ReactOS 0.4.15-dev-6056-gb29b268
pngrutil.c
Go to the documentation of this file.
1
2/* pngrutil.c - utilities to read a PNG file
3 *
4 * Copyright (c) 2018-2022 Cosmin Truta
5 * Copyright (c) 1998-2002,2004,2006-2018 Glenn Randers-Pehrson
6 * Copyright (c) 1996-1997 Andreas Dilger
7 * Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc.
8 *
9 * This code is released under the libpng license.
10 * For conditions of distribution and use, see the disclaimer
11 * and license in png.h
12 *
13 * This file contains routines that are only called from within
14 * libpng itself during the course of reading an image.
15 */
16
17#include "pngpriv.h"
18
19#ifdef PNG_READ_SUPPORTED
20
21png_uint_32 PNGAPI
22png_get_uint_31(png_const_structrp png_ptr, png_const_bytep buf)
23{
24 png_uint_32 uval = png_get_uint_32(buf);
25
26 if (uval > PNG_UINT_31_MAX)
27 png_error(png_ptr, "PNG unsigned integer out of range");
28
29 return (uval);
30}
31
32#if defined(PNG_READ_gAMA_SUPPORTED) || defined(PNG_READ_cHRM_SUPPORTED)
33/* The following is a variation on the above for use with the fixed
34 * point values used for gAMA and cHRM. Instead of png_error it
35 * issues a warning and returns (-1) - an invalid value because both
36 * gAMA and cHRM use *unsigned* integers for fixed point values.
37 */
38#define PNG_FIXED_ERROR (-1)
39
40static png_fixed_point /* PRIVATE */
41png_get_fixed_point(png_structrp png_ptr, png_const_bytep buf)
42{
43 png_uint_32 uval = png_get_uint_32(buf);
44
45 if (uval <= PNG_UINT_31_MAX)
46 return (png_fixed_point)uval; /* known to be in range */
47
48 /* The caller can turn off the warning by passing NULL. */
49 if (png_ptr != NULL)
50 png_warning(png_ptr, "PNG fixed point integer out of range");
51
52 return PNG_FIXED_ERROR;
53}
54#endif
55
56#ifdef PNG_READ_INT_FUNCTIONS_SUPPORTED
57/* NOTE: the read macros will obscure these definitions, so that if
58 * PNG_USE_READ_MACROS is set the library will not use them internally,
59 * but the APIs will still be available externally.
60 *
61 * The parentheses around "PNGAPI function_name" in the following three
62 * functions are necessary because they allow the macros to co-exist with
63 * these (unused but exported) functions.
64 */
65
66/* Grab an unsigned 32-bit integer from a buffer in big-endian format. */
67png_uint_32 (PNGAPI
68png_get_uint_32)(png_const_bytep buf)
69{
70 png_uint_32 uval =
71 ((png_uint_32)(*(buf )) << 24) +
72 ((png_uint_32)(*(buf + 1)) << 16) +
73 ((png_uint_32)(*(buf + 2)) << 8) +
74 ((png_uint_32)(*(buf + 3)) ) ;
75
76 return uval;
77}
78
79/* Grab a signed 32-bit integer from a buffer in big-endian format. The
80 * data is stored in the PNG file in two's complement format and there
81 * is no guarantee that a 'png_int_32' is exactly 32 bits, therefore
82 * the following code does a two's complement to native conversion.
83 */
84png_int_32 (PNGAPI
85png_get_int_32)(png_const_bytep buf)
86{
87 png_uint_32 uval = png_get_uint_32(buf);
88 if ((uval & 0x80000000) == 0) /* non-negative */
89 return (png_int_32)uval;
90
91 uval = (uval ^ 0xffffffff) + 1; /* 2's complement: -x = ~x+1 */
92 if ((uval & 0x80000000) == 0) /* no overflow */
93 return -(png_int_32)uval;
94 /* The following has to be safe; this function only gets called on PNG data
95 * and if we get here that data is invalid. 0 is the most safe value and
96 * if not then an attacker would surely just generate a PNG with 0 instead.
97 */
98 return 0;
99}
100
101/* Grab an unsigned 16-bit integer from a buffer in big-endian format. */
102png_uint_16 (PNGAPI
103png_get_uint_16)(png_const_bytep buf)
104{
105 /* ANSI-C requires an int value to accommodate at least 16 bits so this
106 * works and allows the compiler not to worry about possible narrowing
107 * on 32-bit systems. (Pre-ANSI systems did not make integers smaller
108 * than 16 bits either.)
109 */
110 unsigned int val =
111 ((unsigned int)(*buf) << 8) +
112 ((unsigned int)(*(buf + 1)));
113
114 return (png_uint_16)val;
115}
116
117#endif /* READ_INT_FUNCTIONS */
118
119/* Read and check the PNG file signature */
120void /* PRIVATE */
121png_read_sig(png_structrp png_ptr, png_inforp info_ptr)
122{
123 size_t num_checked, num_to_check;
124
125 /* Exit if the user application does not expect a signature. */
126 if (png_ptr->sig_bytes >= 8)
127 return;
128
129 num_checked = png_ptr->sig_bytes;
130 num_to_check = 8 - num_checked;
131
132#ifdef PNG_IO_STATE_SUPPORTED
133 png_ptr->io_state = PNG_IO_READING | PNG_IO_SIGNATURE;
134#endif
135
136 /* The signature must be serialized in a single I/O call. */
137 png_read_data(png_ptr, &(info_ptr->signature[num_checked]), num_to_check);
138 png_ptr->sig_bytes = 8;
139
140 if (png_sig_cmp(info_ptr->signature, num_checked, num_to_check) != 0)
141 {
142 if (num_checked < 4 &&
143 png_sig_cmp(info_ptr->signature, num_checked, num_to_check - 4))
144 png_error(png_ptr, "Not a PNG file");
145 else
146 png_error(png_ptr, "PNG file corrupted by ASCII conversion");
147 }
148 if (num_checked < 3)
149 png_ptr->mode |= PNG_HAVE_PNG_SIGNATURE;
150}
151
152/* Read the chunk header (length + type name).
153 * Put the type name into png_ptr->chunk_name, and return the length.
154 */
155png_uint_32 /* PRIVATE */
156png_read_chunk_header(png_structrp png_ptr)
157{
158 png_byte buf[8];
159 png_uint_32 length;
160
161#ifdef PNG_IO_STATE_SUPPORTED
162 png_ptr->io_state = PNG_IO_READING | PNG_IO_CHUNK_HDR;
163#endif
164
165 /* Read the length and the chunk name.
166 * This must be performed in a single I/O call.
167 */
168 png_read_data(png_ptr, buf, 8);
169 length = png_get_uint_31(png_ptr, buf);
170
171 /* Put the chunk name into png_ptr->chunk_name. */
172 png_ptr->chunk_name = PNG_CHUNK_FROM_STRING(buf+4);
173
174 png_debug2(0, "Reading %lx chunk, length = %lu",
175 (unsigned long)png_ptr->chunk_name, (unsigned long)length);
176
177 /* Reset the crc and run it over the chunk name. */
178 png_reset_crc(png_ptr);
179 png_calculate_crc(png_ptr, buf + 4, 4);
180
181 /* Check to see if chunk name is valid. */
182 png_check_chunk_name(png_ptr, png_ptr->chunk_name);
183
184 /* Check for too-large chunk length */
185 png_check_chunk_length(png_ptr, length);
186
187#ifdef PNG_IO_STATE_SUPPORTED
188 png_ptr->io_state = PNG_IO_READING | PNG_IO_CHUNK_DATA;
189#endif
190
191 return length;
192}
193
194/* Read data, and (optionally) run it through the CRC. */
195void /* PRIVATE */
196png_crc_read(png_structrp png_ptr, png_bytep buf, png_uint_32 length)
197{
198 if (png_ptr == NULL)
199 return;
200
201 png_read_data(png_ptr, buf, length);
202 png_calculate_crc(png_ptr, buf, length);
203}
204
205/* Optionally skip data and then check the CRC. Depending on whether we
206 * are reading an ancillary or critical chunk, and how the program has set
207 * things up, we may calculate the CRC on the data and print a message.
208 * Returns '1' if there was a CRC error, '0' otherwise.
209 */
210int /* PRIVATE */
211png_crc_finish(png_structrp png_ptr, png_uint_32 skip)
212{
213 /* The size of the local buffer for inflate is a good guess as to a
214 * reasonable size to use for buffering reads from the application.
215 */
216 while (skip > 0)
217 {
218 png_uint_32 len;
219 png_byte tmpbuf[PNG_INFLATE_BUF_SIZE];
220
221 len = (sizeof tmpbuf);
222 if (len > skip)
223 len = skip;
224 skip -= len;
225
226 png_crc_read(png_ptr, tmpbuf, len);
227 }
228
229 if (png_crc_error(png_ptr) != 0)
230 {
231 if (PNG_CHUNK_ANCILLARY(png_ptr->chunk_name) != 0 ?
232 (png_ptr->flags & PNG_FLAG_CRC_ANCILLARY_NOWARN) == 0 :
233 (png_ptr->flags & PNG_FLAG_CRC_CRITICAL_USE) != 0)
234 {
235 png_chunk_warning(png_ptr, "CRC error");
236 }
237
238 else
239 png_chunk_error(png_ptr, "CRC error");
240
241 return (1);
242 }
243
244 return (0);
245}
246
247/* Compare the CRC stored in the PNG file with that calculated by libpng from
248 * the data it has read thus far.
249 */
250int /* PRIVATE */
251png_crc_error(png_structrp png_ptr)
252{
253 png_byte crc_bytes[4];
254 png_uint_32 crc;
255 int need_crc = 1;
256
257 if (PNG_CHUNK_ANCILLARY(png_ptr->chunk_name) != 0)
258 {
259 if ((png_ptr->flags & PNG_FLAG_CRC_ANCILLARY_MASK) ==
260 (PNG_FLAG_CRC_ANCILLARY_USE | PNG_FLAG_CRC_ANCILLARY_NOWARN))
261 need_crc = 0;
262 }
263
264 else /* critical */
265 {
266 if ((png_ptr->flags & PNG_FLAG_CRC_CRITICAL_IGNORE) != 0)
267 need_crc = 0;
268 }
269
270#ifdef PNG_IO_STATE_SUPPORTED
271 png_ptr->io_state = PNG_IO_READING | PNG_IO_CHUNK_CRC;
272#endif
273
274 /* The chunk CRC must be serialized in a single I/O call. */
275 png_read_data(png_ptr, crc_bytes, 4);
276
277 if (need_crc != 0)
278 {
279 crc = png_get_uint_32(crc_bytes);
280 return ((int)(crc != png_ptr->crc));
281 }
282
283 else
284 return (0);
285}
286
287#if defined(PNG_READ_iCCP_SUPPORTED) || defined(PNG_READ_iTXt_SUPPORTED) ||\
288 defined(PNG_READ_pCAL_SUPPORTED) || defined(PNG_READ_sCAL_SUPPORTED) ||\
289 defined(PNG_READ_sPLT_SUPPORTED) || defined(PNG_READ_tEXt_SUPPORTED) ||\
290 defined(PNG_READ_zTXt_SUPPORTED) || defined(PNG_SEQUENTIAL_READ_SUPPORTED)
291/* Manage the read buffer; this simply reallocates the buffer if it is not small
292 * enough (or if it is not allocated). The routine returns a pointer to the
293 * buffer; if an error occurs and 'warn' is set the routine returns NULL, else
294 * it will call png_error (via png_malloc) on failure. (warn == 2 means
295 * 'silent').
296 */
297static png_bytep
298png_read_buffer(png_structrp png_ptr, png_alloc_size_t new_size, int warn)
299{
300 png_bytep buffer = png_ptr->read_buffer;
301
302 if (buffer != NULL && new_size > png_ptr->read_buffer_size)
303 {
304 png_ptr->read_buffer = NULL;
305 png_ptr->read_buffer_size = 0;
306 png_free(png_ptr, buffer);
307 buffer = NULL;
308 }
309
310 if (buffer == NULL)
311 {
312 buffer = png_voidcast(png_bytep, png_malloc_base(png_ptr, new_size));
313
314 if (buffer != NULL)
315 {
316 memset(buffer, 0, new_size); /* just in case */
317 png_ptr->read_buffer = buffer;
318 png_ptr->read_buffer_size = new_size;
319 }
320
321 else if (warn < 2) /* else silent */
322 {
323 if (warn != 0)
324 png_chunk_warning(png_ptr, "insufficient memory to read chunk");
325
326 else
327 png_chunk_error(png_ptr, "insufficient memory to read chunk");
328 }
329 }
330
331 return buffer;
332}
333#endif /* READ_iCCP|iTXt|pCAL|sCAL|sPLT|tEXt|zTXt|SEQUENTIAL_READ */
334
335/* png_inflate_claim: claim the zstream for some nefarious purpose that involves
336 * decompression. Returns Z_OK on success, else a zlib error code. It checks
337 * the owner but, in final release builds, just issues a warning if some other
338 * chunk apparently owns the stream. Prior to release it does a png_error.
339 */
340static int
341png_inflate_claim(png_structrp png_ptr, png_uint_32 owner)
342{
343 if (png_ptr->zowner != 0)
344 {
345 char msg[64];
346
347 PNG_STRING_FROM_CHUNK(msg, png_ptr->zowner);
348 /* So the message that results is "<chunk> using zstream"; this is an
349 * internal error, but is very useful for debugging. i18n requirements
350 * are minimal.
351 */
352 (void)png_safecat(msg, (sizeof msg), 4, " using zstream");
353#if PNG_RELEASE_BUILD
354 png_chunk_warning(png_ptr, msg);
355 png_ptr->zowner = 0;
356#else
357 png_chunk_error(png_ptr, msg);
358#endif
359 }
360
361 /* Implementation note: unlike 'png_deflate_claim' this internal function
362 * does not take the size of the data as an argument. Some efficiency could
363 * be gained by using this when it is known *if* the zlib stream itself does
364 * not record the number; however, this is an illusion: the original writer
365 * of the PNG may have selected a lower window size, and we really must
366 * follow that because, for systems with with limited capabilities, we
367 * would otherwise reject the application's attempts to use a smaller window
368 * size (zlib doesn't have an interface to say "this or lower"!).
369 *
370 * inflateReset2 was added to zlib 1.2.4; before this the window could not be
371 * reset, therefore it is necessary to always allocate the maximum window
372 * size with earlier zlibs just in case later compressed chunks need it.
373 */
374 {
375 int ret; /* zlib return code */
376#if ZLIB_VERNUM >= 0x1240
377 int window_bits = 0;
378
379# if defined(PNG_SET_OPTION_SUPPORTED) && defined(PNG_MAXIMUM_INFLATE_WINDOW)
380 if (((png_ptr->options >> PNG_MAXIMUM_INFLATE_WINDOW) & 3) ==
381 PNG_OPTION_ON)
382 {
383 window_bits = 15;
384 png_ptr->zstream_start = 0; /* fixed window size */
385 }
386
387 else
388 {
389 png_ptr->zstream_start = 1;
390 }
391# endif
392
393#endif /* ZLIB_VERNUM >= 0x1240 */
394
395 /* Set this for safety, just in case the previous owner left pointers to
396 * memory allocations.
397 */
398 png_ptr->zstream.next_in = NULL;
399 png_ptr->zstream.avail_in = 0;
400 png_ptr->zstream.next_out = NULL;
401 png_ptr->zstream.avail_out = 0;
402
403 if ((png_ptr->flags & PNG_FLAG_ZSTREAM_INITIALIZED) != 0)
404 {
405#if ZLIB_VERNUM >= 0x1240
406 ret = inflateReset2(&png_ptr->zstream, window_bits);
407#else
408 ret = inflateReset(&png_ptr->zstream);
409#endif
410 }
411
412 else
413 {
414#if ZLIB_VERNUM >= 0x1240
415 ret = inflateInit2(&png_ptr->zstream, window_bits);
416#else
417 ret = inflateInit(&png_ptr->zstream);
418#endif
419
420 if (ret == Z_OK)
421 png_ptr->flags |= PNG_FLAG_ZSTREAM_INITIALIZED;
422 }
423
424#if ZLIB_VERNUM >= 0x1290 && \
425 defined(PNG_SET_OPTION_SUPPORTED) && defined(PNG_IGNORE_ADLER32)
426 if (((png_ptr->options >> PNG_IGNORE_ADLER32) & 3) == PNG_OPTION_ON)
427 /* Turn off validation of the ADLER32 checksum in IDAT chunks */
428 ret = inflateValidate(&png_ptr->zstream, 0);
429#endif
430
431 if (ret == Z_OK)
432 png_ptr->zowner = owner;
433
434 else
435 png_zstream_error(png_ptr, ret);
436
437 return ret;
438 }
439
440#ifdef window_bits
441# undef window_bits
442#endif
443}
444
445#if ZLIB_VERNUM >= 0x1240
446/* Handle the start of the inflate stream if we called inflateInit2(strm,0);
447 * in this case some zlib versions skip validation of the CINFO field and, in
448 * certain circumstances, libpng may end up displaying an invalid image, in
449 * contrast to implementations that call zlib in the normal way (e.g. libpng
450 * 1.5).
451 */
452int /* PRIVATE */
453png_zlib_inflate(png_structrp png_ptr, int flush)
454{
455 if (png_ptr->zstream_start && png_ptr->zstream.avail_in > 0)
456 {
457 if ((*png_ptr->zstream.next_in >> 4) > 7)
458 {
459 png_ptr->zstream.msg = "invalid window size (libpng)";
460 return Z_DATA_ERROR;
461 }
462
463 png_ptr->zstream_start = 0;
464 }
465
466 return inflate(&png_ptr->zstream, flush);
467}
468#endif /* Zlib >= 1.2.4 */
469
470#ifdef PNG_READ_COMPRESSED_TEXT_SUPPORTED
471#if defined(PNG_READ_zTXt_SUPPORTED) || defined (PNG_READ_iTXt_SUPPORTED)
472/* png_inflate now returns zlib error codes including Z_OK and Z_STREAM_END to
473 * allow the caller to do multiple calls if required. If the 'finish' flag is
474 * set Z_FINISH will be passed to the final inflate() call and Z_STREAM_END must
475 * be returned or there has been a problem, otherwise Z_SYNC_FLUSH is used and
476 * Z_OK or Z_STREAM_END will be returned on success.
477 *
478 * The input and output sizes are updated to the actual amounts of data consumed
479 * or written, not the amount available (as in a z_stream). The data pointers
480 * are not changed, so the next input is (data+input_size) and the next
481 * available output is (output+output_size).
482 */
483static int
484png_inflate(png_structrp png_ptr, png_uint_32 owner, int finish,
485 /* INPUT: */ png_const_bytep input, png_uint_32p input_size_ptr,
486 /* OUTPUT: */ png_bytep output, png_alloc_size_t *output_size_ptr)
487{
488 if (png_ptr->zowner == owner) /* Else not claimed */
489 {
490 int ret;
491 png_alloc_size_t avail_out = *output_size_ptr;
492 png_uint_32 avail_in = *input_size_ptr;
493
494 /* zlib can't necessarily handle more than 65535 bytes at once (i.e. it
495 * can't even necessarily handle 65536 bytes) because the type uInt is
496 * "16 bits or more". Consequently it is necessary to chunk the input to
497 * zlib. This code uses ZLIB_IO_MAX, from pngpriv.h, as the maximum (the
498 * maximum value that can be stored in a uInt.) It is possible to set
499 * ZLIB_IO_MAX to a lower value in pngpriv.h and this may sometimes have
500 * a performance advantage, because it reduces the amount of data accessed
501 * at each step and that may give the OS more time to page it in.
502 */
503 png_ptr->zstream.next_in = PNGZ_INPUT_CAST(input);
504 /* avail_in and avail_out are set below from 'size' */
505 png_ptr->zstream.avail_in = 0;
506 png_ptr->zstream.avail_out = 0;
507
508 /* Read directly into the output if it is available (this is set to
509 * a local buffer below if output is NULL).
510 */
511 if (output != NULL)
512 png_ptr->zstream.next_out = output;
513
514 do
515 {
516 uInt avail;
517 Byte local_buffer[PNG_INFLATE_BUF_SIZE];
518
519 /* zlib INPUT BUFFER */
520 /* The setting of 'avail_in' used to be outside the loop; by setting it
521 * inside it is possible to chunk the input to zlib and simply rely on
522 * zlib to advance the 'next_in' pointer. This allows arbitrary
523 * amounts of data to be passed through zlib at the unavoidable cost of
524 * requiring a window save (memcpy of up to 32768 output bytes)
525 * every ZLIB_IO_MAX input bytes.
526 */
527 avail_in += png_ptr->zstream.avail_in; /* not consumed last time */
528
529 avail = ZLIB_IO_MAX;
530
531 if (avail_in < avail)
532 avail = (uInt)avail_in; /* safe: < than ZLIB_IO_MAX */
533
534 avail_in -= avail;
535 png_ptr->zstream.avail_in = avail;
536
537 /* zlib OUTPUT BUFFER */
538 avail_out += png_ptr->zstream.avail_out; /* not written last time */
539
540 avail = ZLIB_IO_MAX; /* maximum zlib can process */
541
542 if (output == NULL)
543 {
544 /* Reset the output buffer each time round if output is NULL and
545 * make available the full buffer, up to 'remaining_space'
546 */
547 png_ptr->zstream.next_out = local_buffer;
548 if ((sizeof local_buffer) < avail)
549 avail = (sizeof local_buffer);
550 }
551
552 if (avail_out < avail)
553 avail = (uInt)avail_out; /* safe: < ZLIB_IO_MAX */
554
555 png_ptr->zstream.avail_out = avail;
556 avail_out -= avail;
557
558 /* zlib inflate call */
559 /* In fact 'avail_out' may be 0 at this point, that happens at the end
560 * of the read when the final LZ end code was not passed at the end of
561 * the previous chunk of input data. Tell zlib if we have reached the
562 * end of the output buffer.
563 */
564 ret = PNG_INFLATE(png_ptr, avail_out > 0 ? Z_NO_FLUSH :
565 (finish ? Z_FINISH : Z_SYNC_FLUSH));
566 } while (ret == Z_OK);
567
568 /* For safety kill the local buffer pointer now */
569 if (output == NULL)
570 png_ptr->zstream.next_out = NULL;
571
572 /* Claw back the 'size' and 'remaining_space' byte counts. */
573 avail_in += png_ptr->zstream.avail_in;
574 avail_out += png_ptr->zstream.avail_out;
575
576 /* Update the input and output sizes; the updated values are the amount
577 * consumed or written, effectively the inverse of what zlib uses.
578 */
579 if (avail_out > 0)
580 *output_size_ptr -= avail_out;
581
582 if (avail_in > 0)
583 *input_size_ptr -= avail_in;
584
585 /* Ensure png_ptr->zstream.msg is set (even in the success case!) */
586 png_zstream_error(png_ptr, ret);
587 return ret;
588 }
589
590 else
591 {
592 /* This is a bad internal error. The recovery assigns to the zstream msg
593 * pointer, which is not owned by the caller, but this is safe; it's only
594 * used on errors!
595 */
596 png_ptr->zstream.msg = PNGZ_MSG_CAST("zstream unclaimed");
597 return Z_STREAM_ERROR;
598 }
599}
600
601/*
602 * Decompress trailing data in a chunk. The assumption is that read_buffer
603 * points at an allocated area holding the contents of a chunk with a
604 * trailing compressed part. What we get back is an allocated area
605 * holding the original prefix part and an uncompressed version of the
606 * trailing part (the malloc area passed in is freed).
607 */
608static int
609png_decompress_chunk(png_structrp png_ptr,
610 png_uint_32 chunklength, png_uint_32 prefix_size,
611 png_alloc_size_t *newlength /* must be initialized to the maximum! */,
612 int terminate /*add a '\0' to the end of the uncompressed data*/)
613{
614 /* TODO: implement different limits for different types of chunk.
615 *
616 * The caller supplies *newlength set to the maximum length of the
617 * uncompressed data, but this routine allocates space for the prefix and
618 * maybe a '\0' terminator too. We have to assume that 'prefix_size' is
619 * limited only by the maximum chunk size.
