1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3 * V4L2 JPEG header parser helpers.
4 *
5 * Copyright (C) 2019 Pengutronix, Philipp Zabel <kernel@pengutronix.de>
6 *
7 * For reference, see JPEG ITU-T.81 (ISO/IEC 10918-1) [1]
8 *
9 * [1] https://www.w3.org/Graphics/JPEG/itu-t81.pdf
10 */
11
12 #include <asm/unaligned.h>
13 #include <linux/errno.h>
14 #include <linux/kernel.h>
15 #include <linux/module.h>
16 #include <linux/types.h>
17 #include <media/v4l2-jpeg.h>
18
19 MODULE_DESCRIPTION("V4L2 JPEG header parser helpers");
20 MODULE_AUTHOR("Philipp Zabel <kernel@pengutronix.de>");
21 MODULE_LICENSE("GPL");
22
23 /* Table B.1 - Marker code assignments */
24 #define SOF0 0xffc0 /* start of frame */
25 #define SOF1 0xffc1
26 #define SOF2 0xffc2
27 #define SOF3 0xffc3
28 #define SOF5 0xffc5
29 #define SOF7 0xffc7
30 #define JPG 0xffc8 /* extensions */
31 #define SOF9 0xffc9
32 #define SOF11 0xffcb
33 #define SOF13 0xffcd
34 #define SOF15 0xffcf
35 #define DHT 0xffc4 /* huffman table */
36 #define DAC 0xffcc /* arithmetic coding conditioning */
37 #define RST0 0xffd0 /* restart */
38 #define RST7 0xffd7
39 #define SOI 0xffd8 /* start of image */
40 #define EOI 0xffd9 /* end of image */
41 #define SOS 0xffda /* start of stream */
42 #define DQT 0xffdb /* quantization table */
43 #define DNL 0xffdc /* number of lines */
44 #define DRI 0xffdd /* restart interval */
45 #define DHP 0xffde /* hierarchical progression */
46 #define EXP 0xffdf /* expand reference */
47 #define APP0 0xffe0 /* application data */
48 #define APP15 0xffef
49 #define JPG0 0xfff0 /* extensions */
50 #define JPG13 0xfffd
51 #define COM 0xfffe /* comment */
52 #define TEM 0xff01 /* temporary */
53
54 /**
55 * struct jpeg_stream - JPEG byte stream
56 * @curr: current position in stream
57 * @end: end position, after last byte
58 */
59 struct jpeg_stream {
60 u8 *curr;
61 u8 *end;
62 };
63
64 /* returns a value that fits into u8, or negative error */
jpeg_get_byte(struct jpeg_stream * stream)65 static int jpeg_get_byte(struct jpeg_stream *stream)
66 {
67 if (stream->curr >= stream->end)
68 return -EINVAL;
69
70 return *stream->curr++;
71 }
72
73 /* returns a value that fits into u16, or negative error */
jpeg_get_word_be(struct jpeg_stream * stream)74 static int jpeg_get_word_be(struct jpeg_stream *stream)
75 {
76 u16 word;
77
78 if (stream->curr + sizeof(__be16) > stream->end)
79 return -EINVAL;
80
81 word = get_unaligned_be16(stream->curr);
82 stream->curr += sizeof(__be16);
83
84 return word;
85 }
86
jpeg_skip(struct jpeg_stream * stream,size_t len)87 static int jpeg_skip(struct jpeg_stream *stream, size_t len)
88 {
89 if (stream->curr + len > stream->end)
90 return -EINVAL;
91
92 stream->curr += len;
93
94 return 0;
95 }
96
jpeg_next_marker(struct jpeg_stream * stream)97 static int jpeg_next_marker(struct jpeg_stream *stream)
98 {
99 int byte;
100 u16 marker = 0;
101
102 while ((byte = jpeg_get_byte(stream)) >= 0) {
103 marker = (marker << 8) | byte;
104 /* skip stuffing bytes and REServed markers */
105 if (marker == TEM || (marker > 0xffbf && marker < 0xffff))
106 return marker;
107 }
108
109 return byte;
110 }
111
112 /* this does not advance the current position in the stream */
jpeg_reference_segment(struct jpeg_stream * stream,struct v4l2_jpeg_reference * segment)113 static int jpeg_reference_segment(struct jpeg_stream *stream,
114 struct v4l2_jpeg_reference *segment)
115 {
116 u16 len;
117
118 if (stream->curr + sizeof(__be16) > stream->end)
119 return -EINVAL;
120
121 len = get_unaligned_be16(stream->curr);
122 if (stream->curr + len > stream->end)
123 return -EINVAL;
124
125 segment->start = stream->curr;
126 segment->length = len;
127
