| // Copyright 2014 The PDFium Authors |
| // Use of this source code is governed by a BSD-style license that can be |
| // found in the LICENSE file. |
| |
| // Original code copyright 2014 Foxit Software Inc. http://www.foxitsoftware.com |
| |
| #include "core/fxcodec/jpeg/jpegmodule.h" |
| |
| #include <setjmp.h> |
| #include <stdint.h> |
| #include <string.h> |
| |
| #include <memory> |
| #include <utility> |
| |
| #include "build/build_config.h" |
| #include "core/fxcodec/cfx_codec_memory.h" |
| #include "core/fxcodec/jpeg/jpeg_common.h" |
| #include "core/fxcodec/scanlinedecoder.h" |
| #include "core/fxcrt/data_vector.h" |
| #include "core/fxcrt/fx_safe_types.h" |
| #include "core/fxge/dib/cfx_dibbase.h" |
| #include "core/fxge/dib/fx_dib.h" |
| #include "third_party/abseil-cpp/absl/types/optional.h" |
| #include "third_party/base/check.h" |
| #include "third_party/base/notreached.h" |
| |
| static pdfium::span<const uint8_t> JpegScanSOI( |
| pdfium::span<const uint8_t> src_span) { |
| DCHECK(!src_span.empty()); |
| |
| for (size_t offset = 0; offset < src_span.size() - 1; ++offset) { |
| if (src_span[offset] == 0xff && src_span[offset + 1] == 0xd8) |
| return src_span.subspan(offset); |
| } |
| return src_span; |
| } |
| |
| extern "C" { |
| |
| static void error_fatal(j_common_ptr cinfo) { |
| longjmp(*(jmp_buf*)cinfo->client_data, -1); |
| } |
| |
| static void src_skip_data(jpeg_decompress_struct* cinfo, long num) { |
| if (num > (long)cinfo->src->bytes_in_buffer) { |
| error_fatal((j_common_ptr)cinfo); |
| } |
| cinfo->src->next_input_byte += num; |
| cinfo->src->bytes_in_buffer -= num; |
| } |
| |
| #if BUILDFLAG(IS_WIN) |
| static void dest_do_nothing(j_compress_ptr cinfo) {} |
| |
| static boolean dest_empty(j_compress_ptr cinfo) { |
| return false; |
| } |
| #endif // BUILDFLAG(IS_WIN) |
| |
| } // extern "C" |
| |
| static bool JpegLoadInfo(pdfium::span<const uint8_t> src_span, |
| JpegModule::ImageInfo* pInfo) { |
| src_span = JpegScanSOI(src_span); |
| jpeg_decompress_struct cinfo; |
| jpeg_error_mgr jerr; |
| jerr.error_exit = error_fatal; |
| jerr.emit_message = error_do_nothing_int; |
| jerr.output_message = error_do_nothing; |
| jerr.format_message = error_do_nothing_char; |
| jerr.reset_error_mgr = error_do_nothing; |
| jerr.trace_level = 0; |
| cinfo.err = &jerr; |
| jmp_buf mark; |
| cinfo.client_data = &mark; |
| if (setjmp(mark) == -1) |
| return false; |
| |
| jpeg_create_decompress(&cinfo); |
| jpeg_source_mgr src; |
| src.init_source = src_do_nothing; |
| src.term_source = src_do_nothing; |
| src.skip_input_data = src_skip_data; |
| src.fill_input_buffer = src_fill_buffer; |
| src.resync_to_restart = src_resync; |
| src.bytes_in_buffer = src_span.size(); |
| src.next_input_byte = src_span.data(); |
| cinfo.src = &src; |
| if (setjmp(mark) == -1) { |
| jpeg_destroy_decompress(&cinfo); |
| return false; |
| } |
| int ret = jpeg_read_header(&cinfo, TRUE); |
| if (ret != JPEG_HEADER_OK) { |
| jpeg_destroy_decompress(&cinfo); |
| return false; |
| } |
| pInfo->width = cinfo.image_width; |
| pInfo->height = cinfo.image_height; |
| pInfo->num_components = cinfo.num_components; |
