OLD | NEW |
1 | 1 |
2 /* pngrutil.c - utilities to read a PNG file | 2 /* pngrutil.c - utilities to read a PNG file |
3 * | 3 * |
4 * Last changed in libpng 1.2.55 [%RDATE%] | 4 * Last changed in libpng 1.6.20 [December 3, 2014] |
5 * Copyright (c) 1998-2002,2004,2006-2015 Glenn Randers-Pehrson | 5 * Copyright (c) 1998-2002,2004,2006-2015 Glenn Randers-Pehrson |
6 * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger) | 6 * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger) |
7 * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.) | 7 * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.) |
8 * | 8 * |
9 * This code is released under the libpng license. | 9 * This code is released under the libpng license. |
10 * For conditions of distribution and use, see the disclaimer | 10 * For conditions of distribution and use, see the disclaimer |
11 * and license in png.h | 11 * and license in png.h |
12 * | 12 * |
13 * This file contains routines that are only called from within | 13 * This file contains routines that are only called from within |
14 * libpng itself during the course of reading an image. | 14 * libpng itself during the course of reading an image. |
15 */ | 15 */ |
16 | 16 |
17 #define PNG_INTERNAL | 17 #include "pngpriv.h" |
18 #define PNG_NO_PEDANTIC_WARNINGS | 18 |
19 #include "png.h" | |
20 #ifdef PNG_READ_SUPPORTED | 19 #ifdef PNG_READ_SUPPORTED |
21 | 20 |
22 #if defined(_WIN32_WCE) && (_WIN32_WCE<0x500) | 21 png_uint_32 PNGAPI |
23 # define WIN32_WCE_OLD | 22 png_get_uint_31(png_const_structrp png_ptr, png_const_bytep buf) |
24 #endif | 23 { |
25 | 24 png_uint_32 uval = png_get_uint_32(buf); |
26 #ifdef PNG_FLOATING_POINT_SUPPORTED | 25 |
27 # ifdef WIN32_WCE_OLD | 26 if (uval > PNG_UINT_31_MAX) |
28 /* The strtod() function is not supported on WindowsCE */ | 27 png_error(png_ptr, "PNG unsigned integer out of range"); |
29 __inline double png_strtod(png_structp png_ptr, PNG_CONST char *nptr, | 28 |
30 char **endptr) | 29 return (uval); |
31 { | 30 } |
32 double result = 0; | 31 |
33 int len; | 32 #if defined(PNG_READ_gAMA_SUPPORTED) || defined(PNG_READ_cHRM_SUPPORTED) |
34 wchar_t *str, *end; | 33 /* The following is a variation on the above for use with the fixed |
35 | 34 * point values used for gAMA and cHRM. Instead of png_error it |
36 len = MultiByteToWideChar(CP_ACP, 0, nptr, -1, NULL, 0); | 35 * issues a warning and returns (-1) - an invalid value because both |
37 str = (wchar_t *)png_malloc(png_ptr, len * png_sizeof(wchar_t)); | 36 * gAMA and cHRM use *unsigned* integers for fixed point values. |
38 if ( NULL != str ) | 37 */ |
| 38 #define PNG_FIXED_ERROR (-1) |
| 39 |
| 40 static png_fixed_point /* PRIVATE */ |
| 41 png_get_fixed_point(png_structrp png_ptr, png_const_bytep buf) |
| 42 { |
| 43 png_uint_32 uval = png_get_uint_32(buf); |
| 44 |
| 45 if (uval <= PNG_UINT_31_MAX) |
| 46 return (png_fixed_point)uval; /* known to be in range */ |
| 47 |
| 48 /* The caller can turn off the warning by passing NULL. */ |
| 49 if (png_ptr != NULL) |
| 50 png_warning(png_ptr, "PNG fixed point integer out of range"); |
| 51 |
| 52 return PNG_FIXED_ERROR; |
| 53 } |
| 54 #endif |
| 55 |
| 56 #ifdef PNG_READ_INT_FUNCTIONS_SUPPORTED |
| 57 /* NOTE: the read macros will obscure these definitions, so that if |
| 58 * PNG_USE_READ_MACROS is set the library will not use them internally, |
| 59 * but the APIs will still be available externally. |
| 60 * |
| 61 * The parentheses around "PNGAPI function_name" in the following three |
| 62 * functions are necessary because they allow the macros to co-exist with |
| 63 * these (unused but exported) functions. |
| 64 */ |
| 65 |
| 66 /* Grab an unsigned 32-bit integer from a buffer in big-endian format. */ |
| 67 png_uint_32 (PNGAPI |
| 68 png_get_uint_32)(png_const_bytep buf) |
| 69 { |
| 70 png_uint_32 uval = |
| 71 ((png_uint_32)(*(buf )) << 24) + |
| 72 ((png_uint_32)(*(buf + 1)) << 16) + |
| 73 ((png_uint_32)(*(buf + 2)) << 8) + |
| 74 ((png_uint_32)(*(buf + 3)) ) ; |
| 75 |
| 76 return uval; |
| 77 } |
| 78 |
| 79 /* Grab a signed 32-bit integer from a buffer in big-endian format. The |
| 80 * data is stored in the PNG file in two's complement format and there |
| 81 * is no guarantee that a 'png_int_32' is exactly 32 bits, therefore |
| 82 * the following code does a two's complement to native conversion. |
| 83 */ |
| 84 png_int_32 (PNGAPI |
| 85 png_get_int_32)(png_const_bytep buf) |
| 86 { |
| 87 png_uint_32 uval = png_get_uint_32(buf); |
| 88 if ((uval & 0x80000000) == 0) /* non-negative */ |
| 89 return uval; |
| 90 |
| 91 uval = (uval ^ 0xffffffff) + 1; /* 2's complement: -x = ~x+1 */ |
| 92 if ((uval & 0x80000000) == 0) /* no overflow */ |
| 93 return -(png_int_32)uval; |
| 94 /* The following has to be safe; this function only gets called on PNG data |
| 95 * and if we get here that data is invalid. 0 is the most safe value and |
| 96 * if not then an attacker would surely just generate a PNG with 0 instead. |
| 97 */ |
| 98 return 0; |
| 99 } |
| 100 |
| 101 /* Grab an unsigned 16-bit integer from a buffer in big-endian format. */ |
| 102 png_uint_16 (PNGAPI |
| 103 png_get_uint_16)(png_const_bytep buf) |
| 104 { |
| 105 /* ANSI-C requires an int value to accomodate at least 16 bits so this |
| 106 * works and allows the compiler not to worry about possible narrowing |
| 107 * on 32-bit systems. (Pre-ANSI systems did not make integers smaller |
| 108 * than 16 bits either.) |
| 109 */ |
| 110 unsigned int val = |
| 111 ((unsigned int)(*buf) << 8) + |
| 112 ((unsigned int)(*(buf + 1))); |
| 113 |
| 114 return (png_uint_16)val; |
| 115 } |
| 116 |
| 117 #endif /* READ_INT_FUNCTIONS */ |
| 118 |
| 119 /* Read and check the PNG file signature */ |
| 120 void /* PRIVATE */ |
| 121 png_read_sig(png_structrp png_ptr, png_inforp info_ptr) |
| 122 { |
| 123 png_size_t num_checked, num_to_check; |
| 124 |
| 125 /* Exit if the user application does not expect a signature. */ |
| 126 if (png_ptr->sig_bytes >= 8) |
| 127 return; |
| 128 |
| 129 num_checked = png_ptr->sig_bytes; |
| 130 num_to_check = 8 - num_checked; |
| 131 |
| 132 #ifdef PNG_IO_STATE_SUPPORTED |
| 133 png_ptr->io_state = PNG_IO_READING | PNG_IO_SIGNATURE; |
| 134 #endif |
| 135 |
| 136 /* The signature must be serialized in a single I/O call. */ |
| 137 png_read_data(png_ptr, &(info_ptr->signature[num_checked]), num_to_check); |
| 138 png_ptr->sig_bytes = 8; |
| 139 |
| 140 if (png_sig_cmp(info_ptr->signature, num_checked, num_to_check) != 0) |
39 { | 141 { |
40 MultiByteToWideChar(CP_ACP, 0, nptr, -1, str, len); | 142 if (num_checked < 4 && |
41 result = wcstod(str, &end); | 143 png_sig_cmp(info_ptr->signature, num_checked, num_to_check - 4)) |
42 len = WideCharToMultiByte(CP_ACP, 0, end, -1, NULL, 0, NULL, NULL); | 144 png_error(png_ptr, "Not a PNG file"); |
43 *endptr = (char *)nptr + (png_strlen(nptr) - len + 1); | 145 else |
44 png_free(png_ptr, str); | 146 png_error(png_ptr, "PNG file corrupted by ASCII conversion"); |
45 } | 147 } |
46 return result; | 148 if (num_checked < 3) |
47 } | 149 png_ptr->mode |= PNG_HAVE_PNG_SIGNATURE; |
48 # else | 150 } |
49 # define png_strtod(p,a,b) strtod(a,b) | |
50 # endif | |
51 #endif | |
52 | |
53 png_uint_32 PNGAPI | |
54 png_get_uint_31(png_structp png_ptr, png_bytep buf) | |
55 { | |
56 #ifdef PNG_READ_BIG_ENDIAN_SUPPORTED | |
57 png_uint_32 i = png_get_uint_32(buf); | |
58 #else | |
59 /* Avoid an extra function call by inlining the result. */ | |
60 png_uint_32 i = ((png_uint_32)((*(buf )) & 0xff) << 24) + | |
61 ((png_uint_32)((*(buf + 1)) & 0xff) << 16) + | |
62 ((png_uint_32)((*(buf + 2)) & 0xff) << 8) + | |
63 ((png_uint_32)((*(buf + 3)) & 0xff) ); | |
64 #endif | |
65 if (i > PNG_UINT_31_MAX) | |
66 png_error(png_ptr, "PNG unsigned integer out of range."); | |
67 return (i); | |
68 } | |
69 #ifndef PNG_READ_BIG_ENDIAN_SUPPORTED | |
70 /* Grab an unsigned 32-bit integer from a buffer in big-endian format. */ | |
71 png_uint_32 PNGAPI | |
72 png_get_uint_32(png_bytep buf) | |
73 { | |
74 png_uint_32 i = ((png_uint_32)((*(buf )) & 0xff) << 24) + | |
75 ((png_uint_32)((*(buf + 1)) & 0xff) << 16) + | |
76 ((png_uint_32)((*(buf + 2)) & 0xff) << 8) + | |
77 ((png_uint_32)((*(buf + 3)) & 0xff) ); | |
78 | |
79 return (i); | |
80 } | |
81 | |
82 /* Grab a signed 32-bit integer from a buffer in big-endian format. The | |
83 * data is stored in the PNG file in two's complement format, and it is | |
84 * assumed that the machine format for signed integers is the same. | |
85 */ | |
86 png_int_32 PNGAPI | |
87 png_get_int_32(png_bytep buf) | |
88 { | |
89 png_int_32 i = ((png_int_32)((*(buf )) & 0xff) << 24) + | |
90 ((png_int_32)((*(buf + 1)) & 0xff) << 16) + | |
91 ((png_int_32)((*(buf + 2)) & 0xff) << 8) + | |
92 ((png_int_32)((*(buf + 3)) & 0xff) ); | |
93 | |
94 return (i); | |
95 } | |
96 | |
97 /* Grab an unsigned 16-bit integer from a buffer in big-endian format. */ | |
98 png_uint_16 PNGAPI | |
99 png_get_uint_16(png_bytep buf) | |
100 { | |
101 png_uint_16 i = ((png_uint_16)((*(buf )) & 0xff) << 8) + | |
102 ((png_uint_16)((*(buf + 1)) & 0xff) ); | |
103 | |
104 return (i); | |
105 } | |
106 #endif /* PNG_READ_BIG_ENDIAN_SUPPORTED */ | |
107 | 151 |
108 /* Read the chunk header (length + type name). | 152 /* Read the chunk header (length + type name). |
109 * Put the type name into png_ptr->chunk_name, and return the length. | 153 * Put the type name into png_ptr->chunk_name, and return the length. |
110 */ | 154 */ |
111 png_uint_32 /* PRIVATE */ | 155 png_uint_32 /* PRIVATE */ |
112 png_read_chunk_header(png_structp png_ptr) | 156 png_read_chunk_header(png_structrp png_ptr) |
113 { | 157 { |
114 png_byte buf[8]; | 158 png_byte buf[8]; |
115 png_uint_32 length; | 159 png_uint_32 length; |
116 | 160 |
117 /* Read the length and the chunk name */ | 161 #ifdef PNG_IO_STATE_SUPPORTED |
| 162 png_ptr->io_state = PNG_IO_READING | PNG_IO_CHUNK_HDR; |
| 163 #endif |
| 164 |
| 165 /* Read the length and the chunk name. |
| 166 * This must be performed in a single I/O call. |
| 167 */ |
118 png_read_data(png_ptr, buf, 8); | 168 png_read_data(png_ptr, buf, 8); |
119 length = png_get_uint_31(png_ptr, buf); | 169 length = png_get_uint_31(png_ptr, buf); |
120 | 170 |
121 /* Put the chunk name into png_ptr->chunk_name */ | 171 /* Put the chunk name into png_ptr->chunk_name. */ |
122 png_memcpy(png_ptr->chunk_name, buf + 4, 4); | 172 png_ptr->chunk_name = PNG_CHUNK_FROM_STRING(buf+4); |
123 | 173 |
124 png_debug2(0, "Reading %s chunk, length = %lu", | 174 png_debug2(0, "Reading %lx chunk, length = %lu", |
125 png_ptr->chunk_name, length); | 175 (unsigned long)png_ptr->chunk_name, (unsigned long)length); |
126 | 176 |
127 /* Reset the crc and run it over the chunk name */ | 177 /* Reset the crc and run it over the chunk name. */ |
128 png_reset_crc(png_ptr); | 178 png_reset_crc(png_ptr); |
129 png_calculate_crc(png_ptr, png_ptr->chunk_name, 4); | 179 png_calculate_crc(png_ptr, buf + 4, 4); |
130 | 180 |
131 /* Check to see if chunk name is valid */ | 181 /* Check to see if chunk name is valid. */ |
132 png_check_chunk_name(png_ptr, png_ptr->chunk_name); | 182 png_check_chunk_name(png_ptr, png_ptr->chunk_name); |
133 | 183 |
| 184 #ifdef PNG_IO_STATE_SUPPORTED |
| 185 png_ptr->io_state = PNG_IO_READING | PNG_IO_CHUNK_DATA; |
| 186 #endif |
| 187 |
134 return length; | 188 return length; |
135 } | 189 } |
136 | 190 |
137 /* Read data, and (optionally) run it through the CRC. */ | 191 /* Read data, and (optionally) run it through the CRC. */ |
138 void /* PRIVATE */ | 192 void /* PRIVATE */ |
139 png_crc_read(png_structp png_ptr, png_bytep buf, png_size_t length) | 193 png_crc_read(png_structrp png_ptr, png_bytep buf, png_uint_32 length) |
140 { | 194 { |
141 if (png_ptr == NULL) | 195 if (png_ptr == NULL) |
142 return; | 196 return; |
| 197 |
143 png_read_data(png_ptr, buf, length); | 198 png_read_data(png_ptr, buf, length); |
144 png_calculate_crc(png_ptr, buf, length); | 199 png_calculate_crc(png_ptr, buf, length); |
145 } | 200 } |
146 | 201 |
147 /* Optionally skip data and then check the CRC. Depending on whether we | 202 /* Optionally skip data and then check the CRC. Depending on whether we |
148 * are reading a ancillary or critical chunk, and how the program has set | 203 * are reading an ancillary or critical chunk, and how the program has set |
149 * things up, we may calculate the CRC on the data and print a message. | 204 * things up, we may calculate the CRC on the data and print a message. |
150 * Returns '1' if there was a CRC error, '0' otherwise. | 205 * Returns '1' if there was a CRC error, '0' otherwise. |
151 */ | 206 */ |
152 int /* PRIVATE */ | 207 int /* PRIVATE */ |
153 png_crc_finish(png_structp png_ptr, png_uint_32 skip) | 208 png_crc_finish(png_structrp png_ptr, png_uint_32 skip) |
154 { | 209 { |
155 png_size_t i; | 210 /* The size of the local buffer for inflate is a good guess as to a |
156 png_size_t istop = png_ptr->zbuf_size; | 211 * reasonable size to use for buffering reads from the application. |
157 | 212 */ |
158 for (i = (png_size_t)skip; i > istop; i -= istop) | 213 while (skip > 0) |
159 { | 214 { |
160 png_crc_read(png_ptr, png_ptr->zbuf, png_ptr->zbuf_size); | 215 png_uint_32 len; |
| 216 png_byte tmpbuf[PNG_INFLATE_BUF_SIZE]; |
| 217 |
| 218 len = (sizeof tmpbuf); |
| 219 if (len > skip) |
| 220 len = skip; |
| 221 skip -= len; |
| 222 |
| 223 png_crc_read(png_ptr, tmpbuf, len); |
161 } | 224 } |
162 if (i) | 225 |
| 226 if (png_crc_error(png_ptr) != 0) |
163 { | 227 { |
164 png_crc_read(png_ptr, png_ptr->zbuf, i); | 228 if (PNG_CHUNK_ANCILLARY(png_ptr->chunk_name) != 0 ? |
165 } | 229 (png_ptr->flags & PNG_FLAG_CRC_ANCILLARY_NOWARN) == 0 : |
166 | 230 (png_ptr->flags & PNG_FLAG_CRC_CRITICAL_USE) != 0) |
167 if (png_crc_error(png_ptr)) | |
168 { | |
169 if (((png_ptr->chunk_name[0] & 0x20) && /* Ancillary */ | |
170 !(png_ptr->flags & PNG_FLAG_CRC_ANCILLARY_NOWARN)) || | |
171 (!(png_ptr->chunk_name[0] & 0x20) && /* Critical */ | |
172 (png_ptr->flags & PNG_FLAG_CRC_CRITICAL_USE))) | |
173 { | 231 { |
174 png_chunk_warning(png_ptr, "CRC error"); | 232 png_chunk_warning(png_ptr, "CRC error"); |
175 } | 233 } |
| 234 |
176 else | 235 else |
177 { | |
178 png_chunk_error(png_ptr, "CRC error"); | 236 png_chunk_error(png_ptr, "CRC error"); |
179 } | 237 |
180 return (1); | 238 return (1); |
181 } | 239 } |
182 | 240 |
183 return (0); | 241 return (0); |
184 } | 242 } |
185 | 243 |
186 /* Compare the CRC stored in the PNG file with that calculated by libpng from | 244 /* Compare the CRC stored in the PNG file with that calculated by libpng from |
187 * the data it has read thus far. | 245 * the data it has read thus far. |
188 */ | 246 */ |
189 int /* PRIVATE */ | 247 int /* PRIVATE */ |
190 png_crc_error(png_structp png_ptr) | 248 png_crc_error(png_structrp png_ptr) |
191 { | 249 { |
192 png_byte crc_bytes[4]; | 250 png_byte crc_bytes[4]; |
193 png_uint_32 crc; | 251 png_uint_32 crc; |
194 int need_crc = 1; | 252 int need_crc = 1; |
195 | 253 |
196 if (png_ptr->chunk_name[0] & 0x20) /* ancillary */ | 254 if (PNG_CHUNK_ANCILLARY(png_ptr->chunk_name) != 0) |
197 { | 255 { |
198 if ((png_ptr->flags & PNG_FLAG_CRC_ANCILLARY_MASK) == | 256 if ((png_ptr->flags & PNG_FLAG_CRC_ANCILLARY_MASK) == |
199 (PNG_FLAG_CRC_ANCILLARY_USE | PNG_FLAG_CRC_ANCILLARY_NOWARN)) | 257 (PNG_FLAG_CRC_ANCILLARY_USE | PNG_FLAG_CRC_ANCILLARY_NOWARN)) |
200 need_crc = 0; | 258 need_crc = 0; |
201 } | 259 } |
202 else /* critical */ | 260 |
203 { | 261 else /* critical */ |
204 if (png_ptr->flags & PNG_FLAG_CRC_CRITICAL_IGNORE) | 262 { |
| 263 if ((png_ptr->flags & PNG_FLAG_CRC_CRITICAL_IGNORE) != 0) |
205 need_crc = 0; | 264 need_crc = 0; |
206 } | 265 } |
207 | 266 |
| 267 #ifdef PNG_IO_STATE_SUPPORTED |
| 268 png_ptr->io_state = PNG_IO_READING | PNG_IO_CHUNK_CRC; |
| 269 #endif |
| 270 |
| 271 /* The chunk CRC must be serialized in a single I/O call. */ |
208 png_read_data(png_ptr, crc_bytes, 4); | 272 png_read_data(png_ptr, crc_bytes, 4); |
209 | 273 |
210 if (need_crc) | 274 if (need_crc != 0) |
211 { | 275 { |
212 crc = png_get_uint_32(crc_bytes); | 276 crc = png_get_uint_32(crc_bytes); |
213 return ((int)(crc != png_ptr->crc)); | 277 return ((int)(crc != png_ptr->crc)); |
214 } | 278 } |
| 279 |
215 else | 280 else |
216 return (0); | 281 return (0); |
217 } | 282 } |
218 | 283 |
219 #if defined(PNG_READ_zTXt_SUPPORTED) || defined(PNG_READ_iTXt_SUPPORTED) || \ | 284 #if defined(PNG_READ_iCCP_SUPPORTED) || defined(PNG_READ_iTXt_SUPPORTED) ||\ |
220 defined(PNG_READ_iCCP_SUPPORTED) | 285 defined(PNG_READ_pCAL_SUPPORTED) || defined(PNG_READ_sCAL_SUPPORTED) ||\ |
221 static png_size_t | 286 defined(PNG_READ_sPLT_SUPPORTED) || defined(PNG_READ_tEXt_SUPPORTED) ||\ |
222 png_inflate(png_structp png_ptr, const png_byte *data, png_size_t size, | 287 defined(PNG_READ_zTXt_SUPPORTED) || defined(PNG_SEQUENTIAL_READ_SUPPORTED) |
223 png_bytep output, png_size_t output_size) | 288 /* Manage the read buffer; this simply reallocates the buffer if it is not small |
224 { | 289 * enough (or if it is not allocated). The routine returns a pointer to the |
225 png_size_t count = 0; | 290 * buffer; if an error occurs and 'warn' is set the routine returns NULL, else |
226 | 291 * it will call png_error (via png_malloc) on failure. (warn == 2 means |
227 png_ptr->zstream.next_in = (png_bytep)data; /* const_cast: VALID */ | 292 * 'silent'). |
228 png_ptr->zstream.avail_in = size; | 293 */ |
229 | 294 static png_bytep |
230 while (1) | 295 png_read_buffer(png_structrp png_ptr, png_alloc_size_t new_size, int warn) |
231 { | 296 { |
232 int ret, avail; | 297 png_bytep buffer = png_ptr->read_buffer; |
233 | 298 |
234 /* Reset the output buffer each time round - we empty it | 299 if (buffer != NULL && new_size > png_ptr->read_buffer_size) |
235 * after every inflate call. | 300 { |
| 301 png_ptr->read_buffer = NULL; |
| 302 png_ptr->read_buffer = NULL; |
| 303 png_ptr->read_buffer_size = 0; |
| 304 png_free(png_ptr, buffer); |
| 305 buffer = NULL; |
| 306 } |
| 307 |
| 308 if (buffer == NULL) |
| 309 { |
| 310 buffer = png_voidcast(png_bytep, png_malloc_base(png_ptr, new_size)); |
| 311 |
| 312 if (buffer != NULL) |
| 313 { |
| 314 png_ptr->read_buffer = buffer; |
| 315 png_ptr->read_buffer_size = new_size; |
| 316 } |
| 317 |
| 318 else if (warn < 2) /* else silent */ |
| 319 { |
| 320 if (warn != 0) |
| 321 png_chunk_warning(png_ptr, "insufficient memory to read chunk"); |
| 322 |
| 323 else |
| 324 png_chunk_error(png_ptr, "insufficient memory to read chunk"); |
| 325 } |
| 326 } |
| 327 |
| 328 return buffer; |
| 329 } |
| 330 #endif /* READ_iCCP|iTXt|pCAL|sCAL|sPLT|tEXt|zTXt|SEQUENTIAL_READ */ |
| 331 |
| 332 /* png_inflate_claim: claim the zstream for some nefarious purpose that involves |
| 333 * decompression. Returns Z_OK on success, else a zlib error code. It checks |
| 334 * the owner but, in final release builds, just issues a warning if some other |
| 335 * chunk apparently owns the stream. Prior to release it does a png_error. |
| 336 */ |
| 337 static int |
| 338 png_inflate_claim(png_structrp png_ptr, png_uint_32 owner) |
| 339 { |
| 340 if (png_ptr->zowner != 0) |
| 341 { |
| 342 char msg[64]; |
| 343 |
| 344 PNG_STRING_FROM_CHUNK(msg, png_ptr->zowner); |
| 345 /* So the message that results is "<chunk> using zstream"; this is an |
| 346 * internal error, but is very useful for debugging. i18n requirements |
| 347 * are minimal. |
236 */ | 348 */ |
237 png_ptr->zstream.next_out = png_ptr->zbuf; | 349 (void)png_safecat(msg, (sizeof msg), 4, " using zstream"); |
238 png_ptr->zstream.avail_out = png_ptr->zbuf_size; | 350 #if PNG_RELEASE_BUILD |
239 | 351 png_chunk_warning(png_ptr, msg); |
240 ret = inflate(&png_ptr->zstream, Z_NO_FLUSH); | 352 png_ptr->zowner = 0; |
241 avail = png_ptr->zbuf_size - png_ptr->zstream.avail_out; | 353 #else |
242 | 354 png_chunk_error(png_ptr, msg); |
243 /* First copy/count any new output - but only if we didn't | 355 #endif |
244 * get an error code. | 356 } |
| 357 |
| 358 /* Implementation note: unlike 'png_deflate_claim' this internal function |
| 359 * does not take the size of the data as an argument. Some efficiency could |
| 360 * be gained by using this when it is known *if* the zlib stream itself does |
| 361 * not record the number; however, this is an illusion: the original writer |
| 362 * of the PNG may have selected a lower window size, and we really must |
| 363 * follow that because, for systems with with limited capabilities, we |
| 364 * would otherwise reject the application's attempts to use a smaller window |
| 365 * size (zlib doesn't have an interface to say "this or lower"!). |
| 366 * |
| 367 * inflateReset2 was added to zlib 1.2.4; before this the window could not be |
| 368 * reset, therefore it is necessary to always allocate the maximum window |
| 369 * size with earlier zlibs just in case later compressed chunks need it. |
| 370 */ |
| 371 { |
| 372 int ret; /* zlib return code */ |
| 373 #if PNG_ZLIB_VERNUM >= 0x1240 |
| 374 |
| 375 # if defined(PNG_SET_OPTION_SUPPORTED) && defined(PNG_MAXIMUM_INFLATE_WINDOW) |
| 376 int window_bits; |
| 377 |
| 378 if (((png_ptr->options >> PNG_MAXIMUM_INFLATE_WINDOW) & 3) == |
| 379 PNG_OPTION_ON) |
| 380 { |
| 381 window_bits = 15; |
| 382 png_ptr->zstream_start = 0; /* fixed window size */ |
| 383 } |
| 384 |
| 385 else |
| 386 { |
| 387 window_bits = 0; |
| 388 png_ptr->zstream_start = 1; |
| 389 } |
| 390 # else |
| 391 # define window_bits 0 |
| 392 # endif |
| 393 #endif |
| 394 |
| 395 /* Set this for safety, just in case the previous owner left pointers to |
| 396 * memory allocations. |
245 */ | 397 */ |
246 if ((ret == Z_OK || ret == Z_STREAM_END) && avail > 0) | 398 png_ptr->zstream.next_in = NULL; |
247 { | 399 png_ptr->zstream.avail_in = 0; |
248 if (output != 0 && output_size > count) | 400 png_ptr->zstream.next_out = NULL; |
| 401 png_ptr->zstream.avail_out = 0; |
| 402 |
| 403 if ((png_ptr->flags & PNG_FLAG_ZSTREAM_INITIALIZED) != 0) |
| 404 { |
| 405 #if PNG_ZLIB_VERNUM < 0x1240 |
| 406 ret = inflateReset(&png_ptr->zstream); |
| 407 #else |
| 408 ret = inflateReset2(&png_ptr->zstream, window_bits); |
| 409 #endif |
| 410 } |
| 411 |
| 412 else |
| 413 { |
| 414 #if PNG_ZLIB_VERNUM < 0x1240 |
| 415 ret = inflateInit(&png_ptr->zstream); |
| 416 #else |
| 417 ret = inflateInit2(&png_ptr->zstream, window_bits); |
| 418 #endif |
| 419 |
| 420 if (ret == Z_OK) |
| 421 png_ptr->flags |= PNG_FLAG_ZSTREAM_INITIALIZED; |
| 422 } |
| 423 |
| 424 if (ret == Z_OK) |
| 425 png_ptr->zowner = owner; |
| 426 |
| 427 else |
| 428 png_zstream_error(png_ptr, ret); |
| 429 |
| 430 return ret; |
| 431 } |
| 432 |
| 433 #ifdef window_bits |
| 434 # undef window_bits |
| 435 #endif |
| 436 } |
| 437 |
| 438 #if PNG_ZLIB_VERNUM >= 0x1240 |
| 439 /* Handle the start of the inflate stream if we called inflateInit2(strm,0); |
| 440 * in this case some zlib versions skip validation of the CINFO field and, in |
| 441 * certain circumstances, libpng may end up displaying an invalid image, in |
| 442 * contrast to implementations that call zlib in the normal way (e.g. libpng |
| 443 * 1.5). |
| 444 */ |
| 445 int /* PRIVATE */ |
| 446 png_zlib_inflate(png_structrp png_ptr, int flush) |
| 447 { |
| 448 if (png_ptr->zstream_start && png_ptr->zstream.avail_in > 0) |
| 449 { |
| 450 if ((*png_ptr->zstream.next_in >> 4) > 7) |
| 451 { |
| 452 png_ptr->zstream.msg = "invalid window size (libpng)"; |
| 453 return Z_DATA_ERROR; |
| 454 } |
| 455 |
| 456 png_ptr->zstream_start = 0; |
| 457 } |
| 458 |
| 459 return inflate(&png_ptr->zstream, flush); |
| 460 } |
| 461 #endif /* Zlib >= 1.2.4 */ |
| 462 |
| 463 #ifdef PNG_READ_COMPRESSED_TEXT_SUPPORTED |
| 464 /* png_inflate now returns zlib error codes including Z_OK and Z_STREAM_END to |
| 465 * allow the caller to do multiple calls if required. If the 'finish' flag is |
| 466 * set Z_FINISH will be passed to the final inflate() call and Z_STREAM_END must |
| 467 * be returned or there has been a problem, otherwise Z_SYNC_FLUSH is used and |
| 468 * Z_OK or Z_STREAM_END will be returned on success. |
| 469 * |
| 470 * The input and output sizes are updated to the actual amounts of data consumed |
| 471 * or written, not the amount available (as in a z_stream). The data pointers |
| 472 * are not changed, so the next input is (data+input_size) and the next |
| 473 * available output is (output+output_size). |
| 474 */ |
| 475 static int |
| 476 png_inflate(png_structrp png_ptr, png_uint_32 owner, int finish, |
| 477 /* INPUT: */ png_const_bytep input, png_uint_32p input_size_ptr, |
| 478 /* OUTPUT: */ png_bytep output, png_alloc_size_t *output_size_ptr) |
| 479 { |
| 480 if (png_ptr->zowner == owner) /* Else not claimed */ |
| 481 { |
| 482 int ret; |
| 483 png_alloc_size_t avail_out = *output_size_ptr; |
| 484 png_uint_32 avail_in = *input_size_ptr; |
| 485 |
| 486 /* zlib can't necessarily handle more than 65535 bytes at once (i.e. it |
| 487 * can't even necessarily handle 65536 bytes) because the type uInt is |
| 488 * "16 bits or more". Consequently it is necessary to chunk the input to |
| 489 * zlib. This code uses ZLIB_IO_MAX, from pngpriv.h, as the maximum (the |
| 490 * maximum value that can be stored in a uInt.) It is possible to set |
| 491 * ZLIB_IO_MAX to a lower value in pngpriv.h and this may sometimes have |
| 492 * a performance advantage, because it reduces the amount of data accessed |
| 493 * at each step and that may give the OS more time to page it in. |
| 494 */ |
| 495 png_ptr->zstream.next_in = PNGZ_INPUT_CAST(input); |
| 496 /* avail_in and avail_out are set below from 'size' */ |
| 497 png_ptr->zstream.avail_in = 0; |
| 498 png_ptr->zstream.avail_out = 0; |
| 499 |
| 500 /* Read directly into the output if it is available (this is set to |
| 501 * a local buffer below if output is NULL). |
| 502 */ |
| 503 if (output != NULL) |
| 504 png_ptr->zstream.next_out = output; |
| 505 |
| 506 do |
| 507 { |
| 508 uInt avail; |
| 509 Byte local_buffer[PNG_INFLATE_BUF_SIZE]; |
| 510 |
| 511 /* zlib INPUT BUFFER */ |
| 512 /* The setting of 'avail_in' used to be outside the loop; by setting it |
| 513 * inside it is possible to chunk the input to zlib and simply rely on |
| 514 * zlib to advance the 'next_in' pointer. This allows arbitrary |
| 515 * amounts of data to be passed through zlib at the unavoidable cost of |
| 516 * requiring a window save (memcpy of up to 32768 output bytes) |
| 517 * every ZLIB_IO_MAX input bytes. |
| 518 */ |
| 519 avail_in += png_ptr->zstream.avail_in; /* not consumed last time */ |
| 520 |
| 521 avail = ZLIB_IO_MAX; |
| 522 |
| 523 if (avail_in < avail) |
| 524 avail = (uInt)avail_in; /* safe: < than ZLIB_IO_MAX */ |
| 525 |
| 526 avail_in -= avail; |
| 527 png_ptr->zstream.avail_in = avail; |
| 528 |
| 529 /* zlib OUTPUT BUFFER */ |
| 530 avail_out += png_ptr->zstream.avail_out; /* not written last time */ |
| 531 |
| 532 avail = ZLIB_IO_MAX; /* maximum zlib can process */ |
| 533 |
| 534 if (output == NULL) |
249 { | 535 { |
250 png_size_t copy = output_size - count; | 536 /* Reset the output buffer each time round if output is NULL and |
251 if ((png_size_t) avail < copy) copy = (png_size_t) avail; | 537 * make available the full buffer, up to 'remaining_space' |
252 png_memcpy(output + count, png_ptr->zbuf, copy); | 538 */ |
| 539 png_ptr->zstream.next_out = local_buffer; |
| 540 if ((sizeof local_buffer) < avail) |
| 541 avail = (sizeof local_buffer); |
253 } | 542 } |
254 count += avail; | 543 |
255 } | 544 if (avail_out < avail) |
256 | 545 avail = (uInt)avail_out; /* safe: < ZLIB_IO_MAX */ |
257 if (ret == Z_OK) | 546 |
258 continue; | 547 png_ptr->zstream.avail_out = avail; |
259 | 548 avail_out -= avail; |
260 /* Termination conditions - always reset the zstream, it | 549 |
261 * must be left in inflateInit state. | 550 /* zlib inflate call */ |
| 551 /* In fact 'avail_out' may be 0 at this point, that happens at the end |
| 552 * of the read when the final LZ end code was not passed at the end of |
| 553 * the previous chunk of input data. Tell zlib if we have reached the |
| 554 * end of the output buffer. |
| 555 */ |
| 556 ret = PNG_INFLATE(png_ptr, avail_out > 0 ? Z_NO_FLUSH : |
| 557 (finish ? Z_FINISH : Z_SYNC_FLUSH)); |
| 558 } while (ret == Z_OK); |
| 559 |
| 560 /* For safety kill the local buffer pointer now */ |
| 561 if (output == NULL) |
| 562 png_ptr->zstream.next_out = NULL; |
| 563 |
| 564 /* Claw back the 'size' and 'remaining_space' byte counts. */ |
| 565 avail_in += png_ptr->zstream.avail_in; |
| 566 avail_out += png_ptr->zstream.avail_out; |
| 567 |
| 568 /* Update the input and output sizes; the updated values are the amount |
| 569 * consumed or written, effectively the inverse of what zlib uses. |
262 */ | 570 */ |
263 png_ptr->zstream.avail_in = 0; | 571 if (avail_out > 0) |
264 inflateReset(&png_ptr->zstream); | 572 *output_size_ptr -= avail_out; |
265 | 573 |
266 if (ret == Z_STREAM_END) | 574 if (avail_in > 0) |
267 return count; /* NOTE: may be zero. */ | 575 *input_size_ptr -= avail_in; |
268 | 576 |
269 /* Now handle the error codes - the API always returns 0 | 577 /* Ensure png_ptr->zstream.msg is set (even in the success case!) */ |
270 * and the error message is dumped into the uncompressed | 578 png_zstream_error(png_ptr, ret); |
271 * buffer if available. | 579 return ret; |
| 580 } |
| 581 |
| 582 else |
| 583 { |
| 584 /* This is a bad internal error. The recovery assigns to the zstream msg |
| 585 * pointer, which is not owned by the caller, but this is safe; it's only |
| 586 * used on errors! |
272 */ | 587 */ |
273 { | 588 png_ptr->zstream.msg = PNGZ_MSG_CAST("zstream unclaimed"); |
274 PNG_CONST char *msg; | 589 return Z_STREAM_ERROR; |
275 if (png_ptr->zstream.msg != 0) | |
276 msg = png_ptr->zstream.msg; | |
277 else | |
278 { | |
279 #if defined(PNG_STDIO_SUPPORTED) && !defined(_WIN32_WCE) | |
280 char umsg[52]; | |
281 | |
282 switch (ret) | |
283 { | |
284 case Z_BUF_ERROR: | |
285 msg = "Buffer error in compressed datastream in %s chunk"; | |
286 break; | |
287 case Z_DATA_ERROR: | |
288 msg = "Data error in compressed datastream in %s chunk"; | |
289 break; | |
290 default: | |
291 msg = "Incomplete compressed datastream in %s chunk"; | |
292 break; | |
293 } | |
294 | |
295 png_snprintf(umsg, sizeof umsg, msg, png_ptr->chunk_name); | |
296 msg = umsg; | |
297 png_warning(png_ptr, msg); | |
298 #else | |
299 msg = "Damaged compressed datastream in chunk other than IDAT"; | |
300 #endif | |
301 } | |
302 | |
303 #ifndef PNG_STDIO_SUPPORTED | |
304 png_warning(png_ptr, msg); | |
305 #endif | |
306 } | |
307 | |
308 /* 0 means an error - notice that this code simple ignores | |
309 * zero length compressed chunks as a result. | |
310 */ | |
311 return 0; | |
312 } | 590 } |
313 } | 591 } |
314 | 592 |
315 /* | 593 /* |
316 * Decompress trailing data in a chunk. The assumption is that chunkdata | 594 * Decompress trailing data in a chunk. The assumption is that read_buffer |
317 * points at an allocated area holding the contents of a chunk with a | 595 * points at an allocated area holding the contents of a chunk with a |
318 * trailing compressed part. What we get back is an allocated area | 596 * trailing compressed part. What we get back is an allocated area |
319 * holding the original prefix part and an uncompressed version of the | 597 * holding the original prefix part and an uncompressed version of the |
320 * trailing part (the malloc area passed in is freed). | 598 * trailing part (the malloc area passed in is freed). |
321 */ | 599 */ |
| 600 static int |
| 601 png_decompress_chunk(png_structrp png_ptr, |
| 602 png_uint_32 chunklength, png_uint_32 prefix_size, |
| 603 png_alloc_size_t *newlength /* must be initialized to the maximum! */, |
| 604 int terminate /*add a '\0' to the end of the uncompressed data*/) |
| 605 { |
