| blob | 6c5c37526bc5bc8608fdd62c44922189e4be1298 |
2 /* pngrutil.c - utilities to read a PNG file
3 *
4 * Last changed in libpng 1.6.17 [March 26, 2015]
5 * Copyright (c) 1998-2015 Glenn Randers-Pehrson
6 * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
7 * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
8 *
9 * This code is released under the libpng license.
10 * For conditions of distribution and use, see the disclaimer
11 * and license in png.h
12 *
13 * This file contains routines that are only called from within
14 * libpng itself during the course of reading an image.
15 */
19 #ifdef PNG_READ_SUPPORTED
21 png_uint_32 PNGAPI
23 {
30 }
32 #if defined(PNG_READ_gAMA_SUPPORTED) || defined(PNG_READ_cHRM_SUPPORTED)
33 /* The following is a variation on the above for use with the fixed
34 * point values used for gAMA and cHRM. Instead of png_error it
35 * issues a warning and returns (-1) - an invalid value because both
36 * gAMA and cHRM use *unsigned* integers for fixed point values.
37 */
38 #define PNG_FIXED_ERROR (-1)
42 {
48 /* The caller can turn off the warning by passing NULL. */
53 }
54 #endif
56 #ifdef PNG_READ_INT_FUNCTIONS_SUPPORTED
57 /* NOTE: the read macros will obscure these definitions, so that if
58 * PNG_USE_READ_MACROS is set the library will not use them internally,
59 * but the APIs will still be available externally.
60 *
61 * The parentheses around "PNGAPI function_name" in the following three
62 * functions are necessary because they allow the macros to co-exist with
63 * these (unused but exported) functions.
64 */
66 /* Grab an unsigned 32-bit integer from a buffer in big-endian format. */
69 {
70 png_uint_32 uval =
77 }
79 /* Grab a signed 32-bit integer from a buffer in big-endian format. The
80 * data is stored in the PNG file in two's complement format and there
81 * is no guarantee that a 'png_int_32' is exactly 32 bits, therefore
82 * the following code does a two's complement to native conversion.
83 */
86 {
93 }
95 /* Grab an unsigned 16-bit integer from a buffer in big-endian format. */
98 {
99 /* ANSI-C requires an int value to accomodate at least 16 bits so this
100 * works and allows the compiler not to worry about possible narrowing
101 * on 32 bit systems. (Pre-ANSI systems did not make integers smaller
102 * than 16 bits either.)
103 */
109 }
113 /* Read and check the PNG file signature */
116 {
119 /* Exit if the user application does not expect a signature. */
126 #ifdef PNG_IO_STATE_SUPPORTED
128 #endif
130 /* The signature must be serialized in a single I/O call. */
135 {
139 else
141 }
144 }
146 /* Read the chunk header (length + type name).
147 * Put the type name into png_ptr->chunk_name, and return the length.
148 */
149 png_uint_32 /* PRIVATE */
151 {
153 png_uint_32 length;
155 #ifdef PNG_IO_STATE_SUPPORTED
157 #endif
159 /* Read the length and the chunk name.
160 * This must be performed in a single I/O call.
161 */
165 /* Put the chunk name into png_ptr->chunk_name. */
171 /* Reset the crc and run it over the chunk name. */
175 /* Check to see if chunk name is valid. */
178 #ifdef PNG_IO_STATE_SUPPORTED
180 #endif
183 }
185 /* Read data, and (optionally) run it through the CRC. */
188 {
194 }
196 /* Optionally skip data and then check the CRC. Depending on whether we
197 * are reading an ancillary or critical chunk, and how the program has set
198 * things up, we may calculate the CRC on the data and print a message.
199 * Returns '1' if there was a CRC error, '0' otherwise.
200 */
203 {
204 /* The size of the local buffer for inflate is a good guess as to a
205 * reasonable size to use for buffering reads from the application.
206 */
208 {
209 png_uint_32 len;
218 }
221 {
225 {
227 }
229 else
233 }
236 }
238 /* Compare the CRC stored in the PNG file with that calculated by libpng from
239 * the data it has read thus far.
240 */
243 {
245 png_uint_32 crc;
249 {
253 }
256 {
259 }
261 #ifdef PNG_IO_STATE_SUPPORTED
263 #endif
265 /* The chunk CRC must be serialized in a single I/O call. */
269 {
272 }
274 else
276 }
278 #if defined(PNG_READ_iCCP_SUPPORTED) || defined(PNG_READ_iTXt_SUPPORTED) ||\
279 defined(PNG_READ_pCAL_SUPPORTED) || defined(PNG_READ_sCAL_SUPPORTED) ||\
280 defined(PNG_READ_sPLT_SUPPORTED) || defined(PNG_READ_tEXt_SUPPORTED) ||\
281 defined(PNG_READ_zTXt_SUPPORTED) || defined(PNG_SEQUENTIAL_READ_SUPPORTED)
282 /* Manage the read buffer; this simply reallocates the buffer if it is not small
283 * enough (or if it is not allocated). The routine returns a pointer to the
284 * buffer; if an error occurs and 'warn' is set the routine returns NULL, else
285 * it will call png_error (via png_malloc) on failure. (warn == 2 means
286 * 'silent').
287 */
288 static png_bytep
290 {
294 {
300 }
303 {
307 {
310 }
313 {
317 else
319 }
320 }
323 }
326 /* png_inflate_claim: claim the zstream for some nefarious purpose that involves
327 * decompression. Returns Z_OK on success, else a zlib error code. It checks
328 * the owner but, in final release builds, just issues a warning if some other
329 * chunk apparently owns the stream. Prior to release it does a png_error.
330 */
331 static int
333 {
335 {
339 /* So the message that results is "<chunk> using zstream"; this is an
340 * internal error, but is very useful for debugging. i18n requirements
341 * are minimal.
342 */
344 #if PNG_LIBPNG_BUILD_BASE_TYPE >= PNG_LIBPNG_BUILD_RC
347 #else
349 #endif
350 }
352 /* Implementation note: unlike 'png_deflate_claim' this internal function
353 * does not take the size of the data as an argument. Some efficiency could
354 * be gained by using this when it is known *if* the zlib stream itself does
355 * not record the number; however, this is an illusion: the original writer
356 * of the PNG may have selected a lower window size, and we really must
357 * follow that because, for systems with with limited capabilities, we
358 * would otherwise reject the application's attempts to use a smaller window
359 * size (zlib doesn't have an interface to say "this or lower"!).
360 *
361 * inflateReset2 was added to zlib 1.2.4; before this the window could not be
362 * reset, therefore it is necessary to always allocate the maximum window
363 * size with earlier zlibs just in case later compressed chunks need it.
364 */
365 {
367 #if PNG_ZLIB_VERNUM >= 0x1240
369 # if defined(PNG_SET_OPTION_SUPPORTED) && defined(PNG_MAXIMUM_INFLATE_WINDOW)
373 PNG_OPTION_ON)
376 else
378 # else
379 # define window_bits 0
380 # endif
381 #endif
383 /* Set this for safety, just in case the previous owner left pointers to
384 * memory allocations.
385 */
392 {
393 #if PNG_ZLIB_VERNUM < 0x1240
395 #else
397 #endif
398 }
400 else
401 {
402 #if PNG_ZLIB_VERNUM < 0x1240
404 #else
406 #endif
410 }
415 else
419 }
421 #ifdef window_bits
422 # undef window_bits
423 #endif
424 }
426 #ifdef PNG_READ_COMPRESSED_TEXT_SUPPORTED
427 /* png_inflate now returns zlib error codes including Z_OK and Z_STREAM_END to
428 * allow the caller to do multiple calls if required. If the 'finish' flag is
429 * set Z_FINISH will be passed to the final inflate() call and Z_STREAM_END must
430 * be returned or there has been a problem, otherwise Z_SYNC_FLUSH is used and
431 * Z_OK or Z_STREAM_END will be returned on success.
