Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(49)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: third_party/libpng/pngrutil.c

Issue 2021403002: Update libpng to 1.6.22 (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Rearrange pnglibconf.h Created 4 years, 6 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« no previous file with comments | « third_party/libpng/pngrtran.c ('k') | third_party/libpng/pngset.c » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 1
2 /* pngrutil.c - utilities to read a PNG file 2 /* pngrutil.c - utilities to read a PNG file
3 * 3 *
4 * Last changed in libpng 1.2.55 [%RDATE%] 4 * Last changed in libpng 1.6.20 [December 3, 2014]
5 * Copyright (c) 1998-2002,2004,2006-2015 Glenn Randers-Pehrson 5 * Copyright (c) 1998-2002,2004,2006-2015 Glenn Randers-Pehrson
6 * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger) 6 * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
7 * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.) 7 * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
8 * 8 *
9 * This code is released under the libpng license. 9 * This code is released under the libpng license.
10 * For conditions of distribution and use, see the disclaimer 10 * For conditions of distribution and use, see the disclaimer
11 * and license in png.h 11 * and license in png.h
12 * 12 *
13 * This file contains routines that are only called from within 13 * This file contains routines that are only called from within
14 * libpng itself during the course of reading an image. 14 * libpng itself during the course of reading an image.
15 */ 15 */
16 16
17 #define PNG_INTERNAL 17 #include "pngpriv.h"
18 #define PNG_NO_PEDANTIC_WARNINGS 18
19 #include "png.h"
20 #ifdef PNG_READ_SUPPORTED 19 #ifdef PNG_READ_SUPPORTED
21 20
22 #if defined(_WIN32_WCE) && (_WIN32_WCE<0x500) 21 png_uint_32 PNGAPI
23 # define WIN32_WCE_OLD 22 png_get_uint_31(png_const_structrp png_ptr, png_const_bytep buf)
24 #endif 23 {
25 24 png_uint_32 uval = png_get_uint_32(buf);
26 #ifdef PNG_FLOATING_POINT_SUPPORTED 25
27 # ifdef WIN32_WCE_OLD 26 if (uval > PNG_UINT_31_MAX)
28 /* The strtod() function is not supported on WindowsCE */ 27 png_error(png_ptr, "PNG unsigned integer out of range");
29 __inline double png_strtod(png_structp png_ptr, PNG_CONST char *nptr, 28
30 char **endptr) 29 return (uval);
31 { 30 }
32 double result = 0; 31
33 int len; 32 #if defined(PNG_READ_gAMA_SUPPORTED) || defined(PNG_READ_cHRM_SUPPORTED)
34 wchar_t *str, *end; 33 /* The following is a variation on the above for use with the fixed
35 34 * point values used for gAMA and cHRM. Instead of png_error it
36 len = MultiByteToWideChar(CP_ACP, 0, nptr, -1, NULL, 0); 35 * issues a warning and returns (-1) - an invalid value because both
37 str = (wchar_t *)png_malloc(png_ptr, len * png_sizeof(wchar_t)); 36 * gAMA and cHRM use *unsigned* integers for fixed point values.
38 if ( NULL != str ) 37 */
38 #define PNG_FIXED_ERROR (-1)
39
40 static png_fixed_point /* PRIVATE */
41 png_get_fixed_point(png_structrp png_ptr, png_const_bytep buf)
42 {
43 png_uint_32 uval = png_get_uint_32(buf);
44
45 if (uval <= PNG_UINT_31_MAX)
46 return (png_fixed_point)uval; /* known to be in range */
47
48 /* The caller can turn off the warning by passing NULL. */
49 if (png_ptr != NULL)
50 png_warning(png_ptr, "PNG fixed point integer out of range");
51
52 return PNG_FIXED_ERROR;
53 }
54 #endif
55
56 #ifdef PNG_READ_INT_FUNCTIONS_SUPPORTED
57 /* NOTE: the read macros will obscure these definitions, so that if
58 * PNG_USE_READ_MACROS is set the library will not use them internally,
59 * but the APIs will still be available externally.
60 *
61 * The parentheses around "PNGAPI function_name" in the following three
62 * functions are necessary because they allow the macros to co-exist with
63 * these (unused but exported) functions.
64 */
65
66 /* Grab an unsigned 32-bit integer from a buffer in big-endian format. */
67 png_uint_32 (PNGAPI
68 png_get_uint_32)(png_const_bytep buf)
69 {
70 png_uint_32 uval =
71 ((png_uint_32)(*(buf )) << 24) +
72 ((png_uint_32)(*(buf + 1)) << 16) +
73 ((png_uint_32)(*(buf + 2)) << 8) +
74 ((png_uint_32)(*(buf + 3)) ) ;
75
76 return uval;
77 }
78
79 /* Grab a signed 32-bit integer from a buffer in big-endian format. The
80 * data is stored in the PNG file in two's complement format and there
81 * is no guarantee that a 'png_int_32' is exactly 32 bits, therefore
82 * the following code does a two's complement to native conversion.
83 */
84 png_int_32 (PNGAPI
85 png_get_int_32)(png_const_bytep buf)
86 {
87 png_uint_32 uval = png_get_uint_32(buf);
88 if ((uval & 0x80000000) == 0) /* non-negative */
89 return uval;
90
91 uval = (uval ^ 0xffffffff) + 1; /* 2's complement: -x = ~x+1 */
92 if ((uval & 0x80000000) == 0) /* no overflow */
93 return -(png_int_32)uval;
94 /* The following has to be safe; this function only gets called on PNG data
95 * and if we get here that data is invalid. 0 is the most safe value and
96 * if not then an attacker would surely just generate a PNG with 0 instead.
97 */
98 return 0;
99 }
100
101 /* Grab an unsigned 16-bit integer from a buffer in big-endian format. */
102 png_uint_16 (PNGAPI
103 png_get_uint_16)(png_const_bytep buf)
104 {
105 /* ANSI-C requires an int value to accomodate at least 16 bits so this
106 * works and allows the compiler not to worry about possible narrowing
107 * on 32-bit systems. (Pre-ANSI systems did not make integers smaller
108 * than 16 bits either.)
109 */
110 unsigned int val =
111 ((unsigned int)(*buf) << 8) +
112 ((unsigned int)(*(buf + 1)));
113
114 return (png_uint_16)val;
115 }
116
117 #endif /* READ_INT_FUNCTIONS */
118
119 /* Read and check the PNG file signature */
120 void /* PRIVATE */
121 png_read_sig(png_structrp png_ptr, png_inforp info_ptr)
122 {
123 png_size_t num_checked, num_to_check;
124
125 /* Exit if the user application does not expect a signature. */
126 if (png_ptr->sig_bytes >= 8)
127 return;
128
129 num_checked = png_ptr->sig_bytes;
130 num_to_check = 8 - num_checked;
131
132 #ifdef PNG_IO_STATE_SUPPORTED
133 png_ptr->io_state = PNG_IO_READING | PNG_IO_SIGNATURE;
134 #endif
135
136 /* The signature must be serialized in a single I/O call. */
137 png_read_data(png_ptr, &(info_ptr->signature[num_checked]), num_to_check);
138 png_ptr->sig_bytes = 8;
139
140 if (png_sig_cmp(info_ptr->signature, num_checked, num_to_check) != 0)
39 { 141 {
40 MultiByteToWideChar(CP_ACP, 0, nptr, -1, str, len); 142 if (num_checked < 4 &&
41 result = wcstod(str, &end); 143 png_sig_cmp(info_ptr->signature, num_checked, num_to_check - 4))
42 len = WideCharToMultiByte(CP_ACP, 0, end, -1, NULL, 0, NULL, NULL); 144 png_error(png_ptr, "Not a PNG file");
43 *endptr = (char *)nptr + (png_strlen(nptr) - len + 1); 145 else
44 png_free(png_ptr, str); 146 png_error(png_ptr, "PNG file corrupted by ASCII conversion");
45 } 147 }
46 return result; 148 if (num_checked < 3)
47 } 149 png_ptr->mode |= PNG_HAVE_PNG_SIGNATURE;
48 # else 150 }
49 # define png_strtod(p,a,b) strtod(a,b)
50 # endif
51 #endif
52
53 png_uint_32 PNGAPI
54 png_get_uint_31(png_structp png_ptr, png_bytep buf)
55 {
56 #ifdef PNG_READ_BIG_ENDIAN_SUPPORTED
57 png_uint_32 i = png_get_uint_32(buf);
58 #else
59 /* Avoid an extra function call by inlining the result. */
60 png_uint_32 i = ((png_uint_32)((*(buf )) & 0xff) << 24) +
61 ((png_uint_32)((*(buf + 1)) & 0xff) << 16) +
62 ((png_uint_32)((*(buf + 2)) & 0xff) << 8) +
63 ((png_uint_32)((*(buf + 3)) & 0xff) );
64 #endif
65 if (i > PNG_UINT_31_MAX)
66 png_error(png_ptr, "PNG unsigned integer out of range.");
67 return (i);
68 }
69 #ifndef PNG_READ_BIG_ENDIAN_SUPPORTED
70 /* Grab an unsigned 32-bit integer from a buffer in big-endian format. */
71 png_uint_32 PNGAPI
72 png_get_uint_32(png_bytep buf)
73 {
74 png_uint_32 i = ((png_uint_32)((*(buf )) & 0xff) << 24) +
75 ((png_uint_32)((*(buf + 1)) & 0xff) << 16) +
76 ((png_uint_32)((*(buf + 2)) & 0xff) << 8) +
77 ((png_uint_32)((*(buf + 3)) & 0xff) );
78
79 return (i);
80 }
81
82 /* Grab a signed 32-bit integer from a buffer in big-endian format. The
83 * data is stored in the PNG file in two's complement format, and it is
84 * assumed that the machine format for signed integers is the same.
85 */
86 png_int_32 PNGAPI
87 png_get_int_32(png_bytep buf)
88 {
89 png_int_32 i = ((png_int_32)((*(buf )) & 0xff) << 24) +
90 ((png_int_32)((*(buf + 1)) & 0xff) << 16) +
91 ((png_int_32)((*(buf + 2)) & 0xff) << 8) +
92 ((png_int_32)((*(buf + 3)) & 0xff) );
93
94 return (i);
95 }
96
97 /* Grab an unsigned 16-bit integer from a buffer in big-endian format. */
98 png_uint_16 PNGAPI
99 png_get_uint_16(png_bytep buf)
100 {
101 png_uint_16 i = ((png_uint_16)((*(buf )) & 0xff) << 8) +
102 ((png_uint_16)((*(buf + 1)) & 0xff) );
103
104 return (i);
105 }
106 #endif /* PNG_READ_BIG_ENDIAN_SUPPORTED */
107 151
108 /* Read the chunk header (length + type name). 152 /* Read the chunk header (length + type name).
109 * Put the type name into png_ptr->chunk_name, and return the length. 153 * Put the type name into png_ptr->chunk_name, and return the length.
110 */ 154 */
111 png_uint_32 /* PRIVATE */ 155 png_uint_32 /* PRIVATE */
112 png_read_chunk_header(png_structp png_ptr) 156 png_read_chunk_header(png_structrp png_ptr)
113 { 157 {
114 png_byte buf[8]; 158 png_byte buf[8];
115 png_uint_32 length; 159 png_uint_32 length;
116 160
117 /* Read the length and the chunk name */ 161 #ifdef PNG_IO_STATE_SUPPORTED
162 png_ptr->io_state = PNG_IO_READING | PNG_IO_CHUNK_HDR;
163 #endif
164
165 /* Read the length and the chunk name.
166 * This must be performed in a single I/O call.
167 */
118 png_read_data(png_ptr, buf, 8); 168 png_read_data(png_ptr, buf, 8);
119 length = png_get_uint_31(png_ptr, buf); 169 length = png_get_uint_31(png_ptr, buf);
120 170
121 /* Put the chunk name into png_ptr->chunk_name */ 171 /* Put the chunk name into png_ptr->chunk_name. */
122 png_memcpy(png_ptr->chunk_name, buf + 4, 4); 172 png_ptr->chunk_name = PNG_CHUNK_FROM_STRING(buf+4);
123 173
124 png_debug2(0, "Reading %s chunk, length = %lu", 174 png_debug2(0, "Reading %lx chunk, length = %lu",
125 png_ptr->chunk_name, length); 175 (unsigned long)png_ptr->chunk_name, (unsigned long)length);
126 176
127 /* Reset the crc and run it over the chunk name */ 177 /* Reset the crc and run it over the chunk name. */
128 png_reset_crc(png_ptr); 178 png_reset_crc(png_ptr);
129 png_calculate_crc(png_ptr, png_ptr->chunk_name, 4); 179 png_calculate_crc(png_ptr, buf + 4, 4);
130 180
131 /* Check to see if chunk name is valid */ 181 /* Check to see if chunk name is valid. */
132 png_check_chunk_name(png_ptr, png_ptr->chunk_name); 182 png_check_chunk_name(png_ptr, png_ptr->chunk_name);
133 183
184 #ifdef PNG_IO_STATE_SUPPORTED
185 png_ptr->io_state = PNG_IO_READING | PNG_IO_CHUNK_DATA;
186 #endif
187
134 return length; 188 return length;
135 } 189 }
136 190
137 /* Read data, and (optionally) run it through the CRC. */ 191 /* Read data, and (optionally) run it through the CRC. */
138 void /* PRIVATE */ 192 void /* PRIVATE */
139 png_crc_read(png_structp png_ptr, png_bytep buf, png_size_t length) 193 png_crc_read(png_structrp png_ptr, png_bytep buf, png_uint_32 length)
140 { 194 {
141 if (png_ptr == NULL) 195 if (png_ptr == NULL)
142 return; 196 return;
197
143 png_read_data(png_ptr, buf, length); 198 png_read_data(png_ptr, buf, length);
144 png_calculate_crc(png_ptr, buf, length); 199 png_calculate_crc(png_ptr, buf, length);
145 } 200 }
146 201
147 /* Optionally skip data and then check the CRC. Depending on whether we 202 /* Optionally skip data and then check the CRC. Depending on whether we
148 * are reading a ancillary or critical chunk, and how the program has set 203 * are reading an ancillary or critical chunk, and how the program has set
149 * things up, we may calculate the CRC on the data and print a message. 204 * things up, we may calculate the CRC on the data and print a message.
150 * Returns '1' if there was a CRC error, '0' otherwise. 205 * Returns '1' if there was a CRC error, '0' otherwise.
151 */ 206 */
152 int /* PRIVATE */ 207 int /* PRIVATE */
153 png_crc_finish(png_structp png_ptr, png_uint_32 skip) 208 png_crc_finish(png_structrp png_ptr, png_uint_32 skip)
154 { 209 {
155 png_size_t i; 210 /* The size of the local buffer for inflate is a good guess as to a
156 png_size_t istop = png_ptr->zbuf_size; 211 * reasonable size to use for buffering reads from the application.
157 212 */
158 for (i = (png_size_t)skip; i > istop; i -= istop) 213 while (skip > 0)
159 { 214 {
160 png_crc_read(png_ptr, png_ptr->zbuf, png_ptr->zbuf_size); 215 png_uint_32 len;
216 png_byte tmpbuf[PNG_INFLATE_BUF_SIZE];
217
218 len = (sizeof tmpbuf);
219 if (len > skip)
220 len = skip;
221 skip -= len;
222
223 png_crc_read(png_ptr, tmpbuf, len);
161 } 224 }
162 if (i) 225
226 if (png_crc_error(png_ptr) != 0)
163 { 227 {
164 png_crc_read(png_ptr, png_ptr->zbuf, i); 228 if (PNG_CHUNK_ANCILLARY(png_ptr->chunk_name) != 0 ?
165 } 229 (png_ptr->flags & PNG_FLAG_CRC_ANCILLARY_NOWARN) == 0 :
166 230 (png_ptr->flags & PNG_FLAG_CRC_CRITICAL_USE) != 0)
167 if (png_crc_error(png_ptr))
168 {
169 if (((png_ptr->chunk_name[0] & 0x20) && /* Ancillary */
170 !(png_ptr->flags & PNG_FLAG_CRC_ANCILLARY_NOWARN)) ||
171 (!(png_ptr->chunk_name[0] & 0x20) && /* Critical */
172 (png_ptr->flags & PNG_FLAG_CRC_CRITICAL_USE)))
173 { 231 {
174 png_chunk_warning(png_ptr, "CRC error"); 232 png_chunk_warning(png_ptr, "CRC error");
175 } 233 }
234
176 else 235 else
177 {
178 png_chunk_error(png_ptr, "CRC error"); 236 png_chunk_error(png_ptr, "CRC error");
179 } 237
180 return (1); 238 return (1);
181 } 239 }
182 240
183 return (0); 241 return (0);
184 } 242 }
185 243
186 /* Compare the CRC stored in the PNG file with that calculated by libpng from 244 /* Compare the CRC stored in the PNG file with that calculated by libpng from
187 * the data it has read thus far. 245 * the data it has read thus far.
188 */ 246 */
189 int /* PRIVATE */ 247 int /* PRIVATE */
190 png_crc_error(png_structp png_ptr) 248 png_crc_error(png_structrp png_ptr)
191 { 249 {
192 png_byte crc_bytes[4]; 250 png_byte crc_bytes[4];
193 png_uint_32 crc; 251 png_uint_32 crc;
194 int need_crc = 1; 252 int need_crc = 1;
195 253
196 if (png_ptr->chunk_name[0] & 0x20) /* ancillary */ 254 if (PNG_CHUNK_ANCILLARY(png_ptr->chunk_name) != 0)
197 { 255 {
198 if ((png_ptr->flags & PNG_FLAG_CRC_ANCILLARY_MASK) == 256 if ((png_ptr->flags & PNG_FLAG_CRC_ANCILLARY_MASK) ==
199 (PNG_FLAG_CRC_ANCILLARY_USE | PNG_FLAG_CRC_ANCILLARY_NOWARN)) 257 (PNG_FLAG_CRC_ANCILLARY_USE | PNG_FLAG_CRC_ANCILLARY_NOWARN))
200 need_crc = 0; 258 need_crc = 0;
201 } 259 }
202 else /* critical */ 260
203 { 261 else /* critical */
204 if (png_ptr->flags & PNG_FLAG_CRC_CRITICAL_IGNORE) 262 {
263 if ((png_ptr->flags & PNG_FLAG_CRC_CRITICAL_IGNORE) != 0)
205 need_crc = 0; 264 need_crc = 0;
206 } 265 }
207 266
267 #ifdef PNG_IO_STATE_SUPPORTED
268 png_ptr->io_state = PNG_IO_READING | PNG_IO_CHUNK_CRC;
269 #endif
270
271 /* The chunk CRC must be serialized in a single I/O call. */
208 png_read_data(png_ptr, crc_bytes, 4); 272 png_read_data(png_ptr, crc_bytes, 4);
209 273
210 if (need_crc) 274 if (need_crc != 0)
211 { 275 {
212 crc = png_get_uint_32(crc_bytes); 276 crc = png_get_uint_32(crc_bytes);
213 return ((int)(crc != png_ptr->crc)); 277 return ((int)(crc != png_ptr->crc));
214 } 278 }
279
215 else 280 else
216 return (0); 281 return (0);
217 } 282 }
218 283
219 #if defined(PNG_READ_zTXt_SUPPORTED) || defined(PNG_READ_iTXt_SUPPORTED) || \ 284 #if defined(PNG_READ_iCCP_SUPPORTED) || defined(PNG_READ_iTXt_SUPPORTED) ||\
220 defined(PNG_READ_iCCP_SUPPORTED) 285 defined(PNG_READ_pCAL_SUPPORTED) || defined(PNG_READ_sCAL_SUPPORTED) ||\
221 static png_size_t 286 defined(PNG_READ_sPLT_SUPPORTED) || defined(PNG_READ_tEXt_SUPPORTED) ||\
222 png_inflate(png_structp png_ptr, const png_byte *data, png_size_t size, 287 defined(PNG_READ_zTXt_SUPPORTED) || defined(PNG_SEQUENTIAL_READ_SUPPORTED)
223 png_bytep output, png_size_t output_size) 288 /* Manage the read buffer; this simply reallocates the buffer if it is not small
224 { 289 * enough (or if it is not allocated). The routine returns a pointer to the
225 png_size_t count = 0; 290 * buffer; if an error occurs and 'warn' is set the routine returns NULL, else
226 291 * it will call png_error (via png_malloc) on failure. (warn == 2 means
227 png_ptr->zstream.next_in = (png_bytep)data; /* const_cast: VALID */ 292 * 'silent').
228 png_ptr->zstream.avail_in = size; 293 */
229 294 static png_bytep
230 while (1) 295 png_read_buffer(png_structrp png_ptr, png_alloc_size_t new_size, int warn)
231 { 296 {
232 int ret, avail; 297 png_bytep buffer = png_ptr->read_buffer;
233 298
234 /* Reset the output buffer each time round - we empty it 299 if (buffer != NULL && new_size > png_ptr->read_buffer_size)
235 * after every inflate call. 300 {
301 png_ptr->read_buffer = NULL;
302 png_ptr->read_buffer = NULL;
303 png_ptr->read_buffer_size = 0;
304 png_free(png_ptr, buffer);
305 buffer = NULL;
306 }
307
308 if (buffer == NULL)
309 {
310 buffer = png_voidcast(png_bytep, png_malloc_base(png_ptr, new_size));
311
312 if (buffer != NULL)
313 {
314 png_ptr->read_buffer = buffer;
315 png_ptr->read_buffer_size = new_size;
316 }
317
318 else if (warn < 2) /* else silent */
319 {
320 if (warn != 0)
321 png_chunk_warning(png_ptr, "insufficient memory to read chunk");
322
323 else
324 png_chunk_error(png_ptr, "insufficient memory to read chunk");
325 }
326 }
327
328 return buffer;
329 }
330 #endif /* READ_iCCP|iTXt|pCAL|sCAL|sPLT|tEXt|zTXt|SEQUENTIAL_READ */
331
332 /* png_inflate_claim: claim the zstream for some nefarious purpose that involves
333 * decompression. Returns Z_OK on success, else a zlib error code. It checks
334 * the owner but, in final release builds, just issues a warning if some other
335 * chunk apparently owns the stream. Prior to release it does a png_error.
336 */
337 static int
338 png_inflate_claim(png_structrp png_ptr, png_uint_32 owner)
339 {
340 if (png_ptr->zowner != 0)
341 {
342 char msg[64];
343
344 PNG_STRING_FROM_CHUNK(msg, png_ptr->zowner);
345 /* So the message that results is "<chunk> using zstream"; this is an
346 * internal error, but is very useful for debugging. i18n requirements
347 * are minimal.
236 */ 348 */
237 png_ptr->zstream.next_out = png_ptr->zbuf; 349 (void)png_safecat(msg, (sizeof msg), 4, " using zstream");
238 png_ptr->zstream.avail_out = png_ptr->zbuf_size; 350 #if PNG_RELEASE_BUILD
239 351 png_chunk_warning(png_ptr, msg);
240 ret = inflate(&png_ptr->zstream, Z_NO_FLUSH); 352 png_ptr->zowner = 0;
241 avail = png_ptr->zbuf_size - png_ptr->zstream.avail_out; 353 #else
242 354 png_chunk_error(png_ptr, msg);
243 /* First copy/count any new output - but only if we didn't 355 #endif
244 * get an error code. 356 }
357
358 /* Implementation note: unlike 'png_deflate_claim' this internal function
359 * does not take the size of the data as an argument. Some efficiency could
360 * be gained by using this when it is known *if* the zlib stream itself does
361 * not record the number; however, this is an illusion: the original writer
362 * of the PNG may have selected a lower window size, and we really must
363 * follow that because, for systems with with limited capabilities, we
364 * would otherwise reject the application's attempts to use a smaller window
365 * size (zlib doesn't have an interface to say "this or lower"!).
366 *
367 * inflateReset2 was added to zlib 1.2.4; before this the window could not be
368 * reset, therefore it is necessary to always allocate the maximum window
369 * size with earlier zlibs just in case later compressed chunks need it.
370 */
371 {
372 int ret; /* zlib return code */
373 #if PNG_ZLIB_VERNUM >= 0x1240
374
375 # if defined(PNG_SET_OPTION_SUPPORTED) && defined(PNG_MAXIMUM_INFLATE_WINDOW)
376 int window_bits;
377
378 if (((png_ptr->options >> PNG_MAXIMUM_INFLATE_WINDOW) & 3) ==
379 PNG_OPTION_ON)
380 {
381 window_bits = 15;
382 png_ptr->zstream_start = 0; /* fixed window size */
383 }
384
385 else
386 {
387 window_bits = 0;
388 png_ptr->zstream_start = 1;
389 }
390 # else
391 # define window_bits 0
392 # endif
393 #endif
394
395 /* Set this for safety, just in case the previous owner left pointers to
396 * memory allocations.
245 */ 397 */
246 if ((ret == Z_OK || ret == Z_STREAM_END) && avail > 0) 398 png_ptr->zstream.next_in = NULL;
247 { 399 png_ptr->zstream.avail_in = 0;
248 if (output != 0 && output_size > count) 400 png_ptr->zstream.next_out = NULL;
401 png_ptr->zstream.avail_out = 0;
402
403 if ((png_ptr->flags & PNG_FLAG_ZSTREAM_INITIALIZED) != 0)
404 {
405 #if PNG_ZLIB_VERNUM < 0x1240
406 ret = inflateReset(&png_ptr->zstream);
407 #else
408 ret = inflateReset2(&png_ptr->zstream, window_bits);
409 #endif
410 }
411
412 else
413 {
414 #if PNG_ZLIB_VERNUM < 0x1240
415 ret = inflateInit(&png_ptr->zstream);
416 #else
417 ret = inflateInit2(&png_ptr->zstream, window_bits);
418 #endif
419
420 if (ret == Z_OK)
421 png_ptr->flags |= PNG_FLAG_ZSTREAM_INITIALIZED;
422 }
423
424 if (ret == Z_OK)
425 png_ptr->zowner = owner;
426
427 else
428 png_zstream_error(png_ptr, ret);
429
430 return ret;
431 }
432
433 #ifdef window_bits
434 # undef window_bits
435 #endif
436 }
437
438 #if PNG_ZLIB_VERNUM >= 0x1240
439 /* Handle the start of the inflate stream if we called inflateInit2(strm,0);
440 * in this case some zlib versions skip validation of the CINFO field and, in
441 * certain circumstances, libpng may end up displaying an invalid image, in
442 * contrast to implementations that call zlib in the normal way (e.g. libpng
443 * 1.5).
444 */
445 int /* PRIVATE */
446 png_zlib_inflate(png_structrp png_ptr, int flush)
447 {
448 if (png_ptr->zstream_start && png_ptr->zstream.avail_in > 0)
449 {
450 if ((*png_ptr->zstream.next_in >> 4) > 7)
451 {
452 png_ptr->zstream.msg = "invalid window size (libpng)";
453 return Z_DATA_ERROR;
454 }
455
456 png_ptr->zstream_start = 0;
457 }
458
459 return inflate(&png_ptr->zstream, flush);
460 }
461 #endif /* Zlib >= 1.2.4 */
462
463 #ifdef PNG_READ_COMPRESSED_TEXT_SUPPORTED
464 /* png_inflate now returns zlib error codes including Z_OK and Z_STREAM_END to
465 * allow the caller to do multiple calls if required. If the 'finish' flag is
466 * set Z_FINISH will be passed to the final inflate() call and Z_STREAM_END must
467 * be returned or there has been a problem, otherwise Z_SYNC_FLUSH is used and
468 * Z_OK or Z_STREAM_END will be returned on success.
469 *
470 * The input and output sizes are updated to the actual amounts of data consumed
471 * or written, not the amount available (as in a z_stream). The data pointers
472 * are not changed, so the next input is (data+input_size) and the next
473 * available output is (output+output_size).
474 */
475 static int
476 png_inflate(png_structrp png_ptr, png_uint_32 owner, int finish,
477 /* INPUT: */ png_const_bytep input, png_uint_32p input_size_ptr,
478 /* OUTPUT: */ png_bytep output, png_alloc_size_t *output_size_ptr)
479 {
480 if (png_ptr->zowner == owner) /* Else not claimed */
481 {
482 int ret;
483 png_alloc_size_t avail_out = *output_size_ptr;
484 png_uint_32 avail_in = *input_size_ptr;
485
486 /* zlib can't necessarily handle more than 65535 bytes at once (i.e. it
487 * can't even necessarily handle 65536 bytes) because the type uInt is
488 * "16 bits or more". Consequently it is necessary to chunk the input to
489 * zlib. This code uses ZLIB_IO_MAX, from pngpriv.h, as the maximum (the
490 * maximum value that can be stored in a uInt.) It is possible to set
491 * ZLIB_IO_MAX to a lower value in pngpriv.h and this may sometimes have
492 * a performance advantage, because it reduces the amount of data accessed
493 * at each step and that may give the OS more time to page it in.
494 */
495 png_ptr->zstream.next_in = PNGZ_INPUT_CAST(input);
496 /* avail_in and avail_out are set below from 'size' */
497 png_ptr->zstream.avail_in = 0;
498 png_ptr->zstream.avail_out = 0;
499
500 /* Read directly into the output if it is available (this is set to
501 * a local buffer below if output is NULL).
502 */
503 if (output != NULL)
504 png_ptr->zstream.next_out = output;
505
506 do
507 {
508 uInt avail;
509 Byte local_buffer[PNG_INFLATE_BUF_SIZE];
510
511 /* zlib INPUT BUFFER */
512 /* The setting of 'avail_in' used to be outside the loop; by setting it
513 * inside it is possible to chunk the input to zlib and simply rely on
514 * zlib to advance the 'next_in' pointer. This allows arbitrary
515 * amounts of data to be passed through zlib at the unavoidable cost of
516 * requiring a window save (memcpy of up to 32768 output bytes)
517 * every ZLIB_IO_MAX input bytes.
518 */
519 avail_in += png_ptr->zstream.avail_in; /* not consumed last time */
520
521 avail = ZLIB_IO_MAX;
522
523 if (avail_in < avail)
524 avail = (uInt)avail_in; /* safe: < than ZLIB_IO_MAX */
525
526 avail_in -= avail;
527 png_ptr->zstream.avail_in = avail;
528
529 /* zlib OUTPUT BUFFER */
530 avail_out += png_ptr->zstream.avail_out; /* not written last time */
531
532 avail = ZLIB_IO_MAX; /* maximum zlib can process */
533
534 if (output == NULL)
249 { 535 {
250 png_size_t copy = output_size - count; 536 /* Reset the output buffer each time round if output is NULL and
251 if ((png_size_t) avail < copy) copy = (png_size_t) avail; 537 * make available the full buffer, up to 'remaining_space'
252 png_memcpy(output + count, png_ptr->zbuf, copy); 538 */
539 png_ptr->zstream.next_out = local_buffer;
540 if ((sizeof local_buffer) < avail)
541 avail = (sizeof local_buffer);
253 } 542 }
254 count += avail; 543
255 } 544 if (avail_out < avail)
256 545 avail = (uInt)avail_out; /* safe: < ZLIB_IO_MAX */
257 if (ret == Z_OK) 546
258 continue; 547 png_ptr->zstream.avail_out = avail;
259 548 avail_out -= avail;
260 /* Termination conditions - always reset the zstream, it 549
261 * must be left in inflateInit state. 550 /* zlib inflate call */
551 /* In fact 'avail_out' may be 0 at this point, that happens at the end
552 * of the read when the final LZ end code was not passed at the end of
553 * the previous chunk of input data. Tell zlib if we have reached the
554 * end of the output buffer.
555 */
556 ret = PNG_INFLATE(png_ptr, avail_out > 0 ? Z_NO_FLUSH :
557 (finish ? Z_FINISH : Z_SYNC_FLUSH));
558 } while (ret == Z_OK);
559
560 /* For safety kill the local buffer pointer now */
561 if (output == NULL)
562 png_ptr->zstream.next_out = NULL;
563
564 /* Claw back the 'size' and 'remaining_space' byte counts. */
565 avail_in += png_ptr->zstream.avail_in;
566 avail_out += png_ptr->zstream.avail_out;
567
568 /* Update the input and output sizes; the updated values are the amount
569 * consumed or written, effectively the inverse of what zlib uses.
262 */ 570 */
263 png_ptr->zstream.avail_in = 0; 571 if (avail_out > 0)
264 inflateReset(&png_ptr->zstream); 572 *output_size_ptr -= avail_out;
265 573
266 if (ret == Z_STREAM_END) 574 if (avail_in > 0)
267 return count; /* NOTE: may be zero. */ 575 *input_size_ptr -= avail_in;
268 576
269 /* Now handle the error codes - the API always returns 0 577 /* Ensure png_ptr->zstream.msg is set (even in the success case!) */
270 * and the error message is dumped into the uncompressed 578 png_zstream_error(png_ptr, ret);
271 * buffer if available. 579 return ret;
580 }
581
582 else
583 {
584 /* This is a bad internal error. The recovery assigns to the zstream msg
585 * pointer, which is not owned by the caller, but this is safe; it's only
586 * used on errors!
272 */ 587 */
273 { 588 png_ptr->zstream.msg = PNGZ_MSG_CAST("zstream unclaimed");
274 PNG_CONST char *msg; 589 return Z_STREAM_ERROR;
275 if (png_ptr->zstream.msg != 0)
276 msg = png_ptr->zstream.msg;
277 else
278 {
279 #if defined(PNG_STDIO_SUPPORTED) && !defined(_WIN32_WCE)
280 char umsg[52];
281
282 switch (ret)
283 {
284 case Z_BUF_ERROR:
285 msg = "Buffer error in compressed datastream in %s chunk";
286 break;
287 case Z_DATA_ERROR:
288 msg = "Data error in compressed datastream in %s chunk";
289 break;
290 default:
291 msg = "Incomplete compressed datastream in %s chunk";
292 break;
293 }
294
295 png_snprintf(umsg, sizeof umsg, msg, png_ptr->chunk_name);
296 msg = umsg;
297 png_warning(png_ptr, msg);
298 #else
299 msg = "Damaged compressed datastream in chunk other than IDAT";
300 #endif
301 }
302
303 #ifndef PNG_STDIO_SUPPORTED
304 png_warning(png_ptr, msg);
305 #endif
306 }
307
308 /* 0 means an error - notice that this code simple ignores
309 * zero length compressed chunks as a result.
310 */
311 return 0;
312 } 590 }
313 } 591 }
314 592
315 /* 593 /*
316 * Decompress trailing data in a chunk. The assumption is that chunkdata 594 * Decompress trailing data in a chunk. The assumption is that read_buffer
317 * points at an allocated area holding the contents of a chunk with a 595 * points at an allocated area holding the contents of a chunk with a
318 * trailing compressed part. What we get back is an allocated area 596 * trailing compressed part. What we get back is an allocated area
319 * holding the original prefix part and an uncompressed version of the 597 * holding the original prefix part and an uncompressed version of the
320 * trailing part (the malloc area passed in is freed). 598 * trailing part (the malloc area passed in is freed).
321 */ 599 */
600 static int
601 png_decompress_chunk(png_structrp png_ptr,
602 png_uint_32 chunklength, png_uint_32 prefix_size,
603 png_alloc_size_t *newlength /* must be initialized to the maximum! */,
604 int terminate /*add a '\0' to the end of the uncompressed data*/)
605 {
606 /* TODO: implement different limits for different types of chunk.
607 *
608 * The caller supplies *newlength set to the maximum length of the
609 * uncompressed data, but this routine allocates space for the prefix and
610 * maybe a '\0' terminator too. We have to assume that 'prefix_size' is
611 * limited only by the maximum chunk size.
612 */
613 png_alloc_size_t limit = PNG_SIZE_MAX;
614
615 # ifdef PNG_SET_USER_LIMITS_SUPPORTED
616 if (png_ptr->user_chunk_malloc_max > 0 &&
617 png_ptr->user_chunk_malloc_max < limit)
618 limit = png_ptr->user_chunk_malloc_max;
619 # elif PNG_USER_CHUNK_MALLOC_MAX > 0
620 if (PNG_USER_CHUNK_MALLOC_MAX < limit)
621 limit = PNG_USER_CHUNK_MALLOC_MAX;
622 # endif
623
624 if (limit >= prefix_size + (terminate != 0))
625 {
626 int ret;
627
628 limit -= prefix_size + (terminate != 0);
629
630 if (limit < *newlength)
631 *newlength = limit;
632
633 /* Now try to claim the stream. */
634 ret = png_inflate_claim(png_ptr, png_ptr->chunk_name);
635
636 if (ret == Z_OK)
637 {
638 png_uint_32 lzsize = chunklength - prefix_size;
639
640 ret = png_inflate(png_ptr, png_ptr->chunk_name, 1/*finish*/,
641 /* input: */ png_ptr->read_buffer + prefix_size, &lzsize,
642 /* output: */ NULL, newlength);
643
644 if (ret == Z_STREAM_END)
645 {
646 /* Use 'inflateReset' here, not 'inflateReset2' because this
647 * preserves the previously decided window size (otherwise it would
648 * be necessary to store the previous window size.) In practice
649 * this doesn't matter anyway, because png_inflate will call inflate
650 * with Z_FINISH in almost all cases, so the window will not be
651 * maintained.
