Chameleon

Chameleon Svn Source Tree

Root/branches/cparm/i386/modules/Libpng/pngrutil.c

  • Property svn:executable set to *
1
2/* pngrutil.c - utilities to read a PNG file
3 *
4 * Last changed in libpng 1.5.10 [March 8, 2012]
5 * Copyright (c) 1998-2012 Glenn Randers-Pehrson
6 * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
7 * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
8 *
9 * This code is released under the libpng license.
10 * For conditions of distribution and use, see the disclaimer
11 * and license in png.h
12 *
13 * This file contains routines that are only called from within
14 * libpng itself during the course of reading an image.
15 */
16
17#include "pngpriv.h"
18
19#ifdef PNG_READ_SUPPORTED
20
21#define png_strtod(p,a,b) strtod(a,b)
22
23png_uint_32 PNGAPI
24png_get_uint_31(png_structp png_ptr, png_const_bytep buf)
25{
26 png_uint_32 uval = png_get_uint_32(buf);
27
28 if (uval > PNG_UINT_31_MAX)
29 png_error(png_ptr, "PNG unsigned integer out of range");
30
31 return (uval);
32}
33
34#if defined(PNG_READ_gAMA_SUPPORTED) || defined(PNG_READ_cHRM_SUPPORTED)
35/* The following is a variation on the above for use with the fixed
36 * point values used for gAMA and cHRM. Instead of png_error it
37 * issues a warning and returns (-1) - an invalid value because both
38 * gAMA and cHRM use *unsigned* integers for fixed point values.
39 */
40#define PNG_FIXED_ERROR (-1)
41
42static png_fixed_point /* PRIVATE */
43png_get_fixed_point(png_structp png_ptr, png_const_bytep buf)
44{
45 png_uint_32 uval = png_get_uint_32(buf);
46
47 if (uval <= PNG_UINT_31_MAX)
48 return (png_fixed_point)uval; /* known to be in range */
49
50 /* The caller can turn off the warning by passing NULL. */
51 if (png_ptr != NULL)
52 png_warning(png_ptr, "PNG fixed point integer out of range");
53
54 return PNG_FIXED_ERROR;
55}
56#endif
57
58#ifdef PNG_READ_INT_FUNCTIONS_SUPPORTED
59/* NOTE: the read macros will obscure these definitions, so that if
60 * PNG_USE_READ_MACROS is set the library will not use them internally,
61 * but the APIs will still be available externally.
62 *
63 * The parentheses around "PNGAPI function_name" in the following three
64 * functions are necessary because they allow the macros to co-exist with
65 * these (unused but exported) functions.
66 */
67
68/* Grab an unsigned 32-bit integer from a buffer in big-endian format. */
69png_uint_32 (PNGAPI
70png_get_uint_32)(png_const_bytep buf)
71{
72 png_uint_32 uval =
73 ((png_uint_32)(*(buf )) << 24) +
74 ((png_uint_32)(*(buf + 1)) << 16) +
75 ((png_uint_32)(*(buf + 2)) << 8) +
76 ((png_uint_32)(*(buf + 3)) ) ;
77
78 return uval;
79}
80
81/* Grab a signed 32-bit integer from a buffer in big-endian format. The
82 * data is stored in the PNG file in two's complement format and there
83 * is no guarantee that a 'png_int_32' is exactly 32 bits, therefore
84 * the following code does a two's complement to native conversion.
85 */
86png_int_32 (PNGAPI
87png_get_int_32)(png_const_bytep buf)
88{
89 png_uint_32 uval = png_get_uint_32(buf);
90 if ((uval & 0x80000000) == 0) /* non-negative */
91 return uval;
92
93 uval = (uval ^ 0xffffffff) + 1; /* 2's complement: -x = ~x+1 */
94 return -(png_int_32)uval;
95}
96
97/* Grab an unsigned 16-bit integer from a buffer in big-endian format. */
98png_uint_16 (PNGAPI
99png_get_uint_16)(png_const_bytep buf)
100{
101 /* ANSI-C requires an int value to accomodate at least 16 bits so this
102 * works and allows the compiler not to worry about possible narrowing
103 * on 32 bit systems. (Pre-ANSI systems did not make integers smaller
104 * than 16 bits either.)
105 */
106 unsigned int val =
107 ((unsigned int)(*buf) << 8) +
108 ((unsigned int)(*(buf + 1)));
109
110 return (png_uint_16)val;
111}
112
113#endif /* PNG_READ_INT_FUNCTIONS_SUPPORTED */
114
115/* Read and check the PNG file signature */
116void /* PRIVATE */
117png_read_sig(png_structp png_ptr, png_infop info_ptr)
118{
119 png_size_t num_checked, num_to_check;
120
121 /* Exit if the user application does not expect a signature. */
122 if (png_ptr->sig_bytes >= 8)
123 return;
124
125 num_checked = png_ptr->sig_bytes;
126 num_to_check = 8 - num_checked;
127
128#ifdef PNG_IO_STATE_SUPPORTED
129 png_ptr->io_state = PNG_IO_READING | PNG_IO_SIGNATURE;
130#endif
131
132 /* The signature must be serialized in a single I/O call. */
133 png_read_data(png_ptr, &(info_ptr->signature[num_checked]), num_to_check);
134 png_ptr->sig_bytes = 8;
135
136 if (png_sig_cmp(info_ptr->signature, num_checked, num_to_check))
137 {
138 if (num_checked < 4 &&
139 png_sig_cmp(info_ptr->signature, num_checked, num_to_check - 4))
140 png_error(png_ptr, "Not a PNG file");
141 else
142 png_error(png_ptr, "PNG file corrupted by ASCII conversion");
143 }
144 if (num_checked < 3)
145 png_ptr->mode |= PNG_HAVE_PNG_SIGNATURE;
146}
147
148/* Read the chunk header (length + type name).
149 * Put the type name into png_ptr->chunk_name, and return the length.
150 */
151png_uint_32 /* PRIVATE */
152png_read_chunk_header(png_structp png_ptr)
153{
154 png_byte buf[8];
155 png_uint_32 length;
156
157#ifdef PNG_IO_STATE_SUPPORTED
158 png_ptr->io_state = PNG_IO_READING | PNG_IO_CHUNK_HDR;
159#endif
160
161 /* Read the length and the chunk name.
162 * This must be performed in a single I/O call.
163 */
164 png_read_data(png_ptr, buf, 8);
165 length = png_get_uint_31(png_ptr, buf);
166
167 /* Put the chunk name into png_ptr->chunk_name. */
168 png_ptr->chunk_name = PNG_CHUNK_FROM_STRING(buf+4);
169
170 png_debug2(0, "Reading %lx chunk, length = %lu",
171 (unsigned long)png_ptr->chunk_name, (unsigned long)length);
172
173 /* Reset the crc and run it over the chunk name. */
174 png_reset_crc(png_ptr);
175 png_calculate_crc(png_ptr, buf + 4, 4);
176
177 /* Check to see if chunk name is valid. */
178 png_check_chunk_name(png_ptr, png_ptr->chunk_name);
179
180#ifdef PNG_IO_STATE_SUPPORTED
181 png_ptr->io_state = PNG_IO_READING | PNG_IO_CHUNK_DATA;
182#endif
183
184 return length;
185}
186
187/* Read data, and (optionally) run it through the CRC. */
188void /* PRIVATE */
189png_crc_read(png_structp png_ptr, png_bytep buf, png_size_t length)
190{
191 if (png_ptr == NULL)
192 return;
193
194 png_read_data(png_ptr, buf, length);
195 png_calculate_crc(png_ptr, buf, length);
196}
197
198/* Optionally skip data and then check the CRC. Depending on whether we
199 * are reading a ancillary or critical chunk, and how the program has set
200 * things up, we may calculate the CRC on the data and print a message.
201 * Returns '1' if there was a CRC error, '0' otherwise.
202 */
203int /* PRIVATE */
204png_crc_finish(png_structp png_ptr, png_uint_32 skip)
205{
206 png_size_t i;
207 png_size_t istop = png_ptr->zbuf_size;
208
209 for (i = (png_size_t)skip; i > istop; i -= istop)
210 {
211 png_crc_read(png_ptr, png_ptr->zbuf, png_ptr->zbuf_size);
212 }
213
214 if (i)
215 {
216 png_crc_read(png_ptr, png_ptr->zbuf, i);
217 }
218
219 if (png_crc_error(png_ptr))
220 {
221 if (PNG_CHUNK_ANCILLIARY(png_ptr->chunk_name) ?
222 !(png_ptr->flags & PNG_FLAG_CRC_ANCILLARY_NOWARN) :
223 (png_ptr->flags & PNG_FLAG_CRC_CRITICAL_USE))
224 {
225 png_chunk_warning(png_ptr, "CRC error");
226 }
227
228 else
229 {
230 png_chunk_benign_error(png_ptr, "CRC error");
231 return (0);
232 }
233
234 return (1);
235 }
236
237 return (0);
238}
239
240/* Compare the CRC stored in the PNG file with that calculated by libpng from
241 * the data it has read thus far.
242 */
243int /* PRIVATE */
244png_crc_error(png_structp png_ptr)
245{
246 png_byte crc_bytes[4];
247 png_uint_32 crc;
248 int need_crc = 1;
249
250 if (PNG_CHUNK_ANCILLIARY(png_ptr->chunk_name))
251 {
252 if ((png_ptr->flags & PNG_FLAG_CRC_ANCILLARY_MASK) ==
253 (PNG_FLAG_CRC_ANCILLARY_USE | PNG_FLAG_CRC_ANCILLARY_NOWARN))
254 need_crc = 0;
255 }
256
257 else /* critical */
258 {
259 if (png_ptr->flags & PNG_FLAG_CRC_CRITICAL_IGNORE)
260 need_crc = 0;
261 }
262
263#ifdef PNG_IO_STATE_SUPPORTED
264 png_ptr->io_state = PNG_IO_READING | PNG_IO_CHUNK_CRC;
265#endif
266
267 /* The chunk CRC must be serialized in a single I/O call. */
268 png_read_data(png_ptr, crc_bytes, 4);
269
270 if (need_crc)
271 {
272 crc = png_get_uint_32(crc_bytes);
273 return ((int)(crc != png_ptr->crc));
274 }
275
276 else
277 return (0);
278}
279
280#ifdef PNG_READ_COMPRESSED_TEXT_SUPPORTED
281static png_size_t
282png_inflate(png_structp png_ptr, png_bytep data, png_size_t size,
283 png_bytep output, png_size_t output_size)
284{
285 png_size_t count = 0;
286
287 /* zlib can't necessarily handle more than 65535 bytes at once (i.e. it can't
288 * even necessarily handle 65536 bytes) because the type uInt is "16 bits or
289 * more". Consequently it is necessary to chunk the input to zlib. This
290 * code uses ZLIB_IO_MAX, from pngpriv.h, as the maximum (the maximum value
291 * that can be stored in a uInt.) It is possible to set ZLIB_IO_MAX to a
292 * lower value in pngpriv.h and this may sometimes have a performance
293 * advantage, because it forces access of the input data to be separated from
294 * at least some of the use by some period of time.
295 */
296 png_ptr->zstream.next_in = data;
297 /* avail_in is set below from 'size' */
298 png_ptr->zstream.avail_in = 0;
299
300 while (1)
301 {
302 int ret, avail;
303
304 /* The setting of 'avail_in' used to be outside the loop; by setting it
305 * inside it is possible to chunk the input to zlib and simply rely on
306 * zlib to advance the 'next_in' pointer. This allows arbitrary amounts o
307 * data to be passed through zlib at the unavoidable cost of requiring a
308 * window save (memcpy of up to 32768 output bytes) every ZLIB_IO_MAX
309 * input bytes.
310 */
311 if (png_ptr->zstream.avail_in == 0 && size > 0)
312 {
313 if (size <= ZLIB_IO_MAX)
314 {
315 /* The value is less than ZLIB_IO_MAX so the cast is safe: */
316 png_ptr->zstream.avail_in = (uInt)size;
317 size = 0;
318 }
319
320 else
321 {
322 png_ptr->zstream.avail_in = ZLIB_IO_MAX;
323 size -= ZLIB_IO_MAX;
324 }
325 }
326
327 /* Reset the output buffer each time round - we empty it
328 * after every inflate call.
329 */
330 png_ptr->zstream.next_out = png_ptr->zbuf;
331 png_ptr->zstream.avail_out = png_ptr->zbuf_size;
332
333#if 1
334 ret = inflate(&png_ptr->zstream, Z_NO_FLUSH);
335#else
336 int flush = Z_NO_FLUSH;
337 execut_hook("inflate", &png_ptr->zstream, &flush, &ret, NULL, NULL, NULL );
338#endif
339 avail = png_ptr->zbuf_size - png_ptr->zstream.avail_out;
340
341 /* First copy/count any new output - but only if we didn't
342 * get an error code.
343 */
344 if ((ret == Z_OK || ret == Z_STREAM_END) && avail > 0)
345 {
346 png_size_t space = avail; /* > 0, see above */
347
348 if (output != 0 && output_size > count)
349 {
350 png_size_t copy = output_size - count;
351
352 if (space < copy)
353 copy = space;
354
355 png_memcpy(output + count, png_ptr->zbuf, copy);
356 }
357 count += space;
358 }
359
360 if (ret == Z_OK)
361 continue;
362
363 /* Termination conditions - always reset the zstream, it
364 * must be left in inflateInit state.
365 */
366 png_ptr->zstream.avail_in = 0;
367#if 1
368 inflateReset(&png_ptr->zstream);
369#else
370 int resetret;
371 execut_hook("inflateReset", &png_ptr->zstream &resetret, NULL, NULL, NULL, NULL );
372#endif
373 if (ret == Z_STREAM_END)
374 return count; /* NOTE: may be zero. */
375
376 /* Now handle the error codes - the API always returns 0
377 * and the error message is dumped into the uncompressed
378 * buffer if available.
379 */
380# ifdef PNG_WARNINGS_SUPPORTED
381 {
382 png_const_charp msg;
383
384 if (png_ptr->zstream.msg != 0)
385 msg = png_ptr->zstream.msg;
386
387 else switch (ret)
388 {
389 case Z_BUF_ERROR:
390 msg = "Buffer error in compressed datastream";
391 break;
392
393 case Z_DATA_ERROR:
394 msg = "Data error in compressed datastream";
395 break;
396
397 default:
398 msg = "Incomplete compressed datastream";
399 break;
400 }
401
402 png_chunk_warning(png_ptr, msg);
403 }
404# endif
405
406 /* 0 means an error - notice that this code simply ignores
407 * zero length compressed chunks as a result.
408 */
409 return 0;
410 }
411}
412
413/*
414 * Decompress trailing data in a chunk. The assumption is that chunkdata
415 * points at an allocated area holding the contents of a chunk with a
416 * trailing compressed part. What we get back is an allocated area
417 * holding the original prefix part and an uncompressed version of the
418 * trailing part (the malloc area passed in is freed).
419 */
420void /* PRIVATE */
421png_decompress_chunk(png_structp png_ptr, int comp_type,
422 png_size_t chunklength,
423 png_size_t prefix_size, png_size_t *newlength)
424{
425 /* The caller should guarantee this */
426 if (prefix_size > chunklength)
427 {
428 /* The recovery is to delete the chunk. */
429 png_warning(png_ptr, "invalid chunklength");
430 prefix_size = 0; /* To delete everything */
431 }
432
433 else if (comp_type == PNG_COMPRESSION_TYPE_BASE)
434 {
435 png_size_t expanded_size = png_inflate(png_ptr,
436 (png_bytep)(png_ptr->chunkdata + prefix_size),
437 chunklength - prefix_size,
438 0, /* output */
439 0); /* output size */
440
441 /* Now check the limits on this chunk - if the limit fails the
442 * compressed data will be removed, the prefix will remain.
443 */
444 if (prefix_size >= (~(png_size_t)0) - 1 ||
445 expanded_size >= (~(png_size_t)0) - 1 - prefix_size
446#ifdef PNG_USER_LIMITS_SUPPORTED
447 || (png_ptr->user_chunk_malloc_max &&
448 (prefix_size + expanded_size >= png_ptr->user_chunk_malloc_max - 1))
449#else
450 || ((PNG_USER_CHUNK_MALLOC_MAX > 0) &&
451 prefix_size + expanded_size >= PNG_USER_CHUNK_MALLOC_MAX - 1)
452#endif
453 )
454 png_warning(png_ptr, "Exceeded size limit while expanding chunk");
455
456 /* If the size is zero either there was an error and a message
457 * has already been output (warning) or the size really is zero
458 * and we have nothing to do - the code will exit through the
459 * error case below.
460 */
461 else if (expanded_size > 0)
462 {
463 /* Success (maybe) - really uncompress the chunk. */
464 png_size_t new_size = 0;
465 png_charp text = (png_charp)png_malloc_warn(png_ptr,
466 prefix_size + expanded_size + 1);
467
468 if (text != NULL)
469 {
470 png_memcpy(text, png_ptr->chunkdata, prefix_size);
471 new_size = png_inflate(png_ptr,
472 (png_bytep)(png_ptr->chunkdata + prefix_size),
473 chunklength - prefix_size,
474 (png_bytep)(text + prefix_size), expanded_size);
475 text[prefix_size + expanded_size] = 0; /* just in case */
476
477 if (new_size == expanded_size)
478 {
479 png_free(png_ptr, png_ptr->chunkdata);
480 png_ptr->chunkdata = text;
481 *newlength = prefix_size + expanded_size;
482 return; /* The success return! */
483 }
484
485 png_warning(png_ptr, "png_inflate logic error");
486 png_free(png_ptr, text);
487 }
488
489 else
490 png_warning(png_ptr, "Not enough memory to decompress chunk");
491 }
492 }
493
494 else /* if (comp_type != PNG_COMPRESSION_TYPE_BASE) */
495 {
496 PNG_WARNING_PARAMETERS(p)
497 png_warning_parameter_signed(p, 1, PNG_NUMBER_FORMAT_d, comp_type);
498 png_formatted_warning(png_ptr, p, "Unknown compression type @1");
499
500 /* The recovery is to simply drop the data. */
501 }
502
503 /* Generic error return - leave the prefix, delete the compressed
504 * data, reallocate the chunkdata to remove the potentially large
505 * amount of compressed data.
