// Copyright 2015 PDFium Authors. All rights reserved. // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. // Original code copyright 2014 Foxit Software Inc. http://www.foxitsoftware.com #include "core/fxcodec/jbig2/JBig2_SddProc.h" #include #include #include #include #include #include "core/fxcodec/jbig2/JBig2_ArithIntDecoder.h" #include "core/fxcodec/jbig2/JBig2_GrdProc.h" #include "core/fxcodec/jbig2/JBig2_GrrdProc.h" #include "core/fxcodec/jbig2/JBig2_HuffmanDecoder.h" #include "core/fxcodec/jbig2/JBig2_HuffmanTable.h" #include "core/fxcodec/jbig2/JBig2_SymbolDict.h" #include "core/fxcodec/jbig2/JBig2_TrdProc.h" #include "core/fxcrt/fx_safe_types.h" #include "third_party/base/ptr_util.h" CJBig2_SDDProc::CJBig2_SDDProc() = default; CJBig2_SDDProc::~CJBig2_SDDProc() = default; std::unique_ptr CJBig2_SDDProc::DecodeArith( CJBig2_ArithDecoder* pArithDecoder, std::vector* gbContext, std::vector* grContext) { std::vector> SDNEWSYMS; uint32_t HCHEIGHT, NSYMSDECODED; int32_t HCDH; uint32_t SYMWIDTH, TOTWIDTH; int32_t DW; uint32_t I, J, REFAGGNINST; std::vector EXFLAGS; uint32_t EXINDEX; bool CUREXFLAG; uint32_t EXRUNLENGTH; uint32_t nTmp; uint32_t SBNUMSYMS; uint8_t SBSYMCODELEN; int32_t RDXI, RDYI; uint32_t num_ex_syms; // Pointers are not owned std::vector SBSYMS; std::unique_ptr IAID; std::unique_ptr pDict; auto IADH = pdfium::MakeUnique(); auto IADW = pdfium::MakeUnique(); auto IAAI = pdfium::MakeUnique(); auto IARDX = pdfium::MakeUnique(); auto IARDY = pdfium::MakeUnique(); auto IAEX = pdfium::MakeUnique(); auto IADT = pdfium::MakeUnique(); auto IAFS = pdfium::MakeUnique(); auto IADS = pdfium::MakeUnique(); auto IAIT = pdfium::MakeUnique(); auto IARI = pdfium::MakeUnique(); auto IARDW = pdfium::MakeUnique(); auto IARDH = pdfium::MakeUnique(); nTmp = 0; while ((uint32_t)(1 << nTmp) < (SDNUMINSYMS + SDNUMNEWSYMS)) { nTmp++; } IAID = pdfium::MakeUnique((uint8_t)nTmp); SDNEWSYMS.resize(SDNUMNEWSYMS); HCHEIGHT = 0; NSYMSDECODED = 0; while (NSYMSDECODED < SDNUMNEWSYMS) { std::unique_ptr BS; IADH->Decode(pArithDecoder, &HCDH); HCHEIGHT = HCHEIGHT + HCDH; if ((int)HCHEIGHT < 0 || (int)HCHEIGHT > JBIG2_MAX_IMAGE_SIZE) return nullptr; SYMWIDTH = 0; TOTWIDTH = 0; for (;;) { if (!IADW->Decode(pArithDecoder, &DW)) break; if (NSYMSDECODED >= SDNUMNEWSYMS) return nullptr; SYMWIDTH = SYMWIDTH + DW; if ((int)SYMWIDTH < 0 || (int)SYMWIDTH > JBIG2_MAX_IMAGE_SIZE) return nullptr; if (HCHEIGHT == 0 || SYMWIDTH == 0) { TOTWIDTH = TOTWIDTH + SYMWIDTH; SDNEWSYMS[NSYMSDECODED] = nullptr; NSYMSDECODED = NSYMSDECODED + 1; continue; } TOTWIDTH = TOTWIDTH + SYMWIDTH; if (SDREFAGG == 0) { auto pGRD = pdfium::MakeUnique(); pGRD->MMR = 0; pGRD->GBW = SYMWIDTH; pGRD->GBH = HCHEIGHT; pGRD->GBTEMPLATE = SDTEMPLATE; pGRD->TPGDON = 0; pGRD->USESKIP = 0; pGRD->GBAT[0] = SDAT[0]; pGRD->GBAT[1] = SDAT[1]; pGRD->GBAT[2] = SDAT[2]; pGRD->GBAT[3] = SDAT[3]; pGRD->GBAT[4] = SDAT[4]; pGRD->GBAT[5] = SDAT[5]; pGRD->GBAT[6] = SDAT[6]; pGRD->GBAT[7] = SDAT[7]; BS = pGRD->DecodeArith(pArithDecoder, gbContext->data()); if (!BS) return nullptr; } else { IAAI->Decode(pArithDecoder, (int*)&REFAGGNINST); if (REFAGGNINST > 1) { // Huffman tables must not outlive |pDecoder|. auto SBHUFFFS = pdfium::MakeUnique(6); auto SBHUFFDS = pdfium::MakeUnique(8); auto SBHUFFDT = pdfium::MakeUnique(11); auto SBHUFFRDW = pdfium::MakeUnique(15); auto SBHUFFRDH = pdfium::MakeUnique(15); auto SBHUFFRDX = pdfium::MakeUnique(15); auto SBHUFFRDY = pdfium::MakeUnique(15); auto SBHUFFRSIZE = pdfium::MakeUnique(1); auto pDecoder = pdfium::MakeUnique(); pDecoder->SBHUFF = SDHUFF; pDecoder->SBREFINE = 1; pDecoder->SBW = SYMWIDTH; pDecoder->SBH = HCHEIGHT; pDecoder->SBNUMINSTANCES = REFAGGNINST; pDecoder->SBSTRIPS = 1; pDecoder->SBNUMSYMS = SDNUMINSYMS + NSYMSDECODED; SBNUMSYMS = pDecoder->SBNUMSYMS; nTmp = 0; while ((uint32_t)(1 << nTmp) < SBNUMSYMS) { nTmp++; } SBSYMCODELEN = (uint8_t)nTmp; pDecoder->SBSYMCODELEN = SBSYMCODELEN; SBSYMS.resize(SBNUMSYMS); std::copy(SDINSYMS, SDINSYMS + SDNUMINSYMS, SBSYMS.begin()); for (size_t i = 0; i < NSYMSDECODED; ++i) SBSYMS[i + SDNUMINSYMS] = SDNEWSYMS[i].get(); pDecoder->SBSYMS = SBSYMS.data(); pDecoder->SBDEFPIXEL = 0; pDecoder->SBCOMBOP = JBIG2_COMPOSE_OR; pDecoder->TRANSPOSED = 0; pDecoder->REFCORNER = JBIG2_CORNER_TOPLEFT; pDecoder->SBDSOFFSET = 0; pDecoder->SBHUFFFS = SBHUFFFS.get(); pDecoder->SBHUFFDS = SBHUFFDS.get(); pDecoder->SBHUFFDT = SBHUFFDT.get(); pDecoder->SBHUFFRDW = SBHUFFRDW.get(); pDecoder->SBHUFFRDH = SBHUFFRDH.get(); pDecoder->SBHUFFRDX = SBHUFFRDX.get(); pDecoder->SBHUFFRDY = SBHUFFRDY.get(); pDecoder->SBHUFFRSIZE = SBHUFFRSIZE.get(); pDecoder->SBRTEMPLATE = SDRTEMPLATE; pDecoder->SBRAT[0] = SDRAT[0]; pDecoder->SBRAT[1] = SDRAT[1]; pDecoder->SBRAT[2] = SDRAT[2]; pDecoder->SBRAT[3] = SDRAT[3]; JBig2IntDecoderState ids; ids.IADT = IADT.get(); ids.IAFS = IAFS.get(); ids.IADS = IADS.get(); ids.IAIT = IAIT.get(); ids.IARI = IARI.get(); ids.IARDW = IARDW.get(); ids.IARDH = IARDH.get(); ids.IARDX = IARDX.get(); ids.IARDY = IARDY.get(); ids.IAID = IAID.get(); BS = pDecoder->DecodeArith(pArithDecoder, grContext->data(), &ids); if (!BS) return nullptr; } else if (REFAGGNINST == 1) { SBNUMSYMS = SDNUMINSYMS + NSYMSDECODED; uint32_t IDI; IAID->Decode(pArithDecoder, &IDI); IARDX->Decode(pArithDecoder, &RDXI); IARDY->Decode(pArithDecoder, &RDYI); if (IDI >= SBNUMSYMS) return nullptr; SBSYMS.resize(SBNUMSYMS); std::copy(SDINSYMS, SDINSYMS + SDNUMINSYMS, SBSYMS.begin()); for (size_t i = 0; i < NSYMSDECODED; ++i) SBSYMS[i + SDNUMINSYMS] = SDNEWSYMS[i].get(); if (!SBSYMS[IDI]) return nullptr; auto pGRRD = pdfium::MakeUnique(); pGRRD->GRW = SYMWIDTH; pGRRD->GRH = HCHEIGHT; pGRRD->GRTEMPLATE = SDRTEMPLATE; pGRRD->GRREFERENCE = SBSYMS[IDI]; pGRRD->GRREFERENCEDX = RDXI; pGRRD->GRREFERENCEDY = RDYI; pGRRD->TPGRON = 0; pGRRD->GRAT[0] = SDRAT[0]; pGRRD->GRAT[1] = SDRAT[1]; pGRRD->GRAT[2] = SDRAT[2]; pGRRD->GRAT[3] = SDRAT[3]; BS = pGRRD->Decode(pArithDecoder, grContext->data()); if (!BS) return nullptr; } } SDNEWSYMS[NSYMSDECODED] = std::move(BS); NSYMSDECODED = NSYMSDECODED + 1; } } EXINDEX = 0; CUREXFLAG = 0; EXFLAGS.resize(SDNUMINSYMS + SDNUMNEWSYMS); num_ex_syms = 0; while (EXINDEX < SDNUMINSYMS + SDNUMNEWSYMS) { IAEX->Decode(pArithDecoder, (int*)&EXRUNLENGTH); if (EXINDEX + EXRUNLENGTH > SDNUMINSYMS + SDNUMNEWSYMS) return nullptr; if (EXRUNLENGTH != 0) { for (I = EXINDEX; I < EXINDEX + EXRUNLENGTH; I++) { if (CUREXFLAG) num_ex_syms++; EXFLAGS[I] = CUREXFLAG; } } EXINDEX = EXINDEX + EXRUNLENGTH; CUREXFLAG = !CUREXFLAG; } if (num_ex_syms > SDNUMEXSYMS) return nullptr; pDict = pdfium::MakeUnique(); J = 0; for (I = 0; I < SDNUMINSYMS + SDNUMNEWSYMS; I++) { if (!EXFLAGS[I] || J >= SDNUMEXSYMS) continue; if (I < SDNUMINSYMS) { pDict->AddImage(SDINSYMS[I] ? pdfium::MakeUnique(*SDINSYMS[I]) : nullptr); } else { pDict->AddImage(std::move(SDNEWSYMS[I - SDNUMINSYMS])); } ++J; } return pDict; } std::unique_ptr