1 /*
2 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
3 *
4 * This code is free software; you can redistribute it and/or modify it
5 * under the terms of the GNU General Public License version 2 only, as
6 * published by the Free Software Foundation. Oracle designates this
7 * particular file as subject to the "Classpath" exception as provided
8 * by Oracle in the LICENSE file that accompanied this code.
9 *
10 * This code is distributed in the hope that it will be useful, but WITHOUT
11 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
12 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * version 2 for more details (a copy is included in the LICENSE file that
14 * accompanied this code).
15 *
16 * You should have received a copy of the GNU General Public License version
17 * 2 along with this work; if not, write to the Free Software Foundation,
18 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
19 *
20 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
21 * or visit www.oracle.com if you need additional information or have any
22 * questions.
23 */
24
25 /* pngpread.c - read a png file in push mode
26 *
27 * Copyright (c) 2018 Cosmin Truta
28 * Copyright (c) 1998-2002,2004,2006-2018 Glenn Randers-Pehrson
29 * Copyright (c) 1996-1997 Andreas Dilger
30 * Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc.
31 *
32 * This code is released under the libpng license.
33 * For conditions of distribution and use, see the disclaimer
34 * and license in png.h
35 */
36
37 #include "pngpriv.h"
38
39 #ifdef PNG_PROGRESSIVE_READ_SUPPORTED
40
41 /* Push model modes */
42 #define PNG_READ_SIG_MODE 0
43 #define PNG_READ_CHUNK_MODE 1
44 #define PNG_READ_IDAT_MODE 2
45 #define PNG_READ_tEXt_MODE 4
46 #define PNG_READ_zTXt_MODE 5
47 #define PNG_READ_DONE_MODE 6
48 #define PNG_READ_iTXt_MODE 7
49 #define PNG_ERROR_MODE 8
50
51 #define PNG_PUSH_SAVE_BUFFER_IF_FULL \
52 if (png_ptr->push_length + 4 > png_ptr->buffer_size) \
53 { png_push_save_buffer(png_ptr); return; }
54 #define PNG_PUSH_SAVE_BUFFER_IF_LT(N) \
55 if (png_ptr->buffer_size < N) \
56 { png_push_save_buffer(png_ptr); return; }
57
58 void PNGAPI
59 png_process_data(png_structrp png_ptr, png_inforp info_ptr,
60 png_bytep buffer, size_t buffer_size)
61 {
62 if (png_ptr == NULL || info_ptr == NULL)
63 return;
64
65 png_push_restore_buffer(png_ptr, buffer, buffer_size);
66
67 while (png_ptr->buffer_size)
68 {
69 png_process_some_data(png_ptr, info_ptr);
70 }
71 }
72
73 size_t PNGAPI
74 png_process_data_pause(png_structrp png_ptr, int save)
75 {
76 if (png_ptr != NULL)
77 {
78 /* It's easiest for the caller if we do the save; then the caller doesn't
79 * have to supply the same data again:
80 */
81 if (save != 0)
82 png_push_save_buffer(png_ptr);
83 else
84 {
85 /* This includes any pending saved bytes: */
86 size_t remaining = png_ptr->buffer_size;
87 png_ptr->buffer_size = 0;
88
89 /* So subtract the saved buffer size, unless all the data
90 * is actually 'saved', in which case we just return 0
91 */
92 if (png_ptr->save_buffer_size < remaining)
93 return remaining - png_ptr->save_buffer_size;
94 }
95 }
96
97 return 0;
98 }
99
100 png_uint_32 PNGAPI
101 png_process_data_skip(png_structrp png_ptr)
102 {
103 /* TODO: Deprecate and remove this API.
104 * Somewhere the implementation of this seems to have been lost,
105 * or abandoned. It was only to support some internal back-door access
106 * to png_struct) in libpng-1.4.x.
107 */
108 png_app_warning(png_ptr,
109 "png_process_data_skip is not implemented in any current version of libpng");
110 return 0;
111 }
112
113 /* What we do with the incoming data depends on what we were previously
114 * doing before we ran out of data...
115 */
116 void /* PRIVATE */
117 png_process_some_data(png_structrp png_ptr, png_inforp info_ptr)
118 {
119 if (png_ptr == NULL)
120 return;
121
122 switch (png_ptr->process_mode)
123 {
124 case PNG_READ_SIG_MODE:
125 {
126 png_push_read_sig(png_ptr, info_ptr);
127 break;
128 }
129
130 case PNG_READ_CHUNK_MODE:
131 {
132 png_push_read_chunk(png_ptr, info_ptr);
133 break;
134 }
135
136 case PNG_READ_IDAT_MODE:
137 {
138 png_push_read_IDAT(png_ptr);
139 break;
140 }
141
142 default:
143 {
144 png_ptr->buffer_size = 0;
145 break;
146 }
147 }
148 }
149
150 /* Read any remaining signature bytes from the stream and compare them with
151 * the correct PNG signature. It is possible that this routine is called
152 * with bytes already read from the signature, either because they have been
153 * checked by the calling application, or because of multiple calls to this
154 * routine.
155 */
156 void /* PRIVATE */
157 png_push_read_sig(png_structrp png_ptr, png_inforp info_ptr)
158 {
159 size_t num_checked = png_ptr->sig_bytes; /* SAFE, does not exceed 8 */
160 size_t num_to_check = 8 - num_checked;
161
162 if (png_ptr->buffer_size < num_to_check)
163 {
164 num_to_check = png_ptr->buffer_size;
165 }
166
167 png_push_fill_buffer(png_ptr, &(info_ptr->signature[num_checked]),
168 num_to_check);
169 png_ptr->sig_bytes = (png_byte)(png_ptr->sig_bytes + num_to_check);
170
171 if (png_sig_cmp(info_ptr->signature, num_checked, num_to_check))
172 {
173 if (num_checked < 4 &&
174 png_sig_cmp(info_ptr->signature, num_checked, num_to_check - 4))
175 png_error(png_ptr, "Not a PNG file");
176
177 else
178 png_error(png_ptr, "PNG file corrupted by ASCII conversion");
179 }
180 else
181 {
182 if (png_ptr->sig_bytes >= 8)
183 {
184 png_ptr->process_mode = PNG_READ_CHUNK_MODE;
185 }
186 }
187 }
188
189 void /* PRIVATE */
190 png_push_read_chunk(png_structrp png_ptr, png_inforp info_ptr)
191 {
192 png_uint_32 chunk_name;
193 #ifdef PNG_HANDLE_AS_UNKNOWN_SUPPORTED
194 int keep; /* unknown handling method */
195 #endif
196
197 /* First we make sure we have enough data for the 4-byte chunk name
198 * and the 4-byte chunk length before proceeding with decoding the
199 * chunk data. To fully decode each of these chunks, we also make
200 * sure we have enough data in the buffer for the 4-byte CRC at the
201 * end of every chunk (except IDAT, which is handled separately).
202 */
203 if ((png_ptr->mode & PNG_HAVE_CHUNK_HEADER) == 0)
204 {
205 png_byte chunk_length[4];
206 png_byte chunk_tag[4];
207
208 PNG_PUSH_SAVE_BUFFER_IF_LT(8)
209 png_push_fill_buffer(png_ptr, chunk_length, 4);
210 png_ptr->push_length = png_get_uint_31(png_ptr, chunk_length);
211 png_reset_crc(png_ptr);
212 png_crc_read(png_ptr, chunk_tag, 4);
213 png_ptr->chunk_name = PNG_CHUNK_FROM_STRING(chunk_tag);
214 png_check_chunk_name(png_ptr, png_ptr->chunk_name);
215 png_check_chunk_length(png_ptr, png_ptr->push_length);
216 png_ptr->mode |= PNG_HAVE_CHUNK_HEADER;
217 }
218
219 chunk_name = png_ptr->chunk_name;
220
221 if (chunk_name == png_IDAT)
222 {
223 if ((png_ptr->mode & PNG_AFTER_IDAT) != 0)
224 png_ptr->mode |= PNG_HAVE_CHUNK_AFTER_IDAT;
225
226 /* If we reach an IDAT chunk, this means we have read all of the
227 * header chunks, and we can start reading the image (or if this
228 * is called after the image has been read - we have an error).
229 */
230 if ((png_ptr->mode & PNG_HAVE_IHDR) == 0)
231 png_error(png_ptr, "Missing IHDR before IDAT");
232
233 else if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE &&
234 (png_ptr->mode & PNG_HAVE_PLTE) == 0)
235 png_error(png_ptr, "Missing PLTE before IDAT");
236
237 png_ptr->process_mode = PNG_READ_IDAT_MODE;
238
239 if ((png_ptr->mode & PNG_HAVE_IDAT) != 0)
240 if ((png_ptr->mode & PNG_HAVE_CHUNK_AFTER_IDAT) == 0)
241 if (png_ptr->push_length == 0)
242 return;
243
244 png_ptr->mode |= PNG_HAVE_IDAT;
245
246 if ((png_ptr->mode & PNG_AFTER_IDAT) != 0)
247 png_benign_error(png_ptr, "Too many IDATs found");
248 }
249
250 if (chunk_name == png_IHDR)
251 {
252 if (png_ptr->push_length != 13)
253 png_error(png_ptr, "Invalid IHDR length");
254
255 PNG_PUSH_SAVE_BUFFER_IF_FULL
256 png_handle_IHDR(png_ptr, info_ptr, png_ptr->push_length);
257 }
258
259 else if (chunk_name == png_IEND)
260 {
261 PNG_PUSH_SAVE_BUFFER_IF_FULL
262 png_handle_IEND(png_ptr, info_ptr, png_ptr->push_length);
263
264 png_ptr->process_mode = PNG_READ_DONE_MODE;
265 png_push_have_end(png_ptr, info_ptr);
266 }
267
268 #ifdef PNG_HANDLE_AS_UNKNOWN_SUPPORTED
269 else if ((keep = png_chunk_unknown_handling(png_ptr, chunk_name)) != 0)
270 {
271 PNG_PUSH_SAVE_BUFFER_IF_FULL
272 png_handle_unknown(png_ptr, info_ptr, png_ptr->push_length, keep);
273
274 if (chunk_name == png_PLTE)
275 png_ptr->mode |= PNG_HAVE_PLTE;
276 }
277 #endif
278
279 else if (chunk_name == png_PLTE)
280 {
281 PNG_PUSH_SAVE_BUFFER_IF_FULL
282 png_handle_PLTE(png_ptr, info_ptr, png_ptr->push_length);
283 }
284
285 else if (chunk_name == png_IDAT)
286 {
287 png_ptr->idat_size = png_ptr->push_length;
288 png_ptr->process_mode = PNG_READ_IDAT_MODE;
289 png_push_have_info(png_ptr, info_ptr);
290 png_ptr->zstream.avail_out =
291 (uInt) PNG_ROWBYTES(png_ptr->pixel_depth,
292 png_ptr->iwidth) + 1;
293 png_ptr->zstream.next_out = png_ptr->row_buf;
294 return;
295 }
296
297 #ifdef PNG_READ_gAMA_SUPPORTED
298 else if (png_ptr->chunk_name == png_gAMA)
299 {
300 PNG_PUSH_SAVE_BUFFER_IF_FULL
301 png_handle_gAMA(png_ptr, info_ptr, png_ptr->push_length);
302 }
303
304 #endif
305 #ifdef PNG_READ_sBIT_SUPPORTED
306 else if (png_ptr->chunk_name == png_sBIT)
307 {
308 PNG_PUSH_SAVE_BUFFER_IF_FULL
309 png_handle_sBIT(png_ptr, info_ptr, png_ptr->push_length);
310 }
311
312 #endif
313 #ifdef PNG_READ_cHRM_SUPPORTED
314 else if (png_ptr->chunk_name == png_cHRM)
315 {
316 PNG_PUSH_SAVE_BUFFER_IF_FULL
317 png_handle_cHRM(png_ptr, info_ptr, png_ptr->push_length);
318 }
319
320 #endif
321 #ifdef PNG_READ_sRGB_SUPPORTED
322 else if (chunk_name == png_sRGB)
323 {
324 PNG_PUSH_SAVE_BUFFER_IF_FULL
325 png_handle_sRGB(png_ptr, info_ptr, png_ptr->push_length);
326 }
327
328 #endif
329 #ifdef PNG_READ_iCCP_SUPPORTED
330 else if (png_ptr->chunk_name == png_iCCP)
331 {
332 PNG_PUSH_SAVE_BUFFER_IF_FULL
333 png_handle_iCCP(png_ptr, info_ptr, png_ptr->push_length);
334 }
335
336 #endif
337 #ifdef PNG_READ_sPLT_SUPPORTED
338 else if (chunk_name == png_sPLT)
339 {
340 PNG_PUSH_SAVE_BUFFER_IF_FULL
341 png_handle_sPLT(png_ptr, info_ptr, png_ptr->push_length);
342 }
343
344 #endif
345 #ifdef PNG_READ_tRNS_SUPPORTED
346 else if (chunk_name == png_tRNS)
347 {
348 PNG_PUSH_SAVE_BUFFER_IF_FULL
349 png_handle_tRNS(png_ptr, info_ptr, png_ptr->push_length);
350 }
351
352 #endif
353 #ifdef PNG_READ_bKGD_SUPPORTED
354 else if (chunk_name == png_bKGD)
355 {
356 PNG_PUSH_SAVE_BUFFER_IF_FULL
357 png_handle_bKGD(png_ptr, info_ptr, png_ptr->push_length);
358 }
359
360 #endif
361 #ifdef PNG_READ_hIST_SUPPORTED
362 else if (chunk_name == png_hIST)
363 {
364 PNG_PUSH_SAVE_BUFFER_IF_FULL
365 png_handle_hIST(png_ptr, info_ptr, png_ptr->push_length);
366 }
367
368 #endif
369 #ifdef PNG_READ_pHYs_SUPPORTED
370 else if (chunk_name == png_pHYs)
371 {
372 PNG_PUSH_SAVE_BUFFER_IF_FULL
373 png_handle_pHYs(png_ptr, info_ptr, png_ptr->push_length);
374 }
375
376 #endif
377 #ifdef PNG_READ_oFFs_SUPPORTED
378 else if (chunk_name == png_oFFs)
379 {
380 PNG_PUSH_SAVE_BUFFER_IF_FULL
381 png_handle_oFFs(png_ptr, info_ptr, png_ptr->push_length);
382 }
383 #endif
384
385 #ifdef PNG_READ_pCAL_SUPPORTED
386 else if (chunk_name == png_pCAL)
387 {
388 PNG_PUSH_SAVE_BUFFER_IF_FULL
389 png_handle_pCAL(png_ptr, info_ptr, png_ptr->push_length);
390 }
391
392 #endif
393 #ifdef PNG_READ_sCAL_SUPPORTED
394 else if (chunk_name == png_sCAL)
395 {
396 PNG_PUSH_SAVE_BUFFER_IF_FULL
397 png_handle_sCAL(png_ptr, info_ptr, png_ptr->push_length);
398 }
399
400 #endif
401 #ifdef PNG_READ_tIME_SUPPORTED
402 else if (chunk_name == png_tIME)
403 {
404 PNG_PUSH_SAVE_BUFFER_IF_FULL
405 png_handle_tIME(png_ptr, info_ptr, png_ptr->push_length);
406 }
407
408 #endif
409 #ifdef PNG_READ_tEXt_SUPPORTED
410 else if (chunk_name == png_tEXt)
411 {
412 PNG_PUSH_SAVE_BUFFER_IF_FULL
413 png_handle_tEXt(png_ptr, info_ptr, png_ptr->push_length);
414 }
415
416 #endif
417 #ifdef PNG_READ_zTXt_SUPPORTED
418 else if (chunk_name == png_zTXt)
419 {
420 PNG_PUSH_SAVE_BUFFER_IF_FULL
421 png_handle_zTXt(png_ptr, info_ptr, png_ptr->push_length);
422 }
423
424 #endif
425 #ifdef PNG_READ_iTXt_SUPPORTED
426 else if (chunk_name == png_iTXt)
427 {
428 PNG_PUSH_SAVE_BUFFER_IF_FULL
429 png_handle_iTXt(png_ptr, info_ptr, png_ptr->push_length);
430 }
431 #endif
432
433 else
434 {
435 PNG_PUSH_SAVE_BUFFER_IF_FULL
436 png_handle_unknown(png_ptr, info_ptr, png_ptr->push_length,
437 PNG_HANDLE_CHUNK_AS_DEFAULT);
438 }
439
440 png_ptr->mode &= ~PNG_HAVE_CHUNK_HEADER;
441 }
442
443 void PNGCBAPI
444 png_push_fill_buffer(png_structp png_ptr, png_bytep buffer, size_t length)
445 {
446 png_bytep ptr;
447
448 if (png_ptr == NULL)
449 return;
450
451 ptr = buffer;
452 if (png_ptr->save_buffer_size != 0)
453 {
454 size_t save_size;
455
456 if (length < png_ptr->save_buffer_size)
457 save_size = length;
458
459 else
460 save_size = png_ptr->save_buffer_size;
461
462 memcpy(ptr, png_ptr->save_buffer_ptr, save_size);
463 length -= save_size;
464 ptr += save_size;
465 png_ptr->buffer_size -= save_size;
466 png_ptr->save_buffer_size -= save_size;
467 png_ptr->save_buffer_ptr += save_size;
468 }
469 if (length != 0 && png_ptr->current_buffer_size != 0)
470 {
471 size_t save_size;
472
473 if (length < png_ptr->current_buffer_size)
474 save_size = length;
475
476 else
477 save_size = png_ptr->current_buffer_size;
478
479 memcpy(ptr, png_ptr->current_buffer_ptr, save_size);
480 png_ptr->buffer_size -= save_size;
481 png_ptr->current_buffer_size -= save_size;
482 png_ptr->current_buffer_ptr += save_size;
483 }
484 }
485
486 void /* PRIVATE */
487 png_push_save_buffer(png_structrp png_ptr)
488 {
489 if (png_ptr->save_buffer_size != 0)
490 {
491 if (png_ptr->save_buffer_ptr != png_ptr->save_buffer)
492 {
493 size_t i, istop;
494 png_bytep sp;
495 png_bytep dp;
496
497 istop = png_ptr->save_buffer_size;
498 for (i = 0, sp = png_ptr->save_buffer_ptr, dp = png_ptr->save_buffer;
499 i < istop; i++, sp++, dp++)
500 {
501 *dp = *sp;
502 }
503 }
504 }
505 if (png_ptr->save_buffer_size + png_ptr->current_buffer_size >
506 png_ptr->save_buffer_max)
507 {
508 size_t new_max;
509 png_bytep old_buffer;
510
511 if (png_ptr->save_buffer_size > PNG_SIZE_MAX -
512 (png_ptr->current_buffer_size + 256))
513 {
514 png_error(png_ptr, "Potential overflow of save_buffer");
515 }
516
517 new_max = png_ptr->save_buffer_size + png_ptr->current_buffer_size + 256;
518 old_buffer = png_ptr->save_buffer;
519 png_ptr->save_buffer = (png_bytep)png_malloc_warn(png_ptr,
520 (size_t)new_max);
521
522 if (png_ptr->save_buffer == NULL)
523 {
524 png_free(png_ptr, old_buffer);
525 png_error(png_ptr, "Insufficient memory for save_buffer");
526 }
527
528 if (old_buffer)
529 memcpy(png_ptr->save_buffer, old_buffer, png_ptr->save_buffer_size);
530 else if (png_ptr->save_buffer_size)
531 png_error(png_ptr, "save_buffer error");
532 png_free(png_ptr, old_buffer);
533 png_ptr->save_buffer_max = new_max;
534 }
535 if (png_ptr->current_buffer_size)
536 {
537 memcpy(png_ptr->save_buffer + png_ptr->save_buffer_size,
538 png_ptr->current_buffer_ptr, png_ptr->current_buffer_size);
539 png_ptr->save_buffer_size += png_ptr->current_buffer_size;
540 png_ptr->current_buffer_size = 0;
541 }
542 png_ptr->save_buffer_ptr = png_ptr->save_buffer;
543 png_ptr->buffer_size = 0;
544 }
545
546 void /* PRIVATE */
547 png_push_restore_buffer(png_structrp png_ptr, png_bytep buffer,
548 size_t buffer_length)
549 {
550 png_ptr->current_buffer = buffer;
551 png_ptr->current_buffer_size = buffer_length;
552 png_ptr->buffer_size = buffer_length + png_ptr->save_buffer_size;
553 png_ptr->current_buffer_ptr = png_ptr->current_buffer;
554 }
555
556 void /* PRIVATE */
557 png_push_read_IDAT(png_structrp png_ptr)
558 {
559 if ((png_ptr->mode & PNG_HAVE_CHUNK_HEADER) == 0)
560 {
561 png_byte chunk_length[4];
562 png_byte chunk_tag[4];
563
564 /* TODO: this code can be commoned up with the same code in push_read */
565 PNG_PUSH_SAVE_BUFFER_IF_LT(8)
566 png_push_fill_buffer(png_ptr, chunk_length, 4);
567 png_ptr->push_length = png_get_uint_31(png_ptr, chunk_length);
568 png_reset_crc(png_ptr);
569 png_crc_read(png_ptr, chunk_tag, 4);
570 png_ptr->chunk_name = PNG_CHUNK_FROM_STRING(chunk_tag);
571 png_ptr->mode |= PNG_HAVE_CHUNK_HEADER;
572
573 if (png_ptr->chunk_name != png_IDAT)
574 {
575 png_ptr->process_mode = PNG_READ_CHUNK_MODE;
576
577 if ((png_ptr->flags & PNG_FLAG_ZSTREAM_ENDED) == 0)
578 png_error(png_ptr, "Not enough compressed data");
579
580 return;
581 }
582
583 png_ptr->idat_size = png_ptr->push_length;
584 }
585
586 if (png_ptr->idat_size != 0 && png_ptr->save_buffer_size != 0)
587 {
588 size_t save_size = png_ptr->save_buffer_size;
589 png_uint_32 idat_size = png_ptr->idat_size;
590
591 /* We want the smaller of 'idat_size' and 'current_buffer_size', but they
592 * are of different types and we don't know which variable has the fewest
593 * bits. Carefully select the smaller and cast it to the type of the
594 * larger - this cannot overflow. Do not cast in the following test - it
595 * will break on either 16-bit or 64-bit platforms.
596 */
597 if (idat_size < save_size)
598 save_size = (size_t)idat_size;
599
600 else
601 idat_size = (png_uint_32)save_size;
602
603 png_calculate_crc(png_ptr, png_ptr->save_buffer_ptr, save_size);
604
605 png_process_IDAT_data(png_ptr, png_ptr->save_buffer_ptr, save_size);
606
607 png_ptr->idat_size -= idat_size;
608 png_ptr->buffer_size -= save_size;
609 png_ptr->save_buffer_size -= save_size;
610 png_ptr->save_buffer_ptr += save_size;
611 }
612
613 if (png_ptr->idat_size != 0 && png_ptr->current_buffer_size != 0)
614 {
615 size_t save_size = png_ptr->current_buffer_size;
616 png_uint_32 idat_size = png_ptr->idat_size;
617
618 /* We want the smaller of 'idat_size' and 'current_buffer_size', but they
619 * are of different types and we don't know which variable has the fewest
620 * bits. Carefully select the smaller and cast it to the type of the
621 * larger - this cannot overflow.
622 */
623 if (idat_size < save_size)
624 save_size = (size_t)idat_size;
625
626 else
627 idat_size = (png_uint_32)save_size;
628
629 png_calculate_crc(png_ptr, png_ptr->current_buffer_ptr, save_size);
630
631 png_process_IDAT_data(png_ptr, png_ptr->current_buffer_ptr, save_size);
632
633 png_ptr->idat_size -= idat_size;
634 png_ptr->buffer_size -= save_size;
635 png_ptr->current_buffer_size -= save_size;
636 png_ptr->current_buffer_ptr += save_size;
637 }
638
639 if (png_ptr->idat_size == 0)
640 {
641 PNG_PUSH_SAVE_BUFFER_IF_LT(4)
642 png_crc_finish(png_ptr, 0);
643 png_ptr->mode &= ~PNG_HAVE_CHUNK_HEADER;
644 png_ptr->mode |= PNG_AFTER_IDAT;
645 png_ptr->zowner = 0;
646 }
647 }
648
649 void /* PRIVATE */
650 png_process_IDAT_data(png_structrp png_ptr, png_bytep buffer,
651 size_t buffer_length)
652 {
653 /* The caller checks for a non-zero buffer length. */
654 if (!(buffer_length > 0) || buffer == NULL)
655 png_error(png_ptr, "No IDAT data (internal error)");
656
657 /* This routine must process all the data it has been given
658 * before returning, calling the row callback as required to
659 * handle the uncompressed results.
660 */
661 png_ptr->zstream.next_in = buffer;
662 /* TODO: WARNING: TRUNCATION ERROR: DANGER WILL ROBINSON: */
663 png_ptr->zstream.avail_in = (uInt)buffer_length;
664
665 /* Keep going until the decompressed data is all processed
666 * or the stream marked as finished.
667 */
668 while (png_ptr->zstream.avail_in > 0 &&
669 (png_ptr->flags & PNG_FLAG_ZSTREAM_ENDED) == 0)
670 {
671 int ret;
672
673 /* We have data for zlib, but we must check that zlib
674 * has someplace to put the results. It doesn't matter
675 * if we don't expect any results -- it may be the input
676 * data is just the LZ end code.
677 */
678 if (!(png_ptr->zstream.avail_out > 0))
679 {
680 /* TODO: WARNING: TRUNCATION ERROR: DANGER WILL ROBINSON: */
681 png_ptr->zstream.avail_out = (uInt)(PNG_ROWBYTES(png_ptr->pixel_depth,
682 png_ptr->iwidth) + 1);
683
684 png_ptr->zstream.next_out = png_ptr->row_buf;
685 }
686
687 /* Using Z_SYNC_FLUSH here means that an unterminated
688 * LZ stream (a stream with a missing end code) can still
689 * be handled, otherwise (Z_NO_FLUSH) a future zlib
690 * implementation might defer output and therefore
691 * change the current behavior (see comments in inflate.c
692 * for why this doesn't happen at present with zlib 1.2.5).
693 */
694 ret = PNG_INFLATE(png_ptr, Z_SYNC_FLUSH);
695
696 /* Check for any failure before proceeding. */
697 if (ret != Z_OK && ret != Z_STREAM_END)
698 {
699 /* Terminate the decompression. */
700 png_ptr->flags |= PNG_FLAG_ZSTREAM_ENDED;
701 png_ptr->zowner = 0;
702
703 /* This may be a truncated stream (missing or
704 * damaged end code). Treat that as a warning.
705 */
706 if (png_ptr->row_number >= png_ptr->num_rows ||
707 png_ptr->pass > 6)
708 png_warning(png_ptr, "Truncated compressed data in IDAT");
709
710 else
711 {
712 if (ret == Z_DATA_ERROR)
713 png_benign_error(png_ptr, "IDAT: ADLER32 checksum mismatch");
714 else
715 png_error(png_ptr, "Decompression error in IDAT");
716 }
717
718 /* Skip the check on unprocessed input */
719 return;
720 }
721
722 /* Did inflate output any data? */
723 if (png_ptr->zstream.next_out != png_ptr->row_buf)
724 {
725 /* Is this unexpected data after the last row?
726 * If it is, artificially terminate the LZ output
727 * here.
728 */
729 if (png_ptr->row_number >= png_ptr->num_rows ||
730 png_ptr->pass > 6)
731 {
732 /* Extra data. */
733 png_warning(png_ptr, "Extra compressed data in IDAT");
734 png_ptr->flags |= PNG_FLAG_ZSTREAM_ENDED;
735 png_ptr->zowner = 0;
736
737 /* Do no more processing; skip the unprocessed
738 * input check below.
739 */
740 return;
741 }
742
743 /* Do we have a complete row? */
744 if (png_ptr->zstream.avail_out == 0)
745 png_push_process_row(png_ptr);
746 }
747
748 /* And check for the end of the stream. */
749 if (ret == Z_STREAM_END)
750 png_ptr->flags |= PNG_FLAG_ZSTREAM_ENDED;
751 }
752
753 /* All the data should have been processed, if anything
754 * is left at this point we have bytes of IDAT data
755 * after the zlib end code.
756 */
757 if (png_ptr->zstream.avail_in > 0)
758 png_warning(png_ptr, "Extra compression data in IDAT");
759 }
760
761 void /* PRIVATE */
762 png_push_process_row(png_structrp png_ptr)
763 {
764 /* 1.5.6: row_info moved out of png_struct to a local here. */
765 png_row_info row_info;
766
767 row_info.width = png_ptr->iwidth; /* NOTE: width of current interlaced row */
768 row_info.color_type = png_ptr->color_type;
769 row_info.bit_depth = png_ptr->bit_depth;
770 row_info.channels = png_ptr->channels;
771 row_info.pixel_depth = png_ptr->pixel_depth;
772 row_info.rowbytes = PNG_ROWBYTES(row_info.pixel_depth, row_info.width);
773
774 if (png_ptr->row_buf[0] > PNG_FILTER_VALUE_NONE)
775 {
776 if (png_ptr->row_buf[0] < PNG_FILTER_VALUE_LAST)
777 png_read_filter_row(png_ptr, &row_info, png_ptr->row_buf + 1,
778 png_ptr->prev_row + 1, png_ptr->row_buf[0]);
779 else
780 png_error(png_ptr, "bad adaptive filter value");
781 }
782
783 /* libpng 1.5.6: the following line was copying png_ptr->rowbytes before
784 * 1.5.6, while the buffer really is this big in current versions of libpng
785 * it may not be in the future, so this was changed just to copy the
786 * interlaced row count:
787 */
788 memcpy(png_ptr->prev_row, png_ptr->row_buf, row_info.rowbytes + 1);
789
790 #ifdef PNG_READ_TRANSFORMS_SUPPORTED
791 if (png_ptr->transformations != 0)
792 png_do_read_transformations(png_ptr, &row_info);
793 #endif
794
795 /* The transformed pixel depth should match the depth now in row_info. */
796 if (png_ptr->transformed_pixel_depth == 0)
797 {
798 png_ptr->transformed_pixel_depth = row_info.pixel_depth;
799 if (row_info.pixel_depth > png_ptr->maximum_pixel_depth)
800 png_error(png_ptr, "progressive row overflow");
801 }
802
803 else if (png_ptr->transformed_pixel_depth != row_info.pixel_depth)
804 png_error(png_ptr, "internal progressive row size calculation error");
805
806
807 #ifdef PNG_READ_INTERLACING_SUPPORTED
808 /* Expand interlaced rows to full size */
809 if (png_ptr->interlaced != 0 &&
810 (png_ptr->transformations & PNG_INTERLACE) != 0)
811 {
812 if (png_ptr->pass < 6)
813 png_do_read_interlace(&row_info, png_ptr->row_buf + 1, png_ptr->pass,
814 png_ptr->transformations);
815
816 switch (png_ptr->pass)
817 {
818 case 0:
819 {
820 int i;
821 for (i = 0; i < 8 && png_ptr->pass == 0; i++)
822 {
823 png_push_have_row(png_ptr, png_ptr->row_buf + 1);
824 png_read_push_finish_row(png_ptr); /* Updates png_ptr->pass */
825 }
826
827 if (png_ptr->pass == 2) /* Pass 1 might be empty */
828 {
829 for (i = 0; i < 4 && png_ptr->pass == 2; i++)
830 {
831 png_push_have_row(png_ptr, NULL);
832 png_read_push_finish_row(png_ptr);
833 }
834 }
835
836 if (png_ptr->pass == 4 && png_ptr->height <= 4)
837 {
838 for (i = 0; i < 2 && png_ptr->pass == 4; i++)
839 {
840 png_push_have_row(png_ptr, NULL);
841 png_read_push_finish_row(png_ptr);
842 }
843 }
844
845 if (png_ptr->pass == 6 && png_ptr->height <= 4)
846 {
847 png_push_have_row(png_ptr, NULL);
848 png_read_push_finish_row(png_ptr);
849 }
850
851 break;
852 }
853
854 case 1:
855 {
856 int i;
857 for (i = 0; i < 8 && png_ptr->pass == 1; i++)
858 {
859 png_push_have_row(png_ptr, png_ptr->row_buf + 1);
860 png_read_push_finish_row(png_ptr);
861 }
862
863 if (png_ptr->pass == 2) /* Skip top 4 generated rows */
864 {
865 for (i = 0; i < 4 && png_ptr->pass == 2; i++)
866 {
867 png_push_have_row(png_ptr, NULL);
868 png_read_push_finish_row(png_ptr);
869 }
870 }
871
872 break;
873 }
874
875 case 2:
876 {
877 int i;
878
879 for (i = 0; i < 4 && png_ptr->pass == 2; i++)
880 {
881 png_push_have_row(png_ptr, png_ptr->row_buf + 1);
882 png_read_push_finish_row(png_ptr);
883 }
884
885 for (i = 0; i < 4 && png_ptr->pass == 2; i++)
886 {
887 png_push_have_row(png_ptr, NULL);
888 png_read_push_finish_row(png_ptr);
889 }
890
891 if (png_ptr->pass == 4) /* Pass 3 might be empty */
892 {
893 for (i = 0; i < 2 && png_ptr->pass == 4; i++)
894 {
895 png_push_have_row(png_ptr, NULL);
896 png_read_push_finish_row(png_ptr);
897 }
898 }
899
900 break;
901 }
902
903 case 3:
904 {
905 int i;
906
907 for (i = 0; i < 4 && png_ptr->pass == 3; i++)
908 {
909 png_push_have_row(png_ptr, png_ptr->row_buf + 1);
910 png_read_push_finish_row(png_ptr);
911 }
912
913 if (png_ptr->pass == 4) /* Skip top two generated rows */
914 {
915 for (i = 0; i < 2 && png_ptr->pass == 4; i++)
916 {
917 png_push_have_row(png_ptr, NULL);
918 png_read_push_finish_row(png_ptr);
919 }
920 }
921
922 break;
923 }
924
925 case 4:
926 {
927 int i;
928
929 for (i = 0; i < 2 && png_ptr->pass == 4; i++)
930 {
931 png_push_have_row(png_ptr, png_ptr->row_buf + 1);
932 png_read_push_finish_row(png_ptr);
933 }
934
935 for (i = 0; i < 2 && png_ptr->pass == 4; i++)
936 {
937 png_push_have_row(png_ptr, NULL);
938 png_read_push_finish_row(png_ptr);
939 }
940
941 if (png_ptr->pass == 6) /* Pass 5 might be empty */
942 {
943 png_push_have_row(png_ptr, NULL);
944 png_read_push_finish_row(png_ptr);
945 }
946
947 break;
948 }
949
950 case 5:
951 {
952 int i;
953
954 for (i = 0; i < 2 && png_ptr->pass == 5; i++)
955 {
956 png_push_have_row(png_ptr, png_ptr->row_buf + 1);
957 png_read_push_finish_row(png_ptr);
958 }
959
960 if (png_ptr->pass == 6) /* Skip top generated row */
961 {
962 png_push_have_row(png_ptr, NULL);
963 png_read_push_finish_row(png_ptr);
964 }
965
966 break;
967 }
968
969 default:
970 case 6:
971 {
972 png_push_have_row(png_ptr, png_ptr->row_buf + 1);
973 png_read_push_finish_row(png_ptr);
974
975 if (png_ptr->pass != 6)
976 break;
977
978 png_push_have_row(png_ptr, NULL);
979 png_read_push_finish_row(png_ptr);
