Skip to content

Add AVIF plugin (decoder + encoder using libavif) #5201

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 64 commits into from
Apr 1, 2025
Merged

Add AVIF plugin (decoder + encoder using libavif) #5201

Show file tree
Hide file tree
Changes from 2 commits
Commits
Show all changes
64 commits
Select commit Hold shift + click to select a range
3878b58
Add AVIF plugin (using libavif)
fdintino Jan 3, 2021
e2add24
Added type hints (#2)
radarhere Oct 16, 2024
e5494a2
Fix PLAT envvar in cibuildwheel container
fdintino Oct 16, 2024
8b8bbba
Update Tests/check_avif_leaks.py
fdintino Oct 18, 2024
58ef692
Simplified code (#3)
radarhere Oct 19, 2024
d6a0a15
Merge branch 'main' into libavif-plugin
radarhere Nov 8, 2024
50b993a
Set default max threads in Python (#4)
radarhere Nov 11, 2024
671e3c8
Removed unused upsampling setting (#5)
radarhere Nov 12, 2024
658cdf3
Merge branch 'main' into libavif-plugin
radarhere Nov 18, 2024
7225cb9
Merge branch 'main' into libavif-plugin
radarhere Nov 24, 2024
3730bf2
Merge branch 'main' into libavif-plugin
radarhere Nov 30, 2024
c40bcbf
Improved error handling
radarhere Dec 2, 2024
d76ae2f
Do not ignore SyntaxError when saving EXIF data (#8)
radarhere Dec 7, 2024
9ad8311
Allow libavif to install rav1e, except on manylinux2014 and aarch64 (#7)
radarhere Dec 7, 2024
de4c6c1
Removed ld64 flag (#6)
radarhere Dec 7, 2024
524d802
fix: set exif orientation from irot/imir when decoding AVIF
fdintino Dec 9, 2024
7b73d77
Merge branch 'main' into libavif-plugin
radarhere Dec 13, 2024
a56acd8
Removed unittest mock (#10)
radarhere Dec 13, 2024
f5dc957
Use cmds_cmake (#9)
radarhere Dec 13, 2024
8d77678
chore(docs): update quality and speed with correct defaults
fdintino Dec 13, 2024
4eaa6b7
Merge branch 'main' into libavif-plugin
radarhere Dec 14, 2024
bdb24f9
Removed `_avif.HAVE_AVIF` and `_avif.VERSION` (#11)
radarhere Dec 15, 2024
ddc8e7e
Use "rav1e" if available as default ("auto") avif encoder
fdintino Dec 15, 2024
b585f9e
Simplified EXIF code (#12)
radarhere Dec 15, 2024
da2e18d
Revert "Use "rav1e" if available as default ("auto") avif encoder"
fdintino Dec 17, 2024
9b6e575
Merge branch 'main' into libavif-plugin
radarhere Dec 18, 2024
3a9a3ab
Reduced epsilons (#13)
radarhere Dec 24, 2024
9328932
Removed avifEncOptions (#14)
radarhere Jan 3, 2025
be02830
Merge branch 'main' into libavif-plugin
radarhere Jan 3, 2025
4135664
Merge branch 'main' into libavif-plugin
radarhere Jan 4, 2025
29c158d
Merge branch 'main' into libavif-plugin
radarhere Jan 8, 2025
4c63ea6
Fixed series of tuples as advanced argument (#15)
radarhere Jan 15, 2025
ce6bf21
Merge branch 'main' into libavif-plugin
radarhere Jan 17, 2025
4b29af4
Skip building libavif on 32-bit Windows (#16)
radarhere Jan 21, 2025
38f0d10
Merge branch 'main' into libavif-plugin
radarhere Jan 25, 2025
1410d23
Removed qmin and qmax (#17)
radarhere Jan 25, 2025
6cbad27
Merge branch 'main' into libavif-plugin
radarhere Feb 1, 2025
19ba2dd
Use rgb.rowBytes in overflow check (#18)
radarhere Feb 3, 2025
4508f37
Use aom LICENSE instead of PATENTS (#19)
radarhere Feb 3, 2025
7de1212
Merge branch 'main' into libavif-plugin
radarhere Feb 7, 2025
e1509ee
Removed memset and ignoreAlpha (#20)
radarhere Feb 9, 2025
0590f08
Handle avifDecoderCreate and avifEncoderCreate errors (#21)
radarhere Feb 12, 2025
5761b44
Merge branch 'main' into libavif-plugin
radarhere Feb 14, 2025
38b9941
Sort formats alphabetically
radarhere Feb 15, 2025
10dfa63
Simplified code
radarhere Feb 15, 2025
9abfdbc
Merge branch 'main' into libavif-plugin
radarhere Mar 3, 2025
d80ac3c
Use default PyTypeObject values
radarhere Feb 8, 2025
b4eec64
Merge branch 'main' into libavif-plugin
radarhere Mar 17, 2025
d552087
Updated libavif to 1.2.1 (#26)
radarhere Mar 17, 2025
79f7339
Updated wording
radarhere Mar 19, 2025
46f4508
Added version comments
radarhere Mar 19, 2025
9bebf37
Sort alphabetically
radarhere Mar 19, 2025
5da2113
Simplified code
radarhere Mar 19, 2025
0732554
Merge branch 'main' into libavif-plugin
radarhere Mar 21, 2025
9ea5e3d
Remove support for libavif < 1.0.0
radarhere Mar 21, 2025
fca6df2
Added get_codec_version() (#29)
radarhere Mar 21, 2025
024a894
Merge branch 'radarhere-avif_1' into libavif-plugin
fdintino Mar 21, 2025
2ba9356
Update rust (#33)
radarhere Mar 25, 2025
fdc68e6
Merge branch 'main' into libavif-plugin
radarhere Mar 31, 2025
9e63868
Continue to build libyuv on macOS
radarhere Mar 31, 2025
eff2680
Added release notes
radarhere Mar 31, 2025
fb096e1
Derive some avif test images from existing Pillow test images
fdintino Mar 31, 2025
1276543
Updated size
radarhere Mar 31, 2025
c8d0408
Continue to build libyuv on Linux
radarhere Mar 31, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
11 changes: 4 additions & 7 deletions docs/handbook/image-file-formats.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -63,20 +63,17 @@ The :py:meth:`~PIL.Image.Image.save` method supports the following options:

