/src/libtheora/lib/decinfo.c
Line | Count | Source (jump to first uncovered line) |
1 | | /******************************************************************** |
2 | | * * |
3 | | * THIS FILE IS PART OF THE OggTheora SOFTWARE CODEC SOURCE CODE. * |
4 | | * USE, DISTRIBUTION AND REPRODUCTION OF THIS LIBRARY SOURCE IS * |
5 | | * GOVERNED BY A BSD-STYLE SOURCE LICENSE INCLUDED WITH THIS SOURCE * |
6 | | * IN 'COPYING'. PLEASE READ THESE TERMS BEFORE DISTRIBUTING. * |
7 | | * * |
8 | | * THE Theora SOURCE CODE IS COPYRIGHT (C) 2002-2009 * |
9 | | * by the Xiph.Org Foundation and contributors http://www.xiph.org/ * |
10 | | * * |
11 | | ******************************************************************** |
12 | | |
13 | | function: |
14 | | last mod: $Id$ |
15 | | |
16 | | ********************************************************************/ |
17 | | |
18 | | #include <stdlib.h> |
19 | | #include <string.h> |
20 | | #include <limits.h> |
21 | | #include "decint.h" |
22 | | |
23 | | /*Only used for fuzzing.*/ |
24 | | #if defined(HAVE_MEMORY_CONSTRAINT) |
25 | | static const int MAX_FUZZING_WIDTH = 16384; |
26 | | static const int MAX_FUZZING_HEIGHT = 16384; |
27 | | #endif |
28 | | |
29 | | |
30 | | /*Unpacks a series of octets from a given byte array into the pack buffer. |
31 | | No checking is done to ensure the buffer contains enough data. |
32 | | _opb: The pack buffer to read the octets from. |
33 | | _buf: The byte array to store the unpacked bytes in. |
34 | | _len: The number of octets to unpack.*/ |
35 | 36.0k | static void oc_unpack_octets(oc_pack_buf *_opb,char *_buf,size_t _len){ |
36 | 841k | while(_len-->0){ |
37 | 805k | long val; |
38 | 805k | val=oc_pack_read(_opb,8); |
39 | 805k | *_buf++=(char)val; |
40 | 805k | } |
41 | 36.0k | } |
42 | | |
43 | | /*Unpacks a 32-bit integer encoded by octets in little-endian form.*/ |
44 | 32.7k | static long oc_unpack_length(oc_pack_buf *_opb){ |
45 | 32.7k | long ret[4]; |
46 | 32.7k | int i; |
47 | 163k | for(i=0;i<4;i++)ret[i]=oc_pack_read(_opb,8); |
48 | 32.7k | return ret[0]|ret[1]<<8|ret[2]<<16|ret[3]<<24; |
49 | 32.7k | } |
50 | | |
51 | 2.02k | static int oc_info_unpack(oc_pack_buf *_opb,th_info *_info){ |
52 | 2.02k | long val; |
53 | | /*Check the codec bitstream version.*/ |
54 | 2.02k | val=oc_pack_read(_opb,8); |
55 | 2.02k | _info->version_major=(unsigned char)val; |
56 | 2.02k | val=oc_pack_read(_opb,8); |
57 | 2.02k | _info->version_minor=(unsigned char)val; |
58 | 2.02k | val=oc_pack_read(_opb,8); |
59 | 2.02k | _info->version_subminor=(unsigned char)val; |
60 | | /*verify we can parse this bitstream version. |
61 | | We accept earlier minors and all subminors, by spec*/ |
62 | 2.02k | if(_info->version_major>TH_VERSION_MAJOR|| |
63 | 2.02k | (_info->version_major==TH_VERSION_MAJOR&& |
64 | 2.01k | _info->version_minor>TH_VERSION_MINOR)){ |
65 | 15 | return TH_EVERSION; |
66 | 15 | } |
67 | | /*Read the encoded frame description.*/ |
68 | 2.01k | val=oc_pack_read(_opb,16); |
69 | 2.01k | _info->frame_width=(ogg_uint32_t)val<<4; |