| 606 /* TODO: implement different limits for different types of chunk. |
| 607 * |
| 608 * The caller supplies *newlength set to the maximum length of the |
| 609 * uncompressed data, but this routine allocates space for the prefix and |
| 610 * maybe a '\0' terminator too. We have to assume that 'prefix_size' is |
| 611 * limited only by the maximum chunk size. |
| 612 */ |
| 613 png_alloc_size_t limit = PNG_SIZE_MAX; |
| 614 |
| 615 # ifdef PNG_SET_USER_LIMITS_SUPPORTED |
| 616 if (png_ptr->user_chunk_malloc_max > 0 && |
| 617 png_ptr->user_chunk_malloc_max < limit) |
| 618 limit = png_ptr->user_chunk_malloc_max; |
| 619 # elif PNG_USER_CHUNK_MALLOC_MAX > 0 |
| 620 if (PNG_USER_CHUNK_MALLOC_MAX < limit) |
| 621 limit = PNG_USER_CHUNK_MALLOC_MAX; |
| 622 # endif |
| 623 |
| 624 if (limit >= prefix_size + (terminate != 0)) |
| 625 { |
| 626 int ret; |
| 627 |
| 628 limit -= prefix_size + (terminate != 0); |
| 629 |
| 630 if (limit < *newlength) |
| 631 *newlength = limit; |
| 632 |
| 633 /* Now try to claim the stream. */ |
| 634 ret = png_inflate_claim(png_ptr, png_ptr->chunk_name); |
| 635 |
| 636 if (ret == Z_OK) |
| 637 { |
| 638 png_uint_32 lzsize = chunklength - prefix_size; |
| 639 |
| 640 ret = png_inflate(png_ptr, png_ptr->chunk_name, 1/*finish*/, |
| 641 /* input: */ png_ptr->read_buffer + prefix_size, &lzsize, |
| 642 /* output: */ NULL, newlength); |
| 643 |
| 644 if (ret == Z_STREAM_END) |
| 645 { |
| 646 /* Use 'inflateReset' here, not 'inflateReset2' because this |
| 647 * preserves the previously decided window size (otherwise it would |
| 648 * be necessary to store the previous window size.) In practice |
| 649 * this doesn't matter anyway, because png_inflate will call inflate |
| 650 * with Z_FINISH in almost all cases, so the window will not be |
| 651 * maintained. |
| 652 */ |
| 653 if (inflateReset(&png_ptr->zstream) == Z_OK) |
| 654 { |
| 655 /* Because of the limit checks above we know that the new, |
| 656 * expanded, size will fit in a size_t (let alone an |
| 657 * png_alloc_size_t). Use png_malloc_base here to avoid an |
| 658 * extra OOM message. |
| 659 */ |
| 660 png_alloc_size_t new_size = *newlength; |
| 661 png_alloc_size_t buffer_size = prefix_size + new_size + |
| 662 (terminate != 0); |
| 663 png_bytep text = png_voidcast(png_bytep, png_malloc_base(png_ptr, |
| 664 buffer_size)); |
| 665 |
| 666 if (text != NULL) |
| 667 { |
| 668 ret = png_inflate(png_ptr, png_ptr->chunk_name, 1/*finish*/, |
| 669 png_ptr->read_buffer + prefix_size, &lzsize, |
| 670 text + prefix_size, newlength); |
| 671 |
| 672 if (ret == Z_STREAM_END) |
| 673 { |
| 674 if (new_size == *newlength) |
| 675 { |
| 676 if (terminate != 0) |
| 677 text[prefix_size + *newlength] = 0; |
| 678 |
| 679 if (prefix_size > 0) |
| 680 memcpy(text, png_ptr->read_buffer, prefix_size); |
| 681 |
| 682 { |
| 683 png_bytep old_ptr = png_ptr->read_buffer; |
| 684 |
| 685 png_ptr->read_buffer = text; |
| 686 png_ptr->read_buffer_size = buffer_size; |
| 687 text = old_ptr; /* freed below */ |
| 688 } |
| 689 } |
| 690 |
| 691 else |
| 692 { |
| 693 /* The size changed on the second read, there can be no |
| 694 * guarantee that anything is correct at this point. |
| 695 * The 'msg' pointer has been set to "unexpected end of |
| 696 * LZ stream", which is fine, but return an error code |
| 697 * that the caller won't accept. |
| 698 */ |
| 699 ret = PNG_UNEXPECTED_ZLIB_RETURN; |
| 700 } |
| 701 } |
| 702 |
| 703 else if (ret == Z_OK) |
| 704 ret = PNG_UNEXPECTED_ZLIB_RETURN; /* for safety */ |
| 705 |
| 706 /* Free the text pointer (this is the old read_buffer on |
| 707 * success) |
| 708 */ |
| 709 png_free(png_ptr, text); |
| 710 |
| 711 /* This really is very benign, but it's still an error because |
| 712 * the extra space may otherwise be used as a Trojan Horse. |
| 713 */ |
| 714 if (ret == Z_STREAM_END && |
| 715 chunklength - prefix_size != lzsize) |
| 716 png_chunk_benign_error(png_ptr, "extra compressed data"); |
| 717 } |
| 718 |
| 719 else |
| 720 { |
| 721 /* Out of memory allocating the buffer */ |
| 722 ret = Z_MEM_ERROR; |
| 723 png_zstream_error(png_ptr, Z_MEM_ERROR); |
| 724 } |
| 725 } |
| 726 |
| 727 else |
| 728 { |
| 729 /* inflateReset failed, store the error message */ |
| 730 png_zstream_error(png_ptr, ret); |
| 731 |
| 732 if (ret == Z_STREAM_END) |
| 733 ret = PNG_UNEXPECTED_ZLIB_RETURN; |
| 734 } |
| 735 } |
| 736 |
| 737 else if (ret == Z_OK) |
| 738 ret = PNG_UNEXPECTED_ZLIB_RETURN; |
| 739 |
| 740 /* Release the claimed stream */ |
| 741 png_ptr->zowner = 0; |
| 742 } |
| 743 |
| 744 else /* the claim failed */ if (ret == Z_STREAM_END) /* impossible! */ |
| 745 ret = PNG_UNEXPECTED_ZLIB_RETURN; |
| 746 |
| 747 return ret; |
| 748 } |
| 749 |
| 750 else |
| 751 { |
| 752 /* Application/configuration limits exceeded */ |
| 753 png_zstream_error(png_ptr, Z_MEM_ERROR); |
| 754 return Z_MEM_ERROR; |
| 755 } |
| 756 } |
| 757 #endif /* READ_COMPRESSED_TEXT */ |
| 758 |
| 759 #ifdef PNG_READ_iCCP_SUPPORTED |
| 760 /* Perform a partial read and decompress, producing 'avail_out' bytes and |
| 761 * reading from the current chunk as required. |
| 762 */ |
| 763 static int |
| 764 png_inflate_read(png_structrp png_ptr, png_bytep read_buffer, uInt read_size, |
| 765 png_uint_32p chunk_bytes, png_bytep next_out, png_alloc_size_t *out_size, |
| 766 int finish) |
| 767 { |
| 768 if (png_ptr->zowner == png_ptr->chunk_name) |
| 769 { |
| 770 int ret; |
| 771 |
| 772 /* next_in and avail_in must have been initialized by the caller. */ |
| 773 png_ptr->zstream.next_out = next_out; |
| 774 png_ptr->zstream.avail_out = 0; /* set in the loop */ |
| 775 |
| 776 do |
| 777 { |
| 778 if (png_ptr->zstream.avail_in == 0) |
| 779 { |
| 780 if (read_size > *chunk_bytes) |
| 781 read_size = (uInt)*chunk_bytes; |
| 782 *chunk_bytes -= read_size; |
| 783 |
| 784 if (read_size > 0) |
| 785 png_crc_read(png_ptr, read_buffer, read_size); |
| 786 |
| 787 png_ptr->zstream.next_in = read_buffer; |
| 788 png_ptr->zstream.avail_in = read_size; |
| 789 } |
| 790 |
| 791 if (png_ptr->zstream.avail_out == 0) |
| 792 { |
| 793 uInt avail = ZLIB_IO_MAX; |
| 794 if (avail > *out_size) |
| 795 avail = (uInt)*out_size; |
| 796 *out_size -= avail; |
| 797 |
| 798 png_ptr->zstream.avail_out = avail; |
| 799 } |
| 800 |
| 801 /* Use Z_SYNC_FLUSH when there is no more chunk data to ensure that all |
| 802 * the available output is produced; this allows reading of truncated |
| 803 * streams. |
| 804 */ |
| 805 ret = PNG_INFLATE(png_ptr, |
| 806 *chunk_bytes > 0 ? Z_NO_FLUSH : (finish ? Z_FINISH : Z_SYNC_FLUSH)); |
| 807 } |
| 808 while (ret == Z_OK && (*out_size > 0 || png_ptr->zstream.avail_out > 0)); |
| 809 |
| 810 *out_size += png_ptr->zstream.avail_out; |
| 811 png_ptr->zstream.avail_out = 0; /* Should not be required, but is safe */ |
| 812 |
| 813 /* Ensure the error message pointer is always set: */ |
| 814 png_zstream_error(png_ptr, ret); |
| 815 return ret; |
| 816 } |
| 817 |
| 818 else |
| 819 { |
| 820 png_ptr->zstream.msg = PNGZ_MSG_CAST("zstream unclaimed"); |
| 821 return Z_STREAM_ERROR; |
| 822 } |
| 823 } |
| 824 #endif |
| 825 |
| 826 /* Read and check the IDHR chunk */ |
| 827 |
322 void /* PRIVATE */ | 828 void /* PRIVATE */ |
323 png_decompress_chunk(png_structp png_ptr, int comp_type, | 829 png_handle_IHDR(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length) |
324 png_size_t chunklength, | |
325 png_size_t prefix_size, png_size_t *newlength) | |
326 { | |
327 /* The caller should guarantee this */ | |
328 if (prefix_size > chunklength) | |
329 { | |
330 /* The recovery is to delete the chunk. */ | |
331 png_warning(png_ptr, "invalid chunklength"); | |
332 prefix_size = 0; /* To delete everything */ | |
333 } | |
334 | |
335 else if (comp_type == PNG_COMPRESSION_TYPE_BASE) | |
336 { | |
337 png_size_t expanded_size = png_inflate(png_ptr, | |
338 (png_bytep)(png_ptr->chunkdata + prefix_size), | |
339 chunklength - prefix_size, | |
340 0/*output*/, 0/*output size*/); | |
341 | |
342 /* Now check the limits on this chunk - if the limit fails the | |
343 * compressed data will be removed, the prefix will remain. | |
344 */ | |
345 if (prefix_size >= (~(png_size_t)0) - 1 || | |
346 expanded_size >= (~(png_size_t)0) - 1 - prefix_size | |
347 #ifdef PNG_USER_CHUNK_MALLOC_MAX | |
348 || ((PNG_USER_CHUNK_MALLOC_MAX > 0) && | |
349 prefix_size + expanded_size >= PNG_USER_CHUNK_MALLOC_MAX - 1) | |
350 #endif | |
351 ) | |
352 png_warning(png_ptr, "Exceeded size limit while expanding chunk"); | |
353 | |
354 /* If the size is zero either there was an error and a message | |
355 * has already been output (warning) or the size really is zero | |
356 * and we have nothing to do - the code will exit through the | |
357 * error case below. | |
358 */ | |
359 else if (expanded_size > 0) | |
360 { | |
361 /* Success (maybe) - really uncompress the chunk. */ | |
362 png_size_t new_size = 0; | |
363 | |
364 png_charp text = png_malloc_warn(png_ptr, | |
365 prefix_size + expanded_size + 1); | |
366 | |
367 if (text != NULL) | |
368 { | |
369 png_memcpy(text, png_ptr->chunkdata, prefix_size); | |
370 new_size = png_inflate(png_ptr, | |
371 (png_bytep)(png_ptr->chunkdata + prefix_size), | |
372 chunklength - prefix_size, | |
373 (png_bytep)(text + prefix_size), expanded_size); | |
374 text[prefix_size + expanded_size] = 0; /* just in case */ | |
375 | |
376 if (new_size == expanded_size) | |
377 { | |
378 png_free(png_ptr, png_ptr->chunkdata); | |
379 png_ptr->chunkdata = text; | |
380 *newlength = prefix_size + expanded_size; | |
381 return; /* The success return! */ | |
382 } | |
383 | |
384 png_warning(png_ptr, "png_inflate logic error"); | |
385 png_free(png_ptr, text); | |
386 } | |
387 else | |
388 png_warning(png_ptr, "Not enough memory to decompress chunk."); | |
389 } | |
390 } | |
391 | |
392 else /* if (comp_type != PNG_COMPRESSION_TYPE_BASE) */ | |
393 { | |
394 #if defined(PNG_STDIO_SUPPORTED) && !defined(_WIN32_WCE) | |
395 char umsg[50]; | |
396 | |
397 png_snprintf(umsg, sizeof umsg, "Unknown zTXt compression type %d", | |
398 comp_type); | |
399 png_warning(png_ptr, umsg); | |
400 #else | |
401 png_warning(png_ptr, "Unknown zTXt compression type"); | |
402 #endif | |
403 | |
404 /* The recovery is to simply drop the data. */ | |
405 } | |
406 | |
407 /* Generic error return - leave the prefix, delete the compressed | |
408 * data, reallocate the chunkdata to remove the potentially large | |
409 * amount of compressed data. | |
410 */ | |
411 { | |
412 png_charp text = png_malloc_warn(png_ptr, prefix_size + 1); | |
413 if (text != NULL) | |
414 { | |
415 if (prefix_size > 0) | |
416 png_memcpy(text, png_ptr->chunkdata, prefix_size); | |
417 png_free(png_ptr, png_ptr->chunkdata); | |
418 png_ptr->chunkdata = text; | |
419 | |
420 /* This is an extra zero in the 'uncompressed' part. */ | |
421 *(png_ptr->chunkdata + prefix_size) = 0x00; | |
422 } | |
423 /* Ignore a malloc error here - it is safe. */ | |
424 } | |
425 | |
426 *newlength = prefix_size; | |
427 } | |
428 #endif | |
429 | |
430 /* Read and check the IDHR chunk */ | |
431 void /* PRIVATE */ | |
432 png_handle_IHDR(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) | |
433 { | 830 { |
434 png_byte buf[13]; | 831 png_byte buf[13]; |
435 png_uint_32 width, height; | 832 png_uint_32 width, height; |
436 int bit_depth, color_type, compression_type, filter_type; | 833 int bit_depth, color_type, compression_type, filter_type; |
437 int interlace_type; | 834 int interlace_type; |
438 | 835 |
439 png_debug(1, "in png_handle_IHDR"); | 836 png_debug(1, "in png_handle_IHDR"); |
440 | 837 |
441 if (png_ptr->mode & PNG_HAVE_IHDR) | 838 if ((png_ptr->mode & PNG_HAVE_IHDR) != 0) |
442 png_error(png_ptr, "Out of place IHDR"); | 839 png_chunk_error(png_ptr, "out of place"); |
443 | 840 |
444 /* Check the length */ | 841 /* Check the length */ |
445 if (length != 13) | 842 if (length != 13) |
446 png_error(png_ptr, "Invalid IHDR chunk"); | 843 png_chunk_error(png_ptr, "invalid"); |
447 | 844 |
448 png_ptr->mode |= PNG_HAVE_IHDR; | 845 png_ptr->mode |= PNG_HAVE_IHDR; |
449 | 846 |
450 png_crc_read(png_ptr, buf, 13); | 847 png_crc_read(png_ptr, buf, 13); |
451 png_crc_finish(png_ptr, 0); | 848 png_crc_finish(png_ptr, 0); |
452 | 849 |
453 width = png_get_uint_31(png_ptr, buf); | 850 width = png_get_uint_31(png_ptr, buf); |
454 height = png_get_uint_31(png_ptr, buf + 4); | 851 height = png_get_uint_31(png_ptr, buf + 4); |
455 bit_depth = buf[8]; | 852 bit_depth = buf[8]; |
456 color_type = buf[9]; | 853 color_type = buf[9]; |
457 compression_type = buf[10]; | 854 compression_type = buf[10]; |
458 filter_type = buf[11]; | 855 filter_type = buf[11]; |
459 interlace_type = buf[12]; | 856 interlace_type = buf[12]; |
460 | 857 |
461 /* Set internal variables */ | 858 /* Set internal variables */ |
462 png_ptr->width = width; | 859 png_ptr->width = width; |
463 png_ptr->height = height; | 860 png_ptr->height = height; |
464 png_ptr->bit_depth = (png_byte)bit_depth; | 861 png_ptr->bit_depth = (png_byte)bit_depth; |
465 png_ptr->interlaced = (png_byte)interlace_type; | 862 png_ptr->interlaced = (png_byte)interlace_type; |
466 png_ptr->color_type = (png_byte)color_type; | 863 png_ptr->color_type = (png_byte)color_type; |
467 #ifdef PNG_MNG_FEATURES_SUPPORTED | 864 #ifdef PNG_MNG_FEATURES_SUPPORTED |
468 png_ptr->filter_type = (png_byte)filter_type; | 865 png_ptr->filter_type = (png_byte)filter_type; |
469 #endif | 866 #endif |
470 png_ptr->compression_type = (png_byte)compression_type; | 867 png_ptr->compression_type = (png_byte)compression_type; |
471 | 868 |
472 /* Find number of channels */ | 869 /* Find number of channels */ |
473 switch (png_ptr->color_type) | 870 switch (png_ptr->color_type) |
474 { | 871 { |
| 872 default: /* invalid, png_set_IHDR calls png_error */ |
475 case PNG_COLOR_TYPE_GRAY: | 873 case PNG_COLOR_TYPE_GRAY: |
476 case PNG_COLOR_TYPE_PALETTE: | 874 case PNG_COLOR_TYPE_PALETTE: |
477 png_ptr->channels = 1; | 875 png_ptr->channels = 1; |
478 break; | 876 break; |
479 | 877 |
480 case PNG_COLOR_TYPE_RGB: | 878 case PNG_COLOR_TYPE_RGB: |
481 png_ptr->channels = 3; | 879 png_ptr->channels = 3; |
482 break; | 880 break; |
483 | 881 |
484 case PNG_COLOR_TYPE_GRAY_ALPHA: | 882 case PNG_COLOR_TYPE_GRAY_ALPHA: |
485 png_ptr->channels = 2; | 883 png_ptr->channels = 2; |
486 break; | 884 break; |
487 | 885 |
488 case PNG_COLOR_TYPE_RGB_ALPHA: | 886 case PNG_COLOR_TYPE_RGB_ALPHA: |
489 png_ptr->channels = 4; | 887 png_ptr->channels = 4; |
490 break; | 888 break; |
491 } | 889 } |
492 | 890 |
493 /* Set up other useful info */ | 891 /* Set up other useful info */ |
494 png_ptr->pixel_depth = (png_byte)(png_ptr->bit_depth * | 892 png_ptr->pixel_depth = (png_byte)(png_ptr->bit_depth * png_ptr->channels); |
495 png_ptr->channels); | |
496 png_ptr->rowbytes = PNG_ROWBYTES(png_ptr->pixel_depth, png_ptr->width); | 893 png_ptr->rowbytes = PNG_ROWBYTES(png_ptr->pixel_depth, png_ptr->width); |
497 png_debug1(3, "bit_depth = %d", png_ptr->bit_depth); | 894 png_debug1(3, "bit_depth = %d", png_ptr->bit_depth); |
498 png_debug1(3, "channels = %d", png_ptr->channels); | 895 png_debug1(3, "channels = %d", png_ptr->channels); |
499 png_debug1(3, "rowbytes = %lu", png_ptr->rowbytes); | 896 png_debug1(3, "rowbytes = %lu", (unsigned long)png_ptr->rowbytes); |
500 png_set_IHDR(png_ptr, info_ptr, width, height, bit_depth, | 897 png_set_IHDR(png_ptr, info_ptr, width, height, bit_depth, |
501 color_type, interlace_type, compression_type, filter_type); | 898 color_type, interlace_type, compression_type, filter_type); |
502 } | 899 } |
503 | 900 |
504 /* Read and check the palette */ | 901 /* Read and check the palette */ |
505 void /* PRIVATE */ | 902 void /* PRIVATE */ |
506 png_handle_PLTE(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) | 903 png_handle_PLTE(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length) |
507 { | 904 { |
508 png_color palette[PNG_MAX_PALETTE_LENGTH]; | 905 png_color palette[PNG_MAX_PALETTE_LENGTH]; |
509 int max_palette_length, num, i; | 906 int max_palette_length, num, i; |
510 #ifdef PNG_POINTER_INDEXING_SUPPORTED | 907 #ifdef PNG_POINTER_INDEXING_SUPPORTED |
511 png_colorp pal_ptr; | 908 png_colorp pal_ptr; |
512 #endif | 909 #endif |
513 | 910 |
514 png_debug(1, "in png_handle_PLTE"); | 911 png_debug(1, "in png_handle_PLTE"); |
515 | 912 |
516 if (!(png_ptr->mode & PNG_HAVE_IHDR)) | 913 if ((png_ptr->mode & PNG_HAVE_IHDR) == 0) |
517 png_error(png_ptr, "Missing IHDR before PLTE"); | 914 png_chunk_error(png_ptr, "missing IHDR"); |
518 | 915 |
519 else if (png_ptr->mode & PNG_HAVE_IDAT) | 916 /* Moved to before the 'after IDAT' check below because otherwise duplicate |
| 917 * PLTE chunks are potentially ignored (the spec says there shall not be more |
| 918 * than one PLTE, the error is not treated as benign, so this check trumps |
| 919 * the requirement that PLTE appears before IDAT.) |
| 920 */ |
| 921 else if ((png_ptr->mode & PNG_HAVE_PLTE) != 0) |
| 922 png_chunk_error(png_ptr, "duplicate"); |
| 923 |
| 924 else if ((png_ptr->mode & PNG_HAVE_IDAT) != 0) |
520 { | 925 { |
521 png_warning(png_ptr, "Invalid PLTE after IDAT"); | 926 /* This is benign because the non-benign error happened before, when an |
| 927 * IDAT was encountered in a color-mapped image with no PLTE. |
| 928 */ |
522 png_crc_finish(png_ptr, length); | 929 png_crc_finish(png_ptr, length); |
| 930 png_chunk_benign_error(png_ptr, "out of place"); |
523 return; | 931 return; |
524 } | 932 } |
525 | 933 |
526 else if (png_ptr->mode & PNG_HAVE_PLTE) | |
527 png_error(png_ptr, "Duplicate PLTE chunk"); | |
528 | |
529 png_ptr->mode |= PNG_HAVE_PLTE; | 934 png_ptr->mode |= PNG_HAVE_PLTE; |
530 | 935 |
531 if (!(png_ptr->color_type&PNG_COLOR_MASK_COLOR)) | 936 if ((png_ptr->color_type & PNG_COLOR_MASK_COLOR) == 0) |
532 { | 937 { |
533 png_warning(png_ptr, | |
534 "Ignoring PLTE chunk in grayscale PNG"); | |
535 png_crc_finish(png_ptr, length); | 938 png_crc_finish(png_ptr, length); |
| 939 png_chunk_benign_error(png_ptr, "ignored in grayscale PNG"); |
536 return; | 940 return; |
537 } | 941 } |
| 942 |
538 #ifndef PNG_READ_OPT_PLTE_SUPPORTED | 943 #ifndef PNG_READ_OPT_PLTE_SUPPORTED |
539 if (png_ptr->color_type != PNG_COLOR_TYPE_PALETTE) | 944 if (png_ptr->color_type != PNG_COLOR_TYPE_PALETTE) |
540 { | 945 { |
541 png_crc_finish(png_ptr, length); | 946 png_crc_finish(png_ptr, length); |
542 return; | 947 return; |
543 } | 948 } |
544 #endif | 949 #endif |
545 | 950 |
546 if (length > 3*PNG_MAX_PALETTE_LENGTH || length % 3) | 951 if (length > 3*PNG_MAX_PALETTE_LENGTH || length % 3) |
547 { | 952 { |
| 953 png_crc_finish(png_ptr, length); |
| 954 |
548 if (png_ptr->color_type != PNG_COLOR_TYPE_PALETTE) | 955 if (png_ptr->color_type != PNG_COLOR_TYPE_PALETTE) |
549 { | 956 png_chunk_benign_error(png_ptr, "invalid"); |
550 png_warning(png_ptr, "Invalid palette chunk"); | |
551 png_crc_finish(png_ptr, length); | |
552 return; | |
553 } | |
554 | 957 |
555 else | 958 else |
556 { | 959 png_chunk_error(png_ptr, "invalid"); |
557 png_error(png_ptr, "Invalid palette chunk"); | 960 |
558 } | 961 return; |
559 } | 962 } |
560 | 963 |
561 /* The cast is safe because 'length' is less than 3*PNG_MAX_PALETTE_LENGTH */ | 964 /* The cast is safe because 'length' is less than 3*PNG_MAX_PALETTE_LENGTH */ |
562 num = (int)length / 3; | 965 num = (int)length / 3; |
563 | 966 |
564 /* If the palette has 256 or fewer entries but is too large for the bit | 967 /* If the palette has 256 or fewer entries but is too large for the bit |
565 * depth, we don't issue an error, to preserve the behavior of previous | 968 * depth, we don't issue an error, to preserve the behavior of previous |
566 * libpng versions. We silently truncate the unused extra palette entries | 969 * libpng versions. We silently truncate the unused extra palette entries |
567 * here. | 970 * here. |
568 */ | 971 */ |
(...skipping 21 matching lines...) Expand all Loading... |
590 png_byte buf[3]; | 993 png_byte buf[3]; |
591 | 994 |
592 png_crc_read(png_ptr, buf, 3); | 995 png_crc_read(png_ptr, buf, 3); |
593 /* Don't depend upon png_color being any order */ | 996 /* Don't depend upon png_color being any order */ |
594 palette[i].red = buf[0]; | 997 palette[i].red = buf[0]; |
595 palette[i].green = buf[1]; | 998 palette[i].green = buf[1]; |
596 palette[i].blue = buf[2]; | 999 palette[i].blue = buf[2]; |
597 } | 1000 } |
598 #endif | 1001 #endif |
599 | 1002 |
600 /* If we actually NEED the PLTE chunk (ie for a paletted image), we do | 1003 /* If we actually need the PLTE chunk (ie for a paletted image), we do |
601 * whatever the normal CRC configuration tells us. However, if we | 1004 * whatever the normal CRC configuration tells us. However, if we |
602 * have an RGB image, the PLTE can be considered ancillary, so | 1005 * have an RGB image, the PLTE can be considered ancillary, so |
603 * we will act as though it is. | 1006 * we will act as though it is. |
604 */ | 1007 */ |
605 #ifndef PNG_READ_OPT_PLTE_SUPPORTED | 1008 #ifndef PNG_READ_OPT_PLTE_SUPPORTED |
606 if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) | 1009 if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) |
607 #endif | 1010 #endif |
608 { | 1011 { |
609 png_crc_finish(png_ptr, (int) length - num * 3); | 1012 png_crc_finish(png_ptr, (int) length - num * 3); |
610 } | 1013 } |
| 1014 |
611 #ifndef PNG_READ_OPT_PLTE_SUPPORTED | 1015 #ifndef PNG_READ_OPT_PLTE_SUPPORTED |
612 else if (png_crc_error(png_ptr)) /* Only if we have a CRC error */ | 1016 else if (png_crc_error(png_ptr) != 0) /* Only if we have a CRC error */ |
613 { | 1017 { |
614 /* If we don't want to use the data from an ancillary chunk, | 1018 /* If we don't want to use the data from an ancillary chunk, |
615 we have two options: an error abort, or a warning and we | 1019 * we have two options: an error abort, or a warning and we |
616 ignore the data in this chunk (which should be OK, since | 1020 * ignore the data in this chunk (which should be OK, since |
617 it's considered ancillary for a RGB or RGBA image). */ | 1021 * it's considered ancillary for a RGB or RGBA image). |
618 if (!(png_ptr->flags & PNG_FLAG_CRC_ANCILLARY_USE)) | 1022 * |
| 1023 * IMPLEMENTATION NOTE: this is only here because png_crc_finish uses the |
| 1024 * chunk type to determine whether to check the ancillary or the critical |
| 1025 * flags. |
| 1026 */ |
| 1027 if ((png_ptr->flags & PNG_FLAG_CRC_ANCILLARY_USE) == 0) |
619 { | 1028 { |
620 if (png_ptr->flags & PNG_FLAG_CRC_ANCILLARY_NOWARN) | 1029 if ((png_ptr->flags & PNG_FLAG_CRC_ANCILLARY_NOWARN) != 0) |
621 { | 1030 return; |
| 1031 |
| 1032 else |
622 png_chunk_error(png_ptr, "CRC error"); | 1033 png_chunk_error(png_ptr, "CRC error"); |
623 } | |
624 else | |
625 { | |
626 png_chunk_warning(png_ptr, "CRC error"); | |
627 return; | |
628 } | |
629 } | 1034 } |
| 1035 |
630 /* Otherwise, we (optionally) emit a warning and use the chunk. */ | 1036 /* Otherwise, we (optionally) emit a warning and use the chunk. */ |
631 else if (!(png_ptr->flags & PNG_FLAG_CRC_ANCILLARY_NOWARN)) | 1037 else if ((png_ptr->flags & PNG_FLAG_CRC_ANCILLARY_NOWARN) == 0) |
632 { | |
633 png_chunk_warning(png_ptr, "CRC error"); | 1038 png_chunk_warning(png_ptr, "CRC error"); |
634 } | 1039 } |
635 } | 1040 #endif |
636 #endif | 1041 |
637 | 1042 /* TODO: png_set_PLTE has the side effect of setting png_ptr->palette to its |
| 1043 * own copy of the palette. This has the side effect that when png_start_row |
| 1044 * is called (this happens after any call to png_read_update_info) the |
| 1045 * info_ptr palette gets changed. This is extremely unexpected and |
| 1046 * confusing. |
| 1047 * |
| 1048 * Fix this by not sharing the palette in this way. |
| 1049 */ |
638 png_set_PLTE(png_ptr, info_ptr, palette, num); | 1050 png_set_PLTE(png_ptr, info_ptr, palette, num); |
639 | 1051 |
| 1052 /* The three chunks, bKGD, hIST and tRNS *must* appear after PLTE and before |
| 1053 * IDAT. Prior to 1.6.0 this was not checked; instead the code merely |
| 1054 * checked the apparent validity of a tRNS chunk inserted before PLTE on a |
| 1055 * palette PNG. 1.6.0 attempts to rigorously follow the standard and |
| 1056 * therefore does a benign error if the erroneous condition is detected *and* |
| 1057 * cancels the tRNS if the benign error returns. The alternative is to |
| 1058 * amend the standard since it would be rather hypocritical of the standards |
| 1059 * maintainers to ignore it. |
| 1060 */ |
640 #ifdef PNG_READ_tRNS_SUPPORTED | 1061 #ifdef PNG_READ_tRNS_SUPPORTED |
641 if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) | 1062 if (png_ptr->num_trans > 0 || |
642 { | 1063 (info_ptr != NULL && (info_ptr->valid & PNG_INFO_tRNS) != 0)) |
643 if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_tRNS)) | 1064 { |
644 { | 1065 /* Cancel this because otherwise it would be used if the transforms |
645 if (png_ptr->num_trans > (png_uint_16)num) | 1066 * require it. Don't cancel the 'valid' flag because this would prevent |
646 { | 1067 * detection of duplicate chunks. |
647 png_warning(png_ptr, "Truncating incorrect tRNS chunk length"); | 1068 */ |
648 png_ptr->num_trans = (png_uint_16)num; | 1069 png_ptr->num_trans = 0; |
649 } | 1070 |
650 if (info_ptr->num_trans > (png_uint_16)num) | 1071 if (info_ptr != NULL) |
651 { | 1072 info_ptr->num_trans = 0; |
652 png_warning(png_ptr, "Truncating incorrect info tRNS chunk length"); | 1073 |
653 info_ptr->num_trans = (png_uint_16)num; | 1074 png_chunk_benign_error(png_ptr, "tRNS must be after"); |
654 } | 1075 } |
655 } | 1076 #endif |
656 } | 1077 |
657 #endif | 1078 #ifdef PNG_READ_hIST_SUPPORTED |
658 | 1079 if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_hIST) != 0) |
| 1080 png_chunk_benign_error(png_ptr, "hIST must be after"); |
| 1081 #endif |
| 1082 |
| 1083 #ifdef PNG_READ_bKGD_SUPPORTED |
| 1084 if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_bKGD) != 0) |
| 1085 png_chunk_benign_error(png_ptr, "bKGD must be after"); |
| 1086 #endif |
659 } | 1087 } |
660 | 1088 |
661 void /* PRIVATE */ | 1089 void /* PRIVATE */ |
662 png_handle_IEND(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) | 1090 png_handle_IEND(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length) |
663 { | 1091 { |
664 png_debug(1, "in png_handle_IEND"); | 1092 png_debug(1, "in png_handle_IEND"); |
665 | 1093 |
666 if (!(png_ptr->mode & PNG_HAVE_IHDR) || !(png_ptr->mode & PNG_HAVE_IDAT)) | 1094 if ((png_ptr->mode & PNG_HAVE_IHDR) == 0 || |
667 { | 1095 (png_ptr->mode & PNG_HAVE_IDAT) == 0) |
668 png_error(png_ptr, "No image in file"); | 1096 png_chunk_error(png_ptr, "out of place"); |
669 } | |
670 | 1097 |
671 png_ptr->mode |= (PNG_AFTER_IDAT | PNG_HAVE_IEND); | 1098 png_ptr->mode |= (PNG_AFTER_IDAT | PNG_HAVE_IEND); |
672 | 1099 |
| 1100 png_crc_finish(png_ptr, length); |
| 1101 |
673 if (length != 0) | 1102 if (length != 0) |
674 { | 1103 png_chunk_benign_error(png_ptr, "invalid"); |
675 png_warning(png_ptr, "Incorrect IEND chunk length"); | 1104 |
676 } | 1105 PNG_UNUSED(info_ptr) |
677 png_crc_finish(png_ptr, length); | |
678 | |
679 PNG_UNUSED(info_ptr) /* Quiet compiler warnings about unused info_ptr */ | |
680 } | 1106 } |
681 | 1107 |
682 #ifdef PNG_READ_gAMA_SUPPORTED | 1108 #ifdef PNG_READ_gAMA_SUPPORTED |
683 void /* PRIVATE */ | 1109 void /* PRIVATE */ |
684 png_handle_gAMA(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) | 1110 png_handle_gAMA(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length) |
685 { | 1111 { |
686 png_fixed_point igamma; | 1112 png_fixed_point igamma; |
687 #ifdef PNG_FLOATING_POINT_SUPPORTED | |
688 float file_gamma; | |
689 #endif | |
690 png_byte buf[4]; | 1113 png_byte buf[4]; |
691 | 1114 |
692 png_debug(1, "in png_handle_gAMA"); | 1115 png_debug(1, "in png_handle_gAMA"); |
693 | 1116 |
694 if (!(png_ptr->mode & PNG_HAVE_IHDR)) | 1117 if ((png_ptr->mode & PNG_HAVE_IHDR) == 0) |
695 png_error(png_ptr, "Missing IHDR before gAMA"); | 1118 png_chunk_error(png_ptr, "missing IHDR"); |
696 else if (png_ptr->mode & PNG_HAVE_IDAT) | 1119 |
697 { | 1120 else if ((png_ptr->mode & (PNG_HAVE_IDAT|PNG_HAVE_PLTE)) != 0) |
698 png_warning(png_ptr, "Invalid gAMA after IDAT"); | 1121 { |
699 png_crc_finish(png_ptr, length); | 1122 png_crc_finish(png_ptr, length); |
700 return; | 1123 png_chunk_benign_error(png_ptr, "out of place"); |
701 } | |
702 else if (png_ptr->mode & PNG_HAVE_PLTE) | |
703 /* Should be an error, but we can cope with it */ | |
704 png_warning(png_ptr, "Out of place gAMA chunk"); | |
705 | |
706 if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_gAMA) | |
707 #ifdef PNG_READ_sRGB_SUPPORTED | |
708 && !(info_ptr->valid & PNG_INFO_sRGB) | |
709 #endif | |
710 ) | |
711 { | |
712 png_warning(png_ptr, "Duplicate gAMA chunk"); | |
713 png_crc_finish(png_ptr, length); | |
714 return; | 1124 return; |
715 } | 1125 } |
716 | 1126 |
717 if (length != 4) | 1127 if (length != 4) |
718 { | 1128 { |
719 png_warning(png_ptr, "Incorrect gAMA chunk length"); | 1129 png_crc_finish(png_ptr, length); |
720 png_crc_finish(png_ptr, length); | 1130 png_chunk_benign_error(png_ptr, "invalid"); |
721 return; | 1131 return; |
722 } | 1132 } |
723 | 1133 |
724 png_crc_read(png_ptr, buf, 4); | 1134 png_crc_read(png_ptr, buf, 4); |
725 if (png_crc_finish(png_ptr, 0)) | 1135 |
726 return; | 1136 if (png_crc_finish(png_ptr, 0) != 0) |
727 | 1137 return; |
728 igamma = (png_fixed_point)png_get_uint_32(buf); | 1138 |
729 /* Check for zero gamma */ | 1139 igamma = png_get_fixed_point(NULL, buf); |
730 if (igamma == 0) | 1140 |
| 1141 png_colorspace_set_gamma(png_ptr, &png_ptr->colorspace, igamma); |
| 1142 png_colorspace_sync(png_ptr, info_ptr); |
| 1143 } |
| 1144 #endif |
| 1145 |
| 1146 #ifdef PNG_READ_sBIT_SUPPORTED |
| 1147 void /* PRIVATE */ |
| 1148 png_handle_sBIT(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length) |
| 1149 { |
| 1150 unsigned int truelen, i; |
| 1151 png_byte sample_depth; |
| 1152 png_byte buf[4]; |
| 1153 |
| 1154 png_debug(1, "in png_handle_sBIT"); |
| 1155 |
| 1156 if ((png_ptr->mode & PNG_HAVE_IHDR) == 0) |
| 1157 png_chunk_error(png_ptr, "missing IHDR"); |
| 1158 |
| 1159 else if ((png_ptr->mode & (PNG_HAVE_IDAT|PNG_HAVE_PLTE)) != 0) |
| 1160 { |
| 1161 png_crc_finish(png_ptr, length); |
| 1162 png_chunk_benign_error(png_ptr, "out of place"); |
| 1163 return; |
| 1164 } |
| 1165 |
| 1166 if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_sBIT) != 0) |
| 1167 { |
| 1168 png_crc_finish(png_ptr, length); |
| 1169 png_chunk_benign_error(png_ptr, "duplicate"); |
| 1170 return; |
| 1171 } |
| 1172 |
| 1173 if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) |
| 1174 { |
| 1175 truelen = 3; |
| 1176 sample_depth = 8; |
| 1177 } |
| 1178 |
| 1179 else |
| 1180 { |
| 1181 truelen = png_ptr->channels; |
| 1182 sample_depth = png_ptr->bit_depth; |
| 1183 } |
| 1184 |
| 1185 if (length != truelen || length > 4) |
| 1186 { |
| 1187 png_chunk_benign_error(png_ptr, "invalid"); |
| 1188 png_crc_finish(png_ptr, length); |
| 1189 return; |
| 1190 } |
| 1191 |
| 1192 buf[0] = buf[1] = buf[2] = buf[3] = sample_depth; |
| 1193 png_crc_read(png_ptr, buf, truelen); |
| 1194 |
| 1195 if (png_crc_finish(png_ptr, 0) != 0) |
| 1196 return; |
| 1197 |
| 1198 for (i=0; i<truelen; ++i) |
| 1199 { |
| 1200 if (buf[i] == 0 || buf[i] > sample_depth) |
731 { | 1201 { |
732 png_warning(png_ptr, | 1202 png_chunk_benign_error(png_ptr, "invalid"); |
733 "Ignoring gAMA chunk with gamma=0"); | |
734 return; | 1203 return; |
735 } | 1204 } |
736 | 1205 } |
737 #ifdef PNG_READ_sRGB_SUPPORTED | 1206 |
738 if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_sRGB)) | 1207 if ((png_ptr->color_type & PNG_COLOR_MASK_COLOR) != 0) |
739 if (PNG_OUT_OF_RANGE(igamma, 45500L, 500)) | |
740 { | |
741 png_warning(png_ptr, | |
742 "Ignoring incorrect gAMA value when sRGB is also present"); | |
743 #ifdef PNG_CONSOLE_IO_SUPPORTED | |
