|
2296
|
1
|
|
|
2 /* pngrutil.c - utilities to read a PNG file
|
|
|
3 *
|
|
|
4 * Last changed in libpng 1.6.10 [March 6, 2014]
|
|
|
5 * Copyright (c) 1998-2014 Glenn Randers-Pehrson
|
|
|
6 * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
|
|
|
7 * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
|
|
|
8 *
|
|
|
9 * This code is released under the libpng license.
|
|
|
10 * For conditions of distribution and use, see the disclaimer
|
|
|
11 * and license in png.h
|
|
|
12 *
|
|
|
13 * This file contains routines that are only called from within
|
|
|
14 * libpng itself during the course of reading an image.
|
|
|
15 */
|
|
|
16
|
|
|
17 #include "pngpriv.h"
|
|
|
18
|
|
|
19 #ifdef PNG_READ_SUPPORTED
|
|
|
20
|
|
|
21 png_uint_32 PNGAPI
|
|
|
22 png_get_uint_31(png_const_structrp png_ptr, png_const_bytep buf)
|
|
|
23 {
|
|
|
24 png_uint_32 uval = png_get_uint_32(buf);
|
|
|
25
|
|
|
26 if (uval > PNG_UINT_31_MAX)
|
|
|
27 png_error(png_ptr, "PNG unsigned integer out of range");
|
|
|
28
|
|
|
29 return (uval);
|
|
|
30 }
|
|
|
31
|
|
|
32 #if defined(PNG_READ_gAMA_SUPPORTED) || defined(PNG_READ_cHRM_SUPPORTED)
|
|
|
33 /* The following is a variation on the above for use with the fixed
|
|
|
34 * point values used for gAMA and cHRM. Instead of png_error it
|
|
|
35 * issues a warning and returns (-1) - an invalid value because both
|
|
|
36 * gAMA and cHRM use *unsigned* integers for fixed point values.
|
|
|
37 */
|
|
|
38 #define PNG_FIXED_ERROR (-1)
|
|
|
39
|
|
|
40 static png_fixed_point /* PRIVATE */
|
|
|
41 png_get_fixed_point(png_structrp png_ptr, png_const_bytep buf)
|
|
|
42 {
|
|
|
43 png_uint_32 uval = png_get_uint_32(buf);
|
|
|
44
|
|
|
45 if (uval <= PNG_UINT_31_MAX)
|
|
|
46 return (png_fixed_point)uval; /* known to be in range */
|
|
|
47
|
|
|
48 /* The caller can turn off the warning by passing NULL. */
|
|
|
49 if (png_ptr != NULL)
|
|
|
50 png_warning(png_ptr, "PNG fixed point integer out of range");
|
|
|
51
|
|
|
52 return PNG_FIXED_ERROR;
|
|
|
53 }
|
|
|
54 #endif
|
|
|
55
|
|
|
56 #ifdef PNG_READ_INT_FUNCTIONS_SUPPORTED
|
|
|
57 /* NOTE: the read macros will obscure these definitions, so that if
|
|
|
58 * PNG_USE_READ_MACROS is set the library will not use them internally,
|
|
|
59 * but the APIs will still be available externally.
|
|
|
60 *
|
|
|
61 * The parentheses around "PNGAPI function_name" in the following three
|
|
|
62 * functions are necessary because they allow the macros to co-exist with
|
|
|
63 * these (unused but exported) functions.
|
|
|
64 */
|
|
|
65
|
|
|
66 /* Grab an unsigned 32-bit integer from a buffer in big-endian format. */
|
|
|
67 png_uint_32 (PNGAPI
|
|
|
68 png_get_uint_32)(png_const_bytep buf)
|
|
|
69 {
|
|
|
70 png_uint_32 uval =
|
|
|
71 ((png_uint_32)(*(buf )) << 24) +
|
|
|
72 ((png_uint_32)(*(buf + 1)) << 16) +
|
|
|
73 ((png_uint_32)(*(buf + 2)) << 8) +
|
|
|
74 ((png_uint_32)(*(buf + 3)) ) ;
|
|
|
75
|
|
|
76 return uval;
|
|
|
77 }
|
|
|
78
|
|
|
79 /* Grab a signed 32-bit integer from a buffer in big-endian format. The
|
|
|
80 * data is stored in the PNG file in two's complement format and there
|
|
|
81 * is no guarantee that a 'png_int_32' is exactly 32 bits, therefore
|
|
|
82 * the following code does a two's complement to native conversion.
|
|
|
83 */
|
|
|
84 png_int_32 (PNGAPI
|
|
|
85 png_get_int_32)(png_const_bytep buf)
|
|
|
86 {
|
|
|
87 png_uint_32 uval = png_get_uint_32(buf);
|
|
|
88 if ((uval & 0x80000000) == 0) /* non-negative */
|
|
|
89 return uval;
|
|
|
90
|
|
|
91 uval = (uval ^ 0xffffffff) + 1; /* 2's complement: -x = ~x+1 */
|
|
|
92 return -(png_int_32)uval;
|
|
|
93 }
|
|
|
94
|
|
|
95 /* Grab an unsigned 16-bit integer from a buffer in big-endian format. */
|
|
|
96 png_uint_16 (PNGAPI
|
|
|
97 png_get_uint_16)(png_const_bytep buf)
|
|
|
98 {
|
|
|
99 /* ANSI-C requires an int value to accomodate at least 16 bits so this
|
|
|
100 * works and allows the compiler not to worry about possible narrowing
|
|
|
101 * on 32 bit systems. (Pre-ANSI systems did not make integers smaller
|
|
|
102 * than 16 bits either.)
|
|
|
103 */
|
|
|
104 unsigned int val =
|
|
|
105 ((unsigned int)(*buf) << 8) +
|
|
|
106 ((unsigned int)(*(buf + 1)));
|
|
|
107
|
|
|
108 return (png_uint_16)val;
|
|
|
109 }
|
|
|
110
|
|
|
111 #endif /* PNG_READ_INT_FUNCTIONS_SUPPORTED */
|
|
|
112
|
|
|
113 /* Read and check the PNG file signature */
|
|
|
114 void /* PRIVATE */
|
|
|
115 png_read_sig(png_structrp png_ptr, png_inforp info_ptr)
|
|
|
116 {
|
|
|
117 png_size_t num_checked, num_to_check;
|
|
|
118
|
|
|
119 /* Exit if the user application does not expect a signature. */
|
|
|
120 if (png_ptr->sig_bytes >= 8)
|
|
|
121 return;
|
|
|
122
|
|
|
123 num_checked = png_ptr->sig_bytes;
|
|
|
124 num_to_check = 8 - num_checked;
|
|
|
125
|
|
|
126 #ifdef PNG_IO_STATE_SUPPORTED
|
|
|
127 png_ptr->io_state = PNG_IO_READING | PNG_IO_SIGNATURE;
|
|
|
128 #endif
|
|
|
129
|
|
|
130 /* The signature must be serialized in a single I/O call. */
|
|
|
131 png_read_data(png_ptr, &(info_ptr->signature[num_checked]), num_to_check);
|
|
|
132 png_ptr->sig_bytes = 8;
|
|
|
133
|
|
|
134 if (png_sig_cmp(info_ptr->signature, num_checked, num_to_check))
|
|
|
135 {
|
|
|
136 if (num_checked < 4 &&
|
|
|
137 png_sig_cmp(info_ptr->signature, num_checked, num_to_check - 4))
|
|
|
138 png_error(png_ptr, "Not a PNG file");
|
|
|
139 else
|
|
|
140 png_error(png_ptr, "PNG file corrupted by ASCII conversion");
|
|
|
141 }
|
|
|
142 if (num_checked < 3)
|
|
|
143 png_ptr->mode |= PNG_HAVE_PNG_SIGNATURE;
|
|
|
144 }
|
|
|
145
|
|
|
146 /* Read the chunk header (length + type name).
|
|
|
147 * Put the type name into png_ptr->chunk_name, and return the length.
|
|
|
148 */
|
|
|
149 png_uint_32 /* PRIVATE */
|
|
|
150 png_read_chunk_header(png_structrp png_ptr)
|
|
|
151 {
|
|
|
152 png_byte buf[8];
|
|
|
153 png_uint_32 length;
|
|
|
154
|
|
|
155 #ifdef PNG_IO_STATE_SUPPORTED
|
|
|
156 png_ptr->io_state = PNG_IO_READING | PNG_IO_CHUNK_HDR;
|
|
|
157 #endif
|
|
|
158
|
|
|
159 /* Read the length and the chunk name.
|
|
|
160 * This must be performed in a single I/O call.
|
|
|
161 */
|
|
|
162 png_read_data(png_ptr, buf, 8);
|
|
|
163 length = png_get_uint_31(png_ptr, buf);
|
|
|
164
|
|
|
165 /* Put the chunk name into png_ptr->chunk_name. */
|
|
|
166 png_ptr->chunk_name = PNG_CHUNK_FROM_STRING(buf+4);
|
|
|
167
|
|
|
168 png_debug2(0, "Reading %lx chunk, length = %lu",
|
|
|
169 (unsigned long)png_ptr->chunk_name, (unsigned long)length);
|
|
|
170
|
|
|
171 /* Reset the crc and run it over the chunk name. */
|
|
|
172 png_reset_crc(png_ptr);
|
|
|
173 png_calculate_crc(png_ptr, buf + 4, 4);
|
|
|
174
|
|
|
175 /* Check to see if chunk name is valid. */
|
|
|
176 png_check_chunk_name(png_ptr, png_ptr->chunk_name);
|
|
|
177
|
|
|
178 #ifdef PNG_IO_STATE_SUPPORTED
|
|
|
179 png_ptr->io_state = PNG_IO_READING | PNG_IO_CHUNK_DATA;
|
|
|
180 #endif
|
|
|
181
|
|
|
182 return length;
|
|
|
183 }
|
|
|
184
|
|
|
185 /* Read data, and (optionally) run it through the CRC. */
|
|
|
186 void /* PRIVATE */
|
|
|
187 png_crc_read(png_structrp png_ptr, png_bytep buf, png_uint_32 length)
|
|
|
188 {
|
|
|
189 if (png_ptr == NULL)
|
|
|
190 return;
|
|
|
191
|
|
|
192 png_read_data(png_ptr, buf, length);
|
|
|
193 png_calculate_crc(png_ptr, buf, length);
|
|
|
194 }
|
|
|
195
|
|
|
196 /* Optionally skip data and then check the CRC. Depending on whether we
|
|
|
197 * are reading an ancillary or critical chunk, and how the program has set
|
|
|
198 * things up, we may calculate the CRC on the data and print a message.
|
|
|
199 * Returns '1' if there was a CRC error, '0' otherwise.
|
|
|
200 */
|
|
|
201 int /* PRIVATE */
|
|
|
202 png_crc_finish(png_structrp png_ptr, png_uint_32 skip)
|
|
|
203 {
|
|
|
204 /* The size of the local buffer for inflate is a good guess as to a
|
|
|
205 * reasonable size to use for buffering reads from the application.
|
|
|
206 */
|
|
|
207 while (skip > 0)
|
|
|
208 {
|
|
|
209 png_uint_32 len;
|
|
|
210 png_byte tmpbuf[PNG_INFLATE_BUF_SIZE];
|
|
|
211
|
|
|
212 len = (sizeof tmpbuf);
|
|
|
213 if (len > skip)
|
|
|
214 len = skip;
|
|
|
215 skip -= len;
|
|
|
216
|
|
|
217 png_crc_read(png_ptr, tmpbuf, len);
|
|
|
218 }
|
|
|
219
|
|
|
220 if (png_crc_error(png_ptr))
|
|
|
221 {
|
|
|
222 if (PNG_CHUNK_ANCILLARY(png_ptr->chunk_name) ?
|
|
|
223 !(png_ptr->flags & PNG_FLAG_CRC_ANCILLARY_NOWARN) :
|
|
|
224 (png_ptr->flags & PNG_FLAG_CRC_CRITICAL_USE))
|
|
|
225 {
|
|
|
226 png_chunk_warning(png_ptr, "CRC error");
|
|
|
227 }
|
|
|
228
|
|
|
229 else
|
|
|
230 png_chunk_error(png_ptr, "CRC error");
|
|
|
231
|
|
|
232 return (1);
|
|
|
233 }
|
|
|
234
|
|
|
235 return (0);
|
|
|
236 }
|
|
|
237
|
|
|
238 /* Compare the CRC stored in the PNG file with that calculated by libpng from
|
|
|
239 * the data it has read thus far.
|
|
|
240 */
|
|
|
241 int /* PRIVATE */
|
|
|
242 png_crc_error(png_structrp png_ptr)
|
|
|
243 {
|
|
|
244 png_byte crc_bytes[4];
|
|
|
245 png_uint_32 crc;
|
|
|
246 int need_crc = 1;
|
|
|
247
|
|
|
248 if (PNG_CHUNK_ANCILLARY(png_ptr->chunk_name))
|
|
|
249 {
|
|
|
250 if ((png_ptr->flags & PNG_FLAG_CRC_ANCILLARY_MASK) ==
|
|
|
251 (PNG_FLAG_CRC_ANCILLARY_USE | PNG_FLAG_CRC_ANCILLARY_NOWARN))
|
|
|
252 need_crc = 0;
|
|
|
253 }
|
|
|
254
|
|
|
255 else /* critical */
|
|
|
256 {
|
|
|
257 if (png_ptr->flags & PNG_FLAG_CRC_CRITICAL_IGNORE)
|
|
|
258 need_crc = 0;
|
|
|
259 }
|
|
|
260
|
|
|
261 #ifdef PNG_IO_STATE_SUPPORTED
|
|
|
262 png_ptr->io_state = PNG_IO_READING | PNG_IO_CHUNK_CRC;
|
|
|
263 #endif
|
|
|
264
|
|
|
265 /* The chunk CRC must be serialized in a single I/O call. */
|
|
|
266 png_read_data(png_ptr, crc_bytes, 4);
|
|
|
267
|
|
|
268 if (need_crc)
|
|
|
269 {
|
|
|
270 crc = png_get_uint_32(crc_bytes);
|
|
|
271 return ((int)(crc != png_ptr->crc));
|
|
|
272 }
|
|
|
273
|
|
|
274 else
|
|
|
275 return (0);
|
|
|
276 }
|
|
|
277
|
|
|
278 #if defined(PNG_READ_iCCP_SUPPORTED) || defined(PNG_READ_iTXt_SUPPORTED) ||\
|
|
|
279 defined(PNG_READ_pCAL_SUPPORTED) || defined(PNG_READ_sCAL_SUPPORTED) ||\
|
|
|
280 defined(PNG_READ_sPLT_SUPPORTED) || defined(PNG_READ_tEXt_SUPPORTED) ||\
|
|
|
281 defined(PNG_READ_zTXt_SUPPORTED) || defined(PNG_SEQUENTIAL_READ_SUPPORTED)
|
|
|
282 /* Manage the read buffer; this simply reallocates the buffer if it is not small
|
|
|
283 * enough (or if it is not allocated). The routine returns a pointer to the
|
|
|
284 * buffer; if an error occurs and 'warn' is set the routine returns NULL, else
|
|
|
285 * it will call png_error (via png_malloc) on failure. (warn == 2 means
|
|
|
286 * 'silent').
|
|
|
287 */
|
|
|
288 static png_bytep
|
|
|
289 png_read_buffer(png_structrp png_ptr, png_alloc_size_t new_size, int warn)
|
|
|
290 {
|
|
|
291 png_bytep buffer = png_ptr->read_buffer;
|
|
|
292
|
|
|
293 if (buffer != NULL && new_size > png_ptr->read_buffer_size)
|
|
|
294 {
|
|
|
295 png_ptr->read_buffer = NULL;
|
|
|
296 png_ptr->read_buffer = NULL;
|
|
|
297 png_ptr->read_buffer_size = 0;
|
|
|
298 png_free(png_ptr, buffer);
|
|
|
299 buffer = NULL;
|
|
|
300 }
|
|
|
301
|
|
|
302 if (buffer == NULL)
|
|
|
303 {
|
|
|
304 buffer = png_voidcast(png_bytep, png_malloc_base(png_ptr, new_size));
|
|
|
305
|
|
|
306 if (buffer != NULL)
|
|
|
307 {
|
|
|
308 png_ptr->read_buffer = buffer;
|
|
|
309 png_ptr->read_buffer_size = new_size;
|
|
|
310 }
|
|
|
311
|
|
|
312 else if (warn < 2) /* else silent */
|
|
|
313 {
|
|
|
314 if (warn)
|
|
|
315 png_chunk_warning(png_ptr, "insufficient memory to read chunk");
|
|
|
316
|
|
|
317 else
|
|
|
318 png_chunk_error(png_ptr, "insufficient memory to read chunk");
|
|
|
319 }
|
|
|
320 }
|
|
|
321
|
|
|
322 return buffer;
|
|
|
323 }
|
|
|
324 #endif /* PNG_READ_iCCP|iTXt|pCAL|sCAL|sPLT|tEXt|zTXt|SEQUENTIAL_READ */
|
|
|
325
|
|
|
326 /* png_inflate_claim: claim the zstream for some nefarious purpose that involves
|
|
|
327 * decompression. Returns Z_OK on success, else a zlib error code. It checks
|
|
|
328 * the owner but, in final release builds, just issues a warning if some other
|
|
|
329 * chunk apparently owns the stream. Prior to release it does a png_error.
|
|
|
330 */
|
|
|
331 static int
|
|
|
332 png_inflate_claim(png_structrp png_ptr, png_uint_32 owner)
|
|
|
333 {
|
|
|
334 if (png_ptr->zowner != 0)
|
|
|
335 {
|
|
|
336 char msg[64];
|
|
|
337
|
|
|
338 PNG_STRING_FROM_CHUNK(msg, png_ptr->zowner);
|
|
|
339 /* So the message that results is "<chunk> using zstream"; this is an
|
|
|
340 * internal error, but is very useful for debugging. i18n requirements
|
|
|
341 * are minimal.
|
|
|
342 */
|
|
|
343 (void)png_safecat(msg, (sizeof msg), 4, " using zstream");
|
|
|
344 # if PNG_LIBPNG_BUILD_BASE_TYPE >= PNG_LIBPNG_BUILD_RC
|
|
|
345 png_chunk_warning(png_ptr, msg);
|
|
|
346 png_ptr->zowner = 0;
|
|
|
347 # else
|
|
|
348 png_chunk_error(png_ptr, msg);
|
|
|
349 # endif
|
|
|
350 }
|
|
|
351
|
|
|
352 /* Implementation note: unlike 'png_deflate_claim' this internal function
|
|
|
353 * does not take the size of the data as an argument. Some efficiency could
|
|
|
354 * be gained by using this when it is known *if* the zlib stream itself does
|
|
|
355 * not record the number; however, this is an illusion: the original writer
|
|
|
356 * of the PNG may have selected a lower window size, and we really must
|
|
|
357 * follow that because, for systems with with limited capabilities, we
|
|
|
358 * would otherwise reject the application's attempts to use a smaller window
|
|
|
359 * size (zlib doesn't have an interface to say "this or lower"!).
|
|
|
360 *
|
|
|
361 * inflateReset2 was added to zlib 1.2.4; before this the window could not be
|
|
|
362 * reset, therefore it is necessary to always allocate the maximum window
|
|
|
363 * size with earlier zlibs just in case later compressed chunks need it.
|
|
|
364 */
|
|
|
365 {
|
|
|
366 int ret; /* zlib return code */
|
|
|
367 # if PNG_ZLIB_VERNUM >= 0x1240
|
|
|
368
|
|
|
369 # if defined(PNG_SET_OPTION_SUPPORTED) && \
|
|
|
370 defined(PNG_MAXIMUM_INFLATE_WINDOW)
|
|
|
371 int window_bits;
|
|
|
372
|
|
|
373 if (((png_ptr->options >> PNG_MAXIMUM_INFLATE_WINDOW) & 3) ==
|
|
|
374 PNG_OPTION_ON)
|
|
|
375 window_bits = 15;
|
|
|
376
|
|
|
377 else
|
|
|
378 window_bits = 0;
|
|
|
379 # else
|
|
|
380 # define window_bits 0
|
|
|
381 # endif
|
|
|
382 # endif
|
|
|
383
|
|
|
384 /* Set this for safety, just in case the previous owner left pointers to
|
|
|
385 * memory allocations.
|
|
|
386 */
|
|
|
387 png_ptr->zstream.next_in = NULL;
|
|
|
388 png_ptr->zstream.avail_in = 0;
|
|
|
389 png_ptr->zstream.next_out = NULL;
|
|
|
390 png_ptr->zstream.avail_out = 0;
|
|
|
391
|
|
|
392 if (png_ptr->flags & PNG_FLAG_ZSTREAM_INITIALIZED)
|
|
|
393 {
|
|
|
394 # if PNG_ZLIB_VERNUM < 0x1240
|
|
|
395 ret = inflateReset(&png_ptr->zstream);
|
|
|
396 # else
|
|
|
397 ret = inflateReset2(&png_ptr->zstream, window_bits);
|
|
|
398 # endif
|
|
|
399 }
|
|
|
400
|
|
|
401 else
|
|
|
402 {
|
|
|
403 # if PNG_ZLIB_VERNUM < 0x1240
|
|
|
404 ret = inflateInit(&png_ptr->zstream);
|
|
|
405 # else
|
|
|
406 ret = inflateInit2(&png_ptr->zstream, window_bits);
|
|
|
407 # endif
|
|
|
408
|
|
|
409 if (ret == Z_OK)
|
|
|
410 png_ptr->flags |= PNG_FLAG_ZSTREAM_INITIALIZED;
|
|
|
411 }
|
|
|
412
|
|
|
413 if (ret == Z_OK)
|
|
|
414 png_ptr->zowner = owner;
|
|
|
415
|
|
|
416 else
|
|
|
417 png_zstream_error(png_ptr, ret);
|
|
|
418
|
|
|
419 return ret;
|
|
|
420 }
|
|
|
421
|
|
|
422 # ifdef window_bits
|
|
|
423 # undef window_bits
|
|
|
424 # endif
|
|
|
425 }
|
|
|
426
|
|
|
427 #ifdef PNG_READ_COMPRESSED_TEXT_SUPPORTED
|
|
|
428 /* png_inflate now returns zlib error codes including Z_OK and Z_STREAM_END to
|
|
|
429 * allow the caller to do multiple calls if required. If the 'finish' flag is
|
|
|
430 * set Z_FINISH will be passed to the final inflate() call and Z_STREAM_END must
|
|
|
431 * be returned or there has been a problem, otherwise Z_SYNC_FLUSH is used and
|
|
|
432 * Z_OK or Z_STREAM_END will be returned on success.
|
|
|
433 *
|
|
|
434 * The input and output sizes are updated to the actual amounts of data consumed
|
|
|
435 * or written, not the amount available (as in a z_stream). The data pointers
|
|
|
436 * are not changed, so the next input is (data+input_size) and the next
|
|
|
437 * available output is (output+output_size).
|
|
|
438 */
|
|
|
439 static int
|
|
|
440 png_inflate(png_structrp png_ptr, png_uint_32 owner, int finish,
|
|
|
441 /* INPUT: */ png_const_bytep input, png_uint_32p input_size_ptr,
|
|
|
442 /* OUTPUT: */ png_bytep output, png_alloc_size_t *output_size_ptr)
|
|
|
443 {
|
|
|
444 if (png_ptr->zowner == owner) /* Else not claimed */
|
|
|
445 {
|
|
|
446 int ret;
|
|
|
447 png_alloc_size_t avail_out = *output_size_ptr;
|
|
|
448 png_uint_32 avail_in = *input_size_ptr;
|
|
|
449
|
|
|
450 /* zlib can't necessarily handle more than 65535 bytes at once (i.e. it
|
|
|
451 * can't even necessarily handle 65536 bytes) because the type uInt is
|
|
|
452 * "16 bits or more". Consequently it is necessary to chunk the input to
|
|
|
453 * zlib. This code uses ZLIB_IO_MAX, from pngpriv.h, as the maximum (the
|
|
|
454 * maximum value that can be stored in a uInt.) It is possible to set
|
|
|
455 * ZLIB_IO_MAX to a lower value in pngpriv.h and this may sometimes have
|
|
|
456 * a performance advantage, because it reduces the amount of data accessed
|
|
|
457 * at each step and that may give the OS more time to page it in.
|
|
|
458 */
|
|
|
459 png_ptr->zstream.next_in = PNGZ_INPUT_CAST(input);
|
|
|
460 /* avail_in and avail_out are set below from 'size' */
|
|
|
461 png_ptr->zstream.avail_in = 0;
|
|
|
462 png_ptr->zstream.avail_out = 0;
|
|
|
463
|
|
|
464 /* Read directly into the output if it is available (this is set to
|
|
|
465 * a local buffer below if output is NULL).
|
|
|
466 */
|
|
|
467 if (output != NULL)
|
|
|
468 png_ptr->zstream.next_out = output;
|
|
|
469
|
|
|
470 do
|
|
|
471 {
|
|
|
472 uInt avail;
|
|
|
473 Byte local_buffer[PNG_INFLATE_BUF_SIZE];
|
|
|
474
|
|
|
475 /* zlib INPUT BUFFER */
|
|
|
476 /* The setting of 'avail_in' used to be outside the loop; by setting it
|
|
|
477 * inside it is possible to chunk the input to zlib and simply rely on
|
|
|
478 * zlib to advance the 'next_in' pointer. This allows arbitrary
|
|
|
479 * amounts of data to be passed through zlib at the unavoidable cost of
|
|
|
480 * requiring a window save (memcpy of up to 32768 output bytes)
|
|
|
481 * every ZLIB_IO_MAX input bytes.
|
|
|
482 */
|
|
|
483 avail_in += png_ptr->zstream.avail_in; /* not consumed last time */
|
|
|
484
|
|
|
485 avail = ZLIB_IO_MAX;
|
|
|
486
|
|
|
487 if (avail_in < avail)
|
|
|
488 avail = (uInt)avail_in; /* safe: < than ZLIB_IO_MAX */
|
|
|
489
|
|
|
490 avail_in -= avail;
|
|
|
491 png_ptr->zstream.avail_in = avail;
|
|
|
492
|
|
|
493 /* zlib OUTPUT BUFFER */
|
|
|
494 avail_out += png_ptr->zstream.avail_out; /* not written last time */
|
|
|
495
|
|
|
496 avail = ZLIB_IO_MAX; /* maximum zlib can process */
|
|
|
497
|
|
|
498 if (output == NULL)
|
|
|
499 {
|
|
|
500 /* Reset the output buffer each time round if output is NULL and
|
|
|
501 * make available the full buffer, up to 'remaining_space'
|
|
|
502 */
|
|
|
503 png_ptr->zstream.next_out = local_buffer;
|
|
|
504 if ((sizeof local_buffer) < avail)
|
|
|
505 avail = (sizeof local_buffer);
|
|
|
506 }
|
|
|
507
|
|
|
508 if (avail_out < avail)
|
|
|
509 avail = (uInt)avail_out; /* safe: < ZLIB_IO_MAX */
|
|
|
510
|
|
|
511 png_ptr->zstream.avail_out = avail;
|
|
|
512 avail_out -= avail;
|
|
|
513
|
|
|
514 /* zlib inflate call */
|
|
|
515 /* In fact 'avail_out' may be 0 at this point, that happens at the end
|
|
|
516 * of the read when the final LZ end code was not passed at the end of
|
|
|
517 * the previous chunk of input data. Tell zlib if we have reached the
|
|
|
518 * end of the output buffer.
|
|
|
519 */
|
|
|
520 ret = inflate(&png_ptr->zstream, avail_out > 0 ? Z_NO_FLUSH :
|
|
|
521 (finish ? Z_FINISH : Z_SYNC_FLUSH));
|
|
|
522 } while (ret == Z_OK);
|
|
|
523
|
|
|
524 /* For safety kill the local buffer pointer now */
|
|
|
525 if (output == NULL)
|
|
|
526 png_ptr->zstream.next_out = NULL;
|
|
|
527
|
|
|
528 /* Claw back the 'size' and 'remaining_space' byte counts. */
|
|
|
529 avail_in += png_ptr->zstream.avail_in;
|
|
|
530 avail_out += png_ptr->zstream.avail_out;
|
|
|
531
|
|
|
532 /* Update the input and output sizes; the updated values are the amount
|
|
|
533 * consumed or written, effectively the inverse of what zlib uses.
|
|
|
534 */
|
|
|
535 if (avail_out > 0)
|
|
|
536 *output_size_ptr -= avail_out;
|
|
|
537
|
|
|
538 if (avail_in > 0)
|
|
|
539 *input_size_ptr -= avail_in;
|
|
|
540
|
|
|
541 /* Ensure png_ptr->zstream.msg is set (even in the success case!) */
|
|
|
542 png_zstream_error(png_ptr, ret);
|
|
|
543 return ret;
|
|
|
544 }
|
|
|
545
|
|
|
546 else
|
|
|
547 {
|
|
|
548 /* This is a bad internal error. The recovery assigns to the zstream msg
|
|
|
549 * pointer, which is not owned by the caller, but this is safe; it's only
|
|
|
550 * used on errors!
