/src/FreeImage/Source/LibPNG/pngrutil.c

https://bitbucket.org/cabalistic/ogredeps/ · C · 4158 lines · 2951 code · 708 blank · 499 comment · 671 complexity · cc8c2e9fc3841b17fc2925daebc2cb4f MD5 · raw file

Large files are truncated click here to view the full file

  1. /* pngrutil.c - utilities to read a PNG file
  2. *
  3. * Last changed in libpng 1.5.9 [February 18, 2012]
  4. * Copyright (c) 1998-2012 Glenn Randers-Pehrson
  5. * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
  6. * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
  7. *
  8. * This code is released under the libpng license.
  9. * For conditions of distribution and use, see the disclaimer
  10. * and license in png.h
  11. *
  12. * This file contains routines that are only called from within
  13. * libpng itself during the course of reading an image.
  14. */
  15. #include "pngpriv.h"
  16. #ifdef PNG_READ_SUPPORTED
  17. #define png_strtod(p,a,b) strtod(a,b)
  18. png_uint_32 PNGAPI
  19. png_get_uint_31(png_structp png_ptr, png_const_bytep buf)
  20. {
  21. png_uint_32 uval = png_get_uint_32(buf);
  22. if (uval > PNG_UINT_31_MAX)
  23. png_error(png_ptr, "PNG unsigned integer out of range");
  24. return (uval);
  25. }
  26. #if defined(PNG_READ_gAMA_SUPPORTED) || defined(PNG_READ_cHRM_SUPPORTED)
  27. /* The following is a variation on the above for use with the fixed
  28. * point values used for gAMA and cHRM. Instead of png_error it
  29. * issues a warning and returns (-1) - an invalid value because both
  30. * gAMA and cHRM use *unsigned* integers for fixed point values.
  31. */
  32. #define PNG_FIXED_ERROR (-1)
  33. static png_fixed_point /* PRIVATE */
  34. png_get_fixed_point(png_structp png_ptr, png_const_bytep buf)
  35. {
  36. png_uint_32 uval = png_get_uint_32(buf);
  37. if (uval <= PNG_UINT_31_MAX)
  38. return (png_fixed_point)uval; /* known to be in range */
  39. /* The caller can turn off the warning by passing NULL. */
  40. if (png_ptr != NULL)
  41. png_warning(png_ptr, "PNG fixed point integer out of range");
  42. return PNG_FIXED_ERROR;
  43. }
  44. #endif
  45. #ifdef PNG_READ_INT_FUNCTIONS_SUPPORTED
  46. /* NOTE: the read macros will obscure these definitions, so that if
  47. * PNG_USE_READ_MACROS is set the library will not use them internally,
  48. * but the APIs will still be available externally.
  49. *
  50. * The parentheses around "PNGAPI function_name" in the following three
  51. * functions are necessary because they allow the macros to co-exist with
  52. * these (unused but exported) functions.
  53. */
  54. /* Grab an unsigned 32-bit integer from a buffer in big-endian format. */
  55. png_uint_32 (PNGAPI
  56. png_get_uint_32)(png_const_bytep buf)
  57. {
  58. png_uint_32 uval =
  59. ((png_uint_32)(*(buf )) << 24) +
  60. ((png_uint_32)(*(buf + 1)) << 16) +
  61. ((png_uint_32)(*(buf + 2)) << 8) +
  62. ((png_uint_32)(*(buf + 3)) ) ;
  63. return uval;
  64. }
  65. /* Grab a signed 32-bit integer from a buffer in big-endian format. The
  66. * data is stored in the PNG file in two's complement format and there
  67. * is no guarantee that a 'png_int_32' is exactly 32 bits, therefore
  68. * the following code does a two's complement to native conversion.
  69. */
  70. png_int_32 (PNGAPI
  71. png_get_int_32)(png_const_bytep buf)
  72. {
  73. png_uint_32 uval = png_get_uint_32(buf);
  74. if ((uval & 0x80000000) == 0) /* non-negative */
  75. return uval;
  76. uval = (uval ^ 0xffffffff) + 1; /* 2's complement: -x = ~x+1 */
  77. return -(png_int_32)uval;
  78. }
  79. /* Grab an unsigned 16-bit integer from a buffer in big-endian format. */
  80. png_uint_16 (PNGAPI
  81. png_get_uint_16)(png_const_bytep buf)
  82. {
  83. /* ANSI-C requires an int value to accomodate at least 16 bits so this
  84. * works and allows the compiler not to worry about possible narrowing
  85. * on 32 bit systems. (Pre-ANSI systems did not make integers smaller
  86. * than 16 bits either.)
  87. */
  88. unsigned int val =
  89. ((unsigned int)(*buf) << 8) +
  90. ((unsigned int)(*(buf + 1)));
  91. return (png_uint_16)val;
  92. }
  93. #endif /* PNG_READ_INT_FUNCTIONS_SUPPORTED */
  94. /* Read and check the PNG file signature */
  95. void /* PRIVATE */
  96. png_read_sig(png_structp png_ptr, png_infop info_ptr)
  97. {
  98. png_size_t num_checked, num_to_check;
  99. /* Exit if the user application does not expect a signature. */
  100. if (png_ptr->sig_bytes >= 8)
  101. return;
  102. num_checked = png_ptr->sig_bytes;
  103. num_to_check = 8 - num_checked;
  104. #ifdef PNG_IO_STATE_SUPPORTED
  105. png_ptr->io_state = PNG_IO_READING | PNG_IO_SIGNATURE;
  106. #endif
  107. /* The signature must be serialized in a single I/O call. */
  108. png_read_data(png_ptr, &(info_ptr->signature[num_checked]), num_to_check);
  109. png_ptr->sig_bytes = 8;
  110. if (png_sig_cmp(info_ptr->signature, num_checked, num_to_check))
  111. {
  112. if (num_checked < 4 &&
  113. png_sig_cmp(info_ptr->signature, num_checked, num_to_check - 4))
  114. png_error(png_ptr, "Not a PNG file");
  115. else
  116. png_error(png_ptr, "PNG file corrupted by ASCII conversion");
  117. }
  118. if (num_checked < 3)
  119. png_ptr->mode |= PNG_HAVE_PNG_SIGNATURE;
  120. }
  121. /* Read the chunk header (length + type name).
  122. * Put the type name into png_ptr->chunk_name, and return the length.
  123. */
  124. png_uint_32 /* PRIVATE */
  125. png_read_chunk_header(png_structp png_ptr)
  126. {
  127. png_byte buf[8];
  128. png_uint_32 length;
  129. #ifdef PNG_IO_STATE_SUPPORTED
  130. png_ptr->io_state = PNG_IO_READING | PNG_IO_CHUNK_HDR;
  131. #endif
  132. /* Read the length and the chunk name.
  133. * This must be performed in a single I/O call.
  134. */
  135. png_read_data(png_ptr, buf, 8);
  136. length = png_get_uint_31(png_ptr, buf);
  137. /* Put the chunk name into png_ptr->chunk_name. */
  138. png_ptr->chunk_name = PNG_CHUNK_FROM_STRING(buf+4);
  139. png_debug2(0, "Reading %lx chunk, length = %lu",
  140. (unsigned long)png_ptr->chunk_name, (unsigned long)length);
  141. /* Reset the crc and run it over the chunk name. */
  142. png_reset_crc(png_ptr);
  143. png_calculate_crc(png_ptr, buf + 4, 4);
  144. /* Check to see if chunk name is valid. */
  145. png_check_chunk_name(png_ptr, png_ptr->chunk_name);
  146. #ifdef PNG_IO_STATE_SUPPORTED
  147. png_ptr->io_state = PNG_IO_READING | PNG_IO_CHUNK_DATA;
  148. #endif
  149. return length;
  150. }
  151. /* Read data, and (optionally) run it through the CRC. */
  152. void /* PRIVATE */
  153. png_crc_read(png_structp png_ptr, png_bytep buf, png_size_t length)
  154. {
  155. if (png_ptr == NULL)
  156. return;
  157. png_read_data(png_ptr, buf, length);
  158. png_calculate_crc(png_ptr, buf, length);
  159. }
  160. /* Optionally skip data and then check the CRC. Depending on whether we
  161. * are reading a ancillary or critical chunk, and how the program has set
  162. * things up, we may calculate the CRC on the data and print a message.
  163. * Returns '1' if there was a CRC error, '0' otherwise.
  164. */
  165. int /* PRIVATE */
  166. png_crc_finish(png_structp png_ptr, png_uint_32 skip)
  167. {
  168. png_size_t i;
  169. png_size_t istop = png_ptr->zbuf_size;
  170. for (i = (png_size_t)skip; i > istop; i -= istop)
  171. {
  172. png_crc_read(png_ptr, png_ptr->zbuf, png_ptr->zbuf_size);
  173. }
  174. if (i)
  175. {
  176. png_crc_read(png_ptr, png_ptr->zbuf, i);
  177. }
  178. if (png_crc_error(png_ptr))
  179. {
  180. if (PNG_CHUNK_ANCILLIARY(png_ptr->chunk_name) ?
  181. !(png_ptr->flags & PNG_FLAG_CRC_ANCILLARY_NOWARN) :
  182. (png_ptr->flags & PNG_FLAG_CRC_CRITICAL_USE))
  183. {
  184. png_chunk_warning(png_ptr, "CRC error");
  185. }
  186. else
  187. {
  188. png_chunk_benign_error(png_ptr, "CRC error");
  189. return (0);
  190. }
  191. return (1);
  192. }
  193. return (0);
  194. }
  195. /* Compare the CRC stored in the PNG file with that calculated by libpng from
  196. * the data it has read thus far.
  197. */
  198. int /* PRIVATE */
  199. png_crc_error(png_structp png_ptr)
  200. {
  201. png_byte crc_bytes[4];
  202. png_uint_32 crc;
  203. int need_crc = 1;
  204. if (PNG_CHUNK_ANCILLIARY(png_ptr->chunk_name))
  205. {
  206. if ((png_ptr->flags & PNG_FLAG_CRC_ANCILLARY_MASK) ==
  207. (PNG_FLAG_CRC_ANCILLARY_USE | PNG_FLAG_CRC_ANCILLARY_NOWARN))
  208. need_crc = 0;
  209. }
  210. else /* critical */
  211. {
  212. if (png_ptr->flags & PNG_FLAG_CRC_CRITICAL_IGNORE)
  213. need_crc = 0;
  214. }
  215. #ifdef PNG_IO_STATE_SUPPORTED
  216. png_ptr->io_state = PNG_IO_READING | PNG_IO_CHUNK_CRC;
  217. #endif
  218. /* The chunk CRC must be serialized in a single I/O call. */
  219. png_read_data(png_ptr, crc_bytes, 4);
  220. if (need_crc)
  221. {
  222. crc = png_get_uint_32(crc_bytes);
  223. return ((int)(crc != png_ptr->crc));
  224. }
  225. else
  226. return (0);
  227. }
  228. #ifdef PNG_READ_COMPRESSED_TEXT_SUPPORTED
  229. static png_size_t
  230. png_inflate(png_structp png_ptr, png_bytep data, png_size_t size,
  231. png_bytep output, png_size_t output_size)
  232. {
  233. png_size_t count = 0;
  234. /* zlib can't necessarily handle more than 65535 bytes at once (i.e. it can't
  235. * even necessarily handle 65536 bytes) because the type uInt is "16 bits or
  236. * more". Consequently it is necessary to chunk the input to zlib. This
  237. * code uses ZLIB_IO_MAX, from pngpriv.h, as the maximum (the maximum value
  238. * that can be stored in a uInt.) It is possible to set ZLIB_IO_MAX to a
  239. * lower value in pngpriv.h and this may sometimes have a performance
  240. * advantage, because it forces access of the input data to be separated from
  241. * at least some of the use by some period of time.
  242. */
  243. png_ptr->zstream.next_in = data;
  244. /* avail_in is set below from 'size' */
  245. png_ptr->zstream.avail_in = 0;
  246. while (1)
  247. {
  248. int ret, avail;
  249. /* The setting of 'avail_in' used to be outside the loop; by setting it
  250. * inside it is possible to chunk the input to zlib and simply rely on
  251. * zlib to advance the 'next_in' pointer. This allows arbitrary amounts o
  252. * data to be passed through zlib at the unavoidable cost of requiring a
  253. * window save (memcpy of up to 32768 output bytes) every ZLIB_IO_MAX
  254. * input bytes.
  255. */
  256. if (png_ptr->zstream.avail_in == 0 && size > 0)
  257. {
  258. if (size <= ZLIB_IO_MAX)
  259. {
  260. /* The value is less than ZLIB_IO_MAX so the cast is safe: */
  261. png_ptr->zstream.avail_in = (uInt)size;
  262. size = 0;
  263. }
  264. else
  265. {
  266. png_ptr->zstream.avail_in = ZLIB_IO_MAX;
  267. size -= ZLIB_IO_MAX;
  268. }
  269. }
  270. /* Reset the output buffer each time round - we empty it
  271. * after every inflate call.
  272. */
  273. png_ptr->zstream.next_out = png_ptr->zbuf;
  274. png_ptr->zstream.avail_out = png_ptr->zbuf_size;
  275. ret = inflate(&png_ptr->zstream, Z_NO_FLUSH);
  276. avail = png_ptr->zbuf_size - png_ptr->zstream.avail_out;
  277. /* First copy/count any new output - but only if we didn't
  278. * get an error code.
  279. */
  280. if ((ret == Z_OK || ret == Z_STREAM_END) && avail > 0)
  281. {
  282. png_size_t space = avail; /* > 0, see above */
  283. if (output != 0 && output_size > count)
  284. {
  285. png_size_t copy = output_size - count;
  286. if (space < copy)
  287. copy = space;
  288. png_memcpy(output + count, png_ptr->zbuf, copy);
  289. }
  290. count += space;
  291. }
  292. if (ret == Z_OK)
  293. continue;
  294. /* Termination conditions - always reset the zstream, it
  295. * must be left in inflateInit state.
  296. */
  297. png_ptr->zstream.avail_in = 0;
  298. inflateReset(&png_ptr->zstream);
  299. if (ret == Z_STREAM_END)
  300. return count; /* NOTE: may be zero. */
  301. /* Now handle the error codes - the API always returns 0
  302. * and the error message is dumped into the uncompressed
  303. * buffer if available.
  304. */
  305. # ifdef PNG_WARNINGS_SUPPORTED
  306. {
  307. png_const_charp msg;
  308. if (png_ptr->zstream.msg != 0)
  309. msg = png_ptr->zstream.msg;
  310. else switch (ret)
  311. {
  312. case Z_BUF_ERROR:
  313. msg = "Buffer error in compressed datastream";
  314. break;
  315. case Z_DATA_ERROR:
  316. msg = "Data error in compressed datastream";
  317. break;
  318. default:
  319. msg = "Incomplete compressed datastream";
  320. break;
  321. }
  322. png_chunk_warning(png_ptr, msg);
  323. }
  324. # endif
  325. /* 0 means an error - notice that this code simply ignores
  326. * zero length compressed chunks as a result.
  327. */
  328. return 0;
  329. }
  330. }
  331. /*
  332. * Decompress trailing data in a chunk. The assumption is that chunkdata
  333. * points at an allocated area holding the contents of a chunk with a
  334. * trailing compressed part. What we get back is an allocated area
  335. * holding the original prefix part and an uncompressed version of the
  336. * trailing part (the malloc area passed in is freed).
  337. */
  338. void /* PRIVATE */
  339. png_decompress_chunk(png_structp png_ptr, int comp_type,
  340. png_size_t chunklength,
  341. png_size_t prefix_size, png_size_t *newlength)
  342. {
  343. /* The caller should guarantee this */
  344. if (prefix_size > chunklength)
  345. {
  346. /* The recovery is to delete the chunk. */
  347. png_warning(png_ptr, "invalid chunklength");
  348. prefix_size = 0; /* To delete everything */
  349. }
  350. else if (comp_type == PNG_COMPRESSION_TYPE_BASE)
  351. {
  352. png_size_t expanded_size = png_inflate(png_ptr,
  353. (png_bytep)(png_ptr->chunkdata + prefix_size),
  354. chunklength - prefix_size,
  355. 0, /* output */
  356. 0); /* output size */
  357. /* Now check the limits on this chunk - if the limit fails the
  358. * compressed data will be removed, the prefix will remain.
