stream.h: check against huge negative values in stream_seek()
[mplayer/glamo.git] / libmpdemux / ebml.c
blob28b4a4643a72d49d3578ce3d1614ced75e8b14c7
1 /*
2 * native ebml reader for the Matroska demuxer
3 * new parser copyright (c) 2010 Uoti Urpala
4 * copyright (c) 2004 Aurelien Jacobs <aurel@gnuage.org>
5 * based on the one written by Ronald Bultje for gstreamer
7 * This file is part of MPlayer.
9 * MPlayer is free software; you can redistribute it and/or modify
10 * it under the terms of the GNU General Public License as published by
11 * the Free Software Foundation; either version 2 of the License, or
12 * (at your option) any later version.
14 * MPlayer is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
19 * You should have received a copy of the GNU General Public License along
20 * with MPlayer; if not, write to the Free Software Foundation, Inc.,
21 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24 #include "config.h"
26 #include <stdlib.h>
27 #include <stdbool.h>
28 #include <inttypes.h>
29 #include <stddef.h>
30 #include <assert.h>
32 #include <libavutil/intfloat_readwrite.h>
33 #include <libavutil/common.h>
34 #include "talloc.h"
35 #include "ebml.h"
36 #include "stream/stream.h"
37 #include "mpbswap.h"
38 #include "mp_msg.h"
40 #ifndef SIZE_MAX
41 #define SIZE_MAX ((size_t)-1)
42 #endif
45 * Read: the element content data ID.
46 * Return: the ID.
48 uint32_t ebml_read_id(stream_t *s, int *length)
50 int i, len_mask = 0x80;
51 uint32_t id;
53 for (i = 0, id = stream_read_char(s); i < 4 && !(id & len_mask); i++)
54 len_mask >>= 1;
55 if (i >= 4)
56 return EBML_ID_INVALID;
57 if (length)
58 *length = i + 1;
59 while (i--)
60 id = (id << 8) | stream_read_char(s);
61 return id;
65 * Read a variable length unsigned int.
67 uint64_t ebml_read_vlen_uint(uint8_t *buffer, int *length)
69 int i, j, num_ffs = 0, len_mask = 0x80;
70 uint64_t num;
72 for (i = 0, num = *buffer++; i < 8 && !(num & len_mask); i++)
73 len_mask >>= 1;
74 if (i >= 8)
75 return EBML_UINT_INVALID;
76 j = i + 1;
77 if (length)
78 *length = j;
79 if ((int) (num &= (len_mask - 1)) == len_mask - 1)
80 num_ffs++;
81 while (i--) {
82 num = (num << 8) | *buffer++;
83 if ((num & 0xFF) == 0xFF)
84 num_ffs++;
86 if (j == num_ffs)
87 return EBML_UINT_INVALID;
88 return num;
92 * Read a variable length signed int.
94 int64_t ebml_read_vlen_int(uint8_t *buffer, int *length)
96 uint64_t unum;
97 int l;
99 /* read as unsigned number first */
100 unum = ebml_read_vlen_uint(buffer, &l);
101 if (unum == EBML_UINT_INVALID)
102 return EBML_INT_INVALID;
103 if (length)
104 *length = l;
106 return unum - ((1 << ((7 * l) - 1)) - 1);
110 * Read: element content length.
112 uint64_t ebml_read_length(stream_t *s, int *length)
114 int i, j, num_ffs = 0, len_mask = 0x80;
115 uint64_t len;
117 for (i = 0, len = stream_read_char(s); i < 8 && !(len & len_mask); i++)
118 len_mask >>= 1;
119 if (i >= 8)
120 return EBML_UINT_INVALID;
121 j = i + 1;
122 if (length)
123 *length = j;
124 if ((int) (len &= (len_mask - 1)) == len_mask - 1)
125 num_ffs++;
126 while (i--) {
127 len = (len << 8) | stream_read_char(s);
128 if ((len & 0xFF) == 0xFF)
129 num_ffs++;
131 if (j == num_ffs)
132 return EBML_UINT_INVALID;
133 return len;
137 * Read the next element as an unsigned int.
139 uint64_t ebml_read_uint(stream_t *s, uint64_t *length)
141 uint64_t len, value = 0;
142 int l;
144 len = ebml_read_length(s, &l);
145 if (len == EBML_UINT_INVALID || len < 1 || len > 8)
146 return EBML_UINT_INVALID;
147 if (length)
148 *length = len + l;
150 while (len--)
151 value = (value << 8) | stream_read_char(s);
153 return value;
157 * Read the next element as a signed int.
