| blob | 7372a98219ebf72c61831a920f74ab80ab58c069 |
2 /* pngrutil.c - utilities to read a PNG file
3 *
4 * Copyright (c) 2018-2024 Cosmin Truta
5 * Copyright (c) 1998-2002,2004,2006-2018 Glenn Randers-Pehrson
6 * Copyright (c) 1996-1997 Andreas Dilger
7 * Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc.
8 *
9 * This code is released under the libpng license.
10 * For conditions of distribution and use, see the disclaimer
11 * and license in png.h
12 *
13 * This file contains routines that are only called from within
14 * libpng itself during the course of reading an image.
15 */
19 #ifdef PNG_READ_SUPPORTED
21 png_uint_32 PNGAPI
23 {
30 }
32 #if defined(PNG_READ_gAMA_SUPPORTED) || defined(PNG_READ_cHRM_SUPPORTED)
33 /* The following is a variation on the above for use with the fixed
34 * point values used for gAMA and cHRM. Instead of png_error it
35 * issues a warning and returns (-1) - an invalid value because both
36 * gAMA and cHRM use *unsigned* integers for fixed point values.
37 */
38 #define PNG_FIXED_ERROR (-1)
42 {
48 /* The caller can turn off the warning by passing NULL. */
53 }
54 #endif
56 #ifdef PNG_READ_INT_FUNCTIONS_SUPPORTED
57 /* NOTE: the read macros will obscure these definitions, so that if
58 * PNG_USE_READ_MACROS is set the library will not use them internally,
59 * but the APIs will still be available externally.
60 *
61 * The parentheses around "PNGAPI function_name" in the following three
62 * functions are necessary because they allow the macros to co-exist with
63 * these (unused but exported) functions.
64 */
66 /* Grab an unsigned 32-bit integer from a buffer in big-endian format. */
69 {
70 png_uint_32 uval =
77 }
79 /* Grab a signed 32-bit integer from a buffer in big-endian format. The
80 * data is stored in the PNG file in two's complement format and there
81 * is no guarantee that a 'png_int_32' is exactly 32 bits, therefore
82 * the following code does a two's complement to native conversion.
83 */
86 {
94 /* The following has to be safe; this function only gets called on PNG data
95 * and if we get here that data is invalid. 0 is the most safe value and
96 * if not then an attacker would surely just generate a PNG with 0 instead.
97 */
99 }
101 /* Grab an unsigned 16-bit integer from a buffer in big-endian format. */
104 {
105 /* ANSI-C requires an int value to accommodate at least 16 bits so this
106 * works and allows the compiler not to worry about possible narrowing
107 * on 32-bit systems. (Pre-ANSI systems did not make integers smaller
108 * than 16 bits either.)
109 */
115 }
119 /* Read and check the PNG file signature */
122 {
125 /* Exit if the user application does not expect a signature. */
132 #ifdef PNG_IO_STATE_SUPPORTED
134 #endif
136 /* The signature must be serialized in a single I/O call. */
141 {
145 else
147 }
150 }
152 /* Read the chunk header (length + type name).
153 * Put the type name into png_ptr->chunk_name, and return the length.
154 */
155 png_uint_32 /* PRIVATE */
157 {
159 png_uint_32 length;
161 #ifdef PNG_IO_STATE_SUPPORTED
163 #endif
165 /* Read the length and the chunk name.
166 * This must be performed in a single I/O call.
167 */
171 /* Put the chunk name into png_ptr->chunk_name. */
177 /* Reset the crc and run it over the chunk name. */
181 /* Check to see if chunk name is valid. */
184 /* Check for too-large chunk length */
187 #ifdef PNG_IO_STATE_SUPPORTED
189 #endif
192 }
194 /* Read data, and (optionally) run it through the CRC. */
197 {
203 }
205 /* Optionally skip data and then check the CRC. Depending on whether we
206 * are reading an ancillary or critical chunk, and how the program has set
207 * things up, we may calculate the CRC on the data and print a message.
208 * Returns '1' if there was a CRC error, '0' otherwise.
209 */
212 {
213 /* The size of the local buffer for inflate is a good guess as to a
214 * reasonable size to use for buffering reads from the application.
215 */
217 {
218 png_uint_32 len;
227 }
230 {
234 {
236 }
238 else
242 }
245 }
247 /* Compare the CRC stored in the PNG file with that calculated by libpng from
248 * the data it has read thus far.
249 */
252 {
254 png_uint_32 crc;
258 {
262 }
265 {
268 }
270 #ifdef PNG_IO_STATE_SUPPORTED
272 #endif
274 /* The chunk CRC must be serialized in a single I/O call. */
278 {
281 }
283 else
285 }
287 #if defined(PNG_READ_iCCP_SUPPORTED) || defined(PNG_READ_iTXt_SUPPORTED) ||\
288 defined(PNG_READ_pCAL_SUPPORTED) || defined(PNG_READ_sCAL_SUPPORTED) ||\
289 defined(PNG_READ_sPLT_SUPPORTED) || defined(PNG_READ_tEXt_SUPPORTED) ||\
290 defined(PNG_READ_zTXt_SUPPORTED) || defined(PNG_SEQUENTIAL_READ_SUPPORTED)
291 /* Manage the read buffer; this simply reallocates the buffer if it is not small
292 * enough (or if it is not allocated). The routine returns a pointer to the
293 * buffer; if an error occurs and 'warn' is set the routine returns NULL, else
294 * it will call png_error (via png_malloc) on failure. (warn == 2 means
295 * 'silent').
296 */
297 static png_bytep
299 {
303 {
308 }
311 {
315 {
319 }
322 {
326 else
328 }
329 }
332 }
335 /* png_inflate_claim: claim the zstream for some nefarious purpose that involves
336 * decompression. Returns Z_OK on success, else a zlib error code. It checks
337 * the owner but, in final release builds, just issues a warning if some other
338 * chunk apparently owns the stream. Prior to release it does a png_error.
339 */
340 static int
342 {
344 {
348 /* So the message that results is "<chunk> using zstream"; this is an
349 * internal error, but is very useful for debugging. i18n requirements
350 * are minimal.
351 */
353 #if PNG_RELEASE_BUILD
356 #else
358 #endif
359 }
361 /* Implementation note: unlike 'png_deflate_claim' this internal function
362 * does not take the size of the data as an argument. Some efficiency could
363 * be gained by using this when it is known *if* the zlib stream itself does
364 * not record the number; however, this is an illusion: the original writer
365 * of the PNG may have selected a lower window size, and we really must
366 * follow that because, for systems with with limited capabilities, we
367 * would otherwise reject the application's attempts to use a smaller window
368 * size (zlib doesn't have an interface to say "this or lower"!).
369 *
370 * inflateReset2 was added to zlib 1.2.4; before this the window could not be
371 * reset, therefore it is necessary to always allocate the maximum window
372 * size with earlier zlibs just in case later compressed chunks need it.
373 */
374 {
376 #if ZLIB_VERNUM >= 0x1240
379 # if defined(PNG_SET_OPTION_SUPPORTED) && defined(PNG_MAXIMUM_INFLATE_WINDOW)
381 PNG_OPTION_ON)
382 {
385 }
387 else
388 {
390 }
391 # endif
395 /* Set this for safety, just in case the previous owner left pointers to
396 * memory allocations.
397 */
404 {
405 #if ZLIB_VERNUM >= 0x1240
407 #else
409 #endif
410 }
412 else
413 {
414 #if ZLIB_VERNUM >= 0x1240
416 #else
418 #endif
422 }
424 #ifdef PNG_DISABLE_ADLER32_CHECK_SUPPORTED
426 /* Turn off validation of the ADLER32 checksum in IDAT chunks */
428 #endif
433 else
437 }
439 #ifdef window_bits
440 # undef window_bits
441 #endif
442 }
444 #if ZLIB_VERNUM >= 0x1240
445 /* Handle the start of the inflate stream if we called inflateInit2(strm,0);
446 * in this case some zlib versions skip validation of the CINFO field and, in
447 * certain circumstances, libpng may end up displaying an invalid image, in
448 * contrast to implementations that call zlib in the normal way (e.g. libpng
449 * 1.5).
