Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(58)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: third_party/libpng/pngrutil.c

Issue 1509773004: CL for perf tryjob on android Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Created 5 years ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« no previous file with comments | « third_party/libpng/pngrtran.c ('k') | third_party/libpng/pngset.c » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 1
2 /* pngrutil.c - utilities to read a PNG file 2 /* pngrutil.c - utilities to read a PNG file
3 * 3 *
4 * Last changed in libpng 1.2.54 [November 12, 2015] 4 * Last changed in libpng 1.6.19 [November 12, 2015]
5 * Copyright (c) 1998-2015 Glenn Randers-Pehrson 5 * Copyright (c) 1998-2015 Glenn Randers-Pehrson
6 * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger) 6 * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
7 * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.) 7 * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
8 * 8 *
9 * This code is released under the libpng license. 9 * This code is released under the libpng license.
10 * For conditions of distribution and use, see the disclaimer 10 * For conditions of distribution and use, see the disclaimer
11 * and license in png.h 11 * and license in png.h
12 * 12 *
13 * This file contains routines that are only called from within 13 * This file contains routines that are only called from within
14 * libpng itself during the course of reading an image. 14 * libpng itself during the course of reading an image.
15 */ 15 */
16 16
17 #define PNG_INTERNAL 17 #include "pngpriv.h"
18 #define PNG_NO_PEDANTIC_WARNINGS 18
19 #include "png.h"
20 #ifdef PNG_READ_SUPPORTED 19 #ifdef PNG_READ_SUPPORTED
21 20
22 #if defined(_WIN32_WCE) && (_WIN32_WCE<0x500) 21 png_uint_32 PNGAPI
23 # define WIN32_WCE_OLD 22 png_get_uint_31(png_const_structrp png_ptr, png_const_bytep buf)
24 #endif 23 {
25 24 png_uint_32 uval = png_get_uint_32(buf);
26 #ifdef PNG_FLOATING_POINT_SUPPORTED 25
27 # ifdef WIN32_WCE_OLD 26 if (uval > PNG_UINT_31_MAX)
28 /* The strtod() function is not supported on WindowsCE */ 27 png_error(png_ptr, "PNG unsigned integer out of range");
29 __inline double png_strtod(png_structp png_ptr, PNG_CONST char *nptr, 28
30 char **endptr) 29 return (uval);
31 { 30 }
32 double result = 0; 31
33 int len; 32 #if defined(PNG_READ_gAMA_SUPPORTED) || defined(PNG_READ_cHRM_SUPPORTED)
34 wchar_t *str, *end; 33 /* The following is a variation on the above for use with the fixed
35 34 * point values used for gAMA and cHRM. Instead of png_error it
36 len = MultiByteToWideChar(CP_ACP, 0, nptr, -1, NULL, 0); 35 * issues a warning and returns (-1) - an invalid value because both
37 str = (wchar_t *)png_malloc(png_ptr, len * png_sizeof(wchar_t)); 36 * gAMA and cHRM use *unsigned* integers for fixed point values.
38 if ( NULL != str ) 37 */
38 #define PNG_FIXED_ERROR (-1)
39
40 static png_fixed_point /* PRIVATE */
41 png_get_fixed_point(png_structrp png_ptr, png_const_bytep buf)
42 {
43 png_uint_32 uval = png_get_uint_32(buf);
44
45 if (uval <= PNG_UINT_31_MAX)
46 return (png_fixed_point)uval; /* known to be in range */
47
48 /* The caller can turn off the warning by passing NULL. */
49 if (png_ptr != NULL)
50 png_warning(png_ptr, "PNG fixed point integer out of range");
51
52 return PNG_FIXED_ERROR;
53 }
54 #endif
55
56 #ifdef PNG_READ_INT_FUNCTIONS_SUPPORTED
57 /* NOTE: the read macros will obscure these definitions, so that if
58 * PNG_USE_READ_MACROS is set the library will not use them internally,
59 * but the APIs will still be available externally.
60 *
61 * The parentheses around "PNGAPI function_name" in the following three
62 * functions are necessary because they allow the macros to co-exist with
63 * these (unused but exported) functions.
64 */
65
66 /* Grab an unsigned 32-bit integer from a buffer in big-endian format. */
67 png_uint_32 (PNGAPI
68 png_get_uint_32)(png_const_bytep buf)
69 {
70 png_uint_32 uval =
71 ((png_uint_32)(*(buf )) << 24) +
72 ((png_uint_32)(*(buf + 1)) << 16) +
73 ((png_uint_32)(*(buf + 2)) << 8) +
74 ((png_uint_32)(*(buf + 3)) ) ;
75
76 return uval;
77 }
78
79 /* Grab a signed 32-bit integer from a buffer in big-endian format. The
80 * data is stored in the PNG file in two's complement format and there
81 * is no guarantee that a 'png_int_32' is exactly 32 bits, therefore
82 * the following code does a two's complement to native conversion.
83 */
84 png_int_32 (PNGAPI
85 png_get_int_32)(png_const_bytep buf)
86 {
87 png_uint_32 uval = png_get_uint_32(buf);
88 if ((uval & 0x80000000) == 0) /* non-negative */
89 return uval;
90
91 uval = (uval ^ 0xffffffff) + 1; /* 2's complement: -x = ~x+1 */
92 if ((uval & 0x80000000) == 0) /* no overflow */
93 return -(png_int_32)uval;
94 /* The following has to be safe; this function only gets called on PNG data
95 * and if we get here that data is invalid. 0 is the most safe value and
96 * if not then an attacker would surely just generate a PNG with 0 instead.
97 */
98 return 0;
99 }
100
101 /* Grab an unsigned 16-bit integer from a buffer in big-endian format. */
102 png_uint_16 (PNGAPI
103 png_get_uint_16)(png_const_bytep buf)
104 {
105 /* ANSI-C requires an int value to accomodate at least 16 bits so this
106 * works and allows the compiler not to worry about possible narrowing
107 * on 32-bit systems. (Pre-ANSI systems did not make integers smaller
108 * than 16 bits either.)
109 */
110 unsigned int val =
111 ((unsigned int)(*buf) << 8) +
112 ((unsigned int)(*(buf + 1)));
113
114 return (png_uint_16)val;
115 }
116
117 #endif /* READ_INT_FUNCTIONS */
118
119 /* Read and check the PNG file signature */
120 void /* PRIVATE */
121 png_read_sig(png_structrp png_ptr, png_inforp info_ptr)
122 {
123 png_size_t num_checked, num_to_check;
124
125 /* Exit if the user application does not expect a signature. */
126 if (png_ptr->sig_bytes >= 8)
127 return;
128
129 num_checked = png_ptr->sig_bytes;
130 num_to_check = 8 - num_checked;
131
132 #ifdef PNG_IO_STATE_SUPPORTED
133 png_ptr->io_state = PNG_IO_READING | PNG_IO_SIGNATURE;
134 #endif
135
136 /* The signature must be serialized in a single I/O call. */
137 png_read_data(png_ptr, &(info_ptr->signature[num_checked]), num_to_check);
138 png_ptr->sig_bytes = 8;
139
140 if (png_sig_cmp(info_ptr->signature, num_checked, num_to_check) != 0)
39 { 141 {
40 MultiByteToWideChar(CP_ACP, 0, nptr, -1, str, len); 142 if (num_checked < 4 &&
41 result = wcstod(str, &end); 143 png_sig_cmp(info_ptr->signature, num_checked, num_to_check - 4))
42 len = WideCharToMultiByte(CP_ACP, 0, end, -1, NULL, 0, NULL, NULL); 144 png_error(png_ptr, "Not a PNG file");
43 *endptr = (char *)nptr + (png_strlen(nptr) - len + 1); 145 else
44 png_free(png_ptr, str); 146 png_error(png_ptr, "PNG file corrupted by ASCII conversion");
45 } 147 }
46 return result; 148 if (num_checked < 3)
47 } 149 png_ptr->mode |= PNG_HAVE_PNG_SIGNATURE;
48 # else 150 }
49 # define png_strtod(p,a,b) strtod(a,b)
50 # endif
51 #endif
52
53 png_uint_32 PNGAPI
54 png_get_uint_31(png_structp png_ptr, png_bytep buf)
55 {
56 #ifdef PNG_READ_BIG_ENDIAN_SUPPORTED
57 png_uint_32 i = png_get_uint_32(buf);
58 #else
59 /* Avoid an extra function call by inlining the result. */
60 png_uint_32 i = ((png_uint_32)((*(buf )) & 0xff) << 24) +
61 ((png_uint_32)((*(buf + 1)) & 0xff) << 16) +
62 ((png_uint_32)((*(buf + 2)) & 0xff) << 8) +
63 ((png_uint_32)((*(buf + 3)) & 0xff) );
64 #endif
65 if (i > PNG_UINT_31_MAX)
66 png_error(png_ptr, "PNG unsigned integer out of range.");
67 return (i);
68 }
69 #ifndef PNG_READ_BIG_ENDIAN_SUPPORTED
70 /* Grab an unsigned 32-bit integer from a buffer in big-endian format. */
71 png_uint_32 PNGAPI
72 png_get_uint_32(png_bytep buf)
73 {
74 png_uint_32 i = ((png_uint_32)((*(buf )) & 0xff) << 24) +
75 ((png_uint_32)((*(buf + 1)) & 0xff) << 16) +
76 ((png_uint_32)((*(buf + 2)) & 0xff) << 8) +
77 ((png_uint_32)((*(buf + 3)) & 0xff) );
78
79 return (i);
80 }
81
82 /* Grab a signed 32-bit integer from a buffer in big-endian format. The
83 * data is stored in the PNG file in two's complement format, and it is
84 * assumed that the machine format for signed integers is the same.
85 */
86 png_int_32 PNGAPI
87 png_get_int_32(png_bytep buf)
88 {
89 png_int_32 i = ((png_int_32)((*(buf )) & 0xff) << 24) +
90 ((png_int_32)((*(buf + 1)) & 0xff) << 16) +
91 ((png_int_32)((*(buf + 2)) & 0xff) << 8) +
92 ((png_int_32)((*(buf + 3)) & 0xff) );
93
94 return (i);
95 }
96
97 /* Grab an unsigned 16-bit integer from a buffer in big-endian format. */
98 png_uint_16 PNGAPI
99 png_get_uint_16(png_bytep buf)
100 {
101 png_uint_16 i = ((png_uint_16)((*(buf )) & 0xff) << 8) +
102 ((png_uint_16)((*(buf + 1)) & 0xff) );
103
104 return (i);
105 }
106 #endif /* PNG_READ_BIG_ENDIAN_SUPPORTED */
107 151
108 /* Read the chunk header (length + type name). 152 /* Read the chunk header (length + type name).
109 * Put the type name into png_ptr->chunk_name, and return the length. 153 * Put the type name into png_ptr->chunk_name, and return the length.
110 */ 154 */
111 png_uint_32 /* PRIVATE */ 155 png_uint_32 /* PRIVATE */
112 png_read_chunk_header(png_structp png_ptr) 156 png_read_chunk_header(png_structrp png_ptr)
113 { 157 {
114 png_byte buf[8]; 158 png_byte buf[8];
115 png_uint_32 length; 159 png_uint_32 length;
116 160
117 /* Read the length and the chunk name */ 161 #ifdef PNG_IO_STATE_SUPPORTED
162 png_ptr->io_state = PNG_IO_READING | PNG_IO_CHUNK_HDR;
163 #endif
164
165 /* Read the length and the chunk name.
166 * This must be performed in a single I/O call.
167 */
118 png_read_data(png_ptr, buf, 8); 168 png_read_data(png_ptr, buf, 8);
119 length = png_get_uint_31(png_ptr, buf); 169 length = png_get_uint_31(png_ptr, buf);
120 170
121 /* Put the chunk name into png_ptr->chunk_name */ 171 /* Put the chunk name into png_ptr->chunk_name. */
122 png_memcpy(png_ptr->chunk_name, buf + 4, 4); 172 png_ptr->chunk_name = PNG_CHUNK_FROM_STRING(buf+4);
123 173
124 png_debug2(0, "Reading %s chunk, length = %lu", 174 png_debug2(0, "Reading %lx chunk, length = %lu",
125 png_ptr->chunk_name, length); 175 (unsigned long)png_ptr->chunk_name, (unsigned long)length);
126 176
127 /* Reset the crc and run it over the chunk name */ 177 /* Reset the crc and run it over the chunk name. */
128 png_reset_crc(png_ptr); 178 png_reset_crc(png_ptr);
129 png_calculate_crc(png_ptr, png_ptr->chunk_name, 4); 179 png_calculate_crc(png_ptr, buf + 4, 4);
130 180
131 /* Check to see if chunk name is valid */ 181 /* Check to see if chunk name is valid. */
132 png_check_chunk_name(png_ptr, png_ptr->chunk_name); 182 png_check_chunk_name(png_ptr, png_ptr->chunk_name);
133 183
184 #ifdef PNG_IO_STATE_SUPPORTED
185 png_ptr->io_state = PNG_IO_READING | PNG_IO_CHUNK_DATA;
186 #endif
187
134 return length; 188 return length;
135 } 189 }
136 190
137 /* Read data, and (optionally) run it through the CRC. */ 191 /* Read data, and (optionally) run it through the CRC. */
138 void /* PRIVATE */ 192 void /* PRIVATE */
139 png_crc_read(png_structp png_ptr, png_bytep buf, png_size_t length) 193 png_crc_read(png_structrp png_ptr, png_bytep buf, png_uint_32 length)
140 { 194 {
141 if (png_ptr == NULL) 195 if (png_ptr == NULL)
142 return; 196 return;
197
143 png_read_data(png_ptr, buf, length); 198 png_read_data(png_ptr, buf, length);
144 png_calculate_crc(png_ptr, buf, length); 199 png_calculate_crc(png_ptr, buf, length);
145 } 200 }
146 201
147 /* Optionally skip data and then check the CRC. Depending on whether we 202 /* Optionally skip data and then check the CRC. Depending on whether we
148 * are reading a ancillary or critical chunk, and how the program has set 203 * are reading an ancillary or critical chunk, and how the program has set
149 * things up, we may calculate the CRC on the data and print a message. 204 * things up, we may calculate the CRC on the data and print a message.
150 * Returns '1' if there was a CRC error, '0' otherwise. 205 * Returns '1' if there was a CRC error, '0' otherwise.
151 */ 206 */
152 int /* PRIVATE */ 207 int /* PRIVATE */
153 png_crc_finish(png_structp png_ptr, png_uint_32 skip) 208 png_crc_finish(png_structrp png_ptr, png_uint_32 skip)
154 { 209 {
155 png_size_t i; 210 /* The size of the local buffer for inflate is a good guess as to a
156 png_size_t istop = png_ptr->zbuf_size; 211 * reasonable size to use for buffering reads from the application.
157 212 */
158 for (i = (png_size_t)skip; i > istop; i -= istop) 213 while (skip > 0)
159 { 214 {
160 png_crc_read(png_ptr, png_ptr->zbuf, png_ptr->zbuf_size); 215 png_uint_32 len;
216 png_byte tmpbuf[PNG_INFLATE_BUF_SIZE];
217
218 len = (sizeof tmpbuf);
219 if (len > skip)
220 len = skip;
221 skip -= len;
222
223 png_crc_read(png_ptr, tmpbuf, len);
161 } 224 }
162 if (i) 225
226 if (png_crc_error(png_ptr) != 0)
163 { 227 {
164 png_crc_read(png_ptr, png_ptr->zbuf, i); 228 if (PNG_CHUNK_ANCILLARY(png_ptr->chunk_name) != 0 ?
165 } 229 (png_ptr->flags & PNG_FLAG_CRC_ANCILLARY_NOWARN) == 0 :
166 230 (png_ptr->flags & PNG_FLAG_CRC_CRITICAL_USE) != 0)
167 if (png_crc_error(png_ptr))
168 {
169 if (((png_ptr->chunk_name[0] & 0x20) && /* Ancillary */
170 !(png_ptr->flags & PNG_FLAG_CRC_ANCILLARY_NOWARN)) ||
171 (!(png_ptr->chunk_name[0] & 0x20) && /* Critical */
172 (png_ptr->flags & PNG_FLAG_CRC_CRITICAL_USE)))
173 { 231 {
174 png_chunk_warning(png_ptr, "CRC error"); 232 png_chunk_warning(png_ptr, "CRC error");
175 } 233 }
234
176 else 235 else
177 {
178 png_chunk_error(png_ptr, "CRC error"); 236 png_chunk_error(png_ptr, "CRC error");
179 } 237
180 return (1); 238 return (1);
181 } 239 }
182 240
183 return (0); 241 return (0);
184 } 242 }
185 243
186 /* Compare the CRC stored in the PNG file with that calculated by libpng from 244 /* Compare the CRC stored in the PNG file with that calculated by libpng from
187 * the data it has read thus far. 245 * the data it has read thus far.
188 */ 246 */
189 int /* PRIVATE */ 247 int /* PRIVATE */
190 png_crc_error(png_structp png_ptr) 248 png_crc_error(png_structrp png_ptr)
191 { 249 {
192 png_byte crc_bytes[4]; 250 png_byte crc_bytes[4];
193 png_uint_32 crc; 251 png_uint_32 crc;
194 int need_crc = 1; 252 int need_crc = 1;
195 253
196 if (png_ptr->chunk_name[0] & 0x20) /* ancillary */ 254 if (PNG_CHUNK_ANCILLARY(png_ptr->chunk_name) != 0)
197 { 255 {
198 if ((png_ptr->flags & PNG_FLAG_CRC_ANCILLARY_MASK) == 256 if ((png_ptr->flags & PNG_FLAG_CRC_ANCILLARY_MASK) ==
199 (PNG_FLAG_CRC_ANCILLARY_USE | PNG_FLAG_CRC_ANCILLARY_NOWARN)) 257 (PNG_FLAG_CRC_ANCILLARY_USE | PNG_FLAG_CRC_ANCILLARY_NOWARN))
200 need_crc = 0; 258 need_crc = 0;
201 } 259 }
202 else /* critical */ 260
203 { 261 else /* critical */
204 if (png_ptr->flags & PNG_FLAG_CRC_CRITICAL_IGNORE) 262 {
263 if ((png_ptr->flags & PNG_FLAG_CRC_CRITICAL_IGNORE) != 0)
205 need_crc = 0; 264 need_crc = 0;
206 } 265 }
207 266
267 #ifdef PNG_IO_STATE_SUPPORTED
268 png_ptr->io_state = PNG_IO_READING | PNG_IO_CHUNK_CRC;
269 #endif
270
271 /* The chunk CRC must be serialized in a single I/O call. */
208 png_read_data(png_ptr, crc_bytes, 4); 272 png_read_data(png_ptr, crc_bytes, 4);
209 273
210 if (need_crc) 274 if (need_crc != 0)
211 { 275 {
212 crc = png_get_uint_32(crc_bytes); 276 crc = png_get_uint_32(crc_bytes);
213 return ((int)(crc != png_ptr->crc)); 277 return ((int)(crc != png_ptr->crc));
214 } 278 }
279
215 else 280 else
216 return (0); 281 return (0);
217 } 282 }
218 283
219 #if defined(PNG_READ_zTXt_SUPPORTED) || defined(PNG_READ_iTXt_SUPPORTED) || \ 284 #if defined(PNG_READ_iCCP_SUPPORTED) || defined(PNG_READ_iTXt_SUPPORTED) ||\
220 defined(PNG_READ_iCCP_SUPPORTED) 285 defined(PNG_READ_pCAL_SUPPORTED) || defined(PNG_READ_sCAL_SUPPORTED) ||\
221 static png_size_t 286 defined(PNG_READ_sPLT_SUPPORTED) || defined(PNG_READ_tEXt_SUPPORTED) ||\
222 png_inflate(png_structp png_ptr, const png_byte *data, png_size_t size, 287 defined(PNG_READ_zTXt_SUPPORTED) || defined(PNG_SEQUENTIAL_READ_SUPPORTED)
223 png_bytep output, png_size_t output_size) 288 /* Manage the read buffer; this simply reallocates the buffer if it is not small
224 { 289 * enough (or if it is not allocated). The routine returns a pointer to the
225 png_size_t count = 0; 290 * buffer; if an error occurs and 'warn' is set the routine returns NULL, else
226 291 * it will call png_error (via png_malloc) on failure. (warn == 2 means
227 png_ptr->zstream.next_in = (png_bytep)data; /* const_cast: VALID */ 292 * 'silent').
228 png_ptr->zstream.avail_in = size; 293 */
229 294 static png_bytep
230 while (1) 295 png_read_buffer(png_structrp png_ptr, png_alloc_size_t new_size, int warn)
231 { 296 {
232 int ret, avail; 297 png_bytep buffer = png_ptr->read_buffer;
233 298
234 /* Reset the output buffer each time round - we empty it 299 if (buffer != NULL && new_size > png_ptr->read_buffer_size)
235 * after every inflate call. 300 {
301 png_ptr->read_buffer = NULL;
302 png_ptr->read_buffer = NULL;
303 png_ptr->read_buffer_size = 0;
304 png_free(png_ptr, buffer);
305 buffer = NULL;
306 }
307
308 if (buffer == NULL)
309 {
310 buffer = png_voidcast(png_bytep, png_malloc_base(png_ptr, new_size));
311
312 if (buffer != NULL)
313 {
314 png_ptr->read_buffer = buffer;
315 png_ptr->read_buffer_size = new_size;
316 }
317
318 else if (warn < 2) /* else silent */
319 {
320 if (warn != 0)
321 png_chunk_warning(png_ptr, "insufficient memory to read chunk");
322
323 else
324 png_chunk_error(png_ptr, "insufficient memory to read chunk");
325 }
326 }
327
328 return buffer;
329 }
330 #endif /* READ_iCCP|iTXt|pCAL|sCAL|sPLT|tEXt|zTXt|SEQUENTIAL_READ */
331
332 /* png_inflate_claim: claim the zstream for some nefarious purpose that involves
333 * decompression. Returns Z_OK on success, else a zlib error code. It checks
334 * the owner but, in final release builds, just issues a warning if some other
335 * chunk apparently owns the stream. Prior to release it does a png_error.
336 */
337 static int
338 png_inflate_claim(png_structrp png_ptr, png_uint_32 owner)
339 {
340 if (png_ptr->zowner != 0)
341 {
342 char msg[64];
343
344 PNG_STRING_FROM_CHUNK(msg, png_ptr->zowner);
345 /* So the message that results is "<chunk> using zstream"; this is an
346 * internal error, but is very useful for debugging. i18n requirements
347 * are minimal.
236 */ 348 */
237 png_ptr->zstream.next_out = png_ptr->zbuf; 349 (void)png_safecat(msg, (sizeof msg), 4, " using zstream");
238 png_ptr->zstream.avail_out = png_ptr->zbuf_size; 350 #if PNG_RELEASE_BUILD
239 351 png_chunk_warning(png_ptr, msg);
240 ret = inflate(&png_ptr->zstream, Z_NO_FLUSH); 352 png_ptr->zowner = 0;
241 avail = png_ptr->zbuf_size - png_ptr->zstream.avail_out; 353 #else
242 354 png_chunk_error(png_ptr, msg);
243 /* First copy/count any new output - but only if we didn't 355 #endif
244 * get an error code. 356 }
357
358 /* Implementation note: unlike 'png_deflate_claim' this internal function
359 * does not take the size of the data as an argument. Some efficiency could
360 * be gained by using this when it is known *if* the zlib stream itself does
361 * not record the number; however, this is an illusion: the original writer
362 * of the PNG may have selected a lower window size, and we really must
363 * follow that because, for systems with with limited capabilities, we
364 * would otherwise reject the application's attempts to use a smaller window
365 * size (zlib doesn't have an interface to say "this or lower"!).
366 *
367 * inflateReset2 was added to zlib 1.2.4; before this the window could not be
368 * reset, therefore it is necessary to always allocate the maximum window
369 * size with earlier zlibs just in case later compressed chunks need it.
370 */
371 {
372 int ret; /* zlib return code */
373 #if PNG_ZLIB_VERNUM >= 0x1240
374
375 # if defined(PNG_SET_OPTION_SUPPORTED) && defined(PNG_MAXIMUM_INFLATE_WINDOW)
376 int window_bits;
377
378 if (((png_ptr->options >> PNG_MAXIMUM_INFLATE_WINDOW) & 3) ==
379 PNG_OPTION_ON)
380 window_bits = 15;
381
382 else
383 window_bits = 0;
384 # else
385 # define window_bits 0
386 # endif
387 #endif
388
389 /* Set this for safety, just in case the previous owner left pointers to
390 * memory allocations.
245 */ 391 */
246 if ((ret == Z_OK || ret == Z_STREAM_END) && avail > 0) 392 png_ptr->zstream.next_in = NULL;
247 { 393 png_ptr->zstream.avail_in = 0;
248 if (output != 0 && output_size > count) 394 png_ptr->zstream.next_out = NULL;
395 png_ptr->zstream.avail_out = 0;
396
397 if ((png_ptr->flags & PNG_FLAG_ZSTREAM_INITIALIZED) != 0)
398 {
399 #if PNG_ZLIB_VERNUM < 0x1240
400 ret = inflateReset(&png_ptr->zstream);
401 #else
402 ret = inflateReset2(&png_ptr->zstream, window_bits);
403 #endif
404 }
405
406 else
407 {
408 #if PNG_ZLIB_VERNUM < 0x1240
409 ret = inflateInit(&png_ptr->zstream);
410 #else
411 ret = inflateInit2(&png_ptr->zstream, window_bits);
412 #endif
413
414 if (ret == Z_OK)
415 png_ptr->flags |= PNG_FLAG_ZSTREAM_INITIALIZED;
416 }
417
418 if (ret == Z_OK)
419 png_ptr->zowner = owner;
420
421 else
422 png_zstream_error(png_ptr, ret);
423
424 return ret;
425 }
426
427 #ifdef window_bits
428 # undef window_bits
429 #endif
430 }
431
432 #ifdef PNG_READ_COMPRESSED_TEXT_SUPPORTED
433 /* png_inflate now returns zlib error codes including Z_OK and Z_STREAM_END to
434 * allow the caller to do multiple calls if required. If the 'finish' flag is
435 * set Z_FINISH will be passed to the final inflate() call and Z_STREAM_END must
436 * be returned or there has been a problem, otherwise Z_SYNC_FLUSH is used and
437 * Z_OK or Z_STREAM_END will be returned on success.
438 *
439 * The input and output sizes are updated to the actual amounts of data consumed
440 * or written, not the amount available (as in a z_stream). The data pointers
441 * are not changed, so the next input is (data+input_size) and the next
442 * available output is (output+output_size).
443 */
444 static int
445 png_inflate(png_structrp png_ptr, png_uint_32 owner, int finish,
446 /* INPUT: */ png_const_bytep input, png_uint_32p input_size_ptr,
447 /* OUTPUT: */ png_bytep output, png_alloc_size_t *output_size_ptr)
448 {
449 if (png_ptr->zowner == owner) /* Else not claimed */
450 {
451 int ret;
452 png_alloc_size_t avail_out = *output_size_ptr;
453 png_uint_32 avail_in = *input_size_ptr;
454
455 /* zlib can't necessarily handle more than 65535 bytes at once (i.e. it
456 * can't even necessarily handle 65536 bytes) because the type uInt is
457 * "16 bits or more". Consequently it is necessary to chunk the input to
458 * zlib. This code uses ZLIB_IO_MAX, from pngpriv.h, as the maximum (the
459 * maximum value that can be stored in a uInt.) It is possible to set
460 * ZLIB_IO_MAX to a lower value in pngpriv.h and this may sometimes have
461 * a performance advantage, because it reduces the amount of data accessed
462 * at each step and that may give the OS more time to page it in.
463 */
464 png_ptr->zstream.next_in = PNGZ_INPUT_CAST(input);
465 /* avail_in and avail_out are set below from 'size' */
466 png_ptr->zstream.avail_in = 0;
467 png_ptr->zstream.avail_out = 0;
468
469 /* Read directly into the output if it is available (this is set to
470 * a local buffer below if output is NULL).
471 */
472 if (output != NULL)
473 png_ptr->zstream.next_out = output;
474
475 do
476 {
477 uInt avail;
478 Byte local_buffer[PNG_INFLATE_BUF_SIZE];
479
480 /* zlib INPUT BUFFER */
481 /* The setting of 'avail_in' used to be outside the loop; by setting it
482 * inside it is possible to chunk the input to zlib and simply rely on
483 * zlib to advance the 'next_in' pointer. This allows arbitrary
484 * amounts of data to be passed through zlib at the unavoidable cost of
485 * requiring a window save (memcpy of up to 32768 output bytes)
486 * every ZLIB_IO_MAX input bytes.
487 */
488 avail_in += png_ptr->zstream.avail_in; /* not consumed last time */
489
490 avail = ZLIB_IO_MAX;
491
492 if (avail_in < avail)
493 avail = (uInt)avail_in; /* safe: < than ZLIB_IO_MAX */
494
495 avail_in -= avail;
496 png_ptr->zstream.avail_in = avail;
497
498 /* zlib OUTPUT BUFFER */
499 avail_out += png_ptr->zstream.avail_out; /* not written last time */
500
501 avail = ZLIB_IO_MAX; /* maximum zlib can process */
502
503 if (output == NULL)
249 { 504 {
250 png_size_t copy = output_size - count; 505 /* Reset the output buffer each time round if output is NULL and
251 if ((png_size_t) avail < copy) copy = (png_size_t) avail; 506 * make available the full buffer, up to 'remaining_space'
252 png_memcpy(output + count, png_ptr->zbuf, copy); 507 */
508 png_ptr->zstream.next_out = local_buffer;
509 if ((sizeof local_buffer) < avail)
510 avail = (sizeof local_buffer);
253 } 511 }
254 count += avail; 512
255 } 513 if (avail_out < avail)
256 514 avail = (uInt)avail_out; /* safe: < ZLIB_IO_MAX */
257 if (ret == Z_OK) 515
258 continue; 516 png_ptr->zstream.avail_out = avail;
259 517 avail_out -= avail;
260 /* Termination conditions - always reset the zstream, it 518
261 * must be left in inflateInit state. 519 /* zlib inflate call */
520 /* In fact 'avail_out' may be 0 at this point, that happens at the end
521 * of the read when the final LZ end code was not passed at the end of
522 * the previous chunk of input data. Tell zlib if we have reached the
523 * end of the output buffer.
524 */
525 ret = inflate(&png_ptr->zstream, avail_out > 0 ? Z_NO_FLUSH :
526 (finish ? Z_FINISH : Z_SYNC_FLUSH));
527 } while (ret == Z_OK);
528
529 /* For safety kill the local buffer pointer now */
530 if (output == NULL)
531 png_ptr->zstream.next_out = NULL;
532
533 /* Claw back the 'size' and 'remaining_space' byte counts. */
534 avail_in += png_ptr->zstream.avail_in;
535 avail_out += png_ptr->zstream.avail_out;
536
537 /* Update the input and output sizes; the updated values are the amount
538 * consumed or written, effectively the inverse of what zlib uses.
262 */ 539 */
263 png_ptr->zstream.avail_in = 0; 540 if (avail_out > 0)
264 inflateReset(&png_ptr->zstream); 541 *output_size_ptr -= avail_out;
265 542
266 if (ret == Z_STREAM_END) 543 if (avail_in > 0)
267 return count; /* NOTE: may be zero. */ 544 *input_size_ptr -= avail_in;
268 545
269 /* Now handle the error codes - the API always returns 0 546 /* Ensure png_ptr->zstream.msg is set (even in the success case!) */
270 * and the error message is dumped into the uncompressed 547 png_zstream_error(png_ptr, ret);
271 * buffer if available. 548 return ret;
549 }
550
551 else
552 {
553 /* This is a bad internal error. The recovery assigns to the zstream msg
554 * pointer, which is not owned by the caller, but this is safe; it's only
555 * used on errors!
272 */ 556 */
273 { 557 png_ptr->zstream.msg = PNGZ_MSG_CAST("zstream unclaimed");
274 PNG_CONST char *msg; 558 return Z_STREAM_ERROR;
275 if (png_ptr->zstream.msg != 0)
276 msg = png_ptr->zstream.msg;
277 else
278 {
279 #if defined(PNG_STDIO_SUPPORTED) && !defined(_WIN32_WCE)
280 char umsg[52];
281
282 switch (ret)
283 {
284 case Z_BUF_ERROR:
285 msg = "Buffer error in compressed datastream in %s chunk";
286 break;
287 case Z_DATA_ERROR:
288 msg = "Data error in compressed datastream in %s chunk";
289 break;
290 default:
291 msg = "Incomplete compressed datastream in %s chunk";
292 break;
293 }
294
295 png_snprintf(umsg, sizeof umsg, msg, png_ptr->chunk_name);
296 msg = umsg;
297 png_warning(png_ptr, msg);
298 #else
299 msg = "Damaged compressed datastream in chunk other than IDAT";
300 #endif
301 }
302
303 #ifndef PNG_STDIO_SUPPORTED
304 png_warning(png_ptr, msg);
305 #endif
306 }
307
308 /* 0 means an error - notice that this code simple ignores
309 * zero length compressed chunks as a result.
310 */
311 return 0;
312 } 559 }
313 } 560 }
314 561
315 /* 562 /*
316 * Decompress trailing data in a chunk. The assumption is that chunkdata 563 * Decompress trailing data in a chunk. The assumption is that read_buffer
317 * points at an allocated area holding the contents of a chunk with a 564 * points at an allocated area holding the contents of a chunk with a
318 * trailing compressed part. What we get back is an allocated area 565 * trailing compressed part. What we get back is an allocated area
319 * holding the original prefix part and an uncompressed version of the 566 * holding the original prefix part and an uncompressed version of the
320 * trailing part (the malloc area passed in is freed). 567 * trailing part (the malloc area passed in is freed).
321 */ 568 */
569 static int
570 png_decompress_chunk(png_structrp png_ptr,
571 png_uint_32 chunklength, png_uint_32 prefix_size,
572 png_alloc_size_t *newlength /* must be initialized to the maximum! */,
573 int terminate /*add a '\0' to the end of the uncompressed data*/)
574 {
575 /* TODO: implement different limits for different types of chunk.
576 *
577 * The caller supplies *newlength set to the maximum length of the
578 * uncompressed data, but this routine allocates space for the prefix and
579 * maybe a '\0' terminator too. We have to assume that 'prefix_size' is
580 * limited only by the maximum chunk size.
581 */
582 png_alloc_size_t limit = PNG_SIZE_MAX;
583
584 # ifdef PNG_SET_USER_LIMITS_SUPPORTED
585 if (png_ptr->user_chunk_malloc_max > 0 &&
586 png_ptr->user_chunk_malloc_max < limit)
587 limit = png_ptr->user_chunk_malloc_max;
588 # elif PNG_USER_CHUNK_MALLOC_MAX > 0
589 if (PNG_USER_CHUNK_MALLOC_MAX < limit)
590 limit = PNG_USER_CHUNK_MALLOC_MAX;
591 # endif
592
593 if (limit >= prefix_size + (terminate != 0))
594 {
595 int ret;
596
597 limit -= prefix_size + (terminate != 0);
598
599 if (limit < *newlength)
600 *newlength = limit;
601
602 /* Now try to claim the stream. */
603 ret = png_inflate_claim(png_ptr, png_ptr->chunk_name);
604
605 if (ret == Z_OK)
606 {
607 png_uint_32 lzsize = chunklength - prefix_size;
608
609 ret = png_inflate(png_ptr, png_ptr->chunk_name, 1/*finish*/,
610 /* input: */ png_ptr->read_buffer + prefix_size, &lzsize,
611 /* output: */ NULL, newlength);
612
613 if (ret == Z_STREAM_END)
614 {
615 /* Use 'inflateReset' here, not 'inflateReset2' because this
616 * preserves the previously decided window size (otherwise it would
617 * be necessary to store the previous window size.) In practice
618 * this doesn't matter anyway, because png_inflate will call inflate
619 * with Z_FINISH in almost all cases, so the window will not be
620 * maintained.
621 */
622 if (inflateReset(&png_ptr->zstream) == Z_OK)
623 {
624 /* Because of the limit checks above we know that the new,
625 * expanded, size will fit in a size_t (let alone an
626 * png_alloc_size_t). Use png_malloc_base here to avoid an
627 * extra OOM message.
628 */
629 png_alloc_size_t new_size = *newlength;
630 png_alloc_size_t buffer_size = prefix_size + new_size +
631 (terminate != 0);
632 png_bytep text = png_voidcast(png_bytep, png_malloc_base(png_ptr,
633 buffer_size));
634
635 if (text != NULL)
636 {
637 ret = png_inflate(png_ptr, png_ptr->chunk_name, 1/*finish*/,
638 png_ptr->read_buffer + prefix_size, &lzsize,
639 text + prefix_size, newlength);
640
641 if (ret == Z_STREAM_END)
642 {
643 if (new_size == *newlength)
644 {
645 if (terminate != 0)
646 text[prefix_size + *newlength] = 0;
647
648 if (prefix_size > 0)
649 memcpy(text, png_ptr->read_buffer, prefix_size);
650
651 {
652 png_bytep old_ptr = png_ptr->read_buffer;
653
654 png_ptr->read_buffer = text;
655 png_ptr->read_buffer_size = buffer_size;
656 text = old_ptr; /* freed below */
657 }
658 }
659
660 else
661 {
662 /* The size changed on the second read, there can be no
663 * guarantee that anything is correct at this point.