652 */
653 if (inflateReset(&png_ptr->zstream) == Z_OK)
654 {
655 /* Because of the limit checks above we know that the new,
656 * expanded, size will fit in a size_t (let alone an
657 * png_alloc_size_t). Use png_malloc_base here to avoid an
658 * extra OOM message.
659 */
660 png_alloc_size_t new_size = *newlength;
661 png_alloc_size_t buffer_size = prefix_size + new_size +
662 (terminate != 0);
663 png_bytep text = png_voidcast(png_bytep, png_malloc_base(png_ptr,
664 buffer_size));
665
666 if (text != NULL)
667 {
668 ret = png_inflate(png_ptr, png_ptr->chunk_name, 1/*finish*/,
669 png_ptr->read_buffer + prefix_size, &lzsize,
670 text + prefix_size, newlength);
671
672 if (ret == Z_STREAM_END)
673 {
674 if (new_size == *newlength)
675 {
676 if (terminate != 0)
677 text[prefix_size + *newlength] = 0;
678
679 if (prefix_size > 0)
680 memcpy(text, png_ptr->read_buffer, prefix_size);
681
682 {
683 png_bytep old_ptr = png_ptr->read_buffer;
684
685 png_ptr->read_buffer = text;
686 png_ptr->read_buffer_size = buffer_size;
687 text = old_ptr; /* freed below */
688 }
689 }
690
691 else
692 {
693 /* The size changed on the second read, there can be no
694 * guarantee that anything is correct at this point.
695 * The 'msg' pointer has been set to "unexpected end of
696 * LZ stream", which is fine, but return an error code
697 * that the caller won't accept.
698 */
699 ret = PNG_UNEXPECTED_ZLIB_RETURN;
700 }
701 }
702
703 else if (ret == Z_OK)
704 ret = PNG_UNEXPECTED_ZLIB_RETURN; /* for safety */
705
706 /* Free the text pointer (this is the old read_buffer on
707 * success)
708 */
709 png_free(png_ptr, text);
710
711 /* This really is very benign, but it's still an error because
712 * the extra space may otherwise be used as a Trojan Horse.
713 */
714 if (ret == Z_STREAM_END &&
715 chunklength - prefix_size != lzsize)
716 png_chunk_benign_error(png_ptr, "extra compressed data");
717 }
718
719 else
720 {
721 /* Out of memory allocating the buffer */
722 ret = Z_MEM_ERROR;
723 png_zstream_error(png_ptr, Z_MEM_ERROR);
724 }
725 }
726
727 else
728 {
729 /* inflateReset failed, store the error message */
730 png_zstream_error(png_ptr, ret);
731
732 if (ret == Z_STREAM_END)
733 ret = PNG_UNEXPECTED_ZLIB_RETURN;
734 }
735 }
736
737 else if (ret == Z_OK)
738 ret = PNG_UNEXPECTED_ZLIB_RETURN;
739
740 /* Release the claimed stream */
741 png_ptr->zowner = 0;
742 }
743
744 else /* the claim failed */ if (ret == Z_STREAM_END) /* impossible! */
745 ret = PNG_UNEXPECTED_ZLIB_RETURN;
746
747 return ret;
748 }
749
750 else
751 {
752 /* Application/configuration limits exceeded */
753 png_zstream_error(png_ptr, Z_MEM_ERROR);
754 return Z_MEM_ERROR;
755 }
756 }
757 #endif /* READ_COMPRESSED_TEXT */
758
759 #ifdef PNG_READ_iCCP_SUPPORTED
760 /* Perform a partial read and decompress, producing 'avail_out' bytes and
761 * reading from the current chunk as required.
762 */
763 static int
764 png_inflate_read(png_structrp png_ptr, png_bytep read_buffer, uInt read_size,
765 png_uint_32p chunk_bytes, png_bytep next_out, png_alloc_size_t *out_size,
766 int finish)
767 {
768 if (png_ptr->zowner == png_ptr->chunk_name)
769 {
770 int ret;
771
772 /* next_in and avail_in must have been initialized by the caller. */
773 png_ptr->zstream.next_out = next_out;
774 png_ptr->zstream.avail_out = 0; /* set in the loop */
775
776 do
777 {
778 if (png_ptr->zstream.avail_in == 0)
779 {
780 if (read_size > *chunk_bytes)
781 read_size = (uInt)*chunk_bytes;
782 *chunk_bytes -= read_size;
783
784 if (read_size > 0)
785 png_crc_read(png_ptr, read_buffer, read_size);
786
787 png_ptr->zstream.next_in = read_buffer;
788 png_ptr->zstream.avail_in = read_size;
789 }
790
791 if (png_ptr->zstream.avail_out == 0)
792 {
793 uInt avail = ZLIB_IO_MAX;
794 if (avail > *out_size)
795 avail = (uInt)*out_size;
796 *out_size -= avail;
797
798 png_ptr->zstream.avail_out = avail;
799 }
800
801 /* Use Z_SYNC_FLUSH when there is no more chunk data to ensure that all
802 * the available output is produced; this allows reading of truncated
803 * streams.
804 */
805 ret = PNG_INFLATE(png_ptr,
806 *chunk_bytes > 0 ? Z_NO_FLUSH : (finish ? Z_FINISH : Z_SYNC_FLUSH));
807 }
808 while (ret == Z_OK && (*out_size > 0 || png_ptr->zstream.avail_out > 0));
809
810 *out_size += png_ptr->zstream.avail_out;
811 png_ptr->zstream.avail_out = 0; /* Should not be required, but is safe */
812
813 /* Ensure the error message pointer is always set: */
814 png_zstream_error(png_ptr, ret);
815 return ret;
816 }
817
818 else
819 {
820 png_ptr->zstream.msg = PNGZ_MSG_CAST("zstream unclaimed");
821 return Z_STREAM_ERROR;
822 }
823 }
824 #endif
825
826 /* Read and check the IDHR chunk */
827
322 void /* PRIVATE */ 828 void /* PRIVATE */
323 png_decompress_chunk(png_structp png_ptr, int comp_type, 829 png_handle_IHDR(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
324 png_size_t chunklength,
325 png_size_t prefix_size, png_size_t *newlength)
326 {
327 /* The caller should guarantee this */
328 if (prefix_size > chunklength)
329 {
330 /* The recovery is to delete the chunk. */
331 png_warning(png_ptr, "invalid chunklength");
332 prefix_size = 0; /* To delete everything */
333 }
334
335 else if (comp_type == PNG_COMPRESSION_TYPE_BASE)
336 {
337 png_size_t expanded_size = png_inflate(png_ptr,
338 (png_bytep)(png_ptr->chunkdata + prefix_size),
339 chunklength - prefix_size,
340 0/*output*/, 0/*output size*/);
341
342 /* Now check the limits on this chunk - if the limit fails the
343 * compressed data will be removed, the prefix will remain.
344 */
345 if (prefix_size >= (~(png_size_t)0) - 1 ||
346 expanded_size >= (~(png_size_t)0) - 1 - prefix_size
347 #ifdef PNG_USER_CHUNK_MALLOC_MAX
348 || ((PNG_USER_CHUNK_MALLOC_MAX > 0) &&
349 prefix_size + expanded_size >= PNG_USER_CHUNK_MALLOC_MAX - 1)
350 #endif
351 )
352 png_warning(png_ptr, "Exceeded size limit while expanding chunk");
353
354 /* If the size is zero either there was an error and a message
355 * has already been output (warning) or the size really is zero
356 * and we have nothing to do - the code will exit through the
357 * error case below.
358 */
359 else if (expanded_size > 0)
360 {
361 /* Success (maybe) - really uncompress the chunk. */
362 png_size_t new_size = 0;
363
364 png_charp text = png_malloc_warn(png_ptr,
365 prefix_size + expanded_size + 1);
366
367 if (text != NULL)
368 {
369 png_memcpy(text, png_ptr->chunkdata, prefix_size);
370 new_size = png_inflate(png_ptr,
371 (png_bytep)(png_ptr->chunkdata + prefix_size),
372 chunklength - prefix_size,
373 (png_bytep)(text + prefix_size), expanded_size);
374 text[prefix_size + expanded_size] = 0; /* just in case */
375
376 if (new_size == expanded_size)
377 {
378 png_free(png_ptr, png_ptr->chunkdata);
379 png_ptr->chunkdata = text;
380 *newlength = prefix_size + expanded_size;
381 return; /* The success return! */
382 }
383
384 png_warning(png_ptr, "png_inflate logic error");
385 png_free(png_ptr, text);
386 }
387 else
388 png_warning(png_ptr, "Not enough memory to decompress chunk.");
389 }
390 }
391
392 else /* if (comp_type != PNG_COMPRESSION_TYPE_BASE) */
393 {
394 #if defined(PNG_STDIO_SUPPORTED) && !defined(_WIN32_WCE)
395 char umsg[50];
396
397 png_snprintf(umsg, sizeof umsg, "Unknown zTXt compression type %d",
398 comp_type);
399 png_warning(png_ptr, umsg);
400 #else
401 png_warning(png_ptr, "Unknown zTXt compression type");
402 #endif
403
404 /* The recovery is to simply drop the data. */
405 }
406
407 /* Generic error return - leave the prefix, delete the compressed
408 * data, reallocate the chunkdata to remove the potentially large
409 * amount of compressed data.
410 */
411 {
412 png_charp text = png_malloc_warn(png_ptr, prefix_size + 1);
413 if (text != NULL)
414 {
415 if (prefix_size > 0)
416 png_memcpy(text, png_ptr->chunkdata, prefix_size);
417 png_free(png_ptr, png_ptr->chunkdata);
418 png_ptr->chunkdata = text;
419
420 /* This is an extra zero in the 'uncompressed' part. */
421 *(png_ptr->chunkdata + prefix_size) = 0x00;
422 }
423 /* Ignore a malloc error here - it is safe. */
424 }
425
426 *newlength = prefix_size;
427 }
428 #endif
429
430 /* Read and check the IDHR chunk */
431 void /* PRIVATE */
432 png_handle_IHDR(png_structp png_ptr, png_infop info_ptr, png_uint_32 length)
433 { 830 {
434 png_byte buf[13]; 831 png_byte buf[13];
435 png_uint_32 width, height; 832 png_uint_32 width, height;
436 int bit_depth, color_type, compression_type, filter_type; 833 int bit_depth, color_type, compression_type, filter_type;
437 int interlace_type; 834 int interlace_type;
438 835
439 png_debug(1, "in png_handle_IHDR"); 836 png_debug(1, "in png_handle_IHDR");
440 837
441 if (png_ptr->mode & PNG_HAVE_IHDR) 838 if ((png_ptr->mode & PNG_HAVE_IHDR) != 0)
442 png_error(png_ptr, "Out of place IHDR"); 839 png_chunk_error(png_ptr, "out of place");
443 840
444 /* Check the length */ 841 /* Check the length */
445 if (length != 13) 842 if (length != 13)
446 png_error(png_ptr, "Invalid IHDR chunk"); 843 png_chunk_error(png_ptr, "invalid");
447 844
448 png_ptr->mode |= PNG_HAVE_IHDR; 845 png_ptr->mode |= PNG_HAVE_IHDR;
449 846
450 png_crc_read(png_ptr, buf, 13); 847 png_crc_read(png_ptr, buf, 13);
451 png_crc_finish(png_ptr, 0); 848 png_crc_finish(png_ptr, 0);
452 849
453 width = png_get_uint_31(png_ptr, buf); 850 width = png_get_uint_31(png_ptr, buf);
454 height = png_get_uint_31(png_ptr, buf + 4); 851 height = png_get_uint_31(png_ptr, buf + 4);
455 bit_depth = buf[8]; 852 bit_depth = buf[8];
456 color_type = buf[9]; 853 color_type = buf[9];
457 compression_type = buf[10]; 854 compression_type = buf[10];
458 filter_type = buf[11]; 855 filter_type = buf[11];
459 interlace_type = buf[12]; 856 interlace_type = buf[12];
460 857
461 /* Set internal variables */ 858 /* Set internal variables */
462 png_ptr->width = width; 859 png_ptr->width = width;
463 png_ptr->height = height; 860 png_ptr->height = height;
464 png_ptr->bit_depth = (png_byte)bit_depth; 861 png_ptr->bit_depth = (png_byte)bit_depth;
465 png_ptr->interlaced = (png_byte)interlace_type; 862 png_ptr->interlaced = (png_byte)interlace_type;
466 png_ptr->color_type = (png_byte)color_type; 863 png_ptr->color_type = (png_byte)color_type;
467 #ifdef PNG_MNG_FEATURES_SUPPORTED 864 #ifdef PNG_MNG_FEATURES_SUPPORTED
468 png_ptr->filter_type = (png_byte)filter_type; 865 png_ptr->filter_type = (png_byte)filter_type;
469 #endif 866 #endif
470 png_ptr->compression_type = (png_byte)compression_type; 867 png_ptr->compression_type = (png_byte)compression_type;
471 868
472 /* Find number of channels */ 869 /* Find number of channels */
473 switch (png_ptr->color_type) 870 switch (png_ptr->color_type)
474 { 871 {
872 default: /* invalid, png_set_IHDR calls png_error */
475 case PNG_COLOR_TYPE_GRAY: 873 case PNG_COLOR_TYPE_GRAY:
476 case PNG_COLOR_TYPE_PALETTE: 874 case PNG_COLOR_TYPE_PALETTE:
477 png_ptr->channels = 1; 875 png_ptr->channels = 1;
478 break; 876 break;
479 877
480 case PNG_COLOR_TYPE_RGB: 878 case PNG_COLOR_TYPE_RGB:
481 png_ptr->channels = 3; 879 png_ptr->channels = 3;
482 break; 880 break;
483 881
484 case PNG_COLOR_TYPE_GRAY_ALPHA: 882 case PNG_COLOR_TYPE_GRAY_ALPHA:
485 png_ptr->channels = 2; 883 png_ptr->channels = 2;
486 break; 884 break;
487 885
488 case PNG_COLOR_TYPE_RGB_ALPHA: 886 case PNG_COLOR_TYPE_RGB_ALPHA:
489 png_ptr->channels = 4; 887 png_ptr->channels = 4;
490 break; 888 break;
491 } 889 }
492 890
493 /* Set up other useful info */ 891 /* Set up other useful info */
494 png_ptr->pixel_depth = (png_byte)(png_ptr->bit_depth * 892 png_ptr->pixel_depth = (png_byte)(png_ptr->bit_depth * png_ptr->channels);
495 png_ptr->channels);
496 png_ptr->rowbytes = PNG_ROWBYTES(png_ptr->pixel_depth, png_ptr->width); 893 png_ptr->rowbytes = PNG_ROWBYTES(png_ptr->pixel_depth, png_ptr->width);
497 png_debug1(3, "bit_depth = %d", png_ptr->bit_depth); 894 png_debug1(3, "bit_depth = %d", png_ptr->bit_depth);
498 png_debug1(3, "channels = %d", png_ptr->channels); 895 png_debug1(3, "channels = %d", png_ptr->channels);
499 png_debug1(3, "rowbytes = %lu", png_ptr->rowbytes); 896 png_debug1(3, "rowbytes = %lu", (unsigned long)png_ptr->rowbytes);
500 png_set_IHDR(png_ptr, info_ptr, width, height, bit_depth, 897 png_set_IHDR(png_ptr, info_ptr, width, height, bit_depth,
501 color_type, interlace_type, compression_type, filter_type); 898 color_type, interlace_type, compression_type, filter_type);
502 } 899 }
503 900
504 /* Read and check the palette */ 901 /* Read and check the palette */
505 void /* PRIVATE */ 902 void /* PRIVATE */
506 png_handle_PLTE(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) 903 png_handle_PLTE(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
507 { 904 {
508 png_color palette[PNG_MAX_PALETTE_LENGTH]; 905 png_color palette[PNG_MAX_PALETTE_LENGTH];
509 int max_palette_length, num, i; 906 int max_palette_length, num, i;
510 #ifdef PNG_POINTER_INDEXING_SUPPORTED 907 #ifdef PNG_POINTER_INDEXING_SUPPORTED
511 png_colorp pal_ptr; 908 png_colorp pal_ptr;
512 #endif 909 #endif
513 910
514 png_debug(1, "in png_handle_PLTE"); 911 png_debug(1, "in png_handle_PLTE");
515 912
516 if (!(png_ptr->mode & PNG_HAVE_IHDR)) 913 if ((png_ptr->mode & PNG_HAVE_IHDR) == 0)
517 png_error(png_ptr, "Missing IHDR before PLTE"); 914 png_chunk_error(png_ptr, "missing IHDR");
518 915
519 else if (png_ptr->mode & PNG_HAVE_IDAT) 916 /* Moved to before the 'after IDAT' check below because otherwise duplicate
917 * PLTE chunks are potentially ignored (the spec says there shall not be more
918 * than one PLTE, the error is not treated as benign, so this check trumps
919 * the requirement that PLTE appears before IDAT.)
920 */
921 else if ((png_ptr->mode & PNG_HAVE_PLTE) != 0)
922 png_chunk_error(png_ptr, "duplicate");
923
924 else if ((png_ptr->mode & PNG_HAVE_IDAT) != 0)
520 { 925 {
521 png_warning(png_ptr, "Invalid PLTE after IDAT"); 926 /* This is benign because the non-benign error happened before, when an
927 * IDAT was encountered in a color-mapped image with no PLTE.
928 */
522 png_crc_finish(png_ptr, length); 929 png_crc_finish(png_ptr, length);
930 png_chunk_benign_error(png_ptr, "out of place");
523 return; 931 return;
524 } 932 }
525 933
526 else if (png_ptr->mode & PNG_HAVE_PLTE)
527 png_error(png_ptr, "Duplicate PLTE chunk");
528
529 png_ptr->mode |= PNG_HAVE_PLTE; 934 png_ptr->mode |= PNG_HAVE_PLTE;
530 935
531 if (!(png_ptr->color_type&PNG_COLOR_MASK_COLOR)) 936 if ((png_ptr->color_type & PNG_COLOR_MASK_COLOR) == 0)
532 { 937 {
533 png_warning(png_ptr,
534 "Ignoring PLTE chunk in grayscale PNG");
535 png_crc_finish(png_ptr, length); 938 png_crc_finish(png_ptr, length);
939 png_chunk_benign_error(png_ptr, "ignored in grayscale PNG");
536 return; 940 return;
537 } 941 }
942
538 #ifndef PNG_READ_OPT_PLTE_SUPPORTED 943 #ifndef PNG_READ_OPT_PLTE_SUPPORTED
539 if (png_ptr->color_type != PNG_COLOR_TYPE_PALETTE) 944 if (png_ptr->color_type != PNG_COLOR_TYPE_PALETTE)
540 { 945 {
541 png_crc_finish(png_ptr, length); 946 png_crc_finish(png_ptr, length);
542 return; 947 return;
543 } 948 }
544 #endif 949 #endif
545 950
546 if (length > 3*PNG_MAX_PALETTE_LENGTH || length % 3) 951 if (length > 3*PNG_MAX_PALETTE_LENGTH || length % 3)
547 { 952 {
953 png_crc_finish(png_ptr, length);
954
548 if (png_ptr->color_type != PNG_COLOR_TYPE_PALETTE) 955 if (png_ptr->color_type != PNG_COLOR_TYPE_PALETTE)
549 { 956 png_chunk_benign_error(png_ptr, "invalid");
550 png_warning(png_ptr, "Invalid palette chunk");
551 png_crc_finish(png_ptr, length);
552 return;
553 }
554 957
555 else 958 else
556 { 959 png_chunk_error(png_ptr, "invalid");
557 png_error(png_ptr, "Invalid palette chunk"); 960
558 } 961 return;
559 } 962 }
560 963
561 /* The cast is safe because 'length' is less than 3*PNG_MAX_PALETTE_LENGTH */ 964 /* The cast is safe because 'length' is less than 3*PNG_MAX_PALETTE_LENGTH */
562 num = (int)length / 3; 965 num = (int)length / 3;
563 966
564 /* If the palette has 256 or fewer entries but is too large for the bit 967 /* If the palette has 256 or fewer entries but is too large for the bit
565 * depth, we don't issue an error, to preserve the behavior of previous 968 * depth, we don't issue an error, to preserve the behavior of previous
566 * libpng versions. We silently truncate the unused extra palette entries 969 * libpng versions. We silently truncate the unused extra palette entries
567 * here. 970 * here.
568 */ 971 */
(...skipping 21 matching lines...) Expand all
590 png_byte buf[3]; 993 png_byte buf[3];
591 994
592 png_crc_read(png_ptr, buf, 3); 995 png_crc_read(png_ptr, buf, 3);
593 /* Don't depend upon png_color being any order */ 996 /* Don't depend upon png_color being any order */
594 palette[i].red = buf[0]; 997 palette[i].red = buf[0];
595 palette[i].green = buf[1]; 998 palette[i].green = buf[1];
596 palette[i].blue = buf[2]; 999 palette[i].blue = buf[2];
597 } 1000 }
598 #endif 1001 #endif
599 1002
600 /* If we actually NEED the PLTE chunk (ie for a paletted image), we do 1003 /* If we actually need the PLTE chunk (ie for a paletted image), we do
601 * whatever the normal CRC configuration tells us. However, if we 1004 * whatever the normal CRC configuration tells us. However, if we
602 * have an RGB image, the PLTE can be considered ancillary, so 1005 * have an RGB image, the PLTE can be considered ancillary, so
603 * we will act as though it is. 1006 * we will act as though it is.
604 */ 1007 */
605 #ifndef PNG_READ_OPT_PLTE_SUPPORTED 1008 #ifndef PNG_READ_OPT_PLTE_SUPPORTED
606 if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) 1009 if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
607 #endif 1010 #endif
608 { 1011 {
609 png_crc_finish(png_ptr, (int) length - num * 3); 1012 png_crc_finish(png_ptr, (int) length - num * 3);
610 } 1013 }
1014
611 #ifndef PNG_READ_OPT_PLTE_SUPPORTED 1015 #ifndef PNG_READ_OPT_PLTE_SUPPORTED
612 else if (png_crc_error(png_ptr)) /* Only if we have a CRC error */ 1016 else if (png_crc_error(png_ptr) != 0) /* Only if we have a CRC error */
613 { 1017 {
614 /* If we don't want to use the data from an ancillary chunk, 1018 /* If we don't want to use the data from an ancillary chunk,
615 we have two options: an error abort, or a warning and we 1019 * we have two options: an error abort, or a warning and we
616 ignore the data in this chunk (which should be OK, since 1020 * ignore the data in this chunk (which should be OK, since
617 it's considered ancillary for a RGB or RGBA image). */ 1021 * it's considered ancillary for a RGB or RGBA image).
618 if (!(png_ptr->flags & PNG_FLAG_CRC_ANCILLARY_USE)) 1022 *
1023 * IMPLEMENTATION NOTE: this is only here because png_crc_finish uses the
1024 * chunk type to determine whether to check the ancillary or the critical
1025 * flags.
1026 */
1027 if ((png_ptr->flags & PNG_FLAG_CRC_ANCILLARY_USE) == 0)
619 { 1028 {
620 if (png_ptr->flags & PNG_FLAG_CRC_ANCILLARY_NOWARN) 1029 if ((png_ptr->flags & PNG_FLAG_CRC_ANCILLARY_NOWARN) != 0)
621 { 1030 return;
1031
1032 else
622 png_chunk_error(png_ptr, "CRC error"); 1033 png_chunk_error(png_ptr, "CRC error");
623 }
624 else
625 {
626 png_chunk_warning(png_ptr, "CRC error");
627 return;
628 }
629 } 1034 }
1035
630 /* Otherwise, we (optionally) emit a warning and use the chunk. */ 1036 /* Otherwise, we (optionally) emit a warning and use the chunk. */
631 else if (!(png_ptr->flags & PNG_FLAG_CRC_ANCILLARY_NOWARN)) 1037 else if ((png_ptr->flags & PNG_FLAG_CRC_ANCILLARY_NOWARN) == 0)
632 {
633 png_chunk_warning(png_ptr, "CRC error"); 1038 png_chunk_warning(png_ptr, "CRC error");
634 } 1039 }
635 } 1040 #endif
636 #endif 1041
637 1042 /* TODO: png_set_PLTE has the side effect of setting png_ptr->palette to its
1043 * own copy of the palette. This has the side effect that when png_start_row
1044 * is called (this happens after any call to png_read_update_info) the
1045 * info_ptr palette gets changed. This is extremely unexpected and
1046 * confusing.
1047 *
1048 * Fix this by not sharing the palette in this way.
1049 */
638 png_set_PLTE(png_ptr, info_ptr, palette, num); 1050 png_set_PLTE(png_ptr, info_ptr, palette, num);
639 1051
1052 /* The three chunks, bKGD, hIST and tRNS *must* appear after PLTE and before
1053 * IDAT. Prior to 1.6.0 this was not checked; instead the code merely
1054 * checked the apparent validity of a tRNS chunk inserted before PLTE on a
1055 * palette PNG. 1.6.0 attempts to rigorously follow the standard and
1056 * therefore does a benign error if the erroneous condition is detected *and*
1057 * cancels the tRNS if the benign error returns. The alternative is to
1058 * amend the standard since it would be rather hypocritical of the standards
1059 * maintainers to ignore it.
1060 */
640 #ifdef PNG_READ_tRNS_SUPPORTED 1061 #ifdef PNG_READ_tRNS_SUPPORTED
641 if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) 1062 if (png_ptr->num_trans > 0 ||
642 { 1063 (info_ptr != NULL && (info_ptr->valid & PNG_INFO_tRNS) != 0))
643 if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_tRNS)) 1064 {
644 { 1065 /* Cancel this because otherwise it would be used if the transforms
645 if (png_ptr->num_trans > (png_uint_16)num) 1066 * require it. Don't cancel the 'valid' flag because this would prevent
646 { 1067 * detection of duplicate chunks.
647 png_warning(png_ptr, "Truncating incorrect tRNS chunk length"); 1068 */
648 png_ptr->num_trans = (png_uint_16)num; 1069 png_ptr->num_trans = 0;
649 } 1070
650 if (info_ptr->num_trans > (png_uint_16)num) 1071 if (info_ptr != NULL)
651 { 1072 info_ptr->num_trans = 0;
652 png_warning(png_ptr, "Truncating incorrect info tRNS chunk length"); 1073
653 info_ptr->num_trans = (png_uint_16)num; 1074 png_chunk_benign_error(png_ptr, "tRNS must be after");
654 } 1075 }
655 } 1076 #endif
656 } 1077
657 #endif 1078 #ifdef PNG_READ_hIST_SUPPORTED
658 1079 if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_hIST) != 0)
1080 png_chunk_benign_error(png_ptr, "hIST must be after");
1081 #endif
1082
1083 #ifdef PNG_READ_bKGD_SUPPORTED
1084 if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_bKGD) != 0)
1085 png_chunk_benign_error(png_ptr, "bKGD must be after");
1086 #endif
659 } 1087 }
660 1088
661 void /* PRIVATE */ 1089 void /* PRIVATE */
662 png_handle_IEND(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) 1090 png_handle_IEND(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
663 { 1091 {
664 png_debug(1, "in png_handle_IEND"); 1092 png_debug(1, "in png_handle_IEND");
665 1093
666 if (!(png_ptr->mode & PNG_HAVE_IHDR) || !(png_ptr->mode & PNG_HAVE_IDAT)) 1094 if ((png_ptr->mode & PNG_HAVE_IHDR) == 0 ||
667 { 1095 (png_ptr->mode & PNG_HAVE_IDAT) == 0)
668 png_error(png_ptr, "No image in file"); 1096 png_chunk_error(png_ptr, "out of place");
669 }
670 1097
671 png_ptr->mode |= (PNG_AFTER_IDAT | PNG_HAVE_IEND); 1098 png_ptr->mode |= (PNG_AFTER_IDAT | PNG_HAVE_IEND);
672 1099
1100 png_crc_finish(png_ptr, length);
1101
673 if (length != 0) 1102 if (length != 0)
674 { 1103 png_chunk_benign_error(png_ptr, "invalid");
675 png_warning(png_ptr, "Incorrect IEND chunk length"); 1104
676 } 1105 PNG_UNUSED(info_ptr)
677 png_crc_finish(png_ptr, length);
678
679 PNG_UNUSED(info_ptr) /* Quiet compiler warnings about unused info_ptr */
680 } 1106 }
681 1107
682 #ifdef PNG_READ_gAMA_SUPPORTED 1108 #ifdef PNG_READ_gAMA_SUPPORTED
683 void /* PRIVATE */ 1109 void /* PRIVATE */
684 png_handle_gAMA(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) 1110 png_handle_gAMA(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
685 { 1111 {
686 png_fixed_point igamma; 1112 png_fixed_point igamma;
687 #ifdef PNG_FLOATING_POINT_SUPPORTED
688 float file_gamma;
689 #endif
690 png_byte buf[4]; 1113 png_byte buf[4];
691 1114
692 png_debug(1, "in png_handle_gAMA"); 1115 png_debug(1, "in png_handle_gAMA");
693 1116
694 if (!(png_ptr->mode & PNG_HAVE_IHDR)) 1117 if ((png_ptr->mode & PNG_HAVE_IHDR) == 0)
695 png_error(png_ptr, "Missing IHDR before gAMA"); 1118 png_chunk_error(png_ptr, "missing IHDR");
696 else if (png_ptr->mode & PNG_HAVE_IDAT) 1119
697 { 1120 else if ((png_ptr->mode & (PNG_HAVE_IDAT|PNG_HAVE_PLTE)) != 0)
698 png_warning(png_ptr, "Invalid gAMA after IDAT"); 1121 {
699 png_crc_finish(png_ptr, length); 1122 png_crc_finish(png_ptr, length);
700 return; 1123 png_chunk_benign_error(png_ptr, "out of place");
701 }
702 else if (png_ptr->mode & PNG_HAVE_PLTE)
703 /* Should be an error, but we can cope with it */
704 png_warning(png_ptr, "Out of place gAMA chunk");
705
706 if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_gAMA)
707 #ifdef PNG_READ_sRGB_SUPPORTED
708 && !(info_ptr->valid & PNG_INFO_sRGB)
709 #endif
710 )
711 {
712 png_warning(png_ptr, "Duplicate gAMA chunk");
713 png_crc_finish(png_ptr, length);
714 return; 1124 return;
715 } 1125 }
716 1126
717 if (length != 4) 1127 if (length != 4)
718 { 1128 {
719 png_warning(png_ptr, "Incorrect gAMA chunk length"); 1129 png_crc_finish(png_ptr, length);
720 png_crc_finish(png_ptr, length); 1130 png_chunk_benign_error(png_ptr, "invalid");
721 return; 1131 return;
722 } 1132 }
723 1133
724 png_crc_read(png_ptr, buf, 4); 1134 png_crc_read(png_ptr, buf, 4);
725 if (png_crc_finish(png_ptr, 0)) 1135
726 return; 1136 if (png_crc_finish(png_ptr, 0) != 0)
727 1137 return;
728 igamma = (png_fixed_point)png_get_uint_32(buf); 1138
729 /* Check for zero gamma */ 1139 igamma = png_get_fixed_point(NULL, buf);
730 if (igamma == 0) 1140
1141 png_colorspace_set_gamma(png_ptr, &png_ptr->colorspace, igamma);
1142 png_colorspace_sync(png_ptr, info_ptr);
1143 }
1144 #endif
1145
1146 #ifdef PNG_READ_sBIT_SUPPORTED
1147 void /* PRIVATE */
1148 png_handle_sBIT(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
1149 {
1150 unsigned int truelen, i;
1151 png_byte sample_depth;
1152 png_byte buf[4];
1153
1154 png_debug(1, "in png_handle_sBIT");
1155
1156 if ((png_ptr->mode & PNG_HAVE_IHDR) == 0)
1157 png_chunk_error(png_ptr, "missing IHDR");
1158
1159 else if ((png_ptr->mode & (PNG_HAVE_IDAT|PNG_HAVE_PLTE)) != 0)
1160 {
1161 png_crc_finish(png_ptr, length);
1162 png_chunk_benign_error(png_ptr, "out of place");
1163 return;
1164 }
1165
1166 if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_sBIT) != 0)
1167 {
1168 png_crc_finish(png_ptr, length);
1169 png_chunk_benign_error(png_ptr, "duplicate");
1170 return;
1171 }
1172
1173 if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
1174 {
1175 truelen = 3;
1176 sample_depth = 8;
1177 }
1178
1179 else
1180 {
1181 truelen = png_ptr->channels;
1182 sample_depth = png_ptr->bit_depth;
1183 }
1184
1185 if (length != truelen || length > 4)
1186 {
1187 png_chunk_benign_error(png_ptr, "invalid");
1188 png_crc_finish(png_ptr, length);
1189 return;
1190 }
1191
1192 buf[0] = buf[1] = buf[2] = buf[3] = sample_depth;
1193 png_crc_read(png_ptr, buf, truelen);
1194
1195 if (png_crc_finish(png_ptr, 0) != 0)
1196 return;
1197
1198 for (i=0; i<truelen; ++i)
1199 {
1200 if (buf[i] == 0 || buf[i] > sample_depth)
731 { 1201 {
732 png_warning(png_ptr, 1202 png_chunk_benign_error(png_ptr, "invalid");
733 "Ignoring gAMA chunk with gamma=0");
734 return; 1203 return;
735 } 1204 }
736 1205 }
737 #ifdef PNG_READ_sRGB_SUPPORTED 1206
738 if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_sRGB)) 1207 if ((png_ptr->color_type & PNG_COLOR_MASK_COLOR) != 0)
739 if (PNG_OUT_OF_RANGE(igamma, 45500L, 500))
740 {
741 png_warning(png_ptr,
742 "Ignoring incorrect gAMA value when sRGB is also present");
743 #ifdef PNG_CONSOLE_IO_SUPPORTED
744 fprintf(stderr, "gamma = (%d/100000)", (int)igamma);
745 #endif
746 return;
747 }
748 #endif /* PNG_READ_sRGB_SUPPORTED */
749
750 #ifdef PNG_FLOATING_POINT_SUPPORTED
751 file_gamma = (float)igamma / (float)100000.0;
752 # ifdef PNG_READ_GAMMA_SUPPORTED
753 png_ptr->gamma = file_gamma;
754 # endif
755 png_set_gAMA(png_ptr, info_ptr, file_gamma);
756 #endif
757 #ifdef PNG_FIXED_POINT_SUPPORTED
758 png_set_gAMA_fixed(png_ptr, info_ptr, igamma);
759 #endif
760 }
761 #endif
762
763 #ifdef PNG_READ_sBIT_SUPPORTED
764 void /* PRIVATE */
765 png_handle_sBIT(png_structp png_ptr, png_infop info_ptr, png_uint_32 length)
766 {
767 png_size_t truelen;
768 png_byte buf[4];
769
770 png_debug(1, "in png_handle_sBIT");
771
772 buf[0] = buf[1] = buf[2] = buf[3] = 0;
773
774 if (!(png_ptr->mode & PNG_HAVE_IHDR))
775 png_error(png_ptr, "Missing IHDR before sBIT");
776 else if (png_ptr->mode & PNG_HAVE_IDAT)
777 {
778 png_warning(png_ptr, "Invalid sBIT after IDAT");
779 png_crc_finish(png_ptr, length);
780 return;
781 }
782 else if (png_ptr->mode & PNG_HAVE_PLTE)
783 {
784 /* Should be an error, but we can cope with it */
785 png_warning(png_ptr, "Out of place sBIT chunk");
786 }
787 if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_sBIT))
788 {
789 png_warning(png_ptr, "Duplicate sBIT chunk");
790 png_crc_finish(png_ptr, length);
791 return;
792 }
793
794 if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
795 truelen = 3;
796 else
797 truelen = (png_size_t)png_ptr->channels;