450 */
453 {
455 {
457 {
460 }
463 }
466 }
469 #ifdef PNG_READ_COMPRESSED_TEXT_SUPPORTED
470 #if defined(PNG_READ_zTXt_SUPPORTED) || defined (PNG_READ_iTXt_SUPPORTED)
471 /* png_inflate now returns zlib error codes including Z_OK and Z_STREAM_END to
472 * allow the caller to do multiple calls if required. If the 'finish' flag is
473 * set Z_FINISH will be passed to the final inflate() call and Z_STREAM_END must
474 * be returned or there has been a problem, otherwise Z_SYNC_FLUSH is used and
475 * Z_OK or Z_STREAM_END will be returned on success.
476 *
477 * The input and output sizes are updated to the actual amounts of data consumed
478 * or written, not the amount available (as in a z_stream). The data pointers
479 * are not changed, so the next input is (data+input_size) and the next
480 * available output is (output+output_size).
481 */
482 static int
486 {
488 {
493 /* zlib can't necessarily handle more than 65535 bytes at once (i.e. it
494 * can't even necessarily handle 65536 bytes) because the type uInt is
495 * "16 bits or more". Consequently it is necessary to chunk the input to
496 * zlib. This code uses ZLIB_IO_MAX, from pngpriv.h, as the maximum (the
497 * maximum value that can be stored in a uInt.) It is possible to set
498 * ZLIB_IO_MAX to a lower value in pngpriv.h and this may sometimes have
499 * a performance advantage, because it reduces the amount of data accessed
500 * at each step and that may give the OS more time to page it in.
501 */
503 /* avail_in and avail_out are set below from 'size' */
507 /* Read directly into the output if it is available (this is set to
508 * a local buffer below if output is NULL).
509 */
513 do
514 {
515 uInt avail;
518 /* zlib INPUT BUFFER */
519 /* The setting of 'avail_in' used to be outside the loop; by setting it
520 * inside it is possible to chunk the input to zlib and simply rely on
521 * zlib to advance the 'next_in' pointer. This allows arbitrary
522 * amounts of data to be passed through zlib at the unavoidable cost of
523 * requiring a window save (memcpy of up to 32768 output bytes)
524 * every ZLIB_IO_MAX input bytes.
525 */
536 /* zlib OUTPUT BUFFER */
542 {
543 /* Reset the output buffer each time round if output is NULL and
544 * make available the full buffer, up to 'remaining_space'
545 */
549 }
557 /* zlib inflate call */
558 /* In fact 'avail_out' may be 0 at this point, that happens at the end
559 * of the read when the final LZ end code was not passed at the end of
560 * the previous chunk of input data. Tell zlib if we have reached the
561 * end of the output buffer.
562 */
567 /* For safety kill the local buffer pointer now */
571 /* Claw back the 'size' and 'remaining_space' byte counts. */
575 /* Update the input and output sizes; the updated values are the amount
576 * consumed or written, effectively the inverse of what zlib uses.
577 */
584 /* Ensure png_ptr->zstream.msg is set (even in the success case!) */
587 }
589 else
590 {
591 /* This is a bad internal error. The recovery assigns to the zstream msg
592 * pointer, which is not owned by the caller, but this is safe; it's only
593 * used on errors!
594 */
597 }
598 }
600 /*
601 * Decompress trailing data in a chunk. The assumption is that read_buffer
602 * points at an allocated area holding the contents of a chunk with a
603 * trailing compressed part. What we get back is an allocated area
604 * holding the original prefix part and an uncompressed version of the
605 * trailing part (the malloc area passed in is freed).
606 */
607 static int
612 {
613 /* TODO: implement different limits for different types of chunk.
614 *
615 * The caller supplies *newlength set to the maximum length of the
616 * uncompressed data, but this routine allocates space for the prefix and
617 * maybe a '\0' terminator too. We have to assume that 'prefix_size' is
618 * limited only by the maximum chunk size.
619 */
622 # ifdef PNG_SET_USER_LIMITS_SUPPORTED
626 # elif PNG_USER_CHUNK_MALLOC_MAX > 0
629 # endif
632 {
640 /* Now try to claim the stream. */
644 {
652 {
653 /* Use 'inflateReset' here, not 'inflateReset2' because this
654 * preserves the previously decided window size (otherwise it would
655 * be necessary to store the previous window size.) In practice
656 * this doesn't matter anyway, because png_inflate will call inflate
657 * with Z_FINISH in almost all cases, so the window will not be
658 * maintained.
659 */
661 {
662 /* Because of the limit checks above we know that the new,
663 * expanded, size will fit in a size_t (let alone an
664 * png_alloc_size_t). Use png_malloc_base here to avoid an
665 * extra OOM message.
666 */
671 buffer_size));
674 {
682 {
684 {
691 {
697 }
698 }
700 else
701 {
702 /* The size changed on the second read, there can be no
703 * guarantee that anything is correct at this point.
704 * The 'msg' pointer has been set to "unexpected end of
705 * LZ stream", which is fine, but return an error code
706 * that the caller won't accept.
707 */
709 }
710 }
715 /* Free the text pointer (this is the old read_buffer on
716 * success)
717 */
720 /* This really is very benign, but it's still an error because
721 * the extra space may otherwise be used as a Trojan Horse.
722 */
726 }
728 else
729 {
730 /* Out of memory allocating the buffer */
733 }
734 }
736 else
737 {
738 /* inflateReset failed, store the error message */
741 }
742 }
747 /* Release the claimed stream */
749 }
755 }
757 else
758 {
759 /* Application/configuration limits exceeded */
762 }
763 }
767 #ifdef PNG_READ_iCCP_SUPPORTED
768 /* Perform a partial read and decompress, producing 'avail_out' bytes and
769 * reading from the current chunk as required.
770 */
771 static int
775 {
777 {
780 /* next_in and avail_in must have been initialized by the caller. */
784 do
785 {
787 {
797 }
800 {
807 }
809 /* Use Z_SYNC_FLUSH when there is no more chunk data to ensure that all
810 * the available output is produced; this allows reading of truncated
811 * streams.
812 */
815 }
821 /* Ensure the error message pointer is always set: */
824 }
826 else
827 {
830 }
831 }
834 /* Read and check the IDHR chunk */
838 {
849 /* Check the length */
866 #ifdef PNG_READ_APNG_SUPPORTED
869 #endif
871 /* Set internal variables */
877 #ifdef PNG_MNG_FEATURES_SUPPORTED
879 #endif
882 /* Find number of channels */
884 {
902 }
904 /* Set up other useful info */
912 }
914 /* Read and check the palette */
917 {
920 #ifdef PNG_POINTER_INDEXING_SUPPORTED
921 png_colorp pal_ptr;
922 #endif
929 /* Moved to before the 'after IDAT' check below because otherwise duplicate
930 * PLTE chunks are potentially ignored (the spec says there shall not be more
931 * than one PLTE, the error is not treated as benign, so this check trumps
932 * the requirement that PLTE appears before IDAT.)
933 */
938 {
939 /* This is benign because the non-benign error happened before, when an
940 * IDAT was encountered in a color-mapped image with no PLTE.
941 */
945 }
950 {
954 }
956 #ifndef PNG_READ_OPT_PLTE_SUPPORTED
958 {
961 }
962 #endif
965 {
971 else
975 }
977 /* The cast is safe because 'length' is less than 3*PNG_MAX_PALETTE_LENGTH */
980 /* If the palette has 256 or fewer entries but is too large for the bit
981 * depth, we don't issue an error, to preserve the behavior of previous
982 * libpng versions. We silently truncate the unused extra palette entries
983 * here.
984 */
987 else
993 #ifdef PNG_POINTER_INDEXING_SUPPORTED
995 {
1002 }
1003 #else
1005 {
1009 /* Don't depend upon png_color being any order */
1013 }
1014 #endif
1016 /* If we actually need the PLTE chunk (ie for a paletted image), we do
1017 * whatever the normal CRC configuration tells us. However, if we
1018 * have an RGB image, the PLTE can be considered ancillary, so
1019 * we will act as though it is.
