opencv

pngrutil.c
4679 строк · 144.0 Кб
Перенос по словам
1

2
/* pngrutil.c - utilities to read a PNG file
3
 *
4
 * Copyright (c) 2018-2024 Cosmin Truta
5
 * Copyright (c) 1998-2002,2004,2006-2018 Glenn Randers-Pehrson
6
 * Copyright (c) 1996-1997 Andreas Dilger
7
 * Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc.
8
 *
9
 * This code is released under the libpng license.
10
 * For conditions of distribution and use, see the disclaimer
11
 * and license in png.h
12
 *
13
 * This file contains routines that are only called from within
14
 * libpng itself during the course of reading an image.
15
 */
16

17
#include "pngpriv.h"
18

19
#ifdef PNG_READ_SUPPORTED
20

21
png_uint_32 PNGAPI
22
png_get_uint_31(png_const_structrp png_ptr, png_const_bytep buf)
23
{
24
   png_uint_32 uval = png_get_uint_32(buf);
25

26
   if (uval > PNG_UINT_31_MAX)
27
      png_error(png_ptr, "PNG unsigned integer out of range");
28

29
   return uval;
30
}
31

32
#if defined(PNG_READ_gAMA_SUPPORTED) || defined(PNG_READ_cHRM_SUPPORTED)
33
/* The following is a variation on the above for use with the fixed
34
 * point values used for gAMA and cHRM.  Instead of png_error it
35
 * issues a warning and returns (-1) - an invalid value because both
36
 * gAMA and cHRM use *unsigned* integers for fixed point values.
37
 */
38
#define PNG_FIXED_ERROR (-1)
39

40
static png_fixed_point /* PRIVATE */
41
png_get_fixed_point(png_structrp png_ptr, png_const_bytep buf)
42
{
43
   png_uint_32 uval = png_get_uint_32(buf);
44

45
   if (uval <= PNG_UINT_31_MAX)
46
      return (png_fixed_point)uval; /* known to be in range */
47

48
   /* The caller can turn off the warning by passing NULL. */
49
   if (png_ptr != NULL)
50
      png_warning(png_ptr, "PNG fixed point integer out of range");
51

52
   return PNG_FIXED_ERROR;
53
}
54
#endif
55

56
#ifdef PNG_READ_INT_FUNCTIONS_SUPPORTED
57
/* NOTE: the read macros will obscure these definitions, so that if
58
 * PNG_USE_READ_MACROS is set the library will not use them internally,
59
 * but the APIs will still be available externally.
60
 *
61
 * The parentheses around "PNGAPI function_name" in the following three
62
 * functions are necessary because they allow the macros to co-exist with
63
 * these (unused but exported) functions.
64
 */
65

66
/* Grab an unsigned 32-bit integer from a buffer in big-endian format. */
67
png_uint_32 (PNGAPI
68
png_get_uint_32)(png_const_bytep buf)
69
{
70
   png_uint_32 uval =
71
       ((png_uint_32)(*(buf    )) << 24) +
72
       ((png_uint_32)(*(buf + 1)) << 16) +
73
       ((png_uint_32)(*(buf + 2)) <<  8) +
74
       ((png_uint_32)(*(buf + 3))      ) ;
75

76
   return uval;
77
}
78

79
/* Grab a signed 32-bit integer from a buffer in big-endian format.  The
80
 * data is stored in the PNG file in two's complement format and there
81
 * is no guarantee that a 'png_int_32' is exactly 32 bits, therefore
82
 * the following code does a two's complement to native conversion.
83
 */
84
png_int_32 (PNGAPI
85
png_get_int_32)(png_const_bytep buf)
86
{
87
   png_uint_32 uval = png_get_uint_32(buf);
88
   if ((uval & 0x80000000) == 0) /* non-negative */
89
      return (png_int_32)uval;
90

91
   uval = (uval ^ 0xffffffff) + 1;  /* 2's complement: -x = ~x+1 */
92
   if ((uval & 0x80000000) == 0) /* no overflow */
93
      return -(png_int_32)uval;
94
   /* The following has to be safe; this function only gets called on PNG data
95
    * and if we get here that data is invalid.  0 is the most safe value and
96
    * if not then an attacker would surely just generate a PNG with 0 instead.
97
    */
98
   return 0;
99
}
100

101
/* Grab an unsigned 16-bit integer from a buffer in big-endian format. */
102
png_uint_16 (PNGAPI
103
png_get_uint_16)(png_const_bytep buf)
104
{
105
   /* ANSI-C requires an int value to accommodate at least 16 bits so this
106
    * works and allows the compiler not to worry about possible narrowing
107
    * on 32-bit systems.  (Pre-ANSI systems did not make integers smaller
108
    * than 16 bits either.)
109
    */
110
   unsigned int val =
111
       ((unsigned int)(*buf) << 8) +
112
       ((unsigned int)(*(buf + 1)));
113

114
   return (png_uint_16)val;
115
}
116

117
#endif /* READ_INT_FUNCTIONS */
118

119
/* Read and check the PNG file signature */
120
void /* PRIVATE */
121
png_read_sig(png_structrp png_ptr, png_inforp info_ptr)
122
{
123
   size_t num_checked, num_to_check;
124

125
   /* Exit if the user application does not expect a signature. */
126
   if (png_ptr->sig_bytes >= 8)
127
      return;
128

129
   num_checked = png_ptr->sig_bytes;
130
   num_to_check = 8 - num_checked;
131

132
#ifdef PNG_IO_STATE_SUPPORTED
133
   png_ptr->io_state = PNG_IO_READING | PNG_IO_SIGNATURE;
134
#endif
135

136
   /* The signature must be serialized in a single I/O call. */
137
   png_read_data(png_ptr, &(info_ptr->signature[num_checked]), num_to_check);
138
   png_ptr->sig_bytes = 8;
139

140
   if (png_sig_cmp(info_ptr->signature, num_checked, num_to_check) != 0)
141
   {
142
      if (num_checked < 4 &&
143
          png_sig_cmp(info_ptr->signature, num_checked, num_to_check - 4) != 0)
144
         png_error(png_ptr, "Not a PNG file");
145
      else
146
         png_error(png_ptr, "PNG file corrupted by ASCII conversion");
147
   }
148
   if (num_checked < 3)
149
      png_ptr->mode |= PNG_HAVE_PNG_SIGNATURE;
150
}
151

152
/* Read the chunk header (length + type name).
153
 * Put the type name into png_ptr->chunk_name, and return the length.
154
 */
155
png_uint_32 /* PRIVATE */
156
png_read_chunk_header(png_structrp png_ptr)
157
{
158
   png_byte buf[8];
159
   png_uint_32 length;
160

161
#ifdef PNG_IO_STATE_SUPPORTED
162
   png_ptr->io_state = PNG_IO_READING | PNG_IO_CHUNK_HDR;
163
#endif
164

165
   /* Read the length and the chunk name.
166
    * This must be performed in a single I/O call.
167
    */
168
   png_read_data(png_ptr, buf, 8);
169
   length = png_get_uint_31(png_ptr, buf);
170

171
   /* Put the chunk name into png_ptr->chunk_name. */
172
   png_ptr->chunk_name = PNG_CHUNK_FROM_STRING(buf+4);
173

174
   png_debug2(0, "Reading chunk typeid = 0x%lx, length = %lu",
175
       (unsigned long)png_ptr->chunk_name, (unsigned long)length);
176

177
   /* Reset the crc and run it over the chunk name. */
178
   png_reset_crc(png_ptr);
179
   png_calculate_crc(png_ptr, buf + 4, 4);
180

181
   /* Check to see if chunk name is valid. */
182
   png_check_chunk_name(png_ptr, png_ptr->chunk_name);
183

184
   /* Check for too-large chunk length */
185
   png_check_chunk_length(png_ptr, length);
186

187
#ifdef PNG_IO_STATE_SUPPORTED
188
   png_ptr->io_state = PNG_IO_READING | PNG_IO_CHUNK_DATA;
189
#endif
190

191
   return length;
192
}
193

194
/* Read data, and (optionally) run it through the CRC. */
195
void /* PRIVATE */
196
png_crc_read(png_structrp png_ptr, png_bytep buf, png_uint_32 length)
197
{
198
   if (png_ptr == NULL)
199
      return;
200

201
   png_read_data(png_ptr, buf, length);
202
   png_calculate_crc(png_ptr, buf, length);
203
}
204

205
/* Optionally skip data and then check the CRC.  Depending on whether we
206
 * are reading an ancillary or critical chunk, and how the program has set
207
 * things up, we may calculate the CRC on the data and print a message.
208
 * Returns '1' if there was a CRC error, '0' otherwise.
209
 */
210
int /* PRIVATE */
211
png_crc_finish(png_structrp png_ptr, png_uint_32 skip)
212
{
213
   /* The size of the local buffer for inflate is a good guess as to a
214
    * reasonable size to use for buffering reads from the application.
215
    */
216
   while (skip > 0)
217
   {
218
      png_uint_32 len;
219
      png_byte tmpbuf[PNG_INFLATE_BUF_SIZE];
220

221
      len = (sizeof tmpbuf);
222
      if (len > skip)
223
         len = skip;
224
      skip -= len;
225

226
      png_crc_read(png_ptr, tmpbuf, len);
227
   }
228

229
   if (png_crc_error(png_ptr) != 0)
230
   {
231
      if (PNG_CHUNK_ANCILLARY(png_ptr->chunk_name) != 0 ?
232
          (png_ptr->flags & PNG_FLAG_CRC_ANCILLARY_NOWARN) == 0 :
233
          (png_ptr->flags & PNG_FLAG_CRC_CRITICAL_USE) != 0)
234
      {
235
         png_chunk_warning(png_ptr, "CRC error");
236
      }
237

238
      else
239
         png_chunk_error(png_ptr, "CRC error");
240

241
      return 1;
242
   }
243

244
   return 0;
245
}
246

247
/* Compare the CRC stored in the PNG file with that calculated by libpng from
248
 * the data it has read thus far.
249
 */
250
int /* PRIVATE */
251
png_crc_error(png_structrp png_ptr)
252
{
253
   png_byte crc_bytes[4];
254
   png_uint_32 crc;
255
   int need_crc = 1;
256

257
   if (PNG_CHUNK_ANCILLARY(png_ptr->chunk_name) != 0)
258
   {
259
      if ((png_ptr->flags & PNG_FLAG_CRC_ANCILLARY_MASK) ==
260
          (PNG_FLAG_CRC_ANCILLARY_USE | PNG_FLAG_CRC_ANCILLARY_NOWARN))
261
         need_crc = 0;
262
   }
263

264
   else /* critical */
265
   {
266
      if ((png_ptr->flags & PNG_FLAG_CRC_CRITICAL_IGNORE) != 0)
267
         need_crc = 0;
268
   }
269

270
#ifdef PNG_IO_STATE_SUPPORTED
271
   png_ptr->io_state = PNG_IO_READING | PNG_IO_CHUNK_CRC;
272
#endif
273

274
   /* The chunk CRC must be serialized in a single I/O call. */
275
   png_read_data(png_ptr, crc_bytes, 4);
276

277
   if (need_crc != 0)
278
   {
279
      crc = png_get_uint_32(crc_bytes);
280
      return crc != png_ptr->crc;
281
   }
282

283
   else
284
      return 0;
285
}
286

287
#if defined(PNG_READ_iCCP_SUPPORTED) || defined(PNG_READ_iTXt_SUPPORTED) ||\
288
    defined(PNG_READ_pCAL_SUPPORTED) || defined(PNG_READ_sCAL_SUPPORTED) ||\
289
    defined(PNG_READ_sPLT_SUPPORTED) || defined(PNG_READ_tEXt_SUPPORTED) ||\
290
    defined(PNG_READ_zTXt_SUPPORTED) || defined(PNG_SEQUENTIAL_READ_SUPPORTED)
291
/* Manage the read buffer; this simply reallocates the buffer if it is not small
292
 * enough (or if it is not allocated).  The routine returns a pointer to the
293
 * buffer; if an error occurs and 'warn' is set the routine returns NULL, else
294
 * it will call png_error (via png_malloc) on failure.  (warn == 2 means
295
 * 'silent').
296
 */
297
static png_bytep
298
png_read_buffer(png_structrp png_ptr, png_alloc_size_t new_size, int warn)
299
{
300
   png_bytep buffer = png_ptr->read_buffer;
301

302
   if (buffer != NULL && new_size > png_ptr->read_buffer_size)
303
   {
304
      png_ptr->read_buffer = NULL;
305
      png_ptr->read_buffer_size = 0;
306
      png_free(png_ptr, buffer);
307
      buffer = NULL;
308
   }
309

310
   if (buffer == NULL)
311
   {
312
      buffer = png_voidcast(png_bytep, png_malloc_base(png_ptr, new_size));
313

314
      if (buffer != NULL)
315
      {
316
         memset(buffer, 0, new_size); /* just in case */
317
         png_ptr->read_buffer = buffer;
318
         png_ptr->read_buffer_size = new_size;
319
      }
320

321
      else if (warn < 2) /* else silent */
322
      {
323
         if (warn != 0)
324
             png_chunk_warning(png_ptr, "insufficient memory to read chunk");
325

326
         else
327
             png_chunk_error(png_ptr, "insufficient memory to read chunk");
328
      }
329
   }
330

331
   return buffer;
332
}
333
#endif /* READ_iCCP|iTXt|pCAL|sCAL|sPLT|tEXt|zTXt|SEQUENTIAL_READ */
334

335
/* png_inflate_claim: claim the zstream for some nefarious purpose that involves
336
 * decompression.  Returns Z_OK on success, else a zlib error code.  It checks
337
 * the owner but, in final release builds, just issues a warning if some other
338
 * chunk apparently owns the stream.  Prior to release it does a png_error.
339
 */
340
static int
341
png_inflate_claim(png_structrp png_ptr, png_uint_32 owner)
342
{
343
   if (png_ptr->zowner != 0)
344
   {
345
      char msg[64];
346

347
      PNG_STRING_FROM_CHUNK(msg, png_ptr->zowner);
348
      /* So the message that results is "<chunk> using zstream"; this is an
349
       * internal error, but is very useful for debugging.  i18n requirements
350
       * are minimal.
351
       */
352
      (void)png_safecat(msg, (sizeof msg), 4, " using zstream");
353
#if PNG_RELEASE_BUILD
354
      png_chunk_warning(png_ptr, msg);
355
      png_ptr->zowner = 0;
356
#else
357
      png_chunk_error(png_ptr, msg);
358
#endif
359
   }
360

361
   /* Implementation note: unlike 'png_deflate_claim' this internal function
362
    * does not take the size of the data as an argument.  Some efficiency could
363
    * be gained by using this when it is known *if* the zlib stream itself does
364
    * not record the number; however, this is an illusion: the original writer
365
    * of the PNG may have selected a lower window size, and we really must
366
    * follow that because, for systems with with limited capabilities, we
367
    * would otherwise reject the application's attempts to use a smaller window
368
    * size (zlib doesn't have an interface to say "this or lower"!).
369
    *
370
    * inflateReset2 was added to zlib 1.2.4; before this the window could not be
371
    * reset, therefore it is necessary to always allocate the maximum window
372
    * size with earlier zlibs just in case later compressed chunks need it.
373
    */
374
   {
375
      int ret; /* zlib return code */
376
#if ZLIB_VERNUM >= 0x1240
377
      int window_bits = 0;
378

379
# if defined(PNG_SET_OPTION_SUPPORTED) && defined(PNG_MAXIMUM_INFLATE_WINDOW)
380
      if (((png_ptr->options >> PNG_MAXIMUM_INFLATE_WINDOW) & 3) ==
381
          PNG_OPTION_ON)
382
      {
383
         window_bits = 15;
384
         png_ptr->zstream_start = 0; /* fixed window size */
385
      }
386

387
      else
388
      {
389
         png_ptr->zstream_start = 1;
390
      }
391
# endif
392

393
#endif /* ZLIB_VERNUM >= 0x1240 */
394

395
      /* Set this for safety, just in case the previous owner left pointers to
396
       * memory allocations.
397
       */
398
      png_ptr->zstream.next_in = NULL;
399
      png_ptr->zstream.avail_in = 0;
400
      png_ptr->zstream.next_out = NULL;
401
      png_ptr->zstream.avail_out = 0;
402

403
      if ((png_ptr->flags & PNG_FLAG_ZSTREAM_INITIALIZED) != 0)
404
      {
405
#if ZLIB_VERNUM >= 0x1240
406
         ret = inflateReset2(&png_ptr->zstream, window_bits);
407
#else
408
         ret = inflateReset(&png_ptr->zstream);
409
#endif
410
      }
411

412
      else
413
      {
414
#if ZLIB_VERNUM >= 0x1240
415
         ret = inflateInit2(&png_ptr->zstream, window_bits);
416
#else
417
         ret = inflateInit(&png_ptr->zstream);
418
#endif
419

420
         if (ret == Z_OK)
421
            png_ptr->flags |= PNG_FLAG_ZSTREAM_INITIALIZED;
422
      }
423

424
#ifdef PNG_DISABLE_ADLER32_CHECK_SUPPORTED
425
      if (((png_ptr->options >> PNG_IGNORE_ADLER32) & 3) == PNG_OPTION_ON)
426
         /* Turn off validation of the ADLER32 checksum in IDAT chunks */
427
         ret = inflateValidate(&png_ptr->zstream, 0);
428
#endif
429

430
      if (ret == Z_OK)
431
         png_ptr->zowner = owner;
432

433
      else
434
         png_zstream_error(png_ptr, ret);
435

436
      return ret;
437
   }
438

439
#ifdef window_bits
440
# undef window_bits
441
#endif
442
}
443

444
#if ZLIB_VERNUM >= 0x1240
445
/* Handle the start of the inflate stream if we called inflateInit2(strm,0);
446
 * in this case some zlib versions skip validation of the CINFO field and, in
447
 * certain circumstances, libpng may end up displaying an invalid image, in
448
 * contrast to implementations that call zlib in the normal way (e.g. libpng
449
 * 1.5).
450
 */
451
int /* PRIVATE */
452
png_zlib_inflate(png_structrp png_ptr, int flush)
453
{
454
   if (png_ptr->zstream_start && png_ptr->zstream.avail_in > 0)
455
   {
456
      if ((*png_ptr->zstream.next_in >> 4) > 7)
457
      {
458
         png_ptr->zstream.msg = "invalid window size (libpng)";
459
         return Z_DATA_ERROR;
460
      }
461

462
      png_ptr->zstream_start = 0;
463
   }
464

465
   return inflate(&png_ptr->zstream, flush);
466
}
467
#endif /* Zlib >= 1.2.4 */
468

469
#ifdef PNG_READ_COMPRESSED_TEXT_SUPPORTED
470
#if defined(PNG_READ_zTXt_SUPPORTED) || defined (PNG_READ_iTXt_SUPPORTED)
471
/* png_inflate now returns zlib error codes including Z_OK and Z_STREAM_END to
472
 * allow the caller to do multiple calls if required.  If the 'finish' flag is
473
 * set Z_FINISH will be passed to the final inflate() call and Z_STREAM_END must
474
 * be returned or there has been a problem, otherwise Z_SYNC_FLUSH is used and
475
 * Z_OK or Z_STREAM_END will be returned on success.
476
 *
477
 * The input and output sizes are updated to the actual amounts of data consumed
478
 * or written, not the amount available (as in a z_stream).  The data pointers
479
 * are not changed, so the next input is (data+input_size) and the next
480
 * available output is (output+output_size).
481
 */
482
static int
483
png_inflate(png_structrp png_ptr, png_uint_32 owner, int finish,
484
    /* INPUT: */ png_const_bytep input, png_uint_32p input_size_ptr,
485
    /* OUTPUT: */ png_bytep output, png_alloc_size_t *output_size_ptr)
486
{
487
   if (png_ptr->zowner == owner) /* Else not claimed */
488
   {
489
      int ret;
490
      png_alloc_size_t avail_out = *output_size_ptr;
491
      png_uint_32 avail_in = *input_size_ptr;
492

493
      /* zlib can't necessarily handle more than 65535 bytes at once (i.e. it
494
       * can't even necessarily handle 65536 bytes) because the type uInt is
495
       * "16 bits or more".  Consequently it is necessary to chunk the input to
496
       * zlib.  This code uses ZLIB_IO_MAX, from pngpriv.h, as the maximum (the
497
       * maximum value that can be stored in a uInt.)  It is possible to set
498
       * ZLIB_IO_MAX to a lower value in pngpriv.h and this may sometimes have
499
       * a performance advantage, because it reduces the amount of data accessed
500
       * at each step and that may give the OS more time to page it in.
501
       */
502
      png_ptr->zstream.next_in = PNGZ_INPUT_CAST(input);
503
      /* avail_in and avail_out are set below from 'size' */
504
      png_ptr->zstream.avail_in = 0;
505
      png_ptr->zstream.avail_out = 0;
506

507
      /* Read directly into the output if it is available (this is set to
508
       * a local buffer below if output is NULL).
509
       */
510
      if (output != NULL)
511
         png_ptr->zstream.next_out = output;
512

513
      do
514
      {
515
         uInt avail;
516
         Byte local_buffer[PNG_INFLATE_BUF_SIZE];
517

518
         /* zlib INPUT BUFFER */
519
         /* The setting of 'avail_in' used to be outside the loop; by setting it
520
          * inside it is possible to chunk the input to zlib and simply rely on
521
          * zlib to advance the 'next_in' pointer.  This allows arbitrary
522
          * amounts of data to be passed through zlib at the unavoidable cost of
523
          * requiring a window save (memcpy of up to 32768 output bytes)
524
          * every ZLIB_IO_MAX input bytes.
525
          */
526
         avail_in += png_ptr->zstream.avail_in; /* not consumed last time */
527

528
         avail = ZLIB_IO_MAX;
529

530
         if (avail_in < avail)
531
            avail = (uInt)avail_in; /* safe: < than ZLIB_IO_MAX */
532

533
         avail_in -= avail;
534
         png_ptr->zstream.avail_in = avail;
535

536
         /* zlib OUTPUT BUFFER */
537
         avail_out += png_ptr->zstream.avail_out; /* not written last time */
538

539
         avail = ZLIB_IO_MAX; /* maximum zlib can process */
540

541
         if (output == NULL)
542
         {
543
            /* Reset the output buffer each time round if output is NULL and
544
             * make available the full buffer, up to 'remaining_space'
545
             */
546
            png_ptr->zstream.next_out = local_buffer;
547
            if ((sizeof local_buffer) < avail)
548
               avail = (sizeof local_buffer);
549
         }
550

551
         if (avail_out < avail)
552
            avail = (uInt)avail_out; /* safe: < ZLIB_IO_MAX */
553

554
         png_ptr->zstream.avail_out = avail;
555
         avail_out -= avail;
556

557
         /* zlib inflate call */
558
         /* In fact 'avail_out' may be 0 at this point, that happens at the end
559
          * of the read when the final LZ end code was not passed at the end of
560
          * the previous chunk of input data.  Tell zlib if we have reached the
561
          * end of the output buffer.
562
          */
563
         ret = PNG_INFLATE(png_ptr, avail_out > 0 ? Z_NO_FLUSH :
564
             (finish ? Z_FINISH : Z_SYNC_FLUSH));
565
      } while (ret == Z_OK);
566