664 * The 'msg' pointer has been set to "unexpected end of
665 * LZ stream", which is fine, but return an error code
666 * that the caller won't accept.
667 */
668 ret = PNG_UNEXPECTED_ZLIB_RETURN;
669 }
670 }
671
672 else if (ret == Z_OK)
673 ret = PNG_UNEXPECTED_ZLIB_RETURN; /* for safety */
674
675 /* Free the text pointer (this is the old read_buffer on
676 * success)
677 */
678 png_free(png_ptr, text);
679
680 /* This really is very benign, but it's still an error because
681 * the extra space may otherwise be used as a Trojan Horse.
682 */
683 if (ret == Z_STREAM_END &&
684 chunklength - prefix_size != lzsize)
685 png_chunk_benign_error(png_ptr, "extra compressed data");
686 }
687
688 else
689 {
690 /* Out of memory allocating the buffer */
691 ret = Z_MEM_ERROR;
692 png_zstream_error(png_ptr, Z_MEM_ERROR);
693 }
694 }
695
696 else
697 {
698 /* inflateReset failed, store the error message */
699 png_zstream_error(png_ptr, ret);
700
701 if (ret == Z_STREAM_END)
702 ret = PNG_UNEXPECTED_ZLIB_RETURN;
703 }
704 }
705
706 else if (ret == Z_OK)
707 ret = PNG_UNEXPECTED_ZLIB_RETURN;
708
709 /* Release the claimed stream */
710 png_ptr->zowner = 0;
711 }
712
713 else /* the claim failed */ if (ret == Z_STREAM_END) /* impossible! */
714 ret = PNG_UNEXPECTED_ZLIB_RETURN;
715
716 return ret;
717 }
718
719 else
720 {
721 /* Application/configuration limits exceeded */
722 png_zstream_error(png_ptr, Z_MEM_ERROR);
723 return Z_MEM_ERROR;
724 }
725 }
726 #endif /* READ_COMPRESSED_TEXT */
727
728 #ifdef PNG_READ_iCCP_SUPPORTED
729 /* Perform a partial read and decompress, producing 'avail_out' bytes and
730 * reading from the current chunk as required.
731 */
732 static int
733 png_inflate_read(png_structrp png_ptr, png_bytep read_buffer, uInt read_size,
734 png_uint_32p chunk_bytes, png_bytep next_out, png_alloc_size_t *out_size,
735 int finish)
736 {
737 if (png_ptr->zowner == png_ptr->chunk_name)
738 {
739 int ret;
740
741 /* next_in and avail_in must have been initialized by the caller. */
742 png_ptr->zstream.next_out = next_out;
743 png_ptr->zstream.avail_out = 0; /* set in the loop */
744
745 do
746 {
747 if (png_ptr->zstream.avail_in == 0)
748 {
749 if (read_size > *chunk_bytes)
750 read_size = (uInt)*chunk_bytes;
751 *chunk_bytes -= read_size;
752
753 if (read_size > 0)
754 png_crc_read(png_ptr, read_buffer, read_size);
755
756 png_ptr->zstream.next_in = read_buffer;
757 png_ptr->zstream.avail_in = read_size;
758 }
759
760 if (png_ptr->zstream.avail_out == 0)
761 {
762 uInt avail = ZLIB_IO_MAX;
763 if (avail > *out_size)
764 avail = (uInt)*out_size;
765 *out_size -= avail;
766
767 png_ptr->zstream.avail_out = avail;
768 }
769
770 /* Use Z_SYNC_FLUSH when there is no more chunk data to ensure that all
771 * the available output is produced; this allows reading of truncated
772 * streams.
773 */
774 ret = inflate(&png_ptr->zstream,
775 *chunk_bytes > 0 ? Z_NO_FLUSH : (finish ? Z_FINISH : Z_SYNC_FLUSH));
776 }
777 while (ret == Z_OK && (*out_size > 0 || png_ptr->zstream.avail_out > 0));
778
779 *out_size += png_ptr->zstream.avail_out;
780 png_ptr->zstream.avail_out = 0; /* Should not be required, but is safe */
781
782 /* Ensure the error message pointer is always set: */
783 png_zstream_error(png_ptr, ret);
784 return ret;
785 }
786
787 else
788 {
789 png_ptr->zstream.msg = PNGZ_MSG_CAST("zstream unclaimed");
790 return Z_STREAM_ERROR;
791 }
792 }
793 #endif
794
795 /* Read and check the IDHR chunk */
796
322 void /* PRIVATE */ 797 void /* PRIVATE */
323 png_decompress_chunk(png_structp png_ptr, int comp_type, 798 png_handle_IHDR(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
324 png_size_t chunklength,
325 png_size_t prefix_size, png_size_t *newlength)
326 {
327 /* The caller should guarantee this */
328 if (prefix_size > chunklength)
329 {
330 /* The recovery is to delete the chunk. */
331 png_warning(png_ptr, "invalid chunklength");
332 prefix_size = 0; /* To delete everything */
333 }
334
335 else if (comp_type == PNG_COMPRESSION_TYPE_BASE)
336 {
337 png_size_t expanded_size = png_inflate(png_ptr,
338 (png_bytep)(png_ptr->chunkdata + prefix_size),
339 chunklength - prefix_size,
340 0/*output*/, 0/*output size*/);
341
342 /* Now check the limits on this chunk - if the limit fails the
343 * compressed data will be removed, the prefix will remain.
344 */
345 if (prefix_size >= (~(png_size_t)0) - 1 ||
346 expanded_size >= (~(png_size_t)0) - 1 - prefix_size
347 #ifdef PNG_USER_CHUNK_MALLOC_MAX
348 || ((PNG_USER_CHUNK_MALLOC_MAX > 0) &&
349 prefix_size + expanded_size >= PNG_USER_CHUNK_MALLOC_MAX - 1)
350 #endif
351 )
352 png_warning(png_ptr, "Exceeded size limit while expanding chunk");
353
354 /* If the size is zero either there was an error and a message
355 * has already been output (warning) or the size really is zero
356 * and we have nothing to do - the code will exit through the
357 * error case below.
358 */
359 else if (expanded_size > 0)
360 {
361 /* Success (maybe) - really uncompress the chunk. */
362 png_size_t new_size = 0;
363
364 png_charp text = png_malloc_warn(png_ptr,
365 prefix_size + expanded_size + 1);
366
367 if (text != NULL)
368 {
369 png_memcpy(text, png_ptr->chunkdata, prefix_size);
370 new_size = png_inflate(png_ptr,
371 (png_bytep)(png_ptr->chunkdata + prefix_size),
372 chunklength - prefix_size,
373 (png_bytep)(text + prefix_size), expanded_size);
374 text[prefix_size + expanded_size] = 0; /* just in case */
375
376 if (new_size == expanded_size)
377 {
378 png_free(png_ptr, png_ptr->chunkdata);
379 png_ptr->chunkdata = text;
380 *newlength = prefix_size + expanded_size;
381 return; /* The success return! */
382 }
383
384 png_warning(png_ptr, "png_inflate logic error");
385 png_free(png_ptr, text);
386 }
387 else
388 png_warning(png_ptr, "Not enough memory to decompress chunk.");
389 }
390 }
391
392 else /* if (comp_type != PNG_COMPRESSION_TYPE_BASE) */
393 {
394 #if defined(PNG_STDIO_SUPPORTED) && !defined(_WIN32_WCE)
395 char umsg[50];
396
397 png_snprintf(umsg, sizeof umsg, "Unknown zTXt compression type %d",
398 comp_type);
399 png_warning(png_ptr, umsg);
400 #else
401 png_warning(png_ptr, "Unknown zTXt compression type");
402 #endif
403
404 /* The recovery is to simply drop the data. */
405 }
406
407 /* Generic error return - leave the prefix, delete the compressed
408 * data, reallocate the chunkdata to remove the potentially large
409 * amount of compressed data.
410 */
411 {
412 png_charp text = png_malloc_warn(png_ptr, prefix_size + 1);
413 if (text != NULL)
414 {
415 if (prefix_size > 0)
416 png_memcpy(text, png_ptr->chunkdata, prefix_size);
417 png_free(png_ptr, png_ptr->chunkdata);
418 png_ptr->chunkdata = text;
419
420 /* This is an extra zero in the 'uncompressed' part. */
421 *(png_ptr->chunkdata + prefix_size) = 0x00;
422 }
423 /* Ignore a malloc error here - it is safe. */
424 }
425
426 *newlength = prefix_size;
427 }
428 #endif
429
430 /* Read and check the IDHR chunk */
431 void /* PRIVATE */
432 png_handle_IHDR(png_structp png_ptr, png_infop info_ptr, png_uint_32 length)
433 { 799 {
434 png_byte buf[13]; 800 png_byte buf[13];
435 png_uint_32 width, height; 801 png_uint_32 width, height;
436 int bit_depth, color_type, compression_type, filter_type; 802 int bit_depth, color_type, compression_type, filter_type;
437 int interlace_type; 803 int interlace_type;
438 804
439 png_debug(1, "in png_handle_IHDR"); 805 png_debug(1, "in png_handle_IHDR");
440 806
441 if (png_ptr->mode & PNG_HAVE_IHDR) 807 if ((png_ptr->mode & PNG_HAVE_IHDR) != 0)
442 png_error(png_ptr, "Out of place IHDR"); 808 png_chunk_error(png_ptr, "out of place");
443 809
444 /* Check the length */ 810 /* Check the length */
445 if (length != 13) 811 if (length != 13)
446 png_error(png_ptr, "Invalid IHDR chunk"); 812 png_chunk_error(png_ptr, "invalid");
447 813
448 png_ptr->mode |= PNG_HAVE_IHDR; 814 png_ptr->mode |= PNG_HAVE_IHDR;
449 815
450 png_crc_read(png_ptr, buf, 13); 816 png_crc_read(png_ptr, buf, 13);
451 png_crc_finish(png_ptr, 0); 817 png_crc_finish(png_ptr, 0);
452 818
453 width = png_get_uint_31(png_ptr, buf); 819 width = png_get_uint_31(png_ptr, buf);
454 height = png_get_uint_31(png_ptr, buf + 4); 820 height = png_get_uint_31(png_ptr, buf + 4);
455 bit_depth = buf[8]; 821 bit_depth = buf[8];
456 color_type = buf[9]; 822 color_type = buf[9];
457 compression_type = buf[10]; 823 compression_type = buf[10];
458 filter_type = buf[11]; 824 filter_type = buf[11];
459 interlace_type = buf[12]; 825 interlace_type = buf[12];
460 826
461 /* Set internal variables */ 827 /* Set internal variables */
462 png_ptr->width = width; 828 png_ptr->width = width;
463 png_ptr->height = height; 829 png_ptr->height = height;
464 png_ptr->bit_depth = (png_byte)bit_depth; 830 png_ptr->bit_depth = (png_byte)bit_depth;
465 png_ptr->interlaced = (png_byte)interlace_type; 831 png_ptr->interlaced = (png_byte)interlace_type;
466 png_ptr->color_type = (png_byte)color_type; 832 png_ptr->color_type = (png_byte)color_type;
467 #ifdef PNG_MNG_FEATURES_SUPPORTED 833 #ifdef PNG_MNG_FEATURES_SUPPORTED
468 png_ptr->filter_type = (png_byte)filter_type; 834 png_ptr->filter_type = (png_byte)filter_type;
469 #endif 835 #endif
470 png_ptr->compression_type = (png_byte)compression_type; 836 png_ptr->compression_type = (png_byte)compression_type;
471 837
472 /* Find number of channels */ 838 /* Find number of channels */
473 switch (png_ptr->color_type) 839 switch (png_ptr->color_type)
474 { 840 {
841 default: /* invalid, png_set_IHDR calls png_error */
475 case PNG_COLOR_TYPE_GRAY: 842 case PNG_COLOR_TYPE_GRAY:
476 case PNG_COLOR_TYPE_PALETTE: 843 case PNG_COLOR_TYPE_PALETTE:
477 png_ptr->channels = 1; 844 png_ptr->channels = 1;
478 break; 845 break;
479 846
480 case PNG_COLOR_TYPE_RGB: 847 case PNG_COLOR_TYPE_RGB:
481 png_ptr->channels = 3; 848 png_ptr->channels = 3;
482 break; 849 break;
483 850
484 case PNG_COLOR_TYPE_GRAY_ALPHA: 851 case PNG_COLOR_TYPE_GRAY_ALPHA:
485 png_ptr->channels = 2; 852 png_ptr->channels = 2;
486 break; 853 break;
487 854
488 case PNG_COLOR_TYPE_RGB_ALPHA: 855 case PNG_COLOR_TYPE_RGB_ALPHA:
489 png_ptr->channels = 4; 856 png_ptr->channels = 4;
490 break; 857 break;
491 } 858 }
492 859
493 /* Set up other useful info */ 860 /* Set up other useful info */
494 png_ptr->pixel_depth = (png_byte)(png_ptr->bit_depth * 861 png_ptr->pixel_depth = (png_byte)(png_ptr->bit_depth * png_ptr->channels);
495 png_ptr->channels);
496 png_ptr->rowbytes = PNG_ROWBYTES(png_ptr->pixel_depth, png_ptr->width); 862 png_ptr->rowbytes = PNG_ROWBYTES(png_ptr->pixel_depth, png_ptr->width);
497 png_debug1(3, "bit_depth = %d", png_ptr->bit_depth); 863 png_debug1(3, "bit_depth = %d", png_ptr->bit_depth);
498 png_debug1(3, "channels = %d", png_ptr->channels); 864 png_debug1(3, "channels = %d", png_ptr->channels);
499 png_debug1(3, "rowbytes = %lu", png_ptr->rowbytes); 865 png_debug1(3, "rowbytes = %lu", (unsigned long)png_ptr->rowbytes);
500 png_set_IHDR(png_ptr, info_ptr, width, height, bit_depth, 866 png_set_IHDR(png_ptr, info_ptr, width, height, bit_depth,
501 color_type, interlace_type, compression_type, filter_type); 867 color_type, interlace_type, compression_type, filter_type);
502 } 868 }
503 869
504 /* Read and check the palette */ 870 /* Read and check the palette */
505 void /* PRIVATE */ 871 void /* PRIVATE */
506 png_handle_PLTE(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) 872 png_handle_PLTE(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
507 { 873 {
508 png_color palette[PNG_MAX_PALETTE_LENGTH]; 874 png_color palette[PNG_MAX_PALETTE_LENGTH];
509 int max_palette_length, num, i; 875 int max_palette_length, num, i;
510 #ifdef PNG_POINTER_INDEXING_SUPPORTED 876 #ifdef PNG_POINTER_INDEXING_SUPPORTED
511 png_colorp pal_ptr; 877 png_colorp pal_ptr;
512 #endif 878 #endif
513 879
514 png_debug(1, "in png_handle_PLTE"); 880 png_debug(1, "in png_handle_PLTE");
515 881
516 if (!(png_ptr->mode & PNG_HAVE_IHDR)) 882 if ((png_ptr->mode & PNG_HAVE_IHDR) == 0)
517 png_error(png_ptr, "Missing IHDR before PLTE"); 883 png_chunk_error(png_ptr, "missing IHDR");
518 884
519 else if (png_ptr->mode & PNG_HAVE_IDAT) 885 /* Moved to before the 'after IDAT' check below because otherwise duplicate
886 * PLTE chunks are potentially ignored (the spec says there shall not be more
887 * than one PLTE, the error is not treated as benign, so this check trumps
888 * the requirement that PLTE appears before IDAT.)
889 */
890 else if ((png_ptr->mode & PNG_HAVE_PLTE) != 0)
891 png_chunk_error(png_ptr, "duplicate");
892
893 else if ((png_ptr->mode & PNG_HAVE_IDAT) != 0)
520 { 894 {
521 png_warning(png_ptr, "Invalid PLTE after IDAT"); 895 /* This is benign because the non-benign error happened before, when an
896 * IDAT was encountered in a color-mapped image with no PLTE.
897 */
522 png_crc_finish(png_ptr, length); 898 png_crc_finish(png_ptr, length);
899 png_chunk_benign_error(png_ptr, "out of place");
523 return; 900 return;
524 } 901 }
525 902
526 else if (png_ptr->mode & PNG_HAVE_PLTE)
527 png_error(png_ptr, "Duplicate PLTE chunk");
528
529 png_ptr->mode |= PNG_HAVE_PLTE; 903 png_ptr->mode |= PNG_HAVE_PLTE;
530 904
531 if (!(png_ptr->color_type&PNG_COLOR_MASK_COLOR)) 905 if ((png_ptr->color_type & PNG_COLOR_MASK_COLOR) == 0)
532 { 906 {
533 png_warning(png_ptr,
534 "Ignoring PLTE chunk in grayscale PNG");
535 png_crc_finish(png_ptr, length); 907 png_crc_finish(png_ptr, length);
908 png_chunk_benign_error(png_ptr, "ignored in grayscale PNG");
536 return; 909 return;
537 } 910 }
911
538 #ifndef PNG_READ_OPT_PLTE_SUPPORTED 912 #ifndef PNG_READ_OPT_PLTE_SUPPORTED
539 if (png_ptr->color_type != PNG_COLOR_TYPE_PALETTE) 913 if (png_ptr->color_type != PNG_COLOR_TYPE_PALETTE)
540 { 914 {
541 png_crc_finish(png_ptr, length); 915 png_crc_finish(png_ptr, length);
542 return; 916 return;
543 } 917 }
544 #endif 918 #endif
545 919
546 if (length > 3*PNG_MAX_PALETTE_LENGTH || length % 3) 920 if (length > 3*PNG_MAX_PALETTE_LENGTH || length % 3)
547 { 921 {
922 png_crc_finish(png_ptr, length);
923
548 if (png_ptr->color_type != PNG_COLOR_TYPE_PALETTE) 924 if (png_ptr->color_type != PNG_COLOR_TYPE_PALETTE)
549 { 925 png_chunk_benign_error(png_ptr, "invalid");
550 png_warning(png_ptr, "Invalid palette chunk");
551 png_crc_finish(png_ptr, length);
552 return;
553 }
554 926
555 else 927 else
556 { 928 png_chunk_error(png_ptr, "invalid");
557 png_error(png_ptr, "Invalid palette chunk"); 929
558 } 930 return;
559 } 931 }
560 932
561 /* The cast is safe because 'length' is less than 3*PNG_MAX_PALETTE_LENGTH */ 933 /* The cast is safe because 'length' is less than 3*PNG_MAX_PALETTE_LENGTH */
562 num = (int)length / 3; 934 num = (int)length / 3;
563 935
564 /* If the palette has 256 or fewer entries but is too large for the bit 936 /* If the palette has 256 or fewer entries but is too large for the bit
565 * depth, we don't issue an error, to preserve the behavior of previous 937 * depth, we don't issue an error, to preserve the behavior of previous
566 * libpng versions. We silently truncate the unused extra palette entries 938 * libpng versions. We silently truncate the unused extra palette entries
567 * here. 939 * here.
568 */ 940 */
(...skipping 21 matching lines...) Expand all
590 png_byte buf[3]; 962 png_byte buf[3];
591 963
592 png_crc_read(png_ptr, buf, 3); 964 png_crc_read(png_ptr, buf, 3);
593 /* Don't depend upon png_color being any order */ 965 /* Don't depend upon png_color being any order */
594 palette[i].red = buf[0]; 966 palette[i].red = buf[0];
595 palette[i].green = buf[1]; 967 palette[i].green = buf[1];
596 palette[i].blue = buf[2]; 968 palette[i].blue = buf[2];
597 } 969 }
598 #endif 970 #endif
599 971
600 /* If we actually NEED the PLTE chunk (ie for a paletted image), we do 972 /* If we actually need the PLTE chunk (ie for a paletted image), we do
601 * whatever the normal CRC configuration tells us. However, if we 973 * whatever the normal CRC configuration tells us. However, if we
602 * have an RGB image, the PLTE can be considered ancillary, so 974 * have an RGB image, the PLTE can be considered ancillary, so
603 * we will act as though it is. 975 * we will act as though it is.
604 */ 976 */
605 #ifndef PNG_READ_OPT_PLTE_SUPPORTED 977 #ifndef PNG_READ_OPT_PLTE_SUPPORTED
606 if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) 978 if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
607 #endif 979 #endif
608 { 980 {
609 png_crc_finish(png_ptr, (int) length - num * 3); 981 png_crc_finish(png_ptr, (int) length - num * 3);
610 } 982 }
983
611 #ifndef PNG_READ_OPT_PLTE_SUPPORTED 984 #ifndef PNG_READ_OPT_PLTE_SUPPORTED
612 else if (png_crc_error(png_ptr)) /* Only if we have a CRC error */ 985 else if (png_crc_error(png_ptr) != 0) /* Only if we have a CRC error */
613 { 986 {
614 /* If we don't want to use the data from an ancillary chunk, 987 /* If we don't want to use the data from an ancillary chunk,
615 we have two options: an error abort, or a warning and we 988 * we have two options: an error abort, or a warning and we
616 ignore the data in this chunk (which should be OK, since 989 * ignore the data in this chunk (which should be OK, since
617 it's considered ancillary for a RGB or RGBA image). */ 990 * it's considered ancillary for a RGB or RGBA image).
618 if (!(png_ptr->flags & PNG_FLAG_CRC_ANCILLARY_USE)) 991 *
992 * IMPLEMENTATION NOTE: this is only here because png_crc_finish uses the
993 * chunk type to determine whether to check the ancillary or the critical
994 * flags.
995 */
996 if ((png_ptr->flags & PNG_FLAG_CRC_ANCILLARY_USE) == 0)
619 { 997 {
620 if (png_ptr->flags & PNG_FLAG_CRC_ANCILLARY_NOWARN) 998 if ((png_ptr->flags & PNG_FLAG_CRC_ANCILLARY_NOWARN) != 0)
621 { 999 return;
1000
1001 else
622 png_chunk_error(png_ptr, "CRC error"); 1002 png_chunk_error(png_ptr, "CRC error");
623 }
624 else
625 {
626 png_chunk_warning(png_ptr, "CRC error");
627 return;
628 }
629 } 1003 }
1004
630 /* Otherwise, we (optionally) emit a warning and use the chunk. */ 1005 /* Otherwise, we (optionally) emit a warning and use the chunk. */
631 else if (!(png_ptr->flags & PNG_FLAG_CRC_ANCILLARY_NOWARN)) 1006 else if ((png_ptr->flags & PNG_FLAG_CRC_ANCILLARY_NOWARN) == 0)
632 {
633 png_chunk_warning(png_ptr, "CRC error"); 1007 png_chunk_warning(png_ptr, "CRC error");
634 } 1008 }
635 } 1009 #endif
636 #endif 1010
637 1011 /* TODO: png_set_PLTE has the side effect of setting png_ptr->palette to its
1012 * own copy of the palette. This has the side effect that when png_start_row
1013 * is called (this happens after any call to png_read_update_info) the
1014 * info_ptr palette gets changed. This is extremely unexpected and
1015 * confusing.
1016 *
1017 * Fix this by not sharing the palette in this way.
1018 */
638 png_set_PLTE(png_ptr, info_ptr, palette, num); 1019 png_set_PLTE(png_ptr, info_ptr, palette, num);
639 1020
1021 /* The three chunks, bKGD, hIST and tRNS *must* appear after PLTE and before
1022 * IDAT. Prior to 1.6.0 this was not checked; instead the code merely
1023 * checked the apparent validity of a tRNS chunk inserted before PLTE on a
1024 * palette PNG. 1.6.0 attempts to rigorously follow the standard and
1025 * therefore does a benign error if the erroneous condition is detected *and*
1026 * cancels the tRNS if the benign error returns. The alternative is to
1027 * amend the standard since it would be rather hypocritical of the standards
1028 * maintainers to ignore it.
1029 */
640 #ifdef PNG_READ_tRNS_SUPPORTED 1030 #ifdef PNG_READ_tRNS_SUPPORTED
641 if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) 1031 if (png_ptr->num_trans > 0 ||
642 { 1032 (info_ptr != NULL && (info_ptr->valid & PNG_INFO_tRNS) != 0))
643 if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_tRNS)) 1033 {
644 { 1034 /* Cancel this because otherwise it would be used if the transforms
645 if (png_ptr->num_trans > (png_uint_16)num) 1035 * require it. Don't cancel the 'valid' flag because this would prevent
646 { 1036 * detection of duplicate chunks.
647 png_warning(png_ptr, "Truncating incorrect tRNS chunk length"); 1037 */
648 png_ptr->num_trans = (png_uint_16)num; 1038 png_ptr->num_trans = 0;
649 } 1039
650 if (info_ptr->num_trans > (png_uint_16)num) 1040 if (info_ptr != NULL)
651 { 1041 info_ptr->num_trans = 0;
652 png_warning(png_ptr, "Truncating incorrect info tRNS chunk length"); 1042
653 info_ptr->num_trans = (png_uint_16)num; 1043 png_chunk_benign_error(png_ptr, "tRNS must be after");
654 } 1044 }
655 } 1045 #endif
656 } 1046
657 #endif 1047 #ifdef PNG_READ_hIST_SUPPORTED
658 1048 if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_hIST) != 0)
1049 png_chunk_benign_error(png_ptr, "hIST must be after");
1050 #endif
1051
1052 #ifdef PNG_READ_bKGD_SUPPORTED
1053 if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_bKGD) != 0)
1054 png_chunk_benign_error(png_ptr, "bKGD must be after");
1055 #endif
659 } 1056 }
660 1057
661 void /* PRIVATE */ 1058 void /* PRIVATE */
662 png_handle_IEND(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) 1059 png_handle_IEND(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
663 { 1060 {
664 png_debug(1, "in png_handle_IEND"); 1061 png_debug(1, "in png_handle_IEND");
665 1062
666 if (!(png_ptr->mode & PNG_HAVE_IHDR) || !(png_ptr->mode & PNG_HAVE_IDAT)) 1063 if ((png_ptr->mode & PNG_HAVE_IHDR) == 0 ||
667 { 1064 (png_ptr->mode & PNG_HAVE_IDAT) == 0)
668 png_error(png_ptr, "No image in file"); 1065 png_chunk_error(png_ptr, "out of place");
669 }
670 1066
671 png_ptr->mode |= (PNG_AFTER_IDAT | PNG_HAVE_IEND); 1067 png_ptr->mode |= (PNG_AFTER_IDAT | PNG_HAVE_IEND);
672 1068
1069 png_crc_finish(png_ptr, length);
1070
673 if (length != 0) 1071 if (length != 0)
674 { 1072 png_chunk_benign_error(png_ptr, "invalid");
675 png_warning(png_ptr, "Incorrect IEND chunk length"); 1073
676 } 1074 PNG_UNUSED(info_ptr)
677 png_crc_finish(png_ptr, length);
678
679 PNG_UNUSED(info_ptr) /* Quiet compiler warnings about unused info_ptr */
680 } 1075 }
681 1076
682 #ifdef PNG_READ_gAMA_SUPPORTED 1077 #ifdef PNG_READ_gAMA_SUPPORTED
683 void /* PRIVATE */ 1078 void /* PRIVATE */
684 png_handle_gAMA(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) 1079 png_handle_gAMA(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
685 { 1080 {
686 png_fixed_point igamma; 1081 png_fixed_point igamma;
687 #ifdef PNG_FLOATING_POINT_SUPPORTED
688 float file_gamma;
689 #endif
690 png_byte buf[4]; 1082 png_byte buf[4];
691 1083
692 png_debug(1, "in png_handle_gAMA"); 1084 png_debug(1, "in png_handle_gAMA");
693 1085
694 if (!(png_ptr->mode & PNG_HAVE_IHDR)) 1086 if ((png_ptr->mode & PNG_HAVE_IHDR) == 0)
695 png_error(png_ptr, "Missing IHDR before gAMA"); 1087 png_chunk_error(png_ptr, "missing IHDR");
696 else if (png_ptr->mode & PNG_HAVE_IDAT) 1088
697 { 1089 else if ((png_ptr->mode & (PNG_HAVE_IDAT|PNG_HAVE_PLTE)) != 0)
698 png_warning(png_ptr, "Invalid gAMA after IDAT"); 1090 {
699 png_crc_finish(png_ptr, length); 1091 png_crc_finish(png_ptr, length);
700 return; 1092 png_chunk_benign_error(png_ptr, "out of place");
701 }
702 else if (png_ptr->mode & PNG_HAVE_PLTE)
703 /* Should be an error, but we can cope with it */
704 png_warning(png_ptr, "Out of place gAMA chunk");
705
706 if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_gAMA)
707 #ifdef PNG_READ_sRGB_SUPPORTED
708 && !(info_ptr->valid & PNG_INFO_sRGB)
709 #endif
710 )
711 {
712 png_warning(png_ptr, "Duplicate gAMA chunk");
713 png_crc_finish(png_ptr, length);
714 return; 1093 return;
715 } 1094 }
716 1095
717 if (length != 4) 1096 if (length != 4)
718 { 1097 {
719 png_warning(png_ptr, "Incorrect gAMA chunk length"); 1098 png_crc_finish(png_ptr, length);
720 png_crc_finish(png_ptr, length); 1099 png_chunk_benign_error(png_ptr, "invalid");
721 return; 1100 return;
722 } 1101 }
723 1102
724 png_crc_read(png_ptr, buf, 4); 1103 png_crc_read(png_ptr, buf, 4);
725 if (png_crc_finish(png_ptr, 0)) 1104
726 return; 1105 if (png_crc_finish(png_ptr, 0) != 0)
727 1106 return;
728 igamma = (png_fixed_point)png_get_uint_32(buf); 1107
729 /* Check for zero gamma */ 1108 igamma = png_get_fixed_point(NULL, buf);
730 if (igamma == 0) 1109
1110 png_colorspace_set_gamma(png_ptr, &png_ptr->colorspace, igamma);
1111 png_colorspace_sync(png_ptr, info_ptr);
1112 }
1113 #endif
1114
1115 #ifdef PNG_READ_sBIT_SUPPORTED
1116 void /* PRIVATE */
1117 png_handle_sBIT(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
1118 {
1119 unsigned int truelen, i;
1120 png_byte sample_depth;
1121 png_byte buf[4];
1122
1123 png_debug(1, "in png_handle_sBIT");
1124
1125 if ((png_ptr->mode & PNG_HAVE_IHDR) == 0)
1126 png_chunk_error(png_ptr, "missing IHDR");
1127
1128 else if ((png_ptr->mode & (PNG_HAVE_IDAT|PNG_HAVE_PLTE)) != 0)
1129 {
1130 png_crc_finish(png_ptr, length);
1131 png_chunk_benign_error(png_ptr, "out of place");
1132 return;
1133 }
1134
1135 if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_sBIT) != 0)
1136 {
1137 png_crc_finish(png_ptr, length);
1138 png_chunk_benign_error(png_ptr, "duplicate");
1139 return;
1140 }
1141
1142 if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
1143 {
1144 truelen = 3;
1145 sample_depth = 8;
1146 }
1147
1148 else
1149 {
1150 truelen = png_ptr->channels;
1151 sample_depth = png_ptr->bit_depth;
1152 }
1153
1154 if (length != truelen || length > 4)
1155 {
1156 png_chunk_benign_error(png_ptr, "invalid");
1157 png_crc_finish(png_ptr, length);
1158 return;
1159 }
1160
1161 buf[0] = buf[1] = buf[2] = buf[3] = sample_depth;
1162 png_crc_read(png_ptr, buf, truelen);
1163
1164 if (png_crc_finish(png_ptr, 0) != 0)
1165 return;
1166
1167 for (i=0; i<truelen; ++i)
1168 {
1169 if (buf[i] == 0 || buf[i] > sample_depth)
731 { 1170 {
732 png_warning(png_ptr, 1171 png_chunk_benign_error(png_ptr, "invalid");
733 "Ignoring gAMA chunk with gamma=0");
734 return; 1172 return;
735 } 1173 }
736 1174 }
737 #ifdef PNG_READ_sRGB_SUPPORTED 1175
738 if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_sRGB)) 1176 if ((png_ptr->color_type & PNG_COLOR_MASK_COLOR) != 0)
739 if (PNG_OUT_OF_RANGE(igamma, 45500L, 500))
740 {
741 png_warning(png_ptr,
742 "Ignoring incorrect gAMA value when sRGB is also present");
743 #ifdef PNG_CONSOLE_IO_SUPPORTED
744 fprintf(stderr, "gamma = (%d/100000)", (int)igamma);
745 #endif
746 return;
747 }
748 #endif /* PNG_READ_sRGB_SUPPORTED */
749
750 #ifdef PNG_FLOATING_POINT_SUPPORTED
751 file_gamma = (float)igamma / (float)100000.0;
752 # ifdef PNG_READ_GAMMA_SUPPORTED
753 png_ptr->gamma = file_gamma;
754 # endif
755 png_set_gAMA(png_ptr, info_ptr, file_gamma);
756 #endif
757 #ifdef PNG_FIXED_POINT_SUPPORTED
758 png_set_gAMA_fixed(png_ptr, info_ptr, igamma);
759 #endif
760 }
761 #endif
762
763 #ifdef PNG_READ_sBIT_SUPPORTED
764 void /* PRIVATE */
765 png_handle_sBIT(png_structp png_ptr, png_infop info_ptr, png_uint_32 length)
766 {
767 png_size_t truelen;
768 png_byte buf[4];
769
770 png_debug(1, "in png_handle_sBIT");
771
772 buf[0] = buf[1] = buf[2] = buf[3] = 0;
773
774 if (!(png_ptr->mode & PNG_HAVE_IHDR))
775 png_error(png_ptr, "Missing IHDR before sBIT");
776 else if (png_ptr->mode & PNG_HAVE_IDAT)
777 {
778 png_warning(png_ptr, "Invalid sBIT after IDAT");
779 png_crc_finish(png_ptr, length);
780 return;
781 }
782 else if (png_ptr->mode & PNG_HAVE_PLTE)
783 {
784 /* Should be an error, but we can cope with it */
785 png_warning(png_ptr, "Out of place sBIT chunk");
786 }
787 if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_sBIT))
788 {
789 png_warning(png_ptr, "Duplicate sBIT chunk");
790 png_crc_finish(png_ptr, length);
791 return;
792 }
793
794 if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
795 truelen = 3;
796 else
797 truelen = (png_size_t)png_ptr->channels;
798
799 if (length != truelen || length > 4)
800 {
801 png_warning(png_ptr, "Incorrect sBIT chunk length");
802 png_crc_finish(png_ptr, length);
803 return;
804 }
805
806 png_crc_read(png_ptr, buf, truelen);
807 if (png_crc_finish(png_ptr, 0))
808 return;
809
810 if (png_ptr->color_type & PNG_COLOR_MASK_COLOR)
811 { 1177 {
812 png_ptr->sig_bit.red = buf[0]; 1178 png_ptr->sig_bit.red = buf[0];
813 png_ptr->sig_bit.green = buf[1]; 1179 png_ptr->sig_bit.green = buf[1];
814 png_ptr->sig_bit.blue = buf[2]; 1180 png_ptr->sig_bit.blue = buf[2];
815 png_ptr->sig_bit.alpha = buf[3]; 1181 png_ptr->sig_bit.alpha = buf[3];
816 } 1182 }
1183
817 else 1184 else
818 { 1185 {
819 png_ptr->sig_bit.gray = buf[0]; 1186 png_ptr->sig_bit.gray = buf[0];
820 png_ptr->sig_bit.red = buf[0]; 1187 png_ptr->sig_bit.red = buf[0];
821 png_ptr->sig_bit.green = buf[0]; 1188 png_ptr->sig_bit.green = buf[0];
822 png_ptr->sig_bit.blue = buf[0]; 1189 png_ptr->sig_bit.blue = buf[0];
823 png_ptr->sig_bit.alpha = buf[1]; 1190 png_ptr->sig_bit.alpha = buf[1];
824 } 1191 }
1192
825 png_set_sBIT(png_ptr, info_ptr, &(png_ptr->sig_bit)); 1193 png_set_sBIT(png_ptr, info_ptr, &(png_ptr->sig_bit));
826 } 1194 }
827 #endif 1195 #endif
828 1196
829 #ifdef PNG_READ_cHRM_SUPPORTED 1197 #ifdef PNG_READ_cHRM_SUPPORTED
830 void /* PRIVATE */ 1198 void /* PRIVATE */
831 png_handle_cHRM(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) 1199 png_handle_cHRM(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
832 { 1200 {
833 png_byte buf[32]; 1201 png_byte buf[32];
834 #ifdef PNG_FLOATING_POINT_SUPPORTED 1202 png_xy xy;
835 float white_x, white_y, red_x, red_y, green_x, green_y, blue_x, blue_y;
836 #endif
837 png_fixed_point int_x_white, int_y_white, int_x_red, int_y_red, int_x_green,
838 int_y_green, int_x_blue, int_y_blue;
839
840 png_uint_32 uint_x, uint_y;
841 1203
842 png_debug(1, "in png_handle_cHRM"); 1204 png_debug(1, "in png_handle_cHRM");
843 1205
844 if (!(png_ptr->mode & PNG_HAVE_IHDR)) 1206 if ((png_ptr->mode & PNG_HAVE_IHDR) == 0)
845 png_error(png_ptr, "Missing IHDR before cHRM"); 1207 png_chunk_error(png_ptr, "missing IHDR");
846 else if (png_ptr->mode & PNG_HAVE_IDAT) 1208
847 { 1209 else if ((png_ptr->mode & (PNG_HAVE_IDAT|PNG_HAVE_PLTE)) != 0)
848 png_warning(png_ptr, "Invalid cHRM after IDAT"); 1210 {
849 png_crc_finish(png_ptr, length); 1211 png_crc_finish(png_ptr, length);
850 return; 1212 png_chunk_benign_error(png_ptr, "out of place");
851 }
852 else if (png_ptr->mode & PNG_HAVE_PLTE)
853 /* Should be an error, but we can cope with it */
854 png_warning(png_ptr, "Missing PLTE before cHRM");
855
856 if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_cHRM)
857 #ifdef PNG_READ_sRGB_SUPPORTED
858 && !(info_ptr->valid & PNG_INFO_sRGB)
859 #endif
860 )
861 {
862 png_warning(png_ptr, "Duplicate cHRM chunk");
863 png_crc_finish(png_ptr, length);
864 return; 1213 return;
865 } 1214 }
866 1215
867 if (length != 32) 1216 if (length != 32)
868 { 1217 {
869 png_warning(png_ptr, "Incorrect cHRM chunk length"); 1218 png_crc_finish(png_ptr, length);
870 png_crc_finish(png_ptr, length); 1219 png_chunk_benign_error(png_ptr, "invalid");
871 return; 1220 return;
872 } 1221 }
873 1222
874 png_crc_read(png_ptr, buf, 32); 1223 png_crc_read(png_ptr, buf, 32);
875 if (png_crc_finish(png_ptr, 0)) 1224
876 return; 1225 if (png_crc_finish(png_ptr, 0) != 0)
877 1226 return;
878 uint_x = png_get_uint_32(buf); 1227
879 uint_y = png_get_uint_32(buf + 4); 1228 xy.whitex = png_get_fixed_point(NULL, buf);
880 int_x_white = (png_fixed_point)uint_x; 1229 xy.whitey = png_get_fixed_point(NULL, buf + 4);
881 int_y_white = (png_fixed_point)uint_y; 1230 xy.redx = png_get_fixed_point(NULL, buf + 8);
882 1231 xy.redy = png_get_fixed_point(NULL, buf + 12);
883 uint_x = png_get_uint_32(buf + 8); 1232 xy.greenx = png_get_fixed_point(NULL, buf + 16);
884 uint_y = png_get_uint_32(buf + 12); 1233 xy.greeny = png_get_fixed_point(NULL, buf + 20);
885 int_x_red = (png_fixed_point)uint_x; 1234 xy.bluex = png_get_fixed_point(NULL, buf + 24);
886 int_y_red = (png_fixed_point)uint_y; 1235 xy.bluey = png_get_fixed_point(NULL, buf + 28);
887 1236
888 uint_x = png_get_uint_32(buf + 16); 1237 if (xy.whitex == PNG_FIXED_ERROR ||
889 uint_y = png_get_uint_32(buf + 20); 1238 xy.whitey == PNG_FIXED_ERROR ||
890 int_x_green = (png_fixed_point)uint_x; 1239 xy.redx == PNG_FIXED_ERROR ||
891 int_y_green = (png_fixed_point)uint_y; 1240 xy.redy == PNG_FIXED_ERROR ||
892 1241 xy.greenx == PNG_FIXED_ERROR ||
893 uint_x = png_get_uint_32(buf + 24); 1242 xy.greeny == PNG_FIXED_ERROR ||
894 uint_y = png_get_uint_32(buf + 28); 1243 xy.bluex == PNG_FIXED_ERROR ||
895 int_x_blue = (png_fixed_point)uint_x; 1244 xy.bluey == PNG_FIXED_ERROR)
896 int_y_blue = (png_fixed_point)uint_y; 1245 {
897 1246 png_chunk_benign_error(png_ptr, "invalid values");
898 #ifdef PNG_FLOATING_POINT_SUPPORTED 1247 return;
899 white_x = (float)int_x_white / (float)100000.0; 1248 }
900 white_y = (float)int_y_white / (float)100000.0; 1249
901 red_x = (float)int_x_red / (float)100000.0; 1250 /* If a colorspace error has already been output skip this chunk */
902 red_y = (float)int_y_red / (float)100000.0; 1251 if ((png_ptr->colorspace.flags & PNG_COLORSPACE_INVALID) != 0)
903 green_x = (float)int_x_green / (float)100000.0; 1252 return;
904 green_y = (float)int_y_green / (float)100000.0; 1253
905 blue_x = (float)int_x_blue / (float)100000.0; 1254 if ((png_ptr->colorspace.flags & PNG_COLORSPACE_FROM_cHRM) != 0)
906 blue_y = (float)int_y_blue / (float)100000.0; 1255 {
907 #endif 1256 png_ptr->colorspace.flags |= PNG_COLORSPACE_INVALID;
908 1257 png_colorspace_sync(png_ptr, info_ptr);
909 #ifdef PNG_READ_sRGB_SUPPORTED 1258 png_chunk_benign_error(png_ptr, "duplicate");
910 if ((info_ptr != NULL) && (info_ptr->valid & PNG_INFO_sRGB)) 1259 return;
911 { 1260 }
912 if (PNG_OUT_OF_RANGE(int_x_white, 31270, 1000) || 1261
913 PNG_OUT_OF_RANGE(int_y_white, 32900, 1000) || 1262 png_ptr->colorspace.flags |= PNG_COLORSPACE_FROM_cHRM;
914 PNG_OUT_OF_RANGE(int_x_red, 64000L, 1000) || 1263 (void)png_colorspace_set_chromaticities(png_ptr, &png_ptr->colorspace, &xy,
915 PNG_OUT_OF_RANGE(int_y_red, 33000, 1000) || 1264 1/*prefer cHRM values*/);
916 PNG_OUT_OF_RANGE(int_x_green, 30000, 1000) || 1265 png_colorspace_sync(png_ptr, info_ptr);
917 PNG_OUT_OF_RANGE(int_y_green, 60000L, 1000) ||
918 PNG_OUT_OF_RANGE(int_x_blue, 15000, 1000) ||
919 PNG_OUT_OF_RANGE(int_y_blue, 6000, 1000))
920 {
921 png_warning(png_ptr,
922 "Ignoring incorrect cHRM value when sRGB is also present");
923 #ifdef PNG_CONSOLE_IO_SUPPORTED
924 #ifdef PNG_FLOATING_POINT_SUPPORTED
925 fprintf(stderr, "wx=%f, wy=%f, rx=%f, ry=%f\n",
926 white_x, white_y, red_x, red_y);
927 fprintf(stderr, "gx=%f, gy=%f, bx=%f, by=%f\n",
928 green_x, green_y, blue_x, blue_y);
929 #else
930 fprintf(stderr, "wx=%ld, wy=%ld, rx=%ld, ry=%ld\n",
931 (long)int_x_white, (long)int_y_white,
932 (long)int_x_red, (long)int_y_red);
933 fprintf(stderr, "gx=%ld, gy=%ld, bx=%ld, by=%ld\n",
934 (long)int_x_green, (long)int_y_green,
935 (long)int_x_blue, (long)int_y_blue);
936 #endif
937 #endif /* PNG_CONSOLE_IO_SUPPORTED */
938 }
939 return;
940 }
941 #endif /* PNG_READ_sRGB_SUPPORTED */
942
943 #ifdef PNG_FLOATING_POINT_SUPPORTED
944 png_set_cHRM(png_ptr, info_ptr,
945 white_x, white_y, red_x, red_y, green_x, green_y, blue_x, blue_y);
946 #endif
947 #ifdef PNG_FIXED_POINT_SUPPORTED
948 png_set_cHRM_fixed(png_ptr, info_ptr,
949 int_x_white, int_y_white, int_x_red, int_y_red, int_x_green,
950 int_y_green, int_x_blue, int_y_blue);
951 #endif
952 } 1266 }
953 #endif 1267 #endif
954 1268
955 #ifdef PNG_READ_sRGB_SUPPORTED 1269 #ifdef PNG_READ_sRGB_SUPPORTED
956 void /* PRIVATE */ 1270 void /* PRIVATE */
957 png_handle_sRGB(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) 1271 png_handle_sRGB(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
958 { 1272 {
959 int intent; 1273 png_byte intent;
960 png_byte buf[1];
961 1274
962 png_debug(1, "in png_handle_sRGB"); 1275 png_debug(1, "in png_handle_sRGB");
963 1276
964 if (!(png_ptr->mode & PNG_HAVE_IHDR)) 1277 if ((png_ptr->mode & PNG_HAVE_IHDR) == 0)
965 png_error(png_ptr, "Missing IHDR before sRGB"); 1278 png_chunk_error(png_ptr, "missing IHDR");
966 else if (png_ptr->mode & PNG_HAVE_IDAT) 1279
967 { 1280 else if ((png_ptr->mode & (PNG_HAVE_IDAT|PNG_HAVE_PLTE)) != 0)
968 png_warning(png_ptr, "Invalid sRGB after IDAT"); 1281 {
969 png_crc_finish(png_ptr, length); 1282 png_crc_finish(png_ptr, length);
970 return; 1283 png_chunk_benign_error(png_ptr, "out of place");
971 }
972 else if (png_ptr->mode & PNG_HAVE_PLTE)
973 /* Should be an error, but we can cope with it */
974 png_warning(png_ptr, "Out of place sRGB chunk");
975
976 if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_sRGB))
977 {
978 png_warning(png_ptr, "Duplicate sRGB chunk");
979 png_crc_finish(png_ptr, length);
980 return; 1284 return;
981 } 1285 }
982 1286
983 if (length != 1) 1287 if (length != 1)
984 { 1288 {
985 png_warning(png_ptr, "Incorrect sRGB chunk length"); 1289 png_crc_finish(png_ptr, length);
986 png_crc_finish(png_ptr, length); 1290 png_chunk_benign_error(png_ptr, "invalid");
987 return; 1291 return;
988 } 1292 }
989 1293
990 png_crc_read(png_ptr, buf, 1); 1294 png_crc_read(png_ptr, &intent, 1);
991 if (png_crc_finish(png_ptr, 0)) 1295
992 return; 1296 if (png_crc_finish(png_ptr, 0) != 0)
993 1297 return;
994 intent = buf[0]; 1298
995 /* Check for bad intent */ 1299 /* If a colorspace error has already been output skip this chunk */
996 if (intent >= PNG_sRGB_INTENT_LAST) 1300 if ((png_ptr->colorspace.flags & PNG_COLORSPACE_INVALID) != 0)
997 { 1301 return;
998 png_warning(png_ptr, "Unknown sRGB intent"); 1302
999 return; 1303 /* Only one sRGB or iCCP chunk is allowed, use the HAVE_INTENT flag to detect
1000 } 1304 * this.