980 }
981 }
982 }
983 else
984 #endif
985 {
986 png_push_have_row(png_ptr, png_ptr->row_buf + 1);
987 png_read_push_finish_row(png_ptr);
988 }
989 }
990
991 void /* PRIVATE */
992 png_read_push_finish_row(png_structrp png_ptr)
993 {
994 #ifdef PNG_READ_INTERLACING_SUPPORTED
995 /* Arrays to facilitate easy interlacing - use pass (0 - 6) as index */
996
997 /* Start of interlace block */
998 static const png_byte png_pass_start[] = {0, 4, 0, 2, 0, 1, 0};
999
1000 /* Offset to next interlace block */
1001 static const png_byte png_pass_inc[] = {8, 8, 4, 4, 2, 2, 1};
1002
1003 /* Start of interlace block in the y direction */
1004 static const png_byte png_pass_ystart[] = {0, 0, 4, 0, 2, 0, 1};
1005
1006 /* Offset to next interlace block in the y direction */
1007 static const png_byte png_pass_yinc[] = {8, 8, 8, 4, 4, 2, 2};
1008
1009 /* Height of interlace block. This is not currently used - if you need
1010 * it, uncomment it here and in png.h
1011 static const png_byte png_pass_height[] = {8, 8, 4, 4, 2, 2, 1};
1012 */
1013 #endif
1014
1015 png_ptr->row_number++;
1016 if (png_ptr->row_number < png_ptr->num_rows)
1017 return;
1018
1019 #ifdef PNG_READ_INTERLACING_SUPPORTED
1020 if (png_ptr->interlaced != 0)
1021 {
1022 png_ptr->row_number = 0;
1023 memset(png_ptr->prev_row, 0, png_ptr->rowbytes + 1);
1024
1025 do
1026 {
1027 png_ptr->pass++;
1028 if ((png_ptr->pass == 1 && png_ptr->width < 5) ||
1029 (png_ptr->pass == 3 && png_ptr->width < 3) ||
1030 (png_ptr->pass == 5 && png_ptr->width < 2))
1031 png_ptr->pass++;
1032
1033 if (png_ptr->pass > 7)
1034 png_ptr->pass--;
1035
1036 if (png_ptr->pass >= 7)
1037 break;
1038
1039 png_ptr->iwidth = (png_ptr->width +
1040 png_pass_inc[png_ptr->pass] - 1 -
1041 png_pass_start[png_ptr->pass]) /
1042 png_pass_inc[png_ptr->pass];
1043
1044 if ((png_ptr->transformations & PNG_INTERLACE) != 0)
1045 break;
1046
1047 png_ptr->num_rows = (png_ptr->height +
1048 png_pass_yinc[png_ptr->pass] - 1 -
1049 png_pass_ystart[png_ptr->pass]) /
1050 png_pass_yinc[png_ptr->pass];
1051
1052 } while (png_ptr->iwidth == 0 || png_ptr->num_rows == 0);
1053 }
1054 #endif /* READ_INTERLACING */
1055 }
1056
1057 void /* PRIVATE */
1058 png_push_have_info(png_structrp png_ptr, png_inforp info_ptr)
1059 {
1060 if (png_ptr->info_fn != NULL)
1061 (*(png_ptr->info_fn))(png_ptr, info_ptr);
1062 }
1063
1064 void /* PRIVATE */
1065 png_push_have_end(png_structrp png_ptr, png_inforp info_ptr)
1066 {
1067 if (png_ptr->end_fn != NULL)
1068 (*(png_ptr->end_fn))(png_ptr, info_ptr);
1069 }
1070
1071 void /* PRIVATE */
1072 png_push_have_row(png_structrp png_ptr, png_bytep row)
1073 {
1074 if (png_ptr->row_fn != NULL)
1075 (*(png_ptr->row_fn))(png_ptr, row, png_ptr->row_number,
1076 (int)png_ptr->pass);
1077 }
1078
1079 #ifdef PNG_READ_INTERLACING_SUPPORTED
1080 void PNGAPI
1081 png_progressive_combine_row(png_const_structrp png_ptr, png_bytep old_row,
1082 png_const_bytep new_row)
1083 {
1084 if (png_ptr == NULL)
1085 return;
1086
1087 /* new_row is a flag here - if it is NULL then the app callback was called
1088 * from an empty row (see the calls to png_struct::row_fn below), otherwise
1089 * it must be png_ptr->row_buf+1
1090 */
1091 if (new_row != NULL)
1092 png_combine_row(png_ptr, old_row, 1/*blocky display*/);
1093 }
1094 #endif /* READ_INTERLACING */
1095
1096 void PNGAPI
1097 png_set_progressive_read_fn(png_structrp png_ptr, png_voidp progressive_ptr,
1098 png_progressive_info_ptr info_fn, png_progressive_row_ptr row_fn,
1099 png_progressive_end_ptr end_fn)
1100 {
1101 if (png_ptr == NULL)
1102 return;
1103
1104 png_ptr->info_fn = info_fn;
1105 png_ptr->row_fn = row_fn;
1106 png_ptr->end_fn = end_fn;
1107
1108 png_set_read_fn(png_ptr, progressive_ptr, png_push_fill_buffer);
1109 }
1110
1111 png_voidp PNGAPI
1112 png_get_progressive_ptr(png_const_structrp png_ptr)
1113 {
1114 if (png_ptr == NULL)
1115 return (NULL);
1116
1117 return png_ptr->io_ptr;
1118 }
1119 #endif /* PROGRESSIVE_READ */