1/* SPDX-License-Identifier: 0BSD */
2
3/*
4 * XZ decompressor
5 *
6 * Authors: Lasse Collin <lasse.collin@tukaani.org>
7 * Igor Pavlov <https://7-zip.org/>
8 */
9
10#ifndef XZ_H
11#define XZ_H
12
13#ifdef __KERNEL__
14# include <linux/stddef.h>
15# include <linux/types.h>
16#else
17# include <stddef.h>
18# include <stdint.h>
19#endif
20
21/**
22 * enum xz_mode - Operation mode
23 *
24 * @XZ_SINGLE: Single-call mode. This uses less RAM than
25 * multi-call modes, because the LZMA2
26 * dictionary doesn't need to be allocated as
27 * part of the decoder state. All required data
28 * structures are allocated at initialization,
29 * so xz_dec_run() cannot return XZ_MEM_ERROR.
30 * @XZ_PREALLOC: Multi-call mode with preallocated LZMA2
31 * dictionary buffer. All data structures are
32 * allocated at initialization, so xz_dec_run()
33 * cannot return XZ_MEM_ERROR.
34 * @XZ_DYNALLOC: Multi-call mode. The LZMA2 dictionary is
35 * allocated once the required size has been
36 * parsed from the stream headers. If the
37 * allocation fails, xz_dec_run() will return
38 * XZ_MEM_ERROR.
39 *
40 * It is possible to enable support only for a subset of the above
41 * modes at compile time by defining XZ_DEC_SINGLE, XZ_DEC_PREALLOC,
42 * or XZ_DEC_DYNALLOC. The xz_dec kernel module is always compiled
43 * with support for all operation modes, but the preboot code may
44 * be built with fewer features to minimize code size.
45 */
46enum xz_mode {
47 XZ_SINGLE,
48 XZ_PREALLOC,
49 XZ_DYNALLOC
50};
51
52/**
53 * enum xz_ret - Return codes
54 * @XZ_OK: Everything is OK so far. More input or more
55 * output space is required to continue. This
56 * return code is possible only in multi-call mode
57 * (XZ_PREALLOC or XZ_DYNALLOC).
58 * @XZ_STREAM_END: Operation finished successfully.
59 * @XZ_UNSUPPORTED_CHECK: Integrity check type is not supported. Decoding
60 * is still possible in multi-call mode by simply
61 * calling xz_dec_run() again.
62 * Note that this return value is used only if
63 * XZ_DEC_ANY_CHECK was defined at build time,
64 * which is not used in the kernel. Unsupported
65 * check types return XZ_OPTIONS_ERROR if
66 * XZ_DEC_ANY_CHECK was not defined at build time.
67 * @XZ_MEM_ERROR: Allocating memory failed. This return code is
68 * possible only if the decoder was initialized
69 * with XZ_DYNALLOC. The amount of memory that was
70 * tried to be allocated was no more than the
71 * dict_max argument given to xz_dec_init().
72 * @XZ_MEMLIMIT_ERROR: A bigger LZMA2 dictionary would be needed than
73 * allowed by the dict_max argument given to
74 * xz_dec_init(). This return value is possible
75 * only in multi-call mode (XZ_PREALLOC or
76 * XZ_DYNALLOC); the single-call mode (XZ_SINGLE)
77 * ignores the dict_max argument.
78 * @XZ_FORMAT_ERROR: File format was not recognized (wrong magic
79 * bytes).
80 * @XZ_OPTIONS_ERROR: This implementation doesn't support the requested
81 * compression options. In the decoder this means
82 * that the header CRC32 matches, but the header
83 * itself specifies something that we don't support.
84 * @XZ_DATA_ERROR: Compressed data is corrupt.
85 * @XZ_BUF_ERROR: Cannot make any progress. Details are slightly
86 * different between multi-call and single-call
87 * mode; more information below.
88 *
89 * In multi-call mode, XZ_BUF_ERROR is returned when two consecutive calls
90 * to XZ code cannot consume any input and cannot produce any new output.
91 * This happens when there is no new input available, or the output buffer
92 * is full while at least one output byte is still pending. Assuming your
93 * code is not buggy, you can get this error only when decoding a compressed
94 * stream that is truncated or otherwise corrupt.