567
      /* For safety kill the local buffer pointer now */
568
      if (output == NULL)
569
         png_ptr->zstream.next_out = NULL;
570

571
      /* Claw back the 'size' and 'remaining_space' byte counts. */
572
      avail_in += png_ptr->zstream.avail_in;
573
      avail_out += png_ptr->zstream.avail_out;
574

575
      /* Update the input and output sizes; the updated values are the amount
576
       * consumed or written, effectively the inverse of what zlib uses.
577
       */
578
      if (avail_out > 0)
579
         *output_size_ptr -= avail_out;
580

581
      if (avail_in > 0)
582
         *input_size_ptr -= avail_in;
583

584
      /* Ensure png_ptr->zstream.msg is set (even in the success case!) */
585
      png_zstream_error(png_ptr, ret);
586
      return ret;
587
   }
588

589
   else
590
   {
591
      /* This is a bad internal error.  The recovery assigns to the zstream msg
592
       * pointer, which is not owned by the caller, but this is safe; it's only
593
       * used on errors!
594
       */
595
      png_ptr->zstream.msg = PNGZ_MSG_CAST("zstream unclaimed");
596
      return Z_STREAM_ERROR;
597
   }
598
}
599

600
/*
601
 * Decompress trailing data in a chunk.  The assumption is that read_buffer
602
 * points at an allocated area holding the contents of a chunk with a
603
 * trailing compressed part.  What we get back is an allocated area
604
 * holding the original prefix part and an uncompressed version of the
605
 * trailing part (the malloc area passed in is freed).
606
 */
607
static int
608
png_decompress_chunk(png_structrp png_ptr,
609
    png_uint_32 chunklength, png_uint_32 prefix_size,
610
    png_alloc_size_t *newlength /* must be initialized to the maximum! */,
611
    int terminate /*add a '\0' to the end of the uncompressed data*/)
612
{
613
   /* TODO: implement different limits for different types of chunk.
614
    *
615
    * The caller supplies *newlength set to the maximum length of the
616
    * uncompressed data, but this routine allocates space for the prefix and
617
    * maybe a '\0' terminator too.  We have to assume that 'prefix_size' is
618
    * limited only by the maximum chunk size.
619
    */
620
   png_alloc_size_t limit = PNG_SIZE_MAX;
621

622
# ifdef PNG_SET_USER_LIMITS_SUPPORTED
623
   if (png_ptr->user_chunk_malloc_max > 0 &&
624
       png_ptr->user_chunk_malloc_max < limit)
625
      limit = png_ptr->user_chunk_malloc_max;
626
# elif PNG_USER_CHUNK_MALLOC_MAX > 0
627
   if (PNG_USER_CHUNK_MALLOC_MAX < limit)
628
      limit = PNG_USER_CHUNK_MALLOC_MAX;
629
# endif
630

631
   if (limit >= prefix_size + (terminate != 0))
632
   {
633
      int ret;
634

635
      limit -= prefix_size + (terminate != 0);
636

637
      if (limit < *newlength)
638
         *newlength = limit;
639

640
      /* Now try to claim the stream. */
641
      ret = png_inflate_claim(png_ptr, png_ptr->chunk_name);
642

643
      if (ret == Z_OK)
644
      {
645
         png_uint_32 lzsize = chunklength - prefix_size;
646

647
         ret = png_inflate(png_ptr, png_ptr->chunk_name, 1/*finish*/,
648
             /* input: */ png_ptr->read_buffer + prefix_size, &lzsize,
649
             /* output: */ NULL, newlength);
650

651
         if (ret == Z_STREAM_END)
652
         {
653
            /* Use 'inflateReset' here, not 'inflateReset2' because this
654
             * preserves the previously decided window size (otherwise it would
655
             * be necessary to store the previous window size.)  In practice
656
             * this doesn't matter anyway, because png_inflate will call inflate
657
             * with Z_FINISH in almost all cases, so the window will not be
658
             * maintained.
659
             */
660
            if (inflateReset(&png_ptr->zstream) == Z_OK)
661
            {
662
               /* Because of the limit checks above we know that the new,
663
                * expanded, size will fit in a size_t (let alone an
664
                * png_alloc_size_t).  Use png_malloc_base here to avoid an
665
                * extra OOM message.
666
                */
667
               png_alloc_size_t new_size = *newlength;
668
               png_alloc_size_t buffer_size = prefix_size + new_size +
669
                   (terminate != 0);
670
               png_bytep text = png_voidcast(png_bytep, png_malloc_base(png_ptr,
671
                   buffer_size));
672

673
               if (text != NULL)
674
               {
675
                  memset(text, 0, buffer_size);
676

677
                  ret = png_inflate(png_ptr, png_ptr->chunk_name, 1/*finish*/,
678
                      png_ptr->read_buffer + prefix_size, &lzsize,
679
                      text + prefix_size, newlength);
680

681
                  if (ret == Z_STREAM_END)
682
                  {
683
                     if (new_size == *newlength)
684
                     {
685
                        if (terminate != 0)
686
                           text[prefix_size + *newlength] = 0;
687

688
                        if (prefix_size > 0)
689
                           memcpy(text, png_ptr->read_buffer, prefix_size);
690

691
                        {
692
                           png_bytep old_ptr = png_ptr->read_buffer;
693

694
                           png_ptr->read_buffer = text;
695
                           png_ptr->read_buffer_size = buffer_size;
696
                           text = old_ptr; /* freed below */
697
                        }
698
                     }
699

700
                     else
701
                     {
702
                        /* The size changed on the second read, there can be no
703
                         * guarantee that anything is correct at this point.
704
                         * The 'msg' pointer has been set to "unexpected end of
705
                         * LZ stream", which is fine, but return an error code
706
                         * that the caller won't accept.
707
                         */
708
                        ret = PNG_UNEXPECTED_ZLIB_RETURN;
709
                     }
710
                  }
711

712
                  else if (ret == Z_OK)
713
                     ret = PNG_UNEXPECTED_ZLIB_RETURN; /* for safety */
714

715
                  /* Free the text pointer (this is the old read_buffer on
716
                   * success)
717
                   */
718
                  png_free(png_ptr, text);
719

720
                  /* This really is very benign, but it's still an error because
721
                   * the extra space may otherwise be used as a Trojan Horse.
722
                   */
723
                  if (ret == Z_STREAM_END &&
724
                      chunklength - prefix_size != lzsize)
725
                     png_chunk_benign_error(png_ptr, "extra compressed data");
726
               }
727

728
               else
729
               {
730
                  /* Out of memory allocating the buffer */
731
                  ret = Z_MEM_ERROR;
732
                  png_zstream_error(png_ptr, Z_MEM_ERROR);
733
               }
734
            }
735

736
            else
737
            {
738
               /* inflateReset failed, store the error message */
739
               png_zstream_error(png_ptr, ret);
740
               ret = PNG_UNEXPECTED_ZLIB_RETURN;
741
            }
742
         }
743

744
         else if (ret == Z_OK)
745
            ret = PNG_UNEXPECTED_ZLIB_RETURN;
746

747
         /* Release the claimed stream */
748
         png_ptr->zowner = 0;
749
      }
750

751
      else /* the claim failed */ if (ret == Z_STREAM_END) /* impossible! */
752
         ret = PNG_UNEXPECTED_ZLIB_RETURN;
753

754
      return ret;
755
   }
756

757
   else
758
   {
759
      /* Application/configuration limits exceeded */
760
      png_zstream_error(png_ptr, Z_MEM_ERROR);
761
      return Z_MEM_ERROR;
762
   }
763
}
764
#endif /* READ_zTXt || READ_iTXt */
765
#endif /* READ_COMPRESSED_TEXT */
766

767
#ifdef PNG_READ_iCCP_SUPPORTED
768
/* Perform a partial read and decompress, producing 'avail_out' bytes and
769
 * reading from the current chunk as required.
770
 */
771
static int
772
png_inflate_read(png_structrp png_ptr, png_bytep read_buffer, uInt read_size,
773
    png_uint_32p chunk_bytes, png_bytep next_out, png_alloc_size_t *out_size,
774
    int finish)
775
{
776
   if (png_ptr->zowner == png_ptr->chunk_name)
777
   {
778
      int ret;
779

780
      /* next_in and avail_in must have been initialized by the caller. */
781
      png_ptr->zstream.next_out = next_out;
782
      png_ptr->zstream.avail_out = 0; /* set in the loop */
783

784
      do
785
      {
786
         if (png_ptr->zstream.avail_in == 0)
787
         {
788
            if (read_size > *chunk_bytes)
789
               read_size = (uInt)*chunk_bytes;
790
            *chunk_bytes -= read_size;
791

792
            if (read_size > 0)
793
               png_crc_read(png_ptr, read_buffer, read_size);
794

795
            png_ptr->zstream.next_in = read_buffer;
796
            png_ptr->zstream.avail_in = read_size;
797
         }
798

799
         if (png_ptr->zstream.avail_out == 0)
800
         {
801
            uInt avail = ZLIB_IO_MAX;
802
            if (avail > *out_size)
803
               avail = (uInt)*out_size;
804
            *out_size -= avail;
805

806
            png_ptr->zstream.avail_out = avail;
807
         }
808

809
         /* Use Z_SYNC_FLUSH when there is no more chunk data to ensure that all
810
          * the available output is produced; this allows reading of truncated
811
          * streams.
812
          */
813
         ret = PNG_INFLATE(png_ptr, *chunk_bytes > 0 ?
814
             Z_NO_FLUSH : (finish ? Z_FINISH : Z_SYNC_FLUSH));
815
      }
816
      while (ret == Z_OK && (*out_size > 0 || png_ptr->zstream.avail_out > 0));
817

818
      *out_size += png_ptr->zstream.avail_out;
819
      png_ptr->zstream.avail_out = 0; /* Should not be required, but is safe */
820

821
      /* Ensure the error message pointer is always set: */
822
      png_zstream_error(png_ptr, ret);
823
      return ret;
824
   }
825

826
   else
827
   {
828
      png_ptr->zstream.msg = PNGZ_MSG_CAST("zstream unclaimed");
829
      return Z_STREAM_ERROR;
830
   }
831
}
832
#endif /* READ_iCCP */
833

834
/* Read and check the IDHR chunk */
835

836
void /* PRIVATE */
837
png_handle_IHDR(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
838
{
839
   png_byte buf[13];
840
   png_uint_32 width, height;
841
   int bit_depth, color_type, compression_type, filter_type;
842
   int interlace_type;
843

844
   png_debug(1, "in png_handle_IHDR");
845

846
   if ((png_ptr->mode & PNG_HAVE_IHDR) != 0)
847
      png_chunk_error(png_ptr, "out of place");
848

849
   /* Check the length */
850
   if (length != 13)
851
      png_chunk_error(png_ptr, "invalid");
852

853
   png_ptr->mode |= PNG_HAVE_IHDR;
854

855
   png_crc_read(png_ptr, buf, 13);
856
   png_crc_finish(png_ptr, 0);
857

858
   width = png_get_uint_31(png_ptr, buf);
859
   height = png_get_uint_31(png_ptr, buf + 4);
860
   bit_depth = buf[8];
861
   color_type = buf[9];
862
   compression_type = buf[10];
863
   filter_type = buf[11];
864
   interlace_type = buf[12];
865

866
   /* Set internal variables */
867
   png_ptr->width = width;
868
   png_ptr->height = height;
869
   png_ptr->bit_depth = (png_byte)bit_depth;
870
   png_ptr->interlaced = (png_byte)interlace_type;
871
   png_ptr->color_type = (png_byte)color_type;
872
#ifdef PNG_MNG_FEATURES_SUPPORTED
873
   png_ptr->filter_type = (png_byte)filter_type;
874
#endif
875
   png_ptr->compression_type = (png_byte)compression_type;
876

877
   /* Find number of channels */
878
   switch (png_ptr->color_type)
879
   {
880
      default: /* invalid, png_set_IHDR calls png_error */
881
      case PNG_COLOR_TYPE_GRAY:
882
      case PNG_COLOR_TYPE_PALETTE:
883
         png_ptr->channels = 1;
884
         break;
885

886
      case PNG_COLOR_TYPE_RGB:
887
         png_ptr->channels = 3;
888
         break;
889

890
      case PNG_COLOR_TYPE_GRAY_ALPHA:
891
         png_ptr->channels = 2;
892
         break;
893

894
      case PNG_COLOR_TYPE_RGB_ALPHA:
895
         png_ptr->channels = 4;
896
         break;
897
   }
898

899
   /* Set up other useful info */
900
   png_ptr->pixel_depth = (png_byte)(png_ptr->bit_depth * png_ptr->channels);
901
   png_ptr->rowbytes = PNG_ROWBYTES(png_ptr->pixel_depth, png_ptr->width);
902
   png_debug1(3, "bit_depth = %d", png_ptr->bit_depth);
903
   png_debug1(3, "channels = %d", png_ptr->channels);
904
   png_debug1(3, "rowbytes = %lu", (unsigned long)png_ptr->rowbytes);
905
   png_set_IHDR(png_ptr, info_ptr, width, height, bit_depth,
906
       color_type, interlace_type, compression_type, filter_type);
907
}
908

909
/* Read and check the palette */
910
void /* PRIVATE */
911
png_handle_PLTE(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
912
{
913
   png_color palette[PNG_MAX_PALETTE_LENGTH];
914
   int max_palette_length, num, i;
915
#ifdef PNG_POINTER_INDEXING_SUPPORTED
916
   png_colorp pal_ptr;
917
#endif
918

919
   png_debug(1, "in png_handle_PLTE");
920

921
   if ((png_ptr->mode & PNG_HAVE_IHDR) == 0)
922
      png_chunk_error(png_ptr, "missing IHDR");
923

924
   /* Moved to before the 'after IDAT' check below because otherwise duplicate
925
    * PLTE chunks are potentially ignored (the spec says there shall not be more
926
    * than one PLTE, the error is not treated as benign, so this check trumps
927
    * the requirement that PLTE appears before IDAT.)
928
    */
929
   else if ((png_ptr->mode & PNG_HAVE_PLTE) != 0)
930
      png_chunk_error(png_ptr, "duplicate");
931

932
   else if ((png_ptr->mode & PNG_HAVE_IDAT) != 0)
933
   {
934
      /* This is benign because the non-benign error happened before, when an
935
       * IDAT was encountered in a color-mapped image with no PLTE.
936
       */
937
      png_crc_finish(png_ptr, length);
938
      png_chunk_benign_error(png_ptr, "out of place");
939
      return;
940
   }
941

942
   png_ptr->mode |= PNG_HAVE_PLTE;
943

944
   if ((png_ptr->color_type & PNG_COLOR_MASK_COLOR) == 0)
945
   {
946
      png_crc_finish(png_ptr, length);
947
      png_chunk_benign_error(png_ptr, "ignored in grayscale PNG");
948
      return;
949
   }
950

951
#ifndef PNG_READ_OPT_PLTE_SUPPORTED
952
   if (png_ptr->color_type != PNG_COLOR_TYPE_PALETTE)
953
   {
954
      png_crc_finish(png_ptr, length);
955
      return;
956
   }
957
#endif
958

959
   if (length > 3*PNG_MAX_PALETTE_LENGTH || length % 3)
960
   {
961
      png_crc_finish(png_ptr, length);
962

963
      if (png_ptr->color_type != PNG_COLOR_TYPE_PALETTE)
964
         png_chunk_benign_error(png_ptr, "invalid");
965

966
      else
967
         png_chunk_error(png_ptr, "invalid");
968

969
      return;
970
   }
971

972
   /* The cast is safe because 'length' is less than 3*PNG_MAX_PALETTE_LENGTH */
973
   num = (int)length / 3;
974

975
   /* If the palette has 256 or fewer entries but is too large for the bit
976
    * depth, we don't issue an error, to preserve the behavior of previous
977
    * libpng versions. We silently truncate the unused extra palette entries
978
    * here.
979
    */
980
   if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
981
      max_palette_length = (1 << png_ptr->bit_depth);
982
   else
983
      max_palette_length = PNG_MAX_PALETTE_LENGTH;
984

985
   if (num > max_palette_length)
986
      num = max_palette_length;
987

988
#ifdef PNG_POINTER_INDEXING_SUPPORTED
989
   for (i = 0, pal_ptr = palette; i < num; i++, pal_ptr++)
990
   {
991
      png_byte buf[3];
992

993
      png_crc_read(png_ptr, buf, 3);
994
      pal_ptr->red = buf[0];
995
      pal_ptr->green = buf[1];
996
      pal_ptr->blue = buf[2];
997
   }
998
#else
999
   for (i = 0; i < num; i++)
1000
   {
1001
      png_byte buf[3];
1002

1003
      png_crc_read(png_ptr, buf, 3);
1004
      /* Don't depend upon png_color being any order */
1005
      palette[i].red = buf[0];
1006
      palette[i].green = buf[1];
1007
      palette[i].blue = buf[2];
1008
   }
1009
#endif
1010

1011
   /* If we actually need the PLTE chunk (ie for a paletted image), we do
1012
    * whatever the normal CRC configuration tells us.  However, if we
1013
    * have an RGB image, the PLTE can be considered ancillary, so
1014
    * we will act as though it is.
1015
    */
1016
#ifndef PNG_READ_OPT_PLTE_SUPPORTED
1017
   if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
1018
#endif
1019
   {
1020
      png_crc_finish(png_ptr, (png_uint_32) (length - (unsigned int)num * 3));
1021
   }
1022

1023
#ifndef PNG_READ_OPT_PLTE_SUPPORTED
1024
   else if (png_crc_error(png_ptr) != 0)  /* Only if we have a CRC error */
1025
   {
1026
      /* If we don't want to use the data from an ancillary chunk,
1027
       * we have two options: an error abort, or a warning and we
1028
       * ignore the data in this chunk (which should be OK, since
1029
       * it's considered ancillary for a RGB or RGBA image).
1030
       *
1031
       * IMPLEMENTATION NOTE: this is only here because png_crc_finish uses the
1032
       * chunk type to determine whether to check the ancillary or the critical
1033
       * flags.
1034
       */
1035
      if ((png_ptr->flags & PNG_FLAG_CRC_ANCILLARY_USE) == 0)
1036
      {
1037
         if ((png_ptr->flags & PNG_FLAG_CRC_ANCILLARY_NOWARN) != 0)
1038
            return;
1039

1040
         else
1041
            png_chunk_error(png_ptr, "CRC error");
1042
      }
1043

1044
      /* Otherwise, we (optionally) emit a warning and use the chunk. */
1045
      else if ((png_ptr->flags & PNG_FLAG_CRC_ANCILLARY_NOWARN) == 0)
1046
         png_chunk_warning(png_ptr, "CRC error");
1047
   }
1048
#endif
1049

1050
   /* TODO: png_set_PLTE has the side effect of setting png_ptr->palette to its
1051
    * own copy of the palette.  This has the side effect that when png_start_row
1052
    * is called (this happens after any call to png_read_update_info) the
1053
    * info_ptr palette gets changed.  This is extremely unexpected and
1054
    * confusing.
1055
    *
1056
    * Fix this by not sharing the palette in this way.
1057
    */
1058
   png_set_PLTE(png_ptr, info_ptr, palette, num);
1059

1060
   /* The three chunks, bKGD, hIST and tRNS *must* appear after PLTE and before
1061
    * IDAT.  Prior to 1.6.0 this was not checked; instead the code merely
1062
    * checked the apparent validity of a tRNS chunk inserted before PLTE on a
1063
    * palette PNG.  1.6.0 attempts to rigorously follow the standard and
1064
    * therefore does a benign error if the erroneous condition is detected *and*
1065
    * cancels the tRNS if the benign error returns.  The alternative is to
1066
    * amend the standard since it would be rather hypocritical of the standards
1067
    * maintainers to ignore it.
1068
    */
1069
#ifdef PNG_READ_tRNS_SUPPORTED
1070
   if (png_ptr->num_trans > 0 ||
1071
       (info_ptr != NULL && (info_ptr->valid & PNG_INFO_tRNS) != 0))
1072
   {
1073
      /* Cancel this because otherwise it would be used if the transforms
1074
       * require it.  Don't cancel the 'valid' flag because this would prevent
1075
       * detection of duplicate chunks.
1076
       */
1077
      png_ptr->num_trans = 0;
1078

1079
      if (info_ptr != NULL)
1080
         info_ptr->num_trans = 0;
1081

1082
      png_chunk_benign_error(png_ptr, "tRNS must be after");
1083
   }
1084
#endif
1085

1086
#ifdef PNG_READ_hIST_SUPPORTED
1087
   if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_hIST) != 0)
1088
      png_chunk_benign_error(png_ptr, "hIST must be after");
1089
#endif
1090

1091
#ifdef PNG_READ_bKGD_SUPPORTED
1092
   if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_bKGD) != 0)
1093
      png_chunk_benign_error(png_ptr, "bKGD must be after");
1094
#endif
1095
}
1096

1097
void /* PRIVATE */
1098
png_handle_IEND(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
1099
{
1100
   png_debug(1, "in png_handle_IEND");
1101

1102
   if ((png_ptr->mode & PNG_HAVE_IHDR) == 0 ||
1103
       (png_ptr->mode & PNG_HAVE_IDAT) == 0)
1104
      png_chunk_error(png_ptr, "out of place");
1105

1106
   png_ptr->mode |= (PNG_AFTER_IDAT | PNG_HAVE_IEND);
1107

1108
   png_crc_finish(png_ptr, length);
1109

1110
   if (length != 0)
1111
      png_chunk_benign_error(png_ptr, "invalid");
1112

1113
   PNG_UNUSED(info_ptr)
1114
}
1115

1116
#ifdef PNG_READ_gAMA_SUPPORTED
1117
void /* PRIVATE */
1118
png_handle_gAMA(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
1119
{
1120
   png_fixed_point igamma;
1121
   png_byte buf[4];
1122

1123
   png_debug(1, "in png_handle_gAMA");
1124

1125
   if ((png_ptr->mode & PNG_HAVE_IHDR) == 0)
1126
      png_chunk_error(png_ptr, "missing IHDR");
1127

1128
   else if ((png_ptr->mode & (PNG_HAVE_IDAT|PNG_HAVE_PLTE)) != 0)
1129
   {
1130
      png_crc_finish(png_ptr, length);
1131
      png_chunk_benign_error(png_ptr, "out of place");
1132
      return;
1133
   }
1134

1135
   if (length != 4)
1136
   {
1137
      png_crc_finish(png_ptr, length);
1138
      png_chunk_benign_error(png_ptr, "invalid");
1139
      return;
1140
   }
1141

1142
   png_crc_read(png_ptr, buf, 4);
1143

1144
   if (png_crc_finish(png_ptr, 0) != 0)
1145
      return;
1146

1147
   igamma = png_get_fixed_point(NULL, buf);
1148

1149
   png_colorspace_set_gamma(png_ptr, &png_ptr->colorspace, igamma);
1150
   png_colorspace_sync(png_ptr, info_ptr);
1151
}
1152
#endif
1153

1154
#ifdef PNG_READ_sBIT_SUPPORTED
1155
void /* PRIVATE */
1156
png_handle_sBIT(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
1157
{
1158
   unsigned int truelen, i;
1159
   png_byte sample_depth;
1160
   png_byte buf[4];
1161