798
799 if (length != truelen || length > 4)
800 {
801 png_warning(png_ptr, "Incorrect sBIT chunk length");
802 png_crc_finish(png_ptr, length);
803 return;
804 }
805
806 png_crc_read(png_ptr, buf, truelen);
807 if (png_crc_finish(png_ptr, 0))
808 return;
809
810 if (png_ptr->color_type & PNG_COLOR_MASK_COLOR)
811 { 1208 {
812 png_ptr->sig_bit.red = buf[0]; 1209 png_ptr->sig_bit.red = buf[0];
813 png_ptr->sig_bit.green = buf[1]; 1210 png_ptr->sig_bit.green = buf[1];
814 png_ptr->sig_bit.blue = buf[2]; 1211 png_ptr->sig_bit.blue = buf[2];
815 png_ptr->sig_bit.alpha = buf[3]; 1212 png_ptr->sig_bit.alpha = buf[3];
816 } 1213 }
1214
817 else 1215 else
818 { 1216 {
819 png_ptr->sig_bit.gray = buf[0]; 1217 png_ptr->sig_bit.gray = buf[0];
820 png_ptr->sig_bit.red = buf[0]; 1218 png_ptr->sig_bit.red = buf[0];
821 png_ptr->sig_bit.green = buf[0]; 1219 png_ptr->sig_bit.green = buf[0];
822 png_ptr->sig_bit.blue = buf[0]; 1220 png_ptr->sig_bit.blue = buf[0];
823 png_ptr->sig_bit.alpha = buf[1]; 1221 png_ptr->sig_bit.alpha = buf[1];
824 } 1222 }
1223
825 png_set_sBIT(png_ptr, info_ptr, &(png_ptr->sig_bit)); 1224 png_set_sBIT(png_ptr, info_ptr, &(png_ptr->sig_bit));
826 } 1225 }
827 #endif 1226 #endif
828 1227
829 #ifdef PNG_READ_cHRM_SUPPORTED 1228 #ifdef PNG_READ_cHRM_SUPPORTED
830 void /* PRIVATE */ 1229 void /* PRIVATE */
831 png_handle_cHRM(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) 1230 png_handle_cHRM(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
832 { 1231 {
833 png_byte buf[32]; 1232 png_byte buf[32];
834 #ifdef PNG_FLOATING_POINT_SUPPORTED 1233 png_xy xy;
835 float white_x, white_y, red_x, red_y, green_x, green_y, blue_x, blue_y;
836 #endif
837 png_fixed_point int_x_white, int_y_white, int_x_red, int_y_red, int_x_green,
838 int_y_green, int_x_blue, int_y_blue;
839
840 png_uint_32 uint_x, uint_y;
841 1234
842 png_debug(1, "in png_handle_cHRM"); 1235 png_debug(1, "in png_handle_cHRM");
843 1236
844 if (!(png_ptr->mode & PNG_HAVE_IHDR)) 1237 if ((png_ptr->mode & PNG_HAVE_IHDR) == 0)
845 png_error(png_ptr, "Missing IHDR before cHRM"); 1238 png_chunk_error(png_ptr, "missing IHDR");
846 else if (png_ptr->mode & PNG_HAVE_IDAT) 1239
847 { 1240 else if ((png_ptr->mode & (PNG_HAVE_IDAT|PNG_HAVE_PLTE)) != 0)
848 png_warning(png_ptr, "Invalid cHRM after IDAT"); 1241 {
849 png_crc_finish(png_ptr, length); 1242 png_crc_finish(png_ptr, length);
850 return; 1243 png_chunk_benign_error(png_ptr, "out of place");
851 }
852 else if (png_ptr->mode & PNG_HAVE_PLTE)
853 /* Should be an error, but we can cope with it */
854 png_warning(png_ptr, "Missing PLTE before cHRM");
855
856 if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_cHRM)
857 #ifdef PNG_READ_sRGB_SUPPORTED
858 && !(info_ptr->valid & PNG_INFO_sRGB)
859 #endif
860 )
861 {
862 png_warning(png_ptr, "Duplicate cHRM chunk");
863 png_crc_finish(png_ptr, length);
864 return; 1244 return;
865 } 1245 }
866 1246
867 if (length != 32) 1247 if (length != 32)
868 { 1248 {
869 png_warning(png_ptr, "Incorrect cHRM chunk length"); 1249 png_crc_finish(png_ptr, length);
870 png_crc_finish(png_ptr, length); 1250 png_chunk_benign_error(png_ptr, "invalid");
871 return; 1251 return;
872 } 1252 }
873 1253
874 png_crc_read(png_ptr, buf, 32); 1254 png_crc_read(png_ptr, buf, 32);
875 if (png_crc_finish(png_ptr, 0)) 1255
876 return; 1256 if (png_crc_finish(png_ptr, 0) != 0)
877 1257 return;
878 uint_x = png_get_uint_32(buf); 1258
879 uint_y = png_get_uint_32(buf + 4); 1259 xy.whitex = png_get_fixed_point(NULL, buf);
880 int_x_white = (png_fixed_point)uint_x; 1260 xy.whitey = png_get_fixed_point(NULL, buf + 4);
881 int_y_white = (png_fixed_point)uint_y; 1261 xy.redx = png_get_fixed_point(NULL, buf + 8);
882 1262 xy.redy = png_get_fixed_point(NULL, buf + 12);
883 uint_x = png_get_uint_32(buf + 8); 1263 xy.greenx = png_get_fixed_point(NULL, buf + 16);
884 uint_y = png_get_uint_32(buf + 12); 1264 xy.greeny = png_get_fixed_point(NULL, buf + 20);
885 int_x_red = (png_fixed_point)uint_x; 1265 xy.bluex = png_get_fixed_point(NULL, buf + 24);
886 int_y_red = (png_fixed_point)uint_y; 1266 xy.bluey = png_get_fixed_point(NULL, buf + 28);
887 1267
888 uint_x = png_get_uint_32(buf + 16); 1268 if (xy.whitex == PNG_FIXED_ERROR ||
889 uint_y = png_get_uint_32(buf + 20); 1269 xy.whitey == PNG_FIXED_ERROR ||
890 int_x_green = (png_fixed_point)uint_x; 1270 xy.redx == PNG_FIXED_ERROR ||
891 int_y_green = (png_fixed_point)uint_y; 1271 xy.redy == PNG_FIXED_ERROR ||
892 1272 xy.greenx == PNG_FIXED_ERROR ||
893 uint_x = png_get_uint_32(buf + 24); 1273 xy.greeny == PNG_FIXED_ERROR ||
894 uint_y = png_get_uint_32(buf + 28); 1274 xy.bluex == PNG_FIXED_ERROR ||
895 int_x_blue = (png_fixed_point)uint_x; 1275 xy.bluey == PNG_FIXED_ERROR)
896 int_y_blue = (png_fixed_point)uint_y; 1276 {
897 1277 png_chunk_benign_error(png_ptr, "invalid values");
898 #ifdef PNG_FLOATING_POINT_SUPPORTED 1278 return;
899 white_x = (float)int_x_white / (float)100000.0; 1279 }
900 white_y = (float)int_y_white / (float)100000.0; 1280
901 red_x = (float)int_x_red / (float)100000.0; 1281 /* If a colorspace error has already been output skip this chunk */
902 red_y = (float)int_y_red / (float)100000.0; 1282 if ((png_ptr->colorspace.flags & PNG_COLORSPACE_INVALID) != 0)
903 green_x = (float)int_x_green / (float)100000.0; 1283 return;
904 green_y = (float)int_y_green / (float)100000.0; 1284
905 blue_x = (float)int_x_blue / (float)100000.0; 1285 if ((png_ptr->colorspace.flags & PNG_COLORSPACE_FROM_cHRM) != 0)
906 blue_y = (float)int_y_blue / (float)100000.0; 1286 {
907 #endif 1287 png_ptr->colorspace.flags |= PNG_COLORSPACE_INVALID;
908 1288 png_colorspace_sync(png_ptr, info_ptr);
909 #ifdef PNG_READ_sRGB_SUPPORTED 1289 png_chunk_benign_error(png_ptr, "duplicate");
910 if ((info_ptr != NULL) && (info_ptr->valid & PNG_INFO_sRGB)) 1290 return;
911 { 1291 }
912 if (PNG_OUT_OF_RANGE(int_x_white, 31270, 1000) || 1292
913 PNG_OUT_OF_RANGE(int_y_white, 32900, 1000) || 1293 png_ptr->colorspace.flags |= PNG_COLORSPACE_FROM_cHRM;
914 PNG_OUT_OF_RANGE(int_x_red, 64000L, 1000) || 1294 (void)png_colorspace_set_chromaticities(png_ptr, &png_ptr->colorspace, &xy,
915 PNG_OUT_OF_RANGE(int_y_red, 33000, 1000) || 1295 1/*prefer cHRM values*/);
916 PNG_OUT_OF_RANGE(int_x_green, 30000, 1000) || 1296 png_colorspace_sync(png_ptr, info_ptr);
917 PNG_OUT_OF_RANGE(int_y_green, 60000L, 1000) ||
918 PNG_OUT_OF_RANGE(int_x_blue, 15000, 1000) ||
919 PNG_OUT_OF_RANGE(int_y_blue, 6000, 1000))
920 {
921 png_warning(png_ptr,
922 "Ignoring incorrect cHRM value when sRGB is also present");
923 #ifdef PNG_CONSOLE_IO_SUPPORTED
924 #ifdef PNG_FLOATING_POINT_SUPPORTED
925 fprintf(stderr, "wx=%f, wy=%f, rx=%f, ry=%f\n",
926 white_x, white_y, red_x, red_y);
927 fprintf(stderr, "gx=%f, gy=%f, bx=%f, by=%f\n",
928 green_x, green_y, blue_x, blue_y);
929 #else
930 fprintf(stderr, "wx=%ld, wy=%ld, rx=%ld, ry=%ld\n",
931 (long)int_x_white, (long)int_y_white,
932 (long)int_x_red, (long)int_y_red);
933 fprintf(stderr, "gx=%ld, gy=%ld, bx=%ld, by=%ld\n",
934 (long)int_x_green, (long)int_y_green,
935 (long)int_x_blue, (long)int_y_blue);
936 #endif
937 #endif /* PNG_CONSOLE_IO_SUPPORTED */
938 }
939 return;
940 }
941 #endif /* PNG_READ_sRGB_SUPPORTED */
942
943 #ifdef PNG_FLOATING_POINT_SUPPORTED
944 png_set_cHRM(png_ptr, info_ptr,
945 white_x, white_y, red_x, red_y, green_x, green_y, blue_x, blue_y);
946 #endif
947 #ifdef PNG_FIXED_POINT_SUPPORTED
948 png_set_cHRM_fixed(png_ptr, info_ptr,
949 int_x_white, int_y_white, int_x_red, int_y_red, int_x_green,
950 int_y_green, int_x_blue, int_y_blue);
951 #endif
952 } 1297 }
953 #endif 1298 #endif
954 1299
955 #ifdef PNG_READ_sRGB_SUPPORTED 1300 #ifdef PNG_READ_sRGB_SUPPORTED
956 void /* PRIVATE */ 1301 void /* PRIVATE */
957 png_handle_sRGB(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) 1302 png_handle_sRGB(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
958 { 1303 {
959 int intent; 1304 png_byte intent;
960 png_byte buf[1];
961 1305
962 png_debug(1, "in png_handle_sRGB"); 1306 png_debug(1, "in png_handle_sRGB");
963 1307
964 if (!(png_ptr->mode & PNG_HAVE_IHDR)) 1308 if ((png_ptr->mode & PNG_HAVE_IHDR) == 0)
965 png_error(png_ptr, "Missing IHDR before sRGB"); 1309 png_chunk_error(png_ptr, "missing IHDR");
966 else if (png_ptr->mode & PNG_HAVE_IDAT) 1310
967 { 1311 else if ((png_ptr->mode & (PNG_HAVE_IDAT|PNG_HAVE_PLTE)) != 0)
968 png_warning(png_ptr, "Invalid sRGB after IDAT"); 1312 {
969 png_crc_finish(png_ptr, length); 1313 png_crc_finish(png_ptr, length);
970 return; 1314 png_chunk_benign_error(png_ptr, "out of place");
971 }
972 else if (png_ptr->mode & PNG_HAVE_PLTE)
973 /* Should be an error, but we can cope with it */
974 png_warning(png_ptr, "Out of place sRGB chunk");
975
976 if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_sRGB))
977 {
978 png_warning(png_ptr, "Duplicate sRGB chunk");
979 png_crc_finish(png_ptr, length);
980 return; 1315 return;
981 } 1316 }
982 1317
983 if (length != 1) 1318 if (length != 1)
984 { 1319 {
985 png_warning(png_ptr, "Incorrect sRGB chunk length"); 1320 png_crc_finish(png_ptr, length);
986 png_crc_finish(png_ptr, length); 1321 png_chunk_benign_error(png_ptr, "invalid");
987 return; 1322 return;
988 } 1323 }
989 1324
990 png_crc_read(png_ptr, buf, 1); 1325 png_crc_read(png_ptr, &intent, 1);
991 if (png_crc_finish(png_ptr, 0)) 1326
992 return; 1327 if (png_crc_finish(png_ptr, 0) != 0)
993 1328 return;
994 intent = buf[0]; 1329
995 /* Check for bad intent */ 1330 /* If a colorspace error has already been output skip this chunk */
996 if (intent >= PNG_sRGB_INTENT_LAST) 1331 if ((png_ptr->colorspace.flags & PNG_COLORSPACE_INVALID) != 0)
997 { 1332 return;
998 png_warning(png_ptr, "Unknown sRGB intent"); 1333
999 return; 1334 /* Only one sRGB or iCCP chunk is allowed, use the HAVE_INTENT flag to detect
1000 } 1335 * this.
1001 1336 */
1002 #if defined(PNG_READ_gAMA_SUPPORTED) && defined(PNG_READ_GAMMA_SUPPORTED) 1337 if ((png_ptr->colorspace.flags & PNG_COLORSPACE_HAVE_INTENT) != 0)
1003 if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_gAMA)) 1338 {
1004 { 1339 png_ptr->colorspace.flags |= PNG_COLORSPACE_INVALID;
1005 png_fixed_point igamma; 1340 png_colorspace_sync(png_ptr, info_ptr);
1006 #ifdef PNG_FIXED_POINT_SUPPORTED 1341 png_chunk_benign_error(png_ptr, "too many profiles");
1007 igamma=info_ptr->int_gamma; 1342 return;
1008 #else 1343 }
1009 # ifdef PNG_FLOATING_POINT_SUPPORTED 1344
1010 igamma=(png_fixed_point)(info_ptr->gamma * 100000.); 1345 (void)png_colorspace_set_sRGB(png_ptr, &png_ptr->colorspace, intent);
1011 # endif 1346 png_colorspace_sync(png_ptr, info_ptr);
1012 #endif
1013 if (PNG_OUT_OF_RANGE(igamma, 45500L, 500))
1014 {
1015 png_warning(png_ptr,
1016 "Ignoring incorrect gAMA value when sRGB is also present");
1017 #ifdef PNG_CONSOLE_IO_SUPPORTED
1018 # ifdef PNG_FIXED_POINT_SUPPORTED
1019 fprintf(stderr, "incorrect gamma=(%d/100000)\n",
1020 (int)png_ptr->int_gamma);
1021 # else
1022 # ifdef PNG_FLOATING_POINT_SUPPORTED
1023 fprintf(stderr, "incorrect gamma=%f\n", png_ptr->gamma);
1024 # endif
1025 # endif
1026 #endif
1027 }
1028 }
1029 #endif /* PNG_READ_gAMA_SUPPORTED */
1030
1031 #ifdef PNG_READ_cHRM_SUPPORTED
1032 #ifdef PNG_FIXED_POINT_SUPPORTED
1033 if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_cHRM))
1034 if (PNG_OUT_OF_RANGE(info_ptr->int_x_white, 31270, 1000) ||
1035 PNG_OUT_OF_RANGE(info_ptr->int_y_white, 32900, 1000) ||
1036 PNG_OUT_OF_RANGE(info_ptr->int_x_red, 64000L, 1000) ||
1037 PNG_OUT_OF_RANGE(info_ptr->int_y_red, 33000, 1000) ||
1038 PNG_OUT_OF_RANGE(info_ptr->int_x_green, 30000, 1000) ||
1039 PNG_OUT_OF_RANGE(info_ptr->int_y_green, 60000L, 1000) ||
1040 PNG_OUT_OF_RANGE(info_ptr->int_x_blue, 15000, 1000) ||
1041 PNG_OUT_OF_RANGE(info_ptr->int_y_blue, 6000, 1000))
1042 {
1043 png_warning(png_ptr,
1044 "Ignoring incorrect cHRM value when sRGB is also present");
1045 }
1046 #endif /* PNG_FIXED_POINT_SUPPORTED */
1047 #endif /* PNG_READ_cHRM_SUPPORTED */
1048
1049 png_set_sRGB_gAMA_and_cHRM(png_ptr, info_ptr, intent);
1050 } 1347 }
1051 #endif /* PNG_READ_sRGB_SUPPORTED */ 1348 #endif /* READ_sRGB */
1052 1349
1053 #ifdef PNG_READ_iCCP_SUPPORTED 1350 #ifdef PNG_READ_iCCP_SUPPORTED
1054 void /* PRIVATE */ 1351 void /* PRIVATE */
1055 png_handle_iCCP(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) 1352 png_handle_iCCP(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
1353 /* Note: this does not properly handle profiles that are > 64K under DOS */
1354 {
1355 png_const_charp errmsg = NULL; /* error message output, or no error */
1356 int finished = 0; /* crc checked */
1357
1358 png_debug(1, "in png_handle_iCCP");
1359
1360 if ((png_ptr->mode & PNG_HAVE_IHDR) == 0)
1361 png_chunk_error(png_ptr, "missing IHDR");
1362
1363 else if ((png_ptr->mode & (PNG_HAVE_IDAT|PNG_HAVE_PLTE)) != 0)
1364 {
1365 png_crc_finish(png_ptr, length);
1366 png_chunk_benign_error(png_ptr, "out of place");
1367 return;
1368 }
1369
1370 /* Consistent with all the above colorspace handling an obviously *invalid*
1371 * chunk is just ignored, so does not invalidate the color space. An
1372 * alternative is to set the 'invalid' flags at the start of this routine
1373 * and only clear them in they were not set before and all the tests pass.
1374 * The minimum 'deflate' stream is assumed to be just the 2 byte header and
1375 * 4 byte checksum. The keyword must be at least one character and there is
1376 * a terminator (0) byte and the compression method.
1377 */
1378 if (length < 9)
1379 {
1380 png_crc_finish(png_ptr, length);
1381 png_chunk_benign_error(png_ptr, "too short");
1382 return;
1383 }
1384
1385 /* If a colorspace error has already been output skip this chunk */
1386 if ((png_ptr->colorspace.flags & PNG_COLORSPACE_INVALID) != 0)
1387 {
1388 png_crc_finish(png_ptr, length);
1389 return;
1390 }
1391
1392 /* Only one sRGB or iCCP chunk is allowed, use the HAVE_INTENT flag to detect
1393 * this.
1394 */
1395 if ((png_ptr->colorspace.flags & PNG_COLORSPACE_HAVE_INTENT) == 0)
1396 {
1397 uInt read_length, keyword_length;
1398 char keyword[81];
1399
1400 /* Find the keyword; the keyword plus separator and compression method
1401 * bytes can be at most 81 characters long.
1402 */
1403 read_length = 81; /* maximum */
1404 if (read_length > length)
1405 read_length = (uInt)length;
1406
1407 png_crc_read(png_ptr, (png_bytep)keyword, read_length);
1408 length -= read_length;
1409
1410 keyword_length = 0;
1411 while (keyword_length < 80 && keyword_length < read_length &&
1412 keyword[keyword_length] != 0)
1413 ++keyword_length;
1414
1415 /* TODO: make the keyword checking common */
1416 if (keyword_length >= 1 && keyword_length <= 79)
1417 {
1418 /* We only understand '0' compression - deflate - so if we get a
1419 * different value we can't safely decode the chunk.
1420 */
1421 if (keyword_length+1 < read_length &&
1422 keyword[keyword_length+1] == PNG_COMPRESSION_TYPE_BASE)
1423 {
1424 read_length -= keyword_length+2;
1425
1426 if (png_inflate_claim(png_ptr, png_iCCP) == Z_OK)
1427 {
1428 Byte profile_header[132];
1429 Byte local_buffer[PNG_INFLATE_BUF_SIZE];
1430 png_alloc_size_t size = (sizeof profile_header);
1431
1432 png_ptr->zstream.next_in = (Bytef*)keyword + (keyword_length+2);
1433 png_ptr->zstream.avail_in = read_length;
1434 (void)png_inflate_read(png_ptr, local_buffer,
1435 (sizeof local_buffer), &length, profile_header, &size,
1436 0/*finish: don't, because the output is too small*/);
1437
1438 if (size == 0)
1439 {
1440 /* We have the ICC profile header; do the basic header checks.
1441 */
1442 const png_uint_32 profile_length =
1443 png_get_uint_32(profile_header);
1444
1445 if (png_icc_check_length(png_ptr, &png_ptr->colorspace,
1446 keyword, profile_length) != 0)
1447 {
1448 /* The length is apparently ok, so we can check the 132
1449 * byte header.
1450 */
1451 if (png_icc_check_header(png_ptr, &png_ptr->colorspace,
1452 keyword, profile_length, profile_header,
1453 png_ptr->color_type) != 0)
1454 {
1455 /* Now read the tag table; a variable size buffer is
1456 * needed at this point, allocate one for the whole
1457 * profile. The header check has already validated
1458 * that none of these stuff will overflow.
1459 */
1460 const png_uint_32 tag_count = png_get_uint_32(
1461 profile_header+128);
1462 png_bytep profile = png_read_buffer(png_ptr,
1463 profile_length, 2/*silent*/);
1464
1465 if (profile != NULL)
1466 {
1467 memcpy(profile, profile_header,
1468 (sizeof profile_header));
1469
1470 size = 12 * tag_count;
1471
1472 (void)png_inflate_read(png_ptr, local_buffer,
1473 (sizeof local_buffer), &length,
1474 profile + (sizeof profile_header), &size, 0);
1475
1476 /* Still expect a buffer error because we expect
1477 * there to be some tag data!
1478 */
1479 if (size == 0)
1480 {
1481 if (png_icc_check_tag_table(png_ptr,
1482 &png_ptr->colorspace, keyword, profile_length,
1483 profile) != 0)
1484 {
1485 /* The profile has been validated for basic
1486 * security issues, so read the whole thing in.
1487 */
1488 size = profile_length - (sizeof profile_header)
1489 - 12 * tag_count;
1490
1491 (void)png_inflate_read(png_ptr, local_buffer,
1492 (sizeof local_buffer), &length,
1493 profile + (sizeof profile_header) +
1494 12 * tag_count, &size, 1/*finish*/);
1495
1496 if (length > 0 && !(png_ptr->flags &
1497 PNG_FLAG_BENIGN_ERRORS_WARN))
1498 errmsg = "extra compressed data";
1499
1500 /* But otherwise allow extra data: */
1501 else if (size == 0)
1502 {
1503 if (length > 0)
1504 {
1505 /* This can be handled completely, so
1506 * keep going.
1507 */
1508 png_chunk_warning(png_ptr,
1509 "extra compressed data");
1510 }
1511
1512 png_crc_finish(png_ptr, length);
1513 finished = 1;
1514
1515 # ifdef PNG_sRGB_SUPPORTED
1516 /* Check for a match against sRGB */
1517 png_icc_set_sRGB(png_ptr,
1518 &png_ptr->colorspace, profile,
1519 png_ptr->zstream.adler);
1520 # endif
1521
1522 /* Steal the profile for info_ptr. */
1523 if (info_ptr != NULL)
1524 {
1525 png_free_data(png_ptr, info_ptr,
1526 PNG_FREE_ICCP, 0);
1527
1528 info_ptr->iccp_name = png_voidcast(char*,
1529 png_malloc_base(png_ptr,
1530 keyword_length+1));
1531 if (info_ptr->iccp_name != NULL)
1532 {
1533 memcpy(info_ptr->iccp_name, keyword,
1534 keyword_length+1);
1535 info_ptr->iccp_proflen =
1536 profile_length;
1537 info_ptr->iccp_profile = profile;
1538 png_ptr->read_buffer = NULL; /*steal*/
1539 info_ptr->free_me |= PNG_FREE_ICCP;
1540 info_ptr->valid |= PNG_INFO_iCCP;
1541 }
1542
1543 else
1544 {
1545 png_ptr->colorspace.flags |=
1546 PNG_COLORSPACE_INVALID;
1547 errmsg = "out of memory";
1548 }
1549 }
1550
1551 /* else the profile remains in the read
1552 * buffer which gets reused for subsequent
1553 * chunks.
1554 */
1555
1556 if (info_ptr != NULL)
1557 png_colorspace_sync(png_ptr, info_ptr);
1558
1559 if (errmsg == NULL)
1560 {
1561 png_ptr->zowner = 0;
1562 return;
1563 }
1564 }
1565
1566 else if (size > 0)
1567 errmsg = "truncated";
1568
1569 #ifndef __COVERITY__
1570 else
1571 errmsg = png_ptr->zstream.msg;
1572 #endif
1573 }
1574
1575 /* else png_icc_check_tag_table output an error */
1576 }
1577
1578 else /* profile truncated */
1579 errmsg = png_ptr->zstream.msg;
1580 }
1581
1582 else
1583 errmsg = "out of memory";
1584 }
1585
1586 /* else png_icc_check_header output an error */
1587 }
1588
1589 /* else png_icc_check_length output an error */
1590 }
1591
1592 else /* profile truncated */
1593 errmsg = png_ptr->zstream.msg;
1594
1595 /* Release the stream */
1596 png_ptr->zowner = 0;
1597 }
1598
1599 else /* png_inflate_claim failed */
1600 errmsg = png_ptr->zstream.msg;
1601 }
1602
1603 else
1604 errmsg = "bad compression method"; /* or missing */
1605 }
1606
1607 else
1608 errmsg = "bad keyword";
1609 }
1610
1611 else
1612 errmsg = "too many profiles";
1613
1614 /* Failure: the reason is in 'errmsg' */
1615 if (finished == 0)
1616 png_crc_finish(png_ptr, length);
1617
1618 png_ptr->colorspace.flags |= PNG_COLORSPACE_INVALID;
1619 png_colorspace_sync(png_ptr, info_ptr);
1620 if (errmsg != NULL) /* else already output */
1621 png_chunk_benign_error(png_ptr, errmsg);
1622 }
1623 #endif /* READ_iCCP */
1624
1625 #ifdef PNG_READ_sPLT_SUPPORTED
1626 void /* PRIVATE */
1627 png_handle_sPLT(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
1056 /* Note: this does not properly handle chunks that are > 64K under DOS */ 1628 /* Note: this does not properly handle chunks that are > 64K under DOS */
1057 { 1629 {
1058 png_byte compression_type; 1630 png_bytep entry_start, buffer;
1059 png_bytep pC; 1631 png_sPLT_t new_palette;
1060 png_charp profile; 1632 png_sPLT_entryp pp;
1633 png_uint_32 data_length;
1634 int entry_size, i;
1061 png_uint_32 skip = 0; 1635 png_uint_32 skip = 0;
1062 png_uint_32 profile_size, profile_length; 1636 png_uint_32 dl;
1063 png_size_t slength, prefix_length, data_length; 1637 png_size_t max_dl;
1064
1065 png_debug(1, "in png_handle_iCCP");
1066
1067 if (!(png_ptr->mode & PNG_HAVE_IHDR))
1068 png_error(png_ptr, "Missing IHDR before iCCP");
1069 else if (png_ptr->mode & PNG_HAVE_IDAT)
1070 {
1071 png_warning(png_ptr, "Invalid iCCP after IDAT");
1072 png_crc_finish(png_ptr, length);
1073 return;
1074 }
1075 else if (png_ptr->mode & PNG_HAVE_PLTE)
1076 /* Should be an error, but we can cope with it */
1077 png_warning(png_ptr, "Out of place iCCP chunk");
1078
1079 if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_iCCP))
1080 {
1081 png_warning(png_ptr, "Duplicate iCCP chunk");
1082 png_crc_finish(png_ptr, length);
1083 return;
1084 }
1085
1086 #ifdef PNG_MAX_MALLOC_64K
1087 if (length > (png_uint_32)65535L)
1088 {
1089 png_warning(png_ptr, "iCCP chunk too large to fit in memory");
1090 skip = length - (png_uint_32)65535L;
1091 length = (png_uint_32)65535L;
1092 }
1093 #endif
1094
1095 png_free(png_ptr, png_ptr->chunkdata);
1096 png_ptr->chunkdata = (png_charp)png_malloc(png_ptr, length + 1);
1097 slength = (png_size_t)length;
1098 png_crc_read(png_ptr, (png_bytep)png_ptr->chunkdata, slength);
1099
1100 if (png_crc_finish(png_ptr, skip))
1101 {
1102 png_free(png_ptr, png_ptr->chunkdata);
1103 png_ptr->chunkdata = NULL;
1104 return;
1105 }
1106
1107 png_ptr->chunkdata[slength] = 0x00;
1108
1109 for (profile = png_ptr->chunkdata; *profile; profile++)
1110 /* Empty loop to find end of name */ ;
1111
1112 ++profile;
1113
1114 /* There should be at least one zero (the compression type byte)
1115 * following the separator, and we should be on it
1116 */
1117 if (slength < 1U || profile >= png_ptr->chunkdata + slength - 1U)
1118 {
1119 png_free(png_ptr, png_ptr->chunkdata);
1120 png_ptr->chunkdata = NULL;
1121 png_warning(png_ptr, "Malformed iCCP chunk");
1122 return;
1123 }
1124
1125 /* Compression_type should always be zero */
1126 compression_type = *profile++;
1127 if (compression_type)
1128 {
1129 png_warning(png_ptr, "Ignoring nonzero compression type in iCCP chunk");
1130 compression_type = 0x00; /* Reset it to zero (libpng-1.0.6 through 1.0.8
1131 wrote nonzero) */
1132 }
1133
1134 prefix_length = profile - png_ptr->chunkdata;
1135 png_decompress_chunk(png_ptr, compression_type,
1136 slength, prefix_length, &data_length);
1137
1138 profile_length = data_length - prefix_length;
1139
1140 if ( prefix_length > data_length || profile_length < 4)
1141 {
1142 png_free(png_ptr, png_ptr->chunkdata);
1143 png_ptr->chunkdata = NULL;
1144 png_warning(png_ptr, "Profile size field missing from iCCP chunk");
1145 return;
1146 }
1147
1148 /* Check the profile_size recorded in the first 32 bits of the ICC profile */
1149 pC = (png_bytep)(png_ptr->chunkdata + prefix_length);
1150 profile_size = ((png_uint_32) (*(pC )<<24)) |
1151 ((png_uint_32) (*(pC + 1)<<16)) |
1152 ((png_uint_32) (*(pC + 2)<< 8)) |
1153 ((png_uint_32) (*(pC + 3) ));
1154
1155 if (profile_size < profile_length)
1156 profile_length = profile_size;
1157
1158 if (profile_size > profile_length)
1159 {
1160 png_free(png_ptr, png_ptr->chunkdata);
1161 png_ptr->chunkdata = NULL;
1162 png_warning(png_ptr, "Ignoring truncated iCCP profile.");
1163 return;
1164 }
1165
1166 png_set_iCCP(png_ptr, info_ptr, png_ptr->chunkdata,
1167 compression_type, png_ptr->chunkdata + prefix_length, profile_length);
1168 png_free(png_ptr, png_ptr->chunkdata);
1169 png_ptr->chunkdata = NULL;
1170 }
1171 #endif /* PNG_READ_iCCP_SUPPORTED */
1172
1173 #ifdef PNG_READ_sPLT_SUPPORTED
1174 void /* PRIVATE */
1175 png_handle_sPLT(png_structp png_ptr, png_infop info_ptr, png_uint_32 length)
1176 /* Note: this does not properly handle chunks that are > 64K under DOS */
1177 {
1178 png_bytep entry_start;
1179 png_sPLT_t new_palette;
1180 #ifdef PNG_POINTER_INDEXING_SUPPORTED
1181 png_sPLT_entryp pp;
1182 #endif
1183 int data_length, entry_size, i;
1184 png_uint_32 skip = 0;
1185 png_size_t slength;
1186 1638
1187 png_debug(1, "in png_handle_sPLT"); 1639 png_debug(1, "in png_handle_sPLT");
1188 1640
1189 #ifdef PNG_USER_LIMITS_SUPPORTED 1641 #ifdef PNG_USER_LIMITS_SUPPORTED
1190
1191 if (png_ptr->user_chunk_cache_max != 0) 1642 if (png_ptr->user_chunk_cache_max != 0)
1192 { 1643 {
1193 if (png_ptr->user_chunk_cache_max == 1) 1644 if (png_ptr->user_chunk_cache_max == 1)
1194 { 1645 {
1195 png_crc_finish(png_ptr, length); 1646 png_crc_finish(png_ptr, length);
1196 return; 1647 return;
1197 } 1648 }
1649
1198 if (--png_ptr->user_chunk_cache_max == 1) 1650 if (--png_ptr->user_chunk_cache_max == 1)
1199 { 1651 {
1200 png_warning(png_ptr, "No space in chunk cache for sPLT"); 1652 png_warning(png_ptr, "No space in chunk cache for sPLT");
1201 png_crc_finish(png_ptr, length); 1653 png_crc_finish(png_ptr, length);
1202 return; 1654 return;
1203 } 1655 }
1204 } 1656 }
1205 #endif 1657 #endif
1206 1658
1207 if (!(png_ptr->mode & PNG_HAVE_IHDR)) 1659 if ((png_ptr->mode & PNG_HAVE_IHDR) == 0)
1208 png_error(png_ptr, "Missing IHDR before sPLT"); 1660 png_chunk_error(png_ptr, "missing IHDR");
1209 else if (png_ptr->mode & PNG_HAVE_IDAT) 1661
1662 else if ((png_ptr->mode & PNG_HAVE_IDAT) != 0)
1210 { 1663 {
1211 png_warning(png_ptr, "Invalid sPLT after IDAT");
1212 png_crc_finish(png_ptr, length); 1664 png_crc_finish(png_ptr, length);
1665 png_chunk_benign_error(png_ptr, "out of place");
1213 return; 1666 return;
1214 } 1667 }
1215 1668
1216 #ifdef PNG_MAX_MALLOC_64K 1669 #ifdef PNG_MAX_MALLOC_64K
1217 if (length > (png_uint_32)65535L) 1670 if (length > 65535U)
1218 { 1671 {
1219 png_warning(png_ptr, "sPLT chunk too large to fit in memory"); 1672 png_crc_finish(png_ptr, length);
1220 skip = length - (png_uint_32)65535L; 1673 png_chunk_benign_error(png_ptr, "too large to fit in memory");
1221 length = (png_uint_32)65535L; 1674 return;
1222 } 1675 }
1223 #endif 1676 #endif
1224 1677
1225 png_free(png_ptr, png_ptr->chunkdata); 1678 buffer = png_read_buffer(png_ptr, length+1, 2/*silent*/);
1226 png_ptr->chunkdata = (png_charp)png_malloc(png_ptr, length + 1); 1679 if (buffer == NULL)
1227 slength = (png_size_t)length;
1228 png_crc_read(png_ptr, (png_bytep)png_ptr->chunkdata, slength);
1229
1230 if (png_crc_finish(png_ptr, skip))
1231 { 1680 {
1232 png_free(png_ptr, png_ptr->chunkdata); 1681 png_crc_finish(png_ptr, length);
1233 png_ptr->chunkdata = NULL; 1682 png_chunk_benign_error(png_ptr, "out of memory");
1234 return; 1683 return;
1235 } 1684 }
1236 1685
1237 png_ptr->chunkdata[slength] = 0x00;
1238 1686
1239 for (entry_start = (png_bytep)png_ptr->chunkdata; *entry_start; 1687 /* WARNING: this may break if size_t is less than 32 bits; it is assumed
1240 entry_start++) 1688 * that the PNG_MAX_MALLOC_64K test is enabled in this case, but this is a
1689 * potential breakage point if the types in pngconf.h aren't exactly right.
1690 */
1691 png_crc_read(png_ptr, buffer, length);
1692
1693 if (png_crc_finish(png_ptr, skip) != 0)
1694 return;
1695
1696 buffer[length] = 0;
1697
1698 for (entry_start = buffer; *entry_start; entry_start++)
1241 /* Empty loop to find end of name */ ; 1699 /* Empty loop to find end of name */ ;
1700
1242 ++entry_start; 1701 ++entry_start;
1243 1702
1244 /* A sample depth should follow the separator, and we should be on it */ 1703 /* A sample depth should follow the separator, and we should be on it */
1245 if (slength < 2U || 1704 if (length < 2U || entry_start > buffer + (length - 2U))
1246 entry_start > (png_bytep)png_ptr->chunkdata + slength - 2U)
1247 { 1705 {
1248 png_free(png_ptr, png_ptr->chunkdata);
1249 png_ptr->chunkdata = NULL;
1250 png_warning(png_ptr, "malformed sPLT chunk"); 1706 png_warning(png_ptr, "malformed sPLT chunk");
1251 return; 1707 return;
1252 } 1708 }
1253 1709
1254 new_palette.depth = *entry_start++; 1710 new_palette.depth = *entry_start++;
1255 entry_size = (new_palette.depth == 8 ? 6 : 10); 1711 entry_size = (new_palette.depth == 8 ? 6 : 10);
1256 data_length = (slength - (entry_start - (png_bytep)png_ptr->chunkdata)); 1712 /* This must fit in a png_uint_32 because it is derived from the original
1713 * chunk data length.