95 *
96 * In single-call mode, XZ_BUF_ERROR is returned only when the output buffer
97 * is too small or the compressed input is corrupt in a way that makes the
98 * decoder produce more output than the caller expected. When it is
99 * (relatively) clear that the compressed input is truncated, XZ_DATA_ERROR
100 * is used instead of XZ_BUF_ERROR.
101 */
102enum xz_ret {
103 XZ_OK,
104 XZ_STREAM_END,
105 XZ_UNSUPPORTED_CHECK,
106 XZ_MEM_ERROR,
107 XZ_MEMLIMIT_ERROR,
108 XZ_FORMAT_ERROR,
109 XZ_OPTIONS_ERROR,
110 XZ_DATA_ERROR,
111 XZ_BUF_ERROR
112};
113
114/**
115 * struct xz_buf - Passing input and output buffers to XZ code
116 * @in: Beginning of the input buffer. This may be NULL if and only
117 * if in_pos is equal to in_size.
118 * @in_pos: Current position in the input buffer. This must not exceed
119 * in_size.
120 * @in_size: Size of the input buffer
121 * @out: Beginning of the output buffer. This may be NULL if and only
122 * if out_pos is equal to out_size.
123 * @out_pos: Current position in the output buffer. This must not exceed
124 * out_size.
125 * @out_size: Size of the output buffer
126 *
127 * Only the contents of the output buffer from out[out_pos] onward, and
128 * the variables in_pos and out_pos are modified by the XZ code.
129 */
130struct xz_buf {
131 const uint8_t *in;
132 size_t in_pos;
133 size_t in_size;
134
135 uint8_t *out;
136 size_t out_pos;
137 size_t out_size;
138};
139
140/*
141 * struct xz_dec - Opaque type to hold the XZ decoder state
142 */
143struct xz_dec;
144
145/**
146 * xz_dec_init() - Allocate and initialize a XZ decoder state
147 * @mode: Operation mode
148 * @dict_max: Maximum size of the LZMA2 dictionary (history buffer) for
149 * multi-call decoding. This is ignored in single-call mode
150 * (mode == XZ_SINGLE). LZMA2 dictionary is always 2^n bytes
151 * or 2^n + 2^(n-1) bytes (the latter sizes are less common
152 * in practice), so other values for dict_max don't make sense.
153 * In the kernel, dictionary sizes of 64 KiB, 128 KiB, 256 KiB,
154 * 512 KiB, and 1 MiB are probably the only reasonable values,
155 * except for kernel and initramfs images where a bigger
156 * dictionary can be fine and useful.
157 *
158 * Single-call mode (XZ_SINGLE): xz_dec_run() decodes the whole stream at
159 * once. The caller must provide enough output space or the decoding will
160 * fail. The output space is used as the dictionary buffer, which is why
161 * there is no need to allocate the dictionary as part of the decoder's
162 * internal state.
163 *
164 * Because the output buffer is used as the workspace, streams encoded using
165 * a big dictionary are not a problem in single-call mode. It is enough that
166 * the output buffer is big enough to hold the actual uncompressed data; it
167 * can be smaller than the dictionary size stored in the stream headers.
168 *
169 * Multi-call mode with preallocated dictionary (XZ_PREALLOC): dict_max bytes
170 * of memory is preallocated for the LZMA2 dictionary. This way there is no
171 * risk that xz_dec_run() could run out of memory, since xz_dec_run() will
172 * never allocate any memory. Instead, if the preallocated dictionary is too
173 * small for decoding the given input stream, xz_dec_run() will return
174 * XZ_MEMLIMIT_ERROR. Thus, it is important to know what kind of data will be
175 * decoded to avoid allocating excessive amount of memory for the dictionary.
176 *
177 * Multi-call mode with dynamically allocated dictionary (XZ_DYNALLOC):
178 * dict_max specifies the maximum allowed dictionary size that xz_dec_run()
179 * may allocate once it has parsed the dictionary size from the stream
180 * headers. This way excessive allocations can be avoided while still
181 * limiting the maximum memory usage to a sane value to prevent running the
182 * system out of memory when decompressing streams from untrusted sources.
