Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(69)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: third_party/libpng/pngrutil.c

Issue 23494067: Revert "libpng 1.6.3" (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: Created 7 years, 3 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch | Annotate | Revision Log
« no previous file with comments | « third_party/libpng/pngrtran.c ('k') | third_party/libpng/pngset.c » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 1
2 /* pngrutil.c - utilities to read a PNG file 2 /* pngrutil.c - utilities to read a PNG file
3 * 3 *
4 * Last changed in libpng 1.6.3 [July 18, 2013] 4 * Last changed in libpng 1.2.45 [July 7, 2011]
5 * Copyright (c) 1998-2013 Glenn Randers-Pehrson 5 * Copyright (c) 1998-2011 Glenn Randers-Pehrson
6 * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger) 6 * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
7 * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.) 7 * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
8 * 8 *
9 * This code is released under the libpng license. 9 * This code is released under the libpng license.
10 * For conditions of distribution and use, see the disclaimer 10 * For conditions of distribution and use, see the disclaimer
11 * and license in png.h 11 * and license in png.h
12 * 12 *
13 * This file contains routines that are only called from within 13 * This file contains routines that are only called from within
14 * libpng itself during the course of reading an image. 14 * libpng itself during the course of reading an image.
15 */ 15 */
16 16
17 #include "pngpriv.h" 17 #define PNG_INTERNAL
18 18 #define PNG_NO_PEDANTIC_WARNINGS
19 #include "png.h"
19 #ifdef PNG_READ_SUPPORTED 20 #ifdef PNG_READ_SUPPORTED
20 21
21 png_uint_32 PNGAPI 22 #if defined(_WIN32_WCE) && (_WIN32_WCE<0x500)
22 png_get_uint_31(png_const_structrp png_ptr, png_const_bytep buf) 23 # define WIN32_WCE_OLD
23 {
24 png_uint_32 uval = png_get_uint_32(buf);
25
26 if (uval > PNG_UINT_31_MAX)
27 png_error(png_ptr, "PNG unsigned integer out of range");
28
29 return (uval);
30 }
31
32 #if defined(PNG_READ_gAMA_SUPPORTED) || defined(PNG_READ_cHRM_SUPPORTED)
33 /* The following is a variation on the above for use with the fixed
34 * point values used for gAMA and cHRM. Instead of png_error it
35 * issues a warning and returns (-1) - an invalid value because both
36 * gAMA and cHRM use *unsigned* integers for fixed point values.
37 */
38 #define PNG_FIXED_ERROR (-1)
39
40 static png_fixed_point /* PRIVATE */
41 png_get_fixed_point(png_structrp png_ptr, png_const_bytep buf)
42 {
43 png_uint_32 uval = png_get_uint_32(buf);
44
45 if (uval <= PNG_UINT_31_MAX)
46 return (png_fixed_point)uval; /* known to be in range */
47
48 /* The caller can turn off the warning by passing NULL. */
49 if (png_ptr != NULL)
50 png_warning(png_ptr, "PNG fixed point integer out of range");
51
52 return PNG_FIXED_ERROR;
53 }
54 #endif 24 #endif
55 25
56 #ifdef PNG_READ_INT_FUNCTIONS_SUPPORTED 26 #ifdef PNG_FLOATING_POINT_SUPPORTED
57 /* NOTE: the read macros will obscure these definitions, so that if 27 # ifdef WIN32_WCE_OLD
58 * PNG_USE_READ_MACROS is set the library will not use them internally, 28 /* The strtod() function is not supported on WindowsCE */
59 * but the APIs will still be available externally. 29 __inline double png_strtod(png_structp png_ptr, PNG_CONST char *nptr,
60 * 30 char **endptr)
61 * The parentheses around "PNGAPI function_name" in the following three 31 {
62 * functions are necessary because they allow the macros to co-exist with 32 double result = 0;
63 * these (unused but exported) functions. 33 int len;
64 */ 34 wchar_t *str, *end;
65 35
36 len = MultiByteToWideChar(CP_ACP, 0, nptr, -1, NULL, 0);
37 str = (wchar_t *)png_malloc(png_ptr, len * png_sizeof(wchar_t));
38 if ( NULL != str )
39 {
40 MultiByteToWideChar(CP_ACP, 0, nptr, -1, str, len);
41 result = wcstod(str, &end);
42 len = WideCharToMultiByte(CP_ACP, 0, end, -1, NULL, 0, NULL, NULL);
43 *endptr = (char *)nptr + (png_strlen(nptr) - len + 1);
44 png_free(png_ptr, str);
45 }
46 return result;
47 }
48 # else
49 # define png_strtod(p,a,b) strtod(a,b)
50 # endif
51 #endif
52
53 png_uint_32 PNGAPI
54 png_get_uint_31(png_structp png_ptr, png_bytep buf)
55 {
56 #ifdef PNG_READ_BIG_ENDIAN_SUPPORTED
57 png_uint_32 i = png_get_uint_32(buf);
58 #else
59 /* Avoid an extra function call by inlining the result. */
60 png_uint_32 i = ((png_uint_32)(*buf) << 24) +
61 ((png_uint_32)(*(buf + 1)) << 16) +
62 ((png_uint_32)(*(buf + 2)) << 8) +
63 (png_uint_32)(*(buf + 3));
64 #endif
65 if (i > PNG_UINT_31_MAX)
66 png_error(png_ptr, "PNG unsigned integer out of range.");
67 return (i);
68 }
69 #ifndef PNG_READ_BIG_ENDIAN_SUPPORTED
66 /* Grab an unsigned 32-bit integer from a buffer in big-endian format. */ 70 /* Grab an unsigned 32-bit integer from a buffer in big-endian format. */
67 png_uint_32 (PNGAPI 71 png_uint_32 PNGAPI
68 png_get_uint_32)(png_const_bytep buf) 72 png_get_uint_32(png_bytep buf)
69 { 73 {
70 png_uint_32 uval = 74 png_uint_32 i = ((png_uint_32)(*buf) << 24) +
71 ((png_uint_32)(*(buf )) << 24) + 75 ((png_uint_32)(*(buf + 1)) << 16) +
72 ((png_uint_32)(*(buf + 1)) << 16) + 76 ((png_uint_32)(*(buf + 2)) << 8) +
73 ((png_uint_32)(*(buf + 2)) << 8) + 77 (png_uint_32)(*(buf + 3));
74 ((png_uint_32)(*(buf + 3)) ) ;
75 78
76 return uval; 79 return (i);
77 } 80 }
78 81
79 /* Grab a signed 32-bit integer from a buffer in big-endian format. The 82 /* Grab a signed 32-bit integer from a buffer in big-endian format. The
80 * data is stored in the PNG file in two's complement format and there 83 * data is stored in the PNG file in two's complement format, and it is
81 * is no guarantee that a 'png_int_32' is exactly 32 bits, therefore 84 * assumed that the machine format for signed integers is the same.
82 * the following code does a two's complement to native conversion.
83 */ 85 */
84 png_int_32 (PNGAPI 86 png_int_32 PNGAPI
85 png_get_int_32)(png_const_bytep buf) 87 png_get_int_32(png_bytep buf)
86 { 88 {
87 png_uint_32 uval = png_get_uint_32(buf); 89 png_int_32 i = ((png_int_32)(*buf) << 24) +
88 if ((uval & 0x80000000) == 0) /* non-negative */ 90 ((png_int_32)(*(buf + 1)) << 16) +
89 return uval; 91 ((png_int_32)(*(buf + 2)) << 8) +
92 (png_int_32)(*(buf + 3));
90 93
91 uval = (uval ^ 0xffffffff) + 1; /* 2's complement: -x = ~x+1 */ 94 return (i);
92 return -(png_int_32)uval;
93 } 95 }
94 96
95 /* Grab an unsigned 16-bit integer from a buffer in big-endian format. */ 97 /* Grab an unsigned 16-bit integer from a buffer in big-endian format. */
96 png_uint_16 (PNGAPI 98 png_uint_16 PNGAPI
97 png_get_uint_16)(png_const_bytep buf) 99 png_get_uint_16(png_bytep buf)
98 { 100 {
99 /* ANSI-C requires an int value to accomodate at least 16 bits so this 101 png_uint_16 i = (png_uint_16)(((png_uint_16)(*buf) << 8) +
100 * works and allows the compiler not to worry about possible narrowing 102 (png_uint_16)(*(buf + 1)));
101 * on 32 bit systems. (Pre-ANSI systems did not make integers smaller
102 * than 16 bits either.)
103 */
104 unsigned int val =
105 ((unsigned int)(*buf) << 8) +
106 ((unsigned int)(*(buf + 1)));
107 103
108 return (png_uint_16)val; 104 return (i);
109 } 105 }
110 106 #endif /* PNG_READ_BIG_ENDIAN_SUPPORTED */
111 #endif /* PNG_READ_INT_FUNCTIONS_SUPPORTED */
112
113 /* Read and check the PNG file signature */
114 void /* PRIVATE */
115 png_read_sig(png_structrp png_ptr, png_inforp info_ptr)
116 {
117 png_size_t num_checked, num_to_check;
118
119 /* Exit if the user application does not expect a signature. */
120 if (png_ptr->sig_bytes >= 8)
121 return;
122
123 num_checked = png_ptr->sig_bytes;
124 num_to_check = 8 - num_checked;
125
126 #ifdef PNG_IO_STATE_SUPPORTED
127 png_ptr->io_state = PNG_IO_READING | PNG_IO_SIGNATURE;
128 #endif
129
130 /* The signature must be serialized in a single I/O call. */
131 png_read_data(png_ptr, &(info_ptr->signature[num_checked]), num_to_check);
132 png_ptr->sig_bytes = 8;
133
134 if (png_sig_cmp(info_ptr->signature, num_checked, num_to_check))
135 {
136 if (num_checked < 4 &&
137 png_sig_cmp(info_ptr->signature, num_checked, num_to_check - 4))
138 png_error(png_ptr, "Not a PNG file");
139 else
140 png_error(png_ptr, "PNG file corrupted by ASCII conversion");
141 }
142 if (num_checked < 3)
143 png_ptr->mode |= PNG_HAVE_PNG_SIGNATURE;
144 }
145 107
146 /* Read the chunk header (length + type name). 108 /* Read the chunk header (length + type name).
147 * Put the type name into png_ptr->chunk_name, and return the length. 109 * Put the type name into png_ptr->chunk_name, and return the length.
148 */ 110 */
149 png_uint_32 /* PRIVATE */ 111 png_uint_32 /* PRIVATE */
150 png_read_chunk_header(png_structrp png_ptr) 112 png_read_chunk_header(png_structp png_ptr)
151 { 113 {
152 png_byte buf[8]; 114 png_byte buf[8];
153 png_uint_32 length; 115 png_uint_32 length;
154 116
155 #ifdef PNG_IO_STATE_SUPPORTED 117 /* Read the length and the chunk name */
156 png_ptr->io_state = PNG_IO_READING | PNG_IO_CHUNK_HDR;
157 #endif
158
159 /* Read the length and the chunk name.
160 * This must be performed in a single I/O call.
161 */
162 png_read_data(png_ptr, buf, 8); 118 png_read_data(png_ptr, buf, 8);
163 length = png_get_uint_31(png_ptr, buf); 119 length = png_get_uint_31(png_ptr, buf);
164 120
165 /* Put the chunk name into png_ptr->chunk_name. */ 121 /* Put the chunk name into png_ptr->chunk_name */
166 png_ptr->chunk_name = PNG_CHUNK_FROM_STRING(buf+4); 122 png_memcpy(png_ptr->chunk_name, buf + 4, 4);
167 123
168 png_debug2(0, "Reading %lx chunk, length = %lu", 124 png_debug2(0, "Reading %s chunk, length = %lu",
169 (unsigned long)png_ptr->chunk_name, (unsigned long)length); 125 png_ptr->chunk_name, length);
170 126
171 /* Reset the crc and run it over the chunk name. */ 127 /* Reset the crc and run it over the chunk name */
172 png_reset_crc(png_ptr); 128 png_reset_crc(png_ptr);
173 png_calculate_crc(png_ptr, buf + 4, 4); 129 png_calculate_crc(png_ptr, png_ptr->chunk_name, 4);
174 130
175 /* Check to see if chunk name is valid. */ 131 /* Check to see if chunk name is valid */
176 png_check_chunk_name(png_ptr, png_ptr->chunk_name); 132 png_check_chunk_name(png_ptr, png_ptr->chunk_name);
177 133
178 #ifdef PNG_IO_STATE_SUPPORTED
179 png_ptr->io_state = PNG_IO_READING | PNG_IO_CHUNK_DATA;
180 #endif
181
182 return length; 134 return length;
183 } 135 }
184 136
185 /* Read data, and (optionally) run it through the CRC. */ 137 /* Read data, and (optionally) run it through the CRC. */
186 void /* PRIVATE */ 138 void /* PRIVATE */
187 png_crc_read(png_structrp png_ptr, png_bytep buf, png_uint_32 length) 139 png_crc_read(png_structp png_ptr, png_bytep buf, png_size_t length)
188 { 140 {
189 if (png_ptr == NULL) 141 if (png_ptr == NULL)
190 return; 142 return;
191
192 png_read_data(png_ptr, buf, length); 143 png_read_data(png_ptr, buf, length);
193 png_calculate_crc(png_ptr, buf, length); 144 png_calculate_crc(png_ptr, buf, length);
194 } 145 }
195 146
196 /* Optionally skip data and then check the CRC. Depending on whether we 147 /* Optionally skip data and then check the CRC. Depending on whether we
197 * are reading an ancillary or critical chunk, and how the program has set 148 * are reading a ancillary or critical chunk, and how the program has set
198 * things up, we may calculate the CRC on the data and print a message. 149 * things up, we may calculate the CRC on the data and print a message.
199 * Returns '1' if there was a CRC error, '0' otherwise. 150 * Returns '1' if there was a CRC error, '0' otherwise.
200 */ 151 */
201 int /* PRIVATE */ 152 int /* PRIVATE */
202 png_crc_finish(png_structrp png_ptr, png_uint_32 skip) 153 png_crc_finish(png_structp png_ptr, png_uint_32 skip)
203 { 154 {
204 /* The size of the local buffer for inflate is a good guess as to a 155 png_size_t i;
205 * reasonable size to use for buffering reads from the application. 156 png_size_t istop = png_ptr->zbuf_size;
206 */ 157
207 while (skip > 0) 158 for (i = (png_size_t)skip; i > istop; i -= istop)
208 { 159 {
209 png_uint_32 len; 160 png_crc_read(png_ptr, png_ptr->zbuf, png_ptr->zbuf_size);
210 png_byte tmpbuf[PNG_INFLATE_BUF_SIZE]; 161 }
211 162 if (i)
212 len = (sizeof tmpbuf); 163 {
213 if (len > skip) 164 png_crc_read(png_ptr, png_ptr->zbuf, i);
214 len = skip;
215 skip -= len;
216
217 png_crc_read(png_ptr, tmpbuf, len);
218 } 165 }
219 166
220 if (png_crc_error(png_ptr)) 167 if (png_crc_error(png_ptr))
221 { 168 {
222 if (PNG_CHUNK_ANCILLARY(png_ptr->chunk_name) ? 169 if (((png_ptr->chunk_name[0] & 0x20) && /* Ancillary */
223 !(png_ptr->flags & PNG_FLAG_CRC_ANCILLARY_NOWARN) : 170 !(png_ptr->flags & PNG_FLAG_CRC_ANCILLARY_NOWARN)) ||
224 (png_ptr->flags & PNG_FLAG_CRC_CRITICAL_USE)) 171 (!(png_ptr->chunk_name[0] & 0x20) && /* Critical */
172 (png_ptr->flags & PNG_FLAG_CRC_CRITICAL_USE)))
225 { 173 {
226 png_chunk_warning(png_ptr, "CRC error"); 174 png_chunk_warning(png_ptr, "CRC error");
227 } 175 }
228
229 else 176 else
230 { 177 {
231 png_chunk_benign_error(png_ptr, "CRC error"); 178 png_chunk_error(png_ptr, "CRC error");
232 return (0);
233 } 179 }
234
235 return (1); 180 return (1);
236 } 181 }
237 182
238 return (0); 183 return (0);
239 } 184 }
240 185
241 /* Compare the CRC stored in the PNG file with that calculated by libpng from 186 /* Compare the CRC stored in the PNG file with that calculated by libpng from
242 * the data it has read thus far. 187 * the data it has read thus far.
243 */ 188 */
244 int /* PRIVATE */ 189 int /* PRIVATE */
245 png_crc_error(png_structrp png_ptr) 190 png_crc_error(png_structp png_ptr)
246 { 191 {
247 png_byte crc_bytes[4]; 192 png_byte crc_bytes[4];
248 png_uint_32 crc; 193 png_uint_32 crc;
249 int need_crc = 1; 194 int need_crc = 1;
250 195
251 if (PNG_CHUNK_ANCILLARY(png_ptr->chunk_name)) 196 if (png_ptr->chunk_name[0] & 0x20) /* ancillary */
252 { 197 {
253 if ((png_ptr->flags & PNG_FLAG_CRC_ANCILLARY_MASK) == 198 if ((png_ptr->flags & PNG_FLAG_CRC_ANCILLARY_MASK) ==
254 (PNG_FLAG_CRC_ANCILLARY_USE | PNG_FLAG_CRC_ANCILLARY_NOWARN)) 199 (PNG_FLAG_CRC_ANCILLARY_USE | PNG_FLAG_CRC_ANCILLARY_NOWARN))
255 need_crc = 0; 200 need_crc = 0;
256 } 201 }
257 202 else /* critical */
258 else /* critical */
259 { 203 {
260 if (png_ptr->flags & PNG_FLAG_CRC_CRITICAL_IGNORE) 204 if (png_ptr->flags & PNG_FLAG_CRC_CRITICAL_IGNORE)
261 need_crc = 0; 205 need_crc = 0;
262 } 206 }
263 207
264 #ifdef PNG_IO_STATE_SUPPORTED
265 png_ptr->io_state = PNG_IO_READING | PNG_IO_CHUNK_CRC;
266 #endif
267
268 /* The chunk CRC must be serialized in a single I/O call. */
269 png_read_data(png_ptr, crc_bytes, 4); 208 png_read_data(png_ptr, crc_bytes, 4);
270 209
271 if (need_crc) 210 if (need_crc)
272 { 211 {
273 crc = png_get_uint_32(crc_bytes); 212 crc = png_get_uint_32(crc_bytes);
274 return ((int)(crc != png_ptr->crc)); 213 return ((int)(crc != png_ptr->crc));
275 } 214 }
276
277 else 215 else
278 return (0); 216 return (0);
279 } 217 }
280 218
281 /* Manage the read buffer; this simply reallocates the buffer if it is not small 219 #if defined(PNG_READ_zTXt_SUPPORTED) || defined(PNG_READ_iTXt_SUPPORTED) || \
282 * enough (or if it is not allocated). The routine returns a pointer to the 220 defined(PNG_READ_iCCP_SUPPORTED)
283 * buffer; if an error occurs and 'warn' is set the routine returns NULL, else 221 static png_size_t
284 * it will call png_error (via png_malloc) on failure. (warn == 2 means 222 png_inflate(png_structp png_ptr, const png_byte *data, png_size_t size,
285 * 'silent'). 223 png_bytep output, png_size_t output_size)
286 */
287 static png_bytep
288 png_read_buffer(png_structrp png_ptr, png_alloc_size_t new_size, int warn)
289 { 224 {
290 png_bytep buffer = png_ptr->read_buffer; 225 png_size_t count = 0;
291 226
292 if (buffer != NULL && new_size > png_ptr->read_buffer_size) 227 png_ptr->zstream.next_in = (png_bytep)data; /* const_cast: VALID */
293 { 228 png_ptr->zstream.avail_in = size;
294 png_ptr->read_buffer = NULL; 229
295 png_ptr->read_buffer = NULL; 230 while (1)
296 png_ptr->read_buffer_size = 0; 231 {
297 png_free(png_ptr, buffer); 232 int ret, avail;
298 buffer = NULL; 233
299 } 234 /* Reset the output buffer each time round - we empty it
300 235 * after every inflate call.
301 if (buffer == NULL) 236 */
302 { 237 png_ptr->zstream.next_out = png_ptr->zbuf;
303 buffer = png_voidcast(png_bytep, png_malloc_base(png_ptr, new_size)); 238 png_ptr->zstream.avail_out = png_ptr->zbuf_size;
304 239
305 if (buffer != NULL) 240 ret = inflate(&png_ptr->zstream, Z_NO_FLUSH);
306 { 241 avail = png_ptr->zbuf_size - png_ptr->zstream.avail_out;
307 png_ptr->read_buffer = buffer; 242
308 png_ptr->read_buffer_size = new_size; 243 /* First copy/count any new output - but only if we didn't
309 } 244 * get an error code.
310 245 */
311 else if (warn < 2) /* else silent */ 246 if ((ret == Z_OK || ret == Z_STREAM_END) && avail > 0)
312 { 247 {
313 #ifdef PNG_WARNINGS_SUPPORTED 248 if (output != 0 && output_size > count)
314 if (warn) 249 {
315 png_chunk_warning(png_ptr, "insufficient memory to read chunk"); 250 png_size_t copy = output_size - count;
251 if ((png_size_t) avail < copy) copy = (png_size_t) avail;
252 png_memcpy(output + count, png_ptr->zbuf, copy);
253 }
254 count += avail;
255 }
256
257 if (ret == Z_OK)
258 continue;
259
260 /* Termination conditions - always reset the zstream, it
261 * must be left in inflateInit state.
262 */
263 png_ptr->zstream.avail_in = 0;
264 inflateReset(&png_ptr->zstream);
265
266 if (ret == Z_STREAM_END)
267 return count; /* NOTE: may be zero. */
268
269 /* Now handle the error codes - the API always returns 0
270 * and the error message is dumped into the uncompressed
271 * buffer if available.
272 */
273 {
274 PNG_CONST char *msg;
275 if (png_ptr->zstream.msg != 0)
276 msg = png_ptr->zstream.msg;
316 else 277 else
317 #endif 278 {
318 { 279 #if defined(PNG_STDIO_SUPPORTED) && !defined(_WIN32_WCE)
319 #ifdef PNG_ERROR_TEXT_SUPPORTED 280 char umsg[52];
320 png_chunk_error(png_ptr, "insufficient memory to read chunk"); 281
321 #endif 282 switch (ret)
322 } 283 {
323 } 284 case Z_BUF_ERROR:
324 } 285 msg = "Buffer error in compressed datastream in %s chunk";
325 286 break;
326 return buffer; 287 case Z_DATA_ERROR:
288 msg = "Data error in compressed datastream in %s chunk";
289 break;
290 default:
291 msg = "Incomplete compressed datastream in %s chunk";
292 break;
293 }
294
295 png_snprintf(umsg, sizeof umsg, msg, png_ptr->chunk_name);
296 msg = umsg;
297 #else
298 msg = "Damaged compressed datastream in chunk other than IDAT";
299 #endif
300 }
301
302 png_warning(png_ptr, msg);
303 }
304
305 /* 0 means an error - notice that this code simple ignores
306 * zero length compressed chunks as a result.
307 */
308 return 0;
309 }
327 } 310 }
328 311
329 /* png_inflate_claim: claim the zstream for some nefarious purpose that involves
330 * decompression. Returns Z_OK on success, else a zlib error code. It checks
331 * the owner but, in final release builds, just issues a warning if some other
332 * chunk apparently owns the stream. Prior to release it does a png_error.
333 */
334 static int
335 png_inflate_claim(png_structrp png_ptr, png_uint_32 owner)
336 {
337 if (png_ptr->zowner != 0)
338 {
339 char msg[64];
340
341 PNG_STRING_FROM_CHUNK(msg, png_ptr->zowner);
342 /* So the message that results is "<chunk> using zstream"; this is an
343 * internal error, but is very useful for debugging. i18n requirements
344 * are minimal.
345 */
346 (void)png_safecat(msg, (sizeof msg), 4, " using zstream");
347 # if PNG_LIBPNG_BUILD_BASE_TYPE >= PNG_LIBPNG_BUILD_RC
348 png_chunk_warning(png_ptr, msg);
349 png_ptr->zowner = 0;
350 # else
351 png_chunk_error(png_ptr, msg);
352 # endif
353 }
354
355 /* Implementation note: unlike 'png_deflate_claim' this internal function
356 * does not take the size of the data as an argument. Some efficiency could
357 * be gained by using this when it is known *if* the zlib stream itself does
358 * not record the number; however, this is an illusion: the original writer
359 * of the PNG may have selected a lower window size, and we really must
360 * follow that because, for systems with with limited capabilities, we
361 * would otherwise reject the application's attempts to use a smaller window
362 * size (zlib doesn't have an interface to say "this or lower"!).
363 *
364 * inflateReset2 was added to zlib 1.2.4; before this the window could not be
365 * reset, therefore it is necessary to always allocate the maximum window
366 * size with earlier zlibs just in case later compressed chunks need it.
367 */
368 {
369 int ret; /* zlib return code */
370 # if PNG_ZLIB_VERNUM >= 0x1240
371
372 # if defined(PNG_SET_OPTION_SUPPORTED) && \
373 defined(PNG_MAXIMUM_INFLATE_WINDOW)
374 int window_bits;
375
376 if (((png_ptr->options >> PNG_MAXIMUM_INFLATE_WINDOW) & 3) ==
377 PNG_OPTION_ON)
378 window_bits = 15;
379
380 else
381 window_bits = 0;
382 # else
383 # define window_bits 0
384 # endif
385 # endif
386
387 /* Set this for safety, just in case the previous owner left pointers to
388 * memory allocations.
389 */
390 png_ptr->zstream.next_in = NULL;
391 png_ptr->zstream.avail_in = 0;
392 png_ptr->zstream.next_out = NULL;
393 png_ptr->zstream.avail_out = 0;
394
395 if (png_ptr->flags & PNG_FLAG_ZSTREAM_INITIALIZED)
396 {
397 # if PNG_ZLIB_VERNUM < 0x1240
398 ret = inflateReset(&png_ptr->zstream);
399 # else
400 ret = inflateReset2(&png_ptr->zstream, window_bits);
401 # endif
402 }
403
404 else
405 {
406 # if PNG_ZLIB_VERNUM < 0x1240
407 ret = inflateInit(&png_ptr->zstream);
408 # else
409 ret = inflateInit2(&png_ptr->zstream, window_bits);
410 # endif
411
412 if (ret == Z_OK)
413 png_ptr->flags |= PNG_FLAG_ZSTREAM_INITIALIZED;
414 }
415
416 if (ret == Z_OK)
417 png_ptr->zowner = owner;
418
419 else
420 png_zstream_error(png_ptr, ret);
421
422 return ret;
423 }
424
425 # ifdef window_bits
426 # undef window_bits
427 # endif
428 }
429
430 #ifdef PNG_READ_COMPRESSED_TEXT_SUPPORTED
431 /* png_inflate now returns zlib error codes including Z_OK and Z_STREAM_END to
432 * allow the caller to do multiple calls if required. If the 'finish' flag is
433 * set Z_FINISH will be passed to the final inflate() call and Z_STREAM_END must
434 * be returned or there has been a problem, otherwise Z_SYNC_FLUSH is used and
435 * Z_OK or Z_STREAM_END will be returned on success.
436 *
437 * The input and output sizes are updated to the actual amounts of data consumed
438 * or written, not the amount available (as in a z_stream). The data pointers
439 * are not changed, so the next input is (data+input_size) and the next
440 * available output is (output+output_size).
441 */
442 static int
443 png_inflate(png_structrp png_ptr, png_uint_32 owner, int finish,
444 /* INPUT: */ png_const_bytep input, png_uint_32p input_size_ptr,
445 /* OUTPUT: */ png_bytep output, png_alloc_size_t *output_size_ptr)
446 {
447 if (png_ptr->zowner == owner) /* Else not claimed */
448 {
449 int ret;
450 png_alloc_size_t avail_out = *output_size_ptr;
451 png_uint_32 avail_in = *input_size_ptr;
452
453 /* zlib can't necessarily handle more than 65535 bytes at once (i.e. it
454 * can't even necessarily handle 65536 bytes) because the type uInt is
455 * "16 bits or more". Consequently it is necessary to chunk the input to
456 * zlib. This code uses ZLIB_IO_MAX, from pngpriv.h, as the maximum (the
457 * maximum value that can be stored in a uInt.) It is possible to set
458 * ZLIB_IO_MAX to a lower value in pngpriv.h and this may sometimes have
459 * a performance advantage, because it reduces the amount of data accessed
460 * at each step and that may give the OS more time to page it in.
461 */
462 png_ptr->zstream.next_in = PNGZ_INPUT_CAST(input);
463 /* avail_in and avail_out are set below from 'size' */
464 png_ptr->zstream.avail_in = 0;
465 png_ptr->zstream.avail_out = 0;
466
467 /* Read directly into the output if it is available (this is set to
468 * a local buffer below if output is NULL).
469 */
470 if (output != NULL)
471 png_ptr->zstream.next_out = output;
472
473 do
474 {
475 uInt avail;
476 Byte local_buffer[PNG_INFLATE_BUF_SIZE];
477
478 /* zlib INPUT BUFFER */
479 /* The setting of 'avail_in' used to be outside the loop; by setting it
480 * inside it is possible to chunk the input to zlib and simply rely on
481 * zlib to advance the 'next_in' pointer. This allows arbitrary
482 * amounts of data to be passed through zlib at the unavoidable cost of
483 * requiring a window save (memcpy of up to 32768 output bytes)
484 * every ZLIB_IO_MAX input bytes.
485 */
486 avail_in += png_ptr->zstream.avail_in; /* not consumed last time */
487
488 avail = ZLIB_IO_MAX;
489
490 if (avail_in < avail)
491 avail = (uInt)avail_in; /* safe: < than ZLIB_IO_MAX */
492
493 avail_in -= avail;
494 png_ptr->zstream.avail_in = avail;
495
496 /* zlib OUTPUT BUFFER */
497 avail_out += png_ptr->zstream.avail_out; /* not written last time */
498
499 avail = ZLIB_IO_MAX; /* maximum zlib can process */
500
501 if (output == NULL)
502 {
503 /* Reset the output buffer each time round if output is NULL and
504 * make available the full buffer, up to 'remaining_space'
505 */
506 png_ptr->zstream.next_out = local_buffer;
507 if ((sizeof local_buffer) < avail)
508 avail = (sizeof local_buffer);
509 }
510
511 if (avail_out < avail)
512 avail = (uInt)avail_out; /* safe: < ZLIB_IO_MAX */
513
514 png_ptr->zstream.avail_out = avail;
515 avail_out -= avail;
516
517 /* zlib inflate call */
518 /* In fact 'avail_out' may be 0 at this point, that happens at the end
519 * of the read when the final LZ end code was not passed at the end of
520 * the previous chunk of input data. Tell zlib if we have reached the
521 * end of the output buffer.
522 */
523 ret = inflate(&png_ptr->zstream, avail_out > 0 ? Z_NO_FLUSH :
524 (finish ? Z_FINISH : Z_SYNC_FLUSH));
525 } while (ret == Z_OK);
526
527 /* For safety kill the local buffer pointer now */
528 if (output == NULL)
529 png_ptr->zstream.next_out = NULL;
530
531 /* Claw back the 'size' and 'remaining_space' byte counts. */
532 avail_in += png_ptr->zstream.avail_in;
533 avail_out += png_ptr->zstream.avail_out;
534
535 /* Update the input and output sizes; the updated values are the amount
536 * consumed or written, effectively the inverse of what zlib uses.
537 */
538 if (avail_out > 0)
539 *output_size_ptr -= avail_out;
540
541 if (avail_in > 0)
542 *input_size_ptr -= avail_in;
543
544 /* Ensure png_ptr->zstream.msg is set (even in the success case!) */
545 png_zstream_error(png_ptr, ret);
546 return ret;
547 }
548
549 else
550 {
551 /* This is a bad internal error. The recovery assigns to the zstream msg
552 * pointer, which is not owned by the caller, but this is safe; it's only
553 * used on errors!
554 */
555 png_ptr->zstream.msg = PNGZ_MSG_CAST("zstream unclaimed");
556 return Z_STREAM_ERROR;
557 }
558 }
559
560 /* 312 /*
561 * Decompress trailing data in a chunk. The assumption is that read_buffer 313 * Decompress trailing data in a chunk. The assumption is that chunkdata
562 * points at an allocated area holding the contents of a chunk with a 314 * points at an allocated area holding the contents of a chunk with a
563 * trailing compressed part. What we get back is an allocated area 315 * trailing compressed part. What we get back is an allocated area
564 * holding the original prefix part and an uncompressed version of the 316 * holding the original prefix part and an uncompressed version of the
565 * trailing part (the malloc area passed in is freed). 317 * trailing part (the malloc area passed in is freed).
566 */ 318 */
567 static int 319 void /* PRIVATE */
568 png_decompress_chunk(png_structrp png_ptr, 320 png_decompress_chunk(png_structp png_ptr, int comp_type,
569 png_uint_32 chunklength, png_uint_32 prefix_size, 321 png_size_t chunklength,
570 png_alloc_size_t *newlength /* must be initialized to the maximum! */, 322 png_size_t prefix_size, png_size_t *newlength)
571 int terminate /*add a '\0' to the end of the uncompressed data*/)
572 { 323 {
573 /* TODO: implement different limits for different types of chunk. 324 /* The caller should guarantee this */
574 * 325 if (prefix_size > chunklength)
575 * The caller supplies *newlength set to the maximum length of the 326 {
576 * uncompressed data, but this routine allocates space for the prefix and 327 /* The recovery is to delete the chunk. */
577 * maybe a '\0' terminator too. We have to assume that 'prefix_size' is 328 png_warning(png_ptr, "invalid chunklength");
578 * limited only by the maximum chunk size. 329 prefix_size = 0; /* To delete everything */
330 }
331
332 else if (comp_type == PNG_COMPRESSION_TYPE_BASE)
333 {
334 png_size_t expanded_size = png_inflate(png_ptr,
335 (png_bytep)(png_ptr->chunkdata + prefix_size),
336 chunklength - prefix_size,
337 0/*output*/, 0/*output size*/);
338
339 /* Now check the limits on this chunk - if the limit fails the
340 * compressed data will be removed, the prefix will remain.
341 */
342 #ifdef PNG_SET_CHUNK_MALLOC_LIMIT_SUPPORTED
343 if (png_ptr->user_chunk_malloc_max &&
344 (prefix_size + expanded_size >= png_ptr->user_chunk_malloc_max - 1))
345 #else
346 # ifdef PNG_USER_CHUNK_MALLOC_MAX
347 if ((PNG_USER_CHUNK_MALLOC_MAX > 0) &&
348 prefix_size + expanded_size >= PNG_USER_CHUNK_MALLOC_MAX - 1)
349 # endif
350 #endif
351 png_warning(png_ptr, "Exceeded size limit while expanding chunk");
352
353 /* If the size is zero either there was an error and a message
354 * has already been output (warning) or the size really is zero
355 * and we have nothing to do - the code will exit through the
356 * error case below.
357 */
358 #if defined(PNG_SET_CHUNK_MALLOC_LIMIT_SUPPORTED) || \
359 defined(PNG_USER_CHUNK_MALLOC_MAX)
360 else
361 #endif
362 if (expanded_size > 0)
363 {
364 /* Success (maybe) - really uncompress the chunk. */
365 png_size_t new_size = 0;
366 png_charp text = NULL;
367 /* Need to check for both truncation (64-bit platforms) and integer
368 * overflow.
369 */
370 if (prefix_size + expanded_size > prefix_size &&
371 prefix_size + expanded_size < 0xffffffffU)
372 {
373 text = png_malloc_warn(png_ptr, prefix_size + expanded_size + 1);
374 }
375
376 if (text != NULL)
377 {
378 png_memcpy(text, png_ptr->chunkdata, prefix_size);
379 new_size = png_inflate(png_ptr,
380 (png_bytep)(png_ptr->chunkdata + prefix_size),
381 chunklength - prefix_size,
382 (png_bytep)(text + prefix_size), expanded_size);
383 text[prefix_size + expanded_size] = 0; /* just in case */
384
385 if (new_size == expanded_size)
386 {
387 png_free(png_ptr, png_ptr->chunkdata);
388 png_ptr->chunkdata = text;
389 *newlength = prefix_size + expanded_size;
390 return; /* The success return! */
391 }
392
393 png_warning(png_ptr, "png_inflate logic error");
394 png_free(png_ptr, text);
395 }
396 else
397 png_warning(png_ptr, "Not enough memory to decompress chunk.");
398 }
399 }
400
401 else /* if (comp_type != PNG_COMPRESSION_TYPE_BASE) */
402 {
403 #if defined(PNG_STDIO_SUPPORTED) && !defined(_WIN32_WCE)
404 char umsg[50];
405
406 png_snprintf(umsg, sizeof umsg, "Unknown zTXt compression type %d",
407 comp_type);
408 png_warning(png_ptr, umsg);
409 #else
410 png_warning(png_ptr, "Unknown zTXt compression type");
411 #endif
412
413 /* The recovery is to simply drop the data. */
414 }
415
416 /* Generic error return - leave the prefix, delete the compressed
417 * data, reallocate the chunkdata to remove the potentially large
418 * amount of compressed data.