CJBig2_SDDProc::DecodeHuffman( CJBig2_BitStream* pStream, std::vector* gbContext, std::vector* grContext) { std::vector> SDNEWSYMS; std::vector SDNEWSYMWIDTHS; uint32_t HCHEIGHT, NSYMSDECODED; int32_t HCDH; uint32_t SYMWIDTH, TOTWIDTH, HCFIRSTSYM; int32_t DW; uint32_t I, J, REFAGGNINST; std::vector EXFLAGS; uint32_t EXINDEX; bool CUREXFLAG; uint32_t EXRUNLENGTH; int32_t nVal; uint32_t nTmp; uint32_t SBNUMSYMS; uint8_t SBSYMCODELEN; uint32_t IDI; int32_t RDXI, RDYI; uint32_t BMSIZE; uint32_t num_ex_syms; // Pointers are not owned std::vector SBSYMS; auto pHuffmanDecoder = pdfium::MakeUnique(pStream); SDNEWSYMS.resize(SDNUMNEWSYMS); if (SDREFAGG == 0) SDNEWSYMWIDTHS.resize(SDNUMNEWSYMS); auto pDict = pdfium::MakeUnique(); std::unique_ptr pTable; HCHEIGHT = 0; NSYMSDECODED = 0; std::unique_ptr BS; while (NSYMSDECODED < SDNUMNEWSYMS) { if (pHuffmanDecoder->DecodeAValue(SDHUFFDH.Get(), &HCDH) != 0) return nullptr; HCHEIGHT = HCHEIGHT + HCDH; if ((int)HCHEIGHT < 0 || (int)HCHEIGHT > JBIG2_MAX_IMAGE_SIZE) return nullptr; SYMWIDTH = 0; TOTWIDTH = 0; HCFIRSTSYM = NSYMSDECODED; for (;;) { nVal = pHuffmanDecoder->DecodeAValue(SDHUFFDW.Get(), &DW); if (nVal == JBIG2_OOB) break; if (nVal != 0) return nullptr; if (NSYMSDECODED >= SDNUMNEWSYMS) return nullptr; SYMWIDTH = SYMWIDTH + DW; if ((int)SYMWIDTH < 0 || (int)SYMWIDTH > JBIG2_MAX_IMAGE_SIZE) return nullptr; if (HCHEIGHT == 0 || SYMWIDTH == 0) { TOTWIDTH = TOTWIDTH + SYMWIDTH; SDNEWSYMS[NSYMSDECODED] = nullptr; NSYMSDECODED = NSYMSDECODED + 1; continue; } TOTWIDTH = TOTWIDTH + SYMWIDTH; if (SDREFAGG == 1) { if (pHuffmanDecoder->DecodeAValue(SDHUFFAGGINST.Get(), (int*)&REFAGGNINST) != 0) { return nullptr; } BS = nullptr; if (REFAGGNINST > 1) { // Huffman tables must outlive |pDecoder|. auto SBHUFFFS = pdfium::MakeUnique(6); auto SBHUFFDS = pdfium::MakeUnique(8); auto SBHUFFDT = pdfium::MakeUnique(11); auto SBHUFFRDW = pdfium::MakeUnique(15); auto SBHUFFRDH = pdfium::MakeUnique(15); auto SBHUFFRDX = pdfium::MakeUnique(15); auto SBHUFFRDY = pdfium::MakeUnique(15); auto SBHUFFRSIZE = pdfium::MakeUnique(1); auto pDecoder = pdfium::MakeUnique(); pDecoder->SBHUFF = SDHUFF; pDecoder->SBREFINE = 1; pDecoder->SBW = SYMWIDTH; pDecoder->SBH = HCHEIGHT; pDecoder->SBNUMINSTANCES = REFAGGNINST; pDecoder->SBSTRIPS = 1; pDecoder->SBNUMSYMS = SDNUMINSYMS + NSYMSDECODED; SBNUMSYMS = pDecoder->SBNUMSYMS; std::vector