432 *
433 * The input and output sizes are updated to the actual amounts of data consumed
434 * or written, not the amount available (as in a z_stream). The data pointers
435 * are not changed, so the next input is (data+input_size) and the next
436 * available output is (output+output_size).
437 */
438 static int
442 {
444 {
449 /* zlib can't necessarily handle more than 65535 bytes at once (i.e. it
450 * can't even necessarily handle 65536 bytes) because the type uInt is
451 * "16 bits or more". Consequently it is necessary to chunk the input to
452 * zlib. This code uses ZLIB_IO_MAX, from pngpriv.h, as the maximum (the
453 * maximum value that can be stored in a uInt.) It is possible to set
454 * ZLIB_IO_MAX to a lower value in pngpriv.h and this may sometimes have
455 * a performance advantage, because it reduces the amount of data accessed
456 * at each step and that may give the OS more time to page it in.
457 */
459 /* avail_in and avail_out are set below from 'size' */
463 /* Read directly into the output if it is available (this is set to
464 * a local buffer below if output is NULL).
465 */
469 do
470 {
471 uInt avail;
474 /* zlib INPUT BUFFER */
475 /* The setting of 'avail_in' used to be outside the loop; by setting it
476 * inside it is possible to chunk the input to zlib and simply rely on
477 * zlib to advance the 'next_in' pointer. This allows arbitrary
478 * amounts of data to be passed through zlib at the unavoidable cost of
479 * requiring a window save (memcpy of up to 32768 output bytes)
480 * every ZLIB_IO_MAX input bytes.
481 */
492 /* zlib OUTPUT BUFFER */
498 {
499 /* Reset the output buffer each time round if output is NULL and
500 * make available the full buffer, up to 'remaining_space'
501 */
505 }
513 /* zlib inflate call */
514 /* In fact 'avail_out' may be 0 at this point, that happens at the end
515 * of the read when the final LZ end code was not passed at the end of
516 * the previous chunk of input data. Tell zlib if we have reached the
517 * end of the output buffer.
518 */
523 /* For safety kill the local buffer pointer now */
527 /* Claw back the 'size' and 'remaining_space' byte counts. */
531 /* Update the input and output sizes; the updated values are the amount
532 * consumed or written, effectively the inverse of what zlib uses.
533 */
540 /* Ensure png_ptr->zstream.msg is set (even in the success case!) */
543 }
545 else
546 {
547 /* This is a bad internal error. The recovery assigns to the zstream msg
548 * pointer, which is not owned by the caller, but this is safe; it's only
549 * used on errors!
550 */
553 }
554 }
556 /*
557 * Decompress trailing data in a chunk. The assumption is that read_buffer
558 * points at an allocated area holding the contents of a chunk with a
559 * trailing compressed part. What we get back is an allocated area
560 * holding the original prefix part and an uncompressed version of the
561 * trailing part (the malloc area passed in is freed).
562 */
563 static int
568 {
569 /* TODO: implement different limits for different types of chunk.
570 *
571 * The caller supplies *newlength set to the maximum length of the
572 * uncompressed data, but this routine allocates space for the prefix and
573 * maybe a '\0' terminator too. We have to assume that 'prefix_size' is
574 * limited only by the maximum chunk size.
575 */
578 # ifdef PNG_SET_CHUNK_MALLOC_LIMIT_SUPPORTED
582 # elif PNG_USER_CHUNK_MALLOC_MAX > 0
585 # endif
588 {
596 /* Now try to claim the stream. */
600 {
608 {
609 /* Use 'inflateReset' here, not 'inflateReset2' because this
610 * preserves the previously decided window size (otherwise it would
611 * be necessary to store the previous window size.) In practice
612 * this doesn't matter anyway, because png_inflate will call inflate
613 * with Z_FINISH in almost all cases, so the window will not be
614 * maintained.
615 */
617 {
618 /* Because of the limit checks above we know that the new,
619 * expanded, size will fit in a size_t (let alone an
620 * png_alloc_size_t). Use png_malloc_base here to avoid an
621 * extra OOM message.
622 */
627 buffer_size));
630 {
636 {
638 {
645 {
651 }
652 }
654 else
655 {
656 /* The size changed on the second read, there can be no
657 * guarantee that anything is correct at this point.
658 * The 'msg' pointer has been set to "unexpected end of
659 * LZ stream", which is fine, but return an error code
660 * that the caller won't accept.
661 */
663 }
664 }
669 /* Free the text pointer (this is the old read_buffer on
670 * success)
671 */
675 /* This really is very benign, but it's still an error because
676 * the extra space may otherwise be used as a Trojan Horse.
677 */
681 }
683 else
684 {
685 /* Out of memory allocating the buffer */
688 }
689 }
691 else
692 {
693 /* inflateReset failed, store the error message */
698 }
699 }
704 /* Release the claimed stream */
706 }
712 }
714 else
715 {
716 /* Application/configuration limits exceeded */
719 }
720 }
723 #ifdef PNG_READ_iCCP_SUPPORTED
724 /* Perform a partial read and decompress, producing 'avail_out' bytes and
725 * reading from the current chunk as required.
726 */
727 static int
731 {
733 {
736 /* next_in and avail_in must have been initialized by the caller. */
740 do
741 {
743 {
753 }
756 {
763 }
765 /* Use Z_SYNC_FLUSH when there is no more chunk data to ensure that all
766 * the available output is produced; this allows reading of truncated
767 * streams.
768 */
771 }
777 /* Ensure the error message pointer is always set: */
780 }
782 else
783 {
786 }
787 }
788 #endif
790 /* Read and check the IDHR chunk */
794 {
805 /* Check the length */
822 /* Set internal variables */
828 #ifdef PNG_MNG_FEATURES_SUPPORTED
830 #endif
833 /* Find number of channels */
835 {
853 }
855 /* Set up other useful info */
863 }
865 /* Read and check the palette */
868 {
871 #ifdef PNG_POINTER_INDEXING_SUPPORTED
872 png_colorp pal_ptr;
873 #endif
880 /* Moved to before the 'after IDAT' check below because otherwise duplicate
881 * PLTE chunks are potentially ignored (the spec says there shall not be more
882 * than one PLTE, the error is not treated as benign, so this check trumps
883 * the requirement that PLTE appears before IDAT.)
884 */
889 {
890 /* This is benign because the non-benign error happened before, when an
891 * IDAT was encountered in a color-mapped image with no PLTE.
892 */
896 }
901 {
905 }
907 #ifndef PNG_READ_OPT_PLTE_SUPPORTED
909 {
912 }
913 #endif
916 {
922 else
926 }
928 /* The cast is safe because 'length' is less than 3*PNG_MAX_PALETTE_LENGTH */
931 #ifdef PNG_POINTER_INDEXING_SUPPORTED
933 {
940 }
941 #else
943 {
947 /* Don't depend upon png_color being any order */
951 }
952 #endif
954 /* If we actually need the PLTE chunk (ie for a paletted image), we do
955 * whatever the normal CRC configuration tells us. However, if we
956 * have an RGB image, the PLTE can be considered ancillary, so
957 * we will act as though it is.
