12 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * version 2 for more details (a copy is included in the LICENSE file that
14 * accompanied this code).
15 *
16 * You should have received a copy of the GNU General Public License version
17 * 2 along with this work; if not, write to the Free Software Foundation,
18 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
19 *
20 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
21 * or visit www.oracle.com if you need additional information or have any
22 * questions.
23 */
24
25 /* pngrutil.c - utilities to read a PNG file
26 *
27 * This file is available under and governed by the GNU General Public
28 * License version 2 only, as published by the Free Software Foundation.
29 * However, the following notice accompanied the original version of this
30 * file and, per its terms, should not be removed:
31 *
32 * Last changed in libpng 1.6.27 [January 5, 2017]
33 * Copyright (c) 1998-2002,2004,2006-2016 Glenn Randers-Pehrson
34 * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
35 * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
36 *
37 * This code is released under the libpng license.
38 * For conditions of distribution and use, see the disclaimer
39 * and license in png.h
40 *
41 * This file contains routines that are only called from within
42 * libpng itself during the course of reading an image.
43 */
44
45 #include "pngpriv.h"
46
47 #ifdef PNG_READ_SUPPORTED
48
49 png_uint_32 PNGAPI
50 png_get_uint_31(png_const_structrp png_ptr, png_const_bytep buf)
51 {
52 png_uint_32 uval = png_get_uint_32(buf);
53
192
193 /* Read the length and the chunk name.
194 * This must be performed in a single I/O call.
195 */
196 png_read_data(png_ptr, buf, 8);
197 length = png_get_uint_31(png_ptr, buf);
198
199 /* Put the chunk name into png_ptr->chunk_name. */
200 png_ptr->chunk_name = PNG_CHUNK_FROM_STRING(buf+4);
201
202 png_debug2(0, "Reading %lx chunk, length = %lu",
203 (unsigned long)png_ptr->chunk_name, (unsigned long)length);
204
205 /* Reset the crc and run it over the chunk name. */
206 png_reset_crc(png_ptr);
207 png_calculate_crc(png_ptr, buf + 4, 4);
208
209 /* Check to see if chunk name is valid. */
210 png_check_chunk_name(png_ptr, png_ptr->chunk_name);
211
212 #ifdef PNG_IO_STATE_SUPPORTED
213 png_ptr->io_state = PNG_IO_READING | PNG_IO_CHUNK_DATA;
214 #endif
215
216 return length;
217 }
218
219 /* Read data, and (optionally) run it through the CRC. */
220 void /* PRIVATE */
221 png_crc_read(png_structrp png_ptr, png_bytep buf, png_uint_32 length)
222 {
223 if (png_ptr == NULL)
224 return;
225
226 png_read_data(png_ptr, buf, length);
227 png_calculate_crc(png_ptr, buf, length);
228 }
229
230 /* Optionally skip data and then check the CRC. Depending on whether we
231 * are reading an ancillary or critical chunk, and how the program has set
322 static png_bytep
323 png_read_buffer(png_structrp png_ptr, png_alloc_size_t new_size, int warn)
324 {
325 png_bytep buffer = png_ptr->read_buffer;
326
327 if (buffer != NULL && new_size > png_ptr->read_buffer_size)
328 {
329 png_ptr->read_buffer = NULL;
330 png_ptr->read_buffer = NULL;
331 png_ptr->read_buffer_size = 0;
332 png_free(png_ptr, buffer);
333 buffer = NULL;
334 }
335
336 if (buffer == NULL)
337 {
338 buffer = png_voidcast(png_bytep, png_malloc_base(png_ptr, new_size));
339
340 if (buffer != NULL)
341 {
342 png_ptr->read_buffer = buffer;
343 png_ptr->read_buffer_size = new_size;
344 }
345
346 else if (warn < 2) /* else silent */
347 {
348 if (warn != 0)
349 png_chunk_warning(png_ptr, "insufficient memory to read chunk");
350
351 else
352 png_chunk_error(png_ptr, "insufficient memory to read chunk");
353 }
354 }
355
356 return buffer;
357 }
358 #endif /* READ_iCCP|iTXt|pCAL|sCAL|sPLT|tEXt|zTXt|SEQUENTIAL_READ */
359
360 /* png_inflate_claim: claim the zstream for some nefarious purpose that involves
361 * decompression. Returns Z_OK on success, else a zlib error code. It checks
429 {
430 #if ZLIB_VERNUM >= 0x1240
431 ret = inflateReset2(&png_ptr->zstream, window_bits);
432 #else
433 ret = inflateReset(&png_ptr->zstream);
434 #endif
435 }
436
437 else
438 {
439 #if ZLIB_VERNUM >= 0x1240
440 ret = inflateInit2(&png_ptr->zstream, window_bits);
441 #else
442 ret = inflateInit(&png_ptr->zstream);
443 #endif
444
445 if (ret == Z_OK)
446 png_ptr->flags |= PNG_FLAG_ZSTREAM_INITIALIZED;
447 }
448
449 #if ZLIB_VERNUM >= 0x1281 && \
450 defined(PNG_SET_OPTION_SUPPORTED) && defined(PNG_IGNORE_ADLER32)
451 if (((png_ptr->options >> PNG_IGNORE_ADLER32) & 3) == PNG_OPTION_ON)
452 /* Turn off validation of the ADLER32 checksum in IDAT chunks */
453 ret = inflateValidate(&png_ptr->zstream, 0);
454 #endif
455
456 if (ret == Z_OK)
457 png_ptr->zowner = owner;
458
459 else
460 png_zstream_error(png_ptr, ret);
461
462 return ret;
463 }
464
465 #ifdef window_bits
466 # undef window_bits
467 #endif
468 }
469
681 * be necessary to store the previous window size.) In practice
682 * this doesn't matter anyway, because png_inflate will call inflate
683 * with Z_FINISH in almost all cases, so the window will not be
684 * maintained.
685 */
686 if (inflateReset(&png_ptr->zstream) == Z_OK)
687 {
688 /* Because of the limit checks above we know that the new,
689 * expanded, size will fit in a size_t (let alone an
690 * png_alloc_size_t). Use png_malloc_base here to avoid an
691 * extra OOM message.
692 */
693 png_alloc_size_t new_size = *newlength;
694 png_alloc_size_t buffer_size = prefix_size + new_size +
695 (terminate != 0);
696 png_bytep text = png_voidcast(png_bytep, png_malloc_base(png_ptr,
697 buffer_size));
698
699 if (text != NULL)
700 {
701 ret = png_inflate(png_ptr, png_ptr->chunk_name, 1/*finish*/,
702 png_ptr->read_buffer + prefix_size, &lzsize,
703 text + prefix_size, newlength);
704
705 if (ret == Z_STREAM_END)
706 {
707 if (new_size == *newlength)
708 {
709 if (terminate != 0)
710 text[prefix_size + *newlength] = 0;
711
712 if (prefix_size > 0)
713 memcpy(text, png_ptr->read_buffer, prefix_size);
714
715 {
716 png_bytep old_ptr = png_ptr->read_buffer;
717
718 png_ptr->read_buffer = text;
719 png_ptr->read_buffer_size = buffer_size;
720 text = old_ptr; /* freed below */
744 /* This really is very benign, but it's still an error because
745 * the extra space may otherwise be used as a Trojan Horse.
