1 // Copyright 2012 Google Inc. All Rights Reserved.
2 //
3 // Use of this source code is governed by a BSD-style license
4 // that can be found in the COPYING file in the root of the source
5 // tree. An additional intellectual property rights grant can be found
6 // in the file PATENTS. All contributing project authors may
7 // be found in the AUTHORS file in the root of the source tree.
8 // -----------------------------------------------------------------------------
9 //
10 // WebP container demux.
11 //
12
13 #ifdef HAVE_CONFIG_H
14 #include "src/webp/config.h"
15 #endif
16
17 #include <assert.h>
18 #include <stdlib.h>
19 #include <string.h>
20
21 #include "src/utils/utils.h"
22 #include "src/webp/decode.h" // WebPGetFeatures
23 #include "src/webp/demux.h"
24 #include "src/webp/format_constants.h"
25
26 #define DMUX_MAJ_VERSION 0
27 #define DMUX_MIN_VERSION 3
28 #define DMUX_REV_VERSION 3
29
30 typedef struct {
31 size_t start_; // start location of the data
32 size_t end_; // end location
33 size_t riff_end_; // riff chunk end location, can be > end_.
34 size_t buf_size_; // size of the buffer
35 const uint8_t* buf_;
36 } MemBuffer;
37
38 typedef struct {
39 size_t offset_;
40 size_t size_;
41 } ChunkData;
42
43 typedef struct Frame {
44 int x_offset_, y_offset_;
45 int width_, height_;
46 int has_alpha_;
47 int duration_;
48 WebPMuxAnimDispose dispose_method_;
49 WebPMuxAnimBlend blend_method_;
50 int frame_num_;
51 int complete_; // img_components_ contains a full image.
52 ChunkData img_components_[2]; // 0=VP8{,L} 1=ALPH
53 struct Frame* next_;
54 } Frame;
55
56 typedef struct Chunk {
57 ChunkData data_;
58 struct Chunk* next_;
59 } Chunk;
60
61 struct WebPDemuxer {
62 MemBuffer mem_;
63 WebPDemuxState state_;
64 int is_ext_format_;
65 uint32_t feature_flags_;
66 int canvas_width_, canvas_height_;
67 int loop_count_;
68 uint32_t bgcolor_;
69 int num_frames_;
70 Frame* frames_;
71 Frame** frames_tail_;
72 Chunk* chunks_; // non-image chunks
73 Chunk** chunks_tail_;
74 };
75
76 typedef enum {
77 PARSE_OK,
78 PARSE_NEED_MORE_DATA,
79 PARSE_ERROR
80 } ParseStatus;
81
82 typedef struct ChunkParser {
83 uint8_t id[4];
84 ParseStatus (*parse)(WebPDemuxer* const dmux);
85 int (*valid)(const WebPDemuxer* const dmux);
86 } ChunkParser;
87
88 static ParseStatus ParseSingleImage(WebPDemuxer* const dmux);
89 static ParseStatus ParseVP8X(WebPDemuxer* const dmux);
90 static int IsValidSimpleFormat(const WebPDemuxer* const dmux);
91 static int IsValidExtendedFormat(const WebPDemuxer* const dmux);
92
93 static const ChunkParser kMasterChunks[] = {
94 { { 'V', 'P', '8', ' ' }, ParseSingleImage, IsValidSimpleFormat },
95 { { 'V', 'P', '8', 'L' }, ParseSingleImage, IsValidSimpleFormat },
96 { { 'V', 'P', '8', 'X' }, ParseVP8X, IsValidExtendedFormat },
97 { { '0', '0', '0', '0' }, NULL, NULL },
98 };
99
100 //------------------------------------------------------------------------------
101
WebPGetDemuxVersion(void)102 int WebPGetDemuxVersion(void) {
103 return (DMUX_MAJ_VERSION << 16) | (DMUX_MIN_VERSION << 8) | DMUX_REV_VERSION;
104 }
105
106 // -----------------------------------------------------------------------------
107 // MemBuffer
108
RemapMemBuffer(MemBuffer * const mem,const uint8_t * data,size_t size)109 static int RemapMemBuffer(MemBuffer* const mem,
110 const uint8_t* data, size_t size) {
111 if (size < mem->buf_size_) return 0; // can't remap to a shorter buffer!
112
113 mem->buf_ = data;
114 mem->end_ = mem->buf_size_ = size;
115 return 1;
116 }
117
InitMemBuffer(MemBuffer * const mem,const uint8_t * data,size_t size)118 static int InitMemBuffer(MemBuffer* const mem,
119 const uint8_t* data, size_t size) {
120 memset(mem, 0, sizeof(*mem));
121 return RemapMemBuffer(mem, data, size);
122 }
123
124 // Return the remaining data size available in 'mem'.
MemDataSize(const MemBuffer * const mem)125 static WEBP_INLINE size_t MemDataSize(const MemBuffer* const mem) {
126 return (mem->end_ - mem->start_);
127 }
128
129 // Return true if 'size' exceeds the end of the RIFF chunk.
SizeIsInvalid(const MemBuffer * const mem,size_t size)130 static WEBP_INLINE int SizeIsInvalid(const MemBuffer* const mem, size_t size) {
131 return (size > mem->riff_end_ - mem->start_);
132 }
133
Skip(MemBuffer * const mem,size_t size)134 static WEBP_INLINE void Skip(MemBuffer* const mem, size_t size) {
135 mem->start_ += size;
136 }
137
Rewind(MemBuffer * const mem,size_t size)138 static WEBP_INLINE void Rewind(MemBuffer* const mem, size_t size) {
139 mem->start_ -= size;
140 }
141
GetBuffer(MemBuffer * const mem)142 static WEBP_INLINE const uint8_t* GetBuffer(MemBuffer* const mem) {
143 return mem->buf_ + mem->start_;
144 }
145
146 // Read from 'mem' and skip the read bytes.