579 */ 419 */
580 png_alloc_size_t limit = PNG_SIZE_MAX; 420 {
581 421 png_charp text = png_malloc_warn(png_ptr, prefix_size + 1);
582 # ifdef PNG_SET_CHUNK_MALLOC_LIMIT_SUPPORTED 422 if (text != NULL)
583 if (png_ptr->user_chunk_malloc_max > 0 && 423 {
584 png_ptr->user_chunk_malloc_max < limit) 424 if (prefix_size > 0)
585 limit = png_ptr->user_chunk_malloc_max; 425 png_memcpy(text, png_ptr->chunkdata, prefix_size);
586 # elif PNG_USER_CHUNK_MALLOC_MAX > 0 426 png_free(png_ptr, png_ptr->chunkdata);
587 if (PNG_USER_CHUNK_MALLOC_MAX < limit) 427 png_ptr->chunkdata = text;
588 limit = PNG_USER_CHUNK_MALLOC_MAX; 428
589 # endif 429 /* This is an extra zero in the 'uncompressed' part. */
590 430 *(png_ptr->chunkdata + prefix_size) = 0x00;
591 if (limit >= prefix_size + (terminate != 0)) 431 }
592 { 432 /* Ignore a malloc error here - it is safe. */
593 int ret; 433 }
594 434
595 limit -= prefix_size + (terminate != 0); 435 *newlength = prefix_size;
596
597 if (limit < *newlength)
598 *newlength = limit;
599
600 /* Now try to claim the stream. */
601 ret = png_inflate_claim(png_ptr, png_ptr->chunk_name);
602
603 if (ret == Z_OK)
604 {
605 png_uint_32 lzsize = chunklength - prefix_size;
606
607 ret = png_inflate(png_ptr, png_ptr->chunk_name, 1/*finish*/,
608 /* input: */ png_ptr->read_buffer + prefix_size, &lzsize,
609 /* output: */ NULL, newlength);
610
611 if (ret == Z_STREAM_END)
612 {
613 /* Use 'inflateReset' here, not 'inflateReset2' because this
614 * preserves the previously decided window size (otherwise it would
615 * be necessary to store the previous window size.) In practice
616 * this doesn't matter anyway, because png_inflate will call inflate
617 * with Z_FINISH in almost all cases, so the window will not be
618 * maintained.
619 */
620 if (inflateReset(&png_ptr->zstream) == Z_OK)
621 {
622 /* Because of the limit checks above we know that the new,
623 * expanded, size will fit in a size_t (let alone an
624 * png_alloc_size_t). Use png_malloc_base here to avoid an
625 * extra OOM message.
626 */
627 png_alloc_size_t new_size = *newlength;
628 png_alloc_size_t buffer_size = prefix_size + new_size +
629 (terminate != 0);
630 png_bytep text = png_voidcast(png_bytep, png_malloc_base(png_ptr,
631 buffer_size));
632
633 if (text != NULL)
634 {
635 ret = png_inflate(png_ptr, png_ptr->chunk_name, 1/*finish*/,
636 png_ptr->read_buffer + prefix_size, &lzsize,
637 text + prefix_size, newlength);
638
639 if (ret == Z_STREAM_END)
640 {
641 if (new_size == *newlength)
642 {
643 if (terminate)
644 text[prefix_size + *newlength] = 0;
645
646 if (prefix_size > 0)
647 memcpy(text, png_ptr->read_buffer, prefix_size);
648
649 {
650 png_bytep old_ptr = png_ptr->read_buffer;
651
652 png_ptr->read_buffer = text;
653 png_ptr->read_buffer_size = buffer_size;
654 text = old_ptr; /* freed below */
655 }
656 }
657
658 else
659 {
660 /* The size changed on the second read, there can be no
661 * guarantee that anything is correct at this point.
662 * The 'msg' pointer has been set to "unexpected end of
663 * LZ stream", which is fine, but return an error code
664 * that the caller won't accept.
665 */
666 ret = PNG_UNEXPECTED_ZLIB_RETURN;
667 }
668 }
669
670 else if (ret == Z_OK)
671 ret = PNG_UNEXPECTED_ZLIB_RETURN; /* for safety */
672
673 /* Free the text pointer (this is the old read_buffer on
674 * success)
675 */
676 png_free(png_ptr, text);
677
678 /* This really is very benign, but it's still an error because
679 * the extra space may otherwise be used as a Trojan Horse.
680 */
681 if (ret == Z_STREAM_END &&
682 chunklength - prefix_size != lzsize)
683 png_chunk_benign_error(png_ptr, "extra compressed data");
684 }
685
686 else
687 {
688 /* Out of memory allocating the buffer */
689 ret = Z_MEM_ERROR;
690 png_zstream_error(png_ptr, Z_MEM_ERROR);
691 }
692 }
693
694 else
695 {
696 /* inflateReset failed, store the error message */
697 png_zstream_error(png_ptr, ret);
698
699 if (ret == Z_STREAM_END)
700 ret = PNG_UNEXPECTED_ZLIB_RETURN;
701 }
702 }
703
704 else if (ret == Z_OK)
705 ret = PNG_UNEXPECTED_ZLIB_RETURN;
706
707 /* Release the claimed stream */
708 png_ptr->zowner = 0;
709 }
710
711 else /* the claim failed */ if (ret == Z_STREAM_END) /* impossible! */
712 ret = PNG_UNEXPECTED_ZLIB_RETURN;
713
714 return ret;
715 }
716
717 else
718 {
719 /* Application/configuration limits exceeded */
720 png_zstream_error(png_ptr, Z_MEM_ERROR);
721 return Z_MEM_ERROR;
722 }
723 }
724 #endif /* PNG_READ_COMPRESSED_TEXT_SUPPORTED */
725
726 #ifdef PNG_READ_iCCP_SUPPORTED
727 /* Perform a partial read and decompress, producing 'avail_out' bytes and
728 * reading from the current chunk as required.
729 */
730 static int
731 png_inflate_read(png_structrp png_ptr, png_bytep read_buffer, uInt read_size,
732 png_uint_32p chunk_bytes, png_bytep next_out, png_alloc_size_t *out_size,
733 int finish)
734 {
735 if (png_ptr->zowner == png_ptr->chunk_name)
736 {
737 int ret;
738
739 /* next_in and avail_in must have been initialized by the caller. */
740 png_ptr->zstream.next_out = next_out;
741 png_ptr->zstream.avail_out = 0; /* set in the loop */
742
743 do
744 {
745 if (png_ptr->zstream.avail_in == 0)
746 {
747 if (read_size > *chunk_bytes)
748 read_size = (uInt)*chunk_bytes;
749 *chunk_bytes -= read_size;
750
751 if (read_size > 0)
752 png_crc_read(png_ptr, read_buffer, read_size);
753
754 png_ptr->zstream.next_in = read_buffer;
755 png_ptr->zstream.avail_in = read_size;
756 }
757
758 if (png_ptr->zstream.avail_out == 0)
759 {
760 uInt avail = ZLIB_IO_MAX;
761 if (avail > *out_size)
762 avail = (uInt)*out_size;
763 *out_size -= avail;
764
765 png_ptr->zstream.avail_out = avail;
766 }
767
768 /* Use Z_SYNC_FLUSH when there is no more chunk data to ensure that all
769 * the available output is produced; this allows reading of truncated
770 * streams.
771 */
772 ret = inflate(&png_ptr->zstream,
773 *chunk_bytes > 0 ? Z_NO_FLUSH : (finish ? Z_FINISH : Z_SYNC_FLUSH));
774 }
775 while (ret == Z_OK && (*out_size > 0 || png_ptr->zstream.avail_out > 0));
776
777 *out_size += png_ptr->zstream.avail_out;
778 png_ptr->zstream.avail_out = 0; /* Should not be required, but is safe */
779
780 /* Ensure the error message pointer is always set: */
781 png_zstream_error(png_ptr, ret);
782 return ret;
783 }
784
785 else
786 {
787 png_ptr->zstream.msg = PNGZ_MSG_CAST("zstream unclaimed");
788 return Z_STREAM_ERROR;
789 }
790 } 436 }
791 #endif 437 #endif
792 438
793 /* Read and check the IDHR chunk */ 439 /* Read and check the IDHR chunk */
794 void /* PRIVATE */ 440 void /* PRIVATE */
795 png_handle_IHDR(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length) 441 png_handle_IHDR(png_structp png_ptr, png_infop info_ptr, png_uint_32 length)
796 { 442 {
797 png_byte buf[13]; 443 png_byte buf[13];
798 png_uint_32 width, height; 444 png_uint_32 width, height;
799 int bit_depth, color_type, compression_type, filter_type; 445 int bit_depth, color_type, compression_type, filter_type;
800 int interlace_type; 446 int interlace_type;
801 447
802 png_debug(1, "in png_handle_IHDR"); 448 png_debug(1, "in png_handle_IHDR");
803 449
804 if (png_ptr->mode & PNG_HAVE_IHDR) 450 if (png_ptr->mode & PNG_HAVE_IHDR)
805 png_chunk_error(png_ptr, "out of place"); 451 png_error(png_ptr, "Out of place IHDR");
806 452
807 /* Check the length */ 453 /* Check the length */
808 if (length != 13) 454 if (length != 13)
809 png_chunk_error(png_ptr, "invalid"); 455 png_error(png_ptr, "Invalid IHDR chunk");
810 456
811 png_ptr->mode |= PNG_HAVE_IHDR; 457 png_ptr->mode |= PNG_HAVE_IHDR;
812 458
813 png_crc_read(png_ptr, buf, 13); 459 png_crc_read(png_ptr, buf, 13);
814 png_crc_finish(png_ptr, 0); 460 png_crc_finish(png_ptr, 0);
815 461
816 width = png_get_uint_31(png_ptr, buf); 462 width = png_get_uint_31(png_ptr, buf);
817 height = png_get_uint_31(png_ptr, buf + 4); 463 height = png_get_uint_31(png_ptr, buf + 4);
818 bit_depth = buf[8]; 464 bit_depth = buf[8];
819 color_type = buf[9]; 465 color_type = buf[9];
820 compression_type = buf[10]; 466 compression_type = buf[10];
821 filter_type = buf[11]; 467 filter_type = buf[11];
822 interlace_type = buf[12]; 468 interlace_type = buf[12];
823 469
824 /* Set internal variables */ 470 /* Set internal variables */
825 png_ptr->width = width; 471 png_ptr->width = width;
826 png_ptr->height = height; 472 png_ptr->height = height;
827 png_ptr->bit_depth = (png_byte)bit_depth; 473 png_ptr->bit_depth = (png_byte)bit_depth;
828 png_ptr->interlaced = (png_byte)interlace_type; 474 png_ptr->interlaced = (png_byte)interlace_type;
829 png_ptr->color_type = (png_byte)color_type; 475 png_ptr->color_type = (png_byte)color_type;
830 #ifdef PNG_MNG_FEATURES_SUPPORTED 476 #ifdef PNG_MNG_FEATURES_SUPPORTED
831 png_ptr->filter_type = (png_byte)filter_type; 477 png_ptr->filter_type = (png_byte)filter_type;
832 #endif 478 #endif
833 png_ptr->compression_type = (png_byte)compression_type; 479 png_ptr->compression_type = (png_byte)compression_type;
834 480
835 /* Find number of channels */ 481 /* Find number of channels */
836 switch (png_ptr->color_type) 482 switch (png_ptr->color_type)
837 { 483 {
838 default: /* invalid, png_set_IHDR calls png_error */
839 case PNG_COLOR_TYPE_GRAY: 484 case PNG_COLOR_TYPE_GRAY:
840 case PNG_COLOR_TYPE_PALETTE: 485 case PNG_COLOR_TYPE_PALETTE:
841 png_ptr->channels = 1; 486 png_ptr->channels = 1;
842 break; 487 break;
843 488
844 case PNG_COLOR_TYPE_RGB: 489 case PNG_COLOR_TYPE_RGB:
845 png_ptr->channels = 3; 490 png_ptr->channels = 3;
846 break; 491 break;
847 492
848 case PNG_COLOR_TYPE_GRAY_ALPHA: 493 case PNG_COLOR_TYPE_GRAY_ALPHA:
849 png_ptr->channels = 2; 494 png_ptr->channels = 2;
850 break; 495 break;
851 496
852 case PNG_COLOR_TYPE_RGB_ALPHA: 497 case PNG_COLOR_TYPE_RGB_ALPHA:
853 png_ptr->channels = 4; 498 png_ptr->channels = 4;
854 break; 499 break;
855 } 500 }
856 501
857 /* Set up other useful info */ 502 /* Set up other useful info */
858 png_ptr->pixel_depth = (png_byte)(png_ptr->bit_depth * 503 png_ptr->pixel_depth = (png_byte)(png_ptr->bit_depth *
859 png_ptr->channels); 504 png_ptr->channels);
860 png_ptr->rowbytes = PNG_ROWBYTES(png_ptr->pixel_depth, png_ptr->width); 505 png_ptr->rowbytes = PNG_ROWBYTES(png_ptr->pixel_depth, png_ptr->width);
861 png_debug1(3, "bit_depth = %d", png_ptr->bit_depth); 506 png_debug1(3, "bit_depth = %d", png_ptr->bit_depth);
862 png_debug1(3, "channels = %d", png_ptr->channels); 507 png_debug1(3, "channels = %d", png_ptr->channels);
863 png_debug1(3, "rowbytes = %lu", (unsigned long)png_ptr->rowbytes); 508 png_debug1(3, "rowbytes = %lu", png_ptr->rowbytes);
864 png_set_IHDR(png_ptr, info_ptr, width, height, bit_depth, 509 png_set_IHDR(png_ptr, info_ptr, width, height, bit_depth,
865 color_type, interlace_type, compression_type, filter_type); 510 color_type, interlace_type, compression_type, filter_type);
866 } 511 }
867 512
868 /* Read and check the palette */ 513 /* Read and check the palette */
869 void /* PRIVATE */ 514 void /* PRIVATE */
870 png_handle_PLTE(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length) 515 png_handle_PLTE(png_structp png_ptr, png_infop info_ptr, png_uint_32 length)
871 { 516 {
872 png_color palette[PNG_MAX_PALETTE_LENGTH]; 517 png_color palette[PNG_MAX_PALETTE_LENGTH];
873 int num, i; 518 int num, i;
874 #ifdef PNG_POINTER_INDEXING_SUPPORTED 519 #ifdef PNG_POINTER_INDEXING_SUPPORTED
875 png_colorp pal_ptr; 520 png_colorp pal_ptr;
876 #endif 521 #endif
877 522
878 png_debug(1, "in png_handle_PLTE"); 523 png_debug(1, "in png_handle_PLTE");
879 524
880 if (!(png_ptr->mode & PNG_HAVE_IHDR)) 525 if (!(png_ptr->mode & PNG_HAVE_IHDR))
881 png_chunk_error(png_ptr, "missing IHDR"); 526 png_error(png_ptr, "Missing IHDR before PLTE");
882
883 /* Moved to before the 'after IDAT' check below because otherwise duplicate
884 * PLTE chunks are potentially ignored (the spec says there shall not be more
885 * than one PLTE, the error is not treated as benign, so this check trumps
886 * the requirement that PLTE appears before IDAT.)
887 */
888 else if (png_ptr->mode & PNG_HAVE_PLTE)
889 png_chunk_error(png_ptr, "duplicate");
890 527
891 else if (png_ptr->mode & PNG_HAVE_IDAT) 528 else if (png_ptr->mode & PNG_HAVE_IDAT)
892 { 529 {
893 /* This is benign because the non-benign error happened before, when an 530 png_warning(png_ptr, "Invalid PLTE after IDAT");
894 * IDAT was encountered in a color-mapped image with no PLTE.
895 */
896 png_crc_finish(png_ptr, length); 531 png_crc_finish(png_ptr, length);
897 png_chunk_benign_error(png_ptr, "out of place");
898 return; 532 return;
899 } 533 }
900 534
535 else if (png_ptr->mode & PNG_HAVE_PLTE)
536 png_error(png_ptr, "Duplicate PLTE chunk");
537
901 png_ptr->mode |= PNG_HAVE_PLTE; 538 png_ptr->mode |= PNG_HAVE_PLTE;
902 539
903 if (!(png_ptr->color_type & PNG_COLOR_MASK_COLOR)) 540 if (!(png_ptr->color_type&PNG_COLOR_MASK_COLOR))
904 { 541 {
542 png_warning(png_ptr,
543 "Ignoring PLTE chunk in grayscale PNG");
905 png_crc_finish(png_ptr, length); 544 png_crc_finish(png_ptr, length);
906 png_chunk_benign_error(png_ptr, "ignored in grayscale PNG");
907 return; 545 return;
908 } 546 }
909
910 #ifndef PNG_READ_OPT_PLTE_SUPPORTED 547 #ifndef PNG_READ_OPT_PLTE_SUPPORTED
911 if (png_ptr->color_type != PNG_COLOR_TYPE_PALETTE) 548 if (png_ptr->color_type != PNG_COLOR_TYPE_PALETTE)
912 { 549 {
913 png_crc_finish(png_ptr, length); 550 png_crc_finish(png_ptr, length);
914 return; 551 return;
915 } 552 }
916 #endif 553 #endif
917 554
918 if (length > 3*PNG_MAX_PALETTE_LENGTH || length % 3) 555 if (length > 3*PNG_MAX_PALETTE_LENGTH || length % 3)
919 { 556 {
920 png_crc_finish(png_ptr, length);
921
922 if (png_ptr->color_type != PNG_COLOR_TYPE_PALETTE) 557 if (png_ptr->color_type != PNG_COLOR_TYPE_PALETTE)
923 png_chunk_benign_error(png_ptr, "invalid"); 558 {
559 png_warning(png_ptr, "Invalid palette chunk");
560 png_crc_finish(png_ptr, length);
561 return;
562 }
924 563
925 else 564 else
926 png_chunk_error(png_ptr, "invalid"); 565 {
927 566 png_error(png_ptr, "Invalid palette chunk");
928 return; 567 }
929 } 568 }
930 569
931 /* The cast is safe because 'length' is less than 3*PNG_MAX_PALETTE_LENGTH */
932 num = (int)length / 3; 570 num = (int)length / 3;
933 571
934 #ifdef PNG_POINTER_INDEXING_SUPPORTED 572 #ifdef PNG_POINTER_INDEXING_SUPPORTED
935 for (i = 0, pal_ptr = palette; i < num; i++, pal_ptr++) 573 for (i = 0, pal_ptr = palette; i < num; i++, pal_ptr++)
936 { 574 {
937 png_byte buf[3]; 575 png_byte buf[3];
938 576
939 png_crc_read(png_ptr, buf, 3); 577 png_crc_read(png_ptr, buf, 3);
940 pal_ptr->red = buf[0]; 578 pal_ptr->red = buf[0];
941 pal_ptr->green = buf[1]; 579 pal_ptr->green = buf[1];
942 pal_ptr->blue = buf[2]; 580 pal_ptr->blue = buf[2];
943 } 581 }
944 #else 582 #else
945 for (i = 0; i < num; i++) 583 for (i = 0; i < num; i++)
946 { 584 {
947 png_byte buf[3]; 585 png_byte buf[3];
948 586
949 png_crc_read(png_ptr, buf, 3); 587 png_crc_read(png_ptr, buf, 3);
950 /* Don't depend upon png_color being any order */ 588 /* Don't depend upon png_color being any order */
951 palette[i].red = buf[0]; 589 palette[i].red = buf[0];
952 palette[i].green = buf[1]; 590 palette[i].green = buf[1];
953 palette[i].blue = buf[2]; 591 palette[i].blue = buf[2];
954 } 592 }
955 #endif 593 #endif
956 594
957 /* If we actually need the PLTE chunk (ie for a paletted image), we do 595 /* If we actually NEED the PLTE chunk (ie for a paletted image), we do
958 * whatever the normal CRC configuration tells us. However, if we 596 * whatever the normal CRC configuration tells us. However, if we
959 * have an RGB image, the PLTE can be considered ancillary, so 597 * have an RGB image, the PLTE can be considered ancillary, so
960 * we will act as though it is. 598 * we will act as though it is.
961 */ 599 */
962 #ifndef PNG_READ_OPT_PLTE_SUPPORTED 600 #ifndef PNG_READ_OPT_PLTE_SUPPORTED
963 if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) 601 if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
964 #endif 602 #endif
965 { 603 {
966 png_crc_finish(png_ptr, 0); 604 png_crc_finish(png_ptr, 0);
967 } 605 }
968
969 #ifndef PNG_READ_OPT_PLTE_SUPPORTED 606 #ifndef PNG_READ_OPT_PLTE_SUPPORTED
970 else if (png_crc_error(png_ptr)) /* Only if we have a CRC error */ 607 else if (png_crc_error(png_ptr)) /* Only if we have a CRC error */
971 { 608 {
972 /* If we don't want to use the data from an ancillary chunk, 609 /* If we don't want to use the data from an ancillary chunk,
973 * we have two options: an error abort, or a warning and we 610 we have two options: an error abort, or a warning and we
974 * ignore the data in this chunk (which should be OK, since 611 ignore the data in this chunk (which should be OK, since
975 * it's considered ancillary for a RGB or RGBA image). 612 it's considered ancillary for a RGB or RGBA image). */
976 *
977 * IMPLEMENTATION NOTE: this is only here because png_crc_finish uses the
978 * chunk type to determine whether to check the ancillary or the critical
979 * flags.
980 */
981 if (!(png_ptr->flags & PNG_FLAG_CRC_ANCILLARY_USE)) 613 if (!(png_ptr->flags & PNG_FLAG_CRC_ANCILLARY_USE))
982 { 614 {
983 if (png_ptr->flags & PNG_FLAG_CRC_ANCILLARY_NOWARN) 615 if (png_ptr->flags & PNG_FLAG_CRC_ANCILLARY_NOWARN)
984 { 616 {
985 png_chunk_benign_error(png_ptr, "CRC error"); 617 png_chunk_error(png_ptr, "CRC error");
986 } 618 }
987
988 else 619 else
989 { 620 {
990 png_chunk_warning(png_ptr, "CRC error"); 621 png_chunk_warning(png_ptr, "CRC error");
991 return; 622 return;
992 } 623 }
993 } 624 }
994
995 /* Otherwise, we (optionally) emit a warning and use the chunk. */ 625 /* Otherwise, we (optionally) emit a warning and use the chunk. */
996 else if (!(png_ptr->flags & PNG_FLAG_CRC_ANCILLARY_NOWARN)) 626 else if (!(png_ptr->flags & PNG_FLAG_CRC_ANCILLARY_NOWARN))
997 { 627 {
998 png_chunk_warning(png_ptr, "CRC error"); 628 png_chunk_warning(png_ptr, "CRC error");
999 } 629 }
1000 } 630 }
1001 #endif 631 #endif
1002 632
1003 /* TODO: png_set_PLTE has the side effect of setting png_ptr->palette to its
1004 * own copy of the palette. This has the side effect that when png_start_row
1005 * is called (this happens after any call to png_read_update_info) the
1006 * info_ptr palette gets changed. This is extremely unexpected and
1007 * confusing.
1008 *
1009 * Fix this by not sharing the palette in this way.
1010 */
1011 png_set_PLTE(png_ptr, info_ptr, palette, num); 633 png_set_PLTE(png_ptr, info_ptr, palette, num);
1012 634
1013 /* The three chunks, bKGD, hIST and tRNS *must* appear after PLTE and before
1014 * IDAT. Prior to 1.6.0 this was not checked; instead the code merely
1015 * checked the apparent validity of a tRNS chunk inserted before PLTE on a
1016 * palette PNG. 1.6.0 attempts to rigorously follow the standard and
1017 * therefore does a benign error if the erroneous condition is detected *and*
1018 * cancels the tRNS if the benign error returns. The alternative is to
1019 * amend the standard since it would be rather hypocritical of the standards
1020 * maintainers to ignore it.
1021 */
1022 #ifdef PNG_READ_tRNS_SUPPORTED 635 #ifdef PNG_READ_tRNS_SUPPORTED
1023 if (png_ptr->num_trans > 0 || 636 if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
1024 (info_ptr != NULL && (info_ptr->valid & PNG_INFO_tRNS) != 0))
1025 { 637 {
1026 /* Cancel this because otherwise it would be used if the transforms 638 if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_tRNS))
1027 * require it. Don't cancel the 'valid' flag because this would prevent 639 {
1028 * detection of duplicate chunks. 640 if (png_ptr->num_trans > (png_uint_16)num)
1029 */ 641 {
1030 png_ptr->num_trans = 0; 642 png_warning(png_ptr, "Truncating incorrect tRNS chunk length");
1031 643 png_ptr->num_trans = (png_uint_16)num;
1032 if (info_ptr != NULL) 644 }
1033 info_ptr->num_trans = 0; 645 if (info_ptr->num_trans > (png_uint_16)num)
1034 646 {
1035 png_chunk_benign_error(png_ptr, "tRNS must be after"); 647 png_warning(png_ptr, "Truncating incorrect info tRNS chunk length");
648 info_ptr->num_trans = (png_uint_16)num;
649 }
650 }
1036 } 651 }
1037 #endif 652 #endif
1038 653
1039 #ifdef PNG_READ_hIST_SUPPORTED
1040 if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_hIST) != 0)
1041 png_chunk_benign_error(png_ptr, "hIST must be after");
1042 #endif
1043
1044 #ifdef PNG_READ_bKGD_SUPPORTED
1045 if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_bKGD) != 0)
1046 png_chunk_benign_error(png_ptr, "bKGD must be after");
1047 #endif
1048 } 654 }
1049 655
1050 void /* PRIVATE */ 656 void /* PRIVATE */
1051 png_handle_IEND(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length) 657 png_handle_IEND(png_structp png_ptr, png_infop info_ptr, png_uint_32 length)
1052 { 658 {
1053 png_debug(1, "in png_handle_IEND"); 659 png_debug(1, "in png_handle_IEND");
1054 660
1055 if (!(png_ptr->mode & PNG_HAVE_IHDR) || !(png_ptr->mode & PNG_HAVE_IDAT)) 661 if (!(png_ptr->mode & PNG_HAVE_IHDR) || !(png_ptr->mode & PNG_HAVE_IDAT))
1056 png_chunk_error(png_ptr, "out of place"); 662 {
663 png_error(png_ptr, "No image in file");
664 }
1057 665
1058 png_ptr->mode |= (PNG_AFTER_IDAT | PNG_HAVE_IEND); 666 png_ptr->mode |= (PNG_AFTER_IDAT | PNG_HAVE_IEND);
1059 667
668 if (length != 0)
669 {
670 png_warning(png_ptr, "Incorrect IEND chunk length");
671 }
1060 png_crc_finish(png_ptr, length); 672 png_crc_finish(png_ptr, length);
1061 673
1062 if (length != 0) 674 info_ptr = info_ptr; /* Quiet compiler warnings about unused info_ptr */
1063 png_chunk_benign_error(png_ptr, "invalid");
1064
1065 PNG_UNUSED(info_ptr)
1066 } 675 }
1067 676
1068 #ifdef PNG_READ_gAMA_SUPPORTED 677 #ifdef PNG_READ_gAMA_SUPPORTED
1069 void /* PRIVATE */ 678 void /* PRIVATE */
1070 png_handle_gAMA(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length) 679 png_handle_gAMA(png_structp png_ptr, png_infop info_ptr, png_uint_32 length)
1071 { 680 {
1072 png_fixed_point igamma; 681 png_fixed_point igamma;
682 #ifdef PNG_FLOATING_POINT_SUPPORTED
683 float file_gamma;
684 #endif
1073 png_byte buf[4]; 685 png_byte buf[4];
1074 686
1075 png_debug(1, "in png_handle_gAMA"); 687 png_debug(1, "in png_handle_gAMA");
1076 688
1077 if (!(png_ptr->mode & PNG_HAVE_IHDR)) 689 if (!(png_ptr->mode & PNG_HAVE_IHDR))
1078 png_chunk_error(png_ptr, "missing IHDR"); 690 png_error(png_ptr, "Missing IHDR before gAMA");
691 else if (png_ptr->mode & PNG_HAVE_IDAT)
692 {
693 png_warning(png_ptr, "Invalid gAMA after IDAT");
694 png_crc_finish(png_ptr, length);
695 return;
696 }
697 else if (png_ptr->mode & PNG_HAVE_PLTE)
698 /* Should be an error, but we can cope with it */
699 png_warning(png_ptr, "Out of place gAMA chunk");
1079 700
1080 else if (png_ptr->mode & (PNG_HAVE_IDAT|PNG_HAVE_PLTE)) 701 if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_gAMA)
702 #ifdef PNG_READ_sRGB_SUPPORTED
703 && !(info_ptr->valid & PNG_INFO_sRGB)
704 #endif
705 )
1081 { 706 {
707 png_warning(png_ptr, "Duplicate gAMA chunk");
1082 png_crc_finish(png_ptr, length); 708 png_crc_finish(png_ptr, length);
1083 png_chunk_benign_error(png_ptr, "out of place");
1084 return; 709 return;
1085 } 710 }
1086 711
1087 if (length != 4) 712 if (length != 4)
1088 { 713 {
714 png_warning(png_ptr, "Incorrect gAMA chunk length");
1089 png_crc_finish(png_ptr, length); 715 png_crc_finish(png_ptr, length);
1090 png_chunk_benign_error(png_ptr, "invalid");
1091 return; 716 return;
1092 } 717 }
1093 718
1094 png_crc_read(png_ptr, buf, 4); 719 png_crc_read(png_ptr, buf, 4);
1095
1096 if (png_crc_finish(png_ptr, 0)) 720 if (png_crc_finish(png_ptr, 0))
1097 return; 721 return;
1098 722
1099 igamma = png_get_fixed_point(NULL, buf); 723 igamma = (png_fixed_point)png_get_uint_32(buf);
724 /* Check for zero gamma */
725 if (igamma == 0)
726 {
727 png_warning(png_ptr,
728 "Ignoring gAMA chunk with gamma=0");
729 return;
730 }
1100 731
1101 png_colorspace_set_gamma(png_ptr, &png_ptr->colorspace, igamma); 732 #ifdef PNG_READ_sRGB_SUPPORTED
1102 png_colorspace_sync(png_ptr, info_ptr); 733 if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_sRGB))
734 if (PNG_OUT_OF_RANGE(igamma, 45500L, 500))
735 {
736 png_warning(png_ptr,
737 "Ignoring incorrect gAMA value when sRGB is also present");
738 #ifdef PNG_CONSOLE_IO_SUPPORTED
739 fprintf(stderr, "gamma = (%d/100000)", (int)igamma);
740 #endif
741 return;
742 }
743 #endif /* PNG_READ_sRGB_SUPPORTED */
744
745 #ifdef PNG_FLOATING_POINT_SUPPORTED
746 file_gamma = (float)igamma / (float)100000.0;
747 # ifdef PNG_READ_GAMMA_SUPPORTED
748 png_ptr->gamma = file_gamma;
749 # endif
750 png_set_gAMA(png_ptr, info_ptr, file_gamma);
751 #endif
752 #ifdef PNG_FIXED_POINT_SUPPORTED
753 png_set_gAMA_fixed(png_ptr, info_ptr, igamma);
754 #endif
1103 } 755 }
1104 #endif 756 #endif
1105 757
1106 #ifdef PNG_READ_sBIT_SUPPORTED 758 #ifdef PNG_READ_sBIT_SUPPORTED
1107 void /* PRIVATE */ 759 void /* PRIVATE */
1108 png_handle_sBIT(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length) 760 png_handle_sBIT(png_structp png_ptr, png_infop info_ptr, png_uint_32 length)
1109 { 761 {
1110 unsigned int truelen; 762 png_size_t truelen;
1111 png_byte buf[4]; 763 png_byte buf[4];
1112 764
1113 png_debug(1, "in png_handle_sBIT"); 765 png_debug(1, "in png_handle_sBIT");
1114 766
1115 buf[0] = buf[1] = buf[2] = buf[3] = 0; 767 buf[0] = buf[1] = buf[2] = buf[3] = 0;
1116 768
1117 if (!(png_ptr->mode & PNG_HAVE_IHDR)) 769 if (!(png_ptr->mode & PNG_HAVE_IHDR))
1118 png_chunk_error(png_ptr, "missing IHDR"); 770 png_error(png_ptr, "Missing IHDR before sBIT");
1119 771 else if (png_ptr->mode & PNG_HAVE_IDAT)
1120 else if (png_ptr->mode & (PNG_HAVE_IDAT|PNG_HAVE_PLTE))
1121 { 772 {
773 png_warning(png_ptr, "Invalid sBIT after IDAT");
1122 png_crc_finish(png_ptr, length); 774 png_crc_finish(png_ptr, length);
1123 png_chunk_benign_error(png_ptr, "out of place");
1124 return; 775 return;
1125 } 776 }
1126 777 else if (png_ptr->mode & PNG_HAVE_PLTE)
778 {
779 /* Should be an error, but we can cope with it */
780 png_warning(png_ptr, "Out of place sBIT chunk");
781 }
1127 if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_sBIT)) 782 if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_sBIT))
1128 { 783 {
784 png_warning(png_ptr, "Duplicate sBIT chunk");
1129 png_crc_finish(png_ptr, length); 785 png_crc_finish(png_ptr, length);
1130 png_chunk_benign_error(png_ptr, "duplicate");
1131 return; 786 return;
1132 } 787 }
1133 788
1134 if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) 789 if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
1135 truelen = 3; 790 truelen = 3;
1136
1137 else 791 else
1138 truelen = png_ptr->channels; 792 truelen = (png_size_t)png_ptr->channels;
1139 793
1140 if (length != truelen || length > 4) 794 if (length != truelen || length > 4)
1141 { 795 {
1142 png_chunk_benign_error(png_ptr, "invalid"); 796 png_warning(png_ptr, "Incorrect sBIT chunk length");
1143 png_crc_finish(png_ptr, length); 797 png_crc_finish(png_ptr, length);
1144 return; 798 return;
1145 } 799 }
1146 800
1147 png_crc_read(png_ptr, buf, truelen); 801 png_crc_read(png_ptr, buf, truelen);
1148
1149 if (png_crc_finish(png_ptr, 0)) 802 if (png_crc_finish(png_ptr, 0))
1150 return; 803 return;
1151 804
1152 if (png_ptr->color_type & PNG_COLOR_MASK_COLOR) 805 if (png_ptr->color_type & PNG_COLOR_MASK_COLOR)
1153 { 806 {
1154 png_ptr->sig_bit.red = buf[0]; 807 png_ptr->sig_bit.red = buf[0];
1155 png_ptr->sig_bit.green = buf[1]; 808 png_ptr->sig_bit.green = buf[1];
1156 png_ptr->sig_bit.blue = buf[2]; 809 png_ptr->sig_bit.blue = buf[2];
1157 png_ptr->sig_bit.alpha = buf[3]; 810 png_ptr->sig_bit.alpha = buf[3];
1158 } 811 }
1159
1160 else 812 else
1161 { 813 {
1162 png_ptr->sig_bit.gray = buf[0]; 814 png_ptr->sig_bit.gray = buf[0];
1163 png_ptr->sig_bit.red = buf[0]; 815 png_ptr->sig_bit.red = buf[0];
1164 png_ptr->sig_bit.green = buf[0]; 816 png_ptr->sig_bit.green = buf[0];