128 return 0;
129 }
130
v4l2_jpeg_decode_subsampling(u8 nf,u8 h_v)131 static int v4l2_jpeg_decode_subsampling(u8 nf, u8 h_v)
132 {
133 if (nf == 1)
134 return V4L2_JPEG_CHROMA_SUBSAMPLING_GRAY;
135
136 /* no chroma subsampling for 4-component images */
137 if (nf == 4 && h_v != 0x11)
138 return -EINVAL;
139
140 switch (h_v) {
141 case 0x11:
142 return V4L2_JPEG_CHROMA_SUBSAMPLING_444;
143 case 0x21:
144 return V4L2_JPEG_CHROMA_SUBSAMPLING_422;
145 case 0x22:
146 return V4L2_JPEG_CHROMA_SUBSAMPLING_420;
147 case 0x41:
148 return V4L2_JPEG_CHROMA_SUBSAMPLING_411;
149 default:
150 return -EINVAL;
151 }
152 }
153
jpeg_parse_frame_header(struct jpeg_stream * stream,u16 sof_marker,struct v4l2_jpeg_frame_header * frame_header)154 static int jpeg_parse_frame_header(struct jpeg_stream *stream, u16 sof_marker,
155 struct v4l2_jpeg_frame_header *frame_header)
156 {
157 int len = jpeg_get_word_be(stream);
158
159 if (len < 0)
160 return len;
161 /* Lf = 8 + 3 * Nf, Nf >= 1 */
162 if (len < 8 + 3)
163 return -EINVAL;
164
165 if (frame_header) {
166 /* Table B.2 - Frame header parameter sizes and values */
167 int p, y, x, nf;
168 int i;
169
170 p = jpeg_get_byte(stream);
171 if (p < 0)
172 return p;
173 /*
174 * Baseline DCT only supports 8-bit precision.
175 * Extended sequential DCT also supports 12-bit precision.
176 */
177 if (p != 8 && (p != 12 || sof_marker != SOF1))
178 return -EINVAL;
179
180 y = jpeg_get_word_be(stream);
181 if (y < 0)
182 return y;
183 if (y == 0)
184 return -EINVAL;
185
186 x = jpeg_get_word_be(stream);
187 if (x < 0)
188 return x;
189 if (x == 0)
190 return -EINVAL;
191
192 nf = jpeg_get_byte(stream);
193 if (nf < 0)
194 return nf;
195 /*
196 * The spec allows 1 <= Nf <= 255, but we only support up to 4
197 * components.
198 */
199 if (nf < 1 || nf > V4L2_JPEG_MAX_COMPONENTS)
200 return -EINVAL;
201 if (len != 8 + 3 * nf)
202 return -EINVAL;
203
204 frame_header->precision = p;
205 frame_header->height = y;
206 frame_header->width = x;
207 frame_header->num_components = nf;
208
209 for (i = 0; i < nf; i++) {
210 struct v4l2_jpeg_frame_component_spec *component;
211 int c, h_v, tq;
212
213 c = jpeg_get_byte(stream);
214 if (c < 0)
215 return c;
216
217 h_v = jpeg_get_byte(stream);
218 if (h_v < 0)
219 return h_v;
220 if (i == 0) {
221 int subs;
222
223 subs = v4l2_jpeg_decode_subsampling(nf, h_v);
224 if (subs < 0)
225 return subs;
226 frame_header->subsampling = subs;
227 } else if (h_v != 0x11) {
228 /* all chroma sampling factors must be 1 */
229 return -EINVAL;
230 }
231
232 tq = jpeg_get_byte(stream);
233 if (tq < 0)
234 return tq;
235
236 component = &frame_header->component[i];
237 component->component_identifier = c;
238 component->horizontal_sampling_factor =
239 (h_v >> 4) & 0xf;
240 component->vertical_sampling_factor = h_v & 0xf;
241 component->quantization_table_selector = tq;
242 }
243 } else {
244 return jpeg_skip(stream, len - 2);
245 }
246
247 return 0;
248 }
249
jpeg_parse_scan_header(struct jpeg_stream * stream,struct v4l2_jpeg_scan_header * scan_header)250 static int jpeg_parse_scan_header(struct jpeg_stream *stream,
251 struct v4l2_jpeg_scan_header *scan_header)
252 {
253 size_t skip;
254 int len = jpeg_get_word_be(stream);
255
256 if (len < 0)
257 return len;
258 /* Ls = 8 + 3 * Ns, Ns >= 1 */
259 if (len < 6 + 2)
260 return -EINVAL;
261
262 if (scan_header) {
263 int ns;
264 int i;
265
266 ns = jpeg_get_byte(stream);
267 if (ns < 0)
268 return ns;
269 if (ns < 1 || ns > 4 || len != 6 + 2 * ns)
270 return -EINVAL;
271
272 scan_header->num_components = ns;
273
274 for (i = 0; i < ns; i++) {
275 struct v4l2_jpeg_scan_component_spec *component;
276 int cs, td_ta;
277
278 cs = jpeg_get_byte(stream);
