1 /* 2 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 3 * 4 * This code is free software; you can redistribute it and/or modify it 5 * under the terms of the GNU General Public License version 2 only, as 6 * published by the Free Software Foundation. Oracle designates this 7 * particular file as subject to the "Classpath" exception as provided 8 * by Oracle in the LICENSE file that accompanied this code. 9 * 10 * This code is distributed in the hope that it will be useful, but WITHOUT 11 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 12 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 13 * version 2 for more details (a copy is included in the LICENSE file that 14 * accompanied this code). 15 * 16 * You should have received a copy of the GNU General Public License version 17 * 2 along with this work; if not, write to the Free Software Foundation, 18 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 19 * 20 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA 21 * or visit www.oracle.com if you need additional information or have any 22 * questions. 23 */ 24 25 /* png.c - location for general purpose libpng functions 26 * 27 * This file is available under and governed by the GNU General Public 28 * License version 2 only, as published by the Free Software Foundation. 29 * However, the following notice accompanied the original version of this 30 * file and, per its terms, should not be removed: 31 * 32 * Copyright (c) 2018-2019 Cosmin Truta 33 * Copyright (c) 1998-2002,2004,2006-2018 Glenn Randers-Pehrson 34 * Copyright (c) 1996-1997 Andreas Dilger 35 * Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc. 36 * 37 * This code is released under the libpng license. 38 * For conditions of distribution and use, see the disclaimer 39 * and license in png.h 40 */ 41 42 #include "pngpriv.h" 43 44 /* Generate a compiler error if there is an old png.h in the search path. */ 45 typedef png_libpng_version_1_6_37 Your_png_h_is_not_version_1_6_37; 46 47 #ifdef __GNUC__ 48 /* The version tests may need to be added to, but the problem warning has 49 * consistently been fixed in GCC versions which obtain wide-spread release. 50 * The problem is that many versions of GCC rearrange comparison expressions in 51 * the optimizer in such a way that the results of the comparison will change 52 * if signed integer overflow occurs. Such comparisons are not permitted in 53 * ANSI C90, however GCC isn't clever enough to work out that that do not occur 54 * below in png_ascii_from_fp and png_muldiv, so it produces a warning with 55 * -Wextra. Unfortunately this is highly dependent on the optimizer and the 56 * machine architecture so the warning comes and goes unpredictably and is 57 * impossible to "fix", even were that a good idea. 58 */ 59 #if __GNUC__ == 7 && __GNUC_MINOR__ == 1 60 #define GCC_STRICT_OVERFLOW 1 61 #endif /* GNU 7.1.x */ 62 #endif /* GNU */ 63 #ifndef GCC_STRICT_OVERFLOW 64 #define GCC_STRICT_OVERFLOW 0 65 #endif 66 67 /* Tells libpng that we have already handled the first "num_bytes" bytes 68 * of the PNG file signature. If the PNG data is embedded into another 69 * stream we can set num_bytes = 8 so that libpng will not attempt to read 70 * or write any of the magic bytes before it starts on the IHDR. 71 */ 72 73 #ifdef PNG_READ_SUPPORTED 74 void PNGAPI 75 png_set_sig_bytes(png_structrp png_ptr, int num_bytes) 76 { 77 unsigned int nb = (unsigned int)num_bytes; 78 79 png_debug(1, "in png_set_sig_bytes"); 80 81 if (png_ptr == NULL) 82 return; 83 84 if (num_bytes < 0) 85 nb = 0; 86 87 if (nb > 8) 88 png_error(png_ptr, "Too many bytes for PNG signature"); 89 90 png_ptr->sig_bytes = (png_byte)nb; 91 } 92 93 /* Checks whether the supplied bytes match the PNG signature. We allow 94 * checking less than the full 8-byte signature so that those apps that 95 * already read the first few bytes of a file to determine the file type 96 * can simply check the remaining bytes for extra assurance. Returns 97 * an integer less than, equal to, or greater than zero if sig is found, 98 * respectively, to be less than, to match, or be greater than the correct 99 * PNG signature (this is the same behavior as strcmp, memcmp, etc). 100 */ 101 int PNGAPI 102 png_sig_cmp(png_const_bytep sig, size_t start, size_t num_to_check) 103 { 104 png_byte png_signature[8] = {137, 80, 78, 71, 13, 10, 26, 10}; 105 106 if (num_to_check > 8) 107 num_to_check = 8; 108 109 else if (num_to_check < 1) 110 return (-1); 111 112 if (start > 7) 113 return (-1); 114 115 if (start + num_to_check > 8) 116 num_to_check = 8 - start; 117 118 return ((int)(memcmp(&sig[start], &png_signature[start], num_to_check))); 119 } 120 121 #endif /* READ */ 122 123 #if defined(PNG_READ_SUPPORTED) || defined(PNG_WRITE_SUPPORTED) 124 /* Function to allocate memory for zlib */ 125 PNG_FUNCTION(voidpf /* PRIVATE */, 126 png_zalloc,(voidpf png_ptr, uInt items, uInt size),PNG_ALLOCATED) 127 { 128 png_alloc_size_t num_bytes = size; 129 130 if (png_ptr == NULL) 131 return NULL; 132 133 if (items >= (~(png_alloc_size_t)0)/size) 134 { 135 png_warning (png_voidcast(png_structrp, png_ptr), 136 "Potential overflow in png_zalloc()"); 137 return NULL; 138 } 139 140 num_bytes *= items; 141 return png_malloc_warn(png_voidcast(png_structrp, png_ptr), num_bytes); 142 } 143 144 /* Function to free memory for zlib */ 145 void /* PRIVATE */ 146 png_zfree(voidpf png_ptr, voidpf ptr) 147 { 148 png_free(png_voidcast(png_const_structrp,png_ptr), ptr); 149 } 150 151 /* Reset the CRC variable to 32 bits of 1's. Care must be taken 152 * in case CRC is > 32 bits to leave the top bits 0. 153 */ 154 void /* PRIVATE */ 155 png_reset_crc(png_structrp png_ptr) 156 { 157 /* The cast is safe because the crc is a 32-bit value. */ 158 png_ptr->crc = (png_uint_32)crc32(0, Z_NULL, 0); 159 } 160 161 /* Calculate the CRC over a section of data. We can only pass as 162 * much data to this routine as the largest single buffer size. We 163 * also check that this data will actually be used before going to the 164 * trouble of calculating it. 165 */ 166 void /* PRIVATE */ 167 png_calculate_crc(png_structrp png_ptr, png_const_bytep ptr, size_t length) 168 { 169 int need_crc = 1; 170 171 if (PNG_CHUNK_ANCILLARY(png_ptr->chunk_name) != 0) 172 { 173 if ((png_ptr->flags & PNG_FLAG_CRC_ANCILLARY_MASK) == 174 (PNG_FLAG_CRC_ANCILLARY_USE | PNG_FLAG_CRC_ANCILLARY_NOWARN)) 175 need_crc = 0; 176 } 177 178 else /* critical */ 179 { 180 if ((png_ptr->flags & PNG_FLAG_CRC_CRITICAL_IGNORE) != 0) 181 need_crc = 0; 182 } 183 184 /* 'uLong' is defined in zlib.h as unsigned long; this means that on some 185 * systems it is a 64-bit value. crc32, however, returns 32 bits so the 186 * following cast is safe. 'uInt' may be no more than 16 bits, so it is 187 * necessary to perform a loop here. 188 */ 189 if (need_crc != 0 && length > 0) 190 { 191 uLong crc = png_ptr->crc; /* Should never issue a warning */ 192 193 do 194 { 195 uInt safe_length = (uInt)length; 196 #ifndef __COVERITY__ 197 if (safe_length == 0) 198 safe_length = (uInt)-1; /* evil, but safe */ 199 #endif 200 201 crc = crc32(crc, ptr, safe_length); 202 203 /* The following should never issue compiler warnings; if they do the 204 * target system has characteristics that will probably violate other 205 * assumptions within the libpng code. 206 */ 207 ptr += safe_length; 208 length -= safe_length; 209 } 210 while (length > 0); 211 212 /* And the following is always safe because the crc is only 32 bits. */ 213 png_ptr->crc = (png_uint_32)crc; 214 } 215 } 216 217 /* Check a user supplied version number, called from both read and write 218 * functions that create a png_struct. 219 */ 220 int 221 png_user_version_check(png_structrp png_ptr, png_const_charp user_png_ver) 222 { 223 /* Libpng versions 1.0.0 and later are binary compatible if the version 224 * string matches through the second '.'; we must recompile any 225 * applications that use any older library version. 226 */ 227 228 if (user_png_ver != NULL) 229 { 230 int i = -1; 231 int found_dots = 0; 232 233 do 234 { 235 i++; 236 if (user_png_ver[i] != PNG_LIBPNG_VER_STRING[i]) 237 png_ptr->flags |= PNG_FLAG_LIBRARY_MISMATCH; 238 if (user_png_ver[i] == '.') 239 found_dots++; 240 } while (found_dots < 2 && user_png_ver[i] != 0 && 241 PNG_LIBPNG_VER_STRING[i] != 0); 242 } 243 244 else 245 png_ptr->flags |= PNG_FLAG_LIBRARY_MISMATCH; 246 247 if ((png_ptr->flags & PNG_FLAG_LIBRARY_MISMATCH) != 0) 248 { 249 #ifdef PNG_WARNINGS_SUPPORTED 250 size_t pos = 0; 251 char m[128]; 252 253 pos = png_safecat(m, (sizeof m), pos, 254 "Application built with libpng-"); 255 pos = png_safecat(m, (sizeof m), pos, user_png_ver); 256 pos = png_safecat(m, (sizeof m), pos, " but running with "); 257 pos = png_safecat(m, (sizeof m), pos, PNG_LIBPNG_VER_STRING); 258 PNG_UNUSED(pos) 259 260 png_warning(png_ptr, m); 261 #endif 262 263 #ifdef PNG_ERROR_NUMBERS_SUPPORTED 264 png_ptr->flags = 0; 265 #endif 266 267 return 0; 268 } 269 270 /* Success return. */ 271 return 1; 272 } 273 274 /* Generic function to create a png_struct for either read or write - this 275 * contains the common initialization. 276 */ 277 PNG_FUNCTION(png_structp /* PRIVATE */, 278 png_create_png_struct,(png_const_charp user_png_ver, png_voidp error_ptr, 279 png_error_ptr error_fn, png_error_ptr warn_fn, png_voidp mem_ptr, 280 png_malloc_ptr malloc_fn, png_free_ptr free_fn),PNG_ALLOCATED) 281 { 282 png_struct create_struct; 283 # ifdef PNG_SETJMP_SUPPORTED 284 jmp_buf create_jmp_buf; 285 # endif 286 287 /* This temporary stack-allocated structure is used to provide a place to 288 * build enough context to allow the user provided memory allocator (if any) 289 * to be called. 290 */ 291 memset(&create_struct, 0, (sizeof create_struct)); 292 293 /* Added at libpng-1.2.6 */ 294 # ifdef PNG_USER_LIMITS_SUPPORTED 295 create_struct.user_width_max = PNG_USER_WIDTH_MAX; 296 create_struct.user_height_max = PNG_USER_HEIGHT_MAX; 297 298 # ifdef PNG_USER_CHUNK_CACHE_MAX 299 /* Added at libpng-1.2.43 and 1.4.0 */ 300 create_struct.user_chunk_cache_max = PNG_USER_CHUNK_CACHE_MAX; 301 # endif 302 303 # ifdef PNG_USER_CHUNK_MALLOC_MAX 304 /* Added at libpng-1.2.43 and 1.4.1, required only for read but exists 305 * in png_struct regardless. 306 */ 307 create_struct.user_chunk_malloc_max = PNG_USER_CHUNK_MALLOC_MAX; 308 # endif 309 # endif 310 311 /* The following two API calls simply set fields in png_struct, so it is safe 312 * to do them now even though error handling is not yet set up. 313 */ 314 # ifdef PNG_USER_MEM_SUPPORTED 315 png_set_mem_fn(&create_struct, mem_ptr, malloc_fn, free_fn); 316 # else 317 PNG_UNUSED(mem_ptr) 318 PNG_UNUSED(malloc_fn) 319 PNG_UNUSED(free_fn) 320 # endif 321 322 /* (*error_fn) can return control to the caller after the error_ptr is set, 323 * this will result in a memory leak unless the error_fn does something 324 * extremely sophisticated. The design lacks merit but is implicit in the 325 * API. 326 */ 327 png_set_error_fn(&create_struct, error_ptr, error_fn, warn_fn); 328 329 # ifdef PNG_SETJMP_SUPPORTED 330 if (!setjmp(create_jmp_buf)) 331 # endif 332 { 333 # ifdef PNG_SETJMP_SUPPORTED 334 /* Temporarily fake out the longjmp information until we have 335 * successfully completed this function. This only works if we have 336 * setjmp() support compiled in, but it is safe - this stuff should 337 * never happen. 338 */ 339 create_struct.jmp_buf_ptr = &create_jmp_buf; 340 create_struct.jmp_buf_size = 0; /*stack allocation*/ 341 create_struct.longjmp_fn = longjmp; 342 # endif 343 /* Call the general version checker (shared with read and write code): 344 */ 345 if (png_user_version_check(&create_struct, user_png_ver) != 0) 346 { 347 png_structrp png_ptr = png_voidcast(png_structrp, 348 png_malloc_warn(&create_struct, (sizeof *png_ptr))); 349 350 if (png_ptr != NULL) 351 { 352 /* png_ptr->zstream holds a back-pointer to the png_struct, so 353 * this can only be done now: 354 */ 355 create_struct.zstream.zalloc = png_zalloc; 356 create_struct.zstream.zfree = png_zfree; 357 create_struct.zstream.opaque = png_ptr; 358 359 # ifdef PNG_SETJMP_SUPPORTED 360 /* Eliminate the local error handling: */ 361 create_struct.jmp_buf_ptr = NULL; 362 create_struct.jmp_buf_size = 0; 363 create_struct.longjmp_fn = 0; 364 # endif 365 366 *png_ptr = create_struct; 367 368 /* This is the successful return point */ 369 return png_ptr; 370 } 371 } 372 } 373 374 /* A longjmp because of a bug in the application storage allocator or a 375 * simple failure to allocate the png_struct. 376 */ 377 return NULL; 378 } 379 380 /* Allocate the memory for an info_struct for the application. */ 381 PNG_FUNCTION(png_infop,PNGAPI 382 png_create_info_struct,(png_const_structrp png_ptr),PNG_ALLOCATED) 383 { 384 png_inforp info_ptr; 385 386 png_debug(1, "in png_create_info_struct"); 387 388 if (png_ptr == NULL) 389 return NULL; 390 391 /* Use the internal API that does not (or at least should not) error out, so 392 * that this call always returns ok. The application typically sets up the 393 * error handling *after* creating the info_struct because this is the way it 394 * has always been done in 'example.c'. 395 */ 396 info_ptr = png_voidcast(png_inforp, png_malloc_base(png_ptr, 397 (sizeof *info_ptr))); 398 399 if (info_ptr != NULL) 400 memset(info_ptr, 0, (sizeof *info_ptr)); 401 402 return info_ptr; 403 } 404 405 /* This function frees the memory associated with a single info struct. 406 * Normally, one would use either png_destroy_read_struct() or 407 * png_destroy_write_struct() to free an info struct, but this may be 408 * useful for some applications. From libpng 1.6.0 this function is also used 409 * internally to implement the png_info release part of the 'struct' destroy 410 * APIs. This ensures that all possible approaches free the same data (all of 411 * it). 412 */ 413 void PNGAPI 414 png_destroy_info_struct(png_const_structrp png_ptr, png_infopp info_ptr_ptr) 415 { 416 png_inforp info_ptr = NULL; 417 418 png_debug(1, "in png_destroy_info_struct"); 419 420 if (png_ptr == NULL) 421 return; 422 423 if (info_ptr_ptr != NULL) 424 info_ptr = *info_ptr_ptr; 425 426 if (info_ptr != NULL) 427 { 428 /* Do this first in case of an error below; if the app implements its own 429 * memory management this can lead to png_free calling png_error, which 430 * will abort this routine and return control to the app error handler. 431 * An infinite loop may result if it then tries to free the same info 432 * ptr. 433 */ 434 *info_ptr_ptr = NULL; 435 436 png_free_data(png_ptr, info_ptr, PNG_FREE_ALL, -1); 437 memset(info_ptr, 0, (sizeof *info_ptr)); 438 png_free(png_ptr, info_ptr); 439 } 440 } 441 442 /* Initialize the info structure. This is now an internal function (0.89) 443 * and applications using it are urged to use png_create_info_struct() 444 * instead. Use deprecated in 1.6.0, internal use removed (used internally it 445 * is just a memset). 446 * 447 * NOTE: it is almost inconceivable that this API is used because it bypasses 448 * the user-memory mechanism and the user error handling/warning mechanisms in 449 * those cases where it does anything other than a memset. 450 */ 451 PNG_FUNCTION(void,PNGAPI 452 png_info_init_3,(png_infopp ptr_ptr, size_t png_info_struct_size), 453 PNG_DEPRECATED) 454 { 455 png_inforp info_ptr = *ptr_ptr; 456 457 png_debug(1, "in png_info_init_3"); 458 459 if (info_ptr == NULL) 460 return; 461 462 if ((sizeof (png_info)) > png_info_struct_size) 463 { 464 *ptr_ptr = NULL; 465 /* The following line is why this API should not be used: */ 466 free(info_ptr); 467 info_ptr = png_voidcast(png_inforp, png_malloc_base(NULL, 468 (sizeof *info_ptr))); 469 if (info_ptr == NULL) 470 return; 471 *ptr_ptr = info_ptr; 472 } 473 474 /* Set everything to 0 */ 475 memset(info_ptr, 0, (sizeof *info_ptr)); 476 } 477 478 /* The following API is not called internally */ 479 void PNGAPI 480 png_data_freer(png_const_structrp png_ptr, png_inforp info_ptr, 481 int freer, png_uint_32 mask) 482 { 483 png_debug(1, "in png_data_freer"); 484 485 if (png_ptr == NULL || info_ptr == NULL) 486 return; 487 488 if (freer == PNG_DESTROY_WILL_FREE_DATA) 489 info_ptr->free_me |= mask; 490 491 else if (freer == PNG_USER_WILL_FREE_DATA) 492 info_ptr->free_me &= ~mask; 493 494 else 495 png_error(png_ptr, "Unknown freer parameter in png_data_freer"); 496 } 497 498 void PNGAPI 499 png_free_data(png_const_structrp png_ptr, png_inforp info_ptr, png_uint_32 mask, 500 int num) 501 { 502 png_debug(1, "in png_free_data"); 503 504 if (png_ptr == NULL || info_ptr == NULL) 505 return; 506 507 #ifdef PNG_TEXT_SUPPORTED 508 /* Free text item num or (if num == -1) all text items */ 509 if (info_ptr->text != NULL && 510 ((mask & PNG_FREE_TEXT) & info_ptr->free_me) != 0) 511 { 512 if (num != -1) 513 { 514 png_free(png_ptr, info_ptr->text[num].key); 515 info_ptr->text[num].key = NULL; 516 } 517 518 else 519 { 520 int i; 521 522 for (i = 0; i < info_ptr->num_text; i++) 523 png_free(png_ptr, info_ptr->text[i].key); 524 525 png_free(png_ptr, info_ptr->text); 526 info_ptr->text = NULL; 527 info_ptr->num_text = 0; 528 info_ptr->max_text = 0; 529 } 530 } 531 #endif 532 533 #ifdef PNG_tRNS_SUPPORTED 534 /* Free any tRNS entry */ 535 if (((mask & PNG_FREE_TRNS) & info_ptr->free_me) != 0) 536 { 537 info_ptr->valid &= ~PNG_INFO_tRNS; 538 png_free(png_ptr, info_ptr->trans_alpha); 539 info_ptr->trans_alpha = NULL; 540 info_ptr->num_trans = 0; 541 } 542 #endif 543 544 #ifdef PNG_sCAL_SUPPORTED 545 /* Free any sCAL entry */ 546 if (((mask & PNG_FREE_SCAL) & info_ptr->free_me) != 0) 547 { 548 png_free(png_ptr, info_ptr->scal_s_width); 549 png_free(png_ptr, info_ptr->scal_s_height); 550 info_ptr->scal_s_width = NULL; 551 info_ptr->scal_s_height = NULL; 552 info_ptr->valid &= ~PNG_INFO_sCAL; 553 } 554 #endif 555 556 #ifdef PNG_pCAL_SUPPORTED 557 /* Free any pCAL entry */ 558 if (((mask & PNG_FREE_PCAL) & info_ptr->free_me) != 0) 559 { 560 png_free(png_ptr, info_ptr->pcal_purpose); 561 png_free(png_ptr, info_ptr->pcal_units); 562 info_ptr->pcal_purpose = NULL; 563 info_ptr->pcal_units = NULL; 564 565 if (info_ptr->pcal_params != NULL) 566 { 567 int i; 568 569 for (i = 0; i < info_ptr->pcal_nparams; i++) 570 png_free(png_ptr, info_ptr->pcal_params[i]); 571 572 png_free(png_ptr, info_ptr->pcal_params); 573 info_ptr->pcal_params = NULL; 574 } 575 info_ptr->valid &= ~PNG_INFO_pCAL; 576 } 577 #endif 578 579 #ifdef PNG_iCCP_SUPPORTED 580 /* Free any profile entry */ 581 if (((mask & PNG_FREE_ICCP) & info_ptr->free_me) != 0) 582 { 583 png_free(png_ptr, info_ptr->iccp_name); 584 png_free(png_ptr, info_ptr->iccp_profile); 585 info_ptr->iccp_name = NULL; 586 info_ptr->iccp_profile = NULL; 587 info_ptr->valid &= ~PNG_INFO_iCCP; 588 } 589 #endif 590 591 #ifdef PNG_sPLT_SUPPORTED 592 /* Free a given sPLT entry, or (if num == -1) all sPLT entries */ 593 if (info_ptr->splt_palettes != NULL && 594 ((mask & PNG_FREE_SPLT) & info_ptr->free_me) != 0) 595 { 596 if (num != -1) 597 { 598 png_free(png_ptr, info_ptr->splt_palettes[num].name); 599 png_free(png_ptr, info_ptr->splt_palettes[num].entries); 600 info_ptr->splt_palettes[num].name = NULL; 601 info_ptr->splt_palettes[num].entries = NULL; 602 } 603 604 else 605 { 606 int i; 607 608 for (i = 0; i < info_ptr->splt_palettes_num; i++) 609 { 610 png_free(png_ptr, info_ptr->splt_palettes[i].name); 611 png_free(png_ptr, info_ptr->splt_palettes[i].entries); 612 } 613 614 png_free(png_ptr, info_ptr->splt_palettes); 615 info_ptr->splt_palettes = NULL; 616 info_ptr->splt_palettes_num = 0; 617 info_ptr->valid &= ~PNG_INFO_sPLT; 618 } 619 } 620 #endif 621 622 #ifdef PNG_STORE_UNKNOWN_CHUNKS_SUPPORTED 623 if (info_ptr->unknown_chunks != NULL && 624 ((mask & PNG_FREE_UNKN) & info_ptr->free_me) != 0) 625 { 626 if (num != -1) 627 { 628 png_free(png_ptr, info_ptr->unknown_chunks[num].data); 629 info_ptr->unknown_chunks[num].data = NULL; 630 } 631 632 else 633 { 634 int i; 635 636 for (i = 0; i < info_ptr->unknown_chunks_num; i++) 637 png_free(png_ptr, info_ptr->unknown_chunks[i].data); 638 639 png_free(png_ptr, info_ptr->unknown_chunks); 640 info_ptr->unknown_chunks = NULL; 641 info_ptr->unknown_chunks_num = 0; 642 } 643 } 644 #endif 645 646 #ifdef PNG_eXIf_SUPPORTED 647 /* Free any eXIf entry */ 648 if (((mask & PNG_FREE_EXIF) & info_ptr->free_me) != 0) 649 { 650 # ifdef PNG_READ_eXIf_SUPPORTED 651 if (info_ptr->eXIf_buf) 652 { 653 png_free(png_ptr, info_ptr->eXIf_buf); 654 info_ptr->eXIf_buf = NULL; 655 } 656 # endif 657 if (info_ptr->exif) 658 { 659 png_free(png_ptr, info_ptr->exif); 660 info_ptr->exif = NULL; 661 } 662 info_ptr->valid &= ~PNG_INFO_eXIf; 663 } 664 #endif 665 666 #ifdef PNG_hIST_SUPPORTED 667 /* Free any hIST entry */ 668 if (((mask & PNG_FREE_HIST) & info_ptr->free_me) != 0) 669 { 670 png_free(png_ptr, info_ptr->hist); 671 info_ptr->hist = NULL; 672 info_ptr->valid &= ~PNG_INFO_hIST; 673 } 674 #endif 675 676 /* Free any PLTE entry that was internally allocated */ 677 if (((mask & PNG_FREE_PLTE) & info_ptr->free_me) != 0) 678 { 679 png_free(png_ptr, info_ptr->palette); 680 info_ptr->palette = NULL; 681 info_ptr->valid &= ~PNG_INFO_PLTE; 682 info_ptr->num_palette = 0; 683 } 684 685 #ifdef PNG_INFO_IMAGE_SUPPORTED 686 /* Free any image bits attached to the info structure */ 687 if (((mask & PNG_FREE_ROWS) & info_ptr->free_me) != 0) 688 { 689 if (info_ptr->row_pointers != NULL) 690 { 691 png_uint_32 row; 692 for (row = 0; row < info_ptr->height; row++) 693 png_free(png_ptr, info_ptr->row_pointers[row]); 694 695 png_free(png_ptr, info_ptr->row_pointers); 696 info_ptr->row_pointers = NULL; 697 } 698 info_ptr->valid &= ~PNG_INFO_IDAT; 699 } 700 #endif 701 702 if (num != -1) 703 mask &= ~PNG_FREE_MUL; 704 705 info_ptr->free_me &= ~mask; 706 } 707 #endif /* READ || WRITE */ 708 709 /* This function returns a pointer to the io_ptr associated with the user 710 * functions. The application should free any memory associated with this 711 * pointer before png_write_destroy() or png_read_destroy() are called. 