Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
freebsd
GitHub Repository: freebsd/freebsd-src
 Path: blob/main/sys/contrib/xz-embedded/linux/lib/xz/xz_dec_lzma2.c
48521 views
1
/*

2
 * LZMA2 decoder

3
 *

4
 * Authors: Lasse Collin <[email protected]>

5
 *          Igor Pavlov <https://7-zip.org/>

6
 *

7
 * This file has been put into the public domain.

8
 * You can do whatever you want with this file.

9
 */

10


11
#include "xz_private.h"

12
#include "xz_lzma2.h"

13


14
/*

15
 * Range decoder initialization eats the first five bytes of each LZMA chunk.

16
 */

17
#define RC_INIT_BYTES 5

18


19
/*

20
 * Minimum number of usable input buffer to safely decode one LZMA symbol.

21
 * The worst case is that we decode 22 bits using probabilities and 26

22
 * direct bits. This may decode at maximum of 20 bytes of input. However,

23
 * lzma_main() does an extra normalization before returning, thus we

24
 * need to put 21 here.

25
 */

26
#define LZMA_IN_REQUIRED 21

27


28
/*

29
 * Dictionary (history buffer)

30
 *

31
 * These are always true:

32
 *    start <= pos <= full <= end

33
 *    pos <= limit <= end

34
 *

35
 * In multi-call mode, also these are true:

36
 *    end == size

37
 *    size <= size_max

38
 *    allocated <= size

39
 *

40
 * Most of these variables are size_t to support single-call mode,

41
 * in which the dictionary variables address the actual output

42
 * buffer directly.

43
 */

44
struct dictionary {

45
	/* Beginning of the history buffer */

46
	uint8_t *buf;

47


48
	/* Old position in buf (before decoding more data) */

49
	size_t start;

50


51
	/* Position in buf */

52
	size_t pos;

53


54
	/*

55
	 * How full dictionary is. This is used to detect corrupt input that

56
	 * would read beyond the beginning of the uncompressed stream.

57
	 */

58
	size_t full;

59


60
	/* Write limit; we don't write to buf[limit] or later bytes. */

61
	size_t limit;

62


63
	/*

64
	 * End of the dictionary buffer. In multi-call mode, this is

65
	 * the same as the dictionary size. In single-call mode, this

66
	 * indicates the size of the output buffer.

67
	 */

68
	size_t end;

69


70
	/*

71
	 * Size of the dictionary as specified in Block Header. This is used

72
	 * together with "full" to detect corrupt input that would make us

73
	 * read beyond the beginning of the uncompressed stream.

74
	 */

75
	uint32_t size;

76


77
	/*

78
	 * Maximum allowed dictionary size in multi-call mode.

79
	 * This is ignored in single-call mode.

80
	 */

81
	uint32_t size_max;

82


83
	/*

84
	 * Amount of memory currently allocated for the dictionary.

85
	 * This is used only with XZ_DYNALLOC. (With XZ_PREALLOC,

86
	 * size_max is always the same as the allocated size.)

87
	 */

88
	uint32_t allocated;

89


90
	/* Operation mode */

91
	enum xz_mode mode;

92
};

93


94
/* Range decoder */

95
struct rc_dec {

96
	uint32_t range;

97
	uint32_t code;

98


99
	/*

100
	 * Number of initializing bytes remaining to be read

101
	 * by rc_read_init().

102
	 */

103
	uint32_t init_bytes_left;

104


105
	/*

106
	 * Buffer from which we read our input. It can be either

107
	 * temp.buf or the caller-provided input buffer.

108
	 */

109
	const uint8_t *in;

110
	size_t in_pos;

111
	size_t in_limit;

112
};

113


114
/* Probabilities for a length decoder. */

115
struct lzma_len_dec {

116
	/* Probability of match length being at least 10 */

117
	uint16_t choice;

118


119
	/* Probability of match length being at least 18 */

120
	uint16_t choice2;

121


122
	/* Probabilities for match lengths 2-9 */

123
	uint16_t low[POS_STATES_MAX][LEN_LOW_SYMBOLS];

124


125
	/* Probabilities for match lengths 10-17 */

126
	uint16_t mid[POS_STATES_MAX][LEN_MID_SYMBOLS];

127


128
	/* Probabilities for match lengths 18-273 */

129
	uint16_t high[LEN_HIGH_SYMBOLS];

130
};

131


132
struct lzma_dec {

133
	/* Distances of latest four matches */

134
	uint32_t rep0;

135
	uint32_t rep1;

136
	uint32_t rep2;

137
	uint32_t rep3;

138


139
	/* Types of the most recently seen LZMA symbols */

140
	enum lzma_state state;

141


142
	/*

143
	 * Length of a match. This is updated so that dict_repeat can

144
	 * be called again to finish repeating the whole match.

145
	 */

146
	uint32_t len;

147


148
	/*

149
	 * LZMA properties or related bit masks (number of literal

150
	 * context bits, a mask derived from the number of literal

151
	 * position bits, and a mask derived from the number

152
	 * position bits)

153
	 */

154
	uint32_t lc;

155
	uint32_t literal_pos_mask; /* (1 << lp) - 1 */

156
	uint32_t pos_mask;         /* (1 << pb) - 1 */

157


158
	/* If 1, it's a match. Otherwise it's a single 8-bit literal. */

159
	uint16_t is_match[STATES][POS_STATES_MAX];

160


161
	/* If 1, it's a repeated match. The distance is one of rep0 .. rep3. */

162
	uint16_t is_rep[STATES];

163


164
	/*

165
	 * If 0, distance of a repeated match is rep0.

166
	 * Otherwise check is_rep1.

167
	 */

168
	uint16_t is_rep0[STATES];

169


170
	/*

171
	 * If 0, distance of a repeated match is rep1.

172
	 * Otherwise check is_rep2.

173
	 */

174
	uint16_t is_rep1[STATES];

175


176
	/* If 0, distance of a repeated match is rep2. Otherwise it is rep3. */

177
	uint16_t is_rep2[STATES];

178


179
	/*

180
	 * If 1, the repeated match has length of one byte. Otherwise

181
	 * the length is decoded from rep_len_decoder.

182
	 */

183
	uint16_t is_rep0_long[STATES][POS_STATES_MAX];

184


185
	/*

186
	 * Probability tree for the highest two bits of the match

187
	 * distance. There is a separate probability tree for match

188
	 * lengths of 2 (i.e. MATCH_LEN_MIN), 3, 4, and [5, 273].