1165 png_ptr->sig_bit.blue = buf[0]; 817 png_ptr->sig_bit.blue = buf[0];
1166 png_ptr->sig_bit.alpha = buf[1]; 818 png_ptr->sig_bit.alpha = buf[1];
1167 } 819 }
1168
1169 png_set_sBIT(png_ptr, info_ptr, &(png_ptr->sig_bit)); 820 png_set_sBIT(png_ptr, info_ptr, &(png_ptr->sig_bit));
1170 } 821 }
1171 #endif 822 #endif
1172 823
1173 #ifdef PNG_READ_cHRM_SUPPORTED 824 #ifdef PNG_READ_cHRM_SUPPORTED
1174 void /* PRIVATE */ 825 void /* PRIVATE */
1175 png_handle_cHRM(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length) 826 png_handle_cHRM(png_structp png_ptr, png_infop info_ptr, png_uint_32 length)
1176 { 827 {
1177 png_byte buf[32]; 828 png_byte buf[32];
1178 png_xy xy; 829 #ifdef PNG_FLOATING_POINT_SUPPORTED
830 float white_x, white_y, red_x, red_y, green_x, green_y, blue_x, blue_y;
831 #endif
832 png_fixed_point int_x_white, int_y_white, int_x_red, int_y_red, int_x_green,
833 int_y_green, int_x_blue, int_y_blue;
834
835 png_uint_32 uint_x, uint_y;
1179 836
1180 png_debug(1, "in png_handle_cHRM"); 837 png_debug(1, "in png_handle_cHRM");
1181 838
1182 if (!(png_ptr->mode & PNG_HAVE_IHDR)) 839 if (!(png_ptr->mode & PNG_HAVE_IHDR))
1183 png_chunk_error(png_ptr, "missing IHDR"); 840 png_error(png_ptr, "Missing IHDR before cHRM");
1184 841 else if (png_ptr->mode & PNG_HAVE_IDAT)
1185 else if (png_ptr->mode & (PNG_HAVE_IDAT|PNG_HAVE_PLTE)) 842 {
1186 { 843 png_warning(png_ptr, "Invalid cHRM after IDAT");
1187 png_crc_finish(png_ptr, length); 844 png_crc_finish(png_ptr, length);
1188 png_chunk_benign_error(png_ptr, "out of place"); 845 return;
846 }
847 else if (png_ptr->mode & PNG_HAVE_PLTE)
848 /* Should be an error, but we can cope with it */
849 png_warning(png_ptr, "Missing PLTE before cHRM");
850
851 if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_cHRM)
852 #ifdef PNG_READ_sRGB_SUPPORTED
853 && !(info_ptr->valid & PNG_INFO_sRGB)
854 #endif
855 )
856 {
857 png_warning(png_ptr, "Duplicate cHRM chunk");
858 png_crc_finish(png_ptr, length);
1189 return; 859 return;
1190 } 860 }
1191 861
1192 if (length != 32) 862 if (length != 32)
1193 { 863 {
1194 png_crc_finish(png_ptr, length); 864 png_warning(png_ptr, "Incorrect cHRM chunk length");
1195 png_chunk_benign_error(png_ptr, "invalid"); 865 png_crc_finish(png_ptr, length);
1196 return; 866 return;
1197 } 867 }
1198 868
1199 png_crc_read(png_ptr, buf, 32); 869 png_crc_read(png_ptr, buf, 32);
1200
1201 if (png_crc_finish(png_ptr, 0)) 870 if (png_crc_finish(png_ptr, 0))
1202 return; 871 return;
1203 872
1204 xy.whitex = png_get_fixed_point(NULL, buf); 873 uint_x = png_get_uint_32(buf);
1205 xy.whitey = png_get_fixed_point(NULL, buf + 4); 874 uint_y = png_get_uint_32(buf + 4);
1206 xy.redx = png_get_fixed_point(NULL, buf + 8); 875 int_x_white = (png_fixed_point)uint_x;
1207 xy.redy = png_get_fixed_point(NULL, buf + 12); 876 int_y_white = (png_fixed_point)uint_y;
1208 xy.greenx = png_get_fixed_point(NULL, buf + 16); 877
1209 xy.greeny = png_get_fixed_point(NULL, buf + 20); 878 uint_x = png_get_uint_32(buf + 8);
1210 xy.bluex = png_get_fixed_point(NULL, buf + 24); 879 uint_y = png_get_uint_32(buf + 12);
1211 xy.bluey = png_get_fixed_point(NULL, buf + 28); 880 int_x_red = (png_fixed_point)uint_x;
1212 881 int_y_red = (png_fixed_point)uint_y;
1213 if (xy.whitex == PNG_FIXED_ERROR || 882
1214 xy.whitey == PNG_FIXED_ERROR || 883 uint_x = png_get_uint_32(buf + 16);
1215 xy.redx == PNG_FIXED_ERROR || 884 uint_y = png_get_uint_32(buf + 20);
1216 xy.redy == PNG_FIXED_ERROR || 885 int_x_green = (png_fixed_point)uint_x;
1217 xy.greenx == PNG_FIXED_ERROR || 886 int_y_green = (png_fixed_point)uint_y;
1218 xy.greeny == PNG_FIXED_ERROR || 887
1219 xy.bluex == PNG_FIXED_ERROR || 888 uint_x = png_get_uint_32(buf + 24);
1220 xy.bluey == PNG_FIXED_ERROR) 889 uint_y = png_get_uint_32(buf + 28);
1221 { 890 int_x_blue = (png_fixed_point)uint_x;
1222 png_chunk_benign_error(png_ptr, "invalid values"); 891 int_y_blue = (png_fixed_point)uint_y;
1223 return; 892
1224 } 893 #ifdef PNG_FLOATING_POINT_SUPPORTED
1225 894 white_x = (float)int_x_white / (float)100000.0;
1226 /* If a colorspace error has already been output skip this chunk */ 895 white_y = (float)int_y_white / (float)100000.0;
1227 if (png_ptr->colorspace.flags & PNG_COLORSPACE_INVALID) 896 red_x = (float)int_x_red / (float)100000.0;
1228 return; 897 red_y = (float)int_y_red / (float)100000.0;
1229 898 green_x = (float)int_x_green / (float)100000.0;
1230 if (png_ptr->colorspace.flags & PNG_COLORSPACE_FROM_cHRM) 899 green_y = (float)int_y_green / (float)100000.0;
1231 { 900 blue_x = (float)int_x_blue / (float)100000.0;
1232 png_ptr->colorspace.flags |= PNG_COLORSPACE_INVALID; 901 blue_y = (float)int_y_blue / (float)100000.0;
1233 png_colorspace_sync(png_ptr, info_ptr); 902 #endif
1234 png_chunk_benign_error(png_ptr, "duplicate"); 903
1235 return; 904 #ifdef PNG_READ_sRGB_SUPPORTED
1236 } 905 if ((info_ptr != NULL) && (info_ptr->valid & PNG_INFO_sRGB))
1237 906 {
1238 png_ptr->colorspace.flags |= PNG_COLORSPACE_FROM_cHRM; 907 if (PNG_OUT_OF_RANGE(int_x_white, 31270, 1000) ||
1239 (void)png_colorspace_set_chromaticities(png_ptr, &png_ptr->colorspace, &xy, 908 PNG_OUT_OF_RANGE(int_y_white, 32900, 1000) ||
1240 1/*prefer cHRM values*/); 909 PNG_OUT_OF_RANGE(int_x_red, 64000L, 1000) ||
1241 png_colorspace_sync(png_ptr, info_ptr); 910 PNG_OUT_OF_RANGE(int_y_red, 33000, 1000) ||
911 PNG_OUT_OF_RANGE(int_x_green, 30000, 1000) ||
912 PNG_OUT_OF_RANGE(int_y_green, 60000L, 1000) ||
913 PNG_OUT_OF_RANGE(int_x_blue, 15000, 1000) ||
914 PNG_OUT_OF_RANGE(int_y_blue, 6000, 1000))
915 {
916 png_warning(png_ptr,
917 "Ignoring incorrect cHRM value when sRGB is also present");
918 #ifdef PNG_CONSOLE_IO_SUPPORTED
919 #ifdef PNG_FLOATING_POINT_SUPPORTED
920 fprintf(stderr, "wx=%f, wy=%f, rx=%f, ry=%f\n",
921 white_x, white_y, red_x, red_y);
922 fprintf(stderr, "gx=%f, gy=%f, bx=%f, by=%f\n",
923 green_x, green_y, blue_x, blue_y);
924 #else
925 fprintf(stderr, "wx=%ld, wy=%ld, rx=%ld, ry=%ld\n",
926 (long)int_x_white, (long)int_y_white,
927 (long)int_x_red, (long)int_y_red);
928 fprintf(stderr, "gx=%ld, gy=%ld, bx=%ld, by=%ld\n",
929 (long)int_x_green, (long)int_y_green,
930 (long)int_x_blue, (long)int_y_blue);
931 #endif
932 #endif /* PNG_CONSOLE_IO_SUPPORTED */
933 }
934 return;
935 }
936 #endif /* PNG_READ_sRGB_SUPPORTED */
937
938 #ifdef PNG_FLOATING_POINT_SUPPORTED
939 png_set_cHRM(png_ptr, info_ptr,
940 white_x, white_y, red_x, red_y, green_x, green_y, blue_x, blue_y);
941 #endif
942 #ifdef PNG_FIXED_POINT_SUPPORTED
943 png_set_cHRM_fixed(png_ptr, info_ptr,
944 int_x_white, int_y_white, int_x_red, int_y_red, int_x_green,
945 int_y_green, int_x_blue, int_y_blue);
946 #endif
1242 } 947 }
1243 #endif 948 #endif
1244 949
1245 #ifdef PNG_READ_sRGB_SUPPORTED 950 #ifdef PNG_READ_sRGB_SUPPORTED
1246 void /* PRIVATE */ 951 void /* PRIVATE */
1247 png_handle_sRGB(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length) 952 png_handle_sRGB(png_structp png_ptr, png_infop info_ptr, png_uint_32 length)
1248 { 953 {
1249 png_byte intent; 954 int intent;
955 png_byte buf[1];
1250 956
1251 png_debug(1, "in png_handle_sRGB"); 957 png_debug(1, "in png_handle_sRGB");
1252 958
1253 if (!(png_ptr->mode & PNG_HAVE_IHDR)) 959 if (!(png_ptr->mode & PNG_HAVE_IHDR))
1254 png_chunk_error(png_ptr, "missing IHDR"); 960 png_error(png_ptr, "Missing IHDR before sRGB");
1255 961 else if (png_ptr->mode & PNG_HAVE_IDAT)
1256 else if (png_ptr->mode & (PNG_HAVE_IDAT|PNG_HAVE_PLTE)) 962 {
1257 { 963 png_warning(png_ptr, "Invalid sRGB after IDAT");
1258 png_crc_finish(png_ptr, length); 964 png_crc_finish(png_ptr, length);
1259 png_chunk_benign_error(png_ptr, "out of place"); 965 return;
966 }
967 else if (png_ptr->mode & PNG_HAVE_PLTE)
968 /* Should be an error, but we can cope with it */
969 png_warning(png_ptr, "Out of place sRGB chunk");
970
971 if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_sRGB))
972 {
973 png_warning(png_ptr, "Duplicate sRGB chunk");
974 png_crc_finish(png_ptr, length);
1260 return; 975 return;
1261 } 976 }
1262 977
1263 if (length != 1) 978 if (length != 1)
1264 { 979 {
1265 png_crc_finish(png_ptr, length); 980 png_warning(png_ptr, "Incorrect sRGB chunk length");
1266 png_chunk_benign_error(png_ptr, "invalid"); 981 png_crc_finish(png_ptr, length);
1267 return; 982 return;
1268 } 983 }
1269 984
1270 png_crc_read(png_ptr, &intent, 1); 985 png_crc_read(png_ptr, buf, 1);
1271
1272 if (png_crc_finish(png_ptr, 0)) 986 if (png_crc_finish(png_ptr, 0))
1273 return; 987 return;
1274 988
1275 /* If a colorspace error has already been output skip this chunk */ 989 intent = buf[0];
1276 if (png_ptr->colorspace.flags & PNG_COLORSPACE_INVALID) 990 /* Check for bad intent */
1277 return; 991 if (intent >= PNG_sRGB_INTENT_LAST)
1278 992 {
1279 /* Only one sRGB or iCCP chunk is allowed, use the HAVE_INTENT flag to detect 993 png_warning(png_ptr, "Unknown sRGB intent");
1280 * this. 994 return;
1281 */ 995 }
1282 if (png_ptr->colorspace.flags & PNG_COLORSPACE_HAVE_INTENT) 996
1283 { 997 #if defined(PNG_READ_gAMA_SUPPORTED) && defined(PNG_READ_GAMMA_SUPPORTED)
1284 png_ptr->colorspace.flags |= PNG_COLORSPACE_INVALID; 998 if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_gAMA))
1285 png_colorspace_sync(png_ptr, info_ptr); 999 {
1286 png_chunk_benign_error(png_ptr, "too many profiles"); 1000 png_fixed_point igamma;
1287 return; 1001 #ifdef PNG_FIXED_POINT_SUPPORTED
1288 } 1002 igamma=info_ptr->int_gamma;
1289 1003 #else
1290 (void)png_colorspace_set_sRGB(png_ptr, &png_ptr->colorspace, intent); 1004 # ifdef PNG_FLOATING_POINT_SUPPORTED
1291 png_colorspace_sync(png_ptr, info_ptr); 1005 igamma=(png_fixed_point)(info_ptr->gamma * 100000.);
1006 # endif
1007 #endif
1008 if (PNG_OUT_OF_RANGE(igamma, 45500L, 500))
1009 {
1010 png_warning(png_ptr,
1011 "Ignoring incorrect gAMA value when sRGB is also present");
1012 #ifdef PNG_CONSOLE_IO_SUPPORTED
1013 # ifdef PNG_FIXED_POINT_SUPPORTED
1014 fprintf(stderr, "incorrect gamma=(%d/100000)\n",
1015 (int)png_ptr->int_gamma);
1016 # else
1017 # ifdef PNG_FLOATING_POINT_SUPPORTED
1018 fprintf(stderr, "incorrect gamma=%f\n", png_ptr->gamma);
1019 # endif
1020 # endif
1021 #endif
1022 }
1023 }
1024 #endif /* PNG_READ_gAMA_SUPPORTED */
1025
1026 #ifdef PNG_READ_cHRM_SUPPORTED
1027 #ifdef PNG_FIXED_POINT_SUPPORTED
1028 if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_cHRM))
1029 if (PNG_OUT_OF_RANGE(info_ptr->int_x_white, 31270, 1000) ||
1030 PNG_OUT_OF_RANGE(info_ptr->int_y_white, 32900, 1000) ||
1031 PNG_OUT_OF_RANGE(info_ptr->int_x_red, 64000L, 1000) ||
1032 PNG_OUT_OF_RANGE(info_ptr->int_y_red, 33000, 1000) ||
1033 PNG_OUT_OF_RANGE(info_ptr->int_x_green, 30000, 1000) ||
1034 PNG_OUT_OF_RANGE(info_ptr->int_y_green, 60000L, 1000) ||
1035 PNG_OUT_OF_RANGE(info_ptr->int_x_blue, 15000, 1000) ||
1036 PNG_OUT_OF_RANGE(info_ptr->int_y_blue, 6000, 1000))
1037 {
1038 png_warning(png_ptr,
1039 "Ignoring incorrect cHRM value when sRGB is also present");
1040 }
1041 #endif /* PNG_FIXED_POINT_SUPPORTED */
1042 #endif /* PNG_READ_cHRM_SUPPORTED */
1043
1044 png_set_sRGB_gAMA_and_cHRM(png_ptr, info_ptr, intent);
1292 } 1045 }
1293 #endif /* PNG_READ_sRGB_SUPPORTED */ 1046 #endif /* PNG_READ_sRGB_SUPPORTED */
1294 1047
1295 #ifdef PNG_READ_iCCP_SUPPORTED 1048 #ifdef PNG_READ_iCCP_SUPPORTED
1296 void /* PRIVATE */ 1049 void /* PRIVATE */
1297 png_handle_iCCP(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length) 1050 png_handle_iCCP(png_structp png_ptr, png_infop info_ptr, png_uint_32 length)
1298 /* Note: this does not properly handle profiles that are > 64K under DOS */ 1051 /* Note: this does not properly handle chunks that are > 64K under DOS */
1299 { 1052 {
1300 png_const_charp errmsg = NULL; /* error message output, or no error */ 1053 png_byte compression_type;
1301 int finished = 0; /* crc checked */ 1054 png_bytep pC;
1055 png_charp profile;
1056 png_uint_32 skip = 0;
1057 png_uint_32 profile_size, profile_length;
1058 png_size_t slength, prefix_length, data_length;
1302 1059
1303 png_debug(1, "in png_handle_iCCP"); 1060 png_debug(1, "in png_handle_iCCP");
1304 1061
1305 if (!(png_ptr->mode & PNG_HAVE_IHDR)) 1062 if (!(png_ptr->mode & PNG_HAVE_IHDR))
1306 png_chunk_error(png_ptr, "missing IHDR"); 1063 png_error(png_ptr, "Missing IHDR before iCCP");
1307 1064 else if (png_ptr->mode & PNG_HAVE_IDAT)
1308 else if (png_ptr->mode & (PNG_HAVE_IDAT|PNG_HAVE_PLTE)) 1065 {
1309 { 1066 png_warning(png_ptr, "Invalid iCCP after IDAT");
1310 png_crc_finish(png_ptr, length); 1067 png_crc_finish(png_ptr, length);
1311 png_chunk_benign_error(png_ptr, "out of place"); 1068 return;
1312 return; 1069 }
1313 } 1070 else if (png_ptr->mode & PNG_HAVE_PLTE)
1314 1071 /* Should be an error, but we can cope with it */
1315 /* Consistent with all the above colorspace handling an obviously *invalid* 1072 png_warning(png_ptr, "Out of place iCCP chunk");
1316 * chunk is just ignored, so does not invalidate the color space. An 1073
1317 * alternative is to set the 'invalid' flags at the start of this routine 1074 if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_iCCP))
1318 * and only clear them in they were not set before and all the tests pass. 1075 {
1319 * The minimum 'deflate' stream is assumed to be just the 2 byte header and 4 1076 png_warning(png_ptr, "Duplicate iCCP chunk");
1320 * byte checksum. The keyword must be one character and there is a 1077 png_crc_finish(png_ptr, length);
1321 * terminator (0) byte and the compression method. 1078 return;
1079 }
1080
1081 #ifdef PNG_MAX_MALLOC_64K
1082 if (length > (png_uint_32)65535L)
1083 {
1084 png_warning(png_ptr, "iCCP chunk too large to fit in memory");
1085 skip = length - (png_uint_32)65535L;
1086 length = (png_uint_32)65535L;
1087 }
1088 #endif
1089
1090 png_free(png_ptr, png_ptr->chunkdata);
1091 png_ptr->chunkdata = (png_charp)png_malloc(png_ptr, length + 1);
1092 slength = (png_size_t)length;
1093 png_crc_read(png_ptr, (png_bytep)png_ptr->chunkdata, slength);
1094
1095 if (png_crc_finish(png_ptr, skip))
1096 {
1097 png_free(png_ptr, png_ptr->chunkdata);
1098 png_ptr->chunkdata = NULL;
1099 return;
1100 }
1101
1102 png_ptr->chunkdata[slength] = 0x00;
1103
1104 for (profile = png_ptr->chunkdata; *profile; profile++)
1105 /* Empty loop to find end of name */ ;
1106
1107 ++profile;
1108
1109 /* There should be at least one zero (the compression type byte)
1110 * following the separator, and we should be on it
1322 */ 1111 */
1323 if (length < 9) 1112 if ( profile >= png_ptr->chunkdata + slength - 1)
1324 { 1113 {
1325 png_crc_finish(png_ptr, length); 1114 png_free(png_ptr, png_ptr->chunkdata);
1326 png_chunk_benign_error(png_ptr, "too short"); 1115 png_ptr->chunkdata = NULL;
1327 return; 1116 png_warning(png_ptr, "Malformed iCCP chunk");
1328 } 1117 return;
1329 1118 }
1330 /* If a colorspace error has already been output skip this chunk */ 1119
1331 if (png_ptr->colorspace.flags & PNG_COLORSPACE_INVALID) 1120 /* Compression_type should always be zero */
1332 { 1121 compression_type = *profile++;
1333 png_crc_finish(png_ptr, length); 1122 if (compression_type)
1334 return; 1123 {
1335 } 1124 png_warning(png_ptr, "Ignoring nonzero compression type in iCCP chunk");
1336 1125 compression_type = 0x00; /* Reset it to zero (libpng-1.0.6 through 1.0.8
1337 /* Only one sRGB or iCCP chunk is allowed, use the HAVE_INTENT flag to detect 1126 wrote nonzero) */
1338 * this. 1127 }
1339 */ 1128
1340 if ((png_ptr->colorspace.flags & PNG_COLORSPACE_HAVE_INTENT) == 0) 1129 prefix_length = profile - png_ptr->chunkdata;
1341 { 1130 png_decompress_chunk(png_ptr, compression_type,
1342 uInt read_length, keyword_length; 1131 slength, prefix_length, &data_length);
1343 char keyword[81]; 1132
1344 1133 profile_length = data_length - prefix_length;
1345 /* Find the keyword; the keyword plus separator and compression method 1134
1346 * bytes can be at most 81 characters long. 1135 if ( prefix_length > data_length || profile_length < 4)
1347 */ 1136 {
1348 read_length = 81; /* maximum */ 1137 png_free(png_ptr, png_ptr->chunkdata);
1349 if (read_length > length) 1138 png_ptr->chunkdata = NULL;
1350 read_length = (uInt)length; 1139 png_warning(png_ptr, "Profile size field missing from iCCP chunk");
1351 1140 return;
1352 png_crc_read(png_ptr, (png_bytep)keyword, read_length); 1141 }
1353 length -= read_length; 1142
1354 1143 /* Check the profile_size recorded in the first 32 bits of the ICC profile */
1355 keyword_length = 0; 1144 pC = (png_bytep)(png_ptr->chunkdata + prefix_length);
1356 while (keyword_length < 80 && keyword_length < read_length && 1145 profile_size = ((*(pC ))<<24) |
1357 keyword[keyword_length] != 0) 1146 ((*(pC + 1))<<16) |
1358 ++keyword_length; 1147 ((*(pC + 2))<< 8) |
1359 1148 ((*(pC + 3)) );
1360 /* TODO: make the keyword checking common */ 1149
1361 if (keyword_length >= 1 && keyword_length <= 79) 1150 if (profile_size < profile_length)
1362 { 1151 profile_length = profile_size;
1363 /* We only understand '0' compression - deflate - so if we get a 1152
1364 * different value we can't safely decode the chunk. 1153 if (profile_size > profile_length)
1365 */ 1154 {
1366 if (keyword_length+1 < read_length && 1155 png_free(png_ptr, png_ptr->chunkdata);
1367 keyword[keyword_length+1] == PNG_COMPRESSION_TYPE_BASE) 1156 png_ptr->chunkdata = NULL;
1368 { 1157 png_warning(png_ptr, "Ignoring truncated iCCP profile.");
1369 read_length -= keyword_length+2; 1158 return;
1370 1159 }
1371 if (png_inflate_claim(png_ptr, png_iCCP) == Z_OK) 1160
1372 { 1161 png_set_iCCP(png_ptr, info_ptr, png_ptr->chunkdata,
1373 Byte profile_header[132]; 1162 compression_type, png_ptr->chunkdata + prefix_length, profile_length);
1374 Byte local_buffer[PNG_INFLATE_BUF_SIZE]; 1163 png_free(png_ptr, png_ptr->chunkdata);
1375 png_alloc_size_t size = (sizeof profile_header); 1164 png_ptr->chunkdata = NULL;
1376
1377 png_ptr->zstream.next_in = (Bytef*)keyword + (keyword_length+2);
1378 png_ptr->zstream.avail_in = read_length;
1379 (void)png_inflate_read(png_ptr, local_buffer,
1380 (sizeof local_buffer), &length, profile_header, &size,
1381 0/*finish: don't, because the output is too small*/);
1382
1383 if (size == 0)
1384 {
1385 /* We have the ICC profile header; do the basic header checks.
1386 */
1387 const png_uint_32 profile_length =
1388 png_get_uint_32(profile_header);
1389
1390 if (png_icc_check_length(png_ptr, &png_ptr->colorspace,
1391 keyword, profile_length))
1392 {
1393 /* The length is apparently ok, so we can check the 132
1394 * byte header.
1395 */
1396 if (png_icc_check_header(png_ptr, &png_ptr->colorspace,
1397 keyword, profile_length, profile_header,
1398 png_ptr->color_type))
1399 {
1400 /* Now read the tag table; a variable size buffer is
1401 * needed at this point, allocate one for the whole
1402 * profile. The header check has already validated
1403 * that none of these stuff will overflow.
1404 */
1405 const png_uint_32 tag_count = png_get_uint_32(
1406 profile_header+128);
1407 png_bytep profile = png_read_buffer(png_ptr,
1408 profile_length, 2/*silent*/);
1409
1410 if (profile != NULL)
1411 {
1412 memcpy(profile, profile_header,
1413 (sizeof profile_header));
1414
1415 size = 12 * tag_count;
1416
1417 (void)png_inflate_read(png_ptr, local_buffer,
1418 (sizeof local_buffer), &length,
1419 profile + (sizeof profile_header), &size, 0);
1420
1421 /* Still expect a a buffer error because we expect
1422 * there to be some tag data!
1423 */
1424 if (size == 0)
1425 {
1426 if (png_icc_check_tag_table(png_ptr,
1427 &png_ptr->colorspace, keyword, profile_length,
1428 profile))
1429 {
1430 /* The profile has been validated for basic
1431 * security issues, so read the whole thing in.
1432 */
1433 size = profile_length - (sizeof profile_header)
1434 - 12 * tag_count;
1435
1436 (void)png_inflate_read(png_ptr, local_buffer,
1437 (sizeof local_buffer), &length,
1438 profile + (sizeof profile_header) +
1439 12 * tag_count, &size, 1/*finish*/);
1440
1441 if (length > 0 && !(png_ptr->flags &
1442 PNG_FLAG_BENIGN_ERRORS_WARN))
1443 errmsg = "extra compressed data";
1444
1445 /* But otherwise allow extra data: */
1446 else if (size == 0)
1447 {
1448 if (length > 0)
1449 {
1450 /* This can be handled completely, so
1451 * keep going.
1452 */
1453 png_chunk_warning(png_ptr,
1454 "extra compressed data");
1455 }
1456
1457 png_crc_finish(png_ptr, length);
1458 finished = 1;
1459
1460 # ifdef PNG_sRGB_SUPPORTED
1461 /* Check for a match against sRGB */
1462 png_icc_set_sRGB(png_ptr,
1463 &png_ptr->colorspace, profile,
1464 png_ptr->zstream.adler);
1465 # endif
1466
1467 /* Steal the profile for info_ptr. */
1468 if (info_ptr != NULL)
1469 {
1470 png_free_data(png_ptr, info_ptr,
1471 PNG_FREE_ICCP, 0);
1472
1473 info_ptr->iccp_name = png_voidcast(char*,
1474 png_malloc_base(png_ptr,
1475 keyword_length+1));
1476 if (info_ptr->iccp_name != NULL)
1477 {
1478 memcpy(info_ptr->iccp_name, keyword,
1479 keyword_length+1);
1480 info_ptr->iccp_proflen =
1481 profile_length;
1482 info_ptr->iccp_profile = profile;
1483 png_ptr->read_buffer = NULL; /*steal*/
1484 info_ptr->free_me |= PNG_FREE_ICCP;
1485 info_ptr->valid |= PNG_INFO_iCCP;
1486 }
1487
1488 else
1489 {
1490 png_ptr->colorspace.flags |=
1491 PNG_COLORSPACE_INVALID;
1492 errmsg = "out of memory";
1493 }
1494 }
1495
1496 /* else the profile remains in the read
1497 * buffer which gets reused for subsequent
1498 * chunks.
1499 */
1500
1501 if (info_ptr != NULL)
1502 png_colorspace_sync(png_ptr, info_ptr);
1503
1504 if (errmsg == NULL)
1505 {
1506 png_ptr->zowner = 0;
1507 return;
1508 }
1509 }
1510
1511 else if (size > 0)
1512 errmsg = "truncated";
1513
1514 else
1515 errmsg = png_ptr->zstream.msg;
1516 }
1517
1518 /* else png_icc_check_tag_table output an error */
1519 }
1520
1521 else /* profile truncated */
1522 errmsg = png_ptr->zstream.msg;
1523 }
1524
1525 else
1526 errmsg = "out of memory";
1527 }
1528
1529 /* else png_icc_check_header output an error */
1530 }
1531
1532 /* else png_icc_check_length output an error */
1533 }
1534
1535 else /* profile truncated */
1536 errmsg = png_ptr->zstream.msg;
1537
1538 /* Release the stream */
1539 png_ptr->zowner = 0;
1540 }
1541
1542 else /* png_inflate_claim failed */
1543 errmsg = png_ptr->zstream.msg;
1544 }
1545
1546 else
1547 errmsg = "bad compression method"; /* or missing */
1548 }
1549
1550 else
1551 errmsg = "bad keyword";
1552 }
1553
1554 else
1555 errmsg = "too many profiles";
1556
1557 /* Failure: the reason is in 'errmsg' */
1558 if (!finished)
1559 png_crc_finish(png_ptr, length);
1560
1561 png_ptr->colorspace.flags |= PNG_COLORSPACE_INVALID;
1562 png_colorspace_sync(png_ptr, info_ptr);
1563 if (errmsg != NULL) /* else already output */
1564 png_chunk_benign_error(png_ptr, errmsg);
1565 } 1165 }
1566 #endif /* PNG_READ_iCCP_SUPPORTED */ 1166 #endif /* PNG_READ_iCCP_SUPPORTED */
1567 1167
1568 #ifdef PNG_READ_sPLT_SUPPORTED 1168 #ifdef PNG_READ_sPLT_SUPPORTED
1569 void /* PRIVATE */ 1169 void /* PRIVATE */
1570 png_handle_sPLT(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length) 1170 png_handle_sPLT(png_structp png_ptr, png_infop info_ptr, png_uint_32 length)
1571 /* Note: this does not properly handle chunks that are > 64K under DOS */ 1171 /* Note: this does not properly handle chunks that are > 64K under DOS */
1572 { 1172 {
1573 png_bytep entry_start, buffer; 1173 png_bytep entry_start;
1574 png_sPLT_t new_palette; 1174 png_sPLT_t new_palette;
1175 #ifdef PNG_POINTER_INDEXING_SUPPORTED
1575 png_sPLT_entryp pp; 1176 png_sPLT_entryp pp;
1576 png_uint_32 data_length; 1177 #endif
1577 int entry_size, i; 1178 int data_length, entry_size, i;
1578 png_uint_32 skip = 0; 1179 png_uint_32 skip = 0;
1579 png_uint_32 dl; 1180 png_size_t slength;
1580 png_size_t max_dl;
1581 1181
1582 png_debug(1, "in png_handle_sPLT"); 1182 png_debug(1, "in png_handle_sPLT");
1583 1183
1584 #ifdef PNG_USER_LIMITS_SUPPORTED 1184 #ifdef PNG_USER_LIMITS_SUPPORTED
1185
1585 if (png_ptr->user_chunk_cache_max != 0) 1186 if (png_ptr->user_chunk_cache_max != 0)
1586 { 1187 {
1587 if (png_ptr->user_chunk_cache_max == 1) 1188 if (png_ptr->user_chunk_cache_max == 1)
1588 { 1189 {
1589 png_crc_finish(png_ptr, length); 1190 png_crc_finish(png_ptr, length);
1590 return; 1191 return;
1591 } 1192 }
1592
1593 if (--png_ptr->user_chunk_cache_max == 1) 1193 if (--png_ptr->user_chunk_cache_max == 1)
1594 { 1194 {
1595 png_warning(png_ptr, "No space in chunk cache for sPLT"); 1195 png_warning(png_ptr, "No space in chunk cache for sPLT");
1596 png_crc_finish(png_ptr, length); 1196 png_crc_finish(png_ptr, length);
1597 return; 1197 return;
1598 } 1198 }
1599 } 1199 }
1600 #endif 1200 #endif
1601 1201
1602 if (!(png_ptr->mode & PNG_HAVE_IHDR)) 1202 if (!(png_ptr->mode & PNG_HAVE_IHDR))
1603 png_chunk_error(png_ptr, "missing IHDR"); 1203 png_error(png_ptr, "Missing IHDR before sPLT");
1604
1605 else if (png_ptr->mode & PNG_HAVE_IDAT) 1204 else if (png_ptr->mode & PNG_HAVE_IDAT)
1606 { 1205 {
1206 png_warning(png_ptr, "Invalid sPLT after IDAT");
1607 png_crc_finish(png_ptr, length); 1207 png_crc_finish(png_ptr, length);
1608 png_chunk_benign_error(png_ptr, "out of place");
1609 return; 1208 return;
1610 } 1209 }
1611 1210
1612 #ifdef PNG_MAX_MALLOC_64K 1211 #ifdef PNG_MAX_MALLOC_64K
1613 if (length > 65535U) 1212 if (length > (png_uint_32)65535L)
1614 { 1213 {
1615 png_crc_finish(png_ptr, length); 1214 png_warning(png_ptr, "sPLT chunk too large to fit in memory");
1616 png_chunk_benign_error(png_ptr, "too large to fit in memory"); 1215 skip = length - (png_uint_32)65535L;
1617 return; 1216 length = (png_uint_32)65535L;
1618 } 1217 }
1619 #endif 1218 #endif
1620 1219
1621 buffer = png_read_buffer(png_ptr, length+1, 2/*silent*/); 1220 png_free(png_ptr, png_ptr->chunkdata);
1622 if (buffer == NULL) 1221 png_ptr->chunkdata = (png_charp)png_malloc(png_ptr, length + 1);
1222 slength = (png_size_t)length;
1223 png_crc_read(png_ptr, (png_bytep)png_ptr->chunkdata, slength);
1224
1225 if (png_crc_finish(png_ptr, skip))
1623 { 1226 {
1624 png_crc_finish(png_ptr, length); 1227 png_free(png_ptr, png_ptr->chunkdata);
1625 png_chunk_benign_error(png_ptr, "out of memory"); 1228 png_ptr->chunkdata = NULL;
1626 return; 1229 return;
1627 } 1230 }
1628 1231
1232 png_ptr->chunkdata[slength] = 0x00;
1629 1233
1630 /* WARNING: this may break if size_t is less than 32 bits; it is assumed 1234 for (entry_start = (png_bytep)png_ptr->chunkdata; *entry_start;
1631 * that the PNG_MAX_MALLOC_64K test is enabled in this case, but this is a 1235 entry_start++)
1632 * potential breakage point if the types in pngconf.h aren't exactly right.
1633 */
1634 png_crc_read(png_ptr, buffer, length);
1635
1636 if (png_crc_finish(png_ptr, skip))
1637 return;
1638
1639 buffer[length] = 0;
1640
1641 for (entry_start = buffer; *entry_start; entry_start++)
1642 /* Empty loop to find end of name */ ; 1236 /* Empty loop to find end of name */ ;
1643
1644 ++entry_start; 1237 ++entry_start;
1645 1238
1646 /* A sample depth should follow the separator, and we should be on it */ 1239 /* A sample depth should follow the separator, and we should be on it */
1647 if (entry_start > buffer + length - 2) 1240 if (entry_start > (png_bytep)png_ptr->chunkdata + slength - 2)
1648 { 1241 {
1242 png_free(png_ptr, png_ptr->chunkdata);
1243 png_ptr->chunkdata = NULL;
1649 png_warning(png_ptr, "malformed sPLT chunk"); 1244 png_warning(png_ptr, "malformed sPLT chunk");
1650 return; 1245 return;
1651 } 1246 }
1652 1247
1653 new_palette.depth = *entry_start++; 1248 new_palette.depth = *entry_start++;
1654 entry_size = (new_palette.depth == 8 ? 6 : 10); 1249 entry_size = (new_palette.depth == 8 ? 6 : 10);
1655 /* This must fit in a png_uint_32 because it is derived from the original 1250 data_length = (slength - (entry_start - (png_bytep)png_ptr->chunkdata));
1656 * chunk data length.