|
|
|
551 */
|
|
|
552 png_ptr->zstream.msg = PNGZ_MSG_CAST("zstream unclaimed");
|
|
|
553 return Z_STREAM_ERROR;
|
|
|
554 }
|
|
|
555 }
|
|
|
556
|
|
|
557 /*
|
|
|
558 * Decompress trailing data in a chunk. The assumption is that read_buffer
|
|
|
559 * points at an allocated area holding the contents of a chunk with a
|
|
|
560 * trailing compressed part. What we get back is an allocated area
|
|
|
561 * holding the original prefix part and an uncompressed version of the
|
|
|
562 * trailing part (the malloc area passed in is freed).
|
|
|
563 */
|
|
|
564 static int
|
|
|
565 png_decompress_chunk(png_structrp png_ptr,
|
|
|
566 png_uint_32 chunklength, png_uint_32 prefix_size,
|
|
|
567 png_alloc_size_t *newlength /* must be initialized to the maximum! */,
|
|
|
568 int terminate /*add a '\0' to the end of the uncompressed data*/)
|
|
|
569 {
|
|
|
570 /* TODO: implement different limits for different types of chunk.
|
|
|
571 *
|
|
|
572 * The caller supplies *newlength set to the maximum length of the
|
|
|
573 * uncompressed data, but this routine allocates space for the prefix and
|
|
|
574 * maybe a '\0' terminator too. We have to assume that 'prefix_size' is
|
|
|
575 * limited only by the maximum chunk size.
|
|
|
576 */
|
|
|
577 png_alloc_size_t limit = PNG_SIZE_MAX;
|
|
|
578
|
|
|
579 # ifdef PNG_SET_CHUNK_MALLOC_LIMIT_SUPPORTED
|
|
|
580 if (png_ptr->user_chunk_malloc_max > 0 &&
|
|
|
581 png_ptr->user_chunk_malloc_max < limit)
|
|
|
582 limit = png_ptr->user_chunk_malloc_max;
|
|
|
583 # elif PNG_USER_CHUNK_MALLOC_MAX > 0
|
|
|
584 if (PNG_USER_CHUNK_MALLOC_MAX < limit)
|
|
|
585 limit = PNG_USER_CHUNK_MALLOC_MAX;
|
|
|
586 # endif
|
|
|
587
|
|
|
588 if (limit >= prefix_size + (terminate != 0))
|
|
|
589 {
|
|
|
590 int ret;
|
|
|
591
|
|
|
592 limit -= prefix_size + (terminate != 0);
|
|
|
593
|
|
|
594 if (limit < *newlength)
|
|
|
595 *newlength = limit;
|
|
|
596
|
|
|
597 /* Now try to claim the stream. */
|
|
|
598 ret = png_inflate_claim(png_ptr, png_ptr->chunk_name);
|
|
|
599
|
|
|
600 if (ret == Z_OK)
|
|
|
601 {
|
|
|
602 png_uint_32 lzsize = chunklength - prefix_size;
|
|
|
603
|
|
|
604 ret = png_inflate(png_ptr, png_ptr->chunk_name, 1/*finish*/,
|
|
|
605 /* input: */ png_ptr->read_buffer + prefix_size, &lzsize,
|
|
|
606 /* output: */ NULL, newlength);
|
|
|
607
|
|
|
608 if (ret == Z_STREAM_END)
|
|
|
609 {
|
|
|
610 /* Use 'inflateReset' here, not 'inflateReset2' because this
|
|
|
611 * preserves the previously decided window size (otherwise it would
|
|
|
612 * be necessary to store the previous window size.) In practice
|
|
|
613 * this doesn't matter anyway, because png_inflate will call inflate
|
|
|
614 * with Z_FINISH in almost all cases, so the window will not be
|
|
|
615 * maintained.
|
|
|
616 */
|
|
|
617 if (inflateReset(&png_ptr->zstream) == Z_OK)
|
|
|
618 {
|
|
|
619 /* Because of the limit checks above we know that the new,
|
|
|
620 * expanded, size will fit in a size_t (let alone an
|
|
|
621 * png_alloc_size_t). Use png_malloc_base here to avoid an
|
|
|
622 * extra OOM message.
|
|
|
623 */
|
|
|
624 png_alloc_size_t new_size = *newlength;
|
|
|
625 png_alloc_size_t buffer_size = prefix_size + new_size +
|
|
|
626 (terminate != 0);
|
|
|
627 png_bytep text = png_voidcast(png_bytep, png_malloc_base(png_ptr,
|
|
|
628 buffer_size));
|
|
|
629
|
|
|
630 if (text != NULL)
|
|
|
631 {
|
|
|
632 ret = png_inflate(png_ptr, png_ptr->chunk_name, 1/*finish*/,
|
|
|
633 png_ptr->read_buffer + prefix_size, &lzsize,
|
|
|
634 text + prefix_size, newlength);
|
|
|
635
|
|
|
636 if (ret == Z_STREAM_END)
|
|
|
637 {
|
|
|
638 if (new_size == *newlength)
|
|
|
639 {
|
|
|
640 if (terminate)
|
|
|
641 text[prefix_size + *newlength] = 0;
|
|
|
642
|
|
|
643 if (prefix_size > 0)
|
|
|
644 memcpy(text, png_ptr->read_buffer, prefix_size);
|
|
|
645
|
|
|
646 {
|
|
|
647 png_bytep old_ptr = png_ptr->read_buffer;
|
|
|
648
|
|
|
649 png_ptr->read_buffer = text;
|
|
|
650 png_ptr->read_buffer_size = buffer_size;
|
|
|
651 text = old_ptr; /* freed below */
|
|
|
652 }
|
|
|
653 }
|
|
|
654
|
|
|
655 else
|
|
|
656 {
|
|
|
657 /* The size changed on the second read, there can be no
|
|
|
658 * guarantee that anything is correct at this point.
|
|
|
659 * The 'msg' pointer has been set to "unexpected end of
|
|
|
660 * LZ stream", which is fine, but return an error code
|
|
|
661 * that the caller won't accept.
|
|
|
662 */
|
|
|
663 ret = PNG_UNEXPECTED_ZLIB_RETURN;
|
|
|
664 }
|
|
|
665 }
|
|
|
666
|
|
|
667 else if (ret == Z_OK)
|
|
|
668 ret = PNG_UNEXPECTED_ZLIB_RETURN; /* for safety */
|
|
|
669
|
|
|
670 /* Free the text pointer (this is the old read_buffer on
|
|
|
671 * success)
|
|
|
672 */
|
|
|
673 png_free(png_ptr, text);
|
|
|
674
|
|
|
675 /* This really is very benign, but it's still an error because
|
|
|
676 * the extra space may otherwise be used as a Trojan Horse.
|
|
|
677 */
|
|
|
678 if (ret == Z_STREAM_END &&
|
|
|
679 chunklength - prefix_size != lzsize)
|
|
|
680 png_chunk_benign_error(png_ptr, "extra compressed data");
|
|
|
681 }
|
|
|
682
|
|
|
683 else
|
|
|
684 {
|
|
|
685 /* Out of memory allocating the buffer */
|
|
|
686 ret = Z_MEM_ERROR;
|
|
|
687 png_zstream_error(png_ptr, Z_MEM_ERROR);
|
|
|
688 }
|
|
|
689 }
|
|
|
690
|
|
|
691 else
|
|
|
692 {
|
|
|
693 /* inflateReset failed, store the error message */
|
|
|
694 png_zstream_error(png_ptr, ret);
|
|
|
695
|
|
|
696 if (ret == Z_STREAM_END)
|
|
|
697 ret = PNG_UNEXPECTED_ZLIB_RETURN;
|
|
|
698 }
|
|
|
699 }
|
|
|
700
|
|
|
701 else if (ret == Z_OK)
|
|
|
702 ret = PNG_UNEXPECTED_ZLIB_RETURN;
|
|
|
703
|
|
|
704 /* Release the claimed stream */
|
|
|
705 png_ptr->zowner = 0;
|
|
|
706 }
|
|
|
707
|
|
|
708 else /* the claim failed */ if (ret == Z_STREAM_END) /* impossible! */
|
|
|
709 ret = PNG_UNEXPECTED_ZLIB_RETURN;
|
|
|
710
|
|
|
711 return ret;
|
|
|
712 }
|
|
|
713
|
|
|
714 else
|
|
|
715 {
|
|
|
716 /* Application/configuration limits exceeded */
|
|
|
717 png_zstream_error(png_ptr, Z_MEM_ERROR);
|
|
|
718 return Z_MEM_ERROR;
|
|
|
719 }
|
|
|
720 }
|
|
|
721 #endif /* PNG_READ_COMPRESSED_TEXT_SUPPORTED */
|
|
|
722
|
|
|
723 #ifdef PNG_READ_iCCP_SUPPORTED
|
|
|
724 /* Perform a partial read and decompress, producing 'avail_out' bytes and
|
|
|
725 * reading from the current chunk as required.
|
|
|
726 */
|
|
|
727 static int
|
|
|
728 png_inflate_read(png_structrp png_ptr, png_bytep read_buffer, uInt read_size,
|
|
|
729 png_uint_32p chunk_bytes, png_bytep next_out, png_alloc_size_t *out_size,
|
|
|
730 int finish)
|
|
|
731 {
|
|
|
732 if (png_ptr->zowner == png_ptr->chunk_name)
|
|
|
733 {
|
|
|
734 int ret;
|
|
|
735
|
|
|
736 /* next_in and avail_in must have been initialized by the caller. */
|
|
|
737 png_ptr->zstream.next_out = next_out;
|
|
|
738 png_ptr->zstream.avail_out = 0; /* set in the loop */
|
|
|
739
|
|
|
740 do
|
|
|
741 {
|
|
|
742 if (png_ptr->zstream.avail_in == 0)
|
|
|
743 {
|
|
|
744 if (read_size > *chunk_bytes)
|
|
|
745 read_size = (uInt)*chunk_bytes;
|
|
|
746 *chunk_bytes -= read_size;
|
|
|
747
|
|
|
748 if (read_size > 0)
|
|
|
749 png_crc_read(png_ptr, read_buffer, read_size);
|
|
|
750
|
|
|
751 png_ptr->zstream.next_in = read_buffer;
|
|
|
752 png_ptr->zstream.avail_in = read_size;
|
|
|
753 }
|
|
|
754
|
|
|
755 if (png_ptr->zstream.avail_out == 0)
|
|
|
756 {
|
|
|
757 uInt avail = ZLIB_IO_MAX;
|
|
|
758 if (avail > *out_size)
|
|
|
759 avail = (uInt)*out_size;
|
|
|
760 *out_size -= avail;
|
|
|
761
|
|
|
762 png_ptr->zstream.avail_out = avail;
|
|
|
763 }
|
|
|
764
|
|
|
765 /* Use Z_SYNC_FLUSH when there is no more chunk data to ensure that all
|
|
|
766 * the available output is produced; this allows reading of truncated
|
|
|
767 * streams.
|
|
|
768 */
|
|
|
769 ret = inflate(&png_ptr->zstream,
|
|
|
770 *chunk_bytes > 0 ? Z_NO_FLUSH : (finish ? Z_FINISH : Z_SYNC_FLUSH));
|
|
|
771 }
|
|
|
772 while (ret == Z_OK && (*out_size > 0 || png_ptr->zstream.avail_out > 0));
|
|
|
773
|
|
|
774 *out_size += png_ptr->zstream.avail_out;
|
|
|
775 png_ptr->zstream.avail_out = 0; /* Should not be required, but is safe */
|
|
|
776
|
|
|
777 /* Ensure the error message pointer is always set: */
|
|
|
778 png_zstream_error(png_ptr, ret);
|
|
|
779 return ret;
|
|
|
780 }
|
|
|
781
|
|
|
782 else
|
|
|
783 {
|
|
|
784 png_ptr->zstream.msg = PNGZ_MSG_CAST("zstream unclaimed");
|
|
|
785 return Z_STREAM_ERROR;
|
|
|
786 }
|
|
|
787 }
|
|
|
788 #endif
|
|
|
789
|
|
|
790 /* Read and check the IDHR chunk */
|
|
|
791 void /* PRIVATE */
|
|
|
792 png_handle_IHDR(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
|
|
|
793 {
|
|
|
794 png_byte buf[13];
|
|
|
795 png_uint_32 width, height;
|
|
|
796 int bit_depth, color_type, compression_type, filter_type;
|
|
|
797 int interlace_type;
|
|
|
798
|
|
|
799 png_debug(1, "in png_handle_IHDR");
|
|
|
800
|
|
|
801 if (png_ptr->mode & PNG_HAVE_IHDR)
|
|
|
802 png_chunk_error(png_ptr, "out of place");
|
|
|
803
|
|
|
804 /* Check the length */
|
|
|
805 if (length != 13)
|
|
|
806 png_chunk_error(png_ptr, "invalid");
|
|
|
807
|
|
|
808 png_ptr->mode |= PNG_HAVE_IHDR;
|
|
|
809
|
|
|
810 png_crc_read(png_ptr, buf, 13);
|
|
|
811 png_crc_finish(png_ptr, 0);
|
|
|
812
|
|
|
813 width = png_get_uint_31(png_ptr, buf);
|
|
|
814 height = png_get_uint_31(png_ptr, buf + 4);
|
|
|
815 bit_depth = buf[8];
|
|
|
816 color_type = buf[9];
|
|
|
817 compression_type = buf[10];
|
|
|
818 filter_type = buf[11];
|
|
|
819 interlace_type = buf[12];
|
|
|
820
|
|
|
821 /* Set internal variables */
|
|
|
822 png_ptr->width = width;
|
|
|
823 png_ptr->height = height;
|
|
|
824 png_ptr->bit_depth = (png_byte)bit_depth;
|
|
|
825 png_ptr->interlaced = (png_byte)interlace_type;
|
|
|
826 png_ptr->color_type = (png_byte)color_type;
|
|
|
827 #ifdef PNG_MNG_FEATURES_SUPPORTED
|
|
|
828 png_ptr->filter_type = (png_byte)filter_type;
|
|
|
829 #endif
|
|
|
830 png_ptr->compression_type = (png_byte)compression_type;
|
|
|
831
|
|
|
832 /* Find number of channels */
|
|
|
833 switch (png_ptr->color_type)
|
|
|
834 {
|
|
|
835 default: /* invalid, png_set_IHDR calls png_error */
|
|
|
836 case PNG_COLOR_TYPE_GRAY:
|
|
|
837 case PNG_COLOR_TYPE_PALETTE:
|
|
|
838 png_ptr->channels = 1;
|
|
|
839 break;
|
|
|
840
|
|
|
841 case PNG_COLOR_TYPE_RGB:
|
|
|
842 png_ptr->channels = 3;
|
|
|
843 break;
|
|
|
844
|
|
|
845 case PNG_COLOR_TYPE_GRAY_ALPHA:
|
|
|
846 png_ptr->channels = 2;
|
|
|
847 break;
|
|
|
848
|
|
|
849 case PNG_COLOR_TYPE_RGB_ALPHA:
|
|
|
850 png_ptr->channels = 4;
|
|
|
851 break;
|
|
|
852 }
|
|
|
853
|
|
|
854 /* Set up other useful info */
|
|
|
855 png_ptr->pixel_depth = (png_byte)(png_ptr->bit_depth *
|
|
|
856 png_ptr->channels);
|
|
|
857 png_ptr->rowbytes = PNG_ROWBYTES(png_ptr->pixel_depth, png_ptr->width);
|
|
|
858 png_debug1(3, "bit_depth = %d", png_ptr->bit_depth);
|
|
|
859 png_debug1(3, "channels = %d", png_ptr->channels);
|
|
|
860 png_debug1(3, "rowbytes = %lu", (unsigned long)png_ptr->rowbytes);
|
|
|
861 png_set_IHDR(png_ptr, info_ptr, width, height, bit_depth,
|
|
|
862 color_type, interlace_type, compression_type, filter_type);
|
|
|
863 }
|
|
|
864
|
|
|
865 /* Read and check the palette */
|
|
|
866 void /* PRIVATE */
|
|
|
867 png_handle_PLTE(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
|
|
|
868 {
|
|
|
869 png_color palette[PNG_MAX_PALETTE_LENGTH];
|
|
|
870 int num, i;
|
|
|
871 #ifdef PNG_POINTER_INDEXING_SUPPORTED
|
|
|
872 png_colorp pal_ptr;
|
|
|
873 #endif
|
|
|
874
|
|
|
875 png_debug(1, "in png_handle_PLTE");
|
|
|
876
|
|
|
877 if (!(png_ptr->mode & PNG_HAVE_IHDR))
|
|
|
878 png_chunk_error(png_ptr, "missing IHDR");
|
|
|
879
|
|
|
880 /* Moved to before the 'after IDAT' check below because otherwise duplicate
|
|
|
881 * PLTE chunks are potentially ignored (the spec says there shall not be more
|
|
|
882 * than one PLTE, the error is not treated as benign, so this check trumps
|
|
|
883 * the requirement that PLTE appears before IDAT.)
|
|
|
884 */
|
|
|
885 else if (png_ptr->mode & PNG_HAVE_PLTE)
|
|
|
886 png_chunk_error(png_ptr, "duplicate");
|
|
|
887
|
|
|
888 else if (png_ptr->mode & PNG_HAVE_IDAT)
|
|
|
889 {
|
|
|
890 /* This is benign because the non-benign error happened before, when an
|
|
|
891 * IDAT was encountered in a color-mapped image with no PLTE.
|
|
|
892 */
|
|
|
893 png_crc_finish(png_ptr, length);
|
|
|
894 png_chunk_benign_error(png_ptr, "out of place");
|
|
|
895 return;
|
|
|
896 }
|
|
|
897
|
|
|
898 png_ptr->mode |= PNG_HAVE_PLTE;
|
|
|
899
|
|
|
900 if (!(png_ptr->color_type & PNG_COLOR_MASK_COLOR))
|
|
|
901 {
|
|
|
902 png_crc_finish(png_ptr, length);
|
|
|
903 png_chunk_benign_error(png_ptr, "ignored in grayscale PNG");
|
|
|
904 return;
|
|
|
905 }
|
|
|
906
|
|
|
907 #ifndef PNG_READ_OPT_PLTE_SUPPORTED
|
|
|
908 if (png_ptr->color_type != PNG_COLOR_TYPE_PALETTE)
|
|
|
909 {
|
|
|
910 png_crc_finish(png_ptr, length);
|
|
|
911 return;
|
|
|
912 }
|
|
|
913 #endif
|
|
|
914
|
|
|
915 if (length > 3*PNG_MAX_PALETTE_LENGTH || length % 3)
|
|
|
916 {
|
|
|
917 png_crc_finish(png_ptr, length);
|
|
|
918
|
|
|
919 if (png_ptr->color_type != PNG_COLOR_TYPE_PALETTE)
|
|
|
920 png_chunk_benign_error(png_ptr, "invalid");
|
|
|
921
|
|
|
922 else
|
|
|
923 png_chunk_error(png_ptr, "invalid");
|
|
|
924
|
|
|
925 return;
|
|
|
926 }
|
|
|
927
|
|
|
928 /* The cast is safe because 'length' is less than 3*PNG_MAX_PALETTE_LENGTH */
|
|
|
929 num = (int)length / 3;
|
|
|
930
|
|
|
931 #ifdef PNG_POINTER_INDEXING_SUPPORTED
|
|
|
932 for (i = 0, pal_ptr = palette; i < num; i++, pal_ptr++)
|
|
|
933 {
|
|
|
934 png_byte buf[3];
|
|
|
935
|
|
|
936 png_crc_read(png_ptr, buf, 3);
|
|
|
937 pal_ptr->red = buf[0];
|
|
|
938 pal_ptr->green = buf[1];
|
|
|
939 pal_ptr->blue = buf[2];
|
|
|
940 }
|
|
|
941 #else
|
|
|
942 for (i = 0; i < num; i++)
|
|
|
943 {
|
|
|
944 png_byte buf[3];
|
|
|
945
|
|
|
946 png_crc_read(png_ptr, buf, 3);
|
|
|
947 /* Don't depend upon png_color being any order */
|
|
|
948 palette[i].red = buf[0];
|
|
|
949 palette[i].green = buf[1];
|
|
|
950 palette[i].blue = buf[2];
|
|
|
951 }
|
|
|
952 #endif
|
|
|
953
|
|
|
954 /* If we actually need the PLTE chunk (ie for a paletted image), we do
|
|
|
955 * whatever the normal CRC configuration tells us. However, if we
|
|
|
956 * have an RGB image, the PLTE can be considered ancillary, so
|
|
|
957 * we will act as though it is.
|
|
|
958 */
|
|
|
959 #ifndef PNG_READ_OPT_PLTE_SUPPORTED
|
|
|
960 if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
|
|
|
961 #endif
|
|
|
962 {
|
|
|
963 png_crc_finish(png_ptr, 0);
|
|
|
964 }
|
|
|
965
|
|
|
966 #ifndef PNG_READ_OPT_PLTE_SUPPORTED
|
|
|
967 else if (png_crc_error(png_ptr)) /* Only if we have a CRC error */
|
|
|
968 {
|
|
|
969 /* If we don't want to use the data from an ancillary chunk,
|
|
|
970 * we have two options: an error abort, or a warning and we
|
|
|
971 * ignore the data in this chunk (which should be OK, since
|
|
|
972 * it's considered ancillary for a RGB or RGBA image).
|
|
|
973 *
|
|
|
974 * IMPLEMENTATION NOTE: this is only here because png_crc_finish uses the
|
|
|
975 * chunk type to determine whether to check the ancillary or the critical
|
|
|
976 * flags.
|
|
|
977 */
|
|
|
978 if (!(png_ptr->flags & PNG_FLAG_CRC_ANCILLARY_USE))
|
|
|
979 {
|
|
|
980 if (png_ptr->flags & PNG_FLAG_CRC_ANCILLARY_NOWARN)
|
|
|
981 return;
|
|
|
982
|
|
|
983 else
|
|
|
984 png_chunk_error(png_ptr, "CRC error");
|
|
|
985 }
|
|
|
986
|
|
|
987 /* Otherwise, we (optionally) emit a warning and use the chunk. */
|
|
|
988 else if (!(png_ptr->flags & PNG_FLAG_CRC_ANCILLARY_NOWARN))
|
|
|
989 png_chunk_warning(png_ptr, "CRC error");
|
|
|
990 }
|
|
|
991 #endif
|
|
|
992
|
|
|
993 /* TODO: png_set_PLTE has the side effect of setting png_ptr->palette to its
|
|
|
994 * own copy of the palette. This has the side effect that when png_start_row
|
|
|
995 * is called (this happens after any call to png_read_update_info) the
|
|
|
996 * info_ptr palette gets changed. This is extremely unexpected and
|
|
|
997 * confusing.
|
|
|
998 *
|
|
|
999 * Fix this by not sharing the palette in this way.
|
|
|
1000 */
|
|
|
1001 png_set_PLTE(png_ptr, info_ptr, palette, num);
|
|
|
1002
|
|
|
1003 /* The three chunks, bKGD, hIST and tRNS *must* appear after PLTE and before
|
|
|
1004 * IDAT. Prior to 1.6.0 this was not checked; instead the code merely
|
|
|
1005 * checked the apparent validity of a tRNS chunk inserted before PLTE on a
|
|
|
1006 * palette PNG. 1.6.0 attempts to rigorously follow the standard and
|
|
|
1007 * therefore does a benign error if the erroneous condition is detected *and*
|
|
|
1008 * cancels the tRNS if the benign error returns. The alternative is to
|
|
|
1009 * amend the standard since it would be rather hypocritical of the standards
|
|
|
1010 * maintainers to ignore it.
|
|
|
1011 */
|
|
|
1012 #ifdef PNG_READ_tRNS_SUPPORTED
|
|
|
1013 if (png_ptr->num_trans > 0 ||
|
|
|
1014 (info_ptr != NULL && (info_ptr->valid & PNG_INFO_tRNS) != 0))
|
|
|
1015 {
|
|
|
1016 /* Cancel this because otherwise it would be used if the transforms
|
|
|
1017 * require it. Don't cancel the 'valid' flag because this would prevent
|
|
|
1018 * detection of duplicate chunks.