  359. */
  360. if (prefix_size >= (~(png_size_t)0) - 1 ||
  361. expanded_size >= (~(png_size_t)0) - 1 - prefix_size
  362. #ifdef PNG_SET_CHUNK_MALLOC_LIMIT_SUPPORTED
  363. || (png_ptr->user_chunk_malloc_max &&
  364. (prefix_size + expanded_size >= png_ptr->user_chunk_malloc_max - 1))
  365. #else
  366. # ifdef PNG_USER_CHUNK_MALLOC_MAX
  367. || ((PNG_USER_CHUNK_MALLOC_MAX > 0) &&
  368. prefix_size + expanded_size >= PNG_USER_CHUNK_MALLOC_MAX - 1)
  369. # endif
  370. #endif
  371. )
  372. png_warning(png_ptr, "Exceeded size limit while expanding chunk");
  373. /* If the size is zero either there was an error and a message
  374. * has already been output (warning) or the size really is zero
  375. * and we have nothing to do - the code will exit through the
  376. * error case below.
  377. */
  378. else if (expanded_size > 0)
  379. {
  380. /* Success (maybe) - really uncompress the chunk. */
  381. png_size_t new_size = 0;
  382. png_charp text = (png_charp)png_malloc_warn(png_ptr,
  383. prefix_size + expanded_size + 1);
  384. if (text != NULL)
  385. {
  386. png_memcpy(text, png_ptr->chunkdata, prefix_size);
  387. new_size = png_inflate(png_ptr,
  388. (png_bytep)(png_ptr->chunkdata + prefix_size),
  389. chunklength - prefix_size,
  390. (png_bytep)(text + prefix_size), expanded_size);
  391. text[prefix_size + expanded_size] = 0; /* just in case */
  392. if (new_size == expanded_size)
  393. {
  394. png_free(png_ptr, png_ptr->chunkdata);
  395. png_ptr->chunkdata = text;
  396. *newlength = prefix_size + expanded_size;
  397. return; /* The success return! */
  398. }
  399. png_warning(png_ptr, "png_inflate logic error");
  400. png_free(png_ptr, text);
  401. }
  402. else
  403. png_warning(png_ptr, "Not enough memory to decompress chunk");
  404. }
  405. }
  406. else /* if (comp_type != PNG_COMPRESSION_TYPE_BASE) */
  407. {
  408. PNG_WARNING_PARAMETERS(p)
  409. png_warning_parameter_signed(p, 1, PNG_NUMBER_FORMAT_d, comp_type);
  410. png_formatted_warning(png_ptr, p, "Unknown compression type @1");
  411. /* The recovery is to simply drop the data. */
  412. }
  413. /* Generic error return - leave the prefix, delete the compressed
  414. * data, reallocate the chunkdata to remove the potentially large
  415. * amount of compressed data.
  416. */
  417. {
  418. png_charp text = (png_charp)png_malloc_warn(png_ptr, prefix_size + 1);
  419. if (text != NULL)
  420. {
  421. if (prefix_size > 0)
  422. png_memcpy(text, png_ptr->chunkdata, prefix_size);
  423. png_free(png_ptr, png_ptr->chunkdata);
  424. png_ptr->chunkdata = text;
  425. /* This is an extra zero in the 'uncompressed' part. */
  426. *(png_ptr->chunkdata + prefix_size) = 0x00;
  427. }
  428. /* Ignore a malloc error here - it is safe. */
  429. }
  430. *newlength = prefix_size;
  431. }
  432. #endif /* PNG_READ_COMPRESSED_TEXT_SUPPORTED */
  433. /* Read and check the IDHR chunk */
  434. void /* PRIVATE */
  435. png_handle_IHDR(png_structp png_ptr, png_infop info_ptr, png_uint_32 length)
  436. {
  437. png_byte buf[13];
  438. png_uint_32 width, height;
  439. int bit_depth, color_type, compression_type, filter_type;
  440. int interlace_type;
  441. png_debug(1, "in png_handle_IHDR");
  442. if (png_ptr->mode & PNG_HAVE_IHDR)
  443. png_error(png_ptr, "Out of place IHDR");
  444. /* Check the length */
  445. if (length != 13)
  446. png_error(png_ptr, "Invalid IHDR chunk");
  447. png_ptr->mode |= PNG_HAVE_IHDR;
  448. png_crc_read(png_ptr, buf, 13);
  449. png_crc_finish(png_ptr, 0);
  450. width = png_get_uint_31(png_ptr, buf);
  451. height = png_get_uint_31(png_ptr, buf + 4);
  452. bit_depth = buf[8];
  453. color_type = buf[9];
  454. compression_type = buf[10];
  455. filter_type = buf[11];
  456. interlace_type = buf[12];
  457. /* Set internal variables */
  458. png_ptr->width = width;
  459. png_ptr->height = height;
  460. png_ptr->bit_depth = (png_byte)bit_depth;
  461. png_ptr->interlaced = (png_byte)interlace_type;
  462. png_ptr->color_type = (png_byte)color_type;
  463. #ifdef PNG_MNG_FEATURES_SUPPORTED
  464. png_ptr->filter_type = (png_byte)filter_type;
  465. #endif
  466. png_ptr->compression_type = (png_byte)compression_type;
  467. /* Find number of channels */
  468. switch (png_ptr->color_type)
  469. {
  470. default: /* invalid, png_set_IHDR calls png_error */
  471. case PNG_COLOR_TYPE_GRAY:
  472. case PNG_COLOR_TYPE_PALETTE:
  473. png_ptr->channels = 1;
  474. break;
  475. case PNG_COLOR_TYPE_RGB:
  476. png_ptr->channels = 3;
  477. break;
  478. case PNG_COLOR_TYPE_GRAY_ALPHA:
  479. png_ptr->channels = 2;
  480. break;
  481. case PNG_COLOR_TYPE_RGB_ALPHA:
  482. png_ptr->channels = 4;
  483. break;
  484. }
  485. /* Set up other useful info */
  486. png_ptr->pixel_depth = (png_byte)(png_ptr->bit_depth *
  487. png_ptr->channels);
  488. png_ptr->rowbytes = PNG_ROWBYTES(png_ptr->pixel_depth, png_ptr->width);
  489. png_debug1(3, "bit_depth = %d", png_ptr->bit_depth);
  490. png_debug1(3, "channels = %d", png_ptr->channels);
  491. png_debug1(3, "rowbytes = %lu", (unsigned long)png_ptr->rowbytes);
  492. png_set_IHDR(png_ptr, info_ptr, width, height, bit_depth,
  493. color_type, interlace_type, compression_type, filter_type);
  494. }
  495. /* Read and check the palette */
  496. void /* PRIVATE */
  497. png_handle_PLTE(png_structp png_ptr, png_infop info_ptr, png_uint_32 length)
  498. {
  499. png_color palette[PNG_MAX_PALETTE_LENGTH];
  500. int num, i;
  501. #ifdef PNG_POINTER_INDEXING_SUPPORTED
  502. png_colorp pal_ptr;
  503. #endif
  504. png_debug(1, "in png_handle_PLTE");
  505. if (!(png_ptr->mode & PNG_HAVE_IHDR))
  506. png_error(png_ptr, "Missing IHDR before PLTE");
  507. else if (png_ptr->mode & PNG_HAVE_IDAT)
  508. {
  509. png_warning(png_ptr, "Invalid PLTE after IDAT");
  510. png_crc_finish(png_ptr, length);
  511. return;
  512. }
  513. else if (png_ptr->mode & PNG_HAVE_PLTE)
  514. png_error(png_ptr, "Duplicate PLTE chunk");
  515. png_ptr->mode |= PNG_HAVE_PLTE;
  516. if (!(png_ptr->color_type&PNG_COLOR_MASK_COLOR))
  517. {
  518. png_warning(png_ptr,
  519. "Ignoring PLTE chunk in grayscale PNG");
  520. png_crc_finish(png_ptr, length);
  521. return;
  522. }
  523. #ifndef PNG_READ_OPT_PLTE_SUPPORTED
  524. if (png_ptr->color_type != PNG_COLOR_TYPE_PALETTE)
  525. {
  526. png_crc_finish(png_ptr, length);
  527. return;
  528. }
  529. #endif
  530. if (length > 3*PNG_MAX_PALETTE_LENGTH || length % 3)
  531. {
  532. if (png_ptr->color_type != PNG_COLOR_TYPE_PALETTE)
  533. {
  534. png_warning(png_ptr, "Invalid palette chunk");
  535. png_crc_finish(png_ptr, length);
  536. return;
  537. }
  538. else
  539. {
  540. png_error(png_ptr, "Invalid palette chunk");
  541. }
  542. }
  543. num = (int)length / 3;
  544. #ifdef PNG_POINTER_INDEXING_SUPPORTED
  545. for (i = 0, pal_ptr = palette; i < num; i++, pal_ptr++)
  546. {
  547. png_byte buf[3];
  548. png_crc_read(png_ptr, buf, 3);
  549. pal_ptr->red = buf[0];
  550. pal_ptr->green = buf[1];
  551. pal_ptr->blue = buf[2];
  552. }
  553. #else
  554. for (i = 0; i < num; i++)
  555. {
  556. png_byte buf[3];
  557. png_crc_read(png_ptr, buf, 3);
  558. /* Don't depend upon png_color being any order */
  559. palette[i].red = buf[0];
  560. palette[i].green = buf[1];
  561. palette[i].blue = buf[2];
  562. }
  563. #endif
  564. /* If we actually need the PLTE chunk (ie for a paletted image), we do
  565. * whatever the normal CRC configuration tells us. However, if we
  566. * have an RGB image, the PLTE can be considered ancillary, so
  567. * we will act as though it is.
