1 /*
   2  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
   3  *
   4  * This code is free software; you can redistribute it and/or modify it
   5  * under the terms of the GNU General Public License version 2 only, as
   6  * published by the Free Software Foundation.  Oracle designates this
   7  * particular file as subject to the "Classpath" exception as provided
   8  * by Oracle in the LICENSE file that accompanied this code.
   9  *
  10  * This code is distributed in the hope that it will be useful, but WITHOUT
  11  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  12  * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  13  * version 2 for more details (a copy is included in the LICENSE file that
  14  * accompanied this code).
  15  *
  16  * You should have received a copy of the GNU General Public License version
  17  * 2 along with this work; if not, write to the Free Software Foundation,
  18  * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
  19  *
  20  * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
  21  * or visit www.oracle.com if you need additional information or have any
  22  * questions.
  23  */
  24 
  25 /* png.c - location for general purpose libpng functions
  26  *
  27  * This file is available under and governed by the GNU General Public
  28  * License version 2 only, as published by the Free Software Foundation.
  29  * However, the following notice accompanied the original version of this
  30  * file and, per its terms, should not be removed:
  31  *
  32  * Last changed in libpng 1.6.19 [November 12, 2015]
  33  * Copyright (c) 1998-2002,2004,2006-2015 Glenn Randers-Pehrson
  34  * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
  35  * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
  36  *
  37  * This code is released under the libpng license.
  38  * For conditions of distribution and use, see the disclaimer
  39  * and license in png.h
  40  */
  41 
  42 #include "pngpriv.h"
  43 
  44 /* Generate a compiler error if there is an old png.h in the search path. */
  45 typedef png_libpng_version_1_6_23 Your_png_h_is_not_version_1_6_23;
  46 
  47 /* Tells libpng that we have already handled the first "num_bytes" bytes
  48  * of the PNG file signature.  If the PNG data is embedded into another
  49  * stream we can set num_bytes = 8 so that libpng will not attempt to read
  50  * or write any of the magic bytes before it starts on the IHDR.
  51  */
  52 
  53 #ifdef PNG_READ_SUPPORTED
  54 void PNGAPI
  55 png_set_sig_bytes(png_structrp png_ptr, int num_bytes)
  56 {
  57    unsigned int nb = (unsigned int)num_bytes;
  58 
  59    png_debug(1, "in png_set_sig_bytes");
  60 
  61    if (png_ptr == NULL)
  62       return;
  63 
  64    if (num_bytes < 0)
  65       nb = 0;
  66 
  67    if (nb > 8)
  68       png_error(png_ptr, "Too many bytes for PNG signature");
  69 
  70    png_ptr->sig_bytes = (png_byte)nb;
  71 }
  72 
  73 /* Checks whether the supplied bytes match the PNG signature.  We allow
  74  * checking less than the full 8-byte signature so that those apps that
  75  * already read the first few bytes of a file to determine the file type
  76  * can simply check the remaining bytes for extra assurance.  Returns
  77  * an integer less than, equal to, or greater than zero if sig is found,
  78  * respectively, to be less than, to match, or be greater than the correct
  79  * PNG signature (this is the same behavior as strcmp, memcmp, etc).
  80  */
  81 int PNGAPI
  82 png_sig_cmp(png_const_bytep sig, png_size_t start, png_size_t num_to_check)
  83 {
  84    png_byte png_signature[8] = {137, 80, 78, 71, 13, 10, 26, 10};
  85 
  86    if (num_to_check > 8)
  87       num_to_check = 8;
  88 
  89    else if (num_to_check < 1)
  90       return (-1);
  91 
  92    if (start > 7)
  93       return (-1);
  94 
  95    if (start + num_to_check > 8)
  96       num_to_check = 8 - start;
  97 
  98    return ((int)(memcmp(&sig[start], &png_signature[start], num_to_check)));
  99 }
 100 
 101 #endif /* READ */
 102 
 103 #if defined(PNG_READ_SUPPORTED) || defined(PNG_WRITE_SUPPORTED)
 104 /* Function to allocate memory for zlib */
 105 PNG_FUNCTION(voidpf /* PRIVATE */,
 106 png_zalloc,(voidpf png_ptr, uInt items, uInt size),PNG_ALLOCATED)
 107 {
 108    png_alloc_size_t num_bytes = size;
 109 
 110    if (png_ptr == NULL)
 111       return NULL;
 112 
 113    if (items >= (~(png_alloc_size_t)0)/size)
 114    {
 115       png_warning (png_voidcast(png_structrp, png_ptr),
 116          "Potential overflow in png_zalloc()");
 117       return NULL;
 118    }
 119 
 120    num_bytes *= items;
 121    return png_malloc_warn(png_voidcast(png_structrp, png_ptr), num_bytes);
 122 }
 123 
 124 /* Function to free memory for zlib */
 125 void /* PRIVATE */
 126 png_zfree(voidpf png_ptr, voidpf ptr)
 127 {
 128    png_free(png_voidcast(png_const_structrp,png_ptr), ptr);
 129 }
 130 
 131 /* Reset the CRC variable to 32 bits of 1's.  Care must be taken
 132  * in case CRC is > 32 bits to leave the top bits 0.
 133  */
 134 void /* PRIVATE */
 135 png_reset_crc(png_structrp png_ptr)
 136 {
 137    /* The cast is safe because the crc is a 32-bit value. */
 138    png_ptr->crc = (png_uint_32)crc32(0, Z_NULL, 0);
 139 }
 140 
 141 /* Calculate the CRC over a section of data.  We can only pass as
 142  * much data to this routine as the largest single buffer size.  We
 143  * also check that this data will actually be used before going to the
 144  * trouble of calculating it.
 145  */
 146 void /* PRIVATE */
 147 png_calculate_crc(png_structrp png_ptr, png_const_bytep ptr, png_size_t length)
 148 {
 149    int need_crc = 1;
 150 
 151    if (PNG_CHUNK_ANCILLARY(png_ptr->chunk_name) != 0)
 152    {
 153       if ((png_ptr->flags & PNG_FLAG_CRC_ANCILLARY_MASK) ==
 154           (PNG_FLAG_CRC_ANCILLARY_USE | PNG_FLAG_CRC_ANCILLARY_NOWARN))
 155          need_crc = 0;
 156    }
 157 
 158    else /* critical */
 159    {
 160       if ((png_ptr->flags & PNG_FLAG_CRC_CRITICAL_IGNORE) != 0)
 161          need_crc = 0;
 162    }
 163 
 164    /* 'uLong' is defined in zlib.h as unsigned long; this means that on some
 165     * systems it is a 64-bit value.  crc32, however, returns 32 bits so the
 166     * following cast is safe.  'uInt' may be no more than 16 bits, so it is
 167     * necessary to perform a loop here.
 168     */
 169    if (need_crc != 0 && length > 0)
 170    {
 171       uLong crc = png_ptr->crc; /* Should never issue a warning */
 172 
 173       do
 174       {
 175          uInt safe_length = (uInt)length;
 176 #ifndef __COVERITY__
 177          if (safe_length == 0)
 178             safe_length = (uInt)-1; /* evil, but safe */
 179 #endif
 180 
 181          crc = crc32(crc, ptr, safe_length);
 182 
 183          /* The following should never issue compiler warnings; if they do the
 184           * target system has characteristics that will probably violate other
 185           * assumptions within the libpng code.
 186           */
 187          ptr += safe_length;
 188          length -= safe_length;
 189       }
 190       while (length > 0);
 191 
 192       /* And the following is always safe because the crc is only 32 bits. */
 193       png_ptr->crc = (png_uint_32)crc;
 194    }
 195 }
 196 
 197 /* Check a user supplied version number, called from both read and write
 198  * functions that create a png_struct.
 199  */
 200 int
 201 png_user_version_check(png_structrp png_ptr, png_const_charp user_png_ver)
 202 {
 203      /* Libpng versions 1.0.0 and later are binary compatible if the version
 204       * string matches through the second '.'; we must recompile any
 205       * applications that use any older library version.
 206       */
 207 
 208    if (user_png_ver != NULL)
 209    {
 210       int i = -1;
 211       int found_dots = 0;
 212 
 213       do
 214       {
 215          i++;
 216          if (user_png_ver[i] != PNG_LIBPNG_VER_STRING[i])
 217             png_ptr->flags |= PNG_FLAG_LIBRARY_MISMATCH;
 218          if (user_png_ver[i] == '.')
 219             found_dots++;
 220       } while (found_dots < 2 && user_png_ver[i] != 0 &&
 221             PNG_LIBPNG_VER_STRING[i] != 0);
 222    }
 223 
 224    else
 225       png_ptr->flags |= PNG_FLAG_LIBRARY_MISMATCH;
 226 
 227    if ((png_ptr->flags & PNG_FLAG_LIBRARY_MISMATCH) != 0)
 228    {
 229 #ifdef PNG_WARNINGS_SUPPORTED
 230       size_t pos = 0;
 231       char m[128];
 232 
 233       pos = png_safecat(m, (sizeof m), pos,
 234           "Application built with libpng-");
 235       pos = png_safecat(m, (sizeof m), pos, user_png_ver);
 236       pos = png_safecat(m, (sizeof m), pos, " but running with ");
 237       pos = png_safecat(m, (sizeof m), pos, PNG_LIBPNG_VER_STRING);
 238       PNG_UNUSED(pos)
 239 
 240       png_warning(png_ptr, m);
 241 #endif
 242 
 243 #ifdef PNG_ERROR_NUMBERS_SUPPORTED
 244       png_ptr->flags = 0;
 245 #endif
 246 
 247       return 0;
 248    }
 249 
 250    /* Success return. */
 251    return 1;
 252 }
 253 
 254 /* Generic function to create a png_struct for either read or write - this
 255  * contains the common initialization.
 256  */
 257 PNG_FUNCTION(png_structp /* PRIVATE */,
 258 png_create_png_struct,(png_const_charp user_png_ver, png_voidp error_ptr,
 259     png_error_ptr error_fn, png_error_ptr warn_fn, png_voidp mem_ptr,
 260     png_malloc_ptr malloc_fn, png_free_ptr free_fn),PNG_ALLOCATED)
 261 {
 262    png_struct create_struct;
 263 #  ifdef PNG_SETJMP_SUPPORTED
 264       jmp_buf create_jmp_buf;
 265 #  endif
 266 
 267    /* This temporary stack-allocated structure is used to provide a place to
 268     * build enough context to allow the user provided memory allocator (if any)
 269     * to be called.
 270     */
 271    memset(&create_struct, 0, (sizeof create_struct));
 272 
 273    /* Added at libpng-1.2.6 */
 274 #  ifdef PNG_USER_LIMITS_SUPPORTED
 275       create_struct.user_width_max = PNG_USER_WIDTH_MAX;
 276       create_struct.user_height_max = PNG_USER_HEIGHT_MAX;
 277 
 278 #     ifdef PNG_USER_CHUNK_CACHE_MAX
 279       /* Added at libpng-1.2.43 and 1.4.0 */
 280       create_struct.user_chunk_cache_max = PNG_USER_CHUNK_CACHE_MAX;
 281 #     endif
 282 
 283 #     ifdef PNG_USER_CHUNK_MALLOC_MAX
 284       /* Added at libpng-1.2.43 and 1.4.1, required only for read but exists
 285        * in png_struct regardless.
 286        */
 287       create_struct.user_chunk_malloc_max = PNG_USER_CHUNK_MALLOC_MAX;
 288 #     endif
 289 #  endif
 290 
 291    /* The following two API calls simply set fields in png_struct, so it is safe
 292     * to do them now even though error handling is not yet set up.
 293     */
 294 #  ifdef PNG_USER_MEM_SUPPORTED
 295       png_set_mem_fn(&create_struct, mem_ptr, malloc_fn, free_fn);
 296 #  else
 297       PNG_UNUSED(mem_ptr)
 298       PNG_UNUSED(malloc_fn)
 299       PNG_UNUSED(free_fn)
 300 #  endif
 301 
 302    /* (*error_fn) can return control to the caller after the error_ptr is set,
 303     * this will result in a memory leak unless the error_fn does something
 304     * extremely sophisticated.  The design lacks merit but is implicit in the
 305     * API.
 306     */
 307    png_set_error_fn(&create_struct, error_ptr, error_fn, warn_fn);
 308 
 309 #  ifdef PNG_SETJMP_SUPPORTED
 310       if (!setjmp(create_jmp_buf))
 311 #  endif
 312       {
 313 #  ifdef PNG_SETJMP_SUPPORTED
 314          /* Temporarily fake out the longjmp information until we have
 315           * successfully completed this function.  This only works if we have
 316           * setjmp() support compiled in, but it is safe - this stuff should
 317           * never happen.
 318           */
 319          create_struct.jmp_buf_ptr = &create_jmp_buf;
 320          create_struct.jmp_buf_size = 0; /*stack allocation*/
 321          create_struct.longjmp_fn = longjmp;
 322 #  endif
 323          /* Call the general version checker (shared with read and write code):
 324           */
 325          if (png_user_version_check(&create_struct, user_png_ver) != 0)
 326          {
 327             png_structrp png_ptr = png_voidcast(png_structrp,
 328                png_malloc_warn(&create_struct, (sizeof *png_ptr)));
 329 
 330             if (png_ptr != NULL)
 331             {
 332                /* png_ptr->zstream holds a back-pointer to the png_struct, so
 333                 * this can only be done now:
 334                 */
 335                create_struct.zstream.zalloc = png_zalloc;
 336                create_struct.zstream.zfree = png_zfree;
 337                create_struct.zstream.opaque = png_ptr;
 338 
 339 #              ifdef PNG_SETJMP_SUPPORTED
 340                /* Eliminate the local error handling: */
 341                create_struct.jmp_buf_ptr = NULL;
 342                create_struct.jmp_buf_size = 0;
 343                create_struct.longjmp_fn = 0;
 344 #              endif
 345 
 346                *png_ptr = create_struct;
 347 
 348                /* This is the successful return point */
 349                return png_ptr;
 350             }
 351          }
 352       }
 353 
 354    /* A longjmp because of a bug in the application storage allocator or a
 355     * simple failure to allocate the png_struct.
 356     */
 357    return NULL;
 358 }
 359 
 360 /* Allocate the memory for an info_struct for the application. */
 361 PNG_FUNCTION(png_infop,PNGAPI
 362 png_create_info_struct,(png_const_structrp png_ptr),PNG_ALLOCATED)
 363 {
 364    png_inforp info_ptr;
 365 
 366    png_debug(1, "in png_create_info_struct");
 367 
 368    if (png_ptr == NULL)
 369       return NULL;
 370 
 371    /* Use the internal API that does not (or at least should not) error out, so
 372     * that this call always returns ok.  The application typically sets up the
 373     * error handling *after* creating the info_struct because this is the way it
 374     * has always been done in 'example.c'.
 375     */
 376    info_ptr = png_voidcast(png_inforp, png_malloc_base(png_ptr,
 377       (sizeof *info_ptr)));
 378 
 379    if (info_ptr != NULL)
 380       memset(info_ptr, 0, (sizeof *info_ptr));
 381 
 382    return info_ptr;
 383 }
 384 
 385 /* This function frees the memory associated with a single info struct.
 386  * Normally, one would use either png_destroy_read_struct() or
 387  * png_destroy_write_struct() to free an info struct, but this may be
 388  * useful for some applications.  From libpng 1.6.0 this function is also used
 389  * internally to implement the png_info release part of the 'struct' destroy
 390  * APIs.  This ensures that all possible approaches free the same data (all of
 391  * it).
 392  */
 393 void PNGAPI
 394 png_destroy_info_struct(png_const_structrp png_ptr, png_infopp info_ptr_ptr)
 395 {
 396    png_inforp info_ptr = NULL;
 397 
 398    png_debug(1, "in png_destroy_info_struct");
 399 
 400    if (png_ptr == NULL)
 401       return;
 402 
 403    if (info_ptr_ptr != NULL)
 404       info_ptr = *info_ptr_ptr;
 405 
 406    if (info_ptr != NULL)
 407    {
 408       /* Do this first in case of an error below; if the app implements its own
 409        * memory management this can lead to png_free calling png_error, which
 410        * will abort this routine and return control to the app error handler.
 411        * An infinite loop may result if it then tries to free the same info
 412        * ptr.
 413        */
 414       *info_ptr_ptr = NULL;
 415 
 416       png_free_data(png_ptr, info_ptr, PNG_FREE_ALL, -1);
 417       memset(info_ptr, 0, (sizeof *info_ptr));
 418       png_free(png_ptr, info_ptr);
 419    }
 420 }
 421 
 422 /* Initialize the info structure.  This is now an internal function (0.89)
 423  * and applications using it are urged to use png_create_info_struct()
 424  * instead.  Use deprecated in 1.6.0, internal use removed (used internally it
 425  * is just a memset).
 426  *
 427  * NOTE: it is almost inconceivable that this API is used because it bypasses
 428  * the user-memory mechanism and the user error handling/warning mechanisms in
 429  * those cases where it does anything other than a memset.
 430  */
 431 PNG_FUNCTION(void,PNGAPI
 432 png_info_init_3,(png_infopp ptr_ptr, png_size_t png_info_struct_size),
 433    PNG_DEPRECATED)
 434 {
 435    png_inforp info_ptr = *ptr_ptr;
 436 
 437    png_debug(1, "in png_info_init_3");
 438 
 439    if (info_ptr == NULL)
 440       return;
 441 
 442    if ((sizeof (png_info)) > png_info_struct_size)
 443    {
 444       *ptr_ptr = NULL;
 445       /* The following line is why this API should not be used: */
 446       free(info_ptr);
 447       info_ptr = png_voidcast(png_inforp, png_malloc_base(NULL,
 448          (sizeof *info_ptr)));
 449       if (info_ptr == NULL)
 450          return;
 451       *ptr_ptr = info_ptr;
 452    }
 453 
 454    /* Set everything to 0 */
 455    memset(info_ptr, 0, (sizeof *info_ptr));
 456 }
 457 
 458 /* The following API is not called internally */
 459 void PNGAPI
 460 png_data_freer(png_const_structrp png_ptr, png_inforp info_ptr,
 461    int freer, png_uint_32 mask)
 462 {
 463    png_debug(1, "in png_data_freer");
 464 
 465    if (png_ptr == NULL || info_ptr == NULL)
 466       return;
 467 
 468    if (freer == PNG_DESTROY_WILL_FREE_DATA)
 469       info_ptr->free_me |= mask;
 470 
 471    else if (freer == PNG_USER_WILL_FREE_DATA)
 472       info_ptr->free_me &= ~mask;
 473 
 474    else
 475       png_error(png_ptr, "Unknown freer parameter in png_data_freer");
 476 }
 477 
 478 void PNGAPI
 479 png_free_data(png_const_structrp png_ptr, png_inforp info_ptr, png_uint_32 mask,
 480    int num)
 481 {
 482    png_debug(1, "in png_free_data");
 483 
 484    if (png_ptr == NULL || info_ptr == NULL)
 485       return;
 486 
 487 #ifdef PNG_TEXT_SUPPORTED
 488    /* Free text item num or (if num == -1) all text items */
 489    if (info_ptr->text != 0 &&
 490        ((mask & PNG_FREE_TEXT) & info_ptr->free_me) != 0)
 491    {
 492       if (num != -1)
 493       {
 494          png_free(png_ptr, info_ptr->text[num].key);
 495          info_ptr->text[num].key = NULL;
 496       }
 497 
 498       else
 499       {
 500          int i;
 501 
 502          for (i = 0; i < info_ptr->num_text; i++)
 503             png_free(png_ptr, info_ptr->text[i].key);
 504 
 505          png_free(png_ptr, info_ptr->text);
 506          info_ptr->text = NULL;
 507          info_ptr->num_text = 0;
 508       }
 509    }
 510 #endif
 511 
 512 #ifdef PNG_tRNS_SUPPORTED
 513    /* Free any tRNS entry */
 514    if (((mask & PNG_FREE_TRNS) & info_ptr->free_me) != 0)
 515    {
 516       info_ptr->valid &= ~PNG_INFO_tRNS;
 517       png_free(png_ptr, info_ptr->trans_alpha);
 518       info_ptr->trans_alpha = NULL;
 519       info_ptr->num_trans = 0;
 520    }
 521 #endif
 522 
 523 #ifdef PNG_sCAL_SUPPORTED
 524    /* Free any sCAL entry */
 525    if (((mask & PNG_FREE_SCAL) & info_ptr->free_me) != 0)
 526    {
 527       png_free(png_ptr, info_ptr->scal_s_width);
 528       png_free(png_ptr, info_ptr->scal_s_height);
 529       info_ptr->scal_s_width = NULL;
 530       info_ptr->scal_s_height = NULL;
 531       info_ptr->valid &= ~PNG_INFO_sCAL;
 532    }
 533 #endif
 534 
 535 #ifdef PNG_pCAL_SUPPORTED
 536    /* Free any pCAL entry */
 537    if (((mask & PNG_FREE_PCAL) & info_ptr->free_me) != 0)
 538    {
 539       png_free(png_ptr, info_ptr->pcal_purpose);
 540       png_free(png_ptr, info_ptr->pcal_units);
 541       info_ptr->pcal_purpose = NULL;
 542       info_ptr->pcal_units = NULL;
 543 
 544       if (info_ptr->pcal_params != NULL)
 545          {
 546             int i;
 547 
 548             for (i = 0; i < info_ptr->pcal_nparams; i++)
 549                png_free(png_ptr, info_ptr->pcal_params[i]);
 550 
 551             png_free(png_ptr, info_ptr->pcal_params);
 552             info_ptr->pcal_params = NULL;
 553          }
 554       info_ptr->valid &= ~PNG_INFO_pCAL;
 555    }
 556 #endif
 557 
 558 #ifdef PNG_iCCP_SUPPORTED
 559    /* Free any profile entry */
 560    if (((mask & PNG_FREE_ICCP) & info_ptr->free_me) != 0)
 561    {
 562       png_free(png_ptr, info_ptr->iccp_name);
 563       png_free(png_ptr, info_ptr->iccp_profile);
 564       info_ptr->iccp_name = NULL;
 565       info_ptr->iccp_profile = NULL;
 566       info_ptr->valid &= ~PNG_INFO_iCCP;
 567    }
 568 #endif
 569 
 570 #ifdef PNG_sPLT_SUPPORTED
 571    /* Free a given sPLT entry, or (if num == -1) all sPLT entries */
 572    if (info_ptr->splt_palettes != 0 &&
 573        ((mask & PNG_FREE_SPLT) & info_ptr->free_me) != 0)
 574    {
 575       if (num != -1)
 576       {
 577          png_free(png_ptr, info_ptr->splt_palettes[num].name);
 578          png_free(png_ptr, info_ptr->splt_palettes[num].entries);
 579          info_ptr->splt_palettes[num].name = NULL;
 580          info_ptr->splt_palettes[num].entries = NULL;
 581       }
 582 
 583       else
 584       {
 585          int i;
 586 
 587          for (i = 0; i < info_ptr->splt_palettes_num; i++)
 588          {
 589             png_free(png_ptr, info_ptr->splt_palettes[i].name);
 590             png_free(png_ptr, info_ptr->splt_palettes[i].entries);
 591          }
 592 
 593          png_free(png_ptr, info_ptr->splt_palettes);
 594          info_ptr->splt_palettes = NULL;
 595          info_ptr->splt_palettes_num = 0;
 596          info_ptr->valid &= ~PNG_INFO_sPLT;
 597       }
 598    }
 599 #endif
 600 
 601 #ifdef PNG_STORE_UNKNOWN_CHUNKS_SUPPORTED
 602    if (info_ptr->unknown_chunks != 0 &&
 603        ((mask & PNG_FREE_UNKN) & info_ptr->free_me) != 0)
 604    {
 605       if (num != -1)
 606       {
 607           png_free(png_ptr, info_ptr->unknown_chunks[num].data);
 608           info_ptr->unknown_chunks[num].data = NULL;
 609       }
 610 
 611       else
 612       {
 613          int i;
 614 
 615          for (i = 0; i < info_ptr->unknown_chunks_num; i++)
 616             png_free(png_ptr, info_ptr->unknown_chunks[i].data);
 617 
 618          png_free(png_ptr, info_ptr->unknown_chunks);
 619          info_ptr->unknown_chunks = NULL;
 620          info_ptr->unknown_chunks_num = 0;
 621       }
 622    }
 623 #endif
 624 
 625 #ifdef PNG_hIST_SUPPORTED
 626    /* Free any hIST entry */
 627    if (((mask & PNG_FREE_HIST) & info_ptr->free_me) != 0)
 628    {
 629       png_free(png_ptr, info_ptr->hist);
 630       info_ptr->hist = NULL;
 631       info_ptr->valid &= ~PNG_INFO_hIST;
 632    }
 633 #endif
 634 
 635    /* Free any PLTE entry that was internally allocated */
 636    if (((mask & PNG_FREE_PLTE) & info_ptr->free_me) != 0)
 637    {
 638       png_free(png_ptr, info_ptr->palette);
 639       info_ptr->palette = NULL;
 640       info_ptr->valid &= ~PNG_INFO_PLTE;
 641       info_ptr->num_palette = 0;
 642    }
 643 
 644 #ifdef PNG_INFO_IMAGE_SUPPORTED
 645    /* Free any image bits attached to the info structure */
 646    if (((mask & PNG_FREE_ROWS) & info_ptr->free_me) != 0)
 647    {
 648       if (info_ptr->row_pointers != 0)
 649       {
 650          png_uint_32 row;
 651          for (row = 0; row < info_ptr->height; row++)
 652             png_free(png_ptr, info_ptr->row_pointers[row]);
 653 
 654          png_free(png_ptr, info_ptr->row_pointers);
 655          info_ptr->row_pointers = NULL;
 656       }
 657       info_ptr->valid &= ~PNG_INFO_IDAT;
 658    }
 659 #endif
 660 
 661    if (num != -1)
 662       mask &= ~PNG_FREE_MUL;
 663 
 664    info_ptr->free_me &= ~mask;
 665 }
 666 #endif /* READ || WRITE */
 667 
 668 /* This function returns a pointer to the io_ptr associated with the user
 669  * functions.  The application should free any memory associated with this
 670  * pointer before png_write_destroy() or png_read_destroy() are called.