620 */
621 png_alloc_size_t limit = PNG_SIZE_MAX;
622
623# ifdef PNG_SET_USER_LIMITS_SUPPORTED
624 if (png_ptr->user_chunk_malloc_max > 0 &&
625 png_ptr->user_chunk_malloc_max < limit)
626 limit = png_ptr->user_chunk_malloc_max;
627# elif PNG_USER_CHUNK_MALLOC_MAX > 0
628 if (PNG_USER_CHUNK_MALLOC_MAX < limit)
629 limit = PNG_USER_CHUNK_MALLOC_MAX;
630# endif
631
632 if (limit >= prefix_size + (terminate != 0))
633 {
634 int ret;
635
636 limit -= prefix_size + (terminate != 0);
637
638 if (limit < *newlength)
639 *newlength = limit;
640
641 /* Now try to claim the stream. */
642 ret = png_inflate_claim(png_ptr, png_ptr->chunk_name);
643
644 if (ret == Z_OK)
645 {
646 png_uint_32 lzsize = chunklength - prefix_size;
647
648 ret = png_inflate(png_ptr, png_ptr->chunk_name, 1/*finish*/,
649 /* input: */ png_ptr->read_buffer + prefix_size, &lzsize,
650 /* output: */ NULL, newlength);
651
652 if (ret == Z_STREAM_END)
653 {
654 /* Use 'inflateReset' here, not 'inflateReset2' because this
655 * preserves the previously decided window size (otherwise it would
656 * be necessary to store the previous window size.) In practice
657 * this doesn't matter anyway, because png_inflate will call inflate
658 * with Z_FINISH in almost all cases, so the window will not be
659 * maintained.
660 */
661 if (inflateReset(&png_ptr->zstream) == Z_OK)
662 {
663 /* Because of the limit checks above we know that the new,
664 * expanded, size will fit in a size_t (let alone an
665 * png_alloc_size_t). Use png_malloc_base here to avoid an
666 * extra OOM message.
667 */
668 png_alloc_size_t new_size = *newlength;
669 png_alloc_size_t buffer_size = prefix_size + new_size +
670 (terminate != 0);
671 png_bytep text = png_voidcast(png_bytep, png_malloc_base(png_ptr,
672 buffer_size));
673
674 if (text != NULL)
675 {
676 memset(text, 0, buffer_size);
677
678 ret = png_inflate(png_ptr, png_ptr->chunk_name, 1/*finish*/,
679 png_ptr->read_buffer + prefix_size, &lzsize,
680 text + prefix_size, newlength);
681
682 if (ret == Z_STREAM_END)
683 {
684 if (new_size == *newlength)
685 {
686 if (terminate != 0)
687 text[prefix_size + *newlength] = 0;
688
689 if (prefix_size > 0)
690 memcpy(text, png_ptr->read_buffer, prefix_size);
691
692 {
693 png_bytep old_ptr = png_ptr->read_buffer;
694
695 png_ptr->read_buffer = text;
696 png_ptr->read_buffer_size = buffer_size;
697 text = old_ptr; /* freed below */
698 }
699 }
700
701 else
702 {
703 /* The size changed on the second read, there can be no
704 * guarantee that anything is correct at this point.
705 * The 'msg' pointer has been set to "unexpected end of
706 * LZ stream", which is fine, but return an error code
707 * that the caller won't accept.
708 */
709 ret = PNG_UNEXPECTED_ZLIB_RETURN;
710 }
711 }
712
713 else if (ret == Z_OK)
714 ret = PNG_UNEXPECTED_ZLIB_RETURN; /* for safety */
715
716 /* Free the text pointer (this is the old read_buffer on
717 * success)
718 */
719 png_free(png_ptr, text);
720
721 /* This really is very benign, but it's still an error because
722 * the extra space may otherwise be used as a Trojan Horse.
723 */
724 if (ret == Z_STREAM_END &&
725 chunklength - prefix_size != lzsize)
726 png_chunk_benign_error(png_ptr, "extra compressed data");
727 }
728
729 else
730 {
731 /* Out of memory allocating the buffer */
732 ret = Z_MEM_ERROR;
733 png_zstream_error(png_ptr, Z_MEM_ERROR);
734 }
735 }
736
737 else
738 {
739 /* inflateReset failed, store the error message */
740 png_zstream_error(png_ptr, ret);
741 ret = PNG_UNEXPECTED_ZLIB_RETURN;
742 }
743 }
744
745 else if (ret == Z_OK)
746 ret = PNG_UNEXPECTED_ZLIB_RETURN;
747
748 /* Release the claimed stream */
749 png_ptr->zowner = 0;
750 }
751
752 else /* the claim failed */ if (ret == Z_STREAM_END) /* impossible! */
753 ret = PNG_UNEXPECTED_ZLIB_RETURN;
754
755 return ret;
756 }
757
758 else
759 {
760 /* Application/configuration limits exceeded */
761 png_zstream_error(png_ptr, Z_MEM_ERROR);
762 return Z_MEM_ERROR;
763 }
764}
765#endif /* READ_zTXt || READ_iTXt */
766#endif /* READ_COMPRESSED_TEXT */
767
768#ifdef PNG_READ_iCCP_SUPPORTED
769/* Perform a partial read and decompress, producing 'avail_out' bytes and
770 * reading from the current chunk as required.
771 */
772static int
773png_inflate_read(png_structrp png_ptr, png_bytep read_buffer, uInt read_size,
774 png_uint_32p chunk_bytes, png_bytep next_out, png_alloc_size_t *out_size,
775 int finish)
776{
777 if (png_ptr->zowner == png_ptr->chunk_name)
778 {
779 int ret;
780
781 /* next_in and avail_in must have been initialized by the caller. */
782 png_ptr->zstream.next_out = next_out;
783 png_ptr->zstream.avail_out = 0; /* set in the loop */
784
785 do
786 {
787 if (png_ptr->zstream.avail_in == 0)
788 {
789 if (read_size > *chunk_bytes)
790 read_size = (uInt)*chunk_bytes;
791 *chunk_bytes -= read_size;
792
793 if (read_size > 0)
794 png_crc_read(png_ptr, read_buffer, read_size);
795
796 png_ptr->zstream.next_in = read_buffer;
797 png_ptr->zstream.avail_in = read_size;
798 }
799
800 if (png_ptr->zstream.avail_out == 0)
801 {
802 uInt avail = ZLIB_IO_MAX;
803 if (avail > *out_size)
804 avail = (uInt)*out_size;
805 *out_size -= avail;
806
807 png_ptr->zstream.avail_out = avail;
808 }
809
810 /* Use Z_SYNC_FLUSH when there is no more chunk data to ensure that all
811 * the available output is produced; this allows reading of truncated
812 * streams.
813 */
814 ret = PNG_INFLATE(png_ptr, *chunk_bytes > 0 ?
815 Z_NO_FLUSH : (finish ? Z_FINISH : Z_SYNC_FLUSH));
816 }
817 while (ret == Z_OK && (*out_size > 0 || png_ptr->zstream.avail_out > 0));
818
819 *out_size += png_ptr->zstream.avail_out;
820 png_ptr->zstream.avail_out = 0; /* Should not be required, but is safe */
821
822 /* Ensure the error message pointer is always set: */
823 png_zstream_error(png_ptr, ret);
824 return ret;
825 }
826
827 else
828 {
829 png_ptr->zstream.msg = PNGZ_MSG_CAST("zstream unclaimed");
830 return Z_STREAM_ERROR;
831 }
832}
833#endif /* READ_iCCP */
834
835/* Read and check the IDHR chunk */
836
837void /* PRIVATE */
838png_handle_IHDR(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
839{
840 png_byte buf[13];
841 png_uint_32 width, height;
842 int bit_depth, color_type, compression_type, filter_type;
843 int interlace_type;
844
845 png_debug(1, "in png_handle_IHDR");
846
847 if ((png_ptr->mode & PNG_HAVE_IHDR) != 0)
848 png_chunk_error(png_ptr, "out of place");
849
850 /* Check the length */
851 if (length != 13)
852 png_chunk_error(png_ptr, "invalid");
853
854 png_ptr->mode |= PNG_HAVE_IHDR;
855
856 png_crc_read(png_ptr, buf, 13);
857 png_crc_finish(png_ptr, 0);
858
859 width = png_get_uint_31(png_ptr, buf);
860 height = png_get_uint_31(png_ptr, buf + 4);
861 bit_depth = buf[8];
862 color_type = buf[9];
863 compression_type = buf[10];
864 filter_type = buf[11];
865 interlace_type = buf[12];
866
867 /* Set internal variables */
868 png_ptr->width = width;
869 png_ptr->height = height;
870 png_ptr->bit_depth = (png_byte)bit_depth;
871 png_ptr->interlaced = (png_byte)interlace_type;
872 png_ptr->color_type = (png_byte)color_type;
873#ifdef PNG_MNG_FEATURES_SUPPORTED
874 png_ptr->filter_type = (png_byte)filter_type;
875#endif
876 png_ptr->compression_type = (png_byte)compression_type;
877
878 /* Find number of channels */
879 switch (png_ptr->color_type)
880 {
881 default: /* invalid, png_set_IHDR calls png_error */
882 case PNG_COLOR_TYPE_GRAY:
883 case PNG_COLOR_TYPE_PALETTE:
884 png_ptr->channels = 1;
885 break;
886
887 case PNG_COLOR_TYPE_RGB:
888 png_ptr->channels = 3;
889 break;
890
891 case PNG_COLOR_TYPE_GRAY_ALPHA:
892 png_ptr->channels = 2;
893 break;
894
895 case PNG_COLOR_TYPE_RGB_ALPHA:
896 png_ptr->channels = 4;
897 break;
898 }
899
900 /* Set up other useful info */
901 png_ptr->pixel_depth = (png_byte)(png_ptr->bit_depth * png_ptr->channels);
902 png_ptr->rowbytes = PNG_ROWBYTES(png_ptr->pixel_depth, png_ptr->width);
903 png_debug1(3, "bit_depth = %d", png_ptr->bit_depth);
904 png_debug1(3, "channels = %d", png_ptr->channels);
905 png_debug1(3, "rowbytes = %lu", (unsigned long)png_ptr->rowbytes);
906 png_set_IHDR(png_ptr, info_ptr, width, height, bit_depth,
907 color_type, interlace_type, compression_type, filter_type);
908}
909
910/* Read and check the palette */
911void /* PRIVATE */
912png_handle_PLTE(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
913{
914 png_color palette[PNG_MAX_PALETTE_LENGTH];
915 int max_palette_length, num, i;
916#ifdef PNG_POINTER_INDEXING_SUPPORTED
917 png_colorp pal_ptr;
918#endif
919
920 png_debug(1, "in png_handle_PLTE");
921
922 if ((png_ptr->mode & PNG_HAVE_IHDR) == 0)
923 png_chunk_error(png_ptr, "missing IHDR");
924
925 /* Moved to before the 'after IDAT' check below because otherwise duplicate
926 * PLTE chunks are potentially ignored (the spec says there shall not be more
927 * than one PLTE, the error is not treated as benign, so this check trumps
928 * the requirement that PLTE appears before IDAT.)
929 */
930 else if ((png_ptr->mode & PNG_HAVE_PLTE) != 0)
931 png_chunk_error(png_ptr, "duplicate");
932
933 else if ((png_ptr->mode & PNG_HAVE_IDAT) != 0)
934 {
935 /* This is benign because the non-benign error happened before, when an
936 * IDAT was encountered in a color-mapped image with no PLTE.
937 */
938 png_crc_finish(png_ptr, length);
939 png_chunk_benign_error(png_ptr, "out of place");
940 return;
941 }
942
943 png_ptr->mode |= PNG_HAVE_PLTE;
944
945 if ((png_ptr->color_type & PNG_COLOR_MASK_COLOR) == 0)
946 {
947 png_crc_finish(png_ptr, length);
948 png_chunk_benign_error(png_ptr, "ignored in grayscale PNG");
949 return;
950 }
951
952#ifndef PNG_READ_OPT_PLTE_SUPPORTED
953 if (png_ptr->color_type != PNG_COLOR_TYPE_PALETTE)
954 {
955 png_crc_finish(png_ptr, length);
956 return;
957 }
958#endif
959
960 if (length > 3*PNG_MAX_PALETTE_LENGTH || length % 3)
961 {
962 png_crc_finish(png_ptr, length);
963
964 if (png_ptr->color_type != PNG_COLOR_TYPE_PALETTE)
965 png_chunk_benign_error(png_ptr, "invalid");
966
967 else
968 png_chunk_error(png_ptr, "invalid");
969
970 return;
971 }
972
973 /* The cast is safe because 'length' is less than 3*PNG_MAX_PALETTE_LENGTH */
974 num = (int)length / 3;
975
976 /* If the palette has 256 or fewer entries but is too large for the bit
977 * depth, we don't issue an error, to preserve the behavior of previous
978 * libpng versions. We silently truncate the unused extra palette entries
979 * here.
980 */
981 if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
982 max_palette_length = (1 << png_ptr->bit_depth);
983 else
984 max_palette_length = PNG_MAX_PALETTE_LENGTH;
985
986 if (num > max_palette_length)
987 num = max_palette_length;
988
989#ifdef PNG_POINTER_INDEXING_SUPPORTED
990 for (i = 0, pal_ptr = palette; i < num; i++, pal_ptr++)
991 {
992 png_byte buf[3];
993
994 png_crc_read(png_ptr, buf, 3);
995 pal_ptr->red = buf[0];
996 pal_ptr->green = buf[1];
997 pal_ptr->blue = buf[2];
998 }
999#else
1000 for (i = 0; i < num; i++)
1001 {
1002 png_byte buf[3];
1003
1004 png_crc_read(png_ptr, buf, 3);
1005 /* Don't depend upon png_color being any order */
1006 palette[i].red = buf[0];
1007 palette[i].green = buf[1];
1008 palette[i].blue = buf[2];
1009 }
1010#endif
1011
1012 /* If we actually need the PLTE chunk (ie for a paletted image), we do
1013 * whatever the normal CRC configuration tells us. However, if we
1014 * have an RGB image, the PLTE can be considered ancillary, so
1015 * we will act as though it is.
1016 */
1017#ifndef PNG_READ_OPT_PLTE_SUPPORTED
1018 if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
1019#endif
1020 {
1021 png_crc_finish(png_ptr, (png_uint_32) (length - (unsigned int)num * 3));
1022 }
1023
1024#ifndef PNG_READ_OPT_PLTE_SUPPORTED
1025 else if (png_crc_error(png_ptr) != 0) /* Only if we have a CRC error */
1026 {
1027 /* If we don't want to use the data from an ancillary chunk,
1028 * we have two options: an error abort, or a warning and we
1029 * ignore the data in this chunk (which should be OK, since
1030 * it's considered ancillary for a RGB or RGBA image).
1031 *
1032 * IMPLEMENTATION NOTE: this is only here because png_crc_finish uses the
1033 * chunk type to determine whether to check the ancillary or the critical
1034 * flags.
1035 */
1036 if ((png_ptr->flags & PNG_FLAG_CRC_ANCILLARY_USE) == 0)
1037 {
1038 if ((png_ptr->flags & PNG_FLAG_CRC_ANCILLARY_NOWARN) != 0)
1039 return;
1040
1041 else
1042 png_chunk_error(png_ptr, "CRC error");
1043 }
1044
1045 /* Otherwise, we (optionally) emit a warning and use the chunk. */
1046 else if ((png_ptr->flags & PNG_FLAG_CRC_ANCILLARY_NOWARN) == 0)
1047 png_chunk_warning(png_ptr, "CRC error");
1048 }
1049#endif
1050
1051 /* TODO: png_set_PLTE has the side effect of setting png_ptr->palette to its
1052 * own copy of the palette. This has the side effect that when png_start_row
1053 * is called (this happens after any call to png_read_update_info) the
1054 * info_ptr palette gets changed. This is extremely unexpected and
1055 * confusing.
1056 *
1057 * Fix this by not sharing the palette in this way.
1058 */
1059 png_set_PLTE(png_ptr, info_ptr, palette, num);
1060
1061 /* The three chunks, bKGD, hIST and tRNS *must* appear after PLTE and before
1062 * IDAT. Prior to 1.6.0 this was not checked; instead the code merely
1063 * checked the apparent validity of a tRNS chunk inserted before PLTE on a
1064 * palette PNG. 1.6.0 attempts to rigorously follow the standard and
1065 * therefore does a benign error if the erroneous condition is detected *and*
1066 * cancels the tRNS if the benign error returns. The alternative is to
1067 * amend the standard since it would be rather hypocritical of the standards
1068 * maintainers to ignore it.
1069 */
1070#ifdef PNG_READ_tRNS_SUPPORTED
1071 if (png_ptr->num_trans > 0 ||
1072 (info_ptr != NULL && (info_ptr->valid & PNG_INFO_tRNS) != 0))
1073 {
1074 /* Cancel this because otherwise it would be used if the transforms
1075 * require it. Don't cancel the 'valid' flag because this would prevent
1076 * detection of duplicate chunks.
1077 */
1078 png_ptr->num_trans = 0;
1079
1080 if (info_ptr != NULL)
1081 info_ptr->num_trans = 0;
1082
1083 png_chunk_benign_error(png_ptr, "tRNS must be after");
1084 }
1085#endif
1086
1087#ifdef PNG_READ_hIST_SUPPORTED
1088 if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_hIST) != 0)
1089 png_chunk_benign_error(png_ptr, "hIST must be after");
1090#endif
1091
1092#ifdef PNG_READ_bKGD_SUPPORTED
1093 if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_bKGD) != 0)
1094 png_chunk_benign_error(png_ptr, "bKGD must be after");
1095#endif
1096}
1097
1098void /* PRIVATE */
1099png_handle_IEND(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
1100{
1101 png_debug(1, "in png_handle_IEND");
1102
1103 if ((png_ptr->mode & PNG_HAVE_IHDR) == 0 ||
1104 (png_ptr->mode & PNG_HAVE_IDAT) == 0)
1105 png_chunk_error(png_ptr, "out of place");
1106
1107 png_ptr->mode |= (PNG_AFTER_IDAT | PNG_HAVE_IEND);
1108
1109 png_crc_finish(png_ptr, length);
1110
1111 if (length != 0)
1112 png_chunk_benign_error(png_ptr, "invalid");
1113
1114 PNG_UNUSED(info_ptr)
1115}
1116
1117#ifdef PNG_READ_gAMA_SUPPORTED
1118void /* PRIVATE */
1119png_handle_gAMA(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
1120{
1121 png_fixed_point igamma;
1122 png_byte buf[4];
1123
1124 png_debug(1, "in png_handle_gAMA");
1125
1126 if ((png_ptr->mode & PNG_HAVE_IHDR) == 0)
1127 png_chunk_error(png_ptr, "missing IHDR");
1128
1129 else if ((png_ptr->mode & (PNG_HAVE_IDAT|PNG_HAVE_PLTE)) != 0)
1130 {
1131 png_crc_finish(png_ptr, length);
1132 png_chunk_benign_error(png_ptr, "out of place");
1133 return;
1134 }
1135
1136 if (length != 4)
1137 {
1138 png_crc_finish(png_ptr, length);
1139 png_chunk_benign_error(png_ptr, "invalid");
1140 return;
1141 }
1142
1143 png_crc_read(png_ptr, buf, 4);
1144
1145 if (png_crc_finish(png_ptr, 0) != 0)
1146 return;
1147
1148 igamma = png_get_fixed_point(NULL, buf);
1149
1150 png_colorspace_set_gamma(png_ptr, &png_ptr->colorspace, igamma);
1151 png_colorspace_sync(png_ptr, info_ptr);
1152}
1153#endif
1154
1155#ifdef PNG_READ_sBIT_SUPPORTED
1156void /* PRIVATE */
1157png_handle_sBIT(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
1158{
1159 unsigned int truelen, i;
1160 png_byte sample_depth;
1161 png_byte buf[4];
1162
1163 png_debug(1, "in png_handle_sBIT");
1164
1165 if ((png_ptr->mode & PNG_HAVE_IHDR) == 0)
1166 png_chunk_error(png_ptr, "missing IHDR");
1167
1168 else if ((png_ptr->mode & (PNG_HAVE_IDAT|PNG_HAVE_PLTE)) != 0)
1169 {
1170 png_crc_finish(png_ptr, length);
1171 png_chunk_benign_error(png_ptr, "out of place");
1172 return;
1173 }
1174
1175 if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_sBIT) != 0)
1176 {
1177 png_crc_finish(png_ptr, length);
1178 png_chunk_benign_error(png_ptr, "duplicate");
1179 return;
1180 }
1181
1182 if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
1183 {
1184 truelen = 3;
1185 sample_depth = 8;
1186 }
1187
1188 else
1189 {
1190 truelen = png_ptr->channels;
1191 sample_depth = png_ptr->bit_depth;
1192 }
1193
1194 if (length != truelen || length > 4)
1195 {
1196 png_chunk_benign_error(png_ptr, "invalid");
1197 png_crc_finish(png_ptr, length);
1198 return;
1199 }
1200
1201 buf[0] = buf[1] = buf[2] = buf[3] = sample_depth;
1202 png_crc_read(png_ptr, buf, truelen);
1203
1204 if (png_crc_finish(png_ptr, 0) != 0)
1205 return;
1206
1207 for (i=0; i<truelen; ++i)
1208 {
1209 if (buf[i] == 0 || buf[i] > sample_depth)
1210 {
1211 png_chunk_benign_error(png_ptr, "invalid");
1212 return;
1213 }
1214 }
1215
1216 if ((png_ptr->color_type & PNG_COLOR_MASK_COLOR) != 0)
1217 {
1218 png_ptr->sig_bit.red = buf[0];
1219 png_ptr->sig_bit.green = buf[1];
1220 png_ptr->sig_bit.blue = buf[2];
1221 png_ptr->sig_bit.alpha = buf[3];
1222 }
1223
1224 else
1225 {
1226 png_ptr->sig_bit.gray = buf[0];
1227 png_ptr->sig_bit.red = buf[0];
1228 png_ptr->sig_bit.green = buf[0];
1229 png_ptr->sig_bit.blue = buf[0];
1230 png_ptr->sig_bit.alpha = buf[1];
1231 }
1232
1233 png_set_sBIT(png_ptr, info_ptr, &(png_ptr->sig_bit));
1234}
1235#endif
1236
1237#ifdef PNG_READ_cHRM_SUPPORTED
1238void /* PRIVATE */
1239png_handle_cHRM(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
1240{
1241 png_byte buf[32];
1242 png_xy xy;
1243
1244 png_debug(1, "in png_handle_cHRM");
1245
1246 if ((png_ptr->mode & PNG_HAVE_IHDR) == 0)
1247 png_chunk_error(png_ptr, "missing IHDR");
1248
1249 else if ((png_ptr->mode & (PNG_HAVE_IDAT|PNG_HAVE_PLTE)) != 0)
1250 {
1251 png_crc_finish(png_ptr, length);
1252 png_chunk_benign_error(png_ptr, "out of place");
1253 return;
1254 }
1255
1256 if (length != 32)
1257 {
1258 png_crc_finish(png_ptr, length);
1259 png_chunk_benign_error(png_ptr, "invalid");
1260 return;
1261 }
1262
1263 png_crc_read(png_ptr, buf, 32);
1264
1265 if (png_crc_finish(png_ptr, 0) != 0)
1266 return;
1267
1268 xy.whitex = png_get_fixed_point(NULL, buf);
1269 xy.whitey = png_get_fixed_point(NULL, buf + 4);
1270 xy.redx = png_get_fixed_point(NULL, buf + 8);
1271 xy.redy = png_get_fixed_point(NULL, buf + 12);
1272 xy.greenx = png_get_fixed_point(NULL, buf + 16);
1273 xy.greeny = png_get_fixed_point(NULL, buf + 20);
1274 xy.bluex = png_get_fixed_point(NULL, buf + 24);
1275 xy.bluey = png_get_fixed_point(NULL, buf + 28);
1276
1277 if (xy.whitex == PNG_FIXED_ERROR ||
1278 xy.whitey == PNG_FIXED_ERROR ||
1279 xy.redx == PNG_FIXED_ERROR ||
1280 xy.redy == PNG_FIXED_ERROR ||
1281 xy.greenx == PNG_FIXED_ERROR ||
1282 xy.greeny == PNG_FIXED_ERROR ||
1283 xy.bluex == PNG_FIXED_ERROR ||
1284 xy.bluey == PNG_FIXED_ERROR)
1285 {
1286 png_chunk_benign_error(png_ptr, "invalid values");
1287 return;
1288 }
1289
1290 /* If a colorspace error has already been output skip this chunk */
1291 if ((png_ptr->colorspace.flags & PNG_COLORSPACE_INVALID) != 0)
1292 return;
1293
1294 if ((png_ptr->colorspace.flags & PNG_COLORSPACE_FROM_cHRM) != 0)
1295 {
1296 png_ptr->colorspace.flags |= PNG_COLORSPACE_INVALID;
1297 png_colorspace_sync(png_ptr, info_ptr);
1298 png_chunk_benign_error(png_ptr, "duplicate");
1299 return;
1300 }
1301
1302 png_ptr->colorspace.flags |= PNG_COLORSPACE_FROM_cHRM;
1303 (void)png_colorspace_set_chromaticities(png_ptr, &png_ptr->colorspace, &xy,
1304 1/*prefer cHRM values*/);
1305 png_colorspace_sync(png_ptr, info_ptr);
1306}
1307#endif
1308
1309#ifdef PNG_READ_sRGB_SUPPORTED
1310void /* PRIVATE */
1311png_handle_sRGB(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
1312{
1313 png_byte intent;
1314
1315 png_debug(1, "in png_handle_sRGB");
1316
1317 if ((png_ptr->mode & PNG_HAVE_IHDR) == 0)
1318 png_chunk_error(png_ptr, "missing IHDR");
1319
1320 else if ((png_ptr->mode & (PNG_HAVE_IDAT|PNG_HAVE_PLTE)) != 0)
1321 {
1322 png_crc_finish(png_ptr, length);
1323 png_chunk_benign_error(png_ptr, "out of place");
1324 return;
1325 }
1326
1327 if (length != 1)
1328 {
1329 png_crc_finish(png_ptr, length);
1330 png_chunk_benign_error(png_ptr, "invalid");
1331 return;
1332 }
1333
1334 png_crc_read(png_ptr, &intent, 1);
1335
1336 if (png_crc_finish(png_ptr, 0) != 0)
1337 return;
1338
1339 /* If a colorspace error has already been output skip this chunk */
1340 if ((png_ptr->colorspace.flags & PNG_COLORSPACE_INVALID) != 0)
1341 return;
1342
1343 /* Only one sRGB or iCCP chunk is allowed, use the HAVE_INTENT flag to detect
1344 * this.
