1 // Copyright 2018 Google Inc.
2 //
3 // Licensed under the Apache License, Version 2.0 (the "License");
4 // you may not use this file except in compliance with the License.
5 // You may obtain a copy of the License at
6 //
7 // http://www.apache.org/licenses/LICENSE-2.0
8 //
9 // Unless required by applicable law or agreed to in writing, software
10 // distributed under the License is distributed on an "AS IS" BASIS,
11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 // See the License for the specific language governing permissions and
13 // limitations under the License.
14 //
15 ////////////////////////////////////////////////////////////////////////////////
16
17 #include <stdint.h>
18 #include <stdlib.h>
19
20 #include "dsp/dsp.h"
21 #include "img_alpha.h"
22 #include "img_grid.h"
23 #include "img_peak.h"
24 #include "webp/encode.h"
25
26 //------------------------------------------------------------------------------
27 // Arbitrary limits to prevent OOM, timeout, or slow execution.
28 //
29 // The decoded image size, and for animations additionally the canvas size.
30 static const size_t kFuzzPxLimit = 1024 * 1024;
31 // Demuxed or decoded animation frames.
32 static const int kFuzzFrameLimit = 3;
33
34 // Reads and sums (up to) 128 spread-out bytes.
FuzzHash(const uint8_t * const data,size_t size)35 uint8_t FuzzHash(const uint8_t* const data, size_t size) {
36 uint8_t value = 0;
37 size_t incr = size / 128;
38 if (!incr) incr = 1;
39 for (size_t i = 0; i < size; i += incr) value += data[i];
40 return value;
41 }
42
43 //------------------------------------------------------------------------------
44 // Extract an integer in [0, max_value].
45
Extract(uint32_t max_value,const uint8_t data[],size_t size,uint32_t * const bit_pos)46 static uint32_t Extract(uint32_t max_value, const uint8_t data[], size_t size,
47 uint32_t* const bit_pos) {
48 uint32_t v = 0;
49 int range = 1;
50 while (*bit_pos < 8 * size && range <= max_value) {
51 const uint8_t mask = 1u << (*bit_pos & 7);
52 v = (v << 1) | !!(data[*bit_pos >> 3] & mask);
53 range <<= 1;
54 ++*bit_pos;
55 }
56 return v % (max_value + 1);
57 }
58
59 //------------------------------------------------------------------------------
60 // Some functions to override VP8GetCPUInfo and disable some optimizations.
61
62 static VP8CPUInfo GetCPUInfo;
63
GetCPUInfoNoSSE41(CPUFeature feature)64 static int GetCPUInfoNoSSE41(CPUFeature feature) {
65 if (feature == kSSE4_1 || feature == kAVX) return 0;
66 return GetCPUInfo(feature);
67 }
68
GetCPUInfoNoAVX(CPUFeature feature)69 static int GetCPUInfoNoAVX(CPUFeature feature) {
70 if (feature == kAVX) return 0;
71 return GetCPUInfo(feature);
72 }
73
GetCPUInfoForceSlowSSSE3(CPUFeature feature)74 static int GetCPUInfoForceSlowSSSE3(CPUFeature feature) {
75 if (feature == kSlowSSSE3 && GetCPUInfo(kSSE3)) {
76 return 1; // we have SSE3 -> force SlowSSSE3
77 }
78 return GetCPUInfo(feature);
79 }
80
GetCPUInfoOnlyC(CPUFeature feature)81 static int GetCPUInfoOnlyC(CPUFeature feature) { return 0; }
82
ExtractAndDisableOptimizations(VP8CPUInfo default_VP8GetCPUInfo,const uint8_t data[],size_t size,uint32_t * const bit_pos)83 static void ExtractAndDisableOptimizations(VP8CPUInfo default_VP8GetCPUInfo,
84 const uint8_t data[], size_t size,
85 uint32_t* const bit_pos) {
86 GetCPUInfo = default_VP8GetCPUInfo;
87 const VP8CPUInfo kVP8CPUInfos[5] = {GetCPUInfoOnlyC, GetCPUInfoForceSlowSSSE3,
88 GetCPUInfoNoSSE41, GetCPUInfoNoAVX,
89 GetCPUInfo};
90 int VP8GetCPUInfo_index = Extract(4, data, size, bit_pos);
91 VP8GetCPUInfo = kVP8CPUInfos[VP8GetCPUInfo_index];
92 }
93
94 //------------------------------------------------------------------------------
95
ExtractWebPConfig(WebPConfig * const config,const uint8_t data[],size_t size,uint32_t * const bit_pos)96 static int ExtractWebPConfig(WebPConfig* const config, const uint8_t data[],
97 size_t size, uint32_t* const bit_pos) {
98 if (config == NULL || !WebPConfigInit(config)) return 0;
99 config->lossless = Extract(1, data, size, bit_pos);
100 config->quality = Extract(100, data, size, bit_pos);
