WebSVN – Kolibri OS – Blame – /programs/develop/libraries/libpng/pngrutil.c

Rev	Author	Line No.	Line
1897	serge	1
		2	*
		3	* Last changed in libpng 1.6.4 [September 14, 2013]
3928	Serge	4	* Copyright (c) 1998-2013 Glenn Randers-Pehrson
		5	* (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
1897	serge	6	* (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
		7	*
		8	* This code is released under the libpng license.
		9	* For conditions of distribution and use, see the disclaimer
		10	* and license in png.h
		11	*
		12	* This file contains routines that are only called from within
		13	* libpng itself during the course of reading an image.
		14	*/
		15
		16
		17
		18
		19
		20
		21	png_get_uint_31(png_const_structrp png_ptr, png_const_bytep buf)
3928	Serge	22	{
1897	serge	23	png_uint_32 uval = png_get_uint_32(buf);
		24
		25
		26	png_error(png_ptr, "PNG unsigned integer out of range");
		27
		28
		29	}
		30
		31
		32	/* The following is a variation on the above for use with the fixed
		33	* point values used for gAMA and cHRM. Instead of png_error it
		34	* issues a warning and returns (-1) - an invalid value because both
		35	* gAMA and cHRM use unsigned integers for fixed point values.
		36	*/
		37	#define PNG_FIXED_ERROR (-1)
		38
		39
		40	png_get_fixed_point(png_structrp png_ptr, png_const_bytep buf)
3928	Serge	41	{
1897	serge	42	png_uint_32 uval = png_get_uint_32(buf);
		43
		44
		45	return (png_fixed_point)uval; /* known to be in range */
		46
		47
		48	if (png_ptr != NULL)
		49	png_warning(png_ptr, "PNG fixed point integer out of range");
		50
		51
		52	}
		53	#endif
		54
		55
		56	/* NOTE: the read macros will obscure these definitions, so that if
		57	* PNG_USE_READ_MACROS is set the library will not use them internally,
		58	* but the APIs will still be available externally.
		59	*
		60	* The parentheses around "PNGAPI function_name" in the following three
		61	* functions are necessary because they allow the macros to co-exist with
		62	* these (unused but exported) functions.
		63	*/
		64
		65
		66	png_uint_32 (PNGAPI
		67	png_get_uint_32)(png_const_bytep buf)
		68	{
		69	png_uint_32 uval =
		70	((png_uint_32)(*(buf )) << 24) +
		71	((png_uint_32)(*(buf + 1)) << 16) +
		72	((png_uint_32)(*(buf + 2)) << 8) +
		73	((png_uint_32)(*(buf + 3)) ) ;
		74
		75
		76	}
		77
		78
		79	* data is stored in the PNG file in two's complement format and there
		80	* is no guarantee that a 'png_int_32' is exactly 32 bits, therefore
		81	* the following code does a two's complement to native conversion.
		82	*/
		83	png_int_32 (PNGAPI
		84	png_get_int_32)(png_const_bytep buf)
		85	{
		86	png_uint_32 uval = png_get_uint_32(buf);
		87	if ((uval & 0x80000000) == 0) /* non-negative */
3928	Serge	88	return uval;
1897	serge	89
		90
3928	Serge	91	return -(png_int_32)uval;
1897	serge	92	}
		93
		94
		95	png_uint_16 (PNGAPI
		96	png_get_uint_16)(png_const_bytep buf)
		97	{
		98	/* ANSI-C requires an int value to accomodate at least 16 bits so this
		99	* works and allows the compiler not to worry about possible narrowing
		100	* on 32 bit systems. (Pre-ANSI systems did not make integers smaller
		101	* than 16 bits either.)
		102	*/
		103	unsigned int val =
		104	((unsigned int)(*buf) << 8) +
		105	((unsigned int)(*(buf + 1)));
		106
		107
		108	}
		109
		110
		111
		112
		113	void /* PRIVATE */
		114	png_read_sig(png_structrp png_ptr, png_inforp info_ptr)
3928	Serge	115	{
1897	serge	116	png_size_t num_checked, num_to_check;
		117
		118
		119	if (png_ptr->sig_bytes >= 8)
		120	return;
		121
		122
		123	num_to_check = 8 - num_checked;
		124
		125
		126	png_ptr->io_state = PNG_IO_READING \| PNG_IO_SIGNATURE;
		127	#endif
		128
		129
		130	png_read_data(png_ptr, &(info_ptr->signature[num_checked]), num_to_check);
		131	png_ptr->sig_bytes = 8;
		132
		133
		134	{
		135	if (num_checked < 4 &&
		136	png_sig_cmp(info_ptr->signature, num_checked, num_to_check - 4))
		137	png_error(png_ptr, "Not a PNG file");
		138	else
		139	png_error(png_ptr, "PNG file corrupted by ASCII conversion");
		140	}
		141	if (num_checked < 3)
		142	png_ptr->mode \|= PNG_HAVE_PNG_SIGNATURE;
		143	}
		144
		145
		146	* Put the type name into png_ptr->chunk_name, and return the length.
		147	*/
		148	png_uint_32 /* PRIVATE */
		149	png_read_chunk_header(png_structrp png_ptr)
3928	Serge	150	{
1897	serge	151	png_byte buf[8];
		152	png_uint_32 length;
		153
		154
		155	png_ptr->io_state = PNG_IO_READING \| PNG_IO_CHUNK_HDR;
		156	#endif
		157
		158
		159	* This must be performed in a single I/O call.
		160	*/
		161	png_read_data(png_ptr, buf, 8);
		162	length = png_get_uint_31(png_ptr, buf);
		163
		164
		165	png_ptr->chunk_name = PNG_CHUNK_FROM_STRING(buf+4);
3928	Serge	166
1897	serge	167
3928	Serge	168	(unsigned long)png_ptr->chunk_name, (unsigned long)length);
		169
1897	serge	170
		171	png_reset_crc(png_ptr);
		172	png_calculate_crc(png_ptr, buf + 4, 4);
3928	Serge	173
1897	serge	174
		175	png_check_chunk_name(png_ptr, png_ptr->chunk_name);
		176
		177
		178	png_ptr->io_state = PNG_IO_READING \| PNG_IO_CHUNK_DATA;
		179	#endif
		180
		181
		182	}
		183
		184
		185	void /* PRIVATE */
		186	png_crc_read(png_structrp png_ptr, png_bytep buf, png_uint_32 length)
3928	Serge	187	{
1897	serge	188	if (png_ptr == NULL)
		189	return;
		190
		191
		192	png_calculate_crc(png_ptr, buf, length);
		193	}
		194
		195
		196	* are reading an ancillary or critical chunk, and how the program has set
3928	Serge	197	* things up, we may calculate the CRC on the data and print a message.
1897	serge	198	* Returns '1' if there was a CRC error, '0' otherwise.
		199	*/
		200	int /* PRIVATE */
		201	png_crc_finish(png_structrp png_ptr, png_uint_32 skip)
3928	Serge	202	{
1897	serge	203	/* The size of the local buffer for inflate is a good guess as to a
3928	Serge	204	* reasonable size to use for buffering reads from the application.
		205	*/
		206	while (skip > 0)
		207	{
1897	serge	208	png_uint_32 len;
3928	Serge	209	png_byte tmpbuf[PNG_INFLATE_BUF_SIZE];
		210
1897	serge	211
3928	Serge	212	if (len > skip)
		213	len = skip;
		214	skip -= len;
		215
		216
		217	}
1897	serge	218
		219
		220	{
		221	if (PNG_CHUNK_ANCILLARY(png_ptr->chunk_name) ?
3928	Serge	222	!(png_ptr->flags & PNG_FLAG_CRC_ANCILLARY_NOWARN) :
		223	(png_ptr->flags & PNG_FLAG_CRC_CRITICAL_USE))
		224	{
1897	serge	225	png_chunk_warning(png_ptr, "CRC error");
		226	}
		227
		228
		229	{
		230	png_chunk_benign_error(png_ptr, "CRC error");
		231	return (0);
		232	}
		233
		234
		235	}
		236
		237
		238	}
		239
		240
		241	* the data it has read thus far.
		242	*/
		243	int /* PRIVATE */
		244	png_crc_error(png_structrp png_ptr)
3928	Serge	245	{
1897	serge	246	png_byte crc_bytes[4];
		247	png_uint_32 crc;
		248	int need_crc = 1;
		249
		250
3928	Serge	251	{
1897	serge	252	if ((png_ptr->flags & PNG_FLAG_CRC_ANCILLARY_MASK) ==
		253	(PNG_FLAG_CRC_ANCILLARY_USE \| PNG_FLAG_CRC_ANCILLARY_NOWARN))
		254	need_crc = 0;
		255	}
		256
		257
3928	Serge	258	{
1897	serge	259	if (png_ptr->flags & PNG_FLAG_CRC_CRITICAL_IGNORE)
		260	need_crc = 0;
		261	}
		262
		263
		264	png_ptr->io_state = PNG_IO_READING \| PNG_IO_CHUNK_CRC;
		265	#endif
		266
		267
		268	png_read_data(png_ptr, crc_bytes, 4);
		269
		270
		271	{
		272	crc = png_get_uint_32(crc_bytes);
		273	return ((int)(crc != png_ptr->crc));
		274	}
		275
		276
		277	return (0);
		278	}
		279
		280
3928	Serge	281	* enough (or if it is not allocated). The routine returns a pointer to the
		282	* buffer; if an error occurs and 'warn' is set the routine returns NULL, else
		283	* it will call png_error (via png_malloc) on failure. (warn == 2 means
		284	* 'silent').
		285	*/
		286	static png_bytep
		287	png_read_buffer(png_structrp png_ptr, png_alloc_size_t new_size, int warn)
		288	{
1897	serge	289	png_bytep buffer = png_ptr->read_buffer;
3928	Serge	290
1897	serge	291
3928	Serge	292	{
		293	png_ptr->read_buffer = NULL;
		294	png_ptr->read_buffer = NULL;
		295	png_ptr->read_buffer_size = 0;
		296	png_free(png_ptr, buffer);
		297	buffer = NULL;
		298	}
		299
1897	serge	300
3928	Serge	301	{
1897	serge	302	buffer = png_voidcast(png_bytep, png_malloc_base(png_ptr, new_size));
3928	Serge	303
1897	serge	304
3928	Serge	305	{
1897	serge	306	png_ptr->read_buffer = buffer;
3928	Serge	307	png_ptr->read_buffer_size = new_size;
		308	}
		309
1897	serge	310
3928	Serge	311	{
		312	#ifdef PNG_WARNINGS_SUPPORTED
		313	if (warn)
		314	png_chunk_warning(png_ptr, "insufficient memory to read chunk");
		315	else
1897	serge	316	#endif
3928	Serge	317	{
1897	serge	318	#ifdef PNG_ERROR_TEXT_SUPPORTED
3928	Serge	319	png_chunk_error(png_ptr, "insufficient memory to read chunk");
		320	#endif
		321	}
1897	serge	322	}
		323	}
3928	Serge	324
1897	serge	325
3928	Serge	326	}
		327
		328
		329	* decompression. Returns Z_OK on success, else a zlib error code. It checks
		330	* the owner but, in final release builds, just issues a warning if some other
		331	* chunk apparently owns the stream. Prior to release it does a png_error.
		332	*/
		333	static int
		334	png_inflate_claim(png_structrp png_ptr, png_uint_32 owner)
		335	{
		336	if (png_ptr->zowner != 0)
		337	{
		338	char msg[64];
		339
		340
		341	/* So the message that results is " using zstream"; this is an
		342	* internal error, but is very useful for debugging. i18n requirements
		343	* are minimal.
		344	*/
1897	serge	345	(void)png_safecat(msg, (sizeof msg), 4, " using zstream");
3928	Serge	346	# if PNG_LIBPNG_BUILD_BASE_TYPE >= PNG_LIBPNG_BUILD_RC
		347	png_chunk_warning(png_ptr, msg);
		348	png_ptr->zowner = 0;
		349	# else
		350	png_chunk_error(png_ptr, msg);
		351	# endif
		352	}
		353
1897	serge	354
3928	Serge	355	* does not take the size of the data as an argument. Some efficiency could
		356	* be gained by using this when it is known if the zlib stream itself does
		357	* not record the number; however, this is an illusion: the original writer
		358	* of the PNG may have selected a lower window size, and we really must
		359	* follow that because, for systems with with limited capabilities, we
		360	* would otherwise reject the application's attempts to use a smaller window
		361	* size (zlib doesn't have an interface to say "this or lower"!).
		362	*
		363	* inflateReset2 was added to zlib 1.2.4; before this the window could not be
		364	* reset, therefore it is necessary to always allocate the maximum window
		365	* size with earlier zlibs just in case later compressed chunks need it.
		366	*/
		367	{
		368	int ret; /* zlib return code */
		369	# if PNG_ZLIB_VERNUM >= 0x1240
		370
1897	serge	371
3928	Serge	372	defined(PNG_MAXIMUM_INFLATE_WINDOW)
		373	int window_bits;
		374
		375
		376	PNG_OPTION_ON)
		377	window_bits = 15;
		378
		379
		380	window_bits = 0;
		381	# else
		382	# define window_bits 0
		383	# endif
		384	# endif
		385
		386
		387	* memory allocations.
		388	*/
1897	serge	389	png_ptr->zstream.next_in = NULL;
3928	Serge	390	png_ptr->zstream.avail_in = 0;
		391	png_ptr->zstream.next_out = NULL;
		392	png_ptr->zstream.avail_out = 0;
		393
		394
		395	{
1897	serge	396	# if PNG_ZLIB_VERNUM < 0x1240
3928	Serge	397	ret = inflateReset(&png_ptr->zstream);
		398	# else
		399	ret = inflateReset2(&png_ptr->zstream, window_bits);
		400	# endif
		401	}
		402
1897	serge	403
3928	Serge	404	{
		405	# if PNG_ZLIB_VERNUM < 0x1240
		406	ret = inflateInit(&png_ptr->zstream);
		407	# else
		408	ret = inflateInit2(&png_ptr->zstream, window_bits);
		409	# endif
		410
1897	serge	411
3928	Serge	412	png_ptr->flags \|= PNG_FLAG_ZSTREAM_INITIALIZED;
		413	}
1897	serge	414
		415
		416	png_ptr->zowner = owner;
3928	Serge	417
1897	serge	418
3928	Serge	419	png_zstream_error(png_ptr, ret);
		420
		421
		422	}
		423
		424
		425	# undef window_bits
		426	# endif
		427	}
		428
		429
		430	/* png_inflate now returns zlib error codes including Z_OK and Z_STREAM_END to
		431	* allow the caller to do multiple calls if required. If the 'finish' flag is
		432	* set Z_FINISH will be passed to the final inflate() call and Z_STREAM_END must
		433	* be returned or there has been a problem, otherwise Z_SYNC_FLUSH is used and
		434	* Z_OK or Z_STREAM_END will be returned on success.
		435	*
		436	* The input and output sizes are updated to the actual amounts of data consumed
		437	* or written, not the amount available (as in a z_stream). The data pointers
		438	* are not changed, so the next input is (data+input_size) and the next
		439	* available output is (output+output_size).
		440	*/
		441	static int
		442	png_inflate(png_structrp png_ptr, png_uint_32 owner, int finish,
		443	/* INPUT: */ png_const_bytep input, png_uint_32p input_size_ptr,
		444	/* OUTPUT: / png_bytep output, png_alloc_size_t output_size_ptr)
		445	{
		446	if (png_ptr->zowner == owner) /* Else not claimed */
		447	{
		448	int ret;
		449	png_alloc_size_t avail_out = *output_size_ptr;
		450	png_uint_32 avail_in = *input_size_ptr;
		451
		452
		453	* can't even necessarily handle 65536 bytes) because the type uInt is
		454	* "16 bits or more". Consequently it is necessary to chunk the input to
		455	* zlib. This code uses ZLIB_IO_MAX, from pngpriv.h, as the maximum (the
		456	* maximum value that can be stored in a uInt.) It is possible to set
		457	* ZLIB_IO_MAX to a lower value in pngpriv.h and this may sometimes have
		458	* a performance advantage, because it reduces the amount of data accessed
		459	* at each step and that may give the OS more time to page it in.
		460	*/
1897	serge	461	png_ptr->zstream.next_in = PNGZ_INPUT_CAST(input);
3928	Serge	462	/* avail_in and avail_out are set below from 'size' */
		463	png_ptr->zstream.avail_in = 0;
1897	serge	464	png_ptr->zstream.avail_out = 0;
3928	Serge	465
1897	serge	466
3928	Serge	467	* a local buffer below if output is NULL).
		468	*/
		469	if (output != NULL)
		470	png_ptr->zstream.next_out = output;
		471
1897	serge	472
3928	Serge	473	{
1897	serge	474	uInt avail;
3928	Serge	475	Byte local_buffer[PNG_INFLATE_BUF_SIZE];
		476
1897	serge	477
3928	Serge	478	/* The setting of 'avail_in' used to be outside the loop; by setting it
		479	* inside it is possible to chunk the input to zlib and simply rely on
		480	* zlib to advance the 'next_in' pointer. This allows arbitrary
		481	* amounts of data to be passed through zlib at the unavoidable cost of
		482	* requiring a window save (memcpy of up to 32768 output bytes)
		483	* every ZLIB_IO_MAX input bytes.
		484	*/
		485	avail_in += png_ptr->zstream.avail_in; /* not consumed last time */
		486
1897	serge	487
3928	Serge	488
1897	serge	489
3928	Serge	490	avail = (uInt)avail_in; /* safe: < than ZLIB_IO_MAX */
		491
1897	serge	492
3928	Serge	493	png_ptr->zstream.avail_in = avail;
		494
		495
		496	avail_out += png_ptr->zstream.avail_out; /* not written last time */
		497
		498
		499
		500
		501	{
		502	/* Reset the output buffer each time round if output is NULL and
		503	* make available the full buffer, up to 'remaining_space'
		504	*/
		505	png_ptr->zstream.next_out = local_buffer;
		506	if ((sizeof local_buffer) < avail)
		507	avail = (sizeof local_buffer);
		508	}
1897	serge	509
		510
3928	Serge	511	avail = (uInt)avail_out; /* safe: < ZLIB_IO_MAX */
		512
1897	serge	513
3928	Serge	514	avail_out -= avail;
		515
		516
		517	/* In fact 'avail_out' may be 0 at this point, that happens at the end
		518	* of the read when the final LZ end code was not passed at the end of
		519	* the previous chunk of input data. Tell zlib if we have reached the
		520	* end of the output buffer.
		521	*/
		522	ret = inflate(&png_ptr->zstream, avail_out > 0 ? Z_NO_FLUSH :
		523	(finish ? Z_FINISH : Z_SYNC_FLUSH));
		524	} while (ret == Z_OK);
		525
		526
		527	if (output == NULL)
		528	png_ptr->zstream.next_out = NULL;
		529
		530
		531	avail_in += png_ptr->zstream.avail_in;
		532	avail_out += png_ptr->zstream.avail_out;
		533
		534
		535	* consumed or written, effectively the inverse of what zlib uses.
		536	*/
1897	serge	537	if (avail_out > 0)
3928	Serge	538	*output_size_ptr -= avail_out;
		539
		540
		541	*input_size_ptr -= avail_in;
		542
		543
		544	png_zstream_error(png_ptr, ret);
		545	return ret;
		546	}
1897	serge	547
3928	Serge	548
		549	{
		550	/* This is a bad internal error. The recovery assigns to the zstream msg
		551	* pointer, which is not owned by the caller, but this is safe; it's only
		552	* used on errors!