1657 */
1658 data_length = length - (png_uint_32)(entry_start - buffer);
1659 1251
1660 /* Integrity-check the data length */ 1252 /* Integrity-check the data length */
1661 if (data_length % entry_size) 1253 if (data_length % entry_size)
1662 { 1254 {
1255 png_free(png_ptr, png_ptr->chunkdata);
1256 png_ptr->chunkdata = NULL;
1663 png_warning(png_ptr, "sPLT chunk has bad length"); 1257 png_warning(png_ptr, "sPLT chunk has bad length");
1664 return; 1258 return;
1665 } 1259 }
1666 1260
1667 dl = (png_int_32)(data_length / entry_size); 1261 new_palette.nentries = (png_int_32) ( data_length / entry_size);
1668 max_dl = PNG_SIZE_MAX / (sizeof (png_sPLT_entry)); 1262 if ((png_uint_32) new_palette.nentries >
1669 1263 (png_uint_32) (PNG_SIZE_MAX / png_sizeof(png_sPLT_entry)))
1670 if (dl > max_dl)
1671 { 1264 {
1672 png_warning(png_ptr, "sPLT chunk too long"); 1265 png_warning(png_ptr, "sPLT chunk too long");
1673 return; 1266 return;
1674 } 1267 }
1675
1676 new_palette.nentries = (png_int_32)(data_length / entry_size);
1677
1678 new_palette.entries = (png_sPLT_entryp)png_malloc_warn( 1268 new_palette.entries = (png_sPLT_entryp)png_malloc_warn(
1679 png_ptr, new_palette.nentries * (sizeof (png_sPLT_entry))); 1269 png_ptr, new_palette.nentries * png_sizeof(png_sPLT_entry));
1680
1681 if (new_palette.entries == NULL) 1270 if (new_palette.entries == NULL)
1682 { 1271 {
1683 png_warning(png_ptr, "sPLT chunk requires too much memory"); 1272 png_warning(png_ptr, "sPLT chunk requires too much memory");
1684 return; 1273 return;
1685 } 1274 }
1686 1275
1687 #ifdef PNG_POINTER_INDEXING_SUPPORTED 1276 #ifdef PNG_POINTER_INDEXING_SUPPORTED
1688 for (i = 0; i < new_palette.nentries; i++) 1277 for (i = 0; i < new_palette.nentries; i++)
1689 { 1278 {
1690 pp = new_palette.entries + i; 1279 pp = new_palette.entries + i;
1691 1280
1692 if (new_palette.depth == 8) 1281 if (new_palette.depth == 8)
1693 { 1282 {
1694 pp->red = *entry_start++; 1283 pp->red = *entry_start++;
1695 pp->green = *entry_start++; 1284 pp->green = *entry_start++;
1696 pp->blue = *entry_start++; 1285 pp->blue = *entry_start++;
1697 pp->alpha = *entry_start++; 1286 pp->alpha = *entry_start++;
1698 } 1287 }
1699
1700 else 1288 else
1701 { 1289 {
1702 pp->red = png_get_uint_16(entry_start); entry_start += 2; 1290 pp->red = png_get_uint_16(entry_start); entry_start += 2;
1703 pp->green = png_get_uint_16(entry_start); entry_start += 2; 1291 pp->green = png_get_uint_16(entry_start); entry_start += 2;
1704 pp->blue = png_get_uint_16(entry_start); entry_start += 2; 1292 pp->blue = png_get_uint_16(entry_start); entry_start += 2;
1705 pp->alpha = png_get_uint_16(entry_start); entry_start += 2; 1293 pp->alpha = png_get_uint_16(entry_start); entry_start += 2;
1706 } 1294 }
1707
1708 pp->frequency = png_get_uint_16(entry_start); entry_start += 2; 1295 pp->frequency = png_get_uint_16(entry_start); entry_start += 2;
1709 } 1296 }
1710 #else 1297 #else
1711 pp = new_palette.entries; 1298 pp = new_palette.entries;
1712
1713 for (i = 0; i < new_palette.nentries; i++) 1299 for (i = 0; i < new_palette.nentries; i++)
1714 { 1300 {
1715 1301
1716 if (new_palette.depth == 8) 1302 if (new_palette.depth == 8)
1717 { 1303 {
1718 pp[i].red = *entry_start++; 1304 pp[i].red = *entry_start++;
1719 pp[i].green = *entry_start++; 1305 pp[i].green = *entry_start++;
1720 pp[i].blue = *entry_start++; 1306 pp[i].blue = *entry_start++;
1721 pp[i].alpha = *entry_start++; 1307 pp[i].alpha = *entry_start++;
1722 } 1308 }
1723
1724 else 1309 else
1725 { 1310 {
1726 pp[i].red = png_get_uint_16(entry_start); entry_start += 2; 1311 pp[i].red = png_get_uint_16(entry_start); entry_start += 2;
1727 pp[i].green = png_get_uint_16(entry_start); entry_start += 2; 1312 pp[i].green = png_get_uint_16(entry_start); entry_start += 2;
1728 pp[i].blue = png_get_uint_16(entry_start); entry_start += 2; 1313 pp[i].blue = png_get_uint_16(entry_start); entry_start += 2;
1729 pp[i].alpha = png_get_uint_16(entry_start); entry_start += 2; 1314 pp[i].alpha = png_get_uint_16(entry_start); entry_start += 2;
1730 } 1315 }
1731 1316 pp->frequency = png_get_uint_16(entry_start); entry_start += 2;
1732 pp[i].frequency = png_get_uint_16(entry_start); entry_start += 2;
1733 } 1317 }
1734 #endif 1318 #endif
1735 1319
1736 /* Discard all chunk data except the name and stash that */ 1320 /* Discard all chunk data except the name and stash that */
1737 new_palette.name = (png_charp)buffer; 1321 new_palette.name = png_ptr->chunkdata;
1738 1322
1739 png_set_sPLT(png_ptr, info_ptr, &new_palette, 1); 1323 png_set_sPLT(png_ptr, info_ptr, &new_palette, 1);
1740 1324
1325 png_free(png_ptr, png_ptr->chunkdata);
1326 png_ptr->chunkdata = NULL;
1741 png_free(png_ptr, new_palette.entries); 1327 png_free(png_ptr, new_palette.entries);
1742 } 1328 }
1743 #endif /* PNG_READ_sPLT_SUPPORTED */ 1329 #endif /* PNG_READ_sPLT_SUPPORTED */
1744 1330
1745 #ifdef PNG_READ_tRNS_SUPPORTED 1331 #ifdef PNG_READ_tRNS_SUPPORTED
1746 void /* PRIVATE */ 1332 void /* PRIVATE */
1747 png_handle_tRNS(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length) 1333 png_handle_tRNS(png_structp png_ptr, png_infop info_ptr, png_uint_32 length)
1748 { 1334 {
1749 png_byte readbuf[PNG_MAX_PALETTE_LENGTH]; 1335 png_byte readbuf[PNG_MAX_PALETTE_LENGTH];
1750 1336
1751 png_debug(1, "in png_handle_tRNS"); 1337 png_debug(1, "in png_handle_tRNS");
1752 1338
1753 if (!(png_ptr->mode & PNG_HAVE_IHDR)) 1339 if (!(png_ptr->mode & PNG_HAVE_IHDR))
1754 png_chunk_error(png_ptr, "missing IHDR"); 1340 png_error(png_ptr, "Missing IHDR before tRNS");
1755
1756 else if (png_ptr->mode & PNG_HAVE_IDAT) 1341 else if (png_ptr->mode & PNG_HAVE_IDAT)
1757 { 1342 {
1343 png_warning(png_ptr, "Invalid tRNS after IDAT");
1758 png_crc_finish(png_ptr, length); 1344 png_crc_finish(png_ptr, length);
1759 png_chunk_benign_error(png_ptr, "out of place"); 1345 return;
1346 }
1347 else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_tRNS))
1348 {
1349 png_warning(png_ptr, "Duplicate tRNS chunk");
1350 png_crc_finish(png_ptr, length);
1760 return; 1351 return;
1761 } 1352 }
1762 1353
1763 else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_tRNS))
1764 {
1765 png_crc_finish(png_ptr, length);
1766 png_chunk_benign_error(png_ptr, "duplicate");
1767 return;
1768 }
1769
1770 if (png_ptr->color_type == PNG_COLOR_TYPE_GRAY) 1354 if (png_ptr->color_type == PNG_COLOR_TYPE_GRAY)
1771 { 1355 {
1772 png_byte buf[2]; 1356 png_byte buf[2];
1773 1357
1774 if (length != 2) 1358 if (length != 2)
1775 { 1359 {
1360 png_warning(png_ptr, "Incorrect tRNS chunk length");
1776 png_crc_finish(png_ptr, length); 1361 png_crc_finish(png_ptr, length);
1777 png_chunk_benign_error(png_ptr, "invalid");
1778 return; 1362 return;
1779 } 1363 }
1780 1364
1781 png_crc_read(png_ptr, buf, 2); 1365 png_crc_read(png_ptr, buf, 2);
1782 png_ptr->num_trans = 1; 1366 png_ptr->num_trans = 1;
1783 png_ptr->trans_color.gray = png_get_uint_16(buf); 1367 png_ptr->trans_values.gray = png_get_uint_16(buf);
1784 } 1368 }
1785
1786 else if (png_ptr->color_type == PNG_COLOR_TYPE_RGB) 1369 else if (png_ptr->color_type == PNG_COLOR_TYPE_RGB)
1787 { 1370 {
1788 png_byte buf[6]; 1371 png_byte buf[6];
1789 1372
1790 if (length != 6) 1373 if (length != 6)
1791 { 1374 {
1375 png_warning(png_ptr, "Incorrect tRNS chunk length");
1792 png_crc_finish(png_ptr, length); 1376 png_crc_finish(png_ptr, length);
1793 png_chunk_benign_error(png_ptr, "invalid");
1794 return; 1377 return;
1795 } 1378 }
1796 1379 png_crc_read(png_ptr, buf, (png_size_t)length);
1797 png_crc_read(png_ptr, buf, length);
1798 png_ptr->num_trans = 1; 1380 png_ptr->num_trans = 1;
1799 png_ptr->trans_color.red = png_get_uint_16(buf); 1381 png_ptr->trans_values.red = png_get_uint_16(buf);
1800 png_ptr->trans_color.green = png_get_uint_16(buf + 2); 1382 png_ptr->trans_values.green = png_get_uint_16(buf + 2);
1801 png_ptr->trans_color.blue = png_get_uint_16(buf + 4); 1383 png_ptr->trans_values.blue = png_get_uint_16(buf + 4);
1802 } 1384 }
1803
1804 else if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) 1385 else if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
1805 { 1386 {
1806 if (!(png_ptr->mode & PNG_HAVE_PLTE)) 1387 if (!(png_ptr->mode & PNG_HAVE_PLTE))
1807 { 1388 {
1808 /* TODO: is this actually an error in the ISO spec? */ 1389 /* Should be an error, but we can cope with it. */
1390 png_warning(png_ptr, "Missing PLTE before tRNS");
1391 }
1392 if (length > (png_uint_32)png_ptr->num_palette ||
1393 length > PNG_MAX_PALETTE_LENGTH)
1394 {
1395 png_warning(png_ptr, "Incorrect tRNS chunk length");
1809 png_crc_finish(png_ptr, length); 1396 png_crc_finish(png_ptr, length);
1810 png_chunk_benign_error(png_ptr, "out of place");
1811 return; 1397 return;
1812 } 1398 }
1813 1399 if (length == 0)
1814 if (length > png_ptr->num_palette || length > PNG_MAX_PALETTE_LENGTH ||
1815 length == 0)
1816 { 1400 {
1401 png_warning(png_ptr, "Zero length tRNS chunk");
1817 png_crc_finish(png_ptr, length); 1402 png_crc_finish(png_ptr, length);
1818 png_chunk_benign_error(png_ptr, "invalid");
1819 return; 1403 return;
1820 } 1404 }
1821 1405 png_crc_read(png_ptr, readbuf, (png_size_t)length);
1822 png_crc_read(png_ptr, readbuf, length);
1823 png_ptr->num_trans = (png_uint_16)length; 1406 png_ptr->num_trans = (png_uint_16)length;
1824 } 1407 }
1825
1826 else 1408 else
1827 { 1409 {
1410 png_warning(png_ptr, "tRNS chunk not allowed with alpha channel");
1828 png_crc_finish(png_ptr, length); 1411 png_crc_finish(png_ptr, length);
1829 png_chunk_benign_error(png_ptr, "invalid with alpha channel");
1830 return; 1412 return;
1831 } 1413 }
1832 1414
1833 if (png_crc_finish(png_ptr, 0)) 1415 if (png_crc_finish(png_ptr, 0))
1834 { 1416 {
1835 png_ptr->num_trans = 0; 1417 png_ptr->num_trans = 0;
1836 return; 1418 return;
1837 } 1419 }
1838 1420
1839 /* TODO: this is a horrible side effect in the palette case because the
1840 * png_struct ends up with a pointer to the tRNS buffer owned by the
1841 * png_info. Fix this.
1842 */
1843 png_set_tRNS(png_ptr, info_ptr, readbuf, png_ptr->num_trans, 1421 png_set_tRNS(png_ptr, info_ptr, readbuf, png_ptr->num_trans,
1844 &(png_ptr->trans_color)); 1422 &(png_ptr->trans_values));
1845 } 1423 }
1846 #endif 1424 #endif
1847 1425
1848 #ifdef PNG_READ_bKGD_SUPPORTED 1426 #ifdef PNG_READ_bKGD_SUPPORTED
1849 void /* PRIVATE */ 1427 void /* PRIVATE */
1850 png_handle_bKGD(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length) 1428 png_handle_bKGD(png_structp png_ptr, png_infop info_ptr, png_uint_32 length)
1851 { 1429 {
1852 unsigned int truelen; 1430 png_size_t truelen;
1853 png_byte buf[6]; 1431 png_byte buf[6];
1854 png_color_16 background;
1855 1432
1856 png_debug(1, "in png_handle_bKGD"); 1433 png_debug(1, "in png_handle_bKGD");
1857 1434
1858 if (!(png_ptr->mode & PNG_HAVE_IHDR)) 1435 if (!(png_ptr->mode & PNG_HAVE_IHDR))
1859 png_chunk_error(png_ptr, "missing IHDR"); 1436 png_error(png_ptr, "Missing IHDR before bKGD");
1860 1437 else if (png_ptr->mode & PNG_HAVE_IDAT)
1861 else if ((png_ptr->mode & PNG_HAVE_IDAT) ||
1862 (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE &&
1863 !(png_ptr->mode & PNG_HAVE_PLTE)))
1864 { 1438 {
1439 png_warning(png_ptr, "Invalid bKGD after IDAT");
1865 png_crc_finish(png_ptr, length); 1440 png_crc_finish(png_ptr, length);
1866 png_chunk_benign_error(png_ptr, "out of place");
1867 return; 1441 return;
1868 } 1442 }
1869 1443 else if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE &&
1444 !(png_ptr->mode & PNG_HAVE_PLTE))
1445 {
1446 png_warning(png_ptr, "Missing PLTE before bKGD");
1447 png_crc_finish(png_ptr, length);
1448 return;
1449 }
1870 else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_bKGD)) 1450 else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_bKGD))
1871 { 1451 {
1452 png_warning(png_ptr, "Duplicate bKGD chunk");
1872 png_crc_finish(png_ptr, length); 1453 png_crc_finish(png_ptr, length);
1873 png_chunk_benign_error(png_ptr, "duplicate");
1874 return; 1454 return;
1875 } 1455 }
1876 1456
1877 if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) 1457 if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
1878 truelen = 1; 1458 truelen = 1;
1879
1880 else if (png_ptr->color_type & PNG_COLOR_MASK_COLOR) 1459 else if (png_ptr->color_type & PNG_COLOR_MASK_COLOR)
1881 truelen = 6; 1460 truelen = 6;
1882
1883 else 1461 else
1884 truelen = 2; 1462 truelen = 2;
1885 1463
1886 if (length != truelen) 1464 if (length != truelen)
1887 { 1465 {
1466 png_warning(png_ptr, "Incorrect bKGD chunk length");
1888 png_crc_finish(png_ptr, length); 1467 png_crc_finish(png_ptr, length);
1889 png_chunk_benign_error(png_ptr, "invalid");
1890 return; 1468 return;
1891 } 1469 }
1892 1470
1893 png_crc_read(png_ptr, buf, truelen); 1471 png_crc_read(png_ptr, buf, truelen);
1894
1895 if (png_crc_finish(png_ptr, 0)) 1472 if (png_crc_finish(png_ptr, 0))
1896 return; 1473 return;
1897 1474
1898 /* We convert the index value into RGB components so that we can allow 1475 /* We convert the index value into RGB components so that we can allow
1899 * arbitrary RGB values for background when we have transparency, and 1476 * arbitrary RGB values for background when we have transparency, and
1900 * so it is easy to determine the RGB values of the background color 1477 * so it is easy to determine the RGB values of the background color
1901 * from the info_ptr struct. 1478 * from the info_ptr struct. */
1902 */
1903 if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) 1479 if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
1904 { 1480 {
1905 background.index = buf[0]; 1481 png_ptr->background.index = buf[0];
1906
1907 if (info_ptr && info_ptr->num_palette) 1482 if (info_ptr && info_ptr->num_palette)
1908 { 1483 {
1909 if (buf[0] >= info_ptr->num_palette) 1484 if (buf[0] >= info_ptr->num_palette)
1910 { 1485 {
1911 png_chunk_benign_error(png_ptr, "invalid index"); 1486 png_warning(png_ptr, "Incorrect bKGD chunk index value");
1912 return; 1487 return;
1913 } 1488 }
1914 1489 png_ptr->background.red =
1915 background.red = (png_uint_16)png_ptr->palette[buf[0]].red; 1490 (png_uint_16)png_ptr->palette[buf[0]].red;
1916 background.green = (png_uint_16)png_ptr->palette[buf[0]].green; 1491 png_ptr->background.green =
1917 background.blue = (png_uint_16)png_ptr->palette[buf[0]].blue; 1492 (png_uint_16)png_ptr->palette[buf[0]].green;
1493 png_ptr->background.blue =
1494 (png_uint_16)png_ptr->palette[buf[0]].blue;
1918 } 1495 }
1919 1496 }
1920 else 1497 else if (!(png_ptr->color_type & PNG_COLOR_MASK_COLOR)) /* GRAY */
1921 background.red = background.green = background.blue = 0; 1498 {
1922 1499 png_ptr->background.red =
1923 background.gray = 0; 1500 png_ptr->background.green =
1501 png_ptr->background.blue =
1502 png_ptr->background.gray = png_get_uint_16(buf);
1503 }
1504 else
1505 {
1506 png_ptr->background.red = png_get_uint_16(buf);
1507 png_ptr->background.green = png_get_uint_16(buf + 2);
1508 png_ptr->background.blue = png_get_uint_16(buf + 4);
1924 } 1509 }
1925 1510
1926 else if (!(png_ptr->color_type & PNG_COLOR_MASK_COLOR)) /* GRAY */ 1511 png_set_bKGD(png_ptr, info_ptr, &(png_ptr->background));
1927 {
1928 background.index = 0;
1929 background.red =
1930 background.green =
1931 background.blue =
1932 background.gray = png_get_uint_16(buf);
1933 }
1934
1935 else
1936 {
1937 background.index = 0;
1938 background.red = png_get_uint_16(buf);
1939 background.green = png_get_uint_16(buf + 2);
1940 background.blue = png_get_uint_16(buf + 4);
1941 background.gray = 0;
1942 }
1943
1944 png_set_bKGD(png_ptr, info_ptr, &background);
1945 } 1512 }
1946 #endif 1513 #endif
1947 1514
1948 #ifdef PNG_READ_hIST_SUPPORTED 1515 #ifdef PNG_READ_hIST_SUPPORTED
1949 void /* PRIVATE */ 1516 void /* PRIVATE */
1950 png_handle_hIST(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length) 1517 png_handle_hIST(png_structp png_ptr, png_infop info_ptr, png_uint_32 length)
1951 { 1518 {
1952 unsigned int num, i; 1519 unsigned int num, i;
1953 png_uint_16 readbuf[PNG_MAX_PALETTE_LENGTH]; 1520 png_uint_16 readbuf[PNG_MAX_PALETTE_LENGTH];
1954 1521
1955 png_debug(1, "in png_handle_hIST"); 1522 png_debug(1, "in png_handle_hIST");
1956 1523
1957 if (!(png_ptr->mode & PNG_HAVE_IHDR)) 1524 if (!(png_ptr->mode & PNG_HAVE_IHDR))
1958 png_chunk_error(png_ptr, "missing IHDR"); 1525 png_error(png_ptr, "Missing IHDR before hIST");
1959 1526 else if (png_ptr->mode & PNG_HAVE_IDAT)
1960 else if ((png_ptr->mode & PNG_HAVE_IDAT) || !(png_ptr->mode & PNG_HAVE_PLTE))
1961 { 1527 {
1528 png_warning(png_ptr, "Invalid hIST after IDAT");
1962 png_crc_finish(png_ptr, length); 1529 png_crc_finish(png_ptr, length);
1963 png_chunk_benign_error(png_ptr, "out of place");
1964 return; 1530 return;
1965 } 1531 }
1966 1532 else if (!(png_ptr->mode & PNG_HAVE_PLTE))
1533 {
1534 png_warning(png_ptr, "Missing PLTE before hIST");
1535 png_crc_finish(png_ptr, length);
1536 return;
1537 }
1967 else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_hIST)) 1538 else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_hIST))
1968 { 1539 {
1540 png_warning(png_ptr, "Duplicate hIST chunk");
1969 png_crc_finish(png_ptr, length); 1541 png_crc_finish(png_ptr, length);
1970 png_chunk_benign_error(png_ptr, "duplicate");
1971 return; 1542 return;
1972 } 1543 }
1973 1544
1974 num = length / 2 ; 1545 num = length / 2 ;
1975 1546 if (num != (unsigned int) png_ptr->num_palette || num >
1976 if (num != png_ptr->num_palette || num > PNG_MAX_PALETTE_LENGTH) 1547 (unsigned int) PNG_MAX_PALETTE_LENGTH)
1977 { 1548 {
1549 png_warning(png_ptr, "Incorrect hIST chunk length");
1978 png_crc_finish(png_ptr, length); 1550 png_crc_finish(png_ptr, length);
1979 png_chunk_benign_error(png_ptr, "invalid");
1980 return; 1551 return;
1981 } 1552 }
1982 1553
1983 for (i = 0; i < num; i++) 1554 for (i = 0; i < num; i++)
1984 { 1555 {
1985 png_byte buf[2]; 1556 png_byte buf[2];
1986 1557
1987 png_crc_read(png_ptr, buf, 2); 1558 png_crc_read(png_ptr, buf, 2);
1988 readbuf[i] = png_get_uint_16(buf); 1559 readbuf[i] = png_get_uint_16(buf);
1989 } 1560 }
1990 1561
1991 if (png_crc_finish(png_ptr, 0)) 1562 if (png_crc_finish(png_ptr, 0))
1992 return; 1563 return;
1993 1564
1994 png_set_hIST(png_ptr, info_ptr, readbuf); 1565 png_set_hIST(png_ptr, info_ptr, readbuf);
1995 } 1566 }
1996 #endif 1567 #endif
1997 1568
1998 #ifdef PNG_READ_pHYs_SUPPORTED 1569 #ifdef PNG_READ_pHYs_SUPPORTED
1999 void /* PRIVATE */ 1570 void /* PRIVATE */
2000 png_handle_pHYs(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length) 1571 png_handle_pHYs(png_structp png_ptr, png_infop info_ptr, png_uint_32 length)
2001 { 1572 {
2002 png_byte buf[9]; 1573 png_byte buf[9];
2003 png_uint_32 res_x, res_y; 1574 png_uint_32 res_x, res_y;
2004 int unit_type; 1575 int unit_type;
2005 1576
2006 png_debug(1, "in png_handle_pHYs"); 1577 png_debug(1, "in png_handle_pHYs");
2007 1578
2008 if (!(png_ptr->mode & PNG_HAVE_IHDR)) 1579 if (!(png_ptr->mode & PNG_HAVE_IHDR))
2009 png_chunk_error(png_ptr, "missing IHDR"); 1580 png_error(png_ptr, "Missing IHDR before pHYs");
2010
2011 else if (png_ptr->mode & PNG_HAVE_IDAT) 1581 else if (png_ptr->mode & PNG_HAVE_IDAT)
2012 { 1582 {
1583 png_warning(png_ptr, "Invalid pHYs after IDAT");
2013 png_crc_finish(png_ptr, length); 1584 png_crc_finish(png_ptr, length);
2014 png_chunk_benign_error(png_ptr, "out of place");
2015 return; 1585 return;
2016 } 1586 }
2017
2018 else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_pHYs)) 1587 else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_pHYs))
2019 { 1588 {
1589 png_warning(png_ptr, "Duplicate pHYs chunk");
2020 png_crc_finish(png_ptr, length); 1590 png_crc_finish(png_ptr, length);
2021 png_chunk_benign_error(png_ptr, "duplicate");
2022 return; 1591 return;
2023 } 1592 }
2024 1593
2025 if (length != 9) 1594 if (length != 9)
2026 { 1595 {
1596 png_warning(png_ptr, "Incorrect pHYs chunk length");
2027 png_crc_finish(png_ptr, length); 1597 png_crc_finish(png_ptr, length);
2028 png_chunk_benign_error(png_ptr, "invalid");
2029 return; 1598 return;
2030 } 1599 }
2031 1600
2032 png_crc_read(png_ptr, buf, 9); 1601 png_crc_read(png_ptr, buf, 9);
2033
2034 if (png_crc_finish(png_ptr, 0)) 1602 if (png_crc_finish(png_ptr, 0))
2035 return; 1603 return;
2036 1604
2037 res_x = png_get_uint_32(buf); 1605 res_x = png_get_uint_32(buf);
2038 res_y = png_get_uint_32(buf + 4); 1606 res_y = png_get_uint_32(buf + 4);
2039 unit_type = buf[8]; 1607 unit_type = buf[8];
2040 png_set_pHYs(png_ptr, info_ptr, res_x, res_y, unit_type); 1608 png_set_pHYs(png_ptr, info_ptr, res_x, res_y, unit_type);
2041 } 1609 }
2042 #endif 1610 #endif
2043 1611
2044 #ifdef PNG_READ_oFFs_SUPPORTED 1612 #ifdef PNG_READ_oFFs_SUPPORTED
2045 void /* PRIVATE */ 1613 void /* PRIVATE */
2046 png_handle_oFFs(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length) 1614 png_handle_oFFs(png_structp png_ptr, png_infop info_ptr, png_uint_32 length)
2047 { 1615 {
2048 png_byte buf[9]; 1616 png_byte buf[9];
2049 png_int_32 offset_x, offset_y; 1617 png_int_32 offset_x, offset_y;
2050 int unit_type; 1618 int unit_type;
2051 1619
2052 png_debug(1, "in png_handle_oFFs"); 1620 png_debug(1, "in png_handle_oFFs");
2053 1621
2054 if (!(png_ptr->mode & PNG_HAVE_IHDR)) 1622 if (!(png_ptr->mode & PNG_HAVE_IHDR))
2055 png_chunk_error(png_ptr, "missing IHDR"); 1623 png_error(png_ptr, "Missing IHDR before oFFs");
2056
2057 else if (png_ptr->mode & PNG_HAVE_IDAT) 1624 else if (png_ptr->mode & PNG_HAVE_IDAT)
2058 { 1625 {
1626 png_warning(png_ptr, "Invalid oFFs after IDAT");
2059 png_crc_finish(png_ptr, length); 1627 png_crc_finish(png_ptr, length);
2060 png_chunk_benign_error(png_ptr, "out of place");
2061 return; 1628 return;
2062 } 1629 }
2063
2064 else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_oFFs)) 1630 else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_oFFs))
2065 { 1631 {
1632 png_warning(png_ptr, "Duplicate oFFs chunk");
2066 png_crc_finish(png_ptr, length); 1633 png_crc_finish(png_ptr, length);
2067 png_chunk_benign_error(png_ptr, "duplicate");
2068 return; 1634 return;
2069 } 1635 }
2070 1636
2071 if (length != 9) 1637 if (length != 9)
2072 { 1638 {
1639 png_warning(png_ptr, "Incorrect oFFs chunk length");
2073 png_crc_finish(png_ptr, length); 1640 png_crc_finish(png_ptr, length);
2074 png_chunk_benign_error(png_ptr, "invalid");
2075 return; 1641 return;
2076 } 1642 }
2077 1643
2078 png_crc_read(png_ptr, buf, 9); 1644 png_crc_read(png_ptr, buf, 9);
2079
2080 if (png_crc_finish(png_ptr, 0)) 1645 if (png_crc_finish(png_ptr, 0))
2081 return; 1646 return;
2082 1647
2083 offset_x = png_get_int_32(buf); 1648 offset_x = png_get_int_32(buf);
2084 offset_y = png_get_int_32(buf + 4); 1649 offset_y = png_get_int_32(buf + 4);
2085 unit_type = buf[8]; 1650 unit_type = buf[8];
2086 png_set_oFFs(png_ptr, info_ptr, offset_x, offset_y, unit_type); 1651 png_set_oFFs(png_ptr, info_ptr, offset_x, offset_y, unit_type);
2087 } 1652 }
2088 #endif 1653 #endif
2089 1654
2090 #ifdef PNG_READ_pCAL_SUPPORTED 1655 #ifdef PNG_READ_pCAL_SUPPORTED
2091 /* Read the pCAL chunk (described in the PNG Extensions document) */ 1656 /* Read the pCAL chunk (described in the PNG Extensions document) */
2092 void /* PRIVATE */ 1657 void /* PRIVATE */
2093 png_handle_pCAL(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length) 1658 png_handle_pCAL(png_structp png_ptr, png_infop info_ptr, png_uint_32 length)
2094 { 1659 {
2095 png_int_32 X0, X1; 1660 png_int_32 X0, X1;
2096 png_byte type, nparams; 1661 png_byte type, nparams;
2097 png_bytep buffer, buf, units, endptr; 1662 png_charp buf, units, endptr;
2098 png_charpp params; 1663 png_charpp params;
1664 png_size_t slength;
2099 int i; 1665 int i;
2100 1666
2101 png_debug(1, "in png_handle_pCAL"); 1667 png_debug(1, "in png_handle_pCAL");
2102 1668
2103 if (!(png_ptr->mode & PNG_HAVE_IHDR)) 1669 if (!(png_ptr->mode & PNG_HAVE_IHDR))
2104 png_chunk_error(png_ptr, "missing IHDR"); 1670 png_error(png_ptr, "Missing IHDR before pCAL");
2105
2106 else if (png_ptr->mode & PNG_HAVE_IDAT) 1671 else if (png_ptr->mode & PNG_HAVE_IDAT)
2107 { 1672 {
1673 png_warning(png_ptr, "Invalid pCAL after IDAT");
2108 png_crc_finish(png_ptr, length); 1674 png_crc_finish(png_ptr, length);
2109 png_chunk_benign_error(png_ptr, "out of place"); 1675 return;
1676 }
1677 else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_pCAL))
1678 {
1679 png_warning(png_ptr, "Duplicate pCAL chunk");
1680 png_crc_finish(png_ptr, length);
2110 return; 1681 return;
2111 } 1682 }
2112 1683
2113 else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_pCAL)) 1684 png_debug1(2, "Allocating and reading pCAL chunk data (%lu bytes)",
1685 length + 1);
1686 png_free(png_ptr, png_ptr->chunkdata);
1687 png_ptr->chunkdata = (png_charp)png_malloc_warn(png_ptr, length + 1);
1688 if (png_ptr->chunkdata == NULL)
1689 {
1690 png_warning(png_ptr, "No memory for pCAL purpose.");
1691 return;
1692 }
1693 slength = (png_size_t)length;
1694 png_crc_read(png_ptr, (png_bytep)png_ptr->chunkdata, slength);
1695
1696 if (png_crc_finish(png_ptr, 0))
2114 { 1697 {
2115 png_crc_finish(png_ptr, length); 1698 png_free(png_ptr, png_ptr->chunkdata);
2116 png_chunk_benign_error(png_ptr, "duplicate"); 1699 png_ptr->chunkdata = NULL;
2117 return; 1700 return;
2118 } 1701 }
2119 1702
2120 png_debug1(2, "Allocating and reading pCAL chunk data (%u bytes)", 1703 png_ptr->chunkdata[slength] = 0x00; /* Null terminate the last string */
2121 length + 1);
2122 1704
2123 buffer = png_read_buffer(png_ptr, length+1, 2/*silent*/); 1705 png_debug(3, "Finding end of pCAL purpose string");
1706 for (buf = png_ptr->chunkdata; *buf; buf++)
1707 /* Empty loop */ ;
2124 1708
2125 if (buffer == NULL) 1709 endptr = png_ptr->chunkdata + slength;
1710
1711 /* We need to have at least 12 bytes after the purpose string
1712 in order to get the parameter information. */
1713 if (endptr <= buf + 12)
2126 { 1714 {
2127 png_crc_finish(png_ptr, length); 1715 png_warning(png_ptr, "Invalid pCAL data");
2128 png_chunk_benign_error(png_ptr, "out of memory"); 1716 png_free(png_ptr, png_ptr->chunkdata);
1717 png_ptr->chunkdata = NULL;
2129 return; 1718 return;
2130 } 1719 }
2131 1720
2132 png_crc_read(png_ptr, buffer, length);
2133
2134 if (png_crc_finish(png_ptr, 0))
2135 return;
2136
2137 buffer[length] = 0; /* Null terminate the last string */
2138
2139 png_debug(3, "Finding end of pCAL purpose string");
2140 for (buf = buffer; *buf; buf++)
2141 /* Empty loop */ ;
2142
2143 endptr = buffer + length;
2144
2145 /* We need to have at least 12 bytes after the purpose string
2146 * in order to get the parameter information.
2147 */
2148 if (endptr <= buf + 12)
2149 {
2150 png_chunk_benign_error(png_ptr, "invalid");
2151 return;
2152 }
2153
2154 png_debug(3, "Reading pCAL X0, X1, type, nparams, and units"); 1721 png_debug(3, "Reading pCAL X0, X1, type, nparams, and units");
2155 X0 = png_get_int_32((png_bytep)buf+1); 1722 X0 = png_get_int_32((png_bytep)buf+1);
2156 X1 = png_get_int_32((png_bytep)buf+5); 1723 X1 = png_get_int_32((png_bytep)buf+5);
2157 type = buf[9]; 1724 type = buf[9];
2158 nparams = buf[10]; 1725 nparams = buf[10];
2159 units = buf + 11; 1726 units = buf + 11;
2160 1727
2161 png_debug(3, "Checking pCAL equation type and number of parameters"); 1728 png_debug(3, "Checking pCAL equation type and number of parameters");
2162 /* Check that we have the right number of parameters for known 1729 /* Check that we have the right number of parameters for known
2163 * equation types. 1730 equation types. */
2164 */
2165 if ((type == PNG_EQUATION_LINEAR && nparams != 2) || 1731 if ((type == PNG_EQUATION_LINEAR && nparams != 2) ||
2166 (type == PNG_EQUATION_BASE_E && nparams != 3) || 1732 (type == PNG_EQUATION_BASE_E && nparams != 3) ||
2167 (type == PNG_EQUATION_ARBITRARY && nparams != 3) || 1733 (type == PNG_EQUATION_ARBITRARY && nparams != 3) ||
2168 (type == PNG_EQUATION_HYPERBOLIC && nparams != 4)) 1734 (type == PNG_EQUATION_HYPERBOLIC && nparams != 4))
2169 { 1735 {
2170 png_chunk_benign_error(png_ptr, "invalid parameter count"); 1736 png_warning(png_ptr, "Invalid pCAL parameters for equation type");
1737 png_free(png_ptr, png_ptr->chunkdata);
1738 png_ptr->chunkdata = NULL;
2171 return; 1739 return;
2172 } 1740 }
2173
2174 else if (type >= PNG_EQUATION_LAST) 1741 else if (type >= PNG_EQUATION_LAST)
2175 { 1742 {
2176 png_chunk_benign_error(png_ptr, "unrecognized equation type"); 1743 png_warning(png_ptr, "Unrecognized equation type for pCAL chunk");
2177 } 1744 }
2178 1745
2179 for (buf = units; *buf; buf++) 1746 for (buf = units; *buf; buf++)
2180 /* Empty loop to move past the units string. */ ; 1747 /* Empty loop to move past the units string. */ ;
2181 1748
2182 png_debug(3, "Allocating pCAL parameters array"); 1749 png_debug(3, "Allocating pCAL parameters array");
2183 1750 params = (png_charpp)png_malloc_warn(png_ptr,
2184 params = png_voidcast(png_charpp, png_malloc_warn(png_ptr, 1751 (png_uint_32)(nparams * png_sizeof(png_charp))) ;
2185 nparams * (sizeof (png_charp))));
2186
2187 if (params == NULL) 1752 if (params == NULL)
2188 { 1753 {
2189 png_chunk_benign_error(png_ptr, "out of memory"); 1754 png_free(png_ptr, png_ptr->chunkdata);
2190 return; 1755 png_ptr->chunkdata = NULL;
2191 } 1756 png_warning(png_ptr, "No memory for pCAL params.");
1757 return;
1758 }
2192 1759
2193 /* Get pointers to the start of each parameter string. */ 1760 /* Get pointers to the start of each parameter string. */
2194 for (i = 0; i < nparams; i++) 1761 for (i = 0; i < (int)nparams; i++)
2195 { 1762 {
2196 buf++; /* Skip the null string terminator from previous parameter. */ 1763 buf++; /* Skip the null string terminator from previous parameter. */
2197 1764
2198 png_debug1(3, "Reading pCAL parameter %d", i); 1765 png_debug1(3, "Reading pCAL parameter %d", i);
2199 1766 for (params[i] = buf; buf <= endptr && *buf != 0x00; buf++)
2200 for (params[i] = (png_charp)buf; buf <= endptr && *buf != 0; buf++)
2201 /* Empty loop to move past each parameter string */ ; 1767 /* Empty loop to move past each parameter string */ ;
2202 1768
2203 /* Make sure we haven't run out of data yet */ 1769 /* Make sure we haven't run out of data yet */
2204 if (buf > endptr) 1770 if (buf > endptr)
2205 { 1771 {
1772 png_warning(png_ptr, "Invalid pCAL data");
1773 png_free(png_ptr, png_ptr->chunkdata);
1774 png_ptr->chunkdata = NULL;
2206 png_free(png_ptr, params); 1775 png_free(png_ptr, params);
2207 png_chunk_benign_error(png_ptr, "invalid data");
2208 return; 1776 return;
2209 } 1777 }
2210 } 1778 }
2211 1779
2212 png_set_pCAL(png_ptr, info_ptr, (png_charp)buffer, X0, X1, type, nparams, 1780 png_set_pCAL(png_ptr, info_ptr, png_ptr->chunkdata, X0, X1, type, nparams,
2213 (png_charp)units, params); 1781 units, params);
2214 1782
1783 png_free(png_ptr, png_ptr->chunkdata);
1784 png_ptr->chunkdata = NULL;
2215 png_free(png_ptr, params); 1785 png_free(png_ptr, params);
2216 } 1786 }
2217 #endif 1787 #endif
2218 1788
2219 #ifdef PNG_READ_sCAL_SUPPORTED 1789 #ifdef PNG_READ_sCAL_SUPPORTED
2220 /* Read the sCAL chunk */ 1790 /* Read the sCAL chunk */
2221 void /* PRIVATE */ 1791 void /* PRIVATE */
2222 png_handle_sCAL(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length) 1792 png_handle_sCAL(png_structp png_ptr, png_infop info_ptr, png_uint_32 length)
2223 { 1793 {
2224 png_bytep buffer; 1794 png_charp ep;
2225 png_size_t i; 1795 #ifdef PNG_FLOATING_POINT_SUPPORTED
2226 int state; 1796 double width, height;
1797 png_charp vp;
1798 #else
1799 #ifdef PNG_FIXED_POINT_SUPPORTED
1800 png_charp swidth, sheight;
1801 #endif
1802 #endif
1803 png_size_t slength;
2227 1804
2228 png_debug(1, "in png_handle_sCAL"); 1805 png_debug(1, "in png_handle_sCAL");
2229 1806
2230 if (!(png_ptr->mode & PNG_HAVE_IHDR)) 1807 if (!(png_ptr->mode & PNG_HAVE_IHDR))
2231 png_chunk_error(png_ptr, "missing IHDR"); 1808 png_error(png_ptr, "Missing IHDR before sCAL");
2232
2233 else if (png_ptr->mode & PNG_HAVE_IDAT) 1809 else if (png_ptr->mode & PNG_HAVE_IDAT)
2234 { 1810 {
1811 png_warning(png_ptr, "Invalid sCAL after IDAT");
2235 png_crc_finish(png_ptr, length); 1812 png_crc_finish(png_ptr, length);
2236 png_chunk_benign_error(png_ptr, "out of place");
2237 return; 1813 return;
2238 } 1814 }
2239
2240 else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_sCAL)) 1815 else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_sCAL))
2241 { 1816 {
1817 png_warning(png_ptr, "Duplicate sCAL chunk");
2242 png_crc_finish(png_ptr, length); 1818 png_crc_finish(png_ptr, length);
2243 png_chunk_benign_error(png_ptr, "duplicate");
2244 return; 1819 return;
2245 } 1820 }
2246 1821
2247 /* Need unit type, width, \0, height: minimum 4 bytes */ 1822 /* Need unit type, width, \0, height: minimum 4 bytes */
2248 else if (length < 4) 1823 else if (length < 4)
2249 { 1824 {
2250 png_crc_finish(png_ptr, length); 1825 png_warning(png_ptr, "sCAL chunk too short");
2251 png_chunk_benign_error(png_ptr, "invalid");
2252 return;
2253 }
2254
2255 png_debug1(2, "Allocating and reading sCAL chunk data (%u bytes)",
2256 length + 1);
2257
2258 buffer = png_read_buffer(png_ptr, length+1, 2/*silent*/);
2259
2260 if (buffer == NULL)
2261 {
2262 png_chunk_benign_error(png_ptr, "out of memory");
2263 png_crc_finish(png_ptr, length); 1826 png_crc_finish(png_ptr, length);
2264 return; 1827 return;
2265 } 1828 }
2266 1829
2267 png_crc_read(png_ptr, buffer, length); 1830 png_debug1(2, "Allocating and reading sCAL chunk data (%lu bytes)",
2268 buffer[length] = 0; /* Null terminate the last string */ 1831 length + 1);
1832 png_ptr->chunkdata = (png_charp)png_malloc_warn(png_ptr, length + 1);
1833 if (png_ptr->chunkdata == NULL)
1834 {
1835 png_warning(png_ptr, "Out of memory while processing sCAL chunk");
1836 png_crc_finish(png_ptr, length);
1837 return;
1838 }
1839 slength = (png_size_t)length;
1840 png_crc_read(png_ptr, (png_bytep)png_ptr->chunkdata, slength);
2269 1841
2270 if (png_crc_finish(png_ptr, 0)) 1842 if (png_crc_finish(png_ptr, 0))
2271 return;
2272
2273 /* Validate the unit. */
2274 if (buffer[0] != 1 && buffer[0] != 2)
2275 { 1843 {
2276 png_chunk_benign_error(png_ptr, "invalid unit"); 1844 png_free(png_ptr, png_ptr->chunkdata);
1845 png_ptr->chunkdata = NULL;
2277 return; 1846 return;
2278 } 1847 }
2279 1848
2280 /* Validate the ASCII numbers, need two ASCII numbers separated by 1849 png_ptr->chunkdata[slength] = 0x00; /* Null terminate the last string */
2281 * a '\0' and they need to fit exactly in the chunk data.
