1 /* 2 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 3 * 4 * This code is free software; you can redistribute it and/or modify it 5 * under the terms of the GNU General Public License version 2 only, as 6 * published by the Free Software Foundation. Oracle designates this 7 * particular file as subject to the "Classpath" exception as provided 8 * by Oracle in the LICENSE file that accompanied this code. 9 * 10 * This code is distributed in the hope that it will be useful, but WITHOUT 11 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 12 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 13 * version 2 for more details (a copy is included in the LICENSE file that 14 * accompanied this code). 15 * 16 * You should have received a copy of the GNU General Public License version 17 * 2 along with this work; if not, write to the Free Software Foundation, 18 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 19 * 20 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA 21 * or visit www.oracle.com if you need additional information or have any 22 * questions. 23 */ 24 25 /* pngpread.c - read a png file in push mode 26 * 27 * This file is available under and governed by the GNU General Public 28 * License version 2 only, as published by the Free Software Foundation. 29 * However, the following notice accompanied the original version of this 30 * file and, per its terms, should not be removed: 31 * 32 * Last changed in libpng 1.6.24 [August 4, 2016] 33 * Copyright (c) 1998-2002,2004,2006-2016 Glenn Randers-Pehrson 34 * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger) 35 * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.) 36 * 37 * This code is released under the libpng license. 38 * For conditions of distribution and use, see the disclaimer 39 * and license in png.h 40 */ 41 42 #include "pngpriv.h" 43 44 #ifdef PNG_PROGRESSIVE_READ_SUPPORTED 45 46 /* Push model modes */ 47 #define PNG_READ_SIG_MODE 0 48 #define PNG_READ_CHUNK_MODE 1 49 #define PNG_READ_IDAT_MODE 2 50 #define PNG_READ_tEXt_MODE 4 51 #define PNG_READ_zTXt_MODE 5 52 #define PNG_READ_DONE_MODE 6 53 #define PNG_READ_iTXt_MODE 7 54 #define PNG_ERROR_MODE 8 55 56 #define PNG_PUSH_SAVE_BUFFER_IF_FULL \ 57 if (png_ptr->push_length + 4 > png_ptr->buffer_size) \ 58 { png_push_save_buffer(png_ptr); return; } 59 #define PNG_PUSH_SAVE_BUFFER_IF_LT(N) \ 60 if (png_ptr->buffer_size < N) \ 61 { png_push_save_buffer(png_ptr); return; } 62 63 void PNGAPI 64 png_process_data(png_structrp png_ptr, png_inforp info_ptr, 65 png_bytep buffer, png_size_t buffer_size) 66 { 67 if (png_ptr == NULL || info_ptr == NULL) 68 return; 69 70 png_push_restore_buffer(png_ptr, buffer, buffer_size); 71 72 while (png_ptr->buffer_size) 73 { 74 png_process_some_data(png_ptr, info_ptr); 75 } 76 } 77 78 png_size_t PNGAPI 79 png_process_data_pause(png_structrp png_ptr, int save) 80 { 81 if (png_ptr != NULL) 82 { 83 /* It's easiest for the caller if we do the save; then the caller doesn't 84 * have to supply the same data again: 85 */ 86 if (save != 0) 87 png_push_save_buffer(png_ptr); 88 else 89 { 90 /* This includes any pending saved bytes: */ 91 png_size_t remaining = png_ptr->buffer_size; 92 png_ptr->buffer_size = 0; 93 94 /* So subtract the saved buffer size, unless all the data 95 * is actually 'saved', in which case we just return 0 96 */ 97 if (png_ptr->save_buffer_size < remaining) 98 return remaining - png_ptr->save_buffer_size; 99 } 100 } 101 102 return 0; 103 } 104 105 png_uint_32 PNGAPI 106 png_process_data_skip(png_structrp png_ptr) 107 { 108 /* TODO: Deprecate and remove this API. 109 * Somewhere the implementation of this seems to have been lost, 110 * or abandoned. It was only to support some internal back-door access 111 * to png_struct) in libpng-1.4.x. 112 */ 113 png_app_warning(png_ptr, 114 "png_process_data_skip is not implemented in any current version of libpng"); 115 return 0; 116 } 117 118 /* What we do with the incoming data depends on what we were previously 