1162
   png_debug(1, "in png_handle_sBIT");
1163

1164
   if ((png_ptr->mode & PNG_HAVE_IHDR) == 0)
1165
      png_chunk_error(png_ptr, "missing IHDR");
1166

1167
   else if ((png_ptr->mode & (PNG_HAVE_IDAT|PNG_HAVE_PLTE)) != 0)
1168
   {
1169
      png_crc_finish(png_ptr, length);
1170
      png_chunk_benign_error(png_ptr, "out of place");
1171
      return;
1172
   }
1173

1174
   if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_sBIT) != 0)
1175
   {
1176
      png_crc_finish(png_ptr, length);
1177
      png_chunk_benign_error(png_ptr, "duplicate");
1178
      return;
1179
   }
1180

1181
   if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
1182
   {
1183
      truelen = 3;
1184
      sample_depth = 8;
1185
   }
1186

1187
   else
1188
   {
1189
      truelen = png_ptr->channels;
1190
      sample_depth = png_ptr->bit_depth;
1191
   }
1192

1193
   if (length != truelen || length > 4)
1194
   {
1195
      png_chunk_benign_error(png_ptr, "invalid");
1196
      png_crc_finish(png_ptr, length);
1197
      return;
1198
   }
1199

1200
   buf[0] = buf[1] = buf[2] = buf[3] = sample_depth;
1201
   png_crc_read(png_ptr, buf, truelen);
1202

1203
   if (png_crc_finish(png_ptr, 0) != 0)
1204
      return;
1205

1206
   for (i=0; i<truelen; ++i)
1207
   {
1208
      if (buf[i] == 0 || buf[i] > sample_depth)
1209
      {
1210
         png_chunk_benign_error(png_ptr, "invalid");
1211
         return;
1212
      }
1213
   }
1214

1215
   if ((png_ptr->color_type & PNG_COLOR_MASK_COLOR) != 0)
1216
   {
1217
      png_ptr->sig_bit.red = buf[0];
1218
      png_ptr->sig_bit.green = buf[1];
1219
      png_ptr->sig_bit.blue = buf[2];
1220
      png_ptr->sig_bit.alpha = buf[3];
1221
   }
1222

1223
   else
1224
   {
1225
      png_ptr->sig_bit.gray = buf[0];
1226
      png_ptr->sig_bit.red = buf[0];
1227
      png_ptr->sig_bit.green = buf[0];
1228
      png_ptr->sig_bit.blue = buf[0];
1229
      png_ptr->sig_bit.alpha = buf[1];
1230
   }
1231

1232
   png_set_sBIT(png_ptr, info_ptr, &(png_ptr->sig_bit));
1233
}
1234
#endif
1235

1236
#ifdef PNG_READ_cHRM_SUPPORTED
1237
void /* PRIVATE */
1238
png_handle_cHRM(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
1239
{
1240
   png_byte buf[32];
1241
   png_xy xy;
1242

1243
   png_debug(1, "in png_handle_cHRM");
1244

1245
   if ((png_ptr->mode & PNG_HAVE_IHDR) == 0)
1246
      png_chunk_error(png_ptr, "missing IHDR");
1247

1248
   else if ((png_ptr->mode & (PNG_HAVE_IDAT|PNG_HAVE_PLTE)) != 0)
1249
   {
1250
      png_crc_finish(png_ptr, length);
1251
      png_chunk_benign_error(png_ptr, "out of place");
1252
      return;
1253
   }
1254

1255
   if (length != 32)
1256
   {
1257
      png_crc_finish(png_ptr, length);
1258
      png_chunk_benign_error(png_ptr, "invalid");
1259
      return;
1260
   }
1261

1262
   png_crc_read(png_ptr, buf, 32);
1263

1264
   if (png_crc_finish(png_ptr, 0) != 0)
1265
      return;
1266

1267
   xy.whitex = png_get_fixed_point(NULL, buf);
1268
   xy.whitey = png_get_fixed_point(NULL, buf + 4);
1269
   xy.redx   = png_get_fixed_point(NULL, buf + 8);
1270
   xy.redy   = png_get_fixed_point(NULL, buf + 12);
1271
   xy.greenx = png_get_fixed_point(NULL, buf + 16);
1272
   xy.greeny = png_get_fixed_point(NULL, buf + 20);
1273
   xy.bluex  = png_get_fixed_point(NULL, buf + 24);
1274
   xy.bluey  = png_get_fixed_point(NULL, buf + 28);
1275

1276
   if (xy.whitex == PNG_FIXED_ERROR ||
1277
       xy.whitey == PNG_FIXED_ERROR ||
1278
       xy.redx   == PNG_FIXED_ERROR ||
1279
       xy.redy   == PNG_FIXED_ERROR ||
1280
       xy.greenx == PNG_FIXED_ERROR ||
1281
       xy.greeny == PNG_FIXED_ERROR ||
1282
       xy.bluex  == PNG_FIXED_ERROR ||
1283
       xy.bluey  == PNG_FIXED_ERROR)
1284
   {
1285
      png_chunk_benign_error(png_ptr, "invalid values");
1286
      return;
1287
   }
1288

1289
   /* If a colorspace error has already been output skip this chunk */
1290
   if ((png_ptr->colorspace.flags & PNG_COLORSPACE_INVALID) != 0)
1291
      return;
1292

1293
   if ((png_ptr->colorspace.flags & PNG_COLORSPACE_FROM_cHRM) != 0)
1294
   {
1295
      png_ptr->colorspace.flags |= PNG_COLORSPACE_INVALID;
1296
      png_colorspace_sync(png_ptr, info_ptr);
1297
      png_chunk_benign_error(png_ptr, "duplicate");
1298
      return;
1299
   }
1300

1301
   png_ptr->colorspace.flags |= PNG_COLORSPACE_FROM_cHRM;
1302
   (void)png_colorspace_set_chromaticities(png_ptr, &png_ptr->colorspace, &xy,
1303
       1/*prefer cHRM values*/);
1304
   png_colorspace_sync(png_ptr, info_ptr);
1305
}
1306
#endif
1307

1308
#ifdef PNG_READ_sRGB_SUPPORTED
1309
void /* PRIVATE */
1310
png_handle_sRGB(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
1311
{
1312
   png_byte intent;
1313

1314
   png_debug(1, "in png_handle_sRGB");
1315

1316
   if ((png_ptr->mode & PNG_HAVE_IHDR) == 0)
1317
      png_chunk_error(png_ptr, "missing IHDR");
1318

1319
   else if ((png_ptr->mode & (PNG_HAVE_IDAT|PNG_HAVE_PLTE)) != 0)
1320
   {
1321
      png_crc_finish(png_ptr, length);
1322
      png_chunk_benign_error(png_ptr, "out of place");
1323
      return;
1324
   }
1325

1326
   if (length != 1)
1327
   {
1328
      png_crc_finish(png_ptr, length);
1329
      png_chunk_benign_error(png_ptr, "invalid");
1330
      return;
1331
   }
1332

1333
   png_crc_read(png_ptr, &intent, 1);
1334

1335
   if (png_crc_finish(png_ptr, 0) != 0)
1336
      return;
1337

1338
   /* If a colorspace error has already been output skip this chunk */
1339
   if ((png_ptr->colorspace.flags & PNG_COLORSPACE_INVALID) != 0)
1340
      return;
1341

1342
   /* Only one sRGB or iCCP chunk is allowed, use the HAVE_INTENT flag to detect
1343
    * this.
1344
    */
1345
   if ((png_ptr->colorspace.flags & PNG_COLORSPACE_HAVE_INTENT) != 0)
1346
   {
1347
      png_ptr->colorspace.flags |= PNG_COLORSPACE_INVALID;
1348
      png_colorspace_sync(png_ptr, info_ptr);
1349
      png_chunk_benign_error(png_ptr, "too many profiles");
1350
      return;
1351
   }
1352

1353
   (void)png_colorspace_set_sRGB(png_ptr, &png_ptr->colorspace, intent);
1354
   png_colorspace_sync(png_ptr, info_ptr);
1355
}
1356
#endif /* READ_sRGB */
1357

1358
#ifdef PNG_READ_iCCP_SUPPORTED
1359
void /* PRIVATE */
1360
png_handle_iCCP(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
1361
/* Note: this does not properly handle profiles that are > 64K under DOS */
1362
{
1363
   png_const_charp errmsg = NULL; /* error message output, or no error */
1364
   int finished = 0; /* crc checked */
1365

1366
   png_debug(1, "in png_handle_iCCP");
1367

1368
   if ((png_ptr->mode & PNG_HAVE_IHDR) == 0)
1369
      png_chunk_error(png_ptr, "missing IHDR");
1370

1371
   else if ((png_ptr->mode & (PNG_HAVE_IDAT|PNG_HAVE_PLTE)) != 0)
1372
   {
1373
      png_crc_finish(png_ptr, length);
1374
      png_chunk_benign_error(png_ptr, "out of place");
1375
      return;
1376
   }
1377

1378
   /* Consistent with all the above colorspace handling an obviously *invalid*
1379
    * chunk is just ignored, so does not invalidate the color space.  An
1380
    * alternative is to set the 'invalid' flags at the start of this routine
1381
    * and only clear them in they were not set before and all the tests pass.
1382
    */
1383

1384
   /* The keyword must be at least one character and there is a
1385
    * terminator (0) byte and the compression method byte, and the
1386
    * 'zlib' datastream is at least 11 bytes.
1387
    */
1388
   if (length < 14)
1389
   {
1390
      png_crc_finish(png_ptr, length);
1391
      png_chunk_benign_error(png_ptr, "too short");
1392
      return;
1393
   }
1394

1395
   /* If a colorspace error has already been output skip this chunk */
1396
   if ((png_ptr->colorspace.flags & PNG_COLORSPACE_INVALID) != 0)
1397
   {
1398
      png_crc_finish(png_ptr, length);
1399
      return;
1400
   }
1401

1402
   /* Only one sRGB or iCCP chunk is allowed, use the HAVE_INTENT flag to detect
1403
    * this.
1404
    */
1405
   if ((png_ptr->colorspace.flags & PNG_COLORSPACE_HAVE_INTENT) == 0)
1406
   {
1407
      uInt read_length, keyword_length;
1408
      char keyword[81];
1409

1410
      /* Find the keyword; the keyword plus separator and compression method
1411
       * bytes can be at most 81 characters long.
1412
       */
1413
      read_length = 81; /* maximum */
1414
      if (read_length > length)
1415
         read_length = (uInt)length;
1416

1417
      png_crc_read(png_ptr, (png_bytep)keyword, read_length);
1418
      length -= read_length;
1419

1420
      /* The minimum 'zlib' stream is assumed to be just the 2 byte header,
1421
       * 5 bytes minimum 'deflate' stream, and the 4 byte checksum.
1422
       */
1423
      if (length < 11)
1424
      {
1425
         png_crc_finish(png_ptr, length);
1426
         png_chunk_benign_error(png_ptr, "too short");
1427
         return;
1428
      }
1429

1430
      keyword_length = 0;
1431
      while (keyword_length < 80 && keyword_length < read_length &&
1432
         keyword[keyword_length] != 0)
1433
         ++keyword_length;
1434

1435
      /* TODO: make the keyword checking common */
1436
      if (keyword_length >= 1 && keyword_length <= 79)
1437
      {
1438
         /* We only understand '0' compression - deflate - so if we get a
1439
          * different value we can't safely decode the chunk.
1440
          */
1441
         if (keyword_length+1 < read_length &&
1442
            keyword[keyword_length+1] == PNG_COMPRESSION_TYPE_BASE)
1443
         {
1444
            read_length -= keyword_length+2;
1445

1446
            if (png_inflate_claim(png_ptr, png_iCCP) == Z_OK)
1447
            {
1448
               Byte profile_header[132]={0};
1449
               Byte local_buffer[PNG_INFLATE_BUF_SIZE];
1450
               png_alloc_size_t size = (sizeof profile_header);
1451

1452
               png_ptr->zstream.next_in = (Bytef*)keyword + (keyword_length+2);
1453
               png_ptr->zstream.avail_in = read_length;
1454
               (void)png_inflate_read(png_ptr, local_buffer,
1455
                   (sizeof local_buffer), &length, profile_header, &size,
1456
                   0/*finish: don't, because the output is too small*/);
1457

1458
               if (size == 0)
1459
               {
1460
                  /* We have the ICC profile header; do the basic header checks.
1461
                   */
1462
                  png_uint_32 profile_length = png_get_uint_32(profile_header);
1463

1464
                  if (png_icc_check_length(png_ptr, &png_ptr->colorspace,
1465
                      keyword, profile_length) != 0)
1466
                  {
1467
                     /* The length is apparently ok, so we can check the 132
1468
                      * byte header.
1469
                      */
1470
                     if (png_icc_check_header(png_ptr, &png_ptr->colorspace,
1471
                         keyword, profile_length, profile_header,
1472
                         png_ptr->color_type) != 0)
1473
                     {
1474
                        /* Now read the tag table; a variable size buffer is
1475
                         * needed at this point, allocate one for the whole
1476
                         * profile.  The header check has already validated
1477
                         * that none of this stuff will overflow.
1478
                         */
1479
                        png_uint_32 tag_count =
1480
                           png_get_uint_32(profile_header + 128);
1481
                        png_bytep profile = png_read_buffer(png_ptr,
1482
                            profile_length, 2/*silent*/);
1483

1484
                        if (profile != NULL)
1485
                        {
1486
                           memcpy(profile, profile_header,
1487
                               (sizeof profile_header));
1488

1489
                           size = 12 * tag_count;
1490

1491
                           (void)png_inflate_read(png_ptr, local_buffer,
1492
                               (sizeof local_buffer), &length,
1493
                               profile + (sizeof profile_header), &size, 0);
1494

1495
                           /* Still expect a buffer error because we expect
1496
                            * there to be some tag data!
1497
                            */
1498
                           if (size == 0)
1499
                           {
1500
                              if (png_icc_check_tag_table(png_ptr,
1501
                                  &png_ptr->colorspace, keyword, profile_length,
1502
                                  profile) != 0)
1503
                              {
1504
                                 /* The profile has been validated for basic
1505
                                  * security issues, so read the whole thing in.
1506
                                  */
1507
                                 size = profile_length - (sizeof profile_header)
1508
                                     - 12 * tag_count;
1509

1510
                                 (void)png_inflate_read(png_ptr, local_buffer,
1511
                                     (sizeof local_buffer), &length,
1512
                                     profile + (sizeof profile_header) +
1513
                                     12 * tag_count, &size, 1/*finish*/);
1514

1515
                                 if (length > 0 && !(png_ptr->flags &
1516
                                     PNG_FLAG_BENIGN_ERRORS_WARN))
1517
                                    errmsg = "extra compressed data";
1518

1519
                                 /* But otherwise allow extra data: */
1520
                                 else if (size == 0)
1521
                                 {
1522
                                    if (length > 0)
1523
                                    {
1524
                                       /* This can be handled completely, so
1525
                                        * keep going.
1526
                                        */
1527
                                       png_chunk_warning(png_ptr,
1528
                                           "extra compressed data");
1529
                                    }
1530

1531
                                    png_crc_finish(png_ptr, length);
1532
                                    finished = 1;
1533

1534
# if defined(PNG_sRGB_SUPPORTED) && PNG_sRGB_PROFILE_CHECKS >= 0
1535
                                    /* Check for a match against sRGB */
1536
                                    png_icc_set_sRGB(png_ptr,
1537
                                        &png_ptr->colorspace, profile,
1538
                                        png_ptr->zstream.adler);
1539
# endif
1540

1541
                                    /* Steal the profile for info_ptr. */
1542
                                    if (info_ptr != NULL)
1543
                                    {
1544
                                       png_free_data(png_ptr, info_ptr,
1545
                                           PNG_FREE_ICCP, 0);
1546

1547
                                       info_ptr->iccp_name = png_voidcast(char*,
1548
                                           png_malloc_base(png_ptr,
1549
                                           keyword_length+1));
1550
                                       if (info_ptr->iccp_name != NULL)
1551
                                       {
1552
                                          memcpy(info_ptr->iccp_name, keyword,
1553
                                              keyword_length+1);
1554
                                          info_ptr->iccp_proflen =
1555
                                              profile_length;
1556
                                          info_ptr->iccp_profile = profile;
1557
                                          png_ptr->read_buffer = NULL; /*steal*/
1558
                                          info_ptr->free_me |= PNG_FREE_ICCP;
1559
                                          info_ptr->valid |= PNG_INFO_iCCP;
1560
                                       }
1561

1562
                                       else
1563
                                       {
1564
                                          png_ptr->colorspace.flags |=
1565
                                             PNG_COLORSPACE_INVALID;
1566
                                          errmsg = "out of memory";
1567
                                       }
1568
                                    }
1569

1570
                                    /* else the profile remains in the read
1571
                                     * buffer which gets reused for subsequent
1572
                                     * chunks.
1573
                                     */
1574

1575
                                    if (info_ptr != NULL)
1576
                                       png_colorspace_sync(png_ptr, info_ptr);
1577

1578
                                    if (errmsg == NULL)
1579
                                    {
1580
                                       png_ptr->zowner = 0;
1581
                                       return;
1582
                                    }
1583
                                 }
1584
                                 if (errmsg == NULL)
1585
                                    errmsg = png_ptr->zstream.msg;
1586
                              }
1587
                              /* else png_icc_check_tag_table output an error */
1588
                           }
1589
                           else /* profile truncated */
1590
                              errmsg = png_ptr->zstream.msg;
1591
                        }
1592

1593
                        else
1594
                           errmsg = "out of memory";
1595
                     }
1596

1597
                     /* else png_icc_check_header output an error */
1598
                  }
1599

1600
                  /* else png_icc_check_length output an error */
1601
               }
1602

1603
               else /* profile truncated */
1604
                  errmsg = png_ptr->zstream.msg;
1605

1606
               /* Release the stream */
1607
               png_ptr->zowner = 0;
1608
            }
1609

1610
            else /* png_inflate_claim failed */
1611
               errmsg = png_ptr->zstream.msg;
1612
         }
1613

1614
         else
1615
            errmsg = "bad compression method"; /* or missing */
1616
      }
1617

1618
      else
1619
         errmsg = "bad keyword";
1620
   }
1621

1622
   else
1623
      errmsg = "too many profiles";
1624

1625
   /* Failure: the reason is in 'errmsg' */
1626
   if (finished == 0)
1627
      png_crc_finish(png_ptr, length);
1628

1629
   png_ptr->colorspace.flags |= PNG_COLORSPACE_INVALID;
1630
   png_colorspace_sync(png_ptr, info_ptr);
1631
   if (errmsg != NULL) /* else already output */
1632
      png_chunk_benign_error(png_ptr, errmsg);
1633
}
1634
#endif /* READ_iCCP */
1635

1636
#ifdef PNG_READ_sPLT_SUPPORTED
1637
void /* PRIVATE */
1638
png_handle_sPLT(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
1639
/* Note: this does not properly handle chunks that are > 64K under DOS */
1640
{
1641
   png_bytep entry_start, buffer;
1642
   png_sPLT_t new_palette;
1643
   png_sPLT_entryp pp;
1644
   png_uint_32 data_length;
1645
   int entry_size, i;
1646
   png_uint_32 skip = 0;
1647
   png_uint_32 dl;
1648
   size_t max_dl;
1649

1650
   png_debug(1, "in png_handle_sPLT");
1651

1652
#ifdef PNG_USER_LIMITS_SUPPORTED
1653
   if (png_ptr->user_chunk_cache_max != 0)
1654
   {
1655
      if (png_ptr->user_chunk_cache_max == 1)
1656
      {
1657
         png_crc_finish(png_ptr, length);
1658
         return;
1659
      }
1660

1661
      if (--png_ptr->user_chunk_cache_max == 1)
1662
      {
1663
         png_warning(png_ptr, "No space in chunk cache for sPLT");
1664
         png_crc_finish(png_ptr, length);
1665
         return;
1666
      }
1667
   }
1668
#endif
1669

1670
   if ((png_ptr->mode & PNG_HAVE_IHDR) == 0)
1671
      png_chunk_error(png_ptr, "missing IHDR");
1672

1673
   else if ((png_ptr->mode & PNG_HAVE_IDAT) != 0)
1674
   {
1675
      png_crc_finish(png_ptr, length);
1676
      png_chunk_benign_error(png_ptr, "out of place");
1677
      return;
1678
   }
1679

1680
#ifdef PNG_MAX_MALLOC_64K
1681
   if (length > 65535U)
1682
   {
1683
      png_crc_finish(png_ptr, length);
1684
      png_chunk_benign_error(png_ptr, "too large to fit in memory");
1685
      return;
1686
   }
1687
#endif
1688

1689
   buffer = png_read_buffer(png_ptr, length+1, 2/*silent*/);
1690
   if (buffer == NULL)
1691
   {
1692
      png_crc_finish(png_ptr, length);
1693
      png_chunk_benign_error(png_ptr, "out of memory");
1694
      return;
1695
   }
1696

1697

1698
   /* WARNING: this may break if size_t is less than 32 bits; it is assumed
1699
    * that the PNG_MAX_MALLOC_64K test is enabled in this case, but this is a
1700
    * potential breakage point if the types in pngconf.h aren't exactly right.
1701
    */
1702
   png_crc_read(png_ptr, buffer, length);
1703

1704
   if (png_crc_finish(png_ptr, skip) != 0)
1705
      return;
1706

1707
   buffer[length] = 0;
1708

1709
   for (entry_start = buffer; *entry_start; entry_start++)
1710
      /* Empty loop to find end of name */ ;
1711

1712
   ++entry_start;
1713

1714
   /* A sample depth should follow the separator, and we should be on it  */
1715
   if (length < 2U || entry_start > buffer + (length - 2U))
1716
   {
1717
      png_warning(png_ptr, "malformed sPLT chunk");
1718
      return;
1719
   }
1720

1721
   new_palette.depth = *entry_start++;
1722
   entry_size = (new_palette.depth == 8 ? 6 : 10);
1723
   /* This must fit in a png_uint_32 because it is derived from the original
1724
    * chunk data length.
1725
    */
1726
   data_length = length - (png_uint_32)(entry_start - buffer);
1727

1728
   /* Integrity-check the data length */
1729
   if ((data_length % (unsigned int)entry_size) != 0)
1730
   {
1731
      png_warning(png_ptr, "sPLT chunk has bad length");
1732
      return;
1733
   }
1734

1735
   dl = (png_uint_32)(data_length / (unsigned int)entry_size);
1736
   max_dl = PNG_SIZE_MAX / (sizeof (png_sPLT_entry));
1737

1738
   if (dl > max_dl)
1739
   {
1740
      png_warning(png_ptr, "sPLT chunk too long");
1741
      return;
1742
   }
1743

1744
   new_palette.nentries = (png_int_32)(data_length / (unsigned int)entry_size);
1745

1746
   new_palette.entries = (png_sPLT_entryp)png_malloc_warn(png_ptr,
1747
       (png_alloc_size_t) new_palette.nentries * (sizeof (png_sPLT_entry)));
1748

1749
   if (new_palette.entries == NULL)
1750
   {
1751
      png_warning(png_ptr, "sPLT chunk requires too much memory");
1752
      return;
1753
   }
1754

1755
#ifdef PNG_POINTER_INDEXING_SUPPORTED
1756
   for (i = 0; i < new_palette.nentries; i++)
1757
   {
1758
      pp = new_palette.entries + i;
1759