| pInfo->color_transform = |
| cinfo.jpeg_color_space == JCS_YCbCr || cinfo.jpeg_color_space == JCS_YCCK; |
| pInfo->bits_per_components = cinfo.data_precision; |
| jpeg_destroy_decompress(&cinfo); |
| return true; |
| } |
| |
| namespace fxcodec { |
| |
| namespace { |
| |
| constexpr size_t kKnownBadHeaderWithInvalidHeightByteOffsetStarts[] = {94, 163}; |
| |
| class JpegDecoder final : public ScanlineDecoder { |
| public: |
| JpegDecoder(); |
| ~JpegDecoder() override; |
| |
| bool Create(pdfium::span<const uint8_t> src_span, |
| uint32_t width, |
| uint32_t height, |
| int nComps, |
| bool ColorTransform); |
| |
| // ScanlineDecoder: |
| bool Rewind() override; |
| pdfium::span<uint8_t> GetNextLine() override; |
| uint32_t GetSrcOffset() override; |
| |
| bool InitDecode(bool bAcceptKnownBadHeader); |
| |
| private: |
| void CalcPitch(); |
| void InitDecompressSrc(); |
| |
| // Can only be called inside a jpeg_read_header() setjmp handler. |
| bool HasKnownBadHeaderWithInvalidHeight(size_t dimension_offset) const; |
| |
| // Is a JPEG SOFn marker, which is defined as 0xff, 0xc[0-9a-f]. |
| bool IsSofSegment(size_t marker_offset) const; |
| |
| // Patch up the in-memory JPEG header for known bad JPEGs. |
| void PatchUpKnownBadHeaderWithInvalidHeight(size_t dimension_offset); |
| |
| // Patch up the JPEG trailer, even if it is correct. |
| void PatchUpTrailer(); |
| |
| uint8_t* GetWritableSrcData(); |
| |
| // For a given invalid height byte offset in |
| // |kKnownBadHeaderWithInvalidHeightByteOffsetStarts|, the SOFn marker should |
| // be this many bytes before that. |
| static constexpr size_t kSofMarkerByteOffset = 5; |
| |
| jmp_buf m_JmpBuf; |
| jpeg_decompress_struct m_Cinfo; |
| jpeg_error_mgr m_Jerr; |
| jpeg_source_mgr m_Src; |
| pdfium::span<const uint8_t> m_SrcSpan; |
| DataVector<uint8_t> m_ScanlineBuf; |
| bool m_bInited = false; |
| bool m_bStarted = false; |
| bool m_bJpegTransform = false; |
| uint32_t m_nDefaultScaleDenom = 1; |
| }; |
| |
| JpegDecoder::JpegDecoder() { |
| memset(&m_Cinfo, 0, sizeof(m_Cinfo)); |
| memset(&m_Jerr, 0, sizeof(m_Jerr)); |
| memset(&m_Src, 0, sizeof(m_Src)); |
| } |
| |
| JpegDecoder::~JpegDecoder() { |
| if (m_bInited) |
| jpeg_destroy_decompress(&m_Cinfo); |
| |
| // Span in superclass can't outlive our buffer. |
| m_pLastScanline = pdfium::span<uint8_t>(); |
| } |
| |
| bool JpegDecoder::InitDecode(bool bAcceptKnownBadHeader) { |
| m_Cinfo.err = &m_Jerr; |
| m_Cinfo.client_data = &m_JmpBuf; |
| if (setjmp(m_JmpBuf) == -1) |
| return false; |
| |
| jpeg_create_decompress(&m_Cinfo); |
| InitDecompressSrc(); |
| m_bInited = true; |
| |
| if (setjmp(m_JmpBuf) == -1) { |
| absl::optional<size_t> known_bad_header_offset; |
| if (bAcceptKnownBadHeader) { |
| for (size_t offset : kKnownBadHeaderWithInvalidHeightByteOffsetStarts) { |
| if (HasKnownBadHeaderWithInvalidHeight(offset)) { |
| known_bad_header_offset = offset; |
| break; |
| } |
| } |
| } |
| jpeg_destroy_decompress(&m_Cinfo); |
| if (!known_bad_header_offset.has_value()) { |
| m_bInited = false; |
| return false; |
| } |
| |
| PatchUpKnownBadHeaderWithInvalidHeight(known_bad_header_offset.value()); |