279 if (cs < 0)
280 return cs;
281
282 td_ta = jpeg_get_byte(stream);
283 if (td_ta < 0)
284 return td_ta;
285
286 component = &scan_header->component[i];
287 component->component_selector = cs;
288 component->dc_entropy_coding_table_selector =
289 (td_ta >> 4) & 0xf;
290 component->ac_entropy_coding_table_selector =
291 td_ta & 0xf;
292 }
293
294 skip = 3; /* skip Ss, Se, Ah, and Al */
295 } else {
296 skip = len - 2;
297 }
298
299 return jpeg_skip(stream, skip);
300 }
301
302 /* B.2.4.1 Quantization table-specification syntax */
jpeg_parse_quantization_tables(struct jpeg_stream * stream,u8 precision,struct v4l2_jpeg_reference * tables)303 static int jpeg_parse_quantization_tables(struct jpeg_stream *stream,
304 u8 precision,
305 struct v4l2_jpeg_reference *tables)
306 {
307 int len = jpeg_get_word_be(stream);
308
309 if (len < 0)
310 return len;
311 /* Lq = 2 + n * 65 (for baseline DCT), n >= 1 */
312 if (len < 2 + 65)
313 return -EINVAL;
314
315 len -= 2;
316 while (len >= 65) {
317 u8 pq, tq, *qk;
318 int ret;
319 int pq_tq = jpeg_get_byte(stream);
320
321 if (pq_tq < 0)
322 return pq_tq;
323
324 /* quantization table element precision */
325 pq = (pq_tq >> 4) & 0xf;
326 /*
327 * Only 8-bit Qk values for 8-bit sample precision. Extended
328 * sequential DCT with 12-bit sample precision also supports
329 * 16-bit Qk values.
330 */
331 if (pq != 0 && (pq != 1 || precision != 12))
332 return -EINVAL;
333
334 /* quantization table destination identifier */
335 tq = pq_tq & 0xf;
336 if (tq > 3)
337 return -EINVAL;
338
339 /* quantization table element */
340 qk = stream->curr;
341 ret = jpeg_skip(stream, pq ? 128 : 64);
342 if (ret < 0)
343 return -EINVAL;
344
345 if (tables) {
346 tables[tq].start = qk;
347 tables[tq].length = pq ? 128 : 64;
348 }
349
350 len -= pq ? 129 : 65;
351 }
352
353 return 0;
354 }
355
356 /* B.2.4.2 Huffman table-specification syntax */
jpeg_parse_huffman_tables(struct jpeg_stream * stream,struct v4l2_jpeg_reference * tables)357 static int jpeg_parse_huffman_tables(struct jpeg_stream *stream,
358 struct v4l2_jpeg_reference *tables)
359 {
360 int mt;
361 int len = jpeg_get_word_be(stream);
362
363 if (len < 0)
364 return len;
365 /* Table B.5 - Huffman table specification parameter sizes and values */
366 if (len < 2 + 17)
367 return -EINVAL;
368
369 for (len -= 2; len >= 17; len -= 17 + mt) {
370 u8 tc, th, *table;
371 int tc_th = jpeg_get_byte(stream);
372 int i, ret;
373
374 if (tc_th < 0)
375 return tc_th;
376
377 /* table class - 0 = DC, 1 = AC */
378 tc = (tc_th >> 4) & 0xf;
379 if (tc > 1)
380 return -EINVAL;
381
382 /* huffman table destination identifier */
383 th = tc_th & 0xf;
384 /* only two Huffman tables for baseline DCT */
385 if (th > 1)
386 return -EINVAL;
387
388 /* BITS - number of Huffman codes with length i */
389 table = stream->curr;
390 mt = 0;
391 for (i = 0; i < 16; i++) {
392 int li;
393
394 li = jpeg_get_byte(stream);
395 if (li < 0)
396 return li;
397
398 mt += li;
399 }
400 /* HUFFVAL - values associated with each Huffman code */
401 ret = jpeg_skip(stream, mt);
402 if (ret < 0)
403 return ret;
404
405 if (tables) {
406 tables[(tc << 1) | th].start = table;
407 tables[(tc << 1) | th].length = stream->curr - table;
408 }
409 }
410
411 return jpeg_skip(stream, len - 2);
412 }
413
414 /* B.2.4.4 Restart interval definition syntax */
jpeg_parse_restart_interval(struct jpeg_stream * stream,u16 * restart_interval)415 static int jpeg_parse_restart_interval(struct jpeg_stream *stream,
416 u16 *restart_interval)
417 {
418 int len = jpeg_get_word_be(stream);
419 int ri;
420
421 if (len < 0)
422 return len;
423 if (len != 4)
424 return -EINVAL;
425
426 ri = jpeg_get_word_be(stream);
