1 /* 2 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 3 * 4 * This code is free software; you can redistribute it and/or modify it 5 * under the terms of the GNU General Public License version 2 only, as 6 * published by the Free Software Foundation. Oracle designates this 7 * particular file as subject to the "Classpath" exception as provided 8 * by Oracle in the LICENSE file that accompanied this code. 9 * 10 * This code is distributed in the hope that it will be useful, but WITHOUT 11 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 12 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 13 * version 2 for more details (a copy is included in the LICENSE file that 14 * accompanied this code). 15 * 16 * You should have received a copy of the GNU General Public License version 17 * 2 along with this work; if not, write to the Free Software Foundation, 18 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 19 * 20 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA 21 * or visit www.oracle.com if you need additional information or have any 22 * questions. 23 */ 24 25 /* png.c - location for general purpose libpng functions 26 * 27 * This file is available under and governed by the GNU General Public 28 * License version 2 only, as published by the Free Software Foundation. 29 * However, the following notice accompanied the original version of this 30 * file and, per its terms, should not be removed: 31 * 32 * Last changed in libpng 1.6.28 [January 5, 2017] 33 * Copyright (c) 1998-2002,2004,2006-2017 Glenn Randers-Pehrson 34 * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger) 35 * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.) 36 * 37 * This code is released under the libpng license. 38 * For conditions of distribution and use, see the disclaimer 39 * and license in png.h 40 */ 41 42 #include "pngpriv.h" 43 44 /* Generate a compiler error if there is an old png.h in the search path. */ 45 typedef png_libpng_version_1_6_28 Your_png_h_is_not_version_1_6_28; 46 47 /* Tells libpng that we have already handled the first "num_bytes" bytes 48 * of the PNG file signature. If the PNG data is embedded into another 49 * stream we can set num_bytes = 8 so that libpng will not attempt to read 50 * or write any of the magic bytes before it starts on the IHDR. 51 */ 52 53 #ifdef PNG_READ_SUPPORTED 54 void PNGAPI 55 png_set_sig_bytes(png_structrp png_ptr, int num_bytes) 56 { 57 unsigned int nb = (unsigned int)num_bytes; 58 59 png_debug(1, "in png_set_sig_bytes"); 60 61 if (png_ptr == NULL) 62 return; 63 64 if (num_bytes < 0) 65 nb = 0; 66 67 if (nb > 8) 68 png_error(png_ptr, "Too many bytes for PNG signature"); 69 70 png_ptr->sig_bytes = (png_byte)nb; 71 } 72 73 /* Checks whether the supplied bytes match the PNG signature. We allow 74 * checking less than the full 8-byte signature so that those apps that 75 * already read the first few bytes of a file to determine the file type 76 * can simply check the remaining bytes for extra assurance. Returns 77 * an integer less than, equal to, or greater than zero if sig is found, 78 * respectively, to be less than, to match, or be greater than the correct 79 * PNG signature (this is the same behavior as strcmp, memcmp, etc). 80 */ 81 int PNGAPI 82 png_sig_cmp(png_const_bytep sig, png_size_t start, png_size_t num_to_check) 83 { 84 png_byte png_signature[8] = {137, 80, 78, 71, 13, 10, 26, 10}; 85 86 if (num_to_check > 8) 87 num_to_check = 8; 88 89 else if (num_to_check < 1) 90 return (-1); 91 92 if (start > 7) 93 return (-1); 94 95 if (start + num_to_check > 8) 96 num_to_check = 8 - start; 97 98 return ((int)(memcmp(&sig[start], &png_signature[start], num_to_check))); 99 } 100 101 #endif /* READ */ 102 103 #if defined(PNG_READ_SUPPORTED) || defined(PNG_WRITE_SUPPORTED) 104 /* Function to allocate memory for zlib */ 105 PNG_FUNCTION(voidpf /* PRIVATE */, 106 png_zalloc,(voidpf png_ptr, uInt items, uInt size),PNG_ALLOCATED) 107 { 108 png_alloc_size_t num_bytes = size; 109 110 if (png_ptr == NULL) 111 return NULL; 112 113 if (items >= (~(png_alloc_size_t)0)/size) 114 { 115 png_warning (png_voidcast(png_structrp, png_ptr), 116 "Potential overflow in png_zalloc()"); 117 return NULL; 118 } 119 120 num_bytes *= items; 121 return png_malloc_warn(png_voidcast(png_structrp, png_ptr), num_bytes); 122 } 123 124 /* Function to free memory for zlib */ 125 void /* PRIVATE */ 126 png_zfree(voidpf png_ptr, voidpf ptr) 127 { 128 png_free(png_voidcast(png_const_structrp,png_ptr), ptr); 129 } 130 131 /* Reset the CRC variable to 32 bits of 1's. Care must be taken 132 * in case CRC is > 32 bits to leave the top bits 0. 133 */ 134 void /* PRIVATE */ 135 png_reset_crc(png_structrp png_ptr) 136 { 137 /* The cast is safe because the crc is a 32-bit value. */ 138 png_ptr->crc = (png_uint_32)crc32(0, Z_NULL, 0); 139 } 140 141 /* Calculate the CRC over a section of data. We can only pass as 142 * much data to this routine as the largest single buffer size. We 143 * also check that this data will actually be used before going to the 144 * trouble of calculating it. 145 */ 146 void /* PRIVATE */ 147 png_calculate_crc(png_structrp png_ptr, png_const_bytep ptr, png_size_t length) 148 { 149 int need_crc = 1; 150 151 if (PNG_CHUNK_ANCILLARY(png_ptr->chunk_name) != 0) 152 { 153 if ((png_ptr->flags & PNG_FLAG_CRC_ANCILLARY_MASK) == 154 (PNG_FLAG_CRC_ANCILLARY_USE | PNG_FLAG_CRC_ANCILLARY_NOWARN)) 155 need_crc = 0; 156 } 157 158 else /* critical */ 159 { 160 if ((png_ptr->flags & PNG_FLAG_CRC_CRITICAL_IGNORE) != 0) 161 need_crc = 0; 162 } 163 164 /* 'uLong' is defined in zlib.h as unsigned long; this means that on some 165 * systems it is a 64-bit value. crc32, however, returns 32 bits so the 166 * following cast is safe. 'uInt' may be no more than 16 bits, so it is 167 * necessary to perform a loop here. 168 */ 169 if (need_crc != 0 && length > 0) 170 { 171 uLong crc = png_ptr->crc; /* Should never issue a warning */ 172 173 do 174 { 175 uInt safe_length = (uInt)length; 176 #ifndef __COVERITY__ 177 if (safe_length == 0) 178 safe_length = (uInt)-1; /* evil, but safe */ 179 #endif 180 181 crc = crc32(crc, ptr, safe_length); 182 183 /* The following should never issue compiler warnings; if they do the 184 * target system has characteristics that will probably violate other 185 * assumptions within the libpng code. 186 */ 187 ptr += safe_length; 188 length -= safe_length; 189 } 190 while (length > 0); 191 192 /* And the following is always safe because the crc is only 32 bits. */ 193 png_ptr->crc = (png_uint_32)crc; 194 } 195 } 196 197 /* Check a user supplied version number, called from both read and write 198 * functions that create a png_struct. 199 */ 200 int 201 png_user_version_check(png_structrp png_ptr, png_const_charp user_png_ver) 202 { 203 /* Libpng versions 1.0.0 and later are binary compatible if the version 204 * string matches through the second '.'; we must recompile any 205 * applications that use any older library version. 206 */ 207 208 if (user_png_ver != NULL) 209 { 210 int i = -1; 211 int found_dots = 0; 212 213 do 214 { 215 i++; 216 if (user_png_ver[i] != PNG_LIBPNG_VER_STRING[i]) 217 png_ptr->flags |= PNG_FLAG_LIBRARY_MISMATCH; 218 if (user_png_ver[i] == '.') 219 found_dots++; 220 } while (found_dots < 2 && user_png_ver[i] != 0 && 221 PNG_LIBPNG_VER_STRING[i] != 0); 222 } 223 224 else 225 png_ptr->flags |= PNG_FLAG_LIBRARY_MISMATCH; 226 227 if ((png_ptr->flags & PNG_FLAG_LIBRARY_MISMATCH) != 0) 228 { 229 #ifdef PNG_WARNINGS_SUPPORTED 230 size_t pos = 0; 231 char m[128]; 232 233 pos = png_safecat(m, (sizeof m), pos, 234 "Application built with libpng-"); 235 pos = png_safecat(m, (sizeof m), pos, user_png_ver); 236 pos = png_safecat(m, (sizeof m), pos, " but running with "); 237 pos = png_safecat(m, (sizeof m), pos, PNG_LIBPNG_VER_STRING); 238 PNG_UNUSED(pos) 239 240 png_warning(png_ptr, m); 241 #endif 242 243 #ifdef PNG_ERROR_NUMBERS_SUPPORTED 244 png_ptr->flags = 0; 245 #endif 246 247 return 0; 248 } 249 250 /* Success return. */ 251 return 1; 252 } 253 254 /* Generic function to create a png_struct for either read or write - this 255 * contains the common initialization. 256 */ 257 PNG_FUNCTION(png_structp /* PRIVATE */, 258 png_create_png_struct,(png_const_charp user_png_ver, png_voidp error_ptr, 259 png_error_ptr error_fn, png_error_ptr warn_fn, png_voidp mem_ptr, 260 png_malloc_ptr malloc_fn, png_free_ptr free_fn),PNG_ALLOCATED) 261 { 262 png_struct create_struct; 263 # ifdef PNG_SETJMP_SUPPORTED 264 jmp_buf create_jmp_buf; 265 # endif 266 267 /* This temporary stack-allocated structure is used to provide a place to 268 * build enough context to allow the user provided memory allocator (if any) 269 * to be called. 270 */ 271 memset(&create_struct, 0, (sizeof create_struct)); 272 273 /* Added at libpng-1.2.6 */ 274 # ifdef PNG_USER_LIMITS_SUPPORTED 275 create_struct.user_width_max = PNG_USER_WIDTH_MAX; 276 create_struct.user_height_max = PNG_USER_HEIGHT_MAX; 277 278 # ifdef PNG_USER_CHUNK_CACHE_MAX 279 /* Added at libpng-1.2.43 and 1.4.0 */ 280 create_struct.user_chunk_cache_max = PNG_USER_CHUNK_CACHE_MAX; 281 # endif 282 283 # ifdef PNG_USER_CHUNK_MALLOC_MAX 284 /* Added at libpng-1.2.43 and 1.4.1, required only for read but exists 285 * in png_struct regardless. 286 */ 287 create_struct.user_chunk_malloc_max = PNG_USER_CHUNK_MALLOC_MAX; 288 # endif 289 # endif 290 291 /* The following two API calls simply set fields in png_struct, so it is safe 292 * to do them now even though error handling is not yet set up. 293 */ 294 # ifdef PNG_USER_MEM_SUPPORTED 295 png_set_mem_fn(&create_struct, mem_ptr, malloc_fn, free_fn); 296 # else 297 PNG_UNUSED(mem_ptr) 298 PNG_UNUSED(malloc_fn) 299 PNG_UNUSED(free_fn) 300 # endif 301 302 /* (*error_fn) can return control to the caller after the error_ptr is set, 303 * this will result in a memory leak unless the error_fn does something 304 * extremely sophisticated. The design lacks merit but is implicit in the 305 * API. 306 */ 307 png_set_error_fn(&create_struct, error_ptr, error_fn, warn_fn); 308 309 # ifdef PNG_SETJMP_SUPPORTED 310 if (!setjmp(create_jmp_buf)) 311 # endif 312 { 313 # ifdef PNG_SETJMP_SUPPORTED 314 /* Temporarily fake out the longjmp information until we have 315 * successfully completed this function. This only works if we have 316 * setjmp() support compiled in, but it is safe - this stuff should 317 * never happen. 318 */ 319 create_struct.jmp_buf_ptr = &create_jmp_buf; 320 create_struct.jmp_buf_size = 0; /*stack allocation*/ 321 create_struct.longjmp_fn = longjmp; 322 # endif 323 /* Call the general version checker (shared with read and write code): 324 */ 325 if (png_user_version_check(&create_struct, user_png_ver) != 0) 326 { 327 png_structrp png_ptr = png_voidcast(png_structrp, 328 png_malloc_warn(&create_struct, (sizeof *png_ptr))); 329 330 if (png_ptr != NULL) 331 { 332 /* png_ptr->zstream holds a back-pointer to the png_struct, so 333 * this can only be done now: 334 */ 335 create_struct.zstream.zalloc = png_zalloc; 336 create_struct.zstream.zfree = png_zfree; 337 create_struct.zstream.opaque = png_ptr; 338 339 # ifdef PNG_SETJMP_SUPPORTED 340 /* Eliminate the local error handling: */ 341 create_struct.jmp_buf_ptr = NULL; 342 create_struct.jmp_buf_size = 0; 343 create_struct.longjmp_fn = 0; 344 # endif 345 346 *png_ptr = create_struct; 347 348 /* This is the successful return point */ 349 return png_ptr; 350 } 351 } 352 } 353 354 /* A longjmp because of a bug in the application storage allocator or a 355 * simple failure to allocate the png_struct. 356 */ 357 return NULL; 358 } 359 360 /* Allocate the memory for an info_struct for the application. */ 361 PNG_FUNCTION(png_infop,PNGAPI 362 png_create_info_struct,(png_const_structrp png_ptr),PNG_ALLOCATED) 363 { 364 png_inforp info_ptr; 365 366 png_debug(1, "in png_create_info_struct"); 367 368 if (png_ptr == NULL) 369 return NULL; 370 371 /* Use the internal API that does not (or at least should not) error out, so 372 * that this call always returns ok. The application typically sets up the 373 * error handling *after* creating the info_struct because this is the way it 374 * has always been done in 'example.c'. 375 */ 376 info_ptr = png_voidcast(png_inforp, png_malloc_base(png_ptr, 377 (sizeof *info_ptr))); 378 379 if (info_ptr != NULL) 380 memset(info_ptr, 0, (sizeof *info_ptr)); 381 382 return info_ptr; 383 } 384 385 /* This function frees the memory associated with a single info struct. 386 * Normally, one would use either png_destroy_read_struct() or 387 * png_destroy_write_struct() to free an info struct, but this may be 388 * useful for some applications. From libpng 1.6.0 this function is also used 389 * internally to implement the png_info release part of the 'struct' destroy 390 * APIs. This ensures that all possible approaches free the same data (all of 391 * it). 392 */ 393 void PNGAPI 394 png_destroy_info_struct(png_const_structrp png_ptr, png_infopp info_ptr_ptr) 395 { 396 png_inforp info_ptr = NULL; 397 398 png_debug(1, "in png_destroy_info_struct"); 399 400 if (png_ptr == NULL) 401 return; 402 403 if (info_ptr_ptr != NULL) 404 info_ptr = *info_ptr_ptr; 405 406 if (info_ptr != NULL) 407 { 408 /* Do this first in case of an error below; if the app implements its own 409 * memory management this can lead to png_free calling png_error, which 410 * will abort this routine and return control to the app error handler. 411 * An infinite loop may result if it then tries to free the same info 412 * ptr. 413 */ 414 *info_ptr_ptr = NULL; 415 416 png_free_data(png_ptr, info_ptr, PNG_FREE_ALL, -1); 417 memset(info_ptr, 0, (sizeof *info_ptr)); 418 png_free(png_ptr, info_ptr); 419 } 420 } 421 422 /* Initialize the info structure. This is now an internal function (0.89) 423 * and applications using it are urged to use png_create_info_struct() 424 * instead. Use deprecated in 1.6.0, internal use removed (used internally it 425 * is just a memset). 426 * 427 * NOTE: it is almost inconceivable that this API is used because it bypasses 428 * the user-memory mechanism and the user error handling/warning mechanisms in 429 * those cases where it does anything other than a memset. 430 */ 431 PNG_FUNCTION(void,PNGAPI 432 png_info_init_3,(png_infopp ptr_ptr, png_size_t png_info_struct_size), 433 PNG_DEPRECATED) 434 { 435 png_inforp info_ptr = *ptr_ptr; 436 437 png_debug(1, "in png_info_init_3"); 438 439 if (info_ptr == NULL) 440 return; 441 442 if ((sizeof (png_info)) > png_info_struct_size) 443 { 444 *ptr_ptr = NULL; 445 /* The following line is why this API should not be used: */ 446 free(info_ptr); 447 info_ptr = png_voidcast(png_inforp, png_malloc_base(NULL, 448 (sizeof *info_ptr))); 449 if (info_ptr == NULL) 450 return; 451 *ptr_ptr = info_ptr; 452 } 453 454 /* Set everything to 0 */ 455 memset(info_ptr, 0, (sizeof *info_ptr)); 456 } 457 458 /* The following API is not called internally */ 459 void PNGAPI 460 png_data_freer(png_const_structrp png_ptr, png_inforp info_ptr, 461 int freer, png_uint_32 mask) 462 { 463 png_debug(1, "in png_data_freer"); 464 465 if (png_ptr == NULL || info_ptr == NULL) 466 return; 467 468 if (freer == PNG_DESTROY_WILL_FREE_DATA) 469 info_ptr->free_me |= mask; 470 471 else if (freer == PNG_USER_WILL_FREE_DATA) 472 info_ptr->free_me &= ~mask; 473 474 else 475 png_error(png_ptr, "Unknown freer parameter in png_data_freer"); 476 } 477 478 void PNGAPI 479 png_free_data(png_const_structrp png_ptr, png_inforp info_ptr, png_uint_32 mask, 480 int num) 481 { 482 png_debug(1, "in png_free_data"); 483 484 if (png_ptr == NULL || info_ptr == NULL) 485 return; 486 487 #ifdef PNG_TEXT_SUPPORTED 488 /* Free text item num or (if num == -1) all text items */ 489 if (info_ptr->text != NULL && 490 ((mask & PNG_FREE_TEXT) & info_ptr->free_me) != 0) 491 { 492 if (num != -1) 493 { 494 png_free(png_ptr, info_ptr->text[num].key); 495 info_ptr->text[num].key = NULL; 496 } 497 498 else 499 { 500 int i; 501 502 for (i = 0; i < info_ptr->num_text; i++) 503 png_free(png_ptr, info_ptr->text[i].key); 504 505 png_free(png_ptr, info_ptr->text); 506 info_ptr->text = NULL; 507 info_ptr->num_text = 0; 508 info_ptr->max_text = 0; 509 } 510 } 511 #endif 512 513 #ifdef PNG_tRNS_SUPPORTED 514 /* Free any tRNS entry */ 515 if (((mask & PNG_FREE_TRNS) & info_ptr->free_me) != 0) 516 { 517 info_ptr->valid &= ~PNG_INFO_tRNS; 518 png_free(png_ptr, info_ptr->trans_alpha); 519 info_ptr->trans_alpha = NULL; 520 info_ptr->num_trans = 0; 521 } 522 #endif 523 524 #ifdef PNG_sCAL_SUPPORTED 525 /* Free any sCAL entry */ 526 if (((mask & PNG_FREE_SCAL) & info_ptr->free_me) != 0) 527 { 528 png_free(png_ptr, info_ptr->scal_s_width); 529 png_free(png_ptr, info_ptr->scal_s_height); 530 info_ptr->scal_s_width = NULL; 531 info_ptr->scal_s_height = NULL; 532 info_ptr->valid &= ~PNG_INFO_sCAL; 533 } 534 #endif 535 536 #ifdef PNG_pCAL_SUPPORTED 537 /* Free any pCAL entry */ 538 if (((mask & PNG_FREE_PCAL) & info_ptr->free_me) != 0) 539 { 540 png_free(png_ptr, info_ptr->pcal_purpose); 541 png_free(png_ptr, info_ptr->pcal_units); 542 info_ptr->pcal_purpose = NULL; 543 info_ptr->pcal_units = NULL; 544 545 if (info_ptr->pcal_params != NULL) 546 { 547 int i; 548 549 for (i = 0; i < info_ptr->pcal_nparams; i++) 550 png_free(png_ptr, info_ptr->pcal_params[i]); 551 552 png_free(png_ptr, info_ptr->pcal_params); 553 info_ptr->pcal_params = NULL; 554 } 555 info_ptr->valid &= ~PNG_INFO_pCAL; 556 } 557 #endif 558 559 #ifdef PNG_iCCP_SUPPORTED 560 /* Free any profile entry */ 561 if (((mask & PNG_FREE_ICCP) & info_ptr->free_me) != 0) 562 { 563 png_free(png_ptr, info_ptr->iccp_name); 564 png_free(png_ptr, info_ptr->iccp_profile); 565 info_ptr->iccp_name = NULL; 566 info_ptr->iccp_profile = NULL; 567 info_ptr->valid &= ~PNG_INFO_iCCP; 568 } 569 #endif 570 571 #ifdef PNG_sPLT_SUPPORTED 572 /* Free a given sPLT entry, or (if num == -1) all sPLT entries */ 573 if (info_ptr->splt_palettes != NULL && 574 ((mask & PNG_FREE_SPLT) & info_ptr->free_me) != 0) 575 { 576 if (num != -1) 577 { 578 png_free(png_ptr, info_ptr->splt_palettes[num].name); 579 png_free(png_ptr, info_ptr->splt_palettes[num].entries); 580 info_ptr->splt_palettes[num].name = NULL; 581 info_ptr->splt_palettes[num].entries = NULL; 582 } 583 584 else 585 { 586 int i; 587 588 for (i = 0; i < info_ptr->splt_palettes_num; i++) 589 { 590 png_free(png_ptr, info_ptr->splt_palettes[i].name); 591 png_free(png_ptr, info_ptr->splt_palettes[i].entries); 592 } 593 594 png_free(png_ptr, info_ptr->splt_palettes); 595 info_ptr->splt_palettes = NULL; 596 info_ptr->splt_palettes_num = 0; 597 info_ptr->valid &= ~PNG_INFO_sPLT; 598 } 599 } 600 #endif 601 602 #ifdef PNG_STORE_UNKNOWN_CHUNKS_SUPPORTED 603 if (info_ptr->unknown_chunks != NULL && 604 ((mask & PNG_FREE_UNKN) & info_ptr->free_me) != 0) 605 { 606 if (num != -1) 607 { 608 png_free(png_ptr, info_ptr->unknown_chunks[num].data); 609 info_ptr->unknown_chunks[num].data = NULL; 610 } 611 612 else 613 { 614 int i; 615 616 for (i = 0; i < info_ptr->unknown_chunks_num; i++) 617 png_free(png_ptr, info_ptr->unknown_chunks[i].data); 618 619 png_free(png_ptr, info_ptr->unknown_chunks); 620 info_ptr->unknown_chunks = NULL; 621 info_ptr->unknown_chunks_num = 0; 622 } 623 } 624 #endif 625 626 #ifdef PNG_hIST_SUPPORTED 627 /* Free any hIST entry */ 628 if (((mask & PNG_FREE_HIST) & info_ptr->free_me) != 0) 629 { 630 png_free(png_ptr, info_ptr->hist); 631 info_ptr->hist = NULL; 632 info_ptr->valid &= ~PNG_INFO_hIST; 633 } 634 #endif 635 636 /* Free any PLTE entry that was internally allocated */ 637 if (((mask & PNG_FREE_PLTE) & info_ptr->free_me) != 0) 638 { 639 png_free(png_ptr, info_ptr->palette); 640 info_ptr->palette = NULL; 641 info_ptr->valid &= ~PNG_INFO_PLTE; 642 info_ptr->num_palette = 0; 643 } 644 645 #ifdef PNG_INFO_IMAGE_SUPPORTED 646 /* Free any image bits attached to the info structure */ 647 if (((mask & PNG_FREE_ROWS) & info_ptr->free_me) != 0) 648 { 649 if (info_ptr->row_pointers != NULL) 650 { 651 png_uint_32 row; 652 for (row = 0; row < info_ptr->height; row++) 653 png_free(png_ptr, info_ptr->row_pointers[row]); 654 655 png_free(png_ptr, info_ptr->row_pointers); 656 info_ptr->row_pointers = NULL; 657 } 658 info_ptr->valid &= ~PNG_INFO_IDAT; 659 } 660 #endif 661 662 if (num != -1) 663 mask &= ~PNG_FREE_MUL; 664 665 info_ptr->free_me &= ~mask; 666 } 667 #endif /* READ || WRITE */ 668 669 /* This function returns a pointer to the io_ptr associated with the user 670 * functions. The application should free any memory associated with this 671 * pointer before png_write_destroy() or png_read_destroy() are called. 