1 /*
2 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
3 *
4 * This code is free software; you can redistribute it and/or modify it
5 * under the terms of the GNU General Public License version 2 only, as
6 * published by the Free Software Foundation. Oracle designates this
7 * particular file as subject to the "Classpath" exception as provided
8 * by Oracle in the LICENSE file that accompanied this code.
9 *
10 * This code is distributed in the hope that it will be useful, but WITHOUT
11 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
12 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * version 2 for more details (a copy is included in the LICENSE file that
14 * accompanied this code).
15 *
16 * You should have received a copy of the GNU General Public License version
17 * 2 along with this work; if not, write to the Free Software Foundation,
18 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
19 *
20 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
21 * or visit www.oracle.com if you need additional information or have any
22 * questions.
23 */
24
25 /* png.c - location for general purpose libpng functions
26 *
27 * This file is available under and governed by the GNU General Public
28 * License version 2 only, as published by the Free Software Foundation.
29 * However, the following notice accompanied the original version of this
30 * file and, per its terms, should not be removed:
31 *
32 * Last changed in libpng 1.6.28 [January 5, 2017]
33 * Copyright (c) 1998-2002,2004,2006-2017 Glenn Randers-Pehrson
34 * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
35 * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
36 *
37 * This code is released under the libpng license.
38 * For conditions of distribution and use, see the disclaimer
39 * and license in png.h
40 */
41
42 #include "pngpriv.h"
43
44 /* Generate a compiler error if there is an old png.h in the search path. */
45 typedef png_libpng_version_1_6_28 Your_png_h_is_not_version_1_6_28;
46
47 /* Tells libpng that we have already handled the first "num_bytes" bytes
48 * of the PNG file signature. If the PNG data is embedded into another
49 * stream we can set num_bytes = 8 so that libpng will not attempt to read
50 * or write any of the magic bytes before it starts on the IHDR.
51 */
52
53 #ifdef PNG_READ_SUPPORTED
54 void PNGAPI
55 png_set_sig_bytes(png_structrp png_ptr, int num_bytes)
56 {
57 unsigned int nb = (unsigned int)num_bytes;
58
59 png_debug(1, "in png_set_sig_bytes");
60
61 if (png_ptr == NULL)
62 return;
63
64 if (num_bytes < 0)
65 nb = 0;
66
67 if (nb > 8)
68 png_error(png_ptr, "Too many bytes for PNG signature");
69
70 png_ptr->sig_bytes = (png_byte)nb;
71 }
72
73 /* Checks whether the supplied bytes match the PNG signature. We allow
74 * checking less than the full 8-byte signature so that those apps that
75 * already read the first few bytes of a file to determine the file type
76 * can simply check the remaining bytes for extra assurance. Returns
77 * an integer less than, equal to, or greater than zero if sig is found,
78 * respectively, to be less than, to match, or be greater than the correct
79 * PNG signature (this is the same behavior as strcmp, memcmp, etc).
80 */
81 int PNGAPI
82 png_sig_cmp(png_const_bytep sig, png_size_t start, png_size_t num_to_check)
83 {
84 png_byte png_signature[8] = {137, 80, 78, 71, 13, 10, 26, 10};
85
86 if (num_to_check > 8)
87 num_to_check = 8;
88
89 else if (num_to_check < 1)
90 return (-1);
91
92 if (start > 7)
93 return (-1);
94
95 if (start + num_to_check > 8)
96 num_to_check = 8 - start;
97
98 return ((int)(memcmp(&sig[start], &png_signature[start], num_to_check)));
99 }
100
101 #endif /* READ */
102
103 #if defined(PNG_READ_SUPPORTED) || defined(PNG_WRITE_SUPPORTED)
104 /* Function to allocate memory for zlib */
105 PNG_FUNCTION(voidpf /* PRIVATE */,
106 png_zalloc,(voidpf png_ptr, uInt items, uInt size),PNG_ALLOCATED)
107 {
108 png_alloc_size_t num_bytes = size;
109
110 if (png_ptr == NULL)
111 return NULL;
112
113 if (items >= (~(png_alloc_size_t)0)/size)
114 {
115 png_warning (png_voidcast(png_structrp, png_ptr),
116 "Potential overflow in png_zalloc()");
117 return NULL;
118 }
119
120 num_bytes *= items;
121 return png_malloc_warn(png_voidcast(png_structrp, png_ptr), num_bytes);
122 }
123
124 /* Function to free memory for zlib */
125 void /* PRIVATE */
126 png_zfree(voidpf png_ptr, voidpf ptr)
127 {
128 png_free(png_voidcast(png_const_structrp,png_ptr), ptr);
129 }
130
131 /* Reset the CRC variable to 32 bits of 1's. Care must be taken
132 * in case CRC is > 32 bits to leave the top bits 0.
133 */
134 void /* PRIVATE */
135 png_reset_crc(png_structrp png_ptr)
136 {
137 /* The cast is safe because the crc is a 32-bit value. */
138 png_ptr->crc = (png_uint_32)crc32(0, Z_NULL, 0);
139 }
140
141 /* Calculate the CRC over a section of data. We can only pass as
142 * much data to this routine as the largest single buffer size. We
143 * also check that this data will actually be used before going to the
144 * trouble of calculating it.
145 */
146 void /* PRIVATE */
147 png_calculate_crc(png_structrp png_ptr, png_const_bytep ptr, png_size_t length)
148 {
149 int need_crc = 1;
150
151 if (PNG_CHUNK_ANCILLARY(png_ptr->chunk_name) != 0)
152 {
153 if ((png_ptr->flags & PNG_FLAG_CRC_ANCILLARY_MASK) ==
154 (PNG_FLAG_CRC_ANCILLARY_USE | PNG_FLAG_CRC_ANCILLARY_NOWARN))
155 need_crc = 0;
156 }
157
158 else /* critical */
159 {
160 if ((png_ptr->flags & PNG_FLAG_CRC_CRITICAL_IGNORE) != 0)
161 need_crc = 0;
162 }
163
164 /* 'uLong' is defined in zlib.h as unsigned long; this means that on some
165 * systems it is a 64-bit value. crc32, however, returns 32 bits so the
166 * following cast is safe. 'uInt' may be no more than 16 bits, so it is
167 * necessary to perform a loop here.
168 */
169 if (need_crc != 0 && length > 0)
170 {
171 uLong crc = png_ptr->crc; /* Should never issue a warning */
172
173 do
174 {
175 uInt safe_length = (uInt)length;
176 #ifndef __COVERITY__
177 if (safe_length == 0)
178 safe_length = (uInt)-1; /* evil, but safe */
179 #endif
180
181 crc = crc32(crc, ptr, safe_length);
182
183 /* The following should never issue compiler warnings; if they do the
184 * target system has characteristics that will probably violate other
185 * assumptions within the libpng code.
186 */
187 ptr += safe_length;
188 length -= safe_length;
189 }
190 while (length > 0);
191
192 /* And the following is always safe because the crc is only 32 bits. */
193 png_ptr->crc = (png_uint_32)crc;
194 }
195 }
196
197 /* Check a user supplied version number, called from both read and write
198 * functions that create a png_struct.
199 */
200 int
201 png_user_version_check(png_structrp png_ptr, png_const_charp user_png_ver)
202 {
203 /* Libpng versions 1.0.0 and later are binary compatible if the version
204 * string matches through the second '.'; we must recompile any
205 * applications that use any older library version.
206 */
207
208 if (user_png_ver != NULL)
209 {
210 int i = -1;
211 int found_dots = 0;
212
213 do
214 {
215 i++;
216 if (user_png_ver[i] != PNG_LIBPNG_VER_STRING[i])
217 png_ptr->flags |= PNG_FLAG_LIBRARY_MISMATCH;
218 if (user_png_ver[i] == '.')
219 found_dots++;
220 } while (found_dots < 2 && user_png_ver[i] != 0 &&
221 PNG_LIBPNG_VER_STRING[i] != 0);
222 }
223
224 else
225 png_ptr->flags |= PNG_FLAG_LIBRARY_MISMATCH;
226
227 if ((png_ptr->flags & PNG_FLAG_LIBRARY_MISMATCH) != 0)
228 {
229 #ifdef PNG_WARNINGS_SUPPORTED
230 size_t pos = 0;
231 char m[128];
232
233 pos = png_safecat(m, (sizeof m), pos,
234 "Application built with libpng-");
235 pos = png_safecat(m, (sizeof m), pos, user_png_ver);
236 pos = png_safecat(m, (sizeof m), pos, " but running with ");
237 pos = png_safecat(m, (sizeof m), pos, PNG_LIBPNG_VER_STRING);
238 PNG_UNUSED(pos)
239
240 png_warning(png_ptr, m);
241 #endif
242
243 #ifdef PNG_ERROR_NUMBERS_SUPPORTED
244 png_ptr->flags = 0;
245 #endif
246
247 return 0;
248 }
249
250 /* Success return. */
251 return 1;
252 }
253
254 /* Generic function to create a png_struct for either read or write - this
255 * contains the common initialization.
256 */
257 PNG_FUNCTION(png_structp /* PRIVATE */,
258 png_create_png_struct,(png_const_charp user_png_ver, png_voidp error_ptr,
259 png_error_ptr error_fn, png_error_ptr warn_fn, png_voidp mem_ptr,
260 png_malloc_ptr malloc_fn, png_free_ptr free_fn),PNG_ALLOCATED)
261 {
262 png_struct create_struct;
263 # ifdef PNG_SETJMP_SUPPORTED
264 jmp_buf create_jmp_buf;
265 # endif
266
267 /* This temporary stack-allocated structure is used to provide a place to
268 * build enough context to allow the user provided memory allocator (if any)
269 * to be called.
270 */
271 memset(&create_struct, 0, (sizeof create_struct));
272
273 /* Added at libpng-1.2.6 */
274 # ifdef PNG_USER_LIMITS_SUPPORTED
275 create_struct.user_width_max = PNG_USER_WIDTH_MAX;
276 create_struct.user_height_max = PNG_USER_HEIGHT_MAX;
277
278 # ifdef PNG_USER_CHUNK_CACHE_MAX
279 /* Added at libpng-1.2.43 and 1.4.0 */
280 create_struct.user_chunk_cache_max = PNG_USER_CHUNK_CACHE_MAX;
281 # endif
282
283 # ifdef PNG_USER_CHUNK_MALLOC_MAX
284 /* Added at libpng-1.2.43 and 1.4.1, required only for read but exists
285 * in png_struct regardless.
286 */
287 create_struct.user_chunk_malloc_max = PNG_USER_CHUNK_MALLOC_MAX;
288 # endif
289 # endif
290
291 /* The following two API calls simply set fields in png_struct, so it is safe
292 * to do them now even though error handling is not yet set up.
293 */
294 # ifdef PNG_USER_MEM_SUPPORTED
295 png_set_mem_fn(&create_struct, mem_ptr, malloc_fn, free_fn);
296 # else
297 PNG_UNUSED(mem_ptr)
298 PNG_UNUSED(malloc_fn)
299 PNG_UNUSED(free_fn)
300 # endif
301
302 /* (*error_fn) can return control to the caller after the error_ptr is set,
303 * this will result in a memory leak unless the error_fn does something
304 * extremely sophisticated. The design lacks merit but is implicit in the
305 * API.
306 */
307 png_set_error_fn(&create_struct, error_ptr, error_fn, warn_fn);
308
309 # ifdef PNG_SETJMP_SUPPORTED
310 if (!setjmp(create_jmp_buf))
311 # endif
312 {
313 # ifdef PNG_SETJMP_SUPPORTED
314 /* Temporarily fake out the longjmp information until we have
315 * successfully completed this function. This only works if we have
316 * setjmp() support compiled in, but it is safe - this stuff should
317 * never happen.
318 */
319 create_struct.jmp_buf_ptr = &create_jmp_buf;
320 create_struct.jmp_buf_size = 0; /*stack allocation*/
321 create_struct.longjmp_fn = longjmp;
322 # endif
323 /* Call the general version checker (shared with read and write code):
324 */
325 if (png_user_version_check(&create_struct, user_png_ver) != 0)
326 {
327 png_structrp png_ptr = png_voidcast(png_structrp,
328 png_malloc_warn(&create_struct, (sizeof *png_ptr)));
329
330 if (png_ptr != NULL)
331 {
332 /* png_ptr->zstream holds a back-pointer to the png_struct, so
333 * this can only be done now:
334 */
335 create_struct.zstream.zalloc = png_zalloc;
336 create_struct.zstream.zfree = png_zfree;
337 create_struct.zstream.opaque = png_ptr;
338
339 # ifdef PNG_SETJMP_SUPPORTED
340 /* Eliminate the local error handling: */
341 create_struct.jmp_buf_ptr = NULL;
342 create_struct.jmp_buf_size = 0;
343 create_struct.longjmp_fn = 0;
344 # endif
345
346 *png_ptr = create_struct;
347
348 /* This is the successful return point */
349 return png_ptr;
350 }
351 }
352 }
353
354 /* A longjmp because of a bug in the application storage allocator or a
355 * simple failure to allocate the png_struct.
356 */
357 return NULL;
358 }
359
360 /* Allocate the memory for an info_struct for the application. */
361 PNG_FUNCTION(png_infop,PNGAPI
362 png_create_info_struct,(png_const_structrp png_ptr),PNG_ALLOCATED)
363 {
364 png_inforp info_ptr;
365
366 png_debug(1, "in png_create_info_struct");
367
368 if (png_ptr == NULL)
369 return NULL;
370
371 /* Use the internal API that does not (or at least should not) error out, so
372 * that this call always returns ok. The application typically sets up the
373 * error handling *after* creating the info_struct because this is the way it
374 * has always been done in 'example.c'.
375 */
376 info_ptr = png_voidcast(png_inforp, png_malloc_base(png_ptr,
377 (sizeof *info_ptr)));
378
379 if (info_ptr != NULL)
380 memset(info_ptr, 0, (sizeof *info_ptr));
381
382 return info_ptr;
383 }
384
385 /* This function frees the memory associated with a single info struct.
386 * Normally, one would use either png_destroy_read_struct() or
387 * png_destroy_write_struct() to free an info struct, but this may be
388 * useful for some applications. From libpng 1.6.0 this function is also used
389 * internally to implement the png_info release part of the 'struct' destroy
390 * APIs. This ensures that all possible approaches free the same data (all of
391 * it).
392 */
393 void PNGAPI
394 png_destroy_info_struct(png_const_structrp png_ptr, png_infopp info_ptr_ptr)
395 {
396 png_inforp info_ptr = NULL;
397
398 png_debug(1, "in png_destroy_info_struct");
399
400 if (png_ptr == NULL)
401 return;
402
403 if (info_ptr_ptr != NULL)
404 info_ptr = *info_ptr_ptr;
405
406 if (info_ptr != NULL)
407 {
408 /* Do this first in case of an error below; if the app implements its own
409 * memory management this can lead to png_free calling png_error, which
410 * will abort this routine and return control to the app error handler.
411 * An infinite loop may result if it then tries to free the same info
412 * ptr.
413 */
414 *info_ptr_ptr = NULL;
415
416 png_free_data(png_ptr, info_ptr, PNG_FREE_ALL, -1);
417 memset(info_ptr, 0, (sizeof *info_ptr));
418 png_free(png_ptr, info_ptr);
419 }
420 }
421
422 /* Initialize the info structure. This is now an internal function (0.89)
423 * and applications using it are urged to use png_create_info_struct()
424 * instead. Use deprecated in 1.6.0, internal use removed (used internally it
425 * is just a memset).
426 *
427 * NOTE: it is almost inconceivable that this API is used because it bypasses
428 * the user-memory mechanism and the user error handling/warning mechanisms in
429 * those cases where it does anything other than a memset.
430 */
431 PNG_FUNCTION(void,PNGAPI
432 png_info_init_3,(png_infopp ptr_ptr, png_size_t png_info_struct_size),
433 PNG_DEPRECATED)
434 {
435 png_inforp info_ptr = *ptr_ptr;
436
437 png_debug(1, "in png_info_init_3");
438
439 if (info_ptr == NULL)
440 return;
441
442 if ((sizeof (png_info)) > png_info_struct_size)
443 {
444 *ptr_ptr = NULL;
445 /* The following line is why this API should not be used: */
446 free(info_ptr);
447 info_ptr = png_voidcast(png_inforp, png_malloc_base(NULL,
448 (sizeof *info_ptr)));
449 if (info_ptr == NULL)
450 return;
451 *ptr_ptr = info_ptr;
452 }
453
454 /* Set everything to 0 */
455 memset(info_ptr, 0, (sizeof *info_ptr));
456 }
457
458 /* The following API is not called internally */
459 void PNGAPI
460 png_data_freer(png_const_structrp png_ptr, png_inforp info_ptr,
461 int freer, png_uint_32 mask)
462 {
463 png_debug(1, "in png_data_freer");
464
465 if (png_ptr == NULL || info_ptr == NULL)
466 return;
467
468 if (freer == PNG_DESTROY_WILL_FREE_DATA)
469 info_ptr->free_me |= mask;
470
471 else if (freer == PNG_USER_WILL_FREE_DATA)
472 info_ptr->free_me &= ~mask;
473
474 else
475 png_error(png_ptr, "Unknown freer parameter in png_data_freer");
476 }
477
478 void PNGAPI
479 png_free_data(png_const_structrp png_ptr, png_inforp info_ptr, png_uint_32 mask,
480 int num)
481 {
482 png_debug(1, "in png_free_data");
483
484 if (png_ptr == NULL || info_ptr == NULL)
485 return;
486
487 #ifdef PNG_TEXT_SUPPORTED
488 /* Free text item num or (if num == -1) all text items */
489 if (info_ptr->text != NULL &&
490 ((mask & PNG_FREE_TEXT) & info_ptr->free_me) != 0)
491 {
492 if (num != -1)
493 {
494 png_free(png_ptr, info_ptr->text[num].key);
495 info_ptr->text[num].key = NULL;
496 }
497
498 else
499 {
500 int i;
501
502 for (i = 0; i < info_ptr->num_text; i++)
503 png_free(png_ptr, info_ptr->text[i].key);
504
505 png_free(png_ptr, info_ptr->text);
506 info_ptr->text = NULL;
507 info_ptr->num_text = 0;
508 info_ptr->max_text = 0;
509 }
510 }
511 #endif
512
513 #ifdef PNG_tRNS_SUPPORTED
514 /* Free any tRNS entry */
515 if (((mask & PNG_FREE_TRNS) & info_ptr->free_me) != 0)
516 {
517 info_ptr->valid &= ~PNG_INFO_tRNS;
518 png_free(png_ptr, info_ptr->trans_alpha);
519 info_ptr->trans_alpha = NULL;
520 info_ptr->num_trans = 0;
521 }
522 #endif
523
524 #ifdef PNG_sCAL_SUPPORTED
525 /* Free any sCAL entry */
526 if (((mask & PNG_FREE_SCAL) & info_ptr->free_me) != 0)
527 {
528 png_free(png_ptr, info_ptr->scal_s_width);
529 png_free(png_ptr, info_ptr->scal_s_height);
530 info_ptr->scal_s_width = NULL;
531 info_ptr->scal_s_height = NULL;
532 info_ptr->valid &= ~PNG_INFO_sCAL;
533 }
534 #endif
535
536 #ifdef PNG_pCAL_SUPPORTED
537 /* Free any pCAL entry */
538 if (((mask & PNG_FREE_PCAL) & info_ptr->free_me) != 0)
539 {
540 png_free(png_ptr, info_ptr->pcal_purpose);
541 png_free(png_ptr, info_ptr->pcal_units);
542 info_ptr->pcal_purpose = NULL;
543 info_ptr->pcal_units = NULL;
544
545 if (info_ptr->pcal_params != NULL)
546 {
547 int i;
548
549 for (i = 0; i < info_ptr->pcal_nparams; i++)
550 png_free(png_ptr, info_ptr->pcal_params[i]);
551
552 png_free(png_ptr, info_ptr->pcal_params);
553 info_ptr->pcal_params = NULL;
554 }
555 info_ptr->valid &= ~PNG_INFO_pCAL;
556 }
557 #endif
558
559 #ifdef PNG_iCCP_SUPPORTED
560 /* Free any profile entry */
561 if (((mask & PNG_FREE_ICCP) & info_ptr->free_me) != 0)
562 {
563 png_free(png_ptr, info_ptr->iccp_name);
564 png_free(png_ptr, info_ptr->iccp_profile);
565 info_ptr->iccp_name = NULL;
566 info_ptr->iccp_profile = NULL;
567 info_ptr->valid &= ~PNG_INFO_iCCP;
568 }
569 #endif
570
571 #ifdef PNG_sPLT_SUPPORTED
572 /* Free a given sPLT entry, or (if num == -1) all sPLT entries */
573 if (info_ptr->splt_palettes != NULL &&
574 ((mask & PNG_FREE_SPLT) & info_ptr->free_me) != 0)
575 {
576 if (num != -1)
577 {
578 png_free(png_ptr, info_ptr->splt_palettes[num].name);
579 png_free(png_ptr, info_ptr->splt_palettes[num].entries);
580 info_ptr->splt_palettes[num].name = NULL;
581 info_ptr->splt_palettes[num].entries = NULL;
582 }
583
584 else
585 {
586 int i;
587
588 for (i = 0; i < info_ptr->splt_palettes_num; i++)
589 {
590 png_free(png_ptr, info_ptr->splt_palettes[i].name);
591 png_free(png_ptr, info_ptr->splt_palettes[i].entries);
592 }
593
594 png_free(png_ptr, info_ptr->splt_palettes);
595 info_ptr->splt_palettes = NULL;
596 info_ptr->splt_palettes_num = 0;
597 info_ptr->valid &= ~PNG_INFO_sPLT;
598 }
599 }
600 #endif
601
602 #ifdef PNG_STORE_UNKNOWN_CHUNKS_SUPPORTED
603 if (info_ptr->unknown_chunks != NULL &&
604 ((mask & PNG_FREE_UNKN) & info_ptr->free_me) != 0)
605 {
606 if (num != -1)
607 {
608 png_free(png_ptr, info_ptr->unknown_chunks[num].data);
609 info_ptr->unknown_chunks[num].data = NULL;
610 }
611
612 else
613 {
614 int i;
615
616 for (i = 0; i < info_ptr->unknown_chunks_num; i++)
617 png_free(png_ptr, info_ptr->unknown_chunks[i].data);
618
619 png_free(png_ptr, info_ptr->unknown_chunks);
620 info_ptr->unknown_chunks = NULL;
621 info_ptr->unknown_chunks_num = 0;
622 }
623 }
624 #endif
625
626 #ifdef PNG_hIST_SUPPORTED
627 /* Free any hIST entry */
628 if (((mask & PNG_FREE_HIST) & info_ptr->free_me) != 0)
629 {
630 png_free(png_ptr, info_ptr->hist);
631 info_ptr->hist = NULL;
632 info_ptr->valid &= ~PNG_INFO_hIST;
633 }
634 #endif
635
636 /* Free any PLTE entry that was internally allocated */
637 if (((mask & PNG_FREE_PLTE) & info_ptr->free_me) != 0)
638 {
639 png_free(png_ptr, info_ptr->palette);
640 info_ptr->palette = NULL;
641 info_ptr->valid &= ~PNG_INFO_PLTE;
642 info_ptr->num_palette = 0;
643 }
644
645 #ifdef PNG_INFO_IMAGE_SUPPORTED
646 /* Free any image bits attached to the info structure */
647 if (((mask & PNG_FREE_ROWS) & info_ptr->free_me) != 0)
648 {
649 if (info_ptr->row_pointers != NULL)
650 {
651 png_uint_32 row;
652 for (row = 0; row < info_ptr->height; row++)
653 png_free(png_ptr, info_ptr->row_pointers[row]);
654
655 png_free(png_ptr, info_ptr->row_pointers);
656 info_ptr->row_pointers = NULL;
657 }
658 info_ptr->valid &= ~PNG_INFO_IDAT;
659 }
660 #endif
661
662 if (num != -1)
663 mask &= ~PNG_FREE_MUL;
664
665 info_ptr->free_me &= ~mask;
666 }
667 #endif /* READ || WRITE */
668
669 /* This function returns a pointer to the io_ptr associated with the user
670 * functions. The application should free any memory associated with this
671 * pointer before png_write_destroy() or png_read_destroy() are called.