ReadByte(MemBuffer * const mem)147 static WEBP_INLINE uint8_t ReadByte(MemBuffer* const mem) {
148 const uint8_t byte = mem->buf_[mem->start_];
149 Skip(mem, 1);
150 return byte;
151 }
152
ReadLE16s(MemBuffer * const mem)153 static WEBP_INLINE int ReadLE16s(MemBuffer* const mem) {
154 const uint8_t* const data = mem->buf_ + mem->start_;
155 const int val = GetLE16(data);
156 Skip(mem, 2);
157 return val;
158 }
159
ReadLE24s(MemBuffer * const mem)160 static WEBP_INLINE int ReadLE24s(MemBuffer* const mem) {
161 const uint8_t* const data = mem->buf_ + mem->start_;
162 const int val = GetLE24(data);
163 Skip(mem, 3);
164 return val;
165 }
166
ReadLE32(MemBuffer * const mem)167 static WEBP_INLINE uint32_t ReadLE32(MemBuffer* const mem) {
168 const uint8_t* const data = mem->buf_ + mem->start_;
169 const uint32_t val = GetLE32(data);
170 Skip(mem, 4);
171 return val;
172 }
173
174 // -----------------------------------------------------------------------------
175 // Secondary chunk parsing
176
AddChunk(WebPDemuxer * const dmux,Chunk * const chunk)177 static void AddChunk(WebPDemuxer* const dmux, Chunk* const chunk) {
178 *dmux->chunks_tail_ = chunk;
179 chunk->next_ = NULL;
180 dmux->chunks_tail_ = &chunk->next_;
181 }
182
183 // Add a frame to the end of the list, ensuring the last frame is complete.
184 // Returns true on success, false otherwise.
AddFrame(WebPDemuxer * const dmux,Frame * const frame)185 static int AddFrame(WebPDemuxer* const dmux, Frame* const frame) {
186 const Frame* const last_frame = *dmux->frames_tail_;
187 if (last_frame != NULL && !last_frame->complete_) return 0;
188
189 *dmux->frames_tail_ = frame;
190 frame->next_ = NULL;
191 dmux->frames_tail_ = &frame->next_;
192 return 1;
193 }
194
SetFrameInfo(size_t start_offset,size_t size,int frame_num,int complete,const WebPBitstreamFeatures * const features,Frame * const frame)195 static void SetFrameInfo(size_t start_offset, size_t size,
196 int frame_num, int complete,
197 const WebPBitstreamFeatures* const features,
198 Frame* const frame) {
199 frame->img_components_[0].offset_ = start_offset;
200 frame->img_components_[0].size_ = size;
201 frame->width_ = features->width;
202 frame->height_ = features->height;
203 frame->has_alpha_ |= features->has_alpha;
204 frame->frame_num_ = frame_num;
205 frame->complete_ = complete;
206 }
207
208 // Store image bearing chunks to 'frame'. 'min_size' is an optional size
209 // requirement, it may be zero.
StoreFrame(int frame_num,uint32_t min_size,MemBuffer * const mem,Frame * const frame)210 static ParseStatus StoreFrame(int frame_num, uint32_t min_size,
211 MemBuffer* const mem, Frame* const frame) {
212 int alpha_chunks = 0;
213 int image_chunks = 0;
214 int done = (MemDataSize(mem) < CHUNK_HEADER_SIZE ||
215 MemDataSize(mem) < min_size);
216 ParseStatus status = PARSE_OK;
217
218 if (done) return PARSE_NEED_MORE_DATA;
219
220 do {
221 const size_t chunk_start_offset = mem->start_;
222 const uint32_t fourcc = ReadLE32(mem);
223 const uint32_t payload_size = ReadLE32(mem);
224 const uint32_t payload_size_padded = payload_size + (payload_size & 1);
225 const size_t payload_available = (payload_size_padded > MemDataSize(mem))
226 ? MemDataSize(mem) : payload_size_padded;
227 const size_t chunk_size = CHUNK_HEADER_SIZE + payload_available;
228
229 if (payload_size > MAX_CHUNK_PAYLOAD) return PARSE_ERROR;
230 if (SizeIsInvalid(mem, payload_size_padded)) return PARSE_ERROR;
231 if (payload_size_padded > MemDataSize(mem)) status = PARSE_NEED_MORE_DATA;
232
233 switch (fourcc) {
234 case MKFOURCC('A', 'L', 'P', 'H'):
235 if (alpha_chunks == 0) {
236 ++alpha_chunks;
237 frame->img_components_[1].offset_ = chunk_start_offset;
238 frame->img_components_[1].size_ = chunk_size;
239 frame->has_alpha_ = 1;
240 frame->frame_num_ = frame_num;
241 Skip(mem, payload_available);
242 } else {
243 goto Done;
244 }
245 break;
246 case MKFOURCC('V', 'P', '8', 'L'):
247 if (alpha_chunks > 0) return PARSE_ERROR; // VP8L has its own alpha
248 // fall through
249 case MKFOURCC('V', 'P', '8', ' '):
250 if (image_chunks == 0) {
251 // Extract the bitstream features, tolerating failures when the data
252 // is incomplete.
253 WebPBitstreamFeatures features;
254 const VP8StatusCode vp8_status =
255 WebPGetFeatures(mem->buf_ + chunk_start_offset, chunk_size,
256 &features);
257 if (status == PARSE_NEED_MORE_DATA &&
258 vp8_status == VP8_STATUS_NOT_ENOUGH_DATA) {
259 return PARSE_NEED_MORE_DATA;
260 } else if (vp8_status != VP8_STATUS_OK) {
261 // We have enough data, and yet WebPGetFeatures() failed.