**tile_rows** / **tile_cols**
For tile encoding, the (log 2) number of tile rows and columns to use.
Valid values are 0-6, default 0. Ignored if "autotiling" is set to true in libavif
version **0.11.0** or greater.
Valid values are 0-6, default 0. Ignored if "autotiling" is set to true.

**autotiling**
Split the image up to allow parallelization. Enabled automatically if "tile_rows"
and "tile_cols" both have their default values of zero. Requires libavif version
**0.11.0** or greater.
and "tile_cols" both have their default values of zero.

**alpha_premultiplied**
Encode the image with premultiplied alpha. Defaults to ``False``. Requires libavif
version **0.9.0** or greater.
Encode the image with premultiplied alpha. Defaults to ``False``.

**advanced**
Codec specific options. Requires libavif version **0.8.2** or greater.
Codec specific options.

**icc_profile**
The ICC Profile to include in the saved file.
Expand Down
3 changes: 1 addition & 2 deletions docs/installation/building-from-source.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -91,8 +91,7 @@ Many of Pillow's features require external libraries:

* **libavif** provides support for the AVIF format.

* Pillow requires libavif version **0.8.0** or greater, which is when
AVIF image sequence support was added.
* Pillow requires libavif version **1.0.0** or greater.
* libavif is merely an API that wraps AVIF codecs. If you are compiling
libavif from source, you will also need to install both an AVIF encoder
and decoder, such as rav1e and dav1d, or libaom, which both encodes and
Expand Down
56 changes: 2 additions & 54 deletions src/_avif.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,27 +20,14 @@

static PyTypeObject AvifDecoder_Type;

#if AVIF_VERSION < 1000000 // 1.0.0
static int
normalize_quantize_value(int qvalue) {
if (qvalue < AVIF_QUANTIZER_BEST_QUALITY) {
return AVIF_QUANTIZER_BEST_QUALITY;
} else if (qvalue > AVIF_QUANTIZER_WORST_QUALITY) {
return AVIF_QUANTIZER_WORST_QUALITY;
} else {
return qvalue;
}
}
#endif

static int
normalize_tiles_log2(int value) {

Check warning on line 24 in src/_avif.c

View check run for this annotation

Codecov / codecov/patch

src/_avif.c#L24 

Added line #L24 was not covered by tests
if (value < 0) {
return 0;

Check warning on line 26 in src/_avif.c

View check run for this annotation

Codecov / codecov/patch

src/_avif.c#L26 

Added line #L26 was not covered by tests
} else if (value > 6) {
return 6;

Check warning on line 28 in src/_avif.c

View check run for this annotation

Codecov / codecov/patch

src/_avif.c#L28 

Added line #L28 was not covered by tests
} else {
return value;