672 */
673 png_voidp PNGAPI
674 png_get_io_ptr(png_const_structrp png_ptr)
675 {
676 if (png_ptr == NULL)
677 return (NULL);
678
679 return (png_ptr->io_ptr);
680 }
681
682 #if defined(PNG_READ_SUPPORTED) || defined(PNG_WRITE_SUPPORTED)
683 # ifdef PNG_STDIO_SUPPORTED
684 /* Initialize the default input/output functions for the PNG file. If you
685 * use your own read or write routines, you can call either png_set_read_fn()
686 * or png_set_write_fn() instead of png_init_io(). If you have defined
687 * PNG_NO_STDIO or otherwise disabled PNG_STDIO_SUPPORTED, you must use a
688 * function of your own because "FILE *" isn't necessarily available.
689 */
690 void PNGAPI
691 png_init_io(png_structrp png_ptr, png_FILE_p fp)
692 {
693 png_debug(1, "in png_init_io");
694
695 if (png_ptr == NULL)
696 return;
697
698 png_ptr->io_ptr = (png_voidp)fp;
699 }
700 # endif
701
702 # ifdef PNG_SAVE_INT_32_SUPPORTED
703 /* PNG signed integers are saved in 32-bit 2's complement format. ANSI C-90
704 * defines a cast of a signed integer to an unsigned integer either to preserve
705 * the value, if it is positive, or to calculate:
706 *
707 * (UNSIGNED_MAX+1) + integer
708 *
709 * Where UNSIGNED_MAX is the appropriate maximum unsigned value, so when the
710 * negative integral value is added the result will be an unsigned value
711 * correspnding to the 2's complement representation.
712 */
713 void PNGAPI
714 png_save_int_32(png_bytep buf, png_int_32 i)
715 {
716 png_save_uint_32(buf, (png_uint_32)i);
717 }
718 # endif
719
720 # ifdef PNG_TIME_RFC1123_SUPPORTED
721 /* Convert the supplied time into an RFC 1123 string suitable for use in
722 * a "Creation Time" or other text-based time string.
723 */
724 int PNGAPI
725 png_convert_to_rfc1123_buffer(char out[29], png_const_timep ptime)
726 {
727 static PNG_CONST char short_months[12][4] =
728 {"Jan", "Feb", "Mar", "Apr", "May", "Jun",
729 "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"};
730
731 if (out == NULL)
732 return 0;
733
734 if (ptime->year > 9999 /* RFC1123 limitation */ ||
735 ptime->month == 0 || ptime->month > 12 ||
736 ptime->day == 0 || ptime->day > 31 ||
737 ptime->hour > 23 || ptime->minute > 59 ||
738 ptime->second > 60)
739 return 0;
740
741 {
742 size_t pos = 0;
743 char number_buf[5]; /* enough for a four-digit year */
744
745 # define APPEND_STRING(string) pos = png_safecat(out, 29, pos, (string))
746 # define APPEND_NUMBER(format, value)\
747 APPEND_STRING(PNG_FORMAT_NUMBER(number_buf, format, (value)))
748 # define APPEND(ch) if (pos < 28) out[pos++] = (ch)
749
750 APPEND_NUMBER(PNG_NUMBER_FORMAT_u, (unsigned)ptime->day);
751 APPEND(' ');
752 APPEND_STRING(short_months[(ptime->month - 1)]);
753 APPEND(' ');
754 APPEND_NUMBER(PNG_NUMBER_FORMAT_u, ptime->year);
755 APPEND(' ');
756 APPEND_NUMBER(PNG_NUMBER_FORMAT_02u, (unsigned)ptime->hour);
757 APPEND(':');
758 APPEND_NUMBER(PNG_NUMBER_FORMAT_02u, (unsigned)ptime->minute);
759 APPEND(':');
760 APPEND_NUMBER(PNG_NUMBER_FORMAT_02u, (unsigned)ptime->second);
761 APPEND_STRING(" +0000"); /* This reliably terminates the buffer */
762 PNG_UNUSED (pos)
763
764 # undef APPEND
765 # undef APPEND_NUMBER
766 # undef APPEND_STRING
767 }
768
769 return 1;
770 }
771
772 # if PNG_LIBPNG_VER < 10700
773 /* To do: remove the following from libpng-1.7 */
774 /* Original API that uses a private buffer in png_struct.
775 * Deprecated because it causes png_struct to carry a spurious temporary
776 * buffer (png_struct::time_buffer), better to have the caller pass this in.
777 */
778 png_const_charp PNGAPI
779 png_convert_to_rfc1123(png_structrp png_ptr, png_const_timep ptime)
780 {
781 if (png_ptr != NULL)
782 {
783 /* The only failure above if png_ptr != NULL is from an invalid ptime */
784 if (png_convert_to_rfc1123_buffer(png_ptr->time_buffer, ptime) == 0)
785 png_warning(png_ptr, "Ignoring invalid time value");
786
787 else
788 return png_ptr->time_buffer;
789 }
790
791 return NULL;
792 }
793 # endif /* LIBPNG_VER < 10700 */
794 # endif /* TIME_RFC1123 */
795
796 #endif /* READ || WRITE */
797
798 png_const_charp PNGAPI
799 png_get_copyright(png_const_structrp png_ptr)
800 {
801 PNG_UNUSED(png_ptr) /* Silence compiler warning about unused png_ptr */
802 #ifdef PNG_STRING_COPYRIGHT
803 return PNG_STRING_COPYRIGHT
804 #else
805 # ifdef __STDC__
806 return PNG_STRING_NEWLINE \
807 "libpng version 1.6.28 - January 5, 2017" PNG_STRING_NEWLINE \
808 "Copyright (c) 1998-2002,2004,2006-2017 Glenn Randers-Pehrson" \
809 PNG_STRING_NEWLINE \
810 "Copyright (c) 1996-1997 Andreas Dilger" PNG_STRING_NEWLINE \
811 "Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc." \
812 PNG_STRING_NEWLINE;
813 # else
814 return "libpng version 1.6.28 - January 5, 2017\
815 Copyright (c) 1998-2002,2004,2006-2017 Glenn Randers-Pehrson\
816 Copyright (c) 1996-1997 Andreas Dilger\
817 Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc.";
818 # endif
819 #endif
820 }
821
822 /* The following return the library version as a short string in the
823 * format 1.0.0 through 99.99.99zz. To get the version of *.h files
824 * used with your application, print out PNG_LIBPNG_VER_STRING, which
825 * is defined in png.h.
826 * Note: now there is no difference between png_get_libpng_ver() and
827 * png_get_header_ver(). Due to the version_nn_nn_nn typedef guard,
828 * it is guaranteed that png.c uses the correct version of png.h.
829 */
830 png_const_charp PNGAPI
831 png_get_libpng_ver(png_const_structrp png_ptr)
832 {
833 /* Version of *.c files used when building libpng */
834 return png_get_header_ver(png_ptr);
835 }
836
837 png_const_charp PNGAPI
838 png_get_header_ver(png_const_structrp png_ptr)
839 {
840 /* Version of *.h files used when building libpng */
841 PNG_UNUSED(png_ptr) /* Silence compiler warning about unused png_ptr */
842 return PNG_LIBPNG_VER_STRING;
843 }
844
845 png_const_charp PNGAPI
846 png_get_header_version(png_const_structrp png_ptr)
847 {
848 /* Returns longer string containing both version and date */
849 PNG_UNUSED(png_ptr) /* Silence compiler warning about unused png_ptr */
850 #ifdef __STDC__
851 return PNG_HEADER_VERSION_STRING
852 # ifndef PNG_READ_SUPPORTED
853 " (NO READ SUPPORT)"
854 # endif
855 PNG_STRING_NEWLINE;
856 #else
857 return PNG_HEADER_VERSION_STRING;
858 #endif
859 }
860
861 #ifdef PNG_BUILD_GRAYSCALE_PALETTE_SUPPORTED
862 /* NOTE: this routine is not used internally! */
863 /* Build a grayscale palette. Palette is assumed to be 1 << bit_depth
864 * large of png_color. This lets grayscale images be treated as
865 * paletted. Most useful for gamma correction and simplification
866 * of code. This API is not used internally.
867 */
868 void PNGAPI
869 png_build_grayscale_palette(int bit_depth, png_colorp palette)
870 {
871 int num_palette;
872 int color_inc;
873 int i;
874 int v;
875
876 png_debug(1, "in png_do_build_grayscale_palette");
877
878 if (palette == NULL)
879 return;
880
881 switch (bit_depth)
882 {
883 case 1:
884 num_palette = 2;
885 color_inc = 0xff;
886 break;
887
888 case 2:
889 num_palette = 4;
890 color_inc = 0x55;
891 break;
892
893 case 4:
894 num_palette = 16;
895 color_inc = 0x11;
896 break;
897
898 case 8:
899 num_palette = 256;
900 color_inc = 1;
901 break;
902
903 default:
904 num_palette = 0;
905 color_inc = 0;
906 break;
907 }
908
909 for (i = 0, v = 0; i < num_palette; i++, v += color_inc)
910 {
911 palette[i].red = (png_byte)(v & 0xff);
912 palette[i].green = (png_byte)(v & 0xff);
913 palette[i].blue = (png_byte)(v & 0xff);
914 }
915 }
916 #endif
917
918 #ifdef PNG_SET_UNKNOWN_CHUNKS_SUPPORTED
919 int PNGAPI
920 png_handle_as_unknown(png_const_structrp png_ptr, png_const_bytep chunk_name)
921 {
922 /* Check chunk_name and return "keep" value if it's on the list, else 0 */
923 png_const_bytep p, p_end;
924
925 if (png_ptr == NULL || chunk_name == NULL || png_ptr->num_chunk_list == 0)
926 return PNG_HANDLE_CHUNK_AS_DEFAULT;
927
928 p_end = png_ptr->chunk_list;
929 p = p_end + png_ptr->num_chunk_list*5; /* beyond end */
930
931 /* The code is the fifth byte after each four byte string. Historically this
932 * code was always searched from the end of the list, this is no longer
933 * necessary because the 'set' routine handles duplicate entries correcty.
934 */
935 do /* num_chunk_list > 0, so at least one */
936 {
937 p -= 5;
938
939 if (memcmp(chunk_name, p, 4) == 0)
940 return p[4];
941 }
942 while (p > p_end);
943
944 /* This means that known chunks should be processed and unknown chunks should
945 * be handled according to the value of png_ptr->unknown_default; this can be
946 * confusing because, as a result, there are two levels of defaulting for
947 * unknown chunks.
948 */
949 return PNG_HANDLE_CHUNK_AS_DEFAULT;
950 }
951
952 #if defined(PNG_READ_UNKNOWN_CHUNKS_SUPPORTED) ||\
953 defined(PNG_HANDLE_AS_UNKNOWN_SUPPORTED)
954 int /* PRIVATE */
955 png_chunk_unknown_handling(png_const_structrp png_ptr, png_uint_32 chunk_name)
956 {
957 png_byte chunk_string[5];
958
959 PNG_CSTRING_FROM_CHUNK(chunk_string, chunk_name);
960 return png_handle_as_unknown(png_ptr, chunk_string);
961 }
962 #endif /* READ_UNKNOWN_CHUNKS || HANDLE_AS_UNKNOWN */
963 #endif /* SET_UNKNOWN_CHUNKS */
964
965 #ifdef PNG_READ_SUPPORTED
966 /* This function, added to libpng-1.0.6g, is untested. */
967 int PNGAPI
968 png_reset_zstream(png_structrp png_ptr)
969 {
970 if (png_ptr == NULL)
971 return Z_STREAM_ERROR;
972
973 /* WARNING: this resets the window bits to the maximum! */
974 return (inflateReset(&png_ptr->zstream));
975 }
976 #endif /* READ */
977
978 /* This function was added to libpng-1.0.7 */
979 png_uint_32 PNGAPI
980 png_access_version_number(void)
981 {
982 /* Version of *.c files used when building libpng */
983 return((png_uint_32)PNG_LIBPNG_VER);
984 }
985
986 #if defined(PNG_READ_SUPPORTED) || defined(PNG_WRITE_SUPPORTED)
987 /* Ensure that png_ptr->zstream.msg holds some appropriate error message string.
988 * If it doesn't 'ret' is used to set it to something appropriate, even in cases
989 * like Z_OK or Z_STREAM_END where the error code is apparently a success code.
990 */
991 void /* PRIVATE */
992 png_zstream_error(png_structrp png_ptr, int ret)
993 {
994 /* Translate 'ret' into an appropriate error string, priority is given to the
995 * one in zstream if set. This always returns a string, even in cases like
996 * Z_OK or Z_STREAM_END where the error code is a success code.
997 */
998 if (png_ptr->zstream.msg == NULL) switch (ret)
999 {
1000 default:
1001 case Z_OK:
1002 png_ptr->zstream.msg = PNGZ_MSG_CAST("unexpected zlib return code");
1003 break;
1004
1005 case Z_STREAM_END:
1006 /* Normal exit */
1007 png_ptr->zstream.msg = PNGZ_MSG_CAST("unexpected end of LZ stream");
1008 break;
1009
1010 case Z_NEED_DICT:
1011 /* This means the deflate stream did not have a dictionary; this
1012 * indicates a bogus PNG.
1013 */
1014 png_ptr->zstream.msg = PNGZ_MSG_CAST("missing LZ dictionary");
1015 break;
1016
1017 case Z_ERRNO:
1018 /* gz APIs only: should not happen */
1019 png_ptr->zstream.msg = PNGZ_MSG_CAST("zlib IO error");
1020 break;
1021
1022 case Z_STREAM_ERROR:
1023 /* internal libpng error */
1024 png_ptr->zstream.msg = PNGZ_MSG_CAST("bad parameters to zlib");
1025 break;
1026
1027 case Z_DATA_ERROR:
1028 png_ptr->zstream.msg = PNGZ_MSG_CAST("damaged LZ stream");
1029 break;
1030
1031 case Z_MEM_ERROR:
1032 png_ptr->zstream.msg = PNGZ_MSG_CAST("insufficient memory");
1033 break;
1034
1035 case Z_BUF_ERROR:
1036 /* End of input or output; not a problem if the caller is doing
1037 * incremental read or write.
1038 */
1039 png_ptr->zstream.msg = PNGZ_MSG_CAST("truncated");
1040 break;
1041
1042 case Z_VERSION_ERROR:
1043 png_ptr->zstream.msg = PNGZ_MSG_CAST("unsupported zlib version");
1044 break;
1045
1046 case PNG_UNEXPECTED_ZLIB_RETURN:
1047 /* Compile errors here mean that zlib now uses the value co-opted in
1048 * pngpriv.h for PNG_UNEXPECTED_ZLIB_RETURN; update the switch above
1049 * and change pngpriv.h. Note that this message is "... return",
1050 * whereas the default/Z_OK one is "... return code".
1051 */
1052 png_ptr->zstream.msg = PNGZ_MSG_CAST("unexpected zlib return");
1053 break;
1054 }
1055 }
1056
1057 /* png_convert_size: a PNGAPI but no longer in png.h, so deleted
1058 * at libpng 1.5.5!
1059 */
1060
1061 /* Added at libpng version 1.2.34 and 1.4.0 (moved from pngset.c) */
1062 #ifdef PNG_GAMMA_SUPPORTED /* always set if COLORSPACE */
1063 static int
1064 png_colorspace_check_gamma(png_const_structrp png_ptr,
1065 png_colorspacerp colorspace, png_fixed_point gAMA, int from)
1066 /* This is called to check a new gamma value against an existing one. The
1067 * routine returns false if the new gamma value should not be written.
1068 *
1069 * 'from' says where the new gamma value comes from:
1070 *
1071 * 0: the new gamma value is the libpng estimate for an ICC profile
1072 * 1: the new gamma value comes from a gAMA chunk
1073 * 2: the new gamma value comes from an sRGB chunk
1074 */
1075 {
1076 png_fixed_point gtest;
1077
1078 if ((colorspace->flags & PNG_COLORSPACE_HAVE_GAMMA) != 0 &&
1079 (png_muldiv(>est, colorspace->gamma, PNG_FP_1, gAMA) == 0 ||
1080 png_gamma_significant(gtest) != 0))
1081 {
1082 /* Either this is an sRGB image, in which case the calculated gamma
1083 * approximation should match, or this is an image with a profile and the
1084 * value libpng calculates for the gamma of the profile does not match the
1085 * value recorded in the file. The former, sRGB, case is an error, the
1086 * latter is just a warning.
1087 */
1088 if ((colorspace->flags & PNG_COLORSPACE_FROM_sRGB) != 0 || from == 2)
1089 {
1090 png_chunk_report(png_ptr, "gamma value does not match sRGB",
1091 PNG_CHUNK_ERROR);
1092 /* Do not overwrite an sRGB value */
1093 return from == 2;
1094 }
1095
1096 else /* sRGB tag not involved */
1097 {
1098 png_chunk_report(png_ptr, "gamma value does not match libpng estimate",
1099 PNG_CHUNK_WARNING);
1100 return from == 1;
1101 }
1102 }
1103
1104 return 1;
1105 }
1106
1107 void /* PRIVATE */
1108 png_colorspace_set_gamma(png_const_structrp png_ptr,
1109 png_colorspacerp colorspace, png_fixed_point gAMA)
1110 {
1111 /* Changed in libpng-1.5.4 to limit the values to ensure overflow can't
1112 * occur. Since the fixed point representation is asymetrical it is
1113 * possible for 1/gamma to overflow the limit of 21474 and this means the
1114 * gamma value must be at least 5/100000 and hence at most 20000.0. For
1115 * safety the limits here are a little narrower. The values are 0.00016 to
1116 * 6250.0, which are truly ridiculous gamma values (and will produce
1117 * displays that are all black or all white.)
1118 *
1119 * In 1.6.0 this test replaces the ones in pngrutil.c, in the gAMA chunk
1120 * handling code, which only required the value to be >0.
1121 */
1122 png_const_charp errmsg;
1123
1124 if (gAMA < 16 || gAMA > 625000000)
1125 errmsg = "gamma value out of range";
1126
1127 # ifdef PNG_READ_gAMA_SUPPORTED
1128 /* Allow the application to set the gamma value more than once */
1129 else if ((png_ptr->mode & PNG_IS_READ_STRUCT) != 0 &&
1130 (colorspace->flags & PNG_COLORSPACE_FROM_gAMA) != 0)
1131 errmsg = "duplicate";
1132 # endif
1133
1134 /* Do nothing if the colorspace is already invalid */
1135 else if ((colorspace->flags & PNG_COLORSPACE_INVALID) != 0)
1136 return;
1137
1138 else
1139 {
1140 if (png_colorspace_check_gamma(png_ptr, colorspace, gAMA,
1141 1/*from gAMA*/) != 0)
1142 {
1143 /* Store this gamma value. */
1144 colorspace->gamma = gAMA;
1145 colorspace->flags |=
1146 (PNG_COLORSPACE_HAVE_GAMMA | PNG_COLORSPACE_FROM_gAMA);
1147 }
1148
1149 /* At present if the check_gamma test fails the gamma of the colorspace is
1150 * not updated however the colorspace is not invalidated. This
1151 * corresponds to the case where the existing gamma comes from an sRGB
1152 * chunk or profile. An error message has already been output.
1153 */
1154 return;
1155 }
1156
1157 /* Error exit - errmsg has been set. */
1158 colorspace->flags |= PNG_COLORSPACE_INVALID;
1159 png_chunk_report(png_ptr, errmsg, PNG_CHUNK_WRITE_ERROR);
1160 }
1161
1162 void /* PRIVATE */
1163 png_colorspace_sync_info(png_const_structrp png_ptr, png_inforp info_ptr)
1164 {
1165 if ((info_ptr->colorspace.flags & PNG_COLORSPACE_INVALID) != 0)
1166 {
1167 /* Everything is invalid */
1168 info_ptr->valid &= ~(PNG_INFO_gAMA|PNG_INFO_cHRM|PNG_INFO_sRGB|
1169 PNG_INFO_iCCP);
1170
1171 # ifdef PNG_COLORSPACE_SUPPORTED
1172 /* Clean up the iCCP profile now if it won't be used. */
1173 png_free_data(png_ptr, info_ptr, PNG_FREE_ICCP, -1/*not used*/);
1174 # else
1175 PNG_UNUSED(png_ptr)
1176 # endif
1177 }
1178
1179 else
1180 {
1181 # ifdef PNG_COLORSPACE_SUPPORTED
1182 /* Leave the INFO_iCCP flag set if the pngset.c code has already set
1183 * it; this allows a PNG to contain a profile which matches sRGB and
1184 * yet still have that profile retrievable by the application.
1185 */
1186 if ((info_ptr->colorspace.flags & PNG_COLORSPACE_MATCHES_sRGB) != 0)
1187 info_ptr->valid |= PNG_INFO_sRGB;
1188
1189 else
1190 info_ptr->valid &= ~PNG_INFO_sRGB;
1191
1192 if ((info_ptr->colorspace.flags & PNG_COLORSPACE_HAVE_ENDPOINTS) != 0)
1193 info_ptr->valid |= PNG_INFO_cHRM;
1194
1195 else
1196 info_ptr->valid &= ~PNG_INFO_cHRM;
1197 # endif
1198
1199 if ((info_ptr->colorspace.flags & PNG_COLORSPACE_HAVE_GAMMA) != 0)
1200 info_ptr->valid |= PNG_INFO_gAMA;
1201
1202 else
1203 info_ptr->valid &= ~PNG_INFO_gAMA;
1204 }
1205 }
1206
1207 #ifdef PNG_READ_SUPPORTED
1208 void /* PRIVATE */
1209 png_colorspace_sync(png_const_structrp png_ptr, png_inforp info_ptr)
1210 {
1211 if (info_ptr == NULL) /* reduce code size; check here not in the caller */
1212 return;
1213
1214 info_ptr->colorspace = png_ptr->colorspace;
1215 png_colorspace_sync_info(png_ptr, info_ptr);
1216 }
1217 #endif
1218 #endif /* GAMMA */
1219
1220 #ifdef PNG_COLORSPACE_SUPPORTED
1221 /* Added at libpng-1.5.5 to support read and write of true CIEXYZ values for
1222 * cHRM, as opposed to using chromaticities. These internal APIs return
1223 * non-zero on a parameter error. The X, Y and Z values are required to be
1224 * positive and less than 1.0.