189
	 */

190
	uint16_t dist_slot[DIST_STATES][DIST_SLOTS];

191


192
	/*

193
	 * Probility trees for additional bits for match distance

194
	 * when the distance is in the range [4, 127].

195
	 */

196
	uint16_t dist_special[FULL_DISTANCES - DIST_MODEL_END];

197


198
	/*

199
	 * Probability tree for the lowest four bits of a match

200
	 * distance that is equal to or greater than 128.

201
	 */

202
	uint16_t dist_align[ALIGN_SIZE];

203


204
	/* Length of a normal match */

205
	struct lzma_len_dec match_len_dec;

206


207
	/* Length of a repeated match */

208
	struct lzma_len_dec rep_len_dec;

209


210
	/* Probabilities of literals */

211
	uint16_t literal[LITERAL_CODERS_MAX][LITERAL_CODER_SIZE];

212
};

213


214
struct lzma2_dec {

215
	/* Position in xz_dec_lzma2_run(). */

216
	enum lzma2_seq {

217
		SEQ_CONTROL,

218
		SEQ_UNCOMPRESSED_1,

219
		SEQ_UNCOMPRESSED_2,

220
		SEQ_COMPRESSED_0,

221
		SEQ_COMPRESSED_1,

222
		SEQ_PROPERTIES,

223
		SEQ_LZMA_PREPARE,

224
		SEQ_LZMA_RUN,

225
		SEQ_COPY

226
	} sequence;

227


228
	/* Next position after decoding the compressed size of the chunk. */

229
	enum lzma2_seq next_sequence;

230


231
	/* Uncompressed size of LZMA chunk (2 MiB at maximum) */

232
	uint32_t uncompressed;

233


234
	/*

235
	 * Compressed size of LZMA chunk or compressed/uncompressed

236
	 * size of uncompressed chunk (64 KiB at maximum)

237
	 */

238
	uint32_t compressed;

239


240
	/*

241
	 * True if dictionary reset is needed. This is false before

242
	 * the first chunk (LZMA or uncompressed).

243
	 */

244
	bool need_dict_reset;

245


246
	/*

247
	 * True if new LZMA properties are needed. This is false

248
	 * before the first LZMA chunk.

249
	 */

250
	bool need_props;

251


252
#ifdef XZ_DEC_MICROLZMA

253
	bool pedantic_microlzma;

254
#endif

255
};

256


257
struct xz_dec_lzma2 {

258
	/*

259
	 * The order below is important on x86 to reduce code size and

260
	 * it shouldn't hurt on other platforms. Everything up to and

261
	 * including lzma.pos_mask are in the first 128 bytes on x86-32,

262
	 * which allows using smaller instructions to access those

263
	 * variables. On x86-64, fewer variables fit into the first 128

264
	 * bytes, but this is still the best order without sacrificing

265
	 * the readability by splitting the structures.

266
	 */

267
	struct rc_dec rc;

268
	struct dictionary dict;

269
	struct lzma2_dec lzma2;

270
	struct lzma_dec lzma;

271


272
	/*

273
	 * Temporary buffer which holds small number of input bytes between

274
	 * decoder calls. See lzma2_lzma() for details.

275
	 */

276
	struct {

277
		uint32_t size;

278
		uint8_t buf[3 * LZMA_IN_REQUIRED];

279
	} temp;

280
};

281


282
/**************

283
 * Dictionary *

284
 **************/

285


286
/*

287
 * Reset the dictionary state. When in single-call mode, set up the beginning

288
 * of the dictionary to point to the actual output buffer.

289
 */

290
static void dict_reset(struct dictionary *dict, struct xz_buf *b)

291
{

292
	if (DEC_IS_SINGLE(dict->mode)) {

293
		dict->buf = b->out + b->out_pos;

294
		dict->end = b->out_size - b->out_pos;

295
	}

296


297
	dict->start = 0;

298
	dict->pos = 0;

299
	dict->limit = 0;

300
	dict->full = 0;

301
}

302


303
/* Set dictionary write limit */

304
static void dict_limit(struct dictionary *dict, size_t out_max)

305
{

306
	if (dict->end - dict->pos <= out_max)

307
		dict->limit = dict->end;

308
	else

309
		dict->limit = dict->pos + out_max;

310
}

311


312
/* Return true if at least one byte can be written into the dictionary. */

313
static inline bool dict_has_space(const struct dictionary *dict)

314
{

315
	return dict->pos < dict->limit;

316
}

317


318
/*

319
 * Get a byte from the dictionary at the given distance. The distance is

320
 * assumed to valid, or as a special case, zero when the dictionary is

321
 * still empty. This special case is needed for single-call decoding to

322
 * avoid writing a '\0' to the end of the destination buffer.

323
 */

324
static inline uint32_t dict_get(const struct dictionary *dict, uint32_t dist)

325
{

326
	size_t offset = dict->pos - dist - 1;

327


328
	if (dist >= dict->pos)

329
		offset += dict->end;

330


331
	return dict->full > 0 ? dict->buf[offset] : 0;

332
}

333


334
/*

335
 * Put one byte into the dictionary. It is assumed that there is space for it.

336
 */

337
static inline void dict_put(struct dictionary *dict, uint8_t byte)

338
{

339
	dict->buf[dict->pos++] = byte;

340


341
	if (dict->full < dict->pos)

342
		dict->full = dict->pos;

343
}

344


345
/*

346
 * Repeat given number of bytes from the given distance. If the distance is

347
 * invalid, false is returned. On success, true is returned and *len is

348
 * updated to indicate how many bytes were left to be repeated.

