1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * V4L2 JPEG header parser helpers. 4 * 5 * Copyright (C) 2019 Pengutronix, Philipp Zabel <kernel@pengutronix.de> 6 * 7 * For reference, see JPEG ITU-T.81 (ISO/IEC 10918-1) [1] 8 * 9 * [1] https://www.w3.org/Graphics/JPEG/itu-t81.pdf 10 */ 11 12 #include <asm/unaligned.h> 13 #include <linux/errno.h> 14 #include <linux/kernel.h> 15 #include <linux/module.h> 16 #include <linux/types.h> 17 #include <media/v4l2-jpeg.h> 18 19 MODULE_DESCRIPTION("V4L2 JPEG header parser helpers"); 20 MODULE_AUTHOR("Philipp Zabel <kernel@pengutronix.de>"); 21 MODULE_LICENSE("GPL"); 22 23 /* Table B.1 - Marker code assignments */ 24 #define SOF0 0xffc0 /* start of frame */ 25 #define SOF1 0xffc1 26 #define SOF2 0xffc2 27 #define SOF3 0xffc3 28 #define SOF5 0xffc5 29 #define SOF7 0xffc7 30 #define JPG 0xffc8 /* extensions */ 31 #define SOF9 0xffc9 32 #define SOF11 0xffcb 33 #define SOF13 0xffcd 34 #define SOF15 0xffcf 35 #define DHT 0xffc4 /* huffman table */ 36 #define DAC 0xffcc /* arithmetic coding conditioning */ 37 #define RST0 0xffd0 /* restart */ 38 #define RST7 0xffd7 39 #define SOI 0xffd8 /* start of image */ 40 #define EOI 0xffd9 /* end of image */ 41 #define SOS 0xffda /* start of stream */ 42 #define DQT 0xffdb /* quantization table */ 43 #define DNL 0xffdc /* number of lines */ 44 #define DRI 0xffdd /* restart interval */ 45 #define DHP 0xffde /* hierarchical progression */ 46 #define EXP 0xffdf /* expand reference */ 47 #define APP0 0xffe0 /* application data */ 48 #define APP15 0xffef 49 #define JPG0 0xfff0 /* extensions */ 50 #define JPG13 0xfffd 51 #define COM 0xfffe /* comment */ 52 #define TEM 0xff01 /* temporary */ 53 54 /** 55 * struct jpeg_stream - JPEG byte stream 56 * @curr: current position in stream 57 * @end: end position, after last byte 58 */ 59 struct jpeg_stream { 60 u8 *curr; 61 u8 *end; 62 }; 63 64 /* returns a value that fits into u8, or negative error */ 65 static int jpeg_get_byte(struct jpeg_stream *stream) 66 { 67 if (stream->curr >= stream->end) 68 return -EINVAL; 69 70 return *stream->curr++; 71 } 72 73 /* returns a value that fits into u16, or negative error */ 74 static int jpeg_get_word_be(struct jpeg_stream *stream) 75 { 76 u16 word; 77 78 if (stream->curr + sizeof(__be16) > stream->end) 79 return -EINVAL; 80 81 word = get_unaligned_be16(stream->curr); 82 stream->curr += sizeof(__be16); 83 84 return word; 85 } 86 87 static int jpeg_skip(struct jpeg_stream *stream, size_t len) 88 { 89 if (stream->curr + len > stream->end) 90 return -EINVAL; 91 92 stream->curr += len; 93 94 return 0; 95 } 96 97 static int jpeg_next_marker(struct jpeg_stream *stream) 98 { 99 int byte; 100 u16 marker = 0; 101 102 while ((byte = jpeg_get_byte(stream)) >= 0) { 103 marker = (marker << 8) | byte; 104 /* skip stuffing bytes and REServed markers */ 105 if (marker == TEM || (marker > 0xffbf && marker < 0xffff)) 106 return marker; 107 } 108 109 return byte; 110 } 111 112 /* this does not advance the current position in the stream */ 113 static int jpeg_reference_segment(struct jpeg_stream *stream, 114 struct v4l2_jpeg_reference *segment) 115 { 116 u16 len; 117 118 if (stream->curr + sizeof(__be16) > stream->end) 119 return -EINVAL; 120 121 len = get_unaligned_be16(stream->curr); 