1020 */
1021 #ifndef PNG_READ_OPT_PLTE_SUPPORTED
1023 #endif
1024 {
1026 }
1028 #ifndef PNG_READ_OPT_PLTE_SUPPORTED
1030 {
1031 /* If we don't want to use the data from an ancillary chunk,
1032 * we have two options: an error abort, or a warning and we
1033 * ignore the data in this chunk (which should be OK, since
1034 * it's considered ancillary for a RGB or RGBA image).
1035 *
1036 * IMPLEMENTATION NOTE: this is only here because png_crc_finish uses the
1037 * chunk type to determine whether to check the ancillary or the critical
1038 * flags.
1039 */
1041 {
1045 else
1047 }
1049 /* Otherwise, we (optionally) emit a warning and use the chunk. */
1052 }
1053 #endif
1055 /* TODO: png_set_PLTE has the side effect of setting png_ptr->palette to its
1056 * own copy of the palette. This has the side effect that when png_start_row
1057 * is called (this happens after any call to png_read_update_info) the
1058 * info_ptr palette gets changed. This is extremely unexpected and
1059 * confusing.
1060 *
1061 * Fix this by not sharing the palette in this way.
1062 */
1065 /* The three chunks, bKGD, hIST and tRNS *must* appear after PLTE and before
1066 * IDAT. Prior to 1.6.0 this was not checked; instead the code merely
1067 * checked the apparent validity of a tRNS chunk inserted before PLTE on a
1068 * palette PNG. 1.6.0 attempts to rigorously follow the standard and
1069 * therefore does a benign error if the erroneous condition is detected *and*
1070 * cancels the tRNS if the benign error returns. The alternative is to
1071 * amend the standard since it would be rather hypocritical of the standards
1072 * maintainers to ignore it.
1073 */
1074 #ifdef PNG_READ_tRNS_SUPPORTED
1077 {
1078 /* Cancel this because otherwise it would be used if the transforms
1079 * require it. Don't cancel the 'valid' flag because this would prevent
1080 * detection of duplicate chunks.
1081 */
1088 }
1089 #endif
1091 #ifdef PNG_READ_hIST_SUPPORTED
1094 #endif
1096 #ifdef PNG_READ_bKGD_SUPPORTED
1099 #endif
1100 }
1104 {
1119 }
1121 #ifdef PNG_READ_gAMA_SUPPORTED
1124 {
1125 png_fixed_point igamma;
1134 {
1138 }
1141 {
1145 }
1156 }
1157 #endif
1159 #ifdef PNG_READ_sBIT_SUPPORTED
1162 {
1164 png_byte sample_depth;
1173 {
1177 }
1180 {
1184 }
1187 {
1190 }
1192 else
1193 {
1196 }
1199 {
1203 }
1212 {
1214 {
1217 }
1218 }
1221 {
1226 }
1228 else
1229 {
1235 }
1238 }
1239 #endif
1241 #ifdef PNG_READ_cHRM_SUPPORTED
1244 {
1246 png_xy xy;
1254 {
1258 }
1261 {
1265 }
1289 {
1292 }
1294 /* If a colorspace error has already been output skip this chunk */
1299 {
1304 }
1310 }
1311 #endif
1313 #ifdef PNG_READ_sRGB_SUPPORTED
1316 {
1317 png_byte intent;
1325 {
1329 }
1332 {
1336 }
1343 /* If a colorspace error has already been output skip this chunk */
1347 /* Only one sRGB or iCCP chunk is allowed, use the HAVE_INTENT flag to detect
1348 * this.
1349 */
1351 {
1356 }
1360 }
1363 #ifdef PNG_READ_iCCP_SUPPORTED
1366 /* Note: this does not properly handle profiles that are > 64K under DOS */
1367 {
1377 {
1381 }
1383 /* Consistent with all the above colorspace handling an obviously *invalid*
1384 * chunk is just ignored, so does not invalidate the color space. An
1385 * alternative is to set the 'invalid' flags at the start of this routine
1386 * and only clear them in they were not set before and all the tests pass.
1387 */
1389 /* The keyword must be at least one character and there is a
1390 * terminator (0) byte and the compression method byte, and the
1391 * 'zlib' datastream is at least 11 bytes.
1392 */
1394 {
1398 }
1400 /* If a colorspace error has already been output skip this chunk */
1402 {
1405 }
1407 /* Only one sRGB or iCCP chunk is allowed, use the HAVE_INTENT flag to detect
1408 * this.
1409 */
1411 {
1415 /* Find the keyword; the keyword plus separator and compression method
1416 * bytes can be at most 81 characters long.
1417 */
1425 /* The minimum 'zlib' stream is assumed to be just the 2 byte header,
1426 * 5 bytes minimum 'deflate' stream, and the 4 byte checksum.
1427 */
1429 {
1433 }
1440 /* TODO: make the keyword checking common */
1442 {
1443 /* We only understand '0' compression - deflate - so if we get a
1444 * different value we can't safely decode the chunk.
1445 */
1448 {
1452 {
1464 {
1465 /* We have the ICC profile header; do the basic header checks.
1466 */
1471 {
1472 /* The length is apparently ok, so we can check the 132
1473 * byte header.
1474 */
1478 {
1479 /* Now read the tag table; a variable size buffer is
1480 * needed at this point, allocate one for the whole
1481 * profile. The header check has already validated
1482 * that none of this stuff will overflow.
1483 */
1484 png_uint_32 tag_count =
1490 {
1500 /* Still expect a buffer error because we expect
1501 * there to be some tag data!
1502 */
1504 {
1508 {
1509 /* The profile has been validated for basic
1510 * security issues, so read the whole thing in.
1511 */
1521 PNG_FLAG_BENIGN_ERRORS_WARN))
1524 /* But otherwise allow extra data: */
1526 {
1528 {
1529 /* This can be handled completely, so
1530 * keep going.
1531 */
1534 }
1539 # if defined(PNG_sRGB_SUPPORTED) && PNG_sRGB_PROFILE_CHECKS >= 0
1540 /* Check for a match against sRGB */
1544 # endif
1546 /* Steal the profile for info_ptr. */
1548 {
1556 {
1560 profile_length;
1565 }
1567 else
1568 {
1570 PNG_COLORSPACE_INVALID;
1572 }
1573 }
1575 /* else the profile remains in the read
1576 * buffer which gets reused for subsequent
1577 * chunks.
1578 */
1584 {
1587 }
1588 }
1591 }
1592 /* else png_icc_check_tag_table output an error */
1593 }
1596 }
1598 else
1600 }
1602 /* else png_icc_check_header output an error */
1603 }
1605 /* else png_icc_check_length output an error */
1606 }
1611 /* Release the stream */
1613 }
1617 }
1619 else
1621 }
1623 else
1625 }
1627 else
1630 /* Failure: the reason is in 'errmsg' */
1638 }
1641 #ifdef PNG_READ_sPLT_SUPPORTED
1644 /* Note: this does not properly handle chunks that are > 64K under DOS */
1645 {
1647 png_sPLT_t new_palette;
1648 png_sPLT_entryp pp;
1649 png_uint_32 data_length;
1652 png_uint_32 dl;
1657 #ifdef PNG_USER_LIMITS_SUPPORTED
1659 {
1661 {
1664 }
1667 {
1671 }
1672 }
1673 #endif
1679 {
1683 }
1685 #ifdef PNG_MAX_MALLOC_64K
1687 {
1691 }
1692 #endif
1696 {
1700 }
1703 /* WARNING: this may break if size_t is less than 32 bits; it is assumed
1704 * that the PNG_MAX_MALLOC_64K test is enabled in this case, but this is a
1705 * potential breakage point if the types in pngconf.h aren't exactly right.
1706 */
1719 /* A sample depth should follow the separator, and we should be on it */
1721 {
1724 }
1728 /* This must fit in a png_uint_32 because it is derived from the original
1729 * chunk data length.
