1
/********************************************************************
2
 *                                                                  *
3
 * THIS FILE IS PART OF THE OggTheora SOFTWARE CODEC SOURCE CODE.   *
4
 * USE, DISTRIBUTION AND REPRODUCTION OF THIS LIBRARY SOURCE IS     *
5
 * GOVERNED BY A BSD-STYLE SOURCE LICENSE INCLUDED WITH THIS SOURCE *
6
 * IN 'COPYING'. PLEASE READ THESE TERMS BEFORE DISTRIBUTING.       *
7
 *                                                                  *
8
 * THE Theora SOURCE CODE IS COPYRIGHT (C) 2002-2009                *
9
 * by the Xiph.Org Foundation and contributors                      *
10
 * https://www.xiph.org/                                            *
11
 *                                                                  *
12
 ********************************************************************
13

14
  function:
15

16
 ********************************************************************/
17

18
#include <stdlib.h>
19
#include <string.h>
20
#include <limits.h>
21
#include "decint.h"
22

23
/*Only used for fuzzing.*/
24
#if defined(HAVE_MEMORY_CONSTRAINT)
25
static const int MAX_FUZZING_WIDTH = 16384;
26
static const int MAX_FUZZING_HEIGHT = 16384;
27
#endif
28

29

30
/*Unpacks a series of octets from a given byte array into the pack buffer.
31
  No checking is done to ensure the buffer contains enough data.
32
  _opb: The pack buffer to read the octets from.
33
  _buf: The byte array to store the unpacked bytes in.
34
  _len: The number of octets to unpack.*/
35
static void oc_unpack_octets(oc_pack_buf *_opb,char *_buf,size_t _len){
36
  while(_len-->0){
37
    long val;
38
    val=oc_pack_read(_opb,8);
39
    *_buf++=(char)val;
40
  }
41
}
42

43
/*Unpacks a 32-bit integer encoded by octets in little-endian form.*/
44
static long oc_unpack_length(oc_pack_buf *_opb){
45
  long ret[4];
46
  int  i;
47
  for(i=0;i<4;i++)ret[i]=oc_pack_read(_opb,8);
48
  return ret[0]|ret[1]<<8|ret[2]<<16|ret[3]<<24;
49
}
50

51
static int oc_info_unpack(oc_pack_buf *_opb,th_info *_info){
52
  long val;
53
  /*Check the codec bitstream version.*/
54
  val=oc_pack_read(_opb,8);
55
  _info->version_major=(unsigned char)val;
56
  val=oc_pack_read(_opb,8);
57
  _info->version_minor=(unsigned char)val;
58
  val=oc_pack_read(_opb,8);
59
  _info->version_subminor=(unsigned char)val;
60
  /*verify we can parse this bitstream version.
61
     We accept earlier minors and all subminors, by spec*/
62
  if(_info->version_major>TH_VERSION_MAJOR||
63
   (_info->version_major==TH_VERSION_MAJOR&&
64
   _info->version_minor>TH_VERSION_MINOR)){
65
    return TH_EVERSION;
66
  }
67
  /*Read the encoded frame description.*/
68
  val=oc_pack_read(_opb,16);
69
  _info->frame_width=(ogg_uint32_t)val<<4;
70
  val=oc_pack_read(_opb,16);
71
  _info->frame_height=(ogg_uint32_t)val<<4;
72
  val=oc_pack_read(_opb,24);
73
  _info->pic_width=(ogg_uint32_t)val;
74
  val=oc_pack_read(_opb,24);
75
  _info->pic_height=(ogg_uint32_t)val;
76
  val=oc_pack_read(_opb,8);
77
  _info->pic_x=(ogg_uint32_t)val;
78
  val=oc_pack_read(_opb,8);
79
  _info->pic_y=(ogg_uint32_t)val;
80
  val=oc_pack_read(_opb,32);
81
  _info->fps_numerator=(ogg_uint32_t)val;
82
  val=oc_pack_read(_opb,32);
83
  _info->fps_denominator=(ogg_uint32_t)val;
84
  if(_info->frame_width==0||_info->frame_height==0||
85
   _info->pic_width+_info->pic_x>_info->frame_width||
86
   _info->pic_height+_info->pic_y>_info->frame_height||
87
   _info->fps_numerator==0||_info->fps_denominator==0){
88
    return TH_EBADHEADER;
89
  }
90
#if defined(HAVE_MEMORY_CONSTRAINT)
91
  if(_info->frame_width>=MAX_FUZZING_WIDTH&&_info->frame_height>=MAX_FUZZING_HEIGHT){
92
    return TH_EBADHEADER;
93
  }
94
#endif
95
  /*Note: The sense of pic_y is inverted in what we pass back to the
96
     application compared to how it is stored in the bitstream.
97
    This is because the bitstream uses a right-handed coordinate system, while
98
     applications expect a left-handed one.*/
99
  _info->pic_y=_info->frame_height-_info->pic_height-_info->pic_y;
100
  val=oc_pack_read(_opb,24);
101
  _info->aspect_numerator=(ogg_uint32_t)val;
102
  val=oc_pack_read(_opb,24);
103
  _info->aspect_denominator=(ogg_uint32_t)val;
104
  val=oc_pack_read(_opb,8);
105
  _info->colorspace=(th_colorspace)val;
106
  val=oc_pack_read(_opb,24);
107
  _info->target_bitrate=(int)val;
108
  val=oc_pack_read(_opb,6);
109
  _info->quality=(int)val;
110
  val=oc_pack_read(_opb,5);
111
  _info->keyframe_granule_shift=(int)val;
112
  val=oc_pack_read(_opb,2);
113
  _info->pixel_fmt=(th_pixel_fmt)val;
114
  if(_info->pixel_fmt==TH_PF_RSVD)return TH_EBADHEADER;
115
  val=oc_pack_read(_opb,3);
116
  if(val!=0||oc_pack_bytes_left(_opb)<0)return TH_EBADHEADER;
117
  return 0;
118
}
119