| |
| jpeg_create_decompress(&m_Cinfo); |
| InitDecompressSrc(); |
| } |
| m_Cinfo.image_width = m_OrigWidth; |
| m_Cinfo.image_height = m_OrigHeight; |
| int ret = jpeg_read_header(&m_Cinfo, TRUE); |
| if (ret != JPEG_HEADER_OK) |
| return false; |
| |
| if (m_Cinfo.saw_Adobe_marker) |
| m_bJpegTransform = true; |
| |
| if (m_Cinfo.num_components == 3 && !m_bJpegTransform) |
| m_Cinfo.out_color_space = m_Cinfo.jpeg_color_space; |
| |
| m_OrigWidth = m_Cinfo.image_width; |
| m_OrigHeight = m_Cinfo.image_height; |
| m_OutputWidth = m_OrigWidth; |
| m_OutputHeight = m_OrigHeight; |
| m_nDefaultScaleDenom = m_Cinfo.scale_denom; |
| return true; |
| } |
| |
| bool JpegDecoder::Create(pdfium::span<const uint8_t> src_span, |
| uint32_t width, |
| uint32_t height, |
| int nComps, |
| bool ColorTransform) { |
| m_SrcSpan = JpegScanSOI(src_span); |
| if (m_SrcSpan.size() < 2) |
| return false; |
| |
| PatchUpTrailer(); |
| |
| m_Jerr.error_exit = error_fatal; |
| m_Jerr.emit_message = error_do_nothing_int; |
| m_Jerr.output_message = error_do_nothing; |
| m_Jerr.format_message = error_do_nothing_char; |
| m_Jerr.reset_error_mgr = error_do_nothing; |
| m_Src.init_source = src_do_nothing; |
| m_Src.term_source = src_do_nothing; |
| m_Src.skip_input_data = src_skip_data; |
| m_Src.fill_input_buffer = src_fill_buffer; |
| m_Src.resync_to_restart = src_resync; |
| m_bJpegTransform = ColorTransform; |
| m_OutputWidth = m_OrigWidth = width; |
| m_OutputHeight = m_OrigHeight = height; |
| if (!InitDecode(/*bAcceptKnownBadHeader=*/true)) |
| return false; |
| |
| if (m_Cinfo.num_components < nComps) |
| return false; |
| |
| if (m_Cinfo.image_width < width) |
| return false; |
| |
| CalcPitch(); |
| m_ScanlineBuf = DataVector<uint8_t>(m_Pitch); |
| m_nComps = m_Cinfo.num_components; |
| m_bpc = 8; |
| m_bStarted = false; |
| return true; |
| } |
| |
| bool JpegDecoder::Rewind() { |
| if (m_bStarted) { |
| jpeg_destroy_decompress(&m_Cinfo); |
| if (!InitDecode(/*bAcceptKnownBadHeader=*/false)) { |
| return false; |
| } |
| } |
| if (setjmp(m_JmpBuf) == -1) { |
| return false; |
| } |
| m_Cinfo.scale_denom = m_nDefaultScaleDenom; |
| m_OutputWidth = m_OrigWidth; |
| m_OutputHeight = m_OrigHeight; |
| if (!jpeg_start_decompress(&m_Cinfo)) { |
| jpeg_destroy_decompress(&m_Cinfo); |
| return false; |
| } |
| if (static_cast<int>(m_Cinfo.output_width) > m_OrigWidth) { |
| NOTREACHED(); |
| return false; |
| } |
| m_bStarted = true; |
| return true; |
| } |
| |
| pdfium::span<uint8_t> JpegDecoder::GetNextLine() { |
| if (setjmp(m_JmpBuf) == -1) |
| return pdfium::span<uint8_t>(); |
| |
| uint8_t* row_array[] = {m_ScanlineBuf.data()}; |
| int nlines = jpeg_read_scanlines(&m_Cinfo, row_array, 1); |
| if (nlines <= 0) |
| return pdfium::span<uint8_t>(); |
| |
| return m_ScanlineBuf; |
| } |
| |
| uint32_t JpegDecoder::GetSrcOffset() { |
| return static_cast<uint32_t>(m_SrcSpan.size() - m_Src.bytes_in_buffer); |
| } |
| |
| void JpegDecoder::CalcPitch() { |
| m_Pitch = static_cast<uint32_t>(m_Cinfo.image_width) * m_Cinfo.num_components; |
| m_Pitch += 3; |
| m_Pitch /= 4; |
| m_Pitch *= 4; |
| } |
