1 /* 2 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 3 * 4 * This code is free software; you can redistribute it and/or modify it 5 * under the terms of the GNU General Public License version 2 only, as 6 * published by the Free Software Foundation. Oracle designates this 7 * particular file as subject to the "Classpath" exception as provided 8 * by Oracle in the LICENSE file that accompanied this code. 9 * 10 * This code is distributed in the hope that it will be useful, but WITHOUT 11 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 12 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 13 * version 2 for more details (a copy is included in the LICENSE file that 14 * accompanied this code). 15 * 16 * You should have received a copy of the GNU General Public License version 17 * 2 along with this work; if not, write to the Free Software Foundation, 18 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 19 * 20 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA 21 * or visit www.oracle.com if you need additional information or have any 22 * questions. 23 */ 24 25 /* png.c - location for general purpose libpng functions 26 * 27 * This file is available under and governed by the GNU General Public 28 * License version 2 only, as published by the Free Software Foundation. 29 * However, the following notice accompanied the original version of this 30 * file and, per its terms, should not be removed: 31 * 32 * Last changed in libpng 1.6.33 [September 28, 2017] 33 * Copyright (c) 1998-2002,2004,2006-2017 Glenn Randers-Pehrson 34 * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger) 35 * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.) 36 * 37 * This code is released under the libpng license. 38 * For conditions of distribution and use, see the disclaimer 39 * and license in png.h 40 */ 41 42 #include "pngpriv.h" 43 44 /* Generate a compiler error if there is an old png.h in the search path. */ 45 typedef png_libpng_version_1_6_34 Your_png_h_is_not_version_1_6_34; 46 47 #ifdef __GNUC__ 48 /* The version tests may need to be added to, but the problem warning has 49 * consistently been fixed in GCC versions which obtain wide-spread release. 50 * The problem is that many versions of GCC rearrange comparison expressions in 51 * the optimizer in such a way that the results of the comparison will change 52 * if signed integer overflow occurs. Such comparisons are not permitted in 53 * ANSI C90, however GCC isn't clever enough to work out that that do not occur 54 * below in png_ascii_from_fp and png_muldiv, so it produces a warning with 55 * -Wextra. Unfortunately this is highly dependent on the optimizer and the 56 * machine architecture so the warning comes and goes unpredictably and is 57 * impossible to "fix", even were that a good idea. 58 */ 59 #if __GNUC__ == 7 && __GNUC_MINOR__ == 1 60 #define GCC_STRICT_OVERFLOW 1 61 #endif /* GNU 7.1.x */ 62 #endif /* GNU */ 63 #ifndef GCC_STRICT_OVERFLOW 64 #define GCC_STRICT_OVERFLOW 0 65 #endif 66 67 /* Tells libpng that we have already handled the first "num_bytes" bytes 68 * of the PNG file signature. If the PNG data is embedded into another 69 * stream we can set num_bytes = 8 so that libpng will not attempt to read 70 * or write any of the magic bytes before it starts on the IHDR. 71 */ 72 73 #ifdef PNG_READ_SUPPORTED 74 void PNGAPI 75 png_set_sig_bytes(png_structrp png_ptr, int num_bytes) 76 { 77 unsigned int nb = (unsigned int)num_bytes; 78 79 png_debug(1, "in png_set_sig_bytes"); 80 81 if (png_ptr == NULL) 82 return; 83 84 if (num_bytes < 0) 85 nb = 0; 86 87 if (nb > 8) 88 png_error(png_ptr, "Too many bytes for PNG signature"); 89 90 png_ptr->sig_bytes = (png_byte)nb; 91 } 92 93 /* Checks whether the supplied bytes match the PNG signature. We allow 94 * checking less than the full 8-byte signature so that those apps that 95 * already read the first few bytes of a file to determine the file type 96 * can simply check the remaining bytes for extra assurance. Returns 97 * an integer less than, equal to, or greater than zero if sig is found, 98 * respectively, to be less than, to match, or be greater than the correct 99 * PNG signature (this is the same behavior as strcmp, memcmp, etc). 100 */ 101 int PNGAPI 102 png_sig_cmp(png_const_bytep sig, png_size_t start, png_size_t num_to_check) 103 { 104 png_byte png_signature[8] = {137, 80, 78, 71, 13, 10, 26, 10}; 105 106 if (num_to_check > 8) 107 num_to_check = 8; 108 109 else if (num_to_check < 1) 110 return (-1); 111 112 if (start > 7) 113 return (-1); 114 115 if (start + num_to_check > 8) 116 num_to_check = 8 - start; 117 118 return ((int)(memcmp(&sig[start], &png_signature[start], num_to_check))); 119 } 120 121 #endif /* READ */ 122 123 #if defined(PNG_READ_SUPPORTED) || defined(PNG_WRITE_SUPPORTED) 124 /* Function to allocate memory for zlib */ 125 PNG_FUNCTION(voidpf /* PRIVATE */, 126 png_zalloc,(voidpf png_ptr, uInt items, uInt size),PNG_ALLOCATED) 127 { 128 png_alloc_size_t num_bytes = size; 129 130 if (png_ptr == NULL) 131 return NULL; 132 133 if (items >= (~(png_alloc_size_t)0)/size) 134 { 135 png_warning (png_voidcast(png_structrp, png_ptr), 136 "Potential overflow in png_zalloc()"); 137 return NULL; 138 } 139 140 num_bytes *= items; 141 return png_malloc_warn(png_voidcast(png_structrp, png_ptr), num_bytes); 142 } 143 144 /* Function to free memory for zlib */ 145 void /* PRIVATE */ 146 png_zfree(voidpf png_ptr, voidpf ptr) 147 { 148 png_free(png_voidcast(png_const_structrp,png_ptr), ptr); 149 } 150 151 /* Reset the CRC variable to 32 bits of 1's. Care must be taken 152 * in case CRC is > 32 bits to leave the top bits 0. 153 */ 154 void /* PRIVATE */ 155 png_reset_crc(png_structrp png_ptr) 156 { 157 /* The cast is safe because the crc is a 32-bit value. */ 158 png_ptr->crc = (png_uint_32)crc32(0, Z_NULL, 0); 159 } 160 161 /* Calculate the CRC over a section of data. We can only pass as 162 * much data to this routine as the largest single buffer size. We 163 * also check that this data will actually be used before going to the 164 * trouble of calculating it. 165 */ 166 void /* PRIVATE */ 167 png_calculate_crc(png_structrp png_ptr, png_const_bytep ptr, png_size_t length) 168 { 169 int need_crc = 1; 170 171 if (PNG_CHUNK_ANCILLARY(png_ptr->chunk_name) != 0) 172 { 173 if ((png_ptr->flags & PNG_FLAG_CRC_ANCILLARY_MASK) == 174 (PNG_FLAG_CRC_ANCILLARY_USE | PNG_FLAG_CRC_ANCILLARY_NOWARN)) 175 need_crc = 0; 176 } 177 178 else /* critical */ 179 { 180 if ((png_ptr->flags & PNG_FLAG_CRC_CRITICAL_IGNORE) != 0) 181 need_crc = 0; 182 } 183 184 /* 'uLong' is defined in zlib.h as unsigned long; this means that on some 185 * systems it is a 64-bit value. crc32, however, returns 32 bits so the 186 * following cast is safe. 'uInt' may be no more than 16 bits, so it is 187 * necessary to perform a loop here. 188 */ 189 if (need_crc != 0 && length > 0) 190 { 191 uLong crc = png_ptr->crc; /* Should never issue a warning */ 192 193 do 194 { 195 uInt safe_length = (uInt)length; 196 #ifndef __COVERITY__ 197 if (safe_length == 0) 198 safe_length = (uInt)-1; /* evil, but safe */ 199 #endif 200 201 crc = crc32(crc, ptr, safe_length); 202 203 /* The following should never issue compiler warnings; if they do the 204 * target system has characteristics that will probably violate other 205 * assumptions within the libpng code. 206 */ 207 ptr += safe_length; 208 length -= safe_length; 209 } 210 while (length > 0); 211 212 /* And the following is always safe because the crc is only 32 bits. */ 213 png_ptr->crc = (png_uint_32)crc; 214 } 215 } 216 217 /* Check a user supplied version number, called from both read and write 218 * functions that create a png_struct. 219 */ 220 int 221 png_user_version_check(png_structrp png_ptr, png_const_charp user_png_ver) 222 { 223 /* Libpng versions 1.0.0 and later are binary compatible if the version 224 * string matches through the second '.'; we must recompile any 225 * applications that use any older library version. 226 */ 227 228 if (user_png_ver != NULL) 229 { 230 int i = -1; 231 int found_dots = 0; 232 233 do 234 { 235 i++; 236 if (user_png_ver[i] != PNG_LIBPNG_VER_STRING[i]) 237 png_ptr->flags |= PNG_FLAG_LIBRARY_MISMATCH; 238 if (user_png_ver[i] == '.') 239 found_dots++; 240 } while (found_dots < 2 && user_png_ver[i] != 0 && 241 PNG_LIBPNG_VER_STRING[i] != 0); 242 } 243 244 else 245 png_ptr->flags |= PNG_FLAG_LIBRARY_MISMATCH; 246 247 if ((png_ptr->flags & PNG_FLAG_LIBRARY_MISMATCH) != 0) 248 { 249 #ifdef PNG_WARNINGS_SUPPORTED 250 size_t pos = 0; 251 char m[128]; 252 253 pos = png_safecat(m, (sizeof m), pos, 254 "Application built with libpng-"); 255 pos = png_safecat(m, (sizeof m), pos, user_png_ver); 256 pos = png_safecat(m, (sizeof m), pos, " but running with "); 257 pos = png_safecat(m, (sizeof m), pos, PNG_LIBPNG_VER_STRING); 258 PNG_UNUSED(pos) 259 260 png_warning(png_ptr, m); 261 #endif 262 263 #ifdef PNG_ERROR_NUMBERS_SUPPORTED 264 png_ptr->flags = 0; 265 #endif 266 267 return 0; 268 } 269 270 /* Success return. */ 271 return 1; 272 } 273 274 /* Generic function to create a png_struct for either read or write - this 275 * contains the common initialization. 276 */ 277 PNG_FUNCTION(png_structp /* PRIVATE */, 278 png_create_png_struct,(png_const_charp user_png_ver, png_voidp error_ptr, 279 png_error_ptr error_fn, png_error_ptr warn_fn, png_voidp mem_ptr, 280 png_malloc_ptr malloc_fn, png_free_ptr free_fn),PNG_ALLOCATED) 281 { 282 png_struct create_struct; 283 # ifdef PNG_SETJMP_SUPPORTED 284 jmp_buf create_jmp_buf; 285 # endif 286 287 /* This temporary stack-allocated structure is used to provide a place to 288 * build enough context to allow the user provided memory allocator (if any) 289 * to be called. 290 */ 291 memset(&create_struct, 0, (sizeof create_struct)); 292 293 /* Added at libpng-1.2.6 */ 294 # ifdef PNG_USER_LIMITS_SUPPORTED 295 create_struct.user_width_max = PNG_USER_WIDTH_MAX; 296 create_struct.user_height_max = PNG_USER_HEIGHT_MAX; 297 298 # ifdef PNG_USER_CHUNK_CACHE_MAX 299 /* Added at libpng-1.2.43 and 1.4.0 */ 300 create_struct.user_chunk_cache_max = PNG_USER_CHUNK_CACHE_MAX; 301 # endif 302 303 # ifdef PNG_USER_CHUNK_MALLOC_MAX 304 /* Added at libpng-1.2.43 and 1.4.1, required only for read but exists 305 * in png_struct regardless. 306 */ 307 create_struct.user_chunk_malloc_max = PNG_USER_CHUNK_MALLOC_MAX; 308 # endif 309 # endif 310 311 /* The following two API calls simply set fields in png_struct, so it is safe 312 * to do them now even though error handling is not yet set up. 313 */ 314 # ifdef PNG_USER_MEM_SUPPORTED 315 png_set_mem_fn(&create_struct, mem_ptr, malloc_fn, free_fn); 316 # else 317 PNG_UNUSED(mem_ptr) 318 PNG_UNUSED(malloc_fn) 319 PNG_UNUSED(free_fn) 320 # endif 321 322 /* (*error_fn) can return control to the caller after the error_ptr is set, 323 * this will result in a memory leak unless the error_fn does something 324 * extremely sophisticated. The design lacks merit but is implicit in the 325 * API. 326 */ 327 png_set_error_fn(&create_struct, error_ptr, error_fn, warn_fn); 328 329 # ifdef PNG_SETJMP_SUPPORTED 330 if (!setjmp(create_jmp_buf)) 331 # endif 332 { 333 # ifdef PNG_SETJMP_SUPPORTED 334 /* Temporarily fake out the longjmp information until we have 335 * successfully completed this function. This only works if we have 336 * setjmp() support compiled in, but it is safe - this stuff should 337 * never happen. 338 */ 339 create_struct.jmp_buf_ptr = &create_jmp_buf; 340 create_struct.jmp_buf_size = 0; /*stack allocation*/ 341 create_struct.longjmp_fn = longjmp; 342 # endif 343 /* Call the general version checker (shared with read and write code): 344 */ 345 if (png_user_version_check(&create_struct, user_png_ver) != 0) 346 { 347 png_structrp png_ptr = png_voidcast(png_structrp, 348 png_malloc_warn(&create_struct, (sizeof *png_ptr))); 349 350 if (png_ptr != NULL) 351 { 352 /* png_ptr->zstream holds a back-pointer to the png_struct, so 353 * this can only be done now: 354 */ 355 create_struct.zstream.zalloc = png_zalloc; 356 create_struct.zstream.zfree = png_zfree; 357 create_struct.zstream.opaque = png_ptr; 358 359 # ifdef PNG_SETJMP_SUPPORTED 360 /* Eliminate the local error handling: */ 361 create_struct.jmp_buf_ptr = NULL; 362 create_struct.jmp_buf_size = 0; 363 create_struct.longjmp_fn = 0; 364 # endif 365 366 *png_ptr = create_struct; 367 368 /* This is the successful return point */ 369 return png_ptr; 370 } 371 } 372 } 373 374 /* A longjmp because of a bug in the application storage allocator or a 375 * simple failure to allocate the png_struct. 376 */ 377 return NULL; 378 } 379 380 /* Allocate the memory for an info_struct for the application. */ 381 PNG_FUNCTION(png_infop,PNGAPI 382 png_create_info_struct,(png_const_structrp png_ptr),PNG_ALLOCATED) 383 { 384 png_inforp info_ptr; 385 386 png_debug(1, "in png_create_info_struct"); 387 388 if (png_ptr == NULL) 389 return NULL; 390 391 /* Use the internal API that does not (or at least should not) error out, so 392 * that this call always returns ok. The application typically sets up the 393 * error handling *after* creating the info_struct because this is the way it 394 * has always been done in 'example.c'. 395 */ 396 info_ptr = png_voidcast(png_inforp, png_malloc_base(png_ptr, 397 (sizeof *info_ptr))); 398 399 if (info_ptr != NULL) 400 memset(info_ptr, 0, (sizeof *info_ptr)); 401 402 return info_ptr; 403 } 404 405 /* This function frees the memory associated with a single info struct. 406 * Normally, one would use either png_destroy_read_struct() or 407 * png_destroy_write_struct() to free an info struct, but this may be 408 * useful for some applications. From libpng 1.6.0 this function is also used 409 * internally to implement the png_info release part of the 'struct' destroy 410 * APIs. This ensures that all possible approaches free the same data (all of 411 * it). 412 */ 413 void PNGAPI 414 png_destroy_info_struct(png_const_structrp png_ptr, png_infopp info_ptr_ptr) 415 { 416 png_inforp info_ptr = NULL; 417 418 png_debug(1, "in png_destroy_info_struct"); 419 420 if (png_ptr == NULL) 421 return; 422 423 if (info_ptr_ptr != NULL) 424 info_ptr = *info_ptr_ptr; 425 426 if (info_ptr != NULL) 427 { 428 /* Do this first in case of an error below; if the app implements its own 429 * memory management this can lead to png_free calling png_error, which 430 * will abort this routine and return control to the app error handler. 431 * An infinite loop may result if it then tries to free the same info 432 * ptr. 433 */ 434 *info_ptr_ptr = NULL; 435 436 png_free_data(png_ptr, info_ptr, PNG_FREE_ALL, -1); 437 memset(info_ptr, 0, (sizeof *info_ptr)); 438 png_free(png_ptr, info_ptr); 439 } 440 } 441 442 /* Initialize the info structure. This is now an internal function (0.89) 443 * and applications using it are urged to use png_create_info_struct() 444 * instead. Use deprecated in 1.6.0, internal use removed (used internally it 445 * is just a memset). 446 * 447 * NOTE: it is almost inconceivable that this API is used because it bypasses 448 * the user-memory mechanism and the user error handling/warning mechanisms in 449 * those cases where it does anything other than a memset. 450 */ 451 PNG_FUNCTION(void,PNGAPI 452 png_info_init_3,(png_infopp ptr_ptr, png_size_t png_info_struct_size), 453 PNG_DEPRECATED) 454 { 455 png_inforp info_ptr = *ptr_ptr; 456 457 png_debug(1, "in png_info_init_3"); 458 459 if (info_ptr == NULL) 460 return; 461 462 if ((sizeof (png_info)) > png_info_struct_size) 463 { 464 *ptr_ptr = NULL; 465 /* The following line is why this API should not be used: */ 466 free(info_ptr); 467 info_ptr = png_voidcast(png_inforp, png_malloc_base(NULL, 468 (sizeof *info_ptr))); 469 if (info_ptr == NULL) 470 return; 471 *ptr_ptr = info_ptr; 472 } 473 474 /* Set everything to 0 */ 475 memset(info_ptr, 0, (sizeof *info_ptr)); 476 } 477 478 /* The following API is not called internally */ 479 void PNGAPI 480 png_data_freer(png_const_structrp png_ptr, png_inforp info_ptr, 481 int freer, png_uint_32 mask) 482 { 483 png_debug(1, "in png_data_freer"); 484 485 if (png_ptr == NULL || info_ptr == NULL) 486 return; 487 488 if (freer == PNG_DESTROY_WILL_FREE_DATA) 489 info_ptr->free_me |= mask; 490 491 else if (freer == PNG_USER_WILL_FREE_DATA) 492 info_ptr->free_me &= ~mask; 493 494 else 495 png_error(png_ptr, "Unknown freer parameter in png_data_freer"); 496 } 497 498 void PNGAPI 499 png_free_data(png_const_structrp png_ptr, png_inforp info_ptr, png_uint_32 mask, 500 int num) 501 { 502 png_debug(1, "in png_free_data"); 503 504 if (png_ptr == NULL || info_ptr == NULL) 505 return; 506 507 #ifdef PNG_TEXT_SUPPORTED 508 /* Free text item num or (if num == -1) all text items */ 509 if (info_ptr->text != NULL && 510 ((mask & PNG_FREE_TEXT) & info_ptr->free_me) != 0) 511 { 512 if (num != -1) 513 { 514 png_free(png_ptr, info_ptr->text[num].key); 515 info_ptr->text[num].key = NULL; 516 } 517 518 else 519 { 520 int i; 521 522 for (i = 0; i < info_ptr->num_text; i++) 523 png_free(png_ptr, info_ptr->text[i].key); 524 525 png_free(png_ptr, info_ptr->text); 526 info_ptr->text = NULL; 527 info_ptr->num_text = 0; 528 info_ptr->max_text = 0; 529 } 530 } 531 #endif 532 533 #ifdef PNG_tRNS_SUPPORTED 534 /* Free any tRNS entry */ 535 if (((mask & PNG_FREE_TRNS) & info_ptr->free_me) != 0) 536 { 537 info_ptr->valid &= ~PNG_INFO_tRNS; 538 png_free(png_ptr, info_ptr->trans_alpha); 539 info_ptr->trans_alpha = NULL; 540 info_ptr->num_trans = 0; 541 } 542 #endif 543 544 #ifdef PNG_sCAL_SUPPORTED 545 /* Free any sCAL entry */ 546 if (((mask & PNG_FREE_SCAL) & info_ptr->free_me) != 0) 547 { 548 png_free(png_ptr, info_ptr->scal_s_width); 549 png_free(png_ptr, info_ptr->scal_s_height); 550 info_ptr->scal_s_width = NULL; 551 info_ptr->scal_s_height = NULL; 552 info_ptr->valid &= ~PNG_INFO_sCAL; 553 } 554 #endif 555 556 #ifdef PNG_pCAL_SUPPORTED 557 /* Free any pCAL entry */ 558 if (((mask & PNG_FREE_PCAL) & info_ptr->free_me) != 0) 559 { 560 png_free(png_ptr, info_ptr->pcal_purpose); 561 png_free(png_ptr, info_ptr->pcal_units); 562 info_ptr->pcal_purpose = NULL; 563 info_ptr->pcal_units = NULL; 564 565 if (info_ptr->pcal_params != NULL) 566 { 567 int i; 568 569 for (i = 0; i < info_ptr->pcal_nparams; i++) 570 png_free(png_ptr, info_ptr->pcal_params[i]); 571 572 png_free(png_ptr, info_ptr->pcal_params); 573 info_ptr->pcal_params = NULL; 574 } 575 info_ptr->valid &= ~PNG_INFO_pCAL; 576 } 577 #endif 578 579 #ifdef PNG_iCCP_SUPPORTED 580 /* Free any profile entry */ 581 if (((mask & PNG_FREE_ICCP) & info_ptr->free_me) != 0) 582 { 583 png_free(png_ptr, info_ptr->iccp_name); 584 png_free(png_ptr, info_ptr->iccp_profile); 585 info_ptr->iccp_name = NULL; 586 info_ptr->iccp_profile = NULL; 587 info_ptr->valid &= ~PNG_INFO_iCCP; 588 } 589 #endif 590 591 #ifdef PNG_sPLT_SUPPORTED 592 /* Free a given sPLT entry, or (if num == -1) all sPLT entries */ 593 if (info_ptr->splt_palettes != NULL && 594 ((mask & PNG_FREE_SPLT) & info_ptr->free_me) != 0) 595 { 596 if (num != -1) 597 { 598 png_free(png_ptr, info_ptr->splt_palettes[num].name); 599 png_free(png_ptr, info_ptr->splt_palettes[num].entries); 600 info_ptr->splt_palettes[num].name = NULL; 601 info_ptr->splt_palettes[num].entries = NULL; 602 } 603 604 else 605 { 606 int i; 607 608 for (i = 0; i < info_ptr->splt_palettes_num; i++) 609 { 610 png_free(png_ptr, info_ptr->splt_palettes[i].name); 611 png_free(png_ptr, info_ptr->splt_palettes[i].entries); 612 } 613 614 png_free(png_ptr, info_ptr->splt_palettes); 615 info_ptr->splt_palettes = NULL; 616 info_ptr->splt_palettes_num = 0; 617 info_ptr->valid &= ~PNG_INFO_sPLT; 618 } 619 } 620 #endif 621 622 #ifdef PNG_STORE_UNKNOWN_CHUNKS_SUPPORTED 623 if (info_ptr->unknown_chunks != NULL && 624 ((mask & PNG_FREE_UNKN) & info_ptr->free_me) != 0) 625 { 626 if (num != -1) 627 { 628 png_free(png_ptr, info_ptr->unknown_chunks[num].data); 629 info_ptr->unknown_chunks[num].data = NULL; 630 } 631 632 else 633 { 634 int i; 635 636 for (i = 0; i < info_ptr->unknown_chunks_num; i++) 637 png_free(png_ptr, info_ptr->unknown_chunks[i].data); 638 639 png_free(png_ptr, info_ptr->unknown_chunks); 640 info_ptr->unknown_chunks = NULL; 641 info_ptr->unknown_chunks_num = 0; 642 } 643 } 644 #endif 645 646 #ifdef PNG_eXIf_SUPPORTED 647 /* Free any eXIf entry */ 648 if (((mask & PNG_FREE_EXIF) & info_ptr->free_me) != 0) 649 { 650 # ifdef PNG_READ_eXIf_SUPPORTED 651 if (info_ptr->eXIf_buf) 652 { 653 png_free(png_ptr, info_ptr->eXIf_buf); 654 info_ptr->eXIf_buf = NULL; 655 } 656 # endif 657 if (info_ptr->exif) 658 { 659 png_free(png_ptr, info_ptr->exif); 660 info_ptr->exif = NULL; 661 } 662 info_ptr->valid &= ~PNG_INFO_eXIf; 663 } 664 #endif 665 666 #ifdef PNG_hIST_SUPPORTED 667 /* Free any hIST entry */ 668 if (((mask & PNG_FREE_HIST) & info_ptr->free_me) != 0) 669 { 670 png_free(png_ptr, info_ptr->hist); 671 info_ptr->hist = NULL; 672 info_ptr->valid &= ~PNG_INFO_hIST; 673 } 674 #endif 675 676 /* Free any PLTE entry that was internally allocated */ 677 if (((mask & PNG_FREE_PLTE) & info_ptr->free_me) != 0) 678 { 679 png_free(png_ptr, info_ptr->palette); 680 info_ptr->palette = NULL; 681 info_ptr->valid &= ~PNG_INFO_PLTE; 682 info_ptr->num_palette = 0; 683 } 684 685 #ifdef PNG_INFO_IMAGE_SUPPORTED 686 /* Free any image bits attached to the info structure */ 687 if (((mask & PNG_FREE_ROWS) & info_ptr->free_me) != 0) 688 { 689 if (info_ptr->row_pointers != NULL) 690 { 691 png_uint_32 row; 692 for (row = 0; row < info_ptr->height; row++) 693 png_free(png_ptr, info_ptr->row_pointers[row]); 694 695 png_free(png_ptr, info_ptr->row_pointers); 696 info_ptr->row_pointers = NULL; 697 } 698 info_ptr->valid &= ~PNG_INFO_IDAT; 699 } 700 #endif 701 702 if (num != -1) 703 mask &= ~PNG_FREE_MUL; 704 705 info_ptr->free_me &= ~mask; 706 } 707 #endif /* READ || WRITE */ 708 709 /* This function returns a pointer to the io_ptr associated with the user 710 * functions. The application should free any memory associated with this 711 * pointer before png_write_destroy() or png_read_destroy() are called. 