506 */
507 {
508 png_charp text = (png_charp)png_malloc_warn(png_ptr, prefix_size + 1);
509
510 if (text != NULL)
511 {
512 if (prefix_size > 0)
513 png_memcpy(text, png_ptr->chunkdata, prefix_size);
514
515 png_free(png_ptr, png_ptr->chunkdata);
516 png_ptr->chunkdata = text;
517
518 /* This is an extra zero in the 'uncompressed' part. */
519 *(png_ptr->chunkdata + prefix_size) = 0x00;
520 }
521 /* Ignore a malloc error here - it is safe. */
522 }
523
524 *newlength = prefix_size;
525}
526#endif /* PNG_READ_COMPRESSED_TEXT_SUPPORTED */
527
528/* Read and check the IDHR chunk */
529void /* PRIVATE */
530png_handle_IHDR(png_structp png_ptr, png_infop info_ptr, png_uint_32 length)
531{
532 png_byte buf[13];
533 png_uint_32 width, height;
534 int bit_depth, color_type, compression_type, filter_type;
535 int interlace_type;
536
537 png_debug(1, "in png_handle_IHDR");
538
539 if (png_ptr->mode & PNG_HAVE_IHDR)
540 png_error(png_ptr, "Out of place IHDR");
541
542 /* Check the length */
543 if (length != 13)
544 png_error(png_ptr, "Invalid IHDR chunk");
545
546 png_ptr->mode |= PNG_HAVE_IHDR;
547
548 png_crc_read(png_ptr, buf, 13);
549 png_crc_finish(png_ptr, 0);
550
551 width = png_get_uint_31(png_ptr, buf);
552 height = png_get_uint_31(png_ptr, buf + 4);
553 bit_depth = buf[8];
554 color_type = buf[9];
555 compression_type = buf[10];
556 filter_type = buf[11];
557 interlace_type = buf[12];
558
559 /* Set internal variables */
560 png_ptr->width = width;
561 png_ptr->height = height;
562 png_ptr->bit_depth = (png_byte)bit_depth;
563 png_ptr->interlaced = (png_byte)interlace_type;
564 png_ptr->color_type = (png_byte)color_type;
565#ifdef PNG_MNG_FEATURES_SUPPORTED
566 png_ptr->filter_type = (png_byte)filter_type;
567#endif
568 png_ptr->compression_type = (png_byte)compression_type;
569
570 /* Find number of channels */
571 switch (png_ptr->color_type)
572 {
573 default: /* invalid, png_set_IHDR calls png_error */
574 case PNG_COLOR_TYPE_GRAY:
575 case PNG_COLOR_TYPE_PALETTE:
576 png_ptr->channels = 1;
577 break;
578
579 case PNG_COLOR_TYPE_RGB:
580 png_ptr->channels = 3;
581 break;
582
583 case PNG_COLOR_TYPE_GRAY_ALPHA:
584 png_ptr->channels = 2;
585 break;
586
587 case PNG_COLOR_TYPE_RGB_ALPHA:
588 png_ptr->channels = 4;
589 break;
590 }
591
592 /* Set up other useful info */
593 png_ptr->pixel_depth = (png_byte)(png_ptr->bit_depth *
594 png_ptr->channels);
595 png_ptr->rowbytes = PNG_ROWBYTES(png_ptr->pixel_depth, png_ptr->width);
596 png_debug1(3, "bit_depth = %d", png_ptr->bit_depth);
597 png_debug1(3, "channels = %d", png_ptr->channels);
598 png_debug1(3, "rowbytes = %lu", (unsigned long)png_ptr->rowbytes);
599 png_set_IHDR(png_ptr, info_ptr, width, height, bit_depth,
600 color_type, interlace_type, compression_type, filter_type);
601}
602
603/* Read and check the palette */
604void /* PRIVATE */
605png_handle_PLTE(png_structp png_ptr, png_infop info_ptr, png_uint_32 length)
606{
607 png_color palette[PNG_MAX_PALETTE_LENGTH];
608 int num, i;
609#ifdef PNG_POINTER_INDEXING_SUPPORTED
610 png_colorp pal_ptr;
611#endif
612
613 png_debug(1, "in png_handle_PLTE");
614
615 if (!(png_ptr->mode & PNG_HAVE_IHDR))
616 png_error(png_ptr, "Missing IHDR before PLTE");
617
618 else if (png_ptr->mode & PNG_HAVE_IDAT)
619 {
620 png_warning(png_ptr, "Invalid PLTE after IDAT");
621 png_crc_finish(png_ptr, length);
622 return;
623 }
624
625 else if (png_ptr->mode & PNG_HAVE_PLTE)
626 png_error(png_ptr, "Duplicate PLTE chunk");
627
628 png_ptr->mode |= PNG_HAVE_PLTE;
629
630 if (!(png_ptr->color_type&PNG_COLOR_MASK_COLOR))
631 {
632 png_warning(png_ptr,
633 "Ignoring PLTE chunk in grayscale PNG");
634 png_crc_finish(png_ptr, length);
635 return;
636 }
637
638#ifndef PNG_READ_OPT_PLTE_SUPPORTED
639 if (png_ptr->color_type != PNG_COLOR_TYPE_PALETTE)
640 {
641 png_crc_finish(png_ptr, length);
642 return;
643 }
644#endif
645
646 if (length > 3*PNG_MAX_PALETTE_LENGTH || length % 3)
647 {
648 if (png_ptr->color_type != PNG_COLOR_TYPE_PALETTE)
649 {
650 png_warning(png_ptr, "Invalid palette chunk");
651 png_crc_finish(png_ptr, length);
652 return;
653 }
654
655 else
656 {
657 png_error(png_ptr, "Invalid palette chunk");
658 }
659 }
660
661 num = (int)length / 3;
662
663#ifdef PNG_POINTER_INDEXING_SUPPORTED
664 for (i = 0, pal_ptr = palette; i < num; i++, pal_ptr++)
665 {
666 png_byte buf[3];
667
668 png_crc_read(png_ptr, buf, 3);
669 pal_ptr->red = buf[0];
670 pal_ptr->green = buf[1];
671 pal_ptr->blue = buf[2];
672 }
673#else
674 for (i = 0; i < num; i++)
675 {
676 png_byte buf[3];
677
678 png_crc_read(png_ptr, buf, 3);
679 /* Don't depend upon png_color being any order */
680 palette[i].red = buf[0];
681 palette[i].green = buf[1];
682 palette[i].blue = buf[2];
683 }
684#endif
685
686 /* If we actually need the PLTE chunk (ie for a paletted image), we do
687 * whatever the normal CRC configuration tells us. However, if we
688 * have an RGB image, the PLTE can be considered ancillary, so
689 * we will act as though it is.
690 */
691#ifndef PNG_READ_OPT_PLTE_SUPPORTED
692 if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
693#endif
694 {
695 png_crc_finish(png_ptr, 0);
696 }
697
698#ifndef PNG_READ_OPT_PLTE_SUPPORTED
699 else if (png_crc_error(png_ptr)) /* Only if we have a CRC error */
700 {
701 /* If we don't want to use the data from an ancillary chunk,
702 * we have two options: an error abort, or a warning and we
703 * ignore the data in this chunk (which should be OK, since
704 * it's considered ancillary for a RGB or RGBA image).
705 */
706 if (!(png_ptr->flags & PNG_FLAG_CRC_ANCILLARY_USE))
707 {
708 if (png_ptr->flags & PNG_FLAG_CRC_ANCILLARY_NOWARN)
709 {
710 png_chunk_benign_error(png_ptr, "CRC error");
711 }
712
713 else
714 {
715 png_chunk_warning(png_ptr, "CRC error");
716 return;
717 }
718 }
719
720 /* Otherwise, we (optionally) emit a warning and use the chunk. */
721 else if (!(png_ptr->flags & PNG_FLAG_CRC_ANCILLARY_NOWARN))
722 {
723 png_chunk_warning(png_ptr, "CRC error");
724 }
725 }
726#endif
727
728 png_set_PLTE(png_ptr, info_ptr, palette, num);
729
730#ifdef PNG_READ_tRNS_SUPPORTED
731 if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
732 {
733 if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_tRNS))
734 {
735 if (png_ptr->num_trans > (png_uint_16)num)
736 {
737 png_warning(png_ptr, "Truncating incorrect tRNS chunk length");
738 png_ptr->num_trans = (png_uint_16)num;
739 }
740
741 if (info_ptr->num_trans > (png_uint_16)num)
742 {
743 png_warning(png_ptr, "Truncating incorrect info tRNS chunk length");
744 info_ptr->num_trans = (png_uint_16)num;
745 }
746 }
747 }
748#endif
749
750}
751
752void /* PRIVATE */
753png_handle_IEND(png_structp png_ptr, png_infop info_ptr, png_uint_32 length)
754{
755 png_debug(1, "in png_handle_IEND");
756
757 if (!(png_ptr->mode & PNG_HAVE_IHDR) || !(png_ptr->mode & PNG_HAVE_IDAT))
758 {
759 png_error(png_ptr, "No image in file");
760 }
761
762 png_ptr->mode |= (PNG_AFTER_IDAT | PNG_HAVE_IEND);
763
764 if (length != 0)
765 {
766 png_warning(png_ptr, "Incorrect IEND chunk length");
767 }
768
769 png_crc_finish(png_ptr, length);
770
771 PNG_UNUSED(info_ptr) /* Quiet compiler warnings about unused info_ptr */
772}
773
774#ifdef PNG_READ_gAMA_SUPPORTED
775void /* PRIVATE */
776png_handle_gAMA(png_structp png_ptr, png_infop info_ptr, png_uint_32 length)
777{
778 png_fixed_point igamma;
779 png_byte buf[4];
780
781 png_debug(1, "in png_handle_gAMA");
782
783 if (!(png_ptr->mode & PNG_HAVE_IHDR))
784 png_error(png_ptr, "Missing IHDR before gAMA");
785
786 else if (png_ptr->mode & PNG_HAVE_IDAT)
787 {
788 png_warning(png_ptr, "Invalid gAMA after IDAT");
789 png_crc_finish(png_ptr, length);
790 return;
791 }
792
793 else if (png_ptr->mode & PNG_HAVE_PLTE)
794 /* Should be an error, but we can cope with it */
795 png_warning(png_ptr, "Out of place gAMA chunk");
796
797 if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_gAMA)
798#ifdef PNG_READ_sRGB_SUPPORTED
799 && !(info_ptr->valid & PNG_INFO_sRGB)
800#endif
801 )
802 {
803 png_warning(png_ptr, "Duplicate gAMA chunk");
804 png_crc_finish(png_ptr, length);
805 return;
806 }
807
808 if (length != 4)
809 {
810 png_warning(png_ptr, "Incorrect gAMA chunk length");
811 png_crc_finish(png_ptr, length);
812 return;
813 }
814
815 png_crc_read(png_ptr, buf, 4);
816
817 if (png_crc_finish(png_ptr, 0))
818 return;
819
820 igamma = png_get_fixed_point(NULL, buf);
821
822 /* Check for zero gamma or an error. */
823 if (igamma <= 0)
824 {
825 png_warning(png_ptr,
826 "Ignoring gAMA chunk with out of range gamma");
827
828 return;
829 }
830
831# ifdef PNG_READ_sRGB_SUPPORTED
832 if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_sRGB))
833 {
834 if (PNG_OUT_OF_RANGE(igamma, 45500, 500))
835 {
836 PNG_WARNING_PARAMETERS(p)
837 png_warning_parameter_signed(p, 1, PNG_NUMBER_FORMAT_fixed, igamma);
838 png_formatted_warning(png_ptr, p,
839 "Ignoring incorrect gAMA value @1 when sRGB is also present");
840 return;
841 }
842 }
843# endif /* PNG_READ_sRGB_SUPPORTED */
844
845# ifdef PNG_READ_GAMMA_SUPPORTED
846 /* Gamma correction on read is supported. */
847 png_ptr->gamma = igamma;
848# endif
849 /* And set the 'info' structure members. */
850 png_set_gAMA_fixed(png_ptr, info_ptr, igamma);
851}
852#endif
853
854#ifdef PNG_READ_sBIT_SUPPORTED
855void /* PRIVATE */
856png_handle_sBIT(png_structp png_ptr, png_infop info_ptr, png_uint_32 length)
857{
858 png_size_t truelen;
859 png_byte buf[4];
860
861 png_debug(1, "in png_handle_sBIT");
862
863 buf[0] = buf[1] = buf[2] = buf[3] = 0;
864
865 if (!(png_ptr->mode & PNG_HAVE_IHDR))
866 png_error(png_ptr, "Missing IHDR before sBIT");
867
868 else if (png_ptr->mode & PNG_HAVE_IDAT)
869 {
870 png_warning(png_ptr, "Invalid sBIT after IDAT");
871 png_crc_finish(png_ptr, length);
872 return;
873 }
874
875 else if (png_ptr->mode & PNG_HAVE_PLTE)
876 {
877 /* Should be an error, but we can cope with it */
878 png_warning(png_ptr, "Out of place sBIT chunk");
879 }
880
881 if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_sBIT))
882 {
883 png_warning(png_ptr, "Duplicate sBIT chunk");
884 png_crc_finish(png_ptr, length);
885 return;
886 }
887
888 if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
889 truelen = 3;
890
891 else
892 truelen = (png_size_t)png_ptr->channels;
893
894 if (length != truelen || length > 4)
895 {
896 png_warning(png_ptr, "Incorrect sBIT chunk length");
897 png_crc_finish(png_ptr, length);
898 return;
899 }
900
901 png_crc_read(png_ptr, buf, truelen);
902
903 if (png_crc_finish(png_ptr, 0))
904 return;
905
906 if (png_ptr->color_type & PNG_COLOR_MASK_COLOR)
907 {
908 png_ptr->sig_bit.red = buf[0];
909 png_ptr->sig_bit.green = buf[1];
910 png_ptr->sig_bit.blue = buf[2];
911 png_ptr->sig_bit.alpha = buf[3];
912 }
913
914 else
915 {
916 png_ptr->sig_bit.gray = buf[0];
917 png_ptr->sig_bit.red = buf[0];
918 png_ptr->sig_bit.green = buf[0];
919 png_ptr->sig_bit.blue = buf[0];
920 png_ptr->sig_bit.alpha = buf[1];
921 }
922
923 png_set_sBIT(png_ptr, info_ptr, &(png_ptr->sig_bit));
924}
925#endif
926
927#ifdef PNG_READ_cHRM_SUPPORTED
928void /* PRIVATE */
929png_handle_cHRM(png_structp png_ptr, png_infop info_ptr, png_uint_32 length)
930{
931 png_byte buf[32];
932 png_fixed_point x_white, y_white, x_red, y_red, x_green, y_green, x_blue,
933 y_blue;
934
935 png_debug(1, "in png_handle_cHRM");
936
937 if (!(png_ptr->mode & PNG_HAVE_IHDR))
938 png_error(png_ptr, "Missing IHDR before cHRM");
939
940 else if (png_ptr->mode & PNG_HAVE_IDAT)
941 {
942 png_warning(png_ptr, "Invalid cHRM after IDAT");
943 png_crc_finish(png_ptr, length);
944 return;
945 }
946
947 else if (png_ptr->mode & PNG_HAVE_PLTE)
948 /* Should be an error, but we can cope with it */
949 png_warning(png_ptr, "Out of place cHRM chunk");
950
951 if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_cHRM)
952# ifdef PNG_READ_sRGB_SUPPORTED
953 && !(info_ptr->valid & PNG_INFO_sRGB)
954# endif
955 )
956 {
957 png_warning(png_ptr, "Duplicate cHRM chunk");
958 png_crc_finish(png_ptr, length);
959 return;
960 }
961
962 if (length != 32)
963 {
964 png_warning(png_ptr, "Incorrect cHRM chunk length");
965 png_crc_finish(png_ptr, length);
966 return;
967 }
968
969 png_crc_read(png_ptr, buf, 32);
970
971 if (png_crc_finish(png_ptr, 0))
972 return;
973
974 x_white = png_get_fixed_point(NULL, buf);
975 y_white = png_get_fixed_point(NULL, buf + 4);
976 x_red = png_get_fixed_point(NULL, buf + 8);
977 y_red = png_get_fixed_point(NULL, buf + 12);
978 x_green = png_get_fixed_point(NULL, buf + 16);
979 y_green = png_get_fixed_point(NULL, buf + 20);
980 x_blue = png_get_fixed_point(NULL, buf + 24);
981 y_blue = png_get_fixed_point(NULL, buf + 28);
982
983 if (x_white == PNG_FIXED_ERROR ||
984 y_white == PNG_FIXED_ERROR ||
985 x_red == PNG_FIXED_ERROR ||
986 y_red == PNG_FIXED_ERROR ||
987 x_green == PNG_FIXED_ERROR ||
988 y_green == PNG_FIXED_ERROR ||
989 x_blue == PNG_FIXED_ERROR ||
990 y_blue == PNG_FIXED_ERROR)
991 {
992 png_warning(png_ptr, "Ignoring cHRM chunk with negative chromaticities");
993 return;
994 }
995
996#ifdef PNG_READ_sRGB_SUPPORTED
997 if ((info_ptr != NULL) && (info_ptr->valid & PNG_INFO_sRGB))
998 {
999 if (PNG_OUT_OF_RANGE(x_white, 31270, 1000) ||
1000 PNG_OUT_OF_RANGE(y_white, 32900, 1000) ||
1001 PNG_OUT_OF_RANGE(x_red, 64000, 1000) ||
1002 PNG_OUT_OF_RANGE(y_red, 33000, 1000) ||
1003 PNG_OUT_OF_RANGE(x_green, 30000, 1000) ||
1004 PNG_OUT_OF_RANGE(y_green, 60000, 1000) ||
1005 PNG_OUT_OF_RANGE(x_blue, 15000, 1000) ||
1006 PNG_OUT_OF_RANGE(y_blue, 6000, 1000))
1007 {
1008 PNG_WARNING_PARAMETERS(p)
1009
1010 png_warning_parameter_signed(p, 1, PNG_NUMBER_FORMAT_fixed, x_white);
1011 png_warning_parameter_signed(p, 2, PNG_NUMBER_FORMAT_fixed, y_white);
1012 png_warning_parameter_signed(p, 3, PNG_NUMBER_FORMAT_fixed, x_red);
1013 png_warning_parameter_signed(p, 4, PNG_NUMBER_FORMAT_fixed, y_red);
1014 png_warning_parameter_signed(p, 5, PNG_NUMBER_FORMAT_fixed, x_green);
1015 png_warning_parameter_signed(p, 6, PNG_NUMBER_FORMAT_fixed, y_green);
1016 png_warning_parameter_signed(p, 7, PNG_NUMBER_FORMAT_fixed, x_blue);
1017 png_warning_parameter_signed(p, 8, PNG_NUMBER_FORMAT_fixed, y_blue);
1018
1019 png_formatted_warning(png_ptr, p,
1020 "Ignoring incorrect cHRM white(@1,@2) r(@3,@4)g(@5,@6)b(@7,@8) "
1021 "when sRGB is also present");
1022 }
1023 return;
1024 }
1025#endif /* PNG_READ_sRGB_SUPPORTED */
1026
1027#ifdef PNG_READ_RGB_TO_GRAY_SUPPORTED
1028 /* Store the _white values as default coefficients for the rgb to gray
1029 * operation if it is supported. Check if the transform is already set to
1030 * avoid destroying the transform values.
1031 */
1032 if (!png_ptr->rgb_to_gray_coefficients_set)
1033 {
1034 /* png_set_background has not been called and we haven't seen an sRGB
1035 * chunk yet. Find the XYZ of the three end points.
1036 */
1037 png_XYZ XYZ;
1038 png_xy xy;
1039
1040 xy.redx = x_red;
1041 xy.redy = y_red;
1042 xy.greenx = x_green;
1043 xy.greeny = y_green;
1044 xy.bluex = x_blue;
1045 xy.bluey = y_blue;
1046 xy.whitex = x_white;
1047 xy.whitey = y_white;
1048
1049 if (png_XYZ_from_xy_checked(png_ptr, &XYZ, xy))
1050 {
1051 /* The success case, because XYZ_from_xy normalises to a reference
1052 * white Y of 1.0 we just need to scale the numbers. This should
1053 * always work just fine. It is an internal error if this overflows.
