X-Git-Url: http://www.privoxy.org/gitweb/?p=privoxy.git;a=blobdiff_plain;f=deanimate.c;h=2ad811ccc3cae399d0d2e5eacef1a046df8d1457;hp=07515005e24f2ac64ce5f911321e6db8717b3a3a;hb=da7a7f71908233fdd4f8e5a480276bed9d1e04fb;hpb=b277622f6ab31e2787cb5f72fe47cd3a9c198d63 diff --git a/deanimate.c b/deanimate.c index 07515005..2ad811cc 100644 --- a/deanimate.c +++ b/deanimate.c @@ -1,16 +1,18 @@ -const char deanimate_rcs[] = "$Id: $"; +const char deanimate_rcs[] = "$Id: deanimate.c,v 1.18 2008/03/28 15:13:38 fabiankeil Exp $"; /********************************************************************* * - * File : $Source: $ + * File : $Source: /cvsroot/ijbswa/current/deanimate.c,v $ * - * Purpose : Declares functions to deanimate GIF images on the fly. + * Purpose : Declares functions to manipulate binary images on the + * fly. High-level functions include: + * - Deanimation of GIF images * * Functions declared include: gif_deanimate, buf_free, - * buf_copy, buf_getbyte, gif_skip_data_block, and - * gif_extract_image + * buf_copy, buf_getbyte, gif_skip_data_block + * and gif_extract_image * - * Copyright : Written by and Copyright (C) 2001 Andreas S. Oesterhelt - * for the SourceForge IJBSWA team. http://ijbswa.sourceforge.net + * Copyright : Written by and Copyright (C) 2001 - 2004, 2006 by the + * SourceForge Privoxy team. http://www.privoxy.org/ * * Based on the GIF file format specification (see * http://tronche.com/computer-graphics/gif/gif89a.html) @@ -36,17 +38,84 @@ const char deanimate_rcs[] = "$Id: $"; * Temple Place - Suite 330, Boston, MA 02111-1307, USA. * * Revisions : - * $Log: $ + * $Log: deanimate.c,v $ + * Revision 1.18 2008/03/28 15:13:38 fabiankeil + * Remove inspect-jpegs action. + * + * Revision 1.17 2007/08/05 13:42:22 fabiankeil + * #1763173 from Stefan Huehner: declare some more functions static. + * + * Revision 1.16 2007/07/14 08:01:58 fabiankeil + * s@failiure@failure@ + * + * Revision 1.15 2007/01/03 14:39:19 fabiankeil + * Fix a gcc43 warning and mark the binbuffer + * as immutable for buf_getbyte(). + * + * Revision 1.14 2006/07/18 14:48:45 david__schmidt + * Reorganizing the repository: swapping out what was HEAD (the old 3.1 branch) + * with what was really the latest development (the v_3_0_branch branch) + * + * Revision 1.12.2.1 2004/10/03 12:53:32 david__schmidt + * Add the ability to check jpeg images for invalid + * lengths of comment blocks. Defensive strategy + * against the exploit: + * Microsoft Security Bulletin MS04-028 + * Buffer Overrun in JPEG Processing (GDI+) Could + * Allow Code Execution (833987) + * Enabled with +inspect-jpegs in actions files. + * + * Revision 1.12 2002/05/12 21:36:29 jongfoster + * Correcting function comments + * + * Revision 1.11 2002/03/26 22:29:54 swa + * we have a new homepage! + * + * Revision 1.10 2002/03/24 13:25:43 swa + * name change related issues + * + * Revision 1.9 2002/03/13 00:27:04 jongfoster + * Killing warnings + * + * Revision 1.8 2002/03/09 19:42:47 jongfoster + * Fixing more warnings + * + * Revision 1.7 2002/03/08 17:46:04 jongfoster + * Fixing int/size_t warnings + * + * Revision 1.6 2002/03/07 03:46:17 oes + * Fixed compiler warnings + * + * Revision 1.5 2001/09/10 10:16:06 oes + * Silenced compiler warnings + * + * Revision 1.4 2001/07/18 12:28:49 oes + * - Added feature for extracting the first frame + * to gif_deanimate + * - Separated image buffer extension into buf_extend + * - Extended gif deanimation to GIF87a (untested!) + * - Cosmetics + * + * Revision 1.3 2001/07/15 13:57:50 jongfoster + * Adding #includes string.h and miscutil.h + * + * Revision 1.2 2001/07/13 13:46:20 oes + * Introduced GIF deanimation feature + * * **********************************************************************/ #include "config.h" -#include "project.h" -#include "deanimate.h" +#include #include +#include "errlog.h" +#include "project.h" +#include "deanimate.h" +#include "miscutil.h" + const char