1225 */
1226 static int
1227 png_xy_from_XYZ(png_xy *xy, const png_XYZ *XYZ)
1228 {
1229 png_int_32 d, dwhite, whiteX, whiteY;
1230
1231 d = XYZ->red_X + XYZ->red_Y + XYZ->red_Z;
1232 if (png_muldiv(&xy->redx, XYZ->red_X, PNG_FP_1, d) == 0)
1233 return 1;
1234 if (png_muldiv(&xy->redy, XYZ->red_Y, PNG_FP_1, d) == 0)
1235 return 1;
1236 dwhite = d;
1237 whiteX = XYZ->red_X;
1238 whiteY = XYZ->red_Y;
1239
1240 d = XYZ->green_X + XYZ->green_Y + XYZ->green_Z;
1241 if (png_muldiv(&xy->greenx, XYZ->green_X, PNG_FP_1, d) == 0)
1242 return 1;
1243 if (png_muldiv(&xy->greeny, XYZ->green_Y, PNG_FP_1, d) == 0)
1244 return 1;
1245 dwhite += d;
1246 whiteX += XYZ->green_X;
1247 whiteY += XYZ->green_Y;
1248
1249 d = XYZ->blue_X + XYZ->blue_Y + XYZ->blue_Z;
1250 if (png_muldiv(&xy->bluex, XYZ->blue_X, PNG_FP_1, d) == 0)
1251 return 1;
1252 if (png_muldiv(&xy->bluey, XYZ->blue_Y, PNG_FP_1, d) == 0)
1253 return 1;
1254 dwhite += d;
1255 whiteX += XYZ->blue_X;
1256 whiteY += XYZ->blue_Y;
1257
1258 /* The reference white is simply the sum of the end-point (X,Y,Z) vectors,
1259 * thus:
1260 */
1261 if (png_muldiv(&xy->whitex, whiteX, PNG_FP_1, dwhite) == 0)
1262 return 1;
1263 if (png_muldiv(&xy->whitey, whiteY, PNG_FP_1, dwhite) == 0)
1264 return 1;
1265
1266 return 0;
1267 }
1268
1269 static int
1270 png_XYZ_from_xy(png_XYZ *XYZ, const png_xy *xy)
1271 {
1272 png_fixed_point red_inverse, green_inverse, blue_scale;
1273 png_fixed_point left, right, denominator;
1274
1275 /* Check xy and, implicitly, z. Note that wide gamut color spaces typically
1276 * have end points with 0 tristimulus values (these are impossible end
1277 * points, but they are used to cover the possible colors). We check
1278 * xy->whitey against 5, not 0, to avoid a possible integer overflow.
1279 */
1280 if (xy->redx < 0 || xy->redx > PNG_FP_1) return 1;
1281 if (xy->redy < 0 || xy->redy > PNG_FP_1-xy->redx) return 1;
1282 if (xy->greenx < 0 || xy->greenx > PNG_FP_1) return 1;
1283 if (xy->greeny < 0 || xy->greeny > PNG_FP_1-xy->greenx) return 1;
1284 if (xy->bluex < 0 || xy->bluex > PNG_FP_1) return 1;
1285 if (xy->bluey < 0 || xy->bluey > PNG_FP_1-xy->bluex) return 1;
1286 if (xy->whitex < 0 || xy->whitex > PNG_FP_1) return 1;
1287 if (xy->whitey < 5 || xy->whitey > PNG_FP_1-xy->whitex) return 1;
1288
1289 /* The reverse calculation is more difficult because the original tristimulus
1290 * value had 9 independent values (red,green,blue)x(X,Y,Z) however only 8
1291 * derived values were recorded in the cHRM chunk;
1292 * (red,green,blue,white)x(x,y). This loses one degree of freedom and
1293 * therefore an arbitrary ninth value has to be introduced to undo the
1294 * original transformations.
1295 *
1296 * Think of the original end-points as points in (X,Y,Z) space. The
1297 * chromaticity values (c) have the property:
1298 *
1299 * C
1300 * c = ---------
1301 * X + Y + Z
1302 *
1303 * For each c (x,y,z) from the corresponding original C (X,Y,Z). Thus the
1304 * three chromaticity values (x,y,z) for each end-point obey the
1305 * relationship:
1306 *
1307 * x + y + z = 1
1308 *
1309 * This describes the plane in (X,Y,Z) space that intersects each axis at the
1310 * value 1.0; call this the chromaticity plane. Thus the chromaticity
1311 * calculation has scaled each end-point so that it is on the x+y+z=1 plane
1312 * and chromaticity is the intersection of the vector from the origin to the
1313 * (X,Y,Z) value with the chromaticity plane.
1314 *
1315 * To fully invert the chromaticity calculation we would need the three
1316 * end-point scale factors, (red-scale, green-scale, blue-scale), but these
1317 * were not recorded. Instead we calculated the reference white (X,Y,Z) and
1318 * recorded the chromaticity of this. The reference white (X,Y,Z) would have
1319 * given all three of the scale factors since:
1320 *
1321 * color-C = color-c * color-scale
1322 * white-C = red-C + green-C + blue-C
1323 * = red-c*red-scale + green-c*green-scale + blue-c*blue-scale
1324 *
1325 * But cHRM records only white-x and white-y, so we have lost the white scale
1326 * factor:
1327 *
1328 * white-C = white-c*white-scale
1329 *
1330 * To handle this the inverse transformation makes an arbitrary assumption
1331 * about white-scale:
1332 *
1333 * Assume: white-Y = 1.0
1334 * Hence: white-scale = 1/white-y
1335 * Or: red-Y + green-Y + blue-Y = 1.0
1336 *
1337 * Notice the last statement of the assumption gives an equation in three of
1338 * the nine values we want to calculate. 8 more equations come from the
1339 * above routine as summarised at the top above (the chromaticity
1340 * calculation):
1341 *
1342 * Given: color-x = color-X / (color-X + color-Y + color-Z)
1343 * Hence: (color-x - 1)*color-X + color.x*color-Y + color.x*color-Z = 0
1344 *
1345 * This is 9 simultaneous equations in the 9 variables "color-C" and can be
1346 * solved by Cramer's rule. Cramer's rule requires calculating 10 9x9 matrix
1347 * determinants, however this is not as bad as it seems because only 28 of
1348 * the total of 90 terms in the various matrices are non-zero. Nevertheless
1349 * Cramer's rule is notoriously numerically unstable because the determinant
1350 * calculation involves the difference of large, but similar, numbers. It is
1351 * difficult to be sure that the calculation is stable for real world values
1352 * and it is certain that it becomes unstable where the end points are close
1353 * together.
1354 *
1355 * So this code uses the perhaps slightly less optimal but more
1356 * understandable and totally obvious approach of calculating color-scale.
1357 *
1358 * This algorithm depends on the precision in white-scale and that is
1359 * (1/white-y), so we can immediately see that as white-y approaches 0 the
1360 * accuracy inherent in the cHRM chunk drops off substantially.
1361 *
1362 * libpng arithmetic: a simple inversion of the above equations
1363 * ------------------------------------------------------------
1364 *
1365 * white_scale = 1/white-y
1366 * white-X = white-x * white-scale
1367 * white-Y = 1.0
1368 * white-Z = (1 - white-x - white-y) * white_scale
1369 *
1370 * white-C = red-C + green-C + blue-C
1371 * = red-c*red-scale + green-c*green-scale + blue-c*blue-scale
1372 *
1373 * This gives us three equations in (red-scale,green-scale,blue-scale) where
1374 * all the coefficients are now known:
1375 *
1376 * red-x*red-scale + green-x*green-scale + blue-x*blue-scale
1377 * = white-x/white-y
1378 * red-y*red-scale + green-y*green-scale + blue-y*blue-scale = 1
1379 * red-z*red-scale + green-z*green-scale + blue-z*blue-scale
1380 * = (1 - white-x - white-y)/white-y
1381 *
1382 * In the last equation color-z is (1 - color-x - color-y) so we can add all
1383 * three equations together to get an alternative third:
1384 *
1385 * red-scale + green-scale + blue-scale = 1/white-y = white-scale
1386 *
1387 * So now we have a Cramer's rule solution where the determinants are just
1388 * 3x3 - far more tractible. Unfortunately 3x3 determinants still involve
1389 * multiplication of three coefficients so we can't guarantee to avoid
1390 * overflow in the libpng fixed point representation. Using Cramer's rule in
1391 * floating point is probably a good choice here, but it's not an option for
1392 * fixed point. Instead proceed to simplify the first two equations by
1393 * eliminating what is likely to be the largest value, blue-scale:
1394 *
1395 * blue-scale = white-scale - red-scale - green-scale
1396 *
1397 * Hence:
1398 *
1399 * (red-x - blue-x)*red-scale + (green-x - blue-x)*green-scale =
1400 * (white-x - blue-x)*white-scale
1401 *
1402 * (red-y - blue-y)*red-scale + (green-y - blue-y)*green-scale =
1403 * 1 - blue-y*white-scale
1404 *
1405 * And now we can trivially solve for (red-scale,green-scale):
1406 *
1407 * green-scale =
1408 * (white-x - blue-x)*white-scale - (red-x - blue-x)*red-scale
1409 * -----------------------------------------------------------
1410 * green-x - blue-x
1411 *
1412 * red-scale =
1413 * 1 - blue-y*white-scale - (green-y - blue-y) * green-scale
1414 * ---------------------------------------------------------
1415 * red-y - blue-y
1416 *
1417 * Hence:
1418 *
1419 * red-scale =
1420 * ( (green-x - blue-x) * (white-y - blue-y) -
1421 * (green-y - blue-y) * (white-x - blue-x) ) / white-y
1422 * -------------------------------------------------------------------------
1423 * (green-x - blue-x)*(red-y - blue-y)-(green-y - blue-y)*(red-x - blue-x)
1424 *
1425 * green-scale =
1426 * ( (red-y - blue-y) * (white-x - blue-x) -
1427 * (red-x - blue-x) * (white-y - blue-y) ) / white-y
1428 * -------------------------------------------------------------------------
1429 * (green-x - blue-x)*(red-y - blue-y)-(green-y - blue-y)*(red-x - blue-x)
1430 *
1431 * Accuracy:
1432 * The input values have 5 decimal digits of accuracy. The values are all in
1433 * the range 0 < value < 1, so simple products are in the same range but may
1434 * need up to 10 decimal digits to preserve the original precision and avoid
1435 * underflow. Because we are using a 32-bit signed representation we cannot
1436 * match this; the best is a little over 9 decimal digits, less than 10.
1437 *
1438 * The approach used here is to preserve the maximum precision within the
1439 * signed representation. Because the red-scale calculation above uses the
1440 * difference between two products of values that must be in the range -1..+1
1441 * it is sufficient to divide the product by 7; ceil(100,000/32767*2). The
1442 * factor is irrelevant in the calculation because it is applied to both
1443 * numerator and denominator.
1444 *
1445 * Note that the values of the differences of the products of the
1446 * chromaticities in the above equations tend to be small, for example for
1447 * the sRGB chromaticities they are:
1448 *
1449 * red numerator: -0.04751
1450 * green numerator: -0.08788
1451 * denominator: -0.2241 (without white-y multiplication)
1452 *
1453 * The resultant Y coefficients from the chromaticities of some widely used
1454 * color space definitions are (to 15 decimal places):
1455 *
1456 * sRGB
1457 * 0.212639005871510 0.715168678767756 0.072192315360734
1458 * Kodak ProPhoto
1459 * 0.288071128229293 0.711843217810102 0.000085653960605
1460 * Adobe RGB
1461 * 0.297344975250536 0.627363566255466 0.075291458493998
1462 * Adobe Wide Gamut RGB
1463 * 0.258728243040113 0.724682314948566 0.016589442011321
1464 */
1465 /* By the argument, above overflow should be impossible here. The return
1466 * value of 2 indicates an internal error to the caller.
1467 */
1468 if (png_muldiv(&left, xy->greenx-xy->bluex, xy->redy - xy->bluey, 7) == 0)
1469 return 2;
1470 if (png_muldiv(&right, xy->greeny-xy->bluey, xy->redx - xy->bluex, 7) == 0)
1471 return 2;
1472 denominator = left - right;
1473
1474 /* Now find the red numerator. */
1475 if (png_muldiv(&left, xy->greenx-xy->bluex, xy->whitey-xy->bluey, 7) == 0)
1476 return 2;
1477 if (png_muldiv(&right, xy->greeny-xy->bluey, xy->whitex-xy->bluex, 7) == 0)
1478 return 2;
1479
1480 /* Overflow is possible here and it indicates an extreme set of PNG cHRM
1481 * chunk values. This calculation actually returns the reciprocal of the
1482 * scale value because this allows us to delay the multiplication of white-y
1483 * into the denominator, which tends to produce a small number.
1484 */
1485 if (png_muldiv(&red_inverse, xy->whitey, denominator, left-right) == 0 ||
1486 red_inverse <= xy->whitey /* r+g+b scales = white scale */)
1487 return 1;
1488
1489 /* Similarly for green_inverse: */
1490 if (png_muldiv(&left, xy->redy-xy->bluey, xy->whitex-xy->bluex, 7) == 0)
1491 return 2;
1492 if (png_muldiv(&right, xy->redx-xy->bluex, xy->whitey-xy->bluey, 7) == 0)
1493 return 2;
1494 if (png_muldiv(&green_inverse, xy->whitey, denominator, left-right) == 0 ||
1495 green_inverse <= xy->whitey)
1496 return 1;
1497
1498 /* And the blue scale, the checks above guarantee this can't overflow but it
1499 * can still produce 0 for extreme cHRM values.
1500 */
1501 blue_scale = png_reciprocal(xy->whitey) - png_reciprocal(red_inverse) -
1502 png_reciprocal(green_inverse);
1503 if (blue_scale <= 0)
1504 return 1;
1505
1506
1507 /* And fill in the png_XYZ: */
1508 if (png_muldiv(&XYZ->red_X, xy->redx, PNG_FP_1, red_inverse) == 0)
1509 return 1;
1510 if (png_muldiv(&XYZ->red_Y, xy->redy, PNG_FP_1, red_inverse) == 0)
1511 return 1;
1512 if (png_muldiv(&XYZ->red_Z, PNG_FP_1 - xy->redx - xy->redy, PNG_FP_1,
1513 red_inverse) == 0)
1514 return 1;
1515
1516 if (png_muldiv(&XYZ->green_X, xy->greenx, PNG_FP_1, green_inverse) == 0)
1517 return 1;
1518 if (png_muldiv(&XYZ->green_Y, xy->greeny, PNG_FP_1, green_inverse) == 0)
1519 return 1;
1520 if (png_muldiv(&XYZ->green_Z, PNG_FP_1 - xy->greenx - xy->greeny, PNG_FP_1,
1521 green_inverse) == 0)
1522 return 1;
1523
1524 if (png_muldiv(&XYZ->blue_X, xy->bluex, blue_scale, PNG_FP_1) == 0)
1525 return 1;
1526 if (png_muldiv(&XYZ->blue_Y, xy->bluey, blue_scale, PNG_FP_1) == 0)
1527 return 1;
1528 if (png_muldiv(&XYZ->blue_Z, PNG_FP_1 - xy->bluex - xy->bluey, blue_scale,
1529 PNG_FP_1) == 0)
1530 return 1;
1531
1532 return 0; /*success*/
1533 }
1534
1535 static int
1536 png_XYZ_normalize(png_XYZ *XYZ)
1537 {
1538 png_int_32 Y;
1539
1540 if (XYZ->red_Y < 0 || XYZ->green_Y < 0 || XYZ->blue_Y < 0 ||
1541 XYZ->red_X < 0 || XYZ->green_X < 0 || XYZ->blue_X < 0 ||
1542 XYZ->red_Z < 0 || XYZ->green_Z < 0 || XYZ->blue_Z < 0)
1543 return 1;
1544
1545 /* Normalize by scaling so the sum of the end-point Y values is PNG_FP_1.
1546 * IMPLEMENTATION NOTE: ANSI requires signed overflow not to occur, therefore
1547 * relying on addition of two positive values producing a negative one is not
1548 * safe.
1549 */
1550 Y = XYZ->red_Y;
1551 if (0x7fffffff - Y < XYZ->green_X)
1552 return 1;
1553 Y += XYZ->green_Y;
1554 if (0x7fffffff - Y < XYZ->blue_X)
1555 return 1;
1556 Y += XYZ->blue_Y;
1557
1558 if (Y != PNG_FP_1)
1559 {
1560 if (png_muldiv(&XYZ->red_X, XYZ->red_X, PNG_FP_1, Y) == 0)
1561 return 1;
1562 if (png_muldiv(&XYZ->red_Y, XYZ->red_Y, PNG_FP_1, Y) == 0)
1563 return 1;
1564 if (png_muldiv(&XYZ->red_Z, XYZ->red_Z, PNG_FP_1, Y) == 0)
1565 return 1;
1566
1567 if (png_muldiv(&XYZ->green_X, XYZ->green_X, PNG_FP_1, Y) == 0)
1568 return 1;
1569 if (png_muldiv(&XYZ->green_Y, XYZ->green_Y, PNG_FP_1, Y) == 0)
1570 return 1;
1571 if (png_muldiv(&XYZ->green_Z, XYZ->green_Z, PNG_FP_1, Y) == 0)
1572 return 1;
1573
1574 if (png_muldiv(&XYZ->blue_X, XYZ->blue_X, PNG_FP_1, Y) == 0)
1575 return 1;
1576 if (png_muldiv(&XYZ->blue_Y, XYZ->blue_Y, PNG_FP_1, Y) == 0)
1577 return 1;
1578 if (png_muldiv(&XYZ->blue_Z, XYZ->blue_Z, PNG_FP_1, Y) == 0)
1579 return 1;
1580 }
1581
1582 return 0;
1583 }
1584
1585 static int
1586 png_colorspace_endpoints_match(const png_xy *xy1, const png_xy *xy2, int delta)
1587 {
1588 /* Allow an error of +/-0.01 (absolute value) on each chromaticity */
1589 if (PNG_OUT_OF_RANGE(xy1->whitex, xy2->whitex,delta) ||
1590 PNG_OUT_OF_RANGE(xy1->whitey, xy2->whitey,delta) ||
1591 PNG_OUT_OF_RANGE(xy1->redx, xy2->redx, delta) ||
1592 PNG_OUT_OF_RANGE(xy1->redy, xy2->redy, delta) ||
1593 PNG_OUT_OF_RANGE(xy1->greenx, xy2->greenx,delta) ||
1594 PNG_OUT_OF_RANGE(xy1->greeny, xy2->greeny,delta) ||
1595 PNG_OUT_OF_RANGE(xy1->bluex, xy2->bluex, delta) ||
1596 PNG_OUT_OF_RANGE(xy1->bluey, xy2->bluey, delta))
1597 return 0;
1598 return 1;
1599 }
1600
1601 /* Added in libpng-1.6.0, a different check for the validity of a set of cHRM
1602 * chunk chromaticities. Earlier checks used to simply look for the overflow
1603 * condition (where the determinant of the matrix to solve for XYZ ends up zero
1604 * because the chromaticity values are not all distinct.) Despite this it is
1605 * theoretically possible to produce chromaticities that are apparently valid
1606 * but that rapidly degrade to invalid, potentially crashing, sets because of
1607 * arithmetic inaccuracies when calculations are performed on them. The new
1608 * check is to round-trip xy -> XYZ -> xy and then check that the result is
1609 * within a small percentage of the original.
1610 */
1611 static int
1612 png_colorspace_check_xy(png_XYZ *XYZ, const png_xy *xy)
1613 {
1614 int result;
1615 png_xy xy_test;
1616
1617 /* As a side-effect this routine also returns the XYZ endpoints. */
1618 result = png_XYZ_from_xy(XYZ, xy);
1619 if (result != 0)
1620 return result;
1621
1622 result = png_xy_from_XYZ(&xy_test, XYZ);
1623 if (result != 0)
1624 return result;
1625
1626 if (png_colorspace_endpoints_match(xy, &xy_test,
1627 5/*actually, the math is pretty accurate*/) != 0)
1628 return 0;
1629
1630 /* Too much slip */
1631 return 1;
1632 }
1633
1634 /* This is the check going the other way. The XYZ is modified to normalize it
1635 * (another side-effect) and the xy chromaticities are returned.
1636 */
1637 static int
1638 png_colorspace_check_XYZ(png_xy *xy, png_XYZ *XYZ)
1639 {
1640 int result;
1641 png_XYZ XYZtemp;
1642
1643 result = png_XYZ_normalize(XYZ);
1644 if (result != 0)
1645 return result;
1646
1647 result = png_xy_from_XYZ(xy, XYZ);
1648 if (result != 0)
1649 return result;
1650
1651 XYZtemp = *XYZ;
1652 return png_colorspace_check_xy(&XYZtemp, xy);
1653 }
1654
1655 /* Used to check for an endpoint match against sRGB */
1656 static const png_xy sRGB_xy = /* From ITU-R BT.709-3 */
1657 {
1658 /* color x y */
1659 /* red */ 64000, 33000,
1660 /* green */ 30000, 60000,
1661 /* blue */ 15000, 6000,
1662 /* white */ 31270, 32900
1663 };
1664
1665 static int
1666 png_colorspace_set_xy_and_XYZ(png_const_structrp png_ptr,
1667 png_colorspacerp colorspace, const png_xy *xy, const png_XYZ *XYZ,
1668 int preferred)
1669 {
1670 if ((colorspace->flags & PNG_COLORSPACE_INVALID) != 0)
1671 return 0;
1672
1673 /* The consistency check is performed on the chromaticities; this factors out
1674 * variations because of the normalization (or not) of the end point Y
1675 * values.
1676 */
1677 if (preferred < 2 &&
1678 (colorspace->flags & PNG_COLORSPACE_HAVE_ENDPOINTS) != 0)
1679 {
1680 /* The end points must be reasonably close to any we already have. The
1681 * following allows an error of up to +/-.001
1682 */
1683 if (png_colorspace_endpoints_match(xy, &colorspace->end_points_xy,
1684 100) == 0)
1685 {
1686 colorspace->flags |= PNG_COLORSPACE_INVALID;
1687 png_benign_error(png_ptr, "inconsistent chromaticities");
1688 return 0; /* failed */
1689 }
1690
1691 /* Only overwrite with preferred values */
1692 if (preferred == 0)
1693 return 1; /* ok, but no change */
1694 }
1695
1696 colorspace->end_points_xy = *xy;
1697 colorspace->end_points_XYZ = *XYZ;
1698 colorspace->flags |= PNG_COLORSPACE_HAVE_ENDPOINTS;
1699
1700 /* The end points are normally quoted to two decimal digits, so allow +/-0.01
1701 * on this test.
1702 */
1703 if (png_colorspace_endpoints_match(xy, &sRGB_xy, 1000) != 0)
1704 colorspace->flags |= PNG_COLORSPACE_ENDPOINTS_MATCH_sRGB;
1705
1706 else
1707 colorspace->flags &= PNG_COLORSPACE_CANCEL(
1708 PNG_COLORSPACE_ENDPOINTS_MATCH_sRGB);
1709
1710 return 2; /* ok and changed */
1711 }
1712
1713 int /* PRIVATE */
1714 png_colorspace_set_chromaticities(png_const_structrp png_ptr,
1715 png_colorspacerp colorspace, const png_xy *xy, int preferred)
1716 {
1717 /* We must check the end points to ensure they are reasonable - in the past
1718 * color management systems have crashed as a result of getting bogus
1719 * colorant values, while this isn't the fault of libpng it is the
1720 * responsibility of libpng because PNG carries the bomb and libpng is in a
1721 * position to protect against it.
1722 */
1723 png_XYZ XYZ;
1724
1725 switch (png_colorspace_check_xy(&XYZ, xy))
1726 {
1727 case 0: /* success */
1728 return png_colorspace_set_xy_and_XYZ(png_ptr, colorspace, xy, &XYZ,
1729 preferred);
1730
1731 case 1:
1732 /* We can't invert the chromaticities so we can't produce value XYZ
1733 * values. Likely as not a color management system will fail too.
1734 */
1735 colorspace->flags |= PNG_COLORSPACE_INVALID;
1736 png_benign_error(png_ptr, "invalid chromaticities");
1737 break;
1738
1739 default:
1740 /* libpng is broken; this should be a warning but if it happens we
1741 * want error reports so for the moment it is an error.