672 */ 673 png_voidp PNGAPI 674 png_get_io_ptr(png_const_structrp png_ptr) 675 { 676 if (png_ptr == NULL) 677 return (NULL); 678 679 return (png_ptr->io_ptr); 680 } 681 682 #if defined(PNG_READ_SUPPORTED) || defined(PNG_WRITE_SUPPORTED) 683 # ifdef PNG_STDIO_SUPPORTED 684 /* Initialize the default input/output functions for the PNG file. If you 685 * use your own read or write routines, you can call either png_set_read_fn() 686 * or png_set_write_fn() instead of png_init_io(). If you have defined 687 * PNG_NO_STDIO or otherwise disabled PNG_STDIO_SUPPORTED, you must use a 688 * function of your own because "FILE *" isn't necessarily available. 689 */ 690 void PNGAPI 691 png_init_io(png_structrp png_ptr, png_FILE_p fp) 692 { 693 png_debug(1, "in png_init_io"); 694 695 if (png_ptr == NULL) 696 return; 697 698 png_ptr->io_ptr = (png_voidp)fp; 699 } 700 # endif 701 702 # ifdef PNG_SAVE_INT_32_SUPPORTED 703 /* PNG signed integers are saved in 32-bit 2's complement format. ANSI C-90 704 * defines a cast of a signed integer to an unsigned integer either to preserve 705 * the value, if it is positive, or to calculate: 706 * 707 * (UNSIGNED_MAX+1) + integer 708 * 709 * Where UNSIGNED_MAX is the appropriate maximum unsigned value, so when the 710 * negative integral value is added the result will be an unsigned value 711 * correspnding to the 2's complement representation. 712 */ 713 void PNGAPI 714 png_save_int_32(png_bytep buf, png_int_32 i) 715 { 716 png_save_uint_32(buf, (png_uint_32)i); 717 } 718 # endif 719 720 # ifdef PNG_TIME_RFC1123_SUPPORTED 721 /* Convert the supplied time into an RFC 1123 string suitable for use in 722 * a "Creation Time" or other text-based time string. 723 */ 724 int PNGAPI 725 png_convert_to_rfc1123_buffer(char out[29], png_const_timep ptime) 726 { 727 static PNG_CONST char short_months[12][4] = 728 {"Jan", "Feb", "Mar", "Apr", "May", "Jun", 729 "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"}; 730 731 if (out == NULL) 732 return 0; 733 734 if (ptime->year > 9999 /* RFC1123 limitation */ || 735 ptime->month == 0 || ptime->month > 12 || 736 ptime->day == 0 || ptime->day > 31 || 737 ptime->hour > 23 || ptime->minute > 59 || 738 ptime->second > 60) 739 return 0; 740 741 { 742 size_t pos = 0; 743 char number_buf[5]; /* enough for a four-digit year */ 744 745 # define APPEND_STRING(string) pos = png_safecat(out, 29, pos, (string)) 746 # define APPEND_NUMBER(format, value)\ 747 APPEND_STRING(PNG_FORMAT_NUMBER(number_buf, format, (value))) 748 # define APPEND(ch) if (pos < 28) out[pos++] = (ch) 749 750 APPEND_NUMBER(PNG_NUMBER_FORMAT_u, (unsigned)ptime->day); 751 APPEND(' '); 752 APPEND_STRING(short_months[(ptime->month - 1)]); 753 APPEND(' '); 754 APPEND_NUMBER(PNG_NUMBER_FORMAT_u, ptime->year); 755 APPEND(' '); 756 APPEND_NUMBER(PNG_NUMBER_FORMAT_02u, (unsigned)ptime->hour); 757 APPEND(':'); 758 APPEND_NUMBER(PNG_NUMBER_FORMAT_02u, (unsigned)ptime->minute); 759 APPEND(':'); 760 APPEND_NUMBER(PNG_NUMBER_FORMAT_02u, (unsigned)ptime->second); 761 APPEND_STRING(" +0000"); /* This reliably terminates the buffer */ 762 PNG_UNUSED (pos) 763 764 # undef APPEND 765 # undef APPEND_NUMBER 766 # undef APPEND_STRING 767 } 768 769 return 1; 770 } 771 772 # if PNG_LIBPNG_VER < 10700 773 /* To do: remove the following from libpng-1.7 */ 774 /* Original API that uses a private buffer in png_struct. 775 * Deprecated because it causes png_struct to carry a spurious temporary 776 * buffer (png_struct::time_buffer), better to have the caller pass this in. 777 */ 778 png_const_charp PNGAPI 779 png_convert_to_rfc1123(png_structrp png_ptr, png_const_timep ptime) 780 { 781 if (png_ptr != NULL) 782 { 783 /* The only failure above if png_ptr != NULL is from an invalid ptime */ 784 if (png_convert_to_rfc1123_buffer(png_ptr->time_buffer, ptime) == 0) 785 png_warning(png_ptr, "Ignoring invalid time value"); 786 787 else 788 return png_ptr->time_buffer; 789 } 790 791 return NULL; 792 } 793 # endif /* LIBPNG_VER < 10700 */ 794 # endif /* TIME_RFC1123 */ 795 796 #endif /* READ || WRITE */ 797 798 png_const_charp PNGAPI 799 png_get_copyright(png_const_structrp png_ptr) 800 { 801 PNG_UNUSED(png_ptr) /* Silence compiler warning about unused png_ptr */ 802 #ifdef PNG_STRING_COPYRIGHT 803 return PNG_STRING_COPYRIGHT 804 #else 805 # ifdef __STDC__ 806 return PNG_STRING_NEWLINE \ 807 "libpng version 1.6.28 - January 5, 2017" PNG_STRING_NEWLINE \ 808 "Copyright (c) 1998-2002,2004,2006-2017 Glenn Randers-Pehrson" \ 809 PNG_STRING_NEWLINE \ 810 "Copyright (c) 1996-1997 Andreas Dilger" PNG_STRING_NEWLINE \ 811 "Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc." \ 812 PNG_STRING_NEWLINE; 813 # else 814 return "libpng version 1.6.28 - January 5, 2017\ 815 Copyright (c) 1998-2002,2004,2006-2017 Glenn Randers-Pehrson\ 816 Copyright (c) 1996-1997 Andreas Dilger\ 817 Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc."; 818 # endif 819 #endif 820 } 821 822 /* The following return the library version as a short string in the 823 * format 1.0.0 through 99.99.99zz. To get the version of *.h files 824 * used with your application, print out PNG_LIBPNG_VER_STRING, which 825 * is defined in png.h. 826 * Note: now there is no difference between png_get_libpng_ver() and 827 * png_get_header_ver(). Due to the version_nn_nn_nn typedef guard, 828 * it is guaranteed that png.c uses the correct version of png.h. 829 */ 830 png_const_charp PNGAPI 831 png_get_libpng_ver(png_const_structrp png_ptr) 832 { 833 /* Version of *.c files used when building libpng */ 834 return png_get_header_ver(png_ptr); 835 } 836 837 png_const_charp PNGAPI 838 png_get_header_ver(png_const_structrp png_ptr) 839 { 840 /* Version of *.h files used when building libpng */ 841 PNG_UNUSED(png_ptr) /* Silence compiler warning about unused png_ptr */ 842 return PNG_LIBPNG_VER_STRING; 843 } 844 845 png_const_charp PNGAPI 846 png_get_header_version(png_const_structrp png_ptr) 847 { 848 /* Returns longer string containing both version and date */ 849 PNG_UNUSED(png_ptr) /* Silence compiler warning about unused png_ptr */ 850 #ifdef __STDC__ 851 return PNG_HEADER_VERSION_STRING 852 # ifndef PNG_READ_SUPPORTED 853 " (NO READ SUPPORT)" 854 # endif 855 PNG_STRING_NEWLINE; 856 #else 857 return PNG_HEADER_VERSION_STRING; 858 #endif 859 } 860 861 #ifdef PNG_BUILD_GRAYSCALE_PALETTE_SUPPORTED 862 /* NOTE: this routine is not used internally! */ 863 /* Build a grayscale palette. Palette is assumed to be 1 << bit_depth 864 * large of png_color. This lets grayscale images be treated as 865 * paletted. Most useful for gamma correction and simplification 866 * of code. This API is not used internally. 867 */ 868 void PNGAPI 869 png_build_grayscale_palette(int bit_depth, png_colorp palette) 870 { 871 int num_palette; 872 int color_inc; 873 int i; 874 int v; 875 876 png_debug(1, "in png_do_build_grayscale_palette"); 877 878 if (palette == NULL) 879 return; 880 881 switch (bit_depth) 882 { 883 case 1: 884 num_palette = 2; 885 color_inc = 0xff; 886 break; 887 888 case 2: 889 num_palette = 4; 890 color_inc = 0x55; 891 break; 892 893 case 4: 894 num_palette = 16; 895 color_inc = 0x11; 896 break; 897 898 case 8: 899 num_palette = 256; 900 color_inc = 1; 901 break; 902 903 default: 904 num_palette = 0; 905 color_inc = 0; 906 break; 907 } 908 909 for (i = 0, v = 0; i < num_palette; i++, v += color_inc) 910 { 911 palette[i].red = (png_byte)(v & 0xff); 912 palette[i].green = (png_byte)(v & 0xff); 913 palette[i].blue = (png_byte)(v & 0xff); 914 } 915 } 916 #endif 917 918 #ifdef PNG_SET_UNKNOWN_CHUNKS_SUPPORTED 919 int PNGAPI 920 png_handle_as_unknown(png_const_structrp png_ptr, png_const_bytep chunk_name) 921 { 922 /* Check chunk_name and return "keep" value if it's on the list, else 0 */ 923 png_const_bytep p, p_end; 924 925 if (png_ptr == NULL || chunk_name == NULL || png_ptr->num_chunk_list == 0) 926 return PNG_HANDLE_CHUNK_AS_DEFAULT; 927 928 p_end = png_ptr->chunk_list; 929 p = p_end + png_ptr->num_chunk_list*5; /* beyond end */ 930 931 /* The code is the fifth byte after each four byte string. Historically this 932 * code was always searched from the end of the list, this is no longer 933 * necessary because the 'set' routine handles duplicate entries correcty. 934 */ 935 do /* num_chunk_list > 0, so at least one */ 936 { 937 p -= 5; 938 939 if (memcmp(chunk_name, p, 4) == 0) 940 return p[4]; 941 } 942 while (p > p_end); 943 944 /* This means that known chunks should be processed and unknown chunks should 945 * be handled according to the value of png_ptr->unknown_default; this can be 946 * confusing because, as a result, there are two levels of defaulting for 947 * unknown chunks. 948 */ 949 return PNG_HANDLE_CHUNK_AS_DEFAULT; 950 } 951 952 #if defined(PNG_READ_UNKNOWN_CHUNKS_SUPPORTED) ||\ 953 defined(PNG_HANDLE_AS_UNKNOWN_SUPPORTED) 954 int /* PRIVATE */ 955 png_chunk_unknown_handling(png_const_structrp png_ptr, png_uint_32 chunk_name) 956 { 957 png_byte chunk_string[5]; 958 959 PNG_CSTRING_FROM_CHUNK(chunk_string, chunk_name); 960 return png_handle_as_unknown(png_ptr, chunk_string); 961 } 962 #endif /* READ_UNKNOWN_CHUNKS || HANDLE_AS_UNKNOWN */ 963 #endif /* SET_UNKNOWN_CHUNKS */ 964 965 #ifdef PNG_READ_SUPPORTED 966 /* This function, added to libpng-1.0.6g, is untested. */ 967 int PNGAPI 968 png_reset_zstream(png_structrp png_ptr) 969 { 970 if (png_ptr == NULL) 971 return Z_STREAM_ERROR; 972 973 /* WARNING: this resets the window bits to the maximum! */ 974 return (inflateReset(&png_ptr->zstream)); 975 } 976 #endif /* READ */ 977 978 /* This function was added to libpng-1.0.7 */ 979 png_uint_32 PNGAPI 980 png_access_version_number(void) 981 { 982 /* Version of *.c files used when building libpng */ 983 return((png_uint_32)PNG_LIBPNG_VER); 984 } 985 986 #if defined(PNG_READ_SUPPORTED) || defined(PNG_WRITE_SUPPORTED) 987 /* Ensure that png_ptr->zstream.msg holds some appropriate error message string. 988 * If it doesn't 'ret' is used to set it to something appropriate, even in cases 989 * like Z_OK or Z_STREAM_END where the error code is apparently a success code. 990 */ 991 void /* PRIVATE */ 992 png_zstream_error(png_structrp png_ptr, int ret) 993 { 994 /* Translate 'ret' into an appropriate error string, priority is given to the 995 * one in zstream if set. This always returns a string, even in cases like 996 * Z_OK or Z_STREAM_END where the error code is a success code. 997 */ 998 if (png_ptr->zstream.msg == NULL) switch (ret) 999 { 1000 default: 1001 case Z_OK: 1002 png_ptr->zstream.msg = PNGZ_MSG_CAST("unexpected zlib return code"); 1003 break; 1004 1005 case Z_STREAM_END: 1006 /* Normal exit */ 1007 png_ptr->zstream.msg = PNGZ_MSG_CAST("unexpected end of LZ stream"); 1008 break; 1009 1010 case Z_NEED_DICT: 1011 /* This means the deflate stream did not have a dictionary; this 1012 * indicates a bogus PNG. 1013 */ 1014 png_ptr->zstream.msg = PNGZ_MSG_CAST("missing LZ dictionary"); 1015 break; 1016 1017 case Z_ERRNO: 1018 /* gz APIs only: should not happen */ 1019 png_ptr->zstream.msg = PNGZ_MSG_CAST("zlib IO error"); 1020 break; 1021 1022 case Z_STREAM_ERROR: 1023 /* internal libpng error */ 1024 png_ptr->zstream.msg = PNGZ_MSG_CAST("bad parameters to zlib"); 1025 break; 1026 1027 case Z_DATA_ERROR: 1028 png_ptr->zstream.msg = PNGZ_MSG_CAST("damaged LZ stream"); 1029 break; 1030 1031 case Z_MEM_ERROR: 1032 png_ptr->zstream.msg = PNGZ_MSG_CAST("insufficient memory"); 1033 break; 1034 1035 case Z_BUF_ERROR: 1036 /* End of input or output; not a problem if the caller is doing 1037 * incremental read or write. 1038 */ 1039 png_ptr->zstream.msg = PNGZ_MSG_CAST("truncated"); 1040 break; 1041 1042 case Z_VERSION_ERROR: 1043 png_ptr->zstream.msg = PNGZ_MSG_CAST("unsupported zlib version"); 1044 break; 1045 1046 case PNG_UNEXPECTED_ZLIB_RETURN: 1047 /* Compile errors here mean that zlib now uses the value co-opted in 1048 * pngpriv.h for PNG_UNEXPECTED_ZLIB_RETURN; update the switch above 1049 * and change pngpriv.h. Note that this message is "... return", 1050 * whereas the default/Z_OK one is "... return code". 1051 */ 1052 png_ptr->zstream.msg = PNGZ_MSG_CAST("unexpected zlib return"); 1053 break; 1054 } 1055 } 1056 1057 /* png_convert_size: a PNGAPI but no longer in png.h, so deleted 1058 * at libpng 1.5.5! 1059 */ 1060 1061 /* Added at libpng version 1.2.34 and 1.4.0 (moved from pngset.c) */ 1062 #ifdef PNG_GAMMA_SUPPORTED /* always set if COLORSPACE */ 1063 static int 1064 png_colorspace_check_gamma(png_const_structrp png_ptr, 1065 png_colorspacerp colorspace, png_fixed_point gAMA, int from) 1066 /* This is called to check a new gamma value against an existing one. The 1067 * routine returns false if the new gamma value should not be written. 1068 * 1069 * 'from' says where the new gamma value comes from: 1070 * 1071 * 0: the new gamma value is the libpng estimate for an ICC profile 1072 * 1: the new gamma value comes from a gAMA chunk 1073 * 2: the new gamma value comes from an sRGB chunk 1074 */ 1075 { 1076 png_fixed_point gtest; 1077 1078 if ((colorspace->flags & PNG_COLORSPACE_HAVE_GAMMA) != 0 && 1079 (png_muldiv(>est, colorspace->gamma, PNG_FP_1, gAMA) == 0 || 1080 png_gamma_significant(gtest) != 0)) 1081 { 1082 /* Either this is an sRGB image, in which case the calculated gamma 1083 * approximation should match, or this is an image with a profile and the 1084 * value libpng calculates for the gamma of the profile does not match the 1085 * value recorded in the file. The former, sRGB, case is an error, the 1086 * latter is just a warning. 1087 */ 1088 if ((colorspace->flags & PNG_COLORSPACE_FROM_sRGB) != 0 || from == 2) 1089 { 1090 png_chunk_report(png_ptr, "gamma value does not match sRGB", 1091 PNG_CHUNK_ERROR); 1092 /* Do not overwrite an sRGB value */ 1093 return from == 2; 1094 } 1095 1096 else /* sRGB tag not involved */ 1097 { 1098 png_chunk_report(png_ptr, "gamma value does not match libpng estimate", 1099 PNG_CHUNK_WARNING); 1100 return from == 1; 1101 } 1102 } 1103 1104 return 1; 1105 } 1106 1107 void /* PRIVATE */ 1108 png_colorspace_set_gamma(png_const_structrp png_ptr, 1109 png_colorspacerp colorspace, png_fixed_point gAMA) 1110 { 1111 /* Changed in libpng-1.5.4 to limit the values to ensure overflow can't 1112 * occur. Since the fixed point representation is asymetrical it is 1113 * possible for 1/gamma to overflow the limit of 21474 and this means the 1114 * gamma value must be at least 5/100000 and hence at most 20000.0. For 1115 * safety the limits here are a little narrower. The values are 0.00016 to 1116 * 6250.0, which are truly ridiculous gamma values (and will produce 1117 * displays that are all black or all white.) 1118 * 1119 * In 1.6.0 this test replaces the ones in pngrutil.c, in the gAMA chunk 1120 * handling code, which only required the value to be >0. 1121 */ 1122 png_const_charp errmsg; 1123 1124 if (gAMA < 16 || gAMA > 625000000) 1125 errmsg = "gamma value out of range"; 1126 1127 # ifdef PNG_READ_gAMA_SUPPORTED 1128 /* Allow the application to set the gamma value more than once */ 1129 else if ((png_ptr->mode & PNG_IS_READ_STRUCT) != 0 && 1130 (colorspace->flags & PNG_COLORSPACE_FROM_gAMA) != 0) 1131 errmsg = "duplicate"; 1132 # endif 1133 1134 /* Do nothing if the colorspace is already invalid */ 1135 else if ((colorspace->flags & PNG_COLORSPACE_INVALID) != 0) 1136 return; 1137 1138 else 1139 { 1140 if (png_colorspace_check_gamma(png_ptr, colorspace, gAMA, 1141 1/*from gAMA*/) != 0) 1142 { 1143 /* Store this gamma value. */ 1144 colorspace->gamma = gAMA; 1145 colorspace->flags |= 1146 (PNG_COLORSPACE_HAVE_GAMMA | PNG_COLORSPACE_FROM_gAMA); 1147 } 1148 1149 /* At present if the check_gamma test fails the gamma of the colorspace is 1150 * not updated however the colorspace is not invalidated. This 1151 * corresponds to the case where the existing gamma comes from an sRGB 1152 * chunk or profile. An error message has already been output. 1153 */ 1154 return; 1155 } 1156 1157 /* Error exit - errmsg has been set. */ 1158 colorspace->flags |= PNG_COLORSPACE_INVALID; 1159 png_chunk_report(png_ptr, errmsg, PNG_CHUNK_WRITE_ERROR); 1160 } 1161 1162 void /* PRIVATE */ 1163 png_colorspace_sync_info(png_const_structrp png_ptr, png_inforp info_ptr) 1164 { 1165 if ((info_ptr->colorspace.flags & PNG_COLORSPACE_INVALID) != 0) 1166 { 1167 /* Everything is invalid */ 1168 info_ptr->valid &= ~(PNG_INFO_gAMA|PNG_INFO_cHRM|PNG_INFO_sRGB| 1169 PNG_INFO_iCCP); 1170 1171 # ifdef PNG_COLORSPACE_SUPPORTED 1172 /* Clean up the iCCP profile now if it won't be used. */ 1173 png_free_data(png_ptr, info_ptr, PNG_FREE_ICCP, -1/*not used*/); 1174 # else 1175 PNG_UNUSED(png_ptr) 1176 # endif 1177 } 1178 1179 else 1180 { 1181 # ifdef PNG_COLORSPACE_SUPPORTED 1182 /* Leave the INFO_iCCP flag set if the pngset.c code has already set 1183 * it; this allows a PNG to contain a profile which matches sRGB and 1184 * yet still have that profile retrievable by the application. 1185 */ 1186 if ((info_ptr->colorspace.flags & PNG_COLORSPACE_MATCHES_sRGB) != 0) 1187 info_ptr->valid |= PNG_INFO_sRGB; 1188 1189 else 1190 info_ptr->valid &= ~PNG_INFO_sRGB; 1191 1192 if ((info_ptr->colorspace.flags & PNG_COLORSPACE_HAVE_ENDPOINTS) != 0) 1193 info_ptr->valid |= PNG_INFO_cHRM; 1194 1195 else 1196 info_ptr->valid &= ~PNG_INFO_cHRM; 1197 # endif 1198 1199 if ((info_ptr->colorspace.flags & PNG_COLORSPACE_HAVE_GAMMA) != 0) 1200 info_ptr->valid |= PNG_INFO_gAMA; 1201 1202 else 1203 info_ptr->valid &= ~PNG_INFO_gAMA; 1204 } 1205 } 1206 1207 #ifdef PNG_READ_SUPPORTED 1208 void /* PRIVATE */ 1209 png_colorspace_sync(png_const_structrp png_ptr, png_inforp info_ptr) 1210 { 1211 if (info_ptr == NULL) /* reduce code size; check here not in the caller */ 1212 return; 1213 1214 info_ptr->colorspace = png_ptr->colorspace; 1215 png_colorspace_sync_info(png_ptr, info_ptr); 1216 } 1217 #endif 1218 #endif /* GAMMA */ 1219 1220 #ifdef PNG_COLORSPACE_SUPPORTED 1221 /* Added at libpng-1.5.5 to support read and write of true CIEXYZ values for 1222 * cHRM, as opposed to using chromaticities. These internal APIs return 1223 * non-zero on a parameter error. The X, Y and Z values are required to be 1224 * positive and less than 1.0. 