119 * doing before we ran out of data... 120 */ 121 void /* PRIVATE */ 122 png_process_some_data(png_structrp png_ptr, png_inforp info_ptr) 123 { 124 if (png_ptr == NULL) 125 return; 126 127 switch (png_ptr->process_mode) 128 { 129 case PNG_READ_SIG_MODE: 130 { 131 png_push_read_sig(png_ptr, info_ptr); 132 break; 133 } 134 135 case PNG_READ_CHUNK_MODE: 136 { 137 png_push_read_chunk(png_ptr, info_ptr); 138 break; 139 } 140 141 case PNG_READ_IDAT_MODE: 142 { 143 png_push_read_IDAT(png_ptr); 144 break; 145 } 146 147 default: 148 { 149 png_ptr->buffer_size = 0; 150 break; 151 } 152 } 153 } 154 155 /* Read any remaining signature bytes from the stream and compare them with 156 * the correct PNG signature. It is possible that this routine is called 157 * with bytes already read from the signature, either because they have been 158 * checked by the calling application, or because of multiple calls to this 159 * routine. 160 */ 161 void /* PRIVATE */ 162 png_push_read_sig(png_structrp png_ptr, png_inforp info_ptr) 163 { 164 png_size_t num_checked = png_ptr->sig_bytes, /* SAFE, does not exceed 8 */ 165 num_to_check = 8 - num_checked; 166 167 if (png_ptr->buffer_size < num_to_check) 168 { 169 num_to_check = png_ptr->buffer_size; 170 } 171 172 png_push_fill_buffer(png_ptr, &(info_ptr->signature[num_checked]), 173 num_to_check); 174 png_ptr->sig_bytes = (png_byte)(png_ptr->sig_bytes + num_to_check); 175 176 if (png_sig_cmp(info_ptr->signature, num_checked, num_to_check)) 177 { 178 if (num_checked < 4 && 179 png_sig_cmp(info_ptr->signature, num_checked, num_to_check - 4)) 180 png_error(png_ptr, "Not a PNG file"); 181 182 else 183 png_error(png_ptr, "PNG file corrupted by ASCII conversion"); 184 } 185 else 186 { 187 if (png_ptr->sig_bytes >= 8) 188 { 189 png_ptr->process_mode = PNG_READ_CHUNK_MODE; 190 } 191 } 192 } 193 194 void /* PRIVATE */ 195 png_push_read_chunk(png_structrp png_ptr, png_inforp info_ptr) 196 { 197 png_uint_32 chunk_name; 198 #ifdef PNG_HANDLE_AS_UNKNOWN_SUPPORTED 199 int keep; /* unknown handling method */ 200 #endif 201 202 /* First we make sure we have enough data for the 4-byte chunk name 203 * and the 4-byte chunk length before proceeding with decoding the 204 * chunk data. To fully decode each of these chunks, we also make 205 * sure we have enough data in the buffer for the 4-byte CRC at the 206 * end of every chunk (except IDAT, which is handled separately). 207 */ 208 if ((png_ptr->mode & PNG_HAVE_CHUNK_HEADER) == 0) 209 { 210 png_byte chunk_length[4]; 211 png_byte chunk_tag[4]; 212 213 PNG_PUSH_SAVE_BUFFER_IF_LT(8) 214 png_push_fill_buffer(png_ptr, chunk_length, 4); 215 png_ptr->push_length = png_get_uint_31(png_ptr, chunk_length); 216 png_reset_crc(png_ptr); 217 png_crc_read(png_ptr, chunk_tag, 4); 218 png_ptr->chunk_name = PNG_CHUNK_FROM_STRING(chunk_tag); 219 png_check_chunk_name(png_ptr, png_ptr->chunk_name); 220 png_ptr->mode |= PNG_HAVE_CHUNK_HEADER; 221 } 222 223 chunk_name = png_ptr->chunk_name; 224 225 if (chunk_name == png_IDAT) 226 { 227 if ((png_ptr->mode & PNG_AFTER_IDAT) != 0) 228 png_ptr->mode |= PNG_HAVE_CHUNK_AFTER_IDAT; 229 230 /* If we reach an IDAT chunk, this means we have read all of the 231 * header chunks, and we can start reading the image (or if this 232 * is called after the image has been read - we have an error). 233 */ 234 if ((png_ptr->mode & PNG_HAVE_IHDR) == 0) 235 png_error(png_ptr, "Missing IHDR before IDAT"); 236 237 else if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE && 238 (png_ptr->mode & PNG_HAVE_PLTE) == 0) 239 png_error(png_ptr, "Missing PLTE before IDAT"); 240 241 png_ptr->process_mode = PNG_READ_IDAT_MODE; 242 243 if ((png_ptr->mode & PNG_HAVE_IDAT) != 0) 244 if ((png_ptr->mode & PNG_HAVE_CHUNK_AFTER_IDAT) == 0) 245 if (png_ptr->push_length == 0) 246 return; 247 248 png_ptr->mode |= PNG_HAVE_IDAT; 249 250 if ((png_ptr->mode & PNG_AFTER_IDAT) != 0) 251 png_benign_error(png_ptr, "Too many IDATs found"); 252 } 253 254 if (chunk_name == png_IHDR) 255 { 256 if (png_ptr->push_length != 13) 257 png_error(png_ptr, "Invalid IHDR length"); 258 259 PNG_PUSH_SAVE_BUFFER_IF_FULL 260 png_handle_IHDR(png_ptr, info_ptr, png_ptr->push_length); 261 } 262 263 else if (chunk_name == png_IEND) 264 { 265 PNG_PUSH_SAVE_BUFFER_IF_FULL 266 png_handle_IEND(png_ptr, info_ptr, png_ptr->push_length); 267 268 png_ptr->process_mode = PNG_READ_DONE_MODE; 269 png_push_have_end(png_ptr, info_ptr); 270 } 271 272 #ifdef PNG_HANDLE_AS_UNKNOWN_SUPPORTED 273 else if ((keep = png_chunk_unknown_handling(png_ptr, chunk_name)) != 0) 274 { 275 PNG_PUSH_SAVE_BUFFER_IF_FULL 276 png_handle_unknown(png_ptr, info_ptr, png_ptr->push_length, keep); 277 278 if (chunk_name == png_PLTE) 279 png_ptr->mode |= PNG_HAVE_PLTE; 280 } 281 #endif 282 283 else if (chunk_name == png_PLTE) 284 { 285 PNG_PUSH_SAVE_BUFFER_IF_FULL 286 png_handle_PLTE(png_ptr, info_ptr, png_ptr->push_length); 287 } 288 289 else if (chunk_name == png_IDAT) 290 { 291 png_ptr->idat_size = png_ptr->push_length; 292 png_ptr->process_mode = PNG_READ_IDAT_MODE; 293 png_push_have_info(png_ptr, info_ptr); 294 png_ptr->zstream.avail_out = 295 (uInt) PNG_ROWBYTES(png_ptr->pixel_depth, 296 png_ptr->iwidth) + 1; 297 png_ptr->zstream.next_out = png_ptr->row_buf; 298 return; 299 } 300 301 #ifdef PNG_READ_gAMA_SUPPORTED 302 else if (png_ptr->chunk_name == png_gAMA) 303 { 304 PNG_PUSH_SAVE_BUFFER_IF_FULL 305 png_handle_gAMA(png_ptr, info_ptr, png_ptr->push_length); 306 } 307 308 #endif 309 #ifdef PNG_READ_sBIT_SUPPORTED 310 else if (png_ptr->chunk_name == png_sBIT) 311 { 312 PNG_PUSH_SAVE_BUFFER_IF_FULL 313 png_handle_sBIT(png_ptr, info_ptr, png_ptr->push_length); 314 } 315 316 #endif 317 #ifdef PNG_READ_cHRM_SUPPORTED 318 else if (png_ptr->chunk_name == png_cHRM) 319 { 320 PNG_PUSH_SAVE_BUFFER_IF_FULL 321 png_handle_cHRM(png_ptr, info_ptr, png_ptr->push_length); 322 } 323 324 #endif 325 #ifdef PNG_READ_sRGB_SUPPORTED 326 else if (chunk_name == png_sRGB) 327 { 328 PNG_PUSH_SAVE_BUFFER_IF_FULL 329 png_handle_sRGB(png_ptr, info_ptr, png_ptr->push_length); 330 } 331 332 #endif 333 #ifdef PNG_READ_iCCP_SUPPORTED 334 else if (png_ptr->chunk_name == png_iCCP) 335 { 336 PNG_PUSH_SAVE_BUFFER_IF_FULL 337 png_handle_iCCP(png_ptr, info_ptr, png_ptr->push_length); 338 } 339 340 #endif 341 #ifdef PNG_READ_sPLT_SUPPORTED 342 else if (chunk_name == png_sPLT) 343 { 344 PNG_PUSH_SAVE_BUFFER_IF_FULL 345 png_handle_sPLT(png_ptr, info_ptr, png_ptr->push_length); 346 } 347 348 #endif 349 #ifdef PNG_READ_tRNS_SUPPORTED 350 else if (chunk_name == png_tRNS) 351 { 352 PNG_PUSH_SAVE_BUFFER_IF_FULL 353 png_handle_tRNS(png_ptr, info_ptr, png_ptr->push_length); 354 } 355 356 #endif 357 #ifdef PNG_READ_bKGD_SUPPORTED 358 else if (chunk_name == png_bKGD) 359 { 360 PNG_PUSH_SAVE_BUFFER_IF_FULL 361 png_handle_bKGD(png_ptr, info_ptr, png_ptr->push_length); 362 } 363 364 #endif 365 #ifdef PNG_READ_hIST_SUPPORTED 366 else if (chunk_name == png_hIST) 367 { 368 PNG_PUSH_SAVE_BUFFER_IF_FULL 369 png_handle_hIST(png_ptr, info_ptr, png_ptr->push_length); 370 } 371 372 #endif 373 #ifdef PNG_READ_pHYs_SUPPORTED 374 else if (chunk_name == png_pHYs) 375 { 376 PNG_PUSH_SAVE_BUFFER_IF_FULL 377 png_handle_pHYs(png_ptr, info_ptr, png_ptr->push_length); 378 } 379 380 #endif 381 #ifdef PNG_READ_oFFs_SUPPORTED 382 else if (chunk_name == png_oFFs) 383 { 384 PNG_PUSH_SAVE_BUFFER_IF_FULL 385 png_handle_oFFs(png_ptr, info_ptr, png_ptr->push_length); 386 } 387 #endif 388 389 #ifdef PNG_READ_pCAL_SUPPORTED 390 else if (chunk_name == png_pCAL) 391 { 392 PNG_PUSH_SAVE_BUFFER_IF_FULL 393 png_handle_pCAL(png_ptr, info_ptr, png_ptr->push_length); 394 } 395 396 #endif 397 #ifdef PNG_READ_sCAL_SUPPORTED 398 else if (chunk_name == png_sCAL) 399 { 400 PNG_PUSH_SAVE_BUFFER_IF_FULL 401 png_handle_sCAL(png_ptr, info_ptr, png_ptr->push_length); 402 } 403 404 #endif 405 #ifdef PNG_READ_tIME_SUPPORTED 406 else if (chunk_name == png_tIME) 407 { 408 PNG_PUSH_SAVE_BUFFER_IF_FULL 409 png_handle_tIME(png_ptr, info_ptr, png_ptr->push_length); 410 } 411 412 #endif 