 671  */
 672 png_voidp PNGAPI
 673 png_get_io_ptr(png_const_structrp png_ptr)
 674 {
 675    if (png_ptr == NULL)
 676       return (NULL);
 677 
 678    return (png_ptr->io_ptr);
 679 }
 680 
 681 #if defined(PNG_READ_SUPPORTED) || defined(PNG_WRITE_SUPPORTED)
 682 #  ifdef PNG_STDIO_SUPPORTED
 683 /* Initialize the default input/output functions for the PNG file.  If you
 684  * use your own read or write routines, you can call either png_set_read_fn()
 685  * or png_set_write_fn() instead of png_init_io().  If you have defined
 686  * PNG_NO_STDIO or otherwise disabled PNG_STDIO_SUPPORTED, you must use a
 687  * function of your own because "FILE *" isn't necessarily available.
 688  */
 689 void PNGAPI
 690 png_init_io(png_structrp png_ptr, png_FILE_p fp)
 691 {
 692    png_debug(1, "in png_init_io");
 693 
 694    if (png_ptr == NULL)
 695       return;
 696 
 697    png_ptr->io_ptr = (png_voidp)fp;
 698 }
 699 #  endif
 700 
 701 #  ifdef PNG_SAVE_INT_32_SUPPORTED
 702 /* PNG signed integers are saved in 32-bit 2's complement format.  ANSI C-90
 703  * defines a cast of a signed integer to an unsigned integer either to preserve
 704  * the value, if it is positive, or to calculate:
 705  *
 706  *     (UNSIGNED_MAX+1) + integer
 707  *
 708  * Where UNSIGNED_MAX is the appropriate maximum unsigned value, so when the
 709  * negative integral value is added the result will be an unsigned value
 710  * correspnding to the 2's complement representation.
 711  */
 712 void PNGAPI
 713 png_save_int_32(png_bytep buf, png_int_32 i)
 714 {
 715    png_save_uint_32(buf, i);
 716 }
 717 #  endif
 718 
 719 #  ifdef PNG_TIME_RFC1123_SUPPORTED
 720 /* Convert the supplied time into an RFC 1123 string suitable for use in
 721  * a "Creation Time" or other text-based time string.
 722  */
 723 int PNGAPI
 724 png_convert_to_rfc1123_buffer(char out[29], png_const_timep ptime)
 725 {
 726    static PNG_CONST char short_months[12][4] =
 727         {"Jan", "Feb", "Mar", "Apr", "May", "Jun",
 728          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"};
 729 
 730    if (out == NULL)
 731       return 0;
 732 
 733    if (ptime->year > 9999 /* RFC1123 limitation */ ||
 734        ptime->month == 0    ||  ptime->month > 12  ||
 735        ptime->day   == 0    ||  ptime->day   > 31  ||
 736        ptime->hour  > 23    ||  ptime->minute > 59 ||
 737        ptime->second > 60)
 738       return 0;
 739 
 740    {
 741       size_t pos = 0;
 742       char number_buf[5]; /* enough for a four-digit year */
 743 
 744 #     define APPEND_STRING(string) pos = png_safecat(out, 29, pos, (string))
 745 #     define APPEND_NUMBER(format, value)\
 746          APPEND_STRING(PNG_FORMAT_NUMBER(number_buf, format, (value)))
 747 #     define APPEND(ch) if (pos < 28) out[pos++] = (ch)
 748 
 749       APPEND_NUMBER(PNG_NUMBER_FORMAT_u, (unsigned)ptime->day);
 750       APPEND(' ');
 751       APPEND_STRING(short_months[(ptime->month - 1)]);
 752       APPEND(' ');
 753       APPEND_NUMBER(PNG_NUMBER_FORMAT_u, ptime->year);
 754       APPEND(' ');
 755       APPEND_NUMBER(PNG_NUMBER_FORMAT_02u, (unsigned)ptime->hour);
 756       APPEND(':');
 757       APPEND_NUMBER(PNG_NUMBER_FORMAT_02u, (unsigned)ptime->minute);
 758       APPEND(':');
 759       APPEND_NUMBER(PNG_NUMBER_FORMAT_02u, (unsigned)ptime->second);
 760       APPEND_STRING(" +0000"); /* This reliably terminates the buffer */
 761       PNG_UNUSED (pos)
 762 
 763 #     undef APPEND
 764 #     undef APPEND_NUMBER
 765 #     undef APPEND_STRING
 766    }
 767 
 768    return 1;
 769 }
 770 
 771 #    if PNG_LIBPNG_VER < 10700
 772 /* To do: remove the following from libpng-1.7 */
 773 /* Original API that uses a private buffer in png_struct.
 774  * Deprecated because it causes png_struct to carry a spurious temporary
 775  * buffer (png_struct::time_buffer), better to have the caller pass this in.
 776  */
 777 png_const_charp PNGAPI
 778 png_convert_to_rfc1123(png_structrp png_ptr, png_const_timep ptime)
 779 {
 780    if (png_ptr != NULL)
 781    {
 782       /* The only failure above if png_ptr != NULL is from an invalid ptime */
 783       if (png_convert_to_rfc1123_buffer(png_ptr->time_buffer, ptime) == 0)
 784          png_warning(png_ptr, "Ignoring invalid time value");
 785 
 786       else
 787          return png_ptr->time_buffer;
 788    }
 789 
 790    return NULL;
 791 }
 792 #    endif /* LIBPNG_VER < 10700 */
 793 #  endif /* TIME_RFC1123 */
 794 
 795 #endif /* READ || WRITE */
 796 
 797 png_const_charp PNGAPI
 798 png_get_copyright(png_const_structrp png_ptr)
 799 {
 800    PNG_UNUSED(png_ptr)  /* Silence compiler warning about unused png_ptr */
 801 #ifdef PNG_STRING_COPYRIGHT
 802    return PNG_STRING_COPYRIGHT
 803 #else
 804 #  ifdef __STDC__
 805    return PNG_STRING_NEWLINE \
 806       "libpng version 1.6.23 - June 9, 2016" PNG_STRING_NEWLINE \
 807       "Copyright (c) 1998-2002,2004,2006-2016 Glenn Randers-Pehrson" \
 808       PNG_STRING_NEWLINE \
 809       "Copyright (c) 1996-1997 Andreas Dilger" PNG_STRING_NEWLINE \
 810       "Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc." \
 811       PNG_STRING_NEWLINE;
 812 #  else
 813    return "libpng version 1.6.23 - June 9, 2016\
 814       Copyright (c) 1998-2002,2004,2006-2016 Glenn Randers-Pehrson\
 815       Copyright (c) 1996-1997 Andreas Dilger\
 816       Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc.";
 817 #  endif
 818 #endif
 819 }
 820 
 821 /* The following return the library version as a short string in the
 822  * format 1.0.0 through 99.99.99zz.  To get the version of *.h files
 823  * used with your application, print out PNG_LIBPNG_VER_STRING, which
 824  * is defined in png.h.
 825  * Note: now there is no difference between png_get_libpng_ver() and
 826  * png_get_header_ver().  Due to the version_nn_nn_nn typedef guard,
 827  * it is guaranteed that png.c uses the correct version of png.h.
 828  */
 829 png_const_charp PNGAPI
 830 png_get_libpng_ver(png_const_structrp png_ptr)
 831 {
 832    /* Version of *.c files used when building libpng */
 833    return png_get_header_ver(png_ptr);
 834 }
 835 
 836 png_const_charp PNGAPI
 837 png_get_header_ver(png_const_structrp png_ptr)
 838 {
 839    /* Version of *.h files used when building libpng */
 840    PNG_UNUSED(png_ptr)  /* Silence compiler warning about unused png_ptr */
 841    return PNG_LIBPNG_VER_STRING;
 842 }
 843 
 844 png_const_charp PNGAPI
 845 png_get_header_version(png_const_structrp png_ptr)
 846 {
 847    /* Returns longer string containing both version and date */
 848    PNG_UNUSED(png_ptr)  /* Silence compiler warning about unused png_ptr */
 849 #ifdef __STDC__
 850    return PNG_HEADER_VERSION_STRING
 851 #  ifndef PNG_READ_SUPPORTED
 852       " (NO READ SUPPORT)"
 853 #  endif
 854       PNG_STRING_NEWLINE;
 855 #else
 856    return PNG_HEADER_VERSION_STRING;
 857 #endif
 858 }
 859 
 860 #ifdef PNG_BUILD_GRAYSCALE_PALETTE_SUPPORTED
 861 /* NOTE: this routine is not used internally! */
 862 /* Build a grayscale palette.  Palette is assumed to be 1 << bit_depth
 863  * large of png_color.  This lets grayscale images be treated as
 864  * paletted.  Most useful for gamma correction and simplification
 865  * of code.  This API is not used internally.
 866  */
 867 void PNGAPI
 868 png_build_grayscale_palette(int bit_depth, png_colorp palette)
 869 {
 870    int num_palette;
 871    int color_inc;
 872    int i;
 873    int v;
 874 
 875    png_debug(1, "in png_do_build_grayscale_palette");
 876 
 877    if (palette == NULL)
 878       return;
 879 
 880    switch (bit_depth)
 881    {
 882       case 1:
 883          num_palette = 2;
 884          color_inc = 0xff;
 885          break;
 886 
 887       case 2:
 888          num_palette = 4;
 889          color_inc = 0x55;
 890          break;
 891 
 892       case 4:
 893          num_palette = 16;
 894          color_inc = 0x11;
 895          break;
 896 
 897       case 8:
 898          num_palette = 256;
 899          color_inc = 1;
 900          break;
 901 
 902       default:
 903          num_palette = 0;
 904          color_inc = 0;
 905          break;
 906    }
 907 
 908    for (i = 0, v = 0; i < num_palette; i++, v += color_inc)
 909    {
 910       palette[i].red = (png_byte)(v & 0xff);
 911       palette[i].green = (png_byte)(v & 0xff);
 912       palette[i].blue = (png_byte)(v & 0xff);
 913    }
 914 }
 915 #endif
 916 
 917 #ifdef PNG_SET_UNKNOWN_CHUNKS_SUPPORTED
 918 int PNGAPI
 919 png_handle_as_unknown(png_const_structrp png_ptr, png_const_bytep chunk_name)
 920 {
 921    /* Check chunk_name and return "keep" value if it's on the list, else 0 */
 922    png_const_bytep p, p_end;
 923 
 924    if (png_ptr == NULL || chunk_name == NULL || png_ptr->num_chunk_list == 0)
 925       return PNG_HANDLE_CHUNK_AS_DEFAULT;
 926 
 927    p_end = png_ptr->chunk_list;
 928    p = p_end + png_ptr->num_chunk_list*5; /* beyond end */
 929 
 930    /* The code is the fifth byte after each four byte string.  Historically this
 931     * code was always searched from the end of the list, this is no longer
 932     * necessary because the 'set' routine handles duplicate entries correcty.
 933     */
 934    do /* num_chunk_list > 0, so at least one */
 935    {
 936       p -= 5;
 937 
 938       if (memcmp(chunk_name, p, 4) == 0)
 939          return p[4];
 940    }
 941    while (p > p_end);
 942 
 943    /* This means that known chunks should be processed and unknown chunks should
 944     * be handled according to the value of png_ptr->unknown_default; this can be
 945     * confusing because, as a result, there are two levels of defaulting for
 946     * unknown chunks.
 947     */
 948    return PNG_HANDLE_CHUNK_AS_DEFAULT;
 949 }
 950 
 951 #if defined(PNG_READ_UNKNOWN_CHUNKS_SUPPORTED) ||\
 952    defined(PNG_HANDLE_AS_UNKNOWN_SUPPORTED)
 953 int /* PRIVATE */
 954 png_chunk_unknown_handling(png_const_structrp png_ptr, png_uint_32 chunk_name)
 955 {
 956    png_byte chunk_string[5];
 957 
 958    PNG_CSTRING_FROM_CHUNK(chunk_string, chunk_name);
 959    return png_handle_as_unknown(png_ptr, chunk_string);
 960 }
 961 #endif /* READ_UNKNOWN_CHUNKS || HANDLE_AS_UNKNOWN */
 962 #endif /* SET_UNKNOWN_CHUNKS */
 963 
 964 #ifdef PNG_READ_SUPPORTED
 965 /* This function, added to libpng-1.0.6g, is untested. */
 966 int PNGAPI
 967 png_reset_zstream(png_structrp png_ptr)
 968 {
 969    if (png_ptr == NULL)
 970       return Z_STREAM_ERROR;
 971 
 972    /* WARNING: this resets the window bits to the maximum! */
 973    return (inflateReset(&png_ptr->zstream));
 974 }
 975 #endif /* READ */
 976 
 977 /* This function was added to libpng-1.0.7 */
 978 png_uint_32 PNGAPI
 979 png_access_version_number(void)
 980 {
 981    /* Version of *.c files used when building libpng */
 982    return((png_uint_32)PNG_LIBPNG_VER);
 983 }
 984 
 985 #if defined(PNG_READ_SUPPORTED) || defined(PNG_WRITE_SUPPORTED)
 986 /* Ensure that png_ptr->zstream.msg holds some appropriate error message string.
 987  * If it doesn't 'ret' is used to set it to something appropriate, even in cases
 988  * like Z_OK or Z_STREAM_END where the error code is apparently a success code.
 989  */
 990 void /* PRIVATE */
 991 png_zstream_error(png_structrp png_ptr, int ret)
 992 {
 993    /* Translate 'ret' into an appropriate error string, priority is given to the
 994     * one in zstream if set.  This always returns a string, even in cases like
 995     * Z_OK or Z_STREAM_END where the error code is a success code.
 996     */
 997    if (png_ptr->zstream.msg == NULL) switch (ret)
 998    {
 999       default:
1000       case Z_OK:
1001          png_ptr->zstream.msg = PNGZ_MSG_CAST("unexpected zlib return code");
1002          break;
1003 
1004       case Z_STREAM_END:
1005          /* Normal exit */
1006          png_ptr->zstream.msg = PNGZ_MSG_CAST("unexpected end of LZ stream");
1007          break;
1008 
1009       case Z_NEED_DICT:
1010          /* This means the deflate stream did not have a dictionary; this
1011           * indicates a bogus PNG.
1012           */
1013          png_ptr->zstream.msg = PNGZ_MSG_CAST("missing LZ dictionary");
1014          break;
1015 
1016       case Z_ERRNO:
1017          /* gz APIs only: should not happen */
1018          png_ptr->zstream.msg = PNGZ_MSG_CAST("zlib IO error");
1019          break;
1020 
1021       case Z_STREAM_ERROR:
1022          /* internal libpng error */
1023          png_ptr->zstream.msg = PNGZ_MSG_CAST("bad parameters to zlib");
1024          break;
1025 
1026       case Z_DATA_ERROR:
1027          png_ptr->zstream.msg = PNGZ_MSG_CAST("damaged LZ stream");
1028          break;
1029 
1030       case Z_MEM_ERROR:
1031          png_ptr->zstream.msg = PNGZ_MSG_CAST("insufficient memory");
1032          break;
1033 
1034       case Z_BUF_ERROR:
1035          /* End of input or output; not a problem if the caller is doing
1036           * incremental read or write.
1037           */
1038          png_ptr->zstream.msg = PNGZ_MSG_CAST("truncated");
1039          break;
1040 
1041       case Z_VERSION_ERROR:
1042          png_ptr->zstream.msg = PNGZ_MSG_CAST("unsupported zlib version");
1043          break;
1044 
1045       case PNG_UNEXPECTED_ZLIB_RETURN:
1046          /* Compile errors here mean that zlib now uses the value co-opted in
1047           * pngpriv.h for PNG_UNEXPECTED_ZLIB_RETURN; update the switch above
1048           * and change pngpriv.h.  Note that this message is "... return",
1049           * whereas the default/Z_OK one is "... return code".
1050           */
1051          png_ptr->zstream.msg = PNGZ_MSG_CAST("unexpected zlib return");
1052          break;
1053    }
1054 }
1055 
1056 /* png_convert_size: a PNGAPI but no longer in png.h, so deleted
1057  * at libpng 1.5.5!
1058  */
1059 
1060 /* Added at libpng version 1.2.34 and 1.4.0 (moved from pngset.c) */
1061 #ifdef PNG_GAMMA_SUPPORTED /* always set if COLORSPACE */
1062 static int
1063 png_colorspace_check_gamma(png_const_structrp png_ptr,
1064    png_colorspacerp colorspace, png_fixed_point gAMA, int from)
1065    /* This is called to check a new gamma value against an existing one.  The
1066     * routine returns false if the new gamma value should not be written.
1067     *
1068     * 'from' says where the new gamma value comes from:
1069     *
1070     *    0: the new gamma value is the libpng estimate for an ICC profile
1071     *    1: the new gamma value comes from a gAMA chunk
1072     *    2: the new gamma value comes from an sRGB chunk
1073     */
1074 {
1075    png_fixed_point gtest;
1076 
1077    if ((colorspace->flags & PNG_COLORSPACE_HAVE_GAMMA) != 0 &&
1078       (png_muldiv(&gtest, colorspace->gamma, PNG_FP_1, gAMA) == 0  ||
1079       png_gamma_significant(gtest) != 0))
1080    {
1081       /* Either this is an sRGB image, in which case the calculated gamma
1082        * approximation should match, or this is an image with a profile and the
1083        * value libpng calculates for the gamma of the profile does not match the
1084        * value recorded in the file.  The former, sRGB, case is an error, the
1085        * latter is just a warning.
1086        */
1087       if ((colorspace->flags & PNG_COLORSPACE_FROM_sRGB) != 0 || from == 2)
1088       {
1089          png_chunk_report(png_ptr, "gamma value does not match sRGB",
1090             PNG_CHUNK_ERROR);
1091          /* Do not overwrite an sRGB value */
1092          return from == 2;
1093       }
1094 
1095       else /* sRGB tag not involved */
1096       {
1097          png_chunk_report(png_ptr, "gamma value does not match libpng estimate",
1098             PNG_CHUNK_WARNING);
1099          return from == 1;
1100       }
1101    }
1102 
1103    return 1;
1104 }
1105 
1106 void /* PRIVATE */
1107 png_colorspace_set_gamma(png_const_structrp png_ptr,
1108    png_colorspacerp colorspace, png_fixed_point gAMA)
1109 {
1110    /* Changed in libpng-1.5.4 to limit the values to ensure overflow can't
1111     * occur.  Since the fixed point representation is asymetrical it is
1112     * possible for 1/gamma to overflow the limit of 21474 and this means the
1113     * gamma value must be at least 5/100000 and hence at most 20000.0.  For
1114     * safety the limits here are a little narrower.  The values are 0.00016 to
1115     * 6250.0, which are truly ridiculous gamma values (and will produce
1116     * displays that are all black or all white.)
1117     *
1118     * In 1.6.0 this test replaces the ones in pngrutil.c, in the gAMA chunk
1119     * handling code, which only required the value to be >0.
1120     */
1121    png_const_charp errmsg;
1122 
1123    if (gAMA < 16 || gAMA > 625000000)
1124       errmsg = "gamma value out of range";
1125 
1126 #  ifdef PNG_READ_gAMA_SUPPORTED
1127    /* Allow the application to set the gamma value more than once */
1128    else if ((png_ptr->mode & PNG_IS_READ_STRUCT) != 0 &&
1129       (colorspace->flags & PNG_COLORSPACE_FROM_gAMA) != 0)
1130       errmsg = "duplicate";
1131 #  endif
1132 
1133    /* Do nothing if the colorspace is already invalid */
1134    else if ((colorspace->flags & PNG_COLORSPACE_INVALID) != 0)
1135       return;
1136 
1137    else
1138    {
1139       if (png_colorspace_check_gamma(png_ptr, colorspace, gAMA,
1140           1/*from gAMA*/) != 0)
1141       {
1142          /* Store this gamma value. */
1143          colorspace->gamma = gAMA;
1144          colorspace->flags |=
1145             (PNG_COLORSPACE_HAVE_GAMMA | PNG_COLORSPACE_FROM_gAMA);
1146       }
1147 
1148       /* At present if the check_gamma test fails the gamma of the colorspace is
1149        * not updated however the colorspace is not invalidated.  This
1150        * corresponds to the case where the existing gamma comes from an sRGB
1151        * chunk or profile.  An error message has already been output.
1152        */
1153       return;
1154    }
1155 
1156    /* Error exit - errmsg has been set. */
1157    colorspace->flags |= PNG_COLORSPACE_INVALID;
1158    png_chunk_report(png_ptr, errmsg, PNG_CHUNK_WRITE_ERROR);
1159 }
1160 
1161 void /* PRIVATE */
1162 png_colorspace_sync_info(png_const_structrp png_ptr, png_inforp info_ptr)
1163 {
1164    if ((info_ptr->colorspace.flags & PNG_COLORSPACE_INVALID) != 0)
1165    {
1166       /* Everything is invalid */
1167       info_ptr->valid &= ~(PNG_INFO_gAMA|PNG_INFO_cHRM|PNG_INFO_sRGB|
1168          PNG_INFO_iCCP);
1169 
1170 #     ifdef PNG_COLORSPACE_SUPPORTED
1171       /* Clean up the iCCP profile now if it won't be used. */
1172       png_free_data(png_ptr, info_ptr, PNG_FREE_ICCP, -1/*not used*/);
1173 #     else
1174       PNG_UNUSED(png_ptr)
1175 #     endif
1176    }
1177 
1178    else
1179    {
1180 #     ifdef PNG_COLORSPACE_SUPPORTED
1181       /* Leave the INFO_iCCP flag set if the pngset.c code has already set
1182        * it; this allows a PNG to contain a profile which matches sRGB and
1183        * yet still have that profile retrievable by the application.