958 */
959 #ifndef PNG_READ_OPT_PLTE_SUPPORTED
961 #endif
962 {
964 }
966 #ifndef PNG_READ_OPT_PLTE_SUPPORTED
968 {
969 /* If we don't want to use the data from an ancillary chunk,
970 * we have two options: an error abort, or a warning and we
971 * ignore the data in this chunk (which should be OK, since
972 * it's considered ancillary for a RGB or RGBA image).
973 *
974 * IMPLEMENTATION NOTE: this is only here because png_crc_finish uses the
975 * chunk type to determine whether to check the ancillary or the critical
976 * flags.
977 */
979 {
983 else
985 }
987 /* Otherwise, we (optionally) emit a warning and use the chunk. */
990 }
991 #endif
993 /* TODO: png_set_PLTE has the side effect of setting png_ptr->palette to its
994 * own copy of the palette. This has the side effect that when png_start_row
995 * is called (this happens after any call to png_read_update_info) the
996 * info_ptr palette gets changed. This is extremely unexpected and
997 * confusing.
998 *
999 * Fix this by not sharing the palette in this way.
1000 */
1003 /* The three chunks, bKGD, hIST and tRNS *must* appear after PLTE and before
1004 * IDAT. Prior to 1.6.0 this was not checked; instead the code merely
1005 * checked the apparent validity of a tRNS chunk inserted before PLTE on a
1006 * palette PNG. 1.6.0 attempts to rigorously follow the standard and
1007 * therefore does a benign error if the erroneous condition is detected *and*
1008 * cancels the tRNS if the benign error returns. The alternative is to
1009 * amend the standard since it would be rather hypocritical of the standards
1010 * maintainers to ignore it.
1011 */
1012 #ifdef PNG_READ_tRNS_SUPPORTED
1015 {
1016 /* Cancel this because otherwise it would be used if the transforms
1017 * require it. Don't cancel the 'valid' flag because this would prevent
1018 * detection of duplicate chunks.
1019 */
1026 }
1027 #endif
1029 #ifdef PNG_READ_hIST_SUPPORTED
1032 #endif
1034 #ifdef PNG_READ_bKGD_SUPPORTED
1037 #endif
1038 }
1042 {
1057 }
1059 #ifdef PNG_READ_gAMA_SUPPORTED
1062 {
1063 png_fixed_point igamma;
1072 {
1076 }
1079 {
1083 }
1094 }
1095 #endif
1097 #ifdef PNG_READ_sBIT_SUPPORTED
1100 {
1102 png_byte sample_depth;
1111 {
1115 }
1118 {
1122 }
1125 {
1128 }
1130 else
1131 {
1134 }
1137 {
1141 }
1151 {
1154 }
1157 {
1162 }
1164 else
1165 {
1171 }
1174 }
1175 #endif
1177 #ifdef PNG_READ_cHRM_SUPPORTED
1180 {
1182 png_xy xy;
1190 {
1194 }
1197 {
1201 }
1225 {
1228 }
1230 /* If a colorspace error has already been output skip this chunk */
1235 {
1240 }
1246 }
1247 #endif
1249 #ifdef PNG_READ_sRGB_SUPPORTED
1252 {
1253 png_byte intent;
1261 {
1265 }
1268 {
1272 }
1279 /* If a colorspace error has already been output skip this chunk */
1283 /* Only one sRGB or iCCP chunk is allowed, use the HAVE_INTENT flag to detect
1284 * this.
1285 */
1287 {
1292 }
1296 }
1299 #ifdef PNG_READ_iCCP_SUPPORTED
1302 /* Note: this does not properly handle profiles that are > 64K under DOS */
1303 {
1313 {
1317 }
1319 /* Consistent with all the above colorspace handling an obviously *invalid*
1320 * chunk is just ignored, so does not invalidate the color space. An
1321 * alternative is to set the 'invalid' flags at the start of this routine
1322 * and only clear them in they were not set before and all the tests pass.
1323 * The minimum 'deflate' stream is assumed to be just the 2 byte header and
1324 * 4 byte checksum. The keyword must be at least one character and there is
1325 * a terminator (0) byte and the compression method.
1326 */
1328 {
1332 }
1334 /* If a colorspace error has already been output skip this chunk */
1336 {
1339 }
1341 /* Only one sRGB or iCCP chunk is allowed, use the HAVE_INTENT flag to detect
1342 * this.
1343 */
1345 {
1349 /* Find the keyword; the keyword plus separator and compression method
1350 * bytes can be at most 81 characters long.
1351 */
1364 /* TODO: make the keyword checking common */
1366 {
1367 /* We only understand '0' compression - deflate - so if we get a
1368 * different value we can't safely decode the chunk.
1369 */
1372 {
1376 {
1388 {
1389 /* We have the ICC profile header; do the basic header checks.
1390 */
1396 {
1397 /* The length is apparently ok, so we can check the 132
1398 * byte header.
1399 */
1403 {
1404 /* Now read the tag table; a variable size buffer is
1405 * needed at this point, allocate one for the whole
1406 * profile. The header check has already validated
1407 * that none of these stuff will overflow.
1408 */
1415 {
1425 /* Still expect a buffer error because we expect
1426 * there to be some tag data!
1427 */
1429 {
1433 {
1434 /* The profile has been validated for basic
1435 * security issues, so read the whole thing in.
1436 */
1446 PNG_FLAG_BENIGN_ERRORS_WARN))
1449 /* But otherwise allow extra data: */
1451 {
1453 {
1454 /* This can be handled completely, so
1455 * keep going.
1456 */
1459 }
1464 # ifdef PNG_sRGB_SUPPORTED
1465 /* Check for a match against sRGB */
1469 # endif
1471 /* Steal the profile for info_ptr. */
1473 {
1481 {
1485 profile_length;
1490 }
1492 else
1493 {
1495 PNG_COLORSPACE_INVALID;
1497 }
1498 }
1500 /* else the profile remains in the read
1501 * buffer which gets reused for subsequent
1502 * chunks.
1503 */
1509 {
1512 }
1513 }
1518 #ifndef __COVERITY__
1519 else
1521 #endif
1522 }
1524 /* else png_icc_check_tag_table output an error */
1525 }
1529 }
1531 else
1533 }
1535 /* else png_icc_check_header output an error */
1536 }
1538 /* else png_icc_check_length output an error */
1539 }
1544 /* Release the stream */
1546 }
1550 }
1552 else
1554 }
1556 else
1558 }
1560 else
1563 /* Failure: the reason is in 'errmsg' */
1571 }
1574 #ifdef PNG_READ_sPLT_SUPPORTED
1577 /* Note: this does not properly handle chunks that are > 64K under DOS */
1578 {
1580 png_sPLT_t new_palette;
1581 png_sPLT_entryp pp;
1582 png_uint_32 data_length;
1585 png_uint_32 dl;
1586 png_size_t max_dl;
1590 #ifdef PNG_USER_LIMITS_SUPPORTED
1592 {
1594 {
1597 }
1600 {
1604 }
1605 }
1606 #endif
1612 {
1616 }
1618 #ifdef PNG_MAX_MALLOC_64K
1620 {
1624 }
1625 #endif
1629 {
1633 }
1636 /* WARNING: this may break if size_t is less than 32 bits; it is assumed
1637 * that the PNG_MAX_MALLOC_64K test is enabled in this case, but this is a
1638 * potential breakage point if the types in pngconf.h aren't exactly right.
1639 */
1652 /* A sample depth should follow the separator, and we should be on it */
1654 {
1657 }
1661 /* This must fit in a png_uint_32 because it is derived from the original
1662 * chunk data length.