122 if (stream->curr + len > stream->end) 123 return -EINVAL; 124 125 segment->start = stream->curr; 126 segment->length = len; 127 128 return 0; 129 } 130 131 static int v4l2_jpeg_decode_subsampling(u8 nf, u8 h_v) 132 { 133 if (nf == 1) 134 return V4L2_JPEG_CHROMA_SUBSAMPLING_GRAY; 135 136 /* no chroma subsampling for 4-component images */ 137 if (nf == 4 && h_v != 0x11) 138 return -EINVAL; 139 140 switch (h_v) { 141 case 0x11: 142 return V4L2_JPEG_CHROMA_SUBSAMPLING_444; 143 case 0x21: 144 return V4L2_JPEG_CHROMA_SUBSAMPLING_422; 145 case 0x22: 146 return V4L2_JPEG_CHROMA_SUBSAMPLING_420; 147 case 0x41: 148 return V4L2_JPEG_CHROMA_SUBSAMPLING_411; 149 default: 150 return -EINVAL; 151 } 152 } 153 154 static int jpeg_parse_frame_header(struct jpeg_stream *stream, u16 sof_marker, 155 struct v4l2_jpeg_frame_header *frame_header) 156 { 157 int len = jpeg_get_word_be(stream); 158 159 if (len < 0) 160 return len; 161 /* Lf = 8 + 3 * Nf, Nf >= 1 */ 162 if (len < 8 + 3) 163 return -EINVAL; 164 165 if (frame_header) { 166 /* Table B.2 - Frame header parameter sizes and values */ 167 int p, y, x, nf; 168 int i; 169 170 p = jpeg_get_byte(stream); 171 if (p < 0) 172 return p; 173 /* 174 * Baseline DCT only supports 8-bit precision. 175 * Extended sequential DCT also supports 12-bit precision. 176 */ 177 if (p != 8 && (p != 12 || sof_marker != SOF1)) 178 return -EINVAL; 179 180 y = jpeg_get_word_be(stream); 181 if (y < 0) 182 return y; 183 if (y == 0) 184 return -EINVAL; 185 186 x = jpeg_get_word_be(stream); 187 if (x < 0) 188 return x; 189 if (x == 0) 190 return -EINVAL; 191 192 nf = jpeg_get_byte(stream); 193 if (nf < 0) 194 return nf; 195 /* 196 * The spec allows 1 <= Nf <= 255, but we only support up to 4 197 * components. 198 */ 199 if (nf < 1 || nf > V4L2_JPEG_MAX_COMPONENTS) 200 return -EINVAL; 201 if (len != 8 + 3 * nf) 202 return -EINVAL; 203 204 frame_header->precision = p; 205 frame_header->height = y; 206 frame_header->width = x; 207 frame_header->num_components = nf; 208 209 for (i = 0; i < nf; i++) { 210 struct v4l2_jpeg_frame_component_spec *component; 211 int c, h_v, tq; 212 213 c = jpeg_get_byte(stream); 214 if (c < 0) 215 return c; 216 217 h_v = jpeg_get_byte(stream); 218 if (h_v < 0) 219 return h_v; 220 if (i == 0) { 221 int subs; 222 223 subs = v4l2_jpeg_decode_subsampling(nf, h_v); 224 if (subs < 0) 225 return subs; 226 frame_header->subsampling = subs; 227 } else if (h_v != 0x11) { 228 /* all chroma sampling factors must be 1 */ 229 return -EINVAL; 230 } 231 232 tq = jpeg_get_byte(stream); 233 if (tq < 0) 234 return tq; 235 236 component = &frame_header->component[i]; 237 component->component_identifier = c; 238 component->horizontal_sampling_factor = 239 (h_v >> 4) & 0xf; 240 component->vertical_sampling_factor = h_v & 0xf; 241 component->quantization_table_selector = tq; 242 } 243 } else { 244 return jpeg_skip(stream, len - 2); 245 } 246 247 return 0; 248 } 249 250 static int jpeg_parse_scan_header(struct jpeg_stream *stream, 251 struct v4l2_jpeg_scan_header *scan_header) 252 { 253 size_t skip; 254 int len = jpeg_get_word_be(stream); 255 256 if (len < 0) 257 return len; 258 /* Ls = 8 + 3 * Ns, Ns >= 1 */ 259 if (len < 6 + 2) 260 return -EINVAL; 261 262 if (scan_header) { 263 int ns; 264 int