1730 */
1733 /* Integrity-check the data length */
1735 {
1738 }
1744 {
1747 }
1755 {
1758 }
1760 #ifdef PNG_POINTER_INDEXING_SUPPORTED
1762 {
1766 {
1771 }
1773 else
1774 {
1779 }
1782 }
1783 #else
1787 {
1790 {
1795 }
1797 else
1798 {
1803 }
1806 }
1807 #endif
1809 /* Discard all chunk data except the name and stash that */
1815 }
1818 #ifdef PNG_READ_tRNS_SUPPORTED
1821 {
1830 {
1834 }
1837 {
1841 }
1844 {
1848 {
1852 }
1857 }
1860 {
1864 {
1868 }
1875 }
1878 {
1880 {
1881 /* TODO: is this actually an error in the ISO spec? */
1885 }
1890 {
1894 }
1898 }
1900 else
1901 {
1905 }
1908 {
1911 }
1913 /* TODO: this is a horrible side effect in the palette case because the
1914 * png_struct ends up with a pointer to the tRNS buffer owned by the
1915 * png_info. Fix this.
1916 */
1919 }
1920 #endif
1922 #ifdef PNG_READ_bKGD_SUPPORTED
1925 {
1928 png_color_16 background;
1938 {
1942 }
1945 {
1949 }
1957 else
1961 {
1965 }
1972 /* We convert the index value into RGB components so that we can allow
1973 * arbitrary RGB values for background when we have transparency, and
1974 * so it is easy to determine the RGB values of the background color
1975 * from the info_ptr struct.
1976 */
1978 {
1982 {
1984 {
1987 }
1992 }
1994 else
1998 }
2001 {
2003 {
2005 {
2008 }
2009 }
2016 }
2018 else
2019 {
2021 {
2023 {
2026 }
2027 }
2034 }
2037 }
2038 #endif
2040 #ifdef PNG_READ_eXIf_SUPPORTED
2043 {
2052 {
2056 }
2059 {
2063 }
2071 {
2075 }
2078 {
2083 {
2086 {
2092 }
2093 }
2094 }
2101 }
2102 #endif
2104 #ifdef PNG_READ_hIST_SUPPORTED
2107 {
2118 {
2122 }
2125 {
2129 }
2136 {
2140 }
2143 {
2148 }
2154 }
2155 #endif
2157 #ifdef PNG_READ_pHYs_SUPPORTED
2160 {
2171 {
2175 }
2178 {
2182 }
2185 {
2189 }
2200 }
2201 #endif
2203 #ifdef PNG_READ_oFFs_SUPPORTED
2206 {
2217 {
2221 }
2224 {
2228 }
2231 {
2235 }
2246 }
2247 #endif
2249 #ifdef PNG_READ_pCAL_SUPPORTED
2250 /* Read the pCAL chunk (described in the PNG Extensions document) */
2253 {
2257 png_charpp params;
2266 {
2270 }
2273 {
2277 }
2285 {
2289 }
2304 /* We need to have at least 12 bytes after the purpose string
2305 * in order to get the parameter information.
2306 */
2308 {
2311 }
2321 /* Check that we have the right number of parameters for known
2322 * equation types.
2323 */
2328 {
2331 }
2334 {
2336 }
2347 {
2350 }
2352 /* Get pointers to the start of each parameter string. */
2354 {
2362 /* Make sure we haven't run out of data yet */
2364 {
2368 }
2369 }
2375 }
2376 #endif
2378 #ifdef PNG_READ_sCAL_SUPPORTED
2379 /* Read the sCAL chunk */
2382 {
2383 png_bytep buffer;
2393 {
2397 }
2400 {
2404 }
2406 /* Need unit type, width, \0, height: minimum 4 bytes */
2408 {
2412 }
2420 {
2424 }
2432 /* Validate the unit. */
2434 {
2437 }
2439 /* Validate the ASCII numbers, need two ASCII numbers separated by
2440 * a '\0' and they need to fit exactly in the chunk data.
2441 */
2452 else
2453 {
2464 else
2465 /* This is the (only) success case. */
2468 }
2469 }
2470 #endif
2472 #ifdef PNG_READ_tIME_SUPPORTED
2475 {
2477 png_time mod_time;
2485 {
2489 }
2495 {
2499 }
2514 }
2515 #endif
2517 #ifdef PNG_READ_tEXt_SUPPORTED
2518 /* Note: this does not properly handle chunks that are > 64K under DOS */
2521 {
2522 png_text text_info;
2523 png_bytep buffer;
2524 png_charp key;
2525 png_charp text;
2530 #ifdef PNG_USER_LIMITS_SUPPORTED
2532 {
2534 {
2537 }
2540 {
2544 }
2545 }
2546 #endif
2554 #ifdef PNG_MAX_MALLOC_64K
2556 {
2560 }
2561 #endif
2566 {
2569 }
2583 text++;
2595 }
2596 #endif
2598 #ifdef PNG_READ_zTXt_SUPPORTED
2599 /* Note: this does not correctly handle chunks that are > 64K under DOS */
2602 {
2604 png_bytep buffer;
2605 png_uint_32 keyword_length;
2609 #ifdef PNG_USER_LIMITS_SUPPORTED
2611 {
2613 {
2616 }
2619 {
2623 }
2624 }
2625 #endif
2633 /* Note, "length" is sufficient here; we won't be adding
2634 * a null terminator later.
2635 */
2639 {
2643 }
2650 /* TODO: also check that the keyword contents match the spec! */
2659 /* zTXt must have some LZ data after the keyword, although it may expand to
2660 * zero bytes; we need a '\0' at the end of the keyword, the compression type
2661 * then the LZ data:
2662 */
2669 else
2670 {
2673 /* TODO: at present png_decompress_chunk imposes a single application
2674 * level memory limit, this should be split to different values for iCCP
2675 * and text chunks.
2676 */
2679 {
2680 png_text text;
2684 else
2685 {
2686 /* It worked; png_ptr->read_buffer now looks like a tEXt chunk
2687 * except for the extra compression type byte and the fact that
2688 * it isn't necessarily '\0' terminated.
2689 */
2703 }
2704 }
2706 else
2708 }
2712 }
2713 #endif
2715 #ifdef PNG_READ_iTXt_SUPPORTED
2716 /* Note: this does not correctly handle chunks that are > 64K under DOS */
2719 {
2721 png_bytep buffer;
2722 png_uint_32 prefix_length;
2726 #ifdef PNG_USER_LIMITS_SUPPORTED
2728 {
2730 {
2733 }
2736 {
2740 }
2741 }
2742 #endif
2753 {
2757 }
2764 /* First the keyword. */
2770 /* Perform a basic check on the keyword length here. */
2774 /* Expect keyword, compression flag, compression type, language, translated
2775 * keyword (both may be empty but are 0 terminated) then the text, which may
2776 * be empty.
2777 */
2784 {
2789 /* Now the language tag */
2797 /* WARNING: the length may be invalid here, this is checked below. */
2804 /* prefix_length should now be at the trailing '\0' of the translated
2805 * keyword, but it may already be over the end. None of this arithmetic
2806 * can overflow because chunks are at most 2^31 bytes long, but on 16-bit
2807 * systems the available allocation may overflow.
2808 */
2815 {
2818 /* TODO: at present png_decompress_chunk imposes a single application
2819 * level memory limit, this should be split to different values for
2820 * iCCP and text chunks.