|
|
|
1019 */
|
|
|
1020 png_ptr->num_trans = 0;
|
|
|
1021
|
|
|
1022 if (info_ptr != NULL)
|
|
|
1023 info_ptr->num_trans = 0;
|
|
|
1024
|
|
|
1025 png_chunk_benign_error(png_ptr, "tRNS must be after");
|
|
|
1026 }
|
|
|
1027 #endif
|
|
|
1028
|
|
|
1029 #ifdef PNG_READ_hIST_SUPPORTED
|
|
|
1030 if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_hIST) != 0)
|
|
|
1031 png_chunk_benign_error(png_ptr, "hIST must be after");
|
|
|
1032 #endif
|
|
|
1033
|
|
|
1034 #ifdef PNG_READ_bKGD_SUPPORTED
|
|
|
1035 if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_bKGD) != 0)
|
|
|
1036 png_chunk_benign_error(png_ptr, "bKGD must be after");
|
|
|
1037 #endif
|
|
|
1038 }
|
|
|
1039
|
|
|
1040 void /* PRIVATE */
|
|
|
1041 png_handle_IEND(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
|
|
|
1042 {
|
|
|
1043 png_debug(1, "in png_handle_IEND");
|
|
|
1044
|
|
|
1045 if (!(png_ptr->mode & PNG_HAVE_IHDR) || !(png_ptr->mode & PNG_HAVE_IDAT))
|
|
|
1046 png_chunk_error(png_ptr, "out of place");
|
|
|
1047
|
|
|
1048 png_ptr->mode |= (PNG_AFTER_IDAT | PNG_HAVE_IEND);
|
|
|
1049
|
|
|
1050 png_crc_finish(png_ptr, length);
|
|
|
1051
|
|
|
1052 if (length != 0)
|
|
|
1053 png_chunk_benign_error(png_ptr, "invalid");
|
|
|
1054
|
|
|
1055 PNG_UNUSED(info_ptr)
|
|
|
1056 }
|
|
|
1057
|
|
|
1058 #ifdef PNG_READ_gAMA_SUPPORTED
|
|
|
1059 void /* PRIVATE */
|
|
|
1060 png_handle_gAMA(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
|
|
|
1061 {
|
|
|
1062 png_fixed_point igamma;
|
|
|
1063 png_byte buf[4];
|
|
|
1064
|
|
|
1065 png_debug(1, "in png_handle_gAMA");
|
|
|
1066
|
|
|
1067 if (!(png_ptr->mode & PNG_HAVE_IHDR))
|
|
|
1068 png_chunk_error(png_ptr, "missing IHDR");
|
|
|
1069
|
|
|
1070 else if (png_ptr->mode & (PNG_HAVE_IDAT|PNG_HAVE_PLTE))
|
|
|
1071 {
|
|
|
1072 png_crc_finish(png_ptr, length);
|
|
|
1073 png_chunk_benign_error(png_ptr, "out of place");
|
|
|
1074 return;
|
|
|
1075 }
|
|
|
1076
|
|
|
1077 if (length != 4)
|
|
|
1078 {
|
|
|
1079 png_crc_finish(png_ptr, length);
|
|
|
1080 png_chunk_benign_error(png_ptr, "invalid");
|
|
|
1081 return;
|
|
|
1082 }
|
|
|
1083
|
|
|
1084 png_crc_read(png_ptr, buf, 4);
|
|
|
1085
|
|
|
1086 if (png_crc_finish(png_ptr, 0))
|
|
|
1087 return;
|
|
|
1088
|
|
|
1089 igamma = png_get_fixed_point(NULL, buf);
|
|
|
1090
|
|
|
1091 png_colorspace_set_gamma(png_ptr, &png_ptr->colorspace, igamma);
|
|
|
1092 png_colorspace_sync(png_ptr, info_ptr);
|
|
|
1093 }
|
|
|
1094 #endif
|
|
|
1095
|
|
|
1096 #ifdef PNG_READ_sBIT_SUPPORTED
|
|
|
1097 void /* PRIVATE */
|
|
|
1098 png_handle_sBIT(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
|
|
|
1099 {
|
|
|
1100 unsigned int truelen, i;
|
|
|
1101 png_byte sample_depth;
|
|
|
1102 png_byte buf[4];
|
|
|
1103
|
|
|
1104 png_debug(1, "in png_handle_sBIT");
|
|
|
1105
|
|
|
1106 if (!(png_ptr->mode & PNG_HAVE_IHDR))
|
|
|
1107 png_chunk_error(png_ptr, "missing IHDR");
|
|
|
1108
|
|
|
1109 else if (png_ptr->mode & (PNG_HAVE_IDAT|PNG_HAVE_PLTE))
|
|
|
1110 {
|
|
|
1111 png_crc_finish(png_ptr, length);
|
|
|
1112 png_chunk_benign_error(png_ptr, "out of place");
|
|
|
1113 return;
|
|
|
1114 }
|
|
|
1115
|
|
|
1116 if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_sBIT))
|
|
|
1117 {
|
|
|
1118 png_crc_finish(png_ptr, length);
|
|
|
1119 png_chunk_benign_error(png_ptr, "duplicate");
|
|
|
1120 return;
|
|
|
1121 }
|
|
|
1122
|
|
|
1123 if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
|
|
|
1124 {
|
|
|
1125 truelen = 3;
|
|
|
1126 sample_depth = 8;
|
|
|
1127 }
|
|
|
1128
|
|
|
1129 else
|
|
|
1130 {
|
|
|
1131 truelen = png_ptr->channels;
|
|
|
1132 sample_depth = png_ptr->bit_depth;
|
|
|
1133 }
|
|
|
1134
|
|
|
1135 if (length != truelen || length > 4)
|
|
|
1136 {
|
|
|
1137 png_chunk_benign_error(png_ptr, "invalid");
|
|
|
1138 png_crc_finish(png_ptr, length);
|
|
|
1139 return;
|
|
|
1140 }
|
|
|
1141
|
|
|
1142 buf[0] = buf[1] = buf[2] = buf[3] = sample_depth;
|
|
|
1143 png_crc_read(png_ptr, buf, truelen);
|
|
|
1144
|
|
|
1145 if (png_crc_finish(png_ptr, 0))
|
|
|
1146 return;
|
|
|
1147
|
|
|
1148 for (i=0; i<truelen; ++i)
|
|
|
1149 if (buf[i] == 0 || buf[i] > sample_depth)
|
|
|
1150 {
|
|
|
1151 png_chunk_benign_error(png_ptr, "invalid");
|
|
|
1152 return;
|
|
|
1153 }
|
|
|
1154
|
|
|
1155 if (png_ptr->color_type & PNG_COLOR_MASK_COLOR)
|
|
|
1156 {
|
|
|
1157 png_ptr->sig_bit.red = buf[0];
|
|
|
1158 png_ptr->sig_bit.green = buf[1];
|
|
|
1159 png_ptr->sig_bit.blue = buf[2];
|
|
|
1160 png_ptr->sig_bit.alpha = buf[3];
|
|
|
1161 }
|
|
|
1162
|
|
|
1163 else
|
|
|
1164 {
|
|
|
1165 png_ptr->sig_bit.gray = buf[0];
|
|
|
1166 png_ptr->sig_bit.red = buf[0];
|
|
|
1167 png_ptr->sig_bit.green = buf[0];
|
|
|
1168 png_ptr->sig_bit.blue = buf[0];
|
|
|
1169 png_ptr->sig_bit.alpha = buf[1];
|
|
|
1170 }
|
|
|
1171
|
|
|
1172 png_set_sBIT(png_ptr, info_ptr, &(png_ptr->sig_bit));
|
|
|
1173 }
|
|
|
1174 #endif
|
|
|
1175
|
|
|
1176 #ifdef PNG_READ_cHRM_SUPPORTED
|
|
|
1177 void /* PRIVATE */
|
|
|
1178 png_handle_cHRM(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
|
|
|
1179 {
|
|
|
1180 png_byte buf[32];
|
|
|
1181 png_xy xy;
|
|
|
1182
|
|
|
1183 png_debug(1, "in png_handle_cHRM");
|
|
|
1184
|
|
|
1185 if (!(png_ptr->mode & PNG_HAVE_IHDR))
|
|
|
1186 png_chunk_error(png_ptr, "missing IHDR");
|
|
|
1187
|
|
|
1188 else if (png_ptr->mode & (PNG_HAVE_IDAT|PNG_HAVE_PLTE))
|
|
|
1189 {
|
|
|
1190 png_crc_finish(png_ptr, length);
|
|
|
1191 png_chunk_benign_error(png_ptr, "out of place");
|
|
|
1192 return;
|
|
|
1193 }
|
|
|
1194
|
|
|
1195 if (length != 32)
|
|
|
1196 {
|
|
|
1197 png_crc_finish(png_ptr, length);
|
|
|
1198 png_chunk_benign_error(png_ptr, "invalid");
|
|
|
1199 return;
|
|
|
1200 }
|
|
|
1201
|
|
|
1202 png_crc_read(png_ptr, buf, 32);
|
|
|
1203
|
|
|
1204 if (png_crc_finish(png_ptr, 0))
|
|
|
1205 return;
|
|
|
1206
|
|
|
1207 xy.whitex = png_get_fixed_point(NULL, buf);
|
|
|
1208 xy.whitey = png_get_fixed_point(NULL, buf + 4);
|
|
|
1209 xy.redx = png_get_fixed_point(NULL, buf + 8);
|
|
|
1210 xy.redy = png_get_fixed_point(NULL, buf + 12);
|
|
|
1211 xy.greenx = png_get_fixed_point(NULL, buf + 16);
|
|
|
1212 xy.greeny = png_get_fixed_point(NULL, buf + 20);
|
|
|
1213 xy.bluex = png_get_fixed_point(NULL, buf + 24);
|
|
|
1214 xy.bluey = png_get_fixed_point(NULL, buf + 28);
|
|
|
1215
|
|
|
1216 if (xy.whitex == PNG_FIXED_ERROR ||
|
|
|
1217 xy.whitey == PNG_FIXED_ERROR ||
|
|
|
1218 xy.redx == PNG_FIXED_ERROR ||
|
|
|
1219 xy.redy == PNG_FIXED_ERROR ||
|
|
|
1220 xy.greenx == PNG_FIXED_ERROR ||
|
|
|
1221 xy.greeny == PNG_FIXED_ERROR ||
|
|
|
1222 xy.bluex == PNG_FIXED_ERROR ||
|
|
|
1223 xy.bluey == PNG_FIXED_ERROR)
|
|
|
1224 {
|
|
|
1225 png_chunk_benign_error(png_ptr, "invalid values");
|
|
|
1226 return;
|
|
|
1227 }
|
|
|
1228
|
|
|
1229 /* If a colorspace error has already been output skip this chunk */
|
|
|
1230 if (png_ptr->colorspace.flags & PNG_COLORSPACE_INVALID)
|
|
|
1231 return;
|
|
|
1232
|
|
|
1233 if (png_ptr->colorspace.flags & PNG_COLORSPACE_FROM_cHRM)
|
|
|
1234 {
|
|
|
1235 png_ptr->colorspace.flags |= PNG_COLORSPACE_INVALID;
|
|
|
1236 png_colorspace_sync(png_ptr, info_ptr);
|
|
|
1237 png_chunk_benign_error(png_ptr, "duplicate");
|
|
|
1238 return;
|
|
|
1239 }
|
|
|
1240
|
|
|
1241 png_ptr->colorspace.flags |= PNG_COLORSPACE_FROM_cHRM;
|
|
|
1242 (void)png_colorspace_set_chromaticities(png_ptr, &png_ptr->colorspace, &xy,
|
|
|
1243 1/*prefer cHRM values*/);
|
|
|
1244 png_colorspace_sync(png_ptr, info_ptr);
|
|
|
1245 }
|
|
|
1246 #endif
|
|
|
1247
|
|
|
1248 #ifdef PNG_READ_sRGB_SUPPORTED
|
|
|
1249 void /* PRIVATE */
|
|
|
1250 png_handle_sRGB(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
|
|
|
1251 {
|
|
|
1252 png_byte intent;
|
|
|
1253
|
|
|
1254 png_debug(1, "in png_handle_sRGB");
|
|
|
1255
|
|
|
1256 if (!(png_ptr->mode & PNG_HAVE_IHDR))
|
|
|
1257 png_chunk_error(png_ptr, "missing IHDR");
|
|
|
1258
|
|
|
1259 else if (png_ptr->mode & (PNG_HAVE_IDAT|PNG_HAVE_PLTE))
|
|
|
1260 {
|
|
|
1261 png_crc_finish(png_ptr, length);
|
|
|
1262 png_chunk_benign_error(png_ptr, "out of place");
|
|
|
1263 return;
|
|
|
1264 }
|
|
|
1265
|
|
|
1266 if (length != 1)
|
|
|
1267 {
|
|
|
1268 png_crc_finish(png_ptr, length);
|
|
|
1269 png_chunk_benign_error(png_ptr, "invalid");
|
|
|
1270 return;
|
|
|
1271 }
|
|
|
1272
|
|
|
1273 png_crc_read(png_ptr, &intent, 1);
|
|
|
1274
|
|
|
1275 if (png_crc_finish(png_ptr, 0))
|
|
|
1276 return;
|
|
|
1277
|
|
|
1278 /* If a colorspace error has already been output skip this chunk */
|
|
|
1279 if (png_ptr->colorspace.flags & PNG_COLORSPACE_INVALID)
|
|
|
1280 return;
|
|
|
1281
|
|
|
1282 /* Only one sRGB or iCCP chunk is allowed, use the HAVE_INTENT flag to detect
|
|
|
1283 * this.
|
|
|
1284 */
|
|
|
1285 if (png_ptr->colorspace.flags & PNG_COLORSPACE_HAVE_INTENT)
|
|
|
1286 {
|
|
|
1287 png_ptr->colorspace.flags |= PNG_COLORSPACE_INVALID;
|
|
|
1288 png_colorspace_sync(png_ptr, info_ptr);
|
|
|
1289 png_chunk_benign_error(png_ptr, "too many profiles");
|
|
|
1290 return;
|
|
|
1291 }
|
|
|
1292
|
|
|
1293 (void)png_colorspace_set_sRGB(png_ptr, &png_ptr->colorspace, intent);
|
|
|
1294 png_colorspace_sync(png_ptr, info_ptr);
|
|
|
1295 }
|
|
|
1296 #endif /* PNG_READ_sRGB_SUPPORTED */
|
|
|
1297
|
|
|
1298 #ifdef PNG_READ_iCCP_SUPPORTED
|
|
|
1299 void /* PRIVATE */
|
|
|
1300 png_handle_iCCP(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
|
|
|
1301 /* Note: this does not properly handle profiles that are > 64K under DOS */
|
|
|
1302 {
|
|
|
1303 png_const_charp errmsg = NULL; /* error message output, or no error */
|
|
|
1304 int finished = 0; /* crc checked */
|
|
|
1305
|
|
|
1306 png_debug(1, "in png_handle_iCCP");
|
|
|
1307
|
|
|
1308 if (!(png_ptr->mode & PNG_HAVE_IHDR))
|
|
|
1309 png_chunk_error(png_ptr, "missing IHDR");
|
|
|
1310
|
|
|
1311 else if (png_ptr->mode & (PNG_HAVE_IDAT|PNG_HAVE_PLTE))
|
|
|
1312 {
|
|
|
1313 png_crc_finish(png_ptr, length);
|
|
|
1314 png_chunk_benign_error(png_ptr, "out of place");
|
|
|
1315 return;
|
|
|
1316 }
|
|
|
1317
|
|
|
1318 /* Consistent with all the above colorspace handling an obviously *invalid*
|
|
|
1319 * chunk is just ignored, so does not invalidate the color space. An
|
|
|
1320 * alternative is to set the 'invalid' flags at the start of this routine
|
|
|
1321 * and only clear them in they were not set before and all the tests pass.
|
|
|
1322 * The minimum 'deflate' stream is assumed to be just the 2 byte header and 4
|
|
|
1323 * byte checksum. The keyword must be one character and there is a
|
|
|
1324 * terminator (0) byte and the compression method.
|
|
|
1325 */
|
|
|
1326 if (length < 9)
|
|
|
1327 {
|
|
|
1328 png_crc_finish(png_ptr, length);
|
|
|
1329 png_chunk_benign_error(png_ptr, "too short");
|
|
|
1330 return;
|
|
|
1331 }
|
|
|
1332
|
|
|
1333 /* If a colorspace error has already been output skip this chunk */
|
|
|
1334 if (png_ptr->colorspace.flags & PNG_COLORSPACE_INVALID)
|
|
|
1335 {
|
|
|
1336 png_crc_finish(png_ptr, length);
|
|
|
1337 return;
|
|
|
1338 }
|
|
|
1339
|
|
|
1340 /* Only one sRGB or iCCP chunk is allowed, use the HAVE_INTENT flag to detect
|
|
|
1341 * this.
|
|
|
1342 */
|
|
|
1343 if ((png_ptr->colorspace.flags & PNG_COLORSPACE_HAVE_INTENT) == 0)
|
|
|
1344 {
|
|
|
1345 uInt read_length, keyword_length;
|
|
|
1346 char keyword[81];
|
|
|
1347
|
|
|
1348 /* Find the keyword; the keyword plus separator and compression method
|
|
|
1349 * bytes can be at most 81 characters long.
|
|
|
1350 */
|
|
|
1351 read_length = 81; /* maximum */
|
|
|
1352 if (read_length > length)
|
|
|
1353 read_length = (uInt)length;
|
|
|
1354
|
|
|
1355 png_crc_read(png_ptr, (png_bytep)keyword, read_length);
|
|
|
1356 length -= read_length;
|
|
|
1357
|
|
|
1358 keyword_length = 0;
|
|
|
1359 while (keyword_length < 80 && keyword_length < read_length &&
|
|
|
1360 keyword[keyword_length] != 0)
|
|
|
1361 ++keyword_length;
|
|
|
1362
|
|
|
1363 /* TODO: make the keyword checking common */
|
|
|
1364 if (keyword_length >= 1 && keyword_length <= 79)
|
|
|
1365 {
|
|
|
1366 /* We only understand '0' compression - deflate - so if we get a
|
|
|
1367 * different value we can't safely decode the chunk.
|
|
|
1368 */
|
|
|
1369 if (keyword_length+1 < read_length &&
|
|
|
1370 keyword[keyword_length+1] == PNG_COMPRESSION_TYPE_BASE)
|
|
|
1371 {
|
|
|
1372 read_length -= keyword_length+2;
|
|
|
1373
|
|
|
1374 if (png_inflate_claim(png_ptr, png_iCCP) == Z_OK)
|
|
|
1375 {
|
|
|
1376 Byte profile_header[132];
|
|
|
1377 Byte local_buffer[PNG_INFLATE_BUF_SIZE];
|
|
|
1378 png_alloc_size_t size = (sizeof profile_header);
|
|
|
1379
|
|
|
1380 png_ptr->zstream.next_in = (Bytef*)keyword + (keyword_length+2);
|
|
|
1381 png_ptr->zstream.avail_in = read_length;
|
|
|
1382 (void)png_inflate_read(png_ptr, local_buffer,
|
|
|
1383 (sizeof local_buffer), &length, profile_header, &size,
|
|
|
1384 0/*finish: don't, because the output is too small*/);
|
|
|
1385
|
|
|
1386 if (size == 0)
|
|
|
1387 {
|
|
|
1388 /* We have the ICC profile header; do the basic header checks.
|
|
|
1389 */
|
|
|
1390 const png_uint_32 profile_length =
|
|
|
1391 png_get_uint_32(profile_header);
|
|
|
1392
|
|
|
1393 if (png_icc_check_length(png_ptr, &png_ptr->colorspace,
|
|
|
1394 keyword, profile_length))
|
|
|
1395 {
|
|
|
1396 /* The length is apparently ok, so we can check the 132
|
|
|
1397 * byte header.
|
|
|
1398 */
|
|
|
1399 if (png_icc_check_header(png_ptr, &png_ptr->colorspace,
|
|
|
1400 keyword, profile_length, profile_header,
|
|
|
1401 png_ptr->color_type))
|
|
|
1402 {
|
|
|
1403 /* Now read the tag table; a variable size buffer is
|
|
|
1404 * needed at this point, allocate one for the whole
|
|
|
1405 * profile. The header check has already validated
|
|
|
1406 * that none of these stuff will overflow.
|
|
|
1407 */
|
|
|
1408 const png_uint_32 tag_count = png_get_uint_32(
|
|
|
1409 profile_header+128);
|
|
|
1410 png_bytep profile = png_read_buffer(png_ptr,
|
|
|
1411 profile_length, 2/*silent*/);
|
|
|
1412
|
|
|
1413 if (profile != NULL)
|
|
|
1414 {
|
|
|
1415 memcpy(profile, profile_header,
|
|
|
1416 (sizeof profile_header));
|
|
|
1417
|
|
|
1418 size = 12 * tag_count;
|
|
|
1419
|
|
|
1420 (void)png_inflate_read(png_ptr, local_buffer,
|
|
|
1421 (sizeof local_buffer), &length,
|
|
|
1422 profile + (sizeof profile_header), &size, 0);
|
|
|
1423
|
|
|
1424 /* Still expect a buffer error because we expect
|
|
|
1425 * there to be some tag data!
|
|
|
1426 */
|
|
|
1427 if (size == 0)
|
|
|
1428 {
|
|
|
1429 if (png_icc_check_tag_table(png_ptr,
|
|
|
1430 &png_ptr->colorspace, keyword, profile_length,
|
|
|
1431 profile))
|
|
|
1432 {
|
|
|
1433 /* The profile has been validated for basic
|
|
|
1434 * security issues, so read the whole thing in.
|
|
|
1435 */
|
|
|
1436 size = profile_length - (sizeof profile_header)
|
|
|
1437 - 12 * tag_count;
|
|
|
1438
|
|
|
1439 (void)png_inflate_read(png_ptr, local_buffer,
|
|
|
1440 (sizeof local_buffer), &length,
|
|
|
1441 profile + (sizeof profile_header) +
|
|
|
1442 12 * tag_count, &size, 1/*finish*/);
|
|
|
1443
|
|
|
1444 if (length > 0 && !(png_ptr->flags &
|
|
|
1445 PNG_FLAG_BENIGN_ERRORS_WARN))
|
|
|
1446 errmsg = "extra compressed data";
|
|
|
1447
|
|
|
1448 /* But otherwise allow extra data: */
|
|
|
1449 else if (size == 0)
|
|
|
1450 {
|
|
|
1451 if (length > 0)
|
|
|
1452 {
|
|
|
1453 /* This can be handled completely, so
|
|
|
1454 * keep going.
|
|
|
1455 */
|
|
|
1456 png_chunk_warning(png_ptr,
|
|
|
1457 "extra compressed data");
|
|
|
1458 }
|
|
|
1459
|
|
|
1460 png_crc_finish(png_ptr, length);
|
|
|
1461 finished = 1;
|
|
|
1462
|
|
|
1463 # ifdef PNG_sRGB_SUPPORTED
|
|
|
1464 /* Check for a match against sRGB */
|
|
|
1465 png_icc_set_sRGB(png_ptr,
|
|
|
1466 &png_ptr->colorspace, profile,
|
|
|
1467 png_ptr->zstream.adler);
|
|
|
1468 # endif
|
|
|
1469
|
|
|
1470 /* Steal the profile for info_ptr. */
|
|
|
1471 if (info_ptr != NULL)
|
|
|
1472 {
|
|
|
1473 png_free_data(png_ptr, info_ptr,
|
|
|
1474 PNG_FREE_ICCP, 0);
|
|
|
1475
|
|
|
1476 info_ptr->iccp_name = png_voidcast(char*,
|
|
|
1477 png_malloc_base(png_ptr,
|
|
|
1478 keyword_length+1));
|
|
|
1479 if (info_ptr->iccp_name != NULL)
|
|
|
1480 {
|
|
|
1481 memcpy(info_ptr->iccp_name, keyword,
|
|
|
1482 keyword_length+1);
|
|
|
1483 info_ptr->iccp_proflen =
|
|
|
1484 profile_length;
|
|
|
1485 info_ptr->iccp_profile = profile;
|
|
|
1486 png_ptr->read_buffer = NULL; /*steal*/
|
|
|
1487 info_ptr->free_me |= PNG_FREE_ICCP;
|
|
|
1488 info_ptr->valid |= PNG_INFO_iCCP;
|
|
|
1489 }
|
|
|
1490
|
|
|
1491 else
|
|
|
1492 {
|
|
|
1493 png_ptr->colorspace.flags |=
|
|
|
1494 PNG_COLORSPACE_INVALID;
|
|
|
1495 errmsg = "out of memory";
|
|
|
1496 }
|
|
|
1497 }
|
|
|
1498
|
|
|
1499 /* else the profile remains in the read
|
|
|
1500 * buffer which gets reused for subsequent
|
|
|
1501 * chunks.
|
|
|
1502 */
|
|
|
1503
|
|
|
1504 if (info_ptr != NULL)
|
|
|
1505 png_colorspace_sync(png_ptr, info_ptr);
|
|
|
1506
|
|
|
1507 if (errmsg == NULL)
|
|
|
1508 {
|
|
|
1509 png_ptr->zowner = 0;
|
|
|
1510 return;
|
|
|
1511 }
|
|
|
1512 }
|
|
|
1513
|
|
|
1514 else if (size > 0)
|
|
|
1515 errmsg = "truncated";
|
|
|
1516
|
|
|
1517 else
|
|
|
1518 errmsg = png_ptr->zstream.msg;
|
|
|
1519 }
|
|
|
1520
|
|
|
1521 /* else png_icc_check_tag_table output an error */
|
|
|
1522 }
|
|
|
1523
|
|
|
1524 else /* profile truncated */
|
|
|
1525 errmsg = png_ptr->zstream.msg;
|
|
|
1526 }
|
|
|
1527
|
|
|
1528 else
|
|
|
1529 errmsg = "out of memory";
|
|
|
1530 }
|
|
|
1531
|
|
|
1532 /* else png_icc_check_header output an error */
|
|
|
1533 }
|
|
|
1534
|
|
|
1535 /* else png_icc_check_length output an error */
|
|
|
1536 }
|
|
|
1537
|
|
|
1538 else /* profile truncated */
|
|
|
1539 errmsg = png_ptr->zstream.msg;
|
|
|
1540
|
|
|
1541 /* Release the stream */
|
|
|
1542 png_ptr->zowner = 0;
|
|
|
1543 }
|
|
|
1544
|
|
|
1545 else /* png_inflate_claim failed */
|
|
|
1546 errmsg = png_ptr->zstream.msg;
|
|
|
1547 }
|
|
|
1548
|
|
|
1549 else
|
|
|
1550 errmsg = "bad compression method"; /* or missing */
|
|
|
1551 }
|
|
|
1552
|
|
|
1553 else
|
|
|
1554 errmsg = "bad keyword";
|
|
|
1555 }
|
|
|
1556
|
|
|
1557 else
|
|
|
1558 errmsg = "too many profiles";
|
|
|
1559
|
|
|
1560 /* Failure: the reason is in 'errmsg' */
|
|
|
1561 if (!finished)
|
|
|
1562 png_crc_finish(png_ptr, length);
|
|
|
1563
|
|
|
1564 png_ptr->colorspace.flags |= PNG_COLORSPACE_INVALID;
|
|
|
1565 png_colorspace_sync(png_ptr, info_ptr);
|
|
|
1566 if (errmsg != NULL) /* else already output */
|
|
|
1567 png_chunk_benign_error(png_ptr, errmsg);
|
|
|
1568 }
|
|
|
1569 #endif /* PNG_READ_iCCP_SUPPORTED */
|
|
|
1570
|
|
|
1571 #ifdef PNG_READ_sPLT_SUPPORTED
|
|
|
1572 void /* PRIVATE */
|
|
|
1573 png_handle_sPLT(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
|
|
|
1574 /* Note: this does not properly handle chunks that are > 64K under DOS */
|
|
|
1575 {
|
|
|
1576 png_bytep entry_start, buffer;
|
|
|
1577 png_sPLT_t new_palette;
|
|
|
1578 png_sPLT_entryp pp;
|
|
|
1579 png_uint_32 data_length;
|
|
|
1580 int entry_size, i;
|
|
|
1581 png_uint_32 skip = 0;
|
|
|
1582 png_uint_32 dl;
|
|
|
1583 png_size_t max_dl;
|
|
|
1584
|
|
|
1585 png_debug(1, "in png_handle_sPLT");
|
|
|
1586
|
|
|
1587 #ifdef PNG_USER_LIMITS_SUPPORTED
|
|
|
1588 if (png_ptr->user_chunk_cache_max != 0)
|
|
|
1589 {
|
|
|
1590 if (png_ptr->user_chunk_cache_max == 1)
|
|
|
1591 {
|
|
|
1592 png_crc_finish(png_ptr, length);
|
|
|
1593 return;
|
|
|
1594 }
|
|
|
1595
|
|
|
1596 if (--png_ptr->user_chunk_cache_max == 1)
|
|
|
1597 {
|
|
|
1598 png_warning(png_ptr, "No space in chunk cache for sPLT");
|
|
|
1599 png_crc_finish(png_ptr, length);
|
|
|
1600 return;
|
|
|
1601 }
|
|
|
1602 }
|
|
|
1603 #endif
|
|
|
1604
|
|
|
1605 if (!(png_ptr->mode & PNG_HAVE_IHDR))
|
|
|
1606 png_chunk_error(png_ptr, "missing IHDR");
|
|
|
1607
|
|
|
1608 else if (png_ptr->mode & PNG_HAVE_IDAT)
|
|
|
1609 {
|
|
|
1610 png_crc_finish(png_ptr, length);
|
|
|
1611 png_chunk_benign_error(png_ptr, "out of place");
|
|
|
1612 return;
|
|
|
1613 }
|
|
|
1614
|
|
|
1615 #ifdef PNG_MAX_MALLOC_64K
|
|
|
1616 if (length > 65535U)
|
|
|
1617 {
|
|
|
1618 png_crc_finish(png_ptr, length);
|
|
|
1619 png_chunk_benign_error(png_ptr, "too large to fit in memory");
|
|
|
1620 return;
|
|
|
1621 }
|
|
|
1622 #endif
|
|
|
1623
|
|
|
1624 buffer = png_read_buffer(png_ptr, length+1, 2/*silent*/);
|
|
|
1625 if (buffer == NULL)
|
|
|
1626 {
|
|
|
1627 png_crc_finish(png_ptr, length);
|
|
|
1628 png_chunk_benign_error(png_ptr, "out of memory");
|
|
|
1629 return;
|
|
|
1630 }
|
|
|
1631
|
|
|
1632
|
|
|
1633 /* WARNING: this may break if size_t is less than 32 bits; it is assumed
|
|
|
1634 * that the PNG_MAX_MALLOC_64K test is enabled in this case, but this is a
|
|
|
1635 * potential breakage point if the types in pngconf.h aren't exactly right.
|
|
|
1636 */
|
|
|
1637 png_crc_read(png_ptr, buffer, length);
|
|
|
1638
|
|
|
1639 if (png_crc_finish(png_ptr, skip))
|
|
|
1640 return;
|
|
|
1641
|
|
|
1642 buffer[length] = 0;
|
|
|
1643
|
|
|
1644 for (entry_start = buffer; *entry_start; entry_start++)
|
|
|
1645 /* Empty loop to find end of name */ ;
|
|
|
1646
|
|
|
1647 ++entry_start;
|
|
|
1648
|
|
|
1649 /* A sample depth should follow the separator, and we should be on it */
|
|
|
1650 if (entry_start > buffer + length - 2)
|
|
|
1651 {
|
|
|
1652 png_warning(png_ptr, "malformed sPLT chunk");
|
|
|
1653 return;
|
|
|
1654 }
|
|
|
1655
|
|
|
1656 new_palette.depth = *entry_start++;
|
|
|
1657 entry_size = (new_palette.depth == 8 ? 6 : 10);
|
|
|
1658 /* This must fit in a png_uint_32 because it is derived from the original
|
|
|
1659 * chunk data length.