		553	*/
		554	png_ptr->zstream.msg = PNGZ_MSG_CAST("zstream unclaimed");
		555	return Z_STREAM_ERROR;
		556	}
		557	}
1897	serge	558
		559
		560	* Decompress trailing data in a chunk. The assumption is that read_buffer
3928	Serge	561	* points at an allocated area holding the contents of a chunk with a
1897	serge	562	* trailing compressed part. What we get back is an allocated area
		563	* holding the original prefix part and an uncompressed version of the
		564	* trailing part (the malloc area passed in is freed).
		565	*/
		566	static int
3928	Serge	567	png_decompress_chunk(png_structrp png_ptr,
		568	png_uint_32 chunklength, png_uint_32 prefix_size,
		569	png_alloc_size_t newlength / must be initialized to the maximum! */,
		570	int terminate /add a '\0' to the end of the uncompressed data/)
		571	{
1897	serge	572	/* TODO: implement different limits for different types of chunk.
3928	Serge	573	*
		574	* The caller supplies *newlength set to the maximum length of the
		575	* uncompressed data, but this routine allocates space for the prefix and
		576	* maybe a '\0' terminator too. We have to assume that 'prefix_size' is
		577	* limited only by the maximum chunk size.
		578	*/
		579	png_alloc_size_t limit = PNG_SIZE_MAX;
		580
1897	serge	581
3928	Serge	582	if (png_ptr->user_chunk_malloc_max > 0 &&
		583	png_ptr->user_chunk_malloc_max < limit)
		584	limit = png_ptr->user_chunk_malloc_max;
		585	# elif PNG_USER_CHUNK_MALLOC_MAX > 0
		586	if (PNG_USER_CHUNK_MALLOC_MAX < limit)
		587	limit = PNG_USER_CHUNK_MALLOC_MAX;
		588	# endif
		589
		590
		591	{
1897	serge	592	int ret;
3928	Serge	593
1897	serge	594
3928	Serge	595
1897	serge	596
3928	Serge	597	*newlength = limit;
		598
		599
		600	ret = png_inflate_claim(png_ptr, png_ptr->chunk_name);
		601
		602
		603	{
1897	serge	604	png_uint_32 lzsize = chunklength - prefix_size;
3928	Serge	605
1897	serge	606
3928	Serge	607	/* input: */ png_ptr->read_buffer + prefix_size, &lzsize,
		608	/* output: */ NULL, newlength);
		609
		610
		611	{
1897	serge	612	/* Use 'inflateReset' here, not 'inflateReset2' because this
3928	Serge	613	* preserves the previously decided window size (otherwise it would
		614	* be necessary to store the previous window size.) In practice
		615	* this doesn't matter anyway, because png_inflate will call inflate
		616	* with Z_FINISH in almost all cases, so the window will not be
		617	* maintained.
		618	*/
		619	if (inflateReset(&png_ptr->zstream) == Z_OK)
		620	{
		621	/* Because of the limit checks above we know that the new,
		622	* expanded, size will fit in a size_t (let alone an
		623	* png_alloc_size_t). Use png_malloc_base here to avoid an
		624	* extra OOM message.
		625	*/
		626	png_alloc_size_t new_size = *newlength;
		627	png_alloc_size_t buffer_size = prefix_size + new_size +
		628	(terminate != 0);
		629	png_bytep text = png_voidcast(png_bytep, png_malloc_base(png_ptr,
		630	buffer_size));
		631
1897	serge	632
3928	Serge	633	{
		634	ret = png_inflate(png_ptr, png_ptr->chunk_name, 1/finish/,
		635	png_ptr->read_buffer + prefix_size, &lzsize,
		636	text + prefix_size, newlength);
		637
		638
		639	{
		640	if (new_size == *newlength)
		641	{
		642	if (terminate)
		643	text[prefix_size + *newlength] = 0;
		644
		645
		646	memcpy(text, png_ptr->read_buffer, prefix_size);
		647
		648
		649	png_bytep old_ptr = png_ptr->read_buffer;
		650
		651
		652	png_ptr->read_buffer_size = buffer_size;
		653	text = old_ptr; /* freed below */
		654	}
		655	}
		656
		657
		658	{
		659	/* The size changed on the second read, there can be no
		660	* guarantee that anything is correct at this point.
		661	* The 'msg' pointer has been set to "unexpected end of
		662	* LZ stream", which is fine, but return an error code
		663	* that the caller won't accept.
		664	*/
		665	ret = PNG_UNEXPECTED_ZLIB_RETURN;
		666	}
		667	}
		668
		669
		670	ret = PNG_UNEXPECTED_ZLIB_RETURN; /* for safety */
		671
		672
		673	* success)
		674	*/
		675	png_free(png_ptr, text);
		676
		677
		678	* the extra space may otherwise be used as a Trojan Horse.
		679	*/
		680	if (ret == Z_STREAM_END &&
		681	chunklength - prefix_size != lzsize)
		682	png_chunk_benign_error(png_ptr, "extra compressed data");
		683	}
		684
		685
		686	{
		687	/* Out of memory allocating the buffer */
		688	ret = Z_MEM_ERROR;
		689	png_zstream_error(png_ptr, Z_MEM_ERROR);
		690	}
		691	}
		692
		693
		694	{
1897	serge	695	/* inflateReset failed, store the error message */
3928	Serge	696	png_zstream_error(png_ptr, ret);
		697
		698
		699	ret = PNG_UNEXPECTED_ZLIB_RETURN;
		700	}
1897	serge	701	}
		702
		703
3928	Serge	704	ret = PNG_UNEXPECTED_ZLIB_RETURN;
		705
		706
		707	png_ptr->zowner = 0;
		708	}
1897	serge	709
3928	Serge	710
		711	ret = PNG_UNEXPECTED_ZLIB_RETURN;
		712
		713
		714	}
1897	serge	715
		716
3928	Serge	717	{
1897	serge	718	/* Application/configuration limits exceeded */
3928	Serge	719	png_zstream_error(png_ptr, Z_MEM_ERROR);
		720	return Z_MEM_ERROR;
		721	}
1897	serge	722	}
3928	Serge	723	#endif /* PNG_READ_COMPRESSED_TEXT_SUPPORTED */
		724
1897	serge	725
3928	Serge	726	/* Perform a partial read and decompress, producing 'avail_out' bytes and
		727	* reading from the current chunk as required.
		728	*/
		729	static int
		730	png_inflate_read(png_structrp png_ptr, png_bytep read_buffer, uInt read_size,
		731	png_uint_32p chunk_bytes, png_bytep next_out, png_alloc_size_t *out_size,
		732	int finish)
		733	{
		734	if (png_ptr->zowner == png_ptr->chunk_name)
		735	{
1897	serge	736	int ret;
3928	Serge	737
1897	serge	738
3928	Serge	739	png_ptr->zstream.next_out = next_out;
		740	png_ptr->zstream.avail_out = 0; /* set in the loop */
		741
		742
		743	{
1897	serge	744	if (png_ptr->zstream.avail_in == 0)
3928	Serge	745	{
		746	if (read_size > *chunk_bytes)
		747	read_size = (uInt)*chunk_bytes;
		748	*chunk_bytes -= read_size;
		749
1897	serge	750
3928	Serge	751	png_crc_read(png_ptr, read_buffer, read_size);
		752
1897	serge	753
3928	Serge	754	png_ptr->zstream.avail_in = read_size;
		755	}
		756
		757
		758	{
		759	uInt avail = ZLIB_IO_MAX;
		760	if (avail > *out_size)
		761	avail = (uInt)*out_size;
		762	*out_size -= avail;
		763
		764
		765	}
		766
		767
		768	* the available output is produced; this allows reading of truncated
		769	* streams.
		770	*/
		771	ret = inflate(&png_ptr->zstream,
		772	*chunk_bytes > 0 ? Z_NO_FLUSH : (finish ? Z_FINISH : Z_SYNC_FLUSH));
		773	}
1897	serge	774	while (ret == Z_OK && (*out_size > 0 \|\| png_ptr->zstream.avail_out > 0));
3928	Serge	775
		776
		777	png_ptr->zstream.avail_out = 0; /* Should not be required, but is safe */
		778
		779
		780	png_zstream_error(png_ptr, ret);
		781	return ret;
		782	}
1897	serge	783
		784
3928	Serge	785	{
		786	png_ptr->zstream.msg = PNGZ_MSG_CAST("zstream unclaimed");
		787	return Z_STREAM_ERROR;
		788	}
		789	}
1897	serge	790	#endif
		791
		792
		793	void /* PRIVATE */
		794	png_handle_IHDR(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
3928	Serge	795	{
1897	serge	796	png_byte buf[13];
		797	png_uint_32 width, height;
		798	int bit_depth, color_type, compression_type, filter_type;
		799	int interlace_type;
		800
		801
		802
		803
		804	png_chunk_error(png_ptr, "out of place");
3928	Serge	805
1897	serge	806
		807	if (length != 13)
		808	png_chunk_error(png_ptr, "invalid");
3928	Serge	809
1897	serge	810
		811
		812
		813	png_crc_finish(png_ptr, 0);
		814
		815
		816	height = png_get_uint_31(png_ptr, buf + 4);
		817	bit_depth = buf[8];
		818	color_type = buf[9];
		819	compression_type = buf[10];
		820	filter_type = buf[11];
		821	interlace_type = buf[12];
		822
		823
		824	png_ptr->width = width;
		825	png_ptr->height = height;
		826	png_ptr->bit_depth = (png_byte)bit_depth;
		827	png_ptr->interlaced = (png_byte)interlace_type;
		828	png_ptr->color_type = (png_byte)color_type;
		829	#ifdef PNG_MNG_FEATURES_SUPPORTED
		830	png_ptr->filter_type = (png_byte)filter_type;
		831	#endif
		832	png_ptr->compression_type = (png_byte)compression_type;
		833
		834
		835	switch (png_ptr->color_type)
		836	{
		837	default: /* invalid, png_set_IHDR calls png_error */
		838	case PNG_COLOR_TYPE_GRAY:
		839	case PNG_COLOR_TYPE_PALETTE:
		840	png_ptr->channels = 1;
		841	break;
		842
		843
		844	png_ptr->channels = 3;
		845	break;
		846
		847
		848	png_ptr->channels = 2;
		849	break;
		850
		851
		852	png_ptr->channels = 4;
		853	break;
		854	}
		855
		856
		857	png_ptr->pixel_depth = (png_byte)(png_ptr->bit_depth *
		858	png_ptr->channels);
		859	png_ptr->rowbytes = PNG_ROWBYTES(png_ptr->pixel_depth, png_ptr->width);
		860	png_debug1(3, "bit_depth = %d", png_ptr->bit_depth);
		861	png_debug1(3, "channels = %d", png_ptr->channels);
		862	png_debug1(3, "rowbytes = %lu", (unsigned long)png_ptr->rowbytes);
		863	png_set_IHDR(png_ptr, info_ptr, width, height, bit_depth,
		864	color_type, interlace_type, compression_type, filter_type);
		865	}
		866
		867
		868	void /* PRIVATE */
		869	png_handle_PLTE(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
3928	Serge	870	{
1897	serge	871	png_color palette[PNG_MAX_PALETTE_LENGTH];
		872	int num, i;
		873	#ifdef PNG_POINTER_INDEXING_SUPPORTED
		874	png_colorp pal_ptr;
		875	#endif
		876
		877
		878
		879
		880	png_chunk_error(png_ptr, "missing IHDR");
3928	Serge	881
1897	serge	882
3928	Serge	883	* PLTE chunks are potentially ignored (the spec says there shall not be more
		884	* than one PLTE, the error is not treated as benign, so this check trumps
		885	* the requirement that PLTE appears before IDAT.)
		886	*/
		887	else if (png_ptr->mode & PNG_HAVE_PLTE)
		888	png_chunk_error(png_ptr, "duplicate");
		889
		890
1897	serge	891	{
		892	/* This is benign because the non-benign error happened before, when an
3928	Serge	893	* IDAT was encountered in a color-mapped image with no PLTE.
		894	*/
		895	png_crc_finish(png_ptr, length);
1897	serge	896	png_chunk_benign_error(png_ptr, "out of place");
3928	Serge	897	return;
1897	serge	898	}
		899
		900
		901
		902
3928	Serge	903	{
1897	serge	904	png_crc_finish(png_ptr, length);
		905	png_chunk_benign_error(png_ptr, "ignored in grayscale PNG");
3928	Serge	906	return;
1897	serge	907	}
		908
		909
		910	if (png_ptr->color_type != PNG_COLOR_TYPE_PALETTE)
		911	{
		912	png_crc_finish(png_ptr, length);
		913	return;
		914	}
		915	#endif
		916
		917
		918	{
		919	png_crc_finish(png_ptr, length);
3928	Serge	920
		921
1897	serge	922	png_chunk_benign_error(png_ptr, "invalid");
3928	Serge	923
1897	serge	924
		925	png_chunk_error(png_ptr, "invalid");
3928	Serge	926
		927
		928	}
1897	serge	929
		930
3928	Serge	931	num = (int)length / 3;
1897	serge	932
		933
		934	for (i = 0, pal_ptr = palette; i < num; i++, pal_ptr++)
		935	{
		936	png_byte buf[3];
		937
		938
		939	pal_ptr->red = buf[0];
		940	pal_ptr->green = buf[1];
		941	pal_ptr->blue = buf[2];
		942	}
		943	#else
		944	for (i = 0; i < num; i++)
		945	{
		946	png_byte buf[3];
		947
		948
		949	/* Don't depend upon png_color being any order */
		950	palette[i].red = buf[0];
		951	palette[i].green = buf[1];
		952	palette[i].blue = buf[2];
		953	}
		954	#endif
		955
		956
		957	* whatever the normal CRC configuration tells us. However, if we
		958	* have an RGB image, the PLTE can be considered ancillary, so
		959	* we will act as though it is.
		960	*/
		961	#ifndef PNG_READ_OPT_PLTE_SUPPORTED
		962	if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
		963	#endif
		964	{
		965	png_crc_finish(png_ptr, 0);
		966	}
		967
		968
		969	else if (png_crc_error(png_ptr)) /* Only if we have a CRC error */
		970	{
		971	/* If we don't want to use the data from an ancillary chunk,
		972	* we have two options: an error abort, or a warning and we
		973	* ignore the data in this chunk (which should be OK, since
		974	* it's considered ancillary for a RGB or RGBA image).
		975	*
3928	Serge	976	* IMPLEMENTATION NOTE: this is only here because png_crc_finish uses the
		977	* chunk type to determine whether to check the ancillary or the critical
		978	* flags.
		979	*/
1897	serge	980	if (!(png_ptr->flags & PNG_FLAG_CRC_ANCILLARY_USE))
		981	{
		982	if (png_ptr->flags & PNG_FLAG_CRC_ANCILLARY_NOWARN)
		983	{
		984	png_chunk_benign_error(png_ptr, "CRC error");
		985	}
		986
		987
		988	{
		989	png_chunk_warning(png_ptr, "CRC error");
		990	return;
		991	}
		992	}
		993
		994
		995	else if (!(png_ptr->flags & PNG_FLAG_CRC_ANCILLARY_NOWARN))
		996	{
		997	png_chunk_warning(png_ptr, "CRC error");
		998	}
		999	}
		1000	#endif
		1001
		1002
3928	Serge	1003	* own copy of the palette. This has the side effect that when png_start_row
		1004	* is called (this happens after any call to png_read_update_info) the
		1005	* info_ptr palette gets changed. This is extremely unexpected and
		1006	* confusing.
		1007	*
		1008	* Fix this by not sharing the palette in this way.
		1009	*/
		1010	png_set_PLTE(png_ptr, info_ptr, palette, num);
1897	serge	1011
		1012
3928	Serge	1013	* IDAT. Prior to 1.6.0 this was not checked; instead the code merely
		1014	* checked the apparent validity of a tRNS chunk inserted before PLTE on a
		1015	* palette PNG. 1.6.0 attempts to rigorously follow the standard and
		1016	* therefore does a benign error if the erroneous condition is detected and
		1017	* cancels the tRNS if the benign error returns. The alternative is to
		1018	* amend the standard since it would be rather hypocritical of the standards
		1019	* maintainers to ignore it.
		1020	*/
		1021	#ifdef PNG_READ_tRNS_SUPPORTED
1897	serge	1022	if (png_ptr->num_trans > 0 \|\|
3928	Serge	1023	(info_ptr != NULL && (info_ptr->valid & PNG_INFO_tRNS) != 0))
		1024	{
1897	serge	1025	/* Cancel this because otherwise it would be used if the transforms
3928	Serge	1026	* require it. Don't cancel the 'valid' flag because this would prevent
		1027	* detection of duplicate chunks.