1742 */
1743 colorspace->flags |= PNG_COLORSPACE_INVALID;
1744 png_error(png_ptr, "internal error checking chromaticities");
1745 }
1746
1747 return 0; /* failed */
1748 }
1749
1750 int /* PRIVATE */
1751 png_colorspace_set_endpoints(png_const_structrp png_ptr,
1752 png_colorspacerp colorspace, const png_XYZ *XYZ_in, int preferred)
1753 {
1754 png_XYZ XYZ = *XYZ_in;
1755 png_xy xy;
1756
1757 switch (png_colorspace_check_XYZ(&xy, &XYZ))
1758 {
1759 case 0:
1760 return png_colorspace_set_xy_and_XYZ(png_ptr, colorspace, &xy, &XYZ,
1761 preferred);
1762
1763 case 1:
1764 /* End points are invalid. */
1765 colorspace->flags |= PNG_COLORSPACE_INVALID;
1766 png_benign_error(png_ptr, "invalid end points");
1767 break;
1768
1769 default:
1770 colorspace->flags |= PNG_COLORSPACE_INVALID;
1771 png_error(png_ptr, "internal error checking chromaticities");
1772 }
1773
1774 return 0; /* failed */
1775 }
1776
1777 #if defined(PNG_sRGB_SUPPORTED) || defined(PNG_iCCP_SUPPORTED)
1778 /* Error message generation */
1779 static char
1780 png_icc_tag_char(png_uint_32 byte)
1781 {
1782 byte &= 0xff;
1783 if (byte >= 32 && byte <= 126)
1784 return (char)byte;
1785 else
1786 return '?';
1787 }
1788
1789 static void
1790 png_icc_tag_name(char *name, png_uint_32 tag)
1791 {
1792 name[0] = '\'';
1793 name[1] = png_icc_tag_char(tag >> 24);
1794 name[2] = png_icc_tag_char(tag >> 16);
1795 name[3] = png_icc_tag_char(tag >> 8);
1796 name[4] = png_icc_tag_char(tag );
1797 name[5] = '\'';
1798 }
1799
1800 static int
1801 is_ICC_signature_char(png_alloc_size_t it)
1802 {
1803 return it == 32 || (it >= 48 && it <= 57) || (it >= 65 && it <= 90) ||
1804 (it >= 97 && it <= 122);
1805 }
1806
1807 static int
1808 is_ICC_signature(png_alloc_size_t it)
1809 {
1810 return is_ICC_signature_char(it >> 24) /* checks all the top bits */ &&
1811 is_ICC_signature_char((it >> 16) & 0xff) &&
1812 is_ICC_signature_char((it >> 8) & 0xff) &&
1813 is_ICC_signature_char(it & 0xff);
1814 }
1815
1816 static int
1817 png_icc_profile_error(png_const_structrp png_ptr, png_colorspacerp colorspace,
1818 png_const_charp name, png_alloc_size_t value, png_const_charp reason)
1819 {
1820 size_t pos;
1821 char message[196]; /* see below for calculation */
1822
1823 if (colorspace != NULL)
1824 colorspace->flags |= PNG_COLORSPACE_INVALID;
1825
1826 pos = png_safecat(message, (sizeof message), 0, "profile '"); /* 9 chars */
1827 pos = png_safecat(message, pos+79, pos, name); /* Truncate to 79 chars */
1828 pos = png_safecat(message, (sizeof message), pos, "': "); /* +2 = 90 */
1829 if (is_ICC_signature(value) != 0)
1830 {
1831 /* So 'value' is at most 4 bytes and the following cast is safe */
1832 png_icc_tag_name(message+pos, (png_uint_32)value);
1833 pos += 6; /* total +8; less than the else clause */
1834 message[pos++] = ':';
1835 message[pos++] = ' ';
1836 }
1837 # ifdef PNG_WARNINGS_SUPPORTED
1838 else
1839 {
1840 char number[PNG_NUMBER_BUFFER_SIZE]; /* +24 = 114*/
1841
1842 pos = png_safecat(message, (sizeof message), pos,
1843 png_format_number(number, number+(sizeof number),
1844 PNG_NUMBER_FORMAT_x, value));
1845 pos = png_safecat(message, (sizeof message), pos, "h: "); /*+2 = 116*/
1846 }
1847 # endif
1848 /* The 'reason' is an arbitrary message, allow +79 maximum 195 */
1849 pos = png_safecat(message, (sizeof message), pos, reason);
1850 PNG_UNUSED(pos)
1851
1852 /* This is recoverable, but make it unconditionally an app_error on write to
1853 * avoid writing invalid ICC profiles into PNG files (i.e., we handle them
1854 * on read, with a warning, but on write unless the app turns off
1855 * application errors the PNG won't be written.)
1856 */
1857 png_chunk_report(png_ptr, message,
1858 (colorspace != NULL) ? PNG_CHUNK_ERROR : PNG_CHUNK_WRITE_ERROR);
1859
1860 return 0;
1861 }
1862 #endif /* sRGB || iCCP */
1863
1864 #ifdef PNG_sRGB_SUPPORTED
1865 int /* PRIVATE */
1866 png_colorspace_set_sRGB(png_const_structrp png_ptr, png_colorspacerp colorspace,
1867 int intent)
1868 {
1869 /* sRGB sets known gamma, end points and (from the chunk) intent. */
1870 /* IMPORTANT: these are not necessarily the values found in an ICC profile
1871 * because ICC profiles store values adapted to a D50 environment; it is
1872 * expected that the ICC profile mediaWhitePointTag will be D50; see the
1873 * checks and code elsewhere to understand this better.
1874 *
1875 * These XYZ values, which are accurate to 5dp, produce rgb to gray
1876 * coefficients of (6968,23435,2366), which are reduced (because they add up
1877 * to 32769 not 32768) to (6968,23434,2366). These are the values that
1878 * libpng has traditionally used (and are the best values given the 15bit
1879 * algorithm used by the rgb to gray code.)
1880 */
1881 static const png_XYZ sRGB_XYZ = /* D65 XYZ (*not* the D50 adapted values!) */
1882 {
1883 /* color X Y Z */
1884 /* red */ 41239, 21264, 1933,
1885 /* green */ 35758, 71517, 11919,
1886 /* blue */ 18048, 7219, 95053
1887 };
1888
1889 /* Do nothing if the colorspace is already invalidated. */
1890 if ((colorspace->flags & PNG_COLORSPACE_INVALID) != 0)
1891 return 0;
1892
1893 /* Check the intent, then check for existing settings. It is valid for the
1894 * PNG file to have cHRM or gAMA chunks along with sRGB, but the values must
1895 * be consistent with the correct values. If, however, this function is
1896 * called below because an iCCP chunk matches sRGB then it is quite
1897 * conceivable that an older app recorded incorrect gAMA and cHRM because of
1898 * an incorrect calculation based on the values in the profile - this does
1899 * *not* invalidate the profile (though it still produces an error, which can
1900 * be ignored.)
1901 */
1902 if (intent < 0 || intent >= PNG_sRGB_INTENT_LAST)
1903 return png_icc_profile_error(png_ptr, colorspace, "sRGB",
1904 (unsigned)intent, "invalid sRGB rendering intent");
1905
1906 if ((colorspace->flags & PNG_COLORSPACE_HAVE_INTENT) != 0 &&
1907 colorspace->rendering_intent != intent)
1908 return png_icc_profile_error(png_ptr, colorspace, "sRGB",
1909 (unsigned)intent, "inconsistent rendering intents");
1910
1911 if ((colorspace->flags & PNG_COLORSPACE_FROM_sRGB) != 0)
1912 {
1913 png_benign_error(png_ptr, "duplicate sRGB information ignored");
1914 return 0;
1915 }
1916
1917 /* If the standard sRGB cHRM chunk does not match the one from the PNG file
1918 * warn but overwrite the value with the correct one.
1919 */
1920 if ((colorspace->flags & PNG_COLORSPACE_HAVE_ENDPOINTS) != 0 &&
1921 !png_colorspace_endpoints_match(&sRGB_xy, &colorspace->end_points_xy,
1922 100))
1923 png_chunk_report(png_ptr, "cHRM chunk does not match sRGB",
1924 PNG_CHUNK_ERROR);
1925
1926 /* This check is just done for the error reporting - the routine always
1927 * returns true when the 'from' argument corresponds to sRGB (2).
1928 */
1929 (void)png_colorspace_check_gamma(png_ptr, colorspace, PNG_GAMMA_sRGB_INVERSE,
1930 2/*from sRGB*/);
1931
1932 /* intent: bugs in GCC force 'int' to be used as the parameter type. */
1933 colorspace->rendering_intent = (png_uint_16)intent;
1934 colorspace->flags |= PNG_COLORSPACE_HAVE_INTENT;
1935
1936 /* endpoints */
1937 colorspace->end_points_xy = sRGB_xy;
1938 colorspace->end_points_XYZ = sRGB_XYZ;
1939 colorspace->flags |=
1940 (PNG_COLORSPACE_HAVE_ENDPOINTS|PNG_COLORSPACE_ENDPOINTS_MATCH_sRGB);
1941
1942 /* gamma */
1943 colorspace->gamma = PNG_GAMMA_sRGB_INVERSE;
1944 colorspace->flags |= PNG_COLORSPACE_HAVE_GAMMA;
1945
1946 /* Finally record that we have an sRGB profile */
1947 colorspace->flags |=
1948 (PNG_COLORSPACE_MATCHES_sRGB|PNG_COLORSPACE_FROM_sRGB);
1949
1950 return 1; /* set */
1951 }
1952 #endif /* sRGB */
1953
1954 #ifdef PNG_iCCP_SUPPORTED
1955 /* Encoded value of D50 as an ICC XYZNumber. From the ICC 2010 spec the value
1956 * is XYZ(0.9642,1.0,0.8249), which scales to:
1957 *
1958 * (63189.8112, 65536, 54060.6464)
1959 */
1960 static const png_byte D50_nCIEXYZ[12] =
1961 { 0x00, 0x00, 0xf6, 0xd6, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0xd3, 0x2d };
1962
1963 static int /* bool */
1964 icc_check_length(png_const_structrp png_ptr, png_colorspacerp colorspace,
1965 png_const_charp name, png_uint_32 profile_length)
1966 {
1967 if (profile_length < 132)
1968 return png_icc_profile_error(png_ptr, colorspace, name, profile_length,
1969 "too short");
1970
1971 return 1;
1972 }
1973
1974 #ifdef PNG_READ_iCCP_SUPPORTED
1975 int /* PRIVATE */
1976 png_icc_check_length(png_const_structrp png_ptr, png_colorspacerp colorspace,
1977 png_const_charp name, png_uint_32 profile_length)
1978 {
1979 if (!icc_check_length(png_ptr, colorspace, name, profile_length))
1980 return 0;
1981
1982 /* This needs to be here because the 'normal' check is in
1983 * png_decompress_chunk, yet this happens after the attempt to
1984 * png_malloc_base the required data. We only need this on read; on write
1985 * the caller supplies the profile buffer so libpng doesn't allocate it. See
1986 * the call to icc_check_length below (the write case).
1987 */
1988 # ifdef PNG_SET_USER_LIMITS_SUPPORTED
1989 else if (png_ptr->user_chunk_malloc_max > 0 &&
1990 png_ptr->user_chunk_malloc_max < profile_length)
1991 return png_icc_profile_error(png_ptr, colorspace, name, profile_length,
1992 "exceeds application limits");
1993 # elif PNG_USER_CHUNK_MALLOC_MAX > 0
1994 else if (PNG_USER_CHUNK_MALLOC_MAX < profile_length)
1995 return png_icc_profile_error(png_ptr, colorspace, name, profile_length,
1996 "exceeds libpng limits");
1997 # else /* !SET_USER_LIMITS */
1998 /* This will get compiled out on all 32-bit and better systems. */
1999 else if (PNG_SIZE_MAX < profile_length)
2000 return png_icc_profile_error(png_ptr, colorspace, name, profile_length,
2001 "exceeds system limits");
2002 # endif /* !SET_USER_LIMITS */
2003
2004 return 1;
2005 }
2006 #endif /* READ_iCCP */
2007
2008 int /* PRIVATE */
2009 png_icc_check_header(png_const_structrp png_ptr, png_colorspacerp colorspace,
2010 png_const_charp name, png_uint_32 profile_length,
2011 png_const_bytep profile/* first 132 bytes only */, int color_type)
2012 {
2013 png_uint_32 temp;
2014
2015 /* Length check; this cannot be ignored in this code because profile_length
2016 * is used later to check the tag table, so even if the profile seems over
2017 * long profile_length from the caller must be correct. The caller can fix
2018 * this up on read or write by just passing in the profile header length.
2019 */
2020 temp = png_get_uint_32(profile);
2021 if (temp != profile_length)
2022 return png_icc_profile_error(png_ptr, colorspace, name, temp,
2023 "length does not match profile");
2024
2025 temp = (png_uint_32) (*(profile+8));
2026 if (temp > 3 && (profile_length & 3))
2027 return png_icc_profile_error(png_ptr, colorspace, name, profile_length,
2028 "invalid length");
2029
2030 temp = png_get_uint_32(profile+128); /* tag count: 12 bytes/tag */
2031 if (temp > 357913930 || /* (2^32-4-132)/12: maximum possible tag count */
2032 profile_length < 132+12*temp) /* truncated tag table */
2033 return png_icc_profile_error(png_ptr, colorspace, name, temp,
2034 "tag count too large");
2035
2036 /* The 'intent' must be valid or we can't store it, ICC limits the intent to
2037 * 16 bits.
2038 */
2039 temp = png_get_uint_32(profile+64);
2040 if (temp >= 0xffff) /* The ICC limit */
2041 return png_icc_profile_error(png_ptr, colorspace, name, temp,
2042 "invalid rendering intent");
2043
2044 /* This is just a warning because the profile may be valid in future
2045 * versions.
2046 */
2047 if (temp >= PNG_sRGB_INTENT_LAST)
2048 (void)png_icc_profile_error(png_ptr, NULL, name, temp,
2049 "intent outside defined range");
2050
2051 /* At this point the tag table can't be checked because it hasn't necessarily
2052 * been loaded; however, various header fields can be checked. These checks
2053 * are for values permitted by the PNG spec in an ICC profile; the PNG spec
2054 * restricts the profiles that can be passed in an iCCP chunk (they must be
2055 * appropriate to processing PNG data!)
2056 */
2057
2058 /* Data checks (could be skipped). These checks must be independent of the
2059 * version number; however, the version number doesn't accomodate changes in
2060 * the header fields (just the known tags and the interpretation of the
2061 * data.)
2062 */
2063 temp = png_get_uint_32(profile+36); /* signature 'ascp' */
2064 if (temp != 0x61637370)
2065 return png_icc_profile_error(png_ptr, colorspace, name, temp,
2066 "invalid signature");
2067
2068 /* Currently the PCS illuminant/adopted white point (the computational
2069 * white point) are required to be D50,
2070 * however the profile contains a record of the illuminant so perhaps ICC
2071 * expects to be able to change this in the future (despite the rationale in
2072 * the introduction for using a fixed PCS adopted white.) Consequently the
2073 * following is just a warning.
2074 */
2075 if (memcmp(profile+68, D50_nCIEXYZ, 12) != 0)
2076 (void)png_icc_profile_error(png_ptr, NULL, name, 0/*no tag value*/,
2077 "PCS illuminant is not D50");
2078
2079 /* The PNG spec requires this:
2080 * "If the iCCP chunk is present, the image samples conform to the colour
2081 * space represented by the embedded ICC profile as defined by the
2082 * International Color Consortium [ICC]. The colour space of the ICC profile
2083 * shall be an RGB colour space for colour images (PNG colour types 2, 3, and
2084 * 6), or a greyscale colour space for greyscale images (PNG colour types 0
2085 * and 4)."
2086 *
2087 * This checking code ensures the embedded profile (on either read or write)
2088 * conforms to the specification requirements. Notice that an ICC 'gray'
2089 * color-space profile contains the information to transform the monochrome
2090 * data to XYZ or L*a*b (according to which PCS the profile uses) and this
2091 * should be used in preference to the standard libpng K channel replication
2092 * into R, G and B channels.
2093 *
2094 * Previously it was suggested that an RGB profile on grayscale data could be
2095 * handled. However it it is clear that using an RGB profile in this context
2096 * must be an error - there is no specification of what it means. Thus it is
2097 * almost certainly more correct to ignore the profile.
2098 */
2099 temp = png_get_uint_32(profile+16); /* data colour space field */
2100 switch (temp)
2101 {
2102 case 0x52474220: /* 'RGB ' */
2103 if ((color_type & PNG_COLOR_MASK_COLOR) == 0)
2104 return png_icc_profile_error(png_ptr, colorspace, name, temp,
2105 "RGB color space not permitted on grayscale PNG");
2106 break;
2107
2108 case 0x47524159: /* 'GRAY' */
2109 if ((color_type & PNG_COLOR_MASK_COLOR) != 0)
2110 return png_icc_profile_error(png_ptr, colorspace, name, temp,
2111 "Gray color space not permitted on RGB PNG");
2112 break;
2113
2114 default:
2115 return png_icc_profile_error(png_ptr, colorspace, name, temp,
2116 "invalid ICC profile color space");
2117 }
2118
2119 /* It is up to the application to check that the profile class matches the
2120 * application requirements; the spec provides no guidance, but it's pretty
2121 * weird if the profile is not scanner ('scnr'), monitor ('mntr'), printer
2122 * ('prtr') or 'spac' (for generic color spaces). Issue a warning in these
2123 * cases. Issue an error for device link or abstract profiles - these don't
2124 * contain the records necessary to transform the color-space to anything
2125 * other than the target device (and not even that for an abstract profile).
2126 * Profiles of these classes may not be embedded in images.
2127 */
2128 temp = png_get_uint_32(profile+12); /* profile/device class */
2129 switch (temp)
2130 {
2131 case 0x73636e72: /* 'scnr' */
2132 case 0x6d6e7472: /* 'mntr' */
2133 case 0x70727472: /* 'prtr' */
2134 case 0x73706163: /* 'spac' */
2135 /* All supported */
2136 break;
2137
2138 case 0x61627374: /* 'abst' */
2139 /* May not be embedded in an image */
2140 return png_icc_profile_error(png_ptr, colorspace, name, temp,
2141 "invalid embedded Abstract ICC profile");
2142
2143 case 0x6c696e6b: /* 'link' */
2144 /* DeviceLink profiles cannot be interpreted in a non-device specific
2145 * fashion, if an app uses the AToB0Tag in the profile the results are
2146 * undefined unless the result is sent to the intended device,
2147 * therefore a DeviceLink profile should not be found embedded in a
2148 * PNG.
2149 */
2150 return png_icc_profile_error(png_ptr, colorspace, name, temp,
2151 "unexpected DeviceLink ICC profile class");
2152
2153 case 0x6e6d636c: /* 'nmcl' */
2154 /* A NamedColor profile is also device specific, however it doesn't
2155 * contain an AToB0 tag that is open to misinterpretation. Almost
2156 * certainly it will fail the tests below.
2157 */
2158 (void)png_icc_profile_error(png_ptr, NULL, name, temp,
2159 "unexpected NamedColor ICC profile class");
2160 break;
2161
2162 default:
2163 /* To allow for future enhancements to the profile accept unrecognized
2164 * profile classes with a warning, these then hit the test below on the
2165 * tag content to ensure they are backward compatible with one of the
2166 * understood profiles.
2167 */
2168 (void)png_icc_profile_error(png_ptr, NULL, name, temp,
2169 "unrecognized ICC profile class");
2170 break;
2171 }
2172
2173 /* For any profile other than a device link one the PCS must be encoded
2174 * either in XYZ or Lab.
2175 */
2176 temp = png_get_uint_32(profile+20);
2177 switch (temp)
2178 {
2179 case 0x58595a20: /* 'XYZ ' */
2180 case 0x4c616220: /* 'Lab ' */
2181 break;
2182
2183 default:
2184 return png_icc_profile_error(png_ptr, colorspace, name, temp,
2185 "unexpected ICC PCS encoding");
2186 }
2187
2188 return 1;
2189 }
2190
2191 int /* PRIVATE */
2192 png_icc_check_tag_table(png_const_structrp png_ptr, png_colorspacerp colorspace,
2193 png_const_charp name, png_uint_32 profile_length,
2194 png_const_bytep profile /* header plus whole tag table */)
2195 {
2196 png_uint_32 tag_count = png_get_uint_32(profile+128);
2197 png_uint_32 itag;
2198 png_const_bytep tag = profile+132; /* The first tag */
2199
2200 /* First scan all the tags in the table and add bits to the icc_info value
2201 * (temporarily in 'tags').
2202 */
2203 for (itag=0; itag < tag_count; ++itag, tag += 12)
2204 {
2205 png_uint_32 tag_id = png_get_uint_32(tag+0);
2206 png_uint_32 tag_start = png_get_uint_32(tag+4); /* must be aligned */
2207 png_uint_32 tag_length = png_get_uint_32(tag+8);/* not padded */
2208
2209 /* The ICC specification does not exclude zero length tags, therefore the
2210 * start might actually be anywhere if there is no data, but this would be
2211 * a clear abuse of the intent of the standard so the start is checked for
2212 * being in range. All defined tag types have an 8 byte header - a 4 byte
2213 * type signature then 0.
2214 */
2215 if ((tag_start & 3) != 0)
2216 {
2217 /* CNHP730S.icc shipped with Microsoft Windows 64 violates this, it is
2218 * only a warning here because libpng does not care about the
2219 * alignment.
2220 */
2221 (void)png_icc_profile_error(png_ptr, NULL, name, tag_id,
2222 "ICC profile tag start not a multiple of 4");
2223 }
2224
2225 /* This is a hard error; potentially it can cause read outside the
2226 * profile.
2227 */
2228 if (tag_start > profile_length || tag_length > profile_length - tag_start)
2229 return png_icc_profile_error(png_ptr, colorspace, name, tag_id,
2230 "ICC profile tag outside profile");
2231 }
2232
2233 return 1; /* success, maybe with warnings */
2234 }
2235
2236 #ifdef PNG_sRGB_SUPPORTED
2237 #if PNG_sRGB_PROFILE_CHECKS >= 0
2238 /* Information about the known ICC sRGB profiles */
2239 static const struct
2240 {
2241 png_uint_32 adler, crc, length;
2242 png_uint_32 md5[4];
2243 png_byte have_md5;
2244 png_byte is_broken;
2245 png_uint_16 intent;
2246
2247 # define PNG_MD5(a,b,c,d) { a, b, c, d }, (a!=0)||(b!=0)||(c!=0)||(d!=0)
2248 # define PNG_ICC_CHECKSUM(adler, crc, md5, intent, broke, date, length, fname)\
2249 { adler, crc, length, md5, broke, intent },
2250
2251 } png_sRGB_checks[] =
2252 {
2253 /* This data comes from contrib/tools/checksum-icc run on downloads of
2254 * all four ICC sRGB profiles from www.color.org.
