| 1 | /****************************************************************************** |
|---|---|
| 2 | * libbmpread - tiny, fast bitmap (.bmp) image file loader * |
| 3 | * <https://github.com/chazomaticus/libbmpread> * |
| 4 | * Copyright (C) 2005, 2012, 2016, 2018 Charles Lindsay <chaz@chazomatic.us> * |
| 5 | * * |
| 6 | * This software is provided 'as-is', without any express or implied * |
| 7 | * warranty. In no event will the authors be held liable for any damages * |
| 8 | * arising from the use of this software. * |
| 9 | * * |
| 10 | * Permission is granted to anyone to use this software for any purpose, * |
| 11 | * including commercial applications, and to alter it and redistribute it * |
| 12 | * freely, subject to the following restrictions: * |
| 13 | * * |
| 14 | * 1. The origin of this software must not be misrepresented; you must not * |
| 15 | * claim that you wrote the original software. If you use this software * |
| 16 | * in a product, an acknowledgment in the product documentation would be * |
| 17 | * appreciated but is not required. * |
| 18 | * 2. Altered source versions must be plainly marked as such, and must not be * |
| 19 | * misrepresented as being the original software. * |
| 20 | * 3. This notice may not be removed or altered from any source distribution. * |
| 21 | ******************************************************************************/ |
| 22 | |
| 23 | |
| 24 | /* bmpread.c |
| 25 | * version 3.0 |
| 26 | * 2018-02-02 |
| 27 | */ |
| 28 | |
| 29 | |
| 30 | #include "bmpread.h" |
| 31 | |
| 32 | #include <limits.h> |
| 33 | #include <stddef.h> |
| 34 | #include <stdio.h> |
| 35 | #include <stdlib.h> |
| 36 | #include <string.h> |
| 37 | |
| 38 | /* If your compiler doesn't come with stdint.h, which is technically a C99 |
| 39 | * feature, see <http://stackoverflow.com/q/126279>. There are 3rd party |
| 40 | * solutions to this problem, which you should be able to find with a little |
| 41 | * searching. Alternately, just define the following types yourself: uint8_t, |
| 42 | * uint16_t, uint32_t, and int32_t. |
| 43 | */ |
| 44 | #include <stdint.h> |
| 45 | |
| 46 | /* This code makes a number of assumptions about a byte being 8 bits, which is |
| 47 | * technically not required by the C spec(s). It's likely that not a whole lot |
| 48 | * here would need to change if CHAR_BIT != 8, but I haven't taken the time to |
| 49 | * figure out exactly what those changes would be. |
| 50 | */ |
| 51 | #if CHAR_BIT != 8 |
| 52 | #error "libbmpread requires CHAR_BIT == 8" |
| 53 | #endif |
| 54 | |
| 55 | |
| 56 | /* Default value for alpha when none is present in the file. */ |
| 57 | #define BMPREAD_DEFAULT_ALPHA 255 |
| 58 | |
| 59 | /* I've tried to make every effort to remove the possibility of undefined |
| 60 | * behavior and prevent related errors where maliciously crafted files could |
| 61 | * lead to buffer overflows or the like. To that end, we'll start with some |
| 62 | * functions that check various operations for behaving as expected. This one |
| 63 | * returns nonzero if the two size_ts can be added without wrapping, or 0 if |
| 64 | * the result would wrap. |
| 65 | */ |
| 66 | static int CanAdd(size_t a, size_t b) |
| 67 | { |
| 68 | return a <= SIZE_MAX - b; |
| 69 | } |
| 70 | |
| 71 | /* Returns nonzero if the two size_ts can be multiplied without wrapping, or 0 |
| 72 | * if the result would wrap. b must not be 0 (we don't even check here since |
| 73 | * everything we pass in will have been checked before). |
| 74 | */ |
| 75 | static int CanMultiply(size_t a, size_t b) |
| 76 | { |
| 77 | return a <= SIZE_MAX / b; |
| 78 | } |
| 79 | |
| 80 | /* Returns nonzero if the uint32_t can be converted to a size_t without losing |
| 81 | * data, which is always the case on 32-bit systems and higher, or 0 if such a |
| 82 | * conversion would lose data, as could happen on 16-bit systems. |
| 83 | */ |
| 84 | static int CanMakeSizeT(uint32_t x) |
| 85 | { |
| 86 | /* The preprocessor guard is there to prevent a warning about the condition |
| 87 | * inside being true by definition on systems where size_t is at least 32 |
| 88 | * bits. I'm relying on C's integer promotion rules to make this all safe. |
| 89 | * I *think* it works as intended here (either way, typecasts don't really |
| 90 | * help clarify things, so I've gone without). |
| 91 | */ |
| 92 | #if UINT32_MAX > SIZE_MAX |
| 93 | if(x > SIZE_MAX) return 0; |
| 94 | #endif |
| 95 | |
| 96 | (void)x; /* Sometimes unused; this prevents a pedantic warning. */ |
| 97 | return 1; |
| 98 | } |
| 99 | |
| 100 | /* Returns nonzero if the uint32_t can be converted to a long without losing |
| 101 | * data, or 0 if the conversion would lose data. |
