Open Bug 1814791 Opened 3 years ago Updated 2 years ago

Slow avif test case consumes memory before failing to load

Categories: Core :: Graphics: ImageLib, defect

Tracking Status: firefox111 --- disabled

People

(Reporter: tsmith, Unassigned, NeedInfo)

Details

(Keywords: testcase, Whiteboard: [fuzz-blocker])

Attachments

(1 file)

Attached image testcase.avif

Found while fuzzing m-c 20230201-b7f075124503 (--enable-debug --enable-fuzzing)

This test case consumes a bunch of memory before failing to load. Pressing F5 during the load makes things much worse. Marking as fuzzblocker because this can have a negative impact on libfuzzer based fuzzing.

Might be related to bug 1661368, which would also be good to fix for libfuzzer performance reasons.

Severity: -- → S3
Summary: Slow test case consumes memory before failing to load → Slow avif test case consumes memory before failing to load

This bug prevents fuzzing from making progress; however, it has low severity. It is important for fuzz blocker bugs to be addressed in a timely manner (see here why?).
:aosmond, could you increase the severity?

For more information, please visit auto_nag documentation.

Flags: needinfo?(aosmond)

Seems like most of the time/memory happens on this line

https://searchfox.org/mozilla-central/rev/08362489086b10de96e7a199b267ea5504c01583/third_party/rust/mp4parse/src/unstable.rs#166

total_sample_count is 8 million. The file is only 2kb, so there can't actually be that many samples in the file. So hopefully not too hard to avoid a useless allocation here.

For avif we currently wait until we have the whole file to start decoding (we don't want to do that forever), so we could just limit the sample table to stop when the offset goes past the file length. But I would guess mp4 video (that starts playing before the full file is downloaded) would have the same problem as here then? Is there any place in the mp4parse where we place some sort of limit on a data structure? Not sure what kind of limit would work here in general, or how to avoid this.

Flags: needinfo?(kinetik)
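Added example, not mp4parse-rust's code and not the commenter's: a plausibility bound in the spirit of the suggestion above, rejecting a declared sample count that the file length cannot possibly hold before any per-sample table is allocated. The `stsz` header layout is the standard one; the function names, the 4-bytes-per-sample floor and the test inputs (a 2 KiB file claiming 8 million samples, as in the comment) are assumptions and constructed values.

```rust
/// Minimum bytes each sample must occupy in the file: one 4-byte `stsz` size
/// entry (assumption for this example; real sample tables need more per sample).
const MIN_BYTES_PER_SAMPLE: u64 = 4;

#[derive(Debug, PartialEq)]
pub enum SampleTableError {
    /// `stsz` box shorter than its fixed 20-byte header.
    Truncated,
    /// Declared sample_count cannot fit in a file of this length.
    ImplausibleCount { declared: u64, max_possible: u64 },
}

/// Read sample_count from an `stsz` box laid out as
/// size(4) type(4) version+flags(4) sample_size(4) sample_count(4).
pub fn parse_stsz_sample_count(stsz: &[u8]) -> Result<u32, SampleTableError> {
    let raw = stsz.get(16..20).ok_or(SampleTableError::Truncated)?;
    Ok(u32::from_be_bytes([raw[0], raw[1], raw[2], raw[3]]))
}

/// Accept a declared count only if the file is large enough to hold that many
/// per-sample entries; a 2 KiB file can then never drive an 8-million-entry allocation.
pub fn checked_sample_count(declared: u64, file_len: u64) -> Result<u64, SampleTableError> {
    let max_possible = file_len / MIN_BYTES_PER_SAMPLE;
    if declared > max_possible {
        return Err(SampleTableError::ImplausibleCount { declared, max_possible });
    }
    Ok(declared)
}

/// Size the per-sample table only after the declared count has passed the bound.
pub fn plan_sample_table(stsz: &[u8], file_len: u64) -> Result<Vec<u32>, SampleTableError> {
    let declared = u64::from(parse_stsz_sample_count(stsz)?);
    let count = checked_sample_count(declared, file_len)?;
    Ok(Vec::with_capacity(count as usize))
}

/// Constructed test input: a minimal `stsz` header declaring `sample_count` samples.
pub fn constructed_stsz(sample_count: u32) -> Vec<u8> {
    let mut b = Vec::with_capacity(20);
    b.extend_from_slice(&20u32.to_be_bytes()); // box size
    b.extend_from_slice(b"stsz"); // box type
    b.extend_from_slice(&0u32.to_be_bytes()); // version + flags
    b.extend_from_slice(&0u32.to_be_bytes()); // sample_size 0: per-sample sizes follow
    b.extend_from_slice(&sample_count.to_be_bytes());
    b
}
```

The bound is deliberately coarse: it only rules out counts no file of that size could contain, and a parser that streams before the full download would need a different limit, as the comment notes.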

I've filed Issue #395 on mp4parse-rust to discuss possible solutions to this.

Not planning to work on this, but I don't want to get a nag email about this every week so I'm gonna change the whiteboard, sorry if this affects anyone negatively!

Whiteboard: [fuzzblocker] → [fuzz-blocker]
