< prev index next >
src/java.desktop/share/native/libsplashscreen/libpng/png.c
Print this page
@@ -27,11 +27,11 @@
* This file is available under and governed by the GNU General Public
* License version 2 only, as published by the Free Software Foundation.
* However, the following notice accompanied the original version of this
* file and, per its terms, should not be removed:
*
- * Last changed in libpng 1.6.28 [January 5, 2017]
+ * Last changed in libpng 1.6.33 [September 28, 2017]
* Copyright (c) 1998-2002,2004,2006-2017 Glenn Randers-Pehrson
* (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
* (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
*
* This code is released under the libpng license.
@@ -40,11 +40,31 @@
*/
#include "pngpriv.h"
/* Generate a compiler error if there is an old png.h in the search path. */
-typedef png_libpng_version_1_6_28 Your_png_h_is_not_version_1_6_28;
+typedef png_libpng_version_1_6_34 Your_png_h_is_not_version_1_6_34;
+
+#ifdef __GNUC__
+/* The version tests may need to be added to, but the problem warning has
+ * consistently been fixed in GCC versions which obtain wide-spread release.
+ * The problem is that many versions of GCC rearrange comparison expressions in
+ * the optimizer in such a way that the results of the comparison will change
+ * if signed integer overflow occurs. Such comparisons are not permitted in
+ * ANSI C90, however GCC isn't clever enough to work out that that do not occur
+ * below in png_ascii_from_fp and png_muldiv, so it produces a warning with
+ * -Wextra. Unfortunately this is highly dependent on the optimizer and the
+ * machine architecture so the warning comes and goes unpredictably and is
+ * impossible to "fix", even were that a good idea.
+ */
+#if __GNUC__ == 7 && __GNUC_MINOR__ == 1
+#define GCC_STRICT_OVERFLOW 1
+#endif /* GNU 7.1.x */
+#endif /* GNU */
+#ifndef GCC_STRICT_OVERFLOW
+#define GCC_STRICT_OVERFLOW 0
+#endif
/* Tells libpng that we have already handled the first "num_bytes" bytes
* of the PNG file signature. If the PNG data is embedded into another
* stream we can set num_bytes = 8 so that libpng will not attempt to read
* or write any of the magic bytes before it starts on the IHDR.
@@ -621,10 +641,30 @@
info_ptr->unknown_chunks_num = 0;
}
}
#endif
+#ifdef PNG_eXIf_SUPPORTED
+ /* Free any eXIf entry */
+ if (((mask & PNG_FREE_EXIF) & info_ptr->free_me) != 0)
+ {
+# ifdef PNG_READ_eXIf_SUPPORTED
+ if (info_ptr->eXIf_buf)
+ {
+ png_free(png_ptr, info_ptr->eXIf_buf);
+ info_ptr->eXIf_buf = NULL;
+ }
+# endif
+ if (info_ptr->exif)
+ {
+ png_free(png_ptr, info_ptr->exif);
+ info_ptr->exif = NULL;
+ }
+ info_ptr->valid &= ~PNG_INFO_eXIf;
+ }
+#endif
+
#ifdef PNG_hIST_SUPPORTED
/* Free any hIST entry */
if (((mask & PNG_FREE_HIST) & info_ptr->free_me) != 0)
{
png_free(png_ptr, info_ptr->hist);
@@ -802,18 +842,18 @@
#ifdef PNG_STRING_COPYRIGHT
return PNG_STRING_COPYRIGHT
#else
# ifdef __STDC__
return PNG_STRING_NEWLINE \
- "libpng version 1.6.28 - January 5, 2017" PNG_STRING_NEWLINE \
+ "libpng version 1.6.34 - September 29, 2017" PNG_STRING_NEWLINE \
"Copyright (c) 1998-2002,2004,2006-2017 Glenn Randers-Pehrson" \
PNG_STRING_NEWLINE \
"Copyright (c) 1996-1997 Andreas Dilger" PNG_STRING_NEWLINE \
"Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc." \
PNG_STRING_NEWLINE;
# else
- return "libpng version 1.6.28 - January 5, 2017\
+ return "libpng version 1.6.34 - September 29, 2017\
Copyright (c) 1998-2002,2004,2006-2017 Glenn Randers-Pehrson\
Copyright (c) 1996-1997 Andreas Dilger\
Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc.";
# endif
#endif
@@ -1899,16 +1939,16 @@
* *not* invalidate the profile (though it still produces an error, which can
* be ignored.)
