1 /*
   2  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
   3  *
   4  * This code is free software; you can redistribute it and/or modify it
   5  * under the terms of the GNU General Public License version 2 only, as
   6  * published by the Free Software Foundation.  Oracle designates this
   7  * particular file as subject to the "Classpath" exception as provided
   8  * by Oracle in the LICENSE file that accompanied this code.
   9  *
  10  * This code is distributed in the hope that it will be useful, but WITHOUT
  11  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  12  * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  13  * version 2 for more details (a copy is included in the LICENSE file that
  14  * accompanied this code).
  15  *
  16  * You should have received a copy of the GNU General Public License version
  17  * 2 along with this work; if not, write to the Free Software Foundation,
  18  * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
  19  *
  20  * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
  21  * or visit www.oracle.com if you need additional information or have any
  22  * questions.
  23  */
  24 
  25 /* png.c - location for general purpose libpng functions
  26  *
  27  * This file is available under and governed by the GNU General Public
  28  * License version 2 only, as published by the Free Software Foundation.
  29  * However, the following notice accompanied the original version of this
  30  * file and, per its terms, should not be removed:
  31  *
  32  * Last changed in libpng 1.6.28 [January 5, 2017]
  33  * Copyright (c) 1998-2002,2004,2006-2017 Glenn Randers-Pehrson
  34  * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
  35  * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
  36  *
  37  * This code is released under the libpng license.
  38  * For conditions of distribution and use, see the disclaimer
  39  * and license in png.h
  40  */
  41 
  42 #include "pngpriv.h"
  43 
  44 /* Generate a compiler error if there is an old png.h in the search path. */
  45 typedef png_libpng_version_1_6_28 Your_png_h_is_not_version_1_6_28;
  46 
  47 /* Tells libpng that we have already handled the first "num_bytes" bytes
  48  * of the PNG file signature.  If the PNG data is embedded into another
  49  * stream we can set num_bytes = 8 so that libpng will not attempt to read
  50  * or write any of the magic bytes before it starts on the IHDR.
  51  */
  52 
  53 #ifdef PNG_READ_SUPPORTED
  54 void PNGAPI
  55 png_set_sig_bytes(png_structrp png_ptr, int num_bytes)
  56 {
  57    unsigned int nb = (unsigned int)num_bytes;
  58 
  59    png_debug(1, "in png_set_sig_bytes");
  60 
  61    if (png_ptr == NULL)
  62       return;
  63 
  64    if (num_bytes < 0)
  65       nb = 0;
  66 
  67    if (nb > 8)
  68       png_error(png_ptr, "Too many bytes for PNG signature");
  69 
  70    png_ptr->sig_bytes = (png_byte)nb;
  71 }
  72 
  73 /* Checks whether the supplied bytes match the PNG signature.  We allow
  74  * checking less than the full 8-byte signature so that those apps that
  75  * already read the first few bytes of a file to determine the file type
  76  * can simply check the remaining bytes for extra assurance.  Returns
  77  * an integer less than, equal to, or greater than zero if sig is found,
  78  * respectively, to be less than, to match, or be greater than the correct
  79  * PNG signature (this is the same behavior as strcmp, memcmp, etc).
  80  */
  81 int PNGAPI
  82 png_sig_cmp(png_const_bytep sig, png_size_t start, png_size_t num_to_check)
  83 {
  84    png_byte png_signature[8] = {137, 80, 78, 71, 13, 10, 26, 10};
  85 
  86    if (num_to_check > 8)
  87       num_to_check = 8;
  88 
  89    else if (num_to_check < 1)
  90       return (-1);
  91 
  92    if (start > 7)
  93       return (-1);
  94 
  95    if (start + num_to_check > 8)
  96       num_to_check = 8 - start;
  97 
  98    return ((int)(memcmp(&sig[start], &png_signature[start], num_to_check)));
  99 }
 100 
 101 #endif /* READ */
 102 
 103 #if defined(PNG_READ_SUPPORTED) || defined(PNG_WRITE_SUPPORTED)
 104 /* Function to allocate memory for zlib */
 105 PNG_FUNCTION(voidpf /* PRIVATE */,
 106 png_zalloc,(voidpf png_ptr, uInt items, uInt size),PNG_ALLOCATED)
 107 {
 108    png_alloc_size_t num_bytes = size;
 109 
 110    if (png_ptr == NULL)
 111       return NULL;
 112 
 113    if (items >= (~(png_alloc_size_t)0)/size)
 114    {
 115       png_warning (png_voidcast(png_structrp, png_ptr),
 116           "Potential overflow in png_zalloc()");
 117       return NULL;
 118    }
 119 
 120    num_bytes *= items;
 121    return png_malloc_warn(png_voidcast(png_structrp, png_ptr), num_bytes);
 122 }
 123 
 124 /* Function to free memory for zlib */
 125 void /* PRIVATE */
 126 png_zfree(voidpf png_ptr, voidpf ptr)
 127 {
 128    png_free(png_voidcast(png_const_structrp,png_ptr), ptr);
 129 }
 130 
 131 /* Reset the CRC variable to 32 bits of 1's.  Care must be taken
 132  * in case CRC is > 32 bits to leave the top bits 0.
 133  */
 134 void /* PRIVATE */
 135 png_reset_crc(png_structrp png_ptr)
 136 {
 137    /* The cast is safe because the crc is a 32-bit value. */
 138    png_ptr->crc = (png_uint_32)crc32(0, Z_NULL, 0);
 139 }
 140 
 141 /* Calculate the CRC over a section of data.  We can only pass as
 142  * much data to this routine as the largest single buffer size.  We
 143  * also check that this data will actually be used before going to the
 144  * trouble of calculating it.
 145  */
 146 void /* PRIVATE */
 147 png_calculate_crc(png_structrp png_ptr, png_const_bytep ptr, png_size_t length)
 148 {
 149    int need_crc = 1;
 150 
 151    if (PNG_CHUNK_ANCILLARY(png_ptr->chunk_name) != 0)
 152    {
 153       if ((png_ptr->flags & PNG_FLAG_CRC_ANCILLARY_MASK) ==
 154           (PNG_FLAG_CRC_ANCILLARY_USE | PNG_FLAG_CRC_ANCILLARY_NOWARN))
 155          need_crc = 0;
 156    }
 157 
 158    else /* critical */
 159    {
 160       if ((png_ptr->flags & PNG_FLAG_CRC_CRITICAL_IGNORE) != 0)
 161          need_crc = 0;
 162    }
 163 
 164    /* 'uLong' is defined in zlib.h as unsigned long; this means that on some
 165     * systems it is a 64-bit value.  crc32, however, returns 32 bits so the
 166     * following cast is safe.  'uInt' may be no more than 16 bits, so it is
 167     * necessary to perform a loop here.
 168     */
 169    if (need_crc != 0 && length > 0)
 170    {
 171       uLong crc = png_ptr->crc; /* Should never issue a warning */
 172 
 173       do
 174       {
 175          uInt safe_length = (uInt)length;
 176 #ifndef __COVERITY__
 177          if (safe_length == 0)
 178             safe_length = (uInt)-1; /* evil, but safe */
 179 #endif
 180 
 181          crc = crc32(crc, ptr, safe_length);
 182 
 183          /* The following should never issue compiler warnings; if they do the
 184           * target system has characteristics that will probably violate other
 185           * assumptions within the libpng code.
 186           */
 187          ptr += safe_length;
 188          length -= safe_length;
 189       }
 190       while (length > 0);
 191 
 192       /* And the following is always safe because the crc is only 32 bits. */
 193       png_ptr->crc = (png_uint_32)crc;
 194    }
 195 }
 196 
 197 /* Check a user supplied version number, called from both read and write
 198  * functions that create a png_struct.
 199  */
 200 int
 201 png_user_version_check(png_structrp png_ptr, png_const_charp user_png_ver)
 202 {
 203    /* Libpng versions 1.0.0 and later are binary compatible if the version
 204     * string matches through the second '.'; we must recompile any
 205     * applications that use any older library version.
 206     */
 207 
 208    if (user_png_ver != NULL)
 209    {
 210       int i = -1;
 211       int found_dots = 0;
 212 
 213       do
 214       {
 215          i++;
 216          if (user_png_ver[i] != PNG_LIBPNG_VER_STRING[i])
 217             png_ptr->flags |= PNG_FLAG_LIBRARY_MISMATCH;
 218          if (user_png_ver[i] == '.')
 219             found_dots++;
 220       } while (found_dots < 2 && user_png_ver[i] != 0 &&
 221             PNG_LIBPNG_VER_STRING[i] != 0);
 222    }
 223 
 224    else
 225       png_ptr->flags |= PNG_FLAG_LIBRARY_MISMATCH;
 226 
 227    if ((png_ptr->flags & PNG_FLAG_LIBRARY_MISMATCH) != 0)
 228    {
 229 #ifdef PNG_WARNINGS_SUPPORTED
 230       size_t pos = 0;
 231       char m[128];
 232 
 233       pos = png_safecat(m, (sizeof m), pos,
 234           "Application built with libpng-");
 235       pos = png_safecat(m, (sizeof m), pos, user_png_ver);
 236       pos = png_safecat(m, (sizeof m), pos, " but running with ");
 237       pos = png_safecat(m, (sizeof m), pos, PNG_LIBPNG_VER_STRING);
 238       PNG_UNUSED(pos)
 239 
 240       png_warning(png_ptr, m);
 241 #endif
 242 
 243 #ifdef PNG_ERROR_NUMBERS_SUPPORTED
 244       png_ptr->flags = 0;
 245 #endif
 246 
 247       return 0;
 248    }
 249 
 250    /* Success return. */
 251    return 1;
 252 }
 253 
 254 /* Generic function to create a png_struct for either read or write - this
 255  * contains the common initialization.
 256  */
 257 PNG_FUNCTION(png_structp /* PRIVATE */,
 258 png_create_png_struct,(png_const_charp user_png_ver, png_voidp error_ptr,
 259     png_error_ptr error_fn, png_error_ptr warn_fn, png_voidp mem_ptr,
 260     png_malloc_ptr malloc_fn, png_free_ptr free_fn),PNG_ALLOCATED)
 261 {
 262    png_struct create_struct;
 263 #  ifdef PNG_SETJMP_SUPPORTED
 264       jmp_buf create_jmp_buf;
 265 #  endif
 266 
 267    /* This temporary stack-allocated structure is used to provide a place to
 268     * build enough context to allow the user provided memory allocator (if any)
 269     * to be called.
 270     */
 271    memset(&create_struct, 0, (sizeof create_struct));
 272 
 273    /* Added at libpng-1.2.6 */
 274 #  ifdef PNG_USER_LIMITS_SUPPORTED
 275       create_struct.user_width_max = PNG_USER_WIDTH_MAX;
 276       create_struct.user_height_max = PNG_USER_HEIGHT_MAX;
 277 
 278 #     ifdef PNG_USER_CHUNK_CACHE_MAX
 279       /* Added at libpng-1.2.43 and 1.4.0 */
 280       create_struct.user_chunk_cache_max = PNG_USER_CHUNK_CACHE_MAX;
 281 #     endif
 282 
 283 #     ifdef PNG_USER_CHUNK_MALLOC_MAX
 284       /* Added at libpng-1.2.43 and 1.4.1, required only for read but exists
 285        * in png_struct regardless.
 286        */
 287       create_struct.user_chunk_malloc_max = PNG_USER_CHUNK_MALLOC_MAX;
 288 #     endif
 289 #  endif
 290 
 291    /* The following two API calls simply set fields in png_struct, so it is safe
 292     * to do them now even though error handling is not yet set up.
 293     */
 294 #  ifdef PNG_USER_MEM_SUPPORTED
 295       png_set_mem_fn(&create_struct, mem_ptr, malloc_fn, free_fn);
 296 #  else
 297       PNG_UNUSED(mem_ptr)
 298       PNG_UNUSED(malloc_fn)
 299       PNG_UNUSED(free_fn)
 300 #  endif
 301 
 302    /* (*error_fn) can return control to the caller after the error_ptr is set,
 303     * this will result in a memory leak unless the error_fn does something
 304     * extremely sophisticated.  The design lacks merit but is implicit in the
 305     * API.
 306     */
 307    png_set_error_fn(&create_struct, error_ptr, error_fn, warn_fn);
 308 
 309 #  ifdef PNG_SETJMP_SUPPORTED
 310       if (!setjmp(create_jmp_buf))
 311 #  endif
 312       {
 313 #  ifdef PNG_SETJMP_SUPPORTED
 314          /* Temporarily fake out the longjmp information until we have
 315           * successfully completed this function.  This only works if we have
 316           * setjmp() support compiled in, but it is safe - this stuff should
 317           * never happen.
 318           */
 319          create_struct.jmp_buf_ptr = &create_jmp_buf;
 320          create_struct.jmp_buf_size = 0; /*stack allocation*/
 321          create_struct.longjmp_fn = longjmp;
 322 #  endif
 323          /* Call the general version checker (shared with read and write code):
 324           */
 325          if (png_user_version_check(&create_struct, user_png_ver) != 0)
 326          {
 327             png_structrp png_ptr = png_voidcast(png_structrp,
 328                 png_malloc_warn(&create_struct, (sizeof *png_ptr)));
 329 
 330             if (png_ptr != NULL)
 331             {
 332                /* png_ptr->zstream holds a back-pointer to the png_struct, so
 333                 * this can only be done now:
 334                 */
 335                create_struct.zstream.zalloc = png_zalloc;
 336                create_struct.zstream.zfree = png_zfree;
 337                create_struct.zstream.opaque = png_ptr;
 338 
 339 #              ifdef PNG_SETJMP_SUPPORTED
 340                /* Eliminate the local error handling: */
 341                create_struct.jmp_buf_ptr = NULL;
 342                create_struct.jmp_buf_size = 0;
 343                create_struct.longjmp_fn = 0;
 344 #              endif
 345 
 346                *png_ptr = create_struct;
 347 
 348                /* This is the successful return point */
 349                return png_ptr;
 350             }
 351          }
 352       }
 353 
 354    /* A longjmp because of a bug in the application storage allocator or a
 355     * simple failure to allocate the png_struct.
 356     */
 357    return NULL;
 358 }
 359 
 360 /* Allocate the memory for an info_struct for the application. */
 361 PNG_FUNCTION(png_infop,PNGAPI
 362 png_create_info_struct,(png_const_structrp png_ptr),PNG_ALLOCATED)
 363 {
 364    png_inforp info_ptr;
 365 
 366    png_debug(1, "in png_create_info_struct");
 367 
 368    if (png_ptr == NULL)
 369       return NULL;
 370 
 371    /* Use the internal API that does not (or at least should not) error out, so
 372     * that this call always returns ok.  The application typically sets up the
 373     * error handling *after* creating the info_struct because this is the way it
 374     * has always been done in 'example.c'.
 375     */
 376    info_ptr = png_voidcast(png_inforp, png_malloc_base(png_ptr,
 377        (sizeof *info_ptr)));
 378 
 379    if (info_ptr != NULL)
 380       memset(info_ptr, 0, (sizeof *info_ptr));
 381 
 382    return info_ptr;
 383 }
 384 
 385 /* This function frees the memory associated with a single info struct.
 386  * Normally, one would use either png_destroy_read_struct() or
 387  * png_destroy_write_struct() to free an info struct, but this may be
 388  * useful for some applications.  From libpng 1.6.0 this function is also used
 389  * internally to implement the png_info release part of the 'struct' destroy
 390  * APIs.  This ensures that all possible approaches free the same data (all of
 391  * it).
 392  */
 393 void PNGAPI
 394 png_destroy_info_struct(png_const_structrp png_ptr, png_infopp info_ptr_ptr)
 395 {
 396    png_inforp info_ptr = NULL;
 397 
 398    png_debug(1, "in png_destroy_info_struct");
 399 
 400    if (png_ptr == NULL)
 401       return;
 402 
 403    if (info_ptr_ptr != NULL)
 404       info_ptr = *info_ptr_ptr;
 405 
 406    if (info_ptr != NULL)
 407    {
 408       /* Do this first in case of an error below; if the app implements its own
 409        * memory management this can lead to png_free calling png_error, which
 410        * will abort this routine and return control to the app error handler.
 411        * An infinite loop may result if it then tries to free the same info
 412        * ptr.
 413        */
 414       *info_ptr_ptr = NULL;
 415 
 416       png_free_data(png_ptr, info_ptr, PNG_FREE_ALL, -1);
 417       memset(info_ptr, 0, (sizeof *info_ptr));
 418       png_free(png_ptr, info_ptr);
 419    }
 420 }
 421 
 422 /* Initialize the info structure.  This is now an internal function (0.89)
 423  * and applications using it are urged to use png_create_info_struct()
 424  * instead.  Use deprecated in 1.6.0, internal use removed (used internally it
 425  * is just a memset).
 426  *
 427  * NOTE: it is almost inconceivable that this API is used because it bypasses
 428  * the user-memory mechanism and the user error handling/warning mechanisms in
 429  * those cases where it does anything other than a memset.
 430  */
 431 PNG_FUNCTION(void,PNGAPI
 432 png_info_init_3,(png_infopp ptr_ptr, png_size_t png_info_struct_size),
 433     PNG_DEPRECATED)
 434 {
 435    png_inforp info_ptr = *ptr_ptr;
 436 
 437    png_debug(1, "in png_info_init_3");
 438 
 439    if (info_ptr == NULL)
 440       return;
 441 
 442    if ((sizeof (png_info)) > png_info_struct_size)
 443    {
 444       *ptr_ptr = NULL;
 445       /* The following line is why this API should not be used: */
 446       free(info_ptr);
 447       info_ptr = png_voidcast(png_inforp, png_malloc_base(NULL,
 448           (sizeof *info_ptr)));
 449       if (info_ptr == NULL)
 450          return;
 451       *ptr_ptr = info_ptr;
 452    }
 453 
 454    /* Set everything to 0 */
 455    memset(info_ptr, 0, (sizeof *info_ptr));
 456 }
 457 
 458 /* The following API is not called internally */
 459 void PNGAPI
 460 png_data_freer(png_const_structrp png_ptr, png_inforp info_ptr,
 461     int freer, png_uint_32 mask)
 462 {
 463    png_debug(1, "in png_data_freer");
 464 
 465    if (png_ptr == NULL || info_ptr == NULL)
 466       return;
 467 
 468    if (freer == PNG_DESTROY_WILL_FREE_DATA)
 469       info_ptr->free_me |= mask;
 470 
 471    else if (freer == PNG_USER_WILL_FREE_DATA)
 472       info_ptr->free_me &= ~mask;
 473 
 474    else
 475       png_error(png_ptr, "Unknown freer parameter in png_data_freer");
 476 }
 477 
 478 void PNGAPI
 479 png_free_data(png_const_structrp png_ptr, png_inforp info_ptr, png_uint_32 mask,
 480     int num)
 481 {
 482    png_debug(1, "in png_free_data");
 483 
 484    if (png_ptr == NULL || info_ptr == NULL)
 485       return;
 486 
 487 #ifdef PNG_TEXT_SUPPORTED
 488    /* Free text item num or (if num == -1) all text items */
 489    if (info_ptr->text != NULL &&
 490        ((mask & PNG_FREE_TEXT) & info_ptr->free_me) != 0)
 491    {
 492       if (num != -1)
 493       {
 494          png_free(png_ptr, info_ptr->text[num].key);
 495          info_ptr->text[num].key = NULL;
 496       }
 497 
 498       else
 499       {
 500          int i;
 501 
 502          for (i = 0; i < info_ptr->num_text; i++)
 503             png_free(png_ptr, info_ptr->text[i].key);
 504 
 505          png_free(png_ptr, info_ptr->text);
 506          info_ptr->text = NULL;
 507          info_ptr->num_text = 0;
 508          info_ptr->max_text = 0;
 509       }
 510    }
 511 #endif
 512 
 513 #ifdef PNG_tRNS_SUPPORTED
 514    /* Free any tRNS entry */
 515    if (((mask & PNG_FREE_TRNS) & info_ptr->free_me) != 0)
 516    {
 517       info_ptr->valid &= ~PNG_INFO_tRNS;
 518       png_free(png_ptr, info_ptr->trans_alpha);
 519       info_ptr->trans_alpha = NULL;
 520       info_ptr->num_trans = 0;
 521    }
 522 #endif
 523 
 524 #ifdef PNG_sCAL_SUPPORTED
 525    /* Free any sCAL entry */
 526    if (((mask & PNG_FREE_SCAL) & info_ptr->free_me) != 0)
 527    {
 528       png_free(png_ptr, info_ptr->scal_s_width);
 529       png_free(png_ptr, info_ptr->scal_s_height);
 530       info_ptr->scal_s_width = NULL;
 531       info_ptr->scal_s_height = NULL;
 532       info_ptr->valid &= ~PNG_INFO_sCAL;
 533    }
 534 #endif
 535 
 536 #ifdef PNG_pCAL_SUPPORTED
 537    /* Free any pCAL entry */
 538    if (((mask & PNG_FREE_PCAL) & info_ptr->free_me) != 0)
 539    {
 540       png_free(png_ptr, info_ptr->pcal_purpose);
 541       png_free(png_ptr, info_ptr->pcal_units);
 542       info_ptr->pcal_purpose = NULL;
 543       info_ptr->pcal_units = NULL;
 544 
 545       if (info_ptr->pcal_params != NULL)
 546          {
 547             int i;
 548 
 549             for (i = 0; i < info_ptr->pcal_nparams; i++)
 550                png_free(png_ptr, info_ptr->pcal_params[i]);
 551 
 552             png_free(png_ptr, info_ptr->pcal_params);
 553             info_ptr->pcal_params = NULL;
 554          }
 555       info_ptr->valid &= ~PNG_INFO_pCAL;
 556    }
 557 #endif
 558 
 559 #ifdef PNG_iCCP_SUPPORTED
 560    /* Free any profile entry */
 561    if (((mask & PNG_FREE_ICCP) & info_ptr->free_me) != 0)
 562    {
 563       png_free(png_ptr, info_ptr->iccp_name);
 564       png_free(png_ptr, info_ptr->iccp_profile);
 565       info_ptr->iccp_name = NULL;
 566       info_ptr->iccp_profile = NULL;
 567       info_ptr->valid &= ~PNG_INFO_iCCP;
 568    }
 569 #endif
 570 
 571 #ifdef PNG_sPLT_SUPPORTED
 572    /* Free a given sPLT entry, or (if num == -1) all sPLT entries */
 573    if (info_ptr->splt_palettes != NULL &&
 574        ((mask & PNG_FREE_SPLT) & info_ptr->free_me) != 0)
 575    {
 576       if (num != -1)
 577       {
 578          png_free(png_ptr, info_ptr->splt_palettes[num].name);
 579          png_free(png_ptr, info_ptr->splt_palettes[num].entries);
 580          info_ptr->splt_palettes[num].name = NULL;
 581          info_ptr->splt_palettes[num].entries = NULL;
 582       }
 583 
 584       else
 585       {
 586          int i;
 587 
 588          for (i = 0; i < info_ptr->splt_palettes_num; i++)
 589          {
 590             png_free(png_ptr, info_ptr->splt_palettes[i].name);
 591             png_free(png_ptr, info_ptr->splt_palettes[i].entries);
 592          }
 593 
 594          png_free(png_ptr, info_ptr->splt_palettes);
 595          info_ptr->splt_palettes = NULL;
 596          info_ptr->splt_palettes_num = 0;
 597          info_ptr->valid &= ~PNG_INFO_sPLT;
 598       }
 599    }
 600 #endif
 601 
 602 #ifdef PNG_STORE_UNKNOWN_CHUNKS_SUPPORTED
 603    if (info_ptr->unknown_chunks != NULL &&
 604        ((mask & PNG_FREE_UNKN) & info_ptr->free_me) != 0)
 605    {
 606       if (num != -1)
 607       {
 608           png_free(png_ptr, info_ptr->unknown_chunks[num].data);
 609           info_ptr->unknown_chunks[num].data = NULL;
 610       }
 611 
 612       else
 613       {
 614          int i;
 615 
 616          for (i = 0; i < info_ptr->unknown_chunks_num; i++)
 617             png_free(png_ptr, info_ptr->unknown_chunks[i].data);
 618 
 619          png_free(png_ptr, info_ptr->unknown_chunks);
 620          info_ptr->unknown_chunks = NULL;
 621          info_ptr->unknown_chunks_num = 0;
 622       }
 623    }
 624 #endif
 625 
 626 #ifdef PNG_hIST_SUPPORTED
 627    /* Free any hIST entry */
 628    if (((mask & PNG_FREE_HIST) & info_ptr->free_me) != 0)
 629    {
 630       png_free(png_ptr, info_ptr->hist);
 631       info_ptr->hist = NULL;
 632       info_ptr->valid &= ~PNG_INFO_hIST;
 633    }
 634 #endif
 635 
 636    /* Free any PLTE entry that was internally allocated */
 637    if (((mask & PNG_FREE_PLTE) & info_ptr->free_me) != 0)
 638    {
 639       png_free(png_ptr, info_ptr->palette);
 640       info_ptr->palette = NULL;
 641       info_ptr->valid &= ~PNG_INFO_PLTE;
 642       info_ptr->num_palette = 0;
 643    }
 644 
 645 #ifdef PNG_INFO_IMAGE_SUPPORTED
 646    /* Free any image bits attached to the info structure */
 647    if (((mask & PNG_FREE_ROWS) & info_ptr->free_me) != 0)
 648    {
 649       if (info_ptr->row_pointers != NULL)
 650       {
 651          png_uint_32 row;
 652          for (row = 0; row < info_ptr->height; row++)
 653             png_free(png_ptr, info_ptr->row_pointers[row]);
 654 
 655          png_free(png_ptr, info_ptr->row_pointers);
 656          info_ptr->row_pointers = NULL;
 657       }
 658       info_ptr->valid &= ~PNG_INFO_IDAT;
 659    }
 660 #endif
 661 
 662    if (num != -1)
 663       mask &= ~PNG_FREE_MUL;
 664 
 665    info_ptr->free_me &= ~mask;
 666 }
 667 #endif /* READ || WRITE */
 668 
 669 /* This function returns a pointer to the io_ptr associated with the user
 670  * functions.  The application should free any memory associated with this
 671  * pointer before png_write_destroy() or png_read_destroy() are called.