1345 */
1346 if ((png_ptr->colorspace.flags & PNG_COLORSPACE_HAVE_INTENT) != 0)
1347 {
1348 png_ptr->colorspace.flags |= PNG_COLORSPACE_INVALID;
1349 png_colorspace_sync(png_ptr, info_ptr);
1350 png_chunk_benign_error(png_ptr, "too many profiles");
1351 return;
1352 }
1353
1354 (void)png_colorspace_set_sRGB(png_ptr, &png_ptr->colorspace, intent);
1355 png_colorspace_sync(png_ptr, info_ptr);
1356}
1357#endif /* READ_sRGB */
1358
1359#ifdef PNG_READ_iCCP_SUPPORTED
1360void /* PRIVATE */
1361png_handle_iCCP(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
1362/* Note: this does not properly handle profiles that are > 64K under DOS */
1363{
1364 png_const_charp errmsg = NULL; /* error message output, or no error */
1365 int finished = 0; /* crc checked */
1366
1367 png_debug(1, "in png_handle_iCCP");
1368
1369 if ((png_ptr->mode & PNG_HAVE_IHDR) == 0)
1370 png_chunk_error(png_ptr, "missing IHDR");
1371
1372 else if ((png_ptr->mode & (PNG_HAVE_IDAT|PNG_HAVE_PLTE)) != 0)
1373 {
1374 png_crc_finish(png_ptr, length);
1375 png_chunk_benign_error(png_ptr, "out of place");
1376 return;
1377 }
1378
1379 /* Consistent with all the above colorspace handling an obviously *invalid*
1380 * chunk is just ignored, so does not invalidate the color space. An
1381 * alternative is to set the 'invalid' flags at the start of this routine
1382 * and only clear them in they were not set before and all the tests pass.
1383 */
1384
1385 /* The keyword must be at least one character and there is a
1386 * terminator (0) byte and the compression method byte, and the
1387 * 'zlib' datastream is at least 11 bytes.
1388 */
1389 if (length < 14)
1390 {
1391 png_crc_finish(png_ptr, length);
1392 png_chunk_benign_error(png_ptr, "too short");
1393 return;
1394 }
1395
1396 /* If a colorspace error has already been output skip this chunk */
1397 if ((png_ptr->colorspace.flags & PNG_COLORSPACE_INVALID) != 0)
1398 {
1399 png_crc_finish(png_ptr, length);
1400 return;
1401 }
1402
1403 /* Only one sRGB or iCCP chunk is allowed, use the HAVE_INTENT flag to detect
1404 * this.
1405 */
1406 if ((png_ptr->colorspace.flags & PNG_COLORSPACE_HAVE_INTENT) == 0)
1407 {
1408 uInt read_length, keyword_length;
1409 char keyword[81];
1410
1411 /* Find the keyword; the keyword plus separator and compression method
1412 * bytes can be at most 81 characters long.
1413 */
1414 read_length = 81; /* maximum */
1415 if (read_length > length)
1416 read_length = (uInt)length;
1417
1418 png_crc_read(png_ptr, (png_bytep)keyword, read_length);
1419 length -= read_length;
1420
1421 /* The minimum 'zlib' stream is assumed to be just the 2 byte header,
1422 * 5 bytes minimum 'deflate' stream, and the 4 byte checksum.
1423 */
1424 if (length < 11)
1425 {
1426 png_crc_finish(png_ptr, length);
1427 png_chunk_benign_error(png_ptr, "too short");
1428 return;
1429 }
1430
1431 keyword_length = 0;
1432 while (keyword_length < 80 && keyword_length < read_length &&
1433 keyword[keyword_length] != 0)
1434 ++keyword_length;
1435
1436 /* TODO: make the keyword checking common */
1437 if (keyword_length >= 1 && keyword_length <= 79)
1438 {
1439 /* We only understand '0' compression - deflate - so if we get a
1440 * different value we can't safely decode the chunk.
1441 */
1442 if (keyword_length+1 < read_length &&
1443 keyword[keyword_length+1] == PNG_COMPRESSION_TYPE_BASE)
1444 {
1445 read_length -= keyword_length+2;
1446
1447 if (png_inflate_claim(png_ptr, png_iCCP) == Z_OK)
1448 {
1449 Byte profile_header[132]={0};
1450 Byte local_buffer[PNG_INFLATE_BUF_SIZE];
1451 png_alloc_size_t size = (sizeof profile_header);
1452
1453 png_ptr->zstream.next_in = (Bytef*)keyword + (keyword_length+2);
1454 png_ptr->zstream.avail_in = read_length;
1455 (void)png_inflate_read(png_ptr, local_buffer,
1456 (sizeof local_buffer), &length, profile_header, &size,
1457 0/*finish: don't, because the output is too small*/);
1458
1459 if (size == 0)
1460 {
1461 /* We have the ICC profile header; do the basic header checks.
1462 */
1463 png_uint_32 profile_length = png_get_uint_32(profile_header);
1464
1465 if (png_icc_check_length(png_ptr, &png_ptr->colorspace,
1466 keyword, profile_length) != 0)
1467 {
1468 /* The length is apparently ok, so we can check the 132
1469 * byte header.
1470 */
1471 if (png_icc_check_header(png_ptr, &png_ptr->colorspace,
1472 keyword, profile_length, profile_header,
1473 png_ptr->color_type) != 0)
1474 {
1475 /* Now read the tag table; a variable size buffer is
1476 * needed at this point, allocate one for the whole
1477 * profile. The header check has already validated
1478 * that none of this stuff will overflow.
1479 */
1480 png_uint_32 tag_count =
1481 png_get_uint_32(profile_header + 128);
1482 png_bytep profile = png_read_buffer(png_ptr,
1483 profile_length, 2/*silent*/);
1484
1485 if (profile != NULL)
1486 {
1487 memcpy(profile, profile_header,
1488 (sizeof profile_header));
1489
1490 size = 12 * tag_count;
1491
1492 (void)png_inflate_read(png_ptr, local_buffer,
1493 (sizeof local_buffer), &length,
1494 profile + (sizeof profile_header), &size, 0);
1495
1496 /* Still expect a buffer error because we expect
1497 * there to be some tag data!
1498 */
1499 if (size == 0)
1500 {
1501 if (png_icc_check_tag_table(png_ptr,
1502 &png_ptr->colorspace, keyword, profile_length,
1503 profile) != 0)
1504 {
1505 /* The profile has been validated for basic
1506 * security issues, so read the whole thing in.
1507 */
1508 size = profile_length - (sizeof profile_header)
1509 - 12 * tag_count;
1510
1511 (void)png_inflate_read(png_ptr, local_buffer,
1512 (sizeof local_buffer), &length,
1513 profile + (sizeof profile_header) +
1514 12 * tag_count, &size, 1/*finish*/);
1515
1516 if (length > 0 && !(png_ptr->flags &
1517 PNG_FLAG_BENIGN_ERRORS_WARN))
1518 errmsg = "extra compressed data";
1519
1520 /* But otherwise allow extra data: */
1521 else if (size == 0)
1522 {
1523 if (length > 0)
1524 {
1525 /* This can be handled completely, so
1526 * keep going.
1527 */
1528 png_chunk_warning(png_ptr,
1529 "extra compressed data");
1530 }
1531
1532 png_crc_finish(png_ptr, length);
1533 finished = 1;
1534
1535# if defined(PNG_sRGB_SUPPORTED) && PNG_sRGB_PROFILE_CHECKS >= 0
1536 /* Check for a match against sRGB */
1537 png_icc_set_sRGB(png_ptr,
1538 &png_ptr->colorspace, profile,
1539 png_ptr->zstream.adler);
1540# endif
1541
1542 /* Steal the profile for info_ptr. */
1543 if (info_ptr != NULL)
1544 {
1545 png_free_data(png_ptr, info_ptr,
1546 PNG_FREE_ICCP, 0);
1547
1548 info_ptr->iccp_name = png_voidcast(char*,
1549 png_malloc_base(png_ptr,
1550 keyword_length+1));
1551 if (info_ptr->iccp_name != NULL)
1552 {
1553 memcpy(info_ptr->iccp_name, keyword,
1554 keyword_length+1);
1555 info_ptr->iccp_proflen =
1556 profile_length;
1557 info_ptr->iccp_profile = profile;
1558 png_ptr->read_buffer = NULL; /*steal*/
1559 info_ptr->free_me |= PNG_FREE_ICCP;
1560 info_ptr->valid |= PNG_INFO_iCCP;
1561 }
1562
1563 else
1564 {
1565 png_ptr->colorspace.flags |=
1566 PNG_COLORSPACE_INVALID;
1567 errmsg = "out of memory";
1568 }
1569 }
1570
1571 /* else the profile remains in the read
1572 * buffer which gets reused for subsequent
1573 * chunks.
1574 */
1575
1576 if (info_ptr != NULL)
1577 png_colorspace_sync(png_ptr, info_ptr);
1578
1579 if (errmsg == NULL)
1580 {
1581 png_ptr->zowner = 0;
1582 return;
1583 }
1584 }
1585 if (errmsg == NULL)
1586 errmsg = png_ptr->zstream.msg;
1587 }
1588 /* else png_icc_check_tag_table output an error */
1589 }
1590 else /* profile truncated */
1591 errmsg = png_ptr->zstream.msg;
1592 }
1593
1594 else
1595 errmsg = "out of memory";
1596 }
1597
1598 /* else png_icc_check_header output an error */
1599 }
1600
1601 /* else png_icc_check_length output an error */
1602 }
1603
1604 else /* profile truncated */
1605 errmsg = png_ptr->zstream.msg;
1606
1607 /* Release the stream */
1608 png_ptr->zowner = 0;
1609 }
1610
1611 else /* png_inflate_claim failed */
1612 errmsg = png_ptr->zstream.msg;
1613 }
1614
1615 else
1616 errmsg = "bad compression method"; /* or missing */
1617 }
1618
1619 else
1620 errmsg = "bad keyword";
1621 }
1622
1623 else
1624 errmsg = "too many profiles";
1625
1626 /* Failure: the reason is in 'errmsg' */
1627 if (finished == 0)
1628 png_crc_finish(png_ptr, length);
1629
1630 png_ptr->colorspace.flags |= PNG_COLORSPACE_INVALID;
1631 png_colorspace_sync(png_ptr, info_ptr);
1632 if (errmsg != NULL) /* else already output */
1633 png_chunk_benign_error(png_ptr, errmsg);
1634}
1635#endif /* READ_iCCP */
1636
1637#ifdef PNG_READ_sPLT_SUPPORTED
1638void /* PRIVATE */
1639png_handle_sPLT(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
1640/* Note: this does not properly handle chunks that are > 64K under DOS */
1641{
1642 png_bytep entry_start, buffer;
1643 png_sPLT_t new_palette;
1644 png_sPLT_entryp pp;
1645 png_uint_32 data_length;
1646 int entry_size, i;
1647 png_uint_32 skip = 0;
1648 png_uint_32 dl;
1649 size_t max_dl;
1650
1651 png_debug(1, "in png_handle_sPLT");
1652
1653#ifdef PNG_USER_LIMITS_SUPPORTED
1654 if (png_ptr->user_chunk_cache_max != 0)
1655 {
1656 if (png_ptr->user_chunk_cache_max == 1)
1657 {
1658 png_crc_finish(png_ptr, length);
1659 return;
1660 }
1661
1662 if (--png_ptr->user_chunk_cache_max == 1)
1663 {
1664 png_warning(png_ptr, "No space in chunk cache for sPLT");
1665 png_crc_finish(png_ptr, length);
1666 return;
1667 }
1668 }
1669#endif
1670
1671 if ((png_ptr->mode & PNG_HAVE_IHDR) == 0)
1672 png_chunk_error(png_ptr, "missing IHDR");
1673
1674 else if ((png_ptr->mode & PNG_HAVE_IDAT) != 0)
1675 {
1676 png_crc_finish(png_ptr, length);
1677 png_chunk_benign_error(png_ptr, "out of place");
1678 return;
1679 }
1680
1681#ifdef PNG_MAX_MALLOC_64K
1682 if (length > 65535U)
1683 {
1684 png_crc_finish(png_ptr, length);
1685 png_chunk_benign_error(png_ptr, "too large to fit in memory");
1686 return;
1687 }
1688#endif
1689
1690 buffer = png_read_buffer(png_ptr, length+1, 2/*silent*/);
1691 if (buffer == NULL)
1692 {
1693 png_crc_finish(png_ptr, length);
1694 png_chunk_benign_error(png_ptr, "out of memory");
1695 return;
1696 }
1697
1698
1699 /* WARNING: this may break if size_t is less than 32 bits; it is assumed
1700 * that the PNG_MAX_MALLOC_64K test is enabled in this case, but this is a
1701 * potential breakage point if the types in pngconf.h aren't exactly right.
1702 */
1703 png_crc_read(png_ptr, buffer, length);
1704
1705 if (png_crc_finish(png_ptr, skip) != 0)
1706 return;
1707
1708 buffer[length] = 0;
1709
1710 for (entry_start = buffer; *entry_start; entry_start++)
1711 /* Empty loop to find end of name */ ;
1712
1713 ++entry_start;
1714
1715 /* A sample depth should follow the separator, and we should be on it */
1716 if (length < 2U || entry_start > buffer + (length - 2U))
1717 {
1718 png_warning(png_ptr, "malformed sPLT chunk");
1719 return;
1720 }
1721
1722 new_palette.depth = *entry_start++;
1723 entry_size = (new_palette.depth == 8 ? 6 : 10);
1724 /* This must fit in a png_uint_32 because it is derived from the original
1725 * chunk data length.
1726 */
1727 data_length = length - (png_uint_32)(entry_start - buffer);
1728
1729 /* Integrity-check the data length */
1730 if ((data_length % (unsigned int)entry_size) != 0)
1731 {
1732 png_warning(png_ptr, "sPLT chunk has bad length");
1733 return;
1734 }
1735
1736 dl = (png_uint_32)(data_length / (unsigned int)entry_size);
1737 max_dl = PNG_SIZE_MAX / (sizeof (png_sPLT_entry));
1738
1739 if (dl > max_dl)
1740 {
1741 png_warning(png_ptr, "sPLT chunk too long");
1742 return;
1743 }
1744
1745 new_palette.nentries = (png_int_32)(data_length / (unsigned int)entry_size);
1746
1747 new_palette.entries = (png_sPLT_entryp)png_malloc_warn(png_ptr,
1748 (png_alloc_size_t) new_palette.nentries * (sizeof (png_sPLT_entry)));
1749
1750 if (new_palette.entries == NULL)
1751 {
1752 png_warning(png_ptr, "sPLT chunk requires too much memory");
1753 return;
1754 }
1755
1756#ifdef PNG_POINTER_INDEXING_SUPPORTED
1757 for (i = 0; i < new_palette.nentries; i++)
1758 {
1759 pp = new_palette.entries + i;
1760
1761 if (new_palette.depth == 8)
1762 {
1763 pp->red = *entry_start++;
1764 pp->green = *entry_start++;
1765 pp->blue = *entry_start++;
1766 pp->alpha = *entry_start++;
1767 }
1768
1769 else
1770 {
1771 pp->red = png_get_uint_16(entry_start); entry_start += 2;
1772 pp->green = png_get_uint_16(entry_start); entry_start += 2;
1773 pp->blue = png_get_uint_16(entry_start); entry_start += 2;
1774 pp->alpha = png_get_uint_16(entry_start); entry_start += 2;
1775 }
1776
1777 pp->frequency = png_get_uint_16(entry_start); entry_start += 2;
1778 }
1779#else
1780 pp = new_palette.entries;
1781
1782 for (i = 0; i < new_palette.nentries; i++)
1783 {
1784
1785 if (new_palette.depth == 8)
1786 {
1787 pp[i].red = *entry_start++;
1788 pp[i].green = *entry_start++;
1789 pp[i].blue = *entry_start++;
1790 pp[i].alpha = *entry_start++;
1791 }
1792
1793 else
1794 {
1795 pp[i].red = png_get_uint_16(entry_start); entry_start += 2;
1796 pp[i].green = png_get_uint_16(entry_start); entry_start += 2;
1797 pp[i].blue = png_get_uint_16(entry_start); entry_start += 2;
1798 pp[i].alpha = png_get_uint_16(entry_start); entry_start += 2;
1799 }
1800
1801 pp[i].frequency = png_get_uint_16(entry_start); entry_start += 2;
1802 }
1803#endif
1804
1805 /* Discard all chunk data except the name and stash that */
1806 new_palette.name = (png_charp)buffer;
1807
1808 png_set_sPLT(png_ptr, info_ptr, &new_palette, 1);
1809
1810 png_free(png_ptr, new_palette.entries);
1811}
1812#endif /* READ_sPLT */
1813
1814#ifdef PNG_READ_tRNS_SUPPORTED
1815void /* PRIVATE */
1816png_handle_tRNS(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
1817{
1818 png_byte readbuf[PNG_MAX_PALETTE_LENGTH];
1819
1820 png_debug(1, "in png_handle_tRNS");
1821
1822 if ((png_ptr->mode & PNG_HAVE_IHDR) == 0)
1823 png_chunk_error(png_ptr, "missing IHDR");
1824
1825 else if ((png_ptr->mode & PNG_HAVE_IDAT) != 0)
1826 {
1827 png_crc_finish(png_ptr, length);
1828 png_chunk_benign_error(png_ptr, "out of place");
1829 return;
1830 }
1831
1832 else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_tRNS) != 0)
1833 {
1834 png_crc_finish(png_ptr, length);
1835 png_chunk_benign_error(png_ptr, "duplicate");
1836 return;
1837 }
1838
1839 if (png_ptr->color_type == PNG_COLOR_TYPE_GRAY)
1840 {
1841 png_byte buf[2];
1842
1843 if (length != 2)
1844 {
1845 png_crc_finish(png_ptr, length);
1846 png_chunk_benign_error(png_ptr, "invalid");
1847 return;
1848 }
1849
1850 png_crc_read(png_ptr, buf, 2);
1851 png_ptr->num_trans = 1;
1852 png_ptr->trans_color.gray = png_get_uint_16(buf);
1853 }
1854
1855 else if (png_ptr->color_type == PNG_COLOR_TYPE_RGB)
1856 {
1857 png_byte buf[6];
1858
1859 if (length != 6)
1860 {
1861 png_crc_finish(png_ptr, length);
1862 png_chunk_benign_error(png_ptr, "invalid");
1863 return;
1864 }
1865
1866 png_crc_read(png_ptr, buf, length);
1867 png_ptr->num_trans = 1;
1868 png_ptr->trans_color.red = png_get_uint_16(buf);
1869 png_ptr->trans_color.green = png_get_uint_16(buf + 2);
1870 png_ptr->trans_color.blue = png_get_uint_16(buf + 4);
1871 }
1872
1873 else if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
1874 {
1875 if ((png_ptr->mode & PNG_HAVE_PLTE) == 0)
1876 {
1877 /* TODO: is this actually an error in the ISO spec? */
1878 png_crc_finish(png_ptr, length);
1879 png_chunk_benign_error(png_ptr, "out of place");
1880 return;
1881 }
1882
1883 if (length > (unsigned int) png_ptr->num_palette ||
1884 length > (unsigned int) PNG_MAX_PALETTE_LENGTH ||
1885 length == 0)
1886 {
1887 png_crc_finish(png_ptr, length);
1888 png_chunk_benign_error(png_ptr, "invalid");
1889 return;
1890 }
1891
1892 png_crc_read(png_ptr, readbuf, length);
1893 png_ptr->num_trans = (png_uint_16)length;
1894 }
1895
1896 else
1897 {
1898 png_crc_finish(png_ptr, length);
1899 png_chunk_benign_error(png_ptr, "invalid with alpha channel");
1900 return;
1901 }
1902
1903 if (png_crc_finish(png_ptr, 0) != 0)
1904 {
1905 png_ptr->num_trans = 0;
1906 return;
1907 }
1908
1909 /* TODO: this is a horrible side effect in the palette case because the
1910 * png_struct ends up with a pointer to the tRNS buffer owned by the
1911 * png_info. Fix this.
1912 */
1913 png_set_tRNS(png_ptr, info_ptr, readbuf, png_ptr->num_trans,
1914 &(png_ptr->trans_color));
1915}
1916#endif
1917
1918#ifdef PNG_READ_bKGD_SUPPORTED
1919void /* PRIVATE */
1920png_handle_bKGD(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
1921{
1922 unsigned int truelen;
1923 png_byte buf[6];
1924 png_color_16 background;
1925
1926 png_debug(1, "in png_handle_bKGD");
1927
1928 if ((png_ptr->mode & PNG_HAVE_IHDR) == 0)
1929 png_chunk_error(png_ptr, "missing IHDR");
1930
1931 else if ((png_ptr->mode & PNG_HAVE_IDAT) != 0 ||
1932 (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE &&
1933 (png_ptr->mode & PNG_HAVE_PLTE) == 0))
1934 {
1935 png_crc_finish(png_ptr, length);
1936 png_chunk_benign_error(png_ptr, "out of place");
1937 return;
1938 }
1939
1940 else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_bKGD) != 0)
1941 {
1942 png_crc_finish(png_ptr, length);
1943 png_chunk_benign_error(png_ptr, "duplicate");
1944 return;
1945 }
1946
1947 if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
1948 truelen = 1;
1949
1950 else if ((png_ptr->color_type & PNG_COLOR_MASK_COLOR) != 0)
1951 truelen = 6;
1952
1953 else
1954 truelen = 2;
1955
1956 if (length != truelen)
1957 {
1958 png_crc_finish(png_ptr, length);
1959 png_chunk_benign_error(png_ptr, "invalid");
1960 return;
1961 }
1962
1963 png_crc_read(png_ptr, buf, truelen);
1964
1965 if (png_crc_finish(png_ptr, 0) != 0)
1966 return;
1967
1968 /* We convert the index value into RGB components so that we can allow
1969 * arbitrary RGB values for background when we have transparency, and
1970 * so it is easy to determine the RGB values of the background color
1971 * from the info_ptr struct.