1184        */
1185       if ((info_ptr->colorspace.flags & PNG_COLORSPACE_MATCHES_sRGB) != 0)
1186          info_ptr->valid |= PNG_INFO_sRGB;
1187 
1188       else
1189          info_ptr->valid &= ~PNG_INFO_sRGB;
1190 
1191       if ((info_ptr->colorspace.flags & PNG_COLORSPACE_HAVE_ENDPOINTS) != 0)
1192          info_ptr->valid |= PNG_INFO_cHRM;
1193 
1194       else
1195          info_ptr->valid &= ~PNG_INFO_cHRM;
1196 #     endif
1197 
1198       if ((info_ptr->colorspace.flags & PNG_COLORSPACE_HAVE_GAMMA) != 0)
1199          info_ptr->valid |= PNG_INFO_gAMA;
1200 
1201       else
1202          info_ptr->valid &= ~PNG_INFO_gAMA;
1203    }
1204 }
1205 
1206 #ifdef PNG_READ_SUPPORTED
1207 void /* PRIVATE */
1208 png_colorspace_sync(png_const_structrp png_ptr, png_inforp info_ptr)
1209 {
1210    if (info_ptr == NULL) /* reduce code size; check here not in the caller */
1211       return;
1212 
1213    info_ptr->colorspace = png_ptr->colorspace;
1214    png_colorspace_sync_info(png_ptr, info_ptr);
1215 }
1216 #endif
1217 #endif /* GAMMA */
1218 
1219 #ifdef PNG_COLORSPACE_SUPPORTED
1220 /* Added at libpng-1.5.5 to support read and write of true CIEXYZ values for
1221  * cHRM, as opposed to using chromaticities.  These internal APIs return
1222  * non-zero on a parameter error.  The X, Y and Z values are required to be
1223  * positive and less than 1.0.
1224  */
1225 static int
1226 png_xy_from_XYZ(png_xy *xy, const png_XYZ *XYZ)
1227 {
1228    png_int_32 d, dwhite, whiteX, whiteY;
1229 
1230    d = XYZ->red_X + XYZ->red_Y + XYZ->red_Z;
1231    if (png_muldiv(&xy->redx, XYZ->red_X, PNG_FP_1, d) == 0)
1232       return 1;
1233    if (png_muldiv(&xy->redy, XYZ->red_Y, PNG_FP_1, d) == 0)
1234       return 1;
1235    dwhite = d;
1236    whiteX = XYZ->red_X;
1237    whiteY = XYZ->red_Y;
1238 
1239    d = XYZ->green_X + XYZ->green_Y + XYZ->green_Z;
1240    if (png_muldiv(&xy->greenx, XYZ->green_X, PNG_FP_1, d) == 0)
1241       return 1;
1242    if (png_muldiv(&xy->greeny, XYZ->green_Y, PNG_FP_1, d) == 0)
1243       return 1;
1244    dwhite += d;
1245    whiteX += XYZ->green_X;
1246    whiteY += XYZ->green_Y;
1247 
1248    d = XYZ->blue_X + XYZ->blue_Y + XYZ->blue_Z;
1249    if (png_muldiv(&xy->bluex, XYZ->blue_X, PNG_FP_1, d) == 0)
1250       return 1;
1251    if (png_muldiv(&xy->bluey, XYZ->blue_Y, PNG_FP_1, d) == 0)
1252       return 1;
1253    dwhite += d;
1254    whiteX += XYZ->blue_X;
1255    whiteY += XYZ->blue_Y;
1256 
1257    /* The reference white is simply the sum of the end-point (X,Y,Z) vectors,
1258     * thus:
1259     */
1260    if (png_muldiv(&xy->whitex, whiteX, PNG_FP_1, dwhite) == 0)
1261       return 1;
1262    if (png_muldiv(&xy->whitey, whiteY, PNG_FP_1, dwhite) == 0)
1263       return 1;
1264 
1265    return 0;
1266 }
1267 
1268 static int
1269 png_XYZ_from_xy(png_XYZ *XYZ, const png_xy *xy)
1270 {
1271    png_fixed_point red_inverse, green_inverse, blue_scale;
1272    png_fixed_point left, right, denominator;
1273 
1274    /* Check xy and, implicitly, z.  Note that wide gamut color spaces typically
1275     * have end points with 0 tristimulus values (these are impossible end
1276     * points, but they are used to cover the possible colors).  We check
1277     * xy->whitey against 5, not 0, to avoid a possible integer overflow.
1278     */
1279    if (xy->redx   < 0 || xy->redx > PNG_FP_1) return 1;
1280    if (xy->redy   < 0 || xy->redy > PNG_FP_1-xy->redx) return 1;
1281    if (xy->greenx < 0 || xy->greenx > PNG_FP_1) return 1;
1282    if (xy->greeny < 0 || xy->greeny > PNG_FP_1-xy->greenx) return 1;
1283    if (xy->bluex  < 0 || xy->bluex > PNG_FP_1) return 1;
1284    if (xy->bluey  < 0 || xy->bluey > PNG_FP_1-xy->bluex) return 1;
1285    if (xy->whitex < 0 || xy->whitex > PNG_FP_1) return 1;
1286    if (xy->whitey < 5 || xy->whitey > PNG_FP_1-xy->whitex) return 1;
1287 
1288    /* The reverse calculation is more difficult because the original tristimulus
1289     * value had 9 independent values (red,green,blue)x(X,Y,Z) however only 8
1290     * derived values were recorded in the cHRM chunk;
1291     * (red,green,blue,white)x(x,y).  This loses one degree of freedom and
1292     * therefore an arbitrary ninth value has to be introduced to undo the
1293     * original transformations.
1294     *
1295     * Think of the original end-points as points in (X,Y,Z) space.  The
1296     * chromaticity values (c) have the property:
1297     *
1298     *           C
1299     *   c = ---------
1300     *       X + Y + Z
1301     *
1302     * For each c (x,y,z) from the corresponding original C (X,Y,Z).  Thus the
1303     * three chromaticity values (x,y,z) for each end-point obey the
1304     * relationship:
1305     *
1306     *   x + y + z = 1
1307     *
1308     * This describes the plane in (X,Y,Z) space that intersects each axis at the
1309     * value 1.0; call this the chromaticity plane.  Thus the chromaticity
1310     * calculation has scaled each end-point so that it is on the x+y+z=1 plane
1311     * and chromaticity is the intersection of the vector from the origin to the
1312     * (X,Y,Z) value with the chromaticity plane.
1313     *
1314     * To fully invert the chromaticity calculation we would need the three
1315     * end-point scale factors, (red-scale, green-scale, blue-scale), but these
1316     * were not recorded.  Instead we calculated the reference white (X,Y,Z) and
1317     * recorded the chromaticity of this.  The reference white (X,Y,Z) would have
1318     * given all three of the scale factors since:
1319     *
1320     *    color-C = color-c * color-scale
1321     *    white-C = red-C + green-C + blue-C
1322     *            = red-c*red-scale + green-c*green-scale + blue-c*blue-scale
1323     *
1324     * But cHRM records only white-x and white-y, so we have lost the white scale
1325     * factor:
1326     *
1327     *    white-C = white-c*white-scale
1328     *
1329     * To handle this the inverse transformation makes an arbitrary assumption
1330     * about white-scale:
1331     *
1332     *    Assume: white-Y = 1.0
1333     *    Hence:  white-scale = 1/white-y
1334     *    Or:     red-Y + green-Y + blue-Y = 1.0
1335     *
1336     * Notice the last statement of the assumption gives an equation in three of
1337     * the nine values we want to calculate.  8 more equations come from the
1338     * above routine as summarised at the top above (the chromaticity
1339     * calculation):
1340     *
1341     *    Given: color-x = color-X / (color-X + color-Y + color-Z)
1342     *    Hence: (color-x - 1)*color-X + color.x*color-Y + color.x*color-Z = 0
1343     *
1344     * This is 9 simultaneous equations in the 9 variables "color-C" and can be
1345     * solved by Cramer's rule.  Cramer's rule requires calculating 10 9x9 matrix
1346     * determinants, however this is not as bad as it seems because only 28 of
1347     * the total of 90 terms in the various matrices are non-zero.  Nevertheless
1348     * Cramer's rule is notoriously numerically unstable because the determinant
1349     * calculation involves the difference of large, but similar, numbers.  It is
1350     * difficult to be sure that the calculation is stable for real world values
1351     * and it is certain that it becomes unstable where the end points are close
1352     * together.
1353     *
1354     * So this code uses the perhaps slightly less optimal but more
1355     * understandable and totally obvious approach of calculating color-scale.
1356     *
1357     * This algorithm depends on the precision in white-scale and that is
1358     * (1/white-y), so we can immediately see that as white-y approaches 0 the
1359     * accuracy inherent in the cHRM chunk drops off substantially.
1360     *
1361     * libpng arithmetic: a simple inversion of the above equations
1362     * ------------------------------------------------------------
1363     *
1364     *    white_scale = 1/white-y
1365     *    white-X = white-x * white-scale
1366     *    white-Y = 1.0
1367     *    white-Z = (1 - white-x - white-y) * white_scale
1368     *
1369     *    white-C = red-C + green-C + blue-C
1370     *            = red-c*red-scale + green-c*green-scale + blue-c*blue-scale
1371     *
1372     * This gives us three equations in (red-scale,green-scale,blue-scale) where
1373     * all the coefficients are now known:
1374     *
1375     *    red-x*red-scale + green-x*green-scale + blue-x*blue-scale
1376     *       = white-x/white-y
1377     *    red-y*red-scale + green-y*green-scale + blue-y*blue-scale = 1
1378     *    red-z*red-scale + green-z*green-scale + blue-z*blue-scale
1379     *       = (1 - white-x - white-y)/white-y
1380     *
1381     * In the last equation color-z is (1 - color-x - color-y) so we can add all
1382     * three equations together to get an alternative third:
1383     *
1384     *    red-scale + green-scale + blue-scale = 1/white-y = white-scale
1385     *
1386     * So now we have a Cramer's rule solution where the determinants are just
1387     * 3x3 - far more tractible.  Unfortunately 3x3 determinants still involve
1388     * multiplication of three coefficients so we can't guarantee to avoid
1389     * overflow in the libpng fixed point representation.  Using Cramer's rule in
1390     * floating point is probably a good choice here, but it's not an option for
1391     * fixed point.  Instead proceed to simplify the first two equations by
1392     * eliminating what is likely to be the largest value, blue-scale:
1393     *
1394     *    blue-scale = white-scale - red-scale - green-scale
1395     *
1396     * Hence:
1397     *
1398     *    (red-x - blue-x)*red-scale + (green-x - blue-x)*green-scale =
1399     *                (white-x - blue-x)*white-scale
1400     *
1401     *    (red-y - blue-y)*red-scale + (green-y - blue-y)*green-scale =
1402     *                1 - blue-y*white-scale
1403     *
1404     * And now we can trivially solve for (red-scale,green-scale):
1405     *
1406     *    green-scale =
1407     *                (white-x - blue-x)*white-scale - (red-x - blue-x)*red-scale
1408     *                -----------------------------------------------------------
1409     *                                  green-x - blue-x
1410     *
1411     *    red-scale =
1412     *                1 - blue-y*white-scale - (green-y - blue-y) * green-scale
1413     *                ---------------------------------------------------------
1414     *                                  red-y - blue-y
1415     *
1416     * Hence:
1417     *
1418     *    red-scale =
1419     *          ( (green-x - blue-x) * (white-y - blue-y) -
1420     *            (green-y - blue-y) * (white-x - blue-x) ) / white-y
1421     * -------------------------------------------------------------------------
1422     *  (green-x - blue-x)*(red-y - blue-y)-(green-y - blue-y)*(red-x - blue-x)
1423     *
1424     *    green-scale =
1425     *          ( (red-y - blue-y) * (white-x - blue-x) -
1426     *            (red-x - blue-x) * (white-y - blue-y) ) / white-y
1427     * -------------------------------------------------------------------------
1428     *  (green-x - blue-x)*(red-y - blue-y)-(green-y - blue-y)*(red-x - blue-x)
1429     *
1430     * Accuracy:
1431     * The input values have 5 decimal digits of accuracy.  The values are all in
1432     * the range 0 < value < 1, so simple products are in the same range but may
1433     * need up to 10 decimal digits to preserve the original precision and avoid
1434     * underflow.  Because we are using a 32-bit signed representation we cannot
1435     * match this; the best is a little over 9 decimal digits, less than 10.
1436     *
1437     * The approach used here is to preserve the maximum precision within the
1438     * signed representation.  Because the red-scale calculation above uses the
1439     * difference between two products of values that must be in the range -1..+1
1440     * it is sufficient to divide the product by 7; ceil(100,000/32767*2).  The
1441     * factor is irrelevant in the calculation because it is applied to both
1442     * numerator and denominator.
1443     *
1444     * Note that the values of the differences of the products of the
1445     * chromaticities in the above equations tend to be small, for example for
1446     * the sRGB chromaticities they are:
1447     *
1448     * red numerator:    -0.04751
1449     * green numerator:  -0.08788
1450     * denominator:      -0.2241 (without white-y multiplication)
1451     *
1452     *  The resultant Y coefficients from the chromaticities of some widely used
1453     *  color space definitions are (to 15 decimal places):
1454     *
1455     *  sRGB
1456     *    0.212639005871510 0.715168678767756 0.072192315360734
1457     *  Kodak ProPhoto
1458     *    0.288071128229293 0.711843217810102 0.000085653960605
1459     *  Adobe RGB
1460     *    0.297344975250536 0.627363566255466 0.075291458493998
1461     *  Adobe Wide Gamut RGB
1462     *    0.258728243040113 0.724682314948566 0.016589442011321
1463     */
1464    /* By the argument, above overflow should be impossible here. The return
1465     * value of 2 indicates an internal error to the caller.
1466     */
1467    if (png_muldiv(&left, xy->greenx-xy->bluex, xy->redy - xy->bluey, 7) == 0)
1468       return 2;
1469    if (png_muldiv(&right, xy->greeny-xy->bluey, xy->redx - xy->bluex, 7) == 0)
1470       return 2;
1471    denominator = left - right;
1472 
1473    /* Now find the red numerator. */
1474    if (png_muldiv(&left, xy->greenx-xy->bluex, xy->whitey-xy->bluey, 7) == 0)
1475       return 2;
1476    if (png_muldiv(&right, xy->greeny-xy->bluey, xy->whitex-xy->bluex, 7) == 0)
1477       return 2;
1478 
1479    /* Overflow is possible here and it indicates an extreme set of PNG cHRM
1480     * chunk values.  This calculation actually returns the reciprocal of the
1481     * scale value because this allows us to delay the multiplication of white-y
1482     * into the denominator, which tends to produce a small number.
1483     */
1484    if (png_muldiv(&red_inverse, xy->whitey, denominator, left-right) == 0 ||
1485        red_inverse <= xy->whitey /* r+g+b scales = white scale */)
1486       return 1;
1487 
1488    /* Similarly for green_inverse: */
1489    if (png_muldiv(&left, xy->redy-xy->bluey, xy->whitex-xy->bluex, 7) == 0)
1490       return 2;
1491    if (png_muldiv(&right, xy->redx-xy->bluex, xy->whitey-xy->bluey, 7) == 0)
1492       return 2;
1493    if (png_muldiv(&green_inverse, xy->whitey, denominator, left-right) == 0 ||
1494        green_inverse <= xy->whitey)
1495       return 1;
1496 
1497    /* And the blue scale, the checks above guarantee this can't overflow but it
1498     * can still produce 0 for extreme cHRM values.
1499     */
1500    blue_scale = png_reciprocal(xy->whitey) - png_reciprocal(red_inverse) -
1501        png_reciprocal(green_inverse);
1502    if (blue_scale <= 0)
1503       return 1;
1504 
1505 
1506    /* And fill in the png_XYZ: */
1507    if (png_muldiv(&XYZ->red_X, xy->redx, PNG_FP_1, red_inverse) == 0)
1508       return 1;
1509    if (png_muldiv(&XYZ->red_Y, xy->redy, PNG_FP_1, red_inverse) == 0)
1510       return 1;
1511    if (png_muldiv(&XYZ->red_Z, PNG_FP_1 - xy->redx - xy->redy, PNG_FP_1,
1512        red_inverse) == 0)
1513       return 1;
1514 
1515    if (png_muldiv(&XYZ->green_X, xy->greenx, PNG_FP_1, green_inverse) == 0)
1516       return 1;
1517    if (png_muldiv(&XYZ->green_Y, xy->greeny, PNG_FP_1, green_inverse) == 0)
1518       return 1;
1519    if (png_muldiv(&XYZ->green_Z, PNG_FP_1 - xy->greenx - xy->greeny, PNG_FP_1,
1520        green_inverse) == 0)
1521       return 1;
1522 
1523    if (png_muldiv(&XYZ->blue_X, xy->bluex, blue_scale, PNG_FP_1) == 0)
1524       return 1;
1525    if (png_muldiv(&XYZ->blue_Y, xy->bluey, blue_scale, PNG_FP_1) == 0)
1526       return 1;
1527    if (png_muldiv(&XYZ->blue_Z, PNG_FP_1 - xy->bluex - xy->bluey, blue_scale,
1528        PNG_FP_1) == 0)
1529       return 1;
1530 
1531    return 0; /*success*/
1532 }
1533 
1534 static int
1535 png_XYZ_normalize(png_XYZ *XYZ)
1536 {
1537    png_int_32 Y;
1538 
1539    if (XYZ->red_Y < 0 || XYZ->green_Y < 0 || XYZ->blue_Y < 0 ||
1540       XYZ->red_X < 0 || XYZ->green_X < 0 || XYZ->blue_X < 0 ||
1541       XYZ->red_Z < 0 || XYZ->green_Z < 0 || XYZ->blue_Z < 0)
1542       return 1;
1543 
1544    /* Normalize by scaling so the sum of the end-point Y values is PNG_FP_1.
1545     * IMPLEMENTATION NOTE: ANSI requires signed overflow not to occur, therefore
1546     * relying on addition of two positive values producing a negative one is not
1547     * safe.
1548     */
1549    Y = XYZ->red_Y;
1550    if (0x7fffffff - Y < XYZ->green_X)
1551       return 1;
1552    Y += XYZ->green_Y;
1553    if (0x7fffffff - Y < XYZ->blue_X)
1554       return 1;
1555    Y += XYZ->blue_Y;
1556 
1557    if (Y != PNG_FP_1)
1558    {
1559       if (png_muldiv(&XYZ->red_X, XYZ->red_X, PNG_FP_1, Y) == 0)
1560          return 1;
1561       if (png_muldiv(&XYZ->red_Y, XYZ->red_Y, PNG_FP_1, Y) == 0)
1562          return 1;
1563       if (png_muldiv(&XYZ->red_Z, XYZ->red_Z, PNG_FP_1, Y) == 0)
1564          return 1;
1565 
1566       if (png_muldiv(&XYZ->green_X, XYZ->green_X, PNG_FP_1, Y) == 0)
1567          return 1;
1568       if (png_muldiv(&XYZ->green_Y, XYZ->green_Y, PNG_FP_1, Y) == 0)
1569          return 1;
1570       if (png_muldiv(&XYZ->green_Z, XYZ->green_Z, PNG_FP_1, Y) == 0)
1571          return 1;
1572 
1573       if (png_muldiv(&XYZ->blue_X, XYZ->blue_X, PNG_FP_1, Y) == 0)
1574          return 1;
1575       if (png_muldiv(&XYZ->blue_Y, XYZ->blue_Y, PNG_FP_1, Y) == 0)
1576          return 1;
1577       if (png_muldiv(&XYZ->blue_Z, XYZ->blue_Z, PNG_FP_1, Y) == 0)
1578          return 1;
1579    }
1580 
1581    return 0;
1582 }
1583 
1584 static int
1585 png_colorspace_endpoints_match(const png_xy *xy1, const png_xy *xy2, int delta)
1586 {
1587    /* Allow an error of +/-0.01 (absolute value) on each chromaticity */
1588    if (PNG_OUT_OF_RANGE(xy1->whitex, xy2->whitex,delta) ||
1589        PNG_OUT_OF_RANGE(xy1->whitey, xy2->whitey,delta) ||
1590        PNG_OUT_OF_RANGE(xy1->redx,   xy2->redx,  delta) ||
1591        PNG_OUT_OF_RANGE(xy1->redy,   xy2->redy,  delta) ||
1592        PNG_OUT_OF_RANGE(xy1->greenx, xy2->greenx,delta) ||
1593        PNG_OUT_OF_RANGE(xy1->greeny, xy2->greeny,delta) ||
1594        PNG_OUT_OF_RANGE(xy1->bluex,  xy2->bluex, delta) ||
1595        PNG_OUT_OF_RANGE(xy1->bluey,  xy2->bluey, delta))
1596       return 0;
1597    return 1;
1598 }
1599 
1600 /* Added in libpng-1.6.0, a different check for the validity of a set of cHRM
1601  * chunk chromaticities.  Earlier checks used to simply look for the overflow
1602  * condition (where the determinant of the matrix to solve for XYZ ends up zero
1603  * because the chromaticity values are not all distinct.)  Despite this it is
1604  * theoretically possible to produce chromaticities that are apparently valid
1605  * but that rapidly degrade to invalid, potentially crashing, sets because of
1606  * arithmetic inaccuracies when calculations are performed on them.  The new
1607  * check is to round-trip xy -> XYZ -> xy and then check that the result is
1608  * within a small percentage of the original.
1609  */
1610 static int
1611 png_colorspace_check_xy(png_XYZ *XYZ, const png_xy *xy)
1612 {
1613    int result;
1614    png_xy xy_test;
1615 
1616    /* As a side-effect this routine also returns the XYZ endpoints. */
1617    result = png_XYZ_from_xy(XYZ, xy);
1618    if (result != 0)
1619       return result;
1620 
1621    result = png_xy_from_XYZ(&xy_test, XYZ);
1622    if (result != 0)
1623       return result;
1624 
1625    if (png_colorspace_endpoints_match(xy, &xy_test,
1626        5/*actually, the math is pretty accurate*/) != 0)
1627       return 0;
1628 
1629    /* Too much slip */
1630    return 1;
1631 }
1632 
1633 /* This is the check going the other way.  The XYZ is modified to normalize it
1634  * (another side-effect) and the xy chromaticities are returned.
1635  */
1636 static int
1637 png_colorspace_check_XYZ(png_xy *xy, png_XYZ *XYZ)
1638 {
1639    int result;
1640    png_XYZ XYZtemp;
1641 
1642    result = png_XYZ_normalize(XYZ);
1643    if (result != 0)
1644       return result;
1645 
1646    result = png_xy_from_XYZ(xy, XYZ);
1647    if (result != 0)
1648       return result;
1649 
1650    XYZtemp = *XYZ;
1651    return png_colorspace_check_xy(&XYZtemp, xy);
1652 }
1653 
1654 /* Used to check for an endpoint match against sRGB */
1655 static const png_xy sRGB_xy = /* From ITU-R BT.709-3 */
1656 {
1657    /* color      x       y */
1658    /* red   */ 64000, 33000,
1659    /* green */ 30000, 60000,
1660    /* blue  */ 15000,  6000,
1661    /* white */ 31270, 32900
1662 };
1663 
1664 static int
1665 png_colorspace_set_xy_and_XYZ(png_const_structrp png_ptr,
1666    png_colorspacerp colorspace, const png_xy *xy, const png_XYZ *XYZ,
1667    int preferred)
1668 {
1669    if ((colorspace->flags & PNG_COLORSPACE_INVALID) != 0)
1670       return 0;
1671 
1672    /* The consistency check is performed on the chromaticities; this factors out
1673     * variations because of the normalization (or not) of the end point Y
1674     * values.
1675     */
1676    if (preferred < 2 &&
1677        (colorspace->flags & PNG_COLORSPACE_HAVE_ENDPOINTS) != 0)
1678    {
1679       /* The end points must be reasonably close to any we already have.  The
1680        * following allows an error of up to +/-.001
1681        */
1682       if (png_colorspace_endpoints_match(xy, &colorspace->end_points_xy,
1683           100) == 0)
1684       {
1685          colorspace->flags |= PNG_COLORSPACE_INVALID;
1686          png_benign_error(png_ptr, "inconsistent chromaticities");
1687          return 0; /* failed */
1688       }
1689 
1690       /* Only overwrite with preferred values */
1691       if (preferred == 0)
1692          return 1; /* ok, but no change */
1693    }
1694 
1695    colorspace->end_points_xy = *xy;
1696    colorspace->end_points_XYZ = *XYZ;
1697    colorspace->flags |= PNG_COLORSPACE_HAVE_ENDPOINTS;
1698 
1699    /* The end points are normally quoted to two decimal digits, so allow +/-0.01
1700     * on this test.
