hbono@chromium.org | f0c4f33 | 2010-11-01 05:14:55 +0000 | [diff] [blame] | 1 | /* |
| 2 | * rdgif.c |
| 3 | * |
Jonathan Wright | 24e3105 | 2021-04-26 12:10:48 +0100 | [diff] [blame] | 4 | * This file was part of the Independent JPEG Group's software: |
hbono@chromium.org | f0c4f33 | 2010-11-01 05:14:55 +0000 | [diff] [blame] | 5 | * Copyright (C) 1991-1997, Thomas G. Lane. |
Jonathan Wright | bbb8282 | 2020-11-25 13:36:43 +0000 | [diff] [blame] | 6 | * Modified 2019 by Guido Vollbeding. |
Jonathan Wright | 24e3105 | 2021-04-26 12:10:48 +0100 | [diff] [blame] | 7 | * libjpeg-turbo Modifications: |
| 8 | * Copyright (C) 2021, D. R. Commander. |
Tom Hudson | 0d47d2d | 2016-05-04 13:22:56 -0400 | [diff] [blame] | 9 | * For conditions of distribution and use, see the accompanying README.ijg |
| 10 | * file. |
hbono@chromium.org | f0c4f33 | 2010-11-01 05:14:55 +0000 | [diff] [blame] | 11 | * |
| 12 | * This file contains routines to read input images in GIF format. |
| 13 | * |
Jonathan Wright | bbb8282 | 2020-11-25 13:36:43 +0000 | [diff] [blame] | 14 | * These routines may need modification for non-Unix environments or |
| 15 | * specialized applications. As they stand, they assume input from |
| 16 | * an ordinary stdio stream. They further assume that reading begins |
| 17 | * at the start of the file; start_input may need work if the |
| 18 | * user interface has already read some data (e.g., to determine that |
| 19 | * the file is indeed GIF format). |
| 20 | */ |
| 21 | |
| 22 | /* |
| 23 | * This code is loosely based on giftoppm from the PBMPLUS distribution |
| 24 | * of Feb. 1991. That file contains the following copyright notice: |
| 25 | * +-------------------------------------------------------------------+ |
| 26 | * | Copyright 1990, David Koblas. | |
| 27 | * | Permission to use, copy, modify, and distribute this software | |
| 28 | * | and its documentation for any purpose and without fee is hereby | |
| 29 | * | granted, provided that the above copyright notice appear in all | |
| 30 | * | copies and that both that copyright notice and this permission | |
| 31 | * | notice appear in supporting documentation. This software is | |
| 32 | * | provided "as is" without express or implied warranty. | |
| 33 | * +-------------------------------------------------------------------+ |
hbono@chromium.org | f0c4f33 | 2010-11-01 05:14:55 +0000 | [diff] [blame] | 34 | */ |
| 35 | |
Tom Hudson | 0d47d2d | 2016-05-04 13:22:56 -0400 | [diff] [blame] | 36 | #include "cdjpeg.h" /* Common decls for cjpeg/djpeg applications */ |
hbono@chromium.org | f0c4f33 | 2010-11-01 05:14:55 +0000 | [diff] [blame] | 37 | |
| 38 | #ifdef GIF_SUPPORTED |
| 39 | |
Jonathan Wright | bbb8282 | 2020-11-25 13:36:43 +0000 | [diff] [blame] | 40 | |
| 41 | /* Macros to deal with unsigned chars as efficiently as compiler allows */ |
| 42 | |
| 43 | typedef unsigned char U_CHAR; |
| 44 | #define UCH(x) ((int)(x)) |
| 45 | |
| 46 | |
| 47 | #define ReadOK(file, buffer, len) \ |
| 48 | (JFREAD(file, buffer, len) == ((size_t)(len))) |
| 49 | |
| 50 | |
| 51 | #define MAXCOLORMAPSIZE 256 /* max # of colors in a GIF colormap */ |
| 52 | #define NUMCOLORS 3 /* # of colors */ |
| 53 | #define CM_RED 0 /* color component numbers */ |
| 54 | #define CM_GREEN 1 |
| 55 | #define CM_BLUE 2 |
| 56 | |
| 57 | #define MAX_LZW_BITS 12 /* maximum LZW code size */ |
| 58 | #define LZW_TABLE_SIZE (1 << MAX_LZW_BITS) /* # of possible LZW symbols */ |
| 59 | |
| 60 | /* Macros for extracting header data --- note we assume chars may be signed */ |
| 61 | |
| 62 | #define LM_to_uint(array, offset) \ |
| 63 | ((unsigned int)UCH(array[offset]) + \ |
| 64 | (((unsigned int)UCH(array[offset + 1])) << 8)) |
| 65 | |