i; 265 266 ns = jpeg_get_byte(stream); 267 if (ns < 0) 268 return ns; 269 if (ns < 1 || ns > 4 || len != 6 + 2 * ns) 270 return -EINVAL; 271 272 scan_header->num_components = ns; 273 274 for (i = 0; i < ns; i++) { 275 struct v4l2_jpeg_scan_component_spec *component; 276 int cs, td_ta; 277 278 cs = jpeg_get_byte(stream); 279 if (cs < 0) 280 return cs; 281 282 td_ta = jpeg_get_byte(stream); 283 if (td_ta < 0) 284 return td_ta; 285 286 component = &scan_header->component[i]; 287 component->component_selector = cs; 288 component->dc_entropy_coding_table_selector = 289 (td_ta >> 4) & 0xf; 290 component->ac_entropy_coding_table_selector = 291 td_ta & 0xf; 292 } 293 294 skip = 3; /* skip Ss, Se, Ah, and Al */ 295 } else { 296 skip = len - 2; 297 } 298 299 return jpeg_skip(stream, skip); 300 } 301 302 /* B.2.4.1 Quantization table-specification syntax */ 303 static int jpeg_parse_quantization_tables(struct jpeg_stream *stream, 304 u8 precision, 305 struct v4l2_jpeg_reference *tables) 306 { 307 int len = jpeg_get_word_be(stream); 308 309 if (len < 0) 310 return len; 311 /* Lq = 2 + n * 65 (for baseline DCT), n >= 1 */ 312 if (len < 2 + 65) 313 return -EINVAL; 314 315 len -= 2; 316 while (len >= 65) { 317 u8 pq, tq, *qk; 318 int ret; 319 int pq_tq = jpeg_get_byte(stream); 320 321 if (pq_tq < 0) 322 return pq_tq; 323 324 /* quantization table element precision */ 325 pq = (pq_tq >> 4) & 0xf; 326 /* 327 * Only 8-bit Qk values for 8-bit sample precision. Extended 328 * sequential DCT with 12-bit sample precision also supports 329 * 16-bit Qk values. 330 */ 331 if (pq != 0 && (pq != 1 || precision != 12)) 332 return -EINVAL; 333 334 /* quantization table destination identifier */ 335 tq = pq_tq & 0xf; 336 if (tq > 3) 337 return -EINVAL; 338 339 /* quantization table element */ 340 qk = stream->curr; 341 ret = jpeg_skip(stream, pq ? 128 : 64); 342 if (ret < 0) 343 return -EINVAL; 344 345 if (tables) { 346 tables[tq].start = qk; 347 tables[tq].length = pq ? 128 : 64; 348 } 349 350 len -= pq ? 129 : 65; 351 } 352 353 return 0; 354 } 355 356 /* B.2.4.2 Huffman table-specification syntax */ 357 static int jpeg_parse_huffman_tables(struct jpeg_stream *stream, 358 struct v4l2_jpeg_reference *tables) 359 { 360 int mt; 361 int len = jpeg_get_word_be(stream); 362 363 if (len < 0) 364 return len; 365 /* Table B.5 - Huffman table specification parameter sizes and values */ 366 if (len < 2 + 17) 367 return -EINVAL; 368 369 for (len -= 2; len >= 17; len -= 17 + mt) { 370 u8 tc, th, *table; 371 int tc_th = jpeg_get_byte(stream); 372 int i, ret; 373 374 if (tc_th < 0) 375 return tc_th; 376 377 /* table class - 0 = DC, 1 = AC */ 378 tc = (tc_th >> 4) & 0xf; 379 if (tc > 1) 380 return -EINVAL; 381 382 /* huffman table destination identifier */ 383 th = tc_th & 0xf; 384 /* only two Huffman tables for baseline DCT */ 385 if (th > 1) 386 return -EINVAL; 387 388 /* BITS - number of Huffman codes with length i */ 389 table = stream->curr; 390 mt = 0; 391 for (i = 0; i < 16; i++) { 392 int li; 393 394 li = jpeg_get_byte(stream); 395 if (li < 0) 396 return li; 397 398 mt += li; 399 } 400 /* HUFFVAL - values associated with each Huffman code */ 401 ret = jpeg_skip(stream, mt); 402 if (ret < 0) 403 return ret; 404 405 if (tables) { 406 tables[(tc << 