  568. */
  569. #ifndef PNG_READ_OPT_PLTE_SUPPORTED
  570. if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
  571. #endif
  572. {
  573. png_crc_finish(png_ptr, 0);
  574. }
  575. #ifndef PNG_READ_OPT_PLTE_SUPPORTED
  576. else if (png_crc_error(png_ptr)) /* Only if we have a CRC error */
  577. {
  578. /* If we don't want to use the data from an ancillary chunk,
  579. * we have two options: an error abort, or a warning and we
  580. * ignore the data in this chunk (which should be OK, since
  581. * it's considered ancillary for a RGB or RGBA image).
  582. */
  583. if (!(png_ptr->flags & PNG_FLAG_CRC_ANCILLARY_USE))
  584. {
  585. if (png_ptr->flags & PNG_FLAG_CRC_ANCILLARY_NOWARN)
  586. {
  587. png_chunk_benign_error(png_ptr, "CRC error");
  588. }
  589. else
  590. {
  591. png_chunk_warning(png_ptr, "CRC error");
  592. return;
  593. }
  594. }
  595. /* Otherwise, we (optionally) emit a warning and use the chunk. */
  596. else if (!(png_ptr->flags & PNG_FLAG_CRC_ANCILLARY_NOWARN))
  597. {
  598. png_chunk_warning(png_ptr, "CRC error");
  599. }
  600. }
  601. #endif
  602. png_set_PLTE(png_ptr, info_ptr, palette, num);
  603. #ifdef PNG_READ_tRNS_SUPPORTED
  604. if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
  605. {
  606. if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_tRNS))
  607. {
  608. if (png_ptr->num_trans > (png_uint_16)num)
  609. {
  610. png_warning(png_ptr, "Truncating incorrect tRNS chunk length");
  611. png_ptr->num_trans = (png_uint_16)num;
  612. }
  613. if (info_ptr->num_trans > (png_uint_16)num)
  614. {
  615. png_warning(png_ptr, "Truncating incorrect info tRNS chunk length");
  616. info_ptr->num_trans = (png_uint_16)num;
  617. }
  618. }
  619. }
  620. #endif
  621. }
  622. void /* PRIVATE */
  623. png_handle_IEND(png_structp png_ptr, png_infop info_ptr, png_uint_32 length)
  624. {
  625. png_debug(1, "in png_handle_IEND");
  626. if (!(png_ptr->mode & PNG_HAVE_IHDR) || !(png_ptr->mode & PNG_HAVE_IDAT))
  627. {
  628. png_error(png_ptr, "No image in file");
  629. }
  630. png_ptr->mode |= (PNG_AFTER_IDAT | PNG_HAVE_IEND);
  631. if (length != 0)
  632. {
  633. png_warning(png_ptr, "Incorrect IEND chunk length");
  634. }
  635. png_crc_finish(png_ptr, length);
  636. PNG_UNUSED(info_ptr) /* Quiet compiler warnings about unused info_ptr */
  637. }
  638. #ifdef PNG_READ_gAMA_SUPPORTED
  639. void /* PRIVATE */
  640. png_handle_gAMA(png_structp png_ptr, png_infop info_ptr, png_uint_32 length)
  641. {
  642. png_fixed_point igamma;
  643. png_byte buf[4];
  644. png_debug(1, "in png_handle_gAMA");
  645. if (!(png_ptr->mode & PNG_HAVE_IHDR))
  646. png_error(png_ptr, "Missing IHDR before gAMA");
  647. else if (png_ptr->mode & PNG_HAVE_IDAT)
  648. {
  649. png_warning(png_ptr, "Invalid gAMA after IDAT");
  650. png_crc_finish(png_ptr, length);
  651. return;
  652. }
  653. else if (png_ptr->mode & PNG_HAVE_PLTE)
  654. /* Should be an error, but we can cope with it */
  655. png_warning(png_ptr, "Out of place gAMA chunk");
  656. if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_gAMA)
  657. #ifdef PNG_READ_sRGB_SUPPORTED
  658. && !(info_ptr->valid & PNG_INFO_sRGB)
  659. #endif
  660. )
  661. {
  662. png_warning(png_ptr, "Duplicate gAMA chunk");
  663. png_crc_finish(png_ptr, length);
  664. return;
  665. }
  666. if (length != 4)
  667. {
  668. png_warning(png_ptr, "Incorrect gAMA chunk length");
  669. png_crc_finish(png_ptr, length);
  670. return;
  671. }
  672. png_crc_read(png_ptr, buf, 4);
  673. if (png_crc_finish(png_ptr, 0))
  674. return;
  675. igamma = png_get_fixed_point(NULL, buf);
  676. /* Check for zero gamma or an error. */
  677. if (igamma <= 0)
  678. {
  679. png_warning(png_ptr,
  680. "Ignoring gAMA chunk with out of range gamma");
  681. return;
  682. }
  683. # ifdef PNG_READ_sRGB_SUPPORTED
  684. if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_sRGB))
  685. {
  686. if (PNG_OUT_OF_RANGE(igamma, 45500, 500))
  687. {
  688. PNG_WARNING_PARAMETERS(p)
  689. png_warning_parameter_signed(p, 1, PNG_NUMBER_FORMAT_fixed, igamma);
  690. png_formatted_warning(png_ptr, p,
  691. "Ignoring incorrect gAMA value @1 when sRGB is also present");
  692. return;
  693. }
  694. }
  695. # endif /* PNG_READ_sRGB_SUPPORTED */
  696. # ifdef PNG_READ_GAMMA_SUPPORTED
  697. /* Gamma correction on read is supported. */
  698. png_ptr->gamma = igamma;
  699. # endif
  700. /* And set the 'info' structure members. */
  701. png_set_gAMA_fixed(png_ptr, info_ptr, igamma);
  702. }
  703. #endif
  704. #ifdef PNG_READ_sBIT_SUPPORTED
  705. void /* PRIVATE */
  706. png_handle_sBIT(png_structp png_ptr, png_infop info_ptr, png_uint_32 length)
  707. {
  708. png_size_t truelen;
  709. png_byte buf[4];
  710. png_debug(1, "in png_handle_sBIT");
  711. buf[0] = buf[1] = buf[2] = buf[3] = 0;
  712. if (!(png_ptr->mode & PNG_HAVE_IHDR))
  713. png_error(png_ptr, "Missing IHDR before sBIT");
  714. else if (png_ptr->mode & PNG_HAVE_IDAT)
  715. {
  716. png_warning(png_ptr, "Invalid sBIT after IDAT");
  717. png_crc_finish(png_ptr, length);
  718. return;
  719. }
  720. else if (png_ptr->mode & PNG_HAVE_PLTE)
  721. {
  722. /* Should be an error, but we can cope with it */
  723. png_warning(png_ptr, "Out of place sBIT chunk");
  724. }
  725. if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_sBIT))
  726. {
  727. png_warning(png_ptr, "Duplicate sBIT chunk");
  728. png_crc_finish(png_ptr, length);