| 102 | */ |
| 103 | static int CanMakeLong(uint32_t x) |
| 104 | { |
| 105 | #if UINT32_MAX > LONG_MAX |
| 106 | if(x > LONG_MAX) return 0; |
| 107 | #endif |
| 108 | |
| 109 | (void)x; /* Sometimes unused. */ |
| 110 | return 1; |
| 111 | } |
| 112 | |
| 113 | /* Returns nonzero if the int32_t can be negated properly. INT32_MIN doesn't |
| 114 | * work because its positive value isn't representable inside an int32_t (given |
| 115 | * two's complement). |
| 116 | */ |
| 117 | static int CanNegate(int32_t x) |
| 118 | { |
| 119 | return x != INT32_MIN; |
| 120 | } |
| 121 | |
| 122 | /* Reads up to 4 little-endian bytes from fp and stores the result in the |
| 123 | * uint32_t pointed to by dest in the host's byte order. Returns 0 on EOF or |
| 124 | * nonzero on success. |
| 125 | */ |
| 126 | static int ReadLittleBytes(uint32_t * dest, int bytes, FILE * fp) |
| 127 | { |
| 128 | uint32_t shift = 0; |
| 129 | |
| 130 | *dest = 0; |
| 131 | |
| 132 | while(bytes--) |
| 133 | { |
| 134 | int byte; |
| 135 | if((byte = fgetc(fp)) == EOF) return 0; |
| 136 | |
| 137 | *dest += (uint32_t)byte << shift; |
| 138 | shift += 8; |
| 139 | } |
| 140 | |
| 141 | return 1; |
| 142 | } |
| 143 | |
| 144 | /* Reads a little-endian uint32_t from fp and stores the result in *dest in the |
| 145 | * host's byte order. Returns 0 on EOF or nonzero on success. |
| 146 | */ |
| 147 | #define ReadLittleUint32(dest, fp) ReadLittleBytes(dest, 4, fp) |
| 148 | |
| 149 | /* Reads a little-endian int32_t from fp and stores the result in *dest in the |
| 150 | * host's byte order. Returns 0 on EOF or nonzero on success. |
| 151 | */ |
| 152 | static int ReadLittleInt32(int32_t * dest, FILE * fp) |
| 153 | { |
| 154 | /* I *believe* casting unsigned -> signed is implementation-defined when |
| 155 | * the unsigned value is out of range for the signed type, which would be |
| 156 | * the case for any negative number we've just read out of the file into a |
| 157 | * uint. This is a portable way to "reinterpret" the bits as signed |
| 158 | * without running into undefined/implementation-defined behavior. I |
| 159 | * think. |
| 160 | */ |
| 161 | union int32_signedness_swap |
| 162 | { |
| 163 | uint32_t uint32; |
| 164 | int32_t int32; |
| 165 | |
| 166 | } t; |
| 167 | |
| 168 | if(!ReadLittleBytes(&t.uint32, 4, fp)) return 0; |
| 169 | *dest = t.int32; |
| 170 | return 1; |
| 171 | } |
| 172 | |
| 173 | /* Reads a little-endian uint16_t from fp and stores the result in *dest in the |
| 174 | * host's byte order. Returns 0 on EOF or nonzero n success. |
| 175 | */ |
| 176 | static int ReadLittleUint16(uint16_t * dest, FILE * fp) |
| 177 | { |
| 178 | uint32_t t; |
| 179 | if(!ReadLittleBytes(&t, 2, fp)) return 0; |
| 180 | *dest = (uint16_t)t; |
| 181 | return 1; |
| 182 | } |
| 183 | |
| 184 | /* Reads a uint8_t from fp and stores the result in *dest. Returns 0 on EOF or |
| 185 | * nonzero on success. |
| 186 | */ |
| 187 | static int ReadUint8(uint8_t * dest, FILE * fp) |
| 188 | { |
| 189 | int byte; |
| 190 | if((byte = fgetc(fp)) == EOF) return 0; |
| 191 | *dest = (uint8_t)byte; |
| 192 | return 1; |
| 193 | } |
| 194 | |
| 195 | /* Bitmap file header, including magic bytes. |
| 196 | */ |
| 197 | typedef struct bmp_header |
| 198 | { |
| 199 | uint8_t magic[2]; /* Magic bytes 'B' and 'M'. */ |
| 200 | uint32_t file_size; /* Size of whole file. */ |
| 201 | uint32_t unused; /* Should be 0. */ |
| 202 | uint32_t data_offset; /* Offset from beginning of file to bitmap data. */ |
| 203 | |
| 204 | } bmp_header; |
| 205 | |
| 206 | /* Reads a bitmap header from fp into header. Returns 0 on EOF or invalid |
| 207 | * header, or nonzero on success. |
| 208 | */ |
| 209 | static int ReadHeader(bmp_header * header, FILE * fp) |
| 210 | { |
| 211 | if(!ReadUint8(&header->magic[0], fp)) return 0; |
| 212 | if(!ReadUint8(&header->magic[1], fp)) return 0; |
| 213 | |
| 214 | /* If it doesn't look like a bitmap header, don't even bother. */ |
| 215 | if(header->magic[0] != 0x42 /* 'B' */) return 0; |
| 216 | if(header->magic[1] != 0x4d /* 'M' */) return 0; |
| 217 | |
| 218 | if(!ReadLittleUint32(&header->file_size, fp)) return 0; |
| 219 | if(!ReadLittleUint32(&header->unused, fp)) return 0; |
| 220 | if(!ReadLittleUint32(&header->data_offset, fp)) return 0; |
| 221 | |
| 222 | return 1; |
| 223 | } |
| 224 | |
| 225 | /* How many bytes in the file are occupied by a header, by definition in the |
| 226 | * spec. Note that even though our definition logically matches the spec's, C |
| 227 | * struct padding/packing rules mean it might not be the same as |
| 228 | * sizeof(bmp_header). |
| 229 | */ |
| 230 | #define BMP_HEADER_SIZE 14 |
| 231 | |