413 #ifdef PNG_READ_tEXt_SUPPORTED 414 else if (chunk_name == png_tEXt) 415 { 416 PNG_PUSH_SAVE_BUFFER_IF_FULL 417 png_handle_tEXt(png_ptr, info_ptr, png_ptr->push_length); 418 } 419 420 #endif 421 #ifdef PNG_READ_zTXt_SUPPORTED 422 else if (chunk_name == png_zTXt) 423 { 424 PNG_PUSH_SAVE_BUFFER_IF_FULL 425 png_handle_zTXt(png_ptr, info_ptr, png_ptr->push_length); 426 } 427 428 #endif 429 #ifdef PNG_READ_iTXt_SUPPORTED 430 else if (chunk_name == png_iTXt) 431 { 432 PNG_PUSH_SAVE_BUFFER_IF_FULL 433 png_handle_iTXt(png_ptr, info_ptr, png_ptr->push_length); 434 } 435 #endif 436 437 else 438 { 439 PNG_PUSH_SAVE_BUFFER_IF_FULL 440 png_handle_unknown(png_ptr, info_ptr, png_ptr->push_length, 441 PNG_HANDLE_CHUNK_AS_DEFAULT); 442 } 443 444 png_ptr->mode &= ~PNG_HAVE_CHUNK_HEADER; 445 } 446 447 void PNGCBAPI 448 png_push_fill_buffer(png_structp png_ptr, png_bytep buffer, png_size_t length) 449 { 450 png_bytep ptr; 451 452 if (png_ptr == NULL) 453 return; 454 455 ptr = buffer; 456 if (png_ptr->save_buffer_size != 0) 457 { 458 png_size_t save_size; 459 460 if (length < png_ptr->save_buffer_size) 461 save_size = length; 462 463 else 464 save_size = png_ptr->save_buffer_size; 465 466 memcpy(ptr, png_ptr->save_buffer_ptr, save_size); 467 length -= save_size; 468 ptr += save_size; 469 png_ptr->buffer_size -= save_size; 470 png_ptr->save_buffer_size -= save_size; 471 png_ptr->save_buffer_ptr += save_size; 472 } 473 if (length != 0 && png_ptr->current_buffer_size != 0) 474 { 475 png_size_t save_size; 476 477 if (length < png_ptr->current_buffer_size) 478 save_size = length; 479 480 else 481 save_size = png_ptr->current_buffer_size; 482 483 memcpy(ptr, png_ptr->current_buffer_ptr, save_size); 484 png_ptr->buffer_size -= save_size; 485 png_ptr->current_buffer_size -= save_size; 486 png_ptr->current_buffer_ptr += save_size; 487 } 488 } 489 490 void /* PRIVATE */ 491 png_push_save_buffer(png_structrp png_ptr) 492 { 493 if (png_ptr->save_buffer_size != 0) 494 { 495 if (png_ptr->save_buffer_ptr != png_ptr->save_buffer) 496 { 497 png_size_t i, istop; 498 png_bytep sp; 499 png_bytep dp; 500 501 istop = png_ptr->save_buffer_size; 502 for (i = 0, sp = png_ptr->save_buffer_ptr, dp = png_ptr->save_buffer; 503 i < istop; i++, sp++, dp++) 504 { 505 *dp = *sp; 506 } 507 } 508 } 509 if (png_ptr->save_buffer_size + png_ptr->current_buffer_size > 510 png_ptr->save_buffer_max) 511 { 512 png_size_t new_max; 513 png_bytep old_buffer; 514 515 if (png_ptr->save_buffer_size > PNG_SIZE_MAX - 516 (png_ptr->current_buffer_size + 256)) 517 { 518 png_error(png_ptr, "Potential overflow of save_buffer"); 519 } 520 521 new_max = png_ptr->save_buffer_size + png_ptr->current_buffer_size + 256; 522 old_buffer = png_ptr->save_buffer; 523 png_ptr->save_buffer = (png_bytep)png_malloc_warn(png_ptr, 524 (png_size_t)new_max); 525 526 if (png_ptr->save_buffer == NULL) 527 { 528 png_free(png_ptr, old_buffer); 529 png_error(png_ptr, "Insufficient memory for save_buffer"); 530 } 531 532 if (old_buffer) 533 memcpy(png_ptr->save_buffer, old_buffer, png_ptr->save_buffer_size); 534 else if (png_ptr->save_buffer_size) 535 png_error(png_ptr, "save_buffer error"); 536 png_free(png_ptr, old_buffer); 537 png_ptr->save_buffer_max = new_max; 538 } 539 if (png_ptr->current_buffer_size) 540 { 541 memcpy(png_ptr->save_buffer + png_ptr->save_buffer_size, 542 png_ptr->current_buffer_ptr, png_ptr->current_buffer_size); 543 png_ptr->save_buffer_size += png_ptr->current_buffer_size; 544 png_ptr->current_buffer_size = 0; 545 } 546 png_ptr->save_buffer_ptr = png_ptr->save_buffer; 547 png_ptr->buffer_size = 0; 548 } 549 550 void /* PRIVATE */ 551 png_push_restore_buffer(png_structrp png_ptr, png_bytep buffer, 552 png_size_t buffer_length) 553 { 554 png_ptr->current_buffer = buffer; 555 png_ptr->current_buffer_size = buffer_length; 556 png_ptr->buffer_size = buffer_length + png_ptr->save_buffer_size; 557 png_ptr->current_buffer_ptr = png_ptr->current_buffer; 558 } 559 560 void /* PRIVATE */ 561 png_push_read_IDAT(png_structrp