1054 */
1055 {
1056 png_fixed_point r, g, b;
1057 if (png_muldiv(&r, XYZ.redY, 32768, PNG_FP_1) &&
1058 r >= 0 && r <= 32768 &&
1059 png_muldiv(&g, XYZ.greenY, 32768, PNG_FP_1) &&
1060 g >= 0 && g <= 32768 &&
1061 png_muldiv(&b, XYZ.blueY, 32768, PNG_FP_1) &&
1062 b >= 0 && b <= 32768 &&
1063 r+g+b <= 32769)
1064 {
1065 /* We allow 0 coefficients here. r+g+b may be 32769 if two or
1066 * all of the coefficients were rounded up. Handle this by
1067 * reducing the *largest* coefficient by 1; this matches the
1068 * approach used for the default coefficients in pngrtran.c
1069 */
1070 int add = 0;
1071
1072 if (r+g+b > 32768)
1073 add = -1;
1074 else if (r+g+b < 32768)
1075 add = 1;
1076
1077 if (add != 0)
1078 {
1079 if (g >= r && g >= b)
1080 g += add;
1081 else if (r >= g && r >= b)
1082 r += add;
1083 else
1084 b += add;
1085 }
1086
1087 /* Check for an internal error. */
1088 if (r+g+b != 32768)
1089 png_error(png_ptr,
1090 "internal error handling cHRM coefficients");
1091
1092 png_ptr->rgb_to_gray_red_coeff = (png_uint_16)r;
1093 png_ptr->rgb_to_gray_green_coeff = (png_uint_16)g;
1094 }
1095
1096 /* This is a png_error at present even though it could be ignored -
1097 * it should never happen, but it is important that if it does, the
1098 * bug is fixed.
1099 */
1100 else
1101 png_error(png_ptr, "internal error handling cHRM->XYZ");
1102 }
1103 }
1104 }
1105#endif
1106
1107 png_set_cHRM_fixed(png_ptr, info_ptr, x_white, y_white, x_red, y_red,
1108 x_green, y_green, x_blue, y_blue);
1109}
1110#endif
1111
1112#ifdef PNG_READ_sRGB_SUPPORTED
1113void /* PRIVATE */
1114png_handle_sRGB(png_structp png_ptr, png_infop info_ptr, png_uint_32 length)
1115{
1116 int intent;
1117 png_byte buf[1];
1118
1119 png_debug(1, "in png_handle_sRGB");
1120
1121 if (!(png_ptr->mode & PNG_HAVE_IHDR))
1122 png_error(png_ptr, "Missing IHDR before sRGB");
1123
1124 else if (png_ptr->mode & PNG_HAVE_IDAT)
1125 {
1126 png_warning(png_ptr, "Invalid sRGB after IDAT");
1127 png_crc_finish(png_ptr, length);
1128 return;
1129 }
1130
1131 else if (png_ptr->mode & PNG_HAVE_PLTE)
1132 /* Should be an error, but we can cope with it */
1133 png_warning(png_ptr, "Out of place sRGB chunk");
1134
1135 if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_sRGB))
1136 {
1137 png_warning(png_ptr, "Duplicate sRGB chunk");
1138 png_crc_finish(png_ptr, length);
1139 return;
1140 }
1141
1142 if (length != 1)
1143 {
1144 png_warning(png_ptr, "Incorrect sRGB chunk length");
1145 png_crc_finish(png_ptr, length);
1146 return;
1147 }
1148
1149 png_crc_read(png_ptr, buf, 1);
1150
1151 if (png_crc_finish(png_ptr, 0))
1152 return;
1153
1154 intent = buf[0];
1155
1156 /* Check for bad intent */
1157 if (intent >= PNG_sRGB_INTENT_LAST)
1158 {
1159 png_warning(png_ptr, "Unknown sRGB intent");
1160 return;
1161 }
1162
1163#if defined(PNG_READ_gAMA_SUPPORTED) && defined(PNG_READ_GAMMA_SUPPORTED)
1164 if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_gAMA))
1165 {
1166 if (PNG_OUT_OF_RANGE(info_ptr->gamma, 45500, 500))
1167 {
1168 PNG_WARNING_PARAMETERS(p)
1169
1170 png_warning_parameter_signed(p, 1, PNG_NUMBER_FORMAT_fixed,
1171 info_ptr->gamma);
1172
1173 png_formatted_warning(png_ptr, p,
1174 "Ignoring incorrect gAMA value @1 when sRGB is also present");
1175 }
1176 }
1177#endif /* PNG_READ_gAMA_SUPPORTED */
1178
1179#ifdef PNG_READ_cHRM_SUPPORTED
1180 if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_cHRM))
1181 if (PNG_OUT_OF_RANGE(info_ptr->x_white, 31270, 1000) ||
1182 PNG_OUT_OF_RANGE(info_ptr->y_white, 32900, 1000) ||
1183 PNG_OUT_OF_RANGE(info_ptr->x_red, 64000, 1000) ||
1184 PNG_OUT_OF_RANGE(info_ptr->y_red, 33000, 1000) ||
1185 PNG_OUT_OF_RANGE(info_ptr->x_green, 30000, 1000) ||
1186 PNG_OUT_OF_RANGE(info_ptr->y_green, 60000, 1000) ||
1187 PNG_OUT_OF_RANGE(info_ptr->x_blue, 15000, 1000) ||
1188 PNG_OUT_OF_RANGE(info_ptr->y_blue, 6000, 1000))
1189 {
1190 png_warning(png_ptr,
1191 "Ignoring incorrect cHRM value when sRGB is also present");
1192 }
1193#endif /* PNG_READ_cHRM_SUPPORTED */
1194
1195 /* This is recorded for use when handling the cHRM chunk above. An sRGB
1196 * chunk unconditionally overwrites the coefficients for grayscale conversion
1197 * too.
1198 */
1199 png_ptr->is_sRGB = 1;
1200
1201# ifdef PNG_READ_RGB_TO_GRAY_SUPPORTED
1202 /* Don't overwrite user supplied values: */
1203 if (!png_ptr->rgb_to_gray_coefficients_set)
1204 {
1205 /* These numbers come from the sRGB specification (or, since one has to
1206 * pay much money to get a copy, the wikipedia sRGB page) the
1207 * chromaticity values quoted have been inverted to get the reverse
1208 * transformation from RGB to XYZ and the 'Y' coefficients scaled by
1209 * 32768 (then rounded).
1210 *
1211 * sRGB and ITU Rec-709 both truncate the values for the D65 white
1212 * point to four digits and, even though it actually stores five
1213 * digits, the PNG spec gives the truncated value.
1214 *
1215 * This means that when the chromaticities are converted back to XYZ
1216 * end points we end up with (6968,23435,2366), which, as described in
1217 * pngrtran.c, would overflow. If the five digit precision and up is
1218 * used we get, instead:
1219 *
1220 * 6968*R + 23435*G + 2365*B
1221 *
1222 * (Notice that this rounds the blue coefficient down, rather than the
1223 * choice used in pngrtran.c which is to round the green one down.)
1224 */
1225 png_ptr->rgb_to_gray_red_coeff = 6968; /* 0.212639005871510 */
1226 png_ptr->rgb_to_gray_green_coeff = 23434; /* 0.715168678767756 */
1227 /* png_ptr->rgb_to_gray_blue_coeff = 2366; 0.072192315360734*/
1228
1229 /* The following keeps the cHRM chunk from destroying the
1230 * coefficients again in the event that it follows the sRGB chunk.
1231 */
1232 png_ptr->rgb_to_gray_coefficients_set = 1;
1233 }
1234# endif
1235
1236 png_set_sRGB_gAMA_and_cHRM(png_ptr, info_ptr, intent);
1237}
1238#endif /* PNG_READ_sRGB_SUPPORTED */
1239
1240#ifdef PNG_READ_iCCP_SUPPORTED
1241void /* PRIVATE */
1242png_handle_iCCP(png_structp png_ptr, png_infop info_ptr, png_uint_32 length)
1243/* Note: this does not properly handle chunks that are > 64K under DOS */
1244{
1245 png_byte compression_type;
1246 png_bytep pC;
1247 png_charp profile;
1248 png_uint_32 skip = 0;
1249 png_uint_32 profile_size;
1250 png_alloc_size_t profile_length;
1251 png_size_t slength, prefix_length, data_length;
1252
1253 png_debug(1, "in png_handle_iCCP");
1254
1255 if (!(png_ptr->mode & PNG_HAVE_IHDR))
1256 png_error(png_ptr, "Missing IHDR before iCCP");
1257
1258 else if (png_ptr->mode & PNG_HAVE_IDAT)
1259 {
1260 png_warning(png_ptr, "Invalid iCCP after IDAT");
1261 png_crc_finish(png_ptr, length);
1262 return;
1263 }
1264
1265 else if (png_ptr->mode & PNG_HAVE_PLTE)
1266 /* Should be an error, but we can cope with it */
1267 png_warning(png_ptr, "Out of place iCCP chunk");
1268
1269 if ((png_ptr->mode & PNG_HAVE_iCCP) || (info_ptr != NULL &&
1270 (info_ptr->valid & (PNG_INFO_iCCP|PNG_INFO_sRGB))))
1271 {
1272 png_warning(png_ptr, "Duplicate iCCP chunk");
1273 png_crc_finish(png_ptr, length);
1274 return;
1275 }
1276
1277 png_ptr->mode |= PNG_HAVE_iCCP;
1278
1279#ifdef PNG_MAX_MALLOC_64K
1280 if (length > (png_uint_32)65535L)
1281 {
1282 png_warning(png_ptr, "iCCP chunk too large to fit in memory");
1283 skip = length - (png_uint_32)65535L;
1284 length = (png_uint_32)65535L;
1285 }
1286#endif
1287
1288 png_free(png_ptr, png_ptr->chunkdata);
1289 png_ptr->chunkdata = (png_charp)png_malloc(png_ptr, length + 1);
1290 slength = length;
1291 png_crc_read(png_ptr, (png_bytep)png_ptr->chunkdata, slength);
1292
1293 if (png_crc_finish(png_ptr, skip))
1294 {
1295 png_free(png_ptr, png_ptr->chunkdata);
1296 png_ptr->chunkdata = NULL;
1297 return;
1298 }
1299
1300 png_ptr->chunkdata[slength] = 0x00;
1301
1302 for (profile = png_ptr->chunkdata; *profile; profile++)
1303 /* Empty loop to find end of name */ ;
1304
1305 ++profile;
1306
1307 /* There should be at least one zero (the compression type byte)
1308 * following the separator, and we should be on it
1309 */
1310 if (profile >= png_ptr->chunkdata + slength - 1)
1311 {
1312 png_free(png_ptr, png_ptr->chunkdata);
1313 png_ptr->chunkdata = NULL;
1314 png_warning(png_ptr, "Malformed iCCP chunk");
1315 return;
1316 }
1317
1318 /* Compression_type should always be zero */
1319 compression_type = *profile++;
1320
1321 if (compression_type)
1322 {
1323 png_warning(png_ptr, "Ignoring nonzero compression type in iCCP chunk");
1324 compression_type = 0x00; /* Reset it to zero (libpng-1.0.6 through 1.0.8
1325 wrote nonzero) */
1326 }
1327
1328 prefix_length = profile - png_ptr->chunkdata;
1329 png_decompress_chunk(png_ptr, compression_type,
1330 slength, prefix_length, &data_length);
1331
1332 profile_length = data_length - prefix_length;
1333
1334 if (prefix_length > data_length || profile_length < 4)
1335 {
1336 png_free(png_ptr, png_ptr->chunkdata);
1337 png_ptr->chunkdata = NULL;
1338 png_warning(png_ptr, "Profile size field missing from iCCP chunk");
1339 return;
1340 }
1341
1342 /* Check the profile_size recorded in the first 32 bits of the ICC profile */
1343 pC = (png_bytep)(png_ptr->chunkdata + prefix_length);
1344 profile_size = ((*(pC )) << 24) |
1345 ((*(pC + 1)) << 16) |
1346 ((*(pC + 2)) << 8) |
1347 ((*(pC + 3)) );
1348
1349 /* NOTE: the following guarantees that 'profile_length' fits into 32 bits,
1350 * because profile_size is a 32 bit value.
1351 */
1352 if (profile_size < profile_length)
1353 profile_length = profile_size;
1354
1355 /* And the following guarantees that profile_size == profile_length. */
1356 if (profile_size > profile_length)
1357 {
1358 PNG_WARNING_PARAMETERS(p)
1359
1360 png_free(png_ptr, png_ptr->chunkdata);
1361 png_ptr->chunkdata = NULL;
1362
1363 png_warning_parameter_unsigned(p, 1, PNG_NUMBER_FORMAT_u, profile_size);
1364 png_warning_parameter_unsigned(p, 2, PNG_NUMBER_FORMAT_u, profile_length);
1365 png_formatted_warning(png_ptr, p,
1366 "Ignoring iCCP chunk with declared size = @1 and actual length = @2");
1367 return;
1368 }
1369
1370 png_set_iCCP(png_ptr, info_ptr, png_ptr->chunkdata,
1371 compression_type, (png_bytep)png_ptr->chunkdata + prefix_length,
1372 profile_size);
1373 png_free(png_ptr, png_ptr->chunkdata);
1374 png_ptr->chunkdata = NULL;
1375}
1376#endif /* PNG_READ_iCCP_SUPPORTED */
1377
1378#ifdef PNG_READ_sPLT_SUPPORTED
1379void /* PRIVATE */
1380png_handle_sPLT(png_structp png_ptr, png_infop info_ptr, png_uint_32 length)
1381/* Note: this does not properly handle chunks that are > 64K under DOS */
1382{
1383 png_bytep entry_start;
1384 png_sPLT_t new_palette;
1385 png_sPLT_entryp pp;
1386 png_uint_32 data_length;
1387 int entry_size, i;
1388 png_uint_32 skip = 0;
1389 png_size_t slength;
1390 png_uint_32 dl;
1391 png_size_t max_dl;
1392
1393 png_debug(1, "in png_handle_sPLT");
1394
1395#ifdef PNG_USER_LIMITS_SUPPORTED
1396
1397 if (png_ptr->user_chunk_cache_max != 0)
1398 {
1399 if (png_ptr->user_chunk_cache_max == 1)
1400 {
1401 png_crc_finish(png_ptr, length);
1402 return;
1403 }
1404
1405 if (--png_ptr->user_chunk_cache_max == 1)
1406 {
1407 png_warning(png_ptr, "No space in chunk cache for sPLT");
1408 png_crc_finish(png_ptr, length);
1409 return;
1410 }
1411 }
1412#endif
1413
1414 if (!(png_ptr->mode & PNG_HAVE_IHDR))
1415 png_error(png_ptr, "Missing IHDR before sPLT");
1416
1417 else if (png_ptr->mode & PNG_HAVE_IDAT)
1418 {
1419 png_warning(png_ptr, "Invalid sPLT after IDAT");
1420 png_crc_finish(png_ptr, length);
1421 return;
1422 }
1423
1424#ifdef PNG_MAX_MALLOC_64K
1425 if (length > (png_uint_32)65535L)
1426 {
1427 png_warning(png_ptr, "sPLT chunk too large to fit in memory");
1428 skip = length - (png_uint_32)65535L;
1429 length = (png_uint_32)65535L;
1430 }
1431#endif
1432
1433 png_free(png_ptr, png_ptr->chunkdata);
1434 png_ptr->chunkdata = (png_charp)png_malloc(png_ptr, length + 1);
1435
1436 /* WARNING: this may break if size_t is less than 32 bits; it is assumed
1437 * that the PNG_MAX_MALLOC_64K test is enabled in this case, but this is a
1438 * potential breakage point if the types in pngconf.h aren't exactly right.
1439 */
1440 slength = length;
1441 png_crc_read(png_ptr, (png_bytep)png_ptr->chunkdata, slength);
1442
1443 if (png_crc_finish(png_ptr, skip))
1444 {
1445 png_free(png_ptr, png_ptr->chunkdata);
1446 png_ptr->chunkdata = NULL;
1447 return;
1448 }
1449
1450 png_ptr->chunkdata[slength] = 0x00;
1451
1452 for (entry_start = (png_bytep)png_ptr->chunkdata; *entry_start;
1453 entry_start++)
1454 /* Empty loop to find end of name */ ;
1455
1456 ++entry_start;
1457
1458 /* A sample depth should follow the separator, and we should be on it */
1459 if (entry_start > (png_bytep)png_ptr->chunkdata + slength - 2)
1460 {
1461 png_free(png_ptr, png_ptr->chunkdata);
1462 png_ptr->chunkdata = NULL;
1463 png_warning(png_ptr, "malformed sPLT chunk");
1464 return;
1465 }
1466
1467 new_palette.depth = *entry_start++;
1468 entry_size = (new_palette.depth == 8 ? 6 : 10);
1469 /* This must fit in a png_uint_32 because it is derived from the original
1470 * chunk data length (and use 'length', not 'slength' here for clarity -
1471 * they are guaranteed to be the same, see the tests above.)
