Closed Bug 1817108 Opened 2 years ago Closed 2 years ago

Assertion failure: rgbSize == GetImageMetadata().GetOrientation().ToUnoriented(Size()).ToUnknownSize(), at /builds/worker/checkouts/gecko/image/decoders/nsAVIFDecoder.cpp:1569

Categories

(Core :: Graphics: ImageLib, defect, P3)

Product:
Core
Component:
Graphics: ImageLib
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
112 Branch
Tracking Flags:
Tracking Status
firefox-esr102 --- unaffected
firefox110 --- unaffected
firefox111 --- disabled
firefox112 --- fixed

People

(Reporter: tsmith, Assigned: Zaggy1024)

References

Details

(Keywords: assertion, testcase)

Attachments

(2 files)

testcase.avif
2.06 KB, image/avif
Details
Bug 1817108 - Check that AVIF frame sizes remain unchanged during animation. r=tnikkel
48 bytes, text/x-phabricator-request
Details | Review
Attached image testcase.avif

Found while fuzzing m-c 20230215-d07a18cd4ca2 (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.avif

Assertion failure: rgbSize == GetImageMetadata().GetOrientation().ToUnoriented(Size()).ToUnknownSize(), at /builds/worker/checkouts/gecko/image/decoders/nsAVIFDecoder.cpp:1569

#0 0x7f565c21a9c6 in mozilla::image::nsAVIFDecoder::Decode(mozilla::image::SourceBufferIterator&, mozilla::image::IResumable*) /builds/worker/checkouts/gecko/image/decoders/nsAVIFDecoder.cpp:1567:3
#1 0x7f565c217cf1 in mozilla::image::nsAVIFDecoder::DoDecode(mozilla::image::SourceBufferIterator&, mozilla::image::IResumable*) /builds/worker/checkouts/gecko/image/decoders/nsAVIFDecoder.cpp:1195:25
#2 0x7f565c159fe7 in mozilla::image::Decoder::Decode(mozilla::image::IResumable*) /builds/worker/checkouts/gecko/image/Decoder.cpp:177:19
#3 0x7f565c15998b in mozilla::image::AnimationSurfaceProvider::Run() /builds/worker/checkouts/gecko/image/AnimationSurfaceProvider.cpp:232:36
#4 0x7f565c17c391 in mozilla::image::DecodingTask::Run() /builds/worker/checkouts/gecko/image/DecodePool.cpp:146:12
#5 0x7f565aa2fb53 in mozilla::TaskController::RunPoolThread() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:328:33
#6 0x7f566dbbec86 in _pt_root /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:201:5
#7 0x7f566e467b42 in start_thread nptl/pthread_create.c:442:8
#8 0x7f566e4f99ff  misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
Flags: in-testsuite?

Unable to reproduce bug 1817108 using build mozilla-central 20230215145624-d07a18cd4ca2. Without a baseline, bugmon is unable to analyze this bug.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon

I am able to reproduce but only with the pref image.avif.sequence.enabled=true

Timothy, could you take this bug? It looks like the image size doesn't match the metadata size even though the decoded size seems to be correct.

Flags: needinfo?(tnikkel)
Severity: -- → S3
Priority: -- → P3

Yeah, either myself or Zaggy will get to this before turned on the animated avif pref

Flags: needinfo?(tnikkel)

It looks like this was caused by changing frame size in the animated bitstream, just something I overlooked. I've got a fix coming soon.

Blocks: 1813145
Assignee: nobody → Zaggy1024
Status: NEW → ASSIGNED
Pushed by tnikkel@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/2351f87a1d9c Check that AVIF frame sizes remain unchanged during animation. r=tnikkel

https://hg.mozilla.org/mozilla-central/rev/2351f87a1d9c

Status: ASSIGNED → RESOLVED
Closed: 2 years ago
status-firefox112: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → 112 Branch
Flags: in-testsuite? → in-testsuite+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: