1 /* 2 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 3 * 4 * This code is free software; you can redistribute it and/or modify it 5 * under the terms of the GNU General Public License version 2 only, as 6 * published by the Free Software Foundation. Oracle designates this 7 * particular file as subject to the "Classpath" exception as provided 8 * by Oracle in the LICENSE file that accompanied this code. 9 * 10 * This code is distributed in the hope that it will be useful, but WITHOUT 11 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 12 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 13 * version 2 for more details (a copy is included in the LICENSE file that 14 * accompanied this code). 15 * 16 * You should have received a copy of the GNU General Public License version 17 * 2 along with this work; if not, write to the Free Software Foundation, 18 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 19 * 20 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA 21 * or visit www.oracle.com if you need additional information or have any 22 * questions. 23 */ 24 25 /* pngpread.c - read a png file in push mode 26 * 27 * Copyright (c) 2018 Cosmin Truta 28 * Copyright (c) 1998-2002,2004,2006-2018 Glenn Randers-Pehrson 29 * Copyright (c) 1996-1997 Andreas Dilger 30 * Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc. 31 * 32 * This code is released under the libpng license. 33 * For conditions of distribution and use, see the disclaimer 34 * and license in png.h 35 */ 36 37 #include "pngpriv.h" 38 39 #ifdef PNG_PROGRESSIVE_READ_SUPPORTED 40 41 /* Push model modes */ 42 #define PNG_READ_SIG_MODE 0 43 #define PNG_READ_CHUNK_MODE 1 44 #define PNG_READ_IDAT_MODE 2 45 #define PNG_READ_tEXt_MODE 4 46 #define PNG_READ_zTXt_MODE 5 47 #define PNG_READ_DONE_MODE 6 48 #define PNG_READ_iTXt_MODE 7 49 #define PNG_ERROR_MODE 8 50 51 #define PNG_PUSH_SAVE_BUFFER_IF_FULL \ 52 if (png_ptr->push_length + 4 > png_ptr->buffer_size) \ 53 { png_push_save_buffer(png_ptr); return; } 54 #define PNG_PUSH_SAVE_BUFFER_IF_LT(N) \ 55 if (png_ptr->buffer_size < N) \ 56 { png_push_save_buffer(png_ptr); return; } 57 58 void PNGAPI 59 png_process_data(png_structrp png_ptr, png_inforp info_ptr, 60 png_bytep buffer, size_t buffer_size) 61 { 62 if (png_ptr == NULL || info_ptr == NULL) 63 return; 64 65 png_push_restore_buffer(png_ptr, buffer, buffer_size); 66 67 while (png_ptr->buffer_size) 68 { 69 png_process_some_data(png_ptr, info_ptr); 70 } 71 } 72 73 size_t PNGAPI 74 png_process_data_pause(png_structrp png_ptr, int save) 75 { 76 if (png_ptr != NULL) 77 { 78 /* It's easiest for the caller if we do the save; then the caller doesn't 79 * have to supply the same data again: 80 */ 81 if (save != 0) 82 png_push_save_buffer(png_ptr); 83 else 84 { 85 /* This includes any pending saved bytes: */ 86 size_t remaining = png_ptr->buffer_size; 87 png_ptr->buffer_size = 0; 88 89 /* So subtract the saved buffer size, unless all the data 90 * is actually 'saved', in which case we just return 0 91 */ 92 if (png_ptr->save_buffer_size < remaining) 93 return remaining - png_ptr->save_buffer_size; 94 } 95 } 96 97 return 0; 98 } 99 100 png_uint_32 PNGAPI 101 png_process_data_skip(png_structrp png_ptr) 102 { 103 /* TODO: Deprecate and remove this API. 104 * Somewhere the implementation of this seems to have been lost, 105 * or abandoned. It was only to support some internal back-door access 106 * to png_struct) in libpng-1.4.x. 107 */ 108 png_app_warning(png_ptr, 109 "png_process_data_skip is not implemented in any current version of libpng"); 110 return 0; 111 } 112 113 /* What we do with the incoming data depends on what we were previously 114 * doing before we ran out of data... 115 */ 116 void /* PRIVATE */ 117 png_process_some_data(png_structrp png_ptr, png_inforp info_ptr) 118 { 119 if (png_ptr == NULL) 120 return; 121 122 switch (png_ptr->process_mode) 123 { 124 case PNG_READ_SIG_MODE: 125 { 126 png_push_read_sig(png_ptr, info_ptr); 127 break; 128 } 129 130 case PNG_READ_CHUNK_MODE: 131 { 132 png_push_read_chunk(png_ptr, info_ptr); 133 break; 134 } 135 136 case PNG_READ_IDAT_MODE: 137 { 138 png_push_read_IDAT(png_ptr); 139 break; 140 } 141 142 default: 143 { 144 png_ptr->buffer_size = 0; 145 break; 146 } 147 } 148 } 149 150 /* Read any remaining signature bytes from the stream and compare them with 151 * the correct PNG signature. It is possible that this routine is called 152 * with bytes already read from the signature, either because they have been 153 * checked by the calling application, or because of multiple calls to this 154 * routine. 155 */ 156 void /* PRIVATE */ 157 png_push_read_sig(png_structrp png_ptr, png_inforp info_ptr) 158 { 159 size_t num_checked = png_ptr->sig_bytes; /* SAFE, does not exceed 8 */ 160 size_t num_to_check = 8 - num_checked; 161 162 if (png_ptr->buffer_size < num_to_check) 163 { 164 num_to_check = png_ptr->buffer_size; 165 } 166 167 png_push_fill_buffer(png_ptr, &(info_ptr->signature[num_checked]), 168 num_to_check); 169 png_ptr->sig_bytes = (png_byte)(png_ptr->sig_bytes + num_to_check); 170 171 if (png_sig_cmp(info_ptr->signature, num_checked, num_to_check)) 172 { 173 if (num_checked < 4 && 174 png_sig_cmp(info_ptr->signature, num_checked, num_to_check - 4)) 175 png_error(png_ptr, "Not a PNG file"); 176 177 else 178 png_error(png_ptr, "PNG file corrupted by ASCII conversion"); 179 } 180 else 181 { 182 if (png_ptr->sig_bytes >= 8) 183 { 184 png_ptr->process_mode = PNG_READ_CHUNK_MODE; 185 } 186 } 187 } 188 189 void /* PRIVATE */ 190 png_push_read_chunk(png_structrp png_ptr, png_inforp info_ptr) 191 { 192 png_uint_32 chunk_name; 193 #ifdef PNG_HANDLE_AS_UNKNOWN_SUPPORTED 194 int keep; /* unknown handling method */ 195 #endif 196 197 /* First we make sure we have enough data for the 4-byte chunk name 198 * and the 4-byte chunk length before proceeding with decoding the 199 * chunk data. To fully decode each of these chunks, we also make 200 * sure we have enough data in the buffer for the 4-byte CRC at the 201 * end of every chunk (except IDAT, which is handled separately). 202 */ 203 if ((png_ptr->mode & PNG_HAVE_CHUNK_HEADER) == 0) 204 { 205 png_byte chunk_length[4]; 206 png_byte chunk_tag[4]; 207 208 PNG_PUSH_SAVE_BUFFER_IF_LT(8) 209 png_push_fill_buffer(png_ptr, chunk_length, 4); 210 png_ptr->push_length = png_get_uint_31(png_ptr, chunk_length); 211 png_reset_crc(png_ptr); 212 png_crc_read(png_ptr, chunk_tag, 4); 213 png_ptr->chunk_name = PNG_CHUNK_FROM_STRING(chunk_tag); 214 png_check_chunk_name(png_ptr, png_ptr->chunk_name); 215 png_check_chunk_length(png_ptr, png_ptr->push_length); 216 png_ptr->mode |= PNG_HAVE_CHUNK_HEADER; 217 } 218 219 chunk_name = png_ptr->chunk_name; 220 221 if (chunk_name == png_IDAT) 222 { 223 if ((png_ptr->mode & PNG_AFTER_IDAT) != 0) 224 png_ptr->mode |= PNG_HAVE_CHUNK_AFTER_IDAT; 225 226 /* If we reach an IDAT chunk, this means we have read all of the 227 * header chunks, and we can start reading the image (or if this 228 * is called after the image has been read - we have an error). 229 */ 230 if ((png_ptr->mode & PNG_HAVE_IHDR) == 0) 231 png_error(png_ptr, "Missing IHDR before IDAT"); 232 233 else if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE && 234 (png_ptr->mode & PNG_HAVE_PLTE) == 0) 235 png_error(png_ptr, "Missing PLTE before IDAT"); 236 237 png_ptr->process_mode = PNG_READ_IDAT_MODE; 238 239 if ((png_ptr->mode & PNG_HAVE_IDAT) != 0) 240 if ((png_ptr->mode & PNG_HAVE_CHUNK_AFTER_IDAT) == 0) 241 if (png_ptr->push_length == 0) 242 return; 243 244 png_ptr->mode |= PNG_HAVE_IDAT; 245 246 if ((png_ptr->mode & PNG_AFTER_IDAT) != 0) 247 png_benign_error(png_ptr, "Too many IDATs found"); 248 } 249 250 if (chunk_name == png_IHDR) 251 { 252 if (png_ptr->push_length != 13) 253 png_error(png_ptr, "Invalid IHDR length"); 254 255 PNG_PUSH_SAVE_BUFFER_IF_FULL 256 png_handle_IHDR(png_ptr, info_ptr, png_ptr->push_length); 257 } 258 259 else if (chunk_name == png_IEND) 260 { 261 PNG_PUSH_SAVE_BUFFER_IF_FULL 262 png_handle_IEND(png_ptr, info_ptr, png_ptr->push_length); 263 264 png_ptr->process_mode = PNG_READ_DONE_MODE; 265 png_push_have_end(png_ptr, info_ptr); 266 } 267 268 #ifdef PNG_HANDLE_AS_UNKNOWN_SUPPORTED 269 else if ((keep = png_chunk_unknown_handling(png_ptr, chunk_name)) != 0) 270 { 271 PNG_PUSH_SAVE_BUFFER_IF_FULL 272 png_handle_unknown(png_ptr, info_ptr, png_ptr->push_length, keep); 273 274 if (chunk_name == png_PLTE) 275 png_ptr->mode |= PNG_HAVE_PLTE; 276 } 277 #endif 278 279 else if (chunk_name == png_PLTE) 280 { 281 PNG_PUSH_SAVE_BUFFER_IF_FULL 282 png_handle_PLTE(png_ptr, info_ptr, png_ptr->push_length); 283 } 284 285 else if (chunk_name == png_IDAT) 286 { 287 png_ptr->idat_size = png_ptr->push_length; 288 png_ptr->process_mode = PNG_READ_IDAT_MODE; 289 png_push_have_info(png_ptr, info_ptr); 290 png_ptr->zstream.avail_out = 291 (uInt) PNG_ROWBYTES(png_ptr->pixel_depth, 292 png_ptr->iwidth) + 1; 293 png_ptr->zstream.next_out = png_ptr->row_buf; 294 return; 295 } 296 297 #ifdef PNG_READ_gAMA_SUPPORTED 298 else if (png_ptr->chunk_name == png_gAMA) 299 { 300 PNG_PUSH_SAVE_BUFFER_IF_FULL 301 png_handle_gAMA(png_ptr, info_ptr, png_ptr->push_length); 302 } 303 304 #endif 305 #ifdef PNG_READ_sBIT_SUPPORTED 306 else if (png_ptr->chunk_name == png_sBIT) 307 { 308 PNG_PUSH_SAVE_BUFFER_IF_FULL 309 png_handle_sBIT(png_ptr, info_ptr, png_ptr->push_length); 310 } 311 312 #endif 313 #ifdef PNG_READ_cHRM_SUPPORTED 314 else if (png_ptr->chunk_name == png_cHRM) 315 { 316 PNG_PUSH_SAVE_BUFFER_IF_FULL 317 png_handle_cHRM(png_ptr, info_ptr, png_ptr->push_length); 318 } 319 320 #endif 321 #ifdef PNG_READ_sRGB_SUPPORTED 322 else if (chunk_name == png_sRGB) 323 { 324 PNG_PUSH_SAVE_BUFFER_IF_FULL 325 png_handle_sRGB(png_ptr, info_ptr, png_ptr->push_length); 326 } 327 328 #endif 329 #ifdef PNG_READ_iCCP_SUPPORTED 330 else if (png_ptr->chunk_name == png_iCCP) 331 { 332 PNG_PUSH_SAVE_BUFFER_IF_FULL 333 png_handle_iCCP(png_ptr, info_ptr, png_ptr->push_length); 334 } 335 336 #endif 337 #ifdef PNG_READ_sPLT_SUPPORTED 338 else if (chunk_name == png_sPLT) 339 { 340 PNG_PUSH_SAVE_BUFFER_IF_FULL 341 png_handle_sPLT(png_ptr, info_ptr, png_ptr->push_length); 342 } 343 344 #endif 345 #ifdef PNG_READ_tRNS_SUPPORTED 346 else if (chunk_name == png_tRNS) 347 { 348 PNG_PUSH_SAVE_BUFFER_IF_FULL 349 png_handle_tRNS(png_ptr, info_ptr, png_ptr->push_length); 350 } 351 352 #endif 353 #ifdef PNG_READ_bKGD_SUPPORTED 354 else if (chunk_name == png_bKGD) 355 { 356 PNG_PUSH_SAVE_BUFFER_IF_FULL 357 png_handle_bKGD(png_ptr, info_ptr, png_ptr->push_length); 358 } 359 360 #endif 361 #ifdef PNG_READ_hIST_SUPPORTED 362 else if (chunk_name == png_hIST) 363 { 364 PNG_PUSH_SAVE_BUFFER_IF_FULL 365 png_handle_hIST(png_ptr, info_ptr, png_ptr->push_length); 366 } 367 368 #endif 369 #ifdef PNG_READ_pHYs_SUPPORTED 370 else if (chunk_name == png_pHYs) 371 { 372 PNG_PUSH_SAVE_BUFFER_IF_FULL 373 png_handle_pHYs(png_ptr, info_ptr, png_ptr->push_length); 374 } 375 376 #endif 377 #ifdef PNG_READ_oFFs_SUPPORTED 378 else if (chunk_name == png_oFFs) 379 { 380 PNG_PUSH_SAVE_BUFFER_IF_FULL 381 png_handle_oFFs(png_ptr, info_ptr, png_ptr->push_length); 382 } 383 #endif 384 385 #ifdef PNG_READ_pCAL_SUPPORTED 386 else if (chunk_name == png_pCAL) 387 { 388 PNG_PUSH_SAVE_BUFFER_IF_FULL 389 png_handle_pCAL(png_ptr, info_ptr, png_ptr->push_length); 390 } 391 392 #endif 393 #ifdef PNG_READ_sCAL_SUPPORTED 394 else if (chunk_name == png_sCAL) 395 { 396 PNG_PUSH_SAVE_BUFFER_IF_FULL 397 png_handle_sCAL(png_ptr, info_ptr, png_ptr->push_length); 398 } 399 400 #endif 401 #ifdef PNG_READ_tIME_SUPPORTED 402 else if (chunk_name == png_tIME) 403 { 404 PNG_PUSH_SAVE_BUFFER_IF_FULL 405 png_handle_tIME(png_ptr, info_ptr, png_ptr->push_length); 406 } 407 408 #endif 409 #ifdef PNG_READ_tEXt_SUPPORTED 410 else if (chunk_name == png_tEXt) 411 { 412 PNG_PUSH_SAVE_BUFFER_IF_FULL 413 png_handle_tEXt(png_ptr, info_ptr, png_ptr->push_length); 414 } 415 416 #endif 417 #ifdef PNG_READ_zTXt_SUPPORTED 418 else if (chunk_name == png_zTXt) 419 { 420 PNG_PUSH_SAVE_BUFFER_IF_FULL 421 png_handle_zTXt(png_ptr, info_ptr, png_ptr->push_length); 422 } 423 424 #endif 425 #ifdef PNG_READ_iTXt_SUPPORTED 426 else if (chunk_name == png_iTXt) 427 { 428 PNG_PUSH_SAVE_BUFFER_IF_FULL 429 png_handle_iTXt(png_ptr, info_ptr, png_ptr->push_length); 430 } 431 #endif 432 433 else 434 { 435 PNG_PUSH_SAVE_BUFFER_IF_FULL 436 png_handle_unknown(png_ptr, info_ptr, png_ptr->push_length, 437 PNG_HANDLE_CHUNK_AS_DEFAULT); 438 } 439 440 png_ptr->mode &= ~PNG_HAVE_CHUNK_HEADER; 441 } 442 443 void PNGCBAPI 444 png_push_fill_buffer(png_structp png_ptr, png_bytep buffer, size_t length) 445 { 446 png_bytep ptr; 447 448 if (png_ptr == NULL) 449 return; 450 451 ptr = buffer; 452 if (png_ptr->save_buffer_size != 0) 453 { 454 size_t save_size; 455 456 if (length < png_ptr->save_buffer_size) 457 save_size = length; 458 459 else 460 save_size = png_ptr->save_buffer_size; 461 462 memcpy(ptr, png_ptr->save_buffer_ptr, save_size); 463 length -= save_size; 464 ptr += save_size; 465 png_ptr->buffer_size -= save_size; 466 png_ptr->save_buffer_size -= save_size; 467 png_ptr->save_buffer_ptr += save_size; 468 } 469 if (length != 0 && png_ptr->current_buffer_size != 0) 470 { 471 size_t save_size; 472 473 if (length < png_ptr->current_buffer_size) 474 save_size = length; 475 476 else 477 save_size = png_ptr->current_buffer_size; 478 479 memcpy(ptr, png_ptr->current_buffer_ptr, save_size); 480 png_ptr->buffer_size -= save_size; 481 png_ptr->current_buffer_size -= save_size; 482 png_ptr->current_buffer_ptr += save_size; 483 } 484 } 485 486 void /* PRIVATE */ 487 png_push_save_buffer(png_structrp png_ptr) 488 { 489 if (png_ptr->save_buffer_size != 0) 490 { 491 if (png_ptr->save_buffer_ptr != png_ptr->save_buffer) 492 { 493 size_t i, istop; 494 png_bytep sp; 495 png_bytep dp; 496 497 istop = png_ptr->save_buffer_size; 498 for (i = 0, sp = png_ptr->save_buffer_ptr, dp = png_ptr->save_buffer; 499 i < istop; i++, sp++, dp++) 500 { 501 *dp = *sp; 502 } 503 } 504 } 505 if (png_ptr->save_buffer_size + png_ptr->current_buffer_size > 506 png_ptr->save_buffer_max) 507 { 508 size_t new_max; 509 png_bytep old_buffer; 510 511 if (png_ptr->save_buffer_size > PNG_SIZE_MAX - 512 (png_ptr->current_buffer_size + 256)) 513 { 514 png_error(png_ptr, "Potential overflow of save_buffer"); 515 } 516 517 new_max = png_ptr->save_buffer_size + png_ptr->current_buffer_size + 256; 518 old_buffer = png_ptr->save_buffer; 519 png_ptr->save_buffer = (png_bytep)png_malloc_warn(png_ptr, 520 (size_t)new_max); 521 522 if (png_ptr->save_buffer == NULL) 523 { 524 png_free(png_ptr, old_buffer); 525 png_error(png_ptr, "Insufficient memory for save_buffer"); 526 } 527 528 if (old_buffer) 529 memcpy(png_ptr->save_buffer, old_buffer, png_ptr->save_buffer_size); 530 else if (png_ptr->save_buffer_size) 531 png_error(png_ptr, "save_buffer error"); 532 png_free(png_ptr, old_buffer); 533 png_ptr->save_buffer_max = new_max; 534 } 535 if (png_ptr->current_buffer_size) 536 { 537 memcpy(png_ptr->save_buffer + png_ptr->save_buffer_size, 538 png_ptr->current_buffer_ptr, png_ptr->current_buffer_size); 539 png_ptr->save_buffer_size += png_ptr->current_buffer_size; 540 png_ptr->current_buffer_size = 0; 541 } 542 png_ptr->save_buffer_ptr = png_ptr->save_buffer; 543 png_ptr->buffer_size = 0; 544 } 545 546 void /* PRIVATE */ 547 png_push_restore_buffer(png_structrp png_ptr, png_bytep buffer, 548 size_t buffer_length) 549 { 550 png_ptr->current_buffer = buffer; 551 png_ptr->current_buffer_size = buffer_length; 552 png_ptr->buffer_size = buffer_length + png_ptr->save_buffer_size; 553 png_ptr->current_buffer_ptr = png_ptr->current_buffer; 554 } 555 556 void /* PRIVATE */ 557 png_push_read_IDAT(png_structrp png_ptr) 558 { 559 if ((png_ptr->mode & PNG_HAVE_CHUNK_HEADER) == 0) 560 { 561 png_byte chunk_length[4]; 562 png_byte chunk_tag[4]; 563 564 /* TODO: this code can be commoned up with the same code in push_read */ 565 PNG_PUSH_SAVE_BUFFER_IF_LT(8) 566 png_push_fill_buffer(png_ptr, chunk_length, 4); 567 png_ptr->push_length = png_get_uint_31(png_ptr, chunk_length); 568 png_reset_crc(png_ptr); 569 png_crc_read(png_ptr, chunk_tag, 4); 570 png_ptr->chunk_name = PNG_CHUNK_FROM_STRING(chunk_tag); 571 png_ptr->mode |= PNG_HAVE_CHUNK_HEADER; 572 573 if (png_ptr->chunk_name != png_IDAT) 574 { 575 png_ptr->process_mode = PNG_READ_CHUNK_MODE; 576 577 if ((png_ptr->flags & PNG_FLAG_ZSTREAM_ENDED) == 0) 578 png_error(png_ptr, "Not enough compressed data"); 579 580 return; 581 } 582 583 png_ptr->idat_size = png_ptr->push_length; 584 } 585 586 if (png_ptr->idat_size != 0 && png_ptr->save_buffer_size != 0) 587 { 588 size_t save_size = png_ptr->save_buffer_size; 589 png_uint_32 idat_size = png_ptr->idat_size; 590 591 /* We want the smaller of 'idat_size' and 'current_buffer_size', but they 592 * are of different types and we don't know which variable has the fewest 593 * bits. Carefully select the smaller and cast it to the type of the 594 * larger - this cannot overflow. Do not cast in the following test - it 595 * will break on either 16-bit or 64-bit platforms. 596 */ 597 if (idat_size < save_size) 598 save_size = (size_t)idat_size; 599 600 else 601 idat_size = (png_uint_32)save_size; 602 603 png_calculate_crc(png_ptr, png_ptr->save_buffer_ptr, save_size); 604 605 png_process_IDAT_data(png_ptr, png_ptr->save_buffer_ptr, save_size); 606 607 png_ptr->idat_size -= idat_size; 608 png_ptr->buffer_size -= save_size; 609 png_ptr->save_buffer_size -= save_size; 610 png_ptr->save_buffer_ptr += save_size; 611 } 612 613 if (png_ptr->idat_size != 0 && png_ptr->current_buffer_size != 0) 614 { 615 size_t save_size = png_ptr->current_buffer_size; 616 png_uint_32 idat_size = png_ptr->idat_size; 617 618 /* We want the smaller of 'idat_size' and 'current_buffer_size', but they 619 * are of different types and we don't know which variable has the fewest 620 * bits. Carefully select the smaller and cast it to the type of the 621 * larger - this cannot overflow. 622 */ 623 if (idat_size < save_size) 624 save_size = (size_t)idat_size; 625 626 else 627 idat_size = (png_uint_32)save_size; 628 629 png_calculate_crc(png_ptr, png_ptr->current_buffer_ptr, save_size); 630 631 png_process_IDAT_data(png_ptr, png_ptr->current_buffer_ptr, save_size); 632 633 png_ptr->idat_size -= idat_size; 634 png_ptr->buffer_size -= save_size; 635 png_ptr->current_buffer_size -= save_size; 636 png_ptr->current_buffer_ptr += save_size; 637 } 638 639 if (png_ptr->idat_size == 0) 640 { 641 PNG_PUSH_SAVE_BUFFER_IF_LT(4) 642 png_crc_finish(png_ptr, 0); 643 png_ptr->mode &= ~PNG_HAVE_CHUNK_HEADER; 644 png_ptr->mode |= PNG_AFTER_IDAT; 645 png_ptr->zowner = 0; 646 } 647 } 648 649 void /* PRIVATE */ 650 png_process_IDAT_data(png_structrp png_ptr, png_bytep buffer, 651 size_t buffer_length) 652 { 653 /* The caller checks for a non-zero buffer length. */ 654 if (!(buffer_length > 0) || buffer == NULL) 655 png_error(png_ptr, "No IDAT data (internal error)"); 656 657 /* This routine must process all the data it has been given 658 * before returning, calling the row callback as required to 659 * handle the uncompressed results. 660 */ 661 png_ptr->zstream.next_in = buffer; 662 /* TODO: WARNING: TRUNCATION ERROR: DANGER WILL ROBINSON: */ 663 png_ptr->zstream.avail_in = (uInt)buffer_length; 664 665 /* Keep going until the decompressed data is all processed 666 * or the stream marked as finished. 667 */ 668 while (png_ptr->zstream.avail_in > 0 && 669 (png_ptr->flags & PNG_FLAG_ZSTREAM_ENDED) == 0) 670 { 671 int ret; 672 673 /* We have data for zlib, but we must check that zlib 674 * has someplace to put the results. It doesn't matter 675 * if we don't expect any results -- it may be the input 676 * data is just the LZ end code. 677 */ 678 if (!