1714 */
1715 data_length = length - (png_uint_32)(entry_start - buffer);
1257 1716
1258 /* Integrity-check the data length */ 1717 /* Integrity-check the data length */
1259 if (data_length % entry_size) 1718 if ((data_length % entry_size) != 0)
1260 { 1719 {
1261 png_free(png_ptr, png_ptr->chunkdata);
1262 png_ptr->chunkdata = NULL;
1263 png_warning(png_ptr, "sPLT chunk has bad length"); 1720 png_warning(png_ptr, "sPLT chunk has bad length");
1264 return; 1721 return;
1265 } 1722 }
1266 1723
1267 new_palette.nentries = (png_int_32) ( data_length / entry_size); 1724 dl = (png_int_32)(data_length / entry_size);
1268 if ((png_uint_32) new_palette.nentries > 1725 max_dl = PNG_SIZE_MAX / (sizeof (png_sPLT_entry));
1269 (png_uint_32) (PNG_SIZE_MAX / png_sizeof(png_sPLT_entry))) 1726
1727 if (dl > max_dl)
1270 { 1728 {
1271 png_warning(png_ptr, "sPLT chunk too long"); 1729 png_warning(png_ptr, "sPLT chunk too long");
1272 return; 1730 return;
1273 } 1731 }
1732
1733 new_palette.nentries = (png_int_32)(data_length / entry_size);
1734
1274 new_palette.entries = (png_sPLT_entryp)png_malloc_warn( 1735 new_palette.entries = (png_sPLT_entryp)png_malloc_warn(
1275 png_ptr, new_palette.nentries * png_sizeof(png_sPLT_entry)); 1736 png_ptr, new_palette.nentries * (sizeof (png_sPLT_entry)));
1737
1276 if (new_palette.entries == NULL) 1738 if (new_palette.entries == NULL)
1277 { 1739 {
1278 png_warning(png_ptr, "sPLT chunk requires too much memory"); 1740 png_warning(png_ptr, "sPLT chunk requires too much memory");
1279 return; 1741 return;
1280 } 1742 }
1281 1743
1282 #ifdef PNG_POINTER_INDEXING_SUPPORTED 1744 #ifdef PNG_POINTER_INDEXING_SUPPORTED
1283 for (i = 0; i < new_palette.nentries; i++) 1745 for (i = 0; i < new_palette.nentries; i++)
1284 { 1746 {
1285 pp = new_palette.entries + i; 1747 pp = new_palette.entries + i;
1286 1748
1287 if (new_palette.depth == 8) 1749 if (new_palette.depth == 8)
1288 { 1750 {
1289 pp->red = *entry_start++; 1751 pp->red = *entry_start++;
1290 pp->green = *entry_start++; 1752 pp->green = *entry_start++;
1291 pp->blue = *entry_start++; 1753 pp->blue = *entry_start++;
1292 pp->alpha = *entry_start++; 1754 pp->alpha = *entry_start++;
1293 } 1755 }
1756
1294 else 1757 else
1295 { 1758 {
1296 pp->red = png_get_uint_16(entry_start); entry_start += 2; 1759 pp->red = png_get_uint_16(entry_start); entry_start += 2;
1297 pp->green = png_get_uint_16(entry_start); entry_start += 2; 1760 pp->green = png_get_uint_16(entry_start); entry_start += 2;
1298 pp->blue = png_get_uint_16(entry_start); entry_start += 2; 1761 pp->blue = png_get_uint_16(entry_start); entry_start += 2;
1299 pp->alpha = png_get_uint_16(entry_start); entry_start += 2; 1762 pp->alpha = png_get_uint_16(entry_start); entry_start += 2;
1300 } 1763 }
1764
1301 pp->frequency = png_get_uint_16(entry_start); entry_start += 2; 1765 pp->frequency = png_get_uint_16(entry_start); entry_start += 2;
1302 } 1766 }
1303 #else 1767 #else
1304 pp = new_palette.entries; 1768 pp = new_palette.entries;
1769
1305 for (i = 0; i < new_palette.nentries; i++) 1770 for (i = 0; i < new_palette.nentries; i++)
1306 { 1771 {
1307 1772
1308 if (new_palette.depth == 8) 1773 if (new_palette.depth == 8)
1309 { 1774 {
1310 pp[i].red = *entry_start++; 1775 pp[i].red = *entry_start++;
1311 pp[i].green = *entry_start++; 1776 pp[i].green = *entry_start++;
1312 pp[i].blue = *entry_start++; 1777 pp[i].blue = *entry_start++;
1313 pp[i].alpha = *entry_start++; 1778 pp[i].alpha = *entry_start++;
1314 } 1779 }
1780
1315 else 1781 else
1316 { 1782 {
1317 pp[i].red = png_get_uint_16(entry_start); entry_start += 2; 1783 pp[i].red = png_get_uint_16(entry_start); entry_start += 2;
1318 pp[i].green = png_get_uint_16(entry_start); entry_start += 2; 1784 pp[i].green = png_get_uint_16(entry_start); entry_start += 2;
1319 pp[i].blue = png_get_uint_16(entry_start); entry_start += 2; 1785 pp[i].blue = png_get_uint_16(entry_start); entry_start += 2;
1320 pp[i].alpha = png_get_uint_16(entry_start); entry_start += 2; 1786 pp[i].alpha = png_get_uint_16(entry_start); entry_start += 2;
1321 } 1787 }
1322 pp->frequency = png_get_uint_16(entry_start); entry_start += 2; 1788
1789 pp[i].frequency = png_get_uint_16(entry_start); entry_start += 2;
1323 } 1790 }
1324 #endif 1791 #endif
1325 1792
1326 /* Discard all chunk data except the name and stash that */ 1793 /* Discard all chunk data except the name and stash that */
1327 new_palette.name = png_ptr->chunkdata; 1794 new_palette.name = (png_charp)buffer;
1328 1795
1329 png_set_sPLT(png_ptr, info_ptr, &new_palette, 1); 1796 png_set_sPLT(png_ptr, info_ptr, &new_palette, 1);
1330 1797
1331 png_free(png_ptr, png_ptr->chunkdata);
1332 png_ptr->chunkdata = NULL;
1333 png_free(png_ptr, new_palette.entries); 1798 png_free(png_ptr, new_palette.entries);
1334 } 1799 }
1335 #endif /* PNG_READ_sPLT_SUPPORTED */ 1800 #endif /* READ_sPLT */
1336 1801
1337 #ifdef PNG_READ_tRNS_SUPPORTED 1802 #ifdef PNG_READ_tRNS_SUPPORTED
1338 void /* PRIVATE */ 1803 void /* PRIVATE */
1339 png_handle_tRNS(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) 1804 png_handle_tRNS(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
1340 { 1805 {
1341 png_byte readbuf[PNG_MAX_PALETTE_LENGTH]; 1806 png_byte readbuf[PNG_MAX_PALETTE_LENGTH];
1342 1807
1343 png_debug(1, "in png_handle_tRNS"); 1808 png_debug(1, "in png_handle_tRNS");
1344 1809
1345 if (!(png_ptr->mode & PNG_HAVE_IHDR)) 1810 if ((png_ptr->mode & PNG_HAVE_IHDR) == 0)
1346 png_error(png_ptr, "Missing IHDR before tRNS"); 1811 png_chunk_error(png_ptr, "missing IHDR");
1347 else if (png_ptr->mode & PNG_HAVE_IDAT) 1812
1813 else if ((png_ptr->mode & PNG_HAVE_IDAT) != 0)
1348 { 1814 {
1349 png_warning(png_ptr, "Invalid tRNS after IDAT");
1350 png_crc_finish(png_ptr, length); 1815 png_crc_finish(png_ptr, length);
1351 return; 1816 png_chunk_benign_error(png_ptr, "out of place");
1352 }
1353 else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_tRNS))
1354 {
1355 png_warning(png_ptr, "Duplicate tRNS chunk");
1356 png_crc_finish(png_ptr, length);
1357 return; 1817 return;
1358 } 1818 }
1359 1819
1820 else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_tRNS) != 0)
1821 {
1822 png_crc_finish(png_ptr, length);
1823 png_chunk_benign_error(png_ptr, "duplicate");
1824 return;
1825 }
1826
1360 if (png_ptr->color_type == PNG_COLOR_TYPE_GRAY) 1827 if (png_ptr->color_type == PNG_COLOR_TYPE_GRAY)
1361 { 1828 {
1362 png_byte buf[2]; 1829 png_byte buf[2];
1363 1830
1364 if (length != 2) 1831 if (length != 2)
1365 { 1832 {
1366 png_warning(png_ptr, "Incorrect tRNS chunk length"); 1833 png_crc_finish(png_ptr, length);
1367 png_crc_finish(png_ptr, length); 1834 png_chunk_benign_error(png_ptr, "invalid");
1368 return; 1835 return;
1369 } 1836 }
1370 1837
1371 png_crc_read(png_ptr, buf, 2); 1838 png_crc_read(png_ptr, buf, 2);
1372 png_ptr->num_trans = 1; 1839 png_ptr->num_trans = 1;
1373 png_ptr->trans_values.gray = png_get_uint_16(buf); 1840 png_ptr->trans_color.gray = png_get_uint_16(buf);
1374 } 1841 }
1842
1375 else if (png_ptr->color_type == PNG_COLOR_TYPE_RGB) 1843 else if (png_ptr->color_type == PNG_COLOR_TYPE_RGB)
1376 { 1844 {
1377 png_byte buf[6]; 1845 png_byte buf[6];
1378 1846
1379 if (length != 6) 1847 if (length != 6)
1380 { 1848 {
1381 png_warning(png_ptr, "Incorrect tRNS chunk length"); 1849 png_crc_finish(png_ptr, length);
1382 png_crc_finish(png_ptr, length); 1850 png_chunk_benign_error(png_ptr, "invalid");
1383 return; 1851 return;
1384 } 1852 }
1385 png_crc_read(png_ptr, buf, (png_size_t)length); 1853
1854 png_crc_read(png_ptr, buf, length);
1386 png_ptr->num_trans = 1; 1855 png_ptr->num_trans = 1;
1387 png_ptr->trans_values.red = png_get_uint_16(buf); 1856 png_ptr->trans_color.red = png_get_uint_16(buf);
1388 png_ptr->trans_values.green = png_get_uint_16(buf + 2); 1857 png_ptr->trans_color.green = png_get_uint_16(buf + 2);
1389 png_ptr->trans_values.blue = png_get_uint_16(buf + 4); 1858 png_ptr->trans_color.blue = png_get_uint_16(buf + 4);
1390 } 1859 }
1860
1391 else if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) 1861 else if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
1392 { 1862 {
1393 if (!(png_ptr->mode & PNG_HAVE_PLTE)) 1863 if ((png_ptr->mode & PNG_HAVE_PLTE) == 0)
1394 { 1864 {
1395 /* Should be an error, but we can cope with it. */ 1865 /* TODO: is this actually an error in the ISO spec? */
1396 png_warning(png_ptr, "Missing PLTE before tRNS"); 1866 png_crc_finish(png_ptr, length);
1397 } 1867 png_chunk_benign_error(png_ptr, "out of place");
1398 if (length > (png_uint_32)png_ptr->num_palette || 1868 return;
1399 length > PNG_MAX_PALETTE_LENGTH) 1869 }
1400 { 1870
1401 png_warning(png_ptr, "Incorrect tRNS chunk length"); 1871 if (length > (unsigned int) png_ptr->num_palette ||
1402 png_crc_finish(png_ptr, length); 1872 length > (unsigned int) PNG_MAX_PALETTE_LENGTH ||
1403 return; 1873 length == 0)
1404 } 1874 {
1405 if (length == 0) 1875 png_crc_finish(png_ptr, length);
1406 { 1876 png_chunk_benign_error(png_ptr, "invalid");
1407 png_warning(png_ptr, "Zero length tRNS chunk"); 1877 return;
1408 png_crc_finish(png_ptr, length); 1878 }
1409 return; 1879
1410 } 1880 png_crc_read(png_ptr, readbuf, length);
1411 png_crc_read(png_ptr, readbuf, (png_size_t)length);
1412 png_ptr->num_trans = (png_uint_16)length; 1881 png_ptr->num_trans = (png_uint_16)length;
1413 } 1882 }
1883
1414 else 1884 else
1415 { 1885 {
1416 png_warning(png_ptr, "tRNS chunk not allowed with alpha channel"); 1886 png_crc_finish(png_ptr, length);
1417 png_crc_finish(png_ptr, length); 1887 png_chunk_benign_error(png_ptr, "invalid with alpha channel");
1418 return; 1888 return;
1419 } 1889 }
1420 1890
1421 if (png_crc_finish(png_ptr, 0)) 1891 if (png_crc_finish(png_ptr, 0) != 0)
1422 { 1892 {
1423 png_ptr->num_trans = 0; 1893 png_ptr->num_trans = 0;
1424 return; 1894 return;
1425 } 1895 }
1426 1896
1897 /* TODO: this is a horrible side effect in the palette case because the
1898 * png_struct ends up with a pointer to the tRNS buffer owned by the
1899 * png_info. Fix this.
1900 */
1427 png_set_tRNS(png_ptr, info_ptr, readbuf, png_ptr->num_trans, 1901 png_set_tRNS(png_ptr, info_ptr, readbuf, png_ptr->num_trans,
1428 &(png_ptr->trans_values)); 1902 &(png_ptr->trans_color));
1429 } 1903 }
1430 #endif 1904 #endif
1431 1905
1432 #ifdef PNG_READ_bKGD_SUPPORTED 1906 #ifdef PNG_READ_bKGD_SUPPORTED
1433 void /* PRIVATE */ 1907 void /* PRIVATE */
1434 png_handle_bKGD(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) 1908 png_handle_bKGD(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
1435 { 1909 {
1436 png_size_t truelen; 1910 unsigned int truelen;
1437 png_byte buf[6]; 1911 png_byte buf[6];
1912 png_color_16 background;
1438 1913
1439 png_debug(1, "in png_handle_bKGD"); 1914 png_debug(1, "in png_handle_bKGD");
1440 1915
1441 if (!(png_ptr->mode & PNG_HAVE_IHDR)) 1916 if ((png_ptr->mode & PNG_HAVE_IHDR) == 0)
1442 png_error(png_ptr, "Missing IHDR before bKGD"); 1917 png_chunk_error(png_ptr, "missing IHDR");
1443 else if (png_ptr->mode & PNG_HAVE_IDAT) 1918
1444 { 1919 else if ((png_ptr->mode & PNG_HAVE_IDAT) != 0 ||
1445 png_warning(png_ptr, "Invalid bKGD after IDAT"); 1920 (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE &&
1446 png_crc_finish(png_ptr, length); 1921 (png_ptr->mode & PNG_HAVE_PLTE) == 0))
1447 return; 1922 {
1448 } 1923 png_crc_finish(png_ptr, length);
1449 else if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE && 1924 png_chunk_benign_error(png_ptr, "out of place");
1450 !(png_ptr->mode & PNG_HAVE_PLTE)) 1925 return;
1451 { 1926 }
1452 png_warning(png_ptr, "Missing PLTE before bKGD"); 1927
1453 png_crc_finish(png_ptr, length); 1928 else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_bKGD) != 0)
1454 return; 1929 {
1455 } 1930 png_crc_finish(png_ptr, length);
1456 else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_bKGD)) 1931 png_chunk_benign_error(png_ptr, "duplicate");
1457 {
1458 png_warning(png_ptr, "Duplicate bKGD chunk");
1459 png_crc_finish(png_ptr, length);
1460 return; 1932 return;
1461 } 1933 }
1462 1934
1463 if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) 1935 if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
1464 truelen = 1; 1936 truelen = 1;
1465 else if (png_ptr->color_type & PNG_COLOR_MASK_COLOR) 1937
1938 else if ((png_ptr->color_type & PNG_COLOR_MASK_COLOR) != 0)
1466 truelen = 6; 1939 truelen = 6;
1940
1467 else 1941 else
1468 truelen = 2; 1942 truelen = 2;
1469 1943
1470 if (length != truelen) 1944 if (length != truelen)
1471 { 1945 {
1472 png_warning(png_ptr, "Incorrect bKGD chunk length"); 1946 png_crc_finish(png_ptr, length);
1473 png_crc_finish(png_ptr, length); 1947 png_chunk_benign_error(png_ptr, "invalid");
1474 return; 1948 return;
1475 } 1949 }
1476 1950
1477 png_crc_read(png_ptr, buf, truelen); 1951 png_crc_read(png_ptr, buf, truelen);
1478 if (png_crc_finish(png_ptr, 0)) 1952
1953 if (png_crc_finish(png_ptr, 0) != 0)
1479 return; 1954 return;
1480 1955
1481 /* We convert the index value into RGB components so that we can allow 1956 /* We convert the index value into RGB components so that we can allow
1482 * arbitrary RGB values for background when we have transparency, and 1957 * arbitrary RGB values for background when we have transparency, and
1483 * so it is easy to determine the RGB values of the background color 1958 * so it is easy to determine the RGB values of the background color
1484 * from the info_ptr struct. */ 1959 * from the info_ptr struct.
1960 */
1485 if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) 1961 if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
1486 { 1962 {
1487 png_ptr->background.index = buf[0]; 1963 background.index = buf[0];
1488 if (info_ptr && info_ptr->num_palette) 1964
1489 { 1965 if (info_ptr != NULL && info_ptr->num_palette != 0)
1490 if (buf[0] >= info_ptr->num_palette) 1966 {
1491 { 1967 if (buf[0] >= info_ptr->num_palette)
1492 png_warning(png_ptr, "Incorrect bKGD chunk index value"); 1968 {
1493 return; 1969 png_chunk_benign_error(png_ptr, "invalid index");
1494 } 1970 return;
1495 png_ptr->background.red = 1971 }
1496 (png_uint_16)png_ptr->palette[buf[0]].red; 1972
1497 png_ptr->background.green = 1973 background.red = (png_uint_16)png_ptr->palette[buf[0]].red;
1498 (png_uint_16)png_ptr->palette[buf[0]].green; 1974 background.green = (png_uint_16)png_ptr->palette[buf[0]].green;
1499 png_ptr->background.blue = 1975 background.blue = (png_uint_16)png_ptr->palette[buf[0]].blue;
1500 (png_uint_16)png_ptr->palette[buf[0]].blue; 1976 }
1501 } 1977
1502 } 1978 else
1503 else if (!(png_ptr->color_type & PNG_COLOR_MASK_COLOR)) /* GRAY */ 1979 background.red = background.green = background.blue = 0;
1504 { 1980
1505 png_ptr->background.red = 1981 background.gray = 0;
1506 png_ptr->background.green = 1982 }
1507 png_ptr->background.blue = 1983
1508 png_ptr->background.gray = png_get_uint_16(buf); 1984 else if ((png_ptr->color_type & PNG_COLOR_MASK_COLOR) == 0) /* GRAY */
1509 } 1985 {
1986 background.index = 0;
1987 background.red =
1988 background.green =
1989 background.blue =
1990 background.gray = png_get_uint_16(buf);
1991 }
1992
1510 else 1993 else
1511 { 1994 {
1512 png_ptr->background.red = png_get_uint_16(buf); 1995 background.index = 0;
1513 png_ptr->background.green = png_get_uint_16(buf + 2); 1996 background.red = png_get_uint_16(buf);
1514 png_ptr->background.blue = png_get_uint_16(buf + 4); 1997 background.green = png_get_uint_16(buf + 2);
1515 } 1998 background.blue = png_get_uint_16(buf + 4);
1516 1999 background.gray = 0;
1517 png_set_bKGD(png_ptr, info_ptr, &(png_ptr->background)); 2000 }
2001
2002 png_set_bKGD(png_ptr, info_ptr, &background);
1518 } 2003 }
1519 #endif 2004 #endif
1520 2005
1521 #ifdef PNG_READ_hIST_SUPPORTED 2006 #ifdef PNG_READ_hIST_SUPPORTED
1522 void /* PRIVATE */ 2007 void /* PRIVATE */
1523 png_handle_hIST(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) 2008 png_handle_hIST(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
1524 { 2009 {
1525 unsigned int num, i; 2010 unsigned int num, i;
1526 png_uint_16 readbuf[PNG_MAX_PALETTE_LENGTH]; 2011 png_uint_16 readbuf[PNG_MAX_PALETTE_LENGTH];
1527 2012
1528 png_debug(1, "in png_handle_hIST"); 2013 png_debug(1, "in png_handle_hIST");
1529 2014
1530 if (!(png_ptr->mode & PNG_HAVE_IHDR)) 2015 if ((png_ptr->mode & PNG_HAVE_IHDR) == 0)
1531 png_error(png_ptr, "Missing IHDR before hIST"); 2016 png_chunk_error(png_ptr, "missing IHDR");
1532 else if (png_ptr->mode & PNG_HAVE_IDAT) 2017
1533 { 2018 else if ((png_ptr->mode & PNG_HAVE_IDAT) != 0 ||
1534 png_warning(png_ptr, "Invalid hIST after IDAT"); 2019 (png_ptr->mode & PNG_HAVE_PLTE) == 0)
1535 png_crc_finish(png_ptr, length); 2020 {
1536 return; 2021 png_crc_finish(png_ptr, length);
1537 } 2022 png_chunk_benign_error(png_ptr, "out of place");
1538 else if (!(png_ptr->mode & PNG_HAVE_PLTE)) 2023 return;
1539 { 2024 }
1540 png_warning(png_ptr, "Missing PLTE before hIST"); 2025
1541 png_crc_finish(png_ptr, length); 2026 else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_hIST) != 0)
1542 return; 2027 {
1543 } 2028 png_crc_finish(png_ptr, length);
1544 else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_hIST)) 2029 png_chunk_benign_error(png_ptr, "duplicate");
1545 {
1546 png_warning(png_ptr, "Duplicate hIST chunk");
1547 png_crc_finish(png_ptr, length);
1548 return;
1549 }
1550
1551 if (length > 2*PNG_MAX_PALETTE_LENGTH ||
1552 length != (unsigned int) (2*png_ptr->num_palette))
1553 {
1554 png_warning(png_ptr, "Incorrect hIST chunk length");
1555 png_crc_finish(png_ptr, length);
1556 return; 2030 return;
1557 } 2031 }
1558 2032
1559 num = length / 2 ; 2033 num = length / 2 ;
1560 2034
2035 if (num != (unsigned int) png_ptr->num_palette ||
2036 num > (unsigned int) PNG_MAX_PALETTE_LENGTH)
2037 {
2038 png_crc_finish(png_ptr, length);
2039 png_chunk_benign_error(png_ptr, "invalid");
2040 return;
2041 }
2042
1561 for (i = 0; i < num; i++) 2043 for (i = 0; i < num; i++)
1562 { 2044 {
1563 png_byte buf[2]; 2045 png_byte buf[2];
1564 2046
1565 png_crc_read(png_ptr, buf, 2); 2047 png_crc_read(png_ptr, buf, 2);
1566 readbuf[i] = png_get_uint_16(buf); 2048 readbuf[i] = png_get_uint_16(buf);
1567 } 2049 }
1568 2050
1569 if (png_crc_finish(png_ptr, 0)) 2051 if (png_crc_finish(png_ptr, 0) != 0)
1570 return; 2052 return;
1571 2053
1572 png_set_hIST(png_ptr, info_ptr, readbuf); 2054 png_set_hIST(png_ptr, info_ptr, readbuf);
1573 } 2055 }
1574 #endif 2056 #endif
1575 2057
1576 #ifdef PNG_READ_pHYs_SUPPORTED 2058 #ifdef PNG_READ_pHYs_SUPPORTED
1577 void /* PRIVATE */ 2059 void /* PRIVATE */
1578 png_handle_pHYs(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) 2060 png_handle_pHYs(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
1579 { 2061 {
1580 png_byte buf[9]; 2062 png_byte buf[9];
1581 png_uint_32 res_x, res_y; 2063 png_uint_32 res_x, res_y;
1582 int unit_type; 2064 int unit_type;
1583 2065
1584 png_debug(1, "in png_handle_pHYs"); 2066 png_debug(1, "in png_handle_pHYs");
1585 2067
1586 if (!(png_ptr->mode & PNG_HAVE_IHDR)) 2068 if ((png_ptr->mode & PNG_HAVE_IHDR) == 0)
1587 png_error(png_ptr, "Missing IHDR before pHYs"); 2069 png_chunk_error(png_ptr, "missing IHDR");
1588 else if (png_ptr->mode & PNG_HAVE_IDAT) 2070
2071 else if ((png_ptr->mode & PNG_HAVE_IDAT) != 0)
1589 { 2072 {
1590 png_warning(png_ptr, "Invalid pHYs after IDAT");
1591 png_crc_finish(png_ptr, length); 2073 png_crc_finish(png_ptr, length);
2074 png_chunk_benign_error(png_ptr, "out of place");
1592 return; 2075 return;
1593 } 2076 }
1594 else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_pHYs)) 2077
2078 else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_pHYs) != 0)
1595 { 2079 {
1596 png_warning(png_ptr, "Duplicate pHYs chunk");
1597 png_crc_finish(png_ptr, length); 2080 png_crc_finish(png_ptr, length);
2081 png_chunk_benign_error(png_ptr, "duplicate");
1598 return; 2082 return;
1599 } 2083 }
1600 2084
1601 if (length != 9) 2085 if (length != 9)
1602 { 2086 {
1603 png_warning(png_ptr, "Incorrect pHYs chunk length");
1604 png_crc_finish(png_ptr, length); 2087 png_crc_finish(png_ptr, length);
2088 png_chunk_benign_error(png_ptr, "invalid");
1605 return; 2089 return;
1606 } 2090 }
1607 2091
1608 png_crc_read(png_ptr, buf, 9); 2092 png_crc_read(png_ptr, buf, 9);
1609 if (png_crc_finish(png_ptr, 0)) 2093
2094 if (png_crc_finish(png_ptr, 0) != 0)
1610 return; 2095 return;
1611 2096
1612 res_x = png_get_uint_32(buf); 2097 res_x = png_get_uint_32(buf);
1613 res_y = png_get_uint_32(buf + 4); 2098 res_y = png_get_uint_32(buf + 4);
1614 unit_type = buf[8]; 2099 unit_type = buf[8];
1615 png_set_pHYs(png_ptr, info_ptr, res_x, res_y, unit_type); 2100 png_set_pHYs(png_ptr, info_ptr, res_x, res_y, unit_type);
1616 } 2101 }
1617 #endif 2102 #endif
1618 2103
1619 #ifdef PNG_READ_oFFs_SUPPORTED 2104 #ifdef PNG_READ_oFFs_SUPPORTED
1620 void /* PRIVATE */ 2105 void /* PRIVATE */
1621 png_handle_oFFs(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) 2106 png_handle_oFFs(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
1622 { 2107 {
1623 png_byte buf[9]; 2108 png_byte buf[9];
1624 png_int_32 offset_x, offset_y; 2109 png_int_32 offset_x, offset_y;
1625 int unit_type; 2110 int unit_type;
1626 2111
1627 png_debug(1, "in png_handle_oFFs"); 2112 png_debug(1, "in png_handle_oFFs");
1628 2113
1629 if (!(png_ptr->mode & PNG_HAVE_IHDR)) 2114 if ((png_ptr->mode & PNG_HAVE_IHDR) == 0)
1630 png_error(png_ptr, "Missing IHDR before oFFs"); 2115 png_chunk_error(png_ptr, "missing IHDR");
1631 else if (png_ptr->mode & PNG_HAVE_IDAT) 2116
2117 else if ((png_ptr->mode & PNG_HAVE_IDAT) != 0)
1632 { 2118 {
1633 png_warning(png_ptr, "Invalid oFFs after IDAT");
1634 png_crc_finish(png_ptr, length); 2119 png_crc_finish(png_ptr, length);
2120 png_chunk_benign_error(png_ptr, "out of place");
1635 return; 2121 return;
1636 } 2122 }
1637 else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_oFFs)) 2123
2124 else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_oFFs) != 0)
1638 { 2125 {
1639 png_warning(png_ptr, "Duplicate oFFs chunk");
1640 png_crc_finish(png_ptr, length); 2126 png_crc_finish(png_ptr, length);
2127 png_chunk_benign_error(png_ptr, "duplicate");
1641 return; 2128 return;
1642 } 2129 }
1643 2130
1644 if (length != 9) 2131 if (length != 9)
1645 { 2132 {
1646 png_warning(png_ptr, "Incorrect oFFs chunk length");
1647 png_crc_finish(png_ptr, length); 2133 png_crc_finish(png_ptr, length);
2134 png_chunk_benign_error(png_ptr, "invalid");
1648 return; 2135 return;
1649 } 2136 }
1650 2137
1651 png_crc_read(png_ptr, buf, 9); 2138 png_crc_read(png_ptr, buf, 9);
1652 if (png_crc_finish(png_ptr, 0)) 2139
2140 if (png_crc_finish(png_ptr, 0) != 0)
1653 return; 2141 return;
1654 2142
1655 offset_x = png_get_int_32(buf); 2143 offset_x = png_get_int_32(buf);
1656 offset_y = png_get_int_32(buf + 4); 2144 offset_y = png_get_int_32(buf + 4);
1657 unit_type = buf[8]; 2145 unit_type = buf[8];
1658 png_set_oFFs(png_ptr, info_ptr, offset_x, offset_y, unit_type); 2146 png_set_oFFs(png_ptr, info_ptr, offset_x, offset_y, unit_type);
1659 } 2147 }
1660 #endif 2148 #endif
1661 2149
1662 #ifdef PNG_READ_pCAL_SUPPORTED 2150 #ifdef PNG_READ_pCAL_SUPPORTED
1663 /* Read the pCAL chunk (described in the PNG Extensions document) */ 2151 /* Read the pCAL chunk (described in the PNG Extensions document) */
1664 void /* PRIVATE */ 2152 void /* PRIVATE */
1665 png_handle_pCAL(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) 2153 png_handle_pCAL(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
1666 { 2154 {
1667 png_int_32 X0, X1; 2155 png_int_32 X0, X1;
1668 png_byte type, nparams; 2156 png_byte type, nparams;
1669 png_charp buf, units, endptr; 2157 png_bytep buffer, buf, units, endptr;
1670 png_charpp params; 2158 png_charpp params;
1671 png_size_t slength;
1672 int i; 2159 int i;
1673 2160
1674 png_debug(1, "in png_handle_pCAL"); 2161 png_debug(1, "in png_handle_pCAL");
1675 2162
1676 if (!(png_ptr->mode & PNG_HAVE_IHDR)) 2163 if ((png_ptr->mode & PNG_HAVE_IHDR) == 0)
1677 png_error(png_ptr, "Missing IHDR before pCAL"); 2164 png_chunk_error(png_ptr, "missing IHDR");
1678 else if (png_ptr->mode & PNG_HAVE_IDAT) 2165
2166 else if ((png_ptr->mode & PNG_HAVE_IDAT) != 0)
1679 { 2167 {
1680 png_warning(png_ptr, "Invalid pCAL after IDAT");
1681 png_crc_finish(png_ptr, length); 2168 png_crc_finish(png_ptr, length);
1682 return; 2169 png_chunk_benign_error(png_ptr, "out of place");
1683 }
1684 else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_pCAL))
1685 {
1686 png_warning(png_ptr, "Duplicate pCAL chunk");
1687 png_crc_finish(png_ptr, length);
1688 return; 2170 return;
1689 } 2171 }
1690 2172
1691 png_debug1(2, "Allocating and reading pCAL chunk data (%lu bytes)", 2173 else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_pCAL) != 0)
1692 length + 1);
1693 png_free(png_ptr, png_ptr->chunkdata);
1694 png_ptr->chunkdata = (png_charp)png_malloc_warn(png_ptr, length + 1);
1695 if (png_ptr->chunkdata == NULL)
1696 {
1697 png_warning(png_ptr, "No memory for pCAL purpose.");
1698 return;
1699 }
1700 slength = (png_size_t)length;
1701 png_crc_read(png_ptr, (png_bytep)png_ptr->chunkdata, slength);
1702
1703 if (png_crc_finish(png_ptr, 0))
1704 { 2174 {
1705 png_free(png_ptr, png_ptr->chunkdata); 2175 png_crc_finish(png_ptr, length);
1706 png_ptr->chunkdata = NULL; 2176 png_chunk_benign_error(png_ptr, "duplicate");
1707 return; 2177 return;
1708 } 2178 }
1709 2179
1710 png_ptr->chunkdata[slength] = 0x00; /* Null terminate the last string */ 2180 png_debug1(2, "Allocating and reading pCAL chunk data (%u bytes)",
2181 length + 1);
1711 2182
1712 png_debug(3, "Finding end of pCAL purpose string"); 2183 buffer = png_read_buffer(png_ptr, length+1, 2/*silent*/);
1713 for (buf = png_ptr->chunkdata; *buf; buf++)
1714 /* Empty loop */ ;
1715 2184
1716 endptr = png_ptr->chunkdata + slength; 2185 if (buffer == NULL)
1717
1718 /* We need to have at least 12 bytes after the purpose string
1719 in order to get the parameter information. */
1720 if (slength < 12U || endptr - buf <= 12)
1721 { 2186 {
1722 png_warning(png_ptr, "Invalid pCAL data"); 2187 png_crc_finish(png_ptr, length);
1723 png_free(png_ptr, png_ptr->chunkdata); 2188 png_chunk_benign_error(png_ptr, "out of memory");
1724 png_ptr->chunkdata = NULL;
1725 return; 2189 return;
1726 } 2190 }
1727 2191
2192 png_crc_read(png_ptr, buffer, length);
2193
2194 if (png_crc_finish(png_ptr, 0) != 0)
2195 return;
2196
2197 buffer[length] = 0; /* Null terminate the last string */
2198
2199 png_debug(3, "Finding end of pCAL purpose string");
2200 for (buf = buffer; *buf; buf++)
2201 /* Empty loop */ ;
2202
2203 endptr = buffer + length;
2204
2205 /* We need to have at least 12 bytes after the purpose string
2206 * in order to get the parameter information.
2207 */
2208 if (endptr - buf <= 12)
2209 {
2210 png_chunk_benign_error(png_ptr, "invalid");
2211 return;
2212 }
2213
1728 png_debug(3, "Reading pCAL X0, X1, type, nparams, and units"); 2214 png_debug(3, "Reading pCAL X0, X1, type, nparams, and units");
1729 X0 = png_get_int_32((png_bytep)buf+1); 2215 X0 = png_get_int_32((png_bytep)buf+1);
1730 X1 = png_get_int_32((png_bytep)buf+5); 2216 X1 = png_get_int_32((png_bytep)buf+5);
1731 type = buf[9]; 2217 type = buf[9];
1732 nparams = buf[10]; 2218 nparams = buf[10];
1733 units = buf + 11; 2219 units = buf + 11;
1734 2220
1735 png_debug(3, "Checking pCAL equation type and number of parameters"); 2221 png_debug(3, "Checking pCAL equation type and number of parameters");
1736 /* Check that we have the right number of parameters for known 2222 /* Check that we have the right number of parameters for known
1737 equation types. */ 2223 * equation types.