744 fprintf(stderr, "gamma = (%d/100000)", (int)igamma); | |
745 #endif | |
746 return; | |
747 } | |
748 #endif /* PNG_READ_sRGB_SUPPORTED */ | |
749 | |
750 #ifdef PNG_FLOATING_POINT_SUPPORTED | |
751 file_gamma = (float)igamma / (float)100000.0; | |
752 # ifdef PNG_READ_GAMMA_SUPPORTED | |
753 png_ptr->gamma = file_gamma; | |
754 # endif | |
755 png_set_gAMA(png_ptr, info_ptr, file_gamma); | |
756 #endif | |
757 #ifdef PNG_FIXED_POINT_SUPPORTED | |
758 png_set_gAMA_fixed(png_ptr, info_ptr, igamma); | |
759 #endif | |
760 } | |
761 #endif | |
762 | |
763 #ifdef PNG_READ_sBIT_SUPPORTED | |
764 void /* PRIVATE */ | |
765 png_handle_sBIT(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) | |
766 { | |
767 png_size_t truelen; | |
768 png_byte buf[4]; | |
769 | |
770 png_debug(1, "in png_handle_sBIT"); | |
771 | |
772 buf[0] = buf[1] = buf[2] = buf[3] = 0; | |
773 | |
774 if (!(png_ptr->mode & PNG_HAVE_IHDR)) | |
775 png_error(png_ptr, "Missing IHDR before sBIT"); | |
776 else if (png_ptr->mode & PNG_HAVE_IDAT) | |
777 { | |
778 png_warning(png_ptr, "Invalid sBIT after IDAT"); | |
779 png_crc_finish(png_ptr, length); | |
780 return; | |
781 } | |
782 else if (png_ptr->mode & PNG_HAVE_PLTE) | |
783 { | |
784 /* Should be an error, but we can cope with it */ | |
785 png_warning(png_ptr, "Out of place sBIT chunk"); | |
786 } | |
787 if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_sBIT)) | |
788 { | |
789 png_warning(png_ptr, "Duplicate sBIT chunk"); | |
790 png_crc_finish(png_ptr, length); | |
791 return; | |
792 } | |
793 | |
794 if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) | |
795 truelen = 3; | |
796 else | |
797 truelen = (png_size_t)png_ptr->channels; | |
798 | |
799 if (length != truelen || length > 4) | |
800 { | |
801 png_warning(png_ptr, "Incorrect sBIT chunk length"); | |
802 png_crc_finish(png_ptr, length); | |
803 return; | |
804 } | |
805 | |
806 png_crc_read(png_ptr, buf, truelen); | |
807 if (png_crc_finish(png_ptr, 0)) | |
808 return; | |
809 | |
810 if (png_ptr->color_type & PNG_COLOR_MASK_COLOR) | |
811 { | 1208 { |
812 png_ptr->sig_bit.red = buf[0]; | 1209 png_ptr->sig_bit.red = buf[0]; |
813 png_ptr->sig_bit.green = buf[1]; | 1210 png_ptr->sig_bit.green = buf[1]; |
814 png_ptr->sig_bit.blue = buf[2]; | 1211 png_ptr->sig_bit.blue = buf[2]; |
815 png_ptr->sig_bit.alpha = buf[3]; | 1212 png_ptr->sig_bit.alpha = buf[3]; |
816 } | 1213 } |
| 1214 |
817 else | 1215 else |
818 { | 1216 { |
819 png_ptr->sig_bit.gray = buf[0]; | 1217 png_ptr->sig_bit.gray = buf[0]; |
820 png_ptr->sig_bit.red = buf[0]; | 1218 png_ptr->sig_bit.red = buf[0]; |
821 png_ptr->sig_bit.green = buf[0]; | 1219 png_ptr->sig_bit.green = buf[0]; |
822 png_ptr->sig_bit.blue = buf[0]; | 1220 png_ptr->sig_bit.blue = buf[0]; |
823 png_ptr->sig_bit.alpha = buf[1]; | 1221 png_ptr->sig_bit.alpha = buf[1]; |
824 } | 1222 } |
| 1223 |
825 png_set_sBIT(png_ptr, info_ptr, &(png_ptr->sig_bit)); | 1224 png_set_sBIT(png_ptr, info_ptr, &(png_ptr->sig_bit)); |
826 } | 1225 } |
827 #endif | 1226 #endif |
828 | 1227 |
829 #ifdef PNG_READ_cHRM_SUPPORTED | 1228 #ifdef PNG_READ_cHRM_SUPPORTED |
830 void /* PRIVATE */ | 1229 void /* PRIVATE */ |
831 png_handle_cHRM(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) | 1230 png_handle_cHRM(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length) |
832 { | 1231 { |
833 png_byte buf[32]; | 1232 png_byte buf[32]; |
834 #ifdef PNG_FLOATING_POINT_SUPPORTED | 1233 png_xy xy; |
835 float white_x, white_y, red_x, red_y, green_x, green_y, blue_x, blue_y; | |
836 #endif | |
837 png_fixed_point int_x_white, int_y_white, int_x_red, int_y_red, int_x_green, | |
838 int_y_green, int_x_blue, int_y_blue; | |
839 | |
840 png_uint_32 uint_x, uint_y; | |
841 | 1234 |
842 png_debug(1, "in png_handle_cHRM"); | 1235 png_debug(1, "in png_handle_cHRM"); |
843 | 1236 |
844 if (!(png_ptr->mode & PNG_HAVE_IHDR)) | 1237 if ((png_ptr->mode & PNG_HAVE_IHDR) == 0) |
845 png_error(png_ptr, "Missing IHDR before cHRM"); | 1238 png_chunk_error(png_ptr, "missing IHDR"); |
846 else if (png_ptr->mode & PNG_HAVE_IDAT) | 1239 |
847 { | 1240 else if ((png_ptr->mode & (PNG_HAVE_IDAT|PNG_HAVE_PLTE)) != 0) |
848 png_warning(png_ptr, "Invalid cHRM after IDAT"); | 1241 { |
849 png_crc_finish(png_ptr, length); | 1242 png_crc_finish(png_ptr, length); |
850 return; | 1243 png_chunk_benign_error(png_ptr, "out of place"); |
851 } | |
852 else if (png_ptr->mode & PNG_HAVE_PLTE) | |
853 /* Should be an error, but we can cope with it */ | |
854 png_warning(png_ptr, "Missing PLTE before cHRM"); | |
855 | |
856 if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_cHRM) | |
857 #ifdef PNG_READ_sRGB_SUPPORTED | |
858 && !(info_ptr->valid & PNG_INFO_sRGB) | |
859 #endif | |
860 ) | |
861 { | |
862 png_warning(png_ptr, "Duplicate cHRM chunk"); | |
863 png_crc_finish(png_ptr, length); | |
864 return; | 1244 return; |
865 } | 1245 } |
866 | 1246 |
867 if (length != 32) | 1247 if (length != 32) |
868 { | 1248 { |
869 png_warning(png_ptr, "Incorrect cHRM chunk length"); | 1249 png_crc_finish(png_ptr, length); |
870 png_crc_finish(png_ptr, length); | 1250 png_chunk_benign_error(png_ptr, "invalid"); |
871 return; | 1251 return; |
872 } | 1252 } |
873 | 1253 |
874 png_crc_read(png_ptr, buf, 32); | 1254 png_crc_read(png_ptr, buf, 32); |
875 if (png_crc_finish(png_ptr, 0)) | 1255 |
876 return; | 1256 if (png_crc_finish(png_ptr, 0) != 0) |
877 | 1257 return; |
878 uint_x = png_get_uint_32(buf); | 1258 |
879 uint_y = png_get_uint_32(buf + 4); | 1259 xy.whitex = png_get_fixed_point(NULL, buf); |
880 int_x_white = (png_fixed_point)uint_x; | 1260 xy.whitey = png_get_fixed_point(NULL, buf + 4); |
881 int_y_white = (png_fixed_point)uint_y; | 1261 xy.redx = png_get_fixed_point(NULL, buf + 8); |
882 | 1262 xy.redy = png_get_fixed_point(NULL, buf + 12); |
883 uint_x = png_get_uint_32(buf + 8); | 1263 xy.greenx = png_get_fixed_point(NULL, buf + 16); |
884 uint_y = png_get_uint_32(buf + 12); | 1264 xy.greeny = png_get_fixed_point(NULL, buf + 20); |
885 int_x_red = (png_fixed_point)uint_x; | 1265 xy.bluex = png_get_fixed_point(NULL, buf + 24); |
886 int_y_red = (png_fixed_point)uint_y; | 1266 xy.bluey = png_get_fixed_point(NULL, buf + 28); |
887 | 1267 |
888 uint_x = png_get_uint_32(buf + 16); | 1268 if (xy.whitex == PNG_FIXED_ERROR || |
889 uint_y = png_get_uint_32(buf + 20); | 1269 xy.whitey == PNG_FIXED_ERROR || |
890 int_x_green = (png_fixed_point)uint_x; | 1270 xy.redx == PNG_FIXED_ERROR || |
891 int_y_green = (png_fixed_point)uint_y; | 1271 xy.redy == PNG_FIXED_ERROR || |
892 | 1272 xy.greenx == PNG_FIXED_ERROR || |
893 uint_x = png_get_uint_32(buf + 24); | 1273 xy.greeny == PNG_FIXED_ERROR || |
894 uint_y = png_get_uint_32(buf + 28); | 1274 xy.bluex == PNG_FIXED_ERROR || |
895 int_x_blue = (png_fixed_point)uint_x; | 1275 xy.bluey == PNG_FIXED_ERROR) |
896 int_y_blue = (png_fixed_point)uint_y; | 1276 { |
897 | 1277 png_chunk_benign_error(png_ptr, "invalid values"); |
898 #ifdef PNG_FLOATING_POINT_SUPPORTED | 1278 return; |
899 white_x = (float)int_x_white / (float)100000.0; | 1279 } |
900 white_y = (float)int_y_white / (float)100000.0; | 1280 |
901 red_x = (float)int_x_red / (float)100000.0; | 1281 /* If a colorspace error has already been output skip this chunk */ |
902 red_y = (float)int_y_red / (float)100000.0; | 1282 if ((png_ptr->colorspace.flags & PNG_COLORSPACE_INVALID) != 0) |
903 green_x = (float)int_x_green / (float)100000.0; | 1283 return; |
904 green_y = (float)int_y_green / (float)100000.0; | 1284 |
905 blue_x = (float)int_x_blue / (float)100000.0; | 1285 if ((png_ptr->colorspace.flags & PNG_COLORSPACE_FROM_cHRM) != 0) |
906 blue_y = (float)int_y_blue / (float)100000.0; | 1286 { |
907 #endif | 1287 png_ptr->colorspace.flags |= PNG_COLORSPACE_INVALID; |
908 | 1288 png_colorspace_sync(png_ptr, info_ptr); |
909 #ifdef PNG_READ_sRGB_SUPPORTED | 1289 png_chunk_benign_error(png_ptr, "duplicate"); |
910 if ((info_ptr != NULL) && (info_ptr->valid & PNG_INFO_sRGB)) | 1290 return; |
911 { | 1291 } |
912 if (PNG_OUT_OF_RANGE(int_x_white, 31270, 1000) || | 1292 |
913 PNG_OUT_OF_RANGE(int_y_white, 32900, 1000) || | 1293 png_ptr->colorspace.flags |= PNG_COLORSPACE_FROM_cHRM; |
914 PNG_OUT_OF_RANGE(int_x_red, 64000L, 1000) || | 1294 (void)png_colorspace_set_chromaticities(png_ptr, &png_ptr->colorspace, &xy, |
915 PNG_OUT_OF_RANGE(int_y_red, 33000, 1000) || | 1295 1/*prefer cHRM values*/); |
916 PNG_OUT_OF_RANGE(int_x_green, 30000, 1000) || | 1296 png_colorspace_sync(png_ptr, info_ptr); |
917 PNG_OUT_OF_RANGE(int_y_green, 60000L, 1000) || | |
918 PNG_OUT_OF_RANGE(int_x_blue, 15000, 1000) || | |
919 PNG_OUT_OF_RANGE(int_y_blue, 6000, 1000)) | |
920 { | |
921 png_warning(png_ptr, | |
922 "Ignoring incorrect cHRM value when sRGB is also present"); | |
923 #ifdef PNG_CONSOLE_IO_SUPPORTED | |
924 #ifdef PNG_FLOATING_POINT_SUPPORTED | |
925 fprintf(stderr, "wx=%f, wy=%f, rx=%f, ry=%f\n", | |
926 white_x, white_y, red_x, red_y); | |
927 fprintf(stderr, "gx=%f, gy=%f, bx=%f, by=%f\n", | |
928 green_x, green_y, blue_x, blue_y); | |
929 #else | |
930 fprintf(stderr, "wx=%ld, wy=%ld, rx=%ld, ry=%ld\n", | |
931 (long)int_x_white, (long)int_y_white, | |
932 (long)int_x_red, (long)int_y_red); | |
933 fprintf(stderr, "gx=%ld, gy=%ld, bx=%ld, by=%ld\n", | |
934 (long)int_x_green, (long)int_y_green, | |
935 (long)int_x_blue, (long)int_y_blue); | |
936 #endif | |
937 #endif /* PNG_CONSOLE_IO_SUPPORTED */ | |
938 } | |
939 return; | |
940 } | |
941 #endif /* PNG_READ_sRGB_SUPPORTED */ | |
942 | |
943 #ifdef PNG_FLOATING_POINT_SUPPORTED | |
944 png_set_cHRM(png_ptr, info_ptr, | |
945 white_x, white_y, red_x, red_y, green_x, green_y, blue_x, blue_y); | |
946 #endif | |
947 #ifdef PNG_FIXED_POINT_SUPPORTED | |
948 png_set_cHRM_fixed(png_ptr, info_ptr, | |
949 int_x_white, int_y_white, int_x_red, int_y_red, int_x_green, | |
950 int_y_green, int_x_blue, int_y_blue); | |
951 #endif | |
952 } | 1297 } |
953 #endif | 1298 #endif |
954 | 1299 |
955 #ifdef PNG_READ_sRGB_SUPPORTED | 1300 #ifdef PNG_READ_sRGB_SUPPORTED |
956 void /* PRIVATE */ | 1301 void /* PRIVATE */ |
957 png_handle_sRGB(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) | 1302 png_handle_sRGB(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length) |
958 { | 1303 { |
959 int intent; | 1304 png_byte intent; |
960 png_byte buf[1]; | |
961 | 1305 |
962 png_debug(1, "in png_handle_sRGB"); | 1306 png_debug(1, "in png_handle_sRGB"); |
963 | 1307 |
964 if (!(png_ptr->mode & PNG_HAVE_IHDR)) | 1308 if ((png_ptr->mode & PNG_HAVE_IHDR) == 0) |
965 png_error(png_ptr, "Missing IHDR before sRGB"); | 1309 png_chunk_error(png_ptr, "missing IHDR"); |
966 else if (png_ptr->mode & PNG_HAVE_IDAT) | 1310 |
967 { | 1311 else if ((png_ptr->mode & (PNG_HAVE_IDAT|PNG_HAVE_PLTE)) != 0) |
968 png_warning(png_ptr, "Invalid sRGB after IDAT"); | 1312 { |
969 png_crc_finish(png_ptr, length); | 1313 png_crc_finish(png_ptr, length); |
970 return; | 1314 png_chunk_benign_error(png_ptr, "out of place"); |
971 } | |
972 else if (png_ptr->mode & PNG_HAVE_PLTE) | |
973 /* Should be an error, but we can cope with it */ | |
974 png_warning(png_ptr, "Out of place sRGB chunk"); | |
975 | |
976 if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_sRGB)) | |
977 { | |
978 png_warning(png_ptr, "Duplicate sRGB chunk"); | |
979 png_crc_finish(png_ptr, length); | |
980 return; | 1315 return; |
981 } | 1316 } |
982 | 1317 |
983 if (length != 1) | 1318 if (length != 1) |
984 { | 1319 { |
985 png_warning(png_ptr, "Incorrect sRGB chunk length"); | 1320 png_crc_finish(png_ptr, length); |
986 png_crc_finish(png_ptr, length); | 1321 png_chunk_benign_error(png_ptr, "invalid"); |
987 return; | 1322 return; |
988 } | 1323 } |
989 | 1324 |
990 png_crc_read(png_ptr, buf, 1); | 1325 png_crc_read(png_ptr, &intent, 1); |
991 if (png_crc_finish(png_ptr, 0)) | 1326 |
992 return; | 1327 if (png_crc_finish(png_ptr, 0) != 0) |
993 | 1328 return; |
994 intent = buf[0]; | 1329 |
995 /* Check for bad intent */ | 1330 /* If a colorspace error has already been output skip this chunk */ |
996 if (intent >= PNG_sRGB_INTENT_LAST) | 1331 if ((png_ptr->colorspace.flags & PNG_COLORSPACE_INVALID) != 0) |
997 { | 1332 return; |
998 png_warning(png_ptr, "Unknown sRGB intent"); | 1333 |
999 return; | 1334 /* Only one sRGB or iCCP chunk is allowed, use the HAVE_INTENT flag to detect |
1000 } | 1335 * this. |
1001 | 1336 */ |
1002 #if defined(PNG_READ_gAMA_SUPPORTED) && defined(PNG_READ_GAMMA_SUPPORTED) | 1337 if ((png_ptr->colorspace.flags & PNG_COLORSPACE_HAVE_INTENT) != 0) |
1003 if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_gAMA)) | 1338 { |
1004 { | 1339 png_ptr->colorspace.flags |= PNG_COLORSPACE_INVALID; |
1005 png_fixed_point igamma; | 1340 png_colorspace_sync(png_ptr, info_ptr); |
1006 #ifdef PNG_FIXED_POINT_SUPPORTED | 1341 png_chunk_benign_error(png_ptr, "too many profiles"); |
1007 igamma=info_ptr->int_gamma; | 1342 return; |
1008 #else | 1343 } |
1009 # ifdef PNG_FLOATING_POINT_SUPPORTED | 1344 |
1010 igamma=(png_fixed_point)(info_ptr->gamma * 100000.); | 1345 (void)png_colorspace_set_sRGB(png_ptr, &png_ptr->colorspace, intent); |
1011 # endif | 1346 png_colorspace_sync(png_ptr, info_ptr); |
1012 #endif | |
1013 if (PNG_OUT_OF_RANGE(igamma, 45500L, 500)) | |
1014 { | |
1015 png_warning(png_ptr, | |
1016 "Ignoring incorrect gAMA value when sRGB is also present"); | |
1017 #ifdef PNG_CONSOLE_IO_SUPPORTED | |
1018 # ifdef PNG_FIXED_POINT_SUPPORTED | |
1019 fprintf(stderr, "incorrect gamma=(%d/100000)\n", | |
1020 (int)png_ptr->int_gamma); | |
1021 # else | |
1022 # ifdef PNG_FLOATING_POINT_SUPPORTED | |
1023 fprintf(stderr, "incorrect gamma=%f\n", png_ptr->gamma); | |
1024 # endif | |
1025 # endif | |
1026 #endif | |
1027 } | |
1028 } | |
1029 #endif /* PNG_READ_gAMA_SUPPORTED */ | |
1030 | |
1031 #ifdef PNG_READ_cHRM_SUPPORTED | |
1032 #ifdef PNG_FIXED_POINT_SUPPORTED | |
1033 if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_cHRM)) | |
1034 if (PNG_OUT_OF_RANGE(info_ptr->int_x_white, 31270, 1000) || | |
1035 PNG_OUT_OF_RANGE(info_ptr->int_y_white, 32900, 1000) || | |
1036 PNG_OUT_OF_RANGE(info_ptr->int_x_red, 64000L, 1000) || | |
1037 PNG_OUT_OF_RANGE(info_ptr->int_y_red, 33000, 1000) || | |
1038 PNG_OUT_OF_RANGE(info_ptr->int_x_green, 30000, 1000) || | |
1039 PNG_OUT_OF_RANGE(info_ptr->int_y_green, 60000L, 1000) || | |
1040 PNG_OUT_OF_RANGE(info_ptr->int_x_blue, 15000, 1000) || | |
1041 PNG_OUT_OF_RANGE(info_ptr->int_y_blue, 6000, 1000)) | |
1042 { | |
1043 png_warning(png_ptr, | |
1044 "Ignoring incorrect cHRM value when sRGB is also present"); | |
1045 } | |
1046 #endif /* PNG_FIXED_POINT_SUPPORTED */ | |
1047 #endif /* PNG_READ_cHRM_SUPPORTED */ | |
1048 | |
1049 png_set_sRGB_gAMA_and_cHRM(png_ptr, info_ptr, intent); | |
1050 } | 1347 } |
1051 #endif /* PNG_READ_sRGB_SUPPORTED */ | 1348 #endif /* READ_sRGB */ |
1052 | 1349 |
1053 #ifdef PNG_READ_iCCP_SUPPORTED | 1350 #ifdef PNG_READ_iCCP_SUPPORTED |
1054 void /* PRIVATE */ | 1351 void /* PRIVATE */ |
1055 png_handle_iCCP(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) | 1352 png_handle_iCCP(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length) |
| 1353 /* Note: this does not properly handle profiles that are > 64K under DOS */ |
| 1354 { |
| 1355 png_const_charp errmsg = NULL; /* error message output, or no error */ |
| 1356 int finished = 0; /* crc checked */ |
| 1357 |
| 1358 png_debug(1, "in png_handle_iCCP"); |
| 1359 |
| 1360 if ((png_ptr->mode & PNG_HAVE_IHDR) == 0) |
| 1361 png_chunk_error(png_ptr, "missing IHDR"); |
| 1362 |
| 1363 else if ((png_ptr->mode & (PNG_HAVE_IDAT|PNG_HAVE_PLTE)) != 0) |
| 1364 { |
| 1365 png_crc_finish(png_ptr, length); |
| 1366 png_chunk_benign_error(png_ptr, "out of place"); |
| 1367 return; |
| 1368 } |
| 1369 |
| 1370 /* Consistent with all the above colorspace handling an obviously *invalid* |
| 1371 * chunk is just ignored, so does not invalidate the color space. An |
| 1372 * alternative is to set the 'invalid' flags at the start of this routine |
| 1373 * and only clear them in they were not set before and all the tests pass. |
| 1374 * The minimum 'deflate' stream is assumed to be just the 2 byte header and |
| 1375 * 4 byte checksum. The keyword must be at least one character and there is |
| 1376 * a terminator (0) byte and the compression method. |
| 1377 */ |
| 1378 if (length < 9) |
| 1379 { |
| 1380 png_crc_finish(png_ptr, length); |
| 1381 png_chunk_benign_error(png_ptr, "too short"); |
| 1382 return; |
| 1383 } |
| 1384 |
| 1385 /* If a colorspace error has already been output skip this chunk */ |
| 1386 if ((png_ptr->colorspace.flags & PNG_COLORSPACE_INVALID) != 0) |
| 1387 { |
| 1388 png_crc_finish(png_ptr, length); |
| 1389 return; |
| 1390 } |
| 1391 |
| 1392 /* Only one sRGB or iCCP chunk is allowed, use the HAVE_INTENT flag to detect |
| 1393 * this. |
| 1394 */ |
| 1395 if ((png_ptr->colorspace.flags & PNG_COLORSPACE_HAVE_INTENT) == 0) |
| 1396 { |
| 1397 uInt read_length, keyword_length; |
| 1398 char keyword[81]; |
| 1399 |
| 1400 /* Find the keyword; the keyword plus separator and compression method |
| 1401 * bytes can be at most 81 characters long. |
| 1402 */ |
| 1403 read_length = 81; /* maximum */ |
| 1404 if (read_length > length) |
| 1405 read_length = (uInt)length; |
| 1406 |
| 1407 png_crc_read(png_ptr, (png_bytep)keyword, read_length); |
| 1408 length -= read_length; |
| 1409 |
| 1410 keyword_length = 0; |
| 1411 while (keyword_length < 80 && keyword_length < read_length && |
| 1412 keyword[keyword_length] != 0) |
| 1413 ++keyword_length; |
| 1414 |
| 1415 /* TODO: make the keyword checking common */ |
| 1416 if (keyword_length >= 1 && keyword_length <= 79) |
| 1417 { |
| 1418 /* We only understand '0' compression - deflate - so if we get a |
| 1419 * different value we can't safely decode the chunk. |
| 1420 */ |
| 1421 if (keyword_length+1 < read_length && |
| 1422 keyword[keyword_length+1] == PNG_COMPRESSION_TYPE_BASE) |
| 1423 { |
| 1424 read_length -= keyword_length+2; |
| 1425 |
| 1426 if (png_inflate_claim(png_ptr, png_iCCP) == Z_OK) |
| 1427 { |
| 1428 Byte profile_header[132]; |
| 1429 Byte local_buffer[PNG_INFLATE_BUF_SIZE]; |
| 1430 png_alloc_size_t size = (sizeof profile_header); |
| 1431 |
| 1432 png_ptr->zstream.next_in = (Bytef*)keyword + (keyword_length+2); |
| 1433 png_ptr->zstream.avail_in = read_length; |
| 1434 (void)png_inflate_read(png_ptr, local_buffer, |
| 1435 (sizeof local_buffer), &length, profile_header, &size, |
| 1436 0/*finish: don't, because the output is too small*/); |
| 1437 |
| 1438 if (size == 0) |
| 1439 { |
| 1440 /* We have the ICC profile header; do the basic header checks. |
| 1441 */ |
| 1442 const png_uint_32 profile_length = |
| 1443 png_get_uint_32(profile_header); |
| 1444 |
| 1445 if (png_icc_check_length(png_ptr, &png_ptr->colorspace, |
| 1446 keyword, profile_length) != 0) |
| 1447 { |
| 1448 /* The length is apparently ok, so we can check the 132 |
| 1449 * byte header. |
| 1450 */ |
| 1451 if (png_icc_check_header(png_ptr, &png_ptr->colorspace, |
| 1452 keyword, profile_length, profile_header, |
| 1453 png_ptr->color_type) != 0) |
| 1454 { |
| 1455 /* Now read the tag table; a variable size buffer is |
| 1456 * needed at this point, allocate one for the whole |
| 1457 * profile. The header check has already validated |
| 1458 * that none of these stuff will overflow. |
| 1459 */ |
| 1460 const png_uint_32 tag_count = png_get_uint_32( |
| 1461 profile_header+128); |
| 1462 png_bytep profile = png_read_buffer(png_ptr, |
| 1463 profile_length, 2/*silent*/); |
| 1464 |
| 1465 if (profile != NULL) |
| 1466 { |
| 1467 memcpy(profile, profile_header, |
| 1468 (sizeof profile_header)); |
| 1469 |
| 1470 size = 12 * tag_count; |
| 1471 |
| 1472 (void)png_inflate_read(png_ptr, local_buffer, |
| 1473 (sizeof local_buffer), &length, |
| 1474 profile + (sizeof profile_header), &size, 0); |
| 1475 |
| 1476 /* Still expect a buffer error because we expect |
| 1477 * there to be some tag data! |
| 1478 */ |
| 1479 if (size == 0) |
| 1480 { |
| 1481 if (png_icc_check_tag_table(png_ptr, |
| 1482 &png_ptr->colorspace, keyword, profile_length, |
| 1483 profile) != 0) |
| 1484 { |
| 1485 /* The profile has been validated for basic |
| 1486 * security issues, so read the whole thing in. |
| 1487 */ |
| 1488 size = profile_length - (sizeof profile_header) |
| 1489 - 12 * tag_count; |
| 1490 |
| 1491 (void)png_inflate_read(png_ptr, local_buffer, |
| 1492 (sizeof local_buffer), &length, |
| 1493 profile + (sizeof profile_header) + |
| 1494 12 * tag_count, &size, 1/*finish*/); |
| 1495 |
| 1496 if (length > 0 && !(png_ptr->flags & |
| 1497 PNG_FLAG_BENIGN_ERRORS_WARN)) |
| 1498 errmsg = "extra compressed data"; |
| 1499 |
| 1500 /* But otherwise allow extra data: */ |
| 1501 else if (size == 0) |
| 1502 { |
| 1503 if (length > 0) |
| 1504 { |
| 1505 /* This can be handled completely, so |
| 1506 * keep going. |
| 1507 */ |
| 1508 png_chunk_warning(png_ptr, |
| 1509 "extra compressed data"); |
| 1510 } |
| 1511 |
| 1512 png_crc_finish(png_ptr, length); |
| 1513 finished = 1; |
| 1514 |
| 1515 # ifdef PNG_sRGB_SUPPORTED |
| 1516 /* Check for a match against sRGB */ |
| 1517 png_icc_set_sRGB(png_ptr, |
| 1518 &png_ptr->colorspace, profile, |
| 1519 png_ptr->zstream.adler); |
| 1520 # endif |
| 1521 |
| 1522 /* Steal the profile for info_ptr. */ |
| 1523 if (info_ptr != NULL) |
| 1524 { |
| 1525 png_free_data(png_ptr, info_ptr, |
| 1526 PNG_FREE_ICCP, 0); |
| 1527 |
| 1528 info_ptr->iccp_name = png_voidcast(char*, |
| 1529 png_malloc_base(png_ptr, |
| 1530 keyword_length+1)); |
| 1531 if (info_ptr->iccp_name != NULL) |
| 1532 { |
| 1533 memcpy(info_ptr->iccp_name, keyword, |
| 1534 keyword_length+1); |
| 1535 info_ptr->iccp_proflen = |
| 1536 profile_length; |
| 1537 info_ptr->iccp_profile = profile; |
| 1538 png_ptr->read_buffer = NULL; /*steal*/ |
| 1539 info_ptr->free_me |= PNG_FREE_ICCP; |
| 1540 info_ptr->valid |= PNG_INFO_iCCP; |
| 1541 } |
| 1542 |
| 1543 else |
| 1544 { |
| 1545 png_ptr->colorspace.flags |= |
| 1546 PNG_COLORSPACE_INVALID; |
| 1547 errmsg = "out of memory"; |
| 1548 } |
| 1549 } |
| 1550 |
| 1551 /* else the profile remains in the read |
| 1552 * buffer which gets reused for subsequent |
| 1553 * chunks. |
| 1554 */ |
| 1555 |
| 1556 if (info_ptr != NULL) |
| 1557 png_colorspace_sync(png_ptr, info_ptr); |
| 1558 |
| 1559 if (errmsg == NULL) |
| 1560 { |
| 1561 png_ptr->zowner = 0; |
| 1562 return; |
| 1563 } |
| 1564 } |
| 1565 |
| 1566 else if (size > 0) |
| 1567 errmsg = "truncated"; |
| 1568 |
| 1569 #ifndef __COVERITY__ |
| 1570 else |
| 1571 errmsg = png_ptr->zstream.msg; |
| 1572 #endif |
| 1573 } |
| 1574 |
| 1575 /* else png_icc_check_tag_table output an error */ |
| 1576 } |
| 1577 |
| 1578 else /* profile truncated */ |
| 1579 errmsg = png_ptr->zstream.msg; |
| 1580 } |
| 1581 |
| 1582 else |
| 1583 errmsg = "out of memory"; |
| 1584 } |
| 1585 |
| 1586 /* else png_icc_check_header output an error */ |
| 1587 } |
| 1588 |
| 1589 /* else png_icc_check_length output an error */ |
| 1590 } |
| 1591 |
| 1592 else /* profile truncated */ |
| 1593 errmsg = png_ptr->zstream.msg; |
| 1594 |
| 1595 /* Release the stream */ |
| 1596 png_ptr->zowner = 0; |
| 1597 } |
| 1598 |
| 1599 else /* png_inflate_claim failed */ |
| 1600 errmsg = png_ptr->zstream.msg; |
| 1601 } |
| 1602 |
| 1603 else |
| 1604 errmsg = "bad compression method"; /* or missing */ |
| 1605 } |
| 1606 |
| 1607 else |
| 1608 errmsg = "bad keyword"; |
| 1609 } |
| 1610 |
| 1611 else |
| 1612 errmsg = "too many profiles"; |
| 1613 |
| 1614 /* Failure: the reason is in 'errmsg' */ |
| 1615 if (finished == 0) |
| 1616 png_crc_finish(png_ptr, length); |
| 1617 |
| 1618 png_ptr->colorspace.flags |= PNG_COLORSPACE_INVALID; |
| 1619 png_colorspace_sync(png_ptr, info_ptr); |
| 1620 if (errmsg != NULL) /* else already output */ |
| 1621 png_chunk_benign_error(png_ptr, errmsg); |
| 1622 } |
| 1623 #endif /* READ_iCCP */ |
| 1624 |
| 1625 #ifdef PNG_READ_sPLT_SUPPORTED |
| 1626 void /* PRIVATE */ |
| 1627 png_handle_sPLT(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length) |
1056 /* Note: this does not properly handle chunks that are > 64K under DOS */ | 1628 /* Note: this does not properly handle chunks that are > 64K under DOS */ |
1057 { | 1629 { |
1058 png_byte compression_type; | 1630 png_bytep entry_start, buffer; |
1059 png_bytep pC; | 1631 png_sPLT_t new_palette; |
1060 png_charp profile; | 1632 png_sPLT_entryp pp; |
| 1633 png_uint_32 data_length; |
| 1634 int entry_size, i; |
1061 png_uint_32 skip = 0; | 1635 png_uint_32 skip = 0; |
1062 png_uint_32 profile_size, profile_length; | 1636 png_uint_32 dl; |
1063 png_size_t slength, prefix_length, data_length; | 1637 png_size_t max_dl; |
1064 | |
1065 png_debug(1, "in png_handle_iCCP"); | |
1066 | |
1067 if (!(png_ptr->mode & PNG_HAVE_IHDR)) | |
1068 png_error(png_ptr, "Missing IHDR before iCCP"); | |
1069 else if (png_ptr->mode & PNG_HAVE_IDAT) | |
1070 { | |
1071 png_warning(png_ptr, "Invalid iCCP after IDAT"); | |
1072 png_crc_finish(png_ptr, length); | |
1073 return; | |
1074 } | |
1075 else if (png_ptr->mode & PNG_HAVE_PLTE) | |
1076 /* Should be an error, but we can cope with it */ | |
1077 png_warning(png_ptr, "Out of place iCCP chunk"); | |
1078 | |
1079 if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_iCCP)) | |
1080 { | |
1081 png_warning(png_ptr, "Duplicate iCCP chunk"); | |
1082 png_crc_finish(png_ptr, length); | |
1083 return; | |
1084 } | |
1085 | |
1086 #ifdef PNG_MAX_MALLOC_64K | |
1087 if (length > (png_uint_32)65535L) | |
1088 { | |
1089 png_warning(png_ptr, "iCCP chunk too large to fit in memory"); | |
1090 skip = length - (png_uint_32)65535L; | |
1091 length = (png_uint_32)65535L; | |
1092 } | |
1093 #endif | |
1094 | |
1095 png_free(png_ptr, png_ptr->chunkdata); | |
1096 png_ptr->chunkdata = (png_charp)png_malloc(png_ptr, length + 1); | |
1097 slength = (png_size_t)length; | |
1098 png_crc_read(png_ptr, (png_bytep)png_ptr->chunkdata, slength); | |
1099 | |
1100 if (png_crc_finish(png_ptr, skip)) | |
1101 { | |
1102 png_free(png_ptr, png_ptr->chunkdata); | |
1103 png_ptr->chunkdata = NULL; | |
1104 return; | |
1105 } | |
1106 | |
1107 png_ptr->chunkdata[slength] = 0x00; | |
1108 | |
1109 for (profile = png_ptr->chunkdata; *profile; profile++) | |
1110 /* Empty loop to find end of name */ ; | |
1111 | |
1112 ++profile; | |
1113 | |
1114 /* There should be at least one zero (the compression type byte) | |
1115 * following the separator, and we should be on it | |
1116 */ | |
1117 if (slength < 1U || profile >= png_ptr->chunkdata + slength - 1U) | |
1118 { | |
1119 png_free(png_ptr, png_ptr->chunkdata); | |
1120 png_ptr->chunkdata = NULL; | |
1121 png_warning(png_ptr, "Malformed iCCP chunk"); | |
1122 return; | |
1123 } | |
1124 | |
1125 /* Compression_type should always be zero */ | |
1126 compression_type = *profile++; | |
1127 if (compression_type) | |
1128 { | |
1129 png_warning(png_ptr, "Ignoring nonzero compression type in iCCP chunk"); | |
1130 compression_type = 0x00; /* Reset it to zero (libpng-1.0.6 through 1.0.8 | |
1131 wrote nonzero) */ | |
1132 } | |
1133 | |
1134 prefix_length = profile - png_ptr->chunkdata; | |
1135 png_decompress_chunk(png_ptr, compression_type, | |
1136 slength, prefix_length, &data_length); | |
1137 | |
1138 profile_length = data_length - prefix_length; | |
1139 | |
1140 if ( prefix_length > data_length || profile_length < 4) | |
1141 { | |
1142 png_free(png_ptr, png_ptr->chunkdata); | |
1143 png_ptr->chunkdata = NULL; | |
1144 png_warning(png_ptr, "Profile size field missing from iCCP chunk"); | |
1145 return; | |
1146 } | |
1147 | |
1148 /* Check the profile_size recorded in the first 32 bits of the ICC profile */ | |
1149 pC = (png_bytep)(png_ptr->chunkdata + prefix_length); | |
1150 profile_size = ((png_uint_32) (*(pC )<<24)) | | |
1151 ((png_uint_32) (*(pC + 1)<<16)) | | |
1152 ((png_uint_32) (*(pC + 2)<< 8)) | | |
1153 ((png_uint_32) (*(pC + 3) )); | |
1154 | |
1155 if (profile_size < profile_length) | |
1156 profile_length = profile_size; | |
1157 | |
1158 if (profile_size > profile_length) | |
1159 { | |
1160 png_free(png_ptr, png_ptr->chunkdata); | |
1161 png_ptr->chunkdata = NULL; | |
1162 png_warning(png_ptr, "Ignoring truncated iCCP profile."); | |
1163 return; | |
1164 } | |
1165 | |
1166 png_set_iCCP(png_ptr, info_ptr, png_ptr->chunkdata, | |
1167 compression_type, png_ptr->chunkdata + prefix_length, profile_length); | |
1168 png_free(png_ptr, png_ptr->chunkdata); | |
1169 png_ptr->chunkdata = NULL; | |
1170 } | |
1171 #endif /* PNG_READ_iCCP_SUPPORTED */ | |
1172 | |
1173 #ifdef PNG_READ_sPLT_SUPPORTED | |
1174 void /* PRIVATE */ | |
1175 png_handle_sPLT(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) | |
1176 /* Note: this does not properly handle chunks that are > 64K under DOS */ | |
1177 { | |
1178 png_bytep entry_start; | |
1179 png_sPLT_t new_palette; | |
1180 #ifdef PNG_POINTER_INDEXING_SUPPORTED | |
1181 png_sPLT_entryp pp; | |
1182 #endif | |
1183 int data_length, entry_size, i; | |
1184 png_uint_32 skip = 0; | |
1185 png_size_t slength; | |
1186 | 1638 |
1187 png_debug(1, "in png_handle_sPLT"); | 1639 png_debug(1, "in png_handle_sPLT"); |
1188 | 1640 |
1189 #ifdef PNG_USER_LIMITS_SUPPORTED | 1641 #ifdef PNG_USER_LIMITS_SUPPORTED |
1190 | |
1191 if (png_ptr->user_chunk_cache_max != 0) | 1642 if (png_ptr->user_chunk_cache_max != 0) |
1192 { | 1643 { |
1193 if (png_ptr->user_chunk_cache_max == 1) | 1644 if (png_ptr->user_chunk_cache_max == 1) |
1194 { | 1645 { |
1195 png_crc_finish(png_ptr, length); | 1646 png_crc_finish(png_ptr, length); |
1196 return; | 1647 return; |
1197 } | 1648 } |
| 1649 |
1198 if (--png_ptr->user_chunk_cache_max == 1) | 1650 if (--png_ptr->user_chunk_cache_max == 1) |
1199 { | 1651 { |
1200 png_warning(png_ptr, "No space in chunk cache for sPLT"); | 1652 png_warning(png_ptr, "No space in chunk cache for sPLT"); |
1201 png_crc_finish(png_ptr, length); | 1653 png_crc_finish(png_ptr, length); |
1202 return; | 1654 return; |
1203 } | 1655 } |
1204 } | 1656 } |
1205 #endif | 1657 #endif |
1206 | 1658 |
1207 if (!(png_ptr->mode & PNG_HAVE_IHDR)) | 1659 if ((png_ptr->mode & PNG_HAVE_IHDR) == 0) |
1208 png_error(png_ptr, "Missing IHDR before sPLT"); | 1660 png_chunk_error(png_ptr, "missing IHDR"); |
1209 else if (png_ptr->mode & PNG_HAVE_IDAT) | 1661 |
| 1662 else if ((png_ptr->mode & PNG_HAVE_IDAT) != 0) |
1210 { | 1663 { |
1211 png_warning(png_ptr, "Invalid sPLT after IDAT"); | |
1212 png_crc_finish(png_ptr, length); | 1664 png_crc_finish(png_ptr, length); |
| 1665 png_chunk_benign_error(png_ptr, "out of place"); |
1213 return; | 1666 return; |
1214 } | 1667 } |
1215 | 1668 |
1216 #ifdef PNG_MAX_MALLOC_64K | 1669 #ifdef PNG_MAX_MALLOC_64K |
1217 if (length > (png_uint_32)65535L) | 1670 if (length > 65535U) |
1218 { | 1671 { |
1219 png_warning(png_ptr, "sPLT chunk too large to fit in memory"); | 1672 png_crc_finish(png_ptr, length); |
1220 skip = length - (png_uint_32)65535L; | 1673 png_chunk_benign_error(png_ptr, "too large to fit in memory"); |
1221 length = (png_uint_32)65535L; | 1674 return; |
1222 } | 1675 } |
1223 #endif | 1676 #endif |
1224 | 1677 |
1225 png_free(png_ptr, png_ptr->chunkdata); | 1678 buffer = png_read_buffer(png_ptr, length+1, 2/*silent*/); |
1226 png_ptr->chunkdata = (png_charp)png_malloc(png_ptr, length + 1); | 1679 if (buffer == NULL) |
1227 slength = (png_size_t)length; | |
1228 png_crc_read(png_ptr, (png_bytep)png_ptr->chunkdata, slength); | |
1229 | |
1230 if (png_crc_finish(png_ptr, skip)) | |
1231 { | 1680 { |
1232 png_free(png_ptr, png_ptr->chunkdata); | 1681 png_crc_finish(png_ptr, length); |
1233 png_ptr->chunkdata = NULL; | 1682 png_chunk_benign_error(png_ptr, "out of memory"); |
1234 return; | 1683 return; |
1235 } | 1684 } |
1236 | 1685 |
1237 png_ptr->chunkdata[slength] = 0x00; | |
1238 | 1686 |
