Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(25)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: third_party/libpng/pngrutil.c

Issue 23271006: libpng 1.6.3 (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Remove trailing whitespaces. Created 7 years, 3 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« no previous file with comments | « third_party/libpng/pngrtran.c ('k') | third_party/libpng/pngset.c » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 1
2 /* pngrutil.c - utilities to read a PNG file 2 /* pngrutil.c - utilities to read a PNG file
3 * 3 *
4 * Last changed in libpng 1.2.45 [July 7, 2011] 4 * Last changed in libpng 1.6.3 [July 18, 2013]
5 * Copyright (c) 1998-2011 Glenn Randers-Pehrson 5 * Copyright (c) 1998-2013 Glenn Randers-Pehrson
6 * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger) 6 * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
7 * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.) 7 * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
8 * 8 *
9 * This code is released under the libpng license. 9 * This code is released under the libpng license.
10 * For conditions of distribution and use, see the disclaimer 10 * For conditions of distribution and use, see the disclaimer
11 * and license in png.h 11 * and license in png.h
12 * 12 *
13 * This file contains routines that are only called from within 13 * This file contains routines that are only called from within
14 * libpng itself during the course of reading an image. 14 * libpng itself during the course of reading an image.
15 */ 15 */
16 16
17 #define PNG_INTERNAL 17 #include "pngpriv.h"
18 #define PNG_NO_PEDANTIC_WARNINGS 18
19 #include "png.h"
20 #ifdef PNG_READ_SUPPORTED 19 #ifdef PNG_READ_SUPPORTED
21 20
22 #if defined(_WIN32_WCE) && (_WIN32_WCE<0x500) 21 png_uint_32 PNGAPI
23 # define WIN32_WCE_OLD 22 png_get_uint_31(png_const_structrp png_ptr, png_const_bytep buf)
24 #endif 23 {
25 24 png_uint_32 uval = png_get_uint_32(buf);
26 #ifdef PNG_FLOATING_POINT_SUPPORTED 25
27 # ifdef WIN32_WCE_OLD 26 if (uval > PNG_UINT_31_MAX)
28 /* The strtod() function is not supported on WindowsCE */ 27 png_error(png_ptr, "PNG unsigned integer out of range");
29 __inline double png_strtod(png_structp png_ptr, PNG_CONST char *nptr, 28
30 char **endptr) 29 return (uval);
31 { 30 }
32 double result = 0; 31
33 int len; 32 #if defined(PNG_READ_gAMA_SUPPORTED) || defined(PNG_READ_cHRM_SUPPORTED)
34 wchar_t *str, *end; 33 /* The following is a variation on the above for use with the fixed
35 34 * point values used for gAMA and cHRM. Instead of png_error it
36 len = MultiByteToWideChar(CP_ACP, 0, nptr, -1, NULL, 0); 35 * issues a warning and returns (-1) - an invalid value because both
37 str = (wchar_t *)png_malloc(png_ptr, len * png_sizeof(wchar_t)); 36 * gAMA and cHRM use *unsigned* integers for fixed point values.
38 if ( NULL != str ) 37 */
38 #define PNG_FIXED_ERROR (-1)
39
40 static png_fixed_point /* PRIVATE */
41 png_get_fixed_point(png_structrp png_ptr, png_const_bytep buf)
42 {
43 png_uint_32 uval = png_get_uint_32(buf);
44
45 if (uval <= PNG_UINT_31_MAX)
46 return (png_fixed_point)uval; /* known to be in range */
47
48 /* The caller can turn off the warning by passing NULL. */
49 if (png_ptr != NULL)
50 png_warning(png_ptr, "PNG fixed point integer out of range");
51
52 return PNG_FIXED_ERROR;
53 }
54 #endif
55
56 #ifdef PNG_READ_INT_FUNCTIONS_SUPPORTED
57 /* NOTE: the read macros will obscure these definitions, so that if
58 * PNG_USE_READ_MACROS is set the library will not use them internally,
59 * but the APIs will still be available externally.
60 *
61 * The parentheses around "PNGAPI function_name" in the following three
62 * functions are necessary because they allow the macros to co-exist with
63 * these (unused but exported) functions.
64 */
65
66 /* Grab an unsigned 32-bit integer from a buffer in big-endian format. */
67 png_uint_32 (PNGAPI
68 png_get_uint_32)(png_const_bytep buf)
69 {
70 png_uint_32 uval =
71 ((png_uint_32)(*(buf )) << 24) +
72 ((png_uint_32)(*(buf + 1)) << 16) +
73 ((png_uint_32)(*(buf + 2)) << 8) +
74 ((png_uint_32)(*(buf + 3)) ) ;
75
76 return uval;
77 }
78
79 /* Grab a signed 32-bit integer from a buffer in big-endian format. The
80 * data is stored in the PNG file in two's complement format and there
81 * is no guarantee that a 'png_int_32' is exactly 32 bits, therefore
82 * the following code does a two's complement to native conversion.
83 */
84 png_int_32 (PNGAPI
85 png_get_int_32)(png_const_bytep buf)
86 {
87 png_uint_32 uval = png_get_uint_32(buf);
88 if ((uval & 0x80000000) == 0) /* non-negative */
89 return uval;
90
91 uval = (uval ^ 0xffffffff) + 1; /* 2's complement: -x = ~x+1 */
92 return -(png_int_32)uval;
93 }
94
95 /* Grab an unsigned 16-bit integer from a buffer in big-endian format. */
96 png_uint_16 (PNGAPI
97 png_get_uint_16)(png_const_bytep buf)
98 {
99 /* ANSI-C requires an int value to accomodate at least 16 bits so this
100 * works and allows the compiler not to worry about possible narrowing
101 * on 32 bit systems. (Pre-ANSI systems did not make integers smaller
102 * than 16 bits either.)
103 */
104 unsigned int val =
105 ((unsigned int)(*buf) << 8) +
106 ((unsigned int)(*(buf + 1)));
107
108 return (png_uint_16)val;
109 }
110
111 #endif /* PNG_READ_INT_FUNCTIONS_SUPPORTED */
112
113 /* Read and check the PNG file signature */
114 void /* PRIVATE */
115 png_read_sig(png_structrp png_ptr, png_inforp info_ptr)
116 {
117 png_size_t num_checked, num_to_check;
118
119 /* Exit if the user application does not expect a signature. */
120 if (png_ptr->sig_bytes >= 8)
121 return;
122
123 num_checked = png_ptr->sig_bytes;
124 num_to_check = 8 - num_checked;
125
126 #ifdef PNG_IO_STATE_SUPPORTED
127 png_ptr->io_state = PNG_IO_READING | PNG_IO_SIGNATURE;
128 #endif
129
130 /* The signature must be serialized in a single I/O call. */
131 png_read_data(png_ptr, &(info_ptr->signature[num_checked]), num_to_check);
132 png_ptr->sig_bytes = 8;
133
134 if (png_sig_cmp(info_ptr->signature, num_checked, num_to_check))
39 { 135 {
40 MultiByteToWideChar(CP_ACP, 0, nptr, -1, str, len); 136 if (num_checked < 4 &&
41 result = wcstod(str, &end); 137 png_sig_cmp(info_ptr->signature, num_checked, num_to_check - 4))
42 len = WideCharToMultiByte(CP_ACP, 0, end, -1, NULL, 0, NULL, NULL); 138 png_error(png_ptr, "Not a PNG file");
43 *endptr = (char *)nptr + (png_strlen(nptr) - len + 1); 139 else
44 png_free(png_ptr, str); 140 png_error(png_ptr, "PNG file corrupted by ASCII conversion");
45 } 141 }
46 return result; 142 if (num_checked < 3)
47 } 143 png_ptr->mode |= PNG_HAVE_PNG_SIGNATURE;
48 # else 144 }
49 # define png_strtod(p,a,b) strtod(a,b)
50 # endif
51 #endif
52
53 png_uint_32 PNGAPI
54 png_get_uint_31(png_structp png_ptr, png_bytep buf)
55 {
56 #ifdef PNG_READ_BIG_ENDIAN_SUPPORTED
57 png_uint_32 i = png_get_uint_32(buf);
58 #else
59 /* Avoid an extra function call by inlining the result. */
60 png_uint_32 i = ((png_uint_32)(*buf) << 24) +
61 ((png_uint_32)(*(buf + 1)) << 16) +
62 ((png_uint_32)(*(buf + 2)) << 8) +
63 (png_uint_32)(*(buf + 3));
64 #endif
65 if (i > PNG_UINT_31_MAX)
66 png_error(png_ptr, "PNG unsigned integer out of range.");
67 return (i);
68 }
69 #ifndef PNG_READ_BIG_ENDIAN_SUPPORTED
70 /* Grab an unsigned 32-bit integer from a buffer in big-endian format. */
71 png_uint_32 PNGAPI
72 png_get_uint_32(png_bytep buf)
73 {
74 png_uint_32 i = ((png_uint_32)(*buf) << 24) +
75 ((png_uint_32)(*(buf + 1)) << 16) +
76 ((png_uint_32)(*(buf + 2)) << 8) +
77 (png_uint_32)(*(buf + 3));
78
79 return (i);
80 }
81
82 /* Grab a signed 32-bit integer from a buffer in big-endian format. The
83 * data is stored in the PNG file in two's complement format, and it is
84 * assumed that the machine format for signed integers is the same.
85 */
86 png_int_32 PNGAPI
87 png_get_int_32(png_bytep buf)
88 {
89 png_int_32 i = ((png_int_32)(*buf) << 24) +
90 ((png_int_32)(*(buf + 1)) << 16) +
91 ((png_int_32)(*(buf + 2)) << 8) +
92 (png_int_32)(*(buf + 3));
93
94 return (i);
95 }
96
97 /* Grab an unsigned 16-bit integer from a buffer in big-endian format. */
98 png_uint_16 PNGAPI
99 png_get_uint_16(png_bytep buf)
100 {
101 png_uint_16 i = (png_uint_16)(((png_uint_16)(*buf) << 8) +
102 (png_uint_16)(*(buf + 1)));
103
104 return (i);
105 }
106 #endif /* PNG_READ_BIG_ENDIAN_SUPPORTED */
107 145
108 /* Read the chunk header (length + type name). 146 /* Read the chunk header (length + type name).
109 * Put the type name into png_ptr->chunk_name, and return the length. 147 * Put the type name into png_ptr->chunk_name, and return the length.
110 */ 148 */
111 png_uint_32 /* PRIVATE */ 149 png_uint_32 /* PRIVATE */
112 png_read_chunk_header(png_structp png_ptr) 150 png_read_chunk_header(png_structrp png_ptr)
113 { 151 {
114 png_byte buf[8]; 152 png_byte buf[8];
115 png_uint_32 length; 153 png_uint_32 length;
116 154
117 /* Read the length and the chunk name */ 155 #ifdef PNG_IO_STATE_SUPPORTED
156 png_ptr->io_state = PNG_IO_READING | PNG_IO_CHUNK_HDR;
157 #endif
158
159 /* Read the length and the chunk name.
160 * This must be performed in a single I/O call.
161 */
118 png_read_data(png_ptr, buf, 8); 162 png_read_data(png_ptr, buf, 8);
119 length = png_get_uint_31(png_ptr, buf); 163 length = png_get_uint_31(png_ptr, buf);
120 164
121 /* Put the chunk name into png_ptr->chunk_name */ 165 /* Put the chunk name into png_ptr->chunk_name. */
122 png_memcpy(png_ptr->chunk_name, buf + 4, 4); 166 png_ptr->chunk_name = PNG_CHUNK_FROM_STRING(buf+4);
123 167
124 png_debug2(0, "Reading %s chunk, length = %lu", 168 png_debug2(0, "Reading %lx chunk, length = %lu",
125 png_ptr->chunk_name, length); 169 (unsigned long)png_ptr->chunk_name, (unsigned long)length);
126 170
127 /* Reset the crc and run it over the chunk name */ 171 /* Reset the crc and run it over the chunk name. */
128 png_reset_crc(png_ptr); 172 png_reset_crc(png_ptr);
129 png_calculate_crc(png_ptr, png_ptr->chunk_name, 4); 173 png_calculate_crc(png_ptr, buf + 4, 4);
130 174
131 /* Check to see if chunk name is valid */ 175 /* Check to see if chunk name is valid. */
132 png_check_chunk_name(png_ptr, png_ptr->chunk_name); 176 png_check_chunk_name(png_ptr, png_ptr->chunk_name);
133 177
178 #ifdef PNG_IO_STATE_SUPPORTED
179 png_ptr->io_state = PNG_IO_READING | PNG_IO_CHUNK_DATA;
180 #endif
181
134 return length; 182 return length;
135 } 183 }
136 184
137 /* Read data, and (optionally) run it through the CRC. */ 185 /* Read data, and (optionally) run it through the CRC. */
138 void /* PRIVATE */ 186 void /* PRIVATE */
139 png_crc_read(png_structp png_ptr, png_bytep buf, png_size_t length) 187 png_crc_read(png_structrp png_ptr, png_bytep buf, png_uint_32 length)
140 { 188 {
141 if (png_ptr == NULL) 189 if (png_ptr == NULL)
142 return; 190 return;
191
143 png_read_data(png_ptr, buf, length); 192 png_read_data(png_ptr, buf, length);
144 png_calculate_crc(png_ptr, buf, length); 193 png_calculate_crc(png_ptr, buf, length);
145 } 194 }
146 195
147 /* Optionally skip data and then check the CRC. Depending on whether we 196 /* Optionally skip data and then check the CRC. Depending on whether we
148 * are reading a ancillary or critical chunk, and how the program has set 197 * are reading an ancillary or critical chunk, and how the program has set
149 * things up, we may calculate the CRC on the data and print a message. 198 * things up, we may calculate the CRC on the data and print a message.
150 * Returns '1' if there was a CRC error, '0' otherwise. 199 * Returns '1' if there was a CRC error, '0' otherwise.
151 */ 200 */
152 int /* PRIVATE */ 201 int /* PRIVATE */
153 png_crc_finish(png_structp png_ptr, png_uint_32 skip) 202 png_crc_finish(png_structrp png_ptr, png_uint_32 skip)
154 { 203 {
155 png_size_t i; 204 /* The size of the local buffer for inflate is a good guess as to a
156 png_size_t istop = png_ptr->zbuf_size; 205 * reasonable size to use for buffering reads from the application.
157 206 */
158 for (i = (png_size_t)skip; i > istop; i -= istop) 207 while (skip > 0)
159 { 208 {
160 png_crc_read(png_ptr, png_ptr->zbuf, png_ptr->zbuf_size); 209 png_uint_32 len;
161 } 210 png_byte tmpbuf[PNG_INFLATE_BUF_SIZE];
162 if (i) 211
163 { 212 len = (sizeof tmpbuf);
164 png_crc_read(png_ptr, png_ptr->zbuf, i); 213 if (len > skip)
214 len = skip;
215 skip -= len;
216
217 png_crc_read(png_ptr, tmpbuf, len);
165 } 218 }
166 219
167 if (png_crc_error(png_ptr)) 220 if (png_crc_error(png_ptr))
168 { 221 {
169 if (((png_ptr->chunk_name[0] & 0x20) && /* Ancillary */ 222 if (PNG_CHUNK_ANCILLARY(png_ptr->chunk_name) ?
170 !(png_ptr->flags & PNG_FLAG_CRC_ANCILLARY_NOWARN)) || 223 !(png_ptr->flags & PNG_FLAG_CRC_ANCILLARY_NOWARN) :
171 (!(png_ptr->chunk_name[0] & 0x20) && /* Critical */ 224 (png_ptr->flags & PNG_FLAG_CRC_CRITICAL_USE))
172 (png_ptr->flags & PNG_FLAG_CRC_CRITICAL_USE)))
173 { 225 {
174 png_chunk_warning(png_ptr, "CRC error"); 226 png_chunk_warning(png_ptr, "CRC error");
175 } 227 }
228
176 else 229 else
177 { 230 {
178 png_chunk_error(png_ptr, "CRC error"); 231 png_chunk_benign_error(png_ptr, "CRC error");
232 return (0);
179 } 233 }
234
180 return (1); 235 return (1);
181 } 236 }
182 237
183 return (0); 238 return (0);
184 } 239 }
185 240
186 /* Compare the CRC stored in the PNG file with that calculated by libpng from 241 /* Compare the CRC stored in the PNG file with that calculated by libpng from
187 * the data it has read thus far. 242 * the data it has read thus far.
188 */ 243 */
189 int /* PRIVATE */ 244 int /* PRIVATE */
190 png_crc_error(png_structp png_ptr) 245 png_crc_error(png_structrp png_ptr)
191 { 246 {
192 png_byte crc_bytes[4]; 247 png_byte crc_bytes[4];
193 png_uint_32 crc; 248 png_uint_32 crc;
194 int need_crc = 1; 249 int need_crc = 1;
195 250
196 if (png_ptr->chunk_name[0] & 0x20) /* ancillary */ 251 if (PNG_CHUNK_ANCILLARY(png_ptr->chunk_name))
197 { 252 {
198 if ((png_ptr->flags & PNG_FLAG_CRC_ANCILLARY_MASK) == 253 if ((png_ptr->flags & PNG_FLAG_CRC_ANCILLARY_MASK) ==
199 (PNG_FLAG_CRC_ANCILLARY_USE | PNG_FLAG_CRC_ANCILLARY_NOWARN)) 254 (PNG_FLAG_CRC_ANCILLARY_USE | PNG_FLAG_CRC_ANCILLARY_NOWARN))
200 need_crc = 0; 255 need_crc = 0;
201 } 256 }
202 else /* critical */ 257
258 else /* critical */
203 { 259 {
204 if (png_ptr->flags & PNG_FLAG_CRC_CRITICAL_IGNORE) 260 if (png_ptr->flags & PNG_FLAG_CRC_CRITICAL_IGNORE)
205 need_crc = 0; 261 need_crc = 0;
206 } 262 }
207 263
264 #ifdef PNG_IO_STATE_SUPPORTED
265 png_ptr->io_state = PNG_IO_READING | PNG_IO_CHUNK_CRC;
266 #endif
267
268 /* The chunk CRC must be serialized in a single I/O call. */
208 png_read_data(png_ptr, crc_bytes, 4); 269 png_read_data(png_ptr, crc_bytes, 4);
209 270
210 if (need_crc) 271 if (need_crc)
211 { 272 {
212 crc = png_get_uint_32(crc_bytes); 273 crc = png_get_uint_32(crc_bytes);
213 return ((int)(crc != png_ptr->crc)); 274 return ((int)(crc != png_ptr->crc));
214 } 275 }
276
215 else 277 else
216 return (0); 278 return (0);
217 } 279 }
218 280
219 #if defined(PNG_READ_zTXt_SUPPORTED) || defined(PNG_READ_iTXt_SUPPORTED) || \ 281 /* Manage the read buffer; this simply reallocates the buffer if it is not small
220 defined(PNG_READ_iCCP_SUPPORTED) 282 * enough (or if it is not allocated). The routine returns a pointer to the
221 static png_size_t 283 * buffer; if an error occurs and 'warn' is set the routine returns NULL, else
222 png_inflate(png_structp png_ptr, const png_byte *data, png_size_t size, 284 * it will call png_error (via png_malloc) on failure. (warn == 2 means
223 png_bytep output, png_size_t output_size) 285 * 'silent').
286 */
287 static png_bytep
288 png_read_buffer(png_structrp png_ptr, png_alloc_size_t new_size, int warn)
224 { 289 {
225 png_size_t count = 0; 290 png_bytep buffer = png_ptr->read_buffer;
226 291
227 png_ptr->zstream.next_in = (png_bytep)data; /* const_cast: VALID */ 292 if (buffer != NULL && new_size > png_ptr->read_buffer_size)
228 png_ptr->zstream.avail_in = size; 293 {
229 294 png_ptr->read_buffer = NULL;
230 while (1) 295 png_ptr->read_buffer = NULL;
231 { 296 png_ptr->read_buffer_size = 0;
232 int ret, avail; 297 png_free(png_ptr, buffer);
233 298 buffer = NULL;
234 /* Reset the output buffer each time round - we empty it 299 }
235 * after every inflate call. 300
236 */ 301 if (buffer == NULL)
237 png_ptr->zstream.next_out = png_ptr->zbuf; 302 {
238 png_ptr->zstream.avail_out = png_ptr->zbuf_size; 303 buffer = png_voidcast(png_bytep, png_malloc_base(png_ptr, new_size));
239 304
240 ret = inflate(&png_ptr->zstream, Z_NO_FLUSH); 305 if (buffer != NULL)
241 avail = png_ptr->zbuf_size - png_ptr->zstream.avail_out; 306 {
242 307 png_ptr->read_buffer = buffer;
243 /* First copy/count any new output - but only if we didn't 308 png_ptr->read_buffer_size = new_size;
244 * get an error code. 309 }
245 */ 310
246 if ((ret == Z_OK || ret == Z_STREAM_END) && avail > 0) 311 else if (warn < 2) /* else silent */
247 { 312 {
248 if (output != 0 && output_size > count) 313 #ifdef PNG_WARNINGS_SUPPORTED
314 if (warn)
315 png_chunk_warning(png_ptr, "insufficient memory to read chunk");
316 else
317 #endif
249 { 318 {
250 png_size_t copy = output_size - count; 319 #ifdef PNG_ERROR_TEXT_SUPPORTED
251 if ((png_size_t) avail < copy) copy = (png_size_t) avail; 320 png_chunk_error(png_ptr, "insufficient memory to read chunk");
252 png_memcpy(output + count, png_ptr->zbuf, copy);
253 }
254 count += avail;
255 }
256
257 if (ret == Z_OK)
258 continue;
259
260 /* Termination conditions - always reset the zstream, it
261 * must be left in inflateInit state.
262 */
263 png_ptr->zstream.avail_in = 0;
264 inflateReset(&png_ptr->zstream);
265
266 if (ret == Z_STREAM_END)
267 return count; /* NOTE: may be zero. */
268
269 /* Now handle the error codes - the API always returns 0
270 * and the error message is dumped into the uncompressed
271 * buffer if available.
272 */
273 {
274 PNG_CONST char *msg;
275 if (png_ptr->zstream.msg != 0)
276 msg = png_ptr->zstream.msg;
277 else
278 {
279 #if defined(PNG_STDIO_SUPPORTED) && !defined(_WIN32_WCE)
280 char umsg[52];
281
282 switch (ret)
283 {
284 case Z_BUF_ERROR:
285 msg = "Buffer error in compressed datastream in %s chunk";
286 break;
287 case Z_DATA_ERROR:
288 msg = "Data error in compressed datastream in %s chunk";
289 break;
290 default:
291 msg = "Incomplete compressed datastream in %s chunk";
292 break;
293 }
294
295 png_snprintf(umsg, sizeof umsg, msg, png_ptr->chunk_name);
296 msg = umsg;
297 #else
298 msg = "Damaged compressed datastream in chunk other than IDAT";
299 #endif 321 #endif
300 } 322 }
301
302 png_warning(png_ptr, msg);
303 } 323 }
304 324 }
305 /* 0 means an error - notice that this code simple ignores 325
306 * zero length compressed chunks as a result. 326 return buffer;
327 }
328
329 /* png_inflate_claim: claim the zstream for some nefarious purpose that involves
330 * decompression. Returns Z_OK on success, else a zlib error code. It checks
331 * the owner but, in final release builds, just issues a warning if some other
332 * chunk apparently owns the stream. Prior to release it does a png_error.
333 */
334 static int
335 png_inflate_claim(png_structrp png_ptr, png_uint_32 owner)
336 {
337 if (png_ptr->zowner != 0)
338 {
339 char msg[64];
340
341 PNG_STRING_FROM_CHUNK(msg, png_ptr->zowner);
342 /* So the message that results is "<chunk> using zstream"; this is an
343 * internal error, but is very useful for debugging. i18n requirements
344 * are minimal.
307 */ 345 */
308 return 0; 346 (void)png_safecat(msg, (sizeof msg), 4, " using zstream");
309 } 347 # if PNG_LIBPNG_BUILD_BASE_TYPE >= PNG_LIBPNG_BUILD_RC
348 png_chunk_warning(png_ptr, msg);
349 png_ptr->zowner = 0;
350 # else
351 png_chunk_error(png_ptr, msg);
352 # endif
353 }
354
355 /* Implementation note: unlike 'png_deflate_claim' this internal function
356 * does not take the size of the data as an argument. Some efficiency could
357 * be gained by using this when it is known *if* the zlib stream itself does
358 * not record the number; however, this is an illusion: the original writer
359 * of the PNG may have selected a lower window size, and we really must
360 * follow that because, for systems with with limited capabilities, we
361 * would otherwise reject the application's attempts to use a smaller window
362 * size (zlib doesn't have an interface to say "this or lower"!).
363 *
364 * inflateReset2 was added to zlib 1.2.4; before this the window could not be
365 * reset, therefore it is necessary to always allocate the maximum window
366 * size with earlier zlibs just in case later compressed chunks need it.
367 */
368 {
369 int ret; /* zlib return code */
370 # if PNG_ZLIB_VERNUM >= 0x1240
371
372 # if defined(PNG_SET_OPTION_SUPPORTED) && \
373 defined(PNG_MAXIMUM_INFLATE_WINDOW)
374 int window_bits;
375
376 if (((png_ptr->options >> PNG_MAXIMUM_INFLATE_WINDOW) & 3) ==
377 PNG_OPTION_ON)
378 window_bits = 15;
379
380 else
381 window_bits = 0;
382 # else
383 # define window_bits 0
384 # endif
385 # endif
386
387 /* Set this for safety, just in case the previous owner left pointers to
388 * memory allocations.
389 */
390 png_ptr->zstream.next_in = NULL;
391 png_ptr->zstream.avail_in = 0;
392 png_ptr->zstream.next_out = NULL;
393 png_ptr->zstream.avail_out = 0;
394
395 if (png_ptr->flags & PNG_FLAG_ZSTREAM_INITIALIZED)
396 {
397 # if PNG_ZLIB_VERNUM < 0x1240
398 ret = inflateReset(&png_ptr->zstream);
399 # else
400 ret = inflateReset2(&png_ptr->zstream, window_bits);
401 # endif
402 }
403
404 else
405 {
406 # if PNG_ZLIB_VERNUM < 0x1240
407 ret = inflateInit(&png_ptr->zstream);
408 # else
409 ret = inflateInit2(&png_ptr->zstream, window_bits);
410 # endif
411
412 if (ret == Z_OK)
413 png_ptr->flags |= PNG_FLAG_ZSTREAM_INITIALIZED;
414 }
415
416 if (ret == Z_OK)
417 png_ptr->zowner = owner;
418
419 else
420 png_zstream_error(png_ptr, ret);
421
422 return ret;
423 }
424
425 # ifdef window_bits
426 # undef window_bits
427 # endif
310 } 428 }
311 429
430 #ifdef PNG_READ_COMPRESSED_TEXT_SUPPORTED
431 /* png_inflate now returns zlib error codes including Z_OK and Z_STREAM_END to
432 * allow the caller to do multiple calls if required. If the 'finish' flag is
433 * set Z_FINISH will be passed to the final inflate() call and Z_STREAM_END must
434 * be returned or there has been a problem, otherwise Z_SYNC_FLUSH is used and
435 * Z_OK or Z_STREAM_END will be returned on success.
436 *
437 * The input and output sizes are updated to the actual amounts of data consumed
438 * or written, not the amount available (as in a z_stream). The data pointers
439 * are not changed, so the next input is (data+input_size) and the next
440 * available output is (output+output_size).
441 */
442 static int
443 png_inflate(png_structrp png_ptr, png_uint_32 owner, int finish,
444 /* INPUT: */ png_const_bytep input, png_uint_32p input_size_ptr,
445 /* OUTPUT: */ png_bytep output, png_alloc_size_t *output_size_ptr)
446 {
447 if (png_ptr->zowner == owner) /* Else not claimed */
448 {
449 int ret;
450 png_alloc_size_t avail_out = *output_size_ptr;
451 png_uint_32 avail_in = *input_size_ptr;
452
453 /* zlib can't necessarily handle more than 65535 bytes at once (i.e. it
454 * can't even necessarily handle 65536 bytes) because the type uInt is
455 * "16 bits or more". Consequently it is necessary to chunk the input to
456 * zlib. This code uses ZLIB_IO_MAX, from pngpriv.h, as the maximum (the
457 * maximum value that can be stored in a uInt.) It is possible to set
458 * ZLIB_IO_MAX to a lower value in pngpriv.h and this may sometimes have
459 * a performance advantage, because it reduces the amount of data accessed
460 * at each step and that may give the OS more time to page it in.
461 */
462 png_ptr->zstream.next_in = PNGZ_INPUT_CAST(input);
463 /* avail_in and avail_out are set below from 'size' */
464 png_ptr->zstream.avail_in = 0;
465 png_ptr->zstream.avail_out = 0;
466
467 /* Read directly into the output if it is available (this is set to
468 * a local buffer below if output is NULL).
469 */
470 if (output != NULL)
471 png_ptr->zstream.next_out = output;
472
473 do
474 {
475 uInt avail;
476 Byte local_buffer[PNG_INFLATE_BUF_SIZE];
477
478 /* zlib INPUT BUFFER */
479 /* The setting of 'avail_in' used to be outside the loop; by setting it
480 * inside it is possible to chunk the input to zlib and simply rely on
481 * zlib to advance the 'next_in' pointer. This allows arbitrary
482 * amounts of data to be passed through zlib at the unavoidable cost of
483 * requiring a window save (memcpy of up to 32768 output bytes)
484 * every ZLIB_IO_MAX input bytes.
485 */
486 avail_in += png_ptr->zstream.avail_in; /* not consumed last time */
487
488 avail = ZLIB_IO_MAX;
489
490 if (avail_in < avail)
491 avail = (uInt)avail_in; /* safe: < than ZLIB_IO_MAX */
492
493 avail_in -= avail;
494 png_ptr->zstream.avail_in = avail;
495
496 /* zlib OUTPUT BUFFER */
497 avail_out += png_ptr->zstream.avail_out; /* not written last time */
498
499 avail = ZLIB_IO_MAX; /* maximum zlib can process */
500
501 if (output == NULL)
502 {
503 /* Reset the output buffer each time round if output is NULL and
504 * make available the full buffer, up to 'remaining_space'
505 */
506 png_ptr->zstream.next_out = local_buffer;
507 if ((sizeof local_buffer) < avail)
508 avail = (sizeof local_buffer);
509 }
510
511 if (avail_out < avail)
512 avail = (uInt)avail_out; /* safe: < ZLIB_IO_MAX */
513
514 png_ptr->zstream.avail_out = avail;
515 avail_out -= avail;
516
517 /* zlib inflate call */
518 /* In fact 'avail_out' may be 0 at this point, that happens at the end
519 * of the read when the final LZ end code was not passed at the end of
520 * the previous chunk of input data. Tell zlib if we have reached the
521 * end of the output buffer.
522 */
523 ret = inflate(&png_ptr->zstream, avail_out > 0 ? Z_NO_FLUSH :
524 (finish ? Z_FINISH : Z_SYNC_FLUSH));
525 } while (ret == Z_OK);
526
527 /* For safety kill the local buffer pointer now */
528 if (output == NULL)
529 png_ptr->zstream.next_out = NULL;
530
531 /* Claw back the 'size' and 'remaining_space' byte counts. */
532 avail_in += png_ptr->zstream.avail_in;
533 avail_out += png_ptr->zstream.avail_out;
534
535 /* Update the input and output sizes; the updated values are the amount
536 * consumed or written, effectively the inverse of what zlib uses.
537 */
538 if (avail_out > 0)
539 *output_size_ptr -= avail_out;
540
541 if (avail_in > 0)
542 *input_size_ptr -= avail_in;
543
544 /* Ensure png_ptr->zstream.msg is set (even in the success case!) */
545 png_zstream_error(png_ptr, ret);
546 return ret;
547 }
548
549 else
550 {
551 /* This is a bad internal error. The recovery assigns to the zstream msg
552 * pointer, which is not owned by the caller, but this is safe; it's only
553 * used on errors!
554 */
555 png_ptr->zstream.msg = PNGZ_MSG_CAST("zstream unclaimed");
556 return Z_STREAM_ERROR;
557 }
558 }
559
312 /* 560 /*
313 * Decompress trailing data in a chunk. The assumption is that chunkdata 561 * Decompress trailing data in a chunk. The assumption is that read_buffer
314 * points at an allocated area holding the contents of a chunk with a 562 * points at an allocated area holding the contents of a chunk with a
315 * trailing compressed part. What we get back is an allocated area 563 * trailing compressed part. What we get back is an allocated area
316 * holding the original prefix part and an uncompressed version of the 564 * holding the original prefix part and an uncompressed version of the
317 * trailing part (the malloc area passed in is freed). 565 * trailing part (the malloc area passed in is freed).
318 */ 566 */
319 void /* PRIVATE */ 567 static int
320 png_decompress_chunk(png_structp png_ptr, int comp_type, 568 png_decompress_chunk(png_structrp png_ptr,
321 png_size_t chunklength, 569 png_uint_32 chunklength, png_uint_32 prefix_size,
322 png_size_t prefix_size, png_size_t *newlength) 570 png_alloc_size_t *newlength /* must be initialized to the maximum! */,
571 int terminate /*add a '\0' to the end of the uncompressed data*/)
323 { 572 {
324 /* The caller should guarantee this */ 573 /* TODO: implement different limits for different types of chunk.
325 if (prefix_size > chunklength) 574 *
326 { 575 * The caller supplies *newlength set to the maximum length of the
327 /* The recovery is to delete the chunk. */ 576 * uncompressed data, but this routine allocates space for the prefix and
328 png_warning(png_ptr, "invalid chunklength"); 577 * maybe a '\0' terminator too. We have to assume that 'prefix_size' is
329 prefix_size = 0; /* To delete everything */ 578 * limited only by the maximum chunk size.
330 } 579 */
331 580 png_alloc_size_t limit = PNG_SIZE_MAX;
332 else if (comp_type == PNG_COMPRESSION_TYPE_BASE) 581
333 { 582 # ifdef PNG_SET_CHUNK_MALLOC_LIMIT_SUPPORTED
334 png_size_t expanded_size = png_inflate(png_ptr, 583 if (png_ptr->user_chunk_malloc_max > 0 &&
335 (png_bytep)(png_ptr->chunkdata + prefix_size), 584 png_ptr->user_chunk_malloc_max < limit)
336 chunklength - prefix_size, 585 limit = png_ptr->user_chunk_malloc_max;
337 0/*output*/, 0/*output size*/); 586 # elif PNG_USER_CHUNK_MALLOC_MAX > 0
338 587 if (PNG_USER_CHUNK_MALLOC_MAX < limit)
339 /* Now check the limits on this chunk - if the limit fails the 588 limit = PNG_USER_CHUNK_MALLOC_MAX;
340 * compressed data will be removed, the prefix will remain.
341 */
342 #ifdef PNG_SET_CHUNK_MALLOC_LIMIT_SUPPORTED
343 if (png_ptr->user_chunk_malloc_max &&
344 (prefix_size + expanded_size >= png_ptr->user_chunk_malloc_max - 1))
345 #else
346 # ifdef PNG_USER_CHUNK_MALLOC_MAX
347 if ((PNG_USER_CHUNK_MALLOC_MAX > 0) &&
348 prefix_size + expanded_size >= PNG_USER_CHUNK_MALLOC_MAX - 1)
349 # endif 589 # endif
350 #endif 590
351 png_warning(png_ptr, "Exceeded size limit while expanding chunk"); 591 if (limit >= prefix_size + (terminate != 0))
352 592 {
353 /* If the size is zero either there was an error and a message 593 int ret;
354 * has already been output (warning) or the size really is zero 594
355 * and we have nothing to do - the code will exit through the 595 limit -= prefix_size + (terminate != 0);
356 * error case below. 596
357 */ 597 if (limit < *newlength)
358 #if defined(PNG_SET_CHUNK_MALLOC_LIMIT_SUPPORTED) || \ 598 *newlength = limit;
359 defined(PNG_USER_CHUNK_MALLOC_MAX) 599
360 else 600 /* Now try to claim the stream. */
361 #endif 601 ret = png_inflate_claim(png_ptr, png_ptr->chunk_name);
362 if (expanded_size > 0) 602
363 { 603 if (ret == Z_OK)
364 /* Success (maybe) - really uncompress the chunk. */ 604 {
365 png_size_t new_size = 0; 605 png_uint_32 lzsize = chunklength - prefix_size;
366 png_charp text = NULL; 606
367 /* Need to check for both truncation (64-bit platforms) and integer 607 ret = png_inflate(png_ptr, png_ptr->chunk_name, 1/*finish*/,
368 * overflow. 608 /* input: */ png_ptr->read_buffer + prefix_size, &lzsize,
609 /* output: */ NULL, newlength);
610
611 if (ret == Z_STREAM_END)
612 {
613 /* Use 'inflateReset' here, not 'inflateReset2' because this
614 * preserves the previously decided window size (otherwise it would
615 * be necessary to store the previous window size.) In practice
616 * this doesn't matter anyway, because png_inflate will call inflate
617 * with Z_FINISH in almost all cases, so the window will not be
618 * maintained.