746 */
747 if (ret == Z_STREAM_END &&
748 chunklength - prefix_size != lzsize)
749 png_chunk_benign_error(png_ptr, "extra compressed data");
750 }
751
752 else
753 {
754 /* Out of memory allocating the buffer */
755 ret = Z_MEM_ERROR;
756 png_zstream_error(png_ptr, Z_MEM_ERROR);
757 }
758 }
759
760 else
761 {
762 /* inflateReset failed, store the error message */
763 png_zstream_error(png_ptr, ret);
764
765 if (ret == Z_STREAM_END)
766 ret = PNG_UNEXPECTED_ZLIB_RETURN;
767 }
768 }
769
770 else if (ret == Z_OK)
771 ret = PNG_UNEXPECTED_ZLIB_RETURN;
772
773 /* Release the claimed stream */
774 png_ptr->zowner = 0;
775 }
776
777 else /* the claim failed */ if (ret == Z_STREAM_END) /* impossible! */
778 ret = PNG_UNEXPECTED_ZLIB_RETURN;
779
780 return ret;
781 }
782
783 else
784 {
785 /* Application/configuration limits exceeded */
1388 {
1389 png_const_charp errmsg = NULL; /* error message output, or no error */
1390 int finished = 0; /* crc checked */
1391
1392 png_debug(1, "in png_handle_iCCP");
1393
1394 if ((png_ptr->mode & PNG_HAVE_IHDR) == 0)
1395 png_chunk_error(png_ptr, "missing IHDR");
1396
1397 else if ((png_ptr->mode & (PNG_HAVE_IDAT|PNG_HAVE_PLTE)) != 0)
1398 {
1399 png_crc_finish(png_ptr, length);
1400 png_chunk_benign_error(png_ptr, "out of place");
1401 return;
1402 }
1403
1404 /* Consistent with all the above colorspace handling an obviously *invalid*
1405 * chunk is just ignored, so does not invalidate the color space. An
1406 * alternative is to set the 'invalid' flags at the start of this routine
1407 * and only clear them in they were not set before and all the tests pass.
1408 * The minimum 'deflate' stream is assumed to be just the 2 byte header and
1409 * 4 byte checksum. The keyword must be at least one character and there is
1410 * a terminator (0) byte and the compression method.
1411 */
1412 if (length < 9)
1413 {
1414 png_crc_finish(png_ptr, length);
1415 png_chunk_benign_error(png_ptr, "too short");
1416 return;
1417 }
1418
1419 /* If a colorspace error has already been output skip this chunk */
1420 if ((png_ptr->colorspace.flags & PNG_COLORSPACE_INVALID) != 0)
1421 {
1422 png_crc_finish(png_ptr, length);
1423 return;
1424 }
1425
1426 /* Only one sRGB or iCCP chunk is allowed, use the HAVE_INTENT flag to detect
1427 * this.
1428 */
1429 if ((png_ptr->colorspace.flags & PNG_COLORSPACE_HAVE_INTENT) == 0)
1430 {
1431 uInt read_length, keyword_length;
1432 char keyword[81];
1433
1434 /* Find the keyword; the keyword plus separator and compression method
1435 * bytes can be at most 81 characters long.
1436 */
1437 read_length = 81; /* maximum */
1438 if (read_length > length)
1439 read_length = (uInt)length;
1440
1441 png_crc_read(png_ptr, (png_bytep)keyword, read_length);
1442 length -= read_length;
1443
1444 keyword_length = 0;
1445 while (keyword_length < 80 && keyword_length < read_length &&
1446 keyword[keyword_length] != 0)
1447 ++keyword_length;
1448
1449 /* TODO: make the keyword checking common */
1450 if (keyword_length >= 1 && keyword_length <= 79)
1451 {
1452 /* We only understand '0' compression - deflate - so if we get a
1453 * different value we can't safely decode the chunk.
1454 */
1455 if (keyword_length+1 < read_length &&
1456 keyword[keyword_length+1] == PNG_COMPRESSION_TYPE_BASE)
1457 {
1458 read_length -= keyword_length+2;
1459
1460 if (png_inflate_claim(png_ptr, png_iCCP) == Z_OK)
1461 {
1462 Byte profile_header[132];
1463 Byte local_buffer[PNG_INFLATE_BUF_SIZE];
1464 png_alloc_size_t size = (sizeof profile_header);
1465
1466 png_ptr->zstream.next_in = (Bytef*)keyword + (keyword_length+2);
1467 png_ptr->zstream.avail_in = read_length;
1468 (void)png_inflate_read(png_ptr, local_buffer,
1469 (sizeof local_buffer), &length, profile_header, &size,
1470 0/*finish: don't, because the output is too small*/);
1471
1472 if (size == 0)
1473 {
1474 /* We have the ICC profile header; do the basic header checks.
1475 */
1476 const png_uint_32 profile_length =
1477 png_get_uint_32(profile_header);
1478
1479 if (png_icc_check_length(png_ptr, &png_ptr->colorspace,
1480 keyword, profile_length) != 0)
1481 {
1482 /* The length is apparently ok, so we can check the 132
1483 * byte header.
1484 */
1485 if (png_icc_check_header(png_ptr, &png_ptr->colorspace,
1486 keyword, profile_length, profile_header,
1487 png_ptr->color_type) != 0)
1488 {
1489 /* Now read the tag table; a variable size buffer is
1490 * needed at this point, allocate one for the whole
1491 * profile. The header check has already validated
1492 * that none of these stuff will overflow.
1493 */
1494 const png_uint_32 tag_count = png_get_uint_32(
1495 profile_header+128);
1496 png_bytep profile = png_read_buffer(png_ptr,
1497 profile_length, 2/*silent*/);
1498
1499 if (profile != NULL)
1500 {
1501 memcpy(profile, profile_header,
1502 (sizeof profile_header));
1503
1504 size = 12 * tag_count;
1505
1506 (void)png_inflate_read(png_ptr, local_buffer,
1507 (sizeof local_buffer), &length,
1508 profile + (sizeof profile_header), &size, 0);
1509
1510 /* Still expect a buffer error because we expect
1511 * there to be some tag data!
1512 */
1579 png_ptr->colorspace.flags |=
1580 PNG_COLORSPACE_INVALID;
1581 errmsg = "out of memory";
1582 }
1583 }
1584
1585 /* else the profile remains in the read
1586 * buffer which gets reused for subsequent
1587 * chunks.
