How is libavif Used in Chromium Architecture?
This article explores how the Chromium web browser integrates and
utilizes the libavif library to decode and render AV1 Image
File Format (AVIF) images. It details the architectural placement of
libavif within Chromium’s multi-process model, its
relationship with the Blink rendering engine, and the security measures
applied during image decoding.
Integration in the Third-Party Directory
Chromium incorporates libavif as a third-party
dependency located within its source tree at
//third_party/libavif. As an open-source library maintained
by AOMedia, libavif acts as a multiplexer/demultiplexer for
AVIF container files (HEIF/BMFF). However, libavif itself
does not decode the underlying compressed AV1 video frames.
To achieve full decoding, Chromium links libavif with
its internal AV1 video decoders. In most standard builds, Chromium
configures libavif to use libaom (the Alliance
for Open Media’s reference decoder) or dav1d (the highly
optimized AV1 decoder developed by VideoLAN) to parse and decode the
pixel data.
The Blink Rendering Engine and AVIFImageDecoder
The Blink rendering engine is responsible for parsing HTML and CSS and for orchestrating the rendering of web pages. When Blink encounters an AVIF image, it routes the data through its unified image decoding pipeline:
- Detection: The image data stream is identified as AVIF via its magic bytes (the ftyp box in the ISO Base Media File Format).
- Instantiation: Blink instantiates the AVIFImageDecoder class, which inherits from blink::ImageDecoder.
- Delegation: AVIFImageDecoder acts as a wrapper that translates Blink’s decoding requests into C API calls recognized by libavif.
- Parsing: libavif parses the container metadata (such as color profiles, alpha channel configurations, transforms, and grid layouts).
- Decoding: The underlying AV1 payloads are passed to the designated AV1 decoder (dav1d or libaom), which outputs raw YUV or RGB pixel buffers.
Once decoded, the image frames are handed over to Skia, Chromium’s graphics engine, for color space conversion, scaling, and ultimate compositing onto the user’s screen.
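The Detection step above, as an added C++ example (not Chromium’s or libavif’s own code): a bounds-checked sniffer for the leading ftyp box that treats the declared box size as untrusted input. The names SniffAvif, SniffResult and kSampleFtyp and the 4096-byte cap are assumptions made for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>

enum class SniffResult { kAvif, kNotAvif, kNeedMoreData };

// Constructed sample (not real file data): 28-byte ftyp box, major brand "avif".
const uint8_t kSampleFtyp[] = {0, 0, 0, 28, 'f', 't', 'y', 'p', 'a', 'v',
                               'i', 'f', 0, 0, 0, 0, 'a', 'v', 'i', 'f',
                               'm', 'i', 'f', '1', 'm', 'i', 'a', 'f'};

static uint32_t ReadBE32(const uint8_t* p) {  // caller guarantees 4 bytes
  return (uint32_t{p[0]} << 24) | (uint32_t{p[1]} << 16) |
         (uint32_t{p[2]} << 8) | uint32_t{p[3]};
}

static bool IsAvifBrand(const uint8_t* p) {  // still image or image sequence
  return std::memcmp(p, "avif", 4) == 0 || std::memcmp(p, "avis", 4) == 0;
}

// Hypothetical helper: does `data` start with an ftyp box naming an AVIF brand?
SniffResult SniffAvif(const uint8_t* data, size_t len) {
  if (len < 8) return SniffResult::kNeedMoreData;
  if (std::memcmp(data + 4, "ftyp", 4) != 0) return SniffResult::kNotAvif;

  uint64_t box_size = ReadBE32(data);
  size_t header = 8;
  if (box_size == 0) return SniffResult::kNotAvif;  // "to EOF": no meta box
  if (box_size == 1) {  // 64-bit largesize follows the type field
    if (len < 16) return SniffResult::kNeedMoreData;
    box_size = (uint64_t{ReadBE32(data + 8)} << 32) | ReadBE32(data + 12);
    header = 16;
  }
  if (box_size < header + 8) return SniffResult::kNotAvif;  // brand + version
  // Assumed cap: a huge declared size must not force unbounded buffering.
  constexpr uint64_t kMaxFtypSize = 4096;
  if (box_size > kMaxFtypSize) return SniffResult::kNotAvif;
  if (len < box_size) return SniffResult::kNeedMoreData;

  const uint8_t* body = data + header;
  const size_t body_len = static_cast<size_t>(box_size) - header;
  if (IsAvifBrand(body)) return SniffResult::kAvif;  // major_brand
  // compatible_brands[] begin after major_brand and minor_version.
  for (size_t off = 8; off + 4 <= body_len; off += 4)
    if (IsAvifBrand(body + off)) return SniffResult::kAvif;
  return SniffResult::kNotAvif;
}

int main() { return SniffAvif(kSampleFtyp, sizeof kSampleFtyp) == SniffResult::kAvif ? 0 : 1; }
```

Returning kNeedMoreData lets a streaming caller wait for more bytes instead of classifying a truncated header.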
Sandboxing and Multi-Process Security
Because image decoders parse untrusted, highly complex binary data from the internet, they are primary targets for security exploits. Chromium mitigates this risk by enforcing a strict sandboxing architecture:
- Isolated Renderer Processes: The AVIFImageDecoder and the linked libavif library run entirely within the restricted Renderer Process.
- Privilege Minimization: The Renderer Process has zero direct access to the local file system, network, or physical hardware devices.
- Exploit Containment: If a malicious AVIF file exploits a memory vulnerability (such as a buffer overflow) in libavif or the underlying AV1 decoder, the attacker remains confined to the highly restricted sandbox, which prevents them from directly compromising the host operating system.
Performance Optimization and Feature Support
Chromium leverages specific features of libavif to
ensure fast loading times and smooth rendering:
- Incremental Decoding: libavif allows Chromium to decode and display images progressively as they download, improving the user’s perceived loading speed.
- Animation Support: For animated AVIFs, Chromium utilizes libavif to parse sequence tracks, managing frame timings and looping behaviors directly within the browser’s compositing lifecycle.
- Color Space Accuracy: libavif extracts ICC profiles and High Dynamic Range (HDR) metadata, which Chromium passes to its internal color management system to ensure accurate color reproduction across different displays.