1663 */
1666 /* Integrity-check the data length */
1668 {
1671 }
1677 {
1680 }
1688 {
1691 }
1693 #ifdef PNG_POINTER_INDEXING_SUPPORTED
1695 {
1699 {
1704 }
1706 else
1707 {
1712 }
1715 }
1716 #else
1720 {
1723 {
1728 }
1730 else
1731 {
1736 }
1739 }
1740 #endif
1742 /* Discard all chunk data except the name and stash that */
1748 }
1751 #ifdef PNG_READ_tRNS_SUPPORTED
1754 {
1763 {
1767 }
1770 {
1774 }
1777 {
1781 {
1785 }
1790 }
1793 {
1797 {
1801 }
1808 }
1811 {
1813 {
1814 /* TODO: is this actually an error in the ISO spec? */
1818 }
1822 {
1826 }
1830 }
1832 else
1833 {
1837 }
1840 {
1843 }
1845 /* TODO: this is a horrible side effect in the palette case because the
1846 * png_struct ends up with a pointer to the tRNS buffer owned by the
1847 * png_info. Fix this.
1848 */
1851 }
1852 #endif
1854 #ifdef PNG_READ_bKGD_SUPPORTED
1857 {
1860 png_color_16 background;
1870 {
1874 }
1877 {
1881 }
1889 else
1893 {
1897 }
1904 /* We convert the index value into RGB components so that we can allow
1905 * arbitrary RGB values for background when we have transparency, and
1906 * so it is easy to determine the RGB values of the background color
1907 * from the info_ptr struct.
1908 */
1910 {
1914 {
1916 {
1919 }
1924 }
1926 else
1930 }
1933 {
1939 }
1941 else
1942 {
1948 }
1951 }
1952 #endif
1954 #ifdef PNG_READ_hIST_SUPPORTED
1957 {
1968 {
1972 }
1975 {
1979 }
1984 {
1988 }
1991 {
1996 }
2002 }
2003 #endif
2005 #ifdef PNG_READ_pHYs_SUPPORTED
2008 {
2019 {
2023 }
2026 {
2030 }
2033 {
2037 }
2048 }
2049 #endif
2051 #ifdef PNG_READ_oFFs_SUPPORTED
2054 {
2065 {
2069 }
2072 {
2076 }
2079 {
2083 }
2094 }
2095 #endif
2097 #ifdef PNG_READ_pCAL_SUPPORTED
2098 /* Read the pCAL chunk (described in the PNG Extensions document) */
2101 {
2105 png_charpp params;
2114 {
2118 }
2121 {
2125 }
2133 {
2137 }
2152 /* We need to have at least 12 bytes after the purpose string
2153 * in order to get the parameter information.
2154 */
2156 {
2159 }
2169 /* Check that we have the right number of parameters for known
2170 * equation types.
2171 */
2176 {
2179 }
2182 {
2184 }
2195 {
2198 }
2200 /* Get pointers to the start of each parameter string. */
2202 {
2210 /* Make sure we haven't run out of data yet */
2212 {
2216 }
2217 }
2223 }
2224 #endif
2226 #ifdef PNG_READ_sCAL_SUPPORTED
2227 /* Read the sCAL chunk */
2230 {
2231 png_bytep buffer;
2232 png_size_t i;
2241 {
2245 }
2248 {
2252 }
2254 /* Need unit type, width, \0, height: minimum 4 bytes */
2256 {
2260 }
2268 {
2272 }
2280 /* Validate the unit. */
2282 {
2285 }
2287 /* Validate the ASCII numbers, need two ASCII numbers separated by
2288 * a '\0' and they need to fit exactly in the chunk data.
2289 */
2300 else
2301 {
2312 else
2313 /* This is the (only) success case. */
2316 }
2317 }
2318 #endif
2320 #ifdef PNG_READ_tIME_SUPPORTED
2323 {
2325 png_time mod_time;
2333 {
2337 }
2343 {
2347 }
2362 }
2363 #endif
2365 #ifdef PNG_READ_tEXt_SUPPORTED
2366 /* Note: this does not properly handle chunks that are > 64K under DOS */
2369 {
2370 png_text text_info;
2371 png_bytep buffer;
2372 png_charp key;
2373 png_charp text;
2378 #ifdef PNG_USER_LIMITS_SUPPORTED
2380 {
2382 {
2385 }
2388 {
2392 }
2393 }
2394 #endif
2402 #ifdef PNG_MAX_MALLOC_64K
2404 {
2408 }
2409 #endif
2414 {
2417 }
2431 text++;
2443 }
2444 #endif
2446 #ifdef PNG_READ_zTXt_SUPPORTED
2447 /* Note: this does not correctly handle chunks that are > 64K under DOS */
2450 {
2452 png_bytep buffer;
2453 png_uint_32 keyword_length;
2457 #ifdef PNG_USER_LIMITS_SUPPORTED
2459 {
2461 {
2464 }
2467 {
2471 }
2472 }
2473 #endif
2484 {
2488 }
2495 /* TODO: also check that the keyword contents match the spec! */
2504 /* zTXt must have some LZ data after the keyword, although it may expand to
2505 * zero bytes; we need a '\0' at the end of the keyword, the compression type
2506 * then the LZ data:
2507 */
2514 else
2515 {
2518 /* TODO: at present png_decompress_chunk imposes a single application
2519 * level memory limit, this should be split to different values for iCCP
2520 * and text chunks.
2521 */
2524 {
2525 png_text text;
2527 /* It worked; png_ptr->read_buffer now looks like a tEXt chunk except
2528 * for the extra compression type byte and the fact that it isn't
2529 * necessarily '\0' terminated.
2530 */
2544 }
2546 else
2548 }
2552 }
2553 #endif
2555 #ifdef PNG_READ_iTXt_SUPPORTED
2556 /* Note: this does not correctly handle chunks that are > 64K under DOS */
2559 {
2561 png_bytep buffer;
2562 png_uint_32 prefix_length;
2566 #ifdef PNG_USER_LIMITS_SUPPORTED
2568 {
2570 {
2573 }
2576 {
2580 }
2581 }
2582 #endif
2593 {
2597 }
2604 /* First the keyword. */
2610 /* Perform a basic check on the keyword length here. */
2614 /* Expect keyword, compression flag, compression type, language, translated
2615 * keyword (both may be empty but are 0 terminated) then the text, which may
2616 * be empty.
2617 */
2624 {
2629 /* Now the language tag */
2637 /* WARNING: the length may be invalid here, this is checked below. */
2644 /* prefix_length should now be at the trailing '\0' of the translated
2645 * keyword, but it may already be over the end. None of this arithmetic
2646 * can overflow because chunks are at most 2^31 bytes long, but on 16-bit
2647 * systems the available allocation may overflow.
2648 */
2655 {
2658 /* TODO: at present png_decompress_chunk imposes a single application
2659 * level memory limit, this should be split to different values for
2660 * iCCP and text chunks.