1701     */
1702    if (png_colorspace_endpoints_match(xy, &sRGB_xy, 1000) != 0)
1703       colorspace->flags |= PNG_COLORSPACE_ENDPOINTS_MATCH_sRGB;
1704 
1705    else
1706       colorspace->flags &= PNG_COLORSPACE_CANCEL(
1707          PNG_COLORSPACE_ENDPOINTS_MATCH_sRGB);
1708 
1709    return 2; /* ok and changed */
1710 }
1711 
1712 int /* PRIVATE */
1713 png_colorspace_set_chromaticities(png_const_structrp png_ptr,
1714    png_colorspacerp colorspace, const png_xy *xy, int preferred)
1715 {
1716    /* We must check the end points to ensure they are reasonable - in the past
1717     * color management systems have crashed as a result of getting bogus
1718     * colorant values, while this isn't the fault of libpng it is the
1719     * responsibility of libpng because PNG carries the bomb and libpng is in a
1720     * position to protect against it.
1721     */
1722    png_XYZ XYZ;
1723 
1724    switch (png_colorspace_check_xy(&XYZ, xy))
1725    {
1726       case 0: /* success */
1727          return png_colorspace_set_xy_and_XYZ(png_ptr, colorspace, xy, &XYZ,
1728             preferred);
1729 
1730       case 1:
1731          /* We can't invert the chromaticities so we can't produce value XYZ
1732           * values.  Likely as not a color management system will fail too.
1733           */
1734          colorspace->flags |= PNG_COLORSPACE_INVALID;
1735          png_benign_error(png_ptr, "invalid chromaticities");
1736          break;
1737 
1738       default:
1739          /* libpng is broken; this should be a warning but if it happens we
1740           * want error reports so for the moment it is an error.
1741           */
1742          colorspace->flags |= PNG_COLORSPACE_INVALID;
1743          png_error(png_ptr, "internal error checking chromaticities");
1744    }
1745 
1746    return 0; /* failed */
1747 }
1748 
1749 int /* PRIVATE */
1750 png_colorspace_set_endpoints(png_const_structrp png_ptr,
1751    png_colorspacerp colorspace, const png_XYZ *XYZ_in, int preferred)
1752 {
1753    png_XYZ XYZ = *XYZ_in;
1754    png_xy xy;
1755 
1756    switch (png_colorspace_check_XYZ(&xy, &XYZ))
1757    {
1758       case 0:
1759          return png_colorspace_set_xy_and_XYZ(png_ptr, colorspace, &xy, &XYZ,
1760             preferred);
1761 
1762       case 1:
1763          /* End points are invalid. */
1764          colorspace->flags |= PNG_COLORSPACE_INVALID;
1765          png_benign_error(png_ptr, "invalid end points");
1766          break;
1767 
1768       default:
1769          colorspace->flags |= PNG_COLORSPACE_INVALID;
1770          png_error(png_ptr, "internal error checking chromaticities");
1771    }
1772 
1773    return 0; /* failed */
1774 }
1775 
1776 #if defined(PNG_sRGB_SUPPORTED) || defined(PNG_iCCP_SUPPORTED)
1777 /* Error message generation */
1778 static char
1779 png_icc_tag_char(png_uint_32 byte)
1780 {
1781    byte &= 0xff;
1782    if (byte >= 32 && byte <= 126)
1783       return (char)byte;
1784    else
1785       return '?';
1786 }
1787 
1788 static void
1789 png_icc_tag_name(char *name, png_uint_32 tag)
1790 {
1791    name[0] = '\'';
1792    name[1] = png_icc_tag_char(tag >> 24);
1793    name[2] = png_icc_tag_char(tag >> 16);
1794    name[3] = png_icc_tag_char(tag >>  8);
1795    name[4] = png_icc_tag_char(tag      );
1796    name[5] = '\'';
1797 }
1798 
1799 static int
1800 is_ICC_signature_char(png_alloc_size_t it)
1801 {
1802    return it == 32 || (it >= 48 && it <= 57) || (it >= 65 && it <= 90) ||
1803       (it >= 97 && it <= 122);
1804 }
1805 
1806 static int
1807 is_ICC_signature(png_alloc_size_t it)
1808 {
1809    return is_ICC_signature_char(it >> 24) /* checks all the top bits */ &&
1810       is_ICC_signature_char((it >> 16) & 0xff) &&
1811       is_ICC_signature_char((it >> 8) & 0xff) &&
1812       is_ICC_signature_char(it & 0xff);
1813 }
1814 
1815 static int
1816 png_icc_profile_error(png_const_structrp png_ptr, png_colorspacerp colorspace,
1817    png_const_charp name, png_alloc_size_t value, png_const_charp reason)
1818 {
1819    size_t pos;
1820    char message[196]; /* see below for calculation */
1821 
1822    if (colorspace != NULL)
1823       colorspace->flags |= PNG_COLORSPACE_INVALID;
1824 
1825    pos = png_safecat(message, (sizeof message), 0, "profile '"); /* 9 chars */
1826    pos = png_safecat(message, pos+79, pos, name); /* Truncate to 79 chars */
1827    pos = png_safecat(message, (sizeof message), pos, "': "); /* +2 = 90 */
1828    if (is_ICC_signature(value) != 0)
1829    {
1830       /* So 'value' is at most 4 bytes and the following cast is safe */
1831       png_icc_tag_name(message+pos, (png_uint_32)value);
1832       pos += 6; /* total +8; less than the else clause */
1833       message[pos++] = ':';
1834       message[pos++] = ' ';
1835    }
1836 #  ifdef PNG_WARNINGS_SUPPORTED
1837    else
1838       {
1839          char number[PNG_NUMBER_BUFFER_SIZE]; /* +24 = 114*/
1840 
1841          pos = png_safecat(message, (sizeof message), pos,
1842             png_format_number(number, number+(sizeof number),
1843                PNG_NUMBER_FORMAT_x, value));
1844          pos = png_safecat(message, (sizeof message), pos, "h: "); /*+2 = 116*/
1845       }
1846 #  endif
1847    /* The 'reason' is an arbitrary message, allow +79 maximum 195 */
1848    pos = png_safecat(message, (sizeof message), pos, reason);
1849    PNG_UNUSED(pos)
1850 
1851    /* This is recoverable, but make it unconditionally an app_error on write to
1852     * avoid writing invalid ICC profiles into PNG files (i.e., we handle them
1853     * on read, with a warning, but on write unless the app turns off
1854     * application errors the PNG won't be written.)
1855     */
1856    png_chunk_report(png_ptr, message,
1857       (colorspace != NULL) ? PNG_CHUNK_ERROR : PNG_CHUNK_WRITE_ERROR);
1858 
1859    return 0;
1860 }
1861 #endif /* sRGB || iCCP */
1862 
1863 #ifdef PNG_sRGB_SUPPORTED
1864 int /* PRIVATE */
1865 png_colorspace_set_sRGB(png_const_structrp png_ptr, png_colorspacerp colorspace,
1866    int intent)
1867 {
1868    /* sRGB sets known gamma, end points and (from the chunk) intent. */
1869    /* IMPORTANT: these are not necessarily the values found in an ICC profile
1870     * because ICC profiles store values adapted to a D50 environment; it is
1871     * expected that the ICC profile mediaWhitePointTag will be D50; see the
1872     * checks and code elsewhere to understand this better.
1873     *
1874     * These XYZ values, which are accurate to 5dp, produce rgb to gray
1875     * coefficients of (6968,23435,2366), which are reduced (because they add up
1876     * to 32769 not 32768) to (6968,23434,2366).  These are the values that
1877     * libpng has traditionally used (and are the best values given the 15bit
1878     * algorithm used by the rgb to gray code.)
1879     */
1880    static const png_XYZ sRGB_XYZ = /* D65 XYZ (*not* the D50 adapted values!) */
1881    {
1882       /* color      X      Y      Z */
1883       /* red   */ 41239, 21264,  1933,
1884       /* green */ 35758, 71517, 11919,
1885       /* blue  */ 18048,  7219, 95053
1886    };
1887 
1888    /* Do nothing if the colorspace is already invalidated. */
1889    if ((colorspace->flags & PNG_COLORSPACE_INVALID) != 0)
1890       return 0;
1891 
1892    /* Check the intent, then check for existing settings.  It is valid for the
1893     * PNG file to have cHRM or gAMA chunks along with sRGB, but the values must
1894     * be consistent with the correct values.  If, however, this function is
1895     * called below because an iCCP chunk matches sRGB then it is quite
1896     * conceivable that an older app recorded incorrect gAMA and cHRM because of
1897     * an incorrect calculation based on the values in the profile - this does
1898     * *not* invalidate the profile (though it still produces an error, which can
1899     * be ignored.)
1900     */
1901    if (intent < 0 || intent >= PNG_sRGB_INTENT_LAST)
1902       return png_icc_profile_error(png_ptr, colorspace, "sRGB",
1903          (unsigned)intent, "invalid sRGB rendering intent");
1904 
1905    if ((colorspace->flags & PNG_COLORSPACE_HAVE_INTENT) != 0 &&
1906       colorspace->rendering_intent != intent)
1907       return png_icc_profile_error(png_ptr, colorspace, "sRGB",
1908          (unsigned)intent, "inconsistent rendering intents");
1909 
1910    if ((colorspace->flags & PNG_COLORSPACE_FROM_sRGB) != 0)
1911    {
1912       png_benign_error(png_ptr, "duplicate sRGB information ignored");
1913       return 0;
1914    }
1915 
1916    /* If the standard sRGB cHRM chunk does not match the one from the PNG file
1917     * warn but overwrite the value with the correct one.
1918     */
1919    if ((colorspace->flags & PNG_COLORSPACE_HAVE_ENDPOINTS) != 0 &&
1920       !png_colorspace_endpoints_match(&sRGB_xy, &colorspace->end_points_xy,
1921          100))
1922       png_chunk_report(png_ptr, "cHRM chunk does not match sRGB",
1923          PNG_CHUNK_ERROR);
1924 
1925    /* This check is just done for the error reporting - the routine always
1926     * returns true when the 'from' argument corresponds to sRGB (2).
1927     */
1928    (void)png_colorspace_check_gamma(png_ptr, colorspace, PNG_GAMMA_sRGB_INVERSE,
1929       2/*from sRGB*/);
1930 
1931    /* intent: bugs in GCC force 'int' to be used as the parameter type. */
1932    colorspace->rendering_intent = (png_uint_16)intent;
1933    colorspace->flags |= PNG_COLORSPACE_HAVE_INTENT;
1934 
1935    /* endpoints */
1936    colorspace->end_points_xy = sRGB_xy;
1937    colorspace->end_points_XYZ = sRGB_XYZ;
1938    colorspace->flags |=
1939       (PNG_COLORSPACE_HAVE_ENDPOINTS|PNG_COLORSPACE_ENDPOINTS_MATCH_sRGB);
1940 
1941    /* gamma */
1942    colorspace->gamma = PNG_GAMMA_sRGB_INVERSE;
1943    colorspace->flags |= PNG_COLORSPACE_HAVE_GAMMA;
1944 
1945    /* Finally record that we have an sRGB profile */
1946    colorspace->flags |=
1947       (PNG_COLORSPACE_MATCHES_sRGB|PNG_COLORSPACE_FROM_sRGB);
1948 
1949    return 1; /* set */
1950 }
1951 #endif /* sRGB */
1952 
1953 #ifdef PNG_iCCP_SUPPORTED
1954 /* Encoded value of D50 as an ICC XYZNumber.  From the ICC 2010 spec the value
1955  * is XYZ(0.9642,1.0,0.8249), which scales to:
1956  *
1957  *    (63189.8112, 65536, 54060.6464)
1958  */
1959 static const png_byte D50_nCIEXYZ[12] =
1960    { 0x00, 0x00, 0xf6, 0xd6, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0xd3, 0x2d };
1961 
1962 int /* PRIVATE */
1963 png_icc_check_length(png_const_structrp png_ptr, png_colorspacerp colorspace,
1964    png_const_charp name, png_uint_32 profile_length)
1965 {
1966    if (profile_length < 132)
1967       return png_icc_profile_error(png_ptr, colorspace, name, profile_length,
1968          "too short");
1969 
1970    return 1;
1971 }
1972 
1973 int /* PRIVATE */
1974 png_icc_check_header(png_const_structrp png_ptr, png_colorspacerp colorspace,
1975    png_const_charp name, png_uint_32 profile_length,
1976    png_const_bytep profile/* first 132 bytes only */, int color_type)
1977 {
1978    png_uint_32 temp;
1979 
1980    /* Length check; this cannot be ignored in this code because profile_length
1981     * is used later to check the tag table, so even if the profile seems over
1982     * long profile_length from the caller must be correct.  The caller can fix
1983     * this up on read or write by just passing in the profile header length.
1984     */
1985    temp = png_get_uint_32(profile);
1986    if (temp != profile_length)
1987       return png_icc_profile_error(png_ptr, colorspace, name, temp,
1988          "length does not match profile");
1989 
1990    temp = (png_uint_32) (*(profile+8));
1991    if (temp > 3 && (profile_length & 3))
1992       return png_icc_profile_error(png_ptr, colorspace, name, profile_length,
1993          "invalid length");
1994 
1995    temp = png_get_uint_32(profile+128); /* tag count: 12 bytes/tag */
1996    if (temp > 357913930 || /* (2^32-4-132)/12: maximum possible tag count */
1997       profile_length < 132+12*temp) /* truncated tag table */
1998       return png_icc_profile_error(png_ptr, colorspace, name, temp,
1999          "tag count too large");
2000 
2001    /* The 'intent' must be valid or we can't store it, ICC limits the intent to
2002     * 16 bits.
2003     */
2004    temp = png_get_uint_32(profile+64);
2005    if (temp >= 0xffff) /* The ICC limit */
2006       return png_icc_profile_error(png_ptr, colorspace, name, temp,
2007          "invalid rendering intent");
2008 
2009    /* This is just a warning because the profile may be valid in future
2010     * versions.
2011     */
2012    if (temp >= PNG_sRGB_INTENT_LAST)
2013       (void)png_icc_profile_error(png_ptr, NULL, name, temp,
2014          "intent outside defined range");
2015 
2016    /* At this point the tag table can't be checked because it hasn't necessarily
2017     * been loaded; however, various header fields can be checked.  These checks
2018     * are for values permitted by the PNG spec in an ICC profile; the PNG spec
2019     * restricts the profiles that can be passed in an iCCP chunk (they must be
2020     * appropriate to processing PNG data!)
2021     */
2022 
2023    /* Data checks (could be skipped).  These checks must be independent of the
2024     * version number; however, the version number doesn't accomodate changes in
2025     * the header fields (just the known tags and the interpretation of the
2026     * data.)
2027     */
2028    temp = png_get_uint_32(profile+36); /* signature 'ascp' */
2029    if (temp != 0x61637370)
2030       return png_icc_profile_error(png_ptr, colorspace, name, temp,
2031          "invalid signature");
2032 
2033    /* Currently the PCS illuminant/adopted white point (the computational
2034     * white point) are required to be D50,
2035     * however the profile contains a record of the illuminant so perhaps ICC
2036     * expects to be able to change this in the future (despite the rationale in
2037     * the introduction for using a fixed PCS adopted white.)  Consequently the
2038     * following is just a warning.
2039     */
2040    if (memcmp(profile+68, D50_nCIEXYZ, 12) != 0)
2041       (void)png_icc_profile_error(png_ptr, NULL, name, 0/*no tag value*/,
2042          "PCS illuminant is not D50");
2043 
2044    /* The PNG spec requires this:
2045     * "If the iCCP chunk is present, the image samples conform to the colour
2046     * space represented by the embedded ICC profile as defined by the
2047     * International Color Consortium [ICC]. The colour space of the ICC profile
2048     * shall be an RGB colour space for colour images (PNG colour types 2, 3, and
2049     * 6), or a greyscale colour space for greyscale images (PNG colour types 0
2050     * and 4)."
2051     *
2052     * This checking code ensures the embedded profile (on either read or write)
2053     * conforms to the specification requirements.  Notice that an ICC 'gray'
2054     * color-space profile contains the information to transform the monochrome
2055     * data to XYZ or L*a*b (according to which PCS the profile uses) and this
2056     * should be used in preference to the standard libpng K channel replication
2057     * into R, G and B channels.
2058     *
2059     * Previously it was suggested that an RGB profile on grayscale data could be
2060     * handled.  However it it is clear that using an RGB profile in this context
2061     * must be an error - there is no specification of what it means.  Thus it is
2062     * almost certainly more correct to ignore the profile.
2063     */
2064    temp = png_get_uint_32(profile+16); /* data colour space field */
2065    switch (temp)
2066    {
2067       case 0x52474220: /* 'RGB ' */
2068          if ((color_type & PNG_COLOR_MASK_COLOR) == 0)
2069             return png_icc_profile_error(png_ptr, colorspace, name, temp,
2070                "RGB color space not permitted on grayscale PNG");
2071          break;
2072 
2073       case 0x47524159: /* 'GRAY' */
2074          if ((color_type & PNG_COLOR_MASK_COLOR) != 0)
2075             return png_icc_profile_error(png_ptr, colorspace, name, temp,
2076                "Gray color space not permitted on RGB PNG");
2077          break;
2078 
2079       default:
2080          return png_icc_profile_error(png_ptr, colorspace, name, temp,
2081             "invalid ICC profile color space");
2082    }
2083 
2084    /* It is up to the application to check that the profile class matches the
2085     * application requirements; the spec provides no guidance, but it's pretty
2086     * weird if the profile is not scanner ('scnr'), monitor ('mntr'), printer
2087     * ('prtr') or 'spac' (for generic color spaces).  Issue a warning in these
2088     * cases.  Issue an error for device link or abstract profiles - these don't
2089     * contain the records necessary to transform the color-space to anything
2090     * other than the target device (and not even that for an abstract profile).
2091     * Profiles of these classes may not be embedded in images.
2092     */
2093    temp = png_get_uint_32(profile+12); /* profile/device class */
2094    switch (temp)
2095    {
2096       case 0x73636e72: /* 'scnr' */
2097       case 0x6d6e7472: /* 'mntr' */
2098       case 0x70727472: /* 'prtr' */
2099       case 0x73706163: /* 'spac' */
2100          /* All supported */
2101          break;
2102 
2103       case 0x61627374: /* 'abst' */
2104          /* May not be embedded in an image */
2105          return png_icc_profile_error(png_ptr, colorspace, name, temp,
2106             "invalid embedded Abstract ICC profile");
2107 
2108       case 0x6c696e6b: /* 'link' */
2109          /* DeviceLink profiles cannot be interpreted in a non-device specific
2110           * fashion, if an app uses the AToB0Tag in the profile the results are
2111           * undefined unless the result is sent to the intended device,
2112           * therefore a DeviceLink profile should not be found embedded in a
2113           * PNG.
2114           */
2115          return png_icc_profile_error(png_ptr, colorspace, name, temp,
2116             "unexpected DeviceLink ICC profile class");
2117 
2118       case 0x6e6d636c: /* 'nmcl' */
2119          /* A NamedColor profile is also device specific, however it doesn't
2120           * contain an AToB0 tag that is open to misinterpretation.  Almost
2121           * certainly it will fail the tests below.
2122           */
2123          (void)png_icc_profile_error(png_ptr, NULL, name, temp,
2124             "unexpected NamedColor ICC profile class");
2125          break;
2126 
2127       default:
2128          /* To allow for future enhancements to the profile accept unrecognized
2129           * profile classes with a warning, these then hit the test below on the
2130           * tag content to ensure they are backward compatible with one of the
2131           * understood profiles.
2132           */
2133          (void)png_icc_profile_error(png_ptr, NULL, name, temp,
2134             "unrecognized ICC profile class");
2135          break;
2136    }
2137 
2138    /* For any profile other than a device link one the PCS must be encoded
2139     * either in XYZ or Lab.
2140     */
2141    temp = png_get_uint_32(profile+20);
2142    switch (temp)
2143    {
2144       case 0x58595a20: /* 'XYZ ' */
2145       case 0x4c616220: /* 'Lab ' */
2146          break;
2147 
2148       default:
2149          return png_icc_profile_error(png_ptr, colorspace, name, temp,
2150             "unexpected ICC PCS encoding");
2151    }
2152 
2153    return 1;
2154 }
2155 
2156 int /* PRIVATE */
2157 png_icc_check_tag_table(png_const_structrp png_ptr, png_colorspacerp colorspace,
2158    png_const_charp name, png_uint_32 profile_length,
2159    png_const_bytep profile /* header plus whole tag table */)
2160 {
2161    png_uint_32 tag_count = png_get_uint_32(profile+128);
2162    png_uint_32 itag;
2163    png_const_bytep tag = profile+132; /* The first tag */
2164 
2165    /* First scan all the tags in the table and add bits to the icc_info value
2166     * (temporarily in 'tags').
2167     */
2168    for (itag=0; itag < tag_count; ++itag, tag += 12)
2169    {
2170       png_uint_32 tag_id = png_get_uint_32(tag+0);
2171       png_uint_32 tag_start = png_get_uint_32(tag+4); /* must be aligned */
2172       png_uint_32 tag_length = png_get_uint_32(tag+8);/* not padded */
2173 
2174       /* The ICC specification does not exclude zero length tags, therefore the
2175        * start might actually be anywhere if there is no data, but this would be
2176        * a clear abuse of the intent of the standard so the start is checked for
2177        * being in range.  All defined tag types have an 8 byte header - a 4 byte
2178        * type signature then 0.
2179        */
2180       if ((tag_start & 3) != 0)
2181       {
2182          /* CNHP730S.icc shipped with Microsoft Windows 64 violates this, it is
2183           * only a warning here because libpng does not care about the
2184           * alignment.
2185           */
2186          (void)png_icc_profile_error(png_ptr, NULL, name, tag_id,
2187             "ICC profile tag start not a multiple of 4");
2188       }
2189 
2190       /* This is a hard error; potentially it can cause read outside the
2191        * profile.
2192        */
2193       if (tag_start > profile_length || tag_length > profile_length - tag_start)
2194          return png_icc_profile_error(png_ptr, colorspace, name, tag_id,
2195             "ICC profile tag outside profile");
2196    }
2197 
2198    return 1; /* success, maybe with warnings */
2199 }
2200 
2201 #ifdef PNG_sRGB_SUPPORTED
2202 #if PNG_sRGB_PROFILE_CHECKS >= 0
2203 /* Information about the known ICC sRGB profiles */
2204 static const struct
2205 {
2206    png_uint_32 adler, crc, length;
2207    png_uint_32 md5[4];
2208    png_byte    have_md5;
2209    png_byte    is_broken;
2210    png_uint_16 intent;
2211 
2212 #  define PNG_MD5(a,b,c,d) { a, b, c, d }, (a!=0)||(b!=0)||(c!=0)||(d!=0)
2213 #  define PNG_ICC_CHECKSUM(adler, crc, md5, intent, broke, date, length, fname)\
2214       { adler, crc, length, md5, broke, intent },
2215 
2216 } png_sRGB_checks[] =
2217 {
2218    /* This data comes from contrib/tools/checksum-icc run on downloads of
2219     * all four ICC sRGB profiles from www.color.org.
