| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274 | /******************************************************************** *                                                                  * * THIS FILE IS PART OF THE OggTheora SOFTWARE CODEC SOURCE CODE.   * * USE, DISTRIBUTION AND REPRODUCTION OF THIS LIBRARY SOURCE IS     * * GOVERNED BY A BSD-STYLE SOURCE LICENSE INCLUDED WITH THIS SOURCE * * IN 'COPYING'. PLEASE READ THESE TERMS BEFORE DISTRIBUTING.       * *                                                                  * * THE Theora SOURCE CODE IS COPYRIGHT (C) 2002-2009                * * by the Xiph.Org Foundation and contributors http://www.xiph.org/ * *                                                                  * ********************************************************************  function:    last mod: $Id$ ********************************************************************/#include <stdlib.h>#include <string.h>#include <limits.h>#include "decint.h"/*Only used for fuzzing.*/#if defined(HAVE_MEMORY_CONSTRAINT)static const int MAX_FUZZING_WIDTH = 16384;static const int MAX_FUZZING_HEIGHT = 16384;#endif/*Unpacks a series of octets from a given byte array into the pack buffer.  No checking is done to ensure the buffer contains enough data.  _opb: The pack buffer to read the octets from.  _buf: The byte array to store the unpacked bytes in.  _len: The number of octets to unpack.*/static void oc_unpack_octets(oc_pack_buf *_opb,char *_buf,size_t _len){  while(_len-->0){    long val;    val=oc_pack_read(_opb,8);    *_buf++=(char)val;  }}/*Unpacks a 32-bit integer encoded by octets in little-endian form.*/static long oc_unpack_length(oc_pack_buf *_opb){  long ret[4];  int  i;  for(i=0;i<4;i++)ret[i]=oc_pack_read(_opb,8);  return ret[0]|ret[1]<<8|ret[2]<<16|ret[3]<<24;}static int oc_info_unpack(oc_pack_buf *_opb,th_info *_info){  long val;  /*Check the codec bitstream version.*/  val=oc_pack_read(_opb,8);  _info->version_major=(unsigned char)val;  val=oc_pack_read(_opb,8);  _info->version_minor=(unsigned char)val;  val=oc_pack_read(_opb,8);  _info->version_subminor=(unsigned char)val;  /*verify we can parse this bitstream version.     We accept earlier minors and all subminors, by spec*/  if(_info->version_major>TH_VERSION_MAJOR||   (_info->version_major==TH_VERSION_MAJOR&&   _info->version_minor>TH_VERSION_MINOR)){    return TH_EVERSION;  }  /*Read the encoded frame description.*/  val=oc_pack_read(_opb,16);  _info->frame_width=(ogg_uint32_t)val<<4;  val=oc_pack_read(_opb,16);  _info->frame_height=(ogg_uint32_t)val<<4;  val=oc_pack_read(_opb,24);  _info->pic_width=(ogg_uint32_t)val;  val=oc_pack_read(_opb,24);  _info->pic_height=(ogg_uint32_t)val;  val=oc_pack_read(_opb,8);  _info->pic_x=(ogg_uint32_t)val;  val=oc_pack_read(_opb,8);  _info->pic_y=(ogg_uint32_t)val;  val=oc_pack_read(_opb,32);  _info->fps_numerator=(ogg_uint32_t)val;  val=oc_pack_read(_opb,32);  _info->fps_denominator=(ogg_uint32_t)val;  if(_info->frame_width==0||_info->frame_height==0||   _info->pic_width+_info->pic_x>_info->frame_width||   _info->pic_height+_info->pic_y>_info->frame_height||   _info->fps_numerator==0||_info->fps_denominator==0){    return TH_EBADHEADER;  }#if defined(HAVE_MEMORY_CONSTRAINT)  if(_info->frame_width>=MAX_FUZZING_WIDTH&&_info->frame_height>=MAX_FUZZING_HEIGHT){    return TH_EBADHEADER;  }#endif  /*Note: The sense of pic_y is inverted in what we pass back to the     application compared to how it is stored in the bitstream.    This is because the bitstream uses a right-handed coordinate system, while     applications expect a left-handed one.*/  _info->pic_y=_info->frame_height-_info->pic_height-_info->pic_y;  val=oc_pack_read(_opb,24);  _info->aspect_numerator=(ogg_uint32_t)val;  val=oc_pack_read(_opb,24);  _info->aspect_denominator=(ogg_uint32_t)val;  val=oc_pack_read(_opb,8);  _info->colorspace=(th_colorspace)val;  val=oc_pack_read(_opb,24);  _info->target_bitrate=(int)val;  val=oc_pack_read(_opb,6);  _info->quality=(int)val;  val=oc_pack_read(_opb,5);  _info->keyframe_granule_shift=(int)val;  val=oc_pack_read(_opb,2);  _info->pixel_fmt=(th_pixel_fmt)val;  if(_info->pixel_fmt==TH_PF_RSVD)return TH_EBADHEADER;  val=oc_pack_read(_opb,3);  if(val!=0||oc_pack_bytes_left(_opb)<0)return TH_EBADHEADER;  return 0;}static int oc_comment_unpack(oc_pack_buf *_opb,th_comment *_tc){  long len;  int  i;  /*Read the vendor string.*/  len=oc_unpack_length(_opb);  if(len<0||len>oc_pack_bytes_left(_opb))return TH_EBADHEADER;  _tc->vendor=_ogg_malloc((size_t)len+1);  if(_tc->vendor==NULL)return TH_EFAULT;  oc_unpack_octets(_opb,_tc->vendor,len);  _tc->vendor[len]='\0';  /*Read the user comments.