619 */
620 if (inflateReset(&png_ptr->zstream) == Z_OK)
621 {
622 /* Because of the limit checks above we know that the new,
623 * expanded, size will fit in a size_t (let alone an
624 * png_alloc_size_t). Use png_malloc_base here to avoid an
625 * extra OOM message.
626 */
627 png_alloc_size_t new_size = *newlength;
628 png_alloc_size_t buffer_size = prefix_size + new_size +
629 (terminate != 0);
630 png_bytep text = png_voidcast(png_bytep, png_malloc_base(png_ptr,
631 buffer_size));
632
633 if (text != NULL)
634 {
635 ret = png_inflate(png_ptr, png_ptr->chunk_name, 1/*finish*/,
636 png_ptr->read_buffer + prefix_size, &lzsize,
637 text + prefix_size, newlength);
638
639 if (ret == Z_STREAM_END)
640 {
641 if (new_size == *newlength)
642 {
643 if (terminate)
644 text[prefix_size + *newlength] = 0;
645
646 if (prefix_size > 0)
647 memcpy(text, png_ptr->read_buffer, prefix_size);
648
649 {
650 png_bytep old_ptr = png_ptr->read_buffer;
651
652 png_ptr->read_buffer = text;
653 png_ptr->read_buffer_size = buffer_size;
654 text = old_ptr; /* freed below */
655 }
656 }
657
658 else
659 {
660 /* The size changed on the second read, there can be no
661 * guarantee that anything is correct at this point.
662 * The 'msg' pointer has been set to "unexpected end of
663 * LZ stream", which is fine, but return an error code
664 * that the caller won't accept.
665 */
666 ret = PNG_UNEXPECTED_ZLIB_RETURN;
667 }
668 }
669
670 else if (ret == Z_OK)
671 ret = PNG_UNEXPECTED_ZLIB_RETURN; /* for safety */
672
673 /* Free the text pointer (this is the old read_buffer on
674 * success)
675 */
676 png_free(png_ptr, text);
677
678 /* This really is very benign, but it's still an error because
679 * the extra space may otherwise be used as a Trojan Horse.
680 */
681 if (ret == Z_STREAM_END &&
682 chunklength - prefix_size != lzsize)
683 png_chunk_benign_error(png_ptr, "extra compressed data");
684 }
685
686 else
687 {
688 /* Out of memory allocating the buffer */
689 ret = Z_MEM_ERROR;
690 png_zstream_error(png_ptr, Z_MEM_ERROR);
691 }
692 }
693
694 else
695 {
696 /* inflateReset failed, store the error message */
697 png_zstream_error(png_ptr, ret);
698
699 if (ret == Z_STREAM_END)
700 ret = PNG_UNEXPECTED_ZLIB_RETURN;
701 }
702 }
703
704 else if (ret == Z_OK)
705 ret = PNG_UNEXPECTED_ZLIB_RETURN;
706
707 /* Release the claimed stream */
708 png_ptr->zowner = 0;
709 }
710
711 else /* the claim failed */ if (ret == Z_STREAM_END) /* impossible! */
712 ret = PNG_UNEXPECTED_ZLIB_RETURN;
713
714 return ret;
715 }
716
717 else
718 {
719 /* Application/configuration limits exceeded */
720 png_zstream_error(png_ptr, Z_MEM_ERROR);
721 return Z_MEM_ERROR;
722 }
723 }
724 #endif /* PNG_READ_COMPRESSED_TEXT_SUPPORTED */
725
726 #ifdef PNG_READ_iCCP_SUPPORTED
727 /* Perform a partial read and decompress, producing 'avail_out' bytes and
728 * reading from the current chunk as required.
729 */
730 static int
731 png_inflate_read(png_structrp png_ptr, png_bytep read_buffer, uInt read_size,
732 png_uint_32p chunk_bytes, png_bytep next_out, png_alloc_size_t *out_size,
733 int finish)
734 {
735 if (png_ptr->zowner == png_ptr->chunk_name)
736 {
737 int ret;
738
739 /* next_in and avail_in must have been initialized by the caller. */
740 png_ptr->zstream.next_out = next_out;
741 png_ptr->zstream.avail_out = 0; /* set in the loop */
742
743 do
744 {
745 if (png_ptr->zstream.avail_in == 0)
746 {
747 if (read_size > *chunk_bytes)
748 read_size = (uInt)*chunk_bytes;
749 *chunk_bytes -= read_size;
750
751 if (read_size > 0)
752 png_crc_read(png_ptr, read_buffer, read_size);
753
754 png_ptr->zstream.next_in = read_buffer;
755 png_ptr->zstream.avail_in = read_size;
756 }
757
758 if (png_ptr->zstream.avail_out == 0)
759 {
760 uInt avail = ZLIB_IO_MAX;
761 if (avail > *out_size)
762 avail = (uInt)*out_size;
763 *out_size -= avail;
764
765 png_ptr->zstream.avail_out = avail;
766 }
767
768 /* Use Z_SYNC_FLUSH when there is no more chunk data to ensure that all
769 * the available output is produced; this allows reading of truncated
770 * streams.
369 */ 771 */
370 if (prefix_size + expanded_size > prefix_size && 772 ret = inflate(&png_ptr->zstream,
371 prefix_size + expanded_size < 0xffffffffU) 773 *chunk_bytes > 0 ? Z_NO_FLUSH : (finish ? Z_FINISH : Z_SYNC_FLUSH));
372 {
373 text = png_malloc_warn(png_ptr, prefix_size + expanded_size + 1);
374 }
375
376 if (text != NULL)
377 {
378 png_memcpy(text, png_ptr->chunkdata, prefix_size);
379 new_size = png_inflate(png_ptr,
380 (png_bytep)(png_ptr->chunkdata + prefix_size),
381 chunklength - prefix_size,
382 (png_bytep)(text + prefix_size), expanded_size);
383 text[prefix_size + expanded_size] = 0; /* just in case */
384
385 if (new_size == expanded_size)
386 {
387 png_free(png_ptr, png_ptr->chunkdata);
388 png_ptr->chunkdata = text;
389 *newlength = prefix_size + expanded_size;
390 return; /* The success return! */
391 }
392
393 png_warning(png_ptr, "png_inflate logic error");
394 png_free(png_ptr, text);
395 }
396 else
397 png_warning(png_ptr, "Not enough memory to decompress chunk.");
398 } 774 }
399 } 775 while (ret == Z_OK && (*out_size > 0 || png_ptr->zstream.avail_out > 0));
400 776
401 else /* if (comp_type != PNG_COMPRESSION_TYPE_BASE) */ 777 *out_size += png_ptr->zstream.avail_out;
402 { 778 png_ptr->zstream.avail_out = 0; /* Should not be required, but is safe */
403 #if defined(PNG_STDIO_SUPPORTED) && !defined(_WIN32_WCE) 779
404 char umsg[50]; 780 /* Ensure the error message pointer is always set: */
405 781 png_zstream_error(png_ptr, ret);
406 png_snprintf(umsg, sizeof umsg, "Unknown zTXt compression type %d", 782 return ret;
407 comp_type); 783 }
408 png_warning(png_ptr, umsg); 784
409 #else 785 else
410 png_warning(png_ptr, "Unknown zTXt compression type"); 786 {
411 #endif 787 png_ptr->zstream.msg = PNGZ_MSG_CAST("zstream unclaimed");
412 788 return Z_STREAM_ERROR;
413 /* The recovery is to simply drop the data. */ 789 }
414 }
415
416 /* Generic error return - leave the prefix, delete the compressed
417 * data, reallocate the chunkdata to remove the potentially large
418 * amount of compressed data.
419 */
420 {
421 png_charp text = png_malloc_warn(png_ptr, prefix_size + 1);
422 if (text != NULL)
423 {
424 if (prefix_size > 0)
425 png_memcpy(text, png_ptr->chunkdata, prefix_size);
426 png_free(png_ptr, png_ptr->chunkdata);
427 png_ptr->chunkdata = text;
428
429 /* This is an extra zero in the 'uncompressed' part. */
430 *(png_ptr->chunkdata + prefix_size) = 0x00;
431 }
432 /* Ignore a malloc error here - it is safe. */
433 }
434
435 *newlength = prefix_size;
436 } 790 }
437 #endif 791 #endif
438 792
439 /* Read and check the IDHR chunk */ 793 /* Read and check the IDHR chunk */
440 void /* PRIVATE */ 794 void /* PRIVATE */
441 png_handle_IHDR(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) 795 png_handle_IHDR(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
442 { 796 {
443 png_byte buf[13]; 797 png_byte buf[13];
444 png_uint_32 width, height; 798 png_uint_32 width, height;
445 int bit_depth, color_type, compression_type, filter_type; 799 int bit_depth, color_type, compression_type, filter_type;
446 int interlace_type; 800 int interlace_type;
447 801
448 png_debug(1, "in png_handle_IHDR"); 802 png_debug(1, "in png_handle_IHDR");
449 803
450 if (png_ptr->mode & PNG_HAVE_IHDR) 804 if (png_ptr->mode & PNG_HAVE_IHDR)
451 png_error(png_ptr, "Out of place IHDR"); 805 png_chunk_error(png_ptr, "out of place");
452 806
453 /* Check the length */ 807 /* Check the length */
454 if (length != 13) 808 if (length != 13)
455 png_error(png_ptr, "Invalid IHDR chunk"); 809 png_chunk_error(png_ptr, "invalid");
456 810
457 png_ptr->mode |= PNG_HAVE_IHDR; 811 png_ptr->mode |= PNG_HAVE_IHDR;
458 812
459 png_crc_read(png_ptr, buf, 13); 813 png_crc_read(png_ptr, buf, 13);
460 png_crc_finish(png_ptr, 0); 814 png_crc_finish(png_ptr, 0);
461 815
462 width = png_get_uint_31(png_ptr, buf); 816 width = png_get_uint_31(png_ptr, buf);
463 height = png_get_uint_31(png_ptr, buf + 4); 817 height = png_get_uint_31(png_ptr, buf + 4);
464 bit_depth = buf[8]; 818 bit_depth = buf[8];
465 color_type = buf[9]; 819 color_type = buf[9];
466 compression_type = buf[10]; 820 compression_type = buf[10];
467 filter_type = buf[11]; 821 filter_type = buf[11];
468 interlace_type = buf[12]; 822 interlace_type = buf[12];
469 823
470 /* Set internal variables */ 824 /* Set internal variables */
471 png_ptr->width = width; 825 png_ptr->width = width;
472 png_ptr->height = height; 826 png_ptr->height = height;
473 png_ptr->bit_depth = (png_byte)bit_depth; 827 png_ptr->bit_depth = (png_byte)bit_depth;
474 png_ptr->interlaced = (png_byte)interlace_type; 828 png_ptr->interlaced = (png_byte)interlace_type;
475 png_ptr->color_type = (png_byte)color_type; 829 png_ptr->color_type = (png_byte)color_type;
476 #ifdef PNG_MNG_FEATURES_SUPPORTED 830 #ifdef PNG_MNG_FEATURES_SUPPORTED
477 png_ptr->filter_type = (png_byte)filter_type; 831 png_ptr->filter_type = (png_byte)filter_type;
478 #endif 832 #endif
479 png_ptr->compression_type = (png_byte)compression_type; 833 png_ptr->compression_type = (png_byte)compression_type;
480 834
481 /* Find number of channels */ 835 /* Find number of channels */
482 switch (png_ptr->color_type) 836 switch (png_ptr->color_type)
483 { 837 {
838 default: /* invalid, png_set_IHDR calls png_error */
484 case PNG_COLOR_TYPE_GRAY: 839 case PNG_COLOR_TYPE_GRAY:
485 case PNG_COLOR_TYPE_PALETTE: 840 case PNG_COLOR_TYPE_PALETTE:
486 png_ptr->channels = 1; 841 png_ptr->channels = 1;
487 break; 842 break;
488 843
489 case PNG_COLOR_TYPE_RGB: 844 case PNG_COLOR_TYPE_RGB:
490 png_ptr->channels = 3; 845 png_ptr->channels = 3;
491 break; 846 break;
492 847
493 case PNG_COLOR_TYPE_GRAY_ALPHA: 848 case PNG_COLOR_TYPE_GRAY_ALPHA:
494 png_ptr->channels = 2; 849 png_ptr->channels = 2;
495 break; 850 break;
496 851
497 case PNG_COLOR_TYPE_RGB_ALPHA: 852 case PNG_COLOR_TYPE_RGB_ALPHA:
498 png_ptr->channels = 4; 853 png_ptr->channels = 4;
499 break; 854 break;
500 } 855 }
501 856
502 /* Set up other useful info */ 857 /* Set up other useful info */
503 png_ptr->pixel_depth = (png_byte)(png_ptr->bit_depth * 858 png_ptr->pixel_depth = (png_byte)(png_ptr->bit_depth *
504 png_ptr->channels); 859 png_ptr->channels);
505 png_ptr->rowbytes = PNG_ROWBYTES(png_ptr->pixel_depth, png_ptr->width); 860 png_ptr->rowbytes = PNG_ROWBYTES(png_ptr->pixel_depth, png_ptr->width);
506 png_debug1(3, "bit_depth = %d", png_ptr->bit_depth); 861 png_debug1(3, "bit_depth = %d", png_ptr->bit_depth);
507 png_debug1(3, "channels = %d", png_ptr->channels); 862 png_debug1(3, "channels = %d", png_ptr->channels);
508 png_debug1(3, "rowbytes = %lu", png_ptr->rowbytes); 863 png_debug1(3, "rowbytes = %lu", (unsigned long)png_ptr->rowbytes);
509 png_set_IHDR(png_ptr, info_ptr, width, height, bit_depth, 864 png_set_IHDR(png_ptr, info_ptr, width, height, bit_depth,
510 color_type, interlace_type, compression_type, filter_type); 865 color_type, interlace_type, compression_type, filter_type);
511 } 866 }
512 867
513 /* Read and check the palette */ 868 /* Read and check the palette */
514 void /* PRIVATE */ 869 void /* PRIVATE */
515 png_handle_PLTE(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) 870 png_handle_PLTE(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
516 { 871 {
517 png_color palette[PNG_MAX_PALETTE_LENGTH]; 872 png_color palette[PNG_MAX_PALETTE_LENGTH];
518 int num, i; 873 int num, i;
519 #ifdef PNG_POINTER_INDEXING_SUPPORTED 874 #ifdef PNG_POINTER_INDEXING_SUPPORTED
520 png_colorp pal_ptr; 875 png_colorp pal_ptr;
521 #endif 876 #endif
522 877
523 png_debug(1, "in png_handle_PLTE"); 878 png_debug(1, "in png_handle_PLTE");
524 879
525 if (!(png_ptr->mode & PNG_HAVE_IHDR)) 880 if (!(png_ptr->mode & PNG_HAVE_IHDR))
526 png_error(png_ptr, "Missing IHDR before PLTE"); 881 png_chunk_error(png_ptr, "missing IHDR");
882
883 /* Moved to before the 'after IDAT' check below because otherwise duplicate
884 * PLTE chunks are potentially ignored (the spec says there shall not be more
885 * than one PLTE, the error is not treated as benign, so this check trumps
886 * the requirement that PLTE appears before IDAT.)
887 */
888 else if (png_ptr->mode & PNG_HAVE_PLTE)
889 png_chunk_error(png_ptr, "duplicate");
527 890
528 else if (png_ptr->mode & PNG_HAVE_IDAT) 891 else if (png_ptr->mode & PNG_HAVE_IDAT)
529 { 892 {
530 png_warning(png_ptr, "Invalid PLTE after IDAT"); 893 /* This is benign because the non-benign error happened before, when an
894 * IDAT was encountered in a color-mapped image with no PLTE.
895 */
531 png_crc_finish(png_ptr, length); 896 png_crc_finish(png_ptr, length);
897 png_chunk_benign_error(png_ptr, "out of place");
532 return; 898 return;
533 } 899 }
534 900
535 else if (png_ptr->mode & PNG_HAVE_PLTE)
536 png_error(png_ptr, "Duplicate PLTE chunk");
537
538 png_ptr->mode |= PNG_HAVE_PLTE; 901 png_ptr->mode |= PNG_HAVE_PLTE;
539 902
540 if (!(png_ptr->color_type&PNG_COLOR_MASK_COLOR)) 903 if (!(png_ptr->color_type & PNG_COLOR_MASK_COLOR))
541 { 904 {
542 png_warning(png_ptr,
543 "Ignoring PLTE chunk in grayscale PNG");
544 png_crc_finish(png_ptr, length); 905 png_crc_finish(png_ptr, length);
906 png_chunk_benign_error(png_ptr, "ignored in grayscale PNG");
545 return; 907 return;
546 } 908 }
909
547 #ifndef PNG_READ_OPT_PLTE_SUPPORTED 910 #ifndef PNG_READ_OPT_PLTE_SUPPORTED
548 if (png_ptr->color_type != PNG_COLOR_TYPE_PALETTE) 911 if (png_ptr->color_type != PNG_COLOR_TYPE_PALETTE)
549 { 912 {
550 png_crc_finish(png_ptr, length); 913 png_crc_finish(png_ptr, length);
551 return; 914 return;
552 } 915 }
553 #endif 916 #endif
554 917
555 if (length > 3*PNG_MAX_PALETTE_LENGTH || length % 3) 918 if (length > 3*PNG_MAX_PALETTE_LENGTH || length % 3)
556 { 919 {
920 png_crc_finish(png_ptr, length);
921
557 if (png_ptr->color_type != PNG_COLOR_TYPE_PALETTE) 922 if (png_ptr->color_type != PNG_COLOR_TYPE_PALETTE)
558 { 923 png_chunk_benign_error(png_ptr, "invalid");
559 png_warning(png_ptr, "Invalid palette chunk");
560 png_crc_finish(png_ptr, length);
561 return;
562 }
563 924
564 else 925 else
565 { 926 png_chunk_error(png_ptr, "invalid");
566 png_error(png_ptr, "Invalid palette chunk"); 927
567 } 928 return;
568 } 929 }
569 930
931 /* The cast is safe because 'length' is less than 3*PNG_MAX_PALETTE_LENGTH */
570 num = (int)length / 3; 932 num = (int)length / 3;
571 933
572 #ifdef PNG_POINTER_INDEXING_SUPPORTED 934 #ifdef PNG_POINTER_INDEXING_SUPPORTED
573 for (i = 0, pal_ptr = palette; i < num; i++, pal_ptr++) 935 for (i = 0, pal_ptr = palette; i < num; i++, pal_ptr++)
574 { 936 {
575 png_byte buf[3]; 937 png_byte buf[3];
576 938
577 png_crc_read(png_ptr, buf, 3); 939 png_crc_read(png_ptr, buf, 3);
578 pal_ptr->red = buf[0]; 940 pal_ptr->red = buf[0];
579 pal_ptr->green = buf[1]; 941 pal_ptr->green = buf[1];
580 pal_ptr->blue = buf[2]; 942 pal_ptr->blue = buf[2];
581 } 943 }
582 #else 944 #else
583 for (i = 0; i < num; i++) 945 for (i = 0; i < num; i++)
584 { 946 {
585 png_byte buf[3]; 947 png_byte buf[3];
586 948
587 png_crc_read(png_ptr, buf, 3); 949 png_crc_read(png_ptr, buf, 3);
588 /* Don't depend upon png_color being any order */ 950 /* Don't depend upon png_color being any order */
589 palette[i].red = buf[0]; 951 palette[i].red = buf[0];
590 palette[i].green = buf[1]; 952 palette[i].green = buf[1];
591 palette[i].blue = buf[2]; 953 palette[i].blue = buf[2];
592 } 954 }
593 #endif 955 #endif
594 956
595 /* If we actually NEED the PLTE chunk (ie for a paletted image), we do 957 /* If we actually need the PLTE chunk (ie for a paletted image), we do
596 * whatever the normal CRC configuration tells us. However, if we 958 * whatever the normal CRC configuration tells us. However, if we
597 * have an RGB image, the PLTE can be considered ancillary, so 959 * have an RGB image, the PLTE can be considered ancillary, so
598 * we will act as though it is. 960 * we will act as though it is.
599 */ 961 */
600 #ifndef PNG_READ_OPT_PLTE_SUPPORTED 962 #ifndef PNG_READ_OPT_PLTE_SUPPORTED
601 if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) 963 if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
602 #endif 964 #endif
603 { 965 {
604 png_crc_finish(png_ptr, 0); 966 png_crc_finish(png_ptr, 0);
605 } 967 }
968
606 #ifndef PNG_READ_OPT_PLTE_SUPPORTED 969 #ifndef PNG_READ_OPT_PLTE_SUPPORTED
607 else if (png_crc_error(png_ptr)) /* Only if we have a CRC error */ 970 else if (png_crc_error(png_ptr)) /* Only if we have a CRC error */
608 { 971 {
609 /* If we don't want to use the data from an ancillary chunk, 972 /* If we don't want to use the data from an ancillary chunk,
610 we have two options: an error abort, or a warning and we 973 * we have two options: an error abort, or a warning and we
611 ignore the data in this chunk (which should be OK, since 974 * ignore the data in this chunk (which should be OK, since
612 it's considered ancillary for a RGB or RGBA image). */ 975 * it's considered ancillary for a RGB or RGBA image).
976 *
977 * IMPLEMENTATION NOTE: this is only here because png_crc_finish uses the
978 * chunk type to determine whether to check the ancillary or the critical
979 * flags.
980 */
613 if (!(png_ptr->flags & PNG_FLAG_CRC_ANCILLARY_USE)) 981 if (!(png_ptr->flags & PNG_FLAG_CRC_ANCILLARY_USE))
614 { 982 {
615 if (png_ptr->flags & PNG_FLAG_CRC_ANCILLARY_NOWARN) 983 if (png_ptr->flags & PNG_FLAG_CRC_ANCILLARY_NOWARN)
616 { 984 {
617 png_chunk_error(png_ptr, "CRC error"); 985 png_chunk_benign_error(png_ptr, "CRC error");
618 } 986 }
987
619 else 988 else
620 { 989 {
621 png_chunk_warning(png_ptr, "CRC error"); 990 png_chunk_warning(png_ptr, "CRC error");
622 return; 991 return;
623 } 992 }
624 } 993 }
994
625 /* Otherwise, we (optionally) emit a warning and use the chunk. */ 995 /* Otherwise, we (optionally) emit a warning and use the chunk. */
626 else if (!(png_ptr->flags & PNG_FLAG_CRC_ANCILLARY_NOWARN)) 996 else if (!(png_ptr->flags & PNG_FLAG_CRC_ANCILLARY_NOWARN))
627 { 997 {
628 png_chunk_warning(png_ptr, "CRC error"); 998 png_chunk_warning(png_ptr, "CRC error");
629 } 999 }
630 } 1000 }
631 #endif 1001 #endif
632 1002
1003 /* TODO: png_set_PLTE has the side effect of setting png_ptr->palette to its
1004 * own copy of the palette. This has the side effect that when png_start_row
1005 * is called (this happens after any call to png_read_update_info) the
1006 * info_ptr palette gets changed. This is extremely unexpected and
1007 * confusing.
1008 *
1009 * Fix this by not sharing the palette in this way.
1010 */
633 png_set_PLTE(png_ptr, info_ptr, palette, num); 1011 png_set_PLTE(png_ptr, info_ptr, palette, num);
634 1012
1013 /* The three chunks, bKGD, hIST and tRNS *must* appear after PLTE and before
1014 * IDAT. Prior to 1.6.0 this was not checked; instead the code merely
1015 * checked the apparent validity of a tRNS chunk inserted before PLTE on a
1016 * palette PNG. 1.6.0 attempts to rigorously follow the standard and
1017 * therefore does a benign error if the erroneous condition is detected *and*
1018 * cancels the tRNS if the benign error returns. The alternative is to
1019 * amend the standard since it would be rather hypocritical of the standards
1020 * maintainers to ignore it.
1021 */
635 #ifdef PNG_READ_tRNS_SUPPORTED 1022 #ifdef PNG_READ_tRNS_SUPPORTED
636 if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) 1023 if (png_ptr->num_trans > 0 ||
1024 (info_ptr != NULL && (info_ptr->valid & PNG_INFO_tRNS) != 0))
637 { 1025 {
638 if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_tRNS)) 1026 /* Cancel this because otherwise it would be used if the transforms
639 { 1027 * require it. Don't cancel the 'valid' flag because this would prevent
640 if (png_ptr->num_trans > (png_uint_16)num) 1028 * detection of duplicate chunks.
641 { 1029 */
642 png_warning(png_ptr, "Truncating incorrect tRNS chunk length"); 1030 png_ptr->num_trans = 0;
643 png_ptr->num_trans = (png_uint_16)num; 1031
644 } 1032 if (info_ptr != NULL)
645 if (info_ptr->num_trans > (png_uint_16)num) 1033 info_ptr->num_trans = 0;
646 { 1034
647 png_warning(png_ptr, "Truncating incorrect info tRNS chunk length"); 1035 png_chunk_benign_error(png_ptr, "tRNS must be after");
648 info_ptr->num_trans = (png_uint_16)num;
649 }
650 }
651 } 1036 }
652 #endif 1037 #endif
653 1038
1039 #ifdef PNG_READ_hIST_SUPPORTED
1040 if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_hIST) != 0)
1041 png_chunk_benign_error(png_ptr, "hIST must be after");
1042 #endif
1043
1044 #ifdef PNG_READ_bKGD_SUPPORTED
1045 if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_bKGD) != 0)
1046 png_chunk_benign_error(png_ptr, "bKGD must be after");
1047 #endif
654 } 1048 }
655 1049
656 void /* PRIVATE */ 1050 void /* PRIVATE */
657 png_handle_IEND(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) 1051 png_handle_IEND(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
658 { 1052 {
659 png_debug(1, "in png_handle_IEND"); 1053 png_debug(1, "in png_handle_IEND");
660 1054
661 if (!(png_ptr->mode & PNG_HAVE_IHDR) || !(png_ptr->mode & PNG_HAVE_IDAT)) 1055 if (!(png_ptr->mode & PNG_HAVE_IHDR) || !(png_ptr->mode & PNG_HAVE_IDAT))
662 { 1056 png_chunk_error(png_ptr, "out of place");
663 png_error(png_ptr, "No image in file");
664 }
665 1057
666 png_ptr->mode |= (PNG_AFTER_IDAT | PNG_HAVE_IEND); 1058 png_ptr->mode |= (PNG_AFTER_IDAT | PNG_HAVE_IEND);
667 1059
668 if (length != 0)
669 {
670 png_warning(png_ptr, "Incorrect IEND chunk length");
671 }
672 png_crc_finish(png_ptr, length); 1060 png_crc_finish(png_ptr, length);
673 1061
674 info_ptr = info_ptr; /* Quiet compiler warnings about unused info_ptr */ 1062 if (length != 0)
1063 png_chunk_benign_error(png_ptr, "invalid");
1064
1065 PNG_UNUSED(info_ptr)
675 } 1066 }
676 1067
677 #ifdef PNG_READ_gAMA_SUPPORTED 1068 #ifdef PNG_READ_gAMA_SUPPORTED
678 void /* PRIVATE */ 1069 void /* PRIVATE */
679 png_handle_gAMA(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) 1070 png_handle_gAMA(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
680 { 1071 {
681 png_fixed_point igamma; 1072 png_fixed_point igamma;
682 #ifdef PNG_FLOATING_POINT_SUPPORTED
683 float file_gamma;
684 #endif
685 png_byte buf[4]; 1073 png_byte buf[4];
686 1074
687 png_debug(1, "in png_handle_gAMA"); 1075 png_debug(1, "in png_handle_gAMA");
688 1076
689 if (!(png_ptr->mode & PNG_HAVE_IHDR)) 1077 if (!(png_ptr->mode & PNG_HAVE_IHDR))
690 png_error(png_ptr, "Missing IHDR before gAMA"); 1078 png_chunk_error(png_ptr, "missing IHDR");
691 else if (png_ptr->mode & PNG_HAVE_IDAT) 1079
1080 else if (png_ptr->mode & (PNG_HAVE_IDAT|PNG_HAVE_PLTE))
692 { 1081 {
693 png_warning(png_ptr, "Invalid gAMA after IDAT");
694 png_crc_finish(png_ptr, length); 1082 png_crc_finish(png_ptr, length);
695 return; 1083 png_chunk_benign_error(png_ptr, "out of place");
696 }
697 else if (png_ptr->mode & PNG_HAVE_PLTE)
698 /* Should be an error, but we can cope with it */
699 png_warning(png_ptr, "Out of place gAMA chunk");
700
701 if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_gAMA)
702 #ifdef PNG_READ_sRGB_SUPPORTED
703 && !(info_ptr->valid & PNG_INFO_sRGB)
704 #endif
705 )
706 {
707 png_warning(png_ptr, "Duplicate gAMA chunk");
708 png_crc_finish(png_ptr, length);
709 return; 1084 return;
710 } 1085 }
711 1086
712 if (length != 4) 1087 if (length != 4)
713 { 1088 {
714 png_warning(png_ptr, "Incorrect gAMA chunk length");
715 png_crc_finish(png_ptr, length); 1089 png_crc_finish(png_ptr, length);
1090 png_chunk_benign_error(png_ptr, "invalid");
716 return; 1091 return;
717 } 1092 }
718 1093
719 png_crc_read(png_ptr, buf, 4); 1094 png_crc_read(png_ptr, buf, 4);
1095
720 if (png_crc_finish(png_ptr, 0)) 1096 if (png_crc_finish(png_ptr, 0))
721 return; 1097 return;
722 1098
723 igamma = (png_fixed_point)png_get_uint_32(buf); 1099 igamma = png_get_fixed_point(NULL, buf);
724 /* Check for zero gamma */
725 if (igamma == 0)
726 {
727 png_warning(png_ptr,
728 "Ignoring gAMA chunk with gamma=0");
729 return;
730 }
731 1100
732 #ifdef PNG_READ_sRGB_SUPPORTED 1101 png_colorspace_set_gamma(png_ptr, &png_ptr->colorspace, igamma);
733 if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_sRGB)) 1102 png_colorspace_sync(png_ptr, info_ptr);
734 if (PNG_OUT_OF_RANGE(igamma, 45500L, 500))
735 {
736 png_warning(png_ptr,
737 "Ignoring incorrect gAMA value when sRGB is also present");
738 #ifdef PNG_CONSOLE_IO_SUPPORTED
739 fprintf(stderr, "gamma = (%d/100000)", (int)igamma);
740 #endif
741 return;
742 }
743 #endif /* PNG_READ_sRGB_SUPPORTED */
744
745 #ifdef PNG_FLOATING_POINT_SUPPORTED
746 file_gamma = (float)igamma / (float)100000.0;
747 # ifdef PNG_READ_GAMMA_SUPPORTED
748 png_ptr->gamma = file_gamma;
749 # endif
750 png_set_gAMA(png_ptr, info_ptr, file_gamma);
751 #endif
752 #ifdef PNG_FIXED_POINT_SUPPORTED
753 png_set_gAMA_fixed(png_ptr, info_ptr, igamma);
754 #endif
755 } 1103 }
756 #endif 1104 #endif
757 1105
758 #ifdef PNG_READ_sBIT_SUPPORTED 1106 #ifdef PNG_READ_sBIT_SUPPORTED
759 void /* PRIVATE */ 1107 void /* PRIVATE */
760 png_handle_sBIT(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) 1108 png_handle_sBIT(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
761 { 1109 {
762 png_size_t truelen; 1110 unsigned int truelen;
763 png_byte buf[4]; 1111 png_byte buf[4];
764 1112
765 png_debug(1, "in png_handle_sBIT"); 1113 png_debug(1, "in png_handle_sBIT");
766 1114
767 buf[0] = buf[1] = buf[2] = buf[3] = 0; 1115 buf[0] = buf[1] = buf[2] = buf[3] = 0;
768 1116
769 if (!(png_ptr->mode & PNG_HAVE_IHDR)) 1117 if (!(png_ptr->mode & PNG_HAVE_IHDR))
770 png_error(png_ptr, "Missing IHDR before sBIT"); 1118 png_chunk_error(png_ptr, "missing IHDR");
771 else if (png_ptr->mode & PNG_HAVE_IDAT) 1119
1120 else if (png_ptr->mode & (PNG_HAVE_IDAT|PNG_HAVE_PLTE))
772 { 1121 {
773 png_warning(png_ptr, "Invalid sBIT after IDAT");
774 png_crc_finish(png_ptr, length); 1122 png_crc_finish(png_ptr, length);
1123 png_chunk_benign_error(png_ptr, "out of place");
775 return; 1124 return;
776 } 1125 }
777 else if (png_ptr->mode & PNG_HAVE_PLTE) 1126
778 {
779 /* Should be an error, but we can cope with it */
780 png_warning(png_ptr, "Out of place sBIT chunk");
781 }
782 if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_sBIT)) 1127 if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_sBIT))
783 { 1128 {
784 png_warning(png_ptr, "Duplicate sBIT chunk");
785 png_crc_finish(png_ptr, length); 1129 png_crc_finish(png_ptr, length);
1130 png_chunk_benign_error(png_ptr, "duplicate");
786 return; 1131 return;
787 } 1132 }
788 1133
789 if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) 1134 if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
790 truelen = 3; 1135 truelen = 3;
1136
791 else 1137 else
792 truelen = (png_size_t)png_ptr->channels; 1138 truelen = png_ptr->channels;
793 1139
794 if (length != truelen || length > 4) 1140 if (length != truelen || length > 4)
795 { 1141 {
796 png_warning(png_ptr, "Incorrect sBIT chunk length"); 1142 png_chunk_benign_error(png_ptr, "invalid");
797 png_crc_finish(png_ptr, length); 1143 png_crc_finish(png_ptr, length);
798 return; 1144 return;
799 } 1145 }
800 1146
801 png_crc_read(png_ptr, buf, truelen); 1147 png_crc_read(png_ptr, buf, truelen);
1148
802 if (png_crc_finish(png_ptr, 0)) 1149 if (png_crc_finish(png_ptr, 0))
803 return; 1150 return;
804 1151
805 if (png_ptr->color_type & PNG_COLOR_MASK_COLOR) 1152 if (png_ptr->color_type & PNG_COLOR_MASK_COLOR)
806 { 1153 {
807 png_ptr->sig_bit.red = buf[0]; 1154 png_ptr->sig_bit.red = buf[0];
808 png_ptr->sig_bit.green = buf[1]; 1155 png_ptr->sig_bit.green = buf[1];
809 png_ptr->sig_bit.blue = buf[2]; 1156 png_ptr->sig_bit.blue = buf[2];
810 png_ptr->sig_bit.alpha = buf[3]; 1157 png_ptr->sig_bit.alpha = buf[3];
811 } 1158 }
1159
812 else 1160 else
813 { 1161 {
814 png_ptr->sig_bit.gray = buf[0]; 1162 png_ptr->sig_bit.gray = buf[0];
815 png_ptr->sig_bit.red = buf[0]; 1163 png_ptr->sig_bit.red = buf[0];
816 png_ptr->sig_bit.green = buf[0]; 1164 png_ptr->sig_bit.green = buf[0];
817 png_ptr->sig_bit.blue = buf[0]; 1165 png_ptr->sig_bit.blue = buf[0];
818 png_ptr->sig_bit.alpha = buf[1]; 1166 png_ptr->sig_bit.alpha = buf[1];
819 } 1167 }
1168
820 png_set_sBIT(png_ptr, info_ptr, &(png_ptr->sig_bit)); 1169 png_set_sBIT(png_ptr, info_ptr, &(png_ptr->sig_bit));
821 } 1170 }
822 #endif 1171 #endif
823 1172
824 #ifdef PNG_READ_cHRM_SUPPORTED 1173 #ifdef PNG_READ_cHRM_SUPPORTED
825 void /* PRIVATE */ 1174 void /* PRIVATE */
826 png_handle_cHRM(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) 1175 png_handle_cHRM(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
827 { 1176 {
828 png_byte buf[32]; 1177 png_byte buf[32];
829 #ifdef PNG_FLOATING_POINT_SUPPORTED 1178 png_xy xy;
830 float white_x, white_y, red_x, red_y, green_x, green_y, blue_x, blue_y;
831 #endif
832 png_fixed_point int_x_white, int_y_white, int_x_red, int_y_red, int_x_green,
833 int_y_green, int_x_blue, int_y_blue;
834
835 png_uint_32 uint_x, uint_y;
836 1179
837 png_debug(1, "in png_handle_cHRM"); 1180 png_debug(1, "in png_handle_cHRM");
838 1181
839 if (!(png_ptr->mode & PNG_HAVE_IHDR)) 1182 if (!(png_ptr->mode & PNG_HAVE_IHDR))
840 png_error(png_ptr, "Missing IHDR before cHRM"); 1183 png_chunk_error(png_ptr, "missing IHDR");
841 else if (png_ptr->mode & PNG_HAVE_IDAT) 1184
842 { 1185 else if (png_ptr->mode & (PNG_HAVE_IDAT|PNG_HAVE_PLTE))
843 png_warning(png_ptr, "Invalid cHRM after IDAT"); 1186 {
844 png_crc_finish(png_ptr, length); 1187 png_crc_finish(png_ptr, length);
845 return; 1188 png_chunk_benign_error(png_ptr, "out of place");
846 }
847 else if (png_ptr->mode & PNG_HAVE_PLTE)
848 /* Should be an error, but we can cope with it */
849 png_warning(png_ptr, "Missing PLTE before cHRM");
850
851 if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_cHRM)
852 #ifdef PNG_READ_sRGB_SUPPORTED
853 && !(info_ptr->valid & PNG_INFO_sRGB)
854 #endif
855 )
856 {
857 png_warning(png_ptr, "Duplicate cHRM chunk");
858 png_crc_finish(png_ptr, length);
859 return; 1189 return;
860 } 1190 }
861 1191
862 if (length != 32) 1192 if (length != 32)
863 { 1193 {
864 png_warning(png_ptr, "Incorrect cHRM chunk length"); 1194 png_crc_finish(png_ptr, length);
865 png_crc_finish(png_ptr, length); 1195 png_chunk_benign_error(png_ptr, "invalid");
866 return; 1196 return;
867 } 1197 }
868 1198
869 png_crc_read(png_ptr, buf, 32); 1199 png_crc_read(png_ptr, buf, 32);
1200
870 if (png_crc_finish(png_ptr, 0)) 1201 if (png_crc_finish(png_ptr, 0))
871 return; 1202 return;
872 1203
873 uint_x = png_get_uint_32(buf); 1204 xy.whitex = png_get_fixed_point(NULL, buf);
874 uint_y = png_get_uint_32(buf + 4); 1205 xy.whitey = png_get_fixed_point(NULL, buf + 4);
875 int_x_white = (png_fixed_point)uint_x; 1206 xy.redx = png_get_fixed_point(NULL, buf + 8);
876 int_y_white = (png_fixed_point)uint_y; 1207 xy.redy = png_get_fixed_point(NULL, buf + 12);
877 1208 xy.greenx = png_get_fixed_point(NULL, buf + 16);
878 uint_x = png_get_uint_32(buf + 8); 1209 xy.greeny = png_get_fixed_point(NULL, buf + 20);
879 uint_y = png_get_uint_32(buf + 12); 1210 xy.bluex = png_get_fixed_point(NULL, buf + 24);
880 int_x_red = (png_fixed_point)uint_x; 1211 xy.bluey = png_get_fixed_point(NULL, buf + 28);
881 int_y_red = (png_fixed_point)uint_y; 1212
882 1213 if (xy.whitex == PNG_FIXED_ERROR ||
883 uint_x = png_get_uint_32(buf + 16); 1214 xy.whitey == PNG_FIXED_ERROR ||
884 uint_y = png_get_uint_32(buf + 20); 1215 xy.redx == PNG_FIXED_ERROR ||
885 int_x_green = (png_fixed_point)uint_x; 1216 xy.redy == PNG_FIXED_ERROR ||
886 int_y_green = (png_fixed_point)uint_y; 1217 xy.greenx == PNG_FIXED_ERROR ||
887 1218 xy.greeny == PNG_FIXED_ERROR ||
888 uint_x = png_get_uint_32(buf + 24); 1219 xy.bluex == PNG_FIXED_ERROR ||
889 uint_y = png_get_uint_32(buf + 28); 1220 xy.bluey == PNG_FIXED_ERROR)
890 int_x_blue = (png_fixed_point)uint_x; 1221 {
891 int_y_blue = (png_fixed_point)uint_y; 1222 png_chunk_benign_error(png_ptr, "invalid values");
892 1223 return;
893 #ifdef PNG_FLOATING_POINT_SUPPORTED 1224 }
894 white_x = (float)int_x_white / (float)100000.0; 1225
895 white_y = (float)int_y_white / (float)100000.0; 1226 /* If a colorspace error has already been output skip this chunk */
896 red_x = (float)int_x_red / (float)100000.0; 1227 if (png_ptr->colorspace.flags & PNG_COLORSPACE_INVALID)
897 red_y = (float)int_y_red / (float)100000.0; 1228 return;
898 green_x = (float)int_x_green / (float)100000.0; 1229
899 green_y = (float)int_y_green / (float)100000.0; 1230 if (png_ptr->colorspace.flags & PNG_COLORSPACE_FROM_cHRM)
900 blue_x = (float)int_x_blue / (float)100000.0; 1231 {
901 blue_y = (float)int_y_blue / (float)100000.0; 1232 png_ptr->colorspace.flags |= PNG_COLORSPACE_INVALID;
902 #endif 1233 png_colorspace_sync(png_ptr, info_ptr);
903 1234 png_chunk_benign_error(png_ptr, "duplicate");
904 #ifdef PNG_READ_sRGB_SUPPORTED 1235 return;
905 if ((info_ptr != NULL) && (info_ptr->valid & PNG_INFO_sRGB)) 1236 }
906 { 1237
907 if (PNG_OUT_OF_RANGE(int_x_white, 31270, 1000) || 1238 png_ptr->colorspace.flags |= PNG_COLORSPACE_FROM_cHRM;
908 PNG_OUT_OF_RANGE(int_y_white, 32900, 1000) || 1239 (void)png_colorspace_set_chromaticities(png_ptr, &png_ptr->colorspace, &xy,
909 PNG_OUT_OF_RANGE(int_x_red, 64000L, 1000) || 1240 1/*prefer cHRM values*/);
910 PNG_OUT_OF_RANGE(int_y_red, 33000, 1000) || 1241 png_colorspace_sync(png_ptr, info_ptr);
911 PNG_OUT_OF_RANGE(int_x_green, 30000, 1000) ||
912 PNG_OUT_OF_RANGE(int_y_green, 60000L, 1000) ||
913 PNG_OUT_OF_RANGE(int_x_blue, 15000, 1000) ||
914 PNG_OUT_OF_RANGE(int_y_blue, 6000, 1000))
915 {
916 png_warning(png_ptr,
917 "Ignoring incorrect cHRM value when sRGB is also present");
918 #ifdef PNG_CONSOLE_IO_SUPPORTED
919 #ifdef PNG_FLOATING_POINT_SUPPORTED
920 fprintf(stderr, "wx=%f, wy=%f, rx=%f, ry=%f\n",
921 white_x, white_y, red_x, red_y);
922 fprintf(stderr, "gx=%f, gy=%f, bx=%f, by=%f\n",
923 green_x, green_y, blue_x, blue_y);
924 #else
925 fprintf(stderr, "wx=%ld, wy=%ld, rx=%ld, ry=%ld\n",
926 (long)int_x_white, (long)int_y_white,
927 (long)int_x_red, (long)int_y_red);
928 fprintf(stderr, "gx=%ld, gy=%ld, bx=%ld, by=%ld\n",
929 (long)int_x_green, (long)int_y_green,
930 (long)int_x_blue, (long)int_y_blue);
931 #endif
932 #endif /* PNG_CONSOLE_IO_SUPPORTED */
933 }
934 return;
935 }
936 #endif /* PNG_READ_sRGB_SUPPORTED */
937
938 #ifdef PNG_FLOATING_POINT_SUPPORTED
939 png_set_cHRM(png_ptr, info_ptr,
940 white_x, white_y, red_x, red_y, green_x, green_y, blue_x, blue_y);
941 #endif
942 #ifdef PNG_FIXED_POINT_SUPPORTED
943 png_set_cHRM_fixed(png_ptr, info_ptr,
944 int_x_white, int_y_white, int_x_red, int_y_red, int_x_green,
945 int_y_green, int_x_blue, int_y_blue);
946 #endif
947 } 1242 }
948 #endif 1243 #endif
949 1244
950 #ifdef PNG_READ_sRGB_SUPPORTED 1245 #ifdef PNG_READ_sRGB_SUPPORTED
951 void /* PRIVATE */ 1246 void /* PRIVATE */
952 png_handle_sRGB(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) 1247 png_handle_sRGB(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
953 { 1248 {
954 int intent; 1249 png_byte intent;
955 png_byte buf[1];
956 1250
957 png_debug(1, "in png_handle_sRGB"); 1251 png_debug(1, "in png_handle_sRGB");
958 1252
959 if (!(png_ptr->mode & PNG_HAVE_IHDR)) 1253 if (!(png_ptr->mode & PNG_HAVE_IHDR))
960 png_error(png_ptr, "Missing IHDR before sRGB"); 1254 png_chunk_error(png_ptr, "missing IHDR");
961 else if (png_ptr->mode & PNG_HAVE_IDAT) 1255
962 { 1256 else if (png_ptr->mode & (PNG_HAVE_IDAT|PNG_HAVE_PLTE))
963 png_warning(png_ptr, "Invalid sRGB after IDAT"); 1257 {
964 png_crc_finish(png_ptr, length); 1258 png_crc_finish(png_ptr, length);
965 return; 1259 png_chunk_benign_error(png_ptr, "out of place");
966 }
967 else if (png_ptr->mode & PNG_HAVE_PLTE)
968 /* Should be an error, but we can cope with it */
969 png_warning(png_ptr, "Out of place sRGB chunk");
970
971 if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_sRGB))
972 {
973 png_warning(png_ptr, "Duplicate sRGB chunk");
974 png_crc_finish(png_ptr, length);
975 return; 1260 return;
976 } 1261 }
977 1262
978 if (length != 1) 1263 if (length != 1)
979 { 1264 {
980 png_warning(png_ptr, "Incorrect sRGB chunk length"); 1265 png_crc_finish(png_ptr, length);
981 png_crc_finish(png_ptr, length); 1266 png_chunk_benign_error(png_ptr, "invalid");
982 return; 1267 return;
983 } 1268 }
984 1269
985 png_crc_read(png_ptr, buf, 1); 1270 png_crc_read(png_ptr, &intent, 1);
1271
986 if (png_crc_finish(png_ptr, 0)) 1272 if (png_crc_finish(png_ptr, 0))
987 return; 1273 return;
988 1274
989 intent = buf[0]; 1275 /* If a colorspace error has already been output skip this chunk */
990 /* Check for bad intent */ 1276 if (png_ptr->colorspace.flags & PNG_COLORSPACE_INVALID)
991 if (intent >= PNG_sRGB_INTENT_LAST) 1277 return;
992 { 1278
993 png_warning(png_ptr, "Unknown sRGB intent"); 1279 /* Only one sRGB or iCCP chunk is allowed, use the HAVE_INTENT flag to detect
994 return; 1280 * this.