427 if (ri < 0)
428 return ri;
429
430 *restart_interval = ri;
431
432 return 0;
433 }
434
jpeg_skip_segment(struct jpeg_stream * stream)435 static int jpeg_skip_segment(struct jpeg_stream *stream)
436 {
437 int len = jpeg_get_word_be(stream);
438
439 if (len < 0)
440 return len;
441 if (len < 2)
442 return -EINVAL;
443
444 return jpeg_skip(stream, len - 2);
445 }
446
447 /**
448 * jpeg_parse_header - locate marker segments and optionally parse headers
449 * @buf: address of the JPEG buffer, should start with a SOI marker
450 * @len: length of the JPEG buffer
451 * @out: returns marker segment positions and optionally parsed headers
452 *
453 * The out->scan_header pointer must be initialized to NULL or point to a valid
454 * v4l2_jpeg_scan_header structure. The out->huffman_tables and
455 * out->quantization_tables pointers must be initialized to NULL or point to a
456 * valid array of 4 v4l2_jpeg_reference structures each.
457 *
458 * Returns 0 or negative error if parsing failed.
459 */
v4l2_jpeg_parse_header(void * buf,size_t len,struct v4l2_jpeg_header * out)460 int v4l2_jpeg_parse_header(void *buf, size_t len, struct v4l2_jpeg_header *out)
461 {
462 struct jpeg_stream stream;
463 int marker;
464 int ret = 0;
465
466 stream.curr = buf;
467 stream.end = stream.curr + len;
468
469 out->num_dht = 0;
470 out->num_dqt = 0;
471
472 /* the first marker must be SOI */
473 marker = jpeg_next_marker(&stream);
474 if (marker < 0)
475 return marker;
476 if (marker != SOI)
477 return -EINVAL;
478
479 /* loop through marker segments */
480 while ((marker = jpeg_next_marker(&stream)) >= 0) {
481 switch (marker) {
482 /* baseline DCT, extended sequential DCT */
483 case SOF0 ... SOF1:
484 ret = jpeg_reference_segment(&stream, &out->sof);
485 if (ret < 0)
486 return ret;
487 ret = jpeg_parse_frame_header(&stream, marker,
488 &out->frame);
489 break;
490 /* progressive, lossless */
491 case SOF2 ... SOF3:
492 /* differential coding */
493 case SOF5 ... SOF7:
494 /* arithmetic coding */
495 case SOF9 ... SOF11:
496 case SOF13 ... SOF15:
497 case DAC:
498 case TEM:
499 return -EINVAL;
500
501 case DHT:
502 ret = jpeg_reference_segment(&stream,
503 &out->dht[out->num_dht++ % 4]);
504 if (ret < 0)
505 return ret;
506 ret = jpeg_parse_huffman_tables(&stream,
507 out->huffman_tables);
508 break;
509 case DQT:
510 ret = jpeg_reference_segment(&stream,
511 &out->dqt[out->num_dqt++ % 4]);
512 if (ret < 0)
513 return ret;
514 ret = jpeg_parse_quantization_tables(&stream,
515 out->frame.precision,
516 out->quantization_tables);
517 break;
518 case DRI:
519 ret = jpeg_parse_restart_interval(&stream,
520 &out->restart_interval);
521 break;
522
523 case SOS:
524 ret = jpeg_reference_segment(&stream, &out->sos);
525 if (ret < 0)
526 return ret;
527 ret = jpeg_parse_scan_header(&stream, out->scan);
528 /*
529 * stop parsing, the scan header marks the beginning of
530 * the entropy coded segment
531 */
532 out->ecs_offset = stream.curr - (u8 *)buf;
533 return ret;
534
535 /* markers without parameters */
536 case RST0 ... RST7: /* restart */
537 case SOI: /* start of image */
538 case EOI: /* end of image */
539 break;
540
541 /* skip unknown or unsupported marker segments */
542 default:
543 ret = jpeg_skip_segment(&stream);
544 break;
545 }
546 if (ret < 0)
547 return ret;
548 }
549
550 return marker;
551 }
552 EXPORT_SYMBOL_GPL(v4l2_jpeg_parse_header);
553
554 /**
555 * v4l2_jpeg_parse_frame_header - parse frame header
556 * @buf: address of the frame header, after the SOF0 marker
557 * @len: length of the frame header
558 * @frame_header: returns the parsed frame header
559 *
560 * Returns 0 or negative error if parsing failed.