Check warning on line 30 in src/_avif.c

View check run for this annotation

Codecov / codecov/patch

src/_avif.c#L30 

Added line #L30 was not covered by tests
}
}

Expand All @@ -55,19 +42,14 @@
case AVIF_RESULT_TRUNCATED_DATA:
case AVIF_RESULT_NO_CONTENT:
return PyExc_SyntaxError;
default:
return PyExc_RuntimeError;

Check warning on line 46 in src/_avif.c

View check run for this annotation

Codecov / codecov/patch

src/_avif.c#L45-L46 

Added lines #L45 - L46 were not covered by tests
}
}

static uint8_t
irot_imir_to_exif_orientation(const avifImage *image) {
uint8_t axis;
#if AVIF_VERSION_MAJOR >= 1
axis = image->imir.axis;
#else
axis = image->imir.mode;
#endif
uint8_t axis = image->imir.axis;
int imir = image->transformFlags & AVIF_TRANSFORM_IMIR;
int irot = image->transformFlags & AVIF_TRANSFORM_IROT;
if (irot) {
Expand All @@ -77,15 +59,15 @@
return axis ? 7 // 90 degrees anti-clockwise then swap left and right.
: 5; // 90 degrees anti-clockwise then swap top and bottom.
}
return 6; // 90 degrees anti-clockwise.

Check warning on line 62 in src/_avif.c

View check run for this annotation

Codecov / codecov/patch

src/_avif.c#L62 

Added line #L62 was not covered by tests
}
if (angle == 2) {
if (imir) {
return axis

Check warning on line 66 in src/_avif.c

View check run for this annotation

Codecov / codecov/patch

src/_avif.c#L66 

Added line #L66 was not covered by tests
? 4 // 180 degrees anti-clockwise then swap left and right.
: 2; // 180 degrees anti-clockwise then swap top and bottom.

Check warning on line 68 in src/_avif.c

View check run for this annotation

Codecov / codecov/patch

src/_avif.c#L68 

Added line #L68 was not covered by tests
}
return 3; // 180 degrees anti-clockwise.

Check warning on line 70 in src/_avif.c

View check run for this annotation

Codecov / codecov/patch

src/_avif.c#L70 

Added line #L70 was not covered by tests
}
if (angle == 3) {
if (imir) {
Expand All @@ -93,7 +75,7 @@
? 5 // 270 degrees anti-clockwise then swap left and right.
: 7; // 270 degrees anti-clockwise then swap top and bottom.
}
return 8; // 270 degrees anti-clockwise.

Check warning on line 78 in src/_avif.c

View check run for this annotation

Codecov / codecov/patch

src/_avif.c#L78 

Added line #L78 was not covered by tests
}
}
if (imir) {
Expand All @@ -112,17 +94,13 @@
case 2: // The 0th row is at the visual top of the image, and the 0th column is
// the visual right-hand side.
image->transformFlags |= AVIF_TRANSFORM_IMIR;
#if AVIF_VERSION_MAJOR >= 1
image->imir.axis = 1;
#else
image->imir.mode = 1;
#endif
break;
case 3: // The 0th row is at the visual bottom of the image, and the 0th column

Check warning on line 99 in src/_avif.c

View check run for this annotation

Codecov / codecov/patch

src/_avif.c#L99 

Added line #L99 was not covered by tests
// is the visual right-hand side.
image->transformFlags |= AVIF_TRANSFORM_IROT;
image->irot.angle = 2;
break;

Check warning on line 103 in src/_avif.c

View check run for this annotation

Codecov / codecov/patch

src/_avif.c#L101-L103 

Added lines #L101 - L103 were not covered by tests
case 4: // The 0th row is at the visual bottom of the image, and the 0th column
// is the visual left-hand side.
image->transformFlags |= AVIF_TRANSFORM_IMIR;
Expand All @@ -133,22 +111,22 @@
image->irot.angle = 1; // applied before imir according to MIAF spec
// ISO/IEC 28002-12:2021 - section 7.3.6.7
break;
case 6: // The 0th row is the visual right-hand side of the image, and the 0th

Check warning on line 114 in src/_avif.c

View check run for this annotation

Codecov / codecov/patch

src/_avif.c#L114 

Added line #L114 was not covered by tests
// column is the visual top.
image->transformFlags |= AVIF_TRANSFORM_IROT;
image->irot.angle = 3;
break;

Check warning on line 118 in src/_avif.c

View check run for this annotation

Codecov / codecov/patch

src/_avif.c#L116-L118 

Added lines #L116 - L118 were not covered by tests
case 7: // The 0th row is the visual right-hand side of the image, and the 0th
// column is the visual bottom.
image->transformFlags |= AVIF_TRANSFORM_IROT | AVIF_TRANSFORM_IMIR;
image->irot.angle = 3; // applied before imir according to MIAF spec
// ISO/IEC 28002-12:2021 - section 7.3.6.7
break;
case 8: // The 0th row is the visual left-hand side of the image, and the 0th