2220     */
2221    /* adler32, crc32, MD5[4], intent, date, length, file-name */
2222    PNG_ICC_CHECKSUM(0x0a3fd9f6, 0x3b8772b9,
2223       PNG_MD5(0x29f83dde, 0xaff255ae, 0x7842fae4, 0xca83390d), 0, 0,
2224       "2009/03/27 21:36:31", 3048, "sRGB_IEC61966-2-1_black_scaled.icc")
2225 
2226    /* ICC sRGB v2 perceptual no black-compensation: */
2227    PNG_ICC_CHECKSUM(0x4909e5e1, 0x427ebb21,
2228       PNG_MD5(0xc95bd637, 0xe95d8a3b, 0x0df38f99, 0xc1320389), 1, 0,
2229       "2009/03/27 21:37:45", 3052, "sRGB_IEC61966-2-1_no_black_scaling.icc")
2230 
2231    PNG_ICC_CHECKSUM(0xfd2144a1, 0x306fd8ae,
2232       PNG_MD5(0xfc663378, 0x37e2886b, 0xfd72e983, 0x8228f1b8), 0, 0,
2233       "2009/08/10 17:28:01", 60988, "sRGB_v4_ICC_preference_displayclass.icc")
2234 
2235    /* ICC sRGB v4 perceptual */
2236    PNG_ICC_CHECKSUM(0x209c35d2, 0xbbef7812,
2237       PNG_MD5(0x34562abf, 0x994ccd06, 0x6d2c5721, 0xd0d68c5d), 0, 0,
2238       "2007/07/25 00:05:37", 60960, "sRGB_v4_ICC_preference.icc")
2239 
2240    /* The following profiles have no known MD5 checksum. If there is a match
2241     * on the (empty) MD5 the other fields are used to attempt a match and
2242     * a warning is produced.  The first two of these profiles have a 'cprt' tag
2243     * which suggests that they were also made by Hewlett Packard.
2244     */
2245    PNG_ICC_CHECKSUM(0xa054d762, 0x5d5129ce,
2246       PNG_MD5(0x00000000, 0x00000000, 0x00000000, 0x00000000), 1, 0,
2247       "2004/07/21 18:57:42", 3024, "sRGB_IEC61966-2-1_noBPC.icc")
2248 
2249    /* This is a 'mntr' (display) profile with a mediaWhitePointTag that does not
2250     * match the D50 PCS illuminant in the header (it is in fact the D65 values,
2251     * so the white point is recorded as the un-adapted value.)  The profiles
2252     * below only differ in one byte - the intent - and are basically the same as
2253     * the previous profile except for the mediaWhitePointTag error and a missing
2254     * chromaticAdaptationTag.
2255     */
2256    PNG_ICC_CHECKSUM(0xf784f3fb, 0x182ea552,
2257       PNG_MD5(0x00000000, 0x00000000, 0x00000000, 0x00000000), 0, 1/*broken*/,
2258       "1998/02/09 06:49:00", 3144, "HP-Microsoft sRGB v2 perceptual")
2259 
2260    PNG_ICC_CHECKSUM(0x0398f3fc, 0xf29e526d,
2261       PNG_MD5(0x00000000, 0x00000000, 0x00000000, 0x00000000), 1, 1/*broken*/,
2262       "1998/02/09 06:49:00", 3144, "HP-Microsoft sRGB v2 media-relative")
2263 };
2264 
2265 static int
2266 png_compare_ICC_profile_with_sRGB(png_const_structrp png_ptr,
2267    png_const_bytep profile, uLong adler)
2268 {
2269    /* The quick check is to verify just the MD5 signature and trust the
2270     * rest of the data.  Because the profile has already been verified for
2271     * correctness this is safe.  png_colorspace_set_sRGB will check the 'intent'
2272     * field too, so if the profile has been edited with an intent not defined
2273     * by sRGB (but maybe defined by a later ICC specification) the read of
2274     * the profile will fail at that point.
2275     */
2276 
2277    png_uint_32 length = 0;
2278    png_uint_32 intent = 0x10000; /* invalid */
2279 #if PNG_sRGB_PROFILE_CHECKS > 1
2280    uLong crc = 0; /* the value for 0 length data */
2281 #endif
2282    unsigned int i;
2283 
2284 #ifdef PNG_SET_OPTION_SUPPORTED
2285    /* First see if PNG_SKIP_sRGB_CHECK_PROFILE has been set to "on" */
2286    if (((png_ptr->options >> PNG_SKIP_sRGB_CHECK_PROFILE) & 3) ==
2287                PNG_OPTION_ON)
2288       return 0;
2289 #endif
2290 
2291    for (i=0; i < (sizeof png_sRGB_checks) / (sizeof png_sRGB_checks[0]); ++i)
2292    {
2293       if (png_get_uint_32(profile+84) == png_sRGB_checks[i].md5[0] &&
2294          png_get_uint_32(profile+88) == png_sRGB_checks[i].md5[1] &&
2295          png_get_uint_32(profile+92) == png_sRGB_checks[i].md5[2] &&
2296          png_get_uint_32(profile+96) == png_sRGB_checks[i].md5[3])
2297       {
2298          /* This may be one of the old HP profiles without an MD5, in that
2299           * case we can only use the length and Adler32 (note that these
2300           * are not used by default if there is an MD5!)
2301           */
2302 #        if PNG_sRGB_PROFILE_CHECKS == 0
2303             if (png_sRGB_checks[i].have_md5 != 0)
2304                return 1+png_sRGB_checks[i].is_broken;
2305 #        endif
2306 
2307          /* Profile is unsigned or more checks have been configured in. */
2308          if (length == 0)
2309          {
2310             length = png_get_uint_32(profile);
2311             intent = png_get_uint_32(profile+64);
2312          }
2313 
2314          /* Length *and* intent must match */
2315          if (length == (png_uint_32) png_sRGB_checks[i].length &&
2316             intent == (png_uint_32) png_sRGB_checks[i].intent)
2317          {
2318             /* Now calculate the adler32 if not done already. */
2319             if (adler == 0)
2320             {
2321                adler = adler32(0, NULL, 0);
2322                adler = adler32(adler, profile, length);
2323             }
2324 
2325             if (adler == png_sRGB_checks[i].adler)
2326             {
2327                /* These basic checks suggest that the data has not been
2328                 * modified, but if the check level is more than 1 perform
2329                 * our own crc32 checksum on the data.
2330                 */
2331 #              if PNG_sRGB_PROFILE_CHECKS > 1
2332                   if (crc == 0)
2333                   {
2334                      crc = crc32(0, NULL, 0);
2335                      crc = crc32(crc, profile, length);
2336                   }
2337 
2338                   /* So this check must pass for the 'return' below to happen.
2339                    */
2340                   if (crc == png_sRGB_checks[i].crc)
2341 #              endif
2342                {
2343                   if (png_sRGB_checks[i].is_broken != 0)
2344                   {
2345                      /* These profiles are known to have bad data that may cause
2346                       * problems if they are used, therefore attempt to
2347                       * discourage their use, skip the 'have_md5' warning below,
2348                       * which is made irrelevant by this error.
2349                       */
2350                      png_chunk_report(png_ptr, "known incorrect sRGB profile",
2351                         PNG_CHUNK_ERROR);
2352                   }
2353 
2354                   /* Warn that this being done; this isn't even an error since
2355                    * the profile is perfectly valid, but it would be nice if
2356                    * people used the up-to-date ones.
2357                    */
2358                   else if (png_sRGB_checks[i].have_md5 == 0)
2359                   {
2360                      png_chunk_report(png_ptr,
2361                         "out-of-date sRGB profile with no signature",
2362                         PNG_CHUNK_WARNING);
2363                   }
2364 
2365                   return 1+png_sRGB_checks[i].is_broken;
2366                }
2367             }
2368 
2369 # if PNG_sRGB_PROFILE_CHECKS > 0
2370          /* The signature matched, but the profile had been changed in some
2371           * way.  This probably indicates a data error or uninformed hacking.
2372           * Fall through to "no match".
2373           */
2374          png_chunk_report(png_ptr,
2375              "Not recognizing known sRGB profile that has been edited",
2376              PNG_CHUNK_WARNING);
2377          break;
2378 # endif
2379          }
2380       }
2381    }
2382 
2383    return 0; /* no match */
2384 }
2385 #endif /* PNG_sRGB_PROFILE_CHECKS >= 0 */
2386 
2387 void /* PRIVATE */
2388 png_icc_set_sRGB(png_const_structrp png_ptr,
2389    png_colorspacerp colorspace, png_const_bytep profile, uLong adler)
2390 {
2391    /* Is this profile one of the known ICC sRGB profiles?  If it is, just set
2392     * the sRGB information.
2393     */
2394 #if PNG_sRGB_PROFILE_CHECKS >= 0
2395    if (png_compare_ICC_profile_with_sRGB(png_ptr, profile, adler) != 0)
2396 #endif
2397       (void)png_colorspace_set_sRGB(png_ptr, colorspace,
2398          (int)/*already checked*/png_get_uint_32(profile+64));
2399 }
2400 #endif /* sRGB */
2401 
2402 int /* PRIVATE */
2403 png_colorspace_set_ICC(png_const_structrp png_ptr, png_colorspacerp colorspace,
2404    png_const_charp name, png_uint_32 profile_length, png_const_bytep profile,
2405    int color_type)
2406 {
2407    if ((colorspace->flags & PNG_COLORSPACE_INVALID) != 0)
2408       return 0;
2409 
2410    if (png_icc_check_length(png_ptr, colorspace, name, profile_length) != 0 &&
2411        png_icc_check_header(png_ptr, colorspace, name, profile_length, profile,
2412           color_type) != 0 &&
2413        png_icc_check_tag_table(png_ptr, colorspace, name, profile_length,
2414           profile) != 0)
2415    {
2416 #     ifdef PNG_sRGB_SUPPORTED
2417          /* If no sRGB support, don't try storing sRGB information */
2418          png_icc_set_sRGB(png_ptr, colorspace, profile, 0);
2419 #     endif
2420       return 1;
2421    }
2422 
2423    /* Failure case */
2424    return 0;
2425 }
2426 #endif /* iCCP */
2427 
2428 #ifdef PNG_READ_RGB_TO_GRAY_SUPPORTED
2429 void /* PRIVATE */
2430 png_colorspace_set_rgb_coefficients(png_structrp png_ptr)
2431 {
2432    /* Set the rgb_to_gray coefficients from the colorspace. */
2433    if (png_ptr->rgb_to_gray_coefficients_set == 0 &&
2434       (png_ptr->colorspace.flags & PNG_COLORSPACE_HAVE_ENDPOINTS) != 0)
2435    {
2436       /* png_set_background has not been called, get the coefficients from the Y
2437        * values of the colorspace colorants.
2438        */
2439       png_fixed_point r = png_ptr->colorspace.end_points_XYZ.red_Y;
2440       png_fixed_point g = png_ptr->colorspace.end_points_XYZ.green_Y;
2441       png_fixed_point b = png_ptr->colorspace.end_points_XYZ.blue_Y;
2442       png_fixed_point total = r+g+b;
2443 
2444       if (total > 0 &&
2445          r >= 0 && png_muldiv(&r, r, 32768, total) && r >= 0 && r <= 32768 &&
2446          g >= 0 && png_muldiv(&g, g, 32768, total) && g >= 0 && g <= 32768 &&
2447          b >= 0 && png_muldiv(&b, b, 32768, total) && b >= 0 && b <= 32768 &&
2448          r+g+b <= 32769)
2449       {
2450          /* We allow 0 coefficients here.  r+g+b may be 32769 if two or
2451           * all of the coefficients were rounded up.  Handle this by
2452           * reducing the *largest* coefficient by 1; this matches the
2453           * approach used for the default coefficients in pngrtran.c
2454           */
2455          int add = 0;
2456 
2457          if (r+g+b > 32768)
2458             add = -1;
2459          else if (r+g+b < 32768)
2460             add = 1;
2461 
2462          if (add != 0)
2463          {
2464             if (g >= r && g >= b)
2465                g += add;
2466             else if (r >= g && r >= b)
2467                r += add;
2468             else
2469                b += add;
2470          }
2471 
2472          /* Check for an internal error. */
2473          if (r+g+b != 32768)
2474             png_error(png_ptr,
2475                "internal error handling cHRM coefficients");
2476 
2477          else
2478          {
2479             png_ptr->rgb_to_gray_red_coeff   = (png_uint_16)r;
2480             png_ptr->rgb_to_gray_green_coeff = (png_uint_16)g;
2481          }
2482       }
2483 
2484       /* This is a png_error at present even though it could be ignored -
2485        * it should never happen, but it is important that if it does, the
2486        * bug is fixed.
2487        */
2488       else
2489          png_error(png_ptr, "internal error handling cHRM->XYZ");
2490    }
2491 }
2492 #endif /* READ_RGB_TO_GRAY */
2493 
2494 #endif /* COLORSPACE */
2495 
2496 #ifdef __GNUC__
2497 /* This exists solely to work round a warning from GNU C. */
2498 static int /* PRIVATE */
2499 png_gt(size_t a, size_t b)
2500 {
2501     return a > b;
2502 }
2503 #else
2504 #   define png_gt(a,b) ((a) > (b))
2505 #endif
2506 
2507 void /* PRIVATE */
2508 png_check_IHDR(png_const_structrp png_ptr,
2509    png_uint_32 width, png_uint_32 height, int bit_depth,
2510    int color_type, int interlace_type, int compression_type,
2511    int filter_type)
2512 {
2513    int error = 0;
2514 
2515    /* Check for width and height valid values */
2516    if (width == 0)
2517    {
2518       png_warning(png_ptr, "Image width is zero in IHDR");
2519       error = 1;
2520    }
2521 
2522    if (width > PNG_UINT_31_MAX)
2523    {
2524       png_warning(png_ptr, "Invalid image width in IHDR");
2525       error = 1;
2526    }
2527 
2528    if (png_gt(((width + 7) & (~7)),
2529        ((PNG_SIZE_MAX
2530            - 48        /* big_row_buf hack */
2531            - 1)        /* filter byte */
2532            / 8)        /* 8-byte RGBA pixels */
2533            - 1))       /* extra max_pixel_depth pad */
2534    {
2535       /* The size of the row must be within the limits of this architecture.
2536        * Because the read code can perform arbitrary transformations the
2537        * maximum size is checked here.  Because the code in png_read_start_row
2538        * adds extra space "for safety's sake" in several places a conservative
2539        * limit is used here.
2540        *
2541        * NOTE: it would be far better to check the size that is actually used,
2542        * but the effect in the real world is minor and the changes are more
2543        * extensive, therefore much more dangerous and much more difficult to
2544        * write in a way that avoids compiler warnings.
2545        */
2546       png_warning(png_ptr, "Image width is too large for this architecture");
2547       error = 1;
2548    }
2549 
2550 #ifdef PNG_SET_USER_LIMITS_SUPPORTED
2551    if (width > png_ptr->user_width_max)
2552 #else
2553    if (width > PNG_USER_WIDTH_MAX)
2554 #endif
2555    {
2556       png_warning(png_ptr, "Image width exceeds user limit in IHDR");
2557       error = 1;
2558    }
2559 
2560    if (height == 0)
2561    {
2562       png_warning(png_ptr, "Image height is zero in IHDR");
2563       error = 1;
2564    }
2565 
2566    if (height > PNG_UINT_31_MAX)
2567    {
2568       png_warning(png_ptr, "Invalid image height in IHDR");
2569       error = 1;
2570    }
2571 
2572 #ifdef PNG_SET_USER_LIMITS_SUPPORTED
2573    if (height > png_ptr->user_height_max)
2574 #else
2575    if (height > PNG_USER_HEIGHT_MAX)
2576 #endif
2577    {
2578       png_warning(png_ptr, "Image height exceeds user limit in IHDR");
2579       error = 1;
2580    }
2581 
2582    /* Check other values */
2583    if (bit_depth != 1 && bit_depth != 2 && bit_depth != 4 &&
2584        bit_depth != 8 && bit_depth != 16)
2585    {
2586       png_warning(png_ptr, "Invalid bit depth in IHDR");
2587       error = 1;
2588    }
2589 
2590    if (color_type < 0 || color_type == 1 ||
2591        color_type == 5 || color_type > 6)
2592    {
2593       png_warning(png_ptr, "Invalid color type in IHDR");
2594       error = 1;
2595    }
2596 
2597    if (((color_type == PNG_COLOR_TYPE_PALETTE) && bit_depth > 8) ||
2598        ((color_type == PNG_COLOR_TYPE_RGB ||
2599          color_type == PNG_COLOR_TYPE_GRAY_ALPHA ||
2600          color_type == PNG_COLOR_TYPE_RGB_ALPHA) && bit_depth < 8))
2601    {
2602       png_warning(png_ptr, "Invalid color type/bit depth combination in IHDR");
2603       error = 1;
2604    }
2605 
2606    if (interlace_type >= PNG_INTERLACE_LAST)
2607    {
2608       png_warning(png_ptr, "Unknown interlace method in IHDR");
2609       error = 1;
2610    }
2611 
2612    if (compression_type != PNG_COMPRESSION_TYPE_BASE)
2613    {
2614       png_warning(png_ptr, "Unknown compression method in IHDR");
2615       error = 1;
2616    }
2617 
2618 #ifdef PNG_MNG_FEATURES_SUPPORTED
2619    /* Accept filter_method 64 (intrapixel differencing) only if
2620     * 1. Libpng was compiled with PNG_MNG_FEATURES_SUPPORTED and
2621     * 2. Libpng did not read a PNG signature (this filter_method is only
2622     *    used in PNG datastreams that are embedded in MNG datastreams) and
2623     * 3. The application called png_permit_mng_features with a mask that
2624     *    included PNG_FLAG_MNG_FILTER_64 and
2625     * 4. The filter_method is 64 and
2626     * 5. The color_type is RGB or RGBA
2627     */
2628    if ((png_ptr->mode & PNG_HAVE_PNG_SIGNATURE) != 0 &&
2629        png_ptr->mng_features_permitted != 0)
2630       png_warning(png_ptr, "MNG features are not allowed in a PNG datastream");
2631 
2632    if (filter_type != PNG_FILTER_TYPE_BASE)
2633    {
2634       if (!((png_ptr->mng_features_permitted & PNG_FLAG_MNG_FILTER_64) != 0 &&
2635           (filter_type == PNG_INTRAPIXEL_DIFFERENCING) &&
2636           ((png_ptr->mode & PNG_HAVE_PNG_SIGNATURE) == 0) &&
2637           (color_type == PNG_COLOR_TYPE_RGB ||
2638           color_type == PNG_COLOR_TYPE_RGB_ALPHA)))
2639       {
2640          png_warning(png_ptr, "Unknown filter method in IHDR");
2641          error = 1;
2642       }
2643 
2644       if ((png_ptr->mode & PNG_HAVE_PNG_SIGNATURE) != 0)
2645       {
2646          png_warning(png_ptr, "Invalid filter method in IHDR");
2647          error = 1;
2648       }
2649    }
2650 
2651 #else
2652    if (filter_type != PNG_FILTER_TYPE_BASE)
2653    {
2654       png_warning(png_ptr, "Unknown filter method in IHDR");
2655       error = 1;
2656    }
2657 #endif
2658 
2659    if (error == 1)
2660       png_error(png_ptr, "Invalid IHDR data");
2661 }
2662 
2663 #if defined(PNG_sCAL_SUPPORTED) || defined(PNG_pCAL_SUPPORTED)
2664 /* ASCII to fp functions */
2665 /* Check an ASCII formated floating point value, see the more detailed
2666  * comments in pngpriv.h
2667  */
2668 /* The following is used internally to preserve the sticky flags */
2669 #define png_fp_add(state, flags) ((state) |= (flags))
2670 #define png_fp_set(state, value) ((state) = (value) | ((state) & PNG_FP_STICKY))
2671 
2672 int /* PRIVATE */
2673 png_check_fp_number(png_const_charp string, png_size_t size, int *statep,
2674    png_size_tp whereami)
2675 {
2676    int state = *statep;
2677    png_size_t i = *whereami;
2678 
2679    while (i < size)
2680    {
2681       int type;
2682       /* First find the type of the next character */
2683       switch (string[i])
2684       {
2685       case 43:  type = PNG_FP_SAW_SIGN;                   break;
2686       case 45:  type = PNG_FP_SAW_SIGN + PNG_FP_NEGATIVE; break;
2687       case 46:  type = PNG_FP_SAW_DOT;                    break;
2688       case 48:  type = PNG_FP_SAW_DIGIT;                  break;
2689       case 49: case 50: case 51: case 52:
2690       case 53: case 54: case 55: case 56:
2691       case 57:  type = PNG_FP_SAW_DIGIT + PNG_FP_NONZERO; break;
2692       case 69:
2693       case 101: type = PNG_FP_SAW_E;                      break;
2694       default:  goto PNG_FP_End;
2695       }
2696 
2697       /* Now deal with this type according to the current
2698        * state, the type is arranged to not overlap the
2699        * bits of the PNG_FP_STATE.
2700        */
2701       switch ((state & PNG_FP_STATE) + (type & PNG_FP_SAW_ANY))
2702       {
2703       case PNG_FP_INTEGER + PNG_FP_SAW_SIGN:
2704          if ((state & PNG_FP_SAW_ANY) != 0)
2705             goto PNG_FP_End; /* not a part of the number */
2706 
2707          png_fp_add(state, type);
2708          break;
2709 
2710       case PNG_FP_INTEGER + PNG_FP_SAW_DOT:
2711          /* Ok as trailer, ok as lead of fraction. */
2712          if ((state & PNG_FP_SAW_DOT) != 0) /* two dots */
2713             goto PNG_FP_End;
2714 
2715          else if ((state & PNG_FP_SAW_DIGIT) != 0) /* trailing dot? */
2716             png_fp_add(state, type);
2717 
2718          else
2719             png_fp_set(state, PNG_FP_FRACTION | type);
2720 
2721          break;
2722 
2723       case PNG_FP_INTEGER + PNG_FP_SAW_DIGIT:
2724          if ((state & PNG_FP_SAW_DOT) != 0) /* delayed fraction */
2725             png_fp_set(state, PNG_FP_FRACTION | PNG_FP_SAW_DOT);
2726 
2727          png_fp_add(state, type | PNG_FP_WAS_VALID);
2728 
2729          break;
2730 
2731       case PNG_FP_INTEGER + PNG_FP_SAW_E:
2732          if ((state & PNG_FP_SAW_DIGIT) == 0)
2733             goto PNG_FP_End;
2734 
2735          png_fp_set(state, PNG_FP_EXPONENT);
2736 
2737          break;
2738 
2739    /* case PNG_FP_FRACTION + PNG_FP_SAW_SIGN:
2740          goto PNG_FP_End; ** no sign in fraction */
2741 
2742    /* case PNG_FP_FRACTION + PNG_FP_SAW_DOT:
2743          goto PNG_FP_End; ** Because SAW_DOT is always set */
2744 
2745       case PNG_FP_FRACTION + PNG_FP_SAW_DIGIT:
2746          png_fp_add(state, type | PNG_FP_WAS_VALID);
2747          break;
2748 
2749       case PNG_FP_FRACTION + PNG_FP_SAW_E:
2750          /* This is correct because the trailing '.' on an
2751           * integer is handled above - so we can only get here
2752           * with the sequence ".E" (with no preceding digits).
2753           */
2754          if ((state & PNG_FP_SAW_DIGIT) == 0)
2755             goto PNG_FP_End;
2756 
2757          png_fp_set(state, PNG_FP_EXPONENT);
2758 
2759          break;
2760 
2761       case PNG_FP_EXPONENT + PNG_FP_SAW_SIGN:
2762          if ((state & PNG_FP_SAW_ANY) != 0)
2763             goto PNG_FP_End; /* not a part of the number */
2764 
2765          png_fp_add(state, PNG_FP_SAW_SIGN);
2766 
2767          break;
2768 
2769    /* case PNG_FP_EXPONENT + PNG_FP_SAW_DOT:
2770          goto PNG_FP_End; */
2771 
2772       case PNG_FP_EXPONENT + PNG_FP_SAW_DIGIT:
2773          png_fp_add(state, PNG_FP_SAW_DIGIT | PNG_FP_WAS_VALID);
2774 
2775          break;
2776 
2777    /* case PNG_FP_EXPONEXT + PNG_FP_SAW_E:
2778          goto PNG_FP_End; */
2779 
2780       default: goto PNG_FP_End; /* I.e. break 2 */
2781       }
2782 
2783       /* The character seems ok, continue. */
2784       ++i;
2785    }
2786 
2787 PNG_FP_End:
2788    /* Here at the end, update the state and return the correct
2789     * return code.