1239 for (entry_start = (png_bytep)png_ptr->chunkdata; *entry_start; | 1687 /* WARNING: this may break if size_t is less than 32 bits; it is assumed |
1240 entry_start++) | 1688 * that the PNG_MAX_MALLOC_64K test is enabled in this case, but this is a |
| 1689 * potential breakage point if the types in pngconf.h aren't exactly right. |
| 1690 */ |
| 1691 png_crc_read(png_ptr, buffer, length); |
| 1692 |
| 1693 if (png_crc_finish(png_ptr, skip) != 0) |
| 1694 return; |
| 1695 |
| 1696 buffer[length] = 0; |
| 1697 |
| 1698 for (entry_start = buffer; *entry_start; entry_start++) |
1241 /* Empty loop to find end of name */ ; | 1699 /* Empty loop to find end of name */ ; |
| 1700 |
1242 ++entry_start; | 1701 ++entry_start; |
1243 | 1702 |
1244 /* A sample depth should follow the separator, and we should be on it */ | 1703 /* A sample depth should follow the separator, and we should be on it */ |
1245 if (slength < 2U || | 1704 if (length < 2U || entry_start > buffer + (length - 2U)) |
1246 entry_start > (png_bytep)png_ptr->chunkdata + slength - 2U) | |
1247 { | 1705 { |
1248 png_free(png_ptr, png_ptr->chunkdata); | |
1249 png_ptr->chunkdata = NULL; | |
1250 png_warning(png_ptr, "malformed sPLT chunk"); | 1706 png_warning(png_ptr, "malformed sPLT chunk"); |
1251 return; | 1707 return; |
1252 } | 1708 } |
1253 | 1709 |
1254 new_palette.depth = *entry_start++; | 1710 new_palette.depth = *entry_start++; |
1255 entry_size = (new_palette.depth == 8 ? 6 : 10); | 1711 entry_size = (new_palette.depth == 8 ? 6 : 10); |
1256 data_length = (slength - (entry_start - (png_bytep)png_ptr->chunkdata)); | 1712 /* This must fit in a png_uint_32 because it is derived from the original |
| 1713 * chunk data length. |
| 1714 */ |
| 1715 data_length = length - (png_uint_32)(entry_start - buffer); |
1257 | 1716 |
1258 /* Integrity-check the data length */ | 1717 /* Integrity-check the data length */ |
1259 if (data_length % entry_size) | 1718 if ((data_length % entry_size) != 0) |
1260 { | 1719 { |
1261 png_free(png_ptr, png_ptr->chunkdata); | |
1262 png_ptr->chunkdata = NULL; | |
1263 png_warning(png_ptr, "sPLT chunk has bad length"); | 1720 png_warning(png_ptr, "sPLT chunk has bad length"); |
1264 return; | 1721 return; |
1265 } | 1722 } |
1266 | 1723 |
1267 new_palette.nentries = (png_int_32) ( data_length / entry_size); | 1724 dl = (png_int_32)(data_length / entry_size); |
1268 if ((png_uint_32) new_palette.nentries > | 1725 max_dl = PNG_SIZE_MAX / (sizeof (png_sPLT_entry)); |
1269 (png_uint_32) (PNG_SIZE_MAX / png_sizeof(png_sPLT_entry))) | 1726 |
| 1727 if (dl > max_dl) |
1270 { | 1728 { |
1271 png_warning(png_ptr, "sPLT chunk too long"); | 1729 png_warning(png_ptr, "sPLT chunk too long"); |
1272 return; | 1730 return; |
1273 } | 1731 } |
| 1732 |
| 1733 new_palette.nentries = (png_int_32)(data_length / entry_size); |
| 1734 |
1274 new_palette.entries = (png_sPLT_entryp)png_malloc_warn( | 1735 new_palette.entries = (png_sPLT_entryp)png_malloc_warn( |
1275 png_ptr, new_palette.nentries * png_sizeof(png_sPLT_entry)); | 1736 png_ptr, new_palette.nentries * (sizeof (png_sPLT_entry))); |
| 1737 |
1276 if (new_palette.entries == NULL) | 1738 if (new_palette.entries == NULL) |
1277 { | 1739 { |
1278 png_warning(png_ptr, "sPLT chunk requires too much memory"); | 1740 png_warning(png_ptr, "sPLT chunk requires too much memory"); |
1279 return; | 1741 return; |
1280 } | 1742 } |
1281 | 1743 |
1282 #ifdef PNG_POINTER_INDEXING_SUPPORTED | 1744 #ifdef PNG_POINTER_INDEXING_SUPPORTED |
1283 for (i = 0; i < new_palette.nentries; i++) | 1745 for (i = 0; i < new_palette.nentries; i++) |
1284 { | 1746 { |
1285 pp = new_palette.entries + i; | 1747 pp = new_palette.entries + i; |
1286 | 1748 |
1287 if (new_palette.depth == 8) | 1749 if (new_palette.depth == 8) |
1288 { | 1750 { |
1289 pp->red = *entry_start++; | 1751 pp->red = *entry_start++; |
1290 pp->green = *entry_start++; | 1752 pp->green = *entry_start++; |
1291 pp->blue = *entry_start++; | 1753 pp->blue = *entry_start++; |
1292 pp->alpha = *entry_start++; | 1754 pp->alpha = *entry_start++; |
1293 } | 1755 } |
| 1756 |
1294 else | 1757 else |
1295 { | 1758 { |
1296 pp->red = png_get_uint_16(entry_start); entry_start += 2; | 1759 pp->red = png_get_uint_16(entry_start); entry_start += 2; |
1297 pp->green = png_get_uint_16(entry_start); entry_start += 2; | 1760 pp->green = png_get_uint_16(entry_start); entry_start += 2; |
1298 pp->blue = png_get_uint_16(entry_start); entry_start += 2; | 1761 pp->blue = png_get_uint_16(entry_start); entry_start += 2; |
1299 pp->alpha = png_get_uint_16(entry_start); entry_start += 2; | 1762 pp->alpha = png_get_uint_16(entry_start); entry_start += 2; |
1300 } | 1763 } |
| 1764 |
1301 pp->frequency = png_get_uint_16(entry_start); entry_start += 2; | 1765 pp->frequency = png_get_uint_16(entry_start); entry_start += 2; |
1302 } | 1766 } |
1303 #else | 1767 #else |
1304 pp = new_palette.entries; | 1768 pp = new_palette.entries; |
| 1769 |
1305 for (i = 0; i < new_palette.nentries; i++) | 1770 for (i = 0; i < new_palette.nentries; i++) |
1306 { | 1771 { |
1307 | 1772 |
1308 if (new_palette.depth == 8) | 1773 if (new_palette.depth == 8) |
1309 { | 1774 { |
1310 pp[i].red = *entry_start++; | 1775 pp[i].red = *entry_start++; |
1311 pp[i].green = *entry_start++; | 1776 pp[i].green = *entry_start++; |
1312 pp[i].blue = *entry_start++; | 1777 pp[i].blue = *entry_start++; |
1313 pp[i].alpha = *entry_start++; | 1778 pp[i].alpha = *entry_start++; |
1314 } | 1779 } |
| 1780 |
1315 else | 1781 else |
1316 { | 1782 { |
1317 pp[i].red = png_get_uint_16(entry_start); entry_start += 2; | 1783 pp[i].red = png_get_uint_16(entry_start); entry_start += 2; |
1318 pp[i].green = png_get_uint_16(entry_start); entry_start += 2; | 1784 pp[i].green = png_get_uint_16(entry_start); entry_start += 2; |
1319 pp[i].blue = png_get_uint_16(entry_start); entry_start += 2; | 1785 pp[i].blue = png_get_uint_16(entry_start); entry_start += 2; |
1320 pp[i].alpha = png_get_uint_16(entry_start); entry_start += 2; | 1786 pp[i].alpha = png_get_uint_16(entry_start); entry_start += 2; |
1321 } | 1787 } |
1322 pp->frequency = png_get_uint_16(entry_start); entry_start += 2; | 1788 |
| 1789 pp[i].frequency = png_get_uint_16(entry_start); entry_start += 2; |
1323 } | 1790 } |
1324 #endif | 1791 #endif |
1325 | 1792 |
1326 /* Discard all chunk data except the name and stash that */ | 1793 /* Discard all chunk data except the name and stash that */ |
1327 new_palette.name = png_ptr->chunkdata; | 1794 new_palette.name = (png_charp)buffer; |
1328 | 1795 |
1329 png_set_sPLT(png_ptr, info_ptr, &new_palette, 1); | 1796 png_set_sPLT(png_ptr, info_ptr, &new_palette, 1); |
1330 | 1797 |
1331 png_free(png_ptr, png_ptr->chunkdata); | |
1332 png_ptr->chunkdata = NULL; | |
1333 png_free(png_ptr, new_palette.entries); | 1798 png_free(png_ptr, new_palette.entries); |
1334 } | 1799 } |
1335 #endif /* PNG_READ_sPLT_SUPPORTED */ | 1800 #endif /* READ_sPLT */ |
1336 | 1801 |
1337 #ifdef PNG_READ_tRNS_SUPPORTED | 1802 #ifdef PNG_READ_tRNS_SUPPORTED |
1338 void /* PRIVATE */ | 1803 void /* PRIVATE */ |
1339 png_handle_tRNS(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) | 1804 png_handle_tRNS(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length) |
1340 { | 1805 { |
1341 png_byte readbuf[PNG_MAX_PALETTE_LENGTH]; | 1806 png_byte readbuf[PNG_MAX_PALETTE_LENGTH]; |
1342 | 1807 |
1343 png_debug(1, "in png_handle_tRNS"); | 1808 png_debug(1, "in png_handle_tRNS"); |
1344 | 1809 |
1345 if (!(png_ptr->mode & PNG_HAVE_IHDR)) | 1810 if ((png_ptr->mode & PNG_HAVE_IHDR) == 0) |
1346 png_error(png_ptr, "Missing IHDR before tRNS"); | 1811 png_chunk_error(png_ptr, "missing IHDR"); |
1347 else if (png_ptr->mode & PNG_HAVE_IDAT) | 1812 |
| 1813 else if ((png_ptr->mode & PNG_HAVE_IDAT) != 0) |
1348 { | 1814 { |
1349 png_warning(png_ptr, "Invalid tRNS after IDAT"); | |
1350 png_crc_finish(png_ptr, length); | 1815 png_crc_finish(png_ptr, length); |
1351 return; | 1816 png_chunk_benign_error(png_ptr, "out of place"); |
1352 } | |
1353 else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_tRNS)) | |
1354 { | |
1355 png_warning(png_ptr, "Duplicate tRNS chunk"); | |
1356 png_crc_finish(png_ptr, length); | |
1357 return; | 1817 return; |
1358 } | 1818 } |
1359 | 1819 |
| 1820 else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_tRNS) != 0) |
| 1821 { |
| 1822 png_crc_finish(png_ptr, length); |
| 1823 png_chunk_benign_error(png_ptr, "duplicate"); |
| 1824 return; |
| 1825 } |
| 1826 |
1360 if (png_ptr->color_type == PNG_COLOR_TYPE_GRAY) | 1827 if (png_ptr->color_type == PNG_COLOR_TYPE_GRAY) |
1361 { | 1828 { |
1362 png_byte buf[2]; | 1829 png_byte buf[2]; |
1363 | 1830 |
1364 if (length != 2) | 1831 if (length != 2) |
1365 { | 1832 { |
1366 png_warning(png_ptr, "Incorrect tRNS chunk length"); | 1833 png_crc_finish(png_ptr, length); |
1367 png_crc_finish(png_ptr, length); | 1834 png_chunk_benign_error(png_ptr, "invalid"); |
1368 return; | 1835 return; |
1369 } | 1836 } |
1370 | 1837 |
1371 png_crc_read(png_ptr, buf, 2); | 1838 png_crc_read(png_ptr, buf, 2); |
1372 png_ptr->num_trans = 1; | 1839 png_ptr->num_trans = 1; |
1373 png_ptr->trans_values.gray = png_get_uint_16(buf); | 1840 png_ptr->trans_color.gray = png_get_uint_16(buf); |
1374 } | 1841 } |
| 1842 |
1375 else if (png_ptr->color_type == PNG_COLOR_TYPE_RGB) | 1843 else if (png_ptr->color_type == PNG_COLOR_TYPE_RGB) |
1376 { | 1844 { |
1377 png_byte buf[6]; | 1845 png_byte buf[6]; |
1378 | 1846 |
1379 if (length != 6) | 1847 if (length != 6) |
1380 { | 1848 { |
1381 png_warning(png_ptr, "Incorrect tRNS chunk length"); | 1849 png_crc_finish(png_ptr, length); |
1382 png_crc_finish(png_ptr, length); | 1850 png_chunk_benign_error(png_ptr, "invalid"); |
1383 return; | 1851 return; |
1384 } | 1852 } |
1385 png_crc_read(png_ptr, buf, (png_size_t)length); | 1853 |
| 1854 png_crc_read(png_ptr, buf, length); |
1386 png_ptr->num_trans = 1; | 1855 png_ptr->num_trans = 1; |
1387 png_ptr->trans_values.red = png_get_uint_16(buf); | 1856 png_ptr->trans_color.red = png_get_uint_16(buf); |
1388 png_ptr->trans_values.green = png_get_uint_16(buf + 2); | 1857 png_ptr->trans_color.green = png_get_uint_16(buf + 2); |
1389 png_ptr->trans_values.blue = png_get_uint_16(buf + 4); | 1858 png_ptr->trans_color.blue = png_get_uint_16(buf + 4); |
1390 } | 1859 } |
| 1860 |
1391 else if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) | 1861 else if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) |
1392 { | 1862 { |
1393 if (!(png_ptr->mode & PNG_HAVE_PLTE)) | 1863 if ((png_ptr->mode & PNG_HAVE_PLTE) == 0) |
1394 { | 1864 { |
1395 /* Should be an error, but we can cope with it. */ | 1865 /* TODO: is this actually an error in the ISO spec? */ |
1396 png_warning(png_ptr, "Missing PLTE before tRNS"); | 1866 png_crc_finish(png_ptr, length); |
1397 } | 1867 png_chunk_benign_error(png_ptr, "out of place"); |
1398 if (length > (png_uint_32)png_ptr->num_palette || | 1868 return; |
1399 length > PNG_MAX_PALETTE_LENGTH) | 1869 } |
1400 { | 1870 |
1401 png_warning(png_ptr, "Incorrect tRNS chunk length"); | 1871 if (length > (unsigned int) png_ptr->num_palette || |
1402 png_crc_finish(png_ptr, length); | 1872 length > (unsigned int) PNG_MAX_PALETTE_LENGTH || |
1403 return; | 1873 length == 0) |
1404 } | 1874 { |
1405 if (length == 0) | 1875 png_crc_finish(png_ptr, length); |
1406 { | 1876 png_chunk_benign_error(png_ptr, "invalid"); |
1407 png_warning(png_ptr, "Zero length tRNS chunk"); | 1877 return; |
1408 png_crc_finish(png_ptr, length); | 1878 } |
1409 return; | 1879 |
1410 } | 1880 png_crc_read(png_ptr, readbuf, length); |
1411 png_crc_read(png_ptr, readbuf, (png_size_t)length); | |
1412 png_ptr->num_trans = (png_uint_16)length; | 1881 png_ptr->num_trans = (png_uint_16)length; |
1413 } | 1882 } |
| 1883 |
1414 else | 1884 else |
1415 { | 1885 { |
1416 png_warning(png_ptr, "tRNS chunk not allowed with alpha channel"); | 1886 png_crc_finish(png_ptr, length); |
1417 png_crc_finish(png_ptr, length); | 1887 png_chunk_benign_error(png_ptr, "invalid with alpha channel"); |
1418 return; | 1888 return; |
1419 } | 1889 } |
1420 | 1890 |
1421 if (png_crc_finish(png_ptr, 0)) | 1891 if (png_crc_finish(png_ptr, 0) != 0) |
1422 { | 1892 { |
1423 png_ptr->num_trans = 0; | 1893 png_ptr->num_trans = 0; |
1424 return; | 1894 return; |
1425 } | 1895 } |
1426 | 1896 |
| 1897 /* TODO: this is a horrible side effect in the palette case because the |
| 1898 * png_struct ends up with a pointer to the tRNS buffer owned by the |
| 1899 * png_info. Fix this. |
| 1900 */ |
1427 png_set_tRNS(png_ptr, info_ptr, readbuf, png_ptr->num_trans, | 1901 png_set_tRNS(png_ptr, info_ptr, readbuf, png_ptr->num_trans, |
1428 &(png_ptr->trans_values)); | 1902 &(png_ptr->trans_color)); |
1429 } | 1903 } |
1430 #endif | 1904 #endif |
1431 | 1905 |
1432 #ifdef PNG_READ_bKGD_SUPPORTED | 1906 #ifdef PNG_READ_bKGD_SUPPORTED |
1433 void /* PRIVATE */ | 1907 void /* PRIVATE */ |
1434 png_handle_bKGD(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) | 1908 png_handle_bKGD(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length) |
1435 { | 1909 { |
1436 png_size_t truelen; | 1910 unsigned int truelen; |
1437 png_byte buf[6]; | 1911 png_byte buf[6]; |
| 1912 png_color_16 background; |
1438 | 1913 |
1439 png_debug(1, "in png_handle_bKGD"); | 1914 png_debug(1, "in png_handle_bKGD"); |
1440 | 1915 |
1441 if (!(png_ptr->mode & PNG_HAVE_IHDR)) | 1916 if ((png_ptr->mode & PNG_HAVE_IHDR) == 0) |
1442 png_error(png_ptr, "Missing IHDR before bKGD"); | 1917 png_chunk_error(png_ptr, "missing IHDR"); |
1443 else if (png_ptr->mode & PNG_HAVE_IDAT) | 1918 |
1444 { | 1919 else if ((png_ptr->mode & PNG_HAVE_IDAT) != 0 || |
1445 png_warning(png_ptr, "Invalid bKGD after IDAT"); | 1920 (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE && |
1446 png_crc_finish(png_ptr, length); | 1921 (png_ptr->mode & PNG_HAVE_PLTE) == 0)) |
1447 return; | 1922 { |
1448 } | 1923 png_crc_finish(png_ptr, length); |
1449 else if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE && | 1924 png_chunk_benign_error(png_ptr, "out of place"); |
1450 !(png_ptr->mode & PNG_HAVE_PLTE)) | 1925 return; |
1451 { | 1926 } |
1452 png_warning(png_ptr, "Missing PLTE before bKGD"); | 1927 |
1453 png_crc_finish(png_ptr, length); | 1928 else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_bKGD) != 0) |
1454 return; | 1929 { |
1455 } | 1930 png_crc_finish(png_ptr, length); |
1456 else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_bKGD)) | 1931 png_chunk_benign_error(png_ptr, "duplicate"); |
1457 { | |
1458 png_warning(png_ptr, "Duplicate bKGD chunk"); | |
1459 png_crc_finish(png_ptr, length); | |
1460 return; | 1932 return; |
1461 } | 1933 } |
1462 | 1934 |
1463 if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) | 1935 if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) |
1464 truelen = 1; | 1936 truelen = 1; |
1465 else if (png_ptr->color_type & PNG_COLOR_MASK_COLOR) | 1937 |
| 1938 else if ((png_ptr->color_type & PNG_COLOR_MASK_COLOR) != 0) |
1466 truelen = 6; | 1939 truelen = 6; |
| 1940 |
1467 else | 1941 else |
1468 truelen = 2; | 1942 truelen = 2; |
1469 | 1943 |
1470 if (length != truelen) | 1944 if (length != truelen) |
1471 { | 1945 { |
1472 png_warning(png_ptr, "Incorrect bKGD chunk length"); | 1946 png_crc_finish(png_ptr, length); |
1473 png_crc_finish(png_ptr, length); | 1947 png_chunk_benign_error(png_ptr, "invalid"); |
1474 return; | 1948 return; |
1475 } | 1949 } |
1476 | 1950 |
1477 png_crc_read(png_ptr, buf, truelen); | 1951 png_crc_read(png_ptr, buf, truelen); |
1478 if (png_crc_finish(png_ptr, 0)) | 1952 |
| 1953 if (png_crc_finish(png_ptr, 0) != 0) |
1479 return; | 1954 return; |
1480 | 1955 |
1481 /* We convert the index value into RGB components so that we can allow | 1956 /* We convert the index value into RGB components so that we can allow |
1482 * arbitrary RGB values for background when we have transparency, and | 1957 * arbitrary RGB values for background when we have transparency, and |
1483 * so it is easy to determine the RGB values of the background color | 1958 * so it is easy to determine the RGB values of the background color |
1484 * from the info_ptr struct. */ | 1959 * from the info_ptr struct. |
| 1960 */ |
1485 if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) | 1961 if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) |
1486 { | 1962 { |
1487 png_ptr->background.index = buf[0]; | 1963 background.index = buf[0]; |
1488 if (info_ptr && info_ptr->num_palette) | 1964 |
1489 { | 1965 if (info_ptr != NULL && info_ptr->num_palette != 0) |
1490 if (buf[0] >= info_ptr->num_palette) | 1966 { |
1491 { | 1967 if (buf[0] >= info_ptr->num_palette) |
1492 png_warning(png_ptr, "Incorrect bKGD chunk index value"); | 1968 { |
1493 return; | 1969 png_chunk_benign_error(png_ptr, "invalid index"); |
1494 } | 1970 return; |
1495 png_ptr->background.red = | 1971 } |
1496 (png_uint_16)png_ptr->palette[buf[0]].red; | 1972 |
1497 png_ptr->background.green = | 1973 background.red = (png_uint_16)png_ptr->palette[buf[0]].red; |
1498 (png_uint_16)png_ptr->palette[buf[0]].green; | 1974 background.green = (png_uint_16)png_ptr->palette[buf[0]].green; |
1499 png_ptr->background.blue = | 1975 background.blue = (png_uint_16)png_ptr->palette[buf[0]].blue; |
1500 (png_uint_16)png_ptr->palette[buf[0]].blue; | 1976 } |
1501 } | 1977 |
1502 } | 1978 else |
1503 else if (!(png_ptr->color_type & PNG_COLOR_MASK_COLOR)) /* GRAY */ | 1979 background.red = background.green = background.blue = 0; |
1504 { | 1980 |
1505 png_ptr->background.red = | 1981 background.gray = 0; |
1506 png_ptr->background.green = | 1982 } |
1507 png_ptr->background.blue = | 1983 |
1508 png_ptr->background.gray = png_get_uint_16(buf); | 1984 else if ((png_ptr->color_type & PNG_COLOR_MASK_COLOR) == 0) /* GRAY */ |
1509 } | 1985 { |
| 1986 background.index = 0; |
| 1987 background.red = |
| 1988 background.green = |
| 1989 background.blue = |
| 1990 background.gray = png_get_uint_16(buf); |
| 1991 } |
| 1992 |
1510 else | 1993 else |
1511 { | 1994 { |
1512 png_ptr->background.red = png_get_uint_16(buf); | 1995 background.index = 0; |
1513 png_ptr->background.green = png_get_uint_16(buf + 2); | 1996 background.red = png_get_uint_16(buf); |
1514 png_ptr->background.blue = png_get_uint_16(buf + 4); | 1997 background.green = png_get_uint_16(buf + 2); |
1515 } | 1998 background.blue = png_get_uint_16(buf + 4); |
1516 | 1999 background.gray = 0; |
1517 png_set_bKGD(png_ptr, info_ptr, &(png_ptr->background)); | 2000 } |
| 2001 |
| 2002 png_set_bKGD(png_ptr, info_ptr, &background); |
1518 } | 2003 } |
1519 #endif | 2004 #endif |
1520 | 2005 |
1521 #ifdef PNG_READ_hIST_SUPPORTED | 2006 #ifdef PNG_READ_hIST_SUPPORTED |
1522 void /* PRIVATE */ | 2007 void /* PRIVATE */ |
1523 png_handle_hIST(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) | 2008 png_handle_hIST(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length) |
1524 { | 2009 { |
1525 unsigned int num, i; | 2010 unsigned int num, i; |
1526 png_uint_16 readbuf[PNG_MAX_PALETTE_LENGTH]; | 2011 png_uint_16 readbuf[PNG_MAX_PALETTE_LENGTH]; |
1527 | 2012 |
1528 png_debug(1, "in png_handle_hIST"); | 2013 png_debug(1, "in png_handle_hIST"); |
1529 | 2014 |
1530 if (!(png_ptr->mode & PNG_HAVE_IHDR)) | 2015 if ((png_ptr->mode & PNG_HAVE_IHDR) == 0) |
1531 png_error(png_ptr, "Missing IHDR before hIST"); | 2016 png_chunk_error(png_ptr, "missing IHDR"); |
1532 else if (png_ptr->mode & PNG_HAVE_IDAT) | 2017 |
1533 { | 2018 else if ((png_ptr->mode & PNG_HAVE_IDAT) != 0 || |
1534 png_warning(png_ptr, "Invalid hIST after IDAT"); | 2019 (png_ptr->mode & PNG_HAVE_PLTE) == 0) |
1535 png_crc_finish(png_ptr, length); | 2020 { |
1536 return; | 2021 png_crc_finish(png_ptr, length); |
1537 } | 2022 png_chunk_benign_error(png_ptr, "out of place"); |
1538 else if (!(png_ptr->mode & PNG_HAVE_PLTE)) | 2023 return; |
1539 { | 2024 } |
1540 png_warning(png_ptr, "Missing PLTE before hIST"); | 2025 |
1541 png_crc_finish(png_ptr, length); | 2026 else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_hIST) != 0) |
1542 return; | 2027 { |
1543 } | 2028 png_crc_finish(png_ptr, length); |
1544 else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_hIST)) | 2029 png_chunk_benign_error(png_ptr, "duplicate"); |
1545 { | |
1546 png_warning(png_ptr, "Duplicate hIST chunk"); | |
1547 png_crc_finish(png_ptr, length); | |
1548 return; | |
1549 } | |
1550 | |
1551 if (length > 2*PNG_MAX_PALETTE_LENGTH || | |
1552 length != (unsigned int) (2*png_ptr->num_palette)) | |
1553 { | |
1554 png_warning(png_ptr, "Incorrect hIST chunk length"); | |
1555 png_crc_finish(png_ptr, length); | |
1556 return; | 2030 return; |
1557 } | 2031 } |
1558 | 2032 |
1559 num = length / 2 ; | 2033 num = length / 2 ; |
1560 | 2034 |
| 2035 if (num != (unsigned int) png_ptr->num_palette || |
| 2036 num > (unsigned int) PNG_MAX_PALETTE_LENGTH) |
| 2037 { |
| 2038 png_crc_finish(png_ptr, length); |
| 2039 png_chunk_benign_error(png_ptr, "invalid"); |
| 2040 return; |
| 2041 } |
| 2042 |
1561 for (i = 0; i < num; i++) | 2043 for (i = 0; i < num; i++) |
1562 { | 2044 { |
1563 png_byte buf[2]; | 2045 png_byte buf[2]; |
1564 | 2046 |
1565 png_crc_read(png_ptr, buf, 2); | 2047 png_crc_read(png_ptr, buf, 2); |
1566 readbuf[i] = png_get_uint_16(buf); | 2048 readbuf[i] = png_get_uint_16(buf); |
1567 } | 2049 } |
1568 | 2050 |
1569 if (png_crc_finish(png_ptr, 0)) | 2051 if (png_crc_finish(png_ptr, 0) != 0) |
1570 return; | 2052 return; |
1571 | 2053 |
1572 png_set_hIST(png_ptr, info_ptr, readbuf); | 2054 png_set_hIST(png_ptr, info_ptr, readbuf); |
1573 } | 2055 } |
1574 #endif | 2056 #endif |
1575 | 2057 |
1576 #ifdef PNG_READ_pHYs_SUPPORTED | 2058 #ifdef PNG_READ_pHYs_SUPPORTED |
1577 void /* PRIVATE */ | 2059 void /* PRIVATE */ |
1578 png_handle_pHYs(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) | 2060 png_handle_pHYs(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length) |
1579 { | 2061 { |
1580 png_byte buf[9]; | 2062 png_byte buf[9]; |
1581 png_uint_32 res_x, res_y; | 2063 png_uint_32 res_x, res_y; |
1582 int unit_type; | 2064 int unit_type; |
1583 | 2065 |
1584 png_debug(1, "in png_handle_pHYs"); | 2066 png_debug(1, "in png_handle_pHYs"); |
1585 | 2067 |
1586 if (!(png_ptr->mode & PNG_HAVE_IHDR)) | 2068 if ((png_ptr->mode & PNG_HAVE_IHDR) == 0) |
1587 png_error(png_ptr, "Missing IHDR before pHYs"); | 2069 png_chunk_error(png_ptr, "missing IHDR"); |
1588 else if (png_ptr->mode & PNG_HAVE_IDAT) | 2070 |
| 2071 else if ((png_ptr->mode & PNG_HAVE_IDAT) != 0) |
1589 { | 2072 { |
1590 png_warning(png_ptr, "Invalid pHYs after IDAT"); | |
1591 png_crc_finish(png_ptr, length); | 2073 png_crc_finish(png_ptr, length); |
| 2074 png_chunk_benign_error(png_ptr, "out of place"); |
1592 return; | 2075 return; |
1593 } | 2076 } |
1594 else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_pHYs)) | 2077 |
| 2078 else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_pHYs) != 0) |
1595 { | 2079 { |
1596 png_warning(png_ptr, "Duplicate pHYs chunk"); | |
1597 png_crc_finish(png_ptr, length); | 2080 png_crc_finish(png_ptr, length); |
| 2081 png_chunk_benign_error(png_ptr, "duplicate"); |
1598 return; | 2082 return; |
1599 } | 2083 } |
1600 | 2084 |
1601 if (length != 9) | 2085 if (length != 9) |
1602 { | 2086 { |
1603 png_warning(png_ptr, "Incorrect pHYs chunk length"); | |
1604 png_crc_finish(png_ptr, length); | 2087 png_crc_finish(png_ptr, length); |
| 2088 png_chunk_benign_error(png_ptr, "invalid"); |
1605 return; | 2089 return; |
1606 } | 2090 } |
1607 | 2091 |
1608 png_crc_read(png_ptr, buf, 9); | 2092 png_crc_read(png_ptr, buf, 9); |
1609 if (png_crc_finish(png_ptr, 0)) | 2093 |
| 2094 if (png_crc_finish(png_ptr, 0) != 0) |
1610 return; | 2095 return; |
1611 | 2096 |
1612 res_x = png_get_uint_32(buf); | 2097 res_x = png_get_uint_32(buf); |
1613 res_y = png_get_uint_32(buf + 4); | 2098 res_y = png_get_uint_32(buf + 4); |
1614 unit_type = buf[8]; | 2099 unit_type = buf[8]; |
1615 png_set_pHYs(png_ptr, info_ptr, res_x, res_y, unit_type); | 2100 png_set_pHYs(png_ptr, info_ptr, res_x, res_y, unit_type); |
1616 } | 2101 } |
1617 #endif | 2102 #endif |
1618 | 2103 |
1619 #ifdef PNG_READ_oFFs_SUPPORTED | 2104 #ifdef PNG_READ_oFFs_SUPPORTED |
1620 void /* PRIVATE */ | 2105 void /* PRIVATE */ |
1621 png_handle_oFFs(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) | 2106 png_handle_oFFs(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length) |
1622 { | 2107 { |
1623 png_byte buf[9]; | 2108 png_byte buf[9]; |
1624 png_int_32 offset_x, offset_y; | 2109 png_int_32 offset_x, offset_y; |
1625 int unit_type; | 2110 int unit_type; |
1626 | 2111 |
1627 png_debug(1, "in png_handle_oFFs"); | 2112 png_debug(1, "in png_handle_oFFs"); |
1628 | 2113 |
1629 if (!(png_ptr->mode & PNG_HAVE_IHDR)) | 2114 if ((png_ptr->mode & PNG_HAVE_IHDR) == 0) |
1630 png_error(png_ptr, "Missing IHDR before oFFs"); | 2115 png_chunk_error(png_ptr, "missing IHDR"); |
1631 else if (png_ptr->mode & PNG_HAVE_IDAT) | 2116 |
| 2117 else if ((png_ptr->mode & PNG_HAVE_IDAT) != 0) |
1632 { | 2118 { |
1633 png_warning(png_ptr, "Invalid oFFs after IDAT"); | |
1634 png_crc_finish(png_ptr, length); | 2119 png_crc_finish(png_ptr, length); |
| 2120 png_chunk_benign_error(png_ptr, "out of place"); |
1635 return; | 2121 return; |
1636 } | 2122 } |
1637 else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_oFFs)) | 2123 |
| 2124 else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_oFFs) != 0) |
1638 { | 2125 { |
1639 png_warning(png_ptr, "Duplicate oFFs chunk"); | |
1640 png_crc_finish(png_ptr, length); | 2126 png_crc_finish(png_ptr, length); |
| 2127 png_chunk_benign_error(png_ptr, "duplicate"); |
1641 return; | 2128 return; |
1642 } | 2129 } |
1643 | 2130 |
1644 if (length != 9) | 2131 if (length != 9) |
1645 { | 2132 { |
1646 png_warning(png_ptr, "Incorrect oFFs chunk length"); | |
1647 png_crc_finish(png_ptr, length); | 2133 png_crc_finish(png_ptr, length); |
| 2134 png_chunk_benign_error(png_ptr, "invalid"); |
1648 return; | 2135 return; |
1649 } | 2136 } |
1650 | 2137 |
1651 png_crc_read(png_ptr, buf, 9); | 2138 png_crc_read(png_ptr, buf, 9); |
1652 if (png_crc_finish(png_ptr, 0)) | 2139 |
| 2140 if (png_crc_finish(png_ptr, 0) != 0) |
1653 return; | 2141 return; |
1654 | 2142 |
1655 offset_x = png_get_int_32(buf); | 2143 offset_x = png_get_int_32(buf); |
1656 offset_y = png_get_int_32(buf + 4); | 2144 offset_y = png_get_int_32(buf + 4); |
1657 unit_type = buf[8]; | 2145 unit_type = buf[8]; |
1658 png_set_oFFs(png_ptr, info_ptr, offset_x, offset_y, unit_type); | 2146 png_set_oFFs(png_ptr, info_ptr, offset_x, offset_y, unit_type); |
1659 } | 2147 } |
1660 #endif | 2148 #endif |
1661 | 2149 |
1662 #ifdef PNG_READ_pCAL_SUPPORTED | 2150 #ifdef PNG_READ_pCAL_SUPPORTED |
1663 /* Read the pCAL chunk (described in the PNG Extensions document) */ | 2151 /* Read the pCAL chunk (described in the PNG Extensions document) */ |
1664 void /* PRIVATE */ | 2152 void /* PRIVATE */ |
1665 png_handle_pCAL(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) | 2153 png_handle_pCAL(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length) |
1666 { | 2154 { |
1667 png_int_32 X0, X1; | 2155 png_int_32 X0, X1; |
1668 png_byte type, nparams; | 2156 png_byte type, nparams; |
1669 png_charp buf, units, endptr; | 2157 png_bytep buffer, buf, units, endptr; |
1670 png_charpp params; | 2158 png_charpp params; |
1671 png_size_t slength; | |
1672 int i; | 2159 int i; |
1673 | 2160 |
1674 png_debug(1, "in png_handle_pCAL"); | 2161 png_debug(1, "in png_handle_pCAL"); |
1675 | 2162 |
1676 if (!(png_ptr->mode & PNG_HAVE_IHDR)) | 2163 if ((png_ptr->mode & PNG_HAVE_IHDR) == 0) |
1677 png_error(png_ptr, "Missing IHDR before pCAL"); | 2164 png_chunk_error(png_ptr, "missing IHDR"); |
1678 else if (png_ptr->mode & PNG_HAVE_IDAT) | 2165 |
| 2166 else if ((png_ptr->mode & PNG_HAVE_IDAT) != 0) |
1679 { | 2167 { |
1680 png_warning(png_ptr, "Invalid pCAL after IDAT"); | |
1681 png_crc_finish(png_ptr, length); | 2168 png_crc_finish(png_ptr, length); |
1682 return; | 2169 png_chunk_benign_error(png_ptr, "out of place"); |
1683 } | |
1684 else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_pCAL)) | |
1685 { | |
1686 png_warning(png_ptr, "Duplicate pCAL chunk"); | |
1687 png_crc_finish(png_ptr, length); | |
1688 return; | 2170 return; |
1689 } | 2171 } |
1690 | 2172 |
1691 png_debug1(2, "Allocating and reading pCAL chunk data (%lu bytes)", | 2173 else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_pCAL) != 0) |
1692 length + 1); | |
1693 png_free(png_ptr, png_ptr->chunkdata); | |
1694 png_ptr->chunkdata = (png_charp)png_malloc_warn(png_ptr, length + 1); | |
1695 if (png_ptr->chunkdata == NULL) | |
1696 { | |
1697 png_warning(png_ptr, "No memory for pCAL purpose."); | |
1698 return; | |
1699 } | |
1700 slength = (png_size_t)length; | |
1701 png_crc_read(png_ptr, (png_bytep)png_ptr->chunkdata, slength); | |
1702 | |
1703 if (png_crc_finish(png_ptr, 0)) | |
1704 { | 2174 { |
1705 png_free(png_ptr, png_ptr->chunkdata); | 2175 png_crc_finish(png_ptr, length); |
1706 png_ptr->chunkdata = NULL; | 2176 png_chunk_benign_error(png_ptr, "duplicate"); |
1707 return; | 2177 return; |
1708 } | 2178 } |
1709 | 2179 |
1710 png_ptr->chunkdata[slength] = 0x00; /* Null terminate the last string */ | 2180 png_debug1(2, "Allocating and reading pCAL chunk data (%u bytes)", |
| 2181 length + 1); |
1711 | 2182 |
1712 png_debug(3, "Finding end of pCAL purpose string"); | 2183 buffer = png_read_buffer(png_ptr, length+1, 2/*silent*/); |
1713 for (buf = png_ptr->chunkdata; *buf; buf++) | |
1714 /* Empty loop */ ; | |
1715 | 2184 |
1716 endptr = png_ptr->chunkdata + slength; | 2185 if (buffer == NULL) |
1717 | |
1718 /* We need to have at least 12 bytes after the purpose string | |
1719 in order to get the parameter information. */ | |
1720 if (slength < 12U || endptr - buf <= 12) | |
1721 { | 2186 { |
1722 png_warning(png_ptr, "Invalid pCAL data"); | 2187 png_crc_finish(png_ptr, length); |
1723 png_free(png_ptr, png_ptr->chunkdata); | 2188 png_chunk_benign_error(png_ptr, "out of memory"); |
1724 png_ptr->chunkdata = NULL; | |
1725 return; | 2189 return; |
1726 } | 2190 } |
1727 | 2191 |
| 2192 png_crc_read(png_ptr, buffer, length); |
| 2193 |
| 2194 if (png_crc_finish(png_ptr, 0) != 0) |
| 2195 return; |
| 2196 |
| 2197 buffer[length] = 0; /* Null terminate the last string */ |
| 2198 |
| 2199 png_debug(3, "Finding end of pCAL purpose string"); |
| 2200 for (buf = buffer; *buf; buf++) |
| 2201 /* Empty loop */ ; |
| 2202 |
| 2203 endptr = buffer + length; |
| 2204 |
| 2205 /* We need to have at least 12 bytes after the purpose string |
| 2206 * in order to get the parameter information. |
| 2207 */ |
| 2208 if (endptr - buf <= 12) |
| 2209 { |
| 2210 png_chunk_benign_error(png_ptr, "invalid"); |
| 2211 return; |
| 2212 } |
| 2213 |
1728 png_debug(3, "Reading pCAL X0, X1, type, nparams, and units"); | 2214 png_debug(3, "Reading pCAL X0, X1, type, nparams, and units"); |
1729 X0 = png_get_int_32((png_bytep)buf+1); | 2215 X0 = png_get_int_32((png_bytep)buf+1); |
1730 X1 = png_get_int_32((png_bytep)buf+5); | 2216 X1 = png_get_int_32((png_bytep)buf+5); |
1731 type = buf[9]; | 2217 type = buf[9]; |
1732 nparams = buf[10]; | 2218 nparams = buf[10]; |
1733 units = buf + 11; | 2219 units = buf + 11; |
1734 | 2220 |
1735 png_debug(3, "Checking pCAL equation type and number of parameters"); | 2221 png_debug(3, "Checking pCAL equation type and number of parameters"); |
1736 /* Check that we have the right number of parameters for known | 2222 /* Check that we have the right number of parameters for known |
1737 equation types. */ | 2223 * equation types. |
| 2224 */ |
1738 if ((type == PNG_EQUATION_LINEAR && nparams != 2) || | 2225 if ((type == PNG_EQUATION_LINEAR && nparams != 2) || |
1739 (type == PNG_EQUATION_BASE_E && nparams != 3) || | 2226 (type == PNG_EQUATION_BASE_E && nparams != 3) || |
1740 (type == PNG_EQUATION_ARBITRARY && nparams != 3) || | 2227 (type == PNG_EQUATION_ARBITRARY && nparams != 3) || |