1588 */
1589
1590 if (info_ptr != NULL)
1591 png_colorspace_sync(png_ptr, info_ptr);
1592
1593 if (errmsg == NULL)
1594 {
1595 png_ptr->zowner = 0;
1596 return;
1597 }
1598 }
1599
1600 else if (size > 0)
1601 errmsg = "truncated";
1602
1603 #ifndef __COVERITY__
1604 else
1605 errmsg = png_ptr->zstream.msg;
1606 #endif
1607 }
1608
1609 /* else png_icc_check_tag_table output an error */
1610 }
1611
1612 else /* profile truncated */
1613 errmsg = png_ptr->zstream.msg;
1614 }
1615
1616 else
1617 errmsg = "out of memory";
1618 }
1619
1620 /* else png_icc_check_header output an error */
1621 }
1622
1623 /* else png_icc_check_length output an error */
1624 }
1625
1626 else /* profile truncated */
1627 errmsg = png_ptr->zstream.msg;
1628
1629 /* Release the stream */
1630 png_ptr->zowner = 0;
1631 }
2020 background.index = 0;
2021 background.red =
2022 background.green =
2023 background.blue =
2024 background.gray = png_get_uint_16(buf);
2025 }
2026
2027 else
2028 {
2029 background.index = 0;
2030 background.red = png_get_uint_16(buf);
2031 background.green = png_get_uint_16(buf + 2);
2032 background.blue = png_get_uint_16(buf + 4);
2033 background.gray = 0;
2034 }
2035
2036 png_set_bKGD(png_ptr, info_ptr, &background);
2037 }
2038 #endif
2039
2040 #ifdef PNG_READ_hIST_SUPPORTED
2041 void /* PRIVATE */
2042 png_handle_hIST(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
2043 {
2044 unsigned int num, i;
2045 png_uint_16 readbuf[PNG_MAX_PALETTE_LENGTH];
2046
2047 png_debug(1, "in png_handle_hIST");
2048
2049 if ((png_ptr->mode & PNG_HAVE_IHDR) == 0)
2050 png_chunk_error(png_ptr, "missing IHDR");
2051
2052 else if ((png_ptr->mode & PNG_HAVE_IDAT) != 0 ||
2053 (png_ptr->mode & PNG_HAVE_PLTE) == 0)
2054 {
2055 png_crc_finish(png_ptr, length);
2056 png_chunk_benign_error(png_ptr, "out of place");
2057 return;
2058 }
2059
2548 {
2549 png_crc_finish(png_ptr, length);
2550 return;
2551 }
2552
2553 if (--png_ptr->user_chunk_cache_max == 1)
2554 {
2555 png_crc_finish(png_ptr, length);
2556 png_chunk_benign_error(png_ptr, "no space in chunk cache");
2557 return;
2558 }
2559 }
2560 #endif
2561
2562 if ((png_ptr->mode & PNG_HAVE_IHDR) == 0)
2563 png_chunk_error(png_ptr, "missing IHDR");
2564
2565 if ((png_ptr->mode & PNG_HAVE_IDAT) != 0)
2566 png_ptr->mode |= PNG_AFTER_IDAT;
2567
2568 buffer = png_read_buffer(png_ptr, length, 2/*silent*/);
2569
2570 if (buffer == NULL)
2571 {
2572 png_crc_finish(png_ptr, length);
2573 png_chunk_benign_error(png_ptr, "out of memory");
2574 return;
2575 }
2576
2577 png_crc_read(png_ptr, buffer, length);
2578
2579 if (png_crc_finish(png_ptr, 0) != 0)
2580 return;
2581
2582 /* TODO: also check that the keyword contents match the spec! */
2583 for (keyword_length = 0;
2584 keyword_length < length && buffer[keyword_length] != 0;
2585 ++keyword_length)
2586 /* Empty loop to find end of name */ ;
2587
2594 */
2595 else if (keyword_length + 3 > length)
2596 errmsg = "truncated";
2597
2598 else if (buffer[keyword_length+1] != PNG_COMPRESSION_TYPE_BASE)
2599 errmsg = "unknown compression type";
2600
2601 else
2602 {
2603 png_alloc_size_t uncompressed_length = PNG_SIZE_MAX;
2604
2605 /* TODO: at present png_decompress_chunk imposes a single application
2606 * level memory limit, this should be split to different values for iCCP
2607 * and text chunks.
2608 */
2609 if (png_decompress_chunk(png_ptr, length, keyword_length+2,
2610 &uncompressed_length, 1/*terminate*/) == Z_STREAM_END)
2611 {
2612 png_text text;
2613
2614 /* It worked; png_ptr->read_buffer now looks like a tEXt chunk except
2615 * for the extra compression type byte and the fact that it isn't
2616 * necessarily '\0' terminated.
2617 */
2618 buffer = png_ptr->read_buffer;
2619 buffer[uncompressed_length+(keyword_length+2)] = 0;
2620
2621 text.compression = PNG_TEXT_COMPRESSION_zTXt;
2622 text.key = (png_charp)buffer;
2623 text.text = (png_charp)(buffer + keyword_length+2);
2624 text.text_length = uncompressed_length;
2625 text.itxt_length = 0;
2626 text.lang = NULL;
2627 text.lang_key = NULL;
2628
2629 if (png_set_text_2(png_ptr, info_ptr, &text, 1) != 0)
2630 errmsg = "insufficient memory";
2631 }
2632
2633 else
2634 errmsg = png_ptr->zstream.msg;
2635 }
2636
2637 if (errmsg != NULL)
2638 png_chunk_benign_error(png_ptr, errmsg);
2639 }
2640 #endif
2641
2642 #ifdef PNG_READ_iTXt_SUPPORTED
2643 /* Note: this does not correctly handle chunks that are > 64K under DOS */
2644 void /* PRIVATE */
2645 png_handle_iTXt(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
2646 {
2647 png_const_charp errmsg = NULL;
2648 png_bytep buffer;
2649 png_uint_32 prefix_length;
2650
2651 png_debug(1, "in png_handle_iTXt");
2986 png_app_error(png_ptr, "no unknown chunk support available");
2987
2988 png_crc_finish(png_ptr, length);
2989 }
2990 # endif
2991
2992 # ifdef PNG_STORE_UNKNOWN_CHUNKS_SUPPORTED
2993 /* Now store the chunk in the chunk list if appropriate, and if the limits
2994 * permit it.
2995 */
2996 if (keep == PNG_HANDLE_CHUNK_ALWAYS ||
2997 (keep == PNG_HANDLE_CHUNK_IF_SAFE &&
2998 PNG_CHUNK_ANCILLARY(png_ptr->chunk_name)))
2999 {
3000 # ifdef PNG_USER_LIMITS_SUPPORTED
3001 switch (png_ptr->user_chunk_cache_max)
3002 {
3003 case 2:
3004 png_ptr->user_chunk_cache_max = 1;
3005 png_chunk_benign_error(png_ptr, "no space in chunk cache");
3006 /* FALL THROUGH */
3007 case 1:
3008 /* NOTE: prior to 1.6.0 this case resulted in an unknown critical
3009 * chunk being skipped, now there will be a hard error below.
3010 */
3011 break;
3012
3013 default: /* not at limit */
3014 --(png_ptr->user_chunk_cache_max);
3015 /* FALL THROUGH */
3016 case 0: /* no limit */
3017 # endif /* USER_LIMITS */
3018 /* Here when the limit isn't reached or when limits are compiled
3019 * out; store the chunk.
3020 */
3021 png_set_unknown_chunks(png_ptr, info_ptr,
3022 &png_ptr->unknown_chunk, 1);
3023 handled = 1;
3024 # ifdef PNG_USER_LIMITS_SUPPORTED
3025 break;
3026 }
3027 # endif
3028 }
3029 # else /* no store support: the chunk must be handled by the user callback */
3030 PNG_UNUSED(info_ptr)
3031 # endif
3032
3033 /* Regardless of the error handling below the cached data (if any) can be
3034 * freed now. Notice that the data is not freed if there is a png_error, but
3035 * it will be freed by destroy_read_struct.
3046 #endif /* !READ_UNKNOWN_CHUNKS */
3047
3048 /* Check for unhandled critical chunks */
3049 if (handled == 0 && PNG_CHUNK_CRITICAL(png_ptr->chunk_name))
3050 png_chunk_error(png_ptr, "unhandled critical chunk");
3051 }
3052
3053 /* This function is called to verify that a chunk name is valid.
3054 * This function can't have the "critical chunk check" incorporated
3055 * into it, since in the future we will need to be able to call user
3056 * functions to handle unknown critical chunks after we check that
3057 * the chunk name itself is valid.
3058 */
3059
3060 /* Bit hacking: the test for an invalid byte in the 4 byte chunk name is:
3061 *
3062 * ((c) < 65 || (c) > 122 || ((c) > 90 && (c) < 97))
3063 */
3064
3065 void /* PRIVATE */
3066 png_check_chunk_name(png_structrp png_ptr, png_uint_32 chunk_name)
3067 {
3068 int i;
3069
3070 png_debug(1, "in png_check_chunk_name");
3071
3072 for (i=1; i<=4; ++i)
3073 {
3074 int c = chunk_name & 0xff;
3075
3076 if (c < 65 || c > 122 || (c > 90 && c < 97))
3077 png_chunk_error(png_ptr, "invalid chunk type");
3078
3079 chunk_name >>= 8;
3080 }
3081 }
3082
3083 /* Combines the row recently read in with the existing pixels in the row. This
3084 * routine takes care of alpha and transparency if requested. This routine also
3085 * handles the two methods of progressive display of interlaced images,
3086 * depending on the 'display' value; if 'display' is true then the whole row
3087 * (dp) is filled from the start by replicating the available pixels. If
3088 * 'display' is false only those pixels present in the pass are filled in.
3089 */
3090 void /* PRIVATE */
3091 png_combine_row(png_const_structrp png_ptr, png_bytep dp, int display)
3092 {
3093 unsigned int pixel_depth = png_ptr->transformed_pixel_depth;
3094 png_const_bytep sp = png_ptr->row_buf + 1;
3095 png_alloc_size_t row_width = png_ptr->width;
3096 unsigned int pass = png_ptr->pass;
3097 png_bytep end_ptr = 0;
3098 png_byte end_byte = 0;
3099 unsigned int end_mask;
3388 {
3389 case 1:
3390 for (;;)
3391 {
3392 *dp = *sp;
3393
3394 if (row_width <= bytes_to_jump)
3395 return;
3396
3397 dp += bytes_to_jump;
3398 sp += bytes_to_jump;
3399 row_width -= bytes_to_jump;
3400 }
3401
3402 case 2:
3403 /* There is a possibility of a partial copy at the end here; this
3404 * slows the code down somewhat.
3405 */
3406 do
3407 {
3408 dp[0] = sp[0], dp[1] = sp[1];
3409
3410 if (row_width <= bytes_to_jump)
3411 return;
3412
3413 sp += bytes_to_jump;
3414 dp += bytes_to_jump;
3415 row_width -= bytes_to_jump;
3416 }
3417 while (row_width > 1);
3418
3419 /* And there can only be one byte left at this point: */
3420 *dp = *sp;
3421 return;
3422
3423 case 3:
3424 /* This can only be the RGB case, so each copy is exactly one
3425 * pixel and it is not necessary to check for a partial copy.
3426 */
3427 for (;;)
3428 {
3429 dp[0] = sp[0], dp[1] = sp[1], dp[2] = sp[2];
3430
3431 if (row_width <= bytes_to_jump)
3432 return;
3433
3434 sp += bytes_to_jump;
3435 dp += bytes_to_jump;
3436 row_width -= bytes_to_jump;
3437 }
3438
3439 default:
3440 #if PNG_ALIGN_TYPE != PNG_ALIGN_NONE
3441 /* Check for double byte alignment and, if possible, use a
3442 * 16-bit copy. Don't attempt this for narrow images - ones that
3443 * are less than an interlace panel wide. Don't attempt it for
3444 * wide bytes_to_copy either - use the memcpy there.
3445 */
3446 if (bytes_to_copy < 16 /*else use memcpy*/ &&
3447 png_isaligned(dp, png_uint_16) &&
3448 png_isaligned(sp, png_uint_16) &&
3449 bytes_to_copy % (sizeof (png_uint_16)) == 0 &&
3898
3899 a &= 0xff; /* From previous iteration or start */
3900 b = *prev_row++;
3901
3902 p = b - c;
3903 pc = a - c;
3904
3905 #ifdef PNG_USE_ABS
3906 pa = abs(p);
3907 pb = abs(pc);
3908 pc = abs(p + pc);
3909 #else
3910 pa = p < 0 ? -p : p;
3911 pb = pc < 0 ? -pc : pc;
3912 pc = (p + pc) < 0 ? -(p + pc) : p + pc;
3913 #endif
3914
3915 /* Find the best predictor, the least of pa, pb, pc favoring the earlier
3916 * ones in the case of a tie.
3917 */
3918 if (pb < pa) pa = pb, a = b;
3919 if (pc < pa) a = c;
3920
3921 /* Calculate the current pixel in a, and move the previous row pixel to c
3922 * for the next time round the loop
3923 */
3924 c = b;
3925 a += *row;
3926 *row++ = (png_byte)a;
3927 }
3928 }
3929
3930 static void
3931 png_read_filter_row_paeth_multibyte_pixel(png_row_infop row_info, png_bytep row,
3932 png_const_bytep prev_row)
3933 {
3934 unsigned int bpp = (row_info->pixel_depth + 7) >> 3;
3935 png_bytep rp_end = row + bpp;
3936
3937 /* Process the first pixel in the row completely (this is the same as 'up'
3938 * because there is only one candidate predictor for the first row).
3950 {
3951 int a, b, c, pa, pb, pc, p;
3952
3953 c = *(prev_row - bpp);
3954 a = *(row - bpp);
3955 b = *prev_row++;
3956
3957 p = b - c;
3958 pc = a - c;
3959
3960 #ifdef PNG_USE_ABS
3961 pa = abs(p);
3962 pb = abs(pc);
3963 pc = abs(p + pc);
3964 #else
3965 pa = p < 0 ? -p : p;
3966 pb = pc < 0 ? -pc : pc;
3967 pc = (p + pc) < 0 ? -(p + pc) : p + pc;
3968 #endif
3969
3970 if (pb < pa) pa = pb, a = b;
3971 if (pc < pa) a = c;
3972
3973 a += *row;
3974 *row++ = (png_byte)a;
3975 }
3976 }
3977
3978 static void
3979 png_init_filter_functions(png_structrp pp)
3980 /* This function is called once for every PNG image (except for PNG images
3981 * that only use PNG_FILTER_VALUE_NONE for all rows) to set the
3982 * implementations required to reverse the filtering of PNG rows. Reversing
3983 * the filter is the first transformation performed on the row data. It is
3984 * performed in place, therefore an implementation can be selected based on
3985 * the image pixel format. If the implementation depends on image width then
3986 * take care to ensure that it works correctly if the image is interlaced -
3987 * interlacing causes the actual row width to vary.
3988 */
3989 {
3990 unsigned int bpp = (pp->pixel_depth + 7) >> 3;
|
12 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * version 2 for more details (a copy is included in the LICENSE file that
14 * accompanied this code).
15 *
16 * You should have received a copy of the GNU General Public License version
17 * 2 along with this work; if not, write to the Free Software Foundation,
18 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
19 *
20 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
21 * or visit www.oracle.com if you need additional information or have any
22 * questions.
23 */
24
25 /* pngrutil.c - utilities to read a PNG file
26 *
27 * This file is available under and governed by the GNU General Public
28 * License version 2 only, as published by the Free Software Foundation.
29 * However, the following notice accompanied the original version of this
30 * file and, per its terms, should not be removed:
31 *
32 * Last changed in libpng 1.6.33 [September 28, 2017]
33 * Copyright (c) 1998-2002,2004,2006-2017 Glenn Randers-Pehrson
34 * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
35 * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
36 *
37 * This code is released under the libpng license.
38 * For conditions of distribution and use, see the disclaimer
39 * and license in png.h
40 *
41 * This file contains routines that are only called from within
42 * libpng itself during the course of reading an image.
43 */
44
45 #include "pngpriv.h"
46
47 #ifdef PNG_READ_SUPPORTED
48
49 png_uint_32 PNGAPI
50 png_get_uint_31(png_const_structrp png_ptr, png_const_bytep buf)
51 {
52 png_uint_32 uval = png_get_uint_32(buf);
53
192
193 /* Read the length and the chunk name.
194 * This must be performed in a single I/O call.