712 */ 713 png_voidp PNGAPI 714 png_get_io_ptr(png_const_structrp png_ptr) 715 { 716 if (png_ptr == NULL) 717 return (NULL); 718 719 return (png_ptr->io_ptr); 720 } 721 722 #if defined(PNG_READ_SUPPORTED) || defined(PNG_WRITE_SUPPORTED) 723 # ifdef PNG_STDIO_SUPPORTED 724 /* Initialize the default input/output functions for the PNG file. If you 725 * use your own read or write routines, you can call either png_set_read_fn() 726 * or png_set_write_fn() instead of png_init_io(). If you have defined 727 * PNG_NO_STDIO or otherwise disabled PNG_STDIO_SUPPORTED, you must use a 728 * function of your own because "FILE *" isn't necessarily available. 729 */ 730 void PNGAPI 731 png_init_io(png_structrp png_ptr, png_FILE_p fp) 732 { 733 png_debug(1, "in png_init_io"); 734 735 if (png_ptr == NULL) 736 return; 737 738 png_ptr->io_ptr = (png_voidp)fp; 739 } 740 # endif 741 742 # ifdef PNG_SAVE_INT_32_SUPPORTED 743 /* PNG signed integers are saved in 32-bit 2's complement format. ANSI C-90 744 * defines a cast of a signed integer to an unsigned integer either to preserve 745 * the value, if it is positive, or to calculate: 746 * 747 * (UNSIGNED_MAX+1) + integer 748 * 749 * Where UNSIGNED_MAX is the appropriate maximum unsigned value, so when the 750 * negative integral value is added the result will be an unsigned value 751 * correspnding to the 2's complement representation. 752 */ 753 void PNGAPI 754 png_save_int_32(png_bytep buf, png_int_32 i) 755 { 756 png_save_uint_32(buf, (png_uint_32)i); 757 } 758 # endif 759 760 # ifdef PNG_TIME_RFC1123_SUPPORTED 761 /* Convert the supplied time into an RFC 1123 string suitable for use in 762 * a "Creation Time" or other text-based time string. 763 */ 764 int PNGAPI 765 png_convert_to_rfc1123_buffer(char out[29], png_const_timep ptime) 766 { 767 static const char short_months[12][4] = 768 {"Jan", "Feb", "Mar", "Apr", "May", "Jun", 769 "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"}; 770 771 if (out == NULL) 772 return 0; 773 774 if (ptime->year > 9999 /* RFC1123 limitation */ || 775 ptime->month == 0 || ptime->month > 12 || 776 ptime->day == 0 || ptime->day > 31 || 777 ptime->hour > 23 || ptime->minute > 59 || 778 ptime->second > 60) 779 return 0; 780 781 { 782 size_t pos = 0; 783 char number_buf[5]; /* enough for a four-digit year */ 784 785 # define APPEND_STRING(string) pos = png_safecat(out, 29, pos, (string)) 786 # define APPEND_NUMBER(format, value)\ 787 APPEND_STRING(PNG_FORMAT_NUMBER(number_buf, format, (value))) 788 # define APPEND(ch) if (pos < 28) out[pos++] = (ch) 789 790 APPEND_NUMBER(PNG_NUMBER_FORMAT_u, (unsigned)ptime->day); 791 APPEND(' '); 792 APPEND_STRING(short_months[(ptime->month - 1)]); 793 APPEND(' '); 794 APPEND_NUMBER(PNG_NUMBER_FORMAT_u, ptime->year); 795 APPEND(' '); 796 APPEND_NUMBER(PNG_NUMBER_FORMAT_02u, (unsigned)ptime->hour); 797 APPEND(':'); 798 APPEND_NUMBER(PNG_NUMBER_FORMAT_02u, (unsigned)ptime->minute); 799 APPEND(':'); 800 APPEND_NUMBER(PNG_NUMBER_FORMAT_02u, (unsigned)ptime->second); 801 APPEND_STRING(" +0000"); /* This reliably terminates the buffer */ 802 PNG_UNUSED (pos) 803 804 # undef APPEND 805 # undef APPEND_NUMBER 806 # undef APPEND_STRING 807 } 808 809 return 1; 810 } 811 812 # if PNG_LIBPNG_VER < 10700 813 /* To do: remove the following from libpng-1.7 */ 814 /* Original API that uses a private buffer in png_struct. 815 * Deprecated because it causes png_struct to carry a spurious temporary 816 * buffer (png_struct::time_buffer), better to have the caller pass this in. 817 */ 818 png_const_charp PNGAPI 819 png_convert_to_rfc1123(png_structrp png_ptr, png_const_timep ptime) 820 { 821 if (png_ptr != NULL) 822 { 823 /* The only failure above if png_ptr != NULL is from an invalid ptime */ 824 if (png_convert_to_rfc1123_buffer(png_ptr->time_buffer, ptime) == 0) 825 png_warning(png_ptr, "Ignoring invalid time value"); 826 827 else 828 return png_ptr->time_buffer; 829 } 830 831 return NULL; 832 } 833 # endif /* LIBPNG_VER < 10700 */ 834 # endif /* TIME_RFC1123 */ 835 836 #endif /* READ || WRITE */ 837 838 png_const_charp PNGAPI 839 png_get_copyright(png_const_structrp png_ptr) 840 { 841 PNG_UNUSED(png_ptr) /* Silence compiler warning about unused png_ptr */ 842 #ifdef PNG_STRING_COPYRIGHT 843 return PNG_STRING_COPYRIGHT 844 #else 845 return PNG_STRING_NEWLINE \ 846 "libpng version 1.6.37" PNG_STRING_NEWLINE \ 847 "Copyright (c) 2018-2019 Cosmin Truta" PNG_STRING_NEWLINE \ 848 "Copyright (c) 1998-2002,2004,2006-2018 Glenn Randers-Pehrson" \ 849 PNG_STRING_NEWLINE \ 850 "Copyright (c) 1996-1997 Andreas Dilger" PNG_STRING_NEWLINE \ 851 "Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc." \ 852 PNG_STRING_NEWLINE; 853 #endif 854 } 855 856 /* The following return the library version as a short string in the 857 * format 1.0.0 through 99.99.99zz. To get the version of *.h files 858 * used with your application, print out PNG_LIBPNG_VER_STRING, which 859 * is defined in png.h. 860 * Note: now there is no difference between png_get_libpng_ver() and 861 * png_get_header_ver(). Due to the version_nn_nn_nn typedef guard, 862 * it is guaranteed that png.c uses the correct version of png.h. 863 */ 864 png_const_charp PNGAPI 865 png_get_libpng_ver(png_const_structrp png_ptr) 866 { 867 /* Version of *.c files used when building libpng */ 868 return png_get_header_ver(png_ptr); 869 } 870 871 png_const_charp PNGAPI 872 png_get_header_ver(png_const_structrp png_ptr) 873 { 874 /* Version of *.h files used when building libpng */ 875 PNG_UNUSED(png_ptr) /* Silence compiler warning about unused png_ptr */ 876 return PNG_LIBPNG_VER_STRING; 877 } 878 879 png_const_charp PNGAPI 880 png_get_header_version(png_const_structrp png_ptr) 881 { 882 /* Returns longer string containing both version and date */ 883 PNG_UNUSED(png_ptr) /* Silence compiler warning about unused png_ptr */ 884 #ifdef __STDC__ 885 return PNG_HEADER_VERSION_STRING 886 # ifndef PNG_READ_SUPPORTED 887 " (NO READ SUPPORT)" 888 # endif 889 PNG_STRING_NEWLINE; 890 #else 891 return PNG_HEADER_VERSION_STRING; 892 #endif 893 } 894 895 #ifdef PNG_BUILD_GRAYSCALE_PALETTE_SUPPORTED 896 /* NOTE: this routine is not used internally! */ 897 /* Build a grayscale palette. Palette is assumed to be 1 << bit_depth 898 * large of png_color. This lets grayscale images be treated as 899 * paletted. Most useful for gamma correction and simplification 900 * of code. This API is not used internally. 901 */ 902 void PNGAPI 903 png_build_grayscale_palette(int bit_depth, png_colorp palette) 904 { 905 int num_palette; 906 int color_inc; 907 int i; 908 int v; 909 910 png_debug(1, "in png_do_build_grayscale_palette"); 911 912 if (palette == NULL) 913 return; 914 915 switch (bit_depth) 916 { 917 case 1: 918 num_palette = 2; 919 color_inc = 0xff; 920 break; 921 922 case 2: 923 num_palette = 4; 924 color_inc = 0x55; 925 break; 926 927 case 4: 928 num_palette = 16; 929 color_inc = 0x11; 930 break; 931 932 case 8: 933 num_palette = 256; 934 color_inc = 1; 935 break; 936 937 default: 938 num_palette = 0; 939 color_inc = 0; 940 break; 941 } 942 943 for (i = 0, v = 0; i < num_palette; i++, v += color_inc) 944 { 945 palette[i].red = (png_byte)(v & 0xff); 946 palette[i].green = (png_byte)(v & 0xff); 947 palette[i].blue = (png_byte)(v & 0xff); 948 } 949 } 950 #endif 951 952 #ifdef PNG_SET_UNKNOWN_CHUNKS_SUPPORTED 953 int PNGAPI 954 png_handle_as_unknown(png_const_structrp png_ptr, png_const_bytep chunk_name) 955 { 956 /* Check chunk_name and return "keep" value if it's on the list, else 0 */ 957 png_const_bytep p, p_end; 958 959 if (png_ptr == NULL || chunk_name == NULL || png_ptr->num_chunk_list == 0) 960 return PNG_HANDLE_CHUNK_AS_DEFAULT; 961 962 p_end = png_ptr->chunk_list; 963 p = p_end + png_ptr->num_chunk_list*5; /* beyond end */ 964 965 /* The code is the fifth byte after each four byte string. Historically this 966 * code was always searched from the end of the list, this is no longer 967 * necessary because the 'set' routine handles duplicate entries correctly. 968 */ 969 do /* num_chunk_list > 0, so at least one */ 970 { 971 p -= 5; 972 973 if (memcmp(chunk_name, p, 4) == 0) 974 return p[4]; 975 } 976 while (p > p_end); 977 978 /* This means that known chunks should be processed and unknown chunks should 979 * be handled according to the value of png_ptr->unknown_default; this can be 980 * confusing because, as a result, there are two levels of defaulting for 981 * unknown chunks. 982 */ 983 return PNG_HANDLE_CHUNK_AS_DEFAULT; 984 } 985 986 #if defined(PNG_READ_UNKNOWN_CHUNKS_SUPPORTED) ||\ 987 defined(PNG_HANDLE_AS_UNKNOWN_SUPPORTED) 988 int /* PRIVATE */ 989 png_chunk_unknown_handling(png_const_structrp png_ptr, png_uint_32 chunk_name) 990 { 991 png_byte chunk_string[5]; 992 993 PNG_CSTRING_FROM_CHUNK(chunk_string, chunk_name); 994 return png_handle_as_unknown(png_ptr, chunk_string); 995 } 996 #endif /* READ_UNKNOWN_CHUNKS || HANDLE_AS_UNKNOWN */ 997 #endif /* SET_UNKNOWN_CHUNKS */ 998 999 #ifdef PNG_READ_SUPPORTED 1000 /* This function, added to libpng-1.0.6g, is untested. */ 1001 int PNGAPI 1002 png_reset_zstream(png_structrp png_ptr) 1003 { 1004 if (png_ptr == NULL) 1005 return Z_STREAM_ERROR; 1006 1007 /* WARNING: this resets the window bits to the maximum! */ 1008 return (inflateReset(&png_ptr->zstream)); 1009 } 1010 #endif /* READ */ 1011 1012 /* This function was added to libpng-1.0.7 */ 1013 png_uint_32 PNGAPI 1014 png_access_version_number(void) 1015 { 1016 /* Version of *.c files used when building libpng */ 1017 return((png_uint_32)PNG_LIBPNG_VER); 1018 } 1019 1020 #if defined(PNG_READ_SUPPORTED) || defined(PNG_WRITE_SUPPORTED) 1021 /* Ensure that png_ptr->zstream.msg holds some appropriate error message string. 1022 * If it doesn't 'ret' is used to set it to something appropriate, even in cases 1023 * like Z_OK or Z_STREAM_END where the error code is apparently a success code. 1024 */ 1025 void /* PRIVATE */ 1026 png_zstream_error(png_structrp png_ptr, int ret) 1027 { 1028 /* Translate 'ret' into an appropriate error string, priority is given to the 1029 * one in zstream if set. This always returns a string, even in cases like 1030 * Z_OK or Z_STREAM_END where the error code is a success code. 1031 */ 1032 if (png_ptr->zstream.msg == NULL) switch (ret) 1033 { 1034 default: 1035 case Z_OK: 1036 png_ptr->zstream.msg = PNGZ_MSG_CAST("unexpected zlib return code"); 1037 break; 1038 1039 case Z_STREAM_END: 1040 /* Normal exit */ 1041 png_ptr->zstream.msg = PNGZ_MSG_CAST("unexpected end of LZ stream"); 1042 break; 1043 1044 case Z_NEED_DICT: 1045 /* This means the deflate stream did not have a dictionary; this 1046 * indicates a bogus PNG. 1047 */ 1048 png_ptr->zstream.msg = PNGZ_MSG_CAST("missing LZ dictionary"); 1049 break; 1050 1051 case Z_ERRNO: 1052 /* gz APIs only: should not happen */ 1053 png_ptr->zstream.msg = PNGZ_MSG_CAST("zlib IO error"); 1054 break; 1055 1056 case Z_STREAM_ERROR: 1057 /* internal libpng error */ 1058 png_ptr->zstream.msg = PNGZ_MSG_CAST("bad parameters to zlib"); 1059 break; 1060 1061 case Z_DATA_ERROR: 1062 png_ptr->zstream.msg = PNGZ_MSG_CAST("damaged LZ stream"); 1063 break; 1064 1065 case Z_MEM_ERROR: 1066 png_ptr->zstream.msg = PNGZ_MSG_CAST("insufficient memory"); 1067 break; 1068 1069 case Z_BUF_ERROR: 1070 /* End of input or output; not a problem if the caller is doing 1071 * incremental read or write. 1072 */ 1073 png_ptr->zstream.msg = PNGZ_MSG_CAST("truncated"); 1074 break; 1075 1076 case Z_VERSION_ERROR: 1077 png_ptr->zstream.msg = PNGZ_MSG_CAST("unsupported zlib version"); 1078 break; 1079 1080 case PNG_UNEXPECTED_ZLIB_RETURN: 1081 /* Compile errors here mean that zlib now uses the value co-opted in 1082 * pngpriv.h for PNG_UNEXPECTED_ZLIB_RETURN; update the switch above 1083 * and change pngpriv.h. Note that this message is "... return", 1084 * whereas the default/Z_OK one is "... return code". 1085 */ 1086 png_ptr->zstream.msg = PNGZ_MSG_CAST("unexpected zlib return"); 1087 break; 1088 } 1089 } 1090 1091 /* png_convert_size: a PNGAPI but no longer in png.h, so deleted 1092 * at libpng 1.5.5! 1093 */ 1094 1095 /* Added at libpng version 1.2.34 and 1.4.0 (moved from pngset.c) */ 1096 #ifdef PNG_GAMMA_SUPPORTED /* always set if COLORSPACE */ 1097 static int 1098 png_colorspace_check_gamma(png_const_structrp png_ptr, 1099 png_colorspacerp colorspace, png_fixed_point gAMA, int from) 1100 /* This is called to check a new gamma value against an existing one. The 1101 * routine returns false if the new gamma value should not be written. 1102 * 1103 * 'from' says where the new gamma value comes from: 1104 * 1105 * 0: the new gamma value is the libpng estimate for an ICC profile 1106 * 1: the new gamma value comes from a gAMA chunk 1107 * 2: the new gamma value comes from an sRGB chunk 1108 */ 1109 { 1110 png_fixed_point gtest; 1111 1112 if ((colorspace->flags & PNG_COLORSPACE_HAVE_GAMMA) != 0 && 1113 (png_muldiv(>est, colorspace->gamma, PNG_FP_1, gAMA) == 0 || 1114 png_gamma_significant(gtest) != 0)) 1115 { 1116 /* Either this is an sRGB image, in which case the calculated gamma 1117 * approximation should match, or this is an image with a profile and the 1118 * value libpng calculates for the gamma of the profile does not match the 1119 * value recorded in the file. The former, sRGB, case is an error, the 1120 * latter is just a warning. 1121 */ 1122 if ((colorspace->flags & PNG_COLORSPACE_FROM_sRGB) != 0 || from == 2) 1123 { 1124 png_chunk_report(png_ptr, "gamma value does not match sRGB", 1125 PNG_CHUNK_ERROR); 1126 /* Do not overwrite an sRGB value */ 1127 return from == 2; 1128 } 1129 1130 else /* sRGB tag not involved */ 1131 { 1132 png_chunk_report(png_ptr, "gamma value does not match libpng estimate", 1133 PNG_CHUNK_WARNING); 1134 return from == 1; 1135 } 1136 } 1137 1138 return 1; 1139 } 1140 1141 void /* PRIVATE */ 1142 png_colorspace_set_gamma(png_const_structrp png_ptr, 1143 png_colorspacerp colorspace, png_fixed_point gAMA) 1144 { 1145 /* Changed in libpng-1.5.4 to limit the values to ensure overflow can't 1146 * occur. Since the fixed point representation is asymmetrical it is 1147 * possible for 1/gamma to overflow the limit of 21474 and this means the 1148 * gamma value must be at least 5/100000 and hence at most 20000.0. For 1149 * safety the limits here are a little narrower. The values are 0.00016 to 1150 * 6250.0, which are truly ridiculous gamma values (and will produce 1151 * displays that are all black or all white.) 1152 * 1153 * In 1.6.0 this test replaces the ones in pngrutil.c, in the gAMA chunk 1154 * handling code, which only required the value to be >0. 1155 */ 1156 png_const_charp errmsg; 1157 1158 if (gAMA < 16 || gAMA > 625000000) 1159 errmsg = "gamma value out of range"; 1160 1161 # ifdef PNG_READ_gAMA_SUPPORTED 1162 /* Allow the application to set the gamma value more than once */ 1163 else if ((png_ptr->mode & PNG_IS_READ_STRUCT) != 0 && 1164 (colorspace->flags & PNG_COLORSPACE_FROM_gAMA) != 0) 1165 errmsg = "duplicate"; 1166 # endif 1167 1168 /* Do nothing if the colorspace is already invalid */ 1169 else if ((colorspace->flags & PNG_COLORSPACE_INVALID) != 0) 1170 return; 1171 1172 else 1173 { 1174 if (png_colorspace_check_gamma(png_ptr, colorspace, gAMA, 1175 1/*from gAMA*/) != 0) 1176 { 1177 /* Store this gamma value. */ 1178 colorspace->gamma = gAMA; 1179 colorspace->flags |= 1180 (PNG_COLORSPACE_HAVE_GAMMA | PNG_COLORSPACE_FROM_gAMA); 1181 } 1182 1183 /* At present if the check_gamma test fails the gamma of the colorspace is 1184 * not updated however the colorspace is not invalidated. This 1185 * corresponds to the case where the existing gamma comes from an sRGB 1186 * chunk or profile. An error message has already been output. 1187 */ 1188 return; 1189 } 1190 1191 /* Error exit - errmsg has been set. */ 1192 colorspace->flags |= PNG_COLORSPACE_INVALID; 1193 png_chunk_report(png_ptr, errmsg, PNG_CHUNK_WRITE_ERROR); 1194 } 1195 1196 void /* PRIVATE */ 1197 png_colorspace_sync_info(png_const_structrp png_ptr, png_inforp info_ptr) 1198 { 1199 if ((info_ptr->colorspace.flags & PNG_COLORSPACE_INVALID) != 0) 1200 { 1201 /* Everything is invalid */ 1202 info_ptr->valid &= ~(PNG_INFO_gAMA|PNG_INFO_cHRM|PNG_INFO_sRGB| 1203 PNG_INFO_iCCP); 1204 1205 # ifdef PNG_COLORSPACE_SUPPORTED 1206 /* Clean up the iCCP profile now if it won't be used. */ 1207 png_free_data(png_ptr, info_ptr, PNG_FREE_ICCP, -1/*not used*/); 1208 # else 1209 PNG_UNUSED(png_ptr) 1210 # endif 1211 } 1212 1213 else 1214 { 1215 # ifdef PNG_COLORSPACE_SUPPORTED 1216 /* Leave the INFO_iCCP flag set if the pngset.c code has already set 1217 * it; this allows a PNG to contain a profile which matches sRGB and 1218 * yet still have that profile retrievable by the application. 1219 */ 1220 if ((info_ptr->colorspace.flags & PNG_COLORSPACE_MATCHES_sRGB) != 0) 1221 info_ptr->valid |= PNG_INFO_sRGB; 1222 1223 else 1224 info_ptr->valid &= ~PNG_INFO_sRGB; 1225 1226 if ((info_ptr->colorspace.flags & PNG_COLORSPACE_HAVE_ENDPOINTS) != 0) 1227 info_ptr->valid |= PNG_INFO_cHRM; 1228 1229 else 1230 info_ptr->valid &= ~PNG_INFO_cHRM; 1231 # endif 1232 1233 if ((info_ptr->colorspace.flags & PNG_COLORSPACE_HAVE_GAMMA) != 0) 1234 info_ptr->valid |= PNG_INFO_gAMA; 1235 1236 else 1237 info_ptr->valid &= ~PNG_INFO_gAMA; 1238 } 1239 } 1240 1241 #ifdef PNG_READ_SUPPORTED 1242 void /* PRIVATE */ 1243 png_colorspace_sync(png_const_structrp png_ptr, png_inforp info_ptr) 1244 { 1245 if (info_ptr == NULL) /* reduce code size; check here not in the caller */ 1246 return; 1247 1248 info_ptr->colorspace = png_ptr->colorspace; 1249 png_colorspace_sync_info(png_ptr, info_ptr); 1250 } 1251 #endif 1252 #endif /* GAMMA */ 1253 1254 #ifdef PNG_COLORSPACE_SUPPORTED 1255 /* Added at libpng-1.5.5 to support read and write of true CIEXYZ values for 1256 * cHRM, as opposed to using chromaticities. These internal APIs return 1257 * non-zero on a parameter error. The X, Y and Z values are required to be 1258 * positive and less than 1.0. 