1741 (type == PNG_EQUATION_HYPERBOLIC && nparams != 4)) | 2228 (type == PNG_EQUATION_HYPERBOLIC && nparams != 4)) |
1742 { | 2229 { |
1743 png_warning(png_ptr, "Invalid pCAL parameters for equation type"); | 2230 png_chunk_benign_error(png_ptr, "invalid parameter count"); |
1744 png_free(png_ptr, png_ptr->chunkdata); | |
1745 png_ptr->chunkdata = NULL; | |
1746 return; | 2231 return; |
1747 } | 2232 } |
| 2233 |
1748 else if (type >= PNG_EQUATION_LAST) | 2234 else if (type >= PNG_EQUATION_LAST) |
1749 { | 2235 { |
1750 png_warning(png_ptr, "Unrecognized equation type for pCAL chunk"); | 2236 png_chunk_benign_error(png_ptr, "unrecognized equation type"); |
1751 } | 2237 } |
1752 | 2238 |
1753 for (buf = units; *buf; buf++) | 2239 for (buf = units; *buf; buf++) |
1754 /* Empty loop to move past the units string. */ ; | 2240 /* Empty loop to move past the units string. */ ; |
1755 | 2241 |
1756 png_debug(3, "Allocating pCAL parameters array"); | 2242 png_debug(3, "Allocating pCAL parameters array"); |
1757 params = (png_charpp)png_malloc_warn(png_ptr, | 2243 |
1758 (png_uint_32)(nparams * png_sizeof(png_charp))) ; | 2244 params = png_voidcast(png_charpp, png_malloc_warn(png_ptr, |
| 2245 nparams * (sizeof (png_charp)))); |
| 2246 |
1759 if (params == NULL) | 2247 if (params == NULL) |
1760 { | 2248 { |
1761 png_free(png_ptr, png_ptr->chunkdata); | 2249 png_chunk_benign_error(png_ptr, "out of memory"); |
1762 png_ptr->chunkdata = NULL; | 2250 return; |
1763 png_warning(png_ptr, "No memory for pCAL params."); | 2251 } |
1764 return; | |
1765 } | |
1766 | 2252 |
1767 /* Get pointers to the start of each parameter string. */ | 2253 /* Get pointers to the start of each parameter string. */ |
1768 for (i = 0; i < (int)nparams; i++) | 2254 for (i = 0; i < nparams; i++) |
1769 { | 2255 { |
1770 buf++; /* Skip the null string terminator from previous parameter. */ | 2256 buf++; /* Skip the null string terminator from previous parameter. */ |
1771 | 2257 |
1772 png_debug1(3, "Reading pCAL parameter %d", i); | 2258 png_debug1(3, "Reading pCAL parameter %d", i); |
1773 for (params[i] = buf; buf <= endptr && *buf != 0x00; buf++) | 2259 |
| 2260 for (params[i] = (png_charp)buf; buf <= endptr && *buf != 0; buf++) |
1774 /* Empty loop to move past each parameter string */ ; | 2261 /* Empty loop to move past each parameter string */ ; |
1775 | 2262 |
1776 /* Make sure we haven't run out of data yet */ | 2263 /* Make sure we haven't run out of data yet */ |
1777 if (buf > endptr) | 2264 if (buf > endptr) |
1778 { | 2265 { |
1779 png_warning(png_ptr, "Invalid pCAL data"); | |
1780 png_free(png_ptr, png_ptr->chunkdata); | |
1781 png_ptr->chunkdata = NULL; | |
1782 png_free(png_ptr, params); | 2266 png_free(png_ptr, params); |
| 2267 png_chunk_benign_error(png_ptr, "invalid data"); |
1783 return; | 2268 return; |
1784 } | 2269 } |
1785 } | 2270 } |
1786 | 2271 |
1787 png_set_pCAL(png_ptr, info_ptr, png_ptr->chunkdata, X0, X1, type, nparams, | 2272 png_set_pCAL(png_ptr, info_ptr, (png_charp)buffer, X0, X1, type, nparams, |
1788 units, params); | 2273 (png_charp)units, params); |
1789 | 2274 |
1790 png_free(png_ptr, png_ptr->chunkdata); | |
1791 png_ptr->chunkdata = NULL; | |
1792 png_free(png_ptr, params); | 2275 png_free(png_ptr, params); |
1793 } | 2276 } |
1794 #endif | 2277 #endif |
1795 | 2278 |
1796 #ifdef PNG_READ_sCAL_SUPPORTED | 2279 #ifdef PNG_READ_sCAL_SUPPORTED |
1797 /* Read the sCAL chunk */ | 2280 /* Read the sCAL chunk */ |
1798 void /* PRIVATE */ | 2281 void /* PRIVATE */ |
1799 png_handle_sCAL(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) | 2282 png_handle_sCAL(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length) |
1800 { | 2283 { |
1801 png_charp ep; | 2284 png_bytep buffer; |
1802 #ifdef PNG_FLOATING_POINT_SUPPORTED | 2285 png_size_t i; |
1803 double width, height; | 2286 int state; |
1804 png_charp vp; | |
1805 #else | |
1806 #ifdef PNG_FIXED_POINT_SUPPORTED | |
1807 png_charp swidth, sheight; | |
1808 #endif | |
1809 #endif | |
1810 png_size_t slength; | |
1811 | 2287 |
1812 png_debug(1, "in png_handle_sCAL"); | 2288 png_debug(1, "in png_handle_sCAL"); |
1813 | 2289 |
1814 if (!(png_ptr->mode & PNG_HAVE_IHDR)) | 2290 if ((png_ptr->mode & PNG_HAVE_IHDR) == 0) |
1815 png_error(png_ptr, "Missing IHDR before sCAL"); | 2291 png_chunk_error(png_ptr, "missing IHDR"); |
1816 else if (png_ptr->mode & PNG_HAVE_IDAT) | 2292 |
| 2293 else if ((png_ptr->mode & PNG_HAVE_IDAT) != 0) |
1817 { | 2294 { |
1818 png_warning(png_ptr, "Invalid sCAL after IDAT"); | |
1819 png_crc_finish(png_ptr, length); | 2295 png_crc_finish(png_ptr, length); |
| 2296 png_chunk_benign_error(png_ptr, "out of place"); |
1820 return; | 2297 return; |
1821 } | 2298 } |
1822 else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_sCAL)) | 2299 |
| 2300 else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_sCAL) != 0) |
1823 { | 2301 { |
1824 png_warning(png_ptr, "Duplicate sCAL chunk"); | |
1825 png_crc_finish(png_ptr, length); | 2302 png_crc_finish(png_ptr, length); |
| 2303 png_chunk_benign_error(png_ptr, "duplicate"); |
1826 return; | 2304 return; |
1827 } | 2305 } |
1828 | 2306 |
1829 /* Need unit type, width, \0, height: minimum 4 bytes */ | 2307 /* Need unit type, width, \0, height: minimum 4 bytes */ |
1830 else if (length < 4) | 2308 else if (length < 4) |
1831 { | 2309 { |
1832 png_warning(png_ptr, "sCAL chunk too short"); | 2310 png_crc_finish(png_ptr, length); |
| 2311 png_chunk_benign_error(png_ptr, "invalid"); |
| 2312 return; |
| 2313 } |
| 2314 |
| 2315 png_debug1(2, "Allocating and reading sCAL chunk data (%u bytes)", |
| 2316 length + 1); |
| 2317 |
| 2318 buffer = png_read_buffer(png_ptr, length+1, 2/*silent*/); |
| 2319 |
| 2320 if (buffer == NULL) |
| 2321 { |
| 2322 png_chunk_benign_error(png_ptr, "out of memory"); |
1833 png_crc_finish(png_ptr, length); | 2323 png_crc_finish(png_ptr, length); |
1834 return; | 2324 return; |
1835 } | 2325 } |
1836 | 2326 |
1837 png_debug1(2, "Allocating and reading sCAL chunk data (%lu bytes)", | 2327 png_crc_read(png_ptr, buffer, length); |
1838 length + 1); | 2328 buffer[length] = 0; /* Null terminate the last string */ |
1839 png_ptr->chunkdata = (png_charp)png_malloc_warn(png_ptr, length + 1); | 2329 |
1840 if (png_ptr->chunkdata == NULL) | 2330 if (png_crc_finish(png_ptr, 0) != 0) |
| 2331 return; |
| 2332 |
| 2333 /* Validate the unit. */ |
| 2334 if (buffer[0] != 1 && buffer[0] != 2) |
1841 { | 2335 { |
1842 png_warning(png_ptr, "Out of memory while processing sCAL chunk"); | 2336 png_chunk_benign_error(png_ptr, "invalid unit"); |
1843 png_crc_finish(png_ptr, length); | |
1844 return; | |
1845 } | |
1846 slength = (png_size_t)length; | |
1847 png_crc_read(png_ptr, (png_bytep)png_ptr->chunkdata, slength); | |
1848 | |
1849 if (png_crc_finish(png_ptr, 0)) | |
1850 { | |
1851 png_free(png_ptr, png_ptr->chunkdata); | |
1852 png_ptr->chunkdata = NULL; | |
1853 return; | 2337 return; |
1854 } | 2338 } |
1855 | 2339 |
1856 png_ptr->chunkdata[slength] = 0x00; /* Null terminate the last string */ | 2340 /* Validate the ASCII numbers, need two ASCII numbers separated by |
| 2341 * a '\0' and they need to fit exactly in the chunk data. |
| 2342 */ |
| 2343 i = 1; |
| 2344 state = 0; |
1857 | 2345 |
1858 ep = png_ptr->chunkdata + 1; /* Skip unit byte */ | 2346 if (png_check_fp_number((png_const_charp)buffer, length, &state, &i) == 0 || |
| 2347 i >= length || buffer[i++] != 0) |
| 2348 png_chunk_benign_error(png_ptr, "bad width format"); |
1859 | 2349 |
1860 #ifdef PNG_FLOATING_POINT_SUPPORTED | 2350 else if (PNG_FP_IS_POSITIVE(state) == 0) |
1861 width = png_strtod(png_ptr, ep, &vp); | 2351 png_chunk_benign_error(png_ptr, "non-positive width"); |
1862 if (*vp) | 2352 |
| 2353 else |
1863 { | 2354 { |
1864 png_warning(png_ptr, "malformed width string in sCAL chunk"); | 2355 png_size_t heighti = i; |
1865 png_free(png_ptr, png_ptr->chunkdata); | 2356 |
1866 png_ptr->chunkdata = NULL; | 2357 state = 0; |
1867 return; | 2358 if (png_check_fp_number((png_const_charp)buffer, length, |
| 2359 &state, &i) == 0 || i != length) |
| 2360 png_chunk_benign_error(png_ptr, "bad height format"); |
| 2361 |
| 2362 else if (PNG_FP_IS_POSITIVE(state) == 0) |
| 2363 png_chunk_benign_error(png_ptr, "non-positive height"); |
| 2364 |
| 2365 else |
| 2366 /* This is the (only) success case. */ |
| 2367 png_set_sCAL_s(png_ptr, info_ptr, buffer[0], |
| 2368 (png_charp)buffer+1, (png_charp)buffer+heighti); |
1868 } | 2369 } |
1869 #else | |
1870 #ifdef PNG_FIXED_POINT_SUPPORTED | |
1871 swidth = (png_charp)png_malloc_warn(png_ptr, png_strlen(ep) + 1); | |
1872 if (swidth == NULL) | |
1873 { | |
1874 png_warning(png_ptr, "Out of memory while processing sCAL chunk width"); | |
1875 png_free(png_ptr, png_ptr->chunkdata); | |
1876 png_ptr->chunkdata = NULL; | |
1877 return; | |
1878 } | |
1879 png_memcpy(swidth, ep, (png_size_t)png_strlen(ep) + 1); | |
1880 #endif | |
1881 #endif | |
1882 | |
1883 for (ep = png_ptr->chunkdata + 1; *ep; ep++) | |
1884 /* Empty loop */ ; | |
1885 ep++; | |
1886 | |
1887 if (png_ptr->chunkdata + slength < ep) | |
1888 { | |
1889 png_warning(png_ptr, "Truncated sCAL chunk"); | |
1890 #if defined(PNG_FIXED_POINT_SUPPORTED) && !defined(PNG_FLOATING_POINT_SUPPORTED) | |
1891 png_free(png_ptr, swidth); | |
1892 #endif | |
1893 png_free(png_ptr, png_ptr->chunkdata); | |
1894 png_ptr->chunkdata = NULL; | |
1895 return; | |
1896 } | |
1897 | |
1898 #ifdef PNG_FLOATING_POINT_SUPPORTED | |
1899 height = png_strtod(png_ptr, ep, &vp); | |
1900 if (*vp) | |
1901 { | |
1902 png_warning(png_ptr, "malformed height string in sCAL chunk"); | |
1903 png_free(png_ptr, png_ptr->chunkdata); | |
1904 png_ptr->chunkdata = NULL; | |
1905 #if defined(PNG_FIXED_POINT_SUPPORTED) && !defined(PNG_FLOATING_POINT_SUPPORTED) | |
1906 png_free(png_ptr, swidth); | |
1907 #endif | |
1908 return; | |
1909 } | |
1910 #else | |
1911 #ifdef PNG_FIXED_POINT_SUPPORTED | |
1912 sheight = (png_charp)png_malloc_warn(png_ptr, png_strlen(ep) + 1); | |
1913 if (sheight == NULL) | |
1914 { | |
1915 png_warning(png_ptr, "Out of memory while processing sCAL chunk height"); | |
1916 png_free(png_ptr, png_ptr->chunkdata); | |
1917 png_ptr->chunkdata = NULL; | |
1918 #if defined(PNG_FIXED_POINT_SUPPORTED) && !defined(PNG_FLOATING_POINT_SUPPORTED) | |
1919 png_free(png_ptr, swidth); | |
1920 #endif | |
1921 return; | |
1922 } | |
1923 png_memcpy(sheight, ep, (png_size_t)png_strlen(ep) + 1); | |
1924 #endif | |
1925 #endif | |
1926 | |
1927 if (png_ptr->chunkdata + slength < ep | |
1928 #ifdef PNG_FLOATING_POINT_SUPPORTED | |
1929 || width <= 0. || height <= 0. | |
1930 #endif | |
1931 ) | |
1932 { | |
1933 png_warning(png_ptr, "Invalid sCAL data"); | |
1934 png_free(png_ptr, png_ptr->chunkdata); | |
1935 png_ptr->chunkdata = NULL; | |
1936 #if defined(PNG_FIXED_POINT_SUPPORTED) && !defined(PNG_FLOATING_POINT_SUPPORTED) | |
1937 png_free(png_ptr, swidth); | |
1938 png_free(png_ptr, sheight); | |
1939 #endif | |
1940 return; | |
1941 } | |
1942 | |
1943 | |
1944 #ifdef PNG_FLOATING_POINT_SUPPORTED | |
1945 png_set_sCAL(png_ptr, info_ptr, png_ptr->chunkdata[0], width, height); | |
1946 #else | |
1947 #ifdef PNG_FIXED_POINT_SUPPORTED | |
1948 png_set_sCAL_s(png_ptr, info_ptr, png_ptr->chunkdata[0], swidth, sheight); | |
1949 #endif | |
1950 #endif | |
1951 | |
1952 png_free(png_ptr, png_ptr->chunkdata); | |
1953 png_ptr->chunkdata = NULL; | |
1954 #if defined(PNG_FIXED_POINT_SUPPORTED) && !defined(PNG_FLOATING_POINT_SUPPORTED) | |
1955 png_free(png_ptr, swidth); | |
1956 png_free(png_ptr, sheight); | |
1957 #endif | |
1958 } | 2370 } |
1959 #endif | 2371 #endif |
1960 | 2372 |
1961 #ifdef PNG_READ_tIME_SUPPORTED | 2373 #ifdef PNG_READ_tIME_SUPPORTED |
1962 void /* PRIVATE */ | 2374 void /* PRIVATE */ |
1963 png_handle_tIME(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) | 2375 png_handle_tIME(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length) |
1964 { | 2376 { |
1965 png_byte buf[7]; | 2377 png_byte buf[7]; |
1966 png_time mod_time; | 2378 png_time mod_time; |
1967 | 2379 |
1968 png_debug(1, "in png_handle_tIME"); | 2380 png_debug(1, "in png_handle_tIME"); |
1969 | 2381 |
1970 if (!(png_ptr->mode & PNG_HAVE_IHDR)) | 2382 if ((png_ptr->mode & PNG_HAVE_IHDR) == 0) |
1971 png_error(png_ptr, "Out of place tIME chunk"); | 2383 png_chunk_error(png_ptr, "missing IHDR"); |
1972 else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_tIME)) | 2384 |
| 2385 else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_tIME) != 0) |
1973 { | 2386 { |
1974 png_warning(png_ptr, "Duplicate tIME chunk"); | |
1975 png_crc_finish(png_ptr, length); | 2387 png_crc_finish(png_ptr, length); |
| 2388 png_chunk_benign_error(png_ptr, "duplicate"); |
1976 return; | 2389 return; |
1977 } | 2390 } |
1978 | 2391 |
1979 if (png_ptr->mode & PNG_HAVE_IDAT) | 2392 if ((png_ptr->mode & PNG_HAVE_IDAT) != 0) |
1980 png_ptr->mode |= PNG_AFTER_IDAT; | 2393 png_ptr->mode |= PNG_AFTER_IDAT; |
1981 | 2394 |
1982 if (length != 7) | 2395 if (length != 7) |
1983 { | 2396 { |
1984 png_warning(png_ptr, "Incorrect tIME chunk length"); | |
1985 png_crc_finish(png_ptr, length); | 2397 png_crc_finish(png_ptr, length); |
| 2398 png_chunk_benign_error(png_ptr, "invalid"); |
1986 return; | 2399 return; |
1987 } | 2400 } |
1988 | 2401 |
1989 png_crc_read(png_ptr, buf, 7); | 2402 png_crc_read(png_ptr, buf, 7); |
1990 if (png_crc_finish(png_ptr, 0)) | 2403 |
| 2404 if (png_crc_finish(png_ptr, 0) != 0) |
1991 return; | 2405 return; |
1992 | 2406 |
1993 mod_time.second = buf[6]; | 2407 mod_time.second = buf[6]; |
1994 mod_time.minute = buf[5]; | 2408 mod_time.minute = buf[5]; |
1995 mod_time.hour = buf[4]; | 2409 mod_time.hour = buf[4]; |
1996 mod_time.day = buf[3]; | 2410 mod_time.day = buf[3]; |
1997 mod_time.month = buf[2]; | 2411 mod_time.month = buf[2]; |
1998 mod_time.year = png_get_uint_16(buf); | 2412 mod_time.year = png_get_uint_16(buf); |
1999 | 2413 |
2000 png_set_tIME(png_ptr, info_ptr, &mod_time); | 2414 png_set_tIME(png_ptr, info_ptr, &mod_time); |
2001 } | 2415 } |
2002 #endif | 2416 #endif |
2003 | 2417 |
2004 #ifdef PNG_READ_tEXt_SUPPORTED | 2418 #ifdef PNG_READ_tEXt_SUPPORTED |
2005 /* Note: this does not properly handle chunks that are > 64K under DOS */ | 2419 /* Note: this does not properly handle chunks that are > 64K under DOS */ |
2006 void /* PRIVATE */ | 2420 void /* PRIVATE */ |
2007 png_handle_tEXt(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) | 2421 png_handle_tEXt(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length) |
2008 { | 2422 { |
2009 png_textp text_ptr; | 2423 png_text text_info; |
| 2424 png_bytep buffer; |
2010 png_charp key; | 2425 png_charp key; |
2011 png_charp text; | 2426 png_charp text; |
2012 png_uint_32 skip = 0; | 2427 png_uint_32 skip = 0; |
2013 png_size_t slength; | |
2014 int ret; | |
2015 | 2428 |
2016 png_debug(1, "in png_handle_tEXt"); | 2429 png_debug(1, "in png_handle_tEXt"); |
2017 | 2430 |
2018 #ifdef PNG_USER_LIMITS_SUPPORTED | 2431 #ifdef PNG_USER_LIMITS_SUPPORTED |
2019 if (png_ptr->user_chunk_cache_max != 0) | 2432 if (png_ptr->user_chunk_cache_max != 0) |
2020 { | 2433 { |
2021 if (png_ptr->user_chunk_cache_max == 1) | 2434 if (png_ptr->user_chunk_cache_max == 1) |
2022 { | 2435 { |
2023 png_crc_finish(png_ptr, length); | 2436 png_crc_finish(png_ptr, length); |
2024 return; | 2437 return; |
2025 } | 2438 } |
| 2439 |
2026 if (--png_ptr->user_chunk_cache_max == 1) | 2440 if (--png_ptr->user_chunk_cache_max == 1) |
2027 { | 2441 { |
2028 png_warning(png_ptr, "No space in chunk cache for tEXt"); | |
2029 png_crc_finish(png_ptr, length); | 2442 png_crc_finish(png_ptr, length); |
| 2443 png_chunk_benign_error(png_ptr, "no space in chunk cache"); |
2030 return; | 2444 return; |
2031 } | 2445 } |
2032 } | 2446 } |
2033 #endif | 2447 #endif |
2034 | 2448 |
2035 if (!(png_ptr->mode & PNG_HAVE_IHDR)) | 2449 if ((png_ptr->mode & PNG_HAVE_IHDR) == 0) |
2036 png_error(png_ptr, "Missing IHDR before tEXt"); | 2450 png_chunk_error(png_ptr, "missing IHDR"); |
2037 | 2451 |
2038 if (png_ptr->mode & PNG_HAVE_IDAT) | 2452 if ((png_ptr->mode & PNG_HAVE_IDAT) != 0) |
2039 png_ptr->mode |= PNG_AFTER_IDAT; | 2453 png_ptr->mode |= PNG_AFTER_IDAT; |
2040 | 2454 |
2041 #ifdef PNG_MAX_MALLOC_64K | 2455 #ifdef PNG_MAX_MALLOC_64K |
2042 if (length > (png_uint_32)65535L) | 2456 if (length > 65535U) |
2043 { | 2457 { |
2044 png_warning(png_ptr, "tEXt chunk too large to fit in memory"); | 2458 png_crc_finish(png_ptr, length); |
2045 skip = length - (png_uint_32)65535L; | 2459 png_chunk_benign_error(png_ptr, "too large to fit in memory"); |
2046 length = (png_uint_32)65535L; | 2460 return; |
2047 } | 2461 } |
2048 #endif | 2462 #endif |
2049 | 2463 |
2050 png_free(png_ptr, png_ptr->chunkdata); | 2464 buffer = png_read_buffer(png_ptr, length+1, 1/*warn*/); |
2051 | 2465 |
2052 png_ptr->chunkdata = (png_charp)png_malloc_warn(png_ptr, length + 1); | 2466 if (buffer == NULL) |
2053 if (png_ptr->chunkdata == NULL) | |
2054 { | 2467 { |
2055 png_warning(png_ptr, "No memory to process text chunk."); | 2468 png_chunk_benign_error(png_ptr, "out of memory"); |
2056 return; | 2469 return; |
2057 } | 2470 } |
2058 slength = (png_size_t)length; | |
2059 png_crc_read(png_ptr, (png_bytep)png_ptr->chunkdata, slength); | |
2060 | 2471 |
2061 if (png_crc_finish(png_ptr, skip)) | 2472 png_crc_read(png_ptr, buffer, length); |
2062 { | 2473 |
2063 png_free(png_ptr, png_ptr->chunkdata); | 2474 if (png_crc_finish(png_ptr, skip) != 0) |
2064 png_ptr->chunkdata = NULL; | |
2065 return; | 2475 return; |
2066 } | |
2067 | 2476 |
2068 key = png_ptr->chunkdata; | 2477 key = (png_charp)buffer; |
2069 | 2478 key[length] = 0; |
2070 key[slength] = 0x00; | |
2071 | 2479 |
2072 for (text = key; *text; text++) | 2480 for (text = key; *text; text++) |
2073 /* Empty loop to find end of key */ ; | 2481 /* Empty loop to find end of key */ ; |
2074 | 2482 |
2075 if (text != key + slength) | 2483 if (text != key + length) |
2076 text++; | 2484 text++; |
2077 | 2485 |
2078 text_ptr = (png_textp)png_malloc_warn(png_ptr, | 2486 text_info.compression = PNG_TEXT_COMPRESSION_NONE; |
2079 (png_uint_32)png_sizeof(png_text)); | 2487 text_info.key = key; |
2080 if (text_ptr == NULL) | 2488 text_info.lang = NULL; |
2081 { | 2489 text_info.lang_key = NULL; |
2082 png_warning(png_ptr, "Not enough memory to process text chunk."); | 2490 text_info.itxt_length = 0; |
2083 png_free(png_ptr, png_ptr->chunkdata); | 2491 text_info.text = text; |
2084 png_ptr->chunkdata = NULL; | 2492 text_info.text_length = strlen(text); |
2085 return; | |
2086 } | |
2087 text_ptr->compression = PNG_TEXT_COMPRESSION_NONE; | |
2088 text_ptr->key = key; | |
2089 #ifdef PNG_iTXt_SUPPORTED | |
2090 text_ptr->lang = NULL; | |
2091 text_ptr->lang_key = NULL; | |
2092 text_ptr->itxt_length = 0; | |
2093 #endif | |
2094 text_ptr->text = text; | |
2095 text_ptr->text_length = png_strlen(text); | |
2096 | 2493 |
2097 ret = png_set_text_2(png_ptr, info_ptr, text_ptr, 1); | 2494 if (png_set_text_2(png_ptr, info_ptr, &text_info, 1) != 0) |
2098 | 2495 png_warning(png_ptr, "Insufficient memory to process text chunk"); |
2099 png_free(png_ptr, png_ptr->chunkdata); | |
2100 png_ptr->chunkdata = NULL; | |
2101 png_free(png_ptr, text_ptr); | |
2102 if (ret) | |
2103 png_warning(png_ptr, "Insufficient memory to process text chunk."); | |
2104 } | 2496 } |
2105 #endif | 2497 #endif |
2106 | 2498 |
2107 #ifdef PNG_READ_zTXt_SUPPORTED | 2499 #ifdef PNG_READ_zTXt_SUPPORTED |
2108 /* Note: this does not correctly handle chunks that are > 64K under DOS */ | 2500 /* Note: this does not correctly handle chunks that are > 64K under DOS */ |
2109 void /* PRIVATE */ | 2501 void /* PRIVATE */ |
2110 png_handle_zTXt(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) | 2502 png_handle_zTXt(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length) |
2111 { | 2503 { |
2112 png_textp text_ptr; | 2504 png_const_charp errmsg = NULL; |
2113 png_charp text; | 2505 png_bytep buffer; |
2114 int comp_type; | 2506 png_uint_32 keyword_length; |
2115 int ret; | |
2116 png_size_t slength, prefix_len, data_len; | |
2117 | 2507 |
2118 png_debug(1, "in png_handle_zTXt"); | 2508 png_debug(1, "in png_handle_zTXt"); |
2119 | 2509 |
2120 #ifdef PNG_USER_LIMITS_SUPPORTED | 2510 #ifdef PNG_USER_LIMITS_SUPPORTED |
2121 if (png_ptr->user_chunk_cache_max != 0) | 2511 if (png_ptr->user_chunk_cache_max != 0) |
2122 { | 2512 { |
2123 if (png_ptr->user_chunk_cache_max == 1) | 2513 if (png_ptr->user_chunk_cache_max == 1) |
2124 { | 2514 { |
2125 png_crc_finish(png_ptr, length); | 2515 png_crc_finish(png_ptr, length); |
2126 return; | 2516 return; |
2127 } | 2517 } |
| 2518 |
2128 if (--png_ptr->user_chunk_cache_max == 1) | 2519 if (--png_ptr->user_chunk_cache_max == 1) |
2129 { | 2520 { |
2130 png_warning(png_ptr, "No space in chunk cache for zTXt"); | |
2131 png_crc_finish(png_ptr, length); | 2521 png_crc_finish(png_ptr, length); |
| 2522 png_chunk_benign_error(png_ptr, "no space in chunk cache"); |
2132 return; | 2523 return; |
2133 } | 2524 } |
2134 } | 2525 } |
2135 #endif | 2526 #endif |
2136 | 2527 |
2137 if (!(png_ptr->mode & PNG_HAVE_IHDR)) | 2528 if ((png_ptr->mode & PNG_HAVE_IHDR) == 0) |
2138 png_error(png_ptr, "Missing IHDR before zTXt"); | 2529 png_chunk_error(png_ptr, "missing IHDR"); |
2139 | 2530 |
2140 if (png_ptr->mode & PNG_HAVE_IDAT) | 2531 if ((png_ptr->mode & PNG_HAVE_IDAT) != 0) |
2141 png_ptr->mode |= PNG_AFTER_IDAT; | 2532 png_ptr->mode |= PNG_AFTER_IDAT; |
2142 | 2533 |
2143 #ifdef PNG_MAX_MALLOC_64K | 2534 buffer = png_read_buffer(png_ptr, length, 2/*silent*/); |
2144 /* We will no doubt have problems with chunks even half this size, but | 2535 |
2145 there is no hard and fast rule to tell us where to stop. */ | 2536 if (buffer == NULL) |
2146 if (length > (png_uint_32)65535L) | |
2147 { | 2537 { |
2148 png_warning(png_ptr, "zTXt chunk too large to fit in memory"); | 2538 png_crc_finish(png_ptr, length); |
2149 png_crc_finish(png_ptr, length); | 2539 png_chunk_benign_error(png_ptr, "out of memory"); |
2150 return; | |
2151 } | |
2152 #endif | |
2153 | |
2154 png_free(png_ptr, png_ptr->chunkdata); | |
2155 png_ptr->chunkdata = (png_charp)png_malloc_warn(png_ptr, length + 1); | |
2156 if (png_ptr->chunkdata == NULL) | |
2157 { | |
2158 png_warning(png_ptr, "Out of memory processing zTXt chunk."); | |
2159 return; | |
2160 } | |
2161 slength = (png_size_t)length; | |
2162 png_crc_read(png_ptr, (png_bytep)png_ptr->chunkdata, slength); | |
2163 if (png_crc_finish(png_ptr, 0)) | |
2164 { | |
2165 png_free(png_ptr, png_ptr->chunkdata); | |
2166 png_ptr->chunkdata = NULL; | |
2167 return; | 2540 return; |
2168 } | 2541 } |
2169 | 2542 |
2170 png_ptr->chunkdata[slength] = 0x00; | 2543 png_crc_read(png_ptr, buffer, length); |
2171 | 2544 |
2172 for (text = png_ptr->chunkdata; *text; text++) | 2545 if (png_crc_finish(png_ptr, 0) != 0) |
2173 /* Empty loop */ ; | 2546 return; |
2174 | 2547 |
2175 /* zTXt must have some text after the chunkdataword */ | 2548 /* TODO: also check that the keyword contents match the spec! */ |
2176 if (slength < 2U || text >= png_ptr->chunkdata + slength - 2U) | 2549 for (keyword_length = 0; |
2177 { | 2550 keyword_length < length && buffer[keyword_length] != 0; |
2178 png_warning(png_ptr, "Truncated zTXt chunk"); | 2551 ++keyword_length) |
2179 png_free(png_ptr, png_ptr->chunkdata); | 2552 /* Empty loop to find end of name */ ; |
2180 png_ptr->chunkdata = NULL; | 2553 |
2181 return; | 2554 if (keyword_length > 79 || keyword_length < 1) |
2182 } | 2555 errmsg = "bad keyword"; |
| 2556 |
| 2557 /* zTXt must have some LZ data after the keyword, although it may expand to |
| 2558 * zero bytes; we need a '\0' at the end of the keyword, the compression type |
| 2559 * then the LZ data: |
| 2560 */ |
| 2561 else if (keyword_length + 3 > length) |
| 2562 errmsg = "truncated"; |
| 2563 |
| 2564 else if (buffer[keyword_length+1] != PNG_COMPRESSION_TYPE_BASE) |
| 2565 errmsg = "unknown compression type"; |
| 2566 |
2183 else | 2567 else |
2184 { | 2568 { |
2185 comp_type = *(++text); | 2569 png_alloc_size_t uncompressed_length = PNG_SIZE_MAX; |
2186 if (comp_type != PNG_TEXT_COMPRESSION_zTXt) | 2570 |
2187 { | 2571 /* TODO: at present png_decompress_chunk imposes a single application |
2188 png_warning(png_ptr, "Unknown compression type in zTXt chunk"); | 2572 * level memory limit, this should be split to different values for iCCP |
2189 comp_type = PNG_TEXT_COMPRESSION_zTXt; | 2573 * and text chunks. |
2190 } | 2574 */ |
2191 text++; /* Skip the compression_method byte */ | 2575 if (png_decompress_chunk(png_ptr, length, keyword_length+2, |
| 2576 &uncompressed_length, 1/*terminate*/) == Z_STREAM_END) |
| 2577 { |
| 2578 png_text text; |
| 2579 |
| 2580 /* It worked; png_ptr->read_buffer now looks like a tEXt chunk except |
| 2581 * for the extra compression type byte and the fact that it isn't |
| 2582 * necessarily '\0' terminated. |
| 2583 */ |
| 2584 buffer = png_ptr->read_buffer; |
| 2585 buffer[uncompressed_length+(keyword_length+2)] = 0; |
| 2586 |
| 2587 text.compression = PNG_TEXT_COMPRESSION_zTXt; |
| 2588 text.key = (png_charp)buffer; |
| 2589 text.text = (png_charp)(buffer + keyword_length+2); |
| 2590 text.text_length = uncompressed_length; |
| 2591 text.itxt_length = 0; |
| 2592 text.lang = NULL; |
| 2593 text.lang_key = NULL; |
| 2594 |
| 2595 if (png_set_text_2(png_ptr, info_ptr, &text, 1) != 0) |
| 2596 errmsg = "insufficient memory"; |
| 2597 } |
| 2598 |
| 2599 else |
| 2600 errmsg = png_ptr->zstream.msg; |
2192 } | 2601 } |
2193 prefix_len = text - png_ptr->chunkdata; | |
2194 | 2602 |
2195 png_decompress_chunk(png_ptr, comp_type, | 2603 if (errmsg != NULL) |
2196 (png_size_t)length, prefix_len, &data_len); | 2604 png_chunk_benign_error(png_ptr, errmsg); |
2197 | |
2198 text_ptr = (png_textp)png_malloc_warn(png_ptr, | |
2199 (png_uint_32)png_sizeof(png_text)); | |
2200 if (text_ptr == NULL) | |
2201 { | |
2202 png_warning(png_ptr, "Not enough memory to process zTXt chunk."); | |
2203 png_free(png_ptr, png_ptr->chunkdata); | |
2204 png_ptr->chunkdata = NULL; | |
2205 return; | |
2206 } | |
2207 text_ptr->compression = comp_type; | |
2208 text_ptr->key = png_ptr->chunkdata; | |
2209 #ifdef PNG_iTXt_SUPPORTED | |
2210 text_ptr->lang = NULL; | |
2211 text_ptr->lang_key = NULL; | |
2212 text_ptr->itxt_length = 0; | |
2213 #endif | |
2214 text_ptr->text = png_ptr->chunkdata + prefix_len; | |
2215 text_ptr->text_length = data_len; | |
2216 | |
2217 ret = png_set_text_2(png_ptr, info_ptr, text_ptr, 1); | |
2218 | |
2219 png_free(png_ptr, text_ptr); | |
2220 png_free(png_ptr, png_ptr->chunkdata); | |
2221 png_ptr->chunkdata = NULL; | |
2222 if (ret) | |
2223 png_error(png_ptr, "Insufficient memory to store zTXt chunk."); | |
2224 } | 2605 } |
2225 #endif | 2606 #endif |
2226 | 2607 |
2227 #ifdef PNG_READ_iTXt_SUPPORTED | 2608 #ifdef PNG_READ_iTXt_SUPPORTED |
2228 /* Note: this does not correctly handle chunks that are > 64K under DOS */ | 2609 /* Note: this does not correctly handle chunks that are > 64K under DOS */ |
2229 void /* PRIVATE */ | 2610 void /* PRIVATE */ |
2230 png_handle_iTXt(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) | 2611 png_handle_iTXt(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length) |
2231 { | 2612 { |
2232 png_textp text_ptr; | 2613 png_const_charp errmsg = NULL; |
2233 png_charp key, lang, text, lang_key; | 2614 png_bytep buffer; |
2234 int comp_flag; | 2615 png_uint_32 prefix_length; |
2235 int comp_type = 0; | |
2236 int ret; | |
2237 png_size_t slength, prefix_len, data_len; | |
2238 | 2616 |
2239 png_debug(1, "in png_handle_iTXt"); | 2617 png_debug(1, "in png_handle_iTXt"); |
2240 | 2618 |
2241 #ifdef PNG_USER_LIMITS_SUPPORTED | 2619 #ifdef PNG_USER_LIMITS_SUPPORTED |
2242 if (png_ptr->user_chunk_cache_max != 0) | 2620 if (png_ptr->user_chunk_cache_max != 0) |
2243 { | 2621 { |
2244 if (png_ptr->user_chunk_cache_max == 1) | 2622 if (png_ptr->user_chunk_cache_max == 1) |
2245 { | 2623 { |
2246 png_crc_finish(png_ptr, length); | 2624 png_crc_finish(png_ptr, length); |
2247 return; | 2625 return; |
2248 } | 2626 } |
| 2627 |
2249 if (--png_ptr->user_chunk_cache_max == 1) | 2628 if (--png_ptr->user_chunk_cache_max == 1) |
2250 { | 2629 { |
2251 png_warning(png_ptr, "No space in chunk cache for iTXt"); | |
2252 png_crc_finish(png_ptr, length); | 2630 png_crc_finish(png_ptr, length); |
| 2631 png_chunk_benign_error(png_ptr, "no space in chunk cache"); |
2253 return; | 2632 return; |
2254 } | 2633 } |
2255 } | 2634 } |
2256 #endif | 2635 #endif |
2257 | 2636 |
2258 if (!(png_ptr->mode & PNG_HAVE_IHDR)) | 2637 if ((png_ptr->mode & PNG_HAVE_IHDR) == 0) |
2259 png_error(png_ptr, "Missing IHDR before iTXt"); | 2638 png_chunk_error(png_ptr, "missing IHDR"); |
2260 | 2639 |
2261 if (png_ptr->mode & PNG_HAVE_IDAT) | 2640 if ((png_ptr->mode & PNG_HAVE_IDAT) != 0) |
2262 png_ptr->mode |= PNG_AFTER_IDAT; | 2641 png_ptr->mode |= PNG_AFTER_IDAT; |
2263 | 2642 |
2264 #ifdef PNG_MAX_MALLOC_64K | 2643 buffer = png_read_buffer(png_ptr, length+1, 1/*warn*/); |
2265 /* We will no doubt have problems with chunks even half this size, but | 2644 |
2266 there is no hard and fast rule to tell us where to stop. */ | 2645 if (buffer == NULL) |
2267 if (length > (png_uint_32)65535L) | 2646 { |
2268 { | 2647 png_crc_finish(png_ptr, length); |
2269 png_warning(png_ptr, "iTXt chunk too large to fit in memory"); | 2648 png_chunk_benign_error(png_ptr, "out of memory"); |
2270 png_crc_finish(png_ptr, length); | |
2271 return; | |
2272 } | |
2273 #endif | |
2274 | |
2275 png_free(png_ptr, png_ptr->chunkdata); | |
2276 png_ptr->chunkdata = (png_charp)png_malloc_warn(png_ptr, length + 1); | |
2277 if (png_ptr->chunkdata == NULL) | |
2278 { | |
2279 png_warning(png_ptr, "No memory to process iTXt chunk."); | |
2280 return; | |
2281 } | |
2282 slength = (png_size_t)length; | |
2283 png_crc_read(png_ptr, (png_bytep)png_ptr->chunkdata, slength); | |
2284 if (png_crc_finish(png_ptr, 0)) | |
2285 { | |
2286 png_free(png_ptr, png_ptr->chunkdata); | |
2287 png_ptr->chunkdata = NULL; | |
2288 return; | 2649 return; |
2289 } | 2650 } |
2290 | 2651 |
2291 png_ptr->chunkdata[slength] = 0x00; | 2652 png_crc_read(png_ptr, buffer, length); |
2292 | 2653 |
2293 for (lang = png_ptr->chunkdata; *lang; lang++) | 2654 if (png_crc_finish(png_ptr, 0) != 0) |
| 2655 return; |
| 2656 |
| 2657 /* First the keyword. */ |
| 2658 for (prefix_length=0; |
| 2659 prefix_length < length && buffer[prefix_length] != 0; |
| 2660 ++prefix_length) |
2294 /* Empty loop */ ; | 2661 /* Empty loop */ ; |
2295 lang++; /* Skip NUL separator */ | 2662 |
2296 | 2663 /* Perform a basic check on the keyword length here. */ |
2297 /* iTXt must have a language tag (possibly empty), two compression bytes, | 2664 if (prefix_length > 79 || prefix_length < 1) |
2298 * translated keyword (possibly empty), and possibly some text after the | 2665 errmsg = "bad keyword"; |
2299 * keyword | 2666 |
2300 */ | 2667 /* Expect keyword, compression flag, compression type, language, translated |
2301 | 2668 * keyword (both may be empty but are 0 terminated) then the text, which may |
2302 if (slength < 3U || lang >= png_ptr->chunkdata + slength - 3U) | 2669 * be empty. |
2303 { | 2670 */ |
2304 png_warning(png_ptr, "Truncated iTXt chunk"); | 2671 else if (prefix_length + 5 > length) |
2305 png_free(png_ptr, png_ptr->chunkdata); | 2672 errmsg = "truncated"; |
2306 png_ptr->chunkdata = NULL; | 2673 |
2307 return; | 2674 else if (buffer[prefix_length+1] == 0 || |
2308 } | 2675 (buffer[prefix_length+1] == 1 && |
| 2676 buffer[prefix_length+2] == PNG_COMPRESSION_TYPE_BASE)) |
| 2677 { |
| 2678 int compressed = buffer[prefix_length+1] != 0; |
| 2679 png_uint_32 language_offset, translated_keyword_offset; |
| 2680 png_alloc_size_t uncompressed_length = 0; |
| 2681 |
| 2682 /* Now the language tag */ |