995 } 1281 */
996 1282 if (png_ptr->colorspace.flags & PNG_COLORSPACE_HAVE_INTENT)
997 #if defined(PNG_READ_gAMA_SUPPORTED) && defined(PNG_READ_GAMMA_SUPPORTED) 1283 {
998 if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_gAMA)) 1284 png_ptr->colorspace.flags |= PNG_COLORSPACE_INVALID;
999 { 1285 png_colorspace_sync(png_ptr, info_ptr);
1000 png_fixed_point igamma; 1286 png_chunk_benign_error(png_ptr, "too many profiles");
1001 #ifdef PNG_FIXED_POINT_SUPPORTED 1287 return;
1002 igamma=info_ptr->int_gamma; 1288 }
1003 #else 1289
1004 # ifdef PNG_FLOATING_POINT_SUPPORTED 1290 (void)png_colorspace_set_sRGB(png_ptr, &png_ptr->colorspace, intent);
1005 igamma=(png_fixed_point)(info_ptr->gamma * 100000.); 1291 png_colorspace_sync(png_ptr, info_ptr);
1006 # endif
1007 #endif
1008 if (PNG_OUT_OF_RANGE(igamma, 45500L, 500))
1009 {
1010 png_warning(png_ptr,
1011 "Ignoring incorrect gAMA value when sRGB is also present");
1012 #ifdef PNG_CONSOLE_IO_SUPPORTED
1013 # ifdef PNG_FIXED_POINT_SUPPORTED
1014 fprintf(stderr, "incorrect gamma=(%d/100000)\n",
1015 (int)png_ptr->int_gamma);
1016 # else
1017 # ifdef PNG_FLOATING_POINT_SUPPORTED
1018 fprintf(stderr, "incorrect gamma=%f\n", png_ptr->gamma);
1019 # endif
1020 # endif
1021 #endif
1022 }
1023 }
1024 #endif /* PNG_READ_gAMA_SUPPORTED */
1025
1026 #ifdef PNG_READ_cHRM_SUPPORTED
1027 #ifdef PNG_FIXED_POINT_SUPPORTED
1028 if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_cHRM))
1029 if (PNG_OUT_OF_RANGE(info_ptr->int_x_white, 31270, 1000) ||
1030 PNG_OUT_OF_RANGE(info_ptr->int_y_white, 32900, 1000) ||
1031 PNG_OUT_OF_RANGE(info_ptr->int_x_red, 64000L, 1000) ||
1032 PNG_OUT_OF_RANGE(info_ptr->int_y_red, 33000, 1000) ||
1033 PNG_OUT_OF_RANGE(info_ptr->int_x_green, 30000, 1000) ||
1034 PNG_OUT_OF_RANGE(info_ptr->int_y_green, 60000L, 1000) ||
1035 PNG_OUT_OF_RANGE(info_ptr->int_x_blue, 15000, 1000) ||
1036 PNG_OUT_OF_RANGE(info_ptr->int_y_blue, 6000, 1000))
1037 {
1038 png_warning(png_ptr,
1039 "Ignoring incorrect cHRM value when sRGB is also present");
1040 }
1041 #endif /* PNG_FIXED_POINT_SUPPORTED */
1042 #endif /* PNG_READ_cHRM_SUPPORTED */
1043
1044 png_set_sRGB_gAMA_and_cHRM(png_ptr, info_ptr, intent);
1045 } 1292 }
1046 #endif /* PNG_READ_sRGB_SUPPORTED */ 1293 #endif /* PNG_READ_sRGB_SUPPORTED */
1047 1294
1048 #ifdef PNG_READ_iCCP_SUPPORTED 1295 #ifdef PNG_READ_iCCP_SUPPORTED
1049 void /* PRIVATE */ 1296 void /* PRIVATE */
1050 png_handle_iCCP(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) 1297 png_handle_iCCP(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
1298 /* Note: this does not properly handle profiles that are > 64K under DOS */
1299 {
1300 png_const_charp errmsg = NULL; /* error message output, or no error */
1301 int finished = 0; /* crc checked */
1302
1303 png_debug(1, "in png_handle_iCCP");
1304
1305 if (!(png_ptr->mode & PNG_HAVE_IHDR))
1306 png_chunk_error(png_ptr, "missing IHDR");
1307
1308 else if (png_ptr->mode & (PNG_HAVE_IDAT|PNG_HAVE_PLTE))
1309 {
1310 png_crc_finish(png_ptr, length);
1311 png_chunk_benign_error(png_ptr, "out of place");
1312 return;
1313 }
1314
1315 /* Consistent with all the above colorspace handling an obviously *invalid*
1316 * chunk is just ignored, so does not invalidate the color space. An
1317 * alternative is to set the 'invalid' flags at the start of this routine
1318 * and only clear them in they were not set before and all the tests pass.
1319 * The minimum 'deflate' stream is assumed to be just the 2 byte header and 4
1320 * byte checksum. The keyword must be one character and there is a
1321 * terminator (0) byte and the compression method.
1322 */
1323 if (length < 9)
1324 {
1325 png_crc_finish(png_ptr, length);
1326 png_chunk_benign_error(png_ptr, "too short");
1327 return;
1328 }
1329
1330 /* If a colorspace error has already been output skip this chunk */
1331 if (png_ptr->colorspace.flags & PNG_COLORSPACE_INVALID)
1332 {
1333 png_crc_finish(png_ptr, length);
1334 return;
1335 }
1336
1337 /* Only one sRGB or iCCP chunk is allowed, use the HAVE_INTENT flag to detect
1338 * this.
1339 */
1340 if ((png_ptr->colorspace.flags & PNG_COLORSPACE_HAVE_INTENT) == 0)
1341 {
1342 uInt read_length, keyword_length;
1343 char keyword[81];
1344
1345 /* Find the keyword; the keyword plus separator and compression method
1346 * bytes can be at most 81 characters long.
1347 */
1348 read_length = 81; /* maximum */
1349 if (read_length > length)
1350 read_length = (uInt)length;
1351
1352 png_crc_read(png_ptr, (png_bytep)keyword, read_length);
1353 length -= read_length;
1354
1355 keyword_length = 0;
1356 while (keyword_length < 80 && keyword_length < read_length &&
1357 keyword[keyword_length] != 0)
1358 ++keyword_length;
1359
1360 /* TODO: make the keyword checking common */
1361 if (keyword_length >= 1 && keyword_length <= 79)
1362 {
1363 /* We only understand '0' compression - deflate - so if we get a
1364 * different value we can't safely decode the chunk.
1365 */
1366 if (keyword_length+1 < read_length &&
1367 keyword[keyword_length+1] == PNG_COMPRESSION_TYPE_BASE)
1368 {
1369 read_length -= keyword_length+2;
1370
1371 if (png_inflate_claim(png_ptr, png_iCCP) == Z_OK)
1372 {
1373 Byte profile_header[132];
1374 Byte local_buffer[PNG_INFLATE_BUF_SIZE];
1375 png_alloc_size_t size = (sizeof profile_header);
1376
1377 png_ptr->zstream.next_in = (Bytef*)keyword + (keyword_length+2);
1378 png_ptr->zstream.avail_in = read_length;
1379 (void)png_inflate_read(png_ptr, local_buffer,
1380 (sizeof local_buffer), &length, profile_header, &size,
1381 0/*finish: don't, because the output is too small*/);
1382
1383 if (size == 0)
1384 {
1385 /* We have the ICC profile header; do the basic header checks.
1386 */
1387 const png_uint_32 profile_length =
1388 png_get_uint_32(profile_header);
1389
1390 if (png_icc_check_length(png_ptr, &png_ptr->colorspace,
1391 keyword, profile_length))
1392 {
1393 /* The length is apparently ok, so we can check the 132
1394 * byte header.
1395 */
1396 if (png_icc_check_header(png_ptr, &png_ptr->colorspace,
1397 keyword, profile_length, profile_header,
1398 png_ptr->color_type))
1399 {
1400 /* Now read the tag table; a variable size buffer is
1401 * needed at this point, allocate one for the whole
1402 * profile. The header check has already validated
1403 * that none of these stuff will overflow.
1404 */
1405 const png_uint_32 tag_count = png_get_uint_32(
1406 profile_header+128);
1407 png_bytep profile = png_read_buffer(png_ptr,
1408 profile_length, 2/*silent*/);
1409
1410 if (profile != NULL)
1411 {
1412 memcpy(profile, profile_header,
1413 (sizeof profile_header));
1414
1415 size = 12 * tag_count;
1416
1417 (void)png_inflate_read(png_ptr, local_buffer,
1418 (sizeof local_buffer), &length,
1419 profile + (sizeof profile_header), &size, 0);
1420
1421 /* Still expect a a buffer error because we expect
1422 * there to be some tag data!
1423 */
1424 if (size == 0)
1425 {
1426 if (png_icc_check_tag_table(png_ptr,
1427 &png_ptr->colorspace, keyword, profile_length,
1428 profile))
1429 {
1430 /* The profile has been validated for basic
1431 * security issues, so read the whole thing in.
1432 */
1433 size = profile_length - (sizeof profile_header)
1434 - 12 * tag_count;
1435
1436 (void)png_inflate_read(png_ptr, local_buffer,
1437 (sizeof local_buffer), &length,
1438 profile + (sizeof profile_header) +
1439 12 * tag_count, &size, 1/*finish*/);
1440
1441 if (length > 0 && !(png_ptr->flags &
1442 PNG_FLAG_BENIGN_ERRORS_WARN))
1443 errmsg = "extra compressed data";
1444
1445 /* But otherwise allow extra data: */
1446 else if (size == 0)
1447 {
1448 if (length > 0)
1449 {
1450 /* This can be handled completely, so
1451 * keep going.
1452 */
1453 png_chunk_warning(png_ptr,
1454 "extra compressed data");
1455 }
1456
1457 png_crc_finish(png_ptr, length);
1458 finished = 1;
1459
1460 # ifdef PNG_sRGB_SUPPORTED
1461 /* Check for a match against sRGB */
1462 png_icc_set_sRGB(png_ptr,
1463 &png_ptr->colorspace, profile,
1464 png_ptr->zstream.adler);
1465 # endif
1466
1467 /* Steal the profile for info_ptr. */
1468 if (info_ptr != NULL)
1469 {
1470 png_free_data(png_ptr, info_ptr,
1471 PNG_FREE_ICCP, 0);
1472
1473 info_ptr->iccp_name = png_voidcast(char*,
1474 png_malloc_base(png_ptr,
1475 keyword_length+1));
1476 if (info_ptr->iccp_name != NULL)
1477 {
1478 memcpy(info_ptr->iccp_name, keyword,
1479 keyword_length+1);
1480 info_ptr->iccp_proflen =
1481 profile_length;
1482 info_ptr->iccp_profile = profile;
1483 png_ptr->read_buffer = NULL; /*steal*/
1484 info_ptr->free_me |= PNG_FREE_ICCP;
1485 info_ptr->valid |= PNG_INFO_iCCP;
1486 }
1487
1488 else
1489 {
1490 png_ptr->colorspace.flags |=
1491 PNG_COLORSPACE_INVALID;
1492 errmsg = "out of memory";
1493 }
1494 }
1495
1496 /* else the profile remains in the read
1497 * buffer which gets reused for subsequent
1498 * chunks.
1499 */
1500
1501 if (info_ptr != NULL)
1502 png_colorspace_sync(png_ptr, info_ptr);
1503
1504 if (errmsg == NULL)
1505 {
1506 png_ptr->zowner = 0;
1507 return;
1508 }
1509 }
1510
1511 else if (size > 0)
1512 errmsg = "truncated";
1513
1514 else
1515 errmsg = png_ptr->zstream.msg;
1516 }
1517
1518 /* else png_icc_check_tag_table output an error */
1519 }
1520
1521 else /* profile truncated */
1522 errmsg = png_ptr->zstream.msg;
1523 }
1524
1525 else
1526 errmsg = "out of memory";
1527 }
1528
1529 /* else png_icc_check_header output an error */
1530 }
1531
1532 /* else png_icc_check_length output an error */
1533 }
1534
1535 else /* profile truncated */
1536 errmsg = png_ptr->zstream.msg;
1537
1538 /* Release the stream */
1539 png_ptr->zowner = 0;
1540 }
1541
1542 else /* png_inflate_claim failed */
1543 errmsg = png_ptr->zstream.msg;
1544 }
1545
1546 else
1547 errmsg = "bad compression method"; /* or missing */
1548 }
1549
1550 else
1551 errmsg = "bad keyword";
1552 }
1553
1554 else
1555 errmsg = "too many profiles";
1556
1557 /* Failure: the reason is in 'errmsg' */
1558 if (!finished)
1559 png_crc_finish(png_ptr, length);
1560
1561 png_ptr->colorspace.flags |= PNG_COLORSPACE_INVALID;
1562 png_colorspace_sync(png_ptr, info_ptr);
1563 if (errmsg != NULL) /* else already output */
1564 png_chunk_benign_error(png_ptr, errmsg);
1565 }
1566 #endif /* PNG_READ_iCCP_SUPPORTED */
1567
1568 #ifdef PNG_READ_sPLT_SUPPORTED
1569 void /* PRIVATE */
1570 png_handle_sPLT(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
1051 /* Note: this does not properly handle chunks that are > 64K under DOS */ 1571 /* Note: this does not properly handle chunks that are > 64K under DOS */
1052 { 1572 {
1053 png_byte compression_type; 1573 png_bytep entry_start, buffer;
1054 png_bytep pC; 1574 png_sPLT_t new_palette;
1055 png_charp profile; 1575 png_sPLT_entryp pp;
1576 png_uint_32 data_length;
1577 int entry_size, i;
1056 png_uint_32 skip = 0; 1578 png_uint_32 skip = 0;
1057 png_uint_32 profile_size, profile_length; 1579 png_uint_32 dl;
1058 png_size_t slength, prefix_length, data_length; 1580 png_size_t max_dl;
1059
1060 png_debug(1, "in png_handle_iCCP");
1061
1062 if (!(png_ptr->mode & PNG_HAVE_IHDR))
1063 png_error(png_ptr, "Missing IHDR before iCCP");
1064 else if (png_ptr->mode & PNG_HAVE_IDAT)
1065 {
1066 png_warning(png_ptr, "Invalid iCCP after IDAT");
1067 png_crc_finish(png_ptr, length);
1068 return;
1069 }
1070 else if (png_ptr->mode & PNG_HAVE_PLTE)
1071 /* Should be an error, but we can cope with it */
1072 png_warning(png_ptr, "Out of place iCCP chunk");
1073
1074 if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_iCCP))
1075 {
1076 png_warning(png_ptr, "Duplicate iCCP chunk");
1077 png_crc_finish(png_ptr, length);
1078 return;
1079 }
1080
1081 #ifdef PNG_MAX_MALLOC_64K
1082 if (length > (png_uint_32)65535L)
1083 {
1084 png_warning(png_ptr, "iCCP chunk too large to fit in memory");
1085 skip = length - (png_uint_32)65535L;
1086 length = (png_uint_32)65535L;
1087 }
1088 #endif
1089
1090 png_free(png_ptr, png_ptr->chunkdata);
1091 png_ptr->chunkdata = (png_charp)png_malloc(png_ptr, length + 1);
1092 slength = (png_size_t)length;
1093 png_crc_read(png_ptr, (png_bytep)png_ptr->chunkdata, slength);
1094
1095 if (png_crc_finish(png_ptr, skip))
1096 {
1097 png_free(png_ptr, png_ptr->chunkdata);
1098 png_ptr->chunkdata = NULL;
1099 return;
1100 }
1101
1102 png_ptr->chunkdata[slength] = 0x00;
1103
1104 for (profile = png_ptr->chunkdata; *profile; profile++)
1105 /* Empty loop to find end of name */ ;
1106
1107 ++profile;
1108
1109 /* There should be at least one zero (the compression type byte)
1110 * following the separator, and we should be on it
1111 */
1112 if ( profile >= png_ptr->chunkdata + slength - 1)
1113 {
1114 png_free(png_ptr, png_ptr->chunkdata);
1115 png_ptr->chunkdata = NULL;
1116 png_warning(png_ptr, "Malformed iCCP chunk");
1117 return;
1118 }
1119
1120 /* Compression_type should always be zero */
1121 compression_type = *profile++;
1122 if (compression_type)
1123 {
1124 png_warning(png_ptr, "Ignoring nonzero compression type in iCCP chunk");
1125 compression_type = 0x00; /* Reset it to zero (libpng-1.0.6 through 1.0.8
1126 wrote nonzero) */
1127 }
1128
1129 prefix_length = profile - png_ptr->chunkdata;
1130 png_decompress_chunk(png_ptr, compression_type,
1131 slength, prefix_length, &data_length);
1132
1133 profile_length = data_length - prefix_length;
1134
1135 if ( prefix_length > data_length || profile_length < 4)
1136 {
1137 png_free(png_ptr, png_ptr->chunkdata);
1138 png_ptr->chunkdata = NULL;
1139 png_warning(png_ptr, "Profile size field missing from iCCP chunk");
1140 return;
1141 }
1142
1143 /* Check the profile_size recorded in the first 32 bits of the ICC profile */
1144 pC = (png_bytep)(png_ptr->chunkdata + prefix_length);
1145 profile_size = ((*(pC ))<<24) |
1146 ((*(pC + 1))<<16) |
1147 ((*(pC + 2))<< 8) |
1148 ((*(pC + 3)) );
1149
1150 if (profile_size < profile_length)
1151 profile_length = profile_size;
1152
1153 if (profile_size > profile_length)
1154 {
1155 png_free(png_ptr, png_ptr->chunkdata);
1156 png_ptr->chunkdata = NULL;
1157 png_warning(png_ptr, "Ignoring truncated iCCP profile.");
1158 return;
1159 }
1160
1161 png_set_iCCP(png_ptr, info_ptr, png_ptr->chunkdata,
1162 compression_type, png_ptr->chunkdata + prefix_length, profile_length);
1163 png_free(png_ptr, png_ptr->chunkdata);
1164 png_ptr->chunkdata = NULL;
1165 }
1166 #endif /* PNG_READ_iCCP_SUPPORTED */
1167
1168 #ifdef PNG_READ_sPLT_SUPPORTED
1169 void /* PRIVATE */
1170 png_handle_sPLT(png_structp png_ptr, png_infop info_ptr, png_uint_32 length)
1171 /* Note: this does not properly handle chunks that are > 64K under DOS */
1172 {
1173 png_bytep entry_start;
1174 png_sPLT_t new_palette;
1175 #ifdef PNG_POINTER_INDEXING_SUPPORTED
1176 png_sPLT_entryp pp;
1177 #endif
1178 int data_length, entry_size, i;
1179 png_uint_32 skip = 0;
1180 png_size_t slength;
1181 1581
1182 png_debug(1, "in png_handle_sPLT"); 1582 png_debug(1, "in png_handle_sPLT");
1183 1583
1184 #ifdef PNG_USER_LIMITS_SUPPORTED 1584 #ifdef PNG_USER_LIMITS_SUPPORTED
1185
1186 if (png_ptr->user_chunk_cache_max != 0) 1585 if (png_ptr->user_chunk_cache_max != 0)
1187 { 1586 {
1188 if (png_ptr->user_chunk_cache_max == 1) 1587 if (png_ptr->user_chunk_cache_max == 1)
1189 { 1588 {
1190 png_crc_finish(png_ptr, length); 1589 png_crc_finish(png_ptr, length);
1191 return; 1590 return;
1192 } 1591 }
1592
1193 if (--png_ptr->user_chunk_cache_max == 1) 1593 if (--png_ptr->user_chunk_cache_max == 1)
1194 { 1594 {
1195 png_warning(png_ptr, "No space in chunk cache for sPLT"); 1595 png_warning(png_ptr, "No space in chunk cache for sPLT");
1196 png_crc_finish(png_ptr, length); 1596 png_crc_finish(png_ptr, length);
1197 return; 1597 return;
1198 } 1598 }
1199 } 1599 }
1200 #endif 1600 #endif
1201 1601
1202 if (!(png_ptr->mode & PNG_HAVE_IHDR)) 1602 if (!(png_ptr->mode & PNG_HAVE_IHDR))
1203 png_error(png_ptr, "Missing IHDR before sPLT"); 1603 png_chunk_error(png_ptr, "missing IHDR");
1604
1204 else if (png_ptr->mode & PNG_HAVE_IDAT) 1605 else if (png_ptr->mode & PNG_HAVE_IDAT)
1205 { 1606 {
1206 png_warning(png_ptr, "Invalid sPLT after IDAT");
1207 png_crc_finish(png_ptr, length); 1607 png_crc_finish(png_ptr, length);
1608 png_chunk_benign_error(png_ptr, "out of place");
1208 return; 1609 return;
1209 } 1610 }
1210 1611
1211 #ifdef PNG_MAX_MALLOC_64K 1612 #ifdef PNG_MAX_MALLOC_64K
1212 if (length > (png_uint_32)65535L) 1613 if (length > 65535U)
1213 { 1614 {
1214 png_warning(png_ptr, "sPLT chunk too large to fit in memory"); 1615 png_crc_finish(png_ptr, length);
1215 skip = length - (png_uint_32)65535L; 1616 png_chunk_benign_error(png_ptr, "too large to fit in memory");
1216 length = (png_uint_32)65535L; 1617 return;
1217 } 1618 }
1218 #endif 1619 #endif
1219 1620
1220 png_free(png_ptr, png_ptr->chunkdata); 1621 buffer = png_read_buffer(png_ptr, length+1, 2/*silent*/);
1221 png_ptr->chunkdata = (png_charp)png_malloc(png_ptr, length + 1); 1622 if (buffer == NULL)
1222 slength = (png_size_t)length;
1223 png_crc_read(png_ptr, (png_bytep)png_ptr->chunkdata, slength);
1224
1225 if (png_crc_finish(png_ptr, skip))
1226 { 1623 {
1227 png_free(png_ptr, png_ptr->chunkdata); 1624 png_crc_finish(png_ptr, length);
1228 png_ptr->chunkdata = NULL; 1625 png_chunk_benign_error(png_ptr, "out of memory");
1229 return; 1626 return;
1230 } 1627 }
1231 1628
1232 png_ptr->chunkdata[slength] = 0x00;
1233 1629
1234 for (entry_start = (png_bytep)png_ptr->chunkdata; *entry_start; 1630 /* WARNING: this may break if size_t is less than 32 bits; it is assumed
1235 entry_start++) 1631 * that the PNG_MAX_MALLOC_64K test is enabled in this case, but this is a
1632 * potential breakage point if the types in pngconf.h aren't exactly right.
1633 */
1634 png_crc_read(png_ptr, buffer, length);
1635
1636 if (png_crc_finish(png_ptr, skip))
1637 return;
1638
1639 buffer[length] = 0;
1640
1641 for (entry_start = buffer; *entry_start; entry_start++)
1236 /* Empty loop to find end of name */ ; 1642 /* Empty loop to find end of name */ ;
1643
1237 ++entry_start; 1644 ++entry_start;
1238 1645
1239 /* A sample depth should follow the separator, and we should be on it */ 1646 /* A sample depth should follow the separator, and we should be on it */
1240 if (entry_start > (png_bytep)png_ptr->chunkdata + slength - 2) 1647 if (entry_start > buffer + length - 2)
1241 { 1648 {
1242 png_free(png_ptr, png_ptr->chunkdata);
1243 png_ptr->chunkdata = NULL;
1244 png_warning(png_ptr, "malformed sPLT chunk"); 1649 png_warning(png_ptr, "malformed sPLT chunk");
1245 return; 1650 return;
1246 } 1651 }
1247 1652
1248 new_palette.depth = *entry_start++; 1653 new_palette.depth = *entry_start++;
1249 entry_size = (new_palette.depth == 8 ? 6 : 10); 1654 entry_size = (new_palette.depth == 8 ? 6 : 10);
1250 data_length = (slength - (entry_start - (png_bytep)png_ptr->chunkdata)); 1655 /* This must fit in a png_uint_32 because it is derived from the original
1656 * chunk data length.