| 232 | /* Bitmap info: comes immediately after the header and describes the image. |
| 233 | */ |
| 234 | typedef struct bmp_info |
| 235 | { |
| 236 | uint32_t info_size; /* Size of info struct (> sizeof(bmp_info)). */ |
| 237 | int32_t width; /* Width of image. */ |
| 238 | int32_t height; /* Height (< 0 means right-side up). */ |
| 239 | uint16_t planes; /* Planes (should be 1). */ |
| 240 | uint16_t bits; /* Number of bits (1, 4, 8, 16, 24, or 32). */ |
| 241 | uint32_t compression; /* See COMPRESSION_* values below. */ |
| 242 | uint32_t unused0[3]; /* We don't care about these fields. */ |
| 243 | uint32_t colors; /* How many colors in the palette, 0 = 1<<bits. */ |
| 244 | uint32_t unused1; /* Another field we don't care about. */ |
| 245 | uint32_t masks[4]; /* Bitmasks for 16- and 32-bit images. */ |
| 246 | |
| 247 | /* There can be additional later fields in the actual file info, but we |
| 248 | * don't need them here. |
| 249 | */ |
| 250 | |
| 251 | } bmp_info; |
| 252 | |
| 253 | /* We don't support files in bitmap formats older than Windows 3, due to |
| 254 | * incompatibilities I didn't want to bother coding around. info_size is |
| 255 | * defined as 40 for both Windows 3 and NT bitmap formats (together "bitmap |
| 256 | * version 3" format), and gets larger in later incarnations. We *don't* |
| 257 | * support Windows NT format, which is just to say we don't support 16- or |
| 258 | * 32-bit depths before "bitmap version 4", because their data is in an awkward |
| 259 | * format. |
| 260 | */ |
| 261 | #define BMP3_INFO_SIZE 40 |
| 262 | #define MIN_INFO_SIZE BMP3_INFO_SIZE |
| 263 | |
| 264 | /* Values for the compression field. We only support COMPRESSION_NONE and |
| 265 | * COMPRESSION_BITFIELDS so far. |
| 266 | */ |
| 267 | #define COMPRESSION_NONE 0 |
| 268 | #define COMPRESSION_RLE8 1 |
| 269 | #define COMPRESSION_RLE4 2 |
| 270 | #define COMPRESSION_BITFIELDS 3 |
| 271 | |
| 272 | /* Reads bitmap metadata from fp into info. Returns 0 on EOF or invalid info, |
| 273 | * or nonzero on success. info is assumed to be initialized to 0 already. |
| 274 | */ |
| 275 | static int ReadInfo(bmp_info * info, FILE * fp) |
| 276 | { |
| 277 | if(!ReadLittleUint32(&info->info_size, fp)) return 0; |
| 278 | |
| 279 | /* Older formats might not have all the fields we require, so this check |
| 280 | * comes first. |
| 281 | */ |
| 282 | if(info->info_size < MIN_INFO_SIZE) return 0; |
| 283 | |
| 284 | if(!ReadLittleInt32( &info->width, fp)) return 0; |
| 285 | if(!ReadLittleInt32( &info->height, fp)) return 0; |
| 286 | if(!ReadLittleUint16(&info->planes, fp)) return 0; |
| 287 | if(!ReadLittleUint16(&info->bits, fp)) return 0; |
| 288 | if(!ReadLittleUint32(&info->compression, fp)) return 0; |
| 289 | if(!ReadLittleUint32(&info->unused0[0], fp)) return 0; |
| 290 | if(!ReadLittleUint32(&info->unused0[1], fp)) return 0; |
| 291 | if(!ReadLittleUint32(&info->unused0[2], fp)) return 0; |
| 292 | if(!ReadLittleUint32(&info->colors, fp)) return 0; |
| 293 | if(!ReadLittleUint32(&info->unused1, fp)) return 0; |
| 294 | |
| 295 | /* We don't bother to even try to read bitmasks if they aren't needed, |
| 296 | * since they won't be present in Windows 3 format bitmap files. |
| 297 | */ |
| 298 | if(info->compression == COMPRESSION_BITFIELDS) |
| 299 | { |
| 300 | /* Reject Windows NT format files with bitfields, since we don't |
| 301 | * support them, and their masks aren't part of the info header anyway. |
| 302 | */ |
| 303 | if(info->info_size == BMP3_INFO_SIZE) return 0; |
| 304 | |
| 305 | if(!ReadLittleUint32(&info->masks[0], fp)) return 0; |
| 306 | if(!ReadLittleUint32(&info->masks[1], fp)) return 0; |
| 307 | if(!ReadLittleUint32(&info->masks[2], fp)) return 0; |
| 308 | if(!ReadLittleUint32(&info->masks[3], fp)) return 0; |
| 309 | } |
| 310 | |
| 311 | return 1; |
| 312 | } |
| 313 | |
| 314 | /* Bitfields for 16- and 32-bit files. We track the first set bit (rightmost |
| 315 | * being 0) and how many bits it spans. |
| 316 | */ |
| 317 | typedef struct bitfield |
| 318 | { |
| 319 | uint32_t start; |
| 320 | uint32_t span; |
| 321 | |
| 322 | } bitfield; |
| 323 | |
| 324 | /* Applies a bitfield mask to a value, x. |
| 325 | */ |
| 326 | #define ApplyBitfield(x, bitfield) \ |
| 327 | (((x) >> (bitfield).start) & ((UINT32_C(1) << (bitfield).span) - 1)) |
| 328 | |
| 329 | /* Turns a single mask component into a bitfield. Returns 0 if the bitmask was |
| 330 | * invalid, or nonzero if it's ok. Span of 0 means the bitmask was absent. |
| 331 | */ |
| 332 | static int ParseBitfield(bitfield * field, uint32_t mask) |
| 333 | { |
| 334 | uint32_t bit; |
| 335 | for(bit = 0; bit < 32 && !(mask & (UINT32_C(1) << bit)); bit++) |