120
static int oc_comment_unpack(oc_pack_buf *_opb,th_comment *_tc){
121
  long len;
122
  int  i;
123
  /*Read the vendor string.*/
124
  len=oc_unpack_length(_opb);
125
  if(len<0||len>oc_pack_bytes_left(_opb))return TH_EBADHEADER;
126
  _tc->vendor=_ogg_malloc((size_t)len+1);
127
  if(_tc->vendor==NULL)return TH_EFAULT;
128
  oc_unpack_octets(_opb,_tc->vendor,len);
129
  _tc->vendor[len]='\0';
130
  /*Read the user comments.*/
131
  _tc->comments=(int)oc_unpack_length(_opb);
132
  len=_tc->comments;
133
  if(len<0||len>(LONG_MAX>>2)||len<<2>oc_pack_bytes_left(_opb)){
134
    _tc->comments=0;
135
    return TH_EBADHEADER;
136
  }
137
  if(0<_tc->comments){
138
    _tc->comment_lengths=(int *)_ogg_malloc(
139
     _tc->comments*sizeof(_tc->comment_lengths[0]));
140
    _tc->user_comments=(char **)_ogg_malloc(
141
     _tc->comments*sizeof(_tc->user_comments[0]));
142
    if(_tc->comment_lengths==NULL||_tc->user_comments==NULL){
143
      _tc->comments=0;
144
      return TH_EFAULT;
145
    }
146
    for(i=0;i<_tc->comments;i++){
147
      len=oc_unpack_length(_opb);
148
      if(len<0||len>oc_pack_bytes_left(_opb)){
149
        _tc->comments=i;
150
        return TH_EBADHEADER;
151
      }
152
      _tc->comment_lengths[i]=len;
153
      _tc->user_comments[i]=_ogg_malloc((size_t)len+1);
154
      if(_tc->user_comments[i]==NULL){
155
        _tc->comments=i;
156
        return TH_EFAULT;
157
      }
158
      oc_unpack_octets(_opb,_tc->user_comments[i],len);
159
      _tc->user_comments[i][len]='\0';
160
    }
161
  } else {
162
    _tc->comment_lengths=NULL;
163
    _tc->user_comments=NULL;
164
  }
165
  return oc_pack_bytes_left(_opb)<0?TH_EBADHEADER:0;
166
}
167

168
static int oc_setup_unpack(oc_pack_buf *_opb,th_setup_info *_setup){
169
  int ret;
170
  /*Read the quantizer tables.*/
171
  ret=oc_quant_params_unpack(_opb,&_setup->qinfo);
172
  if(ret<0)return ret;
173
  /*Read the Huffman trees.*/
174
  return oc_huff_trees_unpack(_opb,_setup->huff_tables);
175
}
176