1472 */
1473 data_length = length - (png_uint_32)(entry_start -
1474 (png_bytep)png_ptr->chunkdata);
1475
1476 /* Integrity-check the data length */
1477 if (data_length % entry_size)
1478 {
1479 png_free(png_ptr, png_ptr->chunkdata);
1480 png_ptr->chunkdata = NULL;
1481 png_warning(png_ptr, "sPLT chunk has bad length");
1482 return;
1483 }
1484
1485 dl = (png_int_32)(data_length / entry_size);
1486 max_dl = PNG_SIZE_MAX / png_sizeof(png_sPLT_entry);
1487
1488 if (dl > max_dl)
1489 {
1490 png_warning(png_ptr, "sPLT chunk too long");
1491 return;
1492 }
1493
1494 new_palette.nentries = (png_int_32)(data_length / entry_size);
1495
1496 new_palette.entries = (png_sPLT_entryp)png_malloc_warn(
1497 png_ptr, new_palette.nentries * png_sizeof(png_sPLT_entry));
1498
1499 if (new_palette.entries == NULL)
1500 {
1501 png_warning(png_ptr, "sPLT chunk requires too much memory");
1502 return;
1503 }
1504
1505#ifdef PNG_POINTER_INDEXING_SUPPORTED
1506 for (i = 0; i < new_palette.nentries; i++)
1507 {
1508 pp = new_palette.entries + i;
1509
1510 if (new_palette.depth == 8)
1511 {
1512 pp->red = *entry_start++;
1513 pp->green = *entry_start++;
1514 pp->blue = *entry_start++;
1515 pp->alpha = *entry_start++;
1516 }
1517
1518 else
1519 {
1520 pp->red = png_get_uint_16(entry_start); entry_start += 2;
1521 pp->green = png_get_uint_16(entry_start); entry_start += 2;
1522 pp->blue = png_get_uint_16(entry_start); entry_start += 2;
1523 pp->alpha = png_get_uint_16(entry_start); entry_start += 2;
1524 }
1525
1526 pp->frequency = png_get_uint_16(entry_start); entry_start += 2;
1527 }
1528#else
1529 pp = new_palette.entries;
1530
1531 for (i = 0; i < new_palette.nentries; i++)
1532 {
1533
1534 if (new_palette.depth == 8)
1535 {
1536 pp[i].red = *entry_start++;
1537 pp[i].green = *entry_start++;
1538 pp[i].blue = *entry_start++;
1539 pp[i].alpha = *entry_start++;
1540 }
1541
1542 else
1543 {
1544 pp[i].red = png_get_uint_16(entry_start); entry_start += 2;
1545 pp[i].green = png_get_uint_16(entry_start); entry_start += 2;
1546 pp[i].blue = png_get_uint_16(entry_start); entry_start += 2;
1547 pp[i].alpha = png_get_uint_16(entry_start); entry_start += 2;
1548 }
1549
1550 pp[i].frequency = png_get_uint_16(entry_start); entry_start += 2;
1551 }
1552#endif
1553
1554 /* Discard all chunk data except the name and stash that */
1555 new_palette.name = png_ptr->chunkdata;
1556
1557 png_set_sPLT(png_ptr, info_ptr, &new_palette, 1);
1558
1559 png_free(png_ptr, png_ptr->chunkdata);
1560 png_ptr->chunkdata = NULL;
1561 png_free(png_ptr, new_palette.entries);
1562}
1563#endif /* PNG_READ_sPLT_SUPPORTED */
1564
1565#ifdef PNG_READ_tRNS_SUPPORTED
1566void /* PRIVATE */
1567png_handle_tRNS(png_structp png_ptr, png_infop info_ptr, png_uint_32 length)
1568{
1569 png_byte readbuf[PNG_MAX_PALETTE_LENGTH];
1570
1571 png_debug(1, "in png_handle_tRNS");
1572
1573 if (!(png_ptr->mode & PNG_HAVE_IHDR))
1574 png_error(png_ptr, "Missing IHDR before tRNS");
1575
1576 else if (png_ptr->mode & PNG_HAVE_IDAT)
1577 {
1578 png_warning(png_ptr, "Invalid tRNS after IDAT");
1579 png_crc_finish(png_ptr, length);
1580 return;
1581 }
1582
1583 else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_tRNS))
1584 {
1585 png_warning(png_ptr, "Duplicate tRNS chunk");
1586 png_crc_finish(png_ptr, length);
1587 return;
1588 }
1589
1590 if (png_ptr->color_type == PNG_COLOR_TYPE_GRAY)
1591 {
1592 png_byte buf[2];
1593
1594 if (length != 2)
1595 {
1596 png_warning(png_ptr, "Incorrect tRNS chunk length");
1597 png_crc_finish(png_ptr, length);
1598 return;
1599 }
1600
1601 png_crc_read(png_ptr, buf, 2);
1602 png_ptr->num_trans = 1;
1603 png_ptr->trans_color.gray = png_get_uint_16(buf);
1604 }
1605
1606 else if (png_ptr->color_type == PNG_COLOR_TYPE_RGB)
1607 {
1608 png_byte buf[6];
1609
1610 if (length != 6)
1611 {
1612 png_warning(png_ptr, "Incorrect tRNS chunk length");
1613 png_crc_finish(png_ptr, length);
1614 return;
1615 }
1616
1617 png_crc_read(png_ptr, buf, (png_size_t)length);
1618 png_ptr->num_trans = 1;
1619 png_ptr->trans_color.red = png_get_uint_16(buf);
1620 png_ptr->trans_color.green = png_get_uint_16(buf + 2);
1621 png_ptr->trans_color.blue = png_get_uint_16(buf + 4);
1622 }
1623
1624 else if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
1625 {
1626 if (!(png_ptr->mode & PNG_HAVE_PLTE))
1627 {
1628 /* Should be an error, but we can cope with it. */
1629 png_warning(png_ptr, "Missing PLTE before tRNS");
1630 }
1631
1632 if (length > (png_uint_32)png_ptr->num_palette ||
1633 length > PNG_MAX_PALETTE_LENGTH)
1634 {
1635 png_warning(png_ptr, "Incorrect tRNS chunk length");
1636 png_crc_finish(png_ptr, length);
1637 return;
1638 }
1639
1640 if (length == 0)
1641 {
1642 png_warning(png_ptr, "Zero length tRNS chunk");
1643 png_crc_finish(png_ptr, length);
1644 return;
1645 }
1646
1647 png_crc_read(png_ptr, readbuf, (png_size_t)length);
1648 png_ptr->num_trans = (png_uint_16)length;
1649 }
1650
1651 else
1652 {
1653 png_warning(png_ptr, "tRNS chunk not allowed with alpha channel");
1654 png_crc_finish(png_ptr, length);
1655 return;
1656 }
1657
1658 if (png_crc_finish(png_ptr, 0))
1659 {
1660 png_ptr->num_trans = 0;
1661 return;
1662 }
1663
1664 png_set_tRNS(png_ptr, info_ptr, readbuf, png_ptr->num_trans,
1665 &(png_ptr->trans_color));
1666}
1667#endif
1668
1669#ifdef PNG_READ_bKGD_SUPPORTED
1670void /* PRIVATE */
1671png_handle_bKGD(png_structp png_ptr, png_infop info_ptr, png_uint_32 length)
1672{
1673 png_size_t truelen;
1674 png_byte buf[6];
1675 png_color_16 background;
1676
1677 png_debug(1, "in png_handle_bKGD");
1678
1679 if (!(png_ptr->mode & PNG_HAVE_IHDR))
1680 png_error(png_ptr, "Missing IHDR before bKGD");
1681
1682 else if (png_ptr->mode & PNG_HAVE_IDAT)
1683 {
1684 png_warning(png_ptr, "Invalid bKGD after IDAT");
1685 png_crc_finish(png_ptr, length);
1686 return;
1687 }
1688
1689 else if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE &&
1690 !(png_ptr->mode & PNG_HAVE_PLTE))
1691 {
1692 png_warning(png_ptr, "Missing PLTE before bKGD");
1693 png_crc_finish(png_ptr, length);
1694 return;
1695 }
1696
1697 else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_bKGD))
1698 {
1699 png_warning(png_ptr, "Duplicate bKGD chunk");
1700 png_crc_finish(png_ptr, length);
1701 return;
1702 }
1703
1704 if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
1705 truelen = 1;
1706
1707 else if (png_ptr->color_type & PNG_COLOR_MASK_COLOR)
1708 truelen = 6;
1709
1710 else
1711 truelen = 2;
1712
1713 if (length != truelen)
1714 {
1715 png_warning(png_ptr, "Incorrect bKGD chunk length");
1716 png_crc_finish(png_ptr, length);
1717 return;
1718 }
1719
1720 png_crc_read(png_ptr, buf, truelen);
1721
1722 if (png_crc_finish(png_ptr, 0))
1723 return;
1724
1725 /* We convert the index value into RGB components so that we can allow
1726 * arbitrary RGB values for background when we have transparency, and
1727 * so it is easy to determine the RGB values of the background color
1728 * from the info_ptr struct.
1729 */
1730 if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
1731 {
1732 background.index = buf[0];
1733
1734 if (info_ptr && info_ptr->num_palette)
1735 {
1736 if (buf[0] >= info_ptr->num_palette)
1737 {
1738 png_warning(png_ptr, "Incorrect bKGD chunk index value");
1739 return;
1740 }
1741
1742 background.red = (png_uint_16)png_ptr->palette[buf[0]].red;
1743 background.green = (png_uint_16)png_ptr->palette[buf[0]].green;
1744 background.blue = (png_uint_16)png_ptr->palette[buf[0]].blue;
1745 }
1746
1747 else
1748 background.red = background.green = background.blue = 0;
1749
1750 background.gray = 0;
1751 }
1752
1753 else if (!(png_ptr->color_type & PNG_COLOR_MASK_COLOR)) /* GRAY */
1754 {
1755 background.index = 0;
1756 background.red =
1757 background.green =
1758 background.blue =
1759 background.gray = png_get_uint_16(buf);
1760 }
1761
1762 else
1763 {
1764 background.index = 0;
1765 background.red = png_get_uint_16(buf);
1766 background.green = png_get_uint_16(buf + 2);
1767 background.blue = png_get_uint_16(buf + 4);
1768 background.gray = 0;
1769 }
1770
1771 png_set_bKGD(png_ptr, info_ptr, &background);
1772}
1773#endif
1774
1775#ifdef PNG_READ_hIST_SUPPORTED
1776void /* PRIVATE */
1777png_handle_hIST(png_structp png_ptr, png_infop info_ptr, png_uint_32 length)
1778{
1779 unsigned int num, i;
1780 png_uint_16 readbuf[PNG_MAX_PALETTE_LENGTH];
1781
1782 png_debug(1, "in png_handle_hIST");
1783
1784 if (!(png_ptr->mode & PNG_HAVE_IHDR))
1785 png_error(png_ptr, "Missing IHDR before hIST");
1786
1787 else if (png_ptr->mode & PNG_HAVE_IDAT)
1788 {
1789 png_warning(png_ptr, "Invalid hIST after IDAT");
1790 png_crc_finish(png_ptr, length);
1791 return;
1792 }
1793
1794 else if (!(png_ptr->mode & PNG_HAVE_PLTE))
1795 {
1796 png_warning(png_ptr, "Missing PLTE before hIST");
1797 png_crc_finish(png_ptr, length);
1798 return;
1799 }
1800
1801 else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_hIST))
1802 {
1803 png_warning(png_ptr, "Duplicate hIST chunk");
1804 png_crc_finish(png_ptr, length);
1805 return;
1806 }
1807
1808 if (length > 2*PNG_MAX_PALETTE_LENGTH ||
1809 length != (unsigned int) (2*png_ptr->num_palette))
1810 {
1811 png_warning(png_ptr, "Incorrect hIST chunk length");
1812 png_crc_finish(png_ptr, length);
1813 return;
1814 }
1815
1816 num = length / 2 ;
1817
1818 for (i = 0; i < num; i++)
1819 {
1820 png_byte buf[2];
1821
1822 png_crc_read(png_ptr, buf, 2);
1823 readbuf[i] = png_get_uint_16(buf);
1824 }
1825
1826 if (png_crc_finish(png_ptr, 0))
1827 return;
1828
1829 png_set_hIST(png_ptr, info_ptr, readbuf);
1830}
1831#endif
1832
1833#ifdef PNG_READ_pHYs_SUPPORTED
1834void /* PRIVATE */
1835png_handle_pHYs(png_structp png_ptr, png_infop info_ptr, png_uint_32 length)
1836{
1837 png_byte buf[9];
1838 png_uint_32 res_x, res_y;
1839 int unit_type;
1840
1841 png_debug(1, "in png_handle_pHYs");
1842
1843 if (!(png_ptr->mode & PNG_HAVE_IHDR))
1844 png_error(png_ptr, "Missing IHDR before pHYs");
1845
1846 else if (png_ptr->mode & PNG_HAVE_IDAT)
1847 {
1848 png_warning(png_ptr, "Invalid pHYs after IDAT");
1849 png_crc_finish(png_ptr, length);
1850 return;
1851 }
1852
1853 else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_pHYs))
1854 {
1855 png_warning(png_ptr, "Duplicate pHYs chunk");
1856 png_crc_finish(png_ptr, length);
1857 return;
1858 }
1859
1860 if (length != 9)
1861 {
1862 png_warning(png_ptr, "Incorrect pHYs chunk length");
1863 png_crc_finish(png_ptr, length);
1864 return;
1865 }
1866
1867 png_crc_read(png_ptr, buf, 9);
1868
1869 if (png_crc_finish(png_ptr, 0))
1870 return;
1871
1872 res_x = png_get_uint_32(buf);
1873 res_y = png_get_uint_32(buf + 4);
1874 unit_type = buf[8];
1875 png_set_pHYs(png_ptr, info_ptr, res_x, res_y, unit_type);
1876}
1877#endif
1878
1879#ifdef PNG_READ_oFFs_SUPPORTED
1880void /* PRIVATE */
1881png_handle_oFFs(png_structp png_ptr, png_infop info_ptr, png_uint_32 length)
1882{
1883 png_byte buf[9];
1884 png_int_32 offset_x, offset_y;
1885 int unit_type;
1886
1887 png_debug(1, "in png_handle_oFFs");
1888
1889 if (!(png_ptr->mode & PNG_HAVE_IHDR))
1890 png_error(png_ptr, "Missing IHDR before oFFs");
1891
1892 else if (png_ptr->mode & PNG_HAVE_IDAT)
1893 {
1894 png_warning(png_ptr, "Invalid oFFs after IDAT");
1895 png_crc_finish(png_ptr, length);
1896 return;
1897 }
1898
1899 else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_oFFs))
1900 {
1901 png_warning(png_ptr, "Duplicate oFFs chunk");
1902 png_crc_finish(png_ptr, length);
1903 return;
1904 }
1905
1906 if (length != 9)
1907 {
1908 png_warning(png_ptr, "Incorrect oFFs chunk length");
1909 png_crc_finish(png_ptr, length);
1910 return;
1911 }
1912
1913 png_crc_read(png_ptr, buf, 9);
1914
1915 if (png_crc_finish(png_ptr, 0))
1916 return;
1917
1918 offset_x = png_get_int_32(buf);
1919 offset_y = png_get_int_32(buf + 4);
1920 unit_type = buf[8];
1921 png_set_oFFs(png_ptr, info_ptr, offset_x, offset_y, unit_type);
1922}
1923#endif
1924
1925#ifdef PNG_READ_pCAL_SUPPORTED
1926/* Read the pCAL chunk (described in the PNG Extensions document) */
1927void /* PRIVATE */
1928png_handle_pCAL(png_structp png_ptr, png_infop info_ptr, png_uint_32 length)
1929{
1930 png_int_32 X0, X1;
1931 png_byte type, nparams;
1932 png_charp buf, units, endptr;
1933 png_charpp params;
1934 png_size_t slength;
1935 int i;
1936
1937 png_debug(1, "in png_handle_pCAL");
1938
1939 if (!(png_ptr->mode & PNG_HAVE_IHDR))
1940 png_error(png_ptr, "Missing IHDR before pCAL");
1941
1942 else if (png_ptr->mode & PNG_HAVE_IDAT)
1943 {
1944 png_warning(png_ptr, "Invalid pCAL after IDAT");
1945 png_crc_finish(png_ptr, length);
1946 return;
1947 }
1948
1949 else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_pCAL))
1950 {
1951 png_warning(png_ptr, "Duplicate pCAL chunk");
1952 png_crc_finish(png_ptr, length);
1953 return;
1954 }
1955
1956 png_debug1(2, "Allocating and reading pCAL chunk data (%u bytes)",
1957 length + 1);
1958 png_free(png_ptr, png_ptr->chunkdata);
1959 png_ptr->chunkdata = (png_charp)png_malloc_warn(png_ptr, length + 1);
1960
1961 if (png_ptr->chunkdata == NULL)
1962 {
1963 png_warning(png_ptr, "No memory for pCAL purpose");
1964 return;
1965 }
1966
1967 slength = length;
1968 png_crc_read(png_ptr, (png_bytep)png_ptr->chunkdata, slength);
1969
1970 if (png_crc_finish(png_ptr, 0))
1971 {
1972 png_free(png_ptr, png_ptr->chunkdata);
1973 png_ptr->chunkdata = NULL;
1974 return;
1975 }
1976
1977 png_ptr->chunkdata[slength] = 0x00; /* Null terminate the last string */
1978
1979 png_debug(3, "Finding end of pCAL purpose string");
1980 for (buf = png_ptr->chunkdata; *buf; buf++)
1981 /* Empty loop */ ;
1982
1983 endptr = png_ptr->chunkdata + slength;
1984
1985 /* We need to have at least 12 bytes after the purpose string
1986 * in order to get the parameter information.
1987 */
1988 if (endptr <= buf + 12)
1989 {
1990 png_warning(png_ptr, "Invalid pCAL data");
1991 png_free(png_ptr, png_ptr->chunkdata);
1992 png_ptr->chunkdata = NULL;
1993 return;
1994 }
1995
1996 png_debug(3, "Reading pCAL X0, X1, type, nparams, and units");
1997 X0 = png_get_int_32((png_bytep)buf+1);
1998 X1 = png_get_int_32((png_bytep)buf+5);
1999 type = buf[9];
2000 nparams = buf[10];
2001 units = buf + 11;
2002
2003 png_debug(3, "Checking pCAL equation type and number of parameters");
2004 /* Check that we have the right number of parameters for known
2005 * equation types.
2006 */
2007 if ((type == PNG_EQUATION_LINEAR && nparams != 2) ||
2008 (type == PNG_EQUATION_BASE_E && nparams != 3) ||
2009 (type == PNG_EQUATION_ARBITRARY && nparams != 3) ||
2010 (type == PNG_EQUATION_HYPERBOLIC && nparams != 4))
2011 {
2012 png_warning(png_ptr, "Invalid pCAL parameters for equation type");
2013 png_free(png_ptr, png_ptr->chunkdata);
2014 png_ptr->chunkdata = NULL;
2015 return;
2016 }
2017
2018 else if (type >= PNG_EQUATION_LAST)
2019 {
2020 png_warning(png_ptr, "Unrecognized equation type for pCAL chunk");
2021 }
2022
2023 for (buf = units; *buf; buf++)
2024 /* Empty loop to move past the units string. */ ;
2025
2026 png_debug(3, "Allocating pCAL parameters array");
2027
2028 params = (png_charpp)png_malloc_warn(png_ptr,
2029 (png_size_t)(nparams * png_sizeof(png_charp)));
2030
2031 if (params == NULL)
2032 {
2033 png_free(png_ptr, png_ptr->chunkdata);
2034 png_ptr->chunkdata = NULL;
2035 png_warning(png_ptr, "No memory for pCAL params");
2036 return;
2037 }
2038
2039 /* Get pointers to the start of each parameter string. */
2040 for (i = 0; i < (int)nparams; i++)
2041 {
2042 buf++; /* Skip the null string terminator from previous parameter. */
2043
2044 png_debug1(3, "Reading pCAL parameter %d", i);
2045
2046 for (params[i] = buf; buf <= endptr && *buf != 0x00; buf++)
2047 /* Empty loop to move past each parameter string */ ;
2048
2049 /* Make sure we haven't run out of data yet */
2050 if (buf > endptr)
2051 {
2052 png_warning(png_ptr, "Invalid pCAL data");
2053 png_free(png_ptr, png_ptr->chunkdata);
2054 png_ptr->chunkdata = NULL;
2055 png_free(png_ptr, params);
2056 return;
2057 }
2058 }
2059
2060 png_set_pCAL(png_ptr, info_ptr, png_ptr->chunkdata, X0, X1, type, nparams,
2061 units, params);
2062
2063 png_free(png_ptr, png_ptr->chunkdata);
2064 png_ptr->chunkdata = NULL;
2065 png_free(png_ptr, params);
2066}
2067#endif
2068
2069#ifdef PNG_READ_sCAL_SUPPORTED
2070/* Read the sCAL chunk */
2071void /* PRIVATE */
2072png_handle_sCAL(png_structp png_ptr, png_infop info_ptr, png_uint_32 length)
2073{
2074 png_size_t slength, i;
2075 int state;
2076
2077 png_debug(1, "in png_handle_sCAL");
2078
2079 if (!(png_ptr->mode & PNG_HAVE_IHDR))
2080 png_error(png_ptr, "Missing IHDR before sCAL");
2081
2082 else if (png_ptr->mode & PNG_HAVE_IDAT)
2083 {
2084 png_warning(png_ptr, "Invalid sCAL after IDAT");
2085 png_crc_finish(png_ptr, length);
2086 return;
2087 }
2088
2089 else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_sCAL))
2090 {
2091 png_warning(png_ptr, "Duplicate sCAL chunk");
2092 png_crc_finish(png_ptr, length);
2093 return;
2094 }
2095
2096 /* Need unit type, width, \0, height: minimum 4 bytes */
2097 else if (length < 4)
2098 {
2099 png_warning(png_ptr, "sCAL chunk too short");
2100 png_crc_finish(png_ptr, length);
2101 return;
2102 }
2103
2104 png_debug1(2, "Allocating and reading sCAL chunk data (%u bytes)",
2105 length + 1);
2106
2107 png_ptr->chunkdata = (png_charp)png_malloc_warn(png_ptr, length + 1);
2108
2109 if (png_ptr->chunkdata == NULL)
2110 {
2111 png_warning(png_ptr, "Out of memory while processing sCAL chunk");
2112 png_crc_finish(png_ptr, length);
2113 return;
2114 }
2115
2116 slength = length;
2117 png_crc_read(png_ptr, (png_bytep)png_ptr->chunkdata, slength);
2118 png_ptr->chunkdata[slength] = 0x00; /* Null terminate the last string */
2119
2120 if (png_crc_finish(png_ptr, 0))
2121 {
2122 png_free(png_ptr, png_ptr->chunkdata);
2123 png_ptr->chunkdata = NULL;
2124 return;
2125 }
2126
2127 /* Validate the unit. */
2128 if (png_ptr->chunkdata[0] != 1 && png_ptr->chunkdata[0] != 2)
2129 {
2130 png_warning(png_ptr, "Invalid sCAL ignored: invalid unit");
2131 png_free(png_ptr, png_ptr->chunkdata);
2132 png_ptr->chunkdata = NULL;
2133 return;
2134 }
2135
2136 /* Validate the ASCII numbers, need two ASCII numbers separated by
2137 * a '\0' and they need to fit exactly in the chunk data.