  729. return;
  730. }
  731. if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
  732. truelen = 3;
  733. else
  734. truelen = (png_size_t)png_ptr->channels;
  735. if (length != truelen || length > 4)
  736. {
  737. png_warning(png_ptr, "Incorrect sBIT chunk length");
  738. png_crc_finish(png_ptr, length);
  739. return;
  740. }
  741. png_crc_read(png_ptr, buf, truelen);
  742. if (png_crc_finish(png_ptr, 0))
  743. return;
  744. if (png_ptr->color_type & PNG_COLOR_MASK_COLOR)
  745. {
  746. png_ptr->sig_bit.red = buf[0];
  747. png_ptr->sig_bit.green = buf[1];
  748. png_ptr->sig_bit.blue = buf[2];
  749. png_ptr->sig_bit.alpha = buf[3];
  750. }
  751. else
  752. {
  753. png_ptr->sig_bit.gray = buf[0];
  754. png_ptr->sig_bit.red = buf[0];
  755. png_ptr->sig_bit.green = buf[0];
  756. png_ptr->sig_bit.blue = buf[0];
  757. png_ptr->sig_bit.alpha = buf[1];
  758. }
  759. png_set_sBIT(png_ptr, info_ptr, &(png_ptr->sig_bit));
  760. }
  761. #endif
  762. #ifdef PNG_READ_cHRM_SUPPORTED
  763. void /* PRIVATE */
  764. png_handle_cHRM(png_structp png_ptr, png_infop info_ptr, png_uint_32 length)
  765. {
  766. png_byte buf[32];
  767. png_fixed_point x_white, y_white, x_red, y_red, x_green, y_green, x_blue,
  768. y_blue;
  769. png_debug(1, "in png_handle_cHRM");
  770. if (!(png_ptr->mode & PNG_HAVE_IHDR))
  771. png_error(png_ptr, "Missing IHDR before cHRM");
  772. else if (png_ptr->mode & PNG_HAVE_IDAT)
  773. {
  774. png_warning(png_ptr, "Invalid cHRM after IDAT");
  775. png_crc_finish(png_ptr, length);
  776. return;
  777. }
  778. else if (png_ptr->mode & PNG_HAVE_PLTE)
  779. /* Should be an error, but we can cope with it */
  780. png_warning(png_ptr, "Out of place cHRM chunk");
  781. if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_cHRM)
  782. # ifdef PNG_READ_sRGB_SUPPORTED
  783. && !(info_ptr->valid & PNG_INFO_sRGB)
  784. # endif
  785. )
  786. {
  787. png_warning(png_ptr, "Duplicate cHRM chunk");
  788. png_crc_finish(png_ptr, length);
  789. return;
  790. }
  791. if (length != 32)
  792. {
  793. png_warning(png_ptr, "Incorrect cHRM chunk length");
  794. png_crc_finish(png_ptr, length);
  795. return;
  796. }
  797. png_crc_read(png_ptr, buf, 32);
  798. if (png_crc_finish(png_ptr, 0))
  799. return;
  800. x_white = png_get_fixed_point(NULL, buf);
  801. y_white = png_get_fixed_point(NULL, buf + 4);
  802. x_red = png_get_fixed_point(NULL, buf + 8);
  803. y_red = png_get_fixed_point(NULL, buf + 12);
  804. x_green = png_get_fixed_point(NULL, buf + 16);
  805. y_green = png_get_fixed_point(NULL, buf + 20);
  806. x_blue = png_get_fixed_point(NULL, buf + 24);
  807. y_blue = png_get_fixed_point(NULL, buf + 28);
  808. if (x_white == PNG_FIXED_ERROR ||
  809. y_white == PNG_FIXED_ERROR ||
  810. x_red == PNG_FIXED_ERROR ||
  811. y_red == PNG_FIXED_ERROR ||
  812. x_green == PNG_FIXED_ERROR ||
  813. y_green == PNG_FIXED_ERROR ||
  814. x_blue == PNG_FIXED_ERROR ||
  815. y_blue == PNG_FIXED_ERROR)
  816. {
  817. png_warning(png_ptr, "Ignoring cHRM chunk with negative chromaticities");
  818. return;
  819. }
  820. #ifdef PNG_READ_sRGB_SUPPORTED
  821. if ((info_ptr != NULL) && (info_ptr->valid & PNG_INFO_sRGB))
  822. {
  823. if (PNG_OUT_OF_RANGE(x_white, 31270, 1000) ||
  824. PNG_OUT_OF_RANGE(y_white, 32900, 1000) ||
  825. PNG_OUT_OF_RANGE(x_red, 64000, 1000) ||
  826. PNG_OUT_OF_RANGE(y_red, 33000, 1000) ||
  827. PNG_OUT_OF_RANGE(x_green, 30000, 1000) ||
  828. PNG_OUT_OF_RANGE(y_green, 60000, 1000) ||
  829. PNG_OUT_OF_RANGE(x_blue, 15000, 1000) ||
  830. PNG_OUT_OF_RANGE(y_blue, 6000, 1000))
  831. {
  832. PNG_WARNING_PARAMETERS(p)
  833. png_warning_parameter_signed(p, 1, PNG_NUMBER_FORMAT_fixed, x_white);
  834. png_warning_parameter_signed(p, 2, PNG_NUMBER_FORMAT_fixed, y_white);
  835. png_warning_parameter_signed(p, 3, PNG_NUMBER_FORMAT_fixed, x_red);
  836. png_warning_parameter_signed(p, 4, PNG_NUMBER_FORMAT_fixed, y_red);
  837. png_warning_parameter_signed(p, 5, PNG_NUMBER_FORMAT_fixed, x_green);
  838. png_warning_parameter_signed(p, 6, PNG_NUMBER_FORMAT_fixed, y_green);
  839. png_warning_parameter_signed(p, 7, PNG_NUMBER_FORMAT_fixed, x_blue);
  840. png_warning_parameter_signed(p, 8, PNG_NUMBER_FORMAT_fixed, y_blue);
  841. png_formatted_warning(png_ptr, p,
  842. "Ignoring incorrect cHRM white(@1,@2) r(@3,@4)g(@5,@6)b(@7,@8) "
  843. "when sRGB is also present");
  844. }
  845. return;
  846. }
  847. #endif /* PNG_READ_sRGB_SUPPORTED */
  848. #ifdef PNG_READ_RGB_TO_GRAY_SUPPORTED
  849. /* Store the _white values as default coefficients for the rgb to gray
  850. * operation if it is supported. Check if the transform is already set to
  851. * avoid destroying the transform values.
  852. */
  853. if (!png_ptr->rgb_to_gray_coefficients_set)
  854. {
  855. /* png_set_background has not been called and we haven't seen an sRGB
  856. * chunk yet. Find the XYZ of the three end points.
  857. */
  858. png_XYZ XYZ;
  859. png_xy xy;
  860. xy.redx = x_red;
  861. xy.redy = y_red;
  862. xy.greenx = x_green;
  863. xy.greeny = y_green;
  864. xy.bluex = x_blue;
  865. xy.bluey = y_blue;
  866. xy.whitex = x_white;
  867. xy.whitey = y_white;
  868. if (png_XYZ_from_xy_checked(png_ptr, &XYZ, xy))
  869. {
  870. /* The success case, because XYZ_from_xy normalises to a reference
  871. * white Y of 1.0 we just need to scale the numbers. This should
  872. * always work just fine. It is an internal error if this overflows.