1657 */
1658 data_length = length - (png_uint_32)(entry_start - buffer);
1251 1659
1252 /* Integrity-check the data length */ 1660 /* Integrity-check the data length */
1253 if (data_length % entry_size) 1661 if (data_length % entry_size)
1254 { 1662 {
1255 png_free(png_ptr, png_ptr->chunkdata);
1256 png_ptr->chunkdata = NULL;
1257 png_warning(png_ptr, "sPLT chunk has bad length"); 1663 png_warning(png_ptr, "sPLT chunk has bad length");
1258 return; 1664 return;
1259 } 1665 }
1260 1666
1261 new_palette.nentries = (png_int_32) ( data_length / entry_size); 1667 dl = (png_int_32)(data_length / entry_size);
1262 if ((png_uint_32) new_palette.nentries > 1668 max_dl = PNG_SIZE_MAX / (sizeof (png_sPLT_entry));
1263 (png_uint_32) (PNG_SIZE_MAX / png_sizeof(png_sPLT_entry))) 1669
1670 if (dl > max_dl)
1264 { 1671 {
1265 png_warning(png_ptr, "sPLT chunk too long"); 1672 png_warning(png_ptr, "sPLT chunk too long");
1266 return; 1673 return;
1267 } 1674 }
1675
1676 new_palette.nentries = (png_int_32)(data_length / entry_size);
1677
1268 new_palette.entries = (png_sPLT_entryp)png_malloc_warn( 1678 new_palette.entries = (png_sPLT_entryp)png_malloc_warn(
1269 png_ptr, new_palette.nentries * png_sizeof(png_sPLT_entry)); 1679 png_ptr, new_palette.nentries * (sizeof (png_sPLT_entry)));
1680
1270 if (new_palette.entries == NULL) 1681 if (new_palette.entries == NULL)
1271 { 1682 {
1272 png_warning(png_ptr, "sPLT chunk requires too much memory"); 1683 png_warning(png_ptr, "sPLT chunk requires too much memory");
1273 return; 1684 return;
1274 } 1685 }
1275 1686
1276 #ifdef PNG_POINTER_INDEXING_SUPPORTED 1687 #ifdef PNG_POINTER_INDEXING_SUPPORTED
1277 for (i = 0; i < new_palette.nentries; i++) 1688 for (i = 0; i < new_palette.nentries; i++)
1278 { 1689 {
1279 pp = new_palette.entries + i; 1690 pp = new_palette.entries + i;
1280 1691
1281 if (new_palette.depth == 8) 1692 if (new_palette.depth == 8)
1282 { 1693 {
1283 pp->red = *entry_start++; 1694 pp->red = *entry_start++;
1284 pp->green = *entry_start++; 1695 pp->green = *entry_start++;
1285 pp->blue = *entry_start++; 1696 pp->blue = *entry_start++;
1286 pp->alpha = *entry_start++; 1697 pp->alpha = *entry_start++;
1287 } 1698 }
1699
1288 else 1700 else
1289 { 1701 {
1290 pp->red = png_get_uint_16(entry_start); entry_start += 2; 1702 pp->red = png_get_uint_16(entry_start); entry_start += 2;
1291 pp->green = png_get_uint_16(entry_start); entry_start += 2; 1703 pp->green = png_get_uint_16(entry_start); entry_start += 2;
1292 pp->blue = png_get_uint_16(entry_start); entry_start += 2; 1704 pp->blue = png_get_uint_16(entry_start); entry_start += 2;
1293 pp->alpha = png_get_uint_16(entry_start); entry_start += 2; 1705 pp->alpha = png_get_uint_16(entry_start); entry_start += 2;
1294 } 1706 }
1707
1295 pp->frequency = png_get_uint_16(entry_start); entry_start += 2; 1708 pp->frequency = png_get_uint_16(entry_start); entry_start += 2;
1296 } 1709 }
1297 #else 1710 #else
1298 pp = new_palette.entries; 1711 pp = new_palette.entries;
1712
1299 for (i = 0; i < new_palette.nentries; i++) 1713 for (i = 0; i < new_palette.nentries; i++)
1300 { 1714 {
1301 1715
1302 if (new_palette.depth == 8) 1716 if (new_palette.depth == 8)
1303 { 1717 {
1304 pp[i].red = *entry_start++; 1718 pp[i].red = *entry_start++;
1305 pp[i].green = *entry_start++; 1719 pp[i].green = *entry_start++;
1306 pp[i].blue = *entry_start++; 1720 pp[i].blue = *entry_start++;
1307 pp[i].alpha = *entry_start++; 1721 pp[i].alpha = *entry_start++;
1308 } 1722 }
1723
1309 else 1724 else
1310 { 1725 {
1311 pp[i].red = png_get_uint_16(entry_start); entry_start += 2; 1726 pp[i].red = png_get_uint_16(entry_start); entry_start += 2;
1312 pp[i].green = png_get_uint_16(entry_start); entry_start += 2; 1727 pp[i].green = png_get_uint_16(entry_start); entry_start += 2;
1313 pp[i].blue = png_get_uint_16(entry_start); entry_start += 2; 1728 pp[i].blue = png_get_uint_16(entry_start); entry_start += 2;
1314 pp[i].alpha = png_get_uint_16(entry_start); entry_start += 2; 1729 pp[i].alpha = png_get_uint_16(entry_start); entry_start += 2;
1315 } 1730 }
1316 pp->frequency = png_get_uint_16(entry_start); entry_start += 2; 1731
1732 pp[i].frequency = png_get_uint_16(entry_start); entry_start += 2;
1317 } 1733 }
1318 #endif 1734 #endif
1319 1735
1320 /* Discard all chunk data except the name and stash that */ 1736 /* Discard all chunk data except the name and stash that */
1321 new_palette.name = png_ptr->chunkdata; 1737 new_palette.name = (png_charp)buffer;
1322 1738
1323 png_set_sPLT(png_ptr, info_ptr, &new_palette, 1); 1739 png_set_sPLT(png_ptr, info_ptr, &new_palette, 1);
1324 1740
1325 png_free(png_ptr, png_ptr->chunkdata);
1326 png_ptr->chunkdata = NULL;
1327 png_free(png_ptr, new_palette.entries); 1741 png_free(png_ptr, new_palette.entries);
1328 } 1742 }
1329 #endif /* PNG_READ_sPLT_SUPPORTED */ 1743 #endif /* PNG_READ_sPLT_SUPPORTED */
1330 1744
1331 #ifdef PNG_READ_tRNS_SUPPORTED 1745 #ifdef PNG_READ_tRNS_SUPPORTED
1332 void /* PRIVATE */ 1746 void /* PRIVATE */
1333 png_handle_tRNS(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) 1747 png_handle_tRNS(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
1334 { 1748 {
1335 png_byte readbuf[PNG_MAX_PALETTE_LENGTH]; 1749 png_byte readbuf[PNG_MAX_PALETTE_LENGTH];
1336 1750
1337 png_debug(1, "in png_handle_tRNS"); 1751 png_debug(1, "in png_handle_tRNS");
1338 1752
1339 if (!(png_ptr->mode & PNG_HAVE_IHDR)) 1753 if (!(png_ptr->mode & PNG_HAVE_IHDR))
1340 png_error(png_ptr, "Missing IHDR before tRNS"); 1754 png_chunk_error(png_ptr, "missing IHDR");
1755
1341 else if (png_ptr->mode & PNG_HAVE_IDAT) 1756 else if (png_ptr->mode & PNG_HAVE_IDAT)
1342 { 1757 {
1343 png_warning(png_ptr, "Invalid tRNS after IDAT");
1344 png_crc_finish(png_ptr, length); 1758 png_crc_finish(png_ptr, length);
1345 return; 1759 png_chunk_benign_error(png_ptr, "out of place");
1346 }
1347 else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_tRNS))
1348 {
1349 png_warning(png_ptr, "Duplicate tRNS chunk");
1350 png_crc_finish(png_ptr, length);
1351 return; 1760 return;
1352 } 1761 }
1353 1762
1763 else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_tRNS))
1764 {
1765 png_crc_finish(png_ptr, length);
1766 png_chunk_benign_error(png_ptr, "duplicate");
1767 return;
1768 }
1769
1354 if (png_ptr->color_type == PNG_COLOR_TYPE_GRAY) 1770 if (png_ptr->color_type == PNG_COLOR_TYPE_GRAY)
1355 { 1771 {
1356 png_byte buf[2]; 1772 png_byte buf[2];
1357 1773
1358 if (length != 2) 1774 if (length != 2)
1359 { 1775 {
1360 png_warning(png_ptr, "Incorrect tRNS chunk length");
1361 png_crc_finish(png_ptr, length); 1776 png_crc_finish(png_ptr, length);
1777 png_chunk_benign_error(png_ptr, "invalid");
1362 return; 1778 return;
1363 } 1779 }
1364 1780
1365 png_crc_read(png_ptr, buf, 2); 1781 png_crc_read(png_ptr, buf, 2);
1366 png_ptr->num_trans = 1; 1782 png_ptr->num_trans = 1;
1367 png_ptr->trans_values.gray = png_get_uint_16(buf); 1783 png_ptr->trans_color.gray = png_get_uint_16(buf);
1368 } 1784 }
1785
1369 else if (png_ptr->color_type == PNG_COLOR_TYPE_RGB) 1786 else if (png_ptr->color_type == PNG_COLOR_TYPE_RGB)
1370 { 1787 {
1371 png_byte buf[6]; 1788 png_byte buf[6];
1372 1789
1373 if (length != 6) 1790 if (length != 6)
1374 { 1791 {
1375 png_warning(png_ptr, "Incorrect tRNS chunk length");
1376 png_crc_finish(png_ptr, length); 1792 png_crc_finish(png_ptr, length);
1793 png_chunk_benign_error(png_ptr, "invalid");
1377 return; 1794 return;
1378 } 1795 }
1379 png_crc_read(png_ptr, buf, (png_size_t)length); 1796
1797 png_crc_read(png_ptr, buf, length);
1380 png_ptr->num_trans = 1; 1798 png_ptr->num_trans = 1;
1381 png_ptr->trans_values.red = png_get_uint_16(buf); 1799 png_ptr->trans_color.red = png_get_uint_16(buf);
1382 png_ptr->trans_values.green = png_get_uint_16(buf + 2); 1800 png_ptr->trans_color.green = png_get_uint_16(buf + 2);
1383 png_ptr->trans_values.blue = png_get_uint_16(buf + 4); 1801 png_ptr->trans_color.blue = png_get_uint_16(buf + 4);
1384 } 1802 }
1803
1385 else if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) 1804 else if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
1386 { 1805 {
1387 if (!(png_ptr->mode & PNG_HAVE_PLTE)) 1806 if (!(png_ptr->mode & PNG_HAVE_PLTE))
1388 { 1807 {
1389 /* Should be an error, but we can cope with it. */ 1808 /* TODO: is this actually an error in the ISO spec? */
1390 png_warning(png_ptr, "Missing PLTE before tRNS");
1391 }
1392 if (length > (png_uint_32)png_ptr->num_palette ||
1393 length > PNG_MAX_PALETTE_LENGTH)
1394 {
1395 png_warning(png_ptr, "Incorrect tRNS chunk length");
1396 png_crc_finish(png_ptr, length); 1809 png_crc_finish(png_ptr, length);
1810 png_chunk_benign_error(png_ptr, "out of place");
1397 return; 1811 return;
1398 } 1812 }
1399 if (length == 0) 1813
1814 if (length > png_ptr->num_palette || length > PNG_MAX_PALETTE_LENGTH ||
1815 length == 0)
1400 { 1816 {
1401 png_warning(png_ptr, "Zero length tRNS chunk");
1402 png_crc_finish(png_ptr, length); 1817 png_crc_finish(png_ptr, length);
1818 png_chunk_benign_error(png_ptr, "invalid");
1403 return; 1819 return;
1404 } 1820 }
1405 png_crc_read(png_ptr, readbuf, (png_size_t)length); 1821
1822 png_crc_read(png_ptr, readbuf, length);
1406 png_ptr->num_trans = (png_uint_16)length; 1823 png_ptr->num_trans = (png_uint_16)length;
1407 } 1824 }
1825
1408 else 1826 else
1409 { 1827 {
1410 png_warning(png_ptr, "tRNS chunk not allowed with alpha channel");
1411 png_crc_finish(png_ptr, length); 1828 png_crc_finish(png_ptr, length);
1829 png_chunk_benign_error(png_ptr, "invalid with alpha channel");
1412 return; 1830 return;
1413 } 1831 }
1414 1832
1415 if (png_crc_finish(png_ptr, 0)) 1833 if (png_crc_finish(png_ptr, 0))
1416 { 1834 {
1417 png_ptr->num_trans = 0; 1835 png_ptr->num_trans = 0;
1418 return; 1836 return;
1419 } 1837 }
1420 1838
1839 /* TODO: this is a horrible side effect in the palette case because the
1840 * png_struct ends up with a pointer to the tRNS buffer owned by the
1841 * png_info. Fix this.
1842 */
1421 png_set_tRNS(png_ptr, info_ptr, readbuf, png_ptr->num_trans, 1843 png_set_tRNS(png_ptr, info_ptr, readbuf, png_ptr->num_trans,
1422 &(png_ptr->trans_values)); 1844 &(png_ptr->trans_color));
1423 } 1845 }
1424 #endif 1846 #endif
1425 1847
1426 #ifdef PNG_READ_bKGD_SUPPORTED 1848 #ifdef PNG_READ_bKGD_SUPPORTED
1427 void /* PRIVATE */ 1849 void /* PRIVATE */
1428 png_handle_bKGD(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) 1850 png_handle_bKGD(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
1429 { 1851 {
1430 png_size_t truelen; 1852 unsigned int truelen;
1431 png_byte buf[6]; 1853 png_byte buf[6];
1854 png_color_16 background;
1432 1855
1433 png_debug(1, "in png_handle_bKGD"); 1856 png_debug(1, "in png_handle_bKGD");
1434 1857
1435 if (!(png_ptr->mode & PNG_HAVE_IHDR)) 1858 if (!(png_ptr->mode & PNG_HAVE_IHDR))
1436 png_error(png_ptr, "Missing IHDR before bKGD"); 1859 png_chunk_error(png_ptr, "missing IHDR");
1437 else if (png_ptr->mode & PNG_HAVE_IDAT) 1860
1861 else if ((png_ptr->mode & PNG_HAVE_IDAT) ||
1862 (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE &&
1863 !(png_ptr->mode & PNG_HAVE_PLTE)))
1438 { 1864 {
1439 png_warning(png_ptr, "Invalid bKGD after IDAT");
1440 png_crc_finish(png_ptr, length); 1865 png_crc_finish(png_ptr, length);
1866 png_chunk_benign_error(png_ptr, "out of place");
1441 return; 1867 return;
1442 } 1868 }
1443 else if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE && 1869
1444 !(png_ptr->mode & PNG_HAVE_PLTE))
1445 {
1446 png_warning(png_ptr, "Missing PLTE before bKGD");
1447 png_crc_finish(png_ptr, length);
1448 return;
1449 }
1450 else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_bKGD)) 1870 else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_bKGD))
1451 { 1871 {
1452 png_warning(png_ptr, "Duplicate bKGD chunk");
1453 png_crc_finish(png_ptr, length); 1872 png_crc_finish(png_ptr, length);
1873 png_chunk_benign_error(png_ptr, "duplicate");
1454 return; 1874 return;
1455 } 1875 }
1456 1876
1457 if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) 1877 if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
1458 truelen = 1; 1878 truelen = 1;
1879
1459 else if (png_ptr->color_type & PNG_COLOR_MASK_COLOR) 1880 else if (png_ptr->color_type & PNG_COLOR_MASK_COLOR)
1460 truelen = 6; 1881 truelen = 6;
1882
1461 else 1883 else
1462 truelen = 2; 1884 truelen = 2;
1463 1885
1464 if (length != truelen) 1886 if (length != truelen)
1465 { 1887 {
1466 png_warning(png_ptr, "Incorrect bKGD chunk length");
1467 png_crc_finish(png_ptr, length); 1888 png_crc_finish(png_ptr, length);
1889 png_chunk_benign_error(png_ptr, "invalid");
1468 return; 1890 return;
1469 } 1891 }
1470 1892
1471 png_crc_read(png_ptr, buf, truelen); 1893 png_crc_read(png_ptr, buf, truelen);
1894
1472 if (png_crc_finish(png_ptr, 0)) 1895 if (png_crc_finish(png_ptr, 0))
1473 return; 1896 return;
1474 1897
1475 /* We convert the index value into RGB components so that we can allow 1898 /* We convert the index value into RGB components so that we can allow
1476 * arbitrary RGB values for background when we have transparency, and 1899 * arbitrary RGB values for background when we have transparency, and
1477 * so it is easy to determine the RGB values of the background color 1900 * so it is easy to determine the RGB values of the background color
1478 * from the info_ptr struct. */ 1901 * from the info_ptr struct.
1902 */
1479 if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) 1903 if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
1480 { 1904 {
1481 png_ptr->background.index = buf[0]; 1905 background.index = buf[0];
1906
1482 if (info_ptr && info_ptr->num_palette) 1907 if (info_ptr && info_ptr->num_palette)
1483 { 1908 {
1484 if (buf[0] >= info_ptr->num_palette) 1909 if (buf[0] >= info_ptr->num_palette)
1485 { 1910 {
1486 png_warning(png_ptr, "Incorrect bKGD chunk index value"); 1911 png_chunk_benign_error(png_ptr, "invalid index");
1487 return; 1912 return;
1488 } 1913 }
1489 png_ptr->background.red = 1914
1490 (png_uint_16)png_ptr->palette[buf[0]].red; 1915 background.red = (png_uint_16)png_ptr->palette[buf[0]].red;
1491 png_ptr->background.green = 1916 background.green = (png_uint_16)png_ptr->palette[buf[0]].green;
1492 (png_uint_16)png_ptr->palette[buf[0]].green; 1917 background.blue = (png_uint_16)png_ptr->palette[buf[0]].blue;
1493 png_ptr->background.blue =
1494 (png_uint_16)png_ptr->palette[buf[0]].blue;
1495 } 1918 }
1919
1920 else
1921 background.red = background.green = background.blue = 0;
1922
1923 background.gray = 0;
1496 } 1924 }
1925
1497 else if (!(png_ptr->color_type & PNG_COLOR_MASK_COLOR)) /* GRAY */ 1926 else if (!(png_ptr->color_type & PNG_COLOR_MASK_COLOR)) /* GRAY */
1498 { 1927 {
1499 png_ptr->background.red = 1928 background.index = 0;
1500 png_ptr->background.green = 1929 background.red =
1501 png_ptr->background.blue = 1930 background.green =
1502 png_ptr->background.gray = png_get_uint_16(buf); 1931 background.blue =
1932 background.gray = png_get_uint_16(buf);
1503 } 1933 }
1934
1504 else 1935 else
1505 { 1936 {
1506 png_ptr->background.red = png_get_uint_16(buf); 1937 background.index = 0;
1507 png_ptr->background.green = png_get_uint_16(buf + 2); 1938 background.red = png_get_uint_16(buf);
1508 png_ptr->background.blue = png_get_uint_16(buf + 4); 1939 background.green = png_get_uint_16(buf + 2);
1940 background.blue = png_get_uint_16(buf + 4);
1941 background.gray = 0;
1509 } 1942 }
1510 1943
1511 png_set_bKGD(png_ptr, info_ptr, &(png_ptr->background)); 1944 png_set_bKGD(png_ptr, info_ptr, &background);
1512 } 1945 }
1513 #endif 1946 #endif
1514 1947
1515 #ifdef PNG_READ_hIST_SUPPORTED 1948 #ifdef PNG_READ_hIST_SUPPORTED
1516 void /* PRIVATE */ 1949 void /* PRIVATE */
1517 png_handle_hIST(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) 1950 png_handle_hIST(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
1518 { 1951 {
1519 unsigned int num, i; 1952 unsigned int num, i;
1520 png_uint_16 readbuf[PNG_MAX_PALETTE_LENGTH]; 1953 png_uint_16 readbuf[PNG_MAX_PALETTE_LENGTH];
1521 1954
1522 png_debug(1, "in png_handle_hIST"); 1955 png_debug(1, "in png_handle_hIST");
1523 1956
1524 if (!(png_ptr->mode & PNG_HAVE_IHDR)) 1957 if (!(png_ptr->mode & PNG_HAVE_IHDR))
1525 png_error(png_ptr, "Missing IHDR before hIST"); 1958 png_chunk_error(png_ptr, "missing IHDR");
1526 else if (png_ptr->mode & PNG_HAVE_IDAT) 1959
1960 else if ((png_ptr->mode & PNG_HAVE_IDAT) || !(png_ptr->mode & PNG_HAVE_PLTE))
1527 { 1961 {
1528 png_warning(png_ptr, "Invalid hIST after IDAT");
1529 png_crc_finish(png_ptr, length); 1962 png_crc_finish(png_ptr, length);
1963 png_chunk_benign_error(png_ptr, "out of place");
1530 return; 1964 return;
1531 } 1965 }
1532 else if (!(png_ptr->mode & PNG_HAVE_PLTE)) 1966
1533 {
1534 png_warning(png_ptr, "Missing PLTE before hIST");
1535 png_crc_finish(png_ptr, length);
1536 return;
1537 }
1538 else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_hIST)) 1967 else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_hIST))
1539 { 1968 {
1540 png_warning(png_ptr, "Duplicate hIST chunk");
1541 png_crc_finish(png_ptr, length); 1969 png_crc_finish(png_ptr, length);
1970 png_chunk_benign_error(png_ptr, "duplicate");
1542 return; 1971 return;
1543 } 1972 }
1544 1973
1545 num = length / 2 ; 1974 num = length / 2 ;
1546 if (num != (unsigned int) png_ptr->num_palette || num > 1975
1547 (unsigned int) PNG_MAX_PALETTE_LENGTH) 1976 if (num != png_ptr->num_palette || num > PNG_MAX_PALETTE_LENGTH)
1548 { 1977 {
1549 png_warning(png_ptr, "Incorrect hIST chunk length");
1550 png_crc_finish(png_ptr, length); 1978 png_crc_finish(png_ptr, length);
1979 png_chunk_benign_error(png_ptr, "invalid");
1551 return; 1980 return;
1552 } 1981 }
1553 1982
1554 for (i = 0; i < num; i++) 1983 for (i = 0; i < num; i++)
1555 { 1984 {
1556 png_byte buf[2]; 1985 png_byte buf[2];
1557 1986
1558 png_crc_read(png_ptr, buf, 2); 1987 png_crc_read(png_ptr, buf, 2);
1559 readbuf[i] = png_get_uint_16(buf); 1988 readbuf[i] = png_get_uint_16(buf);
1560 } 1989 }
1561 1990
1562 if (png_crc_finish(png_ptr, 0)) 1991 if (png_crc_finish(png_ptr, 0))
1563 return; 1992 return;
1564 1993
1565 png_set_hIST(png_ptr, info_ptr, readbuf); 1994 png_set_hIST(png_ptr, info_ptr, readbuf);
1566 } 1995 }
1567 #endif 1996 #endif
1568 1997
1569 #ifdef PNG_READ_pHYs_SUPPORTED 1998 #ifdef PNG_READ_pHYs_SUPPORTED
1570 void /* PRIVATE */ 1999 void /* PRIVATE */
1571 png_handle_pHYs(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) 2000 png_handle_pHYs(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
1572 { 2001 {
1573 png_byte buf[9]; 2002 png_byte buf[9];
1574 png_uint_32 res_x, res_y; 2003 png_uint_32 res_x, res_y;
1575 int unit_type; 2004 int unit_type;
1576 2005
1577 png_debug(1, "in png_handle_pHYs"); 2006 png_debug(1, "in png_handle_pHYs");
1578 2007
1579 if (!(png_ptr->mode & PNG_HAVE_IHDR)) 2008 if (!(png_ptr->mode & PNG_HAVE_IHDR))
1580 png_error(png_ptr, "Missing IHDR before pHYs"); 2009 png_chunk_error(png_ptr, "missing IHDR");
2010
1581 else if (png_ptr->mode & PNG_HAVE_IDAT) 2011 else if (png_ptr->mode & PNG_HAVE_IDAT)
1582 { 2012 {
1583 png_warning(png_ptr, "Invalid pHYs after IDAT");
1584 png_crc_finish(png_ptr, length); 2013 png_crc_finish(png_ptr, length);
2014 png_chunk_benign_error(png_ptr, "out of place");
1585 return; 2015 return;
1586 } 2016 }
2017
1587 else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_pHYs)) 2018 else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_pHYs))
1588 { 2019 {
1589 png_warning(png_ptr, "Duplicate pHYs chunk");
1590 png_crc_finish(png_ptr, length); 2020 png_crc_finish(png_ptr, length);
2021 png_chunk_benign_error(png_ptr, "duplicate");
1591 return; 2022 return;
1592 } 2023 }
1593 2024
1594 if (length != 9) 2025 if (length != 9)
1595 { 2026 {
1596 png_warning(png_ptr, "Incorrect pHYs chunk length");
1597 png_crc_finish(png_ptr, length); 2027 png_crc_finish(png_ptr, length);
2028 png_chunk_benign_error(png_ptr, "invalid");
1598 return; 2029 return;
1599 } 2030 }
1600 2031
1601 png_crc_read(png_ptr, buf, 9); 2032 png_crc_read(png_ptr, buf, 9);
2033
1602 if (png_crc_finish(png_ptr, 0)) 2034 if (png_crc_finish(png_ptr, 0))
1603 return; 2035 return;
1604 2036
1605 res_x = png_get_uint_32(buf); 2037 res_x = png_get_uint_32(buf);
1606 res_y = png_get_uint_32(buf + 4); 2038 res_y = png_get_uint_32(buf + 4);
1607 unit_type = buf[8]; 2039 unit_type = buf[8];
1608 png_set_pHYs(png_ptr, info_ptr, res_x, res_y, unit_type); 2040 png_set_pHYs(png_ptr, info_ptr, res_x, res_y, unit_type);
1609 } 2041 }
1610 #endif 2042 #endif
1611 2043
1612 #ifdef PNG_READ_oFFs_SUPPORTED 2044 #ifdef PNG_READ_oFFs_SUPPORTED
1613 void /* PRIVATE */ 2045 void /* PRIVATE */
1614 png_handle_oFFs(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) 2046 png_handle_oFFs(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
1615 { 2047 {
1616 png_byte buf[9]; 2048 png_byte buf[9];
1617 png_int_32 offset_x, offset_y; 2049 png_int_32 offset_x, offset_y;
1618 int unit_type; 2050 int unit_type;
1619 2051
1620 png_debug(1, "in png_handle_oFFs"); 2052 png_debug(1, "in png_handle_oFFs");
1621 2053
1622 if (!(png_ptr->mode & PNG_HAVE_IHDR)) 2054 if (!(png_ptr->mode & PNG_HAVE_IHDR))
1623 png_error(png_ptr, "Missing IHDR before oFFs"); 2055 png_chunk_error(png_ptr, "missing IHDR");
2056
1624 else if (png_ptr->mode & PNG_HAVE_IDAT) 2057 else if (png_ptr->mode & PNG_HAVE_IDAT)
1625 { 2058 {
1626 png_warning(png_ptr, "Invalid oFFs after IDAT");
1627 png_crc_finish(png_ptr, length); 2059 png_crc_finish(png_ptr, length);
2060 png_chunk_benign_error(png_ptr, "out of place");
1628 return; 2061 return;
1629 } 2062 }
2063
1630 else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_oFFs)) 2064 else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_oFFs))
1631 { 2065 {
1632 png_warning(png_ptr, "Duplicate oFFs chunk");
1633 png_crc_finish(png_ptr, length); 2066 png_crc_finish(png_ptr, length);
2067 png_chunk_benign_error(png_ptr, "duplicate");
1634 return; 2068 return;
1635 } 2069 }
1636 2070
1637 if (length != 9) 2071 if (length != 9)
1638 { 2072 {
1639 png_warning(png_ptr, "Incorrect oFFs chunk length");
1640 png_crc_finish(png_ptr, length); 2073 png_crc_finish(png_ptr, length);
2074 png_chunk_benign_error(png_ptr, "invalid");
1641 return; 2075 return;
1642 } 2076 }
1643 2077
1644 png_crc_read(png_ptr, buf, 9); 2078 png_crc_read(png_ptr, buf, 9);
2079
1645 if (png_crc_finish(png_ptr, 0)) 2080 if (png_crc_finish(png_ptr, 0))
1646 return; 2081 return;
1647 2082
1648 offset_x = png_get_int_32(buf); 2083 offset_x = png_get_int_32(buf);
1649 offset_y = png_get_int_32(buf + 4); 2084 offset_y = png_get_int_32(buf + 4);
1650 unit_type = buf[8]; 2085 unit_type = buf[8];
1651 png_set_oFFs(png_ptr, info_ptr, offset_x, offset_y, unit_type); 2086 png_set_oFFs(png_ptr, info_ptr, offset_x, offset_y, unit_type);
1652 } 2087 }
1653 #endif 2088 #endif
1654 2089
1655 #ifdef PNG_READ_pCAL_SUPPORTED 2090 #ifdef PNG_READ_pCAL_SUPPORTED
1656 /* Read the pCAL chunk (described in the PNG Extensions document) */ 2091 /* Read the pCAL chunk (described in the PNG Extensions document) */
1657 void /* PRIVATE */ 2092 void /* PRIVATE */
1658 png_handle_pCAL(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) 2093 png_handle_pCAL(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
1659 { 2094 {
1660 png_int_32 X0, X1; 2095 png_int_32 X0, X1;
1661 png_byte type, nparams; 2096 png_byte type, nparams;
1662 png_charp buf, units, endptr; 2097 png_bytep buffer, buf, units, endptr;
1663 png_charpp params; 2098 png_charpp params;
1664 png_size_t slength;
1665 int i; 2099 int i;
1666 2100
1667 png_debug(1, "in png_handle_pCAL"); 2101 png_debug(1, "in png_handle_pCAL");
1668 2102
1669 if (!(png_ptr->mode & PNG_HAVE_IHDR)) 2103 if (!(png_ptr->mode & PNG_HAVE_IHDR))
1670 png_error(png_ptr, "Missing IHDR before pCAL"); 2104 png_chunk_error(png_ptr, "missing IHDR");
2105
1671 else if (png_ptr->mode & PNG_HAVE_IDAT) 2106 else if (png_ptr->mode & PNG_HAVE_IDAT)
1672 { 2107 {
1673 png_warning(png_ptr, "Invalid pCAL after IDAT");
1674 png_crc_finish(png_ptr, length); 2108 png_crc_finish(png_ptr, length);
1675 return; 2109 png_chunk_benign_error(png_ptr, "out of place");
1676 }
1677 else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_pCAL))
1678 {
1679 png_warning(png_ptr, "Duplicate pCAL chunk");
1680 png_crc_finish(png_ptr, length);
1681 return; 2110 return;
1682 } 2111 }
1683 2112
1684 png_debug1(2, "Allocating and reading pCAL chunk data (%lu bytes)", 2113 else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_pCAL))
1685 length + 1);
1686 png_free(png_ptr, png_ptr->chunkdata);
1687 png_ptr->chunkdata = (png_charp)png_malloc_warn(png_ptr, length + 1);
1688 if (png_ptr->chunkdata == NULL)
1689 {
1690 png_warning(png_ptr, "No memory for pCAL purpose.");
1691 return;
1692 }
1693 slength = (png_size_t)length;
1694 png_crc_read(png_ptr, (png_bytep)png_ptr->chunkdata, slength);
1695
1696 if (png_crc_finish(png_ptr, 0))
1697 { 2114 {
1698 png_free(png_ptr, png_ptr->chunkdata); 2115 png_crc_finish(png_ptr, length);
1699 png_ptr->chunkdata = NULL; 2116 png_chunk_benign_error(png_ptr, "duplicate");
1700 return; 2117 return;
1701 } 2118 }
1702 2119
1703 png_ptr->chunkdata[slength] = 0x00; /* Null terminate the last string */ 2120 png_debug1(2, "Allocating and reading pCAL chunk data (%u bytes)",
2121 length + 1);
1704 2122
1705 png_debug(3, "Finding end of pCAL purpose string"); 2123 buffer = png_read_buffer(png_ptr, length+1, 2/*silent*/);
1706 for (buf = png_ptr->chunkdata; *buf; buf++)
1707 /* Empty loop */ ;
1708 2124
1709 endptr = png_ptr->chunkdata + slength; 2125 if (buffer == NULL)
1710
1711 /* We need to have at least 12 bytes after the purpose string
1712 in order to get the parameter information. */
1713 if (endptr <= buf + 12)
1714 { 2126 {
1715 png_warning(png_ptr, "Invalid pCAL data"); 2127 png_crc_finish(png_ptr, length);
1716 png_free(png_ptr, png_ptr->chunkdata); 2128 png_chunk_benign_error(png_ptr, "out of memory");
1717 png_ptr->chunkdata = NULL;
1718 return; 2129 return;
1719 } 2130 }
1720 2131
2132 png_crc_read(png_ptr, buffer, length);
2133
2134 if (png_crc_finish(png_ptr, 0))
2135 return;
2136
2137 buffer[length] = 0; /* Null terminate the last string */
2138
2139 png_debug(3, "Finding end of pCAL purpose string");
2140 for (buf = buffer; *buf; buf++)
2141 /* Empty loop */ ;
2142
2143 endptr = buffer + length;
2144
2145 /* We need to have at least 12 bytes after the purpose string
2146 * in order to get the parameter information.
2147 */
2148 if (endptr <= buf + 12)
2149 {
2150 png_chunk_benign_error(png_ptr, "invalid");
2151 return;
2152 }
2153
1721 png_debug(3, "Reading pCAL X0, X1, type, nparams, and units"); 2154 png_debug(3, "Reading pCAL X0, X1, type, nparams, and units");
1722 X0 = png_get_int_32((png_bytep)buf+1); 2155 X0 = png_get_int_32((png_bytep)buf+1);
1723 X1 = png_get_int_32((png_bytep)buf+5); 2156 X1 = png_get_int_32((png_bytep)buf+5);
1724 type = buf[9]; 2157 type = buf[9];
1725 nparams = buf[10]; 2158 nparams = buf[10];
1726 units = buf + 11; 2159 units = buf + 11;
1727 2160
1728 png_debug(3, "Checking pCAL equation type and number of parameters"); 2161 png_debug(3, "Checking pCAL equation type and number of parameters");
1729 /* Check that we have the right number of parameters for known 2162 /* Check that we have the right number of parameters for known
1730 equation types. */ 2163 * equation types.