SBSYMCODES(SBNUMSYMS); nTmp = 1; while (static_cast(1 << nTmp) < SBNUMSYMS) ++nTmp; for (I = 0; I < SBNUMSYMS; ++I) { SBSYMCODES[I].codelen = nTmp; SBSYMCODES[I].code = I; } pDecoder->SBSYMCODES = std::move(SBSYMCODES); SBSYMS.resize(SBNUMSYMS); std::copy(SDINSYMS, SDINSYMS + SDNUMINSYMS, SBSYMS.begin()); for (size_t i = 0; i < NSYMSDECODED; ++i) SBSYMS[i + SDNUMINSYMS] = SDNEWSYMS[i].get(); pDecoder->SBSYMS = SBSYMS.data(); pDecoder->SBDEFPIXEL = 0; pDecoder->SBCOMBOP = JBIG2_COMPOSE_OR; pDecoder->TRANSPOSED = 0; pDecoder->REFCORNER = JBIG2_CORNER_TOPLEFT; pDecoder->SBDSOFFSET = 0; pDecoder->SBHUFFFS = SBHUFFFS.get(); pDecoder->SBHUFFDS = SBHUFFDS.get(); pDecoder->SBHUFFDT = SBHUFFDT.get(); pDecoder->SBHUFFRDW = SBHUFFRDW.get(); pDecoder->SBHUFFRDH = SBHUFFRDH.get(); pDecoder->SBHUFFRDX = SBHUFFRDX.get(); pDecoder->SBHUFFRDY = SBHUFFRDY.get(); pDecoder->SBHUFFRSIZE = SBHUFFRSIZE.get(); pDecoder->SBRTEMPLATE = SDRTEMPLATE; pDecoder->SBRAT[0] = SDRAT[0]; pDecoder->SBRAT[1] = SDRAT[1]; pDecoder->SBRAT[2] = SDRAT[2]; pDecoder->SBRAT[3] = SDRAT[3]; BS = pDecoder->DecodeHuffman(pStream, grContext->data()); if (!BS) return nullptr; } else if (REFAGGNINST == 1) { SBNUMSYMS = SDNUMINSYMS + SDNUMNEWSYMS; nTmp = 1; while ((uint32_t)(1 << nTmp) < SBNUMSYMS) { nTmp++; } SBSYMCODELEN = (uint8_t)nTmp; uint32_t uVal = 0; for (;;) { if (pStream->read1Bit(&nTmp) != 0) return nullptr; uVal = (uVal << 1) | nTmp; if (uVal >= SBNUMSYMS) return nullptr; IDI = SBSYMCODELEN == 0 ? uVal : SBNUMSYMS; if (IDI < SBNUMSYMS) break; } auto SBHUFFRDX = pdfium::MakeUnique(15); auto SBHUFFRSIZE = pdfium::MakeUnique(1); if ((pHuffmanDecoder->DecodeAValue(SBHUFFRDX.get(), &RDXI) != 0) || (pHuffmanDecoder->DecodeAValue(SBHUFFRDX.get(), &RDYI) != 0) || (pHuffmanDecoder->DecodeAValue(SBHUFFRSIZE.get(), &nVal) != 0)) { return nullptr; } pStream->alignByte(); nTmp = pStream->getOffset(); SBSYMS.resize(SBNUMSYMS); std::copy(SDINSYMS, SDINSYMS + SDNUMINSYMS, SBSYMS.begin()); for (size_t i = 0; i < NSYMSDECODED; ++i) SBSYMS[i + SDNUMINSYMS] = SDNEWSYMS[i].get(); auto pGRRD = pdfium::MakeUnique(); pGRRD->GRW = SYMWIDTH; pGRRD->GRH = HCHEIGHT; pGRRD->GRTEMPLATE = SDRTEMPLATE; pGRRD->GRREFERENCE = SBSYMS[IDI]; pGRRD->GRREFERENCEDX = RDXI; pGRRD->GRREFERENCEDY = RDYI; pGRRD->TPGRON = 