deanimate_h_rcs[] = DEANIMATE_H_VERSION; /********************************************************************* @@ -75,6 +144,48 @@ void buf_free(struct binbuffer *buf) } +/********************************************************************* + * + * Function : buf_extend + * + * Description : Ensure that a given binbuffer can hold a given amount + * of bytes, by reallocating its buffer if necessary. + * Allocate new mem in chunks of 1024 bytes, so we don't + * have to realloc() too often. + * + * Parameters : + * 1 : buf = Pointer to the binbuffer + * 2 : length = Desired minimum size + * + * + * Returns : 0 on success, 1 on failure. + * + *********************************************************************/ +static int buf_extend(struct binbuffer *buf, size_t length) +{ + char *newbuf; + + if (buf->offset + length > buf->size) + { + buf->size = ((buf->size + length + (size_t)1023) & ~(size_t)1023); + newbuf = (char *)realloc(buf->buffer, buf->size); + + if (newbuf == NULL) + { + freez(buf->buffer); + return 1; + } + else + { + buf->buffer = newbuf; + return 0; + } + } + return 0; + +} + + /********************************************************************* * * Function : buf_copy @@ -88,12 +199,11 @@ void buf_free(struct binbuffer *buf) * 2 : dst = Pointer to the destination binbuffer * 3 : length = Number of bytes to be copied * - * Returns : 0 on success, 1 on failiure. + * Returns : 0 on success, 1 on failure. * *********************************************************************/ -int buf_copy(struct binbuffer *src, struct binbuffer *dst, int length) +static int buf_copy(struct binbuffer *src, struct binbuffer *dst, size_t length) { - char *p; /* * Sanity check: Can't copy more data than we have @@ -104,20 +214,11 @@ int buf_copy(struct binbuffer *src, struct binbuffer *dst, int length) } /* - * If dst can't hold the new data, get mem first. (In chunks - * of 1000 bytes, so we don't have to realloc() too often) + * Ensure that dst can hold the new data */ - if (dst->offset + length > dst->size) + if (buf_extend(dst, length)) { - dst->size = dst->size + length + 1000 - (dst->size + length) % 1000; - p = dst->buffer; - dst->buffer = (char *)realloc(dst->buffer, dst->size); - - if (dst->buffer == NULL) - { - free(p); - return 1; - } + return 1; } /* @@ -141,13 +242,13 @@ int buf_copy(struct binbuffer *src, struct binbuffer *dst, int length) * given offset * * Parameters : - * 1 : buf = Pointer to the source binbuffer + * 1 : src = Pointer to the source binbuffer * 2 : offset = Offset to the desired byte * - * Returns : The byte on success, or 0 on failiure + * Returns : The byte on success, or 0 on failure * *********************************************************************/ -unsigned char buf_getbyte(struct binbuffer *src, int offset) +static unsigned char buf_getbyte(const struct binbuffer *src, size_t offset) { if (src->offset + offset < src->size) { @@ -167,16 +268,16 @@ unsigned char buf_getbyte(struct binbuffer *src, int offset) * * Description : Safely advances the offset of a given struct binbuffer * that contains a GIF image and whose offset is - * positioned at the start of a data block behind + * positioned at the start of a data block, behind * that block. * * Parameters : * 1 : buf = Pointer to the binbuffer * - * Returns : 0 on success, or 1 on failiure + * Returns : 0 on success, or 1 on failure * *********************************************************************/ -int gif_skip_data_block(struct binbuffer *buf) +static int gif_skip_data_block(struct binbuffer *buf) { unsigned char c; @@ -185,9 +286,10 @@ int gif_skip_data_block(struct binbuffer *buf) * by a one-byte length field, with the last chunk having * zero length. */ - while(c = buf_getbyte(buf, 0)) + while((c = buf_getbyte(buf, 0)) != '\0') { - if ((buf->offset += c + 1) >= buf->size - 1) + buf->offset += (size_t)c + 1; + if (buf->offset >= buf->size - 1) { return 1; } @@ -212,13 +314,13 @@ int gif_skip_data_block(struct