2164 */
1731 if ((type == PNG_EQUATION_LINEAR && nparams != 2) || 2165 if ((type == PNG_EQUATION_LINEAR && nparams != 2) ||
1732 (type == PNG_EQUATION_BASE_E && nparams != 3) || 2166 (type == PNG_EQUATION_BASE_E && nparams != 3) ||
1733 (type == PNG_EQUATION_ARBITRARY && nparams != 3) || 2167 (type == PNG_EQUATION_ARBITRARY && nparams != 3) ||
1734 (type == PNG_EQUATION_HYPERBOLIC && nparams != 4)) 2168 (type == PNG_EQUATION_HYPERBOLIC && nparams != 4))
1735 { 2169 {
1736 png_warning(png_ptr, "Invalid pCAL parameters for equation type"); 2170 png_chunk_benign_error(png_ptr, "invalid parameter count");
1737 png_free(png_ptr, png_ptr->chunkdata);
1738 png_ptr->chunkdata = NULL;
1739 return; 2171 return;
1740 } 2172 }
2173
1741 else if (type >= PNG_EQUATION_LAST) 2174 else if (type >= PNG_EQUATION_LAST)
1742 { 2175 {
1743 png_warning(png_ptr, "Unrecognized equation type for pCAL chunk"); 2176 png_chunk_benign_error(png_ptr, "unrecognized equation type");
1744 } 2177 }
1745 2178
1746 for (buf = units; *buf; buf++) 2179 for (buf = units; *buf; buf++)
1747 /* Empty loop to move past the units string. */ ; 2180 /* Empty loop to move past the units string. */ ;
1748 2181
1749 png_debug(3, "Allocating pCAL parameters array"); 2182 png_debug(3, "Allocating pCAL parameters array");
1750 params = (png_charpp)png_malloc_warn(png_ptr, 2183
1751 (png_uint_32)(nparams * png_sizeof(png_charp))) ; 2184 params = png_voidcast(png_charpp, png_malloc_warn(png_ptr,
2185 nparams * (sizeof (png_charp))));
2186
1752 if (params == NULL) 2187 if (params == NULL)
1753 { 2188 {
1754 png_free(png_ptr, png_ptr->chunkdata); 2189 png_chunk_benign_error(png_ptr, "out of memory");
1755 png_ptr->chunkdata = NULL; 2190 return;
1756 png_warning(png_ptr, "No memory for pCAL params."); 2191 }
1757 return;
1758 }
1759 2192
1760 /* Get pointers to the start of each parameter string. */ 2193 /* Get pointers to the start of each parameter string. */
1761 for (i = 0; i < (int)nparams; i++) 2194 for (i = 0; i < nparams; i++)
1762 { 2195 {
1763 buf++; /* Skip the null string terminator from previous parameter. */ 2196 buf++; /* Skip the null string terminator from previous parameter. */
1764 2197
1765 png_debug1(3, "Reading pCAL parameter %d", i); 2198 png_debug1(3, "Reading pCAL parameter %d", i);
1766 for (params[i] = buf; buf <= endptr && *buf != 0x00; buf++) 2199
2200 for (params[i] = (png_charp)buf; buf <= endptr && *buf != 0; buf++)
1767 /* Empty loop to move past each parameter string */ ; 2201 /* Empty loop to move past each parameter string */ ;
1768 2202
1769 /* Make sure we haven't run out of data yet */ 2203 /* Make sure we haven't run out of data yet */
1770 if (buf > endptr) 2204 if (buf > endptr)
1771 { 2205 {
1772 png_warning(png_ptr, "Invalid pCAL data");
1773 png_free(png_ptr, png_ptr->chunkdata);
1774 png_ptr->chunkdata = NULL;
1775 png_free(png_ptr, params); 2206 png_free(png_ptr, params);
2207 png_chunk_benign_error(png_ptr, "invalid data");
1776 return; 2208 return;
1777 } 2209 }
1778 } 2210 }
1779 2211
1780 png_set_pCAL(png_ptr, info_ptr, png_ptr->chunkdata, X0, X1, type, nparams, 2212 png_set_pCAL(png_ptr, info_ptr, (png_charp)buffer, X0, X1, type, nparams,
1781 units, params); 2213 (png_charp)units, params);
1782 2214
1783 png_free(png_ptr, png_ptr->chunkdata);
1784 png_ptr->chunkdata = NULL;
1785 png_free(png_ptr, params); 2215 png_free(png_ptr, params);
1786 } 2216 }
1787 #endif 2217 #endif
1788 2218
1789 #ifdef PNG_READ_sCAL_SUPPORTED 2219 #ifdef PNG_READ_sCAL_SUPPORTED
1790 /* Read the sCAL chunk */ 2220 /* Read the sCAL chunk */
1791 void /* PRIVATE */ 2221 void /* PRIVATE */
1792 png_handle_sCAL(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) 2222 png_handle_sCAL(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
1793 { 2223 {
1794 png_charp ep; 2224 png_bytep buffer;
1795 #ifdef PNG_FLOATING_POINT_SUPPORTED 2225 png_size_t i;
1796 double width, height; 2226 int state;
1797 png_charp vp;
1798 #else
1799 #ifdef PNG_FIXED_POINT_SUPPORTED
1800 png_charp swidth, sheight;
1801 #endif
1802 #endif
1803 png_size_t slength;
1804 2227
1805 png_debug(1, "in png_handle_sCAL"); 2228 png_debug(1, "in png_handle_sCAL");
1806 2229
1807 if (!(png_ptr->mode & PNG_HAVE_IHDR)) 2230 if (!(png_ptr->mode & PNG_HAVE_IHDR))
1808 png_error(png_ptr, "Missing IHDR before sCAL"); 2231 png_chunk_error(png_ptr, "missing IHDR");
2232
1809 else if (png_ptr->mode & PNG_HAVE_IDAT) 2233 else if (png_ptr->mode & PNG_HAVE_IDAT)
1810 { 2234 {
1811 png_warning(png_ptr, "Invalid sCAL after IDAT");
1812 png_crc_finish(png_ptr, length); 2235 png_crc_finish(png_ptr, length);
2236 png_chunk_benign_error(png_ptr, "out of place");
1813 return; 2237 return;
1814 } 2238 }
2239
1815 else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_sCAL)) 2240 else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_sCAL))
1816 { 2241 {
1817 png_warning(png_ptr, "Duplicate sCAL chunk");
1818 png_crc_finish(png_ptr, length); 2242 png_crc_finish(png_ptr, length);
2243 png_chunk_benign_error(png_ptr, "duplicate");
1819 return; 2244 return;
1820 } 2245 }
1821 2246
1822 /* Need unit type, width, \0, height: minimum 4 bytes */ 2247 /* Need unit type, width, \0, height: minimum 4 bytes */
1823 else if (length < 4) 2248 else if (length < 4)
1824 { 2249 {
1825 png_warning(png_ptr, "sCAL chunk too short"); 2250 png_crc_finish(png_ptr, length);
2251 png_chunk_benign_error(png_ptr, "invalid");
2252 return;
2253 }
2254
2255 png_debug1(2, "Allocating and reading sCAL chunk data (%u bytes)",
2256 length + 1);
2257
2258 buffer = png_read_buffer(png_ptr, length+1, 2/*silent*/);
2259
2260 if (buffer == NULL)
2261 {
2262 png_chunk_benign_error(png_ptr, "out of memory");
1826 png_crc_finish(png_ptr, length); 2263 png_crc_finish(png_ptr, length);
1827 return; 2264 return;
1828 } 2265 }
1829 2266
1830 png_debug1(2, "Allocating and reading sCAL chunk data (%lu bytes)", 2267 png_crc_read(png_ptr, buffer, length);
1831 length + 1); 2268 buffer[length] = 0; /* Null terminate the last string */
1832 png_ptr->chunkdata = (png_charp)png_malloc_warn(png_ptr, length + 1);
1833 if (png_ptr->chunkdata == NULL)
1834 {
1835 png_warning(png_ptr, "Out of memory while processing sCAL chunk");
1836 png_crc_finish(png_ptr, length);
1837 return;
1838 }
1839 slength = (png_size_t)length;
1840 png_crc_read(png_ptr, (png_bytep)png_ptr->chunkdata, slength);
1841 2269
1842 if (png_crc_finish(png_ptr, 0)) 2270 if (png_crc_finish(png_ptr, 0))
2271 return;
2272
2273 /* Validate the unit. */
2274 if (buffer[0] != 1 && buffer[0] != 2)
1843 { 2275 {
1844 png_free(png_ptr, png_ptr->chunkdata); 2276 png_chunk_benign_error(png_ptr, "invalid unit");
1845 png_ptr->chunkdata = NULL;
1846 return; 2277 return;
1847 } 2278 }
1848 2279
1849 png_ptr->chunkdata[slength] = 0x00; /* Null terminate the last string */ 2280 /* Validate the ASCII numbers, need two ASCII numbers separated by
2281 * a '\0' and they need to fit exactly in the chunk data.
2282 */
2283 i = 1;
2284 state = 0;
1850 2285
1851 ep = png_ptr->chunkdata + 1; /* Skip unit byte */ 2286 if (!png_check_fp_number((png_const_charp)buffer, length, &state, &i) ||
2287 i >= length || buffer[i++] != 0)
2288 png_chunk_benign_error(png_ptr, "bad width format");
1852 2289
1853 #ifdef PNG_FLOATING_POINT_SUPPORTED 2290 else if (!PNG_FP_IS_POSITIVE(state))
1854 width = png_strtod(png_ptr, ep, &vp); 2291 png_chunk_benign_error(png_ptr, "non-positive width");
1855 if (*vp) 2292
2293 else
1856 { 2294 {
1857 png_warning(png_ptr, "malformed width string in sCAL chunk"); 2295 png_size_t heighti = i;
1858 png_free(png_ptr, png_ptr->chunkdata); 2296
1859 png_ptr->chunkdata = NULL; 2297 state = 0;
1860 return; 2298 if (!png_check_fp_number((png_const_charp)buffer, length, &state, &i) ||
2299 i != length)
2300 png_chunk_benign_error(png_ptr, "bad height format");
2301
2302 else if (!PNG_FP_IS_POSITIVE(state))
2303 png_chunk_benign_error(png_ptr, "non-positive height");
2304
2305 else
2306 /* This is the (only) success case. */
2307 png_set_sCAL_s(png_ptr, info_ptr, buffer[0],
2308 (png_charp)buffer+1, (png_charp)buffer+heighti);
1861 } 2309 }
1862 #else
1863 #ifdef PNG_FIXED_POINT_SUPPORTED
1864 swidth = (png_charp)png_malloc_warn(png_ptr, png_strlen(ep) + 1);
1865 if (swidth == NULL)
1866 {
1867 png_warning(png_ptr, "Out of memory while processing sCAL chunk width");
1868 png_free(png_ptr, png_ptr->chunkdata);
1869 png_ptr->chunkdata = NULL;
1870 return;
1871 }
1872 png_memcpy(swidth, ep, (png_size_t)png_strlen(ep));
1873 #endif
1874 #endif
1875
1876 for (ep = png_ptr->chunkdata; *ep; ep++)
1877 /* Empty loop */ ;
1878 ep++;
1879
1880 if (png_ptr->chunkdata + slength < ep)
1881 {
1882 png_warning(png_ptr, "Truncated sCAL chunk");
1883 #if defined(PNG_FIXED_POINT_SUPPORTED) && !defined(PNG_FLOATING_POINT_SUPPORTED)
1884 png_free(png_ptr, swidth);
1885 #endif
1886 png_free(png_ptr, png_ptr->chunkdata);
1887 png_ptr->chunkdata = NULL;
1888 return;
1889 }
1890
1891 #ifdef PNG_FLOATING_POINT_SUPPORTED
1892 height = png_strtod(png_ptr, ep, &vp);
1893 if (*vp)
1894 {
1895 png_warning(png_ptr, "malformed height string in sCAL chunk");
1896 png_free(png_ptr, png_ptr->chunkdata);
1897 png_ptr->chunkdata = NULL;
1898 #if defined(PNG_FIXED_POINT_SUPPORTED) && !defined(PNG_FLOATING_POINT_SUPPORTED)
1899 png_free(png_ptr, swidth);
1900 #endif
1901 return;
1902 }
1903 #else
1904 #ifdef PNG_FIXED_POINT_SUPPORTED
1905 sheight = (png_charp)png_malloc_warn(png_ptr, png_strlen(ep) + 1);
1906 if (sheight == NULL)
1907 {
1908 png_warning(png_ptr, "Out of memory while processing sCAL chunk height");
1909 png_free(png_ptr, png_ptr->chunkdata);
1910 png_ptr->chunkdata = NULL;
1911 #if defined(PNG_FIXED_POINT_SUPPORTED) && !defined(PNG_FLOATING_POINT_SUPPORTED)
1912 png_free(png_ptr, swidth);
1913 #endif
1914 return;
1915 }
1916 png_memcpy(sheight, ep, (png_size_t)png_strlen(ep));
1917 #endif
1918 #endif
1919
1920 if (png_ptr->chunkdata + slength < ep
1921 #ifdef PNG_FLOATING_POINT_SUPPORTED
1922 || width <= 0. || height <= 0.
1923 #endif
1924 )
1925 {
1926 png_warning(png_ptr, "Invalid sCAL data");
1927 png_free(png_ptr, png_ptr->chunkdata);
1928 png_ptr->chunkdata = NULL;
1929 #if defined(PNG_FIXED_POINT_SUPPORTED) && !defined(PNG_FLOATING_POINT_SUPPORTED)
1930 png_free(png_ptr, swidth);
1931 png_free(png_ptr, sheight);
1932 #endif
1933 return;
1934 }
1935
1936
1937 #ifdef PNG_FLOATING_POINT_SUPPORTED
1938 png_set_sCAL(png_ptr, info_ptr, png_ptr->chunkdata[0], width, height);
1939 #else
1940 #ifdef PNG_FIXED_POINT_SUPPORTED
1941 png_set_sCAL_s(png_ptr, info_ptr, png_ptr->chunkdata[0], swidth, sheight);
1942 #endif
1943 #endif
1944
1945 png_free(png_ptr, png_ptr->chunkdata);
1946 png_ptr->chunkdata = NULL;
1947 #if defined(PNG_FIXED_POINT_SUPPORTED) && !defined(PNG_FLOATING_POINT_SUPPORTED)
1948 png_free(png_ptr, swidth);
1949 png_free(png_ptr, sheight);
1950 #endif
1951 } 2310 }
1952 #endif 2311 #endif
1953 2312
1954 #ifdef PNG_READ_tIME_SUPPORTED 2313 #ifdef PNG_READ_tIME_SUPPORTED
1955 void /* PRIVATE */ 2314 void /* PRIVATE */
1956 png_handle_tIME(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) 2315 png_handle_tIME(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
1957 { 2316 {
1958 png_byte buf[7]; 2317 png_byte buf[7];
1959 png_time mod_time; 2318 png_time mod_time;
1960 2319
1961 png_debug(1, "in png_handle_tIME"); 2320 png_debug(1, "in png_handle_tIME");
1962 2321
1963 if (!(png_ptr->mode & PNG_HAVE_IHDR)) 2322 if (!(png_ptr->mode & PNG_HAVE_IHDR))
1964 png_error(png_ptr, "Out of place tIME chunk"); 2323 png_chunk_error(png_ptr, "missing IHDR");
2324
1965 else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_tIME)) 2325 else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_tIME))
1966 { 2326 {
1967 png_warning(png_ptr, "Duplicate tIME chunk");
1968 png_crc_finish(png_ptr, length); 2327 png_crc_finish(png_ptr, length);
2328 png_chunk_benign_error(png_ptr, "duplicate");
1969 return; 2329 return;
1970 } 2330 }
1971 2331
1972 if (png_ptr->mode & PNG_HAVE_IDAT) 2332 if (png_ptr->mode & PNG_HAVE_IDAT)
1973 png_ptr->mode |= PNG_AFTER_IDAT; 2333 png_ptr->mode |= PNG_AFTER_IDAT;
1974 2334
1975 if (length != 7) 2335 if (length != 7)
1976 { 2336 {
1977 png_warning(png_ptr, "Incorrect tIME chunk length");
1978 png_crc_finish(png_ptr, length); 2337 png_crc_finish(png_ptr, length);
2338 png_chunk_benign_error(png_ptr, "invalid");
1979 return; 2339 return;
1980 } 2340 }
1981 2341
1982 png_crc_read(png_ptr, buf, 7); 2342 png_crc_read(png_ptr, buf, 7);
2343
1983 if (png_crc_finish(png_ptr, 0)) 2344 if (png_crc_finish(png_ptr, 0))
1984 return; 2345 return;
1985 2346
1986 mod_time.second = buf[6]; 2347 mod_time.second = buf[6];
1987 mod_time.minute = buf[5]; 2348 mod_time.minute = buf[5];
1988 mod_time.hour = buf[4]; 2349 mod_time.hour = buf[4];
1989 mod_time.day = buf[3]; 2350 mod_time.day = buf[3];
1990 mod_time.month = buf[2]; 2351 mod_time.month = buf[2];
1991 mod_time.year = png_get_uint_16(buf); 2352 mod_time.year = png_get_uint_16(buf);
1992 2353
1993 png_set_tIME(png_ptr, info_ptr, &mod_time); 2354 png_set_tIME(png_ptr, info_ptr, &mod_time);
1994 } 2355 }
1995 #endif 2356 #endif
1996 2357
1997 #ifdef PNG_READ_tEXt_SUPPORTED 2358 #ifdef PNG_READ_tEXt_SUPPORTED
1998 /* Note: this does not properly handle chunks that are > 64K under DOS */ 2359 /* Note: this does not properly handle chunks that are > 64K under DOS */
1999 void /* PRIVATE */ 2360 void /* PRIVATE */
2000 png_handle_tEXt(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) 2361 png_handle_tEXt(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
2001 { 2362 {
2002 png_textp text_ptr; 2363 png_text text_info;
2364 png_bytep buffer;
2003 png_charp key; 2365 png_charp key;
2004 png_charp text; 2366 png_charp text;
2005 png_uint_32 skip = 0; 2367 png_uint_32 skip = 0;
2006 png_size_t slength;
2007 int ret;
2008 2368
2009 png_debug(1, "in png_handle_tEXt"); 2369 png_debug(1, "in png_handle_tEXt");
2010 2370
2011 #ifdef PNG_USER_LIMITS_SUPPORTED 2371 #ifdef PNG_USER_LIMITS_SUPPORTED
2012 if (png_ptr->user_chunk_cache_max != 0) 2372 if (png_ptr->user_chunk_cache_max != 0)
2013 { 2373 {
2014 if (png_ptr->user_chunk_cache_max == 1) 2374 if (png_ptr->user_chunk_cache_max == 1)
2015 { 2375 {
2016 png_crc_finish(png_ptr, length); 2376 png_crc_finish(png_ptr, length);
2017 return; 2377 return;
2018 } 2378 }
2379
2019 if (--png_ptr->user_chunk_cache_max == 1) 2380 if (--png_ptr->user_chunk_cache_max == 1)
2020 { 2381 {
2021 png_warning(png_ptr, "No space in chunk cache for tEXt");
2022 png_crc_finish(png_ptr, length); 2382 png_crc_finish(png_ptr, length);
2383 png_chunk_benign_error(png_ptr, "no space in chunk cache");
2023 return; 2384 return;
2024 } 2385 }
2025 } 2386 }
2026 #endif 2387 #endif
2027 2388
2028 if (!(png_ptr->mode & PNG_HAVE_IHDR)) 2389 if (!(png_ptr->mode & PNG_HAVE_IHDR))
2029 png_error(png_ptr, "Missing IHDR before tEXt"); 2390 png_chunk_error(png_ptr, "missing IHDR");
2030 2391
2031 if (png_ptr->mode & PNG_HAVE_IDAT) 2392 if (png_ptr->mode & PNG_HAVE_IDAT)
2032 png_ptr->mode |= PNG_AFTER_IDAT; 2393 png_ptr->mode |= PNG_AFTER_IDAT;
2033 2394
2034 #ifdef PNG_MAX_MALLOC_64K 2395 #ifdef PNG_MAX_MALLOC_64K
2035 if (length > (png_uint_32)65535L) 2396 if (length > 65535U)
2036 { 2397 {
2037 png_warning(png_ptr, "tEXt chunk too large to fit in memory"); 2398 png_crc_finish(png_ptr, length);
2038 skip = length - (png_uint_32)65535L; 2399 png_chunk_benign_error(png_ptr, "too large to fit in memory");
2039 length = (png_uint_32)65535L; 2400 return;
2040 } 2401 }
2041 #endif 2402 #endif
2042 2403
2043 png_free(png_ptr, png_ptr->chunkdata); 2404 buffer = png_read_buffer(png_ptr, length+1, 1/*warn*/);
2044 2405
2045 png_ptr->chunkdata = (png_charp)png_malloc_warn(png_ptr, length + 1); 2406 if (buffer == NULL)
2046 if (png_ptr->chunkdata == NULL)
2047 { 2407 {
2048 png_warning(png_ptr, "No memory to process text chunk."); 2408 png_chunk_benign_error(png_ptr, "out of memory");
2049 return; 2409 return;
2050 } 2410 }
2051 slength = (png_size_t)length; 2411
2052 png_crc_read(png_ptr, (png_bytep)png_ptr->chunkdata, slength); 2412 png_crc_read(png_ptr, buffer, length);
2053 2413
2054 if (png_crc_finish(png_ptr, skip)) 2414 if (png_crc_finish(png_ptr, skip))
2055 {
2056 png_free(png_ptr, png_ptr->chunkdata);
2057 png_ptr->chunkdata = NULL;
2058 return; 2415 return;
2059 }
2060 2416
2061 key = png_ptr->chunkdata; 2417 key = (png_charp)buffer;
2062 2418 key[length] = 0;
2063 key[slength] = 0x00;
2064 2419
2065 for (text = key; *text; text++) 2420 for (text = key; *text; text++)
2066 /* Empty loop to find end of key */ ; 2421 /* Empty loop to find end of key */ ;
2067 2422
2068 if (text != key + slength) 2423 if (text != key + length)
2069 text++; 2424 text++;
2070 2425
2071 text_ptr = (png_textp)png_malloc_warn(png_ptr, 2426 text_info.compression = PNG_TEXT_COMPRESSION_NONE;
2072 (png_uint_32)png_sizeof(png_text)); 2427 text_info.key = key;
2073 if (text_ptr == NULL) 2428 text_info.lang = NULL;
2074 { 2429 text_info.lang_key = NULL;
2075 png_warning(png_ptr, "Not enough memory to process text chunk."); 2430 text_info.itxt_length = 0;
2076 png_free(png_ptr, png_ptr->chunkdata); 2431 text_info.text = text;
2077 png_ptr->chunkdata = NULL; 2432 text_info.text_length = strlen(text);
2078 return;
2079 }
2080 text_ptr->compression = PNG_TEXT_COMPRESSION_NONE;
2081 text_ptr->key = key;
2082 #ifdef PNG_iTXt_SUPPORTED
2083 text_ptr->lang = NULL;
2084 text_ptr->lang_key = NULL;
2085 text_ptr->itxt_length = 0;
2086 #endif
2087 text_ptr->text = text;
2088 text_ptr->text_length = png_strlen(text);
2089 2433
2090 ret = png_set_text_2(png_ptr, info_ptr, text_ptr, 1); 2434 if (png_set_text_2(png_ptr, info_ptr, &text_info, 1))
2091 2435 png_warning(png_ptr, "Insufficient memory to process text chunk");
2092 png_free(png_ptr, png_ptr->chunkdata);
2093 png_ptr->chunkdata = NULL;
2094 png_free(png_ptr, text_ptr);
2095 if (ret)
2096 png_warning(png_ptr, "Insufficient memory to process text chunk.");
2097 } 2436 }
2098 #endif 2437 #endif
2099 2438
2100 #ifdef PNG_READ_zTXt_SUPPORTED 2439 #ifdef PNG_READ_zTXt_SUPPORTED
2101 /* Note: this does not correctly handle chunks that are > 64K under DOS */ 2440 /* Note: this does not correctly handle chunks that are > 64K under DOS */
2102 void /* PRIVATE */ 2441 void /* PRIVATE */
2103 png_handle_zTXt(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) 2442 png_handle_zTXt(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
2104 { 2443 {
2105 png_textp text_ptr; 2444 png_const_charp errmsg = NULL;
2106 png_charp text; 2445 png_bytep buffer;
2107 int comp_type; 2446 png_uint_32 keyword_length;
2108 int ret;
2109 png_size_t slength, prefix_len, data_len;
2110 2447
2111 png_debug(1, "in png_handle_zTXt"); 2448 png_debug(1, "in png_handle_zTXt");
2112 2449
2113 #ifdef PNG_USER_LIMITS_SUPPORTED 2450 #ifdef PNG_USER_LIMITS_SUPPORTED
2114 if (png_ptr->user_chunk_cache_max != 0) 2451 if (png_ptr->user_chunk_cache_max != 0)
2115 { 2452 {
2116 if (png_ptr->user_chunk_cache_max == 1) 2453 if (png_ptr->user_chunk_cache_max == 1)
2117 { 2454 {
2118 png_crc_finish(png_ptr, length); 2455 png_crc_finish(png_ptr, length);
2119 return; 2456 return;
2120 } 2457 }
2458
2121 if (--png_ptr->user_chunk_cache_max == 1) 2459 if (--png_ptr->user_chunk_cache_max == 1)
2122 { 2460 {
2123 png_warning(png_ptr, "No space in chunk cache for zTXt");
2124 png_crc_finish(png_ptr, length); 2461 png_crc_finish(png_ptr, length);
2462 png_chunk_benign_error(png_ptr, "no space in chunk cache");
2125 return; 2463 return;
2126 } 2464 }
2127 } 2465 }
2128 #endif 2466 #endif
2129 2467
2130 if (!(png_ptr->mode & PNG_HAVE_IHDR)) 2468 if (!(png_ptr->mode & PNG_HAVE_IHDR))
2131 png_error(png_ptr, "Missing IHDR before zTXt"); 2469 png_chunk_error(png_ptr, "missing IHDR");
2132 2470
2133 if (png_ptr->mode & PNG_HAVE_IDAT) 2471 if (png_ptr->mode & PNG_HAVE_IDAT)
2134 png_ptr->mode |= PNG_AFTER_IDAT; 2472 png_ptr->mode |= PNG_AFTER_IDAT;
2135 2473
2136 #ifdef PNG_MAX_MALLOC_64K 2474 buffer = png_read_buffer(png_ptr, length, 2/*silent*/);
2137 /* We will no doubt have problems with chunks even half this size, but 2475
2138 there is no hard and fast rule to tell us where to stop. */ 2476 if (buffer == NULL)
2139 if (length > (png_uint_32)65535L)
2140 { 2477 {
2141 png_warning(png_ptr, "zTXt chunk too large to fit in memory"); 2478 png_crc_finish(png_ptr, length);
2142 png_crc_finish(png_ptr, length); 2479 png_chunk_benign_error(png_ptr, "out of memory");
2143 return;
2144 }
2145 #endif
2146
2147 png_free(png_ptr, png_ptr->chunkdata);
2148 png_ptr->chunkdata = (png_charp)png_malloc_warn(png_ptr, length + 1);
2149 if (png_ptr->chunkdata == NULL)
2150 {
2151 png_warning(png_ptr, "Out of memory processing zTXt chunk.");
2152 return;
2153 }
2154 slength = (png_size_t)length;
2155 png_crc_read(png_ptr, (png_bytep)png_ptr->chunkdata, slength);
2156 if (png_crc_finish(png_ptr, 0))
2157 {
2158 png_free(png_ptr, png_ptr->chunkdata);
2159 png_ptr->chunkdata = NULL;
2160 return; 2480 return;
2161 } 2481 }
2162 2482
2163 png_ptr->chunkdata[slength] = 0x00; 2483 png_crc_read(png_ptr, buffer, length);
2164 2484
2165 for (text = png_ptr->chunkdata; *text; text++) 2485 if (png_crc_finish(png_ptr, 0))
2166 /* Empty loop */ ; 2486 return;
2167 2487
2168 /* zTXt must have some text after the chunkdataword */ 2488 /* TODO: also check that the keyword contents match the spec! */
2169 if (text >= png_ptr->chunkdata + slength - 2) 2489 for (keyword_length = 0;
2170 { 2490 keyword_length < length && buffer[keyword_length] != 0;
2171 png_warning(png_ptr, "Truncated zTXt chunk"); 2491 ++keyword_length)
2172 png_free(png_ptr, png_ptr->chunkdata); 2492 /* Empty loop to find end of name */ ;
2173 png_ptr->chunkdata = NULL; 2493
2174 return; 2494 if (keyword_length > 79 || keyword_length < 1)
2175 } 2495 errmsg = "bad keyword";
2496
2497 /* zTXt must have some LZ data after the keyword, although it may expand to
2498 * zero bytes; we need a '\0' at the end of the keyword, the compression type
2499 * then the LZ data:
2500 */
2501 else if (keyword_length + 3 > length)
2502 errmsg = "truncated";
2503
2504 else if (buffer[keyword_length+1] != PNG_COMPRESSION_TYPE_BASE)
2505 errmsg = "unknown compression type";
2506
2176 else 2507 else
2177 { 2508 {
2178 comp_type = *(++text); 2509 png_alloc_size_t uncompressed_length = PNG_SIZE_MAX;
2179 if (comp_type != PNG_TEXT_COMPRESSION_zTXt) 2510
2180 { 2511 /* TODO: at present png_decompress_chunk imposes a single application
2181 png_warning(png_ptr, "Unknown compression type in zTXt chunk"); 2512 * level memory limit, this should be split to different values for iCCP
2182 comp_type = PNG_TEXT_COMPRESSION_zTXt; 2513 * and text chunks.
2183 } 2514 */
2184 text++; /* Skip the compression_method byte */ 2515 if (png_decompress_chunk(png_ptr, length, keyword_length+2,
2516 &uncompressed_length, 1/*terminate*/) == Z_STREAM_END)
2517 {
2518 png_text text;
2519
2520 /* It worked; png_ptr->read_buffer now looks like a tEXt chunk except
2521 * for the extra compression type byte and the fact that it isn't
2522 * necessarily '\0' terminated.
2523 */
2524 buffer = png_ptr->read_buffer;
2525 buffer[uncompressed_length+(keyword_length+2)] = 0;
2526
2527 text.compression = PNG_TEXT_COMPRESSION_zTXt;
2528 text.key = (png_charp)buffer;
2529 text.text = (png_charp)(buffer + keyword_length+2);
2530 text.text_length = uncompressed_length;
2531 text.itxt_length = 0;
2532 text.lang = NULL;
2533 text.lang_key = NULL;
2534
2535 if (png_set_text_2(png_ptr, info_ptr, &text, 1))
2536 errmsg = "insufficient memory";
2537 }
2538
2539 else
2540 errmsg = png_ptr->zstream.msg;
2185 } 2541 }
2186 prefix_len = text - png_ptr->chunkdata;
2187 2542
2188 png_decompress_chunk(png_ptr, comp_type, 2543 if (errmsg != NULL)
2189 (png_size_t)length, prefix_len, &data_len); 2544 png_chunk_benign_error(png_ptr, errmsg);
2190
2191 text_ptr = (png_textp)png_malloc_warn(png_ptr,
2192 (png_uint_32)png_sizeof(png_text));
2193 if (text_ptr == NULL)
2194 {
2195 png_warning(png_ptr, "Not enough memory to process zTXt chunk.");
2196 png_free(png_ptr, png_ptr->chunkdata);
2197 png_ptr->chunkdata = NULL;
2198 return;
2199 }
2200 text_ptr->compression = comp_type;
2201 text_ptr->key = png_ptr->chunkdata;
2202 #ifdef PNG_iTXt_SUPPORTED
2203 text_ptr->lang = NULL;
2204 text_ptr->lang_key = NULL;
2205 text_ptr->itxt_length = 0;
2206 #endif
2207 text_ptr->text = png_ptr->chunkdata + prefix_len;
2208 text_ptr->text_length = data_len;
2209
2210 ret = png_set_text_2(png_ptr, info_ptr, text_ptr, 1);
2211
2212 png_free(png_ptr, text_ptr);
2213 png_free(png_ptr, png_ptr->chunkdata);
2214 png_ptr->chunkdata = NULL;
2215 if (ret)
2216 png_error(png_ptr, "Insufficient memory to store zTXt chunk.");
2217 } 2545 }
2218 #endif 2546 #endif
2219 2547
2220 #ifdef PNG_READ_iTXt_SUPPORTED 2548 #ifdef PNG_READ_iTXt_SUPPORTED
2221 /* Note: this does not correctly handle chunks that are > 64K under DOS */ 2549 /* Note: this does not correctly handle chunks that are > 64K under DOS */
2222 void /* PRIVATE */ 2550 void /* PRIVATE */
2223 png_handle_iTXt(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) 2551 png_handle_iTXt(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
2224 { 2552 {
2225 png_textp text_ptr; 2553 png_const_charp errmsg = NULL;
2226 png_charp key, lang, text, lang_key; 2554 png_bytep buffer;
2227 int comp_flag; 2555 png_uint_32 prefix_length;
2228 int comp_type = 0;
2229 int ret;
2230 png_size_t slength, prefix_len, data_len;
2231 2556
2232 png_debug(1, "in png_handle_iTXt"); 2557 png_debug(1, "in png_handle_iTXt");
2233 2558
2234 #ifdef PNG_USER_LIMITS_SUPPORTED 2559 #ifdef PNG_USER_LIMITS_SUPPORTED
2235 if (png_ptr->user_chunk_cache_max != 0) 2560 if (png_ptr->user_chunk_cache_max != 0)
2236 { 2561 {
2237 if (png_ptr->user_chunk_cache_max == 1) 2562 if (png_ptr->user_chunk_cache_max == 1)
2238 { 2563 {
2239 png_crc_finish(png_ptr, length); 2564 png_crc_finish(png_ptr, length);
2240 return; 2565 return;
2241 } 2566 }
2567
2242 if (--png_ptr->user_chunk_cache_max == 1) 2568 if (--png_ptr->user_chunk_cache_max == 1)
2243 { 2569 {
2244 png_warning(png_ptr, "No space in chunk cache for iTXt");
2245 png_crc_finish(png_ptr, length); 2570 png_crc_finish(png_ptr, length);
2571 png_chunk_benign_error(png_ptr, "no space in chunk cache");
2246 return; 2572 return;
2247 } 2573 }
2248 } 2574 }
2249 #endif 2575 #endif
2250 2576
2251 if (!(png_ptr->mode & PNG_HAVE_IHDR)) 2577 if (!(png_ptr->mode & PNG_HAVE_IHDR))
2252 png_error(png_ptr, "Missing IHDR before iTXt"); 2578 png_chunk_error(png_ptr, "missing IHDR");
2253 2579
2254 if (png_ptr->mode & PNG_HAVE_IDAT) 2580 if (png_ptr->mode & PNG_HAVE_IDAT)
2255 png_ptr->mode |= PNG_AFTER_IDAT; 2581 png_ptr->mode |= PNG_AFTER_IDAT;
2256 2582
2257 #ifdef PNG_MAX_MALLOC_64K 2583 buffer = png_read_buffer(png_ptr, length+1, 1/*warn*/);
2258 /* We will no doubt have problems with chunks even half this size, but 2584
2259 there is no hard and fast rule to tell us where to stop. */ 2585 if (buffer == NULL)
2260 if (length > (png_uint_32)65535L)
2261 { 2586 {
2262 png_warning(png_ptr, "iTXt chunk too large to fit in memory"); 2587 png_crc_finish(png_ptr, length);
2263 png_crc_finish(png_ptr, length); 2588 png_chunk_benign_error(png_ptr, "out of memory");
2264 return;
2265 }
2266 #endif
2267
2268 png_free(png_ptr, png_ptr->chunkdata);
2269 png_ptr->chunkdata = (png_charp)png_malloc_warn(png_ptr, length + 1);
2270 if (png_ptr->chunkdata == NULL)
2271 {
2272 png_warning(png_ptr, "No memory to process iTXt chunk.");
2273 return;
2274 }
2275 slength = (png_size_t)length;
2276 png_crc_read(png_ptr, (png_bytep)png_ptr->chunkdata, slength);
2277 if (png_crc_finish(png_ptr, 0))
2278 {
2279 png_free(png_ptr, png_ptr->chunkdata);
2280 png_ptr->chunkdata = NULL;
2281 return; 2589 return;
2282 } 2590 }
2283 2591
2284 png_ptr->chunkdata[slength] = 0x00; 2592 png_crc_read(png_ptr, buffer, length);
2285 2593
2286 for (lang = png_ptr->chunkdata; *lang; lang++) 2594 if (png_crc_finish(png_ptr, 0))
2595 return;
2596
2597 /* First the keyword. */
2598 for (prefix_length=0;
2599 prefix_length < length && buffer[prefix_length] != 0;
2600 ++prefix_length)
2287 /* Empty loop */ ; 2601 /* Empty loop */ ;
2288 lang++; /* Skip NUL separator */ 2602
2289 2603 /* Perform a basic check on the keyword length here. */
2290 /* iTXt must have a language tag (possibly empty), two compression bytes, 2604 if (prefix_length > 79 || prefix_length < 1)
2291 * translated keyword (possibly empty), and possibly some text after the 2605 errmsg = "bad keyword";
2292 * keyword 2606
2607 /* Expect keyword, compression flag, compression type, language, translated
2608 * keyword (both may be empty but are 0 terminated) then the text, which may
2609 * be empty.
2293 */ 2610 */
2294 2611 else if (prefix_length + 5 > length)
2295 if (lang >= png_ptr->chunkdata + slength - 3) 2612 errmsg = "truncated";
2613
2614 else if (buffer[prefix_length+1] == 0 ||
2615 (buffer[prefix_length+1] == 1 &&
2616 buffer[prefix_length+2] == PNG_COMPRESSION_TYPE_BASE))
2296 { 2617 {
2297 png_warning(png_ptr, "Truncated iTXt chunk"); 2618 int compressed = buffer[prefix_length+1] != 0;
2298 png_free(png_ptr, png_ptr->chunkdata); 2619 png_uint_32 language_offset, translated_keyword_offset;
2299 png_ptr->chunkdata = NULL; 2620 png_alloc_size_t uncompressed_length = 0;
2300 return; 2621
2622 /* Now the language tag */
2623 prefix_length += 3;
2624 language_offset = prefix_length;
2625
2626 for (; prefix_length < length && buffer[prefix_length] != 0;
2627 ++prefix_length)
2628 /* Empty loop */ ;
2629
2630 /* WARNING: the length may be invalid here, this is checked below. */
2631 translated_keyword_offset = ++prefix_length;
2632
2633 for (; prefix_length < length && buffer[prefix_length] != 0;
2634 ++prefix_length)
2635 /* Empty loop */ ;
2636
2637 /* prefix_length should now be at the trailing '\0' of the translated
2638 * keyword, but it may already be over the end. None of this arithmetic
2639 * can overflow because chunks are at most 2^31 bytes long, but on 16-bit
2640 * systems the available allocaton may overflow.
2641 */
2642 ++prefix_length;
2643
2644 if (!compressed && prefix_length <= length)
2645 uncompressed_length = length - prefix_length;
2646
2647 else if (compressed && prefix_length < length)
2648 {
2649 uncompressed_length = PNG_SIZE_MAX;
2650
2651 /* TODO: at present png_decompress_chunk imposes a single application
2652 * level memory limit, this should be split to different values for
2653 * iCCP and text chunks.
