1 /*
2  * rdgif.c
3  *
4  * This file was part of the Independent JPEG Group's software:
5  * Copyright (C) 1991-1997, Thomas G. Lane.
6  * Modified 2019 by Guido Vollbeding.
7  * libjpeg-turbo Modifications:
8  * Copyright (C) 2021, D. R. Commander.
9  * For conditions of distribution and use, see the accompanying README.ijg
10  * file.
11  *
12  * This file contains routines to read input images in GIF format.
13  *
14  * These routines may need modification for non-Unix environments or
15  * specialized applications.  As they stand, they assume input from
16  * an ordinary stdio stream.  They further assume that reading begins
17  * at the start of the file; start_input may need work if the
18  * user interface has already read some data (e.g., to determine that
19  * the file is indeed GIF format).
20  */
21 
22 /*
23  * This code is loosely based on giftoppm from the PBMPLUS distribution
24  * of Feb. 1991.  That file contains the following copyright notice:
25  * +-------------------------------------------------------------------+
26  * | Copyright 1990, David Koblas.                                     |
27  * |   Permission to use, copy, modify, and distribute this software   |
28  * |   and its documentation for any purpose and without fee is hereby |
29  * |   granted, provided that the above copyright notice appear in all |
30  * |   copies and that both that copyright notice and this permission  |
31  * |   notice appear in supporting documentation.  This software is    |
32  * |   provided "as is" without express or implied warranty.           |
33  * +-------------------------------------------------------------------+
34  */
35 
36 #include "cdjpeg.h"             /* Common decls for cjpeg/djpeg applications */
37 
38 #ifdef GIF_SUPPORTED
39 
40 
41 /* Macros to deal with unsigned chars as efficiently as compiler allows */
42 
43 typedef unsigned char U_CHAR;
44 #define UCH(x)  ((int)(x))
45 
46 
47 #define ReadOK(file, buffer, len) \
48   (JFREAD(file, buffer, len) == ((size_t)(len)))
49 
50 
51 #define MAXCOLORMAPSIZE  256    /* max # of colors in a GIF colormap */
52 #define NUMCOLORS        3      /* # of colors */
53 #define CM_RED           0      /* color component numbers */
54 #define CM_GREEN         1
55 #define CM_BLUE          2
56 
57 #define MAX_LZW_BITS     12     /* maximum LZW code size */
58 #define LZW_TABLE_SIZE   (1 << MAX_LZW_BITS) /* # of possible LZW symbols */
59 
60 /* Macros for extracting header data --- note we assume chars may be signed */
61 
62 #define LM_to_uint(array, offset) \
63   ((unsigned int)UCH(array[offset]) + \
64    (((unsigned int)UCH(array[offset + 1])) << 8))
65 
66 #define BitSet(byte, bit)       ((byte) & (bit))
67 #define INTERLACE       0x40    /* mask for bit signifying interlaced image */
68 #define COLORMAPFLAG    0x80    /* mask for bit signifying colormap presence */
69 
70 
71 /*
72  * LZW decompression tables look like this:
73  *   symbol_head[K] = prefix symbol of any LZW symbol K (0..LZW_TABLE_SIZE-1)
74  *   symbol_tail[K] = suffix byte   of any LZW symbol K (0..LZW_TABLE_SIZE-1)
75  * Note that entries 0..end_code of the above tables are not used,
76  * since those symbols represent raw bytes or special codes.
77  *
78  * The stack represents the not-yet-used expansion of the last LZW symbol.
79  * In the worst case, a symbol could expand to as many bytes as there are
80  * LZW symbols, so we allocate LZW_TABLE_SIZE bytes for the stack.
81  * (This is conservative since that number includes the raw-byte symbols.)