349
 */

350
static bool dict_repeat(struct dictionary *dict, uint32_t *len, uint32_t dist)

351
{

352
	size_t back;

353
	uint32_t left;

354


355
	if (dist >= dict->full || dist >= dict->size)

356
		return false;

357


358
	left = min_t(size_t, dict->limit - dict->pos, *len);

359
	*len -= left;

360


361
	back = dict->pos - dist - 1;

362
	if (dist >= dict->pos)

363
		back += dict->end;

364


365
	do {

366
		dict->buf[dict->pos++] = dict->buf[back++];

367
		if (back == dict->end)

368
			back = 0;

369
	} while (--left > 0);

370


371
	if (dict->full < dict->pos)

372
		dict->full = dict->pos;

373


374
	return true;

375
}

376


377
/* Copy uncompressed data as is from input to dictionary and output buffers. */

378
static void dict_uncompressed(struct dictionary *dict, struct xz_buf *b,

379
			      uint32_t *left)

380
{

381
	size_t copy_size;

382


383
	while (*left > 0 && b->in_pos < b->in_size

384
			&& b->out_pos < b->out_size) {

385
		copy_size = min(b->in_size - b->in_pos,

386
				b->out_size - b->out_pos);

387
		if (copy_size > dict->end - dict->pos)

388
			copy_size = dict->end - dict->pos;

389
		if (copy_size > *left)

390
			copy_size = *left;

391


392
		*left -= copy_size;

393


394
		/*

395
		 * If doing in-place decompression in single-call mode and the

396
		 * uncompressed size of the file is larger than the caller

397
		 * thought (i.e. it is invalid input!), the buffers below may

398
		 * overlap and cause undefined behavior with memcpy().

399
		 * With valid inputs memcpy() would be fine here.

400
		 */

401
		memmove(dict->buf + dict->pos, b->in + b->in_pos, copy_size);

402
		dict->pos += copy_size;

403


404
		if (dict->full < dict->pos)

405
			dict->full = dict->pos;

406


407
		if (DEC_IS_MULTI(dict->mode)) {

408
			if (dict->pos == dict->end)

409
				dict->pos = 0;

410


411
			/*

412
			 * Like above but for multi-call mode: use memmove()

413
			 * to avoid undefined behavior with invalid input.

414
			 */

415
			memmove(b->out + b->out_pos, b->in + b->in_pos,

416
					copy_size);

417
		}

418


419
		dict->start = dict->pos;

420


421
		b->out_pos += copy_size;

422
		b->in_pos += copy_size;

423
	}

424
}

425


426
#ifdef XZ_DEC_MICROLZMA

427
#	define DICT_FLUSH_SUPPORTS_SKIPPING true

428
#else

429
#	define DICT_FLUSH_SUPPORTS_SKIPPING false

430
#endif

431


432
/*

433
 * Flush pending data from dictionary to b->out. It is assumed that there is

434
 * enough space in b->out. This is guaranteed because caller uses dict_limit()

435
 * before decoding data into the dictionary.

436
 */

437
static uint32_t dict_flush(struct dictionary *dict, struct xz_buf *b)

438
{

439
	size_t copy_size = dict->pos - dict->start;

440


441
	if (DEC_IS_MULTI(dict->mode)) {

442
		if (dict->pos == dict->end)

443
			dict->pos = 0;

444


445
		/*

446
		 * These buffers cannot overlap even if doing in-place

447
		 * decompression because in multi-call mode dict->buf

448
		 * has been allocated by us in this file; it's not

449
		 * provided by the caller like in single-call mode.

450
		 *

451
		 * With MicroLZMA, b->out can be NULL to skip bytes that

452
		 * the caller doesn't need. This cannot be done with XZ

453
		 * because it would break BCJ filters.

454
		 */

455
		if (!DICT_FLUSH_SUPPORTS_SKIPPING || b->out != NULL)

456
			memcpy(b->out + b->out_pos, dict->buf + dict->start,

457
					copy_size);

458
	}

459


460
	dict->start = dict->pos;

461
	b->out_pos += copy_size;

462
	return copy_size;

463
}

464


465
/*****************

466
 * Range decoder *

467
 *****************/

468


469
/* Reset the range decoder. */

470
static void rc_reset(struct rc_dec *rc)

471
{

472
	rc->range = (uint32_t)-1;

473
	rc->code = 0;

474
	rc->init_bytes_left = RC_INIT_BYTES;

475
}

476


477
/*

478
 * Read the first five initial bytes into rc->code if they haven't been

479
 * read already. (Yes, the first byte gets completely ignored.)

480
 */

481
static bool rc_read_init(struct rc_dec *rc, struct xz_buf *b)

482
{

483
	while (rc->init_bytes_left > 0) {

484
		if (b->in_pos == b->in_size)

485
			return false;

486


487
		rc->code = (rc->code << 8) + b->in[b->in_pos++];

488
		--rc->init_bytes_left;

489
	}

490


491
	return true;

492
}

493


494
/* Return true if there may not be enough input for the next decoding loop. */

495
static inline bool rc_limit_exceeded(const struct rc_dec *rc)

496
{

497
	return rc->in_pos > rc->in_limit;

498
}

499


500
/*

501
 * Return true if it is possible (from point of view of range decoder) that

502
 * we have reached the end of the LZMA chunk.

503
 */

504
static inline bool rc_is_finished(const struct rc_dec *rc)

505
{

506
	return rc->code == 0;

507
}

508


509
/* Read the next input byte if needed. */

510
static __always_inline void rc_normalize(struct rc_dec *rc)

511
{

512
	if (rc->range < RC_TOP_VALUE) {

513
		rc->range <<= RC_SHIFT_BITS;

514
		rc->code = (rc->code << RC_SHIFT_BITS) + rc->in[rc->in_pos++];

515
	}

516
}

517


518
/*

519
 * Decode one bit. In some versions, this function has been split in three

520
 * functions so that the compiler is supposed to be able to more easily avoid

521
 * an extra branch. In this particular version of the LZMA decoder, this

522
 * doesn't seem to be a good idea (tested with GCC 3.3.6, 3.4.6, and 4.3.3

523
 * on x86). Using a non-split version results in nicer looking code too.

524
 *

525
 * NOTE: This must return an int. Do not make it return a bool or the speed

526
 * of the code generated by GCC 3.x decreases 10-15 %. (GCC 4.3 doesn't care,

527
 * and it generates 10-20 % faster code than GCC 3.x from this file anyway.)