2224 */
1738 if ((type == PNG_EQUATION_LINEAR && nparams != 2) || 2225 if ((type == PNG_EQUATION_LINEAR && nparams != 2) ||
1739 (type == PNG_EQUATION_BASE_E && nparams != 3) || 2226 (type == PNG_EQUATION_BASE_E && nparams != 3) ||
1740 (type == PNG_EQUATION_ARBITRARY && nparams != 3) || 2227 (type == PNG_EQUATION_ARBITRARY && nparams != 3) ||
1741 (type == PNG_EQUATION_HYPERBOLIC && nparams != 4)) 2228 (type == PNG_EQUATION_HYPERBOLIC && nparams != 4))
1742 { 2229 {
1743 png_warning(png_ptr, "Invalid pCAL parameters for equation type"); 2230 png_chunk_benign_error(png_ptr, "invalid parameter count");
1744 png_free(png_ptr, png_ptr->chunkdata);
1745 png_ptr->chunkdata = NULL;
1746 return; 2231 return;
1747 } 2232 }
2233
1748 else if (type >= PNG_EQUATION_LAST) 2234 else if (type >= PNG_EQUATION_LAST)
1749 { 2235 {
1750 png_warning(png_ptr, "Unrecognized equation type for pCAL chunk"); 2236 png_chunk_benign_error(png_ptr, "unrecognized equation type");
1751 } 2237 }
1752 2238
1753 for (buf = units; *buf; buf++) 2239 for (buf = units; *buf; buf++)
1754 /* Empty loop to move past the units string. */ ; 2240 /* Empty loop to move past the units string. */ ;
1755 2241
1756 png_debug(3, "Allocating pCAL parameters array"); 2242 png_debug(3, "Allocating pCAL parameters array");
1757 params = (png_charpp)png_malloc_warn(png_ptr, 2243
1758 (png_uint_32)(nparams * png_sizeof(png_charp))) ; 2244 params = png_voidcast(png_charpp, png_malloc_warn(png_ptr,
2245 nparams * (sizeof (png_charp))));
2246
1759 if (params == NULL) 2247 if (params == NULL)
1760 { 2248 {
1761 png_free(png_ptr, png_ptr->chunkdata); 2249 png_chunk_benign_error(png_ptr, "out of memory");
1762 png_ptr->chunkdata = NULL; 2250 return;
1763 png_warning(png_ptr, "No memory for pCAL params."); 2251 }
1764 return;
1765 }
1766 2252
1767 /* Get pointers to the start of each parameter string. */ 2253 /* Get pointers to the start of each parameter string. */
1768 for (i = 0; i < (int)nparams; i++) 2254 for (i = 0; i < nparams; i++)
1769 { 2255 {
1770 buf++; /* Skip the null string terminator from previous parameter. */ 2256 buf++; /* Skip the null string terminator from previous parameter. */
1771 2257
1772 png_debug1(3, "Reading pCAL parameter %d", i); 2258 png_debug1(3, "Reading pCAL parameter %d", i);
1773 for (params[i] = buf; buf <= endptr && *buf != 0x00; buf++) 2259
2260 for (params[i] = (png_charp)buf; buf <= endptr && *buf != 0; buf++)
1774 /* Empty loop to move past each parameter string */ ; 2261 /* Empty loop to move past each parameter string */ ;
1775 2262
1776 /* Make sure we haven't run out of data yet */ 2263 /* Make sure we haven't run out of data yet */
1777 if (buf > endptr) 2264 if (buf > endptr)
1778 { 2265 {
1779 png_warning(png_ptr, "Invalid pCAL data");
1780 png_free(png_ptr, png_ptr->chunkdata);
1781 png_ptr->chunkdata = NULL;
1782 png_free(png_ptr, params); 2266 png_free(png_ptr, params);
2267 png_chunk_benign_error(png_ptr, "invalid data");
1783 return; 2268 return;
1784 } 2269 }
1785 } 2270 }
1786 2271
1787 png_set_pCAL(png_ptr, info_ptr, png_ptr->chunkdata, X0, X1, type, nparams, 2272 png_set_pCAL(png_ptr, info_ptr, (png_charp)buffer, X0, X1, type, nparams,
1788 units, params); 2273 (png_charp)units, params);
1789 2274
1790 png_free(png_ptr, png_ptr->chunkdata);
1791 png_ptr->chunkdata = NULL;
1792 png_free(png_ptr, params); 2275 png_free(png_ptr, params);
1793 } 2276 }
1794 #endif 2277 #endif
1795 2278
1796 #ifdef PNG_READ_sCAL_SUPPORTED 2279 #ifdef PNG_READ_sCAL_SUPPORTED
1797 /* Read the sCAL chunk */ 2280 /* Read the sCAL chunk */
1798 void /* PRIVATE */ 2281 void /* PRIVATE */
1799 png_handle_sCAL(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) 2282 png_handle_sCAL(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
1800 { 2283 {
1801 png_charp ep; 2284 png_bytep buffer;
1802 #ifdef PNG_FLOATING_POINT_SUPPORTED 2285 png_size_t i;
1803 double width, height; 2286 int state;
1804 png_charp vp;
1805 #else
1806 #ifdef PNG_FIXED_POINT_SUPPORTED
1807 png_charp swidth, sheight;
1808 #endif
1809 #endif
1810 png_size_t slength;
1811 2287
1812 png_debug(1, "in png_handle_sCAL"); 2288 png_debug(1, "in png_handle_sCAL");
1813 2289
1814 if (!(png_ptr->mode & PNG_HAVE_IHDR)) 2290 if ((png_ptr->mode & PNG_HAVE_IHDR) == 0)
1815 png_error(png_ptr, "Missing IHDR before sCAL"); 2291 png_chunk_error(png_ptr, "missing IHDR");
1816 else if (png_ptr->mode & PNG_HAVE_IDAT) 2292
2293 else if ((png_ptr->mode & PNG_HAVE_IDAT) != 0)
1817 { 2294 {
1818 png_warning(png_ptr, "Invalid sCAL after IDAT");
1819 png_crc_finish(png_ptr, length); 2295 png_crc_finish(png_ptr, length);
2296 png_chunk_benign_error(png_ptr, "out of place");
1820 return; 2297 return;
1821 } 2298 }
1822 else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_sCAL)) 2299
2300 else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_sCAL) != 0)
1823 { 2301 {
1824 png_warning(png_ptr, "Duplicate sCAL chunk");
1825 png_crc_finish(png_ptr, length); 2302 png_crc_finish(png_ptr, length);
2303 png_chunk_benign_error(png_ptr, "duplicate");
1826 return; 2304 return;
1827 } 2305 }
1828 2306
1829 /* Need unit type, width, \0, height: minimum 4 bytes */ 2307 /* Need unit type, width, \0, height: minimum 4 bytes */
1830 else if (length < 4) 2308 else if (length < 4)
1831 { 2309 {
1832 png_warning(png_ptr, "sCAL chunk too short"); 2310 png_crc_finish(png_ptr, length);
2311 png_chunk_benign_error(png_ptr, "invalid");
2312 return;
2313 }
2314
2315 png_debug1(2, "Allocating and reading sCAL chunk data (%u bytes)",
2316 length + 1);
2317
2318 buffer = png_read_buffer(png_ptr, length+1, 2/*silent*/);
2319
2320 if (buffer == NULL)
2321 {
2322 png_chunk_benign_error(png_ptr, "out of memory");
1833 png_crc_finish(png_ptr, length); 2323 png_crc_finish(png_ptr, length);
1834 return; 2324 return;
1835 } 2325 }
1836 2326
1837 png_debug1(2, "Allocating and reading sCAL chunk data (%lu bytes)", 2327 png_crc_read(png_ptr, buffer, length);
1838 length + 1); 2328 buffer[length] = 0; /* Null terminate the last string */
1839 png_ptr->chunkdata = (png_charp)png_malloc_warn(png_ptr, length + 1); 2329
1840 if (png_ptr->chunkdata == NULL) 2330 if (png_crc_finish(png_ptr, 0) != 0)
2331 return;
2332
2333 /* Validate the unit. */
2334 if (buffer[0] != 1 && buffer[0] != 2)
1841 { 2335 {
1842 png_warning(png_ptr, "Out of memory while processing sCAL chunk"); 2336 png_chunk_benign_error(png_ptr, "invalid unit");
1843 png_crc_finish(png_ptr, length);
1844 return;
1845 }
1846 slength = (png_size_t)length;
1847 png_crc_read(png_ptr, (png_bytep)png_ptr->chunkdata, slength);
1848
1849 if (png_crc_finish(png_ptr, 0))
1850 {
1851 png_free(png_ptr, png_ptr->chunkdata);
1852 png_ptr->chunkdata = NULL;
1853 return; 2337 return;
1854 } 2338 }
1855 2339
1856 png_ptr->chunkdata[slength] = 0x00; /* Null terminate the last string */ 2340 /* Validate the ASCII numbers, need two ASCII numbers separated by
2341 * a '\0' and they need to fit exactly in the chunk data.
2342 */
2343 i = 1;
2344 state = 0;
1857 2345
1858 ep = png_ptr->chunkdata + 1; /* Skip unit byte */ 2346 if (png_check_fp_number((png_const_charp)buffer, length, &state, &i) == 0 ||
2347 i >= length || buffer[i++] != 0)
2348 png_chunk_benign_error(png_ptr, "bad width format");
1859 2349
1860 #ifdef PNG_FLOATING_POINT_SUPPORTED 2350 else if (PNG_FP_IS_POSITIVE(state) == 0)
1861 width = png_strtod(png_ptr, ep, &vp); 2351 png_chunk_benign_error(png_ptr, "non-positive width");
1862 if (*vp) 2352
2353 else
1863 { 2354 {
1864 png_warning(png_ptr, "malformed width string in sCAL chunk"); 2355 png_size_t heighti = i;
1865 png_free(png_ptr, png_ptr->chunkdata); 2356
1866 png_ptr->chunkdata = NULL; 2357 state = 0;
1867 return; 2358 if (png_check_fp_number((png_const_charp)buffer, length,
2359 &state, &i) == 0 || i != length)
2360 png_chunk_benign_error(png_ptr, "bad height format");
2361
2362 else if (PNG_FP_IS_POSITIVE(state) == 0)
2363 png_chunk_benign_error(png_ptr, "non-positive height");
2364
2365 else
2366 /* This is the (only) success case. */
2367 png_set_sCAL_s(png_ptr, info_ptr, buffer[0],
2368 (png_charp)buffer+1, (png_charp)buffer+heighti);
1868 } 2369 }
1869 #else
1870 #ifdef PNG_FIXED_POINT_SUPPORTED
1871 swidth = (png_charp)png_malloc_warn(png_ptr, png_strlen(ep) + 1);
1872 if (swidth == NULL)
1873 {
1874 png_warning(png_ptr, "Out of memory while processing sCAL chunk width");
1875 png_free(png_ptr, png_ptr->chunkdata);
1876 png_ptr->chunkdata = NULL;
1877 return;
1878 }
1879 png_memcpy(swidth, ep, (png_size_t)png_strlen(ep) + 1);
1880 #endif
1881 #endif
1882
1883 for (ep = png_ptr->chunkdata + 1; *ep; ep++)
1884 /* Empty loop */ ;
1885 ep++;
1886
1887 if (png_ptr->chunkdata + slength < ep)
1888 {
1889 png_warning(png_ptr, "Truncated sCAL chunk");
1890 #if defined(PNG_FIXED_POINT_SUPPORTED) && !defined(PNG_FLOATING_POINT_SUPPORTED)
1891 png_free(png_ptr, swidth);
1892 #endif
1893 png_free(png_ptr, png_ptr->chunkdata);
1894 png_ptr->chunkdata = NULL;
1895 return;
1896 }
1897
1898 #ifdef PNG_FLOATING_POINT_SUPPORTED
1899 height = png_strtod(png_ptr, ep, &vp);
1900 if (*vp)
1901 {
1902 png_warning(png_ptr, "malformed height string in sCAL chunk");
1903 png_free(png_ptr, png_ptr->chunkdata);
1904 png_ptr->chunkdata = NULL;
1905 #if defined(PNG_FIXED_POINT_SUPPORTED) && !defined(PNG_FLOATING_POINT_SUPPORTED)
1906 png_free(png_ptr, swidth);
1907 #endif
1908 return;
1909 }
1910 #else
1911 #ifdef PNG_FIXED_POINT_SUPPORTED
1912 sheight = (png_charp)png_malloc_warn(png_ptr, png_strlen(ep) + 1);
1913 if (sheight == NULL)
1914 {
1915 png_warning(png_ptr, "Out of memory while processing sCAL chunk height");
1916 png_free(png_ptr, png_ptr->chunkdata);
1917 png_ptr->chunkdata = NULL;
1918 #if defined(PNG_FIXED_POINT_SUPPORTED) && !defined(PNG_FLOATING_POINT_SUPPORTED)
1919 png_free(png_ptr, swidth);
1920 #endif
1921 return;
1922 }
1923 png_memcpy(sheight, ep, (png_size_t)png_strlen(ep) + 1);
1924 #endif
1925 #endif
1926
1927 if (png_ptr->chunkdata + slength < ep
1928 #ifdef PNG_FLOATING_POINT_SUPPORTED
1929 || width <= 0. || height <= 0.
1930 #endif
1931 )
1932 {
1933 png_warning(png_ptr, "Invalid sCAL data");
1934 png_free(png_ptr, png_ptr->chunkdata);
1935 png_ptr->chunkdata = NULL;
1936 #if defined(PNG_FIXED_POINT_SUPPORTED) && !defined(PNG_FLOATING_POINT_SUPPORTED)
1937 png_free(png_ptr, swidth);
1938 png_free(png_ptr, sheight);
1939 #endif
1940 return;
1941 }
1942
1943
1944 #ifdef PNG_FLOATING_POINT_SUPPORTED
1945 png_set_sCAL(png_ptr, info_ptr, png_ptr->chunkdata[0], width, height);
1946 #else
1947 #ifdef PNG_FIXED_POINT_SUPPORTED
1948 png_set_sCAL_s(png_ptr, info_ptr, png_ptr->chunkdata[0], swidth, sheight);
1949 #endif
1950 #endif
1951
1952 png_free(png_ptr, png_ptr->chunkdata);
1953 png_ptr->chunkdata = NULL;
1954 #if defined(PNG_FIXED_POINT_SUPPORTED) && !defined(PNG_FLOATING_POINT_SUPPORTED)
1955 png_free(png_ptr, swidth);
1956 png_free(png_ptr, sheight);
1957 #endif
1958 } 2370 }
1959 #endif 2371 #endif
1960 2372
1961 #ifdef PNG_READ_tIME_SUPPORTED 2373 #ifdef PNG_READ_tIME_SUPPORTED
1962 void /* PRIVATE */ 2374 void /* PRIVATE */
1963 png_handle_tIME(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) 2375 png_handle_tIME(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
1964 { 2376 {
1965 png_byte buf[7]; 2377 png_byte buf[7];
1966 png_time mod_time; 2378 png_time mod_time;
1967 2379
1968 png_debug(1, "in png_handle_tIME"); 2380 png_debug(1, "in png_handle_tIME");
1969 2381
1970 if (!(png_ptr->mode & PNG_HAVE_IHDR)) 2382 if ((png_ptr->mode & PNG_HAVE_IHDR) == 0)
1971 png_error(png_ptr, "Out of place tIME chunk"); 2383 png_chunk_error(png_ptr, "missing IHDR");
1972 else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_tIME)) 2384
2385 else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_tIME) != 0)
1973 { 2386 {
1974 png_warning(png_ptr, "Duplicate tIME chunk");
1975 png_crc_finish(png_ptr, length); 2387 png_crc_finish(png_ptr, length);
2388 png_chunk_benign_error(png_ptr, "duplicate");
1976 return; 2389 return;
1977 } 2390 }
1978 2391
1979 if (png_ptr->mode & PNG_HAVE_IDAT) 2392 if ((png_ptr->mode & PNG_HAVE_IDAT) != 0)
1980 png_ptr->mode |= PNG_AFTER_IDAT; 2393 png_ptr->mode |= PNG_AFTER_IDAT;
1981 2394
1982 if (length != 7) 2395 if (length != 7)
1983 { 2396 {
1984 png_warning(png_ptr, "Incorrect tIME chunk length");
1985 png_crc_finish(png_ptr, length); 2397 png_crc_finish(png_ptr, length);
2398 png_chunk_benign_error(png_ptr, "invalid");
1986 return; 2399 return;
1987 } 2400 }
1988 2401
1989 png_crc_read(png_ptr, buf, 7); 2402 png_crc_read(png_ptr, buf, 7);
1990 if (png_crc_finish(png_ptr, 0)) 2403
2404 if (png_crc_finish(png_ptr, 0) != 0)
1991 return; 2405 return;
1992 2406
1993 mod_time.second = buf[6]; 2407 mod_time.second = buf[6];
1994 mod_time.minute = buf[5]; 2408 mod_time.minute = buf[5];
1995 mod_time.hour = buf[4]; 2409 mod_time.hour = buf[4];
1996 mod_time.day = buf[3]; 2410 mod_time.day = buf[3];
1997 mod_time.month = buf[2]; 2411 mod_time.month = buf[2];
1998 mod_time.year = png_get_uint_16(buf); 2412 mod_time.year = png_get_uint_16(buf);
1999 2413
2000 png_set_tIME(png_ptr, info_ptr, &mod_time); 2414 png_set_tIME(png_ptr, info_ptr, &mod_time);
2001 } 2415 }
2002 #endif 2416 #endif
2003 2417
2004 #ifdef PNG_READ_tEXt_SUPPORTED 2418 #ifdef PNG_READ_tEXt_SUPPORTED
2005 /* Note: this does not properly handle chunks that are > 64K under DOS */ 2419 /* Note: this does not properly handle chunks that are > 64K under DOS */
2006 void /* PRIVATE */ 2420 void /* PRIVATE */
2007 png_handle_tEXt(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) 2421 png_handle_tEXt(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
2008 { 2422 {
2009 png_textp text_ptr; 2423 png_text text_info;
2424 png_bytep buffer;
2010 png_charp key; 2425 png_charp key;
2011 png_charp text; 2426 png_charp text;
2012 png_uint_32 skip = 0; 2427 png_uint_32 skip = 0;
2013 png_size_t slength;
2014 int ret;
2015 2428
2016 png_debug(1, "in png_handle_tEXt"); 2429 png_debug(1, "in png_handle_tEXt");
2017 2430
2018 #ifdef PNG_USER_LIMITS_SUPPORTED 2431 #ifdef PNG_USER_LIMITS_SUPPORTED
2019 if (png_ptr->user_chunk_cache_max != 0) 2432 if (png_ptr->user_chunk_cache_max != 0)
2020 { 2433 {
2021 if (png_ptr->user_chunk_cache_max == 1) 2434 if (png_ptr->user_chunk_cache_max == 1)
2022 { 2435 {
2023 png_crc_finish(png_ptr, length); 2436 png_crc_finish(png_ptr, length);
2024 return; 2437 return;
2025 } 2438 }
2439
2026 if (--png_ptr->user_chunk_cache_max == 1) 2440 if (--png_ptr->user_chunk_cache_max == 1)
2027 { 2441 {
2028 png_warning(png_ptr, "No space in chunk cache for tEXt");
2029 png_crc_finish(png_ptr, length); 2442 png_crc_finish(png_ptr, length);
2443 png_chunk_benign_error(png_ptr, "no space in chunk cache");
2030 return; 2444 return;
2031 } 2445 }
2032 } 2446 }
2033 #endif 2447 #endif
2034 2448
2035 if (!(png_ptr->mode & PNG_HAVE_IHDR)) 2449 if ((png_ptr->mode & PNG_HAVE_IHDR) == 0)
2036 png_error(png_ptr, "Missing IHDR before tEXt"); 2450 png_chunk_error(png_ptr, "missing IHDR");
2037 2451
2038 if (png_ptr->mode & PNG_HAVE_IDAT) 2452 if ((png_ptr->mode & PNG_HAVE_IDAT) != 0)
2039 png_ptr->mode |= PNG_AFTER_IDAT; 2453 png_ptr->mode |= PNG_AFTER_IDAT;
2040 2454
2041 #ifdef PNG_MAX_MALLOC_64K 2455 #ifdef PNG_MAX_MALLOC_64K
2042 if (length > (png_uint_32)65535L) 2456 if (length > 65535U)
2043 { 2457 {
2044 png_warning(png_ptr, "tEXt chunk too large to fit in memory"); 2458 png_crc_finish(png_ptr, length);
2045 skip = length - (png_uint_32)65535L; 2459 png_chunk_benign_error(png_ptr, "too large to fit in memory");
2046 length = (png_uint_32)65535L; 2460 return;
2047 } 2461 }
2048 #endif 2462 #endif
2049 2463
2050 png_free(png_ptr, png_ptr->chunkdata); 2464 buffer = png_read_buffer(png_ptr, length+1, 1/*warn*/);
2051 2465
2052 png_ptr->chunkdata = (png_charp)png_malloc_warn(png_ptr, length + 1); 2466 if (buffer == NULL)
2053 if (png_ptr->chunkdata == NULL)
2054 { 2467 {
2055 png_warning(png_ptr, "No memory to process text chunk."); 2468 png_chunk_benign_error(png_ptr, "out of memory");
2056 return; 2469 return;
2057 } 2470 }
2058 slength = (png_size_t)length;
2059 png_crc_read(png_ptr, (png_bytep)png_ptr->chunkdata, slength);
2060 2471
2061 if (png_crc_finish(png_ptr, skip)) 2472 png_crc_read(png_ptr, buffer, length);
2062 { 2473
2063 png_free(png_ptr, png_ptr->chunkdata); 2474 if (png_crc_finish(png_ptr, skip) != 0)
2064 png_ptr->chunkdata = NULL;
2065 return; 2475 return;
2066 }
2067 2476
2068 key = png_ptr->chunkdata; 2477 key = (png_charp)buffer;
2069 2478 key[length] = 0;
2070 key[slength] = 0x00;
2071 2479
2072 for (text = key; *text; text++) 2480 for (text = key; *text; text++)
2073 /* Empty loop to find end of key */ ; 2481 /* Empty loop to find end of key */ ;
2074 2482
2075 if (text != key + slength) 2483 if (text != key + length)
2076 text++; 2484 text++;
2077 2485
2078 text_ptr = (png_textp)png_malloc_warn(png_ptr, 2486 text_info.compression = PNG_TEXT_COMPRESSION_NONE;
2079 (png_uint_32)png_sizeof(png_text)); 2487 text_info.key = key;
2080 if (text_ptr == NULL) 2488 text_info.lang = NULL;
2081 { 2489 text_info.lang_key = NULL;
2082 png_warning(png_ptr, "Not enough memory to process text chunk."); 2490 text_info.itxt_length = 0;
2083 png_free(png_ptr, png_ptr->chunkdata); 2491 text_info.text = text;
2084 png_ptr->chunkdata = NULL; 2492 text_info.text_length = strlen(text);
2085 return;
2086 }
2087 text_ptr->compression = PNG_TEXT_COMPRESSION_NONE;
2088 text_ptr->key = key;
2089 #ifdef PNG_iTXt_SUPPORTED
2090 text_ptr->lang = NULL;
2091 text_ptr->lang_key = NULL;
2092 text_ptr->itxt_length = 0;
2093 #endif
2094 text_ptr->text = text;
2095 text_ptr->text_length = png_strlen(text);
2096 2493
2097 ret = png_set_text_2(png_ptr, info_ptr, text_ptr, 1); 2494 if (png_set_text_2(png_ptr, info_ptr, &text_info, 1) != 0)
2098 2495 png_warning(png_ptr, "Insufficient memory to process text chunk");
2099 png_free(png_ptr, png_ptr->chunkdata);
2100 png_ptr->chunkdata = NULL;
2101 png_free(png_ptr, text_ptr);
2102 if (ret)
2103 png_warning(png_ptr, "Insufficient memory to process text chunk.");
2104 } 2496 }
2105 #endif 2497 #endif
2106 2498
2107 #ifdef PNG_READ_zTXt_SUPPORTED 2499 #ifdef PNG_READ_zTXt_SUPPORTED
2108 /* Note: this does not correctly handle chunks that are > 64K under DOS */ 2500 /* Note: this does not correctly handle chunks that are > 64K under DOS */
2109 void /* PRIVATE */ 2501 void /* PRIVATE */
2110 png_handle_zTXt(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) 2502 png_handle_zTXt(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
2111 { 2503 {
2112 png_textp text_ptr; 2504 png_const_charp errmsg = NULL;
2113 png_charp text; 2505 png_bytep buffer;
2114 int comp_type; 2506 png_uint_32 keyword_length;
2115 int ret;
2116 png_size_t slength, prefix_len, data_len;
2117 2507
2118 png_debug(1, "in png_handle_zTXt"); 2508 png_debug(1, "in png_handle_zTXt");
2119 2509
2120 #ifdef PNG_USER_LIMITS_SUPPORTED 2510 #ifdef PNG_USER_LIMITS_SUPPORTED
2121 if (png_ptr->user_chunk_cache_max != 0) 2511 if (png_ptr->user_chunk_cache_max != 0)
2122 { 2512 {
2123 if (png_ptr->user_chunk_cache_max == 1) 2513 if (png_ptr->user_chunk_cache_max == 1)
2124 { 2514 {
2125 png_crc_finish(png_ptr, length); 2515 png_crc_finish(png_ptr, length);
2126 return; 2516 return;
2127 } 2517 }
2518
2128 if (--png_ptr->user_chunk_cache_max == 1) 2519 if (--png_ptr->user_chunk_cache_max == 1)
2129 { 2520 {
2130 png_warning(png_ptr, "No space in chunk cache for zTXt");
2131 png_crc_finish(png_ptr, length); 2521 png_crc_finish(png_ptr, length);
2522 png_chunk_benign_error(png_ptr, "no space in chunk cache");
2132 return; 2523 return;
2133 } 2524 }
2134 } 2525 }
2135 #endif 2526 #endif
2136 2527
2137 if (!(png_ptr->mode & PNG_HAVE_IHDR)) 2528 if ((png_ptr->mode & PNG_HAVE_IHDR) == 0)
2138 png_error(png_ptr, "Missing IHDR before zTXt"); 2529 png_chunk_error(png_ptr, "missing IHDR");
2139 2530
2140 if (png_ptr->mode & PNG_HAVE_IDAT) 2531 if ((png_ptr->mode & PNG_HAVE_IDAT) != 0)
2141 png_ptr->mode |= PNG_AFTER_IDAT; 2532 png_ptr->mode |= PNG_AFTER_IDAT;
2142 2533
2143 #ifdef PNG_MAX_MALLOC_64K 2534 buffer = png_read_buffer(png_ptr, length, 2/*silent*/);
2144 /* We will no doubt have problems with chunks even half this size, but 2535
2145 there is no hard and fast rule to tell us where to stop. */ 2536 if (buffer == NULL)
2146 if (length > (png_uint_32)65535L)
2147 { 2537 {
2148 png_warning(png_ptr, "zTXt chunk too large to fit in memory"); 2538 png_crc_finish(png_ptr, length);
2149 png_crc_finish(png_ptr, length); 2539 png_chunk_benign_error(png_ptr, "out of memory");
2150 return;
2151 }
2152 #endif
2153
2154 png_free(png_ptr, png_ptr->chunkdata);
2155 png_ptr->chunkdata = (png_charp)png_malloc_warn(png_ptr, length + 1);
2156 if (png_ptr->chunkdata == NULL)
2157 {
2158 png_warning(png_ptr, "Out of memory processing zTXt chunk.");
2159 return;
2160 }
2161 slength = (png_size_t)length;
2162 png_crc_read(png_ptr, (png_bytep)png_ptr->chunkdata, slength);
2163 if (png_crc_finish(png_ptr, 0))
2164 {
2165 png_free(png_ptr, png_ptr->chunkdata);
2166 png_ptr->chunkdata = NULL;
2167 return; 2540 return;
2168 } 2541 }
2169 2542
2170 png_ptr->chunkdata[slength] = 0x00; 2543 png_crc_read(png_ptr, buffer, length);
2171 2544
2172 for (text = png_ptr->chunkdata; *text; text++) 2545 if (png_crc_finish(png_ptr, 0) != 0)
2173 /* Empty loop */ ; 2546 return;
2174 2547
2175 /* zTXt must have some text after the chunkdataword */ 2548 /* TODO: also check that the keyword contents match the spec! */
2176 if (slength < 2U || text >= png_ptr->chunkdata + slength - 2U) 2549 for (keyword_length = 0;
2177 { 2550 keyword_length < length && buffer[keyword_length] != 0;
2178 png_warning(png_ptr, "Truncated zTXt chunk"); 2551 ++keyword_length)
2179 png_free(png_ptr, png_ptr->chunkdata); 2552 /* Empty loop to find end of name */ ;
2180 png_ptr->chunkdata = NULL; 2553
2181 return; 2554 if (keyword_length > 79 || keyword_length < 1)
2182 } 2555 errmsg = "bad keyword";
2556
2557 /* zTXt must have some LZ data after the keyword, although it may expand to
2558 * zero bytes; we need a '\0' at the end of the keyword, the compression type
2559 * then the LZ data:
2560 */
2561 else if (keyword_length + 3 > length)
2562 errmsg = "truncated";
2563
2564 else if (buffer[keyword_length+1] != PNG_COMPRESSION_TYPE_BASE)
2565 errmsg = "unknown compression type";
2566
2183 else 2567 else
2184 { 2568 {
2185 comp_type = *(++text); 2569 png_alloc_size_t uncompressed_length = PNG_SIZE_MAX;
2186 if (comp_type != PNG_TEXT_COMPRESSION_zTXt) 2570
2187 { 2571 /* TODO: at present png_decompress_chunk imposes a single application
2188 png_warning(png_ptr, "Unknown compression type in zTXt chunk"); 2572 * level memory limit, this should be split to different values for iCCP
2189 comp_type = PNG_TEXT_COMPRESSION_zTXt; 2573 * and text chunks.
2190 } 2574 */
2191 text++; /* Skip the compression_method byte */ 2575 if (png_decompress_chunk(png_ptr, length, keyword_length+2,
2576 &uncompressed_length, 1/*terminate*/) == Z_STREAM_END)
2577 {
2578 png_text text;
2579
2580 /* It worked; png_ptr->read_buffer now looks like a tEXt chunk except
2581 * for the extra compression type byte and the fact that it isn't
2582 * necessarily '\0' terminated.
2583 */
2584 buffer = png_ptr->read_buffer;
2585 buffer[uncompressed_length+(keyword_length+2)] = 0;
2586
2587 text.compression = PNG_TEXT_COMPRESSION_zTXt;
2588 text.key = (png_charp)buffer;
2589 text.text = (png_charp)(buffer + keyword_length+2);
2590 text.text_length = uncompressed_length;
2591 text.itxt_length = 0;
2592 text.lang = NULL;
2593 text.lang_key = NULL;
2594
2595 if (png_set_text_2(png_ptr, info_ptr, &text, 1) != 0)
2596 errmsg = "insufficient memory";
2597 }
2598
2599 else
2600 errmsg = png_ptr->zstream.msg;
2192 } 2601 }
2193 prefix_len = text - png_ptr->chunkdata;
2194 2602
2195 png_decompress_chunk(png_ptr, comp_type, 2603 if (errmsg != NULL)
2196 (png_size_t)length, prefix_len, &data_len); 2604 png_chunk_benign_error(png_ptr, errmsg);
2197
2198 text_ptr = (png_textp)png_malloc_warn(png_ptr,
2199 (png_uint_32)png_sizeof(png_text));
2200 if (text_ptr == NULL)
2201 {
2202 png_warning(png_ptr, "Not enough memory to process zTXt chunk.");
2203 png_free(png_ptr, png_ptr->chunkdata);
2204 png_ptr->chunkdata = NULL;
2205 return;
2206 }
2207 text_ptr->compression = comp_type;
2208 text_ptr->key = png_ptr->chunkdata;
2209 #ifdef PNG_iTXt_SUPPORTED
2210 text_ptr->lang = NULL;
2211 text_ptr->lang_key = NULL;
2212 text_ptr->itxt_length = 0;
2213 #endif
2214 text_ptr->text = png_ptr->chunkdata + prefix_len;
2215 text_ptr->text_length = data_len;
2216
2217 ret = png_set_text_2(png_ptr, info_ptr, text_ptr, 1);
2218
2219 png_free(png_ptr, text_ptr);
2220 png_free(png_ptr, png_ptr->chunkdata);
2221 png_ptr->chunkdata = NULL;
2222 if (ret)
2223 png_error(png_ptr, "Insufficient memory to store zTXt chunk.");
2224 } 2605 }
2225 #endif 2606 #endif
2226 2607
2227 #ifdef PNG_READ_iTXt_SUPPORTED 2608 #ifdef PNG_READ_iTXt_SUPPORTED
2228 /* Note: this does not correctly handle chunks that are > 64K under DOS */ 2609 /* Note: this does not correctly handle chunks that are > 64K under DOS */
2229 void /* PRIVATE */ 2610 void /* PRIVATE */
2230 png_handle_iTXt(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) 2611 png_handle_iTXt(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
2231 { 2612 {
2232 png_textp text_ptr; 2613 png_const_charp errmsg = NULL;
2233 png_charp key, lang, text, lang_key; 2614 png_bytep buffer;
2234 int comp_flag; 2615 png_uint_32 prefix_length;
2235 int comp_type = 0;
2236 int ret;
2237 png_size_t slength, prefix_len, data_len;
2238 2616
2239 png_debug(1, "in png_handle_iTXt"); 2617 png_debug(1, "in png_handle_iTXt");
2240 2618
2241 #ifdef PNG_USER_LIMITS_SUPPORTED 2619 #ifdef PNG_USER_LIMITS_SUPPORTED
2242 if (png_ptr->user_chunk_cache_max != 0) 2620 if (png_ptr->user_chunk_cache_max != 0)
2243 { 2621 {
2244 if (png_ptr->user_chunk_cache_max == 1) 2622 if (png_ptr->user_chunk_cache_max == 1)
2245 { 2623 {
2246 png_crc_finish(png_ptr, length); 2624 png_crc_finish(png_ptr, length);
2247 return; 2625 return;
2248 } 2626 }
2627
2249 if (--png_ptr->user_chunk_cache_max == 1) 2628 if (--png_ptr->user_chunk_cache_max == 1)
2250 { 2629 {
2251 png_warning(png_ptr, "No space in chunk cache for iTXt");
2252 png_crc_finish(png_ptr, length); 2630 png_crc_finish(png_ptr, length);
2631 png_chunk_benign_error(png_ptr, "no space in chunk cache");
2253 return; 2632 return;
2254 } 2633 }
2255 } 2634 }
2256 #endif 2635 #endif
2257 2636
2258 if (!(png_ptr->mode & PNG_HAVE_IHDR)) 2637 if ((png_ptr->mode & PNG_HAVE_IHDR) == 0)
2259 png_error(png_ptr, "Missing IHDR before iTXt"); 2638 png_chunk_error(png_ptr, "missing IHDR");
2260 2639
2261 if (png_ptr->mode & PNG_HAVE_IDAT) 2640 if ((png_ptr->mode & PNG_HAVE_IDAT) != 0)
2262 png_ptr->mode |= PNG_AFTER_IDAT; 2641 png_ptr->mode |= PNG_AFTER_IDAT;
2263 2642
2264 #ifdef PNG_MAX_MALLOC_64K 2643 buffer = png_read_buffer(png_ptr, length+1, 1/*warn*/);
2265 /* We will no doubt have problems with chunks even half this size, but 2644
2266 there is no hard and fast rule to tell us where to stop. */ 2645 if (buffer == NULL)
2267 if (length > (png_uint_32)65535L) 2646 {
2268 { 2647 png_crc_finish(png_ptr, length);
2269 png_warning(png_ptr, "iTXt chunk too large to fit in memory"); 2648 png_chunk_benign_error(png_ptr, "out of memory");
2270 png_crc_finish(png_ptr, length);
2271 return;
2272 }
2273 #endif
2274
2275 png_free(png_ptr, png_ptr->chunkdata);
2276 png_ptr->chunkdata = (png_charp)png_malloc_warn(png_ptr, length + 1);
2277 if (png_ptr->chunkdata == NULL)
2278 {
2279 png_warning(png_ptr, "No memory to process iTXt chunk.");
2280 return;
2281 }
2282 slength = (png_size_t)length;
2283 png_crc_read(png_ptr, (png_bytep)png_ptr->chunkdata, slength);
2284 if (png_crc_finish(png_ptr, 0))
2285 {
2286 png_free(png_ptr, png_ptr->chunkdata);
2287 png_ptr->chunkdata = NULL;
2288 return; 2649 return;
2289 } 2650 }
2290 2651
2291 png_ptr->chunkdata[slength] = 0x00; 2652 png_crc_read(png_ptr, buffer, length);
2292 2653
2293 for (lang = png_ptr->chunkdata; *lang; lang++) 2654 if (png_crc_finish(png_ptr, 0) != 0)
2655 return;
2656
2657 /* First the keyword. */
2658 for (prefix_length=0;
2659 prefix_length < length && buffer[prefix_length] != 0;
2660 ++prefix_length)
2294 /* Empty loop */ ; 2661 /* Empty loop */ ;
2295 lang++; /* Skip NUL separator */ 2662
2296 2663 /* Perform a basic check on the keyword length here. */
2297 /* iTXt must have a language tag (possibly empty), two compression bytes, 2664 if (prefix_length > 79 || prefix_length < 1)
2298 * translated keyword (possibly empty), and possibly some text after the 2665 errmsg = "bad keyword";
2299 * keyword 2666
2300 */ 2667 /* Expect keyword, compression flag, compression type, language, translated
2301 2668 * keyword (both may be empty but are 0 terminated) then the text, which may
2302 if (slength < 3U || lang >= png_ptr->chunkdata + slength - 3U) 2669 * be empty.
2303 { 2670 */
2304 png_warning(png_ptr, "Truncated iTXt chunk"); 2671 else if (prefix_length + 5 > length)
2305 png_free(png_ptr, png_ptr->chunkdata); 2672 errmsg = "truncated";
2306 png_ptr->chunkdata = NULL; 2673
2307 return; 2674 else if (buffer[prefix_length+1] == 0 ||
2308 } 2675 (buffer[prefix_length+1] == 1 &&
2676 buffer[prefix_length+2] == PNG_COMPRESSION_TYPE_BASE))
2677 {
2678 int compressed = buffer[prefix_length+1] != 0;
2679 png_uint_32 language_offset, translated_keyword_offset;
2680 png_alloc_size_t uncompressed_length = 0;
2681
2682 /* Now the language tag */
2683 prefix_length += 3;
2684 language_offset = prefix_length;
2685
2686 for (; prefix_length < length && buffer[prefix_length] != 0;
2687 ++prefix_length)
2688 /* Empty loop */ ;
2689
2690 /* WARNING: the length may be invalid here, this is checked below. */
2691 translated_keyword_offset = ++prefix_length;
2692
2693 for (; prefix_length < length && buffer[prefix_length] != 0;
2694 ++prefix_length)
2695 /* Empty loop */ ;
2696
2697 /* prefix_length should now be at the trailing '\0' of the translated
2698 * keyword, but it may already be over the end. None of this arithmetic
2699 * can overflow because chunks are at most 2^31 bytes long, but on 16-bit
2700 * systems the available allocation may overflow.
2701 */
2702 ++prefix_length;
2703
2704 if (compressed == 0 && prefix_length <= length)
2705 uncompressed_length = length - prefix_length;
2706
2707 else if (compressed != 0 && prefix_length < length)
2708 {
2709 uncompressed_length = PNG_SIZE_MAX;
2710
2711 /* TODO: at present png_decompress_chunk imposes a single application
2712 * level memory limit, this should be split to different values for
2713 * iCCP and text chunks.