  873. */
  874. {
  875. png_fixed_point r, g, b;
  876. if (png_muldiv(&r, XYZ.redY, 32768, PNG_FP_1) &&
  877. r >= 0 && r <= 32768 &&
  878. png_muldiv(&g, XYZ.greenY, 32768, PNG_FP_1) &&
  879. g >= 0 && g <= 32768 &&
  880. png_muldiv(&b, XYZ.blueY, 32768, PNG_FP_1) &&
  881. b >= 0 && b <= 32768 &&
  882. r+g+b <= 32769)
  883. {
  884. /* We allow 0 coefficients here. r+g+b may be 32769 if two or
  885. * all of the coefficients were rounded up. Handle this by
  886. * reducing the *largest* coefficient by 1; this matches the
  887. * approach used for the default coefficients in pngrtran.c
  888. */
  889. int add = 0;
  890. if (r+g+b > 32768)
  891. add = -1;
  892. else if (r+g+b < 32768)
  893. add = 1;
  894. if (add != 0)
  895. {
  896. if (g >= r && g >= b)
  897. g += add;
  898. else if (r >= g && r >= b)
  899. r += add;
  900. else
  901. b += add;
  902. }
  903. /* Check for an internal error. */
  904. if (r+g+b != 32768)
  905. png_error(png_ptr,
  906. "internal error handling cHRM coefficients");
  907. png_ptr->rgb_to_gray_red_coeff = (png_uint_16)r;
  908. png_ptr->rgb_to_gray_green_coeff = (png_uint_16)g;
  909. }
  910. /* This is a png_error at present even though it could be ignored -
  911. * it should never happen, but it is important that if it does, the
  912. * bug is fixed.
  913. */
  914. else
  915. png_error(png_ptr, "internal error handling cHRM->XYZ");
  916. }
  917. }
  918. }
  919. #endif
  920. png_set_cHRM_fixed(png_ptr, info_ptr, x_white, y_white, x_red, y_red,
  921. x_green, y_green, x_blue, y_blue);
  922. }
  923. #endif
  924. #ifdef PNG_READ_sRGB_SUPPORTED
  925. void /* PRIVATE */
  926. png_handle_sRGB(png_structp png_ptr, png_infop info_ptr, png_uint_32 length)
  927. {
  928. int intent;
  929. png_byte buf[1];
  930. png_debug(1, "in png_handle_sRGB");
  931. if (!(png_ptr->mode & PNG_HAVE_IHDR))
  932. png_error(png_ptr, "Missing IHDR before sRGB");
  933. else if (png_ptr->mode & PNG_HAVE_IDAT)
  934. {
  935. png_warning(png_ptr, "Invalid sRGB after IDAT");
  936. png_crc_finish(png_ptr, length);
  937. return;
  938. }
  939. else if (png_ptr->mode & PNG_HAVE_PLTE)
  940. /* Should be an error, but we can cope with it */
  941. png_warning(png_ptr, "Out of place sRGB chunk");
  942. if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_sRGB))
  943. {
  944. png_warning(png_ptr, "Duplicate sRGB chunk");
  945. png_crc_finish(png_ptr, length);
  946. return;
  947. }
  948. if (length != 1)
  949. {
  950. png_warning(png_ptr, "Incorrect sRGB chunk length");
  951. png_crc_finish(png_ptr, length);
  952. return;
  953. }
  954. png_crc_read(png_ptr, buf, 1);
  955. if (png_crc_finish(png_ptr, 0))
  956. return;
  957. intent = buf[0];
  958. /* Check for bad intent */
  959. if (intent >= PNG_sRGB_INTENT_LAST)
  960. {
  961. png_warning(png_ptr, "Unknown sRGB intent");
  962. return;
  963. }
  964. #if defined(PNG_READ_gAMA_SUPPORTED) && defined(PNG_READ_GAMMA_SUPPORTED)
  965. if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_gAMA))
  966. {
  967. if (PNG_OUT_OF_RANGE(info_ptr->gamma, 45500, 500))
  968. {
  969. PNG_WARNING_PARAMETERS(p)
  970. png_warning_parameter_signed(p, 1, PNG_NUMBER_FORMAT_fixed,
  971. info_ptr->gamma);
  972. png_formatted_warning(png_ptr, p,
  973. "Ignoring incorrect gAMA value @1 when sRGB is also present");
  974. }
  975. }
  976. #endif /* PNG_READ_gAMA_SUPPORTED */
  977. #ifdef PNG_READ_cHRM_SUPPORTED
  978. if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_cHRM))
  979. if (PNG_OUT_OF_RANGE(info_ptr->x_white, 31270, 1000) ||
  980. PNG_OUT_OF_RANGE(info_ptr->y_white, 32900, 1000) ||
  981. PNG_OUT_OF_RANGE(info_ptr->x_red, 64000, 1000) ||
  982. PNG_OUT_OF_RANGE(info_ptr->y_red, 33000, 1000) ||
  983. PNG_OUT_OF_RANGE(info_ptr->x_green, 30000, 1000) ||
  984. PNG_OUT_OF_RANGE(info_ptr->y_green, 60000, 1000) ||
  985. PNG_OUT_OF_RANGE(info_ptr->x_blue, 15000, 1000) ||
  986. PNG_OUT_OF_RANGE(info_ptr->y_blue, 6000, 1000))
  987. {
  988. png_warning(png_ptr,
  989. "Ignoring incorrect cHRM value when sRGB is also present");
  990. }
  991. #endif /* PNG_READ_cHRM_SUPPORTED */
  992. /* This is recorded for use when handling the cHRM chunk above. An sRGB
  993. * chunk unconditionally overwrites the coefficients for grayscale conversion
  994. * too.
  995. */
  996. png_ptr->is_sRGB = 1;
  997. # ifdef PNG_READ_RGB_TO_GRAY_SUPPORTED
  998. /* Don't overwrite user supplied values: */
  999. if (!png_ptr->rgb_to_gray_coefficients_set)
  1000. {
  1001. /* These numbers come from the sRGB specification (or, since one has to
  1002. * pay much money to get a copy, the wikipedia sRGB page) the
  1003. * chromaticity values quoted have been inverted to get the reverse
  1004. * transformation from RGB to XYZ and the 'Y' coefficients scaled by
  1005. * 32768 (then rounded).
  1006. *
  1007. * sRGB and ITU Rec-709 both truncate the values for the D65 white
  1008. * point to four digits and, even though it actually stores five
  1009. * digits, the PNG spec gives the truncated value.
  1010. *
  1011. * This means that when the chromaticities are converted back to XYZ
  1012. * end points we end up with (6968,23435,2366), which, as described in
  1013. * pngrtran.c, would overflow. If the five digit precision and up is
  1014. * used we get, instead:
  1015. *
  1016. * 6968*R + 23435*G + 2365*B
  1017. *
  1018. * (Notice that this rounds the blue coefficient down, rather than the
  1019. * choice used in pngrtran.c which is to round the green one down.)
  1020. */
  1021. png_ptr->rgb_to_gray_red_coeff = 6968; /* 0.212639005871510 */
  1022. png_ptr->rgb_to_gray_green_coeff = 23434; /* 0.715168678767756 */
  1023. /* png_ptr->rgb_to_gray_blue_coeff = 2366; 0.072192315360734 */
  1024. /* The following keeps the cHRM chunk from destroying the
  1025. * coefficients again in the event that it follows the sRGB chunk.