712 */ 713 png_voidp PNGAPI 714 png_get_io_ptr(png_const_structrp png_ptr) 715 { 716 if (png_ptr == NULL) 717 return (NULL); 718 719 return (png_ptr->io_ptr); 720 } 721 722 #if defined(PNG_READ_SUPPORTED) || defined(PNG_WRITE_SUPPORTED) 723 # ifdef PNG_STDIO_SUPPORTED 724 /* Initialize the default input/output functions for the PNG file. If you 725 * use your own read or write routines, you can call either png_set_read_fn() 726 * or png_set_write_fn() instead of png_init_io(). If you have defined 727 * PNG_NO_STDIO or otherwise disabled PNG_STDIO_SUPPORTED, you must use a 728 * function of your own because "FILE *" isn't necessarily available. 729 */ 730 void PNGAPI 731 png_init_io(png_structrp png_ptr, png_FILE_p fp) 732 { 733 png_debug(1, "in png_init_io"); 734 735 if (png_ptr == NULL) 736 return; 737 738 png_ptr->io_ptr = (png_voidp)fp; 739 } 740 # endif 741 742 # ifdef PNG_SAVE_INT_32_SUPPORTED 743 /* PNG signed integers are saved in 32-bit 2's complement format. ANSI C-90 744 * defines a cast of a signed integer to an unsigned integer either to preserve 745 * the value, if it is positive, or to calculate: 746 * 747 * (UNSIGNED_MAX+1) + integer 748 * 749 * Where UNSIGNED_MAX is the appropriate maximum unsigned value, so when the 750 * negative integral value is added the result will be an unsigned value 751 * correspnding to the 2's complement representation. 752 */ 753 void PNGAPI 754 png_save_int_32(png_bytep buf, png_int_32 i) 755 { 756 png_save_uint_32(buf, (png_uint_32)i); 757 } 758 # endif 759 760 # ifdef PNG_TIME_RFC1123_SUPPORTED 761 /* Convert the supplied time into an RFC 1123 string suitable for use in 762 * a "Creation Time" or other text-based time string. 763 */ 764 int PNGAPI 765 png_convert_to_rfc1123_buffer(char out[29], png_const_timep ptime) 766 { 767 static PNG_CONST char short_months[12][4] = 768 {"Jan", "Feb", "Mar", "Apr", "May", "Jun", 769 "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"}; 770 771 if (out == NULL) 772 return 0; 773 774 if (ptime->year > 9999 /* RFC1123 limitation */ || 775 ptime->month == 0 || ptime->month > 12 || 776 ptime->day == 0 || ptime->day > 31 || 777 ptime->hour > 23 || ptime->minute > 59 || 778 ptime->second > 60) 779 return 0; 780 781 { 782 size_t pos = 0; 783 char number_buf[5]; /* enough for a four-digit year */ 784 785 # define APPEND_STRING(string) pos = png_safecat(out, 29, pos, (string)) 786 # define APPEND_NUMBER(format, value)\ 787 APPEND_STRING(PNG_FORMAT_NUMBER(number_buf, format, (value))) 788 # define APPEND(ch) if (pos < 28) out[pos++] = (ch) 789 790 APPEND_NUMBER(PNG_NUMBER_FORMAT_u, (unsigned)ptime->day); 791 APPEND(' '); 792 APPEND_STRING(short_months[(ptime->month - 1)]); 793 APPEND(' '); 794 APPEND_NUMBER(PNG_NUMBER_FORMAT_u, ptime->year); 795 APPEND(' '); 796 APPEND_NUMBER(PNG_NUMBER_FORMAT_02u, (unsigned)ptime->hour); 797 APPEND(':'); 798 APPEND_NUMBER(PNG_NUMBER_FORMAT_02u, (unsigned)ptime->minute); 799 APPEND(':'); 800 APPEND_NUMBER(PNG_NUMBER_FORMAT_02u, (unsigned)ptime->second); 801 APPEND_STRING(" +0000"); /* This reliably terminates the buffer */ 802 PNG_UNUSED (pos) 803 804 # undef APPEND 805 # undef APPEND_NUMBER 806 # undef APPEND_STRING 807 } 808 809 return 1; 810 } 811 812 # if PNG_LIBPNG_VER < 10700 813 /* To do: remove the following from libpng-1.7 */ 814 /* Original API that uses a private buffer in png_struct. 815 * Deprecated because it causes png_struct to carry a spurious temporary 816 * buffer (png_struct::time_buffer), better to have the caller pass this in. 817 */ 818 png_const_charp PNGAPI 819 png_convert_to_rfc1123(png_structrp png_ptr, png_const_timep ptime) 820 { 821 if (png_ptr != NULL) 822 { 823 /* The only failure above if png_ptr != NULL is from an invalid ptime */ 824 if (png_convert_to_rfc1123_buffer(png_ptr->time_buffer, ptime) == 0) 825 png_warning(png_ptr, "Ignoring invalid time value"); 826 827 else 828 return png_ptr->time_buffer; 829 } 830 831 return NULL; 832 } 833 # endif /* LIBPNG_VER < 10700 */ 834 # endif /* TIME_RFC1123 */ 835 836 #endif /* READ || WRITE */ 837 838 png_const_charp PNGAPI 839 png_get_copyright(png_const_structrp png_ptr) 840 { 841 PNG_UNUSED(png_ptr) /* Silence compiler warning about unused png_ptr */ 842 #ifdef PNG_STRING_COPYRIGHT 843 return PNG_STRING_COPYRIGHT 844 #else 845 # ifdef __STDC__ 846 return PNG_STRING_NEWLINE \ 847 "libpng version 1.6.34 - September 29, 2017" PNG_STRING_NEWLINE \ 848 "Copyright (c) 1998-2002,2004,2006-2017 Glenn Randers-Pehrson" \ 849 PNG_STRING_NEWLINE \ 850 "Copyright (c) 1996-1997 Andreas Dilger" PNG_STRING_NEWLINE \ 851 "Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc." \ 852 PNG_STRING_NEWLINE; 853 # else 854 return "libpng version 1.6.34 - September 29, 2017\ 855 Copyright (c) 1998-2002,2004,2006-2017 Glenn Randers-Pehrson\ 856 Copyright (c) 1996-1997 Andreas Dilger\ 857 Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc."; 858 # endif 859 #endif 860 } 861 862 /* The following return the library version as a short string in the 863 * format 1.0.0 through 99.99.99zz. To get the version of *.h files 864 * used with your application, print out PNG_LIBPNG_VER_STRING, which 865 * is defined in png.h. 866 * Note: now there is no difference between png_get_libpng_ver() and 867 * png_get_header_ver(). Due to the version_nn_nn_nn typedef guard, 868 * it is guaranteed that png.c uses the correct version of png.h. 869 */ 870 png_const_charp PNGAPI 871 png_get_libpng_ver(png_const_structrp png_ptr) 872 { 873 /* Version of *.c files used when building libpng */ 874 return png_get_header_ver(png_ptr); 875 } 876 877 png_const_charp PNGAPI 878 png_get_header_ver(png_const_structrp png_ptr) 879 { 880 /* Version of *.h files used when building libpng */ 881 PNG_UNUSED(png_ptr) /* Silence compiler warning about unused png_ptr */ 882 return PNG_LIBPNG_VER_STRING; 883 } 884 885 png_const_charp PNGAPI 886 png_get_header_version(png_const_structrp png_ptr) 887 { 888 /* Returns longer string containing both version and date */ 889 PNG_UNUSED(png_ptr) /* Silence compiler warning about unused png_ptr */ 890 #ifdef __STDC__ 891 return PNG_HEADER_VERSION_STRING 892 # ifndef PNG_READ_SUPPORTED 893 " (NO READ SUPPORT)" 894 # endif 895 PNG_STRING_NEWLINE; 896 #else 897 return PNG_HEADER_VERSION_STRING; 898 #endif 899 } 900 901 #ifdef PNG_BUILD_GRAYSCALE_PALETTE_SUPPORTED 902 /* NOTE: this routine is not used internally! */ 903 /* Build a grayscale palette. Palette is assumed to be 1 << bit_depth 904 * large of png_color. This lets grayscale images be treated as 905 * paletted. Most useful for gamma correction and simplification 906 * of code. This API is not used internally. 907 */ 908 void PNGAPI 909 png_build_grayscale_palette(int bit_depth, png_colorp palette) 910 { 911 int num_palette; 912 int color_inc; 913 int i; 914 int v; 915 916 png_debug(1, "in png_do_build_grayscale_palette"); 917 918 if (palette == NULL) 919 return; 920 921 switch (bit_depth) 922 { 923 case 1: 924 num_palette = 2; 925 color_inc = 0xff; 926 break; 927 928 case 2: 929 num_palette = 4; 930 color_inc = 0x55; 931 break; 932 933 case 4: 934 num_palette = 16; 935 color_inc = 0x11; 936 break; 937 938 case 8: 939 num_palette = 256; 940 color_inc = 1; 941 break; 942 943 default: 944 num_palette = 0; 945 color_inc = 0; 946 break; 947 } 948 949 for (i = 0, v = 0; i < num_palette; i++, v += color_inc) 950 { 951 palette[i].red = (png_byte)(v & 0xff); 952 palette[i].green = (png_byte)(v & 0xff); 953 palette[i].blue = (png_byte)(v & 0xff); 954 } 955 } 956 #endif 957 958 #ifdef PNG_SET_UNKNOWN_CHUNKS_SUPPORTED 959 int PNGAPI 960 png_handle_as_unknown(png_const_structrp png_ptr, png_const_bytep chunk_name) 961 { 962 /* Check chunk_name and return "keep" value if it's on the list, else 0 */ 963 png_const_bytep p, p_end; 964 965 if (png_ptr == NULL || chunk_name == NULL || png_ptr->num_chunk_list == 0) 966 return PNG_HANDLE_CHUNK_AS_DEFAULT; 967 968 p_end = png_ptr->chunk_list; 969 p = p_end + png_ptr->num_chunk_list*5; /* beyond end */ 970 971 /* The code is the fifth byte after each four byte string. Historically this 972 * code was always searched from the end of the list, this is no longer 973 * necessary because the 'set' routine handles duplicate entries correcty. 974 */ 975 do /* num_chunk_list > 0, so at least one */ 976 { 977 p -= 5; 978 979 if (memcmp(chunk_name, p, 4) == 0) 980 return p[4]; 981 } 982 while (p > p_end); 983 984 /* This means that known chunks should be processed and unknown chunks should 985 * be handled according to the value of png_ptr->unknown_default; this can be 986 * confusing because, as a result, there are two levels of defaulting for 987 * unknown chunks. 988 */ 989 return PNG_HANDLE_CHUNK_AS_DEFAULT; 990 } 991 992 #if defined(PNG_READ_UNKNOWN_CHUNKS_SUPPORTED) ||\ 993 defined(PNG_HANDLE_AS_UNKNOWN_SUPPORTED) 994 int /* PRIVATE */ 995 png_chunk_unknown_handling(png_const_structrp png_ptr, png_uint_32 chunk_name) 996 { 997 png_byte chunk_string[5]; 998 999 PNG_CSTRING_FROM_CHUNK(chunk_string, chunk_name); 1000 return png_handle_as_unknown(png_ptr, chunk_string); 1001 } 1002 #endif /* READ_UNKNOWN_CHUNKS || HANDLE_AS_UNKNOWN */ 1003 #endif /* SET_UNKNOWN_CHUNKS */ 1004 1005 #ifdef PNG_READ_SUPPORTED 1006 /* This function, added to libpng-1.0.6g, is untested. */ 1007 int PNGAPI 1008 png_reset_zstream(png_structrp png_ptr) 1009 { 1010 if (png_ptr == NULL) 1011 return Z_STREAM_ERROR; 1012 1013 /* WARNING: this resets the window bits to the maximum! */ 1014 return (inflateReset(&png_ptr->zstream)); 1015 } 1016 #endif /* READ */ 1017 1018 /* This function was added to libpng-1.0.7 */ 1019 png_uint_32 PNGAPI 1020 png_access_version_number(void) 1021 { 1022 /* Version of *.c files used when building libpng */ 1023 return((png_uint_32)PNG_LIBPNG_VER); 1024 } 1025 1026 #if defined(PNG_READ_SUPPORTED) || defined(PNG_WRITE_SUPPORTED) 1027 /* Ensure that png_ptr->zstream.msg holds some appropriate error message string. 1028 * If it doesn't 'ret' is used to set it to something appropriate, even in cases 1029 * like Z_OK or Z_STREAM_END where the error code is apparently a success code. 1030 */ 1031 void /* PRIVATE */ 1032 png_zstream_error(png_structrp png_ptr, int ret) 1033 { 1034 /* Translate 'ret' into an appropriate error string, priority is given to the 1035 * one in zstream if set. This always returns a string, even in cases like 1036 * Z_OK or Z_STREAM_END where the error code is a success code. 1037 */ 1038 if (png_ptr->zstream.msg == NULL) switch (ret) 1039 { 1040 default: 1041 case Z_OK: 1042 png_ptr->zstream.msg = PNGZ_MSG_CAST("unexpected zlib return code"); 1043 break; 1044 1045 case Z_STREAM_END: 1046 /* Normal exit */ 1047 png_ptr->zstream.msg = PNGZ_MSG_CAST("unexpected end of LZ stream"); 1048 break; 1049 1050 case Z_NEED_DICT: 1051 /* This means the deflate stream did not have a dictionary; this 1052 * indicates a bogus PNG. 1053 */ 1054 png_ptr->zstream.msg = PNGZ_MSG_CAST("missing LZ dictionary"); 1055 break; 1056 1057 case Z_ERRNO: 1058 /* gz APIs only: should not happen */ 1059 png_ptr->zstream.msg = PNGZ_MSG_CAST("zlib IO error"); 1060 break; 1061 1062 case Z_STREAM_ERROR: 1063 /* internal libpng error */ 1064 png_ptr->zstream.msg = PNGZ_MSG_CAST("bad parameters to zlib"); 1065 break; 1066 1067 case Z_DATA_ERROR: 1068 png_ptr->zstream.msg = PNGZ_MSG_CAST("damaged LZ stream"); 1069 break; 1070 1071 case Z_MEM_ERROR: 1072 png_ptr->zstream.msg = PNGZ_MSG_CAST("insufficient memory"); 1073 break; 1074 1075 case Z_BUF_ERROR: 1076 /* End of input or output; not a problem if the caller is doing 1077 * incremental read or write. 1078 */ 1079 png_ptr->zstream.msg = PNGZ_MSG_CAST("truncated"); 1080 break; 1081 1082 case Z_VERSION_ERROR: 1083 png_ptr->zstream.msg = PNGZ_MSG_CAST("unsupported zlib version"); 1084 break; 1085 1086 case PNG_UNEXPECTED_ZLIB_RETURN: 1087 /* Compile errors here mean that zlib now uses the value co-opted in 1088 * pngpriv.h for PNG_UNEXPECTED_ZLIB_RETURN; update the switch above 1089 * and change pngpriv.h. Note that this message is "... return", 1090 * whereas the default/Z_OK one is "... return code". 1091 */ 1092 png_ptr->zstream.msg = PNGZ_MSG_CAST("unexpected zlib return"); 1093 break; 1094 } 1095 } 1096 1097 /* png_convert_size: a PNGAPI but no longer in png.h, so deleted 1098 * at libpng 1.5.5! 1099 */ 1100 1101 /* Added at libpng version 1.2.34 and 1.4.0 (moved from pngset.c) */ 1102 #ifdef PNG_GAMMA_SUPPORTED /* always set if COLORSPACE */ 1103 static int 1104 png_colorspace_check_gamma(png_const_structrp png_ptr, 1105 png_colorspacerp colorspace, png_fixed_point gAMA, int from) 1106 /* This is called to check a new gamma value against an existing one. The 1107 * routine returns false if the new gamma value should not be written. 1108 * 1109 * 'from' says where the new gamma value comes from: 1110 * 1111 * 0: the new gamma value is the libpng estimate for an ICC profile 1112 * 1: the new gamma value comes from a gAMA chunk 1113 * 2: the new gamma value comes from an sRGB chunk 1114 */ 1115 { 1116 png_fixed_point gtest; 1117 1118 if ((colorspace->flags & PNG_COLORSPACE_HAVE_GAMMA) != 0 && 1119 (png_muldiv(>est, colorspace->gamma, PNG_FP_1, gAMA) == 0 || 1120 png_gamma_significant(gtest) != 0)) 1121 { 1122 /* Either this is an sRGB image, in which case the calculated gamma 1123 * approximation should match, or this is an image with a profile and the 1124 * value libpng calculates for the gamma of the profile does not match the 1125 * value recorded in the file. The former, sRGB, case is an error, the 1126 * latter is just a warning. 1127 */ 1128 if ((colorspace->flags & PNG_COLORSPACE_FROM_sRGB) != 0 || from == 2) 1129 { 1130 png_chunk_report(png_ptr, "gamma value does not match sRGB", 1131 PNG_CHUNK_ERROR); 1132 /* Do not overwrite an sRGB value */ 1133 return from == 2; 1134 } 1135 1136 else /* sRGB tag not involved */ 1137 { 1138 png_chunk_report(png_ptr, "gamma value does not match libpng estimate", 1139 PNG_CHUNK_WARNING); 1140 return from == 1; 1141 } 1142 } 1143 1144 return 1; 1145 } 1146 1147 void /* PRIVATE */ 1148 png_colorspace_set_gamma(png_const_structrp png_ptr, 1149 png_colorspacerp colorspace, png_fixed_point gAMA) 1150 { 1151 /* Changed in libpng-1.5.4 to limit the values to ensure overflow can't 1152 * occur. Since the fixed point representation is asymetrical it is 1153 * possible for 1/gamma to overflow the limit of 21474 and this means the 1154 * gamma value must be at least 5/100000 and hence at most 20000.0. For 1155 * safety the limits here are a little narrower. The values are 0.00016 to 1156 * 6250.0, which are truly ridiculous gamma values (and will produce 1157 * displays that are all black or all white.) 1158 * 1159 * In 1.6.0 this test replaces the ones in pngrutil.c, in the gAMA chunk 1160 * handling code, which only required the value to be >0. 1161 */ 1162 png_const_charp errmsg; 1163 1164 if (gAMA < 16 || gAMA > 625000000) 1165 errmsg = "gamma value out of range"; 1166 1167 # ifdef PNG_READ_gAMA_SUPPORTED 1168 /* Allow the application to set the gamma value more than once */ 1169 else if ((png_ptr->mode & PNG_IS_READ_STRUCT) != 0 && 1170 (colorspace->flags & PNG_COLORSPACE_FROM_gAMA) != 0) 1171 errmsg = "duplicate"; 1172 # endif 1173 1174 /* Do nothing if the colorspace is already invalid */ 1175 else if ((colorspace->flags & PNG_COLORSPACE_INVALID) != 0) 1176 return; 1177 1178 else 1179 { 1180 if (png_colorspace_check_gamma(png_ptr, colorspace, gAMA, 1181 1/*from gAMA*/) != 0) 1182 { 1183 /* Store this gamma value. */ 1184 colorspace->gamma = gAMA; 1185 colorspace->flags |= 1186 (PNG_COLORSPACE_HAVE_GAMMA | PNG_COLORSPACE_FROM_gAMA); 1187 } 1188 1189 /* At present if the check_gamma test fails the gamma of the colorspace is 1190 * not updated however the colorspace is not invalidated. This 1191 * corresponds to the case where the existing gamma comes from an sRGB 1192 * chunk or profile. An error message has already been output. 1193 */ 1194 return; 1195 } 1196 1197 /* Error exit - errmsg has been set. */ 1198 colorspace->flags |= PNG_COLORSPACE_INVALID; 1199 png_chunk_report(png_ptr, errmsg, PNG_CHUNK_WRITE_ERROR); 1200 } 1201 1202 void /* PRIVATE */ 1203 png_colorspace_sync_info(png_const_structrp png_ptr, png_inforp info_ptr) 1204 { 1205 if ((info_ptr->colorspace.flags & PNG_COLORSPACE_INVALID) != 0) 1206 { 1207 /* Everything is invalid */ 1208 info_ptr->valid &= ~(PNG_INFO_gAMA|PNG_INFO_cHRM|PNG_INFO_sRGB| 1209 PNG_INFO_iCCP); 1210 1211 # ifdef PNG_COLORSPACE_SUPPORTED 1212 /* Clean up the iCCP profile now if it won't be used. */ 1213 png_free_data(png_ptr, info_ptr, PNG_FREE_ICCP, -1/*not used*/); 1214 # else 1215 PNG_UNUSED(png_ptr) 1216 # endif 1217 } 1218 1219 else 1220 { 1221 # ifdef PNG_COLORSPACE_SUPPORTED 1222 /* Leave the INFO_iCCP flag set if the pngset.c code has already set 1223 * it; this allows a PNG to contain a profile which matches sRGB and 1224 * yet still have that profile retrievable by the application. 1225 */ 1226 if ((info_ptr->colorspace.flags & PNG_COLORSPACE_MATCHES_sRGB) != 0) 1227 info_ptr->valid |= PNG_INFO_sRGB; 1228 1229 else 1230 info_ptr->valid &= ~PNG_INFO_sRGB; 1231 1232 if ((info_ptr->colorspace.flags & PNG_COLORSPACE_HAVE_ENDPOINTS) != 0) 1233 info_ptr->valid |= PNG_INFO_cHRM; 1234 1235 else 1236 info_ptr->valid &= ~PNG_INFO_cHRM; 1237 # endif 1238 1239 if ((info_ptr->colorspace.flags & PNG_COLORSPACE_HAVE_GAMMA) != 0) 1240 info_ptr->valid |= PNG_INFO_gAMA; 1241 1242 else 1243 info_ptr->valid &= ~PNG_INFO_gAMA; 1244 } 1245 } 1246 1247 #ifdef PNG_READ_SUPPORTED 1248 void /* PRIVATE */ 1249 png_colorspace_sync(png_const_structrp png_ptr, png_inforp info_ptr) 1250 { 1251 if (info_ptr == NULL) /* reduce code size; check here not in the caller */ 1252 return; 1253 1254 info_ptr->colorspace = png_ptr->colorspace; 1255 png_colorspace_sync_info(png_ptr, info_ptr); 1256 } 1257 #endif 1258 #endif /* GAMMA */ 1259 1260 #ifdef PNG_COLORSPACE_SUPPORTED 1261 /* Added at libpng-1.5.5 to support read and write of true CIEXYZ values for 1262 * cHRM, as opposed to using chromaticities. These internal APIs return 1263 * non-zero on a parameter error. The X, Y and Z values are required to be 1264 * positive and less than 1.0. 