183 *
184 * On success, xz_dec_init() returns a pointer to struct xz_dec, which is
185 * ready to be used with xz_dec_run(). If memory allocation fails,
186 * xz_dec_init() returns NULL.
187 */
188struct xz_dec *xz_dec_init(enum xz_mode mode, uint32_t dict_max);
189
190/**
191 * xz_dec_run() - Run the XZ decoder
192 * @s: Decoder state allocated using xz_dec_init()
193 * @b: Input and output buffers
194 *
195 * The possible return values depend on build options and operation mode.
196 * See enum xz_ret for details.
197 *
198 * Note that if an error occurs in single-call mode (return value is not
199 * XZ_STREAM_END), b->in_pos and b->out_pos are not modified and the
200 * contents of the output buffer from b->out[b->out_pos] onward are
201 * undefined. This is true even after XZ_BUF_ERROR, because with some filter
202 * chains, there may be a second pass over the output buffer, and this pass
203 * cannot be properly done if the output buffer is truncated. Thus, you
204 * cannot give the single-call decoder a too small buffer and then expect to
205 * get that amount valid data from the beginning of the stream. You must use
206 * the multi-call decoder if you don't want to uncompress the whole stream.
207 */
208enum xz_ret xz_dec_run(struct xz_dec *s, struct xz_buf *b);
209
210/**
211 * xz_dec_reset() - Reset an already allocated decoder state
212 * @s: Decoder state allocated using xz_dec_init()
213 *
214 * This function can be used to reset the multi-call decoder state without
215 * freeing and reallocating memory with xz_dec_end() and xz_dec_init().
216 *
217 * In single-call mode, xz_dec_reset() is always called in the beginning of
218 * xz_dec_run(). Thus, explicit call to xz_dec_reset() is useful only in
219 * multi-call mode.
220 */
221void xz_dec_reset(struct xz_dec *s);
222
223/**
224 * xz_dec_end() - Free the memory allocated for the decoder state
225 * @s: Decoder state allocated using xz_dec_init(). If s is NULL,
226 * this function does nothing.
227 */
228void xz_dec_end(struct xz_dec *s);
229
230/**
231 * DOC: MicroLZMA decompressor
232 *
233 * This MicroLZMA header format was created for use in EROFS but may be used
234 * by others too. **In most cases one needs the XZ APIs above instead.**
235 *
236 * The compressed format supported by this decoder is a raw LZMA stream
237 * whose first byte (always 0x00) has been replaced with bitwise-negation
238 * of the LZMA properties (lc/lp/pb) byte. For example, if lc/lp/pb is
239 * 3/0/2, the first byte is 0xA2. This way the first byte can never be 0x00.
240 * Just like with LZMA2, lc + lp <= 4 must be true. The LZMA end-of-stream
241 * marker must not be used. The unused values are reserved for future use.
242 */
243
244/*
245 * struct xz_dec_microlzma - Opaque type to hold the MicroLZMA decoder state
246 */
247struct xz_dec_microlzma;
248
249/**
250 * xz_dec_microlzma_alloc() - Allocate memory for the MicroLZMA decoder
251 * @mode: XZ_SINGLE or XZ_PREALLOC
252 * @dict_size: LZMA dictionary size. This must be at least 4 KiB and
253 * at most 3 GiB.
254 *
255 * In contrast to xz_dec_init(), this function only allocates the memory
256 * and remembers the dictionary size. xz_dec_microlzma_reset() must be used
257 * before calling xz_dec_microlzma_run().
258 *
259 * The amount of allocated memory is a little less than 30 KiB with XZ_SINGLE.
260 * With XZ_PREALLOC also a dictionary buffer of dict_size bytes is allocated.
261 *
262 * On success, xz_dec_microlzma_alloc() returns a pointer to
263 * struct xz_dec_microlzma. If memory allocation fails or
264 * dict_size is invalid, NULL is returned.
265 */
266struct xz_dec_microlzma *xz_dec_microlzma_alloc(enum xz_mode mode,
267 uint32_t dict_size);
268
269/**
270 * xz_dec_microlzma_reset() - Reset the MicroLZMA decoder state
271 * @s: Decoder state allocated using xz_dec_microlzma_alloc()
272 * @comp_size: Compressed size of the input stream
273 * @uncomp_size: Uncompressed size of the input stream. A value smaller
274 * than the real uncompressed size of the input stream can
275 * be specified if uncomp_size_is_exact is set to false.