2654 */
2655 if (png_decompress_chunk(png_ptr, length, prefix_length,
2656 &uncompressed_length, 1/*terminate*/) == Z_STREAM_END)
2657 buffer = png_ptr->read_buffer;
2658
2659 else
2660 errmsg = png_ptr->zstream.msg;
2661 }
2662
2663 else
2664 errmsg = "truncated";
2665
2666 if (errmsg == NULL)
2667 {
2668 png_text text;
2669
2670 buffer[uncompressed_length+prefix_length] = 0;
2671
2672 if (compressed)
2673 text.compression = PNG_ITXT_COMPRESSION_NONE;
2674
2675 else
2676 text.compression = PNG_ITXT_COMPRESSION_zTXt;
2677
2678 text.key = (png_charp)buffer;
2679 text.lang = (png_charp)buffer + language_offset;
2680 text.lang_key = (png_charp)buffer + translated_keyword_offset;
2681 text.text = (png_charp)buffer + prefix_length;
2682 text.text_length = 0;
2683 text.itxt_length = uncompressed_length;
2684
2685 if (png_set_text_2(png_ptr, info_ptr, &text, 1))
2686 errmsg = "insufficient memory";
2687 }
2301 } 2688 }
2689
2690 else
2691 errmsg = "bad compression info";
2692
2693 if (errmsg != NULL)
2694 png_chunk_benign_error(png_ptr, errmsg);
2695 }
2696 #endif
2697
2698 #ifdef PNG_READ_UNKNOWN_CHUNKS_SUPPORTED
2699 /* Utility function for png_handle_unknown; set up png_ptr::unknown_chunk */
2700 static int
2701 png_cache_unknown_chunk(png_structrp png_ptr, png_uint_32 length)
2702 {
2703 png_alloc_size_t limit = PNG_SIZE_MAX;
2704
2705 if (png_ptr->unknown_chunk.data != NULL)
2706 {
2707 png_free(png_ptr, png_ptr->unknown_chunk.data);
2708 png_ptr->unknown_chunk.data = NULL;
2709 }
2710
2711 # ifdef PNG_SET_CHUNK_MALLOC_LIMIT_SUPPORTED
2712 if (png_ptr->user_chunk_malloc_max > 0 &&
2713 png_ptr->user_chunk_malloc_max < limit)
2714 limit = png_ptr->user_chunk_malloc_max;
2715
2716 # elif PNG_USER_CHUNK_MALLOC_MAX > 0
2717 if (PNG_USER_CHUNK_MALLOC_MAX < limit)
2718 limit = PNG_USER_CHUNK_MALLOC_MAX;
2719 # endif
2720
2721 if (length <= limit)
2722 {
2723 PNG_CSTRING_FROM_CHUNK(png_ptr->unknown_chunk.name, png_ptr->chunk_name);
2724 /* The following is safe because of the PNG_SIZE_MAX init above */
2725 png_ptr->unknown_chunk.size = (png_size_t)length/*SAFE*/;
2726 /* 'mode' is a flag array, only the bottom four bits matter here */
2727 png_ptr->unknown_chunk.location = (png_byte)png_ptr->mode/*SAFE*/;
2728
2729 if (length == 0)
2730 png_ptr->unknown_chunk.data = NULL;
2731
2732 else
2733 {
2734 /* Do a 'warn' here - it is handled below. */
2735 png_ptr->unknown_chunk.data = png_voidcast(png_bytep,
2736 png_malloc_warn(png_ptr, length));
2737 }
2738 }
2739
2740 if (png_ptr->unknown_chunk.data == NULL && length > 0)
2741 {
2742 /* This is benign because we clean up correctly */
2743 png_crc_finish(png_ptr, length);
2744 png_chunk_benign_error(png_ptr, "unknown chunk exceeds memory limits");
2745 return 0;
2746 }
2747
2302 else 2748 else
2303 { 2749 {
2304 comp_flag = *lang++; 2750 if (length > 0)
2305 comp_type = *lang++; 2751 png_crc_read(png_ptr, png_ptr->unknown_chunk.data, length);
2752 png_crc_finish(png_ptr, 0);
2753 return 1;
2306 } 2754 }
2307 2755 }
2308 for (lang_key = lang; *lang_key; lang_key++) 2756 #endif /* PNG_READ_UNKNOWN_CHUNKS_SUPPORTED */
2309 /* Empty loop */ ; 2757
2310 lang_key++; /* Skip NUL separator */ 2758 /* Handle an unknown, or known but disabled, chunk */
2311 2759 void /* PRIVATE */
2312 if (lang_key >= png_ptr->chunkdata + slength) 2760 png_handle_unknown(png_structrp png_ptr, png_inforp info_ptr,
2761 png_uint_32 length, int keep)
2762 {
2763 int handled = 0; /* the chunk was handled */
2764
2765 png_debug(1, "in png_handle_unknown");
2766
2767 #ifdef PNG_READ_UNKNOWN_CHUNKS_SUPPORTED
2768 /* NOTE: this code is based on the code in libpng-1.4.12 except for fixing
2769 * the bug which meant that setting a non-default behavior for a specific
2770 * chunk would be ignored (the default was always used unless a user
2771 * callback was installed).
2772 *
2773 * 'keep' is the value from the png_chunk_unknown_handling, the setting for
2774 * this specific chunk_name, if PNG_HANDLE_AS_UNKNOWN_SUPPORTED, if not it
2775 * will always be PNG_HANDLE_CHUNK_AS_DEFAULT and it needs to be set here.
2776 * This is just an optimization to avoid multiple calls to the lookup
2777 * function.
2778 */
2779 # ifndef PNG_HANDLE_AS_UNKNOWN_SUPPORTED
2780 # ifdef PNG_SET_UNKNOWN_CHUNKS_SUPPORTED
2781 keep = png_chunk_unknown_handling(png_ptr, png_ptr->chunk_name);
2782 # endif
2783 # endif
2784
2785 /* One of the following methods will read the chunk or skip it (at least one
2786 * of these is always defined because this is the only way to switch on
2787 * PNG_READ_UNKNOWN_CHUNKS_SUPPORTED)
2788 */
2789 # ifdef PNG_READ_USER_CHUNKS_SUPPORTED
2790 /* The user callback takes precedence over the chunk keep value, but the
2791 * keep value is still required to validate a save of a critical chunk.
2792 */
2793 if (png_ptr->read_user_chunk_fn != NULL)
2794 {
2795 if (png_cache_unknown_chunk(png_ptr, length))
2796 {
2797 /* Callback to user unknown chunk handler */
2798 int ret = (*(png_ptr->read_user_chunk_fn))(png_ptr,
2799 &png_ptr->unknown_chunk);
2800
2801 /* ret is:
2802 * negative: An error occured, png_chunk_error will be called.
2803 * zero: The chunk was not handled, the chunk will be discarded
2804 * unless png_set_keep_unknown_chunks has been used to set
2805 * a 'keep' behavior for this particular chunk, in which
2806 * case that will be used. A critical chunk will cause an
2807 * error at this point unless it is to be saved.
2808 * positive: The chunk was handled, libpng will ignore/discard it.
2809 */
2810 if (ret < 0)
2811 png_chunk_error(png_ptr, "error in user chunk");
2812
2813 else if (ret == 0)
2814 {
2815 /* If the keep value is 'default' or 'never' override it, but
2816 * still error out on critical chunks unless the keep value is
2817 * 'always' While this is weird it is the behavior in 1.4.12.
2818 * A possible improvement would be to obey the value set for the
2819 * chunk, but this would be an API change that would probably
2820 * damage some applications.
2821 *
2822 * The png_app_warning below catches the case that matters, where
2823 * the application has not set specific save or ignore for this
2824 * chunk or global save or ignore.
2825 */
2826 if (keep < PNG_HANDLE_CHUNK_IF_SAFE)
2827 {
2828 # ifdef PNG_SET_UNKNOWN_CHUNKS_SUPPORTED
2829 if (png_ptr->unknown_default < PNG_HANDLE_CHUNK_IF_SAFE)
2830 {
2831 png_chunk_warning(png_ptr, "Saving unknown chunk:");
2832 png_app_warning(png_ptr,
2833 "forcing save of an unhandled chunk;"
2834 " please call png_set_keep_unknown_chunks");
2835 /* with keep = PNG_HANDLE_CHUNK_IF_SAFE */
2836 }
2837 # endif
2838 keep = PNG_HANDLE_CHUNK_IF_SAFE;
2839 }
2840 }
2841
2842 else /* chunk was handled */
2843 {
2844 handled = 1;
2845 /* Critical chunks can be safely discarded at this point. */
2846 keep = PNG_HANDLE_CHUNK_NEVER;
2847 }
2848 }
2849
2850 else
2851 keep = PNG_HANDLE_CHUNK_NEVER; /* insufficient memory */
2852 }
2853
2854 else
2855 /* Use the SAVE_UNKNOWN_CHUNKS code or skip the chunk */
2856 # endif /* PNG_READ_USER_CHUNKS_SUPPORTED */
2857
2858 # ifdef PNG_SAVE_UNKNOWN_CHUNKS_SUPPORTED
2859 {
2860 /* keep is currently just the per-chunk setting, if there was no
2861 * setting change it to the global default now (not that this may
2862 * still be AS_DEFAULT) then obtain the cache of the chunk if required,
2863 * if not simply skip the chunk.
2864 */
2865 if (keep == PNG_HANDLE_CHUNK_AS_DEFAULT)
2866 keep = png_ptr->unknown_default;
2867
2868 if (keep == PNG_HANDLE_CHUNK_ALWAYS ||
2869 (keep == PNG_HANDLE_CHUNK_IF_SAFE &&
2870 PNG_CHUNK_ANCILLARY(png_ptr->chunk_name)))
2871 {
2872 if (!png_cache_unknown_chunk(png_ptr, length))
2873 keep = PNG_HANDLE_CHUNK_NEVER;
2874 }
2875
2876 else
2877 png_crc_finish(png_ptr, length);
2878 }
2879 # else
2880 # ifndef PNG_READ_USER_CHUNKS_SUPPORTED
2881 # error no method to support READ_UNKNOWN_CHUNKS
2882 # endif
2883
2884 {
2885 /* If here there is no read callback pointer set and no support is
2886 * compiled in to just save the unknown chunks, so simply skip this
2887 * chunk. If 'keep' is something other than AS_DEFAULT or NEVER then
2888 * the app has erroneously asked for unknown chunk saving when there
2889 * is no support.
2890 */
2891 if (keep > PNG_HANDLE_CHUNK_NEVER)
2892 png_app_error(png_ptr, "no unknown chunk support available");
2893
2894 png_crc_finish(png_ptr, length);
2895 }
2896 # endif
2897
2898 # ifdef PNG_STORE_UNKNOWN_CHUNKS_SUPPORTED
2899 /* Now store the chunk in the chunk list if appropriate, and if the limits
2900 * permit it.
2901 */
2902 if (keep == PNG_HANDLE_CHUNK_ALWAYS ||
2903 (keep == PNG_HANDLE_CHUNK_IF_SAFE &&
2904 PNG_CHUNK_ANCILLARY(png_ptr->chunk_name)))
2905 {
2906 # ifdef PNG_USER_LIMITS_SUPPORTED
2907 switch (png_ptr->user_chunk_cache_max)
2908 {
2909 case 2:
2910 png_ptr->user_chunk_cache_max = 1;
2911 png_chunk_benign_error(png_ptr, "no space in chunk cache");
2912 /* FALL THROUGH */
2913 case 1:
2914 /* NOTE: prior to 1.6.0 this case resulted in an unknown critical
2915 * chunk being skipped, now there will be a hard error below.
2916 */
2917 break;
2918
2919 default: /* not at limit */
2920 --(png_ptr->user_chunk_cache_max);
2921 /* FALL THROUGH */
2922 case 0: /* no limit */
2923 # endif /* PNG_USER_LIMITS_SUPPORTED */
2924 /* Here when the limit isn't reached or when limits are compiled
2925 * out; store the chunk.
2926 */
2927 png_set_unknown_chunks(png_ptr, info_ptr,
2928 &png_ptr->unknown_chunk, 1);
2929 handled = 1;
2930 # ifdef PNG_USER_LIMITS_SUPPORTED
2931 break;
2932 }
2933 # endif
2934 }
2935 # else /* no store support! */
2936 PNG_UNUSED(info_ptr)
2937 # error untested code (reading unknown chunks with no store support)
2938 # endif
2939
2940 /* Regardless of the error handling below the cached data (if any) can be
2941 * freed now. Notice that the data is not freed if there is a png_error, but
2942 * it will be freed by destroy_read_struct.
2943 */
2944 if (png_ptr->unknown_chunk.data != NULL)
2945 png_free(png_ptr, png_ptr->unknown_chunk.data);
2946 png_ptr->unknown_chunk.data = NULL;
2947
2948 #else /* !PNG_READ_UNKNOWN_CHUNKS_SUPPORTED */
2949 /* There is no support to read an unknown chunk, so just skip it. */
2950 png_crc_finish(png_ptr, length);
2951 PNG_UNUSED(info_ptr)
2952 PNG_UNUSED(keep)
2953 #endif /* !PNG_READ_UNKNOWN_CHUNKS_SUPPORTED */
2954
2955 /* Check for unhandled critical chunks */
2956 if (!handled && PNG_CHUNK_CRITICAL(png_ptr->chunk_name))
2957 png_chunk_error(png_ptr, "unhandled critical chunk");
2958 }
2959
2960 /* This function is called to verify that a chunk name is valid.
2961 * This function can't have the "critical chunk check" incorporated
2962 * into it, since in the future we will need to be able to call user
2963 * functions to handle unknown critical chunks after we check that
2964 * the chunk name itself is valid.
2965 */
2966
2967 /* Bit hacking: the test for an invalid byte in the 4 byte chunk name is:
2968 *
2969 * ((c) < 65 || (c) > 122 || ((c) > 90 && (c) < 97))
2970 */
2971
2972 void /* PRIVATE */
2973 png_check_chunk_name(png_structrp png_ptr, png_uint_32 chunk_name)
2974 {
2975 int i;
2976
2977 png_debug(1, "in png_check_chunk_name");
2978
2979 for (i=1; i<=4; ++i)
2313 { 2980 {
2314 png_warning(png_ptr, "Truncated iTXt chunk"); 2981 int c = chunk_name & 0xff;
2315 png_free(png_ptr, png_ptr->chunkdata); 2982
2316 png_ptr->chunkdata = NULL; 2983 if (c < 65 || c > 122 || (c > 90 && c < 97))
2317 return; 2984 png_chunk_error(png_ptr, "invalid chunk type");
2985
2986 chunk_name >>= 8;
2318 } 2987 }
2319 2988 }
2320 for (text = lang_key; *text; text++) 2989
2321 /* Empty loop */ ; 2990 /* Combines the row recently read in with the existing pixels in the row. This
2322 text++; /* Skip NUL separator */ 2991 * routine takes care of alpha and transparency if requested. This routine also
2323 if (text >= png_ptr->chunkdata + slength) 2992 * handles the two methods of progressive display of interlaced images,
2993 * depending on the 'display' value; if 'display' is true then the whole row
2994 * (dp) is filled from the start by replicating the available pixels. If
2995 * 'display' is false only those pixels present in the pass are filled in.
2996 */
2997 void /* PRIVATE */
2998 png_combine_row(png_const_structrp png_ptr, png_bytep dp, int display)
2999 {
3000 unsigned int pixel_depth = png_ptr->transformed_pixel_depth;
3001 png_const_bytep sp = png_ptr->row_buf + 1;
3002 png_uint_32 row_width = png_ptr->width;
3003 unsigned int pass = png_ptr->pass;
3004 png_bytep end_ptr = 0;
3005 png_byte end_byte = 0;
3006 unsigned int end_mask;
3007
3008 png_debug(1, "in png_combine_row");
3009
3010 /* Added in 1.5.6: it should not be possible to enter this routine until at
3011 * least one row has been read from the PNG data and transformed.
3012 */
3013 if (pixel_depth == 0)
3014 png_error(png_ptr, "internal row logic error");
3015
3016 /* Added in 1.5.4: the pixel depth should match the information returned by
3017 * any call to png_read_update_info at this point. Do not continue if we got
3018 * this wrong.
3019 */
3020 if (png_ptr->info_rowbytes != 0 && png_ptr->info_rowbytes !=
3021 PNG_ROWBYTES(pixel_depth, row_width))
3022 png_error(png_ptr, "internal row size calculation error");
3023
3024 /* Don't expect this to ever happen: */
3025 if (row_width == 0)
3026 png_error(png_ptr, "internal row width error");
3027
3028 /* Preserve the last byte in cases where only part of it will be overwritten,
3029 * the multiply below may overflow, we don't care because ANSI-C guarantees
3030 * we get the low bits.
3031 */
3032 end_mask = (pixel_depth * row_width) & 7;
3033 if (end_mask != 0)
2324 { 3034 {
2325 png_warning(png_ptr, "Malformed iTXt chunk"); 3035 /* end_ptr == NULL is a flag to say do nothing */
2326 png_free(png_ptr, png_ptr->chunkdata); 3036 end_ptr = dp + PNG_ROWBYTES(pixel_depth, row_width) - 1;
2327 png_ptr->chunkdata = NULL; 3037 end_byte = *end_ptr;
2328 return; 3038 # ifdef PNG_READ_PACKSWAP_SUPPORTED
3039 if (png_ptr->transformations & PNG_PACKSWAP) /* little-endian byte */
3040 end_mask = 0xff << end_mask;
3041
3042 else /* big-endian byte */
3043 # endif
3044 end_mask = 0xff >> end_mask;
3045 /* end_mask is now the bits to *keep* from the destination row */
2329 } 3046 }
2330 3047
2331 prefix_len = text - png_ptr->chunkdata; 3048 /* For non-interlaced images this reduces to a memcpy(). A memcpy()
2332 3049 * will also happen if interlacing isn't supported or if the application
2333 key=png_ptr->chunkdata; 3050 * does not call png_set_interlace_handling(). In the latter cases the
2334 if (comp_flag) 3051 * caller just gets a sequence of the unexpanded rows from each interlace
2335 png_decompress_chunk(png_ptr, comp_type, 3052 * pass.
2336 (size_t)length, prefix_len, &data_len); 3053 */
2337 else 3054 #ifdef PNG_READ_INTERLACING_SUPPORTED
2338 data_len = png_strlen(png_ptr->chunkdata + prefix_len); 3055 if (png_ptr->interlaced && (png_ptr->transformations & PNG_INTERLACE) &&
2339 text_ptr = (png_textp)png_malloc_warn(png_ptr, 3056 pass < 6 && (display == 0 ||
2340 (png_uint_32)png_sizeof(png_text)); 3057 /* The following copies everything for 'display' on passes 0, 2 and 4. */
2341 if (text_ptr == NULL) 3058 (display == 1 && (pass & 1) != 0)))
2342 { 3059 {
2343 png_warning(png_ptr, "Not enough memory to process iTXt chunk."); 3060 /* Narrow images may have no bits in a pass; the caller should handle
2344 png_free(png_ptr, png_ptr->chunkdata); 3061 * this, but this test is cheap:
2345 png_ptr->chunkdata = NULL; 3062 */
2346 return; 3063 if (row_width <= PNG_PASS_START_COL(pass))
2347 } 3064 return;
2348 text_ptr->compression = (int)comp_flag + 1; 3065
2349 text_ptr->lang_key = png_ptr->chunkdata + (lang_key - key); 3066 if (pixel_depth < 8)
2350 text_ptr->lang = png_ptr->chunkdata + (lang - key);
2351 text_ptr->itxt_length = data_len;
2352 text_ptr->text_length = 0;
2353 text_ptr->key = png_ptr->chunkdata;
2354 text_ptr->text = png_ptr->chunkdata + prefix_len;
2355
2356 ret = png_set_text_2(png_ptr, info_ptr, text_ptr, 1);
2357
2358 png_free(png_ptr, text_ptr);
2359 png_free(png_ptr, png_ptr->chunkdata);
2360 png_ptr->chunkdata = NULL;
2361 if (ret)
2362 png_error(png_ptr, "Insufficient memory to store iTXt chunk.");
2363 }
2364 #endif
2365
2366 /* This function is called when we haven't found a handler for a
2367 chunk. If there isn't a problem with the chunk itself (ie bad
2368 chunk name, CRC, or a critical chunk), the chunk is silently ignored
2369 -- unless the PNG_FLAG_UNKNOWN_CHUNKS_SUPPORTED flag is on in which
2370 case it will be saved away to be written out later. */
2371 void /* PRIVATE */
2372 png_handle_unknown(png_structp png_ptr, png_infop info_ptr, png_uint_32 length)
2373 {
2374 png_uint_32 skip = 0;
2375
2376 png_debug(1, "in png_handle_unknown");
2377
2378 #ifdef PNG_USER_LIMITS_SUPPORTED
2379 if (png_ptr->user_chunk_cache_max != 0)
2380 {
2381 if (png_ptr->user_chunk_cache_max == 1)
2382 { 3067 {
2383 png_crc_finish(png_ptr, length); 3068 /* For pixel depths up to 4 bpp the 8-pixel mask can be expanded to fit
2384 return; 3069 * into 32 bits, then a single loop over the bytes using the four byte
3070 * values in the 32-bit mask can be used. For the 'display' option the
3071 * expanded mask may also not require any masking within a byte. To
3072 * make this work the PACKSWAP option must be taken into account - it
3073 * simply requires the pixels to be reversed in each byte.
3074 *
3075 * The 'regular' case requires a mask for each of the first 6 passes,
3076 * the 'display' case does a copy for the even passes in the range
3077 * 0..6. This has already been handled in the test above.
3078 *
3079 * The masks are arranged as four bytes with the first byte to use in
3080 * the lowest bits (little-endian) regardless of the order (PACKSWAP or
3081 * not) of the pixels in each byte.
3082 *
3083 * NOTE: the whole of this logic depends on the caller of this function
3084 * only calling it on rows appropriate to the pass. This function only
3085 * understands the 'x' logic; the 'y' logic is handled by the caller.
3086 *
3087 * The following defines allow generation of compile time constant bit
3088 * masks for each pixel depth and each possibility of swapped or not
3089 * swapped bytes. Pass 'p' is in the range 0..6; 'x', a pixel index,
3090 * is in the range 0..7; and the result is 1 if the pixel is to be
3091 * copied in the pass, 0 if not. 'S' is for the sparkle method, 'B'
3092 * for the block method.
3093 *
3094 * With some compilers a compile time expression of the general form:
3095 *
3096 * (shift >= 32) ? (a >> (shift-32)) : (b >> shift)
3097 *
3098 * Produces warnings with values of 'shift' in the range 33 to 63
3099 * because the right hand side of the ?: expression is evaluated by
3100 * the compiler even though it isn't used. Microsoft Visual C (various
3101 * versions) and the Intel C compiler are known to do this. To avoid
3102 * this the following macros are used in 1.5.6. This is a temporary
3103 * solution to avoid destabilizing the code during the release process.
3104 */
3105 # if PNG_USE_COMPILE_TIME_MASKS
3106 # define PNG_LSR(x,s) ((x)>>((s) & 0x1f))
3107 # define PNG_LSL(x,s) ((x)<<((s) & 0x1f))
3108 # else
3109 # define PNG_LSR(x,s) ((x)>>(s))
3110 # define PNG_LSL(x,s) ((x)<<(s))
3111 # endif
3112 # define S_COPY(p,x) (((p)<4 ? PNG_LSR(0x80088822,(3-(p))*8+(7-(x))) :\
3113 PNG_LSR(0xaa55ff00,(7-(p))*8+(7-(x)))) & 1)
3114 # define B_COPY(p,x) (((p)<4 ? PNG_LSR(0xff0fff33,(3-(p))*8+(7-(x))) :\
3115 PNG_LSR(0xff55ff00,(7-(p))*8+(7-(x)))) & 1)
3116
3117 /* Return a mask for pass 'p' pixel 'x' at depth 'd'. The mask is
3118 * little endian - the first pixel is at bit 0 - however the extra
3119 * parameter 's' can be set to cause the mask position to be swapped
3120 * within each byte, to match the PNG format. This is done by XOR of
3121 * the shift with 7, 6 or 4 for bit depths 1, 2 and 4.
3122 */
3123 # define PIXEL_MASK(p,x,d,s) \
3124 (PNG_LSL(((PNG_LSL(1U,(d)))-1),(((x)*(d))^((s)?8-(d):0))))
3125
3126 /* Hence generate the appropriate 'block' or 'sparkle' pixel copy mask.
3127 */
3128 # define S_MASKx(p,x,d,s) (S_COPY(p,x)?PIXEL_MASK(p,x,d,s):0)
3129 # define B_MASKx(p,x,d,s) (B_COPY(p,x)?PIXEL_MASK(p,x,d,s):0)
3130
3131 /* Combine 8 of these to get the full mask. For the 1-bpp and 2-bpp
3132 * cases the result needs replicating, for the 4-bpp case the above
3133 * generates a full 32 bits.
3134 */
3135 # define MASK_EXPAND(m,d) ((m)*((d)==1?0x01010101:((d)==2?0x00010001:1)))
3136
3137 # define S_MASK(p,d,s) MASK_EXPAND(S_MASKx(p,0,d,s) + S_MASKx(p,1,d,s) +\
3138 S_MASKx(p,2,d,s) + S_MASKx(p,3,d,s) + S_MASKx(p,4,d,s) +\
3139 S_MASKx(p,5,d,s) + S_MASKx(p,6,d,s) + S_MASKx(p,7,d,s), d)
3140
3141 # define B_MASK(p,d,s) MASK_EXPAND(B_MASKx(p,0,d,s) + B_MASKx(p,1,d,s) +\
3142 B_MASKx(p,2,d,s) + B_MASKx(p,3,d,s) + B_MASKx(p,4,d,s) +\
3143 B_MASKx(p,5,d,s) + B_MASKx(p,6,d,s) + B_MASKx(p,7,d,s), d)
3144
3145 #if PNG_USE_COMPILE_TIME_MASKS
3146 /* Utility macros to construct all the masks for a depth/swap
3147 * combination. The 's' parameter says whether the format is PNG
3148 * (big endian bytes) or not. Only the three odd-numbered passes are
3149 * required for the display/block algorithm.
3150 */
3151 # define S_MASKS(d,s) { S_MASK(0,d,s), S_MASK(1,d,s), S_MASK(2,d,s),\
3152 S_MASK(3,d,s), S_MASK(4,d,s), S_MASK(5,d,s) }
3153
3154 # define B_MASKS(d,s) { B_MASK(1,d,s), S_MASK(3,d,s), S_MASK(5,d,s) }
3155
3156 # define DEPTH_INDEX(d) ((d)==1?0:((d)==2?1:2))
3157
3158 /* Hence the pre-compiled masks indexed by PACKSWAP (or not), depth and
3159 * then pass:
3160 */
3161 static PNG_CONST png_uint_32 row_mask[2/*PACKSWAP*/][3/*depth*/][6] =
3162 {
3163 /* Little-endian byte masks for PACKSWAP */
3164 { S_MASKS(1,0), S_MASKS(2,0), S_MASKS(4,0) },
3165 /* Normal (big-endian byte) masks - PNG format */
3166 { S_MASKS(1,1), S_MASKS(2,1), S_MASKS(4,1) }
3167 };
3168
3169 /* display_mask has only three entries for the odd passes, so index by
3170 * pass>>1.
3171 */
3172 static PNG_CONST png_uint_32 display_mask[2][3][3] =
3173 {
3174 /* Little-endian byte masks for PACKSWAP */
3175 { B_MASKS(1,0), B_MASKS(2,0), B_MASKS(4,0) },
3176 /* Normal (big-endian byte) masks - PNG format */
3177 { B_MASKS(1,1), B_MASKS(2,1), B_MASKS(4,1) }
3178 };
3179
3180 # define MASK(pass,depth,display,png)\
3181 ((display)?display_mask[png][DEPTH_INDEX(depth)][pass>>1]:\
3182 row_mask[png][DEPTH_INDEX(depth)][pass])
3183
3184 #else /* !PNG_USE_COMPILE_TIME_MASKS */
3185 /* This is the runtime alternative: it seems unlikely that this will
3186 * ever be either smaller or faster than the compile time approach.
3187 */
3188 # define MASK(pass,depth,display,png)\
3189 ((display)?B_MASK(pass,depth,png):S_MASK(pass,depth,png))
3190 #endif /* !PNG_USE_COMPILE_TIME_MASKS */
3191
3192 /* Use the appropriate mask to copy the required bits. In some cases
3193 * the byte mask will be 0 or 0xff, optimize these cases. row_width is
3194 * the number of pixels, but the code copies bytes, so it is necessary
3195 * to special case the end.
3196 */
3197 png_uint_32 pixels_per_byte = 8 / pixel_depth;
3198 png_uint_32 mask;
3199
3200 # ifdef PNG_READ_PACKSWAP_SUPPORTED
3201 if (png_ptr->transformations & PNG_PACKSWAP)
3202 mask = MASK(pass, pixel_depth, display, 0);
3203
3204 else
3205 # endif
3206 mask = MASK(pass, pixel_depth, display, 1);
3207
3208 for (;;)
3209 {
3210 png_uint_32 m;
3211
3212 /* It doesn't matter in the following if png_uint_32 has more than
3213 * 32 bits because the high bits always match those in m<<24; it is,
3214 * however, essential to use OR here, not +, because of this.
3215 */
3216 m = mask;
3217 mask = (m >> 8) | (m << 24); /* rotate right to good compilers */
3218 m &= 0xff;
3219
3220 if (m != 0) /* something to copy */
3221 {
3222 if (m != 0xff)
3223 *dp = (png_byte)((*dp & ~m) | (*sp & m));
3224 else
3225 *dp = *sp;
3226 }
3227
3228 /* NOTE: this may overwrite the last byte with garbage if the image
3229 * is not an exact number of bytes wide; libpng has always done
3230 * this.
3231 */
3232 if (row_width <= pixels_per_byte)
3233 break; /* May need to restore part of the last byte */
3234
3235 row_width -= pixels_per_byte;
3236 ++dp;
3237 ++sp;
3238 }
2385 } 3239 }
2386 if (--png_ptr->user_chunk_cache_max == 1) 3240
3241 else /* pixel_depth >= 8 */
2387 { 3242 {
2388 png_warning(png_ptr, "No space in chunk cache for unknown chunk"); 3243 unsigned int bytes_to_copy, bytes_to_jump;
2389 png_crc_finish(png_ptr, length); 3244
2390 return; 3245 /* Validate the depth - it must be a multiple of 8 */
2391 } 3246 if (pixel_depth & 7)
2392 } 3247 png_error(png_ptr, "invalid user transform pixel depth");
2393 #endif 3248
2394 3249 pixel_depth >>= 3; /* now in bytes */
2395 if (png_ptr->mode & PNG_HAVE_IDAT) 3250 row_width *= pixel_depth;
2396 { 3251
2397 #ifdef PNG_USE_LOCAL_ARRAYS 3252 /* Regardless of pass number the Adam 7 interlace always results in a
2398 PNG_CONST PNG_IDAT; 3253 * fixed number of pixels to copy then to skip. There may be a
2399 #endif 3254 * different number of pixels to skip at the start though.
2400 if (png_memcmp(png_ptr->chunk_name, png_IDAT, 4)) /* Not an IDAT */ 3255 */
2401 png_ptr->mode |= PNG_AFTER_IDAT; 3256 {
2402 } 3257 unsigned int offset = PNG_PASS_START_COL(pass) * pixel_depth;
2403 3258
2404 if (!(png_ptr->chunk_name[0] & 0x20)) 3259 row_width -= offset;
2405 { 3260 dp += offset;
2406 #ifdef PNG_HANDLE_AS_UNKNOWN_SUPPORTED 3261 sp += offset;
2407 if (png_handle_as_unknown(png_ptr, png_ptr->chunk_name) != 3262 }
2408 PNG_HANDLE_CHUNK_ALWAYS 3263
2409 #ifdef PNG_READ_USER_CHUNKS_SUPPORTED 3264 /* Work out the bytes to copy. */
2410 && png_ptr->read_user_chunk_fn == NULL 3265 if (display)
2411 #endif 3266 {
2412 ) 3267 /* When doing the 'block' algorithm the pixel in the pass gets
2413 #endif 3268 * replicated to adjacent pixels. This is why the even (0,2,4,6)
2414 png_chunk_error(png_ptr, "unknown critical chunk"); 3269 * passes are skipped above - the entire expanded row is copied.
2415 } 3270 */
2416 3271 bytes_to_copy = (1<<((6-pass)>>1)) * pixel_depth;
2417 #ifdef PNG_READ_UNKNOWN_CHUNKS_SUPPORTED 3272
2418 if ((png_ptr->flags & PNG_FLAG_KEEP_UNKNOWN_CHUNKS) 3273 /* But don't allow this number to exceed the actual row width. */
2419 #ifdef PNG_READ_USER_CHUNKS_SUPPORTED 3274 if (bytes_to_copy > row_width)
2420 || (png_ptr->read_user_chunk_fn != NULL) 3275 bytes_to_copy = row_width;
2421 #endif 3276 }
2422 ) 3277
2423 { 3278 else /* normal row; Adam7 only ever gives us one pixel to copy. */
2424 #ifdef PNG_MAX_MALLOC_64K 3279 bytes_to_copy = pixel_depth;
2425 if (length > (png_uint_32)65535L) 3280
2426 { 3281 /* In Adam7 there is a constant offset between where the pixels go. */
2427 png_warning(png_ptr, "unknown chunk too large to fit in memory"); 3282 bytes_to_jump = PNG_PASS_COL_OFFSET(pass) * pixel_depth;
2428 skip = length - (png_uint_32)65535L; 3283
2429 length = (png_uint_32)65535L; 3284 /* And simply copy these bytes. Some optimization is possible here,
2430 } 3285 * depending on the value of 'bytes_to_copy'. Special case the low
2431 #endif 3286 * byte counts, which we know to be frequent.
2432 png_memcpy((png_charp)png_ptr->unknown_chunk.name, 3287 *
2433 (png_charp)png_ptr->chunk_name, 3288 * Notice that these cases all 'return' rather than 'break' - this
2434 png_sizeof(png_ptr->unknown_chunk.name)); 3289 * avoids an unnecessary test on whether to restore the last byte
2435 png_ptr->unknown_chunk.name[png_sizeof(png_ptr->unknown_chunk.name)-1] 3290 * below.
2436 = '\0'; 3291 */
2437 png_ptr->unknown_chunk.size = (png_size_t)length; 3292 switch (bytes_to_copy)
2438 if (length == 0) 3293 {
2439 png_ptr->unknown_chunk.data = NULL; 3294 case 1:
2440 else 3295 for (;;)
2441 { 3296 {
2442 png_ptr->unknown_chunk.data = (png_bytep)png_malloc(png_ptr, length); 3297 *dp = *sp;
2443 png_crc_read(png_ptr, (png_bytep)png_ptr->unknown_chunk.data, length); 3298
2444 } 3299 if (row_width <= bytes_to_jump)
2445 #ifdef PNG_READ_USER_CHUNKS_SUPPORTED 3300 return;
2446 if (png_ptr->read_user_chunk_fn != NULL) 3301
2447 { 3302 dp += bytes_to_jump;
2448 /* Callback to user unknown chunk handler */ 3303 sp += bytes_to_jump;
2449 int ret; 3304 row_width -= bytes_to_jump;
2450 ret = (*(png_ptr->read_user_chunk_fn)) 3305 }
2451 (png_ptr, &png_ptr->unknown_chunk); 3306
2452 if (ret < 0) 3307 case 2:
2453 png_chunk_error(png_ptr, "error in user chunk"); 3308 /* There is a possibility of a partial copy at the end here; this
2454 if (ret == 0) 3309 * slows the code down somewhat.
2455 { 3310 */
2456 if (!(png_ptr->chunk_name[0] & 0x20)) 3311 do
2457 #ifdef PNG_HANDLE_AS_UNKNOWN_SUPPORTED 3312 {
2458 if (png_handle_as_unknown(png_ptr, png_ptr->chunk_name) != 3313 dp[0] = sp[0], dp[1] = sp[1];
2459 PNG_HANDLE_CHUNK_ALWAYS) 3314
2460 #endif 3315 if (row_width <= bytes_to_jump)
2461 png_chunk_error(png_ptr, "unknown critical chunk"); 3316 return;
2462 png_set_unknown_chunks(png_ptr, info_ptr, 3317
2463 &png_ptr->unknown_chunk, 1); 3318 sp += bytes_to_jump;
2464 } 3319 dp += bytes_to_jump;
2465 } 3320 row_width -= bytes_to_jump;
2466 else 3321 }
2467 #endif 3322 while (row_width > 1);
2468 png_set_unknown_chunks(png_ptr, info_ptr, &png_ptr->unknown_chunk, 1); 3323
2469 png_free(png_ptr, png_ptr->unknown_chunk.data); 3324 /* And there can only be one byte left at this point: */
2470 png_ptr->unknown_chunk.data = NULL; 3325 *dp = *sp;
3326 return;
3327
3328 case 3:
3329 /* This can only be the RGB case, so each copy is exactly one
3330 * pixel and it is not necessary to check for a partial copy.
3331 */
3332 for(;;)
3333 {
3334 dp[0] = sp[0], dp[1] = sp[1], dp[2] = sp[2];
3335
3336 if (row_width <= bytes_to_jump)
3337 return;
3338
3339 sp += bytes_to_jump;
3340 dp += bytes_to_jump;
3341 row_width -= bytes_to_jump;
3342 }
3343
3344 default:
3345 #if PNG_ALIGN_TYPE != PNG_ALIGN_NONE
3346 /* Check for double byte alignment and, if possible, use a
3347 * 16-bit copy. Don't attempt this for narrow images - ones that
3348 * are less than an interlace panel wide. Don't attempt it for
3349 * wide bytes_to_copy either - use the memcpy there.
3350 */
3351 if (bytes_to_copy < 16 /*else use memcpy*/ &&
3352 png_isaligned(dp, png_uint_16) &&
3353 png_isaligned(sp, png_uint_16) &&
3354 bytes_to_copy % (sizeof (png_uint_16)) == 0 &&
3355 bytes_to_jump % (sizeof (png_uint_16)) == 0)
3356 {
3357 /* Everything is aligned for png_uint_16 copies, but try for
3358 * png_uint_32 first.