1760
      if (new_palette.depth == 8)
1761
      {
1762
         pp->red = *entry_start++;
1763
         pp->green = *entry_start++;
1764
         pp->blue = *entry_start++;
1765
         pp->alpha = *entry_start++;
1766
      }
1767

1768
      else
1769
      {
1770
         pp->red   = png_get_uint_16(entry_start); entry_start += 2;
1771
         pp->green = png_get_uint_16(entry_start); entry_start += 2;
1772
         pp->blue  = png_get_uint_16(entry_start); entry_start += 2;
1773
         pp->alpha = png_get_uint_16(entry_start); entry_start += 2;
1774
      }
1775

1776
      pp->frequency = png_get_uint_16(entry_start); entry_start += 2;
1777
   }
1778
#else
1779
   pp = new_palette.entries;
1780

1781
   for (i = 0; i < new_palette.nentries; i++)
1782
   {
1783

1784
      if (new_palette.depth == 8)
1785
      {
1786
         pp[i].red   = *entry_start++;
1787
         pp[i].green = *entry_start++;
1788
         pp[i].blue  = *entry_start++;
1789
         pp[i].alpha = *entry_start++;
1790
      }
1791

1792
      else
1793
      {
1794
         pp[i].red   = png_get_uint_16(entry_start); entry_start += 2;
1795
         pp[i].green = png_get_uint_16(entry_start); entry_start += 2;
1796
         pp[i].blue  = png_get_uint_16(entry_start); entry_start += 2;
1797
         pp[i].alpha = png_get_uint_16(entry_start); entry_start += 2;
1798
      }
1799

1800
      pp[i].frequency = png_get_uint_16(entry_start); entry_start += 2;
1801
   }
1802
#endif
1803

1804
   /* Discard all chunk data except the name and stash that */
1805
   new_palette.name = (png_charp)buffer;
1806

1807
   png_set_sPLT(png_ptr, info_ptr, &new_palette, 1);
1808

1809
   png_free(png_ptr, new_palette.entries);
1810
}
1811
#endif /* READ_sPLT */
1812

1813
#ifdef PNG_READ_tRNS_SUPPORTED
1814
void /* PRIVATE */
1815
png_handle_tRNS(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
1816
{
1817
   png_byte readbuf[PNG_MAX_PALETTE_LENGTH];
1818

1819
   png_debug(1, "in png_handle_tRNS");
1820

1821
   if ((png_ptr->mode & PNG_HAVE_IHDR) == 0)
1822
      png_chunk_error(png_ptr, "missing IHDR");
1823

1824
   else if ((png_ptr->mode & PNG_HAVE_IDAT) != 0)
1825
   {
1826
      png_crc_finish(png_ptr, length);
1827
      png_chunk_benign_error(png_ptr, "out of place");
1828
      return;
1829
   }
1830

1831
   else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_tRNS) != 0)
1832
   {
1833
      png_crc_finish(png_ptr, length);
1834
      png_chunk_benign_error(png_ptr, "duplicate");
1835
      return;
1836
   }
1837

1838
   if (png_ptr->color_type == PNG_COLOR_TYPE_GRAY)
1839
   {
1840
      png_byte buf[2];
1841

1842
      if (length != 2)
1843
      {
1844
         png_crc_finish(png_ptr, length);
1845
         png_chunk_benign_error(png_ptr, "invalid");
1846
         return;
1847
      }
1848

1849
      png_crc_read(png_ptr, buf, 2);
1850
      png_ptr->num_trans = 1;
1851
      png_ptr->trans_color.gray = png_get_uint_16(buf);
1852
   }
1853

1854
   else if (png_ptr->color_type == PNG_COLOR_TYPE_RGB)
1855
   {
1856
      png_byte buf[6];
1857

1858
      if (length != 6)
1859
      {
1860
         png_crc_finish(png_ptr, length);
1861
         png_chunk_benign_error(png_ptr, "invalid");
1862
         return;
1863
      }
1864

1865
      png_crc_read(png_ptr, buf, length);
1866
      png_ptr->num_trans = 1;
1867
      png_ptr->trans_color.red = png_get_uint_16(buf);
1868
      png_ptr->trans_color.green = png_get_uint_16(buf + 2);
1869
      png_ptr->trans_color.blue = png_get_uint_16(buf + 4);
1870
   }
1871

1872
   else if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
1873
   {
1874
      if ((png_ptr->mode & PNG_HAVE_PLTE) == 0)
1875
      {
1876
         /* TODO: is this actually an error in the ISO spec? */
1877
         png_crc_finish(png_ptr, length);
1878
         png_chunk_benign_error(png_ptr, "out of place");
1879
         return;
1880
      }
1881

1882
      if (length > (unsigned int) png_ptr->num_palette ||
1883
         length > (unsigned int) PNG_MAX_PALETTE_LENGTH ||
1884
         length == 0)
1885
      {
1886
         png_crc_finish(png_ptr, length);
1887
         png_chunk_benign_error(png_ptr, "invalid");
1888
         return;
1889
      }
1890

1891
      png_crc_read(png_ptr, readbuf, length);
1892
      png_ptr->num_trans = (png_uint_16)length;
1893
   }
1894

1895
   else
1896
   {
1897
      png_crc_finish(png_ptr, length);
1898
      png_chunk_benign_error(png_ptr, "invalid with alpha channel");
1899
      return;
1900
   }
1901

1902
   if (png_crc_finish(png_ptr, 0) != 0)
1903
   {
1904
      png_ptr->num_trans = 0;
1905
      return;
1906
   }
1907

1908
   /* TODO: this is a horrible side effect in the palette case because the
1909
    * png_struct ends up with a pointer to the tRNS buffer owned by the
1910
    * png_info.  Fix this.
1911
    */
1912
   png_set_tRNS(png_ptr, info_ptr, readbuf, png_ptr->num_trans,
1913
       &(png_ptr->trans_color));
1914
}
1915
#endif
1916

1917
#ifdef PNG_READ_bKGD_SUPPORTED
1918
void /* PRIVATE */
1919
png_handle_bKGD(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
1920
{
1921
   unsigned int truelen;
1922
   png_byte buf[6];
1923
   png_color_16 background;
1924

1925
   png_debug(1, "in png_handle_bKGD");
1926

1927
   if ((png_ptr->mode & PNG_HAVE_IHDR) == 0)
1928
      png_chunk_error(png_ptr, "missing IHDR");
1929

1930
   else if ((png_ptr->mode & PNG_HAVE_IDAT) != 0 ||
1931
       (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE &&
1932
       (png_ptr->mode & PNG_HAVE_PLTE) == 0))
1933
   {
1934
      png_crc_finish(png_ptr, length);
1935
      png_chunk_benign_error(png_ptr, "out of place");
1936
      return;
1937
   }
1938

1939
   else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_bKGD) != 0)
1940
   {
1941
      png_crc_finish(png_ptr, length);
1942
      png_chunk_benign_error(png_ptr, "duplicate");
1943
      return;
1944
   }
1945

1946
   if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
1947
      truelen = 1;
1948

1949
   else if ((png_ptr->color_type & PNG_COLOR_MASK_COLOR) != 0)
1950
      truelen = 6;
1951

1952
   else
1953
      truelen = 2;
1954

1955
   if (length != truelen)
1956
   {
1957
      png_crc_finish(png_ptr, length);
1958
      png_chunk_benign_error(png_ptr, "invalid");
1959
      return;
1960
   }
1961

1962
   png_crc_read(png_ptr, buf, truelen);
1963

1964
   if (png_crc_finish(png_ptr, 0) != 0)
1965
      return;
1966

1967
   /* We convert the index value into RGB components so that we can allow
1968
    * arbitrary RGB values for background when we have transparency, and
1969
    * so it is easy to determine the RGB values of the background color
1970
    * from the info_ptr struct.
1971
    */
1972
   if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
1973
   {
1974
      background.index = buf[0];
1975

1976
      if (info_ptr != NULL && info_ptr->num_palette != 0)
1977
      {
1978
         if (buf[0] >= info_ptr->num_palette)
1979
         {
1980
            png_chunk_benign_error(png_ptr, "invalid index");
1981
            return;
1982
         }
1983

1984
         background.red = (png_uint_16)png_ptr->palette[buf[0]].red;
1985
         background.green = (png_uint_16)png_ptr->palette[buf[0]].green;
1986
         background.blue = (png_uint_16)png_ptr->palette[buf[0]].blue;
1987
      }
1988

1989
      else
1990
         background.red = background.green = background.blue = 0;
1991

1992
      background.gray = 0;
1993
   }
1994

1995
   else if ((png_ptr->color_type & PNG_COLOR_MASK_COLOR) == 0) /* GRAY */
1996
   {
1997
      if (png_ptr->bit_depth <= 8)
1998
      {
1999
         if (buf[0] != 0 || buf[1] >= (unsigned int)(1 << png_ptr->bit_depth))
2000
         {
2001
            png_chunk_benign_error(png_ptr, "invalid gray level");
2002
            return;
2003
         }
2004
      }
2005

2006
      background.index = 0;
2007
      background.red =
2008
      background.green =
2009
      background.blue =
2010
      background.gray = png_get_uint_16(buf);
2011
   }
2012

2013
   else
2014
   {
2015
      if (png_ptr->bit_depth <= 8)
2016
      {
2017
         if (buf[0] != 0 || buf[2] != 0 || buf[4] != 0)
2018
         {
2019
            png_chunk_benign_error(png_ptr, "invalid color");
2020
            return;
2021
         }
2022
      }
2023

2024
      background.index = 0;
2025
      background.red = png_get_uint_16(buf);
2026
      background.green = png_get_uint_16(buf + 2);
2027
      background.blue = png_get_uint_16(buf + 4);
2028
      background.gray = 0;
2029
   }
2030

2031
   png_set_bKGD(png_ptr, info_ptr, &background);
2032
}
2033
#endif
2034

2035
#ifdef PNG_READ_eXIf_SUPPORTED
2036
void /* PRIVATE */
2037
png_handle_eXIf(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
2038
{
2039
   unsigned int i;
2040

2041
   png_debug(1, "in png_handle_eXIf");
2042

2043
   if ((png_ptr->mode & PNG_HAVE_IHDR) == 0)
2044
      png_chunk_error(png_ptr, "missing IHDR");
2045

2046
   if (length < 2)
2047
   {
2048
      png_crc_finish(png_ptr, length);
2049
      png_chunk_benign_error(png_ptr, "too short");
2050
      return;
2051
   }
2052

2053
   else if (info_ptr == NULL || (info_ptr->valid & PNG_INFO_eXIf) != 0)
2054
   {
2055
      png_crc_finish(png_ptr, length);
2056
      png_chunk_benign_error(png_ptr, "duplicate");
2057
      return;
2058
   }
2059

2060
   info_ptr->free_me |= PNG_FREE_EXIF;
2061

2062
   info_ptr->eXIf_buf = png_voidcast(png_bytep,
2063
             png_malloc_warn(png_ptr, length));
2064

2065
   if (info_ptr->eXIf_buf == NULL)
2066
   {
2067
      png_crc_finish(png_ptr, length);
2068
      png_chunk_benign_error(png_ptr, "out of memory");
2069
      return;
2070
   }
2071

2072
   for (i = 0; i < length; i++)
2073
   {
2074
      png_byte buf[1];
2075
      png_crc_read(png_ptr, buf, 1);
2076
      info_ptr->eXIf_buf[i] = buf[0];
2077
      if (i == 1)
2078
      {
2079
         if ((buf[0] != 'M' && buf[0] != 'I') ||
2080
             (info_ptr->eXIf_buf[0] != buf[0]))
2081
         {
2082
            png_crc_finish(png_ptr, length - 2);
2083
            png_chunk_benign_error(png_ptr, "incorrect byte-order specifier");
2084
            png_free(png_ptr, info_ptr->eXIf_buf);
2085
            info_ptr->eXIf_buf = NULL;
2086
            return;
2087
         }
2088
      }
2089
   }
2090

2091
   if (png_crc_finish(png_ptr, 0) == 0)
2092
      png_set_eXIf_1(png_ptr, info_ptr, length, info_ptr->eXIf_buf);
2093

2094
   png_free(png_ptr, info_ptr->eXIf_buf);
2095
   info_ptr->eXIf_buf = NULL;
2096
}
2097
#endif
2098

2099
#ifdef PNG_READ_hIST_SUPPORTED
2100
void /* PRIVATE */
2101
png_handle_hIST(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
2102
{
2103
   unsigned int num, i;
2104
   png_uint_16 readbuf[PNG_MAX_PALETTE_LENGTH];
2105

2106
   png_debug(1, "in png_handle_hIST");
2107

2108
   if ((png_ptr->mode & PNG_HAVE_IHDR) == 0)
2109
      png_chunk_error(png_ptr, "missing IHDR");
2110

2111
   else if ((png_ptr->mode & PNG_HAVE_IDAT) != 0 ||
2112
       (png_ptr->mode & PNG_HAVE_PLTE) == 0)
2113
   {
2114
      png_crc_finish(png_ptr, length);
2115
      png_chunk_benign_error(png_ptr, "out of place");
2116
      return;
2117
   }
2118

2119
   else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_hIST) != 0)
2120
   {
2121
      png_crc_finish(png_ptr, length);
2122
      png_chunk_benign_error(png_ptr, "duplicate");
2123
      return;
2124
   }
2125

2126
   num = length / 2 ;
2127

2128
   if (length != num * 2 ||
2129
       num != (unsigned int)png_ptr->num_palette ||
2130
       num > (unsigned int)PNG_MAX_PALETTE_LENGTH)
2131
   {
2132
      png_crc_finish(png_ptr, length);
2133
      png_chunk_benign_error(png_ptr, "invalid");
2134
      return;
2135
   }
2136

2137
   for (i = 0; i < num; i++)
2138
   {
2139
      png_byte buf[2];
2140

2141
      png_crc_read(png_ptr, buf, 2);
2142
      readbuf[i] = png_get_uint_16(buf);
2143
   }
2144

2145
   if (png_crc_finish(png_ptr, 0) != 0)
2146
      return;
2147

2148
   png_set_hIST(png_ptr, info_ptr, readbuf);
2149
}
2150
#endif
2151

2152
#ifdef PNG_READ_pHYs_SUPPORTED
2153
void /* PRIVATE */
2154
png_handle_pHYs(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
2155
{
2156
   png_byte buf[9];
2157
   png_uint_32 res_x, res_y;
2158
   int unit_type;
2159

2160
   png_debug(1, "in png_handle_pHYs");
2161

2162
   if ((png_ptr->mode & PNG_HAVE_IHDR) == 0)
2163
      png_chunk_error(png_ptr, "missing IHDR");
2164

2165
   else if ((png_ptr->mode & PNG_HAVE_IDAT) != 0)
2166
   {
2167
      png_crc_finish(png_ptr, length);
2168
      png_chunk_benign_error(png_ptr, "out of place");
2169
      return;
2170
   }
2171

2172
   else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_pHYs) != 0)
2173
   {
2174
      png_crc_finish(png_ptr, length);
2175
      png_chunk_benign_error(png_ptr, "duplicate");
2176
      return;
2177
   }
2178

2179
   if (length != 9)
2180
   {
2181
      png_crc_finish(png_ptr, length);
2182
      png_chunk_benign_error(png_ptr, "invalid");
2183
      return;
2184
   }
2185

2186
   png_crc_read(png_ptr, buf, 9);
2187

2188
   if (png_crc_finish(png_ptr, 0) != 0)
2189
      return;
2190

2191
   res_x = png_get_uint_32(buf);
2192
   res_y = png_get_uint_32(buf + 4);
2193
   unit_type = buf[8];
2194
   png_set_pHYs(png_ptr, info_ptr, res_x, res_y, unit_type);
2195
}
2196
#endif
2197

2198
#ifdef PNG_READ_oFFs_SUPPORTED
2199
void /* PRIVATE */
2200
png_handle_oFFs(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
2201
{
2202
   png_byte buf[9];
2203
   png_int_32 offset_x, offset_y;
2204
   int unit_type;
2205

2206
   png_debug(1, "in png_handle_oFFs");
2207

2208
   if ((png_ptr->mode & PNG_HAVE_IHDR) == 0)
2209
      png_chunk_error(png_ptr, "missing IHDR");
2210

2211
   else if ((png_ptr->mode & PNG_HAVE_IDAT) != 0)
2212
   {
2213
      png_crc_finish(png_ptr, length);
2214
      png_chunk_benign_error(png_ptr, "out of place");
2215
      return;
2216
   }
2217

2218
   else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_oFFs) != 0)
2219
   {
2220
      png_crc_finish(png_ptr, length);
2221
      png_chunk_benign_error(png_ptr, "duplicate");
2222
      return;
2223
   }
2224

2225
   if (length != 9)
2226
   {
2227
      png_crc_finish(png_ptr, length);
2228
      png_chunk_benign_error(png_ptr, "invalid");
2229
      return;
2230
   }
2231

2232
   png_crc_read(png_ptr, buf, 9);
2233

2234
   if (png_crc_finish(png_ptr, 0) != 0)
2235
      return;
2236

2237
   offset_x = png_get_int_32(buf);
2238
   offset_y = png_get_int_32(buf + 4);
2239
   unit_type = buf[8];
2240
   png_set_oFFs(png_ptr, info_ptr, offset_x, offset_y, unit_type);
2241
}
2242
#endif
2243

2244
#ifdef PNG_READ_pCAL_SUPPORTED
2245
/* Read the pCAL chunk (described in the PNG Extensions document) */
2246
void /* PRIVATE */
2247
png_handle_pCAL(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
2248
{
2249
   png_int_32 X0, X1;
2250
   png_byte type, nparams;
2251
   png_bytep buffer, buf, units, endptr;
2252
   png_charpp params;
2253
   int i;
2254

2255
   png_debug(1, "in png_handle_pCAL");
2256

2257
   if ((png_ptr->mode & PNG_HAVE_IHDR) == 0)
2258
      png_chunk_error(png_ptr, "missing IHDR");
2259

2260
   else if ((png_ptr->mode & PNG_HAVE_IDAT) != 0)
2261
   {
2262
      png_crc_finish(png_ptr, length);
2263
      png_chunk_benign_error(png_ptr, "out of place");
2264
      return;
2265
   }
2266

2267
   else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_pCAL) != 0)
2268
   {
2269
      png_crc_finish(png_ptr, length);
2270
      png_chunk_benign_error(png_ptr, "duplicate");
2271
      return;
2272
   }
2273

2274
   png_debug1(2, "Allocating and reading pCAL chunk data (%u bytes)",
2275
       length + 1);
2276

2277
   buffer = png_read_buffer(png_ptr, length+1, 2/*silent*/);
2278

2279
   if (buffer == NULL)
2280
   {
2281
      png_crc_finish(png_ptr, length);
2282
      png_chunk_benign_error(png_ptr, "out of memory");
2283
      return;
2284
   }
2285

2286
   png_crc_read(png_ptr, buffer, length);
2287

2288
   if (png_crc_finish(png_ptr, 0) != 0)
2289
      return;
2290

2291
   buffer[length] = 0; /* Null terminate the last string */
2292

2293
   png_debug(3, "Finding end of pCAL purpose string");
2294
   for (buf = buffer; *buf; buf++)
2295
      /* Empty loop */ ;
2296

2297
   endptr = buffer + length;
2298

2299
   /* We need to have at least 12 bytes after the purpose string
2300
    * in order to get the parameter information.
2301
    */
2302
   if (endptr - buf <= 12)
2303
   {
2304
      png_chunk_benign_error(png_ptr, "invalid");
2305
      return;
2306
   }
2307

2308
   png_debug(3, "Reading pCAL X0, X1, type, nparams, and units");
2309
   X0 = png_get_int_32((png_bytep)buf+1);
2310
   X1 = png_get_int_32((png_bytep)buf+5);
2311
   type = buf[9];
2312
   nparams = buf[10];
2313
   units = buf + 11;
2314

2315
   png_debug(3, "Checking pCAL equation type and number of parameters");
2316
   /* Check that we have the right number of parameters for known
2317
    * equation types.
2318
    */
2319
   if ((type == PNG_EQUATION_LINEAR && nparams != 2) ||
2320
       (type == PNG_EQUATION_BASE_E && nparams != 3) ||
2321
       (type == PNG_EQUATION_ARBITRARY && nparams != 3) ||
2322
       (type == PNG_EQUATION_HYPERBOLIC && nparams != 4))
2323
   {
2324
      png_chunk_benign_error(png_ptr, "invalid parameter count");
2325
      return;
2326
   }
2327

2328
   else if (type >= PNG_EQUATION_LAST)
2329
   {
2330
      png_chunk_benign_error(png_ptr, "unrecognized equation type");
2331
   }
2332

2333
   for (buf = units; *buf; buf++)
2334
      /* Empty loop to move past the units string. */ ;
2335

2336
   png_debug(3, "Allocating pCAL parameters array");
2337

2338
   params = png_voidcast(png_charpp, png_malloc_warn(png_ptr,
2339
       nparams * (sizeof (png_charp))));
2340

2341
   if (params == NULL)
2342
   {
2343
      png_chunk_benign_error(png_ptr, "out of memory");
2344
      return;
2345
   }
2346

2347
   /* Get pointers to the start of each parameter string. */
2348
   for (i = 0; i < nparams; i++)
2349
   {
2350
      buf++; /* Skip the null string terminator from previous parameter. */
2351

2352
      png_debug1(3, "Reading pCAL parameter %d", i);
2353

2354
      for (params[i] = (png_charp)buf; buf <= endptr && *buf != 0; buf++)
2355
         /* Empty loop to move past each parameter string */ ;
2356

2357
      /* Make sure we haven't run out of data yet */
2358
      if (buf > endptr)
2359
      {
2360
         png_free(png_ptr, params);
2361
         png_chunk_benign_error(png_ptr, "invalid data");
2362
         return;
2363
      }
2364
   }
2365

2366
   png_set_pCAL(png_ptr, info_ptr, (png_charp)buffer, X0, X1, type, nparams,
2367
       (png_charp)units, params);
2368

2369
   png_free(png_ptr, params);
2370
}
2371
#endif
2372

2373
#ifdef PNG_READ_sCAL_SUPPORTED
2374
/* Read the sCAL chunk */
2375
void /* PRIVATE */
2376
png_handle_sCAL(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
2377
{
2378
   png_bytep buffer;
2379
   size_t i;
2380
   int state;
2381

2382
   png_debug(1, "in png_handle_sCAL");
2383

2384
   if ((png_ptr->mode & PNG_HAVE_IHDR) == 0)
2385
      png_chunk_error(png_ptr, "missing IHDR");
2386

2387
   else if ((png_ptr->mode & PNG_HAVE_IDAT) != 0)
2388
   {
2389
      png_crc_finish(png_ptr, length);
2390
      png_chunk_benign_error(png_ptr, "out of place");
2391
      return;
2392
   }
2393

2394
   else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_sCAL) != 0)
2395
   {
2396
      png_crc_finish(png_ptr, length);
2397
      png_chunk_benign_error(png_ptr, "duplicate");
2398
      return;
2399
   }
2400

2401
   /* Need unit type, width, \0, height: minimum 4 bytes */
2402
   else if (length < 4)
2403
   {
2404
      png_crc_finish(png_ptr, length);
2405
      png_chunk_benign_error(png_ptr, "invalid");
2406
      return;
2407
   }
2408