82  */
83 
84 
85 /* Private version of data source object */
86 
87 typedef struct {
88   struct cjpeg_source_struct pub; /* public fields */
89 
90   j_compress_ptr cinfo;         /* back link saves passing separate parm */
91 
92   JSAMPARRAY colormap;          /* GIF colormap (converted to my format) */
93 
94   /* State for GetCode and LZWReadByte */
95   U_CHAR code_buf[256 + 4];     /* current input data block */
96   int last_byte;                /* # of bytes in code_buf */
97   int last_bit;                 /* # of bits in code_buf */
98   int cur_bit;                  /* next bit index to read */
99   boolean first_time;           /* flags first call to GetCode */
100   boolean out_of_blocks;        /* TRUE if hit terminator data block */
101 
102   int input_code_size;          /* codesize given in GIF file */
103   int clear_code, end_code;     /* values for Clear and End codes */
104 
105   int code_size;                /* current actual code size */
106   int limit_code;               /* 2^code_size */
107   int max_code;                 /* first unused code value */
108 
109   /* Private state for LZWReadByte */
110   int oldcode;                  /* previous LZW symbol */
111   int firstcode;                /* first byte of oldcode's expansion */
112 
113   /* LZW symbol table and expansion stack */
114   UINT16 *symbol_head;          /* => table of prefix symbols */
115   UINT8  *symbol_tail;          /* => table of suffix bytes */
116   UINT8  *symbol_stack;         /* => stack for symbol expansions */
117   UINT8  *sp;                   /* stack pointer */
118 
119   /* State for interlaced image processing */
120   boolean is_interlaced;        /* TRUE if have interlaced image */
121   jvirt_sarray_ptr interlaced_image; /* full image in interlaced order */
122   JDIMENSION cur_row_number;    /* need to know actual row number */
123   JDIMENSION pass2_offset;      /* # of pixel rows in pass 1 */
124   JDIMENSION pass3_offset;      /* # of pixel rows in passes 1&2 */
125   JDIMENSION pass4_offset;      /* # of pixel rows in passes 1,2,3 */
126 } gif_source_struct;
127 
128 typedef gif_source_struct *gif_source_ptr;
129 
130 
131 /* Forward declarations */
132 METHODDEF(JDIMENSION) get_pixel_rows(j_compress_ptr cinfo,
133                                      cjpeg_source_ptr sinfo);
134 METHODDEF(JDIMENSION) load_interlaced_image(j_compress_ptr cinfo,
135                                             cjpeg_source_ptr sinfo);
136 METHODDEF(JDIMENSION) get_interlaced_row(j_compress_ptr cinfo,
137                                          cjpeg_source_ptr sinfo);
138 
139 
140 LOCAL(int)
ReadByte(gif_source_ptr sinfo)141 ReadByte(gif_source_ptr sinfo)
142 /* Read next byte from GIF file */
143 {
144   register FILE *infile = sinfo->pub.input_file;
145   register int c;
146 
147   if ((c = getc(infile)) == EOF)
148     ERREXIT(sinfo->cinfo, JERR_INPUT_EOF);
149   return c;
150 }
151 
152 
153 LOCAL(int)
GetDataBlock(gif_source_ptr sinfo,U_CHAR * buf)154 GetDataBlock(gif_source_ptr sinfo, U_CHAR *buf)
155 /* Read a GIF data block, which has a leading count byte */
156 /* A zero-length block marks the end of a data block sequence */
157 {
158   int count;
159 
160   count = ReadByte(sinfo);
161   if (count > 0) {
162     if (!ReadOK(sinfo->pub.input_file, buf, count))
163       ERREXIT(sinfo->cinfo, JERR_INPUT_EOF);
164   }
165   return count;