		1028	*/
		1029	png_ptr->num_trans = 0;
		1030
1897	serge	1031
3928	Serge	1032	info_ptr->num_trans = 0;
		1033
		1034
		1035	}
1897	serge	1036	#endif
		1037
		1038
3928	Serge	1039	if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_hIST) != 0)
		1040	png_chunk_benign_error(png_ptr, "hIST must be after");
		1041	#endif
		1042
		1043
		1044	if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_bKGD) != 0)
		1045	png_chunk_benign_error(png_ptr, "bKGD must be after");
		1046	#endif
		1047	}
1897	serge	1048
		1049
		1050	png_handle_IEND(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
3928	Serge	1051	{
1897	serge	1052	png_debug(1, "in png_handle_IEND");
		1053
		1054
		1055	png_chunk_error(png_ptr, "out of place");
3928	Serge	1056
1897	serge	1057
		1058
		1059
3928	Serge	1060
		1061
1897	serge	1062	png_chunk_benign_error(png_ptr, "invalid");
3928	Serge	1063
1897	serge	1064
3928	Serge	1065	}
1897	serge	1066
		1067
		1068	void /* PRIVATE */
		1069	png_handle_gAMA(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
3928	Serge	1070	{
1897	serge	1071	png_fixed_point igamma;
		1072	png_byte buf[4];
		1073
		1074
		1075
		1076
		1077	png_chunk_error(png_ptr, "missing IHDR");
3928	Serge	1078
1897	serge	1079
3928	Serge	1080	{
1897	serge	1081	png_crc_finish(png_ptr, length);
		1082	png_chunk_benign_error(png_ptr, "out of place");
3928	Serge	1083	return;
1897	serge	1084	}
		1085
		1086
		1087	{
		1088	png_crc_finish(png_ptr, length);
		1089	png_chunk_benign_error(png_ptr, "invalid");
3928	Serge	1090	return;
1897	serge	1091	}
		1092
		1093
		1094
		1095
		1096	return;
		1097
		1098
		1099
		1100
3928	Serge	1101	png_colorspace_sync(png_ptr, info_ptr);
		1102	}
1897	serge	1103	#endif
		1104
		1105
		1106	void /* PRIVATE */
		1107	png_handle_sBIT(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
3928	Serge	1108	{
1897	serge	1109	unsigned int truelen;
3928	Serge	1110	png_byte buf[4];
1897	serge	1111
		1112
		1113
		1114
		1115
		1116
		1117	png_chunk_error(png_ptr, "missing IHDR");
3928	Serge	1118
1897	serge	1119
3928	Serge	1120	{
1897	serge	1121	png_crc_finish(png_ptr, length);
		1122	png_chunk_benign_error(png_ptr, "out of place");
3928	Serge	1123	return;
1897	serge	1124	}
		1125
		1126
		1127	{
		1128	png_crc_finish(png_ptr, length);
		1129	png_chunk_benign_error(png_ptr, "duplicate");
3928	Serge	1130	return;
1897	serge	1131	}
		1132
		1133
		1134	truelen = 3;
		1135
		1136
		1137	truelen = png_ptr->channels;
3928	Serge	1138
1897	serge	1139
		1140	{
		1141	png_chunk_benign_error(png_ptr, "invalid");
3928	Serge	1142	png_crc_finish(png_ptr, length);
1897	serge	1143	return;
		1144	}
		1145
		1146
		1147
		1148
		1149	return;
		1150
		1151
		1152	{
		1153	png_ptr->sig_bit.red = buf[0];
		1154	png_ptr->sig_bit.green = buf[1];
		1155	png_ptr->sig_bit.blue = buf[2];
		1156	png_ptr->sig_bit.alpha = buf[3];
		1157	}
		1158
		1159
		1160	{
		1161	png_ptr->sig_bit.gray = buf[0];
		1162	png_ptr->sig_bit.red = buf[0];
		1163	png_ptr->sig_bit.green = buf[0];
		1164	png_ptr->sig_bit.blue = buf[0];
		1165	png_ptr->sig_bit.alpha = buf[1];
		1166	}
		1167
		1168
		1169	}
		1170	#endif
		1171
		1172
		1173	void /* PRIVATE */
		1174	png_handle_cHRM(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
3928	Serge	1175	{
1897	serge	1176	png_byte buf[32];
		1177	png_xy xy;
3928	Serge	1178
1897	serge	1179
		1180
		1181
		1182	png_chunk_error(png_ptr, "missing IHDR");
3928	Serge	1183
1897	serge	1184
3928	Serge	1185	{
1897	serge	1186	png_crc_finish(png_ptr, length);
		1187	png_chunk_benign_error(png_ptr, "out of place");
3928	Serge	1188	return;
1897	serge	1189	}
		1190
		1191
		1192	{
		1193	png_crc_finish(png_ptr, length);
		1194	png_chunk_benign_error(png_ptr, "invalid");
3928	Serge	1195	return;
1897	serge	1196	}
		1197
		1198
		1199
		1200
		1201	return;
		1202
		1203
3928	Serge	1204	xy.whitey = png_get_fixed_point(NULL, buf + 4);
		1205	xy.redx = png_get_fixed_point(NULL, buf + 8);
		1206	xy.redy = png_get_fixed_point(NULL, buf + 12);
		1207	xy.greenx = png_get_fixed_point(NULL, buf + 16);
		1208	xy.greeny = png_get_fixed_point(NULL, buf + 20);
		1209	xy.bluex = png_get_fixed_point(NULL, buf + 24);
		1210	xy.bluey = png_get_fixed_point(NULL, buf + 28);
		1211
1897	serge	1212
3928	Serge	1213	xy.whitey == PNG_FIXED_ERROR \|\|
		1214	xy.redx == PNG_FIXED_ERROR \|\|
		1215	xy.redy == PNG_FIXED_ERROR \|\|
		1216	xy.greenx == PNG_FIXED_ERROR \|\|
		1217	xy.greeny == PNG_FIXED_ERROR \|\|
		1218	xy.bluex == PNG_FIXED_ERROR \|\|
		1219	xy.bluey == PNG_FIXED_ERROR)
		1220	{
1897	serge	1221	png_chunk_benign_error(png_ptr, "invalid values");
3928	Serge	1222	return;
1897	serge	1223	}
		1224
		1225
3928	Serge	1226	if (png_ptr->colorspace.flags & PNG_COLORSPACE_INVALID)
		1227	return;
		1228
		1229
		1230	{
1897	serge	1231	png_ptr->colorspace.flags \|= PNG_COLORSPACE_INVALID;
3928	Serge	1232	png_colorspace_sync(png_ptr, info_ptr);
		1233	png_chunk_benign_error(png_ptr, "duplicate");
		1234	return;
1897	serge	1235	}
		1236
		1237
3928	Serge	1238	(void)png_colorspace_set_chromaticities(png_ptr, &png_ptr->colorspace, &xy,
		1239	1/prefer cHRM values/);
		1240	png_colorspace_sync(png_ptr, info_ptr);
		1241	}
1897	serge	1242	#endif
		1243
		1244
		1245	void /* PRIVATE */
		1246	png_handle_sRGB(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
3928	Serge	1247	{
1897	serge	1248	png_byte intent;
3928	Serge	1249
1897	serge	1250
		1251
		1252
		1253	png_chunk_error(png_ptr, "missing IHDR");
3928	Serge	1254
1897	serge	1255
3928	Serge	1256	{
1897	serge	1257	png_crc_finish(png_ptr, length);
		1258	png_chunk_benign_error(png_ptr, "out of place");
3928	Serge	1259	return;
1897	serge	1260	}
		1261
		1262
		1263	{
		1264	png_crc_finish(png_ptr, length);
		1265	png_chunk_benign_error(png_ptr, "invalid");
3928	Serge	1266	return;
1897	serge	1267	}
		1268
		1269
3928	Serge	1270
1897	serge	1271
		1272	return;
		1273
		1274
3928	Serge	1275	if (png_ptr->colorspace.flags & PNG_COLORSPACE_INVALID)
		1276	return;
		1277
1897	serge	1278
3928	Serge	1279	* this.
		1280	*/
		1281	if (png_ptr->colorspace.flags & PNG_COLORSPACE_HAVE_INTENT)
		1282	{
1897	serge	1283	png_ptr->colorspace.flags \|= PNG_COLORSPACE_INVALID;
3928	Serge	1284	png_colorspace_sync(png_ptr, info_ptr);
		1285	png_chunk_benign_error(png_ptr, "too many profiles");
		1286	return;
1897	serge	1287	}
		1288
		1289
3928	Serge	1290	png_colorspace_sync(png_ptr, info_ptr);
		1291	}
1897	serge	1292	#endif /* PNG_READ_sRGB_SUPPORTED */
		1293
		1294
		1295	void /* PRIVATE */
		1296	png_handle_iCCP(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
3928	Serge	1297	/* Note: this does not properly handle profiles that are > 64K under DOS */
		1298	{
1897	serge	1299	png_const_charp errmsg = NULL; /* error message output, or no error */
3928	Serge	1300	int finished = 0; /* crc checked */
		1301
1897	serge	1302
		1303
		1304
		1305	png_chunk_error(png_ptr, "missing IHDR");
3928	Serge	1306
1897	serge	1307
3928	Serge	1308	{
1897	serge	1309	png_crc_finish(png_ptr, length);
		1310	png_chunk_benign_error(png_ptr, "out of place");
3928	Serge	1311	return;
1897	serge	1312	}
		1313
		1314
3928	Serge	1315	* chunk is just ignored, so does not invalidate the color space. An
		1316	* alternative is to set the 'invalid' flags at the start of this routine
		1317	* and only clear them in they were not set before and all the tests pass.
		1318	* The minimum 'deflate' stream is assumed to be just the 2 byte header and 4
		1319	* byte checksum. The keyword must be one character and there is a
		1320	* terminator (0) byte and the compression method.
		1321	*/
		1322	if (length < 9)
		1323	{
1897	serge	1324	png_crc_finish(png_ptr, length);
		1325	png_chunk_benign_error(png_ptr, "too short");
3928	Serge	1326	return;
1897	serge	1327	}
		1328
		1329
3928	Serge	1330	if (png_ptr->colorspace.flags & PNG_COLORSPACE_INVALID)
		1331	{
1897	serge	1332	png_crc_finish(png_ptr, length);
3928	Serge	1333	return;
		1334	}
1897	serge	1335
		1336
3928	Serge	1337	* this.
		1338	*/
		1339	if ((png_ptr->colorspace.flags & PNG_COLORSPACE_HAVE_INTENT) == 0)
		1340	{
1897	serge	1341	uInt read_length, keyword_length;
3928	Serge	1342	char keyword[81];
		1343
1897	serge	1344
3928	Serge	1345	* bytes can be at most 81 characters long.
		1346	*/
		1347	read_length = 81; /* maximum */
		1348	if (read_length > length)
		1349	read_length = (uInt)length;
		1350
1897	serge	1351
3928	Serge	1352	length -= read_length;
		1353
1897	serge	1354
3928	Serge	1355	while (keyword_length < 80 && keyword_length < read_length &&
		1356	keyword[keyword_length] != 0)
		1357	++keyword_length;
		1358
1897	serge	1359
3928	Serge	1360	if (keyword_length >= 1 && keyword_length <= 79)
		1361	{
		1362	/* We only understand '0' compression - deflate - so if we get a
		1363	* different value we can't safely decode the chunk.
		1364	*/
		1365	if (keyword_length+1 < read_length &&
		1366	keyword[keyword_length+1] == PNG_COMPRESSION_TYPE_BASE)
		1367	{
		1368	read_length -= keyword_length+2;
		1369
1897	serge	1370
3928	Serge	1371	{
		1372	Byte profile_header[132];
		1373	Byte local_buffer[PNG_INFLATE_BUF_SIZE];
		1374	png_alloc_size_t size = (sizeof profile_header);
		1375
1897	serge	1376
3928	Serge	1377	png_ptr->zstream.avail_in = read_length;
		1378	(void)png_inflate_read(png_ptr, local_buffer,
		1379	(sizeof local_buffer), &length, profile_header, &size,
		1380	0/finish: don't, because the output is too small/);
		1381
1897	serge	1382
3928	Serge	1383	{
		1384	/* We have the ICC profile header; do the basic header checks.
		1385	*/
		1386	const png_uint_32 profile_length =
		1387	png_get_uint_32(profile_header);
		1388
1897	serge	1389
3928	Serge	1390	keyword, profile_length))
		1391	{
		1392	/* The length is apparently ok, so we can check the 132
		1393	* byte header.
		1394	*/
		1395	if (png_icc_check_header(png_ptr, &png_ptr->colorspace,
		1396	keyword, profile_length, profile_header,
		1397	png_ptr->color_type))
		1398	{
		1399	/* Now read the tag table; a variable size buffer is
		1400	* needed at this point, allocate one for the whole
		1401	* profile. The header check has already validated
		1402	* that none of these stuff will overflow.
		1403	*/
		1404	const png_uint_32 tag_count = png_get_uint_32(
		1405	profile_header+128);
		1406	png_bytep profile = png_read_buffer(png_ptr,
		1407	profile_length, 2/silent/);
		1408
1897	serge	1409
3928	Serge	1410	{
		1411	memcpy(profile, profile_header,
		1412	(sizeof profile_header));
		1413
1897	serge	1414
3928	Serge	1415
1897	serge	1416
3928	Serge	1417	(sizeof local_buffer), &length,
		1418	profile + (sizeof profile_header), &size, 0);
		1419
1897	serge	1420
3928	Serge	1421	* there to be some tag data!
		1422	*/
		1423	if (size == 0)
		1424	{
		1425	if (png_icc_check_tag_table(png_ptr,
		1426	&png_ptr->colorspace, keyword, profile_length,
		1427	profile))
		1428	{
		1429	/* The profile has been validated for basic
		1430	* security issues, so read the whole thing in.
		1431	*/
		1432	size = profile_length - (sizeof profile_header)
		1433	- 12 * tag_count;
		1434
1897	serge	1435
3928	Serge	1436	(sizeof local_buffer), &length,
		1437	profile + (sizeof profile_header) +
		1438	12 * tag_count, &size, 1/finish/);
		1439
		1440
		1441	PNG_FLAG_BENIGN_ERRORS_WARN))
		1442	errmsg = "extra compressed data";
		1443
		1444
		1445	else if (size == 0)
		1446	{
		1447	if (length > 0)
		1448	{
		1449	/* This can be handled completely, so
		1450	* keep going.
		1451	*/
		1452	png_chunk_warning(png_ptr,
		1453	"extra compressed data");
		1454	}
		1455
		1456
		1457	finished = 1;
		1458
		1459
		1460	/* Check for a match against sRGB */
		1461	png_icc_set_sRGB(png_ptr,
		1462	&png_ptr->colorspace, profile,
		1463	png_ptr->zstream.adler);
		1464	# endif
		1465
		1466
		1467	if (info_ptr != NULL)
		1468	{
		1469	png_free_data(png_ptr, info_ptr,
		1470	PNG_FREE_ICCP, 0);
		1471
		1472
		1473	png_malloc_base(png_ptr,
		1474	keyword_length+1));
		1475	if (info_ptr->iccp_name != NULL)
		1476	{
		1477	memcpy(info_ptr->iccp_name, keyword,
		1478	keyword_length+1);
		1479	info_ptr->iccp_proflen =
		1480	profile_length;
		1481	info_ptr->iccp_profile = profile;
		1482	png_ptr->read_buffer = NULL; /steal/
		1483	info_ptr->free_me \|= PNG_FREE_ICCP;
		1484	info_ptr->valid \|= PNG_INFO_iCCP;
		1485	}
		1486
		1487
		1488	{
		1489	png_ptr->colorspace.flags \|=
		1490	PNG_COLORSPACE_INVALID;
		1491	errmsg = "out of memory";
		1492	}
		1493	}
		1494
		1495
		1496	* buffer which gets reused for subsequent
		1497	* chunks.
		1498	*/
		1499
		1500
		1501	png_colorspace_sync(png_ptr, info_ptr);
		1502
		1503
		1504	{
		1505	png_ptr->zowner = 0;
		1506	return;
		1507	}
		1508	}
		1509
		1510
		1511	errmsg = "truncated";
		1512
		1513
		1514	errmsg = png_ptr->zstream.msg;
		1515	}
		1516
		1517
		1518	}
		1519
		1520
		1521	errmsg = png_ptr->zstream.msg;
		1522	}
		1523
		1524
		1525	errmsg = "out of memory";
		1526	}
		1527
		1528
		1529	}
		1530
		1531
		1532	}
		1533
		1534
		1535	errmsg = png_ptr->zstream.msg;
		1536
		1537
		1538	png_ptr->zowner = 0;
		1539	}
		1540
		1541
		1542	errmsg = png_ptr->zstream.msg;
		1543	}
		1544
		1545
		1546	errmsg = "bad compression method"; /* or missing */
		1547	}
1897	serge	1548
3928	Serge	1549
		1550	errmsg = "bad keyword";
		1551	}
1897	serge	1552
		1553
3928	Serge	1554	errmsg = "too many profiles";
		1555
		1556
		1557	if (!finished)
		1558	png_crc_finish(png_ptr, length);
		1559
		1560
		1561	png_colorspace_sync(png_ptr, info_ptr);
		1562	if (errmsg != NULL) /* else already output */
		1563	png_chunk_benign_error(png_ptr, errmsg);
		1564	}
1897	serge	1565	#endif /* PNG_READ_iCCP_SUPPORTED */
		1566
		1567
		1568	void /* PRIVATE */
		1569	png_handle_sPLT(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
3928	Serge	1570	/* Note: this does not properly handle chunks that are > 64K under DOS */
1897	serge	1571	{
		1572	png_bytep entry_start, buffer;
3928	Serge	1573	png_sPLT_t new_palette;
1897	serge	1574	png_sPLT_entryp pp;
		1575	png_uint_32 data_length;
		1576	int entry_size, i;
		1577	png_uint_32 skip = 0;
		1578	png_uint_32 dl;
		1579	png_size_t max_dl;
		1580
		1581
		1582
		1583
		1584	if (png_ptr->user_chunk_cache_max != 0)
		1585	{
		1586	if (png_ptr->user_chunk_cache_max == 1)
		1587	{
		1588	png_crc_finish(png_ptr, length);
		1589	return;
		1590	}
		1591
		1592
		1593	{
		1594	png_warning(png_ptr, "No space in chunk cache for sPLT");
		1595	png_crc_finish(png_ptr, length);
		1596	return;
		1597	}
		1598	}
		1599	#endif
		1600
		1601
		1602	png_chunk_error(png_ptr, "missing IHDR");
3928	Serge	1603
1897	serge	1604
		1605	{
		1606	png_crc_finish(png_ptr, length);
		1607	png_chunk_benign_error(png_ptr, "out of place");
3928	Serge	1608	return;
1897	serge	1609	}
		1610
		1611
		1612	if (length > 65535U)
3928	Serge	1613	{
1897	serge	1614	png_crc_finish(png_ptr, length);
3928	Serge	1615	png_chunk_benign_error(png_ptr, "too large to fit in memory");
		1616	return;
		1617	}
1897	serge	1618	#endif
		1619
		1620
3928	Serge	1621	if (buffer == NULL)
		1622	{
		1623	png_crc_finish(png_ptr, length);
		1624	png_chunk_benign_error(png_ptr, "out of memory");
		1625	return;
		1626	}
		1627
1897	serge	1628
3928	Serge	1629
1897	serge	1630	* that the PNG_MAX_MALLOC_64K test is enabled in this case, but this is a
		1631	* potential breakage point if the types in pngconf.h aren't exactly right.
		1632	*/
		1633	png_crc_read(png_ptr, buffer, length);
3928	Serge	1634
1897	serge	1635
		1636	return;
		1637
		1638
3928	Serge	1639
1897	serge	1640
3928	Serge	1641	/* Empty loop to find end of name */ ;
1897	serge	1642
		1643
		1644
		1645
		1646	if (entry_start > buffer + length - 2)
3928	Serge	1647	{
1897	serge	1648	png_warning(png_ptr, "malformed sPLT chunk");
		1649	return;
		1650	}
		1651
		1652
		1653	entry_size = (new_palette.depth == 8 ? 6 : 10);
		1654	/* This must fit in a png_uint_32 because it is derived from the original
		1655	* chunk data length.