2282 */
2283 i = 1;
2284 state = 0;
2285 1850
2286 if (!png_check_fp_number((png_const_charp)buffer, length, &state, &i) || 1851 ep = png_ptr->chunkdata + 1; /* Skip unit byte */
2287 i >= length || buffer[i++] != 0)
2288 png_chunk_benign_error(png_ptr, "bad width format");
2289 1852
2290 else if (!PNG_FP_IS_POSITIVE(state)) 1853 #ifdef PNG_FLOATING_POINT_SUPPORTED
2291 png_chunk_benign_error(png_ptr, "non-positive width"); 1854 width = png_strtod(png_ptr, ep, &vp);
1855 if (*vp)
1856 {
1857 png_warning(png_ptr, "malformed width string in sCAL chunk");
1858 png_free(png_ptr, png_ptr->chunkdata);
1859 png_ptr->chunkdata = NULL;
1860 return;
1861 }
1862 #else
1863 #ifdef PNG_FIXED_POINT_SUPPORTED
1864 swidth = (png_charp)png_malloc_warn(png_ptr, png_strlen(ep) + 1);
1865 if (swidth == NULL)
1866 {
1867 png_warning(png_ptr, "Out of memory while processing sCAL chunk width");
1868 png_free(png_ptr, png_ptr->chunkdata);
1869 png_ptr->chunkdata = NULL;
1870 return;
1871 }
1872 png_memcpy(swidth, ep, (png_size_t)png_strlen(ep));
1873 #endif
1874 #endif
2292 1875
2293 else 1876 for (ep = png_ptr->chunkdata; *ep; ep++)
1877 /* Empty loop */ ;
1878 ep++;
1879
1880 if (png_ptr->chunkdata + slength < ep)
2294 { 1881 {
2295 png_size_t heighti = i; 1882 png_warning(png_ptr, "Truncated sCAL chunk");
1883 #if defined(PNG_FIXED_POINT_SUPPORTED) && !defined(PNG_FLOATING_POINT_SUPPORTED)
1884 png_free(png_ptr, swidth);
1885 #endif
1886 png_free(png_ptr, png_ptr->chunkdata);
1887 png_ptr->chunkdata = NULL;
1888 return;
1889 }
2296 1890
2297 state = 0; 1891 #ifdef PNG_FLOATING_POINT_SUPPORTED
2298 if (!png_check_fp_number((png_const_charp)buffer, length, &state, &i) || 1892 height = png_strtod(png_ptr, ep, &vp);
2299 i != length) 1893 if (*vp)
2300 png_chunk_benign_error(png_ptr, "bad height format"); 1894 {
1895 png_warning(png_ptr, "malformed height string in sCAL chunk");
1896 png_free(png_ptr, png_ptr->chunkdata);
1897 png_ptr->chunkdata = NULL;
1898 #if defined(PNG_FIXED_POINT_SUPPORTED) && !defined(PNG_FLOATING_POINT_SUPPORTED)
1899 png_free(png_ptr, swidth);
1900 #endif
1901 return;
1902 }
1903 #else
1904 #ifdef PNG_FIXED_POINT_SUPPORTED
1905 sheight = (png_charp)png_malloc_warn(png_ptr, png_strlen(ep) + 1);
1906 if (sheight == NULL)
1907 {
1908 png_warning(png_ptr, "Out of memory while processing sCAL chunk height");
1909 png_free(png_ptr, png_ptr->chunkdata);
1910 png_ptr->chunkdata = NULL;
1911 #if defined(PNG_FIXED_POINT_SUPPORTED) && !defined(PNG_FLOATING_POINT_SUPPORTED)
1912 png_free(png_ptr, swidth);
1913 #endif
1914 return;
1915 }
1916 png_memcpy(sheight, ep, (png_size_t)png_strlen(ep));
1917 #endif
1918 #endif
2301 1919
2302 else if (!PNG_FP_IS_POSITIVE(state)) 1920 if (png_ptr->chunkdata + slength < ep
2303 png_chunk_benign_error(png_ptr, "non-positive height"); 1921 #ifdef PNG_FLOATING_POINT_SUPPORTED
1922 || width <= 0. || height <= 0.
1923 #endif
1924 )
1925 {
1926 png_warning(png_ptr, "Invalid sCAL data");
1927 png_free(png_ptr, png_ptr->chunkdata);
1928 png_ptr->chunkdata = NULL;
1929 #if defined(PNG_FIXED_POINT_SUPPORTED) && !defined(PNG_FLOATING_POINT_SUPPORTED)
1930 png_free(png_ptr, swidth);
1931 png_free(png_ptr, sheight);
1932 #endif
1933 return;
1934 }
2304 1935
2305 else 1936
2306 /* This is the (only) success case. */ 1937 #ifdef PNG_FLOATING_POINT_SUPPORTED
2307 png_set_sCAL_s(png_ptr, info_ptr, buffer[0], 1938 png_set_sCAL(png_ptr, info_ptr, png_ptr->chunkdata[0], width, height);
2308 (png_charp)buffer+1, (png_charp)buffer+heighti); 1939 #else
2309 } 1940 #ifdef PNG_FIXED_POINT_SUPPORTED
1941 png_set_sCAL_s(png_ptr, info_ptr, png_ptr->chunkdata[0], swidth, sheight);
1942 #endif
1943 #endif
1944
1945 png_free(png_ptr, png_ptr->chunkdata);
1946 png_ptr->chunkdata = NULL;
1947 #if defined(PNG_FIXED_POINT_SUPPORTED) && !defined(PNG_FLOATING_POINT_SUPPORTED)
1948 png_free(png_ptr, swidth);
1949 png_free(png_ptr, sheight);
1950 #endif
2310 } 1951 }
2311 #endif 1952 #endif
2312 1953
2313 #ifdef PNG_READ_tIME_SUPPORTED 1954 #ifdef PNG_READ_tIME_SUPPORTED
2314 void /* PRIVATE */ 1955 void /* PRIVATE */
2315 png_handle_tIME(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length) 1956 png_handle_tIME(png_structp png_ptr, png_infop info_ptr, png_uint_32 length)
2316 { 1957 {
2317 png_byte buf[7]; 1958 png_byte buf[7];
2318 png_time mod_time; 1959 png_time mod_time;
2319 1960
2320 png_debug(1, "in png_handle_tIME"); 1961 png_debug(1, "in png_handle_tIME");
2321 1962
2322 if (!(png_ptr->mode & PNG_HAVE_IHDR)) 1963 if (!(png_ptr->mode & PNG_HAVE_IHDR))
2323 png_chunk_error(png_ptr, "missing IHDR"); 1964 png_error(png_ptr, "Out of place tIME chunk");
2324
2325 else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_tIME)) 1965 else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_tIME))
2326 { 1966 {
1967 png_warning(png_ptr, "Duplicate tIME chunk");
2327 png_crc_finish(png_ptr, length); 1968 png_crc_finish(png_ptr, length);
2328 png_chunk_benign_error(png_ptr, "duplicate");
2329 return; 1969 return;
2330 } 1970 }
2331 1971
2332 if (png_ptr->mode & PNG_HAVE_IDAT) 1972 if (png_ptr->mode & PNG_HAVE_IDAT)
2333 png_ptr->mode |= PNG_AFTER_IDAT; 1973 png_ptr->mode |= PNG_AFTER_IDAT;
2334 1974
2335 if (length != 7) 1975 if (length != 7)
2336 { 1976 {
1977 png_warning(png_ptr, "Incorrect tIME chunk length");
2337 png_crc_finish(png_ptr, length); 1978 png_crc_finish(png_ptr, length);
2338 png_chunk_benign_error(png_ptr, "invalid");
2339 return; 1979 return;
2340 } 1980 }
2341 1981
2342 png_crc_read(png_ptr, buf, 7); 1982 png_crc_read(png_ptr, buf, 7);
2343
2344 if (png_crc_finish(png_ptr, 0)) 1983 if (png_crc_finish(png_ptr, 0))
2345 return; 1984 return;
2346 1985
2347 mod_time.second = buf[6]; 1986 mod_time.second = buf[6];
2348 mod_time.minute = buf[5]; 1987 mod_time.minute = buf[5];
2349 mod_time.hour = buf[4]; 1988 mod_time.hour = buf[4];
2350 mod_time.day = buf[3]; 1989 mod_time.day = buf[3];
2351 mod_time.month = buf[2]; 1990 mod_time.month = buf[2];
2352 mod_time.year = png_get_uint_16(buf); 1991 mod_time.year = png_get_uint_16(buf);
2353 1992
2354 png_set_tIME(png_ptr, info_ptr, &mod_time); 1993 png_set_tIME(png_ptr, info_ptr, &mod_time);
2355 } 1994 }
2356 #endif 1995 #endif
2357 1996
2358 #ifdef PNG_READ_tEXt_SUPPORTED 1997 #ifdef PNG_READ_tEXt_SUPPORTED
2359 /* Note: this does not properly handle chunks that are > 64K under DOS */ 1998 /* Note: this does not properly handle chunks that are > 64K under DOS */
2360 void /* PRIVATE */ 1999 void /* PRIVATE */
2361 png_handle_tEXt(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length) 2000 png_handle_tEXt(png_structp png_ptr, png_infop info_ptr, png_uint_32 length)
2362 { 2001 {
2363 png_text text_info; 2002 png_textp text_ptr;
2364 png_bytep buffer;
2365 png_charp key; 2003 png_charp key;
2366 png_charp text; 2004 png_charp text;
2367 png_uint_32 skip = 0; 2005 png_uint_32 skip = 0;
2006 png_size_t slength;
2007 int ret;
2368 2008
2369 png_debug(1, "in png_handle_tEXt"); 2009 png_debug(1, "in png_handle_tEXt");
2370 2010
2371 #ifdef PNG_USER_LIMITS_SUPPORTED 2011 #ifdef PNG_USER_LIMITS_SUPPORTED
2372 if (png_ptr->user_chunk_cache_max != 0) 2012 if (png_ptr->user_chunk_cache_max != 0)
2373 { 2013 {
2374 if (png_ptr->user_chunk_cache_max == 1) 2014 if (png_ptr->user_chunk_cache_max == 1)
2375 { 2015 {
2376 png_crc_finish(png_ptr, length); 2016 png_crc_finish(png_ptr, length);
2377 return; 2017 return;
2378 } 2018 }
2379
2380 if (--png_ptr->user_chunk_cache_max == 1) 2019 if (--png_ptr->user_chunk_cache_max == 1)
2381 { 2020 {
2021 png_warning(png_ptr, "No space in chunk cache for tEXt");
2382 png_crc_finish(png_ptr, length); 2022 png_crc_finish(png_ptr, length);
2383 png_chunk_benign_error(png_ptr, "no space in chunk cache");
2384 return; 2023 return;
2385 } 2024 }
2386 } 2025 }
2387 #endif 2026 #endif
2388 2027
2389 if (!(png_ptr->mode & PNG_HAVE_IHDR)) 2028 if (!(png_ptr->mode & PNG_HAVE_IHDR))
2390 png_chunk_error(png_ptr, "missing IHDR"); 2029 png_error(png_ptr, "Missing IHDR before tEXt");
2391 2030
2392 if (png_ptr->mode & PNG_HAVE_IDAT) 2031 if (png_ptr->mode & PNG_HAVE_IDAT)
2393 png_ptr->mode |= PNG_AFTER_IDAT; 2032 png_ptr->mode |= PNG_AFTER_IDAT;
2394 2033
2395 #ifdef PNG_MAX_MALLOC_64K 2034 #ifdef PNG_MAX_MALLOC_64K
2396 if (length > 65535U) 2035 if (length > (png_uint_32)65535L)
2397 { 2036 {
2398 png_crc_finish(png_ptr, length); 2037 png_warning(png_ptr, "tEXt chunk too large to fit in memory");
2399 png_chunk_benign_error(png_ptr, "too large to fit in memory"); 2038 skip = length - (png_uint_32)65535L;
2400 return; 2039 length = (png_uint_32)65535L;
2401 } 2040 }
2402 #endif 2041 #endif
2403 2042
2404 buffer = png_read_buffer(png_ptr, length+1, 1/*warn*/); 2043 png_free(png_ptr, png_ptr->chunkdata);
2405 2044
2406 if (buffer == NULL) 2045 png_ptr->chunkdata = (png_charp)png_malloc_warn(png_ptr, length + 1);
2046 if (png_ptr->chunkdata == NULL)
2407 { 2047 {
2408 png_chunk_benign_error(png_ptr, "out of memory"); 2048 png_warning(png_ptr, "No memory to process text chunk.");
2409 return; 2049 return;
2410 } 2050 }
2411 2051 slength = (png_size_t)length;
2412 png_crc_read(png_ptr, buffer, length); 2052 png_crc_read(png_ptr, (png_bytep)png_ptr->chunkdata, slength);
2413 2053
2414 if (png_crc_finish(png_ptr, skip)) 2054 if (png_crc_finish(png_ptr, skip))
2055 {
2056 png_free(png_ptr, png_ptr->chunkdata);
2057 png_ptr->chunkdata = NULL;
2415 return; 2058 return;
2059 }
2416 2060
2417 key = (png_charp)buffer; 2061 key = png_ptr->chunkdata;
2418 key[length] = 0; 2062
2063 key[slength] = 0x00;
2419 2064
2420 for (text = key; *text; text++) 2065 for (text = key; *text; text++)
2421 /* Empty loop to find end of key */ ; 2066 /* Empty loop to find end of key */ ;
2422 2067
2423 if (text != key + length) 2068 if (text != key + slength)
2424 text++; 2069 text++;
2425 2070
2426 text_info.compression = PNG_TEXT_COMPRESSION_NONE; 2071 text_ptr = (png_textp)png_malloc_warn(png_ptr,
2427 text_info.key = key; 2072 (png_uint_32)png_sizeof(png_text));
2428 text_info.lang = NULL; 2073 if (text_ptr == NULL)
2429 text_info.lang_key = NULL; 2074 {
2430 text_info.itxt_length = 0; 2075 png_warning(png_ptr, "Not enough memory to process text chunk.");
2431 text_info.text = text; 2076 png_free(png_ptr, png_ptr->chunkdata);
2432 text_info.text_length = strlen(text); 2077 png_ptr->chunkdata = NULL;
2078 return;
2079 }
2080 text_ptr->compression = PNG_TEXT_COMPRESSION_NONE;
2081 text_ptr->key = key;
2082 #ifdef PNG_iTXt_SUPPORTED
2083 text_ptr->lang = NULL;
2084 text_ptr->lang_key = NULL;
2085 text_ptr->itxt_length = 0;
2086 #endif
2087 text_ptr->text = text;
2088 text_ptr->text_length = png_strlen(text);
2433 2089
2434 if (png_set_text_2(png_ptr, info_ptr, &text_info, 1)) 2090 ret = png_set_text_2(png_ptr, info_ptr, text_ptr, 1);
2435 png_warning(png_ptr, "Insufficient memory to process text chunk"); 2091
2092 png_free(png_ptr, png_ptr->chunkdata);
2093 png_ptr->chunkdata = NULL;
2094 png_free(png_ptr, text_ptr);
2095 if (ret)
2096 png_warning(png_ptr, "Insufficient memory to process text chunk.");
2436 } 2097 }
2437 #endif 2098 #endif
2438 2099
2439 #ifdef PNG_READ_zTXt_SUPPORTED 2100 #ifdef PNG_READ_zTXt_SUPPORTED
2440 /* Note: this does not correctly handle chunks that are > 64K under DOS */ 2101 /* Note: this does not correctly handle chunks that are > 64K under DOS */
2441 void /* PRIVATE */ 2102 void /* PRIVATE */
2442 png_handle_zTXt(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length) 2103 png_handle_zTXt(png_structp png_ptr, png_infop info_ptr, png_uint_32 length)
2443 { 2104 {
2444 png_const_charp errmsg = NULL; 2105 png_textp text_ptr;
2445 png_bytep buffer; 2106 png_charp text;
2446 png_uint_32 keyword_length; 2107 int comp_type;
2108 int ret;
2109 png_size_t slength, prefix_len, data_len;
2447 2110
2448 png_debug(1, "in png_handle_zTXt"); 2111 png_debug(1, "in png_handle_zTXt");
2449 2112
2450 #ifdef PNG_USER_LIMITS_SUPPORTED 2113 #ifdef PNG_USER_LIMITS_SUPPORTED
2451 if (png_ptr->user_chunk_cache_max != 0) 2114 if (png_ptr->user_chunk_cache_max != 0)
2452 { 2115 {
2453 if (png_ptr->user_chunk_cache_max == 1) 2116 if (png_ptr->user_chunk_cache_max == 1)
2454 { 2117 {
2455 png_crc_finish(png_ptr, length); 2118 png_crc_finish(png_ptr, length);
2456 return; 2119 return;
2457 } 2120 }
2458
2459 if (--png_ptr->user_chunk_cache_max == 1) 2121 if (--png_ptr->user_chunk_cache_max == 1)
2460 { 2122 {
2123 png_warning(png_ptr, "No space in chunk cache for zTXt");
2461 png_crc_finish(png_ptr, length); 2124 png_crc_finish(png_ptr, length);
2462 png_chunk_benign_error(png_ptr, "no space in chunk cache");
2463 return; 2125 return;
2464 } 2126 }
2465 } 2127 }
2466 #endif 2128 #endif
2467 2129
2468 if (!(png_ptr->mode & PNG_HAVE_IHDR)) 2130 if (!(png_ptr->mode & PNG_HAVE_IHDR))
2469 png_chunk_error(png_ptr, "missing IHDR"); 2131 png_error(png_ptr, "Missing IHDR before zTXt");
2470 2132
2471 if (png_ptr->mode & PNG_HAVE_IDAT) 2133 if (png_ptr->mode & PNG_HAVE_IDAT)
2472 png_ptr->mode |= PNG_AFTER_IDAT; 2134 png_ptr->mode |= PNG_AFTER_IDAT;
2473 2135
2474 buffer = png_read_buffer(png_ptr, length, 2/*silent*/); 2136 #ifdef PNG_MAX_MALLOC_64K
2137 /* We will no doubt have problems with chunks even half this size, but
2138 there is no hard and fast rule to tell us where to stop. */
2139 if (length > (png_uint_32)65535L)
2140 {
2141 png_warning(png_ptr, "zTXt chunk too large to fit in memory");
2142 png_crc_finish(png_ptr, length);
2143 return;
2144 }
2145 #endif
2475 2146
2476 if (buffer == NULL) 2147 png_free(png_ptr, png_ptr->chunkdata);
2148 png_ptr->chunkdata = (png_charp)png_malloc_warn(png_ptr, length + 1);
2149 if (png_ptr->chunkdata == NULL)
2477 { 2150 {
2478 png_crc_finish(png_ptr, length); 2151 png_warning(png_ptr, "Out of memory processing zTXt chunk.");
2479 png_chunk_benign_error(png_ptr, "out of memory"); 2152 return;
2153 }
2154 slength = (png_size_t)length;
2155 png_crc_read(png_ptr, (png_bytep)png_ptr->chunkdata, slength);
2156 if (png_crc_finish(png_ptr, 0))
2157 {
2158 png_free(png_ptr, png_ptr->chunkdata);
2159 png_ptr->chunkdata = NULL;
2480 return; 2160 return;
2481 } 2161 }
2482 2162
2483 png_crc_read(png_ptr, buffer, length); 2163 png_ptr->chunkdata[slength] = 0x00;
2484 2164
2485 if (png_crc_finish(png_ptr, 0)) 2165 for (text = png_ptr->chunkdata; *text; text++)
2166 /* Empty loop */ ;
2167
2168 /* zTXt must have some text after the chunkdataword */
2169 if (text >= png_ptr->chunkdata + slength - 2)
2170 {
2171 png_warning(png_ptr, "Truncated zTXt chunk");
2172 png_free(png_ptr, png_ptr->chunkdata);
2173 png_ptr->chunkdata = NULL;
2486 return; 2174 return;
2487 2175 }
2488 /* TODO: also check that the keyword contents match the spec! */
2489 for (keyword_length = 0;
2490 keyword_length < length && buffer[keyword_length] != 0;
2491 ++keyword_length)
2492 /* Empty loop to find end of name */ ;
2493
2494 if (keyword_length > 79 || keyword_length < 1)
2495 errmsg = "bad keyword";
2496
2497 /* zTXt must have some LZ data after the keyword, although it may expand to
2498 * zero bytes; we need a '\0' at the end of the keyword, the compression type
2499 * then the LZ data:
2500 */
2501 else if (keyword_length + 3 > length)
2502 errmsg = "truncated";
2503
2504 else if (buffer[keyword_length+1] != PNG_COMPRESSION_TYPE_BASE)
2505 errmsg = "unknown compression type";
2506
2507 else 2176 else
2508 { 2177 {
2509 png_alloc_size_t uncompressed_length = PNG_SIZE_MAX; 2178 comp_type = *(++text);
2179 if (comp_type != PNG_TEXT_COMPRESSION_zTXt)
2180 {
2181 png_warning(png_ptr, "Unknown compression type in zTXt chunk");
2182 comp_type = PNG_TEXT_COMPRESSION_zTXt;
2183 }
2184 text++; /* Skip the compression_method byte */
2185 }
2186 prefix_len = text - png_ptr->chunkdata;
2510 2187
2511 /* TODO: at present png_decompress_chunk imposes a single application 2188 png_decompress_chunk(png_ptr, comp_type,
2512 * level memory limit, this should be split to different values for iCCP 2189 (png_size_t)length, prefix_len, &data_len);
2513 * and text chunks.
2514 */
2515 if (png_decompress_chunk(png_ptr, length, keyword_length+2,
2516 &uncompressed_length, 1/*terminate*/) == Z_STREAM_END)
2517 {
2518 png_text text;
2519 2190
2520 /* It worked; png_ptr->read_buffer now looks like a tEXt chunk except 2191 text_ptr = (png_textp)png_malloc_warn(png_ptr,
2521 * for the extra compression type byte and the fact that it isn't 2192 (png_uint_32)png_sizeof(png_text));
2522 * necessarily '\0' terminated. 2193 if (text_ptr == NULL)
2523 */ 2194 {
2524 buffer = png_ptr->read_buffer; 2195 png_warning(png_ptr, "Not enough memory to process zTXt chunk.");
2525 buffer[uncompressed_length+(keyword_length+2)] = 0; 2196 png_free(png_ptr, png_ptr->chunkdata);
2197 png_ptr->chunkdata = NULL;
2198 return;
2199 }
2200 text_ptr->compression = comp_type;
2201 text_ptr->key = png_ptr->chunkdata;
2202 #ifdef PNG_iTXt_SUPPORTED
2203 text_ptr->lang = NULL;
2204 text_ptr->lang_key = NULL;
2205 text_ptr->itxt_length = 0;
2206 #endif
2207 text_ptr->text = png_ptr->chunkdata + prefix_len;
2208 text_ptr->text_length = data_len;
2526 2209
2527 text.compression = PNG_TEXT_COMPRESSION_zTXt; 2210 ret = png_set_text_2(png_ptr, info_ptr, text_ptr, 1);
2528 text.key = (png_charp)buffer;
2529 text.text = (png_charp)(buffer + keyword_length+2);
2530 text.text_length = uncompressed_length;
2531 text.itxt_length = 0;
2532 text.lang = NULL;
2533 text.lang_key = NULL;
2534 2211
2535 if (png_set_text_2(png_ptr, info_ptr, &text, 1)) 2212 png_free(png_ptr, text_ptr);
2536 errmsg = "insufficient memory"; 2213 png_free(png_ptr, png_ptr->chunkdata);
2537 } 2214 png_ptr->chunkdata = NULL;
2538 2215 if (ret)
2539 else 2216 png_error(png_ptr, "Insufficient memory to store zTXt chunk.");
2540 errmsg = png_ptr->zstream.msg;
2541 }
2542
2543 if (errmsg != NULL)
2544 png_chunk_benign_error(png_ptr, errmsg);
2545 } 2217 }
2546 #endif 2218 #endif
2547 2219
2548 #ifdef PNG_READ_iTXt_SUPPORTED 2220 #ifdef PNG_READ_iTXt_SUPPORTED
2549 /* Note: this does not correctly handle chunks that are > 64K under DOS */ 2221 /* Note: this does not correctly handle chunks that are > 64K under DOS */
2550 void /* PRIVATE */ 2222 void /* PRIVATE */
2551 png_handle_iTXt(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length) 2223 png_handle_iTXt(png_structp png_ptr, png_infop info_ptr, png_uint_32 length)
2552 { 2224 {
2553 png_const_charp errmsg = NULL; 2225 png_textp text_ptr;
2554 png_bytep buffer; 2226 png_charp key, lang, text, lang_key;
2555 png_uint_32 prefix_length; 2227 int comp_flag;
2228 int comp_type = 0;
2229 int ret;
2230 png_size_t slength, prefix_len, data_len;
2556 2231
2557 png_debug(1, "in png_handle_iTXt"); 2232 png_debug(1, "in png_handle_iTXt");
2558 2233
2559 #ifdef PNG_USER_LIMITS_SUPPORTED 2234 #ifdef PNG_USER_LIMITS_SUPPORTED
2560 if (png_ptr->user_chunk_cache_max != 0) 2235 if (png_ptr->user_chunk_cache_max != 0)
2561 { 2236 {
2562 if (png_ptr->user_chunk_cache_max == 1) 2237 if (png_ptr->user_chunk_cache_max == 1)
2563 { 2238 {
2564 png_crc_finish(png_ptr, length); 2239 png_crc_finish(png_ptr, length);
2565 return; 2240 return;
2566 } 2241 }
2567
2568 if (--png_ptr->user_chunk_cache_max == 1) 2242 if (--png_ptr->user_chunk_cache_max == 1)
2569 { 2243 {
2244 png_warning(png_ptr, "No space in chunk cache for iTXt");
2570 png_crc_finish(png_ptr, length); 2245 png_crc_finish(png_ptr, length);
2571 png_chunk_benign_error(png_ptr, "no space in chunk cache");
2572 return; 2246 return;
2573 } 2247 }
2574 } 2248 }
2575 #endif 2249 #endif
2576 2250
2577 if (!(png_ptr->mode & PNG_HAVE_IHDR)) 2251 if (!(png_ptr->mode & PNG_HAVE_IHDR))
2578 png_chunk_error(png_ptr, "missing IHDR"); 2252 png_error(png_ptr, "Missing IHDR before iTXt");
2579 2253
2580 if (png_ptr->mode & PNG_HAVE_IDAT) 2254 if (png_ptr->mode & PNG_HAVE_IDAT)
2581 png_ptr->mode |= PNG_AFTER_IDAT; 2255 png_ptr->mode |= PNG_AFTER_IDAT;
2582 2256
2583 buffer = png_read_buffer(png_ptr, length+1, 1/*warn*/); 2257 #ifdef PNG_MAX_MALLOC_64K
2584 2258 /* We will no doubt have problems with chunks even half this size, but
2585 if (buffer == NULL) 2259 there is no hard and fast rule to tell us where to stop. */
2586 { 2260 if (length > (png_uint_32)65535L)
2587 png_crc_finish(png_ptr, length); 2261 {
2588 png_chunk_benign_error(png_ptr, "out of memory"); 2262 png_warning(png_ptr, "iTXt chunk too large to fit in memory");
2263 png_crc_finish(png_ptr, length);
2264 return;
2265 }
2266 #endif
2267
2268 png_free(png_ptr, png_ptr->chunkdata);
2269 png_ptr->chunkdata = (png_charp)png_malloc_warn(png_ptr, length + 1);
2270 if (png_ptr->chunkdata == NULL)
2271 {
2272 png_warning(png_ptr, "No memory to process iTXt chunk.");
2273 return;
2274 }
2275 slength = (png_size_t)length;
2276 png_crc_read(png_ptr, (png_bytep)png_ptr->chunkdata, slength);
2277 if (png_crc_finish(png_ptr, 0))
2278 {
2279 png_free(png_ptr, png_ptr->chunkdata);
2280 png_ptr->chunkdata = NULL;
2589 return; 2281 return;
2590 } 2282 }
2591 2283
2592 png_crc_read(png_ptr, buffer, length); 2284 png_ptr->chunkdata[slength] = 0x00;
2593 2285
2594 if (png_crc_finish(png_ptr, 0)) 2286 for (lang = png_ptr->chunkdata; *lang; lang++)
2287 /* Empty loop */ ;
2288 lang++; /* Skip NUL separator */
2289
2290 /* iTXt must have a language tag (possibly empty), two compression bytes,
2291 * translated keyword (possibly empty), and possibly some text after the
2292 * keyword
2293 */
2294
2295 if (lang >= png_ptr->chunkdata + slength - 3)
2296 {
2297 png_warning(png_ptr, "Truncated iTXt chunk");
2298 png_free(png_ptr, png_ptr->chunkdata);
2299 png_ptr->chunkdata = NULL;
2595 return; 2300 return;
2596 2301 }
2597 /* First the keyword. */ 2302 else
2598 for (prefix_length=0; 2303 {
2599 prefix_length < length && buffer[prefix_length] != 0; 2304 comp_flag = *lang++;
2600 ++prefix_length) 2305 comp_type = *lang++;
2306 }
2307
2308 for (lang_key = lang; *lang_key; lang_key++)
2601 /* Empty loop */ ; 2309 /* Empty loop */ ;
2602 2310 lang_key++; /* Skip NUL separator */
2603 /* Perform a basic check on the keyword length here. */ 2311
2604 if (prefix_length > 79 || prefix_length < 1) 2312 if (lang_key >= png_ptr->chunkdata + slength)
2605 errmsg = "bad keyword"; 2313 {
2606 2314 png_warning(png_ptr, "Truncated iTXt chunk");
2607 /* Expect keyword, compression flag, compression type, language, translated 2315 png_free(png_ptr, png_ptr->chunkdata);
2608 * keyword (both may be empty but are 0 terminated) then the text, which may 2316 png_ptr->chunkdata = NULL;
2609 * be empty. 2317 return;
2610 */ 2318 }
2611 else if (prefix_length + 5 > length) 2319
2612 errmsg = "truncated"; 2320 for (text = lang_key; *text; text++)
2613 2321 /* Empty loop */ ;
2614 else if (buffer[prefix_length+1] == 0 || 2322 text++; /* Skip NUL separator */
2615 (buffer[prefix_length+1] == 1 && 2323 if (text >= png_ptr->chunkdata + slength)
2616 buffer[prefix_length+2] == PNG_COMPRESSION_TYPE_BASE)) 2324 {
2617 { 2325 png_warning(png_ptr, "Malformed iTXt chunk");
2618 int compressed = buffer[prefix_length+1] != 0; 2326 png_free(png_ptr, png_ptr->chunkdata);
2619 png_uint_32 language_offset, translated_keyword_offset; 2327 png_ptr->chunkdata = NULL;
2620 png_alloc_size_t uncompressed_length = 0; 2328 return;
2621 2329 }
2622 /* Now the language tag */ 2330
2623 prefix_length += 3; 2331 prefix_len = text - png_ptr->chunkdata;
2624 language_offset = prefix_length; 2332
2625 2333 key=png_ptr->chunkdata;
2626 for (; prefix_length < length && buffer[prefix_length] != 0; 2334 if (comp_flag)
2627 ++prefix_length) 2335 png_decompress_chunk(png_ptr, comp_type,
2628 /* Empty loop */ ; 2336 (size_t)length, prefix_len, &data_len);
2629 2337 else
2630 /* WARNING: the length may be invalid here, this is checked below. */ 2338 data_len = png_strlen(png_ptr->chunkdata + prefix_len);
2631 translated_keyword_offset = ++prefix_length; 2339 text_ptr = (png_textp)png_malloc_warn(png_ptr,
2632 2340 (png_uint_32)png_sizeof(png_text));
2633 for (; prefix_length < length && buffer[prefix_length] != 0; 2341 if (text_ptr == NULL)
2634 ++prefix_length) 2342 {
2635 /* Empty loop */ ; 2343 png_warning(png_ptr, "Not enough memory to process iTXt chunk.");
2636 2344 png_free(png_ptr, png_ptr->chunkdata);
2637 /* prefix_length should now be at the trailing '\0' of the translated 2345 png_ptr->chunkdata = NULL;
2638 * keyword, but it may already be over the end. None of this arithmetic 2346 return;
2639 * can overflow because chunks are at most 2^31 bytes long, but on 16-bit 2347 }
2640 * systems the available allocaton may overflow. 2348 text_ptr->compression = (int)comp_flag + 1;
2641 */ 2349 text_ptr->lang_key = png_ptr->chunkdata + (lang_key - key);
2642 ++prefix_length; 2350 text_ptr->lang = png_ptr->chunkdata + (lang - key);
2643 2351 text_ptr->itxt_length = data_len;
2644 if (!compressed && prefix_length <= length) 2352 text_ptr->text_length = 0;
2645 uncompressed_length = length - prefix_length; 2353 text_ptr->key = png_ptr->chunkdata;
2646 2354 text_ptr->text = png_ptr->chunkdata + prefix_len;
2647 else if (compressed && prefix_length < length) 2355
2356 ret = png_set_text_2(png_ptr, info_ptr, text_ptr, 1);
2357
2358 png_free(png_ptr, text_ptr);
2359 png_free(png_ptr, png_ptr->chunkdata);
2360 png_ptr->chunkdata = NULL;
2361 if (ret)
2362 png_error(png_ptr, "Insufficient memory to store iTXt chunk.");
2363 }
2364 #endif
2365
2366 /* This function is called when we haven't found a handler for a
2367 chunk. If there isn't a problem with the chunk itself (ie bad
2368 chunk name, CRC, or a critical chunk), the chunk is silently ignored
2369 -- unless the PNG_FLAG_UNKNOWN_CHUNKS_SUPPORTED flag is on in which
2370 case it will be saved away to be written out later. */
2371 void /* PRIVATE */
2372 png_handle_unknown(png_structp png_ptr, png_infop info_ptr, png_uint_32 length)
2373 {
2374 png_uint_32 skip = 0;
2375
2376 png_debug(1, "in png_handle_unknown");
2377
2378 #ifdef PNG_USER_LIMITS_SUPPORTED
2379 if (png_ptr->user_chunk_cache_max != 0)
2380 {
2381 if (png_ptr->user_chunk_cache_max == 1)
2648 { 2382 {
2649 uncompressed_length = PNG_SIZE_MAX; 2383 png_crc_finish(png_ptr, length);
2650 2384 return;
2651 /* TODO: at present png_decompress_chunk imposes a single application
2652 * level memory limit, this should be split to different values for
2653 * iCCP and text chunks.