2790     */
2791    *statep = state;
2792    *whereami = i;
2793 
2794    return (state & PNG_FP_SAW_DIGIT) != 0;
2795 }
2796 
2797 
2798 /* The same but for a complete string. */
2799 int
2800 png_check_fp_string(png_const_charp string, png_size_t size)
2801 {
2802    int        state=0;
2803    png_size_t char_index=0;
2804 
2805    if (png_check_fp_number(string, size, &state, &char_index) != 0 &&
2806       (char_index == size || string[char_index] == 0))
2807       return state /* must be non-zero - see above */;
2808 
2809    return 0; /* i.e. fail */
2810 }
2811 #endif /* pCAL || sCAL */
2812 
2813 #ifdef PNG_sCAL_SUPPORTED
2814 #  ifdef PNG_FLOATING_POINT_SUPPORTED
2815 /* Utility used below - a simple accurate power of ten from an integral
2816  * exponent.
2817  */
2818 static double
2819 png_pow10(int power)
2820 {
2821    int recip = 0;
2822    double d = 1;
2823 
2824    /* Handle negative exponent with a reciprocal at the end because
2825     * 10 is exact whereas .1 is inexact in base 2
2826     */
2827    if (power < 0)
2828    {
2829       if (power < DBL_MIN_10_EXP) return 0;
2830       recip = 1, power = -power;
2831    }
2832 
2833    if (power > 0)
2834    {
2835       /* Decompose power bitwise. */
2836       double mult = 10;
2837       do
2838       {
2839          if (power & 1) d *= mult;
2840          mult *= mult;
2841          power >>= 1;
2842       }
2843       while (power > 0);
2844 
2845       if (recip != 0) d = 1/d;
2846    }
2847    /* else power is 0 and d is 1 */
2848 
2849    return d;
2850 }
2851 
2852 /* Function to format a floating point value in ASCII with a given
2853  * precision.
2854  */
2855 void /* PRIVATE */
2856 png_ascii_from_fp(png_const_structrp png_ptr, png_charp ascii, png_size_t size,
2857     double fp, unsigned int precision)
2858 {
2859    /* We use standard functions from math.h, but not printf because
2860     * that would require stdio.  The caller must supply a buffer of
2861     * sufficient size or we will png_error.  The tests on size and
2862     * the space in ascii[] consumed are indicated below.
2863     */
2864    if (precision < 1)
2865       precision = DBL_DIG;
2866 
2867    /* Enforce the limit of the implementation precision too. */
2868    if (precision > DBL_DIG+1)
2869       precision = DBL_DIG+1;
2870 
2871    /* Basic sanity checks */
2872    if (size >= precision+5) /* See the requirements below. */
2873    {
2874       if (fp < 0)
2875       {
2876          fp = -fp;
2877          *ascii++ = 45; /* '-'  PLUS 1 TOTAL 1 */
2878          --size;
2879       }
2880 
2881       if (fp >= DBL_MIN && fp <= DBL_MAX)
2882       {
2883          int exp_b10;   /* A base 10 exponent */
2884          double base;   /* 10^exp_b10 */
2885 
2886          /* First extract a base 10 exponent of the number,
2887           * the calculation below rounds down when converting
2888           * from base 2 to base 10 (multiply by log10(2) -
2889           * 0.3010, but 77/256 is 0.3008, so exp_b10 needs to
2890           * be increased.  Note that the arithmetic shift
2891           * performs a floor() unlike C arithmetic - using a
2892           * C multiply would break the following for negative
2893           * exponents.
2894           */
2895          (void)frexp(fp, &exp_b10); /* exponent to base 2 */
2896 
2897          exp_b10 = (exp_b10 * 77) >> 8; /* <= exponent to base 10 */
2898 
2899          /* Avoid underflow here. */
2900          base = png_pow10(exp_b10); /* May underflow */
2901 
2902          while (base < DBL_MIN || base < fp)
2903          {
2904             /* And this may overflow. */
2905             double test = png_pow10(exp_b10+1);
2906 
2907             if (test <= DBL_MAX)
2908                ++exp_b10, base = test;
2909 
2910             else
2911                break;
2912          }
2913 
2914          /* Normalize fp and correct exp_b10, after this fp is in the
2915           * range [.1,1) and exp_b10 is both the exponent and the digit
2916           * *before* which the decimal point should be inserted
2917           * (starting with 0 for the first digit).  Note that this
2918           * works even if 10^exp_b10 is out of range because of the
2919           * test on DBL_MAX above.
2920           */
2921          fp /= base;
2922          while (fp >= 1) fp /= 10, ++exp_b10;
2923 
2924          /* Because of the code above fp may, at this point, be
2925           * less than .1, this is ok because the code below can
2926           * handle the leading zeros this generates, so no attempt
2927           * is made to correct that here.
2928           */
2929 
2930          {
2931             unsigned int czero, clead, cdigits;
2932             char exponent[10];
2933 
2934             /* Allow up to two leading zeros - this will not lengthen
2935              * the number compared to using E-n.
2936              */
2937             if (exp_b10 < 0 && exp_b10 > -3) /* PLUS 3 TOTAL 4 */
2938             {
2939                czero = -exp_b10; /* PLUS 2 digits: TOTAL 3 */
2940                exp_b10 = 0;      /* Dot added below before first output. */
2941             }
2942             else
2943                czero = 0;    /* No zeros to add */
2944 
2945             /* Generate the digit list, stripping trailing zeros and
2946              * inserting a '.' before a digit if the exponent is 0.
2947              */
2948             clead = czero; /* Count of leading zeros */
2949             cdigits = 0;   /* Count of digits in list. */
2950 
2951             do
2952             {
2953                double d;
2954 
2955                fp *= 10;
2956                /* Use modf here, not floor and subtract, so that
2957                 * the separation is done in one step.  At the end
2958                 * of the loop don't break the number into parts so
2959                 * that the final digit is rounded.
2960                 */
2961                if (cdigits+czero+1 < precision+clead)
2962                   fp = modf(fp, &d);
2963 
2964                else
2965                {
2966                   d = floor(fp + .5);
2967 
2968                   if (d > 9)
2969                   {
2970                      /* Rounding up to 10, handle that here. */
2971                      if (czero > 0)
2972                      {
2973                         --czero, d = 1;
2974                         if (cdigits == 0) --clead;
2975                      }
2976                      else
2977                      {
2978                         while (cdigits > 0 && d > 9)
2979                         {
2980                            int ch = *--ascii;
2981 
2982                            if (exp_b10 != (-1))
2983                               ++exp_b10;
2984 
2985                            else if (ch == 46)
2986                            {
2987                               ch = *--ascii, ++size;
2988                               /* Advance exp_b10 to '1', so that the
2989                                * decimal point happens after the
2990                                * previous digit.
2991                                */
2992                               exp_b10 = 1;
2993                            }
2994 
2995                            --cdigits;
2996                            d = ch - 47;  /* I.e. 1+(ch-48) */
2997                         }
2998 
2999                         /* Did we reach the beginning? If so adjust the
3000                          * exponent but take into account the leading
3001                          * decimal point.
3002                          */
3003                         if (d > 9)  /* cdigits == 0 */
3004                         {
3005                            if (exp_b10 == (-1))
3006                            {
3007                               /* Leading decimal point (plus zeros?), if
3008                                * we lose the decimal point here it must
3009                                * be reentered below.
3010                                */
3011                               int ch = *--ascii;
3012 
3013                               if (ch == 46)
3014                                  ++size, exp_b10 = 1;
3015 
3016                               /* Else lost a leading zero, so 'exp_b10' is
3017                                * still ok at (-1)
3018                                */
3019                            }
3020                            else
3021                               ++exp_b10;
3022 
3023                            /* In all cases we output a '1' */
3024                            d = 1;
3025                         }
3026                      }
3027                   }
3028                   fp = 0; /* Guarantees termination below. */
3029                }
3030 
3031                if (d == 0)
3032                {
3033                   ++czero;
3034                   if (cdigits == 0) ++clead;
3035                }
3036                else
3037                {
3038                   /* Included embedded zeros in the digit count. */
3039                   cdigits += czero - clead;
3040                   clead = 0;
3041 
3042                   while (czero > 0)
3043                   {
3044                      /* exp_b10 == (-1) means we just output the decimal
3045                       * place - after the DP don't adjust 'exp_b10' any
3046                       * more!
3047                       */
3048                      if (exp_b10 != (-1))
3049                      {
3050                         if (exp_b10 == 0) *ascii++ = 46, --size;
3051                         /* PLUS 1: TOTAL 4 */
3052                         --exp_b10;
3053                      }
3054                      *ascii++ = 48, --czero;
3055                   }
3056 
3057                   if (exp_b10 != (-1))
3058                   {
3059                      if (exp_b10 == 0)
3060                         *ascii++ = 46, --size; /* counted above */
3061 
3062                      --exp_b10;
3063                   }
3064                   *ascii++ = (char)(48 + (int)d), ++cdigits;
3065                }
3066             }
3067             while (cdigits+czero < precision+clead && fp > DBL_MIN);
3068 
3069             /* The total output count (max) is now 4+precision */
3070 
3071             /* Check for an exponent, if we don't need one we are
3072              * done and just need to terminate the string.  At
3073              * this point exp_b10==(-1) is effectively if flag - it got
3074              * to '-1' because of the decrement after outputting
3075              * the decimal point above (the exponent required is
3076              * *not* -1!)
3077              */
3078             if (exp_b10 >= (-1) && exp_b10 <= 2)
3079             {
3080                /* The following only happens if we didn't output the
3081                 * leading zeros above for negative exponent, so this
3082                 * doesn't add to the digit requirement.  Note that the
3083                 * two zeros here can only be output if the two leading
3084                 * zeros were *not* output, so this doesn't increase
3085                 * the output count.
3086                 */
3087                while (--exp_b10 >= 0) *ascii++ = 48;
3088 
3089                *ascii = 0;
3090 
3091                /* Total buffer requirement (including the '\0') is
3092                 * 5+precision - see check at the start.
3093                 */
3094                return;
3095             }
3096 
3097             /* Here if an exponent is required, adjust size for
3098              * the digits we output but did not count.  The total
3099              * digit output here so far is at most 1+precision - no
3100              * decimal point and no leading or trailing zeros have
3101              * been output.
3102              */
3103             size -= cdigits;
3104 
3105             *ascii++ = 69, --size;    /* 'E': PLUS 1 TOTAL 2+precision */
3106 
3107             /* The following use of an unsigned temporary avoids ambiguities in
3108              * the signed arithmetic on exp_b10 and permits GCC at least to do
3109              * better optimization.
3110              */
3111             {
3112                unsigned int uexp_b10;
3113 
3114                if (exp_b10 < 0)
3115                {
3116                   *ascii++ = 45, --size; /* '-': PLUS 1 TOTAL 3+precision */
3117                   uexp_b10 = -exp_b10;
3118                }
3119 
3120                else
3121                   uexp_b10 = exp_b10;
3122 
3123                cdigits = 0;
3124 
3125                while (uexp_b10 > 0)
3126                {
3127                   exponent[cdigits++] = (char)(48 + uexp_b10 % 10);
3128                   uexp_b10 /= 10;
3129                }
3130             }
3131 
3132             /* Need another size check here for the exponent digits, so
3133              * this need not be considered above.
3134              */
3135             if (size > cdigits)
3136             {
3137                while (cdigits > 0) *ascii++ = exponent[--cdigits];
3138 
3139                *ascii = 0;
3140 
3141                return;
3142             }
3143          }
3144       }
3145       else if (!(fp >= DBL_MIN))
3146       {
3147          *ascii++ = 48; /* '0' */
3148          *ascii = 0;
3149          return;
3150       }
3151       else
3152       {
3153          *ascii++ = 105; /* 'i' */
3154          *ascii++ = 110; /* 'n' */
3155          *ascii++ = 102; /* 'f' */
3156          *ascii = 0;
3157          return;
3158       }
3159    }
3160 
3161    /* Here on buffer too small. */
3162    png_error(png_ptr, "ASCII conversion buffer too small");
3163 }
3164 
3165 #  endif /* FLOATING_POINT */
3166 
3167 #  ifdef PNG_FIXED_POINT_SUPPORTED
3168 /* Function to format a fixed point value in ASCII.
3169  */
3170 void /* PRIVATE */
3171 png_ascii_from_fixed(png_const_structrp png_ptr, png_charp ascii,
3172     png_size_t size, png_fixed_point fp)
3173 {
3174    /* Require space for 10 decimal digits, a decimal point, a minus sign and a
3175     * trailing \0, 13 characters:
3176     */
3177    if (size > 12)
3178    {
3179       png_uint_32 num;
3180 
3181       /* Avoid overflow here on the minimum integer. */
3182       if (fp < 0)
3183          *ascii++ = 45, num = -fp;
3184       else
3185          num = fp;
3186 
3187       if (num <= 0x80000000) /* else overflowed */
3188       {
3189          unsigned int ndigits = 0, first = 16 /* flag value */;
3190          char digits[10];
3191 
3192          while (num)
3193          {
3194             /* Split the low digit off num: */
3195             unsigned int tmp = num/10;
3196             num -= tmp*10;
3197             digits[ndigits++] = (char)(48 + num);
3198             /* Record the first non-zero digit, note that this is a number
3199              * starting at 1, it's not actually the array index.
3200              */
3201             if (first == 16 && num > 0)
3202                first = ndigits;
3203             num = tmp;
3204          }
3205 
3206          if (ndigits > 0)
3207          {
3208             while (ndigits > 5) *ascii++ = digits[--ndigits];
3209             /* The remaining digits are fractional digits, ndigits is '5' or
3210              * smaller at this point.  It is certainly not zero.  Check for a
3211              * non-zero fractional digit:
3212              */
3213             if (first <= 5)
3214             {
3215                unsigned int i;
3216                *ascii++ = 46; /* decimal point */
3217                /* ndigits may be <5 for small numbers, output leading zeros
3218                 * then ndigits digits to first:
3219                 */
3220                i = 5;
3221                while (ndigits < i) *ascii++ = 48, --i;
3222                while (ndigits >= first) *ascii++ = digits[--ndigits];
3223                /* Don't output the trailing zeros! */
3224             }
3225          }
3226          else
3227             *ascii++ = 48;
3228 
3229          /* And null terminate the string: */
3230          *ascii = 0;
3231          return;
3232       }
3233    }
3234 
3235    /* Here on buffer too small. */
3236    png_error(png_ptr, "ASCII conversion buffer too small");
3237 }
3238 #   endif /* FIXED_POINT */
3239 #endif /* SCAL */
3240 
3241 #if defined(PNG_FLOATING_POINT_SUPPORTED) && \
3242    !defined(PNG_FIXED_POINT_MACRO_SUPPORTED) && \
3243    (defined(PNG_gAMA_SUPPORTED) || defined(PNG_cHRM_SUPPORTED) || \
3244    defined(PNG_sCAL_SUPPORTED) || defined(PNG_READ_BACKGROUND_SUPPORTED) || \
3245    defined(PNG_READ_RGB_TO_GRAY_SUPPORTED)) || \
3246    (defined(PNG_sCAL_SUPPORTED) && \
3247    defined(PNG_FLOATING_ARITHMETIC_SUPPORTED))
3248 png_fixed_point
3249 png_fixed(png_const_structrp png_ptr, double fp, png_const_charp text)
3250 {
3251    double r = floor(100000 * fp + .5);
3252 
3253    if (r > 2147483647. || r < -2147483648.)
3254       png_fixed_error(png_ptr, text);
3255 
3256 #  ifndef PNG_ERROR_TEXT_SUPPORTED
3257    PNG_UNUSED(text)
3258 #  endif
3259 
3260    return (png_fixed_point)r;
3261 }
3262 #endif
3263 
3264 #if defined(PNG_GAMMA_SUPPORTED) || defined(PNG_COLORSPACE_SUPPORTED) ||\
3265     defined(PNG_INCH_CONVERSIONS_SUPPORTED) || defined(PNG_READ_pHYs_SUPPORTED)
3266 /* muldiv functions */
3267 /* This API takes signed arguments and rounds the result to the nearest
3268  * integer (or, for a fixed point number - the standard argument - to
3269  * the nearest .00001).  Overflow and divide by zero are signalled in
3270  * the result, a boolean - true on success, false on overflow.
3271  */
3272 int
3273 png_muldiv(png_fixed_point_p res, png_fixed_point a, png_int_32 times,
3274     png_int_32 divisor)
3275 {
3276    /* Return a * times / divisor, rounded. */
3277    if (divisor != 0)
3278    {
3279       if (a == 0 || times == 0)
3280       {
3281          *res = 0;
3282          return 1;
3283       }
3284       else
3285       {
3286 #ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED
3287          double r = a;
3288          r *= times;
3289          r /= divisor;
3290          r = floor(r+.5);
3291 
3292          /* A png_fixed_point is a 32-bit integer. */
3293          if (r <= 2147483647. && r >= -2147483648.)
3294          {
3295             *res = (png_fixed_point)r;
3296             return 1;
3297          }
3298 #else
3299          int negative = 0;
3300          png_uint_32 A, T, D;
3301          png_uint_32 s16, s32, s00;
3302 
3303          if (a < 0)
3304             negative = 1, A = -a;
3305          else
3306             A = a;
3307 
3308          if (times < 0)
3309             negative = !negative, T = -times;
3310          else
3311             T = times;
3312 
3313          if (divisor < 0)
3314             negative = !negative, D = -divisor;
3315          else
3316             D = divisor;
3317 
3318          /* Following can't overflow because the arguments only
3319           * have 31 bits each, however the result may be 32 bits.
3320           */
3321          s16 = (A >> 16) * (T & 0xffff) +
3322                            (A & 0xffff) * (T >> 16);
3323          /* Can't overflow because the a*times bit is only 30
3324           * bits at most.
3325           */
3326          s32 = (A >> 16) * (T >> 16) + (s16 >> 16);
3327          s00 = (A & 0xffff) * (T & 0xffff);
3328 
3329          s16 = (s16 & 0xffff) << 16;
3330          s00 += s16;
3331 
3332          if (s00 < s16)
3333             ++s32; /* carry */
3334 
3335          if (s32 < D) /* else overflow */
3336          {
3337             /* s32.s00 is now the 64-bit product, do a standard
3338              * division, we know that s32 < D, so the maximum
3339              * required shift is 31.
3340              */
3341             int bitshift = 32;
3342             png_fixed_point result = 0; /* NOTE: signed */
3343 
3344             while (--bitshift >= 0)
3345             {
3346                png_uint_32 d32, d00;
3347 
3348                if (bitshift > 0)
3349                   d32 = D >> (32-bitshift), d00 = D << bitshift;
3350 
3351                else
3352                   d32 = 0, d00 = D;
3353 
3354                if (s32 > d32)
3355                {
3356                   if (s00 < d00) --s32; /* carry */
3357                   s32 -= d32, s00 -= d00, result += 1<<bitshift;
3358                }
3359 
3360                else
3361                   if (s32 == d32 && s00 >= d00)
3362                      s32 = 0, s00 -= d00, result += 1<<bitshift;
3363             }
3364 
3365             /* Handle the rounding. */
3366             if (s00 >= (D >> 1))
3367                ++result;
3368 
3369             if (negative != 0)
3370                result = -result;
3371 
3372             /* Check for overflow. */
3373             if ((negative != 0 && result <= 0) ||
3374                 (negative == 0 && result >= 0))
3375             {
3376                *res = result;
3377                return 1;
3378             }
3379          }
3380 #endif
3381       }
3382    }
3383 
3384    return 0;
3385 }
3386 #endif /* READ_GAMMA || INCH_CONVERSIONS */
3387 
3388 #if defined(PNG_READ_GAMMA_SUPPORTED) || defined(PNG_INCH_CONVERSIONS_SUPPORTED)
3389 /* The following is for when the caller doesn't much care about the
3390  * result.
3391  */
3392 png_fixed_point
3393 png_muldiv_warn(png_const_structrp png_ptr, png_fixed_point a, png_int_32 times,
3394     png_int_32 divisor)
3395 {
3396    png_fixed_point result;
3397 
3398    if (png_muldiv(&result, a, times, divisor) != 0)
3399       return result;
3400 
3401    png_warning(png_ptr, "fixed point overflow ignored");
3402    return 0;
3403 }
3404 #endif
3405 
3406 #ifdef PNG_GAMMA_SUPPORTED /* more fixed point functions for gamma */
3407 /* Calculate a reciprocal, return 0 on div-by-zero or overflow. */
3408 png_fixed_point
3409 png_reciprocal(png_fixed_point a)
3410 {
3411 #ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED
3412    double r = floor(1E10/a+.5);
3413 
3414    if (r <= 2147483647. && r >= -2147483648.)
3415       return (png_fixed_point)r;
3416 #else
3417    png_fixed_point res;
3418 
3419    if (png_muldiv(&res, 100000, 100000, a) != 0)
3420       return res;
3421 #endif
3422 
3423    return 0; /* error/overflow */
3424 }
3425 
3426 /* This is the shared test on whether a gamma value is 'significant' - whether
3427  * it is worth doing gamma correction.
3428  */
3429 int /* PRIVATE */
3430 png_gamma_significant(png_fixed_point gamma_val)
3431 {
3432    return gamma_val < PNG_FP_1 - PNG_GAMMA_THRESHOLD_FIXED ||
3433        gamma_val > PNG_FP_1 + PNG_GAMMA_THRESHOLD_FIXED;
3434 }
3435 #endif
3436 
3437 #ifdef PNG_READ_GAMMA_SUPPORTED
3438 #ifdef PNG_16BIT_SUPPORTED
3439 /* A local convenience routine. */
3440 static png_fixed_point
3441 png_product2(png_fixed_point a, png_fixed_point b)
3442 {
3443    /* The required result is 1/a * 1/b; the following preserves accuracy. */
3444 #ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED
3445    double r = a * 1E-5;
3446    r *= b;
3447    r = floor(r+.5);
3448 
3449    if (r <= 2147483647. && r >= -2147483648.)
3450       return (png_fixed_point)r;
3451 #else
3452    png_fixed_point res;
3453 
3454    if (png_muldiv(&res, a, b, 100000) != 0)
3455       return res;
3456 #endif
3457 
3458    return 0; /* overflow */
3459 }
3460 #endif /* 16BIT */
3461 
3462 /* The inverse of the above. */
3463 png_fixed_point
3464 png_reciprocal2(png_fixed_point a, png_fixed_point b)
3465 {
3466    /* The required result is 1/a * 1/b; the following preserves accuracy. */
3467 #ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED
3468    if (a != 0 && b != 0)
3469    {
3470       double r = 1E15/a;
3471       r /= b;
3472       r = floor(r+.5);
3473 
3474       if (r <= 2147483647. && r >= -2147483648.)
3475          return (png_fixed_point)r;
3476    }
3477 #else
3478    /* This may overflow because the range of png_fixed_point isn't symmetric,
3479     * but this API is only used for the product of file and screen gamma so it
3480     * doesn't matter that the smallest number it can produce is 1/21474, not
3481     * 1/100000
3482     */
3483    png_fixed_point res = png_product2(a, b);
3484 
3485    if (res != 0)
3486       return png_reciprocal(res);
3487 #endif
3488 
3489    return 0; /* overflow */
3490 }
3491 #endif /* READ_GAMMA */
3492 
3493 #ifdef PNG_READ_GAMMA_SUPPORTED /* gamma table code */
3494 #ifndef PNG_FLOATING_ARITHMETIC_SUPPORTED
3495 /* Fixed point gamma.
3496  *
3497  * The code to calculate the tables used below can be found in the shell script
3498  * contrib/tools/intgamma.sh
3499  *
3500  * To calculate gamma this code implements fast log() and exp() calls using only
3501  * fixed point arithmetic.  This code has sufficient precision for either 8-bit
3502  * or 16-bit sample values.
3503  *
3504  * The tables used here were calculated using simple 'bc' programs, but C double
3505  * precision floating point arithmetic would work fine.
3506  *
3507  * 8-bit log table
3508  *   This is a table of -log(value/255)/log(2) for 'value' in the range 128 to
3509  *   255, so it's the base 2 logarithm of a normalized 8-bit floating point
3510  *   mantissa.  The numbers are 32-bit fractions.