3928	Serge	1656	*/
1897	serge	1657	data_length = length - (png_uint_32)(entry_start - buffer);
3928	Serge	1658
1897	serge	1659
		1660	if (data_length % entry_size)
		1661	{
		1662	png_warning(png_ptr, "sPLT chunk has bad length");
		1663	return;
		1664	}
		1665
		1666
		1667	max_dl = PNG_SIZE_MAX / (sizeof (png_sPLT_entry));
3928	Serge	1668
1897	serge	1669
		1670	{
		1671	png_warning(png_ptr, "sPLT chunk too long");
		1672	return;
		1673	}
		1674
		1675
		1676
		1677
		1678	png_ptr, new_palette.nentries * (sizeof (png_sPLT_entry)));
3928	Serge	1679
1897	serge	1680
		1681	{
		1682	png_warning(png_ptr, "sPLT chunk requires too much memory");
		1683	return;
		1684	}
		1685
		1686
		1687	for (i = 0; i < new_palette.nentries; i++)
		1688	{
		1689	pp = new_palette.entries + i;
		1690
		1691
		1692	{
		1693	pp->red = *entry_start++;
		1694	pp->green = *entry_start++;
		1695	pp->blue = *entry_start++;
		1696	pp->alpha = *entry_start++;
		1697	}
		1698
		1699
		1700	{
		1701	pp->red = png_get_uint_16(entry_start); entry_start += 2;
		1702	pp->green = png_get_uint_16(entry_start); entry_start += 2;
		1703	pp->blue = png_get_uint_16(entry_start); entry_start += 2;
		1704	pp->alpha = png_get_uint_16(entry_start); entry_start += 2;
		1705	}
		1706
		1707
		1708	}
		1709	#else
		1710	pp = new_palette.entries;
		1711
		1712
		1713	{
		1714
		1715
		1716	{
		1717	pp[i].red = *entry_start++;
		1718	pp[i].green = *entry_start++;
		1719	pp[i].blue = *entry_start++;
		1720	pp[i].alpha = *entry_start++;
		1721	}
		1722
		1723
		1724	{
		1725	pp[i].red = png_get_uint_16(entry_start); entry_start += 2;
		1726	pp[i].green = png_get_uint_16(entry_start); entry_start += 2;
		1727	pp[i].blue = png_get_uint_16(entry_start); entry_start += 2;
		1728	pp[i].alpha = png_get_uint_16(entry_start); entry_start += 2;
		1729	}
		1730
		1731
3928	Serge	1732	}
1897	serge	1733	#endif
		1734
		1735
		1736	new_palette.name = (png_charp)buffer;
3928	Serge	1737
1897	serge	1738
		1739
		1740
		1741	}
		1742	#endif /* PNG_READ_sPLT_SUPPORTED */
		1743
		1744
		1745	void /* PRIVATE */
		1746	png_handle_tRNS(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
3928	Serge	1747	{
1897	serge	1748	png_byte readbuf[PNG_MAX_PALETTE_LENGTH];
		1749
		1750
		1751
		1752
		1753	png_chunk_error(png_ptr, "missing IHDR");
3928	Serge	1754
1897	serge	1755
		1756	{
		1757	png_crc_finish(png_ptr, length);
		1758	png_chunk_benign_error(png_ptr, "out of place");
3928	Serge	1759	return;
1897	serge	1760	}
		1761
		1762
		1763	{
		1764	png_crc_finish(png_ptr, length);
		1765	png_chunk_benign_error(png_ptr, "duplicate");
3928	Serge	1766	return;
1897	serge	1767	}
		1768
		1769
		1770	{
		1771	png_byte buf[2];
		1772
		1773
		1774	{
		1775	png_crc_finish(png_ptr, length);
		1776	png_chunk_benign_error(png_ptr, "invalid");
3928	Serge	1777	return;
1897	serge	1778	}
		1779
		1780
		1781	png_ptr->num_trans = 1;
		1782	png_ptr->trans_color.gray = png_get_uint_16(buf);
		1783	}
		1784
		1785
		1786	{
		1787	png_byte buf[6];
		1788
		1789
		1790	{
		1791	png_crc_finish(png_ptr, length);
		1792	png_chunk_benign_error(png_ptr, "invalid");
3928	Serge	1793	return;
1897	serge	1794	}
		1795
		1796
3928	Serge	1797	png_ptr->num_trans = 1;
1897	serge	1798	png_ptr->trans_color.red = png_get_uint_16(buf);
		1799	png_ptr->trans_color.green = png_get_uint_16(buf + 2);
		1800	png_ptr->trans_color.blue = png_get_uint_16(buf + 4);
		1801	}
		1802
		1803
		1804	{
		1805	if (!(png_ptr->mode & PNG_HAVE_PLTE))
		1806	{
		1807	/* TODO: is this actually an error in the ISO spec? */
3928	Serge	1808	png_crc_finish(png_ptr, length);
1897	serge	1809	png_chunk_benign_error(png_ptr, "out of place");
3928	Serge	1810	return;
1897	serge	1811	}
		1812
		1813
3928	Serge	1814	length == 0)
		1815	{
1897	serge	1816	png_crc_finish(png_ptr, length);
		1817	png_chunk_benign_error(png_ptr, "invalid");
3928	Serge	1818	return;
1897	serge	1819	}
		1820
		1821
3928	Serge	1822	png_ptr->num_trans = (png_uint_16)length;
1897	serge	1823	}
		1824
		1825
		1826	{
		1827	png_crc_finish(png_ptr, length);
		1828	png_chunk_benign_error(png_ptr, "invalid with alpha channel");
3928	Serge	1829	return;
1897	serge	1830	}
		1831
		1832
		1833	{
		1834	png_ptr->num_trans = 0;
		1835	return;
		1836	}
		1837
		1838
3928	Serge	1839	* png_struct ends up with a pointer to the tRNS buffer owned by the
		1840	* png_info. Fix this.
		1841	*/
		1842	png_set_tRNS(png_ptr, info_ptr, readbuf, png_ptr->num_trans,
1897	serge	1843	&(png_ptr->trans_color));
		1844	}
		1845	#endif
		1846
		1847
		1848	void /* PRIVATE */
		1849	png_handle_bKGD(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
3928	Serge	1850	{
1897	serge	1851	unsigned int truelen;
3928	Serge	1852	png_byte buf[6];
1897	serge	1853	png_color_16 background;
3928	Serge	1854
1897	serge	1855
		1856
		1857
		1858	png_chunk_error(png_ptr, "missing IHDR");
3928	Serge	1859
1897	serge	1860
3928	Serge	1861	(png_ptr->color_type == PNG_COLOR_TYPE_PALETTE &&
		1862	!(png_ptr->mode & PNG_HAVE_PLTE)))
		1863	{
1897	serge	1864	png_crc_finish(png_ptr, length);
		1865	png_chunk_benign_error(png_ptr, "out of place");
3928	Serge	1866	return;
1897	serge	1867	}
		1868
		1869
		1870	{
		1871	png_crc_finish(png_ptr, length);
		1872	png_chunk_benign_error(png_ptr, "duplicate");
3928	Serge	1873	return;
1897	serge	1874	}
		1875
		1876
		1877	truelen = 1;
		1878
		1879
		1880	truelen = 6;
		1881
		1882
		1883	truelen = 2;
		1884
		1885
		1886	{
		1887	png_crc_finish(png_ptr, length);
		1888	png_chunk_benign_error(png_ptr, "invalid");
3928	Serge	1889	return;
1897	serge	1890	}
		1891
		1892
		1893
		1894
		1895	return;
		1896
		1897
		1898	* arbitrary RGB values for background when we have transparency, and
		1899	* so it is easy to determine the RGB values of the background color
		1900	* from the info_ptr struct.
		1901	*/
		1902	if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
		1903	{
		1904	background.index = buf[0];
3928	Serge	1905
1897	serge	1906
		1907	{
		1908	if (buf[0] >= info_ptr->num_palette)
		1909	{
		1910	png_chunk_benign_error(png_ptr, "invalid index");
3928	Serge	1911	return;
1897	serge	1912	}
		1913
		1914
3928	Serge	1915	background.green = (png_uint_16)png_ptr->palette[buf[0]].green;
		1916	background.blue = (png_uint_16)png_ptr->palette[buf[0]].blue;
		1917	}
		1918
1897	serge	1919
3928	Serge	1920	background.red = background.green = background.blue = 0;
		1921
1897	serge	1922
3928	Serge	1923	}
1897	serge	1924
		1925
		1926	{
		1927	background.index = 0;
3928	Serge	1928	background.red =
		1929	background.green =
		1930	background.blue =
		1931	background.gray = png_get_uint_16(buf);
		1932	}
1897	serge	1933
		1934
		1935	{
		1936	background.index = 0;
3928	Serge	1937	background.red = png_get_uint_16(buf);
		1938	background.green = png_get_uint_16(buf + 2);
		1939	background.blue = png_get_uint_16(buf + 4);
		1940	background.gray = 0;
		1941	}
1897	serge	1942
		1943
3928	Serge	1944	}
1897	serge	1945	#endif
		1946
		1947
		1948	void /* PRIVATE */
		1949	png_handle_hIST(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
3928	Serge	1950	{
1897	serge	1951	unsigned int num, i;
		1952	png_uint_16 readbuf[PNG_MAX_PALETTE_LENGTH];
		1953
		1954
		1955
		1956
		1957	png_chunk_error(png_ptr, "missing IHDR");
3928	Serge	1958
1897	serge	1959
3928	Serge	1960	{
1897	serge	1961	png_crc_finish(png_ptr, length);
		1962	png_chunk_benign_error(png_ptr, "out of place");
3928	Serge	1963	return;
1897	serge	1964	}
		1965
		1966
		1967	{
		1968	png_crc_finish(png_ptr, length);
		1969	png_chunk_benign_error(png_ptr, "duplicate");
3928	Serge	1970	return;
1897	serge	1971	}
		1972
		1973
		1974
		1975
3928	Serge	1976	{
1897	serge	1977	png_crc_finish(png_ptr, length);
		1978	png_chunk_benign_error(png_ptr, "invalid");
3928	Serge	1979	return;
1897	serge	1980	}
		1981
		1982
		1983	{
		1984	png_byte buf[2];
		1985
		1986
		1987	readbuf[i] = png_get_uint_16(buf);
		1988	}
		1989
		1990
		1991	return;
		1992
		1993
		1994	}
		1995	#endif
		1996
		1997
		1998	void /* PRIVATE */
		1999	png_handle_pHYs(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
3928	Serge	2000	{
1897	serge	2001	png_byte buf[9];
		2002	png_uint_32 res_x, res_y;
		2003	int unit_type;
		2004
		2005
		2006
		2007
		2008	png_chunk_error(png_ptr, "missing IHDR");
3928	Serge	2009
1897	serge	2010
		2011	{
		2012	png_crc_finish(png_ptr, length);
		2013	png_chunk_benign_error(png_ptr, "out of place");
3928	Serge	2014	return;
1897	serge	2015	}
		2016
		2017
		2018	{
		2019	png_crc_finish(png_ptr, length);
		2020	png_chunk_benign_error(png_ptr, "duplicate");
3928	Serge	2021	return;
1897	serge	2022	}
		2023
		2024
		2025	{
		2026	png_crc_finish(png_ptr, length);
		2027	png_chunk_benign_error(png_ptr, "invalid");
3928	Serge	2028	return;
1897	serge	2029	}
		2030
		2031
		2032
		2033
		2034	return;
		2035
		2036
		2037	res_y = png_get_uint_32(buf + 4);
		2038	unit_type = buf[8];
		2039	png_set_pHYs(png_ptr, info_ptr, res_x, res_y, unit_type);
		2040	}
		2041	#endif
		2042
		2043
		2044	void /* PRIVATE */
		2045	png_handle_oFFs(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
3928	Serge	2046	{
1897	serge	2047	png_byte buf[9];
		2048	png_int_32 offset_x, offset_y;
		2049	int unit_type;
		2050
		2051
		2052
		2053
		2054	png_chunk_error(png_ptr, "missing IHDR");
3928	Serge	2055
1897	serge	2056
		2057	{
		2058	png_crc_finish(png_ptr, length);
		2059	png_chunk_benign_error(png_ptr, "out of place");
3928	Serge	2060	return;
1897	serge	2061	}
		2062
		2063
		2064	{
		2065	png_crc_finish(png_ptr, length);
		2066	png_chunk_benign_error(png_ptr, "duplicate");
3928	Serge	2067	return;
1897	serge	2068	}
		2069
		2070
		2071	{
		2072	png_crc_finish(png_ptr, length);
		2073	png_chunk_benign_error(png_ptr, "invalid");
3928	Serge	2074	return;
1897	serge	2075	}
		2076
		2077
		2078
		2079
		2080	return;
		2081
		2082
		2083	offset_y = png_get_int_32(buf + 4);
		2084	unit_type = buf[8];
		2085	png_set_oFFs(png_ptr, info_ptr, offset_x, offset_y, unit_type);
		2086	}
		2087	#endif
		2088
		2089
		2090	/* Read the pCAL chunk (described in the PNG Extensions document) */
		2091	void /* PRIVATE */
		2092	png_handle_pCAL(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
3928	Serge	2093	{
1897	serge	2094	png_int_32 X0, X1;
		2095	png_byte type, nparams;
		2096	png_bytep buffer, buf, units, endptr;
3928	Serge	2097	png_charpp params;
1897	serge	2098	int i;
		2099
		2100
		2101
		2102
		2103	png_chunk_error(png_ptr, "missing IHDR");
3928	Serge	2104
1897	serge	2105
		2106	{
		2107	png_crc_finish(png_ptr, length);
		2108	png_chunk_benign_error(png_ptr, "out of place");
3928	Serge	2109	return;
1897	serge	2110	}
		2111
		2112
		2113	{
		2114	png_crc_finish(png_ptr, length);
		2115	png_chunk_benign_error(png_ptr, "duplicate");
3928	Serge	2116	return;
1897	serge	2117	}
		2118
		2119
		2120	length + 1);
		2121
		2122
3928	Serge	2123
		2124
		2125	{
1897	serge	2126	png_crc_finish(png_ptr, length);
3928	Serge	2127	png_chunk_benign_error(png_ptr, "out of memory");
		2128	return;
1897	serge	2129	}
		2130
		2131
3928	Serge	2132
1897	serge	2133
		2134	return;
		2135
		2136
3928	Serge	2137
1897	serge	2138
		2139	for (buf = buffer; *buf; buf++)
3928	Serge	2140	/* Empty loop */ ;
1897	serge	2141
		2142
3928	Serge	2143
1897	serge	2144
		2145	* in order to get the parameter information.
		2146	*/
		2147	if (endptr <= buf + 12)
		2148	{
		2149	png_chunk_benign_error(png_ptr, "invalid");
3928	Serge	2150	return;
1897	serge	2151	}
		2152
		2153
		2154	X0 = png_get_int_32((png_bytep)buf+1);
		2155	X1 = png_get_int_32((png_bytep)buf+5);
		2156	type = buf[9];
		2157	nparams = buf[10];
		2158	units = buf + 11;
		2159
		2160
		2161	/* Check that we have the right number of parameters for known
		2162	* equation types.
		2163	*/
		2164	if ((type == PNG_EQUATION_LINEAR && nparams != 2) \|\|
		2165	(type == PNG_EQUATION_BASE_E && nparams != 3) \|\|
		2166	(type == PNG_EQUATION_ARBITRARY && nparams != 3) \|\|
		2167	(type == PNG_EQUATION_HYPERBOLIC && nparams != 4))
		2168	{
		2169	png_chunk_benign_error(png_ptr, "invalid parameter count");
3928	Serge	2170	return;
1897	serge	2171	}
		2172
		2173
		2174	{
		2175	png_chunk_benign_error(png_ptr, "unrecognized equation type");
3928	Serge	2176	}
1897	serge	2177
		2178
		2179	/* Empty loop to move past the units string. */ ;
		2180
		2181
		2182
		2183
3928	Serge	2184	nparams * (sizeof (png_charp))));
		2185
1897	serge	2186
		2187	{
		2188	png_chunk_benign_error(png_ptr, "out of memory");
3928	Serge	2189	return;
1897	serge	2190	}
		2191
		2192
		2193	for (i = 0; i < nparams; i++)
3928	Serge	2194	{
1897	serge	2195	buf++; /* Skip the null string terminator from previous parameter. */
		2196
		2197
		2198
		2199
3928	Serge	2200	/* Empty loop to move past each parameter string */ ;
1897	serge	2201
		2202
		2203	if (buf > endptr)
		2204	{
		2205	png_free(png_ptr, params);
		2206	png_chunk_benign_error(png_ptr, "invalid data");
3928	Serge	2207	return;
1897	serge	2208	}
		2209	}
		2210
		2211
3928	Serge	2212	(png_charp)units, params);
		2213
1897	serge	2214
		2215	}
		2216	#endif
		2217
		2218
		2219	/* Read the sCAL chunk */
		2220	void /* PRIVATE */
		2221	png_handle_sCAL(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
3928	Serge	2222	{
1897	serge	2223	png_bytep buffer;
3928	Serge	2224	png_size_t i;
		2225	int state;
1897	serge	2226
		2227
		2228
		2229
		2230	png_chunk_error(png_ptr, "missing IHDR");
3928	Serge	2231
1897	serge	2232
		2233	{
		2234	png_crc_finish(png_ptr, length);
		2235	png_chunk_benign_error(png_ptr, "out of place");
3928	Serge	2236	return;
1897	serge	2237	}
		2238
		2239
		2240	{
		2241	png_crc_finish(png_ptr, length);
		2242	png_chunk_benign_error(png_ptr, "duplicate");
3928	Serge	2243	return;
1897	serge	2244	}
		2245
		2246
3928	Serge	2247	else if (length < 4)
		2248	{
		2249	png_crc_finish(png_ptr, length);
		2250	png_chunk_benign_error(png_ptr, "invalid");
		2251	return;
		2252	}
		2253
		2254
1897	serge	2255	length + 1);
		2256
		2257
3928	Serge	2258
1897	serge	2259
3928	Serge	2260	{
1897	serge	2261	png_chunk_benign_error(png_ptr, "out of memory");
3928	Serge	2262	png_crc_finish(png_ptr, length);
1897	serge	2263	return;
		2264	}
		2265
		2266
3928	Serge	2267	buffer[length] = 0; /* Null terminate the last string */
		2268
1897	serge	2269
		2270	return;
		2271
		2272
		2273	if (buffer[0] != 1 && buffer[0] != 2)
3928	Serge	2274	{
1897	serge	2275	png_chunk_benign_error(png_ptr, "invalid unit");
3928	Serge	2276	return;
1897	serge	2277	}
		2278
		2279
		2280	* a '\0' and they need to fit exactly in the chunk data.