70 | 2.01k | val=oc_pack_read(_opb,16); |
71 | 2.01k | _info->frame_height=(ogg_uint32_t)val<<4; |
72 | 2.01k | val=oc_pack_read(_opb,24); |
73 | 2.01k | _info->pic_width=(ogg_uint32_t)val; |
74 | 2.01k | val=oc_pack_read(_opb,24); |
75 | 2.01k | _info->pic_height=(ogg_uint32_t)val; |
76 | 2.01k | val=oc_pack_read(_opb,8); |
77 | 2.01k | _info->pic_x=(ogg_uint32_t)val; |
78 | 2.01k | val=oc_pack_read(_opb,8); |
79 | 2.01k | _info->pic_y=(ogg_uint32_t)val; |
80 | 2.01k | val=oc_pack_read(_opb,32); |
81 | 2.01k | _info->fps_numerator=(ogg_uint32_t)val; |
82 | 2.01k | val=oc_pack_read(_opb,32); |
83 | 2.01k | _info->fps_denominator=(ogg_uint32_t)val; |
84 | 2.01k | if(_info->frame_width==0||_info->frame_height==0|| |
85 | 2.01k | _info->pic_width+_info->pic_x>_info->frame_width|| |
86 | 2.01k | _info->pic_height+_info->pic_y>_info->frame_height|| |
87 | 2.01k | _info->fps_numerator==0||_info->fps_denominator==0){ |
88 | 158 | return TH_EBADHEADER; |
89 | 158 | } |
90 | | #if defined(HAVE_MEMORY_CONSTRAINT) |
91 | | if(_info->frame_width>=MAX_FUZZING_WIDTH&&_info->frame_height>=MAX_FUZZING_HEIGHT){ |
92 | | return TH_EBADHEADER; |
93 | | } |
94 | | #endif |
95 | | /*Note: The sense of pic_y is inverted in what we pass back to the |
96 | | application compared to how it is stored in the bitstream. |
97 | | This is because the bitstream uses a right-handed coordinate system, while |
98 | | applications expect a left-handed one.*/ |
99 | 1.85k | _info->pic_y=_info->frame_height-_info->pic_height-_info->pic_y; |
100 | 1.85k | val=oc_pack_read(_opb,24); |
101 | 1.85k | _info->aspect_numerator=(ogg_uint32_t)val; |
102 | 1.85k | val=oc_pack_read(_opb,24); |
103 | 1.85k | _info->aspect_denominator=(ogg_uint32_t)val; |
104 | 1.85k | val=oc_pack_read(_opb,8); |
105 | 1.85k | _info->colorspace=(th_colorspace)val; |
106 | 1.85k | val=oc_pack_read(_opb,24); |
107 | 1.85k | _info->target_bitrate=(int)val; |
108 | 1.85k | val=oc_pack_read(_opb,6); |
109 | 1.85k | _info->quality=(int)val; |
110 | 1.85k | val=oc_pack_read(_opb,5); |
111 | 1.85k | _info->keyframe_granule_shift=(int)val; |
112 | 1.85k | val=oc_pack_read(_opb,2); |
113 | 1.85k | _info->pixel_fmt=(th_pixel_fmt)val; |
114 | 1.85k | if(_info->pixel_fmt==TH_PF_RSVD)return TH_EBADHEADER; |
115 | 1.85k | val=oc_pack_read(_opb,3); |
116 | 1.85k | if(val!=0||oc_pack_bytes_left(_opb)<0)return TH_EBADHEADER; |
117 | 1.79k | return 0; |
118 | 1.85k | } |
119 | | |
120 | 1.72k | static int oc_comment_unpack(oc_pack_buf *_opb,th_comment *_tc){ |
121 | 1.72k | long len; |
122 | 1.72k | int i; |
123 | | /*Read the vendor string.*/ |
124 | 1.72k | len=oc_unpack_length(_opb); |
125 | 1.72k | if(len<0||len>oc_pack_bytes_left(_opb))return TH_EBADHEADER; |
126 | 1.64k | _tc->vendor=_ogg_malloc((size_t)len+1); |
127 | 1.64k | if(_tc->vendor==NULL)return TH_EFAULT; |
128 | 1.64k | oc_unpack_octets(_opb,_tc->vendor,len); |
129 | 1.64k | _tc->vendor[len]='\0'; |
130 | | /*Read the user comments.*/ |
131 | 1.64k | _tc->comments=(int)oc_unpack_length(_opb); |