2409
   png_debug1(2, "Allocating and reading sCAL chunk data (%u bytes)",
2410
       length + 1);
2411

2412
   buffer = png_read_buffer(png_ptr, length+1, 2/*silent*/);
2413

2414
   if (buffer == NULL)
2415
   {
2416
      png_chunk_benign_error(png_ptr, "out of memory");
2417
      png_crc_finish(png_ptr, length);
2418
      return;
2419
   }
2420

2421
   png_crc_read(png_ptr, buffer, length);
2422
   buffer[length] = 0; /* Null terminate the last string */
2423

2424
   if (png_crc_finish(png_ptr, 0) != 0)
2425
      return;
2426

2427
   /* Validate the unit. */
2428
   if (buffer[0] != 1 && buffer[0] != 2)
2429
   {
2430
      png_chunk_benign_error(png_ptr, "invalid unit");
2431
      return;
2432
   }
2433

2434
   /* Validate the ASCII numbers, need two ASCII numbers separated by
2435
    * a '\0' and they need to fit exactly in the chunk data.
2436
    */
2437
   i = 1;
2438
   state = 0;
2439

2440
   if (png_check_fp_number((png_const_charp)buffer, length, &state, &i) == 0 ||
2441
       i >= length || buffer[i++] != 0)
2442
      png_chunk_benign_error(png_ptr, "bad width format");
2443

2444
   else if (PNG_FP_IS_POSITIVE(state) == 0)
2445
      png_chunk_benign_error(png_ptr, "non-positive width");
2446

2447
   else
2448
   {
2449
      size_t heighti = i;
2450

2451
      state = 0;
2452
      if (png_check_fp_number((png_const_charp)buffer, length,
2453
          &state, &i) == 0 || i != length)
2454
         png_chunk_benign_error(png_ptr, "bad height format");
2455

2456
      else if (PNG_FP_IS_POSITIVE(state) == 0)
2457
         png_chunk_benign_error(png_ptr, "non-positive height");
2458

2459
      else
2460
         /* This is the (only) success case. */
2461
         png_set_sCAL_s(png_ptr, info_ptr, buffer[0],
2462
             (png_charp)buffer+1, (png_charp)buffer+heighti);
2463
   }
2464
}
2465
#endif
2466

2467
#ifdef PNG_READ_tIME_SUPPORTED
2468
void /* PRIVATE */
2469
png_handle_tIME(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
2470
{
2471
   png_byte buf[7];
2472
   png_time mod_time;
2473

2474
   png_debug(1, "in png_handle_tIME");
2475

2476
   if ((png_ptr->mode & PNG_HAVE_IHDR) == 0)
2477
      png_chunk_error(png_ptr, "missing IHDR");
2478

2479
   else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_tIME) != 0)
2480
   {
2481
      png_crc_finish(png_ptr, length);
2482
      png_chunk_benign_error(png_ptr, "duplicate");
2483
      return;
2484
   }
2485

2486
   if ((png_ptr->mode & PNG_HAVE_IDAT) != 0)
2487
      png_ptr->mode |= PNG_AFTER_IDAT;
2488

2489
   if (length != 7)
2490
   {
2491
      png_crc_finish(png_ptr, length);
2492
      png_chunk_benign_error(png_ptr, "invalid");
2493
      return;
2494
   }
2495

2496
   png_crc_read(png_ptr, buf, 7);
2497

2498
   if (png_crc_finish(png_ptr, 0) != 0)
2499
      return;
2500

2501
   mod_time.second = buf[6];
2502
   mod_time.minute = buf[5];
2503
   mod_time.hour = buf[4];
2504
   mod_time.day = buf[3];
2505
   mod_time.month = buf[2];
2506
   mod_time.year = png_get_uint_16(buf);
2507

2508
   png_set_tIME(png_ptr, info_ptr, &mod_time);
2509
}
2510
#endif
2511

2512
#ifdef PNG_READ_tEXt_SUPPORTED
2513
/* Note: this does not properly handle chunks that are > 64K under DOS */
2514
void /* PRIVATE */
2515
png_handle_tEXt(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
2516
{
2517
   png_text  text_info;
2518
   png_bytep buffer;
2519
   png_charp key;
2520
   png_charp text;
2521
   png_uint_32 skip = 0;
2522

2523
   png_debug(1, "in png_handle_tEXt");
2524

2525
#ifdef PNG_USER_LIMITS_SUPPORTED
2526
   if (png_ptr->user_chunk_cache_max != 0)
2527
   {
2528
      if (png_ptr->user_chunk_cache_max == 1)
2529
      {
2530
         png_crc_finish(png_ptr, length);
2531
         return;
2532
      }
2533

2534
      if (--png_ptr->user_chunk_cache_max == 1)
2535
      {
2536
         png_crc_finish(png_ptr, length);
2537
         png_chunk_benign_error(png_ptr, "no space in chunk cache");
2538
         return;
2539
      }
2540
   }
2541
#endif
2542

2543
   if ((png_ptr->mode & PNG_HAVE_IHDR) == 0)
2544
      png_chunk_error(png_ptr, "missing IHDR");
2545

2546
   if ((png_ptr->mode & PNG_HAVE_IDAT) != 0)
2547
      png_ptr->mode |= PNG_AFTER_IDAT;
2548

2549
#ifdef PNG_MAX_MALLOC_64K
2550
   if (length > 65535U)
2551
   {
2552
      png_crc_finish(png_ptr, length);
2553
      png_chunk_benign_error(png_ptr, "too large to fit in memory");
2554
      return;
2555
   }
2556
#endif
2557

2558
   buffer = png_read_buffer(png_ptr, length+1, 1/*warn*/);
2559

2560
   if (buffer == NULL)
2561
   {
2562
      png_chunk_benign_error(png_ptr, "out of memory");
2563
      return;
2564
   }
2565

2566
   png_crc_read(png_ptr, buffer, length);
2567

2568
   if (png_crc_finish(png_ptr, skip) != 0)
2569
      return;
2570

2571
   key = (png_charp)buffer;
2572
   key[length] = 0;
2573

2574
   for (text = key; *text; text++)
2575
      /* Empty loop to find end of key */ ;
2576

2577
   if (text != key + length)
2578
      text++;
2579

2580
   text_info.compression = PNG_TEXT_COMPRESSION_NONE;
2581
   text_info.key = key;
2582
   text_info.lang = NULL;
2583
   text_info.lang_key = NULL;
2584
   text_info.itxt_length = 0;
2585
   text_info.text = text;
2586
   text_info.text_length = strlen(text);
2587

2588
   if (png_set_text_2(png_ptr, info_ptr, &text_info, 1) != 0)
2589
      png_warning(png_ptr, "Insufficient memory to process text chunk");
2590
}
2591
#endif
2592

2593
#ifdef PNG_READ_zTXt_SUPPORTED
2594
/* Note: this does not correctly handle chunks that are > 64K under DOS */
2595
void /* PRIVATE */
2596
png_handle_zTXt(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
2597
{
2598
   png_const_charp errmsg = NULL;
2599
   png_bytep       buffer;
2600
   png_uint_32     keyword_length;
2601

2602
   png_debug(1, "in png_handle_zTXt");
2603

2604
#ifdef PNG_USER_LIMITS_SUPPORTED
2605
   if (png_ptr->user_chunk_cache_max != 0)
2606
   {
2607
      if (png_ptr->user_chunk_cache_max == 1)
2608
      {
2609
         png_crc_finish(png_ptr, length);
2610
         return;
2611
      }
2612

2613
      if (--png_ptr->user_chunk_cache_max == 1)
2614
      {
2615
         png_crc_finish(png_ptr, length);
2616
         png_chunk_benign_error(png_ptr, "no space in chunk cache");
2617
         return;
2618
      }
2619
   }
2620
#endif
2621

2622
   if ((png_ptr->mode & PNG_HAVE_IHDR) == 0)
2623
      png_chunk_error(png_ptr, "missing IHDR");
2624

2625
   if ((png_ptr->mode & PNG_HAVE_IDAT) != 0)
2626
      png_ptr->mode |= PNG_AFTER_IDAT;
2627

2628
   /* Note, "length" is sufficient here; we won't be adding
2629
    * a null terminator later.
2630
    */
2631
   buffer = png_read_buffer(png_ptr, length, 2/*silent*/);
2632

2633
   if (buffer == NULL)
2634
   {
2635
      png_crc_finish(png_ptr, length);
2636
      png_chunk_benign_error(png_ptr, "out of memory");
2637
      return;
2638
   }
2639

2640
   png_crc_read(png_ptr, buffer, length);
2641

2642
   if (png_crc_finish(png_ptr, 0) != 0)
2643
      return;
2644

2645
   /* TODO: also check that the keyword contents match the spec! */
2646
   for (keyword_length = 0;
2647
      keyword_length < length && buffer[keyword_length] != 0;
2648
      ++keyword_length)
2649
      /* Empty loop to find end of name */ ;
2650

2651
   if (keyword_length > 79 || keyword_length < 1)
2652
      errmsg = "bad keyword";
2653

2654
   /* zTXt must have some LZ data after the keyword, although it may expand to
2655
    * zero bytes; we need a '\0' at the end of the keyword, the compression type
2656
    * then the LZ data:
2657
    */
2658
   else if (keyword_length + 3 > length)
2659
      errmsg = "truncated";
2660

2661
   else if (buffer[keyword_length+1] != PNG_COMPRESSION_TYPE_BASE)
2662
      errmsg = "unknown compression type";
2663

2664
   else
2665
   {
2666
      png_alloc_size_t uncompressed_length = PNG_SIZE_MAX;
2667

2668
      /* TODO: at present png_decompress_chunk imposes a single application
2669
       * level memory limit, this should be split to different values for iCCP
2670
       * and text chunks.
2671
       */
2672
      if (png_decompress_chunk(png_ptr, length, keyword_length+2,
2673
          &uncompressed_length, 1/*terminate*/) == Z_STREAM_END)
2674
      {
2675
         png_text text;
2676

2677
         if (png_ptr->read_buffer == NULL)
2678
           errmsg="Read failure in png_handle_zTXt";
2679
         else
2680
         {
2681
            /* It worked; png_ptr->read_buffer now looks like a tEXt chunk
2682
             * except for the extra compression type byte and the fact that
2683
             * it isn't necessarily '\0' terminated.
2684
             */
2685
            buffer = png_ptr->read_buffer;
2686
            buffer[uncompressed_length+(keyword_length+2)] = 0;
2687

2688
            text.compression = PNG_TEXT_COMPRESSION_zTXt;
2689
            text.key = (png_charp)buffer;
2690
            text.text = (png_charp)(buffer + keyword_length+2);
2691
            text.text_length = uncompressed_length;
2692
            text.itxt_length = 0;
2693
            text.lang = NULL;
2694
            text.lang_key = NULL;
2695

2696
            if (png_set_text_2(png_ptr, info_ptr, &text, 1) != 0)
2697
               errmsg = "insufficient memory";
2698
         }
2699
      }
2700

2701
      else
2702
         errmsg = png_ptr->zstream.msg;
2703
   }
2704

2705
   if (errmsg != NULL)
2706
      png_chunk_benign_error(png_ptr, errmsg);
2707
}
2708
#endif
2709

2710
#ifdef PNG_READ_iTXt_SUPPORTED
2711
/* Note: this does not correctly handle chunks that are > 64K under DOS */
2712
void /* PRIVATE */
2713
png_handle_iTXt(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
2714
{
2715
   png_const_charp errmsg = NULL;
2716
   png_bytep buffer;
2717
   png_uint_32 prefix_length;
2718

2719
   png_debug(1, "in png_handle_iTXt");
2720

2721
#ifdef PNG_USER_LIMITS_SUPPORTED
2722
   if (png_ptr->user_chunk_cache_max != 0)
2723
   {
2724
      if (png_ptr->user_chunk_cache_max == 1)
2725
      {
2726
         png_crc_finish(png_ptr, length);
2727
         return;
2728
      }
2729

2730
      if (--png_ptr->user_chunk_cache_max == 1)
2731
      {
2732
         png_crc_finish(png_ptr, length);
2733
         png_chunk_benign_error(png_ptr, "no space in chunk cache");
2734
         return;
2735
      }
2736
   }
2737
#endif
2738

2739
   if ((png_ptr->mode & PNG_HAVE_IHDR) == 0)
2740
      png_chunk_error(png_ptr, "missing IHDR");
2741

2742
   if ((png_ptr->mode & PNG_HAVE_IDAT) != 0)
2743
      png_ptr->mode |= PNG_AFTER_IDAT;
2744

2745
   buffer = png_read_buffer(png_ptr, length+1, 1/*warn*/);
2746

2747
   if (buffer == NULL)
2748
   {
2749
      png_crc_finish(png_ptr, length);
2750
      png_chunk_benign_error(png_ptr, "out of memory");
2751
      return;
2752
   }
2753

2754
   png_crc_read(png_ptr, buffer, length);
2755

2756
   if (png_crc_finish(png_ptr, 0) != 0)
2757
      return;
2758

2759
   /* First the keyword. */
2760
   for (prefix_length=0;
2761
      prefix_length < length && buffer[prefix_length] != 0;
2762
      ++prefix_length)
2763
      /* Empty loop */ ;
2764

2765
   /* Perform a basic check on the keyword length here. */
2766
   if (prefix_length > 79 || prefix_length < 1)
2767
      errmsg = "bad keyword";
2768

2769
   /* Expect keyword, compression flag, compression type, language, translated
2770
    * keyword (both may be empty but are 0 terminated) then the text, which may
2771
    * be empty.
2772
    */
2773
   else if (prefix_length + 5 > length)
2774
      errmsg = "truncated";
2775

2776
   else if (buffer[prefix_length+1] == 0 ||
2777
      (buffer[prefix_length+1] == 1 &&
2778
      buffer[prefix_length+2] == PNG_COMPRESSION_TYPE_BASE))
2779
   {
2780
      int compressed = buffer[prefix_length+1] != 0;
2781
      png_uint_32 language_offset, translated_keyword_offset;
2782
      png_alloc_size_t uncompressed_length = 0;
2783

2784
      /* Now the language tag */
2785
      prefix_length += 3;
2786
      language_offset = prefix_length;
2787

2788
      for (; prefix_length < length && buffer[prefix_length] != 0;
2789
         ++prefix_length)
2790
         /* Empty loop */ ;
2791

2792
      /* WARNING: the length may be invalid here, this is checked below. */
2793
      translated_keyword_offset = ++prefix_length;
2794

2795
      for (; prefix_length < length && buffer[prefix_length] != 0;
2796
         ++prefix_length)
2797
         /* Empty loop */ ;
2798

2799
      /* prefix_length should now be at the trailing '\0' of the translated
2800
       * keyword, but it may already be over the end.  None of this arithmetic
2801
       * can overflow because chunks are at most 2^31 bytes long, but on 16-bit
2802
       * systems the available allocation may overflow.
2803
       */
2804
      ++prefix_length;
2805

2806
      if (compressed == 0 && prefix_length <= length)
2807
         uncompressed_length = length - prefix_length;
2808

2809
      else if (compressed != 0 && prefix_length < length)
2810
      {
2811
         uncompressed_length = PNG_SIZE_MAX;
2812

2813
         /* TODO: at present png_decompress_chunk imposes a single application
2814
          * level memory limit, this should be split to different values for
2815
          * iCCP and text chunks.
2816
          */
2817
         if (png_decompress_chunk(png_ptr, length, prefix_length,
2818
             &uncompressed_length, 1/*terminate*/) == Z_STREAM_END)
2819
            buffer = png_ptr->read_buffer;
2820

2821
         else
2822
            errmsg = png_ptr->zstream.msg;
2823
      }
2824

2825
      else
2826
         errmsg = "truncated";
2827

2828
      if (errmsg == NULL)
2829
      {
2830
         png_text text;
2831

2832
         buffer[uncompressed_length+prefix_length] = 0;
2833

2834
         if (compressed == 0)
2835
            text.compression = PNG_ITXT_COMPRESSION_NONE;
2836

2837
         else
2838
            text.compression = PNG_ITXT_COMPRESSION_zTXt;
2839

2840
         text.key = (png_charp)buffer;
2841
         text.lang = (png_charp)buffer + language_offset;
2842
         text.lang_key = (png_charp)buffer + translated_keyword_offset;
2843
         text.text = (png_charp)buffer + prefix_length;
2844
         text.text_length = 0;
2845
         text.itxt_length = uncompressed_length;
2846

2847
         if (png_set_text_2(png_ptr, info_ptr, &text, 1) != 0)
2848
            errmsg = "insufficient memory";
2849
      }
2850
   }
2851

2852
   else
2853
      errmsg = "bad compression info";
2854

2855
   if (errmsg != NULL)
2856
      png_chunk_benign_error(png_ptr, errmsg);
2857
}
2858
#endif
2859

2860
#ifdef PNG_READ_UNKNOWN_CHUNKS_SUPPORTED
2861
/* Utility function for png_handle_unknown; set up png_ptr::unknown_chunk */
2862
static int
2863
png_cache_unknown_chunk(png_structrp png_ptr, png_uint_32 length)
2864
{
2865
   png_alloc_size_t limit = PNG_SIZE_MAX;
2866

2867
   if (png_ptr->unknown_chunk.data != NULL)
2868
   {
2869
      png_free(png_ptr, png_ptr->unknown_chunk.data);
2870
      png_ptr->unknown_chunk.data = NULL;
2871
   }
2872

2873
#  ifdef PNG_SET_USER_LIMITS_SUPPORTED
2874
   if (png_ptr->user_chunk_malloc_max > 0 &&
2875
       png_ptr->user_chunk_malloc_max < limit)
2876
      limit = png_ptr->user_chunk_malloc_max;
2877

2878
#  elif PNG_USER_CHUNK_MALLOC_MAX > 0
2879
   if (PNG_USER_CHUNK_MALLOC_MAX < limit)
2880
      limit = PNG_USER_CHUNK_MALLOC_MAX;
2881
#  endif
2882

2883
   if (length <= limit)
2884
   {
2885
      PNG_CSTRING_FROM_CHUNK(png_ptr->unknown_chunk.name, png_ptr->chunk_name);
2886
      /* The following is safe because of the PNG_SIZE_MAX init above */
2887
      png_ptr->unknown_chunk.size = (size_t)length/*SAFE*/;
2888
      /* 'mode' is a flag array, only the bottom four bits matter here */
2889
      png_ptr->unknown_chunk.location = (png_byte)png_ptr->mode/*SAFE*/;
2890

2891
      if (length == 0)
2892
         png_ptr->unknown_chunk.data = NULL;
2893

2894
      else
2895
      {
2896
         /* Do a 'warn' here - it is handled below. */
2897
         png_ptr->unknown_chunk.data = png_voidcast(png_bytep,
2898
             png_malloc_warn(png_ptr, length));
2899
      }
2900
   }
2901

2902
   if (png_ptr->unknown_chunk.data == NULL && length > 0)
2903
   {
2904
      /* This is benign because we clean up correctly */
2905
      png_crc_finish(png_ptr, length);
2906
      png_chunk_benign_error(png_ptr, "unknown chunk exceeds memory limits");
2907
      return 0;
2908
   }
2909

2910
   else
2911
   {
2912
      if (length > 0)
2913
         png_crc_read(png_ptr, png_ptr->unknown_chunk.data, length);
2914
      png_crc_finish(png_ptr, 0);
2915
      return 1;
2916
   }
2917
}
2918
#endif /* READ_UNKNOWN_CHUNKS */
2919

2920
/* Handle an unknown, or known but disabled, chunk */
2921
void /* PRIVATE */
2922
png_handle_unknown(png_structrp png_ptr, png_inforp info_ptr,
2923
    png_uint_32 length, int keep)
2924
{
2925
   int handled = 0; /* the chunk was handled */
2926

2927
   png_debug(1, "in png_handle_unknown");
2928

2929
#ifdef PNG_READ_UNKNOWN_CHUNKS_SUPPORTED
2930
   /* NOTE: this code is based on the code in libpng-1.4.12 except for fixing
2931
    * the bug which meant that setting a non-default behavior for a specific
2932
    * chunk would be ignored (the default was always used unless a user
2933
    * callback was installed).
2934
    *
2935
    * 'keep' is the value from the png_chunk_unknown_handling, the setting for
2936
    * this specific chunk_name, if PNG_HANDLE_AS_UNKNOWN_SUPPORTED, if not it
2937
    * will always be PNG_HANDLE_CHUNK_AS_DEFAULT and it needs to be set here.
2938
    * This is just an optimization to avoid multiple calls to the lookup
2939
    * function.
2940
    */
2941
#  ifndef PNG_HANDLE_AS_UNKNOWN_SUPPORTED
2942
#     ifdef PNG_SET_UNKNOWN_CHUNKS_SUPPORTED
2943
   keep = png_chunk_unknown_handling(png_ptr, png_ptr->chunk_name);
2944
#     endif
2945
#  endif
2946

2947
   /* One of the following methods will read the chunk or skip it (at least one
2948
    * of these is always defined because this is the only way to switch on
2949
    * PNG_READ_UNKNOWN_CHUNKS_SUPPORTED)
2950
    */
2951
#  ifdef PNG_READ_USER_CHUNKS_SUPPORTED
2952
   /* The user callback takes precedence over the chunk keep value, but the
2953
    * keep value is still required to validate a save of a critical chunk.
2954
    */
2955
   if (png_ptr->read_user_chunk_fn != NULL)
2956
   {
2957
      if (png_cache_unknown_chunk(png_ptr, length) != 0)
2958
      {
2959
         /* Callback to user unknown chunk handler */
2960
         int ret = (*(png_ptr->read_user_chunk_fn))(png_ptr,
2961
             &png_ptr->unknown_chunk);
2962

2963
         /* ret is:
2964
          * negative: An error occurred; png_chunk_error will be called.
2965
          *     zero: The chunk was not handled, the chunk will be discarded
2966
          *           unless png_set_keep_unknown_chunks has been used to set
2967
          *           a 'keep' behavior for this particular chunk, in which
2968
          *           case that will be used.  A critical chunk will cause an
2969
          *           error at this point unless it is to be saved.
2970
          * positive: The chunk was handled, libpng will ignore/discard it.
2971
          */
2972
         if (ret < 0)
2973
            png_chunk_error(png_ptr, "error in user chunk");
2974

2975
         else if (ret == 0)
2976
         {
2977
            /* If the keep value is 'default' or 'never' override it, but
2978
             * still error out on critical chunks unless the keep value is
2979
             * 'always'  While this is weird it is the behavior in 1.4.12.
2980
             * A possible improvement would be to obey the value set for the
2981
             * chunk, but this would be an API change that would probably
2982
             * damage some applications.
2983
             *
2984
             * The png_app_warning below catches the case that matters, where
2985
             * the application has not set specific save or ignore for this
2986
             * chunk or global save or ignore.
2987
             */
2988
            if (keep < PNG_HANDLE_CHUNK_IF_SAFE)
2989
            {
2990
#              ifdef PNG_SET_UNKNOWN_CHUNKS_SUPPORTED
2991
               if (png_ptr->unknown_default < PNG_HANDLE_CHUNK_IF_SAFE)
2992
               {
2993
                  png_chunk_warning(png_ptr, "Saving unknown chunk:");
2994
                  png_app_warning(png_ptr,
2995
                      "forcing save of an unhandled chunk;"
2996
                      " please call png_set_keep_unknown_chunks");
2997
                      /* with keep = PNG_HANDLE_CHUNK_IF_SAFE */
2998
               }
2999
#              endif
3000
               keep = PNG_HANDLE_CHUNK_IF_SAFE;
3001
            }
3002
         }
3003