2821 */
2826 else
2828 }
2830 else
2834 {
2835 png_text text;
2842 else
2854 }
2855 }
2857 else
2862 }
2863 #endif
2865 #ifdef PNG_READ_APNG_SUPPORTED
2868 {
2870 png_uint_32 num_frames;
2871 png_uint_32 num_plays;
2872 png_uint_32 didSet;
2877 {
2879 }
2881 {
2885 }
2887 {
2891 }
2893 {
2897 }
2905 /* the set function will do error checking on num_frames */
2909 }
2913 {
2915 png_uint_32 width;
2916 png_uint_32 height;
2917 png_uint_32 x_offset;
2918 png_uint_32 y_offset;
2919 png_uint_16 delay_num;
2920 png_uint_16 delay_den;
2921 png_byte dispose_op;
2922 png_byte blend_op;
2929 {
2931 }
2933 {
2934 /* for any frames other then the first this message may be misleading,
2935 * but correct. PNG_HAVE_IDAT is unset before the frame head is read
2936 * i can't think of a better message */
2940 }
2942 {
2946 }
2948 {
2952 }
2967 {
2970 }
2973 {
2976 {
2980 }
2982 /* The set function will do more error checking */
2990 }
2991 }
2995 {
2998 {
3001 }
3002 }
3006 {
3009 /* This function is only called from png_read_end(), png_read_info(),
3010 * and png_push_read_chunk() which means that:
3011 * - the user doesn't want to read this frame
3012 * - or this is an out-of-place fdAT
3013 * in either case it is safe to ignore the chunk with a warning */
3017 }
3021 {
3023 png_uint_32 sequence_number;
3036 }
3039 #ifdef PNG_READ_UNKNOWN_CHUNKS_SUPPORTED
3040 /* Utility function for png_handle_unknown; set up png_ptr::unknown_chunk */
3041 static int
3043 {
3047 {
3050 }
3052 # ifdef PNG_SET_USER_LIMITS_SUPPORTED
3057 # elif PNG_USER_CHUNK_MALLOC_MAX > 0
3060 # endif
3063 {
3065 /* The following is safe because of the PNG_SIZE_MAX init above */
3067 /* 'mode' is a flag array, only the bottom four bits matter here */
3073 else
3074 {
3075 /* Do a 'warn' here - it is handled below. */
3078 }
3079 }
3082 {
3083 /* This is benign because we clean up correctly */
3087 }
3089 else
3090 {
3095 }
3096 }
3099 /* Handle an unknown, or known but disabled, chunk */
3103 {
3108 #ifdef PNG_READ_UNKNOWN_CHUNKS_SUPPORTED
3109 /* NOTE: this code is based on the code in libpng-1.4.12 except for fixing
3110 * the bug which meant that setting a non-default behavior for a specific
3111 * chunk would be ignored (the default was always used unless a user
3112 * callback was installed).
3113 *
3114 * 'keep' is the value from the png_chunk_unknown_handling, the setting for
3115 * this specific chunk_name, if PNG_HANDLE_AS_UNKNOWN_SUPPORTED, if not it
3116 * will always be PNG_HANDLE_CHUNK_AS_DEFAULT and it needs to be set here.
3117 * This is just an optimization to avoid multiple calls to the lookup
3118 * function.
3119 */
3120 # ifndef PNG_HANDLE_AS_UNKNOWN_SUPPORTED
3121 # ifdef PNG_SET_UNKNOWN_CHUNKS_SUPPORTED
3123 # endif
3124 # endif
3126 /* One of the following methods will read the chunk or skip it (at least one
3127 * of these is always defined because this is the only way to switch on
3128 * PNG_READ_UNKNOWN_CHUNKS_SUPPORTED)
3129 */
3130 # ifdef PNG_READ_USER_CHUNKS_SUPPORTED
3131 /* The user callback takes precedence over the chunk keep value, but the
3132 * keep value is still required to validate a save of a critical chunk.
3133 */
3135 {
3137 {
3138 /* Callback to user unknown chunk handler */
3142 /* ret is:
3143 * negative: An error occurred; png_chunk_error will be called.
3144 * zero: The chunk was not handled, the chunk will be discarded
3145 * unless png_set_keep_unknown_chunks has been used to set
3146 * a 'keep' behavior for this particular chunk, in which
3147 * case that will be used. A critical chunk will cause an
3148 * error at this point unless it is to be saved.
3149 * positive: The chunk was handled, libpng will ignore/discard it.
3150 */
3155 {
3156 /* If the keep value is 'default' or 'never' override it, but
3157 * still error out on critical chunks unless the keep value is
3158 * 'always' While this is weird it is the behavior in 1.4.12.
3159 * A possible improvement would be to obey the value set for the
3160 * chunk, but this would be an API change that would probably
3161 * damage some applications.
3162 *
3163 * The png_app_warning below catches the case that matters, where
3164 * the application has not set specific save or ignore for this
3165 * chunk or global save or ignore.
3166 */
3168 {
3169 # ifdef PNG_SET_UNKNOWN_CHUNKS_SUPPORTED
3171 {
3174 "forcing save of an unhandled chunk;"
3176 /* with keep = PNG_HANDLE_CHUNK_IF_SAFE */
3177 }
3178 # endif
3180 }
3181 }
3184 {
3186 /* Critical chunks can be safely discarded at this point. */
3188 }
3189 }
3191 else
3193 }
3195 else
3196 /* Use the SAVE_UNKNOWN_CHUNKS code or skip the chunk */
3199 # ifdef PNG_SAVE_UNKNOWN_CHUNKS_SUPPORTED
3200 {
3201 /* keep is currently just the per-chunk setting, if there was no
3202 * setting change it to the global default now (not that this may
3203 * still be AS_DEFAULT) then obtain the cache of the chunk if required,
3204 * if not simply skip the chunk.
3205 */
3212 {
3215 }
3217 else
3219 }
3220 # else
3221 # ifndef PNG_READ_USER_CHUNKS_SUPPORTED
3222 # error no method to support READ_UNKNOWN_CHUNKS
3223 # endif
3225 {
3226 /* If here there is no read callback pointer set and no support is
3227 * compiled in to just save the unknown chunks, so simply skip this
3228 * chunk. If 'keep' is something other than AS_DEFAULT or NEVER then
3229 * the app has erroneously asked for unknown chunk saving when there
3230 * is no support.
3231 */
3236 }
3237 # endif
3239 # ifdef PNG_STORE_UNKNOWN_CHUNKS_SUPPORTED
3240 /* Now store the chunk in the chunk list if appropriate, and if the limits
3241 * permit it.
3242 */
3246 {
3247 # ifdef PNG_USER_LIMITS_SUPPORTED
3249 {
3253 /* FALLTHROUGH */
3255 /* NOTE: prior to 1.6.0 this case resulted in an unknown critical
3256 * chunk being skipped, now there will be a hard error below.
3257 */
3262 /* FALLTHROUGH */
3265 /* Here when the limit isn't reached or when limits are compiled
3266 * out; store the chunk.
3267 */
3271 # ifdef PNG_USER_LIMITS_SUPPORTED
3273 }
3274 # endif
3275 }
3278 # endif
3280 /* Regardless of the error handling below the cached data (if any) can be
3281 * freed now. Notice that the data is not freed if there is a png_error, but
3282 * it will be freed by destroy_read_struct.
3283 */
3289 /* There is no support to read an unknown chunk, so just skip it. */
3295 /* Check for unhandled critical chunks */
3298 }
3300 /* This function is called to verify that a chunk name is valid.
3301 * This function can't have the "critical chunk check" incorporated
3302 * into it, since in the future we will need to be able to call user
3303 * functions to handle unknown critical chunks after we check that
3304 * the chunk name itself is valid.
3305 */
3307 /* Bit hacking: the test for an invalid byte in the 4 byte chunk name is:
3308 *
3309 * ((c) < 65 || (c) > 122 || ((c) > 90 && (c) < 97))
3310 */
3314 {
3321 {
3328 }
3329 }
3333 {
3336 # ifdef PNG_SET_USER_LIMITS_SUPPORTED
3340 # elif PNG_USER_CHUNK_MALLOC_MAX > 0
3343 # endif
3344 #ifdef PNG_READ_APNG_SUPPORTED
3346 #else
3348 #endif
3349 {
3359 else
3365 }
3368 {
3372 }
3373 }
3375 /* Combines the row recently read in with the existing pixels in the row. This
3376 * routine takes care of alpha and transparency if requested. This routine also
3377 * handles the two methods of progressive display of interlaced images,
3378 * depending on the 'display' value; if 'display' is true then the whole row
3379 * (dp) is filled from the start by replicating the available pixels. If
3380 * 'display' is false only those pixels present in the pass are filled in.
3381 */
3384 {
3395 /* Added in 1.5.6: it should not be possible to enter this routine until at
3396 * least one row has been read from the PNG data and transformed.
3397 */
3401 /* Added in 1.5.4: the pixel depth should match the information returned by
3402 * any call to png_read_update_info at this point. Do not continue if we got
3403 * this wrong.
3404 */
3409 /* Don't expect this to ever happen: */
3413 /* Preserve the last byte in cases where only part of it will be overwritten,
3414 * the multiply below may overflow, we don't care because ANSI-C guarantees
3415 * we get the low bits.