| 66 | #define BitSet(byte, bit) ((byte) & (bit)) |
| 67 | #define INTERLACE 0x40 /* mask for bit signifying interlaced image */ |
| 68 | #define COLORMAPFLAG 0x80 /* mask for bit signifying colormap presence */ |
| 69 | |
| 70 | |
| 71 | /* |
| 72 | * LZW decompression tables look like this: |
| 73 | * symbol_head[K] = prefix symbol of any LZW symbol K (0..LZW_TABLE_SIZE-1) |
| 74 | * symbol_tail[K] = suffix byte of any LZW symbol K (0..LZW_TABLE_SIZE-1) |
| 75 | * Note that entries 0..end_code of the above tables are not used, |
| 76 | * since those symbols represent raw bytes or special codes. |
| 77 | * |
| 78 | * The stack represents the not-yet-used expansion of the last LZW symbol. |
| 79 | * In the worst case, a symbol could expand to as many bytes as there are |
| 80 | * LZW symbols, so we allocate LZW_TABLE_SIZE bytes for the stack. |
| 81 | * (This is conservative since that number includes the raw-byte symbols.) |
| 82 | */ |
| 83 | |
| 84 | |
| 85 | /* Private version of data source object */ |
| 86 | |
| 87 | typedef struct { |
| 88 | struct cjpeg_source_struct pub; /* public fields */ |
| 89 | |
| 90 | j_compress_ptr cinfo; /* back link saves passing separate parm */ |
| 91 | |
| 92 | JSAMPARRAY colormap; /* GIF colormap (converted to my format) */ |
| 93 | |
| 94 | /* State for GetCode and LZWReadByte */ |
| 95 | U_CHAR code_buf[256 + 4]; /* current input data block */ |
| 96 | int last_byte; /* # of bytes in code_buf */ |
| 97 | int last_bit; /* # of bits in code_buf */ |
| 98 | int cur_bit; /* next bit index to read */ |
| 99 | boolean first_time; /* flags first call to GetCode */ |
| 100 | boolean out_of_blocks; /* TRUE if hit terminator data block */ |
| 101 | |
| 102 | int input_code_size; /* codesize given in GIF file */ |
| 103 | int clear_code, end_code; /* values for Clear and End codes */ |
| 104 | |
| 105 | int code_size; /* current actual code size */ |
| 106 | int limit_code; /* 2^code_size */ |
| 107 | int max_code; /* first unused code value */ |
| 108 | |
| 109 | /* Private state for LZWReadByte */ |
| 110 | int oldcode; /* previous LZW symbol */ |
| 111 | int firstcode; /* first byte of oldcode's expansion */ |
| 112 | |
| 113 | /* LZW symbol table and expansion stack */ |
| 114 | UINT16 *symbol_head; /* => table of prefix symbols */ |
| 115 | UINT8 *symbol_tail; /* => table of suffix bytes */ |
| 116 | UINT8 *symbol_stack; /* => stack for symbol expansions */ |
| 117 | UINT8 *sp; /* stack pointer */ |
| 118 | |
| 119 | /* State for interlaced image processing */ |
| 120 | boolean is_interlaced; /* TRUE if have interlaced image */ |
| 121 | jvirt_sarray_ptr interlaced_image; /* full image in interlaced order */ |
| 122 | JDIMENSION cur_row_number; /* need to know actual row number */ |
| 123 | JDIMENSION pass2_offset; /* # of pixel rows in pass 1 */ |
| 124 | JDIMENSION pass3_offset; /* # of pixel rows in passes 1&2 */ |
| 125 | JDIMENSION pass4_offset; /* # of pixel rows in passes 1,2,3 */ |
| 126 | } gif_source_struct; |
| 127 | |
| 128 | typedef gif_source_struct *gif_source_ptr; |
| 129 | |
| 130 | |
| 131 | /* Forward declarations */ |
| 132 | METHODDEF(JDIMENSION) get_pixel_rows(j_compress_ptr cinfo, |
| 133 | cjpeg_source_ptr sinfo); |
| 134 | METHODDEF(JDIMENSION) load_interlaced_image(j_compress_ptr cinfo, |
| 135 | cjpeg_source_ptr sinfo); |
| 136 | METHODDEF(JDIMENSION) get_interlaced_row(j_compress_ptr cinfo, |
| 137 | cjpeg_source_ptr sinfo); |
| 138 | |
| 139 | |
| 140 | LOCAL(int) |
| 141 | ReadByte(gif_source_ptr sinfo) |
| 142 | /* Read next byte from GIF file */ |
| 143 | { |
| 144 | register FILE *infile = sinfo->pub.input_file; |
| 145 | register int c; |
| 146 | |
| 147 | if ((c = getc(infile)) == EOF) |
