[Webkit-unassigned] [Bug 223843] New: Fix a crash due to the failure of AVIF decoding

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Sat Mar 27 14:19:46 PDT 2021


https://bugs.webkit.org/show_bug.cgi?id=223843

            Bug ID: 223843
           Summary: Fix a crash due to the failure of AVIF decoding
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: Images
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: changseok at webkit.org

https://gif2avif.com/browser-test/ crashes where AVIF support is enabled.

#0  0x00007fa33d834cf0 in WebCore::AVIFImageReader::imageCount() const ()
   from target:/app/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#1  0x00007fa33d834441 in WebCore::AVIFImageDecoder::tryDecodeSize(bool) ()
   from target:/app/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#2  0x00007fa33d813ef3 in WebCore::ScalableImageDecoder::setData(WebCore::SharedBuffer&, bool) ()
   from target:/app/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#3  0x00007fa33cfa765c in WebCore::ImageSource::dataChanged(WebCore::SharedBuffer*, bool) ()
   from target:/app/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#4  0x00007fa33cd07363 in WebCore::CachedImage::updateImageData(bool) ()
   from target:/app/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#5  0x00007fa33cd0d0e0 in WebCore::CachedImage::updateBufferInternal(WebCore::SharedBuffer&) ()
   from target:/app/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#6  0x00007fa33cd0d332 in WebCore::CachedImage::updateBuffer(WebCore::SharedBuffer&) ()
   from target:/app/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#7  0x00007fa33c9dfcad in WebCore::ImageDocumentParser::appendBytes(WebCore::DocumentWriter&, char const*, unsigned long) () from target:/app/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#8  0x00007fa33b550696 in WebKit::WebFrameLoaderClient::committedLoad(WebCore::DocumentLoader*, char const*, int) () from target:/app/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#9  0x00007fa33cc527aa in WebCore::DocumentLoader::commitLoad(char const*, int) ()
   from target:/app/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#10 0x00007fa33cd1b6d8 in WebCore::CachedRawResource::notifyClientsDataWasReceived(char const*, unsigned int) [clone .part.0] () from target:/app/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#11 0x00007fa33cd1bd5a in WebCore::CachedRawResource::updateBuffer(WebCore::SharedBuffer&) [clone .part.0] () from target:/app/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#12 0x00007fa33ccd6c22 in WebCore::SubresourceLoader::didReceiveDataOrBuffer(char const*, int, WTF::RefPtr<WebCore::SharedBuffer, WTF::RawPtrTraits<WebCore::SharedBuffer>, WTF::DefaultRefDerefTraits<WebCore::SharedBuffer> >&&, long long, WebCore::DataPayloadType) ()
   from target:/app/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#13 0x00007fa33ccd6dc5 in WebCore::SubresourceLoader::didReceiveData(char const*, unsigned int, long long, WebCore::DataPayloadType) () from target:/app/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
Backtrace stopped: Cannot access memory at address 0x7fff96d4b698
