1 const char deanimate_rcs[] = "$Id: deanimate.c,v 1.15 2007/01/03 14:39:19 fabiankeil Exp $"; /* RCS id of this source file, embedded as a string in the object */
2 /*********************************************************************
4 * File : $Source: /cvsroot/ijbswa/current/deanimate.c,v $
6 * Purpose : Declares functions to manipulate binary images on the
7 * fly. High-level functions include:
8 * - Deanimation of GIF images
9 * - Fixup of malformed comment block in JPEG headers
11 * Functions declared include: gif_deanimate, buf_free,
12 * buf_copy, buf_getbyte, gif_skip_data_block,
13 * gif_extract_image and jpeg_inspect
15 * Copyright : Written by and Copyright (C) 2001 - 2004, 2006 by the
16 * SourceForge Privoxy team. http://www.privoxy.org/
18 * Based on the GIF file format specification (see
19 * http://tronche.com/computer-graphics/gif/gif89a.html)
20 * and ideas from the Image::DeAnim Perl module by
21 * Ken MacFarlane, <ksm+cpan@universal.dca.net>
23 * This program is free software; you can redistribute it
24 * and/or modify it under the terms of the GNU General
25 * Public License as published by the Free Software
26 * Foundation; either version 2 of the License, or (at
27 * your option) any later version.
29 * This program is distributed in the hope that it will
30 * be useful, but WITHOUT ANY WARRANTY; without even the
31 * implied warranty of MERCHANTABILITY or FITNESS FOR A
32 * PARTICULAR PURPOSE. See the GNU General Public
33 * License for more details.
35 * The GNU General Public License should be included with
36 * this file. If not, you can view it at
37 * http://www.gnu.org/copyleft/gpl.html
38 * or write to the Free Software Foundation, Inc., 59
39 * Temple Place - Suite 330, Boston, MA 02111-1307, USA.
42 * $Log: deanimate.c,v $
43 * Revision 1.15 2007/01/03 14:39:19 fabiankeil
44 * Fix a gcc43 warning and mark the binbuffer
45 * as immutable for buf_getbyte().
47 * Revision 1.14 2006/07/18 14:48:45 david__schmidt
48 * Reorganizing the repository: swapping out what was HEAD (the old 3.1 branch)
49 * with what was really the latest development (the v_3_0_branch branch)
51 * Revision 1.12.2.1 2004/10/03 12:53:32 david__schmidt
52 * Add the ability to check jpeg images for invalid
53 * lengths of comment blocks. Defensive strategy
54 * against the exploit:
55 * Microsoft Security Bulletin MS04-028
56 * Buffer Overrun in JPEG Processing (GDI+) Could
57 * Allow Code Execution (833987)
58 * Enabled with +inspect-jpegs in actions files.
60 * Revision 1.12 2002/05/12 21:36:29 jongfoster
61 * Correcting function comments
63 * Revision 1.11 2002/03/26 22:29:54 swa
64 * we have a new homepage!
66 * Revision 1.10 2002/03/24 13:25:43 swa
67 * name change related issues
69 * Revision 1.9 2002/03/13 00:27:04 jongfoster
72 * Revision 1.8 2002/03/09 19:42:47 jongfoster
73 * Fixing more warnings
75 * Revision 1.7 2002/03/08 17:46:04 jongfoster
76 * Fixing int/size_t warnings
78 * Revision 1.6 2002/03/07 03:46:17 oes
79 * Fixed compiler warnings
81 * Revision 1.5 2001/09/10 10:16:06 oes
82 * Silenced compiler warnings
84 * Revision 1.4 2001/07/18 12:28:49 oes
85 * - Added feature for extracting the first frame
87 * - Separated image buffer extension into buf_extend
88 * - Extended gif deanimation to GIF87a (untested!)