 672  */
 673 png_voidp PNGAPI
 674 png_get_io_ptr(png_const_structrp png_ptr)
 675 {
 676    if (png_ptr == NULL)
 677       return (NULL);
 678 
 679    return (png_ptr->io_ptr);
 680 }
 681 
 682 #if defined(PNG_READ_SUPPORTED) || defined(PNG_WRITE_SUPPORTED)
 683 #  ifdef PNG_STDIO_SUPPORTED
 684 /* Initialize the default input/output functions for the PNG file.  If you
 685  * use your own read or write routines, you can call either png_set_read_fn()
 686  * or png_set_write_fn() instead of png_init_io().  If you have defined
 687  * PNG_NO_STDIO or otherwise disabled PNG_STDIO_SUPPORTED, you must use a
 688  * function of your own because "FILE *" isn't necessarily available.
 689  */
 690 void PNGAPI
 691 png_init_io(png_structrp png_ptr, png_FILE_p fp)
 692 {
 693    png_debug(1, "in png_init_io");
 694 
 695    if (png_ptr == NULL)
 696       return;
 697 
 698    png_ptr->io_ptr = (png_voidp)fp;
 699 }
 700 #  endif
 701 
 702 #  ifdef PNG_SAVE_INT_32_SUPPORTED
 703 /* PNG signed integers are saved in 32-bit 2's complement format.  ANSI C-90
 704  * defines a cast of a signed integer to an unsigned integer either to preserve
 705  * the value, if it is positive, or to calculate:
 706  *
 707  *     (UNSIGNED_MAX+1) + integer
 708  *
 709  * Where UNSIGNED_MAX is the appropriate maximum unsigned value, so when the
 710  * negative integral value is added the result will be an unsigned value
 711  * correspnding to the 2's complement representation.
 712  */
 713 void PNGAPI
 714 png_save_int_32(png_bytep buf, png_int_32 i)
 715 {
 716    png_save_uint_32(buf, (png_uint_32)i);
 717 }
 718 #  endif
 719 
 720 #  ifdef PNG_TIME_RFC1123_SUPPORTED
 721 /* Convert the supplied time into an RFC 1123 string suitable for use in
 722  * a "Creation Time" or other text-based time string.
 723  */
 724 int PNGAPI
 725 png_convert_to_rfc1123_buffer(char out[29], png_const_timep ptime)
 726 {
 727    static PNG_CONST char short_months[12][4] =
 728         {"Jan", "Feb", "Mar", "Apr", "May", "Jun",
 729          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"};
 730 
 731    if (out == NULL)
 732       return 0;
 733 
 734    if (ptime->year > 9999 /* RFC1123 limitation */ ||
 735        ptime->month == 0    ||  ptime->month > 12  ||
 736        ptime->day   == 0    ||  ptime->day   > 31  ||
 737        ptime->hour  > 23    ||  ptime->minute > 59 ||
 738        ptime->second > 60)
 739       return 0;
 740 
 741    {
 742       size_t pos = 0;
 743       char number_buf[5]; /* enough for a four-digit year */
 744 
 745 #     define APPEND_STRING(string) pos = png_safecat(out, 29, pos, (string))
 746 #     define APPEND_NUMBER(format, value)\
 747          APPEND_STRING(PNG_FORMAT_NUMBER(number_buf, format, (value)))
 748 #     define APPEND(ch) if (pos < 28) out[pos++] = (ch)
 749 
 750       APPEND_NUMBER(PNG_NUMBER_FORMAT_u, (unsigned)ptime->day);
 751       APPEND(' ');
 752       APPEND_STRING(short_months[(ptime->month - 1)]);
 753       APPEND(' ');
 754       APPEND_NUMBER(PNG_NUMBER_FORMAT_u, ptime->year);
 755       APPEND(' ');
 756       APPEND_NUMBER(PNG_NUMBER_FORMAT_02u, (unsigned)ptime->hour);
 757       APPEND(':');
 758       APPEND_NUMBER(PNG_NUMBER_FORMAT_02u, (unsigned)ptime->minute);
 759       APPEND(':');
 760       APPEND_NUMBER(PNG_NUMBER_FORMAT_02u, (unsigned)ptime->second);
 761       APPEND_STRING(" +0000"); /* This reliably terminates the buffer */
 762       PNG_UNUSED (pos)
 763 
 764 #     undef APPEND
 765 #     undef APPEND_NUMBER
 766 #     undef APPEND_STRING
 767    }
 768 
 769    return 1;
 770 }
 771 
 772 #    if PNG_LIBPNG_VER < 10700
 773 /* To do: remove the following from libpng-1.7 */
 774 /* Original API that uses a private buffer in png_struct.
 775  * Deprecated because it causes png_struct to carry a spurious temporary
 776  * buffer (png_struct::time_buffer), better to have the caller pass this in.
 777  */
 778 png_const_charp PNGAPI
 779 png_convert_to_rfc1123(png_structrp png_ptr, png_const_timep ptime)
 780 {
 781    if (png_ptr != NULL)
 782    {
 783       /* The only failure above if png_ptr != NULL is from an invalid ptime */
 784       if (png_convert_to_rfc1123_buffer(png_ptr->time_buffer, ptime) == 0)
 785          png_warning(png_ptr, "Ignoring invalid time value");
 786 
 787       else
 788          return png_ptr->time_buffer;
 789    }
 790 
 791    return NULL;
 792 }
 793 #    endif /* LIBPNG_VER < 10700 */
 794 #  endif /* TIME_RFC1123 */
 795 
 796 #endif /* READ || WRITE */
 797 
 798 png_const_charp PNGAPI
 799 png_get_copyright(png_const_structrp png_ptr)
 800 {
 801    PNG_UNUSED(png_ptr)  /* Silence compiler warning about unused png_ptr */
 802 #ifdef PNG_STRING_COPYRIGHT
 803    return PNG_STRING_COPYRIGHT
 804 #else
 805 #  ifdef __STDC__
 806    return PNG_STRING_NEWLINE \
 807       "libpng version 1.6.28 - January 5, 2017" PNG_STRING_NEWLINE \
 808       "Copyright (c) 1998-2002,2004,2006-2017 Glenn Randers-Pehrson" \
 809       PNG_STRING_NEWLINE \
 810       "Copyright (c) 1996-1997 Andreas Dilger" PNG_STRING_NEWLINE \
 811       "Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc." \
 812       PNG_STRING_NEWLINE;
 813 #  else
 814    return "libpng version 1.6.28 - January 5, 2017\
 815       Copyright (c) 1998-2002,2004,2006-2017 Glenn Randers-Pehrson\
 816       Copyright (c) 1996-1997 Andreas Dilger\
 817       Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc.";
 818 #  endif
 819 #endif
 820 }
 821 
 822 /* The following return the library version as a short string in the
 823  * format 1.0.0 through 99.99.99zz.  To get the version of *.h files
 824  * used with your application, print out PNG_LIBPNG_VER_STRING, which
 825  * is defined in png.h.
 826  * Note: now there is no difference between png_get_libpng_ver() and
 827  * png_get_header_ver().  Due to the version_nn_nn_nn typedef guard,
 828  * it is guaranteed that png.c uses the correct version of png.h.
 829  */
 830 png_const_charp PNGAPI
 831 png_get_libpng_ver(png_const_structrp png_ptr)
 832 {
 833    /* Version of *.c files used when building libpng */
 834    return png_get_header_ver(png_ptr);
 835 }
 836 
 837 png_const_charp PNGAPI
 838 png_get_header_ver(png_const_structrp png_ptr)
 839 {
 840    /* Version of *.h files used when building libpng */
 841    PNG_UNUSED(png_ptr)  /* Silence compiler warning about unused png_ptr */
 842    return PNG_LIBPNG_VER_STRING;
 843 }
 844 
 845 png_const_charp PNGAPI
 846 png_get_header_version(png_const_structrp png_ptr)
 847 {
 848    /* Returns longer string containing both version and date */
 849    PNG_UNUSED(png_ptr)  /* Silence compiler warning about unused png_ptr */
 850 #ifdef __STDC__
 851    return PNG_HEADER_VERSION_STRING
 852 #  ifndef PNG_READ_SUPPORTED
 853       " (NO READ SUPPORT)"
 854 #  endif
 855       PNG_STRING_NEWLINE;
 856 #else
 857    return PNG_HEADER_VERSION_STRING;
 858 #endif
 859 }
 860 
 861 #ifdef PNG_BUILD_GRAYSCALE_PALETTE_SUPPORTED
 862 /* NOTE: this routine is not used internally! */
 863 /* Build a grayscale palette.  Palette is assumed to be 1 << bit_depth
 864  * large of png_color.  This lets grayscale images be treated as
 865  * paletted.  Most useful for gamma correction and simplification
 866  * of code.  This API is not used internally.
 867  */
 868 void PNGAPI
 869 png_build_grayscale_palette(int bit_depth, png_colorp palette)
 870 {
 871    int num_palette;
 872    int color_inc;
 873    int i;
 874    int v;
 875 
 876    png_debug(1, "in png_do_build_grayscale_palette");
 877 
 878    if (palette == NULL)
 879       return;
 880 
 881    switch (bit_depth)
 882    {
 883       case 1:
 884          num_palette = 2;
 885          color_inc = 0xff;
 886          break;
 887 
 888       case 2:
 889          num_palette = 4;
 890          color_inc = 0x55;
 891          break;
 892 
 893       case 4:
 894          num_palette = 16;
 895          color_inc = 0x11;
 896          break;
 897 
 898       case 8:
 899          num_palette = 256;
 900          color_inc = 1;
 901          break;
 902 
 903       default:
 904          num_palette = 0;
 905          color_inc = 0;
 906          break;
 907    }
 908 
 909    for (i = 0, v = 0; i < num_palette; i++, v += color_inc)
 910    {
 911       palette[i].red = (png_byte)(v & 0xff);
 912       palette[i].green = (png_byte)(v & 0xff);
 913       palette[i].blue = (png_byte)(v & 0xff);
 914    }
 915 }
 916 #endif
 917 
 918 #ifdef PNG_SET_UNKNOWN_CHUNKS_SUPPORTED
 919 int PNGAPI
 920 png_handle_as_unknown(png_const_structrp png_ptr, png_const_bytep chunk_name)
 921 {
 922    /* Check chunk_name and return "keep" value if it's on the list, else 0 */
 923    png_const_bytep p, p_end;
 924 
 925    if (png_ptr == NULL || chunk_name == NULL || png_ptr->num_chunk_list == 0)
 926       return PNG_HANDLE_CHUNK_AS_DEFAULT;
 927 
 928    p_end = png_ptr->chunk_list;
 929    p = p_end + png_ptr->num_chunk_list*5; /* beyond end */
 930 
 931    /* The code is the fifth byte after each four byte string.  Historically this
 932     * code was always searched from the end of the list, this is no longer
 933     * necessary because the 'set' routine handles duplicate entries correcty.
 934     */
 935    do /* num_chunk_list > 0, so at least one */
 936    {
 937       p -= 5;
 938 
 939       if (memcmp(chunk_name, p, 4) == 0)
 940          return p[4];
 941    }
 942    while (p > p_end);
 943 
 944    /* This means that known chunks should be processed and unknown chunks should
 945     * be handled according to the value of png_ptr->unknown_default; this can be
 946     * confusing because, as a result, there are two levels of defaulting for
 947     * unknown chunks.
 948     */
 949    return PNG_HANDLE_CHUNK_AS_DEFAULT;
 950 }
 951 
 952 #if defined(PNG_READ_UNKNOWN_CHUNKS_SUPPORTED) ||\
 953    defined(PNG_HANDLE_AS_UNKNOWN_SUPPORTED)
 954 int /* PRIVATE */
 955 png_chunk_unknown_handling(png_const_structrp png_ptr, png_uint_32 chunk_name)
 956 {
 957    png_byte chunk_string[5];
 958 
 959    PNG_CSTRING_FROM_CHUNK(chunk_string, chunk_name);
 960    return png_handle_as_unknown(png_ptr, chunk_string);
 961 }
 962 #endif /* READ_UNKNOWN_CHUNKS || HANDLE_AS_UNKNOWN */
 963 #endif /* SET_UNKNOWN_CHUNKS */
 964 
 965 #ifdef PNG_READ_SUPPORTED
 966 /* This function, added to libpng-1.0.6g, is untested. */
 967 int PNGAPI
 968 png_reset_zstream(png_structrp png_ptr)
 969 {
 970    if (png_ptr == NULL)
 971       return Z_STREAM_ERROR;
 972 
 973    /* WARNING: this resets the window bits to the maximum! */
 974    return (inflateReset(&png_ptr->zstream));
 975 }
 976 #endif /* READ */
 977 
 978 /* This function was added to libpng-1.0.7 */
 979 png_uint_32 PNGAPI
 980 png_access_version_number(void)
 981 {
 982    /* Version of *.c files used when building libpng */
 983    return((png_uint_32)PNG_LIBPNG_VER);
 984 }
 985 
 986 #if defined(PNG_READ_SUPPORTED) || defined(PNG_WRITE_SUPPORTED)
 987 /* Ensure that png_ptr->zstream.msg holds some appropriate error message string.
 988  * If it doesn't 'ret' is used to set it to something appropriate, even in cases
 989  * like Z_OK or Z_STREAM_END where the error code is apparently a success code.
 990  */
 991 void /* PRIVATE */
 992 png_zstream_error(png_structrp png_ptr, int ret)
 993 {
 994    /* Translate 'ret' into an appropriate error string, priority is given to the
 995     * one in zstream if set.  This always returns a string, even in cases like
 996     * Z_OK or Z_STREAM_END where the error code is a success code.
 997     */
 998    if (png_ptr->zstream.msg == NULL) switch (ret)
 999    {
1000       default:
1001       case Z_OK:
1002          png_ptr->zstream.msg = PNGZ_MSG_CAST("unexpected zlib return code");
1003          break;
1004 
1005       case Z_STREAM_END:
1006          /* Normal exit */
1007          png_ptr->zstream.msg = PNGZ_MSG_CAST("unexpected end of LZ stream");
1008          break;
1009 
1010       case Z_NEED_DICT:
1011          /* This means the deflate stream did not have a dictionary; this
1012           * indicates a bogus PNG.
1013           */
1014          png_ptr->zstream.msg = PNGZ_MSG_CAST("missing LZ dictionary");
1015          break;
1016 
1017       case Z_ERRNO:
1018          /* gz APIs only: should not happen */
1019          png_ptr->zstream.msg = PNGZ_MSG_CAST("zlib IO error");
1020          break;
1021 
1022       case Z_STREAM_ERROR:
1023          /* internal libpng error */
1024          png_ptr->zstream.msg = PNGZ_MSG_CAST("bad parameters to zlib");
1025          break;
1026 
1027       case Z_DATA_ERROR:
1028          png_ptr->zstream.msg = PNGZ_MSG_CAST("damaged LZ stream");
1029          break;
1030 
1031       case Z_MEM_ERROR:
1032          png_ptr->zstream.msg = PNGZ_MSG_CAST("insufficient memory");
1033          break;
1034 
1035       case Z_BUF_ERROR:
1036          /* End of input or output; not a problem if the caller is doing
1037           * incremental read or write.
1038           */
1039          png_ptr->zstream.msg = PNGZ_MSG_CAST("truncated");
1040          break;
1041 
1042       case Z_VERSION_ERROR:
1043          png_ptr->zstream.msg = PNGZ_MSG_CAST("unsupported zlib version");
1044          break;
1045 
1046       case PNG_UNEXPECTED_ZLIB_RETURN:
1047          /* Compile errors here mean that zlib now uses the value co-opted in
1048           * pngpriv.h for PNG_UNEXPECTED_ZLIB_RETURN; update the switch above
1049           * and change pngpriv.h.  Note that this message is "... return",
1050           * whereas the default/Z_OK one is "... return code".
1051           */
1052          png_ptr->zstream.msg = PNGZ_MSG_CAST("unexpected zlib return");
1053          break;
1054    }
1055 }
1056 
1057 /* png_convert_size: a PNGAPI but no longer in png.h, so deleted
1058  * at libpng 1.5.5!
1059  */
1060 
1061 /* Added at libpng version 1.2.34 and 1.4.0 (moved from pngset.c) */
1062 #ifdef PNG_GAMMA_SUPPORTED /* always set if COLORSPACE */
1063 static int
1064 png_colorspace_check_gamma(png_const_structrp png_ptr,
1065     png_colorspacerp colorspace, png_fixed_point gAMA, int from)
1066    /* This is called to check a new gamma value against an existing one.  The
1067     * routine returns false if the new gamma value should not be written.
1068     *
1069     * 'from' says where the new gamma value comes from:
1070     *
1071     *    0: the new gamma value is the libpng estimate for an ICC profile
1072     *    1: the new gamma value comes from a gAMA chunk
1073     *    2: the new gamma value comes from an sRGB chunk
1074     */
1075 {
1076    png_fixed_point gtest;
1077 
1078    if ((colorspace->flags & PNG_COLORSPACE_HAVE_GAMMA) != 0 &&
1079        (png_muldiv(&gtest, colorspace->gamma, PNG_FP_1, gAMA) == 0  ||
1080       png_gamma_significant(gtest) != 0))
1081    {
1082       /* Either this is an sRGB image, in which case the calculated gamma
1083        * approximation should match, or this is an image with a profile and the
1084        * value libpng calculates for the gamma of the profile does not match the
1085        * value recorded in the file.  The former, sRGB, case is an error, the
1086        * latter is just a warning.
1087        */
1088       if ((colorspace->flags & PNG_COLORSPACE_FROM_sRGB) != 0 || from == 2)
1089       {
1090          png_chunk_report(png_ptr, "gamma value does not match sRGB",
1091              PNG_CHUNK_ERROR);
1092          /* Do not overwrite an sRGB value */
1093          return from == 2;
1094       }
1095 
1096       else /* sRGB tag not involved */
1097       {
1098          png_chunk_report(png_ptr, "gamma value does not match libpng estimate",
1099              PNG_CHUNK_WARNING);
1100          return from == 1;
1101       }
1102    }
1103 
1104    return 1;
1105 }
1106 
1107 void /* PRIVATE */
1108 png_colorspace_set_gamma(png_const_structrp png_ptr,
1109     png_colorspacerp colorspace, png_fixed_point gAMA)
1110 {
1111    /* Changed in libpng-1.5.4 to limit the values to ensure overflow can't
1112     * occur.  Since the fixed point representation is asymetrical it is
1113     * possible for 1/gamma to overflow the limit of 21474 and this means the
1114     * gamma value must be at least 5/100000 and hence at most 20000.0.  For
1115     * safety the limits here are a little narrower.  The values are 0.00016 to
1116     * 6250.0, which are truly ridiculous gamma values (and will produce
1117     * displays that are all black or all white.)
1118     *
1119     * In 1.6.0 this test replaces the ones in pngrutil.c, in the gAMA chunk
1120     * handling code, which only required the value to be >0.
1121     */
1122    png_const_charp errmsg;
1123 
1124    if (gAMA < 16 || gAMA > 625000000)
1125       errmsg = "gamma value out of range";
1126 
1127 #  ifdef PNG_READ_gAMA_SUPPORTED
1128    /* Allow the application to set the gamma value more than once */
1129    else if ((png_ptr->mode & PNG_IS_READ_STRUCT) != 0 &&
1130       (colorspace->flags & PNG_COLORSPACE_FROM_gAMA) != 0)
1131       errmsg = "duplicate";
1132 #  endif
1133 
1134    /* Do nothing if the colorspace is already invalid */
1135    else if ((colorspace->flags & PNG_COLORSPACE_INVALID) != 0)
1136       return;
1137 
1138    else
1139    {
1140       if (png_colorspace_check_gamma(png_ptr, colorspace, gAMA,
1141           1/*from gAMA*/) != 0)
1142       {
1143          /* Store this gamma value. */
1144          colorspace->gamma = gAMA;
1145          colorspace->flags |=
1146             (PNG_COLORSPACE_HAVE_GAMMA | PNG_COLORSPACE_FROM_gAMA);
1147       }
1148 
1149       /* At present if the check_gamma test fails the gamma of the colorspace is
1150        * not updated however the colorspace is not invalidated.  This
1151        * corresponds to the case where the existing gamma comes from an sRGB
1152        * chunk or profile.  An error message has already been output.
1153        */
1154       return;
1155    }
1156 
1157    /* Error exit - errmsg has been set. */
1158    colorspace->flags |= PNG_COLORSPACE_INVALID;
1159    png_chunk_report(png_ptr, errmsg, PNG_CHUNK_WRITE_ERROR);
1160 }
1161 
1162 void /* PRIVATE */
1163 png_colorspace_sync_info(png_const_structrp png_ptr, png_inforp info_ptr)
1164 {
1165    if ((info_ptr->colorspace.flags & PNG_COLORSPACE_INVALID) != 0)
1166    {
1167       /* Everything is invalid */
1168       info_ptr->valid &= ~(PNG_INFO_gAMA|PNG_INFO_cHRM|PNG_INFO_sRGB|
1169          PNG_INFO_iCCP);
1170 
1171 #     ifdef PNG_COLORSPACE_SUPPORTED
1172       /* Clean up the iCCP profile now if it won't be used. */
1173       png_free_data(png_ptr, info_ptr, PNG_FREE_ICCP, -1/*not used*/);
1174 #     else
1175       PNG_UNUSED(png_ptr)
1176 #     endif
1177    }
1178 
1179    else
1180    {
1181 #     ifdef PNG_COLORSPACE_SUPPORTED
1182       /* Leave the INFO_iCCP flag set if the pngset.c code has already set
1183        * it; this allows a PNG to contain a profile which matches sRGB and
1184        * yet still have that profile retrievable by the application.