3416 */
3419 {
3420 /* end_ptr == NULL is a flag to say do nothing */
3423 # ifdef PNG_READ_PACKSWAP_SUPPORTED
3425 /* little-endian byte */
3429 # endif
3431 /* end_mask is now the bits to *keep* from the destination row */
3432 }
3434 /* For non-interlaced images this reduces to a memcpy(). A memcpy()
3435 * will also happen if interlacing isn't supported or if the application
3436 * does not call png_set_interlace_handling(). In the latter cases the
3437 * caller just gets a sequence of the unexpanded rows from each interlace
3438 * pass.
3439 */
3440 #ifdef PNG_READ_INTERLACING_SUPPORTED
3444 /* The following copies everything for 'display' on passes 0, 2 and 4. */
3446 {
3447 /* Narrow images may have no bits in a pass; the caller should handle
3448 * this, but this test is cheap:
3449 */
3454 {
3455 /* For pixel depths up to 4 bpp the 8-pixel mask can be expanded to fit
3456 * into 32 bits, then a single loop over the bytes using the four byte
3457 * values in the 32-bit mask can be used. For the 'display' option the
3458 * expanded mask may also not require any masking within a byte. To
3459 * make this work the PACKSWAP option must be taken into account - it
3460 * simply requires the pixels to be reversed in each byte.
3461 *
3462 * The 'regular' case requires a mask for each of the first 6 passes,
3463 * the 'display' case does a copy for the even passes in the range
3464 * 0..6. This has already been handled in the test above.
3465 *
3466 * The masks are arranged as four bytes with the first byte to use in
3467 * the lowest bits (little-endian) regardless of the order (PACKSWAP or
3468 * not) of the pixels in each byte.
3469 *
3470 * NOTE: the whole of this logic depends on the caller of this function
3471 * only calling it on rows appropriate to the pass. This function only
3472 * understands the 'x' logic; the 'y' logic is handled by the caller.
3473 *
3474 * The following defines allow generation of compile time constant bit
3475 * masks for each pixel depth and each possibility of swapped or not
3476 * swapped bytes. Pass 'p' is in the range 0..6; 'x', a pixel index,
3477 * is in the range 0..7; and the result is 1 if the pixel is to be
3478 * copied in the pass, 0 if not. 'S' is for the sparkle method, 'B'
3479 * for the block method.
3480 *
3481 * With some compilers a compile time expression of the general form:
3482 *
3483 * (shift >= 32) ? (a >> (shift-32)) : (b >> shift)
3484 *
3485 * Produces warnings with values of 'shift' in the range 33 to 63
3486 * because the right hand side of the ?: expression is evaluated by
3487 * the compiler even though it isn't used. Microsoft Visual C (various
3488 * versions) and the Intel C compiler are known to do this. To avoid
3489 * this the following macros are used in 1.5.6. This is a temporary
3490 * solution to avoid destabilizing the code during the release process.
3491 */
3492 # if PNG_USE_COMPILE_TIME_MASKS
3493 # define PNG_LSR(x,s) ((x)>>((s) & 0x1f))
3494 # define PNG_LSL(x,s) ((x)<<((s) & 0x1f))
3495 # else
3496 # define PNG_LSR(x,s) ((x)>>(s))
3497 # define PNG_LSL(x,s) ((x)<<(s))
3498 # endif
3499 # define S_COPY(p,x) (((p)<4 ? PNG_LSR(0x80088822,(3-(p))*8+(7-(x))) :\
3500 PNG_LSR(0xaa55ff00,(7-(p))*8+(7-(x)))) & 1)
3501 # define B_COPY(p,x) (((p)<4 ? PNG_LSR(0xff0fff33,(3-(p))*8+(7-(x))) :\
3502 PNG_LSR(0xff55ff00,(7-(p))*8+(7-(x)))) & 1)
3504 /* Return a mask for pass 'p' pixel 'x' at depth 'd'. The mask is
3505 * little endian - the first pixel is at bit 0 - however the extra
3506 * parameter 's' can be set to cause the mask position to be swapped
3507 * within each byte, to match the PNG format. This is done by XOR of
3508 * the shift with 7, 6 or 4 for bit depths 1, 2 and 4.
3509 */
3510 # define PIXEL_MASK(p,x,d,s) \
3511 (PNG_LSL(((PNG_LSL(1U,(d)))-1),(((x)*(d))^((s)?8-(d):0))))
3513 /* Hence generate the appropriate 'block' or 'sparkle' pixel copy mask.
3514 */
3515 # define S_MASKx(p,x,d,s) (S_COPY(p,x)?PIXEL_MASK(p,x,d,s):0)
3516 # define B_MASKx(p,x,d,s) (B_COPY(p,x)?PIXEL_MASK(p,x,d,s):0)
3518 /* Combine 8 of these to get the full mask. For the 1-bpp and 2-bpp
3519 * cases the result needs replicating, for the 4-bpp case the above
3520 * generates a full 32 bits.
3521 */
3522 # define MASK_EXPAND(m,d) ((m)*((d)==1?0x01010101:((d)==2?0x00010001:1)))
3524 # define S_MASK(p,d,s) MASK_EXPAND(S_MASKx(p,0,d,s) + S_MASKx(p,1,d,s) +\
3525 S_MASKx(p,2,d,s) + S_MASKx(p,3,d,s) + S_MASKx(p,4,d,s) +\
3526 S_MASKx(p,5,d,s) + S_MASKx(p,6,d,s) + S_MASKx(p,7,d,s), d)
3528 # define B_MASK(p,d,s) MASK_EXPAND(B_MASKx(p,0,d,s) + B_MASKx(p,1,d,s) +\
3529 B_MASKx(p,2,d,s) + B_MASKx(p,3,d,s) + B_MASKx(p,4,d,s) +\
3530 B_MASKx(p,5,d,s) + B_MASKx(p,6,d,s) + B_MASKx(p,7,d,s), d)
3532 #if PNG_USE_COMPILE_TIME_MASKS
3533 /* Utility macros to construct all the masks for a depth/swap
3534 * combination. The 's' parameter says whether the format is PNG
3535 * (big endian bytes) or not. Only the three odd-numbered passes are
3536 * required for the display/block algorithm.
3537 */
3538 # define S_MASKS(d,s) { S_MASK(0,d,s), S_MASK(1,d,s), S_MASK(2,d,s),\
3539 S_MASK(3,d,s), S_MASK(4,d,s), S_MASK(5,d,s) }
3541 # define B_MASKS(d,s) { B_MASK(1,d,s), B_MASK(3,d,s), B_MASK(5,d,s) }
3543 # define DEPTH_INDEX(d) ((d)==1?0:((d)==2?1:2))
3545 /* Hence the pre-compiled masks indexed by PACKSWAP (or not), depth and
3546 * then pass:
3547 */
3549 {
3550 /* Little-endian byte masks for PACKSWAP */
3552 /* Normal (big-endian byte) masks - PNG format */
3554 };
3556 /* display_mask has only three entries for the odd passes, so index by
3557 * pass>>1.
3558 */
3560 {
3561 /* Little-endian byte masks for PACKSWAP */
3563 /* Normal (big-endian byte) masks - PNG format */
3565 };
3567 # define MASK(pass,depth,display,png)\
3568 ((display)?display_mask[png][DEPTH_INDEX(depth)][pass>>1]:\
3569 row_mask[png][DEPTH_INDEX(depth)][pass])
3572 /* This is the runtime alternative: it seems unlikely that this will
3573 * ever be either smaller or faster than the compile time approach.
3574 */
3575 # define MASK(pass,depth,display,png)\
3576 ((display)?B_MASK(pass,depth,png):S_MASK(pass,depth,png))
3579 /* Use the appropriate mask to copy the required bits. In some cases
3580 * the byte mask will be 0 or 0xff; optimize these cases. row_width is
3581 * the number of pixels, but the code copies bytes, so it is necessary
3582 * to special case the end.
3583 */
3585 png_uint_32 mask;
3587 # ifdef PNG_READ_PACKSWAP_SUPPORTED
3591 else
3592 # endif
3596 {
3597 png_uint_32 m;
3599 /* It doesn't matter in the following if png_uint_32 has more than
3600 * 32 bits because the high bits always match those in m<<24; it is,
3601 * however, essential to use OR here, not +, because of this.