png_ptr) 562 { 563 if ((png_ptr->mode & PNG_HAVE_CHUNK_HEADER) == 0) 564 { 565 png_byte chunk_length[4]; 566 png_byte chunk_tag[4]; 567 568 /* TODO: this code can be commoned up with the same code in push_read */ 569 PNG_PUSH_SAVE_BUFFER_IF_LT(8) 570 png_push_fill_buffer(png_ptr, chunk_length, 4); 571 png_ptr->push_length = png_get_uint_31(png_ptr, chunk_length); 572 png_reset_crc(png_ptr); 573 png_crc_read(png_ptr, chunk_tag, 4); 574 png_ptr->chunk_name = PNG_CHUNK_FROM_STRING(chunk_tag); 575 png_ptr->mode |= PNG_HAVE_CHUNK_HEADER; 576 577 if (png_ptr->chunk_name != png_IDAT) 578 { 579 png_ptr->process_mode = PNG_READ_CHUNK_MODE; 580 581 if ((png_ptr->flags & PNG_FLAG_ZSTREAM_ENDED) == 0) 582 png_error(png_ptr, "Not enough compressed data"); 583 584 return; 585 } 586 587 png_ptr->idat_size = png_ptr->push_length; 588 } 589 590 if (png_ptr->idat_size != 0 && png_ptr->save_buffer_size != 0) 591 { 592 png_size_t save_size = png_ptr->save_buffer_size; 593 png_uint_32 idat_size = png_ptr->idat_size; 594 595 /* We want the smaller of 'idat_size' and 'current_buffer_size', but they 596 * are of different types and we don't know which variable has the fewest 597 * bits. Carefully select the smaller and cast it to the type of the 598 * larger - this cannot overflow. Do not cast in the following test - it 599 * will break on either 16-bit or 64-bit platforms. 600 */ 601 if (idat_size < save_size) 602 save_size = (png_size_t)idat_size; 603 604 else 605 idat_size = (png_uint_32)save_size; 606 607 png_calculate_crc(png_ptr, png_ptr->save_buffer_ptr, save_size); 608 609 png_process_IDAT_data(png_ptr, png_ptr->save_buffer_ptr, save_size); 610 611 png_ptr->idat_size -= idat_size; 612 png_ptr->buffer_size -= save_size; 613 png_ptr->save_buffer_size -= save_size; 614 png_ptr->save_buffer_ptr += save_size; 615 } 616 617 if (png_ptr->idat_size != 0 && png_ptr->current_buffer_size != 0) 618 { 619 png_size_t save_size = png_ptr->current_buffer_size; 620 png_uint_32 idat_size = png_ptr->idat_size; 621 622 /* We want the smaller of 'idat_size' and 'current_buffer_size', but they 623 * are of different types and we don't know which variable has the fewest 624 * bits. Carefully select the smaller and cast it to the type of the 625 * larger - this cannot overflow. 626 */ 627 if (idat_size < save_size) 628 save_size = (png_size_t)idat_size; 629 630 else 631 idat_size = (png_uint_32)save_size; 632 633 png_calculate_crc(png_ptr, png_ptr->current_buffer_ptr, save_size); 634 635 png_process_IDAT_data(png_ptr, png_ptr->current_buffer_ptr, save_size); 636 637 png_ptr->idat_size -= idat_size; 638 png_ptr->buffer_size -= save_size; 639 png_ptr->current_buffer_size -= save_size; 640 png_ptr->current_buffer_ptr += save_size; 641 } 642 643 if (png_ptr->idat_size == 0) 644 { 645 PNG_PUSH_SAVE_BUFFER_IF_LT(4) 646 png_crc_finish(png_ptr, 0); 647 png_ptr->mode &= ~PNG_HAVE_CHUNK_HEADER; 648 png_ptr->mode |= PNG_AFTER_IDAT; 649 png_ptr->zowner = 0; 650 } 651 } 652 653 void /* PRIVATE */ 654 png_process_IDAT_data(png_structrp png_ptr, png_bytep buffer, 655 png_size_t buffer_length) 656 { 657 /* The caller checks for a non-zero buffer length. */ 658 if (!(buffer_length > 0) || buffer == NULL) 659 png_error(png_ptr, "No IDAT data (internal error)"); 660 661 /* This routine must process all the data it has been given 662 * before returning, calling the row callback as required to 663 * handle the uncompressed results. 664 */ 665 png_ptr->zstream.next_in = buffer; 666 /* TODO: WARNING: TRUNCATION ERROR: DANGER WILL ROBINSON: */ 667 png_ptr->zstream.avail_in = (uInt)buffer_length; 668 669 /* Keep going until the decompressed data is all processed 670 * or the stream marked as finished. 671 */ 672 while (png_ptr->zstream.avail_in > 0 && 673 (png_ptr->flags & PNG_FLAG_ZSTREAM_ENDED) == 0) 674 { 675 int ret; 676 677 /* We have data for zlib, but we must check that zlib 678 * has someplace to put the results. It doesn't matter 679 * if we don't expect any results -- it may be the input 680 * data is just the LZ end code. 681 */ 682 if (!