1910211 - Assertion failure: ((bool)(__builtin_expect(!!(!NS_FAILED_impl(result)), 1))) (Failed to convert YUV into RGB data), at /builds/worker/checkouts/gecko/image/decoders/nsAVIFDecoder.cpp:1927

Status: VERIFIED FIXED

(Core :: Graphics: ImageLib, defect)

Description

[Tyson Smith [:tsmith]]

Attachment: testcase.avif

Found while fuzzing m-c 20240724-a0e3db73fd24 (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework --upgrade
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>

Assertion failure: ((bool)(__builtin_expect(!!(!NS_FAILED_impl(result)), 1))) (Failed to convert YUV into RGB data), at /builds/worker/checkouts/gecko/image/decoders/nsAVIFDecoder.cpp:1927

#0 0x78abfd68db0a in mozilla::image::nsAVIFDecoder::DoDecodeInternal(mozilla::image::SourceBufferIterator&, mozilla::image::IResumable*) /builds/worker/checkouts/gecko/image/decoders/nsAVIFDecoder.cpp:1927:3
#1 0x78abfd68a678 in mozilla::image::nsAVIFDecoder::DoDecode(mozilla::image::SourceBufferIterator&, mozilla::image::IResumable*) /builds/worker/checkouts/gecko/image/decoders/nsAVIFDecoder.cpp:1256:25
#2 0x78abfd5c116a in mozilla::image::Decoder::Decode(mozilla::image::IResumable*) /builds/worker/checkouts/gecko/image/Decoder.cpp:180:19
#3 0x78abfd5cd44f in mozilla::image::DecodedSurfaceProvider::Run() /builds/worker/checkouts/gecko/image/DecodedSurfaceProvider.cpp:125:34
#4 0x78abfd5e3cd1 in mozilla::image::DecodingTask::Run() /builds/worker/checkouts/gecko/image/DecodePool.cpp:153:12
#5 0x78abfbba0898 in mozilla::TaskController::RunPoolThread(mozilla::PoolThread*) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:350:29
#6 0x78ac0f4db6ef in _pt_root /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:201:5
#7 0x78ac0ee94ac2 in start_thread nptl/pthread_create.c:442:8
#8 0x78ac0ef2684f  misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:81

Comment 1

[Bugmon [:jkratzer for issues]]

Verified bug as reproducible on mozilla-central 20240727090309-265f9fb218cd.
Unable to bisect testcase (Testcase reproduces on start build!):

Start: 1c410aed156878dc739ffdb4343c315fb0bb0a00 (20230729091211)
End: a0e3db73fd245839270bf90032fcab98a5549a64 (20240724215903)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False, nyx=False)

Comment 2

[Timothy Nikkel (:tnikkel)]

Attachment: Bug 1910211. Error-out if an avif file specifies color space options that are not supported instead of asserting. r?#gfx-reviewers

The matrix coefficients field in the file is Identity, indicating this is RGB data, but the pixel layout field is "half width and half height". We don't support subsampling with RGB data, so we hit this

https://searchfox.org/mozilla-central/rev/fa55b33a4b56f392bc5a0c7616e0dfe055112cb5/gfx/ycbcr/yuv_convert.cpp#144

which makes ConvertYCbCrToRGB32 fail.

Comment 3

[Pulsebot]

Pushed by tnikkel@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/34a8413ced65
Error-out if an avif file specifies color space options that are not supported instead of asserting. r=gfx-reviewers,nical

Comment 4

[tszentpeteri]

https://hg.mozilla.org/mozilla-central/rev/34a8413ced65

Comment 5

[Bugmon [:jkratzer for issues]]

Verified bug as fixed on rev mozilla-central 20240807215007-70728a2fa4a2.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Comment 6

[BugBot [:suhaib / :marco/ :calixte]]

The patch landed in nightly and beta is affected.
:tnikkel, is this bug important enough to require an uplift?

• If yes, please nominate the patch for beta approval.
• If no, please set status-firefox130 to wontfix.

For more information, please visit BugBot documentation.