262 return PARSE_ERROR;
263 }
264 ++image_chunks;
265 SetFrameInfo(chunk_start_offset, chunk_size, frame_num,
266 status == PARSE_OK, &features, frame);
267 Skip(mem, payload_available);
268 } else {
269 goto Done;
270 }
271 break;
272 Done:
273 default:
274 // Restore fourcc/size when moving up one level in parsing.
275 Rewind(mem, CHUNK_HEADER_SIZE);
276 done = 1;
277 break;
278 }
279
280 if (mem->start_ == mem->riff_end_) {
281 done = 1;
282 } else if (MemDataSize(mem) < CHUNK_HEADER_SIZE) {
283 status = PARSE_NEED_MORE_DATA;
284 }
285 } while (!done && status == PARSE_OK);
286
287 return status;
288 }
289
290 // Creates a new Frame if 'actual_size' is within bounds and 'mem' contains
291 // enough data ('min_size') to parse the payload.
292 // Returns PARSE_OK on success with *frame pointing to the new Frame.
293 // Returns PARSE_NEED_MORE_DATA with insufficient data, PARSE_ERROR otherwise.
NewFrame(const MemBuffer * const mem,uint32_t min_size,uint32_t actual_size,Frame ** frame)294 static ParseStatus NewFrame(const MemBuffer* const mem,
295 uint32_t min_size, uint32_t actual_size,
296 Frame** frame) {
297 if (SizeIsInvalid(mem, min_size)) return PARSE_ERROR;
298 if (actual_size < min_size) return PARSE_ERROR;
299 if (MemDataSize(mem) < min_size) return PARSE_NEED_MORE_DATA;
300
301 *frame = (Frame*)WebPSafeCalloc(1ULL, sizeof(**frame));
302 return (*frame == NULL) ? PARSE_ERROR : PARSE_OK;
303 }
304
305 // Parse a 'ANMF' chunk and any image bearing chunks that immediately follow.
306 // 'frame_chunk_size' is the previously validated, padded chunk size.
ParseAnimationFrame(WebPDemuxer * const dmux,uint32_t frame_chunk_size)307 static ParseStatus ParseAnimationFrame(
308 WebPDemuxer* const dmux, uint32_t frame_chunk_size) {
309 const int is_animation = !!(dmux->feature_flags_ & ANIMATION_FLAG);
310 const uint32_t anmf_payload_size = frame_chunk_size - ANMF_CHUNK_SIZE;
311 int added_frame = 0;
312 int bits;
313 MemBuffer* const mem = &dmux->mem_;
314 Frame* frame;
315 ParseStatus status =
316 NewFrame(mem, ANMF_CHUNK_SIZE, frame_chunk_size, &frame);
317 if (status != PARSE_OK) return status;
318
319 frame->x_offset_ = 2 * ReadLE24s(mem);
320 frame->y_offset_ = 2 * ReadLE24s(mem);
321 frame->width_ = 1 + ReadLE24s(mem);
322 frame->height_ = 1 + ReadLE24s(mem);
323 frame->duration_ = ReadLE24s(mem);
324 bits = ReadByte(mem);
325 frame->dispose_method_ =
326 (bits & 1) ? WEBP_MUX_DISPOSE_BACKGROUND : WEBP_MUX_DISPOSE_NONE;
327 frame->blend_method_ = (bits & 2) ? WEBP_MUX_NO_BLEND : WEBP_MUX_BLEND;
328 if (frame->width_ * (uint64_t)frame->height_ >= MAX_IMAGE_AREA) {
329 WebPSafeFree(frame);
330 return PARSE_ERROR;
331 }
332
333 // Store a frame only if the animation flag is set there is some data for
334 // this frame is available.
335 status = StoreFrame(dmux->num_frames_ + 1, anmf_payload_size, mem, frame);
336 if (status != PARSE_ERROR && is_animation && frame->frame_num_ > 0) {
337 added_frame = AddFrame(dmux, frame);
338 if (added_frame) {
339 ++dmux->num_frames_;
340 } else {
341 status = PARSE_ERROR;
342 }
343 }
344
345 if (!added_frame) WebPSafeFree(frame);
346 return status;
347 }
348
349 // General chunk storage, starting with the header at 'start_offset', allowing
350 // the user to request the payload via a fourcc string. 'size' includes the
351 // header and the unpadded payload size.
352 // Returns true on success, false otherwise.
StoreChunk(WebPDemuxer * const dmux,size_t start_offset,uint32_t size)353 static int StoreChunk(WebPDemuxer* const dmux,
354 size_t start_offset, uint32_t size) {
355 Chunk* const chunk = (Chunk*)WebPSafeCalloc(1ULL, sizeof(*chunk));
356 if (chunk == NULL) return 0;
357
358 chunk->data_.offset_ = start_offset;
359 chunk->data_.size_ = size;
360 AddChunk(dmux, chunk);
361 return 1;
362 }
363
364 // -----------------------------------------------------------------------------
365 // Primary chunk parsing
366
ReadHeader(MemBuffer * const mem)367 static ParseStatus ReadHeader(MemBuffer* const mem) {
368 const size_t min_size = RIFF_HEADER_SIZE + CHUNK_HEADER_SIZE;
369 uint32_t riff_size;
370
371 // Basic file level validation.