3511  */
3512 static const png_uint_32
3513 png_8bit_l2[128] =
3514 {
3515    4270715492U, 4222494797U, 4174646467U, 4127164793U, 4080044201U, 4033279239U,
3516    3986864580U, 3940795015U, 3895065449U, 3849670902U, 3804606499U, 3759867474U,
3517    3715449162U, 3671346997U, 3627556511U, 3584073329U, 3540893168U, 3498011834U,
3518    3455425220U, 3413129301U, 3371120137U, 3329393864U, 3287946700U, 3246774933U,
3519    3205874930U, 3165243125U, 3124876025U, 3084770202U, 3044922296U, 3005329011U,
3520    2965987113U, 2926893432U, 2888044853U, 2849438323U, 2811070844U, 2772939474U,
3521    2735041326U, 2697373562U, 2659933400U, 2622718104U, 2585724991U, 2548951424U,
3522    2512394810U, 2476052606U, 2439922311U, 2404001468U, 2368287663U, 2332778523U,
3523    2297471715U, 2262364947U, 2227455964U, 2192742551U, 2158222529U, 2123893754U,
3524    2089754119U, 2055801552U, 2022034013U, 1988449497U, 1955046031U, 1921821672U,
3525    1888774511U, 1855902668U, 1823204291U, 1790677560U, 1758320682U, 1726131893U,
3526    1694109454U, 1662251657U, 1630556815U, 1599023271U, 1567649391U, 1536433567U,
3527    1505374214U, 1474469770U, 1443718700U, 1413119487U, 1382670639U, 1352370686U,
3528    1322218179U, 1292211689U, 1262349810U, 1232631153U, 1203054352U, 1173618059U,
3529    1144320946U, 1115161701U, 1086139034U, 1057251672U, 1028498358U, 999877854U,
3530    971388940U, 943030410U, 914801076U, 886699767U, 858725327U, 830876614U,
3531    803152505U, 775551890U, 748073672U, 720716771U, 693480120U, 666362667U,
3532    639363374U, 612481215U, 585715177U, 559064263U, 532527486U, 506103872U,
3533    479792461U, 453592303U, 427502463U, 401522014U, 375650043U, 349885648U,
3534    324227938U, 298676034U, 273229066U, 247886176U, 222646516U, 197509248U,
3535    172473545U, 147538590U, 122703574U, 97967701U, 73330182U, 48790236U,
3536    24347096U, 0U
3537 
3538 #if 0
3539    /* The following are the values for 16-bit tables - these work fine for the
3540     * 8-bit conversions but produce very slightly larger errors in the 16-bit
3541     * log (about 1.2 as opposed to 0.7 absolute error in the final value).  To
3542     * use these all the shifts below must be adjusted appropriately.
3543     */
3544    65166, 64430, 63700, 62976, 62257, 61543, 60835, 60132, 59434, 58741, 58054,
3545    57371, 56693, 56020, 55352, 54689, 54030, 53375, 52726, 52080, 51439, 50803,
3546    50170, 49542, 48918, 48298, 47682, 47070, 46462, 45858, 45257, 44661, 44068,
3547    43479, 42894, 42312, 41733, 41159, 40587, 40020, 39455, 38894, 38336, 37782,
3548    37230, 36682, 36137, 35595, 35057, 34521, 33988, 33459, 32932, 32408, 31887,
3549    31369, 30854, 30341, 29832, 29325, 28820, 28319, 27820, 27324, 26830, 26339,
3550    25850, 25364, 24880, 24399, 23920, 23444, 22970, 22499, 22029, 21562, 21098,
3551    20636, 20175, 19718, 19262, 18808, 18357, 17908, 17461, 17016, 16573, 16132,
3552    15694, 15257, 14822, 14390, 13959, 13530, 13103, 12678, 12255, 11834, 11415,
3553    10997, 10582, 10168, 9756, 9346, 8937, 8531, 8126, 7723, 7321, 6921, 6523,
3554    6127, 5732, 5339, 4947, 4557, 4169, 3782, 3397, 3014, 2632, 2251, 1872, 1495,
3555    1119, 744, 372
3556 #endif
3557 };
3558 
3559 static png_int_32
3560 png_log8bit(unsigned int x)
3561 {
3562    unsigned int lg2 = 0;
3563    /* Each time 'x' is multiplied by 2, 1 must be subtracted off the final log,
3564     * because the log is actually negate that means adding 1.  The final
3565     * returned value thus has the range 0 (for 255 input) to 7.994 (for 1
3566     * input), return -1 for the overflow (log 0) case, - so the result is
3567     * always at most 19 bits.
3568     */
3569    if ((x &= 0xff) == 0)
3570       return -1;
3571 
3572    if ((x & 0xf0) == 0)
3573       lg2  = 4, x <<= 4;
3574 
3575    if ((x & 0xc0) == 0)
3576       lg2 += 2, x <<= 2;
3577 
3578    if ((x & 0x80) == 0)
3579       lg2 += 1, x <<= 1;
3580 
3581    /* result is at most 19 bits, so this cast is safe: */
3582    return (png_int_32)((lg2 << 16) + ((png_8bit_l2[x-128]+32768)>>16));
3583 }
3584 
3585 /* The above gives exact (to 16 binary places) log2 values for 8-bit images,
3586  * for 16-bit images we use the most significant 8 bits of the 16-bit value to
3587  * get an approximation then multiply the approximation by a correction factor
3588  * determined by the remaining up to 8 bits.  This requires an additional step
3589  * in the 16-bit case.
3590  *
3591  * We want log2(value/65535), we have log2(v'/255), where:
3592  *
3593  *    value = v' * 256 + v''
3594  *          = v' * f
3595  *
3596  * So f is value/v', which is equal to (256+v''/v') since v' is in the range 128
3597  * to 255 and v'' is in the range 0 to 255 f will be in the range 256 to less
3598  * than 258.  The final factor also needs to correct for the fact that our 8-bit
3599  * value is scaled by 255, whereas the 16-bit values must be scaled by 65535.
3600  *
3601  * This gives a final formula using a calculated value 'x' which is value/v' and
3602  * scaling by 65536 to match the above table:
3603  *
3604  *   log2(x/257) * 65536
3605  *
3606  * Since these numbers are so close to '1' we can use simple linear
3607  * interpolation between the two end values 256/257 (result -368.61) and 258/257
3608  * (result 367.179).  The values used below are scaled by a further 64 to give
3609  * 16-bit precision in the interpolation:
3610  *
3611  * Start (256): -23591
3612  * Zero  (257):      0
3613  * End   (258):  23499
3614  */
3615 #ifdef PNG_16BIT_SUPPORTED
3616 static png_int_32
3617 png_log16bit(png_uint_32 x)
3618 {
3619    unsigned int lg2 = 0;
3620 
3621    /* As above, but now the input has 16 bits. */
3622    if ((x &= 0xffff) == 0)
3623       return -1;
3624 
3625    if ((x & 0xff00) == 0)
3626       lg2  = 8, x <<= 8;
3627 
3628    if ((x & 0xf000) == 0)
3629       lg2 += 4, x <<= 4;
3630 
3631    if ((x & 0xc000) == 0)
3632       lg2 += 2, x <<= 2;
3633 
3634    if ((x & 0x8000) == 0)
3635       lg2 += 1, x <<= 1;
3636 
3637    /* Calculate the base logarithm from the top 8 bits as a 28-bit fractional
3638     * value.
3639     */
3640    lg2 <<= 28;
3641    lg2 += (png_8bit_l2[(x>>8)-128]+8) >> 4;
3642 
3643    /* Now we need to interpolate the factor, this requires a division by the top
3644     * 8 bits.  Do this with maximum precision.
3645     */
3646    x = ((x << 16) + (x >> 9)) / (x >> 8);
3647 
3648    /* Since we divided by the top 8 bits of 'x' there will be a '1' at 1<<24,
3649     * the value at 1<<16 (ignoring this) will be 0 or 1; this gives us exactly
3650     * 16 bits to interpolate to get the low bits of the result.  Round the
3651     * answer.  Note that the end point values are scaled by 64 to retain overall
3652     * precision and that 'lg2' is current scaled by an extra 12 bits, so adjust
3653     * the overall scaling by 6-12.  Round at every step.
3654     */
3655    x -= 1U << 24;
3656 
3657    if (x <= 65536U) /* <= '257' */
3658       lg2 += ((23591U * (65536U-x)) + (1U << (16+6-12-1))) >> (16+6-12);
3659 
3660    else
3661       lg2 -= ((23499U * (x-65536U)) + (1U << (16+6-12-1))) >> (16+6-12);
3662 
3663    /* Safe, because the result can't have more than 20 bits: */
3664    return (png_int_32)((lg2 + 2048) >> 12);
3665 }
3666 #endif /* 16BIT */
3667 
3668 /* The 'exp()' case must invert the above, taking a 20-bit fixed point
3669  * logarithmic value and returning a 16 or 8-bit number as appropriate.  In
3670  * each case only the low 16 bits are relevant - the fraction - since the
3671  * integer bits (the top 4) simply determine a shift.
3672  *
3673  * The worst case is the 16-bit distinction between 65535 and 65534. This
3674  * requires perhaps spurious accuracy in the decoding of the logarithm to
3675  * distinguish log2(65535/65534.5) - 10^-5 or 17 bits.  There is little chance
3676  * of getting this accuracy in practice.
3677  *
3678  * To deal with this the following exp() function works out the exponent of the
3679  * frational part of the logarithm by using an accurate 32-bit value from the
3680  * top four fractional bits then multiplying in the remaining bits.
3681  */
3682 static const png_uint_32
3683 png_32bit_exp[16] =
3684 {
3685    /* NOTE: the first entry is deliberately set to the maximum 32-bit value. */
3686    4294967295U, 4112874773U, 3938502376U, 3771522796U, 3611622603U, 3458501653U,
3687    3311872529U, 3171459999U, 3037000500U, 2908241642U, 2784941738U, 2666869345U,
3688    2553802834U, 2445529972U, 2341847524U, 2242560872U
3689 };
3690 
3691 /* Adjustment table; provided to explain the numbers in the code below. */
3692 #if 0
3693 for (i=11;i>=0;--i){ print i, " ", (1 - e(-(2^i)/65536*l(2))) * 2^(32-i), "\n"}
3694    11 44937.64284865548751208448
3695    10 45180.98734845585101160448
3696     9 45303.31936980687359311872
3697     8 45364.65110595323018870784
3698     7 45395.35850361789624614912
3699     6 45410.72259715102037508096
3700     5 45418.40724413220722311168
3701     4 45422.25021786898173001728
3702     3 45424.17186732298419044352
3703     2 45425.13273269940811464704
3704     1 45425.61317555035558641664
3705     0 45425.85339951654943850496
3706 #endif
3707 
3708 static png_uint_32
3709 png_exp(png_fixed_point x)
3710 {
3711    if (x > 0 && x <= 0xfffff) /* Else overflow or zero (underflow) */
3712    {
3713       /* Obtain a 4-bit approximation */
3714       png_uint_32 e = png_32bit_exp[(x >> 12) & 0x0f];
3715 
3716       /* Incorporate the low 12 bits - these decrease the returned value by
3717        * multiplying by a number less than 1 if the bit is set.  The multiplier
3718        * is determined by the above table and the shift. Notice that the values
3719        * converge on 45426 and this is used to allow linear interpolation of the
3720        * low bits.
3721        */
3722       if (x & 0x800)
3723          e -= (((e >> 16) * 44938U) +  16U) >> 5;
3724 
3725       if (x & 0x400)
3726          e -= (((e >> 16) * 45181U) +  32U) >> 6;
3727 
3728       if (x & 0x200)
3729          e -= (((e >> 16) * 45303U) +  64U) >> 7;
3730 
3731       if (x & 0x100)
3732          e -= (((e >> 16) * 45365U) + 128U) >> 8;
3733 
3734       if (x & 0x080)
3735          e -= (((e >> 16) * 45395U) + 256U) >> 9;
3736 
3737       if (x & 0x040)
3738          e -= (((e >> 16) * 45410U) + 512U) >> 10;
3739 
3740       /* And handle the low 6 bits in a single block. */
3741       e -= (((e >> 16) * 355U * (x & 0x3fU)) + 256U) >> 9;
3742 
3743       /* Handle the upper bits of x. */
3744       e >>= x >> 16;
3745       return e;
3746    }
3747 
3748    /* Check for overflow */
3749    if (x <= 0)
3750       return png_32bit_exp[0];
3751 
3752    /* Else underflow */
3753    return 0;
3754 }
3755 
3756 static png_byte
3757 png_exp8bit(png_fixed_point lg2)
3758 {
3759    /* Get a 32-bit value: */
3760    png_uint_32 x = png_exp(lg2);
3761 
3762    /* Convert the 32-bit value to 0..255 by multiplying by 256-1. Note that the
3763     * second, rounding, step can't overflow because of the first, subtraction,
3764     * step.
3765     */
3766    x -= x >> 8;
3767    return (png_byte)(((x + 0x7fffffU) >> 24) & 0xff);
3768 }
3769 
3770 #ifdef PNG_16BIT_SUPPORTED
3771 static png_uint_16
3772 png_exp16bit(png_fixed_point lg2)
3773 {
3774    /* Get a 32-bit value: */
3775    png_uint_32 x = png_exp(lg2);
3776 
3777    /* Convert the 32-bit value to 0..65535 by multiplying by 65536-1: */
3778    x -= x >> 16;
3779    return (png_uint_16)((x + 32767U) >> 16);
3780 }
3781 #endif /* 16BIT */
3782 #endif /* FLOATING_ARITHMETIC */
3783 
3784 png_byte
3785 png_gamma_8bit_correct(unsigned int value, png_fixed_point gamma_val)
3786 {
3787    if (value > 0 && value < 255)
3788    {
3789 #     ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED
3790          /* 'value' is unsigned, ANSI-C90 requires the compiler to correctly
3791           * convert this to a floating point value.  This includes values that
3792           * would overflow if 'value' were to be converted to 'int'.
3793           *
3794           * Apparently GCC, however, does an intermediate conversion to (int)
3795           * on some (ARM) but not all (x86) platforms, possibly because of
3796           * hardware FP limitations.  (E.g. if the hardware conversion always
3797           * assumes the integer register contains a signed value.)  This results
3798           * in ANSI-C undefined behavior for large values.
3799           *
3800           * Other implementations on the same machine might actually be ANSI-C90
3801           * conformant and therefore compile spurious extra code for the large
3802           * values.
3803           *
3804           * We can be reasonably sure that an unsigned to float conversion
3805           * won't be faster than an int to float one.  Therefore this code
3806           * assumes responsibility for the undefined behavior, which it knows
3807           * can't happen because of the check above.
3808           *
3809           * Note the argument to this routine is an (unsigned int) because, on
3810           * 16-bit platforms, it is assigned a value which might be out of
3811           * range for an (int); that would result in undefined behavior in the
3812           * caller if the *argument* ('value') were to be declared (int).
3813           */
3814          double r = floor(255*pow((int)/*SAFE*/value/255.,gamma_val*.00001)+.5);
3815          return (png_byte)r;
3816 #     else
3817          png_int_32 lg2 = png_log8bit(value);
3818          png_fixed_point res;
3819 
3820          if (png_muldiv(&res, gamma_val, lg2, PNG_FP_1) != 0)
3821             return png_exp8bit(res);
3822 
3823          /* Overflow. */
3824          value = 0;
3825 #     endif
3826    }
3827 
3828    return (png_byte)(value & 0xff);
3829 }
3830 
3831 #ifdef PNG_16BIT_SUPPORTED
3832 png_uint_16
3833 png_gamma_16bit_correct(unsigned int value, png_fixed_point gamma_val)
3834 {
3835    if (value > 0 && value < 65535)
3836    {
3837 #     ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED
3838          /* The same (unsigned int)->(double) constraints apply here as above,
3839           * however in this case the (unsigned int) to (int) conversion can
3840           * overflow on an ANSI-C90 compliant system so the cast needs to ensure
3841           * that this is not possible.
3842           */
3843          double r = floor(65535*pow((png_int_32)value/65535.,
3844                      gamma_val*.00001)+.5);
3845          return (png_uint_16)r;
3846 #     else
3847          png_int_32 lg2 = png_log16bit(value);
3848          png_fixed_point res;
3849 
3850          if (png_muldiv(&res, gamma_val, lg2, PNG_FP_1) != 0)
3851             return png_exp16bit(res);
3852 
3853          /* Overflow. */
3854          value = 0;
3855 #     endif
3856    }
3857 
3858    return (png_uint_16)value;
3859 }
3860 #endif /* 16BIT */
3861 
3862 /* This does the right thing based on the bit_depth field of the
3863  * png_struct, interpreting values as 8-bit or 16-bit.  While the result
3864  * is nominally a 16-bit value if bit depth is 8 then the result is
3865  * 8-bit (as are the arguments.)
3866  */
3867 png_uint_16 /* PRIVATE */
3868 png_gamma_correct(png_structrp png_ptr, unsigned int value,
3869     png_fixed_point gamma_val)
3870 {
3871    if (png_ptr->bit_depth == 8)
3872       return png_gamma_8bit_correct(value, gamma_val);
3873 
3874 #ifdef PNG_16BIT_SUPPORTED
3875    else
3876       return png_gamma_16bit_correct(value, gamma_val);
3877 #else
3878       /* should not reach this */
3879       return 0;
3880 #endif /* 16BIT */
3881 }
3882 
3883 #ifdef PNG_16BIT_SUPPORTED
3884 /* Internal function to build a single 16-bit table - the table consists of
3885  * 'num' 256 entry subtables, where 'num' is determined by 'shift' - the amount
3886  * to shift the input values right (or 16-number_of_signifiant_bits).
3887  *
3888  * The caller is responsible for ensuring that the table gets cleaned up on
3889  * png_error (i.e. if one of the mallocs below fails) - i.e. the *table argument
3890  * should be somewhere that will be cleaned.
3891  */
3892 static void
3893 png_build_16bit_table(png_structrp png_ptr, png_uint_16pp *ptable,
3894    PNG_CONST unsigned int shift, PNG_CONST png_fixed_point gamma_val)
3895 {
3896    /* Various values derived from 'shift': */
3897    PNG_CONST unsigned int num = 1U << (8U - shift);
3898 #ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED
3899    /* CSE the division and work round wacky GCC warnings (see the comments
3900     * in png_gamma_8bit_correct for where these come from.)
3901     */
3902    PNG_CONST double fmax = 1./(((png_int_32)1 << (16U - shift))-1);
3903 #endif
3904    PNG_CONST unsigned int max = (1U << (16U - shift))-1U;
3905    PNG_CONST unsigned int max_by_2 = 1U << (15U-shift);
3906    unsigned int i;
3907 
3908    png_uint_16pp table = *ptable =
3909        (png_uint_16pp)png_calloc(png_ptr, num * (sizeof (png_uint_16p)));
3910 
3911    for (i = 0; i < num; i++)
3912    {
3913       png_uint_16p sub_table = table[i] =
3914           (png_uint_16p)png_malloc(png_ptr, 256 * (sizeof (png_uint_16)));
3915 
3916       /* The 'threshold' test is repeated here because it can arise for one of
3917        * the 16-bit tables even if the others don't hit it.
3918        */
3919       if (png_gamma_significant(gamma_val) != 0)
3920       {
3921          /* The old code would overflow at the end and this would cause the
3922           * 'pow' function to return a result >1, resulting in an
3923           * arithmetic error.  This code follows the spec exactly; ig is
3924           * the recovered input sample, it always has 8-16 bits.
3925           *
3926           * We want input * 65535/max, rounded, the arithmetic fits in 32
3927           * bits (unsigned) so long as max <= 32767.
3928           */
3929          unsigned int j;
3930          for (j = 0; j < 256; j++)
3931          {
3932             png_uint_32 ig = (j << (8-shift)) + i;
3933 #           ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED
3934                /* Inline the 'max' scaling operation: */
3935                /* See png_gamma_8bit_correct for why the cast to (int) is
3936                 * required here.
3937                 */
3938                double d = floor(65535.*pow(ig*fmax, gamma_val*.00001)+.5);
3939                sub_table[j] = (png_uint_16)d;
3940 #           else
3941                if (shift != 0)
3942                   ig = (ig * 65535U + max_by_2)/max;
3943 
3944                sub_table[j] = png_gamma_16bit_correct(ig, gamma_val);
3945 #           endif
3946          }
3947       }
3948       else
3949       {
3950          /* We must still build a table, but do it the fast way. */
3951          unsigned int j;
3952 
3953          for (j = 0; j < 256; j++)
3954          {
3955             png_uint_32 ig = (j << (8-shift)) + i;
3956 
3957             if (shift != 0)
3958                ig = (ig * 65535U + max_by_2)/max;
3959 
3960             sub_table[j] = (png_uint_16)ig;
3961          }
3962       }
3963    }
3964 }
3965 
3966 /* NOTE: this function expects the *inverse* of the overall gamma transformation
3967  * required.
3968  */
3969 static void
3970 png_build_16to8_table(png_structrp png_ptr, png_uint_16pp *ptable,
3971    PNG_CONST unsigned int shift, PNG_CONST png_fixed_point gamma_val)
3972 {
3973    PNG_CONST unsigned int num = 1U << (8U - shift);
3974    PNG_CONST unsigned int max = (1U << (16U - shift))-1U;
3975    unsigned int i;
3976    png_uint_32 last;
3977 
3978    png_uint_16pp table = *ptable =
3979        (png_uint_16pp)png_calloc(png_ptr, num * (sizeof (png_uint_16p)));
3980 
3981    /* 'num' is the number of tables and also the number of low bits of low
3982     * bits of the input 16-bit value used to select a table.  Each table is
3983     * itself indexed by the high 8 bits of the value.
3984     */
3985    for (i = 0; i < num; i++)
3986       table[i] = (png_uint_16p)png_malloc(png_ptr,
3987           256 * (sizeof (png_uint_16)));
3988 
3989    /* 'gamma_val' is set to the reciprocal of the value calculated above, so
3990     * pow(out,g) is an *input* value.  'last' is the last input value set.
3991     *
3992     * In the loop 'i' is used to find output values.  Since the output is
3993     * 8-bit there are only 256 possible values.  The tables are set up to
3994     * select the closest possible output value for each input by finding
3995     * the input value at the boundary between each pair of output values
3996     * and filling the table up to that boundary with the lower output
3997     * value.
3998     *
3999     * The boundary values are 0.5,1.5..253.5,254.5.  Since these are 9-bit
4000     * values the code below uses a 16-bit value in i; the values start at
4001     * 128.5 (for 0.5) and step by 257, for a total of 254 values (the last
4002     * entries are filled with 255).  Start i at 128 and fill all 'last'
4003     * table entries <= 'max'
4004     */
4005    last = 0;
4006    for (i = 0; i < 255; ++i) /* 8-bit output value */
4007    {
4008       /* Find the corresponding maximum input value */
4009       png_uint_16 out = (png_uint_16)(i * 257U); /* 16-bit output value */
4010 
4011       /* Find the boundary value in 16 bits: */
4012       png_uint_32 bound = png_gamma_16bit_correct(out+128U, gamma_val);
4013 
4014       /* Adjust (round) to (16-shift) bits: */
4015       bound = (bound * max + 32768U)/65535U + 1U;
4016 
4017       while (last < bound)
4018       {
4019          table[last & (0xffU >> shift)][last >> (8U - shift)] = out;
4020          last++;
4021       }
4022    }
4023 
4024    /* And fill in the final entries. */
4025    while (last < (num << 8))
4026    {
4027       table[last & (0xff >> shift)][last >> (8U - shift)] = 65535U;
4028       last++;
4029    }
4030 }
4031 #endif /* 16BIT */
4032 
4033 /* Build a single 8-bit table: same as the 16-bit case but much simpler (and
4034  * typically much faster).  Note that libpng currently does no sBIT processing
4035  * (apparently contrary to the spec) so a 256-entry table is always generated.