101 config->method = Extract(6, data, size, bit_pos);
102 config->image_hint =
103 (WebPImageHint)Extract(WEBP_HINT_LAST - 1, data, size, bit_pos);
104 config->segments = 1 + Extract(3, data, size, bit_pos);
105 config->sns_strength = Extract(100, data, size, bit_pos);
106 config->filter_strength = Extract(100, data, size, bit_pos);
107 config->filter_sharpness = Extract(7, data, size, bit_pos);
108 config->filter_type = Extract(1, data, size, bit_pos);
109 config->autofilter = Extract(1, data, size, bit_pos);
110 config->alpha_compression = Extract(1, data, size, bit_pos);
111 config->alpha_filtering = Extract(2, data, size, bit_pos);
112 config->alpha_quality = Extract(100, data, size, bit_pos);
113 config->pass = 1 + Extract(9, data, size, bit_pos);
114 config->show_compressed = 1;
115 config->preprocessing = Extract(2, data, size, bit_pos);
116 config->partitions = Extract(3, data, size, bit_pos);
117 config->partition_limit = 10 * Extract(10, data, size, bit_pos);
118 config->emulate_jpeg_size = Extract(1, data, size, bit_pos);
119 config->thread_level = Extract(1, data, size, bit_pos);
120 config->low_memory = Extract(1, data, size, bit_pos);
121 config->near_lossless = 20 * Extract(5, data, size, bit_pos);
122 config->exact = Extract(1, data, size, bit_pos);
123 config->use_delta_palette = Extract(1, data, size, bit_pos);
124 config->use_sharp_yuv = Extract(1, data, size, bit_pos);
125 return WebPValidateConfig(config);
126 }
127
128 //------------------------------------------------------------------------------
129
ExtractSourcePicture(WebPPicture * const pic,const uint8_t data[],size_t size,uint32_t * const bit_pos)130 static int ExtractSourcePicture(WebPPicture* const pic,
131 const uint8_t data[], size_t size,
132 uint32_t* const bit_pos) {
133 if (pic == NULL) return 0;
134
135 // Pick a source picture.
136 const uint8_t* kImagesData[] = {
137 kImgAlphaData,
138 kImgGridData,
139 kImgPeakData
140 };
141 const int kImagesWidth[] = {
142 kImgAlphaWidth,
143 kImgGridWidth,
144 kImgPeakWidth
145 };
146 const int kImagesHeight[] = {
147 kImgAlphaHeight,
148 kImgGridHeight,
149 kImgPeakHeight
150 };
151 const size_t kNbImages = sizeof(kImagesData) / sizeof(kImagesData[0]);
152 const size_t image_index = Extract(kNbImages - 1, data, size, bit_pos);
153 const uint8_t* const image_data = kImagesData[image_index];
154 pic->width = kImagesWidth[image_index];
155 pic->height = kImagesHeight[image_index];
156 pic->argb_stride = pic->width * 4 * sizeof(uint8_t);
157
158 // Read the bytes.
159 return WebPPictureImportRGBA(pic, image_data, pic->argb_stride);
160 }
161
162 //------------------------------------------------------------------------------
163
max(int a,int b)164 static int max(int a, int b) { return ((a < b) ? b : a); }
165
ExtractAndCropOrScale(WebPPicture * const pic,const uint8_t data[],size_t size,uint32_t * const bit_pos)166 static int ExtractAndCropOrScale(WebPPicture* const pic, const uint8_t data[],
167 size_t size, uint32_t* const bit_pos) {
168 if (pic == NULL) return 0;
169 const int alter_input = Extract(1, data, size, bit_pos);
170 const int crop_or_scale = Extract(1, data, size, bit_pos);
171 const int width_ratio = 1 + Extract(7, data, size, bit_pos);
172 const int height_ratio = 1 + Extract(7, data, size, bit_pos);
173 if (alter_input) {
174 if (crop_or_scale) {
175 const uint32_t left_ratio = 1 + Extract(7, data, size, bit_pos);
176 const uint32_t top_ratio = 1 + Extract(7, data, size, bit_pos);
177 const int cropped_width = max(1, pic->width / width_ratio);
178 const int cropped_height = max(1, pic->height / height_ratio);
179 const int cropped_left = (pic->width - cropped_width) / left_ratio;
180 const int cropped_top = (pic->height - cropped_height) / top_ratio;
181 return WebPPictureCrop(pic, cropped_left, cropped_top, cropped_width,
182 cropped_height);
183 } else {
184 const int scaled_width = 1 + (pic->width * width_ratio) / 8;
185 const int scaled_height = 1 + (pic->height * height_ratio) / 8;
186 return WebPPictureRescale(pic, scaled_width, scaled_height);
187 }
188 }
189 return 1;
190 }
191