2138 */
2139 i = 1;
2140 state = 0;
2141
2142 if (!png_check_fp_number(png_ptr->chunkdata, slength, &state, &i) ||
2143 i >= slength || png_ptr->chunkdata[i++] != 0)
2144 png_warning(png_ptr, "Invalid sCAL chunk ignored: bad width format");
2145
2146 else if (!PNG_FP_IS_POSITIVE(state))
2147 png_warning(png_ptr, "Invalid sCAL chunk ignored: non-positive width");
2148
2149 else
2150 {
2151 png_size_t heighti = i;
2152
2153 state = 0;
2154 if (!png_check_fp_number(png_ptr->chunkdata, slength, &state, &i) ||
2155 i != slength)
2156 png_warning(png_ptr, "Invalid sCAL chunk ignored: bad height format");
2157
2158 else if (!PNG_FP_IS_POSITIVE(state))
2159 png_warning(png_ptr,
2160 "Invalid sCAL chunk ignored: non-positive height");
2161
2162 else
2163 /* This is the (only) success case. */
2164 png_set_sCAL_s(png_ptr, info_ptr, png_ptr->chunkdata[0],
2165 png_ptr->chunkdata+1, png_ptr->chunkdata+heighti);
2166 }
2167
2168 /* Clean up - just free the temporarily allocated buffer. */
2169 png_free(png_ptr, png_ptr->chunkdata);
2170 png_ptr->chunkdata = NULL;
2171}
2172#endif
2173
2174#ifdef PNG_READ_tIME_SUPPORTED
2175void /* PRIVATE */
2176png_handle_tIME(png_structp png_ptr, png_infop info_ptr, png_uint_32 length)
2177{
2178 png_byte buf[7];
2179 png_time mod_time;
2180
2181 png_debug(1, "in png_handle_tIME");
2182
2183 if (!(png_ptr->mode & PNG_HAVE_IHDR))
2184 png_error(png_ptr, "Out of place tIME chunk");
2185
2186 else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_tIME))
2187 {
2188 png_warning(png_ptr, "Duplicate tIME chunk");
2189 png_crc_finish(png_ptr, length);
2190 return;
2191 }
2192
2193 if (png_ptr->mode & PNG_HAVE_IDAT)
2194 png_ptr->mode |= PNG_AFTER_IDAT;
2195
2196 if (length != 7)
2197 {
2198 png_warning(png_ptr, "Incorrect tIME chunk length");
2199 png_crc_finish(png_ptr, length);
2200 return;
2201 }
2202
2203 png_crc_read(png_ptr, buf, 7);
2204
2205 if (png_crc_finish(png_ptr, 0))
2206 return;
2207
2208 mod_time.second = buf[6];
2209 mod_time.minute = buf[5];
2210 mod_time.hour = buf[4];
2211 mod_time.day = buf[3];
2212 mod_time.month = buf[2];
2213 mod_time.year = png_get_uint_16(buf);
2214
2215 png_set_tIME(png_ptr, info_ptr, &mod_time);
2216}
2217#endif
2218
2219#ifdef PNG_READ_tEXt_SUPPORTED
2220/* Note: this does not properly handle chunks that are > 64K under DOS */
2221void /* PRIVATE */
2222png_handle_tEXt(png_structp png_ptr, png_infop info_ptr, png_uint_32 length)
2223{
2224 png_textp text_ptr;
2225 png_charp key;
2226 png_charp text;
2227 png_uint_32 skip = 0;
2228 png_size_t slength;
2229 int ret;
2230
2231 png_debug(1, "in png_handle_tEXt");
2232
2233#ifdef PNG_USER_LIMITS_SUPPORTED
2234 if (png_ptr->user_chunk_cache_max != 0)
2235 {
2236 if (png_ptr->user_chunk_cache_max == 1)
2237 {
2238 png_crc_finish(png_ptr, length);
2239 return;
2240 }
2241
2242 if (--png_ptr->user_chunk_cache_max == 1)
2243 {
2244 png_warning(png_ptr, "No space in chunk cache for tEXt");
2245 png_crc_finish(png_ptr, length);
2246 return;
2247 }
2248 }
2249#endif
2250
2251 if (!(png_ptr->mode & PNG_HAVE_IHDR))
2252 png_error(png_ptr, "Missing IHDR before tEXt");
2253
2254 if (png_ptr->mode & PNG_HAVE_IDAT)
2255 png_ptr->mode |= PNG_AFTER_IDAT;
2256
2257#ifdef PNG_MAX_MALLOC_64K
2258 if (length > (png_uint_32)65535L)
2259 {
2260 png_warning(png_ptr, "tEXt chunk too large to fit in memory");
2261 skip = length - (png_uint_32)65535L;
2262 length = (png_uint_32)65535L;
2263 }
2264#endif
2265
2266 png_free(png_ptr, png_ptr->chunkdata);
2267
2268 png_ptr->chunkdata = (png_charp)png_malloc_warn(png_ptr, length + 1);
2269
2270 if (png_ptr->chunkdata == NULL)
2271 {
2272 png_warning(png_ptr, "No memory to process text chunk");
2273 return;
2274 }
2275
2276 slength = length;
2277 png_crc_read(png_ptr, (png_bytep)png_ptr->chunkdata, slength);
2278
2279 if (png_crc_finish(png_ptr, skip))
2280 {
2281 png_free(png_ptr, png_ptr->chunkdata);
2282 png_ptr->chunkdata = NULL;
2283 return;
2284 }
2285
2286 key = png_ptr->chunkdata;
2287
2288 key[slength] = 0x00;
2289
2290 for (text = key; *text; text++)
2291 /* Empty loop to find end of key */ ;
2292
2293 if (text != key + slength)
2294 text++;
2295
2296 text_ptr = (png_textp)png_malloc_warn(png_ptr,
2297 png_sizeof(png_text));
2298
2299 if (text_ptr == NULL)
2300 {
2301 png_warning(png_ptr, "Not enough memory to process text chunk");
2302 png_free(png_ptr, png_ptr->chunkdata);
2303 png_ptr->chunkdata = NULL;
2304 return;
2305 }
2306
2307 text_ptr->compression = PNG_TEXT_COMPRESSION_NONE;
2308 text_ptr->key = key;
2309 text_ptr->lang = NULL;
2310 text_ptr->lang_key = NULL;
2311 text_ptr->itxt_length = 0;
2312 text_ptr->text = text;
2313 text_ptr->text_length = png_strlen(text);
2314
2315 ret = png_set_text_2(png_ptr, info_ptr, text_ptr, 1);
2316
2317 png_free(png_ptr, png_ptr->chunkdata);
2318 png_ptr->chunkdata = NULL;
2319 png_free(png_ptr, text_ptr);
2320
2321 if (ret)
2322 png_warning(png_ptr, "Insufficient memory to process text chunk");
2323}
2324#endif
2325
2326#ifdef PNG_READ_zTXt_SUPPORTED
2327/* Note: this does not correctly handle chunks that are > 64K under DOS */
2328void /* PRIVATE */
2329png_handle_zTXt(png_structp png_ptr, png_infop info_ptr, png_uint_32 length)
2330{
2331 png_textp text_ptr;
2332 png_charp text;
2333 int comp_type;
2334 int ret;
2335 png_size_t slength, prefix_len, data_len;
2336
2337 png_debug(1, "in png_handle_zTXt");
2338
2339#ifdef PNG_USER_LIMITS_SUPPORTED
2340 if (png_ptr->user_chunk_cache_max != 0)
2341 {
2342 if (png_ptr->user_chunk_cache_max == 1)
2343 {
2344 png_crc_finish(png_ptr, length);
2345 return;
2346 }
2347
2348 if (--png_ptr->user_chunk_cache_max == 1)
2349 {
2350 png_warning(png_ptr, "No space in chunk cache for zTXt");
2351 png_crc_finish(png_ptr, length);
2352 return;
2353 }
2354 }
2355#endif
2356
2357 if (!(png_ptr->mode & PNG_HAVE_IHDR))
2358 png_error(png_ptr, "Missing IHDR before zTXt");
2359
2360 if (png_ptr->mode & PNG_HAVE_IDAT)
2361 png_ptr->mode |= PNG_AFTER_IDAT;
2362
2363#ifdef PNG_MAX_MALLOC_64K
2364 /* We will no doubt have problems with chunks even half this size, but
2365 * there is no hard and fast rule to tell us where to stop.
2366 */
2367 if (length > (png_uint_32)65535L)
2368 {
2369 png_warning(png_ptr, "zTXt chunk too large to fit in memory");
2370 png_crc_finish(png_ptr, length);
2371 return;
2372 }
2373#endif
2374
2375 png_free(png_ptr, png_ptr->chunkdata);
2376 png_ptr->chunkdata = (png_charp)png_malloc_warn(png_ptr, length + 1);
2377
2378 if (png_ptr->chunkdata == NULL)
2379 {
2380 png_warning(png_ptr, "Out of memory processing zTXt chunk");
2381 return;
2382 }
2383
2384 slength = length;
2385 png_crc_read(png_ptr, (png_bytep)png_ptr->chunkdata, slength);
2386
2387 if (png_crc_finish(png_ptr, 0))
2388 {
2389 png_free(png_ptr, png_ptr->chunkdata);
2390 png_ptr->chunkdata = NULL;
2391 return;
2392 }
2393
2394 png_ptr->chunkdata[slength] = 0x00;
2395
2396 for (text = png_ptr->chunkdata; *text; text++)
2397 /* Empty loop */ ;
2398
2399 /* zTXt must have some text after the chunkdataword */
2400 if (text >= png_ptr->chunkdata + slength - 2)
2401 {
2402 png_warning(png_ptr, "Truncated zTXt chunk");
2403 png_free(png_ptr, png_ptr->chunkdata);
2404 png_ptr->chunkdata = NULL;
2405 return;
2406 }
2407
2408 else
2409 {
2410 comp_type = *(++text);
2411
2412 if (comp_type != PNG_TEXT_COMPRESSION_zTXt)
2413 {
2414 png_warning(png_ptr, "Unknown compression type in zTXt chunk");
2415 comp_type = PNG_TEXT_COMPRESSION_zTXt;
2416 }
2417
2418 text++; /* Skip the compression_method byte */
2419 }
2420
2421 prefix_len = text - png_ptr->chunkdata;
2422
2423 png_decompress_chunk(png_ptr, comp_type,
2424 (png_size_t)length, prefix_len, &data_len);
2425
2426 text_ptr = (png_textp)png_malloc_warn(png_ptr,
2427 png_sizeof(png_text));
2428
2429 if (text_ptr == NULL)
2430 {
2431 png_warning(png_ptr, "Not enough memory to process zTXt chunk");
2432 png_free(png_ptr, png_ptr->chunkdata);
2433 png_ptr->chunkdata = NULL;
2434 return;
2435 }
2436
2437 text_ptr->compression = comp_type;
2438 text_ptr->key = png_ptr->chunkdata;
2439 text_ptr->lang = NULL;
2440 text_ptr->lang_key = NULL;
2441 text_ptr->itxt_length = 0;
2442 text_ptr->text = png_ptr->chunkdata + prefix_len;
2443 text_ptr->text_length = data_len;
2444
2445 ret = png_set_text_2(png_ptr, info_ptr, text_ptr, 1);
2446
2447 png_free(png_ptr, text_ptr);
2448 png_free(png_ptr, png_ptr->chunkdata);
2449 png_ptr->chunkdata = NULL;
2450
2451 if (ret)
2452 png_error(png_ptr, "Insufficient memory to store zTXt chunk");
2453}
2454#endif
2455
2456#ifdef PNG_READ_iTXt_SUPPORTED
2457/* Note: this does not correctly handle chunks that are > 64K under DOS */
2458void /* PRIVATE */
2459png_handle_iTXt(png_structp png_ptr, png_infop info_ptr, png_uint_32 length)
2460{
2461 png_textp text_ptr;
2462 png_charp key, lang, text, lang_key;
2463 int comp_flag;
2464 int comp_type = 0;
2465 int ret;
2466 png_size_t slength, prefix_len, data_len;
2467
2468 png_debug(1, "in png_handle_iTXt");
2469
2470#ifdef PNG_USER_LIMITS_SUPPORTED
2471 if (png_ptr->user_chunk_cache_max != 0)
2472 {
2473 if (png_ptr->user_chunk_cache_max == 1)
2474 {
2475 png_crc_finish(png_ptr, length);
2476 return;
2477 }
2478
2479 if (--png_ptr->user_chunk_cache_max == 1)
2480 {
2481 png_warning(png_ptr, "No space in chunk cache for iTXt");
2482 png_crc_finish(png_ptr, length);
2483 return;
2484 }
2485 }
2486#endif
2487
2488 if (!(png_ptr->mode & PNG_HAVE_IHDR))
2489 png_error(png_ptr, "Missing IHDR before iTXt");
2490
2491 if (png_ptr->mode & PNG_HAVE_IDAT)
2492 png_ptr->mode |= PNG_AFTER_IDAT;
2493
2494#ifdef PNG_MAX_MALLOC_64K
2495 /* We will no doubt have problems with chunks even half this size, but
2496 * there is no hard and fast rule to tell us where to stop.
2497 */
2498 if (length > (png_uint_32)65535L)
2499 {
2500 png_warning(png_ptr, "iTXt chunk too large to fit in memory");
2501 png_crc_finish(png_ptr, length);
2502 return;
2503 }
2504#endif
2505
2506 png_free(png_ptr, png_ptr->chunkdata);
2507 png_ptr->chunkdata = (png_charp)png_malloc_warn(png_ptr, length + 1);
2508
2509 if (png_ptr->chunkdata == NULL)
2510 {
2511 png_warning(png_ptr, "No memory to process iTXt chunk");
2512 return;
2513 }
2514
2515 slength = length;
2516 png_crc_read(png_ptr, (png_bytep)png_ptr->chunkdata, slength);
2517
2518 if (png_crc_finish(png_ptr, 0))
2519 {
2520 png_free(png_ptr, png_ptr->chunkdata);
2521 png_ptr->chunkdata = NULL;
2522 return;
2523 }
2524
2525 png_ptr->chunkdata[slength] = 0x00;
2526
2527 for (lang = png_ptr->chunkdata; *lang; lang++)
2528 /* Empty loop */ ;
2529
2530 lang++; /* Skip NUL separator */
2531
2532 /* iTXt must have a language tag (possibly empty), two compression bytes,
2533 * translated keyword (possibly empty), and possibly some text after the
2534 * keyword
2535 */
2536
2537 if (lang >= png_ptr->chunkdata + slength - 3)
2538 {
2539 png_warning(png_ptr, "Truncated iTXt chunk");
2540 png_free(png_ptr, png_ptr->chunkdata);
2541 png_ptr->chunkdata = NULL;
2542 return;
2543 }
2544
2545 else
2546 {
2547 comp_flag = *lang++;
2548 comp_type = *lang++;
2549 }
2550
2551 if (comp_type || (comp_flag && comp_flag != PNG_TEXT_COMPRESSION_zTXt))
2552 {
2553 png_warning(png_ptr, "Unknown iTXt compression type or method");
2554 png_free(png_ptr, png_ptr->chunkdata);
2555 png_ptr->chunkdata = NULL;
2556 return;
2557 }
2558
2559 for (lang_key = lang; *lang_key; lang_key++)
2560 /* Empty loop */ ;
2561
2562 lang_key++; /* Skip NUL separator */
2563
2564 if (lang_key >= png_ptr->chunkdata + slength)
2565 {
2566 png_warning(png_ptr, "Truncated iTXt chunk");
2567 png_free(png_ptr, png_ptr->chunkdata);
2568 png_ptr->chunkdata = NULL;
2569 return;
2570 }
2571
2572 for (text = lang_key; *text; text++)
2573 /* Empty loop */ ;
2574
2575 text++; /* Skip NUL separator */
2576
2577 if (text >= png_ptr->chunkdata + slength)
2578 {
2579 png_warning(png_ptr, "Malformed iTXt chunk");
2580 png_free(png_ptr, png_ptr->chunkdata);
2581 png_ptr->chunkdata = NULL;
2582 return;
2583 }
2584
2585 prefix_len = text - png_ptr->chunkdata;
2586
2587 key=png_ptr->chunkdata;
2588
2589 if (comp_flag)
2590 png_decompress_chunk(png_ptr, comp_type,
2591 (size_t)length, prefix_len, &data_len);
2592
2593 else
2594 data_len = png_strlen(png_ptr->chunkdata + prefix_len);
2595
2596 text_ptr = (png_textp)png_malloc_warn(png_ptr,
2597 png_sizeof(png_text));
2598
2599 if (text_ptr == NULL)
2600 {
2601 png_warning(png_ptr, "Not enough memory to process iTXt chunk");
2602 png_free(png_ptr, png_ptr->chunkdata);
2603 png_ptr->chunkdata = NULL;
2604 return;
2605 }
2606
2607 text_ptr->compression = (int)comp_flag + 1;
2608 text_ptr->lang_key = png_ptr->chunkdata + (lang_key - key);
2609 text_ptr->lang = png_ptr->chunkdata + (lang - key);
2610 text_ptr->itxt_length = data_len;
2611 text_ptr->text_length = 0;
2612 text_ptr->key = png_ptr->chunkdata;
2613 text_ptr->text = png_ptr->chunkdata + prefix_len;
2614
2615 ret = png_set_text_2(png_ptr, info_ptr, text_ptr, 1);
2616
2617 png_free(png_ptr, text_ptr);
2618 png_free(png_ptr, png_ptr->chunkdata);
2619 png_ptr->chunkdata = NULL;
2620
2621 if (ret)
2622 png_error(png_ptr, "Insufficient memory to store iTXt chunk");
2623}
2624#endif
2625
2626/* This function is called when we haven't found a handler for a
2627 * chunk. If there isn't a problem with the chunk itself (ie bad
2628 * chunk name, CRC, or a critical chunk), the chunk is silently ignored
2629 * -- unless the PNG_FLAG_UNKNOWN_CHUNKS_SUPPORTED flag is on in which
2630 * case it will be saved away to be written out later.