Check warning on line 125 in src/_avif.c

View check run for this annotation

Codecov / codecov/patch

src/_avif.c#L125 

Added line #L125 was not covered by tests
// column is the visual bottom.
image->transformFlags |= AVIF_TRANSFORM_IROT;
image->irot.angle = 1;
break;

Check warning on line 129 in src/_avif.c

View check run for this annotation

Codecov / codecov/patch

src/_avif.c#L127-L129 

Added lines #L127 - L129 were not covered by tests
}
}

Expand Down Expand Up @@ -189,22 +167,21 @@
return PyUnicode_FromString(buffer);
}

#if AVIF_VERSION >= 80200 // 0.8.2
static int
_add_codec_specific_options(avifEncoder *encoder, PyObject *opts) {
Py_ssize_t i, size;
PyObject *keyval, *py_key, *py_val;
if (!PyTuple_Check(opts)) {
PyErr_SetString(PyExc_ValueError, "Invalid advanced codec options");
return 1;

Check warning on line 176 in src/_avif.c

View check run for this annotation

Codecov / codecov/patch

src/_avif.c#L175-L176 

Added lines #L175 - L176 were not covered by tests
}
size = PyTuple_GET_SIZE(opts);

for (i = 0; i < size; i++) {
keyval = PyTuple_GetItem(opts, i);
if (!PyTuple_Check(keyval) || PyTuple_GET_SIZE(keyval) != 2) {
PyErr_SetString(PyExc_ValueError, "Invalid advanced codec options");
return 1;

Check warning on line 184 in src/_avif.c

View check run for this annotation

Codecov / codecov/patch

src/_avif.c#L183-L184 

Added lines #L183 - L184 were not covered by tests
}
py_key = PyTuple_GetItem(keyval, 0);
py_val = PyTuple_GetItem(keyval, 1);
Expand All @@ -215,23 +192,22 @@
const char *key = PyUnicode_AsUTF8(py_key);
const char *val = PyUnicode_AsUTF8(py_val);
if (key == NULL || val == NULL) {
PyErr_SetString(PyExc_ValueError, "Invalid advanced codec options");
return 1;

Check warning on line 196 in src/_avif.c

View check run for this annotation

Codecov / codecov/patch

src/_avif.c#L195-L196 

Added lines #L195 - L196 were not covered by tests
}

avifResult result = avifEncoderSetCodecSpecificOption(encoder, key, val);
if (result != AVIF_RESULT_OK) {
PyErr_Format(
exc_type_for_avif_result(result),

Check warning on line 202 in src/_avif.c

View check run for this annotation

Codecov / codecov/patch

src/_avif.c#L201-L202 

Added lines #L201 - L202 were not covered by tests
"Setting advanced codec options failed: %s",
avifResultToString(result)

Check warning on line 204 in src/_avif.c

View check run for this annotation

Codecov / codecov/patch

src/_avif.c#L204 

Added line #L204 was not covered by tests
);
return 1;

Check warning on line 206 in src/_avif.c

View check run for this annotation

Codecov / codecov/patch

src/_avif.c#L206 

Added line #L206 was not covered by tests
}
}
return 0;
}
#endif

// Encoder functions
PyObject *
Expand Down Expand Up @@ -286,9 +262,9 @@
// Create a new animation encoder and picture frame
avifImage *image = avifImageCreateEmpty();
if (image == NULL) {
PyErr_SetString(PyExc_ValueError, "Image creation failed");
error = 1;
goto end;

Check warning on line 267 in src/_avif.c

View check run for this annotation

Codecov / codecov/patch

src/_avif.c#L265-L267 

Added lines #L265 - L267 were not covered by tests
}

// Set these in advance so any upcoming RGB -> YUV use the proper coefficients
Expand Down Expand Up @@ -325,15 +301,13 @@
image->height = height;

image->depth = 8;
#if AVIF_VERSION >= 90000 // 0.9.0
image->alphaPremultiplied = alpha_premultiplied ? AVIF_TRUE : AVIF_FALSE;
#endif

encoder = avifEncoderCreate();
if (!encoder) {
PyErr_SetString(PyExc_MemoryError, "Can't allocate encoder");
error = 1;
goto end;

Check warning on line 310 in src/_avif.c

View check run for this annotation

Codecov / codecov/patch

src/_avif.c#L308-L310 

Added lines #L308 - L310 were not covered by tests
}

int is_aom_encode = strcmp(codec, "aom") == 0 ||
Expand All @@ -341,12 +315,7 @@
_codec_available("aom", AVIF_CODEC_FLAG_CAN_ENCODE));
encoder->maxThreads = is_aom_encode && max_threads > 64 ? 64 : max_threads;