| 2683 prefix_length += 3; |
| 2684 language_offset = prefix_length; |
| 2685 |
| 2686 for (; prefix_length < length && buffer[prefix_length] != 0; |
| 2687 ++prefix_length) |
| 2688 /* Empty loop */ ; |
| 2689 |
| 2690 /* WARNING: the length may be invalid here, this is checked below. */ |
| 2691 translated_keyword_offset = ++prefix_length; |
| 2692 |
| 2693 for (; prefix_length < length && buffer[prefix_length] != 0; |
| 2694 ++prefix_length) |
| 2695 /* Empty loop */ ; |
| 2696 |
| 2697 /* prefix_length should now be at the trailing '\0' of the translated |
| 2698 * keyword, but it may already be over the end. None of this arithmetic |
| 2699 * can overflow because chunks are at most 2^31 bytes long, but on 16-bit |
| 2700 * systems the available allocation may overflow. |
| 2701 */ |
| 2702 ++prefix_length; |
| 2703 |
| 2704 if (compressed == 0 && prefix_length <= length) |
| 2705 uncompressed_length = length - prefix_length; |
| 2706 |
| 2707 else if (compressed != 0 && prefix_length < length) |
| 2708 { |
| 2709 uncompressed_length = PNG_SIZE_MAX; |
| 2710 |
| 2711 /* TODO: at present png_decompress_chunk imposes a single application |
| 2712 * level memory limit, this should be split to different values for |
| 2713 * iCCP and text chunks. |
| 2714 */ |
| 2715 if (png_decompress_chunk(png_ptr, length, prefix_length, |
| 2716 &uncompressed_length, 1/*terminate*/) == Z_STREAM_END) |
| 2717 buffer = png_ptr->read_buffer; |
| 2718 |
| 2719 else |
| 2720 errmsg = png_ptr->zstream.msg; |
| 2721 } |
| 2722 |
| 2723 else |
| 2724 errmsg = "truncated"; |
| 2725 |
| 2726 if (errmsg == NULL) |
| 2727 { |
| 2728 png_text text; |
| 2729 |
| 2730 buffer[uncompressed_length+prefix_length] = 0; |
| 2731 |
| 2732 if (compressed == 0) |
| 2733 text.compression = PNG_ITXT_COMPRESSION_NONE; |
| 2734 |
| 2735 else |
| 2736 text.compression = PNG_ITXT_COMPRESSION_zTXt; |
| 2737 |
| 2738 text.key = (png_charp)buffer; |
| 2739 text.lang = (png_charp)buffer + language_offset; |
| 2740 text.lang_key = (png_charp)buffer + translated_keyword_offset; |
| 2741 text.text = (png_charp)buffer + prefix_length; |
| 2742 text.text_length = 0; |
| 2743 text.itxt_length = uncompressed_length; |
| 2744 |
| 2745 if (png_set_text_2(png_ptr, info_ptr, &text, 1) != 0) |
| 2746 errmsg = "insufficient memory"; |
| 2747 } |
| 2748 } |
| 2749 |
2309 else | 2750 else |
2310 { | 2751 errmsg = "bad compression info"; |
2311 comp_flag = *lang++; | 2752 |
2312 comp_type = *lang++; | 2753 if (errmsg != NULL) |
2313 } | 2754 png_chunk_benign_error(png_ptr, errmsg); |
2314 | |
2315 for (lang_key = lang; *lang_key; lang_key++) | |
2316 /* Empty loop */ ; | |
2317 lang_key++; /* Skip NUL separator */ | |
2318 | |
2319 if (lang_key >= png_ptr->chunkdata + slength) | |
2320 { | |
2321 png_warning(png_ptr, "Truncated iTXt chunk"); | |
2322 png_free(png_ptr, png_ptr->chunkdata); | |
2323 png_ptr->chunkdata = NULL; | |
2324 return; | |
2325 } | |
2326 | |
2327 for (text = lang_key; *text; text++) | |
2328 /* Empty loop */ ; | |
2329 text++; /* Skip NUL separator */ | |
2330 if (text >= png_ptr->chunkdata + slength) | |
2331 { | |
2332 png_warning(png_ptr, "Malformed iTXt chunk"); | |
2333 png_free(png_ptr, png_ptr->chunkdata); | |
2334 png_ptr->chunkdata = NULL; | |
2335 return; | |
2336 } | |
2337 | |
2338 prefix_len = text - png_ptr->chunkdata; | |
2339 | |
2340 key=png_ptr->chunkdata; | |
2341 if (comp_flag) | |
2342 png_decompress_chunk(png_ptr, comp_type, | |
2343 (size_t)length, prefix_len, &data_len); | |
2344 else | |
2345 data_len = png_strlen(png_ptr->chunkdata + prefix_len); | |
2346 text_ptr = (png_textp)png_malloc_warn(png_ptr, | |
2347 (png_uint_32)png_sizeof(png_text)); | |
2348 if (text_ptr == NULL) | |
2349 { | |
2350 png_warning(png_ptr, "Not enough memory to process iTXt chunk."); | |
2351 png_free(png_ptr, png_ptr->chunkdata); | |
2352 png_ptr->chunkdata = NULL; | |
2353 return; | |
2354 } | |
2355 text_ptr->compression = (int)comp_flag + 1; | |
2356 text_ptr->lang_key = png_ptr->chunkdata + (lang_key - key); | |
2357 text_ptr->lang = png_ptr->chunkdata + (lang - key); | |
2358 text_ptr->itxt_length = data_len; | |
2359 text_ptr->text_length = 0; | |
2360 text_ptr->key = png_ptr->chunkdata; | |
2361 text_ptr->text = png_ptr->chunkdata + prefix_len; | |
2362 | |
2363 ret = png_set_text_2(png_ptr, info_ptr, text_ptr, 1); | |
2364 | |
2365 png_free(png_ptr, text_ptr); | |
2366 png_free(png_ptr, png_ptr->chunkdata); | |
2367 png_ptr->chunkdata = NULL; | |
2368 if (ret) | |
2369 png_error(png_ptr, "Insufficient memory to store iTXt chunk."); | |
2370 } | 2755 } |
2371 #endif | 2756 #endif |
2372 | 2757 |
2373 /* This function is called when we haven't found a handler for a | 2758 #ifdef PNG_READ_UNKNOWN_CHUNKS_SUPPORTED |
2374 chunk. If there isn't a problem with the chunk itself (ie bad | 2759 /* Utility function for png_handle_unknown; set up png_ptr::unknown_chunk */ |
2375 chunk name, CRC, or a critical chunk), the chunk is silently ignored | 2760 static int |
2376 -- unless the PNG_FLAG_UNKNOWN_CHUNKS_SUPPORTED flag is on in which | 2761 png_cache_unknown_chunk(png_structrp png_ptr, png_uint_32 length) |
2377 case it will be saved away to be written out later. */ | 2762 { |
| 2763 png_alloc_size_t limit = PNG_SIZE_MAX; |
| 2764 |
| 2765 if (png_ptr->unknown_chunk.data != NULL) |
| 2766 { |
| 2767 png_free(png_ptr, png_ptr->unknown_chunk.data); |
| 2768 png_ptr->unknown_chunk.data = NULL; |
| 2769 } |
| 2770 |
| 2771 # ifdef PNG_SET_USER_LIMITS_SUPPORTED |
| 2772 if (png_ptr->user_chunk_malloc_max > 0 && |
| 2773 png_ptr->user_chunk_malloc_max < limit) |
| 2774 limit = png_ptr->user_chunk_malloc_max; |
| 2775 |
| 2776 # elif PNG_USER_CHUNK_MALLOC_MAX > 0 |
| 2777 if (PNG_USER_CHUNK_MALLOC_MAX < limit) |
| 2778 limit = PNG_USER_CHUNK_MALLOC_MAX; |
| 2779 # endif |
| 2780 |
| 2781 if (length <= limit) |
| 2782 { |
| 2783 PNG_CSTRING_FROM_CHUNK(png_ptr->unknown_chunk.name, png_ptr->chunk_name); |
| 2784 /* The following is safe because of the PNG_SIZE_MAX init above */ |
| 2785 png_ptr->unknown_chunk.size = (png_size_t)length/*SAFE*/; |
| 2786 /* 'mode' is a flag array, only the bottom four bits matter here */ |
| 2787 png_ptr->unknown_chunk.location = (png_byte)png_ptr->mode/*SAFE*/; |
| 2788 |
| 2789 if (length == 0) |
| 2790 png_ptr->unknown_chunk.data = NULL; |
| 2791 |
| 2792 else |
| 2793 { |
| 2794 /* Do a 'warn' here - it is handled below. */ |
| 2795 png_ptr->unknown_chunk.data = png_voidcast(png_bytep, |
| 2796 png_malloc_warn(png_ptr, length)); |
| 2797 } |
| 2798 } |
| 2799 |
| 2800 if (png_ptr->unknown_chunk.data == NULL && length > 0) |
| 2801 { |
| 2802 /* This is benign because we clean up correctly */ |
| 2803 png_crc_finish(png_ptr, length); |
| 2804 png_chunk_benign_error(png_ptr, "unknown chunk exceeds memory limits"); |
| 2805 return 0; |
| 2806 } |
| 2807 |
| 2808 else |
| 2809 { |
| 2810 if (length > 0) |
| 2811 png_crc_read(png_ptr, png_ptr->unknown_chunk.data, length); |
| 2812 png_crc_finish(png_ptr, 0); |
| 2813 return 1; |
| 2814 } |
| 2815 } |
| 2816 #endif /* READ_UNKNOWN_CHUNKS */ |
| 2817 |
| 2818 /* Handle an unknown, or known but disabled, chunk */ |
2378 void /* PRIVATE */ | 2819 void /* PRIVATE */ |
2379 png_handle_unknown(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) | 2820 png_handle_unknown(png_structrp png_ptr, png_inforp info_ptr, |
| 2821 png_uint_32 length, int keep) |
2380 { | 2822 { |
2381 png_uint_32 skip = 0; | 2823 int handled = 0; /* the chunk was handled */ |
2382 | 2824 |
2383 png_debug(1, "in png_handle_unknown"); | 2825 png_debug(1, "in png_handle_unknown"); |
2384 | 2826 |
2385 #ifdef PNG_USER_LIMITS_SUPPORTED | 2827 #ifdef PNG_READ_UNKNOWN_CHUNKS_SUPPORTED |
2386 if (png_ptr->user_chunk_cache_max != 0) | 2828 /* NOTE: this code is based on the code in libpng-1.4.12 except for fixing |
2387 { | 2829 * the bug which meant that setting a non-default behavior for a specific |
2388 if (png_ptr->user_chunk_cache_max == 1) | 2830 * chunk would be ignored (the default was always used unless a user |
| 2831 * callback was installed). |
| 2832 * |
| 2833 * 'keep' is the value from the png_chunk_unknown_handling, the setting for |
| 2834 * this specific chunk_name, if PNG_HANDLE_AS_UNKNOWN_SUPPORTED, if not it |
| 2835 * will always be PNG_HANDLE_CHUNK_AS_DEFAULT and it needs to be set here. |
| 2836 * This is just an optimization to avoid multiple calls to the lookup |
| 2837 * function. |
| 2838 */ |
| 2839 # ifndef PNG_HANDLE_AS_UNKNOWN_SUPPORTED |
| 2840 # ifdef PNG_SET_UNKNOWN_CHUNKS_SUPPORTED |
| 2841 keep = png_chunk_unknown_handling(png_ptr, png_ptr->chunk_name); |
| 2842 # endif |
| 2843 # endif |
| 2844 |
| 2845 /* One of the following methods will read the chunk or skip it (at least one |
| 2846 * of these is always defined because this is the only way to switch on |
| 2847 * PNG_READ_UNKNOWN_CHUNKS_SUPPORTED) |
| 2848 */ |
| 2849 # ifdef PNG_READ_USER_CHUNKS_SUPPORTED |
| 2850 /* The user callback takes precedence over the chunk keep value, but the |
| 2851 * keep value is still required to validate a save of a critical chunk. |
| 2852 */ |
| 2853 if (png_ptr->read_user_chunk_fn != NULL) |
| 2854 { |
| 2855 if (png_cache_unknown_chunk(png_ptr, length) != 0) |
2389 { | 2856 { |
2390 png_crc_finish(png_ptr, length); | 2857 /* Callback to user unknown chunk handler */ |
2391 return; | 2858 int ret = (*(png_ptr->read_user_chunk_fn))(png_ptr, |
2392 } | 2859 &png_ptr->unknown_chunk); |
2393 if (--png_ptr->user_chunk_cache_max == 1) | 2860 |
2394 { | 2861 /* ret is: |
2395 png_warning(png_ptr, "No space in chunk cache for unknown chunk"); | 2862 * negative: An error occurred; png_chunk_error will be called. |
2396 png_crc_finish(png_ptr, length); | 2863 * zero: The chunk was not handled, the chunk will be discarded |
2397 return; | 2864 * unless png_set_keep_unknown_chunks has been used to set |
2398 } | 2865 * a 'keep' behavior for this particular chunk, in which |
2399 } | 2866 * case that will be used. A critical chunk will cause an |
2400 #endif | 2867 * error at this point unless it is to be saved. |
2401 | 2868 * positive: The chunk was handled, libpng will ignore/discard it. |
2402 if (png_ptr->mode & PNG_HAVE_IDAT) | 2869 */ |
2403 { | 2870 if (ret < 0) |
2404 #ifdef PNG_USE_LOCAL_ARRAYS | 2871 png_chunk_error(png_ptr, "error in user chunk"); |
2405 PNG_CONST PNG_IDAT; | 2872 |
2406 #endif | 2873 else if (ret == 0) |
2407 if (png_memcmp(png_ptr->chunk_name, png_IDAT, 4)) /* Not an IDAT */ | |
2408 png_ptr->mode |= PNG_AFTER_IDAT; | |
2409 } | |
2410 | |
2411 if (!(png_ptr->chunk_name[0] & 0x20)) | |
2412 { | |
2413 #ifdef PNG_HANDLE_AS_UNKNOWN_SUPPORTED | |
2414 if (png_handle_as_unknown(png_ptr, png_ptr->chunk_name) != | |
2415 PNG_HANDLE_CHUNK_ALWAYS | |
2416 #ifdef PNG_READ_USER_CHUNKS_SUPPORTED | |
2417 && png_ptr->read_user_chunk_fn == NULL | |
2418 #endif | |
2419 ) | |
2420 #endif | |
2421 png_chunk_error(png_ptr, "unknown critical chunk"); | |
2422 } | |
2423 | |
2424 #ifdef PNG_READ_UNKNOWN_CHUNKS_SUPPORTED | |
2425 if ((png_ptr->flags & PNG_FLAG_KEEP_UNKNOWN_CHUNKS) | |
2426 #ifdef PNG_READ_USER_CHUNKS_SUPPORTED | |
2427 || (png_ptr->read_user_chunk_fn != NULL) | |
2428 #endif | |
2429 ) | |
2430 { | |
2431 #ifdef PNG_MAX_MALLOC_64K | |
2432 if (length > (png_uint_32)65535L) | |
2433 { | |
2434 png_warning(png_ptr, "unknown chunk too large to fit in memory"); | |
2435 skip = length - (png_uint_32)65535L; | |
2436 length = (png_uint_32)65535L; | |
2437 } | |
2438 #endif | |
2439 png_memcpy((png_charp)png_ptr->unknown_chunk.name, | |
2440 (png_charp)png_ptr->chunk_name, | |
2441 png_sizeof(png_ptr->unknown_chunk.name)); | |
2442 png_ptr->unknown_chunk.name[png_sizeof(png_ptr->unknown_chunk.name)-1] | |
2443 = '\0'; | |
2444 png_ptr->unknown_chunk.size = (png_size_t)length; | |
2445 if (length == 0) | |
2446 png_ptr->unknown_chunk.data = NULL; | |
2447 else | |
2448 { | |
2449 png_ptr->unknown_chunk.data = (png_bytep)png_malloc(png_ptr, length); | |
2450 png_crc_read(png_ptr, (png_bytep)png_ptr->unknown_chunk.data, length); | |
2451 } | |
2452 #ifdef PNG_READ_USER_CHUNKS_SUPPORTED | |
2453 if (png_ptr->read_user_chunk_fn != NULL) | |
2454 { | |
2455 /* Callback to user unknown chunk handler */ | |
2456 int ret; | |
2457 ret = (*(png_ptr->read_user_chunk_fn)) | |
2458 (png_ptr, &png_ptr->unknown_chunk); | |
2459 if (ret < 0) | |
2460 png_chunk_error(png_ptr, "error in user chunk"); | |
2461 if (ret == 0) | |
2462 { | |
2463 if (!(png_ptr->chunk_name[0] & 0x20)) | |
2464 #ifdef PNG_HANDLE_AS_UNKNOWN_SUPPORTED | |
2465 if (png_handle_as_unknown(png_ptr, png_ptr->chunk_name) != | |
2466 PNG_HANDLE_CHUNK_ALWAYS) | |
2467 #endif | |
2468 png_chunk_error(png_ptr, "unknown critical chunk"); | |
2469 png_set_unknown_chunks(png_ptr, info_ptr, | |
2470 &png_ptr->unknown_chunk, 1); | |
2471 } | |
2472 } | |
2473 else | |
2474 #endif | |
2475 png_set_unknown_chunks(png_ptr, info_ptr, &png_ptr->unknown_chunk, 1); | |
2476 png_free(png_ptr, png_ptr->unknown_chunk.data); | |
2477 png_ptr->unknown_chunk.data = NULL; | |
2478 } | |
2479 else | |
2480 #endif | |
2481 skip = length; | |
2482 | |
2483 png_crc_finish(png_ptr, skip); | |
2484 | |
2485 #ifndef PNG_READ_USER_CHUNKS_SUPPORTED | |
2486 PNG_UNUSED(info_ptr) /* Quiet compiler warnings about unused info_ptr */ | |
2487 #endif | |
2488 } | |
2489 | |
2490 /* This function is called to verify that a chunk name is valid. | |
2491 This function can't have the "critical chunk check" incorporated | |
2492 into it, since in the future we will need to be able to call user | |
2493 functions to handle unknown critical chunks after we check that | |
2494 the chunk name itself is valid. */ | |
2495 | |
2496 #define isnonalpha(c) ((c) < 65 || (c) > 122 || ((c) > 90 && (c) < 97)) | |
2497 | |
2498 void /* PRIVATE */ | |
2499 png_check_chunk_name(png_structp png_ptr, png_bytep chunk_name) | |
2500 { | |
2501 png_debug(1, "in png_check_chunk_name"); | |
2502 if (isnonalpha(chunk_name[0]) || isnonalpha(chunk_name[1]) || | |
2503 isnonalpha(chunk_name[2]) || isnonalpha(chunk_name[3])) | |
2504 { | |
2505 png_chunk_error(png_ptr, "invalid chunk type"); | |
2506 } | |
2507 } | |
2508 | |
2509 /* Combines the row recently read in with the existing pixels in the | |
2510 row. This routine takes care of alpha and transparency if requested. | |
2511 This routine also handles the two methods of progressive display | |
2512 of interlaced images, depending on the mask value. | |
2513 The mask value describes which pixels are to be combined with | |
2514 the row. The pattern always repeats every 8 pixels, so just 8 | |
2515 bits are needed. A one indicates the pixel is to be combined, | |
2516 a zero indicates the pixel is to be skipped. This is in addition | |
2517 to any alpha or transparency value associated with the pixel. If | |
2518 you want all pixels to be combined, pass 0xff (255) in mask. */ | |
2519 | |
2520 void /* PRIVATE */ | |
2521 png_combine_row(png_structp png_ptr, png_bytep row, int mask) | |
2522 { | |
2523 png_debug(1, "in png_combine_row"); | |
2524 if (mask == 0xff) | |
2525 { | |
2526 png_memcpy(row, png_ptr->row_buf + 1, | |
2527 PNG_ROWBYTES(png_ptr->row_info.pixel_depth, png_ptr->width)); | |
2528 } | |
2529 else | |
2530 { | |
2531 switch (png_ptr->row_info.pixel_depth) | |
2532 { | |
2533 case 1: | |
2534 { | 2874 { |
2535 png_bytep sp = png_ptr->row_buf + 1; | 2875 /* If the keep value is 'default' or 'never' override it, but |
2536 png_bytep dp = row; | 2876 * still error out on critical chunks unless the keep value is |
2537 int s_inc, s_start, s_end; | 2877 * 'always' While this is weird it is the behavior in 1.4.12. |
2538 int m = 0x80; | 2878 * A possible improvement would be to obey the value set for the |
2539 int shift; | 2879 * chunk, but this would be an API change that would probably |
2540 png_uint_32 i; | 2880 * damage some applications. |
2541 png_uint_32 row_width = png_ptr->width; | 2881 * |
2542 | 2882 * The png_app_warning below catches the case that matters, where |
2543 #ifdef PNG_READ_PACKSWAP_SUPPORTED | 2883 * the application has not set specific save or ignore for this |
2544 if (png_ptr->transformations & PNG_PACKSWAP) | 2884 * chunk or global save or ignore. |
| 2885 */ |
| 2886 if (keep < PNG_HANDLE_CHUNK_IF_SAFE) |
2545 { | 2887 { |
2546 s_start = 0; | 2888 # ifdef PNG_SET_UNKNOWN_CHUNKS_SUPPORTED |
2547 s_end = 7; | 2889 if (png_ptr->unknown_default < PNG_HANDLE_CHUNK_IF_SAFE) |
2548 s_inc = 1; | 2890 { |
| 2891 png_chunk_warning(png_ptr, "Saving unknown chunk:"); |
| 2892 png_app_warning(png_ptr, |
| 2893 "forcing save of an unhandled chunk;" |
| 2894 " please call png_set_keep_unknown_chunks"); |
| 2895 /* with keep = PNG_HANDLE_CHUNK_IF_SAFE */ |
| 2896 } |
| 2897 # endif |
| 2898 keep = PNG_HANDLE_CHUNK_IF_SAFE; |
2549 } | 2899 } |
2550 else | |
2551 #endif | |
2552 { | |
2553 s_start = 7; | |
2554 s_end = 0; | |
2555 s_inc = -1; | |
2556 } | |
2557 | |
2558 shift = s_start; | |
2559 | |
2560 for (i = 0; i < row_width; i++) | |
2561 { | |
2562 if (m & mask) | |
2563 { | |
2564 int value; | |
2565 | |
2566 value = (*sp >> shift) & 0x01; | |
2567 *dp &= (png_byte)((0x7f7f >> (7 - shift)) & 0xff); | |
2568 *dp |= (png_byte)(value << shift); | |
2569 } | |
2570 | |
2571 if (shift == s_end) | |
2572 { | |
2573 shift = s_start; | |
2574 sp++; | |
2575 dp++; | |
2576 } | |
2577 else | |
2578 shift += s_inc; | |
2579 | |
2580 if (m == 1) | |
2581 m = 0x80; | |
2582 else | |
2583 m >>= 1; | |
2584 } | |
2585 break; | |
2586 } | 2900 } |
2587 case 2: | 2901 |
| 2902 else /* chunk was handled */ |
2588 { | 2903 { |
2589 png_bytep sp = png_ptr->row_buf + 1; | 2904 handled = 1; |
2590 png_bytep dp = row; | 2905 /* Critical chunks can be safely discarded at this point. */ |
2591 int s_start, s_end, s_inc; | 2906 keep = PNG_HANDLE_CHUNK_NEVER; |
2592 int m = 0x80; | |
2593 int shift; | |
2594 png_uint_32 i; | |
2595 png_uint_32 row_width = png_ptr->width; | |
2596 int value; | |
2597 | |
2598 #ifdef PNG_READ_PACKSWAP_SUPPORTED | |
2599 if (png_ptr->transformations & PNG_PACKSWAP) | |
2600 { | |
2601 s_start = 0; | |
2602 s_end = 6; | |
2603 s_inc = 2; | |
2604 } | |
2605 else | |
2606 #endif | |
2607 { | |
2608 s_start = 6; | |
2609 s_end = 0; | |
2610 s_inc = -2; | |
2611 } | |
2612 | |
2613 shift = s_start; | |
2614 | |
2615 for (i = 0; i < row_width; i++) | |
2616 { | |
2617 if (m & mask) | |
2618 { | |
2619 value = (*sp >> shift) & 0x03; | |
2620 *dp &= (png_byte)((0x3f3f >> (6 - shift)) & 0xff); | |
2621 *dp |= (png_byte)(value << shift); | |
2622 } | |
2623 | |
2624 if (shift == s_end) | |
2625 { | |
2626 shift = s_start; | |
2627 sp++; | |
2628 dp++; | |
2629 } | |
2630 else | |
2631 shift += s_inc; | |
2632 if (m == 1) | |
2633 m = 0x80; | |
2634 else | |
2635 m >>= 1; | |
2636 } | |
2637 break; | |
2638 } | |
2639 case 4: | |
2640 { | |
2641 png_bytep sp = png_ptr->row_buf + 1; | |
2642 png_bytep dp = row; | |
2643 int s_start, s_end, s_inc; | |
2644 int m = 0x80; | |
2645 int shift; | |
2646 png_uint_32 i; | |
2647 png_uint_32 row_width = png_ptr->width; | |
2648 int value; | |
2649 | |
2650 #ifdef PNG_READ_PACKSWAP_SUPPORTED | |
2651 if (png_ptr->transformations & PNG_PACKSWAP) | |
2652 { | |
2653 s_start = 0; | |
2654 s_end = 4; | |
2655 s_inc = 4; | |
2656 } | |
2657 else | |
2658 #endif | |
2659 { | |
2660 s_start = 4; | |
2661 s_end = 0; | |
2662 s_inc = -4; | |
2663 } | |
2664 shift = s_start; | |
2665 | |
2666 for (i = 0; i < row_width; i++) | |
2667 { | |
2668 if (m & mask) | |
2669 { | |
2670 value = (*sp >> shift) & 0xf; | |
2671 *dp &= (png_byte)((0xf0f >> (4 - shift)) & 0xff); | |
2672 *dp |= (png_byte)(value << shift); | |
2673 } | |
2674 | |
2675 if (shift == s_end) | |
2676 { | |
2677 shift = s_start; | |
2678 sp++; | |
2679 dp++; | |
2680 } | |
2681 else | |
2682 shift += s_inc; | |
2683 if (m == 1) | |
2684 m = 0x80; | |
2685 else | |
2686 m >>= 1; | |
2687 } | |
2688 break; | |
2689 } | |
2690 default: | |
2691 { | |
2692 png_bytep sp = png_ptr->row_buf + 1; | |
2693 png_bytep dp = row; | |
2694 png_size_t pixel_bytes = (png_ptr->row_info.pixel_depth >> 3); | |
2695 png_uint_32 i; | |
2696 png_uint_32 row_width = png_ptr->width; | |
2697 png_byte m = 0x80; | |
2698 | |
2699 | |
2700 for (i = 0; i < row_width; i++) | |
2701 { | |
2702 if (m & mask) | |
2703 { | |
2704 png_memcpy(dp, sp, pixel_bytes); | |
2705 } | |
2706 | |
2707 sp += pixel_bytes; | |
2708 dp += pixel_bytes; | |
2709 | |
2710 if (m == 1) | |
2711 m = 0x80; | |
2712 else | |
2713 m >>= 1; | |
2714 } | |
2715 break; | |
2716 } | 2907 } |
2717 } | 2908 } |
2718 } | 2909 |
| 2910 else |
| 2911 keep = PNG_HANDLE_CHUNK_NEVER; /* insufficient memory */ |
| 2912 } |
| 2913 |
| 2914 else |
| 2915 /* Use the SAVE_UNKNOWN_CHUNKS code or skip the chunk */ |
| 2916 # endif /* READ_USER_CHUNKS */ |
| 2917 |
| 2918 # ifdef PNG_SAVE_UNKNOWN_CHUNKS_SUPPORTED |
| 2919 { |
| 2920 /* keep is currently just the per-chunk setting, if there was no |
| 2921 * setting change it to the global default now (not that this may |
| 2922 * still be AS_DEFAULT) then obtain the cache of the chunk if required, |
| 2923 * if not simply skip the chunk. |
| 2924 */ |
| 2925 if (keep == PNG_HANDLE_CHUNK_AS_DEFAULT) |
| 2926 keep = png_ptr->unknown_default; |
| 2927 |
| 2928 if (keep == PNG_HANDLE_CHUNK_ALWAYS || |
| 2929 (keep == PNG_HANDLE_CHUNK_IF_SAFE && |
| 2930 PNG_CHUNK_ANCILLARY(png_ptr->chunk_name))) |
| 2931 { |
| 2932 if (png_cache_unknown_chunk(png_ptr, length) == 0) |
| 2933 keep = PNG_HANDLE_CHUNK_NEVER; |
| 2934 } |
| 2935 |
| 2936 else |
| 2937 png_crc_finish(png_ptr, length); |
| 2938 } |
| 2939 # else |
| 2940 # ifndef PNG_READ_USER_CHUNKS_SUPPORTED |
| 2941 # error no method to support READ_UNKNOWN_CHUNKS |
| 2942 # endif |
| 2943 |
| 2944 { |
| 2945 /* If here there is no read callback pointer set and no support is |
| 2946 * compiled in to just save the unknown chunks, so simply skip this |
| 2947 * chunk. If 'keep' is something other than AS_DEFAULT or NEVER then |
| 2948 * the app has erroneously asked for unknown chunk saving when there |
| 2949 * is no support. |
| 2950 */ |
| 2951 if (keep > PNG_HANDLE_CHUNK_NEVER) |
| 2952 png_app_error(png_ptr, "no unknown chunk support available"); |
| 2953 |
| 2954 png_crc_finish(png_ptr, length); |
| 2955 } |
| 2956 # endif |
| 2957 |
| 2958 # ifdef PNG_STORE_UNKNOWN_CHUNKS_SUPPORTED |
| 2959 /* Now store the chunk in the chunk list if appropriate, and if the limits |
| 2960 * permit it. |
| 2961 */ |
| 2962 if (keep == PNG_HANDLE_CHUNK_ALWAYS || |
| 2963 (keep == PNG_HANDLE_CHUNK_IF_SAFE && |
| 2964 PNG_CHUNK_ANCILLARY(png_ptr->chunk_name))) |
| 2965 { |
| 2966 # ifdef PNG_USER_LIMITS_SUPPORTED |
| 2967 switch (png_ptr->user_chunk_cache_max) |
| 2968 { |
| 2969 case 2: |
| 2970 png_ptr->user_chunk_cache_max = 1; |
| 2971 png_chunk_benign_error(png_ptr, "no space in chunk cache"); |
| 2972 /* FALL THROUGH */ |
| 2973 case 1: |
| 2974 /* NOTE: prior to 1.6.0 this case resulted in an unknown critical |
| 2975 * chunk being skipped, now there will be a hard error below. |
| 2976 */ |
| 2977 break; |
| 2978 |
| 2979 default: /* not at limit */ |
| 2980 --(png_ptr->user_chunk_cache_max); |
| 2981 /* FALL THROUGH */ |
| 2982 case 0: /* no limit */ |
| 2983 # endif /* USER_LIMITS */ |
| 2984 /* Here when the limit isn't reached or when limits are compiled |
| 2985 * out; store the chunk. |
| 2986 */ |
| 2987 png_set_unknown_chunks(png_ptr, info_ptr, |
| 2988 &png_ptr->unknown_chunk, 1); |
| 2989 handled = 1; |
| 2990 # ifdef PNG_USER_LIMITS_SUPPORTED |
| 2991 break; |
| 2992 } |
| 2993 # endif |
| 2994 } |
| 2995 # else /* no store support: the chunk must be handled by the user callback */ |
| 2996 PNG_UNUSED(info_ptr) |
| 2997 # endif |
| 2998 |
| 2999 /* Regardless of the error handling below the cached data (if any) can be |
| 3000 * freed now. Notice that the data is not freed if there is a png_error, but |
| 3001 * it will be freed by destroy_read_struct. |
| 3002 */ |
| 3003 if (png_ptr->unknown_chunk.data != NULL) |
| 3004 png_free(png_ptr, png_ptr->unknown_chunk.data); |
| 3005 png_ptr->unknown_chunk.data = NULL; |
| 3006 |
| 3007 #else /* !PNG_READ_UNKNOWN_CHUNKS_SUPPORTED */ |
| 3008 /* There is no support to read an unknown chunk, so just skip it. */ |
| 3009 png_crc_finish(png_ptr, length); |
| 3010 PNG_UNUSED(info_ptr) |
| 3011 PNG_UNUSED(keep) |
| 3012 #endif /* !READ_UNKNOWN_CHUNKS */ |
| 3013 |
| 3014 /* Check for unhandled critical chunks */ |
| 3015 if (handled == 0 && PNG_CHUNK_CRITICAL(png_ptr->chunk_name)) |
| 3016 png_chunk_error(png_ptr, "unhandled critical chunk"); |
2719 } | 3017 } |
2720 | 3018 |
2721 #ifdef PNG_READ_INTERLACING_SUPPORTED | 3019 /* This function is called to verify that a chunk name is valid. |
2722 /* OLD pre-1.0.9 interface: | 3020 * This function can't have the "critical chunk check" incorporated |
2723 void png_do_read_interlace(png_row_infop row_info, png_bytep row, int pass, | 3021 * into it, since in the future we will need to be able to call user |
2724 png_uint_32 transformations) | 3022 * functions to handle unknown critical chunks after we check that |
| 3023 * the chunk name itself is valid. |
| 3024 */ |
| 3025 |
| 3026 /* Bit hacking: the test for an invalid byte in the 4 byte chunk name is: |
| 3027 * |
| 3028 * ((c) < 65 || (c) > 122 || ((c) > 90 && (c) < 97)) |
| 3029 */ |
| 3030 |
| 3031 void /* PRIVATE */ |
| 3032 png_check_chunk_name(png_structrp png_ptr, png_uint_32 chunk_name) |
| 3033 { |
| 3034 int i; |
| 3035 |
| 3036 png_debug(1, "in png_check_chunk_name"); |
| 3037 |
| 3038 for (i=1; i<=4; ++i) |
| 3039 { |
| 3040 int c = chunk_name & 0xff; |
| 3041 |
| 3042 if (c < 65 || c > 122 || (c > 90 && c < 97)) |
| 3043 png_chunk_error(png_ptr, "invalid chunk type"); |
| 3044 |
| 3045 chunk_name >>= 8; |
| 3046 } |
| 3047 } |
| 3048 |
| 3049 /* Combines the row recently read in with the existing pixels in the row. This |
| 3050 * routine takes care of alpha and transparency if requested. This routine also |
| 3051 * handles the two methods of progressive display of interlaced images, |
| 3052 * depending on the 'display' value; if 'display' is true then the whole row |
| 3053 * (dp) is filled from the start by replicating the available pixels. If |
| 3054 * 'display' is false only those pixels present in the pass are filled in. |
2725 */ | 3055 */ |
2726 void /* PRIVATE */ | 3056 void /* PRIVATE */ |
2727 png_do_read_interlace(png_structp png_ptr) | 3057 png_combine_row(png_const_structrp png_ptr, png_bytep dp, int display) |
2728 { | 3058 { |
2729 png_row_infop row_info = &(png_ptr->row_info); | 3059 unsigned int pixel_depth = png_ptr->transformed_pixel_depth; |
2730 png_bytep row = png_ptr->row_buf + 1; | 3060 png_const_bytep sp = png_ptr->row_buf + 1; |
2731 int pass = png_ptr->pass; | 3061 png_alloc_size_t row_width = png_ptr->width; |
2732 png_uint_32 transformations = png_ptr->transformations; | 3062 unsigned int pass = png_ptr->pass; |
| 3063 png_bytep end_ptr = 0; |
| 3064 png_byte end_byte = 0; |
| 3065 unsigned int end_mask; |
| 3066 |
| 3067 png_debug(1, "in png_combine_row"); |
| 3068 |
| 3069 /* Added in 1.5.6: it should not be possible to enter this routine until at |
| 3070 * least one row has been read from the PNG data and transformed. |
| 3071 */ |
| 3072 if (pixel_depth == 0) |
| 3073 png_error(png_ptr, "internal row logic error"); |
| 3074 |
| 3075 /* Added in 1.5.4: the pixel depth should match the information returned by |
| 3076 * any call to png_read_update_info at this point. Do not continue if we got |
| 3077 * this wrong. |
| 3078 */ |
| 3079 if (png_ptr->info_rowbytes != 0 && png_ptr->info_rowbytes != |
| 3080 PNG_ROWBYTES(pixel_depth, row_width)) |
| 3081 png_error(png_ptr, "internal row size calculation error"); |
| 3082 |
| 3083 /* Don't expect this to ever happen: */ |
| 3084 if (row_width == 0) |
| 3085 png_error(png_ptr, "internal row width error"); |
| 3086 |
| 3087 /* Preserve the last byte in cases where only part of it will be overwritten, |
| 3088 * the multiply below may overflow, we don't care because ANSI-C guarantees |
| 3089 * we get the low bits. |
| 3090 */ |
| 3091 end_mask = (pixel_depth * row_width) & 7; |
| 3092 if (end_mask != 0) |
| 3093 { |
| 3094 /* end_ptr == NULL is a flag to say do nothing */ |
| 3095 end_ptr = dp + PNG_ROWBYTES(pixel_depth, row_width) - 1; |
| 3096 end_byte = *end_ptr; |
| 3097 # ifdef PNG_READ_PACKSWAP_SUPPORTED |
| 3098 if ((png_ptr->transformations & PNG_PACKSWAP) != 0) |
| 3099 /* little-endian byte */ |
| 3100 end_mask = 0xff << end_mask; |
| 3101 |
| 3102 else /* big-endian byte */ |
| 3103 # endif |
| 3104 end_mask = 0xff >> end_mask; |
| 3105 /* end_mask is now the bits to *keep* from the destination row */ |
| 3106 } |
| 3107 |
| 3108 /* For non-interlaced images this reduces to a memcpy(). A memcpy() |
| 3109 * will also happen if interlacing isn't supported or if the application |
| 3110 * does not call png_set_interlace_handling(). In the latter cases the |
| 3111 * caller just gets a sequence of the unexpanded rows from each interlace |
| 3112 * pass. |
| 3113 */ |
| 3114 #ifdef PNG_READ_INTERLACING_SUPPORTED |
| 3115 if (png_ptr->interlaced != 0 && |
| 3116 (png_ptr->transformations & PNG_INTERLACE) != 0 && |
| 3117 pass < 6 && (display == 0 || |
| 3118 /* The following copies everything for 'display' on passes 0, 2 and 4. */ |
| 3119 (display == 1 && (pass & 1) != 0))) |
| 3120 { |
| 3121 /* Narrow images may have no bits in a pass; the caller should handle |
| 3122 * this, but this test is cheap: |
| 3123 */ |
| 3124 if (row_width <= PNG_PASS_START_COL(pass)) |
| 3125 return; |
| 3126 |
| 3127 if (pixel_depth < 8) |
| 3128 { |
| 3129 /* For pixel depths up to 4 bpp the 8-pixel mask can be expanded to fit |
| 3130 * into 32 bits, then a single loop over the bytes using the four byte |
| 3131 * values in the 32-bit mask can be used. For the 'display' option the |
| 3132 * expanded mask may also not require any masking within a byte. To |
| 3133 * make this work the PACKSWAP option must be taken into account - it |
| 3134 * simply requires the pixels to be reversed in each byte. |
| 3135 * |
| 3136 * The 'regular' case requires a mask for each of the first 6 passes, |
| 3137 * the 'display' case does a copy for the even passes in the range |
| 3138 * 0..6. This has already been handled in the test above. |
| 3139 * |
| 3140 * The masks are arranged as four bytes with the first byte to use in |
| 3141 * the lowest bits (little-endian) regardless of the order (PACKSWAP or |
| 3142 * not) of the pixels in each byte. |
| 3143 * |
| 3144 * NOTE: the whole of this logic depends on the caller of this function |
| 3145 * only calling it on rows appropriate to the pass. This function only |
| 3146 * understands the 'x' logic; the 'y' logic is handled by the caller. |
| 3147 * |
| 3148 * The following defines allow generation of compile time constant bit |
| 3149 * masks for each pixel depth and each possibility of swapped or not |
| 3150 * swapped bytes. Pass 'p' is in the range 0..6; 'x', a pixel index, |
| 3151 * is in the range 0..7; and the result is 1 if the pixel is to be |
| 3152 * copied in the pass, 0 if not. 'S' is for the sparkle method, 'B' |
| 3153 * for the block method. |
| 3154 * |
| 3155 * With some compilers a compile time expression of the general form: |
| 3156 * |
| 3157 * (shift >= 32) ? (a >> (shift-32)) : (b >> shift) |
| 3158 * |
| 3159 * Produces warnings with values of 'shift' in the range 33 to 63 |
| 3160 * because the right hand side of the ?: expression is evaluated by |
| 3161 * the compiler even though it isn't used. Microsoft Visual C (various |
| 3162 * versions) and the Intel C compiler are known to do this. To avoid |
| 3163 * this the following macros are used in 1.5.6. This is a temporary |
| 3164 * solution to avoid destabilizing the code during the release process. |
| 3165 */ |