1259 */ 1260 static int 1261 png_xy_from_XYZ(png_xy *xy, const png_XYZ *XYZ) 1262 { 1263 png_int_32 d, dwhite, whiteX, whiteY; 1264 1265 d = XYZ->red_X + XYZ->red_Y + XYZ->red_Z; 1266 if (png_muldiv(&xy->redx, XYZ->red_X, PNG_FP_1, d) == 0) 1267 return 1; 1268 if (png_muldiv(&xy->redy, XYZ->red_Y, PNG_FP_1, d) == 0) 1269 return 1; 1270 dwhite = d; 1271 whiteX = XYZ->red_X; 1272 whiteY = XYZ->red_Y; 1273 1274 d = XYZ->green_X + XYZ->green_Y + XYZ->green_Z; 1275 if (png_muldiv(&xy->greenx, XYZ->green_X, PNG_FP_1, d) == 0) 1276 return 1; 1277 if (png_muldiv(&xy->greeny, XYZ->green_Y, PNG_FP_1, d) == 0) 1278 return 1; 1279 dwhite += d; 1280 whiteX += XYZ->green_X; 1281 whiteY += XYZ->green_Y; 1282 1283 d = XYZ->blue_X + XYZ->blue_Y + XYZ->blue_Z; 1284 if (png_muldiv(&xy->bluex, XYZ->blue_X, PNG_FP_1, d) == 0) 1285 return 1; 1286 if (png_muldiv(&xy->bluey, XYZ->blue_Y, PNG_FP_1, d) == 0) 1287 return 1; 1288 dwhite += d; 1289 whiteX += XYZ->blue_X; 1290 whiteY += XYZ->blue_Y; 1291 1292 /* The reference white is simply the sum of the end-point (X,Y,Z) vectors, 1293 * thus: 1294 */ 1295 if (png_muldiv(&xy->whitex, whiteX, PNG_FP_1, dwhite) == 0) 1296 return 1; 1297 if (png_muldiv(&xy->whitey, whiteY, PNG_FP_1, dwhite) == 0) 1298 return 1; 1299 1300 return 0; 1301 } 1302 1303 static int 1304 png_XYZ_from_xy(png_XYZ *XYZ, const png_xy *xy) 1305 { 1306 png_fixed_point red_inverse, green_inverse, blue_scale; 1307 png_fixed_point left, right, denominator; 1308 1309 /* Check xy and, implicitly, z. Note that wide gamut color spaces typically 1310 * have end points with 0 tristimulus values (these are impossible end 1311 * points, but they are used to cover the possible colors). We check 1312 * xy->whitey against 5, not 0, to avoid a possible integer overflow. 1313 */ 1314 if (xy->redx < 0 || xy->redx > PNG_FP_1) return 1; 1315 if (xy->redy < 0 || xy->redy > PNG_FP_1-xy->redx) return 1; 1316 if (xy->greenx < 0 || xy->greenx > PNG_FP_1) return 1; 1317 if (xy->greeny < 0 || xy->greeny > PNG_FP_1-xy->greenx) return 1; 1318 if (xy->bluex < 0 || xy->bluex > PNG_FP_1) return 1; 1319 if (xy->bluey < 0 || xy->bluey > PNG_FP_1-xy->bluex) return 1; 1320 if (xy->whitex < 0 || xy->whitex > PNG_FP_1) return 1; 1321 if (xy->whitey < 5 || xy->whitey > PNG_FP_1-xy->whitex) return 1; 1322 1323 /* The reverse calculation is more difficult because the original tristimulus 1324 * value had 9 independent values (red,green,blue)x(X,Y,Z) however only 8 1325 * derived values were recorded in the cHRM chunk; 1326 * (red,green,blue,white)x(x,y). This loses one degree of freedom and 1327 * therefore an arbitrary ninth value has to be introduced to undo the 1328 * original transformations. 1329 * 1330 * Think of the original end-points as points in (X,Y,Z) space. The 1331 * chromaticity values (c) have the property: 1332 * 1333 * C 1334 * c = --------- 1335 * X + Y + Z 1336 * 1337 * For each c (x,y,z) from the corresponding original C (X,Y,Z). Thus the 1338 * three chromaticity values (x,y,z) for each end-point obey the 1339 * relationship: 1340 * 1341 * x + y + z = 1 1342 * 1343 * This describes the plane in (X,Y,Z) space that intersects each axis at the 1344 * value 1.0; call this the chromaticity plane. Thus the chromaticity 1345 * calculation has scaled each end-point so that it is on the x+y+z=1 plane 1346 * and chromaticity is the intersection of the vector from the origin to the 1347 * (X,Y,Z) value with the chromaticity plane. 1348 * 1349 * To fully invert the chromaticity calculation we would need the three 1350 * end-point scale factors, (red-scale, green-scale, blue-scale), but these 1351 * were not recorded. Instead we calculated the reference white (X,Y,Z) and 1352 * recorded the chromaticity of this. The reference white (X,Y,Z) would have 1353 * given all three of the scale factors since: 1354 * 1355 * color-C = color-c * color-scale 1356 * white-C = red-C + green-C + blue-C 1357 * = red-c*red-scale + green-c*green-scale + blue-c*blue-scale 1358 * 1359 * But cHRM records only white-x and white-y, so we have lost the white scale 1360 * factor: 1361 * 1362 * white-C = white-c*white-scale 1363 * 1364 * To handle this the inverse transformation makes an arbitrary assumption 1365 * about white-scale: 1366 * 1367 * Assume: white-Y = 1.0 1368 * Hence: white-scale = 1/white-y 1369 * Or: red-Y + green-Y + blue-Y = 1.0 1370 * 1371 * Notice the last statement of the assumption gives an equation in three of 1372 * the nine values we want to calculate. 8 more equations come from the 1373 * above routine as summarised at the top above (the chromaticity 1374 * calculation): 1375 * 1376 * Given: color-x = color-X / (color-X + color-Y + color-Z) 1377 * Hence: (color-x - 1)*color-X + color.x*color-Y + color.x*color-Z = 0 1378 * 1379 * This is 9 simultaneous equations in the 9 variables "color-C" and can be 1380 * solved by Cramer's rule. Cramer's rule requires calculating 10 9x9 matrix 1381 * determinants, however this is not as bad as it seems because only 28 of 1382 * the total of 90 terms in the various matrices are non-zero. Nevertheless 1383 * Cramer's rule is notoriously numerically unstable because the determinant 1384 * calculation involves the difference of large, but similar, numbers. It is 1385 * difficult to be sure that the calculation is stable for real world values 1386 * and it is certain that it becomes unstable where the end points are close 1387 * together. 1388 * 1389 * So this code uses the perhaps slightly less optimal but more 1390 * understandable and totally obvious approach of calculating color-scale. 1391 * 1392 * This algorithm depends on the precision in white-scale and that is 1393 * (1/white-y), so we can immediately see that as white-y approaches 0 the 1394 * accuracy inherent in the cHRM chunk drops off substantially. 1395 * 1396 * libpng arithmetic: a simple inversion of the above equations 1397 * ------------------------------------------------------------ 1398 * 1399 * white_scale = 1/white-y 1400 * white-X = white-x * white-scale 1401 * white-Y = 1.0 1402 * white-Z = (1 - white-x - white-y) * white_scale 1403 * 1404 * white-C = red-C + green-C + blue-C 1405 * = red-c*red-scale + green-c*green-scale + blue-c*blue-scale 1406 * 1407 * This gives us three equations in (red-scale,green-scale,blue-scale) where 1408 * all the coefficients are now known: 1409 * 1410 * red-x*red-scale + green-x*green-scale + blue-x*blue-scale 1411 * = white-x/white-y 1412 * red-y*red-scale + green-y*green-scale + blue-y*blue-scale = 1 1413 * red-z*red-scale + green-z*green-scale + blue-z*blue-scale 1414 * = (1 - white-x - white-y)/white-y 1415 * 1416 * In the last equation color-z is (1 - color-x - color-y) so we can add all 1417 * three equations together to get an alternative third: 1418 * 1419 * red-scale + green-scale + blue-scale = 1/white-y = white-scale 1420 * 1421 * So now we have a Cramer's rule solution where the determinants are just 1422 * 3x3 - far more tractible. Unfortunately 3x3 determinants still involve 1423 * multiplication of three coefficients so we can't guarantee to avoid 1424 * overflow in the libpng fixed point representation. Using Cramer's rule in 1425 * floating point is probably a good choice here, but it's not an option for 1426 * fixed point. Instead proceed to simplify the first two equations by 1427 * eliminating what is likely to be the largest value, blue-scale: 1428 * 1429 * blue-scale = white-scale - red-scale - green-scale 1430 * 1431 * Hence: 1432 * 1433 * (red-x - blue-x)*red-scale + (green-x - blue-x)*green-scale = 1434 * (white-x - blue-x)*white-scale 1435 * 1436 * (red-y - blue-y)*red-scale + (green-y - blue-y)*green-scale = 1437 * 1 - blue-y*white-scale 1438 * 1439 * And now we can trivially solve for (red-scale,green-scale): 1440 * 1441 * green-scale = 1442 * (white-x - blue-x)*white-scale - (red-x - blue-x)*red-scale 1443 * ----------------------------------------------------------- 1444 * green-x - blue-x 1445 * 1446 * red-scale = 1447 * 1 - blue-y*white-scale - (green-y - blue-y) * green-scale 1448 * --------------------------------------------------------- 1449 * red-y - blue-y 1450 * 1451 * Hence: 1452 * 1453 * red-scale = 1454 * ( (green-x - blue-x) * (white-y - blue-y) - 1455 * (green-y - blue-y) * (white-x - blue-x) ) / white-y 1456 * ------------------------------------------------------------------------- 1457 * (green-x - blue-x)*(red-y - blue-y)-(green-y - blue-y)*(red-x - blue-x) 1458 * 1459 * green-scale = 1460 * ( (red-y - blue-y) * (white-x - blue-x) - 1461 * (red-x - blue-x) * (white-y - blue-y) ) / white-y 1462 * ------------------------------------------------------------------------- 1463 * (green-x - blue-x)*(red-y - blue-y)-(green-y - blue-y)*(red-x - blue-x) 1464 * 1465 * Accuracy: 1466 * The input values have 5 decimal digits of accuracy. The values are all in 1467 * the range 0 < value < 1, so simple products are in the same range but may 1468 * need up to 10 decimal digits to preserve the original precision and avoid 1469 * underflow. Because we are using a 32-bit signed representation we cannot 1470 * match this; the best is a little over 9 decimal digits, less than 10. 1471 * 1472 * The approach used here is to preserve the maximum precision within the 1473 * signed representation. Because the red-scale calculation above uses the 1474 * difference between two products of values that must be in the range -1..+1 1475 * it is sufficient to divide the product by 7; ceil(100,000/32767*2). The 1476 * factor is irrelevant in the calculation because it is applied to both 1477 * numerator and denominator. 1478 * 1479 * Note that the values of the differences of the products of the 1480 * chromaticities in the above equations tend to be small, for example for 1481 * the sRGB chromaticities they are: 1482 * 1483 * red numerator: -0.04751 1484 * green numerator: -0.08788 1485 * denominator: -0.2241 (without white-y multiplication) 1486 * 1487 * The resultant Y coefficients from the chromaticities of some widely used 1488 * color space definitions are (to 15 decimal places): 1489 * 1490 * sRGB 1491 * 0.212639005871510 0.715168678767756 0.072192315360734 1492 * Kodak ProPhoto 1493 * 0.288071128229293 0.711843217810102 0.000085653960605 1494 * Adobe RGB 1495 * 0.297344975250536 0.627363566255466 0.075291458493998 1496 * Adobe Wide Gamut RGB 1497 * 0.258728243040113 0.724682314948566 0.016589442011321 1498 */ 1499 /* By the argument, above overflow should be impossible here. The return 1500 * value of 2 indicates an internal error to the caller. 1501 */ 1502 if (png_muldiv(&left, xy->greenx-xy->bluex, xy->redy - xy->bluey, 7) == 0) 1503 return 2; 1504 if (png_muldiv(&right, xy->greeny-xy->bluey, xy->redx - xy->bluex, 7) == 0) 1505 return 2; 1506 denominator = left - right; 1507 1508 /* Now find the red numerator. */ 1509 if (png_muldiv(&left, xy->greenx-xy->bluex, xy->whitey-xy->bluey, 7) == 0) 1510 return 2; 1511 if (png_muldiv(&right, xy->greeny-xy->bluey, xy->whitex-xy->bluex, 7) == 0) 1512 return 2; 1513 1514 /* Overflow is possible here and it indicates an extreme set of PNG cHRM 1515 * chunk values. This calculation actually returns the reciprocal of the 1516 * scale value because this allows us to delay the multiplication of white-y 1517 * into the denominator, which tends to produce a small number. 1518 */ 1519 if (png_muldiv(&red_inverse, xy->whitey, denominator, left-right) == 0 || 1520 red_inverse <= xy->whitey /* r+g+b scales = white scale */) 1521 return 1; 1522 1523 /* Similarly for green_inverse: */ 1524 if (png_muldiv(&left, xy->redy-xy->bluey, xy->whitex-xy->bluex, 7) == 0) 1525 return 2; 1526 if (png_muldiv(&right, xy->redx-xy->bluex, xy->whitey-xy->bluey, 7) == 0) 1527 return 2; 1528 if (png_muldiv(&green_inverse, xy->whitey, denominator, left-right) == 0 || 1529 green_inverse <= xy->whitey) 1530 return 1; 1531 1532 /* And the blue scale, the checks above guarantee this can't overflow but it 1533 * can still produce 0 for extreme cHRM values. 1534 */ 1535 blue_scale = png_reciprocal(xy->whitey) - png_reciprocal(red_inverse) - 1536 png_reciprocal(green_inverse); 1537 if (blue_scale <= 0) 1538 return 1; 1539 1540 1541 /* And fill in the png_XYZ: */ 1542 if (png_muldiv(&XYZ->red_X, xy->redx, PNG_FP_1, red_inverse) == 0) 1543 return 1; 1544 if (png_muldiv(&XYZ->red_Y, xy->redy, PNG_FP_1, red_inverse) == 0) 1545 return 1; 1546 if (png_muldiv(&XYZ->red_Z, PNG_FP_1 - xy->redx - xy->redy, PNG_FP_1, 1547 red_inverse) == 0) 1548 return 1; 1549 1550 if (png_muldiv(&XYZ->green_X, xy->greenx, PNG_FP_1, green_inverse) == 0) 1551 return 1; 1552 if (png_muldiv(&XYZ->green_Y, xy->greeny, PNG_FP_1, green_inverse) == 0) 1553 return 1; 1554 if (png_muldiv(&XYZ->green_Z, PNG_FP_1 - xy->greenx - xy->greeny, PNG_FP_1, 1555 green_inverse) == 0) 1556 return 1; 1557 1558 if (png_muldiv(&XYZ->blue_X, xy->bluex, blue_scale, PNG_FP_1) == 0) 1559 return 1; 1560 if (png_muldiv(&XYZ->blue_Y, xy->bluey, blue_scale, PNG_FP_1) == 0) 1561 return 1; 1562 if (png_muldiv(&XYZ->blue_Z, PNG_FP_1 - xy->bluex - xy->bluey, blue_scale, 1563 PNG_FP_1) == 0) 1564 return 1; 1565 1566 return 0; /*success*/ 1567 } 1568 1569 static int 1570 png_XYZ_normalize(png_XYZ *XYZ) 1571 { 1572 png_int_32 Y; 1573 1574 if (XYZ->red_Y < 0 || XYZ->green_Y < 0 || XYZ->blue_Y < 0 || 1575 XYZ->red_X < 0 || XYZ->green_X < 0 || XYZ->blue_X < 0 || 1576 XYZ->red_Z < 0 || XYZ->green_Z < 0 || XYZ->blue_Z < 0) 1577 return 1; 1578 1579 /* Normalize by scaling so the sum of the end-point Y values is PNG_FP_1. 1580 * IMPLEMENTATION NOTE: ANSI requires signed overflow not to occur, therefore 1581 * relying on addition of two positive values producing a negative one is not 1582 * safe. 1583 */ 1584 Y = XYZ->red_Y; 1585 if (0x7fffffff - Y < XYZ->green_X) 1586 return 1; 1587 Y += XYZ->green_Y; 1588 if (0x7fffffff - Y < XYZ->blue_X) 1589 return 1; 1590 Y += XYZ->blue_Y; 1591 1592 if (Y != PNG_FP_1) 1593 { 1594 if (png_muldiv(&XYZ->red_X, XYZ->red_X, PNG_FP_1, Y) == 0) 1595 return 1; 1596 if (png_muldiv(&XYZ->red_Y, XYZ->red_Y, PNG_FP_1, Y) == 0) 1597 return 1; 1598 if (png_muldiv(&XYZ->red_Z, XYZ->red_Z, PNG_FP_1, Y) == 0) 1599 return 1; 1600 1601 if (png_muldiv(&XYZ->green_X, XYZ->green_X, PNG_FP_1, Y) == 0) 1602 return 1; 1603 if (png_muldiv(&XYZ->green_Y, XYZ->green_Y, PNG_FP_1, Y) == 0) 1604 return 1; 1605 if (png_muldiv(&XYZ->green_Z, XYZ->green_Z, PNG_FP_1, Y) == 0) 1606 return 1; 1607 1608 if (png_muldiv(&XYZ->blue_X, XYZ->blue_X, PNG_FP_1, Y) == 0) 1609 return 1; 1610 if (png_muldiv(&XYZ->blue_Y, XYZ->blue_Y, PNG_FP_1, Y) == 0) 1611 return 1; 1612 if (png_muldiv(&XYZ->blue_Z, XYZ->blue_Z, PNG_FP_1, Y) == 0) 1613 return 1; 1614 } 1615 1616 return 0; 1617 } 1618 1619 static int 1620 png_colorspace_endpoints_match(const png_xy *xy1, const png_xy *xy2, int delta) 1621 { 1622 /* Allow an error of +/-0.01 (absolute value) on each chromaticity */ 1623 if (PNG_OUT_OF_RANGE(xy1->whitex, xy2->whitex,delta) || 1624 PNG_OUT_OF_RANGE(xy1->whitey, xy2->whitey,delta) || 1625 PNG_OUT_OF_RANGE(xy1->redx, xy2->redx, delta) || 1626 PNG_OUT_OF_RANGE(xy1->redy, xy2->redy, delta) || 1627 PNG_OUT_OF_RANGE(xy1->greenx, xy2->greenx,delta) || 1628 PNG_OUT_OF_RANGE(xy1->greeny, xy2->greeny,delta) || 1629 PNG_OUT_OF_RANGE(xy1->bluex, xy2->bluex, delta) || 1630 PNG_OUT_OF_RANGE(xy1->bluey, xy2->bluey, delta)) 1631 return 0; 1632 return 1; 1633 } 1634 1635 /* Added in libpng-1.6.0, a different check for the validity of a set of cHRM 1636 * chunk chromaticities. Earlier checks used to simply look for the overflow 1637 * condition (where the determinant of the matrix to solve for XYZ ends up zero 1638 * because the chromaticity values are not all distinct.) Despite this it is 1639 * theoretically possible to produce chromaticities that are apparently valid 1640 * but that rapidly degrade to invalid, potentially crashing, sets because of 1641 * arithmetic inaccuracies when calculations are performed on them. The new 1642 * check is to round-trip xy -> XYZ -> xy and then check that the result is 1643 * within a small percentage of the original. 1644 */ 1645 static int 1646 png_colorspace_check_xy(png_XYZ *XYZ, const png_xy *xy) 1647 { 1648 int result; 1649 png_xy xy_test; 1650 1651 /* As a side-effect this routine also returns the XYZ endpoints. */ 1652 result = png_XYZ_from_xy(XYZ, xy); 1653 if (result != 0) 1654 return result; 1655 1656 result = png_xy_from_XYZ(&xy_test, XYZ); 1657 if (result != 0) 1658 return result; 1659 1660 if (png_colorspace_endpoints_match(xy, &xy_test, 1661 5/*actually, the math is pretty accurate*/) != 0) 1662 return 0; 1663 1664 /* Too much slip */ 1665 return 1; 1666 } 1667 1668 /* This is the check going the other way. The XYZ is modified to normalize it 1669 * (another side-effect) and the xy chromaticities are returned. 1670 */ 1671 static int 1672 png_colorspace_check_XYZ(png_xy *xy, png_XYZ *XYZ) 1673 { 1674 int result; 1675 png_XYZ XYZtemp; 1676 1677 result = png_XYZ_normalize(XYZ); 1678 if (result != 0) 1679 return result; 1680 1681 result = png_xy_from_XYZ(xy, XYZ); 1682 if (result != 0) 1683 return result; 1684 1685 XYZtemp = *XYZ; 1686 return png_colorspace_check_xy(&XYZtemp, xy); 1687 } 1688 1689 /* Used to check for an endpoint match against sRGB */ 1690 static const png_xy sRGB_xy = /* From ITU-R BT.709-3 */ 1691 { 1692 /* color x y */ 1693 /* red */ 64000, 33000, 1694 /* green */ 30000, 60000, 1695 /* blue */ 15000, 6000, 1696 /* white */ 31270, 32900 1697 }; 1698 1699 static int 1700 png_colorspace_set_xy_and_XYZ(png_const_structrp png_ptr, 1701 png_colorspacerp colorspace, const png_xy *xy, const png_XYZ *XYZ, 1702 int preferred) 1703 { 1704 if ((colorspace->flags & PNG_COLORSPACE_INVALID) != 0) 1705 return 0; 1706 1707 /* The consistency check is performed on the chromaticities; this factors out 1708 * variations because of the normalization (or not) of the end point Y 1709 * values. 1710 */ 1711 if (preferred < 2 && 1712 (colorspace->flags & PNG_COLORSPACE_HAVE_ENDPOINTS) != 0) 1713 { 1714 /* The end points must be reasonably close to any we already have. The 1715 * following allows an error of up to +/-.001 1716 */ 1717 if (png_colorspace_endpoints_match(xy, &colorspace->end_points_xy, 1718 100) == 0) 1719 { 1720 colorspace->flags |= PNG_COLORSPACE_INVALID; 1721 png_benign_error(png_ptr, "inconsistent chromaticities"); 1722 return 0; /* failed */ 1723 } 1724 1725 /* Only overwrite with preferred values */ 1726 if (preferred == 0) 1727 return 1; /* ok, but no change */ 1728 } 1729 1730 colorspace->end_points_xy = *xy; 1731 colorspace->end_points_XYZ = *XYZ; 1732 colorspace->flags |= PNG_COLORSPACE_HAVE_ENDPOINTS; 1733 1734 /* The end points are normally quoted to two decimal digits, so allow +/-0.01 1735 * on this test. 1736 */ 1737 if (png_colorspace_endpoints_match(xy, &sRGB_xy, 1000) != 0) 1738 colorspace->flags |= PNG_COLORSPACE_ENDPOINTS_MATCH_sRGB; 1739 1740 else 1741 colorspace->flags &= PNG_COLORSPACE_CANCEL( 1742 PNG_COLORSPACE_ENDPOINTS_MATCH_sRGB); 1743 1744 return 2; /* ok and changed */ 1745 } 1746 1747 int /* PRIVATE */ 1748 png_colorspace_set_chromaticities(png_const_structrp png_ptr, 1749 png_colorspacerp colorspace, const png_xy *xy, int preferred) 1750 { 1751 /* We must check the end points to ensure they are reasonable - in the past 1752 * color management systems have crashed as a result of getting bogus 1753 * colorant values, while this isn't the fault of libpng it is the 1754 * responsibility of libpng because PNG carries the bomb and libpng is in a 1755 * position to protect against it. 1756 */ 1757 png_XYZ XYZ; 1758 1759 switch (png_colorspace_check_xy(&XYZ, xy)) 1760 { 1761 case 0: /* success */ 1762 return png_colorspace_set_xy_and_XYZ(png_ptr, colorspace, xy, &XYZ, 1763 preferred); 1764 1765 case 1: 1766 /* We can't invert the chromaticities so we can't produce value XYZ 1767 * values. Likely as not a color management system will fail too. 1768 */ 1769 colorspace->flags |= PNG_COLORSPACE_INVALID; 1770 png_benign_error(png_ptr, "invalid chromaticities"); 1771 break; 1772 1773 default: 1774 /* libpng is broken; this should be a warning but if it happens we 1775 * want error reports so for the moment it is an error. 