1972 */
1973 if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
1974 {
1975 background.index = buf[0];
1976
1977 if (info_ptr != NULL && info_ptr->num_palette != 0)
1978 {
1979 if (buf[0] >= info_ptr->num_palette)
1980 {
1981 png_chunk_benign_error(png_ptr, "invalid index");
1982 return;
1983 }
1984
1985 background.red = (png_uint_16)png_ptr->palette[buf[0]].red;
1986 background.green = (png_uint_16)png_ptr->palette[buf[0]].green;
1987 background.blue = (png_uint_16)png_ptr->palette[buf[0]].blue;
1988 }
1989
1990 else
1991 background.red = background.green = background.blue = 0;
1992
1993 background.gray = 0;
1994 }
1995
1996 else if ((png_ptr->color_type & PNG_COLOR_MASK_COLOR) == 0) /* GRAY */
1997 {
1998 if (png_ptr->bit_depth <= 8)
1999 {
2000 if (buf[0] != 0 || buf[1] >= (unsigned int)(1 << png_ptr->bit_depth))
2001 {
2002 png_chunk_benign_error(png_ptr, "invalid gray level");
2003 return;
2004 }
2005 }
2006
2007 background.index = 0;
2008 background.red =
2009 background.green =
2010 background.blue =
2011 background.gray = png_get_uint_16(buf);
2012 }
2013
2014 else
2015 {
2016 if (png_ptr->bit_depth <= 8)
2017 {
2018 if (buf[0] != 0 || buf[2] != 0 || buf[4] != 0)
2019 {
2020 png_chunk_benign_error(png_ptr, "invalid color");
2021 return;
2022 }
2023 }
2024
2025 background.index = 0;
2026 background.red = png_get_uint_16(buf);
2027 background.green = png_get_uint_16(buf + 2);
2028 background.blue = png_get_uint_16(buf + 4);
2029 background.gray = 0;
2030 }
2031
2032 png_set_bKGD(png_ptr, info_ptr, &background);
2033}
2034#endif
2035
2036#ifdef PNG_READ_eXIf_SUPPORTED
2037void /* PRIVATE */
2038png_handle_eXIf(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
2039{
2040 unsigned int i;
2041
2042 png_debug(1, "in png_handle_eXIf");
2043
2044 if ((png_ptr->mode & PNG_HAVE_IHDR) == 0)
2045 png_chunk_error(png_ptr, "missing IHDR");
2046
2047 if (length < 2)
2048 {
2049 png_crc_finish(png_ptr, length);
2050 png_chunk_benign_error(png_ptr, "too short");
2051 return;
2052 }
2053
2054 else if (info_ptr == NULL || (info_ptr->valid & PNG_INFO_eXIf) != 0)
2055 {
2056 png_crc_finish(png_ptr, length);
2057 png_chunk_benign_error(png_ptr, "duplicate");
2058 return;
2059 }
2060
2061 info_ptr->free_me |= PNG_FREE_EXIF;
2062
2063 info_ptr->eXIf_buf = png_voidcast(png_bytep,
2064 png_malloc_warn(png_ptr, length));
2065
2066 if (info_ptr->eXIf_buf == NULL)
2067 {
2068 png_crc_finish(png_ptr, length);
2069 png_chunk_benign_error(png_ptr, "out of memory");
2070 return;
2071 }
2072
2073 for (i = 0; i < length; i++)
2074 {
2075 png_byte buf[1];
2076 png_crc_read(png_ptr, buf, 1);
2077 info_ptr->eXIf_buf[i] = buf[0];
2078 if (i == 1)
2079 {
2080 if ((buf[0] != 'M' && buf[0] != 'I') ||
2081 (info_ptr->eXIf_buf[0] != buf[0]))
2082 {
2083 png_crc_finish(png_ptr, length - 2);
2084 png_chunk_benign_error(png_ptr, "incorrect byte-order specifier");
2085 png_free(png_ptr, info_ptr->eXIf_buf);
2086 info_ptr->eXIf_buf = NULL;
2087 return;
2088 }
2089 }
2090 }
2091
2092 if (png_crc_finish(png_ptr, 0) == 0)
2093 png_set_eXIf_1(png_ptr, info_ptr, length, info_ptr->eXIf_buf);
2094
2095 png_free(png_ptr, info_ptr->eXIf_buf);
2096 info_ptr->eXIf_buf = NULL;
2097}
2098#endif
2099
2100#ifdef PNG_READ_hIST_SUPPORTED
2101void /* PRIVATE */
2102png_handle_hIST(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
2103{
2104 unsigned int num, i;
2105 png_uint_16 readbuf[PNG_MAX_PALETTE_LENGTH];
2106
2107 png_debug(1, "in png_handle_hIST");
2108
2109 if ((png_ptr->mode & PNG_HAVE_IHDR) == 0)
2110 png_chunk_error(png_ptr, "missing IHDR");
2111
2112 else if ((png_ptr->mode & PNG_HAVE_IDAT) != 0 ||
2113 (png_ptr->mode & PNG_HAVE_PLTE) == 0)
2114 {
2115 png_crc_finish(png_ptr, length);
2116 png_chunk_benign_error(png_ptr, "out of place");
2117 return;
2118 }
2119
2120 else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_hIST) != 0)
2121 {
2122 png_crc_finish(png_ptr, length);
2123 png_chunk_benign_error(png_ptr, "duplicate");
2124 return;
2125 }
2126
2127 num = length / 2 ;
2128
2129 if (length != num * 2 ||
2130 num != (unsigned int)png_ptr->num_palette ||
2131 num > (unsigned int)PNG_MAX_PALETTE_LENGTH)
2132 {
2133 png_crc_finish(png_ptr, length);
2134 png_chunk_benign_error(png_ptr, "invalid");
2135 return;
2136 }
2137
2138 for (i = 0; i < num; i++)
2139 {
2140 png_byte buf[2];
2141
2142 png_crc_read(png_ptr, buf, 2);
2143 readbuf[i] = png_get_uint_16(buf);
2144 }
2145
2146 if (png_crc_finish(png_ptr, 0) != 0)
2147 return;
2148
2149 png_set_hIST(png_ptr, info_ptr, readbuf);
2150}
2151#endif
2152
2153#ifdef PNG_READ_pHYs_SUPPORTED
2154void /* PRIVATE */
2155png_handle_pHYs(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
2156{
2157 png_byte buf[9];
2158 png_uint_32 res_x, res_y;
2159 int unit_type;
2160
2161 png_debug(1, "in png_handle_pHYs");
2162
2163 if ((png_ptr->mode & PNG_HAVE_IHDR) == 0)
2164 png_chunk_error(png_ptr, "missing IHDR");
2165
2166 else if ((png_ptr->mode & PNG_HAVE_IDAT) != 0)
2167 {
2168 png_crc_finish(png_ptr, length);
2169 png_chunk_benign_error(png_ptr, "out of place");
2170 return;
2171 }
2172
2173 else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_pHYs) != 0)
2174 {
2175 png_crc_finish(png_ptr, length);
2176 png_chunk_benign_error(png_ptr, "duplicate");
2177 return;
2178 }
2179
2180 if (length != 9)
2181 {
2182 png_crc_finish(png_ptr, length);
2183 png_chunk_benign_error(png_ptr, "invalid");
2184 return;
2185 }
2186
2187 png_crc_read(png_ptr, buf, 9);
2188
2189 if (png_crc_finish(png_ptr, 0) != 0)
2190 return;
2191
2192 res_x = png_get_uint_32(buf);
2193 res_y = png_get_uint_32(buf + 4);
2194 unit_type = buf[8];
2195 png_set_pHYs(png_ptr, info_ptr, res_x, res_y, unit_type);
2196}
2197#endif
2198
2199#ifdef PNG_READ_oFFs_SUPPORTED
2200void /* PRIVATE */
2201png_handle_oFFs(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
2202{
2203 png_byte buf[9];
2204 png_int_32 offset_x, offset_y;
2205 int unit_type;
2206
2207 png_debug(1, "in png_handle_oFFs");
2208
2209 if ((png_ptr->mode & PNG_HAVE_IHDR) == 0)
2210 png_chunk_error(png_ptr, "missing IHDR");
2211
2212 else if ((png_ptr->mode & PNG_HAVE_IDAT) != 0)
2213 {
2214 png_crc_finish(png_ptr, length);
2215 png_chunk_benign_error(png_ptr, "out of place");
2216 return;
2217 }
2218
2219 else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_oFFs) != 0)
2220 {
2221 png_crc_finish(png_ptr, length);
2222 png_chunk_benign_error(png_ptr, "duplicate");
2223 return;
2224 }
2225
2226 if (length != 9)
2227 {
2228 png_crc_finish(png_ptr, length);
2229 png_chunk_benign_error(png_ptr, "invalid");
2230 return;
2231 }
2232
2233 png_crc_read(png_ptr, buf, 9);
2234
2235 if (png_crc_finish(png_ptr, 0) != 0)
2236 return;
2237
2238 offset_x = png_get_int_32(buf);
2239 offset_y = png_get_int_32(buf + 4);
2240 unit_type = buf[8];
2241 png_set_oFFs(png_ptr, info_ptr, offset_x, offset_y, unit_type);
2242}
2243#endif
2244
2245#ifdef PNG_READ_pCAL_SUPPORTED
2246/* Read the pCAL chunk (described in the PNG Extensions document) */
2247void /* PRIVATE */
2248png_handle_pCAL(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
2249{
2250 png_int_32 X0, X1;
2251 png_byte type, nparams;
2252 png_bytep buffer, buf, units, endptr;
2253 png_charpp params;
2254 int i;
2255
2256 png_debug(1, "in png_handle_pCAL");
2257
2258 if ((png_ptr->mode & PNG_HAVE_IHDR) == 0)
2259 png_chunk_error(png_ptr, "missing IHDR");
2260
2261 else if ((png_ptr->mode & PNG_HAVE_IDAT) != 0)
2262 {
2263 png_crc_finish(png_ptr, length);
2264 png_chunk_benign_error(png_ptr, "out of place");
2265 return;
2266 }
2267
2268 else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_pCAL) != 0)
2269 {
2270 png_crc_finish(png_ptr, length);
2271 png_chunk_benign_error(png_ptr, "duplicate");
2272 return;
2273 }
2274
2275 png_debug1(2, "Allocating and reading pCAL chunk data (%u bytes)",
2276 length + 1);
2277
2278 buffer = png_read_buffer(png_ptr, length+1, 2/*silent*/);
2279
2280 if (buffer == NULL)
2281 {
2282 png_crc_finish(png_ptr, length);
2283 png_chunk_benign_error(png_ptr, "out of memory");
2284 return;
2285 }
2286
2287 png_crc_read(png_ptr, buffer, length);
2288
2289 if (png_crc_finish(png_ptr, 0) != 0)
2290 return;
2291
2292 buffer[length] = 0; /* Null terminate the last string */
2293
2294 png_debug(3, "Finding end of pCAL purpose string");
2295 for (buf = buffer; *buf; buf++)
2296 /* Empty loop */ ;
2297
2298 endptr = buffer + length;
2299
2300 /* We need to have at least 12 bytes after the purpose string
2301 * in order to get the parameter information.
2302 */
2303 if (endptr - buf <= 12)
2304 {
2305 png_chunk_benign_error(png_ptr, "invalid");
2306 return;
2307 }
2308
2309 png_debug(3, "Reading pCAL X0, X1, type, nparams, and units");
2310 X0 = png_get_int_32((png_bytep)buf+1);
2311 X1 = png_get_int_32((png_bytep)buf+5);
2312 type = buf[9];
2313 nparams = buf[10];
2314 units = buf + 11;
2315
2316 png_debug(3, "Checking pCAL equation type and number of parameters");
2317 /* Check that we have the right number of parameters for known
2318 * equation types.
2319 */
2320 if ((type == PNG_EQUATION_LINEAR && nparams != 2) ||
2321 (type == PNG_EQUATION_BASE_E && nparams != 3) ||
2322 (type == PNG_EQUATION_ARBITRARY && nparams != 3) ||
2323 (type == PNG_EQUATION_HYPERBOLIC && nparams != 4))
2324 {
2325 png_chunk_benign_error(png_ptr, "invalid parameter count");
2326 return;
2327 }
2328
2329 else if (type >= PNG_EQUATION_LAST)
2330 {
2331 png_chunk_benign_error(png_ptr, "unrecognized equation type");
2332 }
2333
2334 for (buf = units; *buf; buf++)
2335 /* Empty loop to move past the units string. */ ;
2336
2337 png_debug(3, "Allocating pCAL parameters array");
2338
2339 params = png_voidcast(png_charpp, png_malloc_warn(png_ptr,
2340 nparams * (sizeof (png_charp))));
2341
2342 if (params == NULL)
2343 {
2344 png_chunk_benign_error(png_ptr, "out of memory");
2345 return;
2346 }
2347
2348 /* Get pointers to the start of each parameter string. */
2349 for (i = 0; i < nparams; i++)
2350 {
2351 buf++; /* Skip the null string terminator from previous parameter. */
2352
2353 png_debug1(3, "Reading pCAL parameter %d", i);
2354
2355 for (params[i] = (png_charp)buf; buf <= endptr && *buf != 0; buf++)
2356 /* Empty loop to move past each parameter string */ ;
2357
2358 /* Make sure we haven't run out of data yet */
2359 if (buf > endptr)
2360 {
2361 png_free(png_ptr, params);
2362 png_chunk_benign_error(png_ptr, "invalid data");
2363 return;
2364 }
2365 }
2366
2367 png_set_pCAL(png_ptr, info_ptr, (png_charp)buffer, X0, X1, type, nparams,
2368 (png_charp)units, params);
2369
2370 png_free(png_ptr, params);
2371}
2372#endif
2373
2374#ifdef PNG_READ_sCAL_SUPPORTED
2375/* Read the sCAL chunk */
2376void /* PRIVATE */
2377png_handle_sCAL(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
2378{
2379 png_bytep buffer;
2380 size_t i;
2381 int state;
2382
2383 png_debug(1, "in png_handle_sCAL");
2384
2385 if ((png_ptr->mode & PNG_HAVE_IHDR) == 0)
2386 png_chunk_error(png_ptr, "missing IHDR");
2387
2388 else if ((png_ptr->mode & PNG_HAVE_IDAT) != 0)
2389 {
2390 png_crc_finish(png_ptr, length);
2391 png_chunk_benign_error(png_ptr, "out of place");
2392 return;
2393 }
2394
2395 else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_sCAL) != 0)
2396 {
2397 png_crc_finish(png_ptr, length);
2398 png_chunk_benign_error(png_ptr, "duplicate");
2399 return;
2400 }
2401
2402 /* Need unit type, width, \0, height: minimum 4 bytes */
2403 else if (length < 4)
2404 {
2405 png_crc_finish(png_ptr, length);
2406 png_chunk_benign_error(png_ptr, "invalid");
2407 return;
2408 }
2409
2410 png_debug1(2, "Allocating and reading sCAL chunk data (%u bytes)",
2411 length + 1);
2412
2413 buffer = png_read_buffer(png_ptr, length+1, 2/*silent*/);
2414
2415 if (buffer == NULL)
2416 {
2417 png_chunk_benign_error(png_ptr, "out of memory");
2418 png_crc_finish(png_ptr, length);
2419 return;
2420 }
2421
2422 png_crc_read(png_ptr, buffer, length);
2423 buffer[length] = 0; /* Null terminate the last string */
2424
2425 if (png_crc_finish(png_ptr, 0) != 0)
2426 return;
2427
2428 /* Validate the unit. */
2429 if (buffer[0] != 1 && buffer[0] != 2)
2430 {
2431 png_chunk_benign_error(png_ptr, "invalid unit");
2432 return;
2433 }
2434
2435 /* Validate the ASCII numbers, need two ASCII numbers separated by
2436 * a '\0' and they need to fit exactly in the chunk data.
2437 */
2438 i = 1;
2439 state = 0;
2440
2441 if (png_check_fp_number((png_const_charp)buffer, length, &state, &i) == 0 ||
2442 i >= length || buffer[i++] != 0)
2443 png_chunk_benign_error(png_ptr, "bad width format");
2444
2445 else if (PNG_FP_IS_POSITIVE(state) == 0)
2446 png_chunk_benign_error(png_ptr, "non-positive width");
2447
2448 else
2449 {
2450 size_t heighti = i;
2451
2452 state = 0;
2453 if (png_check_fp_number((png_const_charp)buffer, length,
2454 &state, &i) == 0 || i != length)
2455 png_chunk_benign_error(png_ptr, "bad height format");
2456
2457 else if (PNG_FP_IS_POSITIVE(state) == 0)
2458 png_chunk_benign_error(png_ptr, "non-positive height");
2459
2460 else
2461 /* This is the (only) success case. */
2462 png_set_sCAL_s(png_ptr, info_ptr, buffer[0],
2463 (png_charp)buffer+1, (png_charp)buffer+heighti);
2464 }
2465}
2466#endif
2467
2468#ifdef PNG_READ_tIME_SUPPORTED
2469void /* PRIVATE */
2470png_handle_tIME(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
2471{
2472 png_byte buf[7];
2473 png_time mod_time;
2474
2475 png_debug(1, "in png_handle_tIME");
2476
2477 if ((png_ptr->mode & PNG_HAVE_IHDR) == 0)
2478 png_chunk_error(png_ptr, "missing IHDR");
2479
2480 else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_tIME) != 0)
2481 {
2482 png_crc_finish(png_ptr, length);
2483 png_chunk_benign_error(png_ptr, "duplicate");
2484 return;
2485 }
2486
2487 if ((png_ptr->mode & PNG_HAVE_IDAT) != 0)
2488 png_ptr->mode |= PNG_AFTER_IDAT;
2489
2490 if (length != 7)
2491 {
2492 png_crc_finish(png_ptr, length);
2493 png_chunk_benign_error(png_ptr, "invalid");
2494 return;
2495 }
2496
2497 png_crc_read(png_ptr, buf, 7);
2498
2499 if (png_crc_finish(png_ptr, 0) != 0)
2500 return;
2501
2502 mod_time.second = buf[6];
2503 mod_time.minute = buf[5];
2504 mod_time.hour = buf[4];
2505 mod_time.day = buf[3];
2506 mod_time.month = buf[2];
2507 mod_time.year = png_get_uint_16(buf);
2508
2509 png_set_tIME(png_ptr, info_ptr, &mod_time);
2510}
2511#endif
2512
2513#ifdef PNG_READ_tEXt_SUPPORTED
2514/* Note: this does not properly handle chunks that are > 64K under DOS */
2515void /* PRIVATE */
2516png_handle_tEXt(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
2517{
2518 png_text text_info;
2519 png_bytep buffer;
2520 png_charp key;
2521 png_charp text;
2522 png_uint_32 skip = 0;
2523
2524 png_debug(1, "in png_handle_tEXt");
2525
2526#ifdef PNG_USER_LIMITS_SUPPORTED
2527 if (png_ptr->user_chunk_cache_max != 0)
2528 {
2529 if (png_ptr->user_chunk_cache_max == 1)
2530 {
2531 png_crc_finish(png_ptr, length);
2532 return;
2533 }
2534
2535 if (--png_ptr->user_chunk_cache_max == 1)
2536 {
2537 png_crc_finish(png_ptr, length);
2538 png_chunk_benign_error(png_ptr, "no space in chunk cache");
2539 return;
2540 }
2541 }
2542#endif
2543
2544 if ((png_ptr->mode & PNG_HAVE_IHDR) == 0)
2545 png_chunk_error(png_ptr, "missing IHDR");
2546
2547 if ((png_ptr->mode & PNG_HAVE_IDAT) != 0)
2548 png_ptr->mode |= PNG_AFTER_IDAT;
2549
2550#ifdef PNG_MAX_MALLOC_64K
2551 if (length > 65535U)
2552 {
2553 png_crc_finish(png_ptr, length);
2554 png_chunk_benign_error(png_ptr, "too large to fit in memory");
2555 return;
2556 }
2557#endif
2558
2559 buffer = png_read_buffer(png_ptr, length+1, 1/*warn*/);
2560
2561 if (buffer == NULL)
2562 {
2563 png_chunk_benign_error(png_ptr, "out of memory");
2564 return;
2565 }
2566
2567 png_crc_read(png_ptr, buffer, length);
2568
2569 if (png_crc_finish(png_ptr, skip) != 0)
2570 return;
2571
2572 key = (png_charp)buffer;
2573 key[length] = 0;
2574
2575 for (text = key; *text; text++)
2576 /* Empty loop to find end of key */ ;
2577
2578 if (text != key + length)
2579 text++;
2580
2581 text_info.compression = PNG_TEXT_COMPRESSION_NONE;
2582 text_info.key = key;
2583 text_info.lang = NULL;
2584 text_info.lang_key = NULL;
2585 text_info.itxt_length = 0;
2586 text_info.text = text;
2587 text_info.text_length = strlen(text);
2588
2589 if (png_set_text_2(png_ptr, info_ptr, &text_info, 1) != 0)
2590 png_warning(png_ptr, "Insufficient memory to process text chunk");
2591}
2592#endif
2593
2594#ifdef PNG_READ_zTXt_SUPPORTED
2595/* Note: this does not correctly handle chunks that are > 64K under DOS */
2596void /* PRIVATE */
2597png_handle_zTXt(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
2598{
2599 png_const_charp errmsg = NULL;
2600 png_bytep buffer;
2601 png_uint_32 keyword_length;
2602
2603 png_debug(1, "in png_handle_zTXt");
2604
2605#ifdef PNG_USER_LIMITS_SUPPORTED
2606 if (png_ptr->user_chunk_cache_max != 0)
2607 {
2608 if (png_ptr->user_chunk_cache_max == 1)
2609 {
2610 png_crc_finish(png_ptr, length);
2611 return;
2612 }
2613
2614 if (--png_ptr->user_chunk_cache_max == 1)
2615 {
2616 png_crc_finish(png_ptr, length);
2617 png_chunk_benign_error(png_ptr, "no space in chunk cache");
2618 return;
2619 }
2620 }
2621#endif
2622
2623 if ((png_ptr->mode & PNG_HAVE_IHDR) == 0)
2624 png_chunk_error(png_ptr, "missing IHDR");
2625
2626 if ((png_ptr->mode & PNG_HAVE_IDAT) != 0)
2627 png_ptr->mode |= PNG_AFTER_IDAT;
2628
2629 /* Note, "length" is sufficient here; we won't be adding
2630 * a null terminator later.
2631 */
2632 buffer = png_read_buffer(png_ptr, length, 2/*silent*/);
2633
2634 if (buffer == NULL)
2635 {
2636 png_crc_finish(png_ptr, length);
2637 png_chunk_benign_error(png_ptr, "out of memory");
2638 return;
2639 }
2640
2641 png_crc_read(png_ptr, buffer, length);
2642
2643 if (png_crc_finish(png_ptr, 0) != 0)
2644 return;
2645
2646 /* TODO: also check that the keyword contents match the spec! */
2647 for (keyword_length = 0;
2648 keyword_length < length && buffer[keyword_length] != 0;
2649 ++keyword_length)
2650 /* Empty loop to find end of name */ ;
2651
2652 if (keyword_length > 79 || keyword_length < 1)
2653 errmsg = "bad keyword";
2654
2655 /* zTXt must have some LZ data after the keyword, although it may expand to
2656 * zero bytes; we need a '\0' at the end of the keyword, the compression type
2657 * then the LZ data:
2658 */
2659 else if (keyword_length + 3 > length)
2660 errmsg = "truncated";
2661
2662 else if (buffer[keyword_length+1] != PNG_COMPRESSION_TYPE_BASE)
2663 errmsg = "unknown compression type";
2664
2665 else
2666 {
2667 png_alloc_size_t uncompressed_length = PNG_SIZE_MAX;
2668
2669 /* TODO: at present png_decompress_chunk imposes a single application
2670 * level memory limit, this should be split to different values for iCCP
2671 * and text chunks.
2672 */
2673 if (png_decompress_chunk(png_ptr, length, keyword_length+2,
2674 &uncompressed_length, 1/*terminate*/) == Z_STREAM_END)
2675 {
2676 png_text text;
2677
2678 if (png_ptr->read_buffer == NULL)
2679 errmsg="Read failure in png_handle_zTXt";
2680 else
2681 {
2682 /* It worked; png_ptr->read_buffer now looks like a tEXt chunk
2683 * except for the extra compression type byte and the fact that
2684 * it isn't necessarily '\0' terminated.
2685 */
2686 buffer = png_ptr->read_buffer;
2687 buffer[uncompressed_length+(keyword_length+2)] = 0;
2688
2689 text.compression = PNG_TEXT_COMPRESSION_zTXt;
2690 text.key = (png_charp)buffer;
2691 text.text = (png_charp)(buffer + keyword_length+2);
2692 text.text_length = uncompressed_length;
2693 text.itxt_length = 0;
2694 text.lang = NULL;
2695 text.lang_key = NULL;
2696
2697 if (png_set_text_2(png_ptr, info_ptr, &text, 1) != 0)
2698 errmsg = "insufficient memory";
2699 }
2700 }
2701
2702 else
2703 errmsg = png_ptr->zstream.msg;
2704 }
2705
2706 if (errmsg != NULL)
2707 png_chunk_benign_error(png_ptr, errmsg);
2708}
2709#endif
2710
2711#ifdef PNG_READ_iTXt_SUPPORTED
2712/* Note: this does not correctly handle chunks that are > 64K under DOS */
2713void /* PRIVATE */
2714png_handle_iTXt(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
2715{
2716 png_const_charp errmsg = NULL;
2717 png_bytep buffer;
2718 png_uint_32 prefix_length;
2719
2720 png_debug(1, "in png_handle_iTXt");
2721
2722#ifdef PNG_USER_LIMITS_SUPPORTED
2723 if (png_ptr->user_chunk_cache_max != 0)
2724 {
2725 if (png_ptr->user_chunk_cache_max == 1)
2726 {
2727 png_crc_finish(png_ptr, length);
2728 return;
2729 }
2730
2731 if (--png_ptr->user_chunk_cache_max == 1)
2732 {
2733 png_crc_finish(png_ptr, length);
2734 png_chunk_benign_error(png_ptr, "no space in chunk cache");
2735 return;
2736 }
2737 }
2738#endif
2739
2740 if ((png_ptr->mode & PNG_HAVE_IHDR) == 0)
2741 png_chunk_error(png_ptr, "missing IHDR");
2742
2743 if ((png_ptr->mode & PNG_HAVE_IDAT) != 0)
2744 png_ptr->mode |= PNG_AFTER_IDAT;
2745
2746 buffer = png_read_buffer(png_ptr, length+1, 1/*warn*/);
2747
2748 if (buffer == NULL)
2749 {
2750 png_crc_finish(png_ptr, length);
2751 png_chunk_benign_error(png_ptr, "out of memory");
2752 return;
2753 }
2754
2755 png_crc_read(png_ptr, buffer, length);
2756
2757 if (png_crc_finish(png_ptr, 0) != 0)
2758 return;
2759
2760 /* First the keyword. */
2761 for (prefix_length=0;
2762 prefix_length < length && buffer[prefix_length] != 0;
2763 ++prefix_length)
2764 /* Empty loop */ ;
2765
2766 /* Perform a basic check on the keyword length here. */
2767 if (prefix_length > 79 || prefix_length < 1)
2768 errmsg = "bad keyword";
2769
2770 /* Expect keyword, compression flag, compression type, language, translated
2771 * keyword (both may be empty but are 0 terminated) then the text, which may
2772 * be empty.