91 * Revision 1.3 2001/07/15 13:57:50 jongfoster
92 * Adding #includes string.h and miscutil.h
94 * Revision 1.2 2001/07/13 13:46:20 oes
95 * Introduced GIF deanimation feature
98 **********************************************************************/
108 #include "deanimate.h"
109 #include "miscutil.h"
111 const char deanimate_h_rcs[] = DEANIMATE_H_VERSION; /* version id of the matching header, kept next to this file's own deanimate_rcs */
113 /*********************************************************************
115 * Function : buf_free
117 * Description : Safely frees a struct binbuffer
120 * 1 : buf = Pointer to the binbuffer to be freed
124 *********************************************************************/
125 void buf_free(struct binbuffer *buf) /* NULL-tolerant: a NULL buf is a no-op */
127 if (buf == NULL) return;
129 if (buf->buffer != NULL) /* buffer may still be NULL for a binbuffer that was never extended; NOTE(review): the release of buf->buffer and of buf itself is not visible in this listing — confirm both happen */
139 /*********************************************************************
141 * Function : buf_extend
143 * Description : Ensure that a given binbuffer can hold a given amount
144 * of bytes, by reallocating its buffer if necessary.
145 * Allocate new mem in chunks of 1024 bytes, so we don't
146 * have to realloc() too often.
149 * 1 : buf = Pointer to the binbuffer
150 * 2 : length = Desired minimum size
153 * Returns : 0 on success, 1 on failure.
155 *********************************************************************/
156 int buf_extend(struct binbuffer *buf, size_t length)
160 if (buf->offset + length > buf->size) /* grow only when length bytes past the current offset do not fit; NOTE(review): unchecked size_t addition can wrap for a huge length and defeat this test */
162 buf->size = ((buf->size + length + (size_t)1023) & ~(size_t)1023); /* round the new capacity up to a multiple of 1024 so realloc() is called rarely; same wrap caveat as above */
163 newbuf = (char *)realloc(buf->buffer, buf->size); /* realloc into a temporary so buf keeps its old buffer if the call fails */
172 buf->buffer = newbuf; /* presumably reached only after newbuf was checked for NULL in lines not visible here — TODO confirm */
181 /*********************************************************************
183 * Function : buf_copy
185 * Description : Safely copies a given amount of bytes from one
186 * struct binbuffer to another, advancing the
187 * offsets appropriately.
190 * 1 : src = Pointer to the source binbuffer
191 * 2 : dst = Pointer to the destination binbuffer
192 * 3 : length = Number of bytes to be copied
194 * Returns : 0 on success, 1 on failure.
196 *********************************************************************/
197 int buf_copy(struct binbuffer *src, struct binbuffer *dst, size_t length)
201 * Sanity check: Can't copy more data than we have
203 if (src->offset + length > src->size) /* source bounds check; NOTE(review): size_t addition can wrap for a huge length, which would let the check pass */
209 * Ensure that dst can hold the new data
211 if (buf_extend(dst, length)) /* buf_extend() returns non-zero on failure, which is propagated as 1 below (failure branches not visible here) */
217 * Now that it's safe, memcpy() the desired amount of
218 * data from src to dst and adjust the offsets
220 memcpy(dst->buffer + dst->offset, src->buffer + src->offset, length); /* memcpy() requires non-overlapping regions — assumes src and dst are distinct binbuffers; TODO confirm no caller passes the same buffer twice */
221 src->offset += length;
222 dst->offset += length;
229 /*********************************************************************
231 * Function : buf_getbyte
233 * Description : Safely gets a byte from a given binbuffer at a
237 * 1 : src = Pointer to the source binbuffer
238 * 2 : offset = Offset to the desired byte
240 * Returns : The byte on success, or 0 on failure
242 *********************************************************************/
243 unsigned char buf_getbyte(const struct binbuffer *src, size_t offset)
245 if (src->offset + offset < src->size) /* in range only if the byte lies strictly before the end of the data */
247 return (unsigned char)*(src->buffer + src->offset + offset); /* out-of-range reads yield 0 (see header): callers looping on != '\0' therefore also stop at a truncated buffer, but cannot distinguish a real 0x00 byte from end-of-data */
257 /*********************************************************************
259 * Function : gif_skip_data_block
261 * Description : Safely advances the offset of a given struct binbuffer
262 * that contains a GIF image and whose offset is
263 * positioned at the start of a data block, behind
267 * 1 : buf = Pointer to the binbuffer
269 * Returns : 0 on success, or 1 on failure
271 *********************************************************************/
272 int gif_skip_data_block(struct binbuffer *buf)
277 * Data blocks are sequences of chunks, which are headed
278 * by a one-byte length field, with the last chunk having
281 while((c = buf_getbyte(buf, 0)) != '\0') /* a zero length byte ends the block; buf_getbyte() also returns 0 past the end of the buffer, so a truncated image ends the loop too */
283 buf->offset += (size_t)c + 1; /* skip the length byte plus its c payload bytes */
284 if (buf->offset >= buf->size - 1) /* refuse to run past the data (the failure return of 1 is in lines not shown); buf->size - 1 would wrap for size 0, but then buf_getbyte() already returned 0 and this body is never entered */
296 /*********************************************************************
298 * Function : gif_extract_image
300 * Description : Safely extracts an image data block from a given
301 * struct binbuffer that contains a GIF image and whose
302 * offset is positioned at the start of a data block
303 * into a given destination binbuffer.