159 int64_t ebml_read_int(stream_t *s, uint64_t *length)
161 int64_t value = 0;
162 uint64_t len;
163 int l;
165 len = ebml_read_length(s, &l);
166 if (len == EBML_UINT_INVALID || len < 1 || len > 8)
167 return EBML_INT_INVALID;
168 if (length)
169 *length = len + l;
171 len--;
172 l = stream_read_char(s);
173 if (l & 0x80)
174 value = -1;
175 value = (value << 8) | l;
176 while (len--)
177 value = (value << 8) | stream_read_char(s);
179 return value;
183 * Read the next element as a float.
185 double ebml_read_float(stream_t *s, uint64_t *length)
187 double value;
188 uint64_t len;
189 int l;
191 len = ebml_read_length(s, &l);
192 switch (len) {
193 case 4:
194 value = av_int2flt(stream_read_dword(s));
195 break;
197 case 8:
198 value = av_int2dbl(stream_read_qword(s));
199 break;
201 default:
202 return EBML_FLOAT_INVALID;
205 if (length)
206 *length = len + l;
208 return value;
212 * Read the next element as an ASCII string.
214 char *ebml_read_ascii(stream_t *s, uint64_t *length)
216 uint64_t len;
217 char *str;
218 int l;
220 len = ebml_read_length(s, &l);
221 if (len == EBML_UINT_INVALID)
222 return NULL;
223 if (len > SIZE_MAX - 1)
224 return NULL;
225 if (length)
226 *length = len + l;
228 str = malloc(len + 1);
229 if (stream_read(s, str, len) != (int) len) {
230 free(str);
231 return NULL;
233 str[len] = '\0';
235 return str;
239 * Read the next element as a UTF-8 string.
241 char *ebml_read_utf8(stream_t *s, uint64_t *length)
243 return ebml_read_ascii(s, length);
247 * Skip the next element.
249 int ebml_read_skip(stream_t *s, uint64_t *length)
251 uint64_t len;
252 int l;
254 len = ebml_read_length(s, &l);
255 if (len == EBML_UINT_INVALID)
256 return 1;
257 if (length)
258 *length = len + l;
260 stream_skip(s, len);
262 return 0;
266 * Read the next element, but only the header. The contents
267 * are supposed to be sub-elements which can be read separately.
269 uint32_t ebml_read_master(stream_t *s, uint64_t *length)
271 uint64_t len;
272 uint32_t id;
274 id = ebml_read_id(s, NULL);
275 if (id == EBML_ID_INVALID)
276 return id;
278 len = ebml_read_length(s, NULL);
279 if (len == EBML_UINT_INVALID)
280 return EBML_ID_INVALID;
281 if (length)
282 *length = len;
284 return id;
289 #define EVALARGS(F, ...) F(__VA_ARGS__)
290 #define E(str, N, type) const struct ebml_elem_desc ebml_ ## N ## _desc = { str, type };
291 #define E_SN(str, count, N) const struct ebml_elem_desc ebml_ ## N ## _desc = { str, EBML_TYPE_SUBELEMENTS, sizeof(struct ebml_ ## N), count, (const struct ebml_field_desc[]){
292 #define E_S(str, count) EVALARGS(E_SN, str, count, N)
293 #define FN(id, name, multiple, N) { id, multiple, offsetof(struct ebml_ ## N, name), offsetof(struct ebml_ ## N, n_ ## name), &ebml_##name##_desc},
294 #define F(id, name, multiple) EVALARGS(FN, id, name, multiple, N)
295 #include "ebml_defs.c"
296 #undef EVALARGS
297 #undef SN
298 #undef S
299 #undef FN
300 #undef F
302 // Used to read/write pointers to different struct types
303 struct generic;
304 #define generic_struct struct generic
306 static uint32_t ebml_parse_id(uint8_t *data, int *length)
308 int len = 1;
309 uint32_t id = *data++;
310 for (int len_mask = 0x80; !(id & len_mask); len_mask >>= 1) {
311 len++;
312 if (len > 4) {
313 *length = -1;