2255 */
2256 /* adler32, crc32, MD5[4], intent, date, length, file-name */
2257 PNG_ICC_CHECKSUM(0x0a3fd9f6, 0x3b8772b9,
2258 PNG_MD5(0x29f83dde, 0xaff255ae, 0x7842fae4, 0xca83390d), 0, 0,
2259 "2009/03/27 21:36:31", 3048, "sRGB_IEC61966-2-1_black_scaled.icc")
2260
2261 /* ICC sRGB v2 perceptual no black-compensation: */
2262 PNG_ICC_CHECKSUM(0x4909e5e1, 0x427ebb21,
2263 PNG_MD5(0xc95bd637, 0xe95d8a3b, 0x0df38f99, 0xc1320389), 1, 0,
2264 "2009/03/27 21:37:45", 3052, "sRGB_IEC61966-2-1_no_black_scaling.icc")
2265
2266 PNG_ICC_CHECKSUM(0xfd2144a1, 0x306fd8ae,
2267 PNG_MD5(0xfc663378, 0x37e2886b, 0xfd72e983, 0x8228f1b8), 0, 0,
2268 "2009/08/10 17:28:01", 60988, "sRGB_v4_ICC_preference_displayclass.icc")
2269
2270 /* ICC sRGB v4 perceptual */
2271 PNG_ICC_CHECKSUM(0x209c35d2, 0xbbef7812,
2272 PNG_MD5(0x34562abf, 0x994ccd06, 0x6d2c5721, 0xd0d68c5d), 0, 0,
2273 "2007/07/25 00:05:37", 60960, "sRGB_v4_ICC_preference.icc")
2274
2275 /* The following profiles have no known MD5 checksum. If there is a match
2276 * on the (empty) MD5 the other fields are used to attempt a match and
2277 * a warning is produced. The first two of these profiles have a 'cprt' tag
2278 * which suggests that they were also made by Hewlett Packard.
2279 */
2280 PNG_ICC_CHECKSUM(0xa054d762, 0x5d5129ce,
2281 PNG_MD5(0x00000000, 0x00000000, 0x00000000, 0x00000000), 1, 0,
2282 "2004/07/21 18:57:42", 3024, "sRGB_IEC61966-2-1_noBPC.icc")
2283
2284 /* This is a 'mntr' (display) profile with a mediaWhitePointTag that does not
2285 * match the D50 PCS illuminant in the header (it is in fact the D65 values,
2286 * so the white point is recorded as the un-adapted value.) The profiles
2287 * below only differ in one byte - the intent - and are basically the same as
2288 * the previous profile except for the mediaWhitePointTag error and a missing
2289 * chromaticAdaptationTag.
2290 */
2291 PNG_ICC_CHECKSUM(0xf784f3fb, 0x182ea552,
2292 PNG_MD5(0x00000000, 0x00000000, 0x00000000, 0x00000000), 0, 1/*broken*/,
2293 "1998/02/09 06:49:00", 3144, "HP-Microsoft sRGB v2 perceptual")
2294
2295 PNG_ICC_CHECKSUM(0x0398f3fc, 0xf29e526d,
2296 PNG_MD5(0x00000000, 0x00000000, 0x00000000, 0x00000000), 1, 1/*broken*/,
2297 "1998/02/09 06:49:00", 3144, "HP-Microsoft sRGB v2 media-relative")
2298 };
2299
2300 static int
2301 png_compare_ICC_profile_with_sRGB(png_const_structrp png_ptr,
2302 png_const_bytep profile, uLong adler)
2303 {
2304 /* The quick check is to verify just the MD5 signature and trust the
2305 * rest of the data. Because the profile has already been verified for
2306 * correctness this is safe. png_colorspace_set_sRGB will check the 'intent'
2307 * field too, so if the profile has been edited with an intent not defined
2308 * by sRGB (but maybe defined by a later ICC specification) the read of
2309 * the profile will fail at that point.
2310 */
2311
2312 png_uint_32 length = 0;
2313 png_uint_32 intent = 0x10000; /* invalid */
2314 #if PNG_sRGB_PROFILE_CHECKS > 1
2315 uLong crc = 0; /* the value for 0 length data */
2316 #endif
2317 unsigned int i;
2318
2319 #ifdef PNG_SET_OPTION_SUPPORTED
2320 /* First see if PNG_SKIP_sRGB_CHECK_PROFILE has been set to "on" */
2321 if (((png_ptr->options >> PNG_SKIP_sRGB_CHECK_PROFILE) & 3) ==
2322 PNG_OPTION_ON)
2323 return 0;
2324 #endif
2325
2326 for (i=0; i < (sizeof png_sRGB_checks) / (sizeof png_sRGB_checks[0]); ++i)
2327 {
2328 if (png_get_uint_32(profile+84) == png_sRGB_checks[i].md5[0] &&
2329 png_get_uint_32(profile+88) == png_sRGB_checks[i].md5[1] &&
2330 png_get_uint_32(profile+92) == png_sRGB_checks[i].md5[2] &&
2331 png_get_uint_32(profile+96) == png_sRGB_checks[i].md5[3])
2332 {
2333 /* This may be one of the old HP profiles without an MD5, in that
2334 * case we can only use the length and Adler32 (note that these
2335 * are not used by default if there is an MD5!)
2336 */
2337 # if PNG_sRGB_PROFILE_CHECKS == 0
2338 if (png_sRGB_checks[i].have_md5 != 0)
2339 return 1+png_sRGB_checks[i].is_broken;
2340 # endif
2341
2342 /* Profile is unsigned or more checks have been configured in. */
2343 if (length == 0)
2344 {
2345 length = png_get_uint_32(profile);
2346 intent = png_get_uint_32(profile+64);
2347 }
2348
2349 /* Length *and* intent must match */
2350 if (length == (png_uint_32) png_sRGB_checks[i].length &&
2351 intent == (png_uint_32) png_sRGB_checks[i].intent)
2352 {
2353 /* Now calculate the adler32 if not done already. */
2354 if (adler == 0)
2355 {
2356 adler = adler32(0, NULL, 0);
2357 adler = adler32(adler, profile, length);
2358 }
2359
2360 if (adler == png_sRGB_checks[i].adler)
2361 {
2362 /* These basic checks suggest that the data has not been
2363 * modified, but if the check level is more than 1 perform
2364 * our own crc32 checksum on the data.
2365 */
2366 # if PNG_sRGB_PROFILE_CHECKS > 1
2367 if (crc == 0)
2368 {
2369 crc = crc32(0, NULL, 0);
2370 crc = crc32(crc, profile, length);
2371 }
2372
2373 /* So this check must pass for the 'return' below to happen.
2374 */
2375 if (crc == png_sRGB_checks[i].crc)
2376 # endif
2377 {
2378 if (png_sRGB_checks[i].is_broken != 0)
2379 {
2380 /* These profiles are known to have bad data that may cause
2381 * problems if they are used, therefore attempt to
2382 * discourage their use, skip the 'have_md5' warning below,
2383 * which is made irrelevant by this error.
2384 */
2385 png_chunk_report(png_ptr, "known incorrect sRGB profile",
2386 PNG_CHUNK_ERROR);
2387 }
2388
2389 /* Warn that this being done; this isn't even an error since
2390 * the profile is perfectly valid, but it would be nice if
2391 * people used the up-to-date ones.
2392 */
2393 else if (png_sRGB_checks[i].have_md5 == 0)
2394 {
2395 png_chunk_report(png_ptr,
2396 "out-of-date sRGB profile with no signature",
2397 PNG_CHUNK_WARNING);
2398 }
2399
2400 return 1+png_sRGB_checks[i].is_broken;
2401 }
2402 }
2403
2404 # if PNG_sRGB_PROFILE_CHECKS > 0
2405 /* The signature matched, but the profile had been changed in some
2406 * way. This probably indicates a data error or uninformed hacking.
2407 * Fall through to "no match".
2408 */
2409 png_chunk_report(png_ptr,
2410 "Not recognizing known sRGB profile that has been edited",
2411 PNG_CHUNK_WARNING);
2412 break;
2413 # endif
2414 }
2415 }
2416 }
2417
2418 return 0; /* no match */
2419 }
2420
2421 void /* PRIVATE */
2422 png_icc_set_sRGB(png_const_structrp png_ptr,
2423 png_colorspacerp colorspace, png_const_bytep profile, uLong adler)
2424 {
2425 /* Is this profile one of the known ICC sRGB profiles? If it is, just set
2426 * the sRGB information.
2427 */
2428 if (png_compare_ICC_profile_with_sRGB(png_ptr, profile, adler) != 0)
2429 (void)png_colorspace_set_sRGB(png_ptr, colorspace,
2430 (int)/*already checked*/png_get_uint_32(profile+64));
2431 }
2432 #endif /* PNG_sRGB_PROFILE_CHECKS >= 0 */
2433 #endif /* sRGB */
2434
2435 int /* PRIVATE */
2436 png_colorspace_set_ICC(png_const_structrp png_ptr, png_colorspacerp colorspace,
2437 png_const_charp name, png_uint_32 profile_length, png_const_bytep profile,
2438 int color_type)
2439 {
2440 if ((colorspace->flags & PNG_COLORSPACE_INVALID) != 0)
2441 return 0;
2442
2443 if (icc_check_length(png_ptr, colorspace, name, profile_length) != 0 &&
2444 png_icc_check_header(png_ptr, colorspace, name, profile_length, profile,
2445 color_type) != 0 &&
2446 png_icc_check_tag_table(png_ptr, colorspace, name, profile_length,
2447 profile) != 0)
2448 {
2449 # if defined(PNG_sRGB_SUPPORTED) && PNG_sRGB_PROFILE_CHECKS >= 0
2450 /* If no sRGB support, don't try storing sRGB information */
2451 png_icc_set_sRGB(png_ptr, colorspace, profile, 0);
2452 # endif
2453 return 1;
2454 }
2455
2456 /* Failure case */
2457 return 0;
2458 }
2459 #endif /* iCCP */
2460
2461 #ifdef PNG_READ_RGB_TO_GRAY_SUPPORTED
2462 void /* PRIVATE */
2463 png_colorspace_set_rgb_coefficients(png_structrp png_ptr)
2464 {
2465 /* Set the rgb_to_gray coefficients from the colorspace. */
2466 if (png_ptr->rgb_to_gray_coefficients_set == 0 &&
2467 (png_ptr->colorspace.flags & PNG_COLORSPACE_HAVE_ENDPOINTS) != 0)
2468 {
2469 /* png_set_background has not been called, get the coefficients from the Y
2470 * values of the colorspace colorants.
2471 */
2472 png_fixed_point r = png_ptr->colorspace.end_points_XYZ.red_Y;
2473 png_fixed_point g = png_ptr->colorspace.end_points_XYZ.green_Y;
2474 png_fixed_point b = png_ptr->colorspace.end_points_XYZ.blue_Y;
2475 png_fixed_point total = r+g+b;
2476
2477 if (total > 0 &&
2478 r >= 0 && png_muldiv(&r, r, 32768, total) && r >= 0 && r <= 32768 &&
2479 g >= 0 && png_muldiv(&g, g, 32768, total) && g >= 0 && g <= 32768 &&
2480 b >= 0 && png_muldiv(&b, b, 32768, total) && b >= 0 && b <= 32768 &&
2481 r+g+b <= 32769)
2482 {
2483 /* We allow 0 coefficients here. r+g+b may be 32769 if two or
2484 * all of the coefficients were rounded up. Handle this by
2485 * reducing the *largest* coefficient by 1; this matches the
2486 * approach used for the default coefficients in pngrtran.c
2487 */
2488 int add = 0;
2489
2490 if (r+g+b > 32768)
2491 add = -1;
2492 else if (r+g+b < 32768)
2493 add = 1;
2494
2495 if (add != 0)
2496 {
2497 if (g >= r && g >= b)
2498 g += add;
2499 else if (r >= g && r >= b)
2500 r += add;
2501 else
2502 b += add;
2503 }
2504
2505 /* Check for an internal error. */
2506 if (r+g+b != 32768)
2507 png_error(png_ptr,
2508 "internal error handling cHRM coefficients");
2509
2510 else
2511 {
2512 png_ptr->rgb_to_gray_red_coeff = (png_uint_16)r;
2513 png_ptr->rgb_to_gray_green_coeff = (png_uint_16)g;
2514 }
2515 }
2516
2517 /* This is a png_error at present even though it could be ignored -
2518 * it should never happen, but it is important that if it does, the
2519 * bug is fixed.
2520 */
2521 else
2522 png_error(png_ptr, "internal error handling cHRM->XYZ");
2523 }
2524 }
2525 #endif /* READ_RGB_TO_GRAY */
2526
2527 #endif /* COLORSPACE */
2528
2529 #ifdef __GNUC__
2530 /* This exists solely to work round a warning from GNU C. */
2531 static int /* PRIVATE */
2532 png_gt(size_t a, size_t b)
2533 {
2534 return a > b;
2535 }
2536 #else
2537 # define png_gt(a,b) ((a) > (b))
2538 #endif
2539
2540 void /* PRIVATE */
2541 png_check_IHDR(png_const_structrp png_ptr,
2542 png_uint_32 width, png_uint_32 height, int bit_depth,
2543 int color_type, int interlace_type, int compression_type,
2544 int filter_type)
2545 {
2546 int error = 0;
2547
2548 /* Check for width and height valid values */
2549 if (width == 0)
2550 {
2551 png_warning(png_ptr, "Image width is zero in IHDR");
2552 error = 1;
2553 }
2554
2555 if (width > PNG_UINT_31_MAX)
2556 {
2557 png_warning(png_ptr, "Invalid image width in IHDR");
2558 error = 1;
2559 }
2560
2561 if (png_gt(((width + 7) & (~7U)),
2562 ((PNG_SIZE_MAX
2563 - 48 /* big_row_buf hack */
2564 - 1) /* filter byte */
2565 / 8) /* 8-byte RGBA pixels */
2566 - 1)) /* extra max_pixel_depth pad */
2567 {
2568 /* The size of the row must be within the limits of this architecture.
2569 * Because the read code can perform arbitrary transformations the
2570 * maximum size is checked here. Because the code in png_read_start_row
2571 * adds extra space "for safety's sake" in several places a conservative
2572 * limit is used here.
2573 *
2574 * NOTE: it would be far better to check the size that is actually used,
2575 * but the effect in the real world is minor and the changes are more
2576 * extensive, therefore much more dangerous and much more difficult to
2577 * write in a way that avoids compiler warnings.
2578 */
2579 png_warning(png_ptr, "Image width is too large for this architecture");
2580 error = 1;
2581 }
2582
2583 #ifdef PNG_SET_USER_LIMITS_SUPPORTED
2584 if (width > png_ptr->user_width_max)
2585 #else
2586 if (width > PNG_USER_WIDTH_MAX)
2587 #endif
2588 {
2589 png_warning(png_ptr, "Image width exceeds user limit in IHDR");
2590 error = 1;
2591 }
2592
2593 if (height == 0)
2594 {
2595 png_warning(png_ptr, "Image height is zero in IHDR");
2596 error = 1;
2597 }
2598
2599 if (height > PNG_UINT_31_MAX)
2600 {
2601 png_warning(png_ptr, "Invalid image height in IHDR");
2602 error = 1;
2603 }
2604
2605 #ifdef PNG_SET_USER_LIMITS_SUPPORTED
2606 if (height > png_ptr->user_height_max)
2607 #else
2608 if (height > PNG_USER_HEIGHT_MAX)
2609 #endif
2610 {
2611 png_warning(png_ptr, "Image height exceeds user limit in IHDR");
2612 error = 1;
2613 }
2614
2615 /* Check other values */
2616 if (bit_depth != 1 && bit_depth != 2 && bit_depth != 4 &&
2617 bit_depth != 8 && bit_depth != 16)
2618 {
2619 png_warning(png_ptr, "Invalid bit depth in IHDR");
2620 error = 1;
2621 }
2622
2623 if (color_type < 0 || color_type == 1 ||
2624 color_type == 5 || color_type > 6)
2625 {
2626 png_warning(png_ptr, "Invalid color type in IHDR");
2627 error = 1;
2628 }
2629
2630 if (((color_type == PNG_COLOR_TYPE_PALETTE) && bit_depth > 8) ||
2631 ((color_type == PNG_COLOR_TYPE_RGB ||
2632 color_type == PNG_COLOR_TYPE_GRAY_ALPHA ||
2633 color_type == PNG_COLOR_TYPE_RGB_ALPHA) && bit_depth < 8))
2634 {
2635 png_warning(png_ptr, "Invalid color type/bit depth combination in IHDR");
2636 error = 1;
2637 }
2638
2639 if (interlace_type >= PNG_INTERLACE_LAST)
2640 {
2641 png_warning(png_ptr, "Unknown interlace method in IHDR");
2642 error = 1;
2643 }
2644
2645 if (compression_type != PNG_COMPRESSION_TYPE_BASE)
2646 {
2647 png_warning(png_ptr, "Unknown compression method in IHDR");
2648 error = 1;
2649 }
2650
2651 #ifdef PNG_MNG_FEATURES_SUPPORTED
2652 /* Accept filter_method 64 (intrapixel differencing) only if
2653 * 1. Libpng was compiled with PNG_MNG_FEATURES_SUPPORTED and
2654 * 2. Libpng did not read a PNG signature (this filter_method is only
2655 * used in PNG datastreams that are embedded in MNG datastreams) and
2656 * 3. The application called png_permit_mng_features with a mask that
2657 * included PNG_FLAG_MNG_FILTER_64 and
2658 * 4. The filter_method is 64 and
2659 * 5. The color_type is RGB or RGBA
2660 */
2661 if ((png_ptr->mode & PNG_HAVE_PNG_SIGNATURE) != 0 &&
2662 png_ptr->mng_features_permitted != 0)
2663 png_warning(png_ptr, "MNG features are not allowed in a PNG datastream");
2664
2665 if (filter_type != PNG_FILTER_TYPE_BASE)
2666 {
2667 if (!((png_ptr->mng_features_permitted & PNG_FLAG_MNG_FILTER_64) != 0 &&
2668 (filter_type == PNG_INTRAPIXEL_DIFFERENCING) &&
2669 ((png_ptr->mode & PNG_HAVE_PNG_SIGNATURE) == 0) &&
2670 (color_type == PNG_COLOR_TYPE_RGB ||
2671 color_type == PNG_COLOR_TYPE_RGB_ALPHA)))
2672 {
2673 png_warning(png_ptr, "Unknown filter method in IHDR");
2674 error = 1;
2675 }
2676
2677 if ((png_ptr->mode & PNG_HAVE_PNG_SIGNATURE) != 0)
2678 {
2679 png_warning(png_ptr, "Invalid filter method in IHDR");
2680 error = 1;
2681 }
2682 }
2683
2684 #else
2685 if (filter_type != PNG_FILTER_TYPE_BASE)
2686 {
2687 png_warning(png_ptr, "Unknown filter method in IHDR");
2688 error = 1;
2689 }
2690 #endif
2691
2692 if (error == 1)
2693 png_error(png_ptr, "Invalid IHDR data");
2694 }
2695
2696 #if defined(PNG_sCAL_SUPPORTED) || defined(PNG_pCAL_SUPPORTED)
2697 /* ASCII to fp functions */
2698 /* Check an ASCII formated floating point value, see the more detailed
2699 * comments in pngpriv.h
2700 */
2701 /* The following is used internally to preserve the sticky flags */
2702 #define png_fp_add(state, flags) ((state) |= (flags))
2703 #define png_fp_set(state, value) ((state) = (value) | ((state) & PNG_FP_STICKY))
2704
2705 int /* PRIVATE */
2706 png_check_fp_number(png_const_charp string, png_size_t size, int *statep,
2707 png_size_tp whereami)
2708 {
2709 int state = *statep;
2710 png_size_t i = *whereami;
2711
2712 while (i < size)
2713 {
2714 int type;
2715 /* First find the type of the next character */
2716 switch (string[i])
2717 {
2718 case 43: type = PNG_FP_SAW_SIGN; break;
2719 case 45: type = PNG_FP_SAW_SIGN + PNG_FP_NEGATIVE; break;
2720 case 46: type = PNG_FP_SAW_DOT; break;
2721 case 48: type = PNG_FP_SAW_DIGIT; break;
2722 case 49: case 50: case 51: case 52:
2723 case 53: case 54: case 55: case 56:
2724 case 57: type = PNG_FP_SAW_DIGIT + PNG_FP_NONZERO; break;
2725 case 69:
2726 case 101: type = PNG_FP_SAW_E; break;
2727 default: goto PNG_FP_End;
2728 }
2729
2730 /* Now deal with this type according to the current
2731 * state, the type is arranged to not overlap the
2732 * bits of the PNG_FP_STATE.
2733 */
2734 switch ((state & PNG_FP_STATE) + (type & PNG_FP_SAW_ANY))
2735 {
2736 case PNG_FP_INTEGER + PNG_FP_SAW_SIGN:
2737 if ((state & PNG_FP_SAW_ANY) != 0)
2738 goto PNG_FP_End; /* not a part of the number */
2739
2740 png_fp_add(state, type);
2741 break;
2742
2743 case PNG_FP_INTEGER + PNG_FP_SAW_DOT:
2744 /* Ok as trailer, ok as lead of fraction. */
2745 if ((state & PNG_FP_SAW_DOT) != 0) /* two dots */
2746 goto PNG_FP_End;
2747
2748 else if ((state & PNG_FP_SAW_DIGIT) != 0) /* trailing dot? */
2749 png_fp_add(state, type);
2750
2751 else
2752 png_fp_set(state, PNG_FP_FRACTION | type);
2753
2754 break;
2755
2756 case PNG_FP_INTEGER + PNG_FP_SAW_DIGIT:
2757 if ((state & PNG_FP_SAW_DOT) != 0) /* delayed fraction */
2758 png_fp_set(state, PNG_FP_FRACTION | PNG_FP_SAW_DOT);
2759
2760 png_fp_add(state, type | PNG_FP_WAS_VALID);
2761
2762 break;
2763
2764 case PNG_FP_INTEGER + PNG_FP_SAW_E:
2765 if ((state & PNG_FP_SAW_DIGIT) == 0)
2766 goto PNG_FP_End;
2767
2768 png_fp_set(state, PNG_FP_EXPONENT);
2769
2770 break;
2771
2772 /* case PNG_FP_FRACTION + PNG_FP_SAW_SIGN:
2773 goto PNG_FP_End; ** no sign in fraction */
2774
2775 /* case PNG_FP_FRACTION + PNG_FP_SAW_DOT:
2776 goto PNG_FP_End; ** Because SAW_DOT is always set */
2777
2778 case PNG_FP_FRACTION + PNG_FP_SAW_DIGIT:
2779 png_fp_add(state, type | PNG_FP_WAS_VALID);
2780 break;
2781
2782 case PNG_FP_FRACTION + PNG_FP_SAW_E:
2783 /* This is correct because the trailing '.' on an
2784 * integer is handled above - so we can only get here
2785 * with the sequence ".E" (with no preceding digits).
2786 */
2787 if ((state & PNG_FP_SAW_DIGIT) == 0)
2788 goto PNG_FP_End;
2789
2790 png_fp_set(state, PNG_FP_EXPONENT);
2791
2792 break;
2793
2794 case PNG_FP_EXPONENT + PNG_FP_SAW_SIGN:
2795 if ((state & PNG_FP_SAW_ANY) != 0)
2796 goto PNG_FP_End; /* not a part of the number */
2797
2798 png_fp_add(state, PNG_FP_SAW_SIGN);
2799
2800 break;
2801
2802 /* case PNG_FP_EXPONENT + PNG_FP_SAW_DOT:
2803 goto PNG_FP_End; */
2804
2805 case PNG_FP_EXPONENT + PNG_FP_SAW_DIGIT:
2806 png_fp_add(state, PNG_FP_SAW_DIGIT | PNG_FP_WAS_VALID);
2807
2808 break;
2809
2810 /* case PNG_FP_EXPONEXT + PNG_FP_SAW_E:
2811 goto PNG_FP_End; */
2812
2813 default: goto PNG_FP_End; /* I.e. break 2 */
2814 }
2815
2816 /* The character seems ok, continue. */
2817 ++i;
2818 }
2819
2820 PNG_FP_End:
2821 /* Here at the end, update the state and return the correct
2822 * return code.