  1026. */
  1027. png_ptr->rgb_to_gray_coefficients_set = 1;
  1028. }
  1029. # endif
  1030. png_set_sRGB_gAMA_and_cHRM(png_ptr, info_ptr, intent);
  1031. }
  1032. #endif /* PNG_READ_sRGB_SUPPORTED */
  1033. #ifdef PNG_READ_iCCP_SUPPORTED
  1034. void /* PRIVATE */
  1035. png_handle_iCCP(png_structp png_ptr, png_infop info_ptr, png_uint_32 length)
  1036. /* Note: this does not properly handle chunks that are > 64K under DOS */
  1037. {
  1038. png_byte compression_type;
  1039. png_bytep pC;
  1040. png_charp profile;
  1041. png_uint_32 skip = 0;
  1042. png_uint_32 profile_size;
  1043. png_alloc_size_t profile_length;
  1044. png_size_t slength, prefix_length, data_length;
  1045. png_debug(1, "in png_handle_iCCP");
  1046. if (!(png_ptr->mode & PNG_HAVE_IHDR))
  1047. png_error(png_ptr, "Missing IHDR before iCCP");
  1048. else if (png_ptr->mode & PNG_HAVE_IDAT)
  1049. {
  1050. png_warning(png_ptr, "Invalid iCCP after IDAT");
  1051. png_crc_finish(png_ptr, length);
  1052. return;
  1053. }
  1054. else if (png_ptr->mode & PNG_HAVE_PLTE)
  1055. /* Should be an error, but we can cope with it */
  1056. png_warning(png_ptr, "Out of place iCCP chunk");
  1057. if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_iCCP))
  1058. {
  1059. png_warning(png_ptr, "Duplicate iCCP chunk");
  1060. png_crc_finish(png_ptr, length);
  1061. return;
  1062. }
  1063. #ifdef PNG_MAX_MALLOC_64K
  1064. if (length > (png_uint_32)65535L)
  1065. {
  1066. png_warning(png_ptr, "iCCP chunk too large to fit in memory");
  1067. skip = length - (png_uint_32)65535L;
  1068. length = (png_uint_32)65535L;
  1069. }
  1070. #endif
  1071. png_free(png_ptr, png_ptr->chunkdata);
  1072. png_ptr->chunkdata = (png_charp)png_malloc(png_ptr, length + 1);
  1073. slength = length;
  1074. png_crc_read(png_ptr, (png_bytep)png_ptr->chunkdata, slength);
  1075. if (png_crc_finish(png_ptr, skip))
  1076. {
  1077. png_free(png_ptr, png_ptr->chunkdata);
  1078. png_ptr->chunkdata = NULL;
  1079. return;
  1080. }
  1081. png_ptr->chunkdata[slength] = 0x00;
  1082. for (profile = png_ptr->chunkdata; *profile; profile++)
  1083. /* Empty loop to find end of name */ ;
  1084. ++profile;
  1085. /* There should be at least one zero (the compression type byte)
  1086. * following the separator, and we should be on it
  1087. */
  1088. if (profile >= png_ptr->chunkdata + slength - 1)
  1089. {
  1090. png_free(png_ptr, png_ptr->chunkdata);
  1091. png_ptr->chunkdata = NULL;
  1092. png_warning(png_ptr, "Malformed iCCP chunk");
  1093. return;
  1094. }
  1095. /* Compression_type should always be zero */
  1096. compression_type = *profile++;
  1097. if (compression_type)
  1098. {
  1099. png_warning(png_ptr, "Ignoring nonzero compression type in iCCP chunk");
  1100. compression_type = 0x00; /* Reset it to zero (libpng-1.0.6 through 1.0.8
  1101. wrote nonzero) */
  1102. }
  1103. prefix_length = profile - png_ptr->chunkdata;
  1104. png_decompress_chunk(png_ptr, compression_type,
  1105. slength, prefix_length, &data_length);
  1106. profile_length = data_length - prefix_length;
  1107. if (prefix_length > data_length || profile_length < 4)
  1108. {
  1109. png_free(png_ptr, png_ptr->chunkdata);
  1110. png_ptr->chunkdata = NULL;
  1111. png_warning(png_ptr, "Profile size field missing from iCCP chunk");
  1112. return;
  1113. }
  1114. /* Check the profile_size recorded in the first 32 bits of the ICC profile */
  1115. pC = (png_bytep)(png_ptr->chunkdata + prefix_length);
  1116. profile_size = ((*(pC )) << 24) |
  1117. ((*(pC + 1)) << 16) |
  1118. ((*(pC + 2)) << 8) |
  1119. ((*(pC + 3)) );
  1120. /* NOTE: the following guarantees that 'profile_length' fits into 32 bits,
  1121. * because profile_size is a 32 bit value.
  1122. */
  1123. if (profile_size < profile_length)
  1124. profile_length = profile_size;
  1125. /* And the following guarantees that profile_size == profile_length. */
  1126. if (profile_size > profile_length)
  1127. {
  1128. PNG_WARNING_PARAMETERS(p)
  1129. png_free(png_ptr, png_ptr->chunkdata);
  1130. png_ptr->chunkdata = NULL;
  1131. png_warning_parameter_unsigned(p, 1, PNG_NUMBER_FORMAT_u, profile_size);
  1132. png_warning_parameter_unsigned(p, 2, PNG_NUMBER_FORMAT_u, profile_length);
  1133. png_formatted_warning(png_ptr, p,
  1134. "Ignoring iCCP chunk with declared size = @1 and actual length = @2");
  1135. return;
  1136. }
  1137. png_set_iCCP(png_ptr, info_ptr, png_ptr->chunkdata,
  1138. compression_type, (png_bytep)png_ptr->chunkdata + prefix_length,
  1139. profile_size);
  1140. png_free(png_ptr, png_ptr->chunkdata);
  1141. png_ptr->chunkdata = NULL;
  1142. }
  1143. #endif /* PNG_READ_iCCP_SUPPORTED */
  1144. #ifdef PNG_READ_sPLT_SUPPORTED
  1145. void /* PRIVATE */
  1146. png_handle_sPLT(png_structp png_ptr, png_infop info_ptr, png_uint_32 length)
  1147. /* Note: this does not properly handle chunks that are > 64K under DOS */
  1148. {
  1149. png_bytep entry_start;
  1150. png_sPLT_t new_palette;
  1151. png_sPLT_entryp pp;
  1152. png_uint_32 data_length;
  1153. int entry_size, i;
  1154. png_uint_32 skip = 0;
  1155. png_size_t slength;
  1156. png_uint_32 dl;
  1157. png_size_t max_dl;
  1158. png_debug(1, "in png_handle_sPLT");
  1159. #ifdef PNG_USER_LIMITS_SUPPORTED
  1160. if (png_ptr->user_chunk_cache_max != 0)
  1161. {
  1162. if (png_ptr->user_chunk_cache_max == 1)
  1163. {
  1164. png_crc_finish(png_ptr, length);
  1165. return;
  1166. }
  1167. if (--png_ptr->user_chunk_cache_max == 1)
  1168. {
  1169. png_warning(png_ptr, "No space in chunk cache for sPLT");
  1170. png_crc_finish(png_ptr, length);
  1171. return;
  1172. }
  1173. }
  1174. #endif
  1175. if (!(png_ptr->mode & PNG_HAVE_IHDR))
  1176. png_error(png_ptr, "Missing IHDR before sPLT");
  1177. else if (png_ptr->mode & PNG_HAVE_IDAT)
  1178. {
  1179. png_warning(png_ptr, "Invalid sPLT after IDAT");
  1180. png_crc_finish(png_ptr, length);
  1181. return;
  1182. }
  1183. #ifdef PNG_MAX_MALLOC_64K
  1184. if (length > (png_uint_32)65535L)
  1185. {
  1186. png_warning(png_ptr, "sPLT chunk too large to fit in memory");
  1187. skip = length - (png_uint_32)65535L;
  1188. length = (png_uint_32)65535L;
  1189. }
  1190. #endif
  1191. png_free(png_ptr, png_ptr->chunkdata);
  1192. png_ptr->chunkdata = (png_charp)png_malloc(png_ptr, length + 1);
  1193. /* WARNING: this may break if size_t is less than 32 bits; it is assumed
  1194. * that the PNG_MAX_MALLOC_64K test is enabled in this case, but this is a
  1195. * potential breakage point if the types in pngconf.h aren't exactly right.
  1196. */
  1197. slength = length;
  1198. png_crc_read(png_ptr, (png_bytep)png_ptr->chunkdata, slength);
  1199. if (png_crc_finish(png_ptr, skip))
  1200. {
  1201. png_free(png_ptr, png_ptr->chunkdata);
  1202. png_ptr->chunkdata = NULL;
  1203. return;
  1204. }
  1205. png_ptr->chunkdata[slength] = 0x00;
  1206. for (entry_start = (png_bytep)png_ptr->chunkdata; *entry_start;
  1207. entry_start++)
  1208. /* Empty loop to find end of name */ ;
  1209. ++entry_start;
  1210. /* A sample depth should follow the separator, and we should be on it */
  1211. if (entry_start > (png_bytep)png_ptr->chunkdata + slength - 2)
  1212. {
  1213. png_free(png_ptr, png_ptr->chunkdata);
  1214. png_ptr->chunkdata = NULL;
  1215. png_warning(png_ptr, "malformed sPLT chunk");
  1216. return;
  1217. }
  1218. new_palette.depth = *entry_start++;
  1219. entry_size = (new_palette.depth == 8 ? 6 : 10);
  1220. /* This must fit in a png_uint_32 because it is derived from the original
  1221. * chunk data length (and use 'length', not 'slength' here for clarity -
  1222. * they are guaranteed to be the same, see the tests above.)