|
|
|
1660 */
|
|
|
1661 data_length = length - (png_uint_32)(entry_start - buffer);
|
|
|
1662
|
|
|
1663 /* Integrity-check the data length */
|
|
|
1664 if (data_length % entry_size)
|
|
|
1665 {
|
|
|
1666 png_warning(png_ptr, "sPLT chunk has bad length");
|
|
|
1667 return;
|
|
|
1668 }
|
|
|
1669
|
|
|
1670 dl = (png_int_32)(data_length / entry_size);
|
|
|
1671 max_dl = PNG_SIZE_MAX / (sizeof (png_sPLT_entry));
|
|
|
1672
|
|
|
1673 if (dl > max_dl)
|
|
|
1674 {
|
|
|
1675 png_warning(png_ptr, "sPLT chunk too long");
|
|
|
1676 return;
|
|
|
1677 }
|
|
|
1678
|
|
|
1679 new_palette.nentries = (png_int_32)(data_length / entry_size);
|
|
|
1680
|
|
|
1681 new_palette.entries = (png_sPLT_entryp)png_malloc_warn(
|
|
|
1682 png_ptr, new_palette.nentries * (sizeof (png_sPLT_entry)));
|
|
|
1683
|
|
|
1684 if (new_palette.entries == NULL)
|
|
|
1685 {
|
|
|
1686 png_warning(png_ptr, "sPLT chunk requires too much memory");
|
|
|
1687 return;
|
|
|
1688 }
|
|
|
1689
|
|
|
1690 #ifdef PNG_POINTER_INDEXING_SUPPORTED
|
|
|
1691 for (i = 0; i < new_palette.nentries; i++)
|
|
|
1692 {
|
|
|
1693 pp = new_palette.entries + i;
|
|
|
1694
|
|
|
1695 if (new_palette.depth == 8)
|
|
|
1696 {
|
|
|
1697 pp->red = *entry_start++;
|
|
|
1698 pp->green = *entry_start++;
|
|
|
1699 pp->blue = *entry_start++;
|
|
|
1700 pp->alpha = *entry_start++;
|
|
|
1701 }
|
|
|
1702
|
|
|
1703 else
|
|
|
1704 {
|
|
|
1705 pp->red = png_get_uint_16(entry_start); entry_start += 2;
|
|
|
1706 pp->green = png_get_uint_16(entry_start); entry_start += 2;
|
|
|
1707 pp->blue = png_get_uint_16(entry_start); entry_start += 2;
|
|
|
1708 pp->alpha = png_get_uint_16(entry_start); entry_start += 2;
|
|
|
1709 }
|
|
|
1710
|
|
|
1711 pp->frequency = png_get_uint_16(entry_start); entry_start += 2;
|
|
|
1712 }
|
|
|
1713 #else
|
|
|
1714 pp = new_palette.entries;
|
|
|
1715
|
|
|
1716 for (i = 0; i < new_palette.nentries; i++)
|
|
|
1717 {
|
|
|
1718
|
|
|
1719 if (new_palette.depth == 8)
|
|
|
1720 {
|
|
|
1721 pp[i].red = *entry_start++;
|
|
|
1722 pp[i].green = *entry_start++;
|
|
|
1723 pp[i].blue = *entry_start++;
|
|
|
1724 pp[i].alpha = *entry_start++;
|
|
|
1725 }
|
|
|
1726
|
|
|
1727 else
|
|
|
1728 {
|
|
|
1729 pp[i].red = png_get_uint_16(entry_start); entry_start += 2;
|
|
|
1730 pp[i].green = png_get_uint_16(entry_start); entry_start += 2;
|
|
|
1731 pp[i].blue = png_get_uint_16(entry_start); entry_start += 2;
|
|
|
1732 pp[i].alpha = png_get_uint_16(entry_start); entry_start += 2;
|
|
|
1733 }
|
|
|
1734
|
|
|
1735 pp[i].frequency = png_get_uint_16(entry_start); entry_start += 2;
|
|
|
1736 }
|
|
|
1737 #endif
|
|
|
1738
|
|
|
1739 /* Discard all chunk data except the name and stash that */
|
|
|
1740 new_palette.name = (png_charp)buffer;
|
|
|
1741
|
|
|
1742 png_set_sPLT(png_ptr, info_ptr, &new_palette, 1);
|
|
|
1743
|
|
|
1744 png_free(png_ptr, new_palette.entries);
|
|
|
1745 }
|
|
|
1746 #endif /* PNG_READ_sPLT_SUPPORTED */
|
|
|
1747
|
|
|
1748 #ifdef PNG_READ_tRNS_SUPPORTED
|
|
|
1749 void /* PRIVATE */
|
|
|
1750 png_handle_tRNS(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
|
|
|
1751 {
|
|
|
1752 png_byte readbuf[PNG_MAX_PALETTE_LENGTH];
|
|
|
1753
|
|
|
1754 png_debug(1, "in png_handle_tRNS");
|
|
|
1755
|
|
|
1756 if (!(png_ptr->mode & PNG_HAVE_IHDR))
|
|
|
1757 png_chunk_error(png_ptr, "missing IHDR");
|
|
|
1758
|
|
|
1759 else if (png_ptr->mode & PNG_HAVE_IDAT)
|
|
|
1760 {
|
|
|
1761 png_crc_finish(png_ptr, length);
|
|
|
1762 png_chunk_benign_error(png_ptr, "out of place");
|
|
|
1763 return;
|
|
|
1764 }
|
|
|
1765
|
|
|
1766 else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_tRNS))
|
|
|
1767 {
|
|
|
1768 png_crc_finish(png_ptr, length);
|
|
|
1769 png_chunk_benign_error(png_ptr, "duplicate");
|
|
|
1770 return;
|
|
|
1771 }
|
|
|
1772
|
|
|
1773 if (png_ptr->color_type == PNG_COLOR_TYPE_GRAY)
|
|
|
1774 {
|
|
|
1775 png_byte buf[2];
|
|
|
1776
|
|
|
1777 if (length != 2)
|
|
|
1778 {
|
|
|
1779 png_crc_finish(png_ptr, length);
|
|
|
1780 png_chunk_benign_error(png_ptr, "invalid");
|
|
|
1781 return;
|
|
|
1782 }
|
|
|
1783
|
|
|
1784 png_crc_read(png_ptr, buf, 2);
|
|
|
1785 png_ptr->num_trans = 1;
|
|
|
1786 png_ptr->trans_color.gray = png_get_uint_16(buf);
|
|
|
1787 }
|
|
|
1788
|
|
|
1789 else if (png_ptr->color_type == PNG_COLOR_TYPE_RGB)
|
|
|
1790 {
|
|
|
1791 png_byte buf[6];
|
|
|
1792
|
|
|
1793 if (length != 6)
|
|
|
1794 {
|
|
|
1795 png_crc_finish(png_ptr, length);
|
|
|
1796 png_chunk_benign_error(png_ptr, "invalid");
|
|
|
1797 return;
|
|
|
1798 }
|
|
|
1799
|
|
|
1800 png_crc_read(png_ptr, buf, length);
|
|
|
1801 png_ptr->num_trans = 1;
|
|
|
1802 png_ptr->trans_color.red = png_get_uint_16(buf);
|
|
|
1803 png_ptr->trans_color.green = png_get_uint_16(buf + 2);
|
|
|
1804 png_ptr->trans_color.blue = png_get_uint_16(buf + 4);
|
|
|
1805 }
|
|
|
1806
|
|
|
1807 else if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
|
|
|
1808 {
|
|
|
1809 if (!(png_ptr->mode & PNG_HAVE_PLTE))
|
|
|
1810 {
|
|
|
1811 /* TODO: is this actually an error in the ISO spec? */
|
|
|
1812 png_crc_finish(png_ptr, length);
|
|
|
1813 png_chunk_benign_error(png_ptr, "out of place");
|
|
|
1814 return;
|
|
|
1815 }
|
|
|
1816
|
|
|
1817 if (length > png_ptr->num_palette || length > PNG_MAX_PALETTE_LENGTH ||
|
|
|
1818 length == 0)
|
|
|
1819 {
|
|
|
1820 png_crc_finish(png_ptr, length);
|
|
|
1821 png_chunk_benign_error(png_ptr, "invalid");
|
|
|
1822 return;
|
|
|
1823 }
|
|
|
1824
|
|
|
1825 png_crc_read(png_ptr, readbuf, length);
|
|
|
1826 png_ptr->num_trans = (png_uint_16)length;
|
|
|
1827 }
|
|
|
1828
|
|
|
1829 else
|
|
|
1830 {
|
|
|
1831 png_crc_finish(png_ptr, length);
|
|
|
1832 png_chunk_benign_error(png_ptr, "invalid with alpha channel");
|
|
|
1833 return;
|
|
|
1834 }
|
|
|
1835
|
|
|
1836 if (png_crc_finish(png_ptr, 0))
|
|
|
1837 {
|
|
|
1838 png_ptr->num_trans = 0;
|
|
|
1839 return;
|
|
|
1840 }
|
|
|
1841
|
|
|
1842 /* TODO: this is a horrible side effect in the palette case because the
|
|
|
1843 * png_struct ends up with a pointer to the tRNS buffer owned by the
|
|
|
1844 * png_info. Fix this.
|
|
|
1845 */
|
|
|
1846 png_set_tRNS(png_ptr, info_ptr, readbuf, png_ptr->num_trans,
|
|
|
1847 &(png_ptr->trans_color));
|
|
|
1848 }
|
|
|
1849 #endif
|
|
|
1850
|
|
|
1851 #ifdef PNG_READ_bKGD_SUPPORTED
|
|
|
1852 void /* PRIVATE */
|
|
|
1853 png_handle_bKGD(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
|
|
|
1854 {
|
|
|
1855 unsigned int truelen;
|
|
|
1856 png_byte buf[6];
|
|
|
1857 png_color_16 background;
|
|
|
1858
|
|
|
1859 png_debug(1, "in png_handle_bKGD");
|
|
|
1860
|
|
|
1861 if (!(png_ptr->mode & PNG_HAVE_IHDR))
|
|
|
1862 png_chunk_error(png_ptr, "missing IHDR");
|
|
|
1863
|
|
|
1864 else if ((png_ptr->mode & PNG_HAVE_IDAT) ||
|
|
|
1865 (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE &&
|
|
|
1866 !(png_ptr->mode & PNG_HAVE_PLTE)))
|
|
|
1867 {
|
|
|
1868 png_crc_finish(png_ptr, length);
|
|
|
1869 png_chunk_benign_error(png_ptr, "out of place");
|
|
|
1870 return;
|
|
|
1871 }
|
|
|
1872
|
|
|
1873 else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_bKGD))
|
|
|
1874 {
|
|
|
1875 png_crc_finish(png_ptr, length);
|
|
|
1876 png_chunk_benign_error(png_ptr, "duplicate");
|
|
|
1877 return;
|
|
|
1878 }
|
|
|
1879
|
|
|
1880 if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
|
|
|
1881 truelen = 1;
|
|
|
1882
|
|
|
1883 else if (png_ptr->color_type & PNG_COLOR_MASK_COLOR)
|
|
|
1884 truelen = 6;
|
|
|
1885
|
|
|
1886 else
|
|
|
1887 truelen = 2;
|
|
|
1888
|
|
|
1889 if (length != truelen)
|
|
|
1890 {
|
|
|
1891 png_crc_finish(png_ptr, length);
|
|
|
1892 png_chunk_benign_error(png_ptr, "invalid");
|
|
|
1893 return;
|
|
|
1894 }
|
|
|
1895
|
|
|
1896 png_crc_read(png_ptr, buf, truelen);
|
|
|
1897
|
|
|
1898 if (png_crc_finish(png_ptr, 0))
|
|
|
1899 return;
|
|
|
1900
|
|
|
1901 /* We convert the index value into RGB components so that we can allow
|
|
|
1902 * arbitrary RGB values for background when we have transparency, and
|
|
|
1903 * so it is easy to determine the RGB values of the background color
|
|
|
1904 * from the info_ptr struct.
|
|
|
1905 */
|
|
|
1906 if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
|
|
|
1907 {
|
|
|
1908 background.index = buf[0];
|
|
|
1909
|
|
|
1910 if (info_ptr && info_ptr->num_palette)
|
|
|
1911 {
|
|
|
1912 if (buf[0] >= info_ptr->num_palette)
|
|
|
1913 {
|
|
|
1914 png_chunk_benign_error(png_ptr, "invalid index");
|
|
|
1915 return;
|
|
|
1916 }
|
|
|
1917
|
|
|
1918 background.red = (png_uint_16)png_ptr->palette[buf[0]].red;
|
|
|
1919 background.green = (png_uint_16)png_ptr->palette[buf[0]].green;
|
|
|
1920 background.blue = (png_uint_16)png_ptr->palette[buf[0]].blue;
|
|
|
1921 }
|
|
|
1922
|
|
|
1923 else
|
|
|
1924 background.red = background.green = background.blue = 0;
|
|
|
1925
|
|
|
1926 background.gray = 0;
|
|
|
1927 }
|
|
|
1928
|
|
|
1929 else if (!(png_ptr->color_type & PNG_COLOR_MASK_COLOR)) /* GRAY */
|
|
|
1930 {
|
|
|
1931 background.index = 0;
|
|
|
1932 background.red =
|
|
|
1933 background.green =
|
|
|
1934 background.blue =
|
|
|
1935 background.gray = png_get_uint_16(buf);
|
|
|
1936 }
|
|
|
1937
|
|
|
1938 else
|
|
|
1939 {
|
|
|
1940 background.index = 0;
|
|
|
1941 background.red = png_get_uint_16(buf);
|
|
|
1942 background.green = png_get_uint_16(buf + 2);
|
|
|
1943 background.blue = png_get_uint_16(buf + 4);
|
|
|
1944 background.gray = 0;
|
|
|
1945 }
|
|
|
1946
|
|
|
1947 png_set_bKGD(png_ptr, info_ptr, &background);
|
|
|
1948 }
|
|
|
1949 #endif
|
|
|
1950
|
|
|
1951 #ifdef PNG_READ_hIST_SUPPORTED
|
|
|
1952 void /* PRIVATE */
|
|
|
1953 png_handle_hIST(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
|
|
|
1954 {
|
|
|
1955 unsigned int num, i;
|
|
|
1956 png_uint_16 readbuf[PNG_MAX_PALETTE_LENGTH];
|
|
|
1957
|
|
|
1958 png_debug(1, "in png_handle_hIST");
|
|
|
1959
|
|
|
1960 if (!(png_ptr->mode & PNG_HAVE_IHDR))
|
|
|
1961 png_chunk_error(png_ptr, "missing IHDR");
|
|
|
1962
|
|
|
1963 else if ((png_ptr->mode & PNG_HAVE_IDAT) || !(png_ptr->mode & PNG_HAVE_PLTE))
|
|
|
1964 {
|
|
|
1965 png_crc_finish(png_ptr, length);
|
|
|
1966 png_chunk_benign_error(png_ptr, "out of place");
|
|
|
1967 return;
|
|
|
1968 }
|
|
|
1969
|
|
|
1970 else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_hIST))
|
|
|
1971 {
|
|
|
1972 png_crc_finish(png_ptr, length);
|
|
|
1973 png_chunk_benign_error(png_ptr, "duplicate");
|
|
|
1974 return;
|
|
|
1975 }
|
|
|
1976
|
|
|
1977 num = length / 2 ;
|
|
|
1978
|
|
|
1979 if (num != png_ptr->num_palette || num > PNG_MAX_PALETTE_LENGTH)
|
|
|
1980 {
|
|
|
1981 png_crc_finish(png_ptr, length);
|
|
|
1982 png_chunk_benign_error(png_ptr, "invalid");
|
|
|
1983 return;
|
|
|
1984 }
|
|
|
1985
|
|
|
1986 for (i = 0; i < num; i++)
|
|
|
1987 {
|
|
|
1988 png_byte buf[2];
|
|
|
1989
|
|
|
1990 png_crc_read(png_ptr, buf, 2);
|
|
|
1991 readbuf[i] = png_get_uint_16(buf);
|
|
|
1992 }
|
|
|
1993
|
|
|
1994 if (png_crc_finish(png_ptr, 0))
|
|
|
1995 return;
|
|
|
1996
|
|
|
1997 png_set_hIST(png_ptr, info_ptr, readbuf);
|
|
|
1998 }
|
|
|
1999 #endif
|
|
|
2000
|
|
|
2001 #ifdef PNG_READ_pHYs_SUPPORTED
|
|
|
2002 void /* PRIVATE */
|
|
|
2003 png_handle_pHYs(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
|
|
|
2004 {
|
|
|
2005 png_byte buf[9];
|
|
|
2006 png_uint_32 res_x, res_y;
|
|
|
2007 int unit_type;
|
|
|
2008
|
|
|
2009 png_debug(1, "in png_handle_pHYs");
|
|
|
2010
|
|
|
2011 if (!(png_ptr->mode & PNG_HAVE_IHDR))
|
|
|
2012 png_chunk_error(png_ptr, "missing IHDR");
|
|
|
2013
|
|
|
2014 else if (png_ptr->mode & PNG_HAVE_IDAT)
|
|
|
2015 {
|
|
|
2016 png_crc_finish(png_ptr, length);
|
|
|
2017 png_chunk_benign_error(png_ptr, "out of place");
|
|
|
2018 return;
|
|
|
2019 }
|
|
|
2020
|
|
|
2021 else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_pHYs))
|
|
|
2022 {
|
|
|
2023 png_crc_finish(png_ptr, length);
|
|
|
2024 png_chunk_benign_error(png_ptr, "duplicate");
|
|
|
2025 return;
|
|
|
2026 }
|
|
|
2027
|
|
|
2028 if (length != 9)
|
|
|
2029 {
|
|
|
2030 png_crc_finish(png_ptr, length);
|
|
|
2031 png_chunk_benign_error(png_ptr, "invalid");
|
|
|
2032 return;
|
|
|
2033 }
|
|
|
2034
|
|
|
2035 png_crc_read(png_ptr, buf, 9);
|
|
|
2036
|
|
|
2037 if (png_crc_finish(png_ptr, 0))
|
|
|
2038 return;
|
|
|
2039
|
|
|
2040 res_x = png_get_uint_32(buf);
|
|
|
2041 res_y = png_get_uint_32(buf + 4);
|
|
|
2042 unit_type = buf[8];
|
|
|
2043 png_set_pHYs(png_ptr, info_ptr, res_x, res_y, unit_type);
|
|
|
2044 }
|
|
|
2045 #endif
|
|
|
2046
|
|
|
2047 #ifdef PNG_READ_oFFs_SUPPORTED
|
|
|
2048 void /* PRIVATE */
|
|
|
2049 png_handle_oFFs(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
|
|
|
2050 {
|
|
|
2051 png_byte buf[9];
|
|
|
2052 png_int_32 offset_x, offset_y;
|
|
|
2053 int unit_type;
|
|
|
2054
|
|
|
2055 png_debug(1, "in png_handle_oFFs");
|
|
|
2056
|
|
|
2057 if (!(png_ptr->mode & PNG_HAVE_IHDR))
|
|
|
2058 png_chunk_error(png_ptr, "missing IHDR");
|
|
|
2059
|
|
|
2060 else if (png_ptr->mode & PNG_HAVE_IDAT)
|
|
|
2061 {
|
|
|
2062 png_crc_finish(png_ptr, length);
|
|
|
2063 png_chunk_benign_error(png_ptr, "out of place");
|
|
|
2064 return;
|
|
|
2065 }
|
|
|
2066
|
|
|
2067 else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_oFFs))
|
|
|
2068 {
|
|
|
2069 png_crc_finish(png_ptr, length);
|
|
|
2070 png_chunk_benign_error(png_ptr, "duplicate");
|
|
|
2071 return;
|
|
|
2072 }
|
|
|
2073
|
|
|
2074 if (length != 9)
|
|
|
2075 {
|
|
|
2076 png_crc_finish(png_ptr, length);
|
|
|
2077 png_chunk_benign_error(png_ptr, "invalid");
|
|
|
2078 return;
|
|
|
2079 }
|
|
|
2080
|
|
|
2081 png_crc_read(png_ptr, buf, 9);
|
|
|
2082
|
|
|
2083 if (png_crc_finish(png_ptr, 0))
|
|
|
2084 return;
|
|
|
2085
|
|
|
2086 offset_x = png_get_int_32(buf);
|
|
|
2087 offset_y = png_get_int_32(buf + 4);
|
|
|
2088 unit_type = buf[8];
|
|
|
2089 png_set_oFFs(png_ptr, info_ptr, offset_x, offset_y, unit_type);
|
|
|
2090 }
|
|
|
2091 #endif
|
|
|
2092
|
|
|
2093 #ifdef PNG_READ_pCAL_SUPPORTED
|
|
|
2094 /* Read the pCAL chunk (described in the PNG Extensions document) */
|
|
|
2095 void /* PRIVATE */
|
|
|
2096 png_handle_pCAL(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
|
|
|
2097 {
|
|
|
2098 png_int_32 X0, X1;
|
|
|
2099 png_byte type, nparams;
|
|
|
2100 png_bytep buffer, buf, units, endptr;
|
|
|
2101 png_charpp params;
|
|
|
2102 int i;
|
|
|
2103
|
|
|
2104 png_debug(1, "in png_handle_pCAL");
|
|
|
2105
|
|
|
2106 if (!(png_ptr->mode & PNG_HAVE_IHDR))
|
|
|
2107 png_chunk_error(png_ptr, "missing IHDR");
|
|
|
2108
|
|
|
2109 else if (png_ptr->mode & PNG_HAVE_IDAT)
|
|
|
2110 {
|
|
|
2111 png_crc_finish(png_ptr, length);
|
|
|
2112 png_chunk_benign_error(png_ptr, "out of place");
|
|
|
2113 return;
|
|
|
2114 }
|
|
|
2115
|
|
|
2116 else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_pCAL))
|
|
|
2117 {
|
|
|
2118 png_crc_finish(png_ptr, length);
|
|
|
2119 png_chunk_benign_error(png_ptr, "duplicate");
|
|
|
2120 return;
|
|
|
2121 }
|
|
|
2122
|
|
|
2123 png_debug1(2, "Allocating and reading pCAL chunk data (%u bytes)",
|
|
|
2124 length + 1);
|
|
|
2125
|
|
|
2126 buffer = png_read_buffer(png_ptr, length+1, 2/*silent*/);
|
|
|
2127
|
|
|
2128 if (buffer == NULL)
|
|
|
2129 {
|
|
|
2130 png_crc_finish(png_ptr, length);
|
|
|
2131 png_chunk_benign_error(png_ptr, "out of memory");
|
|
|
2132 return;
|
|
|
2133 }
|
|
|
2134
|
|
|
2135 png_crc_read(png_ptr, buffer, length);
|
|
|
2136
|
|
|
2137 if (png_crc_finish(png_ptr, 0))
|
|
|
2138 return;
|
|
|
2139
|
|
|
2140 buffer[length] = 0; /* Null terminate the last string */
|
|
|
2141
|
|
|
2142 png_debug(3, "Finding end of pCAL purpose string");
|
|
|
2143 for (buf = buffer; *buf; buf++)
|
|
|
2144 /* Empty loop */ ;
|
|
|
2145
|
|
|
2146 endptr = buffer + length;
|
|
|
2147
|
|
|
2148 /* We need to have at least 12 bytes after the purpose string
|
|
|
2149 * in order to get the parameter information.
|
|
|
2150 */
|
|
|
2151 if (endptr <= buf + 12)
|
|
|
2152 {
|
|
|
2153 png_chunk_benign_error(png_ptr, "invalid");
|
|
|
2154 return;
|
|
|
2155 }
|
|
|
2156
|
|
|
2157 png_debug(3, "Reading pCAL X0, X1, type, nparams, and units");
|
|
|
2158 X0 = png_get_int_32((png_bytep)buf+1);
|
|
|
2159 X1 = png_get_int_32((png_bytep)buf+5);
|
|
|
2160 type = buf[9];
|
|
|
2161 nparams = buf[10];
|
|
|
2162 units = buf + 11;
|
|
|
2163
|
|
|
2164 png_debug(3, "Checking pCAL equation type and number of parameters");
|
|
|
2165 /* Check that we have the right number of parameters for known
|
|
|
2166 * equation types.
|
|
|
2167 */
|
|
|
2168 if ((type == PNG_EQUATION_LINEAR && nparams != 2) ||
|
|
|
2169 (type == PNG_EQUATION_BASE_E && nparams != 3) ||
|
|
|
2170 (type == PNG_EQUATION_ARBITRARY && nparams != 3) ||
|
|
|
2171 (type == PNG_EQUATION_HYPERBOLIC && nparams != 4))
|
|
|
2172 {
|
|
|
2173 png_chunk_benign_error(png_ptr, "invalid parameter count");
|
|
|
2174 return;
|
|
|
2175 }
|
|
|
2176
|
|
|
2177 else if (type >= PNG_EQUATION_LAST)
|
|
|
2178 {
|
|
|
2179 png_chunk_benign_error(png_ptr, "unrecognized equation type");
|
|
|
2180 }
|
|
|
2181
|
|
|
2182 for (buf = units; *buf; buf++)
|
|
|
2183 /* Empty loop to move past the units string. */ ;
|
|
|
2184
|
|
|
2185 png_debug(3, "Allocating pCAL parameters array");
|
|
|
2186
|
|
|
2187 params = png_voidcast(png_charpp, png_malloc_warn(png_ptr,
|
|
|
2188 nparams * (sizeof (png_charp))));
|
|
|
2189
|
|
|
2190 if (params == NULL)
|
|
|
2191 {
|
|
|
2192 png_chunk_benign_error(png_ptr, "out of memory");
|
|
|
2193 return;
|
|
|
2194 }
|
|
|
2195
|
|
|
2196 /* Get pointers to the start of each parameter string. */
|
|
|
2197 for (i = 0; i < nparams; i++)
|
|
|
2198 {
|
|
|
2199 buf++; /* Skip the null string terminator from previous parameter. */
|
|
|
2200
|
|
|
2201 png_debug1(3, "Reading pCAL parameter %d", i);
|
|
|
2202
|
|
|
2203 for (params[i] = (png_charp)buf; buf <= endptr && *buf != 0; buf++)
|
|
|
2204 /* Empty loop to move past each parameter string */ ;
|
|
|
2205
|
|
|
2206 /* Make sure we haven't run out of data yet */
|
|
|
2207 if (buf > endptr)
|
|
|
2208 {
|
|
|
2209 png_free(png_ptr, params);
|
|
|
2210 png_chunk_benign_error(png_ptr, "invalid data");
|
|
|
2211 return;
|
|
|
2212 }
|
|
|
2213 }
|
|
|
2214
|
|
|
2215 png_set_pCAL(png_ptr, info_ptr, (png_charp)buffer, X0, X1, type, nparams,
|
|
|
2216 (png_charp)units, params);
|
|
|
2217
|
|
|
2218 png_free(png_ptr, params);
|
|
|
2219 }
|
|
|
2220 #endif
|
|
|
2221
|
|
|
2222 #ifdef PNG_READ_sCAL_SUPPORTED
|
|
|
2223 /* Read the sCAL chunk */
|
|
|
2224 void /* PRIVATE */
|
|
|
2225 png_handle_sCAL(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
|
|
|
2226 {
|
|
|
2227 png_bytep buffer;
|
|
|
2228 png_size_t i;
|
|
|
2229 int state;
|
|
|
2230
|
|
|
2231 png_debug(1, "in png_handle_sCAL");
|
|
|
2232
|
|
|
2233 if (!(png_ptr->mode & PNG_HAVE_IHDR))
|
|
|
2234 png_chunk_error(png_ptr, "missing IHDR");
|
|
|
2235
|
|
|
2236 else if (png_ptr->mode & PNG_HAVE_IDAT)
|
|
|
2237 {
|
|
|
2238 png_crc_finish(png_ptr, length);
|
|
|
2239 png_chunk_benign_error(png_ptr, "out of place");
|
|
|
2240 return;
|
|
|
2241 }
|
|
|
2242
|
|
|
2243 else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_sCAL))
|
|
|
2244 {
|
|
|
2245 png_crc_finish(png_ptr, length);
|
|
|
2246 png_chunk_benign_error(png_ptr, "duplicate");
|
|
|
2247 return;
|
|
|
2248 }
|
|
|
2249
|
|
|
2250 /* Need unit type, width, \0, height: minimum 4 bytes */
|
|
|
2251 else if (length < 4)
|
|
|
2252 {
|
|
|
2253 png_crc_finish(png_ptr, length);
|
|
|
2254 png_chunk_benign_error(png_ptr, "invalid");
|
|
|
2255 return;
|
|
|
2256 }
|
|
|
2257
|
|
|
2258 png_debug1(2, "Allocating and reading sCAL chunk data (%u bytes)",
|
|
|
2259 length + 1);
|
|
|
2260
|
|
|
2261 buffer = png_read_buffer(png_ptr, length+1, 2/*silent*/);
|
|
|
2262
|
|
|
2263 if (buffer == NULL)
|
|
|
2264 {
|
|
|
2265 png_chunk_benign_error(png_ptr, "out of memory");
|
|
|
2266 png_crc_finish(png_ptr, length);
|
|
|
2267 return;
|
|
|
2268 }
|
|
|
2269
|
|
|
2270 png_crc_read(png_ptr, buffer, length);
|
|
|
2271 buffer[length] = 0; /* Null terminate the last string */
|
|
|
2272
|
|
|
2273 if (png_crc_finish(png_ptr, 0))
|
|
|
2274 return;
|
|
|
2275
|
|
|
2276 /* Validate the unit. */
|
|
|
2277 if (buffer[0] != 1 && buffer[0] != 2)
|
|
|
2278 {
|
|
|
2279 png_chunk_benign_error(png_ptr, "invalid unit");
|
|
|
2280 return;
|
|
|
2281 }
|
|
|
2282
|
|
|
2283 /* Validate the ASCII numbers, need two ASCII numbers separated by
|
|
|
2284 * a '\0' and they need to fit exactly in the chunk data.