		2281	*/
		2282	i = 1;
3928	Serge	2283	state = 0;
1897	serge	2284
		2285
3928	Serge	2286	i >= length \|\| buffer[i++] != 0)
		2287	png_chunk_benign_error(png_ptr, "bad width format");
		2288
1897	serge	2289
3928	Serge	2290	png_chunk_benign_error(png_ptr, "non-positive width");
		2291
		2292
1897	serge	2293	{
		2294	png_size_t heighti = i;
		2295
		2296
3928	Serge	2297	if (!png_check_fp_number((png_const_charp)buffer, length, &state, &i) \|\|
		2298	i != length)
		2299	png_chunk_benign_error(png_ptr, "bad height format");
		2300
1897	serge	2301
3928	Serge	2302	png_chunk_benign_error(png_ptr, "non-positive height");
		2303
		2304
1897	serge	2305	/* This is the (only) success case. */
		2306	png_set_sCAL_s(png_ptr, info_ptr, buffer[0],
3928	Serge	2307	(png_charp)buffer+1, (png_charp)buffer+heighti);
		2308	}
1897	serge	2309	}
		2310	#endif
		2311
		2312
		2313	void /* PRIVATE */
		2314	png_handle_tIME(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
3928	Serge	2315	{
1897	serge	2316	png_byte buf[7];
		2317	png_time mod_time;
		2318
		2319
		2320
		2321
		2322	png_chunk_error(png_ptr, "missing IHDR");
3928	Serge	2323
1897	serge	2324
		2325	{
		2326	png_crc_finish(png_ptr, length);
		2327	png_chunk_benign_error(png_ptr, "duplicate");
3928	Serge	2328	return;
1897	serge	2329	}
		2330
		2331
		2332	png_ptr->mode \|= PNG_AFTER_IDAT;
		2333
		2334
		2335	{
		2336	png_crc_finish(png_ptr, length);
		2337	png_chunk_benign_error(png_ptr, "invalid");
3928	Serge	2338	return;
1897	serge	2339	}
		2340
		2341
		2342
		2343
		2344	return;
		2345
		2346
		2347	mod_time.minute = buf[5];
		2348	mod_time.hour = buf[4];
		2349	mod_time.day = buf[3];
		2350	mod_time.month = buf[2];
		2351	mod_time.year = png_get_uint_16(buf);
		2352
		2353
		2354	}
		2355	#endif
		2356
		2357
		2358	/* Note: this does not properly handle chunks that are > 64K under DOS */
		2359	void /* PRIVATE */
		2360	png_handle_tEXt(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
3928	Serge	2361	{
1897	serge	2362	png_text text_info;
3928	Serge	2363	png_bytep buffer;
		2364	png_charp key;
1897	serge	2365	png_charp text;
		2366	png_uint_32 skip = 0;
		2367
		2368
		2369
		2370
		2371	if (png_ptr->user_chunk_cache_max != 0)
		2372	{
		2373	if (png_ptr->user_chunk_cache_max == 1)
		2374	{
		2375	png_crc_finish(png_ptr, length);
		2376	return;
		2377	}
		2378
		2379
		2380	{
		2381	png_crc_finish(png_ptr, length);
		2382	png_chunk_benign_error(png_ptr, "no space in chunk cache");
3928	Serge	2383	return;
1897	serge	2384	}
		2385	}
		2386	#endif
		2387
		2388
		2389	png_chunk_error(png_ptr, "missing IHDR");
3928	Serge	2390
1897	serge	2391
		2392	png_ptr->mode \|= PNG_AFTER_IDAT;
		2393
		2394
		2395	if (length > 65535U)
3928	Serge	2396	{
1897	serge	2397	png_crc_finish(png_ptr, length);
3928	Serge	2398	png_chunk_benign_error(png_ptr, "too large to fit in memory");
		2399	return;
		2400	}
1897	serge	2401	#endif
		2402
		2403
3928	Serge	2404
1897	serge	2405
3928	Serge	2406	{
1897	serge	2407	png_chunk_benign_error(png_ptr, "out of memory");
3928	Serge	2408	return;
1897	serge	2409	}
		2410
		2411
3928	Serge	2412
1897	serge	2413
		2414	return;
		2415
		2416
3928	Serge	2417	key[length] = 0;
		2418
1897	serge	2419
		2420	/* Empty loop to find end of key */ ;
		2421
		2422
3928	Serge	2423	text++;
1897	serge	2424
		2425
3928	Serge	2426	text_info.key = key;
		2427	text_info.lang = NULL;
		2428	text_info.lang_key = NULL;
		2429	text_info.itxt_length = 0;
		2430	text_info.text = text;
		2431	text_info.text_length = strlen(text);
		2432
1897	serge	2433
3928	Serge	2434	png_warning(png_ptr, "Insufficient memory to process text chunk");
1897	serge	2435	}
		2436	#endif
		2437
		2438
		2439	/* Note: this does not correctly handle chunks that are > 64K under DOS */
		2440	void /* PRIVATE */
		2441	png_handle_zTXt(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
3928	Serge	2442	{
1897	serge	2443	png_const_charp errmsg = NULL;
3928	Serge	2444	png_bytep buffer;
		2445	png_uint_32 keyword_length;
		2446
1897	serge	2447
		2448
		2449
		2450	if (png_ptr->user_chunk_cache_max != 0)
		2451	{
		2452	if (png_ptr->user_chunk_cache_max == 1)
		2453	{
		2454	png_crc_finish(png_ptr, length);
		2455	return;
		2456	}
		2457
		2458
		2459	{
		2460	png_crc_finish(png_ptr, length);
		2461	png_chunk_benign_error(png_ptr, "no space in chunk cache");
3928	Serge	2462	return;
1897	serge	2463	}
		2464	}
		2465	#endif
		2466
		2467
		2468	png_chunk_error(png_ptr, "missing IHDR");
3928	Serge	2469
1897	serge	2470
		2471	png_ptr->mode \|= PNG_AFTER_IDAT;
		2472
		2473
3928	Serge	2474
		2475
		2476	{
1897	serge	2477	png_crc_finish(png_ptr, length);
		2478	png_chunk_benign_error(png_ptr, "out of memory");
3928	Serge	2479	return;
1897	serge	2480	}
		2481
		2482
3928	Serge	2483
1897	serge	2484
3928	Serge	2485	return;
1897	serge	2486
		2487
3928	Serge	2488	for (keyword_length = 0;
		2489	keyword_length < length && buffer[keyword_length] != 0;
		2490	++keyword_length)
		2491	/* Empty loop to find end of name */ ;
		2492
1897	serge	2493
3928	Serge	2494	errmsg = "bad keyword";
		2495
1897	serge	2496
3928	Serge	2497	* zero bytes; we need a '\0' at the end of the keyword, the compression type
		2498	* then the LZ data:
		2499	*/
		2500	else if (keyword_length + 3 > length)
		2501	errmsg = "truncated";
		2502
1897	serge	2503
3928	Serge	2504	errmsg = "unknown compression type";
		2505
1897	serge	2506
		2507	{
		2508	png_alloc_size_t uncompressed_length = PNG_SIZE_MAX;
3928	Serge	2509
1897	serge	2510
3928	Serge	2511	* level memory limit, this should be split to different values for iCCP
		2512	* and text chunks.
		2513	*/
		2514	if (png_decompress_chunk(png_ptr, length, keyword_length+2,
		2515	&uncompressed_length, 1/terminate/) == Z_STREAM_END)
		2516	{
		2517	png_text text;
		2518
1897	serge	2519
3928	Serge	2520	* for the extra compression type byte and the fact that it isn't
		2521	* necessarily '\0' terminated.
		2522	*/
		2523	buffer = png_ptr->read_buffer;
		2524	buffer[uncompressed_length+(keyword_length+2)] = 0;
		2525
1897	serge	2526
3928	Serge	2527	text.key = (png_charp)buffer;
		2528	text.text = (png_charp)(buffer + keyword_length+2);
		2529	text.text_length = uncompressed_length;
		2530	text.itxt_length = 0;
		2531	text.lang = NULL;
		2532	text.lang_key = NULL;
		2533
1897	serge	2534
3928	Serge	2535	errmsg = "insufficient memory";
		2536	}
		2537
1897	serge	2538
3928	Serge	2539	errmsg = png_ptr->zstream.msg;
		2540	}
1897	serge	2541
		2542
3928	Serge	2543	png_chunk_benign_error(png_ptr, errmsg);
		2544	}
1897	serge	2545	#endif
		2546
		2547
		2548	/* Note: this does not correctly handle chunks that are > 64K under DOS */
		2549	void /* PRIVATE */
		2550	png_handle_iTXt(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
3928	Serge	2551	{
1897	serge	2552	png_const_charp errmsg = NULL;
3928	Serge	2553	png_bytep buffer;
		2554	png_uint_32 prefix_length;
		2555
1897	serge	2556
		2557
		2558
		2559	if (png_ptr->user_chunk_cache_max != 0)
		2560	{
		2561	if (png_ptr->user_chunk_cache_max == 1)
		2562	{
		2563	png_crc_finish(png_ptr, length);
		2564	return;
		2565	}
		2566
		2567
		2568	{
		2569	png_crc_finish(png_ptr, length);
		2570	png_chunk_benign_error(png_ptr, "no space in chunk cache");
3928	Serge	2571	return;
1897	serge	2572	}
		2573	}
		2574	#endif
		2575
		2576
		2577	png_chunk_error(png_ptr, "missing IHDR");
3928	Serge	2578
1897	serge	2579
		2580	png_ptr->mode \|= PNG_AFTER_IDAT;
		2581
		2582
3928	Serge	2583
		2584
		2585	{
1897	serge	2586	png_crc_finish(png_ptr, length);
		2587	png_chunk_benign_error(png_ptr, "out of memory");
3928	Serge	2588	return;
1897	serge	2589	}
		2590
		2591
3928	Serge	2592
1897	serge	2593
		2594	return;
		2595
		2596
3928	Serge	2597	for (prefix_length=0;
		2598	prefix_length < length && buffer[prefix_length] != 0;
		2599	++prefix_length)
		2600	/* Empty loop */ ;
1897	serge	2601
		2602
3928	Serge	2603	if (prefix_length > 79 \|\| prefix_length < 1)
		2604	errmsg = "bad keyword";
		2605
1897	serge	2606
3928	Serge	2607	* keyword (both may be empty but are 0 terminated) then the text, which may
		2608	* be empty.
		2609	*/
1897	serge	2610	else if (prefix_length + 5 > length)
3928	Serge	2611	errmsg = "truncated";
		2612
1897	serge	2613
3928	Serge	2614	(buffer[prefix_length+1] == 1 &&
		2615	buffer[prefix_length+2] == PNG_COMPRESSION_TYPE_BASE))
		2616	{
1897	serge	2617	int compressed = buffer[prefix_length+1] != 0;
3928	Serge	2618	png_uint_32 language_offset, translated_keyword_offset;
		2619	png_alloc_size_t uncompressed_length = 0;
		2620
1897	serge	2621
3928	Serge	2622	prefix_length += 3;
		2623	language_offset = prefix_length;
		2624
1897	serge	2625
3928	Serge	2626	++prefix_length)
		2627	/* Empty loop */ ;
		2628
1897	serge	2629
3928	Serge	2630	translated_keyword_offset = ++prefix_length;
		2631
1897	serge	2632
3928	Serge	2633	++prefix_length)
		2634	/* Empty loop */ ;
		2635
1897	serge	2636
3928	Serge	2637	* keyword, but it may already be over the end. None of this arithmetic
		2638	* can overflow because chunks are at most 2^31 bytes long, but on 16-bit
		2639	* systems the available allocaton may overflow.
		2640	*/
		2641	++prefix_length;
		2642
1897	serge	2643
3928	Serge	2644	uncompressed_length = length - prefix_length;
		2645
1897	serge	2646
3928	Serge	2647	{
		2648	uncompressed_length = PNG_SIZE_MAX;
		2649
1897	serge	2650
3928	Serge	2651	* level memory limit, this should be split to different values for
		2652	* iCCP and text chunks.
		2653	*/
		2654	if (png_decompress_chunk(png_ptr, length, prefix_length,
		2655	&uncompressed_length, 1/terminate/) == Z_STREAM_END)
		2656	buffer = png_ptr->read_buffer;
		2657
1897	serge	2658
3928	Serge	2659	errmsg = png_ptr->zstream.msg;
		2660	}
		2661
1897	serge	2662
3928	Serge	2663	errmsg = "truncated";
		2664
1897	serge	2665
3928	Serge	2666	{
		2667	png_text text;
		2668
1897	serge	2669
3928	Serge	2670
1897	serge	2671
3928	Serge	2672	text.compression = PNG_ITXT_COMPRESSION_NONE;
		2673
1897	serge	2674
3928	Serge	2675	text.compression = PNG_ITXT_COMPRESSION_zTXt;
		2676
1897	serge	2677
3928	Serge	2678	text.lang = (png_charp)buffer + language_offset;
		2679	text.lang_key = (png_charp)buffer + translated_keyword_offset;
		2680	text.text = (png_charp)buffer + prefix_length;
		2681	text.text_length = 0;
		2682	text.itxt_length = uncompressed_length;
		2683
1897	serge	2684
3928	Serge	2685	errmsg = "insufficient memory";
		2686	}
		2687	}
		2688
1897	serge	2689
3928	Serge	2690	errmsg = "bad compression info";
		2691
		2692
		2693	png_chunk_benign_error(png_ptr, errmsg);
		2694	}
1897	serge	2695	#endif
		2696
		2697
3928	Serge	2698	/* Utility function for png_handle_unknown; set up png_ptr::unknown_chunk */
		2699	static int
		2700	png_cache_unknown_chunk(png_structrp png_ptr, png_uint_32 length)
		2701	{
1897	serge	2702	png_alloc_size_t limit = PNG_SIZE_MAX;
3928	Serge	2703
1897	serge	2704
3928	Serge	2705	{
		2706	png_free(png_ptr, png_ptr->unknown_chunk.data);
		2707	png_ptr->unknown_chunk.data = NULL;
		2708	}
		2709
1897	serge	2710
3928	Serge	2711	if (png_ptr->user_chunk_malloc_max > 0 &&
		2712	png_ptr->user_chunk_malloc_max < limit)
		2713	limit = png_ptr->user_chunk_malloc_max;
		2714
		2715
		2716	if (PNG_USER_CHUNK_MALLOC_MAX < limit)
		2717	limit = PNG_USER_CHUNK_MALLOC_MAX;
		2718	# endif
		2719
		2720
		2721	{
1897	serge	2722	PNG_CSTRING_FROM_CHUNK(png_ptr->unknown_chunk.name, png_ptr->chunk_name);
3928	Serge	2723	/* The following is safe because of the PNG_SIZE_MAX init above */
		2724	png_ptr->unknown_chunk.size = (png_size_t)length/SAFE/;
		2725	/* 'mode' is a flag array, only the bottom four bits matter here */
		2726	png_ptr->unknown_chunk.location = (png_byte)png_ptr->mode/SAFE/;
		2727
1897	serge	2728
3928	Serge	2729	png_ptr->unknown_chunk.data = NULL;
		2730
		2731
		2732	{
1897	serge	2733	/* Do a 'warn' here - it is handled below. */
3928	Serge	2734	png_ptr->unknown_chunk.data = png_voidcast(png_bytep,
		2735	png_malloc_warn(png_ptr, length));
		2736	}
1897	serge	2737	}
		2738
		2739
3928	Serge	2740	{
1897	serge	2741	/* This is benign because we clean up correctly */
3928	Serge	2742	png_crc_finish(png_ptr, length);
		2743	png_chunk_benign_error(png_ptr, "unknown chunk exceeds memory limits");
		2744	return 0;
		2745	}
1897	serge	2746
		2747
3928	Serge	2748	{
1897	serge	2749	if (length > 0)
3928	Serge	2750	png_crc_read(png_ptr, png_ptr->unknown_chunk.data, length);
		2751	png_crc_finish(png_ptr, 0);
		2752	return 1;
		2753	}
1897	serge	2754	}
3928	Serge	2755	#endif /* PNG_READ_UNKNOWN_CHUNKS_SUPPORTED */
		2756
1897	serge	2757
3928	Serge	2758	void /* PRIVATE */
		2759	png_handle_unknown(png_structrp png_ptr, png_inforp info_ptr,
		2760	png_uint_32 length, int keep)
		2761	{
		2762	int handled = 0; /* the chunk was handled */
		2763
		2764
		2765
		2766
		2767	* the bug which meant that setting a non-default behavior for a specific
		2768	* chunk would be ignored (the default was always used unless a user
		2769	* callback was installed).
		2770	*
		2771	* 'keep' is the value from the png_chunk_unknown_handling, the setting for
		2772	* this specific chunk_name, if PNG_HANDLE_AS_UNKNOWN_SUPPORTED, if not it
		2773	* will always be PNG_HANDLE_CHUNK_AS_DEFAULT and it needs to be set here.
		2774	* This is just an optimization to avoid multiple calls to the lookup
		2775	* function.
		2776	*/
		2777	# ifdef PNG_HANDLE_AS_UNKNOWN_SUPPORTED
		2778	keep = png_chunk_unknown_handling(png_ptr, png_ptr->chunk_name);
		2779	# endif
		2780
		2781
		2782	* of these is always defined because this is the only way to switch on
		2783	* PNG_READ_UNKNOWN_CHUNKS_SUPPORTED)
		2784	*/
		2785	#ifdef PNG_READ_UNKNOWN_CHUNKS_SUPPORTED
1897	serge	2786	# ifdef PNG_READ_USER_CHUNKS_SUPPORTED
3928	Serge	2787	/* The user callback takes precedence over the chunk keep value, but the
		2788	* keep value is still required to validate a save of a critical chunk.
		2789	*/
		2790	if (png_ptr->read_user_chunk_fn != NULL)
		2791	{
1897	serge	2792	if (png_cache_unknown_chunk(png_ptr, length))
3928	Serge	2793	{
		2794	/* Callback to user unknown chunk handler */
		2795	int ret = (*(png_ptr->read_user_chunk_fn))(png_ptr,
		2796	&png_ptr->unknown_chunk);
		2797
1897	serge	2798
3928	Serge	2799	* negative: An error occured, png_chunk_error will be called.
		2800	* zero: The chunk was not handled, the chunk will be discarded
		2801	* unless png_set_keep_unknown_chunks has been used to set
		2802	* a 'keep' behavior for this particular chunk, in which
		2803	* case that will be used. A critical chunk will cause an
		2804	* error at this point unless it is to be saved.
		2805	* positive: The chunk was handled, libpng will ignore/discard it.
		2806	*/
		2807	if (ret < 0)
		2808	png_chunk_error(png_ptr, "error in user chunk");
		2809
1897	serge	2810
3928	Serge	2811	{
		2812	/* If the keep value is 'default' or 'never' override it, but
		2813	* still error out on critical chunks unless the keep value is
		2814	* 'always' While this is weird it is the behavior in 1.4.12.
		2815	* A possible improvement would be to obey the value set for the
		2816	* chunk, but this would be an API change that would probably
		2817	* damage some applications.
		2818	*
		2819	* The png_app_warning below catches the case that matters, where
		2820	* the application has not set specific save or ignore for this
		2821	* chunk or global save or ignore.
		2822	*/
		2823	if (keep < PNG_HANDLE_CHUNK_IF_SAFE)
		2824	{
		2825	# ifdef PNG_SET_UNKNOWN_CHUNKS_SUPPORTED
		2826	if (png_ptr->unknown_default < PNG_HANDLE_CHUNK_IF_SAFE)
		2827	{
		2828	png_chunk_warning(png_ptr, "Saving unknown chunk:");
		2829	png_app_warning(png_ptr,
		2830	"forcing save of an unhandled chunk;"
		2831	" please call png_set_keep_unknown_chunks");
		2832	/* with keep = PNG_HANDLE_CHUNK_IF_SAFE */
		2833	}
		2834	# endif
		2835	keep = PNG_HANDLE_CHUNK_IF_SAFE;
		2836	}
		2837	}
		2838
1897	serge	2839
3928	Serge	2840	{
		2841	handled = 1;
		2842	/* Critical chunks can be safely discarded at this point. */
		2843	keep = PNG_HANDLE_CHUNK_NEVER;
		2844	}
		2845	}
		2846
1897	serge	2847
3928	Serge	2848	keep = PNG_HANDLE_CHUNK_NEVER; /* insufficient memory */
		2849	}
		2850
1897	serge	2851
		2852	/* Use the SAVE_UNKNOWN_CHUNKS code or skip the chunk */
3928	Serge	2853	# endif /* PNG_READ_USER_CHUNKS_SUPPORTED */
		2854
		2855
		2856	{
1897	serge	2857	/* keep is currently just the per-chunk setting, if there was no
3928	Serge	2858	* setting change it to the global default now (not that this may
		2859	* still be AS_DEFAULT) then obtain the cache of the chunk if required,
		2860	* if not simply skip the chunk.
		2861	*/
		2862	if (keep == PNG_HANDLE_CHUNK_AS_DEFAULT)
		2863	keep = png_ptr->unknown_default;
		2864
		2865
		2866	(keep == PNG_HANDLE_CHUNK_IF_SAFE &&
		2867	PNG_CHUNK_ANCILLARY(png_ptr->chunk_name)))
		2868	{
		2869	if (!png_cache_unknown_chunk(png_ptr, length))
		2870	keep = PNG_HANDLE_CHUNK_NEVER;
		2871	}
		2872
		2873
		2874	png_crc_finish(png_ptr, length);
		2875	}
1897	serge	2876	# else
3928	Serge	2877	# ifndef PNG_READ_USER_CHUNKS_SUPPORTED
		2878	# error no method to support READ_UNKNOWN_CHUNKS
		2879	# endif
		2880
1897	serge	2881
		2882	/* If here there is no read callback pointer set and no support is
3928	Serge	2883	* compiled in to just save the unknown chunks, so simply skip this
		2884	* chunk. If 'keep' is something other than AS_DEFAULT or NEVER then
		2885	* the app has erroneously asked for unknown chunk saving when there
		2886	* is no support.
		2887	*/
		2888	if (keep > PNG_HANDLE_CHUNK_NEVER)
		2889	png_app_error(png_ptr, "no unknown chunk support available");
		2890
1897	serge	2891
3928	Serge	2892	}
		2893	# endif /* PNG_SAVE_UNKNOWN_CHUNKS_SUPPORTED */
		2894
1897	serge	2895
3928	Serge	2896	/* Now store the chunk in the chunk list if appropriate, and if the limits
		2897	* permit it.
