libwebp
libavif
| | libwebp | libavif |
|---|---|---|
| Mentions | 13 | 44 |
| Stars | 1,908 | 1,370 |
| Growth | 1.9% | 4.5% |
| Activity | 8.7 | 9.7 |
| Latest commit | 5 days ago | 3 days ago |
| Language | C | C |
| License | BSD 3-clause "New" or "Revised" License | GNU General Public License v3.0 or later |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
libwebp
- Google assigns a CVE for libwebp and gives it a 10.0 score
The thing that concerns me most is that, looking at the fix, it is very difficult to see why this fix is correct. It also appears that there is lots of code without explicit bounds checks. It makes me worried because while the logic may be safe, this makes the logic very complex. I wonder what the cost would be to add an explicit, local bounds check at every array access. This would serve as a backup that is much easier to verify. I suspect the cost would be relatively small. Small enough that I personally would be happy to pay it.
https://github.com/webmproject/libwebp/commit/902bc919033134...
This is also a great reminder that fuzzing isn't a solution to memory-unsafe languages and libraries. If anything, the massive amount of bugs found via fuzzing should scare us, as it is likely only scratching the surface of the vulnerabilities that still lie in the code, a couple too many branches away from being likely to be found by fuzzing.
- The WebP 0day
There's a follow-up fix, according to Debian[0]: https://github.com/webmproject/libwebp/commit/95ea5226c87044...
[0]: https://security-tracker.debian.org/tracker/CVE-2023-4863
- CVE-2023-4863: Heap buffer overflow in WebP (Chrome)
The breakage [0] was introduced by the creator [1] of the project. If you want to audit 1674 commits over the past 12 years, it'd be easier to just audit the full project.
[0] https://github.com/webmproject/libwebp/commit/21735e06f7c1cb...
[1] https://github.com/webmproject/libwebp/commit/c3f41cb47e5f32...
- Convenient CPU feature detection and dispatch in the Magnum Engine
- What's going on with .webp and why are more and more internet images being converted to it?
If you like the command line, then you can use ffmpeg and ImageMagick, or use libwebp directly
- What's up with people hating WebP?
The webp parser code is open source, which means that even if Google decides to hide/obscure the code for webp, they'd legally not be allowed to prevent you from using older versions of the webp parser library. The only thing they could do is patent it, and then companies in the US (which has software patents, unfortunately) would have to pay royalties to decode it anyway; but here comes the next point
libavif
- CVE-2023-4863: Heap buffer overflow in WebP (Chrome)
It's 2023, surely this is not yet another bug related to memory unsafety that could be avoided if we'd stop writing critical code that deals with extremely complex untrusted input (media codecs) in memory unsafe languages?
Yep, of course it is: https://github.com/webmproject/libwebp/commit/902bc919033134...
I guess libwebp could be excused as it was started when there were no alternatives, but even for new projects today we're still committing the same mistake[1][2][3].
[1] -- https://code.videolan.org/videolan/dav1d
[2] -- https://github.com/AOMediaCodec/libavif
[3] -- https://github.com/AOMediaCodec/libiamf
Yep. Keep writing these in C; surely nothing will go wrong.
- Libavif 1.0 Released
- Is there any clear documentation on how to make avif collections and how to read them?
As far as I understand you are talking about this plugin. I don't know C++ and half of the code was like black magic, but if I get it correctly, it encodes your images with libavif and adds custom metadata ([solar/time of day] -> json -> base64).
- FSF Slams Google over Dropping JPEG-XL in Chrome
So a few dozen comments, but so far it doesn't look like any mention the immediate thing that jumped out at me which was the claims vs AVIF:
>"In turn, what users will be given is yet another facet of the web that Google itself controls: the AVIF format."
Huh? I'll admit I haven't been following codecs as super ultra closely as I used to, but I thought AOM was a pretty broad coalition of varying interests and AV1 an open, royalty-free codec that was plenty open source friendly? I've heard plenty of reasonable arguments that JPEG XL has some real technical advantages over AVIF and, as well as superior performance, is much more feature rich and scalable. So I could see people being bummed about that. But this is the first time I've heard the assertion that it's somehow a Google project? I mean, AOM's libavif reference is BSD too [0]? I'd love some more details on that from anyone who has been following this more closely. I can even understand if AOM isn't as community friendly and an accusation that it's dominated by big corps, but in that case why single out Google alone? From wiki:
>The governing members of the Alliance for Open Media are Amazon, Apple, ARM, Cisco, Facebook, Google, Huawei, Intel, Microsoft, Mozilla, Netflix, Nvidia, Samsung Electronics and Tencent.
Like, Google is certainly significant, but that's a lot of equally heavy hitters. And interesting that Mozilla is there too.
----
0: https://github.com/AOMediaCodec/libavif
- JPEG XL support has officially been removed from Chromium
> You have a good point that AVIF layered image items can act like such P/B-frames. Do libavif (or other AVIF implementations if any) make use of them?
Seemingly. A search for "libavif progressive encoding" shows several issues about this, and a search for "progressive" in https://github.com/AOMediaCodec/libavif/blob/main/include/av... shows an enum avifProgressiveState, which appears to show support for it.
- Wavif discussion
I mean, it already has it: https://github.com/AOMediaCodec/libavif/commit/570c42c2c10a878c8cc896f1c5daf1a955274142
- Animated AVIF and JXL tools for Windows
Apart from mpv and ffplay, the only software I currently have installed that can play animated AVIF is Chromium. And from what I've read from this libavif bug report, I'm not sure if looping animated files in general is something that's just done by default by a lot of software regardless of whether the file is marked as a loop or not.
- How to create progressive AVIF images?
The support for progressive AVIF decoding has landed in libavif and in Chromium. But are there any docs on how to create and test progressive AVIF images?
- The Case for JPEG XL
The "for example" is the key here, because AVIF does support multi-layer coding per the spec now (though not currently implemented in libavif from what I can tell).
- Google Outlines Why They Are Removing JPEG-XL Support From Chrome
libavif is at version 0.11.1, see https://github.com/AOMediaCodec/libavif/tags
What are some alternatives?
libjpeg-turbo - Main libjpeg-turbo repository
rav1e - The fastest and safest AV1 encoder.
Save-webP-as-extension - Firefox extension to overlay format and JPEG quality buttons on inline or stand-alone images for quickly saving a converted version of the image.
cavif-rs - AVIF image creator in pure Rust
BrowserBoxPro - :cyclone: BrowserBox is Web application virtualization via zero trust remote browser isolation and secure document gateway technology. Embed secure unrestricted webviews on any device in a regular webpage. Multiplayer embeddable browsers, open source! [Moved to: https://github.com/BrowserBox/BrowserBox]
av1-avif - AV1 Image File Format Specification - ISO-BMFF/HEIF derivative
image - [mirror] Go supplementary image libraries
libjxl - JPEG XL image format reference implementation
Electron - :electron: Build cross-platform desktop apps with JavaScript, HTML, and CSS
WebKit - Home of the WebKit project, the browser engine used by Safari, Mail, App Store and many other applications on macOS, iOS and Linux.
zlib-ng - zlib replacement with optimizations for "next generation" systems.
benchmarks - Test images and results of compression benchmarks.