#if AVIF_VERSION >= 1000000 // 1.0.0
encoder->quality = quality;
#else
encoder->minQuantizer = normalize_quantize_value(64 - quality);
encoder->maxQuantizer = normalize_quantize_value(100 - quality);
#endif

if (strcmp(codec, "auto") == 0) {
encoder->codecChoice = AVIF_CODEC_CHOICE_AUTO;
Expand All @@ -361,37 +330,22 @@
encoder->speed = speed;
encoder->timescale = (uint64_t)1000;

#if AVIF_VERSION >= 110000 // 0.11.0
encoder->autoTiling = autotiling ? AVIF_TRUE : AVIF_FALSE;
if (!autotiling) {
encoder->tileRowsLog2 = normalize_tiles_log2(tile_rows_log2);
encoder->tileColsLog2 = normalize_tiles_log2(tile_cols_log2);

Check warning on line 336 in src/_avif.c

View check run for this annotation

Codecov / codecov/patch

src/_avif.c#L335-L336 

Added lines #L335 - L336 were not covered by tests
}
#else
encoder->tileRowsLog2 = normalize_tiles_log2(tile_rows_log2);
encoder->tileColsLog2 = normalize_tiles_log2(tile_cols_log2);
#endif

if (advanced != Py_None) {
#if AVIF_VERSION >= 80200 // 0.8.2
if (_add_codec_specific_options(encoder, advanced)) {
error = 1;
goto end;
}
#else
PyErr_SetString(
PyExc_ValueError, "Advanced codec options require libavif >= 0.8.2"
);
if (advanced != Py_None && _add_codec_specific_options(encoder, advanced)) {
error = 1;
goto end;
#endif
}

self = PyObject_New(AvifEncoderObject, &AvifEncoder_Type);
if (!self) {
PyErr_SetString(PyExc_RuntimeError, "could not create encoder object");
error = 1;
goto end;

Check warning on line 348 in src/_avif.c

View check run for this annotation

Codecov / codecov/patch

src/_avif.c#L346-L348 

Added lines #L346 - L348 were not covered by tests
}
self->first_frame = 1;

Expand All @@ -399,13 +353,13 @@
if (icc_buffer.len) {
result = avifImageSetProfileICC(image, icc_buffer.buf, icc_buffer.len);
if (result != AVIF_RESULT_OK) {
PyErr_Format(
exc_type_for_avif_result(result),

Check warning on line 357 in src/_avif.c

View check run for this annotation

Codecov / codecov/patch

src/_avif.c#L356-L357 

Added lines #L356 - L357 were not covered by tests
"Setting ICC profile failed: %s",
avifResultToString(result)

Check warning on line 359 in src/_avif.c

View check run for this annotation

Codecov / codecov/patch

src/_avif.c#L359 

Added line #L359 was not covered by tests
);
error = 1;
goto end;

Check warning on line 362 in src/_avif.c

View check run for this annotation

Codecov / codecov/patch

src/_avif.c#L361-L362 

Added lines #L361 - L362 were not covered by tests
}
// colorPrimaries and transferCharacteristics are ignored when an ICC
// profile is present, so set them to UNSPECIFIED.
Expand All @@ -420,26 +374,26 @@
if (exif_buffer.len) {
result = avifImageSetMetadataExif(image, exif_buffer.buf, exif_buffer.len);
if (result != AVIF_RESULT_OK) {
PyErr_Format(
exc_type_for_avif_result(result),

Check warning on line 378 in src/_avif.c

View check run for this annotation

Codecov / codecov/patch

src/_avif.c#L377-L378 

Added lines #L377 - L378 were not covered by tests
"Setting EXIF data failed: %s",
avifResultToString(result)

Check warning on line 380 in src/_avif.c

View check run for this annotation

Codecov / codecov/patch

src/_avif.c#L380 

Added line #L380 was not covered by tests
);
error = 1;
goto end;

Check warning on line 383 in src/_avif.c

View check run for this annotation

Codecov / codecov/patch

src/_avif.c#L382-L383 

Added lines #L382 - L383 were not covered by tests
}
}

if (xmp_buffer.len) {
result = avifImageSetMetadataXMP(image, xmp_buffer.buf, xmp_buffer.len);
if (result != AVIF_RESULT_OK) {
PyErr_Format(
exc_type_for_avif_result(result),