*/
if (intent < 0 || intent >= PNG_sRGB_INTENT_LAST)
return png_icc_profile_error(png_ptr, colorspace, "sRGB",
- (unsigned)intent, "invalid sRGB rendering intent");
+ (png_alloc_size_t)intent, "invalid sRGB rendering intent");
if ((colorspace->flags & PNG_COLORSPACE_HAVE_INTENT) != 0 &&
colorspace->rendering_intent != intent)
return png_icc_profile_error(png_ptr, colorspace, "sRGB",
- (unsigned)intent, "inconsistent rendering intents");
+ (png_alloc_size_t)intent, "inconsistent rendering intents");
if ((colorspace->flags & PNG_COLORSPACE_FROM_sRGB) != 0)
{
png_benign_error(png_ptr, "duplicate sRGB information ignored");
return 0;
@@ -1965,11 +2005,10 @@
png_const_charp name, png_uint_32 profile_length)
{
if (profile_length < 132)
return png_icc_profile_error(png_ptr, colorspace, name, profile_length,
"too short");
-
return 1;
}
#ifdef PNG_READ_iCCP_SUPPORTED
int /* PRIVATE */
@@ -2210,26 +2249,27 @@
* start might actually be anywhere if there is no data, but this would be
* a clear abuse of the intent of the standard so the start is checked for
* being in range. All defined tag types have an 8 byte header - a 4 byte
* type signature then 0.
*/
+
+ /* This is a hard error; potentially it can cause read outside the
+ * profile.
+ */
+ if (tag_start > profile_length || tag_length > profile_length - tag_start)
+ return png_icc_profile_error(png_ptr, colorspace, name, tag_id,
+ "ICC profile tag outside profile");
+
if ((tag_start & 3) != 0)
{
- /* CNHP730S.icc shipped with Microsoft Windows 64 violates this, it is
+ /* CNHP730S.icc shipped with Microsoft Windows 64 violates this; it is
* only a warning here because libpng does not care about the
* alignment.
*/
(void)png_icc_profile_error(png_ptr, NULL, name, tag_id,
"ICC profile tag start not a multiple of 4");
}
-
- /* This is a hard error; potentially it can cause read outside the
- * profile.
- */
- if (tag_start > profile_length || tag_length > profile_length - tag_start)
- return png_icc_profile_error(png_ptr, colorspace, name, tag_id,
- "ICC profile tag outside profile");
}
return 1; /* success, maybe with warnings */
}
@@ -2858,11 +2898,11 @@
* 10 is exact whereas .1 is inexact in base 2
*/
if (power < 0)
{
if (power < DBL_MIN_10_EXP) return 0;
- recip = 1, power = -power;
+ recip = 1; power = -power;
}
if (power > 0)
{
/* Decompose power bitwise. */
@@ -2883,10 +2923,18 @@
}
/* Function to format a floating point value in ASCII with a given
* precision.
*/
+#if GCC_STRICT_OVERFLOW
+#pragma GCC diagnostic push
+/* The problem arises below with exp_b10, which can never overflow because it
+ * comes, originally, from frexp and is therefore limited to a range which is
+ * typically +/-710 (log2(DBL_MAX)/log2(DBL_MIN)).
+ */
+#pragma GCC diagnostic warning "-Wstrict-overflow=2"
+#endif /* GCC_STRICT_OVERFLOW */
void /* PRIVATE */
png_ascii_from_fp(png_const_structrp png_ptr, png_charp ascii, png_size_t size,
double fp, unsigned int precision)
{
/* We use standard functions from math.h, but not printf because
@@ -2936,11 +2984,13 @@
{
/* And this may overflow. */
double test = png_pow10(exp_b10+1);
if (test <= DBL_MAX)
- ++exp_b10, base = test;
+ {
+ ++exp_b10; base = test;
+ }
else
break;
}
@@ -2950,11 +3000,14 @@
* (starting with 0 for the first digit). Note that this
* works even if 10^exp_b10 is out of range because of the
* test on DBL_MAX above.
*/
fp /= base;
- while (fp >= 1) fp /= 10, ++exp_b10;
+ while (fp >= 1)
+ {
+ fp /= 10; ++exp_b10;
+ }
/* Because of the code above fp may, at this point, be
* less than .1, this is ok because the code below can
* handle the leading zeros this generates, so no attempt
* is made to correct that here.
@@ -2967,11 +3020,11 @@
/* Allow up to two leading zeros - this will not lengthen
* the number compared to using E-n.