1001 1305 */
1002 #if defined(PNG_READ_gAMA_SUPPORTED) && defined(PNG_READ_GAMMA_SUPPORTED) 1306 if ((png_ptr->colorspace.flags & PNG_COLORSPACE_HAVE_INTENT) != 0)
1003 if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_gAMA)) 1307 {
1004 { 1308 png_ptr->colorspace.flags |= PNG_COLORSPACE_INVALID;
1005 png_fixed_point igamma; 1309 png_colorspace_sync(png_ptr, info_ptr);
1006 #ifdef PNG_FIXED_POINT_SUPPORTED 1310 png_chunk_benign_error(png_ptr, "too many profiles");
1007 igamma=info_ptr->int_gamma; 1311 return;
1008 #else 1312 }
1009 # ifdef PNG_FLOATING_POINT_SUPPORTED 1313
1010 igamma=(png_fixed_point)(info_ptr->gamma * 100000.); 1314 (void)png_colorspace_set_sRGB(png_ptr, &png_ptr->colorspace, intent);
1011 # endif 1315 png_colorspace_sync(png_ptr, info_ptr);
1012 #endif
1013 if (PNG_OUT_OF_RANGE(igamma, 45500L, 500))
1014 {
1015 png_warning(png_ptr,
1016 "Ignoring incorrect gAMA value when sRGB is also present");
1017 #ifdef PNG_CONSOLE_IO_SUPPORTED
1018 # ifdef PNG_FIXED_POINT_SUPPORTED
1019 fprintf(stderr, "incorrect gamma=(%d/100000)\n",
1020 (int)png_ptr->int_gamma);
1021 # else
1022 # ifdef PNG_FLOATING_POINT_SUPPORTED
1023 fprintf(stderr, "incorrect gamma=%f\n", png_ptr->gamma);
1024 # endif
1025 # endif
1026 #endif
1027 }
1028 }
1029 #endif /* PNG_READ_gAMA_SUPPORTED */
1030
1031 #ifdef PNG_READ_cHRM_SUPPORTED
1032 #ifdef PNG_FIXED_POINT_SUPPORTED
1033 if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_cHRM))
1034 if (PNG_OUT_OF_RANGE(info_ptr->int_x_white, 31270, 1000) ||
1035 PNG_OUT_OF_RANGE(info_ptr->int_y_white, 32900, 1000) ||
1036 PNG_OUT_OF_RANGE(info_ptr->int_x_red, 64000L, 1000) ||
1037 PNG_OUT_OF_RANGE(info_ptr->int_y_red, 33000, 1000) ||
1038 PNG_OUT_OF_RANGE(info_ptr->int_x_green, 30000, 1000) ||
1039 PNG_OUT_OF_RANGE(info_ptr->int_y_green, 60000L, 1000) ||
1040 PNG_OUT_OF_RANGE(info_ptr->int_x_blue, 15000, 1000) ||
1041 PNG_OUT_OF_RANGE(info_ptr->int_y_blue, 6000, 1000))
1042 {
1043 png_warning(png_ptr,
1044 "Ignoring incorrect cHRM value when sRGB is also present");
1045 }
1046 #endif /* PNG_FIXED_POINT_SUPPORTED */
1047 #endif /* PNG_READ_cHRM_SUPPORTED */
1048
1049 png_set_sRGB_gAMA_and_cHRM(png_ptr, info_ptr, intent);
1050 } 1316 }
1051 #endif /* PNG_READ_sRGB_SUPPORTED */ 1317 #endif /* READ_sRGB */
1052 1318
1053 #ifdef PNG_READ_iCCP_SUPPORTED 1319 #ifdef PNG_READ_iCCP_SUPPORTED
1054 void /* PRIVATE */ 1320 void /* PRIVATE */
1055 png_handle_iCCP(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) 1321 png_handle_iCCP(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
1322 /* Note: this does not properly handle profiles that are > 64K under DOS */
1323 {
1324 png_const_charp errmsg = NULL; /* error message output, or no error */
1325 int finished = 0; /* crc checked */
1326
1327 png_debug(1, "in png_handle_iCCP");
1328
1329 if ((png_ptr->mode & PNG_HAVE_IHDR) == 0)
1330 png_chunk_error(png_ptr, "missing IHDR");
1331
1332 else if ((png_ptr->mode & (PNG_HAVE_IDAT|PNG_HAVE_PLTE)) != 0)
1333 {
1334 png_crc_finish(png_ptr, length);
1335 png_chunk_benign_error(png_ptr, "out of place");
1336 return;
1337 }
1338
1339 /* Consistent with all the above colorspace handling an obviously *invalid*
1340 * chunk is just ignored, so does not invalidate the color space. An
1341 * alternative is to set the 'invalid' flags at the start of this routine
1342 * and only clear them in they were not set before and all the tests pass.
1343 * The minimum 'deflate' stream is assumed to be just the 2 byte header and
1344 * 4 byte checksum. The keyword must be at least one character and there is
1345 * a terminator (0) byte and the compression method.
1346 */
1347 if (length < 9)
1348 {
1349 png_crc_finish(png_ptr, length);
1350 png_chunk_benign_error(png_ptr, "too short");
1351 return;
1352 }
1353
1354 /* If a colorspace error has already been output skip this chunk */
1355 if ((png_ptr->colorspace.flags & PNG_COLORSPACE_INVALID) != 0)
1356 {
1357 png_crc_finish(png_ptr, length);
1358 return;
1359 }
1360
1361 /* Only one sRGB or iCCP chunk is allowed, use the HAVE_INTENT flag to detect
1362 * this.
1363 */
1364 if ((png_ptr->colorspace.flags & PNG_COLORSPACE_HAVE_INTENT) == 0)
1365 {
1366 uInt read_length, keyword_length;
1367 char keyword[81];
1368
1369 /* Find the keyword; the keyword plus separator and compression method
1370 * bytes can be at most 81 characters long.
1371 */
1372 read_length = 81; /* maximum */
1373 if (read_length > length)
1374 read_length = (uInt)length;
1375
1376 png_crc_read(png_ptr, (png_bytep)keyword, read_length);
1377 length -= read_length;
1378
1379 keyword_length = 0;
1380 while (keyword_length < 80 && keyword_length < read_length &&
1381 keyword[keyword_length] != 0)
1382 ++keyword_length;
1383
1384 /* TODO: make the keyword checking common */
1385 if (keyword_length >= 1 && keyword_length <= 79)
1386 {
1387 /* We only understand '0' compression - deflate - so if we get a
1388 * different value we can't safely decode the chunk.
1389 */
1390 if (keyword_length+1 < read_length &&
1391 keyword[keyword_length+1] == PNG_COMPRESSION_TYPE_BASE)
1392 {
1393 read_length -= keyword_length+2;
1394
1395 if (png_inflate_claim(png_ptr, png_iCCP) == Z_OK)
1396 {
1397 Byte profile_header[132];
1398 Byte local_buffer[PNG_INFLATE_BUF_SIZE];
1399 png_alloc_size_t size = (sizeof profile_header);
1400
1401 png_ptr->zstream.next_in = (Bytef*)keyword + (keyword_length+2);
1402 png_ptr->zstream.avail_in = read_length;
1403 (void)png_inflate_read(png_ptr, local_buffer,
1404 (sizeof local_buffer), &length, profile_header, &size,
1405 0/*finish: don't, because the output is too small*/);
1406
1407 if (size == 0)
1408 {
1409 /* We have the ICC profile header; do the basic header checks.
1410 */
1411 const png_uint_32 profile_length =
1412 png_get_uint_32(profile_header);
1413
1414 if (png_icc_check_length(png_ptr, &png_ptr->colorspace,
1415 keyword, profile_length) != 0)
1416 {
1417 /* The length is apparently ok, so we can check the 132
1418 * byte header.
1419 */
1420 if (png_icc_check_header(png_ptr, &png_ptr->colorspace,
1421 keyword, profile_length, profile_header,
1422 png_ptr->color_type) != 0)
1423 {
1424 /* Now read the tag table; a variable size buffer is
1425 * needed at this point, allocate one for the whole
1426 * profile. The header check has already validated
1427 * that none of these stuff will overflow.
1428 */
1429 const png_uint_32 tag_count = png_get_uint_32(
1430 profile_header+128);
1431 png_bytep profile = png_read_buffer(png_ptr,
1432 profile_length, 2/*silent*/);
1433
1434 if (profile != NULL)
1435 {
1436 memcpy(profile, profile_header,
1437 (sizeof profile_header));
1438
1439 size = 12 * tag_count;
1440
1441 (void)png_inflate_read(png_ptr, local_buffer,
1442 (sizeof local_buffer), &length,
1443 profile + (sizeof profile_header), &size, 0);
1444
1445 /* Still expect a buffer error because we expect
1446 * there to be some tag data!
1447 */
1448 if (size == 0)
1449 {
1450 if (png_icc_check_tag_table(png_ptr,
1451 &png_ptr->colorspace, keyword, profile_length,
1452 profile) != 0)
1453 {
1454 /* The profile has been validated for basic
1455 * security issues, so read the whole thing in.
1456 */
1457 size = profile_length - (sizeof profile_header)
1458 - 12 * tag_count;
1459
1460 (void)png_inflate_read(png_ptr, local_buffer,
1461 (sizeof local_buffer), &length,
1462 profile + (sizeof profile_header) +
1463 12 * tag_count, &size, 1/*finish*/);
1464
1465 if (length > 0 && !(png_ptr->flags &
1466 PNG_FLAG_BENIGN_ERRORS_WARN))
1467 errmsg = "extra compressed data";
1468
1469 /* But otherwise allow extra data: */
1470 else if (size == 0)
1471 {
1472 if (length > 0)
1473 {
1474 /* This can be handled completely, so
1475 * keep going.
1476 */
1477 png_chunk_warning(png_ptr,
1478 "extra compressed data");
1479 }
1480
1481 png_crc_finish(png_ptr, length);
1482 finished = 1;
1483
1484 # ifdef PNG_sRGB_SUPPORTED
1485 /* Check for a match against sRGB */
1486 png_icc_set_sRGB(png_ptr,
1487 &png_ptr->colorspace, profile,
1488 png_ptr->zstream.adler);
1489 # endif
1490
1491 /* Steal the profile for info_ptr. */
1492 if (info_ptr != NULL)
1493 {
1494 png_free_data(png_ptr, info_ptr,
1495 PNG_FREE_ICCP, 0);
1496
1497 info_ptr->iccp_name = png_voidcast(char*,
1498 png_malloc_base(png_ptr,
1499 keyword_length+1));
1500 if (info_ptr->iccp_name != NULL)
1501 {
1502 memcpy(info_ptr->iccp_name, keyword,
1503 keyword_length+1);
1504 info_ptr->iccp_proflen =
1505 profile_length;
1506 info_ptr->iccp_profile = profile;
1507 png_ptr->read_buffer = NULL; /*steal*/
1508 info_ptr->free_me |= PNG_FREE_ICCP;
1509 info_ptr->valid |= PNG_INFO_iCCP;
1510 }
1511
1512 else
1513 {
1514 png_ptr->colorspace.flags |=
1515 PNG_COLORSPACE_INVALID;
1516 errmsg = "out of memory";
1517 }
1518 }
1519
1520 /* else the profile remains in the read
1521 * buffer which gets reused for subsequent
1522 * chunks.
1523 */
1524
1525 if (info_ptr != NULL)
1526 png_colorspace_sync(png_ptr, info_ptr);
1527
1528 if (errmsg == NULL)
1529 {
1530 png_ptr->zowner = 0;
1531 return;
1532 }
1533 }
1534
1535 else if (size > 0)
1536 errmsg = "truncated";
1537
1538 #ifndef __COVERITY__
1539 else
1540 errmsg = png_ptr->zstream.msg;
1541 #endif
1542 }
1543
1544 /* else png_icc_check_tag_table output an error */
1545 }
1546
1547 else /* profile truncated */
1548 errmsg = png_ptr->zstream.msg;
1549 }
1550
1551 else
1552 errmsg = "out of memory";
1553 }
1554
1555 /* else png_icc_check_header output an error */
1556 }
1557
1558 /* else png_icc_check_length output an error */
1559 }
1560
1561 else /* profile truncated */
1562 errmsg = png_ptr->zstream.msg;
1563
1564 /* Release the stream */
1565 png_ptr->zowner = 0;
1566 }
1567
1568 else /* png_inflate_claim failed */
1569 errmsg = png_ptr->zstream.msg;
1570 }
1571
1572 else
1573 errmsg = "bad compression method"; /* or missing */
1574 }
1575
1576 else
1577 errmsg = "bad keyword";
1578 }
1579
1580 else
1581 errmsg = "too many profiles";
1582
1583 /* Failure: the reason is in 'errmsg' */
1584 if (finished == 0)
1585 png_crc_finish(png_ptr, length);
1586
1587 png_ptr->colorspace.flags |= PNG_COLORSPACE_INVALID;
1588 png_colorspace_sync(png_ptr, info_ptr);
1589 if (errmsg != NULL) /* else already output */
1590 png_chunk_benign_error(png_ptr, errmsg);
1591 }
1592 #endif /* READ_iCCP */
1593
1594 #ifdef PNG_READ_sPLT_SUPPORTED
1595 void /* PRIVATE */
1596 png_handle_sPLT(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
1056 /* Note: this does not properly handle chunks that are > 64K under DOS */ 1597 /* Note: this does not properly handle chunks that are > 64K under DOS */
1057 { 1598 {
1058 png_byte compression_type; 1599 png_bytep entry_start, buffer;
1059 png_bytep pC; 1600 png_sPLT_t new_palette;
1060 png_charp profile; 1601 png_sPLT_entryp pp;
1602 png_uint_32 data_length;
1603 int entry_size, i;
1061 png_uint_32 skip = 0; 1604 png_uint_32 skip = 0;
1062 png_uint_32 profile_size, profile_length; 1605 png_uint_32 dl;
1063 png_size_t slength, prefix_length, data_length; 1606 png_size_t max_dl;
1064
1065 png_debug(1, "in png_handle_iCCP");
1066
1067 if (!(png_ptr->mode & PNG_HAVE_IHDR))
1068 png_error(png_ptr, "Missing IHDR before iCCP");
1069 else if (png_ptr->mode & PNG_HAVE_IDAT)
1070 {
1071 png_warning(png_ptr, "Invalid iCCP after IDAT");
1072 png_crc_finish(png_ptr, length);
1073 return;
1074 }
1075 else if (png_ptr->mode & PNG_HAVE_PLTE)
1076 /* Should be an error, but we can cope with it */
1077 png_warning(png_ptr, "Out of place iCCP chunk");
1078
1079 if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_iCCP))
1080 {
1081 png_warning(png_ptr, "Duplicate iCCP chunk");
1082 png_crc_finish(png_ptr, length);
1083 return;
1084 }
1085
1086 #ifdef PNG_MAX_MALLOC_64K
1087 if (length > (png_uint_32)65535L)
1088 {
1089 png_warning(png_ptr, "iCCP chunk too large to fit in memory");
1090 skip = length - (png_uint_32)65535L;
1091 length = (png_uint_32)65535L;
1092 }
1093 #endif
1094
1095 png_free(png_ptr, png_ptr->chunkdata);
1096 png_ptr->chunkdata = (png_charp)png_malloc(png_ptr, length + 1);
1097 slength = (png_size_t)length;
1098 png_crc_read(png_ptr, (png_bytep)png_ptr->chunkdata, slength);
1099
1100 if (png_crc_finish(png_ptr, skip))
1101 {
1102 png_free(png_ptr, png_ptr->chunkdata);
1103 png_ptr->chunkdata = NULL;
1104 return;
1105 }
1106
1107 png_ptr->chunkdata[slength] = 0x00;
1108
1109 for (profile = png_ptr->chunkdata; *profile; profile++)
1110 /* Empty loop to find end of name */ ;
1111
1112 ++profile;
1113
1114 /* There should be at least one zero (the compression type byte)
1115 * following the separator, and we should be on it
1116 */
1117 if ( profile >= png_ptr->chunkdata + slength - 1)
1118 {
1119 png_free(png_ptr, png_ptr->chunkdata);
1120 png_ptr->chunkdata = NULL;
1121 png_warning(png_ptr, "Malformed iCCP chunk");
1122 return;
1123 }
1124
1125 /* Compression_type should always be zero */
1126 compression_type = *profile++;
1127 if (compression_type)
1128 {
1129 png_warning(png_ptr, "Ignoring nonzero compression type in iCCP chunk");
1130 compression_type = 0x00; /* Reset it to zero (libpng-1.0.6 through 1.0.8
1131 wrote nonzero) */
1132 }
1133
1134 prefix_length = profile - png_ptr->chunkdata;
1135 png_decompress_chunk(png_ptr, compression_type,
1136 slength, prefix_length, &data_length);
1137
1138 profile_length = data_length - prefix_length;
1139
1140 if ( prefix_length > data_length || profile_length < 4)
1141 {
1142 png_free(png_ptr, png_ptr->chunkdata);
1143 png_ptr->chunkdata = NULL;
1144 png_warning(png_ptr, "Profile size field missing from iCCP chunk");
1145 return;
1146 }
1147
1148 /* Check the profile_size recorded in the first 32 bits of the ICC profile */
1149 pC = (png_bytep)(png_ptr->chunkdata + prefix_length);
1150 profile_size = ((png_uint_32) (*(pC )<<24)) |
1151 ((png_uint_32) (*(pC + 1)<<16)) |
1152 ((png_uint_32) (*(pC + 2)<< 8)) |
1153 ((png_uint_32) (*(pC + 3) ));
1154
1155 if (profile_size < profile_length)
1156 profile_length = profile_size;
1157
1158 if (profile_size > profile_length)
1159 {
1160 png_free(png_ptr, png_ptr->chunkdata);
1161 png_ptr->chunkdata = NULL;
1162 png_warning(png_ptr, "Ignoring truncated iCCP profile.");
1163 return;
1164 }
1165
1166 png_set_iCCP(png_ptr, info_ptr, png_ptr->chunkdata,
1167 compression_type, png_ptr->chunkdata + prefix_length, profile_length);
1168 png_free(png_ptr, png_ptr->chunkdata);
1169 png_ptr->chunkdata = NULL;
1170 }
1171 #endif /* PNG_READ_iCCP_SUPPORTED */
1172
1173 #ifdef PNG_READ_sPLT_SUPPORTED
1174 void /* PRIVATE */
1175 png_handle_sPLT(png_structp png_ptr, png_infop info_ptr, png_uint_32 length)
1176 /* Note: this does not properly handle chunks that are > 64K under DOS */
1177 {
1178 png_bytep entry_start;
1179 png_sPLT_t new_palette;
1180 #ifdef PNG_POINTER_INDEXING_SUPPORTED
1181 png_sPLT_entryp pp;
1182 #endif
1183 int data_length, entry_size, i;
1184 png_uint_32 skip = 0;
1185 png_size_t slength;
1186 1607
1187 png_debug(1, "in png_handle_sPLT"); 1608 png_debug(1, "in png_handle_sPLT");
1188 1609
1189 #ifdef PNG_USER_LIMITS_SUPPORTED 1610 #ifdef PNG_USER_LIMITS_SUPPORTED
1190
1191 if (png_ptr->user_chunk_cache_max != 0) 1611 if (png_ptr->user_chunk_cache_max != 0)
1192 { 1612 {
1193 if (png_ptr->user_chunk_cache_max == 1) 1613 if (png_ptr->user_chunk_cache_max == 1)
1194 { 1614 {
1195 png_crc_finish(png_ptr, length); 1615 png_crc_finish(png_ptr, length);
1196 return; 1616 return;
1197 } 1617 }
1618
1198 if (--png_ptr->user_chunk_cache_max == 1) 1619 if (--png_ptr->user_chunk_cache_max == 1)
1199 { 1620 {
1200 png_warning(png_ptr, "No space in chunk cache for sPLT"); 1621 png_warning(png_ptr, "No space in chunk cache for sPLT");
1201 png_crc_finish(png_ptr, length); 1622 png_crc_finish(png_ptr, length);
1202 return; 1623 return;
1203 } 1624 }
1204 } 1625 }
1205 #endif 1626 #endif
1206 1627
1207 if (!(png_ptr->mode & PNG_HAVE_IHDR)) 1628 if ((png_ptr->mode & PNG_HAVE_IHDR) == 0)
1208 png_error(png_ptr, "Missing IHDR before sPLT"); 1629 png_chunk_error(png_ptr, "missing IHDR");
1209 else if (png_ptr->mode & PNG_HAVE_IDAT) 1630
1631 else if ((png_ptr->mode & PNG_HAVE_IDAT) != 0)
1210 { 1632 {
1211 png_warning(png_ptr, "Invalid sPLT after IDAT");
1212 png_crc_finish(png_ptr, length); 1633 png_crc_finish(png_ptr, length);
1634 png_chunk_benign_error(png_ptr, "out of place");
1213 return; 1635 return;
1214 } 1636 }
1215 1637
1216 #ifdef PNG_MAX_MALLOC_64K 1638 #ifdef PNG_MAX_MALLOC_64K
1217 if (length > (png_uint_32)65535L) 1639 if (length > 65535U)
1218 { 1640 {
1219 png_warning(png_ptr, "sPLT chunk too large to fit in memory"); 1641 png_crc_finish(png_ptr, length);
1220 skip = length - (png_uint_32)65535L; 1642 png_chunk_benign_error(png_ptr, "too large to fit in memory");
1221 length = (png_uint_32)65535L; 1643 return;
1222 } 1644 }
1223 #endif 1645 #endif
1224 1646
1225 png_free(png_ptr, png_ptr->chunkdata); 1647 buffer = png_read_buffer(png_ptr, length+1, 2/*silent*/);
1226 png_ptr->chunkdata = (png_charp)png_malloc(png_ptr, length + 1); 1648 if (buffer == NULL)
1227 slength = (png_size_t)length;
1228 png_crc_read(png_ptr, (png_bytep)png_ptr->chunkdata, slength);
1229
1230 if (png_crc_finish(png_ptr, skip))
1231 { 1649 {
1232 png_free(png_ptr, png_ptr->chunkdata); 1650 png_crc_finish(png_ptr, length);
1233 png_ptr->chunkdata = NULL; 1651 png_chunk_benign_error(png_ptr, "out of memory");
1234 return; 1652 return;
1235 } 1653 }
1236 1654
1237 png_ptr->chunkdata[slength] = 0x00;
1238 1655
1239 for (entry_start = (png_bytep)png_ptr->chunkdata; *entry_start; 1656 /* WARNING: this may break if size_t is less than 32 bits; it is assumed
1240 entry_start++) 1657 * that the PNG_MAX_MALLOC_64K test is enabled in this case, but this is a
1658 * potential breakage point if the types in pngconf.h aren't exactly right.
1659 */
1660 png_crc_read(png_ptr, buffer, length);
1661
1662 if (png_crc_finish(png_ptr, skip) != 0)
1663 return;
1664
1665 buffer[length] = 0;
1666
1667 for (entry_start = buffer; *entry_start; entry_start++)
1241 /* Empty loop to find end of name */ ; 1668 /* Empty loop to find end of name */ ;
1669
1242 ++entry_start; 1670 ++entry_start;
1243 1671
1244 /* A sample depth should follow the separator, and we should be on it */ 1672 /* A sample depth should follow the separator, and we should be on it */
1245 if (entry_start > (png_bytep)png_ptr->chunkdata + slength - 2) 1673 if (entry_start > buffer + length - 2)
1246 { 1674 {
1247 png_free(png_ptr, png_ptr->chunkdata);
1248 png_ptr->chunkdata = NULL;
1249 png_warning(png_ptr, "malformed sPLT chunk"); 1675 png_warning(png_ptr, "malformed sPLT chunk");
1250 return; 1676 return;
1251 } 1677 }
1252 1678
1253 new_palette.depth = *entry_start++; 1679 new_palette.depth = *entry_start++;
1254 entry_size = (new_palette.depth == 8 ? 6 : 10); 1680 entry_size = (new_palette.depth == 8 ? 6 : 10);
1255 data_length = (slength - (entry_start - (png_bytep)png_ptr->chunkdata)); 1681 /* This must fit in a png_uint_32 because it is derived from the original
1682 * chunk data length.