166 }
167 
168 
169 LOCAL(void)
SkipDataBlocks(gif_source_ptr sinfo)170 SkipDataBlocks(gif_source_ptr sinfo)
171 /* Skip a series of data blocks, until a block terminator is found */
172 {
173   U_CHAR buf[256];
174 
175   while (GetDataBlock(sinfo, buf) > 0)
176     /* skip */;
177 }
178 
179 
180 LOCAL(void)
ReInitLZW(gif_source_ptr sinfo)181 ReInitLZW(gif_source_ptr sinfo)
182 /* (Re)initialize LZW state; shared code for startup and Clear processing */
183 {
184   sinfo->code_size = sinfo->input_code_size + 1;
185   sinfo->limit_code = sinfo->clear_code << 1;   /* 2^code_size */
186   sinfo->max_code = sinfo->clear_code + 2;      /* first unused code value */
187   sinfo->sp = sinfo->symbol_stack;              /* init stack to empty */
188 }
189 
190 
191 LOCAL(void)
InitLZWCode(gif_source_ptr sinfo)192 InitLZWCode(gif_source_ptr sinfo)
193 /* Initialize for a series of LZWReadByte (and hence GetCode) calls */
194 {
195   /* GetCode initialization */
196   sinfo->last_byte = 2;         /* make safe to "recopy last two bytes" */
197   sinfo->code_buf[0] = 0;
198   sinfo->code_buf[1] = 0;
199   sinfo->last_bit = 0;          /* nothing in the buffer */
200   sinfo->cur_bit = 0;           /* force buffer load on first call */
201   sinfo->first_time = TRUE;
202   sinfo->out_of_blocks = FALSE;
203 
204   /* LZWReadByte initialization: */
205   /* compute special code values (note that these do not change later) */
206   sinfo->clear_code = 1 << sinfo->input_code_size;
207   sinfo->end_code = sinfo->clear_code + 1;
208   ReInitLZW(sinfo);
209 }
210 
211 
212 LOCAL(int)
GetCode(gif_source_ptr sinfo)213 GetCode(gif_source_ptr sinfo)
214 /* Fetch the next code_size bits from the GIF data */
215 /* We assume code_size is less than 16 */
216 {
217   register int accum;
218   int offs, count;
219 
220   while (sinfo->cur_bit + sinfo->code_size > sinfo->last_bit) {
221     /* Time to reload the buffer */
222     /* First time, share code with Clear case */
223     if (sinfo->first_time) {
224       sinfo->first_time = FALSE;
225       return sinfo->clear_code;
226     }
227     if (sinfo->out_of_blocks) {
228       WARNMS(sinfo->cinfo, JWRN_GIF_NOMOREDATA);
229       return sinfo->end_code;   /* fake something useful */
230     }
231     /* preserve last two bytes of what we have -- assume code_size <= 16 */
232     sinfo->code_buf[0] = sinfo->code_buf[sinfo->last_byte-2];
233     sinfo->code_buf[1] = sinfo->code_buf[sinfo->last_byte-1];
234     /* Load more bytes; set flag if we reach the terminator block */
235     if ((count = GetDataBlock(sinfo, &sinfo->code_buf[2])) == 0) {
236       sinfo->out_of_blocks = TRUE;
237       WARNMS(sinfo->cinfo, JWRN_GIF_NOMOREDATA);
238       return sinfo->end_code;   /* fake something useful */
239     }
240     /* Reset counters */
241     sinfo->cur_bit = (sinfo->cur_bit - sinfo->last_bit) + 16;
242     sinfo->last_byte = 2 + count;
243     sinfo->last_bit = sinfo->last_byte * 8;
244   }
245 
246   /* Form up next 24 bits in accum */
247   offs = sinfo->cur_bit >> 3;   /* byte containing cur_bit */
248   accum = UCH(sinfo->code_buf[offs + 2]);
249   accum <<= 8;
250   accum |= UCH(sinfo->code_buf[offs + 1]);
251   accum <<= 8;
252   accum |= UCH(sinfo->code_buf[offs]);
253 
254   /* Right-align cur_bit in accum, then mask off desired number of bits */
255   accum >>= (sinfo->cur_bit & 7);
256   sinfo->cur_bit += sinfo->code_size;
