1 // Copyright 2014 The PDFium Authors
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4 
5 // Original code copyright 2014 Foxit Software Inc. http://www.foxitsoftware.com
6 
7 #include "core/fxcodec/jpeg/jpegmodule.h"
8 
9 #include <setjmp.h>
10 #include <stdint.h>
11 #include <string.h>
12 
13 #include <memory>
14 #include <utility>
15 
16 #include "build/build_config.h"
17 #include "core/fxcodec/cfx_codec_memory.h"
18 #include "core/fxcodec/jpeg/jpeg_common.h"
19 #include "core/fxcodec/scanlinedecoder.h"
20 #include "core/fxcrt/data_vector.h"
21 #include "core/fxcrt/fx_safe_types.h"
22 #include "core/fxge/dib/cfx_dibbase.h"
23 #include "core/fxge/dib/fx_dib.h"
24 #include "third_party/abseil-cpp/absl/types/optional.h"
25 #include "third_party/base/check.h"
26 #include "third_party/base/check_op.h"
27 
// Returns the part of |src_span| that begins at the first JPEG SOI marker
// (bytes 0xff 0xd8). If no marker is present, |src_span| is returned
// unchanged, so callers must not assume the result starts with SOI.
// |src_span| must not be empty: the scan bound is size() - 1 on an unsigned
// size, and only the DCHECK below guards that precondition in this function.
static pdfium::span<const uint8_t> JpegScanSOI(
    pdfium::span<const uint8_t> src_span) {
  DCHECK(!src_span.empty());

  size_t pos = 0;
  // Stop one byte before the end so the two-byte marker test stays inside
  // the span.
  while (pos < src_span.size() - 1) {
    const bool at_soi = src_span[pos] == 0xff && src_span[pos + 1] == 0xd8;
    if (at_soi) {
      return src_span.subspan(pos);
    }
    ++pos;
  }
  return src_span;
}
38 
39 extern "C" {
40 
// libjpeg error_exit handler. Does not return to libjpeg: it jumps to the
// jmp_buf whose address the caller stored in |cinfo->client_data|, making the
// matching setjmp() return -1.
static void error_fatal(j_common_ptr cinfo) {
  auto* jump_target = static_cast<jmp_buf*>(cinfo->client_data);
  longjmp(*jump_target, -1);
}
44 
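// libjpeg skip_input_data callback for the in-memory source. Advances the
// read position by |num| bytes, or raises a fatal error (via error_fatal(),
// which longjmps and does not return) when fewer than |num| bytes remain.
static void src_skip_data(jpeg_decompress_struct* cinfo, long num) {
  // libjpeg's data source contract treats a zero or negative skip count as a
  // no-op. Without this guard a negative |num| would move next_input_byte
  // backwards and enlarge bytes_in_buffer.
  if (num <= 0) {
    return;
  }

  // |num| is positive here, so the conversion cannot wrap. Comparing in
  // size_t also avoids truncating bytes_in_buffer where long is narrower
  // than size_t.
  const size_t skip = static_cast<size_t>(num);
  if (skip > cinfo->src->bytes_in_buffer) {
    error_fatal(reinterpret_cast<j_common_ptr>(cinfo));
  }
  cinfo->src->next_input_byte += skip;
  cinfo->src->bytes_in_buffer -= skip;
}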
52 
53 #if BUILDFLAG(IS_WIN)
// No-op destination callback. JpegModule::JpegEncode() installs it as both
// init_destination and term_destination, because that function sets up and
// sizes the output buffer itself.
static void dest_do_nothing(j_compress_ptr cinfo) {}
55 
// empty_output_buffer callback that always returns false and never touches
// the buffer. JpegModule::JpegEncode() grows the output buffer itself when
// jpeg_write_scanlines() makes no progress on a row.
static boolean dest_empty(j_compress_ptr cinfo) {
  return false;
}
59 #endif  // BUILDFLAG(IS_WIN)
60 
61 }  // extern "C"
62 
// Reads only the JPEG header found in |src_span| and copies the dimensions,
// component count, sample precision and colour-transform flag into |pInfo|.
// Returns false if libjpeg raises a fatal error or jpeg_read_header() does
// not return JPEG_HEADER_OK; |pInfo| is only written on success.
// NOTE(review): the only emptiness check on this path visible in this file is
// the DCHECK inside JpegScanSOI() - confirm callers never pass an empty span.
static bool JpegLoadInfo(pdfium::span<const uint8_t> src_span,
                         JpegModule::ImageInfo* pInfo) {
  // Skip anything that precedes the first SOI marker, if one exists.
  src_span = JpegScanSOI(src_span);
  jpeg_decompress_struct cinfo;
  jpeg_error_mgr jerr;
  // Fatal errors longjmp back to the setjmp() calls below via error_fatal().
  // The remaining handlers are declared outside this file; presumably they
  // are no-ops that silence libjpeg's message output.
  jerr.error_exit = error_fatal;
  jerr.emit_message = error_do_nothing_int;
  jerr.output_message = error_do_nothing;
  jerr.format_message = error_do_nothing_char;
  jerr.reset_error_mgr = error_do_nothing;
  jerr.trace_level = 0;
  cinfo.err = &jerr;
  jmp_buf mark;
  // error_fatal() reads the jump target from client_data.
  cinfo.client_data = &mark;
  // First jump target: covers jpeg_create_decompress(). Nothing has been
  // created at this point, so there is nothing to destroy.
  if (setjmp(mark) == -1)
    return false;

  jpeg_create_decompress(&cinfo);
  // In-memory source manager: the whole input is handed to libjpeg as one
  // buffer. The fill/resync callbacks are declared outside this file.
  jpeg_source_mgr src;
  src.init_source = src_do_nothing;
  src.term_source = src_do_nothing;
  src.skip_input_data = src_skip_data;
  src.fill_input_buffer = src_fill_buffer;
  src.resync_to_restart = src_resync;
  src.bytes_in_buffer = src_span.size();
  src.next_input_byte = src_span.data();
  cinfo.src = &src;
  // Second jump target: re-arms |mark| so that a fatal error raised while
  // reading the header also releases the decompress object.
  if (setjmp(mark) == -1) {
    jpeg_destroy_decompress(&cinfo);
    return false;
  }
  int ret = jpeg_read_header(&cinfo, TRUE);
  if (ret != JPEG_HEADER_OK) {
    jpeg_destroy_decompress(&cinfo);
    return false;
  }
  // These values come straight from the file's header and are not validated
  // here; callers should treat them as untrusted.
  pInfo->width = cinfo.image_width;
  pInfo->height = cinfo.image_height;
  pInfo->num_components = cinfo.num_components;
  // True when the stream's own colour space is YCbCr or YCCK.
  pInfo->color_transform =
      cinfo.jpeg_color_space == JCS_YCbCr || cinfo.jpeg_color_space == JCS_YCCK;
  pInfo->bits_per_components = cinfo.data_precision;
  jpeg_destroy_decompress(&cinfo);
  return true;
}
108 
109 namespace fxcodec {
110 
111 namespace {
112 
// Offsets into the decoder's source span at which the four dimension bytes
// (height high/low, width high/low) start in the known-bad headers that
// JpegDecoder::InitDecode() is willing to patch. Each offset is tried in
// order by HasKnownBadHeaderWithInvalidHeight().
constexpr size_t kKnownBadHeaderWithInvalidHeightByteOffsetStarts[] = {94, 163};
114 
// ScanlineDecoder implementation that drives libjpeg over an in-memory JPEG.
// Fatal libjpeg errors are reported through error_fatal(), which longjmps to
// |m_JmpBuf|; every method that calls into libjpeg arms that buffer with
// setjmp() first.
// Security-relevant behaviour: although the source is held as a span of
// const bytes, the decoder writes into it (see PatchUpTrailer() and
// PatchUpKnownBadHeaderWithInvalidHeight()), so the underlying memory must be
// writable and must outlive the decoder.
class JpegDecoder final : public ScanlineDecoder {
 public:
  JpegDecoder();
  ~JpegDecoder() override;

  // Binds the decoder to |src_span| and reads the JPEG header. |width| and
  // |height| are the dimensions the caller expects; |nComps| is the minimum
  // number of components the image must have. Returns false if the data is
  // too short, the header cannot be read, or the image has fewer components
  // or a smaller width than requested.
  bool Create(pdfium::span<const uint8_t> src_span,
              uint32_t width,
              uint32_t height,
              int nComps,
              bool ColorTransform);

  // ScanlineDecoder:
  bool Rewind() override;
  pdfium::span<uint8_t> GetNextLine() override;
  uint32_t GetSrcOffset() override;

  // Creates the libjpeg decompress object and reads the header. When
  // |bAcceptKnownBadHeader| is true, a header matching one of the known-bad
  // patterns is patched in place and read again.
  bool InitDecode(bool bAcceptKnownBadHeader);

 private:
  // Sets the row pitch from the image width and component count, rounded up
  // to a multiple of 4 bytes.
  void CalcPitch();
  // Points |m_Cinfo| at |m_Src| and resets |m_Src| to the start of
  // |m_SrcSpan|.
  void InitDecompressSrc();

  // Can only be called inside a jpeg_read_header() setjmp handler.
  bool HasKnownBadHeaderWithInvalidHeight(size_t dimension_offset) const;

  // Is a JPEG SOFn marker, which is defined as 0xff, 0xc[0-9a-f].
  bool IsSofSegment(size_t marker_offset) const;

  // Patch up the in-memory JPEG header for known bad JPEGs.
  void PatchUpKnownBadHeaderWithInvalidHeight(size_t dimension_offset);

  // Patch up the JPEG trailer, even if it is correct.
  void PatchUpTrailer();

  // Returns |m_SrcSpan|'s data with const cast away, for the patch-up
  // methods above.
  uint8_t* GetWritableSrcData();

  // For a given invalid height byte offset in
  // |kKnownBadHeaderWithInvalidHeightByteOffsetStarts|, the SOFn marker should
  // be this many bytes before that.
  static constexpr size_t kSofMarkerByteOffset = 5;

  // Jump target for error_fatal(); its address is stored in
  // |m_Cinfo.client_data| by InitDecode().
  jmp_buf m_JmpBuf;
  jpeg_decompress_struct m_Cinfo;
  jpeg_error_mgr m_Jerr;
  jpeg_source_mgr m_Src;
  // Non-owning view of the input, as returned by JpegScanSOI().
  pdfium::span<const uint8_t> m_SrcSpan;
  // Holds one decoded scanline; sized to |m_Pitch| bytes in Create().
  DataVector<uint8_t> m_ScanlineBuf;
  // True while |m_Cinfo| holds a created decompress object that the
  // destructor should release.
  bool m_bInited = false;
  // True once Rewind() has successfully called jpeg_start_decompress().
  bool m_bStarted = false;
  bool m_bJpegTransform = false;
  // libjpeg's scale_denom as captured right after the header was read.
  uint32_t m_nDefaultScaleDenom = 1;
};
167 
// Zero-fills the three libjpeg structures so that no field holds an
// indeterminate value before Create() and InitDecode() populate them.
JpegDecoder::JpegDecoder() {
  memset(&m_Src, 0, sizeof(jpeg_source_mgr));
  memset(&m_Jerr, 0, sizeof(jpeg_error_mgr));
  memset(&m_Cinfo, 0, sizeof(jpeg_decompress_struct));
}
173 
// Drops the base class's scanline view and releases the libjpeg decompress
// object if one is still live.
JpegDecoder::~JpegDecoder() {
  // The span held by the superclass must not outlive this object's buffer,
  // so reset it to an empty span here.
  m_pLastScanline = pdfium::span<uint8_t>();

  if (m_bInited) {
    jpeg_destroy_decompress(&m_Cinfo);
  }
}
181 
// Creates the libjpeg decompress object over |m_SrcSpan| and reads the JPEG
// header. Returns true when the header was read; false on any fatal libjpeg
// error or when jpeg_read_header() does not return JPEG_HEADER_OK.
// When |bAcceptKnownBadHeader| is true and the first header read fails in the
// specific way HasKnownBadHeaderWithInvalidHeight() recognises, the height
// bytes in the source buffer are overwritten with |m_OrigHeight| and the
// header is read a second time.
bool JpegDecoder::InitDecode(bool bAcceptKnownBadHeader) {
  m_Cinfo.err = &m_Jerr;
  // error_fatal() longjmps to whatever jmp_buf client_data points at.
  m_Cinfo.client_data = &m_JmpBuf;
  // First jump target: covers jpeg_create_decompress() only.
  if (setjmp(m_JmpBuf) == -1)
    return false;

  jpeg_create_decompress(&m_Cinfo);
  InitDecompressSrc();
  m_bInited = true;

  // Second jump target: this block runs when jpeg_read_header() below raises
  // a fatal error and error_fatal() jumps back here.
  if (setjmp(m_JmpBuf) == -1) {
    absl::optional<size_t> known_bad_header_offset;
    if (bAcceptKnownBadHeader) {
      // Must run before jpeg_destroy_decompress(): the check inspects the
      // error code and dimensions still stored in |m_Cinfo|.
      for (size_t offset : kKnownBadHeaderWithInvalidHeightByteOffsetStarts) {
        if (HasKnownBadHeaderWithInvalidHeight(offset)) {
          known_bad_header_offset = offset;
          break;
        }
      }
    }
    jpeg_destroy_decompress(&m_Cinfo);
    if (!known_bad_header_offset.has_value()) {
      m_bInited = false;
      return false;
    }

    // Rewrites two bytes of the caller-supplied source data in place.
    PatchUpKnownBadHeaderWithInvalidHeight(known_bad_header_offset.value());

    // Start over with a fresh decompress object; execution then falls through
    // to the jpeg_read_header() call below with the same jump target armed.
    jpeg_create_decompress(&m_Cinfo);
    InitDecompressSrc();
  }
  // NOTE(review): jpeg_read_header() presumably overwrites these two fields
  // from the file; the reason for seeding them first is not visible here.
  m_Cinfo.image_width = m_OrigWidth;
  m_Cinfo.image_height = m_OrigHeight;
  int ret = jpeg_read_header(&m_Cinfo, TRUE);
  // |m_bInited| stays true on this path, so the destructor still releases
  // |m_Cinfo|.
  if (ret != JPEG_HEADER_OK)
    return false;

  // An Adobe marker in the stream forces the colour-transform flag on,
  // whatever Create() was told.
  if (m_Cinfo.saw_Adobe_marker)
    m_bJpegTransform = true;

  // For 3-component images without the transform flag, request output in the
  // stream's own colour space.
  if (m_Cinfo.num_components == 3 && !m_bJpegTransform)
    m_Cinfo.out_color_space = m_Cinfo.jpeg_color_space;

  // From here on the dimensions are those found in the file's header, not
  // the ones passed to Create().
  m_OrigWidth = m_Cinfo.image_width;
  m_OrigHeight = m_Cinfo.image_height;
  m_OutputWidth = m_OrigWidth;
  m_OutputHeight = m_OrigHeight;
  m_nDefaultScaleDenom = m_Cinfo.scale_denom;
  return true;
}
232 
// Binds the decoder to |src_span| and reads the JPEG header.
// |width| and |height| are the dimensions the caller expects, |nComps| the
// minimum component count, and |ColorTransform| the initial colour-transform
// flag. Returns false if fewer than two bytes remain after the SOI scan, if
// InitDecode() fails, or if the image has fewer components or a smaller
// width than requested.
// Note that the last two bytes of the caller's data are overwritten by
// PatchUpTrailer() before decoding starts.
bool JpegDecoder::Create(pdfium::span<const uint8_t> src_span,
                         uint32_t width,
                         uint32_t height,
                         int nComps,
                         bool ColorTransform) {
  m_SrcSpan = JpegScanSOI(src_span);
  // PatchUpTrailer() writes the final two bytes, so at least two are needed.
  if (m_SrcSpan.size() < 2) {
    return false;
  }

  PatchUpTrailer();

  // Source manager callbacks for the in-memory input.
  m_Src.init_source = src_do_nothing;
  m_Src.term_source = src_do_nothing;
  m_Src.skip_input_data = src_skip_data;
  m_Src.fill_input_buffer = src_fill_buffer;
  m_Src.resync_to_restart = src_resync;

  // Error manager: only fatal errors are acted on, through error_fatal().
  m_Jerr.error_exit = error_fatal;
  m_Jerr.emit_message = error_do_nothing_int;
  m_Jerr.output_message = error_do_nothing;
  m_Jerr.format_message = error_do_nothing_char;
  m_Jerr.reset_error_mgr = error_do_nothing;

  m_bJpegTransform = ColorTransform;
  m_OrigWidth = width;
  m_OutputWidth = m_OrigWidth;
  m_OrigHeight = height;
  m_OutputHeight = m_OrigHeight;

  const bool header_ok = InitDecode(/*bAcceptKnownBadHeader=*/true);
  if (!header_ok) {
    return false;
  }

  // Reject images that carry less than the caller asked for.
  if (m_Cinfo.num_components < nComps || m_Cinfo.image_width < width) {
    return false;
  }

  CalcPitch();
  m_ScanlineBuf = DataVector<uint8_t>(m_Pitch);
  m_nComps = m_Cinfo.num_components;
  m_bpc = 8;
  m_bStarted = false;
  return true;
}
273 
// Restarts decoding at the first scanline. Returns false if the decoder
// cannot be re-initialised or libjpeg fails to start decompression.
bool JpegDecoder::Rewind() {
  if (m_bStarted) {
    // Decoding already began, so tear down and rebuild the decompress object.
    // Known-bad headers are not accepted on this path; presumably any such
    // header was already patched in place during Create().
    jpeg_destroy_decompress(&m_Cinfo);
    if (!InitDecode(/*bAcceptKnownBadHeader=*/false)) {
      return false;
    }
  }
  // Jump target for fatal errors raised by jpeg_start_decompress().
  if (setjmp(m_JmpBuf) == -1) {
    return false;
  }
  m_Cinfo.scale_denom = m_nDefaultScaleDenom;
  m_OutputWidth = m_OrigWidth;
  m_OutputHeight = m_OrigHeight;
  if (!jpeg_start_decompress(&m_Cinfo)) {
    // NOTE(review): |m_bInited| is left true here, so the destructor will
    // call jpeg_destroy_decompress() on |m_Cinfo| again; this relies on
    // libjpeg tolerating a repeated destroy - confirm.
    jpeg_destroy_decompress(&m_Cinfo);
    return false;
  }
  // The scanline buffer was sized from the image width in Create(); abort
  // rather than let libjpeg emit rows wider than the header's width.
  CHECK_LE(static_cast<int>(m_Cinfo.output_width), m_OrigWidth);
  m_bStarted = true;
  return true;
}
295 
// Decodes the next scanline into |m_ScanlineBuf| and returns a span over that
// buffer. Returns an empty span when libjpeg raises a fatal error or produces
// no line.
// NOTE(review): nothing here checks that Rewind() succeeded first; presumably
// the base class or callers guarantee that - confirm.
pdfium::span<uint8_t> JpegDecoder::GetNextLine() {
  // Jump target for fatal errors raised by jpeg_read_scanlines().
  if (setjmp(m_JmpBuf) == -1)
    return pdfium::span<uint8_t>();

  // libjpeg takes an array of row pointers; exactly one row is requested.
  uint8_t* row_array[] = {m_ScanlineBuf.data()};
  int nlines = jpeg_read_scanlines(&m_Cinfo, row_array, 1);
  if (nlines <= 0)
    return pdfium::span<uint8_t>();

  return m_ScanlineBuf;
}
307 
// Returns how many bytes of |m_SrcSpan| libjpeg has consumed so far: the
// span's size minus what the source manager still reports as unread. The
// result is narrowed to 32 bits.
uint32_t JpegDecoder::GetSrcOffset() {
  const size_t consumed = m_SrcSpan.size() - m_Src.bytes_in_buffer;
  return static_cast<uint32_t>(consumed);
}
311 
// Sets |m_Pitch| to the number of bytes in one row (image width times the
// component count), rounded up to the next multiple of 4.
void JpegDecoder::CalcPitch() {
  m_Pitch = static_cast<uint32_t>(m_Cinfo.image_width) * m_Cinfo.num_components;
  // Add 3, then truncate to a multiple of 4.
  m_Pitch = (m_Pitch + 3) / 4 * 4;
}
318 
// Resets the in-memory source manager to the start of |m_SrcSpan| and
// attaches it to the decompress object.
void JpegDecoder::InitDecompressSrc() {
  m_Src.next_input_byte = m_SrcSpan.data();
  m_Src.bytes_in_buffer = m_SrcSpan.size();
  m_Cinfo.src = &m_Src;
}
324 
// Reports whether the header that libjpeg just rejected matches the known-bad
// pattern: an SOFn segment whose height bytes are 0xff 0xff while its width
// bytes equal the expected width. |dimension_offset| is the offset in
// |m_SrcSpan| where the four dimension bytes start. It must be at least
// kSofMarkerByteOffset, since the marker position is computed by unsigned
// subtraction; the only caller in this file passes 94 or 163.
// The many checks are deliberately redundant to rule out false positives,
// because a match leads to the source buffer being patched.
bool JpegDecoder::HasKnownBadHeaderWithInvalidHeight(
    size_t dimension_offset) const {
  // libjpeg must have failed with "image too big", with a plausible width
  // and an all-ones height.
  if (m_Cinfo.err->msg_code != JERR_IMAGE_TOO_BIG) {
    return false;
  }
  if (!(m_Cinfo.image_width < JPEG_MAX_DIMENSION &&
        m_Cinfo.image_height == 0xffff)) {
    return false;
  }

  // The dimensions the caller expects must themselves be in range.
  if (!(m_OrigWidth > 0 && m_OrigWidth <= JPEG_MAX_DIMENSION)) {
    return false;
  }
  if (!(m_OrigHeight > 0 && m_OrigHeight <= JPEG_MAX_DIMENSION)) {
    return false;
  }

  // All four dimension bytes must lie inside the source data.
  if (m_SrcSpan.size() <= dimension_offset + 3u) {
    return false;
  }

  if (!IsSofSegment(dimension_offset - kSofMarkerByteOffset)) {
    return false;
  }

  const uint8_t width_high = (m_OrigWidth >> 8) & 0xff;
  const uint8_t width_low = m_OrigWidth & 0xff;
  // Layout: height high byte, height low byte, width high byte, width low
  // byte.
  const uint8_t* dims = &m_SrcSpan[dimension_offset];
  if (dims[0] != 0xff || dims[1] != 0xff) {
    return false;
  }
  return dims[2] == width_high && dims[3] == width_low;
}
352 
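// Returns true if the two bytes at |marker_offset| in |m_SrcSpan| form a JPEG
// SOFn marker, i.e. 0xff followed by a byte in the range 0xc0-0xcf. Returns
// false when the two-byte marker would not fit inside the source data.
bool JpegDecoder::IsSofSegment(size_t marker_offset) const {
  // The second byte is read through a raw pointer, so verify here that both
  // bytes are inside the span instead of relying on the caller's checks.
  // Written as a subtraction so that a huge |marker_offset| cannot wrap.
  const size_t src_size = m_SrcSpan.size();
  if (src_size < 2 || marker_offset > src_size - 2)
    return false;

  const uint8_t* pHeaderMarker = &m_SrcSpan[marker_offset];
  return pHeaderMarker[0] == 0xff && pHeaderMarker[1] >= 0xc0 &&
         pHeaderMarker[1] <= 0xcf;
}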
358 
// Overwrites the two height bytes at |dimension_offset| in the source data
// with |m_OrigHeight|, high byte first. This modifies the caller-supplied
// buffer in place, so both bytes must lie inside |m_SrcSpan|.
void JpegDecoder::PatchUpKnownBadHeaderWithInvalidHeight(
    size_t dimension_offset) {
  DCHECK(m_SrcSpan.size() > dimension_offset + 1u);
  const uint8_t height_high = (m_OrigHeight >> 8) & 0xff;
  const uint8_t height_low = m_OrigHeight & 0xff;
  uint8_t* const height_bytes = GetWritableSrcData() + dimension_offset;
  height_bytes[0] = height_high;
  height_bytes[1] = height_low;
}
366 
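// Overwrites the last two bytes of the source data with the JPEG EOI marker
// (0xff 0xd9), whether or not a correct trailer is already there. This
// modifies the caller-supplied buffer in place.
void JpegDecoder::PatchUpTrailer() {
  // The writes below go through a raw pointer with indices computed by
  // unsigned subtraction, so fewer than two bytes would wrap and write far
  // outside the buffer. Create() checks the size before calling; assert the
  // precondition here as well, as PatchUpKnownBadHeaderWithInvalidHeight()
  // does for its own writes.
  DCHECK(m_SrcSpan.size() >= 2u);

  const size_t src_size = m_SrcSpan.size();
  uint8_t* pData = GetWritableSrcData();
  pData[src_size - 2] = 0xff;
  pData[src_size - 1] = 0xd9;
}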
372 
// Returns a mutable pointer to the start of |m_SrcSpan|. The span views the
// data handed to Create() as const bytes; constness is cast away here so the
// patch-up methods can rewrite it, which is only valid if that memory is
// actually writable.
uint8_t* JpegDecoder::GetWritableSrcData() {
  const uint8_t* read_only_data = m_SrcSpan.data();
  return const_cast<uint8_t*>(read_only_data);
}
376 
377 }  // namespace
378 
379 // static
// Builds a JpegDecoder over |src_span| and returns it as a ScanlineDecoder,
// or returns nullptr when JpegDecoder::Create() rejects the data.
// |src_span| must not be empty. The decoder keeps a view of the data and
// writes into it, so the data must stay alive and writable for the decoder's
// lifetime.
std::unique_ptr<ScanlineDecoder> JpegModule::CreateDecoder(
    pdfium::span<const uint8_t> src_span,
    uint32_t width,
    uint32_t height,
    int nComps,
    bool ColorTransform) {
  DCHECK(!src_span.empty());

  auto decoder = std::make_unique<JpegDecoder>();
  const bool created =
      decoder->Create(src_span, width, height, nComps, ColorTransform);
  if (created) {
    // Explicit move: the return type is a pointer to the base class.
    return std::move(decoder);
  }
  return nullptr;
}
394 
395 // static
// Reads the JPEG header in |src_span| and returns its ImageInfo, or
// absl::nullopt when JpegLoadInfo() reports that the header could not be
// read.
absl::optional<JpegModule::ImageInfo> JpegModule::LoadInfo(
    pdfium::span<const uint8_t> src_span) {
  ImageInfo header_info;
  if (JpegLoadInfo(src_span, &header_info)) {
    return header_info;
  }
  return absl::nullopt;
}
404 
405 #if BUILDFLAG(IS_WIN)
// Encodes |pSource| as a JPEG into a newly allocated buffer. On success
// returns true, stores the buffer in |*dest_buf| and the number of bytes
// written in |*dest_size|. Returns false if the initial buffer size overflows
// 32 bits or the buffer cannot be allocated.
// NOTE(review): the caller presumably takes ownership of |*dest_buf| and
// must free it - confirm against callers.
bool JpegModule::JpegEncode(const RetainPtr<CFX_DIBBase>& pSource,
                            uint8_t** dest_buf,
                            size_t* dest_size) {
  jpeg_error_mgr jerr;
  // NOTE(review): libjpeg expects error_exit not to return. If
  // error_do_nothing is the no-op its name suggests, a fatal encoder error
  // would return into libjpeg instead of unwinding, unlike the decoder paths
  // in this file, which install error_fatal - confirm this is intended.
  jerr.error_exit = error_do_nothing;
  jerr.emit_message = error_do_nothing_int;
  jerr.output_message = error_do_nothing;
  jerr.format_message = error_do_nothing_char;
  jerr.reset_error_mgr = error_do_nothing;

  jpeg_compress_struct cinfo;
  memset(&cinfo, 0, sizeof(cinfo));
  cinfo.err = &jerr;
  jpeg_create_compress(&cinfo);
  // Bytes per pixel. nComponents is therefore always 1 or 3.
  // NOTE(review): a source below 8 bpp gives Bpp == 0 and is treated as one
  // 8-bit component, so its rows would be handed to libjpeg as |width|
  // samples; presumably callers only pass bitmaps of 8 bpp or more - confirm.
  int Bpp = pSource->GetBPP() / 8;
  uint32_t nComponents = Bpp >= 3 ? 3 : 1;
  uint32_t pitch = pSource->GetPitch();
  uint32_t width = pdfium::base::checked_cast<uint32_t>(pSource->GetWidth());
  uint32_t height = pdfium::base::checked_cast<uint32_t>(pSource->GetHeight());
  // Initial output size: one byte per sample plus 1024, computed with checked
  // arithmetic so an oversized bitmap fails instead of wrapping.
  FX_SAFE_UINT32 safe_buf_len = width;
  safe_buf_len *= height;
  safe_buf_len *= nComponents;
  safe_buf_len += 1024;
  if (!safe_buf_len.IsValid())
    return false;

  uint32_t dest_buf_length = safe_buf_len.ValueOrDie();
  *dest_buf = FX_TryAlloc(uint8_t, dest_buf_length);
  // If the allocation fails, keep halving the request until it succeeds or
  // drops to the minimum size.
  const int MIN_TRY_BUF_LEN = 1024;
  while (!(*dest_buf) && dest_buf_length > MIN_TRY_BUF_LEN) {
    dest_buf_length >>= 1;
    *dest_buf = FX_TryAlloc(uint8_t, dest_buf_length);
  }
  if (!(*dest_buf))
    return false;

  // In-memory destination. dest_empty() never enlarges the buffer; the
  // scanline loop below does that.
  jpeg_destination_mgr dest;
  dest.init_destination = dest_do_nothing;
  dest.term_destination = dest_do_nothing;
  dest.empty_output_buffer = dest_empty;
  dest.next_output_byte = *dest_buf;
  dest.free_in_buffer = dest_buf_length;
  cinfo.dest = &dest;
  cinfo.image_width = width;
  cinfo.image_height = height;
  cinfo.input_components = nComponents;
  if (nComponents == 1) {
    cinfo.in_color_space = JCS_GRAYSCALE;
  } else if (nComponents == 3) {
    cinfo.in_color_space = JCS_RGB;
  } else {
    // Not reachable with the nComponents computation above (only 1 or 3).
    cinfo.in_color_space = JCS_CMYK;
  }
  // Scratch row used to reorder pixel bytes for multi-component sources.
  uint8_t* line_buf = nullptr;
  if (nComponents > 1)
    line_buf = FX_Alloc2D(uint8_t, width, nComponents);

  jpeg_set_defaults(&cinfo);
  jpeg_start_compress(&cinfo, TRUE);
  JSAMPROW row_pointer[1];
  JDIMENSION row;
  while (cinfo.next_scanline < cinfo.image_height) {
    pdfium::span<const uint8_t> src_scan =
        pSource->GetScanline(cinfo.next_scanline);
    if (nComponents > 1) {
      uint8_t* dest_scan = line_buf;
      if (nComponents == 3) {
        // Copy three bytes per pixel in reversed order and step over the
        // remaining source bytes of each pixel.
        for (uint32_t i = 0; i < width; i++) {
          ReverseCopy3Bytes(dest_scan, src_scan.data());
          dest_scan += 3;
          src_scan = src_scan.subspan(Bpp);
        }
      } else {
        // Not reachable while nComponents is limited to 1 or 3. If it were
        // reached, it would write |pitch| bytes into |line_buf|, which holds
        // width * nComponents bytes.
        for (uint32_t i = 0; i < pitch; i++) {
          *dest_scan++ = ~src_scan.front();
          src_scan = src_scan.subspan(1);
        }
      }
      row_pointer[0] = line_buf;
    } else {
      // Single-component source: the bitmap row is passed to libjpeg as is.
      row_pointer[0] = const_cast<uint8_t*>(src_scan.data());
    }
    row = cinfo.next_scanline;
    jpeg_write_scanlines(&cinfo, row_pointer, 1);
    if (cinfo.next_scanline == row) {
      // No progress on this row, presumably because the output buffer is
      // full. Grow it by one block and retry the same row on the next pass.
      constexpr size_t kJpegBlockSize = 1048576;
      *dest_buf =
          FX_Realloc(uint8_t, *dest_buf, dest_buf_length + kJpegBlockSize);
      // The buffer may have moved, so recompute the write position from the
      // number of bytes already used.
      dest.next_output_byte = *dest_buf + dest_buf_length - dest.free_in_buffer;
      dest_buf_length += kJpegBlockSize;
      dest.free_in_buffer += kJpegBlockSize;
    }
  }
  jpeg_finish_compress(&cinfo);
  jpeg_destroy_compress(&cinfo);
  FX_Free(line_buf);
  // Bytes written = buffer length minus the space libjpeg left unused.
  *dest_size = dest_buf_length - static_cast<size_t>(dest.free_in_buffer);

  return true;
}
506 #endif  // BUILDFLAG(IS_WIN)
507 
508 }  // namespace fxcodec
509