/* vi: set sw=4 ts=4: */
/*
 * Small lzma deflate implementation.
 * Copyright (C) 2006 Aurelien Jacobs <aurel@gnuage.org>
 *
 * Based on LzmaDecode.c from the LZMA SDK 4.22 (http://www.7-zip.org/)
 * Copyright (C) 1999-2005 Igor Pavlov
 *
 * Licensed under GPLv2 or later, see file LICENSE in this source tree.
 */
#include "libbb.h"
#include "bb_archive.h"

/* Debug tracing for the "corrupted data" paths; compiled out by default. */
#if 0
# define dbg(...) bb_error_msg(__VA_ARGS__)
#else
# define dbg(...) ((void)0)
#endif

/* Size/speed knob: with LZMA_FAST the hot range-decoder helpers are forced
 * inline, otherwise the rarely-called ones are. The "Called N times"
 * comments below exist to justify these choices - keep them accurate. */
#if ENABLE_FEATURE_LZMA_FAST
# define speed_inline ALWAYS_INLINE
# define size_inline
#else
# define speed_inline
# define size_inline ALWAYS_INLINE
#endif

/* Range decoder state. The 64 KiB input buffer is not a member: it is
 * allocated immediately after the struct (see rc_init) and addressed via
 * RC_BUFFER, which expands to (rc+1) and therefore requires a variable
 * named `rc` of type rc_t* to be in scope wherever it is used. */
typedef struct {
	int fd;
	uint8_t *ptr;        /* next unread byte in RC_BUFFER */

	/* Was keeping rc on stack in unlzma and separately allocating buffer,
	 * but with "buffer 'attached to' allocated rc" code is smaller: */
	/* uint8_t *buffer; */
#define RC_BUFFER ((uint8_t*)(rc+1))

	uint8_t *buffer_end; /* one past the last byte filled by rc_read */

	/* Had provisions for variable buffer, but we don't need it here */
	/* int buffer_size; */
#define RC_BUFFER_SIZE 0x10000

	uint32_t code;
	uint32_t range;
	uint32_t bound;      /* scratch for rc_is_bit_1 only */
} rc_t;

#define RC_TOP_BITS 24
#define RC_MOVE_BITS 5
#define RC_MODEL_TOTAL_BITS 11

/* Refill the input buffer from rc->fd.
 * Called once in rc_do_normalize().
 * Reads up to RC_BUFFER_SIZE bytes; a short read is fine, only EOF or a
 * read error is fatal. Note that "fatal" means the process dies here, in
 * library code, so a truncated or malicious archive cannot be reported
 * back to the caller (and the partially written output is left behind).
 * TODO: return -1 instead.
 * This will make unlzma delete broken unpacked file on unpack errors. */
static void rc_read(rc_t *rc)
{
	int buffer_size = safe_read(rc->fd, RC_BUFFER, RC_BUFFER_SIZE);
	if (buffer_size <= 0)
		bb_simple_error_msg_and_die("unexpected EOF");
	rc->buffer_end = RC_BUFFER + buffer_size;
	rc->ptr = RC_BUFFER;
}

/* Shift one more input byte into code/range.
 * Called twice, but one callsite is in speed_inline'd rc_is_bit_1() */
static void rc_do_normalize(rc_t *rc)
{
	if (rc->ptr >= rc->buffer_end)
		rc_read(rc);
	rc->range <<= 8;
	rc->code = (rc->code << 8) | *rc->ptr++;
}
/* Normalize only when range has shrunk below 2^RC_TOP_BITS. */
static ALWAYS_INLINE void rc_normalize(rc_t *rc)
{
	if (rc->range < (1 << RC_TOP_BITS)) {
		rc_do_normalize(rc);
	}
}

/* Allocate the decoder plus its attached input buffer and prime it.
 * Called once.
 * Five bytes are shifted into the 32-bit `code`, so the very first stream
 * byte is shifted out and never inspected. NOTE(review): the reference
 * decoder presumably rejects a nonzero first byte; this one silently
 * accepts it - confirm whether that matters for your inputs.
 * Ownership of the returned rc_t is the caller's (see rc_free). */
static ALWAYS_INLINE rc_t* rc_init(int fd) /*, int buffer_size) */
{
	int i;
	rc_t *rc;

	/* xzalloc: ptr == buffer_end == NULL, so the first normalize refills */
	rc = xzalloc(sizeof(*rc) + RC_BUFFER_SIZE);

	rc->fd = fd;
	/* rc->ptr = rc->buffer_end; */

	for (i = 0; i < 5; i++) {
		rc_do_normalize(rc);
	}
	rc->range = 0xffffffff;
	return rc;
}

/* Release an rc_t from rc_init (buffer is part of the same allocation).
 * Called once */
static ALWAYS_INLINE void rc_free(rc_t *rc)
{
	free(rc);
}

/* Decode one bit using adaptive probability *p (11-bit fixed point).
 * Returns 0 or 1 and moves *p toward the decoded value by 1/32.
 * rc_is_bit_1 is called 9 times */
static speed_inline int rc_is_bit_1(rc_t *rc, uint16_t *p)
{
	rc_normalize(rc);
	rc->bound = *p * (rc->range >> RC_MODEL_TOTAL_BITS);
	if (rc->code < rc->bound) {
		rc->range = rc->bound;
		*p += ((1 << RC_MODEL_TOTAL_BITS) - *p) >> RC_MOVE_BITS;
		return 0;
	}
	rc->range -= rc->bound;
	rc->code -= rc->bound;
	*p -= *p >> RC_MOVE_BITS;
	return 1;
}

/* Decode one bit and append it to *symbol (MSB first).
 * Called 4 times in unlzma loop */
static ALWAYS_INLINE int rc_get_bit(rc_t *rc, uint16_t *p, int *symbol)
{
	int ret = rc_is_bit_1(rc, p);
	*symbol = *symbol * 2 + ret;
	return ret;
}

/* Decode one bit with fixed probability 1/2 (no model update).
 * Called once */
static ALWAYS_INLINE int rc_direct_bit(rc_t *rc)
{
	rc_normalize(rc);
	rc->range >>= 1;
	if (rc->code >= rc->range) {
		rc->code -= rc->range;
		return 1;
	}
	return 0;
}

/* Decode a num_levels-bit symbol from the binary tree of probabilities
 * rooted at p[1] (p[0] is unused). Result is in [0, 2^num_levels).
 * Called twice */
static speed_inline void
rc_bit_tree_decode(rc_t *rc, uint16_t *p, int num_levels, int *symbol)
{
	int i = num_levels;

	*symbol = 1;
	while (i--)
		rc_get_bit(rc, p + *symbol, symbol);
	*symbol -= 1 << num_levels;
}


/* On-disk .lzma header (13 bytes, little-endian, no alignment):
 * pos encodes lc/lp/pb (must be < 225), dict_size is the window size,
 * dst_size is the uncompressed size or all-ones for "unknown". */
typedef struct {
	uint8_t pos;
	uint32_t dict_size;
	uint64_t dst_size;
} PACKED lzma_header_t;


/* #defines will force compiler to compute/optimize each one with each usage.
 * Have heart and use enum instead.
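 */
/* Offsets of the probability-model groups inside the p[] array.
 * LZMA_LITERAL works out to 1846 == LZMA_BASE_SIZE, which the allocation
 * in unpack_lzma_stream() depends on (see the num_probs adjustment there). */
enum {
	LZMA_BASE_SIZE = 1846,
	LZMA_LIT_SIZE  = 768,

	LZMA_NUM_POS_BITS_MAX = 4,

	LZMA_LEN_NUM_LOW_BITS  = 3,
	LZMA_LEN_NUM_MID_BITS  = 3,
	LZMA_LEN_NUM_HIGH_BITS = 8,

	LZMA_LEN_CHOICE     = 0,
	LZMA_LEN_CHOICE_2   = (LZMA_LEN_CHOICE + 1),
	LZMA_LEN_LOW        = (LZMA_LEN_CHOICE_2 + 1),
	LZMA_LEN_MID        = (LZMA_LEN_LOW
	                      + (1 << (LZMA_NUM_POS_BITS_MAX + LZMA_LEN_NUM_LOW_BITS))),
	LZMA_LEN_HIGH       = (LZMA_LEN_MID
	                      + (1 << (LZMA_NUM_POS_BITS_MAX + LZMA_LEN_NUM_MID_BITS))),
	LZMA_NUM_LEN_PROBS  = (LZMA_LEN_HIGH + (1 << LZMA_LEN_NUM_HIGH_BITS)),

	LZMA_NUM_STATES     = 12,
	LZMA_NUM_LIT_STATES = 7,

	LZMA_START_POS_MODEL_INDEX = 4,
	LZMA_END_POS_MODEL_INDEX   = 14,
	LZMA_NUM_FULL_DISTANCES    = (1 << (LZMA_END_POS_MODEL_INDEX >> 1)),

	LZMA_NUM_POS_SLOT_BITS = 6,
	LZMA_NUM_LEN_TO_POS_STATES = 4,

	LZMA_NUM_ALIGN_BITS = 4,

	LZMA_MATCH_MIN_LEN  = 2,

	LZMA_IS_MATCH       = 0,
	LZMA_IS_REP         = (LZMA_IS_MATCH + (LZMA_NUM_STATES << LZMA_NUM_POS_BITS_MAX)),
	LZMA_IS_REP_G0      = (LZMA_IS_REP + LZMA_NUM_STATES),
	LZMA_IS_REP_G1      = (LZMA_IS_REP_G0 + LZMA_NUM_STATES),
	LZMA_IS_REP_G2      = (LZMA_IS_REP_G1 + LZMA_NUM_STATES),
	LZMA_IS_REP_0_LONG  = (LZMA_IS_REP_G2 + LZMA_NUM_STATES),
	LZMA_POS_SLOT       = (LZMA_IS_REP_0_LONG
	                      + (LZMA_NUM_STATES << LZMA_NUM_POS_BITS_MAX)),
	LZMA_SPEC_POS       = (LZMA_POS_SLOT
	                      + (LZMA_NUM_LEN_TO_POS_STATES << LZMA_NUM_POS_SLOT_BITS)),
	LZMA_ALIGN          = (LZMA_SPEC_POS
	                      + LZMA_NUM_FULL_DISTANCES - LZMA_END_POS_MODEL_INDEX),
	LZMA_LEN_CODER      = (LZMA_ALIGN + (1 << LZMA_NUM_ALIGN_BITS)),
	LZMA_REP_LEN_CODER  = (LZMA_LEN_CODER + LZMA_NUM_LEN_PROBS),
	LZMA_LITERAL        = (LZMA_REP_LEN_CODER + LZMA_NUM_LEN_PROBS),
};

/*
 * Decode a raw .lzma stream (13-byte header followed by range-coded data)
 * from xstate->src_fd and hand the output to transformer_write().
 *
 * Returns the number of bytes written (DESKTOP builds) or 0 (others) on
 * success, -1 after printing a message on a bad header or corrupted data.
 * The message is printed here on purpose: bbunpack() expects it from us.
 * A truncated input does not come back through this path at all - rc_read()
 * dies with "unexpected EOF" (see its TODO).
 *
 * Everything in the header is untrusted. dict_size sizes the sliding window,
 * but the window buffer is only MIN(dst_size, dict_size) bytes, so every
 * backward reference (match-byte literal, short rep, match copy) must be
 * checked against buffer_size, not just wrapped modulo dict_size.
 */
IF_DESKTOP(long long) int FAST_FUNC
unpack_lzma_stream(transformer_state_t *xstate)
{
	IF_DESKTOP(long long total_written = 0;)
	lzma_header_t header;
	int lc, pb, lp;
	uint32_t pos_state_mask;
	uint32_t literal_pos_mask;
	uint16_t *p;
	rc_t *rc;
	int i;
	uint8_t *buffer;
	uint32_t buffer_size;
	uint8_t previous_byte = 0;
	size_t buffer_pos = 0, global_pos = 0;
	int len = 0;
	int state = 0;
	uint32_t rep0 = 1, rep1 = 1, rep2 = 1, rep3 = 1;

	/* header.pos packs lc (0..8), lp (0..4), pb (0..4): 9*5*5 = 225 values */
	if (full_read(xstate->src_fd, &header, sizeof(header)) != sizeof(header)
	 || header.pos >= (9 * 5 * 5)
	) {
		bb_simple_error_msg("bad lzma header");
		return -1;
	}

	i = header.pos / 9;
	lc = header.pos % 9;
	pb = i / 5;
	lp = i % 5;
	pos_state_mask = (1 << pb) - 1;
	literal_pos_mask = (1 << lp) - 1;

	/* Example values from linux-3.3.4.tar.lzma:
	 * dict_size: 64M, dst_size: 2^64-1
	 */
	header.dict_size = SWAP_LE32(header.dict_size);
	header.dst_size = SWAP_LE64(header.dst_size);

	/* A zero dictionary would make the wrap-around arithmetic below
	 * meaningless; treat it as a one-byte window. */
	if (header.dict_size == 0)
		header.dict_size++;

	/* Window buffer: never larger than the output we expect to produce.
	 * NOTE(review): a hostile header can still request up to 4 GiB here;
	 * xmalloc presumably aborts rather than returning NULL - confirm. */
	buffer_size = MIN(header.dst_size, header.dict_size);
	buffer = xmalloc(buffer_size);

	{
		int num_probs;

		/* lc+lp <= 12, so at most 768<<12 literal probs (~6 MiB) */
		num_probs = LZMA_BASE_SIZE + (LZMA_LIT_SIZE << (lc + lp));
		p = xmalloc(num_probs * sizeof(*p));
		/* LZMA_LITERAL == LZMA_BASE_SIZE, so this is a no-op kept as a
		 * consistency hint between the enum and the allocation above. */
		num_probs += LZMA_LITERAL - LZMA_BASE_SIZE;
		/* all probabilities start at 1/2 */
		for (i = 0; i < num_probs; i++)
			p[i] = (1 << RC_MODEL_TOTAL_BITS) >> 1;
	}

	rc = rc_init(xstate->src_fd); /*, RC_BUFFER_SIZE); */

	while (global_pos + buffer_pos < header.dst_size) {
		int pos_state = (buffer_pos + global_pos) & pos_state_mask;
		uint16_t *prob = p + LZMA_IS_MATCH + (state << LZMA_NUM_POS_BITS_MAX) + pos_state;

		if (!rc_is_bit_1(rc, prob)) {
			/* ---- literal ---- */
			static const char next_state[LZMA_NUM_STATES] =
				{ 0, 0, 0, 0, 1, 2, 3, 4, 5, 6, 4, 5 };
			int mi = 1;

			prob = (p + LZMA_LITERAL
			        + (LZMA_LIT_SIZE * ((((buffer_pos + global_pos) & literal_pos_mask) << lc)
			                            + (previous_byte >> (8 - lc))
			                           )
			          )
			);

			if (state >= LZMA_NUM_LIT_STATES) {
				/* Literal right after a match: the byte at distance rep0
				 * steers the decoding ("matched literal"). */
				int match_byte;
				uint32_t pos;

				pos = buffer_pos - rep0;
				if ((int32_t)pos < 0) {
					pos += header.dict_size;
					/* Same guard as the short-rep and match-copy paths:
					 * when dst_size < dict_size the window is only
					 * buffer_size bytes, so a wrapped distance can point
					 * past the end of the allocation (heap over-read on
					 * crafted input). A well-formed stream never needs the
					 * wrap in that case, so rejecting it loses nothing. */
					if (pos >= buffer_size) {
						dbg("%d pos:%d buffer_size:%d", __LINE__, pos, buffer_size);
						goto bad;
					}
				}
				match_byte = buffer[pos];
				do {
					int bit;

					match_byte <<= 1;
					bit = match_byte & 0x100;
					bit ^= (rc_get_bit(rc, prob + 0x100 + bit + mi, &mi) << 8); /* 0x100 or 0 */
					if (bit)
						break;
				} while (mi < 0x100);
			}
			/* remaining bits are decoded with the plain literal tree */
			while (mi < 0x100) {
				rc_get_bit(rc, prob + mi, &mi);
			}

			state = next_state[state];

			previous_byte = (uint8_t) mi;
#if ENABLE_FEATURE_LZMA_FAST
 one_byte1:
			/* Outer loop condition (global_pos + buffer_pos < dst_size)
			 * keeps buffer_pos < buffer_size here. */
			buffer[buffer_pos++] = previous_byte;
			if (buffer_pos == header.dict_size) {
				/* window full: flush and wrap (only reachable when
				 * buffer_size == dict_size) */
				buffer_pos = 0;
				global_pos += header.dict_size;
				if (transformer_write(xstate, buffer, header.dict_size) != (ssize_t)header.dict_size)
					goto bad;
				IF_DESKTOP(total_written += header.dict_size;)
			}
#else
			/* size-optimized build shares the match-copy store below */
			len = 1;
			goto one_byte2;
#endif
		} else {
			/* ---- match or rep ---- */
			int num_bits;
			int offset;
			uint16_t *prob2;
#define prob_len prob2

			prob2 = p + LZMA_IS_REP + state;
			if (!rc_is_bit_1(rc, prob2)) {
				/* simple match: new distance, push rep history */
				rep3 = rep2;
				rep2 = rep1;
				rep1 = rep0;
				state = state < LZMA_NUM_LIT_STATES ? 0 : 3;
				prob2 = p + LZMA_LEN_CODER;
			} else {
				prob2 += LZMA_IS_REP_G0 - LZMA_IS_REP;
				if (!rc_is_bit_1(rc, prob2)) {
					prob2 = (p + LZMA_IS_REP_0_LONG
					        + (state << LZMA_NUM_POS_BITS_MAX)
					        + pos_state
					);
					if (!rc_is_bit_1(rc, prob2)) {
						/* short rep: one byte from distance rep0 */
#if ENABLE_FEATURE_LZMA_FAST
						uint32_t pos;
						state = state < LZMA_NUM_LIT_STATES ? 9 : 11;
						pos = buffer_pos - rep0;
						if ((int32_t)pos < 0) {
							pos += header.dict_size;
							/* see unzip_bad_lzma_2.zip: */
							if (pos >= buffer_size) {
								dbg("%d pos:%d buffer_size:%d", __LINE__, pos, buffer_size);
								goto bad;
							}
						}
						previous_byte = buffer[pos];
						goto one_byte1;
#else
						state = state < LZMA_NUM_LIT_STATES ? 9 : 11;
						len = 1;
						goto string;
#endif
					}
				} else {
					/* long rep: reuse rep1/rep2/rep3 and rotate it to front */
					uint32_t distance;

					prob2 += LZMA_IS_REP_G1 - LZMA_IS_REP_G0;
					distance = rep1;
					if (rc_is_bit_1(rc, prob2)) {
						prob2 += LZMA_IS_REP_G2 - LZMA_IS_REP_G1;
						distance = rep2;
						if (rc_is_bit_1(rc, prob2)) {
							distance = rep3;
							rep3 = rep2;
						}
						rep2 = rep1;
					}
					rep1 = rep0;
					rep0 = distance;
				}
				state = state < LZMA_NUM_LIT_STATES ? 8 : 11;
				prob2 = p + LZMA_REP_LEN_CODER;
			}

			/* length: low (3 bits), mid (3 bits, +8) or high (8 bits, +16) */
			prob_len = prob2 + LZMA_LEN_CHOICE;
			num_bits = LZMA_LEN_NUM_LOW_BITS;
			if (!rc_is_bit_1(rc, prob_len)) {
				prob_len += LZMA_LEN_LOW - LZMA_LEN_CHOICE
				            + (pos_state << LZMA_LEN_NUM_LOW_BITS);
				offset = 0;
			} else {
				prob_len += LZMA_LEN_CHOICE_2 - LZMA_LEN_CHOICE;
				if (!rc_is_bit_1(rc, prob_len)) {
					prob_len += LZMA_LEN_MID - LZMA_LEN_CHOICE_2
					            + (pos_state << LZMA_LEN_NUM_MID_BITS);
					offset = 1 << LZMA_LEN_NUM_LOW_BITS;
					num_bits += LZMA_LEN_NUM_MID_BITS - LZMA_LEN_NUM_LOW_BITS;
				} else {
					prob_len += LZMA_LEN_HIGH - LZMA_LEN_CHOICE_2;
					offset = ((1 << LZMA_LEN_NUM_LOW_BITS)
					          + (1 << LZMA_LEN_NUM_MID_BITS));
					num_bits += LZMA_LEN_NUM_HIGH_BITS - LZMA_LEN_NUM_LOW_BITS;
				}
			}
			rc_bit_tree_decode(rc, prob_len, num_bits, &len);
			len += offset;

			if (state < 4) {
				/* simple match: decode the new distance into rep0 */
				int pos_slot;
				uint16_t *prob3;

				state += LZMA_NUM_LIT_STATES;
				prob3 = p + LZMA_POS_SLOT +
				       ((len < LZMA_NUM_LEN_TO_POS_STATES ? len :
				         LZMA_NUM_LEN_TO_POS_STATES - 1)
				         << LZMA_NUM_POS_SLOT_BITS);
				rc_bit_tree_decode(rc, prob3,
					LZMA_NUM_POS_SLOT_BITS, &pos_slot);
				rep0 = pos_slot;
				if (pos_slot >= LZMA_START_POS_MODEL_INDEX) {
					int i2, mi2, num_bits2 = (pos_slot >> 1) - 1;
					rep0 = 2 | (pos_slot & 1);
					if (pos_slot < LZMA_END_POS_MODEL_INDEX) {
						rep0 <<= num_bits2;
						prob3 = p + LZMA_SPEC_POS + rep0 - pos_slot - 1;
					} else {
						for (; num_bits2 != LZMA_NUM_ALIGN_BITS; num_bits2--)
							rep0 = (rep0 << 1) | rc_direct_bit(rc);
						rep0 <<= LZMA_NUM_ALIGN_BITS;
						/* Note: (int32_t)rep0 may be < 0 here
						 * (linux-3.3.4.tar.lzma has such a stream).
						 * The range check is therefore done after the
						 * "++rep0 == 0" end-marker test below. */
						prob3 = p + LZMA_ALIGN;
					}
					i2 = 1;
					mi2 = 1;
					while (num_bits2--) {
						if (rc_get_bit(rc, prob3 + mi2, &mi2))
							rep0 |= i2;
						i2 <<= 1;
					}
				}
				rep0++;
				/* rep0 == 0 is the end-of-stream marker; anything with the
				 * top bit set cannot be a distance - the window arithmetic
				 * below relies on rep0 < 2^31. */
				if ((int32_t)rep0 <= 0) {
					if (rep0 == 0)
						break;
					dbg("%d rep0:%d", __LINE__, rep0);
					goto bad;
				}
			}

			len += LZMA_MATCH_MIN_LEN;
			/*
			 * LZMA SDK has this optimized:
			 * it precalculates size and copies many bytes
			 * in a loop with simpler checks, a-la:
			 *	do
			 *		*(dest) = *(dest + ofs);
			 *	while (++dest != lim);
			 * and
			 *	do {
			 *		buffer[buffer_pos++] = buffer[pos];
			 *		if (++pos == header.dict_size)
			 *			pos = 0;
			 *	} while (--cur_len != 0);
			 * Our code is slower (more checks per byte copy):
			 */
			IF_NOT_FEATURE_LZMA_FAST(string:)
			do {
				uint32_t pos = buffer_pos - rep0;
				if ((int32_t)pos < 0) {
					pos += header.dict_size;
					/* A plain "(int32_t)pos < 0" test was not enough (bug
					 * 10436 has an example file); the window may be smaller
					 * than dict_size, so check against the real buffer size
					 * (see unzip_bad_lzma_1.zip): */
					if (pos >= buffer_size)
						goto bad;
				}
				previous_byte = buffer[pos];
				IF_NOT_FEATURE_LZMA_FAST(one_byte2:)
				buffer[buffer_pos++] = previous_byte;
				if (buffer_pos == header.dict_size) {
					buffer_pos = 0;
					global_pos += header.dict_size;
					if (transformer_write(xstate, buffer, header.dict_size) != (ssize_t)header.dict_size)
						goto bad;
					IF_DESKTOP(total_written += header.dict_size;)
				}
				len--;
			} while (len != 0 && buffer_pos < header.dst_size);
			/* The second condition is the write bound for the
			 * dst_size < dict_size case, where buffer_size == dst_size and
			 * global_pos stays 0. Once global_pos > 0 the window is the full
			 * dictionary and the flush-on-wrap above keeps the store in
			 * bounds, so a hostile stream can at most over-produce output
			 * (the outer loop then terminates), never overflow the buffer.
			 * "global_pos + buffer_pos < dst_size" would be the tighter
			 * check; well-formed data never hits either.
			 */
		}
	}

	{
		IF_NOT_DESKTOP(int total_written = 0; /* success */)
		IF_DESKTOP(total_written += buffer_pos;)
		/* flush whatever is left in the window */
		if (transformer_write(xstate, buffer, buffer_pos) != (ssize_t)buffer_pos) {
 bad:
			/* One of our users, bbunpack(), expects _us_ to emit
			 * the error message (since it's the best place to give
			 * potentially more detailed information).
			 * Do not fail silently.
			 */
			bb_simple_error_msg("corrupted data");
			total_written = -1; /* failure */
		}
		rc_free(rc);
		free(p);
		free(buffer);
		return total_written;
	}
}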