1185        */
1186       if ((info_ptr->colorspace.flags & PNG_COLORSPACE_MATCHES_sRGB) != 0)
1187          info_ptr->valid |= PNG_INFO_sRGB;
1188 
1189       else
1190          info_ptr->valid &= ~PNG_INFO_sRGB;
1191 
1192       if ((info_ptr->colorspace.flags & PNG_COLORSPACE_HAVE_ENDPOINTS) != 0)
1193          info_ptr->valid |= PNG_INFO_cHRM;
1194 
1195       else
1196          info_ptr->valid &= ~PNG_INFO_cHRM;
1197 #     endif
1198 
1199       if ((info_ptr->colorspace.flags & PNG_COLORSPACE_HAVE_GAMMA) != 0)
1200          info_ptr->valid |= PNG_INFO_gAMA;
1201 
1202       else
1203          info_ptr->valid &= ~PNG_INFO_gAMA;
1204    }
1205 }
1206 
1207 #ifdef PNG_READ_SUPPORTED
1208 void /* PRIVATE */
1209 png_colorspace_sync(png_const_structrp png_ptr, png_inforp info_ptr)
1210 {
1211    if (info_ptr == NULL) /* reduce code size; check here not in the caller */
1212       return;
1213 
1214    info_ptr->colorspace = png_ptr->colorspace;
1215    png_colorspace_sync_info(png_ptr, info_ptr);
1216 }
1217 #endif
1218 #endif /* GAMMA */
1219 
1220 #ifdef PNG_COLORSPACE_SUPPORTED
1221 /* Added at libpng-1.5.5 to support read and write of true CIEXYZ values for
1222  * cHRM, as opposed to using chromaticities.  These internal APIs return
1223  * non-zero on a parameter error.  The X, Y and Z values are required to be
1224  * positive and less than 1.0.
1225  */
1226 static int
1227 png_xy_from_XYZ(png_xy *xy, const png_XYZ *XYZ)
1228 {
1229    png_int_32 d, dwhite, whiteX, whiteY;
1230 
1231    d = XYZ->red_X + XYZ->red_Y + XYZ->red_Z;
1232    if (png_muldiv(&xy->redx, XYZ->red_X, PNG_FP_1, d) == 0)
1233       return 1;
1234    if (png_muldiv(&xy->redy, XYZ->red_Y, PNG_FP_1, d) == 0)
1235       return 1;
1236    dwhite = d;
1237    whiteX = XYZ->red_X;
1238    whiteY = XYZ->red_Y;
1239 
1240    d = XYZ->green_X + XYZ->green_Y + XYZ->green_Z;
1241    if (png_muldiv(&xy->greenx, XYZ->green_X, PNG_FP_1, d) == 0)
1242       return 1;
1243    if (png_muldiv(&xy->greeny, XYZ->green_Y, PNG_FP_1, d) == 0)
1244       return 1;
1245    dwhite += d;
1246    whiteX += XYZ->green_X;
1247    whiteY += XYZ->green_Y;
1248 
1249    d = XYZ->blue_X + XYZ->blue_Y + XYZ->blue_Z;
1250    if (png_muldiv(&xy->bluex, XYZ->blue_X, PNG_FP_1, d) == 0)
1251       return 1;
1252    if (png_muldiv(&xy->bluey, XYZ->blue_Y, PNG_FP_1, d) == 0)
1253       return 1;
1254    dwhite += d;
1255    whiteX += XYZ->blue_X;
1256    whiteY += XYZ->blue_Y;
1257 
1258    /* The reference white is simply the sum of the end-point (X,Y,Z) vectors,
1259     * thus:
1260     */
1261    if (png_muldiv(&xy->whitex, whiteX, PNG_FP_1, dwhite) == 0)
1262       return 1;
1263    if (png_muldiv(&xy->whitey, whiteY, PNG_FP_1, dwhite) == 0)
1264       return 1;
1265 
1266    return 0;
1267 }
1268 
1269 static int
1270 png_XYZ_from_xy(png_XYZ *XYZ, const png_xy *xy)
1271 {
1272    png_fixed_point red_inverse, green_inverse, blue_scale;
1273    png_fixed_point left, right, denominator;
1274 
1275    /* Check xy and, implicitly, z.  Note that wide gamut color spaces typically
1276     * have end points with 0 tristimulus values (these are impossible end
1277     * points, but they are used to cover the possible colors).  We check
1278     * xy->whitey against 5, not 0, to avoid a possible integer overflow.
1279     */
1280    if (xy->redx   < 0 || xy->redx > PNG_FP_1) return 1;
1281    if (xy->redy   < 0 || xy->redy > PNG_FP_1-xy->redx) return 1;
1282    if (xy->greenx < 0 || xy->greenx > PNG_FP_1) return 1;
1283    if (xy->greeny < 0 || xy->greeny > PNG_FP_1-xy->greenx) return 1;
1284    if (xy->bluex  < 0 || xy->bluex > PNG_FP_1) return 1;
1285    if (xy->bluey  < 0 || xy->bluey > PNG_FP_1-xy->bluex) return 1;
1286    if (xy->whitex < 0 || xy->whitex > PNG_FP_1) return 1;
1287    if (xy->whitey < 5 || xy->whitey > PNG_FP_1-xy->whitex) return 1;
1288 
1289    /* The reverse calculation is more difficult because the original tristimulus
1290     * value had 9 independent values (red,green,blue)x(X,Y,Z) however only 8
1291     * derived values were recorded in the cHRM chunk;
1292     * (red,green,blue,white)x(x,y).  This loses one degree of freedom and
1293     * therefore an arbitrary ninth value has to be introduced to undo the
1294     * original transformations.
1295     *
1296     * Think of the original end-points as points in (X,Y,Z) space.  The
1297     * chromaticity values (c) have the property:
1298     *
1299     *           C
1300     *   c = ---------
1301     *       X + Y + Z
1302     *
1303     * For each c (x,y,z) from the corresponding original C (X,Y,Z).  Thus the
1304     * three chromaticity values (x,y,z) for each end-point obey the
1305     * relationship:
1306     *
1307     *   x + y + z = 1
1308     *
1309     * This describes the plane in (X,Y,Z) space that intersects each axis at the
1310     * value 1.0; call this the chromaticity plane.  Thus the chromaticity
1311     * calculation has scaled each end-point so that it is on the x+y+z=1 plane
1312     * and chromaticity is the intersection of the vector from the origin to the
1313     * (X,Y,Z) value with the chromaticity plane.
1314     *
1315     * To fully invert the chromaticity calculation we would need the three
1316     * end-point scale factors, (red-scale, green-scale, blue-scale), but these
1317     * were not recorded.  Instead we calculated the reference white (X,Y,Z) and
1318     * recorded the chromaticity of this.  The reference white (X,Y,Z) would have
1319     * given all three of the scale factors since:
1320     *
1321     *    color-C = color-c * color-scale
1322     *    white-C = red-C + green-C + blue-C
1323     *            = red-c*red-scale + green-c*green-scale + blue-c*blue-scale
1324     *
1325     * But cHRM records only white-x and white-y, so we have lost the white scale
1326     * factor:
1327     *
1328     *    white-C = white-c*white-scale
1329     *
1330     * To handle this the inverse transformation makes an arbitrary assumption
1331     * about white-scale:
1332     *
1333     *    Assume: white-Y = 1.0
1334     *    Hence:  white-scale = 1/white-y
1335     *    Or:     red-Y + green-Y + blue-Y = 1.0
1336     *
1337     * Notice the last statement of the assumption gives an equation in three of
1338     * the nine values we want to calculate.  8 more equations come from the
1339     * above routine as summarised at the top above (the chromaticity
1340     * calculation):
1341     *
1342     *    Given: color-x = color-X / (color-X + color-Y + color-Z)
1343     *    Hence: (color-x - 1)*color-X + color.x*color-Y + color.x*color-Z = 0
1344     *
1345     * This is 9 simultaneous equations in the 9 variables "color-C" and can be
1346     * solved by Cramer's rule.  Cramer's rule requires calculating 10 9x9 matrix
1347     * determinants, however this is not as bad as it seems because only 28 of
1348     * the total of 90 terms in the various matrices are non-zero.  Nevertheless
1349     * Cramer's rule is notoriously numerically unstable because the determinant
1350     * calculation involves the difference of large, but similar, numbers.  It is
1351     * difficult to be sure that the calculation is stable for real world values
1352     * and it is certain that it becomes unstable where the end points are close
1353     * together.
1354     *
1355     * So this code uses the perhaps slightly less optimal but more
1356     * understandable and totally obvious approach of calculating color-scale.
1357     *
1358     * This algorithm depends on the precision in white-scale and that is
1359     * (1/white-y), so we can immediately see that as white-y approaches 0 the
1360     * accuracy inherent in the cHRM chunk drops off substantially.
1361     *
1362     * libpng arithmetic: a simple inversion of the above equations
1363     * ------------------------------------------------------------
1364     *
1365     *    white_scale = 1/white-y
1366     *    white-X = white-x * white-scale
1367     *    white-Y = 1.0
1368     *    white-Z = (1 - white-x - white-y) * white_scale
1369     *
1370     *    white-C = red-C + green-C + blue-C
1371     *            = red-c*red-scale + green-c*green-scale + blue-c*blue-scale
1372     *
1373     * This gives us three equations in (red-scale,green-scale,blue-scale) where
1374     * all the coefficients are now known:
1375     *
1376     *    red-x*red-scale + green-x*green-scale + blue-x*blue-scale
1377     *       = white-x/white-y
1378     *    red-y*red-scale + green-y*green-scale + blue-y*blue-scale = 1
1379     *    red-z*red-scale + green-z*green-scale + blue-z*blue-scale
1380     *       = (1 - white-x - white-y)/white-y
1381     *
1382     * In the last equation color-z is (1 - color-x - color-y) so we can add all
1383     * three equations together to get an alternative third:
1384     *
1385     *    red-scale + green-scale + blue-scale = 1/white-y = white-scale
1386     *
1387     * So now we have a Cramer's rule solution where the determinants are just
1388     * 3x3 - far more tractible.  Unfortunately 3x3 determinants still involve
1389     * multiplication of three coefficients so we can't guarantee to avoid
1390     * overflow in the libpng fixed point representation.  Using Cramer's rule in
1391     * floating point is probably a good choice here, but it's not an option for
1392     * fixed point.  Instead proceed to simplify the first two equations by
1393     * eliminating what is likely to be the largest value, blue-scale:
1394     *
1395     *    blue-scale = white-scale - red-scale - green-scale
1396     *
1397     * Hence:
1398     *
1399     *    (red-x - blue-x)*red-scale + (green-x - blue-x)*green-scale =
1400     *                (white-x - blue-x)*white-scale
1401     *
1402     *    (red-y - blue-y)*red-scale + (green-y - blue-y)*green-scale =
1403     *                1 - blue-y*white-scale
1404     *
1405     * And now we can trivially solve for (red-scale,green-scale):
1406     *
1407     *    green-scale =
1408     *                (white-x - blue-x)*white-scale - (red-x - blue-x)*red-scale
1409     *                -----------------------------------------------------------
1410     *                                  green-x - blue-x
1411     *
1412     *    red-scale =
1413     *                1 - blue-y*white-scale - (green-y - blue-y) * green-scale
1414     *                ---------------------------------------------------------
1415     *                                  red-y - blue-y
1416     *
1417     * Hence:
1418     *
1419     *    red-scale =
1420     *          ( (green-x - blue-x) * (white-y - blue-y) -
1421     *            (green-y - blue-y) * (white-x - blue-x) ) / white-y
1422     * -------------------------------------------------------------------------
1423     *  (green-x - blue-x)*(red-y - blue-y)-(green-y - blue-y)*(red-x - blue-x)
1424     *
1425     *    green-scale =
1426     *          ( (red-y - blue-y) * (white-x - blue-x) -
1427     *            (red-x - blue-x) * (white-y - blue-y) ) / white-y
1428     * -------------------------------------------------------------------------
1429     *  (green-x - blue-x)*(red-y - blue-y)-(green-y - blue-y)*(red-x - blue-x)
1430     *
1431     * Accuracy:
1432     * The input values have 5 decimal digits of accuracy.  The values are all in
1433     * the range 0 < value < 1, so simple products are in the same range but may
1434     * need up to 10 decimal digits to preserve the original precision and avoid
1435     * underflow.  Because we are using a 32-bit signed representation we cannot
1436     * match this; the best is a little over 9 decimal digits, less than 10.
1437     *
1438     * The approach used here is to preserve the maximum precision within the
1439     * signed representation.  Because the red-scale calculation above uses the
1440     * difference between two products of values that must be in the range -1..+1
1441     * it is sufficient to divide the product by 7; ceil(100,000/32767*2).  The
1442     * factor is irrelevant in the calculation because it is applied to both
1443     * numerator and denominator.
1444     *
1445     * Note that the values of the differences of the products of the
1446     * chromaticities in the above equations tend to be small, for example for
1447     * the sRGB chromaticities they are:
1448     *
1449     * red numerator:    -0.04751
1450     * green numerator:  -0.08788
1451     * denominator:      -0.2241 (without white-y multiplication)
1452     *
1453     *  The resultant Y coefficients from the chromaticities of some widely used
1454     *  color space definitions are (to 15 decimal places):
1455     *
1456     *  sRGB
1457     *    0.212639005871510 0.715168678767756 0.072192315360734
1458     *  Kodak ProPhoto
1459     *    0.288071128229293 0.711843217810102 0.000085653960605
1460     *  Adobe RGB
1461     *    0.297344975250536 0.627363566255466 0.075291458493998
1462     *  Adobe Wide Gamut RGB
1463     *    0.258728243040113 0.724682314948566 0.016589442011321
1464     */
1465    /* By the argument, above overflow should be impossible here. The return
1466     * value of 2 indicates an internal error to the caller.
1467     */
1468    if (png_muldiv(&left, xy->greenx-xy->bluex, xy->redy - xy->bluey, 7) == 0)
1469       return 2;
1470    if (png_muldiv(&right, xy->greeny-xy->bluey, xy->redx - xy->bluex, 7) == 0)
1471       return 2;
1472    denominator = left - right;
1473 
1474    /* Now find the red numerator. */
1475    if (png_muldiv(&left, xy->greenx-xy->bluex, xy->whitey-xy->bluey, 7) == 0)
1476       return 2;
1477    if (png_muldiv(&right, xy->greeny-xy->bluey, xy->whitex-xy->bluex, 7) == 0)
1478       return 2;
1479 
1480    /* Overflow is possible here and it indicates an extreme set of PNG cHRM
1481     * chunk values.  This calculation actually returns the reciprocal of the
1482     * scale value because this allows us to delay the multiplication of white-y
1483     * into the denominator, which tends to produce a small number.
1484     */
1485    if (png_muldiv(&red_inverse, xy->whitey, denominator, left-right) == 0 ||
1486        red_inverse <= xy->whitey /* r+g+b scales = white scale */)
1487       return 1;
1488 
1489    /* Similarly for green_inverse: */
1490    if (png_muldiv(&left, xy->redy-xy->bluey, xy->whitex-xy->bluex, 7) == 0)
1491       return 2;
1492    if (png_muldiv(&right, xy->redx-xy->bluex, xy->whitey-xy->bluey, 7) == 0)
1493       return 2;
1494    if (png_muldiv(&green_inverse, xy->whitey, denominator, left-right) == 0 ||
1495        green_inverse <= xy->whitey)
1496       return 1;
1497 
1498    /* And the blue scale, the checks above guarantee this can't overflow but it
1499     * can still produce 0 for extreme cHRM values.
1500     */
1501    blue_scale = png_reciprocal(xy->whitey) - png_reciprocal(red_inverse) -
1502        png_reciprocal(green_inverse);
1503    if (blue_scale <= 0)
1504       return 1;
1505 
1506 
1507    /* And fill in the png_XYZ: */
1508    if (png_muldiv(&XYZ->red_X, xy->redx, PNG_FP_1, red_inverse) == 0)
1509       return 1;
1510    if (png_muldiv(&XYZ->red_Y, xy->redy, PNG_FP_1, red_inverse) == 0)
1511       return 1;
1512    if (png_muldiv(&XYZ->red_Z, PNG_FP_1 - xy->redx - xy->redy, PNG_FP_1,
1513        red_inverse) == 0)
1514       return 1;
1515 
1516    if (png_muldiv(&XYZ->green_X, xy->greenx, PNG_FP_1, green_inverse) == 0)
1517       return 1;
1518    if (png_muldiv(&XYZ->green_Y, xy->greeny, PNG_FP_1, green_inverse) == 0)
1519       return 1;
1520    if (png_muldiv(&XYZ->green_Z, PNG_FP_1 - xy->greenx - xy->greeny, PNG_FP_1,
1521        green_inverse) == 0)
1522       return 1;
1523 
1524    if (png_muldiv(&XYZ->blue_X, xy->bluex, blue_scale, PNG_FP_1) == 0)
1525       return 1;
1526    if (png_muldiv(&XYZ->blue_Y, xy->bluey, blue_scale, PNG_FP_1) == 0)
1527       return 1;
1528    if (png_muldiv(&XYZ->blue_Z, PNG_FP_1 - xy->bluex - xy->bluey, blue_scale,
1529        PNG_FP_1) == 0)
1530       return 1;
1531 
1532    return 0; /*success*/
1533 }
1534 
1535 static int
1536 png_XYZ_normalize(png_XYZ *XYZ)
1537 {
1538    png_int_32 Y;
1539 
1540    if (XYZ->red_Y < 0 || XYZ->green_Y < 0 || XYZ->blue_Y < 0 ||
1541       XYZ->red_X < 0 || XYZ->green_X < 0 || XYZ->blue_X < 0 ||
1542       XYZ->red_Z < 0 || XYZ->green_Z < 0 || XYZ->blue_Z < 0)
1543       return 1;
1544 
1545    /* Normalize by scaling so the sum of the end-point Y values is PNG_FP_1.
1546     * IMPLEMENTATION NOTE: ANSI requires signed overflow not to occur, therefore
1547     * relying on addition of two positive values producing a negative one is not
1548     * safe.
1549     */
1550    Y = XYZ->red_Y;
1551    if (0x7fffffff - Y < XYZ->green_X)
1552       return 1;
1553    Y += XYZ->green_Y;
1554    if (0x7fffffff - Y < XYZ->blue_X)
1555       return 1;
1556    Y += XYZ->blue_Y;
1557 
1558    if (Y != PNG_FP_1)
1559    {
1560       if (png_muldiv(&XYZ->red_X, XYZ->red_X, PNG_FP_1, Y) == 0)
1561          return 1;
1562       if (png_muldiv(&XYZ->red_Y, XYZ->red_Y, PNG_FP_1, Y) == 0)
1563          return 1;
1564       if (png_muldiv(&XYZ->red_Z, XYZ->red_Z, PNG_FP_1, Y) == 0)
1565          return 1;
1566 
1567       if (png_muldiv(&XYZ->green_X, XYZ->green_X, PNG_FP_1, Y) == 0)
1568          return 1;
1569       if (png_muldiv(&XYZ->green_Y, XYZ->green_Y, PNG_FP_1, Y) == 0)
1570          return 1;
1571       if (png_muldiv(&XYZ->green_Z, XYZ->green_Z, PNG_FP_1, Y) == 0)
1572          return 1;
1573 
1574       if (png_muldiv(&XYZ->blue_X, XYZ->blue_X, PNG_FP_1, Y) == 0)
1575          return 1;
1576       if (png_muldiv(&XYZ->blue_Y, XYZ->blue_Y, PNG_FP_1, Y) == 0)
1577          return 1;
1578       if (png_muldiv(&XYZ->blue_Z, XYZ->blue_Z, PNG_FP_1, Y) == 0)
1579          return 1;
1580    }
1581 
1582    return 0;
1583 }
1584 
1585 static int
1586 png_colorspace_endpoints_match(const png_xy *xy1, const png_xy *xy2, int delta)
1587 {
1588    /* Allow an error of +/-0.01 (absolute value) on each chromaticity */
1589    if (PNG_OUT_OF_RANGE(xy1->whitex, xy2->whitex,delta) ||
1590        PNG_OUT_OF_RANGE(xy1->whitey, xy2->whitey,delta) ||
1591        PNG_OUT_OF_RANGE(xy1->redx,   xy2->redx,  delta) ||
1592        PNG_OUT_OF_RANGE(xy1->redy,   xy2->redy,  delta) ||
1593        PNG_OUT_OF_RANGE(xy1->greenx, xy2->greenx,delta) ||
1594        PNG_OUT_OF_RANGE(xy1->greeny, xy2->greeny,delta) ||
1595        PNG_OUT_OF_RANGE(xy1->bluex,  xy2->bluex, delta) ||
1596        PNG_OUT_OF_RANGE(xy1->bluey,  xy2->bluey, delta))
1597       return 0;
1598    return 1;
1599 }
1600 
1601 /* Added in libpng-1.6.0, a different check for the validity of a set of cHRM
1602  * chunk chromaticities.  Earlier checks used to simply look for the overflow
1603  * condition (where the determinant of the matrix to solve for XYZ ends up zero
1604  * because the chromaticity values are not all distinct.)  Despite this it is
1605  * theoretically possible to produce chromaticities that are apparently valid
1606  * but that rapidly degrade to invalid, potentially crashing, sets because of
1607  * arithmetic inaccuracies when calculations are performed on them.  The new
1608  * check is to round-trip xy -> XYZ -> xy and then check that the result is
1609  * within a small percentage of the original.
1610  */
1611 static int
1612 png_colorspace_check_xy(png_XYZ *XYZ, const png_xy *xy)
1613 {
1614    int result;
1615    png_xy xy_test;
1616 
1617    /* As a side-effect this routine also returns the XYZ endpoints. */
1618    result = png_XYZ_from_xy(XYZ, xy);
1619    if (result != 0)
1620       return result;
1621 
1622    result = png_xy_from_XYZ(&xy_test, XYZ);
1623    if (result != 0)
1624       return result;
1625 
1626    if (png_colorspace_endpoints_match(xy, &xy_test,
1627        5/*actually, the math is pretty accurate*/) != 0)
1628       return 0;
1629 
1630    /* Too much slip */
1631    return 1;
1632 }
1633 
1634 /* This is the check going the other way.  The XYZ is modified to normalize it
1635  * (another side-effect) and the xy chromaticities are returned.
1636  */
1637 static int
1638 png_colorspace_check_XYZ(png_xy *xy, png_XYZ *XYZ)
1639 {
1640    int result;
1641    png_XYZ XYZtemp;
1642 
1643    result = png_XYZ_normalize(XYZ);
1644    if (result != 0)
1645       return result;
1646 
1647    result = png_xy_from_XYZ(xy, XYZ);
1648    if (result != 0)
1649       return result;
1650 
1651    XYZtemp = *XYZ;
1652    return png_colorspace_check_xy(&XYZtemp, xy);
1653 }
1654 
1655 /* Used to check for an endpoint match against sRGB */
1656 static const png_xy sRGB_xy = /* From ITU-R BT.709-3 */
1657 {
1658    /* color      x       y */
1659    /* red   */ 64000, 33000,
1660    /* green */ 30000, 60000,
1661    /* blue  */ 15000,  6000,
1662    /* white */ 31270, 32900
1663 };
1664 
1665 static int
1666 png_colorspace_set_xy_and_XYZ(png_const_structrp png_ptr,
1667     png_colorspacerp colorspace, const png_xy *xy, const png_XYZ *XYZ,
1668     int preferred)
1669 {
1670    if ((colorspace->flags & PNG_COLORSPACE_INVALID) != 0)
1671       return 0;
1672 
1673    /* The consistency check is performed on the chromaticities; this factors out
1674     * variations because of the normalization (or not) of the end point Y
1675     * values.
1676     */
1677    if (preferred < 2 &&
1678        (colorspace->flags & PNG_COLORSPACE_HAVE_ENDPOINTS) != 0)
1679    {
1680       /* The end points must be reasonably close to any we already have.  The
1681        * following allows an error of up to +/-.001
1682        */
1683       if (png_colorspace_endpoints_match(xy, &colorspace->end_points_xy,
1684           100) == 0)
1685       {
1686          colorspace->flags |= PNG_COLORSPACE_INVALID;
1687          png_benign_error(png_ptr, "inconsistent chromaticities");
1688          return 0; /* failed */
1689       }
1690 
1691       /* Only overwrite with preferred values */
1692       if (preferred == 0)
1693          return 1; /* ok, but no change */
1694    }
1695 
1696    colorspace->end_points_xy = *xy;
1697    colorspace->end_points_XYZ = *XYZ;
1698    colorspace->flags |= PNG_COLORSPACE_HAVE_ENDPOINTS;
1699 
1700    /* The end points are normally quoted to two decimal digits, so allow +/-0.01
1701     * on this test.