1776 */ 1777 colorspace->flags |= PNG_COLORSPACE_INVALID; 1778 png_error(png_ptr, "internal error checking chromaticities"); 1779 } 1780 1781 return 0; /* failed */ 1782 } 1783 1784 int /* PRIVATE */ 1785 png_colorspace_set_endpoints(png_const_structrp png_ptr, 1786 png_colorspacerp colorspace, const png_XYZ *XYZ_in, int preferred) 1787 { 1788 png_XYZ XYZ = *XYZ_in; 1789 png_xy xy; 1790 1791 switch (png_colorspace_check_XYZ(&xy, &XYZ)) 1792 { 1793 case 0: 1794 return png_colorspace_set_xy_and_XYZ(png_ptr, colorspace, &xy, &XYZ, 1795 preferred); 1796 1797 case 1: 1798 /* End points are invalid. */ 1799 colorspace->flags |= PNG_COLORSPACE_INVALID; 1800 png_benign_error(png_ptr, "invalid end points"); 1801 break; 1802 1803 default: 1804 colorspace->flags |= PNG_COLORSPACE_INVALID; 1805 png_error(png_ptr, "internal error checking chromaticities"); 1806 } 1807 1808 return 0; /* failed */ 1809 } 1810 1811 #if defined(PNG_sRGB_SUPPORTED) || defined(PNG_iCCP_SUPPORTED) 1812 /* Error message generation */ 1813 static char 1814 png_icc_tag_char(png_uint_32 byte) 1815 { 1816 byte &= 0xff; 1817 if (byte >= 32 && byte <= 126) 1818 return (char)byte; 1819 else 1820 return '?'; 1821 } 1822 1823 static void 1824 png_icc_tag_name(char *name, png_uint_32 tag) 1825 { 1826 name[0] = '\''; 1827 name[1] = png_icc_tag_char(tag >> 24); 1828 name[2] = png_icc_tag_char(tag >> 16); 1829 name[3] = png_icc_tag_char(tag >> 8); 1830 name[4] = png_icc_tag_char(tag ); 1831 name[5] = '\''; 1832 } 1833 1834 static int 1835 is_ICC_signature_char(png_alloc_size_t it) 1836 { 1837 return it == 32 || (it >= 48 && it <= 57) || (it >= 65 && it <= 90) || 1838 (it >= 97 && it <= 122); 1839 } 1840 1841 static int 1842 is_ICC_signature(png_alloc_size_t it) 1843 { 1844 return is_ICC_signature_char(it >> 24) /* checks all the top bits */ && 1845 is_ICC_signature_char((it >> 16) & 0xff) && 1846 is_ICC_signature_char((it >> 8) & 0xff) && 1847 is_ICC_signature_char(it & 0xff); 1848 } 1849 1850 static int 1851 png_icc_profile_error(png_const_structrp png_ptr, png_colorspacerp colorspace, 1852 png_const_charp name, png_alloc_size_t value, png_const_charp reason) 1853 { 1854 size_t pos; 1855 char message[196]; /* see below for calculation */ 1856 1857 if (colorspace != NULL) 1858 colorspace->flags |= PNG_COLORSPACE_INVALID; 1859 1860 pos = png_safecat(message, (sizeof message), 0, "profile '"); /* 9 chars */ 1861 pos = png_safecat(message, pos+79, pos, name); /* Truncate to 79 chars */ 1862 pos = png_safecat(message, (sizeof message), pos, "': "); /* +2 = 90 */ 1863 if (is_ICC_signature(value) != 0) 1864 { 1865 /* So 'value' is at most 4 bytes and the following cast is safe */ 1866 png_icc_tag_name(message+pos, (png_uint_32)value); 1867 pos += 6; /* total +8; less than the else clause */ 1868 message[pos++] = ':'; 1869 message[pos++] = ' '; 1870 } 1871 # ifdef PNG_WARNINGS_SUPPORTED 1872 else 1873 { 1874 char number[PNG_NUMBER_BUFFER_SIZE]; /* +24 = 114*/ 1875 1876 pos = png_safecat(message, (sizeof message), pos, 1877 png_format_number(number, number+(sizeof number), 1878 PNG_NUMBER_FORMAT_x, value)); 1879 pos = png_safecat(message, (sizeof message), pos, "h: "); /*+2 = 116*/ 1880 } 1881 # endif 1882 /* The 'reason' is an arbitrary message, allow +79 maximum 195 */ 1883 pos = png_safecat(message, (sizeof message), pos, reason); 1884 PNG_UNUSED(pos) 1885 1886 /* This is recoverable, but make it unconditionally an app_error on write to 1887 * avoid writing invalid ICC profiles into PNG files (i.e., we handle them 1888 * on read, with a warning, but on write unless the app turns off 1889 * application errors the PNG won't be written.) 1890 */ 1891 png_chunk_report(png_ptr, message, 1892 (colorspace != NULL) ? PNG_CHUNK_ERROR : PNG_CHUNK_WRITE_ERROR); 1893 1894 return 0; 1895 } 1896 #endif /* sRGB || iCCP */ 1897 1898 #ifdef PNG_sRGB_SUPPORTED 1899 int /* PRIVATE */ 1900 png_colorspace_set_sRGB(png_const_structrp png_ptr, png_colorspacerp colorspace, 1901 int intent) 1902 { 1903 /* sRGB sets known gamma, end points and (from the chunk) intent. */ 1904 /* IMPORTANT: these are not necessarily the values found in an ICC profile 1905 * because ICC profiles store values adapted to a D50 environment; it is 1906 * expected that the ICC profile mediaWhitePointTag will be D50; see the 1907 * checks and code elsewhere to understand this better. 1908 * 1909 * These XYZ values, which are accurate to 5dp, produce rgb to gray 1910 * coefficients of (6968,23435,2366), which are reduced (because they add up 1911 * to 32769 not 32768) to (6968,23434,2366). These are the values that 1912 * libpng has traditionally used (and are the best values given the 15bit 1913 * algorithm used by the rgb to gray code.) 1914 */ 1915 static const png_XYZ sRGB_XYZ = /* D65 XYZ (*not* the D50 adapted values!) */ 1916 { 1917 /* color X Y Z */ 1918 /* red */ 41239, 21264, 1933, 1919 /* green */ 35758, 71517, 11919, 1920 /* blue */ 18048, 7219, 95053 1921 }; 1922 1923 /* Do nothing if the colorspace is already invalidated. */ 1924 if ((colorspace->flags & PNG_COLORSPACE_INVALID) != 0) 1925 return 0; 1926 1927 /* Check the intent, then check for existing settings. It is valid for the 1928 * PNG file to have cHRM or gAMA chunks along with sRGB, but the values must 1929 * be consistent with the correct values. If, however, this function is 1930 * called below because an iCCP chunk matches sRGB then it is quite 1931 * conceivable that an older app recorded incorrect gAMA and cHRM because of 1932 * an incorrect calculation based on the values in the profile - this does 1933 * *not* invalidate the profile (though it still produces an error, which can 1934 * be ignored.) 1935 */ 1936 if (intent < 0 || intent >= PNG_sRGB_INTENT_LAST) 1937 return png_icc_profile_error(png_ptr, colorspace, "sRGB", 1938 (png_alloc_size_t)intent, "invalid sRGB rendering intent"); 1939 1940 if ((colorspace->flags & PNG_COLORSPACE_HAVE_INTENT) != 0 && 1941 colorspace->rendering_intent != intent) 1942 return png_icc_profile_error(png_ptr, colorspace, "sRGB", 1943 (png_alloc_size_t)intent, "inconsistent rendering intents"); 1944 1945 if ((colorspace->flags & PNG_COLORSPACE_FROM_sRGB) != 0) 1946 { 1947 png_benign_error(png_ptr, "duplicate sRGB information ignored"); 1948 return 0; 1949 } 1950 1951 /* If the standard sRGB cHRM chunk does not match the one from the PNG file 1952 * warn but overwrite the value with the correct one. 1953 */ 1954 if ((colorspace->flags & PNG_COLORSPACE_HAVE_ENDPOINTS) != 0 && 1955 !png_colorspace_endpoints_match(&sRGB_xy, &colorspace->end_points_xy, 1956 100)) 1957 png_chunk_report(png_ptr, "cHRM chunk does not match sRGB", 1958 PNG_CHUNK_ERROR); 1959 1960 /* This check is just done for the error reporting - the routine always 1961 * returns true when the 'from' argument corresponds to sRGB (2). 1962 */ 1963 (void)png_colorspace_check_gamma(png_ptr, colorspace, PNG_GAMMA_sRGB_INVERSE, 1964 2/*from sRGB*/); 1965 1966 /* intent: bugs in GCC force 'int' to be used as the parameter type. */ 1967 colorspace->rendering_intent = (png_uint_16)intent; 1968 colorspace->flags |= PNG_COLORSPACE_HAVE_INTENT; 1969 1970 /* endpoints */ 1971 colorspace->end_points_xy = sRGB_xy; 1972 colorspace->end_points_XYZ = sRGB_XYZ; 1973 colorspace->flags |= 1974 (PNG_COLORSPACE_HAVE_ENDPOINTS|PNG_COLORSPACE_ENDPOINTS_MATCH_sRGB); 1975 1976 /* gamma */ 1977 colorspace->gamma = PNG_GAMMA_sRGB_INVERSE; 1978 colorspace->flags |= PNG_COLORSPACE_HAVE_GAMMA; 1979 1980 /* Finally record that we have an sRGB profile */ 1981 colorspace->flags |= 1982 (PNG_COLORSPACE_MATCHES_sRGB|PNG_COLORSPACE_FROM_sRGB); 1983 1984 return 1; /* set */ 1985 } 1986 #endif /* sRGB */ 1987 1988 #ifdef PNG_iCCP_SUPPORTED 1989 /* Encoded value of D50 as an ICC XYZNumber. From the ICC 2010 spec the value 1990 * is XYZ(0.9642,1.0,0.8249), which scales to: 1991 * 1992 * (63189.8112, 65536, 54060.6464) 1993 */ 1994 static const png_byte D50_nCIEXYZ[12] = 1995 { 0x00, 0x00, 0xf6, 0xd6, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0xd3, 0x2d }; 1996 1997 static int /* bool */ 1998 icc_check_length(png_const_structrp png_ptr, png_colorspacerp colorspace, 1999 png_const_charp name, png_uint_32 profile_length) 2000 { 2001 if (profile_length < 132) 2002 return png_icc_profile_error(png_ptr, colorspace, name, profile_length, 2003 "too short"); 2004 return 1; 2005 } 2006 2007 #ifdef PNG_READ_iCCP_SUPPORTED 2008 int /* PRIVATE */ 2009 png_icc_check_length(png_const_structrp png_ptr, png_colorspacerp colorspace, 2010 png_const_charp name, png_uint_32 profile_length) 2011 { 2012 if (!icc_check_length(png_ptr, colorspace, name, profile_length)) 2013 return 0; 2014 2015 /* This needs to be here because the 'normal' check is in 2016 * png_decompress_chunk, yet this happens after the attempt to 2017 * png_malloc_base the required data. We only need this on read; on write 2018 * the caller supplies the profile buffer so libpng doesn't allocate it. See 2019 * the call to icc_check_length below (the write case). 2020 */ 2021 # ifdef PNG_SET_USER_LIMITS_SUPPORTED 2022 else if (png_ptr->user_chunk_malloc_max > 0 && 2023 png_ptr->user_chunk_malloc_max < profile_length) 2024 return png_icc_profile_error(png_ptr, colorspace, name, profile_length, 2025 "exceeds application limits"); 2026 # elif PNG_USER_CHUNK_MALLOC_MAX > 0 2027 else if (PNG_USER_CHUNK_MALLOC_MAX < profile_length) 2028 return png_icc_profile_error(png_ptr, colorspace, name, profile_length, 2029 "exceeds libpng limits"); 2030 # else /* !SET_USER_LIMITS */ 2031 /* This will get compiled out on all 32-bit and better systems. */ 2032 else if (PNG_SIZE_MAX < profile_length) 2033 return png_icc_profile_error(png_ptr, colorspace, name, profile_length, 2034 "exceeds system limits"); 2035 # endif /* !SET_USER_LIMITS */ 2036 2037 return 1; 2038 } 2039 #endif /* READ_iCCP */ 2040 2041 int /* PRIVATE */ 2042 png_icc_check_header(png_const_structrp png_ptr, png_colorspacerp colorspace, 2043 png_const_charp name, png_uint_32 profile_length, 2044 png_const_bytep profile/* first 132 bytes only */, int color_type) 2045 { 2046 png_uint_32 temp; 2047 2048 /* Length check; this cannot be ignored in this code because profile_length 2049 * is used later to check the tag table, so even if the profile seems over 2050 * long profile_length from the caller must be correct. The caller can fix 2051 * this up on read or write by just passing in the profile header length. 2052 */ 2053 temp = png_get_uint_32(profile); 2054 if (temp != profile_length) 2055 return png_icc_profile_error(png_ptr, colorspace, name, temp, 2056 "length does not match profile"); 2057 2058 temp = (png_uint_32) (*(profile+8)); 2059 if (temp > 3 && (profile_length & 3)) 2060 return png_icc_profile_error(png_ptr, colorspace, name, profile_length, 2061 "invalid length"); 2062 2063 temp = png_get_uint_32(profile+128); /* tag count: 12 bytes/tag */ 2064 if (temp > 357913930 || /* (2^32-4-132)/12: maximum possible tag count */ 2065 profile_length < 132+12*temp) /* truncated tag table */ 2066 return png_icc_profile_error(png_ptr, colorspace, name, temp, 2067 "tag count too large"); 2068 2069 /* The 'intent' must be valid or we can't store it, ICC limits the intent to 2070 * 16 bits. 2071 */ 2072 temp = png_get_uint_32(profile+64); 2073 if (temp >= 0xffff) /* The ICC limit */ 2074 return png_icc_profile_error(png_ptr, colorspace, name, temp, 2075 "invalid rendering intent"); 2076 2077 /* This is just a warning because the profile may be valid in future 2078 * versions. 2079 */ 2080 if (temp >= PNG_sRGB_INTENT_LAST) 2081 (void)png_icc_profile_error(png_ptr, NULL, name, temp, 2082 "intent outside defined range"); 2083 2084 /* At this point the tag table can't be checked because it hasn't necessarily 2085 * been loaded; however, various header fields can be checked. These checks 2086 * are for values permitted by the PNG spec in an ICC profile; the PNG spec 2087 * restricts the profiles that can be passed in an iCCP chunk (they must be 2088 * appropriate to processing PNG data!) 2089 */ 2090 2091 /* Data checks (could be skipped). These checks must be independent of the 2092 * version number; however, the version number doesn't accommodate changes in 2093 * the header fields (just the known tags and the interpretation of the 2094 * data.) 2095 */ 2096 temp = png_get_uint_32(profile+36); /* signature 'ascp' */ 2097 if (temp != 0x61637370) 2098 return png_icc_profile_error(png_ptr, colorspace, name, temp, 2099 "invalid signature"); 2100 2101 /* Currently the PCS illuminant/adopted white point (the computational 2102 * white point) are required to be D50, 2103 * however the profile contains a record of the illuminant so perhaps ICC 2104 * expects to be able to change this in the future (despite the rationale in 2105 * the introduction for using a fixed PCS adopted white.) Consequently the 2106 * following is just a warning. 2107 */ 2108 if (memcmp(profile+68, D50_nCIEXYZ, 12) != 0) 2109 (void)png_icc_profile_error(png_ptr, NULL, name, 0/*no tag value*/, 2110 "PCS illuminant is not D50"); 2111 2112 /* The PNG spec requires this: 2113 * "If the iCCP chunk is present, the image samples conform to the colour 2114 * space represented by the embedded ICC profile as defined by the 2115 * International Color Consortium [ICC]. The colour space of the ICC profile 2116 * shall be an RGB colour space for colour images (PNG colour types 2, 3, and 2117 * 6), or a greyscale colour space for greyscale images (PNG colour types 0 2118 * and 4)." 2119 * 2120 * This checking code ensures the embedded profile (on either read or write) 2121 * conforms to the specification requirements. Notice that an ICC 'gray' 2122 * color-space profile contains the information to transform the monochrome 2123 * data to XYZ or L*a*b (according to which PCS the profile uses) and this 2124 * should be used in preference to the standard libpng K channel replication 2125 * into R, G and B channels. 2126 * 2127 * Previously it was suggested that an RGB profile on grayscale data could be 2128 * handled. However it it is clear that using an RGB profile in this context 2129 * must be an error - there is no specification of what it means. Thus it is 2130 * almost certainly more correct to ignore the profile. 2131 */ 2132 temp = png_get_uint_32(profile+16); /* data colour space field */ 2133 switch (temp) 2134 { 2135 case 0x52474220: /* 'RGB ' */ 2136 if ((color_type & PNG_COLOR_MASK_COLOR) == 0) 2137 return png_icc_profile_error(png_ptr, colorspace, name, temp, 2138 "RGB color space not permitted on grayscale PNG"); 2139 break; 2140 2141 case 0x47524159: /* 'GRAY' */ 2142 if ((color_type & PNG_COLOR_MASK_COLOR) != 0) 2143 return png_icc_profile_error(png_ptr, colorspace, name, temp, 2144 "Gray color space not permitted on RGB PNG"); 2145 break; 2146 2147 default: 2148 return png_icc_profile_error(png_ptr, colorspace, name, temp, 2149 "invalid ICC profile color space"); 2150 } 2151 2152 /* It is up to the application to check that the profile class matches the 2153 * application requirements; the spec provides no guidance, but it's pretty 2154 * weird if the profile is not scanner ('scnr'), monitor ('mntr'), printer 2155 * ('prtr') or 'spac' (for generic color spaces). Issue a warning in these 2156 * cases. Issue an error for device link or abstract profiles - these don't 2157 * contain the records necessary to transform the color-space to anything 2158 * other than the target device (and not even that for an abstract profile). 2159 * Profiles of these classes may not be embedded in images. 2160 */ 2161 temp = png_get_uint_32(profile+12); /* profile/device class */ 2162 switch (temp) 2163 { 2164 case 0x73636e72: /* 'scnr' */ 2165 case 0x6d6e7472: /* 'mntr' */ 2166 case 0x70727472: /* 'prtr' */ 2167 case 0x73706163: /* 'spac' */ 2168 /* All supported */ 2169 break; 2170 2171 case 0x61627374: /* 'abst' */ 2172 /* May not be embedded in an image */ 2173 return png_icc_profile_error(png_ptr, colorspace, name, temp, 2174 "invalid embedded Abstract ICC profile"); 2175 2176 case 0x6c696e6b: /* 'link' */ 2177 /* DeviceLink profiles cannot be interpreted in a non-device specific 2178 * fashion, if an app uses the AToB0Tag in the profile the results are 2179 * undefined unless the result is sent to the intended device, 2180 * therefore a DeviceLink profile should not be found embedded in a 2181 * PNG. 2182 */ 2183 return png_icc_profile_error(png_ptr, colorspace, name, temp, 2184 "unexpected DeviceLink ICC profile class"); 2185 2186 case 0x6e6d636c: /* 'nmcl' */ 2187 /* A NamedColor profile is also device specific, however it doesn't 2188 * contain an AToB0 tag that is open to misinterpretation. Almost 2189 * certainly it will fail the tests below. 2190 */ 2191 (void)png_icc_profile_error(png_ptr, NULL, name, temp, 2192 "unexpected NamedColor ICC profile class"); 2193 break; 2194 2195 default: 2196 /* To allow for future enhancements to the profile accept unrecognized 2197 * profile classes with a warning, these then hit the test below on the 2198 * tag content to ensure they are backward compatible with one of the 2199 * understood profiles. 2200 */ 2201 (void)png_icc_profile_error(png_ptr, NULL, name, temp, 2202 "unrecognized ICC profile class"); 2203 break; 2204 } 2205 2206 /* For any profile other than a device link one the PCS must be encoded 2207 * either in XYZ or Lab. 2208 */ 2209 temp = png_get_uint_32(profile+20); 2210 switch (temp) 2211 { 2212 case 0x58595a20: /* 'XYZ ' */ 2213 case 0x4c616220: /* 'Lab ' */ 2214 break; 2215 2216 default: 2217 return png_icc_profile_error(png_ptr, colorspace, name, temp, 2218 "unexpected ICC PCS encoding"); 2219 } 2220 2221 return 1; 2222 } 2223 2224 int /* PRIVATE */ 2225 png_icc_check_tag_table(png_const_structrp png_ptr, png_colorspacerp colorspace, 2226 png_const_charp name, png_uint_32 profile_length, 2227 png_const_bytep profile /* header plus whole tag table */) 2228 { 2229 png_uint_32 tag_count = png_get_uint_32(profile+128); 2230 png_uint_32 itag; 2231 png_const_bytep tag = profile+132; /* The first tag */ 2232 2233 /* First scan all the tags in the table and add bits to the icc_info value 2234 * (temporarily in 'tags'). 2235 */ 2236 for (itag=0; itag < tag_count; ++itag, tag += 12) 2237 { 2238 png_uint_32 tag_id = png_get_uint_32(tag+0); 2239 png_uint_32 tag_start = png_get_uint_32(tag+4); /* must be aligned */ 2240 png_uint_32 tag_length = png_get_uint_32(tag+8);/* not padded */ 2241 2242 /* The ICC specification does not exclude zero length tags, therefore the 2243 * start might actually be anywhere if there is no data, but this would be 2244 * a clear abuse of the intent of the standard so the start is checked for 2245 * being in range. All defined tag types have an 8 byte header - a 4 byte 2246 * type signature then 0. 2247 */ 2248 2249 /* This is a hard error; potentially it can cause read outside the 2250 * profile. 