132 | 1.64k | len=_tc->comments; |
133 | 1.64k | if(len<0||len>(LONG_MAX>>2)||len<<2>oc_pack_bytes_left(_opb)){ |
134 | 126 | _tc->comments=0; |
135 | 126 | return TH_EBADHEADER; |
136 | 126 | } |
137 | 1.51k | _tc->comment_lengths=(int *)_ogg_malloc( |
138 | 1.51k | _tc->comments*sizeof(_tc->comment_lengths[0])); |
139 | 1.51k | _tc->user_comments=(char **)_ogg_malloc( |
140 | 1.51k | _tc->comments*sizeof(_tc->user_comments[0])); |
141 | 1.51k | if(_tc->comment_lengths==NULL||_tc->user_comments==NULL){ |
142 | 0 | _tc->comments=0; |
143 | 0 | return TH_EFAULT; |
144 | 0 | } |
145 | 30.7k | for(i=0;i<_tc->comments;i++){ |
146 | 29.3k | len=oc_unpack_length(_opb); |
147 | 29.3k | if(len<0||len>oc_pack_bytes_left(_opb)){ |
148 | 121 | _tc->comments=i; |
149 | 121 | return TH_EBADHEADER; |
150 | 121 | } |
151 | 29.2k | _tc->comment_lengths[i]=len; |
152 | 29.2k | _tc->user_comments[i]=_ogg_malloc((size_t)len+1); |
153 | 29.2k | if(_tc->user_comments[i]==NULL){ |
154 | 0 | _tc->comments=i; |
155 | 0 | return TH_EFAULT; |
156 | 0 | } |
157 | 29.2k | oc_unpack_octets(_opb,_tc->user_comments[i],len); |
158 | 29.2k | _tc->user_comments[i][len]='\0'; |
159 | 29.2k | } |
160 | 1.39k | return oc_pack_bytes_left(_opb)<0?TH_EBADHEADER:0; |
161 | 1.51k | } |
162 | | |
163 | 1.34k | static int oc_setup_unpack(oc_pack_buf *_opb,th_setup_info *_setup){ |
164 | 1.34k | int ret; |
165 | | /*Read the quantizer tables.*/ |
166 | 1.34k | ret=oc_quant_params_unpack(_opb,&_setup->qinfo); |
167 | 1.34k | if(ret<0)return ret; |
168 | | /*Read the Huffman trees.*/ |
169 | 1.32k | return oc_huff_trees_unpack(_opb,_setup->huff_tables); |
170 | 1.34k | } |
171 | | |
172 | 1.34k | static void oc_setup_clear(th_setup_info *_setup){ |
173 | 1.34k | oc_quant_params_clear(&_setup->qinfo); |
174 | 1.34k | oc_huff_trees_clear(_setup->huff_tables); |
175 | 1.34k | } |
176 | | |
177 | | static int oc_dec_headerin(oc_pack_buf *_opb,th_info *_info, |
178 | 5.23k | th_comment *_tc,th_setup_info **_setup,ogg_packet *_op){ |
179 | 5.23k | char buffer[6]; |
180 | 5.23k | long val; |
181 | 5.23k | int packtype; |
182 | 5.23k | int ret; |
183 | 5.23k | val=oc_pack_read(_opb,8); |
184 | 5.23k | packtype=(int)val; |
185 | | /*If we're at a data packet...*/ |
186 | 5.23k | if(!(packtype&0x80)){ |
187 | | /*Check to make sure we received all three headers... |
188 | | If we haven't seen any valid headers, assume this is not actually |
189 | | Theora.*/ |
190 | 51 | if(_info->frame_width<=0)return TH_ENOTFORMAT; |
191 | | /*Follow our documentation, which says we'll return TH_EFAULT if this |
192 | | are NULL (_info was checked by our caller).*/ |
193 | 19 | if(_tc==NULL)return TH_EFAULT; |
194 | | /*And if any other headers were missing, declare this packet "out of |
195 | | sequence" instead.*/ |
196 | 19 | if(_tc->vendor==NULL)return TH_EBADHEADER; |
197 | | /*Don't check this until it's needed, since we allow passing NULL for the |
198 | | arguments that we're not expecting the next header to fill in yet.*/ |