| 148 | ERREXIT(sinfo->cinfo, JERR_INPUT_EOF); |
| 149 | return c; |
| 150 | } |
| 151 | |
| 152 | |
| 153 | LOCAL(int) |
| 154 | GetDataBlock(gif_source_ptr sinfo, U_CHAR *buf) |
| 155 | /* Read a GIF data block, which has a leading count byte */ |
| 156 | /* A zero-length block marks the end of a data block sequence */ |
| 157 | { |
| 158 | int count; |
| 159 | |
| 160 | count = ReadByte(sinfo); |
| 161 | if (count > 0) { |
| 162 | if (!ReadOK(sinfo->pub.input_file, buf, count)) |
| 163 | ERREXIT(sinfo->cinfo, JERR_INPUT_EOF); |
| 164 | } |
| 165 | return count; |
| 166 | } |
| 167 | |
| 168 | |
| 169 | LOCAL(void) |
| 170 | SkipDataBlocks(gif_source_ptr sinfo) |
| 171 | /* Skip a series of data blocks, until a block terminator is found */ |
| 172 | { |
| 173 | U_CHAR buf[256]; |
| 174 | |
| 175 | while (GetDataBlock(sinfo, buf) > 0) |
| 176 | /* skip */; |
| 177 | } |
| 178 | |
| 179 | |
| 180 | LOCAL(void) |
| 181 | ReInitLZW(gif_source_ptr sinfo) |
| 182 | /* (Re)initialize LZW state; shared code for startup and Clear processing */ |
| 183 | { |
| 184 | sinfo->code_size = sinfo->input_code_size + 1; |
| 185 | sinfo->limit_code = sinfo->clear_code << 1; /* 2^code_size */ |
| 186 | sinfo->max_code = sinfo->clear_code + 2; /* first unused code value */ |
| 187 | sinfo->sp = sinfo->symbol_stack; /* init stack to empty */ |
| 188 | } |
| 189 | |
| 190 | |
| 191 | LOCAL(void) |
| 192 | InitLZWCode(gif_source_ptr sinfo) |
| 193 | /* Initialize for a series of LZWReadByte (and hence GetCode) calls */ |
| 194 | { |
| 195 | /* GetCode initialization */ |
| 196 | sinfo->last_byte = 2; /* make safe to "recopy last two bytes" */ |
| 197 | sinfo->code_buf[0] = 0; |
| 198 | sinfo->code_buf[1] = 0; |
| 199 | sinfo->last_bit = 0; /* nothing in the buffer */ |
| 200 | sinfo->cur_bit = 0; /* force buffer load on first call */ |
| 201 | sinfo->first_time = TRUE; |
| 202 | sinfo->out_of_blocks = FALSE; |
| 203 | |
| 204 | /* LZWReadByte initialization: */ |
| 205 | /* compute special code values (note that these do not change later) */ |
| 206 | sinfo->clear_code = 1 << sinfo->input_code_size; |
| 207 | sinfo->end_code = sinfo->clear_code + 1; |
| 208 | ReInitLZW(sinfo); |
| 209 | } |
| 210 | |
| 211 | |
| 212 | LOCAL(int) |
| 213 | GetCode(gif_source_ptr sinfo) |
| 214 | /* Fetch the next code_size bits from the GIF data */ |
| 215 | /* We assume code_size is less than 16 */ |
| 216 | { |
| 217 | register int accum; |
| 218 | int offs, count; |
| 219 | |
| 220 | while (sinfo->cur_bit + sinfo->code_size > sinfo->last_bit) { |
| 221 | /* Time to reload the buffer */ |
| 222 | /* First time, share code with Clear case */ |
| 223 | if (sinfo->first_time) { |
| 224 | sinfo->first_time = FALSE; |
| 225 | return sinfo->clear_code; |
| 226 | } |
| 227 | if (sinfo->out_of_blocks) { |
| 228 | WARNMS(sinfo->cinfo, JWRN_GIF_NOMOREDATA); |
| 229 | return sinfo->end_code; /* fake something useful */ |
| 230 | } |
| 231 | /* preserve last two bytes of what we have -- assume code_size <= 16 */ |
| 232 | sinfo->code_buf[0] = sinfo->code_buf[sinfo->last_byte-2]; |
| 233 | sinfo->code_buf[1] = sinfo->code_buf[sinfo->last_byte-1]; |
| 234 | /* Load more bytes; set flag if we reach the terminator block */ |
| 235 | if ((count = GetDataBlock(sinfo, &sinfo->code_buf[2])) == 0) { |
| 236 | sinfo->out_of_blocks = TRUE; |
| 237 | WARNMS(sinfo->cinfo, JWRN_GIF_NOMOREDATA); |
| 238 | return sinfo->end_code; /* fake something useful */ |
| 239 | } |
| 240 | /* Reset counters */ |
| 241 | sinfo->cur_bit = (sinfo->cur_bit - sinfo->last_bit) + 16; |
| 242 | sinfo->last_byte = 2 + count; |
| 243 | sinfo->last_bit = sinfo->last_byte * 8; |
| 244 | } |
| 245 | |
| 246 | /* Form up next 24 bits in accum */ |