372 if (MemDataSize(mem) < min_size) return PARSE_NEED_MORE_DATA;
373 if (memcmp(GetBuffer(mem), "RIFF", CHUNK_SIZE_BYTES) ||
374 memcmp(GetBuffer(mem) + CHUNK_HEADER_SIZE, "WEBP", CHUNK_SIZE_BYTES)) {
375 return PARSE_ERROR;
376 }
377
378 riff_size = GetLE32(GetBuffer(mem) + TAG_SIZE);
379 if (riff_size < CHUNK_HEADER_SIZE) return PARSE_ERROR;
380 if (riff_size > MAX_CHUNK_PAYLOAD) return PARSE_ERROR;
381
382 // There's no point in reading past the end of the RIFF chunk
383 mem->riff_end_ = riff_size + CHUNK_HEADER_SIZE;
384 if (mem->buf_size_ > mem->riff_end_) {
385 mem->buf_size_ = mem->end_ = mem->riff_end_;
386 }
387
388 Skip(mem, RIFF_HEADER_SIZE);
389 return PARSE_OK;
390 }
391
ParseSingleImage(WebPDemuxer * const dmux)392 static ParseStatus ParseSingleImage(WebPDemuxer* const dmux) {
393 const size_t min_size = CHUNK_HEADER_SIZE;
394 MemBuffer* const mem = &dmux->mem_;
395 Frame* frame;
396 ParseStatus status;
397 int image_added = 0;
398
399 if (dmux->frames_ != NULL) return PARSE_ERROR;
400 if (SizeIsInvalid(mem, min_size)) return PARSE_ERROR;
401 if (MemDataSize(mem) < min_size) return PARSE_NEED_MORE_DATA;
402
403 frame = (Frame*)WebPSafeCalloc(1ULL, sizeof(*frame));
404 if (frame == NULL) return PARSE_ERROR;
405
406 // For the single image case we allow parsing of a partial frame, so no
407 // minimum size is imposed here.
408 status = StoreFrame(1, 0, &dmux->mem_, frame);
409 if (status != PARSE_ERROR) {
410 const int has_alpha = !!(dmux->feature_flags_ & ALPHA_FLAG);
411 // Clear any alpha when the alpha flag is missing.
412 if (!has_alpha && frame->img_components_[1].size_ > 0) {
413 frame->img_components_[1].offset_ = 0;
414 frame->img_components_[1].size_ = 0;
415 frame->has_alpha_ = 0;
416 }
417
418 // Use the frame width/height as the canvas values for non-vp8x files.
419 // Also, set ALPHA_FLAG if this is a lossless image with alpha.
420 if (!dmux->is_ext_format_ && frame->width_ > 0 && frame->height_ > 0) {
421 dmux->state_ = WEBP_DEMUX_PARSED_HEADER;
422 dmux->canvas_width_ = frame->width_;
423 dmux->canvas_height_ = frame->height_;
424 dmux->feature_flags_ |= frame->has_alpha_ ? ALPHA_FLAG : 0;
425 }
426 if (!AddFrame(dmux, frame)) {
427 status = PARSE_ERROR; // last frame was left incomplete
428 } else {
429 image_added = 1;
430 dmux->num_frames_ = 1;
431 }
432 }
433
434 if (!image_added) WebPSafeFree(frame);
435 return status;
436 }
437
ParseVP8XChunks(WebPDemuxer * const dmux)438 static ParseStatus ParseVP8XChunks(WebPDemuxer* const dmux) {
439 const int is_animation = !!(dmux->feature_flags_ & ANIMATION_FLAG);
440 MemBuffer* const mem = &dmux->mem_;
441 int anim_chunks = 0;
442 ParseStatus status = PARSE_OK;
443
444 do {
445 int store_chunk = 1;
446 const size_t chunk_start_offset = mem->start_;
447 const uint32_t fourcc = ReadLE32(mem);
448 const uint32_t chunk_size = ReadLE32(mem);
449 const uint32_t chunk_size_padded = chunk_size + (chunk_size & 1);
450
451 if (chunk_size > MAX_CHUNK_PAYLOAD) return PARSE_ERROR;
452 if (SizeIsInvalid(mem, chunk_size_padded)) return PARSE_ERROR;
453
454 switch (fourcc) {
455 case MKFOURCC('V', 'P', '8', 'X'): {
456 return PARSE_ERROR;
457 }
458 case MKFOURCC('A', 'L', 'P', 'H'):
459 case MKFOURCC('V', 'P', '8', ' '):
460 case MKFOURCC('V', 'P', '8', 'L'): {
461 // check that this isn't an animation (all frames should be in an ANMF).
462 if (anim_chunks > 0 || is_animation) return PARSE_ERROR;
463
464 Rewind(mem, CHUNK_HEADER_SIZE);
465 status = ParseSingleImage(dmux);
466 break;
467 }
468 case MKFOURCC('A', 'N', 'I', 'M'): {
469 if (chunk_size_padded < ANIM_CHUNK_SIZE) return PARSE_ERROR;
470
471 if (MemDataSize(mem) < chunk_size_padded) {
472 status = PARSE_NEED_MORE_DATA;
473 } else if (anim_chunks == 0) {
474 ++anim_chunks;
475 dmux->bgcolor_ = ReadLE32(mem);
476 dmux->loop_count_ = ReadLE16s(mem);
477 Skip(mem, chunk_size_padded - ANIM_CHUNK_SIZE);
478 } else {
479 store_chunk = 0;
480 goto Skip;
481 }
482 break;
483 }
484 case MKFOURCC('A', 'N', 'M', 'F'): {
485 if (anim_chunks == 0) return PARSE_ERROR; // 'ANIM' precedes frames.