2631 */
2632void /* PRIVATE */
2633png_handle_unknown(png_structp png_ptr, png_infop info_ptr, png_uint_32 length)
2634{
2635 png_uint_32 skip = 0;
2636
2637 png_debug(1, "in png_handle_unknown");
2638
2639#ifdef PNG_USER_LIMITS_SUPPORTED
2640 if (png_ptr->user_chunk_cache_max != 0)
2641 {
2642 if (png_ptr->user_chunk_cache_max == 1)
2643 {
2644 png_crc_finish(png_ptr, length);
2645 return;
2646 }
2647
2648 if (--png_ptr->user_chunk_cache_max == 1)
2649 {
2650 png_warning(png_ptr, "No space in chunk cache for unknown chunk");
2651 png_crc_finish(png_ptr, length);
2652 return;
2653 }
2654 }
2655#endif
2656
2657 if (png_ptr->mode & PNG_HAVE_IDAT)
2658 {
2659 if (png_ptr->chunk_name != png_IDAT)
2660 png_ptr->mode |= PNG_AFTER_IDAT;
2661 }
2662
2663 if (PNG_CHUNK_CRITICAL(png_ptr->chunk_name))
2664 {
2665#ifdef PNG_HANDLE_AS_UNKNOWN_SUPPORTED
2666 if (png_chunk_unknown_handling(png_ptr, png_ptr->chunk_name) !=
2667 PNG_HANDLE_CHUNK_ALWAYS
2668#ifdef PNG_READ_USER_CHUNKS_SUPPORTED
2669 && png_ptr->read_user_chunk_fn == NULL
2670#endif
2671 )
2672#endif
2673 png_chunk_error(png_ptr, "unknown critical chunk");
2674 }
2675
2676#ifdef PNG_READ_UNKNOWN_CHUNKS_SUPPORTED
2677 if ((png_ptr->flags & PNG_FLAG_KEEP_UNKNOWN_CHUNKS)
2678#ifdef PNG_READ_USER_CHUNKS_SUPPORTED
2679 || (png_ptr->read_user_chunk_fn != NULL)
2680#endif
2681 )
2682 {
2683#ifdef PNG_MAX_MALLOC_64K
2684 if (length > 65535)
2685 {
2686 png_warning(png_ptr, "unknown chunk too large to fit in memory");
2687 skip = length - 65535;
2688 length = 65535;
2689 }
2690#endif
2691
2692 /* TODO: this code is very close to the unknown handling in pngpread.c,
2693 * maybe it can be put into a common utility routine?
2694 * png_struct::unknown_chunk is just used as a temporary variable, along
2695 * with the data into which the chunk is read. These can be eliminated.
2696 */
2697 PNG_CSTRING_FROM_CHUNK(png_ptr->unknown_chunk.name, png_ptr->chunk_name);
2698 png_ptr->unknown_chunk.size = (png_size_t)length;
2699
2700 if (length == 0)
2701 png_ptr->unknown_chunk.data = NULL;
2702
2703 else
2704 {
2705 png_ptr->unknown_chunk.data = (png_bytep)png_malloc(png_ptr, length);
2706 png_crc_read(png_ptr, png_ptr->unknown_chunk.data, length);
2707 }
2708
2709#ifdef PNG_READ_USER_CHUNKS_SUPPORTED
2710 if (png_ptr->read_user_chunk_fn != NULL)
2711 {
2712 /* Callback to user unknown chunk handler */
2713 int ret;
2714
2715 ret = (*(png_ptr->read_user_chunk_fn))
2716 (png_ptr, &png_ptr->unknown_chunk);
2717
2718 if (ret < 0)
2719 png_chunk_error(png_ptr, "error in user chunk");
2720
2721 if (ret == 0)
2722 {
2723 if (PNG_CHUNK_CRITICAL(png_ptr->chunk_name))
2724 {
2725#ifdef PNG_HANDLE_AS_UNKNOWN_SUPPORTED
2726 if (png_chunk_unknown_handling(png_ptr, png_ptr->chunk_name) !=
2727 PNG_HANDLE_CHUNK_ALWAYS)
2728#endif
2729 png_chunk_error(png_ptr, "unknown critical chunk");
2730 }
2731
2732 png_set_unknown_chunks(png_ptr, info_ptr,
2733 &png_ptr->unknown_chunk, 1);
2734 }
2735 }
2736
2737 else
2738#endif
2739 png_set_unknown_chunks(png_ptr, info_ptr, &png_ptr->unknown_chunk, 1);
2740
2741 png_free(png_ptr, png_ptr->unknown_chunk.data);
2742 png_ptr->unknown_chunk.data = NULL;
2743 }
2744
2745 else
2746#endif
2747 skip = length;
2748
2749 png_crc_finish(png_ptr, skip);
2750
2751#ifndef PNG_READ_USER_CHUNKS_SUPPORTED
2752 PNG_UNUSED(info_ptr) /* Quiet compiler warnings about unused info_ptr */
2753#endif
2754}
2755
2756/* This function is called to verify that a chunk name is valid.
2757 * This function can't have the "critical chunk check" incorporated
2758 * into it, since in the future we will need to be able to call user
2759 * functions to handle unknown critical chunks after we check that
2760 * the chunk name itself is valid.
2761 */
2762
2763/* Bit hacking: the test for an invalid byte in the 4 byte chunk name is:
2764 *
2765 * ((c) < 65 || (c) > 122 || ((c) > 90 && (c) < 97))
2766 */
2767
2768void /* PRIVATE */
2769png_check_chunk_name(png_structp png_ptr, png_uint_32 chunk_name)
2770{
2771 int i;
2772
2773 png_debug(1, "in png_check_chunk_name");
2774
2775 for (i=1; i<=4; ++i)
2776 {
2777 int c = chunk_name & 0xff;
2778
2779 if (c < 65 || c > 122 || (c > 90 && c < 97))
2780 png_chunk_error(png_ptr, "invalid chunk type");
2781
2782 chunk_name >>= 8;
2783 }
2784}
2785
2786/* Combines the row recently read in with the existing pixels in the row. This
2787 * routine takes care of alpha and transparency if requested. This routine also
2788 * handles the two methods of progressive display of interlaced images,
2789 * depending on the 'display' value; if 'display' is true then the whole row
2790 * (dp) is filled from the start by replicating the available pixels. If
2791 * 'display' is false only those pixels present in the pass are filled in.
2792 */
2793void /* PRIVATE */
2794png_combine_row(png_structp png_ptr, png_bytep dp, int display)
2795{
2796 unsigned int pixel_depth = png_ptr->transformed_pixel_depth;
2797 png_const_bytep sp = png_ptr->row_buf + 1;
2798 png_uint_32 row_width = png_ptr->width;
2799 unsigned int pass = png_ptr->pass;
2800 png_bytep end_ptr = 0;
2801 png_byte end_byte = 0;
2802 unsigned int end_mask;
2803
2804 png_debug(1, "in png_combine_row");
2805
2806 /* Added in 1.5.6: it should not be possible to enter this routine until at
2807 * least one row has been read from the PNG data and transformed.
2808 */
2809 if (pixel_depth == 0)
2810 png_error(png_ptr, "internal row logic error");
2811
2812 /* Added in 1.5.4: the pixel depth should match the information returned by
2813 * any call to png_read_update_info at this point. Do not continue if we got
2814 * this wrong.
2815 */
2816 if (png_ptr->info_rowbytes != 0 && png_ptr->info_rowbytes !=
2817 PNG_ROWBYTES(pixel_depth, row_width))
2818 png_error(png_ptr, "internal row size calculation error");
2819
2820 /* Don't expect this to ever happen: */
2821 if (row_width == 0)
2822 png_error(png_ptr, "internal row width error");
2823
2824 /* Preserve the last byte in cases where only part of it will be overwritten,
2825 * the multiply below may overflow, we don't care because ANSI-C guarantees
2826 * we get the low bits.
2827 */
2828 end_mask = (pixel_depth * row_width) & 7;
2829 if (end_mask != 0)
2830 {
2831 /* end_ptr == NULL is a flag to say do nothing */
2832 end_ptr = dp + PNG_ROWBYTES(pixel_depth, row_width) - 1;
2833 end_byte = *end_ptr;
2834# ifdef PNG_READ_PACKSWAP_SUPPORTED
2835 if (png_ptr->transformations & PNG_PACKSWAP) /* little-endian byte */
2836 end_mask = 0xff << end_mask;
2837
2838 else /* big-endian byte */
2839# endif
2840 end_mask = 0xff >> end_mask;
2841 /* end_mask is now the bits to *keep* from the destination row */
2842 }
2843
2844 /* For non-interlaced images this reduces to a png_memcpy(). A png_memcpy()
2845 * will also happen if interlacing isn't supported or if the application
2846 * does not call png_set_interlace_handling(). In the latter cases the
2847 * caller just gets a sequence of the unexpanded rows from each interlace
2848 * pass.
2849 */
2850#ifdef PNG_READ_INTERLACING_SUPPORTED
2851 if (png_ptr->interlaced && (png_ptr->transformations & PNG_INTERLACE) &&
2852 pass < 6 && (display == 0 ||
2853 /* The following copies everything for 'display' on passes 0, 2 and 4. */
2854 (display == 1 && (pass & 1) != 0)))
2855 {
2856 /* Narrow images may have no bits in a pass; the caller should handle
2857 * this, but this test is cheap:
2858 */
2859 if (row_width <= PNG_PASS_START_COL(pass))
2860 return;
2861
2862 if (pixel_depth < 8)
2863 {
2864 /* For pixel depths up to 4 bpp the 8-pixel mask can be expanded to fit
2865 * into 32 bits, then a single loop over the bytes using the four byte
2866 * values in the 32-bit mask can be used. For the 'display' option the
2867 * expanded mask may also not require any masking within a byte. To
2868 * make this work the PACKSWAP option must be taken into account - it
2869 * simply requires the pixels to be reversed in each byte.
2870 *
2871 * The 'regular' case requires a mask for each of the first 6 passes,
2872 * the 'display' case does a copy for the even passes in the range
2873 * 0..6. This has already been handled in the test above.
2874 *
2875 * The masks are arranged as four bytes with the first byte to use in
2876 * the lowest bits (little-endian) regardless of the order (PACKSWAP or
2877 * not) of the pixels in each byte.
2878 *
2879 * NOTE: the whole of this logic depends on the caller of this function
2880 * only calling it on rows appropriate to the pass. This function only
2881 * understands the 'x' logic; the 'y' logic is handled by the caller.
2882 *
2883 * The following defines allow generation of compile time constant bit
2884 * masks for each pixel depth and each possibility of swapped or not
2885 * swapped bytes. Pass 'p' is in the range 0..6; 'x', a pixel index,
2886 * is in the range 0..7; and the result is 1 if the pixel is to be
2887 * copied in the pass, 0 if not. 'S' is for the sparkle method, 'B'
2888 * for the block method.
2889 *
2890 * With some compilers a compile time expression of the general form:
2891 *
2892 * (shift >= 32) ? (a >> (shift-32)) : (b >> shift)
2893 *
2894 * Produces warnings with values of 'shift' in the range 33 to 63
2895 * because the right hand side of the ?: expression is evaluated by
2896 * the compiler even though it isn't used. Microsoft Visual C (various
2897 * versions) and the Intel C compiler are known to do this. To avoid
2898 * this the following macros are used in 1.5.6. This is a temporary
2899 * solution to avoid destabilizing the code during the release process.
2900 */
2901# if PNG_USE_COMPILE_TIME_MASKS
2902# define PNG_LSR(x,s) ((x)>>((s) & 0x1f))
2903# define PNG_LSL(x,s) ((x)<<((s) & 0x1f))
2904# else
2905# define PNG_LSR(x,s) ((x)>>(s))
2906# define PNG_LSL(x,s) ((x)<<(s))
2907# endif
2908# define S_COPY(p,x) (((p)<4 ? PNG_LSR(0x80088822,(3-(p))*8+(7-(x))) :\
2909 PNG_LSR(0xaa55ff00,(7-(p))*8+(7-(x)))) & 1)
2910# define B_COPY(p,x) (((p)<4 ? PNG_LSR(0xff0fff33,(3-(p))*8+(7-(x))) :\
2911 PNG_LSR(0xff55ff00,(7-(p))*8+(7-(x)))) & 1)
2912
2913 /* Return a mask for pass 'p' pixel 'x' at depth 'd'. The mask is
2914 * little endian - the first pixel is at bit 0 - however the extra
2915 * parameter 's' can be set to cause the mask position to be swapped
2916 * within each byte, to match the PNG format. This is done by XOR of
2917 * the shift with 7, 6 or 4 for bit depths 1, 2 and 4.
2918 */
2919# define PIXEL_MASK(p,x,d,s) \
2920 (PNG_LSL(((PNG_LSL(1U,(d)))-1),(((x)*(d))^((s)?8-(d):0))))
2921
2922 /* Hence generate the appropriate 'block' or 'sparkle' pixel copy mask.
2923 */
2924# define S_MASKx(p,x,d,s) (S_COPY(p,x)?PIXEL_MASK(p,x,d,s):0)
2925# define B_MASKx(p,x,d,s) (B_COPY(p,x)?PIXEL_MASK(p,x,d,s):0)
2926
2927 /* Combine 8 of these to get the full mask. For the 1-bpp and 2-bpp
2928 * cases the result needs replicating, for the 4-bpp case the above
2929 * generates a full 32 bits.
2930 */
2931# define MASK_EXPAND(m,d) ((m)*((d)==1?0x01010101:((d)==2?0x00010001:1)))
2932
2933# define S_MASK(p,d,s) MASK_EXPAND(S_MASKx(p,0,d,s) + S_MASKx(p,1,d,s) +\
2934 S_MASKx(p,2,d,s) + S_MASKx(p,3,d,s) + S_MASKx(p,4,d,s) +\
2935 S_MASKx(p,5,d,s) + S_MASKx(p,6,d,s) + S_MASKx(p,7,d,s), d)
2936
2937# define B_MASK(p,d,s) MASK_EXPAND(B_MASKx(p,0,d,s) + B_MASKx(p,1,d,s) +\
2938 B_MASKx(p,2,d,s) + B_MASKx(p,3,d,s) + B_MASKx(p,4,d,s) +\
2939 B_MASKx(p,5,d,s) + B_MASKx(p,6,d,s) + B_MASKx(p,7,d,s), d)
2940
2941#if PNG_USE_COMPILE_TIME_MASKS
2942 /* Utility macros to construct all the masks for a depth/swap
2943 * combination. The 's' parameter says whether the format is PNG
2944 * (big endian bytes) or not. Only the three odd-numbered passes are
2945 * required for the display/block algorithm.
2946 */
2947# define S_MASKS(d,s) { S_MASK(0,d,s), S_MASK(1,d,s), S_MASK(2,d,s),\
2948 S_MASK(3,d,s), S_MASK(4,d,s), S_MASK(5,d,s) }
2949
2950# define B_MASKS(d,s) { B_MASK(1,d,s), S_MASK(3,d,s), S_MASK(5,d,s) }
2951
2952# define DEPTH_INDEX(d) ((d)==1?0:((d)==2?1:2))
2953
2954 /* Hence the pre-compiled masks indexed by PACKSWAP (or not), depth and
2955 * then pass:
2956 */
2957 static PNG_CONST png_uint_32 row_mask[2/*PACKSWAP*/][3/*depth*/][6] =
2958 {
2959 /* Little-endian byte masks for PACKSWAP */
2960 { S_MASKS(1,0), S_MASKS(2,0), S_MASKS(4,0) },
2961 /* Normal (big-endian byte) masks - PNG format */
2962 { S_MASKS(1,1), S_MASKS(2,1), S_MASKS(4,1) }
2963 };
2964
2965 /* display_mask has only three entries for the odd passes, so index by
2966 * pass>>1.
2967 */
2968 static PNG_CONST png_uint_32 display_mask[2][3][3] =
2969 {
2970 /* Little-endian byte masks for PACKSWAP */
2971 { B_MASKS(1,0), B_MASKS(2,0), B_MASKS(4,0) },
2972 /* Normal (big-endian byte) masks - PNG format */
2973 { B_MASKS(1,1), B_MASKS(2,1), B_MASKS(4,1) }
2974 };
2975
2976# define MASK(pass,depth,display,png)\
2977 ((display)?display_mask[png][DEPTH_INDEX(depth)][pass>>1]:\
2978 row_mask[png][DEPTH_INDEX(depth)][pass])
2979
2980#else /* !PNG_USE_COMPILE_TIME_MASKS */
2981 /* This is the runtime alternative: it seems unlikely that this will
2982 * ever be either smaller or faster than the compile time approach.
2983 */
2984# define MASK(pass,depth,display,png)\
2985 ((display)?B_MASK(pass,depth,png):S_MASK(pass,depth,png))
2986#endif /* !PNG_USE_COMPILE_TIME_MASKS */
2987
2988 /* Use the appropriate mask to copy the required bits. In some cases
2989 * the byte mask will be 0 or 0xff, optimize these cases. row_width is
2990 * the number of pixels, but the code copies bytes, so it is necessary
2991 * to special case the end.
2992 */
2993 png_uint_32 pixels_per_byte = 8 / pixel_depth;
2994 png_uint_32 mask;
2995
2996# ifdef PNG_READ_PACKSWAP_SUPPORTED
2997 if (png_ptr->transformations & PNG_PACKSWAP)
2998 mask = MASK(pass, pixel_depth, display, 0);
2999
3000 else
3001# endif
3002 mask = MASK(pass, pixel_depth, display, 1);
3003
3004 for (;;)
3005 {
3006 png_uint_32 m;
3007
3008 /* It doesn't matter in the following if png_uint_32 has more than
3009 * 32 bits because the high bits always match those in m<<24; it is,
3010 * however, essential to use OR here, not +, because of this.
3011 */
3012 m = mask;
3013 mask = (m >> 8) | (m << 24); /* rotate right to good compilers */
3014 m &= 0xff;
3015
3016 if (m != 0) /* something to copy */
3017 {
3018 if (m != 0xff)
3019 *dp = (png_byte)((*dp & ~m) | (*sp & m));
3020 else
3021 *dp = *sp;
3022 }
3023
3024 /* NOTE: this may overwrite the last byte with garbage if the image
3025 * is not an exact number of bytes wide; libpng has always done
3026 * this.
3027 */
3028 if (row_width <= pixels_per_byte)
3029 break; /* May need to restore part of the last byte */
3030
3031 row_width -= pixels_per_byte;
3032 ++dp;
3033 ++sp;
3034 }
3035 }
3036
3037 else /* pixel_depth >= 8 */
3038 {
3039 unsigned int bytes_to_copy, bytes_to_jump;
3040
3041 /* Validate the depth - it must be a multiple of 8 */
3042 if (pixel_depth & 7)
3043 png_error(png_ptr, "invalid user transform pixel depth");
3044
3045 pixel_depth >>= 3; /* now in bytes */
3046 row_width *= pixel_depth;
3047
3048 /* Regardless of pass number the Adam 7 interlace always results in a
3049 * fixed number of pixels to copy then to skip. There may be a
3050 * different number of pixels to skip at the start though.
3051 */
3052 {
3053 unsigned int offset = PNG_PASS_START_COL(pass) * pixel_depth;
3054
3055 row_width -= offset;
3056 dp += offset;
3057 sp += offset;
3058 }
3059
3060 /* Work out the bytes to copy. */
3061 if (display)
3062 {
3063 /* When doing the 'block' algorithm the pixel in the pass gets
3064 * replicated to adjacent pixels. This is why the even (0,2,4,6)
3065 * passes are skipped above - the entire expanded row is copied.
3066 */
3067 bytes_to_copy = (1<<((6-pass)>>1)) * pixel_depth;
3068
3069 /* But don't allow this number to exceed the actual row width. */
3070 if (bytes_to_copy > row_width)
3071 bytes_to_copy = row_width;
3072 }
3073
3074 else /* normal row; Adam7 only ever gives us one pixel to copy. */
3075 bytes_to_copy = pixel_depth;
3076
3077 /* In Adam7 there is a constant offset between where the pixels go. */
3078 bytes_to_jump = PNG_PASS_COL_OFFSET(pass) * pixel_depth;
3079
3080 /* And simply copy these bytes. Some optimization is possible here,
3081 * depending on the value of 'bytes_to_copy'. Special case the low
3082 * byte counts, which we know to be frequent.
3083 *
3084 * Notice that these cases all 'return' rather than 'break' - this
3085 * avoids an unnecessary test on whether to restore the last byte
3086 * below.