4036  */
4037 static void
4038 png_build_8bit_table(png_structrp png_ptr, png_bytepp ptable,
4039    PNG_CONST png_fixed_point gamma_val)
4040 {
4041    unsigned int i;
4042    png_bytep table = *ptable = (png_bytep)png_malloc(png_ptr, 256);
4043 
4044    if (png_gamma_significant(gamma_val) != 0)
4045       for (i=0; i<256; i++)
4046          table[i] = png_gamma_8bit_correct(i, gamma_val);
4047 
4048    else
4049       for (i=0; i<256; ++i)
4050          table[i] = (png_byte)(i & 0xff);
4051 }
4052 
4053 /* Used from png_read_destroy and below to release the memory used by the gamma
4054  * tables.
4055  */
4056 void /* PRIVATE */
4057 png_destroy_gamma_table(png_structrp png_ptr)
4058 {
4059    png_free(png_ptr, png_ptr->gamma_table);
4060    png_ptr->gamma_table = NULL;
4061 
4062 #ifdef PNG_16BIT_SUPPORTED
4063    if (png_ptr->gamma_16_table != NULL)
4064    {
4065       int i;
4066       int istop = (1 << (8 - png_ptr->gamma_shift));
4067       for (i = 0; i < istop; i++)
4068       {
4069          png_free(png_ptr, png_ptr->gamma_16_table[i]);
4070       }
4071    png_free(png_ptr, png_ptr->gamma_16_table);
4072    png_ptr->gamma_16_table = NULL;
4073    }
4074 #endif /* 16BIT */
4075 
4076 #if defined(PNG_READ_BACKGROUND_SUPPORTED) || \
4077    defined(PNG_READ_ALPHA_MODE_SUPPORTED) || \
4078    defined(PNG_READ_RGB_TO_GRAY_SUPPORTED)
4079    png_free(png_ptr, png_ptr->gamma_from_1);
4080    png_ptr->gamma_from_1 = NULL;
4081    png_free(png_ptr, png_ptr->gamma_to_1);
4082    png_ptr->gamma_to_1 = NULL;
4083 
4084 #ifdef PNG_16BIT_SUPPORTED
4085    if (png_ptr->gamma_16_from_1 != NULL)
4086    {
4087       int i;
4088       int istop = (1 << (8 - png_ptr->gamma_shift));
4089       for (i = 0; i < istop; i++)
4090       {
4091          png_free(png_ptr, png_ptr->gamma_16_from_1[i]);
4092       }
4093    png_free(png_ptr, png_ptr->gamma_16_from_1);
4094    png_ptr->gamma_16_from_1 = NULL;
4095    }
4096    if (png_ptr->gamma_16_to_1 != NULL)
4097    {
4098       int i;
4099       int istop = (1 << (8 - png_ptr->gamma_shift));
4100       for (i = 0; i < istop; i++)
4101       {
4102          png_free(png_ptr, png_ptr->gamma_16_to_1[i]);
4103       }
4104    png_free(png_ptr, png_ptr->gamma_16_to_1);
4105    png_ptr->gamma_16_to_1 = NULL;
4106    }
4107 #endif /* 16BIT */
4108 #endif /* READ_BACKGROUND || READ_ALPHA_MODE || RGB_TO_GRAY */
4109 }
4110 
4111 /* We build the 8- or 16-bit gamma tables here.  Note that for 16-bit
4112  * tables, we don't make a full table if we are reducing to 8-bit in
4113  * the future.  Note also how the gamma_16 tables are segmented so that
4114  * we don't need to allocate > 64K chunks for a full 16-bit table.
4115  */
4116 void /* PRIVATE */
4117 png_build_gamma_table(png_structrp png_ptr, int bit_depth)
4118 {
4119   png_debug(1, "in png_build_gamma_table");
4120 
4121   /* Remove any existing table; this copes with multiple calls to
4122    * png_read_update_info.  The warning is because building the gamma tables
4123    * multiple times is a performance hit - it's harmless but the ability to call
4124    * png_read_update_info() multiple times is new in 1.5.6 so it seems sensible
4125    * to warn if the app introduces such a hit.
4126    */
4127   if (png_ptr->gamma_table != NULL || png_ptr->gamma_16_table != NULL)
4128   {
4129     png_warning(png_ptr, "gamma table being rebuilt");
4130     png_destroy_gamma_table(png_ptr);
4131   }
4132 
4133   if (bit_depth <= 8)
4134   {
4135      png_build_8bit_table(png_ptr, &png_ptr->gamma_table,
4136          png_ptr->screen_gamma > 0 ?  png_reciprocal2(png_ptr->colorspace.gamma,
4137          png_ptr->screen_gamma) : PNG_FP_1);
4138 
4139 #if defined(PNG_READ_BACKGROUND_SUPPORTED) || \
4140    defined(PNG_READ_ALPHA_MODE_SUPPORTED) || \
4141    defined(PNG_READ_RGB_TO_GRAY_SUPPORTED)
4142      if ((png_ptr->transformations & (PNG_COMPOSE | PNG_RGB_TO_GRAY)) != 0)
4143      {
4144         png_build_8bit_table(png_ptr, &png_ptr->gamma_to_1,
4145             png_reciprocal(png_ptr->colorspace.gamma));
4146 
4147         png_build_8bit_table(png_ptr, &png_ptr->gamma_from_1,
4148             png_ptr->screen_gamma > 0 ?  png_reciprocal(png_ptr->screen_gamma) :
4149             png_ptr->colorspace.gamma/* Probably doing rgb_to_gray */);
4150      }
4151 #endif /* READ_BACKGROUND || READ_ALPHA_MODE || RGB_TO_GRAY */
4152   }
4153 #ifdef PNG_16BIT_SUPPORTED
4154   else
4155   {
4156      png_byte shift, sig_bit;
4157 
4158      if ((png_ptr->color_type & PNG_COLOR_MASK_COLOR) != 0)
4159      {
4160         sig_bit = png_ptr->sig_bit.red;
4161 
4162         if (png_ptr->sig_bit.green > sig_bit)
4163            sig_bit = png_ptr->sig_bit.green;
4164 
4165         if (png_ptr->sig_bit.blue > sig_bit)
4166            sig_bit = png_ptr->sig_bit.blue;
4167      }
4168      else
4169         sig_bit = png_ptr->sig_bit.gray;
4170 
4171      /* 16-bit gamma code uses this equation:
4172       *
4173       *   ov = table[(iv & 0xff) >> gamma_shift][iv >> 8]
4174       *
4175       * Where 'iv' is the input color value and 'ov' is the output value -
4176       * pow(iv, gamma).
4177       *
4178       * Thus the gamma table consists of up to 256 256-entry tables.  The table
4179       * is selected by the (8-gamma_shift) most significant of the low 8 bits of
4180       * the color value then indexed by the upper 8 bits:
4181       *
4182       *   table[low bits][high 8 bits]
4183       *
4184       * So the table 'n' corresponds to all those 'iv' of:
4185       *
4186       *   <all high 8-bit values><n << gamma_shift>..<(n+1 << gamma_shift)-1>
4187       *
4188       */
4189      if (sig_bit > 0 && sig_bit < 16U)
4190         /* shift == insignificant bits */
4191         shift = (png_byte)((16U - sig_bit) & 0xff);
4192 
4193      else
4194         shift = 0; /* keep all 16 bits */
4195 
4196      if ((png_ptr->transformations & (PNG_16_TO_8 | PNG_SCALE_16_TO_8)) != 0)
4197      {
4198         /* PNG_MAX_GAMMA_8 is the number of bits to keep - effectively
4199          * the significant bits in the *input* when the output will
4200          * eventually be 8 bits.  By default it is 11.
4201          */
4202         if (shift < (16U - PNG_MAX_GAMMA_8))
4203            shift = (16U - PNG_MAX_GAMMA_8);
4204      }
4205 
4206      if (shift > 8U)
4207         shift = 8U; /* Guarantees at least one table! */
4208 
4209      png_ptr->gamma_shift = shift;
4210 
4211      /* NOTE: prior to 1.5.4 this test used to include PNG_BACKGROUND (now
4212       * PNG_COMPOSE).  This effectively smashed the background calculation for
4213       * 16-bit output because the 8-bit table assumes the result will be reduced
4214       * to 8 bits.
4215       */
4216      if ((png_ptr->transformations & (PNG_16_TO_8 | PNG_SCALE_16_TO_8)) != 0)
4217          png_build_16to8_table(png_ptr, &png_ptr->gamma_16_table, shift,
4218          png_ptr->screen_gamma > 0 ? png_product2(png_ptr->colorspace.gamma,
4219          png_ptr->screen_gamma) : PNG_FP_1);
4220 
4221      else
4222          png_build_16bit_table(png_ptr, &png_ptr->gamma_16_table, shift,
4223          png_ptr->screen_gamma > 0 ? png_reciprocal2(png_ptr->colorspace.gamma,
4224          png_ptr->screen_gamma) : PNG_FP_1);
4225 
4226 #if defined(PNG_READ_BACKGROUND_SUPPORTED) || \
4227    defined(PNG_READ_ALPHA_MODE_SUPPORTED) || \
4228    defined(PNG_READ_RGB_TO_GRAY_SUPPORTED)
4229      if ((png_ptr->transformations & (PNG_COMPOSE | PNG_RGB_TO_GRAY)) != 0)
4230      {
4231         png_build_16bit_table(png_ptr, &png_ptr->gamma_16_to_1, shift,
4232             png_reciprocal(png_ptr->colorspace.gamma));
4233 
4234         /* Notice that the '16 from 1' table should be full precision, however
4235          * the lookup on this table still uses gamma_shift, so it can't be.
4236          * TODO: fix this.
4237          */
4238         png_build_16bit_table(png_ptr, &png_ptr->gamma_16_from_1, shift,
4239             png_ptr->screen_gamma > 0 ? png_reciprocal(png_ptr->screen_gamma) :
4240             png_ptr->colorspace.gamma/* Probably doing rgb_to_gray */);
4241      }
4242 #endif /* READ_BACKGROUND || READ_ALPHA_MODE || RGB_TO_GRAY */
4243   }
4244 #endif /* 16BIT */
4245 }
4246 #endif /* READ_GAMMA */
4247 
4248 /* HARDWARE OR SOFTWARE OPTION SUPPORT */
4249 #ifdef PNG_SET_OPTION_SUPPORTED
4250 int PNGAPI
4251 png_set_option(png_structrp png_ptr, int option, int onoff)
4252 {
4253    if (png_ptr != NULL && option >= 0 && option < PNG_OPTION_NEXT &&
4254       (option & 1) == 0)
4255    {
4256       int mask = 3 << option;
4257       int setting = (2 + (onoff != 0)) << option;
4258       int current = png_ptr->options;
4259 
4260       png_ptr->options = (png_byte)(((current & ~mask) | setting) & 0xff);
4261 
4262       return (current & mask) >> option;
4263    }
4264 
4265    return PNG_OPTION_INVALID;
4266 }
4267 #endif
4268 
4269 /* sRGB support */
4270 #if defined(PNG_SIMPLIFIED_READ_SUPPORTED) ||\
4271    defined(PNG_SIMPLIFIED_WRITE_SUPPORTED)
4272 /* sRGB conversion tables; these are machine generated with the code in
4273  * contrib/tools/makesRGB.c.  The actual sRGB transfer curve defined in the
4274  * specification (see the article at http://en.wikipedia.org/wiki/SRGB)
4275  * is used, not the gamma=1/2.2 approximation use elsewhere in libpng.
4276  * The sRGB to linear table is exact (to the nearest 16-bit linear fraction).
4277  * The inverse (linear to sRGB) table has accuracies as follows:
4278  *
4279  * For all possible (255*65535+1) input values:
4280  *
4281  *    error: -0.515566 - 0.625971, 79441 (0.475369%) of readings inexact
4282  *
4283  * For the input values corresponding to the 65536 16-bit values:
4284  *
4285  *    error: -0.513727 - 0.607759, 308 (0.469978%) of readings inexact
4286  *
4287  * In all cases the inexact readings are only off by one.
4288  */
4289 
4290 #ifdef PNG_SIMPLIFIED_READ_SUPPORTED
4291 /* The convert-to-sRGB table is only currently required for read. */
4292 const png_uint_16 png_sRGB_table[256] =
4293 {
4294    0,20,40,60,80,99,119,139,
4295    159,179,199,219,241,264,288,313,
4296    340,367,396,427,458,491,526,562,
4297    599,637,677,718,761,805,851,898,
4298    947,997,1048,1101,1156,1212,1270,1330,
4299    1391,1453,1517,1583,1651,1720,1790,1863,
4300    1937,2013,2090,2170,2250,2333,2418,2504,
4301    2592,2681,2773,2866,2961,3058,3157,3258,
4302    3360,3464,3570,3678,3788,3900,4014,4129,
4303    4247,4366,4488,4611,4736,4864,4993,5124,
4304    5257,5392,5530,5669,5810,5953,6099,6246,
4305    6395,6547,6700,6856,7014,7174,7335,7500,
4306    7666,7834,8004,8177,8352,8528,8708,8889,
4307    9072,9258,9445,9635,9828,10022,10219,10417,
4308    10619,10822,11028,11235,11446,11658,11873,12090,
4309    12309,12530,12754,12980,13209,13440,13673,13909,
4310    14146,14387,14629,14874,15122,15371,15623,15878,
4311    16135,16394,16656,16920,17187,17456,17727,18001,
4312    18277,18556,18837,19121,19407,19696,19987,20281,
4313    20577,20876,21177,21481,21787,22096,22407,22721,
4314    23038,23357,23678,24002,24329,24658,24990,25325,
4315    25662,26001,26344,26688,27036,27386,27739,28094,
4316    28452,28813,29176,29542,29911,30282,30656,31033,
4317    31412,31794,32179,32567,32957,33350,33745,34143,
4318    34544,34948,35355,35764,36176,36591,37008,37429,
4319    37852,38278,38706,39138,39572,40009,40449,40891,
4320    41337,41785,42236,42690,43147,43606,44069,44534,
4321    45002,45473,45947,46423,46903,47385,47871,48359,
4322    48850,49344,49841,50341,50844,51349,51858,52369,
4323    52884,53401,53921,54445,54971,55500,56032,56567,
4324    57105,57646,58190,58737,59287,59840,60396,60955,
4325    61517,62082,62650,63221,63795,64372,64952,65535
4326 };
4327 #endif /* SIMPLIFIED_READ */
4328 
4329 /* The base/delta tables are required for both read and write (but currently
4330  * only the simplified versions.)
4331  */
4332 const png_uint_16 png_sRGB_base[512] =
4333 {
4334    128,1782,3383,4644,5675,6564,7357,8074,
4335    8732,9346,9921,10463,10977,11466,11935,12384,
4336    12816,13233,13634,14024,14402,14769,15125,15473,
4337    15812,16142,16466,16781,17090,17393,17690,17981,
4338    18266,18546,18822,19093,19359,19621,19879,20133,
4339    20383,20630,20873,21113,21349,21583,21813,22041,
4340    22265,22487,22707,22923,23138,23350,23559,23767,
4341    23972,24175,24376,24575,24772,24967,25160,25352,
4342    25542,25730,25916,26101,26284,26465,26645,26823,
4343    27000,27176,27350,27523,27695,27865,28034,28201,
4344    28368,28533,28697,28860,29021,29182,29341,29500,
4345    29657,29813,29969,30123,30276,30429,30580,30730,
4346    30880,31028,31176,31323,31469,31614,31758,31902,
4347    32045,32186,32327,32468,32607,32746,32884,33021,
4348    33158,33294,33429,33564,33697,33831,33963,34095,
4349    34226,34357,34486,34616,34744,34873,35000,35127,
4350    35253,35379,35504,35629,35753,35876,35999,36122,
4351    36244,36365,36486,36606,36726,36845,36964,37083,
4352    37201,37318,37435,37551,37668,37783,37898,38013,
4353    38127,38241,38354,38467,38580,38692,38803,38915,
4354    39026,39136,39246,39356,39465,39574,39682,39790,
4355    39898,40005,40112,40219,40325,40431,40537,40642,
4356    40747,40851,40955,41059,41163,41266,41369,41471,
4357    41573,41675,41777,41878,41979,42079,42179,42279,
4358    42379,42478,42577,42676,42775,42873,42971,43068,
4359    43165,43262,43359,43456,43552,43648,43743,43839,
4360    43934,44028,44123,44217,44311,44405,44499,44592,
4361    44685,44778,44870,44962,45054,45146,45238,45329,
4362    45420,45511,45601,45692,45782,45872,45961,46051,
4363    46140,46229,46318,46406,46494,46583,46670,46758,
4364    46846,46933,47020,47107,47193,47280,47366,47452,
4365    47538,47623,47709,47794,47879,47964,48048,48133,
4366    48217,48301,48385,48468,48552,48635,48718,48801,
4367    48884,48966,49048,49131,49213,49294,49376,49458,
4368    49539,49620,49701,49782,49862,49943,50023,50103,
4369    50183,50263,50342,50422,50501,50580,50659,50738,
4370    50816,50895,50973,51051,51129,51207,51285,51362,
4371    51439,51517,51594,51671,51747,51824,51900,51977,
4372    52053,52129,52205,52280,52356,52432,52507,52582,
4373    52657,52732,52807,52881,52956,53030,53104,53178,
4374    53252,53326,53400,53473,53546,53620,53693,53766,
4375    53839,53911,53984,54056,54129,54201,54273,54345,
4376    54417,54489,54560,54632,54703,54774,54845,54916,
4377    54987,55058,55129,55199,55269,55340,55410,55480,
4378    55550,55620,55689,55759,55828,55898,55967,56036,
4379    56105,56174,56243,56311,56380,56448,56517,56585,
4380    56653,56721,56789,56857,56924,56992,57059,57127,
4381    57194,57261,57328,57395,57462,57529,57595,57662,
4382    57728,57795,57861,57927,57993,58059,58125,58191,
4383    58256,58322,58387,58453,58518,58583,58648,58713,
4384    58778,58843,58908,58972,59037,59101,59165,59230,
4385    59294,59358,59422,59486,59549,59613,59677,59740,
4386    59804,59867,59930,59993,60056,60119,60182,60245,
4387    60308,60370,60433,60495,60558,60620,60682,60744,
4388    60806,60868,60930,60992,61054,61115,61177,61238,
4389    61300,61361,61422,61483,61544,61605,61666,61727,
4390    61788,61848,61909,61969,62030,62090,62150,62211,
4391    62271,62331,62391,62450,62510,62570,62630,62689,
4392    62749,62808,62867,62927,62986,63045,63104,63163,
4393    63222,63281,63340,63398,63457,63515,63574,63632,
4394    63691,63749,63807,63865,63923,63981,64039,64097,
4395    64155,64212,64270,64328,64385,64443,64500,64557,
4396    64614,64672,64729,64786,64843,64900,64956,65013,
4397    65070,65126,65183,65239,65296,65352,65409,65465
4398 };
4399 
4400 const png_byte png_sRGB_delta[512] =
4401 {
4402    207,201,158,129,113,100,90,82,77,72,68,64,61,59,56,54,
4403    52,50,49,47,46,45,43,42,41,40,39,39,38,37,36,36,
4404    35,34,34,33,33,32,32,31,31,30,30,30,29,29,28,28,
4405    28,27,27,27,27,26,26,26,25,25,25,25,24,24,24,24,
4406    23,23,23,23,23,22,22,22,22,22,22,21,21,21,21,21,
4407    21,20,20,20,20,20,20,20,20,19,19,19,19,19,19,19,
4408    19,18,18,18,18,18,18,18,18,18,18,17,17,17,17,17,
4409    17,17,17,17,17,17,16,16,16,16,16,16,16,16,16,16,
4410    16,16,16,16,15,15,15,15,15,15,15,15,15,15,15,15,
4411    15,15,15,15,14,14,14,14,14,14,14,14,14,14,14,14,
4412    14,14,14,14,14,14,14,13,13,13,13,13,13,13,13,13,
4413    13,13,13,13,13,13,13,13,13,13,13,13,13,13,12,12,
4414    12,12,12,12,12,12,12,12,12,12,12,12,12,12,12,12,
4415    12,12,12,12,12,12,12,12,12,12,12,12,11,11,11,11,
4416    11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,
4417    11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,
4418    11,10,10,10,10,10,10,10,10,10,10,10,10,10,10,10,
4419    10,10,10,10,10,10,10,10,10,10,10,10,10,10,10,10,
4420    10,10,10,10,10,10,10,10,10,10,10,10,10,10,10,10,
4421    10,9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,
4422    9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,
4423    9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,
4424    9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,
4425    9,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,
4426    8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,
4427    8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,
4428    8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,
4429    8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,
4430    8,8,8,8,8,8,8,8,8,7,7,7,7,7,7,7,
4431    7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,
4432    7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,
4433    7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,7
4434 };
4435 #endif /* SIMPLIFIED READ/WRITE sRGB support */
4436 
4437 /* SIMPLIFIED READ/WRITE SUPPORT */
4438 #if defined(PNG_SIMPLIFIED_READ_SUPPORTED) ||\
4439    defined(PNG_SIMPLIFIED_WRITE_SUPPORTED)
4440 static int
4441 png_image_free_function(png_voidp argument)
4442 {
4443    png_imagep image = png_voidcast(png_imagep, argument);
4444    png_controlp cp = image->opaque;
4445    png_control c;
4446 
4447    /* Double check that we have a png_ptr - it should be impossible to get here
4448     * without one.
4449     */
4450    if (cp->png_ptr == NULL)
4451       return 0;
4452 
4453    /* First free any data held in the control structure. */
4454 #  ifdef PNG_STDIO_SUPPORTED
4455       if (cp->owned_file != 0)
4456       {
4457          FILE *fp = png_voidcast(FILE*, cp->png_ptr->io_ptr);
4458          cp->owned_file = 0;
4459 
4460          /* Ignore errors here. */
4461          if (fp != NULL)
4462          {
4463             cp->png_ptr->io_ptr = NULL;
4464             (void)fclose(fp);
4465          }
4466       }
4467 #  endif
4468 
4469    /* Copy the control structure so that the original, allocated, version can be
4470     * safely freed.  Notice that a png_error here stops the remainder of the
4471     * cleanup, but this is probably fine because that would indicate bad memory
4472     * problems anyway.
4473     */
4474    c = *cp;
4475    image->opaque = &c;
4476    png_free(c.png_ptr, cp);
4477 
4478    /* Then the structures, calling the correct API. */
4479    if (c.for_write != 0)
4480    {
4481 #     ifdef PNG_SIMPLIFIED_WRITE_SUPPORTED
4482          png_destroy_write_struct(&c.png_ptr, &c.info_ptr);
4483 #     else
4484          png_error(c.png_ptr, "simplified write not supported");
4485 #     endif
4486    }
4487    else
4488    {
4489 #     ifdef PNG_SIMPLIFIED_READ_SUPPORTED
4490          png_destroy_read_struct(&c.png_ptr, &c.info_ptr, NULL);
4491 #     else
4492          png_error(c.png_ptr, "simplified read not supported");
4493 #     endif
4494    }
4495 
4496    /* Success. */
4497    return 1;
4498 }
4499 
4500 void PNGAPI
4501 png_image_free(png_imagep image)
4502 {
4503    /* Safely call the real function, but only if doing so is safe at this point
4504     * (if not inside an error handling context).  Otherwise assume
4505     * png_safe_execute will call this API after the return.
4506     */
4507    if (image != NULL && image->opaque != NULL &&
4508       image->opaque->error_buf == NULL)
4509    {
4510       /* Ignore errors here: */
4511       (void)png_safe_execute(image, png_image_free_function, image);
4512       image->opaque = NULL;
4513    }
4514 }
4515 
4516 int /* PRIVATE */
4517 png_image_error(png_imagep image, png_const_charp error_message)
4518 {
4519    /* Utility to log an error. */
4520    png_safecat(image->message, (sizeof image->message), 0, error_message);
4521    image->warning_or_error |= PNG_IMAGE_ERROR;
4522    png_image_free(image);
4523    return 0;
4524 }
4525 
4526 #endif /* SIMPLIFIED READ/WRITE */
4527 #endif /* READ || WRITE */