| 336 | ; |
| 337 | |
| 338 | if(bit >= 32) |
| 339 | { |
| 340 | /* Absent bitmasks are valid. */ |
| 341 | field->start = field->span = 0; |
| 342 | return 1; |
| 343 | } |
| 344 | |
| 345 | field->start = bit; |
| 346 | for(; bit < 32 && (mask & (UINT32_C(1) << bit)); bit++) |
| 347 | ; |
| 348 | field->span = bit - field->start; |
| 349 | |
| 350 | /* If there are more set bits, there was a gap, which is invalid. */ |
| 351 | if(bit < 32 && (mask & ~((UINT32_C(1) << bit) - 1))) return 0; |
| 352 | |
| 353 | return 1; |
| 354 | } |
| 355 | |
| 356 | /* A single color entry in the palette, in file order (BGR + one unused byte). |
| 357 | */ |
| 358 | typedef struct bmp_color |
| 359 | { |
| 360 | uint8_t blue; |
| 361 | uint8_t green; |
| 362 | uint8_t red; |
| 363 | uint8_t unused; |
| 364 | |
| 365 | } bmp_color; |
| 366 | |
| 367 | /* How many bytes in the file are occupied by a palette entry, by definition in |
| 368 | * the spec (and again note that it might not be the same as |
| 369 | * sizeof(bmp_color), even if we match). |
| 370 | */ |
| 371 | #define BMP_COLOR_SIZE 4 |
| 372 | |
| 373 | /* Reads the given number of colors from fp into the palette array. Returns 0 |
| 374 | * on EOF or nonzero on success. |
| 375 | */ |
| 376 | static int ReadPalette(bmp_color * palette, int colors, FILE * fp) |
| 377 | { |
| 378 | /* This isn't the guaranteed-fastest way to implement this, but it should |
| 379 | * perform quite well in practice due to compiler optimization and stdio |
| 380 | * input buffering. It's implemented this way because of how simple the |
| 381 | * code is, while avoiding undefined and implementation-defined behavior or |
| 382 | * allocating any memory. If you aren't averse to an extra allocation (or |
| 383 | * using a chunk of the stack), it might be made faster while still |
| 384 | * avoiding implementation-defined behavior by reading the entire palette |
| 385 | * into one big buffer up front, then copying bytes into place. |
| 386 | */ |
| 387 | int i; |
| 388 | for(i = 0; i < colors; i++) |
| 389 | { |
| 390 | uint8_t components[BMP_COLOR_SIZE]; |
| 391 | if(fread(components, 1, sizeof(components), fp) != sizeof(components)) |
| 392 | return 0; |
| 393 | |
| 394 | palette[i].blue = components[0]; |
| 395 | palette[i].green = components[1]; |
| 396 | palette[i].red = components[2]; |
| 397 | palette[i].unused = components[3]; |
| 398 | } |
| 399 | return 1; |
| 400 | } |
| 401 | |
| 402 | /* Context shared between the below functions. |
| 403 | */ |
| 404 | typedef struct read_context |
| 405 | { |
| 406 | unsigned int flags; /* Flags passed to bmpread. */ |
| 407 | FILE * fp; /* File pointer. */ |
| 408 | bmp_header header; /* Bitmap file header. */ |
| 409 | bmp_info info; /* Bitmap file info. */ |
| 410 | uint32_t headers_size; /* Total size of header + info. */ |
| 411 | uint32_t after_headers; /* Size of space for palette. */ |
| 412 | int32_t lines; /* How many scan lines (abs(height)). */ |
| 413 | size_t file_line_len; /* How many bytes each scan line is. */ |
| 414 | size_t out_channels; /* Output color channels (3, or 4=alpha). */ |
| 415 | size_t out_line_len; /* Bytes in each output line. */ |
| 416 | bitfield bitfields[4]; /* How to decode 16- and 32-bits. */ |
| 417 | bmp_color * palette; /* Enough entries for our bit depth. */ |
| 418 | uint8_t * file_data; /* A line of data in the file. */ |
| 419 | uint8_t * data_out; /* RGB(A) data output buffer. */ |
| 420 | |
| 421 | } read_context; |
| 422 | |
| 423 | /* A sub-function to Validate() that handles the bitfields. Returns 0 on |
| 424 | * invalid bitfields or nonzero on success. Note that we don't treat odd |
| 425 | * bitmasks such as R8G8 or A1G1B1 as invalid, even though they may not load in |
| 426 | * most other loaders. |
| 427 | */ |
| 428 | static int ValidateBitfields(read_context * p_ctx) |
| 429 | { |
| 430 | bitfield * bf = p_ctx->bitfields; |
| 431 | |
| 432 | uint32_t total_mask = 0; |
| 433 | bitfield total_field; |
| 434 | |
| 435 | int i; |
| 436 | |
| 437 | if(p_ctx->info.compression != COMPRESSION_BITFIELDS) |
| 438 | return 1; |
| 439 | |
| 440 | for(i = 0; i < 4; i++) |
| 441 | { |
| 442 | /* No overlapping masks. */ |
| 443 | if(total_mask & p_ctx->info.masks[i]) return 0; |
| 444 | total_mask |= p_ctx->info.masks[i]; |
| 445 | |
| 446 | if(!ParseBitfield(&bf[i], p_ctx->info.masks[i])) return 0; |
| 447 | |
| 448 | /* Make sure we fit in our bit size. */ |
| 449 | if(bf[i].start + bf[i].span > p_ctx->info.bits) return 0; |
| 450 | } |
| 451 | |
| 452 | if(!total_mask) return 0; |
| 453 | |
| 454 | /* Check for contiguous-ity between fields, too. */ |
| 455 | if(!ParseBitfield(&total_field, total_mask)) return 0; |