486 status = ParseAnimationFrame(dmux, chunk_size_padded);
487 break;
488 }
489 case MKFOURCC('I', 'C', 'C', 'P'): {
490 store_chunk = !!(dmux->feature_flags_ & ICCP_FLAG);
491 goto Skip;
492 }
493 case MKFOURCC('E', 'X', 'I', 'F'): {
494 store_chunk = !!(dmux->feature_flags_ & EXIF_FLAG);
495 goto Skip;
496 }
497 case MKFOURCC('X', 'M', 'P', ' '): {
498 store_chunk = !!(dmux->feature_flags_ & XMP_FLAG);
499 goto Skip;
500 }
501 Skip:
502 default: {
503 if (chunk_size_padded <= MemDataSize(mem)) {
504 if (store_chunk) {
505 // Store only the chunk header and unpadded size as only the payload
506 // will be returned to the user.
507 if (!StoreChunk(dmux, chunk_start_offset,
508 CHUNK_HEADER_SIZE + chunk_size)) {
509 return PARSE_ERROR;
510 }
511 }
512 Skip(mem, chunk_size_padded);
513 } else {
514 status = PARSE_NEED_MORE_DATA;
515 }
516 }
517 }
518
519 if (mem->start_ == mem->riff_end_) {
520 break;
521 } else if (MemDataSize(mem) < CHUNK_HEADER_SIZE) {
522 status = PARSE_NEED_MORE_DATA;
523 }
524 } while (status == PARSE_OK);
525
526 return status;
527 }
528
ParseVP8X(WebPDemuxer * const dmux)529 static ParseStatus ParseVP8X(WebPDemuxer* const dmux) {
530 MemBuffer* const mem = &dmux->mem_;
531 uint32_t vp8x_size;
532
533 if (MemDataSize(mem) < CHUNK_HEADER_SIZE) return PARSE_NEED_MORE_DATA;
534
535 dmux->is_ext_format_ = 1;
536 Skip(mem, TAG_SIZE); // VP8X
537 vp8x_size = ReadLE32(mem);
538 if (vp8x_size > MAX_CHUNK_PAYLOAD) return PARSE_ERROR;
539 if (vp8x_size < VP8X_CHUNK_SIZE) return PARSE_ERROR;
540 vp8x_size += vp8x_size & 1;
541 if (SizeIsInvalid(mem, vp8x_size)) return PARSE_ERROR;
542 if (MemDataSize(mem) < vp8x_size) return PARSE_NEED_MORE_DATA;
543
544 dmux->feature_flags_ = ReadByte(mem);
545 Skip(mem, 3); // Reserved.
546 dmux->canvas_width_ = 1 + ReadLE24s(mem);
547 dmux->canvas_height_ = 1 + ReadLE24s(mem);
548 if (dmux->canvas_width_ * (uint64_t)dmux->canvas_height_ >= MAX_IMAGE_AREA) {
549 return PARSE_ERROR; // image final dimension is too large
550 }
551 Skip(mem, vp8x_size - VP8X_CHUNK_SIZE); // skip any trailing data.
552 dmux->state_ = WEBP_DEMUX_PARSED_HEADER;
553
554 if (SizeIsInvalid(mem, CHUNK_HEADER_SIZE)) return PARSE_ERROR;
555 if (MemDataSize(mem) < CHUNK_HEADER_SIZE) return PARSE_NEED_MORE_DATA;
556
557 return ParseVP8XChunks(dmux);
558 }
559
560 // -----------------------------------------------------------------------------
561 // Format validation
562
IsValidSimpleFormat(const WebPDemuxer * const dmux)563 static int IsValidSimpleFormat(const WebPDemuxer* const dmux) {
564 const Frame* const frame = dmux->frames_;
565 if (dmux->state_ == WEBP_DEMUX_PARSING_HEADER) return 1;
566
567 if (dmux->canvas_width_ <= 0 || dmux->canvas_height_ <= 0) return 0;
568 if (dmux->state_ == WEBP_DEMUX_DONE && frame == NULL) return 0;
569
570 if (frame->width_ <= 0 || frame->height_ <= 0) return 0;
571 return 1;
572 }
573
574 // If 'exact' is true, check that the image resolution matches the canvas.
575 // If 'exact' is false, check that the x/y offsets do not exceed the canvas.
CheckFrameBounds(const Frame * const frame,int exact,int canvas_width,int canvas_height)576 static int CheckFrameBounds(const Frame* const frame, int exact,
577 int canvas_width, int canvas_height) {
578 if (exact) {
579 if (frame->x_offset_ != 0 || frame->y_offset_ != 0) {
580 return 0;
581 }
582 if (frame->width_ != canvas_width || frame->height_ != canvas_height) {
583 return 0;
584 }
585 } else {
586 if (frame->x_offset_ < 0 || frame->y_offset_ < 0) return 0;
587 if (frame->width_ + frame->x_offset_ > canvas_width) return 0;
588 if (frame->height_ + frame->y_offset_ > canvas_height) return 0;
589 }
590 return 1;
591 }
592
IsValidExtendedFormat(const WebPDemuxer * const dmux)593 static int IsValidExtendedFormat(const WebPDemuxer* const dmux) {
594 const int is_animation = !!(dmux->feature_flags_ & ANIMATION_FLAG);
595 const Frame* f = dmux->frames_;
596
597 if (dmux->state_ == WEBP_DEMUX_PARSING_HEADER) return 1;
598
599 if (dmux->canvas_width_ <= 0 || dmux->canvas_height_ <= 0) return 0;
600 if (dmux->loop_count_ < 0) return 0;
601 if (dmux->state_ == WEBP_DEMUX_DONE && dmux->frames_ == NULL) return 0;
602 if (dmux->feature_flags_ & ~ALL_VALID_FLAGS) return 0; // invalid bitstream
603
604 while (f != NULL) {
605 const int cur_frame_set = f->frame_num_;
606 int frame_count = 0;
607
608 // Check frame properties.
