How libavif Decodes Corrupted and Truncated AVIFs

This article examines how libavif, the reference library for the AV1 Image File Format (AVIF), handles corrupted or truncated image bitstreams. It details the library’s multi-layered validation process, explaining how it parses the container structure, delegates payload decoding to AV1 codecs, returns specific error codes, and maintains security when encountering malformed data.

Container-Level Validation (ISOBMFF)

An AVIF file is structured using the ISO Base Media File Format (ISOBMFF). Before any image data is sent to the AV1 decoder, libavif parses this container structure.

If a file is truncated or corrupted at the container level, the library’s parser detects missing or malformed boxes (such as ftyp, meta, or iprp). If critical metadata or layout information is missing, libavif stops decoding at that point and returns an error code, typically AVIF_RESULT_BMFF_PARSE_FAILED or AVIF_RESULT_TRUNCATED_DATA, so that no memory is allocated for an image whose data is incomplete.
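As an added illustration (not libavif’s own code), the following standalone C walks the top-level ISOBMFF boxes the way the container check above describes: it reads each box header, treats a box that claims more bytes than remain in the buffer as truncated, requires ftyp to come first, and requires meta and mdat to be present. The result names mirror libavif’s avifResult values, but the enum, the function check_avif_container and the SAMPLE bytes are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Result codes named after libavif's avifResult values; this enum is constructed here. */
typedef enum {
    RESULT_OK = 0,
    RESULT_BMFF_PARSE_FAILED, /* a box header is malformed or cut off */
    RESULT_TRUNCATED_DATA,    /* a box claims more bytes than the buffer holds */
    RESULT_INVALID_FTYP,      /* the first box is not 'ftyp' */
    RESULT_NO_CONTENT         /* no 'meta' or no 'mdat' box was found */
} ContainerResult;

static uint32_t rd32(const uint8_t *p) { /* big-endian 32-bit read */
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Walk the top-level ISOBMFF boxes and validate their layout before any payload
 * would be handed to an AV1 decoder. Every declared size is checked against the
 * bytes actually present, so nothing is allocated for data that is not there. */
ContainerResult check_avif_container(const uint8_t *data, size_t len) {
    size_t off = 0;
    int seen_meta = 0, seen_mdat = 0, first = 1;
    while (off < len) {
        if (len - off < 8) return RESULT_BMFF_PARSE_FAILED; /* header itself is cut off */
        uint64_t size = rd32(data + off);
        const uint8_t *type = data + off + 4;
        size_t hdr = 8;
        if (size == 1) { /* 64-bit "largesize" follows the type field */
            if (len - off < 16) return RESULT_BMFF_PARSE_FAILED;
            size = ((uint64_t)rd32(data + off + 8) << 32) | rd32(data + off + 12);
            hdr = 16;
        } else if (size == 0) {
            size = len - off; /* box extends to end of file */
        }
        if (size < hdr) return RESULT_BMFF_PARSE_FAILED;    /* cannot even cover its header */
        if (size > len - off) return RESULT_TRUNCATED_DATA; /* file ends inside this box */
        if (first && memcmp(type, "ftyp", 4) != 0) return RESULT_INVALID_FTYP;
        first = 0;
        if (memcmp(type, "meta", 4) == 0) seen_meta = 1;
        if (memcmp(type, "mdat", 4) == 0) seen_mdat = 1;
        off += (size_t)size;
    }
    return (seen_meta && seen_mdat) ? RESULT_OK : RESULT_NO_CONTENT;
}

/* Constructed sample: ftyp(avif, minor 0) + empty meta + 4-byte mdat payload. */
static const uint8_t SAMPLE[] = {
    0,0,0,16, 'f','t','y','p', 'a','v','i','f', 0,0,0,0, 0,0,0,8, 'm','e','t','a',
    0,0,0,12, 'm','d','a','t', 0xDE,0xAD,0xBE,0xEF };
```

Passing the full SAMPLE (36 bytes) yields RESULT_OK, while passing it two bytes short yields RESULT_TRUNCATED_DATA because the mdat box declares 12 bytes but only 10 remain.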

Decoder-Level Validation (AV1 Bitstream)

Once the container structure is validated, libavif extracts the raw AV1 bitstream from the Media Data (mdat) box and passes it to an underlying AV1 decoder, such as dav1d or libaom.

Error Reporting and Return Codes

libavif does not crash when encountering malformed files. Instead, it reports each failure through the avifResult enum, so callers can distinguish the cause of a rejected decode. Common results returned during failed decodes include:

Security and Memory Safety

Because AVIF files are widely used on the web, libavif is designed with strict security boundaries to prevent exploits like buffer overflows or out-of-bounds reads. The library is continuously fuzzed via projects like Google’s OSS-Fuzz. This testing ensures that even highly corrupted, malicious, or randomly mutated bitstreams are safely rejected without compromising the host system’s memory safety.