Bug 301514
| Summary: | Crash in WebCore::JPEGXLImageDecoder::decode | | |
|---|---|---|---|
| Product: | WebKit | Reporter: | Michael Catanzaro <mcatanzaro> |
| Component: | Images | Assignee: | Michael Catanzaro <mcatanzaro> |
| Status: | RESOLVED FIXED | | |
| Severity: | Minor | CC: | bugs-noreply, mcatanzaro, sabouhallawa, webkit-bug-importer |
| Priority: | P2 | Keywords: | InRadar |
| Version: | WebKit Nightly Build | | |
| Hardware: | PC | | |
| OS: | Linux | | |
Michael Catanzaro
Using WebKitGTK 2.50.1, load https://github.com/WebKit/WebKit/compare/main...webkitglib/2.46 and scroll down the page. The web process will crash:
(gdb) bt
#0 JxlDecoderReleaseInput (dec=0x0) at /usr/lib/debug/source/components/libjxl.bst/lib/jxl/decode.cc:1517
#1 0x00007fee38803504 in WebCore::JPEGXLImageDecoder::decode
(this=0x7fed43644b60, query=WebCore::JPEGXLImageDecoder::Query::Size, frameIndex=<optimized out>, allDataReceived=<optimized out>)
at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebCore/platform/image-decoders/jpegxl/JPEGXLImageDecoder.cpp:274
#2 0x00007fee387f87e5 in WebCore::ScalableImageDecoder::setData (this=0x7fed43644b60, data=<optimized out>, allDataReceived=false)
at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebCore/platform/image-decoders/ScalableImageDecoder.h:85
#3 0x00007fee3a44b6b9 in WebCore::BitmapImageSource::setData (this=0x7fed07463da0, data=0x7fed073d2e80, allDataReceived=false)
at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebCore/platform/graphics/BitmapImageSource.cpp:250
#4 0x00007fee3a44b608 in WebCore::BitmapImageSource::dataChanged (this=0x0, data=0x56208f776fd0, allDataReceived=true)
at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebCore/platform/graphics/BitmapImageSource.cpp:116
#5 0x00007fee3a1d2ae8 in WebCore::CachedImage::updateImageData (this=0x7fee13cc7d00, allDataReceived=<optimized out>)
at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebCore/loader/cache/CachedImage.cpp:577
#6 0x00007fee3a1d2946 in WebCore::CachedImage::updateBufferInternal (this=0x7fee13cc7d00, data=<optimized out>)
at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebCore/loader/cache/CachedImage.cpp:529
#7 0x00007fee3a1b0a89 in WebCore::SubresourceLoader::didReceiveBuffer
(this=0x7fee13f953d0, buffer=..., encodedDataLength=0, dataPayloadType=<optimized out>)
at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebCore/loader/SubresourceLoader.cpp:580
#8 0x00007fee38694e63 in WebKit::WebResourceLoader::didReceiveData
(this=<optimized out>, data=<optimized out>, bytesTransferredOverNetwork=0)
at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebKit/WebProcess/Network/WebResourceLoader.cpp:252
#9 0x00007fee37e8755c in IPC::callMemberFunction<WebKit::WebResourceLoader, WebKit::WebResourceLoader, void (IPC::SharedBufferReference&&, unsigned long), std::tuple<IPC::SharedBufferReference, unsigned long> >(WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(IPC::SharedBufferReference&&, unsigned long), std::tuple<IPC::SharedBufferReference, unsigned long>&&)::{lambda((auto:1&&)...)#1}::operator()<IPC::SharedBufferReference, unsigned long>(IPC::SharedBufferReference&&, unsigned long&&) const
(args=..., args=@0x7ffe1673cf20: 0, this=<optimized out>)
at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebKit/Platform/IPC/HandleMessage.h:135
#10 std::__invoke_impl<void, IPC::callMemberFunction<WebKit::WebResourceLoader, WebKit::WebResourceLoader, void (IPC::SharedBufferReference&&, unsigned long), std::tuple<IPC::SharedBufferReference, unsigned long> >(WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(IPC::SharedBufferReference&&, unsigned long), std::tuple<IPC::SharedBufferReference, unsigned long>&&)::{lambda((auto:1&&)...)#1}, IPC::SharedBufferReference, unsigned long>(std::__invoke_other, IPC::callMemberFunction<WebKit::WebResourceLoader, WebKit::WebResourceLoader, void (IPC::SharedBufferReference&&, unsigned long), std::tuple<IPC::SharedBufferReference, unsigned long> >(WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(IPC::SharedBufferReference&&, unsigned long), std::tuple<IPC::SharedBufferReference, unsigned long>&&)::{lambda((auto:1&&)...)#1}&&, IPC::SharedBufferReference&&, unsigned long&&) (__args=..., __args=@0x7ffe1673cf20: 0, __f=<optimized out>)
at /usr/bin/../lib/gcc/x86_64-unknown-linux-gnu/15.2.0/../../../../include/c++/15.2.0/bits/invoke.h:63
#11 std::__invoke<IPC::callMemberFunction<WebKit::WebResourceLoader, WebKit::WebResourceLoader, void (IPC::SharedBufferReference&&, unsigned long), std::tuple<IPC::SharedBufferReference, unsigned long> >(WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(IPC::SharedBufferReference&&, unsigned long), std::tuple<IPC::SharedBufferReference, unsigned long>&&)::{lambda((auto:1&&)...)#1}, IPC::SharedBufferReference, unsigned long>(IPC::callMemberFunction<WebKit::WebResourceLoader, WebKit::WebResourceLoader, void (IPC::SharedBufferReference&&, unsigned long), std::tuple<IPC::SharedBufferReference, unsigned long> >(WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(IPC::SharedBufferReference&&, unsigned long), std::tuple<IPC::SharedBufferReference, unsigned long>&&)::{lambda((auto:1&&)...)#1}&&, IPC::SharedBufferReference&&, unsigned long&&) (__args=..., __args=@0x7ffe1673cf20: 0, __fn=<optimized out>)
at /usr/bin/../lib/gcc/x86_64-unknown-linux-gnu/15.2.0/../../../../include/c++/15.2.0/bits/invoke.h:98
#12 std::__apply_impl<IPC::callMemberFunction<WebKit::WebResourceLoader, WebKit::WebResourceLoader, void (IPC::SharedBufferReference&&, unsigned long), std::tuple<IPC::SharedBufferReference, unsigned long> >(WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(IPC::SharedBufferReference&&, unsigned long), std::tuple<IPC::SharedBufferReference, unsigned long>&&)::{lambda((auto:1&&)...)#1}, std::tuple<IPC::SharedBufferReference, unsigned long>, 0ul, 1ul>(IPC::callMemberFunction<WebKit::WebResourceLoader, WebKit::WebResourceLoader, void (IPC::SharedBufferReference&&, unsigned long), std::tuple<IPC::SharedBufferReference, unsigned long> >(WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(IPC::SharedBufferReference&&, unsigned long), std::tuple<IPC::SharedBufferReference, unsigned long>&&)::{lambda((auto:1&&)...)#1}&&, std::tuple<IPC::SharedBufferReference, unsigned long>&&, std::integer_sequence<unsigned long, 0ul, 1ul>)
(__t=..., __f=<optimized out>) at /usr/bin/../lib/gcc/x86_64-unknown-linux-gnu/15.2.0/../../../../include/c++/15.2.0/tuple:2920
#13 apply<(lambda at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebKit/Platform/IPC/HandleMessage.h:133:9), std::tuple<IPC::SharedBufferReference, unsigned long> > (__t=..., __f=<optimized out>)
at /usr/bin/../lib/gcc/x86_64-unknown-linux-gnu/15.2.0/../../../../include/c++/15.2.0/tuple:2935
#14 IPC::callMemberFunction<WebKit::WebResourceLoader, WebKit::WebResourceLoader, void(IPC::SharedBufferReference&&, unsigned long), std::tuple<IPC::SharedBufferReference, unsigned long> > (object=0x7fee1232e500, function=<optimized out>, tuple=...)
at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebKit/Platform/IPC/HandleMessage.h:132
#15 IPC::handleMessage<Messages::WebResourceLoader::DidReceiveData, IPC::Connection, WebKit::WebResourceLoader, WebKit::WebResourceLoader, void(IPC::SharedBufferReference&&, unsigned long)>
(connection=<optimized out>, decoder=..., object=0x7fee1232e500, function=<optimized out>)
at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebKit/Platform/IPC/HandleMessage.h:337
#16 WebKit::WebResourceLoader::didReceiveMessage (this=0x7fee1232e500, connection=<optimized out>, decoder=...)
at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/_builddir/DerivedSources/WebKit/WebResourceLoaderMessageReceiver.cpp:76
#17 0x00007fee38688b67 in WebKit::NetworkProcessConnection::dispatchMessage (this=<optimized out>, connection=..., decoder=...)
at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebKit/WebProcess/Network/NetworkProcessConnection.cpp:103
#18 0x00007fee37e85d76 in WebKit::NetworkProcessConnection::didReceiveMessage (this=0x7fee12014380, connection=..., decoder=...)
at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/_builddir/DerivedSources/WebKit/NetworkProcessConnectionMessageReceiver.cpp:99
#19 0x00007fee38283f50 in IPC::Connection::dispatchMessage (this=0x7fee12054340, decoder=...)
at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebKit/Platform/IPC/Connection.cpp:1383
#20 0x00007fee38284147 in IPC::Connection::dispatchMessage (this=0x7fee12054340, message=...)
at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebKit/Platform/IPC/Connection.cpp:1433
#21 0x00007fee38284278 in IPC::Connection::dispatchOneIncomingMessage (this=<optimized out>)
at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebKit/Platform/IPC/Connection.cpp:1512
#22 0x00007fee36c83655 in WTF::Function<void()>::operator() (this=0x7ffe1673d390)
at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WTF/wtf/Function.h:82
#23 WTF::RunLoop::performWork (this=0x7fee12008180) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WTF/wtf/RunLoop.cpp:148
#24 0x00007fee36d42b8d in WTF::RunLoop::RunLoop()::$_0::operator()(void*) const (userData=0x0,
userData@entry=0x7fee12008180, this=<optimized out>)
at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WTF/wtf/glib/RunLoopGLib.cpp:80
#25 WTF::RunLoop::RunLoop()::$_0::__invoke(void*) (userData=0x0)
at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WTF/wtf/glib/RunLoopGLib.cpp:79
#26 0x00007fee36d41cb1 in WTF::RunLoop::$_0::operator()
(source=0x56208db5e400, callback=0x7fee36d42b80 <WTF::RunLoop::RunLoop()::$_0::__invoke(void*)>, userData=0x7fee12008180, this=<optimized out>) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WTF/wtf/glib/RunLoopGLib.cpp:53
#27 WTF::RunLoop::$_0::__invoke
(source=0x56208db5e400, callback=0x7fee36d42b80 <WTF::RunLoop::RunLoop()::$_0::__invoke(void*)>, userData=0x7fee12008180)
at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WTF/wtf/glib/RunLoopGLib.cpp:45
#28 0x00007fee3290280b in g_main_dispatch (context=context@entry=0x56208db122d0) at ../glib/gmain.c:3565
#29 0x00007fee32905c47 in g_main_context_dispatch_unlocked (context=0x56208db122d0) at ../glib/gmain.c:4425
#30 g_main_context_iterate_unlocked (context=0x56208db122d0, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>)
at ../glib/gmain.c:4490
#31 0x00007fee32906787 in g_main_loop_run (loop=0x56208db25240) at ../glib/gmain.c:4695
#32 0x00007fee36d42214 in WTF::RunLoop::run () at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WTF/wtf/glib/RunLoopGLib.cpp:108
#33 0x00007fee387b9ed4 in WebKit::AuxiliaryProcessMainBase<WebKit::WebProcess, true>::run
(this=0x7ffe1673d5e0, argc=<optimized out>, argv=<optimized out>)
at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebKit/Shared/AuxiliaryProcessMain.h:77
#34 WebKit::AuxiliaryProcessMain<WebKit::WebProcessMainGtk> (argc=4, argv=<optimized out>)
at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebKit/Shared/AuxiliaryProcessMain.h:103
#35 0x00007fee3742c975 in __libc_start_call_main
(main=main@entry=0x56208bb20150 <main(int, char**)>, argc=argc@entry=4, argv=argv@entry=0x7ffe1673d778)
at ../sysdeps/nptl/libc_start_call_main.h:58
#36 0x00007fee3742ca28 in __libc_start_main_impl
(main=0x56208bb20150 <main(int, char**)>, argc=4, argv=0x7ffe1673d778, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffe1673d768) at ../csu/libc-start.c:360
#37 0x000056208bb20085 in _start () at ../sysdeps/x86_64/start.S:115
Michael Catanzaro
Looks like game over with this=0x0 in frame 4. Here's the full backtrace of the more interesting frames:
Core was generated by `/usr/libexec/webkitgtk-6.0/WebKitWebProcess 54 120 143'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 JxlDecoderReleaseInput (dec=0x0) at /usr/lib/debug/source/components/libjxl.bst/lib/jxl/decode.cc:1517
1517 size_t result = dec->avail_in;
[Current thread is 1 (Thread 0x7f8e67cd0e80 (LWP 2))]
(gdb) bt full
#0 JxlDecoderReleaseInput (dec=0x0) at /usr/lib/debug/source/components/libjxl.bst/lib/jxl/decode.cc:1517
result = <optimized out>
#1 0x00007f8e73203504 in WebCore::JPEGXLImageDecoder::decode
(this=0x7f8c6f168d00, query=WebCore::JPEGXLImageDecoder::Query::Size, frameIndex=<optimized out>, allDataReceived=<optimized out>)
at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebCore/platform/image-decoders/jpegxl/JPEGXLImageDecoder.cpp:274
dataSpan = Python Exception <class 'gdb.error'>: value has been optimized out
dataSize = 48
status = <optimized out>
remainingDataSize = <optimized out>
#2 0x00007f8e731f87e5 in WebCore::ScalableImageDecoder::setData (this=0x7f8c6f168d00, data=<optimized out>, allDataReceived=false)
at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebCore/platform/image-decoders/ScalableImageDecoder.h:85
locker = {<WTF::AbstractLocker> = {<No data fields>}, m_lock = @0x7f8c6f168d50, m_isLocked = true}
#3 0x00007f8e74e4b6b9 in WebCore::BitmapImageSource::setData (this=0x7f8c4f740960, data=0x7f8c4f51a940, allDataReceived=false)
at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebCore/platform/graphics/BitmapImageSource.cpp:250
decoder = {static isRefPtr = <optimized out>, m_ptr = <optimized out>}
#4 0x00007f8e74e4b608 in WebCore::BitmapImageSource::dataChanged (this=0x0, data=0x560261f42a50, allDataReceived=true)
at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebCore/platform/graphics/BitmapImageSource.cpp:116
status = <optimized out>
#5 0x00007f8e74bd2ae8 in WebCore::CachedImage::updateImageData (this=0x7f8c6f189600, allDataReceived=<optimized out>)
at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebCore/loader/cache/CachedImage.cpp:577
image = {static isRefPtr = <optimized out>, m_ptr = 0x7f8c4f781580}
result = <optimized out>
#6 0x00007f8e74bd2946 in WebCore::CachedImage::updateBufferInternal (this=0x7f8c6f189600, data=<optimized out>)
at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebCore/loader/cache/CachedImage.cpp:529
protectedThis = {<WebCore::CachedResourceHandleBase> = {m_resource = {m_impl = {static isRefPtr = <optimized out>, m_ptr = 0x7f8c4f774a60}}}, <No data fields>}
encodedDataStatus = WebCore::EncodedDataStatus::Unknown
#7 0x00007f8e74bb0a89 in WebCore::SubresourceLoader::didReceiveBuffer
(this=0x7f8c814d39b0, buffer=..., encodedDataLength=0, dataPayloadType=<optimized out>)
at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebCore/loader/SubresourceLoader.cpp:580
resourceData = {static isRefPtr = <optimized out>, m_ptr = 0x7f8c4f51a940}
resource = {<WebCore::CachedResourceHandleBase> = {m_resource = {m_impl = {static isRefPtr = <optimized out>, m_ptr = 0x7f8c4f774a60}}}, <No data fields>}
protectedThis = {static isRef = <optimized out>, m_ptr = 0x7f8c814d39b0}
#8 0x00007f8e73094e63 in WebKit::WebResourceLoader::didReceiveData
(this=<optimized out>, data=<optimized out>, bytesTransferredOverNetwork=0)
at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebKit/WebProcess/Network/WebResourceLoader.cpp:252
coreLoader = {static isRefPtr = <optimized out>, m_ptr = 0x7f8c814d39b0}
delta = 0
#9 0x00007f8e7288755c in IPC::callMemberFunction<WebKit::WebResourceLoader, WebKit::WebResourceLoader, void (IPC::SharedBufferReference&&, unsigned long), std::tuple<IPC::SharedBufferReference, unsigned long> >(WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(IPC::SharedBufferReference&&, unsigned long), std::tuple<IPC::SharedBufferReference, unsigned long>&&)::{lambda((auto:1&&)...)#1}::operator()<IPC::SharedBufferReference, unsigned long>(IPC::SharedBufferReference&&, unsigned long&&) const
(args=..., args=@0x7ffd4d101650: 0, this=<optimized out>)
at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebKit/Platform/IPC/HandleMessage.h:135
But m_data looks good in frame 5:
(gdb) frame 5
#5 0x00007f8e74bd2ae8 in WebCore::CachedImage::updateImageData (this=0x7f8c6f189600, allDataReceived=<optimized out>)
at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebCore/loader/cache/CachedImage.cpp:577
577 EncodedDataStatus result = image->setData(m_data.copyRef(), allDataReceived);
(gdb) print m_data
$1 = {static isRefPtr = <optimized out>, m_ptr = 0x7f8c4f51a940}
Hm.
Michael Catanzaro
So I got a little confused there. The data object is not null. No reason to be looking at that.
According to the stack trace, the BitmapImageSource is null. However, I've been adding debug to the code and I think the stack trace is just wrong. This is the second time I've encountered this now; first time was in bug #295679. My guess is it's some new Clang optimization. Unfortunately we might have to start ignoring suspicious this= pointers.
Michael Catanzaro
Problem is GitHub uses a jxl image with size x=512752 y=256376 for some reason, which is nuts. I wonder why.
ScalableImageDecoder::setSize will call JPEGXLImageDecoder::setFailed virtual function, which clears m_decoder. Then m_decoder is unexpectedly unset at the bottom of JPEGXLImageDecoder::decode, which assumes it is still valid if it hasn't failed. Problem is it has failed and just hasn't noticed.
Fix is:
diff --git a/Source/WebCore/platform/image-decoders/jpegxl/JPEGXLImageDecoder.cpp b/Source/WebCore/platform/image-decoders/jpegxl/JPEGXLImageDecoder.cpp
index f79847eeefeb..a25b029344a8 100644
--- a/Source/WebCore/platform/image-decoders/jpegxl/JPEGXLImageDecoder.cpp
+++ b/Source/WebCore/platform/image-decoders/jpegxl/JPEGXLImageDecoder.cpp
@@ -300,7 +300,8 @@ JxlDecoderStatus JPEGXLImageDecoder::processInput(Query query)
if (query == Query::Size) {
// setSize() must be called only if the query is Query::Size,
// otherwise this would roll back the encoded data status from completed.
- setSize(IntSize(m_basicInfo->xsize, m_basicInfo->ysize));
+ if (!setSize(IntSize(m_basicInfo->xsize, m_basicInfo->ysize)))
+ return JXL_DEC_ERROR;
return status;
}
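Review bot: Returning JXL_DEC_ERROR when setSize() rejects the dimensions is the right propagation, because the base class's setSize() calls the virtual setFailed(), which this decoder uses to clear m_decoder; the comment kept above the call should say so, e.g. `// A rejected size has already called setFailed() and released m_decoder, so stop here.` The caller of processInput() is not in this hunk: verify that its JXL_DEC_ERROR handling does not touch m_decoder before checking failed(), since the handle is already gone by that point.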
which is sufficient.
We could also optionally do something like:
diff --git a/Source/WebCore/platform/image-decoders/jpegxl/JPEGXLImageDecoder.cpp b/Source/WebCore/platform/image-decoders/jpegxl/JPEGXLImageDecoder.cpp
index f79847eeefeb..8025c739c7ca 100644
--- a/Source/WebCore/platform/image-decoders/jpegxl/JPEGXLImageDecoder.cpp
+++ b/Source/WebCore/platform/image-decoders/jpegxl/JPEGXLImageDecoder.cpp
@@ -271,6 +271,8 @@ void JPEGXLImageDecoder::decode(Query query, size_t frameIndex, bool allDataRece
return;
}
+ ASSERT(!failed());
+
size_t remainingDataSize = JxlDecoderReleaseInput(m_decoder.get());
m_readOffset = dataSize - remainingDataSize;
}
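Review bot: ASSERT(!failed()) only runs in debug builds, so on its own it does not stop a release build from reaching JxlDecoderReleaseInput() with a null m_decoder; it documents the invariant that processInput() must never report success after setFailed(), which is useful alongside the return-value check but is not a substitute for it. Add a one-line comment above the assert stating that invariant, since a reader of decode() cannot otherwise see why it is expected to hold.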
Or even:
diff --git a/Source/WebCore/platform/image-decoders/jpegxl/JPEGXLImageDecoder.cpp b/Source/WebCore/platform/image-decoders/jpegxl/JPEGXLImageDecoder.cpp
index f79847eeefeb..f0ad4dce6a8a 100644
--- a/Source/WebCore/platform/image-decoders/jpegxl/JPEGXLImageDecoder.cpp
+++ b/Source/WebCore/platform/image-decoders/jpegxl/JPEGXLImageDecoder.cpp
@@ -271,6 +271,9 @@ void JPEGXLImageDecoder::decode(Query query, size_t frameIndex, bool allDataRece
return;
}
+ if (failed())
+ return;
+
size_t remainingDataSize = JxlDecoderReleaseInput(m_decoder.get());
m_readOffset = dataSize - remainingDataSize;
}
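Review bot: `if (failed()) return;` makes decode() silently tolerate a failed decoder that nonetheless reported success, which hides exactly the propagation bug being fixed; if it is kept as a release-build safety net, combine it with the assert (assert in debug, early return in release) rather than choosing one, and note in a comment that reaching this point with failed() true means an earlier step swallowed a setFailed().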
Michael Catanzaro
Using Firefox's inspector, I figured out why GitHub is using an image of such ridiculous size. The image that is failing is:
https://raw.githubusercontent.com/WebKit/WebKit/9beb1ac7b5ecdebbd59c7ad44f2fd4ff54711d96/LayoutTests/fast/images/resources/512752x256376.jpg
Safe to say we can't blame GitHub for this one :D and also that this is definitely covered by existing tests, hooray. No clue why GitHub is displaying this random test image in the commit history view, but whatever.
Unfortunately, we are skipping the test fast/images/image-size-unsigned-overflow.html in platform/glib/TestExpectations and platform/win/TestExpectations. Too bad. It probably should have been marked as Crash rather than Skip. I wonder if we can remove that Skip now.
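The failure mode described in the comments above, where a base-class setSize() rejects an oversized image through the virtual setFailed(), the subclass override releases the decoder handle, and the caller then uses that handle because nothing reported failure, reduced to a self-contained illustration. This is added example code, not WebKit's JPEGXLImageDecoder or libjxl: FakeJxlDecoder, ImageDecoderBase, JxlLikeDecoder, kMaxPixels, kHeaderBytes and the Outcome enum are all constructed here, and the size budget is a hypothetical stand-in for WebKit's real over-size check. The buggy path ignores setSize()'s return value and reaches the point where the real code calls JxlDecoderReleaseInput() on a null handle; the fixed path propagates the rejection as a decode error, as the first patch in this bug does.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <memory>

// Constructed stand-in for the libjxl decoder handle. Like JxlDecoderReleaseInput(),
// releasing reports how many input bytes were not consumed; calling it with a null
// handle is the crash in frame #0 of the report, so decode() checks for null first.
struct FakeJxlDecoder {
    size_t availIn = 0;
};

static size_t fakeReleaseInput(FakeJxlDecoder* dec) {
    return dec->availIn;
}

enum class Outcome { Decoded, FailedCleanly, NullDecoderUse };

// Mirrors the relevant shape of ScalableImageDecoder: setSize() rejects an oversized
// image by calling the *virtual* setFailed(), so a subclass may release resources there.
class ImageDecoderBase {
public:
    virtual ~ImageDecoderBase() = default;
    bool failed() const { return m_failed; }

protected:
    static constexpr uint64_t kMaxPixels = uint64_t(1) << 30; // hypothetical size budget

    bool setSize(unsigned width, unsigned height) {
        if (uint64_t(width) * height > kMaxPixels) {
            setFailed();          // virtual: the subclass override runs here
            return false;
        }
        m_width = width;
        m_height = height;
        return true;
    }
    virtual void setFailed() { m_failed = true; }

private:
    bool m_failed = false;
    unsigned m_width = 0;
    unsigned m_height = 0;
};

class JxlLikeDecoder : public ImageDecoderBase {
public:
    explicit JxlLikeDecoder(bool propagateSetSizeResult)
        : m_propagate(propagateSetSizeResult)
        , m_decoder(std::make_unique<FakeJxlDecoder>()) { }

    Outcome decode(unsigned width, unsigned height, size_t dataSize) {
        if (!m_decoder)
            return Outcome::FailedCleanly;
        m_decoder->availIn = dataSize;
        if (!processInput(width, height, dataSize)) {
            setFailed();
            return Outcome::FailedCleanly;
        }
        // Bottom of decode(): the original assumes the handle is still alive because
        // processInput() reported success. On the buggy path setFailed() already ran.
        if (!m_decoder)
            return Outcome::NullDecoderUse; // real code: JxlDecoderReleaseInput(nullptr) -> SIGSEGV
        size_t remaining = fakeReleaseInput(m_decoder.get());
        m_readOffset = dataSize - remaining;
        return Outcome::Decoded;
    }
    size_t readOffset() const { return m_readOffset; }

private:
    static constexpr size_t kHeaderBytes = 12; // constructed: bytes consumed by a header parse

    bool processInput(unsigned width, unsigned height, size_t dataSize) {
        if (m_propagate) {
            if (!setSize(width, height))
                return false;         // the fix: a rejected size is a decode error
        } else {
            setSize(width, height);   // the bug: result ignored, failure goes unnoticed
        }
        if (!m_decoder)
            return true;              // bug path only: handle is gone, yet we report success
        m_decoder->availIn = dataSize > kHeaderBytes ? dataSize - kHeaderBytes : 0;
        return true;
    }

    // Releasing the libjxl handle on failure is what leaves m_decoder null afterwards.
    void setFailed() override {
        m_decoder.reset();
        ImageDecoderBase::setFailed();
    }

    bool m_propagate;
    std::unique_ptr<FakeJxlDecoder> m_decoder;
    size_t m_readOffset = 0;
};

Outcome runDecode(bool propagateSetSizeResult, unsigned width, unsigned height, size_t dataSize) {
    JxlLikeDecoder decoder(propagateSetSizeResult);
    return decoder.decode(width, height, dataSize);
}

size_t readOffsetAfterDecode(unsigned width, unsigned height, size_t dataSize) {
    JxlLikeDecoder decoder(true);
    decoder.decode(width, height, dataSize);
    return decoder.readOffset();
}

int main() {
    // Dimensions from the report (512752x256376) with the 48 bytes seen in frame #1.
    const char* names[] = { "decoded", "failed cleanly", "null decoder use" };
    printf("buggy: %s\n", names[int(runDecode(false, 512752, 256376, 48))]);
    printf("fixed: %s\n", names[int(runDecode(true, 512752, 256376, 48))]);
    printf("small image read offset: %zu\n", readOffsetAfterDecode(64, 64, 48));
    return 0;
}
```

The point the example makes is that a virtual failure hook invoked from a base-class helper can invalidate subclass state without the calling code ever seeing an error code; the only robust fix is to treat the helper's return value as the error signal, which is what the committed change does.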
Michael Catanzaro
Pull request: https://github.com/WebKit/WebKit/pull/53054
EWS
Committed 302235@main (92abf9e11b92): <https://commits.webkit.org/302235@main>
Reviewed commits have been landed. Closing PR #53054 and removing active labels.
Radar WebKit Bug Importer
<rdar://problem/163560643>