2661 */
2666 else
2668 }
2670 else
2674 {
2675 png_text text;
2682 else
2694 }
2695 }
2697 else
2702 }
2703 #endif
2705 #ifdef PNG_READ_UNKNOWN_CHUNKS_SUPPORTED
2706 /* Utility function for png_handle_unknown; set up png_ptr::unknown_chunk */
2707 static int
2709 {
2713 {
2716 }
2718 # ifdef PNG_SET_CHUNK_MALLOC_LIMIT_SUPPORTED
2723 # elif PNG_USER_CHUNK_MALLOC_MAX > 0
2726 # endif
2729 {
2731 /* The following is safe because of the PNG_SIZE_MAX init above */
2733 /* 'mode' is a flag array, only the bottom four bits matter here */
2739 else
2740 {
2741 /* Do a 'warn' here - it is handled below. */
2744 }
2745 }
2748 {
2749 /* This is benign because we clean up correctly */
2753 }
2755 else
2756 {
2761 }
2762 }
2765 /* Handle an unknown, or known but disabled, chunk */
2769 {
2774 #ifdef PNG_READ_UNKNOWN_CHUNKS_SUPPORTED
2775 /* NOTE: this code is based on the code in libpng-1.4.12 except for fixing
2776 * the bug which meant that setting a non-default behavior for a specific
2777 * chunk would be ignored (the default was always used unless a user
2778 * callback was installed).
2779 *
2780 * 'keep' is the value from the png_chunk_unknown_handling, the setting for
2781 * this specific chunk_name, if PNG_HANDLE_AS_UNKNOWN_SUPPORTED, if not it
2782 * will always be PNG_HANDLE_CHUNK_AS_DEFAULT and it needs to be set here.
2783 * This is just an optimization to avoid multiple calls to the lookup
2784 * function.
2785 */
2786 # ifndef PNG_HANDLE_AS_UNKNOWN_SUPPORTED
2787 # ifdef PNG_SET_UNKNOWN_CHUNKS_SUPPORTED
2789 # endif
2790 # endif
2792 /* One of the following methods will read the chunk or skip it (at least one
2793 * of these is always defined because this is the only way to switch on
2794 * PNG_READ_UNKNOWN_CHUNKS_SUPPORTED)
2795 */
2796 # ifdef PNG_READ_USER_CHUNKS_SUPPORTED
2797 /* The user callback takes precedence over the chunk keep value, but the
2798 * keep value is still required to validate a save of a critical chunk.
2799 */
2801 {
2803 {
2804 /* Callback to user unknown chunk handler */
2808 /* ret is:
2809 * negative: An error occurred; png_chunk_error will be called.
2810 * zero: The chunk was not handled, the chunk will be discarded
2811 * unless png_set_keep_unknown_chunks has been used to set
2812 * a 'keep' behavior for this particular chunk, in which
2813 * case that will be used. A critical chunk will cause an
2814 * error at this point unless it is to be saved.
2815 * positive: The chunk was handled, libpng will ignore/discard it.
2816 */
2821 {
2822 /* If the keep value is 'default' or 'never' override it, but
2823 * still error out on critical chunks unless the keep value is
2824 * 'always' While this is weird it is the behavior in 1.4.12.
2825 * A possible improvement would be to obey the value set for the
2826 * chunk, but this would be an API change that would probably
2827 * damage some applications.
2828 *
2829 * The png_app_warning below catches the case that matters, where
2830 * the application has not set specific save or ignore for this
2831 * chunk or global save or ignore.
2832 */
2834 {
2835 # ifdef PNG_SET_UNKNOWN_CHUNKS_SUPPORTED
2837 {
2840 "forcing save of an unhandled chunk;"
2842 /* with keep = PNG_HANDLE_CHUNK_IF_SAFE */
2843 }
2844 # endif
2846 }
2847 }
2850 {
2852 /* Critical chunks can be safely discarded at this point. */
2854 }
2855 }
2857 else
2859 }
2861 else
2862 /* Use the SAVE_UNKNOWN_CHUNKS code or skip the chunk */
2865 # ifdef PNG_SAVE_UNKNOWN_CHUNKS_SUPPORTED
2866 {
2867 /* keep is currently just the per-chunk setting, if there was no
2868 * setting change it to the global default now (not that this may
2869 * still be AS_DEFAULT) then obtain the cache of the chunk if required,
2870 * if not simply skip the chunk.
2871 */
2878 {
2881 }
2883 else
2885 }
2886 # else
2887 # ifndef PNG_READ_USER_CHUNKS_SUPPORTED
2888 # error no method to support READ_UNKNOWN_CHUNKS
2889 # endif
2891 {
2892 /* If here there is no read callback pointer set and no support is
2893 * compiled in to just save the unknown chunks, so simply skip this
2894 * chunk. If 'keep' is something other than AS_DEFAULT or NEVER then
2895 * the app has erroneously asked for unknown chunk saving when there
2896 * is no support.
2897 */
2902 }
2903 # endif
2905 # ifdef PNG_STORE_UNKNOWN_CHUNKS_SUPPORTED
2906 /* Now store the chunk in the chunk list if appropriate, and if the limits
2907 * permit it.
2908 */
2912 {
2913 # ifdef PNG_USER_LIMITS_SUPPORTED
2915 {
2919 /* FALL THROUGH */
2921 /* NOTE: prior to 1.6.0 this case resulted in an unknown critical
2922 * chunk being skipped, now there will be a hard error below.
2923 */
2928 /* FALL THROUGH */
2931 /* Here when the limit isn't reached or when limits are compiled
2932 * out; store the chunk.
2933 */
2937 # ifdef PNG_USER_LIMITS_SUPPORTED
2939 }
2940 # endif
2941 }
2944 # endif
2946 /* Regardless of the error handling below the cached data (if any) can be
2947 * freed now. Notice that the data is not freed if there is a png_error, but
2948 * it will be freed by destroy_read_struct.
2949 */
2955 /* There is no support to read an unknown chunk, so just skip it. */
2961 /* Check for unhandled critical chunks */
2964 }
2966 /* This function is called to verify that a chunk name is valid.
2967 * This function can't have the "critical chunk check" incorporated
2968 * into it, since in the future we will need to be able to call user
2969 * functions to handle unknown critical chunks after we check that
2970 * the chunk name itself is valid.
2971 */
2973 /* Bit hacking: the test for an invalid byte in the 4 byte chunk name is:
2974 *
2975 * ((c) < 65 || (c) > 122 || ((c) > 90 && (c) < 97))
2976 */
2980 {
2986 {
2993 }
2994 }
2996 /* Combines the row recently read in with the existing pixels in the row. This
2997 * routine takes care of alpha and transparency if requested. This routine also
2998 * handles the two methods of progressive display of interlaced images,
2999 * depending on the 'display' value; if 'display' is true then the whole row
3000 * (dp) is filled from the start by replicating the available pixels. If
3001 * 'display' is false only those pixels present in the pass are filled in.
3002 */
3005 {
3016 /* Added in 1.5.6: it should not be possible to enter this routine until at
3017 * least one row has been read from the PNG data and transformed.
3018 */
3022 /* Added in 1.5.4: the pixel depth should match the information returned by
3023 * any call to png_read_update_info at this point. Do not continue if we got
3024 * this wrong.
3025 */
3030 /* Don't expect this to ever happen: */
3034 /* Preserve the last byte in cases where only part of it will be overwritten,
3035 * the multiply below may overflow, we don't care because ANSI-C guarantees
3036 * we get the low bits.
3037 */
3040 {
3041 /* end_ptr == NULL is a flag to say do nothing */
3044 # ifdef PNG_READ_PACKSWAP_SUPPORTED
3046 /* little-endian byte */
3050 # endif
3052 /* end_mask is now the bits to *keep* from the destination row */
3053 }
3055 /* For non-interlaced images this reduces to a memcpy(). A memcpy()
3056 * will also happen if interlacing isn't supported or if the application
3057 * does not call png_set_interlace_handling(). In the latter cases the
3058 * caller just gets a sequence of the unexpanded rows from each interlace
3059 * pass.