  1223. */
  1224. data_length = length - (png_uint_32)(entry_start -
  1225. (png_bytep)png_ptr->chunkdata);
  1226. /* Integrity-check the data length */
  1227. if (data_length % entry_size)
  1228. {
  1229. png_free(png_ptr, png_ptr->chunkdata);
  1230. png_ptr->chunkdata = NULL;
  1231. png_warning(png_ptr, "sPLT chunk has bad length");
  1232. return;
  1233. }
  1234. dl = (png_int_32)(data_length / entry_size);
  1235. max_dl = PNG_SIZE_MAX / png_sizeof(png_sPLT_entry);
  1236. if (dl > max_dl)
  1237. {
  1238. png_warning(png_ptr, "sPLT chunk too long");
  1239. return;
  1240. }
  1241. new_palette.nentries = (png_int_32)(data_length / entry_size);
  1242. new_palette.entries = (png_sPLT_entryp)png_malloc_warn(
  1243. png_ptr, new_palette.nentries * png_sizeof(png_sPLT_entry));
  1244. if (new_palette.entries == NULL)
  1245. {
  1246. png_warning(png_ptr, "sPLT chunk requires too much memory");
  1247. return;
  1248. }
  1249. #ifdef PNG_POINTER_INDEXING_SUPPORTED
  1250. for (i = 0; i < new_palette.nentries; i++)
  1251. {
  1252. pp = new_palette.entries + i;
  1253. if (new_palette.depth == 8)
  1254. {
  1255. pp->red = *entry_start++;
  1256. pp->green = *entry_start++;
  1257. pp->blue = *entry_start++;
  1258. pp->alpha = *entry_start++;
  1259. }
  1260. else
  1261. {
  1262. pp->red = png_get_uint_16(entry_start); entry_start += 2;
  1263. pp->green = png_get_uint_16(entry_start); entry_start += 2;
  1264. pp->blue = png_get_uint_16(entry_start); entry_start += 2;
  1265. pp->alpha = png_get_uint_16(entry_start); entry_start += 2;
  1266. }
  1267. pp->frequency = png_get_uint_16(entry_start); entry_start += 2;
  1268. }
  1269. #else
  1270. pp = new_palette.entries;
  1271. for (i = 0; i < new_palette.nentries; i++)
  1272. {
  1273. if (new_palette.depth == 8)
  1274. {
  1275. pp[i].red = *entry_start++;
  1276. pp[i].green = *entry_start++;
  1277. pp[i].blue = *entry_start++;
  1278. pp[i].alpha = *entry_start++;
  1279. }
  1280. else
  1281. {
  1282. pp[i].red = png_get_uint_16(entry_start); entry_start += 2;
  1283. pp[i].green = png_get_uint_16(entry_start); entry_start += 2;
  1284. pp[i].blue = png_get_uint_16(entry_start); entry_start += 2;
  1285. pp[i].alpha = png_get_uint_16(entry_start); entry_start += 2;
  1286. }
  1287. pp[i].frequency = png_get_uint_16(entry_start); entry_start += 2;
  1288. }
  1289. #endif
  1290. /* Discard all chunk data except the name and stash that */
  1291. new_palette.name = png_ptr->chunkdata;
  1292. png_set_sPLT(png_ptr, info_ptr, &new_palette, 1);
  1293. png_free(png_ptr, png_ptr->chunkdata);
  1294. png_ptr->chunkdata = NULL;
  1295. png_free(png_ptr, new_palette.entries);
  1296. }
  1297. #endif /* PNG_READ_sPLT_SUPPORTED */
  1298. #ifdef PNG_READ_tRNS_SUPPORTED
  1299. void /* PRIVATE */
  1300. png_handle_tRNS(png_structp png_ptr, png_infop info_ptr, png_uint_32 length)
  1301. {
  1302. png_byte readbuf[PNG_MAX_PALETTE_LENGTH];
  1303. png_debug(1, "in png_handle_tRNS");
  1304. if (!(png_ptr->mode & PNG_HAVE_IHDR))
  1305. png_error(png_ptr, "Missing IHDR before tRNS");
  1306. else if (png_ptr->mode & PNG_HAVE_IDAT)
  1307. {
  1308. png_warning(png_ptr, "Invalid tRNS after IDAT");
  1309. png_crc_finish(png_ptr, length);
  1310. return;
  1311. }
  1312. else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_tRNS))
  1313. {
  1314. png_warning(png_ptr, "Duplicate tRNS chunk");
  1315. png_crc_finish(png_ptr, length);
  1316. return;
  1317. }
  1318. if (png_ptr->color_type == PNG_COLOR_TYPE_GRAY)
  1319. {
  1320. png_byte buf[2];
  1321. if (length != 2)
  1322. {
  1323. png_warning(png_ptr, "Incorrect tRNS chunk length");
  1324. png_crc_finish(png_ptr, length);
  1325. return;
  1326. }
  1327. png_crc_read(png_ptr, buf, 2);
  1328. png_ptr->num_trans = 1;
  1329. png_ptr->trans_color.gray = png_get_uint_16(buf);
  1330. }
  1331. else if (png_ptr->color_type == PNG_COLOR_TYPE_RGB)
  1332. {
  1333. png_byte buf[6];
  1334. if (length != 6)
  1335. {
  1336. png_warning(png_ptr, "Incorrect tRNS chunk length");
  1337. png_crc_finish(png_ptr, length);
  1338. return;
  1339. }
  1340. png_crc_read(png_ptr, buf, (png_size_t)length);
  1341. png_ptr->num_trans = 1;
  1342. png_ptr->trans_color.red = png_get_uint_16(buf);
  1343. png_ptr->trans_color.green = png_get_uint_16(buf + 2);
  1344. png_ptr->trans_color.blue = png_get_uint_16(buf + 4);
  1345. }
  1346. else if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
  1347. {
  1348. if (!(png_ptr->mode & PNG_HAVE_PLTE))
  1349. {
  1350. /* Should be an error, but we can cope with it. */
  1351. png_warning(png_ptr, "Missing PLTE before tRNS");
  1352. }
  1353. if (length > (png_uint_32)png_ptr->num_palette ||
  1354. length > PNG_MAX_PALETTE_LENGTH)
  1355. {
  1356. png_warning(png_ptr, "Incorrect tRNS chunk length");
  1357. png_crc_finish(png_ptr, length);
  1358. return;
  1359. }
  1360. if (length == 0)
  1361. {
  1362. png_warning(png_ptr, "Zero length tRNS chunk");
  1363. png_crc_finish(png_ptr, length);
  1364. return;
  1365. }
  1366. png_crc_read(png_ptr, readbuf, (png_size_t)length);
  1367. png_ptr->num_trans = (png_uint_16)length;
  1368. }
  1369. else
  1370. {
  1371. png_warning(png_ptr, "tRNS chunk not allowed with alpha channel");
  1372. png_crc_finish(png_ptr, length);
  1373. return;
  1374. }
  1375. if (png_crc_finish(png_ptr, 0))
  1376. {
  1377. png_ptr->num_trans = 0;
  1378. return;
  1379. }
  1380. png_set_tRNS(png_ptr, info_ptr, readbuf, png_ptr->num_trans,
  1381. &(png_ptr->trans_color));
  1382. }
  1383. #endif
  1384. #ifdef PNG_READ_bKGD_SUPPORTED
  1385. void /* PRIVATE */
  1386. png_handle_bKGD(png_structp png_ptr, png_infop info_ptr, png_uint_32 length)
  1387. {
  1388. png_size_t truelen;
  1389. png_byte buf[6];
  1390. png_color_16 background;
  1391. png_debug(1, "in png_handle_bKGD");
  1392. if (!(png_ptr->mode & PNG_HAVE_IHDR))
  1393. png_error(png_ptr, "Missing IHDR before bKGD");
  1394. else if (png_ptr->mode & PNG_HAVE_IDAT)
  1395. {
  1396. png_warning(png_ptr, "Invalid bKGD after IDAT");
  1397. png_crc_finish(png_ptr, length);
  1398. return;
  1399. }
  1400. else if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE &&
  1401. !(png_ptr->mode & PNG_HAVE_PLTE))
  1402. {
  1403. png_warning(png_ptr, "Missing PLTE before bKGD");
  1404. png_crc_finish(png_ptr, length);
  1405. return;
  1406. }
  1407. else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_bKGD))
  1408. {
  1409. png_warning(png_ptr, "Duplicate bKGD chunk");
  1410. png_crc_finish(png_ptr, length);