257   return accum & ((1 << sinfo->code_size) - 1);
258 }
259 
260 
261 LOCAL(int)
LZWReadByte(gif_source_ptr sinfo)262 LZWReadByte(gif_source_ptr sinfo)
263 /* Read an LZW-compressed byte */
264 {
265   register int code;            /* current working code */
266   int incode;                   /* saves actual input code */
267 
268   /* If any codes are stacked from a previously read symbol, return them */
269   if (sinfo->sp > sinfo->symbol_stack)
270     return (int)(*(--sinfo->sp));
271 
272   /* Time to read a new symbol */
273   code = GetCode(sinfo);
274 
275   if (code == sinfo->clear_code) {
276     /* Reinit state, swallow any extra Clear codes, and */
277     /* return next code, which is expected to be a raw byte. */
278     ReInitLZW(sinfo);
279     do {
280       code = GetCode(sinfo);
281     } while (code == sinfo->clear_code);
282     if (code > sinfo->clear_code) { /* make sure it is a raw byte */
283       WARNMS(sinfo->cinfo, JWRN_GIF_BADDATA);
284       code = 0;                 /* use something valid */
285     }
286     /* make firstcode, oldcode valid! */
287     sinfo->firstcode = sinfo->oldcode = code;
288     return code;
289   }
290 
291   if (code == sinfo->end_code) {
292     /* Skip the rest of the image, unless GetCode already read terminator */
293     if (!sinfo->out_of_blocks) {
294       SkipDataBlocks(sinfo);
295       sinfo->out_of_blocks = TRUE;
296     }
297     /* Complain that there's not enough data */
298     WARNMS(sinfo->cinfo, JWRN_GIF_ENDCODE);
299     /* Pad data with 0's */
300     return 0;                   /* fake something usable */
301   }
302 
303   /* Got normal raw byte or LZW symbol */
304   incode = code;                /* save for a moment */
305 
306   if (code >= sinfo->max_code) { /* special case for not-yet-defined symbol */
307     /* code == max_code is OK; anything bigger is bad data */
308     if (code > sinfo->max_code) {
309       WARNMS(sinfo->cinfo, JWRN_GIF_BADDATA);
310       incode = 0;               /* prevent creation of loops in symbol table */
311     }
312     /* this symbol will be defined as oldcode/firstcode */
313     *(sinfo->sp++) = (UINT8)sinfo->firstcode;
314     code = sinfo->oldcode;
315   }
316 
317   /* If it's a symbol, expand it into the stack */
318   while (code >= sinfo->clear_code) {
319     *(sinfo->sp++) = sinfo->symbol_tail[code]; /* tail is a byte value */
320     code = sinfo->symbol_head[code]; /* head is another LZW symbol */
321   }
322   /* At this point code just represents a raw byte */
323   sinfo->firstcode = code;      /* save for possible future use */
324 
325   /* If there's room in table... */
326   if ((code = sinfo->max_code) < LZW_TABLE_SIZE) {
327     /* Define a new symbol = prev sym + head of this sym's expansion */
328     sinfo->symbol_head[code] = (UINT16)sinfo->oldcode;
329     sinfo->symbol_tail[code] = (UINT8)sinfo->firstcode;
330     sinfo->max_code++;
331     /* Is it time to increase code_size? */
332     if (sinfo->max_code >= sinfo->limit_code &&
333         sinfo->code_size < MAX_LZW_BITS) {
334       sinfo->code_size++;
335       sinfo->limit_code <<= 1;  /* keep equal to 2^code_size */
336     }
337   }
338 
339   sinfo->oldcode = incode;      /* save last input symbol for future use */
340   return sinfo->firstcode;      /* return first byte of symbol's expansion */
341 }
342 
343 
344 LOCAL(void)