276 * uncomp_size can never be set to a value larger than the
277 * expected real uncompressed size because it would eventually
278 * result in XZ_DATA_ERROR.
279 * @uncomp_size_is_exact: This is an int instead of bool to avoid
280 * requiring stdbool.h. This should normally be set to true.
281 * When this is set to false, error detection is weaker.
282 */
283void xz_dec_microlzma_reset(struct xz_dec_microlzma *s, uint32_t comp_size,
284 uint32_t uncomp_size, int uncomp_size_is_exact);
285
286/**
287 * xz_dec_microlzma_run() - Run the MicroLZMA decoder
288 * @s: Decoder state initialized using xz_dec_microlzma_reset()
289 * @b: Input and output buffers
290 *
291 * This works similarly to xz_dec_run() with a few important differences.
292 * Only the differences are documented here.
293 *
294 * The only possible return values are XZ_OK, XZ_STREAM_END, and
295 * XZ_DATA_ERROR. This function cannot return XZ_BUF_ERROR: if no progress
296 * is possible due to lack of input data or output space, this function will
297 * keep returning XZ_OK. Thus, the calling code must be written so that it
298 * will eventually provide input and output space matching (or exceeding)
299 * comp_size and uncomp_size arguments given to xz_dec_microlzma_reset().
300 * If the caller cannot do this (for example, if the input file is truncated
301 * or otherwise corrupt), the caller must detect this error by itself to
302 * avoid an infinite loop.
303 *
304 * If the compressed data seems to be corrupt, XZ_DATA_ERROR is returned.
305 * This can happen also when incorrect dictionary, uncompressed, or
306 * compressed sizes have been specified.
307 *
308 * With XZ_PREALLOC only: As an extra feature, b->out may be NULL to skip over
309 * uncompressed data. This way the caller doesn't need to provide a temporary
310 * output buffer for the bytes that will be ignored.
311 *
312 * With XZ_SINGLE only: In contrast to xz_dec_run(), the return value XZ_OK
313 * is also possible and thus XZ_SINGLE is actually a limited multi-call mode.
314 * After XZ_OK the bytes decoded so far may be read from the output buffer.
315 * It is possible to continue decoding but the variables b->out and b->out_pos
316 * MUST NOT be changed by the caller. Increasing the value of b->out_size is
317 * allowed to make more output space available; one doesn't need to provide
318 * space for the whole uncompressed data on the first call. The input buffer
319 * may be changed normally like with XZ_PREALLOC. This way input data can be
320 * provided from non-contiguous memory.
321 */
322enum xz_ret xz_dec_microlzma_run(struct xz_dec_microlzma *s, struct xz_buf *b);
323
324/**
325 * xz_dec_microlzma_end() - Free the memory allocated for the decoder state
326 * @s: Decoder state allocated using xz_dec_microlzma_alloc().
327 * If s is NULL, this function does nothing.
328 */
329void xz_dec_microlzma_end(struct xz_dec_microlzma *s);
330
331/*
332 * Standalone build (userspace build or in-kernel build for boot time use)
333 * needs a CRC32 implementation. For normal in-kernel use, kernel's own
334 * CRC32 module is used instead, and users of this module don't need to
335 * care about the functions below.
336 */
337#ifndef XZ_INTERNAL_CRC32
338# ifdef __KERNEL__
339# define XZ_INTERNAL_CRC32 0
340# else
341# define XZ_INTERNAL_CRC32 1
342# endif
343#endif
344
345#if XZ_INTERNAL_CRC32
346/*
347 * This must be called before any other xz_* function to initialize
348 * the CRC32 lookup table.
349 */
350void xz_crc32_init(void);
351
352/*
353 * Update CRC32 value using the polynomial from IEEE-802.3. To start a new
354 * calculation, the third argument must be zero. To continue the calculation,
355 * the previously returned value is passed as the third argument.
356 */
357uint32_t xz_crc32(const uint8_t *buf, size_t size, uint32_t crc);
358#endif
359#endif
360