528
 */

529
static __always_inline int rc_bit(struct rc_dec *rc, uint16_t *prob)

530
{

531
	uint32_t bound;

532
	int bit;

533


534
	rc_normalize(rc);

535
	bound = (rc->range >> RC_BIT_MODEL_TOTAL_BITS) * *prob;

536
	if (rc->code < bound) {

537
		rc->range = bound;

538
		*prob += (RC_BIT_MODEL_TOTAL - *prob) >> RC_MOVE_BITS;

539
		bit = 0;

540
	} else {

541
		rc->range -= bound;

542
		rc->code -= bound;

543
		*prob -= *prob >> RC_MOVE_BITS;

544
		bit = 1;

545
	}

546


547
	return bit;

548
}

549


550
/* Decode a bittree starting from the most significant bit. */

551
static __always_inline uint32_t rc_bittree(struct rc_dec *rc,

552
					   uint16_t *probs, uint32_t limit)

553
{

554
	uint32_t symbol = 1;

555


556
	do {

557
		if (rc_bit(rc, &probs[symbol]))

558
			symbol = (symbol << 1) + 1;

559
		else

560
			symbol <<= 1;

561
	} while (symbol < limit);

562


563
	return symbol;

564
}

565


566
/* Decode a bittree starting from the least significant bit. */

567
static __always_inline void rc_bittree_reverse(struct rc_dec *rc,

568
					       uint16_t *probs,

569
					       uint32_t *dest, uint32_t limit)

570
{

571
	uint32_t symbol = 1;

572
	uint32_t i = 0;

573


574
	do {

575
		if (rc_bit(rc, &probs[symbol])) {

576
			symbol = (symbol << 1) + 1;

577
			*dest += 1 << i;

578
		} else {

579
			symbol <<= 1;

580
		}

581
	} while (++i < limit);

582
}

583


584
/* Decode direct bits (fixed fifty-fifty probability) */

585
static inline void rc_direct(struct rc_dec *rc, uint32_t *dest, uint32_t limit)

586
{

587
	uint32_t mask;

588


589
	do {

590
		rc_normalize(rc);

591
		rc->range >>= 1;

592
		rc->code -= rc->range;

593
		mask = (uint32_t)0 - (rc->code >> 31);

594
		rc->code += rc->range & mask;

595
		*dest = (*dest << 1) + (mask + 1);

596
	} while (--limit > 0);

597
}

598


599
/********

600
 * LZMA *

601
 ********/

602


603
/* Get pointer to literal coder probability array. */

604
static uint16_t *lzma_literal_probs(struct xz_dec_lzma2 *s)

605
{

606
	uint32_t prev_byte = dict_get(&s->dict, 0);

607
	uint32_t low = prev_byte >> (8 - s->lzma.lc);

608
	uint32_t high = (s->dict.pos & s->lzma.literal_pos_mask) << s->lzma.lc;

609
	return s->lzma.literal[low + high];

610
}

611


612
/* Decode a literal (one 8-bit byte) */

613
static void lzma_literal(struct xz_dec_lzma2 *s)

614
{

615
	uint16_t *probs;

616
	uint32_t symbol;

617
	uint32_t match_byte;

618
	uint32_t match_bit;

619
	uint32_t offset;

620
	uint32_t i;

621


622
	probs = lzma_literal_probs(s);

623


624
	if (lzma_state_is_literal(s->lzma.state)) {

625
		symbol = rc_bittree(&s->rc, probs, 0x100);

626
	} else {

627
		symbol = 1;

628
		match_byte = dict_get(&s->dict, s->lzma.rep0) << 1;

629
		offset = 0x100;

630


631
		do {

632
			match_bit = match_byte & offset;

633
			match_byte <<= 1;

634
			i = offset + match_bit + symbol;

635


636
			if (rc_bit(&s->rc, &probs[i])) {

637
				symbol = (symbol << 1) + 1;

638
				offset &= match_bit;

639
			} else {

640
				symbol <<= 1;

641
				offset &= ~match_bit;

642
			}

643
		} while (symbol < 0x100);

644
	}

645


646
	dict_put(&s->dict, (uint8_t)symbol);

647
	lzma_state_literal(&s->lzma.state);

648
}

649


650
/* Decode the length of the match into s->lzma.len. */

651
static void lzma_len(struct xz_dec_lzma2 *s, struct lzma_len_dec *l,

652
		     uint32_t pos_state)

653
{

654
	uint16_t *probs;

655
	uint32_t limit;

656


657
	if (!rc_bit(&s->rc, &l->choice)) {

658
		probs = l->low[pos_state];

659
		limit = LEN_LOW_SYMBOLS;

660
		s->lzma.len = MATCH_LEN_MIN;

661
	} else {

662
		if (!rc_bit(&s->rc, &l->choice2)) {

663
			probs = l->mid[pos_state];

664
			limit = LEN_MID_SYMBOLS;

665
			s->lzma.len = MATCH_LEN_MIN + LEN_LOW_SYMBOLS;

666
		} else {

667
			probs = l->high;

668
			limit = LEN_HIGH_SYMBOLS;

669
			s->lzma.len = MATCH_LEN_MIN + LEN_LOW_SYMBOLS

670
					+ LEN_MID_SYMBOLS;

671
		}

672
	}

673


674
	s->lzma.len += rc_bittree(&s->rc, probs, limit) - limit;

675
}

676


677
/* Decode a match. The distance will be stored in s->lzma.rep0. */

678
static void lzma_match(struct xz_dec_lzma2 *s, uint32_t pos_state)

679
{

680
	uint16_t *probs;

681
	uint32_t dist_slot;

682
	uint32_t limit;

683


684
	lzma_state_match(&s->lzma.state);

685


686
	s->lzma.rep3 = s->lzma.rep2;

687
	s->lzma.rep2 = s->lzma.rep1;

688
	s->lzma.rep1 = s->lzma.rep0;

689


690
	lzma_len(s, &s->lzma.match_len_dec, pos_state);

691


692
	probs = s->lzma.dist_slot[lzma_get_dist_state(s->lzma.len)];

693
	dist_slot = rc_bittree(&s->rc, probs, DIST_SLOTS) - DIST_SLOTS;

694


695
	if (dist_slot < DIST_MODEL_START) {

696
		s->lzma.rep0 = dist_slot;

697
	} else {

698
		limit = (dist_slot >> 1) - 1;

699
		s->lzma.rep0 = 2 + (dist_slot & 1);

700


701
		if (dist_slot < DIST_MODEL_END) {

702
			s->lzma.rep0 <<= limit;

703
			probs = s->lzma.dist_special + s->lzma.rep0

704
					- dist_slot - 1;

705
			rc_bittree_reverse(&s->rc, probs,

706
					&s->lzma.rep0, limit);

707
		} else {

708
			rc_direct(&s->rc, &s->lzma.rep0, limit - ALIGN_BITS);

709
			s->lzma.rep0 <<= ALIGN_BITS;

710
			rc_bittree_reverse(&s->rc, s->lzma.dist_align,

711
					&s->lzma.rep0, ALIGN_BITS);

712
		}

713
	}

714
}

715


716
/*

717
 * Decode a repeated match. The distance is one of the four most recently

718
 * seen matches. The distance will be stored in s->lzma.rep0.