| 247 | offs = sinfo->cur_bit >> 3; /* byte containing cur_bit */ |
| 248 | accum = UCH(sinfo->code_buf[offs + 2]); |
| 249 | accum <<= 8; |
| 250 | accum |= UCH(sinfo->code_buf[offs + 1]); |
| 251 | accum <<= 8; |
| 252 | accum |= UCH(sinfo->code_buf[offs]); |
| 253 | |
| 254 | /* Right-align cur_bit in accum, then mask off desired number of bits */ |
| 255 | accum >>= (sinfo->cur_bit & 7); |
| 256 | sinfo->cur_bit += sinfo->code_size; |
| 257 | return accum & ((1 << sinfo->code_size) - 1); |
| 258 | } |
| 259 | |
| 260 | |
| 261 | LOCAL(int) |
| 262 | LZWReadByte(gif_source_ptr sinfo) |
| 263 | /* Read an LZW-compressed byte */ |
| 264 | { |
| 265 | register int code; /* current working code */ |
| 266 | int incode; /* saves actual input code */ |
| 267 | |
| 268 | /* If any codes are stacked from a previously read symbol, return them */ |
| 269 | if (sinfo->sp > sinfo->symbol_stack) |
| 270 | return (int)(*(--sinfo->sp)); |
| 271 | |
| 272 | /* Time to read a new symbol */ |
| 273 | code = GetCode(sinfo); |
| 274 | |
| 275 | if (code == sinfo->clear_code) { |
| 276 | /* Reinit state, swallow any extra Clear codes, and */ |
| 277 | /* return next code, which is expected to be a raw byte. */ |
| 278 | ReInitLZW(sinfo); |
| 279 | do { |
| 280 | code = GetCode(sinfo); |
| 281 | } while (code == sinfo->clear_code); |
| 282 | if (code > sinfo->clear_code) { /* make sure it is a raw byte */ |
| 283 | WARNMS(sinfo->cinfo, JWRN_GIF_BADDATA); |
| 284 | code = 0; /* use something valid */ |
| 285 | } |
| 286 | /* make firstcode, oldcode valid! */ |
| 287 | sinfo->firstcode = sinfo->oldcode = code; |
| 288 | return code; |
| 289 | } |
| 290 | |
| 291 | if (code == sinfo->end_code) { |
| 292 | /* Skip the rest of the image, unless GetCode already read terminator */ |
| 293 | if (!sinfo->out_of_blocks) { |
| 294 | SkipDataBlocks(sinfo); |
| 295 | sinfo->out_of_blocks = TRUE; |
| 296 | } |
| 297 | /* Complain that there's not enough data */ |
| 298 | WARNMS(sinfo->cinfo, JWRN_GIF_ENDCODE); |
| 299 | /* Pad data with 0's */ |
| 300 | return 0; /* fake something usable */ |
| 301 | } |
| 302 | |
| 303 | /* Got normal raw byte or LZW symbol */ |
| 304 | incode = code; /* save for a moment */ |
| 305 | |
| 306 | if (code >= sinfo->max_code) { /* special case for not-yet-defined symbol */ |
| 307 | /* code == max_code is OK; anything bigger is bad data */ |
| 308 | if (code > sinfo->max_code) { |
| 309 | WARNMS(sinfo->cinfo, JWRN_GIF_BADDATA); |
| 310 | incode = 0; /* prevent creation of loops in symbol table */ |
| 311 | } |
| 312 | /* this symbol will be defined as oldcode/firstcode */ |
| 313 | *(sinfo->sp++) = (UINT8)sinfo->firstcode; |
| 314 | code = sinfo->oldcode; |
| 315 | } |
| 316 | |
| 317 | /* If it's a symbol, expand it into the stack */ |
| 318 | while (code >= sinfo->clear_code) { |
| 319 | *(sinfo->sp++) = sinfo->symbol_tail[code]; /* tail is a byte value */ |
| 320 | code = sinfo->symbol_head[code]; /* head is another LZW symbol */ |
| 321 | } |
| 322 | /* At this point code just represents a raw byte */ |
| 323 | sinfo->firstcode = code; /* save for possible future use */ |
| 324 | |
| 325 | /* If there's room in table... */ |
| 326 | if ((code = sinfo->max_code) < LZW_TABLE_SIZE) { |
| 327 | /* Define a new symbol = prev sym + head of this sym's expansion */ |
| 328 | sinfo->symbol_head[code] = (UINT16)sinfo->oldcode; |
| 329 | sinfo->symbol_tail[code] = (UINT8)sinfo->firstcode; |
| 330 | sinfo->max_code++; |
| 331 | /* Is it time to increase code_size? */ |
| 332 | if (sinfo->max_code >= sinfo->limit_code && |
| 333 | sinfo->code_size < MAX_LZW_BITS) { |
| 334 | sinfo->code_size++; |
| 335 | sinfo->limit_code <<= 1; /* keep equal to 2^code_size */ |
| 336 | } |
| 337 | } |
| 338 | |