| 456 | |
| 457 | return 1; |
| 458 | } |
| 459 | |
| 460 | /* A sub-function to Validate() that handles the palette. Returns 0 on EOF or |
| 461 | * invalid palette, or nonzero on success. |
| 462 | */ |
| 463 | static int ValidateAndReadPalette(read_context * p_ctx) |
| 464 | { |
| 465 | uint32_t colors = UINT32_C(1) << p_ctx->info.bits; |
| 466 | uint32_t file_colors = p_ctx->info.colors; |
| 467 | |
| 468 | if(p_ctx->info.bits > 8) |
| 469 | return 1; |
| 470 | |
| 471 | if(file_colors > colors) return 0; |
| 472 | if(!file_colors) |
| 473 | file_colors = colors; |
| 474 | |
| 475 | /* Make sure we actually have space in the file for all the colors. */ |
| 476 | if(p_ctx->after_headers / BMP_COLOR_SIZE < file_colors) return 0; |
| 477 | |
| 478 | /* We always allocate a full palette even if the file only claims to |
| 479 | * contain a smaller number, so we don't have to check for out of bound |
| 480 | * color lookups. Not sure what the desired behavior is, but loading the |
| 481 | * image anyway and treating OOB colors as black seems ok to me. 0-fill so |
| 482 | * lookups beyond the file's palette get set to black. |
| 483 | */ |
| 484 | if(!(p_ctx->palette = (bmp_color *) |
| 485 | calloc(colors, sizeof(p_ctx->palette[0])))) return 0; |
| 486 | |
| 487 | if(!CanMakeLong(p_ctx->headers_size)) return 0; |
| 488 | if(fseek(p_ctx->fp, p_ctx->headers_size, SEEK_SET)) return 0; |
| 489 | if(!ReadPalette(p_ctx->palette, file_colors, p_ctx->fp)) return 0; |
| 490 | |
| 491 | return 1; |
| 492 | } |
| 493 | |
| 494 | /* Returns whether a non-negative integer is a power of 2. |
| 495 | */ |
| 496 | static int IsPowerOf2(uint32_t x) |
| 497 | { |
| 498 | while(x) |
| 499 | { |
| 500 | /* When we find a bit, return whether no other bits are set. */ |
| 501 | if(x & 1) |
| 502 | return !(x & ~UINT32_C(1)); |
| 503 | x = x >> 1; |
| 504 | } |
| 505 | |
| 506 | /* 0, the only value for x which lands us here, isn't a power of 2. */ |
| 507 | return 0; |
| 508 | } |
| 509 | |
| 510 | /* Returns the byte length of a scan line padded as necessary to be divisible |
| 511 | * by four. For example, 3 pixels wide at 24 bpp would yield 12 (3 pixels * 3 |
| 512 | * bytes each = 9 bytes, padded by 3 to the next multiple of 4). bpp is *bits* |
| 513 | * per pixel, not bytes. Returns 0 in case of overflow. |
| 514 | */ |
| 515 | static size_t GetLineLength(size_t width, size_t bpp) |
| 516 | { |
| 517 | size_t bits = width * bpp; |
| 518 | size_t pad_bits = (32 - (bits & 0x1f)) & 0x1f; /* x & 0x1f == x % 32 */ |
| 519 | |
| 520 | /* Check for overflow, in both the above multiplication and the below |
| 521 | * addition. It's well defined to do this in any order relative to the |
| 522 | * operations themselves (since size_t is unsigned), so we combine the |
| 523 | * checks into one if. bpp has been checked for being nonzero elsewhere. |
| 524 | */ |
| 525 | if(!CanMultiply(width, bpp) || !CanAdd(bits, pad_bits)) return 0; |
| 526 | |
| 527 | /* Convert to bytes. */ |
| 528 | return (bits + pad_bits) / 8; |
| 529 | } |
| 530 | |
| 531 | /* Reads and validates the bitmap header metadata from the context's file |
| 532 | * object. Assumes the file pointer is at the start of the file. Returns 1 if |
| 533 | * ok or 0 if error or invalid file. |
| 534 | */ |
| 535 | static int Validate(read_context * p_ctx) |
| 536 | { |
| 537 | if(!ReadHeader(&p_ctx->header, p_ctx->fp)) return 0; |
| 538 | if(!ReadInfo( &p_ctx->info, p_ctx->fp)) return 0; |
| 539 | |
| 540 | if(p_ctx->info.info_size > UINT32_MAX - BMP_HEADER_SIZE) return 0; |
| 541 | p_ctx->headers_size = BMP_HEADER_SIZE + p_ctx->info.info_size; |
| 542 | |
| 543 | if(p_ctx->header.data_offset < p_ctx->headers_size) return 0; |
| 544 | p_ctx->after_headers = p_ctx->header.data_offset - p_ctx->headers_size; |
| 545 | |
| 546 | if(p_ctx->info.width <= 0 || p_ctx->info.height == 0) return 0; |
| 547 | |
| 548 | if(!CanMakeSizeT(p_ctx->info.width)) return 0; |
| 549 | if(!CanNegate( p_ctx->info.height)) return 0; |
| 550 | p_ctx->lines = ((p_ctx->info.height < 0) ? |
| 551 | -p_ctx->info.height : |
| 552 | p_ctx->info.height); |
| 553 | |
| 554 | if(!(p_ctx->flags & BMPREAD_ANY_SIZE)) |
| 555 | { |
| 556 | /* Both of these values have just been checked against being negative, |
| 557 | * and thus it's safe to pass them on as uint32_t. |
| 558 | */ |
| 559 | if(!IsPowerOf2(p_ctx->info.width)) return 0; |
| 560 | if(!IsPowerOf2(p_ctx->lines)) return 0; |
| 561 | } |
| 562 | |
| 563 | switch(p_ctx->info.compression) |
| 564 | { |
| 565 | case COMPRESSION_NONE: |
| 566 | if(p_ctx->info.bits != 1 && p_ctx->info.bits != 4 && |
| 567 | p_ctx->info.bits != 8 && p_ctx->info.bits != 24) return 0; |
| 568 | break; |