2714 */
2715 if (png_decompress_chunk(png_ptr, length, prefix_length,
2716 &uncompressed_length, 1/*terminate*/) == Z_STREAM_END)
2717 buffer = png_ptr->read_buffer;
2718
2719 else
2720 errmsg = png_ptr->zstream.msg;
2721 }
2722
2723 else
2724 errmsg = "truncated";
2725
2726 if (errmsg == NULL)
2727 {
2728 png_text text;
2729
2730 buffer[uncompressed_length+prefix_length] = 0;
2731
2732 if (compressed == 0)
2733 text.compression = PNG_ITXT_COMPRESSION_NONE;
2734
2735 else
2736 text.compression = PNG_ITXT_COMPRESSION_zTXt;
2737
2738 text.key = (png_charp)buffer;
2739 text.lang = (png_charp)buffer + language_offset;
2740 text.lang_key = (png_charp)buffer + translated_keyword_offset;
2741 text.text = (png_charp)buffer + prefix_length;
2742 text.text_length = 0;
2743 text.itxt_length = uncompressed_length;
2744
2745 if (png_set_text_2(png_ptr, info_ptr, &text, 1) != 0)
2746 errmsg = "insufficient memory";
2747 }
2748 }
2749
2309 else 2750 else
2310 { 2751 errmsg = "bad compression info";
2311 comp_flag = *lang++; 2752
2312 comp_type = *lang++; 2753 if (errmsg != NULL)
2313 } 2754 png_chunk_benign_error(png_ptr, errmsg);
2314
2315 for (lang_key = lang; *lang_key; lang_key++)
2316 /* Empty loop */ ;
2317 lang_key++; /* Skip NUL separator */
2318
2319 if (lang_key >= png_ptr->chunkdata + slength)
2320 {
2321 png_warning(png_ptr, "Truncated iTXt chunk");
2322 png_free(png_ptr, png_ptr->chunkdata);
2323 png_ptr->chunkdata = NULL;
2324 return;
2325 }
2326
2327 for (text = lang_key; *text; text++)
2328 /* Empty loop */ ;
2329 text++; /* Skip NUL separator */
2330 if (text >= png_ptr->chunkdata + slength)
2331 {
2332 png_warning(png_ptr, "Malformed iTXt chunk");
2333 png_free(png_ptr, png_ptr->chunkdata);
2334 png_ptr->chunkdata = NULL;
2335 return;
2336 }
2337
2338 prefix_len = text - png_ptr->chunkdata;
2339
2340 key=png_ptr->chunkdata;
2341 if (comp_flag)
2342 png_decompress_chunk(png_ptr, comp_type,
2343 (size_t)length, prefix_len, &data_len);
2344 else
2345 data_len = png_strlen(png_ptr->chunkdata + prefix_len);
2346 text_ptr = (png_textp)png_malloc_warn(png_ptr,
2347 (png_uint_32)png_sizeof(png_text));
2348 if (text_ptr == NULL)
2349 {
2350 png_warning(png_ptr, "Not enough memory to process iTXt chunk.");
2351 png_free(png_ptr, png_ptr->chunkdata);
2352 png_ptr->chunkdata = NULL;
2353 return;
2354 }
2355 text_ptr->compression = (int)comp_flag + 1;
2356 text_ptr->lang_key = png_ptr->chunkdata + (lang_key - key);
2357 text_ptr->lang = png_ptr->chunkdata + (lang - key);
2358 text_ptr->itxt_length = data_len;
2359 text_ptr->text_length = 0;
2360 text_ptr->key = png_ptr->chunkdata;
2361 text_ptr->text = png_ptr->chunkdata + prefix_len;
2362
2363 ret = png_set_text_2(png_ptr, info_ptr, text_ptr, 1);
2364
2365 png_free(png_ptr, text_ptr);
2366 png_free(png_ptr, png_ptr->chunkdata);
2367 png_ptr->chunkdata = NULL;
2368 if (ret)
2369 png_error(png_ptr, "Insufficient memory to store iTXt chunk.");
2370 } 2755 }
2371 #endif 2756 #endif
2372 2757
2373 /* This function is called when we haven't found a handler for a 2758 #ifdef PNG_READ_UNKNOWN_CHUNKS_SUPPORTED
2374 chunk. If there isn't a problem with the chunk itself (ie bad 2759 /* Utility function for png_handle_unknown; set up png_ptr::unknown_chunk */
2375 chunk name, CRC, or a critical chunk), the chunk is silently ignored 2760 static int
2376 -- unless the PNG_FLAG_UNKNOWN_CHUNKS_SUPPORTED flag is on in which 2761 png_cache_unknown_chunk(png_structrp png_ptr, png_uint_32 length)
2377 case it will be saved away to be written out later. */ 2762 {
2763 png_alloc_size_t limit = PNG_SIZE_MAX;
2764
2765 if (png_ptr->unknown_chunk.data != NULL)
2766 {
2767 png_free(png_ptr, png_ptr->unknown_chunk.data);
2768 png_ptr->unknown_chunk.data = NULL;
2769 }
2770
2771 # ifdef PNG_SET_USER_LIMITS_SUPPORTED
2772 if (png_ptr->user_chunk_malloc_max > 0 &&
2773 png_ptr->user_chunk_malloc_max < limit)
2774 limit = png_ptr->user_chunk_malloc_max;
2775
2776 # elif PNG_USER_CHUNK_MALLOC_MAX > 0
2777 if (PNG_USER_CHUNK_MALLOC_MAX < limit)
2778 limit = PNG_USER_CHUNK_MALLOC_MAX;
2779 # endif
2780
2781 if (length <= limit)
2782 {
2783 PNG_CSTRING_FROM_CHUNK(png_ptr->unknown_chunk.name, png_ptr->chunk_name);
2784 /* The following is safe because of the PNG_SIZE_MAX init above */
2785 png_ptr->unknown_chunk.size = (png_size_t)length/*SAFE*/;
2786 /* 'mode' is a flag array, only the bottom four bits matter here */
2787 png_ptr->unknown_chunk.location = (png_byte)png_ptr->mode/*SAFE*/;
2788
2789 if (length == 0)
2790 png_ptr->unknown_chunk.data = NULL;
2791
2792 else
2793 {
2794 /* Do a 'warn' here - it is handled below. */
2795 png_ptr->unknown_chunk.data = png_voidcast(png_bytep,
2796 png_malloc_warn(png_ptr, length));
2797 }
2798 }
2799
2800 if (png_ptr->unknown_chunk.data == NULL && length > 0)
2801 {
2802 /* This is benign because we clean up correctly */
2803 png_crc_finish(png_ptr, length);
2804 png_chunk_benign_error(png_ptr, "unknown chunk exceeds memory limits");
2805 return 0;
2806 }
2807
2808 else
2809 {
2810 if (length > 0)
2811 png_crc_read(png_ptr, png_ptr->unknown_chunk.data, length);
2812 png_crc_finish(png_ptr, 0);
2813 return 1;
2814 }
2815 }
2816 #endif /* READ_UNKNOWN_CHUNKS */
2817
2818 /* Handle an unknown, or known but disabled, chunk */
2378 void /* PRIVATE */ 2819 void /* PRIVATE */
2379 png_handle_unknown(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) 2820 png_handle_unknown(png_structrp png_ptr, png_inforp info_ptr,
2821 png_uint_32 length, int keep)
2380 { 2822 {
2381 png_uint_32 skip = 0; 2823 int handled = 0; /* the chunk was handled */
2382 2824
2383 png_debug(1, "in png_handle_unknown"); 2825 png_debug(1, "in png_handle_unknown");
2384 2826
2385 #ifdef PNG_USER_LIMITS_SUPPORTED 2827 #ifdef PNG_READ_UNKNOWN_CHUNKS_SUPPORTED
2386 if (png_ptr->user_chunk_cache_max != 0) 2828 /* NOTE: this code is based on the code in libpng-1.4.12 except for fixing
2387 { 2829 * the bug which meant that setting a non-default behavior for a specific
2388 if (png_ptr->user_chunk_cache_max == 1) 2830 * chunk would be ignored (the default was always used unless a user
2831 * callback was installed).
2832 *
2833 * 'keep' is the value from the png_chunk_unknown_handling, the setting for
2834 * this specific chunk_name, if PNG_HANDLE_AS_UNKNOWN_SUPPORTED, if not it
2835 * will always be PNG_HANDLE_CHUNK_AS_DEFAULT and it needs to be set here.
2836 * This is just an optimization to avoid multiple calls to the lookup
2837 * function.
2838 */
2839 # ifndef PNG_HANDLE_AS_UNKNOWN_SUPPORTED
2840 # ifdef PNG_SET_UNKNOWN_CHUNKS_SUPPORTED
2841 keep = png_chunk_unknown_handling(png_ptr, png_ptr->chunk_name);
2842 # endif
2843 # endif
2844
2845 /* One of the following methods will read the chunk or skip it (at least one
2846 * of these is always defined because this is the only way to switch on
2847 * PNG_READ_UNKNOWN_CHUNKS_SUPPORTED)
2848 */
2849 # ifdef PNG_READ_USER_CHUNKS_SUPPORTED
2850 /* The user callback takes precedence over the chunk keep value, but the
2851 * keep value is still required to validate a save of a critical chunk.
2852 */
2853 if (png_ptr->read_user_chunk_fn != NULL)
2854 {
2855 if (png_cache_unknown_chunk(png_ptr, length) != 0)
2389 { 2856 {
2390 png_crc_finish(png_ptr, length); 2857 /* Callback to user unknown chunk handler */
2391 return; 2858 int ret = (*(png_ptr->read_user_chunk_fn))(png_ptr,
2392 } 2859 &png_ptr->unknown_chunk);
2393 if (--png_ptr->user_chunk_cache_max == 1) 2860
2394 { 2861 /* ret is:
2395 png_warning(png_ptr, "No space in chunk cache for unknown chunk"); 2862 * negative: An error occurred; png_chunk_error will be called.
2396 png_crc_finish(png_ptr, length); 2863 * zero: The chunk was not handled, the chunk will be discarded
2397 return; 2864 * unless png_set_keep_unknown_chunks has been used to set
2398 } 2865 * a 'keep' behavior for this particular chunk, in which
2399 } 2866 * case that will be used. A critical chunk will cause an
2400 #endif 2867 * error at this point unless it is to be saved.
2401 2868 * positive: The chunk was handled, libpng will ignore/discard it.
2402 if (png_ptr->mode & PNG_HAVE_IDAT) 2869 */
2403 { 2870 if (ret < 0)
2404 #ifdef PNG_USE_LOCAL_ARRAYS 2871 png_chunk_error(png_ptr, "error in user chunk");
2405 PNG_CONST PNG_IDAT; 2872
2406 #endif 2873 else if (ret == 0)
2407 if (png_memcmp(png_ptr->chunk_name, png_IDAT, 4)) /* Not an IDAT */
2408 png_ptr->mode |= PNG_AFTER_IDAT;
2409 }
2410
2411 if (!(png_ptr->chunk_name[0] & 0x20))
2412 {
2413 #ifdef PNG_HANDLE_AS_UNKNOWN_SUPPORTED
2414 if (png_handle_as_unknown(png_ptr, png_ptr->chunk_name) !=
2415 PNG_HANDLE_CHUNK_ALWAYS
2416 #ifdef PNG_READ_USER_CHUNKS_SUPPORTED
2417 && png_ptr->read_user_chunk_fn == NULL
2418 #endif
2419 )
2420 #endif
2421 png_chunk_error(png_ptr, "unknown critical chunk");
2422 }
2423
2424 #ifdef PNG_READ_UNKNOWN_CHUNKS_SUPPORTED
2425 if ((png_ptr->flags & PNG_FLAG_KEEP_UNKNOWN_CHUNKS)
2426 #ifdef PNG_READ_USER_CHUNKS_SUPPORTED
2427 || (png_ptr->read_user_chunk_fn != NULL)
2428 #endif
2429 )
2430 {
2431 #ifdef PNG_MAX_MALLOC_64K
2432 if (length > (png_uint_32)65535L)
2433 {
2434 png_warning(png_ptr, "unknown chunk too large to fit in memory");
2435 skip = length - (png_uint_32)65535L;
2436 length = (png_uint_32)65535L;
2437 }
2438 #endif
2439 png_memcpy((png_charp)png_ptr->unknown_chunk.name,
2440 (png_charp)png_ptr->chunk_name,
2441 png_sizeof(png_ptr->unknown_chunk.name));
2442 png_ptr->unknown_chunk.name[png_sizeof(png_ptr->unknown_chunk.name)-1]
2443 = '\0';
2444 png_ptr->unknown_chunk.size = (png_size_t)length;
2445 if (length == 0)
2446 png_ptr->unknown_chunk.data = NULL;
2447 else
2448 {
2449 png_ptr->unknown_chunk.data = (png_bytep)png_malloc(png_ptr, length);
2450 png_crc_read(png_ptr, (png_bytep)png_ptr->unknown_chunk.data, length);
2451 }
2452 #ifdef PNG_READ_USER_CHUNKS_SUPPORTED
2453 if (png_ptr->read_user_chunk_fn != NULL)
2454 {
2455 /* Callback to user unknown chunk handler */
2456 int ret;
2457 ret = (*(png_ptr->read_user_chunk_fn))
2458 (png_ptr, &png_ptr->unknown_chunk);
2459 if (ret < 0)
2460 png_chunk_error(png_ptr, "error in user chunk");
2461 if (ret == 0)
2462 {
2463 if (!(png_ptr->chunk_name[0] & 0x20))
2464 #ifdef PNG_HANDLE_AS_UNKNOWN_SUPPORTED
2465 if (png_handle_as_unknown(png_ptr, png_ptr->chunk_name) !=
2466 PNG_HANDLE_CHUNK_ALWAYS)
2467 #endif
2468 png_chunk_error(png_ptr, "unknown critical chunk");
2469 png_set_unknown_chunks(png_ptr, info_ptr,
2470 &png_ptr->unknown_chunk, 1);
2471 }
2472 }
2473 else
2474 #endif
2475 png_set_unknown_chunks(png_ptr, info_ptr, &png_ptr->unknown_chunk, 1);
2476 png_free(png_ptr, png_ptr->unknown_chunk.data);
2477 png_ptr->unknown_chunk.data = NULL;
2478 }
2479 else
2480 #endif
2481 skip = length;
2482
2483 png_crc_finish(png_ptr, skip);
2484
2485 #ifndef PNG_READ_USER_CHUNKS_SUPPORTED
2486 PNG_UNUSED(info_ptr) /* Quiet compiler warnings about unused info_ptr */
2487 #endif
2488 }
2489
2490 /* This function is called to verify that a chunk name is valid.
2491 This function can't have the "critical chunk check" incorporated
2492 into it, since in the future we will need to be able to call user
2493 functions to handle unknown critical chunks after we check that
2494 the chunk name itself is valid. */
2495
2496 #define isnonalpha(c) ((c) < 65 || (c) > 122 || ((c) > 90 && (c) < 97))
2497
2498 void /* PRIVATE */
2499 png_check_chunk_name(png_structp png_ptr, png_bytep chunk_name)
2500 {
2501 png_debug(1, "in png_check_chunk_name");
2502 if (isnonalpha(chunk_name[0]) || isnonalpha(chunk_name[1]) ||
2503 isnonalpha(chunk_name[2]) || isnonalpha(chunk_name[3]))
2504 {
2505 png_chunk_error(png_ptr, "invalid chunk type");
2506 }
2507 }
2508
2509 /* Combines the row recently read in with the existing pixels in the
2510 row. This routine takes care of alpha and transparency if requested.
2511 This routine also handles the two methods of progressive display
2512 of interlaced images, depending on the mask value.
2513 The mask value describes which pixels are to be combined with
2514 the row. The pattern always repeats every 8 pixels, so just 8
2515 bits are needed. A one indicates the pixel is to be combined,
2516 a zero indicates the pixel is to be skipped. This is in addition
2517 to any alpha or transparency value associated with the pixel. If
2518 you want all pixels to be combined, pass 0xff (255) in mask. */
2519
2520 void /* PRIVATE */
2521 png_combine_row(png_structp png_ptr, png_bytep row, int mask)
2522 {
2523 png_debug(1, "in png_combine_row");
2524 if (mask == 0xff)
2525 {
2526 png_memcpy(row, png_ptr->row_buf + 1,
2527 PNG_ROWBYTES(png_ptr->row_info.pixel_depth, png_ptr->width));
2528 }
2529 else
2530 {
2531 switch (png_ptr->row_info.pixel_depth)
2532 {
2533 case 1:
2534 { 2874 {
2535 png_bytep sp = png_ptr->row_buf + 1; 2875 /* If the keep value is 'default' or 'never' override it, but
2536 png_bytep dp = row; 2876 * still error out on critical chunks unless the keep value is
2537 int s_inc, s_start, s_end; 2877 * 'always' While this is weird it is the behavior in 1.4.12.
2538 int m = 0x80; 2878 * A possible improvement would be to obey the value set for the
2539 int shift; 2879 * chunk, but this would be an API change that would probably
2540 png_uint_32 i; 2880 * damage some applications.
2541 png_uint_32 row_width = png_ptr->width; 2881 *
2542 2882 * The png_app_warning below catches the case that matters, where
2543 #ifdef PNG_READ_PACKSWAP_SUPPORTED 2883 * the application has not set specific save or ignore for this
2544 if (png_ptr->transformations & PNG_PACKSWAP) 2884 * chunk or global save or ignore.
2885 */
2886 if (keep < PNG_HANDLE_CHUNK_IF_SAFE)
2545 { 2887 {
2546 s_start = 0; 2888 # ifdef PNG_SET_UNKNOWN_CHUNKS_SUPPORTED
2547 s_end = 7; 2889 if (png_ptr->unknown_default < PNG_HANDLE_CHUNK_IF_SAFE)
2548 s_inc = 1; 2890 {
2891 png_chunk_warning(png_ptr, "Saving unknown chunk:");
2892 png_app_warning(png_ptr,
2893 "forcing save of an unhandled chunk;"
2894 " please call png_set_keep_unknown_chunks");
2895 /* with keep = PNG_HANDLE_CHUNK_IF_SAFE */
2896 }
2897 # endif
2898 keep = PNG_HANDLE_CHUNK_IF_SAFE;
2549 } 2899 }
2550 else
2551 #endif
2552 {
2553 s_start = 7;
2554 s_end = 0;
2555 s_inc = -1;
2556 }
2557
2558 shift = s_start;
2559
2560 for (i = 0; i < row_width; i++)
2561 {
2562 if (m & mask)
2563 {
2564 int value;
2565
2566 value = (*sp >> shift) & 0x01;
2567 *dp &= (png_byte)((0x7f7f >> (7 - shift)) & 0xff);
2568 *dp |= (png_byte)(value << shift);
2569 }
2570
2571 if (shift == s_end)
2572 {
2573 shift = s_start;
2574 sp++;
2575 dp++;
2576 }
2577 else
2578 shift += s_inc;
2579
2580 if (m == 1)
2581 m = 0x80;
2582 else
2583 m >>= 1;
2584 }
2585 break;
2586 } 2900 }
2587 case 2: 2901
2902 else /* chunk was handled */
2588 { 2903 {
2589 png_bytep sp = png_ptr->row_buf + 1; 2904 handled = 1;
2590 png_bytep dp = row; 2905 /* Critical chunks can be safely discarded at this point. */
2591 int s_start, s_end, s_inc; 2906 keep = PNG_HANDLE_CHUNK_NEVER;
2592 int m = 0x80;
2593 int shift;
2594 png_uint_32 i;
2595 png_uint_32 row_width = png_ptr->width;
2596 int value;
2597
2598 #ifdef PNG_READ_PACKSWAP_SUPPORTED
2599 if (png_ptr->transformations & PNG_PACKSWAP)
2600 {
2601 s_start = 0;
2602 s_end = 6;
2603 s_inc = 2;
2604 }
2605 else
2606 #endif
2607 {
2608 s_start = 6;
2609 s_end = 0;
2610 s_inc = -2;
2611 }
2612
2613 shift = s_start;
2614
2615 for (i = 0; i < row_width; i++)
2616 {
2617 if (m & mask)
2618 {
2619 value = (*sp >> shift) & 0x03;
2620 *dp &= (png_byte)((0x3f3f >> (6 - shift)) & 0xff);
2621 *dp |= (png_byte)(value << shift);
2622 }
2623
2624 if (shift == s_end)
2625 {
2626 shift = s_start;
2627 sp++;
2628 dp++;
2629 }
2630 else
2631 shift += s_inc;
2632 if (m == 1)
2633 m = 0x80;
2634 else
2635 m >>= 1;
2636 }
2637 break;
2638 }
2639 case 4:
2640 {
2641 png_bytep sp = png_ptr->row_buf + 1;
2642 png_bytep dp = row;
2643 int s_start, s_end, s_inc;
2644 int m = 0x80;
2645 int shift;
2646 png_uint_32 i;
2647 png_uint_32 row_width = png_ptr->width;
2648 int value;
2649
2650 #ifdef PNG_READ_PACKSWAP_SUPPORTED
2651 if (png_ptr->transformations & PNG_PACKSWAP)
2652 {
2653 s_start = 0;
2654 s_end = 4;
2655 s_inc = 4;
2656 }
2657 else
2658 #endif
2659 {
2660 s_start = 4;
2661 s_end = 0;
2662 s_inc = -4;
2663 }
2664 shift = s_start;
2665
2666 for (i = 0; i < row_width; i++)
2667 {
2668 if (m & mask)
2669 {
2670 value = (*sp >> shift) & 0xf;
2671 *dp &= (png_byte)((0xf0f >> (4 - shift)) & 0xff);
2672 *dp |= (png_byte)(value << shift);
2673 }
2674
2675 if (shift == s_end)
2676 {
2677 shift = s_start;
2678 sp++;
2679 dp++;
2680 }
2681 else
2682 shift += s_inc;
2683 if (m == 1)
2684 m = 0x80;
2685 else
2686 m >>= 1;
2687 }
2688 break;
2689 }
2690 default:
2691 {
2692 png_bytep sp = png_ptr->row_buf + 1;
2693 png_bytep dp = row;
2694 png_size_t pixel_bytes = (png_ptr->row_info.pixel_depth >> 3);
2695 png_uint_32 i;
2696 png_uint_32 row_width = png_ptr->width;
2697 png_byte m = 0x80;
2698
2699
2700 for (i = 0; i < row_width; i++)
2701 {
2702 if (m & mask)
2703 {
2704 png_memcpy(dp, sp, pixel_bytes);
2705 }
2706
2707 sp += pixel_bytes;
2708 dp += pixel_bytes;
2709
2710 if (m == 1)
2711 m = 0x80;
2712 else
2713 m >>= 1;
2714 }
2715 break;
2716 } 2907 }
2717 } 2908 }
2718 } 2909
2910 else
2911 keep = PNG_HANDLE_CHUNK_NEVER; /* insufficient memory */
2912 }
2913
2914 else
2915 /* Use the SAVE_UNKNOWN_CHUNKS code or skip the chunk */
2916 # endif /* READ_USER_CHUNKS */
2917
2918 # ifdef PNG_SAVE_UNKNOWN_CHUNKS_SUPPORTED
2919 {
2920 /* keep is currently just the per-chunk setting, if there was no
2921 * setting change it to the global default now (not that this may
2922 * still be AS_DEFAULT) then obtain the cache of the chunk if required,
2923 * if not simply skip the chunk.
2924 */
2925 if (keep == PNG_HANDLE_CHUNK_AS_DEFAULT)
2926 keep = png_ptr->unknown_default;
2927
2928 if (keep == PNG_HANDLE_CHUNK_ALWAYS ||
2929 (keep == PNG_HANDLE_CHUNK_IF_SAFE &&
2930 PNG_CHUNK_ANCILLARY(png_ptr->chunk_name)))
2931 {
2932 if (png_cache_unknown_chunk(png_ptr, length) == 0)
2933 keep = PNG_HANDLE_CHUNK_NEVER;
2934 }
2935
2936 else
2937 png_crc_finish(png_ptr, length);
2938 }
2939 # else
2940 # ifndef PNG_READ_USER_CHUNKS_SUPPORTED
2941 # error no method to support READ_UNKNOWN_CHUNKS
2942 # endif
2943
2944 {
2945 /* If here there is no read callback pointer set and no support is
2946 * compiled in to just save the unknown chunks, so simply skip this
2947 * chunk. If 'keep' is something other than AS_DEFAULT or NEVER then
2948 * the app has erroneously asked for unknown chunk saving when there
2949 * is no support.
2950 */
2951 if (keep > PNG_HANDLE_CHUNK_NEVER)
2952 png_app_error(png_ptr, "no unknown chunk support available");
2953
2954 png_crc_finish(png_ptr, length);
2955 }
2956 # endif
2957
2958 # ifdef PNG_STORE_UNKNOWN_CHUNKS_SUPPORTED
2959 /* Now store the chunk in the chunk list if appropriate, and if the limits
2960 * permit it.
2961 */
2962 if (keep == PNG_HANDLE_CHUNK_ALWAYS ||
2963 (keep == PNG_HANDLE_CHUNK_IF_SAFE &&
2964 PNG_CHUNK_ANCILLARY(png_ptr->chunk_name)))
2965 {
2966 # ifdef PNG_USER_LIMITS_SUPPORTED
2967 switch (png_ptr->user_chunk_cache_max)
2968 {
2969 case 2:
2970 png_ptr->user_chunk_cache_max = 1;
2971 png_chunk_benign_error(png_ptr, "no space in chunk cache");
2972 /* FALL THROUGH */
2973 case 1:
2974 /* NOTE: prior to 1.6.0 this case resulted in an unknown critical
2975 * chunk being skipped, now there will be a hard error below.
2976 */
2977 break;
2978
2979 default: /* not at limit */
2980 --(png_ptr->user_chunk_cache_max);
2981 /* FALL THROUGH */
2982 case 0: /* no limit */
2983 # endif /* USER_LIMITS */
2984 /* Here when the limit isn't reached or when limits are compiled
2985 * out; store the chunk.
2986 */
2987 png_set_unknown_chunks(png_ptr, info_ptr,
2988 &png_ptr->unknown_chunk, 1);
2989 handled = 1;
2990 # ifdef PNG_USER_LIMITS_SUPPORTED
2991 break;
2992 }
2993 # endif
2994 }
2995 # else /* no store support: the chunk must be handled by the user callback */
2996 PNG_UNUSED(info_ptr)
2997 # endif
2998
2999 /* Regardless of the error handling below the cached data (if any) can be
3000 * freed now. Notice that the data is not freed if there is a png_error, but
3001 * it will be freed by destroy_read_struct.
3002 */
3003 if (png_ptr->unknown_chunk.data != NULL)
3004 png_free(png_ptr, png_ptr->unknown_chunk.data);
3005 png_ptr->unknown_chunk.data = NULL;
3006
3007 #else /* !PNG_READ_UNKNOWN_CHUNKS_SUPPORTED */
3008 /* There is no support to read an unknown chunk, so just skip it. */
3009 png_crc_finish(png_ptr, length);
3010 PNG_UNUSED(info_ptr)
3011 PNG_UNUSED(keep)
3012 #endif /* !READ_UNKNOWN_CHUNKS */
3013
3014 /* Check for unhandled critical chunks */
3015 if (handled == 0 && PNG_CHUNK_CRITICAL(png_ptr->chunk_name))
3016 png_chunk_error(png_ptr, "unhandled critical chunk");
2719 } 3017 }
2720 3018
2721 #ifdef PNG_READ_INTERLACING_SUPPORTED 3019 /* This function is called to verify that a chunk name is valid.
2722 /* OLD pre-1.0.9 interface: 3020 * This function can't have the "critical chunk check" incorporated
2723 void png_do_read_interlace(png_row_infop row_info, png_bytep row, int pass, 3021 * into it, since in the future we will need to be able to call user
2724 png_uint_32 transformations) 3022 * functions to handle unknown critical chunks after we check that
3023 * the chunk name itself is valid.
3024 */
3025
3026 /* Bit hacking: the test for an invalid byte in the 4 byte chunk name is:
3027 *
3028 * ((c) < 65 || (c) > 122 || ((c) > 90 && (c) < 97))
3029 */
3030
3031 void /* PRIVATE */
3032 png_check_chunk_name(png_structrp png_ptr, png_uint_32 chunk_name)
3033 {
3034 int i;
3035
3036 png_debug(1, "in png_check_chunk_name");
3037
3038 for (i=1; i<=4; ++i)
3039 {
3040 int c = chunk_name & 0xff;
3041
3042 if (c < 65 || c > 122 || (c > 90 && c < 97))
3043 png_chunk_error(png_ptr, "invalid chunk type");
3044
3045 chunk_name >>= 8;
3046 }
3047 }
3048
3049 /* Combines the row recently read in with the existing pixels in the row. This
3050 * routine takes care of alpha and transparency if requested. This routine also
3051 * handles the two methods of progressive display of interlaced images,
3052 * depending on the 'display' value; if 'display' is true then the whole row
3053 * (dp) is filled from the start by replicating the available pixels. If
3054 * 'display' is false only those pixels present in the pass are filled in.
2725 */ 3055 */
2726 void /* PRIVATE */ 3056 void /* PRIVATE */
2727 png_do_read_interlace(png_structp png_ptr) 3057 png_combine_row(png_const_structrp png_ptr, png_bytep dp, int display)
2728 { 3058 {
2729 png_row_infop row_info = &(png_ptr->row_info); 3059 unsigned int pixel_depth = png_ptr->transformed_pixel_depth;
2730 png_bytep row = png_ptr->row_buf + 1; 3060 png_const_bytep sp = png_ptr->row_buf + 1;
2731 int pass = png_ptr->pass; 3061 png_alloc_size_t row_width = png_ptr->width;
2732 png_uint_32 transformations = png_ptr->transformations; 3062 unsigned int pass = png_ptr->pass;
3063 png_bytep end_ptr = 0;
3064 png_byte end_byte = 0;
3065 unsigned int end_mask;
3066
3067 png_debug(1, "in png_combine_row");
3068
3069 /* Added in 1.5.6: it should not be possible to enter this routine until at
3070 * least one row has been read from the PNG data and transformed.
3071 */
3072 if (pixel_depth == 0)
3073 png_error(png_ptr, "internal row logic error");
3074
3075 /* Added in 1.5.4: the pixel depth should match the information returned by
3076 * any call to png_read_update_info at this point. Do not continue if we got
3077 * this wrong.
3078 */
3079 if (png_ptr->info_rowbytes != 0 && png_ptr->info_rowbytes !=
3080 PNG_ROWBYTES(pixel_depth, row_width))
3081 png_error(png_ptr, "internal row size calculation error");
3082
3083 /* Don't expect this to ever happen: */
3084 if (row_width == 0)
3085 png_error(png_ptr, "internal row width error");
3086
3087 /* Preserve the last byte in cases where only part of it will be overwritten,
3088 * the multiply below may overflow, we don't care because ANSI-C guarantees
3089 * we get the low bits.
3090 */
3091 end_mask = (pixel_depth * row_width) & 7;
3092 if (end_mask != 0)
3093 {
3094 /* end_ptr == NULL is a flag to say do nothing */
3095 end_ptr = dp + PNG_ROWBYTES(pixel_depth, row_width) - 1;
3096 end_byte = *end_ptr;
3097 # ifdef PNG_READ_PACKSWAP_SUPPORTED
3098 if ((png_ptr->transformations & PNG_PACKSWAP) != 0)
3099 /* little-endian byte */
3100 end_mask = 0xff << end_mask;
3101
3102 else /* big-endian byte */
3103 # endif
3104 end_mask = 0xff >> end_mask;
3105 /* end_mask is now the bits to *keep* from the destination row */
3106 }
3107
3108 /* For non-interlaced images this reduces to a memcpy(). A memcpy()
3109 * will also happen if interlacing isn't supported or if the application
3110 * does not call png_set_interlace_handling(). In the latter cases the
3111 * caller just gets a sequence of the unexpanded rows from each interlace
3112 * pass.
3113 */
3114 #ifdef PNG_READ_INTERLACING_SUPPORTED
3115 if (png_ptr->interlaced != 0 &&
3116 (png_ptr->transformations & PNG_INTERLACE) != 0 &&
3117 pass < 6 && (display == 0 ||
3118 /* The following copies everything for 'display' on passes 0, 2 and 4. */
3119 (display == 1 && (pass & 1) != 0)))
3120 {
3121 /* Narrow images may have no bits in a pass; the caller should handle
3122 * this, but this test is cheap:
3123 */
3124 if (row_width <= PNG_PASS_START_COL(pass))
3125 return;
3126
3127 if (pixel_depth < 8)
3128 {
3129 /* For pixel depths up to 4 bpp the 8-pixel mask can be expanded to fit
3130 * into 32 bits, then a single loop over the bytes using the four byte
3131 * values in the 32-bit mask can be used. For the 'display' option the
3132 * expanded mask may also not require any masking within a byte. To
3133 * make this work the PACKSWAP option must be taken into account - it
3134 * simply requires the pixels to be reversed in each byte.
3135 *
3136 * The 'regular' case requires a mask for each of the first 6 passes,
3137 * the 'display' case does a copy for the even passes in the range
3138 * 0..6. This has already been handled in the test above.
3139 *
3140 * The masks are arranged as four bytes with the first byte to use in
3141 * the lowest bits (little-endian) regardless of the order (PACKSWAP or
3142 * not) of the pixels in each byte.
3143 *
3144 * NOTE: the whole of this logic depends on the caller of this function
3145 * only calling it on rows appropriate to the pass. This function only
3146 * understands the 'x' logic; the 'y' logic is handled by the caller.
3147 *
3148 * The following defines allow generation of compile time constant bit
3149 * masks for each pixel depth and each possibility of swapped or not
3150 * swapped bytes. Pass 'p' is in the range 0..6; 'x', a pixel index,
3151 * is in the range 0..7; and the result is 1 if the pixel is to be
3152 * copied in the pass, 0 if not. 'S' is for the sparkle method, 'B'
3153 * for the block method.
3154 *
3155 * With some compilers a compile time expression of the general form:
3156 *
3157 * (shift >= 32) ? (a >> (shift-32)) : (b >> shift)
3158 *
3159 * Produces warnings with values of 'shift' in the range 33 to 63
3160 * because the right hand side of the ?: expression is evaluated by
3161 * the compiler even though it isn't used. Microsoft Visual C (various
3162 * versions) and the Intel C compiler are known to do this. To avoid
3163 * this the following macros are used in 1.5.6. This is a temporary
3164 * solution to avoid destabilizing the code during the release process.
3165 */
3166 # if PNG_USE_COMPILE_TIME_MASKS
3167 # define PNG_LSR(x,s) ((x)>>((s) & 0x1f))
3168 # define PNG_LSL(x,s) ((x)<<((s) & 0x1f))
3169 # else
3170 # define PNG_LSR(x,s) ((x)>>(s))
3171 # define PNG_LSL(x,s) ((x)<<(s))
3172 # endif
3173 # define S_COPY(p,x) (((p)<4 ? PNG_LSR(0x80088822,(3-(p))*8+(7-(x))) :\
3174 PNG_LSR(0xaa55ff00,(7-(p))*8+(7-(x)))) & 1)
3175 # define B_COPY(p,x) (((p)<4 ? PNG_LSR(0xff0fff33,(3-(p))*8+(7-(x))) :\
3176 PNG_LSR(0xff55ff00,(7-(p))*8+(7-(x)))) & 1)
3177
3178 /* Return a mask for pass 'p' pixel 'x' at depth 'd'. The mask is
3179 * little endian - the first pixel is at bit 0 - however the extra
3180 * parameter 's' can be set to cause the mask position to be swapped
3181 * within each byte, to match the PNG format. This is done by XOR of
3182 * the shift with 7, 6 or 4 for bit depths 1, 2 and 4.
3183 */
3184 # define PIXEL_MASK(p,x,d,s) \
3185 (PNG_LSL(((PNG_LSL(1U,(d)))-1),(((x)*(d))^((s)?8-(d):0))))
3186
3187 /* Hence generate the appropriate 'block' or 'sparkle' pixel copy mask.
3188 */
3189 # define S_MASKx(p,x,d,s) (S_COPY(p,x)?PIXEL_MASK(p,x,d,s):0)
3190 # define B_MASKx(p,x,d,s) (B_COPY(p,x)?PIXEL_MASK(p,x,d,s):0)
3191
3192 /* Combine 8 of these to get the full mask. For the 1-bpp and 2-bpp
3193 * cases the result needs replicating, for the 4-bpp case the above
3194 * generates a full 32 bits.
3195 */
3196 # define MASK_EXPAND(m,d) ((m)*((d)==1?0x01010101:((d)==2?0x00010001:1)))
3197
3198 # define S_MASK(p,d,s) MASK_EXPAND(S_MASKx(p,0,d,s) + S_MASKx(p,1,d,s) +\
3199 S_MASKx(p,2,d,s) + S_MASKx(p,3,d,s) + S_MASKx(p,4,d,s) +\
3200 S_MASKx(p,5,d,s) + S_MASKx(p,6,d,s) + S_MASKx(p,7,d,s), d)
3201
3202 # define B_MASK(p,d,s) MASK_EXPAND(B_MASKx(p,0,d,s) + B_MASKx(p,1,d,s) +\
3203 B_MASKx(p,2,d,s) + B_MASKx(p,3,d,s) + B_MASKx(p,4,d,s) +\
3204 B_MASKx(p,5,d,s) + B_MASKx(p,6,d,s) + B_MASKx(p,7,d,s), d)
3205
3206 #if PNG_USE_COMPILE_TIME_MASKS
3207 /* Utility macros to construct all the masks for a depth/swap
3208 * combination. The 's' parameter says whether the format is PNG
3209 * (big endian bytes) or not. Only the three odd-numbered passes are
3210 * required for the display/block algorithm.