3602 */
3608 {
3611 else
3613 }
3615 /* NOTE: this may overwrite the last byte with garbage if the image
3616 * is not an exact number of bytes wide; libpng has always done
3617 * this.
3618 */
3625 }
3626 }
3629 {
3632 /* Validate the depth - it must be a multiple of 8 */
3639 /* Regardless of pass number the Adam 7 interlace always results in a
3640 * fixed number of pixels to copy then to skip. There may be a
3641 * different number of pixels to skip at the start though.
3642 */
3643 {
3649 }
3651 /* Work out the bytes to copy. */
3653 {
3654 /* When doing the 'block' algorithm the pixel in the pass gets
3655 * replicated to adjacent pixels. This is why the even (0,2,4,6)
3656 * passes are skipped above - the entire expanded row is copied.
3657 */
3660 /* But don't allow this number to exceed the actual row width. */
3663 }
3668 /* In Adam7 there is a constant offset between where the pixels go. */
3671 /* And simply copy these bytes. Some optimization is possible here,
3672 * depending on the value of 'bytes_to_copy'. Special case the low
3673 * byte counts, which we know to be frequent.
3674 *
3675 * Notice that these cases all 'return' rather than 'break' - this
3676 * avoids an unnecessary test on whether to restore the last byte
3677 * below.
3678 */
3680 {
3683 {
3692 }
3695 /* There is a possibility of a partial copy at the end here; this
3696 * slows the code down somewhat.
3697 */
3698 do
3699 {
3708 }
3711 /* And there can only be one byte left at this point: */
3716 /* This can only be the RGB case, so each copy is exactly one
3717 * pixel and it is not necessary to check for a partial copy.
3718 */
3720 {
3729 }
3732 #if PNG_ALIGN_TYPE != PNG_ALIGN_NONE
3733 /* Check for double byte alignment and, if possible, use a
3734 * 16-bit copy. Don't attempt this for narrow images - ones that
3735 * are less than an interlace panel wide. Don't attempt it for
3736 * wide bytes_to_copy either - use the memcpy there.
3737 */
3743 {
3744 /* Everything is aligned for png_uint_16 copies, but try for
3745 * png_uint_32 first.
3746 */
3751 {
3758 do
3759 {
3761 do
3762 {
3765 }
3774 }
3777 /* Get to here when the row_width truncates the final copy.
3778 * There will be 1-3 bytes left to copy, so don't try the
3779 * 16-bit loop below.
3780 */
3783 do
3787 }
3789 /* Else do it in 16-bit quantities, but only if the size is
3790 * not too large.
3791 */
3792 else
3793 {
3800 do
3801 {
3803 do
3804 {
3807 }
3816 }
3819 /* End of row - 1 byte left, bytes_to_copy > row_width: */
3822 do
3826 }
3827 }
3830 /* The true default - use a memcpy: */
3832 {
3843 }
3844 }
3846 /* NOT REACHED*/
3849 /* Here if pixel_depth < 8 to check 'end_ptr' below. */
3850 }
3851 else
3854 /* If here then the switch above wasn't used so just memcpy the whole row
3855 * from the temporary row buffer (notice that this overwrites the end of the
3856 * destination row if it is a partial byte.)
3857 */
3860 /* Restore the overwritten bits from the last byte if necessary. */
3863 }
3865 #ifdef PNG_READ_INTERLACING_SUPPORTED
3869 {
3870 /* Arrays to facilitate easy interlacing - use pass (0 - 6) as index */
3871 /* Offset to next interlace block */
3876 {
3877 png_uint_32 final_width;
3882 {
3884 {
3891 png_byte v;
3892 png_uint_32 i;
3895 #ifdef PNG_READ_PACKSWAP_SUPPORTED
3897 {
3903 }
3905 else
3906 #endif
3907 {
3913 }
3916 {
3919 {
3925 {
3927 dp--;
3928 }
3930 else
3932 }
3935 {
3937 sp--;
3938 }
3940 else
3942 }
3944 }
3947 {
3954 png_uint_32 i;
3956 #ifdef PNG_READ_PACKSWAP_SUPPORTED
3958 {
3964 }
3966 else
3967 #endif
3968 {
3974 }
3977 {
3978 png_byte v;
3983 {
3989 {
3991 dp--;
3992 }
3994 else
3996 }
3999 {
4001 sp--;
4002 }
4004 else
4006 }
4008 }
4011 {
4017 png_uint_32 i;
4020 #ifdef PNG_READ_PACKSWAP_SUPPORTED
4022 {
4028 }
4030 else
4031 #endif
4032 {
4038 }
4041 {
4046 {
4052 {
4054 dp--;
4055 }
4057 else
4059 }
4062 {
4064 sp--;
4065 }
4067 else
4069 }
4071 }
4074 {
4083 png_uint_32 i;
4086 {
4093 {
4096 }
4099 }
4101 }
4102 }
4106 }
4107 #ifndef PNG_READ_PACKSWAP_SUPPORTED
4109 #endif
4110 }
4113 static void
4115 png_const_bytep prev_row)
4116 {
4125 {
4127 rp++;
4128 }
4129 }
4131 static void
4133 png_const_bytep prev_row)
4134 {
4141 {
4143 rp++;
4144 }
4145 }
4147 static void
4149 png_const_bytep prev_row)
4150 {
4158 {
4162 rp++;
4163 }
4166 {
4170 rp++;
4171 }
4172 }
4174 static void
4176 png_const_bytep prev_row)
4177 {
4181 /* First pixel/byte */
4186 /* Remainder */
4188 {
4197 #ifdef PNG_USE_ABS
4201 #else
4205 #endif
4207 /* Find the best predictor, the least of pa, pb, pc favoring the earlier
4208 * ones in the case of a tie.
4209 */
4211 {
4213 }
4216 /* Calculate the current pixel in a, and move the previous row pixel to c
4217 * for the next time round the loop
4218 */
4222 }
4223 }
4225 static void
4227 png_const_bytep prev_row)
4228 {
4232 /* Process the first pixel in the row completely (this is the same as 'up'
4233 * because there is only one candidate predictor for the first row).
4234 */
4236 {
4239 }
4241 /* Remainder */
4245 {
4255 #ifdef PNG_USE_ABS
4259 #else
4263 #endif
4266 {
4268 }
4273 }
4274 }
4276 static void
4278 /* This function is called once for every PNG image (except for PNG images
4279 * that only use PNG_FILTER_VALUE_NONE for all rows) to set the
4280 * implementations required to reverse the filtering of PNG rows. Reversing
4281 * the filter is the first transformation performed on the row data. It is
4282 * performed in place, therefore an implementation can be selected based on
4283 * the image pixel format. If the implementation depends on image width then
4284 * take care to ensure that it works correctly if the image is interlaced -
4285 * interlacing causes the actual row width to vary.
4286 */
4287 {
4295 png_read_filter_row_paeth_1byte_pixel;
4296 else
4298 png_read_filter_row_paeth_multibyte_pixel;
4300 #ifdef PNG_FILTER_OPTIMIZATIONS
4301 /* To use this define PNG_FILTER_OPTIMIZATIONS as the name of a function to
4302 * call to install hardware optimizations for the above functions; simply
4303 * replace whatever elements of the pp->read_filter[] array with a hardware
4304 * specific (or, for that matter, generic) optimization.
4305 *
4306 * To see an example of this examine what configure.ac does when
4307 * --enable-arm-neon is specified on the command line.
4308 */
4310 #endif
4311 }
4316 {
4317 /* OPTIMIZATION: DO NOT MODIFY THIS FUNCTION, instead #define
4318 * PNG_FILTER_OPTIMIZATIONS to a function that overrides the generic
4319 * implementations. See png_init_filter_functions above.