199 | 2 | if(_setup==NULL)return TH_EFAULT; |
200 | 2 | if(*_setup==NULL)return TH_EBADHEADER; |
201 | | /*If we got everything, we're done.*/ |
202 | 0 | return 0; |
203 | 2 | } |
204 | | /*Check the codec string.*/ |
205 | 5.18k | oc_unpack_octets(_opb,buffer,6); |
206 | 5.18k | if(memcmp(buffer,"theora",6)!=0)return TH_ENOTFORMAT; |
207 | 5.13k | switch(packtype){ |
208 | | /*Codec info header.*/ |
209 | 2.04k | case 0x80:{ |
210 | | /*This should be the first packet, and we should not already be |
211 | | initialized.*/ |
212 | 2.04k | if(!_op->b_o_s||_info->frame_width>0)return TH_EBADHEADER; |
213 | 2.02k | ret=oc_info_unpack(_opb,_info); |
214 | 2.02k | if(ret<0)th_info_clear(_info); |
215 | 1.79k | else ret=3; |
216 | 2.02k | }break; |
217 | | /*Comment header.*/ |
218 | 1.72k | case 0x81:{ |
219 | 1.72k | if(_tc==NULL)return TH_EFAULT; |
220 | | /*We shoud have already decoded the info header, and should not yet have |
221 | | decoded the comment header.*/ |
222 | 1.72k | if(_info->frame_width==0||_tc->vendor!=NULL)return TH_EBADHEADER; |
223 | 1.72k | ret=oc_comment_unpack(_opb,_tc); |
224 | 1.72k | if(ret<0)th_comment_clear(_tc); |
225 | 1.39k | else ret=2; |
226 | 1.72k | }break; |
227 | | /*Codec setup header.*/ |
228 | 1.36k | case 0x82:{ |
229 | 1.36k | oc_setup_info *setup; |
230 | 1.36k | if(_tc==NULL||_setup==NULL)return TH_EFAULT; |
231 | | /*We should have already decoded the info header and the comment header, |
232 | | and should not yet have decoded the setup header.*/ |
233 | 1.36k | if(_info->frame_width==0||_tc->vendor==NULL||*_setup!=NULL){ |
234 | 17 | return TH_EBADHEADER; |
235 | 17 | } |
236 | 1.34k | setup=(oc_setup_info *)_ogg_calloc(1,sizeof(*setup)); |
237 | 1.34k | if(setup==NULL)return TH_EFAULT; |
238 | 1.34k | ret=oc_setup_unpack(_opb,setup); |
239 | 1.34k | if(ret<0){ |
240 | 227 | oc_setup_clear(setup); |
241 | 227 | _ogg_free(setup); |
242 | 227 | } |
243 | 1.11k | else{ |
244 | 1.11k | *_setup=setup; |
245 | 1.11k | ret=1; |
246 | 1.11k | } |
247 | 1.34k | }break; |
248 | 1 | default:{ |
249 | | /*We don't know what this header is.*/ |
250 | 1 | return TH_EBADHEADER; |
251 | 1.34k | }break; |
252 | 5.13k | } |
253 | 5.09k | return ret; |
254 | 5.13k | } |
255 | | |
256 | | |
257 | | /*Decodes one header packet. |
258 | | This should be called repeatedly with the packets at the beginning of the |
259 | | stream until it returns 0.*/ |
260 | | int th_decode_headerin(th_info *_info,th_comment *_tc, |
261 | 5.23k | th_setup_info **_setup,ogg_packet *_op){ |
262 | 5.23k | oc_pack_buf opb; |
263 | 5.23k | if(_op==NULL)return TH_EBADHEADER; |
264 | 5.23k | if(_info==NULL)return TH_EFAULT; |
265 | 5.23k | oc_pack_readinit(&opb,_op->packet,_op->bytes); |
266 | 5.23k | return oc_dec_headerin(&opb,_info,_tc,_setup,_op); |
267 | 5.23k | } |
268 | | |
269 | 1.11k | void th_setup_free(th_setup_info *_setup){ |
270 | 1.11k | if(_setup!=NULL){ |
271 | 1.11k | oc_setup_clear(_setup); |
272 | 1.11k | _ogg_free(_setup); |
273 | 1.11k | } |
274 | 1.11k | } |