| 339 | sinfo->oldcode = incode; /* save last input symbol for future use */ |
| 340 | return sinfo->firstcode; /* return first byte of symbol's expansion */ |
| 341 | } |
| 342 | |
| 343 | |
| 344 | LOCAL(void) |
| 345 | ReadColorMap(gif_source_ptr sinfo, int cmaplen, JSAMPARRAY cmap) |
| 346 | /* Read a GIF colormap */ |
| 347 | { |
| 348 | int i; |
| 349 | |
| 350 | for (i = 0; i < cmaplen; i++) { |
| 351 | #if BITS_IN_JSAMPLE == 8 |
| 352 | #define UPSCALE(x) (x) |
| 353 | #else |
| 354 | #define UPSCALE(x) ((x) << (BITS_IN_JSAMPLE - 8)) |
| 355 | #endif |
| 356 | cmap[CM_RED][i] = (JSAMPLE)UPSCALE(ReadByte(sinfo)); |
| 357 | cmap[CM_GREEN][i] = (JSAMPLE)UPSCALE(ReadByte(sinfo)); |
| 358 | cmap[CM_BLUE][i] = (JSAMPLE)UPSCALE(ReadByte(sinfo)); |
| 359 | } |
| 360 | } |
| 361 | |
| 362 | |
| 363 | LOCAL(void) |
| 364 | DoExtension(gif_source_ptr sinfo) |
| 365 | /* Process an extension block */ |
| 366 | /* Currently we ignore 'em all */ |
| 367 | { |
| 368 | int extlabel; |
| 369 | |
| 370 | /* Read extension label byte */ |
| 371 | extlabel = ReadByte(sinfo); |
| 372 | TRACEMS1(sinfo->cinfo, 1, JTRC_GIF_EXTENSION, extlabel); |
| 373 | /* Skip the data block(s) associated with the extension */ |
| 374 | SkipDataBlocks(sinfo); |
| 375 | } |
| 376 | |
| 377 | |
| 378 | /* |
| 379 | * Read the file header; return image size and component count. |
| 380 | */ |
| 381 | |
| 382 | METHODDEF(void) |
| 383 | start_input_gif(j_compress_ptr cinfo, cjpeg_source_ptr sinfo) |
| 384 | { |
| 385 | gif_source_ptr source = (gif_source_ptr)sinfo; |
| 386 | U_CHAR hdrbuf[10]; /* workspace for reading control blocks */ |
| 387 | unsigned int width, height; /* image dimensions */ |
| 388 | int colormaplen, aspectRatio; |
| 389 | int c; |
| 390 | |
| 391 | /* Read and verify GIF Header */ |
| 392 | if (!ReadOK(source->pub.input_file, hdrbuf, 6)) |
| 393 | ERREXIT(cinfo, JERR_GIF_NOT); |
| 394 | if (hdrbuf[0] != 'G' || hdrbuf[1] != 'I' || hdrbuf[2] != 'F') |
| 395 | ERREXIT(cinfo, JERR_GIF_NOT); |
| 396 | /* Check for expected version numbers. |
| 397 | * If unknown version, give warning and try to process anyway; |
| 398 | * this is per recommendation in GIF89a standard. |
| 399 | */ |
| 400 | if ((hdrbuf[3] != '8' || hdrbuf[4] != '7' || hdrbuf[5] != 'a') && |
| 401 | (hdrbuf[3] != '8' || hdrbuf[4] != '9' || hdrbuf[5] != 'a')) |
| 402 | TRACEMS3(cinfo, 1, JTRC_GIF_BADVERSION, hdrbuf[3], hdrbuf[4], hdrbuf[5]); |
| 403 | |
| 404 | /* Read and decipher Logical Screen Descriptor */ |
| 405 | if (!ReadOK(source->pub.input_file, hdrbuf, 7)) |
| 406 | ERREXIT(cinfo, JERR_INPUT_EOF); |
| 407 | width = LM_to_uint(hdrbuf, 0); |
| 408 | height = LM_to_uint(hdrbuf, 2); |
Jonathan Wright | 24e3105 | 2021-04-26 12:10:48 +0100 | [diff] [blame] | 409 | if (width == 0 || height == 0) |
| 410 | ERREXIT(cinfo, JERR_GIF_EMPTY); |
| 411 | #ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION |
| 412 | if (sinfo->max_pixels && |
| 413 | (unsigned long long)width * height > sinfo->max_pixels) |
| 414 | ERREXIT(cinfo, JERR_WIDTH_OVERFLOW); |
| 415 | #endif |
Jonathan Wright | bbb8282 | 2020-11-25 13:36:43 +0000 | [diff] [blame] | 416 | /* we ignore the color resolution, sort flag, and background color index */ |
| 417 | aspectRatio = UCH(hdrbuf[6]); |
| 418 | if (aspectRatio != 0 && aspectRatio != 49) |
| 419 | TRACEMS(cinfo, 1, JTRC_GIF_NONSQUARE); |
| 420 | |
| 421 | /* Allocate space to store the colormap */ |
| 422 | source->colormap = (*cinfo->mem->alloc_sarray) |
| 423 | ((j_common_ptr)cinfo, JPOOL_IMAGE, (JDIMENSION)MAXCOLORMAPSIZE, |
| 424 | (JDIMENSION)NUMCOLORS); |
| 425 | colormaplen = 0; /* indicate initialization */ |
| 426 | |
| 427 | /* Read global colormap if header indicates it is present */ |