3087 */
3088 switch (bytes_to_copy)
3089 {
3090 case 1:
3091 for (;;)
3092 {
3093 *dp = *sp;
3094
3095 if (row_width <= bytes_to_jump)
3096 return;
3097
3098 dp += bytes_to_jump;
3099 sp += bytes_to_jump;
3100 row_width -= bytes_to_jump;
3101 }
3102
3103 case 2:
3104 /* There is a possibility of a partial copy at the end here; this
3105 * slows the code down somewhat.
3106 */
3107 do
3108 {
3109 dp[0] = sp[0], dp[1] = sp[1];
3110
3111 if (row_width <= bytes_to_jump)
3112 return;
3113
3114 sp += bytes_to_jump;
3115 dp += bytes_to_jump;
3116 row_width -= bytes_to_jump;
3117 }
3118 while (row_width > 1);
3119
3120 /* And there can only be one byte left at this point: */
3121 *dp = *sp;
3122 return;
3123
3124 case 3:
3125 /* This can only be the RGB case, so each copy is exactly one
3126 * pixel and it is not necessary to check for a partial copy.
3127 */
3128 for(;;)
3129 {
3130 dp[0] = sp[0], dp[1] = sp[1], dp[2] = sp[2];
3131
3132 if (row_width <= bytes_to_jump)
3133 return;
3134
3135 sp += bytes_to_jump;
3136 dp += bytes_to_jump;
3137 row_width -= bytes_to_jump;
3138 }
3139
3140 default:
3141#if PNG_ALIGN_TYPE != PNG_ALIGN_NONE
3142 /* Check for double byte alignment and, if possible, use a
3143 * 16-bit copy. Don't attempt this for narrow images - ones that
3144 * are less than an interlace panel wide. Don't attempt it for
3145 * wide bytes_to_copy either - use the png_memcpy there.
3146 */
3147 if (bytes_to_copy < 16 /*else use png_memcpy*/ &&
3148 png_isaligned(dp, png_uint_16) &&
3149 png_isaligned(sp, png_uint_16) &&
3150 bytes_to_copy % sizeof (png_uint_16) == 0 &&
3151 bytes_to_jump % sizeof (png_uint_16) == 0)
3152 {
3153 /* Everything is aligned for png_uint_16 copies, but try for
3154 * png_uint_32 first.
3155 */
3156 if (png_isaligned(dp, png_uint_32) &&
3157 png_isaligned(sp, png_uint_32) &&
3158 bytes_to_copy % sizeof (png_uint_32) == 0 &&
3159 bytes_to_jump % sizeof (png_uint_32) == 0)
3160 {
3161 png_uint_32p dp32 = (png_uint_32p)dp;
3162 png_const_uint_32p sp32 = (png_const_uint_32p)sp;
3163 unsigned int skip = (bytes_to_jump-bytes_to_copy) /
3164 sizeof (png_uint_32);
3165
3166 do
3167 {
3168 size_t c = bytes_to_copy;
3169 do
3170 {
3171 *dp32++ = *sp32++;
3172 c -= sizeof (png_uint_32);
3173 }
3174 while (c > 0);
3175
3176 if (row_width <= bytes_to_jump)
3177 return;
3178
3179 dp32 += skip;
3180 sp32 += skip;
3181 row_width -= bytes_to_jump;
3182 }
3183 while (bytes_to_copy <= row_width);
3184
3185 /* Get to here when the row_width truncates the final copy.
3186 * There will be 1-3 bytes left to copy, so don't try the
3187 * 16-bit loop below.
3188 */
3189 dp = (png_bytep)dp32;
3190 sp = (png_const_bytep)sp32;
3191 do
3192 *dp++ = *sp++;
3193 while (--row_width > 0);
3194 return;
3195 }
3196
3197 /* Else do it in 16-bit quantities, but only if the size is
3198 * not too large.
3199 */
3200 else
3201 {
3202 png_uint_16p dp16 = (png_uint_16p)dp;
3203 png_const_uint_16p sp16 = (png_const_uint_16p)sp;
3204 unsigned int skip = (bytes_to_jump-bytes_to_copy) /
3205 sizeof (png_uint_16);
3206
3207 do
3208 {
3209 size_t c = bytes_to_copy;
3210 do
3211 {
3212 *dp16++ = *sp16++;
3213 c -= sizeof (png_uint_16);
3214 }
3215 while (c > 0);
3216
3217 if (row_width <= bytes_to_jump)
3218 return;
3219
3220 dp16 += skip;
3221 sp16 += skip;
3222 row_width -= bytes_to_jump;
3223 }
3224 while (bytes_to_copy <= row_width);
3225
3226 /* End of row - 1 byte left, bytes_to_copy > row_width: */
3227 dp = (png_bytep)dp16;
3228 sp = (png_const_bytep)sp16;
3229 do
3230 *dp++ = *sp++;
3231 while (--row_width > 0);
3232 return;
3233 }
3234 }
3235#endif /* PNG_ALIGN_ code */
3236
3237 /* The true default - use a png_memcpy: */
3238 for (;;)
3239 {
3240 png_memcpy(dp, sp, bytes_to_copy);
3241
3242 if (row_width <= bytes_to_jump)
3243 return;
3244
3245 sp += bytes_to_jump;
3246 dp += bytes_to_jump;
3247 row_width -= bytes_to_jump;
3248 if (bytes_to_copy > row_width)
3249 bytes_to_copy = row_width;
3250 }
3251 }
3252
3253 /* NOT REACHED*/
3254 } /* pixel_depth >= 8 */
3255
3256 /* Here if pixel_depth < 8 to check 'end_ptr' below. */
3257 }
3258 else
3259#endif
3260
3261 /* If here then the switch above wasn't used so just png_memcpy the whole row
3262 * from the temporary row buffer (notice that this overwrites the end of the
3263 * destination row if it is a partial byte.)
3264 */
3265 png_memcpy(dp, sp, PNG_ROWBYTES(pixel_depth, row_width));
3266
3267 /* Restore the overwritten bits from the last byte if necessary. */
3268 if (end_ptr != NULL)
3269 *end_ptr = (png_byte)((end_byte & end_mask) | (*end_ptr & ~end_mask));
3270}
3271
3272#ifdef PNG_READ_INTERLACING_SUPPORTED
3273void /* PRIVATE */
3274png_do_read_interlace(png_row_infop row_info, png_bytep row, int pass,
3275 png_uint_32 transformations /* Because these may affect the byte layout */)
3276{
3277 /* Arrays to facilitate easy interlacing - use pass (0 - 6) as index */
3278 /* Offset to next interlace block */
3279 static PNG_CONST int png_pass_inc[7] = {8, 8, 4, 4, 2, 2, 1};
3280
3281 png_debug(1, "in png_do_read_interlace");
3282 if (row != NULL && row_info != NULL)
3283 {
3284 png_uint_32 final_width;
3285
3286 final_width = row_info->width * png_pass_inc[pass];
3287
3288 switch (row_info->pixel_depth)
3289 {
3290 case 1:
3291 {
3292 png_bytep sp = row + (png_size_t)((row_info->width - 1) >> 3);
3293 png_bytep dp = row + (png_size_t)((final_width - 1) >> 3);
3294 int sshift, dshift;
3295 int s_start, s_end, s_inc;
3296 int jstop = png_pass_inc[pass];
3297 png_byte v;
3298 png_uint_32 i;
3299 int j;
3300
3301#ifdef PNG_READ_PACKSWAP_SUPPORTED
3302 if (transformations & PNG_PACKSWAP)
3303 {
3304 sshift = (int)((row_info->width + 7) & 0x07);
3305 dshift = (int)((final_width + 7) & 0x07);
3306 s_start = 7;
3307 s_end = 0;
3308 s_inc = -1;
3309 }
3310
3311 else
3312#endif
3313 {
3314 sshift = 7 - (int)((row_info->width + 7) & 0x07);
3315 dshift = 7 - (int)((final_width + 7) & 0x07);
3316 s_start = 0;
3317 s_end = 7;
3318 s_inc = 1;
3319 }
3320
3321 for (i = 0; i < row_info->width; i++)
3322 {
3323 v = (png_byte)((*sp >> sshift) & 0x01);
3324 for (j = 0; j < jstop; j++)
3325 {
3326 *dp &= (png_byte)((0x7f7f >> (7 - dshift)) & 0xff);
3327 *dp |= (png_byte)(v << dshift);
3328
3329 if (dshift == s_end)
3330 {
3331 dshift = s_start;
3332 dp--;
3333 }
3334
3335 else
3336 dshift += s_inc;
3337 }
3338
3339 if (sshift == s_end)
3340 {
3341 sshift = s_start;
3342 sp--;
3343 }
3344
3345 else
3346 sshift += s_inc;
3347 }
3348 break;
3349 }
3350
3351 case 2:
3352 {
3353 png_bytep sp = row + (png_uint_32)((row_info->width - 1) >> 2);
3354 png_bytep dp = row + (png_uint_32)((final_width - 1) >> 2);
3355 int sshift, dshift;
3356 int s_start, s_end, s_inc;
3357 int jstop = png_pass_inc[pass];
3358 png_uint_32 i;
3359
3360#ifdef PNG_READ_PACKSWAP_SUPPORTED
3361 if (transformations & PNG_PACKSWAP)
3362 {
3363 sshift = (int)(((row_info->width + 3) & 0x03) << 1);
3364 dshift = (int)(((final_width + 3) & 0x03) << 1);
3365 s_start = 6;
3366 s_end = 0;
3367 s_inc = -2;
3368 }
3369
3370 else
3371#endif
3372 {
3373 sshift = (int)((3 - ((row_info->width + 3) & 0x03)) << 1);
3374 dshift = (int)((3 - ((final_width + 3) & 0x03)) << 1);
3375 s_start = 0;
3376 s_end = 6;
3377 s_inc = 2;
3378 }
3379
3380 for (i = 0; i < row_info->width; i++)
3381 {
3382 png_byte v;
3383 int j;
3384
3385 v = (png_byte)((*sp >> sshift) & 0x03);
3386 for (j = 0; j < jstop; j++)
3387 {
3388 *dp &= (png_byte)((0x3f3f >> (6 - dshift)) & 0xff);
3389 *dp |= (png_byte)(v << dshift);
3390
3391 if (dshift == s_end)
3392 {
3393 dshift = s_start;
3394 dp--;
3395 }
3396
3397 else
3398 dshift += s_inc;
3399 }
3400
3401 if (sshift == s_end)
3402 {
3403 sshift = s_start;
3404 sp--;
3405 }
3406
3407 else
3408 sshift += s_inc;
3409 }
3410 break;
3411 }
3412
3413 case 4:
3414 {
3415 png_bytep sp = row + (png_size_t)((row_info->width - 1) >> 1);
3416 png_bytep dp = row + (png_size_t)((final_width - 1) >> 1);
3417 int sshift, dshift;
3418 int s_start, s_end, s_inc;
3419 png_uint_32 i;
3420 int jstop = png_pass_inc[pass];
3421
3422#ifdef PNG_READ_PACKSWAP_SUPPORTED
3423 if (transformations & PNG_PACKSWAP)
3424 {
3425 sshift = (int)(((row_info->width + 1) & 0x01) << 2);
3426 dshift = (int)(((final_width + 1) & 0x01) << 2);
3427 s_start = 4;
3428 s_end = 0;
3429 s_inc = -4;
3430 }
3431
3432 else
3433#endif
3434 {
3435 sshift = (int)((1 - ((row_info->width + 1) & 0x01)) << 2);
3436 dshift = (int)((1 - ((final_width + 1) & 0x01)) << 2);
3437 s_start = 0;
3438 s_end = 4;
3439 s_inc = 4;
3440 }
3441
3442 for (i = 0; i < row_info->width; i++)
3443 {
3444 png_byte v = (png_byte)((*sp >> sshift) & 0x0f);
3445 int j;
3446
3447 for (j = 0; j < jstop; j++)
3448 {
3449 *dp &= (png_byte)((0xf0f >> (4 - dshift)) & 0xff);
3450 *dp |= (png_byte)(v << dshift);
3451
3452 if (dshift == s_end)
3453 {
3454 dshift = s_start;
3455 dp--;
3456 }
3457
3458 else
3459 dshift += s_inc;
3460 }
3461
3462 if (sshift == s_end)
3463 {
3464 sshift = s_start;
3465 sp--;
3466 }
3467
3468 else
3469 sshift += s_inc;
3470 }
3471 break;
3472 }
3473
3474 default:
3475 {
3476 png_size_t pixel_bytes = (row_info->pixel_depth >> 3);
3477
3478 png_bytep sp = row + (png_size_t)(row_info->width - 1)
3479 * pixel_bytes;
3480
3481 png_bytep dp = row + (png_size_t)(final_width - 1) * pixel_bytes;
3482
3483 int jstop = png_pass_inc[pass];
3484 png_uint_32 i;
3485
3486 for (i = 0; i < row_info->width; i++)
3487 {
3488 png_byte v[8];
3489 int j;
3490
3491 png_memcpy(v, sp, pixel_bytes);
3492
3493 for (j = 0; j < jstop; j++)
3494 {
3495 png_memcpy(dp, v, pixel_bytes);
3496 dp -= pixel_bytes;
3497 }
3498
3499 sp -= pixel_bytes;
3500 }
3501 break;
3502 }
3503 }
3504
3505 row_info->width = final_width;
3506 row_info->rowbytes = PNG_ROWBYTES(row_info->pixel_depth, final_width);
3507 }
3508#ifndef PNG_READ_PACKSWAP_SUPPORTED
3509 PNG_UNUSED(transformations) /* Silence compiler warning */
3510#endif
3511}
3512#endif /* PNG_READ_INTERLACING_SUPPORTED */
3513
3514static void
3515png_read_filter_row_sub(png_row_infop row_info, png_bytep row,
3516 png_const_bytep prev_row)
3517{
3518 png_size_t i;
3519 png_size_t istop = row_info->rowbytes;
3520 unsigned int bpp = (row_info->pixel_depth + 7) >> 3;
3521 png_bytep rp = row + bpp;
3522
3523 PNG_UNUSED(prev_row)
3524
3525 for (i = bpp; i < istop; i++)
3526 {
3527 *rp = (png_byte)(((int)(*rp) + (int)(*(rp-bpp))) & 0xff);
3528 rp++;
3529 }
3530}
3531
3532static void
3533png_read_filter_row_up(png_row_infop row_info, png_bytep row,
3534 png_const_bytep prev_row)
3535{
3536 png_size_t i;
3537 png_size_t istop = row_info->rowbytes;
3538 png_bytep rp = row;
3539 png_const_bytep pp = prev_row;
3540
3541 for (i = 0; i < istop; i++)
3542 {
3543 *rp = (png_byte)(((int)(*rp) + (int)(*pp++)) & 0xff);
3544 rp++;
3545 }
3546}
3547
3548static void
3549png_read_filter_row_avg(png_row_infop row_info, png_bytep row,
3550 png_const_bytep prev_row)
3551{
3552 png_size_t i;
3553 png_bytep rp = row;
3554 png_const_bytep pp = prev_row;
3555 unsigned int bpp = (row_info->pixel_depth + 7) >> 3;
3556 png_size_t istop = row_info->rowbytes - bpp;
3557
3558 for (i = 0; i < bpp; i++)
3559 {
3560 *rp = (png_byte)(((int)(*rp) +
3561 ((int)(*pp++) / 2 )) & 0xff);
3562
3563 rp++;
3564 }
3565
3566 for (i = 0; i < istop; i++)
3567 {
3568 *rp = (png_byte)(((int)(*rp) +
3569 (int)(*pp++ + *(rp-bpp)) / 2 ) & 0xff);
3570
3571 rp++;
3572 }
3573}
3574
3575static void
3576png_read_filter_row_paeth_1byte_pixel(png_row_infop row_info, png_bytep row,
3577 png_const_bytep prev_row)
3578{
3579 png_bytep rp_end = row + row_info->rowbytes;
3580 int a, c;
3581
3582 /* First pixel/byte */
3583 c = *prev_row++;
3584 a = *row + c;
3585 *row++ = (png_byte)a;
3586
3587 /* Remainder */
3588 while (row < rp_end)
3589 {
3590 int b, pa, pb, pc, p;
3591
3592 a &= 0xff; /* From previous iteration or start */
3593 b = *prev_row++;
3594
3595 p = b - c;
3596 pc = a - c;
3597
3598# ifdef PNG_USE_ABS
3599 pa = abs(p);
3600 pb = abs(pc);
3601 pc = abs(p + pc);
3602# else
3603 pa = p < 0 ? -p : p;
3604 pb = pc < 0 ? -pc : pc;
3605 pc = (p + pc) < 0 ? -(p + pc) : p + pc;
3606# endif
3607
3608 /* Find the best predictor, the least of pa, pb, pc favoring the earlier
3609 * ones in the case of a tie.
3610 */
3611 if (pb < pa) pa = pb, a = b;
3612 if (pc < pa) a = c;
3613
3614 /* Calculate the current pixel in a, and move the previous row pixel to c
3615 * for the next time round the loop
3616 */
3617 c = b;
3618 a += *row;
3619 *row++ = (png_byte)a;
3620 }
3621}
3622
3623static void
3624png_read_filter_row_paeth_multibyte_pixel(png_row_infop row_info, png_bytep row,
3625 png_const_bytep prev_row)
3626{
3627 int bpp = (row_info->pixel_depth + 7) >> 3;
3628 png_bytep rp_end = row + bpp;
3629
3630 /* Process the first pixel in the row completely (this is the same as 'up'
3631 * because there is only one candidate predictor for the first row).