719
 */

720
static void lzma_rep_match(struct xz_dec_lzma2 *s, uint32_t pos_state)

721
{

722
	uint32_t tmp;

723


724
	if (!rc_bit(&s->rc, &s->lzma.is_rep0[s->lzma.state])) {

725
		if (!rc_bit(&s->rc, &s->lzma.is_rep0_long[

726
				s->lzma.state][pos_state])) {

727
			lzma_state_short_rep(&s->lzma.state);

728
			s->lzma.len = 1;

729
			return;

730
		}

731
	} else {

732
		if (!rc_bit(&s->rc, &s->lzma.is_rep1[s->lzma.state])) {

733
			tmp = s->lzma.rep1;

734
		} else {

735
			if (!rc_bit(&s->rc, &s->lzma.is_rep2[s->lzma.state])) {

736
				tmp = s->lzma.rep2;

737
			} else {

738
				tmp = s->lzma.rep3;

739
				s->lzma.rep3 = s->lzma.rep2;

740
			}

741


742
			s->lzma.rep2 = s->lzma.rep1;

743
		}

744


745
		s->lzma.rep1 = s->lzma.rep0;

746
		s->lzma.rep0 = tmp;

747
	}

748


749
	lzma_state_long_rep(&s->lzma.state);

750
	lzma_len(s, &s->lzma.rep_len_dec, pos_state);

751
}

752


753
/* LZMA decoder core */

754
static bool lzma_main(struct xz_dec_lzma2 *s)

755
{

756
	uint32_t pos_state;

757


758
	/*

759
	 * If the dictionary was reached during the previous call, try to

760
	 * finish the possibly pending repeat in the dictionary.

761
	 */

762
	if (dict_has_space(&s->dict) && s->lzma.len > 0)

763
		dict_repeat(&s->dict, &s->lzma.len, s->lzma.rep0);

764


765
	/*

766
	 * Decode more LZMA symbols. One iteration may consume up to

767
	 * LZMA_IN_REQUIRED - 1 bytes.

768
	 */

769
	while (dict_has_space(&s->dict) && !rc_limit_exceeded(&s->rc)) {

770
		pos_state = s->dict.pos & s->lzma.pos_mask;

771


772
		if (!rc_bit(&s->rc, &s->lzma.is_match[

773
				s->lzma.state][pos_state])) {

774
			lzma_literal(s);

775
		} else {

776
			if (rc_bit(&s->rc, &s->lzma.is_rep[s->lzma.state]))

777
				lzma_rep_match(s, pos_state);

778
			else

779
				lzma_match(s, pos_state);

780


781
			if (!dict_repeat(&s->dict, &s->lzma.len, s->lzma.rep0))

782
				return false;

783
		}

784
	}

785


786
	/*

787
	 * Having the range decoder always normalized when we are outside

788
	 * this function makes it easier to correctly handle end of the chunk.

789
	 */

790
	rc_normalize(&s->rc);

791


792
	return true;

793
}

794


795
/*

796
 * Reset the LZMA decoder and range decoder state. Dictionary is not reset

797
 * here, because LZMA state may be reset without resetting the dictionary.

798
 */

799
static void lzma_reset(struct xz_dec_lzma2 *s)

800
{

801
	uint16_t *probs;

802
	size_t i;

803


804
	s->lzma.state = STATE_LIT_LIT;

805
	s->lzma.rep0 = 0;

806
	s->lzma.rep1 = 0;

807
	s->lzma.rep2 = 0;

808
	s->lzma.rep3 = 0;

809
	s->lzma.len = 0;

810


811
	/*

812
	 * All probabilities are initialized to the same value. This hack

813
	 * makes the code smaller by avoiding a separate loop for each

814
	 * probability array.

815
	 *

816
	 * This could be optimized so that only that part of literal

817
	 * probabilities that are actually required. In the common case

818
	 * we would write 12 KiB less.

819
	 */

820
	probs = s->lzma.is_match[0];

821
	for (i = 0; i < PROBS_TOTAL; ++i)

822
		probs[i] = RC_BIT_MODEL_TOTAL / 2;

823


824
	rc_reset(&s->rc);

825
}

826


827
/*

828
 * Decode and validate LZMA properties (lc/lp/pb) and calculate the bit masks

829
 * from the decoded lp and pb values. On success, the LZMA decoder state is

830
 * reset and true is returned.

831
 */

832
static bool lzma_props(struct xz_dec_lzma2 *s, uint8_t props)

833
{

834
	if (props > (4 * 5 + 4) * 9 + 8)

835
		return false;

836


837
	s->lzma.pos_mask = 0;

838
	while (props >= 9 * 5) {

839
		props -= 9 * 5;

840
		++s->lzma.pos_mask;

841
	}

842


843
	s->lzma.pos_mask = (1 << s->lzma.pos_mask) - 1;

844


845
	s->lzma.literal_pos_mask = 0;

846
	while (props >= 9) {

847
		props -= 9;

848
		++s->lzma.literal_pos_mask;

849
	}

850


851
	s->lzma.lc = props;

852


853
	if (s->lzma.lc + s->lzma.literal_pos_mask > 4)

854
		return false;

855


856
	s->lzma.literal_pos_mask = (1 << s->lzma.literal_pos_mask) - 1;

857


858
	lzma_reset(s);

859


860
	return true;

861
}

862


863
/*********

864
 * LZMA2 *

865
 *********/

866


867
/*

868
 * The LZMA decoder assumes that if the input limit (s->rc.in_limit) hasn't

869
 * been exceeded, it is safe to read up to LZMA_IN_REQUIRED bytes. This

870
 * wrapper function takes care of making the LZMA decoder's assumption safe.

871
 *

872
 * As long as there is plenty of input left to be decoded in the current LZMA

873
 * chunk, we decode directly from the caller-supplied input buffer until

874
 * there's LZMA_IN_REQUIRED bytes left. Those remaining bytes are copied into

875
 * s->temp.buf, which (hopefully) gets filled on the next call to this

876
 * function. We decode a few bytes from the temporary buffer so that we can

877
 * continue decoding from the caller-supplied input buffer again.