2773 */
2774 else if (prefix_length + 5 > length)
2775 errmsg = "truncated";
2776
2777 else if (buffer[prefix_length+1] == 0 ||
2778 (buffer[prefix_length+1] == 1 &&
2779 buffer[prefix_length+2] == PNG_COMPRESSION_TYPE_BASE))
2780 {
2781 int compressed = buffer[prefix_length+1] != 0;
2782 png_uint_32 language_offset, translated_keyword_offset;
2783 png_alloc_size_t uncompressed_length = 0;
2784
2785 /* Now the language tag */
2786 prefix_length += 3;
2787 language_offset = prefix_length;
2788
2789 for (; prefix_length < length && buffer[prefix_length] != 0;
2790 ++prefix_length)
2791 /* Empty loop */ ;
2792
2793 /* WARNING: the length may be invalid here, this is checked below. */
2794 translated_keyword_offset = ++prefix_length;
2795
2796 for (; prefix_length < length && buffer[prefix_length] != 0;
2797 ++prefix_length)
2798 /* Empty loop */ ;
2799
2800 /* prefix_length should now be at the trailing '\0' of the translated
2801 * keyword, but it may already be over the end. None of this arithmetic
2802 * can overflow because chunks are at most 2^31 bytes long, but on 16-bit
2803 * systems the available allocation may overflow.
2804 */
2805 ++prefix_length;
2806
2807 if (compressed == 0 && prefix_length <= length)
2808 uncompressed_length = length - prefix_length;
2809
2810 else if (compressed != 0 && prefix_length < length)
2811 {
2812 uncompressed_length = PNG_SIZE_MAX;
2813
2814 /* TODO: at present png_decompress_chunk imposes a single application
2815 * level memory limit, this should be split to different values for
2816 * iCCP and text chunks.
2817 */
2818 if (png_decompress_chunk(png_ptr, length, prefix_length,
2819 &uncompressed_length, 1/*terminate*/) == Z_STREAM_END)
2820 buffer = png_ptr->read_buffer;
2821
2822 else
2823 errmsg = png_ptr->zstream.msg;
2824 }
2825
2826 else
2827 errmsg = "truncated";
2828
2829 if (errmsg == NULL)
2830 {
2831 png_text text;
2832
2833 buffer[uncompressed_length+prefix_length] = 0;
2834
2835 if (compressed == 0)
2836 text.compression = PNG_ITXT_COMPRESSION_NONE;
2837
2838 else
2839 text.compression = PNG_ITXT_COMPRESSION_zTXt;
2840
2841 text.key = (png_charp)buffer;
2842 text.lang = (png_charp)buffer + language_offset;
2843 text.lang_key = (png_charp)buffer + translated_keyword_offset;
2844 text.text = (png_charp)buffer + prefix_length;
2845 text.text_length = 0;
2846 text.itxt_length = uncompressed_length;
2847
2848 if (png_set_text_2(png_ptr, info_ptr, &text, 1) != 0)
2849 errmsg = "insufficient memory";
2850 }
2851 }
2852
2853 else
2854 errmsg = "bad compression info";
2855
2856 if (errmsg != NULL)
2857 png_chunk_benign_error(png_ptr, errmsg);
2858}
2859#endif
2860
2861#ifdef PNG_READ_UNKNOWN_CHUNKS_SUPPORTED
2862/* Utility function for png_handle_unknown; set up png_ptr::unknown_chunk */
2863static int
2864png_cache_unknown_chunk(png_structrp png_ptr, png_uint_32 length)
2865{
2866 png_alloc_size_t limit = PNG_SIZE_MAX;
2867
2868 if (png_ptr->unknown_chunk.data != NULL)
2869 {
2870 png_free(png_ptr, png_ptr->unknown_chunk.data);
2871 png_ptr->unknown_chunk.data = NULL;
2872 }
2873
2874# ifdef PNG_SET_USER_LIMITS_SUPPORTED
2875 if (png_ptr->user_chunk_malloc_max > 0 &&
2876 png_ptr->user_chunk_malloc_max < limit)
2877 limit = png_ptr->user_chunk_malloc_max;
2878
2879# elif PNG_USER_CHUNK_MALLOC_MAX > 0
2880 if (PNG_USER_CHUNK_MALLOC_MAX < limit)
2881 limit = PNG_USER_CHUNK_MALLOC_MAX;
2882# endif
2883
2884 if (length <= limit)
2885 {
2886 PNG_CSTRING_FROM_CHUNK(png_ptr->unknown_chunk.name, png_ptr->chunk_name);
2887 /* The following is safe because of the PNG_SIZE_MAX init above */
2888 png_ptr->unknown_chunk.size = (size_t)length/*SAFE*/;
2889 /* 'mode' is a flag array, only the bottom four bits matter here */
2890 png_ptr->unknown_chunk.location = (png_byte)png_ptr->mode/*SAFE*/;
2891
2892 if (length == 0)
2893 png_ptr->unknown_chunk.data = NULL;
2894
2895 else
2896 {
2897 /* Do a 'warn' here - it is handled below. */
2898 png_ptr->unknown_chunk.data = png_voidcast(png_bytep,
2899 png_malloc_warn(png_ptr, length));
2900 }
2901 }
2902
2903 if (png_ptr->unknown_chunk.data == NULL && length > 0)
2904 {
2905 /* This is benign because we clean up correctly */
2906 png_crc_finish(png_ptr, length);
2907 png_chunk_benign_error(png_ptr, "unknown chunk exceeds memory limits");
2908 return 0;
2909 }
2910
2911 else
2912 {
2913 if (length > 0)
2914 png_crc_read(png_ptr, png_ptr->unknown_chunk.data, length);
2915 png_crc_finish(png_ptr, 0);
2916 return 1;
2917 }
2918}
2919#endif /* READ_UNKNOWN_CHUNKS */
2920
2921/* Handle an unknown, or known but disabled, chunk */
2922void /* PRIVATE */
2923png_handle_unknown(png_structrp png_ptr, png_inforp info_ptr,
2924 png_uint_32 length, int keep)
2925{
2926 int handled = 0; /* the chunk was handled */
2927
2928 png_debug(1, "in png_handle_unknown");
2929
2930#ifdef PNG_READ_UNKNOWN_CHUNKS_SUPPORTED
2931 /* NOTE: this code is based on the code in libpng-1.4.12 except for fixing
2932 * the bug which meant that setting a non-default behavior for a specific
2933 * chunk would be ignored (the default was always used unless a user
2934 * callback was installed).
2935 *
2936 * 'keep' is the value from the png_chunk_unknown_handling, the setting for
2937 * this specific chunk_name, if PNG_HANDLE_AS_UNKNOWN_SUPPORTED, if not it
2938 * will always be PNG_HANDLE_CHUNK_AS_DEFAULT and it needs to be set here.
2939 * This is just an optimization to avoid multiple calls to the lookup
2940 * function.
2941 */
2942# ifndef PNG_HANDLE_AS_UNKNOWN_SUPPORTED
2943# ifdef PNG_SET_UNKNOWN_CHUNKS_SUPPORTED
2944 keep = png_chunk_unknown_handling(png_ptr, png_ptr->chunk_name);
2945# endif
2946# endif
2947
2948 /* One of the following methods will read the chunk or skip it (at least one
2949 * of these is always defined because this is the only way to switch on
2950 * PNG_READ_UNKNOWN_CHUNKS_SUPPORTED)
2951 */
2952# ifdef PNG_READ_USER_CHUNKS_SUPPORTED
2953 /* The user callback takes precedence over the chunk keep value, but the
2954 * keep value is still required to validate a save of a critical chunk.
2955 */
2956 if (png_ptr->read_user_chunk_fn != NULL)
2957 {
2958 if (png_cache_unknown_chunk(png_ptr, length) != 0)
2959 {
2960 /* Callback to user unknown chunk handler */
2961 int ret = (*(png_ptr->read_user_chunk_fn))(png_ptr,
2962 &png_ptr->unknown_chunk);
2963
2964 /* ret is:
2965 * negative: An error occurred; png_chunk_error will be called.
2966 * zero: The chunk was not handled, the chunk will be discarded
2967 * unless png_set_keep_unknown_chunks has been used to set
2968 * a 'keep' behavior for this particular chunk, in which
2969 * case that will be used. A critical chunk will cause an
2970 * error at this point unless it is to be saved.
2971 * positive: The chunk was handled, libpng will ignore/discard it.
2972 */
2973 if (ret < 0)
2974 png_chunk_error(png_ptr, "error in user chunk");
2975
2976 else if (ret == 0)
2977 {
2978 /* If the keep value is 'default' or 'never' override it, but
2979 * still error out on critical chunks unless the keep value is
2980 * 'always' While this is weird it is the behavior in 1.4.12.
2981 * A possible improvement would be to obey the value set for the
2982 * chunk, but this would be an API change that would probably
2983 * damage some applications.
2984 *
2985 * The png_app_warning below catches the case that matters, where
2986 * the application has not set specific save or ignore for this
2987 * chunk or global save or ignore.
2988 */
2989 if (keep < PNG_HANDLE_CHUNK_IF_SAFE)
2990 {
2991# ifdef PNG_SET_UNKNOWN_CHUNKS_SUPPORTED
2992 if (png_ptr->unknown_default < PNG_HANDLE_CHUNK_IF_SAFE)
2993 {
2994 png_chunk_warning(png_ptr, "Saving unknown chunk:");
2995 png_app_warning(png_ptr,
2996 "forcing save of an unhandled chunk;"
2997 " please call png_set_keep_unknown_chunks");
2998 /* with keep = PNG_HANDLE_CHUNK_IF_SAFE */
2999 }
3000# endif
3001 keep = PNG_HANDLE_CHUNK_IF_SAFE;
3002 }
3003 }
3004
3005 else /* chunk was handled */
3006 {
3007 handled = 1;
3008 /* Critical chunks can be safely discarded at this point. */
3009 keep = PNG_HANDLE_CHUNK_NEVER;
3010 }
3011 }
3012
3013 else
3014 keep = PNG_HANDLE_CHUNK_NEVER; /* insufficient memory */
3015 }
3016
3017 else
3018 /* Use the SAVE_UNKNOWN_CHUNKS code or skip the chunk */
3019# endif /* READ_USER_CHUNKS */
3020
3021# ifdef PNG_SAVE_UNKNOWN_CHUNKS_SUPPORTED
3022 {
3023 /* keep is currently just the per-chunk setting, if there was no
3024 * setting change it to the global default now (not that this may
3025 * still be AS_DEFAULT) then obtain the cache of the chunk if required,
3026 * if not simply skip the chunk.
3027 */
3028 if (keep == PNG_HANDLE_CHUNK_AS_DEFAULT)
3029 keep = png_ptr->unknown_default;
3030
3031 if (keep == PNG_HANDLE_CHUNK_ALWAYS ||
3032 (keep == PNG_HANDLE_CHUNK_IF_SAFE &&
3033 PNG_CHUNK_ANCILLARY(png_ptr->chunk_name)))
3034 {
3035 if (png_cache_unknown_chunk(png_ptr, length) == 0)
3036 keep = PNG_HANDLE_CHUNK_NEVER;
3037 }
3038
3039 else
3040 png_crc_finish(png_ptr, length);
3041 }
3042# else
3043# ifndef PNG_READ_USER_CHUNKS_SUPPORTED
3044# error no method to support READ_UNKNOWN_CHUNKS
3045# endif
3046
3047 {
3048 /* If here there is no read callback pointer set and no support is
3049 * compiled in to just save the unknown chunks, so simply skip this
3050 * chunk. If 'keep' is something other than AS_DEFAULT or NEVER then
3051 * the app has erroneously asked for unknown chunk saving when there
3052 * is no support.
3053 */
3054 if (keep > PNG_HANDLE_CHUNK_NEVER)
3055 png_app_error(png_ptr, "no unknown chunk support available");
3056
3057 png_crc_finish(png_ptr, length);
3058 }
3059# endif
3060
3061# ifdef PNG_STORE_UNKNOWN_CHUNKS_SUPPORTED
3062 /* Now store the chunk in the chunk list if appropriate, and if the limits
3063 * permit it.
3064 */
3065 if (keep == PNG_HANDLE_CHUNK_ALWAYS ||
3066 (keep == PNG_HANDLE_CHUNK_IF_SAFE &&
3067 PNG_CHUNK_ANCILLARY(png_ptr->chunk_name)))
3068 {
3069# ifdef PNG_USER_LIMITS_SUPPORTED
3070 switch (png_ptr->user_chunk_cache_max)
3071 {
3072 case 2:
3073 png_ptr->user_chunk_cache_max = 1;
3074 png_chunk_benign_error(png_ptr, "no space in chunk cache");
3075 /* FALLTHROUGH */
3076 case 1:
3077 /* NOTE: prior to 1.6.0 this case resulted in an unknown critical
3078 * chunk being skipped, now there will be a hard error below.
3079 */
3080 break;
3081
3082 default: /* not at limit */
3083 --(png_ptr->user_chunk_cache_max);
3084 /* FALLTHROUGH */
3085 case 0: /* no limit */
3086# endif /* USER_LIMITS */
3087 /* Here when the limit isn't reached or when limits are compiled
3088 * out; store the chunk.
3089 */
3090 png_set_unknown_chunks(png_ptr, info_ptr,
3091 &png_ptr->unknown_chunk, 1);
3092 handled = 1;
3093# ifdef PNG_USER_LIMITS_SUPPORTED
3094 break;
3095 }
3096# endif
3097 }
3098# else /* no store support: the chunk must be handled by the user callback */
3099 PNG_UNUSED(info_ptr)
3100# endif
3101
3102 /* Regardless of the error handling below the cached data (if any) can be
3103 * freed now. Notice that the data is not freed if there is a png_error, but
3104 * it will be freed by destroy_read_struct.
3105 */
3106 if (png_ptr->unknown_chunk.data != NULL)
3107 png_free(png_ptr, png_ptr->unknown_chunk.data);
3108 png_ptr->unknown_chunk.data = NULL;
3109
3110#else /* !PNG_READ_UNKNOWN_CHUNKS_SUPPORTED */
3111 /* There is no support to read an unknown chunk, so just skip it. */
3112 png_crc_finish(png_ptr, length);
3113 PNG_UNUSED(info_ptr)
3114 PNG_UNUSED(keep)
3115#endif /* !READ_UNKNOWN_CHUNKS */
3116
3117 /* Check for unhandled critical chunks */
3118 if (handled == 0 && PNG_CHUNK_CRITICAL(png_ptr->chunk_name))
3119 png_chunk_error(png_ptr, "unhandled critical chunk");
3120}
3121
3122/* This function is called to verify that a chunk name is valid.
3123 * This function can't have the "critical chunk check" incorporated
3124 * into it, since in the future we will need to be able to call user
3125 * functions to handle unknown critical chunks after we check that
3126 * the chunk name itself is valid.
3127 */
3128
3129/* Bit hacking: the test for an invalid byte in the 4 byte chunk name is:
3130 *
3131 * ((c) < 65 || (c) > 122 || ((c) > 90 && (c) < 97))
3132 */
3133
3134void /* PRIVATE */
3135png_check_chunk_name(png_const_structrp png_ptr, png_uint_32 chunk_name)
3136{
3137 int i;
3138 png_uint_32 cn=chunk_name;
3139
3140 png_debug(1, "in png_check_chunk_name");
3141
3142 for (i=1; i<=4; ++i)
3143 {
3144 int c = cn & 0xff;
3145
3146 if (c < 65 || c > 122 || (c > 90 && c < 97))
3147 png_chunk_error(png_ptr, "invalid chunk type");
3148
3149 cn >>= 8;
3150 }
3151}
3152
3153void /* PRIVATE */
3154png_check_chunk_length(png_const_structrp png_ptr, png_uint_32 length)
3155{
3156 png_alloc_size_t limit = PNG_UINT_31_MAX;
3157
3158# ifdef PNG_SET_USER_LIMITS_SUPPORTED
3159 if (png_ptr->user_chunk_malloc_max > 0 &&
3160 png_ptr->user_chunk_malloc_max < limit)
3161 limit = png_ptr->user_chunk_malloc_max;
3162# elif PNG_USER_CHUNK_MALLOC_MAX > 0
3163 if (PNG_USER_CHUNK_MALLOC_MAX < limit)
3164 limit = PNG_USER_CHUNK_MALLOC_MAX;
3165# endif
3166 if (png_ptr->chunk_name == png_IDAT)
3167 {
3168 png_alloc_size_t idat_limit = PNG_UINT_31_MAX;
3169 size_t row_factor =
3170 (size_t)png_ptr->width
3171 * (size_t)png_ptr->channels
3172 * (png_ptr->bit_depth > 8? 2: 1)
3173 + 1
3174 + (png_ptr->interlaced? 6: 0);
3175 if (png_ptr->height > PNG_UINT_32_MAX/row_factor)
3176 idat_limit = PNG_UINT_31_MAX;
3177 else
3178 idat_limit = png_ptr->height * row_factor;
3179 row_factor = row_factor > 32566? 32566 : row_factor;
3180 idat_limit += 6 + 5*(idat_limit/row_factor+1); /* zlib+deflate overhead */
3181 idat_limit=idat_limit < PNG_UINT_31_MAX? idat_limit : PNG_UINT_31_MAX;
3182 limit = limit < idat_limit? idat_limit : limit;
3183 }
3184
3185 if (length > limit)
3186 {
3187 png_debug2(0," length = %lu, limit = %lu",
3188 (unsigned long)length,(unsigned long)limit);
3189 png_benign_error(png_ptr, "chunk data is too large");
3190 }
3191}
3192
3193/* Combines the row recently read in with the existing pixels in the row. This
3194 * routine takes care of alpha and transparency if requested. This routine also
3195 * handles the two methods of progressive display of interlaced images,
3196 * depending on the 'display' value; if 'display' is true then the whole row
3197 * (dp) is filled from the start by replicating the available pixels. If
3198 * 'display' is false only those pixels present in the pass are filled in.
3199 */
3200void /* PRIVATE */
3201png_combine_row(png_const_structrp png_ptr, png_bytep dp, int display)
3202{
3203 unsigned int pixel_depth = png_ptr->transformed_pixel_depth;
3204 png_const_bytep sp = png_ptr->row_buf + 1;
3205 png_alloc_size_t row_width = png_ptr->width;
3206 unsigned int pass = png_ptr->pass;
3207 png_bytep end_ptr = 0;
3208 png_byte end_byte = 0;
3209 unsigned int end_mask;
3210
3211 png_debug(1, "in png_combine_row");
3212
3213 /* Added in 1.5.6: it should not be possible to enter this routine until at
3214 * least one row has been read from the PNG data and transformed.
3215 */
3216 if (pixel_depth == 0)
3217 png_error(png_ptr, "internal row logic error");
3218
3219 /* Added in 1.5.4: the pixel depth should match the information returned by
3220 * any call to png_read_update_info at this point. Do not continue if we got
3221 * this wrong.
3222 */
3223 if (png_ptr->info_rowbytes != 0 && png_ptr->info_rowbytes !=
3224 PNG_ROWBYTES(pixel_depth, row_width))
3225 png_error(png_ptr, "internal row size calculation error");
3226
3227 /* Don't expect this to ever happen: */
3228 if (row_width == 0)
3229 png_error(png_ptr, "internal row width error");
3230
3231 /* Preserve the last byte in cases where only part of it will be overwritten,
3232 * the multiply below may overflow, we don't care because ANSI-C guarantees
3233 * we get the low bits.
3234 */
3235 end_mask = (pixel_depth * row_width) & 7;
3236 if (end_mask != 0)
3237 {
3238 /* end_ptr == NULL is a flag to say do nothing */
3239 end_ptr = dp + PNG_ROWBYTES(pixel_depth, row_width) - 1;
3240 end_byte = *end_ptr;
3241# ifdef PNG_READ_PACKSWAP_SUPPORTED
3242 if ((png_ptr->transformations & PNG_PACKSWAP) != 0)
3243 /* little-endian byte */
3244 end_mask = (unsigned int)(0xff << end_mask);
3245
3246 else /* big-endian byte */
3247# endif
3248 end_mask = 0xff >> end_mask;
3249 /* end_mask is now the bits to *keep* from the destination row */
3250 }
3251
3252 /* For non-interlaced images this reduces to a memcpy(). A memcpy()
3253 * will also happen if interlacing isn't supported or if the application
3254 * does not call png_set_interlace_handling(). In the latter cases the
3255 * caller just gets a sequence of the unexpanded rows from each interlace
3256 * pass.
3257 */
3258#ifdef PNG_READ_INTERLACING_SUPPORTED
3259 if (png_ptr->interlaced != 0 &&
3260 (png_ptr->transformations & PNG_INTERLACE) != 0 &&
3261 pass < 6 && (display == 0 ||
3262 /* The following copies everything for 'display' on passes 0, 2 and 4. */
3263 (display == 1 && (pass & 1) != 0)))
3264 {
3265 /* Narrow images may have no bits in a pass; the caller should handle
3266 * this, but this test is cheap:
3267 */
3268 if (row_width <= PNG_PASS_START_COL(pass))
3269 return;
3270
3271 if (pixel_depth < 8)
3272 {
3273 /* For pixel depths up to 4 bpp the 8-pixel mask can be expanded to fit
3274 * into 32 bits, then a single loop over the bytes using the four byte
3275 * values in the 32-bit mask can be used. For the 'display' option the
3276 * expanded mask may also not require any masking within a byte. To
3277 * make this work the PACKSWAP option must be taken into account - it
3278 * simply requires the pixels to be reversed in each byte.
3279 *
3280 * The 'regular' case requires a mask for each of the first 6 passes,
3281 * the 'display' case does a copy for the even passes in the range
3282 * 0..6. This has already been handled in the test above.
3283 *
3284 * The masks are arranged as four bytes with the first byte to use in
3285 * the lowest bits (little-endian) regardless of the order (PACKSWAP or
3286 * not) of the pixels in each byte.
3287 *
3288 * NOTE: the whole of this logic depends on the caller of this function
3289 * only calling it on rows appropriate to the pass. This function only
3290 * understands the 'x' logic; the 'y' logic is handled by the caller.
3291 *
3292 * The following defines allow generation of compile time constant bit
3293 * masks for each pixel depth and each possibility of swapped or not
3294 * swapped bytes. Pass 'p' is in the range 0..6; 'x', a pixel index,
3295 * is in the range 0..7; and the result is 1 if the pixel is to be
3296 * copied in the pass, 0 if not. 'S' is for the sparkle method, 'B'
3297 * for the block method.
3298 *
3299 * With some compilers a compile time expression of the general form:
3300 *
3301 * (shift >= 32) ? (a >> (shift-32)) : (b >> shift)
3302 *
3303 * Produces warnings with values of 'shift' in the range 33 to 63
3304 * because the right hand side of the ?: expression is evaluated by
3305 * the compiler even though it isn't used. Microsoft Visual C (various
3306 * versions) and the Intel C compiler are known to do this. To avoid
3307 * this the following macros are used in 1.5.6. This is a temporary
3308 * solution to avoid destabilizing the code during the release process.
3309 */
3310# if PNG_USE_COMPILE_TIME_MASKS
3311# define PNG_LSR(x,s) ((x)>>((s) & 0x1f))
3312# define PNG_LSL(x,s) ((x)<<((s) & 0x1f))
3313# else
3314# define PNG_LSR(x,s) ((x)>>(s))
3315# define PNG_LSL(x,s) ((x)<<(s))
3316# endif
3317# define S_COPY(p,x) (((p)<4 ? PNG_LSR(0x80088822,(3-(p))*8+(7-(x))) :\
3318 PNG_LSR(0xaa55ff00,(7-(p))*8+(7-(x)))) & 1)
3319# define B_COPY(p,x) (((p)<4 ? PNG_LSR(0xff0fff33,(3-(p))*8+(7-(x))) :\
3320 PNG_LSR(0xff55ff00,(7-(p))*8+(7-(x)))) & 1)
3321
3322 /* Return a mask for pass 'p' pixel 'x' at depth 'd'. The mask is
3323 * little endian - the first pixel is at bit 0 - however the extra
3324 * parameter 's' can be set to cause the mask position to be swapped
3325 * within each byte, to match the PNG format. This is done by XOR of
3326 * the shift with 7, 6 or 4 for bit depths 1, 2 and 4.
