diff --git a/Userland/Libraries/LibGfx/ImageFormats/JBIG2Loader.cpp b/Userland/Libraries/LibGfx/ImageFormats/JBIG2Loader.cpp index 135c90d076..301e25a680 100644 --- a/Userland/Libraries/LibGfx/ImageFormats/JBIG2Loader.cpp +++ b/Userland/Libraries/LibGfx/ImageFormats/JBIG2Loader.cpp @@ -172,7 +172,6 @@ static ErrorOr decode_segment_header(SeekableStream& stream) dbgln_if(JBIG2_DEBUG, "Segment data length: {}", data_length); // FIXME: Add some validity checks: - // - data_length can only be 0xffff'ffff for type ImmediateGenericRegion // - check type is valid // - check referred_to_segment_numbers are smaller than segment_number // - 7.3.1 Rules for segment references @@ -181,10 +180,45 @@ static ErrorOr decode_segment_header(SeekableStream& stream) Optional opt_data_length; if (data_length != 0xffff'ffff) opt_data_length = data_length; + else if (type != ImmediateGenericRegion) + return Error::from_string_literal("JBIG2ImageDecoderPlugin: Unknown data length only allowed for ImmediateGenericRegion"); return SegmentHeader { segment_number, type, move(referred_to_segment_numbers), segment_page_association, opt_data_length }; } +static ErrorOr scan_for_immediate_generic_region_size(ReadonlyBytes data) +{ + // 7.2.7 Segment data length + // "If the segment's type is "Immediate generic region", then the length field may contain the value 0xFFFFFFFF. + // This value is intended to mean that the length of the segment's data part is unknown at the time that the segment header is written (...). + // In this case, the true length of the segment's data part shall be determined through examination of the data: + // if the segment uses template-based arithmetic coding, then the segment's data part ends with the two-byte sequence 0xFF 0xAC followed by a four-byte row count. + // If the segment uses MMR coding, then the segment's data part ends with the two-byte sequence 0x00 0x00 followed by a four-byte row count. + // The form of encoding used by the segment may be determined by examining the eighteenth byte of its segment data part, + // and the end sequences can occur anywhere after that eighteenth byte." + // 7.4.6.4 Decoding a generic region segment + // "NOTE – The sequence 0x00 0x00 cannot occur within MMR-encoded data; the sequence 0xFF 0xAC can occur only at the end of arithmetically-coded data. + // Thus, those sequences cannot occur by chance in the data that is decoded to generate the contents of the generic region." + dbgln_if(JBIG2_DEBUG, "(Unknown data length, computing it)"); + + if (data.size() < 18) + return Error::from_string_literal("JBIG2ImageDecoderPlugin: Data too short to contain segment data header"); + + // Per 7.4.6.1 Generic region segment data header, this starts with the 17 bytes described in + // 7.4.1 Region segment information field, followed the byte described in 7.4.6.2 Generic region segment flags. + // That byte's lowest bit stores if the segment uses MMR. + u8 flags = data[17]; + bool uses_mmr = (flags & 1) != 0; + auto end_sequence = uses_mmr ? to_array({ 0x00, 0x00 }) : to_array({ 0xFF, 0xAC }); + u8 const* end = static_cast(memmem(data.data() + 19, data.size() - 19 - sizeof(u32), end_sequence.data(), end_sequence.size())); + if (!end) + return Error::from_string_literal("JBIG2ImageDecoderPlugin: Could not find end sequence in segment data"); + + size_t size = end - data.data() + end_sequence.size() + sizeof(u32); + dbgln_if(JBIG2_DEBUG, "(Computed size is {})", size); + return size; +} + static ErrorOr decode_segment_headers(JBIG2LoadingContext& context) { ReadonlyBytes data = context.data; @@ -194,16 +228,19 @@ static ErrorOr decode_segment_headers(JBIG2LoadingContext& context) Vector segment_datas; auto store_and_skip_segment_data = [&](SegmentHeader const& segment_header) -> ErrorOr { - if (!segment_header.data_length.has_value()) - return Error::from_string_literal("JBIG2ImageDecoderPlugin: Can't handle segment without data length yet"); - size_t start_offset = TRY(stream.tell()); - if (start_offset + segment_header.data_length.value() > data.size()) + u32 data_length = TRY(segment_header.data_length.try_value_or_lazy_evaluated([&]() { + return scan_for_immediate_generic_region_size(data.slice(start_offset)); + })); + + if (start_offset + data_length > data.size()) { + dbgln_if(JBIG2_DEBUG, "JBIG2ImageDecoderPlugin: start_offset={}, data_length={}, data.size()={}", start_offset, data_length, data.size()); return Error::from_string_literal("JBIG2ImageDecoderPlugin: Segment data length exceeds file size"); - ReadonlyBytes segment_data = data.slice(start_offset, segment_header.data_length.value()); + } + ReadonlyBytes segment_data = data.slice(start_offset, data_length); segment_datas.append(segment_data); - TRY(stream.seek(segment_header.data_length.value(), SeekMode::FromCurrentPosition)); + TRY(stream.seek(data_length, SeekMode::FromCurrentPosition)); return {}; }; @@ -271,6 +308,7 @@ ErrorOr JBIG2ImageDecoderPlugin::frame(size_t index, Optio ErrorOr JBIG2ImageDecoderPlugin::decode_embedded(ReadonlyBytes data) { + dbgln_if(JBIG2_DEBUG, "JBIG2ImageDecoderPlugin: Decoding embedded JBIG2 of size {}", data.size()); auto plugin = TRY(adopt_nonnull_own_or_enomem(new (nothrow) JBIG2ImageDecoderPlugin(data))); plugin->m_context->organization = Organization::Embedded; TRY(decode_segment_headers(*plugin->m_context));