3060 */
3061 #ifdef PNG_READ_INTERLACING_SUPPORTED
3065 /* The following copies everything for 'display' on passes 0, 2 and 4. */
3067 {
3068 /* Narrow images may have no bits in a pass; the caller should handle
3069 * this, but this test is cheap:
3070 */
3075 {
3076 /* For pixel depths up to 4 bpp the 8-pixel mask can be expanded to fit
3077 * into 32 bits, then a single loop over the bytes using the four byte
3078 * values in the 32-bit mask can be used. For the 'display' option the
3079 * expanded mask may also not require any masking within a byte. To
3080 * make this work the PACKSWAP option must be taken into account - it
3081 * simply requires the pixels to be reversed in each byte.
3082 *
3083 * The 'regular' case requires a mask for each of the first 6 passes,
3084 * the 'display' case does a copy for the even passes in the range
3085 * 0..6. This has already been handled in the test above.
3086 *
3087 * The masks are arranged as four bytes with the first byte to use in
3088 * the lowest bits (little-endian) regardless of the order (PACKSWAP or
3089 * not) of the pixels in each byte.
3090 *
3091 * NOTE: the whole of this logic depends on the caller of this function
3092 * only calling it on rows appropriate to the pass. This function only
3093 * understands the 'x' logic; the 'y' logic is handled by the caller.
3094 *
3095 * The following defines allow generation of compile time constant bit
3096 * masks for each pixel depth and each possibility of swapped or not
3097 * swapped bytes. Pass 'p' is in the range 0..6; 'x', a pixel index,
3098 * is in the range 0..7; and the result is 1 if the pixel is to be
3099 * copied in the pass, 0 if not. 'S' is for the sparkle method, 'B'
3100 * for the block method.
3101 *
3102 * With some compilers a compile time expression of the general form:
3103 *
3104 * (shift >= 32) ? (a >> (shift-32)) : (b >> shift)
3105 *
3106 * Produces warnings with values of 'shift' in the range 33 to 63
3107 * because the right hand side of the ?: expression is evaluated by
3108 * the compiler even though it isn't used. Microsoft Visual C (various
3109 * versions) and the Intel C compiler are known to do this. To avoid
3110 * this the following macros are used in 1.5.6. This is a temporary
3111 * solution to avoid destabilizing the code during the release process.
3112 */
3113 # if PNG_USE_COMPILE_TIME_MASKS
3114 # define PNG_LSR(x,s) ((x)>>((s) & 0x1f))
3115 # define PNG_LSL(x,s) ((x)<<((s) & 0x1f))
3116 # else
3117 # define PNG_LSR(x,s) ((x)>>(s))
3118 # define PNG_LSL(x,s) ((x)<<(s))
3119 # endif
3120 # define S_COPY(p,x) (((p)<4 ? PNG_LSR(0x80088822,(3-(p))*8+(7-(x))) :\
3121 PNG_LSR(0xaa55ff00,(7-(p))*8+(7-(x)))) & 1)
3122 # define B_COPY(p,x) (((p)<4 ? PNG_LSR(0xff0fff33,(3-(p))*8+(7-(x))) :\
3123 PNG_LSR(0xff55ff00,(7-(p))*8+(7-(x)))) & 1)
3125 /* Return a mask for pass 'p' pixel 'x' at depth 'd'. The mask is
3126 * little endian - the first pixel is at bit 0 - however the extra
3127 * parameter 's' can be set to cause the mask position to be swapped
3128 * within each byte, to match the PNG format. This is done by XOR of
3129 * the shift with 7, 6 or 4 for bit depths 1, 2 and 4.
3130 */
3131 # define PIXEL_MASK(p,x,d,s) \
3132 (PNG_LSL(((PNG_LSL(1U,(d)))-1),(((x)*(d))^((s)?8-(d):0))))
3134 /* Hence generate the appropriate 'block' or 'sparkle' pixel copy mask.
3135 */
3136 # define S_MASKx(p,x,d,s) (S_COPY(p,x)?PIXEL_MASK(p,x,d,s):0)
3137 # define B_MASKx(p,x,d,s) (B_COPY(p,x)?PIXEL_MASK(p,x,d,s):0)
3139 /* Combine 8 of these to get the full mask. For the 1-bpp and 2-bpp
3140 * cases the result needs replicating, for the 4-bpp case the above
3141 * generates a full 32 bits.
3142 */
3143 # define MASK_EXPAND(m,d) ((m)*((d)==1?0x01010101:((d)==2?0x00010001:1)))
3145 # define S_MASK(p,d,s) MASK_EXPAND(S_MASKx(p,0,d,s) + S_MASKx(p,1,d,s) +\
3146 S_MASKx(p,2,d,s) + S_MASKx(p,3,d,s) + S_MASKx(p,4,d,s) +\
3147 S_MASKx(p,5,d,s) + S_MASKx(p,6,d,s) + S_MASKx(p,7,d,s), d)
3149 # define B_MASK(p,d,s) MASK_EXPAND(B_MASKx(p,0,d,s) + B_MASKx(p,1,d,s) +\
3150 B_MASKx(p,2,d,s) + B_MASKx(p,3,d,s) + B_MASKx(p,4,d,s) +\
3151 B_MASKx(p,5,d,s) + B_MASKx(p,6,d,s) + B_MASKx(p,7,d,s), d)
3153 #if PNG_USE_COMPILE_TIME_MASKS
3154 /* Utility macros to construct all the masks for a depth/swap
3155 * combination. The 's' parameter says whether the format is PNG
3156 * (big endian bytes) or not. Only the three odd-numbered passes are
3157 * required for the display/block algorithm.
3158 */
3159 # define S_MASKS(d,s) { S_MASK(0,d,s), S_MASK(1,d,s), S_MASK(2,d,s),\
3160 S_MASK(3,d,s), S_MASK(4,d,s), S_MASK(5,d,s) }
3162 # define B_MASKS(d,s) { B_MASK(1,d,s), B_MASK(3,d,s), B_MASK(5,d,s) }
3164 # define DEPTH_INDEX(d) ((d)==1?0:((d)==2?1:2))
3166 /* Hence the pre-compiled masks indexed by PACKSWAP (or not), depth and
3167 * then pass:
3168 */
3170 {
3171 /* Little-endian byte masks for PACKSWAP */
3173 /* Normal (big-endian byte) masks - PNG format */
3175 };
3177 /* display_mask has only three entries for the odd passes, so index by
3178 * pass>>1.
3179 */
3181 {
3182 /* Little-endian byte masks for PACKSWAP */
3184 /* Normal (big-endian byte) masks - PNG format */
3186 };
3188 # define MASK(pass,depth,display,png)\
3189 ((display)?display_mask[png][DEPTH_INDEX(depth)][pass>>1]:\
3190 row_mask[png][DEPTH_INDEX(depth)][pass])
3193 /* This is the runtime alternative: it seems unlikely that this will
3194 * ever be either smaller or faster than the compile time approach.
3195 */
3196 # define MASK(pass,depth,display,png)\
3197 ((display)?B_MASK(pass,depth,png):S_MASK(pass,depth,png))
3200 /* Use the appropriate mask to copy the required bits. In some cases
3201 * the byte mask will be 0 or 0xff; optimize these cases. row_width is
3202 * the number of pixels, but the code copies bytes, so it is necessary
3203 * to special case the end.
3204 */
3206 png_uint_32 mask;
3208 # ifdef PNG_READ_PACKSWAP_SUPPORTED
3212 else
3213 # endif
3217 {
3218 png_uint_32 m;
3220 /* It doesn't matter in the following if png_uint_32 has more than
3221 * 32 bits because the high bits always match those in m<<24; it is,
3222 * however, essential to use OR here, not +, because of this.