binbuffer *buf) * 1 : src = Pointer to the source binbuffer * 2 : dst = Pointer to the destination binbuffer * - * Returns : 0 on success, or 1 on failiure + * Returns : 0 on success, or 1 on failure * *********************************************************************/ -int gif_extract_image(struct binbuffer *src, struct binbuffer *dst) +static int gif_extract_image(struct binbuffer *src, struct binbuffer *dst) { unsigned char c; - + /* * Remember the colormap flag and copy the image head */ @@ -233,7 +335,14 @@ int gif_extract_image(struct binbuffer *src, struct binbuffer *dst) */ if (c & 0x80) { - if (buf_copy(src, dst, 3 * (1 << ((c & 0x07) + 1)))) + int map_length = 3 * (1 << ((c & 0x07) + 1)); + if (map_length <= 0) + { + log_error(LOG_LEVEL_DEANIMATE, + "colormap length = %d (%c)?", map_length, c); + return 1; + } + if (buf_copy(src, dst, (size_t)map_length)) { return 1; } @@ -243,16 +352,16 @@ int gif_extract_image(struct binbuffer *src, struct binbuffer *dst) /* * Copy the image chunk by chunk. */ - while(c = buf_getbyte(src, 0)) + while((c = buf_getbyte(src, 0)) != '\0') { - if (buf_copy(src, dst, c + 1)) return 1; + if (buf_copy(src, dst, 1 + (size_t) c)) return 1; } if (buf_copy(src, dst, 1)) return 1; /* * Trim and rewind the dst buffer */ - dst->buffer = (char *)realloc(dst->buffer, dst->offset); + if (NULL == (dst->buffer = (char *)realloc(dst->buffer, dst->offset))) return 1; dst->size = dst->offset; dst->offset = 0; @@ -274,11 +383,13 @@ int gif_extract_image(struct binbuffer *src, struct binbuffer *dst) * Parameters : * 1 : src = Pointer to the source binbuffer * 2 : dst = Pointer to the destination binbuffer + * 3 : get_first_image = Flag: If set, get the first image + * If unset (default), get the last * - * Returns : 0 on success, or 1 on failiure + * Returns : 0 on success, or 1 on failure * *********************************************************************/ -int gif_deanimate(struct binbuffer *src, struct binbuffer *dst) +int gif_deanimate(struct binbuffer *src, struct binbuffer *dst, int get_first_image) { unsigned char c; struct binbuffer *image; @@ -293,9 +404,8 @@ int gif_deanimate(struct binbuffer *src, struct binbuffer *dst) /* * Check & copy GIF header */ - if (strncmp(src->buffer, "GIF89a", 6)) + if (strncmp(src->buffer, "GIF89a", 6) && strncmp(src->buffer, "GIF87a", 6)) { - fprintf(stderr, "This is not a GIF98a!\n"); return 1; } else @@ -311,7 +421,14 @@ int gif_deanimate(struct binbuffer *src, struct binbuffer *dst) */ if(c & 0x80) { - if (buf_copy(src, dst, 3 * (1 << ((c & 0x07) + 1)))) + int map_length = 3 * (1 << ((c & 0x07) + 1)); + if (map_length <= 0) + { + log_error(LOG_LEVEL_DEANIMATE, + "colormap length = %d (%c)?", map_length, c); + return 1; + } + if (buf_copy(src, dst, (size_t)map_length)) { return 1; } @@ -337,22 +454,15 @@ int gif_deanimate(struct binbuffer *src, struct binbuffer *dst) * End-of-GIF Marker: Append current image and return */ case 0x3b: - if (buf_copy(image, dst, image->size) || buf_copy(src, dst, 1)) - { - goto failed; - } - buf_free(image); - return(0); + goto write; /* - * Image block: Extract to current image buffer + * Image block: Extract to current image buffer. */ case 0x2c: image->offset = 0; - if (gif_extract_image(src, image)) - { - goto failed; - } + if (gif_extract_image(src, image)) goto failed; + if (get_first_image) goto write; continue; /* @@ -369,6 +479,7 @@ int gif_deanimate(struct binbuffer *src, struct binbuffer *dst) image->offset = 0; if (buf_copy(src, image, 8) || buf_getbyte(src, 0) != 0x2c) goto failed; if (gif_extract_image(src, image)) goto failed; + if (get_first_image) goto write; continue; /* @@ -419,6 +530,17 @@ failed: buf_free(image); return 1; + /* + * Append the current image to dst and return + */ + +write: + if (buf_copy(image, dst, image->size)) goto failed; + if (buf_extend(dst, 1)) goto failed; + *(dst->buffer + dst->offset++) = 0x3b; + buf_free(image); + return 0; + }