3211 */
3212 # define S_MASKS(d,s) { S_MASK(0,d,s), S_MASK(1,d,s), S_MASK(2,d,s),\
3213 S_MASK(3,d,s), S_MASK(4,d,s), S_MASK(5,d,s) }
3214
3215 # define B_MASKS(d,s) { B_MASK(1,d,s), B_MASK(3,d,s), B_MASK(5,d,s) }
3216
3217 # define DEPTH_INDEX(d) ((d)==1?0:((d)==2?1:2))
3218
3219 /* Hence the pre-compiled masks indexed by PACKSWAP (or not), depth and
3220 * then pass:
3221 */
3222 static PNG_CONST png_uint_32 row_mask[2/*PACKSWAP*/][3/*depth*/][6] =
3223 {
3224 /* Little-endian byte masks for PACKSWAP */
3225 { S_MASKS(1,0), S_MASKS(2,0), S_MASKS(4,0) },
3226 /* Normal (big-endian byte) masks - PNG format */
3227 { S_MASKS(1,1), S_MASKS(2,1), S_MASKS(4,1) }
3228 };
3229
3230 /* display_mask has only three entries for the odd passes, so index by
3231 * pass>>1.
3232 */
3233 static PNG_CONST png_uint_32 display_mask[2][3][3] =
3234 {
3235 /* Little-endian byte masks for PACKSWAP */
3236 { B_MASKS(1,0), B_MASKS(2,0), B_MASKS(4,0) },
3237 /* Normal (big-endian byte) masks - PNG format */
3238 { B_MASKS(1,1), B_MASKS(2,1), B_MASKS(4,1) }
3239 };
3240
3241 # define MASK(pass,depth,display,png)\
3242 ((display)?display_mask[png][DEPTH_INDEX(depth)][pass>>1]:\
3243 row_mask[png][DEPTH_INDEX(depth)][pass])
3244
3245 #else /* !PNG_USE_COMPILE_TIME_MASKS */
3246 /* This is the runtime alternative: it seems unlikely that this will
3247 * ever be either smaller or faster than the compile time approach.
3248 */
3249 # define MASK(pass,depth,display,png)\
3250 ((display)?B_MASK(pass,depth,png):S_MASK(pass,depth,png))
3251 #endif /* !USE_COMPILE_TIME_MASKS */
3252
3253 /* Use the appropriate mask to copy the required bits. In some cases
3254 * the byte mask will be 0 or 0xff; optimize these cases. row_width is
3255 * the number of pixels, but the code copies bytes, so it is necessary
3256 * to special case the end.
3257 */
3258 png_uint_32 pixels_per_byte = 8 / pixel_depth;
3259 png_uint_32 mask;
3260
3261 # ifdef PNG_READ_PACKSWAP_SUPPORTED
3262 if ((png_ptr->transformations & PNG_PACKSWAP) != 0)
3263 mask = MASK(pass, pixel_depth, display, 0);
3264
3265 else
3266 # endif
3267 mask = MASK(pass, pixel_depth, display, 1);
3268
3269 for (;;)
3270 {
3271 png_uint_32 m;
3272
3273 /* It doesn't matter in the following if png_uint_32 has more than
3274 * 32 bits because the high bits always match those in m<<24; it is,
3275 * however, essential to use OR here, not +, because of this.
3276 */
3277 m = mask;
3278 mask = (m >> 8) | (m << 24); /* rotate right to good compilers */
3279 m &= 0xff;
3280
3281 if (m != 0) /* something to copy */
3282 {
3283 if (m != 0xff)
3284 *dp = (png_byte)((*dp & ~m) | (*sp & m));
3285 else
3286 *dp = *sp;
3287 }
3288
3289 /* NOTE: this may overwrite the last byte with garbage if the image
3290 * is not an exact number of bytes wide; libpng has always done
3291 * this.
3292 */
3293 if (row_width <= pixels_per_byte)
3294 break; /* May need to restore part of the last byte */
3295
3296 row_width -= pixels_per_byte;
3297 ++dp;
3298 ++sp;
3299 }
3300 }
3301
3302 else /* pixel_depth >= 8 */
3303 {
3304 unsigned int bytes_to_copy, bytes_to_jump;
3305
3306 /* Validate the depth - it must be a multiple of 8 */
3307 if (pixel_depth & 7)
3308 png_error(png_ptr, "invalid user transform pixel depth");
3309
3310 pixel_depth >>= 3; /* now in bytes */
3311 row_width *= pixel_depth;
3312
3313 /* Regardless of pass number the Adam 7 interlace always results in a
3314 * fixed number of pixels to copy then to skip. There may be a
3315 * different number of pixels to skip at the start though.
3316 */
3317 {
3318 unsigned int offset = PNG_PASS_START_COL(pass) * pixel_depth;
3319
3320 row_width -= offset;
3321 dp += offset;
3322 sp += offset;
3323 }
3324
3325 /* Work out the bytes to copy. */
3326 if (display != 0)
3327 {
3328 /* When doing the 'block' algorithm the pixel in the pass gets
3329 * replicated to adjacent pixels. This is why the even (0,2,4,6)
3330 * passes are skipped above - the entire expanded row is copied.
3331 */
3332 bytes_to_copy = (1<<((6-pass)>>1)) * pixel_depth;
3333
3334 /* But don't allow this number to exceed the actual row width. */
3335 if (bytes_to_copy > row_width)
3336 bytes_to_copy = (unsigned int)/*SAFE*/row_width;
3337 }
3338
3339 else /* normal row; Adam7 only ever gives us one pixel to copy. */
3340 bytes_to_copy = pixel_depth;
3341
3342 /* In Adam7 there is a constant offset between where the pixels go. */
3343 bytes_to_jump = PNG_PASS_COL_OFFSET(pass) * pixel_depth;
3344
3345 /* And simply copy these bytes. Some optimization is possible here,
3346 * depending on the value of 'bytes_to_copy'. Special case the low
3347 * byte counts, which we know to be frequent.
3348 *
3349 * Notice that these cases all 'return' rather than 'break' - this
3350 * avoids an unnecessary test on whether to restore the last byte
3351 * below.
3352 */
3353 switch (bytes_to_copy)
3354 {
3355 case 1:
3356 for (;;)
3357 {
3358 *dp = *sp;
3359
3360 if (row_width <= bytes_to_jump)
3361 return;
3362
3363 dp += bytes_to_jump;
3364 sp += bytes_to_jump;
3365 row_width -= bytes_to_jump;
3366 }
3367
3368 case 2:
3369 /* There is a possibility of a partial copy at the end here; this
3370 * slows the code down somewhat.
3371 */
3372 do
3373 {
3374 dp[0] = sp[0], dp[1] = sp[1];
3375
3376 if (row_width <= bytes_to_jump)
3377 return;
3378
3379 sp += bytes_to_jump;
3380 dp += bytes_to_jump;
3381 row_width -= bytes_to_jump;
3382 }
3383 while (row_width > 1);
3384
3385 /* And there can only be one byte left at this point: */
3386 *dp = *sp;
3387 return;
3388
3389 case 3:
3390 /* This can only be the RGB case, so each copy is exactly one
3391 * pixel and it is not necessary to check for a partial copy.
3392 */
3393 for (;;)
3394 {
3395 dp[0] = sp[0], dp[1] = sp[1], dp[2] = sp[2];
3396
3397 if (row_width <= bytes_to_jump)
3398 return;
3399
3400 sp += bytes_to_jump;
3401 dp += bytes_to_jump;
3402 row_width -= bytes_to_jump;
3403 }
3404
3405 default:
3406 #if PNG_ALIGN_TYPE != PNG_ALIGN_NONE
3407 /* Check for double byte alignment and, if possible, use a
3408 * 16-bit copy. Don't attempt this for narrow images - ones that
3409 * are less than an interlace panel wide. Don't attempt it for
3410 * wide bytes_to_copy either - use the memcpy there.
3411 */
3412 if (bytes_to_copy < 16 /*else use memcpy*/ &&
3413 png_isaligned(dp, png_uint_16) &&
3414 png_isaligned(sp, png_uint_16) &&
3415 bytes_to_copy % (sizeof (png_uint_16)) == 0 &&
3416 bytes_to_jump % (sizeof (png_uint_16)) == 0)
3417 {
3418 /* Everything is aligned for png_uint_16 copies, but try for
3419 * png_uint_32 first.
3420 */
3421 if (png_isaligned(dp, png_uint_32) != 0 &&
3422 png_isaligned(sp, png_uint_32) != 0 &&
3423 bytes_to_copy % (sizeof (png_uint_32)) == 0 &&
3424 bytes_to_jump % (sizeof (png_uint_32)) == 0)
3425 {
3426 png_uint_32p dp32 = png_aligncast(png_uint_32p,dp);
3427 png_const_uint_32p sp32 = png_aligncastconst(
3428 png_const_uint_32p, sp);
3429 size_t skip = (bytes_to_jump-bytes_to_copy) /
3430 (sizeof (png_uint_32));
3431
3432 do
3433 {
3434 size_t c = bytes_to_copy;
3435 do
3436 {
3437 *dp32++ = *sp32++;
3438 c -= (sizeof (png_uint_32));
3439 }
3440 while (c > 0);
3441
3442 if (row_width <= bytes_to_jump)
3443 return;
3444
3445 dp32 += skip;
3446 sp32 += skip;
3447 row_width -= bytes_to_jump;
3448 }
3449 while (bytes_to_copy <= row_width);
3450
3451 /* Get to here when the row_width truncates the final copy.
3452 * There will be 1-3 bytes left to copy, so don't try the
3453 * 16-bit loop below.
3454 */
3455 dp = (png_bytep)dp32;
3456 sp = (png_const_bytep)sp32;
3457 do
3458 *dp++ = *sp++;
3459 while (--row_width > 0);
3460 return;
3461 }
3462
3463 /* Else do it in 16-bit quantities, but only if the size is
3464 * not too large.
3465 */
3466 else
3467 {
3468 png_uint_16p dp16 = png_aligncast(png_uint_16p, dp);
3469 png_const_uint_16p sp16 = png_aligncastconst(
3470 png_const_uint_16p, sp);
3471 size_t skip = (bytes_to_jump-bytes_to_copy) /
3472 (sizeof (png_uint_16));
3473
3474 do
3475 {
3476 size_t c = bytes_to_copy;
3477 do
3478 {
3479 *dp16++ = *sp16++;
3480 c -= (sizeof (png_uint_16));
3481 }
3482 while (c > 0);
3483
3484 if (row_width <= bytes_to_jump)
3485 return;
3486
3487 dp16 += skip;
3488 sp16 += skip;
3489 row_width -= bytes_to_jump;
3490 }
3491 while (bytes_to_copy <= row_width);
3492
3493 /* End of row - 1 byte left, bytes_to_copy > row_width: */
3494 dp = (png_bytep)dp16;
3495 sp = (png_const_bytep)sp16;
3496 do
3497 *dp++ = *sp++;
3498 while (--row_width > 0);
3499 return;
3500 }
3501 }
3502 #endif /* ALIGN_TYPE code */
3503
3504 /* The true default - use a memcpy: */
3505 for (;;)
3506 {
3507 memcpy(dp, sp, bytes_to_copy);
3508
3509 if (row_width <= bytes_to_jump)
3510 return;
3511
3512 sp += bytes_to_jump;
3513 dp += bytes_to_jump;
3514 row_width -= bytes_to_jump;
3515 if (bytes_to_copy > row_width)
3516 bytes_to_copy = (unsigned int)/*SAFE*/row_width;
3517 }
3518 }
3519
3520 /* NOT REACHED*/
3521 } /* pixel_depth >= 8 */
3522
3523 /* Here if pixel_depth < 8 to check 'end_ptr' below. */
3524 }
3525 else
3526 #endif /* READ_INTERLACING */
3527
3528 /* If here then the switch above wasn't used so just memcpy the whole row
3529 * from the temporary row buffer (notice that this overwrites the end of the
3530 * destination row if it is a partial byte.)
3531 */
3532 memcpy(dp, sp, PNG_ROWBYTES(pixel_depth, row_width));
3533
3534 /* Restore the overwritten bits from the last byte if necessary. */
3535 if (end_ptr != NULL)
3536 *end_ptr = (png_byte)((end_byte & end_mask) | (*end_ptr & ~end_mask));
3537 }
3538
3539 #ifdef PNG_READ_INTERLACING_SUPPORTED
3540 void /* PRIVATE */
3541 png_do_read_interlace(png_row_infop row_info, png_bytep row, int pass,
3542 png_uint_32 transformations /* Because these may affect the byte layout */)
3543 {
2733 /* Arrays to facilitate easy interlacing - use pass (0 - 6) as index */ 3544 /* Arrays to facilitate easy interlacing - use pass (0 - 6) as index */
2734 /* Offset to next interlace block */ 3545 /* Offset to next interlace block */
2735 #ifndef PNG_USE_GLOBAL_ARRAYS 3546 static PNG_CONST int png_pass_inc[7] = {8, 8, 4, 4, 2, 2, 1};
2736 PNG_CONST int png_pass_inc[7] = {8, 8, 4, 4, 2, 2, 1};
2737 #endif
2738 3547
2739 png_debug(1, "in png_do_read_interlace"); 3548 png_debug(1, "in png_do_read_interlace");
2740 if (row != NULL && row_info != NULL) 3549 if (row != NULL && row_info != NULL)
2741 { 3550 {
2742 png_uint_32 final_width; 3551 png_uint_32 final_width;
2743 3552
2744 final_width = row_info->width * png_pass_inc[pass]; 3553 final_width = row_info->width * png_pass_inc[pass];
2745 3554
2746 switch (row_info->pixel_depth) 3555 switch (row_info->pixel_depth)
2747 { 3556 {
2748 case 1: 3557 case 1:
2749 { 3558 {
2750 png_bytep sp = row + (png_size_t)((row_info->width - 1) >> 3); 3559 png_bytep sp = row + (png_size_t)((row_info->width - 1) >> 3);
2751 png_bytep dp = row + (png_size_t)((final_width - 1) >> 3); 3560 png_bytep dp = row + (png_size_t)((final_width - 1) >> 3);
2752 int sshift, dshift; 3561 int sshift, dshift;
2753 int s_start, s_end, s_inc; 3562 int s_start, s_end, s_inc;
2754 int jstop = png_pass_inc[pass]; 3563 int jstop = png_pass_inc[pass];
2755 png_byte v; 3564 png_byte v;
2756 png_uint_32 i; 3565 png_uint_32 i;
2757 int j; 3566 int j;
2758 3567
2759 #ifdef PNG_READ_PACKSWAP_SUPPORTED 3568 #ifdef PNG_READ_PACKSWAP_SUPPORTED
2760 if (transformations & PNG_PACKSWAP) 3569 if ((transformations & PNG_PACKSWAP) != 0)
2761 { 3570 {
2762 sshift = (int)((row_info->width + 7) & 0x07); 3571 sshift = (int)((row_info->width + 7) & 0x07);
2763 dshift = (int)((final_width + 7) & 0x07); 3572 dshift = (int)((final_width + 7) & 0x07);
2764 s_start = 7; 3573 s_start = 7;
2765 s_end = 0; 3574 s_end = 0;
2766 s_inc = -1; 3575 s_inc = -1;
2767 } 3576 }
3577
2768 else 3578 else
2769 #endif 3579 #endif
2770 { 3580 {
2771 sshift = 7 - (int)((row_info->width + 7) & 0x07); 3581 sshift = 7 - (int)((row_info->width + 7) & 0x07);
2772 dshift = 7 - (int)((final_width + 7) & 0x07); 3582 dshift = 7 - (int)((final_width + 7) & 0x07);
2773 s_start = 0; 3583 s_start = 0;
2774 s_end = 7; 3584 s_end = 7;
2775 s_inc = 1; 3585 s_inc = 1;
2776 } 3586 }
2777 3587
2778 for (i = 0; i < row_info->width; i++) 3588 for (i = 0; i < row_info->width; i++)
2779 { 3589 {
2780 v = (png_byte)((*sp >> sshift) & 0x01); 3590 v = (png_byte)((*sp >> sshift) & 0x01);
2781 for (j = 0; j < jstop; j++) 3591 for (j = 0; j < jstop; j++)
2782 { 3592 {
2783 *dp &= (png_byte)((0x7f7f >> (7 - dshift)) & 0xff); 3593 unsigned int tmp = *dp & (0x7f7f >> (7 - dshift));
2784 *dp |= (png_byte)(v << dshift); 3594 tmp |= v << dshift;
3595 *dp = (png_byte)(tmp & 0xff);
3596
2785 if (dshift == s_end) 3597 if (dshift == s_end)
2786 { 3598 {
2787 dshift = s_start; 3599 dshift = s_start;
2788 dp--; 3600 dp--;
2789 } 3601 }
3602
2790 else 3603 else
2791 dshift += s_inc; 3604 dshift += s_inc;
2792 } 3605 }
3606
2793 if (sshift == s_end) 3607 if (sshift == s_end)
2794 { 3608 {
2795 sshift = s_start; 3609 sshift = s_start;
2796 sp--; 3610 sp--;
2797 } 3611 }
3612
2798 else 3613 else
2799 sshift += s_inc; 3614 sshift += s_inc;
2800 } 3615 }
2801 break; 3616 break;
2802 } 3617 }
3618
2803 case 2: 3619 case 2:
2804 { 3620 {
2805 png_bytep sp = row + (png_uint_32)((row_info->width - 1) >> 2); 3621 png_bytep sp = row + (png_uint_32)((row_info->width - 1) >> 2);
2806 png_bytep dp = row + (png_uint_32)((final_width - 1) >> 2); 3622 png_bytep dp = row + (png_uint_32)((final_width - 1) >> 2);
2807 int sshift, dshift; 3623 int sshift, dshift;
2808 int s_start, s_end, s_inc; 3624 int s_start, s_end, s_inc;
2809 int jstop = png_pass_inc[pass]; 3625 int jstop = png_pass_inc[pass];
2810 png_uint_32 i; 3626 png_uint_32 i;
2811 3627
2812 #ifdef PNG_READ_PACKSWAP_SUPPORTED 3628 #ifdef PNG_READ_PACKSWAP_SUPPORTED
2813 if (transformations & PNG_PACKSWAP) 3629 if ((transformations & PNG_PACKSWAP) != 0)
2814 { 3630 {
2815 sshift = (int)(((row_info->width + 3) & 0x03) << 1); 3631 sshift = (int)(((row_info->width + 3) & 0x03) << 1);
2816 dshift = (int)(((final_width + 3) & 0x03) << 1); 3632 dshift = (int)(((final_width + 3) & 0x03) << 1);
2817 s_start = 6; 3633 s_start = 6;
2818 s_end = 0; 3634 s_end = 0;
2819 s_inc = -2; 3635 s_inc = -2;
2820 } 3636 }
3637
2821 else 3638 else
2822 #endif 3639 #endif
2823 { 3640 {
2824 sshift = (int)((3 - ((row_info->width + 3) & 0x03)) << 1); 3641 sshift = (int)((3 - ((row_info->width + 3) & 0x03)) << 1);
2825 dshift = (int)((3 - ((final_width + 3) & 0x03)) << 1); 3642 dshift = (int)((3 - ((final_width + 3) & 0x03)) << 1);
2826 s_start = 0; 3643 s_start = 0;
2827 s_end = 6; 3644 s_end = 6;
2828 s_inc = 2; 3645 s_inc = 2;
2829 } 3646 }
2830 3647
2831 for (i = 0; i < row_info->width; i++) 3648 for (i = 0; i < row_info->width; i++)
2832 { 3649 {
2833 png_byte v; 3650 png_byte v;
2834 int j; 3651 int j;
2835 3652
2836 v = (png_byte)((*sp >> sshift) & 0x03); 3653 v = (png_byte)((*sp >> sshift) & 0x03);
2837 for (j = 0; j < jstop; j++) 3654 for (j = 0; j < jstop; j++)
2838 { 3655 {
2839 *dp &= (png_byte)((0x3f3f >> (6 - dshift)) & 0xff); 3656 unsigned int tmp = *dp & (0x3f3f >> (6 - dshift));
2840 *dp |= (png_byte)(v << dshift); 3657 tmp |= v << dshift;
3658 *dp = (png_byte)(tmp & 0xff);
3659
2841 if (dshift == s_end) 3660 if (dshift == s_end)
2842 { 3661 {
2843 dshift = s_start; 3662 dshift = s_start;
2844 dp--; 3663 dp--;
2845 } 3664 }
3665
2846 else 3666 else
2847 dshift += s_inc; 3667 dshift += s_inc;
2848 } 3668 }
3669
2849 if (sshift == s_end) 3670 if (sshift == s_end)
2850 { 3671 {
2851 sshift = s_start; 3672 sshift = s_start;
2852 sp--; 3673 sp--;
2853 } 3674 }
3675
2854 else 3676 else
2855 sshift += s_inc; 3677 sshift += s_inc;
2856 } 3678 }
2857 break; 3679 break;
2858 } 3680 }
3681
2859 case 4: 3682 case 4:
2860 { 3683 {
2861 png_bytep sp = row + (png_size_t)((row_info->width - 1) >> 1); 3684 png_bytep sp = row + (png_size_t)((row_info->width - 1) >> 1);
2862 png_bytep dp = row + (png_size_t)((final_width - 1) >> 1); 3685 png_bytep dp = row + (png_size_t)((final_width - 1) >> 1);
2863 int sshift, dshift; 3686 int sshift, dshift;
2864 int s_start, s_end, s_inc; 3687 int s_start, s_end, s_inc;
2865 png_uint_32 i; 3688 png_uint_32 i;
2866 int jstop = png_pass_inc[pass]; 3689 int jstop = png_pass_inc[pass];
2867 3690
2868 #ifdef PNG_READ_PACKSWAP_SUPPORTED 3691 #ifdef PNG_READ_PACKSWAP_SUPPORTED
2869 if (transformations & PNG_PACKSWAP) 3692 if ((transformations & PNG_PACKSWAP) != 0)
2870 { 3693 {
2871 sshift = (int)(((row_info->width + 1) & 0x01) << 2); 3694 sshift = (int)(((row_info->width + 1) & 0x01) << 2);
2872 dshift = (int)(((final_width + 1) & 0x01) << 2); 3695 dshift = (int)(((final_width + 1) & 0x01) << 2);
2873 s_start = 4; 3696 s_start = 4;
2874 s_end = 0; 3697 s_end = 0;
2875 s_inc = -4; 3698 s_inc = -4;
2876 } 3699 }
3700
2877 else 3701 else
2878 #endif 3702 #endif
2879 { 3703 {
2880 sshift = (int)((1 - ((row_info->width + 1) & 0x01)) << 2); 3704 sshift = (int)((1 - ((row_info->width + 1) & 0x01)) << 2);
2881 dshift = (int)((1 - ((final_width + 1) & 0x01)) << 2); 3705 dshift = (int)((1 - ((final_width + 1) & 0x01)) << 2);
2882 s_start = 0; 3706 s_start = 0;
2883 s_end = 4; 3707 s_end = 4;
2884 s_inc = 4; 3708 s_inc = 4;
2885 } 3709 }
2886 3710
2887 for (i = 0; i < row_info->width; i++) 3711 for (i = 0; i < row_info->width; i++)
2888 { 3712 {
2889 png_byte v = (png_byte)((*sp >> sshift) & 0xf); 3713 png_byte v = (png_byte)((*sp >> sshift) & 0x0f);
2890 int j; 3714 int j;
2891 3715
2892 for (j = 0; j < jstop; j++) 3716 for (j = 0; j < jstop; j++)
2893 { 3717 {
2894 *dp &= (png_byte)((0xf0f >> (4 - dshift)) & 0xff); 3718 unsigned int tmp = *dp & (0xf0f >> (4 - dshift));
2895 *dp |= (png_byte)(v << dshift); 3719 tmp |= v << dshift;
3720 *dp = (png_byte)(tmp & 0xff);
3721
2896 if (dshift == s_end) 3722 if (dshift == s_end)
2897 { 3723 {
2898 dshift = s_start; 3724 dshift = s_start;
2899 dp--; 3725 dp--;
2900 } 3726 }
3727
2901 else 3728 else
2902 dshift += s_inc; 3729 dshift += s_inc;
2903 } 3730 }
3731
2904 if (sshift == s_end) 3732 if (sshift == s_end)
2905 { 3733 {
2906 sshift = s_start; 3734 sshift = s_start;
2907 sp--; 3735 sp--;
2908 } 3736 }
3737
2909 else 3738 else
2910 sshift += s_inc; 3739 sshift += s_inc;
2911 } 3740 }
2912 break; 3741 break;
2913 } 3742 }
3743
2914 default: 3744 default:
2915 { 3745 {
2916 png_size_t pixel_bytes = (row_info->pixel_depth >> 3); 3746 png_size_t pixel_bytes = (row_info->pixel_depth >> 3);
3747
2917 png_bytep sp = row + (png_size_t)(row_info->width - 1) 3748 png_bytep sp = row + (png_size_t)(row_info->width - 1)
2918 * pixel_bytes; 3749 * pixel_bytes;
3750
2919 png_bytep dp = row + (png_size_t)(final_width - 1) * pixel_bytes; 3751 png_bytep dp = row + (png_size_t)(final_width - 1) * pixel_bytes;
2920 3752
2921 int jstop = png_pass_inc[pass]; 3753 int jstop = png_pass_inc[pass];
2922 png_uint_32 i; 3754 png_uint_32 i;
2923 3755
2924 for (i = 0; i < row_info->width; i++) 3756 for (i = 0; i < row_info->width; i++)
2925 { 3757 {
2926 png_byte v[8]; 3758 png_byte v[8]; /* SAFE; pixel_depth does not exceed 64 */
2927 int j; 3759 int j;
2928 3760
2929 png_memcpy(v, sp, pixel_bytes); 3761 memcpy(v, sp, pixel_bytes);
3762
2930 for (j = 0; j < jstop; j++) 3763 for (j = 0; j < jstop; j++)
2931 { 3764 {
2932 png_memcpy(dp, v, pixel_bytes); 3765 memcpy(dp, v, pixel_bytes);
2933 dp -= pixel_bytes; 3766 dp -= pixel_bytes;
2934 } 3767 }
3768
2935 sp -= pixel_bytes; 3769 sp -= pixel_bytes;
2936 } 3770 }
2937 break; 3771 break;
2938 } 3772 }
2939 } 3773 }
3774
2940 row_info->width = final_width; 3775 row_info->width = final_width;
2941 row_info->rowbytes = PNG_ROWBYTES(row_info->pixel_depth, final_width); 3776 row_info->rowbytes = PNG_ROWBYTES(row_info->pixel_depth, final_width);
2942 } 3777 }
2943 #ifndef PNG_READ_PACKSWAP_SUPPORTED 3778 #ifndef PNG_READ_PACKSWAP_SUPPORTED
2944 PNG_UNUSED(transformations) /* Silence compiler warning */ 3779 PNG_UNUSED(transformations) /* Silence compiler warning */
2945 #endif 3780 #endif
2946 } 3781 }
2947 #endif /* PNG_READ_INTERLACING_SUPPORTED */ 3782 #endif /* READ_INTERLACING */
3783
3784 static void
3785 png_read_filter_row_sub(png_row_infop row_info, png_bytep row,
3786 png_const_bytep prev_row)
3787 {
3788 png_size_t i;
3789 png_size_t istop = row_info->rowbytes;
3790 unsigned int bpp = (row_info->pixel_depth + 7) >> 3;
3791 png_bytep rp = row + bpp;
3792
3793 PNG_UNUSED(prev_row)
3794
3795 for (i = bpp; i < istop; i++)
3796 {
3797 *rp = (png_byte)(((int)(*rp) + (int)(*(rp-bpp))) & 0xff);
3798 rp++;
3799 }
3800 }
3801
3802 static void
3803 png_read_filter_row_up(png_row_infop row_info, png_bytep row,
3804 png_const_bytep prev_row)
3805 {
3806 png_size_t i;
3807 png_size_t istop = row_info->rowbytes;
3808 png_bytep rp = row;
3809 png_const_bytep pp = prev_row;
3810
3811 for (i = 0; i < istop; i++)
3812 {
3813 *rp = (png_byte)(((int)(*rp) + (int)(*pp++)) & 0xff);
3814 rp++;
3815 }
3816 }
3817
3818 static void
3819 png_read_filter_row_avg(png_row_infop row_info, png_bytep row,
3820 png_const_bytep prev_row)
3821 {
3822 png_size_t i;
3823 png_bytep rp = row;
3824 png_const_bytep pp = prev_row;
3825 unsigned int bpp = (row_info->pixel_depth + 7) >> 3;
3826 png_size_t istop = row_info->rowbytes - bpp;
3827
3828 for (i = 0; i < bpp; i++)
3829 {
3830 *rp = (png_byte)(((int)(*rp) +
3831 ((int)(*pp++) / 2 )) & 0xff);
3832
3833 rp++;
3834 }
3835
3836 for (i = 0; i < istop; i++)
3837 {
3838 *rp = (png_byte)(((int)(*rp) +
3839 (int)(*pp++ + *(rp-bpp)) / 2 ) & 0xff);
3840
3841 rp++;
3842 }
3843 }
3844
3845 static void
3846 png_read_filter_row_paeth_1byte_pixel(png_row_infop row_info, png_bytep row,
3847 png_const_bytep prev_row)
3848 {
3849 png_bytep rp_end = row + row_info->rowbytes;
3850 int a, c;
3851
3852 /* First pixel/byte */
3853 c = *prev_row++;
3854 a = *row + c;
3855 *row++ = (png_byte)a;
3856
3857 /* Remainder */
3858 while (row < rp_end)
3859 {
3860 int b, pa, pb, pc, p;
3861
3862 a &= 0xff; /* From previous iteration or start */
3863 b = *prev_row++;
3864
3865 p = b - c;
3866 pc = a - c;
3867
3868 #ifdef PNG_USE_ABS
3869 pa = abs(p);
3870 pb = abs(pc);
3871 pc = abs(p + pc);
3872 #else
3873 pa = p < 0 ? -p : p;
3874 pb = pc < 0 ? -pc : pc;
3875 pc = (p + pc) < 0 ? -(p + pc) : p + pc;
3876 #endif
3877
3878 /* Find the best predictor, the least of pa, pb, pc favoring the earlier
3879 * ones in the case of a tie.
3880 */
3881 if (pb < pa) pa = pb, a = b;
3882 if (pc < pa) a = c;
3883
3884 /* Calculate the current pixel in a, and move the previous row pixel to c
3885 * for the next time round the loop
3886 */
3887 c = b;
3888 a += *row;
3889 *row++ = (png_byte)a;
3890 }
3891 }
3892
3893 static void
3894 png_read_filter_row_paeth_multibyte_pixel(png_row_infop row_info, png_bytep row,
3895 png_const_bytep prev_row)
3896 {
3897 int bpp = (row_info->pixel_depth + 7) >> 3;
3898 png_bytep rp_end = row + bpp;
3899
3900 /* Process the first pixel in the row completely (this is the same as 'up'
3901 * because there is only one candidate predictor for the first row).
3902 */
3903 while (row < rp_end)
3904 {
3905 int a = *row + *prev_row++;
3906 *row++ = (png_byte)a;
3907 }
3908
3909 /* Remainder */
3910 rp_end += row_info->rowbytes - bpp;
3911
3912 while (row < rp_end)
3913 {
3914 int a, b, c, pa, pb, pc, p;
3915
3916 c = *(prev_row - bpp);
3917 a = *(row - bpp);
3918 b = *prev_row++;
3919
3920 p = b - c;
3921 pc = a - c;
3922
3923 #ifdef PNG_USE_ABS
3924 pa = abs(p);
3925 pb = abs(pc);
3926 pc = abs(p + pc);
3927 #else
3928 pa = p < 0 ? -p : p;
3929 pb = pc < 0 ? -pc : pc;
3930 pc = (p + pc) < 0 ? -(p + pc) : p + pc;
3931 #endif
3932
3933 if (pb < pa) pa = pb, a = b;
3934 if (pc < pa) a = c;
3935
3936 a += *row;
3937 *row++ = (png_byte)a;
3938 }
3939 }
3940
3941 static void
3942 png_init_filter_functions(png_structrp pp)
3943 /* This function is called once for every PNG image (except for PNG images
3944 * that only use PNG_FILTER_VALUE_NONE for all rows) to set the
3945 * implementations required to reverse the filtering of PNG rows. Reversing
3946 * the filter is the first transformation performed on the row data. It is
3947 * performed in place, therefore an implementation can be selected based on
3948 * the image pixel format. If the implementation depends on image width then
3949 * take care to ensure that it works correctly if the image is interlaced -
3950 * interlacing causes the actual row width to vary.
3951 */
3952 {
3953 unsigned int bpp = (pp->pixel_depth + 7) >> 3;
3954
3955 pp->read_filter[PNG_FILTER_VALUE_SUB-1] = png_read_filter_row_sub;
3956 pp->read_filter[PNG_FILTER_VALUE_UP-1] = png_read_filter_row_up;
3957 pp->read_filter[PNG_FILTER_VALUE_AVG-1] = png_read_filter_row_avg;
3958 if (bpp == 1)
3959 pp->read_filter[PNG_FILTER_VALUE_PAETH-1] =
3960 png_read_filter_row_paeth_1byte_pixel;
3961 else
3962 pp->read_filter[PNG_FILTER_VALUE_PAETH-1] =
3963 png_read_filter_row_paeth_multibyte_pixel;
3964
3965 #ifdef PNG_FILTER_OPTIMIZATIONS
3966 /* To use this define PNG_FILTER_OPTIMIZATIONS as the name of a function to
3967 * call to install hardware optimizations for the above functions; simply
3968 * replace whatever elements of the pp->read_filter[] array with a hardware
3969 * specific (or, for that matter, generic) optimization.
3970 *
3971 * To see an example of this examine what configure.ac does when
3972 * --enable-arm-neon is specified on the command line.
3973 */
3974 PNG_FILTER_OPTIMIZATIONS(pp, bpp);
3975 #endif
3976 }
2948 3977
2949 void /* PRIVATE */ 3978 void /* PRIVATE */
2950 png_read_filter_row(png_structp png_ptr, png_row_infop row_info, png_bytep row, 3979 png_read_filter_row(png_structrp pp, png_row_infop row_info, png_bytep row,
2951 png_bytep prev_row, int filter) 3980 png_const_bytep prev_row, int filter)
2952 { 3981 {
2953 png_debug(1, "in png_read_filter_row"); 3982 /* OPTIMIZATION: DO NOT MODIFY THIS FUNCTION, instead #define
2954 png_debug2(2, "row = %lu, filter = %d", png_ptr->row_number, filter); 3983 * PNG_FILTER_OPTIMIZATIONS to a function that overrides the generic
2955 switch (filter) 3984 * implementations. See png_init_filter_functions above.
2956 { 3985 */
2957 case PNG_FILTER_VALUE_NONE: 3986 if (filter > PNG_FILTER_VALUE_NONE && filter < PNG_FILTER_VALUE_LAST)
2958 break; 3987 {
2959 case PNG_FILTER_VALUE_SUB: 3988 if (pp->read_filter[0] == NULL)
2960 { 3989 png_init_filter_functions(pp);
2961 png_uint_32 i; 3990
2962 png_uint_32 istop = row_info->rowbytes; 3991 pp->read_filter[filter-1](row_info, row, prev_row);
2963 png_uint_32 bpp = (row_info->pixel_depth + 7) >> 3;
2964 png_bytep rp = row + bpp;
2965 png_bytep lp = row;
2966
2967 for (i = bpp; i < istop; i++)
2968 {
2969 *rp = (png_byte)(((int)(*rp) + (int)(*lp++)) & 0xff);
2970 rp++;
2971 }
2972 break;
2973 }
2974 case PNG_FILTER_VALUE_UP:
2975 {
2976 png_uint_32 i;
2977 png_uint_32 istop = row_info->rowbytes;
2978 png_bytep rp = row;
2979 png_bytep pp = prev_row;
2980
2981 for (i = 0; i < istop; i++)
2982 {
2983 *rp = (png_byte)(((int)(*rp) + (int)(*pp++)) & 0xff);
2984 rp++;
2985 }
2986 break;
2987 }
2988 case PNG_FILTER_VALUE_AVG:
2989 {
2990 png_uint_32 i;
2991 png_bytep rp = row;
2992 png_bytep pp = prev_row;
2993 png_bytep lp = row;
2994 png_uint_32 bpp = (row_info->pixel_depth + 7) >> 3;
2995 png_uint_32 istop = row_info->rowbytes - bpp;
2996
2997 for (i = 0; i < bpp; i++)
2998 {
2999 *rp = (png_byte)(((int)(*rp) +
3000 ((int)(*pp++) / 2 )) & 0xff);
3001 rp++;
3002 }
3003
3004 for (i = 0; i < istop; i++)
3005 {
3006 *rp = (png_byte)(((int)(*rp) +
3007 (int)(*pp++ + *lp++) / 2 ) & 0xff);
3008 rp++;
3009 }
3010 break;
3011 }
3012 case PNG_FILTER_VALUE_PAETH:
3013 {
3014 png_uint_32 i;
3015 png_bytep rp = row;
3016 png_bytep pp = prev_row;
3017 png_bytep lp = row;
3018 png_bytep cp = prev_row;
3019 png_uint_32 bpp = (row_info->pixel_depth + 7) >> 3;
3020 png_uint_32 istop=row_info->rowbytes - bpp;
3021
3022 for (i = 0; i < bpp; i++)
3023 {
3024 *rp = (png_byte)(((int)(*rp) + (int)(*pp++)) & 0xff);
3025 rp++;
3026 }
3027
3028 for (i = 0; i < istop; i++) /* Use leftover rp,pp */
3029 {
3030 int a, b, c, pa, pb, pc, p;
3031
3032 a = *lp++;
3033 b = *pp++;
3034 c = *cp++;
3035
3036 p = b - c;
3037 pc = a - c;
3038
3039 #ifdef PNG_USE_ABS
3040 pa = abs(p);
3041 pb = abs(pc);
3042 pc = abs(p + pc);
3043 #else
3044 pa = p < 0 ? -p : p;
3045 pb = pc < 0 ? -pc : pc;
3046 pc = (p + pc) < 0 ? -(p + pc) : p + pc;
3047 #endif
3048
3049 /*
3050 if (pa <= pb && pa <= pc)
3051 p = a;
3052 else if (pb <= pc)
3053 p = b;
3054 else
3055 p = c;
3056 */
3057
3058 p = (pa <= pb && pa <= pc) ? a : (pb <= pc) ? b : c;
3059
3060 *rp = (png_byte)(((int)(*rp) + p) & 0xff);
3061 rp++;
3062 }
3063 break;
3064 }
3065 default:
3066 png_warning(png_ptr, "Ignoring bad adaptive filter type");
3067 *row = 0;
3068 break;
3069 } 3992 }
3070 } 3993 }
3071 3994
3072 #ifdef PNG_SEQUENTIAL_READ_SUPPORTED 3995 #ifdef PNG_SEQUENTIAL_READ_SUPPORTED
3073 void /* PRIVATE */ 3996 void /* PRIVATE */
3074 png_read_finish_row(png_structp png_ptr) 3997 png_read_IDAT_data(png_structrp png_ptr, png_bytep output,
3075 { 3998 png_alloc_size_t avail_out)
3076 #ifdef PNG_READ_INTERLACING_SUPPORTED 3999 {
3077 #ifndef PNG_USE_GLOBAL_ARRAYS 4000 /* Loop reading IDATs and decompressing the result into output[avail_out] */
4001 png_ptr->zstream.next_out = output;
4002 png_ptr->zstream.avail_out = 0; /* safety: set below */
4003
4004 if (output == NULL)
4005 avail_out = 0;
4006
4007 do
4008 {
4009 int ret;
4010 png_byte tmpbuf[PNG_INFLATE_BUF_SIZE];
4011
4012 if (png_ptr->zstream.avail_in == 0)
4013 {
4014 uInt avail_in;
4015 png_bytep buffer;
4016
4017 while (png_ptr->idat_size == 0)
4018 {
4019 png_crc_finish(png_ptr, 0);
4020
4021 png_ptr->idat_size = png_read_chunk_header(png_ptr);
4022 /* This is an error even in the 'check' case because the code just
4023 * consumed a non-IDAT header.