(png_ptr->zstream.avail_out > 0)) 683 { 684 /* TODO: WARNING: TRUNCATION ERROR: DANGER WILL ROBINSON: */ 685 png_ptr->zstream.avail_out = (uInt)(PNG_ROWBYTES(png_ptr->pixel_depth, 686 png_ptr->iwidth) + 1); 687 688 png_ptr->zstream.next_out = png_ptr->row_buf; 689 } 690 691 /* Using Z_SYNC_FLUSH here means that an unterminated 692 * LZ stream (a stream with a missing end code) can still 693 * be handled, otherwise (Z_NO_FLUSH) a future zlib 694 * implementation might defer output and therefore 695 * change the current behavior (see comments in inflate.c 696 * for why this doesn't happen at present with zlib 1.2.5). 697 */ 698 ret = PNG_INFLATE(png_ptr, Z_SYNC_FLUSH); 699 700 /* Check for any failure before proceeding. */ 701 if (ret != Z_OK && ret != Z_STREAM_END) 702 { 703 /* Terminate the decompression. */ 704 png_ptr->flags |= PNG_FLAG_ZSTREAM_ENDED; 705 png_ptr->zowner = 0; 706 707 /* This may be a truncated stream (missing or 708 * damaged end code). Treat that as a warning. 709 */ 710 if (png_ptr->row_number >= png_ptr->num_rows || 711 png_ptr->pass > 6) 712 png_warning(png_ptr, "Truncated compressed data in IDAT"); 713 714 else 715 { 716 if (ret == Z_DATA_ERROR) 717 png_benign_error(png_ptr, "IDAT: ADLER32 checksum mismatch"); 718 else 719 png_error(png_ptr, "Decompression error in IDAT"); 720 } 721 722 /* Skip the check on unprocessed input */ 723 return; 724 } 725 726 /* Did inflate output any data? */ 727 if (png_ptr->zstream.next_out != png_ptr->row_buf) 728 { 729 /* Is this unexpected data after the last row? 730 * If it is, artificially terminate the LZ output 731 * here. 732 */ 733 if (png_ptr->row_number >= png_ptr->num_rows || 734 png_ptr->pass > 6) 735 { 736 /* Extra data. */ 737 png_warning(png_ptr, "Extra compressed data in IDAT"); 738 png_ptr->flags |= PNG_FLAG_ZSTREAM_ENDED; 739 png_ptr->zowner = 0; 740 741 /* Do no more processing; skip the unprocessed 742 * input check below. 743 */ 744 return; 745 } 746 747 /* Do we have a complete row? */ 748 if (png_ptr->zstream.avail_out == 0) 749 png_push_process_row(png_ptr); 750 } 751 752 /* And check for the end of the stream. */ 753 if (ret == Z_STREAM_END) 754 png_ptr->flags |= PNG_FLAG_ZSTREAM_ENDED; 755 } 756 757 /* All the data should have been processed, if anything 758 * is left at this point we have bytes of IDAT data 759 * after the zlib end code. 760 */ 761 if (png_ptr->zstream.avail_in > 0) 762 png_warning(png_ptr, "Extra compression data in IDAT"); 763 } 764 765 void /* PRIVATE */ 766 png_push_process_row(png_structrp png_ptr) 767 { 768 /* 1.5.6: row_info moved out of png_struct to a local here. */ 769 png_row_info row_info; 770 771 row_info.width = png_ptr->iwidth; /* NOTE: width of current interlaced row */ 772 row_info.color_type = png_ptr->color_type; 773 row_info.bit_depth = png_ptr->bit_depth; 774 row_info.channels = png_ptr->channels; 775 row_info.pixel_depth = png_ptr->pixel_depth; 776 row_info.rowbytes = PNG_ROWBYTES(row_info.pixel_depth, row_info.width); 777 778 if (png_ptr->row_buf[0] > PNG_FILTER_VALUE_NONE) 779 { 780 if (png_ptr->row_buf[0] < PNG_FILTER_VALUE_LAST) 781 png_read_filter_row(png_ptr, &row_info, png_ptr->row_buf + 1, 782 png_ptr->prev_row + 1, png_ptr->row_buf[0]); 783 else 784 png_error(png_ptr, "bad adaptive filter value"); 785 } 786 787 /* libpng 1.5.6: the following line was copying png_ptr->rowbytes before 788 * 1.5.6, while the buffer really is this big in current versions of libpng 789 * it may not be in the future, so this was changed just to copy the 790 * interlaced row count: 791 */ 792 memcpy(png_ptr->prev_row, png_ptr->row_buf, row_info.rowbytes + 1); 793 794 #ifdef PNG_READ_TRANSFORMS_SUPPORTED 795 if (png_ptr->transformations != 0) 796 png_do_read_transformations(png_ptr, &row_info); 797 #endif 798 799 /* The transformed pixel depth should match the depth now in row_info. */ 800 if (png_ptr->transformed_pixel_depth == 0) 801 { 802 