1702     */
1703    if (png_colorspace_endpoints_match(xy, &sRGB_xy, 1000) != 0)
1704       colorspace->flags |= PNG_COLORSPACE_ENDPOINTS_MATCH_sRGB;
1705 
1706    else
1707       colorspace->flags &= PNG_COLORSPACE_CANCEL(
1708          PNG_COLORSPACE_ENDPOINTS_MATCH_sRGB);
1709 
1710    return 2; /* ok and changed */
1711 }
1712 
1713 int /* PRIVATE */
1714 png_colorspace_set_chromaticities(png_const_structrp png_ptr,
1715     png_colorspacerp colorspace, const png_xy *xy, int preferred)
1716 {
1717    /* We must check the end points to ensure they are reasonable - in the past
1718     * color management systems have crashed as a result of getting bogus
1719     * colorant values, while this isn't the fault of libpng it is the
1720     * responsibility of libpng because PNG carries the bomb and libpng is in a
1721     * position to protect against it.
1722     */
1723    png_XYZ XYZ;
1724 
1725    switch (png_colorspace_check_xy(&XYZ, xy))
1726    {
1727       case 0: /* success */
1728          return png_colorspace_set_xy_and_XYZ(png_ptr, colorspace, xy, &XYZ,
1729              preferred);
1730 
1731       case 1:
1732          /* We can't invert the chromaticities so we can't produce value XYZ
1733           * values.  Likely as not a color management system will fail too.
1734           */
1735          colorspace->flags |= PNG_COLORSPACE_INVALID;
1736          png_benign_error(png_ptr, "invalid chromaticities");
1737          break;
1738 
1739       default:
1740          /* libpng is broken; this should be a warning but if it happens we
1741           * want error reports so for the moment it is an error.
1742           */
1743          colorspace->flags |= PNG_COLORSPACE_INVALID;
1744          png_error(png_ptr, "internal error checking chromaticities");
1745    }
1746 
1747    return 0; /* failed */
1748 }
1749 
1750 int /* PRIVATE */
1751 png_colorspace_set_endpoints(png_const_structrp png_ptr,
1752     png_colorspacerp colorspace, const png_XYZ *XYZ_in, int preferred)
1753 {
1754    png_XYZ XYZ = *XYZ_in;
1755    png_xy xy;
1756 
1757    switch (png_colorspace_check_XYZ(&xy, &XYZ))
1758    {
1759       case 0:
1760          return png_colorspace_set_xy_and_XYZ(png_ptr, colorspace, &xy, &XYZ,
1761              preferred);
1762 
1763       case 1:
1764          /* End points are invalid. */
1765          colorspace->flags |= PNG_COLORSPACE_INVALID;
1766          png_benign_error(png_ptr, "invalid end points");
1767          break;
1768 
1769       default:
1770          colorspace->flags |= PNG_COLORSPACE_INVALID;
1771          png_error(png_ptr, "internal error checking chromaticities");
1772    }
1773 
1774    return 0; /* failed */
1775 }
1776 
1777 #if defined(PNG_sRGB_SUPPORTED) || defined(PNG_iCCP_SUPPORTED)
1778 /* Error message generation */
1779 static char
1780 png_icc_tag_char(png_uint_32 byte)
1781 {
1782    byte &= 0xff;
1783    if (byte >= 32 && byte <= 126)
1784       return (char)byte;
1785    else
1786       return '?';
1787 }
1788 
1789 static void
1790 png_icc_tag_name(char *name, png_uint_32 tag)
1791 {
1792    name[0] = '\'';
1793    name[1] = png_icc_tag_char(tag >> 24);
1794    name[2] = png_icc_tag_char(tag >> 16);
1795    name[3] = png_icc_tag_char(tag >>  8);
1796    name[4] = png_icc_tag_char(tag      );
1797    name[5] = '\'';
1798 }
1799 
1800 static int
1801 is_ICC_signature_char(png_alloc_size_t it)
1802 {
1803    return it == 32 || (it >= 48 && it <= 57) || (it >= 65 && it <= 90) ||
1804       (it >= 97 && it <= 122);
1805 }
1806 
1807 static int
1808 is_ICC_signature(png_alloc_size_t it)
1809 {
1810    return is_ICC_signature_char(it >> 24) /* checks all the top bits */ &&
1811       is_ICC_signature_char((it >> 16) & 0xff) &&
1812       is_ICC_signature_char((it >> 8) & 0xff) &&
1813       is_ICC_signature_char(it & 0xff);
1814 }
1815 
1816 static int
1817 png_icc_profile_error(png_const_structrp png_ptr, png_colorspacerp colorspace,
1818     png_const_charp name, png_alloc_size_t value, png_const_charp reason)
1819 {
1820    size_t pos;
1821    char message[196]; /* see below for calculation */
1822 
1823    if (colorspace != NULL)
1824       colorspace->flags |= PNG_COLORSPACE_INVALID;
1825 
1826    pos = png_safecat(message, (sizeof message), 0, "profile '"); /* 9 chars */
1827    pos = png_safecat(message, pos+79, pos, name); /* Truncate to 79 chars */
1828    pos = png_safecat(message, (sizeof message), pos, "': "); /* +2 = 90 */
1829    if (is_ICC_signature(value) != 0)
1830    {
1831       /* So 'value' is at most 4 bytes and the following cast is safe */
1832       png_icc_tag_name(message+pos, (png_uint_32)value);
1833       pos += 6; /* total +8; less than the else clause */
1834       message[pos++] = ':';
1835       message[pos++] = ' ';
1836    }
1837 #  ifdef PNG_WARNINGS_SUPPORTED
1838    else
1839       {
1840          char number[PNG_NUMBER_BUFFER_SIZE]; /* +24 = 114*/
1841 
1842          pos = png_safecat(message, (sizeof message), pos,
1843              png_format_number(number, number+(sizeof number),
1844              PNG_NUMBER_FORMAT_x, value));
1845          pos = png_safecat(message, (sizeof message), pos, "h: "); /*+2 = 116*/
1846       }
1847 #  endif
1848    /* The 'reason' is an arbitrary message, allow +79 maximum 195 */
1849    pos = png_safecat(message, (sizeof message), pos, reason);
1850    PNG_UNUSED(pos)
1851 
1852    /* This is recoverable, but make it unconditionally an app_error on write to
1853     * avoid writing invalid ICC profiles into PNG files (i.e., we handle them
1854     * on read, with a warning, but on write unless the app turns off
1855     * application errors the PNG won't be written.)
1856     */
1857    png_chunk_report(png_ptr, message,
1858        (colorspace != NULL) ? PNG_CHUNK_ERROR : PNG_CHUNK_WRITE_ERROR);
1859 
1860    return 0;
1861 }
1862 #endif /* sRGB || iCCP */
1863 
1864 #ifdef PNG_sRGB_SUPPORTED
1865 int /* PRIVATE */
1866 png_colorspace_set_sRGB(png_const_structrp png_ptr, png_colorspacerp colorspace,
1867     int intent)
1868 {
1869    /* sRGB sets known gamma, end points and (from the chunk) intent. */
1870    /* IMPORTANT: these are not necessarily the values found in an ICC profile
1871     * because ICC profiles store values adapted to a D50 environment; it is
1872     * expected that the ICC profile mediaWhitePointTag will be D50; see the
1873     * checks and code elsewhere to understand this better.
1874     *
1875     * These XYZ values, which are accurate to 5dp, produce rgb to gray
1876     * coefficients of (6968,23435,2366), which are reduced (because they add up
1877     * to 32769 not 32768) to (6968,23434,2366).  These are the values that
1878     * libpng has traditionally used (and are the best values given the 15bit
1879     * algorithm used by the rgb to gray code.)
1880     */
1881    static const png_XYZ sRGB_XYZ = /* D65 XYZ (*not* the D50 adapted values!) */
1882    {
1883       /* color      X      Y      Z */
1884       /* red   */ 41239, 21264,  1933,
1885       /* green */ 35758, 71517, 11919,
1886       /* blue  */ 18048,  7219, 95053
1887    };
1888 
1889    /* Do nothing if the colorspace is already invalidated. */
1890    if ((colorspace->flags & PNG_COLORSPACE_INVALID) != 0)
1891       return 0;
1892 
1893    /* Check the intent, then check for existing settings.  It is valid for the
1894     * PNG file to have cHRM or gAMA chunks along with sRGB, but the values must
1895     * be consistent with the correct values.  If, however, this function is
1896     * called below because an iCCP chunk matches sRGB then it is quite
1897     * conceivable that an older app recorded incorrect gAMA and cHRM because of
1898     * an incorrect calculation based on the values in the profile - this does
1899     * *not* invalidate the profile (though it still produces an error, which can
1900     * be ignored.)
1901     */
1902    if (intent < 0 || intent >= PNG_sRGB_INTENT_LAST)
1903       return png_icc_profile_error(png_ptr, colorspace, "sRGB",
1904           (unsigned)intent, "invalid sRGB rendering intent");
1905 
1906    if ((colorspace->flags & PNG_COLORSPACE_HAVE_INTENT) != 0 &&
1907        colorspace->rendering_intent != intent)
1908       return png_icc_profile_error(png_ptr, colorspace, "sRGB",
1909          (unsigned)intent, "inconsistent rendering intents");
1910 
1911    if ((colorspace->flags & PNG_COLORSPACE_FROM_sRGB) != 0)
1912    {
1913       png_benign_error(png_ptr, "duplicate sRGB information ignored");
1914       return 0;
1915    }
1916 
1917    /* If the standard sRGB cHRM chunk does not match the one from the PNG file
1918     * warn but overwrite the value with the correct one.
1919     */
1920    if ((colorspace->flags & PNG_COLORSPACE_HAVE_ENDPOINTS) != 0 &&
1921        !png_colorspace_endpoints_match(&sRGB_xy, &colorspace->end_points_xy,
1922        100))
1923       png_chunk_report(png_ptr, "cHRM chunk does not match sRGB",
1924          PNG_CHUNK_ERROR);
1925 
1926    /* This check is just done for the error reporting - the routine always
1927     * returns true when the 'from' argument corresponds to sRGB (2).
1928     */
1929    (void)png_colorspace_check_gamma(png_ptr, colorspace, PNG_GAMMA_sRGB_INVERSE,
1930        2/*from sRGB*/);
1931 
1932    /* intent: bugs in GCC force 'int' to be used as the parameter type. */
1933    colorspace->rendering_intent = (png_uint_16)intent;
1934    colorspace->flags |= PNG_COLORSPACE_HAVE_INTENT;
1935 
1936    /* endpoints */
1937    colorspace->end_points_xy = sRGB_xy;
1938    colorspace->end_points_XYZ = sRGB_XYZ;
1939    colorspace->flags |=
1940       (PNG_COLORSPACE_HAVE_ENDPOINTS|PNG_COLORSPACE_ENDPOINTS_MATCH_sRGB);
1941 
1942    /* gamma */
1943    colorspace->gamma = PNG_GAMMA_sRGB_INVERSE;
1944    colorspace->flags |= PNG_COLORSPACE_HAVE_GAMMA;
1945 
1946    /* Finally record that we have an sRGB profile */
1947    colorspace->flags |=
1948       (PNG_COLORSPACE_MATCHES_sRGB|PNG_COLORSPACE_FROM_sRGB);
1949 
1950    return 1; /* set */
1951 }
1952 #endif /* sRGB */
1953 
1954 #ifdef PNG_iCCP_SUPPORTED
1955 /* Encoded value of D50 as an ICC XYZNumber.  From the ICC 2010 spec the value
1956  * is XYZ(0.9642,1.0,0.8249), which scales to:
1957  *
1958  *    (63189.8112, 65536, 54060.6464)
1959  */
1960 static const png_byte D50_nCIEXYZ[12] =
1961    { 0x00, 0x00, 0xf6, 0xd6, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0xd3, 0x2d };
1962 
1963 static int /* bool */
1964 icc_check_length(png_const_structrp png_ptr, png_colorspacerp colorspace,
1965     png_const_charp name, png_uint_32 profile_length)
1966 {
1967    if (profile_length < 132)
1968       return png_icc_profile_error(png_ptr, colorspace, name, profile_length,
1969           "too short");
1970 
1971    return 1;
1972 }
1973 
1974 #ifdef PNG_READ_iCCP_SUPPORTED
1975 int /* PRIVATE */
1976 png_icc_check_length(png_const_structrp png_ptr, png_colorspacerp colorspace,
1977     png_const_charp name, png_uint_32 profile_length)
1978 {
1979    if (!icc_check_length(png_ptr, colorspace, name, profile_length))
1980       return 0;
1981 
1982    /* This needs to be here because the 'normal' check is in
1983     * png_decompress_chunk, yet this happens after the attempt to
1984     * png_malloc_base the required data.  We only need this on read; on write
1985     * the caller supplies the profile buffer so libpng doesn't allocate it.  See
1986     * the call to icc_check_length below (the write case).
1987     */
1988 #  ifdef PNG_SET_USER_LIMITS_SUPPORTED
1989       else if (png_ptr->user_chunk_malloc_max > 0 &&
1990                png_ptr->user_chunk_malloc_max < profile_length)
1991          return png_icc_profile_error(png_ptr, colorspace, name, profile_length,
1992              "exceeds application limits");
1993 #  elif PNG_USER_CHUNK_MALLOC_MAX > 0
1994       else if (PNG_USER_CHUNK_MALLOC_MAX < profile_length)
1995          return png_icc_profile_error(png_ptr, colorspace, name, profile_length,
1996              "exceeds libpng limits");
1997 #  else /* !SET_USER_LIMITS */
1998       /* This will get compiled out on all 32-bit and better systems. */
1999       else if (PNG_SIZE_MAX < profile_length)
2000          return png_icc_profile_error(png_ptr, colorspace, name, profile_length,
2001              "exceeds system limits");
2002 #  endif /* !SET_USER_LIMITS */
2003 
2004    return 1;
2005 }
2006 #endif /* READ_iCCP */
2007 
2008 int /* PRIVATE */
2009 png_icc_check_header(png_const_structrp png_ptr, png_colorspacerp colorspace,
2010     png_const_charp name, png_uint_32 profile_length,
2011     png_const_bytep profile/* first 132 bytes only */, int color_type)
2012 {
2013    png_uint_32 temp;
2014 
2015    /* Length check; this cannot be ignored in this code because profile_length
2016     * is used later to check the tag table, so even if the profile seems over
2017     * long profile_length from the caller must be correct.  The caller can fix
2018     * this up on read or write by just passing in the profile header length.
2019     */
2020    temp = png_get_uint_32(profile);
2021    if (temp != profile_length)
2022       return png_icc_profile_error(png_ptr, colorspace, name, temp,
2023           "length does not match profile");
2024 
2025    temp = (png_uint_32) (*(profile+8));
2026    if (temp > 3 && (profile_length & 3))
2027       return png_icc_profile_error(png_ptr, colorspace, name, profile_length,
2028           "invalid length");
2029 
2030    temp = png_get_uint_32(profile+128); /* tag count: 12 bytes/tag */
2031    if (temp > 357913930 || /* (2^32-4-132)/12: maximum possible tag count */
2032       profile_length < 132+12*temp) /* truncated tag table */
2033       return png_icc_profile_error(png_ptr, colorspace, name, temp,
2034           "tag count too large");
2035 
2036    /* The 'intent' must be valid or we can't store it, ICC limits the intent to
2037     * 16 bits.
2038     */
2039    temp = png_get_uint_32(profile+64);
2040    if (temp >= 0xffff) /* The ICC limit */
2041       return png_icc_profile_error(png_ptr, colorspace, name, temp,
2042           "invalid rendering intent");
2043 
2044    /* This is just a warning because the profile may be valid in future
2045     * versions.
2046     */
2047    if (temp >= PNG_sRGB_INTENT_LAST)
2048       (void)png_icc_profile_error(png_ptr, NULL, name, temp,
2049           "intent outside defined range");
2050 
2051    /* At this point the tag table can't be checked because it hasn't necessarily
2052     * been loaded; however, various header fields can be checked.  These checks
2053     * are for values permitted by the PNG spec in an ICC profile; the PNG spec
2054     * restricts the profiles that can be passed in an iCCP chunk (they must be
2055     * appropriate to processing PNG data!)
2056     */
2057 
2058    /* Data checks (could be skipped).  These checks must be independent of the
2059     * version number; however, the version number doesn't accomodate changes in
2060     * the header fields (just the known tags and the interpretation of the
2061     * data.)
2062     */
2063    temp = png_get_uint_32(profile+36); /* signature 'ascp' */
2064    if (temp != 0x61637370)
2065       return png_icc_profile_error(png_ptr, colorspace, name, temp,
2066           "invalid signature");
2067 
2068    /* Currently the PCS illuminant/adopted white point (the computational
2069     * white point) are required to be D50,
2070     * however the profile contains a record of the illuminant so perhaps ICC
2071     * expects to be able to change this in the future (despite the rationale in
2072     * the introduction for using a fixed PCS adopted white.)  Consequently the
2073     * following is just a warning.
2074     */
2075    if (memcmp(profile+68, D50_nCIEXYZ, 12) != 0)
2076       (void)png_icc_profile_error(png_ptr, NULL, name, 0/*no tag value*/,
2077           "PCS illuminant is not D50");
2078 
2079    /* The PNG spec requires this:
2080     * "If the iCCP chunk is present, the image samples conform to the colour
2081     * space represented by the embedded ICC profile as defined by the
2082     * International Color Consortium [ICC]. The colour space of the ICC profile
2083     * shall be an RGB colour space for colour images (PNG colour types 2, 3, and
2084     * 6), or a greyscale colour space for greyscale images (PNG colour types 0
2085     * and 4)."
2086     *
2087     * This checking code ensures the embedded profile (on either read or write)
2088     * conforms to the specification requirements.  Notice that an ICC 'gray'
2089     * color-space profile contains the information to transform the monochrome
2090     * data to XYZ or L*a*b (according to which PCS the profile uses) and this
2091     * should be used in preference to the standard libpng K channel replication
2092     * into R, G and B channels.
2093     *
2094     * Previously it was suggested that an RGB profile on grayscale data could be
2095     * handled.  However it it is clear that using an RGB profile in this context
2096     * must be an error - there is no specification of what it means.  Thus it is
2097     * almost certainly more correct to ignore the profile.
2098     */
2099    temp = png_get_uint_32(profile+16); /* data colour space field */
2100    switch (temp)
2101    {
2102       case 0x52474220: /* 'RGB ' */
2103          if ((color_type & PNG_COLOR_MASK_COLOR) == 0)
2104             return png_icc_profile_error(png_ptr, colorspace, name, temp,
2105                 "RGB color space not permitted on grayscale PNG");
2106          break;
2107 
2108       case 0x47524159: /* 'GRAY' */
2109          if ((color_type & PNG_COLOR_MASK_COLOR) != 0)
2110             return png_icc_profile_error(png_ptr, colorspace, name, temp,
2111                 "Gray color space not permitted on RGB PNG");
2112          break;
2113 
2114       default:
2115          return png_icc_profile_error(png_ptr, colorspace, name, temp,
2116              "invalid ICC profile color space");
2117    }
2118 
2119    /* It is up to the application to check that the profile class matches the
2120     * application requirements; the spec provides no guidance, but it's pretty
2121     * weird if the profile is not scanner ('scnr'), monitor ('mntr'), printer
2122     * ('prtr') or 'spac' (for generic color spaces).  Issue a warning in these
2123     * cases.  Issue an error for device link or abstract profiles - these don't
2124     * contain the records necessary to transform the color-space to anything
2125     * other than the target device (and not even that for an abstract profile).
2126     * Profiles of these classes may not be embedded in images.
2127     */
2128    temp = png_get_uint_32(profile+12); /* profile/device class */
2129    switch (temp)
2130    {
2131       case 0x73636e72: /* 'scnr' */
2132       case 0x6d6e7472: /* 'mntr' */
2133       case 0x70727472: /* 'prtr' */
2134       case 0x73706163: /* 'spac' */
2135          /* All supported */
2136          break;
2137 
2138       case 0x61627374: /* 'abst' */
2139          /* May not be embedded in an image */
2140          return png_icc_profile_error(png_ptr, colorspace, name, temp,
2141              "invalid embedded Abstract ICC profile");
2142 
2143       case 0x6c696e6b: /* 'link' */
2144          /* DeviceLink profiles cannot be interpreted in a non-device specific
2145           * fashion, if an app uses the AToB0Tag in the profile the results are
2146           * undefined unless the result is sent to the intended device,
2147           * therefore a DeviceLink profile should not be found embedded in a
2148           * PNG.
2149           */
2150          return png_icc_profile_error(png_ptr, colorspace, name, temp,
2151              "unexpected DeviceLink ICC profile class");
2152 
2153       case 0x6e6d636c: /* 'nmcl' */
2154          /* A NamedColor profile is also device specific, however it doesn't
2155           * contain an AToB0 tag that is open to misinterpretation.  Almost
2156           * certainly it will fail the tests below.
2157           */
2158          (void)png_icc_profile_error(png_ptr, NULL, name, temp,
2159              "unexpected NamedColor ICC profile class");
2160          break;
2161 
2162       default:
2163          /* To allow for future enhancements to the profile accept unrecognized
2164           * profile classes with a warning, these then hit the test below on the
2165           * tag content to ensure they are backward compatible with one of the
2166           * understood profiles.
2167           */
2168          (void)png_icc_profile_error(png_ptr, NULL, name, temp,
2169              "unrecognized ICC profile class");
2170          break;
2171    }
2172 
2173    /* For any profile other than a device link one the PCS must be encoded
2174     * either in XYZ or Lab.
2175     */
2176    temp = png_get_uint_32(profile+20);
2177    switch (temp)
2178    {
2179       case 0x58595a20: /* 'XYZ ' */
2180       case 0x4c616220: /* 'Lab ' */
2181          break;
2182 
2183       default:
2184          return png_icc_profile_error(png_ptr, colorspace, name, temp,
2185              "unexpected ICC PCS encoding");
2186    }
2187 
2188    return 1;
2189 }
2190 
2191 int /* PRIVATE */
2192 png_icc_check_tag_table(png_const_structrp png_ptr, png_colorspacerp colorspace,
2193     png_const_charp name, png_uint_32 profile_length,
2194     png_const_bytep profile /* header plus whole tag table */)
2195 {
2196    png_uint_32 tag_count = png_get_uint_32(profile+128);
2197    png_uint_32 itag;
2198    png_const_bytep tag = profile+132; /* The first tag */
2199 
2200    /* First scan all the tags in the table and add bits to the icc_info value
2201     * (temporarily in 'tags').
2202     */
2203    for (itag=0; itag < tag_count; ++itag, tag += 12)
2204    {
2205       png_uint_32 tag_id = png_get_uint_32(tag+0);
2206       png_uint_32 tag_start = png_get_uint_32(tag+4); /* must be aligned */
2207       png_uint_32 tag_length = png_get_uint_32(tag+8);/* not padded */
2208 
2209       /* The ICC specification does not exclude zero length tags, therefore the
2210        * start might actually be anywhere if there is no data, but this would be
2211        * a clear abuse of the intent of the standard so the start is checked for
2212        * being in range.  All defined tag types have an 8 byte header - a 4 byte
2213        * type signature then 0.
2214        */
2215       if ((tag_start & 3) != 0)
2216       {
2217          /* CNHP730S.icc shipped with Microsoft Windows 64 violates this, it is
2218           * only a warning here because libpng does not care about the
2219           * alignment.
2220           */
2221          (void)png_icc_profile_error(png_ptr, NULL, name, tag_id,
2222              "ICC profile tag start not a multiple of 4");
2223       }
2224 
2225       /* This is a hard error; potentially it can cause read outside the
2226        * profile.
2227        */
2228       if (tag_start > profile_length || tag_length > profile_length - tag_start)
2229          return png_icc_profile_error(png_ptr, colorspace, name, tag_id,
2230              "ICC profile tag outside profile");
2231    }
2232 
2233    return 1; /* success, maybe with warnings */
2234 }
2235 
2236 #ifdef PNG_sRGB_SUPPORTED
2237 #if PNG_sRGB_PROFILE_CHECKS >= 0
2238 /* Information about the known ICC sRGB profiles */
2239 static const struct
2240 {
2241    png_uint_32 adler, crc, length;
2242    png_uint_32 md5[4];
2243    png_byte    have_md5;
2244    png_byte    is_broken;
2245    png_uint_16 intent;
2246 
2247 #  define PNG_MD5(a,b,c,d) { a, b, c, d }, (a!=0)||(b!=0)||(c!=0)||(d!=0)
2248 #  define PNG_ICC_CHECKSUM(adler, crc, md5, intent, broke, date, length, fname)\
2249       { adler, crc, length, md5, broke, intent },
2250 
2251 } png_sRGB_checks[] =
2252 {
2253    /* This data comes from contrib/tools/checksum-icc run on downloads of
2254     * all four ICC sRGB profiles from www.color.org.