1683 */
1684 data_length = length - (png_uint_32)(entry_start - buffer);
1256 1685
1257 /* Integrity-check the data length */ 1686 /* Integrity-check the data length */
1258 if (data_length % entry_size) 1687 if ((data_length % entry_size) != 0)
1259 { 1688 {
1260 png_free(png_ptr, png_ptr->chunkdata);
1261 png_ptr->chunkdata = NULL;
1262 png_warning(png_ptr, "sPLT chunk has bad length"); 1689 png_warning(png_ptr, "sPLT chunk has bad length");
1263 return; 1690 return;
1264 } 1691 }
1265 1692
1266 new_palette.nentries = (png_int_32) ( data_length / entry_size); 1693 dl = (png_int_32)(data_length / entry_size);
1267 if ((png_uint_32) new_palette.nentries > 1694 max_dl = PNG_SIZE_MAX / (sizeof (png_sPLT_entry));
1268 (png_uint_32) (PNG_SIZE_MAX / png_sizeof(png_sPLT_entry))) 1695
1696 if (dl > max_dl)
1269 { 1697 {
1270 png_warning(png_ptr, "sPLT chunk too long"); 1698 png_warning(png_ptr, "sPLT chunk too long");
1271 return; 1699 return;
1272 } 1700 }
1701
1702 new_palette.nentries = (png_int_32)(data_length / entry_size);
1703
1273 new_palette.entries = (png_sPLT_entryp)png_malloc_warn( 1704 new_palette.entries = (png_sPLT_entryp)png_malloc_warn(
1274 png_ptr, new_palette.nentries * png_sizeof(png_sPLT_entry)); 1705 png_ptr, new_palette.nentries * (sizeof (png_sPLT_entry)));
1706
1275 if (new_palette.entries == NULL) 1707 if (new_palette.entries == NULL)
1276 { 1708 {
1277 png_warning(png_ptr, "sPLT chunk requires too much memory"); 1709 png_warning(png_ptr, "sPLT chunk requires too much memory");
1278 return; 1710 return;
1279 } 1711 }
1280 1712
1281 #ifdef PNG_POINTER_INDEXING_SUPPORTED 1713 #ifdef PNG_POINTER_INDEXING_SUPPORTED
1282 for (i = 0; i < new_palette.nentries; i++) 1714 for (i = 0; i < new_palette.nentries; i++)
1283 { 1715 {
1284 pp = new_palette.entries + i; 1716 pp = new_palette.entries + i;
1285 1717
1286 if (new_palette.depth == 8) 1718 if (new_palette.depth == 8)
1287 { 1719 {
1288 pp->red = *entry_start++; 1720 pp->red = *entry_start++;
1289 pp->green = *entry_start++; 1721 pp->green = *entry_start++;
1290 pp->blue = *entry_start++; 1722 pp->blue = *entry_start++;
1291 pp->alpha = *entry_start++; 1723 pp->alpha = *entry_start++;
1292 } 1724 }
1725
1293 else 1726 else
1294 { 1727 {
1295 pp->red = png_get_uint_16(entry_start); entry_start += 2; 1728 pp->red = png_get_uint_16(entry_start); entry_start += 2;
1296 pp->green = png_get_uint_16(entry_start); entry_start += 2; 1729 pp->green = png_get_uint_16(entry_start); entry_start += 2;
1297 pp->blue = png_get_uint_16(entry_start); entry_start += 2; 1730 pp->blue = png_get_uint_16(entry_start); entry_start += 2;
1298 pp->alpha = png_get_uint_16(entry_start); entry_start += 2; 1731 pp->alpha = png_get_uint_16(entry_start); entry_start += 2;
1299 } 1732 }
1733
1300 pp->frequency = png_get_uint_16(entry_start); entry_start += 2; 1734 pp->frequency = png_get_uint_16(entry_start); entry_start += 2;
1301 } 1735 }
1302 #else 1736 #else
1303 pp = new_palette.entries; 1737 pp = new_palette.entries;
1738
1304 for (i = 0; i < new_palette.nentries; i++) 1739 for (i = 0; i < new_palette.nentries; i++)
1305 { 1740 {
1306 1741
1307 if (new_palette.depth == 8) 1742 if (new_palette.depth == 8)
1308 { 1743 {
1309 pp[i].red = *entry_start++; 1744 pp[i].red = *entry_start++;
1310 pp[i].green = *entry_start++; 1745 pp[i].green = *entry_start++;
1311 pp[i].blue = *entry_start++; 1746 pp[i].blue = *entry_start++;
1312 pp[i].alpha = *entry_start++; 1747 pp[i].alpha = *entry_start++;
1313 } 1748 }
1749
1314 else 1750 else
1315 { 1751 {
1316 pp[i].red = png_get_uint_16(entry_start); entry_start += 2; 1752 pp[i].red = png_get_uint_16(entry_start); entry_start += 2;
1317 pp[i].green = png_get_uint_16(entry_start); entry_start += 2; 1753 pp[i].green = png_get_uint_16(entry_start); entry_start += 2;
1318 pp[i].blue = png_get_uint_16(entry_start); entry_start += 2; 1754 pp[i].blue = png_get_uint_16(entry_start); entry_start += 2;
1319 pp[i].alpha = png_get_uint_16(entry_start); entry_start += 2; 1755 pp[i].alpha = png_get_uint_16(entry_start); entry_start += 2;
1320 } 1756 }
1321 pp->frequency = png_get_uint_16(entry_start); entry_start += 2; 1757
1758 pp[i].frequency = png_get_uint_16(entry_start); entry_start += 2;
1322 } 1759 }
1323 #endif 1760 #endif
1324 1761
1325 /* Discard all chunk data except the name and stash that */ 1762 /* Discard all chunk data except the name and stash that */
1326 new_palette.name = png_ptr->chunkdata; 1763 new_palette.name = (png_charp)buffer;
1327 1764
1328 png_set_sPLT(png_ptr, info_ptr, &new_palette, 1); 1765 png_set_sPLT(png_ptr, info_ptr, &new_palette, 1);
1329 1766
1330 png_free(png_ptr, png_ptr->chunkdata);
1331 png_ptr->chunkdata = NULL;
1332 png_free(png_ptr, new_palette.entries); 1767 png_free(png_ptr, new_palette.entries);
1333 } 1768 }
1334 #endif /* PNG_READ_sPLT_SUPPORTED */ 1769 #endif /* READ_sPLT */
1335 1770
1336 #ifdef PNG_READ_tRNS_SUPPORTED 1771 #ifdef PNG_READ_tRNS_SUPPORTED
1337 void /* PRIVATE */ 1772 void /* PRIVATE */
1338 png_handle_tRNS(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) 1773 png_handle_tRNS(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
1339 { 1774 {
1340 png_byte readbuf[PNG_MAX_PALETTE_LENGTH]; 1775 png_byte readbuf[PNG_MAX_PALETTE_LENGTH];
1341 1776
1342 png_debug(1, "in png_handle_tRNS"); 1777 png_debug(1, "in png_handle_tRNS");
1343 1778
1344 if (!(png_ptr->mode & PNG_HAVE_IHDR)) 1779 if ((png_ptr->mode & PNG_HAVE_IHDR) == 0)
1345 png_error(png_ptr, "Missing IHDR before tRNS"); 1780 png_chunk_error(png_ptr, "missing IHDR");
1346 else if (png_ptr->mode & PNG_HAVE_IDAT) 1781
1782 else if ((png_ptr->mode & PNG_HAVE_IDAT) != 0)
1347 { 1783 {
1348 png_warning(png_ptr, "Invalid tRNS after IDAT");
1349 png_crc_finish(png_ptr, length); 1784 png_crc_finish(png_ptr, length);
1350 return; 1785 png_chunk_benign_error(png_ptr, "out of place");
1351 }
1352 else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_tRNS))
1353 {
1354 png_warning(png_ptr, "Duplicate tRNS chunk");
1355 png_crc_finish(png_ptr, length);
1356 return; 1786 return;
1357 } 1787 }
1358 1788
1789 else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_tRNS) != 0)
1790 {
1791 png_crc_finish(png_ptr, length);
1792 png_chunk_benign_error(png_ptr, "duplicate");
1793 return;
1794 }
1795
1359 if (png_ptr->color_type == PNG_COLOR_TYPE_GRAY) 1796 if (png_ptr->color_type == PNG_COLOR_TYPE_GRAY)
1360 { 1797 {
1361 png_byte buf[2]; 1798 png_byte buf[2];
1362 1799
1363 if (length != 2) 1800 if (length != 2)
1364 { 1801 {
1365 png_warning(png_ptr, "Incorrect tRNS chunk length"); 1802 png_crc_finish(png_ptr, length);
1366 png_crc_finish(png_ptr, length); 1803 png_chunk_benign_error(png_ptr, "invalid");
1367 return; 1804 return;
1368 } 1805 }
1369 1806
1370 png_crc_read(png_ptr, buf, 2); 1807 png_crc_read(png_ptr, buf, 2);
1371 png_ptr->num_trans = 1; 1808 png_ptr->num_trans = 1;
1372 png_ptr->trans_values.gray = png_get_uint_16(buf); 1809 png_ptr->trans_color.gray = png_get_uint_16(buf);
1373 } 1810 }
1811
1374 else if (png_ptr->color_type == PNG_COLOR_TYPE_RGB) 1812 else if (png_ptr->color_type == PNG_COLOR_TYPE_RGB)
1375 { 1813 {
1376 png_byte buf[6]; 1814 png_byte buf[6];
1377 1815
1378 if (length != 6) 1816 if (length != 6)
1379 { 1817 {
1380 png_warning(png_ptr, "Incorrect tRNS chunk length"); 1818 png_crc_finish(png_ptr, length);
1381 png_crc_finish(png_ptr, length); 1819 png_chunk_benign_error(png_ptr, "invalid");
1382 return; 1820 return;
1383 } 1821 }
1384 png_crc_read(png_ptr, buf, (png_size_t)length); 1822
1823 png_crc_read(png_ptr, buf, length);
1385 png_ptr->num_trans = 1; 1824 png_ptr->num_trans = 1;
1386 png_ptr->trans_values.red = png_get_uint_16(buf); 1825 png_ptr->trans_color.red = png_get_uint_16(buf);
1387 png_ptr->trans_values.green = png_get_uint_16(buf + 2); 1826 png_ptr->trans_color.green = png_get_uint_16(buf + 2);
1388 png_ptr->trans_values.blue = png_get_uint_16(buf + 4); 1827 png_ptr->trans_color.blue = png_get_uint_16(buf + 4);
1389 } 1828 }
1829
1390 else if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) 1830 else if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
1391 { 1831 {
1392 if (!(png_ptr->mode & PNG_HAVE_PLTE)) 1832 if ((png_ptr->mode & PNG_HAVE_PLTE) == 0)
1393 { 1833 {
1394 /* Should be an error, but we can cope with it. */ 1834 /* TODO: is this actually an error in the ISO spec? */
1395 png_warning(png_ptr, "Missing PLTE before tRNS"); 1835 png_crc_finish(png_ptr, length);
1396 } 1836 png_chunk_benign_error(png_ptr, "out of place");
1397 if (length > (png_uint_32)png_ptr->num_palette || 1837 return;
1398 length > PNG_MAX_PALETTE_LENGTH) 1838 }
1399 { 1839
1400 png_warning(png_ptr, "Incorrect tRNS chunk length"); 1840 if (length > (unsigned int) png_ptr->num_palette ||
1401 png_crc_finish(png_ptr, length); 1841 length > (unsigned int) PNG_MAX_PALETTE_LENGTH ||
1402 return; 1842 length == 0)
1403 } 1843 {
1404 if (length == 0) 1844 png_crc_finish(png_ptr, length);
1405 { 1845 png_chunk_benign_error(png_ptr, "invalid");
1406 png_warning(png_ptr, "Zero length tRNS chunk"); 1846 return;
1407 png_crc_finish(png_ptr, length); 1847 }
1408 return; 1848
1409 } 1849 png_crc_read(png_ptr, readbuf, length);
1410 png_crc_read(png_ptr, readbuf, (png_size_t)length);
1411 png_ptr->num_trans = (png_uint_16)length; 1850 png_ptr->num_trans = (png_uint_16)length;
1412 } 1851 }
1852
1413 else 1853 else
1414 { 1854 {
1415 png_warning(png_ptr, "tRNS chunk not allowed with alpha channel"); 1855 png_crc_finish(png_ptr, length);
1416 png_crc_finish(png_ptr, length); 1856 png_chunk_benign_error(png_ptr, "invalid with alpha channel");
1417 return; 1857 return;
1418 } 1858 }
1419 1859
1420 if (png_crc_finish(png_ptr, 0)) 1860 if (png_crc_finish(png_ptr, 0) != 0)
1421 { 1861 {
1422 png_ptr->num_trans = 0; 1862 png_ptr->num_trans = 0;
1423 return; 1863 return;
1424 } 1864 }
1425 1865
1866 /* TODO: this is a horrible side effect in the palette case because the
1867 * png_struct ends up with a pointer to the tRNS buffer owned by the
1868 * png_info. Fix this.
1869 */
1426 png_set_tRNS(png_ptr, info_ptr, readbuf, png_ptr->num_trans, 1870 png_set_tRNS(png_ptr, info_ptr, readbuf, png_ptr->num_trans,
1427 &(png_ptr->trans_values)); 1871 &(png_ptr->trans_color));
1428 } 1872 }
1429 #endif 1873 #endif
1430 1874
1431 #ifdef PNG_READ_bKGD_SUPPORTED 1875 #ifdef PNG_READ_bKGD_SUPPORTED
1432 void /* PRIVATE */ 1876 void /* PRIVATE */
1433 png_handle_bKGD(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) 1877 png_handle_bKGD(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
1434 { 1878 {
1435 png_size_t truelen; 1879 unsigned int truelen;
1436 png_byte buf[6]; 1880 png_byte buf[6];
1881 png_color_16 background;
1437 1882
1438 png_debug(1, "in png_handle_bKGD"); 1883 png_debug(1, "in png_handle_bKGD");
1439 1884
1440 if (!(png_ptr->mode & PNG_HAVE_IHDR)) 1885 if ((png_ptr->mode & PNG_HAVE_IHDR) == 0)
1441 png_error(png_ptr, "Missing IHDR before bKGD"); 1886 png_chunk_error(png_ptr, "missing IHDR");
1442 else if (png_ptr->mode & PNG_HAVE_IDAT) 1887
1443 { 1888 else if ((png_ptr->mode & PNG_HAVE_IDAT) != 0 ||
1444 png_warning(png_ptr, "Invalid bKGD after IDAT"); 1889 (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE &&
1445 png_crc_finish(png_ptr, length); 1890 (png_ptr->mode & PNG_HAVE_PLTE) == 0))
1446 return; 1891 {
1447 } 1892 png_crc_finish(png_ptr, length);
1448 else if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE && 1893 png_chunk_benign_error(png_ptr, "out of place");
1449 !(png_ptr->mode & PNG_HAVE_PLTE)) 1894 return;
1450 { 1895 }
1451 png_warning(png_ptr, "Missing PLTE before bKGD"); 1896
1452 png_crc_finish(png_ptr, length); 1897 else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_bKGD) != 0)
1453 return; 1898 {
1454 } 1899 png_crc_finish(png_ptr, length);
1455 else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_bKGD)) 1900 png_chunk_benign_error(png_ptr, "duplicate");
1456 {
1457 png_warning(png_ptr, "Duplicate bKGD chunk");
1458 png_crc_finish(png_ptr, length);
1459 return; 1901 return;
1460 } 1902 }
1461 1903
1462 if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) 1904 if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
1463 truelen = 1; 1905 truelen = 1;
1464 else if (png_ptr->color_type & PNG_COLOR_MASK_COLOR) 1906
1907 else if ((png_ptr->color_type & PNG_COLOR_MASK_COLOR) != 0)
1465 truelen = 6; 1908 truelen = 6;
1909
1466 else 1910 else
1467 truelen = 2; 1911 truelen = 2;
1468 1912
1469 if (length != truelen) 1913 if (length != truelen)
1470 { 1914 {
1471 png_warning(png_ptr, "Incorrect bKGD chunk length"); 1915 png_crc_finish(png_ptr, length);
1472 png_crc_finish(png_ptr, length); 1916 png_chunk_benign_error(png_ptr, "invalid");
1473 return; 1917 return;
1474 } 1918 }
1475 1919
1476 png_crc_read(png_ptr, buf, truelen); 1920 png_crc_read(png_ptr, buf, truelen);
1477 if (png_crc_finish(png_ptr, 0)) 1921
1922 if (png_crc_finish(png_ptr, 0) != 0)
1478 return; 1923 return;
1479 1924
1480 /* We convert the index value into RGB components so that we can allow 1925 /* We convert the index value into RGB components so that we can allow
1481 * arbitrary RGB values for background when we have transparency, and 1926 * arbitrary RGB values for background when we have transparency, and
1482 * so it is easy to determine the RGB values of the background color 1927 * so it is easy to determine the RGB values of the background color
1483 * from the info_ptr struct. */ 1928 * from the info_ptr struct.
1929 */
1484 if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) 1930 if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
1485 { 1931 {
1486 png_ptr->background.index = buf[0]; 1932 background.index = buf[0];
1487 if (info_ptr && info_ptr->num_palette) 1933
1488 { 1934 if (info_ptr != NULL && info_ptr->num_palette != 0)
1489 if (buf[0] >= info_ptr->num_palette) 1935 {
1490 { 1936 if (buf[0] >= info_ptr->num_palette)
1491 png_warning(png_ptr, "Incorrect bKGD chunk index value"); 1937 {
1492 return; 1938 png_chunk_benign_error(png_ptr, "invalid index");
1493 } 1939 return;
1494 png_ptr->background.red = 1940 }
1495 (png_uint_16)png_ptr->palette[buf[0]].red; 1941
1496 png_ptr->background.green = 1942 background.red = (png_uint_16)png_ptr->palette[buf[0]].red;
1497 (png_uint_16)png_ptr->palette[buf[0]].green; 1943 background.green = (png_uint_16)png_ptr->palette[buf[0]].green;
1498 png_ptr->background.blue = 1944 background.blue = (png_uint_16)png_ptr->palette[buf[0]].blue;
1499 (png_uint_16)png_ptr->palette[buf[0]].blue; 1945 }
1500 } 1946
1501 } 1947 else
1502 else if (!(png_ptr->color_type & PNG_COLOR_MASK_COLOR)) /* GRAY */ 1948 background.red = background.green = background.blue = 0;
1503 { 1949
1504 png_ptr->background.red = 1950 background.gray = 0;
1505 png_ptr->background.green = 1951 }
1506 png_ptr->background.blue = 1952
1507 png_ptr->background.gray = png_get_uint_16(buf); 1953 else if ((png_ptr->color_type & PNG_COLOR_MASK_COLOR) == 0) /* GRAY */
1508 } 1954 {
1955 background.index = 0;
1956 background.red =
1957 background.green =
1958 background.blue =
1959 background.gray = png_get_uint_16(buf);
1960 }
1961
1509 else 1962 else
1510 { 1963 {
1511 png_ptr->background.red = png_get_uint_16(buf); 1964 background.index = 0;
1512 png_ptr->background.green = png_get_uint_16(buf + 2); 1965 background.red = png_get_uint_16(buf);
1513 png_ptr->background.blue = png_get_uint_16(buf + 4); 1966 background.green = png_get_uint_16(buf + 2);
1514 } 1967 background.blue = png_get_uint_16(buf + 4);
1515 1968 background.gray = 0;
1516 png_set_bKGD(png_ptr, info_ptr, &(png_ptr->background)); 1969 }
1970
1971 png_set_bKGD(png_ptr, info_ptr, &background);
1517 } 1972 }
1518 #endif 1973 #endif
1519 1974
1520 #ifdef PNG_READ_hIST_SUPPORTED 1975 #ifdef PNG_READ_hIST_SUPPORTED
1521 void /* PRIVATE */ 1976 void /* PRIVATE */
1522 png_handle_hIST(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) 1977 png_handle_hIST(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
1523 { 1978 {
1524 unsigned int num, i; 1979 unsigned int num, i;
1525 png_uint_16 readbuf[PNG_MAX_PALETTE_LENGTH]; 1980 png_uint_16 readbuf[PNG_MAX_PALETTE_LENGTH];
1526 1981
1527 png_debug(1, "in png_handle_hIST"); 1982 png_debug(1, "in png_handle_hIST");
1528 1983
1529 if (!(png_ptr->mode & PNG_HAVE_IHDR)) 1984 if ((png_ptr->mode & PNG_HAVE_IHDR) == 0)
1530 png_error(png_ptr, "Missing IHDR before hIST"); 1985 png_chunk_error(png_ptr, "missing IHDR");
1531 else if (png_ptr->mode & PNG_HAVE_IDAT) 1986
1532 { 1987 else if ((png_ptr->mode & PNG_HAVE_IDAT) != 0 ||
1533 png_warning(png_ptr, "Invalid hIST after IDAT"); 1988 (png_ptr->mode & PNG_HAVE_PLTE) == 0)
1534 png_crc_finish(png_ptr, length); 1989 {
1535 return; 1990 png_crc_finish(png_ptr, length);
1536 } 1991 png_chunk_benign_error(png_ptr, "out of place");
1537 else if (!(png_ptr->mode & PNG_HAVE_PLTE)) 1992 return;
1538 { 1993 }
1539 png_warning(png_ptr, "Missing PLTE before hIST"); 1994
1540 png_crc_finish(png_ptr, length); 1995 else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_hIST) != 0)
1541 return; 1996 {
1542 } 1997 png_crc_finish(png_ptr, length);
1543 else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_hIST)) 1998 png_chunk_benign_error(png_ptr, "duplicate");
1544 {
1545 png_warning(png_ptr, "Duplicate hIST chunk");
1546 png_crc_finish(png_ptr, length);
1547 return;
1548 }
1549
1550 if (length > 2*PNG_MAX_PALETTE_LENGTH ||
1551 length != (unsigned int) (2*png_ptr->num_palette))
1552 {
1553 png_warning(png_ptr, "Incorrect hIST chunk length");
1554 png_crc_finish(png_ptr, length);
1555 return; 1999 return;
1556 } 2000 }
1557 2001
1558 num = length / 2 ; 2002 num = length / 2 ;
1559 2003
2004 if (num != (unsigned int) png_ptr->num_palette ||
2005 num > (unsigned int) PNG_MAX_PALETTE_LENGTH)
2006 {
2007 png_crc_finish(png_ptr, length);
2008 png_chunk_benign_error(png_ptr, "invalid");
2009 return;
2010 }
2011
1560 for (i = 0; i < num; i++) 2012 for (i = 0; i < num; i++)
1561 { 2013 {
1562 png_byte buf[2]; 2014 png_byte buf[2];
1563 2015
1564 png_crc_read(png_ptr, buf, 2); 2016 png_crc_read(png_ptr, buf, 2);
1565 readbuf[i] = png_get_uint_16(buf); 2017 readbuf[i] = png_get_uint_16(buf);
1566 } 2018 }
1567 2019
1568 if (png_crc_finish(png_ptr, 0)) 2020 if (png_crc_finish(png_ptr, 0) != 0)
1569 return; 2021 return;
1570 2022
1571 png_set_hIST(png_ptr, info_ptr, readbuf); 2023 png_set_hIST(png_ptr, info_ptr, readbuf);
1572 } 2024 }
1573 #endif 2025 #endif
1574 2026
1575 #ifdef PNG_READ_pHYs_SUPPORTED 2027 #ifdef PNG_READ_pHYs_SUPPORTED
1576 void /* PRIVATE */ 2028 void /* PRIVATE */
1577 png_handle_pHYs(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) 2029 png_handle_pHYs(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
1578 { 2030 {
1579 png_byte buf[9]; 2031 png_byte buf[9];
1580 png_uint_32 res_x, res_y; 2032 png_uint_32 res_x, res_y;
1581 int unit_type; 2033 int unit_type;
1582 2034
1583 png_debug(1, "in png_handle_pHYs"); 2035 png_debug(1, "in png_handle_pHYs");
1584 2036
1585 if (!(png_ptr->mode & PNG_HAVE_IHDR)) 2037 if ((png_ptr->mode & PNG_HAVE_IHDR) == 0)
1586 png_error(png_ptr, "Missing IHDR before pHYs"); 2038 png_chunk_error(png_ptr, "missing IHDR");
1587 else if (png_ptr->mode & PNG_HAVE_IDAT) 2039
2040 else if ((png_ptr->mode & PNG_HAVE_IDAT) != 0)
1588 { 2041 {
1589 png_warning(png_ptr, "Invalid pHYs after IDAT");
1590 png_crc_finish(png_ptr, length); 2042 png_crc_finish(png_ptr, length);
2043 png_chunk_benign_error(png_ptr, "out of place");
1591 return; 2044 return;
1592 } 2045 }
1593 else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_pHYs)) 2046
2047 else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_pHYs) != 0)
1594 { 2048 {
1595 png_warning(png_ptr, "Duplicate pHYs chunk");
1596 png_crc_finish(png_ptr, length); 2049 png_crc_finish(png_ptr, length);
2050 png_chunk_benign_error(png_ptr, "duplicate");
1597 return; 2051 return;
1598 } 2052 }
1599 2053
1600 if (length != 9) 2054 if (length != 9)
1601 { 2055 {
1602 png_warning(png_ptr, "Incorrect pHYs chunk length");
1603 png_crc_finish(png_ptr, length); 2056 png_crc_finish(png_ptr, length);
2057 png_chunk_benign_error(png_ptr, "invalid");
1604 return; 2058 return;
1605 } 2059 }
1606 2060
1607 png_crc_read(png_ptr, buf, 9); 2061 png_crc_read(png_ptr, buf, 9);
1608 if (png_crc_finish(png_ptr, 0)) 2062
2063 if (png_crc_finish(png_ptr, 0) != 0)
1609 return; 2064 return;
1610 2065
1611 res_x = png_get_uint_32(buf); 2066 res_x = png_get_uint_32(buf);
1612 res_y = png_get_uint_32(buf + 4); 2067 res_y = png_get_uint_32(buf + 4);
1613 unit_type = buf[8]; 2068 unit_type = buf[8];
1614 png_set_pHYs(png_ptr, info_ptr, res_x, res_y, unit_type); 2069 png_set_pHYs(png_ptr, info_ptr, res_x, res_y, unit_type);
1615 } 2070 }
1616 #endif 2071 #endif
1617 2072
1618 #ifdef PNG_READ_oFFs_SUPPORTED 2073 #ifdef PNG_READ_oFFs_SUPPORTED
1619 void /* PRIVATE */ 2074 void /* PRIVATE */
1620 png_handle_oFFs(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) 2075 png_handle_oFFs(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
1621 { 2076 {
1622 png_byte buf[9]; 2077 png_byte buf[9];
1623 png_int_32 offset_x, offset_y; 2078 png_int_32 offset_x, offset_y;
1624 int unit_type; 2079 int unit_type;
1625 2080
1626 png_debug(1, "in png_handle_oFFs"); 2081 png_debug(1, "in png_handle_oFFs");
1627 2082
1628 if (!(png_ptr->mode & PNG_HAVE_IHDR)) 2083 if ((png_ptr->mode & PNG_HAVE_IHDR) == 0)
1629 png_error(png_ptr, "Missing IHDR before oFFs"); 2084 png_chunk_error(png_ptr, "missing IHDR");
1630 else if (png_ptr->mode & PNG_HAVE_IDAT) 2085
2086 else if ((png_ptr->mode & PNG_HAVE_IDAT) != 0)
1631 { 2087 {
1632 png_warning(png_ptr, "Invalid oFFs after IDAT");
1633 png_crc_finish(png_ptr, length); 2088 png_crc_finish(png_ptr, length);
2089 png_chunk_benign_error(png_ptr, "out of place");
1634 return; 2090 return;
1635 } 2091 }
1636 else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_oFFs)) 2092
2093 else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_oFFs) != 0)
1637 { 2094 {
1638 png_warning(png_ptr, "Duplicate oFFs chunk");
1639 png_crc_finish(png_ptr, length); 2095 png_crc_finish(png_ptr, length);
2096 png_chunk_benign_error(png_ptr, "duplicate");
1640 return; 2097 return;
1641 } 2098 }
1642 2099
1643 if (length != 9) 2100 if (length != 9)
1644 { 2101 {
1645 png_warning(png_ptr, "Incorrect oFFs chunk length");
1646 png_crc_finish(png_ptr, length); 2102 png_crc_finish(png_ptr, length);
2103 png_chunk_benign_error(png_ptr, "invalid");
1647 return; 2104 return;
1648 } 2105 }
1649 2106
1650 png_crc_read(png_ptr, buf, 9); 2107 png_crc_read(png_ptr, buf, 9);
1651 if (png_crc_finish(png_ptr, 0)) 2108
2109 if (png_crc_finish(png_ptr, 0) != 0)
1652 return; 2110 return;
1653 2111
1654 offset_x = png_get_int_32(buf); 2112 offset_x = png_get_int_32(buf);
1655 offset_y = png_get_int_32(buf + 4); 2113 offset_y = png_get_int_32(buf + 4);
1656 unit_type = buf[8]; 2114 unit_type = buf[8];
1657 png_set_oFFs(png_ptr, info_ptr, offset_x, offset_y, unit_type); 2115 png_set_oFFs(png_ptr, info_ptr, offset_x, offset_y, unit_type);
1658 } 2116 }
1659 #endif 2117 #endif
1660 2118
1661 #ifdef PNG_READ_pCAL_SUPPORTED 2119 #ifdef PNG_READ_pCAL_SUPPORTED
1662 /* Read the pCAL chunk (described in the PNG Extensions document) */ 2120 /* Read the pCAL chunk (described in the PNG Extensions document) */
1663 void /* PRIVATE */ 2121 void /* PRIVATE */
1664 png_handle_pCAL(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) 2122 png_handle_pCAL(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
1665 { 2123 {
1666 png_int_32 X0, X1; 2124 png_int_32 X0, X1;
1667 png_byte type, nparams; 2125 png_byte type, nparams;
1668 png_charp buf, units, endptr; 2126 png_bytep buffer, buf, units, endptr;
1669 png_charpp params; 2127 png_charpp params;
1670 png_size_t slength;
1671 int i; 2128 int i;
1672 2129
1673 png_debug(1, "in png_handle_pCAL"); 2130 png_debug(1, "in png_handle_pCAL");
1674 2131
1675 if (!(png_ptr->mode & PNG_HAVE_IHDR)) 2132 if ((png_ptr->mode & PNG_HAVE_IHDR) == 0)
1676 png_error(png_ptr, "Missing IHDR before pCAL"); 2133 png_chunk_error(png_ptr, "missing IHDR");
1677 else if (png_ptr->mode & PNG_HAVE_IDAT) 2134
2135 else if ((png_ptr->mode & PNG_HAVE_IDAT) != 0)
1678 { 2136 {
1679 png_warning(png_ptr, "Invalid pCAL after IDAT");
1680 png_crc_finish(png_ptr, length); 2137 png_crc_finish(png_ptr, length);
1681 return; 2138 png_chunk_benign_error(png_ptr, "out of place");
1682 }
1683 else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_pCAL))
1684 {
1685 png_warning(png_ptr, "Duplicate pCAL chunk");
1686 png_crc_finish(png_ptr, length);
1687 return; 2139 return;
1688 } 2140 }
1689 2141
1690 png_debug1(2, "Allocating and reading pCAL chunk data (%lu bytes)", 2142 else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_pCAL) != 0)
1691 length + 1);
1692 png_free(png_ptr, png_ptr->chunkdata);
1693 png_ptr->chunkdata = (png_charp)png_malloc_warn(png_ptr, length + 1);
1694 if (png_ptr->chunkdata == NULL)
1695 {
1696 png_warning(png_ptr, "No memory for pCAL purpose.");
1697 return;
1698 }
1699 slength = (png_size_t)length;
1700 png_crc_read(png_ptr, (png_bytep)png_ptr->chunkdata, slength);
1701
1702 if (png_crc_finish(png_ptr, 0))
1703 { 2143 {
1704 png_free(png_ptr, png_ptr->chunkdata); 2144 png_crc_finish(png_ptr, length);
1705 png_ptr->chunkdata = NULL; 2145 png_chunk_benign_error(png_ptr, "duplicate");
1706 return; 2146 return;
1707 } 2147 }
1708 2148
1709 png_ptr->chunkdata[slength] = 0x00; /* Null terminate the last string */ 2149 png_debug1(2, "Allocating and reading pCAL chunk data (%u bytes)",
2150 length + 1);
1710 2151
1711 png_debug(3, "Finding end of pCAL purpose string"); 2152 buffer = png_read_buffer(png_ptr, length+1, 2/*silent*/);
1712 for (buf = png_ptr->chunkdata; *buf; buf++)
1713 /* Empty loop */ ;
1714 2153
1715 endptr = png_ptr->chunkdata + slength; 2154 if (buffer == NULL)
1716
1717 /* We need to have at least 12 bytes after the purpose string
1718 in order to get the parameter information. */
1719 if (endptr <= buf + 12)
1720 { 2155 {
1721 png_warning(png_ptr, "Invalid pCAL data"); 2156 png_crc_finish(png_ptr, length);
1722 png_free(png_ptr, png_ptr->chunkdata); 2157 png_chunk_benign_error(png_ptr, "out of memory");
1723 png_ptr->chunkdata = NULL;
1724 return; 2158 return;
1725 } 2159 }
1726 2160
2161 png_crc_read(png_ptr, buffer, length);
2162
2163 if (png_crc_finish(png_ptr, 0) != 0)
2164 return;
2165
2166 buffer[length] = 0; /* Null terminate the last string */
2167
2168 png_debug(3, "Finding end of pCAL purpose string");
2169 for (buf = buffer; *buf; buf++)
2170 /* Empty loop */ ;
2171
2172 endptr = buffer + length;
2173
2174 /* We need to have at least 12 bytes after the purpose string
2175 * in order to get the parameter information.
2176 */
2177 if (endptr <= buf + 12)
2178 {
2179 png_chunk_benign_error(png_ptr, "invalid");
2180 return;
2181 }
2182
1727 png_debug(3, "Reading pCAL X0, X1, type, nparams, and units"); 2183 png_debug(3, "Reading pCAL X0, X1, type, nparams, and units");
1728 X0 = png_get_int_32((png_bytep)buf+1); 2184 X0 = png_get_int_32((png_bytep)buf+1);
1729 X1 = png_get_int_32((png_bytep)buf+5); 2185 X1 = png_get_int_32((png_bytep)buf+5);
1730 type = buf[9]; 2186 type = buf[9];
1731 nparams = buf[10]; 2187 nparams = buf[10];
1732 units = buf + 11; 2188 units = buf + 11;
1733 2189
1734 png_debug(3, "Checking pCAL equation type and number of parameters"); 2190 png_debug(3, "Checking pCAL equation type and number of parameters");
1735 /* Check that we have the right number of parameters for known 2191 /* Check that we have the right number of parameters for known
1736 equation types. */ 2192 * equation types.