878
 */

879
static bool lzma2_lzma(struct xz_dec_lzma2 *s, struct xz_buf *b)

880
{

881
	size_t in_avail;

882
	uint32_t tmp;

883


884
	in_avail = b->in_size - b->in_pos;

885
	if (s->temp.size > 0 || s->lzma2.compressed == 0) {

886
		tmp = 2 * LZMA_IN_REQUIRED - s->temp.size;

887
		if (tmp > s->lzma2.compressed - s->temp.size)

888
			tmp = s->lzma2.compressed - s->temp.size;

889
		if (tmp > in_avail)

890
			tmp = in_avail;

891


892
		memcpy(s->temp.buf + s->temp.size, b->in + b->in_pos, tmp);

893


894
		if (s->temp.size + tmp == s->lzma2.compressed) {

895
			memzero(s->temp.buf + s->temp.size + tmp,

896
					sizeof(s->temp.buf)

897
						- s->temp.size - tmp);

898
			s->rc.in_limit = s->temp.size + tmp;

899
		} else if (s->temp.size + tmp < LZMA_IN_REQUIRED) {

900
			s->temp.size += tmp;

901
			b->in_pos += tmp;

902
			return true;

903
		} else {

904
			s->rc.in_limit = s->temp.size + tmp - LZMA_IN_REQUIRED;

905
		}

906


907
		s->rc.in = s->temp.buf;

908
		s->rc.in_pos = 0;

909


910
		if (!lzma_main(s) || s->rc.in_pos > s->temp.size + tmp)

911
			return false;

912


913
		s->lzma2.compressed -= s->rc.in_pos;

914


915
		if (s->rc.in_pos < s->temp.size) {

916
			s->temp.size -= s->rc.in_pos;

917
			memmove(s->temp.buf, s->temp.buf + s->rc.in_pos,

918
					s->temp.size);

919
			return true;

920
		}

921


922
		b->in_pos += s->rc.in_pos - s->temp.size;

923
		s->temp.size = 0;

924
	}

925


926
	in_avail = b->in_size - b->in_pos;

927
	if (in_avail >= LZMA_IN_REQUIRED) {

928
		s->rc.in = b->in;

929
		s->rc.in_pos = b->in_pos;

930


931
		if (in_avail >= s->lzma2.compressed + LZMA_IN_REQUIRED)

932
			s->rc.in_limit = b->in_pos + s->lzma2.compressed;

933
		else

934
			s->rc.in_limit = b->in_size - LZMA_IN_REQUIRED;

935


936
		if (!lzma_main(s))

937
			return false;

938


939
		in_avail = s->rc.in_pos - b->in_pos;

940
		if (in_avail > s->lzma2.compressed)

941
			return false;

942


943
		s->lzma2.compressed -= in_avail;

944
		b->in_pos = s->rc.in_pos;

945
	}

946


947
	in_avail = b->in_size - b->in_pos;

948
	if (in_avail < LZMA_IN_REQUIRED) {

949
		if (in_avail > s->lzma2.compressed)

950
			in_avail = s->lzma2.compressed;

951


952
		memcpy(s->temp.buf, b->in + b->in_pos, in_avail);

953
		s->temp.size = in_avail;

954
		b->in_pos += in_avail;

955
	}

956


957
	return true;

958
}

959


960
/*

961
 * Take care of the LZMA2 control layer, and forward the job of actual LZMA

962
 * decoding or copying of uncompressed chunks to other functions.

963
 */

964
XZ_EXTERN enum xz_ret xz_dec_lzma2_run(struct xz_dec_lzma2 *s,

965
				       struct xz_buf *b)

966
{

967
	uint32_t tmp;

968


969
	while (b->in_pos < b->in_size || s->lzma2.sequence == SEQ_LZMA_RUN) {

970
		switch (s->lzma2.sequence) {

971
		case SEQ_CONTROL:

972
			/*

973
			 * LZMA2 control byte

974
			 *

975
			 * Exact values:

976
			 *   0x00   End marker

977
			 *   0x01   Dictionary reset followed by

978
			 *          an uncompressed chunk

979
			 *   0x02   Uncompressed chunk (no dictionary reset)

980
			 *

981
			 * Highest three bits (s->control & 0xE0):

982
			 *   0xE0   Dictionary reset, new properties and state

983
			 *          reset, followed by LZMA compressed chunk

984
			 *   0xC0   New properties and state reset, followed

985
			 *          by LZMA compressed chunk (no dictionary

986
			 *          reset)

987
			 *   0xA0   State reset using old properties,

988
			 *          followed by LZMA compressed chunk (no

989
			 *          dictionary reset)

990
			 *   0x80   LZMA chunk (no dictionary or state reset)

991
			 *

992
			 * For LZMA compressed chunks, the lowest five bits

993
			 * (s->control & 1F) are the highest bits of the

994
			 * uncompressed size (bits 16-20).

995
			 *

996
			 * A new LZMA2 stream must begin with a dictionary

997
			 * reset. The first LZMA chunk must set new

998
			 * properties and reset the LZMA state.

999
			 *

1000
			 * Values that don't match anything described above

1001
			 * are invalid and we return XZ_DATA_ERROR.

1002
			 */

1003
			tmp = b->in[b->in_pos++];

1004


1005
			if (tmp == 0x00)

1006
				return XZ_STREAM_END;

1007


1008
			if (tmp >= 0xE0 || tmp == 0x01) {

1009
				s->lzma2.need_props = true;

1010
				s->lzma2.need_dict_reset = false;

1011
				dict_reset(&s->dict, b);

1012
			} else if (s->lzma2.need_dict_reset) {

1013
				return XZ_DATA_ERROR;

1014
			}

1015


1016
			if (tmp >= 0x80) {

1017
				s->lzma2.uncompressed = (tmp & 0x1F) << 16;

1018
				s->lzma2.sequence = SEQ_UNCOMPRESSED_1;

1019


1020
				if (tmp >= 0xC0) {

1021
					/*

1022
					 * When there are new properties,

1023
					 * state reset is done at

1024
					 * SEQ_PROPERTIES.