2255     */
2256    /* adler32, crc32, MD5[4], intent, date, length, file-name */
2257    PNG_ICC_CHECKSUM(0x0a3fd9f6, 0x3b8772b9,
2258        PNG_MD5(0x29f83dde, 0xaff255ae, 0x7842fae4, 0xca83390d), 0, 0,
2259        "2009/03/27 21:36:31", 3048, "sRGB_IEC61966-2-1_black_scaled.icc")
2260 
2261    /* ICC sRGB v2 perceptual no black-compensation: */
2262    PNG_ICC_CHECKSUM(0x4909e5e1, 0x427ebb21,
2263        PNG_MD5(0xc95bd637, 0xe95d8a3b, 0x0df38f99, 0xc1320389), 1, 0,
2264        "2009/03/27 21:37:45", 3052, "sRGB_IEC61966-2-1_no_black_scaling.icc")
2265 
2266    PNG_ICC_CHECKSUM(0xfd2144a1, 0x306fd8ae,
2267        PNG_MD5(0xfc663378, 0x37e2886b, 0xfd72e983, 0x8228f1b8), 0, 0,
2268        "2009/08/10 17:28:01", 60988, "sRGB_v4_ICC_preference_displayclass.icc")
2269 
2270    /* ICC sRGB v4 perceptual */
2271    PNG_ICC_CHECKSUM(0x209c35d2, 0xbbef7812,
2272        PNG_MD5(0x34562abf, 0x994ccd06, 0x6d2c5721, 0xd0d68c5d), 0, 0,
2273        "2007/07/25 00:05:37", 60960, "sRGB_v4_ICC_preference.icc")
2274 
2275    /* The following profiles have no known MD5 checksum. If there is a match
2276     * on the (empty) MD5 the other fields are used to attempt a match and
2277     * a warning is produced.  The first two of these profiles have a 'cprt' tag
2278     * which suggests that they were also made by Hewlett Packard.
2279     */
2280    PNG_ICC_CHECKSUM(0xa054d762, 0x5d5129ce,
2281        PNG_MD5(0x00000000, 0x00000000, 0x00000000, 0x00000000), 1, 0,
2282        "2004/07/21 18:57:42", 3024, "sRGB_IEC61966-2-1_noBPC.icc")
2283 
2284    /* This is a 'mntr' (display) profile with a mediaWhitePointTag that does not
2285     * match the D50 PCS illuminant in the header (it is in fact the D65 values,
2286     * so the white point is recorded as the un-adapted value.)  The profiles
2287     * below only differ in one byte - the intent - and are basically the same as
2288     * the previous profile except for the mediaWhitePointTag error and a missing
2289     * chromaticAdaptationTag.
2290     */
2291    PNG_ICC_CHECKSUM(0xf784f3fb, 0x182ea552,
2292        PNG_MD5(0x00000000, 0x00000000, 0x00000000, 0x00000000), 0, 1/*broken*/,
2293        "1998/02/09 06:49:00", 3144, "HP-Microsoft sRGB v2 perceptual")
2294 
2295    PNG_ICC_CHECKSUM(0x0398f3fc, 0xf29e526d,
2296        PNG_MD5(0x00000000, 0x00000000, 0x00000000, 0x00000000), 1, 1/*broken*/,
2297        "1998/02/09 06:49:00", 3144, "HP-Microsoft sRGB v2 media-relative")
2298 };
2299 
2300 static int
2301 png_compare_ICC_profile_with_sRGB(png_const_structrp png_ptr,
2302     png_const_bytep profile, uLong adler)
2303 {
2304    /* The quick check is to verify just the MD5 signature and trust the
2305     * rest of the data.  Because the profile has already been verified for
2306     * correctness this is safe.  png_colorspace_set_sRGB will check the 'intent'
2307     * field too, so if the profile has been edited with an intent not defined
2308     * by sRGB (but maybe defined by a later ICC specification) the read of
2309     * the profile will fail at that point.
2310     */
2311 
2312    png_uint_32 length = 0;
2313    png_uint_32 intent = 0x10000; /* invalid */
2314 #if PNG_sRGB_PROFILE_CHECKS > 1
2315    uLong crc = 0; /* the value for 0 length data */
2316 #endif
2317    unsigned int i;
2318 
2319 #ifdef PNG_SET_OPTION_SUPPORTED
2320    /* First see if PNG_SKIP_sRGB_CHECK_PROFILE has been set to "on" */
2321    if (((png_ptr->options >> PNG_SKIP_sRGB_CHECK_PROFILE) & 3) ==
2322                PNG_OPTION_ON)
2323       return 0;
2324 #endif
2325 
2326    for (i=0; i < (sizeof png_sRGB_checks) / (sizeof png_sRGB_checks[0]); ++i)
2327    {
2328       if (png_get_uint_32(profile+84) == png_sRGB_checks[i].md5[0] &&
2329          png_get_uint_32(profile+88) == png_sRGB_checks[i].md5[1] &&
2330          png_get_uint_32(profile+92) == png_sRGB_checks[i].md5[2] &&
2331          png_get_uint_32(profile+96) == png_sRGB_checks[i].md5[3])
2332       {
2333          /* This may be one of the old HP profiles without an MD5, in that
2334           * case we can only use the length and Adler32 (note that these
2335           * are not used by default if there is an MD5!)
2336           */
2337 #        if PNG_sRGB_PROFILE_CHECKS == 0
2338             if (png_sRGB_checks[i].have_md5 != 0)
2339                return 1+png_sRGB_checks[i].is_broken;
2340 #        endif
2341 
2342          /* Profile is unsigned or more checks have been configured in. */
2343          if (length == 0)
2344          {
2345             length = png_get_uint_32(profile);
2346             intent = png_get_uint_32(profile+64);
2347          }
2348 
2349          /* Length *and* intent must match */
2350          if (length == (png_uint_32) png_sRGB_checks[i].length &&
2351             intent == (png_uint_32) png_sRGB_checks[i].intent)
2352          {
2353             /* Now calculate the adler32 if not done already. */
2354             if (adler == 0)
2355             {
2356                adler = adler32(0, NULL, 0);
2357                adler = adler32(adler, profile, length);
2358             }
2359 
2360             if (adler == png_sRGB_checks[i].adler)
2361             {
2362                /* These basic checks suggest that the data has not been
2363                 * modified, but if the check level is more than 1 perform
2364                 * our own crc32 checksum on the data.
2365                 */
2366 #              if PNG_sRGB_PROFILE_CHECKS > 1
2367                   if (crc == 0)
2368                   {
2369                      crc = crc32(0, NULL, 0);
2370                      crc = crc32(crc, profile, length);
2371                   }
2372 
2373                   /* So this check must pass for the 'return' below to happen.
2374                    */
2375                   if (crc == png_sRGB_checks[i].crc)
2376 #              endif
2377                {
2378                   if (png_sRGB_checks[i].is_broken != 0)
2379                   {
2380                      /* These profiles are known to have bad data that may cause
2381                       * problems if they are used, therefore attempt to
2382                       * discourage their use, skip the 'have_md5' warning below,
2383                       * which is made irrelevant by this error.
2384                       */
2385                      png_chunk_report(png_ptr, "known incorrect sRGB profile",
2386                          PNG_CHUNK_ERROR);
2387                   }
2388 
2389                   /* Warn that this being done; this isn't even an error since
2390                    * the profile is perfectly valid, but it would be nice if
2391                    * people used the up-to-date ones.
2392                    */
2393                   else if (png_sRGB_checks[i].have_md5 == 0)
2394                   {
2395                      png_chunk_report(png_ptr,
2396                          "out-of-date sRGB profile with no signature",
2397                          PNG_CHUNK_WARNING);
2398                   }
2399 
2400                   return 1+png_sRGB_checks[i].is_broken;
2401                }
2402             }
2403 
2404 # if PNG_sRGB_PROFILE_CHECKS > 0
2405          /* The signature matched, but the profile had been changed in some
2406           * way.  This probably indicates a data error or uninformed hacking.
2407           * Fall through to "no match".
2408           */
2409          png_chunk_report(png_ptr,
2410              "Not recognizing known sRGB profile that has been edited",
2411              PNG_CHUNK_WARNING);
2412          break;
2413 # endif
2414          }
2415       }
2416    }
2417 
2418    return 0; /* no match */
2419 }
2420 
2421 void /* PRIVATE */
2422 png_icc_set_sRGB(png_const_structrp png_ptr,
2423     png_colorspacerp colorspace, png_const_bytep profile, uLong adler)
2424 {
2425    /* Is this profile one of the known ICC sRGB profiles?  If it is, just set
2426     * the sRGB information.
2427     */
2428    if (png_compare_ICC_profile_with_sRGB(png_ptr, profile, adler) != 0)
2429       (void)png_colorspace_set_sRGB(png_ptr, colorspace,
2430          (int)/*already checked*/png_get_uint_32(profile+64));
2431 }
2432 #endif /* PNG_sRGB_PROFILE_CHECKS >= 0 */
2433 #endif /* sRGB */
2434 
2435 int /* PRIVATE */
2436 png_colorspace_set_ICC(png_const_structrp png_ptr, png_colorspacerp colorspace,
2437     png_const_charp name, png_uint_32 profile_length, png_const_bytep profile,
2438     int color_type)
2439 {
2440    if ((colorspace->flags & PNG_COLORSPACE_INVALID) != 0)
2441       return 0;
2442 
2443    if (icc_check_length(png_ptr, colorspace, name, profile_length) != 0 &&
2444        png_icc_check_header(png_ptr, colorspace, name, profile_length, profile,
2445            color_type) != 0 &&
2446        png_icc_check_tag_table(png_ptr, colorspace, name, profile_length,
2447            profile) != 0)
2448    {
2449 #     if defined(PNG_sRGB_SUPPORTED) && PNG_sRGB_PROFILE_CHECKS >= 0
2450          /* If no sRGB support, don't try storing sRGB information */
2451          png_icc_set_sRGB(png_ptr, colorspace, profile, 0);
2452 #     endif
2453       return 1;
2454    }
2455 
2456    /* Failure case */
2457    return 0;
2458 }
2459 #endif /* iCCP */
2460 
2461 #ifdef PNG_READ_RGB_TO_GRAY_SUPPORTED
2462 void /* PRIVATE */
2463 png_colorspace_set_rgb_coefficients(png_structrp png_ptr)
2464 {
2465    /* Set the rgb_to_gray coefficients from the colorspace. */
2466    if (png_ptr->rgb_to_gray_coefficients_set == 0 &&
2467       (png_ptr->colorspace.flags & PNG_COLORSPACE_HAVE_ENDPOINTS) != 0)
2468    {
2469       /* png_set_background has not been called, get the coefficients from the Y
2470        * values of the colorspace colorants.
2471        */
2472       png_fixed_point r = png_ptr->colorspace.end_points_XYZ.red_Y;
2473       png_fixed_point g = png_ptr->colorspace.end_points_XYZ.green_Y;
2474       png_fixed_point b = png_ptr->colorspace.end_points_XYZ.blue_Y;
2475       png_fixed_point total = r+g+b;
2476 
2477       if (total > 0 &&
2478          r >= 0 && png_muldiv(&r, r, 32768, total) && r >= 0 && r <= 32768 &&
2479          g >= 0 && png_muldiv(&g, g, 32768, total) && g >= 0 && g <= 32768 &&
2480          b >= 0 && png_muldiv(&b, b, 32768, total) && b >= 0 && b <= 32768 &&
2481          r+g+b <= 32769)
2482       {
2483          /* We allow 0 coefficients here.  r+g+b may be 32769 if two or
2484           * all of the coefficients were rounded up.  Handle this by
2485           * reducing the *largest* coefficient by 1; this matches the
2486           * approach used for the default coefficients in pngrtran.c
2487           */
2488          int add = 0;
2489 
2490          if (r+g+b > 32768)
2491             add = -1;
2492          else if (r+g+b < 32768)
2493             add = 1;
2494 
2495          if (add != 0)
2496          {
2497             if (g >= r && g >= b)
2498                g += add;
2499             else if (r >= g && r >= b)
2500                r += add;
2501             else
2502                b += add;
2503          }
2504 
2505          /* Check for an internal error. */
2506          if (r+g+b != 32768)
2507             png_error(png_ptr,
2508                 "internal error handling cHRM coefficients");
2509 
2510          else
2511          {
2512             png_ptr->rgb_to_gray_red_coeff   = (png_uint_16)r;
2513             png_ptr->rgb_to_gray_green_coeff = (png_uint_16)g;
2514          }
2515       }
2516 
2517       /* This is a png_error at present even though it could be ignored -
2518        * it should never happen, but it is important that if it does, the
2519        * bug is fixed.
2520        */
2521       else
2522          png_error(png_ptr, "internal error handling cHRM->XYZ");
2523    }
2524 }
2525 #endif /* READ_RGB_TO_GRAY */
2526 
2527 #endif /* COLORSPACE */
2528 
2529 #ifdef __GNUC__
2530 /* This exists solely to work round a warning from GNU C. */
2531 static int /* PRIVATE */
2532 png_gt(size_t a, size_t b)
2533 {
2534    return a > b;
2535 }
2536 #else
2537 #   define png_gt(a,b) ((a) > (b))
2538 #endif
2539 
2540 void /* PRIVATE */
2541 png_check_IHDR(png_const_structrp png_ptr,
2542     png_uint_32 width, png_uint_32 height, int bit_depth,
2543     int color_type, int interlace_type, int compression_type,
2544     int filter_type)
2545 {
2546    int error = 0;
2547 
2548    /* Check for width and height valid values */
2549    if (width == 0)
2550    {
2551       png_warning(png_ptr, "Image width is zero in IHDR");
2552       error = 1;
2553    }
2554 
2555    if (width > PNG_UINT_31_MAX)
2556    {
2557       png_warning(png_ptr, "Invalid image width in IHDR");
2558       error = 1;
2559    }
2560 
2561    if (png_gt(((width + 7) & (~7U)),
2562        ((PNG_SIZE_MAX
2563            - 48        /* big_row_buf hack */
2564            - 1)        /* filter byte */
2565            / 8)        /* 8-byte RGBA pixels */
2566            - 1))       /* extra max_pixel_depth pad */
2567    {
2568       /* The size of the row must be within the limits of this architecture.
2569        * Because the read code can perform arbitrary transformations the
2570        * maximum size is checked here.  Because the code in png_read_start_row
2571        * adds extra space "for safety's sake" in several places a conservative
2572        * limit is used here.
2573        *
2574        * NOTE: it would be far better to check the size that is actually used,
2575        * but the effect in the real world is minor and the changes are more
2576        * extensive, therefore much more dangerous and much more difficult to
2577        * write in a way that avoids compiler warnings.
2578        */
2579       png_warning(png_ptr, "Image width is too large for this architecture");
2580       error = 1;
2581    }
2582 
2583 #ifdef PNG_SET_USER_LIMITS_SUPPORTED
2584    if (width > png_ptr->user_width_max)
2585 #else
2586    if (width > PNG_USER_WIDTH_MAX)
2587 #endif
2588    {
2589       png_warning(png_ptr, "Image width exceeds user limit in IHDR");
2590       error = 1;
2591    }
2592 
2593    if (height == 0)
2594    {
2595       png_warning(png_ptr, "Image height is zero in IHDR");
2596       error = 1;
2597    }
2598 
2599    if (height > PNG_UINT_31_MAX)
2600    {
2601       png_warning(png_ptr, "Invalid image height in IHDR");
2602       error = 1;
2603    }
2604 
2605 #ifdef PNG_SET_USER_LIMITS_SUPPORTED
2606    if (height > png_ptr->user_height_max)
2607 #else
2608    if (height > PNG_USER_HEIGHT_MAX)
2609 #endif
2610    {
2611       png_warning(png_ptr, "Image height exceeds user limit in IHDR");
2612       error = 1;
2613    }
2614 
2615    /* Check other values */
2616    if (bit_depth != 1 && bit_depth != 2 && bit_depth != 4 &&
2617        bit_depth != 8 && bit_depth != 16)
2618    {
2619       png_warning(png_ptr, "Invalid bit depth in IHDR");
2620       error = 1;
2621    }
2622 
2623    if (color_type < 0 || color_type == 1 ||
2624        color_type == 5 || color_type > 6)
2625    {
2626       png_warning(png_ptr, "Invalid color type in IHDR");
2627       error = 1;
2628    }
2629 
2630    if (((color_type == PNG_COLOR_TYPE_PALETTE) && bit_depth > 8) ||
2631        ((color_type == PNG_COLOR_TYPE_RGB ||
2632          color_type == PNG_COLOR_TYPE_GRAY_ALPHA ||
2633          color_type == PNG_COLOR_TYPE_RGB_ALPHA) && bit_depth < 8))
2634    {
2635       png_warning(png_ptr, "Invalid color type/bit depth combination in IHDR");
2636       error = 1;
2637    }
2638 
2639    if (interlace_type >= PNG_INTERLACE_LAST)
2640    {
2641       png_warning(png_ptr, "Unknown interlace method in IHDR");
2642       error = 1;
2643    }
2644 
2645    if (compression_type != PNG_COMPRESSION_TYPE_BASE)
2646    {
2647       png_warning(png_ptr, "Unknown compression method in IHDR");
2648       error = 1;
2649    }
2650 
2651 #ifdef PNG_MNG_FEATURES_SUPPORTED
2652    /* Accept filter_method 64 (intrapixel differencing) only if
2653     * 1. Libpng was compiled with PNG_MNG_FEATURES_SUPPORTED and
2654     * 2. Libpng did not read a PNG signature (this filter_method is only
2655     *    used in PNG datastreams that are embedded in MNG datastreams) and
2656     * 3. The application called png_permit_mng_features with a mask that
2657     *    included PNG_FLAG_MNG_FILTER_64 and
2658     * 4. The filter_method is 64 and
2659     * 5. The color_type is RGB or RGBA
2660     */
2661    if ((png_ptr->mode & PNG_HAVE_PNG_SIGNATURE) != 0 &&
2662        png_ptr->mng_features_permitted != 0)
2663       png_warning(png_ptr, "MNG features are not allowed in a PNG datastream");
2664 
2665    if (filter_type != PNG_FILTER_TYPE_BASE)
2666    {
2667       if (!((png_ptr->mng_features_permitted & PNG_FLAG_MNG_FILTER_64) != 0 &&
2668           (filter_type == PNG_INTRAPIXEL_DIFFERENCING) &&
2669           ((png_ptr->mode & PNG_HAVE_PNG_SIGNATURE) == 0) &&
2670           (color_type == PNG_COLOR_TYPE_RGB ||
2671           color_type == PNG_COLOR_TYPE_RGB_ALPHA)))
2672       {
2673          png_warning(png_ptr, "Unknown filter method in IHDR");
2674          error = 1;
2675       }
2676 
2677       if ((png_ptr->mode & PNG_HAVE_PNG_SIGNATURE) != 0)
2678       {
2679          png_warning(png_ptr, "Invalid filter method in IHDR");
2680          error = 1;
2681       }
2682    }
2683 
2684 #else
2685    if (filter_type != PNG_FILTER_TYPE_BASE)
2686    {
2687       png_warning(png_ptr, "Unknown filter method in IHDR");
2688       error = 1;
2689    }
2690 #endif
2691 
2692    if (error == 1)
2693       png_error(png_ptr, "Invalid IHDR data");
2694 }
2695 
2696 #if defined(PNG_sCAL_SUPPORTED) || defined(PNG_pCAL_SUPPORTED)
2697 /* ASCII to fp functions */
2698 /* Check an ASCII formated floating point value, see the more detailed
2699  * comments in pngpriv.h
2700  */
2701 /* The following is used internally to preserve the sticky flags */
2702 #define png_fp_add(state, flags) ((state) |= (flags))
2703 #define png_fp_set(state, value) ((state) = (value) | ((state) & PNG_FP_STICKY))
2704 
2705 int /* PRIVATE */
2706 png_check_fp_number(png_const_charp string, png_size_t size, int *statep,
2707     png_size_tp whereami)
2708 {
2709    int state = *statep;
2710    png_size_t i = *whereami;
2711 
2712    while (i < size)
2713    {
2714       int type;
2715       /* First find the type of the next character */
2716       switch (string[i])
2717       {
2718       case 43:  type = PNG_FP_SAW_SIGN;                   break;
2719       case 45:  type = PNG_FP_SAW_SIGN + PNG_FP_NEGATIVE; break;
2720       case 46:  type = PNG_FP_SAW_DOT;                    break;
2721       case 48:  type = PNG_FP_SAW_DIGIT;                  break;
2722       case 49: case 50: case 51: case 52:
2723       case 53: case 54: case 55: case 56:
2724       case 57:  type = PNG_FP_SAW_DIGIT + PNG_FP_NONZERO; break;
2725       case 69:
2726       case 101: type = PNG_FP_SAW_E;                      break;
2727       default:  goto PNG_FP_End;
2728       }
2729 
2730       /* Now deal with this type according to the current
2731        * state, the type is arranged to not overlap the
2732        * bits of the PNG_FP_STATE.
2733        */
2734       switch ((state & PNG_FP_STATE) + (type & PNG_FP_SAW_ANY))
2735       {
2736       case PNG_FP_INTEGER + PNG_FP_SAW_SIGN:
2737          if ((state & PNG_FP_SAW_ANY) != 0)
2738             goto PNG_FP_End; /* not a part of the number */
2739 
2740          png_fp_add(state, type);
2741          break;
2742 
2743       case PNG_FP_INTEGER + PNG_FP_SAW_DOT:
2744          /* Ok as trailer, ok as lead of fraction. */
2745          if ((state & PNG_FP_SAW_DOT) != 0) /* two dots */
2746             goto PNG_FP_End;
2747 
2748          else if ((state & PNG_FP_SAW_DIGIT) != 0) /* trailing dot? */
2749             png_fp_add(state, type);
2750 
2751          else
2752             png_fp_set(state, PNG_FP_FRACTION | type);
2753 
2754          break;
2755 
2756       case PNG_FP_INTEGER + PNG_FP_SAW_DIGIT:
2757          if ((state & PNG_FP_SAW_DOT) != 0) /* delayed fraction */
2758             png_fp_set(state, PNG_FP_FRACTION | PNG_FP_SAW_DOT);
2759 
2760          png_fp_add(state, type | PNG_FP_WAS_VALID);
2761 
2762          break;
2763 
2764       case PNG_FP_INTEGER + PNG_FP_SAW_E:
2765          if ((state & PNG_FP_SAW_DIGIT) == 0)
2766             goto PNG_FP_End;
2767 
2768          png_fp_set(state, PNG_FP_EXPONENT);
2769 
2770          break;
2771 
2772    /* case PNG_FP_FRACTION + PNG_FP_SAW_SIGN:
2773          goto PNG_FP_End; ** no sign in fraction */
2774 
2775    /* case PNG_FP_FRACTION + PNG_FP_SAW_DOT:
2776          goto PNG_FP_End; ** Because SAW_DOT is always set */
2777 
2778       case PNG_FP_FRACTION + PNG_FP_SAW_DIGIT:
2779          png_fp_add(state, type | PNG_FP_WAS_VALID);
2780          break;
2781 
2782       case PNG_FP_FRACTION + PNG_FP_SAW_E:
2783          /* This is correct because the trailing '.' on an
2784           * integer is handled above - so we can only get here
2785           * with the sequence ".E" (with no preceding digits).
2786           */
2787          if ((state & PNG_FP_SAW_DIGIT) == 0)
2788             goto PNG_FP_End;
2789 
2790          png_fp_set(state, PNG_FP_EXPONENT);
2791 
2792          break;
2793 
2794       case PNG_FP_EXPONENT + PNG_FP_SAW_SIGN:
2795          if ((state & PNG_FP_SAW_ANY) != 0)
2796             goto PNG_FP_End; /* not a part of the number */
2797 
2798          png_fp_add(state, PNG_FP_SAW_SIGN);
2799 
2800          break;
2801 
2802    /* case PNG_FP_EXPONENT + PNG_FP_SAW_DOT:
2803          goto PNG_FP_End; */
2804 
2805       case PNG_FP_EXPONENT + PNG_FP_SAW_DIGIT:
2806          png_fp_add(state, PNG_FP_SAW_DIGIT | PNG_FP_WAS_VALID);
2807 
2808          break;
2809 
2810    /* case PNG_FP_EXPONEXT + PNG_FP_SAW_E:
2811          goto PNG_FP_End; */
2812 
2813       default: goto PNG_FP_End; /* I.e. break 2 */
2814       }
2815 
2816       /* The character seems ok, continue. */
2817       ++i;
2818    }
2819 
2820 PNG_FP_End:
2821    /* Here at the end, update the state and return the correct
2822     * return code.