| 428 | if (BitSet(hdrbuf[4], COLORMAPFLAG)) { |
| 429 | colormaplen = 2 << (hdrbuf[4] & 0x07); |
| 430 | ReadColorMap(source, colormaplen, source->colormap); |
| 431 | } |
| 432 | |
| 433 | /* Scan until we reach start of desired image. |
| 434 | * We don't currently support skipping images, but could add it easily. |
| 435 | */ |
| 436 | for (;;) { |
| 437 | c = ReadByte(source); |
| 438 | |
| 439 | if (c == ';') /* GIF terminator?? */ |
| 440 | ERREXIT(cinfo, JERR_GIF_IMAGENOTFOUND); |
| 441 | |
| 442 | if (c == '!') { /* Extension */ |
| 443 | DoExtension(source); |
| 444 | continue; |
| 445 | } |
| 446 | |
| 447 | if (c != ',') { /* Not an image separator? */ |
| 448 | WARNMS1(cinfo, JWRN_GIF_CHAR, c); |
| 449 | continue; |
| 450 | } |
| 451 | |
| 452 | /* Read and decipher Local Image Descriptor */ |
| 453 | if (!ReadOK(source->pub.input_file, hdrbuf, 9)) |
| 454 | ERREXIT(cinfo, JERR_INPUT_EOF); |
| 455 | /* we ignore top/left position info, also sort flag */ |
| 456 | width = LM_to_uint(hdrbuf, 4); |
| 457 | height = LM_to_uint(hdrbuf, 6); |
Jonathan Wright | 24e3105 | 2021-04-26 12:10:48 +0100 | [diff] [blame] | 458 | if (width == 0 || height == 0) |
| 459 | ERREXIT(cinfo, JERR_GIF_EMPTY); |
| 460 | #ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION |
| 461 | if (sinfo->max_pixels && |
| 462 | (unsigned long long)width * height > sinfo->max_pixels) |
| 463 | ERREXIT(cinfo, JERR_WIDTH_OVERFLOW); |
| 464 | #endif |
Jonathan Wright | bbb8282 | 2020-11-25 13:36:43 +0000 | [diff] [blame] | 465 | source->is_interlaced = (BitSet(hdrbuf[8], INTERLACE) != 0); |
| 466 | |
| 467 | /* Read local colormap if header indicates it is present */ |
| 468 | /* Note: if we wanted to support skipping images, */ |
| 469 | /* we'd need to skip rather than read colormap for ignored images */ |
| 470 | if (BitSet(hdrbuf[8], COLORMAPFLAG)) { |
| 471 | colormaplen = 2 << (hdrbuf[8] & 0x07); |
| 472 | ReadColorMap(source, colormaplen, source->colormap); |
| 473 | } |
| 474 | |
| 475 | source->input_code_size = ReadByte(source); /* get min-code-size byte */ |
| 476 | if (source->input_code_size < 2 || source->input_code_size > 8) |
| 477 | ERREXIT1(cinfo, JERR_GIF_CODESIZE, source->input_code_size); |
| 478 | |
| 479 | /* Reached desired image, so break out of loop */ |
| 480 | /* If we wanted to skip this image, */ |
| 481 | /* we'd call SkipDataBlocks and then continue the loop */ |
| 482 | break; |
| 483 | } |
| 484 | |
| 485 | /* Prepare to read selected image: first initialize LZW decompressor */ |
| 486 | source->symbol_head = (UINT16 *) |
| 487 | (*cinfo->mem->alloc_large) ((j_common_ptr)cinfo, JPOOL_IMAGE, |
| 488 | LZW_TABLE_SIZE * sizeof(UINT16)); |
| 489 | source->symbol_tail = (UINT8 *) |
| 490 | (*cinfo->mem->alloc_large) ((j_common_ptr)cinfo, JPOOL_IMAGE, |
| 491 | LZW_TABLE_SIZE * sizeof(UINT8)); |
| 492 | source->symbol_stack = (UINT8 *) |
| 493 | (*cinfo->mem->alloc_large) ((j_common_ptr)cinfo, JPOOL_IMAGE, |
| 494 | LZW_TABLE_SIZE * sizeof(UINT8)); |
| 495 | InitLZWCode(source); |
| 496 | |
| 497 | /* |
| 498 | * If image is interlaced, we read it into a full-size sample array, |
| 499 | * decompressing as we go; then get_interlaced_row selects rows from the |
| 500 | * sample array in the proper order. |
| 501 | */ |
| 502 | if (source->is_interlaced) { |
| 503 | /* We request the virtual array now, but can't access it until virtual |
| 504 | * arrays have been allocated. Hence, the actual work of reading the |
| 505 | * image is postponed until the first call to get_pixel_rows. |
| 506 | */ |
| 507 | source->interlaced_image = (*cinfo->mem->request_virt_sarray) |
| 508 | ((j_common_ptr)cinfo, JPOOL_IMAGE, FALSE, |
| 509 | (JDIMENSION)width, (JDIMENSION)height, (JDIMENSION)1); |
