.cpp:146:12
#6 0x7fc10f1aee03 in mozilla::TaskController::RunPoolThread() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:328:33
#7 0x7fc122f75c86 in _pt_root /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:201:5
#8 0x7fc123cf6608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477:8
#9 0x7fc1238a1132 in __clone /build/glibc-SzIz7B/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
Flags: in-testsuite?
Crash Signature: [@ mozilla::AlignedBuffer<T>::Data ]

The iterator used to read from an AVIF sample index will return true from
HasNext() even if the next sample is incomplete. We should error completely
out of the decode when this happens, so that we are always guaranteed to have a
sample to decode when there is no error in the parser.

Assignee: nobody → Zaggy1024
Status: NEW → ASSIGNED
Severity: -- → S3
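
The failure mode described in the comment above, as an added C++ example that is not the Gecko patch or any code from this bug: an iterator whose HasNext() consults only the sample index, and a caller that turns a failed read into an error for the whole decode. All names (SampleEntry, SampleIterator, DecodeAll, RunCase) and the 10-byte input are hypothetical and constructed for illustration.

```cpp
// Added illustration. Every name here is hypothetical; this is not Gecko code.
#include <cstddef>
#include <cstdint>
#include <vector>
struct SampleEntry { size_t offset, size; };  // one row of a sample index

class SampleIterator {
 public:
  SampleIterator(const std::vector<uint8_t>& aData,
                 const std::vector<SampleEntry>& aIndex)
      : mData(aData), mIndex(aIndex) {}
  // Consults only the index, so it is true even for a sample whose bytes
  // are not all present in the buffer.
  bool HasNext() const { return mPos < mIndex.size(); }
  // Returns false when the indexed byte range is not fully available.
  bool GetNext(std::vector<uint8_t>* aOut) {
    if (!HasNext()) return false;
    const SampleEntry& e = mIndex[mPos++];
    if (e.offset > mData.size() || e.size > mData.size() - e.offset) return false;
    aOut->assign(mData.data() + e.offset, mData.data() + e.offset + e.size);
    return true;
  }
 private:
  const std::vector<uint8_t>& mData;
  const std::vector<SampleEntry>& mIndex;
  size_t mPos = 0;
};

enum class DecodeResult { Ok, ReadError };

// A failed read ends the whole decode with an error, so the decode step
// below is only reached with a complete sample in hand.
DecodeResult DecodeAll(SampleIterator& aIter, size_t* aDecoded) {
  std::vector<uint8_t> sample;
  *aDecoded = 0;
  while (aIter.HasNext()) {
    if (!aIter.GetNext(&sample)) return DecodeResult::ReadError;
    ++*aDecoded;  // stand-in for handing `sample` to the frame decoder
  }
  return DecodeResult::Ok;
}

// Constructed input: a 10-byte buffer whose second index entry either fits
// (4+6) or claims 16 bytes that are not there.
DecodeResult RunCase(bool aTruncated, size_t* aDecoded) {
  std::vector<uint8_t> data(10, 0xAB);
  std::vector<SampleEntry> index = {{0, 4}, {4, aTruncated ? size_t(16) : size_t(6)}};
  SampleIterator it(data, index);
  return DecodeAll(it, aDecoded);
}
```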

This requires image.avif.sequence.enabled=true for me to reproduce and does not reproduce before bug 1788119 landed.

Duplicate of this bug: 1814557
Duplicate of this bug: 1814559
Pushed by tnikkel@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/88ec39c52edb Error out when samples fail to be read from an AVIF sequence. r=tnikkel
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 111 Branch