*/
if (exp_b10 < 0 && exp_b10 > -3) /* PLUS 3 TOTAL 4 */
{
- czero = (unsigned int)(-exp_b10); /* PLUS 2 digits: TOTAL 3 */
+ czero = 0U-exp_b10; /* PLUS 2 digits: TOTAL 3 */
exp_b10 = 0; /* Dot added below before first output. */
}
else
czero = 0; /* No zeros to add */
@@ -3001,11 +3054,11 @@
if (d > 9)
{
/* Rounding up to 10, handle that here. */
if (czero > 0)
{
- --czero, d = 1;
+ --czero; d = 1;
if (cdigits == 0) --clead;
}
else
{
while (cdigits > 0 && d > 9)
@@ -3015,11 +3068,11 @@
if (exp_b10 != (-1))
++exp_b10;
else if (ch == 46)
{
- ch = *--ascii, ++size;
+ ch = *--ascii; ++size;
/* Advance exp_b10 to '1', so that the
* decimal point happens after the
* previous digit.
*/
exp_b10 = 1;
@@ -3042,11 +3095,13 @@
* be reentered below.
*/
int ch = *--ascii;
if (ch == 46)
- ++size, exp_b10 = 1;
+ {
+ ++size; exp_b10 = 1;
+ }
/* Else lost a leading zero, so 'exp_b10' is
* still ok at (-1)
*/
}
@@ -3078,34 +3133,39 @@
* place - after the DP don't adjust 'exp_b10' any
* more!
*/
if (exp_b10 != (-1))
{
- if (exp_b10 == 0) *ascii++ = 46, --size;
+ if (exp_b10 == 0)
+ {
+ *ascii++ = 46; --size;
+ }
/* PLUS 1: TOTAL 4 */
--exp_b10;
}
- *ascii++ = 48, --czero;
+ *ascii++ = 48; --czero;
}
if (exp_b10 != (-1))
{
if (exp_b10 == 0)
- *ascii++ = 46, --size; /* counted above */
+ {
+ *ascii++ = 46; --size; /* counted above */
+ }
--exp_b10;
}
- *ascii++ = (char)(48 + (int)d), ++cdigits;
+ *ascii++ = (char)(48 + (int)d); ++cdigits;
}
}
while (cdigits+czero < precision+clead && fp > DBL_MIN);
/* The total output count (max) is now 4+precision */
/* Check for an exponent, if we don't need one we are
* done and just need to terminate the string. At
- * this point exp_b10==(-1) is effectively if flag - it got
+ * this point exp_b10==(-1) is effectively a flag - it got
* to '-1' because of the decrement after outputting
* the decimal point above (the exponent required is
* *not* -1!)
*/
if (exp_b10 >= (-1) && exp_b10 <= 2)
@@ -3115,11 +3175,11 @@
* doesn't add to the digit requirement. Note that the
* two zeros here can only be output if the two leading
* zeros were *not* output, so this doesn't increase
* the output count.
*/
- while (--exp_b10 >= 0) *ascii++ = 48;
+ while (exp_b10-- > 0) *ascii++ = 48;
*ascii = 0;
/* Total buffer requirement (including the '\0') is
* 5+precision - see check at the start.
@@ -3133,27 +3193,27 @@
* decimal point and no leading or trailing zeros have
* been output.
*/
size -= cdigits;
- *ascii++ = 69, --size; /* 'E': PLUS 1 TOTAL 2+precision */
+ *ascii++ = 69; --size; /* 'E': PLUS 1 TOTAL 2+precision */
/* The following use of an unsigned temporary avoids ambiguities in
* the signed arithmetic on exp_b10 and permits GCC at least to do
* better optimization.
*/
{
unsigned int uexp_b10;
if (exp_b10 < 0)
{
- *ascii++ = 45, --size; /* '-': PLUS 1 TOTAL 3+precision */
- uexp_b10 = (unsigned int)(-exp_b10);
+ *ascii++ = 45; --size; /* '-': PLUS 1 TOTAL 3+precision */
+ uexp_b10 = 0U-exp_b10;
}
else
- uexp_b10 = (unsigned int)exp_b10;
+ uexp_b10 = 0U+exp_b10;
cdigits = 0;
while (uexp_b10 > 0)
{
@@ -3192,10 +3252,13 @@
}
/* Here on buffer too small. */
png_error(png_ptr, "ASCII conversion buffer too small");
}
+#if GCC_STRICT_OVERFLOW
+#pragma GCC diagnostic pop
+#endif /* GCC_STRICT_OVERFLOW */
# endif /* FLOATING_POINT */
# ifdef PNG_FIXED_POINT_SUPPORTED
/* Function to format a fixed point value in ASCII.