| 3166 # if PNG_USE_COMPILE_TIME_MASKS |
| 3167 # define PNG_LSR(x,s) ((x)>>((s) & 0x1f)) |
| 3168 # define PNG_LSL(x,s) ((x)<<((s) & 0x1f)) |
| 3169 # else |
| 3170 # define PNG_LSR(x,s) ((x)>>(s)) |
| 3171 # define PNG_LSL(x,s) ((x)<<(s)) |
| 3172 # endif |
| 3173 # define S_COPY(p,x) (((p)<4 ? PNG_LSR(0x80088822,(3-(p))*8+(7-(x))) :\ |
| 3174 PNG_LSR(0xaa55ff00,(7-(p))*8+(7-(x)))) & 1) |
| 3175 # define B_COPY(p,x) (((p)<4 ? PNG_LSR(0xff0fff33,(3-(p))*8+(7-(x))) :\ |
| 3176 PNG_LSR(0xff55ff00,(7-(p))*8+(7-(x)))) & 1) |
| 3177 |
| 3178 /* Return a mask for pass 'p' pixel 'x' at depth 'd'. The mask is |
| 3179 * little endian - the first pixel is at bit 0 - however the extra |
| 3180 * parameter 's' can be set to cause the mask position to be swapped |
| 3181 * within each byte, to match the PNG format. This is done by XOR of |
| 3182 * the shift with 7, 6 or 4 for bit depths 1, 2 and 4. |
| 3183 */ |
| 3184 # define PIXEL_MASK(p,x,d,s) \ |
| 3185 (PNG_LSL(((PNG_LSL(1U,(d)))-1),(((x)*(d))^((s)?8-(d):0)))) |
| 3186 |
| 3187 /* Hence generate the appropriate 'block' or 'sparkle' pixel copy mask. |
| 3188 */ |
| 3189 # define S_MASKx(p,x,d,s) (S_COPY(p,x)?PIXEL_MASK(p,x,d,s):0) |
| 3190 # define B_MASKx(p,x,d,s) (B_COPY(p,x)?PIXEL_MASK(p,x,d,s):0) |
| 3191 |
| 3192 /* Combine 8 of these to get the full mask. For the 1-bpp and 2-bpp |
| 3193 * cases the result needs replicating, for the 4-bpp case the above |
| 3194 * generates a full 32 bits. |
| 3195 */ |
| 3196 # define MASK_EXPAND(m,d) ((m)*((d)==1?0x01010101:((d)==2?0x00010001:1))) |
| 3197 |
| 3198 # define S_MASK(p,d,s) MASK_EXPAND(S_MASKx(p,0,d,s) + S_MASKx(p,1,d,s) +\ |
| 3199 S_MASKx(p,2,d,s) + S_MASKx(p,3,d,s) + S_MASKx(p,4,d,s) +\ |
| 3200 S_MASKx(p,5,d,s) + S_MASKx(p,6,d,s) + S_MASKx(p,7,d,s), d) |
| 3201 |
| 3202 # define B_MASK(p,d,s) MASK_EXPAND(B_MASKx(p,0,d,s) + B_MASKx(p,1,d,s) +\ |
| 3203 B_MASKx(p,2,d,s) + B_MASKx(p,3,d,s) + B_MASKx(p,4,d,s) +\ |
| 3204 B_MASKx(p,5,d,s) + B_MASKx(p,6,d,s) + B_MASKx(p,7,d,s), d) |
| 3205 |
| 3206 #if PNG_USE_COMPILE_TIME_MASKS |
| 3207 /* Utility macros to construct all the masks for a depth/swap |
| 3208 * combination. The 's' parameter says whether the format is PNG |
| 3209 * (big endian bytes) or not. Only the three odd-numbered passes are |
| 3210 * required for the display/block algorithm. |
| 3211 */ |
| 3212 # define S_MASKS(d,s) { S_MASK(0,d,s), S_MASK(1,d,s), S_MASK(2,d,s),\ |
| 3213 S_MASK(3,d,s), S_MASK(4,d,s), S_MASK(5,d,s) } |
| 3214 |
| 3215 # define B_MASKS(d,s) { B_MASK(1,d,s), B_MASK(3,d,s), B_MASK(5,d,s) } |
| 3216 |
| 3217 # define DEPTH_INDEX(d) ((d)==1?0:((d)==2?1:2)) |
| 3218 |
| 3219 /* Hence the pre-compiled masks indexed by PACKSWAP (or not), depth and |
| 3220 * then pass: |
| 3221 */ |
| 3222 static PNG_CONST png_uint_32 row_mask[2/*PACKSWAP*/][3/*depth*/][6] = |
| 3223 { |
| 3224 /* Little-endian byte masks for PACKSWAP */ |
| 3225 { S_MASKS(1,0), S_MASKS(2,0), S_MASKS(4,0) }, |
| 3226 /* Normal (big-endian byte) masks - PNG format */ |
| 3227 { S_MASKS(1,1), S_MASKS(2,1), S_MASKS(4,1) } |
| 3228 }; |
| 3229 |
| 3230 /* display_mask has only three entries for the odd passes, so index by |
| 3231 * pass>>1. |
| 3232 */ |
| 3233 static PNG_CONST png_uint_32 display_mask[2][3][3] = |
| 3234 { |
| 3235 /* Little-endian byte masks for PACKSWAP */ |
| 3236 { B_MASKS(1,0), B_MASKS(2,0), B_MASKS(4,0) }, |
| 3237 /* Normal (big-endian byte) masks - PNG format */ |
| 3238 { B_MASKS(1,1), B_MASKS(2,1), B_MASKS(4,1) } |
| 3239 }; |
| 3240 |
| 3241 # define MASK(pass,depth,display,png)\ |
| 3242 ((display)?display_mask[png][DEPTH_INDEX(depth)][pass>>1]:\ |
| 3243 row_mask[png][DEPTH_INDEX(depth)][pass]) |
| 3244 |
| 3245 #else /* !PNG_USE_COMPILE_TIME_MASKS */ |
| 3246 /* This is the runtime alternative: it seems unlikely that this will |
| 3247 * ever be either smaller or faster than the compile time approach. |
| 3248 */ |
| 3249 # define MASK(pass,depth,display,png)\ |
| 3250 ((display)?B_MASK(pass,depth,png):S_MASK(pass,depth,png)) |
| 3251 #endif /* !USE_COMPILE_TIME_MASKS */ |
| 3252 |
| 3253 /* Use the appropriate mask to copy the required bits. In some cases |
| 3254 * the byte mask will be 0 or 0xff; optimize these cases. row_width is |
| 3255 * the number of pixels, but the code copies bytes, so it is necessary |
| 3256 * to special case the end. |
| 3257 */ |
| 3258 png_uint_32 pixels_per_byte = 8 / pixel_depth; |
| 3259 png_uint_32 mask; |
| 3260 |
| 3261 # ifdef PNG_READ_PACKSWAP_SUPPORTED |
| 3262 if ((png_ptr->transformations & PNG_PACKSWAP) != 0) |
| 3263 mask = MASK(pass, pixel_depth, display, 0); |
| 3264 |
| 3265 else |
| 3266 # endif |
| 3267 mask = MASK(pass, pixel_depth, display, 1); |
| 3268 |
| 3269 for (;;) |
| 3270 { |
| 3271 png_uint_32 m; |
| 3272 |
| 3273 /* It doesn't matter in the following if png_uint_32 has more than |
| 3274 * 32 bits because the high bits always match those in m<<24; it is, |
| 3275 * however, essential to use OR here, not +, because of this. |
| 3276 */ |
| 3277 m = mask; |
| 3278 mask = (m >> 8) | (m << 24); /* rotate right to good compilers */ |
| 3279 m &= 0xff; |
| 3280 |
| 3281 if (m != 0) /* something to copy */ |
| 3282 { |
| 3283 if (m != 0xff) |
| 3284 *dp = (png_byte)((*dp & ~m) | (*sp & m)); |
| 3285 else |
| 3286 *dp = *sp; |
| 3287 } |
| 3288 |
| 3289 /* NOTE: this may overwrite the last byte with garbage if the image |
| 3290 * is not an exact number of bytes wide; libpng has always done |
| 3291 * this. |
| 3292 */ |
| 3293 if (row_width <= pixels_per_byte) |
| 3294 break; /* May need to restore part of the last byte */ |
| 3295 |
| 3296 row_width -= pixels_per_byte; |
| 3297 ++dp; |
| 3298 ++sp; |
| 3299 } |
| 3300 } |
| 3301 |
| 3302 else /* pixel_depth >= 8 */ |
| 3303 { |
| 3304 unsigned int bytes_to_copy, bytes_to_jump; |
| 3305 |
| 3306 /* Validate the depth - it must be a multiple of 8 */ |
| 3307 if (pixel_depth & 7) |
| 3308 png_error(png_ptr, "invalid user transform pixel depth"); |
| 3309 |
| 3310 pixel_depth >>= 3; /* now in bytes */ |
| 3311 row_width *= pixel_depth; |
| 3312 |
| 3313 /* Regardless of pass number the Adam 7 interlace always results in a |
| 3314 * fixed number of pixels to copy then to skip. There may be a |
| 3315 * different number of pixels to skip at the start though. |
| 3316 */ |
| 3317 { |
| 3318 unsigned int offset = PNG_PASS_START_COL(pass) * pixel_depth; |
| 3319 |
| 3320 row_width -= offset; |
| 3321 dp += offset; |
| 3322 sp += offset; |
| 3323 } |
| 3324 |
| 3325 /* Work out the bytes to copy. */ |
| 3326 if (display != 0) |
| 3327 { |
| 3328 /* When doing the 'block' algorithm the pixel in the pass gets |
| 3329 * replicated to adjacent pixels. This is why the even (0,2,4,6) |
| 3330 * passes are skipped above - the entire expanded row is copied. |
| 3331 */ |
| 3332 bytes_to_copy = (1<<((6-pass)>>1)) * pixel_depth; |
| 3333 |
| 3334 /* But don't allow this number to exceed the actual row width. */ |
| 3335 if (bytes_to_copy > row_width) |
| 3336 bytes_to_copy = (unsigned int)/*SAFE*/row_width; |
| 3337 } |
| 3338 |
| 3339 else /* normal row; Adam7 only ever gives us one pixel to copy. */ |
| 3340 bytes_to_copy = pixel_depth; |
| 3341 |
| 3342 /* In Adam7 there is a constant offset between where the pixels go. */ |
| 3343 bytes_to_jump = PNG_PASS_COL_OFFSET(pass) * pixel_depth; |
| 3344 |
| 3345 /* And simply copy these bytes. Some optimization is possible here, |
| 3346 * depending on the value of 'bytes_to_copy'. Special case the low |
| 3347 * byte counts, which we know to be frequent. |
| 3348 * |
| 3349 * Notice that these cases all 'return' rather than 'break' - this |
| 3350 * avoids an unnecessary test on whether to restore the last byte |
| 3351 * below. |
| 3352 */ |
| 3353 switch (bytes_to_copy) |
| 3354 { |
| 3355 case 1: |
| 3356 for (;;) |
| 3357 { |
| 3358 *dp = *sp; |
| 3359 |
| 3360 if (row_width <= bytes_to_jump) |
| 3361 return; |
| 3362 |
| 3363 dp += bytes_to_jump; |
| 3364 sp += bytes_to_jump; |
| 3365 row_width -= bytes_to_jump; |
| 3366 } |
| 3367 |
| 3368 case 2: |
| 3369 /* There is a possibility of a partial copy at the end here; this |
| 3370 * slows the code down somewhat. |
| 3371 */ |
| 3372 do |
| 3373 { |
| 3374 dp[0] = sp[0], dp[1] = sp[1]; |
| 3375 |
| 3376 if (row_width <= bytes_to_jump) |
| 3377 return; |
| 3378 |
| 3379 sp += bytes_to_jump; |
| 3380 dp += bytes_to_jump; |
| 3381 row_width -= bytes_to_jump; |
| 3382 } |
| 3383 while (row_width > 1); |
| 3384 |
| 3385 /* And there can only be one byte left at this point: */ |
| 3386 *dp = *sp; |
| 3387 return; |
| 3388 |
| 3389 case 3: |
| 3390 /* This can only be the RGB case, so each copy is exactly one |
| 3391 * pixel and it is not necessary to check for a partial copy. |
| 3392 */ |
| 3393 for (;;) |
| 3394 { |
| 3395 dp[0] = sp[0], dp[1] = sp[1], dp[2] = sp[2]; |
| 3396 |
| 3397 if (row_width <= bytes_to_jump) |
| 3398 return; |
| 3399 |
| 3400 sp += bytes_to_jump; |
| 3401 dp += bytes_to_jump; |
| 3402 row_width -= bytes_to_jump; |
| 3403 } |
| 3404 |
| 3405 default: |
| 3406 #if PNG_ALIGN_TYPE != PNG_ALIGN_NONE |
| 3407 /* Check for double byte alignment and, if possible, use a |
| 3408 * 16-bit copy. Don't attempt this for narrow images - ones that |
| 3409 * are less than an interlace panel wide. Don't attempt it for |
| 3410 * wide bytes_to_copy either - use the memcpy there. |
| 3411 */ |
| 3412 if (bytes_to_copy < 16 /*else use memcpy*/ && |
| 3413 png_isaligned(dp, png_uint_16) && |
| 3414 png_isaligned(sp, png_uint_16) && |
| 3415 bytes_to_copy % (sizeof (png_uint_16)) == 0 && |
| 3416 bytes_to_jump % (sizeof (png_uint_16)) == 0) |
| 3417 { |
| 3418 /* Everything is aligned for png_uint_16 copies, but try for |
| 3419 * png_uint_32 first. |
| 3420 */ |
| 3421 if (png_isaligned(dp, png_uint_32) != 0 && |
| 3422 png_isaligned(sp, png_uint_32) != 0 && |
| 3423 bytes_to_copy % (sizeof (png_uint_32)) == 0 && |
| 3424 bytes_to_jump % (sizeof (png_uint_32)) == 0) |
| 3425 { |
| 3426 png_uint_32p dp32 = png_aligncast(png_uint_32p,dp); |
| 3427 png_const_uint_32p sp32 = png_aligncastconst( |
| 3428 png_const_uint_32p, sp); |
| 3429 size_t skip = (bytes_to_jump-bytes_to_copy) / |
| 3430 (sizeof (png_uint_32)); |
| 3431 |
| 3432 do |
| 3433 { |
| 3434 size_t c = bytes_to_copy; |
| 3435 do |
| 3436 { |
| 3437 *dp32++ = *sp32++; |
| 3438 c -= (sizeof (png_uint_32)); |
| 3439 } |
| 3440 while (c > 0); |
| 3441 |
| 3442 if (row_width <= bytes_to_jump) |
| 3443 return; |
| 3444 |
| 3445 dp32 += skip; |
| 3446 sp32 += skip; |
| 3447 row_width -= bytes_to_jump; |
| 3448 } |
| 3449 while (bytes_to_copy <= row_width); |
| 3450 |
| 3451 /* Get to here when the row_width truncates the final copy. |
| 3452 * There will be 1-3 bytes left to copy, so don't try the |
| 3453 * 16-bit loop below. |
| 3454 */ |
| 3455 dp = (png_bytep)dp32; |
| 3456 sp = (png_const_bytep)sp32; |
| 3457 do |
| 3458 *dp++ = *sp++; |
| 3459 while (--row_width > 0); |
| 3460 return; |
| 3461 } |
| 3462 |
| 3463 /* Else do it in 16-bit quantities, but only if the size is |
| 3464 * not too large. |
| 3465 */ |
| 3466 else |
| 3467 { |
| 3468 png_uint_16p dp16 = png_aligncast(png_uint_16p, dp); |
| 3469 png_const_uint_16p sp16 = png_aligncastconst( |
| 3470 png_const_uint_16p, sp); |
| 3471 size_t skip = (bytes_to_jump-bytes_to_copy) / |
| 3472 (sizeof (png_uint_16)); |
| 3473 |
| 3474 do |
| 3475 { |
| 3476 size_t c = bytes_to_copy; |
| 3477 do |
| 3478 { |
| 3479 *dp16++ = *sp16++; |
| 3480 c -= (sizeof (png_uint_16)); |
| 3481 } |
| 3482 while (c > 0); |
| 3483 |
| 3484 if (row_width <= bytes_to_jump) |
| 3485 return; |
| 3486 |
| 3487 dp16 += skip; |
| 3488 sp16 += skip; |
| 3489 row_width -= bytes_to_jump; |
| 3490 } |
| 3491 while (bytes_to_copy <= row_width); |
| 3492 |
| 3493 /* End of row - 1 byte left, bytes_to_copy > row_width: */ |
| 3494 dp = (png_bytep)dp16; |
| 3495 sp = (png_const_bytep)sp16; |
| 3496 do |
| 3497 *dp++ = *sp++; |
| 3498 while (--row_width > 0); |
| 3499 return; |
| 3500 } |
| 3501 } |
| 3502 #endif /* ALIGN_TYPE code */ |
| 3503 |
| 3504 /* The true default - use a memcpy: */ |
| 3505 for (;;) |
| 3506 { |
| 3507 memcpy(dp, sp, bytes_to_copy); |
| 3508 |
| 3509 if (row_width <= bytes_to_jump) |
| 3510 return; |
| 3511 |
| 3512 sp += bytes_to_jump; |
| 3513 dp += bytes_to_jump; |
| 3514 row_width -= bytes_to_jump; |
| 3515 if (bytes_to_copy > row_width) |
| 3516 bytes_to_copy = (unsigned int)/*SAFE*/row_width; |
| 3517 } |
| 3518 } |
| 3519 |
| 3520 /* NOT REACHED*/ |
| 3521 } /* pixel_depth >= 8 */ |
| 3522 |
| 3523 /* Here if pixel_depth < 8 to check 'end_ptr' below. */ |
| 3524 } |
| 3525 else |
| 3526 #endif /* READ_INTERLACING */ |
| 3527 |
| 3528 /* If here then the switch above wasn't used so just memcpy the whole row |
| 3529 * from the temporary row buffer (notice that this overwrites the end of the |
| 3530 * destination row if it is a partial byte.) |
| 3531 */ |
| 3532 memcpy(dp, sp, PNG_ROWBYTES(pixel_depth, row_width)); |
| 3533 |
| 3534 /* Restore the overwritten bits from the last byte if necessary. */ |
| 3535 if (end_ptr != NULL) |
| 3536 *end_ptr = (png_byte)((end_byte & end_mask) | (*end_ptr & ~end_mask)); |
| 3537 } |
| 3538 |
| 3539 #ifdef PNG_READ_INTERLACING_SUPPORTED |
| 3540 void /* PRIVATE */ |
| 3541 png_do_read_interlace(png_row_infop row_info, png_bytep row, int pass, |
| 3542 png_uint_32 transformations /* Because these may affect the byte layout */) |
| 3543 { |
2733 /* Arrays to facilitate easy interlacing - use pass (0 - 6) as index */ | 3544 /* Arrays to facilitate easy interlacing - use pass (0 - 6) as index */ |
2734 /* Offset to next interlace block */ | 3545 /* Offset to next interlace block */ |
2735 #ifndef PNG_USE_GLOBAL_ARRAYS | 3546 static PNG_CONST int png_pass_inc[7] = {8, 8, 4, 4, 2, 2, 1}; |
2736 PNG_CONST int png_pass_inc[7] = {8, 8, 4, 4, 2, 2, 1}; | |
2737 #endif | |
2738 | 3547 |
2739 png_debug(1, "in png_do_read_interlace"); | 3548 png_debug(1, "in png_do_read_interlace"); |
2740 if (row != NULL && row_info != NULL) | 3549 if (row != NULL && row_info != NULL) |
2741 { | 3550 { |
2742 png_uint_32 final_width; | 3551 png_uint_32 final_width; |
2743 | 3552 |
2744 final_width = row_info->width * png_pass_inc[pass]; | 3553 final_width = row_info->width * png_pass_inc[pass]; |
2745 | 3554 |
2746 switch (row_info->pixel_depth) | 3555 switch (row_info->pixel_depth) |
2747 { | 3556 { |
2748 case 1: | 3557 case 1: |
2749 { | 3558 { |
2750 png_bytep sp = row + (png_size_t)((row_info->width - 1) >> 3); | 3559 png_bytep sp = row + (png_size_t)((row_info->width - 1) >> 3); |
2751 png_bytep dp = row + (png_size_t)((final_width - 1) >> 3); | 3560 png_bytep dp = row + (png_size_t)((final_width - 1) >> 3); |
2752 int sshift, dshift; | 3561 int sshift, dshift; |
2753 int s_start, s_end, s_inc; | 3562 int s_start, s_end, s_inc; |
2754 int jstop = png_pass_inc[pass]; | 3563 int jstop = png_pass_inc[pass]; |
2755 png_byte v; | 3564 png_byte v; |
2756 png_uint_32 i; | 3565 png_uint_32 i; |
2757 int j; | 3566 int j; |
2758 | 3567 |
2759 #ifdef PNG_READ_PACKSWAP_SUPPORTED | 3568 #ifdef PNG_READ_PACKSWAP_SUPPORTED |
2760 if (transformations & PNG_PACKSWAP) | 3569 if ((transformations & PNG_PACKSWAP) != 0) |
2761 { | 3570 { |
2762 sshift = (int)((row_info->width + 7) & 0x07); | 3571 sshift = (int)((row_info->width + 7) & 0x07); |
2763 dshift = (int)((final_width + 7) & 0x07); | 3572 dshift = (int)((final_width + 7) & 0x07); |
2764 s_start = 7; | 3573 s_start = 7; |
2765 s_end = 0; | 3574 s_end = 0; |
2766 s_inc = -1; | 3575 s_inc = -1; |
2767 } | 3576 } |
| 3577 |
2768 else | 3578 else |
2769 #endif | 3579 #endif |
2770 { | 3580 { |
2771 sshift = 7 - (int)((row_info->width + 7) & 0x07); | 3581 sshift = 7 - (int)((row_info->width + 7) & 0x07); |
2772 dshift = 7 - (int)((final_width + 7) & 0x07); | 3582 dshift = 7 - (int)((final_width + 7) & 0x07); |
2773 s_start = 0; | 3583 s_start = 0; |
2774 s_end = 7; | 3584 s_end = 7; |
2775 s_inc = 1; | 3585 s_inc = 1; |
2776 } | 3586 } |
2777 | 3587 |
2778 for (i = 0; i < row_info->width; i++) | 3588 for (i = 0; i < row_info->width; i++) |
2779 { | 3589 { |
2780 v = (png_byte)((*sp >> sshift) & 0x01); | 3590 v = (png_byte)((*sp >> sshift) & 0x01); |
2781 for (j = 0; j < jstop; j++) | 3591 for (j = 0; j < jstop; j++) |
2782 { | 3592 { |
2783 *dp &= (png_byte)((0x7f7f >> (7 - dshift)) & 0xff); | 3593 unsigned int tmp = *dp & (0x7f7f >> (7 - dshift)); |
2784 *dp |= (png_byte)(v << dshift); | 3594 tmp |= v << dshift; |
| 3595 *dp = (png_byte)(tmp & 0xff); |
| 3596 |
2785 if (dshift == s_end) | 3597 if (dshift == s_end) |
2786 { | 3598 { |
2787 dshift = s_start; | 3599 dshift = s_start; |
2788 dp--; | 3600 dp--; |
2789 } | 3601 } |
| 3602 |
2790 else | 3603 else |
2791 dshift += s_inc; | 3604 dshift += s_inc; |
2792 } | 3605 } |
| 3606 |
2793 if (sshift == s_end) | 3607 if (sshift == s_end) |
2794 { | 3608 { |
2795 sshift = s_start; | 3609 sshift = s_start; |
2796 sp--; | 3610 sp--; |
2797 } | 3611 } |
| 3612 |
2798 else | 3613 else |
2799 sshift += s_inc; | 3614 sshift += s_inc; |
2800 } | 3615 } |
2801 break; | 3616 break; |
2802 } | 3617 } |
| 3618 |
2803 case 2: | 3619 case 2: |
2804 { | 3620 { |
2805 png_bytep sp = row + (png_uint_32)((row_info->width - 1) >> 2); | 3621 png_bytep sp = row + (png_uint_32)((row_info->width - 1) >> 2); |
2806 png_bytep dp = row + (png_uint_32)((final_width - 1) >> 2); | 3622 png_bytep dp = row + (png_uint_32)((final_width - 1) >> 2); |
2807 int sshift, dshift; | 3623 int sshift, dshift; |
2808 int s_start, s_end, s_inc; | 3624 int s_start, s_end, s_inc; |
2809 int jstop = png_pass_inc[pass]; | 3625 int jstop = png_pass_inc[pass]; |
2810 png_uint_32 i; | 3626 png_uint_32 i; |
2811 | 3627 |
2812 #ifdef PNG_READ_PACKSWAP_SUPPORTED | 3628 #ifdef PNG_READ_PACKSWAP_SUPPORTED |
2813 if (transformations & PNG_PACKSWAP) | 3629 if ((transformations & PNG_PACKSWAP) != 0) |
2814 { | 3630 { |
2815 sshift = (int)(((row_info->width + 3) & 0x03) << 1); | 3631 sshift = (int)(((row_info->width + 3) & 0x03) << 1); |
2816 dshift = (int)(((final_width + 3) & 0x03) << 1); | 3632 dshift = (int)(((final_width + 3) & 0x03) << 1); |
2817 s_start = 6; | 3633 s_start = 6; |
2818 s_end = 0; | 3634 s_end = 0; |
2819 s_inc = -2; | 3635 s_inc = -2; |
2820 } | 3636 } |
| 3637 |
2821 else | 3638 else |
2822 #endif | 3639 #endif |
2823 { | 3640 { |
2824 sshift = (int)((3 - ((row_info->width + 3) & 0x03)) << 1); | 3641 sshift = (int)((3 - ((row_info->width + 3) & 0x03)) << 1); |
2825 dshift = (int)((3 - ((final_width + 3) & 0x03)) << 1); | 3642 dshift = (int)((3 - ((final_width + 3) & 0x03)) << 1); |
2826 s_start = 0; | 3643 s_start = 0; |
2827 s_end = 6; | 3644 s_end = 6; |
2828 s_inc = 2; | 3645 s_inc = 2; |
2829 } | 3646 } |
2830 | 3647 |
2831 for (i = 0; i < row_info->width; i++) | 3648 for (i = 0; i < row_info->width; i++) |
2832 { | 3649 { |
2833 png_byte v; | 3650 png_byte v; |
2834 int j; | 3651 int j; |
2835 | 3652 |
2836 v = (png_byte)((*sp >> sshift) & 0x03); | 3653 v = (png_byte)((*sp >> sshift) & 0x03); |
2837 for (j = 0; j < jstop; j++) | 3654 for (j = 0; j < jstop; j++) |
2838 { | 3655 { |
2839 *dp &= (png_byte)((0x3f3f >> (6 - dshift)) & 0xff); | 3656 unsigned int tmp = *dp & (0x3f3f >> (6 - dshift)); |
2840 *dp |= (png_byte)(v << dshift); | 3657 tmp |= v << dshift; |
| 3658 *dp = (png_byte)(tmp & 0xff); |
| 3659 |
2841 if (dshift == s_end) | 3660 if (dshift == s_end) |
2842 { | 3661 { |
2843 dshift = s_start; | 3662 dshift = s_start; |
2844 dp--; | 3663 dp--; |
2845 } | 3664 } |
| 3665 |
2846 else | 3666 else |
2847 dshift += s_inc; | 3667 dshift += s_inc; |
2848 } | 3668 } |
| 3669 |
2849 if (sshift == s_end) | 3670 if (sshift == s_end) |
2850 { | 3671 { |
2851 sshift = s_start; | 3672 sshift = s_start; |
2852 sp--; | 3673 sp--; |
2853 } | 3674 } |
| 3675 |
2854 else | 3676 else |
2855 sshift += s_inc; | 3677 sshift += s_inc; |
2856 } | 3678 } |
2857 break; | 3679 break; |
2858 } | 3680 } |
| 3681 |
2859 case 4: | 3682 case 4: |
2860 { | 3683 { |
2861 png_bytep sp = row + (png_size_t)((row_info->width - 1) >> 1); | 3684 png_bytep sp = row + (png_size_t)((row_info->width - 1) >> 1); |
2862 png_bytep dp = row + (png_size_t)((final_width - 1) >> 1); | 3685 png_bytep dp = row + (png_size_t)((final_width - 1) >> 1); |
2863 int sshift, dshift; | 3686 int sshift, dshift; |
2864 int s_start, s_end, s_inc; | 3687 int s_start, s_end, s_inc; |
2865 png_uint_32 i; | 3688 png_uint_32 i; |
2866 int jstop = png_pass_inc[pass]; | 3689 int jstop = png_pass_inc[pass]; |
2867 | 3690 |
2868 #ifdef PNG_READ_PACKSWAP_SUPPORTED | 3691 #ifdef PNG_READ_PACKSWAP_SUPPORTED |
2869 if (transformations & PNG_PACKSWAP) | 3692 if ((transformations & PNG_PACKSWAP) != 0) |
2870 { | 3693 { |
2871 sshift = (int)(((row_info->width + 1) & 0x01) << 2); | 3694 sshift = (int)(((row_info->width + 1) & 0x01) << 2); |
2872 dshift = (int)(((final_width + 1) & 0x01) << 2); | 3695 dshift = (int)(((final_width + 1) & 0x01) << 2); |
2873 s_start = 4; | 3696 s_start = 4; |
2874 s_end = 0; | 3697 s_end = 0; |
2875 s_inc = -4; | 3698 s_inc = -4; |
2876 } | 3699 } |
| 3700 |
2877 else | 3701 else |
2878 #endif | 3702 #endif |
2879 { | 3703 { |
2880 sshift = (int)((1 - ((row_info->width + 1) & 0x01)) << 2); | 3704 sshift = (int)((1 - ((row_info->width + 1) & 0x01)) << 2); |
2881 dshift = (int)((1 - ((final_width + 1) & 0x01)) << 2); | 3705 dshift = (int)((1 - ((final_width + 1) & 0x01)) << 2); |
2882 s_start = 0; | 3706 s_start = 0; |
2883 s_end = 4; | 3707 s_end = 4; |
2884 s_inc = 4; | 3708 s_inc = 4; |
2885 } | 3709 } |
2886 | 3710 |
2887 for (i = 0; i < row_info->width; i++) | 3711 for (i = 0; i < row_info->width; i++) |
2888 { | 3712 { |
2889 png_byte v = (png_byte)((*sp >> sshift) & 0xf); | 3713 png_byte v = (png_byte)((*sp >> sshift) & 0x0f); |
2890 int j; | 3714 int j; |
2891 | 3715 |
2892 for (j = 0; j < jstop; j++) | 3716 for (j = 0; j < jstop; j++) |
2893 { | 3717 { |
2894 *dp &= (png_byte)((0xf0f >> (4 - dshift)) & 0xff); | 3718 unsigned int tmp = *dp & (0xf0f >> (4 - dshift)); |
2895 *dp |= (png_byte)(v << dshift); | 3719 tmp |= v << dshift; |
| 3720 *dp = (png_byte)(tmp & 0xff); |
| 3721 |
2896 if (dshift == s_end) | 3722 if (dshift == s_end) |
2897 { | 3723 { |
2898 dshift = s_start; | 3724 dshift = s_start; |
2899 dp--; | 3725 dp--; |
2900 } | 3726 } |
| 3727 |
2901 else | 3728 else |
2902 dshift += s_inc; | 3729 dshift += s_inc; |
2903 } | 3730 } |
| 3731 |
2904 if (sshift == s_end) | 3732 if (sshift == s_end) |
2905 { | 3733 { |
2906 sshift = s_start; | 3734 sshift = s_start; |
2907 sp--; | 3735 sp--; |
2908 } | 3736 } |
| 3737 |
2909 else | 3738 else |
2910 sshift += s_inc; | 3739 sshift += s_inc; |
2911 } | 3740 } |
2912 break; | 3741 break; |
2913 } | 3742 } |
| 3743 |
2914 default: | 3744 default: |
2915 { | 3745 { |
2916 png_size_t pixel_bytes = (row_info->pixel_depth >> 3); | 3746 png_size_t pixel_bytes = (row_info->pixel_depth >> 3); |
| 3747 |
2917 png_bytep sp = row + (png_size_t)(row_info->width - 1) | 3748 png_bytep sp = row + (png_size_t)(row_info->width - 1) |
2918 * pixel_bytes; | 3749 * pixel_bytes; |
| 3750 |
2919 png_bytep dp = row + (png_size_t)(final_width - 1) * pixel_bytes; | 3751 png_bytep dp = row + (png_size_t)(final_width - 1) * pixel_bytes; |
2920 | 3752 |
2921 int jstop = png_pass_inc[pass]; | 3753 int jstop = png_pass_inc[pass]; |
2922 png_uint_32 i; | 3754 png_uint_32 i; |
2923 | 3755 |
2924 for (i = 0; i < row_info->width; i++) | 3756 for (i = 0; i < row_info->width; i++) |
2925 { | 3757 { |
2926 png_byte v[8]; | 3758 png_byte v[8]; /* SAFE; pixel_depth does not exceed 64 */ |
2927 int j; | 3759 int j; |
2928 | 3760 |
2929 png_memcpy(v, sp, pixel_bytes); | 3761 memcpy(v, sp, pixel_bytes); |
| 3762 |
2930 for (j = 0; j < jstop; j++) | 3763 for (j = 0; j < jstop; j++) |
2931 { | 3764 { |
2932 png_memcpy(dp, v, pixel_bytes); | 3765 memcpy(dp, v, pixel_bytes); |
2933 dp -= pixel_bytes; | 3766 dp -= pixel_bytes; |
2934 } | 3767 } |
| 3768 |
2935 sp -= pixel_bytes; | 3769 sp -= pixel_bytes; |
2936 } | 3770 } |
2937 break; | 3771 break; |
2938 } | 3772 } |
2939 } | 3773 } |
| 3774 |
2940 row_info->width = final_width; | 3775 row_info->width = final_width; |
2941 row_info->rowbytes = PNG_ROWBYTES(row_info->pixel_depth, final_width); | 3776 row_info->rowbytes = PNG_ROWBYTES(row_info->pixel_depth, final_width); |
2942 } | 3777 } |
2943 #ifndef PNG_READ_PACKSWAP_SUPPORTED | 3778 #ifndef PNG_READ_PACKSWAP_SUPPORTED |
2944 PNG_UNUSED(transformations) /* Silence compiler warning */ | 3779 PNG_UNUSED(transformations) /* Silence compiler warning */ |
2945 #endif | 3780 #endif |
2946 } | 3781 } |
2947 #endif /* PNG_READ_INTERLACING_SUPPORTED */ | 3782 #endif /* READ_INTERLACING */ |
| 3783 |
| 3784 static void |
| 3785 png_read_filter_row_sub(png_row_infop row_info, png_bytep row, |
| 3786 png_const_bytep prev_row) |
| 3787 { |
| 3788 png_size_t i; |
| 3789 png_size_t istop = row_info->rowbytes; |
| 3790 unsigned int bpp = (row_info->pixel_depth + 7) >> 3; |
| 3791 png_bytep rp = row + bpp; |
| 3792 |
| 3793 PNG_UNUSED(prev_row) |
| 3794 |
| 3795 for (i = bpp; i < istop; i++) |
| 3796 { |
| 3797 *rp = (png_byte)(((int)(*rp) + (int)(*(rp-bpp))) & 0xff); |
| 3798 rp++; |
| 3799 } |
| 3800 } |
| 3801 |
| 3802 static void |
| 3803 png_read_filter_row_up(png_row_infop row_info, png_bytep row, |
| 3804 png_const_bytep prev_row) |
| 3805 { |
| 3806 png_size_t i; |
| 3807 png_size_t istop = row_info->rowbytes; |
| 3808 png_bytep rp = row; |
| 3809 png_const_bytep pp = prev_row; |
| 3810 |
| 3811 for (i = 0; i < istop; i++) |
| 3812 { |
| 3813 *rp = (png_byte)(((int)(*rp) + (int)(*pp++)) & 0xff); |
| 3814 rp++; |
| 3815 } |
| 3816 } |
| 3817 |
| 3818 static void |
| 3819 png_read_filter_row_avg(png_row_infop row_info, png_bytep row, |
| 3820 png_const_bytep prev_row) |
| 3821 { |
| 3822 png_size_t i; |
| 3823 png_bytep rp = row; |
| 3824 png_const_bytep pp = prev_row; |
| 3825 unsigned int bpp = (row_info->pixel_depth + 7) >> 3; |
| 3826 png_size_t istop = row_info->rowbytes - bpp; |
| 3827 |
| 3828 for (i = 0; i < bpp; i++) |
| 3829 { |
| 3830 *rp = (png_byte)(((int)(*rp) + |
| 3831 ((int)(*pp++) / 2 )) & 0xff); |
| 3832 |
| 3833 rp++; |
| 3834 } |
| 3835 |
| 3836 for (i = 0; i < istop; i++) |
| 3837 { |
| 3838 *rp = (png_byte)(((int)(*rp) + |
| 3839 (int)(*pp++ + *(rp-bpp)) / 2 ) & 0xff); |
| 3840 |
| 3841 rp++; |
| 3842 } |
| 3843 } |
| 3844 |
| 3845 static void |
| 3846 png_read_filter_row_paeth_1byte_pixel(png_row_infop row_info, png_bytep row, |
| 3847 png_const_bytep prev_row) |
| 3848 { |
| 3849 png_bytep rp_end = row + row_info->rowbytes; |
| 3850 int a, c; |
| 3851 |
| 3852 /* First pixel/byte */ |
| 3853 c = *prev_row++; |
| 3854 a = *row + c; |
| 3855 *row++ = (png_byte)a; |
| 3856 |
| 3857 /* Remainder */ |
| 3858 while (row < rp_end) |
| 3859 { |
| 3860 int b, pa, pb, pc, p; |
| 3861 |
| 3862 a &= 0xff; /* From previous iteration or start */ |
| 3863 b = *prev_row++; |
| 3864 |
| 3865 p = b - c; |
| 3866 pc = a - c; |
| 3867 |
| 3868 #ifdef PNG_USE_ABS |
| 3869 pa = abs(p); |
| 3870 pb = abs(pc); |
| 3871 pc = abs(p + pc); |
| 3872 #else |
| 3873 pa = p < 0 ? -p : p; |
| 3874 pb = pc < 0 ? -pc : pc; |
| 3875 pc = (p + pc) < 0 ? -(p + pc) : p + pc; |
| 3876 #endif |
| 3877 |
| 3878 /* Find the best predictor, the least of pa, pb, pc favoring the earlier |
| 3879 * ones in the case of a tie. |
| 3880 */ |
| 3881 if (pb < pa) pa = pb, a = b; |
| 3882 if (pc < pa) a = c; |
| 3883 |
| 3884 /* Calculate the current pixel in a, and move the previous row pixel to c |
| 3885 * for the next time round the loop |
| 3886 */ |
| 3887 c = b; |
| 3888 a += *row; |
| 3889 *row++ = (png_byte)a; |
| 3890 } |
| 3891 } |
| 3892 |
| 3893 static void |
| 3894 png_read_filter_row_paeth_multibyte_pixel(png_row_infop row_info, png_bytep row, |
| 3895 png_const_bytep prev_row) |
| 3896 { |
| 3897 int bpp = (row_info->pixel_depth + 7) >> 3; |
| 3898 png_bytep rp_end = row + bpp; |
| 3899 |
| 3900 /* Process the first pixel in the row completely (this is the same as 'up' |
| 3901 * because there is only one candidate predictor for the first row). |
| 3902 */ |
| 3903 while (row < rp_end) |
| 3904 { |
| 3905 int a = *row + *prev_row++; |
| 3906 *row++ = (png_byte)a; |
| 3907 } |
| 3908 |
| 3909 /* Remainder */ |
| 3910 rp_end += row_info->rowbytes - bpp; |
| 3911 |
| 3912 while (row < rp_end) |
| 3913 { |
| 3914 int a, b, c, pa, pb, pc, p; |
| 3915 |
| 3916 c = *(prev_row - bpp); |
| 3917 a = *(row - bpp); |
| 3918 b = *prev_row++; |
| 3919 |
| 3920 p = b - c; |
| 3921 pc = a - c; |
| 3922 |
| 3923 #ifdef PNG_USE_ABS |
| 3924 pa = abs(p); |
| 3925 pb = abs(pc); |
| 3926 pc = abs(p + pc); |
| 3927 #else |
| 3928 pa = p < 0 ? -p : p; |
| 3929 pb = pc < 0 ? -pc : pc; |
| 3930 pc = (p + pc) < 0 ? -(p + pc) : p + pc; |
| 3931 #endif |
| 3932 |
| 3933 if (pb < pa) pa = pb, a = b; |
| 3934 if (pc < pa) a = c; |
| 3935 |
| 3936 a += *row; |
| 3937 *row++ = (png_byte)a; |
| 3938 } |
| 3939 } |
| 3940 |
| 3941 static void |
| 3942 png_init_filter_functions(png_structrp pp) |
| 3943 /* This function is called once for every PNG image (except for PNG images |
| 3944 * that only use PNG_FILTER_VALUE_NONE for all rows) to set the |
| 3945 * implementations required to reverse the filtering of PNG rows. Reversing |
| 3946 * the filter is the first transformation performed on the row data. It is |
| 3947 * performed in place, therefore an implementation can be selected based on |
| 3948 * the image pixel format. If the implementation depends on image width then |
| 3949 * take care to ensure that it works correctly if the image is interlaced - |
| 3950 * interlacing causes the actual row width to vary. |
| 3951 */ |
| 3952 { |
| 3953 unsigned int bpp = (pp->pixel_depth + 7) >> 3; |
| 3954 |
| 3955 pp->read_filter[PNG_FILTER_VALUE_SUB-1] = png_read_filter_row_sub; |
| 3956 pp->read_filter[PNG_FILTER_VALUE_UP-1] = png_read_filter_row_up; |
| 3957 pp->read_filter[PNG_FILTER_VALUE_AVG-1] = png_read_filter_row_avg; |
| 3958 if (bpp == 1) |
| 3959 pp->read_filter[PNG_FILTER_VALUE_PAETH-1] = |
| 3960 png_read_filter_row_paeth_1byte_pixel; |
| 3961 else |
| 3962 pp->read_filter[PNG_FILTER_VALUE_PAETH-1] = |
| 3963 png_read_filter_row_paeth_multibyte_pixel; |
| 3964 |
| 3965 #ifdef PNG_FILTER_OPTIMIZATIONS |
| 3966 /* To use this define PNG_FILTER_OPTIMIZATIONS as the name of a function to |
| 3967 * call to install hardware optimizations for the above functions; simply |
| 3968 * replace whatever elements of the pp->read_filter[] array with a hardware |
| 3969 * specific (or, for that matter, generic) optimization. |
| 3970 * |
| 3971 * To see an example of this examine what configure.ac does when |
| 3972 * --enable-arm-neon is specified on the command line. |
| 3973 */ |
| 3974 PNG_FILTER_OPTIMIZATIONS(pp, bpp); |
| 3975 #endif |
| 3976 } |
2948 | 3977 |
2949 void /* PRIVATE */ | 3978 void /* PRIVATE */ |
2950 png_read_filter_row(png_structp png_ptr, png_row_infop row_info, png_bytep row, | 3979 png_read_filter_row(png_structrp pp, png_row_infop row_info, png_bytep row, |
2951 png_bytep prev_row, int filter) | 3980 png_const_bytep prev_row, int filter) |
2952 { | 3981 { |
2953 png_debug(1, "in png_read_filter_row"); | 3982 /* OPTIMIZATION: DO NOT MODIFY THIS FUNCTION, instead #define |
2954 png_debug2(2, "row = %lu, filter = %d", png_ptr->row_number, filter); | 3983 * PNG_FILTER_OPTIMIZATIONS to a function that overrides the generic |
2955 switch (filter) | 3984 * implementations. See png_init_filter_functions above. |
2956 { | 3985 */ |
2957 case PNG_FILTER_VALUE_NONE: | 3986 if (filter > PNG_FILTER_VALUE_NONE && filter < PNG_FILTER_VALUE_LAST) |
2958 break; | 3987 { |
2959 case PNG_FILTER_VALUE_SUB: | 3988 if (pp->read_filter[0] == NULL) |
2960 { | 3989 png_init_filter_functions(pp); |
2961 png_uint_32 i; | 3990 |
2962 png_uint_32 istop = row_info->rowbytes; | 3991 pp->read_filter[filter-1](row_info, row, prev_row); |