2823 */
2824 *statep = state;
2825 *whereami = i;
2826
2827 return (state & PNG_FP_SAW_DIGIT) != 0;
2828 }
2829
2830
2831 /* The same but for a complete string. */
2832 int
2833 png_check_fp_string(png_const_charp string, png_size_t size)
2834 {
2835 int state=0;
2836 png_size_t char_index=0;
2837
2838 if (png_check_fp_number(string, size, &state, &char_index) != 0 &&
2839 (char_index == size || string[char_index] == 0))
2840 return state /* must be non-zero - see above */;
2841
2842 return 0; /* i.e. fail */
2843 }
2844 #endif /* pCAL || sCAL */
2845
2846 #ifdef PNG_sCAL_SUPPORTED
2847 # ifdef PNG_FLOATING_POINT_SUPPORTED
2848 /* Utility used below - a simple accurate power of ten from an integral
2849 * exponent.
2850 */
2851 static double
2852 png_pow10(int power)
2853 {
2854 int recip = 0;
2855 double d = 1;
2856
2857 /* Handle negative exponent with a reciprocal at the end because
2858 * 10 is exact whereas .1 is inexact in base 2
2859 */
2860 if (power < 0)
2861 {
2862 if (power < DBL_MIN_10_EXP) return 0;
2863 recip = 1, power = -power;
2864 }
2865
2866 if (power > 0)
2867 {
2868 /* Decompose power bitwise. */
2869 double mult = 10;
2870 do
2871 {
2872 if (power & 1) d *= mult;
2873 mult *= mult;
2874 power >>= 1;
2875 }
2876 while (power > 0);
2877
2878 if (recip != 0) d = 1/d;
2879 }
2880 /* else power is 0 and d is 1 */
2881
2882 return d;
2883 }
2884
2885 /* Function to format a floating point value in ASCII with a given
2886 * precision.
2887 */
2888 void /* PRIVATE */
2889 png_ascii_from_fp(png_const_structrp png_ptr, png_charp ascii, png_size_t size,
2890 double fp, unsigned int precision)
2891 {
2892 /* We use standard functions from math.h, but not printf because
2893 * that would require stdio. The caller must supply a buffer of
2894 * sufficient size or we will png_error. The tests on size and
2895 * the space in ascii[] consumed are indicated below.
2896 */
2897 if (precision < 1)
2898 precision = DBL_DIG;
2899
2900 /* Enforce the limit of the implementation precision too. */
2901 if (precision > DBL_DIG+1)
2902 precision = DBL_DIG+1;
2903
2904 /* Basic sanity checks */
2905 if (size >= precision+5) /* See the requirements below. */
2906 {
2907 if (fp < 0)
2908 {
2909 fp = -fp;
2910 *ascii++ = 45; /* '-' PLUS 1 TOTAL 1 */
2911 --size;
2912 }
2913
2914 if (fp >= DBL_MIN && fp <= DBL_MAX)
2915 {
2916 int exp_b10; /* A base 10 exponent */
2917 double base; /* 10^exp_b10 */
2918
2919 /* First extract a base 10 exponent of the number,
2920 * the calculation below rounds down when converting
2921 * from base 2 to base 10 (multiply by log10(2) -
2922 * 0.3010, but 77/256 is 0.3008, so exp_b10 needs to
2923 * be increased. Note that the arithmetic shift
2924 * performs a floor() unlike C arithmetic - using a
2925 * C multiply would break the following for negative
2926 * exponents.
2927 */
2928 (void)frexp(fp, &exp_b10); /* exponent to base 2 */
2929
2930 exp_b10 = (exp_b10 * 77) >> 8; /* <= exponent to base 10 */
2931
2932 /* Avoid underflow here. */
2933 base = png_pow10(exp_b10); /* May underflow */
2934
2935 while (base < DBL_MIN || base < fp)
2936 {
2937 /* And this may overflow. */
2938 double test = png_pow10(exp_b10+1);
2939
2940 if (test <= DBL_MAX)
2941 ++exp_b10, base = test;
2942
2943 else
2944 break;
2945 }
2946
2947 /* Normalize fp and correct exp_b10, after this fp is in the
2948 * range [.1,1) and exp_b10 is both the exponent and the digit
2949 * *before* which the decimal point should be inserted
2950 * (starting with 0 for the first digit). Note that this
2951 * works even if 10^exp_b10 is out of range because of the
2952 * test on DBL_MAX above.
2953 */
2954 fp /= base;
2955 while (fp >= 1) fp /= 10, ++exp_b10;
2956
2957 /* Because of the code above fp may, at this point, be
2958 * less than .1, this is ok because the code below can
2959 * handle the leading zeros this generates, so no attempt
2960 * is made to correct that here.
2961 */
2962
2963 {
2964 unsigned int czero, clead, cdigits;
2965 char exponent[10];
2966
2967 /* Allow up to two leading zeros - this will not lengthen
2968 * the number compared to using E-n.
2969 */
2970 if (exp_b10 < 0 && exp_b10 > -3) /* PLUS 3 TOTAL 4 */
2971 {
2972 czero = (unsigned int)(-exp_b10); /* PLUS 2 digits: TOTAL 3 */
2973 exp_b10 = 0; /* Dot added below before first output. */
2974 }
2975 else
2976 czero = 0; /* No zeros to add */
2977
2978 /* Generate the digit list, stripping trailing zeros and
2979 * inserting a '.' before a digit if the exponent is 0.
2980 */
2981 clead = czero; /* Count of leading zeros */
2982 cdigits = 0; /* Count of digits in list. */
2983
2984 do
2985 {
2986 double d;
2987
2988 fp *= 10;
2989 /* Use modf here, not floor and subtract, so that
2990 * the separation is done in one step. At the end
2991 * of the loop don't break the number into parts so
2992 * that the final digit is rounded.
2993 */
2994 if (cdigits+czero+1 < precision+clead)
2995 fp = modf(fp, &d);
2996
2997 else
2998 {
2999 d = floor(fp + .5);
3000
3001 if (d > 9)
3002 {
3003 /* Rounding up to 10, handle that here. */
3004 if (czero > 0)
3005 {
3006 --czero, d = 1;
3007 if (cdigits == 0) --clead;
3008 }
3009 else
3010 {
3011 while (cdigits > 0 && d > 9)
3012 {
3013 int ch = *--ascii;
3014
3015 if (exp_b10 != (-1))
3016 ++exp_b10;
3017
3018 else if (ch == 46)
3019 {
3020 ch = *--ascii, ++size;
3021 /* Advance exp_b10 to '1', so that the
3022 * decimal point happens after the
3023 * previous digit.
3024 */
3025 exp_b10 = 1;
3026 }
3027
3028 --cdigits;
3029 d = ch - 47; /* I.e. 1+(ch-48) */
3030 }
3031
3032 /* Did we reach the beginning? If so adjust the
3033 * exponent but take into account the leading
3034 * decimal point.
3035 */
3036 if (d > 9) /* cdigits == 0 */
3037 {
3038 if (exp_b10 == (-1))
3039 {
3040 /* Leading decimal point (plus zeros?), if
3041 * we lose the decimal point here it must
3042 * be reentered below.
3043 */
3044 int ch = *--ascii;
3045
3046 if (ch == 46)
3047 ++size, exp_b10 = 1;
3048
3049 /* Else lost a leading zero, so 'exp_b10' is
3050 * still ok at (-1)
3051 */
3052 }
3053 else
3054 ++exp_b10;
3055
3056 /* In all cases we output a '1' */
3057 d = 1;
3058 }
3059 }
3060 }
3061 fp = 0; /* Guarantees termination below. */
3062 }
3063
3064 if (d == 0)
3065 {
3066 ++czero;
3067 if (cdigits == 0) ++clead;
3068 }
3069 else
3070 {
3071 /* Included embedded zeros in the digit count. */
3072 cdigits += czero - clead;
3073 clead = 0;
3074
3075 while (czero > 0)
3076 {
3077 /* exp_b10 == (-1) means we just output the decimal
3078 * place - after the DP don't adjust 'exp_b10' any
3079 * more!
3080 */
3081 if (exp_b10 != (-1))
3082 {
3083 if (exp_b10 == 0) *ascii++ = 46, --size;
3084 /* PLUS 1: TOTAL 4 */
3085 --exp_b10;
3086 }
3087 *ascii++ = 48, --czero;
3088 }
3089
3090 if (exp_b10 != (-1))
3091 {
3092 if (exp_b10 == 0)
3093 *ascii++ = 46, --size; /* counted above */
3094
3095 --exp_b10;
3096 }
3097 *ascii++ = (char)(48 + (int)d), ++cdigits;
3098 }
3099 }
3100 while (cdigits+czero < precision+clead && fp > DBL_MIN);
3101
3102 /* The total output count (max) is now 4+precision */
3103
3104 /* Check for an exponent, if we don't need one we are
3105 * done and just need to terminate the string. At
3106 * this point exp_b10==(-1) is effectively if flag - it got
3107 * to '-1' because of the decrement after outputting
3108 * the decimal point above (the exponent required is
3109 * *not* -1!)
3110 */
3111 if (exp_b10 >= (-1) && exp_b10 <= 2)
3112 {
3113 /* The following only happens if we didn't output the
3114 * leading zeros above for negative exponent, so this
3115 * doesn't add to the digit requirement. Note that the
3116 * two zeros here can only be output if the two leading
3117 * zeros were *not* output, so this doesn't increase
3118 * the output count.
3119 */
3120 while (--exp_b10 >= 0) *ascii++ = 48;
3121
3122 *ascii = 0;
3123
3124 /* Total buffer requirement (including the '\0') is
3125 * 5+precision - see check at the start.
3126 */
3127 return;
3128 }
3129
3130 /* Here if an exponent is required, adjust size for
3131 * the digits we output but did not count. The total
3132 * digit output here so far is at most 1+precision - no
3133 * decimal point and no leading or trailing zeros have
3134 * been output.
3135 */
3136 size -= cdigits;
3137
3138 *ascii++ = 69, --size; /* 'E': PLUS 1 TOTAL 2+precision */
3139
3140 /* The following use of an unsigned temporary avoids ambiguities in
3141 * the signed arithmetic on exp_b10 and permits GCC at least to do
3142 * better optimization.
3143 */
3144 {
3145 unsigned int uexp_b10;
3146
3147 if (exp_b10 < 0)
3148 {
3149 *ascii++ = 45, --size; /* '-': PLUS 1 TOTAL 3+precision */
3150 uexp_b10 = (unsigned int)(-exp_b10);
3151 }
3152
3153 else
3154 uexp_b10 = (unsigned int)exp_b10;
3155
3156 cdigits = 0;
3157
3158 while (uexp_b10 > 0)
3159 {
3160 exponent[cdigits++] = (char)(48 + uexp_b10 % 10);
3161 uexp_b10 /= 10;
3162 }
3163 }
3164
3165 /* Need another size check here for the exponent digits, so
3166 * this need not be considered above.
3167 */
3168 if (size > cdigits)
3169 {
3170 while (cdigits > 0) *ascii++ = exponent[--cdigits];
3171
3172 *ascii = 0;
3173
3174 return;
3175 }
3176 }
3177 }
3178 else if (!(fp >= DBL_MIN))
3179 {
3180 *ascii++ = 48; /* '0' */
3181 *ascii = 0;
3182 return;
3183 }
3184 else
3185 {
3186 *ascii++ = 105; /* 'i' */
3187 *ascii++ = 110; /* 'n' */
3188 *ascii++ = 102; /* 'f' */
3189 *ascii = 0;
3190 return;
3191 }
3192 }
3193
3194 /* Here on buffer too small. */
3195 png_error(png_ptr, "ASCII conversion buffer too small");
3196 }
3197
3198 # endif /* FLOATING_POINT */
3199
3200 # ifdef PNG_FIXED_POINT_SUPPORTED
3201 /* Function to format a fixed point value in ASCII.
3202 */
3203 void /* PRIVATE */
3204 png_ascii_from_fixed(png_const_structrp png_ptr, png_charp ascii,
3205 png_size_t size, png_fixed_point fp)
3206 {
3207 /* Require space for 10 decimal digits, a decimal point, a minus sign and a
3208 * trailing \0, 13 characters:
3209 */
3210 if (size > 12)
3211 {
3212 png_uint_32 num;
3213
3214 /* Avoid overflow here on the minimum integer. */
3215 if (fp < 0)
3216 *ascii++ = 45, num = (png_uint_32)(-fp);
3217 else
3218 num = (png_uint_32)fp;
3219
3220 if (num <= 0x80000000) /* else overflowed */
3221 {
3222 unsigned int ndigits = 0, first = 16 /* flag value */;
3223 char digits[10];
3224
3225 while (num)
3226 {
3227 /* Split the low digit off num: */
3228 unsigned int tmp = num/10;
3229 num -= tmp*10;
3230 digits[ndigits++] = (char)(48 + num);
3231 /* Record the first non-zero digit, note that this is a number
3232 * starting at 1, it's not actually the array index.
3233 */
3234 if (first == 16 && num > 0)
3235 first = ndigits;
3236 num = tmp;
3237 }
3238
3239 if (ndigits > 0)
3240 {
3241 while (ndigits > 5) *ascii++ = digits[--ndigits];
3242 /* The remaining digits are fractional digits, ndigits is '5' or
3243 * smaller at this point. It is certainly not zero. Check for a
3244 * non-zero fractional digit:
3245 */
3246 if (first <= 5)
3247 {
3248 unsigned int i;
3249 *ascii++ = 46; /* decimal point */
3250 /* ndigits may be <5 for small numbers, output leading zeros
3251 * then ndigits digits to first:
3252 */
3253 i = 5;
3254 while (ndigits < i) *ascii++ = 48, --i;
3255 while (ndigits >= first) *ascii++ = digits[--ndigits];
3256 /* Don't output the trailing zeros! */
3257 }
3258 }
3259 else
3260 *ascii++ = 48;
3261
3262 /* And null terminate the string: */
3263 *ascii = 0;
3264 return;
3265 }
3266 }
3267
3268 /* Here on buffer too small. */
3269 png_error(png_ptr, "ASCII conversion buffer too small");
3270 }
3271 # endif /* FIXED_POINT */
3272 #endif /* SCAL */
3273
3274 #if defined(PNG_FLOATING_POINT_SUPPORTED) && \
3275 !defined(PNG_FIXED_POINT_MACRO_SUPPORTED) && \
3276 (defined(PNG_gAMA_SUPPORTED) || defined(PNG_cHRM_SUPPORTED) || \
3277 defined(PNG_sCAL_SUPPORTED) || defined(PNG_READ_BACKGROUND_SUPPORTED) || \
3278 defined(PNG_READ_RGB_TO_GRAY_SUPPORTED)) || \
3279 (defined(PNG_sCAL_SUPPORTED) && \
3280 defined(PNG_FLOATING_ARITHMETIC_SUPPORTED))
3281 png_fixed_point
3282 png_fixed(png_const_structrp png_ptr, double fp, png_const_charp text)
3283 {
3284 double r = floor(100000 * fp + .5);
3285
3286 if (r > 2147483647. || r < -2147483648.)
3287 png_fixed_error(png_ptr, text);
3288
3289 # ifndef PNG_ERROR_TEXT_SUPPORTED
3290 PNG_UNUSED(text)
3291 # endif
3292
3293 return (png_fixed_point)r;
3294 }
3295 #endif
3296
3297 #if defined(PNG_GAMMA_SUPPORTED) || defined(PNG_COLORSPACE_SUPPORTED) ||\
3298 defined(PNG_INCH_CONVERSIONS_SUPPORTED) || defined(PNG_READ_pHYs_SUPPORTED)
3299 /* muldiv functions */
3300 /* This API takes signed arguments and rounds the result to the nearest
3301 * integer (or, for a fixed point number - the standard argument - to
3302 * the nearest .00001). Overflow and divide by zero are signalled in
3303 * the result, a boolean - true on success, false on overflow.
3304 */
3305 int
3306 png_muldiv(png_fixed_point_p res, png_fixed_point a, png_int_32 times,
3307 png_int_32 divisor)
3308 {
3309 /* Return a * times / divisor, rounded. */
3310 if (divisor != 0)
3311 {
3312 if (a == 0 || times == 0)
3313 {
3314 *res = 0;
3315 return 1;
3316 }
3317 else
3318 {
3319 #ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED
3320 double r = a;
3321 r *= times;
3322 r /= divisor;
3323 r = floor(r+.5);
3324
3325 /* A png_fixed_point is a 32-bit integer. */
3326 if (r <= 2147483647. && r >= -2147483648.)
3327 {
3328 *res = (png_fixed_point)r;
3329 return 1;
3330 }
3331 #else
3332 int negative = 0;
3333 png_uint_32 A, T, D;
3334 png_uint_32 s16, s32, s00;
3335
3336 if (a < 0)
3337 negative = 1, A = -a;
3338 else
3339 A = a;
3340
3341 if (times < 0)
3342 negative = !negative, T = -times;
3343 else
3344 T = times;
3345
3346 if (divisor < 0)
3347 negative = !negative, D = -divisor;
3348 else
3349 D = divisor;
3350
3351 /* Following can't overflow because the arguments only
3352 * have 31 bits each, however the result may be 32 bits.
3353 */
3354 s16 = (A >> 16) * (T & 0xffff) +
3355 (A & 0xffff) * (T >> 16);
3356 /* Can't overflow because the a*times bit is only 30
3357 * bits at most.
3358 */
3359 s32 = (A >> 16) * (T >> 16) + (s16 >> 16);
3360 s00 = (A & 0xffff) * (T & 0xffff);
3361
3362 s16 = (s16 & 0xffff) << 16;
3363 s00 += s16;
3364
3365 if (s00 < s16)
3366 ++s32; /* carry */
3367
3368 if (s32 < D) /* else overflow */
3369 {
3370 /* s32.s00 is now the 64-bit product, do a standard
3371 * division, we know that s32 < D, so the maximum
3372 * required shift is 31.
3373 */
3374 int bitshift = 32;
3375 png_fixed_point result = 0; /* NOTE: signed */
3376
3377 while (--bitshift >= 0)
3378 {
3379 png_uint_32 d32, d00;
3380
3381 if (bitshift > 0)
3382 d32 = D >> (32-bitshift), d00 = D << bitshift;
3383
3384 else
3385 d32 = 0, d00 = D;
3386
3387 if (s32 > d32)
3388 {
3389 if (s00 < d00) --s32; /* carry */
3390 s32 -= d32, s00 -= d00, result += 1<<bitshift;
3391 }
3392
3393 else
3394 if (s32 == d32 && s00 >= d00)
3395 s32 = 0, s00 -= d00, result += 1<<bitshift;
3396 }
3397
3398 /* Handle the rounding. */
3399 if (s00 >= (D >> 1))
3400 ++result;
3401
3402 if (negative != 0)
3403 result = -result;
3404
3405 /* Check for overflow. */
3406 if ((negative != 0 && result <= 0) ||
3407 (negative == 0 && result >= 0))
3408 {
3409 *res = result;
3410 return 1;
3411 }
3412 }
3413 #endif
3414 }
3415 }
3416
3417 return 0;
3418 }
3419 #endif /* READ_GAMMA || INCH_CONVERSIONS */
3420
3421 #if defined(PNG_READ_GAMMA_SUPPORTED) || defined(PNG_INCH_CONVERSIONS_SUPPORTED)
3422 /* The following is for when the caller doesn't much care about the
3423 * result.
3424 */
3425 png_fixed_point
3426 png_muldiv_warn(png_const_structrp png_ptr, png_fixed_point a, png_int_32 times,
3427 png_int_32 divisor)
3428 {
3429 png_fixed_point result;
3430
3431 if (png_muldiv(&result, a, times, divisor) != 0)
3432 return result;
3433
3434 png_warning(png_ptr, "fixed point overflow ignored");
3435 return 0;
3436 }
3437 #endif
3438
3439 #ifdef PNG_GAMMA_SUPPORTED /* more fixed point functions for gamma */
3440 /* Calculate a reciprocal, return 0 on div-by-zero or overflow. */
3441 png_fixed_point
3442 png_reciprocal(png_fixed_point a)
3443 {
3444 #ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED
3445 double r = floor(1E10/a+.5);
3446
3447 if (r <= 2147483647. && r >= -2147483648.)
3448 return (png_fixed_point)r;
3449 #else
3450 png_fixed_point res;
3451
3452 if (png_muldiv(&res, 100000, 100000, a) != 0)
3453 return res;
3454 #endif
3455
3456 return 0; /* error/overflow */
3457 }
3458
3459 /* This is the shared test on whether a gamma value is 'significant' - whether
3460 * it is worth doing gamma correction.
3461 */
3462 int /* PRIVATE */
3463 png_gamma_significant(png_fixed_point gamma_val)
3464 {
3465 return gamma_val < PNG_FP_1 - PNG_GAMMA_THRESHOLD_FIXED ||
3466 gamma_val > PNG_FP_1 + PNG_GAMMA_THRESHOLD_FIXED;
3467 }
3468 #endif
3469
3470 #ifdef PNG_READ_GAMMA_SUPPORTED
3471 #ifdef PNG_16BIT_SUPPORTED
3472 /* A local convenience routine. */
3473 static png_fixed_point
3474 png_product2(png_fixed_point a, png_fixed_point b)
3475 {
3476 /* The required result is 1/a * 1/b; the following preserves accuracy. */
3477 #ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED
3478 double r = a * 1E-5;
3479 r *= b;
3480 r = floor(r+.5);
3481
3482 if (r <= 2147483647. && r >= -2147483648.)
3483 return (png_fixed_point)r;
3484 #else
3485 png_fixed_point res;
3486
3487 if (png_muldiv(&res, a, b, 100000) != 0)
3488 return res;
3489 #endif
3490
3491 return 0; /* overflow */
3492 }
3493 #endif /* 16BIT */
3494
3495 /* The inverse of the above. */
3496 png_fixed_point
3497 png_reciprocal2(png_fixed_point a, png_fixed_point b)
3498 {
3499 /* The required result is 1/a * 1/b; the following preserves accuracy. */
3500 #ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED
3501 if (a != 0 && b != 0)
3502 {
3503 double r = 1E15/a;
3504 r /= b;
3505 r = floor(r+.5);
3506
3507 if (r <= 2147483647. && r >= -2147483648.)
3508 return (png_fixed_point)r;
3509 }
3510 #else
3511 /* This may overflow because the range of png_fixed_point isn't symmetric,
3512 * but this API is only used for the product of file and screen gamma so it
3513 * doesn't matter that the smallest number it can produce is 1/21474, not
3514 * 1/100000
3515 */
3516 png_fixed_point res = png_product2(a, b);
3517
3518 if (res != 0)
3519 return png_reciprocal(res);
3520 #endif
3521
3522 return 0; /* overflow */
3523 }
3524 #endif /* READ_GAMMA */
3525
3526 #ifdef PNG_READ_GAMMA_SUPPORTED /* gamma table code */
3527 #ifndef PNG_FLOATING_ARITHMETIC_SUPPORTED
3528 /* Fixed point gamma.
3529 *
3530 * The code to calculate the tables used below can be found in the shell script
3531 * contrib/tools/intgamma.sh
3532 *
3533 * To calculate gamma this code implements fast log() and exp() calls using only
3534 * fixed point arithmetic. This code has sufficient precision for either 8-bit
3535 * or 16-bit sample values.
3536 *
3537 * The tables used here were calculated using simple 'bc' programs, but C double
3538 * precision floating point arithmetic would work fine.
3539 *
3540 * 8-bit log table
3541 * This is a table of -log(value/255)/log(2) for 'value' in the range 128 to
3542 * 255, so it's the base 2 logarithm of a normalized 8-bit floating point
3543 * mantissa. The numbers are 32-bit fractions.
3544 */
3545 static const png_uint_32
3546 png_8bit_l2[128] =
3547 {
3548 4270715492U, 4222494797U, 4174646467U, 4127164793U, 4080044201U, 4033279239U,
3549 3986864580U, 3940795015U, 3895065449U, 3849670902U, 3804606499U, 3759867474U,
3550 3715449162U, 3671346997U, 3627556511U, 3584073329U, 3540893168U, 3498011834U,
3551 3455425220U, 3413129301U, 3371120137U, 3329393864U, 3287946700U, 3246774933U,
3552 3205874930U, 3165243125U, 3124876025U, 3084770202U, 3044922296U, 3005329011U,
3553 2965987113U, 2926893432U, 2888044853U, 2849438323U, 2811070844U, 2772939474U,
3554 2735041326U, 2697373562U, 2659933400U, 2622718104U, 2585724991U, 2548951424U,
3555 2512394810U, 2476052606U, 2439922311U, 2404001468U, 2368287663U, 2332778523U,
3556 2297471715U, 2262364947U, 2227455964U, 2192742551U, 2158222529U, 2123893754U,
3557 2089754119U, 2055801552U, 2022034013U, 1988449497U, 1955046031U, 1921821672U,
3558 1888774511U, 1855902668U, 1823204291U, 1790677560U, 1758320682U, 1726131893U,
3559 1694109454U, 1662251657U, 1630556815U, 1599023271U, 1567649391U, 1536433567U,
3560 1505374214U, 1474469770U, 1443718700U, 1413119487U, 1382670639U, 1352370686U,
3561 1322218179U, 1292211689U, 1262349810U, 1232631153U, 1203054352U, 1173618059U,
3562 1144320946U, 1115161701U, 1086139034U, 1057251672U, 1028498358U, 999877854U,
3563 971388940U, 943030410U, 914801076U, 886699767U, 858725327U, 830876614U,
3564 803152505U, 775551890U, 748073672U, 720716771U, 693480120U, 666362667U,
3565 639363374U, 612481215U, 585715177U, 559064263U, 532527486U, 506103872U,
3566 479792461U, 453592303U, 427502463U, 401522014U, 375650043U, 349885648U,
3567 324227938U, 298676034U, 273229066U, 247886176U, 222646516U, 197509248U,
3568 172473545U, 147538590U, 122703574U, 97967701U, 73330182U, 48790236U,
3569 24347096U, 0U
3570
3571 #if 0
3572 /* The following are the values for 16-bit tables - these work fine for the
3573 * 8-bit conversions but produce very slightly larger errors in the 16-bit
3574 * log (about 1.2 as opposed to 0.7 absolute error in the final value). To
3575 * use these all the shifts below must be adjusted appropriately.
3576 */
3577 65166, 64430, 63700, 62976, 62257, 61543, 60835, 60132, 59434, 58741, 58054,
3578 57371, 56693, 56020, 55352, 54689, 54030, 53375, 52726, 52080, 51439, 50803,
3579 50170, 49542, 48918, 48298, 47682, 47070, 46462, 45858, 45257, 44661, 44068,
3580 43479, 42894, 42312, 41733, 41159, 40587, 40020, 39455, 38894, 38336, 37782,
3581 37230, 36682, 36137, 35595, 35057, 34521, 33988, 33459, 32932, 32408, 31887,
3582 31369, 30854, 30341, 29832, 29325, 28820, 28319, 27820, 27324, 26830, 26339,
3583 25850, 25364, 24880, 24399, 23920, 23444, 22970, 22499, 22029, 21562, 21098,
3584 20636, 20175, 19718, 19262, 18808, 18357, 17908, 17461, 17016, 16573, 16132,
3585 15694, 15257, 14822, 14390, 13959, 13530, 13103, 12678, 12255, 11834, 11415,
3586 10997, 10582, 10168, 9756, 9346, 8937, 8531, 8126, 7723, 7321, 6921, 6523,
3587 6127, 5732, 5339, 4947, 4557, 4169, 3782, 3397, 3014, 2632, 2251, 1872, 1495,
3588 1119, 744, 372
3589 #endif
3590 };
3591
3592 static png_int_32
3593 png_log8bit(unsigned int x)
3594 {
3595 unsigned int lg2 = 0;
3596 /* Each time 'x' is multiplied by 2, 1 must be subtracted off the final log,
3597 * because the log is actually negate that means adding 1. The final
3598 * returned value thus has the range 0 (for 255 input) to 7.994 (for 1
3599 * input), return -1 for the overflow (log 0) case, - so the result is
3600 * always at most 19 bits.
3601 */
3602 if ((x &= 0xff) == 0)
3603 return -1;
3604
3605 if ((x & 0xf0) == 0)
3606 lg2 = 4, x <<= 4;
3607
3608 if ((x & 0xc0) == 0)
3609 lg2 += 2, x <<= 2;
3610
3611 if ((x & 0x80) == 0)
3612 lg2 += 1, x <<= 1;
3613
3614 /* result is at most 19 bits, so this cast is safe: */
3615 return (png_int_32)((lg2 << 16) + ((png_8bit_l2[x-128]+32768)>>16));
3616 }
3617
3618 /* The above gives exact (to 16 binary places) log2 values for 8-bit images,
3619 * for 16-bit images we use the most significant 8 bits of the 16-bit value to
3620 * get an approximation then multiply the approximation by a correction factor
3621 * determined by the remaining up to 8 bits. This requires an additional step
3622 * in the 16-bit case.
3623 *
3624 * We want log2(value/65535), we have log2(v'/255), where:
3625 *
3626 * value = v' * 256 + v''
3627 * = v' * f
3628 *
3629 * So f is value/v', which is equal to (256+v''/v') since v' is in the range 128
3630 * to 255 and v'' is in the range 0 to 255 f will be in the range 256 to less
3631 * than 258. The final factor also needs to correct for the fact that our 8-bit
3632 * value is scaled by 255, whereas the 16-bit values must be scaled by 65535.
3633 *
3634 * This gives a final formula using a calculated value 'x' which is value/v' and
3635 * scaling by 65536 to match the above table:
3636 *
3637 * log2(x/257) * 65536
3638 *
3639 * Since these numbers are so close to '1' we can use simple linear
3640 * interpolation between the two end values 256/257 (result -368.61) and 258/257
3641 * (result 367.179). The values used below are scaled by a further 64 to give
3642 * 16-bit precision in the interpolation:
3643 *
3644 * Start (256): -23591
3645 * Zero (257): 0
3646 * End (258): 23499
3647 */
3648 #ifdef PNG_16BIT_SUPPORTED
3649 static png_int_32
3650 png_log16bit(png_uint_32 x)
3651 {
3652 unsigned int lg2 = 0;
3653
3654 /* As above, but now the input has 16 bits. */
3655 if ((x &= 0xffff) == 0)
3656 return -1;
3657
3658 if ((x & 0xff00) == 0)
3659 lg2 = 8, x <<= 8;
3660
3661 if ((x & 0xf000) == 0)
3662 lg2 += 4, x <<= 4;
3663
3664 if ((x & 0xc000) == 0)
3665 lg2 += 2, x <<= 2;
3666
3667 if ((x & 0x8000) == 0)
3668 lg2 += 1, x <<= 1;
3669
3670 /* Calculate the base logarithm from the top 8 bits as a 28-bit fractional
3671 * value.
3672 */
3673 lg2 <<= 28;
3674 lg2 += (png_8bit_l2[(x>>8)-128]+8) >> 4;
3675
3676 /* Now we need to interpolate the factor, this requires a division by the top
3677 * 8 bits. Do this with maximum precision.
3678 */
3679 x = ((x << 16) + (x >> 9)) / (x >> 8);
3680
3681 /* Since we divided by the top 8 bits of 'x' there will be a '1' at 1<<24,
3682 * the value at 1<<16 (ignoring this) will be 0 or 1; this gives us exactly
3683 * 16 bits to interpolate to get the low bits of the result. Round the
3684 * answer. Note that the end point values are scaled by 64 to retain overall
3685 * precision and that 'lg2' is current scaled by an extra 12 bits, so adjust
3686 * the overall scaling by 6-12. Round at every step.
3687 */
3688 x -= 1U << 24;
3689
3690 if (x <= 65536U) /* <= '257' */
3691 lg2 += ((23591U * (65536U-x)) + (1U << (16+6-12-1))) >> (16+6-12);
3692
3693 else
3694 lg2 -= ((23499U * (x-65536U)) + (1U << (16+6-12-1))) >> (16+6-12);
3695
3696 /* Safe, because the result can't have more than 20 bits: */
3697 return (png_int_32)((lg2 + 2048) >> 12);
3698 }
3699 #endif /* 16BIT */
3700
3701 /* The 'exp()' case must invert the above, taking a 20-bit fixed point
3702 * logarithmic value and returning a 16 or 8-bit number as appropriate. In
3703 * each case only the low 16 bits are relevant - the fraction - since the
3704 * integer bits (the top 4) simply determine a shift.
3705 *
3706 * The worst case is the 16-bit distinction between 65535 and 65534. This
3707 * requires perhaps spurious accuracy in the decoding of the logarithm to
3708 * distinguish log2(65535/65534.5) - 10^-5 or 17 bits. There is little chance
3709 * of getting this accuracy in practice.
3710 *
3711 * To deal with this the following exp() function works out the exponent of the
3712 * frational part of the logarithm by using an accurate 32-bit value from the
3713 * top four fractional bits then multiplying in the remaining bits.
3714 */
3715 static const png_uint_32
3716 png_32bit_exp[16] =
3717 {
3718 /* NOTE: the first entry is deliberately set to the maximum 32-bit value. */
3719 4294967295U, 4112874773U, 3938502376U, 3771522796U, 3611622603U, 3458501653U,
3720 3311872529U, 3171459999U, 3037000500U, 2908241642U, 2784941738U, 2666869345U,
3721 2553802834U, 2445529972U, 2341847524U, 2242560872U
3722 };
3723
3724 /* Adjustment table; provided to explain the numbers in the code below. */
3725 #if 0
3726 for (i=11;i>=0;--i){ print i, " ", (1 - e(-(2^i)/65536*l(2))) * 2^(32-i), "\n"}
3727 11 44937.64284865548751208448
3728 10 45180.98734845585101160448
3729 9 45303.31936980687359311872
3730 8 45364.65110595323018870784
3731 7 45395.35850361789624614912
3732 6 45410.72259715102037508096
3733 5 45418.40724413220722311168
3734 4 45422.25021786898173001728
3735 3 45424.17186732298419044352
3736 2 45425.13273269940811464704
3737 1 45425.61317555035558641664
3738 0 45425.85339951654943850496
3739 #endif
3740
3741 static png_uint_32
3742 png_exp(png_fixed_point x)
3743 {
3744 if (x > 0 && x <= 0xfffff) /* Else overflow or zero (underflow) */
3745 {
3746 /* Obtain a 4-bit approximation */
3747 png_uint_32 e = png_32bit_exp[(x >> 12) & 0x0f];
3748
3749 /* Incorporate the low 12 bits - these decrease the returned value by
3750 * multiplying by a number less than 1 if the bit is set. The multiplier
3751 * is determined by the above table and the shift. Notice that the values
3752 * converge on 45426 and this is used to allow linear interpolation of the
3753 * low bits.
3754 */
3755 if (x & 0x800)
3756 e -= (((e >> 16) * 44938U) + 16U) >> 5;
3757
3758 if (x & 0x400)
3759 e -= (((e >> 16) * 45181U) + 32U) >> 6;
3760
3761 if (x & 0x200)
3762 e -= (((e >> 16) * 45303U) + 64U) >> 7;
3763
3764 if (x & 0x100)
3765 e -= (((e >> 16) * 45365U) + 128U) >> 8;
3766
3767 if (x & 0x080)
3768 e -= (((e >> 16) * 45395U) + 256U) >> 9;
3769
3770 if (x & 0x040)
3771 e -= (((e >> 16) * 45410U) + 512U) >> 10;
3772
3773 /* And handle the low 6 bits in a single block. */
3774 e -= (((e >> 16) * 355U * (x & 0x3fU)) + 256U) >> 9;
3775
3776 /* Handle the upper bits of x. */
3777 e >>= x >> 16;
3778 return e;
3779 }
3780
3781 /* Check for overflow */
3782 if (x <= 0)
3783 return png_32bit_exp[0];
3784
3785 /* Else underflow */
3786 return 0;
3787 }
3788
3789 static png_byte
3790 png_exp8bit(png_fixed_point lg2)
3791 {
3792 /* Get a 32-bit value: */
3793 png_uint_32 x = png_exp(lg2);
3794
3795 /* Convert the 32-bit value to 0..255 by multiplying by 256-1. Note that the
3796 * second, rounding, step can't overflow because of the first, subtraction,
3797 * step.
3798 */
3799 x -= x >> 8;
3800 return (png_byte)(((x + 0x7fffffU) >> 24) & 0xff);
3801 }
3802
3803 #ifdef PNG_16BIT_SUPPORTED
3804 static png_uint_16
3805 png_exp16bit(png_fixed_point lg2)
3806 {
3807 /* Get a 32-bit value: */
3808 png_uint_32 x = png_exp(lg2);
3809
3810 /* Convert the 32-bit value to 0..65535 by multiplying by 65536-1: */
3811 x -= x >> 16;
3812 return (png_uint_16)((x + 32767U) >> 16);
3813 }
3814 #endif /* 16BIT */
3815 #endif /* FLOATING_ARITHMETIC */
3816
3817 png_byte
3818 png_gamma_8bit_correct(unsigned int value, png_fixed_point gamma_val)
3819 {
3820 if (value > 0 && value < 255)
3821 {
3822 # ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED
3823 /* 'value' is unsigned, ANSI-C90 requires the compiler to correctly
3824 * convert this to a floating point value. This includes values that
3825 * would overflow if 'value' were to be converted to 'int'.
3826 *
3827 * Apparently GCC, however, does an intermediate conversion to (int)
3828 * on some (ARM) but not all (x86) platforms, possibly because of
3829 * hardware FP limitations. (E.g. if the hardware conversion always
3830 * assumes the integer register contains a signed value.) This results
3831 * in ANSI-C undefined behavior for large values.
3832 *
3833 * Other implementations on the same machine might actually be ANSI-C90
3834 * conformant and therefore compile spurious extra code for the large
3835 * values.
3836 *
3837 * We can be reasonably sure that an unsigned to float conversion
3838 * won't be faster than an int to float one. Therefore this code
3839 * assumes responsibility for the undefined behavior, which it knows
3840 * can't happen because of the check above.
3841 *
3842 * Note the argument to this routine is an (unsigned int) because, on
3843 * 16-bit platforms, it is assigned a value which might be out of
3844 * range for an (int); that would result in undefined behavior in the
3845 * caller if the *argument* ('value') were to be declared (int).
3846 */
3847 double r = floor(255*pow((int)/*SAFE*/value/255.,gamma_val*.00001)+.5);
3848 return (png_byte)r;
3849 # else
3850 png_int_32 lg2 = png_log8bit(value);
3851 png_fixed_point res;
3852
3853 if (png_muldiv(&res, gamma_val, lg2, PNG_FP_1) != 0)
3854 return png_exp8bit(res);
3855
3856 /* Overflow. */
3857 value = 0;
3858 # endif
3859 }
3860
3861 return (png_byte)(value & 0xff);
3862 }
3863
3864 #ifdef PNG_16BIT_SUPPORTED
3865 png_uint_16
3866 png_gamma_16bit_correct(unsigned int value, png_fixed_point gamma_val)
3867 {
3868 if (value > 0 && value < 65535)
3869 {
3870 # ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED
3871 /* The same (unsigned int)->(double) constraints apply here as above,
3872 * however in this case the (unsigned int) to (int) conversion can
3873 * overflow on an ANSI-C90 compliant system so the cast needs to ensure
3874 * that this is not possible.
3875 */
3876 double r = floor(65535*pow((png_int_32)value/65535.,
3877 gamma_val*.00001)+.5);
3878 return (png_uint_16)r;
3879 # else
3880 png_int_32 lg2 = png_log16bit(value);
3881 png_fixed_point res;
3882
3883 if (png_muldiv(&res, gamma_val, lg2, PNG_FP_1) != 0)
3884 return png_exp16bit(res);
3885
3886 /* Overflow. */
3887 value = 0;
3888 # endif
3889 }
3890
3891 return (png_uint_16)value;
3892 }
3893 #endif /* 16BIT */
3894
3895 /* This does the right thing based on the bit_depth field of the
3896 * png_struct, interpreting values as 8-bit or 16-bit. While the result
3897 * is nominally a 16-bit value if bit depth is 8 then the result is
3898 * 8-bit (as are the arguments.)
3899 */
3900 png_uint_16 /* PRIVATE */
3901 png_gamma_correct(png_structrp png_ptr, unsigned int value,
3902 png_fixed_point gamma_val)
3903 {
3904 if (png_ptr->bit_depth == 8)
3905 return png_gamma_8bit_correct(value, gamma_val);
3906
3907 #ifdef PNG_16BIT_SUPPORTED
3908 else
3909 return png_gamma_16bit_correct(value, gamma_val);
3910 #else
3911 /* should not reach this */
3912 return 0;
3913 #endif /* 16BIT */
3914 }
3915
3916 #ifdef PNG_16BIT_SUPPORTED
3917 /* Internal function to build a single 16-bit table - the table consists of
3918 * 'num' 256 entry subtables, where 'num' is determined by 'shift' - the amount
3919 * to shift the input values right (or 16-number_of_signifiant_bits).
3920 *
3921 * The caller is responsible for ensuring that the table gets cleaned up on
3922 * png_error (i.e. if one of the mallocs below fails) - i.e. the *table argument
3923 * should be somewhere that will be cleaned.
3924 */
3925 static void
3926 png_build_16bit_table(png_structrp png_ptr, png_uint_16pp *ptable,
3927 PNG_CONST unsigned int shift, PNG_CONST png_fixed_point gamma_val)
3928 {
3929 /* Various values derived from 'shift': */
3930 PNG_CONST unsigned int num = 1U << (8U - shift);
3931 #ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED
3932 /* CSE the division and work round wacky GCC warnings (see the comments
3933 * in png_gamma_8bit_correct for where these come from.)
3934 */
3935 PNG_CONST double fmax = 1./(((png_int_32)1 << (16U - shift))-1);
3936 #endif
3937 PNG_CONST unsigned int max = (1U << (16U - shift))-1U;
3938 PNG_CONST unsigned int max_by_2 = 1U << (15U-shift);
3939 unsigned int i;
3940
3941 png_uint_16pp table = *ptable =
3942 (png_uint_16pp)png_calloc(png_ptr, num * (sizeof (png_uint_16p)));
3943
3944 for (i = 0; i < num; i++)
3945 {
3946 png_uint_16p sub_table = table[i] =
3947 (png_uint_16p)png_malloc(png_ptr, 256 * (sizeof (png_uint_16)));
3948
3949 /* The 'threshold' test is repeated here because it can arise for one of
3950 * the 16-bit tables even if the others don't hit it.
3951 */
3952 if (png_gamma_significant(gamma_val) != 0)
3953 {
3954 /* The old code would overflow at the end and this would cause the
3955 * 'pow' function to return a result >1, resulting in an
3956 * arithmetic error. This code follows the spec exactly; ig is
3957 * the recovered input sample, it always has 8-16 bits.
3958 *
3959 * We want input * 65535/max, rounded, the arithmetic fits in 32
3960 * bits (unsigned) so long as max <= 32767.
3961 */
3962 unsigned int j;
3963 for (j = 0; j < 256; j++)
3964 {
3965 png_uint_32 ig = (j << (8-shift)) + i;
3966 # ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED
3967 /* Inline the 'max' scaling operation: */
3968 /* See png_gamma_8bit_correct for why the cast to (int) is
3969 * required here.
3970 */
3971 double d = floor(65535.*pow(ig*fmax, gamma_val*.00001)+.5);
3972 sub_table[j] = (png_uint_16)d;
3973 # else
3974 if (shift != 0)
3975 ig = (ig * 65535U + max_by_2)/max;
3976
3977 sub_table[j] = png_gamma_16bit_correct(ig, gamma_val);
3978 # endif
3979 }
3980 }
3981 else
3982 {
3983 /* We must still build a table, but do it the fast way. */
3984 unsigned int j;
3985
3986 for (j = 0; j < 256; j++)
3987 {
3988 png_uint_32 ig = (j << (8-shift)) + i;
3989
3990 if (shift != 0)
3991 ig = (ig * 65535U + max_by_2)/max;
3992
3993 sub_table[j] = (png_uint_16)ig;
3994 }
3995 }
3996 }
3997 }
3998
3999 /* NOTE: this function expects the *inverse* of the overall gamma transformation
4000 * required.
4001 */
4002 static void
4003 png_build_16to8_table(png_structrp png_ptr, png_uint_16pp *ptable,
4004 PNG_CONST unsigned int shift, PNG_CONST png_fixed_point gamma_val)
4005 {
4006 PNG_CONST unsigned int num = 1U << (8U - shift);
4007 PNG_CONST unsigned int max = (1U << (16U - shift))-1U;
4008 unsigned int i;
4009 png_uint_32 last;
4010
4011 png_uint_16pp table = *ptable =
4012 (png_uint_16pp)png_calloc(png_ptr, num * (sizeof (png_uint_16p)));
4013
4014 /* 'num' is the number of tables and also the number of low bits of low
4015 * bits of the input 16-bit value used to select a table. Each table is
4016 * itself indexed by the high 8 bits of the value.
4017 */
4018 for (i = 0; i < num; i++)
4019 table[i] = (png_uint_16p)png_malloc(png_ptr,
4020 256 * (sizeof (png_uint_16)));
4021
4022 /* 'gamma_val' is set to the reciprocal of the value calculated above, so
4023 * pow(out,g) is an *input* value. 'last' is the last input value set.
4024 *
4025 * In the loop 'i' is used to find output values. Since the output is
4026 * 8-bit there are only 256 possible values. The tables are set up to
4027 * select the closest possible output value for each input by finding
4028 * the input value at the boundary between each pair of output values
4029 * and filling the table up to that boundary with the lower output
4030 * value.
4031 *
4032 * The boundary values are 0.5,1.5..253.5,254.5. Since these are 9-bit
4033 * values the code below uses a 16-bit value in i; the values start at
4034 * 128.5 (for 0.5) and step by 257, for a total of 254 values (the last
4035 * entries are filled with 255). Start i at 128 and fill all 'last'
4036 * table entries <= 'max'
4037 */
4038 last = 0;
4039 for (i = 0; i < 255; ++i) /* 8-bit output value */
4040 {
4041 /* Find the corresponding maximum input value */
4042 png_uint_16 out = (png_uint_16)(i * 257U); /* 16-bit output value */
4043
4044 /* Find the boundary value in 16 bits: */
4045 png_uint_32 bound = png_gamma_16bit_correct(out+128U, gamma_val);
4046
4047 /* Adjust (round) to (16-shift) bits: */
4048 bound = (bound * max + 32768U)/65535U + 1U;
4049
4050 while (last < bound)
4051 {
4052 table[last & (0xffU >> shift)][last >> (8U - shift)] = out;
4053 last++;
4054 }
4055 }
4056
4057 /* And fill in the final entries. */
4058 while (last < (num << 8))
4059 {
4060 table[last & (0xff >> shift)][last >> (8U - shift)] = 65535U;
4061 last++;
4062 }
4063 }
4064 #endif /* 16BIT */
4065
4066 /* Build a single 8-bit table: same as the 16-bit case but much simpler (and
4067 * typically much faster). Note that libpng currently does no sBIT processing
4068 * (apparently contrary to the spec) so a 256-entry table is always generated.
4069 */
4070 static void
4071 png_build_8bit_table(png_structrp png_ptr, png_bytepp ptable,
4072 PNG_CONST png_fixed_point gamma_val)
4073 {
4074 unsigned int i;
4075 png_bytep table = *ptable = (png_bytep)png_malloc(png_ptr, 256);
4076
4077 if (png_gamma_significant(gamma_val) != 0)
4078 for (i=0; i<256; i++)
4079 table[i] = png_gamma_8bit_correct(i, gamma_val);
4080
4081 else
4082 for (i=0; i<256; ++i)
4083 table[i] = (png_byte)(i & 0xff);
4084 }
4085
4086 /* Used from png_read_destroy and below to release the memory used by the gamma
4087 * tables.