2251 */ 2252 if (tag_start > profile_length || tag_length > profile_length - tag_start) 2253 return png_icc_profile_error(png_ptr, colorspace, name, tag_id, 2254 "ICC profile tag outside profile"); 2255 2256 if ((tag_start & 3) != 0) 2257 { 2258 /* CNHP730S.icc shipped with Microsoft Windows 64 violates this; it is 2259 * only a warning here because libpng does not care about the 2260 * alignment. 2261 */ 2262 (void)png_icc_profile_error(png_ptr, NULL, name, tag_id, 2263 "ICC profile tag start not a multiple of 4"); 2264 } 2265 } 2266 2267 return 1; /* success, maybe with warnings */ 2268 } 2269 2270 #ifdef PNG_sRGB_SUPPORTED 2271 #if PNG_sRGB_PROFILE_CHECKS >= 0 2272 /* Information about the known ICC sRGB profiles */ 2273 static const struct 2274 { 2275 png_uint_32 adler, crc, length; 2276 png_uint_32 md5[4]; 2277 png_byte have_md5; 2278 png_byte is_broken; 2279 png_uint_16 intent; 2280 2281 # define PNG_MD5(a,b,c,d) { a, b, c, d }, (a!=0)||(b!=0)||(c!=0)||(d!=0) 2282 # define PNG_ICC_CHECKSUM(adler, crc, md5, intent, broke, date, length, fname)\ 2283 { adler, crc, length, md5, broke, intent }, 2284 2285 } png_sRGB_checks[] = 2286 { 2287 /* This data comes from contrib/tools/checksum-icc run on downloads of 2288 * all four ICC sRGB profiles from www.color.org. 2289 */ 2290 /* adler32, crc32, MD5[4], intent, date, length, file-name */ 2291 PNG_ICC_CHECKSUM(0x0a3fd9f6, 0x3b8772b9, 2292 PNG_MD5(0x29f83dde, 0xaff255ae, 0x7842fae4, 0xca83390d), 0, 0, 2293 "2009/03/27 21:36:31", 3048, "sRGB_IEC61966-2-1_black_scaled.icc") 2294 2295 /* ICC sRGB v2 perceptual no black-compensation: */ 2296 PNG_ICC_CHECKSUM(0x4909e5e1, 0x427ebb21, 2297 PNG_MD5(0xc95bd637, 0xe95d8a3b, 0x0df38f99, 0xc1320389), 1, 0, 2298 "2009/03/27 21:37:45", 3052, "sRGB_IEC61966-2-1_no_black_scaling.icc") 2299 2300 PNG_ICC_CHECKSUM(0xfd2144a1, 0x306fd8ae, 2301 PNG_MD5(0xfc663378, 0x37e2886b, 0xfd72e983, 0x8228f1b8), 0, 0, 2302 "2009/08/10 17:28:01", 60988, "sRGB_v4_ICC_preference_displayclass.icc") 2303 2304 /* ICC sRGB v4 perceptual */ 2305 PNG_ICC_CHECKSUM(0x209c35d2, 0xbbef7812, 2306 PNG_MD5(0x34562abf, 0x994ccd06, 0x6d2c5721, 0xd0d68c5d), 0, 0, 2307 "2007/07/25 00:05:37", 60960, "sRGB_v4_ICC_preference.icc") 2308 2309 /* The following profiles have no known MD5 checksum. If there is a match 2310 * on the (empty) MD5 the other fields are used to attempt a match and 2311 * a warning is produced. The first two of these profiles have a 'cprt' tag 2312 * which suggests that they were also made by Hewlett Packard. 2313 */ 2314 PNG_ICC_CHECKSUM(0xa054d762, 0x5d5129ce, 2315 PNG_MD5(0x00000000, 0x00000000, 0x00000000, 0x00000000), 1, 0, 2316 "2004/07/21 18:57:42", 3024, "sRGB_IEC61966-2-1_noBPC.icc") 2317 2318 /* This is a 'mntr' (display) profile with a mediaWhitePointTag that does not 2319 * match the D50 PCS illuminant in the header (it is in fact the D65 values, 2320 * so the white point is recorded as the un-adapted value.) The profiles 2321 * below only differ in one byte - the intent - and are basically the same as 2322 * the previous profile except for the mediaWhitePointTag error and a missing 2323 * chromaticAdaptationTag. 2324 */ 2325 PNG_ICC_CHECKSUM(0xf784f3fb, 0x182ea552, 2326 PNG_MD5(0x00000000, 0x00000000, 0x00000000, 0x00000000), 0, 1/*broken*/, 2327 "1998/02/09 06:49:00", 3144, "HP-Microsoft sRGB v2 perceptual") 2328 2329 PNG_ICC_CHECKSUM(0x0398f3fc, 0xf29e526d, 2330 PNG_MD5(0x00000000, 0x00000000, 0x00000000, 0x00000000), 1, 1/*broken*/, 2331 "1998/02/09 06:49:00", 3144, "HP-Microsoft sRGB v2 media-relative") 2332 }; 2333 2334 static int 2335 png_compare_ICC_profile_with_sRGB(png_const_structrp png_ptr, 2336 png_const_bytep profile, uLong adler) 2337 { 2338 /* The quick check is to verify just the MD5 signature and trust the 2339 * rest of the data. Because the profile has already been verified for 2340 * correctness this is safe. png_colorspace_set_sRGB will check the 'intent' 2341 * field too, so if the profile has been edited with an intent not defined 2342 * by sRGB (but maybe defined by a later ICC specification) the read of 2343 * the profile will fail at that point. 2344 */ 2345 2346 png_uint_32 length = 0; 2347 png_uint_32 intent = 0x10000; /* invalid */ 2348 #if PNG_sRGB_PROFILE_CHECKS > 1 2349 uLong crc = 0; /* the value for 0 length data */ 2350 #endif 2351 unsigned int i; 2352 2353 #ifdef PNG_SET_OPTION_SUPPORTED 2354 /* First see if PNG_SKIP_sRGB_CHECK_PROFILE has been set to "on" */ 2355 if (((png_ptr->options >> PNG_SKIP_sRGB_CHECK_PROFILE) & 3) == 2356 PNG_OPTION_ON) 2357 return 0; 2358 #endif 2359 2360 for (i=0; i < (sizeof png_sRGB_checks) / (sizeof png_sRGB_checks[0]); ++i) 2361 { 2362 if (png_get_uint_32(profile+84) == png_sRGB_checks[i].md5[0] && 2363 png_get_uint_32(profile+88) == png_sRGB_checks[i].md5[1] && 2364 png_get_uint_32(profile+92) == png_sRGB_checks[i].md5[2] && 2365 png_get_uint_32(profile+96) == png_sRGB_checks[i].md5[3]) 2366 { 2367 /* This may be one of the old HP profiles without an MD5, in that 2368 * case we can only use the length and Adler32 (note that these 2369 * are not used by default if there is an MD5!) 2370 */ 2371 # if PNG_sRGB_PROFILE_CHECKS == 0 2372 if (png_sRGB_checks[i].have_md5 != 0) 2373 return 1+png_sRGB_checks[i].is_broken; 2374 # endif 2375 2376 /* Profile is unsigned or more checks have been configured in. */ 2377 if (length == 0) 2378 { 2379 length = png_get_uint_32(profile); 2380 intent = png_get_uint_32(profile+64); 2381 } 2382 2383 /* Length *and* intent must match */ 2384 if (length == (png_uint_32) png_sRGB_checks[i].length && 2385 intent == (png_uint_32) png_sRGB_checks[i].intent) 2386 { 2387 /* Now calculate the adler32 if not done already. */ 2388 if (adler == 0) 2389 { 2390 adler = adler32(0, NULL, 0); 2391 adler = adler32(adler, profile, length); 2392 } 2393 2394 if (adler == png_sRGB_checks[i].adler) 2395 { 2396 /* These basic checks suggest that the data has not been 2397 * modified, but if the check level is more than 1 perform 2398 * our own crc32 checksum on the data. 2399 */ 2400 # if PNG_sRGB_PROFILE_CHECKS > 1 2401 if (crc == 0) 2402 { 2403 crc = crc32(0, NULL, 0); 2404 crc = crc32(crc, profile, length); 2405 } 2406 2407 /* So this check must pass for the 'return' below to happen. 2408 */ 2409 if (crc == png_sRGB_checks[i].crc) 2410 # endif 2411 { 2412 if (png_sRGB_checks[i].is_broken != 0) 2413 { 2414 /* These profiles are known to have bad data that may cause 2415 * problems if they are used, therefore attempt to 2416 * discourage their use, skip the 'have_md5' warning below, 2417 * which is made irrelevant by this error. 2418 */ 2419 png_chunk_report(png_ptr, "known incorrect sRGB profile", 2420 PNG_CHUNK_ERROR); 2421 } 2422 2423 /* Warn that this being done; this isn't even an error since 2424 * the profile is perfectly valid, but it would be nice if 2425 * people used the up-to-date ones. 2426 */ 2427 else if (png_sRGB_checks[i].have_md5 == 0) 2428 { 2429 png_chunk_report(png_ptr, 2430 "out-of-date sRGB profile with no signature", 2431 PNG_CHUNK_WARNING); 2432 } 2433 2434 return 1+png_sRGB_checks[i].is_broken; 2435 } 2436 } 2437 2438 # if PNG_sRGB_PROFILE_CHECKS > 0 2439 /* The signature matched, but the profile had been changed in some 2440 * way. This probably indicates a data error or uninformed hacking. 2441 * Fall through to "no match". 2442 */ 2443 png_chunk_report(png_ptr, 2444 "Not recognizing known sRGB profile that has been edited", 2445 PNG_CHUNK_WARNING); 2446 break; 2447 # endif 2448 } 2449 } 2450 } 2451 2452 return 0; /* no match */ 2453 } 2454 2455 void /* PRIVATE */ 2456 png_icc_set_sRGB(png_const_structrp png_ptr, 2457 png_colorspacerp colorspace, png_const_bytep profile, uLong adler) 2458 { 2459 /* Is this profile one of the known ICC sRGB profiles? If it is, just set 2460 * the sRGB information. 2461 */ 2462 if (png_compare_ICC_profile_with_sRGB(png_ptr, profile, adler) != 0) 2463 (void)png_colorspace_set_sRGB(png_ptr, colorspace, 2464 (int)/*already checked*/png_get_uint_32(profile+64)); 2465 } 2466 #endif /* PNG_sRGB_PROFILE_CHECKS >= 0 */ 2467 #endif /* sRGB */ 2468 2469 int /* PRIVATE */ 2470 png_colorspace_set_ICC(png_const_structrp png_ptr, png_colorspacerp colorspace, 2471 png_const_charp name, png_uint_32 profile_length, png_const_bytep profile, 2472 int color_type) 2473 { 2474 if ((colorspace->flags & PNG_COLORSPACE_INVALID) != 0) 2475 return 0; 2476 2477 if (icc_check_length(png_ptr, colorspace, name, profile_length) != 0 && 2478 png_icc_check_header(png_ptr, colorspace, name, profile_length, profile, 2479 color_type) != 0 && 2480 png_icc_check_tag_table(png_ptr, colorspace, name, profile_length, 2481 profile) != 0) 2482 { 2483 # if defined(PNG_sRGB_SUPPORTED) && PNG_sRGB_PROFILE_CHECKS >= 0 2484 /* If no sRGB support, don't try storing sRGB information */ 2485 png_icc_set_sRGB(png_ptr, colorspace, profile, 0); 2486 # endif 2487 return 1; 2488 } 2489 2490 /* Failure case */ 2491 return 0; 2492 } 2493 #endif /* iCCP */ 2494 2495 #ifdef PNG_READ_RGB_TO_GRAY_SUPPORTED 2496 void /* PRIVATE */ 2497 png_colorspace_set_rgb_coefficients(png_structrp png_ptr) 2498 { 2499 /* Set the rgb_to_gray coefficients from the colorspace. */ 2500 if (png_ptr->rgb_to_gray_coefficients_set == 0 && 2501 (png_ptr->colorspace.flags & PNG_COLORSPACE_HAVE_ENDPOINTS) != 0) 2502 { 2503 /* png_set_background has not been called, get the coefficients from the Y 2504 * values of the colorspace colorants. 2505 */ 2506 png_fixed_point r = png_ptr->colorspace.end_points_XYZ.red_Y; 2507 png_fixed_point g = png_ptr->colorspace.end_points_XYZ.green_Y; 2508 png_fixed_point b = png_ptr->colorspace.end_points_XYZ.blue_Y; 2509 png_fixed_point total = r+g+b; 2510 2511 if (total > 0 && 2512 r >= 0 && png_muldiv(&r, r, 32768, total) && r >= 0 && r <= 32768 && 2513 g >= 0 && png_muldiv(&g, g, 32768, total) && g >= 0 && g <= 32768 && 2514 b >= 0 && png_muldiv(&b, b, 32768, total) && b >= 0 && b <= 32768 && 2515 r+g+b <= 32769) 2516 { 2517 /* We allow 0 coefficients here. r+g+b may be 32769 if two or 2518 * all of the coefficients were rounded up. Handle this by 2519 * reducing the *largest* coefficient by 1; this matches the 2520 * approach used for the default coefficients in pngrtran.c 2521 */ 2522 int add = 0; 2523 2524 if (r+g+b > 32768) 2525 add = -1; 2526 else if (r+g+b < 32768) 2527 add = 1; 2528 2529 if (add != 0) 2530 { 2531 if (g >= r && g >= b) 2532 g += add; 2533 else if (r >= g && r >= b) 2534 r += add; 2535 else 2536 b += add; 2537 } 2538 2539 /* Check for an internal error. */ 2540 if (r+g+b != 32768) 2541 png_error(png_ptr, 2542 "internal error handling cHRM coefficients"); 2543 2544 else 2545 { 2546 png_ptr->rgb_to_gray_red_coeff = (png_uint_16)r; 2547 png_ptr->rgb_to_gray_green_coeff = (png_uint_16)g; 2548 } 2549 } 2550 2551 /* This is a png_error at present even though it could be ignored - 2552 * it should never happen, but it is important that if it does, the 2553 * bug is fixed. 2554 */ 2555 else 2556 png_error(png_ptr, "internal error handling cHRM->XYZ"); 2557 } 2558 } 2559 #endif /* READ_RGB_TO_GRAY */ 2560 2561 #endif /* COLORSPACE */ 2562 2563 #ifdef __GNUC__ 2564 /* This exists solely to work round a warning from GNU C. */ 2565 static int /* PRIVATE */ 2566 png_gt(size_t a, size_t b) 2567 { 2568 return a > b; 2569 } 2570 #else 2571 # define png_gt(a,b) ((a) > (b)) 2572 #endif 2573 2574 void /* PRIVATE */ 2575 png_check_IHDR(png_const_structrp png_ptr, 2576 png_uint_32 width, png_uint_32 height, int bit_depth, 2577 int color_type, int interlace_type, int compression_type, 2578 int filter_type) 2579 { 2580 int error = 0; 2581 2582 /* Check for width and height valid values */ 2583 if (width == 0) 2584 { 2585 png_warning(png_ptr, "Image width is zero in IHDR"); 2586 error = 1; 2587 } 2588 2589 if (width > PNG_UINT_31_MAX) 2590 { 2591 png_warning(png_ptr, "Invalid image width in IHDR"); 2592 error = 1; 2593 } 2594 2595 if (png_gt(((width + 7) & (~7U)), 2596 ((PNG_SIZE_MAX 2597 - 48 /* big_row_buf hack */ 2598 - 1) /* filter byte */ 2599 / 8) /* 8-byte RGBA pixels */ 2600 - 1)) /* extra max_pixel_depth pad */ 2601 { 2602 /* The size of the row must be within the limits of this architecture. 2603 * Because the read code can perform arbitrary transformations the 2604 * maximum size is checked here. Because the code in png_read_start_row 2605 * adds extra space "for safety's sake" in several places a conservative 2606 * limit is used here. 2607 * 2608 * NOTE: it would be far better to check the size that is actually used, 2609 * but the effect in the real world is minor and the changes are more 2610 * extensive, therefore much more dangerous and much more difficult to 2611 * write in a way that avoids compiler warnings. 2612 */ 2613 png_warning(png_ptr, "Image width is too large for this architecture"); 2614 error = 1; 2615 } 2616 2617 #ifdef PNG_SET_USER_LIMITS_SUPPORTED 2618 if (width > png_ptr->user_width_max) 2619 #else 2620 if (width > PNG_USER_WIDTH_MAX) 2621 #endif 2622 { 2623 png_warning(png_ptr, "Image width exceeds user limit in IHDR"); 2624 error = 1; 2625 } 2626 2627 if (height == 0) 2628 { 2629 png_warning(png_ptr, "Image height is zero in IHDR"); 2630 error = 1; 2631 } 2632 2633 if (height > PNG_UINT_31_MAX) 2634 { 2635 png_warning(png_ptr, "Invalid image height in IHDR"); 2636 error = 1; 2637 } 2638 2639 #ifdef PNG_SET_USER_LIMITS_SUPPORTED 2640 if (height > png_ptr->user_height_max) 2641 #else 2642 if (height > PNG_USER_HEIGHT_MAX) 2643 #endif 2644 { 2645 png_warning(png_ptr, "Image height exceeds user limit in IHDR"); 2646 error = 1; 2647 } 2648 2649 /* Check other values */ 2650 if (bit_depth != 1 && bit_depth != 2 && bit_depth != 4 && 2651 bit_depth != 8 && bit_depth != 16) 2652 { 2653 png_warning(png_ptr, "Invalid bit depth in IHDR"); 2654 error = 1; 2655 } 2656 2657 if (color_type < 0 || color_type == 1 || 2658 color_type == 5 || color_type > 6) 2659 { 2660 png_warning(png_ptr, "Invalid color type in IHDR"); 2661 error = 1; 2662 } 2663 2664 if (((color_type == PNG_COLOR_TYPE_PALETTE) && bit_depth > 8) || 2665 ((color_type == PNG_COLOR_TYPE_RGB || 2666 color_type == PNG_COLOR_TYPE_GRAY_ALPHA || 2667 color_type == PNG_COLOR_TYPE_RGB_ALPHA) && bit_depth < 8)) 2668 { 2669 png_warning(png_ptr, "Invalid color type/bit depth combination in IHDR"); 2670 error = 1; 2671 } 2672 2673 if (interlace_type >= PNG_INTERLACE_LAST) 2674 { 2675 png_warning(png_ptr, "Unknown interlace method in IHDR"); 2676 error = 1; 2677 } 2678 2679 if (compression_type != PNG_COMPRESSION_TYPE_BASE) 2680 { 2681 png_warning(png_ptr, "Unknown compression method in IHDR"); 2682 error = 1; 2683 } 2684 2685 #ifdef PNG_MNG_FEATURES_SUPPORTED 2686 /* Accept filter_method 64 (intrapixel differencing) only if 2687 * 1. Libpng was compiled with PNG_MNG_FEATURES_SUPPORTED and 2688 * 2. Libpng did not read a PNG signature (this filter_method is only 2689 * used in PNG datastreams that are embedded in MNG datastreams) and 2690 * 3. The application called png_permit_mng_features with a mask that 2691 * included PNG_FLAG_MNG_FILTER_64 and 2692 * 4. The filter_method is 64 and 2693 * 5. The color_type is RGB or RGBA 2694 */ 2695 if ((png_ptr->mode & PNG_HAVE_PNG_SIGNATURE) != 0 && 2696 png_ptr->mng_features_permitted != 0) 2697 png_warning(png_ptr, "MNG features are not allowed in a PNG datastream"); 2698 2699 if (filter_type != PNG_FILTER_TYPE_BASE) 2700 { 2701 if (!((png_ptr->mng_features_permitted & PNG_FLAG_MNG_FILTER_64) != 0 && 2702 (filter_type == PNG_INTRAPIXEL_DIFFERENCING) && 2703 ((png_ptr->mode & PNG_HAVE_PNG_SIGNATURE) == 0) && 2704 (color_type == PNG_COLOR_TYPE_RGB || 2705 color_type == PNG_COLOR_TYPE_RGB_ALPHA))) 2706 { 2707 png_warning(png_ptr, "Unknown filter method in IHDR"); 2708 error = 1; 2709 } 2710 2711 if ((png_ptr->mode & PNG_HAVE_PNG_SIGNATURE) != 0) 2712 { 2713 png_warning(png_ptr, "Invalid filter method in IHDR"); 2714 error = 1; 2715 } 2716 } 2717 2718 #else 2719 if (filter_type != PNG_FILTER_TYPE_BASE) 2720 { 2721 png_warning(png_ptr, "Unknown filter method in IHDR"); 2722 error = 1; 2723 } 2724 #endif 2725 2726 if (error == 1) 2727 png_error(png_ptr, "Invalid IHDR data"); 2728 } 2729 2730 #if defined(PNG_sCAL_SUPPORTED) || defined(PNG_pCAL_SUPPORTED) 2731 /* ASCII to fp functions */ 2732 /* Check an ASCII formatted floating point value, see the more detailed 2733 * comments in pngpriv.h 2734 */ 2735 /* The following is used internally to preserve the sticky flags */ 2736 #define png_fp_add(state, flags) ((state) |= (flags)) 2737 #define png_fp_set(state, value) ((state) = (value) | ((state) & PNG_FP_STICKY)) 2738 2739 int /* PRIVATE */ 2740 png_check_fp_number(png_const_charp string, size_t size, int *statep, 2741 png_size_tp whereami) 2742 { 2743 int state = *statep; 2744 size_t i = *whereami; 2745 2746 while (i < size) 2747 { 2748 int type; 2749 /* First find the type of the next character */ 2750 switch (string[i]) 2751 { 2752 case 43: type = PNG_FP_SAW_SIGN; break; 2753 case 45: type = PNG_FP_SAW_SIGN + PNG_FP_NEGATIVE; break; 2754 case 46: type = PNG_FP_SAW_DOT; break; 2755 case 48: type = PNG_FP_SAW_DIGIT; break; 2756 case 49: case 50: case 51: case 52: 2757 case 53: case 54: case 55: case 56: 2758 case 57: type = PNG_FP_SAW_DIGIT + PNG_FP_NONZERO; break; 2759 case 69: 2760 case 101: type = PNG_FP_SAW_E; break; 2761 default: goto PNG_FP_End; 2762 } 2763 2764 /* Now deal with this type according to the current 2765 * state, the type is arranged to not overlap the 2766 * bits of the PNG_FP_STATE. 2767 */ 2768 switch ((state & PNG_FP_STATE) + (type & PNG_FP_SAW_ANY)) 2769 { 2770 case PNG_FP_INTEGER + PNG_FP_SAW_SIGN: 2771 if ((state & PNG_FP_SAW_ANY) != 0) 2772 goto PNG_FP_End; /* not a part of the number */ 2773 2774 png_fp_add(state, type); 2775 break; 2776 2777 case PNG_FP_INTEGER + PNG_FP_SAW_DOT: 2778 /* Ok as trailer, ok as lead of fraction. */ 2779 if ((state & PNG_FP_SAW_DOT) != 0) /* two dots */ 2780 goto PNG_FP_End; 2781 2782 else if ((state & PNG_FP_SAW_DIGIT) != 0) /* trailing dot? */ 2783 png_fp_add(state, type); 2784 2785 else 2786 png_fp_set(state, PNG_FP_FRACTION | type); 2787 2788 break; 2789 2790 case PNG_FP_INTEGER + PNG_FP_SAW_DIGIT: 2791 if ((state & PNG_FP_SAW_DOT) != 0) /* delayed fraction */ 2792 png_fp_set(state, PNG_FP_FRACTION | PNG_FP_SAW_DOT); 2793 2794 png_fp_add(state, type | PNG_FP_WAS_VALID); 2795 2796 break; 2797 2798 case PNG_FP_INTEGER + PNG_FP_SAW_E: 2799 if ((state & PNG_FP_SAW_DIGIT) == 0) 2800 goto PNG_FP_End; 2801 2802 png_fp_set(state, PNG_FP_EXPONENT); 2803 2804 break; 2805 2806 /* case PNG_FP_FRACTION + PNG_FP_SAW_SIGN: 2807 goto PNG_FP_End; ** no sign in fraction */ 2808 2809 /* case PNG_FP_FRACTION + PNG_FP_SAW_DOT: 2810 goto PNG_FP_End; ** Because SAW_DOT is always set */ 2811 2812 case PNG_FP_FRACTION + PNG_FP_SAW_DIGIT: 2813 png_fp_add(state, type | PNG_FP_WAS_VALID); 2814 break; 2815 2816 case PNG_FP_FRACTION + PNG_FP_SAW_E: 2817 /* This is correct because the trailing '.' on an 2818 * integer is handled above - so we can only get here 2819 * with the sequence ".E" (with no preceding digits). 2820 */ 2821 if ((state & PNG_FP_SAW_DIGIT) == 0) 2822 goto PNG_FP_End; 2823 2824 png_fp_set(state, PNG_FP_EXPONENT); 2825 2826 break; 2827 2828 case PNG_FP_EXPONENT + PNG_FP_SAW_SIGN: 2829 if ((state & PNG_FP_SAW_ANY) != 0) 2830 goto PNG_FP_End; /* not a part of the number */ 2831 2832 png_fp_add(state, PNG_FP_SAW_SIGN); 2833 2834 break; 2835 2836 /* case PNG_FP_EXPONENT + PNG_FP_SAW_DOT: 2837 goto PNG_FP_End; */ 2838 2839 case PNG_FP_EXPONENT + PNG_FP_SAW_DIGIT: 2840 png_fp_add(state, PNG_FP_SAW_DIGIT | PNG_FP_WAS_VALID); 2841 2842 break; 2843 2844 /* case PNG_FP_EXPONEXT + PNG_FP_SAW_E: 2845 goto PNG_FP_End; */ 2846 2847 default: goto PNG_FP_End; /* I.e. break 2 */ 2848 } 2849 2850 /* The character seems ok, continue. */ 2851 ++i; 2852 } 2853 2854 PNG_FP_End: 2855 /* Here at the end, update the state and return the correct 2856 * return code. 2857 */ 2858 *statep = state; 2859 *whereami = i; 2860 2861 return (state & PNG_FP_SAW_DIGIT) != 0; 2862 } 2863 2864 2865 /* The same but for a complete string. */ 2866 int 2867 png_check_fp_string(png_const_charp string, size_t size) 2868 { 2869 int state=0; 2870 size_t char_index=0; 2871 2872 if (png_check_fp_number(string, size, &state, &char_index) != 0 && 2873 (char_index == size || string[char_index] == 0)) 2874 return state /* must be non-zero - see above */; 2875 2876 return 0; /* i.e. fail */ 2877 } 2878 #endif /* pCAL || sCAL */ 2879 2880 #ifdef PNG_sCAL_SUPPORTED 2881 # ifdef PNG_FLOATING_POINT_SUPPORTED 2882 /* Utility used below - a simple accurate power of ten from an integral 2883 * exponent. 