| 510 | if (cinfo->progress != NULL) { |
| 511 | cd_progress_ptr progress = (cd_progress_ptr)cinfo->progress; |
| 512 | progress->total_extra_passes++; /* count file input as separate pass */ |
| 513 | } |
| 514 | source->pub.get_pixel_rows = load_interlaced_image; |
| 515 | } else { |
| 516 | source->pub.get_pixel_rows = get_pixel_rows; |
| 517 | } |
| 518 | |
| 519 | /* Create compressor input buffer. */ |
| 520 | source->pub.buffer = (*cinfo->mem->alloc_sarray) |
| 521 | ((j_common_ptr)cinfo, JPOOL_IMAGE, (JDIMENSION)width * NUMCOLORS, |
| 522 | (JDIMENSION)1); |
| 523 | source->pub.buffer_height = 1; |
| 524 | |
| 525 | /* Pad colormap for safety. */ |
| 526 | for (c = colormaplen; c < source->clear_code; c++) { |
| 527 | source->colormap[CM_RED][c] = |
| 528 | source->colormap[CM_GREEN][c] = |
| 529 | source->colormap[CM_BLUE][c] = CENTERJSAMPLE; |
| 530 | } |
| 531 | |
| 532 | /* Return info about the image. */ |
| 533 | cinfo->in_color_space = JCS_RGB; |
| 534 | cinfo->input_components = NUMCOLORS; |
| 535 | cinfo->data_precision = BITS_IN_JSAMPLE; /* we always rescale data to this */ |
| 536 | cinfo->image_width = width; |
| 537 | cinfo->image_height = height; |
| 538 | |
| 539 | TRACEMS3(cinfo, 1, JTRC_GIF, width, height, colormaplen); |
| 540 | } |
| 541 | |
| 542 | |
| 543 | /* |
| 544 | * Read one row of pixels. |
| 545 | * This version is used for noninterlaced GIF images: |
| 546 | * we read directly from the GIF file. |
| 547 | */ |
| 548 | |
| 549 | METHODDEF(JDIMENSION) |
| 550 | get_pixel_rows(j_compress_ptr cinfo, cjpeg_source_ptr sinfo) |
| 551 | { |
| 552 | gif_source_ptr source = (gif_source_ptr)sinfo; |
| 553 | register int c; |
| 554 | register JSAMPROW ptr; |
| 555 | register JDIMENSION col; |
| 556 | register JSAMPARRAY colormap = source->colormap; |
| 557 | |
| 558 | ptr = source->pub.buffer[0]; |
| 559 | for (col = cinfo->image_width; col > 0; col--) { |
| 560 | c = LZWReadByte(source); |
| 561 | *ptr++ = colormap[CM_RED][c]; |
| 562 | *ptr++ = colormap[CM_GREEN][c]; |
| 563 | *ptr++ = colormap[CM_BLUE][c]; |
| 564 | } |
| 565 | return 1; |
| 566 | } |
| 567 | |
| 568 | |
| 569 | /* |
| 570 | * Read one row of pixels. |
| 571 | * This version is used for the first call on get_pixel_rows when |
| 572 | * reading an interlaced GIF file: we read the whole image into memory. |
| 573 | */ |
| 574 | |
| 575 | METHODDEF(JDIMENSION) |
| 576 | load_interlaced_image(j_compress_ptr cinfo, cjpeg_source_ptr sinfo) |
| 577 | { |
| 578 | gif_source_ptr source = (gif_source_ptr)sinfo; |
| 579 | register JSAMPROW sptr; |
| 580 | register JDIMENSION col; |
| 581 | JDIMENSION row; |
| 582 | cd_progress_ptr progress = (cd_progress_ptr)cinfo->progress; |
| 583 | |
| 584 | /* Read the interlaced image into the virtual array we've created. */ |
| 585 | for (row = 0; row < cinfo->image_height; row++) { |
| 586 | if (progress != NULL) { |
| 587 | progress->pub.pass_counter = (long)row; |
| 588 | progress->pub.pass_limit = (long)cinfo->image_height; |
| 589 | (*progress->pub.progress_monitor) ((j_common_ptr)cinfo); |
| 590 | } |
| 591 | sptr = *(*cinfo->mem->access_virt_sarray) |
| 592 | ((j_common_ptr)cinfo, source->interlaced_image, row, (JDIMENSION)1, |
| 593 | TRUE); |
| 594 | for (col = cinfo->image_width; col > 0; col--) { |
| 595 | *sptr++ = (JSAMPLE)LZWReadByte(source); |
| 596 | } |
| 597 | } |
| 598 | if (progress != NULL) |
| 599 | progress->completed_extra_passes++; |
| 600 | |
| 601 | /* Replace method pointer so subsequent calls don't come here. */ |
| 602 | source->pub.get_pixel_rows = get_interlaced_row; |
| 603 | /* Initialize for get_interlaced_row, and perform first call on it. */ |
| 604 | source->cur_row_number = 0; |