		2898	*/
		2899	if (keep == PNG_HANDLE_CHUNK_ALWAYS \|\|
		2900	(keep == PNG_HANDLE_CHUNK_IF_SAFE &&
		2901	PNG_CHUNK_ANCILLARY(png_ptr->chunk_name)))
		2902	{
		2903	# ifdef PNG_USER_LIMITS_SUPPORTED
		2904	switch (png_ptr->user_chunk_cache_max)
		2905	{
1897	serge	2906	case 2:
3928	Serge	2907	png_ptr->user_chunk_cache_max = 1;
		2908	png_chunk_benign_error(png_ptr, "no space in chunk cache");
		2909	/* FALL THROUGH */
		2910	case 1:
		2911	/* NOTE: prior to 1.6.0 this case resulted in an unknown critical
		2912	* chunk being skipped, now there will be a hard error below.
		2913	*/
		2914	break;
		2915
1897	serge	2916
3928	Serge	2917	--(png_ptr->user_chunk_cache_max);
		2918	/* FALL THROUGH */
		2919	case 0: /* no limit */
		2920	# endif /* PNG_USER_LIMITS_SUPPORTED */
		2921	/* Here when the limit isn't reached or when limits are compiled
		2922	* out; store the chunk.
		2923	*/
		2924	png_set_unknown_chunks(png_ptr, info_ptr,
		2925	&png_ptr->unknown_chunk, 1);
		2926	handled = 1;
		2927	# ifdef PNG_USER_LIMITS_SUPPORTED
		2928	break;
		2929	}
1897	serge	2930	# endif
3928	Serge	2931	}
1897	serge	2932	# else /* no store support! */
3928	Serge	2933	PNG_UNUSED(info_ptr)
		2934	# error untested code (reading unknown chunks with no store support)
		2935	# endif
		2936
1897	serge	2937
3928	Serge	2938	* freed now. Notice that the data is not freed if there is a png_error, but
		2939	* it will be freed by destroy_read_struct.
		2940	*/
		2941	if (png_ptr->unknown_chunk.data != NULL)
		2942	png_free(png_ptr, png_ptr->unknown_chunk.data);
1897	serge	2943	png_ptr->unknown_chunk.data = NULL;
3928	Serge	2944
1897	serge	2945
3928	Serge	2946	/* There is no support to read an unknown chunk, so just skip it. */
		2947	png_crc_finish(png_ptr, length);
		2948	PNG_UNUSED(info_ptr)
		2949	PNG_UNUSED(keep)
		2950	#endif /* !PNG_READ_UNKNOWN_CHUNKS_SUPPORTED */
		2951
1897	serge	2952
3928	Serge	2953	if (!handled && PNG_CHUNK_CRITICAL(png_ptr->chunk_name))
		2954	png_chunk_error(png_ptr, "unhandled critical chunk");
		2955	}
1897	serge	2956
		2957
		2958	* This function can't have the "critical chunk check" incorporated
		2959	* into it, since in the future we will need to be able to call user
		2960	* functions to handle unknown critical chunks after we check that
		2961	* the chunk name itself is valid.
		2962	*/
		2963
		2964
3928	Serge	2965	*
		2966	* ((c) < 65 \|\| (c) > 122 \|\| ((c) > 90 && (c) < 97))
		2967	*/
		2968
1897	serge	2969
		2970	png_check_chunk_name(png_structrp png_ptr, png_uint_32 chunk_name)
3928	Serge	2971	{
1897	serge	2972	int i;
3928	Serge	2973
		2974
1897	serge	2975
3928	Serge	2976
		2977	{
1897	serge	2978	int c = chunk_name & 0xff;
3928	Serge	2979
		2980
		2981	png_chunk_error(png_ptr, "invalid chunk type");
		2982
		2983
		2984	}
1897	serge	2985	}
		2986
		2987
3928	Serge	2988	* routine takes care of alpha and transparency if requested. This routine also
		2989	* handles the two methods of progressive display of interlaced images,
		2990	* depending on the 'display' value; if 'display' is true then the whole row
		2991	* (dp) is filled from the start by replicating the available pixels. If
		2992	* 'display' is false only those pixels present in the pass are filled in.
		2993	*/
1897	serge	2994	void /* PRIVATE */
		2995	png_combine_row(png_const_structrp png_ptr, png_bytep dp, int display)
3928	Serge	2996	{
1897	serge	2997	unsigned int pixel_depth = png_ptr->transformed_pixel_depth;
3928	Serge	2998	png_const_bytep sp = png_ptr->row_buf + 1;
		2999	png_uint_32 row_width = png_ptr->width;
		3000	unsigned int pass = png_ptr->pass;
		3001	png_bytep end_ptr = 0;
		3002	png_byte end_byte = 0;
		3003	unsigned int end_mask;
		3004
		3005
1897	serge	3006
		3007
3928	Serge	3008	* least one row has been read from the PNG data and transformed.
		3009	*/
		3010	if (pixel_depth == 0)
		3011	png_error(png_ptr, "internal row logic error");
		3012
		3013
		3014	* any call to png_read_update_info at this point. Do not continue if we got
		3015	* this wrong.
		3016	*/
		3017	if (png_ptr->info_rowbytes != 0 && png_ptr->info_rowbytes !=
		3018	PNG_ROWBYTES(pixel_depth, row_width))
		3019	png_error(png_ptr, "internal row size calculation error");
		3020
		3021
		3022	if (row_width == 0)
		3023	png_error(png_ptr, "internal row width error");
		3024
		3025
		3026	* the multiply below may overflow, we don't care because ANSI-C guarantees
		3027	* we get the low bits.
		3028	*/
		3029	end_mask = (pixel_depth * row_width) & 7;
		3030	if (end_mask != 0)
		3031	{
1897	serge	3032	/* end_ptr == NULL is a flag to say do nothing */
3928	Serge	3033	end_ptr = dp + PNG_ROWBYTES(pixel_depth, row_width) - 1;
		3034	end_byte = *end_ptr;
		3035	# ifdef PNG_READ_PACKSWAP_SUPPORTED
		3036	if (png_ptr->transformations & PNG_PACKSWAP) /* little-endian byte */
		3037	end_mask = 0xff << end_mask;
		3038
		3039
		3040	# endif
		3041	end_mask = 0xff >> end_mask;
		3042	/* end_mask is now the bits to keep from the destination row */
		3043	}
1897	serge	3044
		3045
3928	Serge	3046	* will also happen if interlacing isn't supported or if the application
		3047	* does not call png_set_interlace_handling(). In the latter cases the
		3048	* caller just gets a sequence of the unexpanded rows from each interlace
		3049	* pass.
		3050	*/
		3051	#ifdef PNG_READ_INTERLACING_SUPPORTED
		3052	if (png_ptr->interlaced && (png_ptr->transformations & PNG_INTERLACE) &&
		3053	pass < 6 && (display == 0 \|\|
		3054	/* The following copies everything for 'display' on passes 0, 2 and 4. */
		3055	(display == 1 && (pass & 1) != 0)))
		3056	{
1897	serge	3057	/* Narrow images may have no bits in a pass; the caller should handle
3928	Serge	3058	* this, but this test is cheap:
		3059	*/
		3060	if (row_width <= PNG_PASS_START_COL(pass))
		3061	return;
		3062
		3063
		3064	{
1897	serge	3065	/* For pixel depths up to 4 bpp the 8-pixel mask can be expanded to fit
3928	Serge	3066	* into 32 bits, then a single loop over the bytes using the four byte
		3067	* values in the 32-bit mask can be used. For the 'display' option the
		3068	* expanded mask may also not require any masking within a byte. To
		3069	* make this work the PACKSWAP option must be taken into account - it
		3070	* simply requires the pixels to be reversed in each byte.
		3071	*
		3072	* The 'regular' case requires a mask for each of the first 6 passes,
		3073	* the 'display' case does a copy for the even passes in the range
		3074	* 0..6. This has already been handled in the test above.
		3075	*
		3076	* The masks are arranged as four bytes with the first byte to use in
		3077	* the lowest bits (little-endian) regardless of the order (PACKSWAP or
		3078	* not) of the pixels in each byte.
		3079	*
		3080	* NOTE: the whole of this logic depends on the caller of this function
		3081	* only calling it on rows appropriate to the pass. This function only
		3082	* understands the 'x' logic; the 'y' logic is handled by the caller.
		3083	*
		3084	* The following defines allow generation of compile time constant bit
		3085	* masks for each pixel depth and each possibility of swapped or not
		3086	* swapped bytes. Pass 'p' is in the range 0..6; 'x', a pixel index,
		3087	* is in the range 0..7; and the result is 1 if the pixel is to be
		3088	* copied in the pass, 0 if not. 'S' is for the sparkle method, 'B'
		3089	* for the block method.
		3090	*
		3091	* With some compilers a compile time expression of the general form:
		3092	*
		3093	* (shift >= 32) ? (a >> (shift-32)) : (b >> shift)
		3094	*
		3095	* Produces warnings with values of 'shift' in the range 33 to 63
		3096	* because the right hand side of the ?: expression is evaluated by
		3097	* the compiler even though it isn't used. Microsoft Visual C (various
		3098	* versions) and the Intel C compiler are known to do this. To avoid
		3099	* this the following macros are used in 1.5.6. This is a temporary
		3100	* solution to avoid destabilizing the code during the release process.
		3101	*/
		3102	# if PNG_USE_COMPILE_TIME_MASKS
		3103	# define PNG_LSR(x,s) ((x)>>((s) & 0x1f))
		3104	# define PNG_LSL(x,s) ((x)<<((s) & 0x1f))
		3105	# else
		3106	# define PNG_LSR(x,s) ((x)>>(s))
		3107	# define PNG_LSL(x,s) ((x)<<(s))
		3108	# endif
		3109	# define S_COPY(p,x) (((p)<4 ? PNG_LSR(0x80088822,(3-(p))*8+(7-(x))) :\
		3110	PNG_LSR(0xaa55ff00,(7-(p))*8+(7-(x)))) & 1)
		3111	# define B_COPY(p,x) (((p)<4 ? PNG_LSR(0xff0fff33,(3-(p))*8+(7-(x))) :\
		3112	PNG_LSR(0xff55ff00,(7-(p))*8+(7-(x)))) & 1)
		3113
1897	serge	3114
3928	Serge	3115	* little endian - the first pixel is at bit 0 - however the extra
		3116	* parameter 's' can be set to cause the mask position to be swapped
		3117	* within each byte, to match the PNG format. This is done by XOR of
		3118	* the shift with 7, 6 or 4 for bit depths 1, 2 and 4.
		3119	*/
		3120	# define PIXEL_MASK(p,x,d,s) \
		3121	(PNG_LSL(((PNG_LSL(1U,(d)))-1),(((x)*(d))^((s)?8-(d):0))))
		3122
1897	serge	3123
3928	Serge	3124	*/
		3125	# define S_MASKx(p,x,d,s) (S_COPY(p,x)?PIXEL_MASK(p,x,d,s):0)
		3126	# define B_MASKx(p,x,d,s) (B_COPY(p,x)?PIXEL_MASK(p,x,d,s):0)
		3127
1897	serge	3128
3928	Serge	3129	* cases the result needs replicating, for the 4-bpp case the above
		3130	* generates a full 32 bits.
		3131	*/
		3132	# define MASK_EXPAND(m,d) ((m)*((d)==1?0x01010101:((d)==2?0x00010001:1)))
		3133
1897	serge	3134
3928	Serge	3135	S_MASKx(p,2,d,s) + S_MASKx(p,3,d,s) + S_MASKx(p,4,d,s) +\
		3136	S_MASKx(p,5,d,s) + S_MASKx(p,6,d,s) + S_MASKx(p,7,d,s), d)
		3137
1897	serge	3138
3928	Serge	3139	B_MASKx(p,2,d,s) + B_MASKx(p,3,d,s) + B_MASKx(p,4,d,s) +\
		3140	B_MASKx(p,5,d,s) + B_MASKx(p,6,d,s) + B_MASKx(p,7,d,s), d)
		3141
1897	serge	3142
3928	Serge	3143	/* Utility macros to construct all the masks for a depth/swap
		3144	* combination. The 's' parameter says whether the format is PNG
		3145	* (big endian bytes) or not. Only the three odd-numbered passes are
		3146	* required for the display/block algorithm.
		3147	*/
		3148	# define S_MASKS(d,s) { S_MASK(0,d,s), S_MASK(1,d,s), S_MASK(2,d,s),\
		3149	S_MASK(3,d,s), S_MASK(4,d,s), S_MASK(5,d,s) }
		3150
1897	serge	3151
3928	Serge	3152
1897	serge	3153
3928	Serge	3154
1897	serge	3155
3928	Serge	3156	* then pass:
		3157	*/
		3158	static PNG_CONST png_uint_32 row_mask[2/PACKSWAP/][3/depth/][6] =
		3159	{
		3160	/* Little-endian byte masks for PACKSWAP */
		3161	{ S_MASKS(1,0), S_MASKS(2,0), S_MASKS(4,0) },
		3162	/* Normal (big-endian byte) masks - PNG format */
		3163	{ S_MASKS(1,1), S_MASKS(2,1), S_MASKS(4,1) }
		3164	};
		3165
1897	serge	3166
3928	Serge	3167	* pass>>1.
		3168	*/
		3169	static PNG_CONST png_uint_32 display_mask[2][3][3] =
		3170	{
1897	serge	3171	/* Little-endian byte masks for PACKSWAP */
3928	Serge	3172	{ B_MASKS(1,0), B_MASKS(2,0), B_MASKS(4,0) },
		3173	/* Normal (big-endian byte) masks - PNG format */
		3174	{ B_MASKS(1,1), B_MASKS(2,1), B_MASKS(4,1) }
		3175	};
		3176
1897	serge	3177
3928	Serge	3178	((display)?display_mask[png][DEPTH_INDEX(depth)][pass>>1]:\
		3179	row_mask[png][DEPTH_INDEX(depth)][pass])
		3180
		3181
		3182	/* This is the runtime alternative: it seems unlikely that this will
		3183	* ever be either smaller or faster than the compile time approach.
		3184	*/
		3185	# define MASK(pass,depth,display,png)\
		3186	((display)?B_MASK(pass,depth,png):S_MASK(pass,depth,png))
		3187	#endif /* !PNG_USE_COMPILE_TIME_MASKS */
		3188
		3189
		3190	* the byte mask will be 0 or 0xff, optimize these cases. row_width is
		3191	* the number of pixels, but the code copies bytes, so it is necessary
		3192	* to special case the end.
		3193	*/
		3194	png_uint_32 pixels_per_byte = 8 / pixel_depth;
		3195	png_uint_32 mask;
		3196
		3197
		3198	if (png_ptr->transformations & PNG_PACKSWAP)
1897	serge	3199	mask = MASK(pass, pixel_depth, display, 0);
3928	Serge	3200
1897	serge	3201
		3202	# endif
3928	Serge	3203	mask = MASK(pass, pixel_depth, display, 1);
		3204
		3205
		3206	{
		3207	png_uint_32 m;
		3208
		3209
		3210	* 32 bits because the high bits always match those in m<<24; it is,
		3211	* however, essential to use OR here, not +, because of this.
		3212	*/
		3213	m = mask;
		3214	mask = (m >> 8) \| (m << 24); /* rotate right to good compilers */
		3215	m &= 0xff;
		3216
		3217
		3218	{
1897	serge	3219	if (m != 0xff)
3928	Serge	3220	dp = (png_byte)((dp & ~m) \| (*sp & m));
		3221	else
		3222	dp = sp;
		3223	}
1897	serge	3224
		3225
3928	Serge	3226	* is not an exact number of bytes wide; libpng has always done
		3227	* this.
		3228	*/
		3229	if (row_width <= pixels_per_byte)
		3230	break; /* May need to restore part of the last byte */
		3231
1897	serge	3232
3928	Serge	3233	++dp;
		3234	++sp;
		3235	}
		3236	}
		3237
1897	serge	3238
3928	Serge	3239	{
		3240	unsigned int bytes_to_copy, bytes_to_jump;
		3241
1897	serge	3242
3928	Serge	3243	if (pixel_depth & 7)
		3244	png_error(png_ptr, "invalid user transform pixel depth");
		3245
1897	serge	3246
3928	Serge	3247	row_width *= pixel_depth;
		3248
1897	serge	3249
3928	Serge	3250	* fixed number of pixels to copy then to skip. There may be a
		3251	* different number of pixels to skip at the start though.
		3252	*/
		3253	{
		3254	unsigned int offset = PNG_PASS_START_COL(pass) * pixel_depth;
		3255
		3256
		3257	dp += offset;
		3258	sp += offset;
		3259	}
1897	serge	3260
		3261
3928	Serge	3262	if (display)
		3263	{
1897	serge	3264	/* When doing the 'block' algorithm the pixel in the pass gets
3928	Serge	3265	* replicated to adjacent pixels. This is why the even (0,2,4,6)
		3266	* passes are skipped above - the entire expanded row is copied.
		3267	*/
		3268	bytes_to_copy = (1<<((6-pass)>>1)) * pixel_depth;
		3269
1897	serge	3270
3928	Serge	3271	if (bytes_to_copy > row_width)
		3272	bytes_to_copy = row_width;
		3273	}
		3274
1897	serge	3275
3928	Serge	3276	bytes_to_copy = pixel_depth;
		3277
1897	serge	3278
3928	Serge	3279	bytes_to_jump = PNG_PASS_COL_OFFSET(pass) * pixel_depth;
		3280
		3281
		3282	* depending on the value of 'bytes_to_copy'. Special case the low
		3283	* byte counts, which we know to be frequent.
		3284	*
		3285	* Notice that these cases all 'return' rather than 'break' - this
		3286	* avoids an unnecessary test on whether to restore the last byte
		3287	* below.
		3288	*/
		3289	switch (bytes_to_copy)
		3290	{
		3291	case 1:
		3292	for (;;)
		3293	{
1897	serge	3294	dp = sp;
3928	Serge	3295
		3296
		3297	return;
		3298
		3299
		3300	sp += bytes_to_jump;
		3301	row_width -= bytes_to_jump;
		3302	}
1897	serge	3303
		3304
3928	Serge	3305	/* There is a possibility of a partial copy at the end here; this
		3306	* slows the code down somewhat.
		3307	*/
		3308	do
		3309	{
1897	serge	3310	dp[0] = sp[0], dp[1] = sp[1];
3928	Serge	3311
		3312
		3313	return;
		3314
		3315
		3316	dp += bytes_to_jump;
		3317	row_width -= bytes_to_jump;
		3318	}
1897	serge	3319	while (row_width > 1);
3928	Serge	3320
1897	serge	3321
3928	Serge	3322	dp = sp;
		3323	return;
		3324
1897	serge	3325
3928	Serge	3326	/* This can only be the RGB case, so each copy is exactly one
		3327	* pixel and it is not necessary to check for a partial copy.
		3328	*/
		3329	for(;;)
		3330	{
		3331	dp[0] = sp[0], dp[1] = sp[1], dp[2] = sp[2];
		3332
1897	serge	3333
3928	Serge	3334	return;
		3335
1897	serge	3336
3928	Serge	3337	dp += bytes_to_jump;
		3338	row_width -= bytes_to_jump;
		3339	}
		3340
1897	serge	3341
3928	Serge	3342	#if PNG_ALIGN_TYPE != PNG_ALIGN_NONE
		3343	/* Check for double byte alignment and, if possible, use a
		3344	* 16-bit copy. Don't attempt this for narrow images - ones that
		3345	* are less than an interlace panel wide. Don't attempt it for
		3346	* wide bytes_to_copy either - use the memcpy there.