|
|
|
2285 */
|
|
|
2286 i = 1;
|
|
|
2287 state = 0;
|
|
|
2288
|
|
|
2289 if (!png_check_fp_number((png_const_charp)buffer, length, &state, &i) ||
|
|
|
2290 i >= length || buffer[i++] != 0)
|
|
|
2291 png_chunk_benign_error(png_ptr, "bad width format");
|
|
|
2292
|
|
|
2293 else if (!PNG_FP_IS_POSITIVE(state))
|
|
|
2294 png_chunk_benign_error(png_ptr, "non-positive width");
|
|
|
2295
|
|
|
2296 else
|
|
|
2297 {
|
|
|
2298 png_size_t heighti = i;
|
|
|
2299
|
|
|
2300 state = 0;
|
|
|
2301 if (!png_check_fp_number((png_const_charp)buffer, length, &state, &i) ||
|
|
|
2302 i != length)
|
|
|
2303 png_chunk_benign_error(png_ptr, "bad height format");
|
|
|
2304
|
|
|
2305 else if (!PNG_FP_IS_POSITIVE(state))
|
|
|
2306 png_chunk_benign_error(png_ptr, "non-positive height");
|
|
|
2307
|
|
|
2308 else
|
|
|
2309 /* This is the (only) success case. */
|
|
|
2310 png_set_sCAL_s(png_ptr, info_ptr, buffer[0],
|
|
|
2311 (png_charp)buffer+1, (png_charp)buffer+heighti);
|
|
|
2312 }
|
|
|
2313 }
|
|
|
2314 #endif
|
|
|
2315
|
|
|
2316 #ifdef PNG_READ_tIME_SUPPORTED
|
|
|
2317 void /* PRIVATE */
|
|
|
2318 png_handle_tIME(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
|
|
|
2319 {
|
|
|
2320 png_byte buf[7];
|
|
|
2321 png_time mod_time;
|
|
|
2322
|
|
|
2323 png_debug(1, "in png_handle_tIME");
|
|
|
2324
|
|
|
2325 if (!(png_ptr->mode & PNG_HAVE_IHDR))
|
|
|
2326 png_chunk_error(png_ptr, "missing IHDR");
|
|
|
2327
|
|
|
2328 else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_tIME))
|
|
|
2329 {
|
|
|
2330 png_crc_finish(png_ptr, length);
|
|
|
2331 png_chunk_benign_error(png_ptr, "duplicate");
|
|
|
2332 return;
|
|
|
2333 }
|
|
|
2334
|
|
|
2335 if (png_ptr->mode & PNG_HAVE_IDAT)
|
|
|
2336 png_ptr->mode |= PNG_AFTER_IDAT;
|
|
|
2337
|
|
|
2338 if (length != 7)
|
|
|
2339 {
|
|
|
2340 png_crc_finish(png_ptr, length);
|
|
|
2341 png_chunk_benign_error(png_ptr, "invalid");
|
|
|
2342 return;
|
|
|
2343 }
|
|
|
2344
|
|
|
2345 png_crc_read(png_ptr, buf, 7);
|
|
|
2346
|
|
|
2347 if (png_crc_finish(png_ptr, 0))
|
|
|
2348 return;
|
|
|
2349
|
|
|
2350 mod_time.second = buf[6];
|
|
|
2351 mod_time.minute = buf[5];
|
|
|
2352 mod_time.hour = buf[4];
|
|
|
2353 mod_time.day = buf[3];
|
|
|
2354 mod_time.month = buf[2];
|
|
|
2355 mod_time.year = png_get_uint_16(buf);
|
|
|
2356
|
|
|
2357 png_set_tIME(png_ptr, info_ptr, &mod_time);
|
|
|
2358 }
|
|
|
2359 #endif
|
|
|
2360
|
|
|
2361 #ifdef PNG_READ_tEXt_SUPPORTED
|
|
|
2362 /* Note: this does not properly handle chunks that are > 64K under DOS */
|
|
|
2363 void /* PRIVATE */
|
|
|
2364 png_handle_tEXt(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
|
|
|
2365 {
|
|
|
2366 png_text text_info;
|
|
|
2367 png_bytep buffer;
|
|
|
2368 png_charp key;
|
|
|
2369 png_charp text;
|
|
|
2370 png_uint_32 skip = 0;
|
|
|
2371
|
|
|
2372 png_debug(1, "in png_handle_tEXt");
|
|
|
2373
|
|
|
2374 #ifdef PNG_USER_LIMITS_SUPPORTED
|
|
|
2375 if (png_ptr->user_chunk_cache_max != 0)
|
|
|
2376 {
|
|
|
2377 if (png_ptr->user_chunk_cache_max == 1)
|
|
|
2378 {
|
|
|
2379 png_crc_finish(png_ptr, length);
|
|
|
2380 return;
|
|
|
2381 }
|
|
|
2382
|
|
|
2383 if (--png_ptr->user_chunk_cache_max == 1)
|
|
|
2384 {
|
|
|
2385 png_crc_finish(png_ptr, length);
|
|
|
2386 png_chunk_benign_error(png_ptr, "no space in chunk cache");
|
|
|
2387 return;
|
|
|
2388 }
|
|
|
2389 }
|
|
|
2390 #endif
|
|
|
2391
|
|
|
2392 if (!(png_ptr->mode & PNG_HAVE_IHDR))
|
|
|
2393 png_chunk_error(png_ptr, "missing IHDR");
|
|
|
2394
|
|
|
2395 if (png_ptr->mode & PNG_HAVE_IDAT)
|
|
|
2396 png_ptr->mode |= PNG_AFTER_IDAT;
|
|
|
2397
|
|
|
2398 #ifdef PNG_MAX_MALLOC_64K
|
|
|
2399 if (length > 65535U)
|
|
|
2400 {
|
|
|
2401 png_crc_finish(png_ptr, length);
|
|
|
2402 png_chunk_benign_error(png_ptr, "too large to fit in memory");
|
|
|
2403 return;
|
|
|
2404 }
|
|
|
2405 #endif
|
|
|
2406
|
|
|
2407 buffer = png_read_buffer(png_ptr, length+1, 1/*warn*/);
|
|
|
2408
|
|
|
2409 if (buffer == NULL)
|
|
|
2410 {
|
|
|
2411 png_chunk_benign_error(png_ptr, "out of memory");
|
|
|
2412 return;
|
|
|
2413 }
|
|
|
2414
|
|
|
2415 png_crc_read(png_ptr, buffer, length);
|
|
|
2416
|
|
|
2417 if (png_crc_finish(png_ptr, skip))
|
|
|
2418 return;
|
|
|
2419
|
|
|
2420 key = (png_charp)buffer;
|
|
|
2421 key[length] = 0;
|
|
|
2422
|
|
|
2423 for (text = key; *text; text++)
|
|
|
2424 /* Empty loop to find end of key */ ;
|
|
|
2425
|
|
|
2426 if (text != key + length)
|
|
|
2427 text++;
|
|
|
2428
|
|
|
2429 text_info.compression = PNG_TEXT_COMPRESSION_NONE;
|
|
|
2430 text_info.key = key;
|
|
|
2431 text_info.lang = NULL;
|
|
|
2432 text_info.lang_key = NULL;
|
|
|
2433 text_info.itxt_length = 0;
|
|
|
2434 text_info.text = text;
|
|
|
2435 text_info.text_length = strlen(text);
|
|
|
2436
|
|
|
2437 if (png_set_text_2(png_ptr, info_ptr, &text_info, 1))
|
|
|
2438 png_warning(png_ptr, "Insufficient memory to process text chunk");
|
|
|
2439 }
|
|
|
2440 #endif
|
|
|
2441
|
|
|
2442 #ifdef PNG_READ_zTXt_SUPPORTED
|
|
|
2443 /* Note: this does not correctly handle chunks that are > 64K under DOS */
|
|
|
2444 void /* PRIVATE */
|
|
|
2445 png_handle_zTXt(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
|
|
|
2446 {
|
|
|
2447 png_const_charp errmsg = NULL;
|
|
|
2448 png_bytep buffer;
|
|
|
2449 png_uint_32 keyword_length;
|
|
|
2450
|
|
|
2451 png_debug(1, "in png_handle_zTXt");
|
|
|
2452
|
|
|
2453 #ifdef PNG_USER_LIMITS_SUPPORTED
|
|
|
2454 if (png_ptr->user_chunk_cache_max != 0)
|
|
|
2455 {
|
|
|
2456 if (png_ptr->user_chunk_cache_max == 1)
|
|
|
2457 {
|
|
|
2458 png_crc_finish(png_ptr, length);
|
|
|
2459 return;
|
|
|
2460 }
|
|
|
2461
|
|
|
2462 if (--png_ptr->user_chunk_cache_max == 1)
|
|
|
2463 {
|
|
|
2464 png_crc_finish(png_ptr, length);
|
|
|
2465 png_chunk_benign_error(png_ptr, "no space in chunk cache");
|
|
|
2466 return;
|
|
|
2467 }
|
|
|
2468 }
|
|
|
2469 #endif
|
|
|
2470
|
|
|
2471 if (!(png_ptr->mode & PNG_HAVE_IHDR))
|
|
|
2472 png_chunk_error(png_ptr, "missing IHDR");
|
|
|
2473
|
|
|
2474 if (png_ptr->mode & PNG_HAVE_IDAT)
|
|
|
2475 png_ptr->mode |= PNG_AFTER_IDAT;
|
|
|
2476
|
|
|
2477 buffer = png_read_buffer(png_ptr, length, 2/*silent*/);
|
|
|
2478
|
|
|
2479 if (buffer == NULL)
|
|
|
2480 {
|
|
|
2481 png_crc_finish(png_ptr, length);
|
|
|
2482 png_chunk_benign_error(png_ptr, "out of memory");
|
|
|
2483 return;
|
|
|
2484 }
|
|
|
2485
|
|
|
2486 png_crc_read(png_ptr, buffer, length);
|
|
|
2487
|
|
|
2488 if (png_crc_finish(png_ptr, 0))
|
|
|
2489 return;
|
|
|
2490
|
|
|
2491 /* TODO: also check that the keyword contents match the spec! */
|
|
|
2492 for (keyword_length = 0;
|
|
|
2493 keyword_length < length && buffer[keyword_length] != 0;
|
|
|
2494 ++keyword_length)
|
|
|
2495 /* Empty loop to find end of name */ ;
|
|
|
2496
|
|
|
2497 if (keyword_length > 79 || keyword_length < 1)
|
|
|
2498 errmsg = "bad keyword";
|
|
|
2499
|
|
|
2500 /* zTXt must have some LZ data after the keyword, although it may expand to
|
|
|
2501 * zero bytes; we need a '\0' at the end of the keyword, the compression type
|
|
|
2502 * then the LZ data:
|
|
|
2503 */
|
|
|
2504 else if (keyword_length + 3 > length)
|
|
|
2505 errmsg = "truncated";
|
|
|
2506
|
|
|
2507 else if (buffer[keyword_length+1] != PNG_COMPRESSION_TYPE_BASE)
|
|
|
2508 errmsg = "unknown compression type";
|
|
|
2509
|
|
|
2510 else
|
|
|
2511 {
|
|
|
2512 png_alloc_size_t uncompressed_length = PNG_SIZE_MAX;
|
|
|
2513
|
|
|
2514 /* TODO: at present png_decompress_chunk imposes a single application
|
|
|
2515 * level memory limit, this should be split to different values for iCCP
|
|
|
2516 * and text chunks.
|
|
|
2517 */
|
|
|
2518 if (png_decompress_chunk(png_ptr, length, keyword_length+2,
|
|
|
2519 &uncompressed_length, 1/*terminate*/) == Z_STREAM_END)
|
|
|
2520 {
|
|
|
2521 png_text text;
|
|
|
2522
|
|
|
2523 /* It worked; png_ptr->read_buffer now looks like a tEXt chunk except
|
|
|
2524 * for the extra compression type byte and the fact that it isn't
|
|
|
2525 * necessarily '\0' terminated.
|
|
|
2526 */
|
|
|
2527 buffer = png_ptr->read_buffer;
|
|
|
2528 buffer[uncompressed_length+(keyword_length+2)] = 0;
|
|
|
2529
|
|
|
2530 text.compression = PNG_TEXT_COMPRESSION_zTXt;
|
|
|
2531 text.key = (png_charp)buffer;
|
|
|
2532 text.text = (png_charp)(buffer + keyword_length+2);
|
|
|
2533 text.text_length = uncompressed_length;
|
|
|
2534 text.itxt_length = 0;
|
|
|
2535 text.lang = NULL;
|
|
|
2536 text.lang_key = NULL;
|
|
|
2537
|
|
|
2538 if (png_set_text_2(png_ptr, info_ptr, &text, 1))
|
|
|
2539 errmsg = "insufficient memory";
|
|
|
2540 }
|
|
|
2541
|
|
|
2542 else
|
|
|
2543 errmsg = png_ptr->zstream.msg;
|
|
|
2544 }
|
|
|
2545
|
|
|
2546 if (errmsg != NULL)
|
|
|
2547 png_chunk_benign_error(png_ptr, errmsg);
|
|
|
2548 }
|
|
|
2549 #endif
|
|
|
2550
|
|
|
2551 #ifdef PNG_READ_iTXt_SUPPORTED
|
|
|
2552 /* Note: this does not correctly handle chunks that are > 64K under DOS */
|
|
|
2553 void /* PRIVATE */
|
|
|
2554 png_handle_iTXt(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
|
|
|
2555 {
|
|
|
2556 png_const_charp errmsg = NULL;
|
|
|
2557 png_bytep buffer;
|
|
|
2558 png_uint_32 prefix_length;
|
|
|
2559
|
|
|
2560 png_debug(1, "in png_handle_iTXt");
|
|
|
2561
|
|
|
2562 #ifdef PNG_USER_LIMITS_SUPPORTED
|
|
|
2563 if (png_ptr->user_chunk_cache_max != 0)
|
|
|
2564 {
|
|
|
2565 if (png_ptr->user_chunk_cache_max == 1)
|
|
|
2566 {
|
|
|
2567 png_crc_finish(png_ptr, length);
|
|
|
2568 return;
|
|
|
2569 }
|
|
|
2570
|
|
|
2571 if (--png_ptr->user_chunk_cache_max == 1)
|
|
|
2572 {
|
|
|
2573 png_crc_finish(png_ptr, length);
|
|
|
2574 png_chunk_benign_error(png_ptr, "no space in chunk cache");
|
|
|
2575 return;
|
|
|
2576 }
|
|
|
2577 }
|
|
|
2578 #endif
|
|
|
2579
|
|
|
2580 if (!(png_ptr->mode & PNG_HAVE_IHDR))
|
|
|
2581 png_chunk_error(png_ptr, "missing IHDR");
|
|
|
2582
|
|
|
2583 if (png_ptr->mode & PNG_HAVE_IDAT)
|
|
|
2584 png_ptr->mode |= PNG_AFTER_IDAT;
|
|
|
2585
|
|
|
2586 buffer = png_read_buffer(png_ptr, length+1, 1/*warn*/);
|
|
|
2587
|
|
|
2588 if (buffer == NULL)
|
|
|
2589 {
|
|
|
2590 png_crc_finish(png_ptr, length);
|
|
|
2591 png_chunk_benign_error(png_ptr, "out of memory");
|
|
|
2592 return;
|
|
|
2593 }
|
|
|
2594
|
|
|
2595 png_crc_read(png_ptr, buffer, length);
|
|
|
2596
|
|
|
2597 if (png_crc_finish(png_ptr, 0))
|
|
|
2598 return;
|
|
|
2599
|
|
|
2600 /* First the keyword. */
|
|
|
2601 for (prefix_length=0;
|
|
|
2602 prefix_length < length && buffer[prefix_length] != 0;
|
|
|
2603 ++prefix_length)
|
|
|
2604 /* Empty loop */ ;
|
|
|
2605
|
|
|
2606 /* Perform a basic check on the keyword length here. */
|
|
|
2607 if (prefix_length > 79 || prefix_length < 1)
|
|
|
2608 errmsg = "bad keyword";
|
|
|
2609
|
|
|
2610 /* Expect keyword, compression flag, compression type, language, translated
|
|
|
2611 * keyword (both may be empty but are 0 terminated) then the text, which may
|
|
|
2612 * be empty.
|
|
|
2613 */
|
|
|
2614 else if (prefix_length + 5 > length)
|
|
|
2615 errmsg = "truncated";
|
|
|
2616
|
|
|
2617 else if (buffer[prefix_length+1] == 0 ||
|
|
|
2618 (buffer[prefix_length+1] == 1 &&
|
|
|
2619 buffer[prefix_length+2] == PNG_COMPRESSION_TYPE_BASE))
|
|
|
2620 {
|
|
|
2621 int compressed = buffer[prefix_length+1] != 0;
|
|
|
2622 png_uint_32 language_offset, translated_keyword_offset;
|
|
|
2623 png_alloc_size_t uncompressed_length = 0;
|
|
|
2624
|
|
|
2625 /* Now the language tag */
|
|
|
2626 prefix_length += 3;
|
|
|
2627 language_offset = prefix_length;
|
|
|
2628
|
|
|
2629 for (; prefix_length < length && buffer[prefix_length] != 0;
|
|
|
2630 ++prefix_length)
|
|
|
2631 /* Empty loop */ ;
|
|
|
2632
|
|
|
2633 /* WARNING: the length may be invalid here, this is checked below. */
|
|
|
2634 translated_keyword_offset = ++prefix_length;
|
|
|
2635
|
|
|
2636 for (; prefix_length < length && buffer[prefix_length] != 0;
|
|
|
2637 ++prefix_length)
|
|
|
2638 /* Empty loop */ ;
|
|
|
2639
|
|
|
2640 /* prefix_length should now be at the trailing '\0' of the translated
|
|
|
2641 * keyword, but it may already be over the end. None of this arithmetic
|
|
|
2642 * can overflow because chunks are at most 2^31 bytes long, but on 16-bit
|
|
|
2643 * systems the available allocaton may overflow.
|
|
|
2644 */
|
|
|
2645 ++prefix_length;
|
|
|
2646
|
|
|
2647 if (!compressed && prefix_length <= length)
|
|
|
2648 uncompressed_length = length - prefix_length;
|
|
|
2649
|
|
|
2650 else if (compressed && prefix_length < length)
|
|
|
2651 {
|
|
|
2652 uncompressed_length = PNG_SIZE_MAX;
|
|
|
2653
|
|
|
2654 /* TODO: at present png_decompress_chunk imposes a single application
|
|
|
2655 * level memory limit, this should be split to different values for
|
|
|
2656 * iCCP and text chunks.
|
|
|
2657 */
|
|
|
2658 if (png_decompress_chunk(png_ptr, length, prefix_length,
|
|
|
2659 &uncompressed_length, 1/*terminate*/) == Z_STREAM_END)
|
|
|
2660 buffer = png_ptr->read_buffer;
|
|
|
2661
|
|
|
2662 else
|
|
|
2663 errmsg = png_ptr->zstream.msg;
|
|
|
2664 }
|
|
|
2665
|
|
|
2666 else
|
|
|
2667 errmsg = "truncated";
|
|
|
2668
|
|
|
2669 if (errmsg == NULL)
|
|
|
2670 {
|
|
|
2671 png_text text;
|
|
|
2672
|
|
|
2673 buffer[uncompressed_length+prefix_length] = 0;
|
|
|
2674
|
|
|
2675 if (compressed)
|
|
|
2676 text.compression = PNG_ITXT_COMPRESSION_NONE;
|
|
|
2677
|
|
|
2678 else
|
|
|
2679 text.compression = PNG_ITXT_COMPRESSION_zTXt;
|
|
|
2680
|
|
|
2681 text.key = (png_charp)buffer;
|
|
|
2682 text.lang = (png_charp)buffer + language_offset;
|
|
|
2683 text.lang_key = (png_charp)buffer + translated_keyword_offset;
|
|
|
2684 text.text = (png_charp)buffer + prefix_length;
|
|
|
2685 text.text_length = 0;
|
|
|
2686 text.itxt_length = uncompressed_length;
|
|
|
2687
|
|
|
2688 if (png_set_text_2(png_ptr, info_ptr, &text, 1))
|
|
|
2689 errmsg = "insufficient memory";
|
|
|
2690 }
|
|
|
2691 }
|
|
|
2692
|
|
|
2693 else
|
|
|
2694 errmsg = "bad compression info";
|
|
|
2695
|
|
|
2696 if (errmsg != NULL)
|
|
|
2697 png_chunk_benign_error(png_ptr, errmsg);
|
|
|
2698 }
|
|
|
2699 #endif
|
|
|
2700
|
|
|
2701 #ifdef PNG_READ_UNKNOWN_CHUNKS_SUPPORTED
|
|
|
2702 /* Utility function for png_handle_unknown; set up png_ptr::unknown_chunk */
|
|
|
2703 static int
|
|
|
2704 png_cache_unknown_chunk(png_structrp png_ptr, png_uint_32 length)
|
|
|
2705 {
|
|
|
2706 png_alloc_size_t limit = PNG_SIZE_MAX;
|
|
|
2707
|
|
|
2708 if (png_ptr->unknown_chunk.data != NULL)
|
|
|
2709 {
|
|
|
2710 png_free(png_ptr, png_ptr->unknown_chunk.data);
|
|
|
2711 png_ptr->unknown_chunk.data = NULL;
|
|
|
2712 }
|
|
|
2713
|
|
|
2714 # ifdef PNG_SET_CHUNK_MALLOC_LIMIT_SUPPORTED
|
|
|
2715 if (png_ptr->user_chunk_malloc_max > 0 &&
|
|
|
2716 png_ptr->user_chunk_malloc_max < limit)
|
|
|
2717 limit = png_ptr->user_chunk_malloc_max;
|
|
|
2718
|
|
|
2719 # elif PNG_USER_CHUNK_MALLOC_MAX > 0
|
|
|
2720 if (PNG_USER_CHUNK_MALLOC_MAX < limit)
|
|
|
2721 limit = PNG_USER_CHUNK_MALLOC_MAX;
|
|
|
2722 # endif
|
|
|
2723
|
|
|
2724 if (length <= limit)
|
|
|
2725 {
|
|
|
2726 PNG_CSTRING_FROM_CHUNK(png_ptr->unknown_chunk.name, png_ptr->chunk_name);
|
|
|
2727 /* The following is safe because of the PNG_SIZE_MAX init above */
|
|
|
2728 png_ptr->unknown_chunk.size = (png_size_t)length/*SAFE*/;
|
|
|
2729 /* 'mode' is a flag array, only the bottom four bits matter here */
|
|
|
2730 png_ptr->unknown_chunk.location = (png_byte)png_ptr->mode/*SAFE*/;
|
|
|
2731
|
|
|
2732 if (length == 0)
|
|
|
2733 png_ptr->unknown_chunk.data = NULL;
|
|
|
2734
|
|
|
2735 else
|
|
|
2736 {
|
|
|
2737 /* Do a 'warn' here - it is handled below. */
|
|
|
2738 png_ptr->unknown_chunk.data = png_voidcast(png_bytep,
|
|
|
2739 png_malloc_warn(png_ptr, length));
|
|
|
2740 }
|
|
|
2741 }
|
|
|
2742
|
|
|
2743 if (png_ptr->unknown_chunk.data == NULL && length > 0)
|
|
|
2744 {
|
|
|
2745 /* This is benign because we clean up correctly */
|
|
|
2746 png_crc_finish(png_ptr, length);
|
|
|
2747 png_chunk_benign_error(png_ptr, "unknown chunk exceeds memory limits");
|
|
|
2748 return 0;
|
|
|
2749 }
|
|
|
2750
|
|
|
2751 else
|
|
|
2752 {
|
|
|
2753 if (length > 0)
|
|
|
2754 png_crc_read(png_ptr, png_ptr->unknown_chunk.data, length);
|
|
|
2755 png_crc_finish(png_ptr, 0);
|
|
|
2756 return 1;
|
|
|
2757 }
|
|
|
2758 }
|
|
|
2759 #endif /* PNG_READ_UNKNOWN_CHUNKS_SUPPORTED */
|
|
|
2760
|
|
|
2761 /* Handle an unknown, or known but disabled, chunk */
|
|
|
2762 void /* PRIVATE */
|
|
|
2763 png_handle_unknown(png_structrp png_ptr, png_inforp info_ptr,
|
|
|
2764 png_uint_32 length, int keep)
|
|
|
2765 {
|
|
|
2766 int handled = 0; /* the chunk was handled */
|
|
|
2767
|
|
|
2768 png_debug(1, "in png_handle_unknown");
|
|
|
2769
|
|
|
2770 #ifdef PNG_READ_UNKNOWN_CHUNKS_SUPPORTED
|
|
|
2771 /* NOTE: this code is based on the code in libpng-1.4.12 except for fixing
|
|
|
2772 * the bug which meant that setting a non-default behavior for a specific
|
|
|
2773 * chunk would be ignored (the default was always used unless a user
|
|
|
2774 * callback was installed).
|
|
|
2775 *
|
|
|
2776 * 'keep' is the value from the png_chunk_unknown_handling, the setting for
|
|
|
2777 * this specific chunk_name, if PNG_HANDLE_AS_UNKNOWN_SUPPORTED, if not it
|
|
|
2778 * will always be PNG_HANDLE_CHUNK_AS_DEFAULT and it needs to be set here.
|
|
|
2779 * This is just an optimization to avoid multiple calls to the lookup
|
|
|
2780 * function.
|
|
|
2781 */
|
|
|
2782 # ifndef PNG_HANDLE_AS_UNKNOWN_SUPPORTED
|
|
|
2783 # ifdef PNG_SET_UNKNOWN_CHUNKS_SUPPORTED
|
|
|
2784 keep = png_chunk_unknown_handling(png_ptr, png_ptr->chunk_name);
|
|
|
2785 # endif
|
|
|
2786 # endif
|
|
|
2787
|
|
|
2788 /* One of the following methods will read the chunk or skip it (at least one
|
|
|
2789 * of these is always defined because this is the only way to switch on
|
|
|
2790 * PNG_READ_UNKNOWN_CHUNKS_SUPPORTED)
|
|
|
2791 */
|
|
|
2792 # ifdef PNG_READ_USER_CHUNKS_SUPPORTED
|
|
|
2793 /* The user callback takes precedence over the chunk keep value, but the
|
|
|
2794 * keep value is still required to validate a save of a critical chunk.
|
|
|
2795 */
|
|
|
2796 if (png_ptr->read_user_chunk_fn != NULL)
|
|
|
2797 {
|
|
|
2798 if (png_cache_unknown_chunk(png_ptr, length))
|
|
|
2799 {
|
|
|
2800 /* Callback to user unknown chunk handler */
|
|
|
2801 int ret = (*(png_ptr->read_user_chunk_fn))(png_ptr,
|
|
|
2802 &png_ptr->unknown_chunk);
|
|
|
2803
|
|
|
2804 /* ret is:
|
|
|
2805 * negative: An error occured, png_chunk_error will be called.
|
|
|
2806 * zero: The chunk was not handled, the chunk will be discarded
|
|
|
2807 * unless png_set_keep_unknown_chunks has been used to set
|
|
|
2808 * a 'keep' behavior for this particular chunk, in which
|
|
|
2809 * case that will be used. A critical chunk will cause an
|
|
|
2810 * error at this point unless it is to be saved.
|
|
|
2811 * positive: The chunk was handled, libpng will ignore/discard it.
|
|
|
2812 */
|
|
|
2813 if (ret < 0)
|
|
|
2814 png_chunk_error(png_ptr, "error in user chunk");
|
|
|
2815
|
|
|
2816 else if (ret == 0)
|
|
|
2817 {
|
|
|
2818 /* If the keep value is 'default' or 'never' override it, but
|
|
|
2819 * still error out on critical chunks unless the keep value is
|
|
|
2820 * 'always' While this is weird it is the behavior in 1.4.12.
|
|
|
2821 * A possible improvement would be to obey the value set for the
|
|
|
2822 * chunk, but this would be an API change that would probably
|
|
|
2823 * damage some applications.
|
|
|
2824 *
|
|
|
2825 * The png_app_warning below catches the case that matters, where
|
|
|
2826 * the application has not set specific save or ignore for this
|
|
|
2827 * chunk or global save or ignore.
|
|
|
2828 */
|
|
|
2829 if (keep < PNG_HANDLE_CHUNK_IF_SAFE)
|
|
|
2830 {
|
|
|
2831 # ifdef PNG_SET_UNKNOWN_CHUNKS_SUPPORTED
|
|
|
2832 if (png_ptr->unknown_default < PNG_HANDLE_CHUNK_IF_SAFE)
|
|
|
2833 {
|
|
|
2834 png_chunk_warning(png_ptr, "Saving unknown chunk:");
|
|
|
2835 png_app_warning(png_ptr,
|
|
|
2836 "forcing save of an unhandled chunk;"
|
|
|
2837 " please call png_set_keep_unknown_chunks");
|
|
|
2838 /* with keep = PNG_HANDLE_CHUNK_IF_SAFE */
|
|
|
2839 }
|
|
|
2840 # endif
|
|
|
2841 keep = PNG_HANDLE_CHUNK_IF_SAFE;
|
|
|
2842 }
|
|
|
2843 }
|
|
|
2844
|
|
|
2845 else /* chunk was handled */
|
|
|
2846 {
|
|
|
2847 handled = 1;
|
|
|
2848 /* Critical chunks can be safely discarded at this point. */
|
|
|
2849 keep = PNG_HANDLE_CHUNK_NEVER;
|
|
|
2850 }
|
|
|
2851 }
|
|
|
2852
|
|
|
2853 else
|
|
|
2854 keep = PNG_HANDLE_CHUNK_NEVER; /* insufficient memory */
|
|
|
2855 }
|
|
|
2856
|
|
|
2857 else
|
|
|
2858 /* Use the SAVE_UNKNOWN_CHUNKS code or skip the chunk */
|
|
|
2859 # endif /* PNG_READ_USER_CHUNKS_SUPPORTED */
|
|
|
2860
|
|
|
2861 # ifdef PNG_SAVE_UNKNOWN_CHUNKS_SUPPORTED
|
|
|
2862 {
|
|
|
2863 /* keep is currently just the per-chunk setting, if there was no
|
|
|
2864 * setting change it to the global default now (not that this may
|
|
|
2865 * still be AS_DEFAULT) then obtain the cache of the chunk if required,
|
|
|
2866 * if not simply skip the chunk.