609 for (; f != NULL && f->frame_num_ == cur_frame_set; f = f->next_) {
610 const ChunkData* const image = f->img_components_;
611 const ChunkData* const alpha = f->img_components_ + 1;
612
613 if (!is_animation && f->frame_num_ > 1) return 0;
614
615 if (f->complete_) {
616 if (alpha->size_ == 0 && image->size_ == 0) return 0;
617 // Ensure alpha precedes image bitstream.
618 if (alpha->size_ > 0 && alpha->offset_ > image->offset_) {
619 return 0;
620 }
621
622 if (f->width_ <= 0 || f->height_ <= 0) return 0;
623 } else {
624 // There shouldn't be a partial frame in a complete file.
625 if (dmux->state_ == WEBP_DEMUX_DONE) return 0;
626
627 // Ensure alpha precedes image bitstream.
628 if (alpha->size_ > 0 && image->size_ > 0 &&
629 alpha->offset_ > image->offset_) {
630 return 0;
631 }
632 // There shouldn't be any frames after an incomplete one.
633 if (f->next_ != NULL) return 0;
634 }
635
636 if (f->width_ > 0 && f->height_ > 0 &&
637 !CheckFrameBounds(f, !is_animation,
638 dmux->canvas_width_, dmux->canvas_height_)) {
639 return 0;
640 }
641
642 ++frame_count;
643 }
644 }
645 return 1;
646 }
647
648 // -----------------------------------------------------------------------------
649 // WebPDemuxer object
650
InitDemux(WebPDemuxer * const dmux,const MemBuffer * const mem)651 static void InitDemux(WebPDemuxer* const dmux, const MemBuffer* const mem) {
652 dmux->state_ = WEBP_DEMUX_PARSING_HEADER;
653 dmux->loop_count_ = 1;
654 dmux->bgcolor_ = 0xFFFFFFFF; // White background by default.
655 dmux->canvas_width_ = -1;
656 dmux->canvas_height_ = -1;
657 dmux->frames_tail_ = &dmux->frames_;
658 dmux->chunks_tail_ = &dmux->chunks_;
659 dmux->mem_ = *mem;
660 }
661
CreateRawImageDemuxer(MemBuffer * const mem,WebPDemuxer ** demuxer)662 static ParseStatus CreateRawImageDemuxer(MemBuffer* const mem,
663 WebPDemuxer** demuxer) {
664 WebPBitstreamFeatures features;
665 const VP8StatusCode status =
666 WebPGetFeatures(mem->buf_, mem->buf_size_, &features);
667 *demuxer = NULL;
668 if (status != VP8_STATUS_OK) {
669 return (status == VP8_STATUS_NOT_ENOUGH_DATA) ? PARSE_NEED_MORE_DATA
670 : PARSE_ERROR;
671 }
672
673 {
674 WebPDemuxer* const dmux = (WebPDemuxer*)WebPSafeCalloc(1ULL, sizeof(*dmux));
675 Frame* const frame = (Frame*)WebPSafeCalloc(1ULL, sizeof(*frame));
676 if (dmux == NULL || frame == NULL) goto Error;
677 InitDemux(dmux, mem);
678 SetFrameInfo(0, mem->buf_size_, 1 /*frame_num*/, 1 /*complete*/, &features,
679 frame);
680 if (!AddFrame(dmux, frame)) goto Error;
681 dmux->state_ = WEBP_DEMUX_DONE;
682 dmux->canvas_width_ = frame->width_;
683 dmux->canvas_height_ = frame->height_;
684 dmux->feature_flags_ |= frame->has_alpha_ ? ALPHA_FLAG : 0;
685 dmux->num_frames_ = 1;
686 assert(IsValidSimpleFormat(dmux));
687 *demuxer = dmux;
688 return PARSE_OK;
689
690 Error:
691 WebPSafeFree(dmux);
692 WebPSafeFree(frame);
693 return PARSE_ERROR;
694 }
695 }
696
WebPDemuxInternal(const WebPData * data,int allow_partial,WebPDemuxState * state,int version)697 WebPDemuxer* WebPDemuxInternal(const WebPData* data, int allow_partial,
698 WebPDemuxState* state, int version) {
699 const ChunkParser* parser;
700 int partial;
701 ParseStatus status = PARSE_ERROR;
702 MemBuffer mem;
703 WebPDemuxer* dmux;
704
705 if (state != NULL) *state = WEBP_DEMUX_PARSE_ERROR;
706
707 if (WEBP_ABI_IS_INCOMPATIBLE(version, WEBP_DEMUX_ABI_VERSION)) return NULL;
708 if (data == NULL || data->bytes == NULL || data->size == 0) return NULL;
709
710 if (!InitMemBuffer(&mem, data->bytes, data->size)) return NULL;
711 status = ReadHeader(&mem);
712 if (status != PARSE_OK) {
713 // If parsing of the webp file header fails attempt to handle a raw
714 // VP8/VP8L frame. Note 'allow_partial' is ignored in this case.
