• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /*
2  * Raw FLAC picture parser
3  * Copyright (c) 2001 Fabrice Bellard
4  *
5  * This file is part of FFmpeg.
6  *
7  * FFmpeg is free software; you can redistribute it and/or
8  * modify it under the terms of the GNU Lesser General Public
9  * License as published by the Free Software Foundation; either
10  * version 2.1 of the License, or (at your option) any later version.
11  *
12  * FFmpeg is distributed in the hope that it will be useful,
13  * but WITHOUT ANY WARRANTY; without even the implied warranty of
14  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
15  * Lesser General Public License for more details.
16  *
17  * You should have received a copy of the GNU Lesser General Public
18  * License along with FFmpeg; if not, write to the Free Software
19  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
20  */
21 
22 #include "libavutil/intreadwrite.h"
23 #include "libavcodec/bytestream.h"
24 #include "libavcodec/png.h"
25 #include "avformat.h"
26 #include "flac_picture.h"
27 #include "id3v2.h"
28 #include "internal.h"
29 
30 #define MAX_TRUNC_PICTURE_SIZE (500 * 1024 * 1024)
31 
ff_flac_parse_picture(AVFormatContext * s,uint8_t * buf,int buf_size,int truncate_workaround)32 int ff_flac_parse_picture(AVFormatContext *s, uint8_t *buf, int buf_size, int truncate_workaround)
33 {
34     const CodecMime *mime = ff_id3v2_mime_tags;
35     enum AVCodecID id = AV_CODEC_ID_NONE;
36     AVBufferRef *data = NULL;
37     uint8_t mimetype[64], *desc = NULL;
38     GetByteContext g;
39     AVStream *st;
40     int width, height, ret = 0;
41     unsigned int type;
42     uint32_t len, left, trunclen = 0;
43 
44     if (buf_size < 34) {
45         av_log(s, AV_LOG_ERROR, "Attached picture metadata block too short\n");
46         if (s->error_recognition & AV_EF_EXPLODE)
47             return AVERROR_INVALIDDATA;
48         return 0;
49     }
50 
51     bytestream2_init(&g, buf, buf_size);
52 
53     /* read the picture type */
54     type = bytestream2_get_be32u(&g);
55     if (type >= FF_ARRAY_ELEMS(ff_id3v2_picture_types)) {
56         av_log(s, AV_LOG_ERROR, "Invalid picture type: %d.\n", type);
57         if (s->error_recognition & AV_EF_EXPLODE) {
58             return AVERROR_INVALIDDATA;
59         }
60         type = 0;
61     }
62 
63     /* picture mimetype */
64     len = bytestream2_get_be32u(&g);
65     if (len <= 0 || len >= sizeof(mimetype)) {
66         av_log(s, AV_LOG_ERROR, "Could not read mimetype from an attached "
67                "picture.\n");
68         if (s->error_recognition & AV_EF_EXPLODE)
69             return AVERROR_INVALIDDATA;
70         return 0;
71     }
72     if (len + 24 > bytestream2_get_bytes_left(&g)) {
73         av_log(s, AV_LOG_ERROR, "Attached picture metadata block too short\n");
74         if (s->error_recognition & AV_EF_EXPLODE)
75             return AVERROR_INVALIDDATA;
76         return 0;
77     }
78     bytestream2_get_bufferu(&g, mimetype, len);
79     mimetype[len] = 0;
80 
81     while (mime->id != AV_CODEC_ID_NONE) {
82         if (!strncmp(mime->str, mimetype, sizeof(mimetype))) {
83             id = mime->id;
84             break;
85         }
86         mime++;
87     }
88     if (id == AV_CODEC_ID_NONE) {
89         av_log(s, AV_LOG_ERROR, "Unknown attached picture mimetype: %s.\n",
90                mimetype);
91         if (s->error_recognition & AV_EF_EXPLODE)
92             return AVERROR_INVALIDDATA;
93         return 0;
94     }
95 
96     /* picture description */
97     len = bytestream2_get_be32u(&g);
98     if (len > bytestream2_get_bytes_left(&g) - 20) {
