-#include "image.h"
#include <stdarg.h>
+#include "imagei.h"
/*
=head1 NAME
static int write_8bit_data(io_glue *ig, i_img *im);
static int write_24bit_data(io_glue *ig, i_img *im);
static int read_bmp_pal(io_glue *ig, i_img *im, int count);
-static i_img *read_1bit_bmp(io_glue *ig, int xsize, int ysize,
- int clr_used);
+static i_img *read_1bit_bmp(io_glue *ig, int xsize, int ysize, int clr_used,
+ int compression, long offbits);
static i_img *read_4bit_bmp(io_glue *ig, int xsize, int ysize, int clr_used,
- int compression);
+ int compression, long offbits);
static i_img *read_8bit_bmp(io_glue *ig, int xsize, int ysize, int clr_used,
- int compression);
+ int compression, long offbits);
static i_img *read_direct_bmp(io_glue *ig, int xsize, int ysize,
- int bit_count, int clr_used, int compression);
+ int bit_count, int clr_used, int compression,
+ long offbits);
/*
=item i_writebmp_wiol(im, io_glue)
i_img *
i_readbmp_wiol(io_glue *ig) {
- int b_magic, m_magic, filesize, dummy, infohead_size;
+ int b_magic, m_magic, filesize, res1, res2, infohead_size;
int xsize, ysize, planes, bit_count, compression, size_image, xres, yres;
int clr_used, clr_important, offbits;
i_img *im;
+
+ mm_log((1, "i_readbmp_wiol(ig %p)\n", ig));
io_glue_commit_types(ig);
i_clear_error();
if (!read_packed(ig, "CCVvvVVVVvvVVVVVV", &b_magic, &m_magic, &filesize,
- &dummy, &dummy, &offbits, &infohead_size,
+ &res1, &res2, &offbits, &infohead_size,
&xsize, &ysize, &planes,
&bit_count, &compression, &size_image, &xres, &yres,
&clr_used, &clr_important)) {
i_push_error(0, "not a BMP file");
return 0;
}
+
+ mm_log((1, " bmp header: filesize %d offbits %d xsize %d ysize %d planes %d "
+ "bit_count %d compression %d size %d xres %d yres %d clr_used %d "
+ "clr_important %d\n", filesize, offbits, xsize, ysize, planes,
+ bit_count, compression, size_image, xres, yres, clr_used,
+ clr_important));
+
+ if (!i_int_check_image_file_limits(xsize, ysize, 3, sizeof(i_sample_t))) {
+ mm_log((1, "i_readbmp_wiol: image size exceeds limits\n"));
+ return NULL;
+ }
switch (bit_count) {
case 1:
- im = read_1bit_bmp(ig, xsize, ysize, clr_used);
+ im = read_1bit_bmp(ig, xsize, ysize, clr_used, compression, offbits);
break;
case 4:
- im = read_4bit_bmp(ig, xsize, ysize, clr_used, compression);
+ im = read_4bit_bmp(ig, xsize, ysize, clr_used, compression, offbits);
break;
case 8:
- im = read_8bit_bmp(ig, xsize, ysize, clr_used, compression);
+ im = read_8bit_bmp(ig, xsize, ysize, clr_used, compression, offbits);
break;
case 32:
case 24:
case 16:
- im = read_direct_bmp(ig, xsize, ysize, bit_count, clr_used, compression);
+ im = read_direct_bmp(ig, xsize, ysize, bit_count, clr_used, compression,
+ offbits);
break;
+
+ default:
+ i_push_errorf(0, "unknown bit count for BMP file (%d)", bit_count);
+ return NULL;
}
- /* store the resolution */
- if (xres && !yres)
- yres = xres;
- else if (yres && !xres)
- xres = yres;
- if (xres) {
- i_tags_set_float(&im->tags, "i_xres", 0, xres * 0.0254);
- i_tags_set_float(&im->tags, "i_yres", 0, yres * 0.0254);
+ if (im) {
+ /* store the resolution */
+ if (xres && !yres)
+ yres = xres;
+ else if (yres && !xres)
+ xres = yres;
+ if (xres) {
+ i_tags_set_float2(&im->tags, "i_xres", 0, xres * 0.0254, 4);
+ i_tags_set_float2(&im->tags, "i_yres", 0, yres * 0.0254, 4);
+ }
+ i_tags_addn(&im->tags, "bmp_compression", 0, compression);
+ i_tags_addn(&im->tags, "bmp_important_colors", 0, clr_important);
+ i_tags_addn(&im->tags, "bmp_used_colors", 0, clr_used);
+ i_tags_addn(&im->tags, "bmp_filesize", 0, filesize);
+ i_tags_addn(&im->tags, "bmp_bit_count", 0, bit_count);
+ i_tags_add(&im->tags, "i_format", 0, "bmp", 3, 0);
}
- i_tags_addn(&im->tags, "bmp_compression", 0, compression);
- i_tags_addn(&im->tags, "bmp_important_colors", 0, clr_important);
return im;
}
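Review bot: The new limits check receives `ysize` exactly as read from the header, while the readers branch on `if (ysize > 0)`, which suggests a non-positive height is a legal top-to-bottom encoding. How i_int_check_image_file_limits treats a negative height is not visible here, so this either rejects those files or lets a negative value slip past the size limit. Passing the magnitude, `i_int_check_image_file_limits(xsize, abs(ysize), 3, sizeof(i_sample_t))`, after rejecting the most negative int, avoids both. `infohead_size` and `planes` are also read but never validated in this function, although the later offset arithmetic assumes a fixed INFOHEAD_SIZE.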
switch (*format) {
case 'v':
- if (ig->readcb(ig, buf, 2) == -1)
+ if (ig->readcb(ig, buf, 2) != 2)
return 0;
*p = buf[0] + (buf[1] << 8);
break;
case 'V':
- if (ig->readcb(ig, buf, 4) == -1)
+ if (ig->readcb(ig, buf, 4) != 4)
return 0;
*p = buf[0] + (buf[1] << 8) + (buf[2] << 16) + (buf[3] << 24);
break;
case 'C':
- if (ig->readcb(ig, buf, 1) == -1)
+ if (ig->readcb(ig, buf, 1) != 1)
return 0;
*p = buf[0];
break;
case 'c':
- if (ig->readcb(ig, buf, 1) == -1)
+ if (ig->readcb(ig, buf, 1) != 1)
return 0;
*p = (char)buf[0];
break;
case '3': /* extension - 24-bit number */
- if (ig->readcb(ig, buf, 3) == -1)
+ if (ig->readcb(ig, buf, 3) != 3)
return 0;
*p = buf[0] + (buf[1] << 8) + (buf[2] << 16);
break;
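Review bot: The 'V' case still assembles its value with `(buf[3] << 24)` on a promoted int, so a top byte of 0x80 or above overflows a signed int, which is undefined behaviour. In practice it hands the caller a negative xsize, clr_used or offbits, since the header format string reads those fields with 'V'. Building the value in unsigned arithmetic keeps it defined: `*p = (int)((unsigned)buf[0] | (unsigned)buf[1] << 8 | (unsigned)buf[2] << 16 | (unsigned)buf[3] << 24);`. This assumes buf is a byte array and p an int pointer, neither of which the hunk shows. The switch sits inside a loop that begins and ends outside the hunk.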
break;
default:
- m_fatal(1, "Unknown read_packed format code 0x%02x", *format);
+ m_fatal(1, "Unknown write_packed format code 0x%02x", *format);
}
++format;
}
unsigned char *out;
int line_size = (im->xsize+7) / 8;
int x, y;
+ int unpacked_size;
/* round up to nearest multiple of four */
line_size = (line_size + 3) / 4 * 4;
if (!write_bmphead(ig, im, 1, line_size * im->ysize))
return 0;
- line = mymalloc(im->xsize + 8);
+ /* this shouldn't be an issue, but let's be careful */
+ unpacked_size = im->xsize + 8;
+ if (unpacked_size < im->xsize) {
+ i_push_error(0, "integer overflow during memory allocation");
+ return 0;
+ }
+ line = mymalloc(unpacked_size); /* checked 29jun05 tonyc */
memset(line + im->xsize, 0, 8);
-
- packed = mymalloc(line_size);
+
+ /* size allocated here is always much smaller than xsize, hence
+ can't overflow int */
+ packed = mymalloc(line_size); /* checked 29jun05 tonyc */
memset(packed, 0, line_size);
for (y = im->ysize-1; y >= 0; --y) {
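Review bot: The guard `if (unpacked_size < im->xsize)` tests for overflow only after `im->xsize + 8` has been computed; if xsize is a signed int, as it is in the readers, that addition is undefined on overflow and a compiler may drop the test. Checking before the arithmetic is reliable: `if (im->xsize > INT_MAX - 8) {` (needs `<limits.h>`). The same after-the-fact pattern appears in the 4-bit writer, write_8bit_data, write_24bit_data (`line_size / 3 != im->xsize`), read_1bit_bmp (`xsize + 8 < xsize`) and read_8bit_bmp (`line_size < xsize`), and the `line_size * im->ysize` product passed to write_bmphead is not checked at all. This function starts and ends outside the hunk.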
myfree(packed);
myfree(line);
+ ig->closecb(ig);
+
return 1;
}
unsigned char *out;
int line_size = (im->xsize+1) / 2;
int x, y;
+ int unpacked_size;
/* round up to nearest multiple of four */
line_size = (line_size + 3) / 4 * 4;
if (!write_bmphead(ig, im, 4, line_size * im->ysize))
return 0;
- line = mymalloc(im->xsize + 2);
+ /* this shouldn't be an issue, but let's be careful */
+ unpacked_size = im->xsize + 2;
+ if (unpacked_size < im->xsize) {
+ i_push_error(0, "integer overflow during memory allocation");
+ return 0;
+ }
+ line = mymalloc(unpacked_size); /* checked 29jun05 tonyc */
memset(line + im->xsize, 0, 2);
- packed = mymalloc(line_size);
+ /* size allocated here is always much smaller than xsize, hence
+ can't overflow int */
+ packed = mymalloc(line_size); /* checked 29jun05 tonyc */
memset(packed, 0, line_size);
for (y = im->ysize-1; y >= 0; --y) {
myfree(packed);
myfree(line);
+ ig->closecb(ig);
+
return 1;
}
write_8bit_data(io_glue *ig, i_img *im) {
i_palidx *line;
int line_size = im->xsize;
- int x, y;
+ int y;
+ int unpacked_size;
/* round up to nearest multiple of four */
line_size = (line_size + 3) / 4 * 4;
if (!write_bmphead(ig, im, 8, line_size * im->ysize))
return 0;
- line = mymalloc(im->xsize + 4);
+ /* this shouldn't be an issue, but let's be careful */
+ unpacked_size = im->xsize + 4;
+ if (unpacked_size < im->xsize) {
+ i_push_error(0, "integer overflow during memory allocation");
+ return 0;
+ }
+ line = mymalloc(unpacked_size); /* checked 29jun05 tonyc */
memset(line + im->xsize, 0, 4);
for (y = im->ysize-1; y >= 0; --y) {
}
myfree(line);
+ ig->closecb(ig);
+
return 1;
}
write_24bit_data(io_glue *ig, i_img *im) {
int *chans;
unsigned char *samples;
- int x, y;
+ int y;
int line_size = 3 * im->xsize;
+
+ /* just in case we implement a direct format with 2bytes/pixel
+ (unlikely though) */
+ if (line_size / 3 != im->xsize) {
+ i_push_error(0, "integer overflow during memory allocation");
+ return 0;
+ }
line_size = (line_size + 3) / 4 * 4;
if (!write_bmphead(ig, im, 24, line_size * im->ysize))
return 0;
chans = im->channels >= 3 ? bgr_chans : grey_chans;
- samples = mymalloc(line_size);
+ samples = mymalloc(line_size); /* checked 29jun05 tonyc */
+ memset(samples, 0, line_size);
for (y = im->ysize-1; y >= 0; --y) {
i_gsamp(im, 0, im->xsize, y, samples, chans, 3);
if (ig->writecb(ig, samples, line_size) < 0) {
}
myfree(samples);
+ ig->closecb(ig);
+
return 1;
}
c.channel[0] = r;
c.channel[1] = g;
c.channel[2] = b;
- if (i_addcolors(im, &c, 1) < 0)
+ if (i_addcolors(im, &c, 1) < 0) {
+ i_push_error(0, "out of space in image palette");
return 0;
+ }
}
return 1;
}
/*
-=item read_1bit_bmp(ig, xsize, ysize, clr_used)
+=item read_1bit_bmp(ig, xsize, ysize, clr_used, compression, offbits)
Reads in the palette and image data for a 1-bit/pixel image.
=cut
*/
static i_img *
-read_1bit_bmp(io_glue *ig, int xsize, int ysize, int clr_used) {
+read_1bit_bmp(io_glue *ig, int xsize, int ysize, int clr_used,
+ int compression, long offbits) {
i_img *im;
int x, y, lasty, yinc;
i_palidx *line, *p;
unsigned char *packed;
int line_size = (xsize + 7)/8;
- int byte, bit;
+ int bit;
unsigned char *in;
+ long base_offset;
+
+ if (compression != BI_RGB) {
+ i_push_errorf(0, "unknown 1-bit BMP compression (%d)", compression);
+ return NULL;
+ }
+
+ if (xsize + 8 < xsize) { /* if there was overflow */
+ /* we check with 8 because we allocate that much for the decoded
+ line buffer */
+ i_push_error(0, "integer overflow during memory allocation");
+ return NULL;
+ }
+ /* if xsize+7 is ok then (xsize+7)/8 will be and the minor
+ adjustments below won't make it overflow */
line_size = (line_size+3) / 4 * 4;
if (ysize > 0) {
lasty = ysize;
yinc = 1;
}
- im = i_img_pal_new(xsize, ysize, 3, 256);
if (!clr_used)
clr_used = 2;
+ if (clr_used < 0 || clr_used > 2) {
+ i_push_errorf(0, "out of range colors used (%d)", clr_used);
+ return NULL;
+ }
+
+ base_offset = FILEHEAD_SIZE + INFOHEAD_SIZE + clr_used * 4;
+ if (offbits < base_offset) {
+ i_push_errorf(0, "image data offset too small (%ld)", offbits);
+ return NULL;
+ }
+
+ im = i_img_pal_new(xsize, ysize, 3, 256);
+ if (!im)
+ return NULL;
if (!read_bmp_pal(ig, im, clr_used)) {
i_img_destroy(im);
return NULL;
}
- packed = mymalloc(line_size);
- line = mymalloc(xsize+8);
+ if (offbits > base_offset) {
+ /* this will be slow if the offset is large, but that should be
+ rare */
+ char buffer;
+ while (base_offset < offbits) {
+ if (ig->readcb(ig, &buffer, 1) != 1) {
+ i_img_destroy(im);
+ i_push_error(0, "failed skipping to image data offset");
+ return NULL;
+ }
+ ++base_offset;
+ }
+ }
+
+ i_tags_add(&im->tags, "bmp_compression_name", 0, "BI_RGB", -1, 0);
+
+ packed = mymalloc(line_size); /* checked 29jun05 tonyc */
+ line = mymalloc(xsize+8); /* checked 29jun05 tonyc */
while (y != lasty) {
if (ig->readcb(ig, packed, line_size) != line_size) {
myfree(packed);
myfree(line);
- i_push_error(0, "reading 1-bit bmp data");
+ i_push_error(0, "failed reading 1-bit bmp data");
i_img_destroy(im);
return NULL;
}
y += yinc;
}
+ myfree(packed);
+ myfree(line);
return im;
}
*/
static i_img *
read_4bit_bmp(io_glue *ig, int xsize, int ysize, int clr_used,
- int compression) {
+ int compression, long offbits) {
i_img *im;
int x, y, lasty, yinc;
i_palidx *line, *p;
int line_size = (xsize + 1)/2;
unsigned char *in;
int size, i;
+ long base_offset;
+ /* line_size is going to be smaller than xsize in most cases (and
+ when it's not, xsize is itself small), and hence not overflow */
line_size = (line_size+3) / 4 * 4;
if (ysize > 0) {
lasty = ysize;
yinc = 1;
}
- im = i_img_pal_new(xsize, ysize, 3, 256);
if (!clr_used)
clr_used = 16;
+
+ if (clr_used > 16 || clr_used < 0) {
+ i_push_errorf(0, "out of range colors used (%d)", clr_used);
+ return NULL;
+ }
+
+ base_offset = FILEHEAD_SIZE + INFOHEAD_SIZE + clr_used * 4;
+ if (offbits < base_offset) {
+ i_push_errorf(0, "image data offset too small (%ld)", offbits);
+ return NULL;
+ }
+
+ im = i_img_pal_new(xsize, ysize, 3, 256);
+ if (!im) /* error should have been pushed already */
+ return NULL;
if (!read_bmp_pal(ig, im, clr_used)) {
i_img_destroy(im);
return NULL;
}
+ if (offbits > base_offset) {
+ /* this will be slow if the offset is large, but that should be
+ rare */
+ char buffer;
+ while (base_offset < offbits) {
+ if (ig->readcb(ig, &buffer, 1) != 1) {
+ i_img_destroy(im);
+ i_push_error(0, "failed skipping to image data offset");
+ return NULL;
+ }
+ ++base_offset;
+ }
+ }
+
if (line_size < 260)
- packed = mymalloc(260);
+ packed = mymalloc(260); /* checked 29jun05 tonyc */
else
- packed = mymalloc(line_size);
- line = mymalloc(xsize+1);
+ packed = mymalloc(line_size); /* checked 29jun05 tonyc */
+ /* xsize won't approach MAXINT */
+ line = mymalloc(xsize+1); /* checked 29jun05 tonyc */
if (compression == BI_RGB) {
+ i_tags_add(&im->tags, "bmp_compression_name", 0, "BI_RGB", -1, 0);
while (y != lasty) {
if (ig->readcb(ig, packed, line_size) != line_size) {
myfree(packed);
myfree(line);
- i_push_error(0, "reading 4-bit bmp data");
+ i_push_error(0, "failed reading 4-bit bmp data");
i_img_destroy(im);
return NULL;
}
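Review bot: The new `clr_used` range check bounds how many palette entries are read, but nothing visible here stops the pixel data from naming an index at or above `clr_used`; a 4-bit file with clr_used of 2 can still carry nibbles up to 15. Whether i_ppal rejects such indices is not shown, so I would either validate each unpacked index against clr_used before the i_ppal call or document that out-of-palette indices are accepted. The same applies to read_1bit_bmp and read_8bit_bmp. The unpacking loop and the RLE branch lie outside this hunk.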
i_ppal(im, 0, xsize, y, line);
y += yinc;
}
+ myfree(packed);
+ myfree(line);
}
else if (compression == BI_RLE4) {
int read_size;
- int want_high;
int count;
+ i_tags_add(&im->tags, "bmp_compression_name", 0, "BI_RLE4", -1, 0);
x = 0;
while (1) {
/* there's always at least 2 bytes in a sequence */
break;
case BMPRLE_ENDOFBMP:
- free(packed);
- free(line);
+ myfree(packed);
+ myfree(line);
return im;
case BMPRLE_DELTA:
else { /*if (compression == BI_RLE4) {*/
myfree(packed);
myfree(line);
- i_push_error(0, "bad compression for 4-bit image");
+ i_push_errorf(0, "unknown 4-bit BMP compression (%d)", compression);
i_img_destroy(im);
return NULL;
}
*/
static i_img *
read_8bit_bmp(io_glue *ig, int xsize, int ysize, int clr_used,
- int compression) {
+ int compression, long offbits) {
i_img *im;
int x, y, lasty, yinc;
- i_palidx *line, *p;
+ i_palidx *line;
int line_size = xsize;
- unsigned char *in;
+ long base_offset;
line_size = (line_size+3) / 4 * 4;
+ if (line_size < xsize) { /* if it overflowed (unlikely, but check) */
+ i_push_error(0, "integer overflow during memory allocation");
+ return NULL;
+ }
if (ysize > 0) {
y = ysize-1;
lasty = ysize;
yinc = 1;
}
- im = i_img_pal_new(xsize, ysize, 3, 256);
if (!clr_used)
clr_used = 256;
+ if (clr_used > 256 || clr_used < 0) {
+ i_push_errorf(0, "out of range colors used (%d)", clr_used);
+ return NULL;
+ }
+
+ base_offset = FILEHEAD_SIZE + INFOHEAD_SIZE + clr_used * 4;
+ if (offbits < base_offset) {
+ i_push_errorf(0, "image data offset too small (%ld)", offbits);
+ return NULL;
+ }
+
+ im = i_img_pal_new(xsize, ysize, 3, 256);
+ if (!im)
+ return NULL;
if (!read_bmp_pal(ig, im, clr_used)) {
i_img_destroy(im);
return NULL;
}
- line = mymalloc(line_size);
+ if (offbits > base_offset) {
+ /* this will be slow if the offset is large, but that should be
+ rare */
+ char buffer;
+ while (base_offset < offbits) {
+ if (ig->readcb(ig, &buffer, 1) != 1) {
+ i_img_destroy(im);
+ i_push_error(0, "failed skipping to image data offset");
+ return NULL;
+ }
+ ++base_offset;
+ }
+ }
+
+ line = mymalloc(line_size); /* checked 29jun05 tonyc */
if (compression == BI_RGB) {
+ i_tags_add(&im->tags, "bmp_compression_name", 0, "BI_RGB", -1, 0);
while (y != lasty) {
if (ig->readcb(ig, line, line_size) != line_size) {
myfree(line);
- i_push_error(0, "reading 8-bit bmp data");
+ i_push_error(0, "failed reading 8-bit bmp data");
i_img_destroy(im);
return NULL;
}
i_ppal(im, 0, xsize, y, line);
y += yinc;
}
+ myfree(line);
}
else if (compression == BI_RLE8) {
int read_size;
- int want_high;
int count;
unsigned char packed[2];
+ i_tags_add(&im->tags, "bmp_compression_name", 0, "BI_RLE8", -1, 0);
x = 0;
while (1) {
/* there's always at least 2 bytes in a sequence */
break;
case BMPRLE_ENDOFBMP:
- free(line);
+ myfree(line);
return im;
case BMPRLE_DELTA:
}
else {
myfree(line);
- i_push_errorf(0, "unknown 8-bit BMP compression %d", compression);
+ i_push_errorf(0, "unknown 8-bit BMP compression (%d)", compression);
i_img_destroy(im);
return NULL;
}
*/
static i_img *
read_direct_bmp(io_glue *ig, int xsize, int ysize, int bit_count,
- int clr_used, int compression) {
+ int clr_used, int compression, long offbits) {
i_img *im;
int x, y, lasty, yinc;
i_color *line, *p;
- unsigned char *in;
int pix_size = bit_count / 8;
int line_size = xsize * pix_size;
struct bm_masks masks;
int i;
int extras;
char junk[4];
+ const char *compression_name;
+ int bytes;
+ long base_offset = FILEHEAD_SIZE + INFOHEAD_SIZE;
unpack_code[0] = *("v3V"+pix_size-2);
unpack_code[1] = '\0';
lasty = ysize;
yinc = 1;
}
- line = mymalloc(line_size);
if (compression == BI_RGB) {
+ compression_name = "BI_RGB";
masks = std_masks[pix_size-2];
/* there's a potential "palette" after the header */
i_push_error(0, "skipping colors");
return 0;
}
+ base_offset += 4;
}
}
else if (compression == BI_BITFIELDS) {
int pos, bit;
+ compression_name = "BI_BITFIELDS";
+
for (i = 0; i < 3; ++i) {
if (!read_packed(ig, "V", masks.masks+i)) {
i_push_error(0, "reading pixel masks");
}
masks.shifts[i] = pos - 8;
}
+ base_offset += 4 * 4;
+ }
+ else {
+ i_push_errorf(0, "unknown 24-bit BMP compression (%d)", compression);
+ return NULL;
}
+ if (offbits > base_offset) {
+ /* this will be slow if the offset is large, but that should be
+ rare */
+ char buffer;
+ while (base_offset < offbits) {
+ if (ig->readcb(ig, &buffer, 1) != 1) {
+ i_img_destroy(im);
+ i_push_error(0, "failed skipping to image data offset");
+ return NULL;
+ }
+ ++base_offset;
+ }
+ }
+
im = i_img_empty(NULL, xsize, ysize);
+ if (!im)
+ return NULL;
+
+ i_tags_add(&im->tags, "bmp_compression_name", 0, compression_name, -1, 0);
- line = mymalloc(sizeof(i_color) * xsize);
+ /* I wasn't able to make this overflow in testing, but better to be
+ safe */
+ bytes = sizeof(i_color) * xsize;
+ if (bytes / sizeof(i_color) != xsize) {
+ i_img_destroy(im);
+ i_push_error(0, "integer overflow calculating buffer size");
+ return NULL;
+ }
+ line = mymalloc(bytes); /* checked 29jun05 tonyc */
while (y != lasty) {
p = line;
for (x = 0; x < xsize; ++x) {
unsigned pixel;
if (!read_packed(ig, unpack_code, &pixel)) {
- i_push_error(0, "reading image data");
+ i_push_error(0, "failed reading image data");
myfree(line);
i_img_destroy(im);
return NULL;
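Review bot: In the new skip-to-offbits loop the failure path calls `i_img_destroy(im)`, but `im` is only assigned by `im = i_img_empty(NULL, xsize, ysize);` after the loop, so on a truncated file this destroys an uninitialised pointer (unless lines outside the hunk assign it earlier, which the fresh allocation below argues against). Dropping that call from the loop, or moving the `i_img_empty` allocation and its NULL check above the loop as the paletted readers do, fixes it. Separately, the `unknown 24-bit BMP compression (%d)` message is also reached for 16- and 32-bit files. The function begins before this hunk and continues past it.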
BI_BITFIELDS compression hasn't been tested (I need an image).
+The header handling for paletted images needs to be refactored
+
=cut
*/