3632 */
3633 while (row < rp_end)
3634 {
3635 int a = *row + *prev_row++;
3636 *row++ = (png_byte)a;
3637 }
3638
3639 /* Remainder */
3640 rp_end += row_info->rowbytes - bpp;
3641
3642 while (row < rp_end)
3643 {
3644 int a, b, c, pa, pb, pc, p;
3645
3646 c = *(prev_row - bpp);
3647 a = *(row - bpp);
3648 b = *prev_row++;
3649
3650 p = b - c;
3651 pc = a - c;
3652
3653# ifdef PNG_USE_ABS
3654 pa = abs(p);
3655 pb = abs(pc);
3656 pc = abs(p + pc);
3657# else
3658 pa = p < 0 ? -p : p;
3659 pb = pc < 0 ? -pc : pc;
3660 pc = (p + pc) < 0 ? -(p + pc) : p + pc;
3661# endif
3662
3663 if (pb < pa) pa = pb, a = b;
3664 if (pc < pa) a = c;
3665#if 0
3666 c = b;
3667#endif
3668 a += *row;
3669 *row++ = (png_byte)a;
3670 }
3671}
3672
3673#ifdef PNG_ARM_NEON
3674
3675#ifdef __linux__
3676#include <stdio.h>
3677#include <elf.h>
3678#include <asm/hwcap.h>
3679
3680static int png_have_hwcap(unsigned cap)
3681{
3682 FILE *f = fopen("/proc/self/auxv", "r");
3683 Elf32_auxv_t aux;
3684 int have_cap = 0;
3685
3686 if (!f)
3687 return 0;
3688
3689 while (fread(&aux, sizeof(aux), 1, f) > 0)
3690 {
3691 if (aux.a_type == AT_HWCAP &&
3692 aux.a_un.a_val & cap)
3693 {
3694 have_cap = 1;
3695 break;
3696 }
3697 }
3698
3699 fclose(f);
3700
3701 return have_cap;
3702}
3703#endif /* __linux__ */
3704
3705static void
3706png_init_filter_functions_neon(png_structp pp, unsigned int bpp)
3707{
3708#ifdef __linux__
3709 if (!png_have_hwcap(HWCAP_NEON))
3710 return;
3711#endif
3712
3713 pp->read_filter[PNG_FILTER_VALUE_UP-1] = png_read_filter_row_up_neon;
3714
3715 if (bpp == 3)
3716 {
3717 pp->read_filter[PNG_FILTER_VALUE_SUB-1] = png_read_filter_row_sub3_neon;
3718 pp->read_filter[PNG_FILTER_VALUE_AVG-1] = png_read_filter_row_avg3_neon;
3719 pp->read_filter[PNG_FILTER_VALUE_PAETH-1] =
3720 png_read_filter_row_paeth3_neon;
3721 }
3722
3723 else if (bpp == 4)
3724 {
3725 pp->read_filter[PNG_FILTER_VALUE_SUB-1] = png_read_filter_row_sub4_neon;
3726 pp->read_filter[PNG_FILTER_VALUE_AVG-1] = png_read_filter_row_avg4_neon;
3727 pp->read_filter[PNG_FILTER_VALUE_PAETH-1] =
3728 png_read_filter_row_paeth4_neon;
3729 }
3730}
3731#endif /* PNG_ARM_NEON */
3732
3733static void
3734png_init_filter_functions(png_structp pp)
3735{
3736 unsigned int bpp = (pp->pixel_depth + 7) >> 3;
3737
3738 pp->read_filter[PNG_FILTER_VALUE_SUB-1] = png_read_filter_row_sub;
3739 pp->read_filter[PNG_FILTER_VALUE_UP-1] = png_read_filter_row_up;
3740 pp->read_filter[PNG_FILTER_VALUE_AVG-1] = png_read_filter_row_avg;
3741 if (bpp == 1)
3742 pp->read_filter[PNG_FILTER_VALUE_PAETH-1] =
3743 png_read_filter_row_paeth_1byte_pixel;
3744 else
3745 pp->read_filter[PNG_FILTER_VALUE_PAETH-1] =
3746 png_read_filter_row_paeth_multibyte_pixel;
3747
3748#ifdef PNG_ARM_NEON
3749 png_init_filter_functions_neon(pp, bpp);
3750#endif
3751}
3752
3753void /* PRIVATE */
3754png_read_filter_row(png_structp pp, png_row_infop row_info, png_bytep row,
3755 png_const_bytep prev_row, int filter)
3756{
3757 if (pp->read_filter[0] == NULL)
3758 png_init_filter_functions(pp);
3759 if (filter > PNG_FILTER_VALUE_NONE && filter < PNG_FILTER_VALUE_LAST)
3760 pp->read_filter[filter-1](row_info, row, prev_row);
3761}
3762
3763#ifdef PNG_SEQUENTIAL_READ_SUPPORTED
3764void /* PRIVATE */
3765png_read_finish_row(png_structp png_ptr)
3766{
3767#ifdef PNG_READ_INTERLACING_SUPPORTED
3768 /* Arrays to facilitate easy interlacing - use pass (0 - 6) as index */
3769
3770 /* Start of interlace block */
3771 static PNG_CONST png_byte png_pass_start[7] = {0, 4, 0, 2, 0, 1, 0};
3772
3773 /* Offset to next interlace block */
3774 static PNG_CONST png_byte png_pass_inc[7] = {8, 8, 4, 4, 2, 2, 1};
3775
3776 /* Start of interlace block in the y direction */
3777 static PNG_CONST png_byte png_pass_ystart[7] = {0, 0, 4, 0, 2, 0, 1};
3778
3779 /* Offset to next interlace block in the y direction */
3780 static PNG_CONST png_byte png_pass_yinc[7] = {8, 8, 8, 4, 4, 2, 2};
3781#endif /* PNG_READ_INTERLACING_SUPPORTED */
3782
3783 png_debug(1, "in png_read_finish_row");
3784 png_ptr->row_number++;
3785 if (png_ptr->row_number < png_ptr->num_rows)
3786 return;
3787
3788#ifdef PNG_READ_INTERLACING_SUPPORTED
3789 if (png_ptr->interlaced)
3790 {
3791 png_ptr->row_number = 0;
3792
3793 /* TO DO: don't do this if prev_row isn't needed (requires
3794 * read-ahead of the next row's filter byte.
3795 */
3796 png_memset(png_ptr->prev_row, 0, png_ptr->rowbytes + 1);
3797
3798 do
3799 {
3800 png_ptr->pass++;
3801
3802 if (png_ptr->pass >= 7)
3803 break;
3804
3805 png_ptr->iwidth = (png_ptr->width +
3806 png_pass_inc[png_ptr->pass] - 1 -
3807 png_pass_start[png_ptr->pass]) /
3808 png_pass_inc[png_ptr->pass];
3809
3810 if (!(png_ptr->transformations & PNG_INTERLACE))
3811 {
3812 png_ptr->num_rows = (png_ptr->height +
3813 png_pass_yinc[png_ptr->pass] - 1 -
3814 png_pass_ystart[png_ptr->pass]) /
3815 png_pass_yinc[png_ptr->pass];
3816 }
3817
3818 else /* if (png_ptr->transformations & PNG_INTERLACE) */
3819 break; /* libpng deinterlacing sees every row */
3820
3821 } while (png_ptr->num_rows == 0 || png_ptr->iwidth == 0);
3822
3823 if (png_ptr->pass < 7)
3824 return;
3825 }
3826#endif /* PNG_READ_INTERLACING_SUPPORTED */
3827
3828 if (!(png_ptr->flags & PNG_FLAG_ZLIB_FINISHED))
3829 {
3830 char extra;
3831 int ret;
3832
3833 png_ptr->zstream.next_out = (Byte *)&extra;
3834 png_ptr->zstream.avail_out = (uInt)1;
3835
3836 for (;;)
3837 {
3838 if (!(png_ptr->zstream.avail_in))
3839 {
3840 while (!png_ptr->idat_size)
3841 {
3842 png_crc_finish(png_ptr, 0);
3843 png_ptr->idat_size = png_read_chunk_header(png_ptr);
3844 if (png_ptr->chunk_name != png_IDAT)
3845 png_error(png_ptr, "Not enough image data");
3846 }
3847
3848 png_ptr->zstream.avail_in = (uInt)png_ptr->zbuf_size;
3849 png_ptr->zstream.next_in = png_ptr->zbuf;
3850
3851 if (png_ptr->zbuf_size > png_ptr->idat_size)
3852 png_ptr->zstream.avail_in = (uInt)png_ptr->idat_size;
3853
3854 png_crc_read(png_ptr, png_ptr->zbuf, png_ptr->zstream.avail_in);
3855 png_ptr->idat_size -= png_ptr->zstream.avail_in;
3856 }
3857
3858#if 1
3859 ret = inflate(&png_ptr->zstream, Z_PARTIAL_FLUSH);
3860
3861#else
3862 int flush = Z_PARTIAL_FLUSH;
3863 execut_hook("inflate", &png_ptr->zstream, &flush, &ret, NULL, NULL, NULL );
3864#endif
3865 if (ret == Z_STREAM_END)
3866 {
3867 if (!(png_ptr->zstream.avail_out) || png_ptr->zstream.avail_in ||
3868 png_ptr->idat_size)
3869 png_warning(png_ptr, "Extra compressed data");
3870
3871 png_ptr->mode |= PNG_AFTER_IDAT;
3872 png_ptr->flags |= PNG_FLAG_ZLIB_FINISHED;
3873 break;
3874 }
3875
3876 if (ret != Z_OK)
3877 png_error(png_ptr, png_ptr->zstream.msg ? png_ptr->zstream.msg :
3878 "Decompression Error");
3879
3880 if (!(png_ptr->zstream.avail_out))
3881 {
3882 png_warning(png_ptr, "Extra compressed data");
3883 png_ptr->mode |= PNG_AFTER_IDAT;
3884 png_ptr->flags |= PNG_FLAG_ZLIB_FINISHED;
3885 break;
3886 }
3887
3888 }
3889 png_ptr->zstream.avail_out = 0;
3890 }
3891
3892 if (png_ptr->idat_size || png_ptr->zstream.avail_in)
3893 png_warning(png_ptr, "Extra compression data");
3894
3895#if 1
3896 inflateReset(&png_ptr->zstream);
3897#else
3898 execut_hook("inflateReset", &png_ptr->zstream NULL, NULL, NULL, NULL, NULL );
3899#endif
3900 png_ptr->mode |= PNG_AFTER_IDAT;
3901}
3902#endif /* PNG_SEQUENTIAL_READ_SUPPORTED */
3903
3904void /* PRIVATE */
3905png_read_start_row(png_structp png_ptr)
3906{
3907#ifdef PNG_READ_INTERLACING_SUPPORTED
3908 /* Arrays to facilitate easy interlacing - use pass (0 - 6) as index */
3909
3910 /* Start of interlace block */
3911 static PNG_CONST png_byte png_pass_start[7] = {0, 4, 0, 2, 0, 1, 0};
3912
3913 /* Offset to next interlace block */
3914 static PNG_CONST png_byte png_pass_inc[7] = {8, 8, 4, 4, 2, 2, 1};
3915
3916 /* Start of interlace block in the y direction */
3917 static PNG_CONST png_byte png_pass_ystart[7] = {0, 0, 4, 0, 2, 0, 1};
3918
3919 /* Offset to next interlace block in the y direction */
3920 static PNG_CONST png_byte png_pass_yinc[7] = {8, 8, 8, 4, 4, 2, 2};
3921#endif
3922
3923 int max_pixel_depth;
3924 png_size_t row_bytes;
3925
3926 png_debug(1, "in png_read_start_row");
3927 png_ptr->zstream.avail_in = 0;
3928#ifdef PNG_READ_TRANSFORMS_SUPPORTED
3929 png_init_read_transformations(png_ptr);
3930#endif
3931#ifdef PNG_READ_INTERLACING_SUPPORTED
3932 if (png_ptr->interlaced)
3933 {
3934 if (!(png_ptr->transformations & PNG_INTERLACE))
3935 png_ptr->num_rows = (png_ptr->height + png_pass_yinc[0] - 1 -
3936 png_pass_ystart[0]) / png_pass_yinc[0];
3937
3938 else
3939 png_ptr->num_rows = png_ptr->height;
3940
3941 png_ptr->iwidth = (png_ptr->width +
3942 png_pass_inc[png_ptr->pass] - 1 -
3943 png_pass_start[png_ptr->pass]) /
3944 png_pass_inc[png_ptr->pass];
3945 }
3946
3947 else
3948#endif /* PNG_READ_INTERLACING_SUPPORTED */
3949 {
3950 png_ptr->num_rows = png_ptr->height;
3951 png_ptr->iwidth = png_ptr->width;
3952 }
3953
3954 max_pixel_depth = png_ptr->pixel_depth;
3955
3956 /* WARNING: * png_read_transform_info (pngrtran.c) performs a simpliar set of
3957 * calculations to calculate the final pixel depth, then
3958 * png_do_read_transforms actually does the transforms. This means that the
3959 * code which effectively calculates this value is actually repeated in three
3960 * separate places. They must all match. Innocent changes to the order of
3961 * transformations can and will break libpng in a way that causes memory
3962 * overwrites.
3963 *
3964 * TODO: fix this.
3965 */
3966#ifdef PNG_READ_PACK_SUPPORTED
3967 if ((png_ptr->transformations & PNG_PACK) && png_ptr->bit_depth < 8)
3968 max_pixel_depth = 8;
3969#endif
3970
3971#ifdef PNG_READ_EXPAND_SUPPORTED
3972 if (png_ptr->transformations & PNG_EXPAND)
3973 {
3974 if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
3975 {
3976 if (png_ptr->num_trans)
3977 max_pixel_depth = 32;
3978
3979 else
3980 max_pixel_depth = 24;
3981 }
3982
3983 else if (png_ptr->color_type == PNG_COLOR_TYPE_GRAY)
3984 {
3985 if (max_pixel_depth < 8)
3986 max_pixel_depth = 8;
3987
3988 if (png_ptr->num_trans)
3989 max_pixel_depth *= 2;
3990 }
3991
3992 else if (png_ptr->color_type == PNG_COLOR_TYPE_RGB)
3993 {
3994 if (png_ptr->num_trans)
3995 {
3996 max_pixel_depth *= 4;
3997 max_pixel_depth /= 3;
3998 }
3999 }
4000 }
4001#endif
4002
4003#ifdef PNG_READ_EXPAND_16_SUPPORTED
4004 if (png_ptr->transformations & PNG_EXPAND_16)
4005 {
4006# ifdef PNG_READ_EXPAND_SUPPORTED
4007 /* In fact it is an error if it isn't supported, but checking is
4008 * the safe way.
4009 */
4010 if (png_ptr->transformations & PNG_EXPAND)
4011 {
4012 if (png_ptr->bit_depth < 16)
4013 max_pixel_depth *= 2;
4014 }
4015 else
4016# endif
4017 png_ptr->transformations &= ~PNG_EXPAND_16;
4018 }
4019#endif
4020
4021#ifdef PNG_READ_FILLER_SUPPORTED
4022 if (png_ptr->transformations & (PNG_FILLER))
4023 {
4024 if (png_ptr->color_type == PNG_COLOR_TYPE_GRAY)
4025 {
4026 if (max_pixel_depth <= 8)
4027 max_pixel_depth = 16;
4028
4029 else
4030 max_pixel_depth = 32;
4031 }
4032
4033 else if (png_ptr->color_type == PNG_COLOR_TYPE_RGB ||
4034 png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
4035 {
4036 if (max_pixel_depth <= 32)
4037 max_pixel_depth = 32;
4038
4039 else
4040 max_pixel_depth = 64;
4041 }
4042 }
4043#endif
4044
4045#ifdef PNG_READ_GRAY_TO_RGB_SUPPORTED
4046 if (png_ptr->transformations & PNG_GRAY_TO_RGB)
4047 {
4048 if (
4049#ifdef PNG_READ_EXPAND_SUPPORTED
4050 (png_ptr->num_trans && (png_ptr->transformations & PNG_EXPAND)) ||
4051#endif
4052#ifdef PNG_READ_FILLER_SUPPORTED
4053 (png_ptr->transformations & (PNG_FILLER)) ||
4054#endif
4055 png_ptr->color_type == PNG_COLOR_TYPE_GRAY_ALPHA)
4056 {
4057 if (max_pixel_depth <= 16)
4058 max_pixel_depth = 32;
4059
4060 else
4061 max_pixel_depth = 64;
4062 }
4063
4064 else
4065 {
4066 if (max_pixel_depth <= 8)
4067 {
4068 if (png_ptr->color_type == PNG_COLOR_TYPE_RGB_ALPHA)
4069 max_pixel_depth = 32;
4070
4071 else
4072 max_pixel_depth = 24;
4073 }
4074
4075 else if (png_ptr->color_type == PNG_COLOR_TYPE_RGB_ALPHA)
4076 max_pixel_depth = 64;
4077
4078 else
4079 max_pixel_depth = 48;
4080 }
4081 }
4082#endif
4083
4084#if defined(PNG_READ_USER_TRANSFORM_SUPPORTED) && \
4085defined(PNG_USER_TRANSFORM_PTR_SUPPORTED)
4086 if (png_ptr->transformations & PNG_USER_TRANSFORM)
4087 {
4088 int user_pixel_depth = png_ptr->user_transform_depth *
4089 png_ptr->user_transform_channels;
4090
4091 if (user_pixel_depth > max_pixel_depth)
4092 max_pixel_depth = user_pixel_depth;
4093 }
4094#endif
4095
4096 /* This value is stored in png_struct and double checked in the row read
4097 * code.
4098 */
4099 png_ptr->maximum_pixel_depth = (png_byte)max_pixel_depth;
4100 png_ptr->transformed_pixel_depth = 0; /* calculated on demand */
4101
4102 /* Align the width on the next larger 8 pixels. Mainly used
4103 * for interlacing
4104 */
4105 row_bytes = ((png_ptr->width + 7) & ~((png_uint_32)7));
4106 /* Calculate the maximum bytes needed, adding a byte and a pixel
4107 * for safety's sake
4108 */
4109 row_bytes = PNG_ROWBYTES(max_pixel_depth, row_bytes) +
4110 1 + ((max_pixel_depth + 7) >> 3);
4111
4112#ifdef PNG_MAX_MALLOC_64K
4113 if (row_bytes > (png_uint_32)65536L)
4114 png_error(png_ptr, "This image requires a row greater than 64KB");
4115#endif
4116
4117 if (row_bytes + 48 > png_ptr->old_big_row_buf_size)
4118 {
4119 png_free(png_ptr, png_ptr->big_row_buf);
4120 png_free(png_ptr, png_ptr->big_prev_row);
4121
4122 if (png_ptr->interlaced)
4123 png_ptr->big_row_buf = (png_bytep)png_calloc(png_ptr,
4124 row_bytes + 48);
4125
4126 else
4127 png_ptr->big_row_buf = (png_bytep)png_malloc(png_ptr, row_bytes + 48);
4128
4129 png_ptr->big_prev_row = (png_bytep)png_malloc(png_ptr, row_bytes + 48);
4130
4131#ifdef PNG_ALIGNED_MEMORY_SUPPORTED
4132 /* Use 16-byte aligned memory for row_buf with at least 16 bytes
4133 * of padding before and after row_buf; treat prev_row similarly.
4134 * NOTE: the alignment is to the start of the pixels, one beyond the start
4135 * of the buffer, because of the filter byte. Prior to libpng 1.5.6 this
4136 * was incorrect; the filter byte was aligned, which had the exact
4137 * opposite effect of that intended.
4138 */
4139 {
4140 png_bytep temp = png_ptr->big_row_buf + 32;
4141 int extra = (int)((temp - (png_bytep)0) & 0x0f);
4142 png_ptr->row_buf = temp - extra - 1/*filter byte*/;
4143
4144 temp = png_ptr->big_prev_row + 32;
4145 extra = (int)((temp - (png_bytep)0) & 0x0f);
4146 png_ptr->prev_row = temp - extra - 1/*filter byte*/;
4147 }
4148
4149#else
4150 /* Use 31 bytes of padding before and 17 bytes after row_buf. */
4151 png_ptr->row_buf = png_ptr->big_row_buf + 31;
4152 png_ptr->prev_row = png_ptr->big_prev_row + 31;
4153#endif
4154 png_ptr->old_big_row_buf_size = row_bytes + 48;
4155 }
4156
4157#ifdef PNG_MAX_MALLOC_64K
4158 if (png_ptr->rowbytes > 65535)
4159 png_error(png_ptr, "This image requires a row greater than 64KB");
4160
4161#endif
4162 if (png_ptr->rowbytes > (PNG_SIZE_MAX - 1))
4163 png_error(png_ptr, "Row has too many bytes to allocate in memory");
4164
4165 png_memset(png_ptr->prev_row, 0, png_ptr->rowbytes + 1);
4166
4167 png_debug1(3, "width = %u,", png_ptr->width);
4168 png_debug1(3, "height = %u,", png_ptr->height);
4169 png_debug1(3, "iwidth = %u,", png_ptr->iwidth);
4170 png_debug1(3, "num_rows = %u,", png_ptr->num_rows);
4171 png_debug1(3, "rowbytes = %lu,", (unsigned long)png_ptr->rowbytes);
4172 png_debug1(3, "irowbytes = %lu",
4173 (unsigned long)PNG_ROWBYTES(png_ptr->pixel_depth, png_ptr->iwidth) + 1);
4174
4175 png_ptr->flags |= PNG_FLAG_ROW_INIT;
4176}
4177#endif /* PNG_READ_SUPPORTED */
4178

Archive Download this file

Revision: 2182