FFmpeg coverage

Directory: ../../../ffmpeg/
File: src/libavformat/flac_picture.c
Date: 2026-05-02 03:33:10
Exec Total Coverage
Lines: 54 103 52.4%
Functions: 1 1 100.0%
Branches: 22 68 32.4%
Line Branch Exec Source
1 /*
2 * Raw FLAC picture parser
3 * Copyright (c) 2001 Fabrice Bellard
4 *
5 * This file is part of FFmpeg.
6 *
7 * FFmpeg is free software; you can redistribute it and/or
8 * modify it under the terms of the GNU Lesser General Public
9 * License as published by the Free Software Foundation; either
10 * version 2.1 of the License, or (at your option) any later version.
11 *
12 * FFmpeg is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 * Lesser General Public License for more details.
16 *
17 * You should have received a copy of the GNU Lesser General Public
18 * License along with FFmpeg; if not, write to the Free Software
19 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
20 */
21
22 #include "libavutil/intreadwrite.h"
23 #include "libavcodec/bytestream.h"
24 #include "libavcodec/png.h"
25 #include "avformat.h"
26 #include "avio_internal.h"
27 #include "demux.h"
28 #include "flac_picture.h"
29 #include "id3v2.h"
30 #include "internal.h"
31
32 #define MAX_TRUNC_PICTURE_SIZE (500 * 1024 * 1024)
33
34 17 int ff_flac_parse_picture(AVFormatContext *s, uint8_t **bufp, int buf_size,
35 int truncate_workaround)
36 {
37 17 const CodecMime *mime = ff_id3v2_mime_tags;
38 17 enum AVCodecID id = AV_CODEC_ID_NONE;
39 17 AVBufferRef *data = NULL;
40 17 uint8_t mimetype[64], *buf = *bufp;
41 17 const uint8_t *desc = NULL;
42 GetByteContext g;
43 AVStream *st;
44 17 int width, height, ret = 0;
45 unsigned int type;
46 17 uint32_t len, left, trunclen = 0;
47
48
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 17 times.
 17 if (buf_size < 34) {
49 av_log(s, AV_LOG_ERROR, "Attached picture metadata block too short\n");
50 if (s->error_recognition & AV_EF_EXPLODE)
51 return AVERROR_INVALIDDATA;
52 return 0;
53 }
54
55 17 bytestream2_init(&g, buf, buf_size);
56
57 /* read the picture type */
58 17 type = bytestream2_get_be32u(&g);
59
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 17 times.
 17 if (type >= FF_ARRAY_ELEMS(ff_id3v2_picture_types)) {
60 av_log(s, AV_LOG_ERROR, "Invalid picture type: %d.\n", type);
61 if (s->error_recognition & AV_EF_EXPLODE) {
62 return AVERROR_INVALIDDATA;
63 }
64 type = 0;
65 }
66
67 /* picture mimetype */
68 17 len = bytestream2_get_be32u(&g);
69
2/4
✓ Branch 0 taken 17 times.
✗ Branch 1 not taken.
✗ Branch 2 not taken.
✓ Branch 3 taken 17 times.
 17 if (len <= 0 || len >= sizeof(mimetype)) {
70 av_log(s, AV_LOG_ERROR, "Could not read mimetype from an attached "
71 "picture.\n");
72 if (s->error_recognition & AV_EF_EXPLODE)
73 return AVERROR_INVALIDDATA;
74 return 0;
75 }
76
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 17 times.
 17 if (len + 24 > bytestream2_get_bytes_left(&g)) {
77 av_log(s, AV_LOG_ERROR, "Attached picture metadata block too short\n");
78 if (s->error_recognition & AV_EF_EXPLODE)
79 return AVERROR_INVALIDDATA;
80 return 0;
81 }
82 17 bytestream2_get_bufferu(&g, mimetype, len);
83 17 mimetype[len] = 0;
84
85
1/2
✓ Branch 0 taken 56 times.
✗ Branch 1 not taken.
 56 while (mime->id != AV_CODEC_ID_NONE) {
86
2/2
✓ Branch 0 taken 17 times.
✓ Branch 1 taken 39 times.
 56 if (!strncmp(mime->str, mimetype, sizeof(mimetype))) {
87 17 id = mime->id;
88 17 break;
89 }
90 39 mime++;
91 }
92
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 17 times.
 17 if (id == AV_CODEC_ID_NONE) {
93 av_log(s, AV_LOG_WARNING, "Unknown attached picture mimetype: %s.\n",
94 mimetype);
95 return 0;
96 }
97
98 /* picture description */
99 17 len = bytestream2_get_be32u(&g);
100
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 17 times.