3223 */
3229 {
3232 else
3234 }
3236 /* NOTE: this may overwrite the last byte with garbage if the image
3237 * is not an exact number of bytes wide; libpng has always done
3238 * this.
3239 */
3246 }
3247 }
3250 {
3253 /* Validate the depth - it must be a multiple of 8 */
3260 /* Regardless of pass number the Adam 7 interlace always results in a
3261 * fixed number of pixels to copy then to skip. There may be a
3262 * different number of pixels to skip at the start though.
3263 */
3264 {
3270 }
3272 /* Work out the bytes to copy. */
3274 {
3275 /* When doing the 'block' algorithm the pixel in the pass gets
3276 * replicated to adjacent pixels. This is why the even (0,2,4,6)
3277 * passes are skipped above - the entire expanded row is copied.
3278 */
3281 /* But don't allow this number to exceed the actual row width. */
3284 }
3289 /* In Adam7 there is a constant offset between where the pixels go. */
3292 /* And simply copy these bytes. Some optimization is possible here,
3293 * depending on the value of 'bytes_to_copy'. Special case the low
3294 * byte counts, which we know to be frequent.
3295 *
3296 * Notice that these cases all 'return' rather than 'break' - this
3297 * avoids an unnecessary test on whether to restore the last byte
3298 * below.
3299 */
3301 {
3304 {
3313 }
3316 /* There is a possibility of a partial copy at the end here; this
3317 * slows the code down somewhat.
3318 */
3319 do
3320 {
3329 }
3332 /* And there can only be one byte left at this point: */
3337 /* This can only be the RGB case, so each copy is exactly one
3338 * pixel and it is not necessary to check for a partial copy.
3339 */
3341 {
3350 }
3353 #if PNG_ALIGN_TYPE != PNG_ALIGN_NONE
3354 /* Check for double byte alignment and, if possible, use a
3355 * 16-bit copy. Don't attempt this for narrow images - ones that
3356 * are less than an interlace panel wide. Don't attempt it for
3357 * wide bytes_to_copy either - use the memcpy there.
3358 */
3364 {
3365 /* Everything is aligned for png_uint_16 copies, but try for
3366 * png_uint_32 first.
3367 */
3372 {
3379 do
3380 {
3382 do
3383 {
3386 }
3395 }
3398 /* Get to here when the row_width truncates the final copy.
3399 * There will be 1-3 bytes left to copy, so don't try the
3400 * 16-bit loop below.
3401 */
3404 do
3408 }
3410 /* Else do it in 16-bit quantities, but only if the size is
3411 * not too large.
3412 */
3413 else
3414 {
3421 do
3422 {
3424 do
3425 {
3428 }
3437 }
3440 /* End of row - 1 byte left, bytes_to_copy > row_width: */
3443 do
3447 }
3448 }
3451 /* The true default - use a memcpy: */
3453 {
3464 }
3465 }
3467 /* NOT REACHED*/
3470 /* Here if pixel_depth < 8 to check 'end_ptr' below. */
3471 }
3472 else
3475 /* If here then the switch above wasn't used so just memcpy the whole row
3476 * from the temporary row buffer (notice that this overwrites the end of the
3477 * destination row if it is a partial byte.)
3478 */
3481 /* Restore the overwritten bits from the last byte if necessary. */
3484 }
3486 #ifdef PNG_READ_INTERLACING_SUPPORTED
3490 {
3491 /* Arrays to facilitate easy interlacing - use pass (0 - 6) as index */
3492 /* Offset to next interlace block */
3497 {
3498 png_uint_32 final_width;
3503 {
3505 {
3511 png_byte v;
3512 png_uint_32 i;
3515 #ifdef PNG_READ_PACKSWAP_SUPPORTED
3517 {
3523 }
3525 else
3526 #endif
3527 {
3533 }
3536 {
3539 {
3545 {
3547 dp--;
3548 }
3550 else
3552 }
3555 {
3557 sp--;
3558 }
3560 else
3562 }
3564 }
3567 {
3573 png_uint_32 i;
3575 #ifdef PNG_READ_PACKSWAP_SUPPORTED
3577 {
3583 }
3585 else
3586 #endif
3587 {
3593 }
3596 {
3597 png_byte v;
3602 {
3608 {
3610 dp--;
3611 }
3613 else
3615 }
3618 {
3620 sp--;
3621 }
3623 else
3625 }
3627 }
3630 {
3635 png_uint_32 i;
3638 #ifdef PNG_READ_PACKSWAP_SUPPORTED
3640 {
3646 }
3648 else
3649 #endif
3650 {
3656 }
3659 {
3664 {
3670 {
3672 dp--;
3673 }
3675 else
3677 }
3680 {
3682 sp--;
3683 }
3685 else
3687 }
3689 }
3692 {
3701 png_uint_32 i;
3704 {
3711 {
3714 }
3717 }
3719 }
3720 }
3724 }
3725 #ifndef PNG_READ_PACKSWAP_SUPPORTED
3727 #endif
3728 }
3731 static void
3733 png_const_bytep prev_row)
3734 {
3735 png_size_t i;
3743 {
3745 rp++;
3746 }
3747 }
3749 static void
3751 png_const_bytep prev_row)
3752 {
3753 png_size_t i;
3759 {
3761 rp++;
3762 }
3763 }
3765 static void
3767 png_const_bytep prev_row)
3768 {
3769 png_size_t i;
3776 {
3780 rp++;
3781 }
3784 {
3788 rp++;
3789 }
3790 }
3792 static void
3794 png_const_bytep prev_row)
3795 {
3799 /* First pixel/byte */
3804 /* Remainder */
3806 {
3815 # ifdef PNG_USE_ABS
3819 # else
3823 # endif
3825 /* Find the best predictor, the least of pa, pb, pc favoring the earlier
3826 * ones in the case of a tie.
3827 */
3831 /* Calculate the current pixel in a, and move the previous row pixel to c
3832 * for the next time round the loop
3833 */
3837 }
3838 }
3840 static void
3842 png_const_bytep prev_row)
3843 {
3847 /* Process the first pixel in the row completely (this is the same as 'up'
3848 * because there is only one candidate predictor for the first row).
3849 */
3851 {
3854 }
3856 /* Remainder */
3860 {
3870 # ifdef PNG_USE_ABS
3874 # else
3878 # endif
3885 }
3886 }
3888 static void
3890 /* This function is called once for every PNG image (except for PNG images
3891 * that only use PNG_FILTER_VALUE_NONE for all rows) to set the
3892 * implementations required to reverse the filtering of PNG rows. Reversing
3893 * the filter is the first transformation performed on the row data. It is
3894 * performed in place, therefore an implementation can be selected based on
3895 * the image pixel format. If the implementation depends on image width then
3896 * take care to ensure that it works correctly if the image is interlaced -
3897 * interlacing causes the actual row width to vary.
3898 */
3899 {
3907 png_read_filter_row_paeth_1byte_pixel;
3908 else
3910 png_read_filter_row_paeth_multibyte_pixel;
3912 #ifdef PNG_FILTER_OPTIMIZATIONS
3913 /* To use this define PNG_FILTER_OPTIMIZATIONS as the name of a function to
3914 * call to install hardware optimizations for the above functions; simply
3915 * replace whatever elements of the pp->read_filter[] array with a hardware
3916 * specific (or, for that matter, generic) optimization.
3917 *
3918 * To see an example of this examine what configure.ac does when
3919 * --enable-arm-neon is specified on the command line.