2654 */
2655 if (png_decompress_chunk(png_ptr, length, prefix_length,
2656 &uncompressed_length, 1/*terminate*/) == Z_STREAM_END)
2657 buffer = png_ptr->read_buffer;
2658
2659 else
2660 errmsg = png_ptr->zstream.msg;
2661 } 2385 }
2662 2386 if (--png_ptr->user_chunk_cache_max == 1)
2663 else
2664 errmsg = "truncated";
2665
2666 if (errmsg == NULL)
2667 { 2387 {
2668 png_text text; 2388 png_warning(png_ptr, "No space in chunk cache for unknown chunk");
2669 2389 png_crc_finish(png_ptr, length);
2670 buffer[uncompressed_length+prefix_length] = 0; 2390 return;
2671
2672 if (compressed)
2673 text.compression = PNG_ITXT_COMPRESSION_NONE;
2674
2675 else
2676 text.compression = PNG_ITXT_COMPRESSION_zTXt;
2677
2678 text.key = (png_charp)buffer;
2679 text.lang = (png_charp)buffer + language_offset;
2680 text.lang_key = (png_charp)buffer + translated_keyword_offset;
2681 text.text = (png_charp)buffer + prefix_length;
2682 text.text_length = 0;
2683 text.itxt_length = uncompressed_length;
2684
2685 if (png_set_text_2(png_ptr, info_ptr, &text, 1))
2686 errmsg = "insufficient memory";
2687 } 2391 }
2688 } 2392 }
2689 2393 #endif
2394
2395 if (png_ptr->mode & PNG_HAVE_IDAT)
2396 {
2397 #ifdef PNG_USE_LOCAL_ARRAYS
2398 PNG_CONST PNG_IDAT;
2399 #endif
2400 if (png_memcmp(png_ptr->chunk_name, png_IDAT, 4)) /* Not an IDAT */
2401 png_ptr->mode |= PNG_AFTER_IDAT;
2402 }
2403
2404 if (!(png_ptr->chunk_name[0] & 0x20))
2405 {
2406 #ifdef PNG_HANDLE_AS_UNKNOWN_SUPPORTED
2407 if (png_handle_as_unknown(png_ptr, png_ptr->chunk_name) !=
2408 PNG_HANDLE_CHUNK_ALWAYS
2409 #ifdef PNG_READ_USER_CHUNKS_SUPPORTED
2410 && png_ptr->read_user_chunk_fn == NULL
2411 #endif
2412 )
2413 #endif
2414 png_chunk_error(png_ptr, "unknown critical chunk");
2415 }
2416
2417 #ifdef PNG_READ_UNKNOWN_CHUNKS_SUPPORTED
2418 if ((png_ptr->flags & PNG_FLAG_KEEP_UNKNOWN_CHUNKS)
2419 #ifdef PNG_READ_USER_CHUNKS_SUPPORTED
2420 || (png_ptr->read_user_chunk_fn != NULL)
2421 #endif
2422 )
2423 {
2424 #ifdef PNG_MAX_MALLOC_64K
2425 if (length > (png_uint_32)65535L)
2426 {
2427 png_warning(png_ptr, "unknown chunk too large to fit in memory");
2428 skip = length - (png_uint_32)65535L;
2429 length = (png_uint_32)65535L;
2430 }
2431 #endif
2432 png_memcpy((png_charp)png_ptr->unknown_chunk.name,
2433 (png_charp)png_ptr->chunk_name,
2434 png_sizeof(png_ptr->unknown_chunk.name));
2435 png_ptr->unknown_chunk.name[png_sizeof(png_ptr->unknown_chunk.name)-1]
2436 = '\0';
2437 png_ptr->unknown_chunk.size = (png_size_t)length;
2438 if (length == 0)
2439 png_ptr->unknown_chunk.data = NULL;
2440 else
2441 {
2442 png_ptr->unknown_chunk.data = (png_bytep)png_malloc(png_ptr, length);
2443 png_crc_read(png_ptr, (png_bytep)png_ptr->unknown_chunk.data, length);
2444 }
2445 #ifdef PNG_READ_USER_CHUNKS_SUPPORTED
2446 if (png_ptr->read_user_chunk_fn != NULL)
2447 {
2448 /* Callback to user unknown chunk handler */
2449 int ret;
2450 ret = (*(png_ptr->read_user_chunk_fn))
2451 (png_ptr, &png_ptr->unknown_chunk);
2452 if (ret < 0)
2453 png_chunk_error(png_ptr, "error in user chunk");
2454 if (ret == 0)
2455 {
2456 if (!(png_ptr->chunk_name[0] & 0x20))
2457 #ifdef PNG_HANDLE_AS_UNKNOWN_SUPPORTED
2458 if (png_handle_as_unknown(png_ptr, png_ptr->chunk_name) !=
2459 PNG_HANDLE_CHUNK_ALWAYS)
2460 #endif
2461 png_chunk_error(png_ptr, "unknown critical chunk");
2462 png_set_unknown_chunks(png_ptr, info_ptr,
2463 &png_ptr->unknown_chunk, 1);
2464 }
2465 }
2466 else
2467 #endif
2468 png_set_unknown_chunks(png_ptr, info_ptr, &png_ptr->unknown_chunk, 1);
2469 png_free(png_ptr, png_ptr->unknown_chunk.data);
2470 png_ptr->unknown_chunk.data = NULL;
2471 }
2690 else 2472 else
2691 errmsg = "bad compression info"; 2473 #endif
2692 2474 skip = length;
2693 if (errmsg != NULL) 2475
2694 png_chunk_benign_error(png_ptr, errmsg); 2476 png_crc_finish(png_ptr, skip);
2477
2478 #ifndef PNG_READ_USER_CHUNKS_SUPPORTED
2479 info_ptr = info_ptr; /* Quiet compiler warnings about unused info_ptr */
2480 #endif
2695 } 2481 }
2696 #endif 2482
2697 2483 /* This function is called to verify that a chunk name is valid.
2698 #ifdef PNG_READ_UNKNOWN_CHUNKS_SUPPORTED 2484 This function can't have the "critical chunk check" incorporated
2699 /* Utility function for png_handle_unknown; set up png_ptr::unknown_chunk */ 2485 into it, since in the future we will need to be able to call user
2700 static int 2486 functions to handle unknown critical chunks after we check that
2701 png_cache_unknown_chunk(png_structrp png_ptr, png_uint_32 length) 2487 the chunk name itself is valid. */
2488
2489 #define isnonalpha(c) ((c) < 65 || (c) > 122 || ((c) > 90 && (c) < 97))
2490
2491 void /* PRIVATE */
2492 png_check_chunk_name(png_structp png_ptr, png_bytep chunk_name)
2702 { 2493 {
2703 png_alloc_size_t limit = PNG_SIZE_MAX; 2494 png_debug(1, "in png_check_chunk_name");
2704 2495 if (isnonalpha(chunk_name[0]) || isnonalpha(chunk_name[1]) ||
2705 if (png_ptr->unknown_chunk.data != NULL) 2496 isnonalpha(chunk_name[2]) || isnonalpha(chunk_name[3]))
2706 { 2497 {
2707 png_free(png_ptr, png_ptr->unknown_chunk.data); 2498 png_chunk_error(png_ptr, "invalid chunk type");
2708 png_ptr->unknown_chunk.data = NULL; 2499 }
2709 } 2500 }
2710 2501
2711 # ifdef PNG_SET_CHUNK_MALLOC_LIMIT_SUPPORTED 2502 /* Combines the row recently read in with the existing pixels in the
2712 if (png_ptr->user_chunk_malloc_max > 0 && 2503 row. This routine takes care of alpha and transparency if requested.
2713 png_ptr->user_chunk_malloc_max < limit) 2504 This routine also handles the two methods of progressive display
2714 limit = png_ptr->user_chunk_malloc_max; 2505 of interlaced images, depending on the mask value.
2715 2506 The mask value describes which pixels are to be combined with
2716 # elif PNG_USER_CHUNK_MALLOC_MAX > 0 2507 the row. The pattern always repeats every 8 pixels, so just 8
2717 if (PNG_USER_CHUNK_MALLOC_MAX < limit) 2508 bits are needed. A one indicates the pixel is to be combined,
2718 limit = PNG_USER_CHUNK_MALLOC_MAX; 2509 a zero indicates the pixel is to be skipped. This is in addition
2719 # endif 2510 to any alpha or transparency value associated with the pixel. If
2720 2511 you want all pixels to be combined, pass 0xff (255) in mask. */
2721 if (length <= limit) 2512
2722 { 2513 void /* PRIVATE */
2723 PNG_CSTRING_FROM_CHUNK(png_ptr->unknown_chunk.name, png_ptr->chunk_name); 2514 png_combine_row(png_structp png_ptr, png_bytep row, int mask)
2724 /* The following is safe because of the PNG_SIZE_MAX init above */ 2515 {
2725 png_ptr->unknown_chunk.size = (png_size_t)length/*SAFE*/; 2516 png_debug(1, "in png_combine_row");
2726 /* 'mode' is a flag array, only the bottom four bits matter here */ 2517 if (mask == 0xff)
2727 png_ptr->unknown_chunk.location = (png_byte)png_ptr->mode/*SAFE*/; 2518 {
2728 2519 png_memcpy(row, png_ptr->row_buf + 1,
2729 if (length == 0) 2520 PNG_ROWBYTES(png_ptr->row_info.pixel_depth, png_ptr->width));
2730 png_ptr->unknown_chunk.data = NULL; 2521 }
2731 2522 else
2732 else 2523 {
2524 switch (png_ptr->row_info.pixel_depth)
2733 { 2525 {
2734 /* Do a 'warn' here - it is handled below. */ 2526 case 1:
2735 png_ptr->unknown_chunk.data = png_voidcast(png_bytep, 2527 {
2736 png_malloc_warn(png_ptr, length)); 2528 png_bytep sp = png_ptr->row_buf + 1;
2529 png_bytep dp = row;
2530 int s_inc, s_start, s_end;
2531 int m = 0x80;
2532 int shift;
2533 png_uint_32 i;
2534 png_uint_32 row_width = png_ptr->width;
2535
2536 #ifdef PNG_READ_PACKSWAP_SUPPORTED
2537 if (png_ptr->transformations & PNG_PACKSWAP)
2538 {
2539 s_start = 0;
2540 s_end = 7;
2541 s_inc = 1;
2542 }
2543 else
2544 #endif
2545 {
2546 s_start = 7;
2547 s_end = 0;
2548 s_inc = -1;
2549 }
2550
2551 shift = s_start;
2552
2553 for (i = 0; i < row_width; i++)
2554 {
2555 if (m & mask)
2556 {
2557 int value;
2558
2559 value = (*sp >> shift) & 0x01;
2560 *dp &= (png_byte)((0x7f7f >> (7 - shift)) & 0xff);
2561 *dp |= (png_byte)(value << shift);
2562 }
2563
2564 if (shift == s_end)
2565 {
2566 shift = s_start;
2567 sp++;
2568 dp++;
2569 }
2570 else
2571 shift += s_inc;
2572
2573 if (m == 1)
2574 m = 0x80;
2575 else
2576 m >>= 1;
2577 }
2578 break;
2579 }
2580 case 2:
2581 {
2582 png_bytep sp = png_ptr->row_buf + 1;
2583 png_bytep dp = row;
2584 int s_start, s_end, s_inc;
2585 int m = 0x80;
2586 int shift;
2587 png_uint_32 i;
2588 png_uint_32 row_width = png_ptr->width;
2589 int value;
2590
2591 #ifdef PNG_READ_PACKSWAP_SUPPORTED
2592 if (png_ptr->transformations & PNG_PACKSWAP)
2593 {
2594 s_start = 0;
2595 s_end = 6;
2596 s_inc = 2;
2597 }
2598 else
2599 #endif
2600 {
2601 s_start = 6;
2602 s_end = 0;
2603 s_inc = -2;
2604 }
2605
2606 shift = s_start;
2607
2608 for (i = 0; i < row_width; i++)
2609 {
2610 if (m & mask)
2611 {
2612 value = (*sp >> shift) & 0x03;
2613 *dp &= (png_byte)((0x3f3f >> (6 - shift)) & 0xff);
2614 *dp |= (png_byte)(value << shift);
2615 }
2616
2617 if (shift == s_end)
2618 {
2619 shift = s_start;
2620 sp++;
2621 dp++;
2622 }
2623 else
2624 shift += s_inc;
2625 if (m == 1)
2626 m = 0x80;
2627 else
2628 m >>= 1;
2629 }
2630 break;
2631 }
2632 case 4:
2633 {
2634 png_bytep sp = png_ptr->row_buf + 1;
2635 png_bytep dp = row;
2636 int s_start, s_end, s_inc;
2637 int m = 0x80;
2638 int shift;
2639 png_uint_32 i;
2640 png_uint_32 row_width = png_ptr->width;
2641 int value;
2642
2643 #ifdef PNG_READ_PACKSWAP_SUPPORTED
2644 if (png_ptr->transformations & PNG_PACKSWAP)
2645 {
2646 s_start = 0;
2647 s_end = 4;
2648 s_inc = 4;
2649 }
2650 else
2651 #endif
2652 {
2653 s_start = 4;
2654 s_end = 0;
2655 s_inc = -4;
2656 }
2657 shift = s_start;
2658
2659 for (i = 0; i < row_width; i++)
2660 {
2661 if (m & mask)
2662 {
2663 value = (*sp >> shift) & 0xf;
2664 *dp &= (png_byte)((0xf0f >> (4 - shift)) & 0xff);
2665 *dp |= (png_byte)(value << shift);
2666 }
2667
2668 if (shift == s_end)
2669 {
2670 shift = s_start;
2671 sp++;
2672 dp++;
2673 }
2674 else
2675 shift += s_inc;
2676 if (m == 1)
2677 m = 0x80;
2678 else
2679 m >>= 1;
2680 }
2681 break;
2682 }
2683 default:
2684 {
2685 png_bytep sp = png_ptr->row_buf + 1;
2686 png_bytep dp = row;
2687 png_size_t pixel_bytes = (png_ptr->row_info.pixel_depth >> 3);
2688 png_uint_32 i;
2689 png_uint_32 row_width = png_ptr->width;
2690 png_byte m = 0x80;
2691
2692
2693 for (i = 0; i < row_width; i++)
2694 {
2695 if (m & mask)
2696 {
2697 png_memcpy(dp, sp, pixel_bytes);
2698 }
2699
2700 sp += pixel_bytes;
2701 dp += pixel_bytes;
2702
2703 if (m == 1)
2704 m = 0x80;
2705 else
2706 m >>= 1;
2707 }
2708 break;
2709 }
2737 } 2710 }
2738 } 2711 }
2739
2740 if (png_ptr->unknown_chunk.data == NULL && length > 0)
2741 {
2742 /* This is benign because we clean up correctly */
2743 png_crc_finish(png_ptr, length);
2744 png_chunk_benign_error(png_ptr, "unknown chunk exceeds memory limits");
2745 return 0;
2746 }
2747
2748 else
2749 {
2750 if (length > 0)
2751 png_crc_read(png_ptr, png_ptr->unknown_chunk.data, length);
2752 png_crc_finish(png_ptr, 0);
2753 return 1;
2754 }
2755 } 2712 }
2756 #endif /* PNG_READ_UNKNOWN_CHUNKS_SUPPORTED */ 2713
2757 2714 #ifdef PNG_READ_INTERLACING_SUPPORTED
2758 /* Handle an unknown, or known but disabled, chunk */ 2715 /* OLD pre-1.0.9 interface:
2759 void /* PRIVATE */ 2716 void png_do_read_interlace(png_row_infop row_info, png_bytep row, int pass,
2760 png_handle_unknown(png_structrp png_ptr, png_inforp info_ptr, 2717 png_uint_32 transformations)
2761 png_uint_32 length, int keep)
2762 {
2763 int handled = 0; /* the chunk was handled */
2764
2765 png_debug(1, "in png_handle_unknown");
2766
2767 #ifdef PNG_READ_UNKNOWN_CHUNKS_SUPPORTED
2768 /* NOTE: this code is based on the code in libpng-1.4.12 except for fixing
2769 * the bug which meant that setting a non-default behavior for a specific
2770 * chunk would be ignored (the default was always used unless a user
2771 * callback was installed).
2772 *
2773 * 'keep' is the value from the png_chunk_unknown_handling, the setting for
2774 * this specific chunk_name, if PNG_HANDLE_AS_UNKNOWN_SUPPORTED, if not it
2775 * will always be PNG_HANDLE_CHUNK_AS_DEFAULT and it needs to be set here.
2776 * This is just an optimization to avoid multiple calls to the lookup
2777 * function.
2778 */
2779 # ifndef PNG_HANDLE_AS_UNKNOWN_SUPPORTED
2780 # ifdef PNG_SET_UNKNOWN_CHUNKS_SUPPORTED
2781 keep = png_chunk_unknown_handling(png_ptr, png_ptr->chunk_name);
2782 # endif
2783 # endif
2784
2785 /* One of the following methods will read the chunk or skip it (at least one
2786 * of these is always defined because this is the only way to switch on
2787 * PNG_READ_UNKNOWN_CHUNKS_SUPPORTED)
2788 */
2789 # ifdef PNG_READ_USER_CHUNKS_SUPPORTED
2790 /* The user callback takes precedence over the chunk keep value, but the
2791 * keep value is still required to validate a save of a critical chunk.
2792 */
2793 if (png_ptr->read_user_chunk_fn != NULL)
2794 {
2795 if (png_cache_unknown_chunk(png_ptr, length))
2796 {
2797 /* Callback to user unknown chunk handler */
2798 int ret = (*(png_ptr->read_user_chunk_fn))(png_ptr,
2799 &png_ptr->unknown_chunk);
2800
2801 /* ret is:
2802 * negative: An error occured, png_chunk_error will be called.
2803 * zero: The chunk was not handled, the chunk will be discarded
2804 * unless png_set_keep_unknown_chunks has been used to set
2805 * a 'keep' behavior for this particular chunk, in which
2806 * case that will be used. A critical chunk will cause an
2807 * error at this point unless it is to be saved.
2808 * positive: The chunk was handled, libpng will ignore/discard it.
2809 */
2810 if (ret < 0)
2811 png_chunk_error(png_ptr, "error in user chunk");
2812
2813 else if (ret == 0)
2814 {
2815 /* If the keep value is 'default' or 'never' override it, but
2816 * still error out on critical chunks unless the keep value is
2817 * 'always' While this is weird it is the behavior in 1.4.12.
2818 * A possible improvement would be to obey the value set for the
2819 * chunk, but this would be an API change that would probably
2820 * damage some applications.
2821 *
2822 * The png_app_warning below catches the case that matters, where
2823 * the application has not set specific save or ignore for this
2824 * chunk or global save or ignore.
2825 */
2826 if (keep < PNG_HANDLE_CHUNK_IF_SAFE)
2827 {
2828 # ifdef PNG_SET_UNKNOWN_CHUNKS_SUPPORTED
2829 if (png_ptr->unknown_default < PNG_HANDLE_CHUNK_IF_SAFE)
2830 {
2831 png_chunk_warning(png_ptr, "Saving unknown chunk:");
2832 png_app_warning(png_ptr,
2833 "forcing save of an unhandled chunk;"
2834 " please call png_set_keep_unknown_chunks");
2835 /* with keep = PNG_HANDLE_CHUNK_IF_SAFE */
2836 }
2837 # endif
2838 keep = PNG_HANDLE_CHUNK_IF_SAFE;
2839 }
2840 }
2841
2842 else /* chunk was handled */
2843 {
2844 handled = 1;
2845 /* Critical chunks can be safely discarded at this point. */
2846 keep = PNG_HANDLE_CHUNK_NEVER;
2847 }
2848 }
2849
2850 else
2851 keep = PNG_HANDLE_CHUNK_NEVER; /* insufficient memory */
2852 }
2853
2854 else
2855 /* Use the SAVE_UNKNOWN_CHUNKS code or skip the chunk */
2856 # endif /* PNG_READ_USER_CHUNKS_SUPPORTED */
2857
2858 # ifdef PNG_SAVE_UNKNOWN_CHUNKS_SUPPORTED
2859 {
2860 /* keep is currently just the per-chunk setting, if there was no
2861 * setting change it to the global default now (not that this may
2862 * still be AS_DEFAULT) then obtain the cache of the chunk if required,
2863 * if not simply skip the chunk.
2864 */
2865 if (keep == PNG_HANDLE_CHUNK_AS_DEFAULT)
2866 keep = png_ptr->unknown_default;
2867
2868 if (keep == PNG_HANDLE_CHUNK_ALWAYS ||
2869 (keep == PNG_HANDLE_CHUNK_IF_SAFE &&
2870 PNG_CHUNK_ANCILLARY(png_ptr->chunk_name)))
2871 {
2872 if (!png_cache_unknown_chunk(png_ptr, length))
2873 keep = PNG_HANDLE_CHUNK_NEVER;
2874 }
2875
2876 else
2877 png_crc_finish(png_ptr, length);
2878 }
2879 # else
2880 # ifndef PNG_READ_USER_CHUNKS_SUPPORTED
2881 # error no method to support READ_UNKNOWN_CHUNKS
2882 # endif
2883
2884 {
2885 /* If here there is no read callback pointer set and no support is
2886 * compiled in to just save the unknown chunks, so simply skip this
2887 * chunk. If 'keep' is something other than AS_DEFAULT or NEVER then
2888 * the app has erroneously asked for unknown chunk saving when there
2889 * is no support.
2890 */
2891 if (keep > PNG_HANDLE_CHUNK_NEVER)
2892 png_app_error(png_ptr, "no unknown chunk support available");
2893
2894 png_crc_finish(png_ptr, length);
2895 }
2896 # endif
2897
2898 # ifdef PNG_STORE_UNKNOWN_CHUNKS_SUPPORTED
2899 /* Now store the chunk in the chunk list if appropriate, and if the limits
2900 * permit it.
2901 */
2902 if (keep == PNG_HANDLE_CHUNK_ALWAYS ||
2903 (keep == PNG_HANDLE_CHUNK_IF_SAFE &&
2904 PNG_CHUNK_ANCILLARY(png_ptr->chunk_name)))
2905 {
2906 # ifdef PNG_USER_LIMITS_SUPPORTED
2907 switch (png_ptr->user_chunk_cache_max)
2908 {
2909 case 2:
2910 png_ptr->user_chunk_cache_max = 1;
2911 png_chunk_benign_error(png_ptr, "no space in chunk cache");
2912 /* FALL THROUGH */
2913 case 1:
2914 /* NOTE: prior to 1.6.0 this case resulted in an unknown critical
2915 * chunk being skipped, now there will be a hard error below.
2916 */
2917 break;
2918
2919 default: /* not at limit */
2920 --(png_ptr->user_chunk_cache_max);
2921 /* FALL THROUGH */
2922 case 0: /* no limit */
2923 # endif /* PNG_USER_LIMITS_SUPPORTED */
2924 /* Here when the limit isn't reached or when limits are compiled
2925 * out; store the chunk.
2926 */
2927 png_set_unknown_chunks(png_ptr, info_ptr,
2928 &png_ptr->unknown_chunk, 1);
2929 handled = 1;
2930 # ifdef PNG_USER_LIMITS_SUPPORTED
2931 break;
2932 }
2933 # endif
2934 }
2935 # else /* no store support! */
2936 PNG_UNUSED(info_ptr)
2937 # error untested code (reading unknown chunks with no store support)
2938 # endif
2939
2940 /* Regardless of the error handling below the cached data (if any) can be
2941 * freed now. Notice that the data is not freed if there is a png_error, but
2942 * it will be freed by destroy_read_struct.
2943 */
2944 if (png_ptr->unknown_chunk.data != NULL)
2945 png_free(png_ptr, png_ptr->unknown_chunk.data);
2946 png_ptr->unknown_chunk.data = NULL;
2947
2948 #else /* !PNG_READ_UNKNOWN_CHUNKS_SUPPORTED */
2949 /* There is no support to read an unknown chunk, so just skip it. */
2950 png_crc_finish(png_ptr, length);
2951 PNG_UNUSED(info_ptr)
2952 PNG_UNUSED(keep)
2953 #endif /* !PNG_READ_UNKNOWN_CHUNKS_SUPPORTED */
2954
2955 /* Check for unhandled critical chunks */
2956 if (!handled && PNG_CHUNK_CRITICAL(png_ptr->chunk_name))
2957 png_chunk_error(png_ptr, "unhandled critical chunk");
2958 }
2959
2960 /* This function is called to verify that a chunk name is valid.
2961 * This function can't have the "critical chunk check" incorporated
2962 * into it, since in the future we will need to be able to call user
2963 * functions to handle unknown critical chunks after we check that
2964 * the chunk name itself is valid.
2965 */
2966
2967 /* Bit hacking: the test for an invalid byte in the 4 byte chunk name is:
2968 *
2969 * ((c) < 65 || (c) > 122 || ((c) > 90 && (c) < 97))
2970 */
2971
2972 void /* PRIVATE */
2973 png_check_chunk_name(png_structrp png_ptr, png_uint_32 chunk_name)
2974 {
2975 int i;
2976
2977 png_debug(1, "in png_check_chunk_name");
2978
2979 for (i=1; i<=4; ++i)
2980 {
2981 int c = chunk_name & 0xff;
2982
2983 if (c < 65 || c > 122 || (c > 90 && c < 97))
2984 png_chunk_error(png_ptr, "invalid chunk type");
2985
2986 chunk_name >>= 8;
2987 }
2988 }
2989
2990 /* Combines the row recently read in with the existing pixels in the row. This
2991 * routine takes care of alpha and transparency if requested. This routine also
2992 * handles the two methods of progressive display of interlaced images,
2993 * depending on the 'display' value; if 'display' is true then the whole row
2994 * (dp) is filled from the start by replicating the available pixels. If
2995 * 'display' is false only those pixels present in the pass are filled in.
2996 */ 2718 */
2997 void /* PRIVATE */ 2719 void /* PRIVATE */
2998 png_combine_row(png_const_structrp png_ptr, png_bytep dp, int display) 2720 png_do_read_interlace(png_structp png_ptr)
2999 { 2721 {
3000 unsigned int pixel_depth = png_ptr->transformed_pixel_depth; 2722 png_row_infop row_info = &(png_ptr->row_info);
3001 png_const_bytep sp = png_ptr->row_buf + 1; 2723 png_bytep row = png_ptr->row_buf + 1;
3002 png_uint_32 row_width = png_ptr->width; 2724 int pass = png_ptr->pass;
3003 unsigned int pass = png_ptr->pass; 2725 png_uint_32 transformations = png_ptr->transformations;
3004 png_bytep end_ptr = 0;
3005 png_byte end_byte = 0;
3006 unsigned int end_mask;
3007
3008 png_debug(1, "in png_combine_row");
3009
3010 /* Added in 1.5.6: it should not be possible to enter this routine until at
3011 * least one row has been read from the PNG data and transformed.
3012 */
3013 if (pixel_depth == 0)
3014 png_error(png_ptr, "internal row logic error");
3015
3016 /* Added in 1.5.4: the pixel depth should match the information returned by
3017 * any call to png_read_update_info at this point. Do not continue if we got
3018 * this wrong.
3019 */
3020 if (png_ptr->info_rowbytes != 0 && png_ptr->info_rowbytes !=
3021 PNG_ROWBYTES(pixel_depth, row_width))
3022 png_error(png_ptr, "internal row size calculation error");
3023
3024 /* Don't expect this to ever happen: */
3025 if (row_width == 0)
3026 png_error(png_ptr, "internal row width error");
3027
3028 /* Preserve the last byte in cases where only part of it will be overwritten,
3029 * the multiply below may overflow, we don't care because ANSI-C guarantees
3030 * we get the low bits.
3031 */
3032 end_mask = (pixel_depth * row_width) & 7;
3033 if (end_mask != 0)
3034 {
3035 /* end_ptr == NULL is a flag to say do nothing */
3036 end_ptr = dp + PNG_ROWBYTES(pixel_depth, row_width) - 1;
3037 end_byte = *end_ptr;
3038 # ifdef PNG_READ_PACKSWAP_SUPPORTED
3039 if (png_ptr->transformations & PNG_PACKSWAP) /* little-endian byte */
3040 end_mask = 0xff << end_mask;
3041
3042 else /* big-endian byte */
3043 # endif
3044 end_mask = 0xff >> end_mask;
3045 /* end_mask is now the bits to *keep* from the destination row */
3046 }
3047
3048 /* For non-interlaced images this reduces to a memcpy(). A memcpy()
3049 * will also happen if interlacing isn't supported or if the application
3050 * does not call png_set_interlace_handling(). In the latter cases the
3051 * caller just gets a sequence of the unexpanded rows from each interlace
3052 * pass.
3053 */
3054 #ifdef PNG_READ_INTERLACING_SUPPORTED
3055 if (png_ptr->interlaced && (png_ptr->transformations & PNG_INTERLACE) &&
3056 pass < 6 && (display == 0 ||
3057 /* The following copies everything for 'display' on passes 0, 2 and 4. */
3058 (display == 1 && (pass & 1) != 0)))
3059 {
3060 /* Narrow images may have no bits in a pass; the caller should handle
3061 * this, but this test is cheap:
3062 */
3063 if (row_width <= PNG_PASS_START_COL(pass))
3064 return;
3065
3066 if (pixel_depth < 8)
3067 {
3068 /* For pixel depths up to 4 bpp the 8-pixel mask can be expanded to fit
3069 * into 32 bits, then a single loop over the bytes using the four byte
3070 * values in the 32-bit mask can be used. For the 'display' option the
3071 * expanded mask may also not require any masking within a byte. To
3072 * make this work the PACKSWAP option must be taken into account - it
3073 * simply requires the pixels to be reversed in each byte.
3074 *
3075 * The 'regular' case requires a mask for each of the first 6 passes,
3076 * the 'display' case does a copy for the even passes in the range
3077 * 0..6. This has already been handled in the test above.
3078 *
3079 * The masks are arranged as four bytes with the first byte to use in
3080 * the lowest bits (little-endian) regardless of the order (PACKSWAP or
3081 * not) of the pixels in each byte.
3082 *
3083 * NOTE: the whole of this logic depends on the caller of this function
3084 * only calling it on rows appropriate to the pass. This function only
3085 * understands the 'x' logic; the 'y' logic is handled by the caller.
3086 *
3087 * The following defines allow generation of compile time constant bit
3088 * masks for each pixel depth and each possibility of swapped or not
3089 * swapped bytes. Pass 'p' is in the range 0..6; 'x', a pixel index,
3090 * is in the range 0..7; and the result is 1 if the pixel is to be
3091 * copied in the pass, 0 if not. 'S' is for the sparkle method, 'B'
3092 * for the block method.
3093 *
3094 * With some compilers a compile time expression of the general form:
3095 *
3096 * (shift >= 32) ? (a >> (shift-32)) : (b >> shift)
3097 *
3098 * Produces warnings with values of 'shift' in the range 33 to 63
3099 * because the right hand side of the ?: expression is evaluated by
3100 * the compiler even though it isn't used. Microsoft Visual C (various
3101 * versions) and the Intel C compiler are known to do this. To avoid
3102 * this the following macros are used in 1.5.6. This is a temporary
3103 * solution to avoid destabilizing the code during the release process.
3104 */
3105 # if PNG_USE_COMPILE_TIME_MASKS
3106 # define PNG_LSR(x,s) ((x)>>((s) & 0x1f))
3107 # define PNG_LSL(x,s) ((x)<<((s) & 0x1f))
3108 # else
3109 # define PNG_LSR(x,s) ((x)>>(s))
3110 # define PNG_LSL(x,s) ((x)<<(s))
3111 # endif
3112 # define S_COPY(p,x) (((p)<4 ? PNG_LSR(0x80088822,(3-(p))*8+(7-(x))) :\
3113 PNG_LSR(0xaa55ff00,(7-(p))*8+(7-(x)))) & 1)
3114 # define B_COPY(p,x) (((p)<4 ? PNG_LSR(0xff0fff33,(3-(p))*8+(7-(x))) :\
3115 PNG_LSR(0xff55ff00,(7-(p))*8+(7-(x)))) & 1)
3116
3117 /* Return a mask for pass 'p' pixel 'x' at depth 'd'. The mask is
3118 * little endian - the first pixel is at bit 0 - however the extra
3119 * parameter 's' can be set to cause the mask position to be swapped
3120 * within each byte, to match the PNG format. This is done by XOR of
3121 * the shift with 7, 6 or 4 for bit depths 1, 2 and 4.
3122 */
3123 # define PIXEL_MASK(p,x,d,s) \
3124 (PNG_LSL(((PNG_LSL(1U,(d)))-1),(((x)*(d))^((s)?8-(d):0))))
3125
3126 /* Hence generate the appropriate 'block' or 'sparkle' pixel copy mask.
3127 */
3128 # define S_MASKx(p,x,d,s) (S_COPY(p,x)?PIXEL_MASK(p,x,d,s):0)
3129 # define B_MASKx(p,x,d,s) (B_COPY(p,x)?PIXEL_MASK(p,x,d,s):0)
3130
3131 /* Combine 8 of these to get the full mask. For the 1-bpp and 2-bpp
3132 * cases the result needs replicating, for the 4-bpp case the above
3133 * generates a full 32 bits.
3134 */
3135 # define MASK_EXPAND(m,d) ((m)*((d)==1?0x01010101:((d)==2?0x00010001:1)))
3136
3137 # define S_MASK(p,d,s) MASK_EXPAND(S_MASKx(p,0,d,s) + S_MASKx(p,1,d,s) +\
3138 S_MASKx(p,2,d,s) + S_MASKx(p,3,d,s) + S_MASKx(p,4,d,s) +\
3139 S_MASKx(p,5,d,s) + S_MASKx(p,6,d,s) + S_MASKx(p,7,d,s), d)
3140
3141 # define B_MASK(p,d,s) MASK_EXPAND(B_MASKx(p,0,d,s) + B_MASKx(p,1,d,s) +\
3142 B_MASKx(p,2,d,s) + B_MASKx(p,3,d,s) + B_MASKx(p,4,d,s) +\
3143 B_MASKx(p,5,d,s) + B_MASKx(p,6,d,s) + B_MASKx(p,7,d,s), d)
3144
3145 #if PNG_USE_COMPILE_TIME_MASKS
3146 /* Utility macros to construct all the masks for a depth/swap
3147 * combination. The 's' parameter says whether the format is PNG
3148 * (big endian bytes) or not. Only the three odd-numbered passes are
3149 * required for the display/block algorithm.