177
static void oc_setup_clear(th_setup_info *_setup){
178
  oc_quant_params_clear(&_setup->qinfo);
179
  oc_huff_trees_clear(_setup->huff_tables);
180
}
181

182
static int oc_dec_headerin(oc_pack_buf *_opb,th_info *_info,
183
 th_comment *_tc,th_setup_info **_setup,ogg_packet *_op){
184
  char buffer[6];
185
  long val;
186
  int  packtype;
187
  int  ret;
188
  val=oc_pack_read(_opb,8);
189
  packtype=(int)val;
190
  /*If we're at a data packet...*/
191
  if(!(packtype&0x80)){
192
    /*Check to make sure we received all three headers...
193
      If we haven't seen any valid headers, assume this is not actually
194
       Theora.*/
195
    if(_info->frame_width<=0)return TH_ENOTFORMAT;
196
    /*Follow our documentation, which says we'll return TH_EFAULT if this
197
       are NULL (_info was checked by our caller).*/
198
    if(_tc==NULL)return TH_EFAULT;
199
    /*And if any other headers were missing, declare this packet "out of
200
       sequence" instead.*/
201
    if(_tc->vendor==NULL)return TH_EBADHEADER;
202
    /*Don't check this until it's needed, since we allow passing NULL for the
203
       arguments that we're not expecting the next header to fill in yet.*/
204
    if(_setup==NULL)return TH_EFAULT;
205
    if(*_setup==NULL)return TH_EBADHEADER;
206
    /*If we got everything, we're done.*/
207
    return 0;
208
  }
209
  /*Check the codec string.*/
210
  oc_unpack_octets(_opb,buffer,6);
211
  if(memcmp(buffer,"theora",6)!=0)return TH_ENOTFORMAT;
212
  switch(packtype){
213
    /*Codec info header.*/
214
    case 0x80:{
215
      /*This should be the first packet, and we should not already be
216
         initialized.*/
217
      if(!_op->b_o_s||_info->frame_width>0)return TH_EBADHEADER;
218
      ret=oc_info_unpack(_opb,_info);
219
      if(ret<0)th_info_clear(_info);
220
      else ret=3;
221
    }break;
222
    /*Comment header.*/
223
    case 0x81:{
224
      if(_tc==NULL)return TH_EFAULT;
225
      /*We should have already decoded the info header, and should not yet have
226
         decoded the comment header.*/
227
      if(_info->frame_width==0||_tc->vendor!=NULL)return TH_EBADHEADER;
228
      ret=oc_comment_unpack(_opb,_tc);
229
      if(ret<0)th_comment_clear(_tc);
230
      else ret=2;
231
    }break;
232
    /*Codec setup header.*/
233
    case 0x82:{
234
      oc_setup_info *setup;
235
      if(_tc==NULL||_setup==NULL)return TH_EFAULT;
236
      /*We should have already decoded the info header and the comment header,
237
         and should not yet have decoded the setup header.*/
238
      if(_info->frame_width==0||_tc->vendor==NULL||*_setup!=NULL){
239
        return TH_EBADHEADER;
240
      }
241
      setup=(oc_setup_info *)_ogg_calloc(1,sizeof(*setup));
242
      if(setup==NULL)return TH_EFAULT;
243
      ret=oc_setup_unpack(_opb,setup);
244
      if(ret<0){
245
        oc_setup_clear(setup);
246
        _ogg_free(setup);
247
      }
248
      else{
249
        *_setup=setup;
250
        ret=1;
251
      }
252
    }break;
253
    default:{
254
      /*We don't know what this header is.*/
255
      return TH_EBADHEADER;
256
    }break;
257
  }
258
  return ret;
259
}
260

261

262
/*Decodes one header packet.
263
  This should be called repeatedly with the packets at the beginning of the
264
   stream until it returns 0.*/
265
int th_decode_headerin(th_info *_info,th_comment *_tc,
266
 th_setup_info **_setup,ogg_packet *_op){
267
  oc_pack_buf opb;
268
  if(_op==NULL)return TH_EBADHEADER;
269
  if(_info==NULL)return TH_EFAULT;
270
  oc_pack_readinit(&opb,_op->packet,_op->bytes);
271
  return oc_dec_headerin(&opb,_info,_tc,_setup,_op);
272
}
273

274
void th_setup_free(th_setup_info *_setup){
275
  if(_setup!=NULL){
276
    oc_setup_clear(_setup);
277
    _ogg_free(_setup);
278
  }
279
}
280

281