| |
| void JpegDecoder::InitDecompressSrc() { |
| m_Cinfo.src = &m_Src; |
| m_Src.bytes_in_buffer = m_SrcSpan.size(); |
| m_Src.next_input_byte = m_SrcSpan.data(); |
| } |
| |
| bool JpegDecoder::HasKnownBadHeaderWithInvalidHeight( |
| size_t dimension_offset) const { |
| // Perform lots of possibly redundant checks to make sure this has no false |
| // positives. |
| bool bDimensionChecks = m_Cinfo.err->msg_code == JERR_IMAGE_TOO_BIG && |
| m_Cinfo.image_width < JPEG_MAX_DIMENSION && |
| m_Cinfo.image_height == 0xffff && m_OrigWidth > 0 && |
| m_OrigWidth <= JPEG_MAX_DIMENSION && |
| m_OrigHeight > 0 && |
| m_OrigHeight <= JPEG_MAX_DIMENSION; |
| if (!bDimensionChecks) |
| return false; |
| |
| if (m_SrcSpan.size() <= dimension_offset + 3u) |
| return false; |
| |
| if (!IsSofSegment(dimension_offset - kSofMarkerByteOffset)) |
| return false; |
| |
| const uint8_t* pHeaderDimensions = &m_SrcSpan[dimension_offset]; |
| uint8_t nExpectedWidthByte1 = (m_OrigWidth >> 8) & 0xff; |
| uint8_t nExpectedWidthByte2 = m_OrigWidth & 0xff; |
| // Height high byte, height low byte, width high byte, width low byte. |
| return pHeaderDimensions[0] == 0xff && pHeaderDimensions[1] == 0xff && |
| pHeaderDimensions[2] == nExpectedWidthByte1 && |
| pHeaderDimensions[3] == nExpectedWidthByte2; |
| } |
| |
| bool JpegDecoder::IsSofSegment(size_t marker_offset) const { |
| const uint8_t* pHeaderMarker = &m_SrcSpan[marker_offset]; |
| return pHeaderMarker[0] == 0xff && pHeaderMarker[1] >= 0xc0 && |
| pHeaderMarker[1] <= 0xcf; |
| } |
| |
| void JpegDecoder::PatchUpKnownBadHeaderWithInvalidHeight( |
| size_t dimension_offset) { |
| DCHECK(m_SrcSpan.size() > dimension_offset + 1u); |
| uint8_t* pData = GetWritableSrcData() + dimension_offset; |
| pData[0] = (m_OrigHeight >> 8) & 0xff; |
| pData[1] = m_OrigHeight & 0xff; |
| } |
| |
| void JpegDecoder::PatchUpTrailer() { |
| uint8_t* pData = GetWritableSrcData(); |
| pData[m_SrcSpan.size() - 2] = 0xff; |
| pData[m_SrcSpan.size() - 1] = 0xd9; |
| } |
| |
| uint8_t* JpegDecoder::GetWritableSrcData() { |
| return const_cast<uint8_t*>(m_SrcSpan.data()); |
| } |
| |
| } // namespace |
| |
| // static |
| std::unique_ptr<ScanlineDecoder> JpegModule::CreateDecoder( |
| pdfium::span<const uint8_t> src_span, |
| uint32_t width, |
| uint32_t height, |
| int nComps, |
| bool ColorTransform) { |
| DCHECK(!src_span.empty()); |
| |
| auto pDecoder = std::make_unique<JpegDecoder>(); |
| if (!pDecoder->Create(src_span, width, height, nComps, ColorTransform)) |
| return nullptr; |
| |
| return std::move(pDecoder); |
| } |
| |
| // static |
| absl::optional<JpegModule::ImageInfo> JpegModule::LoadInfo( |
| pdfium::span<const uint8_t> src_span) { |
| ImageInfo info; |
| if (!JpegLoadInfo(src_span, &info)) |
| return absl::nullopt; |
| |
| return info; |
| } |
| |
| #if BUILDFLAG(IS_WIN) |
| bool JpegModule::JpegEncode(const RetainPtr<CFX_DIBBase>& pSource, |
| uint8_t** dest_buf, |
| size_t* dest_size) { |
| jpeg_error_mgr jerr; |
| jerr.error_exit = error_do_nothing; |
| jerr.emit_message = error_do_nothing_int; |
| jerr.output_message = error_do_nothing; |
| jerr.format_message = error_do_nothing_char; |