3327 */
3328# define PIXEL_MASK(p,x,d,s) \
3329 (PNG_LSL(((PNG_LSL(1U,(d)))-1),(((x)*(d))^((s)?8-(d):0))))
3330
3331 /* Hence generate the appropriate 'block' or 'sparkle' pixel copy mask.
3332 */
3333# define S_MASKx(p,x,d,s) (S_COPY(p,x)?PIXEL_MASK(p,x,d,s):0)
3334# define B_MASKx(p,x,d,s) (B_COPY(p,x)?PIXEL_MASK(p,x,d,s):0)
3335
3336 /* Combine 8 of these to get the full mask. For the 1-bpp and 2-bpp
3337 * cases the result needs replicating, for the 4-bpp case the above
3338 * generates a full 32 bits.
3339 */
3340# define MASK_EXPAND(m,d) ((m)*((d)==1?0x01010101:((d)==2?0x00010001:1)))
3341
3342# define S_MASK(p,d,s) MASK_EXPAND(S_MASKx(p,0,d,s) + S_MASKx(p,1,d,s) +\
3343 S_MASKx(p,2,d,s) + S_MASKx(p,3,d,s) + S_MASKx(p,4,d,s) +\
3344 S_MASKx(p,5,d,s) + S_MASKx(p,6,d,s) + S_MASKx(p,7,d,s), d)
3345
3346# define B_MASK(p,d,s) MASK_EXPAND(B_MASKx(p,0,d,s) + B_MASKx(p,1,d,s) +\
3347 B_MASKx(p,2,d,s) + B_MASKx(p,3,d,s) + B_MASKx(p,4,d,s) +\
3348 B_MASKx(p,5,d,s) + B_MASKx(p,6,d,s) + B_MASKx(p,7,d,s), d)
3349
3350#if PNG_USE_COMPILE_TIME_MASKS
3351 /* Utility macros to construct all the masks for a depth/swap
3352 * combination. The 's' parameter says whether the format is PNG
3353 * (big endian bytes) or not. Only the three odd-numbered passes are
3354 * required for the display/block algorithm.
3355 */
3356# define S_MASKS(d,s) { S_MASK(0,d,s), S_MASK(1,d,s), S_MASK(2,d,s),\
3357 S_MASK(3,d,s), S_MASK(4,d,s), S_MASK(5,d,s) }
3358
3359# define B_MASKS(d,s) { B_MASK(1,d,s), B_MASK(3,d,s), B_MASK(5,d,s) }
3360
3361# define DEPTH_INDEX(d) ((d)==1?0:((d)==2?1:2))
3362
3363 /* Hence the pre-compiled masks indexed by PACKSWAP (or not), depth and
3364 * then pass:
3365 */
3366 static const png_uint_32 row_mask[2/*PACKSWAP*/][3/*depth*/][6] =
3367 {
3368 /* Little-endian byte masks for PACKSWAP */
3369 { S_MASKS(1,0), S_MASKS(2,0), S_MASKS(4,0) },
3370 /* Normal (big-endian byte) masks - PNG format */
3371 { S_MASKS(1,1), S_MASKS(2,1), S_MASKS(4,1) }
3372 };
3373
3374 /* display_mask has only three entries for the odd passes, so index by
3375 * pass>>1.
3376 */
3377 static const png_uint_32 display_mask[2][3][3] =
3378 {
3379 /* Little-endian byte masks for PACKSWAP */
3380 { B_MASKS(1,0), B_MASKS(2,0), B_MASKS(4,0) },
3381 /* Normal (big-endian byte) masks - PNG format */
3382 { B_MASKS(1,1), B_MASKS(2,1), B_MASKS(4,1) }
3383 };
3384
3385# define MASK(pass,depth,display,png)\
3386 ((display)?display_mask[png][DEPTH_INDEX(depth)][pass>>1]:\
3387 row_mask[png][DEPTH_INDEX(depth)][pass])
3388
3389#else /* !PNG_USE_COMPILE_TIME_MASKS */
3390 /* This is the runtime alternative: it seems unlikely that this will
3391 * ever be either smaller or faster than the compile time approach.
3392 */
3393# define MASK(pass,depth,display,png)\
3394 ((display)?B_MASK(pass,depth,png):S_MASK(pass,depth,png))
3395#endif /* !USE_COMPILE_TIME_MASKS */
3396
3397 /* Use the appropriate mask to copy the required bits. In some cases
3398 * the byte mask will be 0 or 0xff; optimize these cases. row_width is
3399 * the number of pixels, but the code copies bytes, so it is necessary
3400 * to special case the end.
3401 */
3402 png_uint_32 pixels_per_byte = 8 / pixel_depth;
3403 png_uint_32 mask;
3404
3405# ifdef PNG_READ_PACKSWAP_SUPPORTED
3406 if ((png_ptr->transformations & PNG_PACKSWAP) != 0)
3407 mask = MASK(pass, pixel_depth, display, 0);
3408
3409 else
3410# endif
3411 mask = MASK(pass, pixel_depth, display, 1);
3412
3413 for (;;)
3414 {
3415 png_uint_32 m;
3416
3417 /* It doesn't matter in the following if png_uint_32 has more than
3418 * 32 bits because the high bits always match those in m<<24; it is,
3419 * however, essential to use OR here, not +, because of this.
3420 */
3421 m = mask;
3422 mask = (m >> 8) | (m << 24); /* rotate right to good compilers */
3423 m &= 0xff;
3424
3425 if (m != 0) /* something to copy */
3426 {
3427 if (m != 0xff)
3428 *dp = (png_byte)((*dp & ~m) | (*sp & m));
3429 else
3430 *dp = *sp;
3431 }
3432
3433 /* NOTE: this may overwrite the last byte with garbage if the image
3434 * is not an exact number of bytes wide; libpng has always done
3435 * this.
3436 */
3437 if (row_width <= pixels_per_byte)
3438 break; /* May need to restore part of the last byte */
3439
3440 row_width -= pixels_per_byte;
3441 ++dp;
3442 ++sp;
3443 }
3444 }
3445
3446 else /* pixel_depth >= 8 */
3447 {
3448 unsigned int bytes_to_copy, bytes_to_jump;
3449
3450 /* Validate the depth - it must be a multiple of 8 */
3451 if (pixel_depth & 7)
3452 png_error(png_ptr, "invalid user transform pixel depth");
3453
3454 pixel_depth >>= 3; /* now in bytes */
3455 row_width *= pixel_depth;
3456
3457 /* Regardless of pass number the Adam 7 interlace always results in a
3458 * fixed number of pixels to copy then to skip. There may be a
3459 * different number of pixels to skip at the start though.
3460 */
3461 {
3462 unsigned int offset = PNG_PASS_START_COL(pass) * pixel_depth;
3463
3464 row_width -= offset;
3465 dp += offset;
3466 sp += offset;
3467 }
3468
3469 /* Work out the bytes to copy. */
3470 if (display != 0)
3471 {
3472 /* When doing the 'block' algorithm the pixel in the pass gets
3473 * replicated to adjacent pixels. This is why the even (0,2,4,6)
3474 * passes are skipped above - the entire expanded row is copied.
3475 */
3476 bytes_to_copy = (1<<((6-pass)>>1)) * pixel_depth;
3477
3478 /* But don't allow this number to exceed the actual row width. */
3479 if (bytes_to_copy > row_width)
3480 bytes_to_copy = (unsigned int)/*SAFE*/row_width;
3481 }
3482
3483 else /* normal row; Adam7 only ever gives us one pixel to copy. */
3484 bytes_to_copy = pixel_depth;
3485
3486 /* In Adam7 there is a constant offset between where the pixels go. */
3487 bytes_to_jump = PNG_PASS_COL_OFFSET(pass) * pixel_depth;
3488
3489 /* And simply copy these bytes. Some optimization is possible here,
3490 * depending on the value of 'bytes_to_copy'. Special case the low
3491 * byte counts, which we know to be frequent.
3492 *
3493 * Notice that these cases all 'return' rather than 'break' - this
3494 * avoids an unnecessary test on whether to restore the last byte
3495 * below.
3496 */
3497 switch (bytes_to_copy)
3498 {
3499 case 1:
3500 for (;;)
3501 {
3502 *dp = *sp;
3503
3504 if (row_width <= bytes_to_jump)
3505 return;
3506
3507 dp += bytes_to_jump;
3508 sp += bytes_to_jump;
3509 row_width -= bytes_to_jump;
3510 }
3511
3512 case 2:
3513 /* There is a possibility of a partial copy at the end here; this
3514 * slows the code down somewhat.
3515 */
3516 do
3517 {
3518 dp[0] = sp[0]; dp[1] = sp[1];
3519
3520 if (row_width <= bytes_to_jump)
3521 return;
3522
3523 sp += bytes_to_jump;
3524 dp += bytes_to_jump;
3525 row_width -= bytes_to_jump;
3526 }
3527 while (row_width > 1);
3528
3529 /* And there can only be one byte left at this point: */
3530 *dp = *sp;
3531 return;
3532
3533 case 3:
3534 /* This can only be the RGB case, so each copy is exactly one
3535 * pixel and it is not necessary to check for a partial copy.
3536 */
3537 for (;;)
3538 {
3539 dp[0] = sp[0]; dp[1] = sp[1]; dp[2] = sp[2];
3540
3541 if (row_width <= bytes_to_jump)
3542 return;
3543
3544 sp += bytes_to_jump;
3545 dp += bytes_to_jump;
3546 row_width -= bytes_to_jump;
3547 }
3548
3549 default:
3550#if PNG_ALIGN_TYPE != PNG_ALIGN_NONE
3551 /* Check for double byte alignment and, if possible, use a
3552 * 16-bit copy. Don't attempt this for narrow images - ones that
3553 * are less than an interlace panel wide. Don't attempt it for
3554 * wide bytes_to_copy either - use the memcpy there.
3555 */
3556 if (bytes_to_copy < 16 /*else use memcpy*/ &&
3557 png_isaligned(dp, png_uint_16) &&
3558 png_isaligned(sp, png_uint_16) &&
3559 bytes_to_copy % (sizeof (png_uint_16)) == 0 &&
3560 bytes_to_jump % (sizeof (png_uint_16)) == 0)
3561 {
3562 /* Everything is aligned for png_uint_16 copies, but try for
3563 * png_uint_32 first.
3564 */
3565 if (png_isaligned(dp, png_uint_32) &&
3566 png_isaligned(sp, png_uint_32) &&
3567 bytes_to_copy % (sizeof (png_uint_32)) == 0 &&
3568 bytes_to_jump % (sizeof (png_uint_32)) == 0)
3569 {
3570 png_uint_32p dp32 = png_aligncast(png_uint_32p,dp);
3571 png_const_uint_32p sp32 = png_aligncastconst(
3572 png_const_uint_32p, sp);
3573 size_t skip = (bytes_to_jump-bytes_to_copy) /
3574 (sizeof (png_uint_32));
3575
3576 do
3577 {
3578 size_t c = bytes_to_copy;
3579 do
3580 {
3581 *dp32++ = *sp32++;
3582 c -= (sizeof (png_uint_32));
3583 }
3584 while (c > 0);
3585
3586 if (row_width <= bytes_to_jump)
3587 return;
3588
3589 dp32 += skip;
3590 sp32 += skip;
3591 row_width -= bytes_to_jump;
3592 }
3593 while (bytes_to_copy <= row_width);
3594
3595 /* Get to here when the row_width truncates the final copy.
3596 * There will be 1-3 bytes left to copy, so don't try the
3597 * 16-bit loop below.
3598 */
3599 dp = (png_bytep)dp32;
3600 sp = (png_const_bytep)sp32;
3601 do
3602 *dp++ = *sp++;
3603 while (--row_width > 0);
3604 return;
3605 }
3606
3607 /* Else do it in 16-bit quantities, but only if the size is
3608 * not too large.
3609 */
3610 else
3611 {
3612 png_uint_16p dp16 = png_aligncast(png_uint_16p, dp);
3613 png_const_uint_16p sp16 = png_aligncastconst(
3614 png_const_uint_16p, sp);
3615 size_t skip = (bytes_to_jump-bytes_to_copy) /
3616 (sizeof (png_uint_16));
3617
3618 do
3619 {
3620 size_t c = bytes_to_copy;
3621 do
3622 {
3623 *dp16++ = *sp16++;
3624 c -= (sizeof (png_uint_16));
3625 }
3626 while (c > 0);
3627
3628 if (row_width <= bytes_to_jump)
3629 return;
3630
3631 dp16 += skip;
3632 sp16 += skip;
3633 row_width -= bytes_to_jump;
3634 }
3635 while (bytes_to_copy <= row_width);
3636
3637 /* End of row - 1 byte left, bytes_to_copy > row_width: */
3638 dp = (png_bytep)dp16;
3639 sp = (png_const_bytep)sp16;
3640 do
3641 *dp++ = *sp++;
3642 while (--row_width > 0);
3643 return;
3644 }
3645 }
3646#endif /* ALIGN_TYPE code */
3647
3648 /* The true default - use a memcpy: */
3649 for (;;)
3650 {
3651 memcpy(dp, sp, bytes_to_copy);
3652
3653 if (row_width <= bytes_to_jump)
3654 return;
3655
3656 sp += bytes_to_jump;
3657 dp += bytes_to_jump;
3658 row_width -= bytes_to_jump;
3659 if (bytes_to_copy > row_width)
3660 bytes_to_copy = (unsigned int)/*SAFE*/row_width;
3661 }
3662 }
3663
3664 /* NOT REACHED*/
3665 } /* pixel_depth >= 8 */
3666
3667 /* Here if pixel_depth < 8 to check 'end_ptr' below. */
3668 }
3669 else
3670#endif /* READ_INTERLACING */
3671
3672 /* If here then the switch above wasn't used so just memcpy the whole row
3673 * from the temporary row buffer (notice that this overwrites the end of the
3674 * destination row if it is a partial byte.)
3675 */
3676 memcpy(dp, sp, PNG_ROWBYTES(pixel_depth, row_width));
3677
3678 /* Restore the overwritten bits from the last byte if necessary. */
3679 if (end_ptr != NULL)
3680 *end_ptr = (png_byte)((end_byte & end_mask) | (*end_ptr & ~end_mask));
3681}
3682
3683#ifdef PNG_READ_INTERLACING_SUPPORTED
3684void /* PRIVATE */
3685png_do_read_interlace(png_row_infop row_info, png_bytep row, int pass,
3686 png_uint_32 transformations /* Because these may affect the byte layout */)
3687{
3688 /* Arrays to facilitate easy interlacing - use pass (0 - 6) as index */
3689 /* Offset to next interlace block */
3690 static const unsigned int png_pass_inc[7] = {8, 8, 4, 4, 2, 2, 1};
3691
3692 png_debug(1, "in png_do_read_interlace");
3693 if (row != NULL && row_info != NULL)
3694 {
3695 png_uint_32 final_width;
3696
3697 final_width = row_info->width * png_pass_inc[pass];
3698
3699 switch (row_info->pixel_depth)
3700 {
3701 case 1:
3702 {
3703 png_bytep sp = row + (size_t)((row_info->width - 1) >> 3);
3704 png_bytep dp = row + (size_t)((final_width - 1) >> 3);
3705 unsigned int sshift, dshift;
3706 unsigned int s_start, s_end;
3707 int s_inc;
3708 int jstop = (int)png_pass_inc[pass];
3709 png_byte v;
3710 png_uint_32 i;
3711 int j;
3712
3713#ifdef PNG_READ_PACKSWAP_SUPPORTED
3714 if ((transformations & PNG_PACKSWAP) != 0)
3715 {
3716 sshift = ((row_info->width + 7) & 0x07);
3717 dshift = ((final_width + 7) & 0x07);
3718 s_start = 7;
3719 s_end = 0;
3720 s_inc = -1;
3721 }
3722
3723 else
3724#endif
3725 {
3726 sshift = 7 - ((row_info->width + 7) & 0x07);
3727 dshift = 7 - ((final_width + 7) & 0x07);
3728 s_start = 0;
3729 s_end = 7;
3730 s_inc = 1;
3731 }
3732
3733 for (i = 0; i < row_info->width; i++)
3734 {
3735 v = (png_byte)((*sp >> sshift) & 0x01);
3736 for (j = 0; j < jstop; j++)
3737 {
3738 unsigned int tmp = *dp & (0x7f7f >> (7 - dshift));
3739 tmp |= (unsigned int)(v << dshift);
3740 *dp = (png_byte)(tmp & 0xff);
3741
3742 if (dshift == s_end)
3743 {
3744 dshift = s_start;
3745 dp--;
3746 }
3747
3748 else
3749 dshift = (unsigned int)((int)dshift + s_inc);
3750 }
3751
3752 if (sshift == s_end)
3753 {
3754 sshift = s_start;
3755 sp--;
3756 }
3757
3758 else
3759 sshift = (unsigned int)((int)sshift + s_inc);
3760 }
3761 break;
3762 }
3763
3764 case 2:
3765 {
3766 png_bytep sp = row + (png_uint_32)((row_info->width - 1) >> 2);
3767 png_bytep dp = row + (png_uint_32)((final_width - 1) >> 2);
3768 unsigned int sshift, dshift;
3769 unsigned int s_start, s_end;
3770 int s_inc;
3771 int jstop = (int)png_pass_inc[pass];
3772 png_uint_32 i;
3773
3774#ifdef PNG_READ_PACKSWAP_SUPPORTED
3775 if ((transformations & PNG_PACKSWAP) != 0)
3776 {
3777 sshift = (((row_info->width + 3) & 0x03) << 1);
3778 dshift = (((final_width + 3) & 0x03) << 1);
3779 s_start = 6;
3780 s_end = 0;
3781 s_inc = -2;
3782 }
3783
3784 else
3785#endif
3786 {
3787 sshift = ((3 - ((row_info->width + 3) & 0x03)) << 1);
3788 dshift = ((3 - ((final_width + 3) & 0x03)) << 1);
3789 s_start = 0;
3790 s_end = 6;
3791 s_inc = 2;
3792 }
3793
3794 for (i = 0; i < row_info->width; i++)
3795 {
3796 png_byte v;
3797 int j;
3798
3799 v = (png_byte)((*sp >> sshift) & 0x03);
3800 for (j = 0; j < jstop; j++)
3801 {
3802 unsigned int tmp = *dp & (0x3f3f >> (6 - dshift));
3803 tmp |= (unsigned int)(v << dshift);
3804 *dp = (png_byte)(tmp & 0xff);
3805
3806 if (dshift == s_end)
3807 {
3808 dshift = s_start;
3809 dp--;
3810 }
3811
3812 else
3813 dshift = (unsigned int)((int)dshift + s_inc);
3814 }
3815
3816 if (sshift == s_end)
3817 {
3818 sshift = s_start;
3819 sp--;
3820 }
3821
3822 else
3823 sshift = (unsigned int)((int)sshift + s_inc);
3824 }
3825 break;
3826 }
3827
3828 case 4:
3829 {
3830 png_bytep sp = row + (size_t)((row_info->width - 1) >> 1);
3831 png_bytep dp = row + (size_t)((final_width - 1) >> 1);
3832 unsigned int sshift, dshift;
3833 unsigned int s_start, s_end;
3834 int s_inc;
3835 png_uint_32 i;
3836 int jstop = (int)png_pass_inc[pass];
3837
3838#ifdef PNG_READ_PACKSWAP_SUPPORTED
3839 if ((transformations & PNG_PACKSWAP) != 0)
3840 {
3841 sshift = (((row_info->width + 1) & 0x01) << 2);
3842 dshift = (((final_width + 1) & 0x01) << 2);
3843 s_start = 4;
3844 s_end = 0;
3845 s_inc = -4;
3846 }
3847
3848 else
3849#endif
3850 {
3851 sshift = ((1 - ((row_info->width + 1) & 0x01)) << 2);
3852 dshift = ((1 - ((final_width + 1) & 0x01)) << 2);
3853 s_start = 0;
3854 s_end = 4;
3855 s_inc = 4;
3856 }
3857
3858 for (i = 0; i < row_info->width; i++)
3859 {
3860 png_byte v = (png_byte)((*sp >> sshift) & 0x0f);
3861 int j;
3862
3863 for (j = 0; j < jstop; j++)
3864 {
3865 unsigned int tmp = *dp & (0xf0f >> (4 - dshift));
3866 tmp |= (unsigned int)(v << dshift);
3867 *dp = (png_byte)(tmp & 0xff);
3868
3869 if (dshift == s_end)
3870 {
3871 dshift = s_start;
3872 dp--;
3873 }
3874
3875 else
3876 dshift = (unsigned int)((int)dshift + s_inc);
3877 }
3878
3879 if (sshift == s_end)
3880 {
3881 sshift = s_start;
3882 sp--;
3883 }
3884
3885 else
3886 sshift = (unsigned int)((int)sshift + s_inc);
3887 }
3888 break;
3889 }
3890
3891 default:
3892 {
3893 size_t pixel_bytes = (row_info->pixel_depth >> 3);
3894
3895 png_bytep sp = row + (size_t)(row_info->width - 1)
3896 * pixel_bytes;
3897
3898 png_bytep dp = row + (size_t)(final_width - 1) * pixel_bytes;
3899
3900 int jstop = (int)png_pass_inc[pass];
3901 png_uint_32 i;
3902
3903 for (i = 0; i < row_info->width; i++)
3904 {
3905 png_byte v[8]; /* SAFE; pixel_depth does not exceed 64 */
3906 int j;
3907
3908 memcpy(v, sp, pixel_bytes);
3909
3910 for (j = 0; j < jstop; j++)
3911 {
3912 memcpy(dp, v, pixel_bytes);
3913 dp -= pixel_bytes;
3914 }
3915
3916 sp -= pixel_bytes;
3917 }
3918 break;
3919 }
3920 }
3921
3922 row_info->width = final_width;
3923 row_info->rowbytes = PNG_ROWBYTES(row_info->pixel_depth, final_width);
3924 }
3925#ifndef PNG_READ_PACKSWAP_SUPPORTED
3926 PNG_UNUSED(transformations) /* Silence compiler warning */
3927#endif
3928}
3929#endif /* READ_INTERLACING */
3930
3931static void
3932png_read_filter_row_sub(png_row_infop row_info, png_bytep row,
3933 png_const_bytep prev_row)
3934{
3935 size_t i;
3936 size_t istop = row_info->rowbytes;
3937 unsigned int bpp = (row_info->pixel_depth + 7) >> 3;
3938 png_bytep rp = row + bpp;
3939
3940 PNG_UNUSED(prev_row)
3941
3942 for (i = bpp; i < istop; i++)
3943 {
3944 *rp = (png_byte)(((int)(*rp) + (int)(*(rp-bpp))) & 0xff);
3945 rp++;
3946 }
3947}
3948
3949static void
3950png_read_filter_row_up(png_row_infop row_info, png_bytep row,
3951 png_const_bytep prev_row)
3952{
3953 size_t i;
3954 size_t istop = row_info->rowbytes;
3955 png_bytep rp = row;
3956 png_const_bytep pp = prev_row;
3957
3958 for (i = 0; i < istop; i++)
3959 {
3960 *rp = (png_byte)(((int)(*rp) + (int)(*pp++)) & 0xff);
3961 rp++;
3962 }
3963}
3964
3965static void
3966png_read_filter_row_avg(png_row_infop row_info, png_bytep row,
3967 png_const_bytep prev_row)
3968{
3969 size_t i;
3970 png_bytep rp = row;
3971 png_const_bytep pp = prev_row;
3972 unsigned int bpp = (row_info->pixel_depth + 7) >> 3;
3973 size_t istop = row_info->rowbytes - bpp;
3974
3975 for (i = 0; i < bpp; i++)
3976 {
3977 *rp = (png_byte)(((int)(*rp) +
3978 ((int)(*pp++) / 2 )) & 0xff);
3979
3980 rp++;
3981 }
3982
3983 for (i = 0; i < istop; i++)
3984 {
3985 *rp = (png_byte)(((int)(*rp) +
3986 (int)(*pp++ + *(rp-bpp)) / 2 ) & 0xff);
3987
3988 rp++;
3989 }
3990}
3991
3992static void
3993png_read_filter_row_paeth_1byte_pixel(png_row_infop row_info, png_bytep row,
3994 png_const_bytep prev_row)
3995{
3996 png_bytep rp_end = row + row_info->rowbytes;
3997 int a, c;
3998
3999 /* First pixel/byte */
4000 c = *prev_row++;
4001 a = *row + c;
4002 *row++ = (png_byte)a;
4003
4004 /* Remainder */
4005 while (row < rp_end)
4006 {
4007 int b, pa, pb, pc, p;
4008
4009 a &= 0xff; /* From previous iteration or start */
4010 b = *prev_row++;
4011
4012 p = b - c;
4013 pc = a - c;
4014
4015#ifdef PNG_USE_ABS
4016 pa = abs(p);
4017 pb = abs(pc);
4018 pc = abs(p + pc);
4019#else
4020 pa = p < 0 ? -p : p;
4021 pb = pc < 0 ? -pc : pc;
4022 pc = (p + pc) < 0 ? -(p + pc) : p + pc;
4023#endif
4024
4025 /* Find the best predictor, the least of pa, pb, pc favoring the earlier
4026 * ones in the case of a tie.