2193 */
1737 if ((type == PNG_EQUATION_LINEAR && nparams != 2) || 2194 if ((type == PNG_EQUATION_LINEAR && nparams != 2) ||
1738 (type == PNG_EQUATION_BASE_E && nparams != 3) || 2195 (type == PNG_EQUATION_BASE_E && nparams != 3) ||
1739 (type == PNG_EQUATION_ARBITRARY && nparams != 3) || 2196 (type == PNG_EQUATION_ARBITRARY && nparams != 3) ||
1740 (type == PNG_EQUATION_HYPERBOLIC && nparams != 4)) 2197 (type == PNG_EQUATION_HYPERBOLIC && nparams != 4))
1741 { 2198 {
1742 png_warning(png_ptr, "Invalid pCAL parameters for equation type"); 2199 png_chunk_benign_error(png_ptr, "invalid parameter count");
1743 png_free(png_ptr, png_ptr->chunkdata);
1744 png_ptr->chunkdata = NULL;
1745 return; 2200 return;
1746 } 2201 }
2202
1747 else if (type >= PNG_EQUATION_LAST) 2203 else if (type >= PNG_EQUATION_LAST)
1748 { 2204 {
1749 png_warning(png_ptr, "Unrecognized equation type for pCAL chunk"); 2205 png_chunk_benign_error(png_ptr, "unrecognized equation type");
1750 } 2206 }
1751 2207
1752 for (buf = units; *buf; buf++) 2208 for (buf = units; *buf; buf++)
1753 /* Empty loop to move past the units string. */ ; 2209 /* Empty loop to move past the units string. */ ;
1754 2210
1755 png_debug(3, "Allocating pCAL parameters array"); 2211 png_debug(3, "Allocating pCAL parameters array");
1756 params = (png_charpp)png_malloc_warn(png_ptr, 2212
1757 (png_uint_32)(nparams * png_sizeof(png_charp))) ; 2213 params = png_voidcast(png_charpp, png_malloc_warn(png_ptr,
2214 nparams * (sizeof (png_charp))));
2215
1758 if (params == NULL) 2216 if (params == NULL)
1759 { 2217 {
1760 png_free(png_ptr, png_ptr->chunkdata); 2218 png_chunk_benign_error(png_ptr, "out of memory");
1761 png_ptr->chunkdata = NULL; 2219 return;
1762 png_warning(png_ptr, "No memory for pCAL params."); 2220 }
1763 return;
1764 }
1765 2221
1766 /* Get pointers to the start of each parameter string. */ 2222 /* Get pointers to the start of each parameter string. */
1767 for (i = 0; i < (int)nparams; i++) 2223 for (i = 0; i < nparams; i++)
1768 { 2224 {
1769 buf++; /* Skip the null string terminator from previous parameter. */ 2225 buf++; /* Skip the null string terminator from previous parameter. */
1770 2226
1771 png_debug1(3, "Reading pCAL parameter %d", i); 2227 png_debug1(3, "Reading pCAL parameter %d", i);
1772 for (params[i] = buf; buf <= endptr && *buf != 0x00; buf++) 2228
2229 for (params[i] = (png_charp)buf; buf <= endptr && *buf != 0; buf++)
1773 /* Empty loop to move past each parameter string */ ; 2230 /* Empty loop to move past each parameter string */ ;
1774 2231
1775 /* Make sure we haven't run out of data yet */ 2232 /* Make sure we haven't run out of data yet */
1776 if (buf > endptr) 2233 if (buf > endptr)
1777 { 2234 {
1778 png_warning(png_ptr, "Invalid pCAL data");
1779 png_free(png_ptr, png_ptr->chunkdata);
1780 png_ptr->chunkdata = NULL;
1781 png_free(png_ptr, params); 2235 png_free(png_ptr, params);
2236 png_chunk_benign_error(png_ptr, "invalid data");
1782 return; 2237 return;
1783 } 2238 }
1784 } 2239 }
1785 2240
1786 png_set_pCAL(png_ptr, info_ptr, png_ptr->chunkdata, X0, X1, type, nparams, 2241 png_set_pCAL(png_ptr, info_ptr, (png_charp)buffer, X0, X1, type, nparams,
1787 units, params); 2242 (png_charp)units, params);
1788 2243
1789 png_free(png_ptr, png_ptr->chunkdata);
1790 png_ptr->chunkdata = NULL;
1791 png_free(png_ptr, params); 2244 png_free(png_ptr, params);
1792 } 2245 }
1793 #endif 2246 #endif
1794 2247
1795 #ifdef PNG_READ_sCAL_SUPPORTED 2248 #ifdef PNG_READ_sCAL_SUPPORTED
1796 /* Read the sCAL chunk */ 2249 /* Read the sCAL chunk */
1797 void /* PRIVATE */ 2250 void /* PRIVATE */
1798 png_handle_sCAL(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) 2251 png_handle_sCAL(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
1799 { 2252 {
1800 png_charp ep; 2253 png_bytep buffer;
1801 #ifdef PNG_FLOATING_POINT_SUPPORTED 2254 png_size_t i;
1802 double width, height; 2255 int state;
1803 png_charp vp;
1804 #else
1805 #ifdef PNG_FIXED_POINT_SUPPORTED
1806 png_charp swidth, sheight;
1807 #endif
1808 #endif
1809 png_size_t slength;
1810 2256
1811 png_debug(1, "in png_handle_sCAL"); 2257 png_debug(1, "in png_handle_sCAL");
1812 2258
1813 if (!(png_ptr->mode & PNG_HAVE_IHDR)) 2259 if ((png_ptr->mode & PNG_HAVE_IHDR) == 0)
1814 png_error(png_ptr, "Missing IHDR before sCAL"); 2260 png_chunk_error(png_ptr, "missing IHDR");
1815 else if (png_ptr->mode & PNG_HAVE_IDAT) 2261
2262 else if ((png_ptr->mode & PNG_HAVE_IDAT) != 0)
1816 { 2263 {
1817 png_warning(png_ptr, "Invalid sCAL after IDAT");
1818 png_crc_finish(png_ptr, length); 2264 png_crc_finish(png_ptr, length);
2265 png_chunk_benign_error(png_ptr, "out of place");
1819 return; 2266 return;
1820 } 2267 }
1821 else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_sCAL)) 2268
2269 else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_sCAL) != 0)
1822 { 2270 {
1823 png_warning(png_ptr, "Duplicate sCAL chunk");
1824 png_crc_finish(png_ptr, length); 2271 png_crc_finish(png_ptr, length);
2272 png_chunk_benign_error(png_ptr, "duplicate");
1825 return; 2273 return;
1826 } 2274 }
1827 2275
1828 /* Need unit type, width, \0, height: minimum 4 bytes */ 2276 /* Need unit type, width, \0, height: minimum 4 bytes */
1829 else if (length < 4) 2277 else if (length < 4)
1830 { 2278 {
1831 png_warning(png_ptr, "sCAL chunk too short"); 2279 png_crc_finish(png_ptr, length);
2280 png_chunk_benign_error(png_ptr, "invalid");
2281 return;
2282 }
2283
2284 png_debug1(2, "Allocating and reading sCAL chunk data (%u bytes)",
2285 length + 1);
2286
2287 buffer = png_read_buffer(png_ptr, length+1, 2/*silent*/);
2288
2289 if (buffer == NULL)
2290 {
2291 png_chunk_benign_error(png_ptr, "out of memory");
1832 png_crc_finish(png_ptr, length); 2292 png_crc_finish(png_ptr, length);
1833 return; 2293 return;
1834 } 2294 }
1835 2295
1836 png_debug1(2, "Allocating and reading sCAL chunk data (%lu bytes)", 2296 png_crc_read(png_ptr, buffer, length);
1837 length + 1); 2297 buffer[length] = 0; /* Null terminate the last string */
1838 png_ptr->chunkdata = (png_charp)png_malloc_warn(png_ptr, length + 1); 2298
1839 if (png_ptr->chunkdata == NULL) 2299 if (png_crc_finish(png_ptr, 0) != 0)
2300 return;
2301
2302 /* Validate the unit. */
2303 if (buffer[0] != 1 && buffer[0] != 2)
1840 { 2304 {
1841 png_warning(png_ptr, "Out of memory while processing sCAL chunk"); 2305 png_chunk_benign_error(png_ptr, "invalid unit");
1842 png_crc_finish(png_ptr, length);
1843 return;
1844 }
1845 slength = (png_size_t)length;
1846 png_crc_read(png_ptr, (png_bytep)png_ptr->chunkdata, slength);
1847
1848 if (png_crc_finish(png_ptr, 0))
1849 {
1850 png_free(png_ptr, png_ptr->chunkdata);
1851 png_ptr->chunkdata = NULL;
1852 return; 2306 return;
1853 } 2307 }
1854 2308
1855 png_ptr->chunkdata[slength] = 0x00; /* Null terminate the last string */ 2309 /* Validate the ASCII numbers, need two ASCII numbers separated by
2310 * a '\0' and they need to fit exactly in the chunk data.
2311 */
2312 i = 1;
2313 state = 0;
1856 2314
1857 ep = png_ptr->chunkdata + 1; /* Skip unit byte */ 2315 if (png_check_fp_number((png_const_charp)buffer, length, &state, &i) == 0 ||
2316 i >= length || buffer[i++] != 0)
2317 png_chunk_benign_error(png_ptr, "bad width format");
1858 2318
1859 #ifdef PNG_FLOATING_POINT_SUPPORTED 2319 else if (PNG_FP_IS_POSITIVE(state) == 0)
1860 width = png_strtod(png_ptr, ep, &vp); 2320 png_chunk_benign_error(png_ptr, "non-positive width");
1861 if (*vp) 2321
2322 else
1862 { 2323 {
1863 png_warning(png_ptr, "malformed width string in sCAL chunk"); 2324 png_size_t heighti = i;
1864 png_free(png_ptr, png_ptr->chunkdata); 2325
1865 png_ptr->chunkdata = NULL; 2326 state = 0;
1866 return; 2327 if (png_check_fp_number((png_const_charp)buffer, length,
2328 &state, &i) == 0 || i != length)
2329 png_chunk_benign_error(png_ptr, "bad height format");
2330
2331 else if (PNG_FP_IS_POSITIVE(state) == 0)
2332 png_chunk_benign_error(png_ptr, "non-positive height");
2333
2334 else
2335 /* This is the (only) success case. */
2336 png_set_sCAL_s(png_ptr, info_ptr, buffer[0],
2337 (png_charp)buffer+1, (png_charp)buffer+heighti);
1867 } 2338 }
1868 #else
1869 #ifdef PNG_FIXED_POINT_SUPPORTED
1870 swidth = (png_charp)png_malloc_warn(png_ptr, png_strlen(ep) + 1);
1871 if (swidth == NULL)
1872 {
1873 png_warning(png_ptr, "Out of memory while processing sCAL chunk width");
1874 png_free(png_ptr, png_ptr->chunkdata);
1875 png_ptr->chunkdata = NULL;
1876 return;
1877 }
1878 png_memcpy(swidth, ep, (png_size_t)png_strlen(ep) + 1);
1879 #endif
1880 #endif
1881
1882 for (ep = png_ptr->chunkdata + 1; *ep; ep++)
1883 /* Empty loop */ ;
1884 ep++;
1885
1886 if (png_ptr->chunkdata + slength < ep)
1887 {
1888 png_warning(png_ptr, "Truncated sCAL chunk");
1889 #if defined(PNG_FIXED_POINT_SUPPORTED) && !defined(PNG_FLOATING_POINT_SUPPORTED)
1890 png_free(png_ptr, swidth);
1891 #endif
1892 png_free(png_ptr, png_ptr->chunkdata);
1893 png_ptr->chunkdata = NULL;
1894 return;
1895 }
1896
1897 #ifdef PNG_FLOATING_POINT_SUPPORTED
1898 height = png_strtod(png_ptr, ep, &vp);
1899 if (*vp)
1900 {
1901 png_warning(png_ptr, "malformed height string in sCAL chunk");
1902 png_free(png_ptr, png_ptr->chunkdata);
1903 png_ptr->chunkdata = NULL;
1904 #if defined(PNG_FIXED_POINT_SUPPORTED) && !defined(PNG_FLOATING_POINT_SUPPORTED)
1905 png_free(png_ptr, swidth);
1906 #endif
1907 return;
1908 }
1909 #else
1910 #ifdef PNG_FIXED_POINT_SUPPORTED
1911 sheight = (png_charp)png_malloc_warn(png_ptr, png_strlen(ep) + 1);
1912 if (sheight == NULL)
1913 {
1914 png_warning(png_ptr, "Out of memory while processing sCAL chunk height");
1915 png_free(png_ptr, png_ptr->chunkdata);
1916 png_ptr->chunkdata = NULL;
1917 #if defined(PNG_FIXED_POINT_SUPPORTED) && !defined(PNG_FLOATING_POINT_SUPPORTED)
1918 png_free(png_ptr, swidth);
1919 #endif
1920 return;
1921 }
1922 png_memcpy(sheight, ep, (png_size_t)png_strlen(ep) + 1);
1923 #endif
1924 #endif
1925
1926 if (png_ptr->chunkdata + slength < ep
1927 #ifdef PNG_FLOATING_POINT_SUPPORTED
1928 || width <= 0. || height <= 0.
1929 #endif
1930 )
1931 {
1932 png_warning(png_ptr, "Invalid sCAL data");
1933 png_free(png_ptr, png_ptr->chunkdata);
1934 png_ptr->chunkdata = NULL;
1935 #if defined(PNG_FIXED_POINT_SUPPORTED) && !defined(PNG_FLOATING_POINT_SUPPORTED)
1936 png_free(png_ptr, swidth);
1937 png_free(png_ptr, sheight);
1938 #endif
1939 return;
1940 }
1941
1942
1943 #ifdef PNG_FLOATING_POINT_SUPPORTED
1944 png_set_sCAL(png_ptr, info_ptr, png_ptr->chunkdata[0], width, height);
1945 #else
1946 #ifdef PNG_FIXED_POINT_SUPPORTED
1947 png_set_sCAL_s(png_ptr, info_ptr, png_ptr->chunkdata[0], swidth, sheight);
1948 #endif
1949 #endif
1950
1951 png_free(png_ptr, png_ptr->chunkdata);
1952 png_ptr->chunkdata = NULL;
1953 #if defined(PNG_FIXED_POINT_SUPPORTED) && !defined(PNG_FLOATING_POINT_SUPPORTED)
1954 png_free(png_ptr, swidth);
1955 png_free(png_ptr, sheight);
1956 #endif
1957 } 2339 }
1958 #endif 2340 #endif
1959 2341
1960 #ifdef PNG_READ_tIME_SUPPORTED 2342 #ifdef PNG_READ_tIME_SUPPORTED
1961 void /* PRIVATE */ 2343 void /* PRIVATE */
1962 png_handle_tIME(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) 2344 png_handle_tIME(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
1963 { 2345 {
1964 png_byte buf[7]; 2346 png_byte buf[7];
1965 png_time mod_time; 2347 png_time mod_time;
1966 2348
1967 png_debug(1, "in png_handle_tIME"); 2349 png_debug(1, "in png_handle_tIME");
1968 2350
1969 if (!(png_ptr->mode & PNG_HAVE_IHDR)) 2351 if ((png_ptr->mode & PNG_HAVE_IHDR) == 0)
1970 png_error(png_ptr, "Out of place tIME chunk"); 2352 png_chunk_error(png_ptr, "missing IHDR");
1971 else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_tIME)) 2353
2354 else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_tIME) != 0)
1972 { 2355 {
1973 png_warning(png_ptr, "Duplicate tIME chunk");
1974 png_crc_finish(png_ptr, length); 2356 png_crc_finish(png_ptr, length);
2357 png_chunk_benign_error(png_ptr, "duplicate");
1975 return; 2358 return;
1976 } 2359 }
1977 2360
1978 if (png_ptr->mode & PNG_HAVE_IDAT) 2361 if ((png_ptr->mode & PNG_HAVE_IDAT) != 0)
1979 png_ptr->mode |= PNG_AFTER_IDAT; 2362 png_ptr->mode |= PNG_AFTER_IDAT;
1980 2363
1981 if (length != 7) 2364 if (length != 7)
1982 { 2365 {
1983 png_warning(png_ptr, "Incorrect tIME chunk length");
1984 png_crc_finish(png_ptr, length); 2366 png_crc_finish(png_ptr, length);
2367 png_chunk_benign_error(png_ptr, "invalid");
1985 return; 2368 return;
1986 } 2369 }
1987 2370
1988 png_crc_read(png_ptr, buf, 7); 2371 png_crc_read(png_ptr, buf, 7);
1989 if (png_crc_finish(png_ptr, 0)) 2372
2373 if (png_crc_finish(png_ptr, 0) != 0)
1990 return; 2374 return;
1991 2375
1992 mod_time.second = buf[6]; 2376 mod_time.second = buf[6];
1993 mod_time.minute = buf[5]; 2377 mod_time.minute = buf[5];
1994 mod_time.hour = buf[4]; 2378 mod_time.hour = buf[4];
1995 mod_time.day = buf[3]; 2379 mod_time.day = buf[3];
1996 mod_time.month = buf[2]; 2380 mod_time.month = buf[2];
1997 mod_time.year = png_get_uint_16(buf); 2381 mod_time.year = png_get_uint_16(buf);
1998 2382
1999 png_set_tIME(png_ptr, info_ptr, &mod_time); 2383 png_set_tIME(png_ptr, info_ptr, &mod_time);
2000 } 2384 }
2001 #endif 2385 #endif
2002 2386
2003 #ifdef PNG_READ_tEXt_SUPPORTED 2387 #ifdef PNG_READ_tEXt_SUPPORTED
2004 /* Note: this does not properly handle chunks that are > 64K under DOS */ 2388 /* Note: this does not properly handle chunks that are > 64K under DOS */
2005 void /* PRIVATE */ 2389 void /* PRIVATE */
2006 png_handle_tEXt(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) 2390 png_handle_tEXt(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
2007 { 2391 {
2008 png_textp text_ptr; 2392 png_text text_info;
2393 png_bytep buffer;
2009 png_charp key; 2394 png_charp key;
2010 png_charp text; 2395 png_charp text;
2011 png_uint_32 skip = 0; 2396 png_uint_32 skip = 0;
2012 png_size_t slength;
2013 int ret;
2014 2397
2015 png_debug(1, "in png_handle_tEXt"); 2398 png_debug(1, "in png_handle_tEXt");
2016 2399
2017 #ifdef PNG_USER_LIMITS_SUPPORTED 2400 #ifdef PNG_USER_LIMITS_SUPPORTED
2018 if (png_ptr->user_chunk_cache_max != 0) 2401 if (png_ptr->user_chunk_cache_max != 0)
2019 { 2402 {
2020 if (png_ptr->user_chunk_cache_max == 1) 2403 if (png_ptr->user_chunk_cache_max == 1)
2021 { 2404 {
2022 png_crc_finish(png_ptr, length); 2405 png_crc_finish(png_ptr, length);
2023 return; 2406 return;
2024 } 2407 }
2408
2025 if (--png_ptr->user_chunk_cache_max == 1) 2409 if (--png_ptr->user_chunk_cache_max == 1)
2026 { 2410 {
2027 png_warning(png_ptr, "No space in chunk cache for tEXt");
2028 png_crc_finish(png_ptr, length); 2411 png_crc_finish(png_ptr, length);
2412 png_chunk_benign_error(png_ptr, "no space in chunk cache");
2029 return; 2413 return;
2030 } 2414 }
2031 } 2415 }
2032 #endif 2416 #endif
2033 2417
2034 if (!(png_ptr->mode & PNG_HAVE_IHDR)) 2418 if ((png_ptr->mode & PNG_HAVE_IHDR) == 0)
2035 png_error(png_ptr, "Missing IHDR before tEXt"); 2419 png_chunk_error(png_ptr, "missing IHDR");
2036 2420
2037 if (png_ptr->mode & PNG_HAVE_IDAT) 2421 if ((png_ptr->mode & PNG_HAVE_IDAT) != 0)
2038 png_ptr->mode |= PNG_AFTER_IDAT; 2422 png_ptr->mode |= PNG_AFTER_IDAT;
2039 2423
2040 #ifdef PNG_MAX_MALLOC_64K 2424 #ifdef PNG_MAX_MALLOC_64K
2041 if (length > (png_uint_32)65535L) 2425 if (length > 65535U)
2042 { 2426 {
2043 png_warning(png_ptr, "tEXt chunk too large to fit in memory"); 2427 png_crc_finish(png_ptr, length);
2044 skip = length - (png_uint_32)65535L; 2428 png_chunk_benign_error(png_ptr, "too large to fit in memory");
2045 length = (png_uint_32)65535L; 2429 return;
2046 } 2430 }
2047 #endif 2431 #endif
2048 2432
2049 png_free(png_ptr, png_ptr->chunkdata); 2433 buffer = png_read_buffer(png_ptr, length+1, 1/*warn*/);
2050 2434
2051 png_ptr->chunkdata = (png_charp)png_malloc_warn(png_ptr, length + 1); 2435 if (buffer == NULL)
2052 if (png_ptr->chunkdata == NULL)
2053 { 2436 {
2054 png_warning(png_ptr, "No memory to process text chunk."); 2437 png_chunk_benign_error(png_ptr, "out of memory");
2055 return; 2438 return;
2056 } 2439 }
2057 slength = (png_size_t)length;
2058 png_crc_read(png_ptr, (png_bytep)png_ptr->chunkdata, slength);
2059 2440
2060 if (png_crc_finish(png_ptr, skip)) 2441 png_crc_read(png_ptr, buffer, length);
2061 { 2442
2062 png_free(png_ptr, png_ptr->chunkdata); 2443 if (png_crc_finish(png_ptr, skip) != 0)
2063 png_ptr->chunkdata = NULL;
2064 return; 2444 return;
2065 }
2066 2445
2067 key = png_ptr->chunkdata; 2446 key = (png_charp)buffer;
2068 2447 key[length] = 0;
2069 key[slength] = 0x00;
2070 2448
2071 for (text = key; *text; text++) 2449 for (text = key; *text; text++)
2072 /* Empty loop to find end of key */ ; 2450 /* Empty loop to find end of key */ ;
2073 2451
2074 if (text != key + slength) 2452 if (text != key + length)
2075 text++; 2453 text++;
2076 2454
2077 text_ptr = (png_textp)png_malloc_warn(png_ptr, 2455 text_info.compression = PNG_TEXT_COMPRESSION_NONE;
2078 (png_uint_32)png_sizeof(png_text)); 2456 text_info.key = key;
2079 if (text_ptr == NULL) 2457 text_info.lang = NULL;
2080 { 2458 text_info.lang_key = NULL;
2081 png_warning(png_ptr, "Not enough memory to process text chunk."); 2459 text_info.itxt_length = 0;
2082 png_free(png_ptr, png_ptr->chunkdata); 2460 text_info.text = text;
2083 png_ptr->chunkdata = NULL; 2461 text_info.text_length = strlen(text);
2084 return;
2085 }
2086 text_ptr->compression = PNG_TEXT_COMPRESSION_NONE;
2087 text_ptr->key = key;
2088 #ifdef PNG_iTXt_SUPPORTED
2089 text_ptr->lang = NULL;
2090 text_ptr->lang_key = NULL;
2091 text_ptr->itxt_length = 0;
2092 #endif
2093 text_ptr->text = text;
2094 text_ptr->text_length = png_strlen(text);
2095 2462
2096 ret = png_set_text_2(png_ptr, info_ptr, text_ptr, 1); 2463 if (png_set_text_2(png_ptr, info_ptr, &text_info, 1) != 0)
2097 2464 png_warning(png_ptr, "Insufficient memory to process text chunk");
2098 png_free(png_ptr, png_ptr->chunkdata);
2099 png_ptr->chunkdata = NULL;
2100 png_free(png_ptr, text_ptr);
2101 if (ret)
2102 png_warning(png_ptr, "Insufficient memory to process text chunk.");
2103 } 2465 }
2104 #endif 2466 #endif
2105 2467
2106 #ifdef PNG_READ_zTXt_SUPPORTED 2468 #ifdef PNG_READ_zTXt_SUPPORTED
2107 /* Note: this does not correctly handle chunks that are > 64K under DOS */ 2469 /* Note: this does not correctly handle chunks that are > 64K under DOS */
2108 void /* PRIVATE */ 2470 void /* PRIVATE */
2109 png_handle_zTXt(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) 2471 png_handle_zTXt(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
2110 { 2472 {
2111 png_textp text_ptr; 2473 png_const_charp errmsg = NULL;
2112 png_charp text; 2474 png_bytep buffer;
2113 int comp_type; 2475 png_uint_32 keyword_length;
2114 int ret;
2115 png_size_t slength, prefix_len, data_len;
2116 2476
2117 png_debug(1, "in png_handle_zTXt"); 2477 png_debug(1, "in png_handle_zTXt");
2118 2478
2119 #ifdef PNG_USER_LIMITS_SUPPORTED 2479 #ifdef PNG_USER_LIMITS_SUPPORTED
2120 if (png_ptr->user_chunk_cache_max != 0) 2480 if (png_ptr->user_chunk_cache_max != 0)
2121 { 2481 {
2122 if (png_ptr->user_chunk_cache_max == 1) 2482 if (png_ptr->user_chunk_cache_max == 1)
2123 { 2483 {
2124 png_crc_finish(png_ptr, length); 2484 png_crc_finish(png_ptr, length);
2125 return; 2485 return;
2126 } 2486 }
2487
2127 if (--png_ptr->user_chunk_cache_max == 1) 2488 if (--png_ptr->user_chunk_cache_max == 1)
2128 { 2489 {
2129 png_warning(png_ptr, "No space in chunk cache for zTXt");
2130 png_crc_finish(png_ptr, length); 2490 png_crc_finish(png_ptr, length);
2491 png_chunk_benign_error(png_ptr, "no space in chunk cache");
2131 return; 2492 return;
2132 } 2493 }
2133 } 2494 }
2134 #endif 2495 #endif
2135 2496
2136 if (!(png_ptr->mode & PNG_HAVE_IHDR)) 2497 if ((png_ptr->mode & PNG_HAVE_IHDR) == 0)
2137 png_error(png_ptr, "Missing IHDR before zTXt"); 2498 png_chunk_error(png_ptr, "missing IHDR");
2138 2499
2139 if (png_ptr->mode & PNG_HAVE_IDAT) 2500 if ((png_ptr->mode & PNG_HAVE_IDAT) != 0)
2140 png_ptr->mode |= PNG_AFTER_IDAT; 2501 png_ptr->mode |= PNG_AFTER_IDAT;
2141 2502
2142 #ifdef PNG_MAX_MALLOC_64K 2503 buffer = png_read_buffer(png_ptr, length, 2/*silent*/);
2143 /* We will no doubt have problems with chunks even half this size, but 2504
2144 there is no hard and fast rule to tell us where to stop. */ 2505 if (buffer == NULL)
2145 if (length > (png_uint_32)65535L)
2146 { 2506 {
2147 png_warning(png_ptr, "zTXt chunk too large to fit in memory"); 2507 png_crc_finish(png_ptr, length);
2148 png_crc_finish(png_ptr, length); 2508 png_chunk_benign_error(png_ptr, "out of memory");
2149 return;
2150 }
2151 #endif
2152
2153 png_free(png_ptr, png_ptr->chunkdata);
2154 png_ptr->chunkdata = (png_charp)png_malloc_warn(png_ptr, length + 1);
2155 if (png_ptr->chunkdata == NULL)
2156 {
2157 png_warning(png_ptr, "Out of memory processing zTXt chunk.");
2158 return;
2159 }
2160 slength = (png_size_t)length;
2161 png_crc_read(png_ptr, (png_bytep)png_ptr->chunkdata, slength);
2162 if (png_crc_finish(png_ptr, 0))
2163 {
2164 png_free(png_ptr, png_ptr->chunkdata);
2165 png_ptr->chunkdata = NULL;
2166 return; 2509 return;
2167 } 2510 }
2168 2511
2169 png_ptr->chunkdata[slength] = 0x00; 2512 png_crc_read(png_ptr, buffer, length);
2170 2513
2171 for (text = png_ptr->chunkdata; *text; text++) 2514 if (png_crc_finish(png_ptr, 0) != 0)
2172 /* Empty loop */ ; 2515 return;
2173 2516
2174 /* zTXt must have some text after the chunkdataword */ 2517 /* TODO: also check that the keyword contents match the spec! */
2175 if (text >= png_ptr->chunkdata + slength - 2) 2518 for (keyword_length = 0;
2176 { 2519 keyword_length < length && buffer[keyword_length] != 0;
2177 png_warning(png_ptr, "Truncated zTXt chunk"); 2520 ++keyword_length)
2178 png_free(png_ptr, png_ptr->chunkdata); 2521 /* Empty loop to find end of name */ ;
2179 png_ptr->chunkdata = NULL; 2522
2180 return; 2523 if (keyword_length > 79 || keyword_length < 1)
2181 } 2524 errmsg = "bad keyword";
2525
2526 /* zTXt must have some LZ data after the keyword, although it may expand to
2527 * zero bytes; we need a '\0' at the end of the keyword, the compression type
2528 * then the LZ data:
2529 */
2530 else if (keyword_length + 3 > length)
2531 errmsg = "truncated";
2532
2533 else if (buffer[keyword_length+1] != PNG_COMPRESSION_TYPE_BASE)
2534 errmsg = "unknown compression type";
2535
2182 else 2536 else
2183 { 2537 {
2184 comp_type = *(++text); 2538 png_alloc_size_t uncompressed_length = PNG_SIZE_MAX;
2185 if (comp_type != PNG_TEXT_COMPRESSION_zTXt) 2539
2186 { 2540 /* TODO: at present png_decompress_chunk imposes a single application
2187 png_warning(png_ptr, "Unknown compression type in zTXt chunk"); 2541 * level memory limit, this should be split to different values for iCCP
2188 comp_type = PNG_TEXT_COMPRESSION_zTXt; 2542 * and text chunks.
2189 } 2543 */
2190 text++; /* Skip the compression_method byte */ 2544 if (png_decompress_chunk(png_ptr, length, keyword_length+2,
2545 &uncompressed_length, 1/*terminate*/) == Z_STREAM_END)
2546 {
2547 png_text text;
2548
2549 /* It worked; png_ptr->read_buffer now looks like a tEXt chunk except
2550 * for the extra compression type byte and the fact that it isn't
2551 * necessarily '\0' terminated.
2552 */
2553 buffer = png_ptr->read_buffer;
2554 buffer[uncompressed_length+(keyword_length+2)] = 0;
2555
2556 text.compression = PNG_TEXT_COMPRESSION_zTXt;
2557 text.key = (png_charp)buffer;
2558 text.text = (png_charp)(buffer + keyword_length+2);
2559 text.text_length = uncompressed_length;
2560 text.itxt_length = 0;
2561 text.lang = NULL;
2562 text.lang_key = NULL;
2563
2564 if (png_set_text_2(png_ptr, info_ptr, &text, 1) != 0)
2565 errmsg = "insufficient memory";
2566 }
2567
2568 else
2569 errmsg = png_ptr->zstream.msg;
2191 } 2570 }
2192 prefix_len = text - png_ptr->chunkdata;
2193 2571
2194 png_decompress_chunk(png_ptr, comp_type, 2572 if (errmsg != NULL)
2195 (png_size_t)length, prefix_len, &data_len); 2573 png_chunk_benign_error(png_ptr, errmsg);
2196
2197 text_ptr = (png_textp)png_malloc_warn(png_ptr,
2198 (png_uint_32)png_sizeof(png_text));
2199 if (text_ptr == NULL)
2200 {
2201 png_warning(png_ptr, "Not enough memory to process zTXt chunk.");
2202 png_free(png_ptr, png_ptr->chunkdata);
2203 png_ptr->chunkdata = NULL;
2204 return;
2205 }
2206 text_ptr->compression = comp_type;
2207 text_ptr->key = png_ptr->chunkdata;
2208 #ifdef PNG_iTXt_SUPPORTED
2209 text_ptr->lang = NULL;
2210 text_ptr->lang_key = NULL;
2211 text_ptr->itxt_length = 0;
2212 #endif
2213 text_ptr->text = png_ptr->chunkdata + prefix_len;
2214 text_ptr->text_length = data_len;
2215
2216 ret = png_set_text_2(png_ptr, info_ptr, text_ptr, 1);
2217
2218 png_free(png_ptr, text_ptr);
2219 png_free(png_ptr, png_ptr->chunkdata);
2220 png_ptr->chunkdata = NULL;
2221 if (ret)
2222 png_error(png_ptr, "Insufficient memory to store zTXt chunk.");
2223 } 2574 }
2224 #endif 2575 #endif
2225 2576
2226 #ifdef PNG_READ_iTXt_SUPPORTED 2577 #ifdef PNG_READ_iTXt_SUPPORTED
2227 /* Note: this does not correctly handle chunks that are > 64K under DOS */ 2578 /* Note: this does not correctly handle chunks that are > 64K under DOS */
2228 void /* PRIVATE */ 2579 void /* PRIVATE */
2229 png_handle_iTXt(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) 2580 png_handle_iTXt(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
2230 { 2581 {
2231 png_textp text_ptr; 2582 png_const_charp errmsg = NULL;
2232 png_charp key, lang, text, lang_key; 2583 png_bytep buffer;
2233 int comp_flag; 2584 png_uint_32 prefix_length;
2234 int comp_type = 0;
2235 int ret;
2236 png_size_t slength, prefix_len, data_len;
2237 2585
2238 png_debug(1, "in png_handle_iTXt"); 2586 png_debug(1, "in png_handle_iTXt");
2239 2587
2240 #ifdef PNG_USER_LIMITS_SUPPORTED 2588 #ifdef PNG_USER_LIMITS_SUPPORTED
2241 if (png_ptr->user_chunk_cache_max != 0) 2589 if (png_ptr->user_chunk_cache_max != 0)
2242 { 2590 {
2243 if (png_ptr->user_chunk_cache_max == 1) 2591 if (png_ptr->user_chunk_cache_max == 1)
2244 { 2592 {
2245 png_crc_finish(png_ptr, length); 2593 png_crc_finish(png_ptr, length);
2246 return; 2594 return;
2247 } 2595 }
2596
2248 if (--png_ptr->user_chunk_cache_max == 1) 2597 if (--png_ptr->user_chunk_cache_max == 1)
2249 { 2598 {
2250 png_warning(png_ptr, "No space in chunk cache for iTXt");
2251 png_crc_finish(png_ptr, length); 2599 png_crc_finish(png_ptr, length);
2600 png_chunk_benign_error(png_ptr, "no space in chunk cache");
2252 return; 2601 return;
2253 } 2602 }
2254 } 2603 }
2255 #endif 2604 #endif
2256 2605
2257 if (!(png_ptr->mode & PNG_HAVE_IHDR)) 2606 if ((png_ptr->mode & PNG_HAVE_IHDR) == 0)
2258 png_error(png_ptr, "Missing IHDR before iTXt"); 2607 png_chunk_error(png_ptr, "missing IHDR");
2259 2608
2260 if (png_ptr->mode & PNG_HAVE_IDAT) 2609 if ((png_ptr->mode & PNG_HAVE_IDAT) != 0)
2261 png_ptr->mode |= PNG_AFTER_IDAT; 2610 png_ptr->mode |= PNG_AFTER_IDAT;
2262 2611
2263 #ifdef PNG_MAX_MALLOC_64K 2612 buffer = png_read_buffer(png_ptr, length+1, 1/*warn*/);
2264 /* We will no doubt have problems with chunks even half this size, but 2613
2265 there is no hard and fast rule to tell us where to stop. */ 2614 if (buffer == NULL)
2266 if (length > (png_uint_32)65535L) 2615 {
2267 { 2616 png_crc_finish(png_ptr, length);
2268 png_warning(png_ptr, "iTXt chunk too large to fit in memory"); 2617 png_chunk_benign_error(png_ptr, "out of memory");
2269 png_crc_finish(png_ptr, length);
2270 return;
2271 }
2272 #endif
2273
2274 png_free(png_ptr, png_ptr->chunkdata);
2275 png_ptr->chunkdata = (png_charp)png_malloc_warn(png_ptr, length + 1);
2276 if (png_ptr->chunkdata == NULL)
2277 {
2278 png_warning(png_ptr, "No memory to process iTXt chunk.");
2279 return;
2280 }
2281 slength = (png_size_t)length;
2282 png_crc_read(png_ptr, (png_bytep)png_ptr->chunkdata, slength);
2283 if (png_crc_finish(png_ptr, 0))
2284 {
2285 png_free(png_ptr, png_ptr->chunkdata);
2286 png_ptr->chunkdata = NULL;
2287 return; 2618 return;
2288 } 2619 }
2289 2620
2290 png_ptr->chunkdata[slength] = 0x00; 2621 png_crc_read(png_ptr, buffer, length);
2291 2622
2292 for (lang = png_ptr->chunkdata; *lang; lang++) 2623 if (png_crc_finish(png_ptr, 0) != 0)
2624 return;
2625
2626 /* First the keyword. */
2627 for (prefix_length=0;
2628 prefix_length < length && buffer[prefix_length] != 0;
2629 ++prefix_length)
2293 /* Empty loop */ ; 2630 /* Empty loop */ ;
2294 lang++; /* Skip NUL separator */ 2631
2295 2632 /* Perform a basic check on the keyword length here. */
2296 /* iTXt must have a language tag (possibly empty), two compression bytes, 2633 if (prefix_length > 79 || prefix_length < 1)
2297 * translated keyword (possibly empty), and possibly some text after the 2634 errmsg = "bad keyword";
2298 * keyword 2635
2299 */ 2636 /* Expect keyword, compression flag, compression type, language, translated
2300 2637 * keyword (both may be empty but are 0 terminated) then the text, which may
2301 if (lang >= png_ptr->chunkdata + slength - 3) 2638 * be empty.
2302 { 2639 */
2303 png_warning(png_ptr, "Truncated iTXt chunk"); 2640 else if (prefix_length + 5 > length)
2304 png_free(png_ptr, png_ptr->chunkdata); 2641 errmsg = "truncated";
2305 png_ptr->chunkdata = NULL; 2642
2306 return; 2643 else if (buffer[prefix_length+1] == 0 ||
2307 } 2644 (buffer[prefix_length+1] == 1 &&
2645 buffer[prefix_length+2] == PNG_COMPRESSION_TYPE_BASE))
2646 {
2647 int compressed = buffer[prefix_length+1] != 0;
2648 png_uint_32 language_offset, translated_keyword_offset;
2649 png_alloc_size_t uncompressed_length = 0;
2650
2651 /* Now the language tag */
2652 prefix_length += 3;
2653 language_offset = prefix_length;
2654
2655 for (; prefix_length < length && buffer[prefix_length] != 0;
2656 ++prefix_length)
2657 /* Empty loop */ ;
2658
2659 /* WARNING: the length may be invalid here, this is checked below. */
2660 translated_keyword_offset = ++prefix_length;
2661
2662 for (; prefix_length < length && buffer[prefix_length] != 0;
2663 ++prefix_length)
2664 /* Empty loop */ ;
2665
2666 /* prefix_length should now be at the trailing '\0' of the translated
2667 * keyword, but it may already be over the end. None of this arithmetic
2668 * can overflow because chunks are at most 2^31 bytes long, but on 16-bit
2669 * systems the available allocation may overflow.
2670 */
2671 ++prefix_length;
2672
2673 if (compressed == 0 && prefix_length <= length)
2674 uncompressed_length = length - prefix_length;
2675
2676 else if (compressed != 0 && prefix_length < length)
2677 {
2678 uncompressed_length = PNG_SIZE_MAX;
2679
2680 /* TODO: at present png_decompress_chunk imposes a single application
2681 * level memory limit, this should be split to different values for
2682 * iCCP and text chunks.