1225 */ 1226 static int 1227 png_xy_from_XYZ(png_xy *xy, const png_XYZ *XYZ) 1228 { 1229 png_int_32 d, dwhite, whiteX, whiteY; 1230 1231 d = XYZ->red_X + XYZ->red_Y + XYZ->red_Z; 1232 if (png_muldiv(&xy->redx, XYZ->red_X, PNG_FP_1, d) == 0) 1233 return 1; 1234 if (png_muldiv(&xy->redy, XYZ->red_Y, PNG_FP_1, d) == 0) 1235 return 1; 1236 dwhite = d; 1237 whiteX = XYZ->red_X; 1238 whiteY = XYZ->red_Y; 1239 1240 d = XYZ->green_X + XYZ->green_Y + XYZ->green_Z; 1241 if (png_muldiv(&xy->greenx, XYZ->green_X, PNG_FP_1, d) == 0) 1242 return 1; 1243 if (png_muldiv(&xy->greeny, XYZ->green_Y, PNG_FP_1, d) == 0) 1244 return 1; 1245 dwhite += d; 1246 whiteX += XYZ->green_X; 1247 whiteY += XYZ->green_Y; 1248 1249 d = XYZ->blue_X + XYZ->blue_Y + XYZ->blue_Z; 1250 if (png_muldiv(&xy->bluex, XYZ->blue_X, PNG_FP_1, d) == 0) 1251 return 1; 1252 if (png_muldiv(&xy->bluey, XYZ->blue_Y, PNG_FP_1, d) == 0) 1253 return 1; 1254 dwhite += d; 1255 whiteX += XYZ->blue_X; 1256 whiteY += XYZ->blue_Y; 1257 1258 /* The reference white is simply the sum of the end-point (X,Y,Z) vectors, 1259 * thus: 1260 */ 1261 if (png_muldiv(&xy->whitex, whiteX, PNG_FP_1, dwhite) == 0) 1262 return 1; 1263 if (png_muldiv(&xy->whitey, whiteY, PNG_FP_1, dwhite) == 0) 1264 return 1; 1265 1266 return 0; 1267 } 1268 1269 static int 1270 png_XYZ_from_xy(png_XYZ *XYZ, const png_xy *xy) 1271 { 1272 png_fixed_point red_inverse, green_inverse, blue_scale; 1273 png_fixed_point left, right, denominator; 1274 1275 /* Check xy and, implicitly, z. Note that wide gamut color spaces typically 1276 * have end points with 0 tristimulus values (these are impossible end 1277 * points, but they are used to cover the possible colors). We check 1278 * xy->whitey against 5, not 0, to avoid a possible integer overflow. 1279 */ 1280 if (xy->redx < 0 || xy->redx > PNG_FP_1) return 1; 1281 if (xy->redy < 0 || xy->redy > PNG_FP_1-xy->redx) return 1; 1282 if (xy->greenx < 0 || xy->greenx > PNG_FP_1) return 1; 1283 if (xy->greeny < 0 || xy->greeny > PNG_FP_1-xy->greenx) return 1; 1284 if (xy->bluex < 0 || xy->bluex > PNG_FP_1) return 1; 1285 if (xy->bluey < 0 || xy->bluey > PNG_FP_1-xy->bluex) return 1; 1286 if (xy->whitex < 0 || xy->whitex > PNG_FP_1) return 1; 1287 if (xy->whitey < 5 || xy->whitey > PNG_FP_1-xy->whitex) return 1; 1288 1289 /* The reverse calculation is more difficult because the original tristimulus 1290 * value had 9 independent values (red,green,blue)x(X,Y,Z) however only 8 1291 * derived values were recorded in the cHRM chunk; 1292 * (red,green,blue,white)x(x,y). This loses one degree of freedom and 1293 * therefore an arbitrary ninth value has to be introduced to undo the 1294 * original transformations. 1295 * 1296 * Think of the original end-points as points in (X,Y,Z) space. The 1297 * chromaticity values (c) have the property: 1298 * 1299 * C 1300 * c = --------- 1301 * X + Y + Z 1302 * 1303 * For each c (x,y,z) from the corresponding original C (X,Y,Z). Thus the 1304 * three chromaticity values (x,y,z) for each end-point obey the 1305 * relationship: 1306 * 1307 * x + y + z = 1 1308 * 1309 * This describes the plane in (X,Y,Z) space that intersects each axis at the 1310 * value 1.0; call this the chromaticity plane. Thus the chromaticity 1311 * calculation has scaled each end-point so that it is on the x+y+z=1 plane 1312 * and chromaticity is the intersection of the vector from the origin to the 1313 * (X,Y,Z) value with the chromaticity plane. 1314 * 1315 * To fully invert the chromaticity calculation we would need the three 1316 * end-point scale factors, (red-scale, green-scale, blue-scale), but these 1317 * were not recorded. Instead we calculated the reference white (X,Y,Z) and 1318 * recorded the chromaticity of this. The reference white (X,Y,Z) would have 1319 * given all three of the scale factors since: 1320 * 1321 * color-C = color-c * color-scale 1322 * white-C = red-C + green-C + blue-C 1323 * = red-c*red-scale + green-c*green-scale + blue-c*blue-scale 1324 * 1325 * But cHRM records only white-x and white-y, so we have lost the white scale 1326 * factor: 1327 * 1328 * white-C = white-c*white-scale 1329 * 1330 * To handle this the inverse transformation makes an arbitrary assumption 1331 * about white-scale: 1332 * 1333 * Assume: white-Y = 1.0 1334 * Hence: white-scale = 1/white-y 1335 * Or: red-Y + green-Y + blue-Y = 1.0 1336 * 1337 * Notice the last statement of the assumption gives an equation in three of 1338 * the nine values we want to calculate. 8 more equations come from the 1339 * above routine as summarised at the top above (the chromaticity 1340 * calculation): 1341 * 1342 * Given: color-x = color-X / (color-X + color-Y + color-Z) 1343 * Hence: (color-x - 1)*color-X + color.x*color-Y + color.x*color-Z = 0 1344 * 1345 * This is 9 simultaneous equations in the 9 variables "color-C" and can be 1346 * solved by Cramer's rule. Cramer's rule requires calculating 10 9x9 matrix 1347 * determinants, however this is not as bad as it seems because only 28 of 1348 * the total of 90 terms in the various matrices are non-zero. Nevertheless 1349 * Cramer's rule is notoriously numerically unstable because the determinant 1350 * calculation involves the difference of large, but similar, numbers. It is 1351 * difficult to be sure that the calculation is stable for real world values 1352 * and it is certain that it becomes unstable where the end points are close 1353 * together. 1354 * 1355 * So this code uses the perhaps slightly less optimal but more 1356 * understandable and totally obvious approach of calculating color-scale. 1357 * 1358 * This algorithm depends on the precision in white-scale and that is 1359 * (1/white-y), so we can immediately see that as white-y approaches 0 the 1360 * accuracy inherent in the cHRM chunk drops off substantially. 1361 * 1362 * libpng arithmetic: a simple inversion of the above equations 1363 * ------------------------------------------------------------ 1364 * 1365 * white_scale = 1/white-y 1366 * white-X = white-x * white-scale 1367 * white-Y = 1.0 1368 * white-Z = (1 - white-x - white-y) * white_scale 1369 * 1370 * white-C = red-C + green-C + blue-C 1371 * = red-c*red-scale + green-c*green-scale + blue-c*blue-scale 1372 * 1373 * This gives us three equations in (red-scale,green-scale,blue-scale) where 1374 * all the coefficients are now known: 1375 * 1376 * red-x*red-scale + green-x*green-scale + blue-x*blue-scale 1377 * = white-x/white-y 1378 * red-y*red-scale + green-y*green-scale + blue-y*blue-scale = 1 1379 * red-z*red-scale + green-z*green-scale + blue-z*blue-scale 1380 * = (1 - white-x - white-y)/white-y 1381 * 1382 * In the last equation color-z is (1 - color-x - color-y) so we can add all 1383 * three equations together to get an alternative third: 1384 * 1385 * red-scale + green-scale + blue-scale = 1/white-y = white-scale 1386 * 1387 * So now we have a Cramer's rule solution where the determinants are just 1388 * 3x3 - far more tractible. Unfortunately 3x3 determinants still involve 1389 * multiplication of three coefficients so we can't guarantee to avoid 1390 * overflow in the libpng fixed point representation. Using Cramer's rule in 1391 * floating point is probably a good choice here, but it's not an option for 1392 * fixed point. Instead proceed to simplify the first two equations by 1393 * eliminating what is likely to be the largest value, blue-scale: 1394 * 1395 * blue-scale = white-scale - red-scale - green-scale 1396 * 1397 * Hence: 1398 * 1399 * (red-x - blue-x)*red-scale + (green-x - blue-x)*green-scale = 1400 * (white-x - blue-x)*white-scale 1401 * 1402 * (red-y - blue-y)*red-scale + (green-y - blue-y)*green-scale = 1403 * 1 - blue-y*white-scale 1404 * 1405 * And now we can trivially solve for (red-scale,green-scale): 1406 * 1407 * green-scale = 1408 * (white-x - blue-x)*white-scale - (red-x - blue-x)*red-scale 1409 * ----------------------------------------------------------- 1410 * green-x - blue-x 1411 * 1412 * red-scale = 1413 * 1 - blue-y*white-scale - (green-y - blue-y) * green-scale 1414 * --------------------------------------------------------- 1415 * red-y - blue-y 1416 * 1417 * Hence: 1418 * 1419 * red-scale = 1420 * ( (green-x - blue-x) * (white-y - blue-y) - 1421 * (green-y - blue-y) * (white-x - blue-x) ) / white-y 1422 * ------------------------------------------------------------------------- 1423 * (green-x - blue-x)*(red-y - blue-y)-(green-y - blue-y)*(red-x - blue-x) 1424 * 1425 * green-scale = 1426 * ( (red-y - blue-y) * (white-x - blue-x) - 1427 * (red-x - blue-x) * (white-y - blue-y) ) / white-y 1428 * ------------------------------------------------------------------------- 1429 * (green-x - blue-x)*(red-y - blue-y)-(green-y - blue-y)*(red-x - blue-x) 1430 * 1431 * Accuracy: 1432 * The input values have 5 decimal digits of accuracy. The values are all in 1433 * the range 0 < value < 1, so simple products are in the same range but may 1434 * need up to 10 decimal digits to preserve the original precision and avoid 1435 * underflow. Because we are using a 32-bit signed representation we cannot 1436 * match this; the best is a little over 9 decimal digits, less than 10. 1437 * 1438 * The approach used here is to preserve the maximum precision within the 1439 * signed representation. Because the red-scale calculation above uses the 1440 * difference between two products of values that must be in the range -1..+1 1441 * it is sufficient to divide the product by 7; ceil(100,000/32767*2). The 1442 * factor is irrelevant in the calculation because it is applied to both 1443 * numerator and denominator. 1444 * 1445 * Note that the values of the differences of the products of the 1446 * chromaticities in the above equations tend to be small, for example for 1447 * the sRGB chromaticities they are: 1448 * 1449 * red numerator: -0.04751 1450 * green numerator: -0.08788 1451 * denominator: -0.2241 (without white-y multiplication) 1452 * 1453 * The resultant Y coefficients from the chromaticities of some widely used 1454 * color space definitions are (to 15 decimal places): 1455 * 1456 * sRGB 1457 * 0.212639005871510 0.715168678767756 0.072192315360734 1458 * Kodak ProPhoto 1459 * 0.288071128229293 0.711843217810102 0.000085653960605 1460 * Adobe RGB 1461 * 0.297344975250536 0.627363566255466 0.075291458493998 1462 * Adobe Wide Gamut RGB 1463 * 0.258728243040113 0.724682314948566 0.016589442011321 1464 */ 1465 /* By the argument, above overflow should be impossible here. The return 1466 * value of 2 indicates an internal error to the caller. 1467 */ 1468 if (png_muldiv(&left, xy->greenx-xy->bluex, xy->redy - xy->bluey, 7) == 0) 1469 return 2; 1470 if (png_muldiv(&right, xy->greeny-xy->bluey, xy->redx - xy->bluex, 7) == 0) 1471 return 2; 1472 denominator = left - right; 1473 1474 /* Now find the red numerator. */ 1475 if (png_muldiv(&left, xy->greenx-xy->bluex, xy->whitey-xy->bluey, 7) == 0) 1476 return 2; 1477 if (png_muldiv(&right, xy->greeny-xy->bluey, xy->whitex-xy->bluex, 7) == 0) 1478 return 2; 1479 1480 /* Overflow is possible here and it indicates an extreme set of PNG cHRM 1481 * chunk values. This calculation actually returns the reciprocal of the 1482 * scale value because this allows us to delay the multiplication of white-y 1483 * into the denominator, which tends to produce a small number. 1484 */ 1485 if (png_muldiv(&red_inverse, xy->whitey, denominator, left-right) == 0 || 1486 red_inverse <= xy->whitey /* r+g+b scales = white scale */) 1487 return 1; 1488 1489 /* Similarly for green_inverse: */ 1490 if (png_muldiv(&left, xy->redy-xy->bluey, xy->whitex-xy->bluex, 7) == 0) 1491 return 2; 1492 if (png_muldiv(&right, xy->redx-xy->bluex, xy->whitey-xy->bluey, 7) == 0) 1493 return 2; 1494 if (png_muldiv(&green_inverse, xy->whitey, denominator, left-right) == 0 || 1495 green_inverse <= xy->whitey) 1496 return 1; 1497 1498 /* And the blue scale, the checks above guarantee this can't overflow but it 1499 * can still produce 0 for extreme cHRM values. 1500 */ 1501 blue_scale = png_reciprocal(xy->whitey) - png_reciprocal(red_inverse) - 1502 png_reciprocal(green_inverse); 1503 if (blue_scale <= 0) 1504 return 1; 1505 1506 1507 /* And fill in the png_XYZ: */ 1508 if (png_muldiv(&XYZ->red_X, xy->redx, PNG_FP_1, red_inverse) == 0) 1509 return 1; 1510 if (png_muldiv(&XYZ->red_Y, xy->redy, PNG_FP_1, red_inverse) == 0) 1511 return 1; 1512 if (png_muldiv(&XYZ->red_Z, PNG_FP_1 - xy->redx - xy->redy, PNG_FP_1, 1513 red_inverse) == 0) 1514 return 1; 1515 1516 if (png_muldiv(&XYZ->green_X, xy->greenx, PNG_FP_1, green_inverse) == 0) 1517 return 1; 1518 if (png_muldiv(&XYZ->green_Y, xy->greeny, PNG_FP_1, green_inverse) == 0) 1519 return 1; 1520 if (png_muldiv(&XYZ->green_Z, PNG_FP_1 - xy->greenx - xy->greeny, PNG_FP_1, 1521 green_inverse) == 0) 1522 return 1; 1523 1524 if (png_muldiv(&XYZ->blue_X, xy->bluex, blue_scale, PNG_FP_1) == 0) 1525 return 1; 1526 if (png_muldiv(&XYZ->blue_Y, xy->bluey, blue_scale, PNG_FP_1) == 0) 1527 return 1; 1528 if (png_muldiv(&XYZ->blue_Z, PNG_FP_1 - xy->bluex - xy->bluey, blue_scale, 1529 PNG_FP_1) == 0) 1530 return 1; 1531 1532 return 0; /*success*/ 1533 } 1534 1535 static int 1536 png_XYZ_normalize(png_XYZ *XYZ) 1537 { 1538 png_int_32 Y; 1539 1540 if (XYZ->red_Y < 0 || XYZ->green_Y < 0 || XYZ->blue_Y < 0 || 1541 XYZ->red_X < 0 || XYZ->green_X < 0 || XYZ->blue_X < 0 || 1542 XYZ->red_Z < 0 || XYZ->green_Z < 0 || XYZ->blue_Z < 0) 1543 return 1; 1544 1545 /* Normalize by scaling so the sum of the end-point Y values is PNG_FP_1. 1546 * IMPLEMENTATION NOTE: ANSI requires signed overflow not to occur, therefore 1547 * relying on addition of two positive values producing a negative one is not 1548 * safe. 1549 */ 1550 Y = XYZ->red_Y; 1551 if (0x7fffffff - Y < XYZ->green_X) 1552 return 1; 1553 Y += XYZ->green_Y; 1554 if (0x7fffffff - Y < XYZ->blue_X) 1555 return 1; 1556 Y += XYZ->blue_Y; 1557 1558 if (Y != PNG_FP_1) 1559 { 1560 if (png_muldiv(&XYZ->red_X, XYZ->red_X, PNG_FP_1, Y) == 0) 1561 return 1; 1562 if (png_muldiv(&XYZ->red_Y, XYZ->red_Y, PNG_FP_1, Y) == 0) 1563 return 1; 1564 if (png_muldiv(&XYZ->red_Z, XYZ->red_Z, PNG_FP_1, Y) == 0) 1565 return 1; 1566 1567 if (png_muldiv(&XYZ->green_X, XYZ->green_X, PNG_FP_1, Y) == 0) 1568 return 1; 1569 if (png_muldiv(&XYZ->green_Y, XYZ->green_Y, PNG_FP_1, Y) == 0) 1570 return 1; 1571 if (png_muldiv(&XYZ->green_Z, XYZ->green_Z, PNG_FP_1, Y) == 0) 1572 return 1; 1573 1574 if (png_muldiv(&XYZ->blue_X, XYZ->blue_X, PNG_FP_1, Y) == 0) 1575 return 1; 1576 if (png_muldiv(&XYZ->blue_Y, XYZ->blue_Y, PNG_FP_1, Y) == 0) 1577 return 1; 1578 if (png_muldiv(&XYZ->blue_Z, XYZ->blue_Z, PNG_FP_1, Y) == 0) 1579 return 1; 1580 } 1581 1582 return 0; 1583 } 1584 1585 static int 1586 png_colorspace_endpoints_match(const png_xy *xy1, const png_xy *xy2, int delta) 1587 { 1588 /* Allow an error of +/-0.01 (absolute value) on each chromaticity */ 1589 if (PNG_OUT_OF_RANGE(xy1->whitex, xy2->whitex,delta) || 1590 PNG_OUT_OF_RANGE(xy1->whitey, xy2->whitey,delta) || 1591 PNG_OUT_OF_RANGE(xy1->redx, xy2->redx, delta) || 1592 PNG_OUT_OF_RANGE(xy1->redy, xy2->redy, delta) || 1593 PNG_OUT_OF_RANGE(xy1->greenx, xy2->greenx,delta) || 1594 PNG_OUT_OF_RANGE(xy1->greeny, xy2->greeny,delta) || 1595 PNG_OUT_OF_RANGE(xy1->bluex, xy2->bluex, delta) || 1596 PNG_OUT_OF_RANGE(xy1->bluey, xy2->bluey, delta)) 1597 return 0; 1598 return 1; 1599 } 1600 1601 /* Added in libpng-1.6.0, a different check for the validity of a set of cHRM 1602 * chunk chromaticities. Earlier checks used to simply look for the overflow 1603 * condition (where the determinant of the matrix to solve for XYZ ends up zero 1604 * because the chromaticity values are not all distinct.) Despite this it is 1605 * theoretically possible to produce chromaticities that are apparently valid 1606 * but that rapidly degrade to invalid, potentially crashing, sets because of 1607 * arithmetic inaccuracies when calculations are performed on them. The new 1608 * check is to round-trip xy -> XYZ -> xy and then check that the result is 1609 * within a small percentage of the original. 1610 */ 1611 static int 1612 png_colorspace_check_xy(png_XYZ *XYZ, const png_xy *xy) 1613 { 1614 int result; 1615 png_xy xy_test; 1616 1617 /* As a side-effect this routine also returns the XYZ endpoints. */ 1618 result = png_XYZ_from_xy(XYZ, xy); 1619 if (result != 0) 1620 return result; 1621 1622 result = png_xy_from_XYZ(&xy_test, XYZ); 1623 if (result != 0) 1624 return result; 1625 1626 if (png_colorspace_endpoints_match(xy, &xy_test, 1627 5/*actually, the math is pretty accurate*/) != 0) 1628 return 0; 1629 1630 /* Too much slip */ 1631 return 1; 1632 } 1633 1634 /* This is the check going the other way. The XYZ is modified to normalize it 1635 * (another side-effect) and the xy chromaticities are returned. 1636 */ 1637 static int 1638 png_colorspace_check_XYZ(png_xy *xy, png_XYZ *XYZ) 1639 { 1640 int result; 1641 png_XYZ XYZtemp; 1642 1643 result = png_XYZ_normalize(XYZ); 1644 if (result != 0) 1645 return result; 1646 1647 result = png_xy_from_XYZ(xy, XYZ); 1648 if (result != 0) 1649 return result; 1650 1651 XYZtemp = *XYZ; 1652 return png_colorspace_check_xy(&XYZtemp, xy); 1653 } 1654 1655 /* Used to check for an endpoint match against sRGB */ 1656 static const png_xy sRGB_xy = /* From ITU-R BT.709-3 */ 1657 { 1658 /* color x y */ 1659 /* red */ 64000, 33000, 1660 /* green */ 30000, 60000, 1661 /* blue */ 15000, 6000, 1662 /* white */ 31270, 32900 1663 }; 1664 1665 static int 1666 png_colorspace_set_xy_and_XYZ(png_const_structrp png_ptr, 1667 png_colorspacerp colorspace, const png_xy *xy, const png_XYZ *XYZ, 1668 int preferred) 1669 { 1670 if ((colorspace->flags & PNG_COLORSPACE_INVALID) != 0) 1671 return 0; 1672 1673 /* The consistency check is performed on the chromaticities; this factors out 1674 * variations because of the normalization (or not) of the end point Y 1675 * values. 1676 */ 1677 if (preferred < 2 && 1678 (colorspace->flags & PNG_COLORSPACE_HAVE_ENDPOINTS) != 0) 1679 { 1680 /* The end points must be reasonably close to any we already have. The 1681 * following allows an error of up to +/-.001 1682 */ 1683 if (png_colorspace_endpoints_match(xy, &colorspace->end_points_xy, 1684 100) == 0) 1685 { 1686 colorspace->flags |= PNG_COLORSPACE_INVALID; 1687 png_benign_error(png_ptr, "inconsistent chromaticities"); 1688 return 0; /* failed */ 1689 } 1690 1691 /* Only overwrite with preferred values */ 1692 if (preferred == 0) 1693 return 1; /* ok, but no change */ 1694 } 1695 1696 colorspace->end_points_xy = *xy; 1697 colorspace->end_points_XYZ = *XYZ; 1698 colorspace->flags |= PNG_COLORSPACE_HAVE_ENDPOINTS; 1699 1700 /* The end points are normally quoted to two decimal digits, so allow +/-0.01 1701 * on this test. 1702 */ 1703 if (png_colorspace_endpoints_match(xy, &sRGB_xy, 1000) != 0) 1704 colorspace->flags |= PNG_COLORSPACE_ENDPOINTS_MATCH_sRGB; 1705 1706 else 1707 colorspace->flags &= PNG_COLORSPACE_CANCEL( 1708 PNG_COLORSPACE_ENDPOINTS_MATCH_sRGB); 1709 1710 return 2; /* ok and changed */ 1711 } 1712 1713 int /* PRIVATE */ 1714 png_colorspace_set_chromaticities(png_const_structrp png_ptr, 1715 png_colorspacerp colorspace, const png_xy *xy, int preferred) 1716 { 1717 /* We must check the end points to ensure they are reasonable - in the past 1718 * color management systems have crashed as a result of getting bogus 1719 * colorant values, while this isn't the fault of libpng it is the 1720 * responsibility of libpng because PNG carries the bomb and libpng is in a 1721 * position to protect against it. 1722 */ 1723 png_XYZ XYZ; 1724 1725 switch (png_colorspace_check_xy(&XYZ, xy)) 1726 { 1727 case 0: /* success */ 1728 return png_colorspace_set_xy_and_XYZ(png_ptr, colorspace, xy, &XYZ, 1729 preferred); 1730 1731 case 1: 1732 /* We can't invert the chromaticities so we can't produce value XYZ 1733 * values. Likely as not a color management system will fail too. 1734 */ 1735 colorspace->flags |= PNG_COLORSPACE_INVALID; 1736 png_benign_error(png_ptr, "invalid chromaticities"); 1737 break; 1738 1739 default: 1740 /* libpng is broken; this should be a warning but if it happens we 1741 * want error reports so for the moment it is an error. 