3359 */
3360 if (png_isaligned(dp, png_uint_32) &&
3361 png_isaligned(sp, png_uint_32) &&
3362 bytes_to_copy % (sizeof (png_uint_32)) == 0 &&
3363 bytes_to_jump % (sizeof (png_uint_32)) == 0)
3364 {
3365 png_uint_32p dp32 = png_aligncast(png_uint_32p,dp);
3366 png_const_uint_32p sp32 = png_aligncastconst(
3367 png_const_uint_32p, sp);
3368 size_t skip = (bytes_to_jump-bytes_to_copy) /
3369 (sizeof (png_uint_32));
3370
3371 do
3372 {
3373 size_t c = bytes_to_copy;
3374 do
3375 {
3376 *dp32++ = *sp32++;
3377 c -= (sizeof (png_uint_32));
3378 }
3379 while (c > 0);
3380
3381 if (row_width <= bytes_to_jump)
3382 return;
3383
3384 dp32 += skip;
3385 sp32 += skip;
3386 row_width -= bytes_to_jump;
3387 }
3388 while (bytes_to_copy <= row_width);
3389
3390 /* Get to here when the row_width truncates the final copy.
3391 * There will be 1-3 bytes left to copy, so don't try the
3392 * 16-bit loop below.
3393 */
3394 dp = (png_bytep)dp32;
3395 sp = (png_const_bytep)sp32;
3396 do
3397 *dp++ = *sp++;
3398 while (--row_width > 0);
3399 return;
3400 }
3401
3402 /* Else do it in 16-bit quantities, but only if the size is
3403 * not too large.
3404 */
3405 else
3406 {
3407 png_uint_16p dp16 = png_aligncast(png_uint_16p, dp);
3408 png_const_uint_16p sp16 = png_aligncastconst(
3409 png_const_uint_16p, sp);
3410 size_t skip = (bytes_to_jump-bytes_to_copy) /
3411 (sizeof (png_uint_16));
3412
3413 do
3414 {
3415 size_t c = bytes_to_copy;
3416 do
3417 {
3418 *dp16++ = *sp16++;
3419 c -= (sizeof (png_uint_16));
3420 }
3421 while (c > 0);
3422
3423 if (row_width <= bytes_to_jump)
3424 return;
3425
3426 dp16 += skip;
3427 sp16 += skip;
3428 row_width -= bytes_to_jump;
3429 }
3430 while (bytes_to_copy <= row_width);
3431
3432 /* End of row - 1 byte left, bytes_to_copy > row_width: */
3433 dp = (png_bytep)dp16;
3434 sp = (png_const_bytep)sp16;
3435 do
3436 *dp++ = *sp++;
3437 while (--row_width > 0);
3438 return;
3439 }
3440 }
3441 #endif /* PNG_ALIGN_ code */
3442
3443 /* The true default - use a memcpy: */
3444 for (;;)
3445 {
3446 memcpy(dp, sp, bytes_to_copy);
3447
3448 if (row_width <= bytes_to_jump)
3449 return;
3450
3451 sp += bytes_to_jump;
3452 dp += bytes_to_jump;
3453 row_width -= bytes_to_jump;
3454 if (bytes_to_copy > row_width)
3455 bytes_to_copy = row_width;
3456 }
3457 }
3458
3459 /* NOT REACHED*/
3460 } /* pixel_depth >= 8 */
3461
3462 /* Here if pixel_depth < 8 to check 'end_ptr' below. */
2471 } 3463 }
2472 else 3464 else
2473 #endif 3465 #endif
2474 skip = length; 3466
2475 3467 /* If here then the switch above wasn't used so just memcpy the whole row
2476 png_crc_finish(png_ptr, skip); 3468 * from the temporary row buffer (notice that this overwrites the end of the
2477 3469 * destination row if it is a partial byte.)
2478 #ifndef PNG_READ_USER_CHUNKS_SUPPORTED 3470 */
2479 info_ptr = info_ptr; /* Quiet compiler warnings about unused info_ptr */ 3471 memcpy(dp, sp, PNG_ROWBYTES(pixel_depth, row_width));
2480 #endif 3472
3473 /* Restore the overwritten bits from the last byte if necessary. */
3474 if (end_ptr != NULL)
3475 *end_ptr = (png_byte)((end_byte & end_mask) | (*end_ptr & ~end_mask));
2481 } 3476 }
2482 3477
2483 /* This function is called to verify that a chunk name is valid. 3478 #ifdef PNG_READ_INTERLACING_SUPPORTED
2484 This function can't have the "critical chunk check" incorporated
2485 into it, since in the future we will need to be able to call user
2486 functions to handle unknown critical chunks after we check that
2487 the chunk name itself is valid. */
2488
2489 #define isnonalpha(c) ((c) < 65 || (c) > 122 || ((c) > 90 && (c) < 97))
2490
2491 void /* PRIVATE */ 3479 void /* PRIVATE */
2492 png_check_chunk_name(png_structp png_ptr, png_bytep chunk_name) 3480 png_do_read_interlace(png_row_infop row_info, png_bytep row, int pass,
3481 png_uint_32 transformations /* Because these may affect the byte layout */)
2493 { 3482 {
2494 png_debug(1, "in png_check_chunk_name");
2495 if (isnonalpha(chunk_name[0]) || isnonalpha(chunk_name[1]) ||
2496 isnonalpha(chunk_name[2]) || isnonalpha(chunk_name[3]))
2497 {
2498 png_chunk_error(png_ptr, "invalid chunk type");
2499 }
2500 }
2501
2502 /* Combines the row recently read in with the existing pixels in the
2503 row. This routine takes care of alpha and transparency if requested.
2504 This routine also handles the two methods of progressive display
2505 of interlaced images, depending on the mask value.
2506 The mask value describes which pixels are to be combined with
2507 the row. The pattern always repeats every 8 pixels, so just 8
2508 bits are needed. A one indicates the pixel is to be combined,
2509 a zero indicates the pixel is to be skipped. This is in addition
2510 to any alpha or transparency value associated with the pixel. If
2511 you want all pixels to be combined, pass 0xff (255) in mask. */
2512
2513 void /* PRIVATE */
2514 png_combine_row(png_structp png_ptr, png_bytep row, int mask)
2515 {
2516 png_debug(1, "in png_combine_row");
2517 if (mask == 0xff)
2518 {
2519 png_memcpy(row, png_ptr->row_buf + 1,
2520 PNG_ROWBYTES(png_ptr->row_info.pixel_depth, png_ptr->width));
2521 }
2522 else
2523 {
2524 switch (png_ptr->row_info.pixel_depth)
2525 {
2526 case 1:
2527 {
2528 png_bytep sp = png_ptr->row_buf + 1;
2529 png_bytep dp = row;
2530 int s_inc, s_start, s_end;
2531 int m = 0x80;
2532 int shift;
2533 png_uint_32 i;
2534 png_uint_32 row_width = png_ptr->width;
2535
2536 #ifdef PNG_READ_PACKSWAP_SUPPORTED
2537 if (png_ptr->transformations & PNG_PACKSWAP)
2538 {
2539 s_start = 0;
2540 s_end = 7;
2541 s_inc = 1;
2542 }
2543 else
2544 #endif
2545 {
2546 s_start = 7;
2547 s_end = 0;
2548 s_inc = -1;
2549 }
2550
2551 shift = s_start;
2552
2553 for (i = 0; i < row_width; i++)
2554 {
2555 if (m & mask)
2556 {
2557 int value;
2558
2559 value = (*sp >> shift) & 0x01;
2560 *dp &= (png_byte)((0x7f7f >> (7 - shift)) & 0xff);
2561 *dp |= (png_byte)(value << shift);
2562 }
2563
2564 if (shift == s_end)
2565 {
2566 shift = s_start;
2567 sp++;
2568 dp++;
2569 }
2570 else
2571 shift += s_inc;
2572
2573 if (m == 1)
2574 m = 0x80;
2575 else
2576 m >>= 1;
2577 }
2578 break;
2579 }
2580 case 2:
2581 {
2582 png_bytep sp = png_ptr->row_buf + 1;
2583 png_bytep dp = row;
2584 int s_start, s_end, s_inc;
2585 int m = 0x80;
2586 int shift;
2587 png_uint_32 i;
2588 png_uint_32 row_width = png_ptr->width;
2589 int value;
2590
2591 #ifdef PNG_READ_PACKSWAP_SUPPORTED
2592 if (png_ptr->transformations & PNG_PACKSWAP)
2593 {
2594 s_start = 0;
2595 s_end = 6;
2596 s_inc = 2;
2597 }
2598 else
2599 #endif
2600 {
2601 s_start = 6;
2602 s_end = 0;
2603 s_inc = -2;
2604 }
2605
2606 shift = s_start;
2607
2608 for (i = 0; i < row_width; i++)
2609 {
2610 if (m & mask)
2611 {
2612 value = (*sp >> shift) & 0x03;
2613 *dp &= (png_byte)((0x3f3f >> (6 - shift)) & 0xff);
2614 *dp |= (png_byte)(value << shift);
2615 }
2616
2617 if (shift == s_end)
2618 {
2619 shift = s_start;
2620 sp++;
2621 dp++;
2622 }
2623 else
2624 shift += s_inc;
2625 if (m == 1)
2626 m = 0x80;
2627 else
2628 m >>= 1;
2629 }
2630 break;
2631 }
2632 case 4:
2633 {
2634 png_bytep sp = png_ptr->row_buf + 1;
2635 png_bytep dp = row;
2636 int s_start, s_end, s_inc;
2637 int m = 0x80;
2638 int shift;
2639 png_uint_32 i;
2640 png_uint_32 row_width = png_ptr->width;
2641 int value;
2642
2643 #ifdef PNG_READ_PACKSWAP_SUPPORTED
2644 if (png_ptr->transformations & PNG_PACKSWAP)
2645 {
2646 s_start = 0;
2647 s_end = 4;
2648 s_inc = 4;
2649 }
2650 else
2651 #endif
2652 {
2653 s_start = 4;
2654 s_end = 0;
2655 s_inc = -4;
2656 }
2657 shift = s_start;
2658
2659 for (i = 0; i < row_width; i++)
2660 {
2661 if (m & mask)
2662 {
2663 value = (*sp >> shift) & 0xf;
2664 *dp &= (png_byte)((0xf0f >> (4 - shift)) & 0xff);
2665 *dp |= (png_byte)(value << shift);
2666 }
2667
2668 if (shift == s_end)
2669 {
2670 shift = s_start;
2671 sp++;
2672 dp++;
2673 }
2674 else
2675 shift += s_inc;
2676 if (m == 1)
2677 m = 0x80;
2678 else
2679 m >>= 1;
2680 }
2681 break;
2682 }
2683 default:
2684 {
2685 png_bytep sp = png_ptr->row_buf + 1;
2686 png_bytep dp = row;
2687 png_size_t pixel_bytes = (png_ptr->row_info.pixel_depth >> 3);
2688 png_uint_32 i;
2689 png_uint_32 row_width = png_ptr->width;
2690 png_byte m = 0x80;
2691
2692
2693 for (i = 0; i < row_width; i++)
2694 {
2695 if (m & mask)
2696 {
2697 png_memcpy(dp, sp, pixel_bytes);
2698 }
2699
2700 sp += pixel_bytes;
2701 dp += pixel_bytes;
2702
2703 if (m == 1)
2704 m = 0x80;
2705 else
2706 m >>= 1;
2707 }
2708 break;
2709 }
2710 }
2711 }
2712 }
2713
2714 #ifdef PNG_READ_INTERLACING_SUPPORTED
2715 /* OLD pre-1.0.9 interface:
2716 void png_do_read_interlace(png_row_infop row_info, png_bytep row, int pass,
2717 png_uint_32 transformations)
2718 */
2719 void /* PRIVATE */
2720 png_do_read_interlace(png_structp png_ptr)
2721 {
2722 png_row_infop row_info = &(png_ptr->row_info);
2723 png_bytep row = png_ptr->row_buf + 1;
2724 int pass = png_ptr->pass;
2725 png_uint_32 transformations = png_ptr->transformations;
2726 /* Arrays to facilitate easy interlacing - use pass (0 - 6) as index */ 3483 /* Arrays to facilitate easy interlacing - use pass (0 - 6) as index */
2727 /* Offset to next interlace block */ 3484 /* Offset to next interlace block */
2728 PNG_CONST int png_pass_inc[7] = {8, 8, 4, 4, 2, 2, 1}; 3485 static PNG_CONST int png_pass_inc[7] = {8, 8, 4, 4, 2, 2, 1};
2729 3486
2730 png_debug(1, "in png_do_read_interlace"); 3487 png_debug(1, "in png_do_read_interlace");
2731 if (row != NULL && row_info != NULL) 3488 if (row != NULL && row_info != NULL)
2732 { 3489 {
2733 png_uint_32 final_width; 3490 png_uint_32 final_width;
2734 3491
2735 final_width = row_info->width * png_pass_inc[pass]; 3492 final_width = row_info->width * png_pass_inc[pass];
2736 3493
2737 switch (row_info->pixel_depth) 3494 switch (row_info->pixel_depth)
2738 { 3495 {
(...skipping 10 matching lines...) Expand all
2749 3506
2750 #ifdef PNG_READ_PACKSWAP_SUPPORTED 3507 #ifdef PNG_READ_PACKSWAP_SUPPORTED
2751 if (transformations & PNG_PACKSWAP) 3508 if (transformations & PNG_PACKSWAP)
2752 { 3509 {
2753 sshift = (int)((row_info->width + 7) & 0x07); 3510 sshift = (int)((row_info->width + 7) & 0x07);
2754 dshift = (int)((final_width + 7) & 0x07); 3511 dshift = (int)((final_width + 7) & 0x07);
2755 s_start = 7; 3512 s_start = 7;
2756 s_end = 0; 3513 s_end = 0;
2757 s_inc = -1; 3514 s_inc = -1;
2758 } 3515 }
3516
2759 else 3517 else
2760 #endif 3518 #endif
2761 { 3519 {
2762 sshift = 7 - (int)((row_info->width + 7) & 0x07); 3520 sshift = 7 - (int)((row_info->width + 7) & 0x07);
2763 dshift = 7 - (int)((final_width + 7) & 0x07); 3521 dshift = 7 - (int)((final_width + 7) & 0x07);
2764 s_start = 0; 3522 s_start = 0;
2765 s_end = 7; 3523 s_end = 7;
2766 s_inc = 1; 3524 s_inc = 1;
2767 } 3525 }
2768 3526
2769 for (i = 0; i < row_info->width; i++) 3527 for (i = 0; i < row_info->width; i++)
2770 { 3528 {
2771 v = (png_byte)((*sp >> sshift) & 0x01); 3529 v = (png_byte)((*sp >> sshift) & 0x01);
2772 for (j = 0; j < jstop; j++) 3530 for (j = 0; j < jstop; j++)
2773 { 3531 {
2774 *dp &= (png_byte)((0x7f7f >> (7 - dshift)) & 0xff); 3532 unsigned int tmp = *dp & (0x7f7f >> (7 - dshift));
2775 *dp |= (png_byte)(v << dshift); 3533 tmp |= v << dshift;
3534 *dp = (png_byte)(tmp & 0xff);
3535
2776 if (dshift == s_end) 3536 if (dshift == s_end)
2777 { 3537 {
2778 dshift = s_start; 3538 dshift = s_start;
2779 dp--; 3539 dp--;
2780 } 3540 }
3541
2781 else 3542 else
2782 dshift += s_inc; 3543 dshift += s_inc;
2783 } 3544 }
3545
2784 if (sshift == s_end) 3546 if (sshift == s_end)
2785 { 3547 {
2786 sshift = s_start; 3548 sshift = s_start;
2787 sp--; 3549 sp--;
2788 } 3550 }
3551
2789 else 3552 else
2790 sshift += s_inc; 3553 sshift += s_inc;
2791 } 3554 }
2792 break; 3555 break;
2793 } 3556 }
3557
2794 case 2: 3558 case 2:
2795 { 3559 {
2796 png_bytep sp = row + (png_uint_32)((row_info->width - 1) >> 2); 3560 png_bytep sp = row + (png_uint_32)((row_info->width - 1) >> 2);
2797 png_bytep dp = row + (png_uint_32)((final_width - 1) >> 2); 3561 png_bytep dp = row + (png_uint_32)((final_width - 1) >> 2);
2798 int sshift, dshift; 3562 int sshift, dshift;
2799 int s_start, s_end, s_inc; 3563 int s_start, s_end, s_inc;
2800 int jstop = png_pass_inc[pass]; 3564 int jstop = png_pass_inc[pass];
2801 png_uint_32 i; 3565 png_uint_32 i;
2802 3566
2803 #ifdef PNG_READ_PACKSWAP_SUPPORTED 3567 #ifdef PNG_READ_PACKSWAP_SUPPORTED
2804 if (transformations & PNG_PACKSWAP) 3568 if (transformations & PNG_PACKSWAP)
2805 { 3569 {
2806 sshift = (int)(((row_info->width + 3) & 0x03) << 1); 3570 sshift = (int)(((row_info->width + 3) & 0x03) << 1);
2807 dshift = (int)(((final_width + 3) & 0x03) << 1); 3571 dshift = (int)(((final_width + 3) & 0x03) << 1);
2808 s_start = 6; 3572 s_start = 6;
2809 s_end = 0; 3573 s_end = 0;
2810 s_inc = -2; 3574 s_inc = -2;
2811 } 3575 }
3576
2812 else 3577 else
2813 #endif 3578 #endif
2814 { 3579 {
2815 sshift = (int)((3 - ((row_info->width + 3) & 0x03)) << 1); 3580 sshift = (int)((3 - ((row_info->width + 3) & 0x03)) << 1);
2816 dshift = (int)((3 - ((final_width + 3) & 0x03)) << 1); 3581 dshift = (int)((3 - ((final_width + 3) & 0x03)) << 1);
2817 s_start = 0; 3582 s_start = 0;
2818 s_end = 6; 3583 s_end = 6;
2819 s_inc = 2; 3584 s_inc = 2;
2820 } 3585 }
2821 3586
2822 for (i = 0; i < row_info->width; i++) 3587 for (i = 0; i < row_info->width; i++)
2823 { 3588 {
2824 png_byte v; 3589 png_byte v;
2825 int j; 3590 int j;
2826 3591
2827 v = (png_byte)((*sp >> sshift) & 0x03); 3592 v = (png_byte)((*sp >> sshift) & 0x03);
2828 for (j = 0; j < jstop; j++) 3593 for (j = 0; j < jstop; j++)
2829 { 3594 {
2830 *dp &= (png_byte)((0x3f3f >> (6 - dshift)) & 0xff); 3595 unsigned int tmp = *dp & (0x3f3f >> (6 - dshift));
2831 *dp |= (png_byte)(v << dshift); 3596 tmp |= v << dshift;
3597 *dp = (png_byte)(tmp & 0xff);
3598
2832 if (dshift == s_end) 3599 if (dshift == s_end)
2833 { 3600 {
2834 dshift = s_start; 3601 dshift = s_start;
2835 dp--; 3602 dp--;
2836 } 3603 }
3604
2837 else 3605 else
2838 dshift += s_inc; 3606 dshift += s_inc;
2839 } 3607 }
3608
2840 if (sshift == s_end) 3609 if (sshift == s_end)
2841 { 3610 {
2842 sshift = s_start; 3611 sshift = s_start;
2843 sp--; 3612 sp--;
2844 } 3613 }
3614
2845 else 3615 else
2846 sshift += s_inc; 3616 sshift += s_inc;
2847 } 3617 }
2848 break; 3618 break;
2849 } 3619 }
3620
2850 case 4: 3621 case 4:
2851 { 3622 {
2852 png_bytep sp = row + (png_size_t)((row_info->width - 1) >> 1); 3623 png_bytep sp = row + (png_size_t)((row_info->width - 1) >> 1);
2853 png_bytep dp = row + (png_size_t)((final_width - 1) >> 1); 3624 png_bytep dp = row + (png_size_t)((final_width - 1) >> 1);
2854 int sshift, dshift; 3625 int sshift, dshift;
2855 int s_start, s_end, s_inc; 3626 int s_start, s_end, s_inc;
2856 png_uint_32 i; 3627 png_uint_32 i;
2857 int jstop = png_pass_inc[pass]; 3628 int jstop = png_pass_inc[pass];
2858 3629
2859 #ifdef PNG_READ_PACKSWAP_SUPPORTED 3630 #ifdef PNG_READ_PACKSWAP_SUPPORTED
2860 if (transformations & PNG_PACKSWAP) 3631 if (transformations & PNG_PACKSWAP)
2861 { 3632 {
2862 sshift = (int)(((row_info->width + 1) & 0x01) << 2); 3633 sshift = (int)(((row_info->width + 1) & 0x01) << 2);
2863 dshift = (int)(((final_width + 1) & 0x01) << 2); 3634 dshift = (int)(((final_width + 1) & 0x01) << 2);
2864 s_start = 4; 3635 s_start = 4;
2865 s_end = 0; 3636 s_end = 0;
2866 s_inc = -4; 3637 s_inc = -4;
2867 } 3638 }
3639
2868 else 3640 else
2869 #endif 3641 #endif
2870 { 3642 {
2871 sshift = (int)((1 - ((row_info->width + 1) & 0x01)) << 2); 3643 sshift = (int)((1 - ((row_info->width + 1) & 0x01)) << 2);
2872 dshift = (int)((1 - ((final_width + 1) & 0x01)) << 2); 3644 dshift = (int)((1 - ((final_width + 1) & 0x01)) << 2);
2873 s_start = 0; 3645 s_start = 0;
2874 s_end = 4; 3646 s_end = 4;
2875 s_inc = 4; 3647 s_inc = 4;
2876 } 3648 }
2877 3649
2878 for (i = 0; i < row_info->width; i++) 3650 for (i = 0; i < row_info->width; i++)
2879 { 3651 {
2880 png_byte v = (png_byte)((*sp >> sshift) & 0xf); 3652 png_byte v = (png_byte)((*sp >> sshift) & 0x0f);
2881 int j; 3653 int j;
2882 3654
2883 for (j = 0; j < jstop; j++) 3655 for (j = 0; j < jstop; j++)
2884 { 3656 {
2885 *dp &= (png_byte)((0xf0f >> (4 - dshift)) & 0xff); 3657 unsigned int tmp = *dp & (0xf0f >> (4 - dshift));
2886 *dp |= (png_byte)(v << dshift); 3658 tmp |= v << dshift;
3659 *dp = (png_byte)(tmp & 0xff);
3660
2887 if (dshift == s_end) 3661 if (dshift == s_end)
2888 { 3662 {
2889 dshift = s_start; 3663 dshift = s_start;
2890 dp--; 3664 dp--;
2891 } 3665 }
3666
2892 else 3667 else
2893 dshift += s_inc; 3668 dshift += s_inc;
2894 } 3669 }
3670
2895 if (sshift == s_end) 3671 if (sshift == s_end)
2896 { 3672 {
2897 sshift = s_start; 3673 sshift = s_start;
2898 sp--; 3674 sp--;
2899 } 3675 }
3676
2900 else 3677 else
2901 sshift += s_inc; 3678 sshift += s_inc;
2902 } 3679 }
2903 break; 3680 break;
2904 } 3681 }
3682
2905 default: 3683 default:
2906 { 3684 {
2907 png_size_t pixel_bytes = (row_info->pixel_depth >> 3); 3685 png_size_t pixel_bytes = (row_info->pixel_depth >> 3);
3686
2908 png_bytep sp = row + (png_size_t)(row_info->width - 1) 3687 png_bytep sp = row + (png_size_t)(row_info->width - 1)
2909 * pixel_bytes; 3688 * pixel_bytes;
3689
2910 png_bytep dp = row + (png_size_t)(final_width - 1) * pixel_bytes; 3690 png_bytep dp = row + (png_size_t)(final_width - 1) * pixel_bytes;
2911 3691
2912 int jstop = png_pass_inc[pass]; 3692 int jstop = png_pass_inc[pass];
2913 png_uint_32 i; 3693 png_uint_32 i;
2914 3694
2915 for (i = 0; i < row_info->width; i++) 3695 for (i = 0; i < row_info->width; i++)
2916 { 3696 {
2917 png_byte v[8]; 3697 png_byte v[8]; /* SAFE; pixel_depth does not exceed 64 */
2918 int j; 3698 int j;
2919 3699
2920 png_memcpy(v, sp, pixel_bytes); 3700 memcpy(v, sp, pixel_bytes);
3701
2921 for (j = 0; j < jstop; j++) 3702 for (j = 0; j < jstop; j++)
2922 { 3703 {
2923 png_memcpy(dp, v, pixel_bytes); 3704 memcpy(dp, v, pixel_bytes);
2924 dp -= pixel_bytes; 3705 dp -= pixel_bytes;
2925 } 3706 }
3707
2926 sp -= pixel_bytes; 3708 sp -= pixel_bytes;
2927 } 3709 }
2928 break; 3710 break;
2929 } 3711 }
2930 } 3712 }
3713
2931 row_info->width = final_width; 3714 row_info->width = final_width;
2932 row_info->rowbytes = PNG_ROWBYTES(row_info->pixel_depth, final_width); 3715 row_info->rowbytes = PNG_ROWBYTES(row_info->pixel_depth, final_width);
2933 } 3716 }
2934 #ifndef PNG_READ_PACKSWAP_SUPPORTED 3717 #ifndef PNG_READ_PACKSWAP_SUPPORTED
2935 transformations = transformations; /* Silence compiler warning */ 3718 PNG_UNUSED(transformations) /* Silence compiler warning */
2936 #endif 3719 #endif
2937 } 3720 }
2938 #endif /* PNG_READ_INTERLACING_SUPPORTED */ 3721 #endif /* PNG_READ_INTERLACING_SUPPORTED */
2939 3722
3723 static void
3724 png_read_filter_row_sub(png_row_infop row_info, png_bytep row,
3725 png_const_bytep prev_row)
3726 {
3727 png_size_t i;
3728 png_size_t istop = row_info->rowbytes;
3729 unsigned int bpp = (row_info->pixel_depth + 7) >> 3;
3730 png_bytep rp = row + bpp;
3731
3732 PNG_UNUSED(prev_row)
3733
3734 for (i = bpp; i < istop; i++)
3735 {
3736 *rp = (png_byte)(((int)(*rp) + (int)(*(rp-bpp))) & 0xff);
3737 rp++;
3738 }
3739 }
3740
3741 static void
3742 png_read_filter_row_up(png_row_infop row_info, png_bytep row,
3743 png_const_bytep prev_row)
3744 {
3745 png_size_t i;
3746 png_size_t istop = row_info->rowbytes;
3747 png_bytep rp = row;
3748 png_const_bytep pp = prev_row;
3749
3750 for (i = 0; i < istop; i++)
3751 {
3752 *rp = (png_byte)(((int)(*rp) + (int)(*pp++)) & 0xff);
3753 rp++;
3754 }
3755 }
3756
3757 static void
3758 png_read_filter_row_avg(png_row_infop row_info, png_bytep row,
3759 png_const_bytep prev_row)
3760 {
3761 png_size_t i;
3762 png_bytep rp = row;
3763 png_const_bytep pp = prev_row;
3764 unsigned int bpp = (row_info->pixel_depth + 7) >> 3;
3765 png_size_t istop = row_info->rowbytes - bpp;
3766
3767 for (i = 0; i < bpp; i++)
3768 {
3769 *rp = (png_byte)(((int)(*rp) +
3770 ((int)(*pp++) / 2 )) & 0xff);
3771
3772 rp++;
3773 }
3774
3775 for (i = 0; i < istop; i++)
3776 {
3777 *rp = (png_byte)(((int)(*rp) +
3778 (int)(*pp++ + *(rp-bpp)) / 2 ) & 0xff);
3779
3780 rp++;
3781 }
3782 }
3783
3784 static void
3785 png_read_filter_row_paeth_1byte_pixel(png_row_infop row_info, png_bytep row,
3786 png_const_bytep prev_row)
3787 {
3788 png_bytep rp_end = row + row_info->rowbytes;
3789 int a, c;
3790
3791 /* First pixel/byte */
3792 c = *prev_row++;
3793 a = *row + c;
3794 *row++ = (png_byte)a;
3795
3796 /* Remainder */
3797 while (row < rp_end)
3798 {
3799 int b, pa, pb, pc, p;
3800
3801 a &= 0xff; /* From previous iteration or start */
3802 b = *prev_row++;
3803
3804 p = b - c;
3805 pc = a - c;
3806
3807 # ifdef PNG_USE_ABS
3808 pa = abs(p);
3809 pb = abs(pc);
3810 pc = abs(p + pc);
3811 # else
3812 pa = p < 0 ? -p : p;
3813 pb = pc < 0 ? -pc : pc;
3814 pc = (p + pc) < 0 ? -(p + pc) : p + pc;
3815 # endif
3816
3817 /* Find the best predictor, the least of pa, pb, pc favoring the earlier
3818 * ones in the case of a tie.
3819 */
3820 if (pb < pa) pa = pb, a = b;
3821 if (pc < pa) a = c;
3822
3823 /* Calculate the current pixel in a, and move the previous row pixel to c
3824 * for the next time round the loop
3825 */
3826 c = b;
3827 a += *row;
3828 *row++ = (png_byte)a;
3829 }
3830 }
3831
3832 static void
3833 png_read_filter_row_paeth_multibyte_pixel(png_row_infop row_info, png_bytep row,
3834 png_const_bytep prev_row)
3835 {
3836 int bpp = (row_info->pixel_depth + 7) >> 3;
3837 png_bytep rp_end = row + bpp;
3838
3839 /* Process the first pixel in the row completely (this is the same as 'up'
3840 * because there is only one candidate predictor for the first row).
3841 */
3842 while (row < rp_end)
3843 {
3844 int a = *row + *prev_row++;
3845 *row++ = (png_byte)a;
3846 }
3847
3848 /* Remainder */
3849 rp_end += row_info->rowbytes - bpp;
3850
3851 while (row < rp_end)
3852 {
3853 int a, b, c, pa, pb, pc, p;
3854
3855 c = *(prev_row - bpp);
3856 a = *(row - bpp);
3857 b = *prev_row++;
3858
3859 p = b - c;
3860 pc = a - c;
3861
3862 # ifdef PNG_USE_ABS
3863 pa = abs(p);
3864 pb = abs(pc);
3865 pc = abs(p + pc);
3866 # else
3867 pa = p < 0 ? -p : p;
3868 pb = pc < 0 ? -pc : pc;
3869 pc = (p + pc) < 0 ? -(p + pc) : p + pc;
3870 # endif
3871
3872 if (pb < pa) pa = pb, a = b;
3873 if (pc < pa) a = c;
3874
3875 c = b;
3876 a += *row;
3877 *row++ = (png_byte)a;
3878 }
3879 }
3880
3881 static void
3882 png_init_filter_functions(png_structrp pp)
3883 /* This function is called once for every PNG image to set the
3884 * implementations required to reverse the filtering of PNG rows. Reversing
3885 * the filter is the first transformation performed on the row data. It is
3886 * performed in place, therefore an implementation can be selected based on
3887 * the image pixel format. If the implementation depends on image width then
3888 * take care to ensure that it works correctly if the image is interlaced -
3889 * interlacing causes the actual row width to vary.
3890 */
3891 {
3892 unsigned int bpp = (pp->pixel_depth + 7) >> 3;
3893
3894 pp->read_filter[PNG_FILTER_VALUE_SUB-1] = png_read_filter_row_sub;
3895 pp->read_filter[PNG_FILTER_VALUE_UP-1] = png_read_filter_row_up;
3896 pp->read_filter[PNG_FILTER_VALUE_AVG-1] = png_read_filter_row_avg;
3897 if (bpp == 1)
3898 pp->read_filter[PNG_FILTER_VALUE_PAETH-1] =
3899 png_read_filter_row_paeth_1byte_pixel;
3900 else
3901 pp->read_filter[PNG_FILTER_VALUE_PAETH-1] =
3902 png_read_filter_row_paeth_multibyte_pixel;
3903
3904 #ifdef PNG_FILTER_OPTIMIZATIONS
3905 /* To use this define PNG_FILTER_OPTIMIZATIONS as the name of a function to
3906 * call to install hardware optimizations for the above functions; simply
3907 * replace whatever elements of the pp->read_filter[] array with a hardware
3908 * specific (or, for that matter, generic) optimization.
3909 *
3910 * To see an example of this examine what configure.ac does when
3911 * --enable-arm-neon is specified on the command line.
3912 */
3913 PNG_FILTER_OPTIMIZATIONS(pp, bpp);
3914 #endif
3915 }
3916
2940 void /* PRIVATE */ 3917 void /* PRIVATE */
2941 png_read_filter_row(png_structp png_ptr, png_row_infop row_info, png_bytep row, 3918 png_read_filter_row(png_structrp pp, png_row_infop row_info, png_bytep row,
2942 png_bytep prev_row, int filter) 3919 png_const_bytep prev_row, int filter)
2943 { 3920 {
2944 png_debug(1, "in png_read_filter_row"); 3921 /* OPTIMIZATION: DO NOT MODIFY THIS FUNCTION, instead #define
2945 png_debug2(2, "row = %lu, filter = %d", png_ptr->row_number, filter); 3922 * PNG_FILTER_OPTIMIZATIONS to a function that overrides the generic
2946 switch (filter) 3923 * implementations. See png_init_filter_functions above.
2947 { 3924 */
2948 case PNG_FILTER_VALUE_NONE: 3925 if (pp->read_filter[0] == NULL)
2949 break; 3926 png_init_filter_functions(pp);
2950 case PNG_FILTER_VALUE_SUB: 3927 if (filter > PNG_FILTER_VALUE_NONE && filter < PNG_FILTER_VALUE_LAST)
2951 { 3928 pp->read_filter[filter-1](row_info, row, prev_row);
2952 png_uint_32 i;
2953 png_uint_32 istop = row_info->rowbytes;
2954 png_uint_32 bpp = (row_info->pixel_depth + 7) >> 3;
2955 png_bytep rp = row + bpp;
2956 png_bytep lp = row;
2957
2958 for (i = bpp; i < istop; i++)
2959 {
2960 *rp = (png_byte)(((int)(*rp) + (int)(*lp++)) & 0xff);
2961 rp++;
2962 }
2963 break;
2964 }
2965 case PNG_FILTER_VALUE_UP:
2966 {
2967 png_uint_32 i;
2968 png_uint_32 istop = row_info->rowbytes;
2969 png_bytep rp = row;
2970 png_bytep pp = prev_row;
2971
2972 for (i = 0; i < istop; i++)
2973 {
2974 *rp = (png_byte)(((int)(*rp) + (int)(*pp++)) & 0xff);
2975 rp++;
2976 }
2977 break;
2978 }
2979 case PNG_FILTER_VALUE_AVG:
2980 {
2981 png_uint_32 i;
2982 png_bytep rp = row;
2983 png_bytep pp = prev_row;
2984 png_bytep lp = row;
2985 png_uint_32 bpp = (row_info->pixel_depth + 7) >> 3;
2986 png_uint_32 istop = row_info->rowbytes - bpp;
2987
2988 for (i = 0; i < bpp; i++)
2989 {
2990 *rp = (png_byte)(((int)(*rp) +
2991 ((int)(*pp++) / 2 )) & 0xff);
2992 rp++;
2993 }
2994
2995 for (i = 0; i < istop; i++)
2996 {
2997 *rp = (png_byte)(((int)(*rp) +
2998 (int)(*pp++ + *lp++) / 2 ) & 0xff);
2999 rp++;
3000 }
3001 break;
3002 }
3003 case PNG_FILTER_VALUE_PAETH:
3004 {
3005 png_uint_32 i;
3006 png_bytep rp = row;
3007 png_bytep pp = prev_row;
3008 png_bytep lp = row;
3009 png_bytep cp = prev_row;
3010 png_uint_32 bpp = (row_info->pixel_depth + 7) >> 3;
3011 png_uint_32 istop=row_info->rowbytes - bpp;
3012
3013 for (i = 0; i < bpp; i++)
3014 {
3015 *rp = (png_byte)(((int)(*rp) + (int)(*pp++)) & 0xff);
3016 rp++;
3017 }
3018
3019 for (i = 0; i < istop; i++) /* Use leftover rp,pp */
3020 {
3021 int a, b, c, pa, pb, pc, p;
3022
3023 a = *lp++;
3024 b = *pp++;
3025 c = *cp++;
3026
3027 p = b - c;
3028 pc = a - c;
3029
3030 #ifdef PNG_USE_ABS
3031 pa = abs(p);
3032 pb = abs(pc);
3033 pc = abs(p + pc);
3034 #else
3035 pa = p < 0 ? -p : p;
3036 pb = pc < 0 ? -pc : pc;
3037 pc = (p + pc) < 0 ? -(p + pc) : p + pc;
3038 #endif
3039
3040 /*
3041 if (pa <= pb && pa <= pc)
3042 p = a;
3043 else if (pb <= pc)
3044 p = b;
3045 else
3046 p = c;
3047 */
3048
3049 p = (pa <= pb && pa <= pc) ? a : (pb <= pc) ? b : c;
3050
3051 *rp = (png_byte)(((int)(*rp) + p) & 0xff);
3052 rp++;
3053 }
3054 break;
3055 }
3056 default:
3057 png_warning(png_ptr, "Ignoring bad adaptive filter type");
3058 *row = 0;
3059 break;
3060 }
3061 } 3929 }
3062 3930
3063 #ifdef PNG_SEQUENTIAL_READ_SUPPORTED 3931 #ifdef PNG_SEQUENTIAL_READ_SUPPORTED
3064 void /* PRIVATE */ 3932 void /* PRIVATE */
3065 png_read_finish_row(png_structp png_ptr) 3933 png_read_IDAT_data(png_structrp png_ptr, png_bytep output,
3934 png_alloc_size_t avail_out)
3935 {
3936 /* Loop reading IDATs and decompressing the result into output[avail_out] */
3937 png_ptr->zstream.next_out = output;
3938 png_ptr->zstream.avail_out = 0; /* safety: set below */
3939
3940 if (output == NULL)
3941 avail_out = 0;
3942
3943 do
3944 {
3945 int ret;
3946 png_byte tmpbuf[PNG_INFLATE_BUF_SIZE];
3947
3948 if (png_ptr->zstream.avail_in == 0)
3949 {
3950 uInt avail_in;
3951 png_bytep buffer;
3952
3953 while (png_ptr->idat_size == 0)
3954 {
3955 png_crc_finish(png_ptr, 0);
3956
3957 png_ptr->idat_size = png_read_chunk_header(png_ptr);
3958 /* This is an error even in the 'check' case because the code just
3959 * consumed a non-IDAT header.