4320 */
4322 {
4327 }
4328 }
4330 #ifdef PNG_SEQUENTIAL_READ_SUPPORTED
4333 png_alloc_size_t avail_out)
4334 {
4335 /* Loop reading IDATs and decompressing the result into output[avail_out] */
4342 do
4343 {
4348 {
4349 uInt avail_in;
4350 png_bytep buffer;
4352 #ifdef PNG_READ_APNG_SUPPORTED
4356 {
4362 {
4365 }
4366 else
4367 {
4371 {
4376 }
4381 }
4382 }
4383 #else
4385 {
4389 /* This is an error even in the 'check' case because the code just
4390 * consumed a non-IDAT header.
4391 */
4394 }
4402 /* A PNG with a gradually increasing IDAT size will defeat this attempt
4403 * to minimize memory usage by causing lots of re-allocs, but
4404 * realistically doing IDAT_read_size re-allocs is not likely to be a
4405 * big problem.
4406 */
4414 }
4416 /* And set up the output side. */
4418 {
4426 }
4429 {
4432 }
4434 /* Use NO_FLUSH; this gives zlib the maximum opportunity to optimize the
4435 * process. If the LZ stream is truncated the sequential reader will
4436 * terminally damage the stream, above, by reading the chunk header of the
4437 * following chunk (it then exits with png_error).
4438 *
4439 * TODO: deal more elegantly with truncated IDAT lists.
4440 */
4443 /* Take the unconsumed output back. */
4453 {
4454 /* Do this for safety; we won't read any more into this row. */
4459 #ifdef PNG_READ_APNG_SUPPORTED
4461 #endif
4466 }
4469 {
4476 {
4479 }
4480 }
4484 {
4485 /* The stream ended before the image; this is the same as too few IDATs so
4486 * should be handled the same way.
4487 */
4493 }
4494 }
4498 {
4499 /* We don't need any more data and the stream should have ended, however the
4500 * LZ end code may actually not have been processed. In this case we must
4501 * read it otherwise stray unread IDAT data or, more likely, an IDAT chunk
4502 * may still remain to be consumed.
4503 */
4505 {
4506 /* The NULL causes png_read_IDAT_data to swallow any remaining bytes in
4507 * the compressed stream, but the stream may be damaged too, so even after
4508 * this call we may need to terminate the zstream ownership.
4509 */
4513 /* Now clear everything out for safety; the following may not have been
4514 * done.
4515 */
4517 {
4520 }
4521 }
4523 /* If the zstream has not been released do it now *and* terminate the reading
4524 * of the final IDAT chunk.
4525 */
4527 {
4528 /* Always do this; the pointers otherwise point into the read buffer. */
4532 /* Now we no longer own the zstream. */
4535 /* The slightly weird semantics of the sequential IDAT reading is that we
4536 * are always in or at the end of an IDAT chunk, so we always need to do a
4537 * crc_finish here. If idat_size is non-zero we also need to read the
4538 * spurious bytes at the end of the chunk now.
4539 */
4541 }
4542 }
4546 {
4547 /* Arrays to facilitate easy interlacing - use pass (0 - 6) as index */
4549 /* Start of interlace block */
4552 /* Offset to next interlace block */
4555 /* Start of interlace block in the y direction */
4558 /* Offset to next interlace block in the y direction */
4567 {
4570 /* TO DO: don't do this if prev_row isn't needed (requires
4571 * read-ahead of the next row's filter byte.
4572 */
4575 do
4576 {
4588 {
4593 }
4602 }
4604 /* Here after at the end of the last row of the last pass. */
4606 }
4611 {
4612 /* Arrays to facilitate easy interlacing - use pass (0 - 6) as index */
4614 /* Start of interlace block */
4617 /* Offset to next interlace block */
4620 /* Start of interlace block in the y direction */
4623 /* Offset to next interlace block in the y direction */
4631 #ifdef PNG_READ_TRANSFORMS_SUPPORTED
4633 #endif
4635 {
4640 else
4647 }
4649 else
4650 {
4653 }
4657 /* WARNING: * png_read_transform_info (pngrtran.c) performs a simpler set of
4658 * calculations to calculate the final pixel depth, then
4659 * png_do_read_transforms actually does the transforms. This means that the
4660 * code which effectively calculates this value is actually repeated in three
4661 * separate places. They must all match. Innocent changes to the order of
4662 * transformations can and will break libpng in a way that causes memory
4663 * overwrites.
4664 *
4665 * TODO: fix this.
4666 */
4667 #ifdef PNG_READ_PACK_SUPPORTED
4670 #endif
4672 #ifdef PNG_READ_EXPAND_SUPPORTED
4674 {
4676 {
4680 else
4682 }
4685 {
4691 }
4694 {
4696 {
4699 }
4700 }
4701 }
4702 #endif
4704 #ifdef PNG_READ_EXPAND_16_SUPPORTED
4706 {
4707 # ifdef PNG_READ_EXPAND_SUPPORTED
4708 /* In fact it is an error if it isn't supported, but checking is
4709 * the safe way.
4710 */
4712 {
4715 }
4716 else
4717 # endif
4719 }
4720 #endif
4722 #ifdef PNG_READ_FILLER_SUPPORTED
4724 {
4726 {
4730 else
4732 }
4736 {
4740 else
4742 }
4743 }
4744 #endif
4746 #ifdef PNG_READ_GRAY_TO_RGB_SUPPORTED
4748 {
4750 #ifdef PNG_READ_EXPAND_SUPPORTED
4753 #endif
4754 #ifdef PNG_READ_FILLER_SUPPORTED
4756 #endif
4758 {
4762 else
4764 }
4766 else
4767 {
4769 {
4773 else
4775 }
4780 else
4782 }
4783 }
4784 #endif
4786 #if defined(PNG_READ_USER_TRANSFORM_SUPPORTED) && \
4787 defined(PNG_USER_TRANSFORM_PTR_SUPPORTED)
4789 {
4795 }
4796 #endif
4798 /* This value is stored in png_struct and double checked in the row read
4799 * code.
4800 */
4804 /* Align the width on the next larger 8 pixels. Mainly used
4805 * for interlacing
4806 */
4808 /* Calculate the maximum bytes needed, adding a byte and a pixel
4809 * for safety's sake
4810 */
4814 #ifdef PNG_MAX_MALLOC_64K
4817 #endif
4820 {
4828 else
4833 #ifdef PNG_ALIGNED_MEMORY_SUPPORTED
4834 /* Use 16-byte aligned memory for row_buf with at least 16 bytes
4835 * of padding before and after row_buf; treat prev_row similarly.
4836 * NOTE: the alignment is to the start of the pixels, one beyond the start
4837 * of the buffer, because of the filter byte. Prior to libpng 1.5.6 this
4838 * was incorrect; the filter byte was aligned, which had the exact
4839 * opposite effect of that intended.
4840 */
4841 {
4849 }
4850 #else
4851 /* Use 31 bytes of padding before and 17 bytes after row_buf. */
4854 #endif
4856 }
4858 #ifdef PNG_MAX_MALLOC_64K
4862 #endif
4876 /* The sequential reader needs a buffer for IDAT, but the progressive reader
4877 * does not, so free the read buffer now regardless; the sequential reader
4878 * reallocates it on demand.
4879 */
4881 {
4887 }
4889 /* Finally claim the zstream for the inflate of the IDAT data, use the bits
4890 * value from the stream (note that this will result in a fatal error if the
4891 * IDAT stream has a bogus deflate header window_bits value, but this should
4892 * not be happening any longer!)
4893 */
4898 }
4900 #ifdef PNG_READ_APNG_SUPPORTED
4901 /* This function is to be called after the main IDAT set has been read and
4902 * before a new IDAT is read. It resets some parts of png_ptr
4903 * to make them usable by the read functions again */
4906 {
4911 }
4915 {
4923 }
4925 #ifdef PNG_PROGRESSIVE_READ_SUPPORTED
4926 /* same as png_read_reset() but for the progressive reader */
4929 {
4930 #ifdef PNG_READ_INTERLACING_SUPPORTED
4931 /* Arrays to facilitate easy interlacing - use pass (0 - 6) as index */
4933 /* Start of interlace block */
4936 /* Offset to next interlace block */
4939 /* Start of interlace block in the y direction */
4942 /* Offset to next interlace block in the y direction */
4946 {
4950 else
4957 }
4958 else
4960 {
4963 }
4972 }