1) | th].start = table; 407 tables[(tc << 1) | th].length = stream->curr - table; 408 } 409 } 410 411 return jpeg_skip(stream, len - 2); 412 } 413 414 /* B.2.4.4 Restart interval definition syntax */ 415 static int jpeg_parse_restart_interval(struct jpeg_stream *stream, 416 u16 *restart_interval) 417 { 418 int len = jpeg_get_word_be(stream); 419 int ri; 420 421 if (len < 0) 422 return len; 423 if (len != 4) 424 return -EINVAL; 425 426 ri = jpeg_get_word_be(stream); 427 if (ri < 0) 428 return ri; 429 430 *restart_interval = ri; 431 432 return 0; 433 } 434 435 static int jpeg_skip_segment(struct jpeg_stream *stream) 436 { 437 int len = jpeg_get_word_be(stream); 438 439 if (len < 0) 440 return len; 441 if (len < 2) 442 return -EINVAL; 443 444 return jpeg_skip(stream, len - 2); 445 } 446 447 /** 448 * jpeg_parse_header - locate marker segments and optionally parse headers 449 * @buf: address of the JPEG buffer, should start with a SOI marker 450 * @len: length of the JPEG buffer 451 * @out: returns marker segment positions and optionally parsed headers 452 * 453 * The out->scan_header pointer must be initialized to NULL or point to a valid 454 * v4l2_jpeg_scan_header structure. The out->huffman_tables and 455 * out->quantization_tables pointers must be initialized to NULL or point to a 456 * valid array of 4 v4l2_jpeg_reference structures each. 457 * 458 * Returns 0 or negative error if parsing failed. 459 */ 460 int v4l2_jpeg_parse_header(void *buf, size_t len, struct v4l2_jpeg_header *out) 461 { 462 struct jpeg_stream stream; 463 int marker; 464 int ret = 0; 465 466 stream.curr = buf; 467 stream.end = stream.curr + len; 468 469 out->num_dht = 0; 470 out->num_dqt = 0; 471 472 /* the first marker must be SOI */ 473 marker = jpeg_next_marker(&stream); 474 if (marker < 0) 475 return marker; 476 if (marker != SOI) 477 return -EINVAL; 478 479 /* loop through marker segments */ 480 while ((marker = jpeg_next_marker(&stream)) >= 0) { 481 switch (marker) { 482 /* baseline DCT, extended sequential DCT */ 483 case SOF0 ... SOF1: 484 ret = jpeg_reference_segment(&stream, &out->sof); 485 if (ret < 0) 486 return ret; 487 ret = jpeg_parse_frame_header(&stream, marker, 488 &out->frame); 489 break; 490 /* progressive, lossless */ 491 case SOF2 ... SOF3: 492 /* differential coding */ 493 case SOF5 ... SOF7: 494 /* arithmetic coding */ 495 case SOF9 ... SOF11: 496 case SOF13 ... SOF15: 497 case DAC: 498 case TEM: 499 return -EINVAL; 500 501 case DHT: 502 ret = jpeg_reference_segment(&stream, 503 &out->dht[out->num_dht++ % 4]); 504 if (ret < 0) 505 return ret; 506 ret = jpeg_parse_huffman_tables(&stream, 507 out->huffman_tables); 508 break; 509 case DQT: 510 ret = jpeg_reference_segment(&stream, 511 &out->dqt[out->num_dqt++ % 4]); 512 if (ret < 0) 513 return ret; 514 ret = jpeg_parse_quantization_tables(&stream, 515 out->frame.precision, 516 out->quantization_tables); 517 break; 518 case DRI: 519 ret = jpeg_parse_restart_interval(&stream, 520 &out->restart_interval); 521 break; 522 523 case SOS: 524 ret = jpeg_reference_segment(&stream, &out->sos); 525 if (ret < 0) 526 return ret; 527 ret = jpeg_parse_scan_header(&stream, out->scan); 528 /* 529 * stop parsing, the scan header marks the beginning of 530 * the entropy coded segment 531 */ 