| 569 | |
| 570 | case COMPRESSION_BITFIELDS: |
| 571 | if(p_ctx->info.bits != 16 && p_ctx->info.bits != 32) return 0; |
| 572 | break; |
| 573 | |
| 574 | default: /* No compression supported yet (TODO: handle RLE). */ |
| 575 | return 0; |
| 576 | } |
| 577 | |
| 578 | p_ctx->file_line_len = GetLineLength(p_ctx->info.width, p_ctx->info.bits); |
| 579 | if(p_ctx->file_line_len == 0) return 0; |
| 580 | |
| 581 | p_ctx->out_channels = ((p_ctx->flags & BMPREAD_ALPHA) ? 4 : 3); |
| 582 | |
| 583 | /* This check happens outside the following if, where it would seem to |
| 584 | * belong, because we make the same computation again in the future. |
| 585 | */ |
| 586 | if(!CanMultiply(p_ctx->info.width, p_ctx->out_channels)) return 0; |
| 587 | |
| 588 | if(p_ctx->flags & BMPREAD_BYTE_ALIGN) |
| 589 | p_ctx->out_line_len = (size_t)p_ctx->info.width * p_ctx->out_channels; |
| 590 | else |
| 591 | { |
| 592 | p_ctx->out_line_len = GetLineLength(p_ctx->info.width, |
| 593 | p_ctx->out_channels * 8); |
| 594 | if(p_ctx->out_line_len == 0) return 0; |
| 595 | } |
| 596 | |
| 597 | if(!ValidateBitfields(p_ctx)) return 0; |
| 598 | if(!ValidateAndReadPalette(p_ctx)) return 0; |
| 599 | |
| 600 | /* Set things up for decoding. */ |
| 601 | if(!(p_ctx->file_data = (uint8_t *)malloc(p_ctx->file_line_len))) return 0; |
| 602 | |
| 603 | if(!CanMakeSizeT(p_ctx->lines)) return 0; |
| 604 | if(!CanMultiply( p_ctx->lines, p_ctx->out_line_len)) return 0; |
| 605 | if(!(p_ctx->data_out = (uint8_t *) |
| 606 | malloc((size_t)p_ctx->lines * p_ctx->out_line_len))) return 0; |
| 607 | |
| 608 | return 1; |
| 609 | } |
| 610 | |
| 611 | /* Evenly distribute a value that spans a given number of bits into 8 bits. |
| 612 | */ |
| 613 | static uint32_t Make8Bits(uint32_t value, uint32_t bitspan) |
| 614 | { |
| 615 | uint32_t output = 0; |
| 616 | |
| 617 | if(bitspan == 8) |
| 618 | return value; |
| 619 | if(bitspan > 8) |
| 620 | return value >> (bitspan - 8); |
| 621 | |
| 622 | value <<= (8 - bitspan); /* Shift it up into the most significant bits. */ |
| 623 | while(value) |
| 624 | { |
| 625 | /* Repeat the bit pattern down into the least significant bits. This |
| 626 | * gives an even distribution when extrapolating from [0, 2^bitspan-1] |
| 627 | * into [0, 2^8-1], and avoids both floating point and awkward integer |
| 628 | * multiplication. Unfortunately, because we don't enforce a whitelist |
| 629 | * of bit patterns we support and can hard-code for, it necessitates a |
| 630 | * loop. I believe this is a fairly efficient way to express the idea, |
| 631 | * but it'd still be nice if the compiler could optimize this whole |
| 632 | * function heavily, since it's called in a tight decode loop. |
| 633 | */ |
| 634 | output |= value; |
| 635 | value >>= bitspan; |
| 636 | } |
| 637 | |
| 638 | return output; |
| 639 | } |
| 640 | |
| 641 | /* Reads four bytes out of a memory buffer and converts it to a uint32_t. |
| 642 | */ |
| 643 | #define LoadLittleUint32(buf) (((uint32_t)(buf)[0] ) + \ |
| 644 | ((uint32_t)(buf)[1] << 8) + \ |
| 645 | ((uint32_t)(buf)[2] << 16) + \ |
| 646 | ((uint32_t)(buf)[3] << 24)) |
| 647 | |
| 648 | /* Decodes 32-bit bitmap data by applying bitmasks. The 16- and 32-bit |
| 649 | * decoders could be made more efficient by whitelisting supported bit patterns |
| 650 | * ahead of time and special-casing their decoding here, but this allows us to |
| 651 | * support more bitmask patterns, and shouldn't be *too* inefficient in any |
| 652 | * case. |
| 653 | * |
| 654 | * Takes a pointer to an output buffer scan line (p_out), a pointer to the end |
| 655 | * of the *pixel data* of this scan line (p_out_end), a pointer to the source |
| 656 | * scan line of file data (p_file), and our context. |
| 657 | */ |
| 658 | static void Decode32(uint8_t * p_out, |
| 659 | const uint8_t * p_out_end, |
| 660 | const uint8_t * p_file, |
| 661 | const read_context * p_ctx) |
| 662 | { |
| 663 | const bitfield * bf = p_ctx->bitfields; |
| 664 | |
| 665 | while(p_out < p_out_end) |
| 666 | { |
| 667 | uint32_t value = LoadLittleUint32(p_file); |
| 668 | |
| 669 | *p_out++ = Make8Bits(ApplyBitfield(value, bf[0]), bf[0].span); |
| 670 | *p_out++ = Make8Bits(ApplyBitfield(value, bf[1]), bf[1].span); |
| 671 | *p_out++ = Make8Bits(ApplyBitfield(value, bf[2]), bf[2].span); |
| 672 | if(p_ctx->out_channels == 4) |
| 673 | { |
| 674 | if(bf[3].span) |
| 675 | *p_out++ = Make8Bits(ApplyBitfield(value, bf[3]), bf[3].span); |
| 676 | else |
| 677 | *p_out++ = BMPREAD_DEFAULT_ALPHA; |
| 678 | } |
| 679 | |
| 680 | p_file += 4; |
| 681 | } |
| 682 | } |
| 683 | |
| 684 | /* Decodes 24-bit bitmap data--basically just swaps the order of color |
