ffmpeg/libavformat/flac_picture.c

191 lines
6.5 KiB
C

/*
* Raw FLAC picture parser
* Copyright (c) 2001 Fabrice Bellard
*
* This file is part of FFmpeg.
*
* FFmpeg is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2.1 of the License, or (at your option) any later version.
*
* FFmpeg is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with FFmpeg; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
*/
#include "libavutil/intreadwrite.h"
#include "libavcodec/bytestream.h"
#include "libavcodec/png.h"
#include "avformat.h"
#include "demux.h"
#include "flac_picture.h"
#include "id3v2.h"
#include "internal.h"
#define MAX_TRUNC_PICTURE_SIZE (500 * 1024 * 1024)
int ff_flac_parse_picture(AVFormatContext *s, uint8_t **bufp, int buf_size,
int truncate_workaround)
{
const CodecMime *mime = ff_id3v2_mime_tags;
enum AVCodecID id = AV_CODEC_ID_NONE;
AVBufferRef *data = NULL;
uint8_t mimetype[64], *buf = *bufp;
const uint8_t *desc = NULL;
GetByteContext g;
AVStream *st;
int width, height, ret = 0;
unsigned int type;
uint32_t len, left, trunclen = 0;
if (buf_size < 34) {
av_log(s, AV_LOG_ERROR, "Attached picture metadata block too short\n");
if (s->error_recognition & AV_EF_EXPLODE)
return AVERROR_INVALIDDATA;
return 0;
}
bytestream2_init(&g, buf, buf_size);
/* read the picture type */
type = bytestream2_get_be32u(&g);
if (type >= FF_ARRAY_ELEMS(ff_id3v2_picture_types)) {
av_log(s, AV_LOG_ERROR, "Invalid picture type: %d.\n", type);
if (s->error_recognition & AV_EF_EXPLODE) {
return AVERROR_INVALIDDATA;
}
type = 0;
}
/* picture mimetype */
len = bytestream2_get_be32u(&g);
if (len <= 0 || len >= sizeof(mimetype)) {
av_log(s, AV_LOG_ERROR, "Could not read mimetype from an attached "
"picture.\n");
if (s->error_recognition & AV_EF_EXPLODE)
return AVERROR_INVALIDDATA;
return 0;
}
if (len + 24 > bytestream2_get_bytes_left(&g)) {
av_log(s, AV_LOG_ERROR, "Attached picture metadata block too short\n");
if (s->error_recognition & AV_EF_EXPLODE)
return AVERROR_INVALIDDATA;
return 0;
}
bytestream2_get_bufferu(&g, mimetype, len);
mimetype[len] = 0;
while (mime->id != AV_CODEC_ID_NONE) {
if (!strncmp(mime->str, mimetype, sizeof(mimetype))) {
id = mime->id;
break;
}
mime++;
}
if (id == AV_CODEC_ID_NONE) {
av_log(s, AV_LOG_ERROR, "Unknown attached picture mimetype: %s.\n",
mimetype);
if (s->error_recognition & AV_EF_EXPLODE)
return AVERROR_INVALIDDATA;
return 0;
}
/* picture description */
len = bytestream2_get_be32u(&g);
if (len > bytestream2_get_bytes_left(&g) - 20) {
av_log(s, AV_LOG_ERROR, "Attached picture metadata block too short\n");
if (s->error_recognition & AV_EF_EXPLODE)
return AVERROR_INVALIDDATA;
return 0;
}
if (len > 0) {
desc = g.buffer;
bytestream2_skipu(&g, len);
}
/* picture metadata */
width = bytestream2_get_be32u(&g);
((uint8_t*)g.buffer)[-4] = '\0'; // NUL-terminate desc.
height = bytestream2_get_be32u(&g);
bytestream2_skipu(&g, 8);
/* picture data */
len = bytestream2_get_be32u(&g);
left = bytestream2_get_bytes_left(&g);
if (len <= 0 || len > left) {
if (len > MAX_TRUNC_PICTURE_SIZE || len >= INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE) {
av_log(s, AV_LOG_ERROR, "Attached picture metadata block too big %u\n", len);
if (s->error_recognition & AV_EF_EXPLODE)
return AVERROR_INVALIDDATA;
return 0;
}
// Workaround bug for flac muxers that writs truncated metadata picture block size if
// the picture size do not fit in 24 bits. lavf flacenc used to have the issue and based
// on existing broken files other unknown flac muxers seems to truncate also.
if (truncate_workaround &&
s->strict_std_compliance <= FF_COMPLIANCE_NORMAL &&
len > left && (len & 0xffffff) == left) {
av_log(s, AV_LOG_INFO, "Correcting truncated metadata picture size from %u to %u\n", left, len);
trunclen = len - left;
} else {
av_log(s, AV_LOG_ERROR, "Attached picture metadata block too short\n");
if (s->error_recognition & AV_EF_EXPLODE)
return AVERROR_INVALIDDATA;
return 0;
}
}
if (trunclen == 0 && len >= buf_size - (buf_size >> 4)) {
data = av_buffer_create(buf, buf_size + AV_INPUT_BUFFER_PADDING_SIZE,
av_buffer_default_free, NULL, 0);
if (!data)
return AVERROR(ENOMEM);
*bufp = NULL;
data->data += bytestream2_tell(&g);
data->size = len + AV_INPUT_BUFFER_PADDING_SIZE;
} else {
if (!(data = av_buffer_alloc(len + AV_INPUT_BUFFER_PADDING_SIZE)))
return AVERROR(ENOMEM);
if (trunclen == 0) {
bytestream2_get_bufferu(&g, data->data, len);
} else {
// If truncation was detected copy all data from block and
// read missing bytes not included in the block size.
bytestream2_get_bufferu(&g, data->data, left);
if (avio_read(s->pb, data->data + len - trunclen, trunclen) < trunclen)
RETURN_ERROR(AVERROR_INVALIDDATA);
}
}
memset(data->data + len, 0, AV_INPUT_BUFFER_PADDING_SIZE);
if (AV_RB64(data->data) == PNGSIG)
id = AV_CODEC_ID_PNG;
ret = ff_add_attached_pic(s, NULL, NULL, &data, 0);
if (ret < 0)
RETURN_ERROR(ret);
st = s->streams[s->nb_streams - 1];
st->codecpar->codec_id = id;
st->codecpar->width = width;
st->codecpar->height = height;
av_dict_set(&st->metadata, "comment", ff_id3v2_picture_types[type], 0);
if (desc)
av_dict_set(&st->metadata, "title", desc, 0);
return 0;
fail:
av_buffer_unref(&data);
return ret;
}