1 /*
2 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
3 *
4 * This code is free software; you can redistribute it and/or modify it
5 * under the terms of the GNU General Public License version 2 only, as
6 * published by the Free Software Foundation. Oracle designates this
7 * particular file as subject to the "Classpath" exception as provided
8 * by Oracle in the LICENSE file that accompanied this code.
9 *
10 * This code is distributed in the hope that it will be useful, but WITHOUT
11 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
12 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * version 2 for more details (a copy is included in the LICENSE file that
14 * accompanied this code).
15 *
16 * You should have received a copy of the GNU General Public License version
17 * 2 along with this work; if not, write to the Free Software Foundation,
18 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
19 *
20 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
21 * or visit www.oracle.com if you need additional information or have any
22 * questions.
23 */
24
25 /* png.c - location for general purpose libpng functions
26 *
27 * This file is available under and governed by the GNU General Public
28 * License version 2 only, as published by the Free Software Foundation.
29 * However, the following notice accompanied the original version of this
30 * file and, per its terms, should not be removed:
31 *
32 * Copyright (c) 2018-2019 Cosmin Truta
33 * Copyright (c) 1998-2002,2004,2006-2018 Glenn Randers-Pehrson
34 * Copyright (c) 1996-1997 Andreas Dilger
35 * Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc.
36 *
37 * This code is released under the libpng license.
38 * For conditions of distribution and use, see the disclaimer
39 * and license in png.h
40 */
41
42 #include "pngpriv.h"
43
44 /* Generate a compiler error if there is an old png.h in the search path. */
45 typedef png_libpng_version_1_6_37 Your_png_h_is_not_version_1_6_37;
46
47 #ifdef __GNUC__
48 /* The version tests may need to be added to, but the problem warning has
49 * consistently been fixed in GCC versions which obtain wide-spread release.
50 * The problem is that many versions of GCC rearrange comparison expressions in
51 * the optimizer in such a way that the results of the comparison will change
52 * if signed integer overflow occurs. Such comparisons are not permitted in
53 * ANSI C90, however GCC isn't clever enough to work out that that do not occur
54 * below in png_ascii_from_fp and png_muldiv, so it produces a warning with
55 * -Wextra. Unfortunately this is highly dependent on the optimizer and the
56 * machine architecture so the warning comes and goes unpredictably and is
57 * impossible to "fix", even were that a good idea.
58 */
59 #if __GNUC__ == 7 && __GNUC_MINOR__ == 1
60 #define GCC_STRICT_OVERFLOW 1
61 #endif /* GNU 7.1.x */
62 #endif /* GNU */
63 #ifndef GCC_STRICT_OVERFLOW
64 #define GCC_STRICT_OVERFLOW 0
65 #endif
66
67 /* Tells libpng that we have already handled the first "num_bytes" bytes
68 * of the PNG file signature. If the PNG data is embedded into another
69 * stream we can set num_bytes = 8 so that libpng will not attempt to read
70 * or write any of the magic bytes before it starts on the IHDR.
71 */
72
73 #ifdef PNG_READ_SUPPORTED
74 void PNGAPI
75 png_set_sig_bytes(png_structrp png_ptr, int num_bytes)
76 {
77 unsigned int nb = (unsigned int)num_bytes;
78
79 png_debug(1, "in png_set_sig_bytes");
80
81 if (png_ptr == NULL)
82 return;
83
84 if (num_bytes < 0)
85 nb = 0;
86
87 if (nb > 8)
88 png_error(png_ptr, "Too many bytes for PNG signature");
89
90 png_ptr->sig_bytes = (png_byte)nb;
91 }
92
93 /* Checks whether the supplied bytes match the PNG signature. We allow
94 * checking less than the full 8-byte signature so that those apps that
95 * already read the first few bytes of a file to determine the file type
96 * can simply check the remaining bytes for extra assurance. Returns
97 * an integer less than, equal to, or greater than zero if sig is found,
98 * respectively, to be less than, to match, or be greater than the correct
99 * PNG signature (this is the same behavior as strcmp, memcmp, etc).
100 */
101 int PNGAPI
102 png_sig_cmp(png_const_bytep sig, size_t start, size_t num_to_check)
103 {
104 png_byte png_signature[8] = {137, 80, 78, 71, 13, 10, 26, 10};
105
106 if (num_to_check > 8)
107 num_to_check = 8;
108
109 else if (num_to_check < 1)
110 return (-1);
111
112 if (start > 7)
113 return (-1);
114
115 if (start + num_to_check > 8)
116 num_to_check = 8 - start;
117
118 return ((int)(memcmp(&sig[start], &png_signature[start], num_to_check)));
119 }
120
121 #endif /* READ */
122
123 #if defined(PNG_READ_SUPPORTED) || defined(PNG_WRITE_SUPPORTED)
124 /* Function to allocate memory for zlib */
125 PNG_FUNCTION(voidpf /* PRIVATE */,
126 png_zalloc,(voidpf png_ptr, uInt items, uInt size),PNG_ALLOCATED)
127 {
128 png_alloc_size_t num_bytes = size;
129
130 if (png_ptr == NULL)
131 return NULL;
132
133 if (items >= (~(png_alloc_size_t)0)/size)
134 {
135 png_warning (png_voidcast(png_structrp, png_ptr),
136 "Potential overflow in png_zalloc()");
137 return NULL;
138 }
139
140 num_bytes *= items;
141 return png_malloc_warn(png_voidcast(png_structrp, png_ptr), num_bytes);
142 }
143
144 /* Function to free memory for zlib */
145 void /* PRIVATE */
146 png_zfree(voidpf png_ptr, voidpf ptr)
147 {
148 png_free(png_voidcast(png_const_structrp,png_ptr), ptr);
149 }
150
151 /* Reset the CRC variable to 32 bits of 1's. Care must be taken
152 * in case CRC is > 32 bits to leave the top bits 0.
153 */
154 void /* PRIVATE */
155 png_reset_crc(png_structrp png_ptr)
156 {
157 /* The cast is safe because the crc is a 32-bit value. */
158 png_ptr->crc = (png_uint_32)crc32(0, Z_NULL, 0);
159 }
160
161 /* Calculate the CRC over a section of data. We can only pass as
162 * much data to this routine as the largest single buffer size. We
163 * also check that this data will actually be used before going to the
164 * trouble of calculating it.
165 */
166 void /* PRIVATE */
167 png_calculate_crc(png_structrp png_ptr, png_const_bytep ptr, size_t length)
168 {
169 int need_crc = 1;
170
171 if (PNG_CHUNK_ANCILLARY(png_ptr->chunk_name) != 0)
172 {
173 if ((png_ptr->flags & PNG_FLAG_CRC_ANCILLARY_MASK) ==
174 (PNG_FLAG_CRC_ANCILLARY_USE | PNG_FLAG_CRC_ANCILLARY_NOWARN))
175 need_crc = 0;
176 }
177
178 else /* critical */
179 {
180 if ((png_ptr->flags & PNG_FLAG_CRC_CRITICAL_IGNORE) != 0)
181 need_crc = 0;
182 }
183
184 /* 'uLong' is defined in zlib.h as unsigned long; this means that on some
185 * systems it is a 64-bit value. crc32, however, returns 32 bits so the
186 * following cast is safe. 'uInt' may be no more than 16 bits, so it is
187 * necessary to perform a loop here.
188 */
189 if (need_crc != 0 && length > 0)
190 {
191 uLong crc = png_ptr->crc; /* Should never issue a warning */
192
193 do
194 {
195 uInt safe_length = (uInt)length;
196 #ifndef __COVERITY__
197 if (safe_length == 0)
198 safe_length = (uInt)-1; /* evil, but safe */
199 #endif
200
201 crc = crc32(crc, ptr, safe_length);
202
203 /* The following should never issue compiler warnings; if they do the
204 * target system has characteristics that will probably violate other
205 * assumptions within the libpng code.
206 */
207 ptr += safe_length;
208 length -= safe_length;
209 }
210 while (length > 0);
211
212 /* And the following is always safe because the crc is only 32 bits. */
213 png_ptr->crc = (png_uint_32)crc;
214 }
215 }
216
217 /* Check a user supplied version number, called from both read and write
218 * functions that create a png_struct.
219 */
220 int
221 png_user_version_check(png_structrp png_ptr, png_const_charp user_png_ver)
222 {
223 /* Libpng versions 1.0.0 and later are binary compatible if the version
224 * string matches through the second '.'; we must recompile any
225 * applications that use any older library version.
226 */
227
228 if (user_png_ver != NULL)
229 {
230 int i = -1;
231 int found_dots = 0;
232
233 do
234 {
235 i++;
236 if (user_png_ver[i] != PNG_LIBPNG_VER_STRING[i])
237 png_ptr->flags |= PNG_FLAG_LIBRARY_MISMATCH;
238 if (user_png_ver[i] == '.')
239 found_dots++;
240 } while (found_dots < 2 && user_png_ver[i] != 0 &&
241 PNG_LIBPNG_VER_STRING[i] != 0);
242 }
243
244 else
245 png_ptr->flags |= PNG_FLAG_LIBRARY_MISMATCH;
246
247 if ((png_ptr->flags & PNG_FLAG_LIBRARY_MISMATCH) != 0)
248 {
249 #ifdef PNG_WARNINGS_SUPPORTED
250 size_t pos = 0;
251 char m[128];
252
253 pos = png_safecat(m, (sizeof m), pos,
254 "Application built with libpng-");
255 pos = png_safecat(m, (sizeof m), pos, user_png_ver);
256 pos = png_safecat(m, (sizeof m), pos, " but running with ");
257 pos = png_safecat(m, (sizeof m), pos, PNG_LIBPNG_VER_STRING);
258 PNG_UNUSED(pos)
259
260 png_warning(png_ptr, m);
261 #endif
262
263 #ifdef PNG_ERROR_NUMBERS_SUPPORTED
264 png_ptr->flags = 0;
265 #endif
266
267 return 0;
268 }
269
270 /* Success return. */
271 return 1;
272 }
273
274 /* Generic function to create a png_struct for either read or write - this
275 * contains the common initialization.
276 */
277 PNG_FUNCTION(png_structp /* PRIVATE */,
278 png_create_png_struct,(png_const_charp user_png_ver, png_voidp error_ptr,
279 png_error_ptr error_fn, png_error_ptr warn_fn, png_voidp mem_ptr,
280 png_malloc_ptr malloc_fn, png_free_ptr free_fn),PNG_ALLOCATED)
281 {
282 png_struct create_struct;
283 # ifdef PNG_SETJMP_SUPPORTED
284 jmp_buf create_jmp_buf;
285 # endif
286
287 /* This temporary stack-allocated structure is used to provide a place to
288 * build enough context to allow the user provided memory allocator (if any)
289 * to be called.
290 */
291 memset(&create_struct, 0, (sizeof create_struct));
292
293 /* Added at libpng-1.2.6 */
294 # ifdef PNG_USER_LIMITS_SUPPORTED
295 create_struct.user_width_max = PNG_USER_WIDTH_MAX;
296 create_struct.user_height_max = PNG_USER_HEIGHT_MAX;
297
298 # ifdef PNG_USER_CHUNK_CACHE_MAX
299 /* Added at libpng-1.2.43 and 1.4.0 */
300 create_struct.user_chunk_cache_max = PNG_USER_CHUNK_CACHE_MAX;
301 # endif
302
303 # ifdef PNG_USER_CHUNK_MALLOC_MAX
304 /* Added at libpng-1.2.43 and 1.4.1, required only for read but exists
305 * in png_struct regardless.
306 */
307 create_struct.user_chunk_malloc_max = PNG_USER_CHUNK_MALLOC_MAX;
308 # endif
309 # endif
310
311 /* The following two API calls simply set fields in png_struct, so it is safe
312 * to do them now even though error handling is not yet set up.
313 */
314 # ifdef PNG_USER_MEM_SUPPORTED
315 png_set_mem_fn(&create_struct, mem_ptr, malloc_fn, free_fn);
316 # else
317 PNG_UNUSED(mem_ptr)
318 PNG_UNUSED(malloc_fn)
319 PNG_UNUSED(free_fn)
320 # endif
321
322 /* (*error_fn) can return control to the caller after the error_ptr is set,
323 * this will result in a memory leak unless the error_fn does something
324 * extremely sophisticated. The design lacks merit but is implicit in the
325 * API.
326 */
327 png_set_error_fn(&create_struct, error_ptr, error_fn, warn_fn);
328
329 # ifdef PNG_SETJMP_SUPPORTED
330 if (!setjmp(create_jmp_buf))
331 # endif
332 {
333 # ifdef PNG_SETJMP_SUPPORTED
334 /* Temporarily fake out the longjmp information until we have
335 * successfully completed this function. This only works if we have
336 * setjmp() support compiled in, but it is safe - this stuff should
337 * never happen.
338 */
339 create_struct.jmp_buf_ptr = &create_jmp_buf;
340 create_struct.jmp_buf_size = 0; /*stack allocation*/
341 create_struct.longjmp_fn = longjmp;
342 # endif
343 /* Call the general version checker (shared with read and write code):
344 */
345 if (png_user_version_check(&create_struct, user_png_ver) != 0)
346 {
347 png_structrp png_ptr = png_voidcast(png_structrp,
348 png_malloc_warn(&create_struct, (sizeof *png_ptr)));
349
350 if (png_ptr != NULL)
351 {
352 /* png_ptr->zstream holds a back-pointer to the png_struct, so
353 * this can only be done now:
354 */
355 create_struct.zstream.zalloc = png_zalloc;
356 create_struct.zstream.zfree = png_zfree;
357 create_struct.zstream.opaque = png_ptr;
358
359 # ifdef PNG_SETJMP_SUPPORTED
360 /* Eliminate the local error handling: */
361 create_struct.jmp_buf_ptr = NULL;
362 create_struct.jmp_buf_size = 0;
363 create_struct.longjmp_fn = 0;
364 # endif
365
366 *png_ptr = create_struct;
367
368 /* This is the successful return point */
369 return png_ptr;
370 }
371 }
372 }
373
374 /* A longjmp because of a bug in the application storage allocator or a
375 * simple failure to allocate the png_struct.
376 */
377 return NULL;
378 }
379
380 /* Allocate the memory for an info_struct for the application. */
381 PNG_FUNCTION(png_infop,PNGAPI
382 png_create_info_struct,(png_const_structrp png_ptr),PNG_ALLOCATED)
383 {
384 png_inforp info_ptr;
385
386 png_debug(1, "in png_create_info_struct");
387
388 if (png_ptr == NULL)
389 return NULL;
390
391 /* Use the internal API that does not (or at least should not) error out, so
392 * that this call always returns ok. The application typically sets up the
393 * error handling *after* creating the info_struct because this is the way it
394 * has always been done in 'example.c'.
395 */
396 info_ptr = png_voidcast(png_inforp, png_malloc_base(png_ptr,
397 (sizeof *info_ptr)));
398
399 if (info_ptr != NULL)
400 memset(info_ptr, 0, (sizeof *info_ptr));
401
402 return info_ptr;
403 }
404
405 /* This function frees the memory associated with a single info struct.
406 * Normally, one would use either png_destroy_read_struct() or
407 * png_destroy_write_struct() to free an info struct, but this may be
408 * useful for some applications. From libpng 1.6.0 this function is also used
409 * internally to implement the png_info release part of the 'struct' destroy
410 * APIs. This ensures that all possible approaches free the same data (all of
411 * it).
412 */
413 void PNGAPI
414 png_destroy_info_struct(png_const_structrp png_ptr, png_infopp info_ptr_ptr)
415 {
416 png_inforp info_ptr = NULL;
417
418 png_debug(1, "in png_destroy_info_struct");
419
420 if (png_ptr == NULL)
421 return;
422
423 if (info_ptr_ptr != NULL)
424 info_ptr = *info_ptr_ptr;
425
426 if (info_ptr != NULL)
427 {
428 /* Do this first in case of an error below; if the app implements its own
429 * memory management this can lead to png_free calling png_error, which
430 * will abort this routine and return control to the app error handler.
431 * An infinite loop may result if it then tries to free the same info
432 * ptr.
433 */
434 *info_ptr_ptr = NULL;
435
436 png_free_data(png_ptr, info_ptr, PNG_FREE_ALL, -1);
437 memset(info_ptr, 0, (sizeof *info_ptr));
438 png_free(png_ptr, info_ptr);
439 }
440 }
441
442 /* Initialize the info structure. This is now an internal function (0.89)
443 * and applications using it are urged to use png_create_info_struct()
444 * instead. Use deprecated in 1.6.0, internal use removed (used internally it
445 * is just a memset).
446 *
447 * NOTE: it is almost inconceivable that this API is used because it bypasses
448 * the user-memory mechanism and the user error handling/warning mechanisms in
449 * those cases where it does anything other than a memset.
450 */
451 PNG_FUNCTION(void,PNGAPI
452 png_info_init_3,(png_infopp ptr_ptr, size_t png_info_struct_size),
453 PNG_DEPRECATED)
454 {
455 png_inforp info_ptr = *ptr_ptr;
456
457 png_debug(1, "in png_info_init_3");
458
459 if (info_ptr == NULL)
460 return;
461
462 if ((sizeof (png_info)) > png_info_struct_size)
463 {
464 *ptr_ptr = NULL;
465 /* The following line is why this API should not be used: */
466 free(info_ptr);
467 info_ptr = png_voidcast(png_inforp, png_malloc_base(NULL,
468 (sizeof *info_ptr)));
469 if (info_ptr == NULL)
470 return;
471 *ptr_ptr = info_ptr;
472 }
473
474 /* Set everything to 0 */
475 memset(info_ptr, 0, (sizeof *info_ptr));
476 }
477
478 /* The following API is not called internally */
479 void PNGAPI
480 png_data_freer(png_const_structrp png_ptr, png_inforp info_ptr,
481 int freer, png_uint_32 mask)
482 {
483 png_debug(1, "in png_data_freer");
484
485 if (png_ptr == NULL || info_ptr == NULL)
486 return;
487
488 if (freer == PNG_DESTROY_WILL_FREE_DATA)
489 info_ptr->free_me |= mask;
490
491 else if (freer == PNG_USER_WILL_FREE_DATA)
492 info_ptr->free_me &= ~mask;
493
494 else
495 png_error(png_ptr, "Unknown freer parameter in png_data_freer");
496 }
497
498 void PNGAPI
499 png_free_data(png_const_structrp png_ptr, png_inforp info_ptr, png_uint_32 mask,
500 int num)
501 {
502 png_debug(1, "in png_free_data");
503
504 if (png_ptr == NULL || info_ptr == NULL)
505 return;
506
507 #ifdef PNG_TEXT_SUPPORTED
508 /* Free text item num or (if num == -1) all text items */
509 if (info_ptr->text != NULL &&
510 ((mask & PNG_FREE_TEXT) & info_ptr->free_me) != 0)
511 {
512 if (num != -1)
513 {
514 png_free(png_ptr, info_ptr->text[num].key);
515 info_ptr->text[num].key = NULL;
516 }
517
518 else
519 {
520 int i;
521
522 for (i = 0; i < info_ptr->num_text; i++)
523 png_free(png_ptr, info_ptr->text[i].key);
524
525 png_free(png_ptr, info_ptr->text);
526 info_ptr->text = NULL;
527 info_ptr->num_text = 0;
528 info_ptr->max_text = 0;
529 }
530 }
531 #endif
532
533 #ifdef PNG_tRNS_SUPPORTED
534 /* Free any tRNS entry */
535 if (((mask & PNG_FREE_TRNS) & info_ptr->free_me) != 0)
536 {
537 info_ptr->valid &= ~PNG_INFO_tRNS;
538 png_free(png_ptr, info_ptr->trans_alpha);
539 info_ptr->trans_alpha = NULL;
540 info_ptr->num_trans = 0;
541 }
542 #endif
543
544 #ifdef PNG_sCAL_SUPPORTED
545 /* Free any sCAL entry */
546 if (((mask & PNG_FREE_SCAL) & info_ptr->free_me) != 0)
547 {
548 png_free(png_ptr, info_ptr->scal_s_width);
549 png_free(png_ptr, info_ptr->scal_s_height);
550 info_ptr->scal_s_width = NULL;
551 info_ptr->scal_s_height = NULL;
552 info_ptr->valid &= ~PNG_INFO_sCAL;
553 }
554 #endif
555
556 #ifdef PNG_pCAL_SUPPORTED
557 /* Free any pCAL entry */
558 if (((mask & PNG_FREE_PCAL) & info_ptr->free_me) != 0)
559 {
560 png_free(png_ptr, info_ptr->pcal_purpose);
561 png_free(png_ptr, info_ptr->pcal_units);
562 info_ptr->pcal_purpose = NULL;
563 info_ptr->pcal_units = NULL;
564
565 if (info_ptr->pcal_params != NULL)
566 {
567 int i;
568
569 for (i = 0; i < info_ptr->pcal_nparams; i++)
570 png_free(png_ptr, info_ptr->pcal_params[i]);
571
572 png_free(png_ptr, info_ptr->pcal_params);
573 info_ptr->pcal_params = NULL;
574 }
575 info_ptr->valid &= ~PNG_INFO_pCAL;
576 }
577 #endif
578
579 #ifdef PNG_iCCP_SUPPORTED
580 /* Free any profile entry */
581 if (((mask & PNG_FREE_ICCP) & info_ptr->free_me) != 0)
582 {
583 png_free(png_ptr, info_ptr->iccp_name);
584 png_free(png_ptr, info_ptr->iccp_profile);
585 info_ptr->iccp_name = NULL;
586 info_ptr->iccp_profile = NULL;
587 info_ptr->valid &= ~PNG_INFO_iCCP;
588 }
589 #endif
590
591 #ifdef PNG_sPLT_SUPPORTED
592 /* Free a given sPLT entry, or (if num == -1) all sPLT entries */
593 if (info_ptr->splt_palettes != NULL &&
594 ((mask & PNG_FREE_SPLT) & info_ptr->free_me) != 0)
595 {
596 if (num != -1)
597 {
598 png_free(png_ptr, info_ptr->splt_palettes[num].name);
599 png_free(png_ptr, info_ptr->splt_palettes[num].entries);
600 info_ptr->splt_palettes[num].name = NULL;
601 info_ptr->splt_palettes[num].entries = NULL;
602 }
603
604 else
605 {
606 int i;
607
608 for (i = 0; i < info_ptr->splt_palettes_num; i++)
609 {
610 png_free(png_ptr, info_ptr->splt_palettes[i].name);
611 png_free(png_ptr, info_ptr->splt_palettes[i].entries);
612 }
613
614 png_free(png_ptr, info_ptr->splt_palettes);
615 info_ptr->splt_palettes = NULL;
616 info_ptr->splt_palettes_num = 0;
617 info_ptr->valid &= ~PNG_INFO_sPLT;
618 }
619 }
620 #endif
621
622 #ifdef PNG_STORE_UNKNOWN_CHUNKS_SUPPORTED
623 if (info_ptr->unknown_chunks != NULL &&
624 ((mask & PNG_FREE_UNKN) & info_ptr->free_me) != 0)
625 {
626 if (num != -1)
627 {
628 png_free(png_ptr, info_ptr->unknown_chunks[num].data);
629 info_ptr->unknown_chunks[num].data = NULL;
630 }
631
632 else
633 {
634 int i;
635
636 for (i = 0; i < info_ptr->unknown_chunks_num; i++)
637 png_free(png_ptr, info_ptr->unknown_chunks[i].data);
638
639 png_free(png_ptr, info_ptr->unknown_chunks);
640 info_ptr->unknown_chunks = NULL;
641 info_ptr->unknown_chunks_num = 0;
642 }
643 }
644 #endif
645
646 #ifdef PNG_eXIf_SUPPORTED
647 /* Free any eXIf entry */
648 if (((mask & PNG_FREE_EXIF) & info_ptr->free_me) != 0)
649 {
650 # ifdef PNG_READ_eXIf_SUPPORTED
651 if (info_ptr->eXIf_buf)
652 {
653 png_free(png_ptr, info_ptr->eXIf_buf);
654 info_ptr->eXIf_buf = NULL;
655 }
656 # endif
657 if (info_ptr->exif)
658 {
659 png_free(png_ptr, info_ptr->exif);
660 info_ptr->exif = NULL;
661 }
662 info_ptr->valid &= ~PNG_INFO_eXIf;
663 }
664 #endif
665
666 #ifdef PNG_hIST_SUPPORTED
667 /* Free any hIST entry */
668 if (((mask & PNG_FREE_HIST) & info_ptr->free_me) != 0)
669 {
670 png_free(png_ptr, info_ptr->hist);
671 info_ptr->hist = NULL;
672 info_ptr->valid &= ~PNG_INFO_hIST;
673 }
674 #endif
675
676 /* Free any PLTE entry that was internally allocated */
677 if (((mask & PNG_FREE_PLTE) & info_ptr->free_me) != 0)
678 {
679 png_free(png_ptr, info_ptr->palette);
680 info_ptr->palette = NULL;
681 info_ptr->valid &= ~PNG_INFO_PLTE;
682 info_ptr->num_palette = 0;
683 }
684
685 #ifdef PNG_INFO_IMAGE_SUPPORTED
686 /* Free any image bits attached to the info structure */
687 if (((mask & PNG_FREE_ROWS) & info_ptr->free_me) != 0)
688 {
689 if (info_ptr->row_pointers != NULL)
690 {
691 png_uint_32 row;
692 for (row = 0; row < info_ptr->height; row++)
693 png_free(png_ptr, info_ptr->row_pointers[row]);
694
695 png_free(png_ptr, info_ptr->row_pointers);
696 info_ptr->row_pointers = NULL;
697 }
698 info_ptr->valid &= ~PNG_INFO_IDAT;
699 }
700 #endif
701
702 if (num != -1)
703 mask &= ~PNG_FREE_MUL;
704
705 info_ptr->free_me &= ~mask;
706 }
707 #endif /* READ || WRITE */
708
709 /* This function returns a pointer to the io_ptr associated with the user
710 * functions. The application should free any memory associated with this
711 * pointer before png_write_destroy() or png_read_destroy() are called.
712 */
713 png_voidp PNGAPI
714 png_get_io_ptr(png_const_structrp png_ptr)
715 {
716 if (png_ptr == NULL)
717 return (NULL);
718
719 return (png_ptr->io_ptr);
720 }
721
722 #if defined(PNG_READ_SUPPORTED) || defined(PNG_WRITE_SUPPORTED)
723 # ifdef PNG_STDIO_SUPPORTED
724 /* Initialize the default input/output functions for the PNG file. If you
725 * use your own read or write routines, you can call either png_set_read_fn()
726 * or png_set_write_fn() instead of png_init_io(). If you have defined
727 * PNG_NO_STDIO or otherwise disabled PNG_STDIO_SUPPORTED, you must use a
728 * function of your own because "FILE *" isn't necessarily available.
729 */
730 void PNGAPI
731 png_init_io(png_structrp png_ptr, png_FILE_p fp)
732 {
733 png_debug(1, "in png_init_io");
734
735 if (png_ptr == NULL)
736 return;
737
738 png_ptr->io_ptr = (png_voidp)fp;
739 }
740 # endif
741
742 # ifdef PNG_SAVE_INT_32_SUPPORTED
743 /* PNG signed integers are saved in 32-bit 2's complement format. ANSI C-90
744 * defines a cast of a signed integer to an unsigned integer either to preserve
745 * the value, if it is positive, or to calculate:
746 *
747 * (UNSIGNED_MAX+1) + integer
748 *
749 * Where UNSIGNED_MAX is the appropriate maximum unsigned value, so when the
750 * negative integral value is added the result will be an unsigned value
751 * correspnding to the 2's complement representation.
752 */
753 void PNGAPI
754 png_save_int_32(png_bytep buf, png_int_32 i)
755 {
756 png_save_uint_32(buf, (png_uint_32)i);
757 }
758 # endif
759
760 # ifdef PNG_TIME_RFC1123_SUPPORTED
761 /* Convert the supplied time into an RFC 1123 string suitable for use in
762 * a "Creation Time" or other text-based time string.
763 */
764 int PNGAPI
765 png_convert_to_rfc1123_buffer(char out[29], png_const_timep ptime)
766 {
767 static const char short_months[12][4] =
768 {"Jan", "Feb", "Mar", "Apr", "May", "Jun",
769 "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"};
770
771 if (out == NULL)
772 return 0;
773
774 if (ptime->year > 9999 /* RFC1123 limitation */ ||
775 ptime->month == 0 || ptime->month > 12 ||
776 ptime->day == 0 || ptime->day > 31 ||
777 ptime->hour > 23 || ptime->minute > 59 ||
778 ptime->second > 60)
779 return 0;
780
781 {
782 size_t pos = 0;
783 char number_buf[5]; /* enough for a four-digit year */
784
785 # define APPEND_STRING(string) pos = png_safecat(out, 29, pos, (string))
786 # define APPEND_NUMBER(format, value)\
787 APPEND_STRING(PNG_FORMAT_NUMBER(number_buf, format, (value)))
788 # define APPEND(ch) if (pos < 28) out[pos++] = (ch)
789
790 APPEND_NUMBER(PNG_NUMBER_FORMAT_u, (unsigned)ptime->day);
791 APPEND(' ');
792 APPEND_STRING(short_months[(ptime->month - 1)]);
793 APPEND(' ');
794 APPEND_NUMBER(PNG_NUMBER_FORMAT_u, ptime->year);
795 APPEND(' ');
796 APPEND_NUMBER(PNG_NUMBER_FORMAT_02u, (unsigned)ptime->hour);
797 APPEND(':');
798 APPEND_NUMBER(PNG_NUMBER_FORMAT_02u, (unsigned)ptime->minute);
799 APPEND(':');
800 APPEND_NUMBER(PNG_NUMBER_FORMAT_02u, (unsigned)ptime->second);
801 APPEND_STRING(" +0000"); /* This reliably terminates the buffer */
802 PNG_UNUSED (pos)
803
804 # undef APPEND
805 # undef APPEND_NUMBER
806 # undef APPEND_STRING
807 }
808
809 return 1;
810 }
811
812 # if PNG_LIBPNG_VER < 10700
813 /* To do: remove the following from libpng-1.7 */
814 /* Original API that uses a private buffer in png_struct.
815 * Deprecated because it causes png_struct to carry a spurious temporary
816 * buffer (png_struct::time_buffer), better to have the caller pass this in.
817 */
818 png_const_charp PNGAPI
819 png_convert_to_rfc1123(png_structrp png_ptr, png_const_timep ptime)
820 {
821 if (png_ptr != NULL)
822 {
823 /* The only failure above if png_ptr != NULL is from an invalid ptime */
824 if (png_convert_to_rfc1123_buffer(png_ptr->time_buffer, ptime) == 0)
825 png_warning(png_ptr, "Ignoring invalid time value");
826
827 else
828 return png_ptr->time_buffer;
829 }
830
831 return NULL;
832 }
833 # endif /* LIBPNG_VER < 10700 */
834 # endif /* TIME_RFC1123 */
835
836 #endif /* READ || WRITE */
837
838 png_const_charp PNGAPI
839 png_get_copyright(png_const_structrp png_ptr)
840 {
841 PNG_UNUSED(png_ptr) /* Silence compiler warning about unused png_ptr */
842 #ifdef PNG_STRING_COPYRIGHT
843 return PNG_STRING_COPYRIGHT
844 #else
845 return PNG_STRING_NEWLINE \
846 "libpng version 1.6.37" PNG_STRING_NEWLINE \
847 "Copyright (c) 2018-2019 Cosmin Truta" PNG_STRING_NEWLINE \
848 "Copyright (c) 1998-2002,2004,2006-2018 Glenn Randers-Pehrson" \
849 PNG_STRING_NEWLINE \
850 "Copyright (c) 1996-1997 Andreas Dilger" PNG_STRING_NEWLINE \
851 "Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc." \
852 PNG_STRING_NEWLINE;
853 #endif
854 }
855
856 /* The following return the library version as a short string in the
857 * format 1.0.0 through 99.99.99zz. To get the version of *.h files
858 * used with your application, print out PNG_LIBPNG_VER_STRING, which
859 * is defined in png.h.
860 * Note: now there is no difference between png_get_libpng_ver() and
861 * png_get_header_ver(). Due to the version_nn_nn_nn typedef guard,
862 * it is guaranteed that png.c uses the correct version of png.h.
863 */
864 png_const_charp PNGAPI
865 png_get_libpng_ver(png_const_structrp png_ptr)
866 {
867 /* Version of *.c files used when building libpng */
868 return png_get_header_ver(png_ptr);
869 }
870
871 png_const_charp PNGAPI
872 png_get_header_ver(png_const_structrp png_ptr)
873 {
874 /* Version of *.h files used when building libpng */
875 PNG_UNUSED(png_ptr) /* Silence compiler warning about unused png_ptr */
876 return PNG_LIBPNG_VER_STRING;
877 }
878
879 png_const_charp PNGAPI
880 png_get_header_version(png_const_structrp png_ptr)
881 {
882 /* Returns longer string containing both version and date */
883 PNG_UNUSED(png_ptr) /* Silence compiler warning about unused png_ptr */
884 #ifdef __STDC__
885 return PNG_HEADER_VERSION_STRING
886 # ifndef PNG_READ_SUPPORTED
887 " (NO READ SUPPORT)"
888 # endif
889 PNG_STRING_NEWLINE;
890 #else
891 return PNG_HEADER_VERSION_STRING;
892 #endif
893 }
894
895 #ifdef PNG_BUILD_GRAYSCALE_PALETTE_SUPPORTED
896 /* NOTE: this routine is not used internally! */
897 /* Build a grayscale palette. Palette is assumed to be 1 << bit_depth
898 * large of png_color. This lets grayscale images be treated as
899 * paletted. Most useful for gamma correction and simplification
900 * of code. This API is not used internally.
901 */
902 void PNGAPI
903 png_build_grayscale_palette(int bit_depth, png_colorp palette)
904 {
905 int num_palette;
906 int color_inc;
907 int i;
908 int v;
909
910 png_debug(1, "in png_do_build_grayscale_palette");
911
912 if (palette == NULL)
913 return;
914
915 switch (bit_depth)
916 {
917 case 1:
918 num_palette = 2;
919 color_inc = 0xff;
920 break;
921
922 case 2:
923 num_palette = 4;
924 color_inc = 0x55;
925 break;
926
927 case 4:
928 num_palette = 16;
929 color_inc = 0x11;
930 break;
931
932 case 8:
933 num_palette = 256;
934 color_inc = 1;
935 break;
936
937 default:
938 num_palette = 0;
939 color_inc = 0;
940 break;
941 }
942
943 for (i = 0, v = 0; i < num_palette; i++, v += color_inc)
944 {
945 palette[i].red = (png_byte)(v & 0xff);
946 palette[i].green = (png_byte)(v & 0xff);
947 palette[i].blue = (png_byte)(v & 0xff);
948 }
949 }
950 #endif
951
952 #ifdef PNG_SET_UNKNOWN_CHUNKS_SUPPORTED
953 int PNGAPI
954 png_handle_as_unknown(png_const_structrp png_ptr, png_const_bytep chunk_name)
955 {
956 /* Check chunk_name and return "keep" value if it's on the list, else 0 */
957 png_const_bytep p, p_end;
958
959 if (png_ptr == NULL || chunk_name == NULL || png_ptr->num_chunk_list == 0)
960 return PNG_HANDLE_CHUNK_AS_DEFAULT;
961
962 p_end = png_ptr->chunk_list;
963 p = p_end + png_ptr->num_chunk_list*5; /* beyond end */
964
965 /* The code is the fifth byte after each four byte string. Historically this
966 * code was always searched from the end of the list, this is no longer
967 * necessary because the 'set' routine handles duplicate entries correctly.
968 */
969 do /* num_chunk_list > 0, so at least one */
970 {
971 p -= 5;
972
973 if (memcmp(chunk_name, p, 4) == 0)
974 return p[4];
975 }
976 while (p > p_end);
977
978 /* This means that known chunks should be processed and unknown chunks should
979 * be handled according to the value of png_ptr->unknown_default; this can be
980 * confusing because, as a result, there are two levels of defaulting for
981 * unknown chunks.
982 */
983 return PNG_HANDLE_CHUNK_AS_DEFAULT;
984 }
985
986 #if defined(PNG_READ_UNKNOWN_CHUNKS_SUPPORTED) ||\
987 defined(PNG_HANDLE_AS_UNKNOWN_SUPPORTED)
988 int /* PRIVATE */
989 png_chunk_unknown_handling(png_const_structrp png_ptr, png_uint_32 chunk_name)
990 {
991 png_byte chunk_string[5];
992
993 PNG_CSTRING_FROM_CHUNK(chunk_string, chunk_name);
994 return png_handle_as_unknown(png_ptr, chunk_string);
995 }
996 #endif /* READ_UNKNOWN_CHUNKS || HANDLE_AS_UNKNOWN */
997 #endif /* SET_UNKNOWN_CHUNKS */
998
999 #ifdef PNG_READ_SUPPORTED
1000 /* This function, added to libpng-1.0.6g, is untested. */
1001 int PNGAPI
1002 png_reset_zstream(png_structrp png_ptr)
1003 {
1004 if (png_ptr == NULL)
1005 return Z_STREAM_ERROR;
1006
1007 /* WARNING: this resets the window bits to the maximum! */
1008 return (inflateReset(&png_ptr->zstream));
1009 }
1010 #endif /* READ */
1011
1012 /* This function was added to libpng-1.0.7 */
1013 png_uint_32 PNGAPI
1014 png_access_version_number(void)
1015 {
1016 /* Version of *.c files used when building libpng */
1017 return((png_uint_32)PNG_LIBPNG_VER);
1018 }
1019
1020 #if defined(PNG_READ_SUPPORTED) || defined(PNG_WRITE_SUPPORTED)
1021 /* Ensure that png_ptr->zstream.msg holds some appropriate error message string.
1022 * If it doesn't 'ret' is used to set it to something appropriate, even in cases
1023 * like Z_OK or Z_STREAM_END where the error code is apparently a success code.
1024 */
1025 void /* PRIVATE */
1026 png_zstream_error(png_structrp png_ptr, int ret)
1027 {
1028 /* Translate 'ret' into an appropriate error string, priority is given to the
1029 * one in zstream if set. This always returns a string, even in cases like
1030 * Z_OK or Z_STREAM_END where the error code is a success code.
1031 */
1032 if (png_ptr->zstream.msg == NULL) switch (ret)
1033 {
1034 default:
1035 case Z_OK:
1036 png_ptr->zstream.msg = PNGZ_MSG_CAST("unexpected zlib return code");
1037 break;
1038
1039 case Z_STREAM_END:
1040 /* Normal exit */
1041 png_ptr->zstream.msg = PNGZ_MSG_CAST("unexpected end of LZ stream");
1042 break;
1043
1044 case Z_NEED_DICT:
1045 /* This means the deflate stream did not have a dictionary; this
1046 * indicates a bogus PNG.
1047 */
1048 png_ptr->zstream.msg = PNGZ_MSG_CAST("missing LZ dictionary");
1049 break;
1050
1051 case Z_ERRNO:
1052 /* gz APIs only: should not happen */
1053 png_ptr->zstream.msg = PNGZ_MSG_CAST("zlib IO error");
1054 break;
1055
1056 case Z_STREAM_ERROR:
1057 /* internal libpng error */
1058 png_ptr->zstream.msg = PNGZ_MSG_CAST("bad parameters to zlib");
1059 break;
1060
1061 case Z_DATA_ERROR:
1062 png_ptr->zstream.msg = PNGZ_MSG_CAST("damaged LZ stream");
1063 break;
1064
1065 case Z_MEM_ERROR:
1066 png_ptr->zstream.msg = PNGZ_MSG_CAST("insufficient memory");
1067 break;
1068
1069 case Z_BUF_ERROR:
1070 /* End of input or output; not a problem if the caller is doing
1071 * incremental read or write.
1072 */
1073 png_ptr->zstream.msg = PNGZ_MSG_CAST("truncated");
1074 break;
1075
1076 case Z_VERSION_ERROR:
1077 png_ptr->zstream.msg = PNGZ_MSG_CAST("unsupported zlib version");
1078 break;
1079
1080 case PNG_UNEXPECTED_ZLIB_RETURN:
1081 /* Compile errors here mean that zlib now uses the value co-opted in
1082 * pngpriv.h for PNG_UNEXPECTED_ZLIB_RETURN; update the switch above
1083 * and change pngpriv.h. Note that this message is "... return",
1084 * whereas the default/Z_OK one is "... return code".
1085 */
1086 png_ptr->zstream.msg = PNGZ_MSG_CAST("unexpected zlib return");
1087 break;
1088 }
1089 }
1090
1091 /* png_convert_size: a PNGAPI but no longer in png.h, so deleted
1092 * at libpng 1.5.5!
1093 */
1094
1095 /* Added at libpng version 1.2.34 and 1.4.0 (moved from pngset.c) */
1096 #ifdef PNG_GAMMA_SUPPORTED /* always set if COLORSPACE */
1097 static int
1098 png_colorspace_check_gamma(png_const_structrp png_ptr,
1099 png_colorspacerp colorspace, png_fixed_point gAMA, int from)
1100 /* This is called to check a new gamma value against an existing one. The
1101 * routine returns false if the new gamma value should not be written.
1102 *
1103 * 'from' says where the new gamma value comes from:
1104 *
1105 * 0: the new gamma value is the libpng estimate for an ICC profile
1106 * 1: the new gamma value comes from a gAMA chunk
1107 * 2: the new gamma value comes from an sRGB chunk
1108 */
1109 {
1110 png_fixed_point gtest;
1111
1112 if ((colorspace->flags & PNG_COLORSPACE_HAVE_GAMMA) != 0 &&
1113 (png_muldiv(>est, colorspace->gamma, PNG_FP_1, gAMA) == 0 ||
1114 png_gamma_significant(gtest) != 0))
1115 {
1116 /* Either this is an sRGB image, in which case the calculated gamma
1117 * approximation should match, or this is an image with a profile and the
1118 * value libpng calculates for the gamma of the profile does not match the
1119 * value recorded in the file. The former, sRGB, case is an error, the
1120 * latter is just a warning.
1121 */
1122 if ((colorspace->flags & PNG_COLORSPACE_FROM_sRGB) != 0 || from == 2)
1123 {
1124 png_chunk_report(png_ptr, "gamma value does not match sRGB",
1125 PNG_CHUNK_ERROR);
1126 /* Do not overwrite an sRGB value */
1127 return from == 2;
1128 }
1129
1130 else /* sRGB tag not involved */
1131 {
1132 png_chunk_report(png_ptr, "gamma value does not match libpng estimate",
1133 PNG_CHUNK_WARNING);
1134 return from == 1;
1135 }
1136 }
1137
1138 return 1;
1139 }
1140
1141 void /* PRIVATE */
1142 png_colorspace_set_gamma(png_const_structrp png_ptr,
1143 png_colorspacerp colorspace, png_fixed_point gAMA)
1144 {
1145 /* Changed in libpng-1.5.4 to limit the values to ensure overflow can't
1146 * occur. Since the fixed point representation is asymmetrical it is
1147 * possible for 1/gamma to overflow the limit of 21474 and this means the
1148 * gamma value must be at least 5/100000 and hence at most 20000.0. For
1149 * safety the limits here are a little narrower. The values are 0.00016 to
1150 * 6250.0, which are truly ridiculous gamma values (and will produce
1151 * displays that are all black or all white.)
1152 *
1153 * In 1.6.0 this test replaces the ones in pngrutil.c, in the gAMA chunk
1154 * handling code, which only required the value to be >0.
1155 */
1156 png_const_charp errmsg;
1157
1158 if (gAMA < 16 || gAMA > 625000000)
1159 errmsg = "gamma value out of range";
1160
1161 # ifdef PNG_READ_gAMA_SUPPORTED
1162 /* Allow the application to set the gamma value more than once */
1163 else if ((png_ptr->mode & PNG_IS_READ_STRUCT) != 0 &&
1164 (colorspace->flags & PNG_COLORSPACE_FROM_gAMA) != 0)
1165 errmsg = "duplicate";
1166 # endif
1167
1168 /* Do nothing if the colorspace is already invalid */
1169 else if ((colorspace->flags & PNG_COLORSPACE_INVALID) != 0)
1170 return;
1171
1172 else
1173 {
1174 if (png_colorspace_check_gamma(png_ptr, colorspace, gAMA,
1175 1/*from gAMA*/) != 0)
1176 {
1177 /* Store this gamma value. */
1178 colorspace->gamma = gAMA;
1179 colorspace->flags |=
1180 (PNG_COLORSPACE_HAVE_GAMMA | PNG_COLORSPACE_FROM_gAMA);
1181 }
1182
1183 /* At present if the check_gamma test fails the gamma of the colorspace is
1184 * not updated however the colorspace is not invalidated. This
1185 * corresponds to the case where the existing gamma comes from an sRGB
1186 * chunk or profile. An error message has already been output.
1187 */
1188 return;
1189 }
1190
1191 /* Error exit - errmsg has been set. */
1192 colorspace->flags |= PNG_COLORSPACE_INVALID;
1193 png_chunk_report(png_ptr, errmsg, PNG_CHUNK_WRITE_ERROR);
1194 }
1195
1196 void /* PRIVATE */
1197 png_colorspace_sync_info(png_const_structrp png_ptr, png_inforp info_ptr)
1198 {
1199 if ((info_ptr->colorspace.flags & PNG_COLORSPACE_INVALID) != 0)
1200 {
1201 /* Everything is invalid */
1202 info_ptr->valid &= ~(PNG_INFO_gAMA|PNG_INFO_cHRM|PNG_INFO_sRGB|
1203 PNG_INFO_iCCP);
1204
1205 # ifdef PNG_COLORSPACE_SUPPORTED
1206 /* Clean up the iCCP profile now if it won't be used. */
1207 png_free_data(png_ptr, info_ptr, PNG_FREE_ICCP, -1/*not used*/);
1208 # else
1209 PNG_UNUSED(png_ptr)
1210 # endif
1211 }
1212
1213 else
1214 {
1215 # ifdef PNG_COLORSPACE_SUPPORTED
1216 /* Leave the INFO_iCCP flag set if the pngset.c code has already set
1217 * it; this allows a PNG to contain a profile which matches sRGB and
1218 * yet still have that profile retrievable by the application.
1219 */
1220 if ((info_ptr->colorspace.flags & PNG_COLORSPACE_MATCHES_sRGB) != 0)
1221 info_ptr->valid |= PNG_INFO_sRGB;
1222
1223 else
1224 info_ptr->valid &= ~PNG_INFO_sRGB;
1225
1226 if ((info_ptr->colorspace.flags & PNG_COLORSPACE_HAVE_ENDPOINTS) != 0)
1227 info_ptr->valid |= PNG_INFO_cHRM;
1228
1229 else
1230 info_ptr->valid &= ~PNG_INFO_cHRM;
1231 # endif
1232
1233 if ((info_ptr->colorspace.flags & PNG_COLORSPACE_HAVE_GAMMA) != 0)
1234 info_ptr->valid |= PNG_INFO_gAMA;
1235
1236 else
1237 info_ptr->valid &= ~PNG_INFO_gAMA;
1238 }
1239 }
1240
1241 #ifdef PNG_READ_SUPPORTED
1242 void /* PRIVATE */
1243 png_colorspace_sync(png_const_structrp png_ptr, png_inforp info_ptr)
1244 {
1245 if (info_ptr == NULL) /* reduce code size; check here not in the caller */
1246 return;
1247
1248 info_ptr->colorspace = png_ptr->colorspace;
1249 png_colorspace_sync_info(png_ptr, info_ptr);
1250 }
1251 #endif
1252 #endif /* GAMMA */
1253
1254 #ifdef PNG_COLORSPACE_SUPPORTED
1255 /* Added at libpng-1.5.5 to support read and write of true CIEXYZ values for
1256 * cHRM, as opposed to using chromaticities. These internal APIs return
1257 * non-zero on a parameter error. The X, Y and Z values are required to be
1258 * positive and less than 1.0.