715 if (status == PARSE_ERROR) {
716 status = CreateRawImageDemuxer(&mem, &dmux);
717 if (status == PARSE_OK) {
718 if (state != NULL) *state = WEBP_DEMUX_DONE;
719 return dmux;
720 }
721 }
722 if (state != NULL) {
723 *state = (status == PARSE_NEED_MORE_DATA) ? WEBP_DEMUX_PARSING_HEADER
724 : WEBP_DEMUX_PARSE_ERROR;
725 }
726 return NULL;
727 }
728
729 partial = (mem.buf_size_ < mem.riff_end_);
730 if (!allow_partial && partial) return NULL;
731
732 dmux = (WebPDemuxer*)WebPSafeCalloc(1ULL, sizeof(*dmux));
733 if (dmux == NULL) return NULL;
734 InitDemux(dmux, &mem);
735
736 status = PARSE_ERROR;
737 for (parser = kMasterChunks; parser->parse != NULL; ++parser) {
738 if (!memcmp(parser->id, GetBuffer(&dmux->mem_), TAG_SIZE)) {
739 status = parser->parse(dmux);
740 if (status == PARSE_OK) dmux->state_ = WEBP_DEMUX_DONE;
741 if (status == PARSE_NEED_MORE_DATA && !partial) status = PARSE_ERROR;
742 if (status != PARSE_ERROR && !parser->valid(dmux)) status = PARSE_ERROR;
743 if (status == PARSE_ERROR) dmux->state_ = WEBP_DEMUX_PARSE_ERROR;
744 break;
745 }
746 }
747 if (state != NULL) *state = dmux->state_;
748
749 if (status == PARSE_ERROR) {
750 WebPDemuxDelete(dmux);
751 return NULL;
752 }
753 return dmux;
754 }
755
WebPDemuxDelete(WebPDemuxer * dmux)756 void WebPDemuxDelete(WebPDemuxer* dmux) {
757 Chunk* c;
758 Frame* f;
759 if (dmux == NULL) return;
760
761 for (f = dmux->frames_; f != NULL;) {
762 Frame* const cur_frame = f;
763 f = f->next_;
764 WebPSafeFree(cur_frame);
765 }
766 for (c = dmux->chunks_; c != NULL;) {
767 Chunk* const cur_chunk = c;
768 c = c->next_;
769 WebPSafeFree(cur_chunk);
770 }
771 WebPSafeFree(dmux);
772 }
773
774 // -----------------------------------------------------------------------------
775
WebPDemuxGetI(const WebPDemuxer * dmux,WebPFormatFeature feature)776 uint32_t WebPDemuxGetI(const WebPDemuxer* dmux, WebPFormatFeature feature) {
777 if (dmux == NULL) return 0;
778
779 switch (feature) {
780 case WEBP_FF_FORMAT_FLAGS: return dmux->feature_flags_;
781 case WEBP_FF_CANVAS_WIDTH: return (uint32_t)dmux->canvas_width_;
782 case WEBP_FF_CANVAS_HEIGHT: return (uint32_t)dmux->canvas_height_;
783 case WEBP_FF_LOOP_COUNT: return (uint32_t)dmux->loop_count_;
784 case WEBP_FF_BACKGROUND_COLOR: return dmux->bgcolor_;
785 case WEBP_FF_FRAME_COUNT: return (uint32_t)dmux->num_frames_;
786 }
787 return 0;
788 }
789
790 // -----------------------------------------------------------------------------
791 // Frame iteration
792
GetFrame(const WebPDemuxer * const dmux,int frame_num)793 static const Frame* GetFrame(const WebPDemuxer* const dmux, int frame_num) {
794 const Frame* f;
795 for (f = dmux->frames_; f != NULL; f = f->next_) {
796 if (frame_num == f->frame_num_) break;
797 }
798 return f;
799 }
800
GetFramePayload(const uint8_t * const mem_buf,const Frame * const frame,size_t * const data_size)801 static const uint8_t* GetFramePayload(const uint8_t* const mem_buf,
802 const Frame* const frame,
803 size_t* const data_size) {
804 *data_size = 0;
805 if (frame != NULL) {
806 const ChunkData* const image = frame->img_components_;
807 const ChunkData* const alpha = frame->img_components_ + 1;
808 size_t start_offset = image->offset_;
809 *data_size = image->size_;
810
811 // if alpha exists it precedes image, update the size allowing for
812 // intervening chunks.
813 if (alpha->size_ > 0) {
814 const size_t inter_size = (image->offset_ > 0)
815 ? image->offset_ - (alpha->offset_ + alpha->size_)
816 : 0;
817 start_offset = alpha->offset_;
818 *data_size += alpha->size_ + inter_size;
819 }
820 return mem_buf + start_offset;
821 }
822 return NULL;
823 }
824
825 // Create a whole 'frame' from VP8 (+ alpha) or lossless.