0; pGRRD->GRAT[0] = SDRAT[0]; pGRRD->GRAT[1] = SDRAT[1]; pGRRD->GRAT[2] = SDRAT[2]; pGRRD->GRAT[3] = SDRAT[3]; auto pArithDecoder = pdfium::MakeUnique(pStream); BS = pGRRD->Decode(pArithDecoder.get(), grContext->data()); if (!BS) return nullptr; pStream->alignByte(); pStream->offset(2); if ((uint32_t)nVal != (pStream->getOffset() - nTmp)) return nullptr; } SDNEWSYMS[NSYMSDECODED] = std::move(BS); } if (SDREFAGG == 0) SDNEWSYMWIDTHS[NSYMSDECODED] = SYMWIDTH; NSYMSDECODED = NSYMSDECODED + 1; } if (SDREFAGG == 0) { if (pHuffmanDecoder->DecodeAValue(SDHUFFBMSIZE.Get(), (int32_t*)&BMSIZE) != 0) { return nullptr; } pStream->alignByte(); std::unique_ptr BHC; if (BMSIZE == 0) { FX_SAFE_UINT32 safe_stride = TOTWIDTH; safe_stride += 7; safe_stride /= 8; FX_SAFE_UINT32 safe_image_size = safe_stride; safe_image_size *= HCHEIGHT; if (!safe_image_size.IsValid() || pStream->getByteLeft() < safe_image_size.ValueOrDie()) { return nullptr; } const uint32_t stride = safe_stride.ValueOrDie(); BHC = pdfium::MakeUnique(TOTWIDTH, HCHEIGHT); for (I = 0; I < HCHEIGHT; I++) { memcpy(BHC->data() + I * BHC->stride(), pStream->getPointer(), stride); pStream->offset(stride); } } else { auto pGRD = pdfium::MakeUnique(); pGRD->MMR = 1; pGRD->GBW = TOTWIDTH; pGRD->GBH = HCHEIGHT; pGRD->StartDecodeMMR(&BHC, pStream); pStream->alignByte(); } nTmp = 0; if (!BHC) continue; for (I = HCFIRSTSYM; I < NSYMSDECODED; ++I) { SDNEWSYMS[I] = BHC->SubImage(nTmp, 0, SDNEWSYMWIDTHS[I], HCHEIGHT); nTmp += SDNEWSYMWIDTHS[I]; } } } EXINDEX = 0; CUREXFLAG = 0; pTable = pdfium::MakeUnique(1); EXFLAGS.resize(SDNUMINSYMS + SDNUMNEWSYMS); num_ex_syms = 0; while (EXINDEX < SDNUMINSYMS + SDNUMNEWSYMS) { if (pHuffmanDecoder->DecodeAValue(pTable.get(), (int*)&EXRUNLENGTH) != 0) return nullptr; if (EXINDEX + EXRUNLENGTH > SDNUMINSYMS + SDNUMNEWSYMS) return nullptr; if (EXRUNLENGTH != 0) { for (I = EXINDEX; I < EXINDEX + EXRUNLENGTH; ++I) { if (CUREXFLAG) num_ex_syms++; EXFLAGS[I] = CUREXFLAG; } } EXINDEX = EXINDEX + EXRUNLENGTH; CUREXFLAG = !CUREXFLAG; } if (num_ex_syms > SDNUMEXSYMS) return nullptr; J = 0; for (I = 0; I < SDNUMINSYMS + SDNUMNEWSYMS; ++I) { if (!EXFLAGS[I] || J >= SDNUMEXSYMS) continue; if (I < SDNUMINSYMS) { pDict->AddImage(SDINSYMS[I] ? pdfium::MakeUnique(*SDINSYMS[I]) : nullptr); } else { pDict->AddImage(std::move(SDNEWSYMS[I - SDNUMINSYMS])); } ++J; } return pDict; }