> 0xFFFE is the comment Marker in a JPEG. So it's not that bad to > detect. It ist followed by the length field. With is where the > Problem occures. So you have to detect the following sequence from > the beginning of the JPEG. > > ffd8 <- SoI marker > ffe0 <- APP0 marker > 0010 <- lenght of APP0 including those 2 Bytes. > 4a46 4946 00 <- string JFIF terminated with 0x00 > 010[012] <- common Version number. (May differ) -> 0?0? > 0[012] <- NA; p/" ; p/cm -> 0? > 0010 <- vertical resolution -> ???? > 0010 <- horizontal resolution -> ???? > 0000 <- preview resolution -> ???? > fffe <- comment marker > 000[01] <- bad comment length -> 000?
Here is some more information on the JPEG format. I have listed below what the structure means that you are talking about, BUT the file could also start with FFD8FFFE00 and this will cause the problem. For more information read below and the references below. I have found by looking at JPEG's created by my digital camera that the comments can be at the start of the file. Also in my reading I found that a file can contain more than one comment field and therefore the bad comment may not be the first comment field. > ffd8 <- SoI marker BYTE SOI[2]; /* 00h Start of Image Marker */ SOI is the start of image marker and always contains the marker code values FFh D8h. > ffe0 <- APP0 marker BYTE APP0[2]; /* 02h Application Use Marker */ APP0 is the Application marker and always contains the marker code values FFh E0h. > 0010 <- lenght of APP0 including those 2 Bytes. BYTE Length[2]; /* 04h Length of APP0 Field */ Length is the size of the JFIF (APP0) marker segment, including the size of the Length field itself and any thumbnail data contained in the APP0 segment. Because of this, the value of Length equals 16 * 3 * Xthumbnail * Ythumbnail. > 4a46 4946 00 <- string JFIF terminated with 0x00 BYTE Identifier[5]; /* 06h 'JFIF' (zero terminated) Id String */ Identifier contains the values 4Ah 46h 49h 46h 00h (JFIF) and is used to idennify the code stream as conforming to the JFIF specification. > 010[012] <- common Version number. (May differ) -> 0?0? BYTE Version[2]; /* 07h JFIF Format Revision */ Version identifies the version of the JFIF specification, with the first byte containing the major revision number and the second byte containing the minor version number. For version 1.02, the values of the Version field are 01h 02h;, older files contain 01h 00h or 01h 01h. > 0[012] <- NA; p/" ; p/cm -> 0? > 0010 <- vertical resolution -> ???? > 0010 <- horizontal resolution -> ???? BYTE Units; /* 09h Units used for Resolution */ BYTE Xdensity[2]; /* 0Ah Horizontal Resolution */ BYTE Ydensity[2]; /* 0Ch Vertical Resolution */ Units, Xdensity, and Ydensity identify the unit of measurement used to describe the image resolution. Units may be 01h for dots per inch, 02h for dots per centimeter, or 00h for none (use measurement as pixel aspect ratio). Xdensity and Ydensity are horizontal and vertical resolution of the image data respectively. If the Units field value is 00h, the Xdensity and Ydensity fields will contin the pixel aspect rati o (Xdensity : Ydensity) rather than the image resolution. Because non-square pixels are discouraged for portability reasons, the Xdensity and Ydensity values normally equal 1 when the Units value is 0. > 0000 <- preview resolution -> ???? BYTE XThumbnail; /* 0Eh Horizontal Pixel Count */ BYTE YThumbnail; /* 0Fh Vertical Pixel Count */ XThumbnail and YThumbnail give the dimensions of the thumbnail image included in the JFIF APP0 marker. If no thumbnail image is included in the marker, then these fields contain 0. A thumbnail image is a smaller representation of the images stored in the main JPEG data stream (some people call it an icon or preview image). The thumbnail data itself consists of an array of XThumbnail * Ythumbnail pixel values, where each pixel value occupies three bytes and contains a 24-bit RGB value (stored in the order R,G,B). No compression is preformed on the thumbnail image. Storing a thumbnail image in the JFIF APP0 marker is nor discouraged, though it is still suported for backwards compatibility. Version 1.02 of JFIF defines extension markers that allow thumbnail images to be stored spearately from the identification marker. This method is more flexible, because multiple thumbnail formats are permitted and because multiple thumbnail images of different sizes could be included in a file. Version 1.02 allows color-mapped thumbnails (one byte per pixel plus a 256-entry colormap) and JPEG-compressed thumbnails, in addition to the 24-bit RGB thumbnail format. In any case, a thumbnail image is limited to less than 64K bytes because it must fit in an APP0 marker. There are also optional JFIF entension marker segments. Extension segments are used to store additional information and are found in JFIF version 1.02 and later. The structure of these extension segments is shown below: BYTE APP0[2]; /* 00h Application Use Marker */ BYTE Length[2]; /* 02h Length of APP0 Field */ BYTE Identifier[5]; /* 04h 'JFXX' (zero terminated) Id String */ BYTE EntensionCode; /* 09h Extension ID Code */ There can be an unspecified number of these Application Use Marker Extensions. In JPEG images, textual comments can be embedded in the COM marker. The file may contain multiple such markers. BYTE COM[2]; /* 00h COM Marker */ BYTE Length[2]; /* 02h Length of COM Field (Min 2) */ BYTE Data[0-65533]; /* 04h Data String */ The COM Markers, Application Markers and other markers can be in any order within the file. References: http://seclists.org/lists/fulldisclosure/2004/Sep/0509.html http://netghost.narod.ru/gff/graphics/summary/jfif.htm http://www.funet.fi/pub/sci/graphics/packages/photomolo/photomolo.html https://lists.latech.edu/pipermail/javascript/2004-February/007034.html -- Lloyd Albin <[EMAIL PROTECTED]> Global Wizards Communications ------------------------------------------------------- This SF.Net email is sponsored by: YOU BE THE JUDGE. Be one of 170 Project Admins to receive an Apple iPod Mini FREE for your judgement on who ports your project to Linux PPC the best. Sponsored by IBM. Deadline: Sept. 24. Go here: http://sf.net/ppc_contest.php _______________________________________________ Clamav-users mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/clamav-users