1742 */ 1743 colorspace->flags |= PNG_COLORSPACE_INVALID; 1744 png_error(png_ptr, "internal error checking chromaticities"); 1745 } 1746 1747 return 0; /* failed */ 1748 } 1749 1750 int /* PRIVATE */ 1751 png_colorspace_set_endpoints(png_const_structrp png_ptr, 1752 png_colorspacerp colorspace, const png_XYZ *XYZ_in, int preferred) 1753 { 1754 png_XYZ XYZ = *XYZ_in; 1755 png_xy xy; 1756 1757 switch (png_colorspace_check_XYZ(&xy, &XYZ)) 1758 { 1759 case 0: 1760 return png_colorspace_set_xy_and_XYZ(png_ptr, colorspace, &xy, &XYZ, 1761 preferred); 1762 1763 case 1: 1764 /* End points are invalid. */ 1765 colorspace->flags |= PNG_COLORSPACE_INVALID; 1766 png_benign_error(png_ptr, "invalid end points"); 1767 break; 1768 1769 default: 1770 colorspace->flags |= PNG_COLORSPACE_INVALID; 1771 png_error(png_ptr, "internal error checking chromaticities"); 1772 } 1773 1774 return 0; /* failed */ 1775 } 1776 1777 #if defined(PNG_sRGB_SUPPORTED) || defined(PNG_iCCP_SUPPORTED) 1778 /* Error message generation */ 1779 static char 1780 png_icc_tag_char(png_uint_32 byte) 1781 { 1782 byte &= 0xff; 1783 if (byte >= 32 && byte <= 126) 1784 return (char)byte; 1785 else 1786 return '?'; 1787 } 1788 1789 static void 1790 png_icc_tag_name(char *name, png_uint_32 tag) 1791 { 1792 name[0] = '\''; 1793 name[1] = png_icc_tag_char(tag >> 24); 1794 name[2] = png_icc_tag_char(tag >> 16); 1795 name[3] = png_icc_tag_char(tag >> 8); 1796 name[4] = png_icc_tag_char(tag ); 1797 name[5] = '\''; 1798 } 1799 1800 static int 1801 is_ICC_signature_char(png_alloc_size_t it) 1802 { 1803 return it == 32 || (it >= 48 && it <= 57) || (it >= 65 && it <= 90) || 1804 (it >= 97 && it <= 122); 1805 } 1806 1807 static int 1808 is_ICC_signature(png_alloc_size_t it) 1809 { 1810 return is_ICC_signature_char(it >> 24) /* checks all the top bits */ && 1811 is_ICC_signature_char((it >> 16) & 0xff) && 1812 is_ICC_signature_char((it >> 8) & 0xff) && 1813 is_ICC_signature_char(it & 0xff); 1814 } 1815 1816 static int 1817 png_icc_profile_error(png_const_structrp png_ptr, png_colorspacerp colorspace, 1818 png_const_charp name, png_alloc_size_t value, png_const_charp reason) 1819 { 1820 size_t pos; 1821 char message[196]; /* see below for calculation */ 1822 1823 if (colorspace != NULL) 1824 colorspace->flags |= PNG_COLORSPACE_INVALID; 1825 1826 pos = png_safecat(message, (sizeof message), 0, "profile '"); /* 9 chars */ 1827 pos = png_safecat(message, pos+79, pos, name); /* Truncate to 79 chars */ 1828 pos = png_safecat(message, (sizeof message), pos, "': "); /* +2 = 90 */ 1829 if (is_ICC_signature(value) != 0) 1830 { 1831 /* So 'value' is at most 4 bytes and the following cast is safe */ 1832 png_icc_tag_name(message+pos, (png_uint_32)value); 1833 pos += 6; /* total +8; less than the else clause */ 1834 message[pos++] = ':'; 1835 message[pos++] = ' '; 1836 } 1837 # ifdef PNG_WARNINGS_SUPPORTED 1838 else 1839 { 1840 char number[PNG_NUMBER_BUFFER_SIZE]; /* +24 = 114*/ 1841 1842 pos = png_safecat(message, (sizeof message), pos, 1843 png_format_number(number, number+(sizeof number), 1844 PNG_NUMBER_FORMAT_x, value)); 1845 pos = png_safecat(message, (sizeof message), pos, "h: "); /*+2 = 116*/ 1846 } 1847 # endif 1848 /* The 'reason' is an arbitrary message, allow +79 maximum 195 */ 1849 pos = png_safecat(message, (sizeof message), pos, reason); 1850 PNG_UNUSED(pos) 1851 1852 /* This is recoverable, but make it unconditionally an app_error on write to 1853 * avoid writing invalid ICC profiles into PNG files (i.e., we handle them 1854 * on read, with a warning, but on write unless the app turns off 1855 * application errors the PNG won't be written.) 1856 */ 1857 png_chunk_report(png_ptr, message, 1858 (colorspace != NULL) ? PNG_CHUNK_ERROR : PNG_CHUNK_WRITE_ERROR); 1859 1860 return 0; 1861 } 1862 #endif /* sRGB || iCCP */ 1863 1864 #ifdef PNG_sRGB_SUPPORTED 1865 int /* PRIVATE */ 1866 png_colorspace_set_sRGB(png_const_structrp png_ptr, png_colorspacerp colorspace, 1867 int intent) 1868 { 1869 /* sRGB sets known gamma, end points and (from the chunk) intent. */ 1870 /* IMPORTANT: these are not necessarily the values found in an ICC profile 1871 * because ICC profiles store values adapted to a D50 environment; it is 1872 * expected that the ICC profile mediaWhitePointTag will be D50; see the 1873 * checks and code elsewhere to understand this better. 1874 * 1875 * These XYZ values, which are accurate to 5dp, produce rgb to gray 1876 * coefficients of (6968,23435,2366), which are reduced (because they add up 1877 * to 32769 not 32768) to (6968,23434,2366). These are the values that 1878 * libpng has traditionally used (and are the best values given the 15bit 1879 * algorithm used by the rgb to gray code.) 1880 */ 1881 static const png_XYZ sRGB_XYZ = /* D65 XYZ (*not* the D50 adapted values!) */ 1882 { 1883 /* color X Y Z */ 1884 /* red */ 41239, 21264, 1933, 1885 /* green */ 35758, 71517, 11919, 1886 /* blue */ 18048, 7219, 95053 1887 }; 1888 1889 /* Do nothing if the colorspace is already invalidated. */ 1890 if ((colorspace->flags & PNG_COLORSPACE_INVALID) != 0) 1891 return 0; 1892 1893 /* Check the intent, then check for existing settings. It is valid for the 1894 * PNG file to have cHRM or gAMA chunks along with sRGB, but the values must 1895 * be consistent with the correct values. If, however, this function is 1896 * called below because an iCCP chunk matches sRGB then it is quite 1897 * conceivable that an older app recorded incorrect gAMA and cHRM because of 1898 * an incorrect calculation based on the values in the profile - this does 1899 * *not* invalidate the profile (though it still produces an error, which can 1900 * be ignored.) 1901 */ 1902 if (intent < 0 || intent >= PNG_sRGB_INTENT_LAST) 1903 return png_icc_profile_error(png_ptr, colorspace, "sRGB", 1904 (unsigned)intent, "invalid sRGB rendering intent"); 1905 1906 if ((colorspace->flags & PNG_COLORSPACE_HAVE_INTENT) != 0 && 1907 colorspace->rendering_intent != intent) 1908 return png_icc_profile_error(png_ptr, colorspace, "sRGB", 1909 (unsigned)intent, "inconsistent rendering intents"); 1910 1911 if ((colorspace->flags & PNG_COLORSPACE_FROM_sRGB) != 0) 1912 { 1913 png_benign_error(png_ptr, "duplicate sRGB information ignored"); 1914 return 0; 1915 } 1916 1917 /* If the standard sRGB cHRM chunk does not match the one from the PNG file 1918 * warn but overwrite the value with the correct one. 1919 */ 1920 if ((colorspace->flags & PNG_COLORSPACE_HAVE_ENDPOINTS) != 0 && 1921 !png_colorspace_endpoints_match(&sRGB_xy, &colorspace->end_points_xy, 1922 100)) 1923 png_chunk_report(png_ptr, "cHRM chunk does not match sRGB", 1924 PNG_CHUNK_ERROR); 1925 1926 /* This check is just done for the error reporting - the routine always 1927 * returns true when the 'from' argument corresponds to sRGB (2). 1928 */ 1929 (void)png_colorspace_check_gamma(png_ptr, colorspace, PNG_GAMMA_sRGB_INVERSE, 1930 2/*from sRGB*/); 1931 1932 /* intent: bugs in GCC force 'int' to be used as the parameter type. */ 1933 colorspace->rendering_intent = (png_uint_16)intent; 1934 colorspace->flags |= PNG_COLORSPACE_HAVE_INTENT; 1935 1936 /* endpoints */ 1937 colorspace->end_points_xy = sRGB_xy; 1938 colorspace->end_points_XYZ = sRGB_XYZ; 1939 colorspace->flags |= 1940 (PNG_COLORSPACE_HAVE_ENDPOINTS|PNG_COLORSPACE_ENDPOINTS_MATCH_sRGB); 1941 1942 /* gamma */ 1943 colorspace->gamma = PNG_GAMMA_sRGB_INVERSE; 1944 colorspace->flags |= PNG_COLORSPACE_HAVE_GAMMA; 1945 1946 /* Finally record that we have an sRGB profile */ 1947 colorspace->flags |= 1948 (PNG_COLORSPACE_MATCHES_sRGB|PNG_COLORSPACE_FROM_sRGB); 1949 1950 return 1; /* set */ 1951 } 1952 #endif /* sRGB */ 1953 1954 #ifdef PNG_iCCP_SUPPORTED 1955 /* Encoded value of D50 as an ICC XYZNumber. From the ICC 2010 spec the value 1956 * is XYZ(0.9642,1.0,0.8249), which scales to: 1957 * 1958 * (63189.8112, 65536, 54060.6464) 1959 */ 1960 static const png_byte D50_nCIEXYZ[12] = 1961 { 0x00, 0x00, 0xf6, 0xd6, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0xd3, 0x2d }; 1962 1963 static int /* bool */ 1964 icc_check_length(png_const_structrp png_ptr, png_colorspacerp colorspace, 1965 png_const_charp name, png_uint_32 profile_length) 1966 { 1967 if (profile_length < 132) 1968 return png_icc_profile_error(png_ptr, colorspace, name, profile_length, 1969 "too short"); 1970 1971 return 1; 1972 } 1973 1974 #ifdef PNG_READ_iCCP_SUPPORTED 1975 int /* PRIVATE */ 1976 png_icc_check_length(png_const_structrp png_ptr, png_colorspacerp colorspace, 1977 png_const_charp name, png_uint_32 profile_length) 1978 { 1979 if (!icc_check_length(png_ptr, colorspace, name, profile_length)) 1980 return 0; 1981 1982 /* This needs to be here because the 'normal' check is in 1983 * png_decompress_chunk, yet this happens after the attempt to 1984 * png_malloc_base the required data. We only need this on read; on write 1985 * the caller supplies the profile buffer so libpng doesn't allocate it. See 1986 * the call to icc_check_length below (the write case). 1987 */ 1988 # ifdef PNG_SET_USER_LIMITS_SUPPORTED 1989 else if (png_ptr->user_chunk_malloc_max > 0 && 1990 png_ptr->user_chunk_malloc_max < profile_length) 1991 return png_icc_profile_error(png_ptr, colorspace, name, profile_length, 1992 "exceeds application limits"); 1993 # elif PNG_USER_CHUNK_MALLOC_MAX > 0 1994 else if (PNG_USER_CHUNK_MALLOC_MAX < profile_length) 1995 return png_icc_profile_error(png_ptr, colorspace, name, profile_length, 1996 "exceeds libpng limits"); 1997 # else /* !SET_USER_LIMITS */ 1998 /* This will get compiled out on all 32-bit and better systems. */ 1999 else if (PNG_SIZE_MAX < profile_length) 2000 return png_icc_profile_error(png_ptr, colorspace, name, profile_length, 2001 "exceeds system limits"); 2002 # endif /* !SET_USER_LIMITS */ 2003 2004 return 1; 2005 } 2006 #endif /* READ_iCCP */ 2007 2008 int /* PRIVATE */ 2009 png_icc_check_header(png_const_structrp png_ptr, png_colorspacerp colorspace, 2010 png_const_charp name, png_uint_32 profile_length, 2011 png_const_bytep profile/* first 132 bytes only */, int color_type) 2012 { 2013 png_uint_32 temp; 2014 2015 /* Length check; this cannot be ignored in this code because profile_length 2016 * is used later to check the tag table, so even if the profile seems over 2017 * long profile_length from the caller must be correct. The caller can fix 2018 * this up on read or write by just passing in the profile header length. 2019 */ 2020 temp = png_get_uint_32(profile); 2021 if (temp != profile_length) 2022 return png_icc_profile_error(png_ptr, colorspace, name, temp, 2023 "length does not match profile"); 2024 2025 temp = (png_uint_32) (*(profile+8)); 2026 if (temp > 3 && (profile_length & 3)) 2027 return png_icc_profile_error(png_ptr, colorspace, name, profile_length, 2028 "invalid length"); 2029 2030 temp = png_get_uint_32(profile+128); /* tag count: 12 bytes/tag */ 2031 if (temp > 357913930 || /* (2^32-4-132)/12: maximum possible tag count */ 2032 profile_length < 132+12*temp) /* truncated tag table */ 2033 return png_icc_profile_error(png_ptr, colorspace, name, temp, 2034 "tag count too large"); 2035 2036 /* The 'intent' must be valid or we can't store it, ICC limits the intent to 2037 * 16 bits. 2038 */ 2039 temp = png_get_uint_32(profile+64); 2040 if (temp >= 0xffff) /* The ICC limit */ 2041 return png_icc_profile_error(png_ptr, colorspace, name, temp, 2042 "invalid rendering intent"); 2043 2044 /* This is just a warning because the profile may be valid in future 2045 * versions. 2046 */ 2047 if (temp >= PNG_sRGB_INTENT_LAST) 2048 (void)png_icc_profile_error(png_ptr, NULL, name, temp, 2049 "intent outside defined range"); 2050 2051 /* At this point the tag table can't be checked because it hasn't necessarily 2052 * been loaded; however, various header fields can be checked. These checks 2053 * are for values permitted by the PNG spec in an ICC profile; the PNG spec 2054 * restricts the profiles that can be passed in an iCCP chunk (they must be 2055 * appropriate to processing PNG data!) 2056 */ 2057 2058 /* Data checks (could be skipped). These checks must be independent of the 2059 * version number; however, the version number doesn't accomodate changes in 2060 * the header fields (just the known tags and the interpretation of the 2061 * data.) 2062 */ 2063 temp = png_get_uint_32(profile+36); /* signature 'ascp' */ 2064 if (temp != 0x61637370) 2065 return png_icc_profile_error(png_ptr, colorspace, name, temp, 2066 "invalid signature"); 2067 2068 /* Currently the PCS illuminant/adopted white point (the computational 2069 * white point) are required to be D50, 2070 * however the profile contains a record of the illuminant so perhaps ICC 2071 * expects to be able to change this in the future (despite the rationale in 2072 * the introduction for using a fixed PCS adopted white.) Consequently the 2073 * following is just a warning. 2074 */ 2075 if (memcmp(profile+68, D50_nCIEXYZ, 12) != 0) 2076 (void)png_icc_profile_error(png_ptr, NULL, name, 0/*no tag value*/, 2077 "PCS illuminant is not D50"); 2078 2079 /* The PNG spec requires this: 2080 * "If the iCCP chunk is present, the image samples conform to the colour 2081 * space represented by the embedded ICC profile as defined by the 2082 * International Color Consortium [ICC]. The colour space of the ICC profile 2083 * shall be an RGB colour space for colour images (PNG colour types 2, 3, and 2084 * 6), or a greyscale colour space for greyscale images (PNG colour types 0 2085 * and 4)." 2086 * 2087 * This checking code ensures the embedded profile (on either read or write) 2088 * conforms to the specification requirements. Notice that an ICC 'gray' 2089 * color-space profile contains the information to transform the monochrome 2090 * data to XYZ or L*a*b (according to which PCS the profile uses) and this 2091 * should be used in preference to the standard libpng K channel replication 2092 * into R, G and B channels. 2093 * 2094 * Previously it was suggested that an RGB profile on grayscale data could be 2095 * handled. However it it is clear that using an RGB profile in this context 2096 * must be an error - there is no specification of what it means. Thus it is 2097 * almost certainly more correct to ignore the profile. 2098 */ 2099 temp = png_get_uint_32(profile+16); /* data colour space field */ 2100 switch (temp) 2101 { 2102 case 0x52474220: /* 'RGB ' */ 2103 if ((color_type & PNG_COLOR_MASK_COLOR) == 0) 2104 return png_icc_profile_error(png_ptr, colorspace, name, temp, 2105 "RGB color space not permitted on grayscale PNG"); 2106 break; 2107 2108 case 0x47524159: /* 'GRAY' */ 2109 if ((color_type & PNG_COLOR_MASK_COLOR) != 0) 2110 return png_icc_profile_error(png_ptr, colorspace, name, temp, 2111 "Gray color space not permitted on RGB PNG"); 2112 break; 2113 2114 default: 2115 return png_icc_profile_error(png_ptr, colorspace, name, temp, 2116 "invalid ICC profile color space"); 2117 } 2118 2119 /* It is up to the application to check that the profile class matches the 2120 * application requirements; the spec provides no guidance, but it's pretty 2121 * weird if the profile is not scanner ('scnr'), monitor ('mntr'), printer 2122 * ('prtr') or 'spac' (for generic color spaces). Issue a warning in these 2123 * cases. Issue an error for device link or abstract profiles - these don't 2124 * contain the records necessary to transform the color-space to anything 2125 * other than the target device (and not even that for an abstract profile). 2126 * Profiles of these classes may not be embedded in images. 2127 */ 2128 temp = png_get_uint_32(profile+12); /* profile/device class */ 2129 switch (temp) 2130 { 2131 case 0x73636e72: /* 'scnr' */ 2132 case 0x6d6e7472: /* 'mntr' */ 2133 case 0x70727472: /* 'prtr' */ 2134 case 0x73706163: /* 'spac' */ 2135 /* All supported */ 2136 break; 2137 2138 case 0x61627374: /* 'abst' */ 2139 /* May not be embedded in an image */ 2140 return png_icc_profile_error(png_ptr, colorspace, name, temp, 2141 "invalid embedded Abstract ICC profile"); 2142 2143 case 0x6c696e6b: /* 'link' */ 2144 /* DeviceLink profiles cannot be interpreted in a non-device specific 2145 * fashion, if an app uses the AToB0Tag in the profile the results are 2146 * undefined unless the result is sent to the intended device, 2147 * therefore a DeviceLink profile should not be found embedded in a 2148 * PNG. 2149 */ 2150 return png_icc_profile_error(png_ptr, colorspace, name, temp, 2151 "unexpected DeviceLink ICC profile class"); 2152 2153 case 0x6e6d636c: /* 'nmcl' */ 2154 /* A NamedColor profile is also device specific, however it doesn't 2155 * contain an AToB0 tag that is open to misinterpretation. Almost 2156 * certainly it will fail the tests below. 2157 */ 2158 (void)png_icc_profile_error(png_ptr, NULL, name, temp, 2159 "unexpected NamedColor ICC profile class"); 2160 break; 2161 2162 default: 2163 /* To allow for future enhancements to the profile accept unrecognized 2164 * profile classes with a warning, these then hit the test below on the 2165 * tag content to ensure they are backward compatible with one of the 2166 * understood profiles. 2167 */ 2168 (void)png_icc_profile_error(png_ptr, NULL, name, temp, 2169 "unrecognized ICC profile class"); 2170 break; 2171 } 2172 2173 /* For any profile other than a device link one the PCS must be encoded 2174 * either in XYZ or Lab. 2175 */ 2176 temp = png_get_uint_32(profile+20); 2177 switch (temp) 2178 { 2179 case 0x58595a20: /* 'XYZ ' */ 2180 case 0x4c616220: /* 'Lab ' */ 2181 break; 2182 2183 default: 2184 return png_icc_profile_error(png_ptr, colorspace, name, temp, 2185 "unexpected ICC PCS encoding"); 2186 } 2187 2188 return 1; 2189 } 2190 2191 int /* PRIVATE */ 2192 png_icc_check_tag_table(png_const_structrp png_ptr, png_colorspacerp colorspace, 2193 png_const_charp name, png_uint_32 profile_length, 2194 png_const_bytep profile /* header plus whole tag table */) 2195 { 2196 png_uint_32 tag_count = png_get_uint_32(profile+128); 2197 png_uint_32 itag; 2198 png_const_bytep tag = profile+132; /* The first tag */ 2199 2200 /* First scan all the tags in the table and add bits to the icc_info value 2201 * (temporarily in 'tags'). 2202 */ 2203 for (itag=0; itag < tag_count; ++itag, tag += 12) 2204 { 2205 png_uint_32 tag_id = png_get_uint_32(tag+0); 2206 png_uint_32 tag_start = png_get_uint_32(tag+4); /* must be aligned */ 2207 png_uint_32 tag_length = png_get_uint_32(tag+8);/* not padded */ 2208 2209 /* The ICC specification does not exclude zero length tags, therefore the 2210 * start might actually be anywhere if there is no data, but this would be 2211 * a clear abuse of the intent of the standard so the start is checked for 2212 * being in range. All defined tag types have an 8 byte header - a 4 byte 2213 * type signature then 0. 2214 */ 2215 if ((tag_start & 3) != 0) 2216 { 2217 /* CNHP730S.icc shipped with Microsoft Windows 64 violates this, it is 2218 * only a warning here because libpng does not care about the 2219 * alignment. 