2683 */
2684 if (png_decompress_chunk(png_ptr, length, prefix_length,
2685 &uncompressed_length, 1/*terminate*/) == Z_STREAM_END)
2686 buffer = png_ptr->read_buffer;
2687
2688 else
2689 errmsg = png_ptr->zstream.msg;
2690 }
2691
2692 else
2693 errmsg = "truncated";
2694
2695 if (errmsg == NULL)
2696 {
2697 png_text text;
2698
2699 buffer[uncompressed_length+prefix_length] = 0;
2700
2701 if (compressed == 0)
2702 text.compression = PNG_ITXT_COMPRESSION_NONE;
2703
2704 else
2705 text.compression = PNG_ITXT_COMPRESSION_zTXt;
2706
2707 text.key = (png_charp)buffer;
2708 text.lang = (png_charp)buffer + language_offset;
2709 text.lang_key = (png_charp)buffer + translated_keyword_offset;
2710 text.text = (png_charp)buffer + prefix_length;
2711 text.text_length = 0;
2712 text.itxt_length = uncompressed_length;
2713
2714 if (png_set_text_2(png_ptr, info_ptr, &text, 1) != 0)
2715 errmsg = "insufficient memory";
2716 }
2717 }
2718
2308 else 2719 else
2309 { 2720 errmsg = "bad compression info";
2310 comp_flag = *lang++; 2721
2311 comp_type = *lang++; 2722 if (errmsg != NULL)
2312 } 2723 png_chunk_benign_error(png_ptr, errmsg);
2313
2314 for (lang_key = lang; *lang_key; lang_key++)
2315 /* Empty loop */ ;
2316 lang_key++; /* Skip NUL separator */
2317
2318 if (lang_key >= png_ptr->chunkdata + slength)
2319 {
2320 png_warning(png_ptr, "Truncated iTXt chunk");
2321 png_free(png_ptr, png_ptr->chunkdata);
2322 png_ptr->chunkdata = NULL;
2323 return;
2324 }
2325
2326 for (text = lang_key; *text; text++)
2327 /* Empty loop */ ;
2328 text++; /* Skip NUL separator */
2329 if (text >= png_ptr->chunkdata + slength)
2330 {
2331 png_warning(png_ptr, "Malformed iTXt chunk");
2332 png_free(png_ptr, png_ptr->chunkdata);
2333 png_ptr->chunkdata = NULL;
2334 return;
2335 }
2336
2337 prefix_len = text - png_ptr->chunkdata;
2338
2339 key=png_ptr->chunkdata;
2340 if (comp_flag)
2341 png_decompress_chunk(png_ptr, comp_type,
2342 (size_t)length, prefix_len, &data_len);
2343 else
2344 data_len = png_strlen(png_ptr->chunkdata + prefix_len);
2345 text_ptr = (png_textp)png_malloc_warn(png_ptr,
2346 (png_uint_32)png_sizeof(png_text));
2347 if (text_ptr == NULL)
2348 {
2349 png_warning(png_ptr, "Not enough memory to process iTXt chunk.");
2350 png_free(png_ptr, png_ptr->chunkdata);
2351 png_ptr->chunkdata = NULL;
2352 return;
2353 }
2354 text_ptr->compression = (int)comp_flag + 1;
2355 text_ptr->lang_key = png_ptr->chunkdata + (lang_key - key);
2356 text_ptr->lang = png_ptr->chunkdata + (lang - key);
2357 text_ptr->itxt_length = data_len;
2358 text_ptr->text_length = 0;
2359 text_ptr->key = png_ptr->chunkdata;
2360 text_ptr->text = png_ptr->chunkdata + prefix_len;
2361
2362 ret = png_set_text_2(png_ptr, info_ptr, text_ptr, 1);
2363
2364 png_free(png_ptr, text_ptr);
2365 png_free(png_ptr, png_ptr->chunkdata);
2366 png_ptr->chunkdata = NULL;
2367 if (ret)
2368 png_error(png_ptr, "Insufficient memory to store iTXt chunk.");
2369 } 2724 }
2370 #endif 2725 #endif
2371 2726
2372 /* This function is called when we haven't found a handler for a 2727 #ifdef PNG_READ_UNKNOWN_CHUNKS_SUPPORTED
2373 chunk. If there isn't a problem with the chunk itself (ie bad 2728 /* Utility function for png_handle_unknown; set up png_ptr::unknown_chunk */
2374 chunk name, CRC, or a critical chunk), the chunk is silently ignored 2729 static int
2375 -- unless the PNG_FLAG_UNKNOWN_CHUNKS_SUPPORTED flag is on in which 2730 png_cache_unknown_chunk(png_structrp png_ptr, png_uint_32 length)
2376 case it will be saved away to be written out later. */ 2731 {
2732 png_alloc_size_t limit = PNG_SIZE_MAX;
2733
2734 if (png_ptr->unknown_chunk.data != NULL)
2735 {
2736 png_free(png_ptr, png_ptr->unknown_chunk.data);
2737 png_ptr->unknown_chunk.data = NULL;
2738 }
2739
2740 # ifdef PNG_SET_USER_LIMITS_SUPPORTED
2741 if (png_ptr->user_chunk_malloc_max > 0 &&
2742 png_ptr->user_chunk_malloc_max < limit)
2743 limit = png_ptr->user_chunk_malloc_max;
2744
2745 # elif PNG_USER_CHUNK_MALLOC_MAX > 0
2746 if (PNG_USER_CHUNK_MALLOC_MAX < limit)
2747 limit = PNG_USER_CHUNK_MALLOC_MAX;
2748 # endif
2749
2750 if (length <= limit)
2751 {
2752 PNG_CSTRING_FROM_CHUNK(png_ptr->unknown_chunk.name, png_ptr->chunk_name);
2753 /* The following is safe because of the PNG_SIZE_MAX init above */
2754 png_ptr->unknown_chunk.size = (png_size_t)length/*SAFE*/;
2755 /* 'mode' is a flag array, only the bottom four bits matter here */
2756 png_ptr->unknown_chunk.location = (png_byte)png_ptr->mode/*SAFE*/;
2757
2758 if (length == 0)
2759 png_ptr->unknown_chunk.data = NULL;
2760
2761 else
2762 {
2763 /* Do a 'warn' here - it is handled below. */
2764 png_ptr->unknown_chunk.data = png_voidcast(png_bytep,
2765 png_malloc_warn(png_ptr, length));
2766 }
2767 }
2768
2769 if (png_ptr->unknown_chunk.data == NULL && length > 0)
2770 {
2771 /* This is benign because we clean up correctly */
2772 png_crc_finish(png_ptr, length);
2773 png_chunk_benign_error(png_ptr, "unknown chunk exceeds memory limits");
2774 return 0;
2775 }
2776
2777 else
2778 {
2779 if (length > 0)
2780 png_crc_read(png_ptr, png_ptr->unknown_chunk.data, length);
2781 png_crc_finish(png_ptr, 0);
2782 return 1;
2783 }
2784 }
2785 #endif /* READ_UNKNOWN_CHUNKS */
2786
2787 /* Handle an unknown, or known but disabled, chunk */
2377 void /* PRIVATE */ 2788 void /* PRIVATE */
2378 png_handle_unknown(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) 2789 png_handle_unknown(png_structrp png_ptr, png_inforp info_ptr,
2790 png_uint_32 length, int keep)
2379 { 2791 {
2380 png_uint_32 skip = 0; 2792 int handled = 0; /* the chunk was handled */
2381 2793
2382 png_debug(1, "in png_handle_unknown"); 2794 png_debug(1, "in png_handle_unknown");
2383 2795
2384 #ifdef PNG_USER_LIMITS_SUPPORTED 2796 #ifdef PNG_READ_UNKNOWN_CHUNKS_SUPPORTED
2385 if (png_ptr->user_chunk_cache_max != 0) 2797 /* NOTE: this code is based on the code in libpng-1.4.12 except for fixing
2386 { 2798 * the bug which meant that setting a non-default behavior for a specific
2387 if (png_ptr->user_chunk_cache_max == 1) 2799 * chunk would be ignored (the default was always used unless a user
2800 * callback was installed).
2801 *
2802 * 'keep' is the value from the png_chunk_unknown_handling, the setting for
2803 * this specific chunk_name, if PNG_HANDLE_AS_UNKNOWN_SUPPORTED, if not it
2804 * will always be PNG_HANDLE_CHUNK_AS_DEFAULT and it needs to be set here.
2805 * This is just an optimization to avoid multiple calls to the lookup
2806 * function.
2807 */
2808 # ifndef PNG_HANDLE_AS_UNKNOWN_SUPPORTED
2809 # ifdef PNG_SET_UNKNOWN_CHUNKS_SUPPORTED
2810 keep = png_chunk_unknown_handling(png_ptr, png_ptr->chunk_name);
2811 # endif
2812 # endif
2813
2814 /* One of the following methods will read the chunk or skip it (at least one
2815 * of these is always defined because this is the only way to switch on
2816 * PNG_READ_UNKNOWN_CHUNKS_SUPPORTED)
2817 */
2818 # ifdef PNG_READ_USER_CHUNKS_SUPPORTED
2819 /* The user callback takes precedence over the chunk keep value, but the
2820 * keep value is still required to validate a save of a critical chunk.
2821 */
2822 if (png_ptr->read_user_chunk_fn != NULL)
2823 {
2824 if (png_cache_unknown_chunk(png_ptr, length) != 0)
2388 { 2825 {
2389 png_crc_finish(png_ptr, length); 2826 /* Callback to user unknown chunk handler */
2390 return; 2827 int ret = (*(png_ptr->read_user_chunk_fn))(png_ptr,
2391 } 2828 &png_ptr->unknown_chunk);
2392 if (--png_ptr->user_chunk_cache_max == 1) 2829
2393 { 2830 /* ret is:
2394 png_warning(png_ptr, "No space in chunk cache for unknown chunk"); 2831 * negative: An error occurred; png_chunk_error will be called.
2395 png_crc_finish(png_ptr, length); 2832 * zero: The chunk was not handled, the chunk will be discarded
2396 return; 2833 * unless png_set_keep_unknown_chunks has been used to set
2397 } 2834 * a 'keep' behavior for this particular chunk, in which
2398 } 2835 * case that will be used. A critical chunk will cause an
2399 #endif 2836 * error at this point unless it is to be saved.
2400 2837 * positive: The chunk was handled, libpng will ignore/discard it.
2401 if (png_ptr->mode & PNG_HAVE_IDAT) 2838 */
2402 { 2839 if (ret < 0)
2403 #ifdef PNG_USE_LOCAL_ARRAYS 2840 png_chunk_error(png_ptr, "error in user chunk");
2404 PNG_CONST PNG_IDAT; 2841
2405 #endif 2842 else if (ret == 0)
2406 if (png_memcmp(png_ptr->chunk_name, png_IDAT, 4)) /* Not an IDAT */
2407 png_ptr->mode |= PNG_AFTER_IDAT;
2408 }
2409
2410 if (!(png_ptr->chunk_name[0] & 0x20))
2411 {
2412 #ifdef PNG_HANDLE_AS_UNKNOWN_SUPPORTED
2413 if (png_handle_as_unknown(png_ptr, png_ptr->chunk_name) !=
2414 PNG_HANDLE_CHUNK_ALWAYS
2415 #ifdef PNG_READ_USER_CHUNKS_SUPPORTED
2416 && png_ptr->read_user_chunk_fn == NULL
2417 #endif
2418 )
2419 #endif
2420 png_chunk_error(png_ptr, "unknown critical chunk");
2421 }
2422
2423 #ifdef PNG_READ_UNKNOWN_CHUNKS_SUPPORTED
2424 if ((png_ptr->flags & PNG_FLAG_KEEP_UNKNOWN_CHUNKS)
2425 #ifdef PNG_READ_USER_CHUNKS_SUPPORTED
2426 || (png_ptr->read_user_chunk_fn != NULL)
2427 #endif
2428 )
2429 {
2430 #ifdef PNG_MAX_MALLOC_64K
2431 if (length > (png_uint_32)65535L)
2432 {
2433 png_warning(png_ptr, "unknown chunk too large to fit in memory");
2434 skip = length - (png_uint_32)65535L;
2435 length = (png_uint_32)65535L;
2436 }
2437 #endif
2438 png_memcpy((png_charp)png_ptr->unknown_chunk.name,
2439 (png_charp)png_ptr->chunk_name,
2440 png_sizeof(png_ptr->unknown_chunk.name));
2441 png_ptr->unknown_chunk.name[png_sizeof(png_ptr->unknown_chunk.name)-1]
2442 = '\0';
2443 png_ptr->unknown_chunk.size = (png_size_t)length;
2444 if (length == 0)
2445 png_ptr->unknown_chunk.data = NULL;
2446 else
2447 {
2448 png_ptr->unknown_chunk.data = (png_bytep)png_malloc(png_ptr, length);
2449 png_crc_read(png_ptr, (png_bytep)png_ptr->unknown_chunk.data, length);
2450 }
2451 #ifdef PNG_READ_USER_CHUNKS_SUPPORTED
2452 if (png_ptr->read_user_chunk_fn != NULL)
2453 {
2454 /* Callback to user unknown chunk handler */
2455 int ret;
2456 ret = (*(png_ptr->read_user_chunk_fn))
2457 (png_ptr, &png_ptr->unknown_chunk);
2458 if (ret < 0)
2459 png_chunk_error(png_ptr, "error in user chunk");
2460 if (ret == 0)
2461 {
2462 if (!(png_ptr->chunk_name[0] & 0x20))
2463 #ifdef PNG_HANDLE_AS_UNKNOWN_SUPPORTED
2464 if (png_handle_as_unknown(png_ptr, png_ptr->chunk_name) !=
2465 PNG_HANDLE_CHUNK_ALWAYS)
2466 #endif
2467 png_chunk_error(png_ptr, "unknown critical chunk");
2468 png_set_unknown_chunks(png_ptr, info_ptr,
2469 &png_ptr->unknown_chunk, 1);
2470 }
2471 }
2472 else
2473 #endif
2474 png_set_unknown_chunks(png_ptr, info_ptr, &png_ptr->unknown_chunk, 1);
2475 png_free(png_ptr, png_ptr->unknown_chunk.data);
2476 png_ptr->unknown_chunk.data = NULL;
2477 }
2478 else
2479 #endif
2480 skip = length;
2481
2482 png_crc_finish(png_ptr, skip);
2483
2484 #ifndef PNG_READ_USER_CHUNKS_SUPPORTED
2485 PNG_UNUSED(info_ptr) /* Quiet compiler warnings about unused info_ptr */
2486 #endif
2487 }
2488
2489 /* This function is called to verify that a chunk name is valid.
2490 This function can't have the "critical chunk check" incorporated
2491 into it, since in the future we will need to be able to call user
2492 functions to handle unknown critical chunks after we check that
2493 the chunk name itself is valid. */
2494
2495 #define isnonalpha(c) ((c) < 65 || (c) > 122 || ((c) > 90 && (c) < 97))
2496
2497 void /* PRIVATE */
2498 png_check_chunk_name(png_structp png_ptr, png_bytep chunk_name)
2499 {
2500 png_debug(1, "in png_check_chunk_name");
2501 if (isnonalpha(chunk_name[0]) || isnonalpha(chunk_name[1]) ||
2502 isnonalpha(chunk_name[2]) || isnonalpha(chunk_name[3]))
2503 {
2504 png_chunk_error(png_ptr, "invalid chunk type");
2505 }
2506 }
2507
2508 /* Combines the row recently read in with the existing pixels in the
2509 row. This routine takes care of alpha and transparency if requested.
2510 This routine also handles the two methods of progressive display
2511 of interlaced images, depending on the mask value.
2512 The mask value describes which pixels are to be combined with
2513 the row. The pattern always repeats every 8 pixels, so just 8
2514 bits are needed. A one indicates the pixel is to be combined,
2515 a zero indicates the pixel is to be skipped. This is in addition
2516 to any alpha or transparency value associated with the pixel. If
2517 you want all pixels to be combined, pass 0xff (255) in mask. */
2518
2519 void /* PRIVATE */
2520 png_combine_row(png_structp png_ptr, png_bytep row, int mask)
2521 {
2522 png_debug(1, "in png_combine_row");
2523 if (mask == 0xff)
2524 {
2525 png_memcpy(row, png_ptr->row_buf + 1,
2526 PNG_ROWBYTES(png_ptr->row_info.pixel_depth, png_ptr->width));
2527 }
2528 else
2529 {
2530 switch (png_ptr->row_info.pixel_depth)
2531 {
2532 case 1:
2533 { 2843 {
2534 png_bytep sp = png_ptr->row_buf + 1; 2844 /* If the keep value is 'default' or 'never' override it, but
2535 png_bytep dp = row; 2845 * still error out on critical chunks unless the keep value is
2536 int s_inc, s_start, s_end; 2846 * 'always' While this is weird it is the behavior in 1.4.12.
2537 int m = 0x80; 2847 * A possible improvement would be to obey the value set for the
2538 int shift; 2848 * chunk, but this would be an API change that would probably
2539 png_uint_32 i; 2849 * damage some applications.
2540 png_uint_32 row_width = png_ptr->width; 2850 *
2541 2851 * The png_app_warning below catches the case that matters, where
2542 #ifdef PNG_READ_PACKSWAP_SUPPORTED 2852 * the application has not set specific save or ignore for this
2543 if (png_ptr->transformations & PNG_PACKSWAP) 2853 * chunk or global save or ignore.
2854 */
2855 if (keep < PNG_HANDLE_CHUNK_IF_SAFE)
2544 { 2856 {
2545 s_start = 0; 2857 # ifdef PNG_SET_UNKNOWN_CHUNKS_SUPPORTED
2546 s_end = 7; 2858 if (png_ptr->unknown_default < PNG_HANDLE_CHUNK_IF_SAFE)
2547 s_inc = 1; 2859 {
2860 png_chunk_warning(png_ptr, "Saving unknown chunk:");
2861 png_app_warning(png_ptr,
2862 "forcing save of an unhandled chunk;"
2863 " please call png_set_keep_unknown_chunks");
2864 /* with keep = PNG_HANDLE_CHUNK_IF_SAFE */
2865 }
2866 # endif
2867 keep = PNG_HANDLE_CHUNK_IF_SAFE;
2548 } 2868 }
2549 else
2550 #endif
2551 {
2552 s_start = 7;
2553 s_end = 0;
2554 s_inc = -1;
2555 }
2556
2557 shift = s_start;
2558
2559 for (i = 0; i < row_width; i++)
2560 {
2561 if (m & mask)
2562 {
2563 int value;
2564
2565 value = (*sp >> shift) & 0x01;
2566 *dp &= (png_byte)((0x7f7f >> (7 - shift)) & 0xff);
2567 *dp |= (png_byte)(value << shift);
2568 }
2569
2570 if (shift == s_end)
2571 {
2572 shift = s_start;
2573 sp++;
2574 dp++;
2575 }
2576 else
2577 shift += s_inc;
2578
2579 if (m == 1)
2580 m = 0x80;
2581 else
2582 m >>= 1;
2583 }
2584 break;
2585 } 2869 }
2586 case 2: 2870
2871 else /* chunk was handled */
2587 { 2872 {
2588 png_bytep sp = png_ptr->row_buf + 1; 2873 handled = 1;
2589 png_bytep dp = row; 2874 /* Critical chunks can be safely discarded at this point. */
2590 int s_start, s_end, s_inc; 2875 keep = PNG_HANDLE_CHUNK_NEVER;
2591 int m = 0x80;
2592 int shift;
2593 png_uint_32 i;
2594 png_uint_32 row_width = png_ptr->width;
2595 int value;
2596
2597 #ifdef PNG_READ_PACKSWAP_SUPPORTED
2598 if (png_ptr->transformations & PNG_PACKSWAP)
2599 {
2600 s_start = 0;
2601 s_end = 6;
2602 s_inc = 2;
2603 }
2604 else
2605 #endif
2606 {
2607 s_start = 6;
2608 s_end = 0;
2609 s_inc = -2;
2610 }
2611
2612 shift = s_start;
2613
2614 for (i = 0; i < row_width; i++)
2615 {
2616 if (m & mask)
2617 {
2618 value = (*sp >> shift) & 0x03;
2619 *dp &= (png_byte)((0x3f3f >> (6 - shift)) & 0xff);
2620 *dp |= (png_byte)(value << shift);
2621 }
2622
2623 if (shift == s_end)
2624 {
2625 shift = s_start;
2626 sp++;
2627 dp++;
2628 }
2629 else
2630 shift += s_inc;
2631 if (m == 1)
2632 m = 0x80;
2633 else
2634 m >>= 1;
2635 }
2636 break;
2637 }
2638 case 4:
2639 {
2640 png_bytep sp = png_ptr->row_buf + 1;
2641 png_bytep dp = row;
2642 int s_start, s_end, s_inc;
2643 int m = 0x80;
2644 int shift;
2645 png_uint_32 i;
2646 png_uint_32 row_width = png_ptr->width;
2647 int value;
2648
2649 #ifdef PNG_READ_PACKSWAP_SUPPORTED
2650 if (png_ptr->transformations & PNG_PACKSWAP)
2651 {
2652 s_start = 0;
2653 s_end = 4;
2654 s_inc = 4;
2655 }
2656 else
2657 #endif
2658 {
2659 s_start = 4;
2660 s_end = 0;
2661 s_inc = -4;
2662 }
2663 shift = s_start;
2664
2665 for (i = 0; i < row_width; i++)
2666 {
2667 if (m & mask)
2668 {
2669 value = (*sp >> shift) & 0xf;
2670 *dp &= (png_byte)((0xf0f >> (4 - shift)) & 0xff);
2671 *dp |= (png_byte)(value << shift);
2672 }
2673
2674 if (shift == s_end)
2675 {
2676 shift = s_start;
2677 sp++;
2678 dp++;
2679 }
2680 else
2681 shift += s_inc;
2682 if (m == 1)
2683 m = 0x80;
2684 else
2685 m >>= 1;
2686 }
2687 break;
2688 }
2689 default:
2690 {
2691 png_bytep sp = png_ptr->row_buf + 1;
2692 png_bytep dp = row;
2693 png_size_t pixel_bytes = (png_ptr->row_info.pixel_depth >> 3);
2694 png_uint_32 i;
2695 png_uint_32 row_width = png_ptr->width;
2696 png_byte m = 0x80;
2697
2698
2699 for (i = 0; i < row_width; i++)
2700 {
2701 if (m & mask)
2702 {
2703 png_memcpy(dp, sp, pixel_bytes);
2704 }
2705
2706 sp += pixel_bytes;
2707 dp += pixel_bytes;
2708
2709 if (m == 1)
2710 m = 0x80;
2711 else
2712 m >>= 1;
2713 }
2714 break;
2715 } 2876 }
2716 } 2877 }
2717 } 2878
2879 else
2880 keep = PNG_HANDLE_CHUNK_NEVER; /* insufficient memory */
2881 }
2882
2883 else
2884 /* Use the SAVE_UNKNOWN_CHUNKS code or skip the chunk */
2885 # endif /* READ_USER_CHUNKS */
2886
2887 # ifdef PNG_SAVE_UNKNOWN_CHUNKS_SUPPORTED
2888 {
2889 /* keep is currently just the per-chunk setting, if there was no
2890 * setting change it to the global default now (not that this may
2891 * still be AS_DEFAULT) then obtain the cache of the chunk if required,
2892 * if not simply skip the chunk.
2893 */
2894 if (keep == PNG_HANDLE_CHUNK_AS_DEFAULT)
2895 keep = png_ptr->unknown_default;
2896
2897 if (keep == PNG_HANDLE_CHUNK_ALWAYS ||
2898 (keep == PNG_HANDLE_CHUNK_IF_SAFE &&
2899 PNG_CHUNK_ANCILLARY(png_ptr->chunk_name)))
2900 {
2901 if (png_cache_unknown_chunk(png_ptr, length) == 0)
2902 keep = PNG_HANDLE_CHUNK_NEVER;
2903 }
2904
2905 else
2906 png_crc_finish(png_ptr, length);
2907 }
2908 # else
2909 # ifndef PNG_READ_USER_CHUNKS_SUPPORTED
2910 # error no method to support READ_UNKNOWN_CHUNKS
2911 # endif
2912
2913 {
2914 /* If here there is no read callback pointer set and no support is
2915 * compiled in to just save the unknown chunks, so simply skip this
2916 * chunk. If 'keep' is something other than AS_DEFAULT or NEVER then
2917 * the app has erroneously asked for unknown chunk saving when there
2918 * is no support.
2919 */
2920 if (keep > PNG_HANDLE_CHUNK_NEVER)
2921 png_app_error(png_ptr, "no unknown chunk support available");
2922
2923 png_crc_finish(png_ptr, length);
2924 }
2925 # endif
2926
2927 # ifdef PNG_STORE_UNKNOWN_CHUNKS_SUPPORTED
2928 /* Now store the chunk in the chunk list if appropriate, and if the limits
2929 * permit it.
2930 */
2931 if (keep == PNG_HANDLE_CHUNK_ALWAYS ||
2932 (keep == PNG_HANDLE_CHUNK_IF_SAFE &&
2933 PNG_CHUNK_ANCILLARY(png_ptr->chunk_name)))
2934 {
2935 # ifdef PNG_USER_LIMITS_SUPPORTED
2936 switch (png_ptr->user_chunk_cache_max)
2937 {
2938 case 2:
2939 png_ptr->user_chunk_cache_max = 1;
2940 png_chunk_benign_error(png_ptr, "no space in chunk cache");
2941 /* FALL THROUGH */
2942 case 1:
2943 /* NOTE: prior to 1.6.0 this case resulted in an unknown critical
2944 * chunk being skipped, now there will be a hard error below.
2945 */
2946 break;
2947
2948 default: /* not at limit */
2949 --(png_ptr->user_chunk_cache_max);
2950 /* FALL THROUGH */
2951 case 0: /* no limit */
2952 # endif /* USER_LIMITS */
2953 /* Here when the limit isn't reached or when limits are compiled
2954 * out; store the chunk.
2955 */
2956 png_set_unknown_chunks(png_ptr, info_ptr,
2957 &png_ptr->unknown_chunk, 1);
2958 handled = 1;
2959 # ifdef PNG_USER_LIMITS_SUPPORTED
2960 break;
2961 }
2962 # endif
2963 }
2964 # else /* no store support: the chunk must be handled by the user callback */
2965 PNG_UNUSED(info_ptr)
2966 # endif
2967
2968 /* Regardless of the error handling below the cached data (if any) can be
2969 * freed now. Notice that the data is not freed if there is a png_error, but
2970 * it will be freed by destroy_read_struct.
2971 */
2972 if (png_ptr->unknown_chunk.data != NULL)
2973 png_free(png_ptr, png_ptr->unknown_chunk.data);
2974 png_ptr->unknown_chunk.data = NULL;
2975
2976 #else /* !PNG_READ_UNKNOWN_CHUNKS_SUPPORTED */
2977 /* There is no support to read an unknown chunk, so just skip it. */
2978 png_crc_finish(png_ptr, length);
2979 PNG_UNUSED(info_ptr)
2980 PNG_UNUSED(keep)
2981 #endif /* !READ_UNKNOWN_CHUNKS */
2982
2983 /* Check for unhandled critical chunks */
2984 if (handled == 0 && PNG_CHUNK_CRITICAL(png_ptr->chunk_name))
2985 png_chunk_error(png_ptr, "unhandled critical chunk");
2718 } 2986 }
2719 2987
2720 #ifdef PNG_READ_INTERLACING_SUPPORTED 2988 /* This function is called to verify that a chunk name is valid.
2721 /* OLD pre-1.0.9 interface: 2989 * This function can't have the "critical chunk check" incorporated
2722 void png_do_read_interlace(png_row_infop row_info, png_bytep row, int pass, 2990 * into it, since in the future we will need to be able to call user
2723 png_uint_32 transformations) 2991 * functions to handle unknown critical chunks after we check that
2992 * the chunk name itself is valid.
2993 */
2994
2995 /* Bit hacking: the test for an invalid byte in the 4 byte chunk name is:
2996 *
2997 * ((c) < 65 || (c) > 122 || ((c) > 90 && (c) < 97))
2998 */
2999
3000 void /* PRIVATE */
3001 png_check_chunk_name(png_structrp png_ptr, png_uint_32 chunk_name)
3002 {
3003 int i;
3004
3005 png_debug(1, "in png_check_chunk_name");
3006
3007 for (i=1; i<=4; ++i)
3008 {
3009 int c = chunk_name & 0xff;
3010
3011 if (c < 65 || c > 122 || (c > 90 && c < 97))
3012 png_chunk_error(png_ptr, "invalid chunk type");
3013
3014 chunk_name >>= 8;
3015 }
3016 }
3017
3018 /* Combines the row recently read in with the existing pixels in the row. This
3019 * routine takes care of alpha and transparency if requested. This routine also
3020 * handles the two methods of progressive display of interlaced images,
3021 * depending on the 'display' value; if 'display' is true then the whole row
3022 * (dp) is filled from the start by replicating the available pixels. If
3023 * 'display' is false only those pixels present in the pass are filled in.
2724 */ 3024 */
2725 void /* PRIVATE */ 3025 void /* PRIVATE */
2726 png_do_read_interlace(png_structp png_ptr) 3026 png_combine_row(png_const_structrp png_ptr, png_bytep dp, int display)
2727 { 3027 {
2728 png_row_infop row_info = &(png_ptr->row_info); 3028 unsigned int pixel_depth = png_ptr->transformed_pixel_depth;
2729 png_bytep row = png_ptr->row_buf + 1; 3029 png_const_bytep sp = png_ptr->row_buf + 1;
2730 int pass = png_ptr->pass; 3030 png_alloc_size_t row_width = png_ptr->width;
2731 png_uint_32 transformations = png_ptr->transformations; 3031 unsigned int pass = png_ptr->pass;
3032 png_bytep end_ptr = 0;
3033 png_byte end_byte = 0;
3034 unsigned int end_mask;
3035
3036 png_debug(1, "in png_combine_row");
3037
3038 /* Added in 1.5.6: it should not be possible to enter this routine until at
3039 * least one row has been read from the PNG data and transformed.
3040 */
3041 if (pixel_depth == 0)
3042 png_error(png_ptr, "internal row logic error");
3043
3044 /* Added in 1.5.4: the pixel depth should match the information returned by
3045 * any call to png_read_update_info at this point. Do not continue if we got
3046 * this wrong.
3047 */
3048 if (png_ptr->info_rowbytes != 0 && png_ptr->info_rowbytes !=
3049 PNG_ROWBYTES(pixel_depth, row_width))
3050 png_error(png_ptr, "internal row size calculation error");
3051
3052 /* Don't expect this to ever happen: */
3053 if (row_width == 0)
3054 png_error(png_ptr, "internal row width error");
3055
3056 /* Preserve the last byte in cases where only part of it will be overwritten,
3057 * the multiply below may overflow, we don't care because ANSI-C guarantees
3058 * we get the low bits.
3059 */
3060 end_mask = (pixel_depth * row_width) & 7;
3061 if (end_mask != 0)
3062 {
3063 /* end_ptr == NULL is a flag to say do nothing */
3064 end_ptr = dp + PNG_ROWBYTES(pixel_depth, row_width) - 1;
3065 end_byte = *end_ptr;
3066 # ifdef PNG_READ_PACKSWAP_SUPPORTED
3067 if ((png_ptr->transformations & PNG_PACKSWAP) != 0)
3068 /* little-endian byte */
3069 end_mask = 0xff << end_mask;
3070
3071 else /* big-endian byte */
3072 # endif
3073 end_mask = 0xff >> end_mask;
3074 /* end_mask is now the bits to *keep* from the destination row */
3075 }
3076
3077 /* For non-interlaced images this reduces to a memcpy(). A memcpy()
3078 * will also happen if interlacing isn't supported or if the application
3079 * does not call png_set_interlace_handling(). In the latter cases the
3080 * caller just gets a sequence of the unexpanded rows from each interlace
3081 * pass.
3082 */
3083 #ifdef PNG_READ_INTERLACING_SUPPORTED
3084 if (png_ptr->interlaced != 0 &&
3085 (png_ptr->transformations & PNG_INTERLACE) != 0 &&
3086 pass < 6 && (display == 0 ||
3087 /* The following copies everything for 'display' on passes 0, 2 and 4. */
3088 (display == 1 && (pass & 1) != 0)))
3089 {
3090 /* Narrow images may have no bits in a pass; the caller should handle
3091 * this, but this test is cheap:
3092 */
3093 if (row_width <= PNG_PASS_START_COL(pass))
3094 return;
3095
3096 if (pixel_depth < 8)
3097 {
3098 /* For pixel depths up to 4 bpp the 8-pixel mask can be expanded to fit
3099 * into 32 bits, then a single loop over the bytes using the four byte
3100 * values in the 32-bit mask can be used. For the 'display' option the
3101 * expanded mask may also not require any masking within a byte. To
3102 * make this work the PACKSWAP option must be taken into account - it
3103 * simply requires the pixels to be reversed in each byte.
3104 *
3105 * The 'regular' case requires a mask for each of the first 6 passes,
3106 * the 'display' case does a copy for the even passes in the range
3107 * 0..6. This has already been handled in the test above.
3108 *
3109 * The masks are arranged as four bytes with the first byte to use in
3110 * the lowest bits (little-endian) regardless of the order (PACKSWAP or
3111 * not) of the pixels in each byte.
3112 *
3113 * NOTE: the whole of this logic depends on the caller of this function
3114 * only calling it on rows appropriate to the pass. This function only
3115 * understands the 'x' logic; the 'y' logic is handled by the caller.
3116 *
3117 * The following defines allow generation of compile time constant bit
3118 * masks for each pixel depth and each possibility of swapped or not
3119 * swapped bytes. Pass 'p' is in the range 0..6; 'x', a pixel index,
3120 * is in the range 0..7; and the result is 1 if the pixel is to be
3121 * copied in the pass, 0 if not. 'S' is for the sparkle method, 'B'
3122 * for the block method.
3123 *
3124 * With some compilers a compile time expression of the general form:
3125 *
3126 * (shift >= 32) ? (a >> (shift-32)) : (b >> shift)
3127 *
3128 * Produces warnings with values of 'shift' in the range 33 to 63
3129 * because the right hand side of the ?: expression is evaluated by
3130 * the compiler even though it isn't used. Microsoft Visual C (various
3131 * versions) and the Intel C compiler are known to do this. To avoid
3132 * this the following macros are used in 1.5.6. This is a temporary
3133 * solution to avoid destabilizing the code during the release process.
3134 */
3135 # if PNG_USE_COMPILE_TIME_MASKS
3136 # define PNG_LSR(x,s) ((x)>>((s) & 0x1f))
3137 # define PNG_LSL(x,s) ((x)<<((s) & 0x1f))
3138 # else
3139 # define PNG_LSR(x,s) ((x)>>(s))
3140 # define PNG_LSL(x,s) ((x)<<(s))
3141 # endif
3142 # define S_COPY(p,x) (((p)<4 ? PNG_LSR(0x80088822,(3-(p))*8+(7-(x))) :\
3143 PNG_LSR(0xaa55ff00,(7-(p))*8+(7-(x)))) & 1)
3144 # define B_COPY(p,x) (((p)<4 ? PNG_LSR(0xff0fff33,(3-(p))*8+(7-(x))) :\
3145 PNG_LSR(0xff55ff00,(7-(p))*8+(7-(x)))) & 1)
3146
3147 /* Return a mask for pass 'p' pixel 'x' at depth 'd'. The mask is
3148 * little endian - the first pixel is at bit 0 - however the extra
3149 * parameter 's' can be set to cause the mask position to be swapped
3150 * within each byte, to match the PNG format. This is done by XOR of
3151 * the shift with 7, 6 or 4 for bit depths 1, 2 and 4.
3152 */
3153 # define PIXEL_MASK(p,x,d,s) \
3154 (PNG_LSL(((PNG_LSL(1U,(d)))-1),(((x)*(d))^((s)?8-(d):0))))
3155
3156 /* Hence generate the appropriate 'block' or 'sparkle' pixel copy mask.
3157 */
3158 # define S_MASKx(p,x,d,s) (S_COPY(p,x)?PIXEL_MASK(p,x,d,s):0)
3159 # define B_MASKx(p,x,d,s) (B_COPY(p,x)?PIXEL_MASK(p,x,d,s):0)
3160
3161 /* Combine 8 of these to get the full mask. For the 1-bpp and 2-bpp
3162 * cases the result needs replicating, for the 4-bpp case the above
3163 * generates a full 32 bits.
3164 */
3165 # define MASK_EXPAND(m,d) ((m)*((d)==1?0x01010101:((d)==2?0x00010001:1)))
3166
3167 # define S_MASK(p,d,s) MASK_EXPAND(S_MASKx(p,0,d,s) + S_MASKx(p,1,d,s) +\
3168 S_MASKx(p,2,d,s) + S_MASKx(p,3,d,s) + S_MASKx(p,4,d,s) +\
3169 S_MASKx(p,5,d,s) + S_MASKx(p,6,d,s) + S_MASKx(p,7,d,s), d)
3170
3171 # define B_MASK(p,d,s) MASK_EXPAND(B_MASKx(p,0,d,s) + B_MASKx(p,1,d,s) +\
3172 B_MASKx(p,2,d,s) + B_MASKx(p,3,d,s) + B_MASKx(p,4,d,s) +\
3173 B_MASKx(p,5,d,s) + B_MASKx(p,6,d,s) + B_MASKx(p,7,d,s), d)
3174
3175 #if PNG_USE_COMPILE_TIME_MASKS
3176 /* Utility macros to construct all the masks for a depth/swap
3177 * combination. The 's' parameter says whether the format is PNG
3178 * (big endian bytes) or not. Only the three odd-numbered passes are
3179 * required for the display/block algorithm.
3180 */
3181 # define S_MASKS(d,s) { S_MASK(0,d,s), S_MASK(1,d,s), S_MASK(2,d,s),\
3182 S_MASK(3,d,s), S_MASK(4,d,s), S_MASK(5,d,s) }
3183
3184 # define B_MASKS(d,s) { B_MASK(1,d,s), B_MASK(3,d,s), B_MASK(5,d,s) }
3185
3186 # define DEPTH_INDEX(d) ((d)==1?0:((d)==2?1:2))
3187
3188 /* Hence the pre-compiled masks indexed by PACKSWAP (or not), depth and
3189 * then pass:
3190 */
3191 static PNG_CONST png_uint_32 row_mask[2/*PACKSWAP*/][3/*depth*/][6] =
3192 {
3193 /* Little-endian byte masks for PACKSWAP */
3194 { S_MASKS(1,0), S_MASKS(2,0), S_MASKS(4,0) },
3195 /* Normal (big-endian byte) masks - PNG format */
3196 { S_MASKS(1,1), S_MASKS(2,1), S_MASKS(4,1) }
3197 };
3198
3199 /* display_mask has only three entries for the odd passes, so index by
3200 * pass>>1.