png_ptr->transformed_pixel_depth = row_info.pixel_depth; 803 if (row_info.pixel_depth > png_ptr->maximum_pixel_depth) 804 png_error(png_ptr, "progressive row overflow"); 805 } 806 807 else if (png_ptr->transformed_pixel_depth != row_info.pixel_depth) 808 png_error(png_ptr, "internal progressive row size calculation error"); 809 810 811 #ifdef PNG_READ_INTERLACING_SUPPORTED 812 /* Expand interlaced rows to full size */ 813 if (png_ptr->interlaced != 0 && 814 (png_ptr->transformations & PNG_INTERLACE) != 0) 815 { 816 if (png_ptr->pass < 6) 817 png_do_read_interlace(&row_info, png_ptr->row_buf + 1, png_ptr->pass, 818 png_ptr->transformations); 819 820 switch (png_ptr->pass) 821 { 822 case 0: 823 { 824 int i; 825 for (i = 0; i < 8 && png_ptr->pass == 0; i++) 826 { 827 png_push_have_row(png_ptr, png_ptr->row_buf + 1); 828 png_read_push_finish_row(png_ptr); /* Updates png_ptr->pass */ 829 } 830 831 if (png_ptr->pass == 2) /* Pass 1 might be empty */ 832 { 833 for (i = 0; i < 4 && png_ptr->pass == 2; i++) 834 { 835 png_push_have_row(png_ptr, NULL); 836 png_read_push_finish_row(png_ptr); 837 } 838 } 839 840 if (png_ptr->pass == 4 && png_ptr->height <= 4) 841 { 842 for (i = 0; i < 2 && png_ptr->pass == 4; i++) 843 { 844 png_push_have_row(png_ptr, NULL); 845 png_read_push_finish_row(png_ptr); 846 } 847 } 848 849 if (png_ptr->pass == 6 && png_ptr->height <= 4) 850 { 851 png_push_have_row(png_ptr, NULL); 852 png_read_push_finish_row(png_ptr); 853 } 854 855 break; 856 } 857 858 case 1: 859 { 860 int i; 861 for (i = 0; i < 8 && png_ptr->pass == 1; i++) 862 { 863 png_push_have_row(png_ptr, png_ptr->row_buf + 1); 864 png_read_push_finish_row(png_ptr); 865 } 866 867 if (png_ptr->pass == 2) /* Skip top 4 generated rows */ 868 { 869 for (i = 0; i < 4 && png_ptr->pass == 2; i++) 870 { 871 png_push_have_row(png_ptr, NULL); 872 png_read_push_finish_row(png_ptr); 873 } 874 } 875 876 break; 877 } 878 879 case 2: 880 { 881 int i; 882 883 for (i = 0; i < 4 && png_ptr->pass == 2; i++) 884 { 885 png_push_have_row(png_ptr, png_ptr->row_buf + 1); 886 png_read_push_finish_row(png_ptr); 887 } 888 889 for (i = 0; i < 4 && png_ptr->pass == 2; i++) 890 { 891 png_push_have_row(png_ptr, NULL); 892 png_read_push_finish_row(png_ptr); 893 } 894 895 if (png_ptr->pass == 4) /* Pass 3 might be empty */ 896 { 897 for (i = 0; i < 2 && png_ptr->pass == 4; i++) 898 { 899 png_push_have_row(png_ptr, NULL); 900 png_read_push_finish_row(png_ptr); 901 } 902 } 903 904 break; 905 } 906 907 case 3: 908 { 909 int i; 910 911 for (i = 0; i < 4 && png_ptr->pass == 3; i++) 912 { 913 png_push_have_row(png_ptr, png_ptr->row_buf + 1); 914 png_read_push_finish_row(png_ptr); 915 } 916 917 if (png_ptr->pass == 4) /* Skip top two generated rows */ 918 { 919 for (i = 0; i < 2 && png_ptr->pass == 4; i++) 920 { 921 png_push_have_row(png_ptr, NULL); 922 png_read_push_finish_row(png_ptr); 923 } 924 } 925 926 break; 927 } 928 929 case 4: 930 { 931 int i; 932 933 for (i = 0; i < 2 && png_ptr->pass == 4; i++) 934 { 935 png_push_have_row(png_ptr, png_ptr->row_buf + 1); 936 png_read_push_finish_row(png_ptr); 937 } 938 939 for (i = 0; i < 2 && png_ptr->pass == 4; i++) 940 { 941 png_push_have_row(png_ptr, NULL); 942 png_read_push_finish_row(png_ptr); 943 } 944 945 if (png_ptr->pass == 6) /* Pass 5 might be empty */ 946 { 947 png_push_have_row(png_ptr, NULL); 948 png_read_push_finish_row(png_ptr); 949 } 950 951 break; 952 } 953 954 case 5: 955 { 956 int i; 957 958 for (i = 0; i < 2 && png_ptr->pass == 5; i++) 959 { 960 png_push_have_row(png_ptr, png_ptr->row_buf + 1); 961 png_read_push_finish_row(png_ptr); 962 } 963 964 if (png_ptr->pass == 6) /* Skip top generated row */ 965 { 966 png_push_have_row(png_ptr, NULL); 967 png_read_push_finish_row(png_ptr); 968 } 969 970 break; 971 } 972 973 default: 974 case 6: 975 { 976 png_push_have_row(png_ptr, png_ptr->row_buf + 1); 977 png_read_push_finish_row(png_ptr); 978 979 if (png_ptr->pass != 6) 980 break; 981 982 png_push_have_row(png_ptr, NULL); 983 png_read_push_finish_row(png_ptr); 