 17 if (len > bytestream2_get_bytes_left(&g) - 20) {
101 av_log(s, AV_LOG_ERROR, "Attached picture metadata block too short\n");
102 if (s->error_recognition & AV_EF_EXPLODE)
103 return AVERROR_INVALIDDATA;
104 return 0;
105 }
106
2/2
✓ Branch 0 taken 14 times.
✓ Branch 1 taken 3 times.
 17 if (len > 0) {
107 14 desc = g.buffer;
108 14 bytestream2_skipu(&g, len);
109 }
110
111 /* picture metadata */
112 17 width = bytestream2_get_be32u(&g);
113 17 ((uint8_t*)g.buffer)[-4] = '\0'; // NUL-terminate desc.
114 17 height = bytestream2_get_be32u(&g);
115 17 bytestream2_skipu(&g, 8);
116
117 /* picture data */
118 17 len = bytestream2_get_be32u(&g);
119
120 17 left = bytestream2_get_bytes_left(&g);
121
2/4
✓ Branch 0 taken 17 times.
✗ Branch 1 not taken.
✗ Branch 2 not taken.
✓ Branch 3 taken 17 times.
 17 if (len <= 0 || len > left) {
122 if (len > MAX_TRUNC_PICTURE_SIZE || len >= INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE) {
123 av_log(s, AV_LOG_ERROR, "Attached picture metadata block too big %"PRIu32"\n", len);
124 if (s->error_recognition & AV_EF_EXPLODE)
125 return AVERROR_INVALIDDATA;
126 return 0;
127 }
128
129 // Workaround bug for flac muxers that writs truncated metadata picture block size if
130 // the picture size do not fit in 24 bits. lavf flacenc used to have the issue and based
131 // on existing broken files other unknown flac muxers seems to truncate also.
132 if (truncate_workaround &&
133 s->strict_std_compliance <= FF_COMPLIANCE_NORMAL &&
134 len > left && (len & 0xffffff) == left) {
135 av_log(s, AV_LOG_INFO, "Correcting truncated metadata picture size from %"PRIu32" to %"PRIu32"\n", left, len);
136 trunclen = len - left;
137 } else {
138 av_log(s, AV_LOG_ERROR, "Attached picture metadata block too short\n");
139 if (s->error_recognition & AV_EF_EXPLODE)
140 return AVERROR_INVALIDDATA;
141 return 0;
142 }
143 }
144
2/4
✓ Branch 0 taken 17 times.
✗ Branch 1 not taken.
✓ Branch 2 taken 17 times.
✗ Branch 3 not taken.
 17 if (trunclen == 0 && len >= buf_size - (buf_size >> 4)) {
145 17 data = av_buffer_create(buf, buf_size + AV_INPUT_BUFFER_PADDING_SIZE,
146 av_buffer_default_free, NULL, 0);
147
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 17 times.
 17 if (!data)
148 return AVERROR(ENOMEM);
149 17 *bufp = NULL;
150 17 data->data += bytestream2_tell(&g);
151 17 data->size = len + AV_INPUT_BUFFER_PADDING_SIZE;
152 } else {
153 if (!(data = av_buffer_alloc(len + AV_INPUT_BUFFER_PADDING_SIZE)))
154 return AVERROR(ENOMEM);
155
156 if (trunclen == 0) {
157 bytestream2_get_bufferu(&g, data->data, len);
158 } else {
159 // If truncation was detected copy all data from block and
160 // read missing bytes not included in the block size.
161 bytestream2_get_bufferu(&g, data->data, left);
162 ret = ffio_read_size(s->pb, data->data + len - trunclen, trunclen);
163 if (ret < 0)
164 goto fail;
165 }
166 }
167 17 memset(data->data + len, 0, AV_INPUT_BUFFER_PADDING_SIZE);
168
169
2/2
✓ Branch 0 taken 4 times.
✓ Branch 1 taken 13 times.
 17 if (AV_RB64(data->data) == PNGSIG)
170 4 id = AV_CODEC_ID_PNG;
171
172 17 ret = ff_add_attached_pic(s, NULL, NULL, &data, 0);
173
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 17 times.
 17 if (ret < 0)
174 RETURN_ERROR(ret);
175
176 17 st = s->streams[s->nb_streams - 1];
177 17 st->codecpar->codec_id = id;
178 17 st->codecpar->width = width;
179 17 st->codecpar->height = height;
180 17 av_dict_set(&st->metadata, "comment", ff_id3v2_picture_types[type], 0);
181
2/2
✓ Branch 0 taken 14 times.
✓ Branch 1 taken 3 times.
 17 if (desc)
182 14 av_dict_set(&st->metadata, "title", desc, 0);
183
184 17 return 0;
185
186 fail:
187 av_buffer_unref(&data);
188
189 return ret;
190 }
191