195 */
196 png_read_data(png_ptr, buf, 8);
197 length = png_get_uint_31(png_ptr, buf);
198
199 /* Put the chunk name into png_ptr->chunk_name. */
200 png_ptr->chunk_name = PNG_CHUNK_FROM_STRING(buf+4);
201
202 png_debug2(0, "Reading %lx chunk, length = %lu",
203 (unsigned long)png_ptr->chunk_name, (unsigned long)length);
204
205 /* Reset the crc and run it over the chunk name. */
206 png_reset_crc(png_ptr);
207 png_calculate_crc(png_ptr, buf + 4, 4);
208
209 /* Check to see if chunk name is valid. */
210 png_check_chunk_name(png_ptr, png_ptr->chunk_name);
211
212 /* Check for too-large chunk length */
213 png_check_chunk_length(png_ptr, length);
214
215 #ifdef PNG_IO_STATE_SUPPORTED
216 png_ptr->io_state = PNG_IO_READING | PNG_IO_CHUNK_DATA;
217 #endif
218
219 return length;
220 }
221
222 /* Read data, and (optionally) run it through the CRC. */
223 void /* PRIVATE */
224 png_crc_read(png_structrp png_ptr, png_bytep buf, png_uint_32 length)
225 {
226 if (png_ptr == NULL)
227 return;
228
229 png_read_data(png_ptr, buf, length);
230 png_calculate_crc(png_ptr, buf, length);
231 }
232
233 /* Optionally skip data and then check the CRC. Depending on whether we
234 * are reading an ancillary or critical chunk, and how the program has set
325 static png_bytep
326 png_read_buffer(png_structrp png_ptr, png_alloc_size_t new_size, int warn)
327 {
328 png_bytep buffer = png_ptr->read_buffer;
329
330 if (buffer != NULL && new_size > png_ptr->read_buffer_size)
331 {
332 png_ptr->read_buffer = NULL;
333 png_ptr->read_buffer = NULL;
334 png_ptr->read_buffer_size = 0;
335 png_free(png_ptr, buffer);
336 buffer = NULL;
337 }
338
339 if (buffer == NULL)
340 {
341 buffer = png_voidcast(png_bytep, png_malloc_base(png_ptr, new_size));
342
343 if (buffer != NULL)
344 {
345 memset(buffer, 0, new_size); /* just in case */
346 png_ptr->read_buffer = buffer;
347 png_ptr->read_buffer_size = new_size;
348 }
349
350 else if (warn < 2) /* else silent */
351 {
352 if (warn != 0)
353 png_chunk_warning(png_ptr, "insufficient memory to read chunk");
354
355 else
356 png_chunk_error(png_ptr, "insufficient memory to read chunk");
357 }
358 }
359
360 return buffer;
361 }
362 #endif /* READ_iCCP|iTXt|pCAL|sCAL|sPLT|tEXt|zTXt|SEQUENTIAL_READ */
363
364 /* png_inflate_claim: claim the zstream for some nefarious purpose that involves
365 * decompression. Returns Z_OK on success, else a zlib error code. It checks
433 {
434 #if ZLIB_VERNUM >= 0x1240
435 ret = inflateReset2(&png_ptr->zstream, window_bits);
436 #else
437 ret = inflateReset(&png_ptr->zstream);
438 #endif
439 }
440
441 else
442 {
443 #if ZLIB_VERNUM >= 0x1240
444 ret = inflateInit2(&png_ptr->zstream, window_bits);
445 #else
446 ret = inflateInit(&png_ptr->zstream);
447 #endif
448
449 if (ret == Z_OK)
450 png_ptr->flags |= PNG_FLAG_ZSTREAM_INITIALIZED;
451 }
452
453 #if ZLIB_VERNUM >= 0x1290 && \
454 defined(PNG_SET_OPTION_SUPPORTED) && defined(PNG_IGNORE_ADLER32)
455 if (((png_ptr->options >> PNG_IGNORE_ADLER32) & 3) == PNG_OPTION_ON)
456 /* Turn off validation of the ADLER32 checksum in IDAT chunks */
457 ret = inflateValidate(&png_ptr->zstream, 0);
458 #endif
459
460 if (ret == Z_OK)
461 png_ptr->zowner = owner;
462
463 else
464 png_zstream_error(png_ptr, ret);
465
466 return ret;
467 }
468
469 #ifdef window_bits
470 # undef window_bits
471 #endif
472 }
473
685 * be necessary to store the previous window size.) In practice
686 * this doesn't matter anyway, because png_inflate will call inflate
687 * with Z_FINISH in almost all cases, so the window will not be
688 * maintained.
689 */
690 if (inflateReset(&png_ptr->zstream) == Z_OK)
691 {
692 /* Because of the limit checks above we know that the new,
693 * expanded, size will fit in a size_t (let alone an
694 * png_alloc_size_t). Use png_malloc_base here to avoid an
695 * extra OOM message.
696 */
697 png_alloc_size_t new_size = *newlength;
698 png_alloc_size_t buffer_size = prefix_size + new_size +
699 (terminate != 0);
700 png_bytep text = png_voidcast(png_bytep, png_malloc_base(png_ptr,
701 buffer_size));
702
703 if (text != NULL)
704 {
705 memset(text, 0, buffer_size);
706
707 ret = png_inflate(png_ptr, png_ptr->chunk_name, 1/*finish*/,
708 png_ptr->read_buffer + prefix_size, &lzsize,
709 text + prefix_size, newlength);
710
711 if (ret == Z_STREAM_END)
712 {
713 if (new_size == *newlength)
714 {
715 if (terminate != 0)
716 text[prefix_size + *newlength] = 0;
717
718 if (prefix_size > 0)
719 memcpy(text, png_ptr->read_buffer, prefix_size);
720
721 {
722 png_bytep old_ptr = png_ptr->read_buffer;
723
724 png_ptr->read_buffer = text;
725 png_ptr->read_buffer_size = buffer_size;
726 text = old_ptr; /* freed below */
750 /* This really is very benign, but it's still an error because
751 * the extra space may otherwise be used as a Trojan Horse.
752 */
753 if (ret == Z_STREAM_END &&
754 chunklength - prefix_size != lzsize)
755 png_chunk_benign_error(png_ptr, "extra compressed data");
756 }
757
758 else
759 {
760 /* Out of memory allocating the buffer */
761 ret = Z_MEM_ERROR;
762 png_zstream_error(png_ptr, Z_MEM_ERROR);
763 }
764 }
765
766 else
767 {
768 /* inflateReset failed, store the error message */
769 png_zstream_error(png_ptr, ret);
770 ret = PNG_UNEXPECTED_ZLIB_RETURN;
771 }
772 }
773
774 else if (ret == Z_OK)
775 ret = PNG_UNEXPECTED_ZLIB_RETURN;
776
777 /* Release the claimed stream */
778 png_ptr->zowner = 0;
779 }
780
781 else /* the claim failed */ if (ret == Z_STREAM_END) /* impossible! */
782 ret = PNG_UNEXPECTED_ZLIB_RETURN;
783
784 return ret;
785 }
786
787 else
788 {
789 /* Application/configuration limits exceeded */
1392 {
1393 png_const_charp errmsg = NULL; /* error message output, or no error */
1394 int finished = 0; /* crc checked */
1395
1396 png_debug(1, "in png_handle_iCCP");
1397
1398 if ((png_ptr->mode & PNG_HAVE_IHDR) == 0)
1399 png_chunk_error(png_ptr, "missing IHDR");
1400
1401 else if ((png_ptr->mode & (PNG_HAVE_IDAT|PNG_HAVE_PLTE)) != 0)
1402 {
1403 png_crc_finish(png_ptr, length);
1404 png_chunk_benign_error(png_ptr, "out of place");
1405 return;
1406 }
1407
1408 /* Consistent with all the above colorspace handling an obviously *invalid*
1409 * chunk is just ignored, so does not invalidate the color space. An
1410 * alternative is to set the 'invalid' flags at the start of this routine
1411 * and only clear them in they were not set before and all the tests pass.
1412 */
1413
1414 /* The keyword must be at least one character and there is a
1415 * terminator (0) byte and the compression method byte, and the
1416 * 'zlib' datastream is at least 11 bytes.
1417 */
1418 if (length < 14)
1419 {
1420 png_crc_finish(png_ptr, length);
1421 png_chunk_benign_error(png_ptr, "too short");
1422 return;
1423 }
1424
1425 /* If a colorspace error has already been output skip this chunk */
1426 if ((png_ptr->colorspace.flags & PNG_COLORSPACE_INVALID) != 0)
1427 {
1428 png_crc_finish(png_ptr, length);
1429 return;
1430 }
1431
1432 /* Only one sRGB or iCCP chunk is allowed, use the HAVE_INTENT flag to detect
1433 * this.
1434 */
1435 if ((png_ptr->colorspace.flags & PNG_COLORSPACE_HAVE_INTENT) == 0)
1436 {
1437 uInt read_length, keyword_length;
1438 char keyword[81];
1439
1440 /* Find the keyword; the keyword plus separator and compression method
1441 * bytes can be at most 81 characters long.