SynthesizeFrame(const WebPDemuxer * const dmux,const Frame * const frame,WebPIterator * const iter)826 static int SynthesizeFrame(const WebPDemuxer* const dmux,
827 const Frame* const frame,
828 WebPIterator* const iter) {
829 const uint8_t* const mem_buf = dmux->mem_.buf_;
830 size_t payload_size = 0;
831 const uint8_t* const payload = GetFramePayload(mem_buf, frame, &payload_size);
832 if (payload == NULL) return 0;
833 assert(frame != NULL);
834
835 iter->frame_num = frame->frame_num_;
836 iter->num_frames = dmux->num_frames_;
837 iter->x_offset = frame->x_offset_;
838 iter->y_offset = frame->y_offset_;
839 iter->width = frame->width_;
840 iter->height = frame->height_;
841 iter->has_alpha = frame->has_alpha_;
842 iter->duration = frame->duration_;
843 iter->dispose_method = frame->dispose_method_;
844 iter->blend_method = frame->blend_method_;
845 iter->complete = frame->complete_;
846 iter->fragment.bytes = payload;
847 iter->fragment.size = payload_size;
848 return 1;
849 }
850
SetFrame(int frame_num,WebPIterator * const iter)851 static int SetFrame(int frame_num, WebPIterator* const iter) {
852 const Frame* frame;
853 const WebPDemuxer* const dmux = (WebPDemuxer*)iter->private_;
854 if (dmux == NULL || frame_num < 0) return 0;
855 if (frame_num > dmux->num_frames_) return 0;
856 if (frame_num == 0) frame_num = dmux->num_frames_;
857
858 frame = GetFrame(dmux, frame_num);
859 if (frame == NULL) return 0;
860
861 return SynthesizeFrame(dmux, frame, iter);
862 }
863
WebPDemuxGetFrame(const WebPDemuxer * dmux,int frame,WebPIterator * iter)864 int WebPDemuxGetFrame(const WebPDemuxer* dmux, int frame, WebPIterator* iter) {
865 if (iter == NULL) return 0;
866
867 memset(iter, 0, sizeof(*iter));
868 iter->private_ = (void*)dmux;
869 return SetFrame(frame, iter);
870 }
871
WebPDemuxNextFrame(WebPIterator * iter)872 int WebPDemuxNextFrame(WebPIterator* iter) {
873 if (iter == NULL) return 0;
874 return SetFrame(iter->frame_num + 1, iter);
875 }
876
WebPDemuxPrevFrame(WebPIterator * iter)877 int WebPDemuxPrevFrame(WebPIterator* iter) {
878 if (iter == NULL) return 0;
879 if (iter->frame_num <= 1) return 0;
880 return SetFrame(iter->frame_num - 1, iter);
881 }
882
WebPDemuxReleaseIterator(WebPIterator * iter)883 void WebPDemuxReleaseIterator(WebPIterator* iter) {
884 (void)iter;
885 }
886
887 // -----------------------------------------------------------------------------
888 // Chunk iteration
889
ChunkCount(const WebPDemuxer * const dmux,const char fourcc[4])890 static int ChunkCount(const WebPDemuxer* const dmux, const char fourcc[4]) {
891 const uint8_t* const mem_buf = dmux->mem_.buf_;
892 const Chunk* c;
893 int count = 0;
894 for (c = dmux->chunks_; c != NULL; c = c->next_) {
895 const uint8_t* const header = mem_buf + c->data_.offset_;
896 if (!memcmp(header, fourcc, TAG_SIZE)) ++count;
897 }
898 return count;
899 }
900
GetChunk(const WebPDemuxer * const dmux,const char fourcc[4],int chunk_num)901 static const Chunk* GetChunk(const WebPDemuxer* const dmux,
902 const char fourcc[4], int chunk_num) {
903 const uint8_t* const mem_buf = dmux->mem_.buf_;
904 const Chunk* c;
905 int count = 0;
906 for (c = dmux->chunks_; c != NULL; c = c->next_) {
907 const uint8_t* const header = mem_buf + c->data_.offset_;
908 if (!memcmp(header, fourcc, TAG_SIZE)) ++count;
909 if (count == chunk_num) break;
910 }
911 return c;
912 }
913
SetChunk(const char fourcc[4],int chunk_num,WebPChunkIterator * const iter)914 static int SetChunk(const char fourcc[4], int chunk_num,
915 WebPChunkIterator* const iter) {
916 const WebPDemuxer* const dmux = (WebPDemuxer*)iter->private_;
917 int count;
918
919 if (dmux == NULL || fourcc == NULL || chunk_num < 0) return 0;
920 count = ChunkCount(dmux, fourcc);
921 if (count == 0) return 0;
922 if (chunk_num == 0) chunk_num = count;
923
924 if (chunk_num <= count) {
925 const uint8_t* const mem_buf = dmux->mem_.buf_;
926 const Chunk* const chunk = GetChunk(dmux, fourcc, chunk_num);
927 iter->chunk.bytes = mem_buf + chunk->data_.offset_ + CHUNK_HEADER_SIZE;
928 iter->chunk.size = chunk->data_.size_ - CHUNK_HEADER_SIZE;
929 iter->num_chunks = count;
930 iter->chunk_num = chunk_num;
931 return 1;
932 }
933 return 0;
934 }
935
WebPDemuxGetChunk(const WebPDemuxer * dmux,const char fourcc[4],int chunk_num,WebPChunkIterator * iter)936 int WebPDemuxGetChunk(const WebPDemuxer* dmux,
937 const char fourcc[4], int chunk_num,
938 WebPChunkIterator* iter) {
939 if (iter == NULL) return 0;
940
941 memset(iter, 0, sizeof(*iter));
942 iter->private_ = (void*)dmux;
943 return SetChunk(fourcc, chunk_num, iter);
944 }
945
WebPDemuxNextChunk(WebPChunkIterator * iter)946 int WebPDemuxNextChunk(WebPChunkIterator* iter) {
947 if (iter != NULL) {
948 const char* const fourcc =
949 (const char*)iter->chunk.bytes - CHUNK_HEADER_SIZE;
950 return SetChunk(fourcc, iter->chunk_num + 1, iter);
951 }
952 return 0;
953 }
954
WebPDemuxPrevChunk(WebPChunkIterator * iter)955 int WebPDemuxPrevChunk(WebPChunkIterator* iter) {
956 if (iter != NULL && iter->chunk_num > 1) {
957 const char* const fourcc =
958 (const char*)iter->chunk.bytes - CHUNK_HEADER_SIZE;
959 return SetChunk(fourcc, iter->chunk_num - 1, iter);
960 }
961 return 0;
962 }
963
WebPDemuxReleaseChunkIterator(WebPChunkIterator * iter)964 void WebPDemuxReleaseChunkIterator(WebPChunkIterator* iter) {
965 (void)iter;
966 }
967
968