3004
         else /* chunk was handled */
3005
         {
3006
            handled = 1;
3007
            /* Critical chunks can be safely discarded at this point. */
3008
            keep = PNG_HANDLE_CHUNK_NEVER;
3009
         }
3010
      }
3011

3012
      else
3013
         keep = PNG_HANDLE_CHUNK_NEVER; /* insufficient memory */
3014
   }
3015

3016
   else
3017
   /* Use the SAVE_UNKNOWN_CHUNKS code or skip the chunk */
3018
#  endif /* READ_USER_CHUNKS */
3019

3020
#  ifdef PNG_SAVE_UNKNOWN_CHUNKS_SUPPORTED
3021
   {
3022
      /* keep is currently just the per-chunk setting, if there was no
3023
       * setting change it to the global default now (not that this may
3024
       * still be AS_DEFAULT) then obtain the cache of the chunk if required,
3025
       * if not simply skip the chunk.
3026
       */
3027
      if (keep == PNG_HANDLE_CHUNK_AS_DEFAULT)
3028
         keep = png_ptr->unknown_default;
3029

3030
      if (keep == PNG_HANDLE_CHUNK_ALWAYS ||
3031
         (keep == PNG_HANDLE_CHUNK_IF_SAFE &&
3032
          PNG_CHUNK_ANCILLARY(png_ptr->chunk_name)))
3033
      {
3034
         if (png_cache_unknown_chunk(png_ptr, length) == 0)
3035
            keep = PNG_HANDLE_CHUNK_NEVER;
3036
      }
3037

3038
      else
3039
         png_crc_finish(png_ptr, length);
3040
   }
3041
#  else
3042
#     ifndef PNG_READ_USER_CHUNKS_SUPPORTED
3043
#        error no method to support READ_UNKNOWN_CHUNKS
3044
#     endif
3045

3046
   {
3047
      /* If here there is no read callback pointer set and no support is
3048
       * compiled in to just save the unknown chunks, so simply skip this
3049
       * chunk.  If 'keep' is something other than AS_DEFAULT or NEVER then
3050
       * the app has erroneously asked for unknown chunk saving when there
3051
       * is no support.
3052
       */
3053
      if (keep > PNG_HANDLE_CHUNK_NEVER)
3054
         png_app_error(png_ptr, "no unknown chunk support available");
3055

3056
      png_crc_finish(png_ptr, length);
3057
   }
3058
#  endif
3059

3060
#  ifdef PNG_STORE_UNKNOWN_CHUNKS_SUPPORTED
3061
   /* Now store the chunk in the chunk list if appropriate, and if the limits
3062
    * permit it.
3063
    */
3064
   if (keep == PNG_HANDLE_CHUNK_ALWAYS ||
3065
      (keep == PNG_HANDLE_CHUNK_IF_SAFE &&
3066
       PNG_CHUNK_ANCILLARY(png_ptr->chunk_name)))
3067
   {
3068
#     ifdef PNG_USER_LIMITS_SUPPORTED
3069
      switch (png_ptr->user_chunk_cache_max)
3070
      {
3071
         case 2:
3072
            png_ptr->user_chunk_cache_max = 1;
3073
            png_chunk_benign_error(png_ptr, "no space in chunk cache");
3074
            /* FALLTHROUGH */
3075
         case 1:
3076
            /* NOTE: prior to 1.6.0 this case resulted in an unknown critical
3077
             * chunk being skipped, now there will be a hard error below.
3078
             */
3079
            break;
3080

3081
         default: /* not at limit */
3082
            --(png_ptr->user_chunk_cache_max);
3083
            /* FALLTHROUGH */
3084
         case 0: /* no limit */
3085
#  endif /* USER_LIMITS */
3086
            /* Here when the limit isn't reached or when limits are compiled
3087
             * out; store the chunk.
3088
             */
3089
            png_set_unknown_chunks(png_ptr, info_ptr,
3090
                &png_ptr->unknown_chunk, 1);
3091
            handled = 1;
3092
#  ifdef PNG_USER_LIMITS_SUPPORTED
3093
            break;
3094
      }
3095
#  endif
3096
   }
3097
#  else /* no store support: the chunk must be handled by the user callback */
3098
   PNG_UNUSED(info_ptr)
3099
#  endif
3100

3101
   /* Regardless of the error handling below the cached data (if any) can be
3102
    * freed now.  Notice that the data is not freed if there is a png_error, but
3103
    * it will be freed by destroy_read_struct.
3104
    */
3105
   if (png_ptr->unknown_chunk.data != NULL)
3106
      png_free(png_ptr, png_ptr->unknown_chunk.data);
3107
   png_ptr->unknown_chunk.data = NULL;
3108

3109
#else /* !PNG_READ_UNKNOWN_CHUNKS_SUPPORTED */
3110
   /* There is no support to read an unknown chunk, so just skip it. */
3111
   png_crc_finish(png_ptr, length);
3112
   PNG_UNUSED(info_ptr)
3113
   PNG_UNUSED(keep)
3114
#endif /* !READ_UNKNOWN_CHUNKS */
3115

3116
   /* Check for unhandled critical chunks */
3117
   if (handled == 0 && PNG_CHUNK_CRITICAL(png_ptr->chunk_name))
3118
      png_chunk_error(png_ptr, "unhandled critical chunk");
3119
}
3120

3121
/* This function is called to verify that a chunk name is valid.
3122
 * This function can't have the "critical chunk check" incorporated
3123
 * into it, since in the future we will need to be able to call user
3124
 * functions to handle unknown critical chunks after we check that
3125
 * the chunk name itself is valid.
3126
 */
3127

3128
/* Bit hacking: the test for an invalid byte in the 4 byte chunk name is:
3129
 *
3130
 * ((c) < 65 || (c) > 122 || ((c) > 90 && (c) < 97))
3131
 */
3132

3133
void /* PRIVATE */
3134
png_check_chunk_name(png_const_structrp png_ptr, png_uint_32 chunk_name)
3135
{
3136
   int i;
3137
   png_uint_32 cn=chunk_name;
3138

3139
   png_debug(1, "in png_check_chunk_name");
3140

3141
   for (i=1; i<=4; ++i)
3142
   {
3143
      int c = cn & 0xff;
3144

3145
      if (c < 65 || c > 122 || (c > 90 && c < 97))
3146
         png_chunk_error(png_ptr, "invalid chunk type");
3147

3148
      cn >>= 8;
3149
   }
3150
}
3151

3152
void /* PRIVATE */
3153
png_check_chunk_length(png_const_structrp png_ptr, png_uint_32 length)
3154
{
3155
   png_alloc_size_t limit = PNG_UINT_31_MAX;
3156

3157
# ifdef PNG_SET_USER_LIMITS_SUPPORTED
3158
   if (png_ptr->user_chunk_malloc_max > 0 &&
3159
       png_ptr->user_chunk_malloc_max < limit)
3160
      limit = png_ptr->user_chunk_malloc_max;
3161
# elif PNG_USER_CHUNK_MALLOC_MAX > 0
3162
   if (PNG_USER_CHUNK_MALLOC_MAX < limit)
3163
      limit = PNG_USER_CHUNK_MALLOC_MAX;
3164
# endif
3165
   if (png_ptr->chunk_name == png_IDAT)
3166
   {
3167
      png_alloc_size_t idat_limit = PNG_UINT_31_MAX;
3168
      size_t row_factor =
3169
         (size_t)png_ptr->width
3170
         * (size_t)png_ptr->channels
3171
         * (png_ptr->bit_depth > 8? 2: 1)
3172
         + 1
3173
         + (png_ptr->interlaced? 6: 0);
3174
      if (png_ptr->height > PNG_UINT_32_MAX/row_factor)
3175
         idat_limit = PNG_UINT_31_MAX;
3176
      else
3177
         idat_limit = png_ptr->height * row_factor;
3178
      row_factor = row_factor > 32566? 32566 : row_factor;
3179
      idat_limit += 6 + 5*(idat_limit/row_factor+1); /* zlib+deflate overhead */
3180
      idat_limit=idat_limit < PNG_UINT_31_MAX? idat_limit : PNG_UINT_31_MAX;
3181
      limit = limit < idat_limit? idat_limit : limit;
3182
   }
3183

3184
   if (length > limit)
3185
   {
3186
      png_debug2(0," length = %lu, limit = %lu",
3187
         (unsigned long)length,(unsigned long)limit);
3188
      png_benign_error(png_ptr, "chunk data is too large");
3189
   }
3190
}
3191

3192
/* Combines the row recently read in with the existing pixels in the row.  This
3193
 * routine takes care of alpha and transparency if requested.  This routine also
3194
 * handles the two methods of progressive display of interlaced images,
3195
 * depending on the 'display' value; if 'display' is true then the whole row
3196
 * (dp) is filled from the start by replicating the available pixels.  If
3197
 * 'display' is false only those pixels present in the pass are filled in.
3198
 */
3199
void /* PRIVATE */
3200
png_combine_row(png_const_structrp png_ptr, png_bytep dp, int display)
3201
{
3202
   unsigned int pixel_depth = png_ptr->transformed_pixel_depth;
3203
   png_const_bytep sp = png_ptr->row_buf + 1;
3204
   png_alloc_size_t row_width = png_ptr->width;
3205
   unsigned int pass = png_ptr->pass;
3206
   png_bytep end_ptr = 0;
3207
   png_byte end_byte = 0;
3208
   unsigned int end_mask;
3209

3210
   png_debug(1, "in png_combine_row");
3211

3212
   /* Added in 1.5.6: it should not be possible to enter this routine until at
3213
    * least one row has been read from the PNG data and transformed.
3214
    */
3215
   if (pixel_depth == 0)
3216
      png_error(png_ptr, "internal row logic error");
3217

3218
   /* Added in 1.5.4: the pixel depth should match the information returned by
3219
    * any call to png_read_update_info at this point.  Do not continue if we got
3220
    * this wrong.
3221
    */
3222
   if (png_ptr->info_rowbytes != 0 && png_ptr->info_rowbytes !=
3223
          PNG_ROWBYTES(pixel_depth, row_width))
3224
      png_error(png_ptr, "internal row size calculation error");
3225

3226
   /* Don't expect this to ever happen: */
3227
   if (row_width == 0)
3228
      png_error(png_ptr, "internal row width error");
3229

3230
   /* Preserve the last byte in cases where only part of it will be overwritten,
3231
    * the multiply below may overflow, we don't care because ANSI-C guarantees
3232
    * we get the low bits.
3233
    */
3234
   end_mask = (pixel_depth * row_width) & 7;
3235
   if (end_mask != 0)
3236
   {
3237
      /* end_ptr == NULL is a flag to say do nothing */
3238
      end_ptr = dp + PNG_ROWBYTES(pixel_depth, row_width) - 1;
3239
      end_byte = *end_ptr;
3240
#     ifdef PNG_READ_PACKSWAP_SUPPORTED
3241
      if ((png_ptr->transformations & PNG_PACKSWAP) != 0)
3242
         /* little-endian byte */
3243
         end_mask = (unsigned int)(0xff << end_mask);
3244

3245
      else /* big-endian byte */
3246
#     endif
3247
      end_mask = 0xff >> end_mask;
3248
      /* end_mask is now the bits to *keep* from the destination row */
3249
   }
3250

3251
   /* For non-interlaced images this reduces to a memcpy(). A memcpy()
3252
    * will also happen if interlacing isn't supported or if the application
3253
    * does not call png_set_interlace_handling().  In the latter cases the
3254
    * caller just gets a sequence of the unexpanded rows from each interlace
3255
    * pass.
3256
    */
3257
#ifdef PNG_READ_INTERLACING_SUPPORTED
3258
   if (png_ptr->interlaced != 0 &&
3259
       (png_ptr->transformations & PNG_INTERLACE) != 0 &&
3260
       pass < 6 && (display == 0 ||
3261
       /* The following copies everything for 'display' on passes 0, 2 and 4. */
3262
       (display == 1 && (pass & 1) != 0)))
3263
   {
3264
      /* Narrow images may have no bits in a pass; the caller should handle
3265
       * this, but this test is cheap:
3266
       */
3267
      if (row_width <= PNG_PASS_START_COL(pass))
3268
         return;
3269

3270
      if (pixel_depth < 8)
3271
      {
3272
         /* For pixel depths up to 4 bpp the 8-pixel mask can be expanded to fit
3273
          * into 32 bits, then a single loop over the bytes using the four byte
3274
          * values in the 32-bit mask can be used.  For the 'display' option the
3275
          * expanded mask may also not require any masking within a byte.  To
3276
          * make this work the PACKSWAP option must be taken into account - it
3277
          * simply requires the pixels to be reversed in each byte.
3278
          *
3279
          * The 'regular' case requires a mask for each of the first 6 passes,
3280
          * the 'display' case does a copy for the even passes in the range
3281
          * 0..6.  This has already been handled in the test above.
3282
          *
3283
          * The masks are arranged as four bytes with the first byte to use in
3284
          * the lowest bits (little-endian) regardless of the order (PACKSWAP or
3285
          * not) of the pixels in each byte.
3286
          *
3287
          * NOTE: the whole of this logic depends on the caller of this function
3288
          * only calling it on rows appropriate to the pass.  This function only
3289
          * understands the 'x' logic; the 'y' logic is handled by the caller.
3290
          *
3291
          * The following defines allow generation of compile time constant bit
3292
          * masks for each pixel depth and each possibility of swapped or not
3293
          * swapped bytes.  Pass 'p' is in the range 0..6; 'x', a pixel index,
3294
          * is in the range 0..7; and the result is 1 if the pixel is to be
3295
          * copied in the pass, 0 if not.  'S' is for the sparkle method, 'B'
3296
          * for the block method.
3297
          *
3298
          * With some compilers a compile time expression of the general form:
3299
          *
3300
          *    (shift >= 32) ? (a >> (shift-32)) : (b >> shift)
3301
          *
3302
          * Produces warnings with values of 'shift' in the range 33 to 63
3303
          * because the right hand side of the ?: expression is evaluated by
3304
          * the compiler even though it isn't used.  Microsoft Visual C (various
3305
          * versions) and the Intel C compiler are known to do this.  To avoid
3306
          * this the following macros are used in 1.5.6.  This is a temporary
3307
          * solution to avoid destabilizing the code during the release process.
3308
          */
3309
#        if PNG_USE_COMPILE_TIME_MASKS
3310
#           define PNG_LSR(x,s) ((x)>>((s) & 0x1f))
3311
#           define PNG_LSL(x,s) ((x)<<((s) & 0x1f))
3312
#        else
3313
#           define PNG_LSR(x,s) ((x)>>(s))
3314
#           define PNG_LSL(x,s) ((x)<<(s))
3315
#        endif
3316
#        define S_COPY(p,x) (((p)<4 ? PNG_LSR(0x80088822,(3-(p))*8+(7-(x))) :\
3317
           PNG_LSR(0xaa55ff00,(7-(p))*8+(7-(x)))) & 1)
3318
#        define B_COPY(p,x) (((p)<4 ? PNG_LSR(0xff0fff33,(3-(p))*8+(7-(x))) :\
3319
           PNG_LSR(0xff55ff00,(7-(p))*8+(7-(x)))) & 1)
3320

3321
         /* Return a mask for pass 'p' pixel 'x' at depth 'd'.  The mask is
3322
          * little endian - the first pixel is at bit 0 - however the extra
3323
          * parameter 's' can be set to cause the mask position to be swapped
3324
          * within each byte, to match the PNG format.  This is done by XOR of
3325
          * the shift with 7, 6 or 4 for bit depths 1, 2 and 4.
3326
          */
3327
#        define PIXEL_MASK(p,x,d,s) \
3328
            (PNG_LSL(((PNG_LSL(1U,(d)))-1),(((x)*(d))^((s)?8-(d):0))))
3329

3330
         /* Hence generate the appropriate 'block' or 'sparkle' pixel copy mask.
3331
          */
3332
#        define S_MASKx(p,x,d,s) (S_COPY(p,x)?PIXEL_MASK(p,x,d,s):0)
3333
#        define B_MASKx(p,x,d,s) (B_COPY(p,x)?PIXEL_MASK(p,x,d,s):0)
3334

3335
         /* Combine 8 of these to get the full mask.  For the 1-bpp and 2-bpp
3336
          * cases the result needs replicating, for the 4-bpp case the above
3337
          * generates a full 32 bits.
3338
          */
3339
#        define MASK_EXPAND(m,d) ((m)*((d)==1?0x01010101:((d)==2?0x00010001:1)))
3340

3341
#        define S_MASK(p,d,s) MASK_EXPAND(S_MASKx(p,0,d,s) + S_MASKx(p,1,d,s) +\
3342
            S_MASKx(p,2,d,s) + S_MASKx(p,3,d,s) + S_MASKx(p,4,d,s) +\
3343
            S_MASKx(p,5,d,s) + S_MASKx(p,6,d,s) + S_MASKx(p,7,d,s), d)
3344

3345
#        define B_MASK(p,d,s) MASK_EXPAND(B_MASKx(p,0,d,s) + B_MASKx(p,1,d,s) +\
3346
            B_MASKx(p,2,d,s) + B_MASKx(p,3,d,s) + B_MASKx(p,4,d,s) +\
3347
            B_MASKx(p,5,d,s) + B_MASKx(p,6,d,s) + B_MASKx(p,7,d,s), d)
3348

3349
#if PNG_USE_COMPILE_TIME_MASKS
3350
         /* Utility macros to construct all the masks for a depth/swap
3351
          * combination.  The 's' parameter says whether the format is PNG
3352
          * (big endian bytes) or not.  Only the three odd-numbered passes are
3353
          * required for the display/block algorithm.
3354
          */
3355
#        define S_MASKS(d,s) { S_MASK(0,d,s), S_MASK(1,d,s), S_MASK(2,d,s),\
3356
            S_MASK(3,d,s), S_MASK(4,d,s), S_MASK(5,d,s) }
3357

3358
#        define B_MASKS(d,s) { B_MASK(1,d,s), B_MASK(3,d,s), B_MASK(5,d,s) }
3359

3360
#        define DEPTH_INDEX(d) ((d)==1?0:((d)==2?1:2))
3361

3362
         /* Hence the pre-compiled masks indexed by PACKSWAP (or not), depth and
3363
          * then pass:
3364
          */
3365
         static const png_uint_32 row_mask[2/*PACKSWAP*/][3/*depth*/][6] =
3366
         {
3367
            /* Little-endian byte masks for PACKSWAP */
3368
            { S_MASKS(1,0), S_MASKS(2,0), S_MASKS(4,0) },
3369
            /* Normal (big-endian byte) masks - PNG format */
3370
            { S_MASKS(1,1), S_MASKS(2,1), S_MASKS(4,1) }
3371
         };
3372

3373
         /* display_mask has only three entries for the odd passes, so index by
3374
          * pass>>1.
3375
          */
3376
         static const png_uint_32 display_mask[2][3][3] =
3377
         {
3378
            /* Little-endian byte masks for PACKSWAP */
3379
            { B_MASKS(1,0), B_MASKS(2,0), B_MASKS(4,0) },
3380
            /* Normal (big-endian byte) masks - PNG format */
3381
            { B_MASKS(1,1), B_MASKS(2,1), B_MASKS(4,1) }
3382
         };
3383

3384
#        define MASK(pass,depth,display,png)\
3385
            ((display)?display_mask[png][DEPTH_INDEX(depth)][pass>>1]:\
3386
               row_mask[png][DEPTH_INDEX(depth)][pass])
3387

3388
#else /* !PNG_USE_COMPILE_TIME_MASKS */
3389
         /* This is the runtime alternative: it seems unlikely that this will
3390
          * ever be either smaller or faster than the compile time approach.
3391
          */
3392
#        define MASK(pass,depth,display,png)\
3393
            ((display)?B_MASK(pass,depth,png):S_MASK(pass,depth,png))
3394
#endif /* !USE_COMPILE_TIME_MASKS */
3395

3396
         /* Use the appropriate mask to copy the required bits.  In some cases
3397
          * the byte mask will be 0 or 0xff; optimize these cases.  row_width is
3398
          * the number of pixels, but the code copies bytes, so it is necessary
3399
          * to special case the end.
3400
          */
3401
         png_uint_32 pixels_per_byte = 8 / pixel_depth;
3402
         png_uint_32 mask;
3403

3404
#        ifdef PNG_READ_PACKSWAP_SUPPORTED
3405
         if ((png_ptr->transformations & PNG_PACKSWAP) != 0)
3406
            mask = MASK(pass, pixel_depth, display, 0);
3407

3408
         else
3409
#        endif
3410
         mask = MASK(pass, pixel_depth, display, 1);
3411

3412
         for (;;)
3413
         {
3414
            png_uint_32 m;
3415

3416
            /* It doesn't matter in the following if png_uint_32 has more than
3417
             * 32 bits because the high bits always match those in m<<24; it is,
3418
             * however, essential to use OR here, not +, because of this.
3419
             */
3420
            m = mask;
3421
            mask = (m >> 8) | (m << 24); /* rotate right to good compilers */
3422
            m &= 0xff;
3423

3424
            if (m != 0) /* something to copy */
3425
            {
3426
               if (m != 0xff)
3427
                  *dp = (png_byte)((*dp & ~m) | (*sp & m));
3428
               else
3429
                  *dp = *sp;
3430
            }
3431

3432
            /* NOTE: this may overwrite the last byte with garbage if the image
3433
             * is not an exact number of bytes wide; libpng has always done
3434
             * this.
3435
             */
3436
            if (row_width <= pixels_per_byte)
3437
               break; /* May need to restore part of the last byte */
3438

3439
            row_width -= pixels_per_byte;
3440
            ++dp;
3441
            ++sp;
3442
         }
3443
      }
3444

3445
      else /* pixel_depth >= 8 */
3446
      {
3447
         unsigned int bytes_to_copy, bytes_to_jump;
3448

3449
         /* Validate the depth - it must be a multiple of 8 */
3450
         if (pixel_depth & 7)
3451
            png_error(png_ptr, "invalid user transform pixel depth");
3452

3453
         pixel_depth >>= 3; /* now in bytes */
3454
         row_width *= pixel_depth;
3455

3456
         /* Regardless of pass number the Adam 7 interlace always results in a
3457
          * fixed number of pixels to copy then to skip.  There may be a
3458
          * different number of pixels to skip at the start though.
3459
          */
3460
         {
3461
            unsigned int offset = PNG_PASS_START_COL(pass) * pixel_depth;
3462

3463
            row_width -= offset;
3464
            dp += offset;
3465
            sp += offset;
3466
         }
3467

3468
         /* Work out the bytes to copy. */
3469
         if (display != 0)
3470
         {
3471
            /* When doing the 'block' algorithm the pixel in the pass gets
3472
             * replicated to adjacent pixels.  This is why the even (0,2,4,6)
3473
             * passes are skipped above - the entire expanded row is copied.
3474
             */
3475
            bytes_to_copy = (1<<((6-pass)>>1)) * pixel_depth;
3476