| 685 | * components. |
| 686 | */ |
| 687 | static void Decode24(uint8_t * p_out, |
| 688 | const uint8_t * p_out_end, |
| 689 | const uint8_t * p_file, |
| 690 | const read_context * p_ctx) |
| 691 | { |
| 692 | while(p_out < p_out_end) |
| 693 | { |
| 694 | *p_out++ = *(p_file + 2); |
| 695 | *p_out++ = *(p_file + 1); |
| 696 | *p_out++ = *(p_file ); |
| 697 | if(p_ctx->out_channels == 4) |
| 698 | *p_out++ = BMPREAD_DEFAULT_ALPHA; |
| 699 | |
| 700 | p_file += 3; |
| 701 | } |
| 702 | } |
| 703 | |
| 704 | /* Reads two bytes out of a memory buffer and converts it to a uint16_t. |
| 705 | */ |
| 706 | #define LoadLittleUint16(buf) (((uint16_t)(buf)[0] ) + \ |
| 707 | ((uint16_t)(buf)[1] << 8)) |
| 708 | |
| 709 | /* Decodes 16-bit bitmap data by applying bitmasks. |
| 710 | */ |
| 711 | static void Decode16(uint8_t * p_out, |
| 712 | const uint8_t * p_out_end, |
| 713 | const uint8_t * p_file, |
| 714 | const read_context * p_ctx) |
| 715 | { |
| 716 | const bitfield * bf = p_ctx->bitfields; |
| 717 | |
| 718 | while(p_out < p_out_end) |
| 719 | { |
| 720 | uint16_t value = LoadLittleUint16(p_file); |
| 721 | |
| 722 | *p_out++ = Make8Bits(ApplyBitfield(value, bf[0]), bf[0].span); |
| 723 | *p_out++ = Make8Bits(ApplyBitfield(value, bf[1]), bf[1].span); |
| 724 | *p_out++ = Make8Bits(ApplyBitfield(value, bf[2]), bf[2].span); |
| 725 | if(p_ctx->out_channels == 4) |
| 726 | { |
| 727 | if(bf[3].span) |
| 728 | *p_out++ = Make8Bits(ApplyBitfield(value, bf[3]), bf[3].span); |
| 729 | else |
| 730 | *p_out++ = BMPREAD_DEFAULT_ALPHA; |
| 731 | } |
| 732 | |
| 733 | p_file += 2; |
| 734 | } |
| 735 | } |
| 736 | |
| 737 | /* Decodes 8-bit bitmap data by looking colors up in the palette. |
| 738 | */ |
| 739 | static void Decode8(uint8_t * p_out, |
| 740 | const uint8_t * p_out_end, |
| 741 | const uint8_t * p_file, |
| 742 | const read_context * p_ctx) |
| 743 | { |
| 744 | while(p_out < p_out_end) { |
| 745 | *p_out++ = p_ctx->palette[*p_file].red; |
| 746 | *p_out++ = p_ctx->palette[*p_file].green; |
| 747 | *p_out++ = p_ctx->palette[*p_file].blue; |
| 748 | if(p_ctx->out_channels == 4) |
| 749 | *p_out++ = BMPREAD_DEFAULT_ALPHA; |
| 750 | |
| 751 | p_file++; |
| 752 | } |
| 753 | } |
| 754 | |
| 755 | /* Decodes 4-bit bitmap data by looking colors up in the palette. |
| 756 | */ |
| 757 | static void Decode4(uint8_t * p_out, |
| 758 | const uint8_t * p_out_end, |
| 759 | const uint8_t * p_file, |
| 760 | const read_context * p_ctx) |
| 761 | { |
| 762 | while(p_out < p_out_end) |
| 763 | { |
| 764 | unsigned int lookup = (*p_file & 0xf0U) >> 4; |
| 765 | |
| 766 | *p_out++ = p_ctx->palette[lookup].red; |
| 767 | *p_out++ = p_ctx->palette[lookup].green; |
| 768 | *p_out++ = p_ctx->palette[lookup].blue; |
| 769 | if(p_ctx->out_channels == 4) |
| 770 | *p_out++ = BMPREAD_DEFAULT_ALPHA; |
| 771 | |
| 772 | if(p_out < p_out_end) |
| 773 | { |
| 774 | lookup = *p_file++ & 0x0fU; |
| 775 | |
| 776 | *p_out++ = p_ctx->palette[lookup].red; |
| 777 | *p_out++ = p_ctx->palette[lookup].green; |
| 778 | *p_out++ = p_ctx->palette[lookup].blue; |
| 779 | if(p_ctx->out_channels == 4) |
| 780 | *p_out++ = BMPREAD_DEFAULT_ALPHA; |
| 781 | } |
| 782 | } |
| 783 | } |
| 784 | |
| 785 | /* Decodes 1-bit bitmap data by looking colors up in the two-color palette. |
| 786 | */ |
| 787 | static void Decode1(uint8_t * p_out, |
| 788 | const uint8_t * p_out_end, |
| 789 | const uint8_t * p_file, |
| 790 | const read_context * p_ctx) |
| 791 | { |
| 792 | while(p_out < p_out_end) |
| 793 | { |
| 794 | unsigned int bit; |
| 795 | for(bit = 0; bit < 8 && p_out < p_out_end; bit++) |
| 796 | { |
| 797 | unsigned int lookup = (*p_file >> (7 - bit)) & 1; |
| 798 | |
| 799 | *p_out++ = p_ctx->palette[lookup].red; |
| 800 | *p_out++ = p_ctx->palette[lookup].green; |
| 801 | *p_out++ = p_ctx->palette[lookup].blue; |
| 802 | if(p_ctx->out_channels == 4) |
| 803 | *p_out++ = BMPREAD_DEFAULT_ALPHA; |
| 804 | } |
| 805 | |
| 806 | p_file++; |
| 807 | } |
| 808 | } |
| 809 | |
| 810 | /* Selects an above decoder and runs it for each scan line of the file. |
| 811 | * Returns 0 if there's an error or 1 if it's gravy. |
| 812 | */ |
| 813 | static int Decode(read_context * p_ctx) |
| 814 | { |
| 815 | void (* decoder)(uint8_t *, const uint8_t *, const uint8_t *, |
| 816 | const read_context *); |
| 817 | |
| 818 | uint8_t * p_out; /* Pointer to current scan line in output buffer. */ |
| 819 | uint8_t * p_out_end; /* End marker for output buffer. */ |
| 820 | uint8_t * p_line_end; /* Pointer to end of current scan line in output. */ |
| 821 | |
| 822 | /* out_inc is an incrementor for p_out to advance it one scan line. I'm |
| 823 | * not exactly sure what the correct type for it would be, perhaps ssize_t, |