1259 */
1260 static int
1261 png_xy_from_XYZ(png_xy *xy, const png_XYZ *XYZ)
1262 {
1263 png_int_32 d, dwhite, whiteX, whiteY;
1264
1265 d = XYZ->red_X + XYZ->red_Y + XYZ->red_Z;
1266 if (png_muldiv(&xy->redx, XYZ->red_X, PNG_FP_1, d) == 0)
1267 return 1;
1268 if (png_muldiv(&xy->redy, XYZ->red_Y, PNG_FP_1, d) == 0)
1269 return 1;
1270 dwhite = d;
1271 whiteX = XYZ->red_X;
1272 whiteY = XYZ->red_Y;
1273
1274 d = XYZ->green_X + XYZ->green_Y + XYZ->green_Z;
1275 if (png_muldiv(&xy->greenx, XYZ->green_X, PNG_FP_1, d) == 0)
1276 return 1;
1277 if (png_muldiv(&xy->greeny, XYZ->green_Y, PNG_FP_1, d) == 0)
1278 return 1;
1279 dwhite += d;
1280 whiteX += XYZ->green_X;
1281 whiteY += XYZ->green_Y;
1282
1283 d = XYZ->blue_X + XYZ->blue_Y + XYZ->blue_Z;
1284 if (png_muldiv(&xy->bluex, XYZ->blue_X, PNG_FP_1, d) == 0)
1285 return 1;
1286 if (png_muldiv(&xy->bluey, XYZ->blue_Y, PNG_FP_1, d) == 0)
1287 return 1;
1288 dwhite += d;
1289 whiteX += XYZ->blue_X;
1290 whiteY += XYZ->blue_Y;
1291
1292 /* The reference white is simply the sum of the end-point (X,Y,Z) vectors,
1293 * thus:
1294 */
1295 if (png_muldiv(&xy->whitex, whiteX, PNG_FP_1, dwhite) == 0)
1296 return 1;
1297 if (png_muldiv(&xy->whitey, whiteY, PNG_FP_1, dwhite) == 0)
1298 return 1;
1299
1300 return 0;
1301 }
1302
1303 static int
1304 png_XYZ_from_xy(png_XYZ *XYZ, const png_xy *xy)
1305 {
1306 png_fixed_point red_inverse, green_inverse, blue_scale;
1307 png_fixed_point left, right, denominator;
1308
1309 /* Check xy and, implicitly, z. Note that wide gamut color spaces typically
1310 * have end points with 0 tristimulus values (these are impossible end
1311 * points, but they are used to cover the possible colors). We check
1312 * xy->whitey against 5, not 0, to avoid a possible integer overflow.
1313 */
1314 if (xy->redx < 0 || xy->redx > PNG_FP_1) return 1;
1315 if (xy->redy < 0 || xy->redy > PNG_FP_1-xy->redx) return 1;
1316 if (xy->greenx < 0 || xy->greenx > PNG_FP_1) return 1;
1317 if (xy->greeny < 0 || xy->greeny > PNG_FP_1-xy->greenx) return 1;
1318 if (xy->bluex < 0 || xy->bluex > PNG_FP_1) return 1;
1319 if (xy->bluey < 0 || xy->bluey > PNG_FP_1-xy->bluex) return 1;
1320 if (xy->whitex < 0 || xy->whitex > PNG_FP_1) return 1;
1321 if (xy->whitey < 5 || xy->whitey > PNG_FP_1-xy->whitex) return 1;
1322
1323 /* The reverse calculation is more difficult because the original tristimulus
1324 * value had 9 independent values (red,green,blue)x(X,Y,Z) however only 8
1325 * derived values were recorded in the cHRM chunk;
1326 * (red,green,blue,white)x(x,y). This loses one degree of freedom and
1327 * therefore an arbitrary ninth value has to be introduced to undo the
1328 * original transformations.
1329 *
1330 * Think of the original end-points as points in (X,Y,Z) space. The
1331 * chromaticity values (c) have the property:
1332 *
1333 * C
1334 * c = ---------
1335 * X + Y + Z
1336 *
1337 * For each c (x,y,z) from the corresponding original C (X,Y,Z). Thus the
1338 * three chromaticity values (x,y,z) for each end-point obey the
1339 * relationship:
1340 *
1341 * x + y + z = 1
1342 *
1343 * This describes the plane in (X,Y,Z) space that intersects each axis at the
1344 * value 1.0; call this the chromaticity plane. Thus the chromaticity
1345 * calculation has scaled each end-point so that it is on the x+y+z=1 plane
1346 * and chromaticity is the intersection of the vector from the origin to the
1347 * (X,Y,Z) value with the chromaticity plane.
1348 *
1349 * To fully invert the chromaticity calculation we would need the three
1350 * end-point scale factors, (red-scale, green-scale, blue-scale), but these
1351 * were not recorded. Instead we calculated the reference white (X,Y,Z) and
1352 * recorded the chromaticity of this. The reference white (X,Y,Z) would have
1353 * given all three of the scale factors since:
1354 *
1355 * color-C = color-c * color-scale
1356 * white-C = red-C + green-C + blue-C
1357 * = red-c*red-scale + green-c*green-scale + blue-c*blue-scale
1358 *
1359 * But cHRM records only white-x and white-y, so we have lost the white scale
1360 * factor:
1361 *
1362 * white-C = white-c*white-scale
1363 *
1364 * To handle this the inverse transformation makes an arbitrary assumption
1365 * about white-scale:
1366 *
1367 * Assume: white-Y = 1.0
1368 * Hence: white-scale = 1/white-y
1369 * Or: red-Y + green-Y + blue-Y = 1.0
1370 *
1371 * Notice the last statement of the assumption gives an equation in three of
1372 * the nine values we want to calculate. 8 more equations come from the
1373 * above routine as summarised at the top above (the chromaticity
1374 * calculation):
1375 *
1376 * Given: color-x = color-X / (color-X + color-Y + color-Z)
1377 * Hence: (color-x - 1)*color-X + color.x*color-Y + color.x*color-Z = 0
1378 *
1379 * This is 9 simultaneous equations in the 9 variables "color-C" and can be
1380 * solved by Cramer's rule. Cramer's rule requires calculating 10 9x9 matrix
1381 * determinants, however this is not as bad as it seems because only 28 of
1382 * the total of 90 terms in the various matrices are non-zero. Nevertheless
1383 * Cramer's rule is notoriously numerically unstable because the determinant
1384 * calculation involves the difference of large, but similar, numbers. It is
1385 * difficult to be sure that the calculation is stable for real world values
1386 * and it is certain that it becomes unstable where the end points are close
1387 * together.
1388 *
1389 * So this code uses the perhaps slightly less optimal but more
1390 * understandable and totally obvious approach of calculating color-scale.
1391 *
1392 * This algorithm depends on the precision in white-scale and that is
1393 * (1/white-y), so we can immediately see that as white-y approaches 0 the
1394 * accuracy inherent in the cHRM chunk drops off substantially.