ReadColorMap(gif_source_ptr sinfo,int cmaplen,JSAMPARRAY cmap)345 ReadColorMap(gif_source_ptr sinfo, int cmaplen, JSAMPARRAY cmap)
346 /* Read a GIF colormap */
347 {
348   int i;
349 
350   for (i = 0; i < cmaplen; i++) {
351 #if BITS_IN_JSAMPLE == 8
352 #define UPSCALE(x)  (x)
353 #else
354 #define UPSCALE(x)  ((x) << (BITS_IN_JSAMPLE - 8))
355 #endif
356     cmap[CM_RED][i]   = (JSAMPLE)UPSCALE(ReadByte(sinfo));
357     cmap[CM_GREEN][i] = (JSAMPLE)UPSCALE(ReadByte(sinfo));
358     cmap[CM_BLUE][i]  = (JSAMPLE)UPSCALE(ReadByte(sinfo));
359   }
360 }
361 
362 
363 LOCAL(void)
DoExtension(gif_source_ptr sinfo)364 DoExtension(gif_source_ptr sinfo)
365 /* Process an extension block */
366 /* Currently we ignore 'em all */
367 {
368   int extlabel;
369 
370   /* Read extension label byte */
371   extlabel = ReadByte(sinfo);
372   TRACEMS1(sinfo->cinfo, 1, JTRC_GIF_EXTENSION, extlabel);
373   /* Skip the data block(s) associated with the extension */
374   SkipDataBlocks(sinfo);
375 }
376 
377 
378 /*
379  * Read the file header; return image size and component count.
380  */
381 
382 METHODDEF(void)
start_input_gif(j_compress_ptr cinfo,cjpeg_source_ptr sinfo)383 start_input_gif(j_compress_ptr cinfo, cjpeg_source_ptr sinfo)
384 {
385   gif_source_ptr source = (gif_source_ptr)sinfo;
386   U_CHAR hdrbuf[10];            /* workspace for reading control blocks */
387   unsigned int width, height;   /* image dimensions */
388   int colormaplen, aspectRatio;
389   int c;
390 
391   /* Read and verify GIF Header */
392   if (!ReadOK(source->pub.input_file, hdrbuf, 6))
393     ERREXIT(cinfo, JERR_GIF_NOT);
394   if (hdrbuf[0] != 'G' || hdrbuf[1] != 'I' || hdrbuf[2] != 'F')
395     ERREXIT(cinfo, JERR_GIF_NOT);
396   /* Check for expected version numbers.
397    * If unknown version, give warning and try to process anyway;
398    * this is per recommendation in GIF89a standard.
399    */
400   if ((hdrbuf[3] != '8' || hdrbuf[4] != '7' || hdrbuf[5] != 'a') &&
401       (hdrbuf[3] != '8' || hdrbuf[4] != '9' || hdrbuf[5] != 'a'))
402     TRACEMS3(cinfo, 1, JTRC_GIF_BADVERSION, hdrbuf[3], hdrbuf[4], hdrbuf[5]);
403 
404   /* Read and decipher Logical Screen Descriptor */
405   if (!ReadOK(source->pub.input_file, hdrbuf, 7))
406     ERREXIT(cinfo, JERR_INPUT_EOF);
407   width = LM_to_uint(hdrbuf, 0);
408   height = LM_to_uint(hdrbuf, 2);
409   if (width == 0 || height == 0)
410     ERREXIT(cinfo, JERR_GIF_EMPTY);
411 #ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
412   if (sinfo->max_pixels &&
413       (unsigned long long)width * height > sinfo->max_pixels)
414     ERREXIT(cinfo, JERR_WIDTH_OVERFLOW);
415 #endif
416   /* we ignore the color resolution, sort flag, and background color index */
417   aspectRatio = UCH(hdrbuf[6]);
418   if (aspectRatio != 0 && aspectRatio != 49)
419     TRACEMS(cinfo, 1, JTRC_GIF_NONSQUARE);
420 
421   /* Allocate space to store the colormap */
422   source->colormap = (*cinfo->mem->alloc_sarray)
423     ((j_common_ptr)cinfo, JPOOL_IMAGE, (JDIMENSION)MAXCOLORMAPSIZE,
424      (JDIMENSION)NUMCOLORS);
425   colormaplen = 0;              /* indicate initialization */
426 
427   /* Read global colormap if header indicates it is present */
428   if (BitSet(hdrbuf[4], COLORMAPFLAG)) {
429     colormaplen = 2 << (hdrbuf[4] & 0x07);
430     ReadColorMap(source, colormaplen, source->colormap);
431   }
432 
433   /* Scan until we reach start of desired image.