2823     */
2824    *statep = state;
2825    *whereami = i;
2826 
2827    return (state & PNG_FP_SAW_DIGIT) != 0;
2828 }
2829 
2830 
2831 /* The same but for a complete string. */
2832 int
2833 png_check_fp_string(png_const_charp string, png_size_t size)
2834 {
2835    int        state=0;
2836    png_size_t char_index=0;
2837 
2838    if (png_check_fp_number(string, size, &state, &char_index) != 0 &&
2839       (char_index == size || string[char_index] == 0))
2840       return state /* must be non-zero - see above */;
2841 
2842    return 0; /* i.e. fail */
2843 }
2844 #endif /* pCAL || sCAL */
2845 
2846 #ifdef PNG_sCAL_SUPPORTED
2847 #  ifdef PNG_FLOATING_POINT_SUPPORTED
2848 /* Utility used below - a simple accurate power of ten from an integral
2849  * exponent.
2850  */
2851 static double
2852 png_pow10(int power)
2853 {
2854    int recip = 0;
2855    double d = 1;
2856 
2857    /* Handle negative exponent with a reciprocal at the end because
2858     * 10 is exact whereas .1 is inexact in base 2
2859     */
2860    if (power < 0)
2861    {
2862       if (power < DBL_MIN_10_EXP) return 0;
2863       recip = 1, power = -power;
2864    }
2865 
2866    if (power > 0)
2867    {
2868       /* Decompose power bitwise. */
2869       double mult = 10;
2870       do
2871       {
2872          if (power & 1) d *= mult;
2873          mult *= mult;
2874          power >>= 1;
2875       }
2876       while (power > 0);
2877 
2878       if (recip != 0) d = 1/d;
2879    }
2880    /* else power is 0 and d is 1 */
2881 
2882    return d;
2883 }
2884 
2885 /* Function to format a floating point value in ASCII with a given
2886  * precision.
2887  */
2888 void /* PRIVATE */
2889 png_ascii_from_fp(png_const_structrp png_ptr, png_charp ascii, png_size_t size,
2890     double fp, unsigned int precision)
2891 {
2892    /* We use standard functions from math.h, but not printf because
2893     * that would require stdio.  The caller must supply a buffer of
2894     * sufficient size or we will png_error.  The tests on size and
2895     * the space in ascii[] consumed are indicated below.
2896     */
2897    if (precision < 1)
2898       precision = DBL_DIG;
2899 
2900    /* Enforce the limit of the implementation precision too. */
2901    if (precision > DBL_DIG+1)
2902       precision = DBL_DIG+1;
2903 
2904    /* Basic sanity checks */
2905    if (size >= precision+5) /* See the requirements below. */
2906    {
2907       if (fp < 0)
2908       {
2909          fp = -fp;
2910          *ascii++ = 45; /* '-'  PLUS 1 TOTAL 1 */
2911          --size;
2912       }
2913 
2914       if (fp >= DBL_MIN && fp <= DBL_MAX)
2915       {
2916          int exp_b10;   /* A base 10 exponent */
2917          double base;   /* 10^exp_b10 */
2918 
2919          /* First extract a base 10 exponent of the number,
2920           * the calculation below rounds down when converting
2921           * from base 2 to base 10 (multiply by log10(2) -
2922           * 0.3010, but 77/256 is 0.3008, so exp_b10 needs to
2923           * be increased.  Note that the arithmetic shift
2924           * performs a floor() unlike C arithmetic - using a
2925           * C multiply would break the following for negative
2926           * exponents.
2927           */
2928          (void)frexp(fp, &exp_b10); /* exponent to base 2 */
2929 
2930          exp_b10 = (exp_b10 * 77) >> 8; /* <= exponent to base 10 */
2931 
2932          /* Avoid underflow here. */
2933          base = png_pow10(exp_b10); /* May underflow */
2934 
2935          while (base < DBL_MIN || base < fp)
2936          {
2937             /* And this may overflow. */
2938             double test = png_pow10(exp_b10+1);
2939 
2940             if (test <= DBL_MAX)
2941                ++exp_b10, base = test;
2942 
2943             else
2944                break;
2945          }
2946 
2947          /* Normalize fp and correct exp_b10, after this fp is in the
2948           * range [.1,1) and exp_b10 is both the exponent and the digit
2949           * *before* which the decimal point should be inserted
2950           * (starting with 0 for the first digit).  Note that this
2951           * works even if 10^exp_b10 is out of range because of the
2952           * test on DBL_MAX above.
2953           */
2954          fp /= base;
2955          while (fp >= 1) fp /= 10, ++exp_b10;
2956 
2957          /* Because of the code above fp may, at this point, be
2958           * less than .1, this is ok because the code below can
2959           * handle the leading zeros this generates, so no attempt
2960           * is made to correct that here.
2961           */
2962 
2963          {
2964             unsigned int czero, clead, cdigits;
2965             char exponent[10];
2966 
2967             /* Allow up to two leading zeros - this will not lengthen
2968              * the number compared to using E-n.
2969              */
2970             if (exp_b10 < 0 && exp_b10 > -3) /* PLUS 3 TOTAL 4 */
2971             {
2972                czero = (unsigned int)(-exp_b10); /* PLUS 2 digits: TOTAL 3 */
2973                exp_b10 = 0;      /* Dot added below before first output. */
2974             }
2975             else
2976                czero = 0;    /* No zeros to add */
2977 
2978             /* Generate the digit list, stripping trailing zeros and
2979              * inserting a '.' before a digit if the exponent is 0.
2980              */
2981             clead = czero; /* Count of leading zeros */
2982             cdigits = 0;   /* Count of digits in list. */
2983 
2984             do
2985             {
2986                double d;
2987 
2988                fp *= 10;
2989                /* Use modf here, not floor and subtract, so that
2990                 * the separation is done in one step.  At the end
2991                 * of the loop don't break the number into parts so
2992                 * that the final digit is rounded.
2993                 */
2994                if (cdigits+czero+1 < precision+clead)
2995                   fp = modf(fp, &d);
2996 
2997                else
2998                {
2999                   d = floor(fp + .5);
3000 
3001                   if (d > 9)
3002                   {
3003                      /* Rounding up to 10, handle that here. */
3004                      if (czero > 0)
3005                      {
3006                         --czero, d = 1;
3007                         if (cdigits == 0) --clead;
3008                      }
3009                      else
3010                      {
3011                         while (cdigits > 0 && d > 9)
3012                         {
3013                            int ch = *--ascii;
3014 
3015                            if (exp_b10 != (-1))
3016                               ++exp_b10;
3017 
3018                            else if (ch == 46)
3019                            {
3020                               ch = *--ascii, ++size;
3021                               /* Advance exp_b10 to '1', so that the
3022                                * decimal point happens after the
3023                                * previous digit.
3024                                */
3025                               exp_b10 = 1;
3026                            }
3027 
3028                            --cdigits;
3029                            d = ch - 47;  /* I.e. 1+(ch-48) */
3030                         }
3031 
3032                         /* Did we reach the beginning? If so adjust the
3033                          * exponent but take into account the leading
3034                          * decimal point.
3035                          */
3036                         if (d > 9)  /* cdigits == 0 */
3037                         {
3038                            if (exp_b10 == (-1))
3039                            {
3040                               /* Leading decimal point (plus zeros?), if
3041                                * we lose the decimal point here it must
3042                                * be reentered below.
3043                                */
3044                               int ch = *--ascii;
3045 
3046                               if (ch == 46)
3047                                  ++size, exp_b10 = 1;
3048 
3049                               /* Else lost a leading zero, so 'exp_b10' is
3050                                * still ok at (-1)
3051                                */
3052                            }
3053                            else
3054                               ++exp_b10;
3055 
3056                            /* In all cases we output a '1' */
3057                            d = 1;
3058                         }
3059                      }
3060                   }
3061                   fp = 0; /* Guarantees termination below. */
3062                }
3063 
3064                if (d == 0)
3065                {
3066                   ++czero;
3067                   if (cdigits == 0) ++clead;
3068                }
3069                else
3070                {
3071                   /* Included embedded zeros in the digit count. */
3072                   cdigits += czero - clead;
3073                   clead = 0;
3074 
3075                   while (czero > 0)
3076                   {
3077                      /* exp_b10 == (-1) means we just output the decimal
3078                       * place - after the DP don't adjust 'exp_b10' any
3079                       * more!
3080                       */
3081                      if (exp_b10 != (-1))
3082                      {
3083                         if (exp_b10 == 0) *ascii++ = 46, --size;
3084                         /* PLUS 1: TOTAL 4 */
3085                         --exp_b10;
3086                      }
3087                      *ascii++ = 48, --czero;
3088                   }
3089 
3090                   if (exp_b10 != (-1))
3091                   {
3092                      if (exp_b10 == 0)
3093                         *ascii++ = 46, --size; /* counted above */
3094 
3095                      --exp_b10;
3096                   }
3097                   *ascii++ = (char)(48 + (int)d), ++cdigits;
3098                }
3099             }
3100             while (cdigits+czero < precision+clead && fp > DBL_MIN);
3101 
3102             /* The total output count (max) is now 4+precision */
3103 
3104             /* Check for an exponent, if we don't need one we are
3105              * done and just need to terminate the string.  At
3106              * this point exp_b10==(-1) is effectively if flag - it got
3107              * to '-1' because of the decrement after outputting
3108              * the decimal point above (the exponent required is
3109              * *not* -1!)
3110              */
3111             if (exp_b10 >= (-1) && exp_b10 <= 2)
3112             {
3113                /* The following only happens if we didn't output the
3114                 * leading zeros above for negative exponent, so this
3115                 * doesn't add to the digit requirement.  Note that the
3116                 * two zeros here can only be output if the two leading
3117                 * zeros were *not* output, so this doesn't increase
3118                 * the output count.
3119                 */
3120                while (--exp_b10 >= 0) *ascii++ = 48;
3121 
3122                *ascii = 0;
3123 
3124                /* Total buffer requirement (including the '\0') is
3125                 * 5+precision - see check at the start.
3126                 */
3127                return;
3128             }
3129 
3130             /* Here if an exponent is required, adjust size for
3131              * the digits we output but did not count.  The total
3132              * digit output here so far is at most 1+precision - no
3133              * decimal point and no leading or trailing zeros have
3134              * been output.
3135              */
3136             size -= cdigits;
3137 
3138             *ascii++ = 69, --size;    /* 'E': PLUS 1 TOTAL 2+precision */
3139 
3140             /* The following use of an unsigned temporary avoids ambiguities in
3141              * the signed arithmetic on exp_b10 and permits GCC at least to do
3142              * better optimization.
3143              */
3144             {
3145                unsigned int uexp_b10;
3146 
3147                if (exp_b10 < 0)
3148                {
3149                   *ascii++ = 45, --size; /* '-': PLUS 1 TOTAL 3+precision */
3150                   uexp_b10 = (unsigned int)(-exp_b10);
3151                }
3152 
3153                else
3154                   uexp_b10 = (unsigned int)exp_b10;
3155 
3156                cdigits = 0;
3157 
3158                while (uexp_b10 > 0)
3159                {
3160                   exponent[cdigits++] = (char)(48 + uexp_b10 % 10);
3161                   uexp_b10 /= 10;
3162                }
3163             }
3164 
3165             /* Need another size check here for the exponent digits, so
3166              * this need not be considered above.
3167              */
3168             if (size > cdigits)
3169             {
3170                while (cdigits > 0) *ascii++ = exponent[--cdigits];
3171 
3172                *ascii = 0;
3173 
3174                return;
3175             }
3176          }
3177       }
3178       else if (!(fp >= DBL_MIN))
3179       {
3180          *ascii++ = 48; /* '0' */
3181          *ascii = 0;
3182          return;
3183       }
3184       else
3185       {
3186          *ascii++ = 105; /* 'i' */
3187          *ascii++ = 110; /* 'n' */
3188          *ascii++ = 102; /* 'f' */
3189          *ascii = 0;
3190          return;
3191       }
3192    }
3193 
3194    /* Here on buffer too small. */
3195    png_error(png_ptr, "ASCII conversion buffer too small");
3196 }
3197 
3198 #  endif /* FLOATING_POINT */
3199 
3200 #  ifdef PNG_FIXED_POINT_SUPPORTED
3201 /* Function to format a fixed point value in ASCII.
3202  */
3203 void /* PRIVATE */
3204 png_ascii_from_fixed(png_const_structrp png_ptr, png_charp ascii,
3205     png_size_t size, png_fixed_point fp)
3206 {
3207    /* Require space for 10 decimal digits, a decimal point, a minus sign and a
3208     * trailing \0, 13 characters:
3209     */
3210    if (size > 12)
3211    {
3212       png_uint_32 num;
3213 
3214       /* Avoid overflow here on the minimum integer. */
3215       if (fp < 0)
3216          *ascii++ = 45, num = (png_uint_32)(-fp);
3217       else
3218          num = (png_uint_32)fp;
3219 
3220       if (num <= 0x80000000) /* else overflowed */
3221       {
3222          unsigned int ndigits = 0, first = 16 /* flag value */;
3223          char digits[10];
3224 
3225          while (num)
3226          {
3227             /* Split the low digit off num: */
3228             unsigned int tmp = num/10;
3229             num -= tmp*10;
3230             digits[ndigits++] = (char)(48 + num);
3231             /* Record the first non-zero digit, note that this is a number
3232              * starting at 1, it's not actually the array index.
3233              */
3234             if (first == 16 && num > 0)
3235                first = ndigits;
3236             num = tmp;
3237          }
3238 
3239          if (ndigits > 0)
3240          {
3241             while (ndigits > 5) *ascii++ = digits[--ndigits];
3242             /* The remaining digits are fractional digits, ndigits is '5' or
3243              * smaller at this point.  It is certainly not zero.  Check for a
3244              * non-zero fractional digit:
3245              */
3246             if (first <= 5)
3247             {
3248                unsigned int i;
3249                *ascii++ = 46; /* decimal point */
3250                /* ndigits may be <5 for small numbers, output leading zeros
3251                 * then ndigits digits to first:
3252                 */
3253                i = 5;
3254                while (ndigits < i) *ascii++ = 48, --i;
3255                while (ndigits >= first) *ascii++ = digits[--ndigits];
3256                /* Don't output the trailing zeros! */
3257             }
3258          }
3259          else
3260             *ascii++ = 48;
3261 
3262          /* And null terminate the string: */
3263          *ascii = 0;
3264          return;
3265       }
3266    }
3267 
3268    /* Here on buffer too small. */
3269    png_error(png_ptr, "ASCII conversion buffer too small");
3270 }
3271 #   endif /* FIXED_POINT */
3272 #endif /* SCAL */
3273 
3274 #if defined(PNG_FLOATING_POINT_SUPPORTED) && \
3275    !defined(PNG_FIXED_POINT_MACRO_SUPPORTED) && \
3276    (defined(PNG_gAMA_SUPPORTED) || defined(PNG_cHRM_SUPPORTED) || \
3277    defined(PNG_sCAL_SUPPORTED) || defined(PNG_READ_BACKGROUND_SUPPORTED) || \
3278    defined(PNG_READ_RGB_TO_GRAY_SUPPORTED)) || \
3279    (defined(PNG_sCAL_SUPPORTED) && \
3280    defined(PNG_FLOATING_ARITHMETIC_SUPPORTED))
3281 png_fixed_point
3282 png_fixed(png_const_structrp png_ptr, double fp, png_const_charp text)
3283 {
3284    double r = floor(100000 * fp + .5);
3285 
3286    if (r > 2147483647. || r < -2147483648.)
3287       png_fixed_error(png_ptr, text);
3288 
3289 #  ifndef PNG_ERROR_TEXT_SUPPORTED
3290    PNG_UNUSED(text)
3291 #  endif
3292 
3293    return (png_fixed_point)r;
3294 }
3295 #endif
3296 
3297 #if defined(PNG_GAMMA_SUPPORTED) || defined(PNG_COLORSPACE_SUPPORTED) ||\
3298     defined(PNG_INCH_CONVERSIONS_SUPPORTED) || defined(PNG_READ_pHYs_SUPPORTED)
3299 /* muldiv functions */
3300 /* This API takes signed arguments and rounds the result to the nearest
3301  * integer (or, for a fixed point number - the standard argument - to
3302  * the nearest .00001).  Overflow and divide by zero are signalled in
3303  * the result, a boolean - true on success, false on overflow.
3304  */
3305 int
3306 png_muldiv(png_fixed_point_p res, png_fixed_point a, png_int_32 times,
3307     png_int_32 divisor)
3308 {
3309    /* Return a * times / divisor, rounded. */
3310    if (divisor != 0)
3311    {
3312       if (a == 0 || times == 0)
3313       {
3314          *res = 0;
3315          return 1;
3316       }
3317       else
3318       {
3319 #ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED
3320          double r = a;
3321          r *= times;
3322          r /= divisor;
3323          r = floor(r+.5);
3324 
3325          /* A png_fixed_point is a 32-bit integer. */
3326          if (r <= 2147483647. && r >= -2147483648.)
3327          {
3328             *res = (png_fixed_point)r;
3329             return 1;
3330          }
3331 #else
3332          int negative = 0;
3333          png_uint_32 A, T, D;
3334          png_uint_32 s16, s32, s00;
3335 
3336          if (a < 0)
3337             negative = 1, A = -a;
3338          else
3339             A = a;
3340 
3341          if (times < 0)
3342             negative = !negative, T = -times;
3343          else
3344             T = times;
3345 
3346          if (divisor < 0)
3347             negative = !negative, D = -divisor;
3348          else
3349             D = divisor;
3350 
3351          /* Following can't overflow because the arguments only
3352           * have 31 bits each, however the result may be 32 bits.
3353           */
3354          s16 = (A >> 16) * (T & 0xffff) +
3355                            (A & 0xffff) * (T >> 16);
3356          /* Can't overflow because the a*times bit is only 30
3357           * bits at most.
3358           */
3359          s32 = (A >> 16) * (T >> 16) + (s16 >> 16);
3360          s00 = (A & 0xffff) * (T & 0xffff);
3361 
3362          s16 = (s16 & 0xffff) << 16;
3363          s00 += s16;
3364 
3365          if (s00 < s16)
3366             ++s32; /* carry */
3367 
3368          if (s32 < D) /* else overflow */
3369          {
3370             /* s32.s00 is now the 64-bit product, do a standard
3371              * division, we know that s32 < D, so the maximum
3372              * required shift is 31.
3373              */
3374             int bitshift = 32;
3375             png_fixed_point result = 0; /* NOTE: signed */
3376 
3377             while (--bitshift >= 0)
3378             {
3379                png_uint_32 d32, d00;
3380 
3381                if (bitshift > 0)
3382                   d32 = D >> (32-bitshift), d00 = D << bitshift;
3383 
3384                else
3385                   d32 = 0, d00 = D;
3386 
3387                if (s32 > d32)
3388                {
3389                   if (s00 < d00) --s32; /* carry */
3390                   s32 -= d32, s00 -= d00, result += 1<<bitshift;
3391                }
3392 
3393                else
3394                   if (s32 == d32 && s00 >= d00)
3395                      s32 = 0, s00 -= d00, result += 1<<bitshift;
3396             }
3397 
3398             /* Handle the rounding. */
3399             if (s00 >= (D >> 1))
3400                ++result;
3401 
3402             if (negative != 0)
3403                result = -result;
3404 
3405             /* Check for overflow. */
3406             if ((negative != 0 && result <= 0) ||
3407                 (negative == 0 && result >= 0))
3408             {
3409                *res = result;
3410                return 1;
3411             }
3412          }
3413 #endif
3414       }
3415    }
3416 
3417    return 0;
3418 }
3419 #endif /* READ_GAMMA || INCH_CONVERSIONS */
3420 
3421 #if defined(PNG_READ_GAMMA_SUPPORTED) || defined(PNG_INCH_CONVERSIONS_SUPPORTED)
3422 /* The following is for when the caller doesn't much care about the
3423  * result.
3424  */
3425 png_fixed_point
3426 png_muldiv_warn(png_const_structrp png_ptr, png_fixed_point a, png_int_32 times,
3427     png_int_32 divisor)
3428 {
3429    png_fixed_point result;
3430 
3431    if (png_muldiv(&result, a, times, divisor) != 0)
3432       return result;
3433 
3434    png_warning(png_ptr, "fixed point overflow ignored");
3435    return 0;
3436 }
3437 #endif
3438 
3439 #ifdef PNG_GAMMA_SUPPORTED /* more fixed point functions for gamma */
3440 /* Calculate a reciprocal, return 0 on div-by-zero or overflow. */
3441 png_fixed_point
3442 png_reciprocal(png_fixed_point a)
3443 {
3444 #ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED
3445    double r = floor(1E10/a+.5);
3446 
3447    if (r <= 2147483647. && r >= -2147483648.)
3448       return (png_fixed_point)r;
3449 #else
3450    png_fixed_point res;
3451 
3452    if (png_muldiv(&res, 100000, 100000, a) != 0)
3453       return res;
3454 #endif
3455 
3456    return 0; /* error/overflow */
3457 }
3458 
3459 /* This is the shared test on whether a gamma value is 'significant' - whether
3460  * it is worth doing gamma correction.
3461  */
3462 int /* PRIVATE */
3463 png_gamma_significant(png_fixed_point gamma_val)
3464 {
3465    return gamma_val < PNG_FP_1 - PNG_GAMMA_THRESHOLD_FIXED ||
3466        gamma_val > PNG_FP_1 + PNG_GAMMA_THRESHOLD_FIXED;
3467 }
3468 #endif
3469 
3470 #ifdef PNG_READ_GAMMA_SUPPORTED
3471 #ifdef PNG_16BIT_SUPPORTED
3472 /* A local convenience routine. */
3473 static png_fixed_point
3474 png_product2(png_fixed_point a, png_fixed_point b)
3475 {
3476    /* The required result is 1/a * 1/b; the following preserves accuracy. */
3477 #ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED
3478    double r = a * 1E-5;
3479    r *= b;
3480    r = floor(r+.5);
3481 
3482    if (r <= 2147483647. && r >= -2147483648.)
3483       return (png_fixed_point)r;
3484 #else
3485    png_fixed_point res;
3486 
3487    if (png_muldiv(&res, a, b, 100000) != 0)
3488       return res;
3489 #endif
3490 
3491    return 0; /* overflow */
3492 }
3493 #endif /* 16BIT */
3494 
3495 /* The inverse of the above. */
3496 png_fixed_point
3497 png_reciprocal2(png_fixed_point a, png_fixed_point b)
3498 {
3499    /* The required result is 1/a * 1/b; the following preserves accuracy. */
3500 #ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED
3501    if (a != 0 && b != 0)
3502    {
3503       double r = 1E15/a;
3504       r /= b;
3505       r = floor(r+.5);
3506 
3507       if (r <= 2147483647. && r >= -2147483648.)
3508          return (png_fixed_point)r;
3509    }
3510 #else
3511    /* This may overflow because the range of png_fixed_point isn't symmetric,
3512     * but this API is only used for the product of file and screen gamma so it
3513     * doesn't matter that the smallest number it can produce is 1/21474, not
3514     * 1/100000
3515     */
3516    png_fixed_point res = png_product2(a, b);
3517 
3518    if (res != 0)
3519       return png_reciprocal(res);
3520 #endif
3521 
3522    return 0; /* overflow */
3523 }
3524 #endif /* READ_GAMMA */
3525 
3526 #ifdef PNG_READ_GAMMA_SUPPORTED /* gamma table code */
3527 #ifndef PNG_FLOATING_ARITHMETIC_SUPPORTED
3528 /* Fixed point gamma.
3529  *
3530  * The code to calculate the tables used below can be found in the shell script
3531  * contrib/tools/intgamma.sh
3532  *
3533  * To calculate gamma this code implements fast log() and exp() calls using only
3534  * fixed point arithmetic.  This code has sufficient precision for either 8-bit
3535  * or 16-bit sample values.
