Closed Bug 1799787 Opened 2 years ago Closed 2 years ago

In a AV1 fuzzing testcase with profile=2 and reduced_still_picture=true, an AV1ChangeMonitor assert fails

Categories

(Core :: Audio/Video: Playback, defect)

defect

Tracking

()

RESOLVED FIXED
108 Branch
Tracking Status
firefox108 --- fixed

People

(Reporter: Zaggy1024, Assigned: Zaggy1024)

References

Details

Attachments

(1 file)

In Bug 1798782, a WebM AV1 testcase's sequence header is read incorrectly, causing an assertion failure in AV1ChangeMonitor due to the subsampling fields being invalid for profile 2 (Professional).

For the sequence header of a reduced still picture sample in profile 2, the reading function will incorrectly skip color_config(), which should be called according to spec. This causes the function to not set the subsampling x and y values to their appropriate values for the profile.

The stack trace of the assertion failure from Bug 1798782 comment 1:

Assertion failure: wroteSequenceHeader, at /builds/worker/checkouts/gecko/dom/media/platforms/wrappers/MediaChangeMonitor.cpp:384

#0 0x7f7fb322d40d in mozilla::AV1ChangeMonitor::UpdateConfig(mozilla::AOMDecoder::AV1SequenceInfo const&) /builds/worker/checkouts/gecko/dom/media/platforms/wrappers/MediaChangeMonitor.cpp:384:5
#1 0x7f7fb322d7fb in mozilla::AV1ChangeMonitor::CheckForChange(mozilla::MediaRawData*) /builds/worker/checkouts/gecko/dom/media/platforms/wrappers/MediaChangeMonitor.cpp:425:5
#2 0x7f7fb3222c1d in mozilla::MediaChangeMonitor::CreateDecoderAndInit(mozilla::MediaRawData*) /builds/worker/checkouts/gecko/dom/media/platforms/wrappers/MediaChangeMonitor.cpp:723:36
#3 0x7f7fb3222002 in mozilla::MediaChangeMonitor::CheckForChange(mozilla::MediaRawData*) /builds/worker/checkouts/gecko/dom/media/platforms/wrappers/MediaChangeMonitor.cpp:835:12
#4 0x7f7fb3221994 in mozilla::MediaChangeMonitor::Decode(mozilla::MediaRawData*) /builds/worker/checkouts/gecko/dom/media/platforms/wrappers/MediaChangeMonitor.cpp:546:20
#5 0x7f7fb3237f7a in operator() /builds/worker/checkouts/gecko/dom/media/platforms/wrappers/MediaDataDecoderProxy.cpp:31:33
#6 0x7f7fb3237f7a in mozilla::detail::ProxyFunctionRunnable<mozilla::MediaDataDecoderProxy::Decode(mozilla::MediaRawData*)::$_18, mozilla::MozPromise<nsTArray<RefPtr<mozilla::MediaData> >, mozilla::MediaResult, true> >::Run() /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:1645:29
#7 0x7f7faf1a3245 in mozilla::TaskQueue::Runner::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskQueue.cpp:259:20
#8 0x7f7faf1bf3af in nsThreadPool::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadPool.cpp:309:14
#9 0x7f7faf1b6314 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1198:16
#10 0x7f7faf1bca5d in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:465:10
#11 0x7f7fafdb9adb in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:300:20
#12 0x7f7fafcdbf77 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
#13 0x7f7fafcdbe82 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
#14 0x7f7fafcdbe82 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
#15 0x7f7faf1b16c6 in nsThread::ThreadFunc(void*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:383:10
#16 0x7f7fc3c20e27 in _pt_root /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:201:5
#17 0x7f7fc44cbb42 in start_thread nptl/./nptl/pthread_create.c:442:8
#18 0x7f7fc455d9ff  misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:81

AOMDecoder::ReadSequenceHeaderInfo() previously was not reading color information when reduced_still_picture is set, causing an assertion failure when reading a Professional (profile 2) file with it set, because subsampling_y is true by default when it must be false for Professional.

Pushed by zaggy1024@gmail.com: https://hg.mozilla.org/integration/autoland/rev/a02414474194 Read color information when reduced_still_picture is set in AV1 headers. r=alwu
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 108 Branch
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: