1 | -/* stb_image - v2.27 - public domain image loader - http://nothings.org/stb |
2 | +/* stb_image - v2.28 - public domain image loader - http://nothings.org/stb |
3 | no warranty implied; use at your own risk |
4 | |
5 | Do this: |
6 | |
7 | RECENT REVISION HISTORY: |
8 | |
9 | + 2.28 (2023-01-29) many error fixes, security errors, just tons of stuff |
10 | 2.27 (2021-07-11) document stbi_info better, 16-bit PNM support, bug fixes |
11 | 2.26 (2020-07-13) many minor fixes |
12 | 2.25 (2020-02-02) fix warnings |
13 | Cass Everitt Ryamond Barbiero github:grim210 |
14 | Paul Du Bois Engin Manap Aldo Culquicondor github:sammyhw |
15 | Philipp Wiesemann Dale Weiler Oriol Ferrer Mesia github:phprus |
16 | - Josh Tobin Matthew Gregan github:poppolopoppo |
17 | + Josh Tobin Neil Bickford Matthew Gregan github:poppolopoppo |
18 | Julian Raschke Gregory Mullen Christian Floisand github:darealshinji |
19 | Baldur Karlsson Kevin Schmidt JR Smith github:Michaelangel007 |
20 | Brad Weinberger Matvey Cherevko github:mosra |
21 | // // ... x = width, y = height, n = # 8-bit components per pixel ... |
22 | // // ... replace '0' with '1'..'4' to force that many components per pixel |
23 | // // ... but 'n' will always be the number that it would have been if you said 0 |
24 | -// stbi_image_free(data) |
25 | +// stbi_image_free(data); |
26 | // |
27 | // Standard parameters: |
28 | // int *x -- outputs image width in pixels |
29 | #endif |
30 | #endif |
31 | |
32 | -#ifdef _MSC_VER |
33 | +#if defined(_MSC_VER) || defined(__SYMBIAN32__) |
34 | typedef unsigned short stbi__uint16; |
35 | typedef signed short stbi__int16; |
36 | typedef unsigned int stbi__uint32; |
37 | } |
38 | #endif |
39 | |
40 | +// returns 1 if the sum of two signed ints is valid (between -2^31 and 2^31-1 inclusive), 0 on overflow. |
41 | +static int stbi__addints_valid(int a, int b) |
42 | +{ |
43 | + if ((a >= 0) != (b >= 0)) return 1; // a and b have different signs, so no overflow |
44 | + if (a < 0 && b < 0) return a >= INT_MIN - b; // same as a + b >= INT_MIN; INT_MIN - b cannot overflow since b < 0. |
45 | + return a <= INT_MAX - b; |
46 | +} |
47 | + |
48 | +// returns 1 if the product of two signed shorts is valid, 0 on overflow. |
49 | +static int stbi__mul2shorts_valid(short a, short b) |
50 | +{ |
51 | + if (b == 0 || b == -1) return 1; // multiplication by 0 is always 0; check for -1 so SHRT_MIN/b doesn't overflow |
52 | + if ((a >= 0) == (b >= 0)) return a <= SHRT_MAX/b; // product is positive, so similar to mul2sizes_valid |
53 | + if (b < 0) return a <= SHRT_MIN / b; // same as a * b >= SHRT_MIN |
54 | + return a >= SHRT_MIN / b; |
55 | +} |
56 | + |
57 | // stbi__err - error |
58 | // stbi__errpf - error returning pointer to float |
59 | // stbi__errpuc - error returning pointer to unsigned char |
60 | int i,j,k=0; |
61 | unsigned int code; |
62 | // build size list for each symbol (from JPEG spec) |
63 | - for (i=0; i < 16; ++i) |
64 | - for (j=0; j < count[i]; ++j) |
65 | + for (i=0; i < 16; ++i) { |
66 | + for (j=0; j < count[i]; ++j) { |
67 | h->size[k++] = (stbi_uc) (i+1); |
68 | + if(k >= 257) return stbi__err("bad size list","Corrupt JPEG"); |
69 | + } |
70 | + } |
71 | h->size[k] = 0; |
72 | |
73 | // compute actual symbols (from jpeg spec) |
74 | |
75 | // convert the huffman code to the symbol id |
76 | c = ((j->code_buffer >> (32 - k)) & stbi__bmask[k]) + h->delta[k]; |
77 | + if(c < 0 || c >= 256) // symbol id out of bounds! |
78 | + return -1; |
79 | STBI_ASSERT((((j->code_buffer) >> (32 - h->size[c])) & stbi__bmask[h->size[c]]) == h->code[c]); |
80 | |
81 | // convert the id to a symbol |
82 | unsigned int k; |
83 | int sgn; |
84 | if (j->code_bits < n) stbi__grow_buffer_unsafe(j); |
85 | + if (j->code_bits < n) return 0; // ran out of bits from stream, return 0s intead of continuing |
86 | |
87 | sgn = j->code_buffer >> 31; // sign bit always in MSB; 0 if MSB clear (positive), 1 if MSB set (negative) |
88 | k = stbi_lrot(j->code_buffer, n); |
89 | { |
90 | unsigned int k; |
91 | if (j->code_bits < n) stbi__grow_buffer_unsafe(j); |
92 | + if (j->code_bits < n) return 0; // ran out of bits from stream, return 0s intead of continuing |
93 | k = stbi_lrot(j->code_buffer, n); |
94 | j->code_buffer = k & ~stbi__bmask[n]; |
95 | k &= stbi__bmask[n]; |
96 | { |
97 | unsigned int k; |
98 | if (j->code_bits < 1) stbi__grow_buffer_unsafe(j); |
99 | + if (j->code_bits < 1) return 0; // ran out of bits from stream, return 0s intead of continuing |
100 | k = j->code_buffer; |
101 | j->code_buffer <<= 1; |
102 | --j->code_bits; |
103 | memset(data,0,64*sizeof(data[0])); |
104 | |
105 | diff = t ? stbi__extend_receive(j, t) : 0; |
106 | + if (!stbi__addints_valid(j->img_comp[b].dc_pred, diff)) return stbi__err("bad delta","Corrupt JPEG"); |
107 | dc = j->img_comp[b].dc_pred + diff; |
108 | j->img_comp[b].dc_pred = dc; |
109 | + if (!stbi__mul2shorts_valid(dc, dequant[0])) return stbi__err("can't merge dc and ac", "Corrupt JPEG"); |
110 | data[0] = (short) (dc * dequant[0]); |
111 | |
112 | // decode AC components, see JPEG spec |
113 | if (r) { // fast-AC path |
114 | k += (r >> 4) & 15; // run |
115 | s = r & 15; // combined length |
116 | + if (s > j->code_bits) return stbi__err("bad huffman code", "Combined length longer than code bits available"); |
117 | j->code_buffer <<= s; |
118 | j->code_bits -= s; |
119 | // decode into unzigzag'd location |
120 | if (t < 0 || t > 15) return stbi__err("can't merge dc and ac", "Corrupt JPEG"); |
121 | diff = t ? stbi__extend_receive(j, t) : 0; |
122 | |
123 | + if (!stbi__addints_valid(j->img_comp[b].dc_pred, diff)) return stbi__err("bad delta", "Corrupt JPEG"); |
124 | dc = j->img_comp[b].dc_pred + diff; |
125 | j->img_comp[b].dc_pred = dc; |
126 | + if (!stbi__mul2shorts_valid(dc, 1 << j->succ_low)) return stbi__err("can't merge dc and ac", "Corrupt JPEG"); |
127 | data[0] = (short) (dc * (1 << j->succ_low)); |
128 | } else { |
129 | // refinement scan for DC coefficient |
130 | if (r) { // fast-AC path |
131 | k += (r >> 4) & 15; // run |
132 | s = r & 15; // combined length |
133 | + if (s > j->code_bits) return stbi__err("bad huffman code", "Combined length longer than code bits available"); |
134 | j->code_buffer <<= s; |
135 | j->code_bits -= s; |
136 | zig = stbi__jpeg_dezigzag[k++]; |
137 | sizes[i] = stbi__get8(z->s); |
138 | n += sizes[i]; |
139 | } |
140 | + if(n > 256) return stbi__err("bad DHT header","Corrupt JPEG"); // Loop over i < n would write past end of values! |
141 | L -= 17; |
142 | if (tc == 0) { |
143 | if (!stbi__build_huffman(z->huff_dc+th, sizes)) return 0; |
144 | return 1; |
145 | } |
146 | |
147 | +static int stbi__skip_jpeg_junk_at_end(stbi__jpeg *j) |
148 | +{ |
149 | + // some JPEGs have junk at end, skip over it but if we find what looks |
150 | + // like a valid marker, resume there |
151 | + while (!stbi__at_eof(j->s)) { |
152 | + int x = stbi__get8(j->s); |
153 | + while (x == 255) { // might be a marker |
154 | + if (stbi__at_eof(j->s)) return STBI__MARKER_none; |
155 | + x = stbi__get8(j->s); |
156 | + if (x != 0x00 && x != 0xff) { |
157 | + // not a stuffed zero or lead-in to another marker, looks |
158 | + // like an actual marker, return it |
159 | + return x; |
160 | + } |
161 | + // stuffed zero has x=0 now which ends the loop, meaning we go |
162 | + // back to regular scan loop. |
163 | + // repeated 0xff keeps trying to read the next byte of the marker. |
164 | + } |
165 | + } |
166 | + return STBI__MARKER_none; |
167 | +} |
168 | + |
169 | // decode image to YCbCr format |
170 | static int stbi__decode_jpeg_image(stbi__jpeg *j) |
171 | { |
172 | if (!stbi__process_scan_header(j)) return 0; |
173 | if (!stbi__parse_entropy_coded_data(j)) return 0; |
174 | if (j->marker == STBI__MARKER_none ) { |
175 | - // handle 0s at the end of image data from IP Kamera 9060 |
176 | - while (!stbi__at_eof(j->s)) { |
177 | - int x = stbi__get8(j->s); |
178 | - if (x == 255) { |
179 | - j->marker = stbi__get8(j->s); |
180 | - break; |
181 | - } |
182 | - } |
183 | + j->marker = stbi__skip_jpeg_junk_at_end(j); |
184 | // if we reach eof without hitting a marker, stbi__get_marker() below will fail and we'll eventually return 0 |
185 | } |
186 | + m = stbi__get_marker(j); |
187 | + if (STBI__RESTART(m)) |
188 | + m = stbi__get_marker(j); |
189 | } else if (stbi__DNL(m)) { |
190 | int Ld = stbi__get16be(j->s); |
191 | stbi__uint32 NL = stbi__get16be(j->s); |
192 | if (Ld != 4) return stbi__err("bad DNL len", "Corrupt JPEG"); |
193 | if (NL != j->s->img_y) return stbi__err("bad DNL height", "Corrupt JPEG"); |
194 | + m = stbi__get_marker(j); |
195 | } else { |
196 | - if (!stbi__process_marker(j, m)) return 0; |
197 | + if (!stbi__process_marker(j, m)) return 1; |
198 | + m = stbi__get_marker(j); |
199 | } |
200 | - m = stbi__get_marker(j); |
201 | } |
202 | if (j->progressive) |
203 | stbi__jpeg_finish(j); |
204 | unsigned char* result; |
205 | stbi__jpeg* j = (stbi__jpeg*) stbi__malloc(sizeof(stbi__jpeg)); |
206 | if (!j) return stbi__errpuc("outofmem", "Out of memory"); |
207 | + memset(j, 0, sizeof(stbi__jpeg)); |
208 | STBI_NOTUSED(ri); |
209 | j->s = s; |
210 | stbi__setup_jpeg(j); |
211 | int r; |
212 | stbi__jpeg* j = (stbi__jpeg*)stbi__malloc(sizeof(stbi__jpeg)); |
213 | if (!j) return stbi__err("outofmem", "Out of memory"); |
214 | + memset(j, 0, sizeof(stbi__jpeg)); |
215 | j->s = s; |
216 | stbi__setup_jpeg(j); |
217 | r = stbi__decode_jpeg_header(j, STBI__SCAN_type); |
218 | int result; |
219 | stbi__jpeg* j = (stbi__jpeg*) (stbi__malloc(sizeof(stbi__jpeg))); |
220 | if (!j) return stbi__err("outofmem", "Out of memory"); |
221 | + memset(j, 0, sizeof(stbi__jpeg)); |
222 | j->s = s; |
223 | result = stbi__jpeg_info_raw(j, x, y, comp); |
224 | STBI_FREE(j); |
225 | a->zout = zout; |
226 | return 1; |
227 | } |
228 | + if (z >= 286) return stbi__err("bad huffman code","Corrupt PNG"); // per DEFLATE, length codes 286 and 287 must not appear in compressed data |
229 | z -= 257; |
230 | len = stbi__zlength_base[z]; |
231 | if (stbi__zlength_extra[z]) len += stbi__zreceive(a, stbi__zlength_extra[z]); |
232 | z = stbi__zhuffman_decode(a, &a->z_distance); |
233 | - if (z < 0) return stbi__err("bad huffman code","Corrupt PNG"); |
234 | + if (z < 0 || z >= 30) return stbi__err("bad huffman code","Corrupt PNG"); // per DEFLATE, distance codes 30 and 31 must not appear in compressed data |