3477
            /* But don't allow this number to exceed the actual row width. */
3478
            if (bytes_to_copy > row_width)
3479
               bytes_to_copy = (unsigned int)/*SAFE*/row_width;
3480
         }
3481

3482
         else /* normal row; Adam7 only ever gives us one pixel to copy. */
3483
            bytes_to_copy = pixel_depth;
3484

3485
         /* In Adam7 there is a constant offset between where the pixels go. */
3486
         bytes_to_jump = PNG_PASS_COL_OFFSET(pass) * pixel_depth;
3487

3488
         /* And simply copy these bytes.  Some optimization is possible here,
3489
          * depending on the value of 'bytes_to_copy'.  Special case the low
3490
          * byte counts, which we know to be frequent.
3491
          *
3492
          * Notice that these cases all 'return' rather than 'break' - this
3493
          * avoids an unnecessary test on whether to restore the last byte
3494
          * below.
3495
          */
3496
         switch (bytes_to_copy)
3497
         {
3498
            case 1:
3499
               for (;;)
3500
               {
3501
                  *dp = *sp;
3502

3503
                  if (row_width <= bytes_to_jump)
3504
                     return;
3505

3506
                  dp += bytes_to_jump;
3507
                  sp += bytes_to_jump;
3508
                  row_width -= bytes_to_jump;
3509
               }
3510

3511
            case 2:
3512
               /* There is a possibility of a partial copy at the end here; this
3513
                * slows the code down somewhat.
3514
                */
3515
               do
3516
               {
3517
                  dp[0] = sp[0]; dp[1] = sp[1];
3518

3519
                  if (row_width <= bytes_to_jump)
3520
                     return;
3521

3522
                  sp += bytes_to_jump;
3523
                  dp += bytes_to_jump;
3524
                  row_width -= bytes_to_jump;
3525
               }
3526
               while (row_width > 1);
3527

3528
               /* And there can only be one byte left at this point: */
3529
               *dp = *sp;
3530
               return;
3531

3532
            case 3:
3533
               /* This can only be the RGB case, so each copy is exactly one
3534
                * pixel and it is not necessary to check for a partial copy.
3535
                */
3536
               for (;;)
3537
               {
3538
                  dp[0] = sp[0]; dp[1] = sp[1]; dp[2] = sp[2];
3539

3540
                  if (row_width <= bytes_to_jump)
3541
                     return;
3542

3543
                  sp += bytes_to_jump;
3544
                  dp += bytes_to_jump;
3545
                  row_width -= bytes_to_jump;
3546
               }
3547

3548
            default:
3549
#if PNG_ALIGN_TYPE != PNG_ALIGN_NONE
3550
               /* Check for double byte alignment and, if possible, use a
3551
                * 16-bit copy.  Don't attempt this for narrow images - ones that
3552
                * are less than an interlace panel wide.  Don't attempt it for
3553
                * wide bytes_to_copy either - use the memcpy there.
3554
                */
3555
               if (bytes_to_copy < 16 /*else use memcpy*/ &&
3556
                   png_isaligned(dp, png_uint_16) &&
3557
                   png_isaligned(sp, png_uint_16) &&
3558
                   bytes_to_copy % (sizeof (png_uint_16)) == 0 &&
3559
                   bytes_to_jump % (sizeof (png_uint_16)) == 0)
3560
               {
3561
                  /* Everything is aligned for png_uint_16 copies, but try for
3562
                   * png_uint_32 first.
3563
                   */
3564
                  if (png_isaligned(dp, png_uint_32) &&
3565
                      png_isaligned(sp, png_uint_32) &&
3566
                      bytes_to_copy % (sizeof (png_uint_32)) == 0 &&
3567
                      bytes_to_jump % (sizeof (png_uint_32)) == 0)
3568
                  {
3569
                     png_uint_32p dp32 = png_aligncast(png_uint_32p,dp);
3570
                     png_const_uint_32p sp32 = png_aligncastconst(
3571
                         png_const_uint_32p, sp);
3572
                     size_t skip = (bytes_to_jump-bytes_to_copy) /
3573
                         (sizeof (png_uint_32));
3574

3575
                     do
3576
                     {
3577
                        size_t c = bytes_to_copy;
3578
                        do
3579
                        {
3580
                           *dp32++ = *sp32++;
3581
                           c -= (sizeof (png_uint_32));
3582
                        }
3583
                        while (c > 0);
3584

3585
                        if (row_width <= bytes_to_jump)
3586
                           return;
3587

3588
                        dp32 += skip;
3589
                        sp32 += skip;
3590
                        row_width -= bytes_to_jump;
3591
                     }
3592
                     while (bytes_to_copy <= row_width);
3593

3594
                     /* Get to here when the row_width truncates the final copy.
3595
                      * There will be 1-3 bytes left to copy, so don't try the
3596
                      * 16-bit loop below.
3597
                      */
3598
                     dp = (png_bytep)dp32;
3599
                     sp = (png_const_bytep)sp32;
3600
                     do
3601
                        *dp++ = *sp++;
3602
                     while (--row_width > 0);
3603
                     return;
3604
                  }
3605

3606
                  /* Else do it in 16-bit quantities, but only if the size is
3607
                   * not too large.
3608
                   */
3609
                  else
3610
                  {
3611
                     png_uint_16p dp16 = png_aligncast(png_uint_16p, dp);
3612
                     png_const_uint_16p sp16 = png_aligncastconst(
3613
                        png_const_uint_16p, sp);
3614
                     size_t skip = (bytes_to_jump-bytes_to_copy) /
3615
                        (sizeof (png_uint_16));
3616

3617
                     do
3618
                     {
3619
                        size_t c = bytes_to_copy;
3620
                        do
3621
                        {
3622
                           *dp16++ = *sp16++;
3623
                           c -= (sizeof (png_uint_16));
3624
                        }
3625
                        while (c > 0);
3626

3627
                        if (row_width <= bytes_to_jump)
3628
                           return;
3629

3630
                        dp16 += skip;
3631
                        sp16 += skip;
3632
                        row_width -= bytes_to_jump;
3633
                     }
3634
                     while (bytes_to_copy <= row_width);
3635

3636
                     /* End of row - 1 byte left, bytes_to_copy > row_width: */
3637
                     dp = (png_bytep)dp16;
3638
                     sp = (png_const_bytep)sp16;
3639
                     do
3640
                        *dp++ = *sp++;
3641
                     while (--row_width > 0);
3642
                     return;
3643
                  }
3644
               }
3645
#endif /* ALIGN_TYPE code */
3646

3647
               /* The true default - use a memcpy: */
3648
               for (;;)
3649
               {
3650
                  memcpy(dp, sp, bytes_to_copy);
3651

3652
                  if (row_width <= bytes_to_jump)
3653
                     return;
3654

3655
                  sp += bytes_to_jump;
3656
                  dp += bytes_to_jump;
3657
                  row_width -= bytes_to_jump;
3658
                  if (bytes_to_copy > row_width)
3659
                     bytes_to_copy = (unsigned int)/*SAFE*/row_width;
3660
               }
3661
         }
3662

3663
         /* NOT REACHED*/
3664
      } /* pixel_depth >= 8 */
3665

3666
      /* Here if pixel_depth < 8 to check 'end_ptr' below. */
3667
   }
3668
   else
3669
#endif /* READ_INTERLACING */
3670

3671
   /* If here then the switch above wasn't used so just memcpy the whole row
3672
    * from the temporary row buffer (notice that this overwrites the end of the
3673
    * destination row if it is a partial byte.)
3674
    */
3675
   memcpy(dp, sp, PNG_ROWBYTES(pixel_depth, row_width));
3676

3677
   /* Restore the overwritten bits from the last byte if necessary. */
3678
   if (end_ptr != NULL)
3679
      *end_ptr = (png_byte)((end_byte & end_mask) | (*end_ptr & ~end_mask));
3680
}
3681

3682
#ifdef PNG_READ_INTERLACING_SUPPORTED
3683
void /* PRIVATE */
3684
png_do_read_interlace(png_row_infop row_info, png_bytep row, int pass,
3685
    png_uint_32 transformations /* Because these may affect the byte layout */)
3686
{
3687
   /* Arrays to facilitate easy interlacing - use pass (0 - 6) as index */
3688
   /* Offset to next interlace block */
3689
   static const unsigned int png_pass_inc[7] = {8, 8, 4, 4, 2, 2, 1};
3690

3691
   png_debug(1, "in png_do_read_interlace");
3692
   if (row != NULL && row_info != NULL)
3693
   {
3694
      png_uint_32 final_width;
3695

3696
      final_width = row_info->width * png_pass_inc[pass];
3697

3698
      switch (row_info->pixel_depth)
3699
      {
3700
         case 1:
3701
         {
3702
            png_bytep sp = row + (size_t)((row_info->width - 1) >> 3);
3703
            png_bytep dp = row + (size_t)((final_width - 1) >> 3);
3704
            unsigned int sshift, dshift;
3705
            unsigned int s_start, s_end;
3706
            int s_inc;
3707
            int jstop = (int)png_pass_inc[pass];
3708
            png_byte v;
3709
            png_uint_32 i;
3710
            int j;
3711

3712
#ifdef PNG_READ_PACKSWAP_SUPPORTED
3713
            if ((transformations & PNG_PACKSWAP) != 0)
3714
            {
3715
                sshift = ((row_info->width + 7) & 0x07);
3716
                dshift = ((final_width + 7) & 0x07);
3717
                s_start = 7;
3718
                s_end = 0;
3719
                s_inc = -1;
3720
            }
3721

3722
            else
3723
#endif
3724
            {
3725
                sshift = 7 - ((row_info->width + 7) & 0x07);
3726
                dshift = 7 - ((final_width + 7) & 0x07);
3727
                s_start = 0;
3728
                s_end = 7;
3729
                s_inc = 1;
3730
            }
3731

3732
            for (i = 0; i < row_info->width; i++)
3733
            {
3734
               v = (png_byte)((*sp >> sshift) & 0x01);
3735
               for (j = 0; j < jstop; j++)
3736
               {
3737
                  unsigned int tmp = *dp & (0x7f7f >> (7 - dshift));
3738
                  tmp |= (unsigned int)(v << dshift);
3739
                  *dp = (png_byte)(tmp & 0xff);
3740

3741
                  if (dshift == s_end)
3742
                  {
3743
                     dshift = s_start;
3744
                     dp--;
3745
                  }
3746

3747
                  else
3748
                     dshift = (unsigned int)((int)dshift + s_inc);
3749
               }
3750

3751
               if (sshift == s_end)
3752
               {
3753
                  sshift = s_start;
3754
                  sp--;
3755
               }
3756

3757
               else
3758
                  sshift = (unsigned int)((int)sshift + s_inc);
3759
            }
3760
            break;
3761
         }
3762

3763
         case 2:
3764
         {
3765
            png_bytep sp = row + (png_uint_32)((row_info->width - 1) >> 2);
3766
            png_bytep dp = row + (png_uint_32)((final_width - 1) >> 2);
3767
            unsigned int sshift, dshift;
3768
            unsigned int s_start, s_end;
3769
            int s_inc;
3770
            int jstop = (int)png_pass_inc[pass];
3771
            png_uint_32 i;
3772

3773
#ifdef PNG_READ_PACKSWAP_SUPPORTED
3774
            if ((transformations & PNG_PACKSWAP) != 0)
3775
            {
3776
               sshift = (((row_info->width + 3) & 0x03) << 1);
3777
               dshift = (((final_width + 3) & 0x03) << 1);
3778
               s_start = 6;
3779
               s_end = 0;
3780
               s_inc = -2;
3781
            }
3782

3783
            else
3784
#endif
3785
            {
3786
               sshift = ((3 - ((row_info->width + 3) & 0x03)) << 1);
3787
               dshift = ((3 - ((final_width + 3) & 0x03)) << 1);
3788
               s_start = 0;
3789
               s_end = 6;
3790
               s_inc = 2;
3791
            }
3792

3793
            for (i = 0; i < row_info->width; i++)
3794
            {
3795
               png_byte v;
3796
               int j;
3797

3798
               v = (png_byte)((*sp >> sshift) & 0x03);
3799
               for (j = 0; j < jstop; j++)
3800
               {
3801
                  unsigned int tmp = *dp & (0x3f3f >> (6 - dshift));
3802
                  tmp |= (unsigned int)(v << dshift);
3803
                  *dp = (png_byte)(tmp & 0xff);
3804

3805
                  if (dshift == s_end)
3806
                  {
3807
                     dshift = s_start;
3808
                     dp--;
3809
                  }
3810

3811
                  else
3812
                     dshift = (unsigned int)((int)dshift + s_inc);
3813
               }
3814

3815
               if (sshift == s_end)
3816
               {
3817
                  sshift = s_start;
3818
                  sp--;
3819
               }
3820

3821
               else
3822
                  sshift = (unsigned int)((int)sshift + s_inc);
3823
            }
3824
            break;
3825
         }
3826

3827
         case 4:
3828
         {
3829
            png_bytep sp = row + (size_t)((row_info->width - 1) >> 1);
3830
            png_bytep dp = row + (size_t)((final_width - 1) >> 1);
3831
            unsigned int sshift, dshift;
3832
            unsigned int s_start, s_end;
3833
            int s_inc;
3834
            png_uint_32 i;
3835
            int jstop = (int)png_pass_inc[pass];
3836

3837
#ifdef PNG_READ_PACKSWAP_SUPPORTED
3838
            if ((transformations & PNG_PACKSWAP) != 0)
3839
            {
3840
               sshift = (((row_info->width + 1) & 0x01) << 2);
3841
               dshift = (((final_width + 1) & 0x01) << 2);
3842
               s_start = 4;
3843
               s_end = 0;
3844
               s_inc = -4;
3845
            }
3846

3847
            else
3848
#endif
3849
            {
3850
               sshift = ((1 - ((row_info->width + 1) & 0x01)) << 2);
3851
               dshift = ((1 - ((final_width + 1) & 0x01)) << 2);
3852
               s_start = 0;
3853
               s_end = 4;
3854
               s_inc = 4;
3855
            }
3856

3857
            for (i = 0; i < row_info->width; i++)
3858
            {
3859
               png_byte v = (png_byte)((*sp >> sshift) & 0x0f);
3860
               int j;
3861

3862
               for (j = 0; j < jstop; j++)
3863
               {
3864
                  unsigned int tmp = *dp & (0xf0f >> (4 - dshift));
3865
                  tmp |= (unsigned int)(v << dshift);
3866
                  *dp = (png_byte)(tmp & 0xff);
3867

3868
                  if (dshift == s_end)
3869
                  {
3870
                     dshift = s_start;
3871
                     dp--;
3872
                  }
3873

3874
                  else
3875
                     dshift = (unsigned int)((int)dshift + s_inc);
3876
               }
3877

3878
               if (sshift == s_end)
3879
               {
3880
                  sshift = s_start;
3881
                  sp--;
3882
               }
3883

3884
               else
3885
                  sshift = (unsigned int)((int)sshift + s_inc);
3886
            }
3887
            break;
3888
         }
3889

3890
         default:
3891
         {
3892
            size_t pixel_bytes = (row_info->pixel_depth >> 3);
3893

3894
            png_bytep sp = row + (size_t)(row_info->width - 1)
3895
                * pixel_bytes;
3896

3897
            png_bytep dp = row + (size_t)(final_width - 1) * pixel_bytes;
3898

3899
            int jstop = (int)png_pass_inc[pass];
3900
            png_uint_32 i;
3901

3902
            for (i = 0; i < row_info->width; i++)
3903
            {
3904
               png_byte v[8]; /* SAFE; pixel_depth does not exceed 64 */
3905
               int j;
3906

3907
               memcpy(v, sp, pixel_bytes);
3908

3909
               for (j = 0; j < jstop; j++)
3910
               {
3911
                  memcpy(dp, v, pixel_bytes);
3912
                  dp -= pixel_bytes;
3913
               }
3914

3915
               sp -= pixel_bytes;
3916
            }
3917
            break;
3918
         }
3919
      }
3920

3921
      row_info->width = final_width;
3922
      row_info->rowbytes = PNG_ROWBYTES(row_info->pixel_depth, final_width);
3923
   }
3924
#ifndef PNG_READ_PACKSWAP_SUPPORTED
3925
   PNG_UNUSED(transformations)  /* Silence compiler warning */
3926
#endif
3927
}
3928
#endif /* READ_INTERLACING */
3929

3930
static void
3931
png_read_filter_row_sub(png_row_infop row_info, png_bytep row,
3932
    png_const_bytep prev_row)
3933
{
3934
   size_t i;
3935
   size_t istop = row_info->rowbytes;
3936
   unsigned int bpp = (row_info->pixel_depth + 7) >> 3;
3937
   png_bytep rp = row + bpp;
3938

3939
   PNG_UNUSED(prev_row)
3940

3941
   for (i = bpp; i < istop; i++)
3942
   {
3943
      *rp = (png_byte)(((int)(*rp) + (int)(*(rp-bpp))) & 0xff);
3944
      rp++;
3945
   }
3946
}
3947

3948
static void
3949
png_read_filter_row_up(png_row_infop row_info, png_bytep row,
3950
    png_const_bytep prev_row)
3951
{
3952
   size_t i;
3953
   size_t istop = row_info->rowbytes;
3954
   png_bytep rp = row;
3955
   png_const_bytep pp = prev_row;
3956

3957
   for (i = 0; i < istop; i++)
3958
   {
3959
      *rp = (png_byte)(((int)(*rp) + (int)(*pp++)) & 0xff);
3960
      rp++;
3961
   }
3962
}
3963

3964
static void
3965
png_read_filter_row_avg(png_row_infop row_info, png_bytep row,
3966
    png_const_bytep prev_row)
3967
{
3968
   size_t i;
3969
   png_bytep rp = row;
3970
   png_const_bytep pp = prev_row;
3971
   unsigned int bpp = (row_info->pixel_depth + 7) >> 3;
3972
   size_t istop = row_info->rowbytes - bpp;
3973

3974
   for (i = 0; i < bpp; i++)
3975
   {
3976
      *rp = (png_byte)(((int)(*rp) +
3977
         ((int)(*pp++) / 2 )) & 0xff);
3978

3979
      rp++;
3980
   }
3981

3982
   for (i = 0; i < istop; i++)
3983
   {
3984
      *rp = (png_byte)(((int)(*rp) +
3985
         (int)(*pp++ + *(rp-bpp)) / 2 ) & 0xff);
3986

3987
      rp++;
3988
   }
3989
}
3990

3991
static void
3992
png_read_filter_row_paeth_1byte_pixel(png_row_infop row_info, png_bytep row,
3993
    png_const_bytep prev_row)
3994
{
3995
   png_bytep rp_end = row + row_info->rowbytes;
3996
   int a, c;
3997

3998
   /* First pixel/byte */
3999
   c = *prev_row++;
4000
   a = *row + c;
4001
   *row++ = (png_byte)a;
4002

4003
   /* Remainder */
4004
   while (row < rp_end)
4005
   {
4006
      int b, pa, pb, pc, p;
4007

4008
      a &= 0xff; /* From previous iteration or start */
4009
      b = *prev_row++;
4010

4011
      p = b - c;
4012
      pc = a - c;
4013

4014
#ifdef PNG_USE_ABS
4015
      pa = abs(p);
4016
      pb = abs(pc);
4017
      pc = abs(p + pc);
4018
#else
4019
      pa = p < 0 ? -p : p;
4020
      pb = pc < 0 ? -pc : pc;
4021
      pc = (p + pc) < 0 ? -(p + pc) : p + pc;
4022
#endif
4023

4024
      /* Find the best predictor, the least of pa, pb, pc favoring the earlier
4025
       * ones in the case of a tie.
4026
       */
4027
      if (pb < pa)
4028
      {
4029
         pa = pb; a = b;
4030
      }
4031
      if (pc < pa) a = c;
4032

4033
      /* Calculate the current pixel in a, and move the previous row pixel to c
4034
       * for the next time round the loop
4035
       */
4036
      c = b;
4037
      a += *row;
4038
      *row++ = (png_byte)a;
4039
   }
4040
}
4041

4042
static void
4043
png_read_filter_row_paeth_multibyte_pixel(png_row_infop row_info, png_bytep row,
4044
    png_const_bytep prev_row)
4045
{
4046
   unsigned int bpp = (row_info->pixel_depth + 7) >> 3;
4047
   png_bytep rp_end = row + bpp;
4048

4049
   /* Process the first pixel in the row completely (this is the same as 'up'
4050
    * because there is only one candidate predictor for the first row).
4051
    */
4052
   while (row < rp_end)
4053
   {
4054
      int a = *row + *prev_row++;
4055
      *row++ = (png_byte)a;
4056
   }
4057

4058
   /* Remainder */
4059
   rp_end = rp_end + (row_info->rowbytes - bpp);
4060

4061
   while (row < rp_end)
4062
   {
4063
      int a, b, c, pa, pb, pc, p;
4064

4065
      c = *(prev_row - bpp);
4066
      a = *(row - bpp);
4067
      b = *prev_row++;
4068

4069
      p = b - c;
4070
      pc = a - c;
4071

4072
#ifdef PNG_USE_ABS
4073
      pa = abs(p);
4074
      pb = abs(pc);
4075
      pc = abs(p + pc);
4076
#else
4077
      pa = p < 0 ? -p : p;
4078
      pb = pc < 0 ? -pc : pc;
4079
      pc = (p + pc) < 0 ? -(p + pc) : p + pc;
4080
#endif
4081

4082
      if (pb < pa)
4083
      {
4084
         pa = pb; a = b;
4085
      }
4086
      if (pc < pa) a = c;
4087

4088
      a += *row;
4089
      *row++ = (png_byte)a;
4090
   }
4091
}
4092

4093
static void
4094
png_init_filter_functions(png_structrp pp)
4095
   /* This function is called once for every PNG image (except for PNG images
4096
    * that only use PNG_FILTER_VALUE_NONE for all rows) to set the
4097
    * implementations required to reverse the filtering of PNG rows.  Reversing
4098
    * the filter is the first transformation performed on the row data.  It is
4099
    * performed in place, therefore an implementation can be selected based on
4100
    * the image pixel format.  If the implementation depends on image width then
4101
    * take care to ensure that it works correctly if the image is interlaced -
4102
    * interlacing causes the actual row width to vary.
4103
    */
4104
{
4105
   unsigned int bpp = (pp->pixel_depth + 7) >> 3;
4106

4107
   pp->read_filter[PNG_FILTER_VALUE_SUB-1] = png_read_filter_row_sub;
4108
   pp->read_filter[PNG_FILTER_VALUE_UP-1] = png_read_filter_row_up;
4109
   pp->read_filter[PNG_FILTER_VALUE_AVG-1] = png_read_filter_row_avg;
4110
   if (bpp == 1)
4111
      pp->read_filter[PNG_FILTER_VALUE_PAETH-1] =
4112
         png_read_filter_row_paeth_1byte_pixel;
4113
   else
4114
      pp->read_filter[PNG_FILTER_VALUE_PAETH-1] =
4115
         png_read_filter_row_paeth_multibyte_pixel;
4116