532 out->ecs_offset = stream.curr - (u8 *)buf; 533 return ret; 534 535 /* markers without parameters */ 536 case RST0 ... RST7: /* restart */ 537 case SOI: /* start of image */ 538 case EOI: /* end of image */ 539 break; 540 541 /* skip unknown or unsupported marker segments */ 542 default: 543 ret = jpeg_skip_segment(&stream); 544 break; 545 } 546 if (ret < 0) 547 return ret; 548 } 549 550 return marker; 551 } 552 EXPORT_SYMBOL_GPL(v4l2_jpeg_parse_header); 553 554 /** 555 * v4l2_jpeg_parse_frame_header - parse frame header 556 * @buf: address of the frame header, after the SOF0 marker 557 * @len: length of the frame header 558 * @frame_header: returns the parsed frame header 559 * 560 * Returns 0 or negative error if parsing failed. 561 */ 562 int v4l2_jpeg_parse_frame_header(void *buf, size_t len, 563 struct v4l2_jpeg_frame_header *frame_header) 564 { 565 struct jpeg_stream stream; 566 567 stream.curr = buf; 568 stream.end = stream.curr + len; 569 return jpeg_parse_frame_header(&stream, SOF0, frame_header); 570 } 571 EXPORT_SYMBOL_GPL(v4l2_jpeg_parse_frame_header); 572 573 /** 574 * v4l2_jpeg_parse_scan_header - parse scan header 575 * @buf: address of the scan header, after the SOS marker 576 * @len: length of the scan header 577 * @scan_header: returns the parsed scan header 578 * 579 * Returns 0 or negative error if parsing failed. 580 */ 581 int v4l2_jpeg_parse_scan_header(void *buf, size_t len, 582 struct v4l2_jpeg_scan_header *scan_header) 583 { 584 struct jpeg_stream stream; 585 586 stream.curr = buf; 587 stream.end = stream.curr + len; 588 return jpeg_parse_scan_header(&stream, scan_header); 589 } 590 EXPORT_SYMBOL_GPL(v4l2_jpeg_parse_scan_header); 591 592 /** 593 * v4l2_jpeg_parse_quantization_tables - parse quantization tables segment 594 * @buf: address of the quantization table segment, after the DQT marker 595 * @len: length of the quantization table segment 596 * @precision: sample precision (P) in bits per component 597 * @q_tables: returns four references into the buffer for the 598 * four possible quantization table destinations 599 * 600 * Returns 0 or negative error if parsing failed. 601 */ 602 int v4l2_jpeg_parse_quantization_tables(void *buf, size_t len, u8 precision, 603 struct v4l2_jpeg_reference *q_tables) 604 { 605 struct jpeg_stream stream; 606 607 stream.curr = buf; 608 stream.end = stream.curr + len; 609 return jpeg_parse_quantization_tables(&stream, precision, q_tables); 610 } 611 EXPORT_SYMBOL_GPL(v4l2_jpeg_parse_quantization_tables); 612 613 /** 614 * v4l2_jpeg_parse_huffman_tables - parse huffman tables segment 615 * @buf: address of the Huffman table segment, after the DHT marker 616 * @len: length of the Huffman table segment 617 * @huffman_tables: returns four references into the buffer for the 618 * four possible Huffman table destinations, in 619 * the order DC0, DC1, AC0, AC1 620 * 621 * Returns 0 or negative error if parsing failed. 622 */ 623 int v4l2_jpeg_parse_huffman_tables(void *buf, size_t len, 624 struct v4l2_jpeg_reference *huffman_tables) 625 { 626 struct jpeg_stream stream; 627 628 stream.curr = buf; 629 stream.end = stream.curr + len; 630 return jpeg_parse_huffman_tables(&stream, huffman_tables); 631 } 632 EXPORT_SYMBOL_GPL(v4l2_jpeg_parse_huffman_tables); 633