235 | dist = stbi__zdist_base[z]; |
236 | if (stbi__zdist_extra[z]) dist += stbi__zreceive(a, stbi__zdist_extra[z]); |
237 | if (zout - a->zout_start < dist) return stbi__err("bad dist","Corrupt PNG"); |
238 | static STBI_THREAD_LOCAL int stbi__unpremultiply_on_load_local, stbi__unpremultiply_on_load_set; |
239 | static STBI_THREAD_LOCAL int stbi__de_iphone_flag_local, stbi__de_iphone_flag_set; |
240 | |
241 | -STBIDEF void stbi__unpremultiply_on_load_thread(int flag_true_if_should_unpremultiply) |
242 | +STBIDEF void stbi_set_unpremultiply_on_load_thread(int flag_true_if_should_unpremultiply) |
243 | { |
244 | stbi__unpremultiply_on_load_local = flag_true_if_should_unpremultiply; |
245 | stbi__unpremultiply_on_load_set = 1; |
246 | if (!pal_img_n) { |
247 | s->img_n = (color & 2 ? 3 : 1) + (color & 4 ? 1 : 0); |
248 | if ((1 << 30) / s->img_x / s->img_n < s->img_y) return stbi__err("too large", "Image too large to decode"); |
249 | - if (scan == STBI__SCAN_header) return 1; |
250 | } else { |
251 | // if paletted, then pal_n is our final components, and |
252 | // img_n is # components to decompress/filter. |
253 | s->img_n = 1; |
254 | if ((1 << 30) / s->img_x / 4 < s->img_y) return stbi__err("too large","Corrupt PNG"); |
255 | - // if SCAN_header, have to scan to see if we have a tRNS |
256 | } |
257 | + // even with SCAN_header, have to scan to see if we have a tRNS |
258 | break; |
259 | } |
260 | |
261 | if (!(s->img_n & 1)) return stbi__err("tRNS with alpha","Corrupt PNG"); |
262 | if (c.length != (stbi__uint32) s->img_n*2) return stbi__err("bad tRNS len","Corrupt PNG"); |
263 | has_trans = 1; |
264 | + // non-paletted with tRNS = constant alpha. if header-scanning, we can stop now. |
265 | + if (scan == STBI__SCAN_header) { ++s->img_n; return 1; } |
266 | if (z->depth == 16) { |
267 | for (k = 0; k < s->img_n; ++k) tc16[k] = (stbi__uint16)stbi__get16be(s); // copy the values as-is |
268 | } else { |
269 | case STBI__PNG_TYPE('I','D','A','T'): { |
270 | if (first) return stbi__err("first not IHDR", "Corrupt PNG"); |
271 | if (pal_img_n && !pal_len) return stbi__err("no PLTE","Corrupt PNG"); |
272 | - if (scan == STBI__SCAN_header) { s->img_n = pal_img_n; return 1; } |
273 | + if (scan == STBI__SCAN_header) { |
274 | + // header scan definitely stops at first IDAT |
275 | + if (pal_img_n) |
276 | + s->img_n = pal_img_n; |
277 | + return 1; |
278 | + } |
279 | + if (c.length > (1u << 30)) return stbi__err("IDAT size limit", "IDAT section larger than 2^30 bytes"); |
280 | if ((int)(ioff + c.length) < (int)ioff) return 0; |
281 | if (ioff + c.length > idata_limit) { |
282 | stbi__uint32 idata_limit_old = idata_limit; |
283 | psize = (info.offset - info.extra_read - info.hsz) >> 2; |
284 | } |
285 | if (psize == 0) { |
286 | - if (info.offset != s->callback_already_read + (int) (s->img_buffer - s->img_buffer_original)) { |
287 | - return stbi__errpuc("bad offset", "Corrupt BMP"); |
288 | + // accept some number of extra bytes after the header, but if the offset points either to before |
289 | + // the header ends or implies a large amount of extra data, reject the file as malformed |
290 | + int bytes_read_so_far = s->callback_already_read + (int)(s->img_buffer - s->img_buffer_original); |
291 | + int header_limit = 1024; // max we actually read is below 256 bytes currently. |
292 | + int extra_data_limit = 256*4; // what ordinarily goes here is a palette; 256 entries*4 bytes is its max size. |
293 | + if (bytes_read_so_far <= 0 || bytes_read_so_far > header_limit) { |
294 | + return stbi__errpuc("bad header", "Corrupt BMP"); |
295 | + } |
296 | + // we established that bytes_read_so_far is positive and sensible. |
297 | + // the first half of this test rejects offsets that are either too small positives, or |
298 | + // negative, and guarantees that info.offset >= bytes_read_so_far > 0. this in turn |
299 | + // ensures the number computed in the second half of the test can't overflow. |
300 | + if (info.offset < bytes_read_so_far || info.offset - bytes_read_so_far > extra_data_limit) { |
301 | + return stbi__errpuc("bad offset", "Corrupt BMP"); |
302 | + } else { |
303 | + stbi__skip(s, info.offset - bytes_read_so_far); |
304 | } |
305 | } |
306 | |
307 | // Run |
308 | value = stbi__get8(s); |
309 | count -= 128; |
310 | - if (count > nleft) { STBI_FREE(hdr_data); STBI_FREE(scanline); return stbi__errpf("corrupt", "bad RLE data in HDR"); } |
311 | + if ((count == 0) || (count > nleft)) { STBI_FREE(hdr_data); STBI_FREE(scanline); return stbi__errpf("corrupt", "bad RLE data in HDR"); } |
312 | for (z = 0; z < count; ++z) |
313 | scanline[i++ * 4 + k] = value; |
314 | } else { |
315 | // Dump |
316 | - if (count > nleft) { STBI_FREE(hdr_data); STBI_FREE(scanline); return stbi__errpf("corrupt", "bad RLE data in HDR"); } |
317 | + if ((count == 0) || (count > nleft)) { STBI_FREE(hdr_data); STBI_FREE(scanline); return stbi__errpf("corrupt", "bad RLE data in HDR"); } |
318 | for (z = 0; z < count; ++z) |
319 | scanline[i++ * 4 + k] = stbi__get8(s); |
320 | } |
321 | |
322 | out = (stbi_uc *) stbi__malloc_mad4(s->img_n, s->img_x, s->img_y, ri->bits_per_channel / 8, 0); |
323 | if (!out) return stbi__errpuc("outofmem", "Out of memory"); |
324 | - stbi__getn(s, out, s->img_n * s->img_x * s->img_y * (ri->bits_per_channel / 8)); |
325 | + if (!stbi__getn(s, out, s->img_n * s->img_x * s->img_y * (ri->bits_per_channel / 8))) { |
326 | + STBI_FREE(out); |
327 | + return stbi__errpuc("bad PNM", "PNM file truncated"); |
328 | + } |
329 | |
330 | if (req_comp && req_comp != s->img_n) { |
331 | - out = stbi__convert_format(out, s->img_n, req_comp, s->img_x, s->img_y); |
332 | + if (ri->bits_per_channel == 16) { |
333 | + out = (stbi_uc *) stbi__convert_format16((stbi__uint16 *) out, s->img_n, req_comp, s->img_x, s->img_y); |
334 | + } else { |
335 | + out = stbi__convert_format(out, s->img_n, req_comp, s->img_x, s->img_y); |
336 | + } |
337 | if (out == NULL) return out; // stbi__convert_format frees input on failure |
338 | } |
339 | return out; |
340 | while (!stbi__at_eof(s) && stbi__pnm_isdigit(*c)) { |
341 | value = value*10 + (*c - '0'); |
342 | *c = (char) stbi__get8(s); |
343 | + if((value > 214748364) || (value == 214748364 && *c > '7')) |
344 | + return stbi__err("integer parse overflow", "Parsing an integer in the PPM header overflowed a 32-bit int"); |
345 | } |
346 | |
347 | return value; |
348 | stbi__pnm_skip_whitespace(s, &c); |
349 | |
350 | *x = stbi__pnm_getinteger(s, &c); // read width |
351 | + if(*x == 0) |
352 | + return stbi__err("invalid width", "PPM image header had zero or overflowing width"); |
353 | stbi__pnm_skip_whitespace(s, &c); |
354 | |
355 | *y = stbi__pnm_getinteger(s, &c); // read height |
356 | + if (*y == 0) |
357 | + return stbi__err("invalid width", "PPM image header had zero or overflowing width"); |
358 | stbi__pnm_skip_whitespace(s, &c); |
359 | |
360 | maxv = stbi__pnm_getinteger(s, &c); // read max value |
361 | |