4027 */
4028 if (pb < pa)
4029 {
4030 pa = pb; a = b;
4031 }
4032 if (pc < pa) a = c;
4033
4034 /* Calculate the current pixel in a, and move the previous row pixel to c
4035 * for the next time round the loop
4036 */
4037 c = b;
4038 a += *row;
4039 *row++ = (png_byte)a;
4040 }
4041}
4042
4043static void
4044png_read_filter_row_paeth_multibyte_pixel(png_row_infop row_info, png_bytep row,
4045 png_const_bytep prev_row)
4046{
4047 unsigned int bpp = (row_info->pixel_depth + 7) >> 3;
4048 png_bytep rp_end = row + bpp;
4049
4050 /* Process the first pixel in the row completely (this is the same as 'up'
4051 * because there is only one candidate predictor for the first row).
4052 */
4053 while (row < rp_end)
4054 {
4055 int a = *row + *prev_row++;
4056 *row++ = (png_byte)a;
4057 }
4058
4059 /* Remainder */
4060 rp_end = rp_end + (row_info->rowbytes - bpp);
4061
4062 while (row < rp_end)
4063 {
4064 int a, b, c, pa, pb, pc, p;
4065
4066 c = *(prev_row - bpp);
4067 a = *(row - bpp);
4068 b = *prev_row++;
4069
4070 p = b - c;
4071 pc = a - c;
4072
4073#ifdef PNG_USE_ABS
4074 pa = abs(p);
4075 pb = abs(pc);
4076 pc = abs(p + pc);
4077#else
4078 pa = p < 0 ? -p : p;
4079 pb = pc < 0 ? -pc : pc;
4080 pc = (p + pc) < 0 ? -(p + pc) : p + pc;
4081#endif
4082
4083 if (pb < pa)
4084 {
4085 pa = pb; a = b;
4086 }
4087 if (pc < pa) a = c;
4088
4089 a += *row;
4090 *row++ = (png_byte)a;
4091 }
4092}
4093
4094static void
4095png_init_filter_functions(png_structrp pp)
4096 /* This function is called once for every PNG image (except for PNG images
4097 * that only use PNG_FILTER_VALUE_NONE for all rows) to set the
4098 * implementations required to reverse the filtering of PNG rows. Reversing
4099 * the filter is the first transformation performed on the row data. It is
4100 * performed in place, therefore an implementation can be selected based on
4101 * the image pixel format. If the implementation depends on image width then
4102 * take care to ensure that it works correctly if the image is interlaced -
4103 * interlacing causes the actual row width to vary.
4104 */
4105{
4106 unsigned int bpp = (pp->pixel_depth + 7) >> 3;
4107
4108 pp->read_filter[PNG_FILTER_VALUE_SUB-1] = png_read_filter_row_sub;
4109 pp->read_filter[PNG_FILTER_VALUE_UP-1] = png_read_filter_row_up;
4110 pp->read_filter[PNG_FILTER_VALUE_AVG-1] = png_read_filter_row_avg;
4111 if (bpp == 1)
4112 pp->read_filter[PNG_FILTER_VALUE_PAETH-1] =
4113 png_read_filter_row_paeth_1byte_pixel;
4114 else
4115 pp->read_filter[PNG_FILTER_VALUE_PAETH-1] =
4116 png_read_filter_row_paeth_multibyte_pixel;
4117
4118#ifdef PNG_FILTER_OPTIMIZATIONS
4119 /* To use this define PNG_FILTER_OPTIMIZATIONS as the name of a function to
4120 * call to install hardware optimizations for the above functions; simply
4121 * replace whatever elements of the pp->read_filter[] array with a hardware
4122 * specific (or, for that matter, generic) optimization.
4123 *
4124 * To see an example of this examine what configure.ac does when
4125 * --enable-arm-neon is specified on the command line.
4126 */
4127 PNG_FILTER_OPTIMIZATIONS(pp, bpp);
4128#endif
4129}
4130
4131void /* PRIVATE */
4132png_read_filter_row(png_structrp pp, png_row_infop row_info, png_bytep row,
4133 png_const_bytep prev_row, int filter)
4134{
4135 /* OPTIMIZATION: DO NOT MODIFY THIS FUNCTION, instead #define
4136 * PNG_FILTER_OPTIMIZATIONS to a function that overrides the generic
4137 * implementations. See png_init_filter_functions above.
4138 */
4139 if (filter > PNG_FILTER_VALUE_NONE && filter < PNG_FILTER_VALUE_LAST)
4140 {
4141 if (pp->read_filter[0] == NULL)
4142 png_init_filter_functions(pp);
4143
4144 pp->read_filter[filter-1](row_info, row, prev_row);
4145 }
4146}
4147
4148#ifdef PNG_SEQUENTIAL_READ_SUPPORTED
4149void /* PRIVATE */
4150png_read_IDAT_data(png_structrp png_ptr, png_bytep output,
4151 png_alloc_size_t avail_out)
4152{
4153 /* Loop reading IDATs and decompressing the result into output[avail_out] */
4154 png_ptr->zstream.next_out = output;
4155 png_ptr->zstream.avail_out = 0; /* safety: set below */
4156
4157 if (output == NULL)
4158 avail_out = 0;
4159
4160 do
4161 {
4162 int ret;
4163 png_byte tmpbuf[PNG_INFLATE_BUF_SIZE];
4164
4165 if (png_ptr->zstream.avail_in == 0)
4166 {
4167 uInt avail_in;
4168 png_bytep buffer;
4169
4170 while (png_ptr->idat_size == 0)
4171 {
4172 png_crc_finish(png_ptr, 0);
4173
4174 png_ptr->idat_size = png_read_chunk_header(png_ptr);
4175 /* This is an error even in the 'check' case because the code just
4176 * consumed a non-IDAT header.
4177 */
4178 if (png_ptr->chunk_name != png_IDAT)
4179 png_error(png_ptr, "Not enough image data");
4180 }
4181
4182 avail_in = png_ptr->IDAT_read_size;
4183
4184 if (avail_in > png_ptr->idat_size)
4185 avail_in = (uInt)png_ptr->idat_size;
4186
4187 /* A PNG with a gradually increasing IDAT size will defeat this attempt
4188 * to minimize memory usage by causing lots of re-allocs, but
4189 * realistically doing IDAT_read_size re-allocs is not likely to be a
4190 * big problem.
4191 */
4192 buffer = png_read_buffer(png_ptr, avail_in, 0/*error*/);
4193
4194 png_crc_read(png_ptr, buffer, avail_in);
4195 png_ptr->idat_size -= avail_in;
4196
4197 png_ptr->zstream.next_in = buffer;
4198 png_ptr->zstream.avail_in = avail_in;
4199 }
4200
4201 /* And set up the output side. */
4202 if (output != NULL) /* standard read */
4203 {
4204 uInt out = ZLIB_IO_MAX;
4205
4206 if (out > avail_out)
4207 out = (uInt)avail_out;
4208
4209 avail_out -= out;
4210 png_ptr->zstream.avail_out = out;
4211 }
4212
4213 else /* after last row, checking for end */
4214 {
4215 png_ptr->zstream.next_out = tmpbuf;
4216 png_ptr->zstream.avail_out = (sizeof tmpbuf);
4217 }
4218
4219 /* Use NO_FLUSH; this gives zlib the maximum opportunity to optimize the
4220 * process. If the LZ stream is truncated the sequential reader will
4221 * terminally damage the stream, above, by reading the chunk header of the
4222 * following chunk (it then exits with png_error).
4223 *
4224 * TODO: deal more elegantly with truncated IDAT lists.
4225 */
4226 ret = PNG_INFLATE(png_ptr, Z_NO_FLUSH);
4227
4228 /* Take the unconsumed output back. */
4229 if (output != NULL)
4230 avail_out += png_ptr->zstream.avail_out;
4231
4232 else /* avail_out counts the extra bytes */
4233 avail_out += (sizeof tmpbuf) - png_ptr->zstream.avail_out;
4234
4235 png_ptr->zstream.avail_out = 0;
4236
4237 if (ret == Z_STREAM_END)
4238 {
4239 /* Do this for safety; we won't read any more into this row. */
4240 png_ptr->zstream.next_out = NULL;
4241
4242 png_ptr->mode |= PNG_AFTER_IDAT;
4243 png_ptr->flags |= PNG_FLAG_ZSTREAM_ENDED;
4244
4245 if (png_ptr->zstream.avail_in > 0 || png_ptr->idat_size > 0)
4246 png_chunk_benign_error(png_ptr, "Extra compressed data");
4247 break;
4248 }
4249
4250 if (ret != Z_OK)
4251 {
4252 png_zstream_error(png_ptr, ret);
4253
4254 if (output != NULL)
4255 png_chunk_error(png_ptr, png_ptr->zstream.msg);
4256
4257 else /* checking */
4258 {
4259 png_chunk_benign_error(png_ptr, png_ptr->zstream.msg);
4260 return;
4261 }
4262 }
4263 } while (avail_out > 0);
4264
4265 if (avail_out > 0)
4266 {
4267 /* The stream ended before the image; this is the same as too few IDATs so
4268 * should be handled the same way.
4269 */
4270 if (output != NULL)
4271 png_error(png_ptr, "Not enough image data");
4272
4273 else /* the deflate stream contained extra data */
4274 png_chunk_benign_error(png_ptr, "Too much image data");
4275 }
4276}
4277
4278void /* PRIVATE */
4279png_read_finish_IDAT(png_structrp png_ptr)
4280{
4281 /* We don't need any more data and the stream should have ended, however the
4282 * LZ end code may actually not have been processed. In this case we must
4283 * read it otherwise stray unread IDAT data or, more likely, an IDAT chunk
4284 * may still remain to be consumed.
4285 */
4286 if ((png_ptr->flags & PNG_FLAG_ZSTREAM_ENDED) == 0)
4287 {
4288 /* The NULL causes png_read_IDAT_data to swallow any remaining bytes in
4289 * the compressed stream, but the stream may be damaged too, so even after
4290 * this call we may need to terminate the zstream ownership.
4291 */
4292 png_read_IDAT_data(png_ptr, NULL, 0);
4293 png_ptr->zstream.next_out = NULL; /* safety */
4294
4295 /* Now clear everything out for safety; the following may not have been
4296 * done.
4297 */
4298 if ((png_ptr->flags & PNG_FLAG_ZSTREAM_ENDED) == 0)
4299 {
4300 png_ptr->mode |= PNG_AFTER_IDAT;
4301 png_ptr->flags |= PNG_FLAG_ZSTREAM_ENDED;
4302 }
4303 }
4304
4305 /* If the zstream has not been released do it now *and* terminate the reading
4306 * of the final IDAT chunk.
4307 */
4308 if (png_ptr->zowner == png_IDAT)
4309 {
4310 /* Always do this; the pointers otherwise point into the read buffer. */
4311 png_ptr->zstream.next_in = NULL;
4312 png_ptr->zstream.avail_in = 0;
4313
4314 /* Now we no longer own the zstream. */
4315 png_ptr->zowner = 0;
4316
4317 /* The slightly weird semantics of the sequential IDAT reading is that we
4318 * are always in or at the end of an IDAT chunk, so we always need to do a
4319 * crc_finish here. If idat_size is non-zero we also need to read the
4320 * spurious bytes at the end of the chunk now.
4321 */
4322 (void)png_crc_finish(png_ptr, png_ptr->idat_size);
4323 }
4324}
4325
4326void /* PRIVATE */
4327png_read_finish_row(png_structrp png_ptr)
4328{
4329 /* Arrays to facilitate easy interlacing - use pass (0 - 6) as index */
4330
4331 /* Start of interlace block */
4332 static const png_byte png_pass_start[7] = {0, 4, 0, 2, 0, 1, 0};
4333
4334 /* Offset to next interlace block */
4335 static const png_byte png_pass_inc[7] = {8, 8, 4, 4, 2, 2, 1};
4336
4337 /* Start of interlace block in the y direction */
4338 static const png_byte png_pass_ystart[7] = {0, 0, 4, 0, 2, 0, 1};
4339
4340 /* Offset to next interlace block in the y direction */
4341 static const png_byte png_pass_yinc[7] = {8, 8, 8, 4, 4, 2, 2};
4342
4343 png_debug(1, "in png_read_finish_row");
4344 png_ptr->row_number++;
4345 if (png_ptr->row_number < png_ptr->num_rows)
4346 return;
4347
4348 if (png_ptr->interlaced != 0)
4349 {
4350 png_ptr->row_number = 0;
4351
4352 /* TO DO: don't do this if prev_row isn't needed (requires
4353 * read-ahead of the next row's filter byte.
4354 */
4355 memset(png_ptr->prev_row, 0, png_ptr->rowbytes + 1);
4356
4357 do
4358 {
4359 png_ptr->pass++;
4360
4361 if (png_ptr->pass >= 7)
4362 break;
4363
4364 png_ptr->iwidth = (png_ptr->width +
4365 png_pass_inc[png_ptr->pass] - 1 -
4366 png_pass_start[png_ptr->pass]) /
4367 png_pass_inc[png_ptr->pass];
4368
4369 if ((png_ptr->transformations & PNG_INTERLACE) == 0)
4370 {
4371 png_ptr->num_rows = (png_ptr->height +
4372 png_pass_yinc[png_ptr->pass] - 1 -
4373 png_pass_ystart[png_ptr->pass]) /
4374 png_pass_yinc[png_ptr->pass];
4375 }
4376
4377 else /* if (png_ptr->transformations & PNG_INTERLACE) */
4378 break; /* libpng deinterlacing sees every row */
4379
4380 } while (png_ptr->num_rows == 0 || png_ptr->iwidth == 0);
4381
4382 if (png_ptr->pass < 7)
4383 return;
4384 }
4385
4386 /* Here after at the end of the last row of the last pass. */
4387 png_read_finish_IDAT(png_ptr);
4388}
4389#endif /* SEQUENTIAL_READ */
4390
4391void /* PRIVATE */
4392png_read_start_row(png_structrp png_ptr)
4393{
4394 /* Arrays to facilitate easy interlacing - use pass (0 - 6) as index */
4395
4396 /* Start of interlace block */
4397 static const png_byte png_pass_start[7] = {0, 4, 0, 2, 0, 1, 0};
4398
4399 /* Offset to next interlace block */
4400 static const png_byte png_pass_inc[7] = {8, 8, 4, 4, 2, 2, 1};
4401
4402 /* Start of interlace block in the y direction */
4403 static const png_byte png_pass_ystart[7] = {0, 0, 4, 0, 2, 0, 1};
4404
4405 /* Offset to next interlace block in the y direction */
4406 static const png_byte png_pass_yinc[7] = {8, 8, 8, 4, 4, 2, 2};
4407
4408 unsigned int max_pixel_depth;
4409 size_t row_bytes;
4410
4411 png_debug(1, "in png_read_start_row");
4412
4413#ifdef PNG_READ_TRANSFORMS_SUPPORTED
4414 png_init_read_transformations(png_ptr);
4415#endif
4416 if (png_ptr->interlaced != 0)
4417 {
4418 if ((png_ptr->transformations & PNG_INTERLACE) == 0)
4419 png_ptr->num_rows = (png_ptr->height + png_pass_yinc[0] - 1 -
4420 png_pass_ystart[0]) / png_pass_yinc[0];
4421
4422 else
4423 png_ptr->num_rows = png_ptr->height;
4424
4425 png_ptr->iwidth = (png_ptr->width +
4426 png_pass_inc[png_ptr->pass] - 1 -
4427 png_pass_start[png_ptr->pass]) /
4428 png_pass_inc[png_ptr->pass];
4429 }
4430
4431 else
4432 {
4433 png_ptr->num_rows = png_ptr->height;
4434 png_ptr->iwidth = png_ptr->width;
4435 }
4436
4437 max_pixel_depth = (unsigned int)png_ptr->pixel_depth;
4438
4439 /* WARNING: * png_read_transform_info (pngrtran.c) performs a simpler set of
4440 * calculations to calculate the final pixel depth, then
4441 * png_do_read_transforms actually does the transforms. This means that the
4442 * code which effectively calculates this value is actually repeated in three
4443 * separate places. They must all match. Innocent changes to the order of
4444 * transformations can and will break libpng in a way that causes memory
4445 * overwrites.
4446 *
4447 * TODO: fix this.
4448 */
4449#ifdef PNG_READ_PACK_SUPPORTED
4450 if ((png_ptr->transformations & PNG_PACK) != 0 && png_ptr->bit_depth < 8)
4451 max_pixel_depth = 8;
4452#endif
4453
4454#ifdef PNG_READ_EXPAND_SUPPORTED
4455 if ((png_ptr->transformations & PNG_EXPAND) != 0)
4456 {
4457 if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
4458 {
4459 if (png_ptr->num_trans != 0)
4460 max_pixel_depth = 32;
4461
4462 else
4463 max_pixel_depth = 24;
4464 }
4465
4466 else if (png_ptr->color_type == PNG_COLOR_TYPE_GRAY)
4467 {
4468 if (max_pixel_depth < 8)
4469 max_pixel_depth = 8;
4470
4471 if (png_ptr->num_trans != 0)
4472 max_pixel_depth *= 2;
4473 }
4474
4475 else if (png_ptr->color_type == PNG_COLOR_TYPE_RGB)
4476 {
4477 if (png_ptr->num_trans != 0)
4478 {
4479 max_pixel_depth *= 4;
4480 max_pixel_depth /= 3;
4481 }
4482 }
4483 }
4484#endif
4485
4486#ifdef PNG_READ_EXPAND_16_SUPPORTED
4487 if ((png_ptr->transformations & PNG_EXPAND_16) != 0)
4488 {
4489# ifdef PNG_READ_EXPAND_SUPPORTED
4490 /* In fact it is an error if it isn't supported, but checking is
4491 * the safe way.
4492 */
4493 if ((png_ptr->transformations & PNG_EXPAND) != 0)
4494 {
4495 if (png_ptr->bit_depth < 16)
4496 max_pixel_depth *= 2;
4497 }
4498 else
4499# endif
4500 png_ptr->transformations &= ~PNG_EXPAND_16;
4501 }
4502#endif
4503
4504#ifdef PNG_READ_FILLER_SUPPORTED
4505 if ((png_ptr->transformations & (PNG_FILLER)) != 0)
4506 {
4507 if (png_ptr->color_type == PNG_COLOR_TYPE_GRAY)
4508 {
4509 if (max_pixel_depth <= 8)
4510 max_pixel_depth = 16;
4511
4512 else
4513 max_pixel_depth = 32;
4514 }
4515
4516 else if (png_ptr->color_type == PNG_COLOR_TYPE_RGB ||
4517 png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
4518 {
4519 if (max_pixel_depth <= 32)
4520 max_pixel_depth = 32;
4521
4522 else
4523 max_pixel_depth = 64;
4524 }
4525 }
4526#endif
4527
4528#ifdef PNG_READ_GRAY_TO_RGB_SUPPORTED
4529 if ((png_ptr->transformations & PNG_GRAY_TO_RGB) != 0)
4530 {
4531 if (
4532#ifdef PNG_READ_EXPAND_SUPPORTED
4533 (png_ptr->num_trans != 0 &&
4534 (png_ptr->transformations & PNG_EXPAND) != 0) ||
4535#endif
4536#ifdef PNG_READ_FILLER_SUPPORTED
4537 (png_ptr->transformations & (PNG_FILLER)) != 0 ||
4538#endif
4539 png_ptr->color_type == PNG_COLOR_TYPE_GRAY_ALPHA)
4540 {
4541 if (max_pixel_depth <= 16)
4542 max_pixel_depth = 32;
4543
4544 else
4545 max_pixel_depth = 64;
4546 }
4547
4548 else
4549 {
4550 if (max_pixel_depth <= 8)
4551 {
4552 if (png_ptr->color_type == PNG_COLOR_TYPE_RGB_ALPHA)
4553 max_pixel_depth = 32;
4554
4555 else
4556 max_pixel_depth = 24;
4557 }
4558
4559 else if (png_ptr->color_type == PNG_COLOR_TYPE_RGB_ALPHA)
4560 max_pixel_depth = 64;
4561
4562 else
4563 max_pixel_depth = 48;
4564 }
4565 }
4566#endif
4567
4568#if defined(PNG_READ_USER_TRANSFORM_SUPPORTED) && \
4569defined(PNG_USER_TRANSFORM_PTR_SUPPORTED)
4570 if ((png_ptr->transformations & PNG_USER_TRANSFORM) != 0)
4571 {
4572 unsigned int user_pixel_depth = png_ptr->user_transform_depth *
4573 png_ptr->user_transform_channels;
4574
4575 if (user_pixel_depth > max_pixel_depth)
4576 max_pixel_depth = user_pixel_depth;
4577 }
4578#endif
4579
4580 /* This value is stored in png_struct and double checked in the row read
4581 * code.
4582 */
4583 png_ptr->maximum_pixel_depth = (png_byte)max_pixel_depth;
4584 png_ptr->transformed_pixel_depth = 0; /* calculated on demand */
4585
4586 /* Align the width on the next larger 8 pixels. Mainly used
4587 * for interlacing
4588 */
4589 row_bytes = ((png_ptr->width + 7) & ~((png_uint_32)7));
4590 /* Calculate the maximum bytes needed, adding a byte and a pixel
4591 * for safety's sake
4592 */
4593 row_bytes = PNG_ROWBYTES(max_pixel_depth, row_bytes) +
4594 1 + ((max_pixel_depth + 7) >> 3U);
4595
4596#ifdef PNG_MAX_MALLOC_64K
4597 if (row_bytes > (png_uint_32)65536L)
4598 png_error(png_ptr, "This image requires a row greater than 64KB");
4599#endif
4600
4601 if (row_bytes + 48 > png_ptr->old_big_row_buf_size)
4602 {
4603 png_free(png_ptr, png_ptr->big_row_buf);
4604 png_free(png_ptr, png_ptr->big_prev_row);
4605
4606 if (png_ptr->interlaced != 0)
4607 png_ptr->big_row_buf = (png_bytep)png_calloc(png_ptr,
4608 row_bytes + 48);
4609
4610 else
4611 png_ptr->big_row_buf = (png_bytep)png_malloc(png_ptr, row_bytes + 48);
4612
4613 png_ptr->big_prev_row = (png_bytep)png_malloc(png_ptr, row_bytes + 48);
4614
4615#ifdef PNG_ALIGNED_MEMORY_SUPPORTED
4616 /* Use 16-byte aligned memory for row_buf with at least 16 bytes
4617 * of padding before and after row_buf; treat prev_row similarly.
4618 * NOTE: the alignment is to the start of the pixels, one beyond the start
4619 * of the buffer, because of the filter byte. Prior to libpng 1.5.6 this
4620 * was incorrect; the filter byte was aligned, which had the exact
4621 * opposite effect of that intended.
4622 */
4623 {
4624 png_bytep temp = png_ptr->big_row_buf + 32;
4625 size_t extra = (size_t)temp & 0x0f;
4626 png_ptr->row_buf = temp - extra - 1/*filter byte*/;
4627
4628 temp = png_ptr->big_prev_row + 32;
4629 extra = (size_t)temp & 0x0f;
4630 png_ptr->prev_row = temp - extra - 1/*filter byte*/;
4631 }
4632#else
4633 /* Use 31 bytes of padding before and 17 bytes after row_buf. */
4634 png_ptr->row_buf = png_ptr->big_row_buf + 31;
4635 png_ptr->prev_row = png_ptr->big_prev_row + 31;
4636#endif
4637 png_ptr->old_big_row_buf_size = row_bytes + 48;
4638 }
4639
4640#ifdef PNG_MAX_MALLOC_64K
4641 if (png_ptr->rowbytes > 65535)
4642 png_error(png_ptr, "This image requires a row greater than 64KB");
4643
4644#endif
4645 if (png_ptr->rowbytes > (PNG_SIZE_MAX - 1))
4646 png_error(png_ptr, "Row has too many bytes to allocate in memory");
4647
4648 memset(png_ptr->prev_row, 0, png_ptr->rowbytes + 1);
4649
4650 png_debug1(3, "width = %u,", png_ptr->width);
4651 png_debug1(3, "height = %u,", png_ptr->height);
4652 png_debug1(3, "iwidth = %u,", png_ptr->iwidth);
4653 png_debug1(3, "num_rows = %u,", png_ptr->num_rows);
4654 png_debug1(3, "rowbytes = %lu,", (unsigned long)png_ptr->rowbytes);
4655 png_debug1(3, "irowbytes = %lu",
4656 (unsigned long)PNG_ROWBYTES(png_ptr->pixel_depth, png_ptr->iwidth) + 1);
4657
4658 /* The sequential reader needs a buffer for IDAT, but the progressive reader
4659 * does not, so free the read buffer now regardless; the sequential reader
4660 * reallocates it on demand.