3201 */
3202 static PNG_CONST png_uint_32 display_mask[2][3][3] =
3203 {
3204 /* Little-endian byte masks for PACKSWAP */
3205 { B_MASKS(1,0), B_MASKS(2,0), B_MASKS(4,0) },
3206 /* Normal (big-endian byte) masks - PNG format */
3207 { B_MASKS(1,1), B_MASKS(2,1), B_MASKS(4,1) }
3208 };
3209
3210 # define MASK(pass,depth,display,png)\
3211 ((display)?display_mask[png][DEPTH_INDEX(depth)][pass>>1]:\
3212 row_mask[png][DEPTH_INDEX(depth)][pass])
3213
3214 #else /* !PNG_USE_COMPILE_TIME_MASKS */
3215 /* This is the runtime alternative: it seems unlikely that this will
3216 * ever be either smaller or faster than the compile time approach.
3217 */
3218 # define MASK(pass,depth,display,png)\
3219 ((display)?B_MASK(pass,depth,png):S_MASK(pass,depth,png))
3220 #endif /* !USE_COMPILE_TIME_MASKS */
3221
3222 /* Use the appropriate mask to copy the required bits. In some cases
3223 * the byte mask will be 0 or 0xff; optimize these cases. row_width is
3224 * the number of pixels, but the code copies bytes, so it is necessary
3225 * to special case the end.
3226 */
3227 png_uint_32 pixels_per_byte = 8 / pixel_depth;
3228 png_uint_32 mask;
3229
3230 # ifdef PNG_READ_PACKSWAP_SUPPORTED
3231 if ((png_ptr->transformations & PNG_PACKSWAP) != 0)
3232 mask = MASK(pass, pixel_depth, display, 0);
3233
3234 else
3235 # endif
3236 mask = MASK(pass, pixel_depth, display, 1);
3237
3238 for (;;)
3239 {
3240 png_uint_32 m;
3241
3242 /* It doesn't matter in the following if png_uint_32 has more than
3243 * 32 bits because the high bits always match those in m<<24; it is,
3244 * however, essential to use OR here, not +, because of this.
3245 */
3246 m = mask;
3247 mask = (m >> 8) | (m << 24); /* rotate right to good compilers */
3248 m &= 0xff;
3249
3250 if (m != 0) /* something to copy */
3251 {
3252 if (m != 0xff)
3253 *dp = (png_byte)((*dp & ~m) | (*sp & m));
3254 else
3255 *dp = *sp;
3256 }
3257
3258 /* NOTE: this may overwrite the last byte with garbage if the image
3259 * is not an exact number of bytes wide; libpng has always done
3260 * this.
3261 */
3262 if (row_width <= pixels_per_byte)
3263 break; /* May need to restore part of the last byte */
3264
3265 row_width -= pixels_per_byte;
3266 ++dp;
3267 ++sp;
3268 }
3269 }
3270
3271 else /* pixel_depth >= 8 */
3272 {
3273 unsigned int bytes_to_copy, bytes_to_jump;
3274
3275 /* Validate the depth - it must be a multiple of 8 */
3276 if (pixel_depth & 7)
3277 png_error(png_ptr, "invalid user transform pixel depth");
3278
3279 pixel_depth >>= 3; /* now in bytes */
3280 row_width *= pixel_depth;
3281
3282 /* Regardless of pass number the Adam 7 interlace always results in a
3283 * fixed number of pixels to copy then to skip. There may be a
3284 * different number of pixels to skip at the start though.
3285 */
3286 {
3287 unsigned int offset = PNG_PASS_START_COL(pass) * pixel_depth;
3288
3289 row_width -= offset;
3290 dp += offset;
3291 sp += offset;
3292 }
3293
3294 /* Work out the bytes to copy. */
3295 if (display != 0)
3296 {
3297 /* When doing the 'block' algorithm the pixel in the pass gets
3298 * replicated to adjacent pixels. This is why the even (0,2,4,6)
3299 * passes are skipped above - the entire expanded row is copied.
3300 */
3301 bytes_to_copy = (1<<((6-pass)>>1)) * pixel_depth;
3302
3303 /* But don't allow this number to exceed the actual row width. */
3304 if (bytes_to_copy > row_width)
3305 bytes_to_copy = (unsigned int)/*SAFE*/row_width;
3306 }
3307
3308 else /* normal row; Adam7 only ever gives us one pixel to copy. */
3309 bytes_to_copy = pixel_depth;
3310
3311 /* In Adam7 there is a constant offset between where the pixels go. */
3312 bytes_to_jump = PNG_PASS_COL_OFFSET(pass) * pixel_depth;
3313
3314 /* And simply copy these bytes. Some optimization is possible here,
3315 * depending on the value of 'bytes_to_copy'. Special case the low
3316 * byte counts, which we know to be frequent.
3317 *
3318 * Notice that these cases all 'return' rather than 'break' - this
3319 * avoids an unnecessary test on whether to restore the last byte
3320 * below.
3321 */
3322 switch (bytes_to_copy)
3323 {
3324 case 1:
3325 for (;;)
3326 {
3327 *dp = *sp;
3328
3329 if (row_width <= bytes_to_jump)
3330 return;
3331
3332 dp += bytes_to_jump;
3333 sp += bytes_to_jump;
3334 row_width -= bytes_to_jump;
3335 }
3336
3337 case 2:
3338 /* There is a possibility of a partial copy at the end here; this
3339 * slows the code down somewhat.
3340 */
3341 do
3342 {
3343 dp[0] = sp[0], dp[1] = sp[1];
3344
3345 if (row_width <= bytes_to_jump)
3346 return;
3347
3348 sp += bytes_to_jump;
3349 dp += bytes_to_jump;
3350 row_width -= bytes_to_jump;
3351 }
3352 while (row_width > 1);
3353
3354 /* And there can only be one byte left at this point: */
3355 *dp = *sp;
3356 return;
3357
3358 case 3:
3359 /* This can only be the RGB case, so each copy is exactly one
3360 * pixel and it is not necessary to check for a partial copy.
3361 */
3362 for (;;)
3363 {
3364 dp[0] = sp[0], dp[1] = sp[1], dp[2] = sp[2];
3365
3366 if (row_width <= bytes_to_jump)
3367 return;
3368
3369 sp += bytes_to_jump;
3370 dp += bytes_to_jump;
3371 row_width -= bytes_to_jump;
3372 }
3373
3374 default:
3375 #if PNG_ALIGN_TYPE != PNG_ALIGN_NONE
3376 /* Check for double byte alignment and, if possible, use a
3377 * 16-bit copy. Don't attempt this for narrow images - ones that
3378 * are less than an interlace panel wide. Don't attempt it for
3379 * wide bytes_to_copy either - use the memcpy there.
3380 */
3381 if (bytes_to_copy < 16 /*else use memcpy*/ &&
3382 png_isaligned(dp, png_uint_16) &&
3383 png_isaligned(sp, png_uint_16) &&
3384 bytes_to_copy % (sizeof (png_uint_16)) == 0 &&
3385 bytes_to_jump % (sizeof (png_uint_16)) == 0)
3386 {
3387 /* Everything is aligned for png_uint_16 copies, but try for
3388 * png_uint_32 first.
3389 */
3390 if (png_isaligned(dp, png_uint_32) != 0 &&
3391 png_isaligned(sp, png_uint_32) != 0 &&
3392 bytes_to_copy % (sizeof (png_uint_32)) == 0 &&
3393 bytes_to_jump % (sizeof (png_uint_32)) == 0)
3394 {
3395 png_uint_32p dp32 = png_aligncast(png_uint_32p,dp);
3396 png_const_uint_32p sp32 = png_aligncastconst(
3397 png_const_uint_32p, sp);
3398 size_t skip = (bytes_to_jump-bytes_to_copy) /
3399 (sizeof (png_uint_32));
3400
3401 do
3402 {
3403 size_t c = bytes_to_copy;
3404 do
3405 {
3406 *dp32++ = *sp32++;
3407 c -= (sizeof (png_uint_32));
3408 }
3409 while (c > 0);
3410
3411 if (row_width <= bytes_to_jump)
3412 return;
3413
3414 dp32 += skip;
3415 sp32 += skip;
3416 row_width -= bytes_to_jump;
3417 }
3418 while (bytes_to_copy <= row_width);
3419
3420 /* Get to here when the row_width truncates the final copy.
3421 * There will be 1-3 bytes left to copy, so don't try the
3422 * 16-bit loop below.
3423 */
3424 dp = (png_bytep)dp32;
3425 sp = (png_const_bytep)sp32;
3426 do
3427 *dp++ = *sp++;
3428 while (--row_width > 0);
3429 return;
3430 }
3431
3432 /* Else do it in 16-bit quantities, but only if the size is
3433 * not too large.
3434 */
3435 else
3436 {
3437 png_uint_16p dp16 = png_aligncast(png_uint_16p, dp);
3438 png_const_uint_16p sp16 = png_aligncastconst(
3439 png_const_uint_16p, sp);
3440 size_t skip = (bytes_to_jump-bytes_to_copy) /
3441 (sizeof (png_uint_16));
3442
3443 do
3444 {
3445 size_t c = bytes_to_copy;
3446 do
3447 {
3448 *dp16++ = *sp16++;
3449 c -= (sizeof (png_uint_16));
3450 }
3451 while (c > 0);
3452
3453 if (row_width <= bytes_to_jump)
3454 return;
3455
3456 dp16 += skip;
3457 sp16 += skip;
3458 row_width -= bytes_to_jump;
3459 }
3460 while (bytes_to_copy <= row_width);
3461
3462 /* End of row - 1 byte left, bytes_to_copy > row_width: */
3463 dp = (png_bytep)dp16;
3464 sp = (png_const_bytep)sp16;
3465 do
3466 *dp++ = *sp++;
3467 while (--row_width > 0);
3468 return;
3469 }
3470 }
3471 #endif /* ALIGN_TYPE code */
3472
3473 /* The true default - use a memcpy: */
3474 for (;;)
3475 {
3476 memcpy(dp, sp, bytes_to_copy);
3477
3478 if (row_width <= bytes_to_jump)
3479 return;
3480
3481 sp += bytes_to_jump;
3482 dp += bytes_to_jump;
3483 row_width -= bytes_to_jump;
3484 if (bytes_to_copy > row_width)
3485 bytes_to_copy = (unsigned int)/*SAFE*/row_width;
3486 }
3487 }
3488
3489 /* NOT REACHED*/
3490 } /* pixel_depth >= 8 */
3491
3492 /* Here if pixel_depth < 8 to check 'end_ptr' below. */
3493 }
3494 else
3495 #endif /* READ_INTERLACING */
3496
3497 /* If here then the switch above wasn't used so just memcpy the whole row
3498 * from the temporary row buffer (notice that this overwrites the end of the
3499 * destination row if it is a partial byte.)
3500 */
3501 memcpy(dp, sp, PNG_ROWBYTES(pixel_depth, row_width));
3502
3503 /* Restore the overwritten bits from the last byte if necessary. */
3504 if (end_ptr != NULL)
3505 *end_ptr = (png_byte)((end_byte & end_mask) | (*end_ptr & ~end_mask));
3506 }
3507
3508 #ifdef PNG_READ_INTERLACING_SUPPORTED
3509 void /* PRIVATE */
3510 png_do_read_interlace(png_row_infop row_info, png_bytep row, int pass,
3511 png_uint_32 transformations /* Because these may affect the byte layout */)
3512 {
2732 /* Arrays to facilitate easy interlacing - use pass (0 - 6) as index */ 3513 /* Arrays to facilitate easy interlacing - use pass (0 - 6) as index */
2733 /* Offset to next interlace block */ 3514 /* Offset to next interlace block */
2734 #ifndef PNG_USE_GLOBAL_ARRAYS 3515 static PNG_CONST int png_pass_inc[7] = {8, 8, 4, 4, 2, 2, 1};
2735 PNG_CONST int png_pass_inc[7] = {8, 8, 4, 4, 2, 2, 1};
2736 #endif
2737 3516
2738 png_debug(1, "in png_do_read_interlace"); 3517 png_debug(1, "in png_do_read_interlace");
2739 if (row != NULL && row_info != NULL) 3518 if (row != NULL && row_info != NULL)
2740 { 3519 {
2741 png_uint_32 final_width; 3520 png_uint_32 final_width;
2742 3521
2743 final_width = row_info->width * png_pass_inc[pass]; 3522 final_width = row_info->width * png_pass_inc[pass];
2744 3523
2745 switch (row_info->pixel_depth) 3524 switch (row_info->pixel_depth)
2746 { 3525 {
2747 case 1: 3526 case 1:
2748 { 3527 {
2749 png_bytep sp = row + (png_size_t)((row_info->width - 1) >> 3); 3528 png_bytep sp = row + (png_size_t)((row_info->width - 1) >> 3);
2750 png_bytep dp = row + (png_size_t)((final_width - 1) >> 3); 3529 png_bytep dp = row + (png_size_t)((final_width - 1) >> 3);
2751 int sshift, dshift; 3530 int sshift, dshift;
2752 int s_start, s_end, s_inc; 3531 int s_start, s_end, s_inc;
2753 int jstop = png_pass_inc[pass]; 3532 int jstop = png_pass_inc[pass];
2754 png_byte v; 3533 png_byte v;
2755 png_uint_32 i; 3534 png_uint_32 i;
2756 int j; 3535 int j;
2757 3536
2758 #ifdef PNG_READ_PACKSWAP_SUPPORTED 3537 #ifdef PNG_READ_PACKSWAP_SUPPORTED
2759 if (transformations & PNG_PACKSWAP) 3538 if ((transformations & PNG_PACKSWAP) != 0)
2760 { 3539 {
2761 sshift = (int)((row_info->width + 7) & 0x07); 3540 sshift = (int)((row_info->width + 7) & 0x07);
2762 dshift = (int)((final_width + 7) & 0x07); 3541 dshift = (int)((final_width + 7) & 0x07);
2763 s_start = 7; 3542 s_start = 7;
2764 s_end = 0; 3543 s_end = 0;
2765 s_inc = -1; 3544 s_inc = -1;
2766 } 3545 }
3546
2767 else 3547 else
2768 #endif 3548 #endif
2769 { 3549 {
2770 sshift = 7 - (int)((row_info->width + 7) & 0x07); 3550 sshift = 7 - (int)((row_info->width + 7) & 0x07);
2771 dshift = 7 - (int)((final_width + 7) & 0x07); 3551 dshift = 7 - (int)((final_width + 7) & 0x07);
2772 s_start = 0; 3552 s_start = 0;
2773 s_end = 7; 3553 s_end = 7;
2774 s_inc = 1; 3554 s_inc = 1;
2775 } 3555 }
2776 3556
2777 for (i = 0; i < row_info->width; i++) 3557 for (i = 0; i < row_info->width; i++)
2778 { 3558 {
2779 v = (png_byte)((*sp >> sshift) & 0x01); 3559 v = (png_byte)((*sp >> sshift) & 0x01);
2780 for (j = 0; j < jstop; j++) 3560 for (j = 0; j < jstop; j++)
2781 { 3561 {
2782 *dp &= (png_byte)((0x7f7f >> (7 - dshift)) & 0xff); 3562 unsigned int tmp = *dp & (0x7f7f >> (7 - dshift));
2783 *dp |= (png_byte)(v << dshift); 3563 tmp |= v << dshift;
3564 *dp = (png_byte)(tmp & 0xff);
3565
2784 if (dshift == s_end) 3566 if (dshift == s_end)
2785 { 3567 {
2786 dshift = s_start; 3568 dshift = s_start;
2787 dp--; 3569 dp--;
2788 } 3570 }
3571
2789 else 3572 else
2790 dshift += s_inc; 3573 dshift += s_inc;
2791 } 3574 }
3575
2792 if (sshift == s_end) 3576 if (sshift == s_end)
2793 { 3577 {
2794 sshift = s_start; 3578 sshift = s_start;
2795 sp--; 3579 sp--;
2796 } 3580 }
3581
2797 else 3582 else
2798 sshift += s_inc; 3583 sshift += s_inc;
2799 } 3584 }
2800 break; 3585 break;
2801 } 3586 }
3587
2802 case 2: 3588 case 2:
2803 { 3589 {
2804 png_bytep sp = row + (png_uint_32)((row_info->width - 1) >> 2); 3590 png_bytep sp = row + (png_uint_32)((row_info->width - 1) >> 2);
2805 png_bytep dp = row + (png_uint_32)((final_width - 1) >> 2); 3591 png_bytep dp = row + (png_uint_32)((final_width - 1) >> 2);
2806 int sshift, dshift; 3592 int sshift, dshift;
2807 int s_start, s_end, s_inc; 3593 int s_start, s_end, s_inc;
2808 int jstop = png_pass_inc[pass]; 3594 int jstop = png_pass_inc[pass];
2809 png_uint_32 i; 3595 png_uint_32 i;
2810 3596
2811 #ifdef PNG_READ_PACKSWAP_SUPPORTED 3597 #ifdef PNG_READ_PACKSWAP_SUPPORTED
2812 if (transformations & PNG_PACKSWAP) 3598 if ((transformations & PNG_PACKSWAP) != 0)
2813 { 3599 {
2814 sshift = (int)(((row_info->width + 3) & 0x03) << 1); 3600 sshift = (int)(((row_info->width + 3) & 0x03) << 1);
2815 dshift = (int)(((final_width + 3) & 0x03) << 1); 3601 dshift = (int)(((final_width + 3) & 0x03) << 1);
2816 s_start = 6; 3602 s_start = 6;
2817 s_end = 0; 3603 s_end = 0;
2818 s_inc = -2; 3604 s_inc = -2;
2819 } 3605 }
3606
2820 else 3607 else
2821 #endif 3608 #endif
2822 { 3609 {
2823 sshift = (int)((3 - ((row_info->width + 3) & 0x03)) << 1); 3610 sshift = (int)((3 - ((row_info->width + 3) & 0x03)) << 1);
2824 dshift = (int)((3 - ((final_width + 3) & 0x03)) << 1); 3611 dshift = (int)((3 - ((final_width + 3) & 0x03)) << 1);
2825 s_start = 0; 3612 s_start = 0;
2826 s_end = 6; 3613 s_end = 6;
2827 s_inc = 2; 3614 s_inc = 2;
2828 } 3615 }
2829 3616
2830 for (i = 0; i < row_info->width; i++) 3617 for (i = 0; i < row_info->width; i++)
2831 { 3618 {
2832 png_byte v; 3619 png_byte v;
2833 int j; 3620 int j;
2834 3621
2835 v = (png_byte)((*sp >> sshift) & 0x03); 3622 v = (png_byte)((*sp >> sshift) & 0x03);
2836 for (j = 0; j < jstop; j++) 3623 for (j = 0; j < jstop; j++)
2837 { 3624 {
2838 *dp &= (png_byte)((0x3f3f >> (6 - dshift)) & 0xff); 3625 unsigned int tmp = *dp & (0x3f3f >> (6 - dshift));
2839 *dp |= (png_byte)(v << dshift); 3626 tmp |= v << dshift;
3627 *dp = (png_byte)(tmp & 0xff);
3628
2840 if (dshift == s_end) 3629 if (dshift == s_end)
2841 { 3630 {
2842 dshift = s_start; 3631 dshift = s_start;
2843 dp--; 3632 dp--;
2844 } 3633 }
3634
2845 else 3635 else
2846 dshift += s_inc; 3636 dshift += s_inc;
2847 } 3637 }
3638
2848 if (sshift == s_end) 3639 if (sshift == s_end)
2849 { 3640 {
2850 sshift = s_start; 3641 sshift = s_start;
2851 sp--; 3642 sp--;
2852 } 3643 }
3644
2853 else 3645 else
2854 sshift += s_inc; 3646 sshift += s_inc;
2855 } 3647 }
2856 break; 3648 break;
2857 } 3649 }
3650
2858 case 4: 3651 case 4:
2859 { 3652 {
2860 png_bytep sp = row + (png_size_t)((row_info->width - 1) >> 1); 3653 png_bytep sp = row + (png_size_t)((row_info->width - 1) >> 1);
2861 png_bytep dp = row + (png_size_t)((final_width - 1) >> 1); 3654 png_bytep dp = row + (png_size_t)((final_width - 1) >> 1);
2862 int sshift, dshift; 3655 int sshift, dshift;
2863 int s_start, s_end, s_inc; 3656 int s_start, s_end, s_inc;
2864 png_uint_32 i; 3657 png_uint_32 i;
2865 int jstop = png_pass_inc[pass]; 3658 int jstop = png_pass_inc[pass];
2866 3659
2867 #ifdef PNG_READ_PACKSWAP_SUPPORTED 3660 #ifdef PNG_READ_PACKSWAP_SUPPORTED
2868 if (transformations & PNG_PACKSWAP) 3661 if ((transformations & PNG_PACKSWAP) != 0)
2869 { 3662 {
2870 sshift = (int)(((row_info->width + 1) & 0x01) << 2); 3663 sshift = (int)(((row_info->width + 1) & 0x01) << 2);
2871 dshift = (int)(((final_width + 1) & 0x01) << 2); 3664 dshift = (int)(((final_width + 1) & 0x01) << 2);
2872 s_start = 4; 3665 s_start = 4;
2873 s_end = 0; 3666 s_end = 0;
2874 s_inc = -4; 3667 s_inc = -4;
2875 } 3668 }
3669
2876 else 3670 else
2877 #endif 3671 #endif
2878 { 3672 {
2879 sshift = (int)((1 - ((row_info->width + 1) & 0x01)) << 2); 3673 sshift = (int)((1 - ((row_info->width + 1) & 0x01)) << 2);
2880 dshift = (int)((1 - ((final_width + 1) & 0x01)) << 2); 3674 dshift = (int)((1 - ((final_width + 1) & 0x01)) << 2);
2881 s_start = 0; 3675 s_start = 0;
2882 s_end = 4; 3676 s_end = 4;
2883 s_inc = 4; 3677 s_inc = 4;
2884 } 3678 }
2885 3679
2886 for (i = 0; i < row_info->width; i++) 3680 for (i = 0; i < row_info->width; i++)
2887 { 3681 {
2888 png_byte v = (png_byte)((*sp >> sshift) & 0xf); 3682 png_byte v = (png_byte)((*sp >> sshift) & 0x0f);
2889 int j; 3683 int j;
2890 3684
2891 for (j = 0; j < jstop; j++) 3685 for (j = 0; j < jstop; j++)
2892 { 3686 {
2893 *dp &= (png_byte)((0xf0f >> (4 - dshift)) & 0xff); 3687 unsigned int tmp = *dp & (0xf0f >> (4 - dshift));
2894 *dp |= (png_byte)(v << dshift); 3688 tmp |= v << dshift;
3689 *dp = (png_byte)(tmp & 0xff);
3690
2895 if (dshift == s_end) 3691 if (dshift == s_end)
2896 { 3692 {
2897 dshift = s_start; 3693 dshift = s_start;
2898 dp--; 3694 dp--;
2899 } 3695 }
3696
2900 else 3697 else
2901 dshift += s_inc; 3698 dshift += s_inc;
2902 } 3699 }
3700
2903 if (sshift == s_end) 3701 if (sshift == s_end)
2904 { 3702 {
2905 sshift = s_start; 3703 sshift = s_start;
2906 sp--; 3704 sp--;
2907 } 3705 }
3706
2908 else 3707 else
2909 sshift += s_inc; 3708 sshift += s_inc;
2910 } 3709 }
2911 break; 3710 break;
2912 } 3711 }
3712
2913 default: 3713 default:
2914 { 3714 {
2915 png_size_t pixel_bytes = (row_info->pixel_depth >> 3); 3715 png_size_t pixel_bytes = (row_info->pixel_depth >> 3);
3716
2916 png_bytep sp = row + (png_size_t)(row_info->width - 1) 3717 png_bytep sp = row + (png_size_t)(row_info->width - 1)
2917 * pixel_bytes; 3718 * pixel_bytes;
3719
2918 png_bytep dp = row + (png_size_t)(final_width - 1) * pixel_bytes; 3720 png_bytep dp = row + (png_size_t)(final_width - 1) * pixel_bytes;
2919 3721
2920 int jstop = png_pass_inc[pass]; 3722 int jstop = png_pass_inc[pass];
2921 png_uint_32 i; 3723 png_uint_32 i;
2922 3724
2923 for (i = 0; i < row_info->width; i++) 3725 for (i = 0; i < row_info->width; i++)
2924 { 3726 {
2925 png_byte v[8]; 3727 png_byte v[8]; /* SAFE; pixel_depth does not exceed 64 */
2926 int j; 3728 int j;
2927 3729
2928 png_memcpy(v, sp, pixel_bytes); 3730 memcpy(v, sp, pixel_bytes);
3731
2929 for (j = 0; j < jstop; j++) 3732 for (j = 0; j < jstop; j++)
2930 { 3733 {
2931 png_memcpy(dp, v, pixel_bytes); 3734 memcpy(dp, v, pixel_bytes);
2932 dp -= pixel_bytes; 3735 dp -= pixel_bytes;
2933 } 3736 }
3737
2934 sp -= pixel_bytes; 3738 sp -= pixel_bytes;
2935 } 3739 }
2936 break; 3740 break;
2937 } 3741 }
2938 } 3742 }
3743
2939 row_info->width = final_width; 3744 row_info->width = final_width;
2940 row_info->rowbytes = PNG_ROWBYTES(row_info->pixel_depth, final_width); 3745 row_info->rowbytes = PNG_ROWBYTES(row_info->pixel_depth, final_width);
2941 } 3746 }
2942 #ifndef PNG_READ_PACKSWAP_SUPPORTED 3747 #ifndef PNG_READ_PACKSWAP_SUPPORTED
2943 PNG_UNUSED(transformations) /* Silence compiler warning */ 3748 PNG_UNUSED(transformations) /* Silence compiler warning */
2944 #endif 3749 #endif
2945 } 3750 }
2946 #endif /* PNG_READ_INTERLACING_SUPPORTED */ 3751 #endif /* READ_INTERLACING */
3752
3753 static void
3754 png_read_filter_row_sub(png_row_infop row_info, png_bytep row,
3755 png_const_bytep prev_row)
3756 {
3757 png_size_t i;
3758 png_size_t istop = row_info->rowbytes;
3759 unsigned int bpp = (row_info->pixel_depth + 7) >> 3;
3760 png_bytep rp = row + bpp;
3761
3762 PNG_UNUSED(prev_row)
3763
3764 for (i = bpp; i < istop; i++)
3765 {
3766 *rp = (png_byte)(((int)(*rp) + (int)(*(rp-bpp))) & 0xff);
3767 rp++;
3768 }
3769 }
3770
3771 static void
3772 png_read_filter_row_up(png_row_infop row_info, png_bytep row,
3773 png_const_bytep prev_row)
3774 {
3775 png_size_t i;
3776 png_size_t istop = row_info->rowbytes;
3777 png_bytep rp = row;
3778 png_const_bytep pp = prev_row;
3779
3780 for (i = 0; i < istop; i++)
3781 {
3782 *rp = (png_byte)(((int)(*rp) + (int)(*pp++)) & 0xff);
3783 rp++;
3784 }
3785 }
3786
3787 static void
3788 png_read_filter_row_avg(png_row_infop row_info, png_bytep row,
3789 png_const_bytep prev_row)
3790 {
3791 png_size_t i;
3792 png_bytep rp = row;
3793 png_const_bytep pp = prev_row;
3794 unsigned int bpp = (row_info->pixel_depth + 7) >> 3;
3795 png_size_t istop = row_info->rowbytes - bpp;
3796
3797 for (i = 0; i < bpp; i++)
3798 {
3799 *rp = (png_byte)(((int)(*rp) +
3800 ((int)(*pp++) / 2 )) & 0xff);
3801
3802 rp++;
3803 }
3804
3805 for (i = 0; i < istop; i++)
3806 {
3807 *rp = (png_byte)(((int)(*rp) +
3808 (int)(*pp++ + *(rp-bpp)) / 2 ) & 0xff);
3809
3810 rp++;
3811 }
3812 }
3813
3814 static void
3815 png_read_filter_row_paeth_1byte_pixel(png_row_infop row_info, png_bytep row,
3816 png_const_bytep prev_row)
3817 {
3818 png_bytep rp_end = row + row_info->rowbytes;
3819 int a, c;
3820
3821 /* First pixel/byte */
3822 c = *prev_row++;
3823 a = *row + c;
3824 *row++ = (png_byte)a;
3825
3826 /* Remainder */
3827 while (row < rp_end)
3828 {
3829 int b, pa, pb, pc, p;
3830
3831 a &= 0xff; /* From previous iteration or start */
3832 b = *prev_row++;
3833
3834 p = b - c;
3835 pc = a - c;
3836
3837 #ifdef PNG_USE_ABS
3838 pa = abs(p);
3839 pb = abs(pc);
3840 pc = abs(p + pc);
3841 #else
3842 pa = p < 0 ? -p : p;
3843 pb = pc < 0 ? -pc : pc;
3844 pc = (p + pc) < 0 ? -(p + pc) : p + pc;
3845 #endif
3846
3847 /* Find the best predictor, the least of pa, pb, pc favoring the earlier
3848 * ones in the case of a tie.
3849 */
3850 if (pb < pa) pa = pb, a = b;
3851 if (pc < pa) a = c;
3852
3853 /* Calculate the current pixel in a, and move the previous row pixel to c
3854 * for the next time round the loop
3855 */
3856 c = b;
3857 a += *row;
3858 *row++ = (png_byte)a;
3859 }
3860 }
3861
3862 static void
3863 png_read_filter_row_paeth_multibyte_pixel(png_row_infop row_info, png_bytep row,
3864 png_const_bytep prev_row)
3865 {
3866 int bpp = (row_info->pixel_depth + 7) >> 3;
3867 png_bytep rp_end = row + bpp;
3868
3869 /* Process the first pixel in the row completely (this is the same as 'up'
3870 * because there is only one candidate predictor for the first row).
3871 */
3872 while (row < rp_end)
3873 {
3874 int a = *row + *prev_row++;
3875 *row++ = (png_byte)a;
3876 }
3877
3878 /* Remainder */
3879 rp_end += row_info->rowbytes - bpp;
3880
3881 while (row < rp_end)
3882 {
3883 int a, b, c, pa, pb, pc, p;
3884
3885 c = *(prev_row - bpp);
3886 a = *(row - bpp);
3887 b = *prev_row++;
3888
3889 p = b - c;
3890 pc = a - c;
3891
3892 #ifdef PNG_USE_ABS
3893 pa = abs(p);
3894 pb = abs(pc);
3895 pc = abs(p + pc);
3896 #else
3897 pa = p < 0 ? -p : p;
3898 pb = pc < 0 ? -pc : pc;
3899 pc = (p + pc) < 0 ? -(p + pc) : p + pc;
3900 #endif
3901
3902 if (pb < pa) pa = pb, a = b;
3903 if (pc < pa) a = c;
3904
3905 a += *row;
3906 *row++ = (png_byte)a;
3907 }
3908 }
3909
3910 static void
3911 png_init_filter_functions(png_structrp pp)
3912 /* This function is called once for every PNG image (except for PNG images
3913 * that only use PNG_FILTER_VALUE_NONE for all rows) to set the
3914 * implementations required to reverse the filtering of PNG rows. Reversing
3915 * the filter is the first transformation performed on the row data. It is
3916 * performed in place, therefore an implementation can be selected based on
3917 * the image pixel format. If the implementation depends on image width then
3918 * take care to ensure that it works correctly if the image is interlaced -
3919 * interlacing causes the actual row width to vary.
3920 */
3921 {
3922 unsigned int bpp = (pp->pixel_depth + 7) >> 3;
3923
3924 pp->read_filter[PNG_FILTER_VALUE_SUB-1] = png_read_filter_row_sub;
3925 pp->read_filter[PNG_FILTER_VALUE_UP-1] = png_read_filter_row_up;
3926 pp->read_filter[PNG_FILTER_VALUE_AVG-1] = png_read_filter_row_avg;
3927 if (bpp == 1)
3928 pp->read_filter[PNG_FILTER_VALUE_PAETH-1] =
3929 png_read_filter_row_paeth_1byte_pixel;
3930 else
3931 pp->read_filter[PNG_FILTER_VALUE_PAETH-1] =
3932 png_read_filter_row_paeth_multibyte_pixel;
3933
3934 #ifdef PNG_FILTER_OPTIMIZATIONS
3935 /* To use this define PNG_FILTER_OPTIMIZATIONS as the name of a function to
3936 * call to install hardware optimizations for the above functions; simply
3937 * replace whatever elements of the pp->read_filter[] array with a hardware
3938 * specific (or, for that matter, generic) optimization.
3939 *
3940 * To see an example of this examine what configure.ac does when
3941 * --enable-arm-neon is specified on the command line.
3942 */
3943 PNG_FILTER_OPTIMIZATIONS(pp, bpp);
3944 #endif
3945 }
2947 3946
2948 void /* PRIVATE */ 3947 void /* PRIVATE */
2949 png_read_filter_row(png_structp png_ptr, png_row_infop row_info, png_bytep row, 3948 png_read_filter_row(png_structrp pp, png_row_infop row_info, png_bytep row,
2950 png_bytep prev_row, int filter) 3949 png_const_bytep prev_row, int filter)
2951 { 3950 {
2952 png_debug(1, "in png_read_filter_row"); 3951 /* OPTIMIZATION: DO NOT MODIFY THIS FUNCTION, instead #define
2953 png_debug2(2, "row = %lu, filter = %d", png_ptr->row_number, filter); 3952 * PNG_FILTER_OPTIMIZATIONS to a function that overrides the generic
2954 switch (filter) 3953 * implementations. See png_init_filter_functions above.
2955 { 3954 */
2956 case PNG_FILTER_VALUE_NONE: 3955 if (filter > PNG_FILTER_VALUE_NONE && filter < PNG_FILTER_VALUE_LAST)
2957 break; 3956 {
2958 case PNG_FILTER_VALUE_SUB: 3957 if (pp->read_filter[0] == NULL)
2959 { 3958 png_init_filter_functions(pp);
2960 png_uint_32 i; 3959
2961 png_uint_32 istop = row_info->rowbytes; 3960 pp->read_filter[filter-1](row_info, row, prev_row);
2962 png_uint_32 bpp = (row_info->pixel_depth + 7) >> 3;
2963 png_bytep rp = row + bpp;
2964 png_bytep lp = row;
2965
2966 for (i = bpp; i < istop; i++)
2967 {
2968 *rp = (png_byte)(((int)(*rp) + (int)(*lp++)) & 0xff);
2969 rp++;
2970 }
2971 break;
2972 }
2973 case PNG_FILTER_VALUE_UP:
2974 {
2975 png_uint_32 i;
2976 png_uint_32 istop = row_info->rowbytes;
2977 png_bytep rp = row;
2978 png_bytep pp = prev_row;
2979
2980 for (i = 0; i < istop; i++)
2981 {
2982 *rp = (png_byte)(((int)(*rp) + (int)(*pp++)) & 0xff);
2983 rp++;
2984 }
2985 break;
2986 }
2987 case PNG_FILTER_VALUE_AVG:
2988 {
2989 png_uint_32 i;
2990 png_bytep rp = row;
2991 png_bytep pp = prev_row;
2992 png_bytep lp = row;
2993 png_uint_32 bpp = (row_info->pixel_depth + 7) >> 3;
2994 png_uint_32 istop = row_info->rowbytes - bpp;
2995
2996 for (i = 0; i < bpp; i++)
2997 {
2998 *rp = (png_byte)(((int)(*rp) +
2999 ((int)(*pp++) / 2 )) & 0xff);
3000 rp++;
3001 }
3002
3003 for (i = 0; i < istop; i++)
3004 {
3005 *rp = (png_byte)(((int)(*rp) +
3006 (int)(*pp++ + *lp++) / 2 ) & 0xff);
3007 rp++;
3008 }
3009 break;
3010 }
3011 case PNG_FILTER_VALUE_PAETH:
3012 {
3013 png_uint_32 i;
3014 png_bytep rp = row;
3015 png_bytep pp = prev_row;
3016 png_bytep lp = row;
3017 png_bytep cp = prev_row;
3018 png_uint_32 bpp = (row_info->pixel_depth + 7) >> 3;
3019 png_uint_32 istop=row_info->rowbytes - bpp;
3020
3021 for (i = 0; i < bpp; i++)
3022 {
3023 *rp = (png_byte)(((int)(*rp) + (int)(*pp++)) & 0xff);
3024 rp++;
3025 }
3026
3027 for (i = 0; i < istop; i++) /* Use leftover rp,pp */
3028 {
3029 int a, b, c, pa, pb, pc, p;
3030
3031 a = *lp++;
3032 b = *pp++;
3033 c = *cp++;
3034
3035 p = b - c;
3036 pc = a - c;
3037
3038 #ifdef PNG_USE_ABS
3039 pa = abs(p);
3040 pb = abs(pc);
3041 pc = abs(p + pc);
3042 #else
3043 pa = p < 0 ? -p : p;
3044 pb = pc < 0 ? -pc : pc;
3045 pc = (p + pc) < 0 ? -(p + pc) : p + pc;
3046 #endif
3047
3048 /*
3049 if (pa <= pb && pa <= pc)
3050 p = a;
3051 else if (pb <= pc)
3052 p = b;
3053 else
3054 p = c;
3055 */
3056
3057 p = (pa <= pb && pa <= pc) ? a : (pb <= pc) ? b : c;
3058
3059 *rp = (png_byte)(((int)(*rp) + p) & 0xff);
3060 rp++;
3061 }
3062 break;
3063 }
3064 default:
3065 png_warning(png_ptr, "Ignoring bad adaptive filter type");
3066 *row = 0;
3067 break;
3068 } 3961 }
3069 } 3962 }
3070 3963
3071 #ifdef PNG_SEQUENTIAL_READ_SUPPORTED 3964 #ifdef PNG_SEQUENTIAL_READ_SUPPORTED
3072 void /* PRIVATE */ 3965 void /* PRIVATE */
3073 png_read_finish_row(png_structp png_ptr) 3966 png_read_IDAT_data(png_structrp png_ptr, png_bytep output,
3074 { 3967 png_alloc_size_t avail_out)
3075 #ifdef PNG_READ_INTERLACING_SUPPORTED 3968 {
3076 #ifndef PNG_USE_GLOBAL_ARRAYS 3969 /* Loop reading IDATs and decompressing the result into output[avail_out] */
3970 png_ptr->zstream.next_out = output;
3971 png_ptr->zstream.avail_out = 0; /* safety: set below */
3972
3973 if (output == NULL)
3974 avail_out = 0;
3975
3976 do
3977 {
3978 int ret;
3979 png_byte tmpbuf[PNG_INFLATE_BUF_SIZE];
3980
3981 if (png_ptr->zstream.avail_in == 0)
3982 {
3983 uInt avail_in;
3984 png_bytep buffer;
3985
3986 while (png_ptr->idat_size == 0)
3987 {
3988 png_crc_finish(png_ptr, 0);
3989
3990 png_ptr->idat_size = png_read_chunk_header(png_ptr);
3991 /* This is an error even in the 'check' case because the code just
3992 * consumed a non-IDAT header.