3536  *
3537  * The tables used here were calculated using simple 'bc' programs, but C double
3538  * precision floating point arithmetic would work fine.
3539  *
3540  * 8-bit log table
3541  *   This is a table of -log(value/255)/log(2) for 'value' in the range 128 to
3542  *   255, so it's the base 2 logarithm of a normalized 8-bit floating point
3543  *   mantissa.  The numbers are 32-bit fractions.
3544  */
3545 static const png_uint_32
3546 png_8bit_l2[128] =
3547 {
3548    4270715492U, 4222494797U, 4174646467U, 4127164793U, 4080044201U, 4033279239U,
3549    3986864580U, 3940795015U, 3895065449U, 3849670902U, 3804606499U, 3759867474U,
3550    3715449162U, 3671346997U, 3627556511U, 3584073329U, 3540893168U, 3498011834U,
3551    3455425220U, 3413129301U, 3371120137U, 3329393864U, 3287946700U, 3246774933U,
3552    3205874930U, 3165243125U, 3124876025U, 3084770202U, 3044922296U, 3005329011U,
3553    2965987113U, 2926893432U, 2888044853U, 2849438323U, 2811070844U, 2772939474U,
3554    2735041326U, 2697373562U, 2659933400U, 2622718104U, 2585724991U, 2548951424U,
3555    2512394810U, 2476052606U, 2439922311U, 2404001468U, 2368287663U, 2332778523U,
3556    2297471715U, 2262364947U, 2227455964U, 2192742551U, 2158222529U, 2123893754U,
3557    2089754119U, 2055801552U, 2022034013U, 1988449497U, 1955046031U, 1921821672U,
3558    1888774511U, 1855902668U, 1823204291U, 1790677560U, 1758320682U, 1726131893U,
3559    1694109454U, 1662251657U, 1630556815U, 1599023271U, 1567649391U, 1536433567U,
3560    1505374214U, 1474469770U, 1443718700U, 1413119487U, 1382670639U, 1352370686U,
3561    1322218179U, 1292211689U, 1262349810U, 1232631153U, 1203054352U, 1173618059U,
3562    1144320946U, 1115161701U, 1086139034U, 1057251672U, 1028498358U, 999877854U,
3563    971388940U, 943030410U, 914801076U, 886699767U, 858725327U, 830876614U,
3564    803152505U, 775551890U, 748073672U, 720716771U, 693480120U, 666362667U,
3565    639363374U, 612481215U, 585715177U, 559064263U, 532527486U, 506103872U,
3566    479792461U, 453592303U, 427502463U, 401522014U, 375650043U, 349885648U,
3567    324227938U, 298676034U, 273229066U, 247886176U, 222646516U, 197509248U,
3568    172473545U, 147538590U, 122703574U, 97967701U, 73330182U, 48790236U,
3569    24347096U, 0U
3570 
3571 #if 0
3572    /* The following are the values for 16-bit tables - these work fine for the
3573     * 8-bit conversions but produce very slightly larger errors in the 16-bit
3574     * log (about 1.2 as opposed to 0.7 absolute error in the final value).  To
3575     * use these all the shifts below must be adjusted appropriately.
3576     */
3577    65166, 64430, 63700, 62976, 62257, 61543, 60835, 60132, 59434, 58741, 58054,
3578    57371, 56693, 56020, 55352, 54689, 54030, 53375, 52726, 52080, 51439, 50803,
3579    50170, 49542, 48918, 48298, 47682, 47070, 46462, 45858, 45257, 44661, 44068,
3580    43479, 42894, 42312, 41733, 41159, 40587, 40020, 39455, 38894, 38336, 37782,
3581    37230, 36682, 36137, 35595, 35057, 34521, 33988, 33459, 32932, 32408, 31887,
3582    31369, 30854, 30341, 29832, 29325, 28820, 28319, 27820, 27324, 26830, 26339,
3583    25850, 25364, 24880, 24399, 23920, 23444, 22970, 22499, 22029, 21562, 21098,
3584    20636, 20175, 19718, 19262, 18808, 18357, 17908, 17461, 17016, 16573, 16132,
3585    15694, 15257, 14822, 14390, 13959, 13530, 13103, 12678, 12255, 11834, 11415,
3586    10997, 10582, 10168, 9756, 9346, 8937, 8531, 8126, 7723, 7321, 6921, 6523,
3587    6127, 5732, 5339, 4947, 4557, 4169, 3782, 3397, 3014, 2632, 2251, 1872, 1495,
3588    1119, 744, 372
3589 #endif
3590 };
3591 
3592 static png_int_32
3593 png_log8bit(unsigned int x)
3594 {
3595    unsigned int lg2 = 0;
3596    /* Each time 'x' is multiplied by 2, 1 must be subtracted off the final log,
3597     * because the log is actually negate that means adding 1.  The final
3598     * returned value thus has the range 0 (for 255 input) to 7.994 (for 1
3599     * input), return -1 for the overflow (log 0) case, - so the result is
3600     * always at most 19 bits.
3601     */
3602    if ((x &= 0xff) == 0)
3603       return -1;
3604 
3605    if ((x & 0xf0) == 0)
3606       lg2  = 4, x <<= 4;
3607 
3608    if ((x & 0xc0) == 0)
3609       lg2 += 2, x <<= 2;
3610 
3611    if ((x & 0x80) == 0)
3612       lg2 += 1, x <<= 1;
3613 
3614    /* result is at most 19 bits, so this cast is safe: */
3615    return (png_int_32)((lg2 << 16) + ((png_8bit_l2[x-128]+32768)>>16));
3616 }
3617 
3618 /* The above gives exact (to 16 binary places) log2 values for 8-bit images,
3619  * for 16-bit images we use the most significant 8 bits of the 16-bit value to
3620  * get an approximation then multiply the approximation by a correction factor
3621  * determined by the remaining up to 8 bits.  This requires an additional step
3622  * in the 16-bit case.
3623  *
3624  * We want log2(value/65535), we have log2(v'/255), where:
3625  *
3626  *    value = v' * 256 + v''
3627  *          = v' * f
3628  *
3629  * So f is value/v', which is equal to (256+v''/v') since v' is in the range 128
3630  * to 255 and v'' is in the range 0 to 255 f will be in the range 256 to less
3631  * than 258.  The final factor also needs to correct for the fact that our 8-bit
3632  * value is scaled by 255, whereas the 16-bit values must be scaled by 65535.
3633  *
3634  * This gives a final formula using a calculated value 'x' which is value/v' and
3635  * scaling by 65536 to match the above table:
3636  *
3637  *   log2(x/257) * 65536
3638  *
3639  * Since these numbers are so close to '1' we can use simple linear
3640  * interpolation between the two end values 256/257 (result -368.61) and 258/257
3641  * (result 367.179).  The values used below are scaled by a further 64 to give
3642  * 16-bit precision in the interpolation:
3643  *
3644  * Start (256): -23591
3645  * Zero  (257):      0
3646  * End   (258):  23499
3647  */
3648 #ifdef PNG_16BIT_SUPPORTED
3649 static png_int_32
3650 png_log16bit(png_uint_32 x)
3651 {
3652    unsigned int lg2 = 0;
3653 
3654    /* As above, but now the input has 16 bits. */
3655    if ((x &= 0xffff) == 0)
3656       return -1;
3657 
3658    if ((x & 0xff00) == 0)
3659       lg2  = 8, x <<= 8;
3660 
3661    if ((x & 0xf000) == 0)
3662       lg2 += 4, x <<= 4;
3663 
3664    if ((x & 0xc000) == 0)
3665       lg2 += 2, x <<= 2;
3666 
3667    if ((x & 0x8000) == 0)
3668       lg2 += 1, x <<= 1;
3669 
3670    /* Calculate the base logarithm from the top 8 bits as a 28-bit fractional
3671     * value.
3672     */
3673    lg2 <<= 28;
3674    lg2 += (png_8bit_l2[(x>>8)-128]+8) >> 4;
3675 
3676    /* Now we need to interpolate the factor, this requires a division by the top
3677     * 8 bits.  Do this with maximum precision.
3678     */
3679    x = ((x << 16) + (x >> 9)) / (x >> 8);
3680 
3681    /* Since we divided by the top 8 bits of 'x' there will be a '1' at 1<<24,
3682     * the value at 1<<16 (ignoring this) will be 0 or 1; this gives us exactly
3683     * 16 bits to interpolate to get the low bits of the result.  Round the
3684     * answer.  Note that the end point values are scaled by 64 to retain overall
3685     * precision and that 'lg2' is current scaled by an extra 12 bits, so adjust
3686     * the overall scaling by 6-12.  Round at every step.
3687     */
3688    x -= 1U << 24;
3689 
3690    if (x <= 65536U) /* <= '257' */
3691       lg2 += ((23591U * (65536U-x)) + (1U << (16+6-12-1))) >> (16+6-12);
3692 
3693    else
3694       lg2 -= ((23499U * (x-65536U)) + (1U << (16+6-12-1))) >> (16+6-12);
3695 
3696    /* Safe, because the result can't have more than 20 bits: */
3697    return (png_int_32)((lg2 + 2048) >> 12);
3698 }
3699 #endif /* 16BIT */
3700 
3701 /* The 'exp()' case must invert the above, taking a 20-bit fixed point
3702  * logarithmic value and returning a 16 or 8-bit number as appropriate.  In
3703  * each case only the low 16 bits are relevant - the fraction - since the
3704  * integer bits (the top 4) simply determine a shift.
3705  *
3706  * The worst case is the 16-bit distinction between 65535 and 65534. This
3707  * requires perhaps spurious accuracy in the decoding of the logarithm to
3708  * distinguish log2(65535/65534.5) - 10^-5 or 17 bits.  There is little chance
3709  * of getting this accuracy in practice.
3710  *
3711  * To deal with this the following exp() function works out the exponent of the
3712  * frational part of the logarithm by using an accurate 32-bit value from the
3713  * top four fractional bits then multiplying in the remaining bits.
3714  */
3715 static const png_uint_32
3716 png_32bit_exp[16] =
3717 {
3718    /* NOTE: the first entry is deliberately set to the maximum 32-bit value. */
3719    4294967295U, 4112874773U, 3938502376U, 3771522796U, 3611622603U, 3458501653U,
3720    3311872529U, 3171459999U, 3037000500U, 2908241642U, 2784941738U, 2666869345U,
3721    2553802834U, 2445529972U, 2341847524U, 2242560872U
3722 };
3723 
3724 /* Adjustment table; provided to explain the numbers in the code below. */
3725 #if 0
3726 for (i=11;i>=0;--i){ print i, " ", (1 - e(-(2^i)/65536*l(2))) * 2^(32-i), "\n"}
3727    11 44937.64284865548751208448
3728    10 45180.98734845585101160448
3729     9 45303.31936980687359311872
3730     8 45364.65110595323018870784
3731     7 45395.35850361789624614912
3732     6 45410.72259715102037508096
3733     5 45418.40724413220722311168
3734     4 45422.25021786898173001728
3735     3 45424.17186732298419044352
3736     2 45425.13273269940811464704
3737     1 45425.61317555035558641664
3738     0 45425.85339951654943850496
3739 #endif
3740 
3741 static png_uint_32
3742 png_exp(png_fixed_point x)
3743 {
3744    if (x > 0 && x <= 0xfffff) /* Else overflow or zero (underflow) */
3745    {
3746       /* Obtain a 4-bit approximation */
3747       png_uint_32 e = png_32bit_exp[(x >> 12) & 0x0f];
3748 
3749       /* Incorporate the low 12 bits - these decrease the returned value by
3750        * multiplying by a number less than 1 if the bit is set.  The multiplier
3751        * is determined by the above table and the shift. Notice that the values
3752        * converge on 45426 and this is used to allow linear interpolation of the
3753        * low bits.
3754        */
3755       if (x & 0x800)
3756          e -= (((e >> 16) * 44938U) +  16U) >> 5;
3757 
3758       if (x & 0x400)
3759          e -= (((e >> 16) * 45181U) +  32U) >> 6;
3760 
3761       if (x & 0x200)
3762          e -= (((e >> 16) * 45303U) +  64U) >> 7;
3763 
3764       if (x & 0x100)
3765          e -= (((e >> 16) * 45365U) + 128U) >> 8;
3766 
3767       if (x & 0x080)
3768          e -= (((e >> 16) * 45395U) + 256U) >> 9;
3769 
3770       if (x & 0x040)
3771          e -= (((e >> 16) * 45410U) + 512U) >> 10;
3772 
3773       /* And handle the low 6 bits in a single block. */
3774       e -= (((e >> 16) * 355U * (x & 0x3fU)) + 256U) >> 9;
3775 
3776       /* Handle the upper bits of x. */
3777       e >>= x >> 16;
3778       return e;
3779    }
3780 
3781    /* Check for overflow */
3782    if (x <= 0)
3783       return png_32bit_exp[0];
3784 
3785    /* Else underflow */
3786    return 0;
3787 }
3788 
3789 static png_byte
3790 png_exp8bit(png_fixed_point lg2)
3791 {
3792    /* Get a 32-bit value: */
3793    png_uint_32 x = png_exp(lg2);
3794 
3795    /* Convert the 32-bit value to 0..255 by multiplying by 256-1. Note that the
3796     * second, rounding, step can't overflow because of the first, subtraction,
3797     * step.
3798     */
3799    x -= x >> 8;
3800    return (png_byte)(((x + 0x7fffffU) >> 24) & 0xff);
3801 }
3802 
3803 #ifdef PNG_16BIT_SUPPORTED
3804 static png_uint_16
3805 png_exp16bit(png_fixed_point lg2)
3806 {
3807    /* Get a 32-bit value: */
3808    png_uint_32 x = png_exp(lg2);
3809 
3810    /* Convert the 32-bit value to 0..65535 by multiplying by 65536-1: */
3811    x -= x >> 16;
3812    return (png_uint_16)((x + 32767U) >> 16);
3813 }
3814 #endif /* 16BIT */
3815 #endif /* FLOATING_ARITHMETIC */
3816 
3817 png_byte
3818 png_gamma_8bit_correct(unsigned int value, png_fixed_point gamma_val)
3819 {
3820    if (value > 0 && value < 255)
3821    {
3822 #     ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED
3823          /* 'value' is unsigned, ANSI-C90 requires the compiler to correctly
3824           * convert this to a floating point value.  This includes values that
3825           * would overflow if 'value' were to be converted to 'int'.
3826           *
3827           * Apparently GCC, however, does an intermediate conversion to (int)
3828           * on some (ARM) but not all (x86) platforms, possibly because of
3829           * hardware FP limitations.  (E.g. if the hardware conversion always
3830           * assumes the integer register contains a signed value.)  This results
3831           * in ANSI-C undefined behavior for large values.
3832           *
3833           * Other implementations on the same machine might actually be ANSI-C90
3834           * conformant and therefore compile spurious extra code for the large
3835           * values.
3836           *
3837           * We can be reasonably sure that an unsigned to float conversion
3838           * won't be faster than an int to float one.  Therefore this code
3839           * assumes responsibility for the undefined behavior, which it knows
3840           * can't happen because of the check above.
3841           *
3842           * Note the argument to this routine is an (unsigned int) because, on
3843           * 16-bit platforms, it is assigned a value which might be out of
3844           * range for an (int); that would result in undefined behavior in the
3845           * caller if the *argument* ('value') were to be declared (int).
3846           */
3847          double r = floor(255*pow((int)/*SAFE*/value/255.,gamma_val*.00001)+.5);
3848          return (png_byte)r;
3849 #     else
3850          png_int_32 lg2 = png_log8bit(value);
3851          png_fixed_point res;
3852 
3853          if (png_muldiv(&res, gamma_val, lg2, PNG_FP_1) != 0)
3854             return png_exp8bit(res);
3855 
3856          /* Overflow. */
3857          value = 0;
3858 #     endif
3859    }
3860 
3861    return (png_byte)(value & 0xff);
3862 }
3863 
3864 #ifdef PNG_16BIT_SUPPORTED
3865 png_uint_16
3866 png_gamma_16bit_correct(unsigned int value, png_fixed_point gamma_val)
3867 {
3868    if (value > 0 && value < 65535)
3869    {
3870 # ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED
3871       /* The same (unsigned int)->(double) constraints apply here as above,
3872        * however in this case the (unsigned int) to (int) conversion can
3873        * overflow on an ANSI-C90 compliant system so the cast needs to ensure
3874        * that this is not possible.
3875        */
3876       double r = floor(65535*pow((png_int_32)value/65535.,
3877           gamma_val*.00001)+.5);
3878       return (png_uint_16)r;
3879 # else
3880       png_int_32 lg2 = png_log16bit(value);
3881       png_fixed_point res;
3882 
3883       if (png_muldiv(&res, gamma_val, lg2, PNG_FP_1) != 0)
3884          return png_exp16bit(res);
3885 
3886       /* Overflow. */
3887       value = 0;
3888 # endif
3889    }
3890 
3891    return (png_uint_16)value;
3892 }
3893 #endif /* 16BIT */
3894 
3895 /* This does the right thing based on the bit_depth field of the
3896  * png_struct, interpreting values as 8-bit or 16-bit.  While the result
3897  * is nominally a 16-bit value if bit depth is 8 then the result is
3898  * 8-bit (as are the arguments.)
3899  */
3900 png_uint_16 /* PRIVATE */
3901 png_gamma_correct(png_structrp png_ptr, unsigned int value,
3902     png_fixed_point gamma_val)
3903 {
3904    if (png_ptr->bit_depth == 8)
3905       return png_gamma_8bit_correct(value, gamma_val);
3906 
3907 #ifdef PNG_16BIT_SUPPORTED
3908    else
3909       return png_gamma_16bit_correct(value, gamma_val);
3910 #else
3911       /* should not reach this */
3912       return 0;
3913 #endif /* 16BIT */
3914 }
3915 
3916 #ifdef PNG_16BIT_SUPPORTED
3917 /* Internal function to build a single 16-bit table - the table consists of
3918  * 'num' 256 entry subtables, where 'num' is determined by 'shift' - the amount
3919  * to shift the input values right (or 16-number_of_signifiant_bits).
3920  *
3921  * The caller is responsible for ensuring that the table gets cleaned up on
3922  * png_error (i.e. if one of the mallocs below fails) - i.e. the *table argument
3923  * should be somewhere that will be cleaned.
3924  */
3925 static void
3926 png_build_16bit_table(png_structrp png_ptr, png_uint_16pp *ptable,
3927     PNG_CONST unsigned int shift, PNG_CONST png_fixed_point gamma_val)
3928 {
3929    /* Various values derived from 'shift': */
3930    PNG_CONST unsigned int num = 1U << (8U - shift);
3931 #ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED
3932    /* CSE the division and work round wacky GCC warnings (see the comments
3933     * in png_gamma_8bit_correct for where these come from.)
3934     */
3935    PNG_CONST double fmax = 1./(((png_int_32)1 << (16U - shift))-1);
3936 #endif
3937    PNG_CONST unsigned int max = (1U << (16U - shift))-1U;
3938    PNG_CONST unsigned int max_by_2 = 1U << (15U-shift);
3939    unsigned int i;
3940 
3941    png_uint_16pp table = *ptable =
3942        (png_uint_16pp)png_calloc(png_ptr, num * (sizeof (png_uint_16p)));
3943 
3944    for (i = 0; i < num; i++)
3945    {
3946       png_uint_16p sub_table = table[i] =
3947           (png_uint_16p)png_malloc(png_ptr, 256 * (sizeof (png_uint_16)));
3948 
3949       /* The 'threshold' test is repeated here because it can arise for one of
3950        * the 16-bit tables even if the others don't hit it.
3951        */
3952       if (png_gamma_significant(gamma_val) != 0)
3953       {
3954          /* The old code would overflow at the end and this would cause the
3955           * 'pow' function to return a result >1, resulting in an
3956           * arithmetic error.  This code follows the spec exactly; ig is
3957           * the recovered input sample, it always has 8-16 bits.
3958           *
3959           * We want input * 65535/max, rounded, the arithmetic fits in 32
3960           * bits (unsigned) so long as max <= 32767.
3961           */
3962          unsigned int j;
3963          for (j = 0; j < 256; j++)
3964          {
3965             png_uint_32 ig = (j << (8-shift)) + i;
3966 #           ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED
3967                /* Inline the 'max' scaling operation: */
3968                /* See png_gamma_8bit_correct for why the cast to (int) is
3969                 * required here.
3970                 */
3971                double d = floor(65535.*pow(ig*fmax, gamma_val*.00001)+.5);
3972                sub_table[j] = (png_uint_16)d;
3973 #           else
3974                if (shift != 0)
3975                   ig = (ig * 65535U + max_by_2)/max;
3976 
3977                sub_table[j] = png_gamma_16bit_correct(ig, gamma_val);
3978 #           endif
3979          }
3980       }
3981       else
3982       {
3983          /* We must still build a table, but do it the fast way. */
3984          unsigned int j;
3985 
3986          for (j = 0; j < 256; j++)
3987          {
3988             png_uint_32 ig = (j << (8-shift)) + i;
3989 
3990             if (shift != 0)
3991                ig = (ig * 65535U + max_by_2)/max;
3992 
3993             sub_table[j] = (png_uint_16)ig;
3994          }
3995       }
3996    }
3997 }
3998 
3999 /* NOTE: this function expects the *inverse* of the overall gamma transformation
4000  * required.
4001  */
4002 static void
4003 png_build_16to8_table(png_structrp png_ptr, png_uint_16pp *ptable,
4004     PNG_CONST unsigned int shift, PNG_CONST png_fixed_point gamma_val)
4005 {
4006    PNG_CONST unsigned int num = 1U << (8U - shift);
4007    PNG_CONST unsigned int max = (1U << (16U - shift))-1U;
4008    unsigned int i;
4009    png_uint_32 last;
4010 
4011    png_uint_16pp table = *ptable =
4012        (png_uint_16pp)png_calloc(png_ptr, num * (sizeof (png_uint_16p)));
4013 
4014    /* 'num' is the number of tables and also the number of low bits of low
4015     * bits of the input 16-bit value used to select a table.  Each table is
4016     * itself indexed by the high 8 bits of the value.
4017     */
4018    for (i = 0; i < num; i++)
4019       table[i] = (png_uint_16p)png_malloc(png_ptr,
4020           256 * (sizeof (png_uint_16)));
4021 
4022    /* 'gamma_val' is set to the reciprocal of the value calculated above, so
4023     * pow(out,g) is an *input* value.  'last' is the last input value set.
4024     *
4025     * In the loop 'i' is used to find output values.  Since the output is
4026     * 8-bit there are only 256 possible values.  The tables are set up to
4027     * select the closest possible output value for each input by finding
4028     * the input value at the boundary between each pair of output values
4029     * and filling the table up to that boundary with the lower output
4030     * value.
4031     *
4032     * The boundary values are 0.5,1.5..253.5,254.5.  Since these are 9-bit
4033     * values the code below uses a 16-bit value in i; the values start at
4034     * 128.5 (for 0.5) and step by 257, for a total of 254 values (the last
4035     * entries are filled with 255).  Start i at 128 and fill all 'last'
4036     * table entries <= 'max'
4037     */
4038    last = 0;
4039    for (i = 0; i < 255; ++i) /* 8-bit output value */
4040    {
4041       /* Find the corresponding maximum input value */
4042       png_uint_16 out = (png_uint_16)(i * 257U); /* 16-bit output value */
4043 
4044       /* Find the boundary value in 16 bits: */
4045       png_uint_32 bound = png_gamma_16bit_correct(out+128U, gamma_val);
4046 
4047       /* Adjust (round) to (16-shift) bits: */
4048       bound = (bound * max + 32768U)/65535U + 1U;
4049 
4050       while (last < bound)
4051       {
4052          table[last & (0xffU >> shift)][last >> (8U - shift)] = out;
4053          last++;
4054       }
4055    }
4056 
4057    /* And fill in the final entries. */
4058    while (last < (num << 8))
4059    {
4060       table[last & (0xff >> shift)][last >> (8U - shift)] = 65535U;
4061       last++;
4062    }
4063 }
4064 #endif /* 16BIT */
4065 
4066 /* Build a single 8-bit table: same as the 16-bit case but much simpler (and
4067  * typically much faster).  Note that libpng currently does no sBIT processing
4068  * (apparently contrary to the spec) so a 256-entry table is always generated.