2220 */ 2221 (void)png_icc_profile_error(png_ptr, NULL, name, tag_id, 2222 "ICC profile tag start not a multiple of 4"); 2223 } 2224 2225 /* This is a hard error; potentially it can cause read outside the 2226 * profile. 2227 */ 2228 if (tag_start > profile_length || tag_length > profile_length - tag_start) 2229 return png_icc_profile_error(png_ptr, colorspace, name, tag_id, 2230 "ICC profile tag outside profile"); 2231 } 2232 2233 return 1; /* success, maybe with warnings */ 2234 } 2235 2236 #ifdef PNG_sRGB_SUPPORTED 2237 #if PNG_sRGB_PROFILE_CHECKS >= 0 2238 /* Information about the known ICC sRGB profiles */ 2239 static const struct 2240 { 2241 png_uint_32 adler, crc, length; 2242 png_uint_32 md5[4]; 2243 png_byte have_md5; 2244 png_byte is_broken; 2245 png_uint_16 intent; 2246 2247 # define PNG_MD5(a,b,c,d) { a, b, c, d }, (a!=0)||(b!=0)||(c!=0)||(d!=0) 2248 # define PNG_ICC_CHECKSUM(adler, crc, md5, intent, broke, date, length, fname)\ 2249 { adler, crc, length, md5, broke, intent }, 2250 2251 } png_sRGB_checks[] = 2252 { 2253 /* This data comes from contrib/tools/checksum-icc run on downloads of 2254 * all four ICC sRGB profiles from www.color.org. 2255 */ 2256 /* adler32, crc32, MD5[4], intent, date, length, file-name */ 2257 PNG_ICC_CHECKSUM(0x0a3fd9f6, 0x3b8772b9, 2258 PNG_MD5(0x29f83dde, 0xaff255ae, 0x7842fae4, 0xca83390d), 0, 0, 2259 "2009/03/27 21:36:31", 3048, "sRGB_IEC61966-2-1_black_scaled.icc") 2260 2261 /* ICC sRGB v2 perceptual no black-compensation: */ 2262 PNG_ICC_CHECKSUM(0x4909e5e1, 0x427ebb21, 2263 PNG_MD5(0xc95bd637, 0xe95d8a3b, 0x0df38f99, 0xc1320389), 1, 0, 2264 "2009/03/27 21:37:45", 3052, "sRGB_IEC61966-2-1_no_black_scaling.icc") 2265 2266 PNG_ICC_CHECKSUM(0xfd2144a1, 0x306fd8ae, 2267 PNG_MD5(0xfc663378, 0x37e2886b, 0xfd72e983, 0x8228f1b8), 0, 0, 2268 "2009/08/10 17:28:01", 60988, "sRGB_v4_ICC_preference_displayclass.icc") 2269 2270 /* ICC sRGB v4 perceptual */ 2271 PNG_ICC_CHECKSUM(0x209c35d2, 0xbbef7812, 2272 PNG_MD5(0x34562abf, 0x994ccd06, 0x6d2c5721, 0xd0d68c5d), 0, 0, 2273 "2007/07/25 00:05:37", 60960, "sRGB_v4_ICC_preference.icc") 2274 2275 /* The following profiles have no known MD5 checksum. If there is a match 2276 * on the (empty) MD5 the other fields are used to attempt a match and 2277 * a warning is produced. The first two of these profiles have a 'cprt' tag 2278 * which suggests that they were also made by Hewlett Packard. 2279 */ 2280 PNG_ICC_CHECKSUM(0xa054d762, 0x5d5129ce, 2281 PNG_MD5(0x00000000, 0x00000000, 0x00000000, 0x00000000), 1, 0, 2282 "2004/07/21 18:57:42", 3024, "sRGB_IEC61966-2-1_noBPC.icc") 2283 2284 /* This is a 'mntr' (display) profile with a mediaWhitePointTag that does not 2285 * match the D50 PCS illuminant in the header (it is in fact the D65 values, 2286 * so the white point is recorded as the un-adapted value.) The profiles 2287 * below only differ in one byte - the intent - and are basically the same as 2288 * the previous profile except for the mediaWhitePointTag error and a missing 2289 * chromaticAdaptationTag. 2290 */ 2291 PNG_ICC_CHECKSUM(0xf784f3fb, 0x182ea552, 2292 PNG_MD5(0x00000000, 0x00000000, 0x00000000, 0x00000000), 0, 1/*broken*/, 2293 "1998/02/09 06:49:00", 3144, "HP-Microsoft sRGB v2 perceptual") 2294 2295 PNG_ICC_CHECKSUM(0x0398f3fc, 0xf29e526d, 2296 PNG_MD5(0x00000000, 0x00000000, 0x00000000, 0x00000000), 1, 1/*broken*/, 2297 "1998/02/09 06:49:00", 3144, "HP-Microsoft sRGB v2 media-relative") 2298 }; 2299 2300 static int 2301 png_compare_ICC_profile_with_sRGB(png_const_structrp png_ptr, 2302 png_const_bytep profile, uLong adler) 2303 { 2304 /* The quick check is to verify just the MD5 signature and trust the 2305 * rest of the data. Because the profile has already been verified for 2306 * correctness this is safe. png_colorspace_set_sRGB will check the 'intent' 2307 * field too, so if the profile has been edited with an intent not defined 2308 * by sRGB (but maybe defined by a later ICC specification) the read of 2309 * the profile will fail at that point. 2310 */ 2311 2312 png_uint_32 length = 0; 2313 png_uint_32 intent = 0x10000; /* invalid */ 2314 #if PNG_sRGB_PROFILE_CHECKS > 1 2315 uLong crc = 0; /* the value for 0 length data */ 2316 #endif 2317 unsigned int i; 2318 2319 #ifdef PNG_SET_OPTION_SUPPORTED 2320 /* First see if PNG_SKIP_sRGB_CHECK_PROFILE has been set to "on" */ 2321 if (((png_ptr->options >> PNG_SKIP_sRGB_CHECK_PROFILE) & 3) == 2322 PNG_OPTION_ON) 2323 return 0; 2324 #endif 2325 2326 for (i=0; i < (sizeof png_sRGB_checks) / (sizeof png_sRGB_checks[0]); ++i) 2327 { 2328 if (png_get_uint_32(profile+84) == png_sRGB_checks[i].md5[0] && 2329 png_get_uint_32(profile+88) == png_sRGB_checks[i].md5[1] && 2330 png_get_uint_32(profile+92) == png_sRGB_checks[i].md5[2] && 2331 png_get_uint_32(profile+96) == png_sRGB_checks[i].md5[3]) 2332 { 2333 /* This may be one of the old HP profiles without an MD5, in that 2334 * case we can only use the length and Adler32 (note that these 2335 * are not used by default if there is an MD5!) 2336 */ 2337 # if PNG_sRGB_PROFILE_CHECKS == 0 2338 if (png_sRGB_checks[i].have_md5 != 0) 2339 return 1+png_sRGB_checks[i].is_broken; 2340 # endif 2341 2342 /* Profile is unsigned or more checks have been configured in. */ 2343 if (length == 0) 2344 { 2345 length = png_get_uint_32(profile); 2346 intent = png_get_uint_32(profile+64); 2347 } 2348 2349 /* Length *and* intent must match */ 2350 if (length == (png_uint_32) png_sRGB_checks[i].length && 2351 intent == (png_uint_32) png_sRGB_checks[i].intent) 2352 { 2353 /* Now calculate the adler32 if not done already. */ 2354 if (adler == 0) 2355 { 2356 adler = adler32(0, NULL, 0); 2357 adler = adler32(adler, profile, length); 2358 } 2359 2360 if (adler == png_sRGB_checks[i].adler) 2361 { 2362 /* These basic checks suggest that the data has not been 2363 * modified, but if the check level is more than 1 perform 2364 * our own crc32 checksum on the data. 2365 */ 2366 # if PNG_sRGB_PROFILE_CHECKS > 1 2367 if (crc == 0) 2368 { 2369 crc = crc32(0, NULL, 0); 2370 crc = crc32(crc, profile, length); 2371 } 2372 2373 /* So this check must pass for the 'return' below to happen. 2374 */ 2375 if (crc == png_sRGB_checks[i].crc) 2376 # endif 2377 { 2378 if (png_sRGB_checks[i].is_broken != 0) 2379 { 2380 /* These profiles are known to have bad data that may cause 2381 * problems if they are used, therefore attempt to 2382 * discourage their use, skip the 'have_md5' warning below, 2383 * which is made irrelevant by this error. 2384 */ 2385 png_chunk_report(png_ptr, "known incorrect sRGB profile", 2386 PNG_CHUNK_ERROR); 2387 } 2388 2389 /* Warn that this being done; this isn't even an error since 2390 * the profile is perfectly valid, but it would be nice if 2391 * people used the up-to-date ones. 2392 */ 2393 else if (png_sRGB_checks[i].have_md5 == 0) 2394 { 2395 png_chunk_report(png_ptr, 2396 "out-of-date sRGB profile with no signature", 2397 PNG_CHUNK_WARNING); 2398 } 2399 2400 return 1+png_sRGB_checks[i].is_broken; 2401 } 2402 } 2403 2404 # if PNG_sRGB_PROFILE_CHECKS > 0 2405 /* The signature matched, but the profile had been changed in some 2406 * way. This probably indicates a data error or uninformed hacking. 2407 * Fall through to "no match". 2408 */ 2409 png_chunk_report(png_ptr, 2410 "Not recognizing known sRGB profile that has been edited", 2411 PNG_CHUNK_WARNING); 2412 break; 2413 # endif 2414 } 2415 } 2416 } 2417 2418 return 0; /* no match */ 2419 } 2420 2421 void /* PRIVATE */ 2422 png_icc_set_sRGB(png_const_structrp png_ptr, 2423 png_colorspacerp colorspace, png_const_bytep profile, uLong adler) 2424 { 2425 /* Is this profile one of the known ICC sRGB profiles? If it is, just set 2426 * the sRGB information. 2427 */ 2428 if (png_compare_ICC_profile_with_sRGB(png_ptr, profile, adler) != 0) 2429 (void)png_colorspace_set_sRGB(png_ptr, colorspace, 2430 (int)/*already checked*/png_get_uint_32(profile+64)); 2431 } 2432 #endif /* PNG_sRGB_PROFILE_CHECKS >= 0 */ 2433 #endif /* sRGB */ 2434 2435 int /* PRIVATE */ 2436 png_colorspace_set_ICC(png_const_structrp png_ptr, png_colorspacerp colorspace, 2437 png_const_charp name, png_uint_32 profile_length, png_const_bytep profile, 2438 int color_type) 2439 { 2440 if ((colorspace->flags & PNG_COLORSPACE_INVALID) != 0) 2441 return 0; 2442 2443 if (icc_check_length(png_ptr, colorspace, name, profile_length) != 0 && 2444 png_icc_check_header(png_ptr, colorspace, name, profile_length, profile, 2445 color_type) != 0 && 2446 png_icc_check_tag_table(png_ptr, colorspace, name, profile_length, 2447 profile) != 0) 2448 { 2449 # if defined(PNG_sRGB_SUPPORTED) && PNG_sRGB_PROFILE_CHECKS >= 0 2450 /* If no sRGB support, don't try storing sRGB information */ 2451 png_icc_set_sRGB(png_ptr, colorspace, profile, 0); 2452 # endif 2453 return 1; 2454 } 2455 2456 /* Failure case */ 2457 return 0; 2458 } 2459 #endif /* iCCP */ 2460 2461 #ifdef PNG_READ_RGB_TO_GRAY_SUPPORTED 2462 void /* PRIVATE */ 2463 png_colorspace_set_rgb_coefficients(png_structrp png_ptr) 2464 { 2465 /* Set the rgb_to_gray coefficients from the colorspace. */ 2466 if (png_ptr->rgb_to_gray_coefficients_set == 0 && 2467 (png_ptr->colorspace.flags & PNG_COLORSPACE_HAVE_ENDPOINTS) != 0) 2468 { 2469 /* png_set_background has not been called, get the coefficients from the Y 2470 * values of the colorspace colorants. 2471 */ 2472 png_fixed_point r = png_ptr->colorspace.end_points_XYZ.red_Y; 2473 png_fixed_point g = png_ptr->colorspace.end_points_XYZ.green_Y; 2474 png_fixed_point b = png_ptr->colorspace.end_points_XYZ.blue_Y; 2475 png_fixed_point total = r+g+b; 2476 2477 if (total > 0 && 2478 r >= 0 && png_muldiv(&r, r, 32768, total) && r >= 0 && r <= 32768 && 2479 g >= 0 && png_muldiv(&g, g, 32768, total) && g >= 0 && g <= 32768 && 2480 b >= 0 && png_muldiv(&b, b, 32768, total) && b >= 0 && b <= 32768 && 2481 r+g+b <= 32769) 2482 { 2483 /* We allow 0 coefficients here. r+g+b may be 32769 if two or 2484 * all of the coefficients were rounded up. Handle this by 2485 * reducing the *largest* coefficient by 1; this matches the 2486 * approach used for the default coefficients in pngrtran.c 2487 */ 2488 int add = 0; 2489 2490 if (r+g+b > 32768) 2491 add = -1; 2492 else if (r+g+b < 32768) 2493 add = 1; 2494 2495 if (add != 0) 2496 { 2497 if (g >= r && g >= b) 2498 g += add; 2499 else if (r >= g && r >= b) 2500 r += add; 2501 else 2502 b += add; 2503 } 2504 2505 /* Check for an internal error. */ 2506 if (r+g+b != 32768) 2507 png_error(png_ptr, 2508 "internal error handling cHRM coefficients"); 2509 2510 else 2511 { 2512 png_ptr->rgb_to_gray_red_coeff = (png_uint_16)r; 2513 png_ptr->rgb_to_gray_green_coeff = (png_uint_16)g; 2514 } 2515 } 2516 2517 /* This is a png_error at present even though it could be ignored - 2518 * it should never happen, but it is important that if it does, the 2519 * bug is fixed. 2520 */ 2521 else 2522 png_error(png_ptr, "internal error handling cHRM->XYZ"); 2523 } 2524 } 2525 #endif /* READ_RGB_TO_GRAY */ 2526 2527 #endif /* COLORSPACE */ 2528 2529 #ifdef __GNUC__ 2530 /* This exists solely to work round a warning from GNU C. */ 2531 static int /* PRIVATE */ 2532 png_gt(size_t a, size_t b) 2533 { 2534 return a > b; 2535 } 2536 #else 2537 # define png_gt(a,b) ((a) > (b)) 2538 #endif 2539 2540 void /* PRIVATE */ 2541 png_check_IHDR(png_const_structrp png_ptr, 2542 png_uint_32 width, png_uint_32 height, int bit_depth, 2543 int color_type, int interlace_type, int compression_type, 2544 int filter_type) 2545 { 2546 int error = 0; 2547 2548 /* Check for width and height valid values */ 2549 if (width == 0) 2550 { 2551 png_warning(png_ptr, "Image width is zero in IHDR"); 2552 error = 1; 2553 } 2554 2555 if (width > PNG_UINT_31_MAX) 2556 { 2557 png_warning(png_ptr, "Invalid image width in IHDR"); 2558 error = 1; 2559 } 2560 2561 if (png_gt(((width + 7) & (~7U)), 2562 ((PNG_SIZE_MAX 2563 - 48 /* big_row_buf hack */ 2564 - 1) /* filter byte */ 2565 / 8) /* 8-byte RGBA pixels */ 2566 - 1)) /* extra max_pixel_depth pad */ 2567 { 2568 /* The size of the row must be within the limits of this architecture. 2569 * Because the read code can perform arbitrary transformations the 2570 * maximum size is checked here. Because the code in png_read_start_row 2571 * adds extra space "for safety's sake" in several places a conservative 2572 * limit is used here. 2573 * 2574 * NOTE: it would be far better to check the size that is actually used, 2575 * but the effect in the real world is minor and the changes are more 2576 * extensive, therefore much more dangerous and much more difficult to 2577 * write in a way that avoids compiler warnings. 2578 */ 2579 png_warning(png_ptr, "Image width is too large for this architecture"); 2580 error = 1; 2581 } 2582 2583 #ifdef PNG_SET_USER_LIMITS_SUPPORTED 2584 if (width > png_ptr->user_width_max) 2585 #else 2586 if (width > PNG_USER_WIDTH_MAX) 2587 #endif 2588 { 2589 png_warning(png_ptr, "Image width exceeds user limit in IHDR"); 2590 error = 1; 2591 } 2592 2593 if (height == 0) 2594 { 2595 png_warning(png_ptr, "Image height is zero in IHDR"); 2596 error = 1; 2597 } 2598 2599 if (height > PNG_UINT_31_MAX) 2600 { 2601 png_warning(png_ptr, "Invalid image height in IHDR"); 2602 error = 1; 2603 } 2604 2605 #ifdef PNG_SET_USER_LIMITS_SUPPORTED 2606 if (height > png_ptr->user_height_max) 2607 #else 2608 if (height > PNG_USER_HEIGHT_MAX) 2609 #endif 2610 { 2611 png_warning(png_ptr, "Image height exceeds user limit in IHDR"); 2612 error = 1; 2613 } 2614 2615 /* Check other values */ 2616 if (bit_depth != 1 && bit_depth != 2 && bit_depth != 4 && 2617 bit_depth != 8 && bit_depth != 16) 2618 { 2619 png_warning(png_ptr, "Invalid bit depth in IHDR"); 2620 error = 1; 2621 } 2622 2623 if (color_type < 0 || color_type == 1 || 2624 color_type == 5 || color_type > 6) 2625 { 2626 png_warning(png_ptr, "Invalid color type in IHDR"); 2627 error = 1; 2628 } 2629 2630 if (((color_type == PNG_COLOR_TYPE_PALETTE) && bit_depth > 8) || 2631 ((color_type == PNG_COLOR_TYPE_RGB || 2632 color_type == PNG_COLOR_TYPE_GRAY_ALPHA || 2633 color_type == PNG_COLOR_TYPE_RGB_ALPHA) && bit_depth < 8)) 2634 { 2635 png_warning(png_ptr, "Invalid color type/bit depth combination in IHDR"); 2636 error = 1; 2637 } 2638 2639 if (interlace_type >= PNG_INTERLACE_LAST) 2640 { 2641 png_warning(png_ptr, "Unknown interlace method in IHDR"); 2642 error = 1; 2643 } 2644 2645 if (compression_type != PNG_COMPRESSION_TYPE_BASE) 2646 { 2647 png_warning(png_ptr, "Unknown compression method in IHDR"); 2648 error = 1; 2649 } 2650 2651 #ifdef PNG_MNG_FEATURES_SUPPORTED 2652 /* Accept filter_method 64 (intrapixel differencing) only if 2653 * 1. Libpng was compiled with PNG_MNG_FEATURES_SUPPORTED and 2654 * 2. Libpng did not read a PNG signature (this filter_method is only 2655 * used in PNG datastreams that are embedded in MNG datastreams) and 2656 * 3. The application called png_permit_mng_features with a mask that 2657 * included PNG_FLAG_MNG_FILTER_64 and 2658 * 4. The filter_method is 64 and 2659 * 5. The color_type is RGB or RGBA 2660 */ 2661 if ((png_ptr->mode & PNG_HAVE_PNG_SIGNATURE) != 0 && 2662 png_ptr->mng_features_permitted != 0) 2663 png_warning(png_ptr, "MNG features are not allowed in a PNG datastream"); 2664 2665 if (filter_type != PNG_FILTER_TYPE_BASE) 2666 { 2667 if (!((png_ptr->mng_features_permitted & PNG_FLAG_MNG_FILTER_64) != 0 && 2668 (filter_type == PNG_INTRAPIXEL_DIFFERENCING) && 2669 ((png_ptr->mode & PNG_HAVE_PNG_SIGNATURE) == 0) && 2670 (color_type == PNG_COLOR_TYPE_RGB || 2671 color_type == PNG_COLOR_TYPE_RGB_ALPHA))) 2672 { 2673 png_warning(png_ptr, "Unknown filter method in IHDR"); 2674 error = 1; 2675 } 2676 2677 if ((png_ptr->mode & PNG_HAVE_PNG_SIGNATURE) != 0) 2678 { 2679 png_warning(png_ptr, "Invalid filter method in IHDR"); 2680 error = 1; 2681 } 2682 } 2683 2684 #else 2685 if (filter_type != PNG_FILTER_TYPE_BASE) 2686 { 2687 png_warning(png_ptr, "Unknown filter method in IHDR"); 2688 error = 1; 2689 } 2690 #endif 2691 2692 if (error == 1) 2693 png_error(png_ptr, "Invalid IHDR data"); 2694 } 2695 2696 #if defined(PNG_sCAL_SUPPORTED) || defined(PNG_pCAL_SUPPORTED) 2697 /* ASCII to fp functions */ 2698 /* Check an ASCII formated floating point value, see the more detailed 2699 * comments in pngpriv.h 2700 */ 2701 /* The following is used internally to preserve the sticky flags */ 2702 #define png_fp_add(state, flags) ((state) |= (flags)) 2703 #define png_fp_set(state, value) ((state) = (value) | ((state) & PNG_FP_STICKY)) 2704 2705 int /* PRIVATE */ 2706 png_check_fp_number(png_const_charp string, png_size_t size, int *statep, 2707 png_size_tp whereami) 2708 { 2709 int state = *statep; 2710 png_size_t i = *whereami; 2711 2712 while (i < size) 2713 { 2714 int type; 2715 /* First find the type of the next character */ 2716 switch (string[i]) 2717 { 2718 case 43: type = PNG_FP_SAW_SIGN; break; 2719 case 45: type = PNG_FP_SAW_SIGN + PNG_FP_NEGATIVE; break; 2720 case 46: type = PNG_FP_SAW_DOT; break; 2721 case 48: type = PNG_FP_SAW_DIGIT; break; 2722 case 49: case 50: case 51: case 52: 2723 case 53: case 54: case 55: case 56: 2724 case 57: type = PNG_FP_SAW_DIGIT + PNG_FP_NONZERO; break; 2725 case 69: 2726 case 101: type = PNG_FP_SAW_E; break; 2727 default: goto PNG_FP_End; 2728 } 2729 2730 /* Now deal with this type according to the current 2731 * state, the type is arranged to not overlap the 2732 * bits of the PNG_FP_STATE. 2733 */ 2734 switch ((state & PNG_FP_STATE) + (type & PNG_FP_SAW_ANY)) 2735 { 2736 case PNG_FP_INTEGER + PNG_FP_SAW_SIGN: 2737 if ((state & PNG_FP_SAW_ANY) != 0) 2738 goto PNG_FP_End; /* not a part of the number */ 2739 2740 png_fp_add(state, type); 2741 break; 2742 2743 case PNG_FP_INTEGER + PNG_FP_SAW_DOT: 2744 /* Ok as trailer, ok as lead of fraction. */ 2745 if ((state & PNG_FP_SAW_DOT) != 0) /* two dots */ 2746 goto PNG_FP_End; 2747 2748 else if ((state & PNG_FP_SAW_DIGIT) != 0) /* trailing dot? */ 2749 png_fp_add(state, type); 2750 2751 else 2752 png_fp_set(state, PNG_FP_FRACTION | type); 2753 2754 break; 2755 2756 case PNG_FP_INTEGER + PNG_FP_SAW_DIGIT: 2757 if ((state & PNG_FP_SAW_DOT) != 0) /* delayed fraction */ 2758 png_fp_set(state, PNG_FP_FRACTION | PNG_FP_SAW_DOT); 2759 2760 png_fp_add(state, type | PNG_FP_WAS_VALID); 2761 2762 break; 2763 2764 case PNG_FP_INTEGER + PNG_FP_SAW_E: 2765 if ((state & PNG_FP_SAW_DIGIT) == 0) 2766 goto PNG_FP_End; 2767 2768 png_fp_set(state, PNG_FP_EXPONENT); 2769 2770 break; 2771 2772 /* case PNG_FP_FRACTION + PNG_FP_SAW_SIGN: 2773 goto PNG_FP_End; ** no sign in fraction */ 2774 2775 /* case PNG_FP_FRACTION + PNG_FP_SAW_DOT: 2776 goto PNG_FP_End; ** Because SAW_DOT is always set */ 2777 2778 case PNG_FP_FRACTION + PNG_FP_SAW_DIGIT: 2779 png_fp_add(state, type | PNG_FP_WAS_VALID); 2780 break; 2781 2782 case PNG_FP_FRACTION + PNG_FP_SAW_E: 2783 /* This is correct because the trailing '.' on an 2784 * integer is handled above - so we can only get here 2785 * with the sequence ".E" (with no preceding digits). 