1 /* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
2 /* vim:set ts=2 sw=2 sts=2 et cindent: */
3 /* This Source Code Form is subject to the terms of the Mozilla Public
4  * License, v. 2.0. If a copy of the MPL was not distributed with this
5  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
6 
7 #include <string.h>
8 
9 #include "mozilla/EndianUtils.h"
10 #include "mozilla/ScopeExit.h"
11 #include "mozilla/TextUtils.h"
12 #include "mozilla/Utf8.h"
13 #include <stdint.h>
14 #include <algorithm>
15 #include <opus/opus.h>
16 
17 #include "OggCodecState.h"
18 #include "OggRLBox.h"
19 #include "OpusDecoder.h"
20 #include "OpusParser.h"
21 #include "VideoUtils.h"
22 #include "XiphExtradata.h"
23 #include "nsDebug.h"
24 #include "opus/opus_multistream.h"
25 
26 namespace mozilla {
27 
28 extern LazyLogModule gMediaDecoderLog;
29 #define LOG(type, msg) MOZ_LOG(gMediaDecoderLog, type, msg)
30 
31 using media::TimeUnit;
32 
33 /** Decoder base class for Ogg-encapsulated streams. */
// Factory for the codec state of one logical Ogg bitstream. Must be called
// with the stream's beginning-of-stream (BOS) page. The codec is chosen from
// the magic bytes at the start of the page body; a body that matches no known
// magic yields a plain OggCodecState constructed with aActive == false.
// Returns null when InternalInit() (ogg_stream_init in the sandbox) fails.
//
// aPage lives in sandbox memory, so body_len and the body bytes are tainted.
// They are used here only to select which state class to construct; see
// codec_reason below for why that is accepted without verification.
UniquePtr<OggCodecState> OggCodecState::Create(
    rlbox_sandbox_ogg* aSandbox, tainted_opaque_ogg<ogg_page*> aPage,
    uint32_t aSerial) {
  // Sanity check on the caller; the sandbox's answer is used for nothing else.
  NS_ASSERTION(sandbox_invoke(*aSandbox, ogg_page_bos, aPage)
                   .unverified_safe_because(RLBOX_SAFE_DEBUG_ASSERTION),
               "Only call on BOS page!");
  UniquePtr<OggCodecState> codecState;
  tainted_ogg<ogg_page*> aPage_t = rlbox::from_opaque(aPage);
  const char codec_reason[] =
      "These conditions set the type of codec. Since we are relying on "
      "ogg_page to determine the codec type, the library could lie about "
      "this. We allow this as it does not directly allow renderer "
      "vulnerabilities if this is incorrect.";
  long body_len = aPage_t->body_len.unverified_safe_because(codec_reason);

  // Every branch first requires body_len to exceed the number of bytes the
  // comparison reads (Theora and Vorbis skip a one-byte packet-type prefix,
  // hence body + 1), then compares inside the sandbox with rlbox::memcmp.
  if (body_len > 6 && rlbox::memcmp(*aSandbox, aPage_t->body + 1, "theora", 6u)
                              .unverified_safe_because(codec_reason) == 0) {
    codecState = MakeUnique<TheoraState>(aSandbox, aPage, aSerial);
  } else if (body_len > 6 &&
             rlbox::memcmp(*aSandbox, aPage_t->body + 1, "vorbis", 6u)
                     .unverified_safe_because(codec_reason) == 0) {
    codecState = MakeUnique<VorbisState>(aSandbox, aPage, aSerial);
  } else if (body_len > 8 &&
             rlbox::memcmp(*aSandbox, aPage_t->body, "OpusHead", 8u)
                     .unverified_safe_because(codec_reason) == 0) {
    codecState = MakeUnique<OpusState>(aSandbox, aPage, aSerial);
  } else if (body_len > 8 &&
             rlbox::memcmp(*aSandbox, aPage_t->body, "fishead\0", 8u)
                     .unverified_safe_because(codec_reason) == 0) {
    codecState = MakeUnique<SkeletonState>(aSandbox, aPage, aSerial);
  } else if (body_len > 5 &&
             rlbox::memcmp(*aSandbox, aPage_t->body, "\177FLAC", 5u)
                     .unverified_safe_because(codec_reason) == 0) {
    codecState = MakeUnique<FlacState>(aSandbox, aPage, aSerial);
  } else {
    // Unknown codec: keep a placeholder state so the serial is still tracked.
    // Can't use MakeUnique here, OggCodecState is protected.
    codecState.reset(new OggCodecState(aSandbox, aPage, aSerial, false));
  }

  // The base-class initialiser is called explicitly (qualified call) for every
  // state type; on failure the half-built state is destroyed and null returned.
  if (!codecState->OggCodecState::InternalInit()) {
    codecState.reset();
  }

  return codecState;
}
79 
// Builds the state shared by all codecs. The ogg_stream_state that libogg
// works on is allocated inside the sandbox, zero-filled there, and kept as an
// opaque tainted handle in mState. An inactive stream (aActive == false) is
// treated as having finished its headers from the start.
OggCodecState::OggCodecState(rlbox_sandbox_ogg* aSandbox,
                             tainted_opaque_ogg<ogg_page*> aBosPage,
                             uint32_t aSerial, bool aActive)
    : mPacketCount(0),
      mSerial(aSerial),
      mActive(aActive),
      mDoneReadingHeaders(!aActive),
      mSandbox(aSandbox) {
  MOZ_COUNT_CTOR(OggCodecState);

  tainted_ogg<ogg_stream_state*> streamState =
      mSandbox->malloc_in_sandbox<ogg_stream_state>();
  // Allocation failure inside the sandbox is fatal rather than recoverable.
  MOZ_RELEASE_ASSERT(streamState != nullptr);

  // Start from an all-zero structure before libogg is asked to initialise it.
  rlbox::memset(*mSandbox, streamState, 0, sizeof(ogg_stream_state));
  mState = streamState.to_opaque();
}
95 
// Tears the stream down in order: reset the stream and drop queued packets,
// call ogg_stream_clear in the sandbox, free the sandbox-allocated
// ogg_stream_state, and finally replace mState with a null handle.
OggCodecState::~OggCodecState() {
  MOZ_COUNT_DTOR(OggCodecState);
  Reset();
  // `ret` is declared only in DEBUG builds, where the assertion below reads
  // it; in other builds the call is made and its result discarded.
#ifdef DEBUG
  int ret =
#endif
      sandbox_invoke(*mSandbox, ogg_stream_clear, mState)
          .unverified_safe_because(RLBOX_SAFE_DEBUG_ASSERTION);
  NS_ASSERTION(ret == 0, "ogg_stream_clear failed");
  mSandbox->free_in_sandbox(rlbox::from_opaque(mState));
  // Null the handle so the freed sandbox pointer cannot be reused by mistake.
  tainted_ogg<ogg_stream_state*> nullval = nullptr;
  mState = nullval.to_opaque();
}
109 
// Resets the sandboxed stream state and discards every queued and unstamped
// packet. Returns NS_ERROR_FAILURE, leaving the queues untouched, when
// ogg_stream_reset reports an error.
nsresult OggCodecState::Reset() {
  const bool resetFailed =
      sandbox_invoke(*mSandbox, ogg_stream_reset, mState)
          .unverified_safe_because(RLBOX_OGG_STATE_ASSERT_REASON) != 0;
  if (resetFailed) {
    return NS_ERROR_FAILURE;
  }

  mPackets.Erase();
  ClearUnstamped();
  return NS_OK;
}
119 
// Drops the data packets that are still waiting for a granulepos.
void OggCodecState::ClearUnstamped() {
  mUnstamped.Clear();
}
121 
// Initialises the sandboxed ogg_stream_state for this stream's serial number.
// Returns true when ogg_stream_init reports success (0).
bool OggCodecState::InternalInit() {
  return sandbox_invoke(*mSandbox, ogg_stream_init, mState, mSerial)
             .unverified_safe_because(RLBOX_OGG_STATE_ASSERT_REASON) == 0;
}
127 
// Returns true when every byte of aName is a permitted Vorbis tag-name
// character: ASCII 0x20 through 0x7D, excluding 0x3D '=' which is the
// name/value separator. An empty name passes the check.
bool OggCodecState::IsValidVorbisTagName(nsCString& aName) {
  const char* first = aName.Data();
  const char* last = first + aName.Length();
  // Bytes of 0x80 and above are rejected whether char is signed (they compare
  // below 0x20) or unsigned (they compare above 0x7D).
  return std::all_of(first, last, [](char aByte) {
    return aByte >= 0x20 && aByte <= 0x7D && aByte != '=';
  });
}
140 
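// Parses one "NAME=value" Vorbis comment of aLength bytes and stores it in
// aTags. Returns false, storing nothing, when the comment has no '='
// separator, when the name contains a character IsValidVorbisTagName rejects,
// or when the value is not valid UTF-8.
//
// aComment is handled as a length-delimited buffer that comes from the media
// file: nothing at or beyond aComment + aLength is read.
bool OggCodecState::AddVorbisComment(UniquePtr<MetadataTags>& aTags,
                                     const char* aComment, uint32_t aLength) {
  const char* div = static_cast<const char*>(memchr(aComment, '=', aLength));
  if (!div) {
    LOG(LogLevel::Debug, ("Skipping comment: no separator"));
    return false;
  }
  // memchr found '=' inside the buffer, so keyLength < aLength.
  const uint32_t keyLength = static_cast<uint32_t>(div - aComment);
  nsCString key = nsCString(aComment, keyLength);
  if (!IsValidVorbisTagName(key)) {
    LOG(LogLevel::Debug, ("Skipping comment: invalid tag name"));
    return false;
  }
  // The value starts one byte after the separator, so its length excludes
  // both the key and the '=' itself. Counting only the key here would make
  // the copy below read one byte past the end of the comment.
  const uint32_t valueLength = aLength - keyLength - 1;
  nsCString value = nsCString(div + 1, valueLength);
  if (!IsUtf8(value)) {
    LOG(LogLevel::Debug, ("Skipping comment: invalid UTF-8 in value"));
    return false;
  }
  aTags->InsertOrUpdate(key, value);
  return true;
}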
162 
// Packs the queued header packets into aBuffer as Xiph extradata for the
// decoder. On success the header queue is emptied and true is returned; on
// failure the queue is left as it was and false is returned.
bool OggCodecState::SetCodecSpecificConfig(MediaByteBuffer* aBuffer,
                                           OggPacketQueue& aHeaders) {
  nsTArray<const unsigned char*> packetData;
  nsTArray<size_t> packetSizes;
  const size_t headerCount = aHeaders.Length();
  for (size_t idx = 0; idx < headerCount; ++idx) {
    packetData.AppendElement(aHeaders[idx]->packet);
    packetSizes.AppendElement(aHeaders[idx]->bytes);
  }

  // Save header packets for the decoder.
  const bool saved = XiphHeadersToExtradata(aBuffer, packetData, packetSizes);
  if (saved) {
    aHeaders.Erase();
  }
  return saved;
}
178 
// Remembers the predicted sample count for aPacket, keyed by the packet's
// address. Does nothing unless VALIDATE_VORBIS_SAMPLE_CALCULATION is defined.
void VorbisState::RecordVorbisPacketSamples(ogg_packet* aPacket,
                                            long aSamples) {
#if defined(VALIDATE_VORBIS_SAMPLE_CALCULATION)
  mVorbisPacketSamples[aPacket] = aSamples;
#endif  // VALIDATE_VORBIS_SAMPLE_CALCULATION
}
185 
// Checks that the number of samples actually decoded from aPacket matches the
// count recorded earlier, then forgets the record. Does nothing unless
// VALIDATE_VORBIS_SAMPLE_CALCULATION is defined.
void VorbisState::ValidateVorbisPacketSamples(ogg_packet* aPacket,
                                              long aSamples) {
#if defined(VALIDATE_VORBIS_SAMPLE_CALCULATION)
  NS_ASSERTION(mVorbisPacketSamples[aPacket] == aSamples,
               "Decoded samples for Vorbis packet don't match expected!");
  // Drop the entry so a later packet reusing this address cannot match it.
  mVorbisPacketSamples.erase(aPacket);
#endif  // VALIDATE_VORBIS_SAMPLE_CALCULATION
}
194 
// Asserts that a sample count was recorded for aPacket. Does nothing unless
// VALIDATE_VORBIS_SAMPLE_CALCULATION is defined.
void VorbisState::AssertHasRecordedPacketSamples(ogg_packet* aPacket) {
#if defined(VALIDATE_VORBIS_SAMPLE_CALCULATION)
  NS_ASSERTION(mVorbisPacketSamples.count(aPacket) == 1,
               "Must have recorded packet samples");
#endif  // VALIDATE_VORBIS_SAMPLE_CALCULATION
}
201 
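// Clone the given packet from memory accessible to the sandboxed libOgg to
// memory accessible only to the Firefox renderer.
//
// The scalar fields are copied as the sandbox reports them; their values are
// untrusted and callers must not rely on them being sensible. The one
// invariant established here is that the clone's `packet` pointer is non-null
// exactly when `bytes` is positive, because the code in this file guards
// payload reads with `bytes > 0` and then dereferences `packet`.
static OggPacketPtr CloneOutOfSandbox(tainted_ogg<ogg_packet*> aPacket) {
  ogg_packet* clone =
      aPacket.copy_and_verify([](std::unique_ptr<tainted_ogg<ogg_packet>> val) {
        const char packet_reason[] =
            "Packets have no guarantees on what data they hold. The renderer's "
            "safety is not compromised even if packets return garbage data.";

        ogg_packet* p = new ogg_packet();
        p->bytes = val->bytes.unverified_safe_because(packet_reason);
        p->b_o_s = val->b_o_s.unverified_safe_because(packet_reason);
        p->e_o_s = val->e_o_s.unverified_safe_because(packet_reason);
        p->granulepos = val->granulepos.unverified_safe_because(packet_reason);
        p->packetno = val->packetno.unverified_safe_because(packet_reason);
        p->packet = nullptr;

        // `bytes` is a signed value chosen by the sandbox. A negative length
        // must never reach the range copy, where it would be converted to a
        // very large unsigned count, so it is treated as an empty payload.
        if (p->bytes <= 0) {
          p->bytes = 0;
          return p;
        }

        p->packet = val->packet.copy_and_verify_range(
            [](std::unique_ptr<unsigned char[]> packet) {
              return packet.release();
            },
            p->bytes);
        // NOTE(review): the range copy is presumed to hand the verifier a null
        // buffer when the sandbox-side pointer is null - confirm against
        // RLBox. Should that happen, the length is cleared so that it cannot
        // describe a payload that was never copied.
        if (!p->packet) {
          p->bytes = 0;
        }
        return p;
      });
  return OggPacketPtr(clone);
}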
230 
// Appends aPacket to the back of the queue; the queue takes over ownership of
// the raw packet released from the smart pointer.
void OggPacketQueue::Append(OggPacketPtr aPacket) {
  auto* released = aPacket.release();
  nsDeque::Push(released);
}
234 
// True when at least one packet is queued and can be taken with PacketOut().
bool OggCodecState::IsPacketReady() {
  return !mPackets.IsEmpty();
}
236 
// Removes and returns the packet at the front of the queue, transferring
// ownership to the caller. Returns null when the queue is empty.
OggPacketPtr OggCodecState::PacketOut() {
  if (!mPackets.IsEmpty()) {
    return mPackets.PopFront();
  }
  return nullptr;
}
243 
// Returns the packet at the front of the queue without removing it; the queue
// keeps ownership. Returns null when the queue is empty.
ogg_packet* OggCodecState::PacketPeek() {
  if (!mPackets.IsEmpty()) {
    return mPackets.PeekFront();
  }
  return nullptr;
}
250 
// Drains aOther into the front of this stream's packet queue. Packets are
// taken with aOther.Pop() one at a time and each is pushed to the front, until
// aOther is empty.
void OggCodecState::PushFront(OggPacketQueue&& aOther) {
  for (; !aOther.IsEmpty();) {
    mPackets.PushFront(aOther.Pop());
  }
}
256 
// Takes the next queued packet and wraps a copy of its payload in a
// MediaRawData sample, filling in timecode, start time, duration, keyframe and
// end-of-stream flags. Returns null when no packet is queued or when the
// payload buffer could not be allocated.
//
// The timestamp and duration checks below are assertions only; a stream whose
// Time() or PacketDuration() yields a negative value still produces a sample
// where assertions are compiled out.
already_AddRefed<MediaRawData> OggCodecState::PacketOutAsMediaRawData() {
  OggPacketPtr pkt = PacketOut();
  if (!pkt) {
    return nullptr;
  }

  NS_ASSERTION(
      !IsHeader(pkt.get()),
      "PacketOutAsMediaRawData can only be called on non-header packets");

  RefPtr<MediaRawData> raw = new MediaRawData(pkt->packet, pkt->bytes);
  // A non-empty packet that produced no data buffer means the copy failed.
  const bool allocationFailed = pkt->bytes && !raw->Data();
  if (allocationFailed) {
    // OOM.
    return nullptr;
  }

  const int64_t endTime = Time(pkt->granulepos);
  NS_ASSERTION(endTime >= 0, "timestamp invalid");

  const int64_t length = PacketDuration(pkt.get());
  NS_ASSERTION(length >= 0, "duration invalid");

  // The granulepos marks the end of the packet, so the start is end - length.
  raw->mTimecode = TimeUnit::FromMicroseconds(pkt->granulepos);
  raw->mTime = TimeUnit::FromMicroseconds(endTime - length);
  raw->mDuration = TimeUnit::FromMicroseconds(length);
  raw->mKeyframe = IsKeyframe(pkt.get());
  raw->mEOS = pkt->e_o_s;

  return raw.forget();
}
286 
// Feeds one page into this stream's sandboxed ogg_stream_state and moves every
// packet that becomes available into mPackets, cloning each one out of
// sandbox memory. Inactive streams ignore the page and report success.
nsresult OggCodecState::PageIn(tainted_opaque_ogg<ogg_page*> aPage) {
  if (!mActive) {
    return NS_OK;
  }
  NS_ASSERTION((rlbox::sandbox_static_cast<uint32_t>(sandbox_invoke(
                    *mSandbox, ogg_page_serialno, aPage)) == mSerial)
                   .unverified_safe_because(RLBOX_OGG_PAGE_SERIAL_REASON),
               "Page must be for this stream!");

  const int pageInStatus =
      sandbox_invoke(*mSandbox, ogg_stream_pagein, mState, aPage)
          .unverified_safe_because(RLBOX_OGG_STATE_ASSERT_REASON);
  if (pageInStatus == -1) {
    return NS_ERROR_FAILURE;
  }

  // Scratch packet in sandbox memory for libogg to fill; released on every
  // exit path by the scope guard.
  tainted_ogg<ogg_packet*> scratch = mSandbox->malloc_in_sandbox<ogg_packet>();
  if (!scratch) {
    return NS_ERROR_OUT_OF_MEMORY;
  }
  auto freeScratch =
      MakeScopeExit([&] { mSandbox->free_in_sandbox(scratch); });

  // Keep pulling until packetout returns 0. A result of 1 is a packet to
  // keep; any other non-zero result is skipped and the loop continues.
  for (;;) {
    const int status =
        sandbox_invoke(*mSandbox, ogg_stream_packetout, mState, scratch)
            .unverified_safe_because(RLBOX_OGG_STATE_ASSERT_REASON);
    if (status == 1) {
      mPackets.Append(CloneOutOfSandbox(scratch));
    }
    if (status == 0) {
      break;
    }
  }

  if (sandbox_invoke(*mSandbox, ogg_stream_check, mState)
          .unverified_safe_because(RLBOX_OGG_STATE_ASSERT_REASON)) {
    NS_WARNING("Unrecoverable error in ogg_stream_packetout");
    return NS_ERROR_FAILURE;
  }
  return NS_OK;
}
320 
// Pulls packets out of the sandboxed stream state until either none are left
// or a data packet with a positive granulepos has been seen. Header packets
// go to mPackets; data packets are parked in mUnstamped. aFoundGranulepos is
// set from the most recent data packet (false when none was pulled).
nsresult OggCodecState::PacketOutUntilGranulepos(bool& aFoundGranulepos) {
  aFoundGranulepos = false;

  // Scratch packet in sandbox memory for libogg to fill; released on every
  // exit path by the scope guard.
  tainted_ogg<ogg_packet*> scratch = mSandbox->malloc_in_sandbox<ogg_packet>();
  if (!scratch) {
    return NS_ERROR_OUT_OF_MEMORY;
  }
  auto freeScratch =
      MakeScopeExit([&] { mSandbox->free_in_sandbox(scratch); });

  for (;;) {
    tainted_ogg<int> taintedStatus =
        sandbox_invoke(*mSandbox, ogg_stream_packetout, mState, scratch);
    const int status =
        taintedStatus.unverified_safe_because(RLBOX_OGG_STATE_ASSERT_REASON);

    if (status == 1) {
      OggPacketPtr cloned = CloneOutOfSandbox(scratch);
      if (IsHeader(cloned.get())) {
        // Header packets go straight into the packet queue.
        mPackets.Append(std::move(cloned));
      } else {
        // Data packets are buffered until one carries a granulepos; that
        // value is later used to work out the granulepos of the packets
        // preceding it.
        aFoundGranulepos = cloned->granulepos > 0;
        mUnstamped.AppendElement(std::move(cloned));
      }
    }

    if (status == 0 || aFoundGranulepos) {
      break;
    }
  }

  if (sandbox_invoke(*mSandbox, ogg_stream_check, mState)
          .unverified_safe_because(RLBOX_OGG_STATE_ASSERT_REASON)) {
    NS_WARNING("Unrecoverable error in ogg_stream_packetout");
    return NS_ERROR_FAILURE;
  }
  return NS_OK;
}
356 
// Creates an active Theora stream state. The decoder context (mCtx) and setup
// data (mSetup) start out null; the info and comment structures are put into
// their initial state by libtheora before any header is parsed.
TheoraState::TheoraState(rlbox_sandbox_ogg* aSandbox,
                         tainted_opaque_ogg<ogg_page*> aBosPage,
                         uint32_t aSerial)
    : OggCodecState(aSandbox, aBosPage, aSerial, true),
      mSetup(nullptr),
      mCtx(nullptr) {
  MOZ_COUNT_CTOR(TheoraState);
  th_info_init(&mTheoraInfo);
  th_comment_init(&mComment);
}
367 
// Releases the libtheora objects owned by this state (setup data, decoder
// context, comment and info structures) and then resets the stream, which
// also empties the header queue.
TheoraState::~TheoraState() {
  MOZ_COUNT_DTOR(TheoraState);
  th_setup_free(mSetup);
  th_decode_free(mCtx);
  th_comment_clear(&mComment);
  th_info_clear(&mTheoraInfo);
  // Reset() touches only the packet queues and the sandboxed stream state,
  // none of the libtheora objects freed above.
  Reset();
}
376 
// Validates the geometry announced by the stream headers, allocates the
// Theora decoder context and fills in the video track info. Returns whether
// the stream is usable; every failure path also deactivates the stream.
bool TheoraState::Init() {
  if (!mActive) {
    return false;
  }

  // A zero numerator or denominator means "no aspect ratio given": use 1:1.
  const int64_t aspectNum = mTheoraInfo.aspect_numerator;
  const int64_t aspectDen = mTheoraInfo.aspect_denominator;
  float aspectRatio = 1.0f;
  if (aspectNum != 0 && aspectDen != 0) {
    aspectRatio =
        static_cast<float>(aspectNum) / static_cast<float>(aspectDen);
  }

  // The header values come from the media file. Ensure the frame and picture
  // regions aren't larger than our prescribed maximum, or zero sized, before
  // anything is allocated from them.
  gfx::IntSize frameSize(mTheoraInfo.frame_width, mTheoraInfo.frame_height);
  gfx::IntRect pictureRect(mTheoraInfo.pic_x, mTheoraInfo.pic_y,
                           mTheoraInfo.pic_width, mTheoraInfo.pic_height);
  gfx::IntSize displaySize(mTheoraInfo.pic_width, mTheoraInfo.pic_height);
  ScaleDisplayByAspectRatio(displaySize, aspectRatio);
  if (!IsValidVideoRegion(frameSize, pictureRect, displaySize)) {
    mActive = false;
    return mActive;
  }

  mCtx = th_decode_alloc(&mTheoraInfo, mSetup);
  if (!mCtx) {
    mActive = false;
    return mActive;
  }

  // Video track's frame sizes will not overflow. Activate the video track.
  mInfo.mMimeType = "video/theora"_ns;
  mInfo.mDisplay = displaySize;
  mInfo.mImage = frameSize;
  mInfo.SetImageRect(pictureRect);

  // The stream stays active only if the headers could be saved as extradata.
  mActive = SetCodecSpecificConfig(mInfo.mCodecSpecificConfig, mHeaders);
  return mActive;
}
412 
// Drops any buffered header packets, then performs the base-class reset and
// returns its result.
nsresult TheoraState::Reset() {
  mHeaders.Erase();
  const nsresult baseResult = OggCodecState::Reset();
  return baseResult;
}
417 
// Feeds one header packet to libtheora and tracks header progress. Ownership
// of aPacket passes to mHeaders. Returns false when libtheora reports an
// error or more than three packets have been seen; the caller is expected to
// deactivate the bitstream in that case.
//
// th_decode_headerin() does not say when it has read the last header, so the
// count is kept here. There are 3 header packets - Identification, Comment
// and Setup - which must arrive in that order; otherwise the file is invalid.
// The first byte of each packet gives its type:
//    0x80 -> Identification header
//    0x81 -> Comment header
//    0x82 -> Setup header
// See http://www.theora.org/doc/Theora.pdf Chapter 6, "Bitstream Headers",
// for more details of the Ogg/Theora containment scheme.
bool TheoraState::DecodeHeader(OggPacketPtr aPacket) {
  // Keep a raw pointer for use below; the packet itself is owned by mHeaders
  // from here on.
  ogg_packet* header = aPacket.get();
  mHeaders.Append(std::move(aPacket));
  mPacketCount++;

  const int status =
      th_decode_headerin(&mTheoraInfo, &mComment, &mSetup, header);

  // The length is checked first so an empty packet's payload is never read.
  const bool looksLikeSetup = header->bytes > 0 && header->packet[0] == 0x82;

  if (status < 0 || mPacketCount > 3) {
    // We've received an error, or the first three packets weren't valid
    // header packets. Assume bad input.
    return false;
  }

  if (status > 0 && looksLikeSetup && mPacketCount == 3) {
    // Successfully read the three header packets.
    mDoneReadingHeaders = true;
  }
  return true;
}
450 
// Converts a granulepos to an end time in microseconds using this stream's
// header info. Returns -1 for an inactive stream.
int64_t TheoraState::Time(int64_t granulepos) {
  return mActive ? TheoraState::Time(&mTheoraInfo, granulepos) : -1;
}
457 
// True when libtheora classifies aPacket as a header packet.
bool TheoraState::IsHeader(ogg_packet* aPacket) {
  return th_packet_isheader(aPacket) != 0;
}
461 
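// True when the stream described by _info carries Theora bitstream version
// (_maj, _min, _sub) or later. The comparison is lexicographic on
// (major, minor, subminor), the same ordering TheoraVersion() in this file
// uses. Comparing each component with >= independently would wrongly report
// e.g. 3.3.0 as older than 3.2.1, because its subminor is smaller.
#define TH_VERSION_CHECK(_info, _maj, _min, _sub)   \
  ((_info)->version_major > (_maj) ||               \
   ((_info)->version_major == (_maj) &&             \
    ((_info)->version_minor > (_min) ||             \
     ((_info)->version_minor == (_min) &&           \
      (_info)->version_subminor >= (_sub)))))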
466 
// Converts a Theora granulepos to the end time of its frame in microseconds,
// using only the header info in aInfo. Returns -1 when the granulepos is
// negative, the frame-rate numerator is zero, or the arithmetic overflows.
int64_t TheoraState::Time(th_info* aInfo, int64_t aGranulepos) {
  if (aGranulepos < 0 || aInfo->fps_numerator == 0) {
    return -1;
  }

  // Implementation of th_granule_frame inlined here to operate
  // on the th_info structure instead of the theora_state.
  // A granulepos is (keyframe << shift) + offset-from-keyframe.
  const int granuleShift = aInfo->keyframe_granule_shift;
  const ogg_int64_t keyframePart = aGranulepos >> granuleShift;
  const ogg_int64_t offsetPart = aGranulepos - (keyframePart << granuleShift);
  const int64_t frameIndex =
      keyframePart + offsetPart - TH_VERSION_CHECK(aInfo, 3, 2, 1);

  // The frame rate comes from the file, so every step is overflow-checked.
  CheckedInt64 usecs = ((CheckedInt64(frameIndex) + 1) * USECS_PER_S) *
                       aInfo->fps_denominator;
  if (!usecs.isValid()) {
    return -1;
  }
  usecs /= aInfo->fps_numerator;
  if (!usecs.isValid()) {
    return -1;
  }
  return usecs.value();
}
485 
// Converts a granulepos to the start time of its frame in microseconds.
// Returns -1 when the granulepos is negative, the stream is inactive, the
// frame-rate numerator is zero, or the multiplication overflows.
int64_t TheoraState::StartTime(int64_t granulepos) {
  const bool usable =
      granulepos >= 0 && mActive && mTheoraInfo.fps_numerator != 0;
  if (!usable) {
    return -1;
  }

  const CheckedInt64 frameNumber(th_granule_frame(mCtx, granulepos));
  CheckedInt64 usecs =
      (frameNumber * USECS_PER_S) * mTheoraInfo.fps_denominator;
  if (!usecs.isValid()) {
    return -1;
  }
  return usecs.value() / mTheoraInfo.fps_numerator;
}
498 
// Returns the duration of one frame in microseconds; the value does not
// depend on aPacket. Returns -1 for an inactive stream, a zero frame-rate
// numerator, or an overflowing computation.
int64_t TheoraState::PacketDuration(ogg_packet* aPacket) {
  if (!mActive || mTheoraInfo.fps_numerator == 0) {
    return -1;
  }

  const CheckedInt64 frameUsecs = SaferMultDiv(
      mTheoraInfo.fps_denominator, USECS_PER_S, mTheoraInfo.fps_numerator);
  if (!frameUsecs.isValid()) {
    return -1;
  }
  return frameUsecs.value();
}
507 
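// Returns the maximum time, in microseconds, by which a frame can be offset
// from its keyframe in this Theora bitstream. Theora granulepos encode time
// as ((key_frame_number << granule_shift) + frame_offset), so the largest
// possible offset is the duration of ((1 << granule_shift) - 1) frames.
//
// Both the granule shift and the frame rate come from the stream headers.
// Returns 0 when the frame-rate numerator is zero, since no frame duration
// can be derived in that case.
int64_t TheoraState::MaxKeyframeOffset() {
  // Guard the division below, matching the zero-numerator checks the other
  // TheoraState timing methods perform.
  if (mTheoraInfo.fps_numerator == 0) {
    return 0;
  }

  // Max number of frames keyframe could possibly be offset. The shift is done
  // in 64 bits: shifting a plain int by 31 would overflow it.
  const int64_t keyframeDiff =
      (static_cast<int64_t>(1) << mTheoraInfo.keyframe_granule_shift) - 1;

  // Length of frame in usecs.
  const int64_t frameDuration =
      (mTheoraInfo.fps_denominator * USECS_PER_S) / mTheoraInfo.fps_numerator;

  // Total time in usecs keyframe can be offset from any given frame.
  return frameDuration * keyframeDiff;
}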
526 
// True when pkt is a Theora intra (key) frame. An empty packet is never a
// keyframe, and its payload is not read.
bool TheoraState::IsKeyframe(ogg_packet* pkt) {
  if (pkt->bytes < 1) {
    return false;
  }
  // first bit of packet is 1 for header, 0 for data
  // second bit of packet is 1 for inter frame, 0 for intra frame
  const auto frameTypeBit = pkt->packet[0] & 0x40;
  return frameTypeBit == 0x00;
}
532 
// Feeds one page into the sandboxed stream state and pulls packets out until
// one with a granulepos is found. Once the headers have been read, the
// buffered data packets get their granulepos reconstructed and are moved to
// the packet queue. Inactive streams ignore the page and report success.
nsresult TheoraState::PageIn(tainted_opaque_ogg<ogg_page*> aPage) {
  if (!mActive) {
    return NS_OK;
  }
  NS_ASSERTION((rlbox::sandbox_static_cast<uint32_t>(sandbox_invoke(
                    *mSandbox, ogg_page_serialno, aPage)) == mSerial)
                   .unverified_safe_because(RLBOX_OGG_PAGE_SERIAL_REASON),
               "Page must be for this stream!");

  const int pageInStatus =
      sandbox_invoke(*mSandbox, ogg_stream_pagein, mState, aPage)
          .unverified_safe_because(RLBOX_OGG_STATE_ASSERT_REASON);
  if (pageInStatus == -1) {
    return NS_ERROR_FAILURE;
  }

  bool sawGranulepos;
  const nsresult rv = PacketOutUntilGranulepos(sawGranulepos);
  if (NS_FAILED(rv)) {
    return rv;
  }

  if (!(sawGranulepos && mDoneReadingHeaders)) {
    return NS_OK;
  }

  // We've found a packet with a granulepos, and we've loaded our metadata
  // and initialized our decoder. Determine granulepos of buffered packets.
  ReconstructTheoraGranulepos();
  for (auto& slot : mUnstamped) {
    OggPacketPtr stamped = std::move(slot);
#ifdef DEBUG
    NS_ASSERTION(!IsHeader(stamped.get()),
                 "Don't try to recover header packet gp");
    NS_ASSERTION(stamped->granulepos != -1, "Packet must have gp by now");
#endif
    mPackets.Append(std::move(stamped));
  }
  mUnstamped.Clear();
  return NS_OK;
}
563 
// Returns 1 if the Theora info struct describes media of Theora version
// (maj,min,sub) or later, otherwise returns 0. Each version triple is packed
// into one integer (major in bits 16 and up, minor in bits 8-15, subminor in
// bits 0-7) so that a single comparison orders them.
int TheoraVersion(th_info* info, unsigned char maj, unsigned char min,
                  unsigned char sub) {
  const ogg_uint32_t wanted = (maj << 16) + (min << 8) + sub;
  const ogg_uint32_t actual = (info->version_major << 16) +
                              (info->version_minor << 8) +
                              info->version_subminor;
  return static_cast<int>(actual >= wanted);
}
573 
// Assigns a granulepos to every buffered packet in mUnstamped except the last
// one, whose granulepos is already known and serves as the reference point.
// Does nothing when no packets are buffered.
void TheoraState::ReconstructTheoraGranulepos() {
  // Also protects the `Length() - 1` expressions below from wrapping around.
  if (mUnstamped.Length() == 0) {
    return;
  }
  ogg_int64_t lastGranulepos = mUnstamped[mUnstamped.Length() - 1]->granulepos;
  NS_ASSERTION(lastGranulepos != -1, "Must know last granulepos");

  // Reconstruct the granulepos (and thus timestamps) of the decoded
  // frames. Granulepos are stored as ((keyframe<<shift)+offset). We
  // know the granulepos of the last frame in the list, so we can infer
  // the granulepos of the intermediate frames using their frame numbers.
  ogg_int64_t shift = mTheoraInfo.keyframe_granule_shift;
  ogg_int64_t version_3_2_1 = TheoraVersion(&mTheoraInfo, 3, 2, 1);
  ogg_int64_t lastFrame =
      th_granule_frame(mCtx, lastGranulepos) + version_3_2_1;
  ogg_int64_t firstFrame = lastFrame - mUnstamped.Length() + 1;

  // Until we encounter a keyframe, we'll assume that the "keyframe"
  // segment of the granulepos is the first frame, or if that causes
  // the "offset" segment to overflow, we assume the required
  // keyframe is maximally offset. Until we encounter a keyframe
  // the granulepos will probably be wrong, but we can't decode the
  // frame anyway (since we don't have its keyframe) so it doesn't really
  // matter.
  ogg_int64_t keyframe = lastGranulepos >> shift;

  // The lastFrame, firstFrame, keyframe variables, as well as the frame
  // variable in the loop below, store the frame number for Theora
  // version >= 3.2.1 streams, and store the frame index for Theora
  // version < 3.2.1 streams.
  for (uint32_t i = 0; i < mUnstamped.Length() - 1; ++i) {
    ogg_int64_t frame = firstFrame + i;
    ogg_int64_t granulepos;
    auto& packet = mUnstamped[i];
    bool isKeyframe = th_packet_iskeyframe(packet.get()) == 1;

    if (isKeyframe) {
      granulepos = frame << shift;
      keyframe = frame;
    } else if (frame >= keyframe &&
               frame - keyframe < ((ogg_int64_t)1 << shift)) {
      // (frame - keyframe) won't overflow the "offset" segment of the
      // granulepos, so it's safe to calculate the granulepos.
      granulepos = (keyframe << shift) + (frame - keyframe);
    } else {
      // (frame - keyframe) would overflow the "offset" segment of the
      // granulepos, so we take "keyframe" to be the max possible offset
      // frame instead.
      ogg_int64_t k =
          std::max(frame - (((ogg_int64_t)1 << shift) - 1), version_3_2_1);
      granulepos = (k << shift) + (frame - k);
    }
    // Theora 3.2.1+ granulepos store frame number [1..N], so granulepos
    // should be > 0.
    // Theora 3.2.0 granulepos store the frame index [0..(N-1)], so
    // granulepos should be >= 0.
    NS_ASSERTION(granulepos >= version_3_2_1,
                 "Invalid granulepos for Theora version");

    // Check that the frame's granule number is one more than the
    // previous frame's.
    NS_ASSERTION(
        i == 0 || th_granule_frame(mCtx, granulepos) ==
                      th_granule_frame(mCtx, mUnstamped[i - 1]->granulepos) + 1,
        "Granulepos calculation is incorrect!");

    packet->granulepos = granulepos;
  }

  // Check that the second to last frame's granule number is one less than
  // the last frame's (the known granule number). If not our granulepos
  // recovery missed a beat.
  NS_ASSERTION(mUnstamped.Length() < 2 ||
                   (th_granule_frame(
                        mCtx, mUnstamped[mUnstamped.Length() - 2]->granulepos) +
                    1) == th_granule_frame(mCtx, lastGranulepos),
               "Granulepos recovery should catch up with packet->granulepos!");
}
652 
// Restarts Vorbis synthesis (active streams only), drops buffered headers,
// resets the underlying Ogg stream and clears the granulepos bookkeeping.
// A failed base-class reset returns immediately, before the bookkeeping is
// cleared; a failed synthesis restart is reported after everything else ran.
nsresult VorbisState::Reset() {
  const bool restartFailed =
      mActive && vorbis_synthesis_restart(&mDsp) != 0;

  mHeaders.Erase();
  if (NS_FAILED(OggCodecState::Reset())) {
    return NS_ERROR_FAILURE;
  }

  mGranulepos = 0;
  mPrevVorbisBlockSize = 0;

  return restartFailed ? NS_ERROR_FAILURE : NS_OK;
}
668 
// Creates an active Vorbis stream state. The info and comment structures are
// put into their initial state by libvorbis; the DSP and block structures are
// zero-filled here and only set up later, in Init().
VorbisState::VorbisState(rlbox_sandbox_ogg* aSandbox,
                         tainted_opaque_ogg<ogg_page*> aBosPage,
                         uint32_t aSerial)
    : OggCodecState(aSandbox, aBosPage, aSerial, true),
      mPrevVorbisBlockSize(0),
      mGranulepos(0) {
  MOZ_COUNT_CTOR(VorbisState);
  vorbis_info_init(&mVorbisInfo);
  vorbis_comment_init(&mComment);
  // Zeroed so the clear calls in the destructor see a defined state even when
  // Init() never ran.
  memset(&mDsp, 0, sizeof(vorbis_dsp_state));
  memset(&mBlock, 0, sizeof(vorbis_block));
}
681 
// Resets the stream, then clears the libvorbis block, DSP, info and comment
// structures, in that order.
VorbisState::~VorbisState() {
  MOZ_COUNT_DTOR(VorbisState);
  // Reset() may call vorbis_synthesis_restart on mDsp, so it has to run
  // before mDsp is cleared below.
  Reset();
  vorbis_block_clear(&mBlock);
  vorbis_dsp_clear(&mDsp);
  vorbis_info_clear(&mVorbisInfo);
  vorbis_comment_clear(&mComment);
}
690 
// Feeds one header packet to libvorbis and tracks header progress. Ownership
// of aPacket passes to mHeaders. Returns false when libvorbis reports an
// error or more than three packets have been seen; the caller is expected to
// deactivate the bitstream in that case.
//
// vorbis_synthesis_headerin() does not say when it has read the last header,
// so the count is kept here. There are 3 header packets - Identification,
// Comment and Setup - which must arrive in that order; otherwise the file is
// invalid. The first byte of each packet gives its type:
//    0x1 -> Identification header
//    0x3 -> Comment header
//    0x5 -> Setup header
// For more details of the Vorbis/Ogg containment scheme, see the Vorbis I
// Specification, Chapter 4, Codec Setup and Packet Decode:
// http://www.xiph.org/vorbis/doc/Vorbis_I_spec.html#x1-580004
bool VorbisState::DecodeHeader(OggPacketPtr aPacket) {
  // Keep a raw pointer for use below; the packet itself is owned by mHeaders
  // from here on.
  ogg_packet* header = aPacket.get();
  mHeaders.Append(std::move(aPacket));
  mPacketCount++;

  const int status =
      vorbis_synthesis_headerin(&mVorbisInfo, &mComment, header);

  // The length is checked first so an empty packet's payload is never read.
  const bool looksLikeSetup = header->bytes > 0 && header->packet[0] == 0x5;

  if (status < 0 || mPacketCount > 3) {
    // We've received an error, or the first three packets weren't valid
    // header packets. Assume bad input.
    return false;
  }

  if (status == 0 && looksLikeSetup && mPacketCount == 3) {
    // Successfully read the three header packets.
    // The bitstream remains active.
    mDoneReadingHeaders = true;
  }

  return true;
}
727 
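// Sets up the Vorbis DSP and block state from the parsed headers, saves the
// header packets as codec-specific config for the decoder and fills in the
// audio track info. Returns false for an inactive stream; every later failure
// also deactivates the stream before returning false.
bool VorbisState::Init() {
  if (!mActive) {
    return false;
  }

  int ret = vorbis_synthesis_init(&mDsp, &mVorbisInfo);
  if (ret != 0) {
    NS_WARNING("vorbis_synthesis_init() failed initializing vorbis bitstream");
    return mActive = false;
  }
  ret = vorbis_block_init(&mDsp, &mBlock);
  if (ret != 0) {
    NS_WARNING("vorbis_block_init() failed initializing vorbis bitstream");
    // The stream is known to be active here (checked on entry), so the DSP
    // state initialised just above is always released.
    vorbis_dsp_clear(&mDsp);
    return mActive = false;
  }

  // Save header packets for the decoder. This goes through the same helper
  // TheoraState::Init uses, which also empties mHeaders on success, instead
  // of repeating its body here.
  if (!SetCodecSpecificConfig(mInfo.mCodecSpecificConfig, mHeaders)) {
    return mActive = false;
  }

  mInfo.mMimeType = "audio/vorbis"_ns;
  mInfo.mRate = mVorbisInfo.rate;
  mInfo.mChannels = mVorbisInfo.channels;
  mInfo.mBitDepth = 16;

  return true;
}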
766 
// Converts a granulepos of this stream to microseconds using the stream's
// own vorbis_info. Returns -1 when the stream is inactive.
int64_t VorbisState::Time(int64_t granulepos) {
  return mActive ? VorbisState::Time(&mVorbisInfo, granulepos) : -1;
}
774 
// Converts aGranulepos to microseconds at the sample rate in aInfo.
//
// Returns -1 when aGranulepos is -1 or the rate is zero. Note that an
// overflowing conversion yields 0 here, not -1, so callers cannot tell an
// overflow apart from a genuine timestamp of zero.
int64_t VorbisState::Time(vorbis_info* aInfo, int64_t aGranulepos) {
  if (aGranulepos == -1) {
    return -1;
  }
  // A zero rate would otherwise become a division by zero.
  if (aInfo->rate == 0) {
    return -1;
  }
  const CheckedInt64 usecs = SaferMultDiv(aGranulepos, USECS_PER_S, aInfo->rate);
  if (!usecs.isValid()) {
    return 0;
  }
  return usecs.value();
}
782 
// Returns the duration of aPacket in microseconds, or -1 when it is unknown:
// the stream is inactive, the packet has no granulepos, or no sample count
// was recorded for it.
int64_t VorbisState::PacketDuration(ogg_packet* aPacket) {
  const bool hasGranulepos = mActive && aPacket->granulepos != -1;
  if (!hasGranulepos) {
    return -1;
  }
  // @FIXME store these in a more stable place
  // NOTE(review): the table is keyed by the raw packet address; confirm that
  // entries are dropped when a packet is released, otherwise a reused address
  // could return another packet's sample count.
  const bool seenBefore = mVorbisPacketSamples.count(aPacket) != 0;
  if (!seenBefore) {
    // We haven't seen this packet, don't know its size?
    return -1;
  }

  // The recorded sample count is converted with the granulepos-to-time helper.
  const long sampleCount = mVorbisPacketSamples[aPacket];
  return Time(sampleCount);
}
799 
// Reports whether aPacket is a Vorbis header packet.
//
// Vorbis header packets start with 0x01, 0x03 or 0x05, so the low bit of the
// first byte is set; audio packets have it clear. A packet with that bit set
// is therefore a header packet, though not necessarily a valid one.
// See: http://xiph.org/vorbis/doc/Vorbis_I_spec.html#x1-610004.2.1
bool VorbisState::IsHeader(ogg_packet* aPacket) {
  // An empty packet has no first byte to inspect.
  if (aPacket->bytes <= 0) {
    return false;
  }
  return (aPacket->packet[0] & 0x1) != 0;
}
808 
// Builds a MetadataTags table from the parsed Vorbis comment header.
//
// Each comment is passed to AddVorbisComment together with the length stored
// for it in comment_lengths. The two assertions only fire in debug builds;
// release builds rely on mComment.comments being zero whenever the arrays
// are absent.
UniquePtr<MetadataTags> VorbisState::GetTags() {
  NS_ASSERTION(mComment.user_comments, "no vorbis comment strings!");
  NS_ASSERTION(mComment.comment_lengths, "no vorbis comment lengths!");
  auto tags = MakeUnique<MetadataTags>();
  const int commentCount = mComment.comments;
  for (int idx = 0; idx < commentCount; ++idx) {
    AddVorbisComment(tags, mComment.user_comments[idx],
                     mComment.comment_lengths[idx]);
  }
  return tags;
}
819 
// Feeds one Ogg page of this stream into the sandboxed stream state and
// queues the packets whose granulepos can now be determined.
//
// aPage is an opaque handle into the sandbox. The values returned by the
// sandboxed calls are unwrapped with unverified_safe_because; the reasons are
// the RLBOX_* strings defined elsewhere.
//
// Returns NS_OK when the page was accepted (or the stream is inactive),
// NS_ERROR_FAILURE when ogg_stream_pagein rejects the page, or the failure
// code of PacketOutUntilGranulepos.
nsresult VorbisState::PageIn(tainted_opaque_ogg<ogg_page*> aPage) {
  if (!mActive) {
    return NS_OK;
  }
  NS_ASSERTION((rlbox::sandbox_static_cast<uint32_t>(sandbox_invoke(
                    *mSandbox, ogg_page_serialno, aPage)) == mSerial)
                   .unverified_safe_because(RLBOX_OGG_PAGE_SERIAL_REASON),
               "Page must be for this stream!");
  if (sandbox_invoke(*mSandbox, ogg_stream_pagein, mState, aPage)
          .unverified_safe_because(RLBOX_OGG_STATE_ASSERT_REASON) == -1) {
    return NS_ERROR_FAILURE;
  }

  bool sawGranulepos;
  const nsresult rv = PacketOutUntilGranulepos(sawGranulepos);
  if (NS_FAILED(rv)) {
    return rv;
  }
  if (!sawGranulepos || !mDoneReadingHeaders) {
    // Either no packet with a granulepos has arrived yet, or the headers are
    // still being read; keep buffering.
    return NS_OK;
  }

  // We've found a packet with a granulepos, and we've loaded our metadata
  // and initialized our decoder. Determine granulepos of buffered packets.
  ReconstructVorbisGranulepos();
  const uint32_t pending = mUnstamped.Length();
  for (uint32_t idx = 0; idx != pending; ++idx) {
    // Ownership moves from the unstamped buffer to the output queue.
    OggPacketPtr stamped = std::move(mUnstamped[idx]);
    AssertHasRecordedPacketSamples(stamped.get());
    NS_ASSERTION(!IsHeader(stamped.get()),
                 "Don't try to recover header packet gp");
    NS_ASSERTION(stamped->granulepos != -1, "Packet must have gp by now");
    mPackets.Append(std::move(stamped));
  }
  mUnstamped.Clear();
  return NS_OK;
}
853 
// Assigns a granulepos to every packet buffered in mUnstamped and records the
// predicted sample count of each one via RecordVorbisPacketSamples.
//
// Reads and updates mPrevVorbisBlockSize and mGranulepos. The caller must
// pass a non-empty mUnstamped; that is only asserted, not checked.
//
// NOTE(review): the granulepos values used here originate from the stream,
// and the additions and subtractions on them below are plain int64 arithmetic
// with no overflow check. Confirm that extreme values are rejected earlier.
void VorbisState::ReconstructVorbisGranulepos() {
  // The number of samples in a Vorbis packet is:
  // window_blocksize(previous_packet)/4+window_blocksize(current_packet)/4
  // See: http://xiph.org/vorbis/doc/Vorbis_I_spec.html#x1-230001.3.2
  // So we maintain mPrevVorbisBlockSize, the block size of the last packet
  // encountered. We also maintain mGranulepos, which is the granulepos of
  // the last encountered packet. This enables us to give granulepos to
  // packets when the last packet in mUnstamped doesn't have a granulepos
  // (for example if the stream was truncated).
  //
  // We validate our prediction of the number of samples decoded when
  // VALIDATE_VORBIS_SAMPLE_CALCULATION is defined by recording the predicted
  // number of samples, and verifying we extract that many when decoding
  // each packet.

  NS_ASSERTION(mUnstamped.Length() > 0, "Length must be > 0");
  auto& last = mUnstamped.LastElement();
  NS_ASSERTION(last->e_o_s || last->granulepos >= 0,
               "Must know last granulepos!");
  // Single buffered packet: derive its sample count from the previous block
  // size and, if it carries no granulepos, extrapolate one from mGranulepos.
  if (mUnstamped.Length() == 1) {
    auto& packet = mUnstamped[0];
    long blockSize = vorbis_packet_blocksize(&mVorbisInfo, packet.get());
    if (blockSize < 0) {
      // On failure vorbis_packet_blocksize returns < 0. If we've got
      // a bad packet, we just assume that decode will have to skip this
      // packet, i.e. assume 0 samples are decodable from this packet.
      blockSize = 0;
      mPrevVorbisBlockSize = 0;
    }
    long samples = mPrevVorbisBlockSize / 4 + blockSize / 4;
    mPrevVorbisBlockSize = blockSize;
    if (packet->granulepos == -1) {
      packet->granulepos = mGranulepos + samples;
    }

    // Account for a partial last frame
    if (packet->e_o_s && packet->granulepos >= mGranulepos) {
      samples = packet->granulepos - mGranulepos;
    }

    mGranulepos = packet->granulepos;
    RecordVorbisPacketSamples(packet.get(), samples);
    return;
  }

  // Several buffered packets: walk backwards from the last one, giving each
  // predecessor the granulepos of its successor minus the successor's samples.
  bool unknownGranulepos = last->granulepos == -1;
  // Accumulated as int while the per-packet counts are long.
  int totalSamples = 0;
  for (int32_t i = mUnstamped.Length() - 1; i > 0; i--) {
    auto& packet = mUnstamped[i];
    auto& prev = mUnstamped[i - 1];
    ogg_int64_t granulepos = packet->granulepos;
    NS_ASSERTION(granulepos != -1, "Must know granulepos!");
    long prevBlockSize = vorbis_packet_blocksize(&mVorbisInfo, prev.get());
    long blockSize = vorbis_packet_blocksize(&mVorbisInfo, packet.get());

    if (blockSize < 0 || prevBlockSize < 0) {
      // On failure vorbis_packet_blocksize returns < 0. If we've got
      // a bad packet, we just assume that decode will have to skip this
      // packet, i.e. assume 0 samples are decodable from this packet.
      blockSize = 0;
      prevBlockSize = 0;
    }

    long samples = prevBlockSize / 4 + blockSize / 4;
    totalSamples += samples;
    prev->granulepos = granulepos - samples;
    RecordVorbisPacketSamples(packet.get(), samples);
  }

  // The last packet had no granulepos (-1), so the values computed above are
  // relative to -1. Shift every packet by mGranulepos + totalSamples + 1 to
  // make them follow the last known position.
  if (unknownGranulepos) {
    for (uint32_t i = 0; i < mUnstamped.Length(); i++) {
      mUnstamped[i]->granulepos += mGranulepos + totalSamples + 1;
    }
  }

  // The first packet's sample count depends on the block size carried over
  // from before this batch; with no previous block it is counted as 0.
  auto& first = mUnstamped[0];
  long blockSize = vorbis_packet_blocksize(&mVorbisInfo, first.get());
  if (blockSize < 0) {
    mPrevVorbisBlockSize = 0;
    blockSize = 0;
  }

  long samples = (mPrevVorbisBlockSize == 0)
                     ? 0
                     : mPrevVorbisBlockSize / 4 + blockSize / 4;
  int64_t start = first->granulepos - samples;
  RecordVorbisPacketSamples(first.get(), samples);

  if (last->e_o_s && start < mGranulepos) {
    // We've calculated that there are more samples in this page than its
    // granulepos claims, and it's the last page in the stream. This is legal,
    // and we will need to prune the trailing samples when we come to decode it.
    // We must correct the timestamps so that they follow the last Vorbis page's
    // samples.
    int64_t pruned = mGranulepos - start;
    // Every packet except the last one is shifted; the last keeps the
    // granulepos it arrived with.
    for (uint32_t i = 0; i < mUnstamped.Length() - 1; i++) {
      mUnstamped[i]->granulepos += pruned;
    }
#ifdef VALIDATE_VORBIS_SAMPLE_CALCULATION
    // Only the validation build corrects the recorded sample count.
    mVorbisPacketSamples[last.get()] -= pruned;
#endif
  }

  // Carry the state over to the next call; a failed block size lookup
  // (negative value) is stored as 0.
  mPrevVorbisBlockSize = vorbis_packet_blocksize(&mVorbisInfo, last.get());
  mPrevVorbisBlockSize = std::max(static_cast<long>(0), mPrevVorbisBlockSize);
  mGranulepos = last->granulepos;
}
961 
// Creates the codec state for an Opus stream. No parser or decoder exists
// yet: the parser is created by DecodeHeader and the decoder by Init. Both
// previous-granulepos trackers start at 0.
OpusState::OpusState(rlbox_sandbox_ogg* aSandbox,
                     tainted_opaque_ogg<ogg_page*> aBosPage, uint32_t aSerial)
    : OggCodecState(aSandbox, aBosPage, aSerial, true),
      mParser{nullptr},
      mDecoder{nullptr},
      mPrevPacketGranulepos{0},
      mPrevPageGranulepos{0} {
  MOZ_COUNT_CTOR(OpusState);
}
971 
// Resets the stream state and releases the multistream decoder, if one was
// created by Init.
OpusState::~OpusState() {
  MOZ_COUNT_DTOR(OpusState);
  Reset();

  if (!mDecoder) {
    return;
  }
  opus_multistream_decoder_destroy(mDecoder);
  // Clear the pointer so nothing can reach the destroyed decoder through it.
  mDecoder = nullptr;
}
981 
// Resets the stream without treating the new position as the start of the
// stream; equivalent to Reset(false).
nsresult OpusState::Reset() {
  const bool atStreamStart = false;
  return Reset(atStreamStart);
}
983 
// Resets the Opus decoder state and drops all queued data.
//
// aStart selects the value stored in the previous-granulepos trackers: 0 when
// the stream restarts from its beginning, -1 ("unknown") otherwise. The
// trackers are only touched when the stream is active and a decoder exists.
//
// Returns NS_ERROR_FAILURE when the base class reset fails, NS_OK otherwise.
// The result of the decoder control call is not inspected.
nsresult OpusState::Reset(bool aStart) {
  if (mActive && mDecoder) {
    // Reset the decoder.
    opus_multistream_decoder_ctl(mDecoder, OPUS_RESET_STATE);
    // This lets us distinguish the first page being the last page vs. just
    // not having processed the previous page when we encounter the last page.
    const int initialGranulepos = aStart ? 0 : -1;
    mPrevPageGranulepos = initialGranulepos;
    mPrevPacketGranulepos = initialGranulepos;
  }

  // Clear queued data.
  const nsresult baseResult = OggCodecState::Reset();
  if (NS_FAILED(baseResult)) {
    return NS_ERROR_FAILURE;
  }

  LOG(LogLevel::Debug, ("Opus decoder reset"));

  return NS_OK;
}
1005 
// Creates the Opus multistream decoder from the parsed identification header
// and fills in the audio track description.
//
// mInfo.mCodecSpecificConfig receives the codec delay derived from the
// pre-skip, followed by the bytes of the first buffered header packet.
//
// Returns false when the stream is inactive, when no header packet is
// buffered, or when decoder creation did not report OPUS_OK. The creation
// status is only consulted at the very end, so mInfo is populated and the
// buffered headers are erased even when the decoder could not be created.
//
// NOTE(review): mParser is dereferenced without a null check; presumably
// DecodeHeader has always run on the first packet before this is called.
bool OpusState::Init(void) {
  if (!mActive) {
    return false;
  }

  NS_ASSERTION(mDecoder == nullptr, "leaking OpusDecoder");

  // All decoder parameters come from the parsed header fields in mParser.
  int createStatus;
  mDecoder = opus_multistream_decoder_create(
      mParser->mRate, mParser->mChannels, mParser->mStreams,
      mParser->mCoupledStreams, mParser->mMappingTable, &createStatus);

  mInfo.mMimeType = "audio/opus"_ns;
  mInfo.mRate = mParser->mRate;
  mInfo.mChannels = mParser->mChannels;
  mInfo.mBitDepth = 16;

  // Save preskip & the first header packet for the Opus decoder
  const auto codecDelay = Time(0, mParser->mPreSkip);
  OpusDataDecoder::AppendCodecDelay(mInfo.mCodecSpecificConfig, codecDelay);

  const auto& idHeader = mHeaders.PeekFront();
  if (!idHeader) {
    return false;
  }
  mInfo.mCodecSpecificConfig->AppendElements(idHeader->packet, idHeader->bytes);
  mHeaders.Erase();
  LOG(LogLevel::Debug, ("Opus decoder init"));

  return createStatus == OPUS_OK;
}
1036 
// Handles the next packet of the header sequence, selected by how many
// packets have been seen so far (the counter is incremented on every call).
//
//   packet 0 - identification header: parsed into a fresh OpusParser and
//              kept in mHeaders.
//   packet 1 - metadata header: parsed for tags and not kept.
//   later    - first data packet: marks the headers as complete and puts the
//              packet back at the front of the packet queue.
//
// Returns false when one of the two header packets fails to parse. Each
// parser call receives the packet's own byte count as the length of the
// buffer it may read.
bool OpusState::DecodeHeader(OggPacketPtr aPacket) {
  const auto packetIndex = mPacketCount++;

  if (packetIndex == 0) {
    // Parse the id header.
    mParser = MakeUnique<OpusParser>();
    if (!mParser->DecodeHeader(aPacket->packet, aPacket->bytes)) {
      return false;
    }
    mHeaders.Append(std::move(aPacket));
    return true;
  }

  if (packetIndex == 1) {
    // Parse the metadata header.
    if (!mParser->DecodeTags(aPacket->packet, aPacket->bytes)) {
      return false;
    }
    return true;
  }

  // We made it to the first data packet (which includes reconstructing
  // timestamps for it in PageIn). Success!
  mDoneReadingHeaders = true;
  // Put it back on the queue so we can decode it.
  mPackets.PushFront(std::move(aPacket));
  return true;
}
1065 
/* Build a MetadataTags table from the tag strings collected by the parser.
 * Each entry is handed to AddVorbisComment with its own length.
 * NOTE(review): mParser is dereferenced without a null check; presumably
 * this is only called once the header packets have been parsed. */
UniquePtr<MetadataTags> OpusState::GetTags() {
  auto tags = MakeUnique<MetadataTags>();
  for (const auto& tag : mParser->mTags) {
    AddVorbisComment(tags, tag.Data(), tag.Length());
  }

  return tags;
}
1076 
/* Return the timestamp (in microseconds) equivalent to a granulepos, with
 * the stream's pre-skip subtracted. Returns -1 when the stream is inactive. */
int64_t OpusState::Time(int64_t aGranulepos) {
  return mActive ? Time(mParser->mPreSkip, aGranulepos) : -1;
}
1085 
// Converts aGranulepos, less aPreSkip, to microseconds.
//
// Returns -1 for a negative granulepos or when the conversion overflows. A
// granulepos smaller than the pre-skip is not rejected, so the result can be
// a negative time.
int64_t OpusState::Time(int aPreSkip, int64_t aGranulepos) {
  const bool knownPosition = aGranulepos >= 0;
  if (!knownPosition) {
    return -1;
  }

  // Ogg Opus always runs at a granule rate of 48 kHz.
  const CheckedInt64 usecs =
      SaferMultDiv(aGranulepos - aPreSkip, USECS_PER_S, 48000);
  if (!usecs.isValid()) {
    return -1;
  }
  return usecs.value();
}
1095 
// Reports whether aPacket starts with one of the two Opus header magics.
// Packets shorter than 16 bytes are never headers, which also keeps both
// 8-byte comparisons inside the packet.
bool OpusState::IsHeader(ogg_packet* aPacket) {
  if (aPacket->bytes < 16) {
    return false;
  }
  const bool isIdHeader = memcmp(aPacket->packet, "OpusHead", 8) == 0;
  return isIdHeader || memcmp(aPacket->packet, "OpusTags", 8) == 0;
}
1100 
// Feeds one Ogg page of this stream into the sandboxed stream state and
// queues the packets whose granulepos can now be reconstructed.
//
// aPage is an opaque handle into the sandbox. The values returned by the
// sandboxed calls are unwrapped with unverified_safe_because; the reasons are
// the RLBOX_* strings defined elsewhere.
//
// Returns NS_ERROR_FAILURE when the page is rejected or granulepos
// reconstruction decides the stream must be rejected.
nsresult OpusState::PageIn(tainted_opaque_ogg<ogg_page*> aPage) {
  if (!mActive) {
    return NS_OK;
  }
  NS_ASSERTION((rlbox::sandbox_static_cast<uint32_t>(sandbox_invoke(
                    *mSandbox, ogg_page_serialno, aPage)) == mSerial)
                   .unverified_safe_because(RLBOX_OGG_PAGE_SERIAL_REASON),
               "Page must be for this stream!");
  if (sandbox_invoke(*mSandbox, ogg_stream_pagein, mState, aPage)
          .unverified_safe_because(RLBOX_OGG_STATE_ASSERT_REASON) == -1) {
    return NS_ERROR_FAILURE;
  }

  bool sawGranulepos;
  const nsresult rv = PacketOutUntilGranulepos(sawGranulepos);
  if (NS_FAILED(rv)) {
    return rv;
  }
  // Keep buffering until a granulepos has been seen and both header packets
  // have gone through DecodeHeader.
  if (!sawGranulepos || mPacketCount < 2) {
    return rv;
  }

  if (!ReconstructOpusGranulepos()) {
    return NS_ERROR_FAILURE;
  }

  const uint32_t pending = mUnstamped.Length();
  for (uint32_t idx = 0; idx != pending; ++idx) {
    // Ownership moves from the unstamped buffer to the output queue.
    OggPacketPtr stamped = std::move(mUnstamped[idx]);
    NS_ASSERTION(!IsHeader(stamped.get()), "Don't try to play a header packet");
    NS_ASSERTION(stamped->granulepos != -1, "Packet should have a granulepos");
    mPackets.Append(std::move(stamped));
  }
  mUnstamped.Clear();
  return NS_OK;
}
1131 
// Returns the granule position advance caused by an Opus packet: its frame
// count times the samples per frame at the fixed 48 kHz granule rate. This is
// not the number of decoded samples, which depends on the decoder rate. It
// works for multistream files and needs no decoder instance.
//
// For a packet that libopus cannot parse, the non-positive value returned by
// opus_packet_get_nb_frames is passed through unchanged, so callers must
// treat any result <= 0 as "invalid packet" before using it as a count.
static int GetOpusDeltaGP(ogg_packet* packet) {
  const int frameCount =
      opus_packet_get_nb_frames(packet->packet, packet->bytes);
  if (frameCount <= 0) {
    NS_WARNING("Invalid Opus packet.");
    return frameCount;
  }
  return frameCount * opus_packet_get_samples_per_frame(packet->packet, 48000);
}
1146 
// Returns the duration of aPacket in microseconds, computed from its granule
// position advance at 48 kHz, or -1 when the conversion overflows.
//
// An invalid packet makes GetOpusDeltaGP return a non-positive value, which
// is converted like any other; the result is then zero or negative but not
// necessarily -1.
int64_t OpusState::PacketDuration(ogg_packet* aPacket) {
  const CheckedInt64 usecs =
      SaferMultDiv(GetOpusDeltaGP(aPacket), USECS_PER_S, 48000);
  if (!usecs.isValid()) {
    return -1;
  }
  return usecs.value();
}
1151 
// Assigns a granulepos to every packet buffered in mUnstamped, using the
// granulepos of the last packet and the per-packet advance reported by
// GetOpusDeltaGP.
//
// On an end-of-stream page with a known previous page position, the values
// are computed forwards from mPrevPageGranulepos so that end trimming can be
// applied; otherwise they are computed backwards from the last packet.
//
// Returns false when the stream has to be rejected, which is only done while
// the headers are still being read (!mDoneReadingHeaders). The caller must
// pass a non-empty mUnstamped; that is only asserted, not checked.
bool OpusState::ReconstructOpusGranulepos(void) {
  NS_ASSERTION(mUnstamped.Length() > 0, "Must have unstamped packets");
  NS_ASSERTION(mUnstamped.LastElement()->e_o_s ||
                   mUnstamped.LastElement()->granulepos > 0,
               "Must know last granulepos!");
  int64_t gp;
  // If this is the last page, and we've seen at least one previous page (or
  // this is the first page)...
  if (mUnstamped.LastElement()->e_o_s) {
    auto& last = mUnstamped.LastElement();
    if (mPrevPageGranulepos != -1) {
      // If this file only has one page and the final granule position is
      // smaller than the pre-skip amount, we MUST reject the stream.
      if (!mDoneReadingHeaders && last->granulepos < mParser->mPreSkip)
        return false;
      // Copy the final granulepos now: the loop below can remove the element
      // that `last` refers to, and only this copy is used afterwards.
      int64_t last_gp = last->granulepos;
      gp = mPrevPageGranulepos;
      // Loop through the packets forwards, adding the current packet's
      // duration to the previous granulepos to get the value for the
      // current packet.
      for (uint32_t i = 0; i < mUnstamped.Length() - 1; ++i) {
        auto& packet = mUnstamped[i];
        int offset = GetOpusDeltaGP(packet.get());
        // Check for error (negative offset) and overflow.
        // A packet that fails either check keeps the running gp unchanged.
        if (offset >= 0 && gp <= INT64_MAX - offset) {
          gp += offset;
          if (gp >= last_gp) {
            NS_WARNING("Opus end trimming removed more than a full packet.");
            // We were asked to remove a full packet's worth of data or more.
            // Encoders SHOULD NOT produce streams like this, but we'll handle
            // it for them anyway.
            gp = last_gp;
            // Drop every packet after index i; packet i becomes the new last
            // element, so the loop condition ends the loop after this pass.
            mUnstamped.RemoveLastElements(mUnstamped.Length() - (i + 1));
            packet->e_o_s = 1;
          }
        }
        packet->granulepos = gp;
      }
      mPrevPageGranulepos = last_gp;
      return true;
    } else {
      NS_WARNING("No previous granule position to use for Opus end trimming.");
      // If we don't have a previous granule position, fall through.
      // We simply won't trim any samples from the end.
      // TODO: Are we guaranteed to have seen a previous page if there is one?
    }
  }

  auto& last = mUnstamped.LastElement();
  gp = last->granulepos;
  // Loop through the packets backwards, subtracting the next
  // packet's duration from its granulepos to get the value
  // for the current packet.
  for (uint32_t i = mUnstamped.Length() - 1; i > 0; i--) {
    int offset = GetOpusDeltaGP(mUnstamped[i].get());
    // Check for error (negative offset) and for a result below zero.
    // A packet with a negative offset leaves the running gp unchanged.
    if (offset >= 0) {
      if (offset <= gp) {
        gp -= offset;
      } else {
        // If the granule position of the first data page is smaller than the
        // number of decodable audio samples on that page, then we MUST reject
        // the stream.
        if (!mDoneReadingHeaders) return false;
        // It's too late to reject the stream.
        // If we get here, this almost certainly means the file has screwed-up
        // timestamps somewhere after the first page.
        NS_WARNING("Clamping negative Opus granulepos to zero.");
        gp = 0;
      }
    }
    mUnstamped[i - 1]->granulepos = gp;
  }

  // Check to make sure the first granule position is at least as large as the
  // total number of samples decodable from the first page with completed
  // packets. This requires looking at the duration of the first packet, too.
  // We MUST reject such streams.
  if (!mDoneReadingHeaders && GetOpusDeltaGP(mUnstamped[0].get()) > gp) {
    return false;
  }
  mPrevPageGranulepos = last->granulepos;
  return true;
}
1236 
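// Pops the next queued packet as MediaRawData and, for the final packet of
// the stream, computes how many frames must be discarded from its end.
//
// The discard count is the packet's granule advance minus the advance the
// granulepos values actually allow (end granulepos minus the previous
// packet's granulepos), clamped to the range [0, advance].
//
// Returns nullptr when no packet is queued or the base class produces no
// data.
already_AddRefed<MediaRawData> OpusState::PacketOutAsMediaRawData() {
  ogg_packet* packet = PacketPeek();
  if (!packet) {
    return nullptr;
  }

  uint32_t frames = 0;
  const int64_t endFrame = packet->granulepos;

  if (packet->e_o_s) {
    // GetOpusDeltaGP passes through the non-positive value libopus returns
    // for a packet it cannot parse. Storing a negative value in the unsigned
    // counter would wrap to a huge frame count and from there into
    // mDiscardPadding, so only a positive advance is accepted.
    const int deltaGp = GetOpusDeltaGP(packet);
    if (deltaGp > 0) {
      frames = static_cast<uint32_t>(deltaGp);
    }
  }

  RefPtr<MediaRawData> data = OggCodecState::PacketOutAsMediaRawData();
  if (!data) {
    return nullptr;
  }

  if (data->mEOS && mPrevPacketGranulepos != -1) {
    // If this is the last packet, perform end trimming.
    // NOTE(review): endFrame - startFrame is unchecked int64 arithmetic on
    // values derived from the stream; confirm extremes are rejected earlier.
    int64_t startFrame = mPrevPacketGranulepos;
    frames -= std::max<int64_t>(
        0, std::min(endFrame - startFrame, static_cast<int64_t>(frames)));
    data->mDiscardPadding = frames;
  }

  // Save this packet's granule position in case we need to perform end
  // trimming on the next packet.
  mPrevPacketGranulepos = endFrame;

  return data.forget();
}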
1269 
// Creates the codec state for an Ogg-encapsulated FLAC stream. All arguments
// are forwarded to the OggCodecState base class; the FLAC parser member needs
// no explicit initialization here.
FlacState::FlacState(rlbox_sandbox_ogg* aSandbox,
                     tainted_opaque_ogg<ogg_page*> aBosPage, uint32_t aSerial)
    : OggCodecState(aSandbox, aBosPage, aSerial, true) {
}
1273 
// Passes one header packet to the FLAC parser, giving it the packet's own
// byte count as the buffer length. Once the parser reports that it has the
// full metadata, header reading is marked as finished.
//
// Returns false when the parser rejects the block.
bool FlacState::DecodeHeader(OggPacketPtr aPacket) {
  const auto parsed = mParser.DecodeHeaderBlock(aPacket->packet, aPacket->bytes);
  if (parsed.isErr()) {
    return false;
  }
  mDoneReadingHeaders = mDoneReadingHeaders || mParser.HasFullMetadata();
  return true;
}
1283 
// Converts granulepos to microseconds at the sample rate in the parsed stream
// info. Returns -1 when the stream info is not valid or the conversion
// overflows. A negative granulepos is not rejected here.
//
// NOTE(review): this relies on IsValid() implying a non-zero mRate; confirm
// against the TrackInfo implementation.
int64_t FlacState::Time(int64_t granulepos) {
  if (!mParser.mInfo.IsValid()) {
    return -1;
  }
  const CheckedInt64 usecs =
      SaferMultDiv(granulepos, USECS_PER_S, mParser.mInfo.mRate);
  return usecs.isValid() ? usecs.value() : -1;
}
1294 
// Returns whatever the FLAC parser reports as the block duration of aPacket.
// The parser gets the packet's own byte count as the buffer length. Other
// code in this file treats a negative block duration as an error.
int64_t FlacState::PacketDuration(ogg_packet* aPacket) {
  const auto* payload = aPacket->packet;
  const auto payloadLen = aPacket->bytes;
  return mParser.BlockDuration(payload, payloadLen);
}
1298 
// Reports whether the FLAC parser classifies aPacket as a header block. A
// parser error is treated as "not a header".
bool FlacState::IsHeader(ogg_packet* aPacket) {
  auto verdict = mParser.IsHeaderBlock(aPacket->packet, aPacket->bytes);
  if (verdict.isErr()) {
    return false;
  }
  return verdict.unwrap();
}
1303 
// Feeds one Ogg page of this stream into the sandboxed stream state and
// queues the packets whose granulepos can now be determined.
//
// aPage is an opaque handle into the sandbox. The values returned by the
// sandboxed calls are unwrapped with unverified_safe_because; the reasons are
// the RLBOX_* strings defined elsewhere.
//
// Returns NS_OK when the page was accepted (or the stream is inactive),
// NS_ERROR_FAILURE when ogg_stream_pagein rejects the page, or the failure
// code of PacketOutUntilGranulepos.
nsresult FlacState::PageIn(tainted_opaque_ogg<ogg_page*> aPage) {
  if (!mActive) {
    return NS_OK;
  }
  NS_ASSERTION((rlbox::sandbox_static_cast<uint32_t>(sandbox_invoke(
                    *mSandbox, ogg_page_serialno, aPage)) == mSerial)
                   .unverified_safe_because(RLBOX_OGG_PAGE_SERIAL_REASON),
               "Page must be for this stream!");
  if (sandbox_invoke(*mSandbox, ogg_stream_pagein, mState, aPage)
          .unverified_safe_because(RLBOX_OGG_STATE_ASSERT_REASON) == -1) {
    return NS_ERROR_FAILURE;
  }

  bool sawGranulepos;
  const nsresult rv = PacketOutUntilGranulepos(sawGranulepos);
  if (NS_FAILED(rv)) {
    return rv;
  }
  if (!sawGranulepos || !mDoneReadingHeaders) {
    // Either no packet with a granulepos has arrived yet, or the headers are
    // still being read; keep buffering.
    return NS_OK;
  }

  // We've found a packet with a granulepos, and we've loaded our metadata
  // and initialized our decoder. Determine granulepos of buffered packets.
  // The result is not checked: ReconstructFlacGranulepos only returns false
  // while the headers are unread, which the guard above has excluded.
  ReconstructFlacGranulepos();
  const uint32_t pending = mUnstamped.Length();
  for (uint32_t idx = 0; idx != pending; ++idx) {
    // Ownership moves from the unstamped buffer to the output queue.
    OggPacketPtr stamped = std::move(mUnstamped[idx]);
    NS_ASSERTION(!IsHeader(stamped.get()),
                 "Don't try to recover header packet gp");
    NS_ASSERTION(stamped->granulepos != -1, "Packet must have gp by now");
    mPackets.Append(std::move(stamped));
  }
  mUnstamped.Clear();
  return NS_OK;
}
1336 
// Returns the tag metadata collected by the FLAC parser; the table is built
// by the parser itself.
UniquePtr<MetadataTags> FlacState::GetTags() {
  return mParser.GetTags();
}
1339 
// Returns a pointer to the track info stored inside the parser member. The
// pointer is non-owning and is only valid while this FlacState exists.
const TrackInfo* FlacState::GetInfo() const {
  const auto& parsedInfo = mParser.mInfo;
  return &parsedInfo;
}
1341 
// Assigns a granulepos to every packet buffered in mUnstamped by walking
// backwards from the last packet and subtracting each packet's block
// duration.
//
// Returns false when a duration exceeds the remaining granulepos while the
// headers are still unread, which means the stream must be rejected. After
// the headers are read the value is clamped to zero instead. The caller must
// pass a non-empty mUnstamped; that is only asserted, not checked.
//
// NOTE(review): the block duration is stored in an int although
// PacketDuration returns the same parser call as int64_t; confirm that the
// parser's return type makes this narrowing harmless.
bool FlacState::ReconstructFlacGranulepos(void) {
  NS_ASSERTION(mUnstamped.Length() > 0, "Must have unstamped packets");
  auto& newest = mUnstamped.LastElement();
  NS_ASSERTION(newest->e_o_s || newest->granulepos > 0,
               "Must know last granulepos!");

  int64_t runningGp = newest->granulepos;
  // Walk from the last packet towards the first: the granulepos of packet
  // idx - 1 is that of packet idx minus the duration of packet idx.
  for (uint32_t idx = mUnstamped.Length() - 1; idx > 0; --idx) {
    const auto& current = mUnstamped[idx];
    const int duration = mParser.BlockDuration(current->packet, current->bytes);
    // A negative duration signals a parser error; such a packet leaves the
    // running value unchanged.
    if (duration >= 0) {
      if (duration > runningGp) {
        // If the granule position of the first data page is smaller than the
        // number of decodable audio samples on that page, then we MUST reject
        // the stream.
        if (!mDoneReadingHeaders) {
          return false;
        }
        // It's too late to reject the stream.
        // If we get here, this almost certainly means the file has screwed-up
        // timestamps somewhere after the first page.
        NS_WARNING("Clamping negative granulepos to zero.");
        runningGp = 0;
      } else {
        runningGp -= duration;
      }
    }
    mUnstamped[idx - 1]->granulepos = runningGp;
  }

  return true;
}
1379 
// Creates the state for an Ogg Skeleton track. Version, presentation time and
// file length start at zero until a header packet has been decoded.
SkeletonState::SkeletonState(rlbox_sandbox_ogg* aSandbox,
                             tainted_opaque_ogg<ogg_page*> aBosPage,
                             uint32_t aSerial)
    : OggCodecState(aSandbox, aBosPage, aSerial, true),
      mVersion{0},
      mPresentationTime{0},
      mLength{0} {
  MOZ_COUNT_CTOR(SkeletonState);
}
1389 
// Nothing to release explicitly; only the leak-checking counter is updated.
SkeletonState::~SkeletonState() {
  MOZ_COUNT_DTOR(SkeletonState);
}
1391 
// Ogg Skeleton 4.0 support. The format is specified at:
// http://wiki.xiph.org/Ogg_Skeleton_4
//
// The offsets below are added directly to the start of packet data taken from
// the stream, so every read at one of them has to be preceded by a length
// check against the matching minimum-length constant.

// Smallest valid Skeleton header packet, in bytes: any version, then 4.0.
static constexpr long SKELETON_MIN_HEADER_LEN = 28;
static constexpr long SKELETON_4_0_MIN_HEADER_LEN = 80;

// Smallest valid Skeleton 4.0 index packet, in bytes. Equal to
// INDEX_KEYPOINT_OFFSET: an index with no keypoints is just the fixed fields.
static constexpr long SKELETON_4_0_MIN_INDEX_LEN = 42;

// Smallest valid Skeleton 3.0/4.0 Fisbone packet, in bytes.
static constexpr long SKELETON_MIN_FISBONE_LEN = 52;

// Smallest possible encoding of one compressed index keypoint, in bytes.
static constexpr size_t MIN_KEY_POINT_SIZE = 2;

// Where the major and minor version numbers sit in the Ogg Skeleton 4.0
// header packet.
static constexpr size_t SKELETON_VERSION_MAJOR_OFFSET = 8;
static constexpr size_t SKELETON_VERSION_MINOR_OFFSET = 10;

// Where the presentation time numerator and denominator sit in the header.
static constexpr size_t SKELETON_PRESENTATION_TIME_NUMERATOR_OFFSET = 12;
static constexpr size_t SKELETON_PRESENTATION_TIME_DENOMINATOR_OFFSET = 20;

// Where the length-of-file field sits in the Skeleton 4.0 header packet.
static constexpr size_t SKELETON_FILE_LENGTH_OFFSET = 64;

// Field positions inside a Skeleton index packet. The keypoint data starts at
// INDEX_KEYPOINT_OFFSET.
static constexpr size_t INDEX_SERIALNO_OFFSET = 6;
static constexpr size_t INDEX_NUM_KEYPOINTS_OFFSET = 10;
static constexpr size_t INDEX_TIME_DENOM_OFFSET = 18;
static constexpr size_t INDEX_FIRST_NUMER_OFFSET = 26;
static constexpr size_t INDEX_LAST_NUMER_OFFSET = 34;
static constexpr size_t INDEX_KEYPOINT_OFFSET = 42;

// Field positions inside a Skeleton Fisbone packet.
static constexpr size_t FISBONE_MSG_FIELDS_OFFSET = 8;
static constexpr size_t FISBONE_SERIALNO_OFFSET = 12;
1431 
// Reports whether aPacket is a Skeleton beginning-of-stream header: at least
// SKELETON_MIN_HEADER_LEN bytes long and starting with "fishead" plus its
// terminating NUL (8 bytes). The length is tested first so the comparison
// never reads past the packet.
static bool IsSkeletonBOS(ogg_packet* aPacket) {
  static_assert(SKELETON_MIN_HEADER_LEN >= 8,
                "Minimum length of skeleton BOS header incorrect");
  if (aPacket->bytes < SKELETON_MIN_HEADER_LEN) {
    return false;
  }
  const char* payload = reinterpret_cast<char*>(aPacket->packet);
  return memcmp(payload, "fishead", 8) == 0;
}
1438 
// Reports whether aPacket is a Skeleton index packet: at least
// SKELETON_4_0_MIN_INDEX_LEN bytes long and starting with the 5 bytes
// "index". The length is tested first so the comparison never reads past the
// packet.
static bool IsSkeletonIndex(ogg_packet* aPacket) {
  static_assert(SKELETON_4_0_MIN_INDEX_LEN >= 5,
                "Minimum length of skeleton index header incorrect");
  if (aPacket->bytes < SKELETON_4_0_MIN_INDEX_LEN) {
    return false;
  }
  const char* payload = reinterpret_cast<char*>(aPacket->packet);
  return memcmp(payload, "index", 5) == 0;
}
1445 
// Reports whether aPacket is a Skeleton Fisbone packet: at least
// SKELETON_MIN_FISBONE_LEN bytes long and starting with "fisbone" plus its
// terminating NUL (8 bytes). The length is tested first so the comparison
// never reads past the packet.
static bool IsSkeletonFisbone(ogg_packet* aPacket) {
  static_assert(SKELETON_MIN_FISBONE_LEN >= 8,
                "Minimum length of skeleton fisbone header incorrect");
  if (aPacket->bytes < SKELETON_MIN_FISBONE_LEN) {
    return false;
  }
  const char* payload = reinterpret_cast<char*>(aPacket->packet);
  return memcmp(payload, "fisbone", 8) == 0;
}
1452 
// Decodes a variable length integer starting at p into n and returns a
// pointer to the byte after the last one consumed.
//
// Each byte contributes its low 7 bits, least significant group first; a byte
// with the high bit set ends the integer. Decoding also stops, without any
// error indication, when aLimit is reached or after 9 bytes. A truncated or
// over-long encoding therefore yields a partial value, and the caller has to
// detect that from the returned pointer (for example by comparing it with
// aLimit). n is set to 0 when no byte could be read.
static const unsigned char* ReadVariableLengthInt(const unsigned char* p,
                                                  const unsigned char* aLimit,
                                                  int64_t& n) {
  n = 0;
  const unsigned char* cursor = p;
  // Nine groups of 7 bits (shifts 0..56) keep every shifted group inside the
  // non-negative range of int64_t.
  for (int shift = 0; cursor < aLimit && shift < 57; shift += 7) {
    const int64_t byte = static_cast<int64_t>(*cursor);
    ++cursor;
    n |= ((byte & 0x7f) << shift);
    if ((byte & 0x80) == 0x80) {
      // Terminator byte: the integer is complete.
      break;
    }
  }
  return cursor;
}
1469 
DecodeIndex(ogg_packet * aPacket)1470 bool SkeletonState::DecodeIndex(ogg_packet* aPacket) {
1471   NS_ASSERTION(aPacket->bytes >= SKELETON_4_0_MIN_INDEX_LEN,
1472                "Index must be at least minimum size");
1473   if (!mActive) {
1474     return false;
1475   }
1476 
1477   uint32_t serialno =
1478       LittleEndian::readUint32(aPacket->packet + INDEX_SERIALNO_OFFSET);
1479   int64_t numKeyPoints =
1480       LittleEndian::readInt64(aPacket->packet + INDEX_NUM_KEYPOINTS_OFFSET);
1481 
1482   int64_t endTime = 0, startTime = 0;
1483   const unsigned char* p = aPacket->packet;
1484 
1485   int64_t timeDenom =
1486       LittleEndian::readInt64(aPacket->packet + INDEX_TIME_DENOM_OFFSET);
1487   if (timeDenom == 0) {
1488     LOG(LogLevel::Debug, ("Ogg Skeleton Index packet for stream %u has 0 "
1489                           "timestamp denominator.",
1490                           serialno));
1491     return (mActive = false);
1492   }
1493 
1494   // Extract the start time.
1495   int64_t timeRawInt = LittleEndian::readInt64(p + INDEX_FIRST_NUMER_OFFSET);
1496   CheckedInt64 t = SaferMultDiv(timeRawInt, USECS_PER_S, timeDenom);
1497   if (!t.isValid()) {
1498     return (mActive = false);
1499   } else {
1500     startTime = t.value();
1501   }
1502 
1503   // Extract the end time.
1504   timeRawInt = LittleEndian::readInt64(p + INDEX_LAST_NUMER_OFFSET);
1505   t = SaferMultDiv(timeRawInt, USECS_PER_S, timeDenom);
1506   if (!t.isValid()) {
1507     return (mActive = false);
1508   } else {
1509     endTime = t.value();
1510   }
1511 
1512   // Check the numKeyPoints value read, ensure we're not going to run out of
1513   // memory while trying to decode the index packet.
1514   CheckedInt64 minPacketSize =
1515       (CheckedInt64(numKeyPoints) * MIN_KEY_POINT_SIZE) + INDEX_KEYPOINT_OFFSET;
1516   if (!minPacketSize.isValid()) {
1517     return (mActive = false);
1518   }
1519 
1520   int64_t sizeofIndex = aPacket->bytes - INDEX_KEYPOINT_OFFSET;
1521   int64_t maxNumKeyPoints = sizeofIndex / MIN_KEY_POINT_SIZE;
1522   if (aPacket->bytes < minPacketSize.value() ||
1523       numKeyPoints > maxNumKeyPoints || numKeyPoints < 0) {
1524     // Packet size is less than the theoretical minimum size, or the packet is
1525     // claiming to store more keypoints than it's capable of storing. This means
1526     // that the numKeyPoints field is too large or small for the packet to
1527     // possibly contain as many packets as it claims to, so the numKeyPoints
1528     // field is possibly malicious. Don't try decoding this index, we may run
1529     // out of memory.
1530     LOG(LogLevel::Debug, ("Possibly malicious number of key points reported "
1531                           "(%" PRId64 ") in index packet for stream %u.",
1532                           numKeyPoints, serialno));
1533     return (mActive = false);
1534   }
1535 
1536   UniquePtr<nsKeyFrameIndex> keyPoints(new nsKeyFrameIndex(startTime, endTime));
1537 
1538   p = aPacket->packet + INDEX_KEYPOINT_OFFSET;
1539   const unsigned char* limit = aPacket->packet + aPacket->bytes;
1540   int64_t numKeyPointsRead = 0;
1541   CheckedInt64 offset = 0;
1542   CheckedInt64 time = 0;
1543   while (p < limit && numKeyPointsRead < numKeyPoints) {
1544     int64_t delta = 0;
1545     p = ReadVariableLengthInt(p, limit, delta);
1546     offset += delta;
1547     if (p == limit || !offset.isValid() || offset.value() > mLength ||
1548         offset.value() < 0) {
1549       return (mActive = false);
1550     }
1551     p = ReadVariableLengthInt(p, limit, delta);
1552     time += delta;
1553     if (!time.isValid() || time.value() > endTime || time.value() < startTime) {
1554       return (mActive = false);
1555     }
1556     CheckedInt64 timeUsecs = SaferMultDiv(time.value(), USECS_PER_S, timeDenom);
1557     if (!timeUsecs.isValid()) {
1558       return (mActive = false);
1559     }
1560     keyPoints->Add(offset.value(), timeUsecs.value());
1561     numKeyPointsRead++;
1562   }
1563 
1564   int32_t keyPointsRead = keyPoints->Length();
1565   if (keyPointsRead > 0) {
1566     mIndex.InsertOrUpdate(serialno, std::move(keyPoints));
1567   }
1568 
1569   LOG(LogLevel::Debug, ("Loaded %d keypoints for Skeleton on stream %u",
1570                         keyPointsRead, serialno));
1571   return true;
1572 }
1573 
// Finds the key point to seek to on a single track for a target time.
//
// Looks up the key frame index stored under aSerialno and binary-searches it
// for aTarget. Returns NS_ERROR_FAILURE when the track has no index, when the
// index is empty, or when aTarget falls outside the index's
// [mStartTime, mEndTime] range. On success the chosen key point is copied
// into aResult and NS_OK is returned.
//
// The index entries were built by DecodeIndex() from the stream's Skeleton
// index packet, i.e. from media-file data.
// NOTE(review): the search assumes key point times are non-decreasing;
// confirm DecodeIndex() guarantees that ordering.
nsresult SkeletonState::IndexedSeekTargetForTrack(uint32_t aSerialno,
                                                  int64_t aTarget,
                                                  nsKeyPoint& aResult) {
  nsKeyFrameIndex* trackIndex = nullptr;
  mIndex.Get(aSerialno, &trackIndex);

  if (!trackIndex || trackIndex->Length() == 0) {
    return NS_ERROR_FAILURE;
  }
  if (aTarget < trackIndex->mStartTime || aTarget > trackIndex->mEndTime) {
    return NS_ERROR_FAILURE;
  }

  // Upper-biased bisection: the probe rounds up so that `lo = probe` always
  // makes progress. The loop narrows to the last entry whose time is not
  // after aTarget, and stops early on an exact match.
  int lo = 0;
  int hi = trackIndex->Length() - 1;
  while (hi > lo) {
    const int probe = lo + ((hi - lo + 1) >> 1);
    const auto probeTime = trackIndex->Get(probe).mTime;
    if (probeTime > aTarget) {
      hi = probe - 1;
      continue;
    }
    lo = probe;
    if (probeTime == aTarget) {
      break;
    }
  }

  // If every entry is later than aTarget the search ends on entry 0, which is
  // returned as-is; the assertion below flags that case in debug builds.
  aResult = trackIndex->Get(lo);
  NS_ASSERTION(aResult.mTime <= aTarget, "Result should have time <= target");
  return NS_OK;
}
1604 
// Picks one seek position that works for every requested track.
//
// For each serial in aTracks the per-track key point for aTarget is looked
// up; the key point with the lowest byte offset wins, so that decoding
// forwards from it passes a key frame on every track before reaching aTarget.
// Tracks whose lookup fails are skipped. Returns NS_ERROR_FAILURE when the
// skeleton is inactive, older than version 4.0, or no track produced a key
// point; otherwise writes the winner to aResult and returns NS_OK.
nsresult SkeletonState::IndexedSeekTarget(int64_t aTarget,
                                          nsTArray<uint32_t>& aTracks,
                                          nsSeekTarget& aResult) {
  const bool indexUsable = mActive && mVersion >= SKELETON_VERSION(4, 0);
  if (!indexUsable) {
    return NS_ERROR_FAILURE;
  }

  // presumably a default-constructed nsSeekTarget carries a maximal offset,
  // so the first successful lookup always replaces it — confirm against the
  // nsSeekTarget/nsKeyPoint definitions.
  nsSeekTarget best;
  for (const uint32_t serial : aTracks) {
    nsKeyPoint candidate;
    if (NS_FAILED(IndexedSeekTargetForTrack(serial, aTarget, candidate))) {
      continue;
    }
    if (candidate.mOffset < best.mKeyPoint.mOffset) {
      best.mKeyPoint = candidate;
      best.mSerial = serial;
    }
  }

  if (best.IsNull()) {
    return NS_ERROR_FAILURE;
  }

  LOG(LogLevel::Debug,
      ("Indexed seek target for time %" PRId64 " is offset %" PRId64, aTarget,
       best.mKeyPoint.mOffset));
  aResult = best;
  return NS_OK;
}
1633 
// Computes the duration spanned by the indexes of the given tracks.
//
// The duration is the latest mEndTime minus the earliest mStartTime across
// all of aTracks. Returns NS_ERROR_FAILURE when the skeleton is inactive,
// older than version 4.0, has no index, aTracks is empty, any requested
// track lacks an index, or the subtraction overflows (aDuration is set to 0
// in the overflow case). aDuration is left untouched on the earlier failures.
nsresult SkeletonState::GetDuration(const nsTArray<uint32_t>& aTracks,
                                    int64_t& aDuration) {
  const bool usable = mActive && mVersion >= SKELETON_VERSION(4, 0) &&
                      HasIndex() && aTracks.Length() != 0;
  if (!usable) {
    return NS_ERROR_FAILURE;
  }

  // Start from the extreme values so the first track always replaces them.
  int64_t startTime = INT64_MAX;
  int64_t endTime = INT64_MIN;
  for (const uint32_t serial : aTracks) {
    nsKeyFrameIndex* trackIndex = nullptr;
    mIndex.Get(serial, &trackIndex);
    if (!trackIndex) {
      // One of the required tracks has no timestamps; give up.
      return NS_ERROR_FAILURE;
    }
    endTime = std::max<int64_t>(endTime, trackIndex->mEndTime);
    startTime = std::min<int64_t>(startTime, trackIndex->mStartTime);
  }
  NS_ASSERTION(endTime > startTime, "Duration must be positive");

  // The start and end times were derived from stream data in DecodeIndex(),
  // so the difference is computed with overflow checking.
  const CheckedInt64 duration = CheckedInt64(endTime) - startTime;
  if (!duration.isValid()) {
    aDuration = 0;
    return NS_ERROR_FAILURE;
  }
  aDuration = duration.value();
  return NS_OK;
}
1661 
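// Parses a Skeleton "fisbone" packet and stores its message header fields
// under the serial number of the stream the packet describes.
//
// The packet body is media-file data, so every offset it declares is checked
// against aPacket->bytes before it is used.
//
// The message header area is scanned line by line (lines end in CRLF). A line
// is accepted only when it starts with one of the known field names, when
// "Content-Type:" has been seen first, and when its encoding is valid
// (US-ASCII for Content-Type, UTF-8 for the rest). Lines that match no known
// name, or that fail the encoding check, are skipped. For a repeated field
// the first value is kept. Bytes after the last CRLF are ignored.
//
// Returns false when the packet is too short, when the declared field offset
// points past the end of the packet, when a known field appears before
// "Content-Type:", or when fields for this serial number were already stored.
// Returns true once the parsed fields have been inserted into mMsgFieldStore.
bool SkeletonState::DecodeFisbone(ogg_packet* aPacket) {
  if (aPacket->bytes < static_cast<long>(FISBONE_MSG_FIELDS_OFFSET + 4)) {
    return false;
  }
  uint32_t offsetMsgField =
      LittleEndian::readUint32(aPacket->packet + FISBONE_MSG_FIELDS_OFFSET);

  if (aPacket->bytes < static_cast<long>(FISBONE_SERIALNO_OFFSET + 4)) {
    return false;
  }
  uint32_t serialno =
      LittleEndian::readUint32(aPacket->packet + FISBONE_SERIALNO_OFFSET);

  // offsetMsgField is attacker-influenced: add it with overflow checking and
  // reject a start position beyond the end of the packet.
  CheckedUint32 checked_fields_pos =
      CheckedUint32(FISBONE_MSG_FIELDS_OFFSET) + offsetMsgField;
  if (!checked_fields_pos.isValid() ||
      aPacket->bytes < static_cast<int64_t>(checked_fields_pos.value())) {
    return false;
  }
  int64_t msgLength = aPacket->bytes - checked_fields_pos.value();
  char* msgProbe =
      reinterpret_cast<char*>(aPacket->packet) + checked_fields_pos.value();
  char* msgHead = msgProbe;
  auto field = MakeUnique<MessageField>();

  // Index 0 must stay "Content-Type:"; the loop below relies on that.
  const static FieldPatternType kFieldTypeMaps[] = {
      {"Content-Type:", eContentType},
      {"Role:", eRole},
      {"Name:", eName},
      {"Language:", eLanguage},
      {"Title:", eTitle},
      {"Display-hint:", eDisplayHint},
      {"Altitude:", eAltitude},
      {"TrackOrder:", eTrackOrder},
      {"Track dependencies:", eTrackDependencies}};

  bool isContentTypeParsed = false;
  // msgLength > 1 guarantees that both msgProbe[0] and msgProbe[1] are inside
  // the packet when the CRLF test reads them.
  while (msgLength > 1) {
    if (*msgProbe == '\r' && *(msgProbe + 1) == '\n') {
      nsAutoCString strMsg(msgHead, msgProbe - msgHead);
      for (size_t i = 0; i < ArrayLength(kFieldTypeMaps); i++) {
        // The field name must sit at the very start of the line. The value is
        // sliced off at msgHead + nameLen below, which is only right for a
        // match at offset 0; an unanchored search would file a line such as
        // "Title: My Name: x" under Name with a mangled value.
        if (strMsg.Find(kFieldTypeMaps[i].mPatternToRecognize) == 0) {
          // The content of message header fields follows [RFC2822], and the
          // mandatory message field must be encoded in US-ASCII, others
          // must be encoded in UTF-8. "Content-Type" must come first
          // for all of message header fields.
          // See
          // http://svn.annodex.net/standards/draft-pfeiffer-oggskeleton-current.txt.
          if (i != 0 && !isContentTypeParsed) {
            return false;
          }

          if ((i == 0 && IsAscii(strMsg)) || (i != 0 && IsUtf8(strMsg))) {
            EMsgHeaderType eHeaderType = kFieldTypeMaps[i].mMsgHeaderType;
            // The factory only runs when the header type is not stored yet,
            // so a repeated field keeps its first value.
            Unused << field->mValuesStore.LookupOrInsertWith(
                eHeaderType, [i, msgHead, msgProbe]() {
                  // The anchored match above guarantees the line is at least
                  // nameLen bytes long, so this length cannot go negative.
                  uint32_t nameLen =
                      strlen(kFieldTypeMaps[i].mPatternToRecognize);
                  return MakeUnique<nsCString>(msgHead + nameLen,
                                               msgProbe - msgHead - nameLen);
                });
            if (i == 0) {
              isContentTypeParsed = true;
            }
          }
          break;
        }
      }
      // Step over the CRLF and start the next line.
      msgProbe += 2;
      msgLength -= 2;
      msgHead = msgProbe;
      continue;
    }
    msgLength--;
    msgProbe++;
  }

  return mMsgFieldStore.WithEntryHandle(serialno, [&](auto&& entry) {
    if (entry) {
      // mMsgFieldStore has an entry for serialno already.
      return false;
    }
    entry.Insert(std::move(field));
    return true;
  });
}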
1745 
// Consumes one Skeleton header packet.
//
// A "fishead" BOS packet yields the version, presentation time and segment
// length. Index packets are handed to DecodeIndex() once a 4.0+ version has
// been recorded. Fisbone packets are handed to DecodeFisbone(). Any other
// packet is accepted, and an end-of-stream packet marks the headers as
// complete. Returns false for an unsupported version, a BOS packet shorter
// than SKELETON_4_0_MIN_HEADER_LEN, or a failed index/fisbone decode.
bool SkeletonState::DecodeHeader(OggPacketPtr aPacket) {
  ogg_packet* const pkt = aPacket.get();

  if (!IsSkeletonBOS(pkt)) {
    if (IsSkeletonIndex(pkt) && mVersion >= SKELETON_VERSION(4, 0)) {
      return DecodeIndex(pkt);
    }
    if (IsSkeletonFisbone(pkt)) {
      return DecodeFisbone(pkt);
    }
    if (pkt->e_o_s) {
      mDoneReadingHeaders = true;
    }
    return true;
  }

  // NOTE(review): the fixed-offset reads below run before the
  // SKELETON_4_0_MIN_HEADER_LEN check further down; presumably
  // IsSkeletonBOS() already guarantees the packet covers these fields —
  // confirm against its definition.
  const unsigned char* const data = pkt->packet;
  const uint16_t verMajor =
      LittleEndian::readUint16(data + SKELETON_VERSION_MAJOR_OFFSET);
  const uint16_t verMinor =
      LittleEndian::readUint16(data + SKELETON_VERSION_MINOR_OFFSET);

  // The presentation time exists in every Skeleton version, so it is read
  // ahead of the version check. A zero denominator maps to time 0.
  // NOTE(review): the ratio is computed in single-precision float, so large
  // numerators lose precision and the scaled result may not fit
  // mPresentationTime — confirm the member's type and whether a checked
  // integer path (as DecodeIndex() uses) is wanted here.
  const int64_t numer = LittleEndian::readInt64(
      data + SKELETON_PRESENTATION_TIME_NUMERATOR_OFFSET);
  const int64_t denom = LittleEndian::readInt64(
      data + SKELETON_PRESENTATION_TIME_DENOMINATOR_OFFSET);
  if (denom == 0) {
    mPresentationTime = 0;
  } else {
    mPresentationTime =
        (static_cast<float>(numer) / static_cast<float>(denom)) * USECS_PER_S;
  }

  // Only Skeleton 4.x is parsed; the version is recorded even when it is
  // rejected.
  mVersion = SKELETON_VERSION(verMajor, verMinor);
  const bool supported = mVersion >= SKELETON_VERSION(4, 0) &&
                         mVersion < SKELETON_VERSION(5, 0) &&
                         pkt->bytes >= SKELETON_4_0_MIN_HEADER_LEN;
  if (!supported) {
    return false;
  }

  // The segment length is taken from the packet as-is; DecodeIndex() later
  // rejects key point offsets that exceed it.
  mLength = LittleEndian::readInt64(data + SKELETON_FILE_LENGTH_OFFSET);

  LOG(LogLevel::Debug, ("Skeleton segment length: %" PRId64, mLength));

  return true;
}
1791 
1792 #undef LOG
1793 
1794 }  // namespace mozilla
1795