@@ -3211,11 +3274,13 @@
{
png_uint_32 num;
/* Avoid overflow here on the minimum integer. */
if (fp < 0)
- *ascii++ = 45, num = (png_uint_32)(-fp);
+ {
+ *ascii++ = 45; num = (png_uint_32)(-fp);
+ }
else
num = (png_uint_32)fp;
if (num <= 0x80000000) /* else overflowed */
{
@@ -3249,11 +3314,14 @@
*ascii++ = 46; /* decimal point */
/* ndigits may be <5 for small numbers, output leading zeros
* then ndigits digits to first:
*/
i = 5;
- while (ndigits < i) *ascii++ = 48, --i;
+ while (ndigits < i)
+ {
+ *ascii++ = 48; --i;
+ }
while (ndigits >= first) *ascii++ = digits[--ndigits];
/* Don't output the trailing zeros! */
}
}
else
@@ -3300,10 +3368,19 @@
/* This API takes signed arguments and rounds the result to the nearest
* integer (or, for a fixed point number - the standard argument - to
* the nearest .00001). Overflow and divide by zero are signalled in
* the result, a boolean - true on success, false on overflow.
*/
+#if GCC_STRICT_OVERFLOW /* from above */
+/* It is not obvious which comparison below gets optimized in such a way that
+ * signed overflow would change the result; looking through the code does not
+ * reveal any tests which have the form GCC complains about, so presumably the
+ * optimizer is moving an add or subtract into the 'if' somewhere.
+ */
+#pragma GCC diagnostic push
+#pragma GCC diagnostic warning "-Wstrict-overflow=2"
+#endif /* GCC_STRICT_OVERFLOW */
int
png_muldiv(png_fixed_point_p res, png_fixed_point a, png_int_32 times,
png_int_32 divisor)
{
/* Return a * times / divisor, rounded. */
@@ -3414,10 +3491,13 @@
}
}
return 0;
}
+#if GCC_STRICT_OVERFLOW
+#pragma GCC diagnostic pop
+#endif /* GCC_STRICT_OVERFLOW */
#endif /* READ_GAMMA || INCH_CONVERSIONS */
#if defined(PNG_READ_GAMMA_SUPPORTED) || defined(PNG_INCH_CONVERSIONS_SUPPORTED)
/* The following is for when the caller doesn't much care about the
* result.
@@ -3707,11 +3787,11 @@
* requires perhaps spurious accuracy in the decoding of the logarithm to
* distinguish log2(65535/65534.5) - 10^-5 or 17 bits. There is little chance
* of getting this accuracy in practice.
*
* To deal with this the following exp() function works out the exponent of the
- * frational part of the logarithm by using an accurate 32-bit value from the
+ * fractional part of the logarithm by using an accurate 32-bit value from the
* top four fractional bits then multiplying in the remaining bits.
*/
static const png_uint_32
png_32bit_exp[16] =
{
@@ -4286,17 +4366,17 @@
png_set_option(png_structrp png_ptr, int option, int onoff)
{
if (png_ptr != NULL && option >= 0 && option < PNG_OPTION_NEXT &&
(option & 1) == 0)
{
- png_uint_32 mask = 3 << option;
- png_uint_32 setting = (2 + (onoff != 0)) << option;
+ png_uint_32 mask = 3U << option;
+ png_uint_32 setting = (2U + (onoff != 0)) << option;
png_uint_32 current = png_ptr->options;
png_ptr->options = (png_uint_32)(((current & ~mask) | setting) & 0xff);
- return (current & mask) >> option;
+ return (int)(current & mask) >> option;
}
return PNG_OPTION_INVALID;
}
#endif
@@ -4304,11 +4384,11 @@
/* sRGB support */
#if defined(PNG_SIMPLIFIED_READ_SUPPORTED) ||\
defined(PNG_SIMPLIFIED_WRITE_SUPPORTED)
/* sRGB conversion tables; these are machine generated with the code in
* contrib/tools/makesRGB.c. The actual sRGB transfer curve defined in the
- * specification (see the article at http://en.wikipedia.org/wiki/SRGB)
+ * specification (see the article at https://en.wikipedia.org/wiki/SRGB)
* is used, not the gamma=1/2.2 approximation use elsewhere in libpng.
* The sRGB to linear table is exact (to the nearest 16-bit linear fraction).
* The inverse (linear to sRGB) table has accuracies as follows:
*
* For all possible (255*65535+1) input values:
< prev index next >