libwebp VS libavif

The thing that concerns me most is looking at the fix it is very difficult to see why this fix is correct. It also appears as there is lots of code without explicit bounds checks. It makes me worried because while the logic may be safe this makes the logic very complex. I wonder what the cost would be to add an explicit, local bounds check at every array access. This would serve as a backup that is much easier to verify. I suspect the cost would be relatively small. Small enough that I personally would be happy to pay it.

https://github.com/webmproject/libwebp/commit/902bc919033134...

This is also a great reminded that fuzzing isn't a solution to memory unsafe languages and libraries. If anything the massive amount of bugs found via fuzzing should scare us as it is likely only scratching the surface of the vulnerabilities that still lie in the code, a couple too many branches away from being likely to be found by fuzzing.

There's a follow-up fix, according to Debian[0]: https://github.com/webmproject/libwebp/commit/95ea5226c87044...

[0]: https://security-tracker.debian.org/tracker/CVE-2023-4863

The breakage [0] was introduced by the creator [1] of the project. If you want to audit 1674 commits over the past 12 years, it'd be easier to just audit the full project.

[0] https://github.com/webmproject/libwebp/commit/21735e06f7c1cb...

[1] https://github.com/webmproject/libwebp/commit/c3f41cb47e5f32...

If you like the command line, then you can use ffmpeg and ImageMagick, or use libwebp directly

The webp parser code is open source. Which means that even if Google decides to hide/obscure the code for webp, they'd legally not be allowed to prevent you from using older versions of the webp parser library. The only thing they could do is patent it, and then companies in the US (which has software patents, unfortunately) would have to pay royalties to decode it anyway; but here comes the next point

It's 2023, surely this is not yet another bug related to memory unsafety that could be avoided if we'd stop writing critical code that deals with extremely complex untrusted input (media codecs) in memory unsafe languages?

Yep, of course it is: https://github.com/webmproject/libwebp/commit/902bc919033134...

I guess libwebp could be excused as it was started when there were no alternatives, but even for new projects today we're still committing the same mistake[1][2][3].

[1] -- https://code.videolan.org/videolan/dav1d

[2] -- https://github.com/AOMediaCodec/libavif

[3] -- https://github.com/AOMediaCodec/libiamf

Yep. Keep writing these in C; surely nothing will go wrong.

As far as I understand you are talking about this plugin. I don't know c++ and half of the code was like a black magic, but if I get it correctly, it encodes your images with libavif, and adds custom metadata ([solar/time of day] -> json -> base64).

So a few dozen comments, but so far it doesn't look like any mention the immediate thing that jumped out at me which was the claims vs AVIF:

>"In turn, what users will be given is yet another facet of the web that Google itself controls: the AVIF format."

Huh? I'll admit I haven't been following codecs as super ultra closely as I used to, but I thought AOM was a pretty broad coalition of varying interests and AV1 an open, royalty free codec that was plenty open source friendly? I've heard plenty of reasonable arguments that JPEG XL has some real technical advantages over AVIF and as well as superior performance is much more feature rich and scalable. So I could see people being bummed for that. But this is the first time I've heard the assertion that it's somehow a Google project? I mean, AOM's libavif reference is BSD too [0]? I'd love some more details on that from anyone who has been following this more closely. I can even understand if AOM isn't as community friendly and an accusation that it's dominated by big corps, but in that case why single out Google alone? From wiki:

>The governing members of the Alliance for Open Media are Amazon, Apple, ARM, Cisco, Facebook, Google, Huawei, Intel, Microsoft, Mozilla, Netflix, Nvidia, Samsung Electronics and Tencent.

Like, Google is certainly significant, but that's a lot of equally heavy hitters. And interesting that Mozilla is there too.

----

0: https://github.com/AOMediaCodec/libavif

> You have a good point that AVIF layered image items can act like such P/B-frames. Do libavif (or other AVIF implementations if any) make use of them?

Seemingly. As search for "libavif progressive encoding" shows several issues about this, and a search for "progressive" in https://github.com/AOMediaCodec/libavif/blob/main/include/av... shows an enum for avifProgressiveState, appears to show support for it.

I mean, it already has it: https://github.com/AOMediaCodec/libavif/commit/570c42c2c10a878c8cc896f1c5daf1a955274142

Apart from mpv and ffplay, the only software I currently have installed that can play animated AVIF is Chromium. And from what I've read from this libavif bug report, I'm not sure if looping animated files in general is something that's just done by default by a lot of software regardless of whether the file is marked as a loop or not.

The support for progressive AVIF decoding has landed in libavif and in Chromium. But are there any docs on how to create and test progressive AVIF images?

The "for example" is the key here, because AVIF does support multi-layer coding per the spec now (though not currently implemented in libavif from what I can tell).

libavif is at version 0.11.1, see https://github.com/AOMediaCodec/libavif/tags