2963 png_uint_32 bpp = (row_info->pixel_depth + 7) >> 3; | |
2964 png_bytep rp = row + bpp; | |
2965 png_bytep lp = row; | |
2966 | |
2967 for (i = bpp; i < istop; i++) | |
2968 { | |
2969 *rp = (png_byte)(((int)(*rp) + (int)(*lp++)) & 0xff); | |
2970 rp++; | |
2971 } | |
2972 break; | |
2973 } | |
2974 case PNG_FILTER_VALUE_UP: | |
2975 { | |
2976 png_uint_32 i; | |
2977 png_uint_32 istop = row_info->rowbytes; | |
2978 png_bytep rp = row; | |
2979 png_bytep pp = prev_row; | |
2980 | |
2981 for (i = 0; i < istop; i++) | |
2982 { | |
2983 *rp = (png_byte)(((int)(*rp) + (int)(*pp++)) & 0xff); | |
2984 rp++; | |
2985 } | |
2986 break; | |
2987 } | |
2988 case PNG_FILTER_VALUE_AVG: | |
2989 { | |
2990 png_uint_32 i; | |
2991 png_bytep rp = row; | |
2992 png_bytep pp = prev_row; | |
2993 png_bytep lp = row; | |
2994 png_uint_32 bpp = (row_info->pixel_depth + 7) >> 3; | |
2995 png_uint_32 istop = row_info->rowbytes - bpp; | |
2996 | |
2997 for (i = 0; i < bpp; i++) | |
2998 { | |
2999 *rp = (png_byte)(((int)(*rp) + | |
3000 ((int)(*pp++) / 2 )) & 0xff); | |
3001 rp++; | |
3002 } | |
3003 | |
3004 for (i = 0; i < istop; i++) | |
3005 { | |
3006 *rp = (png_byte)(((int)(*rp) + | |
3007 (int)(*pp++ + *lp++) / 2 ) & 0xff); | |
3008 rp++; | |
3009 } | |
3010 break; | |
3011 } | |
3012 case PNG_FILTER_VALUE_PAETH: | |
3013 { | |
3014 png_uint_32 i; | |
3015 png_bytep rp = row; | |
3016 png_bytep pp = prev_row; | |
3017 png_bytep lp = row; | |
3018 png_bytep cp = prev_row; | |
3019 png_uint_32 bpp = (row_info->pixel_depth + 7) >> 3; | |
3020 png_uint_32 istop=row_info->rowbytes - bpp; | |
3021 | |
3022 for (i = 0; i < bpp; i++) | |
3023 { | |
3024 *rp = (png_byte)(((int)(*rp) + (int)(*pp++)) & 0xff); | |
3025 rp++; | |
3026 } | |
3027 | |
3028 for (i = 0; i < istop; i++) /* Use leftover rp,pp */ | |
3029 { | |
3030 int a, b, c, pa, pb, pc, p; | |
3031 | |
3032 a = *lp++; | |
3033 b = *pp++; | |
3034 c = *cp++; | |
3035 | |
3036 p = b - c; | |
3037 pc = a - c; | |
3038 | |
3039 #ifdef PNG_USE_ABS | |
3040 pa = abs(p); | |
3041 pb = abs(pc); | |
3042 pc = abs(p + pc); | |
3043 #else | |
3044 pa = p < 0 ? -p : p; | |
3045 pb = pc < 0 ? -pc : pc; | |
3046 pc = (p + pc) < 0 ? -(p + pc) : p + pc; | |
3047 #endif | |
3048 | |
3049 /* | |
3050 if (pa <= pb && pa <= pc) | |
3051 p = a; | |
3052 else if (pb <= pc) | |
3053 p = b; | |
3054 else | |
3055 p = c; | |
3056 */ | |
3057 | |
3058 p = (pa <= pb && pa <= pc) ? a : (pb <= pc) ? b : c; | |
3059 | |
3060 *rp = (png_byte)(((int)(*rp) + p) & 0xff); | |
3061 rp++; | |
3062 } | |
3063 break; | |
3064 } | |
3065 default: | |
3066 png_warning(png_ptr, "Ignoring bad adaptive filter type"); | |
3067 *row = 0; | |
3068 break; | |
3069 } | 3992 } |
3070 } | 3993 } |
3071 | 3994 |
3072 #ifdef PNG_SEQUENTIAL_READ_SUPPORTED | 3995 #ifdef PNG_SEQUENTIAL_READ_SUPPORTED |
3073 void /* PRIVATE */ | 3996 void /* PRIVATE */ |
3074 png_read_finish_row(png_structp png_ptr) | 3997 png_read_IDAT_data(png_structrp png_ptr, png_bytep output, |
3075 { | 3998 png_alloc_size_t avail_out) |
3076 #ifdef PNG_READ_INTERLACING_SUPPORTED | 3999 { |
3077 #ifndef PNG_USE_GLOBAL_ARRAYS | 4000 /* Loop reading IDATs and decompressing the result into output[avail_out] */ |
| 4001 png_ptr->zstream.next_out = output; |
| 4002 png_ptr->zstream.avail_out = 0; /* safety: set below */ |
| 4003 |
| 4004 if (output == NULL) |
| 4005 avail_out = 0; |
| 4006 |
| 4007 do |
| 4008 { |
| 4009 int ret; |
| 4010 png_byte tmpbuf[PNG_INFLATE_BUF_SIZE]; |
| 4011 |
| 4012 if (png_ptr->zstream.avail_in == 0) |
| 4013 { |
| 4014 uInt avail_in; |
| 4015 png_bytep buffer; |
| 4016 |
| 4017 while (png_ptr->idat_size == 0) |
| 4018 { |
| 4019 png_crc_finish(png_ptr, 0); |
| 4020 |
| 4021 png_ptr->idat_size = png_read_chunk_header(png_ptr); |
| 4022 /* This is an error even in the 'check' case because the code just |
| 4023 * consumed a non-IDAT header. |
| 4024 */ |
| 4025 if (png_ptr->chunk_name != png_IDAT) |
| 4026 png_error(png_ptr, "Not enough image data"); |
| 4027 } |
| 4028 |
| 4029 avail_in = png_ptr->IDAT_read_size; |
| 4030 |
| 4031 if (avail_in > png_ptr->idat_size) |
| 4032 avail_in = (uInt)png_ptr->idat_size; |
| 4033 |
| 4034 /* A PNG with a gradually increasing IDAT size will defeat this attempt |
| 4035 * to minimize memory usage by causing lots of re-allocs, but |
| 4036 * realistically doing IDAT_read_size re-allocs is not likely to be a |
| 4037 * big problem. |
| 4038 */ |
| 4039 buffer = png_read_buffer(png_ptr, avail_in, 0/*error*/); |
| 4040 |
| 4041 png_crc_read(png_ptr, buffer, avail_in); |
| 4042 png_ptr->idat_size -= avail_in; |
| 4043 |
| 4044 png_ptr->zstream.next_in = buffer; |
| 4045 png_ptr->zstream.avail_in = avail_in; |
| 4046 } |
| 4047 |
| 4048 /* And set up the output side. */ |
| 4049 if (output != NULL) /* standard read */ |
| 4050 { |
| 4051 uInt out = ZLIB_IO_MAX; |
| 4052 |
| 4053 if (out > avail_out) |
| 4054 out = (uInt)avail_out; |
| 4055 |
| 4056 avail_out -= out; |
| 4057 png_ptr->zstream.avail_out = out; |
| 4058 } |
| 4059 |
| 4060 else /* after last row, checking for end */ |
| 4061 { |
| 4062 png_ptr->zstream.next_out = tmpbuf; |
| 4063 png_ptr->zstream.avail_out = (sizeof tmpbuf); |
| 4064 } |
| 4065 |
| 4066 /* Use NO_FLUSH; this gives zlib the maximum opportunity to optimize the |
| 4067 * process. If the LZ stream is truncated the sequential reader will |
| 4068 * terminally damage the stream, above, by reading the chunk header of the |
| 4069 * following chunk (it then exits with png_error). |
| 4070 * |
| 4071 * TODO: deal more elegantly with truncated IDAT lists. |
| 4072 */ |
| 4073 ret = PNG_INFLATE(png_ptr, Z_NO_FLUSH); |
| 4074 |
| 4075 /* Take the unconsumed output back. */ |
| 4076 if (output != NULL) |
| 4077 avail_out += png_ptr->zstream.avail_out; |
| 4078 |
| 4079 else /* avail_out counts the extra bytes */ |
| 4080 avail_out += (sizeof tmpbuf) - png_ptr->zstream.avail_out; |
| 4081 |
| 4082 png_ptr->zstream.avail_out = 0; |
| 4083 |
| 4084 if (ret == Z_STREAM_END) |
| 4085 { |
| 4086 /* Do this for safety; we won't read any more into this row. */ |
| 4087 png_ptr->zstream.next_out = NULL; |
| 4088 |
| 4089 png_ptr->mode |= PNG_AFTER_IDAT; |
| 4090 png_ptr->flags |= PNG_FLAG_ZSTREAM_ENDED; |
| 4091 |
| 4092 if (png_ptr->zstream.avail_in > 0 || png_ptr->idat_size > 0) |
| 4093 png_chunk_benign_error(png_ptr, "Extra compressed data"); |
| 4094 break; |
| 4095 } |
| 4096 |
| 4097 if (ret != Z_OK) |
| 4098 { |
| 4099 png_zstream_error(png_ptr, ret); |
| 4100 |
| 4101 if (output != NULL) |
| 4102 png_chunk_error(png_ptr, png_ptr->zstream.msg); |
| 4103 |
| 4104 else /* checking */ |
| 4105 { |
| 4106 png_chunk_benign_error(png_ptr, png_ptr->zstream.msg); |
| 4107 return; |
| 4108 } |
| 4109 } |
| 4110 } while (avail_out > 0); |
| 4111 |
| 4112 if (avail_out > 0) |
| 4113 { |
| 4114 /* The stream ended before the image; this is the same as too few IDATs so |
| 4115 * should be handled the same way. |
| 4116 */ |
| 4117 if (output != NULL) |
| 4118 png_error(png_ptr, "Not enough image data"); |
| 4119 |
| 4120 else /* the deflate stream contained extra data */ |
| 4121 png_chunk_benign_error(png_ptr, "Too much image data"); |
| 4122 } |
| 4123 } |
| 4124 |
| 4125 void /* PRIVATE */ |
| 4126 png_read_finish_IDAT(png_structrp png_ptr) |
| 4127 { |
| 4128 /* We don't need any more data and the stream should have ended, however the |
| 4129 * LZ end code may actually not have been processed. In this case we must |
| 4130 * read it otherwise stray unread IDAT data or, more likely, an IDAT chunk |
| 4131 * may still remain to be consumed. |
| 4132 */ |
| 4133 if ((png_ptr->flags & PNG_FLAG_ZSTREAM_ENDED) == 0) |
| 4134 { |
| 4135 /* The NULL causes png_read_IDAT_data to swallow any remaining bytes in |
| 4136 * the compressed stream, but the stream may be damaged too, so even after |
| 4137 * this call we may need to terminate the zstream ownership. |
| 4138 */ |
| 4139 png_read_IDAT_data(png_ptr, NULL, 0); |
| 4140 png_ptr->zstream.next_out = NULL; /* safety */ |
| 4141 |
| 4142 /* Now clear everything out for safety; the following may not have been |
| 4143 * done. |
| 4144 */ |
| 4145 if ((png_ptr->flags & PNG_FLAG_ZSTREAM_ENDED) == 0) |
| 4146 { |
| 4147 png_ptr->mode |= PNG_AFTER_IDAT; |
| 4148 png_ptr->flags |= PNG_FLAG_ZSTREAM_ENDED; |
| 4149 } |
| 4150 } |
| 4151 |
| 4152 /* If the zstream has not been released do it now *and* terminate the reading |
| 4153 * of the final IDAT chunk. |
| 4154 */ |
| 4155 if (png_ptr->zowner == png_IDAT) |
| 4156 { |
| 4157 /* Always do this; the pointers otherwise point into the read buffer. */ |
| 4158 png_ptr->zstream.next_in = NULL; |
| 4159 png_ptr->zstream.avail_in = 0; |
| 4160 |
| 4161 /* Now we no longer own the zstream. */ |
| 4162 png_ptr->zowner = 0; |
| 4163 |
| 4164 /* The slightly weird semantics of the sequential IDAT reading is that we |
| 4165 * are always in or at the end of an IDAT chunk, so we always need to do a |
| 4166 * crc_finish here. If idat_size is non-zero we also need to read the |
| 4167 * spurious bytes at the end of the chunk now. |
| 4168 */ |
| 4169 (void)png_crc_finish(png_ptr, png_ptr->idat_size); |
| 4170 } |
| 4171 } |
| 4172 |
| 4173 void /* PRIVATE */ |
| 4174 png_read_finish_row(png_structrp png_ptr) |
| 4175 { |
3078 /* Arrays to facilitate easy interlacing - use pass (0 - 6) as index */ | 4176 /* Arrays to facilitate easy interlacing - use pass (0 - 6) as index */ |
3079 | 4177 |
3080 /* Start of interlace block */ | 4178 /* Start of interlace block */ |
3081 PNG_CONST int png_pass_start[7] = {0, 4, 0, 2, 0, 1, 0}; | 4179 static PNG_CONST png_byte png_pass_start[7] = {0, 4, 0, 2, 0, 1, 0}; |
3082 | 4180 |
3083 /* Offset to next interlace block */ | 4181 /* Offset to next interlace block */ |
3084 PNG_CONST int png_pass_inc[7] = {8, 8, 4, 4, 2, 2, 1}; | 4182 static PNG_CONST png_byte png_pass_inc[7] = {8, 8, 4, 4, 2, 2, 1}; |
3085 | 4183 |
3086 /* Start of interlace block in the y direction */ | 4184 /* Start of interlace block in the y direction */ |
3087 PNG_CONST int png_pass_ystart[7] = {0, 0, 4, 0, 2, 0, 1}; | 4185 static PNG_CONST png_byte png_pass_ystart[7] = {0, 0, 4, 0, 2, 0, 1}; |
3088 | 4186 |
3089 /* Offset to next interlace block in the y direction */ | 4187 /* Offset to next interlace block in the y direction */ |
3090 PNG_CONST int png_pass_yinc[7] = {8, 8, 8, 4, 4, 2, 2}; | 4188 static PNG_CONST png_byte png_pass_yinc[7] = {8, 8, 8, 4, 4, 2, 2}; |
3091 #endif | |
3092 #endif /* PNG_READ_INTERLACING_SUPPORTED */ | |
3093 | 4189 |
3094 png_debug(1, "in png_read_finish_row"); | 4190 png_debug(1, "in png_read_finish_row"); |
3095 png_ptr->row_number++; | 4191 png_ptr->row_number++; |
3096 if (png_ptr->row_number < png_ptr->num_rows) | 4192 if (png_ptr->row_number < png_ptr->num_rows) |
3097 return; | 4193 return; |
3098 | 4194 |
3099 #ifdef PNG_READ_INTERLACING_SUPPORTED | 4195 if (png_ptr->interlaced != 0) |
3100 if (png_ptr->interlaced) | |
3101 { | 4196 { |
3102 png_ptr->row_number = 0; | 4197 png_ptr->row_number = 0; |
3103 png_memset_check(png_ptr, png_ptr->prev_row, 0, | 4198 |
3104 png_ptr->rowbytes + 1); | 4199 /* TO DO: don't do this if prev_row isn't needed (requires |
| 4200 * read-ahead of the next row's filter byte. |
| 4201 */ |
| 4202 memset(png_ptr->prev_row, 0, png_ptr->rowbytes + 1); |
| 4203 |
3105 do | 4204 do |
3106 { | 4205 { |
3107 png_ptr->pass++; | 4206 png_ptr->pass++; |
| 4207 |
3108 if (png_ptr->pass >= 7) | 4208 if (png_ptr->pass >= 7) |
3109 break; | 4209 break; |
| 4210 |
3110 png_ptr->iwidth = (png_ptr->width + | 4211 png_ptr->iwidth = (png_ptr->width + |
3111 png_pass_inc[png_ptr->pass] - 1 - | 4212 png_pass_inc[png_ptr->pass] - 1 - |
3112 png_pass_start[png_ptr->pass]) / | 4213 png_pass_start[png_ptr->pass]) / |
3113 png_pass_inc[png_ptr->pass]; | 4214 png_pass_inc[png_ptr->pass]; |
3114 | 4215 |
3115 if (!(png_ptr->transformations & PNG_INTERLACE)) | 4216 if ((png_ptr->transformations & PNG_INTERLACE) == 0) |
3116 { | 4217 { |
3117 png_ptr->num_rows = (png_ptr->height + | 4218 png_ptr->num_rows = (png_ptr->height + |
3118 png_pass_yinc[png_ptr->pass] - 1 - | 4219 png_pass_yinc[png_ptr->pass] - 1 - |
3119 png_pass_ystart[png_ptr->pass]) / | 4220 png_pass_ystart[png_ptr->pass]) / |
3120 png_pass_yinc[png_ptr->pass]; | 4221 png_pass_yinc[png_ptr->pass]; |
3121 if (!(png_ptr->num_rows)) | |
3122 continue; | |
3123 } | 4222 } |
| 4223 |
3124 else /* if (png_ptr->transformations & PNG_INTERLACE) */ | 4224 else /* if (png_ptr->transformations & PNG_INTERLACE) */ |
3125 break; | 4225 break; /* libpng deinterlacing sees every row */ |
3126 } while (png_ptr->iwidth == 0); | 4226 |
| 4227 } while (png_ptr->num_rows == 0 || png_ptr->iwidth == 0); |
3127 | 4228 |
3128 if (png_ptr->pass < 7) | 4229 if (png_ptr->pass < 7) |
3129 return; | 4230 return; |
3130 } | 4231 } |
3131 #endif /* PNG_READ_INTERLACING_SUPPORTED */ | 4232 |
3132 | 4233 /* Here after at the end of the last row of the last pass. */ |
3133 if (!(png_ptr->flags & PNG_FLAG_ZLIB_FINISHED)) | 4234 png_read_finish_IDAT(png_ptr); |
3134 { | 4235 } |
3135 #ifdef PNG_USE_LOCAL_ARRAYS | 4236 #endif /* SEQUENTIAL_READ */ |
3136 PNG_CONST PNG_IDAT; | |
3137 #endif | |
3138 char extra; | |
3139 int ret; | |
3140 | |
3141 png_ptr->zstream.next_out = (Byte *)&extra; | |
3142 png_ptr->zstream.avail_out = (uInt)1; | |
3143 for (;;) | |
3144 { | |
3145 if (!(png_ptr->zstream.avail_in)) | |
3146 { | |
3147 while (!png_ptr->idat_size) | |
3148 { | |
3149 png_byte chunk_length[4]; | |
3150 | |
3151 png_crc_finish(png_ptr, 0); | |
3152 | |
3153 png_read_data(png_ptr, chunk_length, 4); | |
3154 png_ptr->idat_size = png_get_uint_31(png_ptr, chunk_length); | |
3155 png_reset_crc(png_ptr); | |
3156 png_crc_read(png_ptr, png_ptr->chunk_name, 4); | |
3157 if (png_memcmp(png_ptr->chunk_name, png_IDAT, 4)) | |
3158 png_error(png_ptr, "Not enough image data"); | |
3159 | |
3160 } | |
3161 png_ptr->zstream.avail_in = (uInt)png_ptr->zbuf_size; | |
3162 png_ptr->zstream.next_in = png_ptr->zbuf; | |
3163 if (png_ptr->zbuf_size > png_ptr->idat_size) | |
3164 png_ptr->zstream.avail_in = (uInt)png_ptr->idat_size; | |
3165 png_crc_read(png_ptr, png_ptr->zbuf, png_ptr->zstream.avail_in); | |
3166 png_ptr->idat_size -= png_ptr->zstream.avail_in; | |
3167 } | |
3168 ret = inflate(&png_ptr->zstream, Z_PARTIAL_FLUSH); | |
3169 if (ret == Z_STREAM_END) | |
3170 { | |
3171 if (!(png_ptr->zstream.avail_out) || png_ptr->zstream.avail_in || | |
3172 png_ptr->idat_size) | |
3173 png_warning(png_ptr, "Extra compressed data."); | |
3174 png_ptr->mode |= PNG_AFTER_IDAT; | |
3175 png_ptr->flags |= PNG_FLAG_ZLIB_FINISHED; | |
3176 break; | |
3177 } | |
3178 if (ret != Z_OK) | |
3179 png_error(png_ptr, png_ptr->zstream.msg ? png_ptr->zstream.msg : | |
3180 "Decompression Error"); | |
3181 | |
3182 if (!(png_ptr->zstream.avail_out)) | |
3183 { | |
3184 png_warning(png_ptr, "Extra compressed data."); | |
3185 png_ptr->mode |= PNG_AFTER_IDAT; | |
3186 png_ptr->flags |= PNG_FLAG_ZLIB_FINISHED; | |
3187 break; | |
3188 } | |
3189 | |
3190 } | |
3191 png_ptr->zstream.avail_out = 0; | |
3192 } | |
3193 | |
3194 if (png_ptr->idat_size || png_ptr->zstream.avail_in) | |
3195 png_warning(png_ptr, "Extra compression data."); | |
3196 | |
3197 inflateReset(&png_ptr->zstream); | |
3198 | |
3199 png_ptr->mode |= PNG_AFTER_IDAT; | |
3200 } | |
3201 #endif /* PNG_SEQUENTIAL_READ_SUPPORTED */ | |
3202 | 4237 |
3203 void /* PRIVATE */ | 4238 void /* PRIVATE */ |
3204 png_read_start_row(png_structp png_ptr) | 4239 png_read_start_row(png_structrp png_ptr) |
3205 { | 4240 { |
3206 #ifdef PNG_READ_INTERLACING_SUPPORTED | |
3207 #ifndef PNG_USE_GLOBAL_ARRAYS | |
3208 /* Arrays to facilitate easy interlacing - use pass (0 - 6) as index */ | 4241 /* Arrays to facilitate easy interlacing - use pass (0 - 6) as index */ |
3209 | 4242 |
3210 /* Start of interlace block */ | 4243 /* Start of interlace block */ |
3211 PNG_CONST int png_pass_start[7] = {0, 4, 0, 2, 0, 1, 0}; | 4244 static PNG_CONST png_byte png_pass_start[7] = {0, 4, 0, 2, 0, 1, 0}; |
3212 | 4245 |
3213 /* Offset to next interlace block */ | 4246 /* Offset to next interlace block */ |
3214 PNG_CONST int png_pass_inc[7] = {8, 8, 4, 4, 2, 2, 1}; | 4247 static PNG_CONST png_byte png_pass_inc[7] = {8, 8, 4, 4, 2, 2, 1}; |
3215 | 4248 |
3216 /* Start of interlace block in the y direction */ | 4249 /* Start of interlace block in the y direction */ |
3217 PNG_CONST int png_pass_ystart[7] = {0, 0, 4, 0, 2, 0, 1}; | 4250 static PNG_CONST png_byte png_pass_ystart[7] = {0, 0, 4, 0, 2, 0, 1}; |
3218 | 4251 |
3219 /* Offset to next interlace block in the y direction */ | 4252 /* Offset to next interlace block in the y direction */ |
3220 PNG_CONST int png_pass_yinc[7] = {8, 8, 8, 4, 4, 2, 2}; | 4253 static PNG_CONST png_byte png_pass_yinc[7] = {8, 8, 8, 4, 4, 2, 2}; |
3221 #endif | |
3222 #endif | |
3223 | 4254 |
3224 int max_pixel_depth; | 4255 int max_pixel_depth; |
3225 png_size_t row_bytes; | 4256 png_size_t row_bytes; |
3226 | 4257 |
3227 png_debug(1, "in png_read_start_row"); | 4258 png_debug(1, "in png_read_start_row"); |
3228 png_ptr->zstream.avail_in = 0; | 4259 |
| 4260 #ifdef PNG_READ_TRANSFORMS_SUPPORTED |
3229 png_init_read_transformations(png_ptr); | 4261 png_init_read_transformations(png_ptr); |
3230 #ifdef PNG_READ_INTERLACING_SUPPORTED | 4262 #endif |
3231 if (png_ptr->interlaced) | 4263 if (png_ptr->interlaced != 0) |
3232 { | 4264 { |
3233 if (!(png_ptr->transformations & PNG_INTERLACE)) | 4265 if ((png_ptr->transformations & PNG_INTERLACE) == 0) |
3234 png_ptr->num_rows = (png_ptr->height + png_pass_yinc[0] - 1 - | 4266 png_ptr->num_rows = (png_ptr->height + png_pass_yinc[0] - 1 - |
3235 png_pass_ystart[0]) / png_pass_yinc[0]; | 4267 png_pass_ystart[0]) / png_pass_yinc[0]; |
| 4268 |
3236 else | 4269 else |
3237 png_ptr->num_rows = png_ptr->height; | 4270 png_ptr->num_rows = png_ptr->height; |
3238 | 4271 |
3239 png_ptr->iwidth = (png_ptr->width + | 4272 png_ptr->iwidth = (png_ptr->width + |
3240 png_pass_inc[png_ptr->pass] - 1 - | 4273 png_pass_inc[png_ptr->pass] - 1 - |
3241 png_pass_start[png_ptr->pass]) / | 4274 png_pass_start[png_ptr->pass]) / |
3242 png_pass_inc[png_ptr->pass]; | 4275 png_pass_inc[png_ptr->pass]; |
3243 } | 4276 } |
| 4277 |
3244 else | 4278 else |
3245 #endif /* PNG_READ_INTERLACING_SUPPORTED */ | |
3246 { | 4279 { |
3247 png_ptr->num_rows = png_ptr->height; | 4280 png_ptr->num_rows = png_ptr->height; |
3248 png_ptr->iwidth = png_ptr->width; | 4281 png_ptr->iwidth = png_ptr->width; |
3249 } | 4282 } |
| 4283 |
3250 max_pixel_depth = png_ptr->pixel_depth; | 4284 max_pixel_depth = png_ptr->pixel_depth; |
3251 | 4285 |
| 4286 /* WARNING: * png_read_transform_info (pngrtran.c) performs a simpler set of |
| 4287 * calculations to calculate the final pixel depth, then |
| 4288 * png_do_read_transforms actually does the transforms. This means that the |
| 4289 * code which effectively calculates this value is actually repeated in three |
| 4290 * separate places. They must all match. Innocent changes to the order of |
| 4291 * transformations can and will break libpng in a way that causes memory |
| 4292 * overwrites. |
| 4293 * |
| 4294 * TODO: fix this. |
| 4295 */ |
3252 #ifdef PNG_READ_PACK_SUPPORTED | 4296 #ifdef PNG_READ_PACK_SUPPORTED |
3253 if ((png_ptr->transformations & PNG_PACK) && png_ptr->bit_depth < 8) | 4297 if ((png_ptr->transformations & PNG_PACK) != 0 && png_ptr->bit_depth < 8) |
3254 max_pixel_depth = 8; | 4298 max_pixel_depth = 8; |
3255 #endif | 4299 #endif |
3256 | 4300 |
3257 #ifdef PNG_READ_EXPAND_SUPPORTED | 4301 #ifdef PNG_READ_EXPAND_SUPPORTED |
3258 if (png_ptr->transformations & PNG_EXPAND) | 4302 if ((png_ptr->transformations & PNG_EXPAND) != 0) |
3259 { | 4303 { |
3260 if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) | 4304 if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) |
3261 { | 4305 { |
3262 if (png_ptr->num_trans) | 4306 if (png_ptr->num_trans != 0) |
3263 max_pixel_depth = 32; | 4307 max_pixel_depth = 32; |
| 4308 |
3264 else | 4309 else |
3265 max_pixel_depth = 24; | 4310 max_pixel_depth = 24; |
3266 } | 4311 } |
| 4312 |
3267 else if (png_ptr->color_type == PNG_COLOR_TYPE_GRAY) | 4313 else if (png_ptr->color_type == PNG_COLOR_TYPE_GRAY) |
3268 { | 4314 { |
3269 if (max_pixel_depth < 8) | 4315 if (max_pixel_depth < 8) |
3270 max_pixel_depth = 8; | 4316 max_pixel_depth = 8; |
3271 if (png_ptr->num_trans) | 4317 |
| 4318 if (png_ptr->num_trans != 0) |
3272 max_pixel_depth *= 2; | 4319 max_pixel_depth *= 2; |
3273 } | 4320 } |
| 4321 |
3274 else if (png_ptr->color_type == PNG_COLOR_TYPE_RGB) | 4322 else if (png_ptr->color_type == PNG_COLOR_TYPE_RGB) |
3275 { | 4323 { |
3276 if (png_ptr->num_trans) | 4324 if (png_ptr->num_trans != 0) |
3277 { | 4325 { |
3278 max_pixel_depth *= 4; | 4326 max_pixel_depth *= 4; |
3279 max_pixel_depth /= 3; | 4327 max_pixel_depth /= 3; |
3280 } | 4328 } |
3281 } | 4329 } |
3282 } | 4330 } |
3283 #endif | 4331 #endif |
3284 | 4332 |
| 4333 #ifdef PNG_READ_EXPAND_16_SUPPORTED |
| 4334 if ((png_ptr->transformations & PNG_EXPAND_16) != 0) |
| 4335 { |
| 4336 # ifdef PNG_READ_EXPAND_SUPPORTED |
| 4337 /* In fact it is an error if it isn't supported, but checking is |
| 4338 * the safe way. |
| 4339 */ |
| 4340 if ((png_ptr->transformations & PNG_EXPAND) != 0) |
| 4341 { |
| 4342 if (png_ptr->bit_depth < 16) |
| 4343 max_pixel_depth *= 2; |
| 4344 } |
| 4345 else |
| 4346 # endif |
| 4347 png_ptr->transformations &= ~PNG_EXPAND_16; |
| 4348 } |
| 4349 #endif |
| 4350 |
3285 #ifdef PNG_READ_FILLER_SUPPORTED | 4351 #ifdef PNG_READ_FILLER_SUPPORTED |
3286 if (png_ptr->transformations & (PNG_FILLER)) | 4352 if ((png_ptr->transformations & (PNG_FILLER)) != 0) |
3287 { | 4353 { |
3288 if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) | 4354 if (png_ptr->color_type == PNG_COLOR_TYPE_GRAY) |
3289 max_pixel_depth = 32; | |
3290 else if (png_ptr->color_type == PNG_COLOR_TYPE_GRAY) | |
3291 { | 4355 { |
3292 if (max_pixel_depth <= 8) | 4356 if (max_pixel_depth <= 8) |
3293 max_pixel_depth = 16; | 4357 max_pixel_depth = 16; |
| 4358 |
3294 else | 4359 else |
3295 max_pixel_depth = 32; | 4360 max_pixel_depth = 32; |
3296 } | 4361 } |
3297 else if (png_ptr->color_type == PNG_COLOR_TYPE_RGB) | 4362 |
| 4363 else if (png_ptr->color_type == PNG_COLOR_TYPE_RGB || |
| 4364 png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) |
3298 { | 4365 { |
3299 if (max_pixel_depth <= 32) | 4366 if (max_pixel_depth <= 32) |
3300 max_pixel_depth = 32; | 4367 max_pixel_depth = 32; |
| 4368 |
3301 else | 4369 else |
3302 max_pixel_depth = 64; | 4370 max_pixel_depth = 64; |
3303 } | 4371 } |
3304 } | 4372 } |
3305 #endif | 4373 #endif |
3306 | 4374 |
3307 #ifdef PNG_READ_GRAY_TO_RGB_SUPPORTED | 4375 #ifdef PNG_READ_GRAY_TO_RGB_SUPPORTED |
3308 if (png_ptr->transformations & PNG_GRAY_TO_RGB) | 4376 if ((png_ptr->transformations & PNG_GRAY_TO_RGB) != 0) |
3309 { | 4377 { |
3310 if ( | 4378 if ( |
3311 #ifdef PNG_READ_EXPAND_SUPPORTED | 4379 #ifdef PNG_READ_EXPAND_SUPPORTED |
3312 (png_ptr->num_trans && (png_ptr->transformations & PNG_EXPAND)) || | 4380 (png_ptr->num_trans != 0 && |
| 4381 (png_ptr->transformations & PNG_EXPAND) != 0) || |
3313 #endif | 4382 #endif |
3314 #ifdef PNG_READ_FILLER_SUPPORTED | 4383 #ifdef PNG_READ_FILLER_SUPPORTED |
3315 (png_ptr->transformations & (PNG_FILLER)) || | 4384 (png_ptr->transformations & (PNG_FILLER)) != 0 || |
3316 #endif | 4385 #endif |
3317 png_ptr->color_type == PNG_COLOR_TYPE_GRAY_ALPHA) | 4386 png_ptr->color_type == PNG_COLOR_TYPE_GRAY_ALPHA) |
3318 { | 4387 { |
3319 if (max_pixel_depth <= 16) | 4388 if (max_pixel_depth <= 16) |
3320 max_pixel_depth = 32; | 4389 max_pixel_depth = 32; |
| 4390 |
3321 else | 4391 else |
3322 max_pixel_depth = 64; | 4392 max_pixel_depth = 64; |
3323 } | 4393 } |
| 4394 |
3324 else | 4395 else |
3325 { | 4396 { |
3326 if (max_pixel_depth <= 8) | 4397 if (max_pixel_depth <= 8) |
3327 { | 4398 { |
3328 if (png_ptr->color_type == PNG_COLOR_TYPE_RGB_ALPHA) | 4399 if (png_ptr->color_type == PNG_COLOR_TYPE_RGB_ALPHA) |
3329 max_pixel_depth = 32; | 4400 max_pixel_depth = 32; |
3330 else | 4401 |
| 4402 else |
3331 max_pixel_depth = 24; | 4403 max_pixel_depth = 24; |
3332 } | 4404 } |
| 4405 |
3333 else if (png_ptr->color_type == PNG_COLOR_TYPE_RGB_ALPHA) | 4406 else if (png_ptr->color_type == PNG_COLOR_TYPE_RGB_ALPHA) |
3334 max_pixel_depth = 64; | 4407 max_pixel_depth = 64; |
| 4408 |
3335 else | 4409 else |
3336 max_pixel_depth = 48; | 4410 max_pixel_depth = 48; |
3337 } | 4411 } |
3338 } | 4412 } |
3339 #endif | 4413 #endif |
3340 | 4414 |
3341 #if defined(PNG_READ_USER_TRANSFORM_SUPPORTED) && \ | 4415 #if defined(PNG_READ_USER_TRANSFORM_SUPPORTED) && \ |
3342 defined(PNG_USER_TRANSFORM_PTR_SUPPORTED) | 4416 defined(PNG_USER_TRANSFORM_PTR_SUPPORTED) |
3343 if (png_ptr->transformations & PNG_USER_TRANSFORM) | 4417 if ((png_ptr->transformations & PNG_USER_TRANSFORM) != 0) |
3344 { | 4418 { |
3345 int user_pixel_depth = png_ptr->user_transform_depth* | 4419 int user_pixel_depth = png_ptr->user_transform_depth * |
3346 png_ptr->user_transform_channels; | 4420 png_ptr->user_transform_channels; |
3347 if (user_pixel_depth > max_pixel_depth) | 4421 |
3348 max_pixel_depth=user_pixel_depth; | 4422 if (user_pixel_depth > max_pixel_depth) |
3349 } | 4423 max_pixel_depth = user_pixel_depth; |
| 4424 } |
3350 #endif | 4425 #endif |
3351 | 4426 |
| 4427 /* This value is stored in png_struct and double checked in the row read |
| 4428 * code. |
| 4429 */ |
| 4430 png_ptr->maximum_pixel_depth = (png_byte)max_pixel_depth; |
| 4431 png_ptr->transformed_pixel_depth = 0; /* calculated on demand */ |
| 4432 |
3352 /* Align the width on the next larger 8 pixels. Mainly used | 4433 /* Align the width on the next larger 8 pixels. Mainly used |
3353 * for interlacing | 4434 * for interlacing |
3354 */ | 4435 */ |
3355 row_bytes = ((png_ptr->width + 7) & ~((png_uint_32)7)); | 4436 row_bytes = ((png_ptr->width + 7) & ~((png_uint_32)7)); |
3356 /* Calculate the maximum bytes needed, adding a byte and a pixel | 4437 /* Calculate the maximum bytes needed, adding a byte and a pixel |
3357 * for safety's sake | 4438 * for safety's sake |
3358 */ | 4439 */ |
3359 row_bytes = PNG_ROWBYTES(max_pixel_depth, row_bytes) + | 4440 row_bytes = PNG_ROWBYTES(max_pixel_depth, row_bytes) + |
3360 1 + ((max_pixel_depth + 7) >> 3); | 4441 1 + ((max_pixel_depth + 7) >> 3); |
| 4442 |
3361 #ifdef PNG_MAX_MALLOC_64K | 4443 #ifdef PNG_MAX_MALLOC_64K |
3362 if (row_bytes > (png_uint_32)65536L) | 4444 if (row_bytes > (png_uint_32)65536L) |
3363 png_error(png_ptr, "This image requires a row greater than 64KB"); | 4445 png_error(png_ptr, "This image requires a row greater than 64KB"); |
3364 #endif | 4446 #endif |
3365 | 4447 |
3366 if (row_bytes + 64 > png_ptr->old_big_row_buf_size) | 4448 if (row_bytes + 48 > png_ptr->old_big_row_buf_size) |
3367 { | 4449 { |
3368 png_free(png_ptr, png_ptr->big_row_buf); | 4450 png_free(png_ptr, png_ptr->big_row_buf); |
3369 if (png_ptr->interlaced) | 4451 png_free(png_ptr, png_ptr->big_prev_row); |
| 4452 |
| 4453 if (png_ptr->interlaced != 0) |
3370 png_ptr->big_row_buf = (png_bytep)png_calloc(png_ptr, | 4454 png_ptr->big_row_buf = (png_bytep)png_calloc(png_ptr, |
3371 row_bytes + 64); | 4455 row_bytes + 48); |
| 4456 |
3372 else | 4457 else |
3373 png_ptr->big_row_buf = (png_bytep)png_malloc(png_ptr, | 4458 png_ptr->big_row_buf = (png_bytep)png_malloc(png_ptr, row_bytes + 48); |
3374 row_bytes + 64); | |
3375 png_ptr->old_big_row_buf_size = row_bytes + 64; | |
3376 | 4459 |
3377 /* Use 32 bytes of padding before and after row_buf. */ | 4460 png_ptr->big_prev_row = (png_bytep)png_malloc(png_ptr, row_bytes + 48); |
3378 png_ptr->row_buf = png_ptr->big_row_buf + 32; | 4461 |
3379 png_ptr->old_big_row_buf_size = row_bytes + 64; | 4462 #ifdef PNG_ALIGNED_MEMORY_SUPPORTED |
| 4463 /* Use 16-byte aligned memory for row_buf with at least 16 bytes |
| 4464 * of padding before and after row_buf; treat prev_row similarly. |
| 4465 * NOTE: the alignment is to the start of the pixels, one beyond the start |
| 4466 * of the buffer, because of the filter byte. Prior to libpng 1.5.6 this |
| 4467 * was incorrect; the filter byte was aligned, which had the exact |
| 4468 * opposite effect of that intended. |
| 4469 */ |
| 4470 { |
| 4471 png_bytep temp = png_ptr->big_row_buf + 32; |
| 4472 int extra = (int)((temp - (png_bytep)0) & 0x0f); |
| 4473 png_ptr->row_buf = temp - extra - 1/*filter byte*/; |
| 4474 |
| 4475 temp = png_ptr->big_prev_row + 32; |
| 4476 extra = (int)((temp - (png_bytep)0) & 0x0f); |
| 4477 png_ptr->prev_row = temp - extra - 1/*filter byte*/; |
| 4478 } |
| 4479 |
| 4480 #else |
| 4481 /* Use 31 bytes of padding before and 17 bytes after row_buf. */ |
| 4482 png_ptr->row_buf = png_ptr->big_row_buf + 31; |
| 4483 png_ptr->prev_row = png_ptr->big_prev_row + 31; |
| 4484 #endif |
| 4485 png_ptr->old_big_row_buf_size = row_bytes + 48; |
3380 } | 4486 } |
3381 | 4487 |
3382 #ifdef PNG_MAX_MALLOC_64K | 4488 #ifdef PNG_MAX_MALLOC_64K |
3383 if ((png_uint_32)row_bytes + 1 > (png_uint_32)65536L) | 4489 if (png_ptr->rowbytes > 65535) |
3384 png_error(png_ptr, "This image requires a row greater than 64KB"); | 4490 png_error(png_ptr, "This image requires a row greater than 64KB"); |
| 4491 |
3385 #endif | 4492 #endif |
3386 if ((png_uint_32)row_bytes > (png_uint_32)(PNG_SIZE_MAX - 1)) | 4493 if (png_ptr->rowbytes > (PNG_SIZE_MAX - 1)) |
3387 png_error(png_ptr, "Row has too many bytes to allocate in memory."); | 4494 png_error(png_ptr, "Row has too many bytes to allocate in memory"); |
3388 | 4495 |
3389 if (row_bytes + 1 > png_ptr->old_prev_row_size) | 4496 memset(png_ptr->prev_row, 0, png_ptr->rowbytes + 1); |
| 4497 |
| 4498 png_debug1(3, "width = %u,", png_ptr->width); |
| 4499 png_debug1(3, "height = %u,", png_ptr->height); |
| 4500 png_debug1(3, "iwidth = %u,", png_ptr->iwidth); |
| 4501 png_debug1(3, "num_rows = %u,", png_ptr->num_rows); |
| 4502 png_debug1(3, "rowbytes = %lu,", (unsigned long)png_ptr->rowbytes); |
| 4503 png_debug1(3, "irowbytes = %lu", |
| 4504 (unsigned long)PNG_ROWBYTES(png_ptr->pixel_depth, png_ptr->iwidth) + 1); |
| 4505 |
| 4506 /* The sequential reader needs a buffer for IDAT, but the progressive reader |
| 4507 * does not, so free the read buffer now regardless; the sequential reader |
| 4508 * reallocates it on demand. |
| 4509 */ |
| 4510 if (png_ptr->read_buffer != 0) |
3390 { | 4511 { |
3391 png_free(png_ptr, png_ptr->prev_row); | 4512 png_bytep buffer = png_ptr->read_buffer; |
3392 png_ptr->prev_row = (png_bytep)png_malloc(png_ptr, (png_uint_32)( | 4513 |
3393 row_bytes + 1)); | 4514 png_ptr->read_buffer_size = 0; |
3394 png_memset_check(png_ptr, png_ptr->prev_row, 0, row_bytes + 1); | 4515 png_ptr->read_buffer = NULL; |
3395 png_ptr->old_prev_row_size = row_bytes + 1; | 4516 png_free(png_ptr, buffer); |
3396 } | 4517 } |
3397 | 4518 |
3398 png_ptr->rowbytes = row_bytes; | 4519 /* Finally claim the zstream for the inflate of the IDAT data, use the bits |
3399 | 4520 * value from the stream (note that this will result in a fatal error if the |
3400 png_debug1(3, "width = %lu,", png_ptr->width); | 4521 * IDAT stream has a bogus deflate header window_bits value, but this should |
3401 png_debug1(3, "height = %lu,", png_ptr->height); | 4522 * not be happening any longer!) |
3402 png_debug1(3, "iwidth = %lu,", png_ptr->iwidth); | 4523 */ |
3403 png_debug1(3, "num_rows = %lu,", png_ptr->num_rows); | 4524 if (png_inflate_claim(png_ptr, png_IDAT) != Z_OK) |
3404 png_debug1(3, "rowbytes = %lu,", png_ptr->rowbytes); | 4525 png_error(png_ptr, png_ptr->zstream.msg); |
3405 png_debug1(3, "irowbytes = %lu", | |
3406 PNG_ROWBYTES(png_ptr->pixel_depth, png_ptr->iwidth) + 1); | |
3407 | 4526 |
3408 png_ptr->flags |= PNG_FLAG_ROW_INIT; | 4527 png_ptr->flags |= PNG_FLAG_ROW_INIT; |
3409 } | 4528 } |
3410 #endif /* PNG_READ_SUPPORTED */ | 4529 #endif /* READ */ |
OLD | NEW |