314 return EBML_ID_INVALID;
317 *length = len;
318 while (--len)
319 id = (id << 8) | *data++;
320 return id;
323 static uint64_t parse_vlen(uint8_t *data, int *length, bool is_length)
325 uint64_t r = *data++;
326 int len = 1;
327 int len_mask;
328 for (len_mask = 0x80; !(r & len_mask); len_mask >>= 1) {
329 len++;
330 if (len > 8) {
331 *length = -1;
332 return -1;
335 r &= len_mask - 1;
337 int num_allones = 0;
338 if (r == len_mask - 1)
339 num_allones++;
340 for (int i = 1; i < len; i++) {
341 if (*data == 255)
342 num_allones++;
343 r = (r << 8) | *data++;
345 if (is_length && num_allones == len) {
346 // According to Matroska specs this means "unknown length"
347 // Could be supported if there are any actual files using it
348 *length = -1;
349 return -1;
351 *length = len;
352 return r;
355 static uint64_t ebml_parse_length(uint8_t *data, int *length)
357 return parse_vlen(data, length, true);
360 static uint64_t ebml_parse_uint(uint8_t *data, int length)
362 assert(length >= 1 && length <= 8);
363 uint64_t r = 0;
364 while (length--)
365 r = (r << 8) + *data++;
366 return r;
369 static int64_t ebml_parse_sint(uint8_t *data, int length)
371 assert(length >=1 && length <= 8);
372 int64_t r = 0;
373 if (*data & 0x80)
374 r = -1;
375 while (length--)
376 r = (r << 8) | *data++;
377 return r;
380 static double ebml_parse_float(uint8_t *data, int length)
382 assert(length == 4 || length == 8);
383 uint64_t i = ebml_parse_uint(data, length);
384 if (length == 4)
385 return av_int2flt(i);
386 else
387 return av_int2dbl(i);
391 // target must be initialized to zero
392 static void ebml_parse_element(struct ebml_parse_ctx *ctx, void *target,
393 uint8_t *data, int size,
394 const struct ebml_elem_desc *type, int level)
396 assert(type->type == EBML_TYPE_SUBELEMENTS);
397 assert(level < 8);
398 mp_msg(MSGT_DEMUX, MSGL_DBG2, "%.*s[mkv] Parsing element %s\n",
399 level, " ", type->name);
401 char *s = target;
402 int len;
403 uint8_t *end = data + size;
404 uint8_t *p = data;
405 int num_elems[MAX_EBML_SUBELEMENTS] = {};
406 while (p < end) {
407 uint8_t *startp = p;
408 uint32_t id = ebml_parse_id(p, &len);
409 if (len > end - p)
410 goto past_end_error;
411 if (len < 0) {
412 mp_msg(MSGT_DEMUX, MSGL_DBG2, "[mkv] Error parsing subelement "
413 "id\n");
414 goto other_error;
416 p += len;
417 uint64_t length = ebml_parse_length(p, &len);
418 if (len > end - p)
419 goto past_end_error;
420 if (len < 0) {
421 mp_msg(MSGT_DEMUX, MSGL_DBG2, "[mkv] Error parsing subelement "
422 "length\n");
423 goto other_error;
425 p += len;
427 int field_idx = -1;
428 for (int i = 0; i < type->field_count; i++)
429 if (type->fields[i].id == id) {
430 field_idx = i;
431 num_elems[i]++;
432 break;
435 if (length > end - p) {
436 if (field_idx >= 0 && type->fields[field_idx].desc->type
437 != EBML_TYPE_SUBELEMENTS) {
438 mp_msg(MSGT_DEMUX, MSGL_DBG2, "[mkv] Subelement content goes "
439 "past end of containing element\n");
440 goto other_error;
442 // Try to parse what is possible from inside this partial element
443 ctx->has_errors = true;
444 length = end - p;
446 p += length;
448 continue;
450 past_end_error:
451 mp_msg(MSGT_DEMUX, MSGL_DBG2, "[mkv] Subelement headers go "
452 "past end of containing element\n");
453 other_error:
454 ctx->has_errors = true;
455 end = startp;
456 break;
459 for (int i = 0; i < type->field_count; i++)
460 if (num_elems[i] && type->fields[i].multiple) {
461 char *ptr = s + type->fields[i].offset;
462 switch (type->fields[i].desc->type) {
463 case EBML_TYPE_SUBELEMENTS:
464 num_elems[i] = FFMIN(num_elems[i],
465 1000000000 / type->fields[i].desc->size);
466 int size = num_elems[i] * type->fields[i].desc->size;
467 *(generic_struct **) ptr = talloc_zero_size(ctx->talloc_ctx,
468 size);
469 break;
470 case EBML_TYPE_UINT:
471 *(uint64_t **) ptr = talloc_zero_array(ctx->talloc_ctx,
472 uint64_t, num_elems[i]);
473 break;
474 case EBML_TYPE_SINT:
475 *(int64_t **) ptr = talloc_zero_array(ctx->talloc_ctx,
476 int64_t, num_elems[i]);
477 break;
478 case EBML_TYPE_FLOAT:
479 *(double **) ptr = talloc_zero_array(ctx->talloc_ctx,
480 double, num_elems[i]);
481 break;
482 case EBML_TYPE_STR:
483 case EBML_TYPE_BINARY:
484 *(struct bstr **) ptr = talloc_zero_array(ctx->talloc_ctx,
485 struct bstr,
486 num_elems[i]);
487 break;
488 case EBML_TYPE_EBML_ID:
489 *(int32_t **) ptr = talloc_zero_array(ctx->talloc_ctx,
490 uint32_t, num_elems[i]);
491 break;
492 default:
493 abort();
497 while (data < end) {
498 int len;
499 uint32_t id = ebml_parse_id(data, &len);
500 assert(len >= 0 && len <= end - data);
501 data += len;
502 uint64_t length = ebml_parse_length(data, &len);
503 assert(len >= 0 && len <= end - data);
504 data += len;
505 if (length > end - data) {
506 // Try to parse what is possible from inside this partial element
507 length = end - data;
508 mp_msg(MSGT_DEMUX, MSGL_DBG2, "[mkv] Next subelement content goes "
509 "past end of containing element, will be truncated\n");
511 int field_idx = -1;
512 for (int i = 0; i < type->field_count; i++)
513 if (type->fields[i].id == id) {
514 field_idx = i;
515 break;
517 if (field_idx < 0) {
518 if (id == 0xec)
519 mp_msg(MSGT_DEMUX, MSGL_DBG2, "%.*s[mkv] Ignoring Void element "
520 "size: %"PRIu64"\n", level+1, " ", length);
521 else if (id == 0xbf)
522 mp_msg(MSGT_DEMUX, MSGL_DBG2, "%.*s[mkv] Ignoring CRC-32 "
523 "element size: %"PRIu64"\n", level+1, " ",
524 length);
525 else
526 mp_msg(MSGT_DEMUX, MSGL_DBG2, "[mkv] Ignoring unrecognized "
527 "subelement. ID: %x size: %"PRIu64"\n", id, length);
528 data += length;
529 continue;
531 const struct ebml_field_desc *fd = &type->fields[field_idx];
532 const struct ebml_elem_desc *ed = fd->desc;
533 bool multiple = fd->multiple;
534 int *countptr = (int *) (s + fd->count_offset);
535 if (*countptr >= num_elems[field_idx]) {
536 // Shouldn't happen with on any sane file without bugs
537 mp_msg(MSGT_DEMUX, MSGL_ERR, "[mkv] Too many subelems?\n");
538 ctx->has_errors = true;
539 data += length;
540 continue;
542 if (*countptr > 0 && !multiple) {
543 mp_msg(MSGT_DEMUX, MSGL_DBG2, "[mkv] Another subelement of type "
544 "%x %s (size: %"PRIu64"). Only one allowed. Ignoring.\n",
545 id, ed->name, length);
546 ctx->has_errors = true;
547 data += length;
548 continue;
550 mp_msg(MSGT_DEMUX, MSGL_DBG2, "%.*s[mkv] Parsing %x %s size: %"PRIu64
551 " value: ", level+1, " ", id, ed->name, length);
553 char *fieldptr = s + fd->offset;
554 switch (ed->type) {
555 case EBML_TYPE_SUBELEMENTS:
556 mp_msg(MSGT_DEMUX, MSGL_DBG2, "subelements\n");