2786 */ 2787 if ((state & PNG_FP_SAW_DIGIT) == 0) 2788 goto PNG_FP_End; 2789 2790 png_fp_set(state, PNG_FP_EXPONENT); 2791 2792 break; 2793 2794 case PNG_FP_EXPONENT + PNG_FP_SAW_SIGN: 2795 if ((state & PNG_FP_SAW_ANY) != 0) 2796 goto PNG_FP_End; /* not a part of the number */ 2797 2798 png_fp_add(state, PNG_FP_SAW_SIGN); 2799 2800 break; 2801 2802 /* case PNG_FP_EXPONENT + PNG_FP_SAW_DOT: 2803 goto PNG_FP_End; */ 2804 2805 case PNG_FP_EXPONENT + PNG_FP_SAW_DIGIT: 2806 png_fp_add(state, PNG_FP_SAW_DIGIT | PNG_FP_WAS_VALID); 2807 2808 break; 2809 2810 /* case PNG_FP_EXPONEXT + PNG_FP_SAW_E: 2811 goto PNG_FP_End; */ 2812 2813 default: goto PNG_FP_End; /* I.e. break 2 */ 2814 } 2815 2816 /* The character seems ok, continue. */ 2817 ++i; 2818 } 2819 2820 PNG_FP_End: 2821 /* Here at the end, update the state and return the correct 2822 * return code. 2823 */ 2824 *statep = state; 2825 *whereami = i; 2826 2827 return (state & PNG_FP_SAW_DIGIT) != 0; 2828 } 2829 2830 2831 /* The same but for a complete string. */ 2832 int 2833 png_check_fp_string(png_const_charp string, png_size_t size) 2834 { 2835 int state=0; 2836 png_size_t char_index=0; 2837 2838 if (png_check_fp_number(string, size, &state, &char_index) != 0 && 2839 (char_index == size || string[char_index] == 0)) 2840 return state /* must be non-zero - see above */; 2841 2842 return 0; /* i.e. fail */ 2843 } 2844 #endif /* pCAL || sCAL */ 2845 2846 #ifdef PNG_sCAL_SUPPORTED 2847 # ifdef PNG_FLOATING_POINT_SUPPORTED 2848 /* Utility used below - a simple accurate power of ten from an integral 2849 * exponent. 2850 */ 2851 static double 2852 png_pow10(int power) 2853 { 2854 int recip = 0; 2855 double d = 1; 2856 2857 /* Handle negative exponent with a reciprocal at the end because 2858 * 10 is exact whereas .1 is inexact in base 2 2859 */ 2860 if (power < 0) 2861 { 2862 if (power < DBL_MIN_10_EXP) return 0; 2863 recip = 1, power = -power; 2864 } 2865 2866 if (power > 0) 2867 { 2868 /* Decompose power bitwise. */ 2869 double mult = 10; 2870 do 2871 { 2872 if (power & 1) d *= mult; 2873 mult *= mult; 2874 power >>= 1; 2875 } 2876 while (power > 0); 2877 2878 if (recip != 0) d = 1/d; 2879 } 2880 /* else power is 0 and d is 1 */ 2881 2882 return d; 2883 } 2884 2885 /* Function to format a floating point value in ASCII with a given 2886 * precision. 2887 */ 2888 void /* PRIVATE */ 2889 png_ascii_from_fp(png_const_structrp png_ptr, png_charp ascii, png_size_t size, 2890 double fp, unsigned int precision) 2891 { 2892 /* We use standard functions from math.h, but not printf because 2893 * that would require stdio. The caller must supply a buffer of 2894 * sufficient size or we will png_error. The tests on size and 2895 * the space in ascii[] consumed are indicated below. 2896 */ 2897 if (precision < 1) 2898 precision = DBL_DIG; 2899 2900 /* Enforce the limit of the implementation precision too. */ 2901 if (precision > DBL_DIG+1) 2902 precision = DBL_DIG+1; 2903 2904 /* Basic sanity checks */ 2905 if (size >= precision+5) /* See the requirements below. */ 2906 { 2907 if (fp < 0) 2908 { 2909 fp = -fp; 2910 *ascii++ = 45; /* '-' PLUS 1 TOTAL 1 */ 2911 --size; 2912 } 2913 2914 if (fp >= DBL_MIN && fp <= DBL_MAX) 2915 { 2916 int exp_b10; /* A base 10 exponent */ 2917 double base; /* 10^exp_b10 */ 2918 2919 /* First extract a base 10 exponent of the number, 2920 * the calculation below rounds down when converting 2921 * from base 2 to base 10 (multiply by log10(2) - 2922 * 0.3010, but 77/256 is 0.3008, so exp_b10 needs to 2923 * be increased. Note that the arithmetic shift 2924 * performs a floor() unlike C arithmetic - using a 2925 * C multiply would break the following for negative 2926 * exponents. 2927 */ 2928 (void)frexp(fp, &exp_b10); /* exponent to base 2 */ 2929 2930 exp_b10 = (exp_b10 * 77) >> 8; /* <= exponent to base 10 */ 2931 2932 /* Avoid underflow here. */ 2933 base = png_pow10(exp_b10); /* May underflow */ 2934 2935 while (base < DBL_MIN || base < fp) 2936 { 2937 /* And this may overflow. */ 2938 double test = png_pow10(exp_b10+1); 2939 2940 if (test <= DBL_MAX) 2941 ++exp_b10, base = test; 2942 2943 else 2944 break; 2945 } 2946 2947 /* Normalize fp and correct exp_b10, after this fp is in the 2948 * range [.1,1) and exp_b10 is both the exponent and the digit 2949 * *before* which the decimal point should be inserted 2950 * (starting with 0 for the first digit). Note that this 2951 * works even if 10^exp_b10 is out of range because of the 2952 * test on DBL_MAX above. 2953 */ 2954 fp /= base; 2955 while (fp >= 1) fp /= 10, ++exp_b10; 2956 2957 /* Because of the code above fp may, at this point, be 2958 * less than .1, this is ok because the code below can 2959 * handle the leading zeros this generates, so no attempt 2960 * is made to correct that here. 2961 */ 2962 2963 { 2964 unsigned int czero, clead, cdigits; 2965 char exponent[10]; 2966 2967 /* Allow up to two leading zeros - this will not lengthen 2968 * the number compared to using E-n. 2969 */ 2970 if (exp_b10 < 0 && exp_b10 > -3) /* PLUS 3 TOTAL 4 */ 2971 { 2972 czero = (unsigned int)(-exp_b10); /* PLUS 2 digits: TOTAL 3 */ 2973 exp_b10 = 0; /* Dot added below before first output. */ 2974 } 2975 else 2976 czero = 0; /* No zeros to add */ 2977 2978 /* Generate the digit list, stripping trailing zeros and 2979 * inserting a '.' before a digit if the exponent is 0. 2980 */ 2981 clead = czero; /* Count of leading zeros */ 2982 cdigits = 0; /* Count of digits in list. */ 2983 2984 do 2985 { 2986 double d; 2987 2988 fp *= 10; 2989 /* Use modf here, not floor and subtract, so that 2990 * the separation is done in one step. At the end 2991 * of the loop don't break the number into parts so 2992 * that the final digit is rounded. 2993 */ 2994 if (cdigits+czero+1 < precision+clead) 2995 fp = modf(fp, &d); 2996 2997 else 2998 { 2999 d = floor(fp + .5); 3000 3001 if (d > 9) 3002 { 3003 /* Rounding up to 10, handle that here. */ 3004 if (czero > 0) 3005 { 3006 --czero, d = 1; 3007 if (cdigits == 0) --clead; 3008 } 3009 else 3010 { 3011 while (cdigits > 0 && d > 9) 3012 { 3013 int ch = *--ascii; 3014 3015 if (exp_b10 != (-1)) 3016 ++exp_b10; 3017 3018 else if (ch == 46) 3019 { 3020 ch = *--ascii, ++size; 3021 /* Advance exp_b10 to '1', so that the 3022 * decimal point happens after the 3023 * previous digit. 3024 */ 3025 exp_b10 = 1; 3026 } 3027 3028 --cdigits; 3029 d = ch - 47; /* I.e. 1+(ch-48) */ 3030 } 3031 3032 /* Did we reach the beginning? If so adjust the 3033 * exponent but take into account the leading 3034 * decimal point. 3035 */ 3036 if (d > 9) /* cdigits == 0 */ 3037 { 3038 if (exp_b10 == (-1)) 3039 { 3040 /* Leading decimal point (plus zeros?), if 3041 * we lose the decimal point here it must 3042 * be reentered below. 3043 */ 3044 int ch = *--ascii; 3045 3046 if (ch == 46) 3047 ++size, exp_b10 = 1; 3048 3049 /* Else lost a leading zero, so 'exp_b10' is 3050 * still ok at (-1) 3051 */ 3052 } 3053 else 3054 ++exp_b10; 3055 3056 /* In all cases we output a '1' */ 3057 d = 1; 3058 } 3059 } 3060 } 3061 fp = 0; /* Guarantees termination below. */ 3062 } 3063 3064 if (d == 0) 3065 { 3066 ++czero; 3067 if (cdigits == 0) ++clead; 3068 } 3069 else 3070 { 3071 /* Included embedded zeros in the digit count. */ 3072 cdigits += czero - clead; 3073 clead = 0; 3074 3075 while (czero > 0) 3076 { 3077 /* exp_b10 == (-1) means we just output the decimal 3078 * place - after the DP don't adjust 'exp_b10' any 3079 * more! 3080 */ 3081 if (exp_b10 != (-1)) 3082 { 3083 if (exp_b10 == 0) *ascii++ = 46, --size; 3084 /* PLUS 1: TOTAL 4 */ 3085 --exp_b10; 3086 } 3087 *ascii++ = 48, --czero; 3088 } 3089 3090 if (exp_b10 != (-1)) 3091 { 3092 if (exp_b10 == 0) 3093 *ascii++ = 46, --size; /* counted above */ 3094 3095 --exp_b10; 3096 } 3097 *ascii++ = (char)(48 + (int)d), ++cdigits; 3098 } 3099 } 3100 while (cdigits+czero < precision+clead && fp > DBL_MIN); 3101 3102 /* The total output count (max) is now 4+precision */ 3103 3104 /* Check for an exponent, if we don't need one we are 3105 * done and just need to terminate the string. At 3106 * this point exp_b10==(-1) is effectively if flag - it got 3107 * to '-1' because of the decrement after outputting 3108 * the decimal point above (the exponent required is 3109 * *not* -1!) 3110 */ 3111 if (exp_b10 >= (-1) && exp_b10 <= 2) 3112 { 3113 /* The following only happens if we didn't output the 3114 * leading zeros above for negative exponent, so this 3115 * doesn't add to the digit requirement. Note that the 3116 * two zeros here can only be output if the two leading 3117 * zeros were *not* output, so this doesn't increase 3118 * the output count. 3119 */ 3120 while (--exp_b10 >= 0) *ascii++ = 48; 3121 3122 *ascii = 0; 3123 3124 /* Total buffer requirement (including the '\0') is 3125 * 5+precision - see check at the start. 3126 */ 3127 return; 3128 } 3129 3130 /* Here if an exponent is required, adjust size for 3131 * the digits we output but did not count. The total 3132 * digit output here so far is at most 1+precision - no 3133 * decimal point and no leading or trailing zeros have 3134 * been output. 3135 */ 3136 size -= cdigits; 3137 3138 *ascii++ = 69, --size; /* 'E': PLUS 1 TOTAL 2+precision */ 3139 3140 /* The following use of an unsigned temporary avoids ambiguities in 3141 * the signed arithmetic on exp_b10 and permits GCC at least to do 3142 * better optimization. 3143 */ 3144 { 3145 unsigned int uexp_b10; 3146 3147 if (exp_b10 < 0) 3148 { 3149 *ascii++ = 45, --size; /* '-': PLUS 1 TOTAL 3+precision */ 3150 uexp_b10 = (unsigned int)(-exp_b10); 3151 } 3152 3153 else 3154 uexp_b10 = (unsigned int)exp_b10; 3155 3156 cdigits = 0; 3157 3158 while (uexp_b10 > 0) 3159 { 3160 exponent[cdigits++] = (char)(48 + uexp_b10 % 10); 3161 uexp_b10 /= 10; 3162 } 3163 } 3164 3165 /* Need another size check here for the exponent digits, so 3166 * this need not be considered above. 3167 */ 3168 if (size > cdigits) 3169 { 3170 while (cdigits > 0) *ascii++ = exponent[--cdigits]; 3171 3172 *ascii = 0; 3173 3174 return; 3175 } 3176 } 3177 } 3178 else if (!(fp >= DBL_MIN)) 3179 { 3180 *ascii++ = 48; /* '0' */ 3181 *ascii = 0; 3182 return; 3183 } 3184 else 3185 { 3186 *ascii++ = 105; /* 'i' */ 3187 *ascii++ = 110; /* 'n' */ 3188 *ascii++ = 102; /* 'f' */ 3189 *ascii = 0; 3190 return; 3191 } 3192 } 3193 3194 /* Here on buffer too small. */ 3195 png_error(png_ptr, "ASCII conversion buffer too small"); 3196 } 3197 3198 # endif /* FLOATING_POINT */ 3199 3200 # ifdef PNG_FIXED_POINT_SUPPORTED 3201 /* Function to format a fixed point value in ASCII. 3202 */ 3203 void /* PRIVATE */ 3204 png_ascii_from_fixed(png_const_structrp png_ptr, png_charp ascii, 3205 png_size_t size, png_fixed_point fp) 3206 { 3207 /* Require space for 10 decimal digits, a decimal point, a minus sign and a 3208 * trailing \0, 13 characters: 3209 */ 3210 if (size > 12) 3211 { 3212 png_uint_32 num; 3213 3214 /* Avoid overflow here on the minimum integer. */ 3215 if (fp < 0) 3216 *ascii++ = 45, num = (png_uint_32)(-fp); 3217 else 3218 num = (png_uint_32)fp; 3219 3220 if (num <= 0x80000000) /* else overflowed */ 3221 { 3222 unsigned int ndigits = 0, first = 16 /* flag value */; 3223 char digits[10]; 3224 3225 while (num) 3226 { 3227 /* Split the low digit off num: */ 3228 unsigned int tmp = num/10; 3229 num -= tmp*10; 3230 digits[ndigits++] = (char)(48 + num); 3231 /* Record the first non-zero digit, note that this is a number 3232 * starting at 1, it's not actually the array index. 3233 */ 3234 if (first == 16 && num > 0) 3235 first = ndigits; 3236 num = tmp; 3237 } 3238 3239 if (ndigits > 0) 3240 { 3241 while (ndigits > 5) *ascii++ = digits[--ndigits]; 3242 /* The remaining digits are fractional digits, ndigits is '5' or 3243 * smaller at this point. It is certainly not zero. Check for a 3244 * non-zero fractional digit: 3245 */ 3246 if (first <= 5) 3247 { 3248 unsigned int i; 3249 *ascii++ = 46; /* decimal point */ 3250 /* ndigits may be <5 for small numbers, output leading zeros 3251 * then ndigits digits to first: 3252 */ 3253 i = 5; 3254 while (ndigits < i) *ascii++ = 48, --i; 3255 while (ndigits >= first) *ascii++ = digits[--ndigits]; 3256 /* Don't output the trailing zeros! */ 3257 } 3258 } 3259 else 3260 *ascii++ = 48; 3261 3262 /* And null terminate the string: */ 3263 *ascii = 0; 3264 return; 3265 } 3266 } 3267 3268 /* Here on buffer too small. */ 3269 png_error(png_ptr, "ASCII conversion buffer too small"); 3270 } 3271 # endif /* FIXED_POINT */ 3272 #endif /* SCAL */ 3273 3274 #if defined(PNG_FLOATING_POINT_SUPPORTED) && \ 3275 !defined(PNG_FIXED_POINT_MACRO_SUPPORTED) && \ 3276 (defined(PNG_gAMA_SUPPORTED) || defined(PNG_cHRM_SUPPORTED) || \ 3277 defined(PNG_sCAL_SUPPORTED) || defined(PNG_READ_BACKGROUND_SUPPORTED) || \ 3278 defined(PNG_READ_RGB_TO_GRAY_SUPPORTED)) || \ 3279 (defined(PNG_sCAL_SUPPORTED) && \ 3280 defined(PNG_FLOATING_ARITHMETIC_SUPPORTED)) 3281 png_fixed_point 3282 png_fixed(png_const_structrp png_ptr, double fp, png_const_charp text) 3283 { 3284 double r = floor(100000 * fp + .5); 3285 3286 if (r > 2147483647. || r < -2147483648.) 3287 png_fixed_error(png_ptr, text); 3288 3289 # ifndef PNG_ERROR_TEXT_SUPPORTED 3290 PNG_UNUSED(text) 3291 # endif 3292 3293 return (png_fixed_point)r; 3294 } 3295 #endif 3296 3297 #if defined(PNG_GAMMA_SUPPORTED) || defined(PNG_COLORSPACE_SUPPORTED) ||\ 3298 defined(PNG_INCH_CONVERSIONS_SUPPORTED) || defined(PNG_READ_pHYs_SUPPORTED) 3299 /* muldiv functions */ 3300 /* This API takes signed arguments and rounds the result to the nearest 3301 * integer (or, for a fixed point number - the standard argument - to 3302 * the nearest .00001). Overflow and divide by zero are signalled in 3303 * the result, a boolean - true on success, false on overflow. 3304 */ 3305 int 3306 png_muldiv(png_fixed_point_p res, png_fixed_point a, png_int_32 times, 3307 png_int_32 divisor) 3308 { 3309 /* Return a * times / divisor, rounded. */ 3310 if (divisor != 0) 3311 { 3312 if (a == 0 || times == 0) 3313 { 3314 *res = 0; 3315 return 1; 3316 } 3317 else 3318 { 3319 #ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED 3320 double r = a; 3321 r *= times; 3322 r /= divisor; 3323 r = floor(r+.5); 3324 3325 /* A png_fixed_point is a 32-bit integer. */ 3326 if (r <= 2147483647. && r >= -2147483648.) 3327 { 3328 *res = (png_fixed_point)r; 3329 return 1; 3330 } 3331 #else 3332 int negative = 0; 3333 png_uint_32 A, T, D; 3334 png_uint_32 s16, s32, s00; 3335 3336 if (a < 0) 3337 negative = 1, A = -a; 3338 else 3339 A = a; 3340 3341 if (times < 0) 3342 negative = !negative, T = -times; 3343 else 3344 T = times; 3345 3346 if (divisor < 0) 3347 negative = !negative, D = -divisor; 3348 else 3349 D = divisor; 3350 3351 /* Following can't overflow because the arguments only 3352 * have 31 bits each, however the result may be 32 bits. 3353 */ 3354 s16 = (A >> 16) * (T & 0xffff) + 3355 (A & 0xffff) * (T >> 16); 3356 /* Can't overflow because the a*times bit is only 30 3357 * bits at most. 3358 */ 3359 s32 = (A >> 16) * (T >> 16) + (s16 >> 16); 3360 s00 = (A & 0xffff) * (T & 0xffff); 3361 3362 s16 = (s16 & 0xffff) << 16; 3363 s00 += s16; 3364 3365 if (s00 < s16) 3366 ++s32; /* carry */ 3367 3368 if (s32 < D) /* else overflow */ 3369 { 3370 /* s32.s00 is now the 64-bit product, do a standard 3371 * division, we know that s32 < D, so the maximum 3372 * required shift is 31. 3373 */ 3374 int bitshift = 32; 3375 png_fixed_point result = 0; /* NOTE: signed */ 3376 3377 while (--bitshift >= 0) 3378 { 3379 png_uint_32 d32, d00; 3380 3381 if (bitshift > 0) 3382 d32 = D >> (32-bitshift), d00 = D << bitshift; 3383 3384 else 3385 d32 = 0, d00 = D; 3386 3387 if (s32 > d32) 3388 { 3389 if (s00 < d00) --s32; /* carry */ 3390 s32 -= d32, s00 -= d00, result += 1<<bitshift; 3391 } 3392 3393 else 3394 if (s32 == d32 && s00 >= d00) 3395 s32 = 0, s00 -= d00, result += 1<<bitshift; 3396 } 3397 3398 /* Handle the rounding. */ 3399 if (s00 >= (D >> 1)) 3400 ++result; 3401 3402 if (negative != 0) 3403 result = -result; 3404 3405 /* Check for overflow. */ 3406 if ((negative != 0 && result <= 0) || 3407 (negative == 0 && result >= 0)) 3408 { 3409 *res = result; 3410 return 1; 3411 } 3412 } 3413 #endif 3414 } 3415 } 3416 3417 return 0; 3418 } 3419 #endif /* READ_GAMMA || INCH_CONVERSIONS */ 3420 3421 #if defined(PNG_READ_GAMMA_SUPPORTED) || defined(PNG_INCH_CONVERSIONS_SUPPORTED) 3422 /* The following is for when the caller doesn't much care about the 3423 * result. 3424 */ 3425 png_fixed_point 3426 png_muldiv_warn(png_const_structrp png_ptr, png_fixed_point a, png_int_32 times, 3427 png_int_32 divisor) 3428 { 3429 png_fixed_point result; 3430 3431 if (png_muldiv(&result, a, times, divisor) != 0) 3432 return result; 3433 3434 png_warning(png_ptr, "fixed point overflow ignored"); 3435 return 0; 3436 } 3437 #endif 3438 3439 #ifdef PNG_GAMMA_SUPPORTED /* more fixed point functions for gamma */ 3440 /* Calculate a reciprocal, return 0 on div-by-zero or overflow. */ 3441 png_fixed_point 3442 png_reciprocal(png_fixed_point a) 3443 { 3444 #ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED 3445 double r = floor(1E10/a+.5); 3446 3447 if (r <= 2147483647. && r >= -2147483648.) 3448 return (png_fixed_point)r; 3449 #else 3450 png_fixed_point res; 3451 3452 if (png_muldiv(&res, 100000, 100000, a) != 0) 3453 return res; 3454 #endif 3455 3456 return 0; /* error/overflow */ 3457 } 3458 3459 /* This is the shared test on whether a gamma value is 'significant' - whether 3460 * it is worth doing gamma correction. 3461 */ 3462 int /* PRIVATE */ 3463 png_gamma_significant(png_fixed_point gamma_val) 3464 { 3465 return gamma_val < PNG_FP_1 - PNG_GAMMA_THRESHOLD_FIXED || 3466 gamma_val > PNG_FP_1 + PNG_GAMMA_THRESHOLD_FIXED; 3467 } 3468 #endif 3469 3470 #ifdef PNG_READ_GAMMA_SUPPORTED 3471 #ifdef PNG_16BIT_SUPPORTED 3472 /* A local convenience routine. */ 3473 static png_fixed_point 3474 png_product2(png_fixed_point a, png_fixed_point b) 3475 { 3476 /* The required result is 1/a * 1/b; the following preserves accuracy. */ 3477 #ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED 3478 double r = a * 1E-5; 3479 r *= b; 3480 r = floor(r+.5); 3481 3482 if (r <= 2147483647. && r >= -2147483648.) 3483 return (png_fixed_point)r; 3484 #else 3485 png_fixed_point res; 3486 3487 if (png_muldiv(&res, a, b, 100000) != 0) 3488 return res; 3489 #endif 3490 3491 return 0; /* overflow */ 3492 } 3493 #endif /* 16BIT */ 3494 3495 /* The inverse of the above. */ 3496 png_fixed_point 3497 png_reciprocal2(png_fixed_point a, png_fixed_point b) 3498 { 3499 /* The required result is 1/a * 1/b; the following preserves accuracy. */ 3500 #ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED 3501 if (a != 0 && b != 0) 3502 { 3503 double r = 1E15/a; 3504 r /= b; 3505 r = floor(r+.5); 3506 3507 if (r <= 2147483647. && r >= -2147483648.) 3508 return (png_fixed_point)r; 3509 } 3510 #else 3511 /* This may overflow because the range of png_fixed_point isn't symmetric, 3512 * but this API is only used for the product of file and screen gamma so it 3513 * doesn't matter that the smallest number it can produce is 1/21474, not 3514 * 1/100000 3515 */ 3516 png_fixed_point res = png_product2(a, b); 3517 3518 if (res != 0) 3519 return png_reciprocal(res); 3520 #endif 3521 3522 return 0; /* overflow */ 3523 } 3524 #endif /* READ_GAMMA */ 3525 3526 #ifdef PNG_READ_GAMMA_SUPPORTED /* gamma table code */ 3527 #ifndef PNG_FLOATING_ARITHMETIC_SUPPORTED 3528 /* Fixed point gamma. 3529 * 3530 * The code to calculate the tables used below can be found in the shell script 3531 * contrib/tools/intgamma.sh 3532 * 3533 * To calculate gamma this code implements fast log() and exp() calls using only 3534 * fixed point arithmetic. This code has sufficient precision for either 8-bit 3535 * or 16-bit sample values. 3536 * 3537 * The tables used here were calculated using simple 'bc' programs, but C double 3538 * precision floating point arithmetic would work fine. 3539 * 3540 * 8-bit log table 3541 * This is a table of -log(value/255)/log(2) for 'value' in the range 128 to 3542 * 255, so it's the base 2 logarithm of a normalized 8-bit floating point 3543 * mantissa. The numbers are 32-bit fractions. 