1265 */ 1266 static int 1267 png_xy_from_XYZ(png_xy *xy, const png_XYZ *XYZ) 1268 { 1269 png_int_32 d, dwhite, whiteX, whiteY; 1270 1271 d = XYZ->red_X + XYZ->red_Y + XYZ->red_Z; 1272 if (png_muldiv(&xy->redx, XYZ->red_X, PNG_FP_1, d) == 0) 1273 return 1; 1274 if (png_muldiv(&xy->redy, XYZ->red_Y, PNG_FP_1, d) == 0) 1275 return 1; 1276 dwhite = d; 1277 whiteX = XYZ->red_X; 1278 whiteY = XYZ->red_Y; 1279 1280 d = XYZ->green_X + XYZ->green_Y + XYZ->green_Z; 1281 if (png_muldiv(&xy->greenx, XYZ->green_X, PNG_FP_1, d) == 0) 1282 return 1; 1283 if (png_muldiv(&xy->greeny, XYZ->green_Y, PNG_FP_1, d) == 0) 1284 return 1; 1285 dwhite += d; 1286 whiteX += XYZ->green_X; 1287 whiteY += XYZ->green_Y; 1288 1289 d = XYZ->blue_X + XYZ->blue_Y + XYZ->blue_Z; 1290 if (png_muldiv(&xy->bluex, XYZ->blue_X, PNG_FP_1, d) == 0) 1291 return 1; 1292 if (png_muldiv(&xy->bluey, XYZ->blue_Y, PNG_FP_1, d) == 0) 1293 return 1; 1294 dwhite += d; 1295 whiteX += XYZ->blue_X; 1296 whiteY += XYZ->blue_Y; 1297 1298 /* The reference white is simply the sum of the end-point (X,Y,Z) vectors, 1299 * thus: 1300 */ 1301 if (png_muldiv(&xy->whitex, whiteX, PNG_FP_1, dwhite) == 0) 1302 return 1; 1303 if (png_muldiv(&xy->whitey, whiteY, PNG_FP_1, dwhite) == 0) 1304 return 1; 1305 1306 return 0; 1307 } 1308 1309 static int 1310 png_XYZ_from_xy(png_XYZ *XYZ, const png_xy *xy) 1311 { 1312 png_fixed_point red_inverse, green_inverse, blue_scale; 1313 png_fixed_point left, right, denominator; 1314 1315 /* Check xy and, implicitly, z. Note that wide gamut color spaces typically 1316 * have end points with 0 tristimulus values (these are impossible end 1317 * points, but they are used to cover the possible colors). We check 1318 * xy->whitey against 5, not 0, to avoid a possible integer overflow. 1319 */ 1320 if (xy->redx < 0 || xy->redx > PNG_FP_1) return 1; 1321 if (xy->redy < 0 || xy->redy > PNG_FP_1-xy->redx) return 1; 1322 if (xy->greenx < 0 || xy->greenx > PNG_FP_1) return 1; 1323 if (xy->greeny < 0 || xy->greeny > PNG_FP_1-xy->greenx) return 1; 1324 if (xy->bluex < 0 || xy->bluex > PNG_FP_1) return 1; 1325 if (xy->bluey < 0 || xy->bluey > PNG_FP_1-xy->bluex) return 1; 1326 if (xy->whitex < 0 || xy->whitex > PNG_FP_1) return 1; 1327 if (xy->whitey < 5 || xy->whitey > PNG_FP_1-xy->whitex) return 1; 1328 1329 /* The reverse calculation is more difficult because the original tristimulus 1330 * value had 9 independent values (red,green,blue)x(X,Y,Z) however only 8 1331 * derived values were recorded in the cHRM chunk; 1332 * (red,green,blue,white)x(x,y). This loses one degree of freedom and 1333 * therefore an arbitrary ninth value has to be introduced to undo the 1334 * original transformations. 1335 * 1336 * Think of the original end-points as points in (X,Y,Z) space. The 1337 * chromaticity values (c) have the property: 1338 * 1339 * C 1340 * c = --------- 1341 * X + Y + Z 1342 * 1343 * For each c (x,y,z) from the corresponding original C (X,Y,Z). Thus the 1344 * three chromaticity values (x,y,z) for each end-point obey the 1345 * relationship: 1346 * 1347 * x + y + z = 1 1348 * 1349 * This describes the plane in (X,Y,Z) space that intersects each axis at the 1350 * value 1.0; call this the chromaticity plane. Thus the chromaticity 1351 * calculation has scaled each end-point so that it is on the x+y+z=1 plane 1352 * and chromaticity is the intersection of the vector from the origin to the 1353 * (X,Y,Z) value with the chromaticity plane. 1354 * 1355 * To fully invert the chromaticity calculation we would need the three 1356 * end-point scale factors, (red-scale, green-scale, blue-scale), but these 1357 * were not recorded. Instead we calculated the reference white (X,Y,Z) and 1358 * recorded the chromaticity of this. The reference white (X,Y,Z) would have 1359 * given all three of the scale factors since: 1360 * 1361 * color-C = color-c * color-scale 1362 * white-C = red-C + green-C + blue-C 1363 * = red-c*red-scale + green-c*green-scale + blue-c*blue-scale 1364 * 1365 * But cHRM records only white-x and white-y, so we have lost the white scale 1366 * factor: 1367 * 1368 * white-C = white-c*white-scale 1369 * 1370 * To handle this the inverse transformation makes an arbitrary assumption 1371 * about white-scale: 1372 * 1373 * Assume: white-Y = 1.0 1374 * Hence: white-scale = 1/white-y 1375 * Or: red-Y + green-Y + blue-Y = 1.0 1376 * 1377 * Notice the last statement of the assumption gives an equation in three of 1378 * the nine values we want to calculate. 8 more equations come from the 1379 * above routine as summarised at the top above (the chromaticity 1380 * calculation): 1381 * 1382 * Given: color-x = color-X / (color-X + color-Y + color-Z) 1383 * Hence: (color-x - 1)*color-X + color.x*color-Y + color.x*color-Z = 0 1384 * 1385 * This is 9 simultaneous equations in the 9 variables "color-C" and can be 1386 * solved by Cramer's rule. Cramer's rule requires calculating 10 9x9 matrix 1387 * determinants, however this is not as bad as it seems because only 28 of 1388 * the total of 90 terms in the various matrices are non-zero. Nevertheless 1389 * Cramer's rule is notoriously numerically unstable because the determinant 1390 * calculation involves the difference of large, but similar, numbers. It is 1391 * difficult to be sure that the calculation is stable for real world values 1392 * and it is certain that it becomes unstable where the end points are close 1393 * together. 1394 * 1395 * So this code uses the perhaps slightly less optimal but more 1396 * understandable and totally obvious approach of calculating color-scale. 1397 * 1398 * This algorithm depends on the precision in white-scale and that is 1399 * (1/white-y), so we can immediately see that as white-y approaches 0 the 1400 * accuracy inherent in the cHRM chunk drops off substantially. 1401 * 1402 * libpng arithmetic: a simple inversion of the above equations 1403 * ------------------------------------------------------------ 1404 * 1405 * white_scale = 1/white-y 1406 * white-X = white-x * white-scale 1407 * white-Y = 1.0 1408 * white-Z = (1 - white-x - white-y) * white_scale 1409 * 1410 * white-C = red-C + green-C + blue-C 1411 * = red-c*red-scale + green-c*green-scale + blue-c*blue-scale 1412 * 1413 * This gives us three equations in (red-scale,green-scale,blue-scale) where 1414 * all the coefficients are now known: 1415 * 1416 * red-x*red-scale + green-x*green-scale + blue-x*blue-scale 1417 * = white-x/white-y 1418 * red-y*red-scale + green-y*green-scale + blue-y*blue-scale = 1 1419 * red-z*red-scale + green-z*green-scale + blue-z*blue-scale 1420 * = (1 - white-x - white-y)/white-y 1421 * 1422 * In the last equation color-z is (1 - color-x - color-y) so we can add all 1423 * three equations together to get an alternative third: 1424 * 1425 * red-scale + green-scale + blue-scale = 1/white-y = white-scale 1426 * 1427 * So now we have a Cramer's rule solution where the determinants are just 1428 * 3x3 - far more tractible. Unfortunately 3x3 determinants still involve 1429 * multiplication of three coefficients so we can't guarantee to avoid 1430 * overflow in the libpng fixed point representation. Using Cramer's rule in 1431 * floating point is probably a good choice here, but it's not an option for 1432 * fixed point. Instead proceed to simplify the first two equations by 1433 * eliminating what is likely to be the largest value, blue-scale: 1434 * 1435 * blue-scale = white-scale - red-scale - green-scale 1436 * 1437 * Hence: 1438 * 1439 * (red-x - blue-x)*red-scale + (green-x - blue-x)*green-scale = 1440 * (white-x - blue-x)*white-scale 1441 * 1442 * (red-y - blue-y)*red-scale + (green-y - blue-y)*green-scale = 1443 * 1 - blue-y*white-scale 1444 * 1445 * And now we can trivially solve for (red-scale,green-scale): 1446 * 1447 * green-scale = 1448 * (white-x - blue-x)*white-scale - (red-x - blue-x)*red-scale 1449 * ----------------------------------------------------------- 1450 * green-x - blue-x 1451 * 1452 * red-scale = 1453 * 1 - blue-y*white-scale - (green-y - blue-y) * green-scale 1454 * --------------------------------------------------------- 1455 * red-y - blue-y 1456 * 1457 * Hence: 1458 * 1459 * red-scale = 1460 * ( (green-x - blue-x) * (white-y - blue-y) - 1461 * (green-y - blue-y) * (white-x - blue-x) ) / white-y 1462 * ------------------------------------------------------------------------- 1463 * (green-x - blue-x)*(red-y - blue-y)-(green-y - blue-y)*(red-x - blue-x) 1464 * 1465 * green-scale = 1466 * ( (red-y - blue-y) * (white-x - blue-x) - 1467 * (red-x - blue-x) * (white-y - blue-y) ) / white-y 1468 * ------------------------------------------------------------------------- 1469 * (green-x - blue-x)*(red-y - blue-y)-(green-y - blue-y)*(red-x - blue-x) 1470 * 1471 * Accuracy: 1472 * The input values have 5 decimal digits of accuracy. The values are all in 1473 * the range 0 < value < 1, so simple products are in the same range but may 1474 * need up to 10 decimal digits to preserve the original precision and avoid 1475 * underflow. Because we are using a 32-bit signed representation we cannot 1476 * match this; the best is a little over 9 decimal digits, less than 10. 1477 * 1478 * The approach used here is to preserve the maximum precision within the 1479 * signed representation. Because the red-scale calculation above uses the 1480 * difference between two products of values that must be in the range -1..+1 1481 * it is sufficient to divide the product by 7; ceil(100,000/32767*2). The 1482 * factor is irrelevant in the calculation because it is applied to both 1483 * numerator and denominator. 1484 * 1485 * Note that the values of the differences of the products of the 1486 * chromaticities in the above equations tend to be small, for example for 1487 * the sRGB chromaticities they are: 1488 * 1489 * red numerator: -0.04751 1490 * green numerator: -0.08788 1491 * denominator: -0.2241 (without white-y multiplication) 1492 * 1493 * The resultant Y coefficients from the chromaticities of some widely used 1494 * color space definitions are (to 15 decimal places): 1495 * 1496 * sRGB 1497 * 0.212639005871510 0.715168678767756 0.072192315360734 1498 * Kodak ProPhoto 1499 * 0.288071128229293 0.711843217810102 0.000085653960605 1500 * Adobe RGB 1501 * 0.297344975250536 0.627363566255466 0.075291458493998 1502 * Adobe Wide Gamut RGB 1503 * 0.258728243040113 0.724682314948566 0.016589442011321 1504 */ 1505 /* By the argument, above overflow should be impossible here. The return 1506 * value of 2 indicates an internal error to the caller. 1507 */ 1508 if (png_muldiv(&left, xy->greenx-xy->bluex, xy->redy - xy->bluey, 7) == 0) 1509 return 2; 1510 if (png_muldiv(&right, xy->greeny-xy->bluey, xy->redx - xy->bluex, 7) == 0) 1511 return 2; 1512 denominator = left - right; 1513 1514 /* Now find the red numerator. */ 1515 if (png_muldiv(&left, xy->greenx-xy->bluex, xy->whitey-xy->bluey, 7) == 0) 1516 return 2; 1517 if (png_muldiv(&right, xy->greeny-xy->bluey, xy->whitex-xy->bluex, 7) == 0) 1518 return 2; 1519 1520 /* Overflow is possible here and it indicates an extreme set of PNG cHRM 1521 * chunk values. This calculation actually returns the reciprocal of the 1522 * scale value because this allows us to delay the multiplication of white-y 1523 * into the denominator, which tends to produce a small number. 1524 */ 1525 if (png_muldiv(&red_inverse, xy->whitey, denominator, left-right) == 0 || 1526 red_inverse <= xy->whitey /* r+g+b scales = white scale */) 1527 return 1; 1528 1529 /* Similarly for green_inverse: */ 1530 if (png_muldiv(&left, xy->redy-xy->bluey, xy->whitex-xy->bluex, 7) == 0) 1531 return 2; 1532 if (png_muldiv(&right, xy->redx-xy->bluex, xy->whitey-xy->bluey, 7) == 0) 1533 return 2; 1534 if (png_muldiv(&green_inverse, xy->whitey, denominator, left-right) == 0 || 1535 green_inverse <= xy->whitey) 1536 return 1; 1537 1538 /* And the blue scale, the checks above guarantee this can't overflow but it 1539 * can still produce 0 for extreme cHRM values. 1540 */ 1541 blue_scale = png_reciprocal(xy->whitey) - png_reciprocal(red_inverse) - 1542 png_reciprocal(green_inverse); 1543 if (blue_scale <= 0) 1544 return 1; 1545 1546 1547 /* And fill in the png_XYZ: */ 1548 if (png_muldiv(&XYZ->red_X, xy->redx, PNG_FP_1, red_inverse) == 0) 1549 return 1; 1550 if (png_muldiv(&XYZ->red_Y, xy->redy, PNG_FP_1, red_inverse) == 0) 1551 return 1; 1552 if (png_muldiv(&XYZ->red_Z, PNG_FP_1 - xy->redx - xy->redy, PNG_FP_1, 1553 red_inverse) == 0) 1554 return 1; 1555 1556 if (png_muldiv(&XYZ->green_X, xy->greenx, PNG_FP_1, green_inverse) == 0) 1557 return 1; 1558 if (png_muldiv(&XYZ->green_Y, xy->greeny, PNG_FP_1, green_inverse) == 0) 1559 return 1; 1560 if (png_muldiv(&XYZ->green_Z, PNG_FP_1 - xy->greenx - xy->greeny, PNG_FP_1, 1561 green_inverse) == 0) 1562 return 1; 1563 1564 if (png_muldiv(&XYZ->blue_X, xy->bluex, blue_scale, PNG_FP_1) == 0) 1565 return 1; 1566 if (png_muldiv(&XYZ->blue_Y, xy->bluey, blue_scale, PNG_FP_1) == 0) 1567 return 1; 1568 if (png_muldiv(&XYZ->blue_Z, PNG_FP_1 - xy->bluex - xy->bluey, blue_scale, 1569 PNG_FP_1) == 0) 1570 return 1; 1571 1572 return 0; /*success*/ 1573 } 1574 1575 static int 1576 png_XYZ_normalize(png_XYZ *XYZ) 1577 { 1578 png_int_32 Y; 1579 1580 if (XYZ->red_Y < 0 || XYZ->green_Y < 0 || XYZ->blue_Y < 0 || 1581 XYZ->red_X < 0 || XYZ->green_X < 0 || XYZ->blue_X < 0 || 1582 XYZ->red_Z < 0 || XYZ->green_Z < 0 || XYZ->blue_Z < 0) 1583 return 1; 1584 1585 /* Normalize by scaling so the sum of the end-point Y values is PNG_FP_1. 1586 * IMPLEMENTATION NOTE: ANSI requires signed overflow not to occur, therefore 1587 * relying on addition of two positive values producing a negative one is not 1588 * safe. 1589 */ 1590 Y = XYZ->red_Y; 1591 if (0x7fffffff - Y < XYZ->green_X) 1592 return 1; 1593 Y += XYZ->green_Y; 1594 if (0x7fffffff - Y < XYZ->blue_X) 1595 return 1; 1596 Y += XYZ->blue_Y; 1597 1598 if (Y != PNG_FP_1) 1599 { 1600 if (png_muldiv(&XYZ->red_X, XYZ->red_X, PNG_FP_1, Y) == 0) 1601 return 1; 1602 if (png_muldiv(&XYZ->red_Y, XYZ->red_Y, PNG_FP_1, Y) == 0) 1603 return 1; 1604 if (png_muldiv(&XYZ->red_Z, XYZ->red_Z, PNG_FP_1, Y) == 0) 1605 return 1; 1606 1607 if (png_muldiv(&XYZ->green_X, XYZ->green_X, PNG_FP_1, Y) == 0) 1608 return 1; 1609 if (png_muldiv(&XYZ->green_Y, XYZ->green_Y, PNG_FP_1, Y) == 0) 1610 return 1; 1611 if (png_muldiv(&XYZ->green_Z, XYZ->green_Z, PNG_FP_1, Y) == 0) 1612 return 1; 1613 1614 if (png_muldiv(&XYZ->blue_X, XYZ->blue_X, PNG_FP_1, Y) == 0) 1615 return 1; 1616 if (png_muldiv(&XYZ->blue_Y, XYZ->blue_Y, PNG_FP_1, Y) == 0) 1617 return 1; 1618 if (png_muldiv(&XYZ->blue_Z, XYZ->blue_Z, PNG_FP_1, Y) == 0) 1619 return 1; 1620 } 1621 1622 return 0; 1623 } 1624 1625 static int 1626 png_colorspace_endpoints_match(const png_xy *xy1, const png_xy *xy2, int delta) 1627 { 1628 /* Allow an error of +/-0.01 (absolute value) on each chromaticity */ 1629 if (PNG_OUT_OF_RANGE(xy1->whitex, xy2->whitex,delta) || 1630 PNG_OUT_OF_RANGE(xy1->whitey, xy2->whitey,delta) || 1631 PNG_OUT_OF_RANGE(xy1->redx, xy2->redx, delta) || 1632 PNG_OUT_OF_RANGE(xy1->redy, xy2->redy, delta) || 1633 PNG_OUT_OF_RANGE(xy1->greenx, xy2->greenx,delta) || 1634 PNG_OUT_OF_RANGE(xy1->greeny, xy2->greeny,delta) || 1635 PNG_OUT_OF_RANGE(xy1->bluex, xy2->bluex, delta) || 1636 PNG_OUT_OF_RANGE(xy1->bluey, xy2->bluey, delta)) 1637 return 0; 1638 return 1; 1639 } 1640 1641 /* Added in libpng-1.6.0, a different check for the validity of a set of cHRM 1642 * chunk chromaticities. Earlier checks used to simply look for the overflow 1643 * condition (where the determinant of the matrix to solve for XYZ ends up zero 1644 * because the chromaticity values are not all distinct.) Despite this it is 1645 * theoretically possible to produce chromaticities that are apparently valid 1646 * but that rapidly degrade to invalid, potentially crashing, sets because of 1647 * arithmetic inaccuracies when calculations are performed on them. The new 1648 * check is to round-trip xy -> XYZ -> xy and then check that the result is 1649 * within a small percentage of the original. 1650 */ 1651 static int 1652 png_colorspace_check_xy(png_XYZ *XYZ, const png_xy *xy) 1653 { 1654 int result; 1655 png_xy xy_test; 1656 1657 /* As a side-effect this routine also returns the XYZ endpoints. */ 1658 result = png_XYZ_from_xy(XYZ, xy); 1659 if (result != 0) 1660 return result; 1661 1662 result = png_xy_from_XYZ(&xy_test, XYZ); 1663 if (result != 0) 1664 return result; 1665 1666 if (png_colorspace_endpoints_match(xy, &xy_test, 1667 5/*actually, the math is pretty accurate*/) != 0) 1668 return 0; 1669 1670 /* Too much slip */ 1671 return 1; 1672 } 1673 1674 /* This is the check going the other way. The XYZ is modified to normalize it 1675 * (another side-effect) and the xy chromaticities are returned. 1676 */ 1677 static int 1678 png_colorspace_check_XYZ(png_xy *xy, png_XYZ *XYZ) 1679 { 1680 int result; 1681 png_XYZ XYZtemp; 1682 1683 result = png_XYZ_normalize(XYZ); 1684 if (result != 0) 1685 return result; 1686 1687 result = png_xy_from_XYZ(xy, XYZ); 1688 if (result != 0) 1689 return result; 1690 1691 XYZtemp = *XYZ; 1692 return png_colorspace_check_xy(&XYZtemp, xy); 1693 } 1694 1695 /* Used to check for an endpoint match against sRGB */ 1696 static const png_xy sRGB_xy = /* From ITU-R BT.709-3 */ 1697 { 1698 /* color x y */ 1699 /* red */ 64000, 33000, 1700 /* green */ 30000, 60000, 1701 /* blue */ 15000, 6000, 1702 /* white */ 31270, 32900 1703 }; 1704 1705 static int 1706 png_colorspace_set_xy_and_XYZ(png_const_structrp png_ptr, 1707 png_colorspacerp colorspace, const png_xy *xy, const png_XYZ *XYZ, 1708 int preferred) 1709 { 1710 if ((colorspace->flags & PNG_COLORSPACE_INVALID) != 0) 1711 return 0; 1712 1713 /* The consistency check is performed on the chromaticities; this factors out 1714 * variations because of the normalization (or not) of the end point Y 1715 * values. 1716 */ 1717 if (preferred < 2 && 1718 (colorspace->flags & PNG_COLORSPACE_HAVE_ENDPOINTS) != 0) 1719 { 1720 /* The end points must be reasonably close to any we already have. The 1721 * following allows an error of up to +/-.001 1722 */ 1723 if (png_colorspace_endpoints_match(xy, &colorspace->end_points_xy, 1724 100) == 0) 1725 { 1726 colorspace->flags |= PNG_COLORSPACE_INVALID; 1727 png_benign_error(png_ptr, "inconsistent chromaticities"); 1728 return 0; /* failed */ 1729 } 1730 1731 /* Only overwrite with preferred values */ 1732 if (preferred == 0) 1733 return 1; /* ok, but no change */ 1734 } 1735 1736 colorspace->end_points_xy = *xy; 1737 colorspace->end_points_XYZ = *XYZ; 1738 colorspace->flags |= PNG_COLORSPACE_HAVE_ENDPOINTS; 1739 1740 /* The end points are normally quoted to two decimal digits, so allow +/-0.01 1741 * on this test. 1742 */ 1743 if (png_colorspace_endpoints_match(xy, &sRGB_xy, 1000) != 0) 1744 colorspace->flags |= PNG_COLORSPACE_ENDPOINTS_MATCH_sRGB; 1745 1746 else 1747 colorspace->flags &= PNG_COLORSPACE_CANCEL( 1748 PNG_COLORSPACE_ENDPOINTS_MATCH_sRGB); 1749 1750 return 2; /* ok and changed */ 1751 } 1752 1753 int /* PRIVATE */ 1754 png_colorspace_set_chromaticities(png_const_structrp png_ptr, 1755 png_colorspacerp colorspace, const png_xy *xy, int preferred) 1756 { 1757 /* We must check the end points to ensure they are reasonable - in the past 1758 * color management systems have crashed as a result of getting bogus 1759 * colorant values, while this isn't the fault of libpng it is the 1760 * responsibility of libpng because PNG carries the bomb and libpng is in a 1761 * position to protect against it. 1762 */ 1763 png_XYZ XYZ; 1764 1765 switch (png_colorspace_check_xy(&XYZ, xy)) 1766 { 1767 case 0: /* success */ 1768 return png_colorspace_set_xy_and_XYZ(png_ptr, colorspace, xy, &XYZ, 1769 preferred); 1770 1771 case 1: 1772 /* We can't invert the chromaticities so we can't produce value XYZ 1773 * values. Likely as not a color management system will fail too. 1774 */ 1775 colorspace->flags |= PNG_COLORSPACE_INVALID; 1776 png_benign_error(png_ptr, "invalid chromaticities"); 1777 break; 1778 1779 default: 1780 /* libpng is broken; this should be a warning but if it happens we 1781 * want error reports so for the moment it is an error. 