1442 */
1443 read_length = 81; /* maximum */
1444 if (read_length > length)
1445 read_length = (uInt)length;
1446
1447 png_crc_read(png_ptr, (png_bytep)keyword, read_length);
1448 length -= read_length;
1449
1450 /* The minimum 'zlib' stream is assumed to be just the 2 byte header,
1451 * 5 bytes minimum 'deflate' stream, and the 4 byte checksum.
1452 */
1453 if (length < 11)
1454 {
1455 png_crc_finish(png_ptr, length);
1456 png_chunk_benign_error(png_ptr, "too short");
1457 return;
1458 }
1459
1460 keyword_length = 0;
1461 while (keyword_length < 80 && keyword_length < read_length &&
1462 keyword[keyword_length] != 0)
1463 ++keyword_length;
1464
1465 /* TODO: make the keyword checking common */
1466 if (keyword_length >= 1 && keyword_length <= 79)
1467 {
1468 /* We only understand '0' compression - deflate - so if we get a
1469 * different value we can't safely decode the chunk.
1470 */
1471 if (keyword_length+1 < read_length &&
1472 keyword[keyword_length+1] == PNG_COMPRESSION_TYPE_BASE)
1473 {
1474 read_length -= keyword_length+2;
1475
1476 if (png_inflate_claim(png_ptr, png_iCCP) == Z_OK)
1477 {
1478 Byte profile_header[132]={0};
1479 Byte local_buffer[PNG_INFLATE_BUF_SIZE];
1480 png_alloc_size_t size = (sizeof profile_header);
1481
1482 png_ptr->zstream.next_in = (Bytef*)keyword + (keyword_length+2);
1483 png_ptr->zstream.avail_in = read_length;
1484 (void)png_inflate_read(png_ptr, local_buffer,
1485 (sizeof local_buffer), &length, profile_header, &size,
1486 0/*finish: don't, because the output is too small*/);
1487
1488 if (size == 0)
1489 {
1490 /* We have the ICC profile header; do the basic header checks.
1491 */
1492 const png_uint_32 profile_length =
1493 png_get_uint_32(profile_header);
1494
1495 if (png_icc_check_length(png_ptr, &png_ptr->colorspace,
1496 keyword, profile_length) != 0)
1497 {
1498 /* The length is apparently ok, so we can check the 132
1499 * byte header.
1500 */
1501 if (png_icc_check_header(png_ptr, &png_ptr->colorspace,
1502 keyword, profile_length, profile_header,
1503 png_ptr->color_type) != 0)
1504 {
1505 /* Now read the tag table; a variable size buffer is
1506 * needed at this point, allocate one for the whole
1507 * profile. The header check has already validated
1508 * that none of this stuff will overflow.
1509 */
1510 const png_uint_32 tag_count = png_get_uint_32(
1511 profile_header+128);
1512 png_bytep profile = png_read_buffer(png_ptr,
1513 profile_length, 2/*silent*/);
1514
1515 if (profile != NULL)
1516 {
1517 memcpy(profile, profile_header,
1518 (sizeof profile_header));
1519
1520 size = 12 * tag_count;
1521
1522 (void)png_inflate_read(png_ptr, local_buffer,
1523 (sizeof local_buffer), &length,
1524 profile + (sizeof profile_header), &size, 0);
1525
1526 /* Still expect a buffer error because we expect
1527 * there to be some tag data!
1528 */
1595 png_ptr->colorspace.flags |=
1596 PNG_COLORSPACE_INVALID;
1597 errmsg = "out of memory";
1598 }
1599 }
1600
1601 /* else the profile remains in the read
1602 * buffer which gets reused for subsequent
1603 * chunks.
1604 */
1605
1606 if (info_ptr != NULL)
1607 png_colorspace_sync(png_ptr, info_ptr);
1608
1609 if (errmsg == NULL)
1610 {
1611 png_ptr->zowner = 0;
1612 return;
1613 }
1614 }
1615 if (errmsg == NULL)
1616 errmsg = png_ptr->zstream.msg;
1617 }
1618 /* else png_icc_check_tag_table output an error */
1619 }
1620 else /* profile truncated */
1621 errmsg = png_ptr->zstream.msg;
1622 }
1623
1624 else
1625 errmsg = "out of memory";
1626 }
1627
1628 /* else png_icc_check_header output an error */
1629 }
1630
1631 /* else png_icc_check_length output an error */
1632 }
1633
1634 else /* profile truncated */
1635 errmsg = png_ptr->zstream.msg;
1636
1637 /* Release the stream */
1638 png_ptr->zowner = 0;
1639 }
2028 background.index = 0;
2029 background.red =
2030 background.green =
2031 background.blue =
2032 background.gray = png_get_uint_16(buf);
2033 }
2034
2035 else
2036 {
2037 background.index = 0;
2038 background.red = png_get_uint_16(buf);
2039 background.green = png_get_uint_16(buf + 2);
2040 background.blue = png_get_uint_16(buf + 4);
2041 background.gray = 0;
2042 }
2043
2044 png_set_bKGD(png_ptr, info_ptr, &background);
2045 }
2046 #endif
2047
2048 #ifdef PNG_READ_eXIf_SUPPORTED
2049 void /* PRIVATE */
2050 png_handle_eXIf(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
2051 {
2052 unsigned int i;
2053
2054 png_debug(1, "in png_handle_eXIf");
2055
2056 if ((png_ptr->mode & PNG_HAVE_IHDR) == 0)
2057 png_chunk_error(png_ptr, "missing IHDR");
2058
2059 if (length < 2)
2060 {
2061 png_crc_finish(png_ptr, length);
2062 png_chunk_benign_error(png_ptr, "too short");
2063 return;
2064 }
2065
2066 else if (info_ptr == NULL || (info_ptr->valid & PNG_INFO_eXIf) != 0)
2067 {
2068 png_crc_finish(png_ptr, length);
2069 png_chunk_benign_error(png_ptr, "duplicate");
2070 return;
2071 }
2072
2073 info_ptr->free_me |= PNG_FREE_EXIF;
2074
2075 info_ptr->eXIf_buf = png_voidcast(png_bytep,
2076 png_malloc_warn(png_ptr, length));
2077
2078 if (info_ptr->eXIf_buf == NULL)
2079 {
2080 png_crc_finish(png_ptr, length);
2081 png_chunk_benign_error(png_ptr, "out of memory");
2082 return;
2083 }
2084
2085 for (i = 0; i < length; i++)
2086 {
2087 png_byte buf[1];
2088 png_crc_read(png_ptr, buf, 1);
2089 info_ptr->eXIf_buf[i] = buf[0];
2090 if (i == 1 && buf[0] != 'M' && buf[0] != 'I'
2091 && info_ptr->eXIf_buf[0] != buf[0])
2092 {
2093 png_crc_finish(png_ptr, length);
2094 png_chunk_benign_error(png_ptr, "incorrect byte-order specifier");
2095 png_free(png_ptr, info_ptr->eXIf_buf);
2096 info_ptr->eXIf_buf = NULL;
2097 return;
2098 }
2099 }
2100
2101 if (png_crc_finish(png_ptr, 0) != 0)
2102 return;
2103
2104 png_set_eXIf_1(png_ptr, info_ptr, length, info_ptr->eXIf_buf);
2105
2106 png_free(png_ptr, info_ptr->eXIf_buf);
2107 info_ptr->eXIf_buf = NULL;
2108 }
2109 #endif
2110
2111 #ifdef PNG_READ_hIST_SUPPORTED
2112 void /* PRIVATE */
2113 png_handle_hIST(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
2114 {
2115 unsigned int num, i;
2116 png_uint_16 readbuf[PNG_MAX_PALETTE_LENGTH];
2117
2118 png_debug(1, "in png_handle_hIST");
2119
2120 if ((png_ptr->mode & PNG_HAVE_IHDR) == 0)
2121 png_chunk_error(png_ptr, "missing IHDR");
2122
2123 else if ((png_ptr->mode & PNG_HAVE_IDAT) != 0 ||
2124 (png_ptr->mode & PNG_HAVE_PLTE) == 0)
2125 {
2126 png_crc_finish(png_ptr, length);
2127 png_chunk_benign_error(png_ptr, "out of place");
2128 return;
2129 }
2130
2619 {
2620 png_crc_finish(png_ptr, length);
2621 return;
2622 }
2623
2624 if (--png_ptr->user_chunk_cache_max == 1)
2625 {
2626 png_crc_finish(png_ptr, length);
2627 png_chunk_benign_error(png_ptr, "no space in chunk cache");
2628 return;
2629 }
2630 }
2631 #endif
2632
2633 if ((png_ptr->mode & PNG_HAVE_IHDR) == 0)
2634 png_chunk_error(png_ptr, "missing IHDR");
2635
2636 if ((png_ptr->mode & PNG_HAVE_IDAT) != 0)
2637 png_ptr->mode |= PNG_AFTER_IDAT;
2638
2639 /* Note, "length" is sufficient here; we won't be adding
2640 * a null terminator later.