3544 */ 3545 static const png_uint_32 3546 png_8bit_l2[128] = 3547 { 3548 4270715492U, 4222494797U, 4174646467U, 4127164793U, 4080044201U, 4033279239U, 3549 3986864580U, 3940795015U, 3895065449U, 3849670902U, 3804606499U, 3759867474U, 3550 3715449162U, 3671346997U, 3627556511U, 3584073329U, 3540893168U, 3498011834U, 3551 3455425220U, 3413129301U, 3371120137U, 3329393864U, 3287946700U, 3246774933U, 3552 3205874930U, 3165243125U, 3124876025U, 3084770202U, 3044922296U, 3005329011U, 3553 2965987113U, 2926893432U, 2888044853U, 2849438323U, 2811070844U, 2772939474U, 3554 2735041326U, 2697373562U, 2659933400U, 2622718104U, 2585724991U, 2548951424U, 3555 2512394810U, 2476052606U, 2439922311U, 2404001468U, 2368287663U, 2332778523U, 3556 2297471715U, 2262364947U, 2227455964U, 2192742551U, 2158222529U, 2123893754U, 3557 2089754119U, 2055801552U, 2022034013U, 1988449497U, 1955046031U, 1921821672U, 3558 1888774511U, 1855902668U, 1823204291U, 1790677560U, 1758320682U, 1726131893U, 3559 1694109454U, 1662251657U, 1630556815U, 1599023271U, 1567649391U, 1536433567U, 3560 1505374214U, 1474469770U, 1443718700U, 1413119487U, 1382670639U, 1352370686U, 3561 1322218179U, 1292211689U, 1262349810U, 1232631153U, 1203054352U, 1173618059U, 3562 1144320946U, 1115161701U, 1086139034U, 1057251672U, 1028498358U, 999877854U, 3563 971388940U, 943030410U, 914801076U, 886699767U, 858725327U, 830876614U, 3564 803152505U, 775551890U, 748073672U, 720716771U, 693480120U, 666362667U, 3565 639363374U, 612481215U, 585715177U, 559064263U, 532527486U, 506103872U, 3566 479792461U, 453592303U, 427502463U, 401522014U, 375650043U, 349885648U, 3567 324227938U, 298676034U, 273229066U, 247886176U, 222646516U, 197509248U, 3568 172473545U, 147538590U, 122703574U, 97967701U, 73330182U, 48790236U, 3569 24347096U, 0U 3570 3571 #if 0 3572 /* The following are the values for 16-bit tables - these work fine for the 3573 * 8-bit conversions but produce very slightly larger errors in the 16-bit 3574 * log (about 1.2 as opposed to 0.7 absolute error in the final value). To 3575 * use these all the shifts below must be adjusted appropriately. 3576 */ 3577 65166, 64430, 63700, 62976, 62257, 61543, 60835, 60132, 59434, 58741, 58054, 3578 57371, 56693, 56020, 55352, 54689, 54030, 53375, 52726, 52080, 51439, 50803, 3579 50170, 49542, 48918, 48298, 47682, 47070, 46462, 45858, 45257, 44661, 44068, 3580 43479, 42894, 42312, 41733, 41159, 40587, 40020, 39455, 38894, 38336, 37782, 3581 37230, 36682, 36137, 35595, 35057, 34521, 33988, 33459, 32932, 32408, 31887, 3582 31369, 30854, 30341, 29832, 29325, 28820, 28319, 27820, 27324, 26830, 26339, 3583 25850, 25364, 24880, 24399, 23920, 23444, 22970, 22499, 22029, 21562, 21098, 3584 20636, 20175, 19718, 19262, 18808, 18357, 17908, 17461, 17016, 16573, 16132, 3585 15694, 15257, 14822, 14390, 13959, 13530, 13103, 12678, 12255, 11834, 11415, 3586 10997, 10582, 10168, 9756, 9346, 8937, 8531, 8126, 7723, 7321, 6921, 6523, 3587 6127, 5732, 5339, 4947, 4557, 4169, 3782, 3397, 3014, 2632, 2251, 1872, 1495, 3588 1119, 744, 372 3589 #endif 3590 }; 3591 3592 static png_int_32 3593 png_log8bit(unsigned int x) 3594 { 3595 unsigned int lg2 = 0; 3596 /* Each time 'x' is multiplied by 2, 1 must be subtracted off the final log, 3597 * because the log is actually negate that means adding 1. The final 3598 * returned value thus has the range 0 (for 255 input) to 7.994 (for 1 3599 * input), return -1 for the overflow (log 0) case, - so the result is 3600 * always at most 19 bits. 3601 */ 3602 if ((x &= 0xff) == 0) 3603 return -1; 3604 3605 if ((x & 0xf0) == 0) 3606 lg2 = 4, x <<= 4; 3607 3608 if ((x & 0xc0) == 0) 3609 lg2 += 2, x <<= 2; 3610 3611 if ((x & 0x80) == 0) 3612 lg2 += 1, x <<= 1; 3613 3614 /* result is at most 19 bits, so this cast is safe: */ 3615 return (png_int_32)((lg2 << 16) + ((png_8bit_l2[x-128]+32768)>>16)); 3616 } 3617 3618 /* The above gives exact (to 16 binary places) log2 values for 8-bit images, 3619 * for 16-bit images we use the most significant 8 bits of the 16-bit value to 3620 * get an approximation then multiply the approximation by a correction factor 3621 * determined by the remaining up to 8 bits. This requires an additional step 3622 * in the 16-bit case. 3623 * 3624 * We want log2(value/65535), we have log2(v'/255), where: 3625 * 3626 * value = v' * 256 + v'' 3627 * = v' * f 3628 * 3629 * So f is value/v', which is equal to (256+v''/v') since v' is in the range 128 3630 * to 255 and v'' is in the range 0 to 255 f will be in the range 256 to less 3631 * than 258. The final factor also needs to correct for the fact that our 8-bit 3632 * value is scaled by 255, whereas the 16-bit values must be scaled by 65535. 3633 * 3634 * This gives a final formula using a calculated value 'x' which is value/v' and 3635 * scaling by 65536 to match the above table: 3636 * 3637 * log2(x/257) * 65536 3638 * 3639 * Since these numbers are so close to '1' we can use simple linear 3640 * interpolation between the two end values 256/257 (result -368.61) and 258/257 3641 * (result 367.179). The values used below are scaled by a further 64 to give 3642 * 16-bit precision in the interpolation: 3643 * 3644 * Start (256): -23591 3645 * Zero (257): 0 3646 * End (258): 23499 3647 */ 3648 #ifdef PNG_16BIT_SUPPORTED 3649 static png_int_32 3650 png_log16bit(png_uint_32 x) 3651 { 3652 unsigned int lg2 = 0; 3653 3654 /* As above, but now the input has 16 bits. */ 3655 if ((x &= 0xffff) == 0) 3656 return -1; 3657 3658 if ((x & 0xff00) == 0) 3659 lg2 = 8, x <<= 8; 3660 3661 if ((x & 0xf000) == 0) 3662 lg2 += 4, x <<= 4; 3663 3664 if ((x & 0xc000) == 0) 3665 lg2 += 2, x <<= 2; 3666 3667 if ((x & 0x8000) == 0) 3668 lg2 += 1, x <<= 1; 3669 3670 /* Calculate the base logarithm from the top 8 bits as a 28-bit fractional 3671 * value. 3672 */ 3673 lg2 <<= 28; 3674 lg2 += (png_8bit_l2[(x>>8)-128]+8) >> 4; 3675 3676 /* Now we need to interpolate the factor, this requires a division by the top 3677 * 8 bits. Do this with maximum precision. 3678 */ 3679 x = ((x << 16) + (x >> 9)) / (x >> 8); 3680 3681 /* Since we divided by the top 8 bits of 'x' there will be a '1' at 1<<24, 3682 * the value at 1<<16 (ignoring this) will be 0 or 1; this gives us exactly 3683 * 16 bits to interpolate to get the low bits of the result. Round the 3684 * answer. Note that the end point values are scaled by 64 to retain overall 3685 * precision and that 'lg2' is current scaled by an extra 12 bits, so adjust 3686 * the overall scaling by 6-12. Round at every step. 3687 */ 3688 x -= 1U << 24; 3689 3690 if (x <= 65536U) /* <= '257' */ 3691 lg2 += ((23591U * (65536U-x)) + (1U << (16+6-12-1))) >> (16+6-12); 3692 3693 else 3694 lg2 -= ((23499U * (x-65536U)) + (1U << (16+6-12-1))) >> (16+6-12); 3695 3696 /* Safe, because the result can't have more than 20 bits: */ 3697 return (png_int_32)((lg2 + 2048) >> 12); 3698 } 3699 #endif /* 16BIT */ 3700 3701 /* The 'exp()' case must invert the above, taking a 20-bit fixed point 3702 * logarithmic value and returning a 16 or 8-bit number as appropriate. In 3703 * each case only the low 16 bits are relevant - the fraction - since the 3704 * integer bits (the top 4) simply determine a shift. 3705 * 3706 * The worst case is the 16-bit distinction between 65535 and 65534. This 3707 * requires perhaps spurious accuracy in the decoding of the logarithm to 3708 * distinguish log2(65535/65534.5) - 10^-5 or 17 bits. There is little chance 3709 * of getting this accuracy in practice. 3710 * 3711 * To deal with this the following exp() function works out the exponent of the 3712 * frational part of the logarithm by using an accurate 32-bit value from the 3713 * top four fractional bits then multiplying in the remaining bits. 3714 */ 3715 static const png_uint_32 3716 png_32bit_exp[16] = 3717 { 3718 /* NOTE: the first entry is deliberately set to the maximum 32-bit value. */ 3719 4294967295U, 4112874773U, 3938502376U, 3771522796U, 3611622603U, 3458501653U, 3720 3311872529U, 3171459999U, 3037000500U, 2908241642U, 2784941738U, 2666869345U, 3721 2553802834U, 2445529972U, 2341847524U, 2242560872U 3722 }; 3723 3724 /* Adjustment table; provided to explain the numbers in the code below. */ 3725 #if 0 3726 for (i=11;i>=0;--i){ print i, " ", (1 - e(-(2^i)/65536*l(2))) * 2^(32-i), "\n"} 3727 11 44937.64284865548751208448 3728 10 45180.98734845585101160448 3729 9 45303.31936980687359311872 3730 8 45364.65110595323018870784 3731 7 45395.35850361789624614912 3732 6 45410.72259715102037508096 3733 5 45418.40724413220722311168 3734 4 45422.25021786898173001728 3735 3 45424.17186732298419044352 3736 2 45425.13273269940811464704 3737 1 45425.61317555035558641664 3738 0 45425.85339951654943850496 3739 #endif 3740 3741 static png_uint_32 3742 png_exp(png_fixed_point x) 3743 { 3744 if (x > 0 && x <= 0xfffff) /* Else overflow or zero (underflow) */ 3745 { 3746 /* Obtain a 4-bit approximation */ 3747 png_uint_32 e = png_32bit_exp[(x >> 12) & 0x0f]; 3748 3749 /* Incorporate the low 12 bits - these decrease the returned value by 3750 * multiplying by a number less than 1 if the bit is set. The multiplier 3751 * is determined by the above table and the shift. Notice that the values 3752 * converge on 45426 and this is used to allow linear interpolation of the 3753 * low bits. 3754 */ 3755 if (x & 0x800) 3756 e -= (((e >> 16) * 44938U) + 16U) >> 5; 3757 3758 if (x & 0x400) 3759 e -= (((e >> 16) * 45181U) + 32U) >> 6; 3760 3761 if (x & 0x200) 3762 e -= (((e >> 16) * 45303U) + 64U) >> 7; 3763 3764 if (x & 0x100) 3765 e -= (((e >> 16) * 45365U) + 128U) >> 8; 3766 3767 if (x & 0x080) 3768 e -= (((e >> 16) * 45395U) + 256U) >> 9; 3769 3770 if (x & 0x040) 3771 e -= (((e >> 16) * 45410U) + 512U) >> 10; 3772 3773 /* And handle the low 6 bits in a single block. */ 3774 e -= (((e >> 16) * 355U * (x & 0x3fU)) + 256U) >> 9; 3775 3776 /* Handle the upper bits of x. */ 3777 e >>= x >> 16; 3778 return e; 3779 } 3780 3781 /* Check for overflow */ 3782 if (x <= 0) 3783 return png_32bit_exp[0]; 3784 3785 /* Else underflow */ 3786 return 0; 3787 } 3788 3789 static png_byte 3790 png_exp8bit(png_fixed_point lg2) 3791 { 3792 /* Get a 32-bit value: */ 3793 png_uint_32 x = png_exp(lg2); 3794 3795 /* Convert the 32-bit value to 0..255 by multiplying by 256-1. Note that the 3796 * second, rounding, step can't overflow because of the first, subtraction, 3797 * step. 3798 */ 3799 x -= x >> 8; 3800 return (png_byte)(((x + 0x7fffffU) >> 24) & 0xff); 3801 } 3802 3803 #ifdef PNG_16BIT_SUPPORTED 3804 static png_uint_16 3805 png_exp16bit(png_fixed_point lg2) 3806 { 3807 /* Get a 32-bit value: */ 3808 png_uint_32 x = png_exp(lg2); 3809 3810 /* Convert the 32-bit value to 0..65535 by multiplying by 65536-1: */ 3811 x -= x >> 16; 3812 return (png_uint_16)((x + 32767U) >> 16); 3813 } 3814 #endif /* 16BIT */ 3815 #endif /* FLOATING_ARITHMETIC */ 3816 3817 png_byte 3818 png_gamma_8bit_correct(unsigned int value, png_fixed_point gamma_val) 3819 { 3820 if (value > 0 && value < 255) 3821 { 3822 # ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED 3823 /* 'value' is unsigned, ANSI-C90 requires the compiler to correctly 3824 * convert this to a floating point value. This includes values that 3825 * would overflow if 'value' were to be converted to 'int'. 3826 * 3827 * Apparently GCC, however, does an intermediate conversion to (int) 3828 * on some (ARM) but not all (x86) platforms, possibly because of 3829 * hardware FP limitations. (E.g. if the hardware conversion always 3830 * assumes the integer register contains a signed value.) This results 3831 * in ANSI-C undefined behavior for large values. 3832 * 3833 * Other implementations on the same machine might actually be ANSI-C90 3834 * conformant and therefore compile spurious extra code for the large 3835 * values. 3836 * 3837 * We can be reasonably sure that an unsigned to float conversion 3838 * won't be faster than an int to float one. Therefore this code 3839 * assumes responsibility for the undefined behavior, which it knows 3840 * can't happen because of the check above. 3841 * 3842 * Note the argument to this routine is an (unsigned int) because, on 3843 * 16-bit platforms, it is assigned a value which might be out of 3844 * range for an (int); that would result in undefined behavior in the 3845 * caller if the *argument* ('value') were to be declared (int). 3846 */ 3847 double r = floor(255*pow((int)/*SAFE*/value/255.,gamma_val*.00001)+.5); 3848 return (png_byte)r; 3849 # else 3850 png_int_32 lg2 = png_log8bit(value); 3851 png_fixed_point res; 3852 3853 if (png_muldiv(&res, gamma_val, lg2, PNG_FP_1) != 0) 3854 return png_exp8bit(res); 3855 3856 /* Overflow. */ 3857 value = 0; 3858 # endif 3859 } 3860 3861 return (png_byte)(value & 0xff); 3862 } 3863 3864 #ifdef PNG_16BIT_SUPPORTED 3865 png_uint_16 3866 png_gamma_16bit_correct(unsigned int value, png_fixed_point gamma_val) 3867 { 3868 if (value > 0 && value < 65535) 3869 { 3870 # ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED 3871 /* The same (unsigned int)->(double) constraints apply here as above, 3872 * however in this case the (unsigned int) to (int) conversion can 3873 * overflow on an ANSI-C90 compliant system so the cast needs to ensure 3874 * that this is not possible. 3875 */ 3876 double r = floor(65535*pow((png_int_32)value/65535., 3877 gamma_val*.00001)+.5); 3878 return (png_uint_16)r; 3879 # else 3880 png_int_32 lg2 = png_log16bit(value); 3881 png_fixed_point res; 3882 3883 if (png_muldiv(&res, gamma_val, lg2, PNG_FP_1) != 0) 3884 return png_exp16bit(res); 3885 3886 /* Overflow. */ 3887 value = 0; 3888 # endif 3889 } 3890 3891 return (png_uint_16)value; 3892 } 3893 #endif /* 16BIT */ 3894 3895 /* This does the right thing based on the bit_depth field of the 3896 * png_struct, interpreting values as 8-bit or 16-bit. While the result 3897 * is nominally a 16-bit value if bit depth is 8 then the result is 3898 * 8-bit (as are the arguments.) 3899 */ 3900 png_uint_16 /* PRIVATE */ 3901 png_gamma_correct(png_structrp png_ptr, unsigned int value, 3902 png_fixed_point gamma_val) 3903 { 3904 if (png_ptr->bit_depth == 8) 3905 return png_gamma_8bit_correct(value, gamma_val); 3906 3907 #ifdef PNG_16BIT_SUPPORTED 3908 else 3909 return png_gamma_16bit_correct(value, gamma_val); 3910 #else 3911 /* should not reach this */ 3912 return 0; 3913 #endif /* 16BIT */ 3914 } 3915 3916 #ifdef PNG_16BIT_SUPPORTED 3917 /* Internal function to build a single 16-bit table - the table consists of 3918 * 'num' 256 entry subtables, where 'num' is determined by 'shift' - the amount 3919 * to shift the input values right (or 16-number_of_signifiant_bits). 3920 * 3921 * The caller is responsible for ensuring that the table gets cleaned up on 3922 * png_error (i.e. if one of the mallocs below fails) - i.e. the *table argument 3923 * should be somewhere that will be cleaned. 3924 */ 3925 static void 3926 png_build_16bit_table(png_structrp png_ptr, png_uint_16pp *ptable, 3927 PNG_CONST unsigned int shift, PNG_CONST png_fixed_point gamma_val) 3928 { 3929 /* Various values derived from 'shift': */ 3930 PNG_CONST unsigned int num = 1U << (8U - shift); 3931 #ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED 3932 /* CSE the division and work round wacky GCC warnings (see the comments 3933 * in png_gamma_8bit_correct for where these come from.) 3934 */ 3935 PNG_CONST double fmax = 1./(((png_int_32)1 << (16U - shift))-1); 3936 #endif 3937 PNG_CONST unsigned int max = (1U << (16U - shift))-1U; 3938 PNG_CONST unsigned int max_by_2 = 1U << (15U-shift); 3939 unsigned int i; 3940 3941 png_uint_16pp table = *ptable = 3942 (png_uint_16pp)png_calloc(png_ptr, num * (sizeof (png_uint_16p))); 3943 3944 for (i = 0; i < num; i++) 3945 { 3946 png_uint_16p sub_table = table[i] = 3947 (png_uint_16p)png_malloc(png_ptr, 256 * (sizeof (png_uint_16))); 3948 3949 /* The 'threshold' test is repeated here because it can arise for one of 3950 * the 16-bit tables even if the others don't hit it. 3951 */ 3952 if (png_gamma_significant(gamma_val) != 0) 3953 { 3954 /* The old code would overflow at the end and this would cause the 3955 * 'pow' function to return a result >1, resulting in an 3956 * arithmetic error. This code follows the spec exactly; ig is 3957 * the recovered input sample, it always has 8-16 bits. 3958 * 3959 * We want input * 65535/max, rounded, the arithmetic fits in 32 3960 * bits (unsigned) so long as max <= 32767. 3961 */ 3962 unsigned int j; 3963 for (j = 0; j < 256; j++) 3964 { 3965 png_uint_32 ig = (j << (8-shift)) + i; 3966 # ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED 3967 /* Inline the 'max' scaling operation: */ 3968 /* See png_gamma_8bit_correct for why the cast to (int) is 3969 * required here. 3970 */ 3971 double d = floor(65535.*pow(ig*fmax, gamma_val*.00001)+.5); 3972 sub_table[j] = (png_uint_16)d; 3973 # else 3974 if (shift != 0) 3975 ig = (ig * 65535U + max_by_2)/max; 3976 3977 sub_table[j] = png_gamma_16bit_correct(ig, gamma_val); 3978 # endif 3979 } 3980 } 3981 else 3982 { 3983 /* We must still build a table, but do it the fast way. */ 3984 unsigned int j; 3985 3986 for (j = 0; j < 256; j++) 3987 { 3988 png_uint_32 ig = (j << (8-shift)) + i; 3989 3990 if (shift != 0) 3991 ig = (ig * 65535U + max_by_2)/max; 3992 3993 sub_table[j] = (png_uint_16)ig; 3994 } 3995 } 3996 } 3997 } 3998 3999 /* NOTE: this function expects the *inverse* of the overall gamma transformation 4000 * required. 4001 */ 4002 static void 4003 png_build_16to8_table(png_structrp png_ptr, png_uint_16pp *ptable, 4004 PNG_CONST unsigned int shift, PNG_CONST png_fixed_point gamma_val) 4005 { 4006 PNG_CONST unsigned int num = 1U << (8U - shift); 4007 PNG_CONST unsigned int max = (1U << (16U - shift))-1U; 4008 unsigned int i; 4009 png_uint_32 last; 4010 4011 png_uint_16pp table = *ptable = 4012 (png_uint_16pp)png_calloc(png_ptr, num * (sizeof (png_uint_16p))); 4013 4014 /* 'num' is the number of tables and also the number of low bits of low 4015 * bits of the input 16-bit value used to select a table. Each table is 4016 * itself indexed by the high 8 bits of the value. 4017 */ 4018 for (i = 0; i < num; i++) 4019 table[i] = (png_uint_16p)png_malloc(png_ptr, 4020 256 * (sizeof (png_uint_16))); 4021 4022 /* 'gamma_val' is set to the reciprocal of the value calculated above, so 4023 * pow(out,g) is an *input* value. 'last' is the last input value set. 4024 * 4025 * In the loop 'i' is used to find output values. Since the output is 4026 * 8-bit there are only 256 possible values. The tables are set up to 4027 * select the closest possible output value for each input by finding 4028 * the input value at the boundary between each pair of output values 4029 * and filling the table up to that boundary with the lower output 4030 * value. 4031 * 4032 * The boundary values are 0.5,1.5..253.5,254.5. Since these are 9-bit 4033 * values the code below uses a 16-bit value in i; the values start at 4034 * 128.5 (for 0.5) and step by 257, for a total of 254 values (the last 4035 * entries are filled with 255). Start i at 128 and fill all 'last' 4036 * table entries <= 'max' 4037 */ 4038 last = 0; 4039 for (i = 0; i < 255; ++i) /* 8-bit output value */ 4040 { 4041 /* Find the corresponding maximum input value */ 4042 png_uint_16 out = (png_uint_16)(i * 257U); /* 16-bit output value */ 4043 4044 /* Find the boundary value in 16 bits: */ 4045 png_uint_32 bound = png_gamma_16bit_correct(out+128U, gamma_val); 4046 4047 /* Adjust (round) to (16-shift) bits: */ 4048 bound = (bound * max + 32768U)/65535U + 1U; 4049 4050 while (last < bound) 4051 { 4052 table[last & (0xffU >> shift)][last >> (8U - shift)] = out; 4053 last++; 4054 } 4055 } 4056 4057 /* And fill in the final entries. */ 4058 while (last < (num << 8)) 4059 { 4060 table[last & (0xff >> shift)][last >> (8U - shift)] = 65535U; 4061 last++; 4062 } 4063 } 4064 #endif /* 16BIT */ 4065 4066 /* Build a single 8-bit table: same as the 16-bit case but much simpler (and 4067 * typically much faster). Note that libpng currently does no sBIT processing 4068 * (apparently contrary to the spec) so a 256-entry table is always generated. 