Additions: 117 Deletions: 27 View patch
1-/* stb_image - v2.27 - public domain image loader - http://nothings.org/stb
2+/* stb_image - v2.28 - public domain image loader - http://nothings.org/stb
3 no warranty implied; use at your own risk
4
5 Do this:
6
7 RECENT REVISION HISTORY:
8
9+ 2.28 (2023-01-29) many error fixes, security errors, just tons of stuff
10 2.27 (2021-07-11) document stbi_info better, 16-bit PNM support, bug fixes
11 2.26 (2020-07-13) many minor fixes
12 2.25 (2020-02-02) fix warnings
13 Cass Everitt Ryamond Barbiero github:grim210
14 Paul Du Bois Engin Manap Aldo Culquicondor github:sammyhw
15 Philipp Wiesemann Dale Weiler Oriol Ferrer Mesia github:phprus
16- Josh Tobin Matthew Gregan github:poppolopoppo
17+ Josh Tobin Neil Bickford Matthew Gregan github:poppolopoppo
18 Julian Raschke Gregory Mullen Christian Floisand github:darealshinji
19 Baldur Karlsson Kevin Schmidt JR Smith github:Michaelangel007
20 Brad Weinberger Matvey Cherevko github:mosra
21 // // ... x = width, y = height, n = # 8-bit components per pixel ...
22 // // ... replace '0' with '1'..'4' to force that many components per pixel
23 // // ... but 'n' will always be the number that it would have been if you said 0
24-// stbi_image_free(data)
25+// stbi_image_free(data);
26 //
27 // Standard parameters:
28 // int *x -- outputs image width in pixels
29 #endif
30 #endif
31
32-#ifdef _MSC_VER
33+#if defined(_MSC_VER) || defined(__SYMBIAN32__)
34 typedef unsigned short stbi__uint16;
35 typedef signed short stbi__int16;
36 typedef unsigned int stbi__uint32;
37 }
38 #endif
39
40+// returns 1 if the sum of two signed ints is valid (between -2^31 and 2^31-1 inclusive), 0 on overflow.
41+static int stbi__addints_valid(int a, int b)
42+{
43+ if ((a >= 0) != (b >= 0)) return 1; // a and b have different signs, so no overflow
44+ if (a < 0 && b < 0) return a >= INT_MIN - b; // same as a + b >= INT_MIN; INT_MIN - b cannot overflow since b < 0.
45+ return a <= INT_MAX - b;
46+}
47+
48+// returns 1 if the product of two signed shorts is valid, 0 on overflow.
49+static int stbi__mul2shorts_valid(short a, short b)
50+{
51+ if (b == 0 || b == -1) return 1; // multiplication by 0 is always 0; check for -1 so SHRT_MIN/b doesn't overflow
52+ if ((a >= 0) == (b >= 0)) return a <= SHRT_MAX/b; // product is positive, so similar to mul2sizes_valid
53+ if (b < 0) return a <= SHRT_MIN / b; // same as a * b >= SHRT_MIN
54+ return a >= SHRT_MIN / b;
55+}
56+
57 // stbi__err - error
58 // stbi__errpf - error returning pointer to float
59 // stbi__errpuc - error returning pointer to unsigned char
60 int i,j,k=0;
61 unsigned int code;
62 // build size list for each symbol (from JPEG spec)
63- for (i=0; i < 16; ++i)
64- for (j=0; j < count[i]; ++j)
65+ for (i=0; i < 16; ++i) {
66+ for (j=0; j < count[i]; ++j) {
67 h->size[k++] = (stbi_uc) (i+1);
68+ if(k >= 257) return stbi__err("bad size list","Corrupt JPEG");
69+ }
70+ }
71 h->size[k] = 0;
72
73 // compute actual symbols (from jpeg spec)
74
75 // convert the huffman code to the symbol id
76 c = ((j->code_buffer >> (32 - k)) & stbi__bmask[k]) + h->delta[k];
77+ if(c < 0 || c >= 256) // symbol id out of bounds!
78+ return -1;
79 STBI_ASSERT((((j->code_buffer) >> (32 - h->size[c])) & stbi__bmask[h->size[c]]) == h->code[c]);
80
81 // convert the id to a symbol
82 unsigned int k;
83 int sgn;
84 if (j->code_bits < n) stbi__grow_buffer_unsafe(j);
85+ if (j->code_bits < n) return 0; // ran out of bits from stream, return 0s intead of continuing
86
87 sgn = j->code_buffer >> 31; // sign bit always in MSB; 0 if MSB clear (positive), 1 if MSB set (negative)
88 k = stbi_lrot(j->code_buffer, n);
89 {
90 unsigned int k;
91 if (j->code_bits < n) stbi__grow_buffer_unsafe(j);
92+ if (j->code_bits < n) return 0; // ran out of bits from stream, return 0s intead of continuing
93 k = stbi_lrot(j->code_buffer, n);
94 j->code_buffer = k & ~stbi__bmask[n];
95 k &= stbi__bmask[n];
96 {
97 unsigned int k;
98 if (j->code_bits < 1) stbi__grow_buffer_unsafe(j);
99+ if (j->code_bits < 1) return 0; // ran out of bits from stream, return 0s intead of continuing
100 k = j->code_buffer;
101 j->code_buffer <<= 1;
102 --j->code_bits;
103 memset(data,0,64*sizeof(data[0]));
104
105 diff = t ? stbi__extend_receive(j, t) : 0;
106+ if (!stbi__addints_valid(j->img_comp[b].dc_pred, diff)) return stbi__err("bad delta","Corrupt JPEG");
107 dc = j->img_comp[b].dc_pred + diff;
108 j->img_comp[b].dc_pred = dc;
109+ if (!stbi__mul2shorts_valid(dc, dequant[0])) return stbi__err("can't merge dc and ac", "Corrupt JPEG");
110 data[0] = (short) (dc * dequant[0]);
111
112 // decode AC components, see JPEG spec
113 if (r) { // fast-AC path
114 k += (r >> 4) & 15; // run
115 s = r & 15; // combined length
116+ if (s > j->code_bits) return stbi__err("bad huffman code", "Combined length longer than code bits available");
117 j->code_buffer <<= s;
118 j->code_bits -= s;
119 // decode into unzigzag'd location
120 if (t < 0 || t > 15) return stbi__err("can't merge dc and ac", "Corrupt JPEG");
121 diff = t ? stbi__extend_receive(j, t) : 0;
122
123+ if (!stbi__addints_valid(j->img_comp[b].dc_pred, diff)) return stbi__err("bad delta", "Corrupt JPEG");
124 dc = j->img_comp[b].dc_pred + diff;
125 j->img_comp[b].dc_pred = dc;
126+ if (!stbi__mul2shorts_valid(dc, 1 << j->succ_low)) return stbi__err("can't merge dc and ac", "Corrupt JPEG");
127 data[0] = (short) (dc * (1 << j->succ_low));
128 } else {
129 // refinement scan for DC coefficient
130 if (r) { // fast-AC path
131 k += (r >> 4) & 15; // run
132 s = r & 15; // combined length
133+ if (s > j->code_bits) return stbi__err("bad huffman code", "Combined length longer than code bits available");
134 j->code_buffer <<= s;
135 j->code_bits -= s;
136 zig = stbi__jpeg_dezigzag[k++];
137 sizes[i] = stbi__get8(z->s);
138 n += sizes[i];
139 }
140+ if(n > 256) return stbi__err("bad DHT header","Corrupt JPEG"); // Loop over i < n would write past end of values!
141 L -= 17;
142 if (tc == 0) {
143 if (!stbi__build_huffman(z->huff_dc+th, sizes)) return 0;
144 return 1;
145 }
146
147+static int stbi__skip_jpeg_junk_at_end(stbi__jpeg *j)
148+{
149+ // some JPEGs have junk at end, skip over it but if we find what looks
150+ // like a valid marker, resume there
151+ while (!stbi__at_eof(j->s)) {
152+ int x = stbi__get8(j->s);
153+ while (x == 255) { // might be a marker
154+ if (stbi__at_eof(j->s)) return STBI__MARKER_none;
155+ x = stbi__get8(j->s);
156+ if (x != 0x00 && x != 0xff) {
157+ // not a stuffed zero or lead-in to another marker, looks
158+ // like an actual marker, return it
159+ return x;
160+ }
161+ // stuffed zero has x=0 now which ends the loop, meaning we go
162+ // back to regular scan loop.
163+ // repeated 0xff keeps trying to read the next byte of the marker.
164+ }
165+ }
166+ return STBI__MARKER_none;
167+}
168+
169 // decode image to YCbCr format
170 static int stbi__decode_jpeg_image(stbi__jpeg *j)
171 {
172 if (!stbi__process_scan_header(j)) return 0;
173 if (!stbi__parse_entropy_coded_data(j)) return 0;
174 if (j->marker == STBI__MARKER_none ) {
175- // handle 0s at the end of image data from IP Kamera 9060
176- while (!stbi__at_eof(j->s)) {
177- int x = stbi__get8(j->s);
178- if (x == 255) {
179- j->marker = stbi__get8(j->s);
180- break;
181- }
182- }
183+ j->marker = stbi__skip_jpeg_junk_at_end(j);
184 // if we reach eof without hitting a marker, stbi__get_marker() below will fail and we'll eventually return 0
185 }
186+ m = stbi__get_marker(j);
187+ if (STBI__RESTART(m))
188+ m = stbi__get_marker(j);
189 } else if (stbi__DNL(m)) {
190 int Ld = stbi__get16be(j->s);
191 stbi__uint32 NL = stbi__get16be(j->s);
192 if (Ld != 4) return stbi__err("bad DNL len", "Corrupt JPEG");
193 if (NL != j->s->img_y) return stbi__err("bad DNL height", "Corrupt JPEG");
194+ m = stbi__get_marker(j);
195 } else {
196- if (!stbi__process_marker(j, m)) return 0;
197+ if (!stbi__process_marker(j, m)) return 1;
198+ m = stbi__get_marker(j);
199 }
200- m = stbi__get_marker(j);
201 }
202 if (j->progressive)
203 stbi__jpeg_finish(j);
204 unsigned char* result;
205 stbi__jpeg* j = (stbi__jpeg*) stbi__malloc(sizeof(stbi__jpeg));
206 if (!j) return stbi__errpuc("outofmem", "Out of memory");
207+ memset(j, 0, sizeof(stbi__jpeg));
208 STBI_NOTUSED(ri);
209 j->s = s;
210 stbi__setup_jpeg(j);
211 int r;
212 stbi__jpeg* j = (stbi__jpeg*)stbi__malloc(sizeof(stbi__jpeg));
213 if (!j) return stbi__err("outofmem", "Out of memory");
214+ memset(j, 0, sizeof(stbi__jpeg));
215 j->s = s;
216 stbi__setup_jpeg(j);
217 r = stbi__decode_jpeg_header(j, STBI__SCAN_type);
218 int result;
219 stbi__jpeg* j = (stbi__jpeg*) (stbi__malloc(sizeof(stbi__jpeg)));
220 if (!j) return stbi__err("outofmem", "Out of memory");
221+ memset(j, 0, sizeof(stbi__jpeg));
222 j->s = s;
223 result = stbi__jpeg_info_raw(j, x, y, comp);
224 STBI_FREE(j);
225 a->zout = zout;
226 return 1;
227 }
228+ if (z >= 286) return stbi__err("bad huffman code","Corrupt PNG"); // per DEFLATE, length codes 286 and 287 must not appear in compressed data
229 z -= 257;
230 len = stbi__zlength_base[z];
231 if (stbi__zlength_extra[z]) len += stbi__zreceive(a, stbi__zlength_extra[z]);
232 z = stbi__zhuffman_decode(a, &a->z_distance);
233- if (z < 0) return stbi__err("bad huffman code","Corrupt PNG");
234+ if (z < 0 || z >= 30) return stbi__err("bad huffman code","Corrupt PNG"); // per DEFLATE, distance codes 30 and 31 must not appear in compressed data
235 dist = stbi__zdist_base[z];
236 if (stbi__zdist_extra[z]) dist += stbi__zreceive(a, stbi__zdist_extra[z]);
237 if (zout - a->zout_start < dist) return stbi__err("bad dist","Corrupt PNG");
238 static STBI_THREAD_LOCAL int stbi__unpremultiply_on_load_local, stbi__unpremultiply_on_load_set;
239 static STBI_THREAD_LOCAL int stbi__de_iphone_flag_local, stbi__de_iphone_flag_set;
240
241-STBIDEF void stbi__unpremultiply_on_load_thread(int flag_true_if_should_unpremultiply)
242+STBIDEF void stbi_set_unpremultiply_on_load_thread(int flag_true_if_should_unpremultiply)
243 {
244 stbi__unpremultiply_on_load_local = flag_true_if_should_unpremultiply;
245 stbi__unpremultiply_on_load_set = 1;
246 if (!pal_img_n) {
247 s->img_n = (color & 2 ? 3 : 1) + (color & 4 ? 1 : 0);
248 if ((1 << 30) / s->img_x / s->img_n < s->img_y) return stbi__err("too large", "Image too large to decode");
249- if (scan == STBI__SCAN_header) return 1;
250 } else {
251 // if paletted, then pal_n is our final components, and
252 // img_n is # components to decompress/filter.
253 s->img_n = 1;
254 if ((1 << 30) / s->img_x / 4 < s->img_y) return stbi__err("too large","Corrupt PNG");
255- // if SCAN_header, have to scan to see if we have a tRNS
256 }
257+ // even with SCAN_header, have to scan to see if we have a tRNS
258 break;
259 }
260
261 if (!(s->img_n & 1)) return stbi__err("tRNS with alpha","Corrupt PNG");
262 if (c.length != (stbi__uint32) s->img_n*2) return stbi__err("bad tRNS len","Corrupt PNG");
263 has_trans = 1;
264+ // non-paletted with tRNS = constant alpha. if header-scanning, we can stop now.
265+ if (scan == STBI__SCAN_header) { ++s->img_n; return 1; }
266 if (z->depth == 16) {
267 for (k = 0; k < s->img_n; ++k) tc16[k] = (stbi__uint16)stbi__get16be(s); // copy the values as-is
268 } else {
269 case STBI__PNG_TYPE('I','D','A','T'): {
270 if (first) return stbi__err("first not IHDR", "Corrupt PNG");
271 if (pal_img_n && !pal_len) return stbi__err("no PLTE","Corrupt PNG");
272- if (scan == STBI__SCAN_header) { s->img_n = pal_img_n; return 1; }
273+ if (scan == STBI__SCAN_header) {
274+ // header scan definitely stops at first IDAT
275+ if (pal_img_n)
276+ s->img_n = pal_img_n;
277+ return 1;
278+ }
279+ if (c.length > (1u << 30)) return stbi__err("IDAT size limit", "IDAT section larger than 2^30 bytes");
280 if ((int)(ioff + c.length) < (int)ioff) return 0;
281 if (ioff + c.length > idata_limit) {
282 stbi__uint32 idata_limit_old = idata_limit;
283 psize = (info.offset - info.extra_read - info.hsz) >> 2;
284 }
285 if (psize == 0) {
286- if (info.offset != s->callback_already_read + (int) (s->img_buffer - s->img_buffer_original)) {
287- return stbi__errpuc("bad offset", "Corrupt BMP");
288+ // accept some number of extra bytes after the header, but if the offset points either to before
289+ // the header ends or implies a large amount of extra data, reject the file as malformed
290+ int bytes_read_so_far = s->callback_already_read + (int)(s->img_buffer - s->img_buffer_original);
291+ int header_limit = 1024; // max we actually read is below 256 bytes currently.
292+ int extra_data_limit = 256*4; // what ordinarily goes here is a palette; 256 entries*4 bytes is its max size.
293+ if (bytes_read_so_far <= 0 || bytes_read_so_far > header_limit) {
294+ return stbi__errpuc("bad header", "Corrupt BMP");
295+ }
296+ // we established that bytes_read_so_far is positive and sensible.
297+ // the first half of this test rejects offsets that are either too small positives, or
298+ // negative, and guarantees that info.offset >= bytes_read_so_far > 0. this in turn
299+ // ensures the number computed in the second half of the test can't overflow.
300+ if (info.offset < bytes_read_so_far || info.offset - bytes_read_so_far > extra_data_limit) {
301+ return stbi__errpuc("bad offset", "Corrupt BMP");
302+ } else {
303+ stbi__skip(s, info.offset - bytes_read_so_far);
304 }
305 }
306
307 // Run
308 value = stbi__get8(s);
309 count -= 128;
310- if (count > nleft) { STBI_FREE(hdr_data); STBI_FREE(scanline); return stbi__errpf("corrupt", "bad RLE data in HDR"); }
311+ if ((count == 0) || (count > nleft)) { STBI_FREE(hdr_data); STBI_FREE(scanline); return stbi__errpf("corrupt", "bad RLE data in HDR"); }
312 for (z = 0; z < count; ++z)
313 scanline[i++ * 4 + k] = value;
314 } else {
315 // Dump
316- if (count > nleft) { STBI_FREE(hdr_data); STBI_FREE(scanline); return stbi__errpf("corrupt", "bad RLE data in HDR"); }
317+ if ((count == 0) || (count > nleft)) { STBI_FREE(hdr_data); STBI_FREE(scanline); return stbi__errpf("corrupt", "bad RLE data in HDR"); }
318 for (z = 0; z < count; ++z)
319 scanline[i++ * 4 + k] = stbi__get8(s);
320 }
321
322 out = (stbi_uc *) stbi__malloc_mad4(s->img_n, s->img_x, s->img_y, ri->bits_per_channel / 8, 0);
323 if (!out) return stbi__errpuc("outofmem", "Out of memory");
324- stbi__getn(s, out, s->img_n * s->img_x * s->img_y * (ri->bits_per_channel / 8));
325+ if (!stbi__getn(s, out, s->img_n * s->img_x * s->img_y * (ri->bits_per_channel / 8))) {
326+ STBI_FREE(out);
327+ return stbi__errpuc("bad PNM", "PNM file truncated");
328+ }
329
330 if (req_comp && req_comp != s->img_n) {
331- out = stbi__convert_format(out, s->img_n, req_comp, s->img_x, s->img_y);
332+ if (ri->bits_per_channel == 16) {
333+ out = (stbi_uc *) stbi__convert_format16((stbi__uint16 *) out, s->img_n, req_comp, s->img_x, s->img_y);
334+ } else {
335+ out = stbi__convert_format(out, s->img_n, req_comp, s->img_x, s->img_y);
336+ }
337 if (out == NULL) return out; // stbi__convert_format frees input on failure
338 }
339 return out;
340 while (!stbi__at_eof(s) && stbi__pnm_isdigit(*c)) {
341 value = value*10 + (*c - '0');
342 *c = (char) stbi__get8(s);
343+ if((value > 214748364) || (value == 214748364 && *c > '7'))
344+ return stbi__err("integer parse overflow", "Parsing an integer in the PPM header overflowed a 32-bit int");
345 }
346
347 return value;
348 stbi__pnm_skip_whitespace(s, &c);
349
350 *x = stbi__pnm_getinteger(s, &c); // read width
351+ if(*x == 0)
352+ return stbi__err("invalid width", "PPM image header had zero or overflowing width");
353 stbi__pnm_skip_whitespace(s, &c);
354
355 *y = stbi__pnm_getinteger(s, &c); // read height
356+ if (*y == 0)
357+ return stbi__err("invalid width", "PPM image header had zero or overflowing width");
358 stbi__pnm_skip_whitespace(s, &c);
359
360 maxv = stbi__pnm_getinteger(s, &c); // read max value
361
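Review bot: The new `stbi__mul2shorts_valid` is declared with `short a, short b`, so its arguments are narrowed to short before the overflow check runs. Both call sites pass `dc`, which is the sum just validated as an int by `stbi__addints_valid`, and the progressive path also passes `1 << j->succ_low`. A `dc` outside the short range is converted at the call (implementation-defined, typically wrapped) to a small value, the helper reports the product as valid, and `(short) (dc * dequant[0])` still truncates silently. Declaring it as `static int stbi__mul2shorts_valid(int a, int b)`, with the comment changed to `// returns 1 if the product of two ints fits in a signed short, 0 on overflow.`, lets the existing SHRT_MIN/SHRT_MAX comparisons see the real operands. The declarations of `dc` and `dequant` fall outside the visible lines, so confirm their types against the full functions.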