3150 */
3151 # define S_MASKS(d,s) { S_MASK(0,d,s), S_MASK(1,d,s), S_MASK(2,d,s),\
3152 S_MASK(3,d,s), S_MASK(4,d,s), S_MASK(5,d,s) }
3153
3154 # define B_MASKS(d,s) { B_MASK(1,d,s), S_MASK(3,d,s), S_MASK(5,d,s) }
3155
3156 # define DEPTH_INDEX(d) ((d)==1?0:((d)==2?1:2))
3157
3158 /* Hence the pre-compiled masks indexed by PACKSWAP (or not), depth and
3159 * then pass:
3160 */
3161 static PNG_CONST png_uint_32 row_mask[2/*PACKSWAP*/][3/*depth*/][6] =
3162 {
3163 /* Little-endian byte masks for PACKSWAP */
3164 { S_MASKS(1,0), S_MASKS(2,0), S_MASKS(4,0) },
3165 /* Normal (big-endian byte) masks - PNG format */
3166 { S_MASKS(1,1), S_MASKS(2,1), S_MASKS(4,1) }
3167 };
3168
3169 /* display_mask has only three entries for the odd passes, so index by
3170 * pass>>1.
3171 */
3172 static PNG_CONST png_uint_32 display_mask[2][3][3] =
3173 {
3174 /* Little-endian byte masks for PACKSWAP */
3175 { B_MASKS(1,0), B_MASKS(2,0), B_MASKS(4,0) },
3176 /* Normal (big-endian byte) masks - PNG format */
3177 { B_MASKS(1,1), B_MASKS(2,1), B_MASKS(4,1) }
3178 };
3179
3180 # define MASK(pass,depth,display,png)\
3181 ((display)?display_mask[png][DEPTH_INDEX(depth)][pass>>1]:\
3182 row_mask[png][DEPTH_INDEX(depth)][pass])
3183
3184 #else /* !PNG_USE_COMPILE_TIME_MASKS */
3185 /* This is the runtime alternative: it seems unlikely that this will
3186 * ever be either smaller or faster than the compile time approach.
3187 */
3188 # define MASK(pass,depth,display,png)\
3189 ((display)?B_MASK(pass,depth,png):S_MASK(pass,depth,png))
3190 #endif /* !PNG_USE_COMPILE_TIME_MASKS */
3191
3192 /* Use the appropriate mask to copy the required bits. In some cases
3193 * the byte mask will be 0 or 0xff, optimize these cases. row_width is
3194 * the number of pixels, but the code copies bytes, so it is necessary
3195 * to special case the end.
3196 */
3197 png_uint_32 pixels_per_byte = 8 / pixel_depth;
3198 png_uint_32 mask;
3199
3200 # ifdef PNG_READ_PACKSWAP_SUPPORTED
3201 if (png_ptr->transformations & PNG_PACKSWAP)
3202 mask = MASK(pass, pixel_depth, display, 0);
3203
3204 else
3205 # endif
3206 mask = MASK(pass, pixel_depth, display, 1);
3207
3208 for (;;)
3209 {
3210 png_uint_32 m;
3211
3212 /* It doesn't matter in the following if png_uint_32 has more than
3213 * 32 bits because the high bits always match those in m<<24; it is,
3214 * however, essential to use OR here, not +, because of this.
3215 */
3216 m = mask;
3217 mask = (m >> 8) | (m << 24); /* rotate right to good compilers */
3218 m &= 0xff;
3219
3220 if (m != 0) /* something to copy */
3221 {
3222 if (m != 0xff)
3223 *dp = (png_byte)((*dp & ~m) | (*sp & m));
3224 else
3225 *dp = *sp;
3226 }
3227
3228 /* NOTE: this may overwrite the last byte with garbage if the image
3229 * is not an exact number of bytes wide; libpng has always done
3230 * this.
3231 */
3232 if (row_width <= pixels_per_byte)
3233 break; /* May need to restore part of the last byte */
3234
3235 row_width -= pixels_per_byte;
3236 ++dp;
3237 ++sp;
3238 }
3239 }
3240
3241 else /* pixel_depth >= 8 */
3242 {
3243 unsigned int bytes_to_copy, bytes_to_jump;
3244
3245 /* Validate the depth - it must be a multiple of 8 */
3246 if (pixel_depth & 7)
3247 png_error(png_ptr, "invalid user transform pixel depth");
3248
3249 pixel_depth >>= 3; /* now in bytes */
3250 row_width *= pixel_depth;
3251
3252 /* Regardless of pass number the Adam 7 interlace always results in a
3253 * fixed number of pixels to copy then to skip. There may be a
3254 * different number of pixels to skip at the start though.
3255 */
3256 {
3257 unsigned int offset = PNG_PASS_START_COL(pass) * pixel_depth;
3258
3259 row_width -= offset;
3260 dp += offset;
3261 sp += offset;
3262 }
3263
3264 /* Work out the bytes to copy. */
3265 if (display)
3266 {
3267 /* When doing the 'block' algorithm the pixel in the pass gets
3268 * replicated to adjacent pixels. This is why the even (0,2,4,6)
3269 * passes are skipped above - the entire expanded row is copied.
3270 */
3271 bytes_to_copy = (1<<((6-pass)>>1)) * pixel_depth;
3272
3273 /* But don't allow this number to exceed the actual row width. */
3274 if (bytes_to_copy > row_width)
3275 bytes_to_copy = row_width;
3276 }
3277
3278 else /* normal row; Adam7 only ever gives us one pixel to copy. */
3279 bytes_to_copy = pixel_depth;
3280
3281 /* In Adam7 there is a constant offset between where the pixels go. */
3282 bytes_to_jump = PNG_PASS_COL_OFFSET(pass) * pixel_depth;
3283
3284 /* And simply copy these bytes. Some optimization is possible here,
3285 * depending on the value of 'bytes_to_copy'. Special case the low
3286 * byte counts, which we know to be frequent.
3287 *
3288 * Notice that these cases all 'return' rather than 'break' - this
3289 * avoids an unnecessary test on whether to restore the last byte
3290 * below.
3291 */
3292 switch (bytes_to_copy)
3293 {
3294 case 1:
3295 for (;;)
3296 {
3297 *dp = *sp;
3298
3299 if (row_width <= bytes_to_jump)
3300 return;
3301
3302 dp += bytes_to_jump;
3303 sp += bytes_to_jump;
3304 row_width -= bytes_to_jump;
3305 }
3306
3307 case 2:
3308 /* There is a possibility of a partial copy at the end here; this
3309 * slows the code down somewhat.
3310 */
3311 do
3312 {
3313 dp[0] = sp[0], dp[1] = sp[1];
3314
3315 if (row_width <= bytes_to_jump)
3316 return;
3317
3318 sp += bytes_to_jump;
3319 dp += bytes_to_jump;
3320 row_width -= bytes_to_jump;
3321 }
3322 while (row_width > 1);
3323
3324 /* And there can only be one byte left at this point: */
3325 *dp = *sp;
3326 return;
3327
3328 case 3:
3329 /* This can only be the RGB case, so each copy is exactly one
3330 * pixel and it is not necessary to check for a partial copy.
3331 */
3332 for(;;)
3333 {
3334 dp[0] = sp[0], dp[1] = sp[1], dp[2] = sp[2];
3335
3336 if (row_width <= bytes_to_jump)
3337 return;
3338
3339 sp += bytes_to_jump;
3340 dp += bytes_to_jump;
3341 row_width -= bytes_to_jump;
3342 }
3343
3344 default:
3345 #if PNG_ALIGN_TYPE != PNG_ALIGN_NONE
3346 /* Check for double byte alignment and, if possible, use a
3347 * 16-bit copy. Don't attempt this for narrow images - ones that
3348 * are less than an interlace panel wide. Don't attempt it for
3349 * wide bytes_to_copy either - use the memcpy there.
3350 */
3351 if (bytes_to_copy < 16 /*else use memcpy*/ &&
3352 png_isaligned(dp, png_uint_16) &&
3353 png_isaligned(sp, png_uint_16) &&
3354 bytes_to_copy % (sizeof (png_uint_16)) == 0 &&
3355 bytes_to_jump % (sizeof (png_uint_16)) == 0)
3356 {
3357 /* Everything is aligned for png_uint_16 copies, but try for
3358 * png_uint_32 first.
3359 */
3360 if (png_isaligned(dp, png_uint_32) &&
3361 png_isaligned(sp, png_uint_32) &&
3362 bytes_to_copy % (sizeof (png_uint_32)) == 0 &&
3363 bytes_to_jump % (sizeof (png_uint_32)) == 0)
3364 {
3365 png_uint_32p dp32 = png_aligncast(png_uint_32p,dp);
3366 png_const_uint_32p sp32 = png_aligncastconst(
3367 png_const_uint_32p, sp);
3368 size_t skip = (bytes_to_jump-bytes_to_copy) /
3369 (sizeof (png_uint_32));
3370
3371 do
3372 {
3373 size_t c = bytes_to_copy;
3374 do
3375 {
3376 *dp32++ = *sp32++;
3377 c -= (sizeof (png_uint_32));
3378 }
3379 while (c > 0);
3380
3381 if (row_width <= bytes_to_jump)
3382 return;
3383
3384 dp32 += skip;
3385 sp32 += skip;
3386 row_width -= bytes_to_jump;
3387 }
3388 while (bytes_to_copy <= row_width);
3389
3390 /* Get to here when the row_width truncates the final copy.
3391 * There will be 1-3 bytes left to copy, so don't try the
3392 * 16-bit loop below.
3393 */
3394 dp = (png_bytep)dp32;
3395 sp = (png_const_bytep)sp32;
3396 do
3397 *dp++ = *sp++;
3398 while (--row_width > 0);
3399 return;
3400 }
3401
3402 /* Else do it in 16-bit quantities, but only if the size is
3403 * not too large.
3404 */
3405 else
3406 {
3407 png_uint_16p dp16 = png_aligncast(png_uint_16p, dp);
3408 png_const_uint_16p sp16 = png_aligncastconst(
3409 png_const_uint_16p, sp);
3410 size_t skip = (bytes_to_jump-bytes_to_copy) /
3411 (sizeof (png_uint_16));
3412
3413 do
3414 {
3415 size_t c = bytes_to_copy;
3416 do
3417 {
3418 *dp16++ = *sp16++;
3419 c -= (sizeof (png_uint_16));
3420 }
3421 while (c > 0);
3422
3423 if (row_width <= bytes_to_jump)
3424 return;
3425
3426 dp16 += skip;
3427 sp16 += skip;
3428 row_width -= bytes_to_jump;
3429 }
3430 while (bytes_to_copy <= row_width);
3431
3432 /* End of row - 1 byte left, bytes_to_copy > row_width: */
3433 dp = (png_bytep)dp16;
3434 sp = (png_const_bytep)sp16;
3435 do
3436 *dp++ = *sp++;
3437 while (--row_width > 0);
3438 return;
3439 }
3440 }
3441 #endif /* PNG_ALIGN_ code */
3442
3443 /* The true default - use a memcpy: */
3444 for (;;)
3445 {
3446 memcpy(dp, sp, bytes_to_copy);
3447
3448 if (row_width <= bytes_to_jump)
3449 return;
3450
3451 sp += bytes_to_jump;
3452 dp += bytes_to_jump;
3453 row_width -= bytes_to_jump;
3454 if (bytes_to_copy > row_width)
3455 bytes_to_copy = row_width;
3456 }
3457 }
3458
3459 /* NOT REACHED*/
3460 } /* pixel_depth >= 8 */
3461
3462 /* Here if pixel_depth < 8 to check 'end_ptr' below. */
3463 }
3464 else
3465 #endif
3466
3467 /* If here then the switch above wasn't used so just memcpy the whole row
3468 * from the temporary row buffer (notice that this overwrites the end of the
3469 * destination row if it is a partial byte.)
3470 */
3471 memcpy(dp, sp, PNG_ROWBYTES(pixel_depth, row_width));
3472
3473 /* Restore the overwritten bits from the last byte if necessary. */
3474 if (end_ptr != NULL)
3475 *end_ptr = (png_byte)((end_byte & end_mask) | (*end_ptr & ~end_mask));
3476 }
3477
3478 #ifdef PNG_READ_INTERLACING_SUPPORTED
3479 void /* PRIVATE */
3480 png_do_read_interlace(png_row_infop row_info, png_bytep row, int pass,
3481 png_uint_32 transformations /* Because these may affect the byte layout */)
3482 {
3483 /* Arrays to facilitate easy interlacing - use pass (0 - 6) as index */ 2726 /* Arrays to facilitate easy interlacing - use pass (0 - 6) as index */
3484 /* Offset to next interlace block */ 2727 /* Offset to next interlace block */
3485 static PNG_CONST int png_pass_inc[7] = {8, 8, 4, 4, 2, 2, 1}; 2728 PNG_CONST int png_pass_inc[7] = {8, 8, 4, 4, 2, 2, 1};
3486 2729
3487 png_debug(1, "in png_do_read_interlace"); 2730 png_debug(1, "in png_do_read_interlace");
3488 if (row != NULL && row_info != NULL) 2731 if (row != NULL && row_info != NULL)
3489 { 2732 {
3490 png_uint_32 final_width; 2733 png_uint_32 final_width;
3491 2734
3492 final_width = row_info->width * png_pass_inc[pass]; 2735 final_width = row_info->width * png_pass_inc[pass];
3493 2736
3494 switch (row_info->pixel_depth) 2737 switch (row_info->pixel_depth)
3495 { 2738 {
(...skipping 10 matching lines...) Expand all
3506 2749
3507 #ifdef PNG_READ_PACKSWAP_SUPPORTED 2750 #ifdef PNG_READ_PACKSWAP_SUPPORTED
3508 if (transformations & PNG_PACKSWAP) 2751 if (transformations & PNG_PACKSWAP)
3509 { 2752 {
3510 sshift = (int)((row_info->width + 7) & 0x07); 2753 sshift = (int)((row_info->width + 7) & 0x07);
3511 dshift = (int)((final_width + 7) & 0x07); 2754 dshift = (int)((final_width + 7) & 0x07);
3512 s_start = 7; 2755 s_start = 7;
3513 s_end = 0; 2756 s_end = 0;
3514 s_inc = -1; 2757 s_inc = -1;
3515 } 2758 }
3516
3517 else 2759 else
3518 #endif 2760 #endif
3519 { 2761 {
3520 sshift = 7 - (int)((row_info->width + 7) & 0x07); 2762 sshift = 7 - (int)((row_info->width + 7) & 0x07);
3521 dshift = 7 - (int)((final_width + 7) & 0x07); 2763 dshift = 7 - (int)((final_width + 7) & 0x07);
3522 s_start = 0; 2764 s_start = 0;
3523 s_end = 7; 2765 s_end = 7;
3524 s_inc = 1; 2766 s_inc = 1;
3525 } 2767 }
3526 2768
3527 for (i = 0; i < row_info->width; i++) 2769 for (i = 0; i < row_info->width; i++)
3528 { 2770 {
3529 v = (png_byte)((*sp >> sshift) & 0x01); 2771 v = (png_byte)((*sp >> sshift) & 0x01);
3530 for (j = 0; j < jstop; j++) 2772 for (j = 0; j < jstop; j++)
3531 { 2773 {
3532 unsigned int tmp = *dp & (0x7f7f >> (7 - dshift)); 2774 *dp &= (png_byte)((0x7f7f >> (7 - dshift)) & 0xff);
3533 tmp |= v << dshift; 2775 *dp |= (png_byte)(v << dshift);
3534 *dp = (png_byte)(tmp & 0xff);
3535
3536 if (dshift == s_end) 2776 if (dshift == s_end)
3537 { 2777 {
3538 dshift = s_start; 2778 dshift = s_start;
3539 dp--; 2779 dp--;
3540 } 2780 }
3541
3542 else 2781 else
3543 dshift += s_inc; 2782 dshift += s_inc;
3544 } 2783 }
3545
3546 if (sshift == s_end) 2784 if (sshift == s_end)
3547 { 2785 {
3548 sshift = s_start; 2786 sshift = s_start;
3549 sp--; 2787 sp--;
3550 } 2788 }
3551
3552 else 2789 else
3553 sshift += s_inc; 2790 sshift += s_inc;
3554 } 2791 }
3555 break; 2792 break;
3556 } 2793 }
3557
3558 case 2: 2794 case 2:
3559 { 2795 {
3560 png_bytep sp = row + (png_uint_32)((row_info->width - 1) >> 2); 2796 png_bytep sp = row + (png_uint_32)((row_info->width - 1) >> 2);
3561 png_bytep dp = row + (png_uint_32)((final_width - 1) >> 2); 2797 png_bytep dp = row + (png_uint_32)((final_width - 1) >> 2);
3562 int sshift, dshift; 2798 int sshift, dshift;
3563 int s_start, s_end, s_inc; 2799 int s_start, s_end, s_inc;
3564 int jstop = png_pass_inc[pass]; 2800 int jstop = png_pass_inc[pass];
3565 png_uint_32 i; 2801 png_uint_32 i;
3566 2802
3567 #ifdef PNG_READ_PACKSWAP_SUPPORTED 2803 #ifdef PNG_READ_PACKSWAP_SUPPORTED
3568 if (transformations & PNG_PACKSWAP) 2804 if (transformations & PNG_PACKSWAP)
3569 { 2805 {
3570 sshift = (int)(((row_info->width + 3) & 0x03) << 1); 2806 sshift = (int)(((row_info->width + 3) & 0x03) << 1);
3571 dshift = (int)(((final_width + 3) & 0x03) << 1); 2807 dshift = (int)(((final_width + 3) & 0x03) << 1);
3572 s_start = 6; 2808 s_start = 6;
3573 s_end = 0; 2809 s_end = 0;
3574 s_inc = -2; 2810 s_inc = -2;
3575 } 2811 }
3576
3577 else 2812 else
3578 #endif 2813 #endif
3579 { 2814 {
3580 sshift = (int)((3 - ((row_info->width + 3) & 0x03)) << 1); 2815 sshift = (int)((3 - ((row_info->width + 3) & 0x03)) << 1);
3581 dshift = (int)((3 - ((final_width + 3) & 0x03)) << 1); 2816 dshift = (int)((3 - ((final_width + 3) & 0x03)) << 1);
3582 s_start = 0; 2817 s_start = 0;
3583 s_end = 6; 2818 s_end = 6;
3584 s_inc = 2; 2819 s_inc = 2;
3585 } 2820 }
3586 2821
3587 for (i = 0; i < row_info->width; i++) 2822 for (i = 0; i < row_info->width; i++)
3588 { 2823 {
3589 png_byte v; 2824 png_byte v;
3590 int j; 2825 int j;
3591 2826
3592 v = (png_byte)((*sp >> sshift) & 0x03); 2827 v = (png_byte)((*sp >> sshift) & 0x03);
3593 for (j = 0; j < jstop; j++) 2828 for (j = 0; j < jstop; j++)
3594 { 2829 {
3595 unsigned int tmp = *dp & (0x3f3f >> (6 - dshift)); 2830 *dp &= (png_byte)((0x3f3f >> (6 - dshift)) & 0xff);
3596 tmp |= v << dshift; 2831 *dp |= (png_byte)(v << dshift);
3597 *dp = (png_byte)(tmp & 0xff);
3598
3599 if (dshift == s_end) 2832 if (dshift == s_end)
3600 { 2833 {
3601 dshift = s_start; 2834 dshift = s_start;
3602 dp--; 2835 dp--;
3603 } 2836 }
3604
3605 else 2837 else
3606 dshift += s_inc; 2838 dshift += s_inc;
3607 } 2839 }
3608
3609 if (sshift == s_end) 2840 if (sshift == s_end)
3610 { 2841 {
3611 sshift = s_start; 2842 sshift = s_start;
3612 sp--; 2843 sp--;
3613 } 2844 }
3614
3615 else 2845 else
3616 sshift += s_inc; 2846 sshift += s_inc;
3617 } 2847 }
3618 break; 2848 break;
3619 } 2849 }
3620
3621 case 4: 2850 case 4:
3622 { 2851 {
3623 png_bytep sp = row + (png_size_t)((row_info->width - 1) >> 1); 2852 png_bytep sp = row + (png_size_t)((row_info->width - 1) >> 1);
3624 png_bytep dp = row + (png_size_t)((final_width - 1) >> 1); 2853 png_bytep dp = row + (png_size_t)((final_width - 1) >> 1);
3625 int sshift, dshift; 2854 int sshift, dshift;
3626 int s_start, s_end, s_inc; 2855 int s_start, s_end, s_inc;
3627 png_uint_32 i; 2856 png_uint_32 i;
3628 int jstop = png_pass_inc[pass]; 2857 int jstop = png_pass_inc[pass];
3629 2858
3630 #ifdef PNG_READ_PACKSWAP_SUPPORTED 2859 #ifdef PNG_READ_PACKSWAP_SUPPORTED
3631 if (transformations & PNG_PACKSWAP) 2860 if (transformations & PNG_PACKSWAP)
3632 { 2861 {
3633 sshift = (int)(((row_info->width + 1) & 0x01) << 2); 2862 sshift = (int)(((row_info->width + 1) & 0x01) << 2);
3634 dshift = (int)(((final_width + 1) & 0x01) << 2); 2863 dshift = (int)(((final_width + 1) & 0x01) << 2);
3635 s_start = 4; 2864 s_start = 4;
3636 s_end = 0; 2865 s_end = 0;
3637 s_inc = -4; 2866 s_inc = -4;
3638 } 2867 }
3639
3640 else 2868 else
3641 #endif 2869 #endif
3642 { 2870 {
3643 sshift = (int)((1 - ((row_info->width + 1) & 0x01)) << 2); 2871 sshift = (int)((1 - ((row_info->width + 1) & 0x01)) << 2);
3644 dshift = (int)((1 - ((final_width + 1) & 0x01)) << 2); 2872 dshift = (int)((1 - ((final_width + 1) & 0x01)) << 2);
3645 s_start = 0; 2873 s_start = 0;
3646 s_end = 4; 2874 s_end = 4;
3647 s_inc = 4; 2875 s_inc = 4;
3648 } 2876 }
3649 2877
3650 for (i = 0; i < row_info->width; i++) 2878 for (i = 0; i < row_info->width; i++)
3651 { 2879 {
3652 png_byte v = (png_byte)((*sp >> sshift) & 0x0f); 2880 png_byte v = (png_byte)((*sp >> sshift) & 0xf);
3653 int j; 2881 int j;
3654 2882
3655 for (j = 0; j < jstop; j++) 2883 for (j = 0; j < jstop; j++)
3656 { 2884 {
3657 unsigned int tmp = *dp & (0xf0f >> (4 - dshift)); 2885 *dp &= (png_byte)((0xf0f >> (4 - dshift)) & 0xff);
3658 tmp |= v << dshift; 2886 *dp |= (png_byte)(v << dshift);
3659 *dp = (png_byte)(tmp & 0xff);
3660
3661 if (dshift == s_end) 2887 if (dshift == s_end)
3662 { 2888 {
3663 dshift = s_start; 2889 dshift = s_start;
3664 dp--; 2890 dp--;
3665 } 2891 }
3666
3667 else 2892 else
3668 dshift += s_inc; 2893 dshift += s_inc;
3669 } 2894 }
3670
3671 if (sshift == s_end) 2895 if (sshift == s_end)
3672 { 2896 {
3673 sshift = s_start; 2897 sshift = s_start;
3674 sp--; 2898 sp--;
3675 } 2899 }
3676
3677 else 2900 else
3678 sshift += s_inc; 2901 sshift += s_inc;
3679 } 2902 }
3680 break; 2903 break;
3681 } 2904 }
3682
3683 default: 2905 default:
3684 { 2906 {
3685 png_size_t pixel_bytes = (row_info->pixel_depth >> 3); 2907 png_size_t pixel_bytes = (row_info->pixel_depth >> 3);
3686
3687 png_bytep sp = row + (png_size_t)(row_info->width - 1) 2908 png_bytep sp = row + (png_size_t)(row_info->width - 1)
3688 * pixel_bytes; 2909 * pixel_bytes;
3689
3690 png_bytep dp = row + (png_size_t)(final_width - 1) * pixel_bytes; 2910 png_bytep dp = row + (png_size_t)(final_width - 1) * pixel_bytes;
3691 2911
3692 int jstop = png_pass_inc[pass]; 2912 int jstop = png_pass_inc[pass];
3693 png_uint_32 i; 2913 png_uint_32 i;
3694 2914
3695 for (i = 0; i < row_info->width; i++) 2915 for (i = 0; i < row_info->width; i++)
3696 { 2916 {
3697 png_byte v[8]; /* SAFE; pixel_depth does not exceed 64 */ 2917 png_byte v[8];
3698 int j; 2918 int j;
3699 2919
3700 memcpy(v, sp, pixel_bytes); 2920 png_memcpy(v, sp, pixel_bytes);
3701
3702 for (j = 0; j < jstop; j++) 2921 for (j = 0; j < jstop; j++)
3703 { 2922 {
3704 memcpy(dp, v, pixel_bytes); 2923 png_memcpy(dp, v, pixel_bytes);
3705 dp -= pixel_bytes; 2924 dp -= pixel_bytes;
3706 } 2925 }
3707
3708 sp -= pixel_bytes; 2926 sp -= pixel_bytes;
3709 } 2927 }
3710 break; 2928 break;
3711 } 2929 }
3712 } 2930 }
3713
3714 row_info->width = final_width; 2931 row_info->width = final_width;
3715 row_info->rowbytes = PNG_ROWBYTES(row_info->pixel_depth, final_width); 2932 row_info->rowbytes = PNG_ROWBYTES(row_info->pixel_depth, final_width);
3716 } 2933 }
3717 #ifndef PNG_READ_PACKSWAP_SUPPORTED 2934 #ifndef PNG_READ_PACKSWAP_SUPPORTED
3718 PNG_UNUSED(transformations) /* Silence compiler warning */ 2935 transformations = transformations; /* Silence compiler warning */
3719 #endif 2936 #endif
3720 } 2937 }
3721 #endif /* PNG_READ_INTERLACING_SUPPORTED */ 2938 #endif /* PNG_READ_INTERLACING_SUPPORTED */
3722 2939
3723 static void 2940 void /* PRIVATE */
3724 png_read_filter_row_sub(png_row_infop row_info, png_bytep row, 2941 png_read_filter_row(png_structp png_ptr, png_row_infop row_info, png_bytep row,
3725 png_const_bytep prev_row) 2942 png_bytep prev_row, int filter)
3726 { 2943 {
3727 png_size_t i; 2944 png_debug(1, "in png_read_filter_row");
3728 png_size_t istop = row_info->rowbytes; 2945 png_debug2(2, "row = %lu, filter = %d", png_ptr->row_number, filter);
3729 unsigned int bpp = (row_info->pixel_depth + 7) >> 3; 2946 switch (filter)
3730 png_bytep rp = row + bpp; 2947 {
2948 case PNG_FILTER_VALUE_NONE:
2949 break;
2950 case PNG_FILTER_VALUE_SUB:
2951 {
2952 png_uint_32 i;
2953 png_uint_32 istop = row_info->rowbytes;
2954 png_uint_32 bpp = (row_info->pixel_depth + 7) >> 3;
2955 png_bytep rp = row + bpp;
2956 png_bytep lp = row;
3731 2957
3732 PNG_UNUSED(prev_row) 2958 for (i = bpp; i < istop; i++)
2959 {
2960 *rp = (png_byte)(((int)(*rp) + (int)(*lp++)) & 0xff);
2961 rp++;
2962 }
2963 break;
2964 }
2965 case PNG_FILTER_VALUE_UP:
2966 {
2967 png_uint_32 i;
2968 png_uint_32 istop = row_info->rowbytes;
2969 png_bytep rp = row;
2970 png_bytep pp = prev_row;
3733 2971
3734 for (i = bpp; i < istop; i++) 2972 for (i = 0; i < istop; i++)
3735 { 2973 {
3736 *rp = (png_byte)(((int)(*rp) + (int)(*(rp-bpp))) & 0xff); 2974 *rp = (png_byte)(((int)(*rp) + (int)(*pp++)) & 0xff);
3737 rp++; 2975 rp++;
2976 }
2977 break;
2978 }
2979 case PNG_FILTER_VALUE_AVG:
2980 {
2981 png_uint_32 i;
2982 png_bytep rp = row;
2983 png_bytep pp = prev_row;
2984 png_bytep lp = row;
2985 png_uint_32 bpp = (row_info->pixel_depth + 7) >> 3;
2986 png_uint_32 istop = row_info->rowbytes - bpp;
2987
2988 for (i = 0; i < bpp; i++)
2989 {
2990 *rp = (png_byte)(((int)(*rp) +
2991 ((int)(*pp++) / 2 )) & 0xff);
2992 rp++;
2993 }
2994
2995 for (i = 0; i < istop; i++)
2996 {
2997 *rp = (png_byte)(((int)(*rp) +
2998 (int)(*pp++ + *lp++) / 2 ) & 0xff);
2999 rp++;
3000 }
3001 break;
3002 }
3003 case PNG_FILTER_VALUE_PAETH:
3004 {
3005 png_uint_32 i;
3006 png_bytep rp = row;
3007 png_bytep pp = prev_row;
3008 png_bytep lp = row;
3009 png_bytep cp = prev_row;
3010 png_uint_32 bpp = (row_info->pixel_depth + 7) >> 3;
3011 png_uint_32 istop=row_info->rowbytes - bpp;
3012
3013 for (i = 0; i < bpp; i++)
3014 {
3015 *rp = (png_byte)(((int)(*rp) + (int)(*pp++)) & 0xff);
3016 rp++;
3017 }
3018
3019 for (i = 0; i < istop; i++) /* Use leftover rp,pp */
3020 {
3021 int a, b, c, pa, pb, pc, p;
3022
3023 a = *lp++;
3024 b = *pp++;
3025 c = *cp++;
3026
3027 p = b - c;
3028 pc = a - c;
3029
3030 #ifdef PNG_USE_ABS
3031 pa = abs(p);
3032 pb = abs(pc);
3033 pc = abs(p + pc);
3034 #else
3035 pa = p < 0 ? -p : p;
3036 pb = pc < 0 ? -pc : pc;
3037 pc = (p + pc) < 0 ? -(p + pc) : p + pc;
3038 #endif
3039
3040 /*
3041 if (pa <= pb && pa <= pc)
3042 p = a;
3043 else if (pb <= pc)
3044 p = b;
3045 else
3046 p = c;
3047 */
3048
3049 p = (pa <= pb && pa <= pc) ? a : (pb <= pc) ? b : c;
3050
3051 *rp = (png_byte)(((int)(*rp) + p) & 0xff);
3052 rp++;
3053 }
3054 break;
3055 }
3056 default:
3057 png_warning(png_ptr, "Ignoring bad adaptive filter type");
3058 *row = 0;
3059 break;
3738 } 3060 }
3739 } 3061 }
3740 3062
3741 static void
3742 png_read_filter_row_up(png_row_infop row_info, png_bytep row,
3743 png_const_bytep prev_row)
3744 {
3745 png_size_t i;
3746 png_size_t istop = row_info->rowbytes;
3747 png_bytep rp = row;
3748 png_const_bytep pp = prev_row;
3749
3750 for (i = 0; i < istop; i++)
3751 {
3752 *rp = (png_byte)(((int)(*rp) + (int)(*pp++)) & 0xff);
3753 rp++;
3754 }
3755 }
3756
3757 static void
3758 png_read_filter_row_avg(png_row_infop row_info, png_bytep row,
3759 png_const_bytep prev_row)
3760 {
3761 png_size_t i;
3762 png_bytep rp = row;
3763 png_const_bytep pp = prev_row;
3764 unsigned int bpp = (row_info->pixel_depth + 7) >> 3;
3765 png_size_t istop = row_info->rowbytes - bpp;
3766
3767 for (i = 0; i < bpp; i++)
3768 {
3769 *rp = (png_byte)(((int)(*rp) +
3770 ((int)(*pp++) / 2 )) & 0xff);
3771
3772 rp++;
3773 }
3774
3775 for (i = 0; i < istop; i++)
3776 {
3777 *rp = (png_byte)(((int)(*rp) +
3778 (int)(*pp++ + *(rp-bpp)) / 2 ) & 0xff);
3779
3780 rp++;
3781 }
3782 }
3783
3784 static void
3785 png_read_filter_row_paeth_1byte_pixel(png_row_infop row_info, png_bytep row,
3786 png_const_bytep prev_row)
3787 {
3788 png_bytep rp_end = row + row_info->rowbytes;
3789 int a, c;
3790
3791 /* First pixel/byte */
3792 c = *prev_row++;
3793 a = *row + c;
3794 *row++ = (png_byte)a;
3795
3796 /* Remainder */
3797 while (row < rp_end)
3798 {
3799 int b, pa, pb, pc, p;
3800
3801 a &= 0xff; /* From previous iteration or start */
3802 b = *prev_row++;
3803
3804 p = b - c;
3805 pc = a - c;
3806
3807 # ifdef PNG_USE_ABS
3808 pa = abs(p);
3809 pb = abs(pc);
3810 pc = abs(p + pc);
3811 # else
3812 pa = p < 0 ? -p : p;
3813 pb = pc < 0 ? -pc : pc;
3814 pc = (p + pc) < 0 ? -(p + pc) : p + pc;
3815 # endif
3816
3817 /* Find the best predictor, the least of pa, pb, pc favoring the earlier
3818 * ones in the case of a tie.
3819 */
3820 if (pb < pa) pa = pb, a = b;
3821 if (pc < pa) a = c;
3822
3823 /* Calculate the current pixel in a, and move the previous row pixel to c
3824 * for the next time round the loop
3825 */
3826 c = b;
3827 a += *row;
3828 *row++ = (png_byte)a;
3829 }
3830 }
3831
3832 static void
3833 png_read_filter_row_paeth_multibyte_pixel(png_row_infop row_info, png_bytep row,
3834 png_const_bytep prev_row)
3835 {
3836 int bpp = (row_info->pixel_depth + 7) >> 3;
3837 png_bytep rp_end = row + bpp;
3838
3839 /* Process the first pixel in the row completely (this is the same as 'up'
3840 * because there is only one candidate predictor for the first row).
3841 */
3842 while (row < rp_end)
3843 {
3844 int a = *row + *prev_row++;
3845 *row++ = (png_byte)a;
3846 }
3847
3848 /* Remainder */
3849 rp_end += row_info->rowbytes - bpp;
3850
3851 while (row < rp_end)
3852 {
3853 int a, b, c, pa, pb, pc, p;
3854
3855 c = *(prev_row - bpp);
3856 a = *(row - bpp);
3857 b = *prev_row++;
3858
3859 p = b - c;
3860 pc = a - c;
3861
3862 # ifdef PNG_USE_ABS
3863 pa = abs(p);
3864 pb = abs(pc);
3865 pc = abs(p + pc);
3866 # else
3867 pa = p < 0 ? -p : p;
3868 pb = pc < 0 ? -pc : pc;
3869 pc = (p + pc) < 0 ? -(p + pc) : p + pc;
3870 # endif
3871
3872 if (pb < pa) pa = pb, a = b;
3873 if (pc < pa) a = c;
3874
3875 c = b;
3876 a += *row;
3877 *row++ = (png_byte)a;
3878 }
3879 }
3880
3881 static void
3882 png_init_filter_functions(png_structrp pp)
3883 /* This function is called once for every PNG image to set the
3884 * implementations required to reverse the filtering of PNG rows. Reversing
3885 * the filter is the first transformation performed on the row data. It is
3886 * performed in place, therefore an implementation can be selected based on
3887 * the image pixel format. If the implementation depends on image width then
3888 * take care to ensure that it works correctly if the image is interlaced -
3889 * interlacing causes the actual row width to vary.
3890 */
3891 {
3892 unsigned int bpp = (pp->pixel_depth + 7) >> 3;
3893
3894 pp->read_filter[PNG_FILTER_VALUE_SUB-1] = png_read_filter_row_sub;
3895 pp->read_filter[PNG_FILTER_VALUE_UP-1] = png_read_filter_row_up;
3896 pp->read_filter[PNG_FILTER_VALUE_AVG-1] = png_read_filter_row_avg;
3897 if (bpp == 1)
3898 pp->read_filter[PNG_FILTER_VALUE_PAETH-1] =
3899 png_read_filter_row_paeth_1byte_pixel;
3900 else
3901 pp->read_filter[PNG_FILTER_VALUE_PAETH-1] =
3902 png_read_filter_row_paeth_multibyte_pixel;
3903
3904 #ifdef PNG_FILTER_OPTIMIZATIONS
3905 /* To use this define PNG_FILTER_OPTIMIZATIONS as the name of a function to
3906 * call to install hardware optimizations for the above functions; simply
3907 * replace whatever elements of the pp->read_filter[] array with a hardware
3908 * specific (or, for that matter, generic) optimization.
3909 *
3910 * To see an example of this examine what configure.ac does when
3911 * --enable-arm-neon is specified on the command line.