1782 */ 1783 colorspace->flags |= PNG_COLORSPACE_INVALID; 1784 png_error(png_ptr, "internal error checking chromaticities"); 1785 } 1786 1787 return 0; /* failed */ 1788 } 1789 1790 int /* PRIVATE */ 1791 png_colorspace_set_endpoints(png_const_structrp png_ptr, 1792 png_colorspacerp colorspace, const png_XYZ *XYZ_in, int preferred) 1793 { 1794 png_XYZ XYZ = *XYZ_in; 1795 png_xy xy; 1796 1797 switch (png_colorspace_check_XYZ(&xy, &XYZ)) 1798 { 1799 case 0: 1800 return png_colorspace_set_xy_and_XYZ(png_ptr, colorspace, &xy, &XYZ, 1801 preferred); 1802 1803 case 1: 1804 /* End points are invalid. */ 1805 colorspace->flags |= PNG_COLORSPACE_INVALID; 1806 png_benign_error(png_ptr, "invalid end points"); 1807 break; 1808 1809 default: 1810 colorspace->flags |= PNG_COLORSPACE_INVALID; 1811 png_error(png_ptr, "internal error checking chromaticities"); 1812 } 1813 1814 return 0; /* failed */ 1815 } 1816 1817 #if defined(PNG_sRGB_SUPPORTED) || defined(PNG_iCCP_SUPPORTED) 1818 /* Error message generation */ 1819 static char 1820 png_icc_tag_char(png_uint_32 byte) 1821 { 1822 byte &= 0xff; 1823 if (byte >= 32 && byte <= 126) 1824 return (char)byte; 1825 else 1826 return '?'; 1827 } 1828 1829 static void 1830 png_icc_tag_name(char *name, png_uint_32 tag) 1831 { 1832 name[0] = '\''; 1833 name[1] = png_icc_tag_char(tag >> 24); 1834 name[2] = png_icc_tag_char(tag >> 16); 1835 name[3] = png_icc_tag_char(tag >> 8); 1836 name[4] = png_icc_tag_char(tag ); 1837 name[5] = '\''; 1838 } 1839 1840 static int 1841 is_ICC_signature_char(png_alloc_size_t it) 1842 { 1843 return it == 32 || (it >= 48 && it <= 57) || (it >= 65 && it <= 90) || 1844 (it >= 97 && it <= 122); 1845 } 1846 1847 static int 1848 is_ICC_signature(png_alloc_size_t it) 1849 { 1850 return is_ICC_signature_char(it >> 24) /* checks all the top bits */ && 1851 is_ICC_signature_char((it >> 16) & 0xff) && 1852 is_ICC_signature_char((it >> 8) & 0xff) && 1853 is_ICC_signature_char(it & 0xff); 1854 } 1855 1856 static int 1857 png_icc_profile_error(png_const_structrp png_ptr, png_colorspacerp colorspace, 1858 png_const_charp name, png_alloc_size_t value, png_const_charp reason) 1859 { 1860 size_t pos; 1861 char message[196]; /* see below for calculation */ 1862 1863 if (colorspace != NULL) 1864 colorspace->flags |= PNG_COLORSPACE_INVALID; 1865 1866 pos = png_safecat(message, (sizeof message), 0, "profile '"); /* 9 chars */ 1867 pos = png_safecat(message, pos+79, pos, name); /* Truncate to 79 chars */ 1868 pos = png_safecat(message, (sizeof message), pos, "': "); /* +2 = 90 */ 1869 if (is_ICC_signature(value) != 0) 1870 { 1871 /* So 'value' is at most 4 bytes and the following cast is safe */ 1872 png_icc_tag_name(message+pos, (png_uint_32)value); 1873 pos += 6; /* total +8; less than the else clause */ 1874 message[pos++] = ':'; 1875 message[pos++] = ' '; 1876 } 1877 # ifdef PNG_WARNINGS_SUPPORTED 1878 else 1879 { 1880 char number[PNG_NUMBER_BUFFER_SIZE]; /* +24 = 114*/ 1881 1882 pos = png_safecat(message, (sizeof message), pos, 1883 png_format_number(number, number+(sizeof number), 1884 PNG_NUMBER_FORMAT_x, value)); 1885 pos = png_safecat(message, (sizeof message), pos, "h: "); /*+2 = 116*/ 1886 } 1887 # endif 1888 /* The 'reason' is an arbitrary message, allow +79 maximum 195 */ 1889 pos = png_safecat(message, (sizeof message), pos, reason); 1890 PNG_UNUSED(pos) 1891 1892 /* This is recoverable, but make it unconditionally an app_error on write to 1893 * avoid writing invalid ICC profiles into PNG files (i.e., we handle them 1894 * on read, with a warning, but on write unless the app turns off 1895 * application errors the PNG won't be written.) 1896 */ 1897 png_chunk_report(png_ptr, message, 1898 (colorspace != NULL) ? PNG_CHUNK_ERROR : PNG_CHUNK_WRITE_ERROR); 1899 1900 return 0; 1901 } 1902 #endif /* sRGB || iCCP */ 1903 1904 #ifdef PNG_sRGB_SUPPORTED 1905 int /* PRIVATE */ 1906 png_colorspace_set_sRGB(png_const_structrp png_ptr, png_colorspacerp colorspace, 1907 int intent) 1908 { 1909 /* sRGB sets known gamma, end points and (from the chunk) intent. */ 1910 /* IMPORTANT: these are not necessarily the values found in an ICC profile 1911 * because ICC profiles store values adapted to a D50 environment; it is 1912 * expected that the ICC profile mediaWhitePointTag will be D50; see the 1913 * checks and code elsewhere to understand this better. 1914 * 1915 * These XYZ values, which are accurate to 5dp, produce rgb to gray 1916 * coefficients of (6968,23435,2366), which are reduced (because they add up 1917 * to 32769 not 32768) to (6968,23434,2366). These are the values that 1918 * libpng has traditionally used (and are the best values given the 15bit 1919 * algorithm used by the rgb to gray code.) 1920 */ 1921 static const png_XYZ sRGB_XYZ = /* D65 XYZ (*not* the D50 adapted values!) */ 1922 { 1923 /* color X Y Z */ 1924 /* red */ 41239, 21264, 1933, 1925 /* green */ 35758, 71517, 11919, 1926 /* blue */ 18048, 7219, 95053 1927 }; 1928 1929 /* Do nothing if the colorspace is already invalidated. */ 1930 if ((colorspace->flags & PNG_COLORSPACE_INVALID) != 0) 1931 return 0; 1932 1933 /* Check the intent, then check for existing settings. It is valid for the 1934 * PNG file to have cHRM or gAMA chunks along with sRGB, but the values must 1935 * be consistent with the correct values. If, however, this function is 1936 * called below because an iCCP chunk matches sRGB then it is quite 1937 * conceivable that an older app recorded incorrect gAMA and cHRM because of 1938 * an incorrect calculation based on the values in the profile - this does 1939 * *not* invalidate the profile (though it still produces an error, which can 1940 * be ignored.) 1941 */ 1942 if (intent < 0 || intent >= PNG_sRGB_INTENT_LAST) 1943 return png_icc_profile_error(png_ptr, colorspace, "sRGB", 1944 (png_alloc_size_t)intent, "invalid sRGB rendering intent"); 1945 1946 if ((colorspace->flags & PNG_COLORSPACE_HAVE_INTENT) != 0 && 1947 colorspace->rendering_intent != intent) 1948 return png_icc_profile_error(png_ptr, colorspace, "sRGB", 1949 (png_alloc_size_t)intent, "inconsistent rendering intents"); 1950 1951 if ((colorspace->flags & PNG_COLORSPACE_FROM_sRGB) != 0) 1952 { 1953 png_benign_error(png_ptr, "duplicate sRGB information ignored"); 1954 return 0; 1955 } 1956 1957 /* If the standard sRGB cHRM chunk does not match the one from the PNG file 1958 * warn but overwrite the value with the correct one. 1959 */ 1960 if ((colorspace->flags & PNG_COLORSPACE_HAVE_ENDPOINTS) != 0 && 1961 !png_colorspace_endpoints_match(&sRGB_xy, &colorspace->end_points_xy, 1962 100)) 1963 png_chunk_report(png_ptr, "cHRM chunk does not match sRGB", 1964 PNG_CHUNK_ERROR); 1965 1966 /* This check is just done for the error reporting - the routine always 1967 * returns true when the 'from' argument corresponds to sRGB (2). 1968 */ 1969 (void)png_colorspace_check_gamma(png_ptr, colorspace, PNG_GAMMA_sRGB_INVERSE, 1970 2/*from sRGB*/); 1971 1972 /* intent: bugs in GCC force 'int' to be used as the parameter type. */ 1973 colorspace->rendering_intent = (png_uint_16)intent; 1974 colorspace->flags |= PNG_COLORSPACE_HAVE_INTENT; 1975 1976 /* endpoints */ 1977 colorspace->end_points_xy = sRGB_xy; 1978 colorspace->end_points_XYZ = sRGB_XYZ; 1979 colorspace->flags |= 1980 (PNG_COLORSPACE_HAVE_ENDPOINTS|PNG_COLORSPACE_ENDPOINTS_MATCH_sRGB); 1981 1982 /* gamma */ 1983 colorspace->gamma = PNG_GAMMA_sRGB_INVERSE; 1984 colorspace->flags |= PNG_COLORSPACE_HAVE_GAMMA; 1985 1986 /* Finally record that we have an sRGB profile */ 1987 colorspace->flags |= 1988 (PNG_COLORSPACE_MATCHES_sRGB|PNG_COLORSPACE_FROM_sRGB); 1989 1990 return 1; /* set */ 1991 } 1992 #endif /* sRGB */ 1993 1994 #ifdef PNG_iCCP_SUPPORTED 1995 /* Encoded value of D50 as an ICC XYZNumber. From the ICC 2010 spec the value 1996 * is XYZ(0.9642,1.0,0.8249), which scales to: 1997 * 1998 * (63189.8112, 65536, 54060.6464) 1999 */ 2000 static const png_byte D50_nCIEXYZ[12] = 2001 { 0x00, 0x00, 0xf6, 0xd6, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0xd3, 0x2d }; 2002 2003 static int /* bool */ 2004 icc_check_length(png_const_structrp png_ptr, png_colorspacerp colorspace, 2005 png_const_charp name, png_uint_32 profile_length) 2006 { 2007 if (profile_length < 132) 2008 return png_icc_profile_error(png_ptr, colorspace, name, profile_length, 2009 "too short"); 2010 return 1; 2011 } 2012 2013 #ifdef PNG_READ_iCCP_SUPPORTED 2014 int /* PRIVATE */ 2015 png_icc_check_length(png_const_structrp png_ptr, png_colorspacerp colorspace, 2016 png_const_charp name, png_uint_32 profile_length) 2017 { 2018 if (!icc_check_length(png_ptr, colorspace, name, profile_length)) 2019 return 0; 2020 2021 /* This needs to be here because the 'normal' check is in 2022 * png_decompress_chunk, yet this happens after the attempt to 2023 * png_malloc_base the required data. We only need this on read; on write 2024 * the caller supplies the profile buffer so libpng doesn't allocate it. See 2025 * the call to icc_check_length below (the write case). 2026 */ 2027 # ifdef PNG_SET_USER_LIMITS_SUPPORTED 2028 else if (png_ptr->user_chunk_malloc_max > 0 && 2029 png_ptr->user_chunk_malloc_max < profile_length) 2030 return png_icc_profile_error(png_ptr, colorspace, name, profile_length, 2031 "exceeds application limits"); 2032 # elif PNG_USER_CHUNK_MALLOC_MAX > 0 2033 else if (PNG_USER_CHUNK_MALLOC_MAX < profile_length) 2034 return png_icc_profile_error(png_ptr, colorspace, name, profile_length, 2035 "exceeds libpng limits"); 2036 # else /* !SET_USER_LIMITS */ 2037 /* This will get compiled out on all 32-bit and better systems. */ 2038 else if (PNG_SIZE_MAX < profile_length) 2039 return png_icc_profile_error(png_ptr, colorspace, name, profile_length, 2040 "exceeds system limits"); 2041 # endif /* !SET_USER_LIMITS */ 2042 2043 return 1; 2044 } 2045 #endif /* READ_iCCP */ 2046 2047 int /* PRIVATE */ 2048 png_icc_check_header(png_const_structrp png_ptr, png_colorspacerp colorspace, 2049 png_const_charp name, png_uint_32 profile_length, 2050 png_const_bytep profile/* first 132 bytes only */, int color_type) 2051 { 2052 png_uint_32 temp; 2053 2054 /* Length check; this cannot be ignored in this code because profile_length 2055 * is used later to check the tag table, so even if the profile seems over 2056 * long profile_length from the caller must be correct. The caller can fix 2057 * this up on read or write by just passing in the profile header length. 2058 */ 2059 temp = png_get_uint_32(profile); 2060 if (temp != profile_length) 2061 return png_icc_profile_error(png_ptr, colorspace, name, temp, 2062 "length does not match profile"); 2063 2064 temp = (png_uint_32) (*(profile+8)); 2065 if (temp > 3 && (profile_length & 3)) 2066 return png_icc_profile_error(png_ptr, colorspace, name, profile_length, 2067 "invalid length"); 2068 2069 temp = png_get_uint_32(profile+128); /* tag count: 12 bytes/tag */ 2070 if (temp > 357913930 || /* (2^32-4-132)/12: maximum possible tag count */ 2071 profile_length < 132+12*temp) /* truncated tag table */ 2072 return png_icc_profile_error(png_ptr, colorspace, name, temp, 2073 "tag count too large"); 2074 2075 /* The 'intent' must be valid or we can't store it, ICC limits the intent to 2076 * 16 bits. 2077 */ 2078 temp = png_get_uint_32(profile+64); 2079 if (temp >= 0xffff) /* The ICC limit */ 2080 return png_icc_profile_error(png_ptr, colorspace, name, temp, 2081 "invalid rendering intent"); 2082 2083 /* This is just a warning because the profile may be valid in future 2084 * versions. 2085 */ 2086 if (temp >= PNG_sRGB_INTENT_LAST) 2087 (void)png_icc_profile_error(png_ptr, NULL, name, temp, 2088 "intent outside defined range"); 2089 2090 /* At this point the tag table can't be checked because it hasn't necessarily 2091 * been loaded; however, various header fields can be checked. These checks 2092 * are for values permitted by the PNG spec in an ICC profile; the PNG spec 2093 * restricts the profiles that can be passed in an iCCP chunk (they must be 2094 * appropriate to processing PNG data!) 2095 */ 2096 2097 /* Data checks (could be skipped). These checks must be independent of the 2098 * version number; however, the version number doesn't accomodate changes in 2099 * the header fields (just the known tags and the interpretation of the 2100 * data.) 2101 */ 2102 temp = png_get_uint_32(profile+36); /* signature 'ascp' */ 2103 if (temp != 0x61637370) 2104 return png_icc_profile_error(png_ptr, colorspace, name, temp, 2105 "invalid signature"); 2106 2107 /* Currently the PCS illuminant/adopted white point (the computational 2108 * white point) are required to be D50, 2109 * however the profile contains a record of the illuminant so perhaps ICC 2110 * expects to be able to change this in the future (despite the rationale in 2111 * the introduction for using a fixed PCS adopted white.) Consequently the 2112 * following is just a warning. 2113 */ 2114 if (memcmp(profile+68, D50_nCIEXYZ, 12) != 0) 2115 (void)png_icc_profile_error(png_ptr, NULL, name, 0/*no tag value*/, 2116 "PCS illuminant is not D50"); 2117 2118 /* The PNG spec requires this: 2119 * "If the iCCP chunk is present, the image samples conform to the colour 2120 * space represented by the embedded ICC profile as defined by the 2121 * International Color Consortium [ICC]. The colour space of the ICC profile 2122 * shall be an RGB colour space for colour images (PNG colour types 2, 3, and 2123 * 6), or a greyscale colour space for greyscale images (PNG colour types 0 2124 * and 4)." 2125 * 2126 * This checking code ensures the embedded profile (on either read or write) 2127 * conforms to the specification requirements. Notice that an ICC 'gray' 2128 * color-space profile contains the information to transform the monochrome 2129 * data to XYZ or L*a*b (according to which PCS the profile uses) and this 2130 * should be used in preference to the standard libpng K channel replication 2131 * into R, G and B channels. 2132 * 2133 * Previously it was suggested that an RGB profile on grayscale data could be 2134 * handled. However it it is clear that using an RGB profile in this context 2135 * must be an error - there is no specification of what it means. Thus it is 2136 * almost certainly more correct to ignore the profile. 2137 */ 2138 temp = png_get_uint_32(profile+16); /* data colour space field */ 2139 switch (temp) 2140 { 2141 case 0x52474220: /* 'RGB ' */ 2142 if ((color_type & PNG_COLOR_MASK_COLOR) == 0) 2143 return png_icc_profile_error(png_ptr, colorspace, name, temp, 2144 "RGB color space not permitted on grayscale PNG"); 2145 break; 2146 2147 case 0x47524159: /* 'GRAY' */ 2148 if ((color_type & PNG_COLOR_MASK_COLOR) != 0) 2149 return png_icc_profile_error(png_ptr, colorspace, name, temp, 2150 "Gray color space not permitted on RGB PNG"); 2151 break; 2152 2153 default: 2154 return png_icc_profile_error(png_ptr, colorspace, name, temp, 2155 "invalid ICC profile color space"); 2156 } 2157 2158 /* It is up to the application to check that the profile class matches the 2159 * application requirements; the spec provides no guidance, but it's pretty 2160 * weird if the profile is not scanner ('scnr'), monitor ('mntr'), printer 2161 * ('prtr') or 'spac' (for generic color spaces). Issue a warning in these 2162 * cases. Issue an error for device link or abstract profiles - these don't 2163 * contain the records necessary to transform the color-space to anything 2164 * other than the target device (and not even that for an abstract profile). 2165 * Profiles of these classes may not be embedded in images. 2166 */ 2167 temp = png_get_uint_32(profile+12); /* profile/device class */ 2168 switch (temp) 2169 { 2170 case 0x73636e72: /* 'scnr' */ 2171 case 0x6d6e7472: /* 'mntr' */ 2172 case 0x70727472: /* 'prtr' */ 2173 case 0x73706163: /* 'spac' */ 2174 /* All supported */ 2175 break; 2176 2177 case 0x61627374: /* 'abst' */ 2178 /* May not be embedded in an image */ 2179 return png_icc_profile_error(png_ptr, colorspace, name, temp, 2180 "invalid embedded Abstract ICC profile"); 2181 2182 case 0x6c696e6b: /* 'link' */ 2183 /* DeviceLink profiles cannot be interpreted in a non-device specific 2184 * fashion, if an app uses the AToB0Tag in the profile the results are 2185 * undefined unless the result is sent to the intended device, 2186 * therefore a DeviceLink profile should not be found embedded in a 2187 * PNG. 2188 */ 2189 return png_icc_profile_error(png_ptr, colorspace, name, temp, 2190 "unexpected DeviceLink ICC profile class"); 2191 2192 case 0x6e6d636c: /* 'nmcl' */ 2193 /* A NamedColor profile is also device specific, however it doesn't 2194 * contain an AToB0 tag that is open to misinterpretation. Almost 2195 * certainly it will fail the tests below. 2196 */ 2197 (void)png_icc_profile_error(png_ptr, NULL, name, temp, 2198 "unexpected NamedColor ICC profile class"); 2199 break; 2200 2201 default: 2202 /* To allow for future enhancements to the profile accept unrecognized 2203 * profile classes with a warning, these then hit the test below on the 2204 * tag content to ensure they are backward compatible with one of the 2205 * understood profiles. 2206 */ 2207 (void)png_icc_profile_error(png_ptr, NULL, name, temp, 2208 "unrecognized ICC profile class"); 2209 break; 2210 } 2211 2212 /* For any profile other than a device link one the PCS must be encoded 2213 * either in XYZ or Lab. 2214 */ 2215 temp = png_get_uint_32(profile+20); 2216 switch (temp) 2217 { 2218 case 0x58595a20: /* 'XYZ ' */ 2219 case 0x4c616220: /* 'Lab ' */ 2220 break; 2221 2222 default: 2223 return png_icc_profile_error(png_ptr, colorspace, name, temp, 2224 "unexpected ICC PCS encoding"); 2225 } 2226 2227 return 1; 2228 } 2229 2230 int /* PRIVATE */ 2231 png_icc_check_tag_table(png_const_structrp png_ptr, png_colorspacerp colorspace, 2232 png_const_charp name, png_uint_32 profile_length, 2233 png_const_bytep profile /* header plus whole tag table */) 2234 { 2235 png_uint_32 tag_count = png_get_uint_32(profile+128); 2236 png_uint_32 itag; 2237 png_const_bytep tag = profile+132; /* The first tag */ 2238 2239 /* First scan all the tags in the table and add bits to the icc_info value 2240 * (temporarily in 'tags'). 2241 */ 2242 for (itag=0; itag < tag_count; ++itag, tag += 12) 2243 { 2244 png_uint_32 tag_id = png_get_uint_32(tag+0); 2245 png_uint_32 tag_start = png_get_uint_32(tag+4); /* must be aligned */ 2246 png_uint_32 tag_length = png_get_uint_32(tag+8);/* not padded */ 2247 2248 /* The ICC specification does not exclude zero length tags, therefore the 2249 * start might actually be anywhere if there is no data, but this would be 2250 * a clear abuse of the intent of the standard so the start is checked for 2251 * being in range. All defined tag types have an 8 byte header - a 4 byte 2252 * type signature then 0. 2253 */ 2254 2255 /* This is a hard error; potentially it can cause read outside the 2256 * profile. 