| 824 | * but that's not C standard. I went with ptrdiff_t because its value |
| 825 | * will be equivalent to the difference between two pointers, whether it |
| 826 | * was derived that way or not. |
| 827 | */ |
| 828 | ptrdiff_t out_inc; |
| 829 | |
| 830 | /* Double check this won't overflow. Who knows, man. */ |
| 831 | #if SIZE_MAX > PTRDIFF_MAX |
| 832 | if(p_ctx->out_line_len > PTRDIFF_MAX) return 0; |
| 833 | #endif |
| 834 | out_inc = p_ctx->out_line_len; |
| 835 | |
| 836 | if(!(p_ctx->info.height < 0) == !(p_ctx->flags & BMPREAD_TOP_DOWN)) |
| 837 | { |
| 838 | /* We're keeping scan lines in order. These and subsequent operations |
| 839 | * have all been checked earlier. |
| 840 | */ |
| 841 | p_out = p_ctx->data_out; |
| 842 | p_out_end = p_ctx->data_out + |
| 843 | ((size_t)p_ctx->lines * p_ctx->out_line_len); |
| 844 | } |
| 845 | else /* We're reversing scan lines. */ |
| 846 | { |
| 847 | /* TODO: I'm not 100% sure about the legality, purely C spec-wise, of |
| 848 | * this subtraction. |
| 849 | */ |
| 850 | p_out_end = p_ctx->data_out - p_ctx->out_line_len; |
| 851 | p_out = p_ctx->data_out + |
| 852 | (((size_t)p_ctx->lines - 1) * p_ctx->out_line_len); |
| 853 | |
| 854 | /* Always safe, given two's complement, since it was positive. */ |
| 855 | out_inc = -out_inc; |
| 856 | } |
| 857 | |
| 858 | p_line_end = p_out + (size_t)p_ctx->info.width * p_ctx->out_channels; |
| 859 | |
| 860 | switch(p_ctx->info.bits) |
| 861 | { |
| 862 | case 32: decoder = Decode32; break; |
| 863 | case 24: decoder = Decode24; break; |
| 864 | case 16: decoder = Decode16; break; |
| 865 | case 8: decoder = Decode8; break; |
| 866 | case 4: decoder = Decode4; break; |
| 867 | case 1: decoder = Decode1; break; |
| 868 | default: return 0; |
| 869 | } |
| 870 | |
| 871 | if(!CanMakeLong(p_ctx->header.data_offset)) return 0; |
| 872 | if(fseek(p_ctx->fp, p_ctx->header.data_offset, SEEK_SET)) return 0; |
| 873 | |
| 874 | while(p_out != p_out_end && |
| 875 | fread(p_ctx->file_data, 1, p_ctx->file_line_len, p_ctx->fp) == |
| 876 | p_ctx->file_line_len) |
| 877 | { |
| 878 | decoder(p_out, p_line_end, p_ctx->file_data, p_ctx); |
| 879 | |
| 880 | p_out += out_inc; |
| 881 | p_line_end += out_inc; |
| 882 | } |
| 883 | |
| 884 | return (p_out == p_out_end); |
| 885 | } |
| 886 | |
| 887 | /* Frees resources allocated by various functions along the way. Only frees |
| 888 | * data_out if !leave_data_out (if the bitmap loads successfully, you want the |
| 889 | * data to remain until THEY free it). |
| 890 | */ |
| 891 | static void FreeContext(read_context * p_ctx, int leave_data_out) |
| 892 | { |
| 893 | if(p_ctx->fp) |
| 894 | fclose(p_ctx->fp); |
| 895 | if(p_ctx->palette) |
| 896 | free(p_ctx->palette); |
| 897 | if(p_ctx->file_data) |
| 898 | free(p_ctx->file_data); |
| 899 | |
| 900 | if(!leave_data_out && p_ctx->data_out) |
| 901 | free(p_ctx->data_out); |
| 902 | } |
| 903 | |
| 904 | int bmpread(const char * bmp_file, unsigned int flags, bmpread_t * p_bmp_out) |
| 905 | { |
| 906 | int success = 0; |
| 907 | |
| 908 | read_context ctx; |
| 909 | memset(&ctx, 0, sizeof(ctx)); |
| 910 | |
| 911 | do |
| 912 | { |
| 913 | if(!bmp_file) break; |
| 914 | if(!p_bmp_out) break; |
| 915 | memset(p_bmp_out, 0, sizeof(*p_bmp_out)); |
| 916 | |
| 917 | ctx.flags = flags; |
| 918 | |
| 919 | if(!(ctx.fp = fopen(bmp_file, "rb"))) break; |
| 920 | if(!Validate(&ctx)) break; |
| 921 | if(!Decode(&ctx)) break; |
| 922 | |
| 923 | /* Finally, make sure we can stuff these into ints. I feel like this |
| 924 | * is slightly justified by how it keeps the header definition dead |
| 925 | * simple (including, well, no #includes). I suppose this could also |
| 926 | * be done way earlier and maybe save some disk reads, but I like |
| 927 | * keeping the check with the code it's checking. |
| 928 | */ |
| 929 | #if INT32_MAX > INT_MAX |
| 930 | if(ctx.info.width > INT_MAX) break; |
| 931 | if(ctx.lines > INT_MAX) break; |
| 932 | #endif |
| 933 | |
| 934 | p_bmp_out->width = ctx.info.width; |
| 935 | p_bmp_out->height = ctx.lines; |
| 936 | p_bmp_out->flags = ctx.flags; |
| 937 | p_bmp_out->data = ctx.data_out; |
| 938 | |
| 939 | success = 1; |
| 940 | } while(0); |
| 941 | |
| 942 | FreeContext(&ctx, success); |
| 943 | |
| 944 | return success; |
| 945 | } |
| 946 | |
| 947 | void bmpread_free(bmpread_t * p_bmp) |
| 948 | { |
| 949 | if(p_bmp) |
| 950 | { |
| 951 | if(p_bmp->data) |
| 952 | free(p_bmp->data); |
| 953 | |
| 954 | memset(p_bmp, 0, sizeof(*p_bmp)); |
| 955 | } |
| 956 | } |
| 957 |
Generated on 2019-Jun-21 from project POCO revision 1.9.1
Powered by 
Code Browser 2.1
Generator usage only permitted with license.