*/  _tc->comments=(int)oc_unpack_length(_opb);  len=_tc->comments;  if(len<0||len>(LONG_MAX>>2)||len<<2>oc_pack_bytes_left(_opb)){    _tc->comments=0;    return TH_EBADHEADER;  }  _tc->comment_lengths=(int *)_ogg_malloc(   _tc->comments*sizeof(_tc->comment_lengths[0]));  _tc->user_comments=(char **)_ogg_malloc(   _tc->comments*sizeof(_tc->user_comments[0]));  if(_tc->comment_lengths==NULL||_tc->user_comments==NULL){    _tc->comments=0;    return TH_EFAULT;  }  for(i=0;i<_tc->comments;i++){    len=oc_unpack_length(_opb);    if(len<0||len>oc_pack_bytes_left(_opb)){      _tc->comments=i;      return TH_EBADHEADER;    }    _tc->comment_lengths[i]=len;    _tc->user_comments[i]=_ogg_malloc((size_t)len+1);    if(_tc->user_comments[i]==NULL){      _tc->comments=i;      return TH_EFAULT;    }    oc_unpack_octets(_opb,_tc->user_comments[i],len);    _tc->user_comments[i][len]='\0';  }  return oc_pack_bytes_left(_opb)<0?TH_EBADHEADER:0;}static int oc_setup_unpack(oc_pack_buf *_opb,th_setup_info *_setup){  int ret;  /*Read the quantizer tables.*/  ret=oc_quant_params_unpack(_opb,&_setup->qinfo);  if(ret<0)return ret;  /*Read the Huffman trees.*/  return oc_huff_trees_unpack(_opb,_setup->huff_tables);}static void oc_setup_clear(th_setup_info *_setup){  oc_quant_params_clear(&_setup->qinfo);  oc_huff_trees_clear(_setup->huff_tables);}static int oc_dec_headerin(oc_pack_buf *_opb,th_info *_info, th_comment *_tc,th_setup_info **_setup,ogg_packet *_op){  char buffer[6];  long val;  int  packtype;  int  ret;  val=oc_pack_read(_opb,8);  packtype=(int)val;  /*If we're at a data packet...*/  if(!(packtype&0x80)){    /*Check to make sure we received all three headers...      If we haven't seen any valid headers, assume this is not actually       Theora.*/    if(_info->frame_width<=0)return TH_ENOTFORMAT;    /*Follow our documentation, which says we'll return TH_EFAULT if this       are NULL (_info was checked by our caller).*/    if(_tc==NULL)return TH_EFAULT;    /*And if any other headers were missing, declare this packet "out of       sequence" instead.*/    if(_tc->vendor==NULL)return TH_EBADHEADER;    /*Don't check this until it's needed, since we allow passing NULL for the       arguments that we're not expecting the next header to fill in yet.*/    if(_setup==NULL)return TH_EFAULT;    if(*_setup==NULL)return TH_EBADHEADER;    /*If we got everything, we're done.*/    return 0;  }  /*Check the codec string.*/  oc_unpack_octets(_opb,buffer,6);  if(memcmp(buffer,"theora",6)!=0)return TH_ENOTFORMAT;  switch(packtype){    /*Codec info header.*/    case 0x80:{      /*This should be the first packet, and we should not already be         initialized.*/      if(!_op->b_o_s||_info->frame_width>0)return TH_EBADHEADER;      ret=oc_info_unpack(_opb,_info);      if(ret<0)th_info_clear(_info);      else ret=3;    }break;    /*Comment header.*/    case 0x81:{      if(_tc==NULL)return TH_EFAULT;      /*We shoud have already decoded the info header, and should not yet have         decoded the comment header.*/      if(_info->frame_width==0||_tc->vendor!=NULL)return TH_EBADHEADER;      ret=oc_comment_unpack(_opb,_tc);      if(ret<0)th_comment_clear(_tc);      else ret=2;    }break;    /*Codec setup header.*/    case 0x82:{      oc_setup_info *setup;      if(_tc==NULL||_setup==NULL)return TH_EFAULT;      /*We should have already decoded the info header and the comment header,         and should not yet have decoded the setup header.*/      if(_info->frame_width==0||_tc->vendor==NULL||*_setup!=NULL){        return TH_EBADHEADER;      }      setup=(oc_setup_info *)_ogg_calloc(1,sizeof(*setup));      if(setup==NULL)return TH_EFAULT;      ret=oc_setup_unpack(_opb,setup);      if(ret<0){        oc_setup_clear(setup);        _ogg_free(setup);      }      else{        *_setup=setup;        ret=1;      }    }break;    default:{      /*We don't know what this header is.*/      return TH_EBADHEADER;    }break;  }  return ret;}/*Decodes one header packet.  This should be called repeatedly with the packets at the beginning of the   stream until it returns 0.*/int th_decode_headerin(th_info *_info,th_comment *_tc, th_setup_info **_setup,ogg_packet *_op){  oc_pack_buf opb;  if(_op==NULL)return TH_EBADHEADER;  if(_info==NULL)return TH_EFAULT;  oc_pack_readinit(&opb,_op->packet,_op->bytes);  return oc_dec_headerin(&opb,_info,_tc,_setup,_op);}void th_setup_free(th_setup_info *_setup){  if(_setup!=NULL){    oc_setup_clear(_setup);    _ogg_free(_setup);  }}
 |