2641 */
2642 buffer = png_read_buffer(png_ptr, length, 2/*silent*/);
2643
2644 if (buffer == NULL)
2645 {
2646 png_crc_finish(png_ptr, length);
2647 png_chunk_benign_error(png_ptr, "out of memory");
2648 return;
2649 }
2650
2651 png_crc_read(png_ptr, buffer, length);
2652
2653 if (png_crc_finish(png_ptr, 0) != 0)
2654 return;
2655
2656 /* TODO: also check that the keyword contents match the spec! */
2657 for (keyword_length = 0;
2658 keyword_length < length && buffer[keyword_length] != 0;
2659 ++keyword_length)
2660 /* Empty loop to find end of name */ ;
2661
2668 */
2669 else if (keyword_length + 3 > length)
2670 errmsg = "truncated";
2671
2672 else if (buffer[keyword_length+1] != PNG_COMPRESSION_TYPE_BASE)
2673 errmsg = "unknown compression type";
2674
2675 else
2676 {
2677 png_alloc_size_t uncompressed_length = PNG_SIZE_MAX;
2678
2679 /* TODO: at present png_decompress_chunk imposes a single application
2680 * level memory limit, this should be split to different values for iCCP
2681 * and text chunks.
2682 */
2683 if (png_decompress_chunk(png_ptr, length, keyword_length+2,
2684 &uncompressed_length, 1/*terminate*/) == Z_STREAM_END)
2685 {
2686 png_text text;
2687
2688 if (png_ptr->read_buffer == NULL)
2689 errmsg="Read failure in png_handle_zTXt";
2690 else
2691 {
2692 /* It worked; png_ptr->read_buffer now looks like a tEXt chunk
2693 * except for the extra compression type byte and the fact that
2694 * it isn't necessarily '\0' terminated.
2695 */
2696 buffer = png_ptr->read_buffer;
2697 buffer[uncompressed_length+(keyword_length+2)] = 0;
2698
2699 text.compression = PNG_TEXT_COMPRESSION_zTXt;
2700 text.key = (png_charp)buffer;
2701 text.text = (png_charp)(buffer + keyword_length+2);
2702 text.text_length = uncompressed_length;
2703 text.itxt_length = 0;
2704 text.lang = NULL;
2705 text.lang_key = NULL;
2706
2707 if (png_set_text_2(png_ptr, info_ptr, &text, 1) != 0)
2708 errmsg = "insufficient memory";
2709 }
2710 }
2711
2712 else
2713 errmsg = png_ptr->zstream.msg;
2714 }
2715
2716 if (errmsg != NULL)
2717 png_chunk_benign_error(png_ptr, errmsg);
2718 }
2719 #endif
2720
2721 #ifdef PNG_READ_iTXt_SUPPORTED
2722 /* Note: this does not correctly handle chunks that are > 64K under DOS */
2723 void /* PRIVATE */
2724 png_handle_iTXt(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
2725 {
2726 png_const_charp errmsg = NULL;
2727 png_bytep buffer;
2728 png_uint_32 prefix_length;
2729
2730 png_debug(1, "in png_handle_iTXt");
3065 png_app_error(png_ptr, "no unknown chunk support available");
3066
3067 png_crc_finish(png_ptr, length);
3068 }
3069 # endif
3070
3071 # ifdef PNG_STORE_UNKNOWN_CHUNKS_SUPPORTED
3072 /* Now store the chunk in the chunk list if appropriate, and if the limits
3073 * permit it.
3074 */
3075 if (keep == PNG_HANDLE_CHUNK_ALWAYS ||
3076 (keep == PNG_HANDLE_CHUNK_IF_SAFE &&
3077 PNG_CHUNK_ANCILLARY(png_ptr->chunk_name)))
3078 {
3079 # ifdef PNG_USER_LIMITS_SUPPORTED
3080 switch (png_ptr->user_chunk_cache_max)
3081 {
3082 case 2:
3083 png_ptr->user_chunk_cache_max = 1;
3084 png_chunk_benign_error(png_ptr, "no space in chunk cache");
3085 /* FALLTHROUGH */
3086 case 1:
3087 /* NOTE: prior to 1.6.0 this case resulted in an unknown critical
3088 * chunk being skipped, now there will be a hard error below.
3089 */
3090 break;
3091
3092 default: /* not at limit */
3093 --(png_ptr->user_chunk_cache_max);
3094 /* FALLTHROUGH */
3095 case 0: /* no limit */
3096 # endif /* USER_LIMITS */
3097 /* Here when the limit isn't reached or when limits are compiled
3098 * out; store the chunk.
3099 */
3100 png_set_unknown_chunks(png_ptr, info_ptr,
3101 &png_ptr->unknown_chunk, 1);
3102 handled = 1;
3103 # ifdef PNG_USER_LIMITS_SUPPORTED
3104 break;
3105 }
3106 # endif
3107 }
3108 # else /* no store support: the chunk must be handled by the user callback */
3109 PNG_UNUSED(info_ptr)
3110 # endif
3111
3112 /* Regardless of the error handling below the cached data (if any) can be
3113 * freed now. Notice that the data is not freed if there is a png_error, but
3114 * it will be freed by destroy_read_struct.
3125 #endif /* !READ_UNKNOWN_CHUNKS */
3126
3127 /* Check for unhandled critical chunks */
3128 if (handled == 0 && PNG_CHUNK_CRITICAL(png_ptr->chunk_name))
3129 png_chunk_error(png_ptr, "unhandled critical chunk");
3130 }
3131
3132 /* This function is called to verify that a chunk name is valid.
3133 * This function can't have the "critical chunk check" incorporated
3134 * into it, since in the future we will need to be able to call user
3135 * functions to handle unknown critical chunks after we check that
3136 * the chunk name itself is valid.