4069 */ 4070 static void 4071 png_build_8bit_table(png_structrp png_ptr, png_bytepp ptable, 4072 PNG_CONST png_fixed_point gamma_val) 4073 { 4074 unsigned int i; 4075 png_bytep table = *ptable = (png_bytep)png_malloc(png_ptr, 256); 4076 4077 if (png_gamma_significant(gamma_val) != 0) 4078 for (i=0; i<256; i++) 4079 table[i] = png_gamma_8bit_correct(i, gamma_val); 4080 4081 else 4082 for (i=0; i<256; ++i) 4083 table[i] = (png_byte)(i & 0xff); 4084 } 4085 4086 /* Used from png_read_destroy and below to release the memory used by the gamma 4087 * tables. 4088 */ 4089 void /* PRIVATE */ 4090 png_destroy_gamma_table(png_structrp png_ptr) 4091 { 4092 png_free(png_ptr, png_ptr->gamma_table); 4093 png_ptr->gamma_table = NULL; 4094 4095 #ifdef PNG_16BIT_SUPPORTED 4096 if (png_ptr->gamma_16_table != NULL) 4097 { 4098 int i; 4099 int istop = (1 << (8 - png_ptr->gamma_shift)); 4100 for (i = 0; i < istop; i++) 4101 { 4102 png_free(png_ptr, png_ptr->gamma_16_table[i]); 4103 } 4104 png_free(png_ptr, png_ptr->gamma_16_table); 4105 png_ptr->gamma_16_table = NULL; 4106 } 4107 #endif /* 16BIT */ 4108 4109 #if defined(PNG_READ_BACKGROUND_SUPPORTED) || \ 4110 defined(PNG_READ_ALPHA_MODE_SUPPORTED) || \ 4111 defined(PNG_READ_RGB_TO_GRAY_SUPPORTED) 4112 png_free(png_ptr, png_ptr->gamma_from_1); 4113 png_ptr->gamma_from_1 = NULL; 4114 png_free(png_ptr, png_ptr->gamma_to_1); 4115 png_ptr->gamma_to_1 = NULL; 4116 4117 #ifdef PNG_16BIT_SUPPORTED 4118 if (png_ptr->gamma_16_from_1 != NULL) 4119 { 4120 int i; 4121 int istop = (1 << (8 - png_ptr->gamma_shift)); 4122 for (i = 0; i < istop; i++) 4123 { 4124 png_free(png_ptr, png_ptr->gamma_16_from_1[i]); 4125 } 4126 png_free(png_ptr, png_ptr->gamma_16_from_1); 4127 png_ptr->gamma_16_from_1 = NULL; 4128 } 4129 if (png_ptr->gamma_16_to_1 != NULL) 4130 { 4131 int i; 4132 int istop = (1 << (8 - png_ptr->gamma_shift)); 4133 for (i = 0; i < istop; i++) 4134 { 4135 png_free(png_ptr, png_ptr->gamma_16_to_1[i]); 4136 } 4137 png_free(png_ptr, png_ptr->gamma_16_to_1); 4138 png_ptr->gamma_16_to_1 = NULL; 4139 } 4140 #endif /* 16BIT */ 4141 #endif /* READ_BACKGROUND || READ_ALPHA_MODE || RGB_TO_GRAY */ 4142 } 4143 4144 /* We build the 8- or 16-bit gamma tables here. Note that for 16-bit 4145 * tables, we don't make a full table if we are reducing to 8-bit in 4146 * the future. Note also how the gamma_16 tables are segmented so that 4147 * we don't need to allocate > 64K chunks for a full 16-bit table. 4148 */ 4149 void /* PRIVATE */ 4150 png_build_gamma_table(png_structrp png_ptr, int bit_depth) 4151 { 4152 png_debug(1, "in png_build_gamma_table"); 4153 4154 /* Remove any existing table; this copes with multiple calls to 4155 * png_read_update_info. The warning is because building the gamma tables 4156 * multiple times is a performance hit - it's harmless but the ability to 4157 * call png_read_update_info() multiple times is new in 1.5.6 so it seems 4158 * sensible to warn if the app introduces such a hit. 4159 */ 4160 if (png_ptr->gamma_table != NULL || png_ptr->gamma_16_table != NULL) 4161 { 4162 png_warning(png_ptr, "gamma table being rebuilt"); 4163 png_destroy_gamma_table(png_ptr); 4164 } 4165 4166 if (bit_depth <= 8) 4167 { 4168 png_build_8bit_table(png_ptr, &png_ptr->gamma_table, 4169 png_ptr->screen_gamma > 0 ? 4170 png_reciprocal2(png_ptr->colorspace.gamma, 4171 png_ptr->screen_gamma) : PNG_FP_1); 4172 4173 #if defined(PNG_READ_BACKGROUND_SUPPORTED) || \ 4174 defined(PNG_READ_ALPHA_MODE_SUPPORTED) || \ 4175 defined(PNG_READ_RGB_TO_GRAY_SUPPORTED) 4176 if ((png_ptr->transformations & (PNG_COMPOSE | PNG_RGB_TO_GRAY)) != 0) 4177 { 4178 png_build_8bit_table(png_ptr, &png_ptr->gamma_to_1, 4179 png_reciprocal(png_ptr->colorspace.gamma)); 4180 4181 png_build_8bit_table(png_ptr, &png_ptr->gamma_from_1, 4182 png_ptr->screen_gamma > 0 ? 4183 png_reciprocal(png_ptr->screen_gamma) : 4184 png_ptr->colorspace.gamma/* Probably doing rgb_to_gray */); 4185 } 4186 #endif /* READ_BACKGROUND || READ_ALPHA_MODE || RGB_TO_GRAY */ 4187 } 4188 #ifdef PNG_16BIT_SUPPORTED 4189 else 4190 { 4191 png_byte shift, sig_bit; 4192 4193 if ((png_ptr->color_type & PNG_COLOR_MASK_COLOR) != 0) 4194 { 4195 sig_bit = png_ptr->sig_bit.red; 4196 4197 if (png_ptr->sig_bit.green > sig_bit) 4198 sig_bit = png_ptr->sig_bit.green; 4199 4200 if (png_ptr->sig_bit.blue > sig_bit) 4201 sig_bit = png_ptr->sig_bit.blue; 4202 } 4203 else 4204 sig_bit = png_ptr->sig_bit.gray; 4205 4206 /* 16-bit gamma code uses this equation: 4207 * 4208 * ov = table[(iv & 0xff) >> gamma_shift][iv >> 8] 4209 * 4210 * Where 'iv' is the input color value and 'ov' is the output value - 4211 * pow(iv, gamma). 4212 * 4213 * Thus the gamma table consists of up to 256 256-entry tables. The table 4214 * is selected by the (8-gamma_shift) most significant of the low 8 bits 4215 * of the color value then indexed by the upper 8 bits: 4216 * 4217 * table[low bits][high 8 bits] 4218 * 4219 * So the table 'n' corresponds to all those 'iv' of: 4220 * 4221 * <all high 8-bit values><n << gamma_shift>..<(n+1 << gamma_shift)-1> 4222 * 4223 */ 4224 if (sig_bit > 0 && sig_bit < 16U) 4225 /* shift == insignificant bits */ 4226 shift = (png_byte)((16U - sig_bit) & 0xff); 4227 4228 else 4229 shift = 0; /* keep all 16 bits */ 4230 4231 if ((png_ptr->transformations & (PNG_16_TO_8 | PNG_SCALE_16_TO_8)) != 0) 4232 { 4233 /* PNG_MAX_GAMMA_8 is the number of bits to keep - effectively 4234 * the significant bits in the *input* when the output will 4235 * eventually be 8 bits. By default it is 11. 4236 */ 4237 if (shift < (16U - PNG_MAX_GAMMA_8)) 4238 shift = (16U - PNG_MAX_GAMMA_8); 4239 } 4240 4241 if (shift > 8U) 4242 shift = 8U; /* Guarantees at least one table! */ 4243 4244 png_ptr->gamma_shift = shift; 4245 4246 /* NOTE: prior to 1.5.4 this test used to include PNG_BACKGROUND (now 4247 * PNG_COMPOSE). This effectively smashed the background calculation for 4248 * 16-bit output because the 8-bit table assumes the result will be 4249 * reduced to 8 bits. 4250 */ 4251 if ((png_ptr->transformations & (PNG_16_TO_8 | PNG_SCALE_16_TO_8)) != 0) 4252 png_build_16to8_table(png_ptr, &png_ptr->gamma_16_table, shift, 4253 png_ptr->screen_gamma > 0 ? png_product2(png_ptr->colorspace.gamma, 4254 png_ptr->screen_gamma) : PNG_FP_1); 4255 4256 else 4257 png_build_16bit_table(png_ptr, &png_ptr->gamma_16_table, shift, 4258 png_ptr->screen_gamma > 0 ? png_reciprocal2(png_ptr->colorspace.gamma, 4259 png_ptr->screen_gamma) : PNG_FP_1); 4260 4261 #if defined(PNG_READ_BACKGROUND_SUPPORTED) || \ 4262 defined(PNG_READ_ALPHA_MODE_SUPPORTED) || \ 4263 defined(PNG_READ_RGB_TO_GRAY_SUPPORTED) 4264 if ((png_ptr->transformations & (PNG_COMPOSE | PNG_RGB_TO_GRAY)) != 0) 4265 { 4266 png_build_16bit_table(png_ptr, &png_ptr->gamma_16_to_1, shift, 4267 png_reciprocal(png_ptr->colorspace.gamma)); 4268 4269 /* Notice that the '16 from 1' table should be full precision, however 4270 * the lookup on this table still uses gamma_shift, so it can't be. 4271 * TODO: fix this. 4272 */ 4273 png_build_16bit_table(png_ptr, &png_ptr->gamma_16_from_1, shift, 4274 png_ptr->screen_gamma > 0 ? png_reciprocal(png_ptr->screen_gamma) : 4275 png_ptr->colorspace.gamma/* Probably doing rgb_to_gray */); 4276 } 4277 #endif /* READ_BACKGROUND || READ_ALPHA_MODE || RGB_TO_GRAY */ 4278 } 4279 #endif /* 16BIT */ 4280 } 4281 #endif /* READ_GAMMA */ 4282 4283 /* HARDWARE OR SOFTWARE OPTION SUPPORT */ 4284 #ifdef PNG_SET_OPTION_SUPPORTED 4285 int PNGAPI 4286 png_set_option(png_structrp png_ptr, int option, int onoff) 4287 { 4288 if (png_ptr != NULL && option >= 0 && option < PNG_OPTION_NEXT && 4289 (option & 1) == 0) 4290 { 4291 png_uint_32 mask = 3 << option; 4292 png_uint_32 setting = (2 + (onoff != 0)) << option; 4293 png_uint_32 current = png_ptr->options; 4294 4295 png_ptr->options = (png_uint_32)(((current & ~mask) | setting) & 0xff); 4296 4297 return (current & mask) >> option; 4298 } 4299 4300 return PNG_OPTION_INVALID; 4301 } 4302 #endif 4303 4304 /* sRGB support */ 4305 #if defined(PNG_SIMPLIFIED_READ_SUPPORTED) ||\ 4306 defined(PNG_SIMPLIFIED_WRITE_SUPPORTED) 4307 /* sRGB conversion tables; these are machine generated with the code in 4308 * contrib/tools/makesRGB.c. The actual sRGB transfer curve defined in the 4309 * specification (see the article at http://en.wikipedia.org/wiki/SRGB) 4310 * is used, not the gamma=1/2.2 approximation use elsewhere in libpng. 4311 * The sRGB to linear table is exact (to the nearest 16-bit linear fraction). 4312 * The inverse (linear to sRGB) table has accuracies as follows: 4313 * 4314 * For all possible (255*65535+1) input values: 4315 * 4316 * error: -0.515566 - 0.625971, 79441 (0.475369%) of readings inexact 4317 * 4318 * For the input values corresponding to the 65536 16-bit values: 4319 * 4320 * error: -0.513727 - 0.607759, 308 (0.469978%) of readings inexact 4321 * 4322 * In all cases the inexact readings are only off by one. 4323 */ 4324 4325 #ifdef PNG_SIMPLIFIED_READ_SUPPORTED 4326 /* The convert-to-sRGB table is only currently required for read. */ 4327 const png_uint_16 png_sRGB_table[256] = 4328 { 4329 0,20,40,60,80,99,119,139, 4330 159,179,199,219,241,264,288,313, 4331 340,367,396,427,458,491,526,562, 4332 599,637,677,718,761,805,851,898, 4333 947,997,1048,1101,1156,1212,1270,1330, 4334 1391,1453,1517,1583,1651,1720,1790,1863, 4335 1937,2013,2090,2170,2250,2333,2418,2504, 4336 2592,2681,2773,2866,2961,3058,3157,3258, 4337 3360,3464,3570,3678,3788,3900,4014,4129, 4338 4247,4366,4488,4611,4736,4864,4993,5124, 4339 5257,5392,5530,5669,5810,5953,6099,6246, 4340 6395,6547,6700,6856,7014,7174,7335,7500, 4341 7666,7834,8004,8177,8352,8528,8708,8889, 4342 9072,9258,9445,9635,9828,10022,10219,10417, 4343 10619,10822,11028,11235,11446,11658,11873,12090, 4344 12309,12530,12754,12980,13209,13440,13673,13909, 4345 14146,14387,14629,14874,15122,15371,15623,15878, 4346 16135,16394,16656,16920,17187,17456,17727,18001, 4347 18277,18556,18837,19121,19407,19696,19987,20281, 4348 20577,20876,21177,21481,21787,22096,22407,22721, 4349 23038,23357,23678,24002,24329,24658,24990,25325, 4350 25662,26001,26344,26688,27036,27386,27739,28094, 4351 28452,28813,29176,29542,29911,30282,30656,31033, 4352 31412,31794,32179,32567,32957,33350,33745,34143, 4353 34544,34948,35355,35764,36176,36591,37008,37429, 4354 37852,38278,38706,39138,39572,40009,40449,40891, 4355 41337,41785,42236,42690,43147,43606,44069,44534, 4356 45002,45473,45947,46423,46903,47385,47871,48359, 4357 48850,49344,49841,50341,50844,51349,51858,52369, 4358 52884,53401,53921,54445,54971,55500,56032,56567, 4359 57105,57646,58190,58737,59287,59840,60396,60955, 4360 61517,62082,62650,63221,63795,64372,64952,65535 4361 }; 4362 #endif /* SIMPLIFIED_READ */ 4363 4364 /* The base/delta tables are required for both read and write (but currently 4365 * only the simplified versions.) 4366 */ 4367 const png_uint_16 png_sRGB_base[512] = 4368 { 4369 128,1782,3383,4644,5675,6564,7357,8074, 4370 8732,9346,9921,10463,10977,11466,11935,12384, 4371 12816,13233,13634,14024,14402,14769,15125,15473, 4372 15812,16142,16466,16781,17090,17393,17690,17981, 4373 18266,18546,18822,19093,19359,19621,19879,20133, 4374 20383,20630,20873,21113,21349,21583,21813,22041, 4375 22265,22487,22707,22923,23138,23350,23559,23767, 4376 23972,24175,24376,24575,24772,24967,25160,25352, 4377 25542,25730,25916,26101,26284,26465,26645,26823, 4378 27000,27176,27350,27523,27695,27865,28034,28201, 4379 28368,28533,28697,28860,29021,29182,29341,29500, 4380 29657,29813,29969,30123,30276,30429,30580,30730, 4381 30880,31028,31176,31323,31469,31614,31758,31902, 4382 32045,32186,32327,32468,32607,32746,32884,33021, 4383 33158,33294,33429,33564,33697,33831,33963,34095, 4384 34226,34357,34486,34616,34744,34873,35000,35127, 4385 35253,35379,35504,35629,35753,35876,35999,36122, 4386 36244,36365,36486,36606,36726,36845,36964,37083, 4387 37201,37318,37435,37551,37668,37783,37898,38013, 4388 38127,38241,38354,38467,38580,38692,38803,38915, 4389 39026,39136,39246,39356,39465,39574,39682,39790, 4390 39898,40005,40112,40219,40325,40431,40537,40642, 4391 40747,40851,40955,41059,41163,41266,41369,41471, 4392 41573,41675,41777,41878,41979,42079,42179,42279, 4393 42379,42478,42577,42676,42775,42873,42971,43068, 4394 43165,43262,43359,43456,43552,43648,43743,43839, 4395 43934,44028,44123,44217,44311,44405,44499,44592, 4396 44685,44778,44870,44962,45054,45146,45238,45329, 4397 45420,45511,45601,45692,45782,45872,45961,46051, 4398 46140,46229,46318,46406,46494,46583,46670,46758, 4399 46846,46933,47020,47107,47193,47280,47366,47452, 4400 47538,47623,47709,47794,47879,47964,48048,48133, 4401 48217,48301,48385,48468,48552,48635,48718,48801, 4402 48884,48966,49048,49131,49213,49294,49376,49458, 4403 49539,49620,49701,49782,49862,49943,50023,50103, 4404 50183,50263,50342,50422,50501,50580,50659,50738, 4405 50816,50895,50973,51051,51129,51207,51285,51362, 4406 51439,51517,51594,51671,51747,51824,51900,51977, 4407 52053,52129,52205,52280,52356,52432,52507,52582, 4408 52657,52732,52807,52881,52956,53030,53104,53178, 4409 53252,53326,53400,53473,53546,53620,53693,53766, 4410 53839,53911,53984,54056,54129,54201,54273,54345, 4411 54417,54489,54560,54632,54703,54774,54845,54916, 4412 54987,55058,55129,55199,55269,55340,55410,55480, 4413 55550,55620,55689,55759,55828,55898,55967,56036, 4414 56105,56174,56243,56311,56380,56448,56517,56585, 4415 56653,56721,56789,56857,56924,56992,57059,57127, 4416 57194,57261,57328,57395,57462,57529,57595,57662, 4417 57728,57795,57861,57927,57993,58059,58125,58191, 4418 58256,58322,58387,58453,58518,58583,58648,58713, 4419 58778,58843,58908,58972,59037,59101,59165,59230, 4420 59294,59358,59422,59486,59549,59613,59677,59740, 4421 59804,59867,59930,59993,60056,60119,60182,60245, 4422 60308,60370,60433,60495,60558,60620,60682,60744, 4423 60806,60868,60930,60992,61054,61115,61177,61238, 4424 61300,61361,61422,61483,61544,61605,61666,61727, 4425 61788,61848,61909,61969,62030,62090,62150,62211, 4426 62271,62331,62391,62450,62510,62570,62630,62689, 4427 62749,62808,62867,62927,62986,63045,63104,63163, 4428 63222,63281,63340,63398,63457,63515,63574,63632, 4429 63691,63749,63807,63865,63923,63981,64039,64097, 4430 64155,64212,64270,64328,64385,64443,64500,64557, 4431 64614,64672,64729,64786,64843,64900,64956,65013, 4432 65070,65126,65183,65239,65296,65352,65409,65465 4433 }; 4434 4435 const png_byte png_sRGB_delta[512] = 4436 { 4437 207,201,158,129,113,100,90,82,77,72,68,64,61,59,56,54, 4438 52,50,49,47,46,45,43,42,41,40,39,39,38,37,36,36, 4439 35,34,34,33,33,32,32,31,31,30,30,30,29,29,28,28, 4440 28,27,27,27,27,26,26,26,25,25,25,25,24,24,24,24, 4441 23,23,23,23,23,22,22,22,22,22,22,21,21,21,21,21, 4442 21,20,20,20,20,20,20,20,20,19,19,19,19,19,19,19, 4443 19,18,18,18,18,18,18,18,18,18,18,17,17,17,17,17, 4444 17,17,17,17,17,17,16,16,16,16,16,16,16,16,16,16, 4445 16,16,16,16,15,15,15,15,15,15,15,15,15,15,15,15, 4446 15,15,15,15,14,14,14,14,14,14,14,14,14,14,14,14, 4447 14,14,14,14,14,14,14,13,13,13,13,13,13,13,13,13, 4448 13,13,13,13,13,13,13,13,13,13,13,13,13,13,12,12, 4449 12,12,12,12,12,12,12,12,12,12,12,12,12,12,12,12, 4450 12,12,12,12,12,12,12,12,12,12,12,12,11,11,11,11, 4451 11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11, 4452 11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11, 4453 11,10,10,10,10,10,10,10,10,10,10,10,10,10,10,10, 4454 10,10,10,10,10,10,10,10,10,10,10,10,10,10,10,10, 4455 10,10,10,10,10,10,10,10,10,10,10,10,10,10,10,10, 4456 10,9,9,9,9,9,9,9,9,9,9,9,9,9,9,9, 4457 9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,9, 4458 9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,9, 4459 9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,9, 4460 9,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8, 4461 8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8, 4462 8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8, 4463 8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8, 4464 8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8, 4465 8,8,8,8,8,8,8,8,8,7,7,7,7,7,7,7, 4466 7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,7, 4467 7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,7, 4468 7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,7 4469 }; 4470 #endif /* SIMPLIFIED READ/WRITE sRGB support */ 4471 4472 /* SIMPLIFIED READ/WRITE SUPPORT */ 4473 #if defined(PNG_SIMPLIFIED_READ_SUPPORTED) ||\ 4474 defined(PNG_SIMPLIFIED_WRITE_SUPPORTED) 4475 static int 4476 png_image_free_function(png_voidp argument) 4477 { 4478 png_imagep image = png_voidcast(png_imagep, argument); 4479 png_controlp cp = image->opaque; 4480 png_control c; 4481 4482 /* Double check that we have a png_ptr - it should be impossible to get here 4483 * without one. 4484 */ 4485 if (cp->png_ptr == NULL) 4486 return 0; 4487 4488 /* First free any data held in the control structure. */ 4489 # ifdef PNG_STDIO_SUPPORTED 4490 if (cp->owned_file != 0) 4491 { 4492 FILE *fp = png_voidcast(FILE*, cp->png_ptr->io_ptr); 4493 cp->owned_file = 0; 4494 4495 /* Ignore errors here. */ 4496 if (fp != NULL) 4497 { 4498 cp->png_ptr->io_ptr = NULL; 4499 (void)fclose(fp); 4500 } 4501 } 4502 # endif 4503 4504 /* Copy the control structure so that the original, allocated, version can be 4505 * safely freed. Notice that a png_error here stops the remainder of the 4506 * cleanup, but this is probably fine because that would indicate bad memory 4507 * problems anyway. 4508 */ 4509 c = *cp; 4510 image->opaque = &c; 4511 png_free(c.png_ptr, cp); 4512 4513 /* Then the structures, calling the correct API. */ 4514 if (c.for_write != 0) 4515 { 4516 # ifdef PNG_SIMPLIFIED_WRITE_SUPPORTED 4517 png_destroy_write_struct(&c.png_ptr, &c.info_ptr); 4518 # else 4519 png_error(c.png_ptr, "simplified write not supported"); 4520 # endif 4521 } 4522 else 4523 { 4524 # ifdef PNG_SIMPLIFIED_READ_SUPPORTED 4525 png_destroy_read_struct(&c.png_ptr, &c.info_ptr, NULL); 4526 # else 4527 png_error(c.png_ptr, "simplified read not supported"); 4528 # endif 4529 } 4530 4531 /* Success. */ 4532 return 1; 4533 } 4534 4535 void PNGAPI 4536 png_image_free(png_imagep image) 4537 { 4538 /* Safely call the real function, but only if doing so is safe at this point 4539 * (if not inside an error handling context). Otherwise assume 4540 * png_safe_execute will call this API after the return. 4541 */ 4542 if (image != NULL && image->opaque != NULL && 4543 image->opaque->error_buf == NULL) 4544 { 4545 /* Ignore errors here: */ 4546 (void)png_safe_execute(image, png_image_free_function, image); 4547 image->opaque = NULL; 4548 } 4549 } 4550 4551 int /* PRIVATE */ 4552 png_image_error(png_imagep image, png_const_charp error_message) 4553 { 4554 /* Utility to log an error. */ 4555 png_safecat(image->message, (sizeof image->message), 0, error_message); 4556 image->warning_or_error |= PNG_IMAGE_ERROR; 4557 png_image_free(image); 4558 return 0; 4559 } 4560 4561 #endif /* SIMPLIFIED READ/WRITE */ 4562 #endif /* READ || WRITE */