(png_ptr->zstream.avail_out > 0)) 679 { 680 /* TODO: WARNING: TRUNCATION ERROR: DANGER WILL ROBINSON: */ 681 png_ptr->zstream.avail_out = (uInt)(PNG_ROWBYTES(png_ptr->pixel_depth, 682 png_ptr->iwidth) + 1); 683 684 png_ptr->zstream.next_out = png_ptr->row_buf; 685 } 686 687 /* Using Z_SYNC_FLUSH here means that an unterminated 688 * LZ stream (a stream with a missing end code) can still 689 * be handled, otherwise (Z_NO_FLUSH) a future zlib 690 * implementation might defer output and therefore 691 * change the current behavior (see comments in inflate.c 692 * for why this doesn't happen at present with zlib 1.2.5). 693 */ 694 ret = PNG_INFLATE(png_ptr, Z_SYNC_FLUSH); 695 696 /* Check for any failure before proceeding. */ 697 if (ret != Z_OK && ret != Z_STREAM_END) 698 { 699 /* Terminate the decompression. */ 700 png_ptr->flags |= PNG_FLAG_ZSTREAM_ENDED; 701 png_ptr->zowner = 0; 702 703 /* This may be a truncated stream (missing or 704 * damaged end code). Treat that as a warning. 705 */ 706 if (png_ptr->row_number >= png_ptr->num_rows || 707 png_ptr->pass > 6) 708 png_warning(png_ptr, "Truncated compressed data in IDAT"); 709 710 else 711 { 712 if (ret == Z_DATA_ERROR) 713 png_benign_error(png_ptr, "IDAT: ADLER32 checksum mismatch"); 714 else 715 png_error(png_ptr, "Decompression error in IDAT"); 716 } 717 718 /* Skip the check on unprocessed input */ 719 return; 720 } 721 722 /* Did inflate output any data? */ 723 if (png_ptr->zstream.next_out != png_ptr->row_buf) 724 { 725 /* Is this unexpected data after the last row? 726 * If it is, artificially terminate the LZ output 727 * here. 728 */ 729 if (png_ptr->row_number >= png_ptr->num_rows || 730 png_ptr->pass > 6) 731 { 732 /* Extra data. */ 733 png_warning(png_ptr, "Extra compressed data in IDAT"); 734 png_ptr->flags |= PNG_FLAG_ZSTREAM_ENDED; 735 png_ptr->zowner = 0; 736 737 /* Do no more processing; skip the unprocessed 738 * input check below. 739 */ 740 return; 741 } 742 743 /* Do we have a complete row? */ 744 if (png_ptr->zstream.avail_out == 0) 745 png_push_process_row(png_ptr); 746 } 747 748 /* And check for the end of the stream. */ 749 if (ret == Z_STREAM_END) 750 png_ptr->flags |= PNG_FLAG_ZSTREAM_ENDED; 751 } 752 753 /* All the data should have been processed, if anything 754 * is left at this point we have bytes of IDAT data 755 * after the zlib end code. 756 */ 757 if (png_ptr->zstream.avail_in > 0) 758 png_warning(png_ptr, "Extra compression data in IDAT"); 759 } 760 761 void /* PRIVATE */ 762 png_push_process_row(png_structrp png_ptr) 763 { 764 /* 1.5.6: row_info moved out of png_struct to a local here. */ 765 png_row_info row_info; 766 767 row_info.width = png_ptr->iwidth; /* NOTE: width of current interlaced row */ 768 row_info.color_type = png_ptr->color_type; 769 row_info.bit_depth = png_ptr->bit_depth; 770 row_info.channels = png_ptr->channels; 771 row_info.pixel_depth = png_ptr->pixel_depth; 772 row_info.rowbytes = PNG_ROWBYTES(row_info.pixel_depth, row_info.width); 773 774 if (png_ptr->row_buf[0] > PNG_FILTER_VALUE_NONE) 775 { 776 if (png_ptr->row_buf[0] < PNG_FILTER_VALUE_LAST) 777 png_read_filter_row(png_ptr, &row_info, png_ptr->row_buf + 1, 778 png_ptr->prev_row + 1, png_ptr->row_buf[0]); 779 else 780 png_error(png_ptr, "bad adaptive filter value"); 781 } 782 783 /* libpng 1.5.6: the following line was copying png_ptr->rowbytes before 784 * 1.5.6, while the buffer really is this big in current versions of libpng 785 * it may not be in the future, so this was changed just to copy the 786 * interlaced row count: 787 */ 788 memcpy(png_ptr->prev_row, png_ptr->row_buf, row_info.rowbytes + 1); 789 790 #ifdef PNG_READ_TRANSFORMS_SUPPORTED 791 if (png_ptr->transformations != 0) 792 png_do_read_transformations(png_ptr, &row_info); 793 #endif 794 795 /* The transformed pixel depth should match the depth now in row_info. */ 796 if (png_ptr->transformed_pixel_depth == 0) 797 { 798 png_ptr->transformed_pixel_depth = row_info.pixel_depth; 799 if (row_info.pixel_depth > png_ptr->maximum_pixel_depth) 800 png_error(png_ptr, "progressive row overflow"); 801 } 802 803 else if (png_ptr->transformed_pixel_depth != row_info.pixel_depth) 804 png_error(png_ptr, "internal progressive row size calculation error"); 805 806 807 #ifdef PNG_READ_INTERLACING_SUPPORTED 808 /* Expand interlaced rows to full size */ 809 if (png_ptr->interlaced != 0 && 810 (png_ptr->transformations & PNG_INTERLACE) != 0) 811 { 812 if (png_ptr->pass < 6) 813 png_do_read_interlace(&row_info, png_ptr->row_buf + 1, png_ptr->pass, 814 png_ptr->transformations); 815 816 switch (png_ptr->pass) 817 { 818 case 0: 819 { 820 int i; 821 for (i = 0; i < 8 && png_ptr->pass == 0; i++) 822 { 823 png_push_have_row(png_ptr, png_ptr->row_buf + 1); 824 png_read_push_finish_row(png_ptr); /* Updates png_ptr->pass */ 825 } 826 827 if (png_ptr->pass == 2) /* Pass 1 might be empty */ 828 { 829 for (i = 0; i < 4 && png_ptr->pass == 2; i++) 830 { 831 png_push_have_row(png_ptr, NULL); 832 png_read_push_finish_row(png_ptr); 833 } 834 } 835 836 if (png_ptr->pass == 4 && png_ptr->height <= 4) 837 { 838 for (i = 0; i < 2 && png_ptr->pass == 4; i++) 839 { 840 png_push_have_row(png_ptr, NULL); 841 png_read_push_finish_row(png_ptr); 842 } 843 } 844 845 if (png_ptr->pass == 6 && png_ptr->height <= 4) 846 { 847 png_push_have_row(png_ptr, NULL); 848 png_read_push_finish_row(png_ptr); 849 } 850 851 break; 852 } 853 854 case 1: 855 { 856 int i; 857 for (i = 0; i < 8 && png_ptr->pass == 1; i++) 858 { 859 png_push_have_row(png_ptr, png_ptr->row_buf + 1); 860 png_read_push_finish_row(png_ptr); 861 } 862 863 if (png_ptr->pass == 2) /* Skip top 4 generated rows */ 864 { 865 for (i = 0; i < 4 && png_ptr->pass == 2; i++) 866 { 867 png_push_have_row(png_ptr, NULL); 868 png_read_push_finish_row(png_ptr); 869 } 870 } 871 872 break; 873 } 874 875 case 2: 876 { 877 int i; 878 879 for (i = 0; i < 4 && png_ptr->pass == 2; i++) 880 { 881 png_push_have_row(png_ptr, png_ptr->row_buf + 1); 882 png_read_push_finish_row(png_ptr); 883 } 884 885 for (i = 0; i < 4 && png_ptr->pass == 2; i++) 886 { 887 png_push_have_row(png_ptr, NULL); 888 png_read_push_finish_row(png_ptr); 889 } 890 891 if (png_ptr->pass == 4) /* Pass 3 might be empty */ 892 { 893 for (i = 0; i < 2 && png_ptr->pass == 4; i++) 894 { 895 png_push_have_row(png_ptr, NULL); 896 png_read_push_finish_row(png_ptr); 897 } 898 } 899 900 break; 901 } 902 903 case 3: 904 { 905 int i; 906 907 for (i = 0; i < 4 && png_ptr->pass == 3; i++) 908 { 909 png_push_have_row(png_ptr, png_ptr->row_buf + 1); 910 png_read_push_finish_row(png_ptr); 911 } 912 913 if (png_ptr->pass == 4) /* Skip top two generated rows */ 914 { 915 for (i = 0; i < 2 && png_ptr->pass == 4; i++) 916 { 917 png_push_have_row(png_ptr, NULL); 918 png_read_push_finish_row(png_ptr); 919 } 920 } 921 922 break; 923 } 924 925 case 4: 926 { 927 int i; 928 929 for (i = 0; i < 2 && png_ptr->pass == 4; i++) 930 { 931 png_push_have_row(png_ptr, png_ptr->row_buf + 1); 932 png_read_push_finish_row(png_ptr); 933 } 934 935 for (i = 0; i < 2 && png_ptr->pass == 4; i++) 936 { 937 png_push_have_row(png_ptr, NULL); 938 png_read_push_finish_row(png_ptr); 939 } 940 941 if (png_ptr->pass == 6) /* Pass 5 might be empty */ 942 { 943 png_push_have_row(png_ptr, NULL); 944 png_read_push_finish_row(png_ptr); 945 } 946 947 break; 948 } 949 950 case 5: 951 { 952 int i; 953 954 for (i = 0; i < 2 && png_ptr->pass == 5; i++) 955 { 956 png_push_have_row(png_ptr, png_ptr->row_buf + 1); 957 png_read_push_finish_row(png_ptr); 958 } 959 960 if (png_ptr->pass == 6) /* Skip top generated row */ 961 { 962 png_push_have_row(png_ptr, NULL); 963 png_read_push_finish_row(png_ptr); 964 } 965 966 break; 967 } 968 969 default: 970 case 6: 971 { 972 png_push_have_row(png_ptr, png_ptr->row_buf + 1); 973 png_read_push_finish_row(png_ptr); 974 975 if (png_ptr->pass != 6) 976 break; 977 978 png_push_have_row(png_ptr, NULL); 979 png_read_push_finish_row(png_ptr); 980 } 981 } 982 } 983 else 984 #endif 985 { 986 png_push_have_row(png_ptr, png_ptr->row_buf + 1); 987 png_read_push_finish_row(png_ptr); 988 } 989 } 990 991 void /* PRIVATE */ 992 png_read_push_finish_row(png_structrp png_ptr) 993 { 994 #ifdef PNG_READ_INTERLACING_SUPPORTED 995 /* Arrays to facilitate easy interlacing - use pass (0 - 6) as index */ 996 997 /* Start of interlace block */ 998 static const png_byte png_pass_start[] = {0, 4, 0, 2, 0, 1, 0}; 999 1000 /* Offset to next interlace block */ 1001 static const png_byte png_pass_inc[] = {8, 8, 4, 4, 2, 2, 1}; 1002 1003 /* Start of interlace block in the y direction */ 1004 static const png_byte png_pass_ystart[] = {0, 0, 4, 0, 2, 0, 1}; 1005 1006 /* Offset to next interlace block in the y direction */ 1007 static const png_byte png_pass_yinc[] = {8, 8, 8, 4, 4, 2, 2}; 1008 1009 /* Height of interlace block. This is not currently used - if you need 1010 * it, uncomment it here and in png.h 1011 static const png_byte png_pass_height[] = {8, 8, 4, 4, 2, 2, 1}; 1012 */ 1013 #endif 1014 1015 png_ptr->row_number++; 1016 if (png_ptr->row_number < png_ptr->num_rows) 1017 return; 1018 1019 #ifdef PNG_READ_INTERLACING_SUPPORTED 1020 if (png_ptr->interlaced != 0) 1021 { 1022 png_ptr->row_number = 0; 1023 memset(png_ptr->prev_row, 0, png_ptr->rowbytes + 1); 1024 1025 do 1026 { 1027 png_ptr->pass++; 1028 if ((png_ptr->pass == 1 && png_ptr->width < 5) || 1029 (png_ptr->pass == 3 && png_ptr->width < 3) || 1030 (png_ptr->pass == 5 && png_ptr->width < 2)) 1031 png_ptr->pass++; 1032 1033 if (png_ptr->pass > 7) 1034 png_ptr->pass--; 1035 1036 if (png_ptr->pass >= 7) 1037 break; 1038 1039 png_ptr->iwidth = (png_ptr->width + 1040 png_pass_inc[png_ptr->pass] - 1 - 1041 png_pass_start[png_ptr->pass]) / 1042 png_pass_inc[png_ptr->pass]; 1043 1044 if ((png_ptr->transformations & PNG_INTERLACE) != 0) 1045 break; 1046 1047 png_ptr->num_rows = (png_ptr->height + 1048 png_pass_yinc[png_ptr->pass] - 1 - 1049 png_pass_ystart[png_ptr->pass]) / 1050 png_pass_yinc[png_ptr->pass]; 1051 1052 } while (png_ptr->iwidth == 0 || png_ptr->num_rows == 0); 1053 } 1054 #endif /* READ_INTERLACING */ 1055 } 1056 1057 void /* PRIVATE */ 1058 png_push_have_info(png_structrp png_ptr, png_inforp info_ptr) 1059 { 1060 if (png_ptr->info_fn != NULL) 1061 (*(png_ptr->info_fn))(png_ptr, info_ptr); 1062 } 1063 1064 void /* PRIVATE */ 1065 png_push_have_end(png_structrp png_ptr, png_inforp info_ptr) 1066 { 1067 if (png_ptr->end_fn != NULL) 1068 (*(png_ptr->end_fn))(png_ptr, info_ptr); 1069 } 1070 1071 void /* PRIVATE */ 1072 png_push_have_row(png_structrp png_ptr, png_bytep row) 1073 { 1074 if (png_ptr->row_fn != NULL) 1075 (*(png_ptr->row_fn))(png_ptr, row, png_ptr->row_number, 1076 (int)png_ptr->pass); 1077 } 1078 1079 #ifdef PNG_READ_INTERLACING_SUPPORTED 1080 void PNGAPI 1081 png_progressive_combine_row(png_const_structrp png_ptr, png_bytep old_row, 1082 png_const_bytep new_row) 1083 { 1084 if (png_ptr == NULL) 1085 return; 1086 1087 /* new_row is a flag here - if it is NULL then the app callback was called 1088 * from an empty row (see the calls to png_struct::row_fn below), otherwise 1089 * it must be png_ptr->row_buf+1 1090 */ 1091 if (new_row != NULL) 1092 png_combine_row(png_ptr, old_row, 1/*blocky display*/); 1093 } 1094 #endif /* READ_INTERLACING */ 1095 1096 void PNGAPI 1097 png_set_progressive_read_fn(png_structrp png_ptr, png_voidp progressive_ptr, 1098 png_progressive_info_ptr info_fn, png_progressive_row_ptr row_fn, 1099 png_progressive_end_ptr end_fn) 1100 { 1101 if (png_ptr == NULL) 1102 return; 1103 1104 png_ptr->info_fn = info_fn; 1105 png_ptr->row_fn = row_fn; 1106 png_ptr->end_fn = end_fn; 1107 1108 png_set_read_fn(png_ptr, progressive_ptr, png_push_fill_buffer); 1109 } 1110 1111 png_voidp PNGAPI 1112 png_get_progressive_ptr(png_const_structrp png_ptr) 1113 { 1114 if (png_ptr == NULL) 1115 return (NULL); 1116 1117 return png_ptr->io_ptr; 1118 } 1119 #endif /* PROGRESSIVE_READ */