3137 */
3138
3139 /* Bit hacking: the test for an invalid byte in the 4 byte chunk name is:
3140 *
3141 * ((c) < 65 || (c) > 122 || ((c) > 90 && (c) < 97))
3142 */
3143
3144 void /* PRIVATE */
3145 png_check_chunk_name(png_const_structrp png_ptr, const png_uint_32 chunk_name)
3146 {
3147 int i;
3148 png_uint_32 cn=chunk_name;
3149
3150 png_debug(1, "in png_check_chunk_name");
3151
3152 for (i=1; i<=4; ++i)
3153 {
3154 int c = cn & 0xff;
3155
3156 if (c < 65 || c > 122 || (c > 90 && c < 97))
3157 png_chunk_error(png_ptr, "invalid chunk type");
3158
3159 cn >>= 8;
3160 }
3161 }
3162
3163 void /* PRIVATE */
3164 png_check_chunk_length(png_const_structrp png_ptr, const png_uint_32 length)
3165 {
3166 png_alloc_size_t limit = PNG_UINT_31_MAX;
3167
3168 # ifdef PNG_SET_USER_LIMITS_SUPPORTED
3169 if (png_ptr->user_chunk_malloc_max > 0 &&
3170 png_ptr->user_chunk_malloc_max < limit)
3171 limit = png_ptr->user_chunk_malloc_max;
3172 # elif PNG_USER_CHUNK_MALLOC_MAX > 0
3173 if (PNG_USER_CHUNK_MALLOC_MAX < limit)
3174 limit = PNG_USER_CHUNK_MALLOC_MAX;
3175 # endif
3176 if (png_ptr->chunk_name == png_IDAT)
3177 {
3178 png_alloc_size_t idat_limit = PNG_UINT_31_MAX;
3179 size_t row_factor =
3180 (png_ptr->width * png_ptr->channels * (png_ptr->bit_depth > 8? 2: 1)
3181 + 1 + (png_ptr->interlaced? 6: 0));
3182 if (png_ptr->height > PNG_UINT_32_MAX/row_factor)
3183 idat_limit=PNG_UINT_31_MAX;
3184 else
3185 idat_limit = png_ptr->height * row_factor;
3186 row_factor = row_factor > 32566? 32566 : row_factor;
3187 idat_limit += 6 + 5*(idat_limit/row_factor+1); /* zlib+deflate overhead */
3188 idat_limit=idat_limit < PNG_UINT_31_MAX? idat_limit : PNG_UINT_31_MAX;
3189 limit = limit < idat_limit? idat_limit : limit;
3190 }
3191
3192 if (length > limit)
3193 {
3194 png_debug2(0," length = %lu, limit = %lu",
3195 (unsigned long)length,(unsigned long)limit);
3196 png_chunk_error(png_ptr, "chunk data is too large");
3197 }
3198 }
3199
3200 /* Combines the row recently read in with the existing pixels in the row. This
3201 * routine takes care of alpha and transparency if requested. This routine also
3202 * handles the two methods of progressive display of interlaced images,
3203 * depending on the 'display' value; if 'display' is true then the whole row
3204 * (dp) is filled from the start by replicating the available pixels. If
3205 * 'display' is false only those pixels present in the pass are filled in.
3206 */
3207 void /* PRIVATE */
3208 png_combine_row(png_const_structrp png_ptr, png_bytep dp, int display)
3209 {
3210 unsigned int pixel_depth = png_ptr->transformed_pixel_depth;
3211 png_const_bytep sp = png_ptr->row_buf + 1;
3212 png_alloc_size_t row_width = png_ptr->width;
3213 unsigned int pass = png_ptr->pass;
3214 png_bytep end_ptr = 0;
3215 png_byte end_byte = 0;
3216 unsigned int end_mask;
3505 {
3506 case 1:
3507 for (;;)
3508 {
3509 *dp = *sp;
3510
3511 if (row_width <= bytes_to_jump)
3512 return;
3513
3514 dp += bytes_to_jump;
3515 sp += bytes_to_jump;
3516 row_width -= bytes_to_jump;
3517 }
3518
3519 case 2:
3520 /* There is a possibility of a partial copy at the end here; this
3521 * slows the code down somewhat.
3522 */
3523 do
3524 {
3525 dp[0] = sp[0]; dp[1] = sp[1];
3526
3527 if (row_width <= bytes_to_jump)
3528 return;
3529
3530 sp += bytes_to_jump;
3531 dp += bytes_to_jump;
3532 row_width -= bytes_to_jump;
3533 }
3534 while (row_width > 1);
3535
3536 /* And there can only be one byte left at this point: */
3537 *dp = *sp;
3538 return;
3539
3540 case 3:
3541 /* This can only be the RGB case, so each copy is exactly one
3542 * pixel and it is not necessary to check for a partial copy.
3543 */
3544 for (;;)
3545 {
3546 dp[0] = sp[0]; dp[1] = sp[1]; dp[2] = sp[2];
3547
3548 if (row_width <= bytes_to_jump)
3549 return;
3550
3551 sp += bytes_to_jump;
3552 dp += bytes_to_jump;
3553 row_width -= bytes_to_jump;
3554 }
3555
3556 default:
3557 #if PNG_ALIGN_TYPE != PNG_ALIGN_NONE
3558 /* Check for double byte alignment and, if possible, use a
3559 * 16-bit copy. Don't attempt this for narrow images - ones that
3560 * are less than an interlace panel wide. Don't attempt it for
3561 * wide bytes_to_copy either - use the memcpy there.
3562 */
3563 if (bytes_to_copy < 16 /*else use memcpy*/ &&
3564 png_isaligned(dp, png_uint_16) &&
3565 png_isaligned(sp, png_uint_16) &&
3566 bytes_to_copy % (sizeof (png_uint_16)) == 0 &&
4015
4016 a &= 0xff; /* From previous iteration or start */
4017 b = *prev_row++;
4018
4019 p = b - c;
4020 pc = a - c;
4021
4022 #ifdef PNG_USE_ABS
4023 pa = abs(p);
4024 pb = abs(pc);
4025 pc = abs(p + pc);
4026 #else
4027 pa = p < 0 ? -p : p;
4028 pb = pc < 0 ? -pc : pc;
4029 pc = (p + pc) < 0 ? -(p + pc) : p + pc;
4030 #endif
4031
4032 /* Find the best predictor, the least of pa, pb, pc favoring the earlier
4033 * ones in the case of a tie.
4034 */
4035 if (pb < pa)
4036 {
4037 pa = pb; a = b;
4038 }
4039 if (pc < pa) a = c;
4040
4041 /* Calculate the current pixel in a, and move the previous row pixel to c
4042 * for the next time round the loop
4043 */
4044 c = b;
4045 a += *row;
4046 *row++ = (png_byte)a;
4047 }
4048 }
4049
4050 static void
4051 png_read_filter_row_paeth_multibyte_pixel(png_row_infop row_info, png_bytep row,
4052 png_const_bytep prev_row)
4053 {
4054 unsigned int bpp = (row_info->pixel_depth + 7) >> 3;
4055 png_bytep rp_end = row + bpp;
4056
4057 /* Process the first pixel in the row completely (this is the same as 'up'
4058 * because there is only one candidate predictor for the first row).
4070 {
4071 int a, b, c, pa, pb, pc, p;
4072
4073 c = *(prev_row - bpp);
4074 a = *(row - bpp);
4075 b = *prev_row++;
4076
4077 p = b - c;
4078 pc = a - c;
4079
4080 #ifdef PNG_USE_ABS
4081 pa = abs(p);
4082 pb = abs(pc);
4083 pc = abs(p + pc);
4084 #else
4085 pa = p < 0 ? -p : p;
4086 pb = pc < 0 ? -pc : pc;
4087 pc = (p + pc) < 0 ? -(p + pc) : p + pc;
4088 #endif
4089
4090 if (pb < pa)
4091 {
4092 pa = pb; a = b;
4093 }
4094 if (pc < pa) a = c;
4095
4096 a += *row;
4097 *row++ = (png_byte)a;
4098 }
4099 }
4100
4101 static void
4102 png_init_filter_functions(png_structrp pp)
4103 /* This function is called once for every PNG image (except for PNG images
4104 * that only use PNG_FILTER_VALUE_NONE for all rows) to set the
4105 * implementations required to reverse the filtering of PNG rows. Reversing
4106 * the filter is the first transformation performed on the row data. It is
4107 * performed in place, therefore an implementation can be selected based on
4108 * the image pixel format. If the implementation depends on image width then
4109 * take care to ensure that it works correctly if the image is interlaced -
4110 * interlacing causes the actual row width to vary.
4111 */
4112 {
4113 unsigned int bpp = (pp->pixel_depth + 7) >> 3;
|