4069  */
4070 static void
4071 png_build_8bit_table(png_structrp png_ptr, png_bytepp ptable,
4072     PNG_CONST png_fixed_point gamma_val)
4073 {
4074    unsigned int i;
4075    png_bytep table = *ptable = (png_bytep)png_malloc(png_ptr, 256);
4076 
4077    if (png_gamma_significant(gamma_val) != 0)
4078       for (i=0; i<256; i++)
4079          table[i] = png_gamma_8bit_correct(i, gamma_val);
4080 
4081    else
4082       for (i=0; i<256; ++i)
4083          table[i] = (png_byte)(i & 0xff);
4084 }
4085 
4086 /* Used from png_read_destroy and below to release the memory used by the gamma
4087  * tables.
4088  */
4089 void /* PRIVATE */
4090 png_destroy_gamma_table(png_structrp png_ptr)
4091 {
4092    png_free(png_ptr, png_ptr->gamma_table);
4093    png_ptr->gamma_table = NULL;
4094 
4095 #ifdef PNG_16BIT_SUPPORTED
4096    if (png_ptr->gamma_16_table != NULL)
4097    {
4098       int i;
4099       int istop = (1 << (8 - png_ptr->gamma_shift));
4100       for (i = 0; i < istop; i++)
4101       {
4102          png_free(png_ptr, png_ptr->gamma_16_table[i]);
4103       }
4104    png_free(png_ptr, png_ptr->gamma_16_table);
4105    png_ptr->gamma_16_table = NULL;
4106    }
4107 #endif /* 16BIT */
4108 
4109 #if defined(PNG_READ_BACKGROUND_SUPPORTED) || \
4110    defined(PNG_READ_ALPHA_MODE_SUPPORTED) || \
4111    defined(PNG_READ_RGB_TO_GRAY_SUPPORTED)
4112    png_free(png_ptr, png_ptr->gamma_from_1);
4113    png_ptr->gamma_from_1 = NULL;
4114    png_free(png_ptr, png_ptr->gamma_to_1);
4115    png_ptr->gamma_to_1 = NULL;
4116 
4117 #ifdef PNG_16BIT_SUPPORTED
4118    if (png_ptr->gamma_16_from_1 != NULL)
4119    {
4120       int i;
4121       int istop = (1 << (8 - png_ptr->gamma_shift));
4122       for (i = 0; i < istop; i++)
4123       {
4124          png_free(png_ptr, png_ptr->gamma_16_from_1[i]);
4125       }
4126    png_free(png_ptr, png_ptr->gamma_16_from_1);
4127    png_ptr->gamma_16_from_1 = NULL;
4128    }
4129    if (png_ptr->gamma_16_to_1 != NULL)
4130    {
4131       int i;
4132       int istop = (1 << (8 - png_ptr->gamma_shift));
4133       for (i = 0; i < istop; i++)
4134       {
4135          png_free(png_ptr, png_ptr->gamma_16_to_1[i]);
4136       }
4137    png_free(png_ptr, png_ptr->gamma_16_to_1);
4138    png_ptr->gamma_16_to_1 = NULL;
4139    }
4140 #endif /* 16BIT */
4141 #endif /* READ_BACKGROUND || READ_ALPHA_MODE || RGB_TO_GRAY */
4142 }
4143 
4144 /* We build the 8- or 16-bit gamma tables here.  Note that for 16-bit
4145  * tables, we don't make a full table if we are reducing to 8-bit in
4146  * the future.  Note also how the gamma_16 tables are segmented so that
4147  * we don't need to allocate > 64K chunks for a full 16-bit table.
4148  */
4149 void /* PRIVATE */
4150 png_build_gamma_table(png_structrp png_ptr, int bit_depth)
4151 {
4152    png_debug(1, "in png_build_gamma_table");
4153 
4154    /* Remove any existing table; this copes with multiple calls to
4155     * png_read_update_info. The warning is because building the gamma tables
4156     * multiple times is a performance hit - it's harmless but the ability to
4157     * call png_read_update_info() multiple times is new in 1.5.6 so it seems
4158     * sensible to warn if the app introduces such a hit.
4159     */
4160    if (png_ptr->gamma_table != NULL || png_ptr->gamma_16_table != NULL)
4161    {
4162       png_warning(png_ptr, "gamma table being rebuilt");
4163       png_destroy_gamma_table(png_ptr);
4164    }
4165 
4166    if (bit_depth <= 8)
4167    {
4168       png_build_8bit_table(png_ptr, &png_ptr->gamma_table,
4169           png_ptr->screen_gamma > 0 ?
4170           png_reciprocal2(png_ptr->colorspace.gamma,
4171           png_ptr->screen_gamma) : PNG_FP_1);
4172 
4173 #if defined(PNG_READ_BACKGROUND_SUPPORTED) || \
4174    defined(PNG_READ_ALPHA_MODE_SUPPORTED) || \
4175    defined(PNG_READ_RGB_TO_GRAY_SUPPORTED)
4176       if ((png_ptr->transformations & (PNG_COMPOSE | PNG_RGB_TO_GRAY)) != 0)
4177       {
4178          png_build_8bit_table(png_ptr, &png_ptr->gamma_to_1,
4179              png_reciprocal(png_ptr->colorspace.gamma));
4180 
4181          png_build_8bit_table(png_ptr, &png_ptr->gamma_from_1,
4182              png_ptr->screen_gamma > 0 ?
4183              png_reciprocal(png_ptr->screen_gamma) :
4184              png_ptr->colorspace.gamma/* Probably doing rgb_to_gray */);
4185       }
4186 #endif /* READ_BACKGROUND || READ_ALPHA_MODE || RGB_TO_GRAY */
4187    }
4188 #ifdef PNG_16BIT_SUPPORTED
4189    else
4190    {
4191       png_byte shift, sig_bit;
4192 
4193       if ((png_ptr->color_type & PNG_COLOR_MASK_COLOR) != 0)
4194       {
4195          sig_bit = png_ptr->sig_bit.red;
4196 
4197          if (png_ptr->sig_bit.green > sig_bit)
4198             sig_bit = png_ptr->sig_bit.green;
4199 
4200          if (png_ptr->sig_bit.blue > sig_bit)
4201             sig_bit = png_ptr->sig_bit.blue;
4202       }
4203       else
4204          sig_bit = png_ptr->sig_bit.gray;
4205 
4206       /* 16-bit gamma code uses this equation:
4207        *
4208        *   ov = table[(iv & 0xff) >> gamma_shift][iv >> 8]
4209        *
4210        * Where 'iv' is the input color value and 'ov' is the output value -
4211        * pow(iv, gamma).
4212        *
4213        * Thus the gamma table consists of up to 256 256-entry tables.  The table
4214        * is selected by the (8-gamma_shift) most significant of the low 8 bits
4215        * of the color value then indexed by the upper 8 bits:
4216        *
4217        *   table[low bits][high 8 bits]
4218        *
4219        * So the table 'n' corresponds to all those 'iv' of:
4220        *
4221        *   <all high 8-bit values><n << gamma_shift>..<(n+1 << gamma_shift)-1>
4222        *
4223        */
4224       if (sig_bit > 0 && sig_bit < 16U)
4225          /* shift == insignificant bits */
4226          shift = (png_byte)((16U - sig_bit) & 0xff);
4227 
4228       else
4229          shift = 0; /* keep all 16 bits */
4230 
4231       if ((png_ptr->transformations & (PNG_16_TO_8 | PNG_SCALE_16_TO_8)) != 0)
4232       {
4233          /* PNG_MAX_GAMMA_8 is the number of bits to keep - effectively
4234           * the significant bits in the *input* when the output will
4235           * eventually be 8 bits.  By default it is 11.
4236           */
4237          if (shift < (16U - PNG_MAX_GAMMA_8))
4238             shift = (16U - PNG_MAX_GAMMA_8);
4239       }
4240 
4241       if (shift > 8U)
4242          shift = 8U; /* Guarantees at least one table! */
4243 
4244       png_ptr->gamma_shift = shift;
4245 
4246       /* NOTE: prior to 1.5.4 this test used to include PNG_BACKGROUND (now
4247        * PNG_COMPOSE).  This effectively smashed the background calculation for
4248        * 16-bit output because the 8-bit table assumes the result will be
4249        * reduced to 8 bits.
4250        */
4251       if ((png_ptr->transformations & (PNG_16_TO_8 | PNG_SCALE_16_TO_8)) != 0)
4252           png_build_16to8_table(png_ptr, &png_ptr->gamma_16_table, shift,
4253           png_ptr->screen_gamma > 0 ? png_product2(png_ptr->colorspace.gamma,
4254           png_ptr->screen_gamma) : PNG_FP_1);
4255 
4256       else
4257           png_build_16bit_table(png_ptr, &png_ptr->gamma_16_table, shift,
4258           png_ptr->screen_gamma > 0 ? png_reciprocal2(png_ptr->colorspace.gamma,
4259           png_ptr->screen_gamma) : PNG_FP_1);
4260 
4261 #if defined(PNG_READ_BACKGROUND_SUPPORTED) || \
4262    defined(PNG_READ_ALPHA_MODE_SUPPORTED) || \
4263    defined(PNG_READ_RGB_TO_GRAY_SUPPORTED)
4264       if ((png_ptr->transformations & (PNG_COMPOSE | PNG_RGB_TO_GRAY)) != 0)
4265       {
4266          png_build_16bit_table(png_ptr, &png_ptr->gamma_16_to_1, shift,
4267              png_reciprocal(png_ptr->colorspace.gamma));
4268 
4269          /* Notice that the '16 from 1' table should be full precision, however
4270           * the lookup on this table still uses gamma_shift, so it can't be.
4271           * TODO: fix this.
4272           */
4273          png_build_16bit_table(png_ptr, &png_ptr->gamma_16_from_1, shift,
4274              png_ptr->screen_gamma > 0 ? png_reciprocal(png_ptr->screen_gamma) :
4275              png_ptr->colorspace.gamma/* Probably doing rgb_to_gray */);
4276       }
4277 #endif /* READ_BACKGROUND || READ_ALPHA_MODE || RGB_TO_GRAY */
4278    }
4279 #endif /* 16BIT */
4280 }
4281 #endif /* READ_GAMMA */
4282 
4283 /* HARDWARE OR SOFTWARE OPTION SUPPORT */
4284 #ifdef PNG_SET_OPTION_SUPPORTED
4285 int PNGAPI
4286 png_set_option(png_structrp png_ptr, int option, int onoff)
4287 {
4288    if (png_ptr != NULL && option >= 0 && option < PNG_OPTION_NEXT &&
4289       (option & 1) == 0)
4290    {
4291       png_uint_32 mask = 3 << option;
4292       png_uint_32 setting = (2 + (onoff != 0)) << option;
4293       png_uint_32 current = png_ptr->options;
4294 
4295       png_ptr->options = (png_uint_32)(((current & ~mask) | setting) & 0xff);
4296 
4297       return (current & mask) >> option;
4298    }
4299 
4300    return PNG_OPTION_INVALID;
4301 }
4302 #endif
4303 
4304 /* sRGB support */
4305 #if defined(PNG_SIMPLIFIED_READ_SUPPORTED) ||\
4306    defined(PNG_SIMPLIFIED_WRITE_SUPPORTED)
4307 /* sRGB conversion tables; these are machine generated with the code in
4308  * contrib/tools/makesRGB.c.  The actual sRGB transfer curve defined in the
4309  * specification (see the article at http://en.wikipedia.org/wiki/SRGB)
4310  * is used, not the gamma=1/2.2 approximation use elsewhere in libpng.
4311  * The sRGB to linear table is exact (to the nearest 16-bit linear fraction).
4312  * The inverse (linear to sRGB) table has accuracies as follows:
4313  *
4314  * For all possible (255*65535+1) input values:
4315  *
4316  *    error: -0.515566 - 0.625971, 79441 (0.475369%) of readings inexact
4317  *
4318  * For the input values corresponding to the 65536 16-bit values:
4319  *
4320  *    error: -0.513727 - 0.607759, 308 (0.469978%) of readings inexact
4321  *
4322  * In all cases the inexact readings are only off by one.
4323  */
4324 
4325 #ifdef PNG_SIMPLIFIED_READ_SUPPORTED
4326 /* The convert-to-sRGB table is only currently required for read. */
4327 const png_uint_16 png_sRGB_table[256] =
4328 {
4329    0,20,40,60,80,99,119,139,
4330    159,179,199,219,241,264,288,313,
4331    340,367,396,427,458,491,526,562,
4332    599,637,677,718,761,805,851,898,
4333    947,997,1048,1101,1156,1212,1270,1330,
4334    1391,1453,1517,1583,1651,1720,1790,1863,
4335    1937,2013,2090,2170,2250,2333,2418,2504,
4336    2592,2681,2773,2866,2961,3058,3157,3258,
4337    3360,3464,3570,3678,3788,3900,4014,4129,
4338    4247,4366,4488,4611,4736,4864,4993,5124,
4339    5257,5392,5530,5669,5810,5953,6099,6246,
4340    6395,6547,6700,6856,7014,7174,7335,7500,
4341    7666,7834,8004,8177,8352,8528,8708,8889,
4342    9072,9258,9445,9635,9828,10022,10219,10417,
4343    10619,10822,11028,11235,11446,11658,11873,12090,
4344    12309,12530,12754,12980,13209,13440,13673,13909,
4345    14146,14387,14629,14874,15122,15371,15623,15878,
4346    16135,16394,16656,16920,17187,17456,17727,18001,
4347    18277,18556,18837,19121,19407,19696,19987,20281,
4348    20577,20876,21177,21481,21787,22096,22407,22721,
4349    23038,23357,23678,24002,24329,24658,24990,25325,
4350    25662,26001,26344,26688,27036,27386,27739,28094,
4351    28452,28813,29176,29542,29911,30282,30656,31033,
4352    31412,31794,32179,32567,32957,33350,33745,34143,
4353    34544,34948,35355,35764,36176,36591,37008,37429,
4354    37852,38278,38706,39138,39572,40009,40449,40891,
4355    41337,41785,42236,42690,43147,43606,44069,44534,
4356    45002,45473,45947,46423,46903,47385,47871,48359,
4357    48850,49344,49841,50341,50844,51349,51858,52369,
4358    52884,53401,53921,54445,54971,55500,56032,56567,
4359    57105,57646,58190,58737,59287,59840,60396,60955,
4360    61517,62082,62650,63221,63795,64372,64952,65535
4361 };
4362 #endif /* SIMPLIFIED_READ */
4363 
4364 /* The base/delta tables are required for both read and write (but currently
4365  * only the simplified versions.)
4366  */
4367 const png_uint_16 png_sRGB_base[512] =
4368 {
4369    128,1782,3383,4644,5675,6564,7357,8074,
4370    8732,9346,9921,10463,10977,11466,11935,12384,
4371    12816,13233,13634,14024,14402,14769,15125,15473,
4372    15812,16142,16466,16781,17090,17393,17690,17981,
4373    18266,18546,18822,19093,19359,19621,19879,20133,
4374    20383,20630,20873,21113,21349,21583,21813,22041,
4375    22265,22487,22707,22923,23138,23350,23559,23767,
4376    23972,24175,24376,24575,24772,24967,25160,25352,
4377    25542,25730,25916,26101,26284,26465,26645,26823,
4378    27000,27176,27350,27523,27695,27865,28034,28201,
4379    28368,28533,28697,28860,29021,29182,29341,29500,
4380    29657,29813,29969,30123,30276,30429,30580,30730,
4381    30880,31028,31176,31323,31469,31614,31758,31902,
4382    32045,32186,32327,32468,32607,32746,32884,33021,
4383    33158,33294,33429,33564,33697,33831,33963,34095,
4384    34226,34357,34486,34616,34744,34873,35000,35127,
4385    35253,35379,35504,35629,35753,35876,35999,36122,
4386    36244,36365,36486,36606,36726,36845,36964,37083,
4387    37201,37318,37435,37551,37668,37783,37898,38013,
4388    38127,38241,38354,38467,38580,38692,38803,38915,
4389    39026,39136,39246,39356,39465,39574,39682,39790,
4390    39898,40005,40112,40219,40325,40431,40537,40642,
4391    40747,40851,40955,41059,41163,41266,41369,41471,
4392    41573,41675,41777,41878,41979,42079,42179,42279,
4393    42379,42478,42577,42676,42775,42873,42971,43068,
4394    43165,43262,43359,43456,43552,43648,43743,43839,
4395    43934,44028,44123,44217,44311,44405,44499,44592,
4396    44685,44778,44870,44962,45054,45146,45238,45329,
4397    45420,45511,45601,45692,45782,45872,45961,46051,
4398    46140,46229,46318,46406,46494,46583,46670,46758,
4399    46846,46933,47020,47107,47193,47280,47366,47452,
4400    47538,47623,47709,47794,47879,47964,48048,48133,
4401    48217,48301,48385,48468,48552,48635,48718,48801,
4402    48884,48966,49048,49131,49213,49294,49376,49458,
4403    49539,49620,49701,49782,49862,49943,50023,50103,
4404    50183,50263,50342,50422,50501,50580,50659,50738,
4405    50816,50895,50973,51051,51129,51207,51285,51362,
4406    51439,51517,51594,51671,51747,51824,51900,51977,
4407    52053,52129,52205,52280,52356,52432,52507,52582,
4408    52657,52732,52807,52881,52956,53030,53104,53178,
4409    53252,53326,53400,53473,53546,53620,53693,53766,
4410    53839,53911,53984,54056,54129,54201,54273,54345,
4411    54417,54489,54560,54632,54703,54774,54845,54916,
4412    54987,55058,55129,55199,55269,55340,55410,55480,
4413    55550,55620,55689,55759,55828,55898,55967,56036,
4414    56105,56174,56243,56311,56380,56448,56517,56585,
4415    56653,56721,56789,56857,56924,56992,57059,57127,
4416    57194,57261,57328,57395,57462,57529,57595,57662,
4417    57728,57795,57861,57927,57993,58059,58125,58191,
4418    58256,58322,58387,58453,58518,58583,58648,58713,
4419    58778,58843,58908,58972,59037,59101,59165,59230,
4420    59294,59358,59422,59486,59549,59613,59677,59740,
4421    59804,59867,59930,59993,60056,60119,60182,60245,
4422    60308,60370,60433,60495,60558,60620,60682,60744,
4423    60806,60868,60930,60992,61054,61115,61177,61238,
4424    61300,61361,61422,61483,61544,61605,61666,61727,
4425    61788,61848,61909,61969,62030,62090,62150,62211,
4426    62271,62331,62391,62450,62510,62570,62630,62689,
4427    62749,62808,62867,62927,62986,63045,63104,63163,
4428    63222,63281,63340,63398,63457,63515,63574,63632,
4429    63691,63749,63807,63865,63923,63981,64039,64097,
4430    64155,64212,64270,64328,64385,64443,64500,64557,
4431    64614,64672,64729,64786,64843,64900,64956,65013,
4432    65070,65126,65183,65239,65296,65352,65409,65465
4433 };
4434 
4435 const png_byte png_sRGB_delta[512] =
4436 {
4437    207,201,158,129,113,100,90,82,77,72,68,64,61,59,56,54,
4438    52,50,49,47,46,45,43,42,41,40,39,39,38,37,36,36,
4439    35,34,34,33,33,32,32,31,31,30,30,30,29,29,28,28,
4440    28,27,27,27,27,26,26,26,25,25,25,25,24,24,24,24,
4441    23,23,23,23,23,22,22,22,22,22,22,21,21,21,21,21,
4442    21,20,20,20,20,20,20,20,20,19,19,19,19,19,19,19,
4443    19,18,18,18,18,18,18,18,18,18,18,17,17,17,17,17,
4444    17,17,17,17,17,17,16,16,16,16,16,16,16,16,16,16,
4445    16,16,16,16,15,15,15,15,15,15,15,15,15,15,15,15,
4446    15,15,15,15,14,14,14,14,14,14,14,14,14,14,14,14,
4447    14,14,14,14,14,14,14,13,13,13,13,13,13,13,13,13,
4448    13,13,13,13,13,13,13,13,13,13,13,13,13,13,12,12,
4449    12,12,12,12,12,12,12,12,12,12,12,12,12,12,12,12,
4450    12,12,12,12,12,12,12,12,12,12,12,12,11,11,11,11,
4451    11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,
4452    11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,
4453    11,10,10,10,10,10,10,10,10,10,10,10,10,10,10,10,
4454    10,10,10,10,10,10,10,10,10,10,10,10,10,10,10,10,
4455    10,10,10,10,10,10,10,10,10,10,10,10,10,10,10,10,
4456    10,9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,
4457    9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,
4458    9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,
4459    9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,
4460    9,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,
4461    8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,
4462    8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,
4463    8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,
4464    8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,
4465    8,8,8,8,8,8,8,8,8,7,7,7,7,7,7,7,
4466    7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,
4467    7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,
4468    7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,7
4469 };
4470 #endif /* SIMPLIFIED READ/WRITE sRGB support */
4471 
4472 /* SIMPLIFIED READ/WRITE SUPPORT */
4473 #if defined(PNG_SIMPLIFIED_READ_SUPPORTED) ||\
4474    defined(PNG_SIMPLIFIED_WRITE_SUPPORTED)
4475 static int
4476 png_image_free_function(png_voidp argument)
4477 {
4478    png_imagep image = png_voidcast(png_imagep, argument);
4479    png_controlp cp = image->opaque;
4480    png_control c;
4481 
4482    /* Double check that we have a png_ptr - it should be impossible to get here
4483     * without one.
4484     */
4485    if (cp->png_ptr == NULL)
4486       return 0;
4487 
4488    /* First free any data held in the control structure. */
4489 #  ifdef PNG_STDIO_SUPPORTED
4490       if (cp->owned_file != 0)
4491       {
4492          FILE *fp = png_voidcast(FILE*, cp->png_ptr->io_ptr);
4493          cp->owned_file = 0;
4494 
4495          /* Ignore errors here. */
4496          if (fp != NULL)
4497          {
4498             cp->png_ptr->io_ptr = NULL;
4499             (void)fclose(fp);
4500          }
4501       }
4502 #  endif
4503 
4504    /* Copy the control structure so that the original, allocated, version can be
4505     * safely freed.  Notice that a png_error here stops the remainder of the
4506     * cleanup, but this is probably fine because that would indicate bad memory
4507     * problems anyway.
4508     */
4509    c = *cp;
4510    image->opaque = &c;
4511    png_free(c.png_ptr, cp);
4512 
4513    /* Then the structures, calling the correct API. */
4514    if (c.for_write != 0)
4515    {
4516 #     ifdef PNG_SIMPLIFIED_WRITE_SUPPORTED
4517          png_destroy_write_struct(&c.png_ptr, &c.info_ptr);
4518 #     else
4519          png_error(c.png_ptr, "simplified write not supported");
4520 #     endif
4521    }
4522    else
4523    {
4524 #     ifdef PNG_SIMPLIFIED_READ_SUPPORTED
4525          png_destroy_read_struct(&c.png_ptr, &c.info_ptr, NULL);
4526 #     else
4527          png_error(c.png_ptr, "simplified read not supported");
4528 #     endif
4529    }
4530 
4531    /* Success. */
4532    return 1;
4533 }
4534 
4535 void PNGAPI
4536 png_image_free(png_imagep image)
4537 {
4538    /* Safely call the real function, but only if doing so is safe at this point
4539     * (if not inside an error handling context).  Otherwise assume
4540     * png_safe_execute will call this API after the return.
4541     */
4542    if (image != NULL && image->opaque != NULL &&
4543       image->opaque->error_buf == NULL)
4544    {
4545       /* Ignore errors here: */
4546       (void)png_safe_execute(image, png_image_free_function, image);
4547       image->opaque = NULL;
4548    }
4549 }
4550 
4551 int /* PRIVATE */
4552 png_image_error(png_imagep image, png_const_charp error_message)
4553 {
4554    /* Utility to log an error. */
4555    png_safecat(image->message, (sizeof image->message), 0, error_message);
4556    image->warning_or_error |= PNG_IMAGE_ERROR;
4557    png_image_free(image);
4558    return 0;
4559 }
4560 
4561 #endif /* SIMPLIFIED READ/WRITE */
4562 #endif /* READ || WRITE */