Check warning on line 391 in src/_avif.c

View check run for this annotation

Codecov / codecov/patch

src/_avif.c#L390-L391 

Added lines #L390 - L391 were not covered by tests
"Setting XMP data failed: %s",
avifResultToString(result)

Check warning on line 393 in src/_avif.c

View check run for this annotation

Codecov / codecov/patch

src/_avif.c#L393 

Added line #L393 was not covered by tests
);
error = 1;
goto end;

Check warning on line 396 in src/_avif.c

View check run for this annotation

Codecov / codecov/patch

src/_avif.c#L395-L396 

Added lines #L395 - L396 were not covered by tests
}
}

Expand All @@ -463,7 +417,7 @@
avifEncoderDestroy(encoder);
}
if (self) {
PyObject_Del(self);

Check warning on line 420 in src/_avif.c

View check run for this annotation

Codecov / codecov/patch

src/_avif.c#L420 

Added line #L420 was not covered by tests
}
return NULL;
}
Expand Down Expand Up @@ -511,7 +465,7 @@
&mode,
&is_single_frame
)) {
return NULL;

Check warning on line 468 in src/_avif.c

View check run for this annotation

Codecov / codecov/patch

src/_avif.c#L468 

Added line #L468 was not covered by tests
}

if (image->width != width || image->height != height) {
Expand All @@ -532,8 +486,8 @@
} else {
frame = avifImageCreateEmpty();
if (image == NULL) {
PyErr_SetString(PyExc_ValueError, "Image creation failed");
return NULL;

Check warning on line 490 in src/_avif.c

View check run for this annotation

Codecov / codecov/patch

src/_avif.c#L489-L490 

Added lines #L489 - L490 were not covered by tests
}

frame->width = width;
Expand All @@ -544,9 +498,7 @@
frame->yuvRange = image->yuvRange;
frame->yuvFormat = image->yuvFormat;
frame->depth = image->depth;
#if AVIF_VERSION >= 90000 // 0.9.0
frame->alphaPremultiplied = image->alphaPremultiplied;
#endif
}

avifRGBImageSetDefaults(&rgb, frame);
Expand All @@ -559,26 +511,26 @@

result = avifRGBImageAllocatePixels(&rgb);
if (result != AVIF_RESULT_OK) {
PyErr_Format(
exc_type_for_avif_result(result),

Check warning on line 515 in src/_avif.c

View check run for this annotation

Codecov / codecov/patch

src/_avif.c#L514-L515 

Added lines #L514 - L515 were not covered by tests
"Pixel allocation failed: %s",
avifResultToString(result)

Check warning on line 517 in src/_avif.c

View check run for this annotation

Codecov / codecov/patch

src/_avif.c#L517 

Added line #L517 was not covered by tests
);
error = 1;
goto end;

Check warning on line 520 in src/_avif.c

View check run for this annotation

Codecov / codecov/patch

src/_avif.c#L519-L520 

Added lines #L519 - L520 were not covered by tests
}

if (rgb.rowBytes * rgb.height != size) {
PyErr_Format(
PyExc_RuntimeError,

Check warning on line 525 in src/_avif.c

View check run for this annotation

Codecov / codecov/patch

src/_avif.c#L524-L525 

Added lines #L524 - L525 were not covered by tests
"rgb data has incorrect size: %u * %u (%u) != %u",
rgb.rowBytes,
rgb.height,
rgb.rowBytes * rgb.height,
size

Check warning on line 530 in src/_avif.c

View check run for this annotation

Codecov / codecov/patch

src/_avif.c#L527-L530 

Added lines #L527 - L530 were not covered by tests
);
error = 1;
goto end;

Check warning on line 533 in src/_avif.c

View check run for this annotation

Codecov / codecov/patch

src/_avif.c#L532-L533 

Added lines #L532 - L533 were not covered by tests
}

// rgb.pixels is safe for writes
Expand All @@ -589,13 +541,13 @@
Py_END_ALLOW_THREADS;

if (result != AVIF_RESULT_OK) {
PyErr_Format(
exc_type_for_avif_result(result),

Check warning on line 545 in src/_avif.c

View check run for this annotation

Codecov / codecov/patch

src/_avif.c#L544-L545 

Added lines #L544 - L545 were not covered by tests
"Conversion to YUV failed: %s",
avifResultToString(result)

Check warning on line 547 in src/_avif.c

View check run for this annotation

Codecov / codecov/patch

src/_avif.c#L547 

Added line #L547 was not covered by tests
);
error = 1;
goto end;