1025
					 */

1026
					s->lzma2.need_props = false;

1027
					s->lzma2.next_sequence

1028
							= SEQ_PROPERTIES;

1029


1030
				} else if (s->lzma2.need_props) {

1031
					return XZ_DATA_ERROR;

1032


1033
				} else {

1034
					s->lzma2.next_sequence

1035
							= SEQ_LZMA_PREPARE;

1036
					if (tmp >= 0xA0)

1037
						lzma_reset(s);

1038
				}

1039
			} else {

1040
				if (tmp > 0x02)

1041
					return XZ_DATA_ERROR;

1042


1043
				s->lzma2.sequence = SEQ_COMPRESSED_0;

1044
				s->lzma2.next_sequence = SEQ_COPY;

1045
			}

1046


1047
			break;

1048


1049
		case SEQ_UNCOMPRESSED_1:

1050
			s->lzma2.uncompressed

1051
					+= (uint32_t)b->in[b->in_pos++] << 8;

1052
			s->lzma2.sequence = SEQ_UNCOMPRESSED_2;

1053
			break;

1054


1055
		case SEQ_UNCOMPRESSED_2:

1056
			s->lzma2.uncompressed

1057
					+= (uint32_t)b->in[b->in_pos++] + 1;

1058
			s->lzma2.sequence = SEQ_COMPRESSED_0;

1059
			break;

1060


1061
		case SEQ_COMPRESSED_0:

1062
			s->lzma2.compressed

1063
					= (uint32_t)b->in[b->in_pos++] << 8;

1064
			s->lzma2.sequence = SEQ_COMPRESSED_1;

1065
			break;

1066


1067
		case SEQ_COMPRESSED_1:

1068
			s->lzma2.compressed

1069
					+= (uint32_t)b->in[b->in_pos++] + 1;

1070
			s->lzma2.sequence = s->lzma2.next_sequence;

1071
			break;

1072


1073
		case SEQ_PROPERTIES:

1074
			if (!lzma_props(s, b->in[b->in_pos++]))

1075
				return XZ_DATA_ERROR;

1076


1077
			s->lzma2.sequence = SEQ_LZMA_PREPARE;

1078


1079
		/* Fall through */

1080


1081
		case SEQ_LZMA_PREPARE:

1082
			if (s->lzma2.compressed < RC_INIT_BYTES)

1083
				return XZ_DATA_ERROR;

1084


1085
			if (!rc_read_init(&s->rc, b))

1086
				return XZ_OK;

1087


1088
			s->lzma2.compressed -= RC_INIT_BYTES;

1089
			s->lzma2.sequence = SEQ_LZMA_RUN;

1090


1091
		/* Fall through */

1092


1093
		case SEQ_LZMA_RUN:

1094
			/*

1095
			 * Set dictionary limit to indicate how much we want

1096
			 * to be encoded at maximum. Decode new data into the

1097
			 * dictionary. Flush the new data from dictionary to

1098
			 * b->out. Check if we finished decoding this chunk.

1099
			 * In case the dictionary got full but we didn't fill

1100
			 * the output buffer yet, we may run this loop

1101
			 * multiple times without changing s->lzma2.sequence.

1102
			 */

1103
			dict_limit(&s->dict, min_t(size_t,

1104
					b->out_size - b->out_pos,

1105
					s->lzma2.uncompressed));

1106
			if (!lzma2_lzma(s, b))

1107
				return XZ_DATA_ERROR;

1108


1109
			s->lzma2.uncompressed -= dict_flush(&s->dict, b);

1110


1111
			if (s->lzma2.uncompressed == 0) {

1112
				if (s->lzma2.compressed > 0 || s->lzma.len > 0

1113
						|| !rc_is_finished(&s->rc))

1114
					return XZ_DATA_ERROR;

1115


1116
				rc_reset(&s->rc);

1117
				s->lzma2.sequence = SEQ_CONTROL;

1118


1119
			} else if (b->out_pos == b->out_size

1120
					|| (b->in_pos == b->in_size

1121
						&& s->temp.size

1122
						< s->lzma2.compressed)) {

1123
				return XZ_OK;

1124
			}

1125


1126
			break;

1127


1128
		case SEQ_COPY:

1129
			dict_uncompressed(&s->dict, b, &s->lzma2.compressed);

1130
			if (s->lzma2.compressed > 0)

1131
				return XZ_OK;

1132


1133
			s->lzma2.sequence = SEQ_CONTROL;

1134
			break;

1135
		}

1136
	}

1137


1138
	return XZ_OK;

1139
}

1140


1141
XZ_EXTERN struct xz_dec_lzma2 *xz_dec_lzma2_create(enum xz_mode mode,

1142
						   uint32_t dict_max)

1143
{

1144
	struct xz_dec_lzma2 *s = kmalloc(sizeof(*s), GFP_KERNEL);

1145
	if (s == NULL)

1146
		return NULL;

1147


1148
	s->dict.mode = mode;

1149
	s->dict.size_max = dict_max;

1150


1151
	if (DEC_IS_PREALLOC(mode)) {

1152
		s->dict.buf = vmalloc(dict_max);

1153
		if (s->dict.buf == NULL) {

1154
			kfree(s);

1155
			return NULL;

1156
		}

1157
	} else if (DEC_IS_DYNALLOC(mode)) {

1158
		s->dict.buf = NULL;

1159
		s->dict.allocated = 0;

1160
	}

1161


1162
	return s;

1163
}

1164


1165
XZ_EXTERN enum xz_ret xz_dec_lzma2_reset(struct xz_dec_lzma2 *s, uint8_t props)

1166
{

1167
	/* This limits dictionary size to 3 GiB to keep parsing simpler. */

1168
	if (props > 39)

1169
		return XZ_OPTIONS_ERROR;

1170


1171
	s->dict.size = 2 + (props & 1);

1172
	s->dict.size <<= (props >> 1) + 11;

1173


1174
	if (DEC_IS_MULTI(s->dict.mode)) {

1175
		if (s->dict.size > s->dict.size_max)

1176
			return XZ_MEMLIMIT_ERROR;

1177


1178
		s->dict.end = s->dict.size;

1179


1180
		if (DEC_IS_DYNALLOC(s->dict.mode)) {

1181
			if (s->dict.allocated < s->dict.size) {

1182
				s->dict.allocated = s->dict.size;

1183
				vfree(s->dict.buf);