434    * We don't currently support skipping images, but could add it easily.
435    */
436   for (;;) {
437     c = ReadByte(source);
438 
439     if (c == ';')               /* GIF terminator?? */
440       ERREXIT(cinfo, JERR_GIF_IMAGENOTFOUND);
441 
442     if (c == '!') {             /* Extension */
443       DoExtension(source);
444       continue;
445     }
446 
447     if (c != ',') {             /* Not an image separator? */
448       WARNMS1(cinfo, JWRN_GIF_CHAR, c);
449       continue;
450     }
451 
452     /* Read and decipher Local Image Descriptor */
453     if (!ReadOK(source->pub.input_file, hdrbuf, 9))
454       ERREXIT(cinfo, JERR_INPUT_EOF);
455     /* we ignore top/left position info, also sort flag */
456     width = LM_to_uint(hdrbuf, 4);
457     height = LM_to_uint(hdrbuf, 6);
458     if (width == 0 || height == 0)
459       ERREXIT(cinfo, JERR_GIF_EMPTY);
460 #ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
461     if (sinfo->max_pixels &&
462         (unsigned long long)width * height > sinfo->max_pixels)
463       ERREXIT(cinfo, JERR_WIDTH_OVERFLOW);
464 #endif
465     source->is_interlaced = (BitSet(hdrbuf[8], INTERLACE) != 0);
466 
467     /* Read local colormap if header indicates it is present */
468     /* Note: if we wanted to support skipping images, */
469     /* we'd need to skip rather than read colormap for ignored images */
470     if (BitSet(hdrbuf[8], COLORMAPFLAG)) {
471       colormaplen = 2 << (hdrbuf[8] & 0x07);
472       ReadColorMap(source, colormaplen, source->colormap);
473     }
474 
475     source->input_code_size = ReadByte(source); /* get min-code-size byte */
476     if (source->input_code_size < 2 || source->input_code_size > 8)
477       ERREXIT1(cinfo, JERR_GIF_CODESIZE, source->input_code_size);
478 
479     /* Reached desired image, so break out of loop */
480     /* If we wanted to skip this image, */
481     /* we'd call SkipDataBlocks and then continue the loop */
482     break;
483   }
484 
485   /* Prepare to read selected image: first initialize LZW decompressor */
486   source->symbol_head = (UINT16 *)
487     (*cinfo->mem->alloc_large) ((j_common_ptr)cinfo, JPOOL_IMAGE,
488                                 LZW_TABLE_SIZE * sizeof(UINT16));
489   source->symbol_tail = (UINT8 *)
490     (*cinfo->mem->alloc_large) ((j_common_ptr)cinfo, JPOOL_IMAGE,
491                                 LZW_TABLE_SIZE * sizeof(UINT8));
492   source->symbol_stack = (UINT8 *)
493     (*cinfo->mem->alloc_large) ((j_common_ptr)cinfo, JPOOL_IMAGE,
494                                 LZW_TABLE_SIZE * sizeof(UINT8));
495   InitLZWCode(source);
496 
497   /*
498    * If image is interlaced, we read it into a full-size sample array,
499    * decompressing as we go; then get_interlaced_row selects rows from the
500    * sample array in the proper order.
501    */
502   if (source->is_interlaced) {
503     /* We request the virtual array now, but can't access it until virtual
504      * arrays have been allocated.  Hence, the actual work of reading the
505      * image is postponed until the first call to get_pixel_rows.