306 * 1 : src = Pointer to the source binbuffer
307 * 2 : dst = Pointer to the destination binbuffer
309 * Returns : 0 on success, or 1 on failure
311 *********************************************************************/
312 int gif_extract_image(struct binbuffer *src, struct binbuffer *dst)
317 * Remember the colormap flag and copy the image head
319 c = buf_getbyte(src, 9); /* packed-fields byte of the 10-byte image descriptor (local colormap flag and size bits, per the GIF89a spec); 0 if src is too short */
320 if (buf_copy(src, dst, 10))
326 * If the image has a local colormap, copy it.
330 if (buf_copy(src, dst, (size_t) 3 * (1 << ((c & 0x07) + 1)))) /* 3 bytes per entry, 2^(n+1) entries; the 3-bit mask bounds this to 3 * 256 bytes */
335 if (buf_copy(src, dst, 1)) return 1; /* the single byte preceding the image sub-blocks (presumably the LZW minimum code size) */
338 * Copy the image chunk by chunk.
340 while((c = buf_getbyte(src, 0)) != '\0') /* each sub-block is a length byte followed by c bytes; 0 terminates, and is also what buf_getbyte() returns past end-of-data */
342 if (buf_copy(src, dst, 1 + (size_t) c)) return 1;
344 if (buf_copy(src, dst, 1)) return 1; /* copy the terminating zero length byte */
347 * Trim and rewind the dst buffer
349 if (NULL == (dst->buffer = (char *)realloc(dst->buffer, dst->offset))) return 1; /* NOTE(review): on realloc() failure dst->buffer is overwritten with NULL and the old block leaks — realloc into a temporary first; with dst->offset == 0 this is also a realloc(p, 0) call, whose result is implementation-defined */
350 dst->size = dst->offset;
357 /*********************************************************************
359 * Function : gif_deanimate
361 * Description : Deanimate a given GIF image, i.e. given a GIF with
362 * an (optional) image block and an arbitrary number
363 * of image extension blocks, produce an output GIF with
364 * only one image block that contains the last image
365 * (extension) block of the original.
366 * Also strip Comments, Application extensions, etc.
369 * 1 : src = Pointer to the source binbuffer
370 * 2 : dst = Pointer to the destination binbuffer
371 * 3 : get_first_image = Flag: If set, get the first image
372 * If unset (default), get the last
374 * Returns : 0 on success, or 1 on failure
376 *********************************************************************/
377 int gif_deanimate(struct binbuffer *src, struct binbuffer *dst, int get_first_image)
380 struct binbuffer *image; /* holds the most recently extracted image block; appended to dst at the end */
382 if (NULL == src || NULL == dst)
387 c = buf_getbyte(src, 10); /* packed-fields byte of the logical screen descriptor (global colormap flag / size bits); 0 if src has fewer than 11 bytes */
390 * Check & copy GIF header
392 if (strncmp(src->buffer, "GIF89a", 6) && strncmp(src->buffer, "GIF87a", 6)) /* NOTE(review): this runs before any length check on src; a buffer shorter than 6 bytes with no NUL in it could be over-read — consider testing src->size first */
398 if (buf_copy(src, dst, 13)) /* signature + logical screen descriptor; buf_copy() fails if src is shorter than that */
405 * Look for global colormap and copy if found.
409 if (buf_copy(src, dst, (size_t) 3 * (1 << ((c & 0x07) + 1)))) /* at most 3 * 256 bytes thanks to the 3-bit mask */
416 * Reserve a buffer for the current image block
418 if (NULL == (image = (struct binbuffer *)zalloc(sizeof(*image)))) /* presumably zero-filled, leaving image->buffer NULL until buf_extend() allocates it — TODO confirm zalloc() semantics */
424 * Parse the GIF block by block and copy the relevant
427 while(src->offset < src->size)
429 switch(buf_getbyte(src, 0)) /* block introducer byte */
432 * End-of-GIF Marker: Append current image and return
438 * Image block: Extract to current image buffer.