2884 */ 2885 static double 2886 png_pow10(int power) 2887 { 2888 int recip = 0; 2889 double d = 1; 2890 2891 /* Handle negative exponent with a reciprocal at the end because 2892 * 10 is exact whereas .1 is inexact in base 2 2893 */ 2894 if (power < 0) 2895 { 2896 if (power < DBL_MIN_10_EXP) return 0; 2897 recip = 1; power = -power; 2898 } 2899 2900 if (power > 0) 2901 { 2902 /* Decompose power bitwise. */ 2903 double mult = 10; 2904 do 2905 { 2906 if (power & 1) d *= mult; 2907 mult *= mult; 2908 power >>= 1; 2909 } 2910 while (power > 0); 2911 2912 if (recip != 0) d = 1/d; 2913 } 2914 /* else power is 0 and d is 1 */ 2915 2916 return d; 2917 } 2918 2919 /* Function to format a floating point value in ASCII with a given 2920 * precision. 2921 */ 2922 #if GCC_STRICT_OVERFLOW 2923 #pragma GCC diagnostic push 2924 /* The problem arises below with exp_b10, which can never overflow because it 2925 * comes, originally, from frexp and is therefore limited to a range which is 2926 * typically +/-710 (log2(DBL_MAX)/log2(DBL_MIN)). 2927 */ 2928 #pragma GCC diagnostic warning "-Wstrict-overflow=2" 2929 #endif /* GCC_STRICT_OVERFLOW */ 2930 void /* PRIVATE */ 2931 png_ascii_from_fp(png_const_structrp png_ptr, png_charp ascii, size_t size, 2932 double fp, unsigned int precision) 2933 { 2934 /* We use standard functions from math.h, but not printf because 2935 * that would require stdio. The caller must supply a buffer of 2936 * sufficient size or we will png_error. The tests on size and 2937 * the space in ascii[] consumed are indicated below. 2938 */ 2939 if (precision < 1) 2940 precision = DBL_DIG; 2941 2942 /* Enforce the limit of the implementation precision too. */ 2943 if (precision > DBL_DIG+1) 2944 precision = DBL_DIG+1; 2945 2946 /* Basic sanity checks */ 2947 if (size >= precision+5) /* See the requirements below. */ 2948 { 2949 if (fp < 0) 2950 { 2951 fp = -fp; 2952 *ascii++ = 45; /* '-' PLUS 1 TOTAL 1 */ 2953 --size; 2954 } 2955 2956 if (fp >= DBL_MIN && fp <= DBL_MAX) 2957 { 2958 int exp_b10; /* A base 10 exponent */ 2959 double base; /* 10^exp_b10 */ 2960 2961 /* First extract a base 10 exponent of the number, 2962 * the calculation below rounds down when converting 2963 * from base 2 to base 10 (multiply by log10(2) - 2964 * 0.3010, but 77/256 is 0.3008, so exp_b10 needs to 2965 * be increased. Note that the arithmetic shift 2966 * performs a floor() unlike C arithmetic - using a 2967 * C multiply would break the following for negative 2968 * exponents. 2969 */ 2970 (void)frexp(fp, &exp_b10); /* exponent to base 2 */ 2971 2972 exp_b10 = (exp_b10 * 77) >> 8; /* <= exponent to base 10 */ 2973 2974 /* Avoid underflow here. */ 2975 base = png_pow10(exp_b10); /* May underflow */ 2976 2977 while (base < DBL_MIN || base < fp) 2978 { 2979 /* And this may overflow. */ 2980 double test = png_pow10(exp_b10+1); 2981 2982 if (test <= DBL_MAX) 2983 { 2984 ++exp_b10; base = test; 2985 } 2986 2987 else 2988 break; 2989 } 2990 2991 /* Normalize fp and correct exp_b10, after this fp is in the 2992 * range [.1,1) and exp_b10 is both the exponent and the digit 2993 * *before* which the decimal point should be inserted 2994 * (starting with 0 for the first digit). Note that this 2995 * works even if 10^exp_b10 is out of range because of the 2996 * test on DBL_MAX above. 2997 */ 2998 fp /= base; 2999 while (fp >= 1) 3000 { 3001 fp /= 10; ++exp_b10; 3002 } 3003 3004 /* Because of the code above fp may, at this point, be 3005 * less than .1, this is ok because the code below can 3006 * handle the leading zeros this generates, so no attempt 3007 * is made to correct that here. 3008 */ 3009 3010 { 3011 unsigned int czero, clead, cdigits; 3012 char exponent[10]; 3013 3014 /* Allow up to two leading zeros - this will not lengthen 3015 * the number compared to using E-n. 3016 */ 3017 if (exp_b10 < 0 && exp_b10 > -3) /* PLUS 3 TOTAL 4 */ 3018 { 3019 czero = 0U-exp_b10; /* PLUS 2 digits: TOTAL 3 */ 3020 exp_b10 = 0; /* Dot added below before first output. */ 3021 } 3022 else 3023 czero = 0; /* No zeros to add */ 3024 3025 /* Generate the digit list, stripping trailing zeros and 3026 * inserting a '.' before a digit if the exponent is 0. 3027 */ 3028 clead = czero; /* Count of leading zeros */ 3029 cdigits = 0; /* Count of digits in list. */ 3030 3031 do 3032 { 3033 double d; 3034 3035 fp *= 10; 3036 /* Use modf here, not floor and subtract, so that 3037 * the separation is done in one step. At the end 3038 * of the loop don't break the number into parts so 3039 * that the final digit is rounded. 3040 */ 3041 if (cdigits+czero+1 < precision+clead) 3042 fp = modf(fp, &d); 3043 3044 else 3045 { 3046 d = floor(fp + .5); 3047 3048 if (d > 9) 3049 { 3050 /* Rounding up to 10, handle that here. */ 3051 if (czero > 0) 3052 { 3053 --czero; d = 1; 3054 if (cdigits == 0) --clead; 3055 } 3056 else 3057 { 3058 while (cdigits > 0 && d > 9) 3059 { 3060 int ch = *--ascii; 3061 3062 if (exp_b10 != (-1)) 3063 ++exp_b10; 3064 3065 else if (ch == 46) 3066 { 3067 ch = *--ascii; ++size; 3068 /* Advance exp_b10 to '1', so that the 3069 * decimal point happens after the 3070 * previous digit. 3071 */ 3072 exp_b10 = 1; 3073 } 3074 3075 --cdigits; 3076 d = ch - 47; /* I.e. 1+(ch-48) */ 3077 } 3078 3079 /* Did we reach the beginning? If so adjust the 3080 * exponent but take into account the leading 3081 * decimal point. 3082 */ 3083 if (d > 9) /* cdigits == 0 */ 3084 { 3085 if (exp_b10 == (-1)) 3086 { 3087 /* Leading decimal point (plus zeros?), if 3088 * we lose the decimal point here it must 3089 * be reentered below. 3090 */ 3091 int ch = *--ascii; 3092 3093 if (ch == 46) 3094 { 3095 ++size; exp_b10 = 1; 3096 } 3097 3098 /* Else lost a leading zero, so 'exp_b10' is 3099 * still ok at (-1) 3100 */ 3101 } 3102 else 3103 ++exp_b10; 3104 3105 /* In all cases we output a '1' */ 3106 d = 1; 3107 } 3108 } 3109 } 3110 fp = 0; /* Guarantees termination below. */ 3111 } 3112 3113 if (d == 0) 3114 { 3115 ++czero; 3116 if (cdigits == 0) ++clead; 3117 } 3118 else 3119 { 3120 /* Included embedded zeros in the digit count. */ 3121 cdigits += czero - clead; 3122 clead = 0; 3123 3124 while (czero > 0) 3125 { 3126 /* exp_b10 == (-1) means we just output the decimal 3127 * place - after the DP don't adjust 'exp_b10' any 3128 * more! 3129 */ 3130 if (exp_b10 != (-1)) 3131 { 3132 if (exp_b10 == 0) 3133 { 3134 *ascii++ = 46; --size; 3135 } 3136 /* PLUS 1: TOTAL 4 */ 3137 --exp_b10; 3138 } 3139 *ascii++ = 48; --czero; 3140 } 3141 3142 if (exp_b10 != (-1)) 3143 { 3144 if (exp_b10 == 0) 3145 { 3146 *ascii++ = 46; --size; /* counted above */ 3147 } 3148 3149 --exp_b10; 3150 } 3151 *ascii++ = (char)(48 + (int)d); ++cdigits; 3152 } 3153 } 3154 while (cdigits+czero < precision+clead && fp > DBL_MIN); 3155 3156 /* The total output count (max) is now 4+precision */ 3157 3158 /* Check for an exponent, if we don't need one we are 3159 * done and just need to terminate the string. At this 3160 * point, exp_b10==(-1) is effectively a flag: it got 3161 * to '-1' because of the decrement, after outputting 3162 * the decimal point above. (The exponent required is 3163 * *not* -1.) 3164 */ 3165 if (exp_b10 >= (-1) && exp_b10 <= 2) 3166 { 3167 /* The following only happens if we didn't output the 3168 * leading zeros above for negative exponent, so this 3169 * doesn't add to the digit requirement. Note that the 3170 * two zeros here can only be output if the two leading 3171 * zeros were *not* output, so this doesn't increase 3172 * the output count. 3173 */ 3174 while (exp_b10-- > 0) *ascii++ = 48; 3175 3176 *ascii = 0; 3177 3178 /* Total buffer requirement (including the '\0') is 3179 * 5+precision - see check at the start. 3180 */ 3181 return; 3182 } 3183 3184 /* Here if an exponent is required, adjust size for 3185 * the digits we output but did not count. The total 3186 * digit output here so far is at most 1+precision - no 3187 * decimal point and no leading or trailing zeros have 3188 * been output. 3189 */ 3190 size -= cdigits; 3191 3192 *ascii++ = 69; --size; /* 'E': PLUS 1 TOTAL 2+precision */ 3193 3194 /* The following use of an unsigned temporary avoids ambiguities in 3195 * the signed arithmetic on exp_b10 and permits GCC at least to do 3196 * better optimization. 3197 */ 3198 { 3199 unsigned int uexp_b10; 3200 3201 if (exp_b10 < 0) 3202 { 3203 *ascii++ = 45; --size; /* '-': PLUS 1 TOTAL 3+precision */ 3204 uexp_b10 = 0U-exp_b10; 3205 } 3206 3207 else 3208 uexp_b10 = 0U+exp_b10; 3209 3210 cdigits = 0; 3211 3212 while (uexp_b10 > 0) 3213 { 3214 exponent[cdigits++] = (char)(48 + uexp_b10 % 10); 3215 uexp_b10 /= 10; 3216 } 3217 } 3218 3219 /* Need another size check here for the exponent digits, so 3220 * this need not be considered above. 3221 */ 3222 if (size > cdigits) 3223 { 3224 while (cdigits > 0) *ascii++ = exponent[--cdigits]; 3225 3226 *ascii = 0; 3227 3228 return; 3229 } 3230 } 3231 } 3232 else if (!(fp >= DBL_MIN)) 3233 { 3234 *ascii++ = 48; /* '0' */ 3235 *ascii = 0; 3236 return; 3237 } 3238 else 3239 { 3240 *ascii++ = 105; /* 'i' */ 3241 *ascii++ = 110; /* 'n' */ 3242 *ascii++ = 102; /* 'f' */ 3243 *ascii = 0; 3244 return; 3245 } 3246 } 3247 3248 /* Here on buffer too small. */ 3249 png_error(png_ptr, "ASCII conversion buffer too small"); 3250 } 3251 #if GCC_STRICT_OVERFLOW 3252 #pragma GCC diagnostic pop 3253 #endif /* GCC_STRICT_OVERFLOW */ 3254 3255 # endif /* FLOATING_POINT */ 3256 3257 # ifdef PNG_FIXED_POINT_SUPPORTED 3258 /* Function to format a fixed point value in ASCII. 3259 */ 3260 void /* PRIVATE */ 3261 png_ascii_from_fixed(png_const_structrp png_ptr, png_charp ascii, 3262 size_t size, png_fixed_point fp) 3263 { 3264 /* Require space for 10 decimal digits, a decimal point, a minus sign and a 3265 * trailing \0, 13 characters: 3266 */ 3267 if (size > 12) 3268 { 3269 png_uint_32 num; 3270 3271 /* Avoid overflow here on the minimum integer. */ 3272 if (fp < 0) 3273 { 3274 *ascii++ = 45; num = (png_uint_32)(-fp); 3275 } 3276 else 3277 num = (png_uint_32)fp; 3278 3279 if (num <= 0x80000000) /* else overflowed */ 3280 { 3281 unsigned int ndigits = 0, first = 16 /* flag value */; 3282 char digits[10]; 3283 3284 while (num) 3285 { 3286 /* Split the low digit off num: */ 3287 unsigned int tmp = num/10; 3288 num -= tmp*10; 3289 digits[ndigits++] = (char)(48 + num); 3290 /* Record the first non-zero digit, note that this is a number 3291 * starting at 1, it's not actually the array index. 3292 */ 3293 if (first == 16 && num > 0) 3294 first = ndigits; 3295 num = tmp; 3296 } 3297 3298 if (ndigits > 0) 3299 { 3300 while (ndigits > 5) *ascii++ = digits[--ndigits]; 3301 /* The remaining digits are fractional digits, ndigits is '5' or 3302 * smaller at this point. It is certainly not zero. Check for a 3303 * non-zero fractional digit: 3304 */ 3305 if (first <= 5) 3306 { 3307 unsigned int i; 3308 *ascii++ = 46; /* decimal point */ 3309 /* ndigits may be <5 for small numbers, output leading zeros 3310 * then ndigits digits to first: 3311 */ 3312 i = 5; 3313 while (ndigits < i) 3314 { 3315 *ascii++ = 48; --i; 3316 } 3317 while (ndigits >= first) *ascii++ = digits[--ndigits]; 3318 /* Don't output the trailing zeros! */ 3319 } 3320 } 3321 else 3322 *ascii++ = 48; 3323 3324 /* And null terminate the string: */ 3325 *ascii = 0; 3326 return; 3327 } 3328 } 3329 3330 /* Here on buffer too small. */ 3331 png_error(png_ptr, "ASCII conversion buffer too small"); 3332 } 3333 # endif /* FIXED_POINT */ 3334 #endif /* SCAL */ 3335 3336 #if defined(PNG_FLOATING_POINT_SUPPORTED) && \ 3337 !defined(PNG_FIXED_POINT_MACRO_SUPPORTED) && \ 3338 (defined(PNG_gAMA_SUPPORTED) || defined(PNG_cHRM_SUPPORTED) || \ 3339 defined(PNG_sCAL_SUPPORTED) || defined(PNG_READ_BACKGROUND_SUPPORTED) || \ 3340 defined(PNG_READ_RGB_TO_GRAY_SUPPORTED)) || \ 3341 (defined(PNG_sCAL_SUPPORTED) && \ 3342 defined(PNG_FLOATING_ARITHMETIC_SUPPORTED)) 3343 png_fixed_point 3344 png_fixed(png_const_structrp png_ptr, double fp, png_const_charp text) 3345 { 3346 double r = floor(100000 * fp + .5); 3347 3348 if (r > 2147483647. || r < -2147483648.) 3349 png_fixed_error(png_ptr, text); 3350 3351 # ifndef PNG_ERROR_TEXT_SUPPORTED 3352 PNG_UNUSED(text) 3353 # endif 3354 3355 return (png_fixed_point)r; 3356 } 3357 #endif 3358 3359 #if defined(PNG_GAMMA_SUPPORTED) || defined(PNG_COLORSPACE_SUPPORTED) ||\ 3360 defined(PNG_INCH_CONVERSIONS_SUPPORTED) || defined(PNG_READ_pHYs_SUPPORTED) 3361 /* muldiv functions */ 3362 /* This API takes signed arguments and rounds the result to the nearest 3363 * integer (or, for a fixed point number - the standard argument - to 3364 * the nearest .00001). Overflow and divide by zero are signalled in 3365 * the result, a boolean - true on success, false on overflow. 3366 */ 3367 #if GCC_STRICT_OVERFLOW /* from above */ 3368 /* It is not obvious which comparison below gets optimized in such a way that 3369 * signed overflow would change the result; looking through the code does not 3370 * reveal any tests which have the form GCC complains about, so presumably the 3371 * optimizer is moving an add or subtract into the 'if' somewhere. 3372 */ 3373 #pragma GCC diagnostic push 3374 #pragma GCC diagnostic warning "-Wstrict-overflow=2" 3375 #endif /* GCC_STRICT_OVERFLOW */ 3376 int 3377 png_muldiv(png_fixed_point_p res, png_fixed_point a, png_int_32 times, 3378 png_int_32 divisor) 3379 { 3380 /* Return a * times / divisor, rounded. */ 3381 if (divisor != 0) 3382 { 3383 if (a == 0 || times == 0) 3384 { 3385 *res = 0; 3386 return 1; 3387 } 3388 else 3389 { 3390 #ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED 3391 double r = a; 3392 r *= times; 3393 r /= divisor; 3394 r = floor(r+.5); 3395 3396 /* A png_fixed_point is a 32-bit integer. */ 3397 if (r <= 2147483647. && r >= -2147483648.) 3398 { 3399 *res = (png_fixed_point)r; 3400 return 1; 3401 } 3402 #else 3403 int negative = 0; 3404 png_uint_32 A, T, D; 3405 png_uint_32 s16, s32, s00; 3406 3407 if (a < 0) 3408 negative = 1, A = -a; 3409 else 3410 A = a; 3411 3412 if (times < 0) 3413 negative = !negative, T = -times; 3414 else 3415 T = times; 3416 3417 if (divisor < 0) 3418 negative = !negative, D = -divisor; 3419 else 3420 D = divisor; 3421 3422 /* Following can't overflow because the arguments only 3423 * have 31 bits each, however the result may be 32 bits. 3424 */ 3425 s16 = (A >> 16) * (T & 0xffff) + 3426 (A & 0xffff) * (T >> 16); 3427 /* Can't overflow because the a*times bit is only 30 3428 * bits at most. 3429 */ 3430 s32 = (A >> 16) * (T >> 16) + (s16 >> 16); 3431 s00 = (A & 0xffff) * (T & 0xffff); 3432 3433 s16 = (s16 & 0xffff) << 16; 3434 s00 += s16; 3435 3436 if (s00 < s16) 3437 ++s32; /* carry */ 3438 3439 if (s32 < D) /* else overflow */ 3440 { 3441 /* s32.s00 is now the 64-bit product, do a standard 3442 * division, we know that s32 < D, so the maximum 3443 * required shift is 31. 3444 */ 3445 int bitshift = 32; 3446 png_fixed_point result = 0; /* NOTE: signed */ 3447 3448 while (--bitshift >= 0) 3449 { 3450 png_uint_32 d32, d00; 3451 3452 if (bitshift > 0) 3453 d32 = D >> (32-bitshift), d00 = D << bitshift; 3454 3455 else 3456 d32 = 0, d00 = D; 3457 3458 if (s32 > d32) 3459 { 3460 if (s00 < d00) --s32; /* carry */ 3461 s32 -= d32, s00 -= d00, result += 1<<bitshift; 3462 } 3463 3464 else 3465 if (s32 == d32 && s00 >= d00) 3466 s32 = 0, s00 -= d00, result += 1<<bitshift; 3467 } 3468 3469 /* Handle the rounding. */ 3470 if (s00 >= (D >> 1)) 3471 ++result; 3472 3473 if (negative != 0) 3474 result = -result; 3475 3476 /* Check for overflow. */ 3477 if ((negative != 0 && result <= 0) || 3478 (negative == 0 && result >= 0)) 3479 { 3480 *res = result; 3481 return 1; 3482 } 3483 } 3484 #endif 3485 } 3486 } 3487 3488 return 0; 3489 } 3490 #if GCC_STRICT_OVERFLOW 3491 #pragma GCC diagnostic pop 3492 #endif /* GCC_STRICT_OVERFLOW */ 3493 #endif /* READ_GAMMA || INCH_CONVERSIONS */ 3494 3495 #if defined(PNG_READ_GAMMA_SUPPORTED) || defined(PNG_INCH_CONVERSIONS_SUPPORTED) 3496 /* The following is for when the caller doesn't much care about the 3497 * result. 3498 */ 3499 png_fixed_point 3500 png_muldiv_warn(png_const_structrp png_ptr, png_fixed_point a, png_int_32 times, 3501 png_int_32 divisor) 3502 { 3503 png_fixed_point result; 3504 3505 if (png_muldiv(&result, a, times, divisor) != 0) 3506 return result; 3507 3508 png_warning(png_ptr, "fixed point overflow ignored"); 3509 return 0; 3510 } 3511 #endif 3512 3513 #ifdef PNG_GAMMA_SUPPORTED /* more fixed point functions for gamma */ 3514 /* Calculate a reciprocal, return 0 on div-by-zero or overflow. */ 3515 png_fixed_point 3516 png_reciprocal(png_fixed_point a) 3517 { 3518 #ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED 3519 double r = floor(1E10/a+.5); 3520 3521 if (r <= 2147483647. && r >= -2147483648.) 3522 return (png_fixed_point)r; 3523 #else 3524 png_fixed_point res; 3525 3526 if (png_muldiv(&res, 100000, 100000, a) != 0) 3527 return res; 3528 #endif 3529 3530 return 0; /* error/overflow */ 3531 } 3532 3533 /* This is the shared test on whether a gamma value is 'significant' - whether 3534 * it is worth doing gamma correction. 3535 */ 3536 int /* PRIVATE */ 3537 png_gamma_significant(png_fixed_point gamma_val) 3538 { 3539 return gamma_val < PNG_FP_1 - PNG_GAMMA_THRESHOLD_FIXED || 3540 gamma_val > PNG_FP_1 + PNG_GAMMA_THRESHOLD_FIXED; 3541 } 3542 #endif 3543 3544 #ifdef PNG_READ_GAMMA_SUPPORTED 3545 #ifdef PNG_16BIT_SUPPORTED 3546 /* A local convenience routine. */ 3547 static png_fixed_point 3548 png_product2(png_fixed_point a, png_fixed_point b) 3549 { 3550 /* The required result is 1/a * 1/b; the following preserves accuracy. */ 3551 #ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED 3552 double r = a * 1E-5; 3553 r *= b; 3554 r = floor(r+.5); 3555 3556 if (r <= 2147483647. && r >= -2147483648.) 3557 return (png_fixed_point)r; 3558 #else 3559 png_fixed_point res; 3560 3561 if (png_muldiv(&res, a, b, 100000) != 0) 3562 return res; 3563 #endif 3564 3565 return 0; /* overflow */ 3566 } 3567 #endif /* 16BIT */ 3568 3569 /* The inverse of the above. */ 3570 png_fixed_point 3571 png_reciprocal2(png_fixed_point a, png_fixed_point b) 3572 { 3573 /* The required result is 1/a * 1/b; the following preserves accuracy. */ 3574 #ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED 3575 if (a != 0 && b != 0) 3576 { 3577 double r = 1E15/a; 3578 r /= b; 3579 r = floor(r+.5); 3580 3581 if (r <= 2147483647. && r >= -2147483648.) 3582 return (png_fixed_point)r; 3583 } 3584 #else 3585 /* This may overflow because the range of png_fixed_point isn't symmetric, 3586 * but this API is only used for the product of file and screen gamma so it 3587 * doesn't matter that the smallest number it can produce is 1/21474, not 3588 * 1/100000 3589 */ 3590 png_fixed_point res = png_product2(a, b); 3591 3592 if (res != 0) 3593 return png_reciprocal(res); 3594 #endif 3595 3596 return 0; /* overflow */ 3597 } 3598 #endif /* READ_GAMMA */ 3599 3600 #ifdef PNG_READ_GAMMA_SUPPORTED /* gamma table code */ 3601 #ifndef PNG_FLOATING_ARITHMETIC_SUPPORTED 3602 /* Fixed point gamma. 