2257 */ 2258 if (tag_start > profile_length || tag_length > profile_length - tag_start) 2259 return png_icc_profile_error(png_ptr, colorspace, name, tag_id, 2260 "ICC profile tag outside profile"); 2261 2262 if ((tag_start & 3) != 0) 2263 { 2264 /* CNHP730S.icc shipped with Microsoft Windows 64 violates this; it is 2265 * only a warning here because libpng does not care about the 2266 * alignment. 2267 */ 2268 (void)png_icc_profile_error(png_ptr, NULL, name, tag_id, 2269 "ICC profile tag start not a multiple of 4"); 2270 } 2271 } 2272 2273 return 1; /* success, maybe with warnings */ 2274 } 2275 2276 #ifdef PNG_sRGB_SUPPORTED 2277 #if PNG_sRGB_PROFILE_CHECKS >= 0 2278 /* Information about the known ICC sRGB profiles */ 2279 static const struct 2280 { 2281 png_uint_32 adler, crc, length; 2282 png_uint_32 md5[4]; 2283 png_byte have_md5; 2284 png_byte is_broken; 2285 png_uint_16 intent; 2286 2287 # define PNG_MD5(a,b,c,d) { a, b, c, d }, (a!=0)||(b!=0)||(c!=0)||(d!=0) 2288 # define PNG_ICC_CHECKSUM(adler, crc, md5, intent, broke, date, length, fname)\ 2289 { adler, crc, length, md5, broke, intent }, 2290 2291 } png_sRGB_checks[] = 2292 { 2293 /* This data comes from contrib/tools/checksum-icc run on downloads of 2294 * all four ICC sRGB profiles from www.color.org. 2295 */ 2296 /* adler32, crc32, MD5[4], intent, date, length, file-name */ 2297 PNG_ICC_CHECKSUM(0x0a3fd9f6, 0x3b8772b9, 2298 PNG_MD5(0x29f83dde, 0xaff255ae, 0x7842fae4, 0xca83390d), 0, 0, 2299 "2009/03/27 21:36:31", 3048, "sRGB_IEC61966-2-1_black_scaled.icc") 2300 2301 /* ICC sRGB v2 perceptual no black-compensation: */ 2302 PNG_ICC_CHECKSUM(0x4909e5e1, 0x427ebb21, 2303 PNG_MD5(0xc95bd637, 0xe95d8a3b, 0x0df38f99, 0xc1320389), 1, 0, 2304 "2009/03/27 21:37:45", 3052, "sRGB_IEC61966-2-1_no_black_scaling.icc") 2305 2306 PNG_ICC_CHECKSUM(0xfd2144a1, 0x306fd8ae, 2307 PNG_MD5(0xfc663378, 0x37e2886b, 0xfd72e983, 0x8228f1b8), 0, 0, 2308 "2009/08/10 17:28:01", 60988, "sRGB_v4_ICC_preference_displayclass.icc") 2309 2310 /* ICC sRGB v4 perceptual */ 2311 PNG_ICC_CHECKSUM(0x209c35d2, 0xbbef7812, 2312 PNG_MD5(0x34562abf, 0x994ccd06, 0x6d2c5721, 0xd0d68c5d), 0, 0, 2313 "2007/07/25 00:05:37", 60960, "sRGB_v4_ICC_preference.icc") 2314 2315 /* The following profiles have no known MD5 checksum. If there is a match 2316 * on the (empty) MD5 the other fields are used to attempt a match and 2317 * a warning is produced. The first two of these profiles have a 'cprt' tag 2318 * which suggests that they were also made by Hewlett Packard. 2319 */ 2320 PNG_ICC_CHECKSUM(0xa054d762, 0x5d5129ce, 2321 PNG_MD5(0x00000000, 0x00000000, 0x00000000, 0x00000000), 1, 0, 2322 "2004/07/21 18:57:42", 3024, "sRGB_IEC61966-2-1_noBPC.icc") 2323 2324 /* This is a 'mntr' (display) profile with a mediaWhitePointTag that does not 2325 * match the D50 PCS illuminant in the header (it is in fact the D65 values, 2326 * so the white point is recorded as the un-adapted value.) The profiles 2327 * below only differ in one byte - the intent - and are basically the same as 2328 * the previous profile except for the mediaWhitePointTag error and a missing 2329 * chromaticAdaptationTag. 2330 */ 2331 PNG_ICC_CHECKSUM(0xf784f3fb, 0x182ea552, 2332 PNG_MD5(0x00000000, 0x00000000, 0x00000000, 0x00000000), 0, 1/*broken*/, 2333 "1998/02/09 06:49:00", 3144, "HP-Microsoft sRGB v2 perceptual") 2334 2335 PNG_ICC_CHECKSUM(0x0398f3fc, 0xf29e526d, 2336 PNG_MD5(0x00000000, 0x00000000, 0x00000000, 0x00000000), 1, 1/*broken*/, 2337 "1998/02/09 06:49:00", 3144, "HP-Microsoft sRGB v2 media-relative") 2338 }; 2339 2340 static int 2341 png_compare_ICC_profile_with_sRGB(png_const_structrp png_ptr, 2342 png_const_bytep profile, uLong adler) 2343 { 2344 /* The quick check is to verify just the MD5 signature and trust the 2345 * rest of the data. Because the profile has already been verified for 2346 * correctness this is safe. png_colorspace_set_sRGB will check the 'intent' 2347 * field too, so if the profile has been edited with an intent not defined 2348 * by sRGB (but maybe defined by a later ICC specification) the read of 2349 * the profile will fail at that point. 2350 */ 2351 2352 png_uint_32 length = 0; 2353 png_uint_32 intent = 0x10000; /* invalid */ 2354 #if PNG_sRGB_PROFILE_CHECKS > 1 2355 uLong crc = 0; /* the value for 0 length data */ 2356 #endif 2357 unsigned int i; 2358 2359 #ifdef PNG_SET_OPTION_SUPPORTED 2360 /* First see if PNG_SKIP_sRGB_CHECK_PROFILE has been set to "on" */ 2361 if (((png_ptr->options >> PNG_SKIP_sRGB_CHECK_PROFILE) & 3) == 2362 PNG_OPTION_ON) 2363 return 0; 2364 #endif 2365 2366 for (i=0; i < (sizeof png_sRGB_checks) / (sizeof png_sRGB_checks[0]); ++i) 2367 { 2368 if (png_get_uint_32(profile+84) == png_sRGB_checks[i].md5[0] && 2369 png_get_uint_32(profile+88) == png_sRGB_checks[i].md5[1] && 2370 png_get_uint_32(profile+92) == png_sRGB_checks[i].md5[2] && 2371 png_get_uint_32(profile+96) == png_sRGB_checks[i].md5[3]) 2372 { 2373 /* This may be one of the old HP profiles without an MD5, in that 2374 * case we can only use the length and Adler32 (note that these 2375 * are not used by default if there is an MD5!) 2376 */ 2377 # if PNG_sRGB_PROFILE_CHECKS == 0 2378 if (png_sRGB_checks[i].have_md5 != 0) 2379 return 1+png_sRGB_checks[i].is_broken; 2380 # endif 2381 2382 /* Profile is unsigned or more checks have been configured in. */ 2383 if (length == 0) 2384 { 2385 length = png_get_uint_32(profile); 2386 intent = png_get_uint_32(profile+64); 2387 } 2388 2389 /* Length *and* intent must match */ 2390 if (length == (png_uint_32) png_sRGB_checks[i].length && 2391 intent == (png_uint_32) png_sRGB_checks[i].intent) 2392 { 2393 /* Now calculate the adler32 if not done already. */ 2394 if (adler == 0) 2395 { 2396 adler = adler32(0, NULL, 0); 2397 adler = adler32(adler, profile, length); 2398 } 2399 2400 if (adler == png_sRGB_checks[i].adler) 2401 { 2402 /* These basic checks suggest that the data has not been 2403 * modified, but if the check level is more than 1 perform 2404 * our own crc32 checksum on the data. 2405 */ 2406 # if PNG_sRGB_PROFILE_CHECKS > 1 2407 if (crc == 0) 2408 { 2409 crc = crc32(0, NULL, 0); 2410 crc = crc32(crc, profile, length); 2411 } 2412 2413 /* So this check must pass for the 'return' below to happen. 2414 */ 2415 if (crc == png_sRGB_checks[i].crc) 2416 # endif 2417 { 2418 if (png_sRGB_checks[i].is_broken != 0) 2419 { 2420 /* These profiles are known to have bad data that may cause 2421 * problems if they are used, therefore attempt to 2422 * discourage their use, skip the 'have_md5' warning below, 2423 * which is made irrelevant by this error. 2424 */ 2425 png_chunk_report(png_ptr, "known incorrect sRGB profile", 2426 PNG_CHUNK_ERROR); 2427 } 2428 2429 /* Warn that this being done; this isn't even an error since 2430 * the profile is perfectly valid, but it would be nice if 2431 * people used the up-to-date ones. 2432 */ 2433 else if (png_sRGB_checks[i].have_md5 == 0) 2434 { 2435 png_chunk_report(png_ptr, 2436 "out-of-date sRGB profile with no signature", 2437 PNG_CHUNK_WARNING); 2438 } 2439 2440 return 1+png_sRGB_checks[i].is_broken; 2441 } 2442 } 2443 2444 # if PNG_sRGB_PROFILE_CHECKS > 0 2445 /* The signature matched, but the profile had been changed in some 2446 * way. This probably indicates a data error or uninformed hacking. 2447 * Fall through to "no match". 2448 */ 2449 png_chunk_report(png_ptr, 2450 "Not recognizing known sRGB profile that has been edited", 2451 PNG_CHUNK_WARNING); 2452 break; 2453 # endif 2454 } 2455 } 2456 } 2457 2458 return 0; /* no match */ 2459 } 2460 2461 void /* PRIVATE */ 2462 png_icc_set_sRGB(png_const_structrp png_ptr, 2463 png_colorspacerp colorspace, png_const_bytep profile, uLong adler) 2464 { 2465 /* Is this profile one of the known ICC sRGB profiles? If it is, just set 2466 * the sRGB information. 2467 */ 2468 if (png_compare_ICC_profile_with_sRGB(png_ptr, profile, adler) != 0) 2469 (void)png_colorspace_set_sRGB(png_ptr, colorspace, 2470 (int)/*already checked*/png_get_uint_32(profile+64)); 2471 } 2472 #endif /* PNG_sRGB_PROFILE_CHECKS >= 0 */ 2473 #endif /* sRGB */ 2474 2475 int /* PRIVATE */ 2476 png_colorspace_set_ICC(png_const_structrp png_ptr, png_colorspacerp colorspace, 2477 png_const_charp name, png_uint_32 profile_length, png_const_bytep profile, 2478 int color_type) 2479 { 2480 if ((colorspace->flags & PNG_COLORSPACE_INVALID) != 0) 2481 return 0; 2482 2483 if (icc_check_length(png_ptr, colorspace, name, profile_length) != 0 && 2484 png_icc_check_header(png_ptr, colorspace, name, profile_length, profile, 2485 color_type) != 0 && 2486 png_icc_check_tag_table(png_ptr, colorspace, name, profile_length, 2487 profile) != 0) 2488 { 2489 # if defined(PNG_sRGB_SUPPORTED) && PNG_sRGB_PROFILE_CHECKS >= 0 2490 /* If no sRGB support, don't try storing sRGB information */ 2491 png_icc_set_sRGB(png_ptr, colorspace, profile, 0); 2492 # endif 2493 return 1; 2494 } 2495 2496 /* Failure case */ 2497 return 0; 2498 } 2499 #endif /* iCCP */ 2500 2501 #ifdef PNG_READ_RGB_TO_GRAY_SUPPORTED 2502 void /* PRIVATE */ 2503 png_colorspace_set_rgb_coefficients(png_structrp png_ptr) 2504 { 2505 /* Set the rgb_to_gray coefficients from the colorspace. */ 2506 if (png_ptr->rgb_to_gray_coefficients_set == 0 && 2507 (png_ptr->colorspace.flags & PNG_COLORSPACE_HAVE_ENDPOINTS) != 0) 2508 { 2509 /* png_set_background has not been called, get the coefficients from the Y 2510 * values of the colorspace colorants. 2511 */ 2512 png_fixed_point r = png_ptr->colorspace.end_points_XYZ.red_Y; 2513 png_fixed_point g = png_ptr->colorspace.end_points_XYZ.green_Y; 2514 png_fixed_point b = png_ptr->colorspace.end_points_XYZ.blue_Y; 2515 png_fixed_point total = r+g+b; 2516 2517 if (total > 0 && 2518 r >= 0 && png_muldiv(&r, r, 32768, total) && r >= 0 && r <= 32768 && 2519 g >= 0 && png_muldiv(&g, g, 32768, total) && g >= 0 && g <= 32768 && 2520 b >= 0 && png_muldiv(&b, b, 32768, total) && b >= 0 && b <= 32768 && 2521 r+g+b <= 32769) 2522 { 2523 /* We allow 0 coefficients here. r+g+b may be 32769 if two or 2524 * all of the coefficients were rounded up. Handle this by 2525 * reducing the *largest* coefficient by 1; this matches the 2526 * approach used for the default coefficients in pngrtran.c 2527 */ 2528 int add = 0; 2529 2530 if (r+g+b > 32768) 2531 add = -1; 2532 else if (r+g+b < 32768) 2533 add = 1; 2534 2535 if (add != 0) 2536 { 2537 if (g >= r && g >= b) 2538 g += add; 2539 else if (r >= g && r >= b) 2540 r += add; 2541 else 2542 b += add; 2543 } 2544 2545 /* Check for an internal error. */ 2546 if (r+g+b != 32768) 2547 png_error(png_ptr, 2548 "internal error handling cHRM coefficients"); 2549 2550 else 2551 { 2552 png_ptr->rgb_to_gray_red_coeff = (png_uint_16)r; 2553 png_ptr->rgb_to_gray_green_coeff = (png_uint_16)g; 2554 } 2555 } 2556 2557 /* This is a png_error at present even though it could be ignored - 2558 * it should never happen, but it is important that if it does, the 2559 * bug is fixed. 2560 */ 2561 else 2562 png_error(png_ptr, "internal error handling cHRM->XYZ"); 2563 } 2564 } 2565 #endif /* READ_RGB_TO_GRAY */ 2566 2567 #endif /* COLORSPACE */ 2568 2569 #ifdef __GNUC__ 2570 /* This exists solely to work round a warning from GNU C. */ 2571 static int /* PRIVATE */ 2572 png_gt(size_t a, size_t b) 2573 { 2574 return a > b; 2575 } 2576 #else 2577 # define png_gt(a,b) ((a) > (b)) 2578 #endif 2579 2580 void /* PRIVATE */ 2581 png_check_IHDR(png_const_structrp png_ptr, 2582 png_uint_32 width, png_uint_32 height, int bit_depth, 2583 int color_type, int interlace_type, int compression_type, 2584 int filter_type) 2585 { 2586 int error = 0; 2587 2588 /* Check for width and height valid values */ 2589 if (width == 0) 2590 { 2591 png_warning(png_ptr, "Image width is zero in IHDR"); 2592 error = 1; 2593 } 2594 2595 if (width > PNG_UINT_31_MAX) 2596 { 2597 png_warning(png_ptr, "Invalid image width in IHDR"); 2598 error = 1; 2599 } 2600 2601 if (png_gt(((width + 7) & (~7U)), 2602 ((PNG_SIZE_MAX 2603 - 48 /* big_row_buf hack */ 2604 - 1) /* filter byte */ 2605 / 8) /* 8-byte RGBA pixels */ 2606 - 1)) /* extra max_pixel_depth pad */ 2607 { 2608 /* The size of the row must be within the limits of this architecture. 2609 * Because the read code can perform arbitrary transformations the 2610 * maximum size is checked here. Because the code in png_read_start_row 2611 * adds extra space "for safety's sake" in several places a conservative 2612 * limit is used here. 2613 * 2614 * NOTE: it would be far better to check the size that is actually used, 2615 * but the effect in the real world is minor and the changes are more 2616 * extensive, therefore much more dangerous and much more difficult to 2617 * write in a way that avoids compiler warnings. 2618 */ 2619 png_warning(png_ptr, "Image width is too large for this architecture"); 2620 error = 1; 2621 } 2622 2623 #ifdef PNG_SET_USER_LIMITS_SUPPORTED 2624 if (width > png_ptr->user_width_max) 2625 #else 2626 if (width > PNG_USER_WIDTH_MAX) 2627 #endif 2628 { 2629 png_warning(png_ptr, "Image width exceeds user limit in IHDR"); 2630 error = 1; 2631 } 2632 2633 if (height == 0) 2634 { 2635 png_warning(png_ptr, "Image height is zero in IHDR"); 2636 error = 1; 2637 } 2638 2639 if (height > PNG_UINT_31_MAX) 2640 { 2641 png_warning(png_ptr, "Invalid image height in IHDR"); 2642 error = 1; 2643 } 2644 2645 #ifdef PNG_SET_USER_LIMITS_SUPPORTED 2646 if (height > png_ptr->user_height_max) 2647 #else 2648 if (height > PNG_USER_HEIGHT_MAX) 2649 #endif 2650 { 2651 png_warning(png_ptr, "Image height exceeds user limit in IHDR"); 2652 error = 1; 2653 } 2654 2655 /* Check other values */ 2656 if (bit_depth != 1 && bit_depth != 2 && bit_depth != 4 && 2657 bit_depth != 8 && bit_depth != 16) 2658 { 2659 png_warning(png_ptr, "Invalid bit depth in IHDR"); 2660 error = 1; 2661 } 2662 2663 if (color_type < 0 || color_type == 1 || 2664 color_type == 5 || color_type > 6) 2665 { 2666 png_warning(png_ptr, "Invalid color type in IHDR"); 2667 error = 1; 2668 } 2669 2670 if (((color_type == PNG_COLOR_TYPE_PALETTE) && bit_depth > 8) || 2671 ((color_type == PNG_COLOR_TYPE_RGB || 2672 color_type == PNG_COLOR_TYPE_GRAY_ALPHA || 2673 color_type == PNG_COLOR_TYPE_RGB_ALPHA) && bit_depth < 8)) 2674 { 2675 png_warning(png_ptr, "Invalid color type/bit depth combination in IHDR"); 2676 error = 1; 2677 } 2678 2679 if (interlace_type >= PNG_INTERLACE_LAST) 2680 { 2681 png_warning(png_ptr, "Unknown interlace method in IHDR"); 2682 error = 1; 2683 } 2684 2685 if (compression_type != PNG_COMPRESSION_TYPE_BASE) 2686 { 2687 png_warning(png_ptr, "Unknown compression method in IHDR"); 2688 error = 1; 2689 } 2690 2691 #ifdef PNG_MNG_FEATURES_SUPPORTED 2692 /* Accept filter_method 64 (intrapixel differencing) only if 2693 * 1. Libpng was compiled with PNG_MNG_FEATURES_SUPPORTED and 2694 * 2. Libpng did not read a PNG signature (this filter_method is only 2695 * used in PNG datastreams that are embedded in MNG datastreams) and 2696 * 3. The application called png_permit_mng_features with a mask that 2697 * included PNG_FLAG_MNG_FILTER_64 and 2698 * 4. The filter_method is 64 and 2699 * 5. The color_type is RGB or RGBA 2700 */ 2701 if ((png_ptr->mode & PNG_HAVE_PNG_SIGNATURE) != 0 && 2702 png_ptr->mng_features_permitted != 0) 2703 png_warning(png_ptr, "MNG features are not allowed in a PNG datastream"); 2704 2705 if (filter_type != PNG_FILTER_TYPE_BASE) 2706 { 2707 if (!((png_ptr->mng_features_permitted & PNG_FLAG_MNG_FILTER_64) != 0 && 2708 (filter_type == PNG_INTRAPIXEL_DIFFERENCING) && 2709 ((png_ptr->mode & PNG_HAVE_PNG_SIGNATURE) == 0) && 2710 (color_type == PNG_COLOR_TYPE_RGB || 2711 color_type == PNG_COLOR_TYPE_RGB_ALPHA))) 2712 { 2713 png_warning(png_ptr, "Unknown filter method in IHDR"); 2714 error = 1; 2715 } 2716 2717 if ((png_ptr->mode & PNG_HAVE_PNG_SIGNATURE) != 0) 2718 { 2719 png_warning(png_ptr, "Invalid filter method in IHDR"); 2720 error = 1; 2721 } 2722 } 2723 2724 #else 2725 if (filter_type != PNG_FILTER_TYPE_BASE) 2726 { 2727 png_warning(png_ptr, "Unknown filter method in IHDR"); 2728 error = 1; 2729 } 2730 #endif 2731 2732 if (error == 1) 2733 png_error(png_ptr, "Invalid IHDR data"); 2734 } 2735 2736 #if defined(PNG_sCAL_SUPPORTED) || defined(PNG_pCAL_SUPPORTED) 2737 /* ASCII to fp functions */ 2738 /* Check an ASCII formated floating point value, see the more detailed 2739 * comments in pngpriv.h 2740 */ 2741 /* The following is used internally to preserve the sticky flags */ 2742 #define png_fp_add(state, flags) ((state) |= (flags)) 2743 #define png_fp_set(state, value) ((state) = (value) | ((state) & PNG_FP_STICKY)) 2744 2745 int /* PRIVATE */ 2746 png_check_fp_number(png_const_charp string, png_size_t size, int *statep, 2747 png_size_tp whereami) 2748 { 2749 int state = *statep; 2750 png_size_t i = *whereami; 2751 2752 while (i < size) 2753 { 2754 int type; 2755 /* First find the type of the next character */ 2756 switch (string[i]) 2757 { 2758 case 43: type = PNG_FP_SAW_SIGN; break; 2759 case 45: type = PNG_FP_SAW_SIGN + PNG_FP_NEGATIVE; break; 2760 case 46: type = PNG_FP_SAW_DOT; break; 2761 case 48: type = PNG_FP_SAW_DIGIT; break; 2762 case 49: case 50: case 51: case 52: 2763 case 53: case 54: case 55: case 56: 2764 case 57: type = PNG_FP_SAW_DIGIT + PNG_FP_NONZERO; break; 2765 case 69: 2766 case 101: type = PNG_FP_SAW_E; break; 2767 default: goto PNG_FP_End; 2768 } 2769 2770 /* Now deal with this type according to the current 2771 * state, the type is arranged to not overlap the 2772 * bits of the PNG_FP_STATE. 2773 */ 2774 switch ((state & PNG_FP_STATE) + (type & PNG_FP_SAW_ANY)) 2775 { 2776 case PNG_FP_INTEGER + PNG_FP_SAW_SIGN: 2777 if ((state & PNG_FP_SAW_ANY) != 0) 2778 goto PNG_FP_End; /* not a part of the number */ 2779 2780 png_fp_add(state, type); 2781 break; 2782 2783 case PNG_FP_INTEGER + PNG_FP_SAW_DOT: 2784 /* Ok as trailer, ok as lead of fraction. */ 2785 if ((state & PNG_FP_SAW_DOT) != 0) /* two dots */ 2786 goto PNG_FP_End; 2787 2788 else if ((state & PNG_FP_SAW_DIGIT) != 0) /* trailing dot? */ 2789 png_fp_add(state, type); 2790 2791 else 2792 png_fp_set(state, PNG_FP_FRACTION | type); 2793 2794 break; 2795 2796 case PNG_FP_INTEGER + PNG_FP_SAW_DIGIT: 2797 if ((state & PNG_FP_SAW_DOT) != 0) /* delayed fraction */ 2798 png_fp_set(state, PNG_FP_FRACTION | PNG_FP_SAW_DOT); 2799 2800 png_fp_add(state, type | PNG_FP_WAS_VALID); 2801 2802 break; 2803 2804 case PNG_FP_INTEGER + PNG_FP_SAW_E: 2805 if ((state & PNG_FP_SAW_DIGIT) == 0) 2806 goto PNG_FP_End; 2807 2808 png_fp_set(state, PNG_FP_EXPONENT); 2809 2810 break; 2811 2812 /* case PNG_FP_FRACTION + PNG_FP_SAW_SIGN: 2813 goto PNG_FP_End; ** no sign in fraction */ 2814 2815 /* case PNG_FP_FRACTION + PNG_FP_SAW_DOT: 2816 goto PNG_FP_End; ** Because SAW_DOT is always set */ 2817 2818 case PNG_FP_FRACTION + PNG_FP_SAW_DIGIT: 2819 png_fp_add(state, type | PNG_FP_WAS_VALID); 2820 break; 2821 2822 case PNG_FP_FRACTION + PNG_FP_SAW_E: 2823 /* This is correct because the trailing '.' on an 2824 * integer is handled above - so we can only get here 2825 * with the sequence ".E" (with no preceding digits). 2826 */ 2827 if ((state & PNG_FP_SAW_DIGIT) == 0) 2828 goto PNG_FP_End; 2829 2830 png_fp_set(state, PNG_FP_EXPONENT); 2831 2832 break; 2833 2834 case PNG_FP_EXPONENT + PNG_FP_SAW_SIGN: 2835 if ((state & PNG_FP_SAW_ANY) != 0) 2836 goto PNG_FP_End; /* not a part of the number */ 2837 2838 png_fp_add(state, PNG_FP_SAW_SIGN); 2839 2840 break; 2841 2842 /* case PNG_FP_EXPONENT + PNG_FP_SAW_DOT: 2843 goto PNG_FP_End; */ 2844 2845 case PNG_FP_EXPONENT + PNG_FP_SAW_DIGIT: 2846 png_fp_add(state, PNG_FP_SAW_DIGIT | PNG_FP_WAS_VALID); 2847 2848 break; 2849 2850 /* case PNG_FP_EXPONEXT + PNG_FP_SAW_E: 2851 goto PNG_FP_End; */ 2852 2853 default: goto PNG_FP_End; /* I.e. break 2 */ 2854 } 2855 2856 /* The character seems ok, continue. */ 2857 ++i; 2858 } 2859 2860 PNG_FP_End: 2861 /* Here at the end, update the state and return the correct 2862 * return code. 2863 */ 2864 *statep = state; 2865 *whereami = i; 2866 2867 return (state & PNG_FP_SAW_DIGIT) != 0; 2868 } 2869 2870 2871 /* The same but for a complete string. */ 2872 int 2873 png_check_fp_string(png_const_charp string, png_size_t size) 2874 { 2875 int state=0; 2876 png_size_t char_index=0; 2877 2878 if (png_check_fp_number(string, size, &state, &char_index) != 0 && 2879 (char_index == size || string[char_index] == 0)) 2880 return state /* must be non-zero - see above */; 2881 2882 return 0; /* i.e. fail */ 2883 } 2884 #endif /* pCAL || sCAL */ 2885 2886 #ifdef PNG_sCAL_SUPPORTED 2887 # ifdef PNG_FLOATING_POINT_SUPPORTED 2888 /* Utility used below - a simple accurate power of ten from an integral 2889 * exponent. 