|
|
|
2867 */
|
|
|
2868 if (keep == PNG_HANDLE_CHUNK_AS_DEFAULT)
|
|
|
2869 keep = png_ptr->unknown_default;
|
|
|
2870
|
|
|
2871 if (keep == PNG_HANDLE_CHUNK_ALWAYS ||
|
|
|
2872 (keep == PNG_HANDLE_CHUNK_IF_SAFE &&
|
|
|
2873 PNG_CHUNK_ANCILLARY(png_ptr->chunk_name)))
|
|
|
2874 {
|
|
|
2875 if (!png_cache_unknown_chunk(png_ptr, length))
|
|
|
2876 keep = PNG_HANDLE_CHUNK_NEVER;
|
|
|
2877 }
|
|
|
2878
|
|
|
2879 else
|
|
|
2880 png_crc_finish(png_ptr, length);
|
|
|
2881 }
|
|
|
2882 # else
|
|
|
2883 # ifndef PNG_READ_USER_CHUNKS_SUPPORTED
|
|
|
2884 # error no method to support READ_UNKNOWN_CHUNKS
|
|
|
2885 # endif
|
|
|
2886
|
|
|
2887 {
|
|
|
2888 /* If here there is no read callback pointer set and no support is
|
|
|
2889 * compiled in to just save the unknown chunks, so simply skip this
|
|
|
2890 * chunk. If 'keep' is something other than AS_DEFAULT or NEVER then
|
|
|
2891 * the app has erroneously asked for unknown chunk saving when there
|
|
|
2892 * is no support.
|
|
|
2893 */
|
|
|
2894 if (keep > PNG_HANDLE_CHUNK_NEVER)
|
|
|
2895 png_app_error(png_ptr, "no unknown chunk support available");
|
|
|
2896
|
|
|
2897 png_crc_finish(png_ptr, length);
|
|
|
2898 }
|
|
|
2899 # endif
|
|
|
2900
|
|
|
2901 # ifdef PNG_STORE_UNKNOWN_CHUNKS_SUPPORTED
|
|
|
2902 /* Now store the chunk in the chunk list if appropriate, and if the limits
|
|
|
2903 * permit it.
|
|
|
2904 */
|
|
|
2905 if (keep == PNG_HANDLE_CHUNK_ALWAYS ||
|
|
|
2906 (keep == PNG_HANDLE_CHUNK_IF_SAFE &&
|
|
|
2907 PNG_CHUNK_ANCILLARY(png_ptr->chunk_name)))
|
|
|
2908 {
|
|
|
2909 # ifdef PNG_USER_LIMITS_SUPPORTED
|
|
|
2910 switch (png_ptr->user_chunk_cache_max)
|
|
|
2911 {
|
|
|
2912 case 2:
|
|
|
2913 png_ptr->user_chunk_cache_max = 1;
|
|
|
2914 png_chunk_benign_error(png_ptr, "no space in chunk cache");
|
|
|
2915 /* FALL THROUGH */
|
|
|
2916 case 1:
|
|
|
2917 /* NOTE: prior to 1.6.0 this case resulted in an unknown critical
|
|
|
2918 * chunk being skipped, now there will be a hard error below.
|
|
|
2919 */
|
|
|
2920 break;
|
|
|
2921
|
|
|
2922 default: /* not at limit */
|
|
|
2923 --(png_ptr->user_chunk_cache_max);
|
|
|
2924 /* FALL THROUGH */
|
|
|
2925 case 0: /* no limit */
|
|
|
2926 # endif /* PNG_USER_LIMITS_SUPPORTED */
|
|
|
2927 /* Here when the limit isn't reached or when limits are compiled
|
|
|
2928 * out; store the chunk.
|
|
|
2929 */
|
|
|
2930 png_set_unknown_chunks(png_ptr, info_ptr,
|
|
|
2931 &png_ptr->unknown_chunk, 1);
|
|
|
2932 handled = 1;
|
|
|
2933 # ifdef PNG_USER_LIMITS_SUPPORTED
|
|
|
2934 break;
|
|
|
2935 }
|
|
|
2936 # endif
|
|
|
2937 }
|
|
|
2938 # else /* no store support: the chunk must be handled by the user callback */
|
|
|
2939 PNG_UNUSED(info_ptr)
|
|
|
2940 # endif
|
|
|
2941
|
|
|
2942 /* Regardless of the error handling below the cached data (if any) can be
|
|
|
2943 * freed now. Notice that the data is not freed if there is a png_error, but
|
|
|
2944 * it will be freed by destroy_read_struct.
|
|
|
2945 */
|
|
|
2946 if (png_ptr->unknown_chunk.data != NULL)
|
|
|
2947 png_free(png_ptr, png_ptr->unknown_chunk.data);
|
|
|
2948 png_ptr->unknown_chunk.data = NULL;
|
|
|
2949
|
|
|
2950 #else /* !PNG_READ_UNKNOWN_CHUNKS_SUPPORTED */
|
|
|
2951 /* There is no support to read an unknown chunk, so just skip it. */
|
|
|
2952 png_crc_finish(png_ptr, length);
|
|
|
2953 PNG_UNUSED(info_ptr)
|
|
|
2954 PNG_UNUSED(keep)
|
|
|
2955 #endif /* !PNG_READ_UNKNOWN_CHUNKS_SUPPORTED */
|
|
|
2956
|
|
|
2957 /* Check for unhandled critical chunks */
|
|
|
2958 if (!handled && PNG_CHUNK_CRITICAL(png_ptr->chunk_name))
|
|
|
2959 png_chunk_error(png_ptr, "unhandled critical chunk");
|
|
|
2960 }
|
|
|
2961
|
|
|
2962 /* This function is called to verify that a chunk name is valid.
|
|
|
2963 * This function can't have the "critical chunk check" incorporated
|
|
|
2964 * into it, since in the future we will need to be able to call user
|
|
|
2965 * functions to handle unknown critical chunks after we check that
|
|
|
2966 * the chunk name itself is valid.
|
|
|
2967 */
|
|
|
2968
|
|
|
2969 /* Bit hacking: the test for an invalid byte in the 4 byte chunk name is:
|
|
|
2970 *
|
|
|
2971 * ((c) < 65 || (c) > 122 || ((c) > 90 && (c) < 97))
|
|
|
2972 */
|
|
|
2973
|
|
|
2974 void /* PRIVATE */
|
|
|
2975 png_check_chunk_name(png_structrp png_ptr, png_uint_32 chunk_name)
|
|
|
2976 {
|
|
|
2977 int i;
|
|
|
2978
|
|
|
2979 png_debug(1, "in png_check_chunk_name");
|
|
|
2980
|
|
|
2981 for (i=1; i<=4; ++i)
|
|
|
2982 {
|
|
|
2983 int c = chunk_name & 0xff;
|
|
|
2984
|
|
|
2985 if (c < 65 || c > 122 || (c > 90 && c < 97))
|
|
|
2986 png_chunk_error(png_ptr, "invalid chunk type");
|
|
|
2987
|
|
|
2988 chunk_name >>= 8;
|
|
|
2989 }
|
|
|
2990 }
|
|
|
2991
|
|
|
2992 /* Combines the row recently read in with the existing pixels in the row. This
|
|
|
2993 * routine takes care of alpha and transparency if requested. This routine also
|
|
|
2994 * handles the two methods of progressive display of interlaced images,
|
|
|
2995 * depending on the 'display' value; if 'display' is true then the whole row
|
|
|
2996 * (dp) is filled from the start by replicating the available pixels. If
|
|
|
2997 * 'display' is false only those pixels present in the pass are filled in.
|
|
|
2998 */
|
|
|
2999 void /* PRIVATE */
|
|
|
3000 png_combine_row(png_const_structrp png_ptr, png_bytep dp, int display)
|
|
|
3001 {
|
|
|
3002 unsigned int pixel_depth = png_ptr->transformed_pixel_depth;
|
|
|
3003 png_const_bytep sp = png_ptr->row_buf + 1;
|
|
|
3004 png_uint_32 row_width = png_ptr->width;
|
|
|
3005 unsigned int pass = png_ptr->pass;
|
|
|
3006 png_bytep end_ptr = 0;
|
|
|
3007 png_byte end_byte = 0;
|
|
|
3008 unsigned int end_mask;
|
|
|
3009
|
|
|
3010 png_debug(1, "in png_combine_row");
|
|
|
3011
|
|
|
3012 /* Added in 1.5.6: it should not be possible to enter this routine until at
|
|
|
3013 * least one row has been read from the PNG data and transformed.
|
|
|
3014 */
|
|
|
3015 if (pixel_depth == 0)
|
|
|
3016 png_error(png_ptr, "internal row logic error");
|
|
|
3017
|
|
|
3018 /* Added in 1.5.4: the pixel depth should match the information returned by
|
|
|
3019 * any call to png_read_update_info at this point. Do not continue if we got
|
|
|
3020 * this wrong.
|
|
|
3021 */
|
|
|
3022 if (png_ptr->info_rowbytes != 0 && png_ptr->info_rowbytes !=
|
|
|
3023 PNG_ROWBYTES(pixel_depth, row_width))
|
|
|
3024 png_error(png_ptr, "internal row size calculation error");
|
|
|
3025
|
|
|
3026 /* Don't expect this to ever happen: */
|
|
|
3027 if (row_width == 0)
|
|
|
3028 png_error(png_ptr, "internal row width error");
|
|
|
3029
|
|
|
3030 /* Preserve the last byte in cases where only part of it will be overwritten,
|
|
|
3031 * the multiply below may overflow, we don't care because ANSI-C guarantees
|
|
|
3032 * we get the low bits.
|
|
|
3033 */
|
|
|
3034 end_mask = (pixel_depth * row_width) & 7;
|
|
|
3035 if (end_mask != 0)
|
|
|
3036 {
|
|
|
3037 /* end_ptr == NULL is a flag to say do nothing */
|
|
|
3038 end_ptr = dp + PNG_ROWBYTES(pixel_depth, row_width) - 1;
|
|
|
3039 end_byte = *end_ptr;
|
|
|
3040 # ifdef PNG_READ_PACKSWAP_SUPPORTED
|
|
|
3041 if (png_ptr->transformations & PNG_PACKSWAP) /* little-endian byte */
|
|
|
3042 end_mask = 0xff << end_mask;
|
|
|
3043
|
|
|
3044 else /* big-endian byte */
|
|
|
3045 # endif
|
|
|
3046 end_mask = 0xff >> end_mask;
|
|
|
3047 /* end_mask is now the bits to *keep* from the destination row */
|
|
|
3048 }
|
|
|
3049
|
|
|
3050 /* For non-interlaced images this reduces to a memcpy(). A memcpy()
|
|
|
3051 * will also happen if interlacing isn't supported or if the application
|
|
|
3052 * does not call png_set_interlace_handling(). In the latter cases the
|
|
|
3053 * caller just gets a sequence of the unexpanded rows from each interlace
|
|
|
3054 * pass.
|
|
|
3055 */
|
|
|
3056 #ifdef PNG_READ_INTERLACING_SUPPORTED
|
|
|
3057 if (png_ptr->interlaced && (png_ptr->transformations & PNG_INTERLACE) &&
|
|
|
3058 pass < 6 && (display == 0 ||
|
|
|
3059 /* The following copies everything for 'display' on passes 0, 2 and 4. */
|
|
|
3060 (display == 1 && (pass & 1) != 0)))
|
|
|
3061 {
|
|
|
3062 /* Narrow images may have no bits in a pass; the caller should handle
|
|
|
3063 * this, but this test is cheap:
|
|
|
3064 */
|
|
|
3065 if (row_width <= PNG_PASS_START_COL(pass))
|
|
|
3066 return;
|
|
|
3067
|
|
|
3068 if (pixel_depth < 8)
|
|
|
3069 {
|
|
|
3070 /* For pixel depths up to 4 bpp the 8-pixel mask can be expanded to fit
|
|
|
3071 * into 32 bits, then a single loop over the bytes using the four byte
|
|
|
3072 * values in the 32-bit mask can be used. For the 'display' option the
|
|
|
3073 * expanded mask may also not require any masking within a byte. To
|
|
|
3074 * make this work the PACKSWAP option must be taken into account - it
|
|
|
3075 * simply requires the pixels to be reversed in each byte.
|
|
|
3076 *
|
|
|
3077 * The 'regular' case requires a mask for each of the first 6 passes,
|
|
|
3078 * the 'display' case does a copy for the even passes in the range
|
|
|
3079 * 0..6. This has already been handled in the test above.
|
|
|
3080 *
|
|
|
3081 * The masks are arranged as four bytes with the first byte to use in
|
|
|
3082 * the lowest bits (little-endian) regardless of the order (PACKSWAP or
|
|
|
3083 * not) of the pixels in each byte.
|
|
|
3084 *
|
|
|
3085 * NOTE: the whole of this logic depends on the caller of this function
|
|
|
3086 * only calling it on rows appropriate to the pass. This function only
|
|
|
3087 * understands the 'x' logic; the 'y' logic is handled by the caller.
|
|
|
3088 *
|
|
|
3089 * The following defines allow generation of compile time constant bit
|
|
|
3090 * masks for each pixel depth and each possibility of swapped or not
|
|
|
3091 * swapped bytes. Pass 'p' is in the range 0..6; 'x', a pixel index,
|
|
|
3092 * is in the range 0..7; and the result is 1 if the pixel is to be
|
|
|
3093 * copied in the pass, 0 if not. 'S' is for the sparkle method, 'B'
|
|
|
3094 * for the block method.
|
|
|
3095 *
|
|
|
3096 * With some compilers a compile time expression of the general form:
|
|
|
3097 *
|
|
|
3098 * (shift >= 32) ? (a >> (shift-32)) : (b >> shift)
|
|
|
3099 *
|
|
|
3100 * Produces warnings with values of 'shift' in the range 33 to 63
|
|
|
3101 * because the right hand side of the ?: expression is evaluated by
|
|
|
3102 * the compiler even though it isn't used. Microsoft Visual C (various
|
|
|
3103 * versions) and the Intel C compiler are known to do this. To avoid
|
|
|
3104 * this the following macros are used in 1.5.6. This is a temporary
|
|
|
3105 * solution to avoid destabilizing the code during the release process.
|
|
|
3106 */
|
|
|
3107 # if PNG_USE_COMPILE_TIME_MASKS
|
|
|
3108 # define PNG_LSR(x,s) ((x)>>((s) & 0x1f))
|
|
|
3109 # define PNG_LSL(x,s) ((x)<<((s) & 0x1f))
|
|
|
3110 # else
|
|
|
3111 # define PNG_LSR(x,s) ((x)>>(s))
|
|
|
3112 # define PNG_LSL(x,s) ((x)<<(s))
|
|
|
3113 # endif
|
|
|
3114 # define S_COPY(p,x) (((p)<4 ? PNG_LSR(0x80088822,(3-(p))*8+(7-(x))) :\
|
|
|
3115 PNG_LSR(0xaa55ff00,(7-(p))*8+(7-(x)))) & 1)
|
|
|
3116 # define B_COPY(p,x) (((p)<4 ? PNG_LSR(0xff0fff33,(3-(p))*8+(7-(x))) :\
|
|
|
3117 PNG_LSR(0xff55ff00,(7-(p))*8+(7-(x)))) & 1)
|
|
|
3118
|
|
|
3119 /* Return a mask for pass 'p' pixel 'x' at depth 'd'. The mask is
|
|
|
3120 * little endian - the first pixel is at bit 0 - however the extra
|
|
|
3121 * parameter 's' can be set to cause the mask position to be swapped
|
|
|
3122 * within each byte, to match the PNG format. This is done by XOR of
|
|
|
3123 * the shift with 7, 6 or 4 for bit depths 1, 2 and 4.
|
|
|
3124 */
|
|
|
3125 # define PIXEL_MASK(p,x,d,s) \
|
|
|
3126 (PNG_LSL(((PNG_LSL(1U,(d)))-1),(((x)*(d))^((s)?8-(d):0))))
|
|
|
3127
|
|
|
3128 /* Hence generate the appropriate 'block' or 'sparkle' pixel copy mask.
|
|
|
3129 */
|
|
|
3130 # define S_MASKx(p,x,d,s) (S_COPY(p,x)?PIXEL_MASK(p,x,d,s):0)
|
|
|
3131 # define B_MASKx(p,x,d,s) (B_COPY(p,x)?PIXEL_MASK(p,x,d,s):0)
|
|
|
3132
|
|
|
3133 /* Combine 8 of these to get the full mask. For the 1-bpp and 2-bpp
|
|
|
3134 * cases the result needs replicating, for the 4-bpp case the above
|
|
|
3135 * generates a full 32 bits.
|
|
|
3136 */
|
|
|
3137 # define MASK_EXPAND(m,d) ((m)*((d)==1?0x01010101:((d)==2?0x00010001:1)))
|
|
|
3138
|
|
|
3139 # define S_MASK(p,d,s) MASK_EXPAND(S_MASKx(p,0,d,s) + S_MASKx(p,1,d,s) +\
|
|
|
3140 S_MASKx(p,2,d,s) + S_MASKx(p,3,d,s) + S_MASKx(p,4,d,s) +\
|
|
|
3141 S_MASKx(p,5,d,s) + S_MASKx(p,6,d,s) + S_MASKx(p,7,d,s), d)
|
|
|
3142
|
|
|
3143 # define B_MASK(p,d,s) MASK_EXPAND(B_MASKx(p,0,d,s) + B_MASKx(p,1,d,s) +\
|
|
|
3144 B_MASKx(p,2,d,s) + B_MASKx(p,3,d,s) + B_MASKx(p,4,d,s) +\
|
|
|
3145 B_MASKx(p,5,d,s) + B_MASKx(p,6,d,s) + B_MASKx(p,7,d,s), d)
|
|
|
3146
|
|
|
3147 #if PNG_USE_COMPILE_TIME_MASKS
|
|
|
3148 /* Utility macros to construct all the masks for a depth/swap
|
|
|
3149 * combination. The 's' parameter says whether the format is PNG
|
|
|
3150 * (big endian bytes) or not. Only the three odd-numbered passes are
|
|
|
3151 * required for the display/block algorithm.
|
|
|
3152 */
|
|
|
3153 # define S_MASKS(d,s) { S_MASK(0,d,s), S_MASK(1,d,s), S_MASK(2,d,s),\
|
|
|
3154 S_MASK(3,d,s), S_MASK(4,d,s), S_MASK(5,d,s) }
|
|
|
3155
|
|
|
3156 # define B_MASKS(d,s) { B_MASK(1,d,s), S_MASK(3,d,s), S_MASK(5,d,s) }
|
|
|
3157
|
|
|
3158 # define DEPTH_INDEX(d) ((d)==1?0:((d)==2?1:2))
|
|
|
3159
|
|
|
3160 /* Hence the pre-compiled masks indexed by PACKSWAP (or not), depth and
|
|
|
3161 * then pass:
|
|
|
3162 */
|
|
|
3163 static PNG_CONST png_uint_32 row_mask[2/*PACKSWAP*/][3/*depth*/][6] =
|
|
|
3164 {
|
|
|
3165 /* Little-endian byte masks for PACKSWAP */
|
|
|
3166 { S_MASKS(1,0), S_MASKS(2,0), S_MASKS(4,0) },
|
|
|
3167 /* Normal (big-endian byte) masks - PNG format */
|
|
|
3168 { S_MASKS(1,1), S_MASKS(2,1), S_MASKS(4,1) }
|
|
|
3169 };
|
|
|
3170
|
|
|
3171 /* display_mask has only three entries for the odd passes, so index by
|
|
|
3172 * pass>>1.
|
|
|
3173 */
|
|
|
3174 static PNG_CONST png_uint_32 display_mask[2][3][3] =
|
|
|
3175 {
|
|
|
3176 /* Little-endian byte masks for PACKSWAP */
|
|
|
3177 { B_MASKS(1,0), B_MASKS(2,0), B_MASKS(4,0) },
|
|
|
3178 /* Normal (big-endian byte) masks - PNG format */
|
|
|
3179 { B_MASKS(1,1), B_MASKS(2,1), B_MASKS(4,1) }
|
|
|
3180 };
|
|
|
3181
|
|
|
3182 # define MASK(pass,depth,display,png)\
|
|
|
3183 ((display)?display_mask[png][DEPTH_INDEX(depth)][pass>>1]:\
|
|
|
3184 row_mask[png][DEPTH_INDEX(depth)][pass])
|
|
|
3185
|
|
|
3186 #else /* !PNG_USE_COMPILE_TIME_MASKS */
|
|
|
3187 /* This is the runtime alternative: it seems unlikely that this will
|
|
|
3188 * ever be either smaller or faster than the compile time approach.
|
|
|
3189 */
|
|
|
3190 # define MASK(pass,depth,display,png)\
|
|
|
3191 ((display)?B_MASK(pass,depth,png):S_MASK(pass,depth,png))
|
|
|
3192 #endif /* !PNG_USE_COMPILE_TIME_MASKS */
|
|
|
3193
|
|
|
3194 /* Use the appropriate mask to copy the required bits. In some cases
|
|
|
3195 * the byte mask will be 0 or 0xff, optimize these cases. row_width is
|
|
|
3196 * the number of pixels, but the code copies bytes, so it is necessary
|
|
|
3197 * to special case the end.
|
|
|
3198 */
|
|
|
3199 png_uint_32 pixels_per_byte = 8 / pixel_depth;
|
|
|
3200 png_uint_32 mask;
|
|
|
3201
|
|
|
3202 # ifdef PNG_READ_PACKSWAP_SUPPORTED
|
|
|
3203 if (png_ptr->transformations & PNG_PACKSWAP)
|
|
|
3204 mask = MASK(pass, pixel_depth, display, 0);
|
|
|
3205
|
|
|
3206 else
|
|
|
3207 # endif
|
|
|
3208 mask = MASK(pass, pixel_depth, display, 1);
|
|
|
3209
|
|
|
3210 for (;;)
|
|
|
3211 {
|
|
|
3212 png_uint_32 m;
|
|
|
3213
|
|
|
3214 /* It doesn't matter in the following if png_uint_32 has more than
|
|
|
3215 * 32 bits because the high bits always match those in m<<24; it is,
|
|
|
3216 * however, essential to use OR here, not +, because of this.
|
|
|
3217 */
|
|
|
3218 m = mask;
|
|
|
3219 mask = (m >> 8) | (m << 24); /* rotate right to good compilers */
|
|
|
3220 m &= 0xff;
|
|
|
3221
|
|
|
3222 if (m != 0) /* something to copy */
|
|
|
3223 {
|
|
|
3224 if (m != 0xff)
|
|
|
3225 *dp = (png_byte)((*dp & ~m) | (*sp & m));
|
|
|
3226 else
|
|
|
3227 *dp = *sp;
|
|
|
3228 }
|
|
|
3229
|
|
|
3230 /* NOTE: this may overwrite the last byte with garbage if the image
|
|
|
3231 * is not an exact number of bytes wide; libpng has always done
|
|
|
3232 * this.
|
|
|
3233 */
|
|
|
3234 if (row_width <= pixels_per_byte)
|
|
|
3235 break; /* May need to restore part of the last byte */
|
|
|
3236
|
|
|
3237 row_width -= pixels_per_byte;
|
|
|
3238 ++dp;
|
|
|
3239 ++sp;
|
|
|
3240 }
|
|
|
3241 }
|
|
|
3242
|
|
|
3243 else /* pixel_depth >= 8 */
|
|
|
3244 {
|
|
|
3245 unsigned int bytes_to_copy, bytes_to_jump;
|
|
|
3246
|
|
|
3247 /* Validate the depth - it must be a multiple of 8 */
|
|
|
3248 if (pixel_depth & 7)
|
|
|
3249 png_error(png_ptr, "invalid user transform pixel depth");
|
|
|
3250
|
|
|
3251 pixel_depth >>= 3; /* now in bytes */
|
|
|
3252 row_width *= pixel_depth;
|
|
|
3253
|
|
|
3254 /* Regardless of pass number the Adam 7 interlace always results in a
|
|
|
3255 * fixed number of pixels to copy then to skip. There may be a
|
|
|
3256 * different number of pixels to skip at the start though.
|
|
|
3257 */
|
|
|
3258 {
|
|
|
3259 unsigned int offset = PNG_PASS_START_COL(pass) * pixel_depth;
|
|
|
3260
|
|
|
3261 row_width -= offset;
|
|
|
3262 dp += offset;
|
|
|
3263 sp += offset;
|
|
|
3264 }
|
|
|
3265
|
|
|
3266 /* Work out the bytes to copy. */
|
|
|
3267 if (display)
|
|
|
3268 {
|
|
|
3269 /* When doing the 'block' algorithm the pixel in the pass gets
|
|
|
3270 * replicated to adjacent pixels. This is why the even (0,2,4,6)
|
|
|
3271 * passes are skipped above - the entire expanded row is copied.
|
|
|
3272 */
|
|
|
3273 bytes_to_copy = (1<<((6-pass)>>1)) * pixel_depth;
|
|
|
3274
|
|
|
3275 /* But don't allow this number to exceed the actual row width. */
|
|
|
3276 if (bytes_to_copy > row_width)
|
|
|
3277 bytes_to_copy = row_width;
|
|
|
3278 }
|
|
|
3279
|
|
|
3280 else /* normal row; Adam7 only ever gives us one pixel to copy. */
|
|
|
3281 bytes_to_copy = pixel_depth;
|
|
|
3282
|
|
|
3283 /* In Adam7 there is a constant offset between where the pixels go. */
|
|
|
3284 bytes_to_jump = PNG_PASS_COL_OFFSET(pass) * pixel_depth;
|
|
|
3285
|
|
|
3286 /* And simply copy these bytes. Some optimization is possible here,
|
|
|
3287 * depending on the value of 'bytes_to_copy'. Special case the low
|
|
|
3288 * byte counts, which we know to be frequent.
|
|
|
3289 *
|
|
|
3290 * Notice that these cases all 'return' rather than 'break' - this
|
|
|
3291 * avoids an unnecessary test on whether to restore the last byte
|
|
|
3292 * below.
|
|
|
3293 */
|
|
|
3294 switch (bytes_to_copy)
|
|
|
3295 {
|
|
|
3296 case 1:
|
|
|
3297 for (;;)
|
|
|
3298 {
|
|
|
3299 *dp = *sp;
|
|
|
3300
|
|
|
3301 if (row_width <= bytes_to_jump)
|
|
|
3302 return;
|
|
|
3303
|
|
|
3304 dp += bytes_to_jump;
|
|
|
3305 sp += bytes_to_jump;
|
|
|
3306 row_width -= bytes_to_jump;
|
|
|
3307 }
|
|
|
3308
|
|
|
3309 case 2:
|
|
|
3310 /* There is a possibility of a partial copy at the end here; this
|
|
|
3311 * slows the code down somewhat.
|
|
|
3312 */
|
|
|
3313 do
|
|
|
3314 {
|
|
|
3315 dp[0] = sp[0], dp[1] = sp[1];
|
|
|
3316
|
|
|
3317 if (row_width <= bytes_to_jump)
|
|
|
3318 return;
|
|
|
3319
|
|
|
3320 sp += bytes_to_jump;
|
|
|
3321 dp += bytes_to_jump;
|
|
|
3322 row_width -= bytes_to_jump;
|
|
|
3323 }
|
|
|
3324 while (row_width > 1);
|
|
|
3325
|
|
|
3326 /* And there can only be one byte left at this point: */
|
|
|
3327 *dp = *sp;
|
|
|
3328 return;
|
|
|
3329
|
|
|
3330 case 3:
|
|
|
3331 /* This can only be the RGB case, so each copy is exactly one
|
|
|
3332 * pixel and it is not necessary to check for a partial copy.
|
|
|
3333 */
|
|
|
3334 for(;;)
|
|
|
3335 {
|
|
|
3336 dp[0] = sp[0], dp[1] = sp[1], dp[2] = sp[2];
|
|
|
3337
|
|
|
3338 if (row_width <= bytes_to_jump)
|
|
|
3339 return;
|
|
|
3340
|
|
|
3341 sp += bytes_to_jump;
|
|
|
3342 dp += bytes_to_jump;
|
|
|
3343 row_width -= bytes_to_jump;
|
|
|
3344 }
|
|
|
3345
|
|
|
3346 default:
|
|
|
3347 #if PNG_ALIGN_TYPE != PNG_ALIGN_NONE
|
|
|
3348 /* Check for double byte alignment and, if possible, use a
|
|
|
3349 * 16-bit copy. Don't attempt this for narrow images - ones that
|
|
|
3350 * are less than an interlace panel wide. Don't attempt it for
|
|
|
3351 * wide bytes_to_copy either - use the memcpy there.