4024 */
4025 if (png_ptr->chunk_name != png_IDAT)
4026 png_error(png_ptr, "Not enough image data");
4027 }
4028
4029 avail_in = png_ptr->IDAT_read_size;
4030
4031 if (avail_in > png_ptr->idat_size)
4032 avail_in = (uInt)png_ptr->idat_size;
4033
4034 /* A PNG with a gradually increasing IDAT size will defeat this attempt
4035 * to minimize memory usage by causing lots of re-allocs, but
4036 * realistically doing IDAT_read_size re-allocs is not likely to be a
4037 * big problem.
4038 */
4039 buffer = png_read_buffer(png_ptr, avail_in, 0/*error*/);
4040
4041 png_crc_read(png_ptr, buffer, avail_in);
4042 png_ptr->idat_size -= avail_in;
4043
4044 png_ptr->zstream.next_in = buffer;
4045 png_ptr->zstream.avail_in = avail_in;
4046 }
4047
4048 /* And set up the output side. */
4049 if (output != NULL) /* standard read */
4050 {
4051 uInt out = ZLIB_IO_MAX;
4052
4053 if (out > avail_out)
4054 out = (uInt)avail_out;
4055
4056 avail_out -= out;
4057 png_ptr->zstream.avail_out = out;
4058 }
4059
4060 else /* after last row, checking for end */
4061 {
4062 png_ptr->zstream.next_out = tmpbuf;
4063 png_ptr->zstream.avail_out = (sizeof tmpbuf);
4064 }
4065
4066 /* Use NO_FLUSH; this gives zlib the maximum opportunity to optimize the
4067 * process. If the LZ stream is truncated the sequential reader will
4068 * terminally damage the stream, above, by reading the chunk header of the
4069 * following chunk (it then exits with png_error).
4070 *
4071 * TODO: deal more elegantly with truncated IDAT lists.
4072 */
4073 ret = PNG_INFLATE(png_ptr, Z_NO_FLUSH);
4074
4075 /* Take the unconsumed output back. */
4076 if (output != NULL)
4077 avail_out += png_ptr->zstream.avail_out;
4078
4079 else /* avail_out counts the extra bytes */
4080 avail_out += (sizeof tmpbuf) - png_ptr->zstream.avail_out;
4081
4082 png_ptr->zstream.avail_out = 0;
4083
4084 if (ret == Z_STREAM_END)
4085 {
4086 /* Do this for safety; we won't read any more into this row. */
4087 png_ptr->zstream.next_out = NULL;
4088
4089 png_ptr->mode |= PNG_AFTER_IDAT;
4090 png_ptr->flags |= PNG_FLAG_ZSTREAM_ENDED;
4091
4092 if (png_ptr->zstream.avail_in > 0 || png_ptr->idat_size > 0)
4093 png_chunk_benign_error(png_ptr, "Extra compressed data");
4094 break;
4095 }
4096
4097 if (ret != Z_OK)
4098 {
4099 png_zstream_error(png_ptr, ret);
4100
4101 if (output != NULL)
4102 png_chunk_error(png_ptr, png_ptr->zstream.msg);
4103
4104 else /* checking */
4105 {
4106 png_chunk_benign_error(png_ptr, png_ptr->zstream.msg);
4107 return;
4108 }
4109 }
4110 } while (avail_out > 0);
4111
4112 if (avail_out > 0)
4113 {
4114 /* The stream ended before the image; this is the same as too few IDATs so
4115 * should be handled the same way.
4116 */
4117 if (output != NULL)
4118 png_error(png_ptr, "Not enough image data");
4119
4120 else /* the deflate stream contained extra data */
4121 png_chunk_benign_error(png_ptr, "Too much image data");
4122 }
4123 }
4124
4125 void /* PRIVATE */
4126 png_read_finish_IDAT(png_structrp png_ptr)
4127 {
4128 /* We don't need any more data and the stream should have ended, however the
4129 * LZ end code may actually not have been processed. In this case we must
4130 * read it otherwise stray unread IDAT data or, more likely, an IDAT chunk
4131 * may still remain to be consumed.
4132 */
4133 if ((png_ptr->flags & PNG_FLAG_ZSTREAM_ENDED) == 0)
4134 {
4135 /* The NULL causes png_read_IDAT_data to swallow any remaining bytes in
4136 * the compressed stream, but the stream may be damaged too, so even after
4137 * this call we may need to terminate the zstream ownership.
4138 */
4139 png_read_IDAT_data(png_ptr, NULL, 0);
4140 png_ptr->zstream.next_out = NULL; /* safety */
4141
4142 /* Now clear everything out for safety; the following may not have been
4143 * done.
4144 */
4145 if ((png_ptr->flags & PNG_FLAG_ZSTREAM_ENDED) == 0)
4146 {
4147 png_ptr->mode |= PNG_AFTER_IDAT;
4148 png_ptr->flags |= PNG_FLAG_ZSTREAM_ENDED;
4149 }
4150 }
4151
4152 /* If the zstream has not been released do it now *and* terminate the reading
4153 * of the final IDAT chunk.
4154 */
4155 if (png_ptr->zowner == png_IDAT)
4156 {
4157 /* Always do this; the pointers otherwise point into the read buffer. */
4158 png_ptr->zstream.next_in = NULL;
4159 png_ptr->zstream.avail_in = 0;
4160
4161 /* Now we no longer own the zstream. */
4162 png_ptr->zowner = 0;
4163
4164 /* The slightly weird semantics of the sequential IDAT reading is that we
4165 * are always in or at the end of an IDAT chunk, so we always need to do a
4166 * crc_finish here. If idat_size is non-zero we also need to read the
4167 * spurious bytes at the end of the chunk now.
4168 */
4169 (void)png_crc_finish(png_ptr, png_ptr->idat_size);
4170 }
4171 }
4172
4173 void /* PRIVATE */
4174 png_read_finish_row(png_structrp png_ptr)
4175 {
3078 /* Arrays to facilitate easy interlacing - use pass (0 - 6) as index */ 4176 /* Arrays to facilitate easy interlacing - use pass (0 - 6) as index */
3079 4177
3080 /* Start of interlace block */ 4178 /* Start of interlace block */
3081 PNG_CONST int png_pass_start[7] = {0, 4, 0, 2, 0, 1, 0}; 4179 static PNG_CONST png_byte png_pass_start[7] = {0, 4, 0, 2, 0, 1, 0};
3082 4180
3083 /* Offset to next interlace block */ 4181 /* Offset to next interlace block */
3084 PNG_CONST int png_pass_inc[7] = {8, 8, 4, 4, 2, 2, 1}; 4182 static PNG_CONST png_byte png_pass_inc[7] = {8, 8, 4, 4, 2, 2, 1};
3085 4183
3086 /* Start of interlace block in the y direction */ 4184 /* Start of interlace block in the y direction */
3087 PNG_CONST int png_pass_ystart[7] = {0, 0, 4, 0, 2, 0, 1}; 4185 static PNG_CONST png_byte png_pass_ystart[7] = {0, 0, 4, 0, 2, 0, 1};
3088 4186
3089 /* Offset to next interlace block in the y direction */ 4187 /* Offset to next interlace block in the y direction */
3090 PNG_CONST int png_pass_yinc[7] = {8, 8, 8, 4, 4, 2, 2}; 4188 static PNG_CONST png_byte png_pass_yinc[7] = {8, 8, 8, 4, 4, 2, 2};
3091 #endif
3092 #endif /* PNG_READ_INTERLACING_SUPPORTED */
3093 4189
3094 png_debug(1, "in png_read_finish_row"); 4190 png_debug(1, "in png_read_finish_row");
3095 png_ptr->row_number++; 4191 png_ptr->row_number++;
3096 if (png_ptr->row_number < png_ptr->num_rows) 4192 if (png_ptr->row_number < png_ptr->num_rows)
3097 return; 4193 return;
3098 4194
3099 #ifdef PNG_READ_INTERLACING_SUPPORTED 4195 if (png_ptr->interlaced != 0)
3100 if (png_ptr->interlaced)
3101 { 4196 {
3102 png_ptr->row_number = 0; 4197 png_ptr->row_number = 0;
3103 png_memset_check(png_ptr, png_ptr->prev_row, 0, 4198
3104 png_ptr->rowbytes + 1); 4199 /* TO DO: don't do this if prev_row isn't needed (requires
4200 * read-ahead of the next row's filter byte.
4201 */
4202 memset(png_ptr->prev_row, 0, png_ptr->rowbytes + 1);
4203
3105 do 4204 do
3106 { 4205 {
3107 png_ptr->pass++; 4206 png_ptr->pass++;
4207
3108 if (png_ptr->pass >= 7) 4208 if (png_ptr->pass >= 7)
3109 break; 4209 break;
4210
3110 png_ptr->iwidth = (png_ptr->width + 4211 png_ptr->iwidth = (png_ptr->width +
3111 png_pass_inc[png_ptr->pass] - 1 - 4212 png_pass_inc[png_ptr->pass] - 1 -
3112 png_pass_start[png_ptr->pass]) / 4213 png_pass_start[png_ptr->pass]) /
3113 png_pass_inc[png_ptr->pass]; 4214 png_pass_inc[png_ptr->pass];
3114 4215
3115 if (!(png_ptr->transformations & PNG_INTERLACE)) 4216 if ((png_ptr->transformations & PNG_INTERLACE) == 0)
3116 { 4217 {
3117 png_ptr->num_rows = (png_ptr->height + 4218 png_ptr->num_rows = (png_ptr->height +
3118 png_pass_yinc[png_ptr->pass] - 1 - 4219 png_pass_yinc[png_ptr->pass] - 1 -
3119 png_pass_ystart[png_ptr->pass]) / 4220 png_pass_ystart[png_ptr->pass]) /
3120 png_pass_yinc[png_ptr->pass]; 4221 png_pass_yinc[png_ptr->pass];
3121 if (!(png_ptr->num_rows))
3122 continue;
3123 } 4222 }
4223
3124 else /* if (png_ptr->transformations & PNG_INTERLACE) */ 4224 else /* if (png_ptr->transformations & PNG_INTERLACE) */
3125 break; 4225 break; /* libpng deinterlacing sees every row */
3126 } while (png_ptr->iwidth == 0); 4226
4227 } while (png_ptr->num_rows == 0 || png_ptr->iwidth == 0);
3127 4228
3128 if (png_ptr->pass < 7) 4229 if (png_ptr->pass < 7)
3129 return; 4230 return;
3130 } 4231 }
3131 #endif /* PNG_READ_INTERLACING_SUPPORTED */ 4232
3132 4233 /* Here after at the end of the last row of the last pass. */
3133 if (!(png_ptr->flags & PNG_FLAG_ZLIB_FINISHED)) 4234 png_read_finish_IDAT(png_ptr);
3134 { 4235 }
3135 #ifdef PNG_USE_LOCAL_ARRAYS 4236 #endif /* SEQUENTIAL_READ */
3136 PNG_CONST PNG_IDAT;
3137 #endif
3138 char extra;
3139 int ret;
3140
3141 png_ptr->zstream.next_out = (Byte *)&extra;
3142 png_ptr->zstream.avail_out = (uInt)1;
3143 for (;;)
3144 {
3145 if (!(png_ptr->zstream.avail_in))
3146 {
3147 while (!png_ptr->idat_size)
3148 {
3149 png_byte chunk_length[4];
3150
3151 png_crc_finish(png_ptr, 0);
3152
3153 png_read_data(png_ptr, chunk_length, 4);
3154 png_ptr->idat_size = png_get_uint_31(png_ptr, chunk_length);
3155 png_reset_crc(png_ptr);
3156 png_crc_read(png_ptr, png_ptr->chunk_name, 4);
3157 if (png_memcmp(png_ptr->chunk_name, png_IDAT, 4))
3158 png_error(png_ptr, "Not enough image data");
3159
3160 }
3161 png_ptr->zstream.avail_in = (uInt)png_ptr->zbuf_size;
3162 png_ptr->zstream.next_in = png_ptr->zbuf;
3163 if (png_ptr->zbuf_size > png_ptr->idat_size)
3164 png_ptr->zstream.avail_in = (uInt)png_ptr->idat_size;
3165 png_crc_read(png_ptr, png_ptr->zbuf, png_ptr->zstream.avail_in);
3166 png_ptr->idat_size -= png_ptr->zstream.avail_in;
3167 }
3168 ret = inflate(&png_ptr->zstream, Z_PARTIAL_FLUSH);
3169 if (ret == Z_STREAM_END)
3170 {
3171 if (!(png_ptr->zstream.avail_out) || png_ptr->zstream.avail_in ||
3172 png_ptr->idat_size)
3173 png_warning(png_ptr, "Extra compressed data.");
3174 png_ptr->mode |= PNG_AFTER_IDAT;
3175 png_ptr->flags |= PNG_FLAG_ZLIB_FINISHED;
3176 break;
3177 }
3178 if (ret != Z_OK)
3179 png_error(png_ptr, png_ptr->zstream.msg ? png_ptr->zstream.msg :
3180 "Decompression Error");
3181
3182 if (!(png_ptr->zstream.avail_out))
3183 {
3184 png_warning(png_ptr, "Extra compressed data.");
3185 png_ptr->mode |= PNG_AFTER_IDAT;
3186 png_ptr->flags |= PNG_FLAG_ZLIB_FINISHED;
3187 break;
3188 }
3189
3190 }
3191 png_ptr->zstream.avail_out = 0;
3192 }
3193
3194 if (png_ptr->idat_size || png_ptr->zstream.avail_in)
3195 png_warning(png_ptr, "Extra compression data.");
3196
3197 inflateReset(&png_ptr->zstream);
3198
3199 png_ptr->mode |= PNG_AFTER_IDAT;
3200 }
3201 #endif /* PNG_SEQUENTIAL_READ_SUPPORTED */
3202 4237
3203 void /* PRIVATE */ 4238 void /* PRIVATE */
3204 png_read_start_row(png_structp png_ptr) 4239 png_read_start_row(png_structrp png_ptr)
3205 { 4240 {
3206 #ifdef PNG_READ_INTERLACING_SUPPORTED
3207 #ifndef PNG_USE_GLOBAL_ARRAYS
3208 /* Arrays to facilitate easy interlacing - use pass (0 - 6) as index */ 4241 /* Arrays to facilitate easy interlacing - use pass (0 - 6) as index */
3209 4242
3210 /* Start of interlace block */ 4243 /* Start of interlace block */
3211 PNG_CONST int png_pass_start[7] = {0, 4, 0, 2, 0, 1, 0}; 4244 static PNG_CONST png_byte png_pass_start[7] = {0, 4, 0, 2, 0, 1, 0};
3212 4245
3213 /* Offset to next interlace block */ 4246 /* Offset to next interlace block */
3214 PNG_CONST int png_pass_inc[7] = {8, 8, 4, 4, 2, 2, 1}; 4247 static PNG_CONST png_byte png_pass_inc[7] = {8, 8, 4, 4, 2, 2, 1};
3215 4248
3216 /* Start of interlace block in the y direction */ 4249 /* Start of interlace block in the y direction */
3217 PNG_CONST int png_pass_ystart[7] = {0, 0, 4, 0, 2, 0, 1}; 4250 static PNG_CONST png_byte png_pass_ystart[7] = {0, 0, 4, 0, 2, 0, 1};
3218 4251
3219 /* Offset to next interlace block in the y direction */ 4252 /* Offset to next interlace block in the y direction */
3220 PNG_CONST int png_pass_yinc[7] = {8, 8, 8, 4, 4, 2, 2}; 4253 static PNG_CONST png_byte png_pass_yinc[7] = {8, 8, 8, 4, 4, 2, 2};
3221 #endif
3222 #endif
3223 4254
3224 int max_pixel_depth; 4255 int max_pixel_depth;
3225 png_size_t row_bytes; 4256 png_size_t row_bytes;
3226 4257
3227 png_debug(1, "in png_read_start_row"); 4258 png_debug(1, "in png_read_start_row");
3228 png_ptr->zstream.avail_in = 0; 4259
4260 #ifdef PNG_READ_TRANSFORMS_SUPPORTED
3229 png_init_read_transformations(png_ptr); 4261 png_init_read_transformations(png_ptr);
3230 #ifdef PNG_READ_INTERLACING_SUPPORTED 4262 #endif
3231 if (png_ptr->interlaced) 4263 if (png_ptr->interlaced != 0)
3232 { 4264 {
3233 if (!(png_ptr->transformations & PNG_INTERLACE)) 4265 if ((png_ptr->transformations & PNG_INTERLACE) == 0)
3234 png_ptr->num_rows = (png_ptr->height + png_pass_yinc[0] - 1 - 4266 png_ptr->num_rows = (png_ptr->height + png_pass_yinc[0] - 1 -
3235 png_pass_ystart[0]) / png_pass_yinc[0]; 4267 png_pass_ystart[0]) / png_pass_yinc[0];
4268
3236 else 4269 else
3237 png_ptr->num_rows = png_ptr->height; 4270 png_ptr->num_rows = png_ptr->height;
3238 4271
3239 png_ptr->iwidth = (png_ptr->width + 4272 png_ptr->iwidth = (png_ptr->width +
3240 png_pass_inc[png_ptr->pass] - 1 - 4273 png_pass_inc[png_ptr->pass] - 1 -
3241 png_pass_start[png_ptr->pass]) / 4274 png_pass_start[png_ptr->pass]) /
3242 png_pass_inc[png_ptr->pass]; 4275 png_pass_inc[png_ptr->pass];
3243 } 4276 }
4277
3244 else 4278 else
3245 #endif /* PNG_READ_INTERLACING_SUPPORTED */
3246 { 4279 {
3247 png_ptr->num_rows = png_ptr->height; 4280 png_ptr->num_rows = png_ptr->height;
3248 png_ptr->iwidth = png_ptr->width; 4281 png_ptr->iwidth = png_ptr->width;
3249 } 4282 }
4283
3250 max_pixel_depth = png_ptr->pixel_depth; 4284 max_pixel_depth = png_ptr->pixel_depth;
3251 4285
4286 /* WARNING: * png_read_transform_info (pngrtran.c) performs a simpler set of
4287 * calculations to calculate the final pixel depth, then
4288 * png_do_read_transforms actually does the transforms. This means that the
4289 * code which effectively calculates this value is actually repeated in three
4290 * separate places. They must all match. Innocent changes to the order of
4291 * transformations can and will break libpng in a way that causes memory
4292 * overwrites.
4293 *
4294 * TODO: fix this.
4295 */
3252 #ifdef PNG_READ_PACK_SUPPORTED 4296 #ifdef PNG_READ_PACK_SUPPORTED
3253 if ((png_ptr->transformations & PNG_PACK) && png_ptr->bit_depth < 8) 4297 if ((png_ptr->transformations & PNG_PACK) != 0 && png_ptr->bit_depth < 8)
3254 max_pixel_depth = 8; 4298 max_pixel_depth = 8;
3255 #endif 4299 #endif
3256 4300
3257 #ifdef PNG_READ_EXPAND_SUPPORTED 4301 #ifdef PNG_READ_EXPAND_SUPPORTED
3258 if (png_ptr->transformations & PNG_EXPAND) 4302 if ((png_ptr->transformations & PNG_EXPAND) != 0)
3259 { 4303 {
3260 if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) 4304 if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
3261 { 4305 {
3262 if (png_ptr->num_trans) 4306 if (png_ptr->num_trans != 0)
3263 max_pixel_depth = 32; 4307 max_pixel_depth = 32;
4308
3264 else 4309 else
3265 max_pixel_depth = 24; 4310 max_pixel_depth = 24;
3266 } 4311 }
4312
3267 else if (png_ptr->color_type == PNG_COLOR_TYPE_GRAY) 4313 else if (png_ptr->color_type == PNG_COLOR_TYPE_GRAY)
3268 { 4314 {
3269 if (max_pixel_depth < 8) 4315 if (max_pixel_depth < 8)
3270 max_pixel_depth = 8; 4316 max_pixel_depth = 8;
3271 if (png_ptr->num_trans) 4317
4318 if (png_ptr->num_trans != 0)
3272 max_pixel_depth *= 2; 4319 max_pixel_depth *= 2;
3273 } 4320 }
4321
3274 else if (png_ptr->color_type == PNG_COLOR_TYPE_RGB) 4322 else if (png_ptr->color_type == PNG_COLOR_TYPE_RGB)
3275 { 4323 {
3276 if (png_ptr->num_trans) 4324 if (png_ptr->num_trans != 0)
3277 { 4325 {
3278 max_pixel_depth *= 4; 4326 max_pixel_depth *= 4;
3279 max_pixel_depth /= 3; 4327 max_pixel_depth /= 3;
3280 } 4328 }
3281 } 4329 }
3282 } 4330 }
3283 #endif 4331 #endif
3284 4332
4333 #ifdef PNG_READ_EXPAND_16_SUPPORTED
4334 if ((png_ptr->transformations & PNG_EXPAND_16) != 0)
4335 {
4336 # ifdef PNG_READ_EXPAND_SUPPORTED
4337 /* In fact it is an error if it isn't supported, but checking is
4338 * the safe way.
4339 */
4340 if ((png_ptr->transformations & PNG_EXPAND) != 0)
4341 {
4342 if (png_ptr->bit_depth < 16)
4343 max_pixel_depth *= 2;
4344 }
4345 else
4346 # endif
4347 png_ptr->transformations &= ~PNG_EXPAND_16;
4348 }
4349 #endif
4350
3285 #ifdef PNG_READ_FILLER_SUPPORTED 4351 #ifdef PNG_READ_FILLER_SUPPORTED
3286 if (png_ptr->transformations & (PNG_FILLER)) 4352 if ((png_ptr->transformations & (PNG_FILLER)) != 0)
3287 { 4353 {
3288 if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) 4354 if (png_ptr->color_type == PNG_COLOR_TYPE_GRAY)
3289 max_pixel_depth = 32;
3290 else if (png_ptr->color_type == PNG_COLOR_TYPE_GRAY)
3291 { 4355 {
3292 if (max_pixel_depth <= 8) 4356 if (max_pixel_depth <= 8)
3293 max_pixel_depth = 16; 4357 max_pixel_depth = 16;
4358
3294 else 4359 else
3295 max_pixel_depth = 32; 4360 max_pixel_depth = 32;
3296 } 4361 }
3297 else if (png_ptr->color_type == PNG_COLOR_TYPE_RGB) 4362
4363 else if (png_ptr->color_type == PNG_COLOR_TYPE_RGB ||
4364 png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
3298 { 4365 {
3299 if (max_pixel_depth <= 32) 4366 if (max_pixel_depth <= 32)
3300 max_pixel_depth = 32; 4367 max_pixel_depth = 32;
4368
3301 else 4369 else
3302 max_pixel_depth = 64; 4370 max_pixel_depth = 64;
3303 } 4371 }
3304 } 4372 }
3305 #endif 4373 #endif
3306 4374
3307 #ifdef PNG_READ_GRAY_TO_RGB_SUPPORTED 4375 #ifdef PNG_READ_GRAY_TO_RGB_SUPPORTED
3308 if (png_ptr->transformations & PNG_GRAY_TO_RGB) 4376 if ((png_ptr->transformations & PNG_GRAY_TO_RGB) != 0)
3309 { 4377 {
3310 if ( 4378 if (
3311 #ifdef PNG_READ_EXPAND_SUPPORTED 4379 #ifdef PNG_READ_EXPAND_SUPPORTED
3312 (png_ptr->num_trans && (png_ptr->transformations & PNG_EXPAND)) || 4380 (png_ptr->num_trans != 0 &&
4381 (png_ptr->transformations & PNG_EXPAND) != 0) ||
3313 #endif 4382 #endif
3314 #ifdef PNG_READ_FILLER_SUPPORTED 4383 #ifdef PNG_READ_FILLER_SUPPORTED
3315 (png_ptr->transformations & (PNG_FILLER)) || 4384 (png_ptr->transformations & (PNG_FILLER)) != 0 ||
3316 #endif 4385 #endif
3317 png_ptr->color_type == PNG_COLOR_TYPE_GRAY_ALPHA) 4386 png_ptr->color_type == PNG_COLOR_TYPE_GRAY_ALPHA)
3318 { 4387 {
3319 if (max_pixel_depth <= 16) 4388 if (max_pixel_depth <= 16)
3320 max_pixel_depth = 32; 4389 max_pixel_depth = 32;
4390
3321 else 4391 else
3322 max_pixel_depth = 64; 4392 max_pixel_depth = 64;
3323 } 4393 }
4394
3324 else 4395 else
3325 { 4396 {
3326 if (max_pixel_depth <= 8) 4397 if (max_pixel_depth <= 8)
3327 { 4398 {
3328 if (png_ptr->color_type == PNG_COLOR_TYPE_RGB_ALPHA) 4399 if (png_ptr->color_type == PNG_COLOR_TYPE_RGB_ALPHA)
3329 max_pixel_depth = 32; 4400 max_pixel_depth = 32;
3330 else 4401
4402 else
3331 max_pixel_depth = 24; 4403 max_pixel_depth = 24;
3332 } 4404 }
4405
3333 else if (png_ptr->color_type == PNG_COLOR_TYPE_RGB_ALPHA) 4406 else if (png_ptr->color_type == PNG_COLOR_TYPE_RGB_ALPHA)
3334 max_pixel_depth = 64; 4407 max_pixel_depth = 64;
4408
3335 else 4409 else
3336 max_pixel_depth = 48; 4410 max_pixel_depth = 48;
3337 } 4411 }
3338 } 4412 }
3339 #endif 4413 #endif
3340 4414
3341 #if defined(PNG_READ_USER_TRANSFORM_SUPPORTED) && \ 4415 #if defined(PNG_READ_USER_TRANSFORM_SUPPORTED) && \
3342 defined(PNG_USER_TRANSFORM_PTR_SUPPORTED) 4416 defined(PNG_USER_TRANSFORM_PTR_SUPPORTED)
3343 if (png_ptr->transformations & PNG_USER_TRANSFORM) 4417 if ((png_ptr->transformations & PNG_USER_TRANSFORM) != 0)
3344 { 4418 {
3345 int user_pixel_depth = png_ptr->user_transform_depth* 4419 int user_pixel_depth = png_ptr->user_transform_depth *
3346 png_ptr->user_transform_channels; 4420 png_ptr->user_transform_channels;
3347 if (user_pixel_depth > max_pixel_depth) 4421
3348 max_pixel_depth=user_pixel_depth; 4422 if (user_pixel_depth > max_pixel_depth)
3349 } 4423 max_pixel_depth = user_pixel_depth;
4424 }
3350 #endif 4425 #endif
3351 4426
4427 /* This value is stored in png_struct and double checked in the row read
4428 * code.
4429 */
4430 png_ptr->maximum_pixel_depth = (png_byte)max_pixel_depth;
4431 png_ptr->transformed_pixel_depth = 0; /* calculated on demand */
4432
3352 /* Align the width on the next larger 8 pixels. Mainly used 4433 /* Align the width on the next larger 8 pixels. Mainly used
3353 * for interlacing 4434 * for interlacing
3354 */ 4435 */
3355 row_bytes = ((png_ptr->width + 7) & ~((png_uint_32)7)); 4436 row_bytes = ((png_ptr->width + 7) & ~((png_uint_32)7));
3356 /* Calculate the maximum bytes needed, adding a byte and a pixel 4437 /* Calculate the maximum bytes needed, adding a byte and a pixel
3357 * for safety's sake 4438 * for safety's sake
3358 */ 4439 */
3359 row_bytes = PNG_ROWBYTES(max_pixel_depth, row_bytes) + 4440 row_bytes = PNG_ROWBYTES(max_pixel_depth, row_bytes) +
3360 1 + ((max_pixel_depth + 7) >> 3); 4441 1 + ((max_pixel_depth + 7) >> 3);
4442
3361 #ifdef PNG_MAX_MALLOC_64K 4443 #ifdef PNG_MAX_MALLOC_64K
3362 if (row_bytes > (png_uint_32)65536L) 4444 if (row_bytes > (png_uint_32)65536L)
3363 png_error(png_ptr, "This image requires a row greater than 64KB"); 4445 png_error(png_ptr, "This image requires a row greater than 64KB");
3364 #endif 4446 #endif
3365 4447
3366 if (row_bytes + 64 > png_ptr->old_big_row_buf_size) 4448 if (row_bytes + 48 > png_ptr->old_big_row_buf_size)
3367 { 4449 {
3368 png_free(png_ptr, png_ptr->big_row_buf); 4450 png_free(png_ptr, png_ptr->big_row_buf);
3369 if (png_ptr->interlaced) 4451 png_free(png_ptr, png_ptr->big_prev_row);
4452
4453 if (png_ptr->interlaced != 0)
3370 png_ptr->big_row_buf = (png_bytep)png_calloc(png_ptr, 4454 png_ptr->big_row_buf = (png_bytep)png_calloc(png_ptr,
3371 row_bytes + 64); 4455 row_bytes + 48);
4456
3372 else 4457 else
3373 png_ptr->big_row_buf = (png_bytep)png_malloc(png_ptr, 4458 png_ptr->big_row_buf = (png_bytep)png_malloc(png_ptr, row_bytes + 48);
3374 row_bytes + 64);
3375 png_ptr->old_big_row_buf_size = row_bytes + 64;
3376 4459
3377 /* Use 32 bytes of padding before and after row_buf. */ 4460 png_ptr->big_prev_row = (png_bytep)png_malloc(png_ptr, row_bytes + 48);
3378 png_ptr->row_buf = png_ptr->big_row_buf + 32; 4461
3379 png_ptr->old_big_row_buf_size = row_bytes + 64; 4462 #ifdef PNG_ALIGNED_MEMORY_SUPPORTED
4463 /* Use 16-byte aligned memory for row_buf with at least 16 bytes
4464 * of padding before and after row_buf; treat prev_row similarly.
4465 * NOTE: the alignment is to the start of the pixels, one beyond the start
4466 * of the buffer, because of the filter byte. Prior to libpng 1.5.6 this
4467 * was incorrect; the filter byte was aligned, which had the exact
4468 * opposite effect of that intended.
4469 */
4470 {
4471 png_bytep temp = png_ptr->big_row_buf + 32;
4472 int extra = (int)((temp - (png_bytep)0) & 0x0f);
4473 png_ptr->row_buf = temp - extra - 1/*filter byte*/;
4474
4475 temp = png_ptr->big_prev_row + 32;
4476 extra = (int)((temp - (png_bytep)0) & 0x0f);
4477 png_ptr->prev_row = temp - extra - 1/*filter byte*/;
4478 }
4479
4480 #else
4481 /* Use 31 bytes of padding before and 17 bytes after row_buf. */
4482 png_ptr->row_buf = png_ptr->big_row_buf + 31;
4483 png_ptr->prev_row = png_ptr->big_prev_row + 31;
4484 #endif
4485 png_ptr->old_big_row_buf_size = row_bytes + 48;
3380 } 4486 }
3381 4487
3382 #ifdef PNG_MAX_MALLOC_64K 4488 #ifdef PNG_MAX_MALLOC_64K
3383 if ((png_uint_32)row_bytes + 1 > (png_uint_32)65536L) 4489 if (png_ptr->rowbytes > 65535)
3384 png_error(png_ptr, "This image requires a row greater than 64KB"); 4490 png_error(png_ptr, "This image requires a row greater than 64KB");
4491
3385 #endif 4492 #endif
3386 if ((png_uint_32)row_bytes > (png_uint_32)(PNG_SIZE_MAX - 1)) 4493 if (png_ptr->rowbytes > (PNG_SIZE_MAX - 1))
3387 png_error(png_ptr, "Row has too many bytes to allocate in memory."); 4494 png_error(png_ptr, "Row has too many bytes to allocate in memory");
3388 4495
3389 if (row_bytes + 1 > png_ptr->old_prev_row_size) 4496 memset(png_ptr->prev_row, 0, png_ptr->rowbytes + 1);
4497
4498 png_debug1(3, "width = %u,", png_ptr->width);
4499 png_debug1(3, "height = %u,", png_ptr->height);
4500 png_debug1(3, "iwidth = %u,", png_ptr->iwidth);
4501 png_debug1(3, "num_rows = %u,", png_ptr->num_rows);
4502 png_debug1(3, "rowbytes = %lu,", (unsigned long)png_ptr->rowbytes);
4503 png_debug1(3, "irowbytes = %lu",
4504 (unsigned long)PNG_ROWBYTES(png_ptr->pixel_depth, png_ptr->iwidth) + 1);
4505
4506 /* The sequential reader needs a buffer for IDAT, but the progressive reader
4507 * does not, so free the read buffer now regardless; the sequential reader
4508 * reallocates it on demand.
4509 */
4510 if (png_ptr->read_buffer != 0)
3390 { 4511 {
3391 png_free(png_ptr, png_ptr->prev_row); 4512 png_bytep buffer = png_ptr->read_buffer;
3392 png_ptr->prev_row = (png_bytep)png_malloc(png_ptr, (png_uint_32)( 4513
3393 row_bytes + 1)); 4514 png_ptr->read_buffer_size = 0;
3394 png_memset_check(png_ptr, png_ptr->prev_row, 0, row_bytes + 1); 4515 png_ptr->read_buffer = NULL;
3395 png_ptr->old_prev_row_size = row_bytes + 1; 4516 png_free(png_ptr, buffer);
3396 } 4517 }
3397 4518
3398 png_ptr->rowbytes = row_bytes; 4519 /* Finally claim the zstream for the inflate of the IDAT data, use the bits
3399 4520 * value from the stream (note that this will result in a fatal error if the
3400 png_debug1(3, "width = %lu,", png_ptr->width); 4521 * IDAT stream has a bogus deflate header window_bits value, but this should
3401 png_debug1(3, "height = %lu,", png_ptr->height); 4522 * not be happening any longer!)
3402 png_debug1(3, "iwidth = %lu,", png_ptr->iwidth); 4523 */
3403 png_debug1(3, "num_rows = %lu,", png_ptr->num_rows); 4524 if (png_inflate_claim(png_ptr, png_IDAT) != Z_OK)
3404 png_debug1(3, "rowbytes = %lu,", png_ptr->rowbytes); 4525 png_error(png_ptr, png_ptr->zstream.msg);
3405 png_debug1(3, "irowbytes = %lu",
3406 PNG_ROWBYTES(png_ptr->pixel_depth, png_ptr->iwidth) + 1);
3407 4526
3408 png_ptr->flags |= PNG_FLAG_ROW_INIT; 4527 png_ptr->flags |= PNG_FLAG_ROW_INIT;
3409 } 4528 }
3410 #endif /* PNG_READ_SUPPORTED */ 4529 #endif /* READ */
OLDNEW
« no previous file with comments | « third_party/libpng/pngrtran.c ('k') | third_party/libpng/pngset.c » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698