Bug 301514 - RESOLVED FIXED
Crash in WebCore::JPEGXLImageDecoder::decode
https://bugs.webkit.org/show_bug.cgi?id=301514
Michael Catanzaro
Reported 2025-10-27 08:06:26 PDT
Using WebKitGTK 2.50.1, load https://github.com/WebKit/WebKit/compare/main...webkitglib/2.46 and scroll down the page. The web process will crash:

(gdb) bt
#0 JxlDecoderReleaseInput (dec=0x0) at /usr/lib/debug/source/components/libjxl.bst/lib/jxl/decode.cc:1517
#1 0x00007fee38803504 in WebCore::JPEGXLImageDecoder::decode (this=0x7fed43644b60, query=WebCore::JPEGXLImageDecoder::Query::Size, frameIndex=<optimized out>, allDataReceived=<optimized out>) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebCore/platform/image-decoders/jpegxl/JPEGXLImageDecoder.cpp:274
#2 0x00007fee387f87e5 in WebCore::ScalableImageDecoder::setData (this=0x7fed43644b60, data=<optimized out>, allDataReceived=false) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebCore/platform/image-decoders/ScalableImageDecoder.h:85
#3 0x00007fee3a44b6b9 in WebCore::BitmapImageSource::setData (this=0x7fed07463da0, data=0x7fed073d2e80, allDataReceived=false) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebCore/platform/graphics/BitmapImageSource.cpp:250
#4 0x00007fee3a44b608 in WebCore::BitmapImageSource::dataChanged (this=0x0, data=0x56208f776fd0, allDataReceived=true) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebCore/platform/graphics/BitmapImageSource.cpp:116
#5 0x00007fee3a1d2ae8 in WebCore::CachedImage::updateImageData (this=0x7fee13cc7d00, allDataReceived=<optimized out>) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebCore/loader/cache/CachedImage.cpp:577
#6 0x00007fee3a1d2946 in WebCore::CachedImage::updateBufferInternal (this=0x7fee13cc7d00, data=<optimized out>) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebCore/loader/cache/CachedImage.cpp:529
#7 0x00007fee3a1b0a89 in WebCore::SubresourceLoader::didReceiveBuffer (this=0x7fee13f953d0, buffer=..., encodedDataLength=0, dataPayloadType=<optimized out>) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebCore/loader/SubresourceLoader.cpp:580
#8 0x00007fee38694e63 in WebKit::WebResourceLoader::didReceiveData (this=<optimized out>, data=<optimized out>, bytesTransferredOverNetwork=0) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebKit/WebProcess/Network/WebResourceLoader.cpp:252
#9 0x00007fee37e8755c in IPC::callMemberFunction<WebKit::WebResourceLoader, WebKit::WebResourceLoader, void (IPC::SharedBufferReference&&, unsigned long), std::tuple<IPC::SharedBufferReference, unsigned long> >(WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(IPC::SharedBufferReference&&, unsigned long), std::tuple<IPC::SharedBufferReference, unsigned long>&&)::{lambda((auto:1&&)...)#1}::operator()<IPC::SharedBufferReference, unsigned long>(IPC::SharedBufferReference&&, unsigned long&&) const (args=..., args=@0x7ffe1673cf20: 0, this=<optimized out>) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebKit/Platform/IPC/HandleMessage.h:135
#10 std::__invoke_impl<void, IPC::callMemberFunction<WebKit::WebResourceLoader, WebKit::WebResourceLoader, void (IPC::SharedBufferReference&&, unsigned long), std::tuple<IPC::SharedBufferReference, unsigned long> >(WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(IPC::SharedBufferReference&&, unsigned long), std::tuple<IPC::SharedBufferReference, unsigned long>&&)::{lambda((auto:1&&)...)#1}, IPC::SharedBufferReference, unsigned long>(std::__invoke_other, IPC::callMemberFunction<WebKit::WebResourceLoader, WebKit::WebResourceLoader, void (IPC::SharedBufferReference&&, unsigned long), std::tuple<IPC::SharedBufferReference, unsigned long> >(WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(IPC::SharedBufferReference&&, unsigned long), std::tuple<IPC::SharedBufferReference, unsigned long>&&)::{lambda((auto:1&&)...)#1}&&, IPC::SharedBufferReference&&, unsigned long&&) (__args=..., __args=@0x7ffe1673cf20: 0, __f=<optimized out>) at /usr/bin/../lib/gcc/x86_64-unknown-linux-gnu/15.2.0/../../../../include/c++/15.2.0/bits/invoke.h:63
#11 std::__invoke<IPC::callMemberFunction<WebKit::WebResourceLoader, WebKit::WebResourceLoader, void (IPC::SharedBufferReference&&, unsigned long), std::tuple<IPC::SharedBufferReference, unsigned long> >(WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(IPC::SharedBufferReference&&, unsigned long), std::tuple<IPC::SharedBufferReference, unsigned long>&&)::{lambda((auto:1&&)...)#1}, IPC::SharedBufferReference, unsigned long>(IPC::callMemberFunction<WebKit::WebResourceLoader, WebKit::WebResourceLoader, void (IPC::SharedBufferReference&&, unsigned long), std::tuple<IPC::SharedBufferReference, unsigned long> >(WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(IPC::SharedBufferReference&&, unsigned long), std::tuple<IPC::SharedBufferReference, unsigned long>&&)::{lambda((auto:1&&)...)#1}&&, IPC::SharedBufferReference&&, unsigned long&&) (__args=..., __args=@0x7ffe1673cf20: 0, __fn=<optimized out>) at /usr/bin/../lib/gcc/x86_64-unknown-linux-gnu/15.2.0/../../../../include/c++/15.2.0/bits/invoke.h:98
#12 std::__apply_impl<IPC::callMemberFunction<WebKit::WebResourceLoader, WebKit::WebResourceLoader, void (IPC::SharedBufferReference&&, unsigned long), std::tuple<IPC::SharedBufferReference, unsigned long> >(WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(IPC::SharedBufferReference&&, unsigned long), std::tuple<IPC::SharedBufferReference, unsigned long>&&)::{lambda((auto:1&&)...)#1}, std::tuple<IPC::SharedBufferReference, unsigned long>, 0ul, 1ul>(IPC::callMemberFunction<WebKit::WebResourceLoader, WebKit::WebResourceLoader, void (IPC::SharedBufferReference&&, unsigned long), std::tuple<IPC::SharedBufferReference, unsigned long> >(WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(IPC::SharedBufferReference&&, unsigned long), std::tuple<IPC::SharedBufferReference, unsigned long>&&)::{lambda((auto:1&&)...)#1}&&, std::tuple<IPC::SharedBufferReference, unsigned long>&&, std::integer_sequence<unsigned long, 0ul, 1ul>) (__t=..., __f=<optimized out>) at /usr/bin/../lib/gcc/x86_64-unknown-linux-gnu/15.2.0/../../../../include/c++/15.2.0/tuple:2920
#13 apply<(lambda at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebKit/Platform/IPC/HandleMessage.h:133:9), std::tuple<IPC::SharedBufferReference, unsigned long> > (__t=..., __f=<optimized out>) at /usr/bin/../lib/gcc/x86_64-unknown-linux-gnu/15.2.0/../../../../include/c++/15.2.0/tuple:2935
#14 IPC::callMemberFunction<WebKit::WebResourceLoader, WebKit::WebResourceLoader, void(IPC::SharedBufferReference&&, unsigned long), std::tuple<IPC::SharedBufferReference, unsigned long> > (object=0x7fee1232e500, function=<optimized out>, tuple=...) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebKit/Platform/IPC/HandleMessage.h:132
#15 IPC::handleMessage<Messages::WebResourceLoader::DidReceiveData, IPC::Connection, WebKit::WebResourceLoader, WebKit::WebResourceLoader, void(IPC::SharedBufferReference&&, unsigned long)> (connection=<optimized out>, decoder=..., object=0x7fee1232e500, function=<optimized out>) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebKit/Platform/IPC/HandleMessage.h:337
#16 WebKit::WebResourceLoader::didReceiveMessage (this=0x7fee1232e500, connection=<optimized out>, decoder=...) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/_builddir/DerivedSources/WebKit/WebResourceLoaderMessageReceiver.cpp:76
#17 0x00007fee38688b67 in WebKit::NetworkProcessConnection::dispatchMessage (this=<optimized out>, connection=..., decoder=...) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebKit/WebProcess/Network/NetworkProcessConnection.cpp:103
#18 0x00007fee37e85d76 in WebKit::NetworkProcessConnection::didReceiveMessage (this=0x7fee12014380, connection=..., decoder=...) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/_builddir/DerivedSources/WebKit/NetworkProcessConnectionMessageReceiver.cpp:99
#19 0x00007fee38283f50 in IPC::Connection::dispatchMessage (this=0x7fee12054340, decoder=...) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebKit/Platform/IPC/Connection.cpp:1383
#20 0x00007fee38284147 in IPC::Connection::dispatchMessage (this=0x7fee12054340, message=...) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebKit/Platform/IPC/Connection.cpp:1433
#21 0x00007fee38284278 in IPC::Connection::dispatchOneIncomingMessage (this=<optimized out>) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebKit/Platform/IPC/Connection.cpp:1512
#22 0x00007fee36c83655 in WTF::Function<void()>::operator() (this=0x7ffe1673d390) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WTF/wtf/Function.h:82
#23 WTF::RunLoop::performWork (this=0x7fee12008180) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WTF/wtf/RunLoop.cpp:148
#24 0x00007fee36d42b8d in WTF::RunLoop::RunLoop()::$_0::operator()(void*) const (userData=0x0, userData@entry=0x7fee12008180, this=<optimized out>) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WTF/wtf/glib/RunLoopGLib.cpp:80
#25 WTF::RunLoop::RunLoop()::$_0::__invoke(void*) (userData=0x0) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WTF/wtf/glib/RunLoopGLib.cpp:79
#26 0x00007fee36d41cb1 in WTF::RunLoop::$_0::operator() (source=0x56208db5e400, callback=0x7fee36d42b80 <WTF::RunLoop::RunLoop()::$_0::__invoke(void*)>, userData=0x7fee12008180, this=<optimized out>) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WTF/wtf/glib/RunLoopGLib.cpp:53
#27 WTF::RunLoop::$_0::__invoke (source=0x56208db5e400, callback=0x7fee36d42b80 <WTF::RunLoop::RunLoop()::$_0::__invoke(void*)>, userData=0x7fee12008180) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WTF/wtf/glib/RunLoopGLib.cpp:45
#28 0x00007fee3290280b in g_main_dispatch (context=context@entry=0x56208db122d0) at ../glib/gmain.c:3565
#29 0x00007fee32905c47 in g_main_context_dispatch_unlocked (context=0x56208db122d0) at ../glib/gmain.c:4425
#30 g_main_context_iterate_unlocked (context=0x56208db122d0, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at ../glib/gmain.c:4490
#31 0x00007fee32906787 in g_main_loop_run (loop=0x56208db25240) at ../glib/gmain.c:4695
#32 0x00007fee36d42214 in WTF::RunLoop::run () at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WTF/wtf/glib/RunLoopGLib.cpp:108
#33 0x00007fee387b9ed4 in WebKit::AuxiliaryProcessMainBase<WebKit::WebProcess, true>::run (this=0x7ffe1673d5e0, argc=<optimized out>, argv=<optimized out>) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebKit/Shared/AuxiliaryProcessMain.h:77
#34 WebKit::AuxiliaryProcessMain<WebKit::WebProcessMainGtk> (argc=4, argv=<optimized out>) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebKit/Shared/AuxiliaryProcessMain.h:103
#35 0x00007fee3742c975 in __libc_start_call_main (main=main@entry=0x56208bb20150 <main(int, char**)>, argc=argc@entry=4, argv=argv@entry=0x7ffe1673d778) at ../sysdeps/nptl/libc_start_call_main.h:58
#36 0x00007fee3742ca28 in __libc_start_main_impl (main=0x56208bb20150 <main(int, char**)>, argc=4, argv=0x7ffe1673d778, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffe1673d768) at ../csu/libc-start.c:360
#37 0x000056208bb20085 in _start () at ../sysdeps/x86_64/start.S:115
Michael Catanzaro
Comment 1 2025-10-27 14:05:40 PDT
Looks like game over with this=0x0 in frame 4. Here's the full backtrace of the more interesting frames:

Core was generated by `/usr/libexec/webkitgtk-6.0/WebKitWebProcess 54 120 143'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 JxlDecoderReleaseInput (dec=0x0) at /usr/lib/debug/source/components/libjxl.bst/lib/jxl/decode.cc:1517
1517 size_t result = dec->avail_in;
[Current thread is 1 (Thread 0x7f8e67cd0e80 (LWP 2))]
(gdb) bt full
#0 JxlDecoderReleaseInput (dec=0x0) at /usr/lib/debug/source/components/libjxl.bst/lib/jxl/decode.cc:1517
        result = <optimized out>
#1 0x00007f8e73203504 in WebCore::JPEGXLImageDecoder::decode (this=0x7f8c6f168d00, query=WebCore::JPEGXLImageDecoder::Query::Size, frameIndex=<optimized out>, allDataReceived=<optimized out>) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebCore/platform/image-decoders/jpegxl/JPEGXLImageDecoder.cpp:274
        dataSpan = Python Exception <class 'gdb.error'>: value has been optimized out
        dataSize = 48
        status = <optimized out>
        remainingDataSize = <optimized out>
#2 0x00007f8e731f87e5 in WebCore::ScalableImageDecoder::setData (this=0x7f8c6f168d00, data=<optimized out>, allDataReceived=false) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebCore/platform/image-decoders/ScalableImageDecoder.h:85
        locker = {<WTF::AbstractLocker> = {<No data fields>}, m_lock = @0x7f8c6f168d50, m_isLocked = true}
#3 0x00007f8e74e4b6b9 in WebCore::BitmapImageSource::setData (this=0x7f8c4f740960, data=0x7f8c4f51a940, allDataReceived=false) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebCore/platform/graphics/BitmapImageSource.cpp:250
        decoder = {static isRefPtr = <optimized out>, m_ptr = <optimized out>}
#4 0x00007f8e74e4b608 in WebCore::BitmapImageSource::dataChanged (this=0x0, data=0x560261f42a50, allDataReceived=true) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebCore/platform/graphics/BitmapImageSource.cpp:116
        status = <optimized out>
#5 0x00007f8e74bd2ae8 in WebCore::CachedImage::updateImageData (this=0x7f8c6f189600, allDataReceived=<optimized out>) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebCore/loader/cache/CachedImage.cpp:577
        image = {static isRefPtr = <optimized out>, m_ptr = 0x7f8c4f781580}
        result = <optimized out>
#6 0x00007f8e74bd2946 in WebCore::CachedImage::updateBufferInternal (this=0x7f8c6f189600, data=<optimized out>) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebCore/loader/cache/CachedImage.cpp:529
        protectedThis = {<WebCore::CachedResourceHandleBase> = {m_resource = {m_impl = {static isRefPtr = <optimized out>, m_ptr = 0x7f8c4f774a60}}}, <No data fields>}
        encodedDataStatus = WebCore::EncodedDataStatus::Unknown
#7 0x00007f8e74bb0a89 in WebCore::SubresourceLoader::didReceiveBuffer (this=0x7f8c814d39b0, buffer=..., encodedDataLength=0, dataPayloadType=<optimized out>) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebCore/loader/SubresourceLoader.cpp:580
        resourceData = {static isRefPtr = <optimized out>, m_ptr = 0x7f8c4f51a940}
        resource = {<WebCore::CachedResourceHandleBase> = {m_resource = {m_impl = {static isRefPtr = <optimized out>, m_ptr = 0x7f8c4f774a60}}}, <No data fields>}
        protectedThis = {static isRef = <optimized out>, m_ptr = 0x7f8c814d39b0}
#8 0x00007f8e73094e63 in WebKit::WebResourceLoader::didReceiveData (this=<optimized out>, data=<optimized out>, bytesTransferredOverNetwork=0) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebKit/WebProcess/Network/WebResourceLoader.cpp:252
        coreLoader = {static isRefPtr = <optimized out>, m_ptr = 0x7f8c814d39b0}
        delta = 0
#9 0x00007f8e7288755c in IPC::callMemberFunction<WebKit::WebResourceLoader, WebKit::WebResourceLoader, void (IPC::SharedBufferReference&&, unsigned long), std::tuple<IPC::SharedBufferReference, unsigned long> >(WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(IPC::SharedBufferReference&&, unsigned long), std::tuple<IPC::SharedBufferReference, unsigned long>&&)::{lambda((auto:1&&)...)#1}::operator()<IPC::SharedBufferReference, unsigned long>(IPC::SharedBufferReference&&, unsigned long&&) const (args=..., args=@0x7ffd4d101650: 0, this=<optimized out>) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebKit/Platform/IPC/HandleMessage.h:135

But m_data looks good in frame 5:

(gdb) frame 5
#5 0x00007f8e74bd2ae8 in WebCore::CachedImage::updateImageData (this=0x7f8c6f189600, allDataReceived=<optimized out>) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebCore/loader/cache/CachedImage.cpp:577
577 EncodedDataStatus result = image->setData(m_data.copyRef(), allDataReceived);
(gdb) print m_data
$1 = {static isRefPtr = <optimized out>, m_ptr = 0x7f8c4f51a940}

Hm.
Michael Catanzaro
Comment 2 2025-10-27 15:15:51 PDT
So I got a little confused there. The data object is not null. No reason to be looking at that. According to the stack trace, the BitmapImageSource is null. However, I've been adding debug to the code and I think the stack trace is just wrong. This is the second time I've encountered this now; first time was in bug #295679. My guess is it's some new Clang optimization. Unfortunately we might have to start ignoring suspicious this= pointers.
Michael Catanzaro
Comment 3 2025-10-27 16:07:47 PDT
Problem is GitHub uses jxl image with size x=512752 y=256376 for some reason, which is nuts. I wonder why. ScalableImageDecoder::setSize will call JPEGXLImageDecoder::setFailed virtual function, which clears m_decoder. Then m_decoder is unexpectedly unset at the bottom of JPEGXLImageDecoder::decode, which assumes it is still valid if it hasn't failed. Problem is it has failed and just hasn't noticed. Fix is: diff --git a/Source/WebCore/platform/image-decoders/jpegxl/JPEGXLImageDecoder.cpp b/Source/WebCore/platform/image-decoders/jpegxl/JPEGXLImageDecoder.cpp index f79847eeefeb..a25b029344a8 100644 --- a/Source/WebCore/platform/image-decoders/jpegxl/JPEGXLImageDecoder.cpp +++ b/Source/WebCore/platform/image-decoders/jpegxl/JPEGXLImageDecoder.cpp @@ -300,7 +300,8 @@ JxlDecoderStatus JPEGXLImageDecoder::processInput(Query query) if (query == Query::Size) { // setSize() must be called only if the query is Query::Size, // otherwise this would roll back the encoded data status from completed. - setSize(IntSize(m_basicInfo->xsize, m_basicInfo->ysize)); + if (!setSize(IntSize(m_basicInfo->xsize, m_basicInfo->ysize))) + return JXL_DEC_ERROR; return status; } which is sufficient. We could also optionally do something like: diff --git a/Source/WebCore/platform/image-decoders/jpegxl/JPEGXLImageDecoder.cpp b/Source/WebCore/platform/image-decoders/jpegxl/JPEGXLImageDecoder.cpp diff --git a/Source/WebCore/platform/image-decoders/jpegxl/JPEGXLImageDecoder.cpp b/Source/WebCore/platform/image-decoders/jpegxl/JPEGXLImageDecoder.cpp index f79847eeefeb..8025c739c7ca 100644 --- a/Source/WebCore/platform/image-decoders/jpegxl/JPEGXLImageDecoder.cpp +++ b/Source/WebCore/platform/image-decoders/jpegxl/JPEGXLImageDecoder.cpp @@ -271,6 +271,8 @@ void JPEGXLImageDecoder::decode(Query query, size_t frameIndex, bool allDataRece return; } + ASSERT(!failed()); + size_t remainingDataSize = JxlDecoderReleaseInput(m_decoder.get()); m_readOffset = dataSize - remainingDataSize; } Or even: 
diff --git a/Source/WebCore/platform/image-decoders/jpegxl/JPEGXLImageDecoder.cpp b/Source/WebCore/platform/image-decoders/jpegxl/JPEGXLImageDecoder.cpp index f79847eeefeb..f0ad4dce6a8a 100644 --- a/Source/WebCore/platform/image-decoders/jpegxl/JPEGXLImageDecoder.cpp +++ b/Source/WebCore/platform/image-decoders/jpegxl/JPEGXLImageDecoder.cpp @@ -271,6 +271,9 @@ void JPEGXLImageDecoder::decode(Query query, size_t frameIndex, bool allDataRece return; } + if (failed()) + return; + size_t remainingDataSize = JxlDecoderReleaseInput(m_decoder.get()); m_readOffset = dataSize - remainingDataSize; }
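Review bot: the `if (!setSize(IntSize(m_basicInfo->xsize, m_basicInfo->ysize))) return JXL_DEC_ERROR;` change in the processInput() hunk is correct only because, as the comment above explains, setSize() has already called the virtual setFailed() and cleared m_decoder before it returns false; a one-line comment next to the return saying that m_decoder is gone at this point would keep a later reader from collapsing it back to a bare setSize() call. Since comment 4 notes that fast/images/image-size-unsigned-overflow.html is skipped in platform/glib/TestExpectations and platform/win/TestExpectations, this hunk should land together with that Skip removed so the crash path stays covered.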
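Review bot: the second patch carries a duplicated `diff --git a/Source/WebCore/platform/image-decoders/jpegxl/JPEGXLImageDecoder.cpp ...` header line, so it will not apply as pasted; drop the repeat. On the content, `ASSERT(!failed());` compiles out in release builds, so it documents the invariant that decode() never reaches JxlDecoderReleaseInput() with a failed decoder but does nothing to prevent the null dereference in production; it is a debug aid that only makes sense on top of the processInput() change, not a fix on its own.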
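Review bot: `if (failed()) return;` ahead of `JxlDecoderReleaseInput(m_decoder.get())` is the more robust of the two optional hunks, because setFailed() is virtual and clears m_decoder on every failure path, not only the setSize() one that this bug hit; if only one of the optional hunks is taken, prefer this one over the ASSERT, and add a short comment that the early return deliberately leaves m_readOffset untouched because the decoder state it describes no longer exists.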
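The failure mode Michael describes above, a virtual setFailed() clearing m_decoder in the middle of setSize() and decode() then handing the cleared handle to libjxl, as a self-contained C++ model. This is an added example, not code from WebKit or libjxl: FakeJxlDecoder, fakeReleaseInput(), ImageDecoderBase, JpegXlLikeDecoder, the kMaxPixels limit and the Fix flags are all constructed here. The real JxlDecoderReleaseInput() reads dec->avail_in unconditionally (the SIGSEGV at frame #0), whereas the stand-in records a null handle instead of crashing so the buggy path can be run to completion. The image dimensions are the 512752x256376 from the report; the 48-byte header size matches the dataSize local in the bt full. Going beyond the report, the two patches from comment 3 are modelled as independently switchable fixes so the example shows that either one alone is enough to stop the dereference.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <memory>

// Constructed stand-in for libjxl's opaque JxlDecoder handle.
struct FakeJxlDecoder {
    size_t availIn = 0;
};

// Instrumented stand-in for JxlDecoderReleaseInput(). The real function reads
// dec->avail_in unconditionally, which is the SIGSEGV at frame #0 of the report
// when dec is null; this version records the null handle instead of crashing
// so the example can run to completion.
bool g_nullHandleDereferenced = false;
size_t fakeReleaseInput(FakeJxlDecoder* dec) {
    if (!dec) { g_nullHandleDereferenced = true; return 0; }
    return dec->availIn;
}

enum class JxlStatus { Success, Error };
enum class Query { Size, Frame };
enum Fix : unsigned { kFixNone = 0, kFixPropagateSetSize = 1, kFixCheckFailed = 2 };

// Shape of ScalableImageDecoder: setSize() rejects unreasonable dimensions by
// calling the *virtual* setFailed(), so a subclass override runs in the middle
// of the base-class call and may tear down state the caller still expects.
class ImageDecoderBase {
public:
    virtual ~ImageDecoderBase() = default;
    bool failed() const { return m_failed; }
    virtual void setFailed() { m_failed = true; }
protected:
    // Constructed limit for this example; WebKit's own check is an overflow test
    // on the image area (see the skipped image-size-unsigned-overflow test).
    static constexpr uint64_t kMaxPixels = 16384ull * 16384ull;
    bool setSize(uint32_t w, uint32_t h) {
        if (uint64_t(w) * h > kMaxPixels) { setFailed(); return false; }
        m_width = w; m_height = h;
        return true;
    }
private:
    uint32_t m_width = 0, m_height = 0;
    bool m_failed = false;
};

class JpegXlLikeDecoder final : public ImageDecoderBase {
public:
    JpegXlLikeDecoder(uint32_t xsize, uint32_t ysize, unsigned fixes)
        : m_decoder(std::make_unique<FakeJxlDecoder>()), m_xsize(xsize), m_ysize(ysize), m_fixes(fixes) {}

    // Like JPEGXLImageDecoder::setFailed(): release the libjxl handle as soon as
    // the decode is dead. From here on m_decoder.get() is null.
    void setFailed() override { m_decoder.reset(); ImageDecoderBase::setFailed(); }

    // Shape of JPEGXLImageDecoder::decode(): feed input, process the query, then
    // ask libjxl how much of the input it left unconsumed.
    bool decode(Query query) {
        const size_t dataSize = 48;             // header bytes fed (constructed; matches the bt full)
        m_decoder->availIn = dataSize;
        if (processInput(query) == JxlStatus::Error)
            return false;
        // Second hunk from comment 3 ("if (failed()) return;"): setFailed() may
        // have run inside processInput() via the virtual call, so m_decoder must
        // not be touched once failed() is set.
        if ((m_fixes & kFixCheckFailed) && failed())
            return false;
        size_t remaining = fakeReleaseInput(m_decoder.get());   // null handle on the buggy path
        m_readOffset = dataSize - remaining;
        return true;
    }
    size_t readOffset() const { return m_readOffset; }

private:
    JxlStatus processInput(Query query) {
        m_decoder->availIn = 0;                 // the stand-in "consumes" the whole header
        if (query == Query::Size) {
            // First hunk from comment 3: turn a rejected size into a decode error
            // instead of ignoring setSize()'s return value.
            bool ok = setSize(m_xsize, m_ysize);
            if ((m_fixes & kFixPropagateSetSize) && !ok)
                return JxlStatus::Error;
        }
        return JxlStatus::Success;
    }
    std::unique_ptr<FakeJxlDecoder> m_decoder;
    uint32_t m_xsize, m_ysize;
    unsigned m_fixes;
    size_t m_readOffset = 0;
};

// Runs the Size query with the dimensions from the report and reports whether the
// cleared libjxl handle was dereferenced afterwards.
bool sizeQueryDereferencesClearedHandle(unsigned fixes) {
    g_nullHandleDereferenced = false;
    JpegXlLikeDecoder decoder(512752, 256376, fixes);
    decoder.decode(Query::Size);
    return g_nullHandleDereferenced;
}

// A sane image must still decode with the fixes in place: 48 header bytes consumed.
size_t readOffsetForSmallImage(unsigned fixes) {
    JpegXlLikeDecoder decoder(640, 480, fixes);
    return decoder.decode(Query::Size) && !decoder.failed() ? decoder.readOffset() : 0;
}

int main() {
    std::printf("no fix: null handle dereferenced = %d\n", sizeQueryDereferencesClearedHandle(kFixNone));
    std::printf("setSize fix: %d, failed() check: %d\n",
        sizeQueryDereferencesClearedHandle(kFixPropagateSetSize),
        sizeQueryDereferencesClearedHandle(kFixCheckFailed));
    std::printf("640x480 read offset with both fixes: %zu\n",
        readOffsetForSmallImage(kFixPropagateSetSize | kFixCheckFailed));
    return 0;
}
```

The design point the model makes explicit is that any base-class helper which can invoke a virtual failure hook must be treated as a point where subclass-owned resources may vanish; the defensive `failed()` check before the libjxl call holds regardless of which path called setFailed(), while propagating setSize()'s result only covers the size path.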
Michael Catanzaro
Comment 4 2025-10-27 16:20:09 PDT
Using Firefox's inspector, I figured out why GitHub is using an image of such ridiculous size. The image that is failing is: https://raw.githubusercontent.com/WebKit/WebKit/9beb1ac7b5ecdebbd59c7ad44f2fd4ff54711d96/LayoutTests/fast/images/resources/512752x256376.jpg Safe to say we can't blame GitHub for this one :D and also that this is definitely covered by existing tests, hooray. No clue why GitHub is displaying this random test image in the commit history view, but whatever. Unfortunately, we are skipping the test fast/images/image-size-unsigned-overflow.html in platform/glib/TestExpectations and platform/win/TestExpectations. Too bad. It probably should have been marked as Crash rather than Skip. I wonder if we can remove that Skip now.
Michael Catanzaro
Comment 5 2025-10-27 16:31:00 PDT
EWS
Comment 6 2025-10-28 06:39:11 PDT
Committed 302235@main (92abf9e11b92): <https://commits.webkit.org/302235@main> Reviewed commits have been landed. Closing PR #53054 and removing active labels.
Radar WebKit Bug Importer
Comment 7 2025-10-28 06:40:13 PDT