561 */
v4l2_jpeg_parse_frame_header(void * buf,size_t len,struct v4l2_jpeg_frame_header * frame_header)562 int v4l2_jpeg_parse_frame_header(void *buf, size_t len,
563 struct v4l2_jpeg_frame_header *frame_header)
564 {
565 struct jpeg_stream stream;
566
567 stream.curr = buf;
568 stream.end = stream.curr + len;
569 return jpeg_parse_frame_header(&stream, SOF0, frame_header);
570 }
571 EXPORT_SYMBOL_GPL(v4l2_jpeg_parse_frame_header);
572
573 /**
574 * v4l2_jpeg_parse_scan_header - parse scan header
575 * @buf: address of the scan header, after the SOS marker
576 * @len: length of the scan header
577 * @scan_header: returns the parsed scan header
578 *
579 * Returns 0 or negative error if parsing failed.
580 */
v4l2_jpeg_parse_scan_header(void * buf,size_t len,struct v4l2_jpeg_scan_header * scan_header)581 int v4l2_jpeg_parse_scan_header(void *buf, size_t len,
582 struct v4l2_jpeg_scan_header *scan_header)
583 {
584 struct jpeg_stream stream;
585
586 stream.curr = buf;
587 stream.end = stream.curr + len;
588 return jpeg_parse_scan_header(&stream, scan_header);
589 }
590 EXPORT_SYMBOL_GPL(v4l2_jpeg_parse_scan_header);
591
592 /**
593 * v4l2_jpeg_parse_quantization_tables - parse quantization tables segment
594 * @buf: address of the quantization table segment, after the DQT marker
595 * @len: length of the quantization table segment
596 * @precision: sample precision (P) in bits per component
597 * @q_tables: returns four references into the buffer for the
598 * four possible quantization table destinations
599 *
600 * Returns 0 or negative error if parsing failed.
601 */
v4l2_jpeg_parse_quantization_tables(void * buf,size_t len,u8 precision,struct v4l2_jpeg_reference * q_tables)602 int v4l2_jpeg_parse_quantization_tables(void *buf, size_t len, u8 precision,
603 struct v4l2_jpeg_reference *q_tables)
604 {
605 struct jpeg_stream stream;
606
607 stream.curr = buf;
608 stream.end = stream.curr + len;
609 return jpeg_parse_quantization_tables(&stream, precision, q_tables);
610 }
611 EXPORT_SYMBOL_GPL(v4l2_jpeg_parse_quantization_tables);
612
613 /**
614 * v4l2_jpeg_parse_huffman_tables - parse huffman tables segment
615 * @buf: address of the Huffman table segment, after the DHT marker
616 * @len: length of the Huffman table segment
617 * @huffman_tables: returns four references into the buffer for the
618 * four possible Huffman table destinations, in
619 * the order DC0, DC1, AC0, AC1
620 *
621 * Returns 0 or negative error if parsing failed.
622 */
v4l2_jpeg_parse_huffman_tables(void * buf,size_t len,struct v4l2_jpeg_reference * huffman_tables)623 int v4l2_jpeg_parse_huffman_tables(void *buf, size_t len,
624 struct v4l2_jpeg_reference *huffman_tables)
625 {
626 struct jpeg_stream stream;
627
628 stream.curr = buf;
629 stream.end = stream.curr + len;
630 return jpeg_parse_huffman_tables(&stream, huffman_tables);
631 }
632 EXPORT_SYMBOL_GPL(v4l2_jpeg_parse_huffman_tables);
633