4088 */
4089 void /* PRIVATE */
4090 png_destroy_gamma_table(png_structrp png_ptr)
4091 {
4092 png_free(png_ptr, png_ptr->gamma_table);
4093 png_ptr->gamma_table = NULL;
4094
4095 #ifdef PNG_16BIT_SUPPORTED
4096 if (png_ptr->gamma_16_table != NULL)
4097 {
4098 int i;
4099 int istop = (1 << (8 - png_ptr->gamma_shift));
4100 for (i = 0; i < istop; i++)
4101 {
4102 png_free(png_ptr, png_ptr->gamma_16_table[i]);
4103 }
4104 png_free(png_ptr, png_ptr->gamma_16_table);
4105 png_ptr->gamma_16_table = NULL;
4106 }
4107 #endif /* 16BIT */
4108
4109 #if defined(PNG_READ_BACKGROUND_SUPPORTED) || \
4110 defined(PNG_READ_ALPHA_MODE_SUPPORTED) || \
4111 defined(PNG_READ_RGB_TO_GRAY_SUPPORTED)
4112 png_free(png_ptr, png_ptr->gamma_from_1);
4113 png_ptr->gamma_from_1 = NULL;
4114 png_free(png_ptr, png_ptr->gamma_to_1);
4115 png_ptr->gamma_to_1 = NULL;
4116
4117 #ifdef PNG_16BIT_SUPPORTED
4118 if (png_ptr->gamma_16_from_1 != NULL)
4119 {
4120 int i;
4121 int istop = (1 << (8 - png_ptr->gamma_shift));
4122 for (i = 0; i < istop; i++)
4123 {
4124 png_free(png_ptr, png_ptr->gamma_16_from_1[i]);
4125 }
4126 png_free(png_ptr, png_ptr->gamma_16_from_1);
4127 png_ptr->gamma_16_from_1 = NULL;
4128 }
4129 if (png_ptr->gamma_16_to_1 != NULL)
4130 {
4131 int i;
4132 int istop = (1 << (8 - png_ptr->gamma_shift));
4133 for (i = 0; i < istop; i++)
4134 {
4135 png_free(png_ptr, png_ptr->gamma_16_to_1[i]);
4136 }
4137 png_free(png_ptr, png_ptr->gamma_16_to_1);
4138 png_ptr->gamma_16_to_1 = NULL;
4139 }
4140 #endif /* 16BIT */
4141 #endif /* READ_BACKGROUND || READ_ALPHA_MODE || RGB_TO_GRAY */
4142 }
4143
4144 /* We build the 8- or 16-bit gamma tables here. Note that for 16-bit
4145 * tables, we don't make a full table if we are reducing to 8-bit in
4146 * the future. Note also how the gamma_16 tables are segmented so that
4147 * we don't need to allocate > 64K chunks for a full 16-bit table.
4148 */
4149 void /* PRIVATE */
4150 png_build_gamma_table(png_structrp png_ptr, int bit_depth)
4151 {
4152 png_debug(1, "in png_build_gamma_table");
4153
4154 /* Remove any existing table; this copes with multiple calls to
4155 * png_read_update_info. The warning is because building the gamma tables
4156 * multiple times is a performance hit - it's harmless but the ability to
4157 * call png_read_update_info() multiple times is new in 1.5.6 so it seems
4158 * sensible to warn if the app introduces such a hit.
4159 */
4160 if (png_ptr->gamma_table != NULL || png_ptr->gamma_16_table != NULL)
4161 {
4162 png_warning(png_ptr, "gamma table being rebuilt");
4163 png_destroy_gamma_table(png_ptr);
4164 }
4165
4166 if (bit_depth <= 8)
4167 {
4168 png_build_8bit_table(png_ptr, &png_ptr->gamma_table,
4169 png_ptr->screen_gamma > 0 ?
4170 png_reciprocal2(png_ptr->colorspace.gamma,
4171 png_ptr->screen_gamma) : PNG_FP_1);
4172
4173 #if defined(PNG_READ_BACKGROUND_SUPPORTED) || \
4174 defined(PNG_READ_ALPHA_MODE_SUPPORTED) || \
4175 defined(PNG_READ_RGB_TO_GRAY_SUPPORTED)
4176 if ((png_ptr->transformations & (PNG_COMPOSE | PNG_RGB_TO_GRAY)) != 0)
4177 {
4178 png_build_8bit_table(png_ptr, &png_ptr->gamma_to_1,
4179 png_reciprocal(png_ptr->colorspace.gamma));
4180
4181 png_build_8bit_table(png_ptr, &png_ptr->gamma_from_1,
4182 png_ptr->screen_gamma > 0 ?
4183 png_reciprocal(png_ptr->screen_gamma) :
4184 png_ptr->colorspace.gamma/* Probably doing rgb_to_gray */);
4185 }
4186 #endif /* READ_BACKGROUND || READ_ALPHA_MODE || RGB_TO_GRAY */
4187 }
4188 #ifdef PNG_16BIT_SUPPORTED
4189 else
4190 {
4191 png_byte shift, sig_bit;
4192
4193 if ((png_ptr->color_type & PNG_COLOR_MASK_COLOR) != 0)
4194 {
4195 sig_bit = png_ptr->sig_bit.red;
4196
4197 if (png_ptr->sig_bit.green > sig_bit)
4198 sig_bit = png_ptr->sig_bit.green;
4199
4200 if (png_ptr->sig_bit.blue > sig_bit)
4201 sig_bit = png_ptr->sig_bit.blue;
4202 }
4203 else
4204 sig_bit = png_ptr->sig_bit.gray;
4205
4206 /* 16-bit gamma code uses this equation:
4207 *
4208 * ov = table[(iv & 0xff) >> gamma_shift][iv >> 8]
4209 *
4210 * Where 'iv' is the input color value and 'ov' is the output value -
4211 * pow(iv, gamma).
4212 *
4213 * Thus the gamma table consists of up to 256 256-entry tables. The table
4214 * is selected by the (8-gamma_shift) most significant of the low 8 bits
4215 * of the color value then indexed by the upper 8 bits:
4216 *
4217 * table[low bits][high 8 bits]
4218 *
4219 * So the table 'n' corresponds to all those 'iv' of:
4220 *
4221 * <all high 8-bit values><n << gamma_shift>..<(n+1 << gamma_shift)-1>
4222 *
4223 */
4224 if (sig_bit > 0 && sig_bit < 16U)
4225 /* shift == insignificant bits */
4226 shift = (png_byte)((16U - sig_bit) & 0xff);
4227
4228 else
4229 shift = 0; /* keep all 16 bits */
4230
4231 if ((png_ptr->transformations & (PNG_16_TO_8 | PNG_SCALE_16_TO_8)) != 0)
4232 {
4233 /* PNG_MAX_GAMMA_8 is the number of bits to keep - effectively
4234 * the significant bits in the *input* when the output will
4235 * eventually be 8 bits. By default it is 11.
4236 */
4237 if (shift < (16U - PNG_MAX_GAMMA_8))
4238 shift = (16U - PNG_MAX_GAMMA_8);
4239 }
4240
4241 if (shift > 8U)
4242 shift = 8U; /* Guarantees at least one table! */
4243
4244 png_ptr->gamma_shift = shift;
4245
4246 /* NOTE: prior to 1.5.4 this test used to include PNG_BACKGROUND (now
4247 * PNG_COMPOSE). This effectively smashed the background calculation for
4248 * 16-bit output because the 8-bit table assumes the result will be
4249 * reduced to 8 bits.
4250 */
4251 if ((png_ptr->transformations & (PNG_16_TO_8 | PNG_SCALE_16_TO_8)) != 0)
4252 png_build_16to8_table(png_ptr, &png_ptr->gamma_16_table, shift,
4253 png_ptr->screen_gamma > 0 ? png_product2(png_ptr->colorspace.gamma,
4254 png_ptr->screen_gamma) : PNG_FP_1);
4255
4256 else
4257 png_build_16bit_table(png_ptr, &png_ptr->gamma_16_table, shift,
4258 png_ptr->screen_gamma > 0 ? png_reciprocal2(png_ptr->colorspace.gamma,
4259 png_ptr->screen_gamma) : PNG_FP_1);
4260
4261 #if defined(PNG_READ_BACKGROUND_SUPPORTED) || \
4262 defined(PNG_READ_ALPHA_MODE_SUPPORTED) || \
4263 defined(PNG_READ_RGB_TO_GRAY_SUPPORTED)
4264 if ((png_ptr->transformations & (PNG_COMPOSE | PNG_RGB_TO_GRAY)) != 0)
4265 {
4266 png_build_16bit_table(png_ptr, &png_ptr->gamma_16_to_1, shift,
4267 png_reciprocal(png_ptr->colorspace.gamma));
4268
4269 /* Notice that the '16 from 1' table should be full precision, however
4270 * the lookup on this table still uses gamma_shift, so it can't be.
4271 * TODO: fix this.
4272 */
4273 png_build_16bit_table(png_ptr, &png_ptr->gamma_16_from_1, shift,
4274 png_ptr->screen_gamma > 0 ? png_reciprocal(png_ptr->screen_gamma) :
4275 png_ptr->colorspace.gamma/* Probably doing rgb_to_gray */);
4276 }
4277 #endif /* READ_BACKGROUND || READ_ALPHA_MODE || RGB_TO_GRAY */
4278 }
4279 #endif /* 16BIT */
4280 }
4281 #endif /* READ_GAMMA */
4282
4283 /* HARDWARE OR SOFTWARE OPTION SUPPORT */
4284 #ifdef PNG_SET_OPTION_SUPPORTED
4285 int PNGAPI
4286 png_set_option(png_structrp png_ptr, int option, int onoff)
4287 {
4288 if (png_ptr != NULL && option >= 0 && option < PNG_OPTION_NEXT &&
4289 (option & 1) == 0)
4290 {
4291 png_uint_32 mask = 3 << option;
4292 png_uint_32 setting = (2 + (onoff != 0)) << option;
4293 png_uint_32 current = png_ptr->options;
4294
4295 png_ptr->options = (png_uint_32)(((current & ~mask) | setting) & 0xff);
4296
4297 return (current & mask) >> option;
4298 }
4299
4300 return PNG_OPTION_INVALID;
4301 }
4302 #endif
4303
4304 /* sRGB support */
4305 #if defined(PNG_SIMPLIFIED_READ_SUPPORTED) ||\
4306 defined(PNG_SIMPLIFIED_WRITE_SUPPORTED)
4307 /* sRGB conversion tables; these are machine generated with the code in
4308 * contrib/tools/makesRGB.c. The actual sRGB transfer curve defined in the
4309 * specification (see the article at http://en.wikipedia.org/wiki/SRGB)
4310 * is used, not the gamma=1/2.2 approximation use elsewhere in libpng.
4311 * The sRGB to linear table is exact (to the nearest 16-bit linear fraction).
4312 * The inverse (linear to sRGB) table has accuracies as follows:
4313 *
4314 * For all possible (255*65535+1) input values:
4315 *
4316 * error: -0.515566 - 0.625971, 79441 (0.475369%) of readings inexact
4317 *
4318 * For the input values corresponding to the 65536 16-bit values:
4319 *
4320 * error: -0.513727 - 0.607759, 308 (0.469978%) of readings inexact
4321 *
4322 * In all cases the inexact readings are only off by one.
4323 */
4324
4325 #ifdef PNG_SIMPLIFIED_READ_SUPPORTED
4326 /* The convert-to-sRGB table is only currently required for read. */
4327 const png_uint_16 png_sRGB_table[256] =
4328 {
4329 0,20,40,60,80,99,119,139,
4330 159,179,199,219,241,264,288,313,
4331 340,367,396,427,458,491,526,562,
4332 599,637,677,718,761,805,851,898,
4333 947,997,1048,1101,1156,1212,1270,1330,
4334 1391,1453,1517,1583,1651,1720,1790,1863,
4335 1937,2013,2090,2170,2250,2333,2418,2504,
4336 2592,2681,2773,2866,2961,3058,3157,3258,
4337 3360,3464,3570,3678,3788,3900,4014,4129,
4338 4247,4366,4488,4611,4736,4864,4993,5124,
4339 5257,5392,5530,5669,5810,5953,6099,6246,
4340 6395,6547,6700,6856,7014,7174,7335,7500,
4341 7666,7834,8004,8177,8352,8528,8708,8889,
4342 9072,9258,9445,9635,9828,10022,10219,10417,
4343 10619,10822,11028,11235,11446,11658,11873,12090,
4344 12309,12530,12754,12980,13209,13440,13673,13909,
4345 14146,14387,14629,14874,15122,15371,15623,15878,
4346 16135,16394,16656,16920,17187,17456,17727,18001,
4347 18277,18556,18837,19121,19407,19696,19987,20281,
4348 20577,20876,21177,21481,21787,22096,22407,22721,
4349 23038,23357,23678,24002,24329,24658,24990,25325,
4350 25662,26001,26344,26688,27036,27386,27739,28094,
4351 28452,28813,29176,29542,29911,30282,30656,31033,
4352 31412,31794,32179,32567,32957,33350,33745,34143,
4353 34544,34948,35355,35764,36176,36591,37008,37429,
4354 37852,38278,38706,39138,39572,40009,40449,40891,
4355 41337,41785,42236,42690,43147,43606,44069,44534,
4356 45002,45473,45947,46423,46903,47385,47871,48359,
4357 48850,49344,49841,50341,50844,51349,51858,52369,
4358 52884,53401,53921,54445,54971,55500,56032,56567,
4359 57105,57646,58190,58737,59287,59840,60396,60955,
4360 61517,62082,62650,63221,63795,64372,64952,65535
4361 };
4362 #endif /* SIMPLIFIED_READ */
4363
4364 /* The base/delta tables are required for both read and write (but currently
4365 * only the simplified versions.)
4366 */
4367 const png_uint_16 png_sRGB_base[512] =
4368 {
4369 128,1782,3383,4644,5675,6564,7357,8074,
4370 8732,9346,9921,10463,10977,11466,11935,12384,
4371 12816,13233,13634,14024,14402,14769,15125,15473,
4372 15812,16142,16466,16781,17090,17393,17690,17981,
4373 18266,18546,18822,19093,19359,19621,19879,20133,
4374 20383,20630,20873,21113,21349,21583,21813,22041,
4375 22265,22487,22707,22923,23138,23350,23559,23767,
4376 23972,24175,24376,24575,24772,24967,25160,25352,
4377 25542,25730,25916,26101,26284,26465,26645,26823,
4378 27000,27176,27350,27523,27695,27865,28034,28201,
4379 28368,28533,28697,28860,29021,29182,29341,29500,
4380 29657,29813,29969,30123,30276,30429,30580,30730,
4381 30880,31028,31176,31323,31469,31614,31758,31902,
4382 32045,32186,32327,32468,32607,32746,32884,33021,
4383 33158,33294,33429,33564,33697,33831,33963,34095,
4384 34226,34357,34486,34616,34744,34873,35000,35127,
4385 35253,35379,35504,35629,35753,35876,35999,36122,
4386 36244,36365,36486,36606,36726,36845,36964,37083,
4387 37201,37318,37435,37551,37668,37783,37898,38013,
4388 38127,38241,38354,38467,38580,38692,38803,38915,
4389 39026,39136,39246,39356,39465,39574,39682,39790,
4390 39898,40005,40112,40219,40325,40431,40537,40642,
4391 40747,40851,40955,41059,41163,41266,41369,41471,
4392 41573,41675,41777,41878,41979,42079,42179,42279,
4393 42379,42478,42577,42676,42775,42873,42971,43068,
4394 43165,43262,43359,43456,43552,43648,43743,43839,
4395 43934,44028,44123,44217,44311,44405,44499,44592,
4396 44685,44778,44870,44962,45054,45146,45238,45329,
4397 45420,45511,45601,45692,45782,45872,45961,46051,
4398 46140,46229,46318,46406,46494,46583,46670,46758,
4399 46846,46933,47020,47107,47193,47280,47366,47452,
4400 47538,47623,47709,47794,47879,47964,48048,48133,
4401 48217,48301,48385,48468,48552,48635,48718,48801,
4402 48884,48966,49048,49131,49213,49294,49376,49458,
4403 49539,49620,49701,49782,49862,49943,50023,50103,
4404 50183,50263,50342,50422,50501,50580,50659,50738,
4405 50816,50895,50973,51051,51129,51207,51285,51362,
4406 51439,51517,51594,51671,51747,51824,51900,51977,
4407 52053,52129,52205,52280,52356,52432,52507,52582,
4408 52657,52732,52807,52881,52956,53030,53104,53178,
4409 53252,53326,53400,53473,53546,53620,53693,53766,
4410 53839,53911,53984,54056,54129,54201,54273,54345,
4411 54417,54489,54560,54632,54703,54774,54845,54916,
4412 54987,55058,55129,55199,55269,55340,55410,55480,
4413 55550,55620,55689,55759,55828,55898,55967,56036,
4414 56105,56174,56243,56311,56380,56448,56517,56585,
4415 56653,56721,56789,56857,56924,56992,57059,57127,
4416 57194,57261,57328,57395,57462,57529,57595,57662,
4417 57728,57795,57861,57927,57993,58059,58125,58191,
4418 58256,58322,58387,58453,58518,58583,58648,58713,
4419 58778,58843,58908,58972,59037,59101,59165,59230,
4420 59294,59358,59422,59486,59549,59613,59677,59740,
4421 59804,59867,59930,59993,60056,60119,60182,60245,
4422 60308,60370,60433,60495,60558,60620,60682,60744,
4423 60806,60868,60930,60992,61054,61115,61177,61238,
4424 61300,61361,61422,61483,61544,61605,61666,61727,
4425 61788,61848,61909,61969,62030,62090,62150,62211,
4426 62271,62331,62391,62450,62510,62570,62630,62689,
4427 62749,62808,62867,62927,62986,63045,63104,63163,
4428 63222,63281,63340,63398,63457,63515,63574,63632,
4429 63691,63749,63807,63865,63923,63981,64039,64097,
4430 64155,64212,64270,64328,64385,64443,64500,64557,
4431 64614,64672,64729,64786,64843,64900,64956,65013,
4432 65070,65126,65183,65239,65296,65352,65409,65465
4433 };
4434
4435 const png_byte png_sRGB_delta[512] =
4436 {
4437 207,201,158,129,113,100,90,82,77,72,68,64,61,59,56,54,
4438 52,50,49,47,46,45,43,42,41,40,39,39,38,37,36,36,
4439 35,34,34,33,33,32,32,31,31,30,30,30,29,29,28,28,
4440 28,27,27,27,27,26,26,26,25,25,25,25,24,24,24,24,
4441 23,23,23,23,23,22,22,22,22,22,22,21,21,21,21,21,
4442 21,20,20,20,20,20,20,20,20,19,19,19,19,19,19,19,
4443 19,18,18,18,18,18,18,18,18,18,18,17,17,17,17,17,
4444 17,17,17,17,17,17,16,16,16,16,16,16,16,16,16,16,
4445 16,16,16,16,15,15,15,15,15,15,15,15,15,15,15,15,
4446 15,15,15,15,14,14,14,14,14,14,14,14,14,14,14,14,
4447 14,14,14,14,14,14,14,13,13,13,13,13,13,13,13,13,
4448 13,13,13,13,13,13,13,13,13,13,13,13,13,13,12,12,
4449 12,12,12,12,12,12,12,12,12,12,12,12,12,12,12,12,
4450 12,12,12,12,12,12,12,12,12,12,12,12,11,11,11,11,
4451 11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,
4452 11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,
4453 11,10,10,10,10,10,10,10,10,10,10,10,10,10,10,10,
4454 10,10,10,10,10,10,10,10,10,10,10,10,10,10,10,10,
4455 10,10,10,10,10,10,10,10,10,10,10,10,10,10,10,10,
4456 10,9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,
4457 9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,
4458 9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,
4459 9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,
4460 9,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,
4461 8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,
4462 8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,
4463 8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,
4464 8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,
4465 8,8,8,8,8,8,8,8,8,7,7,7,7,7,7,7,
4466 7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,
4467 7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,
4468 7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,7
4469 };
4470 #endif /* SIMPLIFIED READ/WRITE sRGB support */
4471
4472 /* SIMPLIFIED READ/WRITE SUPPORT */
4473 #if defined(PNG_SIMPLIFIED_READ_SUPPORTED) ||\
4474 defined(PNG_SIMPLIFIED_WRITE_SUPPORTED)
4475 static int
4476 png_image_free_function(png_voidp argument)
4477 {
4478 png_imagep image = png_voidcast(png_imagep, argument);
4479 png_controlp cp = image->opaque;
4480 png_control c;
4481
4482 /* Double check that we have a png_ptr - it should be impossible to get here
4483 * without one.
4484 */
4485 if (cp->png_ptr == NULL)
4486 return 0;
4487
4488 /* First free any data held in the control structure. */
4489 # ifdef PNG_STDIO_SUPPORTED
4490 if (cp->owned_file != 0)
4491 {
4492 FILE *fp = png_voidcast(FILE*, cp->png_ptr->io_ptr);
4493 cp->owned_file = 0;
4494
4495 /* Ignore errors here. */
4496 if (fp != NULL)
4497 {
4498 cp->png_ptr->io_ptr = NULL;
4499 (void)fclose(fp);
4500 }
4501 }
4502 # endif
4503
4504 /* Copy the control structure so that the original, allocated, version can be
4505 * safely freed. Notice that a png_error here stops the remainder of the
4506 * cleanup, but this is probably fine because that would indicate bad memory
4507 * problems anyway.
4508 */
4509 c = *cp;
4510 image->opaque = &c;
4511 png_free(c.png_ptr, cp);
4512
4513 /* Then the structures, calling the correct API. */
4514 if (c.for_write != 0)
4515 {
4516 # ifdef PNG_SIMPLIFIED_WRITE_SUPPORTED
4517 png_destroy_write_struct(&c.png_ptr, &c.info_ptr);
4518 # else
4519 png_error(c.png_ptr, "simplified write not supported");
4520 # endif
4521 }
4522 else
4523 {
4524 # ifdef PNG_SIMPLIFIED_READ_SUPPORTED
4525 png_destroy_read_struct(&c.png_ptr, &c.info_ptr, NULL);
4526 # else
4527 png_error(c.png_ptr, "simplified read not supported");
4528 # endif
4529 }
4530
4531 /* Success. */
4532 return 1;
4533 }
4534
4535 void PNGAPI
4536 png_image_free(png_imagep image)
4537 {
4538 /* Safely call the real function, but only if doing so is safe at this point
4539 * (if not inside an error handling context). Otherwise assume
4540 * png_safe_execute will call this API after the return.
4541 */
4542 if (image != NULL && image->opaque != NULL &&
4543 image->opaque->error_buf == NULL)
4544 {
4545 /* Ignore errors here: */
4546 (void)png_safe_execute(image, png_image_free_function, image);
4547 image->opaque = NULL;
4548 }
4549 }
4550
4551 int /* PRIVATE */
4552 png_image_error(png_imagep image, png_const_charp error_message)
4553 {
4554 /* Utility to log an error. */
4555 png_safecat(image->message, (sizeof image->message), 0, error_message);
4556 image->warning_or_error |= PNG_IMAGE_ERROR;
4557 png_image_free(image);
4558 return 0;
4559 }
4560
4561 #endif /* SIMPLIFIED READ/WRITE */
4562 #endif /* READ || WRITE */