|
|
|
3352 */
|
|
|
3353 if (bytes_to_copy < 16 /*else use memcpy*/ &&
|
|
|
3354 png_isaligned(dp, png_uint_16) &&
|
|
|
3355 png_isaligned(sp, png_uint_16) &&
|
|
|
3356 bytes_to_copy % (sizeof (png_uint_16)) == 0 &&
|
|
|
3357 bytes_to_jump % (sizeof (png_uint_16)) == 0)
|
|
|
3358 {
|
|
|
3359 /* Everything is aligned for png_uint_16 copies, but try for
|
|
|
3360 * png_uint_32 first.
|
|
|
3361 */
|
|
|
3362 if (png_isaligned(dp, png_uint_32) &&
|
|
|
3363 png_isaligned(sp, png_uint_32) &&
|
|
|
3364 bytes_to_copy % (sizeof (png_uint_32)) == 0 &&
|
|
|
3365 bytes_to_jump % (sizeof (png_uint_32)) == 0)
|
|
|
3366 {
|
|
|
3367 png_uint_32p dp32 = png_aligncast(png_uint_32p,dp);
|
|
|
3368 png_const_uint_32p sp32 = png_aligncastconst(
|
|
|
3369 png_const_uint_32p, sp);
|
|
|
3370 size_t skip = (bytes_to_jump-bytes_to_copy) /
|
|
|
3371 (sizeof (png_uint_32));
|
|
|
3372
|
|
|
3373 do
|
|
|
3374 {
|
|
|
3375 size_t c = bytes_to_copy;
|
|
|
3376 do
|
|
|
3377 {
|
|
|
3378 *dp32++ = *sp32++;
|
|
|
3379 c -= (sizeof (png_uint_32));
|
|
|
3380 }
|
|
|
3381 while (c > 0);
|
|
|
3382
|
|
|
3383 if (row_width <= bytes_to_jump)
|
|
|
3384 return;
|
|
|
3385
|
|
|
3386 dp32 += skip;
|
|
|
3387 sp32 += skip;
|
|
|
3388 row_width -= bytes_to_jump;
|
|
|
3389 }
|
|
|
3390 while (bytes_to_copy <= row_width);
|
|
|
3391
|
|
|
3392 /* Get to here when the row_width truncates the final copy.
|
|
|
3393 * There will be 1-3 bytes left to copy, so don't try the
|
|
|
3394 * 16-bit loop below.
|
|
|
3395 */
|
|
|
3396 dp = (png_bytep)dp32;
|
|
|
3397 sp = (png_const_bytep)sp32;
|
|
|
3398 do
|
|
|
3399 *dp++ = *sp++;
|
|
|
3400 while (--row_width > 0);
|
|
|
3401 return;
|
|
|
3402 }
|
|
|
3403
|
|
|
3404 /* Else do it in 16-bit quantities, but only if the size is
|
|
|
3405 * not too large.
|
|
|
3406 */
|
|
|
3407 else
|
|
|
3408 {
|
|
|
3409 png_uint_16p dp16 = png_aligncast(png_uint_16p, dp);
|
|
|
3410 png_const_uint_16p sp16 = png_aligncastconst(
|
|
|
3411 png_const_uint_16p, sp);
|
|
|
3412 size_t skip = (bytes_to_jump-bytes_to_copy) /
|
|
|
3413 (sizeof (png_uint_16));
|
|
|
3414
|
|
|
3415 do
|
|
|
3416 {
|
|
|
3417 size_t c = bytes_to_copy;
|
|
|
3418 do
|
|
|
3419 {
|
|
|
3420 *dp16++ = *sp16++;
|
|
|
3421 c -= (sizeof (png_uint_16));
|
|
|
3422 }
|
|
|
3423 while (c > 0);
|
|
|
3424
|
|
|
3425 if (row_width <= bytes_to_jump)
|
|
|
3426 return;
|
|
|
3427
|
|
|
3428 dp16 += skip;
|
|
|
3429 sp16 += skip;
|
|
|
3430 row_width -= bytes_to_jump;
|
|
|
3431 }
|
|
|
3432 while (bytes_to_copy <= row_width);
|
|
|
3433
|
|
|
3434 /* End of row - 1 byte left, bytes_to_copy > row_width: */
|
|
|
3435 dp = (png_bytep)dp16;
|
|
|
3436 sp = (png_const_bytep)sp16;
|
|
|
3437 do
|
|
|
3438 *dp++ = *sp++;
|
|
|
3439 while (--row_width > 0);
|
|
|
3440 return;
|
|
|
3441 }
|
|
|
3442 }
|
|
|
3443 #endif /* PNG_ALIGN_ code */
|
|
|
3444
|
|
|
3445 /* The true default - use a memcpy: */
|
|
|
3446 for (;;)
|
|
|
3447 {
|
|
|
3448 memcpy(dp, sp, bytes_to_copy);
|
|
|
3449
|
|
|
3450 if (row_width <= bytes_to_jump)
|
|
|
3451 return;
|
|
|
3452
|
|
|
3453 sp += bytes_to_jump;
|
|
|
3454 dp += bytes_to_jump;
|
|
|
3455 row_width -= bytes_to_jump;
|
|
|
3456 if (bytes_to_copy > row_width)
|
|
|
3457 bytes_to_copy = row_width;
|
|
|
3458 }
|
|
|
3459 }
|
|
|
3460
|
|
|
3461 /* NOT REACHED*/
|
|
|
3462 } /* pixel_depth >= 8 */
|
|
|
3463
|
|
|
3464 /* Here if pixel_depth < 8 to check 'end_ptr' below. */
|
|
|
3465 }
|
|
|
3466 else
|
|
|
3467 #endif
|
|
|
3468
|
|
|
3469 /* If here then the switch above wasn't used so just memcpy the whole row
|
|
|
3470 * from the temporary row buffer (notice that this overwrites the end of the
|
|
|
3471 * destination row if it is a partial byte.)
|
|
|
3472 */
|
|
|
3473 memcpy(dp, sp, PNG_ROWBYTES(pixel_depth, row_width));
|
|
|
3474
|
|
|
3475 /* Restore the overwritten bits from the last byte if necessary. */
|
|
|
3476 if (end_ptr != NULL)
|
|
|
3477 *end_ptr = (png_byte)((end_byte & end_mask) | (*end_ptr & ~end_mask));
|
|
|
3478 }
|
|
|
3479
|
|
|
3480 #ifdef PNG_READ_INTERLACING_SUPPORTED
|
|
|
3481 void /* PRIVATE */
|
|
|
3482 png_do_read_interlace(png_row_infop row_info, png_bytep row, int pass,
|
|
|
3483 png_uint_32 transformations /* Because these may affect the byte layout */)
|
|
|
3484 {
|
|
|
3485 /* Arrays to facilitate easy interlacing - use pass (0 - 6) as index */
|
|
|
3486 /* Offset to next interlace block */
|
|
|
3487 static PNG_CONST int png_pass_inc[7] = {8, 8, 4, 4, 2, 2, 1};
|
|
|
3488
|
|
|
3489 png_debug(1, "in png_do_read_interlace");
|
|
|
3490 if (row != NULL && row_info != NULL)
|
|
|
3491 {
|
|
|
3492 png_uint_32 final_width;
|
|
|
3493
|
|
|
3494 final_width = row_info->width * png_pass_inc[pass];
|
|
|
3495
|
|
|
3496 switch (row_info->pixel_depth)
|
|
|
3497 {
|
|
|
3498 case 1:
|
|
|
3499 {
|
|
|
3500 png_bytep sp = row + (png_size_t)((row_info->width - 1) >> 3);
|
|
|
3501 png_bytep dp = row + (png_size_t)((final_width - 1) >> 3);
|
|
|
3502 int sshift, dshift;
|
|
|
3503 int s_start, s_end, s_inc;
|
|
|
3504 int jstop = png_pass_inc[pass];
|
|
|
3505 png_byte v;
|
|
|
3506 png_uint_32 i;
|
|
|
3507 int j;
|
|
|
3508
|
|
|
3509 #ifdef PNG_READ_PACKSWAP_SUPPORTED
|
|
|
3510 if (transformations & PNG_PACKSWAP)
|
|
|
3511 {
|
|
|
3512 sshift = (int)((row_info->width + 7) & 0x07);
|
|
|
3513 dshift = (int)((final_width + 7) & 0x07);
|
|
|
3514 s_start = 7;
|
|
|
3515 s_end = 0;
|
|
|
3516 s_inc = -1;
|
|
|
3517 }
|
|
|
3518
|
|
|
3519 else
|
|
|
3520 #endif
|
|
|
3521 {
|
|
|
3522 sshift = 7 - (int)((row_info->width + 7) & 0x07);
|
|
|
3523 dshift = 7 - (int)((final_width + 7) & 0x07);
|
|
|
3524 s_start = 0;
|
|
|
3525 s_end = 7;
|
|
|
3526 s_inc = 1;
|
|
|
3527 }
|
|
|
3528
|
|
|
3529 for (i = 0; i < row_info->width; i++)
|
|
|
3530 {
|
|
|
3531 v = (png_byte)((*sp >> sshift) & 0x01);
|
|
|
3532 for (j = 0; j < jstop; j++)
|
|
|
3533 {
|
|
|
3534 unsigned int tmp = *dp & (0x7f7f >> (7 - dshift));
|
|
|
3535 tmp |= v << dshift;
|
|
|
3536 *dp = (png_byte)(tmp & 0xff);
|
|
|
3537
|
|
|
3538 if (dshift == s_end)
|
|
|
3539 {
|
|
|
3540 dshift = s_start;
|
|
|
3541 dp--;
|
|
|
3542 }
|
|
|
3543
|
|
|
3544 else
|
|
|
3545 dshift += s_inc;
|
|
|
3546 }
|
|
|
3547
|
|
|
3548 if (sshift == s_end)
|
|
|
3549 {
|
|
|
3550 sshift = s_start;
|
|
|
3551 sp--;
|
|
|
3552 }
|
|
|
3553
|
|
|
3554 else
|
|
|
3555 sshift += s_inc;
|
|
|
3556 }
|
|
|
3557 break;
|
|
|
3558 }
|
|
|
3559
|
|
|
3560 case 2:
|
|
|
3561 {
|
|
|
3562 png_bytep sp = row + (png_uint_32)((row_info->width - 1) >> 2);
|
|
|
3563 png_bytep dp = row + (png_uint_32)((final_width - 1) >> 2);
|
|
|
3564 int sshift, dshift;
|
|
|
3565 int s_start, s_end, s_inc;
|
|
|
3566 int jstop = png_pass_inc[pass];
|
|
|
3567 png_uint_32 i;
|
|
|
3568
|
|
|
3569 #ifdef PNG_READ_PACKSWAP_SUPPORTED
|
|
|
3570 if (transformations & PNG_PACKSWAP)
|
|
|
3571 {
|
|
|
3572 sshift = (int)(((row_info->width + 3) & 0x03) << 1);
|
|
|
3573 dshift = (int)(((final_width + 3) & 0x03) << 1);
|
|
|
3574 s_start = 6;
|
|
|
3575 s_end = 0;
|
|
|
3576 s_inc = -2;
|
|
|
3577 }
|
|
|
3578
|
|
|
3579 else
|
|
|
3580 #endif
|
|
|
3581 {
|
|
|
3582 sshift = (int)((3 - ((row_info->width + 3) & 0x03)) << 1);
|
|
|
3583 dshift = (int)((3 - ((final_width + 3) & 0x03)) << 1);
|
|
|
3584 s_start = 0;
|
|
|
3585 s_end = 6;
|
|
|
3586 s_inc = 2;
|
|
|
3587 }
|
|
|
3588
|
|
|
3589 for (i = 0; i < row_info->width; i++)
|
|
|
3590 {
|
|
|
3591 png_byte v;
|
|
|
3592 int j;
|
|
|
3593
|
|
|
3594 v = (png_byte)((*sp >> sshift) & 0x03);
|
|
|
3595 for (j = 0; j < jstop; j++)
|
|
|
3596 {
|
|
|
3597 unsigned int tmp = *dp & (0x3f3f >> (6 - dshift));
|
|
|
3598 tmp |= v << dshift;
|
|
|
3599 *dp = (png_byte)(tmp & 0xff);
|
|
|
3600
|
|
|
3601 if (dshift == s_end)
|
|
|
3602 {
|
|
|
3603 dshift = s_start;
|
|
|
3604 dp--;
|
|
|
3605 }
|
|
|
3606
|
|
|
3607 else
|
|
|
3608 dshift += s_inc;
|
|
|
3609 }
|
|
|
3610
|
|
|
3611 if (sshift == s_end)
|
|
|
3612 {
|
|
|
3613 sshift = s_start;
|
|
|
3614 sp--;
|
|
|
3615 }
|
|
|
3616
|
|
|
3617 else
|
|
|
3618 sshift += s_inc;
|
|
|
3619 }
|
|
|
3620 break;
|
|
|
3621 }
|
|
|
3622
|
|
|
3623 case 4:
|
|
|
3624 {
|
|
|
3625 png_bytep sp = row + (png_size_t)((row_info->width - 1) >> 1);
|
|
|
3626 png_bytep dp = row + (png_size_t)((final_width - 1) >> 1);
|
|
|
3627 int sshift, dshift;
|
|
|
3628 int s_start, s_end, s_inc;
|
|
|
3629 png_uint_32 i;
|
|
|
3630 int jstop = png_pass_inc[pass];
|
|
|
3631
|
|
|
3632 #ifdef PNG_READ_PACKSWAP_SUPPORTED
|
|
|
3633 if (transformations & PNG_PACKSWAP)
|
|
|
3634 {
|
|
|
3635 sshift = (int)(((row_info->width + 1) & 0x01) << 2);
|
|
|
3636 dshift = (int)(((final_width + 1) & 0x01) << 2);
|
|
|
3637 s_start = 4;
|
|
|
3638 s_end = 0;
|
|
|
3639 s_inc = -4;
|
|
|
3640 }
|
|
|
3641
|
|
|
3642 else
|
|
|
3643 #endif
|
|
|
3644 {
|
|
|
3645 sshift = (int)((1 - ((row_info->width + 1) & 0x01)) << 2);
|
|
|
3646 dshift = (int)((1 - ((final_width + 1) & 0x01)) << 2);
|
|
|
3647 s_start = 0;
|
|
|
3648 s_end = 4;
|
|
|
3649 s_inc = 4;
|
|
|
3650 }
|
|
|
3651
|
|
|
3652 for (i = 0; i < row_info->width; i++)
|
|
|
3653 {
|
|
|
3654 png_byte v = (png_byte)((*sp >> sshift) & 0x0f);
|
|
|
3655 int j;
|
|
|
3656
|
|
|
3657 for (j = 0; j < jstop; j++)
|
|
|
3658 {
|
|
|
3659 unsigned int tmp = *dp & (0xf0f >> (4 - dshift));
|
|
|
3660 tmp |= v << dshift;
|
|
|
3661 *dp = (png_byte)(tmp & 0xff);
|
|
|
3662
|
|
|
3663 if (dshift == s_end)
|
|
|
3664 {
|
|
|
3665 dshift = s_start;
|
|
|
3666 dp--;
|
|
|
3667 }
|
|
|
3668
|
|
|
3669 else
|
|
|
3670 dshift += s_inc;
|
|
|
3671 }
|
|
|
3672
|
|
|
3673 if (sshift == s_end)
|
|
|
3674 {
|
|
|
3675 sshift = s_start;
|
|
|
3676 sp--;
|
|
|
3677 }
|
|
|
3678
|
|
|
3679 else
|
|
|
3680 sshift += s_inc;
|
|
|
3681 }
|
|
|
3682 break;
|
|
|
3683 }
|
|
|
3684
|
|
|
3685 default:
|
|
|
3686 {
|
|
|
3687 png_size_t pixel_bytes = (row_info->pixel_depth >> 3);
|
|
|
3688
|
|
|
3689 png_bytep sp = row + (png_size_t)(row_info->width - 1)
|
|
|
3690 * pixel_bytes;
|
|
|
3691
|
|
|
3692 png_bytep dp = row + (png_size_t)(final_width - 1) * pixel_bytes;
|
|
|
3693
|
|
|
3694 int jstop = png_pass_inc[pass];
|
|
|
3695 png_uint_32 i;
|
|
|
3696
|
|
|
3697 for (i = 0; i < row_info->width; i++)
|
|
|
3698 {
|
|
|
3699 png_byte v[8]; /* SAFE; pixel_depth does not exceed 64 */
|
|
|
3700 int j;
|
|
|
3701
|
|
|
3702 memcpy(v, sp, pixel_bytes);
|
|
|
3703
|
|
|
3704 for (j = 0; j < jstop; j++)
|
|
|
3705 {
|
|
|
3706 memcpy(dp, v, pixel_bytes);
|
|
|
3707 dp -= pixel_bytes;
|
|
|
3708 }
|
|
|
3709
|
|
|
3710 sp -= pixel_bytes;
|
|
|
3711 }
|
|
|
3712 break;
|
|
|
3713 }
|
|
|
3714 }
|
|
|
3715
|
|
|
3716 row_info->width = final_width;
|
|
|
3717 row_info->rowbytes = PNG_ROWBYTES(row_info->pixel_depth, final_width);
|
|
|
3718 }
|
|
|
3719 #ifndef PNG_READ_PACKSWAP_SUPPORTED
|
|
|
3720 PNG_UNUSED(transformations) /* Silence compiler warning */
|
|
|
3721 #endif
|
|
|
3722 }
|
|
|
3723 #endif /* PNG_READ_INTERLACING_SUPPORTED */
|
|
|
3724
|
|
|
3725 static void
|
|
|
3726 png_read_filter_row_sub(png_row_infop row_info, png_bytep row,
|
|
|
3727 png_const_bytep prev_row)
|
|
|
3728 {
|
|
|
3729 png_size_t i;
|
|
|
3730 png_size_t istop = row_info->rowbytes;
|
|
|
3731 unsigned int bpp = (row_info->pixel_depth + 7) >> 3;
|
|
|
3732 png_bytep rp = row + bpp;
|
|
|
3733
|
|
|
3734 PNG_UNUSED(prev_row)
|
|
|
3735
|
|
|
3736 for (i = bpp; i < istop; i++)
|
|
|
3737 {
|
|
|
3738 *rp = (png_byte)(((int)(*rp) + (int)(*(rp-bpp))) & 0xff);
|
|
|
3739 rp++;
|
|
|
3740 }
|
|
|
3741 }
|
|
|
3742
|
|
|
3743 static void
|
|
|
3744 png_read_filter_row_up(png_row_infop row_info, png_bytep row,
|
|
|
3745 png_const_bytep prev_row)
|
|
|
3746 {
|
|
|
3747 png_size_t i;
|
|
|
3748 png_size_t istop = row_info->rowbytes;
|
|
|
3749 png_bytep rp = row;
|
|
|
3750 png_const_bytep pp = prev_row;
|
|
|
3751
|
|
|
3752 for (i = 0; i < istop; i++)
|
|
|
3753 {
|
|
|
3754 *rp = (png_byte)(((int)(*rp) + (int)(*pp++)) & 0xff);
|
|
|
3755 rp++;
|
|
|
3756 }
|
|
|
3757 }
|
|
|
3758
|
|
|
3759 static void
|
|
|
3760 png_read_filter_row_avg(png_row_infop row_info, png_bytep row,
|
|
|
3761 png_const_bytep prev_row)
|
|
|
3762 {
|
|
|
3763 png_size_t i;
|
|
|
3764 png_bytep rp = row;
|
|
|
3765 png_const_bytep pp = prev_row;
|
|
|
3766 unsigned int bpp = (row_info->pixel_depth + 7) >> 3;
|
|
|
3767 png_size_t istop = row_info->rowbytes - bpp;
|
|
|
3768
|
|
|
3769 for (i = 0; i < bpp; i++)
|
|
|
3770 {
|
|
|
3771 *rp = (png_byte)(((int)(*rp) +
|
|
|
3772 ((int)(*pp++) / 2 )) & 0xff);
|
|
|
3773
|
|
|
3774 rp++;
|
|
|
3775 }
|
|
|
3776
|
|
|
3777 for (i = 0; i < istop; i++)
|
|
|
3778 {
|
|
|
3779 *rp = (png_byte)(((int)(*rp) +
|
|
|
3780 (int)(*pp++ + *(rp-bpp)) / 2 ) & 0xff);
|
|
|
3781
|
|
|
3782 rp++;
|
|
|
3783 }
|
|
|
3784 }
|
|
|
3785
|
|
|
3786 static void
|
|
|
3787 png_read_filter_row_paeth_1byte_pixel(png_row_infop row_info, png_bytep row,
|
|
|
3788 png_const_bytep prev_row)
|
|
|
3789 {
|
|
|
3790 png_bytep rp_end = row + row_info->rowbytes;
|
|
|
3791 int a, c;
|
|
|
3792
|
|
|
3793 /* First pixel/byte */
|
|
|
3794 c = *prev_row++;
|
|
|
3795 a = *row + c;
|
|
|
3796 *row++ = (png_byte)a;
|
|
|
3797
|
|
|
3798 /* Remainder */
|
|
|
3799 while (row < rp_end)
|
|
|
3800 {
|
|
|
3801 int b, pa, pb, pc, p;
|
|
|
3802
|
|
|
3803 a &= 0xff; /* From previous iteration or start */
|
|
|
3804 b = *prev_row++;
|
|
|
3805
|
|
|
3806 p = b - c;
|
|
|
3807 pc = a - c;
|
|
|
3808
|
|
|
3809 # ifdef PNG_USE_ABS
|
|
|
3810 pa = abs(p);
|
|
|
3811 pb = abs(pc);
|
|
|
3812 pc = abs(p + pc);
|
|
|
3813 # else
|
|
|
3814 pa = p < 0 ? -p : p;
|
|
|
3815 pb = pc < 0 ? -pc : pc;
|
|
|
3816 pc = (p + pc) < 0 ? -(p + pc) : p + pc;
|
|
|
3817 # endif
|
|
|
3818
|
|
|
3819 /* Find the best predictor, the least of pa, pb, pc favoring the earlier
|
|
|
3820 * ones in the case of a tie.
|
|
|
3821 */
|
|
|
3822 if (pb < pa) pa = pb, a = b;
|
|
|
3823 if (pc < pa) a = c;
|
|
|
3824
|
|
|
3825 /* Calculate the current pixel in a, and move the previous row pixel to c
|
|
|
3826 * for the next time round the loop
|
|
|
3827 */
|
|
|
3828 c = b;
|
|
|
3829 a += *row;
|
|
|
3830 *row++ = (png_byte)a;
|
|
|
3831 }
|
|
|
3832 }
|
|
|
3833
|
|
|
3834 static void
|
|
|
3835 png_read_filter_row_paeth_multibyte_pixel(png_row_infop row_info, png_bytep row,
|
|
|
3836 png_const_bytep prev_row)
|
|
|
3837 {
|
|
|
3838 int bpp = (row_info->pixel_depth + 7) >> 3;
|
|
|
3839 png_bytep rp_end = row + bpp;
|
|
|
3840
|
|
|
3841 /* Process the first pixel in the row completely (this is the same as 'up'
|
|
|
3842 * because there is only one candidate predictor for the first row).
|
|
|
3843 */
|
|
|
3844 while (row < rp_end)
|
|
|
3845 {
|
|
|
3846 int a = *row + *prev_row++;
|
|
|
3847 *row++ = (png_byte)a;
|
|
|
3848 }
|
|
|
3849
|
|
|
3850 /* Remainder */
|
|
|
3851 rp_end += row_info->rowbytes - bpp;
|
|
|
3852
|
|
|
3853 while (row < rp_end)
|
|
|
3854 {
|
|
|
3855 int a, b, c, pa, pb, pc, p;
|
|
|
3856
|
|
|
3857 c = *(prev_row - bpp);
|
|
|
3858 a = *(row - bpp);
|
|
|
3859 b = *prev_row++;
|
|
|
3860
|
|
|
3861 p = b - c;
|
|
|
3862 pc = a - c;
|
|
|
3863
|
|
|
3864 # ifdef PNG_USE_ABS
|
|
|
3865 pa = abs(p);
|
|
|
3866 pb = abs(pc);
|
|
|
3867 pc = abs(p + pc);
|
|
|
3868 # else
|
|
|
3869 pa = p < 0 ? -p : p;
|
|
|
3870 pb = pc < 0 ? -pc : pc;
|
|
|
3871 pc = (p + pc) < 0 ? -(p + pc) : p + pc;
|
|
|
3872 # endif
|
|
|
3873
|
|
|
3874 if (pb < pa) pa = pb, a = b;
|
|
|
3875 if (pc < pa) a = c;
|
|
|
3876
|
|
|
3877 a += *row;
|
|
|
3878 *row++ = (png_byte)a;
|
|
|
3879 }
|
|
|
3880 }
|
|
|
3881
|
|
|
3882 static void
|
|
|
3883 png_init_filter_functions(png_structrp pp)
|
|
|
3884 /* This function is called once for every PNG image (except for PNG images
|
|
|
3885 * that only use PNG_FILTER_VALUE_NONE for all rows) to set the
|
|
|
3886 * implementations required to reverse the filtering of PNG rows. Reversing
|
|
|
3887 * the filter is the first transformation performed on the row data. It is
|
|
|
3888 * performed in place, therefore an implementation can be selected based on
|
|
|
3889 * the image pixel format. If the implementation depends on image width then
|
|
|
3890 * take care to ensure that it works correctly if the image is interlaced -
|
|
|
3891 * interlacing causes the actual row width to vary.
|
|
|
3892 */
|
|
|
3893 {
|
|
|
3894 unsigned int bpp = (pp->pixel_depth + 7) >> 3;
|
|
|
3895
|
|
|
3896 pp->read_filter[PNG_FILTER_VALUE_SUB-1] = png_read_filter_row_sub;
|
|
|
3897 pp->read_filter[PNG_FILTER_VALUE_UP-1] = png_read_filter_row_up;
|
|
|
3898 pp->read_filter[PNG_FILTER_VALUE_AVG-1] = png_read_filter_row_avg;
|
|
|
3899 if (bpp == 1)
|
|
|
3900 pp->read_filter[PNG_FILTER_VALUE_PAETH-1] =
|
|
|
3901 png_read_filter_row_paeth_1byte_pixel;
|
|
|
3902 else
|
|
|
3903 pp->read_filter[PNG_FILTER_VALUE_PAETH-1] =
|
|
|
3904 png_read_filter_row_paeth_multibyte_pixel;
|
|
|
3905
|
|
|
3906 #ifdef PNG_FILTER_OPTIMIZATIONS
|
|
|
3907 /* To use this define PNG_FILTER_OPTIMIZATIONS as the name of a function to
|
|
|
3908 * call to install hardware optimizations for the above functions; simply
|
|
|
3909 * replace whatever elements of the pp->read_filter[] array with a hardware
|
|
|
3910 * specific (or, for that matter, generic) optimization.
|
|
|
3911 *
|
|
|
3912 * To see an example of this examine what configure.ac does when
|
|
|
3913 * --enable-arm-neon is specified on the command line.
|
|
|
3914 */
|
|
|
3915 PNG_FILTER_OPTIMIZATIONS(pp, bpp);
|
|
|
3916 #endif
|
|
|
3917 }
|
|
|
3918
|
|
|
3919 void /* PRIVATE */
|
|
|
3920 png_read_filter_row(png_structrp pp, png_row_infop row_info, png_bytep row,
|
|
|
3921 png_const_bytep prev_row, int filter)
|
|
|
3922 {
|
|
|
3923 /* OPTIMIZATION: DO NOT MODIFY THIS FUNCTION, instead #define
|
|
|
3924 * PNG_FILTER_OPTIMIZATIONS to a function that overrides the generic
|
|
|
3925 * implementations. See png_init_filter_functions above.
