• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /*
2  * Raw FLAC picture parser
3  * Copyright (c) 2001 Fabrice Bellard
4  *
5  * This file is part of FFmpeg.
6  *
7  * FFmpeg is free software; you can redistribute it and/or
8  * modify it under the terms of the GNU Lesser General Public
9  * License as published by the Free Software Foundation; either
10  * version 2.1 of the License, or (at your option) any later version.
11  *
12  * FFmpeg is distributed in the hope that it will be useful,
13  * but WITHOUT ANY WARRANTY; without even the implied warranty of
14  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
15  * Lesser General Public License for more details.
16  *
17  * You should have received a copy of the GNU Lesser General Public
18  * License along with FFmpeg; if not, write to the Free Software
19  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
20  */
21 
22 #include "libavutil/intreadwrite.h"
23 #include "libavcodec/bytestream.h"
24 #include "libavcodec/png.h"
25 #include "avformat.h"
26 #include "demux.h"
27 #include "flac_picture.h"
28 #include "id3v2.h"
29 #include "internal.h"
30 
31 #define MAX_TRUNC_PICTURE_SIZE (500 * 1024 * 1024)
32 
ff_flac_parse_picture(AVFormatContext * s,uint8_t ** bufp,int buf_size,int truncate_workaround)33 int ff_flac_parse_picture(AVFormatContext *s, uint8_t **bufp, int buf_size,
34                           int truncate_workaround)
35 {
36     const CodecMime *mime = ff_id3v2_mime_tags;
37     enum AVCodecID id = AV_CODEC_ID_NONE;
38     AVBufferRef *data = NULL;
39     uint8_t mimetype[64], *buf = *bufp;
40     const uint8_t *desc = NULL;
41     GetByteContext g;
42     AVStream *st;
43     int width, height, ret = 0;
44     unsigned int type;
45     uint32_t len, left, trunclen = 0;
46 
47     if (buf_size < 34) {
48         av_log(s, AV_LOG_ERROR, "Attached picture metadata block too short\n");
49         if (s->error_recognition & AV_EF_EXPLODE)
50             return AVERROR_INVALIDDATA;
51         return 0;
52     }
53 
54     bytestream2_init(&g, buf, buf_size);
55 
56     /* read the picture type */
57     type = bytestream2_get_be32u(&g);
58     if (type >= FF_ARRAY_ELEMS(ff_id3v2_picture_types)) {
59         av_log(s, AV_LOG_ERROR, "Invalid picture type: %d.\n", type);
60         if (s->error_recognition & AV_EF_EXPLODE) {
61             return AVERROR_INVALIDDATA;
62         }
63         type = 0;
64     }
65 
66     /* picture mimetype */
67     len = bytestream2_get_be32u(&g);
68     if (len <= 0 || len >= sizeof(mimetype)) {
69         av_log(s, AV_LOG_ERROR, "Could not read mimetype from an attached "
70                "picture.\n");
71         if (s->error_recognition & AV_EF_EXPLODE)
72             return AVERROR_INVALIDDATA;
73         return 0;
74     }
75     if (len + 24 > bytestream2_get_bytes_left(&g)) {
76         av_log(s, AV_LOG_ERROR, "Attached picture metadata block too short\n");
77         if (s->error_recognition & AV_EF_EXPLODE)
78             return AVERROR_INVALIDDATA;
79         return 0;
80     }
81     bytestream2_get_bufferu(&g, mimetype, len);
82     mimetype[len] = 0;
83 
84     while (mime->id != AV_CODEC_ID_NONE) {
85         if (!strncmp(mime->str, mimetype, sizeof(mimetype))) {
86             id = mime->id;
87             break;
88         }
89         mime++;
90     }
91     if (id == AV_CODEC_ID_NONE) {
92         av_log(s, AV_LOG_ERROR, "Unknown attached picture mimetype: %s.\n",
93                mimetype);
94         if (s->error_recognition & AV_EF_EXPLODE)
95             return AVERROR_INVALIDDATA;
96         return 0;
97     }
98 
99     /* picture description */
100     len = bytestream2_get_be32u(&g);
101     if (len > bytestream2_get_bytes_left(&g) - 20) {
102         av_log(s, AV_LOG_ERROR, "Attached picture metadata block too short\n");
103         if (s->error_recognition & AV_EF_EXPLODE)
104             return AVERROR_INVALIDDATA;
105         return 0;
106     }
107     if (len > 0) {
108         desc = g.buffer;
109         bytestream2_skipu(&g, len);
110     }
111 
112     /* picture metadata */
113     width  = bytestream2_get_be32u(&g);
114     ((uint8_t*)g.buffer)[-4] = '\0';   // NUL-terminate desc.