442 if (gif_extract_image(src, image)) goto failed;
443 if (get_first_image) goto write; /* first-frame mode: stop at the first image found */
447 * Extension block: Look at next byte and decide
450 switch (buf_getbyte(src, 1)) /* extension label byte */
453 * Image extension: Copy extension header and image
454 * to the current image buffer
458 if (buf_copy(src, image, 8) || buf_getbyte(src, 0) != 0x2c) goto failed; /* the 8 bytes of this extension must be followed directly by an image separator (0x2c) */
459 if (gif_extract_image(src, image)) goto failed;
460 if (get_first_image) goto write;
464 * Application extension: Skip
467 if ((src->offset += 14) >= src->size || gif_skip_data_block(src)) goto failed; /* 2-byte intro + size byte + 11 bytes of application identifier/auth code; the >= test catches skipping past the end of src */
471 * Comment extension: Skip
474 if ((src->offset += 2) >= src->size || gif_skip_data_block(src)) goto failed; /* intro + label only; the comment text follows as sub-blocks */
478 * Plain text extension: Skip
481 if ((src->offset += 15) >= src->size || gif_skip_data_block(src)) goto failed; /* 2-byte intro + size byte + 12-byte fixed part */
485 * Ooops, what type of extension is that?
493 * Ooops, what type of block is that?
499 } /* -END- while src */
502 * Either we got here by goto, or because the GIF is
503 * bogus and EOF was reached before an end-of-gif marker
512 * Append the current image to dst and return
516 if (buf_copy(image, dst, image->size)) goto failed; /* copies image->size bytes from image->offset; relies on gif_extract_image() having trimmed size to the bytes written and on offset being rewound to 0 in lines not shown — TODO confirm */
517 if (buf_extend(dst, 1)) goto failed; /* make room for the trailer byte written next */
518 *(dst->buffer + dst->offset++) = 0x3b; /* end-of-GIF marker */
525 /*********************************************************************
527 * Function : jpeg_inspect
529 * Description : Checks a jpeg image for an invalid length in a
530 * comment block (0xFFFE0000 or 0xFFFE0001) and
531 * changes it to 0xFFFE0002. Defensive strategy
532 * against the exploit:
533 * Microsoft Security Bulletin MS04-028
534 * Buffer Overrun in JPEG Processing (GDI+) Could
535 * Allow Code Execution (833987)
538 * 1 : src = Pointer to the image binbuffer
540 * Returns : 0 on success, or 1 on failure
542 *********************************************************************/
543 int jpeg_inspect(struct binbuffer *src, struct binbuffer *dst)
547 * We process the image using a simple finite state machine,
548 * searching for byte patterns.
550 enum { J_INIT, /* The initial state */
551 J_FF, /* Found byte 0xFF */
552 J_FE, /* Found bytes 0xFF 0xFE */
553 J_00, /* Found bytes 0xFF 0xFE 0x00 */
555 * Found bytes 0xFF 0xDA; short-circuit to done-ness
556 * since this signals the beginning end of headers.
559 short state = J_INIT;
562 if (NULL == src || NULL == dst)
567 if (buf_copy(src, dst, src->size))
572 /* Need to search the jpg for patterns:
573 * 0xFF 0xFE 0x00 0x00
575 * 0xFF 0xFE 0x00 0x01
576 * from beginning until:
578 * (or the end of the buffer)
579 * If found, change the pattern to 0xFF 0xFE 0x00 0x02
582 for (i = 0; i < dst->size; i++)
593 state = J_DA; /* End of headers - we're done with this image. */
606 if ((c == 0x00) || (c == 0x01))
608 dst->buffer[i] = 2; /* Reset comment block size to 2. */
609 log_error(LOG_LEVEL_INFO, "JPEG comment exploit removed.");
611 * I'm unsure if we can have more than one comment block. Just in case,
612 * we'll scan the rest of the header for more by going back to J_INIT
613 * state. If there is no possibility of >1 comment block, we could
614 * short-circuit to done-ness here.