		3347	*/
		3348	if (bytes_to_copy < 16 /else use memcpy/ &&
		3349	png_isaligned(dp, png_uint_16) &&
		3350	png_isaligned(sp, png_uint_16) &&
		3351	bytes_to_copy % (sizeof (png_uint_16)) == 0 &&
		3352	bytes_to_jump % (sizeof (png_uint_16)) == 0)
		3353	{
1897	serge	3354	/* Everything is aligned for png_uint_16 copies, but try for
3928	Serge	3355	* png_uint_32 first.
		3356	*/
		3357	if (png_isaligned(dp, png_uint_32) &&
		3358	png_isaligned(sp, png_uint_32) &&
		3359	bytes_to_copy % (sizeof (png_uint_32)) == 0 &&
		3360	bytes_to_jump % (sizeof (png_uint_32)) == 0)
		3361	{
		3362	png_uint_32p dp32 = png_aligncast(png_uint_32p,dp);
		3363	png_const_uint_32p sp32 = png_aligncastconst(
		3364	png_const_uint_32p, sp);
		3365	size_t skip = (bytes_to_jump-bytes_to_copy) /
		3366	(sizeof (png_uint_32));
		3367
		3368
		3369	{
		3370	size_t c = bytes_to_copy;
		3371	do
		3372	{
		3373	dp32++ = sp32++;
		3374	c -= (sizeof (png_uint_32));
		3375	}
		3376	while (c > 0);
		3377
		3378
		3379	return;
		3380
		3381
		3382	sp32 += skip;
		3383	row_width -= bytes_to_jump;
		3384	}
		3385	while (bytes_to_copy <= row_width);
		3386
		3387
		3388	* There will be 1-3 bytes left to copy, so don't try the
		3389	* 16-bit loop below.
		3390	*/
		3391	dp = (png_bytep)dp32;
		3392	sp = (png_const_bytep)sp32;
		3393	do
		3394	dp++ = sp++;
		3395	while (--row_width > 0);
		3396	return;
		3397	}
		3398
		3399
		3400	* not too large.
		3401	*/
		3402	else
		3403	{
		3404	png_uint_16p dp16 = png_aligncast(png_uint_16p, dp);
		3405	png_const_uint_16p sp16 = png_aligncastconst(
		3406	png_const_uint_16p, sp);
		3407	size_t skip = (bytes_to_jump-bytes_to_copy) /
		3408	(sizeof (png_uint_16));
		3409
		3410
		3411	{
		3412	size_t c = bytes_to_copy;
		3413	do
		3414	{
		3415	dp16++ = sp16++;
		3416	c -= (sizeof (png_uint_16));
		3417	}
		3418	while (c > 0);
		3419
		3420
		3421	return;
		3422
		3423
		3424	sp16 += skip;
		3425	row_width -= bytes_to_jump;
		3426	}
		3427	while (bytes_to_copy <= row_width);
		3428
		3429
		3430	dp = (png_bytep)dp16;
		3431	sp = (png_const_bytep)sp16;
		3432	do
		3433	dp++ = sp++;
		3434	while (--row_width > 0);
		3435	return;
		3436	}
		3437	}
1897	serge	3438	#endif /* PNG_ALIGN_ code */
3928	Serge	3439
1897	serge	3440
3928	Serge	3441	for (;;)
		3442	{
		3443	memcpy(dp, sp, bytes_to_copy);
		3444
1897	serge	3445
3928	Serge	3446	return;
		3447
1897	serge	3448
3928	Serge	3449	dp += bytes_to_jump;
		3450	row_width -= bytes_to_jump;
		3451	if (bytes_to_copy > row_width)
		3452	bytes_to_copy = row_width;
		3453	}
		3454	}
1897	serge	3455
3928	Serge	3456
		3457	} /* pixel_depth >= 8 */
		3458
		3459
		3460	}
1897	serge	3461	else
3928	Serge	3462	#endif
		3463
		3464
		3465	* from the temporary row buffer (notice that this overwrites the end of the
		3466	* destination row if it is a partial byte.)
		3467	*/
		3468	memcpy(dp, sp, PNG_ROWBYTES(pixel_depth, row_width));
		3469
		3470
		3471	if (end_ptr != NULL)
		3472	end_ptr = (png_byte)((end_byte & end_mask) \| (end_ptr & ~end_mask));
		3473	}
1897	serge	3474
		3475
		3476	void /* PRIVATE */
		3477	png_do_read_interlace(png_row_infop row_info, png_bytep row, int pass,
3928	Serge	3478	png_uint_32 transformations /* Because these may affect the byte layout */)
		3479	{
1897	serge	3480	/* Arrays to facilitate easy interlacing - use pass (0 - 6) as index */
		3481	/* Offset to next interlace block */
		3482	static PNG_CONST int png_pass_inc[7] = {8, 8, 4, 4, 2, 2, 1};
3928	Serge	3483
1897	serge	3484
		3485	if (row != NULL && row_info != NULL)
		3486	{
		3487	png_uint_32 final_width;
		3488
		3489
		3490
		3491
		3492	{
		3493	case 1:
		3494	{
		3495	png_bytep sp = row + (png_size_t)((row_info->width - 1) >> 3);
		3496	png_bytep dp = row + (png_size_t)((final_width - 1) >> 3);
		3497	int sshift, dshift;
		3498	int s_start, s_end, s_inc;
		3499	int jstop = png_pass_inc[pass];
		3500	png_byte v;
		3501	png_uint_32 i;
		3502	int j;
		3503
		3504
		3505	if (transformations & PNG_PACKSWAP)
		3506	{
		3507	sshift = (int)((row_info->width + 7) & 0x07);
		3508	dshift = (int)((final_width + 7) & 0x07);
		3509	s_start = 7;
		3510	s_end = 0;
		3511	s_inc = -1;
		3512	}
		3513
		3514
		3515	#endif
		3516	{
		3517	sshift = 7 - (int)((row_info->width + 7) & 0x07);
		3518	dshift = 7 - (int)((final_width + 7) & 0x07);
		3519	s_start = 0;
		3520	s_end = 7;
		3521	s_inc = 1;
		3522	}
		3523
		3524
		3525	{
		3526	v = (png_byte)((*sp >> sshift) & 0x01);
		3527	for (j = 0; j < jstop; j++)
		3528	{
		3529	unsigned int tmp = *dp & (0x7f7f >> (7 - dshift));
3928	Serge	3530	tmp \|= v << dshift;
		3531	*dp = (png_byte)(tmp & 0xff);
		3532
1897	serge	3533
		3534	{
		3535	dshift = s_start;
		3536	dp--;
		3537	}
		3538
		3539
		3540	dshift += s_inc;
		3541	}
		3542
		3543
		3544	{
		3545	sshift = s_start;
		3546	sp--;
		3547	}
		3548
		3549
		3550	sshift += s_inc;
		3551	}
		3552	break;
		3553	}
		3554
		3555
		3556	{
		3557	png_bytep sp = row + (png_uint_32)((row_info->width - 1) >> 2);
		3558	png_bytep dp = row + (png_uint_32)((final_width - 1) >> 2);
		3559	int sshift, dshift;
		3560	int s_start, s_end, s_inc;
		3561	int jstop = png_pass_inc[pass];
		3562	png_uint_32 i;
		3563
		3564
		3565	if (transformations & PNG_PACKSWAP)
		3566	{
		3567	sshift = (int)(((row_info->width + 3) & 0x03) << 1);
		3568	dshift = (int)(((final_width + 3) & 0x03) << 1);
		3569	s_start = 6;
		3570	s_end = 0;
		3571	s_inc = -2;
		3572	}
		3573
		3574
		3575	#endif
		3576	{
		3577	sshift = (int)((3 - ((row_info->width + 3) & 0x03)) << 1);
		3578	dshift = (int)((3 - ((final_width + 3) & 0x03)) << 1);
		3579	s_start = 0;
		3580	s_end = 6;
		3581	s_inc = 2;
		3582	}
		3583
		3584
		3585	{
		3586	png_byte v;
		3587	int j;
		3588
		3589
		3590	for (j = 0; j < jstop; j++)
		3591	{
		3592	unsigned int tmp = *dp & (0x3f3f >> (6 - dshift));
3928	Serge	3593	tmp \|= v << dshift;
		3594	*dp = (png_byte)(tmp & 0xff);
		3595
1897	serge	3596
		3597	{
		3598	dshift = s_start;
		3599	dp--;
		3600	}
		3601
		3602
		3603	dshift += s_inc;
		3604	}
		3605
		3606
		3607	{
		3608	sshift = s_start;
		3609	sp--;
		3610	}
		3611
		3612
		3613	sshift += s_inc;
		3614	}
		3615	break;
		3616	}
		3617
		3618
		3619	{
		3620	png_bytep sp = row + (png_size_t)((row_info->width - 1) >> 1);
		3621	png_bytep dp = row + (png_size_t)((final_width - 1) >> 1);
		3622	int sshift, dshift;
		3623	int s_start, s_end, s_inc;
		3624	png_uint_32 i;
		3625	int jstop = png_pass_inc[pass];
		3626
		3627
		3628	if (transformations & PNG_PACKSWAP)
		3629	{
		3630	sshift = (int)(((row_info->width + 1) & 0x01) << 2);
		3631	dshift = (int)(((final_width + 1) & 0x01) << 2);
		3632	s_start = 4;
		3633	s_end = 0;
		3634	s_inc = -4;
		3635	}
		3636
		3637
		3638	#endif
		3639	{
		3640	sshift = (int)((1 - ((row_info->width + 1) & 0x01)) << 2);
		3641	dshift = (int)((1 - ((final_width + 1) & 0x01)) << 2);
		3642	s_start = 0;
		3643	s_end = 4;
		3644	s_inc = 4;
		3645	}
		3646
		3647
		3648	{
		3649	png_byte v = (png_byte)((*sp >> sshift) & 0x0f);
3928	Serge	3650	int j;
1897	serge	3651
		3652
		3653	{
		3654	unsigned int tmp = *dp & (0xf0f >> (4 - dshift));
3928	Serge	3655	tmp \|= v << dshift;
		3656	*dp = (png_byte)(tmp & 0xff);
		3657
1897	serge	3658
		3659	{
		3660	dshift = s_start;
		3661	dp--;
		3662	}
		3663
		3664
		3665	dshift += s_inc;
		3666	}
		3667
		3668
		3669	{
		3670	sshift = s_start;
		3671	sp--;
		3672	}
		3673
		3674
		3675	sshift += s_inc;
		3676	}
		3677	break;
		3678	}
		3679
3928	Serge	3680
1897	serge	3681	{
		3682	png_size_t pixel_bytes = (row_info->pixel_depth >> 3);
		3683
		3684
		3685	* pixel_bytes;
		3686
		3687
		3688
		3689
		3690	png_uint_32 i;
		3691
		3692
		3693	{
		3694	png_byte v[8]; /* SAFE; pixel_depth does not exceed 64 */
3928	Serge	3695	int j;
1897	serge	3696
		3697
3928	Serge	3698
1897	serge	3699
		3700	{
		3701	memcpy(dp, v, pixel_bytes);
3928	Serge	3702	dp -= pixel_bytes;
1897	serge	3703	}
		3704
		3705
		3706	}
		3707	break;
		3708	}
		3709	}
		3710
3928	Serge	3711
1897	serge	3712	row_info->rowbytes = PNG_ROWBYTES(row_info->pixel_depth, final_width);
		3713	}
		3714	#ifndef PNG_READ_PACKSWAP_SUPPORTED
		3715	PNG_UNUSED(transformations) /* Silence compiler warning */
		3716	#endif
		3717	}
		3718	#endif /* PNG_READ_INTERLACING_SUPPORTED */
		3719
		3720
3928	Serge	3721	png_read_filter_row_sub(png_row_infop row_info, png_bytep row,
		3722	png_const_bytep prev_row)
		3723	{
		3724	png_size_t i;
		3725	png_size_t istop = row_info->rowbytes;
		3726	unsigned int bpp = (row_info->pixel_depth + 7) >> 3;
		3727	png_bytep rp = row + bpp;
		3728
		3729
		3730
		3731
		3732	{
		3733	rp = (png_byte)(((int)(rp) + (int)(*(rp-bpp))) & 0xff);
		3734	rp++;
		3735	}
		3736	}
		3737
		3738
		3739	png_read_filter_row_up(png_row_infop row_info, png_bytep row,
		3740	png_const_bytep prev_row)
		3741	{
		3742	png_size_t i;
		3743	png_size_t istop = row_info->rowbytes;
		3744	png_bytep rp = row;
		3745	png_const_bytep pp = prev_row;
		3746
		3747
		3748	{
		3749	rp = (png_byte)(((int)(rp) + (int)(*pp++)) & 0xff);
		3750	rp++;
		3751	}
		3752	}
		3753
		3754
		3755	png_read_filter_row_avg(png_row_infop row_info, png_bytep row,
		3756	png_const_bytep prev_row)
		3757	{
		3758	png_size_t i;
		3759	png_bytep rp = row;
		3760	png_const_bytep pp = prev_row;
		3761	unsigned int bpp = (row_info->pixel_depth + 7) >> 3;
		3762	png_size_t istop = row_info->rowbytes - bpp;
		3763
		3764
		3765	{
		3766	rp = (png_byte)(((int)(rp) +
		3767	((int)(*pp++) / 2 )) & 0xff);
		3768
		3769
		3770	}
		3771
		3772
		3773	{
		3774	rp = (png_byte)(((int)(rp) +
		3775	(int)(pp++ + (rp-bpp)) / 2 ) & 0xff);
		3776
		3777
		3778	}
		3779	}
		3780
		3781
		3782	png_read_filter_row_paeth_1byte_pixel(png_row_infop row_info, png_bytep row,
		3783	png_const_bytep prev_row)
		3784	{
		3785	png_bytep rp_end = row + row_info->rowbytes;
		3786	int a, c;
		3787
		3788
		3789	c = *prev_row++;
		3790	a = *row + c;
		3791	*row++ = (png_byte)a;
		3792
		3793
		3794	while (row < rp_end)
		3795	{
		3796	int b, pa, pb, pc, p;
		3797
		3798
		3799	b = *prev_row++;
		3800
		3801
		3802	pc = a - c;
		3803
		3804
		3805	pa = abs(p);
		3806	pb = abs(pc);
		3807	pc = abs(p + pc);
		3808	# else
		3809	pa = p < 0 ? -p : p;
		3810	pb = pc < 0 ? -pc : pc;
		3811	pc = (p + pc) < 0 ? -(p + pc) : p + pc;
		3812	# endif
		3813
		3814
		3815	* ones in the case of a tie.
		3816	*/
		3817	if (pb < pa) pa = pb, a = b;
		3818	if (pc < pa) a = c;
		3819
		3820
		3821	* for the next time round the loop
		3822	*/
		3823	c = b;
		3824	a += *row;
		3825	*row++ = (png_byte)a;
		3826	}
		3827	}
		3828
		3829
		3830	png_read_filter_row_paeth_multibyte_pixel(png_row_infop row_info, png_bytep row,
		3831	png_const_bytep prev_row)
		3832	{
		3833	int bpp = (row_info->pixel_depth + 7) >> 3;
		3834	png_bytep rp_end = row + bpp;
		3835
		3836
		3837	* because there is only one candidate predictor for the first row).
		3838	*/
		3839	while (row < rp_end)
		3840	{
		3841	int a = row + prev_row++;
		3842	*row++ = (png_byte)a;
		3843	}
		3844
		3845
		3846	rp_end += row_info->rowbytes - bpp;
		3847
		3848
		3849	{
		3850	int a, b, c, pa, pb, pc, p;
		3851
		3852
		3853	a = *(row - bpp);
		3854	b = *prev_row++;
		3855
		3856
		3857	pc = a - c;
		3858
		3859
		3860	pa = abs(p);
		3861	pb = abs(pc);
		3862	pc = abs(p + pc);
		3863	# else
		3864	pa = p < 0 ? -p : p;
		3865	pb = pc < 0 ? -pc : pc;
		3866	pc = (p + pc) < 0 ? -(p + pc) : p + pc;
		3867	# endif
		3868
		3869
		3870	if (pc < pa) a = c;
		3871
		3872
		3873	a += *row;
		3874	*row++ = (png_byte)a;
		3875	}
		3876	}
		3877
		3878
		3879	png_init_filter_functions(png_structrp pp)
		3880	/* This function is called once for every PNG image (except for PNG images
		3881	* that only use PNG_FILTER_VALUE_NONE for all rows) to set the
		3882	* implementations required to reverse the filtering of PNG rows. Reversing
		3883	* the filter is the first transformation performed on the row data. It is
		3884	* performed in place, therefore an implementation can be selected based on
		3885	* the image pixel format. If the implementation depends on image width then
		3886	* take care to ensure that it works correctly if the image is interlaced -
		3887	* interlacing causes the actual row width to vary.
		3888	*/
		3889	{
		3890	unsigned int bpp = (pp->pixel_depth + 7) >> 3;
		3891
		3892
		3893	pp->read_filter[PNG_FILTER_VALUE_UP-1] = png_read_filter_row_up;
		3894	pp->read_filter[PNG_FILTER_VALUE_AVG-1] = png_read_filter_row_avg;
		3895	if (bpp == 1)
		3896	pp->read_filter[PNG_FILTER_VALUE_PAETH-1] =
		3897	png_read_filter_row_paeth_1byte_pixel;
		3898	else
		3899	pp->read_filter[PNG_FILTER_VALUE_PAETH-1] =
		3900	png_read_filter_row_paeth_multibyte_pixel;
		3901
		3902
		3903	/* To use this define PNG_FILTER_OPTIMIZATIONS as the name of a function to
		3904	* call to install hardware optimizations for the above functions; simply
		3905	* replace whatever elements of the pp->read_filter[] array with a hardware
		3906	* specific (or, for that matter, generic) optimization.
		3907	*
		3908	* To see an example of this examine what configure.ac does when
		3909	* --enable-arm-neon is specified on the command line.
		3910	*/
		3911	PNG_FILTER_OPTIMIZATIONS(pp, bpp);
		3912	#endif
		3913	}
		3914
		3915
1897	serge	3916	png_read_filter_row(png_structrp pp, png_row_infop row_info, png_bytep row,
3928	Serge	3917	png_const_bytep prev_row, int filter)
		3918	{
1897	serge	3919	/* OPTIMIZATION: DO NOT MODIFY THIS FUNCTION, instead #define
3928	Serge	3920	* PNG_FILTER_OPTIMIZATIONS to a function that overrides the generic
		3921	* implementations. See png_init_filter_functions above.
		3922	*/
		3923	if (filter > PNG_FILTER_VALUE_NONE && filter < PNG_FILTER_VALUE_LAST)
		3924	{
1897	serge	3925	if (pp->read_filter[0] == NULL)
3928	Serge	3926	png_init_filter_functions(pp);
		3927
1897	serge	3928
3928	Serge	3929	}
		3930	}
		3931
		3932
		3933	void /* PRIVATE */
		3934	png_read_IDAT_data(png_structrp png_ptr, png_bytep output,
		3935	png_alloc_size_t avail_out)
		3936	{
		3937	/* Loop reading IDATs and decompressing the result into output[avail_out] */
		3938	png_ptr->zstream.next_out = output;
		3939	png_ptr->zstream.avail_out = 0; /* safety: set below */
		3940
		3941
		3942	avail_out = 0;
		3943
		3944
		3945	{
		3946	int ret;
		3947	png_byte tmpbuf[PNG_INFLATE_BUF_SIZE];
		3948
		3949
		3950	{
1897	serge	3951	uInt avail_in;
3928	Serge	3952	png_bytep buffer;
		3953
1897	serge	3954
3928	Serge	3955	{
1897	serge	3956	png_crc_finish(png_ptr, 0);
3928	Serge	3957
		3958
		3959	/* This is an error even in the 'check' case because the code just
		3960	* consumed a non-IDAT header.