115     height = bytestream2_get_be32u(&g);
116     bytestream2_skipu(&g, 8);
117 
118     /* picture data */
119     len = bytestream2_get_be32u(&g);
120 
121     left = bytestream2_get_bytes_left(&g);
122     if (len <= 0 || len > left) {
123         if (len > MAX_TRUNC_PICTURE_SIZE || len >= INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE) {
124             av_log(s, AV_LOG_ERROR, "Attached picture metadata block too big %u\n", len);
125             if (s->error_recognition & AV_EF_EXPLODE)
126                 return AVERROR_INVALIDDATA;
127             return 0;
128         }
129 
130         // Workaround bug for flac muxers that writs truncated metadata picture block size if
131         // the picture size do not fit in 24 bits. lavf flacenc used to have the issue and based
132         // on existing broken files other unknown flac muxers seems to truncate also.
133         if (truncate_workaround &&
134             s->strict_std_compliance <= FF_COMPLIANCE_NORMAL &&
135             len > left && (len & 0xffffff) == left) {
136             av_log(s, AV_LOG_INFO, "Correcting truncated metadata picture size from %u to %u\n", left, len);
137             trunclen = len - left;
138         } else {
139             av_log(s, AV_LOG_ERROR, "Attached picture metadata block too short\n");
140             if (s->error_recognition & AV_EF_EXPLODE)
141                 return AVERROR_INVALIDDATA;
142             return 0;
143         }
144     }
145     if (trunclen == 0 && len >= buf_size - (buf_size >> 4)) {
146         data = av_buffer_create(buf, buf_size + AV_INPUT_BUFFER_PADDING_SIZE,
147                                 av_buffer_default_free, NULL, 0);
148         if (!data)
149             return AVERROR(ENOMEM);
150         *bufp = NULL;
151         data->data += bytestream2_tell(&g);
152         data->size  = len + AV_INPUT_BUFFER_PADDING_SIZE;
153     } else {
154         if (!(data = av_buffer_alloc(len + AV_INPUT_BUFFER_PADDING_SIZE)))
155             return AVERROR(ENOMEM);
156 
157         if (trunclen == 0) {
158             bytestream2_get_bufferu(&g, data->data, len);
159         } else {
160             // If truncation was detected copy all data from block and
161             // read missing bytes not included in the block size.
162             bytestream2_get_bufferu(&g, data->data, left);
163             if (avio_read(s->pb, data->data + len - trunclen, trunclen) < trunclen)
164                 RETURN_ERROR(AVERROR_INVALIDDATA);
165         }
166     }
167     memset(data->data + len, 0, AV_INPUT_BUFFER_PADDING_SIZE);
168 
169     if (AV_RB64(data->data) == PNGSIG)
170         id = AV_CODEC_ID_PNG;
171 
172     ret = ff_add_attached_pic(s, NULL, NULL, &data, 0);
173     if (ret < 0)
174         RETURN_ERROR(ret);
175 
176     st = s->streams[s->nb_streams - 1];
177     st->codecpar->codec_id   = id;
178     st->codecpar->width      = width;
179     st->codecpar->height     = height;
180     av_dict_set(&st->metadata, "comment", ff_id3v2_picture_types[type], 0);
181     if (desc)
182         av_dict_set(&st->metadata, "title", desc, 0);
183 
184     return 0;
185 
186 fail:
187     av_buffer_unref(&data);
188 
189     return ret;
190 }
191