3912 */
3913 PNG_FILTER_OPTIMIZATIONS(pp, bpp);
3914 #endif
3915 }
3916
3917 void /* PRIVATE */
3918 png_read_filter_row(png_structrp pp, png_row_infop row_info, png_bytep row,
3919 png_const_bytep prev_row, int filter)
3920 {
3921 /* OPTIMIZATION: DO NOT MODIFY THIS FUNCTION, instead #define
3922 * PNG_FILTER_OPTIMIZATIONS to a function that overrides the generic
3923 * implementations. See png_init_filter_functions above.
3924 */
3925 if (pp->read_filter[0] == NULL)
3926 png_init_filter_functions(pp);
3927 if (filter > PNG_FILTER_VALUE_NONE && filter < PNG_FILTER_VALUE_LAST)
3928 pp->read_filter[filter-1](row_info, row, prev_row);
3929 }
3930
3931 #ifdef PNG_SEQUENTIAL_READ_SUPPORTED 3063 #ifdef PNG_SEQUENTIAL_READ_SUPPORTED
3932 void /* PRIVATE */ 3064 void /* PRIVATE */
3933 png_read_IDAT_data(png_structrp png_ptr, png_bytep output, 3065 png_read_finish_row(png_structp png_ptr)
3934 png_alloc_size_t avail_out)
3935 {
3936 /* Loop reading IDATs and decompressing the result into output[avail_out] */
3937 png_ptr->zstream.next_out = output;
3938 png_ptr->zstream.avail_out = 0; /* safety: set below */
3939
3940 if (output == NULL)
3941 avail_out = 0;
3942
3943 do
3944 {
3945 int ret;
3946 png_byte tmpbuf[PNG_INFLATE_BUF_SIZE];
3947
3948 if (png_ptr->zstream.avail_in == 0)
3949 {
3950 uInt avail_in;
3951 png_bytep buffer;
3952
3953 while (png_ptr->idat_size == 0)
3954 {
3955 png_crc_finish(png_ptr, 0);
3956
3957 png_ptr->idat_size = png_read_chunk_header(png_ptr);
3958 /* This is an error even in the 'check' case because the code just
3959 * consumed a non-IDAT header.
3960 */
3961 if (png_ptr->chunk_name != png_IDAT)
3962 png_error(png_ptr, "Not enough image data");
3963 }
3964
3965 avail_in = png_ptr->IDAT_read_size;
3966
3967 if (avail_in > png_ptr->idat_size)
3968 avail_in = (uInt)png_ptr->idat_size;
3969
3970 /* A PNG with a gradually increasing IDAT size will defeat this attempt
3971 * to minimize memory usage by causing lots of re-allocs, but
3972 * realistically doing IDAT_read_size re-allocs is not likely to be a
3973 * big problem.
3974 */
3975 buffer = png_read_buffer(png_ptr, avail_in, 0/*error*/);
3976
3977 png_crc_read(png_ptr, buffer, avail_in);
3978 png_ptr->idat_size -= avail_in;
3979
3980 png_ptr->zstream.next_in = buffer;
3981 png_ptr->zstream.avail_in = avail_in;
3982 }
3983
3984 /* And set up the output side. */
3985 if (output != NULL) /* standard read */
3986 {
3987 uInt out = ZLIB_IO_MAX;
3988
3989 if (out > avail_out)
3990 out = (uInt)avail_out;
3991
3992 avail_out -= out;
3993 png_ptr->zstream.avail_out = out;
3994 }
3995
3996 else /* after last row, checking for end */
3997 {
3998 png_ptr->zstream.next_out = tmpbuf;
3999 png_ptr->zstream.avail_out = (sizeof tmpbuf);
4000 }
4001
4002 /* Use NO_FLUSH; this gives zlib the maximum opportunity to optimize the
4003 * process. If the LZ stream is truncated the sequential reader will
4004 * terminally damage the stream, above, by reading the chunk header of the
4005 * following chunk (it then exits with png_error).
4006 *
4007 * TODO: deal more elegantly with truncated IDAT lists.
4008 */
4009 ret = inflate(&png_ptr->zstream, Z_NO_FLUSH);
4010
4011 /* Take the unconsumed output back. */
4012 if (output != NULL)
4013 avail_out += png_ptr->zstream.avail_out;
4014
4015 else /* avail_out counts the extra bytes */
4016 avail_out += (sizeof tmpbuf) - png_ptr->zstream.avail_out;
4017
4018 png_ptr->zstream.avail_out = 0;
4019
4020 if (ret == Z_STREAM_END)
4021 {
4022 /* Do this for safety; we won't read any more into this row. */
4023 png_ptr->zstream.next_out = NULL;
4024
4025 png_ptr->mode |= PNG_AFTER_IDAT;
4026 png_ptr->flags |= PNG_FLAG_ZSTREAM_ENDED;
4027
4028 if (png_ptr->zstream.avail_in > 0 || png_ptr->idat_size > 0)
4029 png_chunk_benign_error(png_ptr, "Extra compressed data");
4030 break;
4031 }
4032
4033 if (ret != Z_OK)
4034 {
4035 png_zstream_error(png_ptr, ret);
4036
4037 if (output != NULL)
4038 png_chunk_error(png_ptr, png_ptr->zstream.msg);
4039
4040 else /* checking */
4041 {
4042 png_chunk_benign_error(png_ptr, png_ptr->zstream.msg);
4043 return;
4044 }
4045 }
4046 } while (avail_out > 0);
4047
4048 if (avail_out > 0)
4049 {
4050 /* The stream ended before the image; this is the same as too few IDATs so
4051 * should be handled the same way.
4052 */
4053 if (output != NULL)
4054 png_error(png_ptr, "Not enough image data");
4055
4056 else /* the deflate stream contained extra data */
4057 png_chunk_benign_error(png_ptr, "Too much image data");
4058 }
4059 }
4060
4061 void /* PRIVATE */
4062 png_read_finish_IDAT(png_structrp png_ptr)
4063 {
4064 /* We don't need any more data and the stream should have ended, however the
4065 * LZ end code may actually not have been processed. In this case we must
4066 * read it otherwise stray unread IDAT data or, more likely, an IDAT chunk
4067 * may still remain to be consumed.
4068 */
4069 if (!(png_ptr->flags & PNG_FLAG_ZSTREAM_ENDED))
4070 {
4071 /* The NULL causes png_read_IDAT_data to swallow any remaining bytes in
4072 * the compressed stream, but the stream may be damaged too, so even after
4073 * this call we may need to terminate the zstream ownership.
4074 */
4075 png_read_IDAT_data(png_ptr, NULL, 0);
4076 png_ptr->zstream.next_out = NULL; /* safety */
4077
4078 /* Now clear everything out for safety; the following may not have been
4079 * done.
4080 */
4081 if (!(png_ptr->flags & PNG_FLAG_ZSTREAM_ENDED))
4082 {
4083 png_ptr->mode |= PNG_AFTER_IDAT;
4084 png_ptr->flags |= PNG_FLAG_ZSTREAM_ENDED;
4085 }
4086 }
4087
4088 /* If the zstream has not been released do it now *and* terminate the reading
4089 * of the final IDAT chunk.
4090 */
4091 if (png_ptr->zowner == png_IDAT)
4092 {
4093 /* Always do this; the pointers otherwise point into the read buffer. */
4094 png_ptr->zstream.next_in = NULL;
4095 png_ptr->zstream.avail_in = 0;
4096
4097 /* Now we no longer own the zstream. */
4098 png_ptr->zowner = 0;
4099
4100 /* The slightly weird semantics of the sequential IDAT reading is that we
4101 * are always in or at the end of an IDAT chunk, so we always need to do a
4102 * crc_finish here. If idat_size is non-zero we also need to read the
4103 * spurious bytes at the end of the chunk now.
4104 */
4105 (void)png_crc_finish(png_ptr, png_ptr->idat_size);
4106 }
4107 }
4108
4109 void /* PRIVATE */
4110 png_read_finish_row(png_structrp png_ptr)
4111 { 3066 {
4112 #ifdef PNG_READ_INTERLACING_SUPPORTED 3067 #ifdef PNG_READ_INTERLACING_SUPPORTED
4113 /* Arrays to facilitate easy interlacing - use pass (0 - 6) as index */ 3068 /* Arrays to facilitate easy interlacing - use pass (0 - 6) as index */
4114 3069
4115 /* Start of interlace block */ 3070 /* Start of interlace block */
4116 static PNG_CONST png_byte png_pass_start[7] = {0, 4, 0, 2, 0, 1, 0}; 3071 PNG_CONST int png_pass_start[7] = {0, 4, 0, 2, 0, 1, 0};
4117 3072
4118 /* Offset to next interlace block */ 3073 /* Offset to next interlace block */
4119 static PNG_CONST png_byte png_pass_inc[7] = {8, 8, 4, 4, 2, 2, 1}; 3074 PNG_CONST int png_pass_inc[7] = {8, 8, 4, 4, 2, 2, 1};
4120 3075
4121 /* Start of interlace block in the y direction */ 3076 /* Start of interlace block in the y direction */
4122 static PNG_CONST png_byte png_pass_ystart[7] = {0, 0, 4, 0, 2, 0, 1}; 3077 PNG_CONST int png_pass_ystart[7] = {0, 0, 4, 0, 2, 0, 1};
4123 3078
4124 /* Offset to next interlace block in the y direction */ 3079 /* Offset to next interlace block in the y direction */
4125 static PNG_CONST png_byte png_pass_yinc[7] = {8, 8, 8, 4, 4, 2, 2}; 3080 PNG_CONST int png_pass_yinc[7] = {8, 8, 8, 4, 4, 2, 2};
4126 #endif /* PNG_READ_INTERLACING_SUPPORTED */ 3081 #endif /* PNG_READ_INTERLACING_SUPPORTED */
4127 3082
4128 png_debug(1, "in png_read_finish_row"); 3083 png_debug(1, "in png_read_finish_row");
4129 png_ptr->row_number++; 3084 png_ptr->row_number++;
4130 if (png_ptr->row_number < png_ptr->num_rows) 3085 if (png_ptr->row_number < png_ptr->num_rows)
4131 return; 3086 return;
4132 3087
4133 #ifdef PNG_READ_INTERLACING_SUPPORTED 3088 #ifdef PNG_READ_INTERLACING_SUPPORTED
4134 if (png_ptr->interlaced) 3089 if (png_ptr->interlaced)
4135 { 3090 {
4136 png_ptr->row_number = 0; 3091 png_ptr->row_number = 0;
4137 3092 png_memset_check(png_ptr, png_ptr->prev_row, 0,
4138 /* TO DO: don't do this if prev_row isn't needed (requires 3093 png_ptr->rowbytes + 1);
4139 * read-ahead of the next row's filter byte.
4140 */
4141 memset(png_ptr->prev_row, 0, png_ptr->rowbytes + 1);
4142
4143 do 3094 do
4144 { 3095 {
4145 png_ptr->pass++; 3096 png_ptr->pass++;
4146
4147 if (png_ptr->pass >= 7) 3097 if (png_ptr->pass >= 7)
4148 break; 3098 break;
4149
4150 png_ptr->iwidth = (png_ptr->width + 3099 png_ptr->iwidth = (png_ptr->width +
4151 png_pass_inc[png_ptr->pass] - 1 - 3100 png_pass_inc[png_ptr->pass] - 1 -
4152 png_pass_start[png_ptr->pass]) / 3101 png_pass_start[png_ptr->pass]) /
4153 png_pass_inc[png_ptr->pass]; 3102 png_pass_inc[png_ptr->pass];
4154 3103
4155 if (!(png_ptr->transformations & PNG_INTERLACE)) 3104 if (!(png_ptr->transformations & PNG_INTERLACE))
4156 { 3105 {
4157 png_ptr->num_rows = (png_ptr->height + 3106 png_ptr->num_rows = (png_ptr->height +
4158 png_pass_yinc[png_ptr->pass] - 1 - 3107 png_pass_yinc[png_ptr->pass] - 1 -
4159 png_pass_ystart[png_ptr->pass]) / 3108 png_pass_ystart[png_ptr->pass]) /
4160 png_pass_yinc[png_ptr->pass]; 3109 png_pass_yinc[png_ptr->pass];
3110 if (!(png_ptr->num_rows))
3111 continue;
4161 } 3112 }
4162
4163 else /* if (png_ptr->transformations & PNG_INTERLACE) */ 3113 else /* if (png_ptr->transformations & PNG_INTERLACE) */
4164 break; /* libpng deinterlacing sees every row */ 3114 break;
4165 3115 } while (png_ptr->iwidth == 0);
4166 } while (png_ptr->num_rows == 0 || png_ptr->iwidth == 0);
4167 3116
4168 if (png_ptr->pass < 7) 3117 if (png_ptr->pass < 7)
4169 return; 3118 return;
4170 } 3119 }
4171 #endif /* PNG_READ_INTERLACING_SUPPORTED */ 3120 #endif /* PNG_READ_INTERLACING_SUPPORTED */
4172 3121
4173 /* Here after at the end of the last row of the last pass. */ 3122 if (!(png_ptr->flags & PNG_FLAG_ZLIB_FINISHED))
4174 png_read_finish_IDAT(png_ptr); 3123 {
3124 #ifdef PNG_USE_LOCAL_ARRAYS
3125 PNG_CONST PNG_IDAT;
3126 #endif
3127 char extra;
3128 int ret;
3129
3130 png_ptr->zstream.next_out = (Byte *)&extra;
3131 png_ptr->zstream.avail_out = (uInt)1;
3132 for (;;)
3133 {
3134 if (!(png_ptr->zstream.avail_in))
3135 {
3136 while (!png_ptr->idat_size)
3137 {
3138 png_byte chunk_length[4];
3139
3140 png_crc_finish(png_ptr, 0);
3141
3142 png_read_data(png_ptr, chunk_length, 4);
3143 png_ptr->idat_size = png_get_uint_31(png_ptr, chunk_length);
3144 png_reset_crc(png_ptr);
3145 png_crc_read(png_ptr, png_ptr->chunk_name, 4);
3146 if (png_memcmp(png_ptr->chunk_name, png_IDAT, 4))
3147 png_error(png_ptr, "Not enough image data");
3148
3149 }
3150 png_ptr->zstream.avail_in = (uInt)png_ptr->zbuf_size;
3151 png_ptr->zstream.next_in = png_ptr->zbuf;
3152 if (png_ptr->zbuf_size > png_ptr->idat_size)
3153 png_ptr->zstream.avail_in = (uInt)png_ptr->idat_size;
3154 png_crc_read(png_ptr, png_ptr->zbuf, png_ptr->zstream.avail_in);
3155 png_ptr->idat_size -= png_ptr->zstream.avail_in;
3156 }
3157 ret = inflate(&png_ptr->zstream, Z_PARTIAL_FLUSH);
3158 if (ret == Z_STREAM_END)
3159 {
3160 if (!(png_ptr->zstream.avail_out) || png_ptr->zstream.avail_in ||
3161 png_ptr->idat_size)
3162 png_warning(png_ptr, "Extra compressed data.");
3163 png_ptr->mode |= PNG_AFTER_IDAT;
3164 png_ptr->flags |= PNG_FLAG_ZLIB_FINISHED;
3165 break;
3166 }
3167 if (ret != Z_OK)
3168 png_error(png_ptr, png_ptr->zstream.msg ? png_ptr->zstream.msg :
3169 "Decompression Error");
3170
3171 if (!(png_ptr->zstream.avail_out))
3172 {
3173 png_warning(png_ptr, "Extra compressed data.");
3174 png_ptr->mode |= PNG_AFTER_IDAT;
3175 png_ptr->flags |= PNG_FLAG_ZLIB_FINISHED;
3176 break;
3177 }
3178
3179 }
3180 png_ptr->zstream.avail_out = 0;
3181 }
3182
3183 if (png_ptr->idat_size || png_ptr->zstream.avail_in)
3184 png_warning(png_ptr, "Extra compression data.");
3185
3186 inflateReset(&png_ptr->zstream);
3187
3188 png_ptr->mode |= PNG_AFTER_IDAT;
4175 } 3189 }
4176 #endif /* PNG_SEQUENTIAL_READ_SUPPORTED */ 3190 #endif /* PNG_SEQUENTIAL_READ_SUPPORTED */
4177 3191
4178 void /* PRIVATE */ 3192 void /* PRIVATE */
4179 png_read_start_row(png_structrp png_ptr) 3193 png_read_start_row(png_structp png_ptr)
4180 { 3194 {
4181 #ifdef PNG_READ_INTERLACING_SUPPORTED 3195 #ifdef PNG_READ_INTERLACING_SUPPORTED
4182 /* Arrays to facilitate easy interlacing - use pass (0 - 6) as index */ 3196 /* Arrays to facilitate easy interlacing - use pass (0 - 6) as index */
4183 3197
4184 /* Start of interlace block */ 3198 /* Start of interlace block */
4185 static PNG_CONST png_byte png_pass_start[7] = {0, 4, 0, 2, 0, 1, 0}; 3199 PNG_CONST int png_pass_start[7] = {0, 4, 0, 2, 0, 1, 0};
4186 3200
4187 /* Offset to next interlace block */ 3201 /* Offset to next interlace block */
4188 static PNG_CONST png_byte png_pass_inc[7] = {8, 8, 4, 4, 2, 2, 1}; 3202 PNG_CONST int png_pass_inc[7] = {8, 8, 4, 4, 2, 2, 1};
4189 3203
4190 /* Start of interlace block in the y direction */ 3204 /* Start of interlace block in the y direction */
4191 static PNG_CONST png_byte png_pass_ystart[7] = {0, 0, 4, 0, 2, 0, 1}; 3205 PNG_CONST int png_pass_ystart[7] = {0, 0, 4, 0, 2, 0, 1};
4192 3206
4193 /* Offset to next interlace block in the y direction */ 3207 /* Offset to next interlace block in the y direction */
4194 static PNG_CONST png_byte png_pass_yinc[7] = {8, 8, 8, 4, 4, 2, 2}; 3208 PNG_CONST int png_pass_yinc[7] = {8, 8, 8, 4, 4, 2, 2};
4195 #endif 3209 #endif
4196 3210
4197 int max_pixel_depth; 3211 int max_pixel_depth;
4198 png_size_t row_bytes; 3212 png_size_t row_bytes;
4199 3213
4200 png_debug(1, "in png_read_start_row"); 3214 png_debug(1, "in png_read_start_row");
4201 3215 png_ptr->zstream.avail_in = 0;
4202 #ifdef PNG_READ_TRANSFORMS_SUPPORTED
4203 png_init_read_transformations(png_ptr); 3216 png_init_read_transformations(png_ptr);
4204 #endif
4205 #ifdef PNG_READ_INTERLACING_SUPPORTED 3217 #ifdef PNG_READ_INTERLACING_SUPPORTED
4206 if (png_ptr->interlaced) 3218 if (png_ptr->interlaced)
4207 { 3219 {
4208 if (!(png_ptr->transformations & PNG_INTERLACE)) 3220 if (!(png_ptr->transformations & PNG_INTERLACE))
4209 png_ptr->num_rows = (png_ptr->height + png_pass_yinc[0] - 1 - 3221 png_ptr->num_rows = (png_ptr->height + png_pass_yinc[0] - 1 -
4210 png_pass_ystart[0]) / png_pass_yinc[0]; 3222 png_pass_ystart[0]) / png_pass_yinc[0];
4211
4212 else 3223 else
4213 png_ptr->num_rows = png_ptr->height; 3224 png_ptr->num_rows = png_ptr->height;
4214 3225
4215 png_ptr->iwidth = (png_ptr->width + 3226 png_ptr->iwidth = (png_ptr->width +
4216 png_pass_inc[png_ptr->pass] - 1 - 3227 png_pass_inc[png_ptr->pass] - 1 -
4217 png_pass_start[png_ptr->pass]) / 3228 png_pass_start[png_ptr->pass]) /
4218 png_pass_inc[png_ptr->pass]; 3229 png_pass_inc[png_ptr->pass];
4219 } 3230 }
4220
4221 else 3231 else
4222 #endif /* PNG_READ_INTERLACING_SUPPORTED */ 3232 #endif /* PNG_READ_INTERLACING_SUPPORTED */
4223 { 3233 {
4224 png_ptr->num_rows = png_ptr->height; 3234 png_ptr->num_rows = png_ptr->height;
4225 png_ptr->iwidth = png_ptr->width; 3235 png_ptr->iwidth = png_ptr->width;
4226 } 3236 }
4227
4228 max_pixel_depth = png_ptr->pixel_depth; 3237 max_pixel_depth = png_ptr->pixel_depth;
4229 3238
4230 /* WARNING: * png_read_transform_info (pngrtran.c) performs a simpliar set of
4231 * calculations to calculate the final pixel depth, then
4232 * png_do_read_transforms actually does the transforms. This means that the
4233 * code which effectively calculates this value is actually repeated in three
4234 * separate places. They must all match. Innocent changes to the order of
4235 * transformations can and will break libpng in a way that causes memory
4236 * overwrites.
4237 *
4238 * TODO: fix this.
4239 */
4240 #ifdef PNG_READ_PACK_SUPPORTED 3239 #ifdef PNG_READ_PACK_SUPPORTED
4241 if ((png_ptr->transformations & PNG_PACK) && png_ptr->bit_depth < 8) 3240 if ((png_ptr->transformations & PNG_PACK) && png_ptr->bit_depth < 8)
4242 max_pixel_depth = 8; 3241 max_pixel_depth = 8;
4243 #endif 3242 #endif
4244 3243
4245 #ifdef PNG_READ_EXPAND_SUPPORTED 3244 #ifdef PNG_READ_EXPAND_SUPPORTED
4246 if (png_ptr->transformations & PNG_EXPAND) 3245 if (png_ptr->transformations & PNG_EXPAND)
4247 { 3246 {
4248 if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) 3247 if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
4249 { 3248 {
4250 if (png_ptr->num_trans) 3249 if (png_ptr->num_trans)
4251 max_pixel_depth = 32; 3250 max_pixel_depth = 32;
4252
4253 else 3251 else
4254 max_pixel_depth = 24; 3252 max_pixel_depth = 24;
4255 } 3253 }
4256
4257 else if (png_ptr->color_type == PNG_COLOR_TYPE_GRAY) 3254 else if (png_ptr->color_type == PNG_COLOR_TYPE_GRAY)
4258 { 3255 {
4259 if (max_pixel_depth < 8) 3256 if (max_pixel_depth < 8)
4260 max_pixel_depth = 8; 3257 max_pixel_depth = 8;
4261
4262 if (png_ptr->num_trans) 3258 if (png_ptr->num_trans)
4263 max_pixel_depth *= 2; 3259 max_pixel_depth *= 2;
4264 } 3260 }
4265
4266 else if (png_ptr->color_type == PNG_COLOR_TYPE_RGB) 3261 else if (png_ptr->color_type == PNG_COLOR_TYPE_RGB)
4267 { 3262 {
4268 if (png_ptr->num_trans) 3263 if (png_ptr->num_trans)
4269 { 3264 {
4270 max_pixel_depth *= 4; 3265 max_pixel_depth *= 4;
4271 max_pixel_depth /= 3; 3266 max_pixel_depth /= 3;
4272 } 3267 }
4273 } 3268 }
4274 } 3269 }
4275 #endif 3270 #endif
4276 3271
4277 #ifdef PNG_READ_EXPAND_16_SUPPORTED
4278 if (png_ptr->transformations & PNG_EXPAND_16)
4279 {
4280 # ifdef PNG_READ_EXPAND_SUPPORTED
4281 /* In fact it is an error if it isn't supported, but checking is
4282 * the safe way.
4283 */
4284 if (png_ptr->transformations & PNG_EXPAND)
4285 {
4286 if (png_ptr->bit_depth < 16)
4287 max_pixel_depth *= 2;
4288 }
4289 else
4290 # endif
4291 png_ptr->transformations &= ~PNG_EXPAND_16;
4292 }
4293 #endif
4294
4295 #ifdef PNG_READ_FILLER_SUPPORTED 3272 #ifdef PNG_READ_FILLER_SUPPORTED
4296 if (png_ptr->transformations & (PNG_FILLER)) 3273 if (png_ptr->transformations & (PNG_FILLER))
4297 { 3274 {
4298 if (png_ptr->color_type == PNG_COLOR_TYPE_GRAY) 3275 if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
3276 max_pixel_depth = 32;
3277 else if (png_ptr->color_type == PNG_COLOR_TYPE_GRAY)
4299 { 3278 {
4300 if (max_pixel_depth <= 8) 3279 if (max_pixel_depth <= 8)
4301 max_pixel_depth = 16; 3280 max_pixel_depth = 16;
4302
4303 else 3281 else
4304 max_pixel_depth = 32; 3282 max_pixel_depth = 32;
4305 } 3283 }
4306 3284 else if (png_ptr->color_type == PNG_COLOR_TYPE_RGB)
4307 else if (png_ptr->color_type == PNG_COLOR_TYPE_RGB ||
4308 png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
4309 { 3285 {
4310 if (max_pixel_depth <= 32) 3286 if (max_pixel_depth <= 32)
4311 max_pixel_depth = 32; 3287 max_pixel_depth = 32;
4312
4313 else 3288 else
4314 max_pixel_depth = 64; 3289 max_pixel_depth = 64;
4315 } 3290 }
4316 } 3291 }
4317 #endif 3292 #endif
4318 3293
4319 #ifdef PNG_READ_GRAY_TO_RGB_SUPPORTED 3294 #ifdef PNG_READ_GRAY_TO_RGB_SUPPORTED
4320 if (png_ptr->transformations & PNG_GRAY_TO_RGB) 3295 if (png_ptr->transformations & PNG_GRAY_TO_RGB)
4321 { 3296 {
4322 if ( 3297 if (
4323 #ifdef PNG_READ_EXPAND_SUPPORTED 3298 #ifdef PNG_READ_EXPAND_SUPPORTED
4324 (png_ptr->num_trans && (png_ptr->transformations & PNG_EXPAND)) || 3299 (png_ptr->num_trans && (png_ptr->transformations & PNG_EXPAND)) ||
4325 #endif 3300 #endif
4326 #ifdef PNG_READ_FILLER_SUPPORTED 3301 #ifdef PNG_READ_FILLER_SUPPORTED
4327 (png_ptr->transformations & (PNG_FILLER)) || 3302 (png_ptr->transformations & (PNG_FILLER)) ||
4328 #endif 3303 #endif
4329 png_ptr->color_type == PNG_COLOR_TYPE_GRAY_ALPHA) 3304 png_ptr->color_type == PNG_COLOR_TYPE_GRAY_ALPHA)
4330 { 3305 {
4331 if (max_pixel_depth <= 16) 3306 if (max_pixel_depth <= 16)
4332 max_pixel_depth = 32; 3307 max_pixel_depth = 32;
4333
4334 else 3308 else
4335 max_pixel_depth = 64; 3309 max_pixel_depth = 64;
4336 } 3310 }
4337
4338 else 3311 else
4339 { 3312 {
4340 if (max_pixel_depth <= 8) 3313 if (max_pixel_depth <= 8)
4341 { 3314 {
4342 if (png_ptr->color_type == PNG_COLOR_TYPE_RGB_ALPHA) 3315 if (png_ptr->color_type == PNG_COLOR_TYPE_RGB_ALPHA)
4343 max_pixel_depth = 32; 3316 max_pixel_depth = 32;
4344 3317 else
4345 else
4346 max_pixel_depth = 24; 3318 max_pixel_depth = 24;
4347 } 3319 }
4348
4349 else if (png_ptr->color_type == PNG_COLOR_TYPE_RGB_ALPHA) 3320 else if (png_ptr->color_type == PNG_COLOR_TYPE_RGB_ALPHA)
4350 max_pixel_depth = 64; 3321 max_pixel_depth = 64;
4351
4352 else 3322 else
4353 max_pixel_depth = 48; 3323 max_pixel_depth = 48;
4354 } 3324 }
4355 } 3325 }
4356 #endif 3326 #endif
4357 3327
4358 #if defined(PNG_READ_USER_TRANSFORM_SUPPORTED) && \ 3328 #if defined(PNG_READ_USER_TRANSFORM_SUPPORTED) && \
4359 defined(PNG_USER_TRANSFORM_PTR_SUPPORTED) 3329 defined(PNG_USER_TRANSFORM_PTR_SUPPORTED)
4360 if (png_ptr->transformations & PNG_USER_TRANSFORM) 3330 if (png_ptr->transformations & PNG_USER_TRANSFORM)
4361 { 3331 {
4362 int user_pixel_depth = png_ptr->user_transform_depth * 3332 int user_pixel_depth = png_ptr->user_transform_depth*
4363 png_ptr->user_transform_channels; 3333 png_ptr->user_transform_channels;
4364 3334 if (user_pixel_depth > max_pixel_depth)
4365 if (user_pixel_depth > max_pixel_depth) 3335 max_pixel_depth=user_pixel_depth;
4366 max_pixel_depth = user_pixel_depth; 3336 }
4367 }
4368 #endif 3337 #endif
4369 3338
4370 /* This value is stored in png_struct and double checked in the row read
4371 * code.
4372 */
4373 png_ptr->maximum_pixel_depth = (png_byte)max_pixel_depth;
4374 png_ptr->transformed_pixel_depth = 0; /* calculated on demand */
4375
4376 /* Align the width on the next larger 8 pixels. Mainly used 3339 /* Align the width on the next larger 8 pixels. Mainly used
4377 * for interlacing 3340 * for interlacing
4378 */ 3341 */
4379 row_bytes = ((png_ptr->width + 7) & ~((png_uint_32)7)); 3342 row_bytes = ((png_ptr->width + 7) & ~((png_uint_32)7));
4380 /* Calculate the maximum bytes needed, adding a byte and a pixel 3343 /* Calculate the maximum bytes needed, adding a byte and a pixel
4381 * for safety's sake 3344 * for safety's sake
4382 */ 3345 */
4383 row_bytes = PNG_ROWBYTES(max_pixel_depth, row_bytes) + 3346 row_bytes = PNG_ROWBYTES(max_pixel_depth, row_bytes) +
4384 1 + ((max_pixel_depth + 7) >> 3); 3347 1 + ((max_pixel_depth + 7) >> 3);
4385
4386 #ifdef PNG_MAX_MALLOC_64K 3348 #ifdef PNG_MAX_MALLOC_64K
4387 if (row_bytes > (png_uint_32)65536L) 3349 if (row_bytes > (png_uint_32)65536L)
4388 png_error(png_ptr, "This image requires a row greater than 64KB"); 3350 png_error(png_ptr, "This image requires a row greater than 64KB");
4389 #endif 3351 #endif
4390 3352
4391 if (row_bytes + 48 > png_ptr->old_big_row_buf_size) 3353 if (row_bytes + 64 > png_ptr->old_big_row_buf_size)
4392 { 3354 {
4393 png_free(png_ptr, png_ptr->big_row_buf); 3355 png_free(png_ptr, png_ptr->big_row_buf);
4394 png_free(png_ptr, png_ptr->big_prev_row);
4395
4396 if (png_ptr->interlaced) 3356 if (png_ptr->interlaced)
4397 png_ptr->big_row_buf = (png_bytep)png_calloc(png_ptr, 3357 png_ptr->big_row_buf = (png_bytep)png_calloc(png_ptr,
4398 row_bytes + 48); 3358 row_bytes + 64);
3359 else
3360 png_ptr->big_row_buf = (png_bytep)png_malloc(png_ptr,
3361 row_bytes + 64);
3362 png_ptr->old_big_row_buf_size = row_bytes + 64;
4399 3363
4400 else 3364 /* Use 32 bytes of padding before and after row_buf. */
4401 png_ptr->big_row_buf = (png_bytep)png_malloc(png_ptr, row_bytes + 48); 3365 png_ptr->row_buf = png_ptr->big_row_buf + 32;
4402 3366 png_ptr->old_big_row_buf_size = row_bytes + 64;
4403 png_ptr->big_prev_row = (png_bytep)png_malloc(png_ptr, row_bytes + 48);
4404
4405 #ifdef PNG_ALIGNED_MEMORY_SUPPORTED
4406 /* Use 16-byte aligned memory for row_buf with at least 16 bytes
4407 * of padding before and after row_buf; treat prev_row similarly.
4408 * NOTE: the alignment is to the start of the pixels, one beyond the start
4409 * of the buffer, because of the filter byte. Prior to libpng 1.5.6 this
4410 * was incorrect; the filter byte was aligned, which had the exact
4411 * opposite effect of that intended.
4412 */
4413 {
4414 png_bytep temp = png_ptr->big_row_buf + 32;
4415 int extra = (int)((temp - (png_bytep)0) & 0x0f);
4416 png_ptr->row_buf = temp - extra - 1/*filter byte*/;
4417
4418 temp = png_ptr->big_prev_row + 32;
4419 extra = (int)((temp - (png_bytep)0) & 0x0f);
4420 png_ptr->prev_row = temp - extra - 1/*filter byte*/;
4421 }
4422
4423 #else
4424 /* Use 31 bytes of padding before and 17 bytes after row_buf. */
4425 png_ptr->row_buf = png_ptr->big_row_buf + 31;
4426 png_ptr->prev_row = png_ptr->big_prev_row + 31;
4427 #endif
4428 png_ptr->old_big_row_buf_size = row_bytes + 48;
4429 } 3367 }
4430 3368
4431 #ifdef PNG_MAX_MALLOC_64K 3369 #ifdef PNG_MAX_MALLOC_64K
4432 if (png_ptr->rowbytes > 65535) 3370 if ((png_uint_32)row_bytes + 1 > (png_uint_32)65536L)
4433 png_error(png_ptr, "This image requires a row greater than 64KB"); 3371 png_error(png_ptr, "This image requires a row greater than 64KB");
3372 #endif
3373 if ((png_uint_32)row_bytes > (png_uint_32)(PNG_SIZE_MAX - 1))
3374 png_error(png_ptr, "Row has too many bytes to allocate in memory.");
4434 3375
4435 #endif 3376 if (row_bytes + 1 > png_ptr->old_prev_row_size)
4436 if (png_ptr->rowbytes > (PNG_SIZE_MAX - 1))
4437 png_error(png_ptr, "Row has too many bytes to allocate in memory");
4438
4439 memset(png_ptr->prev_row, 0, png_ptr->rowbytes + 1);
4440
4441 png_debug1(3, "width = %u,", png_ptr->width);
4442 png_debug1(3, "height = %u,", png_ptr->height);
4443 png_debug1(3, "iwidth = %u,", png_ptr->iwidth);
4444 png_debug1(3, "num_rows = %u,", png_ptr->num_rows);
4445 png_debug1(3, "rowbytes = %lu,", (unsigned long)png_ptr->rowbytes);
4446 png_debug1(3, "irowbytes = %lu",
4447 (unsigned long)PNG_ROWBYTES(png_ptr->pixel_depth, png_ptr->iwidth) + 1);
4448
4449 /* The sequential reader needs a buffer for IDAT, but the progressive reader
4450 * does not, so free the read buffer now regardless; the sequential reader
4451 * reallocates it on demand.
4452 */
4453 if (png_ptr->read_buffer)
4454 { 3377 {
4455 png_bytep buffer = png_ptr->read_buffer; 3378 png_free(png_ptr, png_ptr->prev_row);
4456 3379 png_ptr->prev_row = (png_bytep)png_malloc(png_ptr, (png_uint_32)(
4457 png_ptr->read_buffer_size = 0; 3380 row_bytes + 1));
4458 png_ptr->read_buffer = NULL; 3381 png_memset_check(png_ptr, png_ptr->prev_row, 0, row_bytes + 1);
4459 png_free(png_ptr, buffer); 3382 png_ptr->old_prev_row_size = row_bytes + 1;
4460 } 3383 }
4461 3384
4462 /* Finally claim the zstream for the inflate of the IDAT data, use the bits 3385 png_ptr->rowbytes = row_bytes;
4463 * value from the stream (note that this will result in a fatal error if the 3386
4464 * IDAT stream has a bogus deflate header window_bits value, but this should 3387 png_debug1(3, "width = %lu,", png_ptr->width);
4465 * not be happening any longer!) 3388 png_debug1(3, "height = %lu,", png_ptr->height);
4466 */ 3389 png_debug1(3, "iwidth = %lu,", png_ptr->iwidth);
4467 if (png_inflate_claim(png_ptr, png_IDAT) != Z_OK) 3390 png_debug1(3, "num_rows = %lu,", png_ptr->num_rows);
4468 png_error(png_ptr, png_ptr->zstream.msg); 3391 png_debug1(3, "rowbytes = %lu,", png_ptr->rowbytes);
3392 png_debug1(3, "irowbytes = %lu",
3393 PNG_ROWBYTES(png_ptr->pixel_depth, png_ptr->iwidth) + 1);
4469 3394
4470 png_ptr->flags |= PNG_FLAG_ROW_INIT; 3395 png_ptr->flags |= PNG_FLAG_ROW_INIT;
4471 } 3396 }
4472 #endif /* PNG_READ_SUPPORTED */ 3397 #endif /* PNG_READ_SUPPORTED */
OLDNEW
« no previous file with comments | « third_party/libpng/pngrtran.c ('k') | third_party/libpng/pngset.c » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698