506      */
507     source->interlaced_image = (*cinfo->mem->request_virt_sarray)
508       ((j_common_ptr)cinfo, JPOOL_IMAGE, FALSE,
509        (JDIMENSION)width, (JDIMENSION)height, (JDIMENSION)1);
510     if (cinfo->progress != NULL) {
511       cd_progress_ptr progress = (cd_progress_ptr)cinfo->progress;
512       progress->total_extra_passes++; /* count file input as separate pass */
513     }
514     source->pub.get_pixel_rows = load_interlaced_image;
515   } else {
516     source->pub.get_pixel_rows = get_pixel_rows;
517   }
518 
519   /* Create compressor input buffer. */
520   source->pub.buffer = (*cinfo->mem->alloc_sarray)
521     ((j_common_ptr)cinfo, JPOOL_IMAGE, (JDIMENSION)width * NUMCOLORS,
522      (JDIMENSION)1);
523   source->pub.buffer_height = 1;
524 
525   /* Pad colormap for safety. */
526   for (c = colormaplen; c < source->clear_code; c++) {
527     source->colormap[CM_RED][c]   =
528     source->colormap[CM_GREEN][c] =
529     source->colormap[CM_BLUE][c]  = CENTERJSAMPLE;
530   }
531 
532   /* Return info about the image. */
533   cinfo->in_color_space = JCS_RGB;
534   cinfo->input_components = NUMCOLORS;
535   cinfo->data_precision = BITS_IN_JSAMPLE; /* we always rescale data to this */
536   cinfo->image_width = width;
537   cinfo->image_height = height;
538 
539   TRACEMS3(cinfo, 1, JTRC_GIF, width, height, colormaplen);
540 }
541 
542 
543 /*
544  * Read one row of pixels.
545  * This version is used for noninterlaced GIF images:
546  * we read directly from the GIF file.
547  */
548 
549 METHODDEF(JDIMENSION)
get_pixel_rows(j_compress_ptr cinfo,cjpeg_source_ptr sinfo)550 get_pixel_rows(j_compress_ptr cinfo, cjpeg_source_ptr sinfo)
551 {
552   gif_source_ptr source = (gif_source_ptr)sinfo;
553   register int c;
554   register JSAMPROW ptr;
555   register JDIMENSION col;
556   register JSAMPARRAY colormap = source->colormap;
557 
558   ptr = source->pub.buffer[0];
559   for (col = cinfo->image_width; col > 0; col--) {
560     c = LZWReadByte(source);
561     *ptr++ = colormap[CM_RED][c];
562     *ptr++ = colormap[CM_GREEN][c];
563     *ptr++ = colormap[CM_BLUE][c];
564   }
565   return 1;
566 }
567 
568 
569 /*
570  * Read one row of pixels.
571  * This version is used for the first call on get_pixel_rows when
572  * reading an interlaced GIF file: we read the whole image into memory.
573  */
574 
575 METHODDEF(JDIMENSION)
load_interlaced_image(j_compress_ptr cinfo,cjpeg_source_ptr sinfo)576 load_interlaced_image(j_compress_ptr cinfo, cjpeg_source_ptr sinfo)
577 {
578   gif_source_ptr source = (gif_source_ptr)sinfo;
579   register JSAMPROW sptr;
580   register JDIMENSION col;
581   JDIMENSION row;
582   cd_progress_ptr progress = (cd_progress_ptr)cinfo->progress;
583 
584   /* Read the interlaced image into the virtual array we've created. */
585   for (row = 0; row < cinfo->image_height; row++) {
586     if (progress != NULL) {
587       progress->pub.pass_counter = (long)row;
588       progress->pub.pass_limit = (long)cinfo->image_height;
589       (*progress->pub.progress_monitor) ((j_common_ptr)cinfo);
590     }
591     sptr = *(*cinfo->mem->access_virt_sarray)
592       ((j_common_ptr)cinfo, source->interlaced_image, row, (JDIMENSION)1,
593        TRUE);
594     for (col = cinfo->image_width; col > 0; col--) {
595       *sptr++ = (JSAMPLE)LZWReadByte(source);
596     }
597   }
598   if (progress != NULL)
599     progress->completed_extra_passes++;
600 
601   /* Replace method pointer so subsequent calls don't come here. */
602   source->pub.get_pixel_rows = get_interlaced_row;
603   /* Initialize for get_interlaced_row, and perform first call on it. */
604   source->cur_row_number = 0;
605   source->pass2_offset = (cinfo->image_height + 7) / 8;
606   source->pass3_offset = source->pass2_offset + (cinfo->image_height + 3) / 8;
607   source->pass4_offset = source->pass3_offset + (cinfo->image_height + 1) / 4;
608 
609   return get_interlaced_row(cinfo, sinfo);
610 }
611 
612 
613 /*
614  * Read one row of pixels.