1184
				s->dict.buf = vmalloc(s->dict.size);

1185
				if (s->dict.buf == NULL) {

1186
					s->dict.allocated = 0;

1187
					return XZ_MEM_ERROR;

1188
				}

1189
			}

1190
		}

1191
	}

1192


1193
	s->lzma2.sequence = SEQ_CONTROL;

1194
	s->lzma2.need_dict_reset = true;

1195


1196
	s->temp.size = 0;

1197


1198
	return XZ_OK;

1199
}

1200


1201
XZ_EXTERN void xz_dec_lzma2_end(struct xz_dec_lzma2 *s)

1202
{

1203
	if (DEC_IS_MULTI(s->dict.mode))

1204
		vfree(s->dict.buf);

1205


1206
	kfree(s);

1207
}

1208


1209
#ifdef XZ_DEC_MICROLZMA

1210
/* This is a wrapper struct to have a nice struct name in the public API. */

1211
struct xz_dec_microlzma {

1212
	struct xz_dec_lzma2 s;

1213
};

1214


1215
enum xz_ret xz_dec_microlzma_run(struct xz_dec_microlzma *s_ptr,

1216
				 struct xz_buf *b)

1217
{

1218
	struct xz_dec_lzma2 *s = &s_ptr->s;

1219


1220
	/*

1221
	 * sequence is SEQ_PROPERTIES before the first input byte,

1222
	 * SEQ_LZMA_PREPARE until a total of five bytes have been read,

1223
	 * and SEQ_LZMA_RUN for the rest of the input stream.

1224
	 */

1225
	if (s->lzma2.sequence != SEQ_LZMA_RUN) {

1226
		if (s->lzma2.sequence == SEQ_PROPERTIES) {

1227
			/* One byte is needed for the props. */

1228
			if (b->in_pos >= b->in_size)

1229
				return XZ_OK;

1230


1231
			/*

1232
			 * Don't increment b->in_pos here. The same byte is

1233
			 * also passed to rc_read_init() which will ignore it.

1234
			 */

1235
			if (!lzma_props(s, ~b->in[b->in_pos]))

1236
				return XZ_DATA_ERROR;

1237


1238
			s->lzma2.sequence = SEQ_LZMA_PREPARE;

1239
		}

1240


1241
		/*

1242
		 * xz_dec_microlzma_reset() doesn't validate the compressed

1243
		 * size so we do it here. We have to limit the maximum size

1244
		 * to avoid integer overflows in lzma2_lzma(). 3 GiB is a nice

1245
		 * round number and much more than users of this code should

1246
		 * ever need.

1247
		 */

1248
		if (s->lzma2.compressed < RC_INIT_BYTES

1249
				|| s->lzma2.compressed > (3U << 30))

1250
			return XZ_DATA_ERROR;

1251


1252
		if (!rc_read_init(&s->rc, b))

1253
			return XZ_OK;

1254


1255
		s->lzma2.compressed -= RC_INIT_BYTES;

1256
		s->lzma2.sequence = SEQ_LZMA_RUN;

1257


1258
		dict_reset(&s->dict, b);

1259
	}

1260


1261
	/* This is to allow increasing b->out_size between calls. */

1262
	if (DEC_IS_SINGLE(s->dict.mode))

1263
		s->dict.end = b->out_size - b->out_pos;

1264


1265
	while (true) {

1266
		dict_limit(&s->dict, min_t(size_t, b->out_size - b->out_pos,

1267
					   s->lzma2.uncompressed));

1268


1269
		if (!lzma2_lzma(s, b))

1270
			return XZ_DATA_ERROR;

1271


1272
		s->lzma2.uncompressed -= dict_flush(&s->dict, b);

1273


1274
		if (s->lzma2.uncompressed == 0) {

1275
			if (s->lzma2.pedantic_microlzma) {

1276
				if (s->lzma2.compressed > 0 || s->lzma.len > 0

1277
						|| !rc_is_finished(&s->rc))

1278
					return XZ_DATA_ERROR;

1279
			}

1280


1281
			return XZ_STREAM_END;

1282
		}

1283


1284
		if (b->out_pos == b->out_size)

1285
			return XZ_OK;

1286


1287
		if (b->in_pos == b->in_size

1288
				&& s->temp.size < s->lzma2.compressed)

1289
			return XZ_OK;

1290
	}

1291
}

1292


1293
struct xz_dec_microlzma *xz_dec_microlzma_alloc(enum xz_mode mode,

1294
						uint32_t dict_size)

1295
{

1296
	struct xz_dec_microlzma *s;

1297


1298
	/* Restrict dict_size to the same range as in the LZMA2 code. */

1299
	if (dict_size < 4096 || dict_size > (3U << 30))

1300
		return NULL;

1301


1302
	s = kmalloc(sizeof(*s), GFP_KERNEL);

1303
	if (s == NULL)

1304
		return NULL;

1305


1306
	s->s.dict.mode = mode;

1307
	s->s.dict.size = dict_size;

1308


1309
	if (DEC_IS_MULTI(mode)) {

1310
		s->s.dict.end = dict_size;

1311


1312
		s->s.dict.buf = vmalloc(dict_size);

1313
		if (s->s.dict.buf == NULL) {

1314
			kfree(s);

1315
			return NULL;

1316
		}

1317
	}

1318


1319
	return s;

1320
}

1321


1322
void xz_dec_microlzma_reset(struct xz_dec_microlzma *s, uint32_t comp_size,

1323
			    uint32_t uncomp_size, int uncomp_size_is_exact)

1324
{

1325
	/*

1326
	 * comp_size is validated in xz_dec_microlzma_run().

1327
	 * uncomp_size can safely be anything.

1328
	 */

1329
	s->s.lzma2.compressed = comp_size;

1330
	s->s.lzma2.uncompressed = uncomp_size;

1331
	s->s.lzma2.pedantic_microlzma = uncomp_size_is_exact;

1332


1333
	s->s.lzma2.sequence = SEQ_PROPERTIES;

1334
	s->s.temp.size = 0;

1335
}

1336


1337
void xz_dec_microlzma_end(struct xz_dec_microlzma *s)

1338
{

1339
	if (DEC_IS_MULTI(s->s.dict.mode))

1340
		vfree(s->s.dict.buf);

1341


1342
	kfree(s);

1343
}

1344
#endif

1345


1346