984 } 985 } 986 } 987 else 988 #endif 989 { 990 png_push_have_row(png_ptr, png_ptr->row_buf + 1); 991 png_read_push_finish_row(png_ptr); 992 } 993 } 994 995 void /* PRIVATE */ 996 png_read_push_finish_row(png_structrp png_ptr) 997 { 998 #ifdef PNG_READ_INTERLACING_SUPPORTED 999 /* Arrays to facilitate easy interlacing - use pass (0 - 6) as index */ 1000 1001 /* Start of interlace block */ 1002 static PNG_CONST png_byte png_pass_start[] = {0, 4, 0, 2, 0, 1, 0}; 1003 1004 /* Offset to next interlace block */ 1005 static PNG_CONST png_byte png_pass_inc[] = {8, 8, 4, 4, 2, 2, 1}; 1006 1007 /* Start of interlace block in the y direction */ 1008 static PNG_CONST png_byte png_pass_ystart[] = {0, 0, 4, 0, 2, 0, 1}; 1009 1010 /* Offset to next interlace block in the y direction */ 1011 static PNG_CONST png_byte png_pass_yinc[] = {8, 8, 8, 4, 4, 2, 2}; 1012 1013 /* Height of interlace block. This is not currently used - if you need 1014 * it, uncomment it here and in png.h 1015 static PNG_CONST png_byte png_pass_height[] = {8, 8, 4, 4, 2, 2, 1}; 1016 */ 1017 #endif 1018 1019 png_ptr->row_number++; 1020 if (png_ptr->row_number < png_ptr->num_rows) 1021 return; 1022 1023 #ifdef PNG_READ_INTERLACING_SUPPORTED 1024 if (png_ptr->interlaced != 0) 1025 { 1026 png_ptr->row_number = 0; 1027 memset(png_ptr->prev_row, 0, png_ptr->rowbytes + 1); 1028 1029 do 1030 { 1031 png_ptr->pass++; 1032 if ((png_ptr->pass == 1 && png_ptr->width < 5) || 1033 (png_ptr->pass == 3 && png_ptr->width < 3) || 1034 (png_ptr->pass == 5 && png_ptr->width < 2)) 1035 png_ptr->pass++; 1036 1037 if (png_ptr->pass > 7) 1038 png_ptr->pass--; 1039 1040 if (png_ptr->pass >= 7) 1041 break; 1042 1043 png_ptr->iwidth = (png_ptr->width + 1044 png_pass_inc[png_ptr->pass] - 1 - 1045 png_pass_start[png_ptr->pass]) / 1046 png_pass_inc[png_ptr->pass]; 1047 1048 if ((png_ptr->transformations & PNG_INTERLACE) != 0) 1049 break; 1050 1051 png_ptr->num_rows = (png_ptr->height + 1052 png_pass_yinc[png_ptr->pass] - 1 - 1053 png_pass_ystart[png_ptr->pass]) / 1054 png_pass_yinc[png_ptr->pass]; 1055 1056 } while (png_ptr->iwidth == 0 || png_ptr->num_rows == 0); 1057 } 1058 #endif /* READ_INTERLACING */ 1059 } 1060 1061 void /* PRIVATE */ 1062 png_push_have_info(png_structrp png_ptr, png_inforp info_ptr) 1063 { 1064 if (png_ptr->info_fn != NULL) 1065 (*(png_ptr->info_fn))(png_ptr, info_ptr); 1066 } 1067 1068 void /* PRIVATE */ 1069 png_push_have_end(png_structrp png_ptr, png_inforp info_ptr) 1070 { 1071 if (png_ptr->end_fn != NULL) 1072 (*(png_ptr->end_fn))(png_ptr, info_ptr); 1073 } 1074 1075 void /* PRIVATE */ 1076 png_push_have_row(png_structrp png_ptr, png_bytep row) 1077 { 1078 if (png_ptr->row_fn != NULL) 1079 (*(png_ptr->row_fn))(png_ptr, row, png_ptr->row_number, 1080 (int)png_ptr->pass); 1081 } 1082 1083 #ifdef PNG_READ_INTERLACING_SUPPORTED 1084 void PNGAPI 1085 png_progressive_combine_row(png_const_structrp png_ptr, png_bytep old_row, 1086 png_const_bytep new_row) 1087 { 1088 if (png_ptr == NULL) 1089 return; 1090 1091 /* new_row is a flag here - if it is NULL then the app callback was called 1092 * from an empty row (see the calls to png_struct::row_fn below), otherwise 1093 * it must be png_ptr->row_buf+1 1094 */ 1095 if (new_row != NULL) 1096 png_combine_row(png_ptr, old_row, 1/*blocky display*/); 1097 } 1098 #endif /* READ_INTERLACING */ 1099 1100 void PNGAPI 1101 png_set_progressive_read_fn(png_structrp png_ptr, png_voidp progressive_ptr, 1102 png_progressive_info_ptr info_fn, png_progressive_row_ptr row_fn, 1103 png_progressive_end_ptr end_fn) 1104 { 1105 if (png_ptr == NULL) 1106 return; 1107 1108 png_ptr->info_fn = info_fn; 1109 png_ptr->row_fn = row_fn; 1110 png_ptr->end_fn = end_fn; 1111 1112 png_set_read_fn(png_ptr, progressive_ptr, png_push_fill_buffer); 1113 } 1114 1115 png_voidp PNGAPI 1116 png_get_progressive_ptr(png_const_structrp png_ptr) 1117 { 1118 if (png_ptr == NULL) 1119 return (NULL); 1120 1121 return png_ptr->io_ptr; 1122 } 1123 #endif /* PROGRESSIVE_READ */