3993 */
3994 if (png_ptr->chunk_name != png_IDAT)
3995 png_error(png_ptr, "Not enough image data");
3996 }
3997
3998 avail_in = png_ptr->IDAT_read_size;
3999
4000 if (avail_in > png_ptr->idat_size)
4001 avail_in = (uInt)png_ptr->idat_size;
4002
4003 /* A PNG with a gradually increasing IDAT size will defeat this attempt
4004 * to minimize memory usage by causing lots of re-allocs, but
4005 * realistically doing IDAT_read_size re-allocs is not likely to be a
4006 * big problem.
4007 */
4008 buffer = png_read_buffer(png_ptr, avail_in, 0/*error*/);
4009
4010 png_crc_read(png_ptr, buffer, avail_in);
4011 png_ptr->idat_size -= avail_in;
4012
4013 png_ptr->zstream.next_in = buffer;
4014 png_ptr->zstream.avail_in = avail_in;
4015 }
4016
4017 /* And set up the output side. */
4018 if (output != NULL) /* standard read */
4019 {
4020 uInt out = ZLIB_IO_MAX;
4021
4022 if (out > avail_out)
4023 out = (uInt)avail_out;
4024
4025 avail_out -= out;
4026 png_ptr->zstream.avail_out = out;
4027 }
4028
4029 else /* after last row, checking for end */
4030 {
4031 png_ptr->zstream.next_out = tmpbuf;
4032 png_ptr->zstream.avail_out = (sizeof tmpbuf);
4033 }
4034
4035 /* Use NO_FLUSH; this gives zlib the maximum opportunity to optimize the
4036 * process. If the LZ stream is truncated the sequential reader will
4037 * terminally damage the stream, above, by reading the chunk header of the
4038 * following chunk (it then exits with png_error).
4039 *
4040 * TODO: deal more elegantly with truncated IDAT lists.
4041 */
4042 ret = inflate(&png_ptr->zstream, Z_NO_FLUSH);
4043
4044 /* Take the unconsumed output back. */
4045 if (output != NULL)
4046 avail_out += png_ptr->zstream.avail_out;
4047
4048 else /* avail_out counts the extra bytes */
4049 avail_out += (sizeof tmpbuf) - png_ptr->zstream.avail_out;
4050
4051 png_ptr->zstream.avail_out = 0;
4052
4053 if (ret == Z_STREAM_END)
4054 {
4055 /* Do this for safety; we won't read any more into this row. */
4056 png_ptr->zstream.next_out = NULL;
4057
4058 png_ptr->mode |= PNG_AFTER_IDAT;
4059 png_ptr->flags |= PNG_FLAG_ZSTREAM_ENDED;
4060
4061 if (png_ptr->zstream.avail_in > 0 || png_ptr->idat_size > 0)
4062 png_chunk_benign_error(png_ptr, "Extra compressed data");
4063 break;
4064 }
4065
4066 if (ret != Z_OK)
4067 {
4068 png_zstream_error(png_ptr, ret);
4069
4070 if (output != NULL)
4071 png_chunk_error(png_ptr, png_ptr->zstream.msg);
4072
4073 else /* checking */
4074 {
4075 png_chunk_benign_error(png_ptr, png_ptr->zstream.msg);
4076 return;
4077 }
4078 }
4079 } while (avail_out > 0);
4080
4081 if (avail_out > 0)
4082 {
4083 /* The stream ended before the image; this is the same as too few IDATs so
4084 * should be handled the same way.
4085 */
4086 if (output != NULL)
4087 png_error(png_ptr, "Not enough image data");
4088
4089 else /* the deflate stream contained extra data */
4090 png_chunk_benign_error(png_ptr, "Too much image data");
4091 }
4092 }
4093
4094 void /* PRIVATE */
4095 png_read_finish_IDAT(png_structrp png_ptr)
4096 {
4097 /* We don't need any more data and the stream should have ended, however the
4098 * LZ end code may actually not have been processed. In this case we must
4099 * read it otherwise stray unread IDAT data or, more likely, an IDAT chunk
4100 * may still remain to be consumed.
4101 */
4102 if ((png_ptr->flags & PNG_FLAG_ZSTREAM_ENDED) == 0)
4103 {
4104 /* The NULL causes png_read_IDAT_data to swallow any remaining bytes in
4105 * the compressed stream, but the stream may be damaged too, so even after
4106 * this call we may need to terminate the zstream ownership.
4107 */
4108 png_read_IDAT_data(png_ptr, NULL, 0);
4109 png_ptr->zstream.next_out = NULL; /* safety */
4110
4111 /* Now clear everything out for safety; the following may not have been
4112 * done.
4113 */
4114 if ((png_ptr->flags & PNG_FLAG_ZSTREAM_ENDED) == 0)
4115 {
4116 png_ptr->mode |= PNG_AFTER_IDAT;
4117 png_ptr->flags |= PNG_FLAG_ZSTREAM_ENDED;
4118 }
4119 }
4120
4121 /* If the zstream has not been released do it now *and* terminate the reading
4122 * of the final IDAT chunk.
4123 */
4124 if (png_ptr->zowner == png_IDAT)
4125 {
4126 /* Always do this; the pointers otherwise point into the read buffer. */
4127 png_ptr->zstream.next_in = NULL;
4128 png_ptr->zstream.avail_in = 0;
4129
4130 /* Now we no longer own the zstream. */
4131 png_ptr->zowner = 0;
4132
4133 /* The slightly weird semantics of the sequential IDAT reading is that we
4134 * are always in or at the end of an IDAT chunk, so we always need to do a
4135 * crc_finish here. If idat_size is non-zero we also need to read the
4136 * spurious bytes at the end of the chunk now.
4137 */
4138 (void)png_crc_finish(png_ptr, png_ptr->idat_size);
4139 }
4140 }
4141
4142 void /* PRIVATE */
4143 png_read_finish_row(png_structrp png_ptr)
4144 {
3077 /* Arrays to facilitate easy interlacing - use pass (0 - 6) as index */ 4145 /* Arrays to facilitate easy interlacing - use pass (0 - 6) as index */
3078 4146
3079 /* Start of interlace block */ 4147 /* Start of interlace block */
3080 PNG_CONST int png_pass_start[7] = {0, 4, 0, 2, 0, 1, 0}; 4148 static PNG_CONST png_byte png_pass_start[7] = {0, 4, 0, 2, 0, 1, 0};
3081 4149
3082 /* Offset to next interlace block */ 4150 /* Offset to next interlace block */
3083 PNG_CONST int png_pass_inc[7] = {8, 8, 4, 4, 2, 2, 1}; 4151 static PNG_CONST png_byte png_pass_inc[7] = {8, 8, 4, 4, 2, 2, 1};
3084 4152
3085 /* Start of interlace block in the y direction */ 4153 /* Start of interlace block in the y direction */
3086 PNG_CONST int png_pass_ystart[7] = {0, 0, 4, 0, 2, 0, 1}; 4154 static PNG_CONST png_byte png_pass_ystart[7] = {0, 0, 4, 0, 2, 0, 1};
3087 4155
3088 /* Offset to next interlace block in the y direction */ 4156 /* Offset to next interlace block in the y direction */
3089 PNG_CONST int png_pass_yinc[7] = {8, 8, 8, 4, 4, 2, 2}; 4157 static PNG_CONST png_byte png_pass_yinc[7] = {8, 8, 8, 4, 4, 2, 2};
3090 #endif
3091 #endif /* PNG_READ_INTERLACING_SUPPORTED */
3092 4158
3093 png_debug(1, "in png_read_finish_row"); 4159 png_debug(1, "in png_read_finish_row");
3094 png_ptr->row_number++; 4160 png_ptr->row_number++;
3095 if (png_ptr->row_number < png_ptr->num_rows) 4161 if (png_ptr->row_number < png_ptr->num_rows)
3096 return; 4162 return;
3097 4163
3098 #ifdef PNG_READ_INTERLACING_SUPPORTED 4164 if (png_ptr->interlaced != 0)
3099 if (png_ptr->interlaced)
3100 { 4165 {
3101 png_ptr->row_number = 0; 4166 png_ptr->row_number = 0;
3102 png_memset_check(png_ptr, png_ptr->prev_row, 0, 4167
3103 png_ptr->rowbytes + 1); 4168 /* TO DO: don't do this if prev_row isn't needed (requires
4169 * read-ahead of the next row's filter byte.
4170 */
4171 memset(png_ptr->prev_row, 0, png_ptr->rowbytes + 1);
4172
3104 do 4173 do
3105 { 4174 {
3106 png_ptr->pass++; 4175 png_ptr->pass++;
4176
3107 if (png_ptr->pass >= 7) 4177 if (png_ptr->pass >= 7)
3108 break; 4178 break;
4179
3109 png_ptr->iwidth = (png_ptr->width + 4180 png_ptr->iwidth = (png_ptr->width +
3110 png_pass_inc[png_ptr->pass] - 1 - 4181 png_pass_inc[png_ptr->pass] - 1 -
3111 png_pass_start[png_ptr->pass]) / 4182 png_pass_start[png_ptr->pass]) /
3112 png_pass_inc[png_ptr->pass]; 4183 png_pass_inc[png_ptr->pass];
3113 4184
3114 if (!(png_ptr->transformations & PNG_INTERLACE)) 4185 if ((png_ptr->transformations & PNG_INTERLACE) == 0)
3115 { 4186 {
3116 png_ptr->num_rows = (png_ptr->height + 4187 png_ptr->num_rows = (png_ptr->height +
3117 png_pass_yinc[png_ptr->pass] - 1 - 4188 png_pass_yinc[png_ptr->pass] - 1 -
3118 png_pass_ystart[png_ptr->pass]) / 4189 png_pass_ystart[png_ptr->pass]) /
3119 png_pass_yinc[png_ptr->pass]; 4190 png_pass_yinc[png_ptr->pass];
3120 if (!(png_ptr->num_rows))
3121 continue;
3122 } 4191 }
4192
3123 else /* if (png_ptr->transformations & PNG_INTERLACE) */ 4193 else /* if (png_ptr->transformations & PNG_INTERLACE) */
3124 break; 4194 break; /* libpng deinterlacing sees every row */
3125 } while (png_ptr->iwidth == 0); 4195
4196 } while (png_ptr->num_rows == 0 || png_ptr->iwidth == 0);
3126 4197
3127 if (png_ptr->pass < 7) 4198 if (png_ptr->pass < 7)
3128 return; 4199 return;
3129 } 4200 }
3130 #endif /* PNG_READ_INTERLACING_SUPPORTED */ 4201
3131 4202 /* Here after at the end of the last row of the last pass. */
3132 if (!(png_ptr->flags & PNG_FLAG_ZLIB_FINISHED)) 4203 png_read_finish_IDAT(png_ptr);
3133 { 4204 }
3134 #ifdef PNG_USE_LOCAL_ARRAYS 4205 #endif /* SEQUENTIAL_READ */
3135 PNG_CONST PNG_IDAT;
3136 #endif
3137 char extra;
3138 int ret;
3139
3140 png_ptr->zstream.next_out = (Byte *)&extra;
3141 png_ptr->zstream.avail_out = (uInt)1;
3142 for (;;)
3143 {
3144 if (!(png_ptr->zstream.avail_in))
3145 {
3146 while (!png_ptr->idat_size)
3147 {
3148 png_byte chunk_length[4];
3149
3150 png_crc_finish(png_ptr, 0);
3151
3152 png_read_data(png_ptr, chunk_length, 4);
3153 png_ptr->idat_size = png_get_uint_31(png_ptr, chunk_length);
3154 png_reset_crc(png_ptr);
3155 png_crc_read(png_ptr, png_ptr->chunk_name, 4);
3156 if (png_memcmp(png_ptr->chunk_name, png_IDAT, 4))
3157 png_error(png_ptr, "Not enough image data");
3158
3159 }
3160 png_ptr->zstream.avail_in = (uInt)png_ptr->zbuf_size;
3161 png_ptr->zstream.next_in = png_ptr->zbuf;
3162 if (png_ptr->zbuf_size > png_ptr->idat_size)
3163 png_ptr->zstream.avail_in = (uInt)png_ptr->idat_size;
3164 png_crc_read(png_ptr, png_ptr->zbuf, png_ptr->zstream.avail_in);
3165 png_ptr->idat_size -= png_ptr->zstream.avail_in;
3166 }
3167 ret = inflate(&png_ptr->zstream, Z_PARTIAL_FLUSH);
3168 if (ret == Z_STREAM_END)
3169 {
3170 if (!(png_ptr->zstream.avail_out) || png_ptr->zstream.avail_in ||
3171 png_ptr->idat_size)
3172 png_warning(png_ptr, "Extra compressed data.");
3173 png_ptr->mode |= PNG_AFTER_IDAT;
3174 png_ptr->flags |= PNG_FLAG_ZLIB_FINISHED;
3175 break;
3176 }
3177 if (ret != Z_OK)
3178 png_error(png_ptr, png_ptr->zstream.msg ? png_ptr->zstream.msg :
3179 "Decompression Error");
3180
3181 if (!(png_ptr->zstream.avail_out))
3182 {
3183 png_warning(png_ptr, "Extra compressed data.");
3184 png_ptr->mode |= PNG_AFTER_IDAT;
3185 png_ptr->flags |= PNG_FLAG_ZLIB_FINISHED;
3186 break;
3187 }
3188
3189 }
3190 png_ptr->zstream.avail_out = 0;
3191 }
3192
3193 if (png_ptr->idat_size || png_ptr->zstream.avail_in)
3194 png_warning(png_ptr, "Extra compression data.");
3195
3196 inflateReset(&png_ptr->zstream);
3197
3198 png_ptr->mode |= PNG_AFTER_IDAT;
3199 }
3200 #endif /* PNG_SEQUENTIAL_READ_SUPPORTED */
3201 4206
3202 void /* PRIVATE */ 4207 void /* PRIVATE */
3203 png_read_start_row(png_structp png_ptr) 4208 png_read_start_row(png_structrp png_ptr)
3204 { 4209 {
3205 #ifdef PNG_READ_INTERLACING_SUPPORTED
3206 #ifndef PNG_USE_GLOBAL_ARRAYS
3207 /* Arrays to facilitate easy interlacing - use pass (0 - 6) as index */ 4210 /* Arrays to facilitate easy interlacing - use pass (0 - 6) as index */
3208 4211
3209 /* Start of interlace block */ 4212 /* Start of interlace block */
3210 PNG_CONST int png_pass_start[7] = {0, 4, 0, 2, 0, 1, 0}; 4213 static PNG_CONST png_byte png_pass_start[7] = {0, 4, 0, 2, 0, 1, 0};
3211 4214
3212 /* Offset to next interlace block */ 4215 /* Offset to next interlace block */
3213 PNG_CONST int png_pass_inc[7] = {8, 8, 4, 4, 2, 2, 1}; 4216 static PNG_CONST png_byte png_pass_inc[7] = {8, 8, 4, 4, 2, 2, 1};
3214 4217
3215 /* Start of interlace block in the y direction */ 4218 /* Start of interlace block in the y direction */
3216 PNG_CONST int png_pass_ystart[7] = {0, 0, 4, 0, 2, 0, 1}; 4219 static PNG_CONST png_byte png_pass_ystart[7] = {0, 0, 4, 0, 2, 0, 1};
3217 4220
3218 /* Offset to next interlace block in the y direction */ 4221 /* Offset to next interlace block in the y direction */
3219 PNG_CONST int png_pass_yinc[7] = {8, 8, 8, 4, 4, 2, 2}; 4222 static PNG_CONST png_byte png_pass_yinc[7] = {8, 8, 8, 4, 4, 2, 2};
3220 #endif
3221 #endif
3222 4223
3223 int max_pixel_depth; 4224 int max_pixel_depth;
3224 png_size_t row_bytes; 4225 png_size_t row_bytes;
3225 4226
3226 png_debug(1, "in png_read_start_row"); 4227 png_debug(1, "in png_read_start_row");
3227 png_ptr->zstream.avail_in = 0; 4228
4229 #ifdef PNG_READ_TRANSFORMS_SUPPORTED
3228 png_init_read_transformations(png_ptr); 4230 png_init_read_transformations(png_ptr);
3229 #ifdef PNG_READ_INTERLACING_SUPPORTED 4231 #endif
3230 if (png_ptr->interlaced) 4232 if (png_ptr->interlaced != 0)
3231 { 4233 {
3232 if (!(png_ptr->transformations & PNG_INTERLACE)) 4234 if ((png_ptr->transformations & PNG_INTERLACE) == 0)
3233 png_ptr->num_rows = (png_ptr->height + png_pass_yinc[0] - 1 - 4235 png_ptr->num_rows = (png_ptr->height + png_pass_yinc[0] - 1 -
3234 png_pass_ystart[0]) / png_pass_yinc[0]; 4236 png_pass_ystart[0]) / png_pass_yinc[0];
4237
3235 else 4238 else
3236 png_ptr->num_rows = png_ptr->height; 4239 png_ptr->num_rows = png_ptr->height;
3237 4240
3238 png_ptr->iwidth = (png_ptr->width + 4241 png_ptr->iwidth = (png_ptr->width +
3239 png_pass_inc[png_ptr->pass] - 1 - 4242 png_pass_inc[png_ptr->pass] - 1 -
3240 png_pass_start[png_ptr->pass]) / 4243 png_pass_start[png_ptr->pass]) /
3241 png_pass_inc[png_ptr->pass]; 4244 png_pass_inc[png_ptr->pass];
3242 } 4245 }
4246
3243 else 4247 else
3244 #endif /* PNG_READ_INTERLACING_SUPPORTED */
3245 { 4248 {
3246 png_ptr->num_rows = png_ptr->height; 4249 png_ptr->num_rows = png_ptr->height;
3247 png_ptr->iwidth = png_ptr->width; 4250 png_ptr->iwidth = png_ptr->width;
3248 } 4251 }
4252
3249 max_pixel_depth = png_ptr->pixel_depth; 4253 max_pixel_depth = png_ptr->pixel_depth;
3250 4254
4255 /* WARNING: * png_read_transform_info (pngrtran.c) performs a simpler set of
4256 * calculations to calculate the final pixel depth, then
4257 * png_do_read_transforms actually does the transforms. This means that the
4258 * code which effectively calculates this value is actually repeated in three
4259 * separate places. They must all match. Innocent changes to the order of
4260 * transformations can and will break libpng in a way that causes memory
4261 * overwrites.
4262 *
4263 * TODO: fix this.
4264 */
3251 #ifdef PNG_READ_PACK_SUPPORTED 4265 #ifdef PNG_READ_PACK_SUPPORTED
3252 if ((png_ptr->transformations & PNG_PACK) && png_ptr->bit_depth < 8) 4266 if ((png_ptr->transformations & PNG_PACK) != 0 && png_ptr->bit_depth < 8)
3253 max_pixel_depth = 8; 4267 max_pixel_depth = 8;
3254 #endif 4268 #endif
3255 4269
3256 #ifdef PNG_READ_EXPAND_SUPPORTED 4270 #ifdef PNG_READ_EXPAND_SUPPORTED
3257 if (png_ptr->transformations & PNG_EXPAND) 4271 if ((png_ptr->transformations & PNG_EXPAND) != 0)
3258 { 4272 {
3259 if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) 4273 if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
3260 { 4274 {
3261 if (png_ptr->num_trans) 4275 if (png_ptr->num_trans != 0)
3262 max_pixel_depth = 32; 4276 max_pixel_depth = 32;
4277
3263 else 4278 else
3264 max_pixel_depth = 24; 4279 max_pixel_depth = 24;
3265 } 4280 }
4281
3266 else if (png_ptr->color_type == PNG_COLOR_TYPE_GRAY) 4282 else if (png_ptr->color_type == PNG_COLOR_TYPE_GRAY)
3267 { 4283 {
3268 if (max_pixel_depth < 8) 4284 if (max_pixel_depth < 8)
3269 max_pixel_depth = 8; 4285 max_pixel_depth = 8;
3270 if (png_ptr->num_trans) 4286
4287 if (png_ptr->num_trans != 0)
3271 max_pixel_depth *= 2; 4288 max_pixel_depth *= 2;
3272 } 4289 }
4290
3273 else if (png_ptr->color_type == PNG_COLOR_TYPE_RGB) 4291 else if (png_ptr->color_type == PNG_COLOR_TYPE_RGB)
3274 { 4292 {
3275 if (png_ptr->num_trans) 4293 if (png_ptr->num_trans != 0)
3276 { 4294 {
3277 max_pixel_depth *= 4; 4295 max_pixel_depth *= 4;
3278 max_pixel_depth /= 3; 4296 max_pixel_depth /= 3;
3279 } 4297 }
3280 } 4298 }
3281 } 4299 }
3282 #endif 4300 #endif
3283 4301
4302 #ifdef PNG_READ_EXPAND_16_SUPPORTED
4303 if ((png_ptr->transformations & PNG_EXPAND_16) != 0)
4304 {
4305 # ifdef PNG_READ_EXPAND_SUPPORTED
4306 /* In fact it is an error if it isn't supported, but checking is
4307 * the safe way.
4308 */
4309 if ((png_ptr->transformations & PNG_EXPAND) != 0)
4310 {
4311 if (png_ptr->bit_depth < 16)
4312 max_pixel_depth *= 2;
4313 }
4314 else
4315 # endif
4316 png_ptr->transformations &= ~PNG_EXPAND_16;
4317 }
4318 #endif
4319
3284 #ifdef PNG_READ_FILLER_SUPPORTED 4320 #ifdef PNG_READ_FILLER_SUPPORTED
3285 if (png_ptr->transformations & (PNG_FILLER)) 4321 if ((png_ptr->transformations & (PNG_FILLER)) != 0)
3286 { 4322 {
3287 if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) 4323 if (png_ptr->color_type == PNG_COLOR_TYPE_GRAY)
3288 max_pixel_depth = 32;
3289 else if (png_ptr->color_type == PNG_COLOR_TYPE_GRAY)
3290 { 4324 {
3291 if (max_pixel_depth <= 8) 4325 if (max_pixel_depth <= 8)
3292 max_pixel_depth = 16; 4326 max_pixel_depth = 16;
4327
3293 else 4328 else
3294 max_pixel_depth = 32; 4329 max_pixel_depth = 32;
3295 } 4330 }
3296 else if (png_ptr->color_type == PNG_COLOR_TYPE_RGB) 4331
4332 else if (png_ptr->color_type == PNG_COLOR_TYPE_RGB ||
4333 png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
3297 { 4334 {
3298 if (max_pixel_depth <= 32) 4335 if (max_pixel_depth <= 32)
3299 max_pixel_depth = 32; 4336 max_pixel_depth = 32;
4337
3300 else 4338 else
3301 max_pixel_depth = 64; 4339 max_pixel_depth = 64;
3302 } 4340 }
3303 } 4341 }
3304 #endif 4342 #endif
3305 4343
3306 #ifdef PNG_READ_GRAY_TO_RGB_SUPPORTED 4344 #ifdef PNG_READ_GRAY_TO_RGB_SUPPORTED
3307 if (png_ptr->transformations & PNG_GRAY_TO_RGB) 4345 if ((png_ptr->transformations & PNG_GRAY_TO_RGB) != 0)
3308 { 4346 {
3309 if ( 4347 if (
3310 #ifdef PNG_READ_EXPAND_SUPPORTED 4348 #ifdef PNG_READ_EXPAND_SUPPORTED
3311 (png_ptr->num_trans && (png_ptr->transformations & PNG_EXPAND)) || 4349 (png_ptr->num_trans != 0 &&
4350 (png_ptr->transformations & PNG_EXPAND) != 0) ||
3312 #endif 4351 #endif
3313 #ifdef PNG_READ_FILLER_SUPPORTED 4352 #ifdef PNG_READ_FILLER_SUPPORTED
3314 (png_ptr->transformations & (PNG_FILLER)) || 4353 (png_ptr->transformations & (PNG_FILLER)) != 0 ||
3315 #endif 4354 #endif
3316 png_ptr->color_type == PNG_COLOR_TYPE_GRAY_ALPHA) 4355 png_ptr->color_type == PNG_COLOR_TYPE_GRAY_ALPHA)
3317 { 4356 {
3318 if (max_pixel_depth <= 16) 4357 if (max_pixel_depth <= 16)
3319 max_pixel_depth = 32; 4358 max_pixel_depth = 32;
4359
3320 else 4360 else
3321 max_pixel_depth = 64; 4361 max_pixel_depth = 64;
3322 } 4362 }
4363
3323 else 4364 else
3324 { 4365 {
3325 if (max_pixel_depth <= 8) 4366 if (max_pixel_depth <= 8)
3326 { 4367 {
3327 if (png_ptr->color_type == PNG_COLOR_TYPE_RGB_ALPHA) 4368 if (png_ptr->color_type == PNG_COLOR_TYPE_RGB_ALPHA)
3328 max_pixel_depth = 32; 4369 max_pixel_depth = 32;
3329 else 4370
4371 else
3330 max_pixel_depth = 24; 4372 max_pixel_depth = 24;
3331 } 4373 }
4374
3332 else if (png_ptr->color_type == PNG_COLOR_TYPE_RGB_ALPHA) 4375 else if (png_ptr->color_type == PNG_COLOR_TYPE_RGB_ALPHA)
3333 max_pixel_depth = 64; 4376 max_pixel_depth = 64;
4377
3334 else 4378 else
3335 max_pixel_depth = 48; 4379 max_pixel_depth = 48;
3336 } 4380 }
3337 } 4381 }
3338 #endif 4382 #endif
3339 4383
3340 #if defined(PNG_READ_USER_TRANSFORM_SUPPORTED) && \ 4384 #if defined(PNG_READ_USER_TRANSFORM_SUPPORTED) && \
3341 defined(PNG_USER_TRANSFORM_PTR_SUPPORTED) 4385 defined(PNG_USER_TRANSFORM_PTR_SUPPORTED)
3342 if (png_ptr->transformations & PNG_USER_TRANSFORM) 4386 if ((png_ptr->transformations & PNG_USER_TRANSFORM) != 0)
3343 { 4387 {
3344 int user_pixel_depth = png_ptr->user_transform_depth* 4388 int user_pixel_depth = png_ptr->user_transform_depth *
3345 png_ptr->user_transform_channels; 4389 png_ptr->user_transform_channels;
3346 if (user_pixel_depth > max_pixel_depth) 4390
3347 max_pixel_depth=user_pixel_depth; 4391 if (user_pixel_depth > max_pixel_depth)
3348 } 4392 max_pixel_depth = user_pixel_depth;
4393 }
3349 #endif 4394 #endif
3350 4395
4396 /* This value is stored in png_struct and double checked in the row read
4397 * code.
4398 */
4399 png_ptr->maximum_pixel_depth = (png_byte)max_pixel_depth;
4400 png_ptr->transformed_pixel_depth = 0; /* calculated on demand */
4401
3351 /* Align the width on the next larger 8 pixels. Mainly used 4402 /* Align the width on the next larger 8 pixels. Mainly used
3352 * for interlacing 4403 * for interlacing
3353 */ 4404 */
3354 row_bytes = ((png_ptr->width + 7) & ~((png_uint_32)7)); 4405 row_bytes = ((png_ptr->width + 7) & ~((png_uint_32)7));
3355 /* Calculate the maximum bytes needed, adding a byte and a pixel 4406 /* Calculate the maximum bytes needed, adding a byte and a pixel
3356 * for safety's sake 4407 * for safety's sake
3357 */ 4408 */
3358 row_bytes = PNG_ROWBYTES(max_pixel_depth, row_bytes) + 4409 row_bytes = PNG_ROWBYTES(max_pixel_depth, row_bytes) +
3359 1 + ((max_pixel_depth + 7) >> 3); 4410 1 + ((max_pixel_depth + 7) >> 3);
4411
3360 #ifdef PNG_MAX_MALLOC_64K 4412 #ifdef PNG_MAX_MALLOC_64K
3361 if (row_bytes > (png_uint_32)65536L) 4413 if (row_bytes > (png_uint_32)65536L)
3362 png_error(png_ptr, "This image requires a row greater than 64KB"); 4414 png_error(png_ptr, "This image requires a row greater than 64KB");
3363 #endif 4415 #endif
3364 4416
3365 if (row_bytes + 64 > png_ptr->old_big_row_buf_size) 4417 if (row_bytes + 48 > png_ptr->old_big_row_buf_size)
3366 { 4418 {
3367 png_free(png_ptr, png_ptr->big_row_buf); 4419 png_free(png_ptr, png_ptr->big_row_buf);
3368 if (png_ptr->interlaced) 4420 png_free(png_ptr, png_ptr->big_prev_row);
4421
4422 if (png_ptr->interlaced != 0)
3369 png_ptr->big_row_buf = (png_bytep)png_calloc(png_ptr, 4423 png_ptr->big_row_buf = (png_bytep)png_calloc(png_ptr,
3370 row_bytes + 64); 4424 row_bytes + 48);
4425
3371 else 4426 else
3372 png_ptr->big_row_buf = (png_bytep)png_malloc(png_ptr, 4427 png_ptr->big_row_buf = (png_bytep)png_malloc(png_ptr, row_bytes + 48);
3373 row_bytes + 64);
3374 png_ptr->old_big_row_buf_size = row_bytes + 64;
3375 4428
3376 /* Use 32 bytes of padding before and after row_buf. */ 4429 png_ptr->big_prev_row = (png_bytep)png_malloc(png_ptr, row_bytes + 48);
3377 png_ptr->row_buf = png_ptr->big_row_buf + 32; 4430
3378 png_ptr->old_big_row_buf_size = row_bytes + 64; 4431 #ifdef PNG_ALIGNED_MEMORY_SUPPORTED
4432 /* Use 16-byte aligned memory for row_buf with at least 16 bytes
4433 * of padding before and after row_buf; treat prev_row similarly.
4434 * NOTE: the alignment is to the start of the pixels, one beyond the start
4435 * of the buffer, because of the filter byte. Prior to libpng 1.5.6 this
4436 * was incorrect; the filter byte was aligned, which had the exact
4437 * opposite effect of that intended.
4438 */
4439 {
4440 png_bytep temp = png_ptr->big_row_buf + 32;
4441 int extra = (int)((temp - (png_bytep)0) & 0x0f);
4442 png_ptr->row_buf = temp - extra - 1/*filter byte*/;
4443
4444 temp = png_ptr->big_prev_row + 32;
4445 extra = (int)((temp - (png_bytep)0) & 0x0f);
4446 png_ptr->prev_row = temp - extra - 1/*filter byte*/;
4447 }
4448
4449 #else
4450 /* Use 31 bytes of padding before and 17 bytes after row_buf. */
4451 png_ptr->row_buf = png_ptr->big_row_buf + 31;
4452 png_ptr->prev_row = png_ptr->big_prev_row + 31;
4453 #endif
4454 png_ptr->old_big_row_buf_size = row_bytes + 48;
3379 } 4455 }
3380 4456
3381 #ifdef PNG_MAX_MALLOC_64K 4457 #ifdef PNG_MAX_MALLOC_64K
3382 if ((png_uint_32)row_bytes + 1 > (png_uint_32)65536L) 4458 if (png_ptr->rowbytes > 65535)
3383 png_error(png_ptr, "This image requires a row greater than 64KB"); 4459 png_error(png_ptr, "This image requires a row greater than 64KB");
4460
3384 #endif 4461 #endif
3385 if ((png_uint_32)row_bytes > (png_uint_32)(PNG_SIZE_MAX - 1)) 4462 if (png_ptr->rowbytes > (PNG_SIZE_MAX - 1))
3386 png_error(png_ptr, "Row has too many bytes to allocate in memory."); 4463 png_error(png_ptr, "Row has too many bytes to allocate in memory");
3387 4464
3388 if (row_bytes + 1 > png_ptr->old_prev_row_size) 4465 memset(png_ptr->prev_row, 0, png_ptr->rowbytes + 1);
4466
4467 png_debug1(3, "width = %u,", png_ptr->width);
4468 png_debug1(3, "height = %u,", png_ptr->height);
4469 png_debug1(3, "iwidth = %u,", png_ptr->iwidth);
4470 png_debug1(3, "num_rows = %u,", png_ptr->num_rows);
4471 png_debug1(3, "rowbytes = %lu,", (unsigned long)png_ptr->rowbytes);
4472 png_debug1(3, "irowbytes = %lu",
4473 (unsigned long)PNG_ROWBYTES(png_ptr->pixel_depth, png_ptr->iwidth) + 1);
4474
4475 /* The sequential reader needs a buffer for IDAT, but the progressive reader
4476 * does not, so free the read buffer now regardless; the sequential reader
4477 * reallocates it on demand.
4478 */
4479 if (png_ptr->read_buffer != 0)
3389 { 4480 {
3390 png_free(png_ptr, png_ptr->prev_row); 4481 png_bytep buffer = png_ptr->read_buffer;
3391 png_ptr->prev_row = (png_bytep)png_malloc(png_ptr, (png_uint_32)( 4482
3392 row_bytes + 1)); 4483 png_ptr->read_buffer_size = 0;
3393 png_memset_check(png_ptr, png_ptr->prev_row, 0, row_bytes + 1); 4484 png_ptr->read_buffer = NULL;
3394 png_ptr->old_prev_row_size = row_bytes + 1; 4485 png_free(png_ptr, buffer);
3395 } 4486 }
3396 4487
3397 png_ptr->rowbytes = row_bytes; 4488 /* Finally claim the zstream for the inflate of the IDAT data, use the bits
3398 4489 * value from the stream (note that this will result in a fatal error if the
3399 png_debug1(3, "width = %lu,", png_ptr->width); 4490 * IDAT stream has a bogus deflate header window_bits value, but this should
3400 png_debug1(3, "height = %lu,", png_ptr->height); 4491 * not be happening any longer!)
3401 png_debug1(3, "iwidth = %lu,", png_ptr->iwidth); 4492 */
3402 png_debug1(3, "num_rows = %lu,", png_ptr->num_rows); 4493 if (png_inflate_claim(png_ptr, png_IDAT) != Z_OK)
3403 png_debug1(3, "rowbytes = %lu,", png_ptr->rowbytes); 4494 png_error(png_ptr, png_ptr->zstream.msg);
3404 png_debug1(3, "irowbytes = %lu",
3405 PNG_ROWBYTES(png_ptr->pixel_depth, png_ptr->iwidth) + 1);
3406 4495
3407 png_ptr->flags |= PNG_FLAG_ROW_INIT; 4496 png_ptr->flags |= PNG_FLAG_ROW_INIT;
3408 } 4497 }
3409 #endif /* PNG_READ_SUPPORTED */ 4498 #endif /* READ */
OLDNEW
« no previous file with comments | « third_party/libpng/pngrtran.c ('k') | third_party/libpng/pngset.c » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698