Check warning on line 550 in src/_avif.c

View check run for this annotation

Codecov / codecov/patch

src/_avif.c#L549-L550 

Added lines #L549 - L550 were not covered by tests
}

uint32_t addImageFlags =
Expand Down Expand Up @@ -643,13 +595,13 @@
Py_END_ALLOW_THREADS;

if (result != AVIF_RESULT_OK) {
PyErr_Format(
exc_type_for_avif_result(result),

Check warning on line 599 in src/_avif.c

View check run for this annotation

Codecov / codecov/patch

src/_avif.c#L598-L599 

Added lines #L598 - L599 were not covered by tests
"Failed to finish encoding: %s",
avifResultToString(result)

Check warning on line 601 in src/_avif.c

View check run for this annotation

Codecov / codecov/patch

src/_avif.c#L601 

Added line #L601 was not covered by tests
);
avifRWDataFree(&raw);
return NULL;

Check warning on line 604 in src/_avif.c

View check run for this annotation

Codecov / codecov/patch

src/_avif.c#L603-L604 

Added lines #L603 - L604 were not covered by tests
}

ret = PyBytes_FromStringAndSize((char *)raw.data, raw.size);
Expand Down Expand Up @@ -684,42 +636,38 @@

self = PyObject_New(AvifDecoderObject, &AvifDecoder_Type);
if (!self) {
PyErr_SetString(PyExc_RuntimeError, "could not create decoder object");
PyBuffer_Release(&buffer);
return NULL;

Check warning on line 641 in src/_avif.c

View check run for this annotation

Codecov / codecov/patch

src/_avif.c#L639-L641 

Added lines #L639 - L641 were not covered by tests
}

decoder = avifDecoderCreate();
if (!decoder) {
PyErr_SetString(PyExc_MemoryError, "Can't allocate decoder");
PyBuffer_Release(&buffer);
PyObject_Del(self);
return NULL;

Check warning on line 649 in src/_avif.c

View check run for this annotation

Codecov / codecov/patch

src/_avif.c#L646-L649 

Added lines #L646 - L649 were not covered by tests
}
#if AVIF_VERSION >= 80400 // 0.8.4
decoder->maxThreads = max_threads;
#endif
#if AVIF_VERSION >= 90200 // 0.9.2
// Turn off libavif's 'clap' (clean aperture) property validation.
decoder->strictFlags &= ~AVIF_STRICT_CLAP_VALID;
// Allow the PixelInformationProperty ('pixi') to be missing in AV1 image
// items. libheif v1.11.0 and older does not add the 'pixi' item property to
// AV1 image items.
decoder->strictFlags &= ~AVIF_STRICT_PIXI_REQUIRED;
#endif
decoder->codecChoice = codec;

result = avifDecoderSetIOMemory(decoder, buffer.buf, buffer.len);
if (result != AVIF_RESULT_OK) {
PyErr_Format(
exc_type_for_avif_result(result),

Check warning on line 663 in src/_avif.c

View check run for this annotation

Codecov / codecov/patch

src/_avif.c#L662-L663 

Added lines #L662 - L663 were not covered by tests
"Setting IO memory failed: %s",
avifResultToString(result)

Check warning on line 665 in src/_avif.c

View check run for this annotation

Codecov / codecov/patch

src/_avif.c#L665 

Added line #L665 was not covered by tests
);
avifDecoderDestroy(decoder);
PyBuffer_Release(&buffer);
PyObject_Del(self);
return NULL;

Check warning on line 670 in src/_avif.c

View check run for this annotation

Codecov / codecov/patch

src/_avif.c#L667-L670 

Added lines #L667 - L670 were not covered by tests
}

result = avifDecoderParse(decoder);
Expand Down Expand Up @@ -806,18 +754,18 @@
decoder = self->decoder;

if (!PyArg_ParseTuple(args, "I", &frame_index)) {
return NULL;

Check warning on line 757 in src/_avif.c

View check run for this annotation

Codecov / codecov/patch

src/_avif.c#L757 

Added line #L757 was not covered by tests
}

result = avifDecoderNthImage(decoder, frame_index);
if (result != AVIF_RESULT_OK) {
PyErr_Format(
exc_type_for_avif_result(result),

Check warning on line 763 in src/_avif.c

View check run for this annotation

Codecov / codecov/patch

src/_avif.c#L762-L763 

Added lines #L762 - L763 were not covered by tests
"Failed to decode frame %u: %s",
frame_index,
avifResultToString(result)

Check warning on line 766 in src/_avif.c

View check run for this annotation

Codecov / codecov/patch

src/_avif.c#L765-L766 

Added lines #L765 - L766 were not covered by tests
);
return NULL;