4117
#ifdef PNG_FILTER_OPTIMIZATIONS
4118
   /* To use this define PNG_FILTER_OPTIMIZATIONS as the name of a function to
4119
    * call to install hardware optimizations for the above functions; simply
4120
    * replace whatever elements of the pp->read_filter[] array with a hardware
4121
    * specific (or, for that matter, generic) optimization.
4122
    *
4123
    * To see an example of this examine what configure.ac does when
4124
    * --enable-arm-neon is specified on the command line.
4125
    */
4126
   PNG_FILTER_OPTIMIZATIONS(pp, bpp);
4127
#endif
4128
}
4129

4130
void /* PRIVATE */
4131
png_read_filter_row(png_structrp pp, png_row_infop row_info, png_bytep row,
4132
    png_const_bytep prev_row, int filter)
4133
{
4134
   /* OPTIMIZATION: DO NOT MODIFY THIS FUNCTION, instead #define
4135
    * PNG_FILTER_OPTIMIZATIONS to a function that overrides the generic
4136
    * implementations.  See png_init_filter_functions above.
4137
    */
4138
   if (filter > PNG_FILTER_VALUE_NONE && filter < PNG_FILTER_VALUE_LAST)
4139
   {
4140
      if (pp->read_filter[0] == NULL)
4141
         png_init_filter_functions(pp);
4142

4143
      pp->read_filter[filter-1](row_info, row, prev_row);
4144
   }
4145
}
4146

4147
#ifdef PNG_SEQUENTIAL_READ_SUPPORTED
4148
void /* PRIVATE */
4149
png_read_IDAT_data(png_structrp png_ptr, png_bytep output,
4150
    png_alloc_size_t avail_out)
4151
{
4152
   /* Loop reading IDATs and decompressing the result into output[avail_out] */
4153
   png_ptr->zstream.next_out = output;
4154
   png_ptr->zstream.avail_out = 0; /* safety: set below */
4155

4156
   if (output == NULL)
4157
      avail_out = 0;
4158

4159
   do
4160
   {
4161
      int ret;
4162
      png_byte tmpbuf[PNG_INFLATE_BUF_SIZE];
4163

4164
      if (png_ptr->zstream.avail_in == 0)
4165
      {
4166
         uInt avail_in;
4167
         png_bytep buffer;
4168

4169
         while (png_ptr->idat_size == 0)
4170
         {
4171
            png_crc_finish(png_ptr, 0);
4172

4173
            png_ptr->idat_size = png_read_chunk_header(png_ptr);
4174
            /* This is an error even in the 'check' case because the code just
4175
             * consumed a non-IDAT header.
4176
             */
4177
            if (png_ptr->chunk_name != png_IDAT)
4178
               png_error(png_ptr, "Not enough image data");
4179
         }
4180

4181
         avail_in = png_ptr->IDAT_read_size;
4182

4183
         if (avail_in > png_ptr->idat_size)
4184
            avail_in = (uInt)png_ptr->idat_size;
4185

4186
         /* A PNG with a gradually increasing IDAT size will defeat this attempt
4187
          * to minimize memory usage by causing lots of re-allocs, but
4188
          * realistically doing IDAT_read_size re-allocs is not likely to be a
4189
          * big problem.
4190
          */
4191
         buffer = png_read_buffer(png_ptr, avail_in, 0/*error*/);
4192

4193
         png_crc_read(png_ptr, buffer, avail_in);
4194
         png_ptr->idat_size -= avail_in;
4195

4196
         png_ptr->zstream.next_in = buffer;
4197
         png_ptr->zstream.avail_in = avail_in;
4198
      }
4199

4200
      /* And set up the output side. */
4201
      if (output != NULL) /* standard read */
4202
      {
4203
         uInt out = ZLIB_IO_MAX;
4204

4205
         if (out > avail_out)
4206
            out = (uInt)avail_out;
4207

4208
         avail_out -= out;
4209
         png_ptr->zstream.avail_out = out;
4210
      }
4211

4212
      else /* after last row, checking for end */
4213
      {
4214
         png_ptr->zstream.next_out = tmpbuf;
4215
         png_ptr->zstream.avail_out = (sizeof tmpbuf);
4216
      }
4217

4218
      /* Use NO_FLUSH; this gives zlib the maximum opportunity to optimize the
4219
       * process.  If the LZ stream is truncated the sequential reader will
4220
       * terminally damage the stream, above, by reading the chunk header of the
4221
       * following chunk (it then exits with png_error).
4222
       *
4223
       * TODO: deal more elegantly with truncated IDAT lists.
4224
       */
4225
      ret = PNG_INFLATE(png_ptr, Z_NO_FLUSH);
4226

4227
      /* Take the unconsumed output back. */
4228
      if (output != NULL)
4229
         avail_out += png_ptr->zstream.avail_out;
4230

4231
      else /* avail_out counts the extra bytes */
4232
         avail_out += (sizeof tmpbuf) - png_ptr->zstream.avail_out;
4233

4234
      png_ptr->zstream.avail_out = 0;
4235

4236
      if (ret == Z_STREAM_END)
4237
      {
4238
         /* Do this for safety; we won't read any more into this row. */
4239
         png_ptr->zstream.next_out = NULL;
4240

4241
         png_ptr->mode |= PNG_AFTER_IDAT;
4242
         png_ptr->flags |= PNG_FLAG_ZSTREAM_ENDED;
4243

4244
         if (png_ptr->zstream.avail_in > 0 || png_ptr->idat_size > 0)
4245
            png_chunk_benign_error(png_ptr, "Extra compressed data");
4246
         break;
4247
      }
4248

4249
      if (ret != Z_OK)
4250
      {
4251
         png_zstream_error(png_ptr, ret);
4252

4253
         if (output != NULL)
4254
            png_chunk_error(png_ptr, png_ptr->zstream.msg);
4255

4256
         else /* checking */
4257
         {
4258
            png_chunk_benign_error(png_ptr, png_ptr->zstream.msg);
4259
            return;
4260
         }
4261
      }
4262
   } while (avail_out > 0);
4263

4264
   if (avail_out > 0)
4265
   {
4266
      /* The stream ended before the image; this is the same as too few IDATs so
4267
       * should be handled the same way.
4268
       */
4269
      if (output != NULL)
4270
         png_error(png_ptr, "Not enough image data");
4271

4272
      else /* the deflate stream contained extra data */
4273
         png_chunk_benign_error(png_ptr, "Too much image data");
4274
   }
4275
}
4276

4277
void /* PRIVATE */
4278
png_read_finish_IDAT(png_structrp png_ptr)
4279
{
4280
   /* We don't need any more data and the stream should have ended, however the
4281
    * LZ end code may actually not have been processed.  In this case we must
4282
    * read it otherwise stray unread IDAT data or, more likely, an IDAT chunk
4283
    * may still remain to be consumed.
4284
    */
4285
   if ((png_ptr->flags & PNG_FLAG_ZSTREAM_ENDED) == 0)
4286
   {
4287
      /* The NULL causes png_read_IDAT_data to swallow any remaining bytes in
4288
       * the compressed stream, but the stream may be damaged too, so even after
4289
       * this call we may need to terminate the zstream ownership.
4290
       */
4291
      png_read_IDAT_data(png_ptr, NULL, 0);
4292
      png_ptr->zstream.next_out = NULL; /* safety */
4293

4294
      /* Now clear everything out for safety; the following may not have been
4295
       * done.
4296
       */
4297
      if ((png_ptr->flags & PNG_FLAG_ZSTREAM_ENDED) == 0)
4298
      {
4299
         png_ptr->mode |= PNG_AFTER_IDAT;
4300
         png_ptr->flags |= PNG_FLAG_ZSTREAM_ENDED;
4301
      }
4302
   }
4303

4304
   /* If the zstream has not been released do it now *and* terminate the reading
4305
    * of the final IDAT chunk.
4306
    */
4307
   if (png_ptr->zowner == png_IDAT)
4308
   {
4309
      /* Always do this; the pointers otherwise point into the read buffer. */
4310
      png_ptr->zstream.next_in = NULL;
4311
      png_ptr->zstream.avail_in = 0;
4312

4313
      /* Now we no longer own the zstream. */
4314
      png_ptr->zowner = 0;
4315

4316
      /* The slightly weird semantics of the sequential IDAT reading is that we
4317
       * are always in or at the end of an IDAT chunk, so we always need to do a
4318
       * crc_finish here.  If idat_size is non-zero we also need to read the
4319
       * spurious bytes at the end of the chunk now.
4320
       */
4321
      (void)png_crc_finish(png_ptr, png_ptr->idat_size);
4322
   }
4323
}
4324

4325
void /* PRIVATE */
4326
png_read_finish_row(png_structrp png_ptr)
4327
{
4328
   /* Arrays to facilitate easy interlacing - use pass (0 - 6) as index */
4329

4330
   /* Start of interlace block */
4331
   static const png_byte png_pass_start[7] = {0, 4, 0, 2, 0, 1, 0};
4332

4333
   /* Offset to next interlace block */
4334
   static const png_byte png_pass_inc[7] = {8, 8, 4, 4, 2, 2, 1};
4335

4336
   /* Start of interlace block in the y direction */
4337
   static const png_byte png_pass_ystart[7] = {0, 0, 4, 0, 2, 0, 1};
4338

4339
   /* Offset to next interlace block in the y direction */
4340
   static const png_byte png_pass_yinc[7] = {8, 8, 8, 4, 4, 2, 2};
4341

4342
   png_debug(1, "in png_read_finish_row");
4343
   png_ptr->row_number++;
4344
   if (png_ptr->row_number < png_ptr->num_rows)
4345
      return;
4346

4347
   if (png_ptr->interlaced != 0)
4348
   {
4349
      png_ptr->row_number = 0;
4350

4351
      /* TO DO: don't do this if prev_row isn't needed (requires
4352
       * read-ahead of the next row's filter byte.
4353
       */
4354
      memset(png_ptr->prev_row, 0, png_ptr->rowbytes + 1);
4355

4356
      do
4357
      {
4358
         png_ptr->pass++;
4359

4360
         if (png_ptr->pass >= 7)
4361
            break;
4362

4363
         png_ptr->iwidth = (png_ptr->width +
4364
            png_pass_inc[png_ptr->pass] - 1 -
4365
            png_pass_start[png_ptr->pass]) /
4366
            png_pass_inc[png_ptr->pass];
4367

4368
         if ((png_ptr->transformations & PNG_INTERLACE) == 0)
4369
         {
4370
            png_ptr->num_rows = (png_ptr->height +
4371
                png_pass_yinc[png_ptr->pass] - 1 -
4372
                png_pass_ystart[png_ptr->pass]) /
4373
                png_pass_yinc[png_ptr->pass];
4374
         }
4375

4376
         else  /* if (png_ptr->transformations & PNG_INTERLACE) */
4377
            break; /* libpng deinterlacing sees every row */
4378

4379
      } while (png_ptr->num_rows == 0 || png_ptr->iwidth == 0);
4380

4381
      if (png_ptr->pass < 7)
4382
         return;
4383
   }
4384

4385
   /* Here after at the end of the last row of the last pass. */
4386
   png_read_finish_IDAT(png_ptr);
4387
}
4388
#endif /* SEQUENTIAL_READ */
4389

4390
void /* PRIVATE */
4391
png_read_start_row(png_structrp png_ptr)
4392
{
4393
   /* Arrays to facilitate easy interlacing - use pass (0 - 6) as index */
4394

4395
   /* Start of interlace block */
4396
   static const png_byte png_pass_start[7] = {0, 4, 0, 2, 0, 1, 0};
4397

4398
   /* Offset to next interlace block */
4399
   static const png_byte png_pass_inc[7] = {8, 8, 4, 4, 2, 2, 1};
4400

4401
   /* Start of interlace block in the y direction */
4402
   static const png_byte png_pass_ystart[7] = {0, 0, 4, 0, 2, 0, 1};
4403

4404
   /* Offset to next interlace block in the y direction */
4405
   static const png_byte png_pass_yinc[7] = {8, 8, 8, 4, 4, 2, 2};
4406

4407
   unsigned int max_pixel_depth;
4408
   size_t row_bytes;
4409

4410
   png_debug(1, "in png_read_start_row");
4411

4412
#ifdef PNG_READ_TRANSFORMS_SUPPORTED
4413
   png_init_read_transformations(png_ptr);
4414
#endif
4415
   if (png_ptr->interlaced != 0)
4416
   {
4417
      if ((png_ptr->transformations & PNG_INTERLACE) == 0)
4418
         png_ptr->num_rows = (png_ptr->height + png_pass_yinc[0] - 1 -
4419
             png_pass_ystart[0]) / png_pass_yinc[0];
4420

4421
      else
4422
         png_ptr->num_rows = png_ptr->height;
4423

4424
      png_ptr->iwidth = (png_ptr->width +
4425
          png_pass_inc[png_ptr->pass] - 1 -
4426
          png_pass_start[png_ptr->pass]) /
4427
          png_pass_inc[png_ptr->pass];
4428
   }
4429

4430
   else
4431
   {
4432
      png_ptr->num_rows = png_ptr->height;
4433
      png_ptr->iwidth = png_ptr->width;
4434
   }
4435

4436
   max_pixel_depth = (unsigned int)png_ptr->pixel_depth;
4437

4438
   /* WARNING: * png_read_transform_info (pngrtran.c) performs a simpler set of
4439
    * calculations to calculate the final pixel depth, then
4440
    * png_do_read_transforms actually does the transforms.  This means that the
4441
    * code which effectively calculates this value is actually repeated in three
4442
    * separate places.  They must all match.  Innocent changes to the order of
4443
    * transformations can and will break libpng in a way that causes memory
4444
    * overwrites.
4445
    *
4446
    * TODO: fix this.
4447
    */
4448
#ifdef PNG_READ_PACK_SUPPORTED
4449
   if ((png_ptr->transformations & PNG_PACK) != 0 && png_ptr->bit_depth < 8)
4450
      max_pixel_depth = 8;
4451
#endif
4452

4453
#ifdef PNG_READ_EXPAND_SUPPORTED
4454
   if ((png_ptr->transformations & PNG_EXPAND) != 0)
4455
   {
4456
      if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
4457
      {
4458
         if (png_ptr->num_trans != 0)
4459
            max_pixel_depth = 32;
4460

4461
         else
4462
            max_pixel_depth = 24;
4463
      }
4464

4465
      else if (png_ptr->color_type == PNG_COLOR_TYPE_GRAY)
4466
      {
4467
         if (max_pixel_depth < 8)
4468
            max_pixel_depth = 8;
4469

4470
         if (png_ptr->num_trans != 0)
4471
            max_pixel_depth *= 2;
4472
      }
4473

4474
      else if (png_ptr->color_type == PNG_COLOR_TYPE_RGB)
4475
      {
4476
         if (png_ptr->num_trans != 0)
4477
         {
4478
            max_pixel_depth *= 4;
4479
            max_pixel_depth /= 3;
4480
         }
4481
      }
4482
   }
4483
#endif
4484

4485
#ifdef PNG_READ_EXPAND_16_SUPPORTED
4486
   if ((png_ptr->transformations & PNG_EXPAND_16) != 0)
4487
   {
4488
#  ifdef PNG_READ_EXPAND_SUPPORTED
4489
      /* In fact it is an error if it isn't supported, but checking is
4490
       * the safe way.
4491
       */
4492
      if ((png_ptr->transformations & PNG_EXPAND) != 0)
4493
      {
4494
         if (png_ptr->bit_depth < 16)
4495
            max_pixel_depth *= 2;
4496
      }
4497
      else
4498
#  endif
4499
      png_ptr->transformations &= ~PNG_EXPAND_16;
4500
   }
4501
#endif
4502

4503
#ifdef PNG_READ_FILLER_SUPPORTED
4504
   if ((png_ptr->transformations & (PNG_FILLER)) != 0)
4505
   {
4506
      if (png_ptr->color_type == PNG_COLOR_TYPE_GRAY)
4507
      {
4508
         if (max_pixel_depth <= 8)
4509
            max_pixel_depth = 16;
4510

4511
         else
4512
            max_pixel_depth = 32;
4513
      }
4514

4515
      else if (png_ptr->color_type == PNG_COLOR_TYPE_RGB ||
4516
         png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
4517
      {
4518
         if (max_pixel_depth <= 32)
4519
            max_pixel_depth = 32;
4520

4521
         else
4522
            max_pixel_depth = 64;
4523
      }
4524
   }
4525
#endif
4526

4527
#ifdef PNG_READ_GRAY_TO_RGB_SUPPORTED
4528
   if ((png_ptr->transformations & PNG_GRAY_TO_RGB) != 0)
4529
   {
4530
      if (
4531
#ifdef PNG_READ_EXPAND_SUPPORTED
4532
          (png_ptr->num_trans != 0 &&
4533
          (png_ptr->transformations & PNG_EXPAND) != 0) ||
4534
#endif
4535
#ifdef PNG_READ_FILLER_SUPPORTED
4536
          (png_ptr->transformations & (PNG_FILLER)) != 0 ||
4537
#endif
4538
          png_ptr->color_type == PNG_COLOR_TYPE_GRAY_ALPHA)
4539
      {
4540
         if (max_pixel_depth <= 16)
4541
            max_pixel_depth = 32;
4542

4543
         else
4544
            max_pixel_depth = 64;
4545
      }
4546

4547
      else
4548
      {
4549
         if (max_pixel_depth <= 8)
4550
         {
4551
            if (png_ptr->color_type == PNG_COLOR_TYPE_RGB_ALPHA)
4552
               max_pixel_depth = 32;
4553

4554
            else
4555
               max_pixel_depth = 24;
4556
         }
4557

4558
         else if (png_ptr->color_type == PNG_COLOR_TYPE_RGB_ALPHA)
4559
            max_pixel_depth = 64;
4560

4561
         else
4562
            max_pixel_depth = 48;
4563
      }
4564
   }
4565
#endif
4566

4567
#if defined(PNG_READ_USER_TRANSFORM_SUPPORTED) && \
4568
defined(PNG_USER_TRANSFORM_PTR_SUPPORTED)
4569
   if ((png_ptr->transformations & PNG_USER_TRANSFORM) != 0)
4570
   {
4571
      unsigned int user_pixel_depth = png_ptr->user_transform_depth *
4572
         png_ptr->user_transform_channels;
4573

4574
      if (user_pixel_depth > max_pixel_depth)
4575
         max_pixel_depth = user_pixel_depth;
4576
   }
4577
#endif
4578

4579
   /* This value is stored in png_struct and double checked in the row read
4580
    * code.
4581
    */
4582
   png_ptr->maximum_pixel_depth = (png_byte)max_pixel_depth;
4583
   png_ptr->transformed_pixel_depth = 0; /* calculated on demand */
4584

4585
   /* Align the width on the next larger 8 pixels.  Mainly used
4586
    * for interlacing
4587
    */
4588
   row_bytes = ((png_ptr->width + 7) & ~((png_uint_32)7));
4589
   /* Calculate the maximum bytes needed, adding a byte and a pixel
4590
    * for safety's sake
4591
    */
4592
   row_bytes = PNG_ROWBYTES(max_pixel_depth, row_bytes) +
4593
       1 + ((max_pixel_depth + 7) >> 3U);
4594

4595
#ifdef PNG_MAX_MALLOC_64K
4596
   if (row_bytes > (png_uint_32)65536L)
4597
      png_error(png_ptr, "This image requires a row greater than 64KB");
4598
#endif
4599

4600
   if (row_bytes + 48 > png_ptr->old_big_row_buf_size)
4601
   {
4602
      png_free(png_ptr, png_ptr->big_row_buf);
4603
      png_free(png_ptr, png_ptr->big_prev_row);
4604

4605
      if (png_ptr->interlaced != 0)
4606
         png_ptr->big_row_buf = (png_bytep)png_calloc(png_ptr,
4607
             row_bytes + 48);
4608

4609
      else
4610
         png_ptr->big_row_buf = (png_bytep)png_malloc(png_ptr, row_bytes + 48);
4611

4612
      png_ptr->big_prev_row = (png_bytep)png_malloc(png_ptr, row_bytes + 48);
4613

4614
#ifdef PNG_ALIGNED_MEMORY_SUPPORTED
4615
      /* Use 16-byte aligned memory for row_buf with at least 16 bytes
4616
       * of padding before and after row_buf; treat prev_row similarly.
4617
       * NOTE: the alignment is to the start of the pixels, one beyond the start
4618
       * of the buffer, because of the filter byte.  Prior to libpng 1.5.6 this
4619
       * was incorrect; the filter byte was aligned, which had the exact
4620
       * opposite effect of that intended.
4621
       */
4622
      {
4623
         png_bytep temp = png_ptr->big_row_buf + 32;
4624
         size_t extra = (size_t)temp & 0x0f;
4625
         png_ptr->row_buf = temp - extra - 1/*filter byte*/;
4626

4627
         temp = png_ptr->big_prev_row + 32;
4628
         extra = (size_t)temp & 0x0f;
4629
         png_ptr->prev_row = temp - extra - 1/*filter byte*/;
4630
      }
4631
#else
4632
      /* Use 31 bytes of padding before and 17 bytes after row_buf. */
4633
      png_ptr->row_buf = png_ptr->big_row_buf + 31;
4634
      png_ptr->prev_row = png_ptr->big_prev_row + 31;
4635
#endif
4636
      png_ptr->old_big_row_buf_size = row_bytes + 48;
4637
   }
4638

4639
#ifdef PNG_MAX_MALLOC_64K
4640
   if (png_ptr->rowbytes > 65535)
4641
      png_error(png_ptr, "This image requires a row greater than 64KB");
4642

4643
#endif
4644
   if (png_ptr->rowbytes > (PNG_SIZE_MAX - 1))
4645
      png_error(png_ptr, "Row has too many bytes to allocate in memory");
4646

4647
   memset(png_ptr->prev_row, 0, png_ptr->rowbytes + 1);
4648

4649
   png_debug1(3, "width = %u,", png_ptr->width);
4650
   png_debug1(3, "height = %u,", png_ptr->height);
4651
   png_debug1(3, "iwidth = %u,", png_ptr->iwidth);
4652
   png_debug1(3, "num_rows = %u,", png_ptr->num_rows);
4653
   png_debug1(3, "rowbytes = %lu,", (unsigned long)png_ptr->rowbytes);
4654
   png_debug1(3, "irowbytes = %lu",
4655
       (unsigned long)PNG_ROWBYTES(png_ptr->pixel_depth, png_ptr->iwidth) + 1);
4656

4657
   /* The sequential reader needs a buffer for IDAT, but the progressive reader
4658
    * does not, so free the read buffer now regardless; the sequential reader
4659
    * reallocates it on demand.
4660
    */
4661
   if (png_ptr->read_buffer != NULL)
4662
   {
4663
      png_bytep buffer = png_ptr->read_buffer;
4664

4665
      png_ptr->read_buffer_size = 0;
4666
      png_ptr->read_buffer = NULL;
4667
      png_free(png_ptr, buffer);
4668
   }
4669

4670
   /* Finally claim the zstream for the inflate of the IDAT data, use the bits
4671
    * value from the stream (note that this will result in a fatal error if the
4672
    * IDAT stream has a bogus deflate header window_bits value, but this should
4673
    * not be happening any longer!)
4674
    */
4675
   if (png_inflate_claim(png_ptr, png_IDAT) != Z_OK)
4676
      png_error(png_ptr, png_ptr->zstream.msg);
4677

4678
   png_ptr->flags |= PNG_FLAG_ROW_INIT;
4679
}
4680
#endif /* READ */
4681
opencv

Использование cookies