3603 * 3604 * The code to calculate the tables used below can be found in the shell script 3605 * contrib/tools/intgamma.sh 3606 * 3607 * To calculate gamma this code implements fast log() and exp() calls using only 3608 * fixed point arithmetic. This code has sufficient precision for either 8-bit 3609 * or 16-bit sample values. 3610 * 3611 * The tables used here were calculated using simple 'bc' programs, but C double 3612 * precision floating point arithmetic would work fine. 3613 * 3614 * 8-bit log table 3615 * This is a table of -log(value/255)/log(2) for 'value' in the range 128 to 3616 * 255, so it's the base 2 logarithm of a normalized 8-bit floating point 3617 * mantissa. The numbers are 32-bit fractions. 3618 */ 3619 static const png_uint_32 3620 png_8bit_l2[128] = 3621 { 3622 4270715492U, 4222494797U, 4174646467U, 4127164793U, 4080044201U, 4033279239U, 3623 3986864580U, 3940795015U, 3895065449U, 3849670902U, 3804606499U, 3759867474U, 3624 3715449162U, 3671346997U, 3627556511U, 3584073329U, 3540893168U, 3498011834U, 3625 3455425220U, 3413129301U, 3371120137U, 3329393864U, 3287946700U, 3246774933U, 3626 3205874930U, 3165243125U, 3124876025U, 3084770202U, 3044922296U, 3005329011U, 3627 2965987113U, 2926893432U, 2888044853U, 2849438323U, 2811070844U, 2772939474U, 3628 2735041326U, 2697373562U, 2659933400U, 2622718104U, 2585724991U, 2548951424U, 3629 2512394810U, 2476052606U, 2439922311U, 2404001468U, 2368287663U, 2332778523U, 3630 2297471715U, 2262364947U, 2227455964U, 2192742551U, 2158222529U, 2123893754U, 3631 2089754119U, 2055801552U, 2022034013U, 1988449497U, 1955046031U, 1921821672U, 3632 1888774511U, 1855902668U, 1823204291U, 1790677560U, 1758320682U, 1726131893U, 3633 1694109454U, 1662251657U, 1630556815U, 1599023271U, 1567649391U, 1536433567U, 3634 1505374214U, 1474469770U, 1443718700U, 1413119487U, 1382670639U, 1352370686U, 3635 1322218179U, 1292211689U, 1262349810U, 1232631153U, 1203054352U, 1173618059U, 3636 1144320946U, 1115161701U, 1086139034U, 1057251672U, 1028498358U, 999877854U, 3637 971388940U, 943030410U, 914801076U, 886699767U, 858725327U, 830876614U, 3638 803152505U, 775551890U, 748073672U, 720716771U, 693480120U, 666362667U, 3639 639363374U, 612481215U, 585715177U, 559064263U, 532527486U, 506103872U, 3640 479792461U, 453592303U, 427502463U, 401522014U, 375650043U, 349885648U, 3641 324227938U, 298676034U, 273229066U, 247886176U, 222646516U, 197509248U, 3642 172473545U, 147538590U, 122703574U, 97967701U, 73330182U, 48790236U, 3643 24347096U, 0U 3644 3645 #if 0 3646 /* The following are the values for 16-bit tables - these work fine for the 3647 * 8-bit conversions but produce very slightly larger errors in the 16-bit 3648 * log (about 1.2 as opposed to 0.7 absolute error in the final value). To 3649 * use these all the shifts below must be adjusted appropriately. 3650 */ 3651 65166, 64430, 63700, 62976, 62257, 61543, 60835, 60132, 59434, 58741, 58054, 3652 57371, 56693, 56020, 55352, 54689, 54030, 53375, 52726, 52080, 51439, 50803, 3653 50170, 49542, 48918, 48298, 47682, 47070, 46462, 45858, 45257, 44661, 44068, 3654 43479, 42894, 42312, 41733, 41159, 40587, 40020, 39455, 38894, 38336, 37782, 3655 37230, 36682, 36137, 35595, 35057, 34521, 33988, 33459, 32932, 32408, 31887, 3656 31369, 30854, 30341, 29832, 29325, 28820, 28319, 27820, 27324, 26830, 26339, 3657 25850, 25364, 24880, 24399, 23920, 23444, 22970, 22499, 22029, 21562, 21098, 3658 20636, 20175, 19718, 19262, 18808, 18357, 17908, 17461, 17016, 16573, 16132, 3659 15694, 15257, 14822, 14390, 13959, 13530, 13103, 12678, 12255, 11834, 11415, 3660 10997, 10582, 10168, 9756, 9346, 8937, 8531, 8126, 7723, 7321, 6921, 6523, 3661 6127, 5732, 5339, 4947, 4557, 4169, 3782, 3397, 3014, 2632, 2251, 1872, 1495, 3662 1119, 744, 372 3663 #endif 3664 }; 3665 3666 static png_int_32 3667 png_log8bit(unsigned int x) 3668 { 3669 unsigned int lg2 = 0; 3670 /* Each time 'x' is multiplied by 2, 1 must be subtracted off the final log, 3671 * because the log is actually negate that means adding 1. The final 3672 * returned value thus has the range 0 (for 255 input) to 7.994 (for 1 3673 * input), return -1 for the overflow (log 0) case, - so the result is 3674 * always at most 19 bits. 3675 */ 3676 if ((x &= 0xff) == 0) 3677 return -1; 3678 3679 if ((x & 0xf0) == 0) 3680 lg2 = 4, x <<= 4; 3681 3682 if ((x & 0xc0) == 0) 3683 lg2 += 2, x <<= 2; 3684 3685 if ((x & 0x80) == 0) 3686 lg2 += 1, x <<= 1; 3687 3688 /* result is at most 19 bits, so this cast is safe: */ 3689 return (png_int_32)((lg2 << 16) + ((png_8bit_l2[x-128]+32768)>>16)); 3690 } 3691 3692 /* The above gives exact (to 16 binary places) log2 values for 8-bit images, 3693 * for 16-bit images we use the most significant 8 bits of the 16-bit value to 3694 * get an approximation then multiply the approximation by a correction factor 3695 * determined by the remaining up to 8 bits. This requires an additional step 3696 * in the 16-bit case. 3697 * 3698 * We want log2(value/65535), we have log2(v'/255), where: 3699 * 3700 * value = v' * 256 + v'' 3701 * = v' * f 3702 * 3703 * So f is value/v', which is equal to (256+v''/v') since v' is in the range 128 3704 * to 255 and v'' is in the range 0 to 255 f will be in the range 256 to less 3705 * than 258. The final factor also needs to correct for the fact that our 8-bit 3706 * value is scaled by 255, whereas the 16-bit values must be scaled by 65535. 3707 * 3708 * This gives a final formula using a calculated value 'x' which is value/v' and 3709 * scaling by 65536 to match the above table: 3710 * 3711 * log2(x/257) * 65536 3712 * 3713 * Since these numbers are so close to '1' we can use simple linear 3714 * interpolation between the two end values 256/257 (result -368.61) and 258/257 3715 * (result 367.179). The values used below are scaled by a further 64 to give 3716 * 16-bit precision in the interpolation: 3717 * 3718 * Start (256): -23591 3719 * Zero (257): 0 3720 * End (258): 23499 3721 */ 3722 #ifdef PNG_16BIT_SUPPORTED 3723 static png_int_32 3724 png_log16bit(png_uint_32 x) 3725 { 3726 unsigned int lg2 = 0; 3727 3728 /* As above, but now the input has 16 bits. */ 3729 if ((x &= 0xffff) == 0) 3730 return -1; 3731 3732 if ((x & 0xff00) == 0) 3733 lg2 = 8, x <<= 8; 3734 3735 if ((x & 0xf000) == 0) 3736 lg2 += 4, x <<= 4; 3737 3738 if ((x & 0xc000) == 0) 3739 lg2 += 2, x <<= 2; 3740 3741 if ((x & 0x8000) == 0) 3742 lg2 += 1, x <<= 1; 3743 3744 /* Calculate the base logarithm from the top 8 bits as a 28-bit fractional 3745 * value. 3746 */ 3747 lg2 <<= 28; 3748 lg2 += (png_8bit_l2[(x>>8)-128]+8) >> 4; 3749 3750 /* Now we need to interpolate the factor, this requires a division by the top 3751 * 8 bits. Do this with maximum precision. 3752 */ 3753 x = ((x << 16) + (x >> 9)) / (x >> 8); 3754 3755 /* Since we divided by the top 8 bits of 'x' there will be a '1' at 1<<24, 3756 * the value at 1<<16 (ignoring this) will be 0 or 1; this gives us exactly 3757 * 16 bits to interpolate to get the low bits of the result. Round the 3758 * answer. Note that the end point values are scaled by 64 to retain overall 3759 * precision and that 'lg2' is current scaled by an extra 12 bits, so adjust 3760 * the overall scaling by 6-12. Round at every step. 3761 */ 3762 x -= 1U << 24; 3763 3764 if (x <= 65536U) /* <= '257' */ 3765 lg2 += ((23591U * (65536U-x)) + (1U << (16+6-12-1))) >> (16+6-12); 3766 3767 else 3768 lg2 -= ((23499U * (x-65536U)) + (1U << (16+6-12-1))) >> (16+6-12); 3769 3770 /* Safe, because the result can't have more than 20 bits: */ 3771 return (png_int_32)((lg2 + 2048) >> 12); 3772 } 3773 #endif /* 16BIT */ 3774 3775 /* The 'exp()' case must invert the above, taking a 20-bit fixed point 3776 * logarithmic value and returning a 16 or 8-bit number as appropriate. In 3777 * each case only the low 16 bits are relevant - the fraction - since the 3778 * integer bits (the top 4) simply determine a shift. 3779 * 3780 * The worst case is the 16-bit distinction between 65535 and 65534. This 3781 * requires perhaps spurious accuracy in the decoding of the logarithm to 3782 * distinguish log2(65535/65534.5) - 10^-5 or 17 bits. There is little chance 3783 * of getting this accuracy in practice. 3784 * 3785 * To deal with this the following exp() function works out the exponent of the 3786 * fractional part of the logarithm by using an accurate 32-bit value from the 3787 * top four fractional bits then multiplying in the remaining bits. 3788 */ 3789 static const png_uint_32 3790 png_32bit_exp[16] = 3791 { 3792 /* NOTE: the first entry is deliberately set to the maximum 32-bit value. */ 3793 4294967295U, 4112874773U, 3938502376U, 3771522796U, 3611622603U, 3458501653U, 3794 3311872529U, 3171459999U, 3037000500U, 2908241642U, 2784941738U, 2666869345U, 3795 2553802834U, 2445529972U, 2341847524U, 2242560872U 3796 }; 3797 3798 /* Adjustment table; provided to explain the numbers in the code below. */ 3799 #if 0 3800 for (i=11;i>=0;--i){ print i, " ", (1 - e(-(2^i)/65536*l(2))) * 2^(32-i), "\n"} 3801 11 44937.64284865548751208448 3802 10 45180.98734845585101160448 3803 9 45303.31936980687359311872 3804 8 45364.65110595323018870784 3805 7 45395.35850361789624614912 3806 6 45410.72259715102037508096 3807 5 45418.40724413220722311168 3808 4 45422.25021786898173001728 3809 3 45424.17186732298419044352 3810 2 45425.13273269940811464704 3811 1 45425.61317555035558641664 3812 0 45425.85339951654943850496 3813 #endif 3814 3815 static png_uint_32 3816 png_exp(png_fixed_point x) 3817 { 3818 if (x > 0 && x <= 0xfffff) /* Else overflow or zero (underflow) */ 3819 { 3820 /* Obtain a 4-bit approximation */ 3821 png_uint_32 e = png_32bit_exp[(x >> 12) & 0x0f]; 3822 3823 /* Incorporate the low 12 bits - these decrease the returned value by 3824 * multiplying by a number less than 1 if the bit is set. The multiplier 3825 * is determined by the above table and the shift. Notice that the values 3826 * converge on 45426 and this is used to allow linear interpolation of the 3827 * low bits. 3828 */ 3829 if (x & 0x800) 3830 e -= (((e >> 16) * 44938U) + 16U) >> 5; 3831 3832 if (x & 0x400) 3833 e -= (((e >> 16) * 45181U) + 32U) >> 6; 3834 3835 if (x & 0x200) 3836 e -= (((e >> 16) * 45303U) + 64U) >> 7; 3837 3838 if (x & 0x100) 3839 e -= (((e >> 16) * 45365U) + 128U) >> 8; 3840 3841 if (x & 0x080) 3842 e -= (((e >> 16) * 45395U) + 256U) >> 9; 3843 3844 if (x & 0x040) 3845 e -= (((e >> 16) * 45410U) + 512U) >> 10; 3846 3847 /* And handle the low 6 bits in a single block. */ 3848 e -= (((e >> 16) * 355U * (x & 0x3fU)) + 256U) >> 9; 3849 3850 /* Handle the upper bits of x. */ 3851 e >>= x >> 16; 3852 return e; 3853 } 3854 3855 /* Check for overflow */ 3856 if (x <= 0) 3857 return png_32bit_exp[0]; 3858 3859 /* Else underflow */ 3860 return 0; 3861 } 3862 3863 static png_byte 3864 png_exp8bit(png_fixed_point lg2) 3865 { 3866 /* Get a 32-bit value: */ 3867 png_uint_32 x = png_exp(lg2); 3868 3869 /* Convert the 32-bit value to 0..255 by multiplying by 256-1. Note that the 3870 * second, rounding, step can't overflow because of the first, subtraction, 3871 * step. 3872 */ 3873 x -= x >> 8; 3874 return (png_byte)(((x + 0x7fffffU) >> 24) & 0xff); 3875 } 3876 3877 #ifdef PNG_16BIT_SUPPORTED 3878 static png_uint_16 3879 png_exp16bit(png_fixed_point lg2) 3880 { 3881 /* Get a 32-bit value: */ 3882 png_uint_32 x = png_exp(lg2); 3883 3884 /* Convert the 32-bit value to 0..65535 by multiplying by 65536-1: */ 3885 x -= x >> 16; 3886 return (png_uint_16)((x + 32767U) >> 16); 3887 } 3888 #endif /* 16BIT */ 3889 #endif /* FLOATING_ARITHMETIC */ 3890 3891 png_byte 3892 png_gamma_8bit_correct(unsigned int value, png_fixed_point gamma_val) 3893 { 3894 if (value > 0 && value < 255) 3895 { 3896 # ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED 3897 /* 'value' is unsigned, ANSI-C90 requires the compiler to correctly 3898 * convert this to a floating point value. This includes values that 3899 * would overflow if 'value' were to be converted to 'int'. 3900 * 3901 * Apparently GCC, however, does an intermediate conversion to (int) 3902 * on some (ARM) but not all (x86) platforms, possibly because of 3903 * hardware FP limitations. (E.g. if the hardware conversion always 3904 * assumes the integer register contains a signed value.) This results 3905 * in ANSI-C undefined behavior for large values. 3906 * 3907 * Other implementations on the same machine might actually be ANSI-C90 3908 * conformant and therefore compile spurious extra code for the large 3909 * values. 3910 * 3911 * We can be reasonably sure that an unsigned to float conversion 3912 * won't be faster than an int to float one. Therefore this code 3913 * assumes responsibility for the undefined behavior, which it knows 3914 * can't happen because of the check above. 3915 * 3916 * Note the argument to this routine is an (unsigned int) because, on 3917 * 16-bit platforms, it is assigned a value which might be out of 3918 * range for an (int); that would result in undefined behavior in the 3919 * caller if the *argument* ('value') were to be declared (int). 3920 */ 3921 double r = floor(255*pow((int)/*SAFE*/value/255.,gamma_val*.00001)+.5); 3922 return (png_byte)r; 3923 # else 3924 png_int_32 lg2 = png_log8bit(value); 3925 png_fixed_point res; 3926 3927 if (png_muldiv(&res, gamma_val, lg2, PNG_FP_1) != 0) 3928 return png_exp8bit(res); 3929 3930 /* Overflow. */ 3931 value = 0; 3932 # endif 3933 } 3934 3935 return (png_byte)(value & 0xff); 3936 } 3937 3938 #ifdef PNG_16BIT_SUPPORTED 3939 png_uint_16 3940 png_gamma_16bit_correct(unsigned int value, png_fixed_point gamma_val) 3941 { 3942 if (value > 0 && value < 65535) 3943 { 3944 # ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED 3945 /* The same (unsigned int)->(double) constraints apply here as above, 3946 * however in this case the (unsigned int) to (int) conversion can 3947 * overflow on an ANSI-C90 compliant system so the cast needs to ensure 3948 * that this is not possible. 3949 */ 3950 double r = floor(65535*pow((png_int_32)value/65535., 3951 gamma_val*.00001)+.5); 3952 return (png_uint_16)r; 3953 # else 3954 png_int_32 lg2 = png_log16bit(value); 3955 png_fixed_point res; 3956 3957 if (png_muldiv(&res, gamma_val, lg2, PNG_FP_1) != 0) 3958 return png_exp16bit(res); 3959 3960 /* Overflow. */ 3961 value = 0; 3962 # endif 3963 } 3964 3965 return (png_uint_16)value; 3966 } 3967 #endif /* 16BIT */ 3968 3969 /* This does the right thing based on the bit_depth field of the 3970 * png_struct, interpreting values as 8-bit or 16-bit. While the result 3971 * is nominally a 16-bit value if bit depth is 8 then the result is 3972 * 8-bit (as are the arguments.) 3973 */ 3974 png_uint_16 /* PRIVATE */ 3975 png_gamma_correct(png_structrp png_ptr, unsigned int value, 3976 png_fixed_point gamma_val) 3977 { 3978 if (png_ptr->bit_depth == 8) 3979 return png_gamma_8bit_correct(value, gamma_val); 3980 3981 #ifdef PNG_16BIT_SUPPORTED 3982 else 3983 return png_gamma_16bit_correct(value, gamma_val); 3984 #else 3985 /* should not reach this */ 3986 return 0; 3987 #endif /* 16BIT */ 3988 } 3989 3990 #ifdef PNG_16BIT_SUPPORTED 3991 /* Internal function to build a single 16-bit table - the table consists of 3992 * 'num' 256 entry subtables, where 'num' is determined by 'shift' - the amount 3993 * to shift the input values right (or 16-number_of_signifiant_bits). 3994 * 3995 * The caller is responsible for ensuring that the table gets cleaned up on 3996 * png_error (i.e. if one of the mallocs below fails) - i.e. the *table argument 3997 * should be somewhere that will be cleaned. 3998 */ 3999 static void 4000 png_build_16bit_table(png_structrp png_ptr, png_uint_16pp *ptable, 4001 unsigned int shift, png_fixed_point gamma_val) 4002 { 4003 /* Various values derived from 'shift': */ 4004 unsigned int num = 1U << (8U - shift); 4005 #ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED 4006 /* CSE the division and work round wacky GCC warnings (see the comments 4007 * in png_gamma_8bit_correct for where these come from.) 4008 */ 4009 double fmax = 1.0 / (((png_int_32)1 << (16U - shift)) - 1); 4010 #endif 4011 unsigned int max = (1U << (16U - shift)) - 1U; 4012 unsigned int max_by_2 = 1U << (15U - shift); 4013 unsigned int i; 4014 4015 png_uint_16pp table = *ptable = 4016 (png_uint_16pp)png_calloc(png_ptr, num * (sizeof (png_uint_16p))); 4017 4018 for (i = 0; i < num; i++) 4019 { 4020 png_uint_16p sub_table = table[i] = 4021 (png_uint_16p)png_malloc(png_ptr, 256 * (sizeof (png_uint_16))); 4022 4023 /* The 'threshold' test is repeated here because it can arise for one of 4024 * the 16-bit tables even if the others don't hit it. 4025 */ 4026 if (png_gamma_significant(gamma_val) != 0) 4027 { 4028 /* The old code would overflow at the end and this would cause the 4029 * 'pow' function to return a result >1, resulting in an 4030 * arithmetic error. This code follows the spec exactly; ig is 4031 * the recovered input sample, it always has 8-16 bits. 4032 * 4033 * We want input * 65535/max, rounded, the arithmetic fits in 32 4034 * bits (unsigned) so long as max <= 32767. 4035 */ 4036 unsigned int j; 4037 for (j = 0; j < 256; j++) 4038 { 4039 png_uint_32 ig = (j << (8-shift)) + i; 4040 # ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED 4041 /* Inline the 'max' scaling operation: */ 4042 /* See png_gamma_8bit_correct for why the cast to (int) is 4043 * required here. 4044 */ 4045 double d = floor(65535.*pow(ig*fmax, gamma_val*.00001)+.5); 4046 sub_table[j] = (png_uint_16)d; 4047 # else 4048 if (shift != 0) 4049 ig = (ig * 65535U + max_by_2)/max; 4050 4051 sub_table[j] = png_gamma_16bit_correct(ig, gamma_val); 4052 # endif 4053 } 4054 } 4055 else 4056 { 4057 /* We must still build a table, but do it the fast way. */ 4058 unsigned int j; 4059 4060 for (j = 0; j < 256; j++) 4061 { 4062 png_uint_32 ig = (j << (8-shift)) + i; 4063 4064 if (shift != 0) 4065 ig = (ig * 65535U + max_by_2)/max; 4066 4067 sub_table[j] = (png_uint_16)ig; 4068 } 4069 } 4070 } 4071 } 4072 4073 /* NOTE: this function expects the *inverse* of the overall gamma transformation 4074 * required. 4075 */ 4076 static void 4077 png_build_16to8_table(png_structrp png_ptr, png_uint_16pp *ptable, 4078 unsigned int shift, png_fixed_point gamma_val) 4079 { 4080 unsigned int num = 1U << (8U - shift); 4081 unsigned int max = (1U << (16U - shift))-1U; 4082 unsigned int i; 4083 png_uint_32 last; 4084 4085 png_uint_16pp table = *ptable = 4086 (png_uint_16pp)png_calloc(png_ptr, num * (sizeof (png_uint_16p))); 4087 4088 /* 'num' is the number of tables and also the number of low bits of low 4089 * bits of the input 16-bit value used to select a table. Each table is 4090 * itself indexed by the high 8 bits of the value. 4091 */ 4092 for (i = 0; i < num; i++) 4093 table[i] = (png_uint_16p)png_malloc(png_ptr, 4094 256 * (sizeof (png_uint_16))); 4095 4096 /* 'gamma_val' is set to the reciprocal of the value calculated above, so 4097 * pow(out,g) is an *input* value. 'last' is the last input value set. 4098 * 4099 * In the loop 'i' is used to find output values. Since the output is 4100 * 8-bit there are only 256 possible values. The tables are set up to 4101 * select the closest possible output value for each input by finding 4102 * the input value at the boundary between each pair of output values 4103 * and filling the table up to that boundary with the lower output 4104 * value. 