| jerr.reset_error_mgr = error_do_nothing; |
| |
| jpeg_compress_struct cinfo; |
| memset(&cinfo, 0, sizeof(cinfo)); |
| cinfo.err = &jerr; |
| jpeg_create_compress(&cinfo); |
| int Bpp = pSource->GetBPP() / 8; |
| uint32_t nComponents = Bpp >= 3 ? 3 : 1; |
| uint32_t pitch = pSource->GetPitch(); |
| uint32_t width = pdfium::base::checked_cast<uint32_t>(pSource->GetWidth()); |
| uint32_t height = pdfium::base::checked_cast<uint32_t>(pSource->GetHeight()); |
| FX_SAFE_UINT32 safe_buf_len = width; |
| safe_buf_len *= height; |
| safe_buf_len *= nComponents; |
| safe_buf_len += 1024; |
| if (!safe_buf_len.IsValid()) |
| return false; |
| |
| uint32_t dest_buf_length = safe_buf_len.ValueOrDie(); |
| *dest_buf = FX_TryAlloc(uint8_t, dest_buf_length); |
| const int MIN_TRY_BUF_LEN = 1024; |
| while (!(*dest_buf) && dest_buf_length > MIN_TRY_BUF_LEN) { |
| dest_buf_length >>= 1; |
| *dest_buf = FX_TryAlloc(uint8_t, dest_buf_length); |
| } |
| if (!(*dest_buf)) |
| return false; |
| |
| jpeg_destination_mgr dest; |
| dest.init_destination = dest_do_nothing; |
| dest.term_destination = dest_do_nothing; |
| dest.empty_output_buffer = dest_empty; |
| dest.next_output_byte = *dest_buf; |
| dest.free_in_buffer = dest_buf_length; |
| cinfo.dest = &dest; |
| cinfo.image_width = width; |
| cinfo.image_height = height; |
| cinfo.input_components = nComponents; |
| if (nComponents == 1) { |
| cinfo.in_color_space = JCS_GRAYSCALE; |
| } else if (nComponents == 3) { |
| cinfo.in_color_space = JCS_RGB; |
| } else { |
| cinfo.in_color_space = JCS_CMYK; |
| } |
| uint8_t* line_buf = nullptr; |
| if (nComponents > 1) |
| line_buf = FX_Alloc2D(uint8_t, width, nComponents); |
| |
| jpeg_set_defaults(&cinfo); |
| jpeg_start_compress(&cinfo, TRUE); |
| JSAMPROW row_pointer[1]; |
| JDIMENSION row; |
| while (cinfo.next_scanline < cinfo.image_height) { |
| pdfium::span<const uint8_t> src_scan = |
| pSource->GetScanline(cinfo.next_scanline); |
| if (nComponents > 1) { |
| uint8_t* dest_scan = line_buf; |
| if (nComponents == 3) { |
| for (uint32_t i = 0; i < width; i++) { |
| ReverseCopy3Bytes(dest_scan, src_scan.data()); |
| dest_scan += 3; |
| src_scan = src_scan.subspan(Bpp); |
| } |
| } else { |
| for (uint32_t i = 0; i < pitch; i++) { |
| *dest_scan++ = ~src_scan.front(); |
| src_scan = src_scan.subspan(1); |
| } |
| } |
| row_pointer[0] = line_buf; |
| } else { |
| row_pointer[0] = const_cast<uint8_t*>(src_scan.data()); |
| } |
| row = cinfo.next_scanline; |
| jpeg_write_scanlines(&cinfo, row_pointer, 1); |
| if (cinfo.next_scanline == row) { |
| constexpr size_t kJpegBlockSize = 1048576; |
| *dest_buf = |
| FX_Realloc(uint8_t, *dest_buf, dest_buf_length + kJpegBlockSize); |
| dest.next_output_byte = *dest_buf + dest_buf_length - dest.free_in_buffer; |
| dest_buf_length += kJpegBlockSize; |
| dest.free_in_buffer += kJpegBlockSize; |
| } |
| } |
| jpeg_finish_compress(&cinfo); |
| jpeg_destroy_compress(&cinfo); |
| FX_Free(line_buf); |
| *dest_size = dest_buf_length - static_cast<size_t>(dest.free_in_buffer); |
| |
| return true; |
| } |
| #endif // BUILDFLAG(IS_WIN) |
| |
| } // namespace fxcodec |