|
|
|
3926 */
|
|
|
3927 if (filter > PNG_FILTER_VALUE_NONE && filter < PNG_FILTER_VALUE_LAST)
|
|
|
3928 {
|
|
|
3929 if (pp->read_filter[0] == NULL)
|
|
|
3930 png_init_filter_functions(pp);
|
|
|
3931
|
|
|
3932 pp->read_filter[filter-1](row_info, row, prev_row);
|
|
|
3933 }
|
|
|
3934 }
|
|
|
3935
|
|
|
3936 #ifdef PNG_SEQUENTIAL_READ_SUPPORTED
|
|
|
3937 void /* PRIVATE */
|
|
|
3938 png_read_IDAT_data(png_structrp png_ptr, png_bytep output,
|
|
|
3939 png_alloc_size_t avail_out)
|
|
|
3940 {
|
|
|
3941 /* Loop reading IDATs and decompressing the result into output[avail_out] */
|
|
|
3942 png_ptr->zstream.next_out = output;
|
|
|
3943 png_ptr->zstream.avail_out = 0; /* safety: set below */
|
|
|
3944
|
|
|
3945 if (output == NULL)
|
|
|
3946 avail_out = 0;
|
|
|
3947
|
|
|
3948 do
|
|
|
3949 {
|
|
|
3950 int ret;
|
|
|
3951 png_byte tmpbuf[PNG_INFLATE_BUF_SIZE];
|
|
|
3952
|
|
|
3953 if (png_ptr->zstream.avail_in == 0)
|
|
|
3954 {
|
|
|
3955 uInt avail_in;
|
|
|
3956 png_bytep buffer;
|
|
|
3957
|
|
|
3958 while (png_ptr->idat_size == 0)
|
|
|
3959 {
|
|
|
3960 png_crc_finish(png_ptr, 0);
|
|
|
3961
|
|
|
3962 png_ptr->idat_size = png_read_chunk_header(png_ptr);
|
|
|
3963 /* This is an error even in the 'check' case because the code just
|
|
|
3964 * consumed a non-IDAT header.
|
|
|
3965 */
|
|
|
3966 if (png_ptr->chunk_name != png_IDAT)
|
|
|
3967 png_error(png_ptr, "Not enough image data");
|
|
|
3968 }
|
|
|
3969
|
|
|
3970 avail_in = png_ptr->IDAT_read_size;
|
|
|
3971
|
|
|
3972 if (avail_in > png_ptr->idat_size)
|
|
|
3973 avail_in = (uInt)png_ptr->idat_size;
|
|
|
3974
|
|
|
3975 /* A PNG with a gradually increasing IDAT size will defeat this attempt
|
|
|
3976 * to minimize memory usage by causing lots of re-allocs, but
|
|
|
3977 * realistically doing IDAT_read_size re-allocs is not likely to be a
|
|
|
3978 * big problem.
|
|
|
3979 */
|
|
|
3980 buffer = png_read_buffer(png_ptr, avail_in, 0/*error*/);
|
|
|
3981
|
|
|
3982 png_crc_read(png_ptr, buffer, avail_in);
|
|
|
3983 png_ptr->idat_size -= avail_in;
|
|
|
3984
|
|
|
3985 png_ptr->zstream.next_in = buffer;
|
|
|
3986 png_ptr->zstream.avail_in = avail_in;
|
|
|
3987 }
|
|
|
3988
|
|
|
3989 /* And set up the output side. */
|
|
|
3990 if (output != NULL) /* standard read */
|
|
|
3991 {
|
|
|
3992 uInt out = ZLIB_IO_MAX;
|
|
|
3993
|
|
|
3994 if (out > avail_out)
|
|
|
3995 out = (uInt)avail_out;
|
|
|
3996
|
|
|
3997 avail_out -= out;
|
|
|
3998 png_ptr->zstream.avail_out = out;
|
|
|
3999 }
|
|
|
4000
|
|
|
4001 else /* after last row, checking for end */
|
|
|
4002 {
|
|
|
4003 png_ptr->zstream.next_out = tmpbuf;
|
|
|
4004 png_ptr->zstream.avail_out = (sizeof tmpbuf);
|
|
|
4005 }
|
|
|
4006
|
|
|
4007 /* Use NO_FLUSH; this gives zlib the maximum opportunity to optimize the
|
|
|
4008 * process. If the LZ stream is truncated the sequential reader will
|
|
|
4009 * terminally damage the stream, above, by reading the chunk header of the
|
|
|
4010 * following chunk (it then exits with png_error).
|
|
|
4011 *
|
|
|
4012 * TODO: deal more elegantly with truncated IDAT lists.
|
|
|
4013 */
|
|
|
4014 ret = inflate(&png_ptr->zstream, Z_NO_FLUSH);
|
|
|
4015
|
|
|
4016 /* Take the unconsumed output back. */
|
|
|
4017 if (output != NULL)
|
|
|
4018 avail_out += png_ptr->zstream.avail_out;
|
|
|
4019
|
|
|
4020 else /* avail_out counts the extra bytes */
|
|
|
4021 avail_out += (sizeof tmpbuf) - png_ptr->zstream.avail_out;
|
|
|
4022
|
|
|
4023 png_ptr->zstream.avail_out = 0;
|
|
|
4024
|
|
|
4025 if (ret == Z_STREAM_END)
|
|
|
4026 {
|
|
|
4027 /* Do this for safety; we won't read any more into this row. */
|
|
|
4028 png_ptr->zstream.next_out = NULL;
|
|
|
4029
|
|
|
4030 png_ptr->mode |= PNG_AFTER_IDAT;
|
|
|
4031 png_ptr->flags |= PNG_FLAG_ZSTREAM_ENDED;
|
|
|
4032
|
|
|
4033 if (png_ptr->zstream.avail_in > 0 || png_ptr->idat_size > 0)
|
|
|
4034 png_chunk_benign_error(png_ptr, "Extra compressed data");
|
|
|
4035 break;
|
|
|
4036 }
|
|
|
4037
|
|
|
4038 if (ret != Z_OK)
|
|
|
4039 {
|
|
|
4040 png_zstream_error(png_ptr, ret);
|
|
|
4041
|
|
|
4042 if (output != NULL)
|
|
|
4043 png_chunk_error(png_ptr, png_ptr->zstream.msg);
|
|
|
4044
|
|
|
4045 else /* checking */
|
|
|
4046 {
|
|
|
4047 png_chunk_benign_error(png_ptr, png_ptr->zstream.msg);
|
|
|
4048 return;
|
|
|
4049 }
|
|
|
4050 }
|
|
|
4051 } while (avail_out > 0);
|
|
|
4052
|
|
|
4053 if (avail_out > 0)
|
|
|
4054 {
|
|
|
4055 /* The stream ended before the image; this is the same as too few IDATs so
|
|
|
4056 * should be handled the same way.
|
|
|
4057 */
|
|
|
4058 if (output != NULL)
|
|
|
4059 png_error(png_ptr, "Not enough image data");
|
|
|
4060
|
|
|
4061 else /* the deflate stream contained extra data */
|
|
|
4062 png_chunk_benign_error(png_ptr, "Too much image data");
|
|
|
4063 }
|
|
|
4064 }
|
|
|
4065
|
|
|
4066 void /* PRIVATE */
|
|
|
4067 png_read_finish_IDAT(png_structrp png_ptr)
|
|
|
4068 {
|
|
|
4069 /* We don't need any more data and the stream should have ended, however the
|
|
|
4070 * LZ end code may actually not have been processed. In this case we must
|
|
|
4071 * read it otherwise stray unread IDAT data or, more likely, an IDAT chunk
|
|
|
4072 * may still remain to be consumed.
|
|
|
4073 */
|
|
|
4074 if (!(png_ptr->flags & PNG_FLAG_ZSTREAM_ENDED))
|
|
|
4075 {
|
|
|
4076 /* The NULL causes png_read_IDAT_data to swallow any remaining bytes in
|
|
|
4077 * the compressed stream, but the stream may be damaged too, so even after
|
|
|
4078 * this call we may need to terminate the zstream ownership.
|
|
|
4079 */
|
|
|
4080 png_read_IDAT_data(png_ptr, NULL, 0);
|
|
|
4081 png_ptr->zstream.next_out = NULL; /* safety */
|
|
|
4082
|
|
|
4083 /* Now clear everything out for safety; the following may not have been
|
|
|
4084 * done.
|
|
|
4085 */
|
|
|
4086 if (!(png_ptr->flags & PNG_FLAG_ZSTREAM_ENDED))
|
|
|
4087 {
|
|
|
4088 png_ptr->mode |= PNG_AFTER_IDAT;
|
|
|
4089 png_ptr->flags |= PNG_FLAG_ZSTREAM_ENDED;
|
|
|
4090 }
|
|
|
4091 }
|
|
|
4092
|
|
|
4093 /* If the zstream has not been released do it now *and* terminate the reading
|
|
|
4094 * of the final IDAT chunk.
|
|
|
4095 */
|
|
|
4096 if (png_ptr->zowner == png_IDAT)
|
|
|
4097 {
|
|
|
4098 /* Always do this; the pointers otherwise point into the read buffer. */
|
|
|
4099 png_ptr->zstream.next_in = NULL;
|
|
|
4100 png_ptr->zstream.avail_in = 0;
|
|
|
4101
|
|
|
4102 /* Now we no longer own the zstream. */
|
|
|
4103 png_ptr->zowner = 0;
|
|
|
4104
|
|
|
4105 /* The slightly weird semantics of the sequential IDAT reading is that we
|
|
|
4106 * are always in or at the end of an IDAT chunk, so we always need to do a
|
|
|
4107 * crc_finish here. If idat_size is non-zero we also need to read the
|
|
|
4108 * spurious bytes at the end of the chunk now.
|
|
|
4109 */
|
|
|
4110 (void)png_crc_finish(png_ptr, png_ptr->idat_size);
|
|
|
4111 }
|
|
|
4112 }
|
|
|
4113
|
|
|
4114 void /* PRIVATE */
|
|
|
4115 png_read_finish_row(png_structrp png_ptr)
|
|
|
4116 {
|
|
|
4117 #ifdef PNG_READ_INTERLACING_SUPPORTED
|
|
|
4118 /* Arrays to facilitate easy interlacing - use pass (0 - 6) as index */
|
|
|
4119
|
|
|
4120 /* Start of interlace block */
|
|
|
4121 static PNG_CONST png_byte png_pass_start[7] = {0, 4, 0, 2, 0, 1, 0};
|
|
|
4122
|
|
|
4123 /* Offset to next interlace block */
|
|
|
4124 static PNG_CONST png_byte png_pass_inc[7] = {8, 8, 4, 4, 2, 2, 1};
|
|
|
4125
|
|
|
4126 /* Start of interlace block in the y direction */
|
|
|
4127 static PNG_CONST png_byte png_pass_ystart[7] = {0, 0, 4, 0, 2, 0, 1};
|
|
|
4128
|
|
|
4129 /* Offset to next interlace block in the y direction */
|
|
|
4130 static PNG_CONST png_byte png_pass_yinc[7] = {8, 8, 8, 4, 4, 2, 2};
|
|
|
4131 #endif /* PNG_READ_INTERLACING_SUPPORTED */
|
|
|
4132
|
|
|
4133 png_debug(1, "in png_read_finish_row");
|
|
|
4134 png_ptr->row_number++;
|
|
|
4135 if (png_ptr->row_number < png_ptr->num_rows)
|
|
|
4136 return;
|
|
|
4137
|
|
|
4138 #ifdef PNG_READ_INTERLACING_SUPPORTED
|
|
|
4139 if (png_ptr->interlaced)
|
|
|
4140 {
|
|
|
4141 png_ptr->row_number = 0;
|
|
|
4142
|
|
|
4143 /* TO DO: don't do this if prev_row isn't needed (requires
|
|
|
4144 * read-ahead of the next row's filter byte.
|
|
|
4145 */
|
|
|
4146 memset(png_ptr->prev_row, 0, png_ptr->rowbytes + 1);
|
|
|
4147
|
|
|
4148 do
|
|
|
4149 {
|
|
|
4150 png_ptr->pass++;
|
|
|
4151
|
|
|
4152 if (png_ptr->pass >= 7)
|
|
|
4153 break;
|
|
|
4154
|
|
|
4155 png_ptr->iwidth = (png_ptr->width +
|
|
|
4156 png_pass_inc[png_ptr->pass] - 1 -
|
|
|
4157 png_pass_start[png_ptr->pass]) /
|
|
|
4158 png_pass_inc[png_ptr->pass];
|
|
|
4159
|
|
|
4160 if (!(png_ptr->transformations & PNG_INTERLACE))
|
|
|
4161 {
|
|
|
4162 png_ptr->num_rows = (png_ptr->height +
|
|
|
4163 png_pass_yinc[png_ptr->pass] - 1 -
|
|
|
4164 png_pass_ystart[png_ptr->pass]) /
|
|
|
4165 png_pass_yinc[png_ptr->pass];
|
|
|
4166 }
|
|
|
4167
|
|
|
4168 else /* if (png_ptr->transformations & PNG_INTERLACE) */
|
|
|
4169 break; /* libpng deinterlacing sees every row */
|
|
|
4170
|
|
|
4171 } while (png_ptr->num_rows == 0 || png_ptr->iwidth == 0);
|
|
|
4172
|
|
|
4173 if (png_ptr->pass < 7)
|
|
|
4174 return;
|
|
|
4175 }
|
|
|
4176 #endif /* PNG_READ_INTERLACING_SUPPORTED */
|
|
|
4177
|
|
|
4178 /* Here after at the end of the last row of the last pass. */
|
|
|
4179 png_read_finish_IDAT(png_ptr);
|
|
|
4180 }
|
|
|
4181 #endif /* PNG_SEQUENTIAL_READ_SUPPORTED */
|
|
|
4182
|
|
|
4183 void /* PRIVATE */
|
|
|
4184 png_read_start_row(png_structrp png_ptr)
|
|
|
4185 {
|
|
|
4186 #ifdef PNG_READ_INTERLACING_SUPPORTED
|
|
|
4187 /* Arrays to facilitate easy interlacing - use pass (0 - 6) as index */
|
|
|
4188
|
|
|
4189 /* Start of interlace block */
|
|
|
4190 static PNG_CONST png_byte png_pass_start[7] = {0, 4, 0, 2, 0, 1, 0};
|
|
|
4191
|
|
|
4192 /* Offset to next interlace block */
|
|
|
4193 static PNG_CONST png_byte png_pass_inc[7] = {8, 8, 4, 4, 2, 2, 1};
|
|
|
4194
|
|
|
4195 /* Start of interlace block in the y direction */
|
|
|
4196 static PNG_CONST png_byte png_pass_ystart[7] = {0, 0, 4, 0, 2, 0, 1};
|
|
|
4197
|
|
|
4198 /* Offset to next interlace block in the y direction */
|
|
|
4199 static PNG_CONST png_byte png_pass_yinc[7] = {8, 8, 8, 4, 4, 2, 2};
|
|
|
4200 #endif
|
|
|
4201
|
|
|
4202 int max_pixel_depth;
|
|
|
4203 png_size_t row_bytes;
|
|
|
4204
|
|
|
4205 png_debug(1, "in png_read_start_row");
|
|
|
4206
|
|
|
4207 #ifdef PNG_READ_TRANSFORMS_SUPPORTED
|
|
|
4208 png_init_read_transformations(png_ptr);
|
|
|
4209 #endif
|
|
|
4210 #ifdef PNG_READ_INTERLACING_SUPPORTED
|
|
|
4211 if (png_ptr->interlaced)
|
|
|
4212 {
|
|
|
4213 if (!(png_ptr->transformations & PNG_INTERLACE))
|
|
|
4214 png_ptr->num_rows = (png_ptr->height + png_pass_yinc[0] - 1 -
|
|
|
4215 png_pass_ystart[0]) / png_pass_yinc[0];
|
|
|
4216
|
|
|
4217 else
|
|
|
4218 png_ptr->num_rows = png_ptr->height;
|
|
|
4219
|
|
|
4220 png_ptr->iwidth = (png_ptr->width +
|
|
|
4221 png_pass_inc[png_ptr->pass] - 1 -
|
|
|
4222 png_pass_start[png_ptr->pass]) /
|
|
|
4223 png_pass_inc[png_ptr->pass];
|
|
|
4224 }
|
|
|
4225
|
|
|
4226 else
|
|
|
4227 #endif /* PNG_READ_INTERLACING_SUPPORTED */
|
|
|
4228 {
|
|
|
4229 png_ptr->num_rows = png_ptr->height;
|
|
|
4230 png_ptr->iwidth = png_ptr->width;
|
|
|
4231 }
|
|
|
4232
|
|
|
4233 max_pixel_depth = png_ptr->pixel_depth;
|
|
|
4234
|
|
|
4235 /* WARNING: * png_read_transform_info (pngrtran.c) performs a simpliar set of
|
|
|
4236 * calculations to calculate the final pixel depth, then
|
|
|
4237 * png_do_read_transforms actually does the transforms. This means that the
|
|
|
4238 * code which effectively calculates this value is actually repeated in three
|
|
|
4239 * separate places. They must all match. Innocent changes to the order of
|
|
|
4240 * transformations can and will break libpng in a way that causes memory
|
|
|
4241 * overwrites.
|
|
|
4242 *
|
|
|
4243 * TODO: fix this.
|
|
|
4244 */
|
|
|
4245 #ifdef PNG_READ_PACK_SUPPORTED
|
|
|
4246 if ((png_ptr->transformations & PNG_PACK) && png_ptr->bit_depth < 8)
|
|
|
4247 max_pixel_depth = 8;
|
|
|
4248 #endif
|
|
|
4249
|
|
|
4250 #ifdef PNG_READ_EXPAND_SUPPORTED
|
|
|
4251 if (png_ptr->transformations & PNG_EXPAND)
|
|
|
4252 {
|
|
|
4253 if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
|
|
|
4254 {
|
|
|
4255 if (png_ptr->num_trans)
|
|
|
4256 max_pixel_depth = 32;
|
|
|
4257
|
|
|
4258 else
|
|
|
4259 max_pixel_depth = 24;
|
|
|
4260 }
|
|
|
4261
|
|
|
4262 else if (png_ptr->color_type == PNG_COLOR_TYPE_GRAY)
|
|
|
4263 {
|
|
|
4264 if (max_pixel_depth < 8)
|
|
|
4265 max_pixel_depth = 8;
|
|
|
4266
|
|
|
4267 if (png_ptr->num_trans)
|
|
|
4268 max_pixel_depth *= 2;
|
|
|
4269 }
|
|
|
4270
|
|
|
4271 else if (png_ptr->color_type == PNG_COLOR_TYPE_RGB)
|
|
|
4272 {
|
|
|
4273 if (png_ptr->num_trans)
|
|
|
4274 {
|
|
|
4275 max_pixel_depth *= 4;
|
|
|
4276 max_pixel_depth /= 3;
|
|
|
4277 }
|
|
|
4278 }
|
|
|
4279 }
|
|
|
4280 #endif
|
|
|
4281
|
|
|
4282 #ifdef PNG_READ_EXPAND_16_SUPPORTED
|
|
|
4283 if (png_ptr->transformations & PNG_EXPAND_16)
|
|
|
4284 {
|
|
|
4285 # ifdef PNG_READ_EXPAND_SUPPORTED
|
|
|
4286 /* In fact it is an error if it isn't supported, but checking is
|
|
|
4287 * the safe way.
|
|
|
4288 */
|
|
|
4289 if (png_ptr->transformations & PNG_EXPAND)
|
|
|
4290 {
|
|
|
4291 if (png_ptr->bit_depth < 16)
|
|
|
4292 max_pixel_depth *= 2;
|
|
|
4293 }
|
|
|
4294 else
|
|
|
4295 # endif
|
|
|
4296 png_ptr->transformations &= ~PNG_EXPAND_16;
|
|
|
4297 }
|
|
|
4298 #endif
|
|
|
4299
|
|
|
4300 #ifdef PNG_READ_FILLER_SUPPORTED
|
|
|
4301 if (png_ptr->transformations & (PNG_FILLER))
|
|
|
4302 {
|
|
|
4303 if (png_ptr->color_type == PNG_COLOR_TYPE_GRAY)
|
|
|
4304 {
|
|
|
4305 if (max_pixel_depth <= 8)
|
|
|
4306 max_pixel_depth = 16;
|
|
|
4307
|
|
|
4308 else
|
|
|
4309 max_pixel_depth = 32;
|
|
|
4310 }
|
|
|
4311
|
|
|
4312 else if (png_ptr->color_type == PNG_COLOR_TYPE_RGB ||
|
|
|
4313 png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
|
|
|
4314 {
|
|
|
4315 if (max_pixel_depth <= 32)
|
|
|
4316 max_pixel_depth = 32;
|
|
|
4317
|
|
|
4318 else
|
|
|
4319 max_pixel_depth = 64;
|
|
|
4320 }
|
|
|
4321 }
|
|
|
4322 #endif
|
|
|
4323
|
|
|
4324 #ifdef PNG_READ_GRAY_TO_RGB_SUPPORTED
|
|
|
4325 if (png_ptr->transformations & PNG_GRAY_TO_RGB)
|
|
|
4326 {
|
|
|
4327 if (
|
|
|
4328 #ifdef PNG_READ_EXPAND_SUPPORTED
|
|
|
4329 (png_ptr->num_trans && (png_ptr->transformations & PNG_EXPAND)) ||
|
|
|
4330 #endif
|
|
|
4331 #ifdef PNG_READ_FILLER_SUPPORTED
|
|
|
4332 (png_ptr->transformations & (PNG_FILLER)) ||
|
|
|
4333 #endif
|
|
|
4334 png_ptr->color_type == PNG_COLOR_TYPE_GRAY_ALPHA)
|
|
|
4335 {
|
|
|
4336 if (max_pixel_depth <= 16)
|
|
|
4337 max_pixel_depth = 32;
|
|
|
4338
|
|
|
4339 else
|
|
|
4340 max_pixel_depth = 64;
|
|
|
4341 }
|
|
|
4342
|
|
|
4343 else
|
|
|
4344 {
|
|
|
4345 if (max_pixel_depth <= 8)
|
|
|
4346 {
|
|
|
4347 if (png_ptr->color_type == PNG_COLOR_TYPE_RGB_ALPHA)
|
|
|
4348 max_pixel_depth = 32;
|
|
|
4349
|
|
|
4350 else
|
|
|
4351 max_pixel_depth = 24;
|
|
|
4352 }
|
|
|
4353
|
|
|
4354 else if (png_ptr->color_type == PNG_COLOR_TYPE_RGB_ALPHA)
|
|
|
4355 max_pixel_depth = 64;
|
|
|
4356
|
|
|
4357 else
|
|
|
4358 max_pixel_depth = 48;
|
|
|
4359 }
|
|
|
4360 }
|
|
|
4361 #endif
|
|
|
4362
|
|
|
4363 #if defined(PNG_READ_USER_TRANSFORM_SUPPORTED) && \
|
|
|
4364 defined(PNG_USER_TRANSFORM_PTR_SUPPORTED)
|
|
|
4365 if (png_ptr->transformations & PNG_USER_TRANSFORM)
|
|
|
4366 {
|
|
|
4367 int user_pixel_depth = png_ptr->user_transform_depth *
|
|
|
4368 png_ptr->user_transform_channels;
|
|
|
4369
|
|
|
4370 if (user_pixel_depth > max_pixel_depth)
|
|
|
4371 max_pixel_depth = user_pixel_depth;
|
|
|
4372 }
|
|
|
4373 #endif
|
|
|
4374
|
|
|
4375 /* This value is stored in png_struct and double checked in the row read
|
|
|
4376 * code.
|
|
|
4377 */
|
|
|
4378 png_ptr->maximum_pixel_depth = (png_byte)max_pixel_depth;
|
|
|
4379 png_ptr->transformed_pixel_depth = 0; /* calculated on demand */
|
|
|
4380
|
|
|
4381 /* Align the width on the next larger 8 pixels. Mainly used
|
|
|
4382 * for interlacing
|
|
|
4383 */
|
|
|
4384 row_bytes = ((png_ptr->width + 7) & ~((png_uint_32)7));
|
|
|
4385 /* Calculate the maximum bytes needed, adding a byte and a pixel
|
|
|
4386 * for safety's sake
|
|
|
4387 */
|
|
|
4388 row_bytes = PNG_ROWBYTES(max_pixel_depth, row_bytes) +
|
|
|
4389 1 + ((max_pixel_depth + 7) >> 3);
|
|
|
4390
|
|
|
4391 #ifdef PNG_MAX_MALLOC_64K
|
|
|
4392 if (row_bytes > (png_uint_32)65536L)
|
|
|
4393 png_error(png_ptr, "This image requires a row greater than 64KB");
|
|
|
4394 #endif
|
|
|
4395
|
|
|
4396 if (row_bytes + 48 > png_ptr->old_big_row_buf_size)
|
|
|
4397 {
|
|
|
4398 png_free(png_ptr, png_ptr->big_row_buf);
|
|
|
4399 png_free(png_ptr, png_ptr->big_prev_row);
|
|
|
4400
|
|
|
4401 if (png_ptr->interlaced)
|
|
|
4402 png_ptr->big_row_buf = (png_bytep)png_calloc(png_ptr,
|
|
|
4403 row_bytes + 48);
|
|
|
4404
|
|
|
4405 else
|
|
|
4406 png_ptr->big_row_buf = (png_bytep)png_malloc(png_ptr, row_bytes + 48);
|
|
|
4407
|
|
|
4408 png_ptr->big_prev_row = (png_bytep)png_malloc(png_ptr, row_bytes + 48);
|
|
|
4409
|
|
|
4410 #ifdef PNG_ALIGNED_MEMORY_SUPPORTED
|
|
|
4411 /* Use 16-byte aligned memory for row_buf with at least 16 bytes
|
|
|
4412 * of padding before and after row_buf; treat prev_row similarly.
|
|
|
4413 * NOTE: the alignment is to the start of the pixels, one beyond the start
|
|
|
4414 * of the buffer, because of the filter byte. Prior to libpng 1.5.6 this
|
|
|
4415 * was incorrect; the filter byte was aligned, which had the exact
|
|
|
4416 * opposite effect of that intended.
|
|
|
4417 */
|
|
|
4418 {
|
|
|
4419 png_bytep temp = png_ptr->big_row_buf + 32;
|
|
|
4420 int extra = (int)((temp - (png_bytep)0) & 0x0f);
|
|
|
4421 png_ptr->row_buf = temp - extra - 1/*filter byte*/;
|
|
|
4422
|
|
|
4423 temp = png_ptr->big_prev_row + 32;
|
|
|
4424 extra = (int)((temp - (png_bytep)0) & 0x0f);
|
|
|
4425 png_ptr->prev_row = temp - extra - 1/*filter byte*/;
|
|
|
4426 }
|
|
|
4427
|
|
|
4428 #else
|
|
|
4429 /* Use 31 bytes of padding before and 17 bytes after row_buf. */
|
|
|
4430 png_ptr->row_buf = png_ptr->big_row_buf + 31;
|
|
|
4431 png_ptr->prev_row = png_ptr->big_prev_row + 31;
|
|
|
4432 #endif
|
|
|
4433 png_ptr->old_big_row_buf_size = row_bytes + 48;
|
|
|
4434 }
|
|
|
4435
|
|
|
4436 #ifdef PNG_MAX_MALLOC_64K
|
|
|
4437 if (png_ptr->rowbytes > 65535)
|
|
|
4438 png_error(png_ptr, "This image requires a row greater than 64KB");
|
|
|
4439
|
|
|
4440 #endif
|
|
|
4441 if (png_ptr->rowbytes > (PNG_SIZE_MAX - 1))
|
|
|
4442 png_error(png_ptr, "Row has too many bytes to allocate in memory");
|
|
|
4443
|
|
|
4444 memset(png_ptr->prev_row, 0, png_ptr->rowbytes + 1);
|
|
|
4445
|
|
|
4446 png_debug1(3, "width = %u,", png_ptr->width);
|
|
|
4447 png_debug1(3, "height = %u,", png_ptr->height);
|
|
|
4448 png_debug1(3, "iwidth = %u,", png_ptr->iwidth);
|
|
|
4449 png_debug1(3, "num_rows = %u,", png_ptr->num_rows);
|
|
|
4450 png_debug1(3, "rowbytes = %lu,", (unsigned long)png_ptr->rowbytes);
|
|
|
4451 png_debug1(3, "irowbytes = %lu",
|
|
|
4452 (unsigned long)PNG_ROWBYTES(png_ptr->pixel_depth, png_ptr->iwidth) + 1);
|
|
|
4453
|
|
|
4454 /* The sequential reader needs a buffer for IDAT, but the progressive reader
|
|
|
4455 * does not, so free the read buffer now regardless; the sequential reader
|
|
|
4456 * reallocates it on demand.
|
|
|
4457 */
|
|
|
4458 if (png_ptr->read_buffer)
|
|
|
4459 {
|
|
|
4460 png_bytep buffer = png_ptr->read_buffer;
|
|
|
4461
|
|
|
4462 png_ptr->read_buffer_size = 0;
|
|
|
4463 png_ptr->read_buffer = NULL;
|
|
|
4464 png_free(png_ptr, buffer);
|
|
|
4465 }
|
|
|
4466
|
|
|
4467 /* Finally claim the zstream for the inflate of the IDAT data, use the bits
|
|
|
4468 * value from the stream (note that this will result in a fatal error if the
|
|
|
4469 * IDAT stream has a bogus deflate header window_bits value, but this should
|
|
|
4470 * not be happening any longer!)
|
|
|
4471 */
|
|
|
4472 if (png_inflate_claim(png_ptr, png_IDAT) != Z_OK)
|
|
|
4473 png_error(png_ptr, png_ptr->zstream.msg);
|
|
|
4474
|
|
|
4475 png_ptr->flags |= PNG_FLAG_ROW_INIT;
|
|
|
4476 }
|
|
|
4477 #endif /* PNG_READ_SUPPORTED */
|