		3961	*/
		3962	if (png_ptr->chunk_name != png_IDAT)
		3963	png_error(png_ptr, "Not enough image data");
		3964	}
1897	serge	3965
3928	Serge	3966
		3967
		3968
		3969	avail_in = (uInt)png_ptr->idat_size;
		3970
		3971
		3972	* to minimize memory usage by causing lots of re-allocs, but
		3973	* realistically doing IDAT_read_size re-allocs is not likely to be a
		3974	* big problem.
		3975	*/
		3976	buffer = png_read_buffer(png_ptr, avail_in, 0/error/);
		3977
		3978
		3979	png_ptr->idat_size -= avail_in;
		3980
		3981
		3982	png_ptr->zstream.avail_in = avail_in;
		3983	}
1897	serge	3984
3928	Serge	3985
		3986	if (output != NULL) /* standard read */
		3987	{
1897	serge	3988	uInt out = ZLIB_IO_MAX;
3928	Serge	3989
1897	serge	3990
3928	Serge	3991	out = (uInt)avail_out;
		3992
		3993
		3994	png_ptr->zstream.avail_out = out;
		3995	}
1897	serge	3996
3928	Serge	3997
		3998	{
1897	serge	3999	png_ptr->zstream.next_out = tmpbuf;
3928	Serge	4000	png_ptr->zstream.avail_out = (sizeof tmpbuf);
		4001	}
		4002
1897	serge	4003
3928	Serge	4004	* process. If the LZ stream is truncated the sequential reader will
		4005	* terminally damage the stream, above, by reading the chunk header of the
		4006	* following chunk (it then exits with png_error).
		4007	*
		4008	* TODO: deal more elegantly with truncated IDAT lists.
		4009	*/
		4010	ret = inflate(&png_ptr->zstream, Z_NO_FLUSH);
		4011
1897	serge	4012
3928	Serge	4013	if (output != NULL)
		4014	avail_out += png_ptr->zstream.avail_out;
		4015
1897	serge	4016
3928	Serge	4017	avail_out += (sizeof tmpbuf) - png_ptr->zstream.avail_out;
		4018
1897	serge	4019
3928	Serge	4020
		4021
		4022	{
		4023	/* Do this for safety; we won't read any more into this row. */
		4024	png_ptr->zstream.next_out = NULL;
		4025
		4026
		4027	png_ptr->flags \|= PNG_FLAG_ZSTREAM_ENDED;
		4028
		4029
		4030	png_chunk_benign_error(png_ptr, "Extra compressed data");
		4031	break;
1897	serge	4032	}
		4033
3928	Serge	4034
		4035	{
1897	serge	4036	png_zstream_error(png_ptr, ret);
3928	Serge	4037
1897	serge	4038
3928	Serge	4039	png_chunk_error(png_ptr, png_ptr->zstream.msg);
		4040
		4041
		4042	{
1897	serge	4043	png_chunk_benign_error(png_ptr, png_ptr->zstream.msg);
3928	Serge	4044	return;
		4045	}
1897	serge	4046	}
3928	Serge	4047	} while (avail_out > 0);
		4048
1897	serge	4049
3928	Serge	4050	{
		4051	/* The stream ended before the image; this is the same as too few IDATs so
		4052	* should be handled the same way.
		4053	*/
		4054	if (output != NULL)
		4055	png_error(png_ptr, "Not enough image data");
		4056
1897	serge	4057
3928	Serge	4058	png_chunk_benign_error(png_ptr, "Too much image data");
		4059	}
		4060	}
		4061
1897	serge	4062
3928	Serge	4063	png_read_finish_IDAT(png_structrp png_ptr)
		4064	{
		4065	/* We don't need any more data and the stream should have ended, however the
		4066	* LZ end code may actually not have been processed. In this case we must
		4067	* read it otherwise stray unread IDAT data or, more likely, an IDAT chunk
		4068	* may still remain to be consumed.
		4069	*/
		4070	if (!(png_ptr->flags & PNG_FLAG_ZSTREAM_ENDED))
		4071	{
		4072	/* The NULL causes png_read_IDAT_data to swallow any remaining bytes in
		4073	* the compressed stream, but the stream may be damaged too, so even after
		4074	* this call we may need to terminate the zstream ownership.
		4075	*/
		4076	png_read_IDAT_data(png_ptr, NULL, 0);
		4077	png_ptr->zstream.next_out = NULL; /* safety */
		4078
1897	serge	4079
3928	Serge	4080	* done.
		4081	*/
		4082	if (!(png_ptr->flags & PNG_FLAG_ZSTREAM_ENDED))
		4083	{
		4084	png_ptr->mode \|= PNG_AFTER_IDAT;
		4085	png_ptr->flags \|= PNG_FLAG_ZSTREAM_ENDED;
		4086	}
		4087	}
		4088
1897	serge	4089
3928	Serge	4090	* of the final IDAT chunk.
		4091	*/
		4092	if (png_ptr->zowner == png_IDAT)
		4093	{
		4094	/* Always do this; the pointers otherwise point into the read buffer. */
		4095	png_ptr->zstream.next_in = NULL;
		4096	png_ptr->zstream.avail_in = 0;
		4097
1897	serge	4098
3928	Serge	4099	png_ptr->zowner = 0;
		4100
1897	serge	4101
3928	Serge	4102	* are always in or at the end of an IDAT chunk, so we always need to do a
		4103	* crc_finish here. If idat_size is non-zero we also need to read the
		4104	* spurious bytes at the end of the chunk now.
		4105	*/
		4106	(void)png_crc_finish(png_ptr, png_ptr->idat_size);
		4107	}
1897	serge	4108	}
		4109
		4110
		4111	png_read_finish_row(png_structrp png_ptr)
3928	Serge	4112	{
1897	serge	4113	#ifdef PNG_READ_INTERLACING_SUPPORTED
		4114	/* Arrays to facilitate easy interlacing - use pass (0 - 6) as index */
		4115
		4116
		4117	static PNG_CONST png_byte png_pass_start[7] = {0, 4, 0, 2, 0, 1, 0};
3928	Serge	4118
1897	serge	4119
		4120	static PNG_CONST png_byte png_pass_inc[7] = {8, 8, 4, 4, 2, 2, 1};
3928	Serge	4121
1897	serge	4122
		4123	static PNG_CONST png_byte png_pass_ystart[7] = {0, 0, 4, 0, 2, 0, 1};
3928	Serge	4124
1897	serge	4125
		4126	static PNG_CONST png_byte png_pass_yinc[7] = {8, 8, 8, 4, 4, 2, 2};
3928	Serge	4127	#endif /* PNG_READ_INTERLACING_SUPPORTED */
1897	serge	4128
		4129
		4130	png_ptr->row_number++;
		4131	if (png_ptr->row_number < png_ptr->num_rows)
		4132	return;
		4133
		4134
		4135	if (png_ptr->interlaced)
		4136	{
		4137	png_ptr->row_number = 0;
		4138
		4139
3928	Serge	4140	* read-ahead of the next row's filter byte.
		4141	*/
		4142	memset(png_ptr->prev_row, 0, png_ptr->rowbytes + 1);
		4143
1897	serge	4144
		4145	{
		4146	png_ptr->pass++;
		4147
		4148
		4149	break;
		4150
		4151
		4152	png_pass_inc[png_ptr->pass] - 1 -
		4153	png_pass_start[png_ptr->pass]) /
		4154	png_pass_inc[png_ptr->pass];
		4155
		4156
		4157	{
		4158	png_ptr->num_rows = (png_ptr->height +
		4159	png_pass_yinc[png_ptr->pass] - 1 -
		4160	png_pass_ystart[png_ptr->pass]) /
		4161	png_pass_yinc[png_ptr->pass];
		4162	}
		4163
		4164
		4165	break; /* libpng deinterlacing sees every row */
		4166
		4167
		4168
		4169
		4170	return;
		4171	}
		4172	#endif /* PNG_READ_INTERLACING_SUPPORTED */
		4173
		4174
3928	Serge	4175	png_read_finish_IDAT(png_ptr);
		4176	}
1897	serge	4177	#endif /* PNG_SEQUENTIAL_READ_SUPPORTED */
		4178
		4179
		4180	png_read_start_row(png_structrp png_ptr)
3928	Serge	4181	{
1897	serge	4182	#ifdef PNG_READ_INTERLACING_SUPPORTED
		4183	/* Arrays to facilitate easy interlacing - use pass (0 - 6) as index */
		4184
		4185
		4186	static PNG_CONST png_byte png_pass_start[7] = {0, 4, 0, 2, 0, 1, 0};
3928	Serge	4187
1897	serge	4188
		4189	static PNG_CONST png_byte png_pass_inc[7] = {8, 8, 4, 4, 2, 2, 1};
3928	Serge	4190
1897	serge	4191
		4192	static PNG_CONST png_byte png_pass_ystart[7] = {0, 0, 4, 0, 2, 0, 1};
3928	Serge	4193
1897	serge	4194
		4195	static PNG_CONST png_byte png_pass_yinc[7] = {8, 8, 8, 4, 4, 2, 2};
3928	Serge	4196	#endif
1897	serge	4197
		4198
		4199	png_size_t row_bytes;
		4200
		4201
		4202
3928	Serge	4203
		4204	png_init_read_transformations(png_ptr);
1897	serge	4205	#endif
3928	Serge	4206	#ifdef PNG_READ_INTERLACING_SUPPORTED
1897	serge	4207	if (png_ptr->interlaced)
		4208	{
		4209	if (!(png_ptr->transformations & PNG_INTERLACE))
		4210	png_ptr->num_rows = (png_ptr->height + png_pass_yinc[0] - 1 -
		4211	png_pass_ystart[0]) / png_pass_yinc[0];
		4212
		4213
		4214	png_ptr->num_rows = png_ptr->height;
		4215
		4216
		4217	png_pass_inc[png_ptr->pass] - 1 -
		4218	png_pass_start[png_ptr->pass]) /
		4219	png_pass_inc[png_ptr->pass];
		4220	}
		4221
		4222
		4223	#endif /* PNG_READ_INTERLACING_SUPPORTED */
		4224	{
		4225	png_ptr->num_rows = png_ptr->height;
		4226	png_ptr->iwidth = png_ptr->width;
		4227	}
		4228
		4229
		4230
		4231
3928	Serge	4232	* calculations to calculate the final pixel depth, then
		4233	* png_do_read_transforms actually does the transforms. This means that the
		4234	* code which effectively calculates this value is actually repeated in three
		4235	* separate places. They must all match. Innocent changes to the order of
		4236	* transformations can and will break libpng in a way that causes memory
		4237	* overwrites.
		4238	*
		4239	* TODO: fix this.
		4240	*/
		4241	#ifdef PNG_READ_PACK_SUPPORTED
1897	serge	4242	if ((png_ptr->transformations & PNG_PACK) && png_ptr->bit_depth < 8)
		4243	max_pixel_depth = 8;
		4244	#endif
		4245
		4246
		4247	if (png_ptr->transformations & PNG_EXPAND)
		4248	{
		4249	if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
		4250	{
		4251	if (png_ptr->num_trans)
		4252	max_pixel_depth = 32;
		4253
		4254
		4255	max_pixel_depth = 24;
		4256	}
		4257
		4258
		4259	{
		4260	if (max_pixel_depth < 8)
		4261	max_pixel_depth = 8;
		4262
		4263
		4264	max_pixel_depth *= 2;
		4265	}
		4266
		4267
		4268	{
		4269	if (png_ptr->num_trans)
		4270	{
		4271	max_pixel_depth *= 4;
		4272	max_pixel_depth /= 3;
		4273	}
		4274	}
		4275	}
		4276	#endif
		4277
		4278
3928	Serge	4279	if (png_ptr->transformations & PNG_EXPAND_16)
		4280	{
		4281	# ifdef PNG_READ_EXPAND_SUPPORTED
		4282	/* In fact it is an error if it isn't supported, but checking is
		4283	* the safe way.
		4284	*/
		4285	if (png_ptr->transformations & PNG_EXPAND)
		4286	{
		4287	if (png_ptr->bit_depth < 16)
		4288	max_pixel_depth *= 2;
		4289	}
		4290	else
		4291	# endif
		4292	png_ptr->transformations &= ~PNG_EXPAND_16;
		4293	}
		4294	#endif
		4295
		4296
1897	serge	4297	if (png_ptr->transformations & (PNG_FILLER))
		4298	{
		4299	if (png_ptr->color_type == PNG_COLOR_TYPE_GRAY)
3928	Serge	4300	{
1897	serge	4301	if (max_pixel_depth <= 8)
		4302	max_pixel_depth = 16;
		4303
		4304
		4305	max_pixel_depth = 32;
		4306	}
		4307
		4308
3928	Serge	4309	png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
		4310	{
1897	serge	4311	if (max_pixel_depth <= 32)
		4312	max_pixel_depth = 32;
		4313
		4314
		4315	max_pixel_depth = 64;
		4316	}
		4317	}
		4318	#endif
		4319
		4320
		4321	if (png_ptr->transformations & PNG_GRAY_TO_RGB)
		4322	{
		4323	if (
		4324	#ifdef PNG_READ_EXPAND_SUPPORTED
		4325	(png_ptr->num_trans && (png_ptr->transformations & PNG_EXPAND)) \|\|
		4326	#endif
		4327	#ifdef PNG_READ_FILLER_SUPPORTED
		4328	(png_ptr->transformations & (PNG_FILLER)) \|\|
		4329	#endif
		4330	png_ptr->color_type == PNG_COLOR_TYPE_GRAY_ALPHA)
		4331	{
		4332	if (max_pixel_depth <= 16)
		4333	max_pixel_depth = 32;
		4334
		4335
		4336	max_pixel_depth = 64;
		4337	}
		4338
		4339
		4340	{
		4341	if (max_pixel_depth <= 8)
		4342	{
		4343	if (png_ptr->color_type == PNG_COLOR_TYPE_RGB_ALPHA)
		4344	max_pixel_depth = 32;
		4345
		4346
		4347	max_pixel_depth = 24;
		4348	}
		4349
		4350
		4351	max_pixel_depth = 64;
		4352
		4353
		4354	max_pixel_depth = 48;
		4355	}
		4356	}
		4357	#endif
		4358
		4359
		4360	defined(PNG_USER_TRANSFORM_PTR_SUPPORTED)
		4361	if (png_ptr->transformations & PNG_USER_TRANSFORM)
		4362	{
		4363	int user_pixel_depth = png_ptr->user_transform_depth *
3928	Serge	4364	png_ptr->user_transform_channels;
1897	serge	4365
		4366
		4367	max_pixel_depth = user_pixel_depth;
3928	Serge	4368	}
1897	serge	4369	#endif
		4370
		4371
3928	Serge	4372	* code.
		4373	*/
		4374	png_ptr->maximum_pixel_depth = (png_byte)max_pixel_depth;
		4375	png_ptr->transformed_pixel_depth = 0; /* calculated on demand */
		4376
		4377
1897	serge	4378	* for interlacing
		4379	*/
		4380	row_bytes = ((png_ptr->width + 7) & ~((png_uint_32)7));
		4381	/* Calculate the maximum bytes needed, adding a byte and a pixel
		4382	* for safety's sake
		4383	*/
		4384	row_bytes = PNG_ROWBYTES(max_pixel_depth, row_bytes) +
		4385	1 + ((max_pixel_depth + 7) >> 3);
		4386
		4387
		4388	if (row_bytes > (png_uint_32)65536L)
		4389	png_error(png_ptr, "This image requires a row greater than 64KB");
		4390	#endif
		4391
		4392
		4393	{
		4394	png_free(png_ptr, png_ptr->big_row_buf);
		4395	png_free(png_ptr, png_ptr->big_prev_row);
3928	Serge	4396
1897	serge	4397
		4398	png_ptr->big_row_buf = (png_bytep)png_calloc(png_ptr,
		4399	row_bytes + 48);
		4400
		4401
		4402	png_ptr->big_row_buf = (png_bytep)png_malloc(png_ptr, row_bytes + 48);
3928	Serge	4403
1897	serge	4404
3928	Serge	4405
1897	serge	4406
		4407	/* Use 16-byte aligned memory for row_buf with at least 16 bytes
		4408	* of padding before and after row_buf; treat prev_row similarly.
3928	Serge	4409	* NOTE: the alignment is to the start of the pixels, one beyond the start
		4410	* of the buffer, because of the filter byte. Prior to libpng 1.5.6 this
		4411	* was incorrect; the filter byte was aligned, which had the exact
		4412	* opposite effect of that intended.
		4413	*/
1897	serge	4414	{
3928	Serge	4415	png_bytep temp = png_ptr->big_row_buf + 32;
		4416	int extra = (int)((temp - (png_bytep)0) & 0x0f);
		4417	png_ptr->row_buf = temp - extra - 1/filter byte/;
		4418
1897	serge	4419
3928	Serge	4420	extra = (int)((temp - (png_bytep)0) & 0x0f);
		4421	png_ptr->prev_row = temp - extra - 1/filter byte/;
		4422	}
		4423
		4424
1897	serge	4425	/* Use 31 bytes of padding before and 17 bytes after row_buf. */
3928	Serge	4426	png_ptr->row_buf = png_ptr->big_row_buf + 31;
		4427	png_ptr->prev_row = png_ptr->big_prev_row + 31;
		4428	#endif
1897	serge	4429	png_ptr->old_big_row_buf_size = row_bytes + 48;
		4430	}
		4431
		4432
		4433	if (png_ptr->rowbytes > 65535)
		4434	png_error(png_ptr, "This image requires a row greater than 64KB");
		4435
		4436
		4437	if (png_ptr->rowbytes > (PNG_SIZE_MAX - 1))
		4438	png_error(png_ptr, "Row has too many bytes to allocate in memory");
		4439
		4440
3928	Serge	4441
1897	serge	4442
		4443	png_debug1(3, "height = %u,", png_ptr->height);
		4444	png_debug1(3, "iwidth = %u,", png_ptr->iwidth);
		4445	png_debug1(3, "num_rows = %u,", png_ptr->num_rows);
		4446	png_debug1(3, "rowbytes = %lu,", (unsigned long)png_ptr->rowbytes);
		4447	png_debug1(3, "irowbytes = %lu",
		4448	(unsigned long)PNG_ROWBYTES(png_ptr->pixel_depth, png_ptr->iwidth) + 1);
		4449
		4450
3928	Serge	4451	* does not, so free the read buffer now regardless; the sequential reader
		4452	* reallocates it on demand.
		4453	*/
		4454	if (png_ptr->read_buffer)
		4455	{
		4456	png_bytep buffer = png_ptr->read_buffer;
		4457
		4458
		4459	png_ptr->read_buffer = NULL;
		4460	png_free(png_ptr, buffer);
		4461	}
		4462
		4463
		4464	* value from the stream (note that this will result in a fatal error if the
		4465	* IDAT stream has a bogus deflate header window_bits value, but this should
		4466	* not be happening any longer!)
		4467	*/
		4468	if (png_inflate_claim(png_ptr, png_IDAT) != Z_OK)
		4469	png_error(png_ptr, png_ptr->zstream.msg);
		4470
		4471
1897	serge	4472	}
		4473	#endif /* PNG_READ_SUPPORTED */
		4474	#>

Subversion Repositories Kolibri OS

(root)/programs/develop/libraries/libpng/pngrutil.c – Rev 3928