Check warning on line 768 in src/_avif.c

View check run for this annotation

Codecov / codecov/patch

src/_avif.c#L768 

Added line #L768 was not covered by tests
}

image = decoder->image;
Expand All @@ -829,12 +777,12 @@

result = avifRGBImageAllocatePixels(&rgb);
if (result != AVIF_RESULT_OK) {
PyErr_Format(
exc_type_for_avif_result(result),

Check warning on line 781 in src/_avif.c

View check run for this annotation

Codecov / codecov/patch

src/_avif.c#L780-L781 

Added lines #L780 - L781 were not covered by tests
"Pixel allocation failed: %s",
avifResultToString(result)

Check warning on line 783 in src/_avif.c

View check run for this annotation

Codecov / codecov/patch

src/_avif.c#L783 

Added line #L783 was not covered by tests
);
return NULL;

Check warning on line 785 in src/_avif.c

View check run for this annotation

Codecov / codecov/patch

src/_avif.c#L785 

Added line #L785 was not covered by tests
}

Py_BEGIN_ALLOW_THREADS;
Expand All @@ -842,18 +790,18 @@
Py_END_ALLOW_THREADS;

if (result != AVIF_RESULT_OK) {
PyErr_Format(
exc_type_for_avif_result(result),

Check warning on line 794 in src/_avif.c

View check run for this annotation

Codecov / codecov/patch

src/_avif.c#L793-L794 

Added lines #L793 - L794 were not covered by tests
"Conversion from YUV failed: %s",
avifResultToString(result)

Check warning on line 796 in src/_avif.c

View check run for this annotation

Codecov / codecov/patch

src/_avif.c#L796 

Added line #L796 was not covered by tests
);
avifRGBImageFreePixels(&rgb);
return NULL;

Check warning on line 799 in src/_avif.c

View check run for this annotation

Codecov / codecov/patch

src/_avif.c#L798-L799 

Added lines #L798 - L799 were not covered by tests
}

if (rgb.height > PY_SSIZE_T_MAX / rgb.rowBytes) {
PyErr_SetString(PyExc_MemoryError, "Integer overflow in pixel size");
return NULL;

Check warning on line 804 in src/_avif.c

View check run for this annotation

Codecov / codecov/patch

src/_avif.c#L803-L804 

Added lines #L803 - L804 were not covered by tests
}

size = rgb.rowBytes * rgb.height;
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this guaranteed to not overflow, even in the face of invalid input?

Copy link
Contributor Author

@fdintino fdintino Jan 12, 2021
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

libavif currently restricts images to a maximum of 2^28 pixels. If the dimensions are larger than 16384x16384 then the function that sets decoder->image->width and decoder->image->height fails. So I suppose that a 4-channel 16384x16384 8-bit image could overflow on a 32-bit platform. I'm not certain because the codecs used by libavif have their own overflow limit checks. For instance, dav1d enforces a maximum of 2^26 pixels on 32-bit systems. Should I add a check against PY_SSIZE_T_MAX to be sure? (edit: answering my own question and adding this check)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added here

Pillow/src/_avif.c

Lines 619 to 622 in b84a8e0

if (rgb.height > PY_SSIZE_T_MAX / row_bytes) {
PyErr_SetString(PyExc_MemoryError, "Integer overflow in pixel size");
return NULL;
}

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Basically, I'm the one who will get a CVE on this if there's a problem, and I'd like really clear guidelines about what the assumptions are for sizes of things and where they come from for dangerous operations like memset, malloc, and pointer reads/writes. This isn't so much for now, but a couple years down the line, things need to be clear. This will be fuzzed, this will be run under valgrind, so hopefully there won't be problems.

I've basically had to reverse engineer how SgiRleDecode works over the last month or so, and I'd like to be preventing that sort of experience in the future.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does raising a MemoryError if rgb.height > PY_SSIZE_T_MAX / row_bytes (as I have in the latest PR push) suffice to address that concern?

Expand Down Expand Up @@ -924,7 +872,7 @@
static int
setup_module(PyObject *m) {
if (PyType_Ready(&AvifDecoder_Type) < 0 || PyType_Ready(&AvifEncoder_Type) < 0) {
return -1;

Check warning on line 875 in src/_avif.c

View check run for this annotation

Codecov / codecov/patch

src/_avif.c#L875 

Added line #L875 was not covered by tests
}

PyObject *d = PyModule_GetDict(m);
Expand All @@ -948,8 +896,8 @@

m = PyModule_Create(&module_def);
if (setup_module(m) < 0) {
Py_DECREF(m);
return NULL;

Check warning on line 900 in src/_avif.c

View check run for this annotation

Codecov / codecov/patch

src/_avif.c#L899-L900 

Added lines #L899 - L900 were not covered by tests
}

#ifdef Py_GIL_DISABLED
Expand Down
Loading