3960 */
3961 if (png_ptr->chunk_name != png_IDAT)
3962 png_error(png_ptr, "Not enough image data");
3963 }
3964
3965 avail_in = png_ptr->IDAT_read_size;
3966
3967 if (avail_in > png_ptr->idat_size)
3968 avail_in = (uInt)png_ptr->idat_size;
3969
3970 /* A PNG with a gradually increasing IDAT size will defeat this attempt
3971 * to minimize memory usage by causing lots of re-allocs, but
3972 * realistically doing IDAT_read_size re-allocs is not likely to be a
3973 * big problem.
3974 */
3975 buffer = png_read_buffer(png_ptr, avail_in, 0/*error*/);
3976
3977 png_crc_read(png_ptr, buffer, avail_in);
3978 png_ptr->idat_size -= avail_in;
3979
3980 png_ptr->zstream.next_in = buffer;
3981 png_ptr->zstream.avail_in = avail_in;
3982 }
3983
3984 /* And set up the output side. */
3985 if (output != NULL) /* standard read */
3986 {
3987 uInt out = ZLIB_IO_MAX;
3988
3989 if (out > avail_out)
3990 out = (uInt)avail_out;
3991
3992 avail_out -= out;
3993 png_ptr->zstream.avail_out = out;
3994 }
3995
3996 else /* after last row, checking for end */
3997 {
3998 png_ptr->zstream.next_out = tmpbuf;
3999 png_ptr->zstream.avail_out = (sizeof tmpbuf);
4000 }
4001
4002 /* Use NO_FLUSH; this gives zlib the maximum opportunity to optimize the
4003 * process. If the LZ stream is truncated the sequential reader will
4004 * terminally damage the stream, above, by reading the chunk header of the
4005 * following chunk (it then exits with png_error).
4006 *
4007 * TODO: deal more elegantly with truncated IDAT lists.
4008 */
4009 ret = inflate(&png_ptr->zstream, Z_NO_FLUSH);
4010
4011 /* Take the unconsumed output back. */
4012 if (output != NULL)
4013 avail_out += png_ptr->zstream.avail_out;
4014
4015 else /* avail_out counts the extra bytes */
4016 avail_out += (sizeof tmpbuf) - png_ptr->zstream.avail_out;
4017
4018 png_ptr->zstream.avail_out = 0;
4019
4020 if (ret == Z_STREAM_END)
4021 {
4022 /* Do this for safety; we won't read any more into this row. */
4023 png_ptr->zstream.next_out = NULL;
4024
4025 png_ptr->mode |= PNG_AFTER_IDAT;
4026 png_ptr->flags |= PNG_FLAG_ZSTREAM_ENDED;
4027
4028 if (png_ptr->zstream.avail_in > 0 || png_ptr->idat_size > 0)
4029 png_chunk_benign_error(png_ptr, "Extra compressed data");
4030 break;
4031 }
4032
4033 if (ret != Z_OK)
4034 {
4035 png_zstream_error(png_ptr, ret);
4036
4037 if (output != NULL)
4038 png_chunk_error(png_ptr, png_ptr->zstream.msg);
4039
4040 else /* checking */
4041 {
4042 png_chunk_benign_error(png_ptr, png_ptr->zstream.msg);
4043 return;
4044 }
4045 }
4046 } while (avail_out > 0);
4047
4048 if (avail_out > 0)
4049 {
4050 /* The stream ended before the image; this is the same as too few IDATs so
4051 * should be handled the same way.
4052 */
4053 if (output != NULL)
4054 png_error(png_ptr, "Not enough image data");
4055
4056 else /* the deflate stream contained extra data */
4057 png_chunk_benign_error(png_ptr, "Too much image data");
4058 }
4059 }
4060
4061 void /* PRIVATE */
4062 png_read_finish_IDAT(png_structrp png_ptr)
4063 {
4064 /* We don't need any more data and the stream should have ended, however the
4065 * LZ end code may actually not have been processed. In this case we must
4066 * read it otherwise stray unread IDAT data or, more likely, an IDAT chunk
4067 * may still remain to be consumed.
4068 */
4069 if (!(png_ptr->flags & PNG_FLAG_ZSTREAM_ENDED))
4070 {
4071 /* The NULL causes png_read_IDAT_data to swallow any remaining bytes in
4072 * the compressed stream, but the stream may be damaged too, so even after
4073 * this call we may need to terminate the zstream ownership.
4074 */
4075 png_read_IDAT_data(png_ptr, NULL, 0);
4076 png_ptr->zstream.next_out = NULL; /* safety */
4077
4078 /* Now clear everything out for safety; the following may not have been
4079 * done.
4080 */
4081 if (!(png_ptr->flags & PNG_FLAG_ZSTREAM_ENDED))
4082 {
4083 png_ptr->mode |= PNG_AFTER_IDAT;
4084 png_ptr->flags |= PNG_FLAG_ZSTREAM_ENDED;
4085 }
4086 }
4087
4088 /* If the zstream has not been released do it now *and* terminate the reading
4089 * of the final IDAT chunk.
4090 */
4091 if (png_ptr->zowner == png_IDAT)
4092 {
4093 /* Always do this; the pointers otherwise point into the read buffer. */
4094 png_ptr->zstream.next_in = NULL;
4095 png_ptr->zstream.avail_in = 0;
4096
4097 /* Now we no longer own the zstream. */
4098 png_ptr->zowner = 0;
4099
4100 /* The slightly weird semantics of the sequential IDAT reading is that we
4101 * are always in or at the end of an IDAT chunk, so we always need to do a
4102 * crc_finish here. If idat_size is non-zero we also need to read the
4103 * spurious bytes at the end of the chunk now.
4104 */
4105 (void)png_crc_finish(png_ptr, png_ptr->idat_size);
4106 }
4107 }
4108
4109 void /* PRIVATE */
4110 png_read_finish_row(png_structrp png_ptr)
3066 { 4111 {
3067 #ifdef PNG_READ_INTERLACING_SUPPORTED 4112 #ifdef PNG_READ_INTERLACING_SUPPORTED
3068 /* Arrays to facilitate easy interlacing - use pass (0 - 6) as index */ 4113 /* Arrays to facilitate easy interlacing - use pass (0 - 6) as index */
3069 4114
3070 /* Start of interlace block */ 4115 /* Start of interlace block */
3071 PNG_CONST int png_pass_start[7] = {0, 4, 0, 2, 0, 1, 0}; 4116 static PNG_CONST png_byte png_pass_start[7] = {0, 4, 0, 2, 0, 1, 0};
3072 4117
3073 /* Offset to next interlace block */ 4118 /* Offset to next interlace block */
3074 PNG_CONST int png_pass_inc[7] = {8, 8, 4, 4, 2, 2, 1}; 4119 static PNG_CONST png_byte png_pass_inc[7] = {8, 8, 4, 4, 2, 2, 1};
3075 4120
3076 /* Start of interlace block in the y direction */ 4121 /* Start of interlace block in the y direction */
3077 PNG_CONST int png_pass_ystart[7] = {0, 0, 4, 0, 2, 0, 1}; 4122 static PNG_CONST png_byte png_pass_ystart[7] = {0, 0, 4, 0, 2, 0, 1};
3078 4123
3079 /* Offset to next interlace block in the y direction */ 4124 /* Offset to next interlace block in the y direction */
3080 PNG_CONST int png_pass_yinc[7] = {8, 8, 8, 4, 4, 2, 2}; 4125 static PNG_CONST png_byte png_pass_yinc[7] = {8, 8, 8, 4, 4, 2, 2};
3081 #endif /* PNG_READ_INTERLACING_SUPPORTED */ 4126 #endif /* PNG_READ_INTERLACING_SUPPORTED */
3082 4127
3083 png_debug(1, "in png_read_finish_row"); 4128 png_debug(1, "in png_read_finish_row");
3084 png_ptr->row_number++; 4129 png_ptr->row_number++;
3085 if (png_ptr->row_number < png_ptr->num_rows) 4130 if (png_ptr->row_number < png_ptr->num_rows)
3086 return; 4131 return;
3087 4132
3088 #ifdef PNG_READ_INTERLACING_SUPPORTED 4133 #ifdef PNG_READ_INTERLACING_SUPPORTED
3089 if (png_ptr->interlaced) 4134 if (png_ptr->interlaced)
3090 { 4135 {
3091 png_ptr->row_number = 0; 4136 png_ptr->row_number = 0;
3092 png_memset_check(png_ptr, png_ptr->prev_row, 0, 4137
3093 png_ptr->rowbytes + 1); 4138 /* TO DO: don't do this if prev_row isn't needed (requires
4139 * read-ahead of the next row's filter byte.
4140 */
4141 memset(png_ptr->prev_row, 0, png_ptr->rowbytes + 1);
4142
3094 do 4143 do
3095 { 4144 {
3096 png_ptr->pass++; 4145 png_ptr->pass++;
4146
3097 if (png_ptr->pass >= 7) 4147 if (png_ptr->pass >= 7)
3098 break; 4148 break;
4149
3099 png_ptr->iwidth = (png_ptr->width + 4150 png_ptr->iwidth = (png_ptr->width +
3100 png_pass_inc[png_ptr->pass] - 1 - 4151 png_pass_inc[png_ptr->pass] - 1 -
3101 png_pass_start[png_ptr->pass]) / 4152 png_pass_start[png_ptr->pass]) /
3102 png_pass_inc[png_ptr->pass]; 4153 png_pass_inc[png_ptr->pass];
3103 4154
3104 if (!(png_ptr->transformations & PNG_INTERLACE)) 4155 if (!(png_ptr->transformations & PNG_INTERLACE))
3105 { 4156 {
3106 png_ptr->num_rows = (png_ptr->height + 4157 png_ptr->num_rows = (png_ptr->height +
3107 png_pass_yinc[png_ptr->pass] - 1 - 4158 png_pass_yinc[png_ptr->pass] - 1 -
3108 png_pass_ystart[png_ptr->pass]) / 4159 png_pass_ystart[png_ptr->pass]) /
3109 png_pass_yinc[png_ptr->pass]; 4160 png_pass_yinc[png_ptr->pass];
3110 if (!(png_ptr->num_rows))
3111 continue;
3112 } 4161 }
4162
3113 else /* if (png_ptr->transformations & PNG_INTERLACE) */ 4163 else /* if (png_ptr->transformations & PNG_INTERLACE) */
3114 break; 4164 break; /* libpng deinterlacing sees every row */
3115 } while (png_ptr->iwidth == 0); 4165
4166 } while (png_ptr->num_rows == 0 || png_ptr->iwidth == 0);
3116 4167
3117 if (png_ptr->pass < 7) 4168 if (png_ptr->pass < 7)
3118 return; 4169 return;
3119 } 4170 }
3120 #endif /* PNG_READ_INTERLACING_SUPPORTED */ 4171 #endif /* PNG_READ_INTERLACING_SUPPORTED */
3121 4172
3122 if (!(png_ptr->flags & PNG_FLAG_ZLIB_FINISHED)) 4173 /* Here after at the end of the last row of the last pass. */
3123 { 4174 png_read_finish_IDAT(png_ptr);
3124 #ifdef PNG_USE_LOCAL_ARRAYS
3125 PNG_CONST PNG_IDAT;
3126 #endif
3127 char extra;
3128 int ret;
3129
3130 png_ptr->zstream.next_out = (Byte *)&extra;
3131 png_ptr->zstream.avail_out = (uInt)1;
3132 for (;;)
3133 {
3134 if (!(png_ptr->zstream.avail_in))
3135 {
3136 while (!png_ptr->idat_size)
3137 {
3138 png_byte chunk_length[4];
3139
3140 png_crc_finish(png_ptr, 0);
3141
3142 png_read_data(png_ptr, chunk_length, 4);
3143 png_ptr->idat_size = png_get_uint_31(png_ptr, chunk_length);
3144 png_reset_crc(png_ptr);
3145 png_crc_read(png_ptr, png_ptr->chunk_name, 4);
3146 if (png_memcmp(png_ptr->chunk_name, png_IDAT, 4))
3147 png_error(png_ptr, "Not enough image data");
3148
3149 }
3150 png_ptr->zstream.avail_in = (uInt)png_ptr->zbuf_size;
3151 png_ptr->zstream.next_in = png_ptr->zbuf;
3152 if (png_ptr->zbuf_size > png_ptr->idat_size)
3153 png_ptr->zstream.avail_in = (uInt)png_ptr->idat_size;
3154 png_crc_read(png_ptr, png_ptr->zbuf, png_ptr->zstream.avail_in);
3155 png_ptr->idat_size -= png_ptr->zstream.avail_in;
3156 }
3157 ret = inflate(&png_ptr->zstream, Z_PARTIAL_FLUSH);
3158 if (ret == Z_STREAM_END)
3159 {
3160 if (!(png_ptr->zstream.avail_out) || png_ptr->zstream.avail_in ||
3161 png_ptr->idat_size)
3162 png_warning(png_ptr, "Extra compressed data.");
3163 png_ptr->mode |= PNG_AFTER_IDAT;
3164 png_ptr->flags |= PNG_FLAG_ZLIB_FINISHED;
3165 break;
3166 }
3167 if (ret != Z_OK)
3168 png_error(png_ptr, png_ptr->zstream.msg ? png_ptr->zstream.msg :
3169 "Decompression Error");
3170
3171 if (!(png_ptr->zstream.avail_out))
3172 {
3173 png_warning(png_ptr, "Extra compressed data.");
3174 png_ptr->mode |= PNG_AFTER_IDAT;
3175 png_ptr->flags |= PNG_FLAG_ZLIB_FINISHED;
3176 break;
3177 }
3178
3179 }
3180 png_ptr->zstream.avail_out = 0;
3181 }
3182
3183 if (png_ptr->idat_size || png_ptr->zstream.avail_in)
3184 png_warning(png_ptr, "Extra compression data.");
3185
3186 inflateReset(&png_ptr->zstream);
3187
3188 png_ptr->mode |= PNG_AFTER_IDAT;
3189 } 4175 }
3190 #endif /* PNG_SEQUENTIAL_READ_SUPPORTED */ 4176 #endif /* PNG_SEQUENTIAL_READ_SUPPORTED */
3191 4177
3192 void /* PRIVATE */ 4178 void /* PRIVATE */
3193 png_read_start_row(png_structp png_ptr) 4179 png_read_start_row(png_structrp png_ptr)
3194 { 4180 {
3195 #ifdef PNG_READ_INTERLACING_SUPPORTED 4181 #ifdef PNG_READ_INTERLACING_SUPPORTED
3196 /* Arrays to facilitate easy interlacing - use pass (0 - 6) as index */ 4182 /* Arrays to facilitate easy interlacing - use pass (0 - 6) as index */
3197 4183
3198 /* Start of interlace block */ 4184 /* Start of interlace block */
3199 PNG_CONST int png_pass_start[7] = {0, 4, 0, 2, 0, 1, 0}; 4185 static PNG_CONST png_byte png_pass_start[7] = {0, 4, 0, 2, 0, 1, 0};
3200 4186
3201 /* Offset to next interlace block */ 4187 /* Offset to next interlace block */
3202 PNG_CONST int png_pass_inc[7] = {8, 8, 4, 4, 2, 2, 1}; 4188 static PNG_CONST png_byte png_pass_inc[7] = {8, 8, 4, 4, 2, 2, 1};
3203 4189
3204 /* Start of interlace block in the y direction */ 4190 /* Start of interlace block in the y direction */
3205 PNG_CONST int png_pass_ystart[7] = {0, 0, 4, 0, 2, 0, 1}; 4191 static PNG_CONST png_byte png_pass_ystart[7] = {0, 0, 4, 0, 2, 0, 1};
3206 4192
3207 /* Offset to next interlace block in the y direction */ 4193 /* Offset to next interlace block in the y direction */
3208 PNG_CONST int png_pass_yinc[7] = {8, 8, 8, 4, 4, 2, 2}; 4194 static PNG_CONST png_byte png_pass_yinc[7] = {8, 8, 8, 4, 4, 2, 2};
3209 #endif 4195 #endif
3210 4196
3211 int max_pixel_depth; 4197 int max_pixel_depth;
3212 png_size_t row_bytes; 4198 png_size_t row_bytes;
3213 4199
3214 png_debug(1, "in png_read_start_row"); 4200 png_debug(1, "in png_read_start_row");
3215 png_ptr->zstream.avail_in = 0; 4201
4202 #ifdef PNG_READ_TRANSFORMS_SUPPORTED
3216 png_init_read_transformations(png_ptr); 4203 png_init_read_transformations(png_ptr);
4204 #endif
3217 #ifdef PNG_READ_INTERLACING_SUPPORTED 4205 #ifdef PNG_READ_INTERLACING_SUPPORTED
3218 if (png_ptr->interlaced) 4206 if (png_ptr->interlaced)
3219 { 4207 {
3220 if (!(png_ptr->transformations & PNG_INTERLACE)) 4208 if (!(png_ptr->transformations & PNG_INTERLACE))
3221 png_ptr->num_rows = (png_ptr->height + png_pass_yinc[0] - 1 - 4209 png_ptr->num_rows = (png_ptr->height + png_pass_yinc[0] - 1 -
3222 png_pass_ystart[0]) / png_pass_yinc[0]; 4210 png_pass_ystart[0]) / png_pass_yinc[0];
4211
3223 else 4212 else
3224 png_ptr->num_rows = png_ptr->height; 4213 png_ptr->num_rows = png_ptr->height;
3225 4214
3226 png_ptr->iwidth = (png_ptr->width + 4215 png_ptr->iwidth = (png_ptr->width +
3227 png_pass_inc[png_ptr->pass] - 1 - 4216 png_pass_inc[png_ptr->pass] - 1 -
3228 png_pass_start[png_ptr->pass]) / 4217 png_pass_start[png_ptr->pass]) /
3229 png_pass_inc[png_ptr->pass]; 4218 png_pass_inc[png_ptr->pass];
3230 } 4219 }
4220
3231 else 4221 else
3232 #endif /* PNG_READ_INTERLACING_SUPPORTED */ 4222 #endif /* PNG_READ_INTERLACING_SUPPORTED */
3233 { 4223 {
3234 png_ptr->num_rows = png_ptr->height; 4224 png_ptr->num_rows = png_ptr->height;
3235 png_ptr->iwidth = png_ptr->width; 4225 png_ptr->iwidth = png_ptr->width;
3236 } 4226 }
4227
3237 max_pixel_depth = png_ptr->pixel_depth; 4228 max_pixel_depth = png_ptr->pixel_depth;
3238 4229
4230 /* WARNING: * png_read_transform_info (pngrtran.c) performs a simpliar set of
4231 * calculations to calculate the final pixel depth, then
4232 * png_do_read_transforms actually does the transforms. This means that the
4233 * code which effectively calculates this value is actually repeated in three
4234 * separate places. They must all match. Innocent changes to the order of
4235 * transformations can and will break libpng in a way that causes memory
4236 * overwrites.
4237 *
4238 * TODO: fix this.
4239 */
3239 #ifdef PNG_READ_PACK_SUPPORTED 4240 #ifdef PNG_READ_PACK_SUPPORTED
3240 if ((png_ptr->transformations & PNG_PACK) && png_ptr->bit_depth < 8) 4241 if ((png_ptr->transformations & PNG_PACK) && png_ptr->bit_depth < 8)
3241 max_pixel_depth = 8; 4242 max_pixel_depth = 8;
3242 #endif 4243 #endif
3243 4244
3244 #ifdef PNG_READ_EXPAND_SUPPORTED 4245 #ifdef PNG_READ_EXPAND_SUPPORTED
3245 if (png_ptr->transformations & PNG_EXPAND) 4246 if (png_ptr->transformations & PNG_EXPAND)
3246 { 4247 {
3247 if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) 4248 if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
3248 { 4249 {
3249 if (png_ptr->num_trans) 4250 if (png_ptr->num_trans)
3250 max_pixel_depth = 32; 4251 max_pixel_depth = 32;
4252
3251 else 4253 else
3252 max_pixel_depth = 24; 4254 max_pixel_depth = 24;
3253 } 4255 }
4256
3254 else if (png_ptr->color_type == PNG_COLOR_TYPE_GRAY) 4257 else if (png_ptr->color_type == PNG_COLOR_TYPE_GRAY)
3255 { 4258 {
3256 if (max_pixel_depth < 8) 4259 if (max_pixel_depth < 8)
3257 max_pixel_depth = 8; 4260 max_pixel_depth = 8;
4261
3258 if (png_ptr->num_trans) 4262 if (png_ptr->num_trans)
3259 max_pixel_depth *= 2; 4263 max_pixel_depth *= 2;
3260 } 4264 }
4265
3261 else if (png_ptr->color_type == PNG_COLOR_TYPE_RGB) 4266 else if (png_ptr->color_type == PNG_COLOR_TYPE_RGB)
3262 { 4267 {
3263 if (png_ptr->num_trans) 4268 if (png_ptr->num_trans)
3264 { 4269 {
3265 max_pixel_depth *= 4; 4270 max_pixel_depth *= 4;
3266 max_pixel_depth /= 3; 4271 max_pixel_depth /= 3;
3267 } 4272 }
3268 } 4273 }
3269 } 4274 }
3270 #endif 4275 #endif
3271 4276
4277 #ifdef PNG_READ_EXPAND_16_SUPPORTED
4278 if (png_ptr->transformations & PNG_EXPAND_16)
4279 {
4280 # ifdef PNG_READ_EXPAND_SUPPORTED
4281 /* In fact it is an error if it isn't supported, but checking is
4282 * the safe way.
4283 */
4284 if (png_ptr->transformations & PNG_EXPAND)
4285 {
4286 if (png_ptr->bit_depth < 16)
4287 max_pixel_depth *= 2;
4288 }
4289 else
4290 # endif
4291 png_ptr->transformations &= ~PNG_EXPAND_16;
4292 }
4293 #endif
4294
3272 #ifdef PNG_READ_FILLER_SUPPORTED 4295 #ifdef PNG_READ_FILLER_SUPPORTED
3273 if (png_ptr->transformations & (PNG_FILLER)) 4296 if (png_ptr->transformations & (PNG_FILLER))
3274 { 4297 {
3275 if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) 4298 if (png_ptr->color_type == PNG_COLOR_TYPE_GRAY)
3276 max_pixel_depth = 32;
3277 else if (png_ptr->color_type == PNG_COLOR_TYPE_GRAY)
3278 { 4299 {
3279 if (max_pixel_depth <= 8) 4300 if (max_pixel_depth <= 8)
3280 max_pixel_depth = 16; 4301 max_pixel_depth = 16;
4302
3281 else 4303 else
3282 max_pixel_depth = 32; 4304 max_pixel_depth = 32;
3283 } 4305 }
3284 else if (png_ptr->color_type == PNG_COLOR_TYPE_RGB) 4306
4307 else if (png_ptr->color_type == PNG_COLOR_TYPE_RGB ||
4308 png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
3285 { 4309 {
3286 if (max_pixel_depth <= 32) 4310 if (max_pixel_depth <= 32)
3287 max_pixel_depth = 32; 4311 max_pixel_depth = 32;
4312
3288 else 4313 else
3289 max_pixel_depth = 64; 4314 max_pixel_depth = 64;
3290 } 4315 }
3291 } 4316 }
3292 #endif 4317 #endif
3293 4318
3294 #ifdef PNG_READ_GRAY_TO_RGB_SUPPORTED 4319 #ifdef PNG_READ_GRAY_TO_RGB_SUPPORTED
3295 if (png_ptr->transformations & PNG_GRAY_TO_RGB) 4320 if (png_ptr->transformations & PNG_GRAY_TO_RGB)
3296 { 4321 {
3297 if ( 4322 if (
3298 #ifdef PNG_READ_EXPAND_SUPPORTED 4323 #ifdef PNG_READ_EXPAND_SUPPORTED
3299 (png_ptr->num_trans && (png_ptr->transformations & PNG_EXPAND)) || 4324 (png_ptr->num_trans && (png_ptr->transformations & PNG_EXPAND)) ||
3300 #endif 4325 #endif
3301 #ifdef PNG_READ_FILLER_SUPPORTED 4326 #ifdef PNG_READ_FILLER_SUPPORTED
3302 (png_ptr->transformations & (PNG_FILLER)) || 4327 (png_ptr->transformations & (PNG_FILLER)) ||
3303 #endif 4328 #endif
3304 png_ptr->color_type == PNG_COLOR_TYPE_GRAY_ALPHA) 4329 png_ptr->color_type == PNG_COLOR_TYPE_GRAY_ALPHA)
3305 { 4330 {
3306 if (max_pixel_depth <= 16) 4331 if (max_pixel_depth <= 16)
3307 max_pixel_depth = 32; 4332 max_pixel_depth = 32;
4333
3308 else 4334 else
3309 max_pixel_depth = 64; 4335 max_pixel_depth = 64;
3310 } 4336 }
4337
3311 else 4338 else
3312 { 4339 {
3313 if (max_pixel_depth <= 8) 4340 if (max_pixel_depth <= 8)
3314 { 4341 {
3315 if (png_ptr->color_type == PNG_COLOR_TYPE_RGB_ALPHA) 4342 if (png_ptr->color_type == PNG_COLOR_TYPE_RGB_ALPHA)
3316 max_pixel_depth = 32; 4343 max_pixel_depth = 32;
3317 else 4344
4345 else
3318 max_pixel_depth = 24; 4346 max_pixel_depth = 24;
3319 } 4347 }
4348
3320 else if (png_ptr->color_type == PNG_COLOR_TYPE_RGB_ALPHA) 4349 else if (png_ptr->color_type == PNG_COLOR_TYPE_RGB_ALPHA)
3321 max_pixel_depth = 64; 4350 max_pixel_depth = 64;
4351
3322 else 4352 else
3323 max_pixel_depth = 48; 4353 max_pixel_depth = 48;
3324 } 4354 }
3325 } 4355 }
3326 #endif 4356 #endif
3327 4357
3328 #if defined(PNG_READ_USER_TRANSFORM_SUPPORTED) && \ 4358 #if defined(PNG_READ_USER_TRANSFORM_SUPPORTED) && \
3329 defined(PNG_USER_TRANSFORM_PTR_SUPPORTED) 4359 defined(PNG_USER_TRANSFORM_PTR_SUPPORTED)
3330 if (png_ptr->transformations & PNG_USER_TRANSFORM) 4360 if (png_ptr->transformations & PNG_USER_TRANSFORM)
3331 { 4361 {
3332 int user_pixel_depth = png_ptr->user_transform_depth* 4362 int user_pixel_depth = png_ptr->user_transform_depth *
3333 png_ptr->user_transform_channels; 4363 png_ptr->user_transform_channels;
3334 if (user_pixel_depth > max_pixel_depth) 4364
3335 max_pixel_depth=user_pixel_depth; 4365 if (user_pixel_depth > max_pixel_depth)
3336 } 4366 max_pixel_depth = user_pixel_depth;
4367 }
3337 #endif 4368 #endif
3338 4369
4370 /* This value is stored in png_struct and double checked in the row read
4371 * code.
4372 */
4373 png_ptr->maximum_pixel_depth = (png_byte)max_pixel_depth;
4374 png_ptr->transformed_pixel_depth = 0; /* calculated on demand */
4375
3339 /* Align the width on the next larger 8 pixels. Mainly used 4376 /* Align the width on the next larger 8 pixels. Mainly used
3340 * for interlacing 4377 * for interlacing
3341 */ 4378 */
3342 row_bytes = ((png_ptr->width + 7) & ~((png_uint_32)7)); 4379 row_bytes = ((png_ptr->width + 7) & ~((png_uint_32)7));
3343 /* Calculate the maximum bytes needed, adding a byte and a pixel 4380 /* Calculate the maximum bytes needed, adding a byte and a pixel
3344 * for safety's sake 4381 * for safety's sake
3345 */ 4382 */
3346 row_bytes = PNG_ROWBYTES(max_pixel_depth, row_bytes) + 4383 row_bytes = PNG_ROWBYTES(max_pixel_depth, row_bytes) +
3347 1 + ((max_pixel_depth + 7) >> 3); 4384 1 + ((max_pixel_depth + 7) >> 3);
4385
3348 #ifdef PNG_MAX_MALLOC_64K 4386 #ifdef PNG_MAX_MALLOC_64K
3349 if (row_bytes > (png_uint_32)65536L) 4387 if (row_bytes > (png_uint_32)65536L)
3350 png_error(png_ptr, "This image requires a row greater than 64KB"); 4388 png_error(png_ptr, "This image requires a row greater than 64KB");
3351 #endif 4389 #endif
3352 4390
3353 if (row_bytes + 64 > png_ptr->old_big_row_buf_size) 4391 if (row_bytes + 48 > png_ptr->old_big_row_buf_size)
3354 { 4392 {
3355 png_free(png_ptr, png_ptr->big_row_buf); 4393 png_free(png_ptr, png_ptr->big_row_buf);
4394 png_free(png_ptr, png_ptr->big_prev_row);
4395
3356 if (png_ptr->interlaced) 4396 if (png_ptr->interlaced)
3357 png_ptr->big_row_buf = (png_bytep)png_calloc(png_ptr, 4397 png_ptr->big_row_buf = (png_bytep)png_calloc(png_ptr,
3358 row_bytes + 64); 4398 row_bytes + 48);
4399
3359 else 4400 else
3360 png_ptr->big_row_buf = (png_bytep)png_malloc(png_ptr, 4401 png_ptr->big_row_buf = (png_bytep)png_malloc(png_ptr, row_bytes + 48);
3361 row_bytes + 64);
3362 png_ptr->old_big_row_buf_size = row_bytes + 64;
3363 4402
3364 /* Use 32 bytes of padding before and after row_buf. */ 4403 png_ptr->big_prev_row = (png_bytep)png_malloc(png_ptr, row_bytes + 48);
3365 png_ptr->row_buf = png_ptr->big_row_buf + 32; 4404
3366 png_ptr->old_big_row_buf_size = row_bytes + 64; 4405 #ifdef PNG_ALIGNED_MEMORY_SUPPORTED
4406 /* Use 16-byte aligned memory for row_buf with at least 16 bytes
4407 * of padding before and after row_buf; treat prev_row similarly.
4408 * NOTE: the alignment is to the start of the pixels, one beyond the start
4409 * of the buffer, because of the filter byte. Prior to libpng 1.5.6 this
4410 * was incorrect; the filter byte was aligned, which had the exact
4411 * opposite effect of that intended.
4412 */
4413 {
4414 png_bytep temp = png_ptr->big_row_buf + 32;
4415 int extra = (int)((temp - (png_bytep)0) & 0x0f);
4416 png_ptr->row_buf = temp - extra - 1/*filter byte*/;
4417
4418 temp = png_ptr->big_prev_row + 32;
4419 extra = (int)((temp - (png_bytep)0) & 0x0f);
4420 png_ptr->prev_row = temp - extra - 1/*filter byte*/;
4421 }
4422
4423 #else
4424 /* Use 31 bytes of padding before and 17 bytes after row_buf. */
4425 png_ptr->row_buf = png_ptr->big_row_buf + 31;
4426 png_ptr->prev_row = png_ptr->big_prev_row + 31;
4427 #endif
4428 png_ptr->old_big_row_buf_size = row_bytes + 48;
3367 } 4429 }
3368 4430
3369 #ifdef PNG_MAX_MALLOC_64K 4431 #ifdef PNG_MAX_MALLOC_64K
3370 if ((png_uint_32)row_bytes + 1 > (png_uint_32)65536L) 4432 if (png_ptr->rowbytes > 65535)
3371 png_error(png_ptr, "This image requires a row greater than 64KB"); 4433 png_error(png_ptr, "This image requires a row greater than 64KB");
4434
3372 #endif 4435 #endif
3373 if ((png_uint_32)row_bytes > (png_uint_32)(PNG_SIZE_MAX - 1)) 4436 if (png_ptr->rowbytes > (PNG_SIZE_MAX - 1))
3374 png_error(png_ptr, "Row has too many bytes to allocate in memory."); 4437 png_error(png_ptr, "Row has too many bytes to allocate in memory");
3375 4438
3376 if (row_bytes + 1 > png_ptr->old_prev_row_size) 4439 memset(png_ptr->prev_row, 0, png_ptr->rowbytes + 1);
4440
4441 png_debug1(3, "width = %u,", png_ptr->width);
4442 png_debug1(3, "height = %u,", png_ptr->height);
4443 png_debug1(3, "iwidth = %u,", png_ptr->iwidth);
4444 png_debug1(3, "num_rows = %u,", png_ptr->num_rows);
4445 png_debug1(3, "rowbytes = %lu,", (unsigned long)png_ptr->rowbytes);
4446 png_debug1(3, "irowbytes = %lu",
4447 (unsigned long)PNG_ROWBYTES(png_ptr->pixel_depth, png_ptr->iwidth) + 1);
4448
4449 /* The sequential reader needs a buffer for IDAT, but the progressive reader
4450 * does not, so free the read buffer now regardless; the sequential reader
4451 * reallocates it on demand.
4452 */
4453 if (png_ptr->read_buffer)
3377 { 4454 {
3378 png_free(png_ptr, png_ptr->prev_row); 4455 png_bytep buffer = png_ptr->read_buffer;
3379 png_ptr->prev_row = (png_bytep)png_malloc(png_ptr, (png_uint_32)( 4456
3380 row_bytes + 1)); 4457 png_ptr->read_buffer_size = 0;
3381 png_memset_check(png_ptr, png_ptr->prev_row, 0, row_bytes + 1); 4458 png_ptr->read_buffer = NULL;
3382 png_ptr->old_prev_row_size = row_bytes + 1; 4459 png_free(png_ptr, buffer);
3383 } 4460 }
3384 4461
3385 png_ptr->rowbytes = row_bytes; 4462 /* Finally claim the zstream for the inflate of the IDAT data, use the bits
3386 4463 * value from the stream (note that this will result in a fatal error if the
3387 png_debug1(3, "width = %lu,", png_ptr->width); 4464 * IDAT stream has a bogus deflate header window_bits value, but this should
3388 png_debug1(3, "height = %lu,", png_ptr->height); 4465 * not be happening any longer!)
3389 png_debug1(3, "iwidth = %lu,", png_ptr->iwidth); 4466 */
3390 png_debug1(3, "num_rows = %lu,", png_ptr->num_rows); 4467 if (png_inflate_claim(png_ptr, png_IDAT) != Z_OK)
3391 png_debug1(3, "rowbytes = %lu,", png_ptr->rowbytes); 4468 png_error(png_ptr, png_ptr->zstream.msg);
3392 png_debug1(3, "irowbytes = %lu",
3393 PNG_ROWBYTES(png_ptr->pixel_depth, png_ptr->iwidth) + 1);
3394 4469
3395 png_ptr->flags |= PNG_FLAG_ROW_INIT; 4470 png_ptr->flags |= PNG_FLAG_ROW_INIT;
3396 } 4471 }
3397 #endif /* PNG_READ_SUPPORTED */ 4472 #endif /* PNG_READ_SUPPORTED */
OLDNEW
« no previous file with comments | « third_party/libpng/pngrtran.c ('k') | third_party/libpng/pngset.c » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698