| 605 | source->pass2_offset = (cinfo->image_height + 7) / 8; |
| 606 | source->pass3_offset = source->pass2_offset + (cinfo->image_height + 3) / 8; |
| 607 | source->pass4_offset = source->pass3_offset + (cinfo->image_height + 1) / 4; |
| 608 | |
| 609 | return get_interlaced_row(cinfo, sinfo); |
| 610 | } |
| 611 | |
| 612 | |
| 613 | /* |
| 614 | * Read one row of pixels. |
| 615 | * This version is used for interlaced GIF images: |
| 616 | * we read from the virtual array. |
| 617 | */ |
| 618 | |
| 619 | METHODDEF(JDIMENSION) |
| 620 | get_interlaced_row(j_compress_ptr cinfo, cjpeg_source_ptr sinfo) |
| 621 | { |
| 622 | gif_source_ptr source = (gif_source_ptr)sinfo; |
| 623 | register int c; |
| 624 | register JSAMPROW sptr, ptr; |
| 625 | register JDIMENSION col; |
| 626 | register JSAMPARRAY colormap = source->colormap; |
| 627 | JDIMENSION irow; |
| 628 | |
| 629 | /* Figure out which row of interlaced image is needed, and access it. */ |
| 630 | switch ((int)(source->cur_row_number & 7)) { |
| 631 | case 0: /* first-pass row */ |
| 632 | irow = source->cur_row_number >> 3; |
| 633 | break; |
| 634 | case 4: /* second-pass row */ |
| 635 | irow = (source->cur_row_number >> 3) + source->pass2_offset; |
| 636 | break; |
| 637 | case 2: /* third-pass row */ |
| 638 | case 6: |
| 639 | irow = (source->cur_row_number >> 2) + source->pass3_offset; |
| 640 | break; |
| 641 | default: /* fourth-pass row */ |
| 642 | irow = (source->cur_row_number >> 1) + source->pass4_offset; |
| 643 | } |
| 644 | sptr = *(*cinfo->mem->access_virt_sarray) |
| 645 | ((j_common_ptr)cinfo, source->interlaced_image, irow, (JDIMENSION)1, |
| 646 | FALSE); |
| 647 | /* Scan the row, expand colormap, and output */ |
| 648 | ptr = source->pub.buffer[0]; |
| 649 | for (col = cinfo->image_width; col > 0; col--) { |
| 650 | c = *sptr++; |
| 651 | *ptr++ = colormap[CM_RED][c]; |
| 652 | *ptr++ = colormap[CM_GREEN][c]; |
| 653 | *ptr++ = colormap[CM_BLUE][c]; |
| 654 | } |
| 655 | source->cur_row_number++; /* for next time */ |
| 656 | return 1; |
| 657 | } |
| 658 | |
| 659 | |
| 660 | /* |
| 661 | * Finish up at the end of the file. |
| 662 | */ |
| 663 | |
| 664 | METHODDEF(void) |
| 665 | finish_input_gif(j_compress_ptr cinfo, cjpeg_source_ptr sinfo) |
| 666 | { |
| 667 | /* no work */ |
| 668 | } |
| 669 | |
| 670 | |
hbono@chromium.org | f0c4f33 | 2010-11-01 05:14:55 +0000 | [diff] [blame] | 671 | /* |
| 672 | * The module selection routine for GIF format input. |
| 673 | */ |
| 674 | |
| 675 | GLOBAL(cjpeg_source_ptr) |
Chris Blume | cca8c4d | 2019-03-01 01:09:50 -0800 | [diff] [blame] | 676 | jinit_read_gif(j_compress_ptr cinfo) |
hbono@chromium.org | f0c4f33 | 2010-11-01 05:14:55 +0000 | [diff] [blame] | 677 | { |
Jonathan Wright | bbb8282 | 2020-11-25 13:36:43 +0000 | [diff] [blame] | 678 | gif_source_ptr source; |
| 679 | |
| 680 | /* Create module interface object */ |
| 681 | source = (gif_source_ptr) |
| 682 | (*cinfo->mem->alloc_small) ((j_common_ptr)cinfo, JPOOL_IMAGE, |
| 683 | sizeof(gif_source_struct)); |
| 684 | source->cinfo = cinfo; /* make back link for subroutines */ |
| 685 | /* Fill in method ptrs, except get_pixel_rows which start_input sets */ |
| 686 | source->pub.start_input = start_input_gif; |
| 687 | source->pub.finish_input = finish_input_gif; |
Jonathan Wright | 24e3105 | 2021-04-26 12:10:48 +0100 | [diff] [blame] | 688 | #ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION |
| 689 | source->pub.max_pixels = 0; |
| 690 | #endif |
Jonathan Wright | bbb8282 | 2020-11-25 13:36:43 +0000 | [diff] [blame] | 691 | |
| 692 | return (cjpeg_source_ptr)source; |
hbono@chromium.org | f0c4f33 | 2010-11-01 05:14:55 +0000 | [diff] [blame] | 693 | } |
| 694 | |
| 695 | #endif /* GIF_SUPPORTED */ |