99         av_log(s, AV_LOG_ERROR, "Attached picture metadata block too short\n");
100         if (s->error_recognition & AV_EF_EXPLODE)
101             return AVERROR_INVALIDDATA;
102         return 0;
103     }
104     if (len > 0) {
105         if (!(desc = av_malloc(len + 1))) {
106             return AVERROR(ENOMEM);
107         }
108 
109         bytestream2_get_bufferu(&g, desc, len);
110         desc[len] = 0;
111     }
112 
113     /* picture metadata */
114     width  = bytestream2_get_be32u(&g);
115     height = bytestream2_get_be32u(&g);
116     bytestream2_skipu(&g, 8);
117 
118     /* picture data */
119     len = bytestream2_get_be32u(&g);
120 
121     left = bytestream2_get_bytes_left(&g);
122     if (len <= 0 || len > left) {
123         if (len > MAX_TRUNC_PICTURE_SIZE || len >= INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE) {
124             av_log(s, AV_LOG_ERROR, "Attached picture metadata block too big %u\n", len);
125             if (s->error_recognition & AV_EF_EXPLODE)
126                 ret = AVERROR_INVALIDDATA;
127             goto fail;
128         }
129 
130         // Workaround bug for flac muxers that writs truncated metadata picture block size if
131         // the picture size do not fit in 24 bits. lavf flacenc used to have the issue and based
132         // on existing broken files other unknown flac muxers seems to truncate also.
133         if (truncate_workaround &&
134             s->strict_std_compliance <= FF_COMPLIANCE_NORMAL &&
135             len > left && (len & 0xffffff) == left) {
136             av_log(s, AV_LOG_INFO, "Correcting truncated metadata picture size from %u to %u\n", left, len);
137             trunclen = len - left;
138         } else {
139             av_log(s, AV_LOG_ERROR, "Attached picture metadata block too short\n");
140             if (s->error_recognition & AV_EF_EXPLODE)
141                 ret = AVERROR_INVALIDDATA;
142             goto fail;
143         }
144     }
145     if (!(data = av_buffer_alloc(len + AV_INPUT_BUFFER_PADDING_SIZE))) {
146         RETURN_ERROR(AVERROR(ENOMEM));
147     }
148 
149     if (trunclen == 0) {
150         bytestream2_get_bufferu(&g, data->data, len);
151     } else {
152         // If truncation was detected copy all data from block and read missing bytes
153         // not included in the block size
154         bytestream2_get_bufferu(&g, data->data, left);
155         if (avio_read(s->pb, data->data + len - trunclen, trunclen) < trunclen)
156             RETURN_ERROR(AVERROR_INVALIDDATA);
157     }
158     memset(data->data + len, 0, AV_INPUT_BUFFER_PADDING_SIZE);
159 
160     if (AV_RB64(data->data) == PNGSIG)
161         id = AV_CODEC_ID_PNG;
162 
163     st = avformat_new_stream(s, NULL);
164     if (!st) {
165         RETURN_ERROR(AVERROR(ENOMEM));
166     }
167 
168     av_packet_unref(&st->attached_pic);
169     st->attached_pic.buf          = data;
170     st->attached_pic.data         = data->data;
171     st->attached_pic.size         = len;
172     st->attached_pic.stream_index = st->index;
173     st->attached_pic.flags       |= AV_PKT_FLAG_KEY;
174 
175     st->disposition      |= AV_DISPOSITION_ATTACHED_PIC;
176     st->codecpar->codec_type = AVMEDIA_TYPE_VIDEO;
177     st->codecpar->codec_id   = id;
178     st->codecpar->width      = width;
179     st->codecpar->height     = height;
180     av_dict_set(&st->metadata, "comment", ff_id3v2_picture_types[type], 0);
181     if (desc)
182         av_dict_set(&st->metadata, "title", desc, AV_DICT_DONT_STRDUP_VAL);
183 
184     return 0;
185 
186 fail:
187     av_buffer_unref(&data);
188     av_freep(&desc);
189 
190     return ret;
191 }
192