4105 * 4106 * The boundary values are 0.5,1.5..253.5,254.5. Since these are 9-bit 4107 * values the code below uses a 16-bit value in i; the values start at 4108 * 128.5 (for 0.5) and step by 257, for a total of 254 values (the last 4109 * entries are filled with 255). Start i at 128 and fill all 'last' 4110 * table entries <= 'max' 4111 */ 4112 last = 0; 4113 for (i = 0; i < 255; ++i) /* 8-bit output value */ 4114 { 4115 /* Find the corresponding maximum input value */ 4116 png_uint_16 out = (png_uint_16)(i * 257U); /* 16-bit output value */ 4117 4118 /* Find the boundary value in 16 bits: */ 4119 png_uint_32 bound = png_gamma_16bit_correct(out+128U, gamma_val); 4120 4121 /* Adjust (round) to (16-shift) bits: */ 4122 bound = (bound * max + 32768U)/65535U + 1U; 4123 4124 while (last < bound) 4125 { 4126 table[last & (0xffU >> shift)][last >> (8U - shift)] = out; 4127 last++; 4128 } 4129 } 4130 4131 /* And fill in the final entries. */ 4132 while (last < (num << 8)) 4133 { 4134 table[last & (0xff >> shift)][last >> (8U - shift)] = 65535U; 4135 last++; 4136 } 4137 } 4138 #endif /* 16BIT */ 4139 4140 /* Build a single 8-bit table: same as the 16-bit case but much simpler (and 4141 * typically much faster). Note that libpng currently does no sBIT processing 4142 * (apparently contrary to the spec) so a 256-entry table is always generated. 4143 */ 4144 static void 4145 png_build_8bit_table(png_structrp png_ptr, png_bytepp ptable, 4146 png_fixed_point gamma_val) 4147 { 4148 unsigned int i; 4149 png_bytep table = *ptable = (png_bytep)png_malloc(png_ptr, 256); 4150 4151 if (png_gamma_significant(gamma_val) != 0) 4152 for (i=0; i<256; i++) 4153 table[i] = png_gamma_8bit_correct(i, gamma_val); 4154 4155 else 4156 for (i=0; i<256; ++i) 4157 table[i] = (png_byte)(i & 0xff); 4158 } 4159 4160 /* Used from png_read_destroy and below to release the memory used by the gamma 4161 * tables. 4162 */ 4163 void /* PRIVATE */ 4164 png_destroy_gamma_table(png_structrp png_ptr) 4165 { 4166 png_free(png_ptr, png_ptr->gamma_table); 4167 png_ptr->gamma_table = NULL; 4168 4169 #ifdef PNG_16BIT_SUPPORTED 4170 if (png_ptr->gamma_16_table != NULL) 4171 { 4172 int i; 4173 int istop = (1 << (8 - png_ptr->gamma_shift)); 4174 for (i = 0; i < istop; i++) 4175 { 4176 png_free(png_ptr, png_ptr->gamma_16_table[i]); 4177 } 4178 png_free(png_ptr, png_ptr->gamma_16_table); 4179 png_ptr->gamma_16_table = NULL; 4180 } 4181 #endif /* 16BIT */ 4182 4183 #if defined(PNG_READ_BACKGROUND_SUPPORTED) || \ 4184 defined(PNG_READ_ALPHA_MODE_SUPPORTED) || \ 4185 defined(PNG_READ_RGB_TO_GRAY_SUPPORTED) 4186 png_free(png_ptr, png_ptr->gamma_from_1); 4187 png_ptr->gamma_from_1 = NULL; 4188 png_free(png_ptr, png_ptr->gamma_to_1); 4189 png_ptr->gamma_to_1 = NULL; 4190 4191 #ifdef PNG_16BIT_SUPPORTED 4192 if (png_ptr->gamma_16_from_1 != NULL) 4193 { 4194 int i; 4195 int istop = (1 << (8 - png_ptr->gamma_shift)); 4196 for (i = 0; i < istop; i++) 4197 { 4198 png_free(png_ptr, png_ptr->gamma_16_from_1[i]); 4199 } 4200 png_free(png_ptr, png_ptr->gamma_16_from_1); 4201 png_ptr->gamma_16_from_1 = NULL; 4202 } 4203 if (png_ptr->gamma_16_to_1 != NULL) 4204 { 4205 int i; 4206 int istop = (1 << (8 - png_ptr->gamma_shift)); 4207 for (i = 0; i < istop; i++) 4208 { 4209 png_free(png_ptr, png_ptr->gamma_16_to_1[i]); 4210 } 4211 png_free(png_ptr, png_ptr->gamma_16_to_1); 4212 png_ptr->gamma_16_to_1 = NULL; 4213 } 4214 #endif /* 16BIT */ 4215 #endif /* READ_BACKGROUND || READ_ALPHA_MODE || RGB_TO_GRAY */ 4216 } 4217 4218 /* We build the 8- or 16-bit gamma tables here. Note that for 16-bit 4219 * tables, we don't make a full table if we are reducing to 8-bit in 4220 * the future. Note also how the gamma_16 tables are segmented so that 4221 * we don't need to allocate > 64K chunks for a full 16-bit table. 4222 */ 4223 void /* PRIVATE */ 4224 png_build_gamma_table(png_structrp png_ptr, int bit_depth) 4225 { 4226 png_debug(1, "in png_build_gamma_table"); 4227 4228 /* Remove any existing table; this copes with multiple calls to 4229 * png_read_update_info. The warning is because building the gamma tables 4230 * multiple times is a performance hit - it's harmless but the ability to 4231 * call png_read_update_info() multiple times is new in 1.5.6 so it seems 4232 * sensible to warn if the app introduces such a hit. 4233 */ 4234 if (png_ptr->gamma_table != NULL || png_ptr->gamma_16_table != NULL) 4235 { 4236 png_warning(png_ptr, "gamma table being rebuilt"); 4237 png_destroy_gamma_table(png_ptr); 4238 } 4239 4240 if (bit_depth <= 8) 4241 { 4242 png_build_8bit_table(png_ptr, &png_ptr->gamma_table, 4243 png_ptr->screen_gamma > 0 ? 4244 png_reciprocal2(png_ptr->colorspace.gamma, 4245 png_ptr->screen_gamma) : PNG_FP_1); 4246 4247 #if defined(PNG_READ_BACKGROUND_SUPPORTED) || \ 4248 defined(PNG_READ_ALPHA_MODE_SUPPORTED) || \ 4249 defined(PNG_READ_RGB_TO_GRAY_SUPPORTED) 4250 if ((png_ptr->transformations & (PNG_COMPOSE | PNG_RGB_TO_GRAY)) != 0) 4251 { 4252 png_build_8bit_table(png_ptr, &png_ptr->gamma_to_1, 4253 png_reciprocal(png_ptr->colorspace.gamma)); 4254 4255 png_build_8bit_table(png_ptr, &png_ptr->gamma_from_1, 4256 png_ptr->screen_gamma > 0 ? 4257 png_reciprocal(png_ptr->screen_gamma) : 4258 png_ptr->colorspace.gamma/* Probably doing rgb_to_gray */); 4259 } 4260 #endif /* READ_BACKGROUND || READ_ALPHA_MODE || RGB_TO_GRAY */ 4261 } 4262 #ifdef PNG_16BIT_SUPPORTED 4263 else 4264 { 4265 png_byte shift, sig_bit; 4266 4267 if ((png_ptr->color_type & PNG_COLOR_MASK_COLOR) != 0) 4268 { 4269 sig_bit = png_ptr->sig_bit.red; 4270 4271 if (png_ptr->sig_bit.green > sig_bit) 4272 sig_bit = png_ptr->sig_bit.green; 4273 4274 if (png_ptr->sig_bit.blue > sig_bit) 4275 sig_bit = png_ptr->sig_bit.blue; 4276 } 4277 else 4278 sig_bit = png_ptr->sig_bit.gray; 4279 4280 /* 16-bit gamma code uses this equation: 4281 * 4282 * ov = table[(iv & 0xff) >> gamma_shift][iv >> 8] 4283 * 4284 * Where 'iv' is the input color value and 'ov' is the output value - 4285 * pow(iv, gamma). 4286 * 4287 * Thus the gamma table consists of up to 256 256-entry tables. The table 4288 * is selected by the (8-gamma_shift) most significant of the low 8 bits 4289 * of the color value then indexed by the upper 8 bits: 4290 * 4291 * table[low bits][high 8 bits] 4292 * 4293 * So the table 'n' corresponds to all those 'iv' of: 4294 * 4295 * <all high 8-bit values><n << gamma_shift>..<(n+1 << gamma_shift)-1> 4296 * 4297 */ 4298 if (sig_bit > 0 && sig_bit < 16U) 4299 /* shift == insignificant bits */ 4300 shift = (png_byte)((16U - sig_bit) & 0xff); 4301 4302 else 4303 shift = 0; /* keep all 16 bits */ 4304 4305 if ((png_ptr->transformations & (PNG_16_TO_8 | PNG_SCALE_16_TO_8)) != 0) 4306 { 4307 /* PNG_MAX_GAMMA_8 is the number of bits to keep - effectively 4308 * the significant bits in the *input* when the output will 4309 * eventually be 8 bits. By default it is 11. 4310 */ 4311 if (shift < (16U - PNG_MAX_GAMMA_8)) 4312 shift = (16U - PNG_MAX_GAMMA_8); 4313 } 4314 4315 if (shift > 8U) 4316 shift = 8U; /* Guarantees at least one table! */ 4317 4318 png_ptr->gamma_shift = shift; 4319 4320 /* NOTE: prior to 1.5.4 this test used to include PNG_BACKGROUND (now 4321 * PNG_COMPOSE). This effectively smashed the background calculation for 4322 * 16-bit output because the 8-bit table assumes the result will be 4323 * reduced to 8 bits. 4324 */ 4325 if ((png_ptr->transformations & (PNG_16_TO_8 | PNG_SCALE_16_TO_8)) != 0) 4326 png_build_16to8_table(png_ptr, &png_ptr->gamma_16_table, shift, 4327 png_ptr->screen_gamma > 0 ? png_product2(png_ptr->colorspace.gamma, 4328 png_ptr->screen_gamma) : PNG_FP_1); 4329 4330 else 4331 png_build_16bit_table(png_ptr, &png_ptr->gamma_16_table, shift, 4332 png_ptr->screen_gamma > 0 ? png_reciprocal2(png_ptr->colorspace.gamma, 4333 png_ptr->screen_gamma) : PNG_FP_1); 4334 4335 #if defined(PNG_READ_BACKGROUND_SUPPORTED) || \ 4336 defined(PNG_READ_ALPHA_MODE_SUPPORTED) || \ 4337 defined(PNG_READ_RGB_TO_GRAY_SUPPORTED) 4338 if ((png_ptr->transformations & (PNG_COMPOSE | PNG_RGB_TO_GRAY)) != 0) 4339 { 4340 png_build_16bit_table(png_ptr, &png_ptr->gamma_16_to_1, shift, 4341 png_reciprocal(png_ptr->colorspace.gamma)); 4342 4343 /* Notice that the '16 from 1' table should be full precision, however 4344 * the lookup on this table still uses gamma_shift, so it can't be. 4345 * TODO: fix this. 4346 */ 4347 png_build_16bit_table(png_ptr, &png_ptr->gamma_16_from_1, shift, 4348 png_ptr->screen_gamma > 0 ? png_reciprocal(png_ptr->screen_gamma) : 4349 png_ptr->colorspace.gamma/* Probably doing rgb_to_gray */); 4350 } 4351 #endif /* READ_BACKGROUND || READ_ALPHA_MODE || RGB_TO_GRAY */ 4352 } 4353 #endif /* 16BIT */ 4354 } 4355 #endif /* READ_GAMMA */ 4356 4357 /* HARDWARE OR SOFTWARE OPTION SUPPORT */ 4358 #ifdef PNG_SET_OPTION_SUPPORTED 4359 int PNGAPI 4360 png_set_option(png_structrp png_ptr, int option, int onoff) 4361 { 4362 if (png_ptr != NULL && option >= 0 && option < PNG_OPTION_NEXT && 4363 (option & 1) == 0) 4364 { 4365 png_uint_32 mask = 3U << option; 4366 png_uint_32 setting = (2U + (onoff != 0)) << option; 4367 png_uint_32 current = png_ptr->options; 4368 4369 png_ptr->options = (png_uint_32)((current & ~mask) | setting); 4370 4371 return (int)(current & mask) >> option; 4372 } 4373 4374 return PNG_OPTION_INVALID; 4375 } 4376 #endif 4377 4378 /* sRGB support */ 4379 #if defined(PNG_SIMPLIFIED_READ_SUPPORTED) ||\ 4380 defined(PNG_SIMPLIFIED_WRITE_SUPPORTED) 4381 /* sRGB conversion tables; these are machine generated with the code in 4382 * contrib/tools/makesRGB.c. The actual sRGB transfer curve defined in the 4383 * specification (see the article at https://en.wikipedia.org/wiki/SRGB) 4384 * is used, not the gamma=1/2.2 approximation use elsewhere in libpng. 4385 * The sRGB to linear table is exact (to the nearest 16-bit linear fraction). 4386 * The inverse (linear to sRGB) table has accuracies as follows: 4387 * 4388 * For all possible (255*65535+1) input values: 4389 * 4390 * error: -0.515566 - 0.625971, 79441 (0.475369%) of readings inexact 4391 * 4392 * For the input values corresponding to the 65536 16-bit values: 4393 * 4394 * error: -0.513727 - 0.607759, 308 (0.469978%) of readings inexact 4395 * 4396 * In all cases the inexact readings are only off by one. 4397 */ 4398 4399 #ifdef PNG_SIMPLIFIED_READ_SUPPORTED 4400 /* The convert-to-sRGB table is only currently required for read. */ 4401 const png_uint_16 png_sRGB_table[256] = 4402 { 4403 0,20,40,60,80,99,119,139, 4404 159,179,199,219,241,264,288,313, 4405 340,367,396,427,458,491,526,562, 4406 599,637,677,718,761,805,851,898, 4407 947,997,1048,1101,1156,1212,1270,1330, 4408 1391,1453,1517,1583,1651,1720,1790,1863, 4409 1937,2013,2090,2170,2250,2333,2418,2504, 4410 2592,2681,2773,2866,2961,3058,3157,3258, 4411 3360,3464,3570,3678,3788,3900,4014,4129, 4412 4247,4366,4488,4611,4736,4864,4993,5124, 4413 5257,5392,5530,5669,5810,5953,6099,6246, 4414 6395,6547,6700,6856,7014,7174,7335,7500, 4415 7666,7834,8004,8177,8352,8528,8708,8889, 4416 9072,9258,9445,9635,9828,10022,10219,10417, 4417 10619,10822,11028,11235,11446,11658,11873,12090, 4418 12309,12530,12754,12980,13209,13440,13673,13909, 4419 14146,14387,14629,14874,15122,15371,15623,15878, 4420 16135,16394,16656,16920,17187,17456,17727,18001, 4421 18277,18556,18837,19121,19407,19696,19987,20281, 4422 20577,20876,21177,21481,21787,22096,22407,22721, 4423 23038,23357,23678,24002,24329,24658,24990,25325, 4424 25662,26001,26344,26688,27036,27386,27739,28094, 4425 28452,28813,29176,29542,29911,30282,30656,31033, 4426 31412,31794,32179,32567,32957,33350,33745,34143, 4427 34544,34948,35355,35764,36176,36591,37008,37429, 4428 37852,38278,38706,39138,39572,40009,40449,40891, 4429 41337,41785,42236,42690,43147,43606,44069,44534, 4430 45002,45473,45947,46423,46903,47385,47871,48359, 4431 48850,49344,49841,50341,50844,51349,51858,52369, 4432 52884,53401,53921,54445,54971,55500,56032,56567, 4433 57105,57646,58190,58737,59287,59840,60396,60955, 4434 61517,62082,62650,63221,63795,64372,64952,65535 4435 }; 4436 #endif /* SIMPLIFIED_READ */ 4437 4438 /* The base/delta tables are required for both read and write (but currently 4439 * only the simplified versions.) 4440 */ 4441 const png_uint_16 png_sRGB_base[512] = 4442 { 4443 128,1782,3383,4644,5675,6564,7357,8074, 4444 8732,9346,9921,10463,10977,11466,11935,12384, 4445 12816,13233,13634,14024,14402,14769,15125,15473, 4446 15812,16142,16466,16781,17090,17393,17690,17981, 4447 18266,18546,18822,19093,19359,19621,19879,20133, 4448 20383,20630,20873,21113,21349,21583,21813,22041, 4449 22265,22487,22707,22923,23138,23350,23559,23767, 4450 23972,24175,24376,24575,24772,24967,25160,25352, 4451 25542,25730,25916,26101,26284,26465,26645,26823, 4452 27000,27176,27350,27523,27695,27865,28034,28201, 4453 28368,28533,28697,28860,29021,29182,29341,29500, 4454 29657,29813,29969,30123,30276,30429,30580,30730, 4455 30880,31028,31176,31323,31469,31614,31758,31902, 4456 32045,32186,32327,32468,32607,32746,32884,33021, 4457 33158,33294,33429,33564,33697,33831,33963,34095, 4458 34226,34357,34486,34616,34744,34873,35000,35127, 4459 35253,35379,35504,35629,35753,35876,35999,36122, 4460 36244,36365,36486,36606,36726,36845,36964,37083, 4461 37201,37318,37435,37551,37668,37783,37898,38013, 4462 38127,38241,38354,38467,38580,38692,38803,38915, 4463 39026,39136,39246,39356,39465,39574,39682,39790, 4464 39898,40005,40112,40219,40325,40431,40537,40642, 4465 40747,40851,40955,41059,41163,41266,41369,41471, 4466 41573,41675,41777,41878,41979,42079,42179,42279, 4467 42379,42478,42577,42676,42775,42873,42971,43068, 4468 43165,43262,43359,43456,43552,43648,43743,43839, 4469 43934,44028,44123,44217,44311,44405,44499,44592, 4470 44685,44778,44870,44962,45054,45146,45238,45329, 4471 45420,45511,45601,45692,45782,45872,45961,46051, 4472 46140,46229,46318,46406,46494,46583,46670,46758, 4473 46846,46933,47020,47107,47193,47280,47366,47452, 4474 47538,47623,47709,47794,47879,47964,48048,48133, 4475 48217,48301,48385,48468,48552,48635,48718,48801, 4476 48884,48966,49048,49131,49213,49294,49376,49458, 4477 49539,49620,49701,49782,49862,49943,50023,50103, 4478 50183,50263,50342,50422,50501,50580,50659,50738, 4479 50816,50895,50973,51051,51129,51207,51285,51362, 4480 51439,51517,51594,51671,51747,51824,51900,51977, 4481 52053,52129,52205,52280,52356,52432,52507,52582, 4482 52657,52732,52807,52881,52956,53030,53104,53178, 4483 53252,53326,53400,53473,53546,53620,53693,53766, 4484 53839,53911,53984,54056,54129,54201,54273,54345, 4485 54417,54489,54560,54632,54703,54774,54845,54916, 4486 54987,55058,55129,55199,55269,55340,55410,55480, 4487 55550,55620,55689,55759,55828,55898,55967,56036, 4488 56105,56174,56243,56311,56380,56448,56517,56585, 4489 56653,56721,56789,56857,56924,56992,57059,57127, 4490 57194,57261,57328,57395,57462,57529,57595,57662, 4491 57728,57795,57861,57927,57993,58059,58125,58191, 4492 58256,58322,58387,58453,58518,58583,58648,58713, 4493 58778,58843,58908,58972,59037,59101,59165,59230, 4494 59294,59358,59422,59486,59549,59613,59677,59740, 4495 59804,59867,59930,59993,60056,60119,60182,60245, 4496 60308,60370,60433,60495,60558,60620,60682,60744, 4497 60806,60868,60930,60992,61054,61115,61177,61238, 4498 61300,61361,61422,61483,61544,61605,61666,61727, 4499 61788,61848,61909,61969,62030,62090,62150,62211, 4500 62271,62331,62391,62450,62510,62570,62630,62689, 4501 62749,62808,62867,62927,62986,63045,63104,63163, 4502 63222,63281,63340,63398,63457,63515,63574,63632, 4503 63691,63749,63807,63865,63923,63981,64039,64097, 4504 64155,64212,64270,64328,64385,64443,64500,64557, 4505 64614,64672,64729,64786,64843,64900,64956,65013, 4506 65070,65126,65183,65239,65296,65352,65409,65465 4507 }; 4508 4509 const png_byte png_sRGB_delta[512] = 4510 { 4511 207,201,158,129,113,100,90,82,77,72,68,64,61,59,56,54, 4512 52,50,49,47,46,45,43,42,41,40,39,39,38,37,36,36, 4513 35,34,34,33,33,32,32,31,31,30,30,30,29,29,28,28, 4514 28,27,27,27,27,26,26,26,25,25,25,25,24,24,24,24, 4515 23,23,23,23,23,22,22,22,22,22,22,21,21,21,21,21, 4516 21,20,20,20,20,20,20,20,20,19,19,19,19,19,19,19, 4517 19,18,18,18,18,18,18,18,18,18,18,17,17,17,17,17, 4518 17,17,17,17,17,17,16,16,16,16,16,16,16,16,16,16, 4519 16,16,16,16,15,15,15,15,15,15,15,15,15,15,15,15, 4520 15,15,15,15,14,14,14,14,14,14,14,14,14,14,14,14, 4521 14,14,14,14,14,14,14,13,13,13,13,13,13,13,13,13, 4522 13,13,13,13,13,13,13,13,13,13,13,13,13,13,12,12, 4523 12,12,12,12,12,12,12,12,12,12,12,12,12,12,12,12, 4524 12,12,12,12,12,12,12,12,12,12,12,12,11,11,11,11, 4525 11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11, 4526 11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11, 4527 11,10,10,10,10,10,10,10,10,10,10,10,10,10,10,10, 4528 10,10,10,10,10,10,10,10,10,10,10,10,10,10,10,10, 4529 10,10,10,10,10,10,10,10,10,10,10,10,10,10,10,10, 4530 10,9,9,9,9,9,9,9,9,9,9,9,9,9,9,9, 4531 9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,9, 4532 9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,9, 4533 9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,9, 4534 9,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8, 4535 8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8, 4536 8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8, 4537 8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8, 4538 8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8, 4539 8,8,8,8,8,8,8,8,8,7,7,7,7,7,7,7, 4540 7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,7, 4541 7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,7, 4542 7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,7 4543 }; 4544 #endif /* SIMPLIFIED READ/WRITE sRGB support */ 4545 4546 /* SIMPLIFIED READ/WRITE SUPPORT */ 4547 #if defined(PNG_SIMPLIFIED_READ_SUPPORTED) ||\ 4548 defined(PNG_SIMPLIFIED_WRITE_SUPPORTED) 4549 static int 4550 png_image_free_function(png_voidp argument) 4551 { 4552 png_imagep image = png_voidcast(png_imagep, argument); 4553 png_controlp cp = image->opaque; 4554 png_control c; 4555 4556 /* Double check that we have a png_ptr - it should be impossible to get here 4557 * without one. 4558 */ 4559 if (cp->png_ptr == NULL) 4560 return 0; 4561 4562 /* First free any data held in the control structure. */ 4563 # ifdef PNG_STDIO_SUPPORTED 4564 if (cp->owned_file != 0) 4565 { 4566 FILE *fp = png_voidcast(FILE*, cp->png_ptr->io_ptr); 4567 cp->owned_file = 0; 4568 4569 /* Ignore errors here. */ 4570 if (fp != NULL) 4571 { 4572 cp->png_ptr->io_ptr = NULL; 4573 (void)fclose(fp); 4574 } 4575 } 4576 # endif 4577 4578 /* Copy the control structure so that the original, allocated, version can be 4579 * safely freed. Notice that a png_error here stops the remainder of the 4580 * cleanup, but this is probably fine because that would indicate bad memory 4581 * problems anyway. 4582 */ 4583 c = *cp; 4584 image->opaque = &c; 4585 png_free(c.png_ptr, cp); 4586 4587 /* Then the structures, calling the correct API. */ 4588 if (c.for_write != 0) 4589 { 4590 # ifdef PNG_SIMPLIFIED_WRITE_SUPPORTED 4591 png_destroy_write_struct(&c.png_ptr, &c.info_ptr); 4592 # else 4593 png_error(c.png_ptr, "simplified write not supported"); 4594 # endif 4595 } 4596 else 4597 { 4598 # ifdef PNG_SIMPLIFIED_READ_SUPPORTED 4599 png_destroy_read_struct(&c.png_ptr, &c.info_ptr, NULL); 4600 # else 4601 png_error(c.png_ptr, "simplified read not supported"); 4602 # endif 4603 } 4604 4605 /* Success. */ 4606 return 1; 4607 } 4608 4609 void PNGAPI 4610 png_image_free(png_imagep image) 4611 { 4612 /* Safely call the real function, but only if doing so is safe at this point 4613 * (if not inside an error handling context). Otherwise assume 4614 * png_safe_execute will call this API after the return. 4615 */ 4616 if (image != NULL && image->opaque != NULL && 4617 image->opaque->error_buf == NULL) 4618 { 4619 png_image_free_function(image); 4620 image->opaque = NULL; 4621 } 4622 } 4623 4624 int /* PRIVATE */ 4625 png_image_error(png_imagep image, png_const_charp error_message) 4626 { 4627 /* Utility to log an error. */ 4628 png_safecat(image->message, (sizeof image->message), 0, error_message); 4629 image->warning_or_error |= PNG_IMAGE_ERROR; 4630 png_image_free(image); 4631 return 0; 4632 } 4633 4634 #endif /* SIMPLIFIED READ/WRITE */ 4635 #endif /* READ || WRITE */