4661 */
4662 if (png_ptr->read_buffer != NULL)
4663 {
4664 png_bytep buffer = png_ptr->read_buffer;
4665
4666 png_ptr->read_buffer_size = 0;
4667 png_ptr->read_buffer = NULL;
4668 png_free(png_ptr, buffer);
4669 }
4670
4671 /* Finally claim the zstream for the inflate of the IDAT data, use the bits
4672 * value from the stream (note that this will result in a fatal error if the
4673 * IDAT stream has a bogus deflate header window_bits value, but this should
4674 * not be happening any longer!)
4675 */
4676 if (png_inflate_claim(png_ptr, png_IDAT) != Z_OK)
4677 png_error(png_ptr, png_ptr->zstream.msg);
4678
4679 png_ptr->flags |= PNG_FLAG_ROW_INIT;
4680}
4681#endif /* READ */
strlen
ACPI_SIZE strlen(const char *String)
Definition: utclib.c:269
avail
static int avail
Definition: adh-main.c:39
state
static int state
Definition: maze.c:121
skip
#define skip(...)
Definition: atltest.h:64
msg
#define msg(x)
Definition: auth_time.c:54
errmsg
EXPORT int errmsg(char *msg, va_alist)
Definition: comerr.c:192
NULL
#define NULL
Definition: types.h:112
bpp
DWORD bpp
Definition: surface.c:185
inflateReset2
static int inflateReset2(z_streamp strm, int windowBits)
Definition: inflate.c:851
inflateReset
static int inflateReset(z_streamp strm)
Definition: inflate.c:839
inflate
int inflate(z_streamp strm, int flush)
Definition: inflate.c:1257
Z_STREAM_END
#define Z_STREAM_END
Definition: zlib.h:115
Z_FINISH
#define Z_FINISH
Definition: zlib.h:109
uInt
unsigned int uInt
Definition: zlib.h:38
Z_OK
#define Z_OK
Definition: zlib.h:114
Z_DATA_ERROR
#define Z_DATA_ERROR
Definition: zlib.h:119
Z_SYNC_FLUSH
#define Z_SYNC_FLUSH
Definition: zlib.h:107
Z_STREAM_ERROR
#define Z_STREAM_ERROR
Definition: zlib.h:118
Z_NO_FLUSH
#define Z_NO_FLUSH
Definition: zlib.h:105
Z_MEM_ERROR
#define Z_MEM_ERROR
Definition: zlib.h:120
Byte
unsigned char Byte
Definition: zlib.h:37
Bytef
Byte FAR Bytef
Definition: zlib.h:41
text
const WCHAR * text
Definition: package.c:1799
row
struct png_info_def *typedef unsigned char **typedef struct png_info_def *typedef struct png_info_def *typedef struct png_info_def *typedef unsigned char ** row
Definition: typeof.h:78
int
unsigned int(__cdecl typeof(jpeg_read_scanlines))(struct jpeg_decompress_struct *
Definition: typeof.h:31
size_t
__kernel_size_t size_t
Definition: linux.h:237
abs
#define abs(i)
Definition: fconv.c:206
v
const GLdouble * v
Definition: gl.h:2040
type
GLuint GLuint GLsizei GLenum type
Definition: gl.h:1545
height
GLint GLint GLsizei GLsizei height
Definition: gl.h:1546
width
GLint GLint GLsizei width
Definition: gl.h:1546
size
GLsizeiptr size
Definition: glext.h:5919
buffer
GLuint buffer
Definition: glext.h:5915
c
const GLubyte * c
Definition: glext.h:8905
mask
GLenum GLint GLuint mask
Definition: glext.h:6028
b
GLboolean GLboolean GLboolean b
Definition: glext.h:6204
limit
GLint limit
Definition: glext.h:10326
params
GLenum const GLfloat * params
Definition: glext.h:5645
buf
GLenum GLuint GLenum GLsizei const GLchar * buf
Definition: glext.h:7751
units
GLfloat units
Definition: glext.h:11727
filter
GLint GLint GLint GLint GLint GLint GLint GLbitfield GLenum filter
Definition: glext.h:7005
length
GLuint GLsizei GLsizei * length
Definition: glext.h:6040
val
GLuint GLfloat * val
Definition: glext.h:7180
p
GLfloat GLfloat p
Definition: glext.h:8902
num
GLuint GLuint num
Definition: glext.h:9618
len
GLenum GLsizei len
Definition: glext.h:6722
a
GLboolean GLboolean GLboolean GLboolean a
Definition: glext.h:6204
input
GLenum GLenum GLenum input
Definition: glext.h:9031
offset
GLintptr offset
Definition: glext.h:5920
m
const GLfloat * m
Definition: glext.h:10848
i
GLsizei GLenum const GLvoid GLsizei GLenum GLbyte GLbyte GLbyte GLdouble GLdouble GLdouble GLfloat GLfloat GLfloat GLint GLint GLint GLshort GLshort GLshort GLubyte GLubyte GLubyte GLuint GLuint GLuint GLushort GLushort GLushort GLbyte GLbyte GLbyte GLbyte GLdouble GLdouble GLdouble GLdouble GLfloat GLfloat GLfloat GLfloat GLint GLint GLint GLint GLshort GLshort GLshort GLshort GLubyte GLubyte GLubyte GLubyte GLuint GLuint GLuint GLuint GLushort GLushort GLushort GLushort GLboolean const GLdouble const GLfloat const GLint const GLshort const GLbyte const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLdouble const GLfloat const GLfloat const GLint const GLint const GLshort const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort GLenum GLenum GLenum GLfloat GLenum GLint GLenum GLenum GLenum GLfloat GLenum GLenum GLint GLenum GLfloat GLenum GLint GLint GLushort GLenum GLenum GLfloat GLenum GLenum GLint GLfloat const GLubyte GLenum GLenum GLenum const GLfloat GLenum GLenum const GLint GLenum GLint GLint GLsizei GLsizei GLint GLenum GLenum const GLvoid GLenum GLenum const GLfloat GLenum GLenum const GLint GLenum GLenum const GLdouble GLenum GLenum const GLfloat GLenum GLenum const GLint GLsizei GLuint GLfloat GLuint GLbitfield GLfloat GLint GLuint GLboolean GLenum GLfloat GLenum GLbitfield GLenum GLfloat GLfloat GLint GLint const GLfloat GLenum GLfloat GLfloat GLint GLint GLfloat GLfloat GLint GLint const GLfloat GLint GLfloat GLfloat GLint GLfloat GLfloat GLint GLfloat GLfloat const GLdouble const GLfloat const GLdouble const GLfloat GLint i
Definition: glfuncs.h:248
j
GLsizei GLenum const GLvoid GLsizei GLenum GLbyte GLbyte GLbyte GLdouble GLdouble GLdouble GLfloat GLfloat GLfloat GLint GLint GLint GLshort GLshort GLshort GLubyte GLubyte GLubyte GLuint GLuint GLuint GLushort GLushort GLushort GLbyte GLbyte GLbyte GLbyte GLdouble GLdouble GLdouble GLdouble GLfloat GLfloat GLfloat GLfloat GLint GLint GLint GLint GLshort GLshort GLshort GLshort GLubyte GLubyte GLubyte GLubyte GLuint GLuint GLuint GLuint GLushort GLushort GLushort GLushort GLboolean const GLdouble const GLfloat const GLint const GLshort const GLbyte const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLdouble const GLfloat const GLfloat const GLint const GLint const GLshort const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort GLenum GLenum GLenum GLfloat GLenum GLint GLenum GLenum GLenum GLfloat GLenum GLenum GLint GLenum GLfloat GLenum GLint GLint GLushort GLenum GLenum GLfloat GLenum GLenum GLint GLfloat const GLubyte GLenum GLenum GLenum const GLfloat GLenum GLenum const GLint GLenum GLint GLint GLsizei GLsizei GLint GLenum GLenum const GLvoid GLenum GLenum const GLfloat GLenum GLenum const GLint GLenum GLenum const GLdouble GLenum GLenum const GLfloat GLenum GLenum const GLint GLsizei GLuint GLfloat GLuint GLbitfield GLfloat GLint GLuint GLboolean GLenum GLfloat GLenum GLbitfield GLenum GLfloat GLfloat GLint GLint const GLfloat GLenum GLfloat GLfloat GLint GLint GLfloat GLfloat GLint GLint const GLfloat GLint GLfloat GLfloat GLint GLfloat GLfloat GLint GLfloat GLfloat const GLdouble const GLfloat const GLdouble const GLfloat GLint GLint GLint j
Definition: glfuncs.h:250
extra
@ extra
Definition: id3.c:95
a
#define a
Definition: ke_i.h:78
c
#define c
Definition: ke_i.h:80
b
#define b
Definition: ke_i.h:79
profile
#define profile
Definition: kernel32.h:12
terminate
void MSVCRT() terminate()
if
if(dx< 0)
Definition: linetemp.h:194
memcpy
#define memcpy(s1, s2, n)
Definition: mkisofs.h:878
MASK
#define MASK
Definition: options.h:31
cn
static BYTE cn[]
Definition: cert.c:2938
PNG_COLOR_TYPE_RGB
#define PNG_COLOR_TYPE_RGB
Definition: image.c:5165
PNG_COLOR_TYPE_RGB_ALPHA
#define PNG_COLOR_TYPE_RGB_ALPHA
Definition: image.c:5168
PNG_COLOR_TYPE_GRAY_ALPHA
#define PNG_COLOR_TYPE_GRAY_ALPHA
Definition: image.c:5167
PNG_COLOR_TYPE_GRAY
#define PNG_COLOR_TYPE_GRAY
Definition: image.c:5164
PNG_COLOR_TYPE_PALETTE
#define PNG_COLOR_TYPE_PALETTE
Definition: image.c:5166
sp
static const WCHAR sp[]
Definition: suminfo.c:287
out_size
static HANDLE PIO_APC_ROUTINE PVOID PIO_STATUS_BLOCK ULONG PVOID ULONG PVOID ULONG out_size
Definition: file.c:100
pa
static int ** pa
Definition: server.c:126
palette
static HPALETTE palette
Definition: clipboard.c:1345
png_get_uint_16
#define png_get_uint_16(buf)
Definition: png.h:2596
PNG_MAXIMUM_INFLATE_WINDOW
#define PNG_MAXIMUM_INFLATE_WINDOW
Definition: png.h:3202
PNG_HANDLE_CHUNK_IF_SAFE
#define PNG_HANDLE_CHUNK_IF_SAFE
Definition: png.h:2344
PNG_UINT_31_MAX
#define PNG_UINT_31_MAX
Definition: png.h:646
PNG_IO_READING
#define PNG_IO_READING
Definition: png.h:2420
PNG_FREE_ICCP
#define PNG_FREE_ICCP
Definition: png.h:1746
PNG_HAVE_PLTE
#define PNG_HAVE_PLTE
Definition: png.h:642
PNG_IO_CHUNK_HDR
#define PNG_IO_CHUNK_HDR
Definition: png.h:2423
png_get_int_32
#define png_get_int_32(buf)
Definition: png.h:2597
PNG_MAX_PALETTE_LENGTH
#define PNG_MAX_PALETTE_LENGTH
Definition: png.h:722
png_ptr
png_structrp png_ptr
Definition: png.h:1080
PNG_ITXT_COMPRESSION_NONE
#define PNG_ITXT_COMPRESSION_NONE
Definition: png.h:587
png_uint_32
png_uint_32
Definition: png.h:1936
PNG_INFO_pHYs
#define PNG_INFO_pHYs
Definition: png.h:736
PNG_EQUATION_ARBITRARY
#define PNG_EQUATION_ARBITRARY
Definition: png.h:696
PNG_TEXT_COMPRESSION_zTXt
#define PNG_TEXT_COMPRESSION_zTXt
Definition: png.h:586
PNG_OPTION_ON
#define PNG_OPTION_ON
Definition: png.h:3217
PNG_INFO_pCAL
#define PNG_INFO_pCAL
Definition: png.h:739
PNG_IO_SIGNATURE
#define PNG_IO_SIGNATURE
Definition: png.h:2422
PNG_FREE_EXIF
#define PNG_FREE_EXIF
Definition: png.h:1758
PNG_EQUATION_BASE_E
#define PNG_EQUATION_BASE_E
Definition: png.h:695
PNG_PASS_START_COL
#define PNG_PASS_START_COL(pass)
Definition: png.h:2441
PNG_TEXT_COMPRESSION_NONE
#define PNG_TEXT_COMPRESSION_NONE
Definition: png.h:585
PNG_EQUATION_LAST
#define PNG_EQUATION_LAST
Definition: png.h:698
PNG_UINT_32_MAX
#define PNG_UINT_32_MAX
Definition: png.h:647
PNG_FILTER_VALUE_AVG
#define PNG_FILTER_VALUE_AVG
Definition: png.h:1476
png_sPLT_entryp
png_sPLT_entry * png_sPLT_entryp
Definition: png.h:521
PNG_COLOR_MASK_COLOR
#define PNG_COLOR_MASK_COLOR
Definition: png.h:661
PNG_INFO_eXIf
#define PNG_INFO_eXIf
Definition: png.h:745
PNG_FILTER_VALUE_LAST
#define PNG_FILTER_VALUE_LAST
Definition: png.h:1478
PNG_FILTER_VALUE_UP
#define PNG_FILTER_VALUE_UP
Definition: png.h:1475
PNG_INFO_tIME
#define PNG_INFO_tIME
Definition: png.h:738
png_sPLT_entry
struct png_sPLT_entry_struct png_sPLT_entry
PNG_IO_CHUNK_DATA
#define PNG_IO_CHUNK_DATA
Definition: png.h:2424
png_get_uint_32
#define png_get_uint_32(buf)
Definition: png.h:2595
PNG_IGNORE_ADLER32
#define PNG_IGNORE_ADLER32
Definition: png.h:3207
PNG_HANDLE_CHUNK_NEVER
#define PNG_HANDLE_CHUNK_NEVER
Definition: png.h:2343
PNG_AFTER_IDAT
#define PNG_AFTER_IDAT
Definition: png.h:643
PNG_HANDLE_CHUNK_ALWAYS
#define PNG_HANDLE_CHUNK_ALWAYS
Definition: png.h:2345
PNG_HAVE_IHDR
#define PNG_HAVE_IHDR
Definition: png.h:641
PNG_INFO_sBIT
#define PNG_INFO_sBIT
Definition: png.h:730
PNG_INFO_tRNS
#define PNG_INFO_tRNS
Definition: png.h:733
PNG_INFO_sCAL
#define PNG_INFO_sCAL
Definition: png.h:743
PNG_INFO_bKGD
#define PNG_INFO_bKGD
Definition: png.h:734
PNG_INFO_hIST
#define PNG_INFO_hIST
Definition: png.h:735
PNG_SIZE_MAX
#define PNG_SIZE_MAX
Definition: png.h:648
png_const_structrp
const png_struct *PNG_RESTRICT png_const_structrp
Definition: png.h:467
PNG_INFO_iCCP
#define PNG_INFO_iCCP
Definition: png.h:741
PNG_EQUATION_HYPERBOLIC
#define PNG_EQUATION_HYPERBOLIC
Definition: png.h:697
PNG_FILTER_VALUE_PAETH
#define PNG_FILTER_VALUE_PAETH
Definition: png.h:1477
PNG_FILTER_VALUE_NONE
#define PNG_FILTER_VALUE_NONE
Definition: png.h:1473
PNG_IO_CHUNK_CRC
#define PNG_IO_CHUNK_CRC
Definition: png.h:2425
PNG_INFO_oFFs
#define PNG_INFO_oFFs
Definition: png.h:737
png_inforp
png_info *PNG_RESTRICT png_inforp
Definition: png.h:468
PNG_PASS_COL_OFFSET
#define PNG_PASS_COL_OFFSET(pass)
Definition: png.h:2449
PNG_EQUATION_LINEAR
#define PNG_EQUATION_LINEAR
Definition: png.h:694
PNG_COMPRESSION_TYPE_BASE
#define PNG_COMPRESSION_TYPE_BASE
Definition: png.h:675
PNG_FILTER_VALUE_SUB
#define PNG_FILTER_VALUE_SUB
Definition: png.h:1474
PNG_HANDLE_CHUNK_AS_DEFAULT
#define PNG_HANDLE_CHUNK_AS_DEFAULT
Definition: png.h:2342
png_structrp
png_struct *PNG_RESTRICT png_structrp
Definition: png.h:466
info_ptr
png_const_structrp png_const_inforp info_ptr
Definition: png.h:1937
PNG_ITXT_COMPRESSION_zTXt
#define PNG_ITXT_COMPRESSION_zTXt
Definition: png.h:588
png_charp
char * png_charp
Definition: pngconf.h:589
png_fixed_point
png_int_32 png_fixed_point
Definition: pngconf.h:574
png_const_bytep
const png_byte * png_const_bytep
Definition: pngconf.h:580
png_const_uint_16p
const png_uint_16 * png_const_uint_16p
Definition: pngconf.h:586
png_charpp
char ** png_charpp
Definition: pngconf.h:612
png_alloc_size_t
size_t png_alloc_size_t
Definition: pngconf.h:557
PNGAPI
#define PNGAPI
Definition: pngconf.h:261
png_bytep
png_byte * png_bytep
Definition: pngconf.h:579
png_uint_16p
png_uint_16 * png_uint_16p
Definition: pngconf.h:585
png_uint_32p
png_uint_32 * png_uint_32p
Definition: pngconf.h:581
png_const_uint_32p
const png_uint_32 * png_const_uint_32p
Definition: pngconf.h:582
png_const_charp
const char * png_const_charp
Definition: pngconf.h:590
png_debug2
#define png_debug2(l, m, p1, p2)
Definition: pngdebug.h:151
png_debug
#define png_debug(l, m)
Definition: pngdebug.h:145
png_debug1
#define png_debug1(l, m, p1)
Definition: pngdebug.h:148
PNG_INFLATE_BUF_SIZE
#define PNG_INFLATE_BUF_SIZE
Definition: pnglibconf.h:196
PNG_READ_EXPAND_SUPPORTED
#define PNG_READ_EXPAND_SUPPORTED
Definition: pnglibconf.h:58
PNG_READ_PACK_SUPPORTED
#define PNG_READ_PACK_SUPPORTED
Definition: pnglibconf.h:69
PNG_USER_CHUNK_MALLOC_MAX
#define PNG_USER_CHUNK_MALLOC_MAX
Definition: pnglibconf.h:208
PNG_READ_FILLER_SUPPORTED
#define PNG_READ_FILLER_SUPPORTED
Definition: pnglibconf.h:59
PNG_UNEXPECTED_ZLIB_RETURN
#define PNG_UNEXPECTED_ZLIB_RETURN
Definition: pngpriv.h:964
PNG_UNUSED
#define PNG_UNUSED(param)
Definition: pngpriv.h:444
PNG_HAVE_PNG_SIGNATURE
#define PNG_HAVE_PNG_SIGNATURE
Definition: pngpriv.h:627
PNG_INTERLACE
#define PNG_INTERLACE
Definition: pngpriv.h:634
PNG_ROWBYTES
#define PNG_ROWBYTES(pixel_bits, width)
Definition: pngpriv.h:729
PNG_FLAG_CRC_CRITICAL_USE
#define PNG_FLAG_CRC_CRITICAL_USE
Definition: pngpriv.h:680
PNG_FLAG_CRC_ANCILLARY_USE
#define PNG_FLAG_CRC_ANCILLARY_USE
Definition: pngpriv.h:678
png_app_error
#define png_app_error(pp, s)
Definition: pngpriv.h:1819
png_iCCP
#define png_iCCP
Definition: pngpriv.h:852
png_app_warning
#define png_app_warning(pp, s)
Definition: pngpriv.h:1818
PNG_FLAG_BENIGN_ERRORS_WARN
#define PNG_FLAG_BENIGN_ERRORS_WARN
Definition: pngpriv.h:690
PNG_FLAG_CRC_ANCILLARY_NOWARN
#define PNG_FLAG_CRC_ANCILLARY_NOWARN
Definition: pngpriv.h:679
PNG_INFLATE
#define PNG_INFLATE(pp, flush)
Definition: pngpriv.h:1389
PNG_EXPAND_16
#define PNG_EXPAND_16
Definition: pngpriv.h:642
PNG_USER_TRANSFORM
#define PNG_USER_TRANSFORM
Definition: pngpriv.h:653
png_aligncastconst
#define png_aligncastconst(type, value)
Definition: pngpriv.h:503
png_aligncast
#define png_aligncast(type, value)
Definition: pngpriv.h:502
PNG_FLAG_CRC_ANCILLARY_MASK
#define PNG_FLAG_CRC_ANCILLARY_MASK
Definition: pngpriv.h:702
PNG_HAVE_IDAT
#define PNG_HAVE_IDAT
Definition: pngpriv.h:617
PNG_CSTRING_FROM_CHUNK
#define PNG_CSTRING_FROM_CHUNK(s, c)
Definition: pngpriv.h:884
PNG_HAVE_IEND
#define PNG_HAVE_IEND
Definition: pngpriv.h:619
PNG_FLAG_CRC_CRITICAL_IGNORE
#define PNG_FLAG_CRC_CRITICAL_IGNORE
Definition: pngpriv.h:681
PNG_CHUNK_FROM_STRING
#define PNG_CHUNK_FROM_STRING(s)
Definition: pngpriv.h:870
PNG_EXPAND
#define PNG_EXPAND
Definition: pngpriv.h:645
PNG_FLAG_ZSTREAM_ENDED
#define PNG_FLAG_ZSTREAM_ENDED
Definition: pngpriv.h:673
PNG_FILLER
#define PNG_FILLER
Definition: pngpriv.h:648
PNG_FLAG_ZSTREAM_INITIALIZED
#define PNG_FLAG_ZSTREAM_INITIALIZED
Definition: pngpriv.h:671
png_isaligned
#define png_isaligned(ptr, type)
Definition: pngpriv.h:597
PNG_FLAG_ROW_INIT
#define PNG_FLAG_ROW_INIT
Definition: pngpriv.h:676
PNG_CHUNK_CRITICAL
#define PNG_CHUNK_CRITICAL(c)
Definition: pngpriv.h:889
PNG_CHUNK_ANCILLARY
#define PNG_CHUNK_ANCILLARY(c)
Definition: pngpriv.h:888
PNG_GRAY_TO_RGB
#define PNG_GRAY_TO_RGB
Definition: pngpriv.h:647
png_voidcast
#define png_voidcast(type, value)
Definition: pngpriv.h:500
PNG_PACK
#define PNG_PACK
Definition: pngpriv.h:635
PNG_PACKSWAP
#define PNG_PACKSWAP
Definition: pngpriv.h:649
PNG_STRING_FROM_CHUNK
#define PNG_STRING_FROM_CHUNK(s, c)
Definition: pngpriv.h:877
png_IDAT
#define png_IDAT
Definition: pngpriv.h:839
PNGZ_MSG_CAST
#define PNGZ_MSG_CAST(s)
Definition: pngstruct.h:40
PNGZ_INPUT_CAST
#define PNGZ_INPUT_CAST(b)
Definition: pngstruct.h:41
ZLIB_IO_MAX
#define ZLIB_IO_MAX
Definition: pngstruct.h:56
warn
#define warn(...)
Definition: reactos_support_code.h:32
out
static FILE * out
Definition: regtests2xml.c:44
temp
static calc_node_t temp
Definition: rpn_ieee.c:38
inflateInit2
#define inflateInit2(strm, windowBits)
Definition: zlib.h:1817
inflateInit
#define inflateInit(strm)
Definition: zlib.h:1812
inflateValidate
int ZEXPORT inflateValidate(z_streamp strm, int check)
Definition: inflate.c:1560
memset
#define memset(x, y, z)
Definition: compat.h:39
finish
#define finish()
Definition: seh0024.c:15
key
Definition: copy.c:22
png_color_16_struct
Definition: png.h:486
png_color_16_struct::red
png_uint_16 red
Definition: png.h:488
png_color_16_struct::index
png_byte index
Definition: png.h:487
png_color_16_struct::gray
png_uint_16 gray
Definition: png.h:491
png_color_16_struct::green
png_uint_16 green
Definition: png.h:489
png_color_16_struct::blue
png_uint_16 blue
Definition: png.h:490
png_color_struct
Definition: png.h:476
png_color_struct::blue
png_byte blue
Definition: png.h:479
png_color_struct::red
png_byte red
Definition: png.h:477
png_color_struct::green