615  * This version is used for interlaced GIF images:
616  * we read from the virtual array.
617  */
618 
619 METHODDEF(JDIMENSION)
get_interlaced_row(j_compress_ptr cinfo,cjpeg_source_ptr sinfo)620 get_interlaced_row(j_compress_ptr cinfo, cjpeg_source_ptr sinfo)
621 {
622   gif_source_ptr source = (gif_source_ptr)sinfo;
623   register int c;
624   register JSAMPROW sptr, ptr;
625   register JDIMENSION col;
626   register JSAMPARRAY colormap = source->colormap;
627   JDIMENSION irow;
628 
629   /* Figure out which row of interlaced image is needed, and access it. */
630   switch ((int)(source->cur_row_number & 7)) {
631   case 0:                       /* first-pass row */
632     irow = source->cur_row_number >> 3;
633     break;
634   case 4:                       /* second-pass row */
635     irow = (source->cur_row_number >> 3) + source->pass2_offset;
636     break;
637   case 2:                       /* third-pass row */
638   case 6:
639     irow = (source->cur_row_number >> 2) + source->pass3_offset;
640     break;
641   default:                      /* fourth-pass row */
642     irow = (source->cur_row_number >> 1) + source->pass4_offset;
643   }
644   sptr = *(*cinfo->mem->access_virt_sarray)
645     ((j_common_ptr)cinfo, source->interlaced_image, irow, (JDIMENSION)1,
646      FALSE);
647   /* Scan the row, expand colormap, and output */
648   ptr = source->pub.buffer[0];
649   for (col = cinfo->image_width; col > 0; col--) {
650     c = *sptr++;
651     *ptr++ = colormap[CM_RED][c];
652     *ptr++ = colormap[CM_GREEN][c];
653     *ptr++ = colormap[CM_BLUE][c];
654   }
655   source->cur_row_number++;     /* for next time */
656   return 1;
657 }
658 
659 
660 /*
661  * Finish up at the end of the file.
662  */
663 
664 METHODDEF(void)
finish_input_gif(j_compress_ptr cinfo,cjpeg_source_ptr sinfo)665 finish_input_gif(j_compress_ptr cinfo, cjpeg_source_ptr sinfo)
666 {
667   /* no work */
668 }
669 
670 
671 /*
672  * The module selection routine for GIF format input.
673  */
674 
675 GLOBAL(cjpeg_source_ptr)
jinit_read_gif(j_compress_ptr cinfo)676 jinit_read_gif(j_compress_ptr cinfo)
677 {
678   gif_source_ptr source;
679 
680   /* Create module interface object */
681   source = (gif_source_ptr)
682     (*cinfo->mem->alloc_small) ((j_common_ptr)cinfo, JPOOL_IMAGE,
683                                 sizeof(gif_source_struct));
684   source->cinfo = cinfo;        /* make back link for subroutines */
685   /* Fill in method ptrs, except get_pixel_rows which start_input sets */
686   source->pub.start_input = start_input_gif;
687   source->pub.finish_input = finish_input_gif;
688 #ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
689   source->pub.max_pixels = 0;
690 #endif
691 
692   return (cjpeg_source_ptr)source;
693 }
694 
695 #endif /* GIF_SUPPORTED */
696