2890 */ 2891 static double 2892 png_pow10(int power) 2893 { 2894 int recip = 0; 2895 double d = 1; 2896 2897 /* Handle negative exponent with a reciprocal at the end because 2898 * 10 is exact whereas .1 is inexact in base 2 2899 */ 2900 if (power < 0) 2901 { 2902 if (power < DBL_MIN_10_EXP) return 0; 2903 recip = 1; power = -power; 2904 } 2905 2906 if (power > 0) 2907 { 2908 /* Decompose power bitwise. */ 2909 double mult = 10; 2910 do 2911 { 2912 if (power & 1) d *= mult; 2913 mult *= mult; 2914 power >>= 1; 2915 } 2916 while (power > 0); 2917 2918 if (recip != 0) d = 1/d; 2919 } 2920 /* else power is 0 and d is 1 */ 2921 2922 return d; 2923 } 2924 2925 /* Function to format a floating point value in ASCII with a given 2926 * precision. 2927 */ 2928 #if GCC_STRICT_OVERFLOW 2929 #pragma GCC diagnostic push 2930 /* The problem arises below with exp_b10, which can never overflow because it 2931 * comes, originally, from frexp and is therefore limited to a range which is 2932 * typically +/-710 (log2(DBL_MAX)/log2(DBL_MIN)). 2933 */ 2934 #pragma GCC diagnostic warning "-Wstrict-overflow=2" 2935 #endif /* GCC_STRICT_OVERFLOW */ 2936 void /* PRIVATE */ 2937 png_ascii_from_fp(png_const_structrp png_ptr, png_charp ascii, png_size_t size, 2938 double fp, unsigned int precision) 2939 { 2940 /* We use standard functions from math.h, but not printf because 2941 * that would require stdio. The caller must supply a buffer of 2942 * sufficient size or we will png_error. The tests on size and 2943 * the space in ascii[] consumed are indicated below. 2944 */ 2945 if (precision < 1) 2946 precision = DBL_DIG; 2947 2948 /* Enforce the limit of the implementation precision too. */ 2949 if (precision > DBL_DIG+1) 2950 precision = DBL_DIG+1; 2951 2952 /* Basic sanity checks */ 2953 if (size >= precision+5) /* See the requirements below. */ 2954 { 2955 if (fp < 0) 2956 { 2957 fp = -fp; 2958 *ascii++ = 45; /* '-' PLUS 1 TOTAL 1 */ 2959 --size; 2960 } 2961 2962 if (fp >= DBL_MIN && fp <= DBL_MAX) 2963 { 2964 int exp_b10; /* A base 10 exponent */ 2965 double base; /* 10^exp_b10 */ 2966 2967 /* First extract a base 10 exponent of the number, 2968 * the calculation below rounds down when converting 2969 * from base 2 to base 10 (multiply by log10(2) - 2970 * 0.3010, but 77/256 is 0.3008, so exp_b10 needs to 2971 * be increased. Note that the arithmetic shift 2972 * performs a floor() unlike C arithmetic - using a 2973 * C multiply would break the following for negative 2974 * exponents. 2975 */ 2976 (void)frexp(fp, &exp_b10); /* exponent to base 2 */ 2977 2978 exp_b10 = (exp_b10 * 77) >> 8; /* <= exponent to base 10 */ 2979 2980 /* Avoid underflow here. */ 2981 base = png_pow10(exp_b10); /* May underflow */ 2982 2983 while (base < DBL_MIN || base < fp) 2984 { 2985 /* And this may overflow. */ 2986 double test = png_pow10(exp_b10+1); 2987 2988 if (test <= DBL_MAX) 2989 { 2990 ++exp_b10; base = test; 2991 } 2992 2993 else 2994 break; 2995 } 2996 2997 /* Normalize fp and correct exp_b10, after this fp is in the 2998 * range [.1,1) and exp_b10 is both the exponent and the digit 2999 * *before* which the decimal point should be inserted 3000 * (starting with 0 for the first digit). Note that this 3001 * works even if 10^exp_b10 is out of range because of the 3002 * test on DBL_MAX above. 3003 */ 3004 fp /= base; 3005 while (fp >= 1) 3006 { 3007 fp /= 10; ++exp_b10; 3008 } 3009 3010 /* Because of the code above fp may, at this point, be 3011 * less than .1, this is ok because the code below can 3012 * handle the leading zeros this generates, so no attempt 3013 * is made to correct that here. 3014 */ 3015 3016 { 3017 unsigned int czero, clead, cdigits; 3018 char exponent[10]; 3019 3020 /* Allow up to two leading zeros - this will not lengthen 3021 * the number compared to using E-n. 3022 */ 3023 if (exp_b10 < 0 && exp_b10 > -3) /* PLUS 3 TOTAL 4 */ 3024 { 3025 czero = 0U-exp_b10; /* PLUS 2 digits: TOTAL 3 */ 3026 exp_b10 = 0; /* Dot added below before first output. */ 3027 } 3028 else 3029 czero = 0; /* No zeros to add */ 3030 3031 /* Generate the digit list, stripping trailing zeros and 3032 * inserting a '.' before a digit if the exponent is 0. 3033 */ 3034 clead = czero; /* Count of leading zeros */ 3035 cdigits = 0; /* Count of digits in list. */ 3036 3037 do 3038 { 3039 double d; 3040 3041 fp *= 10; 3042 /* Use modf here, not floor and subtract, so that 3043 * the separation is done in one step. At the end 3044 * of the loop don't break the number into parts so 3045 * that the final digit is rounded. 3046 */ 3047 if (cdigits+czero+1 < precision+clead) 3048 fp = modf(fp, &d); 3049 3050 else 3051 { 3052 d = floor(fp + .5); 3053 3054 if (d > 9) 3055 { 3056 /* Rounding up to 10, handle that here. */ 3057 if (czero > 0) 3058 { 3059 --czero; d = 1; 3060 if (cdigits == 0) --clead; 3061 } 3062 else 3063 { 3064 while (cdigits > 0 && d > 9) 3065 { 3066 int ch = *--ascii; 3067 3068 if (exp_b10 != (-1)) 3069 ++exp_b10; 3070 3071 else if (ch == 46) 3072 { 3073 ch = *--ascii; ++size; 3074 /* Advance exp_b10 to '1', so that the 3075 * decimal point happens after the 3076 * previous digit. 3077 */ 3078 exp_b10 = 1; 3079 } 3080 3081 --cdigits; 3082 d = ch - 47; /* I.e. 1+(ch-48) */ 3083 } 3084 3085 /* Did we reach the beginning? If so adjust the 3086 * exponent but take into account the leading 3087 * decimal point. 3088 */ 3089 if (d > 9) /* cdigits == 0 */ 3090 { 3091 if (exp_b10 == (-1)) 3092 { 3093 /* Leading decimal point (plus zeros?), if 3094 * we lose the decimal point here it must 3095 * be reentered below. 3096 */ 3097 int ch = *--ascii; 3098 3099 if (ch == 46) 3100 { 3101 ++size; exp_b10 = 1; 3102 } 3103 3104 /* Else lost a leading zero, so 'exp_b10' is 3105 * still ok at (-1) 3106 */ 3107 } 3108 else 3109 ++exp_b10; 3110 3111 /* In all cases we output a '1' */ 3112 d = 1; 3113 } 3114 } 3115 } 3116 fp = 0; /* Guarantees termination below. */ 3117 } 3118 3119 if (d == 0) 3120 { 3121 ++czero; 3122 if (cdigits == 0) ++clead; 3123 } 3124 else 3125 { 3126 /* Included embedded zeros in the digit count. */ 3127 cdigits += czero - clead; 3128 clead = 0; 3129 3130 while (czero > 0) 3131 { 3132 /* exp_b10 == (-1) means we just output the decimal 3133 * place - after the DP don't adjust 'exp_b10' any 3134 * more! 3135 */ 3136 if (exp_b10 != (-1)) 3137 { 3138 if (exp_b10 == 0) 3139 { 3140 *ascii++ = 46; --size; 3141 } 3142 /* PLUS 1: TOTAL 4 */ 3143 --exp_b10; 3144 } 3145 *ascii++ = 48; --czero; 3146 } 3147 3148 if (exp_b10 != (-1)) 3149 { 3150 if (exp_b10 == 0) 3151 { 3152 *ascii++ = 46; --size; /* counted above */ 3153 } 3154 3155 --exp_b10; 3156 } 3157 *ascii++ = (char)(48 + (int)d); ++cdigits; 3158 } 3159 } 3160 while (cdigits+czero < precision+clead && fp > DBL_MIN); 3161 3162 /* The total output count (max) is now 4+precision */ 3163 3164 /* Check for an exponent, if we don't need one we are 3165 * done and just need to terminate the string. At 3166 * this point exp_b10==(-1) is effectively a flag - it got 3167 * to '-1' because of the decrement after outputting 3168 * the decimal point above (the exponent required is 3169 * *not* -1!) 3170 */ 3171 if (exp_b10 >= (-1) && exp_b10 <= 2) 3172 { 3173 /* The following only happens if we didn't output the 3174 * leading zeros above for negative exponent, so this 3175 * doesn't add to the digit requirement. Note that the 3176 * two zeros here can only be output if the two leading 3177 * zeros were *not* output, so this doesn't increase 3178 * the output count. 3179 */ 3180 while (exp_b10-- > 0) *ascii++ = 48; 3181 3182 *ascii = 0; 3183 3184 /* Total buffer requirement (including the '\0') is 3185 * 5+precision - see check at the start. 3186 */ 3187 return; 3188 } 3189 3190 /* Here if an exponent is required, adjust size for 3191 * the digits we output but did not count. The total 3192 * digit output here so far is at most 1+precision - no 3193 * decimal point and no leading or trailing zeros have 3194 * been output. 3195 */ 3196 size -= cdigits; 3197 3198 *ascii++ = 69; --size; /* 'E': PLUS 1 TOTAL 2+precision */ 3199 3200 /* The following use of an unsigned temporary avoids ambiguities in 3201 * the signed arithmetic on exp_b10 and permits GCC at least to do 3202 * better optimization. 3203 */ 3204 { 3205 unsigned int uexp_b10; 3206 3207 if (exp_b10 < 0) 3208 { 3209 *ascii++ = 45; --size; /* '-': PLUS 1 TOTAL 3+precision */ 3210 uexp_b10 = 0U-exp_b10; 3211 } 3212 3213 else 3214 uexp_b10 = 0U+exp_b10; 3215 3216 cdigits = 0; 3217 3218 while (uexp_b10 > 0) 3219 { 3220 exponent[cdigits++] = (char)(48 + uexp_b10 % 10); 3221 uexp_b10 /= 10; 3222 } 3223 } 3224 3225 /* Need another size check here for the exponent digits, so 3226 * this need not be considered above. 3227 */ 3228 if (size > cdigits) 3229 { 3230 while (cdigits > 0) *ascii++ = exponent[--cdigits]; 3231 3232 *ascii = 0; 3233 3234 return; 3235 } 3236 } 3237 } 3238 else if (!(fp >= DBL_MIN)) 3239 { 3240 *ascii++ = 48; /* '0' */ 3241 *ascii = 0; 3242 return; 3243 } 3244 else 3245 { 3246 *ascii++ = 105; /* 'i' */ 3247 *ascii++ = 110; /* 'n' */ 3248 *ascii++ = 102; /* 'f' */ 3249 *ascii = 0; 3250 return; 3251 } 3252 } 3253 3254 /* Here on buffer too small. */ 3255 png_error(png_ptr, "ASCII conversion buffer too small"); 3256 } 3257 #if GCC_STRICT_OVERFLOW 3258 #pragma GCC diagnostic pop 3259 #endif /* GCC_STRICT_OVERFLOW */ 3260 3261 # endif /* FLOATING_POINT */ 3262 3263 # ifdef PNG_FIXED_POINT_SUPPORTED 3264 /* Function to format a fixed point value in ASCII. 3265 */ 3266 void /* PRIVATE */ 3267 png_ascii_from_fixed(png_const_structrp png_ptr, png_charp ascii, 3268 png_size_t size, png_fixed_point fp) 3269 { 3270 /* Require space for 10 decimal digits, a decimal point, a minus sign and a 3271 * trailing \0, 13 characters: 3272 */ 3273 if (size > 12) 3274 { 3275 png_uint_32 num; 3276 3277 /* Avoid overflow here on the minimum integer. */ 3278 if (fp < 0) 3279 { 3280 *ascii++ = 45; num = (png_uint_32)(-fp); 3281 } 3282 else 3283 num = (png_uint_32)fp; 3284 3285 if (num <= 0x80000000) /* else overflowed */ 3286 { 3287 unsigned int ndigits = 0, first = 16 /* flag value */; 3288 char digits[10]; 3289 3290 while (num) 3291 { 3292 /* Split the low digit off num: */ 3293 unsigned int tmp = num/10; 3294 num -= tmp*10; 3295 digits[ndigits++] = (char)(48 + num); 3296 /* Record the first non-zero digit, note that this is a number 3297 * starting at 1, it's not actually the array index. 3298 */ 3299 if (first == 16 && num > 0) 3300 first = ndigits; 3301 num = tmp; 3302 } 3303 3304 if (ndigits > 0) 3305 { 3306 while (ndigits > 5) *ascii++ = digits[--ndigits]; 3307 /* The remaining digits are fractional digits, ndigits is '5' or 3308 * smaller at this point. It is certainly not zero. Check for a 3309 * non-zero fractional digit: 3310 */ 3311 if (first <= 5) 3312 { 3313 unsigned int i; 3314 *ascii++ = 46; /* decimal point */ 3315 /* ndigits may be <5 for small numbers, output leading zeros 3316 * then ndigits digits to first: 3317 */ 3318 i = 5; 3319 while (ndigits < i) 3320 { 3321 *ascii++ = 48; --i; 3322 } 3323 while (ndigits >= first) *ascii++ = digits[--ndigits]; 3324 /* Don't output the trailing zeros! */ 3325 } 3326 } 3327 else 3328 *ascii++ = 48; 3329 3330 /* And null terminate the string: */ 3331 *ascii = 0; 3332 return; 3333 } 3334 } 3335 3336 /* Here on buffer too small. */ 3337 png_error(png_ptr, "ASCII conversion buffer too small"); 3338 } 3339 # endif /* FIXED_POINT */ 3340 #endif /* SCAL */ 3341 3342 #if defined(PNG_FLOATING_POINT_SUPPORTED) && \ 3343 !defined(PNG_FIXED_POINT_MACRO_SUPPORTED) && \ 3344 (defined(PNG_gAMA_SUPPORTED) || defined(PNG_cHRM_SUPPORTED) || \ 3345 defined(PNG_sCAL_SUPPORTED) || defined(PNG_READ_BACKGROUND_SUPPORTED) || \ 3346 defined(PNG_READ_RGB_TO_GRAY_SUPPORTED)) || \ 3347 (defined(PNG_sCAL_SUPPORTED) && \ 3348 defined(PNG_FLOATING_ARITHMETIC_SUPPORTED)) 3349 png_fixed_point 3350 png_fixed(png_const_structrp png_ptr, double fp, png_const_charp text) 3351 { 3352 double r = floor(100000 * fp + .5); 3353 3354 if (r > 2147483647. || r < -2147483648.) 3355 png_fixed_error(png_ptr, text); 3356 3357 # ifndef PNG_ERROR_TEXT_SUPPORTED 3358 PNG_UNUSED(text) 3359 # endif 3360 3361 return (png_fixed_point)r; 3362 } 3363 #endif 3364 3365 #if defined(PNG_GAMMA_SUPPORTED) || defined(PNG_COLORSPACE_SUPPORTED) ||\ 3366 defined(PNG_INCH_CONVERSIONS_SUPPORTED) || defined(PNG_READ_pHYs_SUPPORTED) 3367 /* muldiv functions */ 3368 /* This API takes signed arguments and rounds the result to the nearest 3369 * integer (or, for a fixed point number - the standard argument - to 3370 * the nearest .00001). Overflow and divide by zero are signalled in 3371 * the result, a boolean - true on success, false on overflow. 3372 */ 3373 #if GCC_STRICT_OVERFLOW /* from above */ 3374 /* It is not obvious which comparison below gets optimized in such a way that 3375 * signed overflow would change the result; looking through the code does not 3376 * reveal any tests which have the form GCC complains about, so presumably the 3377 * optimizer is moving an add or subtract into the 'if' somewhere. 3378 */ 3379 #pragma GCC diagnostic push 3380 #pragma GCC diagnostic warning "-Wstrict-overflow=2" 3381 #endif /* GCC_STRICT_OVERFLOW */ 3382 int 3383 png_muldiv(png_fixed_point_p res, png_fixed_point a, png_int_32 times, 3384 png_int_32 divisor) 3385 { 3386 /* Return a * times / divisor, rounded. */ 3387 if (divisor != 0) 3388 { 3389 if (a == 0 || times == 0) 3390 { 3391 *res = 0; 3392 return 1; 3393 } 3394 else 3395 { 3396 #ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED 3397 double r = a; 3398 r *= times; 3399 r /= divisor; 3400 r = floor(r+.5); 3401 3402 /* A png_fixed_point is a 32-bit integer. */ 3403 if (r <= 2147483647. && r >= -2147483648.) 3404 { 3405 *res = (png_fixed_point)r; 3406 return 1; 3407 } 3408 #else 3409 int negative = 0; 3410 png_uint_32 A, T, D; 3411 png_uint_32 s16, s32, s00; 3412 3413 if (a < 0) 3414 negative = 1, A = -a; 3415 else 3416 A = a; 3417 3418 if (times < 0) 3419 negative = !negative, T = -times; 3420 else 3421 T = times; 3422 3423 if (divisor < 0) 3424 negative = !negative, D = -divisor; 3425 else 3426 D = divisor; 3427 3428 /* Following can't overflow because the arguments only 3429 * have 31 bits each, however the result may be 32 bits. 3430 */ 3431 s16 = (A >> 16) * (T & 0xffff) + 3432 (A & 0xffff) * (T >> 16); 3433 /* Can't overflow because the a*times bit is only 30 3434 * bits at most. 3435 */ 3436 s32 = (A >> 16) * (T >> 16) + (s16 >> 16); 3437 s00 = (A & 0xffff) * (T & 0xffff); 3438 3439 s16 = (s16 & 0xffff) << 16; 3440 s00 += s16; 3441 3442 if (s00 < s16) 3443 ++s32; /* carry */ 3444 3445 if (s32 < D) /* else overflow */ 3446 { 3447 /* s32.s00 is now the 64-bit product, do a standard 3448 * division, we know that s32 < D, so the maximum 3449 * required shift is 31. 3450 */ 3451 int bitshift = 32; 3452 png_fixed_point result = 0; /* NOTE: signed */ 3453 3454 while (--bitshift >= 0) 3455 { 3456 png_uint_32 d32, d00; 3457 3458 if (bitshift > 0) 3459 d32 = D >> (32-bitshift), d00 = D << bitshift; 3460 3461 else 3462 d32 = 0, d00 = D; 3463 3464 if (s32 > d32) 3465 { 3466 if (s00 < d00) --s32; /* carry */ 3467 s32 -= d32, s00 -= d00, result += 1<<bitshift; 3468 } 3469 3470 else 3471 if (s32 == d32 && s00 >= d00) 3472 s32 = 0, s00 -= d00, result += 1<<bitshift; 3473 } 3474 3475 /* Handle the rounding. */ 3476 if (s00 >= (D >> 1)) 3477 ++result; 3478 3479 if (negative != 0) 3480 result = -result; 3481 3482 /* Check for overflow. */ 3483 if ((negative != 0 && result <= 0) || 3484 (negative == 0 && result >= 0)) 3485 { 3486 *res = result; 3487 return 1; 3488 } 3489 } 3490 #endif 3491 } 3492 } 3493 3494 return 0; 3495 } 3496 #if GCC_STRICT_OVERFLOW 3497 #pragma GCC diagnostic pop 3498 #endif /* GCC_STRICT_OVERFLOW */ 3499 #endif /* READ_GAMMA || INCH_CONVERSIONS */ 3500 3501 #if defined(PNG_READ_GAMMA_SUPPORTED) || defined(PNG_INCH_CONVERSIONS_SUPPORTED) 3502 /* The following is for when the caller doesn't much care about the 3503 * result. 3504 */ 3505 png_fixed_point 3506 png_muldiv_warn(png_const_structrp png_ptr, png_fixed_point a, png_int_32 times, 3507 png_int_32 divisor) 3508 { 3509 png_fixed_point result; 3510 3511 if (png_muldiv(&result, a, times, divisor) != 0) 3512 return result; 3513 3514 png_warning(png_ptr, "fixed point overflow ignored"); 3515 return 0; 3516 } 3517 #endif 3518 3519 #ifdef PNG_GAMMA_SUPPORTED /* more fixed point functions for gamma */ 3520 /* Calculate a reciprocal, return 0 on div-by-zero or overflow. */ 3521 png_fixed_point 3522 png_reciprocal(png_fixed_point a) 3523 { 3524 #ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED 3525 double r = floor(1E10/a+.5); 3526 3527 if (r <= 2147483647. && r >= -2147483648.) 3528 return (png_fixed_point)r; 3529 #else 3530 png_fixed_point res; 3531 3532 if (png_muldiv(&res, 100000, 100000, a) != 0) 3533 return res; 3534 #endif 3535 3536 return 0; /* error/overflow */ 3537 } 3538 3539 /* This is the shared test on whether a gamma value is 'significant' - whether 3540 * it is worth doing gamma correction. 3541 */ 3542 int /* PRIVATE */ 3543 png_gamma_significant(png_fixed_point gamma_val) 3544 { 3545 return gamma_val < PNG_FP_1 - PNG_GAMMA_THRESHOLD_FIXED || 3546 gamma_val > PNG_FP_1 + PNG_GAMMA_THRESHOLD_FIXED; 3547 } 3548 #endif 3549 3550 #ifdef PNG_READ_GAMMA_SUPPORTED 3551 #ifdef PNG_16BIT_SUPPORTED 3552 /* A local convenience routine. */ 3553 static png_fixed_point 3554 png_product2(png_fixed_point a, png_fixed_point b) 3555 { 3556 /* The required result is 1/a * 1/b; the following preserves accuracy. */ 3557 #ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED 3558 double r = a * 1E-5; 3559 r *= b; 3560 r = floor(r+.5); 3561 3562 if (r <= 2147483647. && r >= -2147483648.) 3563 return (png_fixed_point)r; 3564 #else 3565 png_fixed_point res; 3566 3567 if (png_muldiv(&res, a, b, 100000) != 0) 3568 return res; 3569 #endif 3570 3571 return 0; /* overflow */ 3572 } 3573 #endif /* 16BIT */ 3574 3575 /* The inverse of the above. */ 3576 png_fixed_point 3577 png_reciprocal2(png_fixed_point a, png_fixed_point b) 3578 { 3579 /* The required result is 1/a * 1/b; the following preserves accuracy. */ 3580 #ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED 3581 if (a != 0 && b != 0) 3582 { 3583 double r = 1E15/a; 3584 r /= b; 3585 r = floor(r+.5); 3586 3587 if (r <= 2147483647. && r >= -2147483648.) 3588 return (png_fixed_point)r; 3589 } 3590 #else 3591 /* This may overflow because the range of png_fixed_point isn't symmetric, 3592 * but this API is only used for the product of file and screen gamma so it 3593 * doesn't matter that the smallest number it can produce is 1/21474, not 3594 * 1/100000 3595 */ 3596 png_fixed_point res = png_product2(a, b); 3597 3598 if (res != 0) 3599 return png_reciprocal(res); 3600 #endif 3601 3602 return 0; /* overflow */ 3603 } 3604 #endif /* READ_GAMMA */ 3605 3606 #ifdef PNG_READ_GAMMA_SUPPORTED /* gamma table code */ 3607 #ifndef PNG_FLOATING_ARITHMETIC_SUPPORTED 3608 /* Fixed point gamma. 