3920 */
3922 #endif
3923 }
3928 {
3929 /* OPTIMIZATION: DO NOT MODIFY THIS FUNCTION, instead #define
3930 * PNG_FILTER_OPTIMIZATIONS to a function that overrides the generic
3931 * implementations. See png_init_filter_functions above.
3932 */
3934 {
3939 }
3940 }
3942 #ifdef PNG_SEQUENTIAL_READ_SUPPORTED
3945 png_alloc_size_t avail_out)
3946 {
3947 /* Loop reading IDATs and decompressing the result into output[avail_out] */
3954 do
3955 {
3960 {
3961 uInt avail_in;
3962 png_bytep buffer;
3965 {
3969 /* This is an error even in the 'check' case because the code just
3970 * consumed a non-IDAT header.
3971 */
3974 }
3981 /* A PNG with a gradually increasing IDAT size will defeat this attempt
3982 * to minimize memory usage by causing lots of re-allocs, but
3983 * realistically doing IDAT_read_size re-allocs is not likely to be a
3984 * big problem.
3985 */
3993 }
3995 /* And set up the output side. */
3997 {
4005 }
4008 {
4011 }
4013 /* Use NO_FLUSH; this gives zlib the maximum opportunity to optimize the
4014 * process. If the LZ stream is truncated the sequential reader will
4015 * terminally damage the stream, above, by reading the chunk header of the
4016 * following chunk (it then exits with png_error).
4017 *
4018 * TODO: deal more elegantly with truncated IDAT lists.
4019 */
4022 /* Take the unconsumed output back. */
4032 {
4033 /* Do this for safety; we won't read any more into this row. */
4042 }
4045 {
4052 {
4055 }
4056 }
4060 {
4061 /* The stream ended before the image; this is the same as too few IDATs so
4062 * should be handled the same way.
4063 */
4069 }
4070 }
4074 {
4075 /* We don't need any more data and the stream should have ended, however the
4076 * LZ end code may actually not have been processed. In this case we must
4077 * read it otherwise stray unread IDAT data or, more likely, an IDAT chunk
4078 * may still remain to be consumed.
4079 */
4081 {
4082 /* The NULL causes png_read_IDAT_data to swallow any remaining bytes in
4083 * the compressed stream, but the stream may be damaged too, so even after
4084 * this call we may need to terminate the zstream ownership.
4085 */
4089 /* Now clear everything out for safety; the following may not have been
4090 * done.
4091 */
4093 {
4096 }
4097 }
4099 /* If the zstream has not been released do it now *and* terminate the reading
4100 * of the final IDAT chunk.
4101 */
4103 {
4104 /* Always do this; the pointers otherwise point into the read buffer. */
4108 /* Now we no longer own the zstream. */
4111 /* The slightly weird semantics of the sequential IDAT reading is that we
4112 * are always in or at the end of an IDAT chunk, so we always need to do a
4113 * crc_finish here. If idat_size is non-zero we also need to read the
4114 * spurious bytes at the end of the chunk now.
4115 */
4117 }
4118 }
4122 {
4123 /* Arrays to facilitate easy interlacing - use pass (0 - 6) as index */
4125 /* Start of interlace block */
4128 /* Offset to next interlace block */
4131 /* Start of interlace block in the y direction */
4134 /* Offset to next interlace block in the y direction */
4143 {
4146 /* TO DO: don't do this if prev_row isn't needed (requires
4147 * read-ahead of the next row's filter byte.
4148 */
4151 do
4152 {
4164 {
4169 }
4178 }
4180 /* Here after at the end of the last row of the last pass. */
4182 }
4187 {
4188 /* Arrays to facilitate easy interlacing - use pass (0 - 6) as index */
4190 /* Start of interlace block */
4193 /* Offset to next interlace block */
4196 /* Start of interlace block in the y direction */
4199 /* Offset to next interlace block in the y direction */
4203 png_size_t row_bytes;
4207 #ifdef PNG_READ_TRANSFORMS_SUPPORTED
4209 #endif
4211 {
4216 else
4223 }
4225 else
4226 {
4229 }
4233 /* WARNING: * png_read_transform_info (pngrtran.c) performs a simpler set of
4234 * calculations to calculate the final pixel depth, then
4235 * png_do_read_transforms actually does the transforms. This means that the
4236 * code which effectively calculates this value is actually repeated in three
4237 * separate places. They must all match. Innocent changes to the order of
4238 * transformations can and will break libpng in a way that causes memory
4239 * overwrites.
4240 *
4241 * TODO: fix this.
4242 */
4243 #ifdef PNG_READ_PACK_SUPPORTED
4246 #endif
4248 #ifdef PNG_READ_EXPAND_SUPPORTED
4250 {
4252 {
4256 else
4258 }
4261 {
4267 }
4270 {
4272 {
4275 }
4276 }
4277 }
4278 #endif
4280 #ifdef PNG_READ_EXPAND_16_SUPPORTED
4282 {
4283 # ifdef PNG_READ_EXPAND_SUPPORTED
4284 /* In fact it is an error if it isn't supported, but checking is
4285 * the safe way.
4286 */
4288 {
4291 }
4292 else
4293 # endif
4295 }
4296 #endif
4298 #ifdef PNG_READ_FILLER_SUPPORTED
4300 {
4302 {
4306 else
4308 }
4312 {
4316 else
4318 }
4319 }
4320 #endif
4322 #ifdef PNG_READ_GRAY_TO_RGB_SUPPORTED
4324 {
4326 #ifdef PNG_READ_EXPAND_SUPPORTED
4329 #endif
4330 #ifdef PNG_READ_FILLER_SUPPORTED
4332 #endif
4334 {
4338 else
4340 }
4342 else
4343 {
4345 {
4349 else
4351 }
4356 else
4358 }
4359 }
4360 #endif
4362 #if defined(PNG_READ_USER_TRANSFORM_SUPPORTED) && \
4363 defined(PNG_USER_TRANSFORM_PTR_SUPPORTED)
4365 {
4371 }
4372 #endif
4374 /* This value is stored in png_struct and double checked in the row read
4375 * code.
4376 */
4380 /* Align the width on the next larger 8 pixels. Mainly used
4381 * for interlacing
4382 */
4384 /* Calculate the maximum bytes needed, adding a byte and a pixel
4385 * for safety's sake
4386 */
4390 #ifdef PNG_MAX_MALLOC_64K
4393 #endif
4396 {
4404 else
4409 #ifdef PNG_ALIGNED_MEMORY_SUPPORTED
4410 /* Use 16-byte aligned memory for row_buf with at least 16 bytes
4411 * of padding before and after row_buf; treat prev_row similarly.
4412 * NOTE: the alignment is to the start of the pixels, one beyond the start
4413 * of the buffer, because of the filter byte. Prior to libpng 1.5.6 this
4414 * was incorrect; the filter byte was aligned, which had the exact
4415 * opposite effect of that intended.
4416 */
4417 {
4425 }
4427 #else
4428 /* Use 31 bytes of padding before and 17 bytes after row_buf. */
4431 #endif
4433 }
4435 #ifdef PNG_MAX_MALLOC_64K
4439 #endif
4453 /* The sequential reader needs a buffer for IDAT, but the progressive reader
4454 * does not, so free the read buffer now regardless; the sequential reader
4455 * reallocates it on demand.
4456 */
4458 {
4464 }
4466 /* Finally claim the zstream for the inflate of the IDAT data, use the bits
4467 * value from the stream (note that this will result in a fatal error if the
4468 * IDAT stream has a bogus deflate header window_bits value, but this should
4469 * not be happening any longer!)
4470 */
4475 }