557 char *subelptr;
558 if (multiple) {
559 char *array_start = (char *) *(generic_struct **) fieldptr;
560 subelptr = array_start + *countptr * ed->size;
561 } else
562 subelptr = fieldptr;
563 ebml_parse_element(ctx, subelptr, data, length, ed, level + 1);
564 break;
566 case EBML_TYPE_UINT:;
567 uint64_t *uintptr;
568 #define GETPTR(subelptr, fieldtype) \
569 if (multiple) \
570 subelptr = *(fieldtype **) fieldptr + *countptr; \
571 else \
572 subelptr = (fieldtype *) fieldptr
573 GETPTR(uintptr, uint64_t);
574 if (length < 1 || length > 8) {
575 mp_msg(MSGT_DEMUX, MSGL_DBG2, "uint invalid length %"PRIu64
576 "\n", length);
577 goto error;
579 *uintptr = ebml_parse_uint(data, length);
580 mp_msg(MSGT_DEMUX, MSGL_DBG2, "uint %"PRIu64"\n", *uintptr);
581 break;
583 case EBML_TYPE_SINT:;
584 int64_t *sintptr;
585 GETPTR(sintptr, int64_t);
586 if (length < 1 || length > 8) {
587 mp_msg(MSGT_DEMUX, MSGL_DBG2, "sint invalid length %"PRIu64
588 "\n", length);
589 goto error;
591 *sintptr = ebml_parse_sint(data, length);
592 mp_msg(MSGT_DEMUX, MSGL_DBG2, "sint %"PRId64"\n", *sintptr);
593 break;
595 case EBML_TYPE_FLOAT:;
596 double *floatptr;
597 GETPTR(floatptr, double);
598 if (length != 4 && length != 8) {
599 mp_msg(MSGT_DEMUX, MSGL_DBG2, "float invalid length %"PRIu64
600 "\n", length);
601 goto error;
603 *floatptr = ebml_parse_float(data, length);
604 mp_msg(MSGT_DEMUX, MSGL_DBG2, "float %f\n", *floatptr);
605 break;
607 case EBML_TYPE_STR:
608 case EBML_TYPE_BINARY:;
609 struct bstr *strptr;
610 GETPTR(strptr, struct bstr);
611 strptr->start = data;
612 strptr->len = length;
613 if (ed->type == EBML_TYPE_STR)
614 mp_msg(MSGT_DEMUX, MSGL_DBG2, "string \"%.*s\"\n",
615 BSTR_P(*strptr));
616 else
617 mp_msg(MSGT_DEMUX, MSGL_DBG2, "binary %zd bytes\n",
618 strptr->len);
619 break;
621 case EBML_TYPE_EBML_ID:;
622 uint32_t *idptr;
623 GETPTR(idptr, uint32_t);
624 *idptr = ebml_parse_id(data, &len);
625 if (len != length) {
626 mp_msg(MSGT_DEMUX, MSGL_DBG2, "ebml_id broken value\n");
627 goto error;
629 mp_msg(MSGT_DEMUX, MSGL_DBG2, "ebml_id %x\n", (unsigned)*idptr);
630 break;
631 default:
632 abort();
634 *countptr += 1;
635 error:
636 data += length;
640 // target must be initialized to zero
641 int ebml_read_element(struct stream *s, struct ebml_parse_ctx *ctx,
642 void *target, const struct ebml_elem_desc *desc)
644 ctx->has_errors = false;
645 int msglevel = ctx->no_error_messages ? MSGL_DBG2 : MSGL_WARN;
646 uint64_t length = ebml_read_length(s, &ctx->bytes_read);
647 if (s->eof) {
648 mp_msg(MSGT_DEMUX, msglevel, "[mkv] Unexpected end of file "
649 "- partial or corrupt file?\n");
650 return -1;
652 if (length > 1000000000) {
653 mp_msg(MSGT_DEMUX, msglevel, "[mkv] Refusing to read element over "
654 "100 MB in size\n");
655 return -1;
657 ctx->talloc_ctx = talloc_size(NULL, length + 8);
658 int read_len = stream_read(s, ctx->talloc_ctx, length);
659 ctx->bytes_read += read_len;
660 if (read_len < length)
661 mp_msg(MSGT_DEMUX, msglevel, "[mkv] Unexpected end of file "
662 "- partial or corrupt file?\n");
663 ebml_parse_element(ctx, target, ctx->talloc_ctx, read_len, desc, 0);
664 if (ctx->has_errors)
665 mp_msg(MSGT_DEMUX, msglevel, "[mkv] Error parsing element %s\n",
666 desc->name);
667 return 0;