3609 * 3610 * The code to calculate the tables used below can be found in the shell script 3611 * contrib/tools/intgamma.sh 3612 * 3613 * To calculate gamma this code implements fast log() and exp() calls using only 3614 * fixed point arithmetic. This code has sufficient precision for either 8-bit 3615 * or 16-bit sample values. 3616 * 3617 * The tables used here were calculated using simple 'bc' programs, but C double 3618 * precision floating point arithmetic would work fine. 3619 * 3620 * 8-bit log table 3621 * This is a table of -log(value/255)/log(2) for 'value' in the range 128 to 3622 * 255, so it's the base 2 logarithm of a normalized 8-bit floating point 3623 * mantissa. The numbers are 32-bit fractions. 3624 */ 3625 static const png_uint_32 3626 png_8bit_l2[128] = 3627 { 3628 4270715492U, 4222494797U, 4174646467U, 4127164793U, 4080044201U, 4033279239U, 3629 3986864580U, 3940795015U, 3895065449U, 3849670902U, 3804606499U, 3759867474U, 3630 3715449162U, 3671346997U, 3627556511U, 3584073329U, 3540893168U, 3498011834U, 3631 3455425220U, 3413129301U, 3371120137U, 3329393864U, 3287946700U, 3246774933U, 3632 3205874930U, 3165243125U, 3124876025U, 3084770202U, 3044922296U, 3005329011U, 3633 2965987113U, 2926893432U, 2888044853U, 2849438323U, 2811070844U, 2772939474U, 3634 2735041326U, 2697373562U, 2659933400U, 2622718104U, 2585724991U, 2548951424U, 3635 2512394810U, 2476052606U, 2439922311U, 2404001468U, 2368287663U, 2332778523U, 3636 2297471715U, 2262364947U, 2227455964U, 2192742551U, 2158222529U, 2123893754U, 3637 2089754119U, 2055801552U, 2022034013U, 1988449497U, 1955046031U, 1921821672U, 3638 1888774511U, 1855902668U, 1823204291U, 1790677560U, 1758320682U, 1726131893U, 3639 1694109454U, 1662251657U, 1630556815U, 1599023271U, 1567649391U, 1536433567U, 3640 1505374214U, 1474469770U, 1443718700U, 1413119487U, 1382670639U, 1352370686U, 3641 1322218179U, 1292211689U, 1262349810U, 1232631153U, 1203054352U, 1173618059U, 3642 1144320946U, 1115161701U, 1086139034U, 1057251672U, 1028498358U, 999877854U, 3643 971388940U, 943030410U, 914801076U, 886699767U, 858725327U, 830876614U, 3644 803152505U, 775551890U, 748073672U, 720716771U, 693480120U, 666362667U, 3645 639363374U, 612481215U, 585715177U, 559064263U, 532527486U, 506103872U, 3646 479792461U, 453592303U, 427502463U, 401522014U, 375650043U, 349885648U, 3647 324227938U, 298676034U, 273229066U, 247886176U, 222646516U, 197509248U, 3648 172473545U, 147538590U, 122703574U, 97967701U, 73330182U, 48790236U, 3649 24347096U, 0U 3650 3651 #if 0 3652 /* The following are the values for 16-bit tables - these work fine for the 3653 * 8-bit conversions but produce very slightly larger errors in the 16-bit 3654 * log (about 1.2 as opposed to 0.7 absolute error in the final value). To 3655 * use these all the shifts below must be adjusted appropriately. 3656 */ 3657 65166, 64430, 63700, 62976, 62257, 61543, 60835, 60132, 59434, 58741, 58054, 3658 57371, 56693, 56020, 55352, 54689, 54030, 53375, 52726, 52080, 51439, 50803, 3659 50170, 49542, 48918, 48298, 47682, 47070, 46462, 45858, 45257, 44661, 44068, 3660 43479, 42894, 42312, 41733, 41159, 40587, 40020, 39455, 38894, 38336, 37782, 3661 37230, 36682, 36137, 35595, 35057, 34521, 33988, 33459, 32932, 32408, 31887, 3662 31369, 30854, 30341, 29832, 29325, 28820, 28319, 27820, 27324, 26830, 26339, 3663 25850, 25364, 24880, 24399, 23920, 23444, 22970, 22499, 22029, 21562, 21098, 3664 20636, 20175, 19718, 19262, 18808, 18357, 17908, 17461, 17016, 16573, 16132, 3665 15694, 15257, 14822, 14390, 13959, 13530, 13103, 12678, 12255, 11834, 11415, 3666 10997, 10582, 10168, 9756, 9346, 8937, 8531, 8126, 7723, 7321, 6921, 6523, 3667 6127, 5732, 5339, 4947, 4557, 4169, 3782, 3397, 3014, 2632, 2251, 1872, 1495, 3668 1119, 744, 372 3669 #endif 3670 }; 3671 3672 static png_int_32 3673 png_log8bit(unsigned int x) 3674 { 3675 unsigned int lg2 = 0; 3676 /* Each time 'x' is multiplied by 2, 1 must be subtracted off the final log, 3677 * because the log is actually negate that means adding 1. The final 3678 * returned value thus has the range 0 (for 255 input) to 7.994 (for 1 3679 * input), return -1 for the overflow (log 0) case, - so the result is 3680 * always at most 19 bits. 3681 */ 3682 if ((x &= 0xff) == 0) 3683 return -1; 3684 3685 if ((x & 0xf0) == 0) 3686 lg2 = 4, x <<= 4; 3687 3688 if ((x & 0xc0) == 0) 3689 lg2 += 2, x <<= 2; 3690 3691 if ((x & 0x80) == 0) 3692 lg2 += 1, x <<= 1; 3693 3694 /* result is at most 19 bits, so this cast is safe: */ 3695 return (png_int_32)((lg2 << 16) + ((png_8bit_l2[x-128]+32768)>>16)); 3696 } 3697 3698 /* The above gives exact (to 16 binary places) log2 values for 8-bit images, 3699 * for 16-bit images we use the most significant 8 bits of the 16-bit value to 3700 * get an approximation then multiply the approximation by a correction factor 3701 * determined by the remaining up to 8 bits. This requires an additional step 3702 * in the 16-bit case. 3703 * 3704 * We want log2(value/65535), we have log2(v'/255), where: 3705 * 3706 * value = v' * 256 + v'' 3707 * = v' * f 3708 * 3709 * So f is value/v', which is equal to (256+v''/v') since v' is in the range 128 3710 * to 255 and v'' is in the range 0 to 255 f will be in the range 256 to less 3711 * than 258. The final factor also needs to correct for the fact that our 8-bit 3712 * value is scaled by 255, whereas the 16-bit values must be scaled by 65535. 3713 * 3714 * This gives a final formula using a calculated value 'x' which is value/v' and 3715 * scaling by 65536 to match the above table: 3716 * 3717 * log2(x/257) * 65536 3718 * 3719 * Since these numbers are so close to '1' we can use simple linear 3720 * interpolation between the two end values 256/257 (result -368.61) and 258/257 3721 * (result 367.179). The values used below are scaled by a further 64 to give 3722 * 16-bit precision in the interpolation: 3723 * 3724 * Start (256): -23591 3725 * Zero (257): 0 3726 * End (258): 23499 3727 */ 3728 #ifdef PNG_16BIT_SUPPORTED 3729 static png_int_32 3730 png_log16bit(png_uint_32 x) 3731 { 3732 unsigned int lg2 = 0; 3733 3734 /* As above, but now the input has 16 bits. */ 3735 if ((x &= 0xffff) == 0) 3736 return -1; 3737 3738 if ((x & 0xff00) == 0) 3739 lg2 = 8, x <<= 8; 3740 3741 if ((x & 0xf000) == 0) 3742 lg2 += 4, x <<= 4; 3743 3744 if ((x & 0xc000) == 0) 3745 lg2 += 2, x <<= 2; 3746 3747 if ((x & 0x8000) == 0) 3748 lg2 += 1, x <<= 1; 3749 3750 /* Calculate the base logarithm from the top 8 bits as a 28-bit fractional 3751 * value. 3752 */ 3753 lg2 <<= 28; 3754 lg2 += (png_8bit_l2[(x>>8)-128]+8) >> 4; 3755 3756 /* Now we need to interpolate the factor, this requires a division by the top 3757 * 8 bits. Do this with maximum precision. 3758 */ 3759 x = ((x << 16) + (x >> 9)) / (x >> 8); 3760 3761 /* Since we divided by the top 8 bits of 'x' there will be a '1' at 1<<24, 3762 * the value at 1<<16 (ignoring this) will be 0 or 1; this gives us exactly 3763 * 16 bits to interpolate to get the low bits of the result. Round the 3764 * answer. Note that the end point values are scaled by 64 to retain overall 3765 * precision and that 'lg2' is current scaled by an extra 12 bits, so adjust 3766 * the overall scaling by 6-12. Round at every step. 3767 */ 3768 x -= 1U << 24; 3769 3770 if (x <= 65536U) /* <= '257' */ 3771 lg2 += ((23591U * (65536U-x)) + (1U << (16+6-12-1))) >> (16+6-12); 3772 3773 else 3774 lg2 -= ((23499U * (x-65536U)) + (1U << (16+6-12-1))) >> (16+6-12); 3775 3776 /* Safe, because the result can't have more than 20 bits: */ 3777 return (png_int_32)((lg2 + 2048) >> 12); 3778 } 3779 #endif /* 16BIT */ 3780 3781 /* The 'exp()' case must invert the above, taking a 20-bit fixed point 3782 * logarithmic value and returning a 16 or 8-bit number as appropriate. In 3783 * each case only the low 16 bits are relevant - the fraction - since the 3784 * integer bits (the top 4) simply determine a shift. 3785 * 3786 * The worst case is the 16-bit distinction between 65535 and 65534. This 3787 * requires perhaps spurious accuracy in the decoding of the logarithm to 3788 * distinguish log2(65535/65534.5) - 10^-5 or 17 bits. There is little chance 3789 * of getting this accuracy in practice. 3790 * 3791 * To deal with this the following exp() function works out the exponent of the 3792 * fractional part of the logarithm by using an accurate 32-bit value from the 3793 * top four fractional bits then multiplying in the remaining bits. 3794 */ 3795 static const png_uint_32 3796 png_32bit_exp[16] = 3797 { 3798 /* NOTE: the first entry is deliberately set to the maximum 32-bit value. */ 3799 4294967295U, 4112874773U, 3938502376U, 3771522796U, 3611622603U, 3458501653U, 3800 3311872529U, 3171459999U, 3037000500U, 2908241642U, 2784941738U, 2666869345U, 3801 2553802834U, 2445529972U, 2341847524U, 2242560872U 3802 }; 3803 3804 /* Adjustment table; provided to explain the numbers in the code below. */ 3805 #if 0 3806 for (i=11;i>=0;--i){ print i, " ", (1 - e(-(2^i)/65536*l(2))) * 2^(32-i), "\n"} 3807 11 44937.64284865548751208448 3808 10 45180.98734845585101160448 3809 9 45303.31936980687359311872 3810 8 45364.65110595323018870784 3811 7 45395.35850361789624614912 3812 6 45410.72259715102037508096 3813 5 45418.40724413220722311168 3814 4 45422.25021786898173001728 3815 3 45424.17186732298419044352 3816 2 45425.13273269940811464704 3817 1 45425.61317555035558641664 3818 0 45425.85339951654943850496 3819 #endif 3820 3821 static png_uint_32 3822 png_exp(png_fixed_point x) 3823 { 3824 if (x > 0 && x <= 0xfffff) /* Else overflow or zero (underflow) */ 3825 { 3826 /* Obtain a 4-bit approximation */ 3827 png_uint_32 e = png_32bit_exp[(x >> 12) & 0x0f]; 3828 3829 /* Incorporate the low 12 bits - these decrease the returned value by 3830 * multiplying by a number less than 1 if the bit is set. The multiplier 3831 * is determined by the above table and the shift. Notice that the values 3832 * converge on 45426 and this is used to allow linear interpolation of the 3833 * low bits. 3834 */ 3835 if (x & 0x800) 3836 e -= (((e >> 16) * 44938U) + 16U) >> 5; 3837 3838 if (x & 0x400) 3839 e -= (((e >> 16) * 45181U) + 32U) >> 6; 3840 3841 if (x & 0x200) 3842 e -= (((e >> 16) * 45303U) + 64U) >> 7; 3843 3844 if (x & 0x100) 3845 e -= (((e >> 16) * 45365U) + 128U) >> 8; 3846 3847 if (x & 0x080) 3848 e -= (((e >> 16) * 45395U) + 256U) >> 9; 3849 3850 if (x & 0x040) 3851 e -= (((e >> 16) * 45410U) + 512U) >> 10; 3852 3853 /* And handle the low 6 bits in a single block. */ 3854 e -= (((e >> 16) * 355U * (x & 0x3fU)) + 256U) >> 9; 3855 3856 /* Handle the upper bits of x. */ 3857 e >>= x >> 16; 3858 return e; 3859 } 3860 3861 /* Check for overflow */ 3862 if (x <= 0) 3863 return png_32bit_exp[0]; 3864 3865 /* Else underflow */ 3866 return 0; 3867 } 3868 3869 static png_byte 3870 png_exp8bit(png_fixed_point lg2) 3871 { 3872 /* Get a 32-bit value: */ 3873 png_uint_32 x = png_exp(lg2); 3874 3875 /* Convert the 32-bit value to 0..255 by multiplying by 256-1. Note that the 3876 * second, rounding, step can't overflow because of the first, subtraction, 3877 * step. 3878 */ 3879 x -= x >> 8; 3880 return (png_byte)(((x + 0x7fffffU) >> 24) & 0xff); 3881 } 3882 3883 #ifdef PNG_16BIT_SUPPORTED 3884 static png_uint_16 3885 png_exp16bit(png_fixed_point lg2) 3886 { 3887 /* Get a 32-bit value: */ 3888 png_uint_32 x = png_exp(lg2); 3889 3890 /* Convert the 32-bit value to 0..65535 by multiplying by 65536-1: */ 3891 x -= x >> 16; 3892 return (png_uint_16)((x + 32767U) >> 16); 3893 } 3894 #endif /* 16BIT */ 3895 #endif /* FLOATING_ARITHMETIC */ 3896 3897 png_byte 3898 png_gamma_8bit_correct(unsigned int value, png_fixed_point gamma_val) 3899 { 3900 if (value > 0 && value < 255) 3901 { 3902 # ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED 3903 /* 'value' is unsigned, ANSI-C90 requires the compiler to correctly 3904 * convert this to a floating point value. This includes values that 3905 * would overflow if 'value' were to be converted to 'int'. 3906 * 3907 * Apparently GCC, however, does an intermediate conversion to (int) 3908 * on some (ARM) but not all (x86) platforms, possibly because of 3909 * hardware FP limitations. (E.g. if the hardware conversion always 3910 * assumes the integer register contains a signed value.) This results 3911 * in ANSI-C undefined behavior for large values. 3912 * 3913 * Other implementations on the same machine might actually be ANSI-C90 3914 * conformant and therefore compile spurious extra code for the large 3915 * values. 3916 * 3917 * We can be reasonably sure that an unsigned to float conversion 3918 * won't be faster than an int to float one. Therefore this code 3919 * assumes responsibility for the undefined behavior, which it knows 3920 * can't happen because of the check above. 3921 * 3922 * Note the argument to this routine is an (unsigned int) because, on 3923 * 16-bit platforms, it is assigned a value which might be out of 3924 * range for an (int); that would result in undefined behavior in the 3925 * caller if the *argument* ('value') were to be declared (int). 3926 */ 3927 double r = floor(255*pow((int)/*SAFE*/value/255.,gamma_val*.00001)+.5); 3928 return (png_byte)r; 3929 # else 3930 png_int_32 lg2 = png_log8bit(value); 3931 png_fixed_point res; 3932 3933 if (png_muldiv(&res, gamma_val, lg2, PNG_FP_1) != 0) 3934 return png_exp8bit(res); 3935 3936 /* Overflow. */ 3937 value = 0; 3938 # endif 3939 } 3940 3941 return (png_byte)(value & 0xff); 3942 } 3943 3944 #ifdef PNG_16BIT_SUPPORTED 3945 png_uint_16 3946 png_gamma_16bit_correct(unsigned int value, png_fixed_point gamma_val) 3947 { 3948 if (value > 0 && value < 65535) 3949 { 3950 # ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED 3951 /* The same (unsigned int)->(double) constraints apply here as above, 3952 * however in this case the (unsigned int) to (int) conversion can 3953 * overflow on an ANSI-C90 compliant system so the cast needs to ensure 3954 * that this is not possible. 3955 */ 3956 double r = floor(65535*pow((png_int_32)value/65535., 3957 gamma_val*.00001)+.5); 3958 return (png_uint_16)r; 3959 # else 3960 png_int_32 lg2 = png_log16bit(value); 3961 png_fixed_point res; 3962 3963 if (png_muldiv(&res, gamma_val, lg2, PNG_FP_1) != 0) 3964 return png_exp16bit(res); 3965 3966 /* Overflow. */ 3967 value = 0; 3968 # endif 3969 } 3970 3971 return (png_uint_16)value; 3972 } 3973 #endif /* 16BIT */ 3974 3975 /* This does the right thing based on the bit_depth field of the 3976 * png_struct, interpreting values as 8-bit or 16-bit. While the result 3977 * is nominally a 16-bit value if bit depth is 8 then the result is 3978 * 8-bit (as are the arguments.) 3979 */ 3980 png_uint_16 /* PRIVATE */ 3981 png_gamma_correct(png_structrp png_ptr, unsigned int value, 3982 png_fixed_point gamma_val) 3983 { 3984 if (png_ptr->bit_depth == 8) 3985 return png_gamma_8bit_correct(value, gamma_val); 3986 3987 #ifdef PNG_16BIT_SUPPORTED 3988 else 3989 return png_gamma_16bit_correct(value, gamma_val); 3990 #else 3991 /* should not reach this */ 3992 return 0; 3993 #endif /* 16BIT */ 3994 } 3995 3996 #ifdef PNG_16BIT_SUPPORTED 3997 /* Internal function to build a single 16-bit table - the table consists of 3998 * 'num' 256 entry subtables, where 'num' is determined by 'shift' - the amount 3999 * to shift the input values right (or 16-number_of_signifiant_bits). 4000 * 4001 * The caller is responsible for ensuring that the table gets cleaned up on 4002 * png_error (i.e. if one of the mallocs below fails) - i.e. the *table argument 4003 * should be somewhere that will be cleaned. 4004 */ 4005 static void 4006 png_build_16bit_table(png_structrp png_ptr, png_uint_16pp *ptable, 4007 PNG_CONST unsigned int shift, PNG_CONST png_fixed_point gamma_val) 4008 { 4009 /* Various values derived from 'shift': */ 4010 PNG_CONST unsigned int num = 1U << (8U - shift); 4011 #ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED 4012 /* CSE the division and work round wacky GCC warnings (see the comments 4013 * in png_gamma_8bit_correct for where these come from.) 4014 */ 4015 PNG_CONST double fmax = 1./(((png_int_32)1 << (16U - shift))-1); 4016 #endif 4017 PNG_CONST unsigned int max = (1U << (16U - shift))-1U; 4018 PNG_CONST unsigned int max_by_2 = 1U << (15U-shift); 4019 unsigned int i; 4020 4021 png_uint_16pp table = *ptable = 4022 (png_uint_16pp)png_calloc(png_ptr, num * (sizeof (png_uint_16p))); 4023 4024 for (i = 0; i < num; i++) 4025 { 4026 png_uint_16p sub_table = table[i] = 4027 (png_uint_16p)png_malloc(png_ptr, 256 * (sizeof (png_uint_16))); 4028 4029 /* The 'threshold' test is repeated here because it can arise for one of 4030 * the 16-bit tables even if the others don't hit it. 4031 */ 4032 if (png_gamma_significant(gamma_val) != 0) 4033 { 4034 /* The old code would overflow at the end and this would cause the 4035 * 'pow' function to return a result >1, resulting in an 4036 * arithmetic error. This code follows the spec exactly; ig is 4037 * the recovered input sample, it always has 8-16 bits. 4038 * 4039 * We want input * 65535/max, rounded, the arithmetic fits in 32 4040 * bits (unsigned) so long as max <= 32767. 4041 */ 4042 unsigned int j; 4043 for (j = 0; j < 256; j++) 4044 { 4045 png_uint_32 ig = (j << (8-shift)) + i; 4046 # ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED 4047 /* Inline the 'max' scaling operation: */ 4048 /* See png_gamma_8bit_correct for why the cast to (int) is 4049 * required here. 4050 */ 4051 double d = floor(65535.*pow(ig*fmax, gamma_val*.00001)+.5); 4052 sub_table[j] = (png_uint_16)d; 4053 # else 4054 if (shift != 0) 4055 ig = (ig * 65535U + max_by_2)/max; 4056 4057 sub_table[j] = png_gamma_16bit_correct(ig, gamma_val); 4058 # endif 4059 } 4060 } 4061 else 4062 { 4063 /* We must still build a table, but do it the fast way. */ 4064 unsigned int j; 4065 4066 for (j = 0; j < 256; j++) 4067 { 4068 png_uint_32 ig = (j << (8-shift)) + i; 4069 4070 if (shift != 0) 4071 ig = (ig * 65535U + max_by_2)/max; 4072 4073 sub_table[j] = (png_uint_16)ig; 4074 } 4075 } 4076 } 4077 } 4078 4079 /* NOTE: this function expects the *inverse* of the overall gamma transformation 4080 * required. 4081 */ 4082 static void 4083 png_build_16to8_table(png_structrp png_ptr, png_uint_16pp *ptable, 4084 PNG_CONST unsigned int shift, PNG_CONST png_fixed_point gamma_val) 4085 { 4086 PNG_CONST unsigned int num = 1U << (8U - shift); 4087 PNG_CONST unsigned int max = (1U << (16U - shift))-1U; 4088 unsigned int i; 4089 png_uint_32 last; 4090 4091 png_uint_16pp table = *ptable = 4092 (png_uint_16pp)png_calloc(png_ptr, num * (sizeof (png_uint_16p))); 4093 4094 /* 'num' is the number of tables and also the number of low bits of low 4095 * bits of the input 16-bit value used to select a table. Each table is 4096 * itself indexed by the high 8 bits of the value. 4097 */ 4098 for (i = 0; i < num; i++) 4099 table[i] = (png_uint_16p)png_malloc(png_ptr, 4100 256 * (sizeof (png_uint_16))); 4101 4102 /* 'gamma_val' is set to the reciprocal of the value calculated above, so 4103 * pow(out,g) is an *input* value. 'last' is the last input value set. 4104 * 4105 * In the loop 'i' is used to find output values. Since the output is 4106 * 8-bit there are only 256 possible values. The tables are set up to 4107 * select the closest possible output value for each input by finding 4108 * the input value at the boundary between each pair of output values 4109 * and filling the table up to that boundary with the lower output 4110 * value. 4111 * 4112 * The boundary values are 0.5,1.5..253.5,254.5. Since these are 9-bit 4113 * values the code below uses a 16-bit value in i; the values start at 4114 * 128.5 (for 0.5) and step by 257, for a total of 254 values (the last 4115 * entries are filled with 255). Start i at 128 and fill all 'last' 4116 * table entries <= 'max' 4117 */ 4118 last = 0; 4119 for (i = 0; i < 255; ++i) /* 8-bit output value */ 4120 { 4121 /* Find the corresponding maximum input value */ 4122 png_uint_16 out = (png_uint_16)(i * 257U); /* 16-bit output value */ 4123 4124 /* Find the boundary value in 16 bits: */ 4125 png_uint_32 bound = png_gamma_16bit_correct(out+128U, gamma_val); 4126 4127 /* Adjust (round) to (16-shift) bits: */ 4128 bound = (bound * max + 32768U)/65535U + 1U; 4129 4130 while (last < bound) 4131 { 4132 table[last & (0xffU >> shift)][last >> (8U - shift)] = out; 4133 last++; 4134 } 4135 } 4136 4137 /* And fill in the final entries. */ 4138 while (last < (num << 8)) 4139 { 4140 table[last & (0xff >> shift)][last >> (8U - shift)] = 65535U; 4141 last++; 4142 } 4143 } 4144 #endif /* 16BIT */ 4145 4146 /* Build a single 8-bit table: same as the 16-bit case but much simpler (and 4147 * typically much faster). Note that libpng currently does no sBIT processing 4148 * (apparently contrary to the spec) so a 256-entry table is always generated. 4149 */ 4150 static void 4151 png_build_8bit_table(png_structrp png_ptr, png_bytepp ptable, 4152 PNG_CONST png_fixed_point gamma_val) 4153 { 4154 unsigned int i; 4155 png_bytep table = *ptable = (png_bytep)png_malloc(png_ptr, 256); 4156 4157 if (png_gamma_significant(gamma_val) != 0) 4158 for (i=0; i<256; i++) 4159 table[i] = png_gamma_8bit_correct(i, gamma_val); 4160 4161 else 4162 for (i=0; i<256; ++i) 4163 table[i] = (png_byte)(i & 0xff); 4164 } 4165 4166 /* Used from png_read_destroy and below to release the memory used by the gamma 4167 * tables. 4168 */ 4169 void /* PRIVATE */ 4170 png_destroy_gamma_table(png_structrp png_ptr) 4171 { 4172 png_free(png_ptr, png_ptr->gamma_table); 4173 png_ptr->gamma_table = NULL; 4174 4175 #ifdef PNG_16BIT_SUPPORTED 4176 if (png_ptr->gamma_16_table != NULL) 4177 { 4178 int i; 4179 int istop = (1 << (8 - png_ptr->gamma_shift)); 4180 for (i = 0; i < istop; i++) 4181 { 4182 png_free(png_ptr, png_ptr->gamma_16_table[i]); 4183 } 4184 png_free(png_ptr, png_ptr->gamma_16_table); 4185 png_ptr->gamma_16_table = NULL; 4186 } 4187 #endif /* 16BIT */ 4188 4189 #if defined(PNG_READ_BACKGROUND_SUPPORTED) || \ 4190 defined(PNG_READ_ALPHA_MODE_SUPPORTED) || \ 4191 defined(PNG_READ_RGB_TO_GRAY_SUPPORTED) 4192 png_free(png_ptr, png_ptr->gamma_from_1); 4193 png_ptr->gamma_from_1 = NULL; 4194 png_free(png_ptr, png_ptr->gamma_to_1); 4195 png_ptr->gamma_to_1 = NULL; 4196 4197 #ifdef PNG_16BIT_SUPPORTED 4198 if (png_ptr->gamma_16_from_1 != NULL) 4199 { 4200 int i; 4201 int istop = (1 << (8 - png_ptr->gamma_shift)); 4202 for (i = 0; i < istop; i++) 4203 { 4204 png_free(png_ptr, png_ptr->gamma_16_from_1[i]); 4205 } 4206 png_free(png_ptr, png_ptr->gamma_16_from_1); 4207 png_ptr->gamma_16_from_1 = NULL; 4208 } 4209 if (png_ptr->gamma_16_to_1 != NULL) 4210 { 4211 int i; 4212 int istop = (1 << (8 - png_ptr->gamma_shift)); 4213 for (i = 0; i < istop; i++) 4214 { 4215 png_free(png_ptr, png_ptr->gamma_16_to_1[i]); 4216 } 4217 png_free(png_ptr, png_ptr->gamma_16_to_1); 4218 png_ptr->gamma_16_to_1 = NULL; 4219 } 4220 #endif /* 16BIT */ 4221 #endif /* READ_BACKGROUND || READ_ALPHA_MODE || RGB_TO_GRAY */ 4222 } 4223 4224 /* We build the 8- or 16-bit gamma tables here. Note that for 16-bit 4225 * tables, we don't make a full table if we are reducing to 8-bit in 4226 * the future. Note also how the gamma_16 tables are segmented so that 4227 * we don't need to allocate > 64K chunks for a full 16-bit table. 4228 */ 4229 void /* PRIVATE */ 4230 png_build_gamma_table(png_structrp png_ptr, int bit_depth) 4231 { 4232 png_debug(1, "in png_build_gamma_table"); 4233 4234 /* Remove any existing table; this copes with multiple calls to 4235 * png_read_update_info. The warning is because building the gamma tables 4236 * multiple times is a performance hit - it's harmless but the ability to 4237 * call png_read_update_info() multiple times is new in 1.5.6 so it seems 4238 * sensible to warn if the app introduces such a hit. 4239 */ 4240 if (png_ptr->gamma_table != NULL || png_ptr->gamma_16_table != NULL) 4241 { 4242 png_warning(png_ptr, "gamma table being rebuilt"); 4243 png_destroy_gamma_table(png_ptr); 4244 } 4245 4246 if (bit_depth <= 8) 4247 { 4248 png_build_8bit_table(png_ptr, &png_ptr->gamma_table, 4249 png_ptr->screen_gamma > 0 ? 4250 png_reciprocal2(png_ptr->colorspace.gamma, 4251 png_ptr->screen_gamma) : PNG_FP_1); 4252 4253 #if defined(PNG_READ_BACKGROUND_SUPPORTED) || \ 4254 defined(PNG_READ_ALPHA_MODE_SUPPORTED) || \ 4255 defined(PNG_READ_RGB_TO_GRAY_SUPPORTED) 4256 if ((png_ptr->transformations & (PNG_COMPOSE | PNG_RGB_TO_GRAY)) != 0) 4257 { 4258 png_build_8bit_table(png_ptr, &png_ptr->gamma_to_1, 4259 png_reciprocal(png_ptr->colorspace.gamma)); 4260 4261 png_build_8bit_table(png_ptr, &png_ptr->gamma_from_1, 4262 png_ptr->screen_gamma > 0 ? 4263 png_reciprocal(png_ptr->screen_gamma) : 4264 png_ptr->colorspace.gamma/* Probably doing rgb_to_gray */); 4265 } 4266 #endif /* READ_BACKGROUND || READ_ALPHA_MODE || RGB_TO_GRAY */ 4267 } 4268 #ifdef PNG_16BIT_SUPPORTED 4269 else 4270 { 4271 png_byte shift, sig_bit; 4272 4273 if ((png_ptr->color_type & PNG_COLOR_MASK_COLOR) != 0) 4274 { 4275 sig_bit = png_ptr->sig_bit.red; 4276 4277 if (png_ptr->sig_bit.green > sig_bit) 4278 sig_bit = png_ptr->sig_bit.green; 4279 4280 if (png_ptr->sig_bit.blue > sig_bit) 4281 sig_bit = png_ptr->sig_bit.blue; 4282 } 4283 else 4284 sig_bit = png_ptr->sig_bit.gray; 4285 4286 /* 16-bit gamma code uses this equation: 4287 * 4288 * ov = table[(iv & 0xff) >> gamma_shift][iv >> 8] 4289 * 4290 * Where 'iv' is the input color value and 'ov' is the output value - 4291 * pow(iv, gamma). 4292 * 4293 * Thus the gamma table consists of up to 256 256-entry tables. The table 4294 * is selected by the (8-gamma_shift) most significant of the low 8 bits 4295 * of the color value then indexed by the upper 8 bits: 4296 * 4297 * table[low bits][high 8 bits] 4298 * 4299 * So the table 'n' corresponds to all those 'iv' of: 4300 * 4301 * <all high 8-bit values><n << gamma_shift>..<(n+1 << gamma_shift)-1> 4302 * 4303 */ 4304 if (sig_bit > 0 && sig_bit < 16U) 4305 /* shift == insignificant bits */ 4306 shift = (png_byte)((16U - sig_bit) & 0xff); 4307 4308 else 4309 shift = 0; /* keep all 16 bits */ 4310 4311 if ((png_ptr->transformations & (PNG_16_TO_8 | PNG_SCALE_16_TO_8)) != 0) 4312 { 4313 /* PNG_MAX_GAMMA_8 is the number of bits to keep - effectively 4314 * the significant bits in the *input* when the output will 4315 * eventually be 8 bits. By default it is 11. 4316 */ 4317 if (shift < (16U - PNG_MAX_GAMMA_8)) 4318 shift = (16U - PNG_MAX_GAMMA_8); 4319 } 4320 4321 if (shift > 8U) 4322 shift = 8U; /* Guarantees at least one table! */ 4323 4324 png_ptr->gamma_shift = shift; 4325 4326 /* NOTE: prior to 1.5.4 this test used to include PNG_BACKGROUND (now 4327 * PNG_COMPOSE). This effectively smashed the background calculation for 4328 * 16-bit output because the 8-bit table assumes the result will be 4329 * reduced to 8 bits. 4330 */ 4331 if ((png_ptr->transformations & (PNG_16_TO_8 | PNG_SCALE_16_TO_8)) != 0) 4332 png_build_16to8_table(png_ptr, &png_ptr->gamma_16_table, shift, 4333 png_ptr->screen_gamma > 0 ? png_product2(png_ptr->colorspace.gamma, 4334 png_ptr->screen_gamma) : PNG_FP_1); 4335 4336 else 4337 png_build_16bit_table(png_ptr, &png_ptr->gamma_16_table, shift, 4338 png_ptr->screen_gamma > 0 ? png_reciprocal2(png_ptr->colorspace.gamma, 4339 png_ptr->screen_gamma) : PNG_FP_1); 4340 4341 #if defined(PNG_READ_BACKGROUND_SUPPORTED) || \ 4342 defined(PNG_READ_ALPHA_MODE_SUPPORTED) || \ 4343 defined(PNG_READ_RGB_TO_GRAY_SUPPORTED) 4344 if ((png_ptr->transformations & (PNG_COMPOSE | PNG_RGB_TO_GRAY)) != 0) 4345 { 4346 png_build_16bit_table(png_ptr, &png_ptr->gamma_16_to_1, shift, 4347 png_reciprocal(png_ptr->colorspace.gamma)); 4348 4349 /* Notice that the '16 from 1' table should be full precision, however 4350 * the lookup on this table still uses gamma_shift, so it can't be. 4351 * TODO: fix this. 4352 */ 4353 png_build_16bit_table(png_ptr, &png_ptr->gamma_16_from_1, shift, 4354 png_ptr->screen_gamma > 0 ? png_reciprocal(png_ptr->screen_gamma) : 4355 png_ptr->colorspace.gamma/* Probably doing rgb_to_gray */); 4356 } 4357 #endif /* READ_BACKGROUND || READ_ALPHA_MODE || RGB_TO_GRAY */ 4358 } 4359 #endif /* 16BIT */ 4360 } 4361 #endif /* READ_GAMMA */ 4362 4363 /* HARDWARE OR SOFTWARE OPTION SUPPORT */ 4364 #ifdef PNG_SET_OPTION_SUPPORTED 4365 int PNGAPI 4366 png_set_option(png_structrp png_ptr, int option, int onoff) 4367 { 4368 if (png_ptr != NULL && option >= 0 && option < PNG_OPTION_NEXT && 4369 (option & 1) == 0) 4370 { 4371 png_uint_32 mask = 3U << option; 4372 png_uint_32 setting = (2U + (onoff != 0)) << option; 4373 png_uint_32 current = png_ptr->options; 4374 4375 png_ptr->options = (png_uint_32)(((current & ~mask) | setting) & 0xff); 4376 4377 return (int)(current & mask) >> option; 4378 } 4379 4380 return PNG_OPTION_INVALID; 4381 } 4382 #endif 4383 4384 /* sRGB support */ 4385 #if defined(PNG_SIMPLIFIED_READ_SUPPORTED) ||\ 4386 defined(PNG_SIMPLIFIED_WRITE_SUPPORTED) 4387 /* sRGB conversion tables; these are machine generated with the code in 4388 * contrib/tools/makesRGB.c. The actual sRGB transfer curve defined in the 4389 * specification (see the article at https://en.wikipedia.org/wiki/SRGB) 4390 * is used, not the gamma=1/2.2 approximation use elsewhere in libpng. 4391 * The sRGB to linear table is exact (to the nearest 16-bit linear fraction). 4392 * The inverse (linear to sRGB) table has accuracies as follows: 4393 * 4394 * For all possible (255*65535+1) input values: 4395 * 4396 * error: -0.515566 - 0.625971, 79441 (0.475369%) of readings inexact 4397 * 4398 * For the input values corresponding to the 65536 16-bit values: 4399 * 4400 * error: -0.513727 - 0.607759, 308 (0.469978%) of readings inexact 4401 * 4402 * In all cases the inexact readings are only off by one. 4403 */ 4404 4405 #ifdef PNG_SIMPLIFIED_READ_SUPPORTED 4406 /* The convert-to-sRGB table is only currently required for read. */ 4407 const png_uint_16 png_sRGB_table[256] = 4408 { 4409 0,20,40,60,80,99,119,139, 4410 159,179,199,219,241,264,288,313, 4411 340,367,396,427,458,491,526,562, 4412 599,637,677,718,761,805,851,898, 4413 947,997,1048,1101,1156,1212,1270,1330, 4414 1391,1453,1517,1583,1651,1720,1790,1863, 4415 1937,2013,2090,2170,2250,2333,2418,2504, 4416 2592,2681,2773,2866,2961,3058,3157,3258, 4417 3360,3464,3570,3678,3788,3900,4014,4129, 4418 4247,4366,4488,4611,4736,4864,4993,5124, 4419 5257,5392,5530,5669,5810,5953,6099,6246, 4420 6395,6547,6700,6856,7014,7174,7335,7500, 4421 7666,7834,8004,8177,8352,8528,8708,8889, 4422 9072,9258,9445,9635,9828,10022,10219,10417, 4423 10619,10822,11028,11235,11446,11658,11873,12090, 4424 12309,12530,12754,12980,13209,13440,13673,13909, 4425 14146,14387,14629,14874,15122,15371,15623,15878, 4426 16135,16394,16656,16920,17187,17456,17727,18001, 4427 18277,18556,18837,19121,19407,19696,19987,20281, 4428 20577,20876,21177,21481,21787,22096,22407,22721, 4429 23038,23357,23678,24002,24329,24658,24990,25325, 4430 25662,26001,26344,26688,27036,27386,27739,28094, 4431 28452,28813,29176,29542,29911,30282,30656,31033, 4432 31412,31794,32179,32567,32957,33350,33745,34143, 4433 34544,34948,35355,35764,36176,36591,37008,37429, 4434 37852,38278,38706,39138,39572,40009,40449,40891, 4435 41337,41785,42236,42690,43147,43606,44069,44534, 4436 45002,45473,45947,46423,46903,47385,47871,48359, 4437 48850,49344,49841,50341,50844,51349,51858,52369, 4438 52884,53401,53921,54445,54971,55500,56032,56567, 4439 57105,57646,58190,58737,59287,59840,60396,60955, 4440 61517,62082,62650,63221,63795,64372,64952,65535 4441 }; 4442 #endif /* SIMPLIFIED_READ */ 4443 4444 /* The base/delta tables are required for both read and write (but currently 4445 * only the simplified versions.) 4446 */ 4447 const png_uint_16 png_sRGB_base[512] = 4448 { 4449 128,1782,3383,4644,5675,6564,7357,8074, 4450 8732,9346,9921,10463,10977,11466,11935,12384, 4451 12816,13233,13634,14024,14402,14769,15125,15473, 4452 15812,16142,16466,16781,17090,17393,17690,17981, 4453 18266,18546,18822,19093,19359,19621,19879,20133, 4454 20383,20630,20873,21113,21349,21583,21813,22041, 4455 22265,22487,22707,22923,23138,23350,23559,23767, 4456 23972,24175,24376,24575,24772,24967,25160,25352, 4457 25542,25730,25916,26101,26284,26465,26645,26823, 4458 27000,27176,27350,27523,27695,27865,28034,28201, 4459 28368,28533,28697,28860,29021,29182,29341,29500, 4460 29657,29813,29969,30123,30276,30429,30580,30730, 4461 30880,31028,31176,31323,31469,31614,31758,31902, 4462 32045,32186,32327,32468,32607,32746,32884,33021, 4463 33158,33294,33429,33564,33697,33831,33963,34095, 4464 34226,34357,34486,34616,34744,34873,35000,35127, 4465 35253,35379,35504,35629,35753,35876,35999,36122, 4466 36244,36365,36486,36606,36726,36845,36964,37083, 4467 37201,37318,37435,37551,37668,37783,37898,38013, 4468 38127,38241,38354,38467,38580,38692,38803,38915, 4469 39026,39136,39246,39356,39465,39574,39682,39790, 4470 39898,40005,40112,40219,40325,40431,40537,40642, 4471 40747,40851,40955,41059,41163,41266,41369,41471, 4472 41573,41675,41777,41878,41979,42079,42179,42279, 4473 42379,42478,42577,42676,42775,42873,42971,43068, 4474 43165,43262,43359,43456,43552,43648,43743,43839, 4475 43934,44028,44123,44217,44311,44405,44499,44592, 4476 44685,44778,44870,44962,45054,45146,45238,45329, 4477 45420,45511,45601,45692,45782,45872,45961,46051, 4478 46140,46229,46318,46406,46494,46583,46670,46758, 4479 46846,46933,47020,47107,47193,47280,47366,47452, 4480 47538,47623,47709,47794,47879,47964,48048,48133, 4481 48217,48301,48385,48468,48552,48635,48718,48801, 4482 48884,48966,49048,49131,49213,49294,49376,49458, 4483 49539,49620,49701,49782,49862,49943,50023,50103, 4484 50183,50263,50342,50422,50501,50580,50659,50738, 4485 50816,50895,50973,51051,51129,51207,51285,51362, 4486 51439,51517,51594,51671,51747,51824,51900,51977, 4487 52053,52129,52205,52280,52356,52432,52507,52582, 4488 52657,52732,52807,52881,52956,53030,53104,53178, 4489 53252,53326,53400,53473,53546,53620,53693,53766, 4490 53839,53911,53984,54056,54129,54201,54273,54345, 4491 54417,54489,54560,54632,54703,54774,54845,54916, 4492 54987,55058,55129,55199,55269,55340,55410,55480, 4493 55550,55620,55689,55759,55828,55898,55967,56036, 4494 56105,56174,56243,56311,56380,56448,56517,56585, 4495 56653,56721,56789,56857,56924,56992,57059,57127, 4496 57194,57261,57328,57395,57462,57529,57595,57662, 4497 57728,57795,57861,57927,57993,58059,58125,58191, 4498 58256,58322,58387,58453,58518,58583,58648,58713, 4499 58778,58843,58908,58972,59037,59101,59165,59230, 4500 59294,59358,59422,59486,59549,59613,59677,59740, 4501 59804,59867,59930,59993,60056,60119,60182,60245, 4502 60308,60370,60433,60495,60558,60620,60682,60744, 4503 60806,60868,60930,60992,61054,61115,61177,61238, 4504 61300,61361,61422,61483,61544,61605,61666,61727, 4505 61788,61848,61909,61969,62030,62090,62150,62211, 4506 62271,62331,62391,62450,62510,62570,62630,62689, 4507 62749,62808,62867,62927,62986,63045,63104,63163, 4508 63222,63281,63340,63398,63457,63515,63574,63632, 4509 63691,63749,63807,63865,63923,63981,64039,64097, 4510 64155,64212,64270,64328,64385,64443,64500,64557, 4511 64614,64672,64729,64786,64843,64900,64956,65013, 4512 65070,65126,65183,65239,65296,65352,65409,65465 4513 }; 4514 4515 const png_byte png_sRGB_delta[512] = 4516 { 4517 207,201,158,129,113,100,90,82,77,72,68,64,61,59,56,54, 4518 52,50,49,47,46,45,43,42,41,40,39,39,38,37,36,36, 4519 35,34,34,33,33,32,32,31,31,30,30,30,29,29,28,28, 4520 28,27,27,27,27,26,26,26,25,25,25,25,24,24,24,24, 4521 23,23,23,23,23,22,22,22,22,22,22,21,21,21,21,21, 4522 21,20,20,20,20,20,20,20,20,19,19,19,19,19,19,19, 4523 19,18,18,18,18,18,18,18,18,18,18,17,17,17,17,17, 4524 17,17,17,17,17,17,16,16,16,16,16,16,16,16,16,16, 4525 16,16,16,16,15,15,15,15,15,15,15,15,15,15,15,15, 4526 15,15,15,15,14,14,14,14,14,14,14,14,14,14,14,14, 4527 14,14,14,14,14,14,14,13,13,13,13,13,13,13,13,13, 4528 13,13,13,13,13,13,13,13,13,13,13,13,13,13,12,12, 4529 12,12,12,12,12,12,12,12,12,12,12,12,12,12,12,12, 4530 12,12,12,12,12,12,12,12,12,12,12,12,11,11,11,11, 4531 11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11, 4532 11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11, 4533 11,10,10,10,10,10,10,10,10,10,10,10,10,10,10,10, 4534 10,10,10,10,10,10,10,10,10,10,10,10,10,10,10,10, 4535 10,10,10,10,10,10,10,10,10,10,10,10,10,10,10,10, 4536 10,9,9,9,9,9,9,9,9,9,9,9,9,9,9,9, 4537 9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,9, 4538 9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,9, 4539 9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,9, 4540 9,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8, 4541 8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8, 4542 8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8, 4543 8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8, 4544 8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8, 4545 8,8,8,8,8,8,8,8,8,7,7,7,7,7,7,7, 4546 7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,7, 4547 7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,7, 4548 7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,7 4549 }; 4550 #endif /* SIMPLIFIED READ/WRITE sRGB support */ 4551 4552 /* SIMPLIFIED READ/WRITE SUPPORT */ 4553 #if defined(PNG_SIMPLIFIED_READ_SUPPORTED) ||\ 4554 defined(PNG_SIMPLIFIED_WRITE_SUPPORTED) 4555 static int 4556 png_image_free_function(png_voidp argument) 4557 { 4558 png_imagep image = png_voidcast(png_imagep, argument); 4559 png_controlp cp = image->opaque; 4560 png_control c; 4561 4562 /* Double check that we have a png_ptr - it should be impossible to get here 4563 * without one. 4564 */ 4565 if (cp->png_ptr == NULL) 4566 return 0; 4567 4568 /* First free any data held in the control structure. */ 4569 # ifdef PNG_STDIO_SUPPORTED 4570 if (cp->owned_file != 0) 4571 { 4572 FILE *fp = png_voidcast(FILE*, cp->png_ptr->io_ptr); 4573 cp->owned_file = 0; 4574 4575 /* Ignore errors here. */ 4576 if (fp != NULL) 4577 { 4578 cp->png_ptr->io_ptr = NULL; 4579 (void)fclose(fp); 4580 } 4581 } 4582 # endif 4583 4584 /* Copy the control structure so that the original, allocated, version can be 4585 * safely freed. Notice that a png_error here stops the remainder of the 4586 * cleanup, but this is probably fine because that would indicate bad memory 4587 * problems anyway. 4588 */ 4589 c = *cp; 4590 image->opaque = &c; 4591 png_free(c.png_ptr, cp); 4592 4593 /* Then the structures, calling the correct API. */ 4594 if (c.for_write != 0) 4595 { 4596 # ifdef PNG_SIMPLIFIED_WRITE_SUPPORTED 4597 png_destroy_write_struct(&c.png_ptr, &c.info_ptr); 4598 # else 4599 png_error(c.png_ptr, "simplified write not supported"); 4600 # endif 4601 } 4602 else 4603 { 4604 # ifdef PNG_SIMPLIFIED_READ_SUPPORTED 4605 png_destroy_read_struct(&c.png_ptr, &c.info_ptr, NULL); 4606 # else 4607 png_error(c.png_ptr, "simplified read not supported"); 4608 # endif 4609 } 4610 4611 /* Success. */ 4612 return 1; 4613 } 4614 4615 void PNGAPI 4616 png_image_free(png_imagep image) 4617 { 4618 /* Safely call the real function, but only if doing so is safe at this point 4619 * (if not inside an error handling context). Otherwise assume 4620 * png_safe_execute will call this API after the return. 4621 */ 4622 if (image != NULL && image->opaque != NULL && 4623 image->opaque->error_buf == NULL) 4624 { 4625 /* Ignore errors here: */ 4626 (void)png_safe_execute(image, png_image_free_function, image); 4627 image->opaque = NULL; 4628 } 4629 } 4630 4631 int /* PRIVATE */ 4632 png_image_error(png_imagep image, png_const_charp error_message) 4633 { 4634 /* Utility to log an error. */ 4635 png_safecat(image->message, (sizeof image->message), 0, error_message); 4636 image->warning_or_error |= PNG_IMAGE_ERROR; 4637 png_image_free(image); 4638 return 0; 4639 } 4640 4641 #endif /* SIMPLIFIED READ/WRITE */ 4642 #endif /* READ || WRITE */