1395 *
1396 * libpng arithmetic: a simple inversion of the above equations
1397 * ------------------------------------------------------------
1398 *
1399 * white_scale = 1/white-y
1400 * white-X = white-x * white-scale
1401 * white-Y = 1.0
1402 * white-Z = (1 - white-x - white-y) * white_scale
1403 *
1404 * white-C = red-C + green-C + blue-C
1405 * = red-c*red-scale + green-c*green-scale + blue-c*blue-scale
1406 *
1407 * This gives us three equations in (red-scale,green-scale,blue-scale) where
1408 * all the coefficients are now known:
1409 *
1410 * red-x*red-scale + green-x*green-scale + blue-x*blue-scale
1411 * = white-x/white-y
1412 * red-y*red-scale + green-y*green-scale + blue-y*blue-scale = 1
1413 * red-z*red-scale + green-z*green-scale + blue-z*blue-scale
1414 * = (1 - white-x - white-y)/white-y
1415 *
1416 * In the last equation color-z is (1 - color-x - color-y) so we can add all
1417 * three equations together to get an alternative third:
1418 *
1419 * red-scale + green-scale + blue-scale = 1/white-y = white-scale
1420 *
1421 * So now we have a Cramer's rule solution where the determinants are just
1422 * 3x3 - far more tractible. Unfortunately 3x3 determinants still involve
1423 * multiplication of three coefficients so we can't guarantee to avoid
1424 * overflow in the libpng fixed point representation. Using Cramer's rule in
1425 * floating point is probably a good choice here, but it's not an option for
1426 * fixed point. Instead proceed to simplify the first two equations by
1427 * eliminating what is likely to be the largest value, blue-scale:
1428 *
1429 * blue-scale = white-scale - red-scale - green-scale
1430 *
1431 * Hence:
1432 *
1433 * (red-x - blue-x)*red-scale + (green-x - blue-x)*green-scale =
1434 * (white-x - blue-x)*white-scale
1435 *
1436 * (red-y - blue-y)*red-scale + (green-y - blue-y)*green-scale =
1437 * 1 - blue-y*white-scale
1438 *
1439 * And now we can trivially solve for (red-scale,green-scale):
1440 *
1441 * green-scale =
1442 * (white-x - blue-x)*white-scale - (red-x - blue-x)*red-scale
1443 * -----------------------------------------------------------
1444 * green-x - blue-x
1445 *
1446 * red-scale =
1447 * 1 - blue-y*white-scale - (green-y - blue-y) * green-scale
1448 * ---------------------------------------------------------
1449 * red-y - blue-y
1450 *
1451 * Hence:
1452 *
1453 * red-scale =
1454 * ( (green-x - blue-x) * (white-y - blue-y) -
1455 * (green-y - blue-y) * (white-x - blue-x) ) / white-y
1456 * -------------------------------------------------------------------------
1457 * (green-x - blue-x)*(red-y - blue-y)-(green-y - blue-y)*(red-x - blue-x)
1458 *
1459 * green-scale =
1460 * ( (red-y - blue-y) * (white-x - blue-x) -
1461 * (red-x - blue-x) * (white-y - blue-y) ) / white-y
1462 * -------------------------------------------------------------------------
1463 * (green-x - blue-x)*(red-y - blue-y)-(green-y - blue-y)*(red-x - blue-x)
1464 *
1465 * Accuracy:
1466 * The input values have 5 decimal digits of accuracy. The values are all in
1467 * the range 0 < value < 1, so simple products are in the same range but may
1468 * need up to 10 decimal digits to preserve the original precision and avoid
1469 * underflow. Because we are using a 32-bit signed representation we cannot
1470 * match this; the best is a little over 9 decimal digits, less than 10.
1471 *
1472 * The approach used here is to preserve the maximum precision within the
1473 * signed representation. Because the red-scale calculation above uses the
1474 * difference between two products of values that must be in the range -1..+1
1475 * it is sufficient to divide the product by 7; ceil(100,000/32767*2). The
1476 * factor is irrelevant in the calculation because it is applied to both
1477 * numerator and denominator.
1478 *
1479 * Note that the values of the differences of the products of the
1480 * chromaticities in the above equations tend to be small, for example for
1481 * the sRGB chromaticities they are:
1482 *
1483 * red numerator: -0.04751
1484 * green numerator: -0.08788
1485 * denominator: -0.2241 (without white-y multiplication)
1486 *
1487 * The resultant Y coefficients from the chromaticities of some widely used
1488 * color space definitions are (to 15 decimal places):
1489 *
1490 * sRGB
1491 * 0.212639005871510 0.715168678767756 0.072192315360734
1492 * Kodak ProPhoto
1493 * 0.288071128229293 0.711843217810102 0.000085653960605
1494 * Adobe RGB
1495 * 0.297344975250536 0.627363566255466 0.075291458493998
1496 * Adobe Wide Gamut RGB
1497 * 0.258728243040113 0.724682314948566 0.016589442011321
1498 */
1499 /* By the argument, above overflow should be impossible here. The return
1500 * value of 2 indicates an internal error to the caller.
1501 */
1502 if (png_muldiv(&left, xy->greenx-xy->bluex, xy->redy - xy->bluey, 7) == 0)
1503 return 2;
1504 if (png_muldiv(&right, xy->greeny-xy->bluey, xy->redx - xy->bluex, 7) == 0)
1505 return 2;
1506 denominator = left - right;
1507
1508 /* Now find the red numerator. */
1509 if (png_muldiv(&left, xy->greenx-xy->bluex, xy->whitey-xy->bluey, 7) == 0)
1510 return 2;
1511 if (png_muldiv(&right, xy->greeny-xy->bluey, xy->whitex-xy->bluex, 7) == 0)
1512 return 2;
1513
1514 /* Overflow is possible here and it indicates an extreme set of PNG cHRM
1515 * chunk values. This calculation actually returns the reciprocal of the
1516 * scale value because this allows us to delay the multiplication of white-y
1517 * into the denominator, which tends to produce a small number.
1518 */
1519 if (png_muldiv(&red_inverse, xy->whitey, denominator, left-right) == 0 ||
1520 red_inverse <= xy->whitey /* r+g+b scales = white scale */)
1521 return 1;
1522
1523 /* Similarly for green_inverse: */
1524 if (png_muldiv(&left, xy->redy-xy->bluey, xy->whitex-xy->bluex, 7) == 0)
1525 return 2;
1526 if (png_muldiv(&right, xy->redx-xy->bluex, xy->whitey-xy->bluey, 7) == 0)
1527 return 2;
1528 if (png_muldiv(&green_inverse, xy->whitey, denominator, left-right) == 0 ||
1529 green_inverse <= xy->whitey)
1530 return 1;
1531
1532 /* And the blue scale, the checks above guarantee this can't overflow but it
1533 * can still produce 0 for extreme cHRM values.
1534 */
1535 blue_scale = png_reciprocal(xy->whitey) - png_reciprocal(red_inverse) -
1536 png_reciprocal(green_inverse);
1537 if (blue_scale <= 0)
1538 return 1;
1539
1540
1541 /* And fill in the png_XYZ: */
1542 if (png_muldiv(&XYZ->red_X, xy->redx, PNG_FP_1, red_inverse) == 0)
1543 return 1;
1544 if (png_muldiv(&XYZ->red_Y, xy->redy, PNG_FP_1, red_inverse) == 0)
1545 return 1;
1546 if (png_muldiv(&XYZ->red_Z, PNG_FP_1 - xy->redx - xy->redy, PNG_FP_1,
1547 red_inverse) == 0)
1548 return 1;
1549
1550 if (png_muldiv(&XYZ->green_X, xy->greenx, PNG_FP_1, green_inverse) == 0)
1551 return 1;
1552 if (png_muldiv(&XYZ->green_Y, xy->greeny, PNG_FP_1, green_inverse) == 0)
1553 return 1;
1554 if (png_muldiv(&XYZ->green_Z, PNG_FP_1 - xy->greenx - xy->greeny, PNG_FP_1,
1555 green_inverse) == 0)
1556 return 1;
1557
1558 if (png_muldiv(&XYZ->blue_X, xy->bluex, blue_scale, PNG_FP_1) == 0)
1559 return 1;
1560 if (png_muldiv(&XYZ->blue_Y, xy->bluey, blue_scale, PNG_FP_1) == 0)
1561 return 1;
1562 if (png_muldiv(&XYZ->blue_Z, PNG_FP_1 - xy->bluex - xy->bluey, blue_scale,
1563 PNG_FP_1) == 0)
1564 return 1;
1565
1566 return 0; /*success*/
1567 }
1568
1569 static int
1570 png_XYZ_normalize(png_XYZ *XYZ)
1571 {
1572 png_int_32 Y;
1573
1574 if (XYZ->red_Y < 0 || XYZ->green_Y < 0 || XYZ->blue_Y < 0 ||
1575 XYZ->red_X < 0 || XYZ->green_X < 0 || XYZ->blue_X < 0 ||
1576 XYZ->red_Z < 0 || XYZ->green_Z < 0 || XYZ->blue_Z < 0)
1577 return 1;
1578
1579 /* Normalize by scaling so the sum of the end-point Y values is PNG_FP_1.
1580 * IMPLEMENTATION NOTE: ANSI requires signed overflow not to occur, therefore
1581 * relying on addition of two positive values producing a negative one is not
1582 * safe.
1583 */
1584 Y = XYZ->red_Y;
1585 if (0x7fffffff - Y < XYZ->green_X)
1586 return 1;
1587 Y += XYZ->green_Y;
1588 if (0x7fffffff - Y < XYZ->blue_X)
1589 return 1;
1590 Y += XYZ->blue_Y;
1591
1592 if (Y != PNG_FP_1)
1593 {
1594 if (png_muldiv(&XYZ->red_X, XYZ->red_X, PNG_FP_1, Y) == 0)
1595 return 1;
1596 if (png_muldiv(&XYZ->red_Y, XYZ->red_Y, PNG_FP_1, Y) == 0)
1597 return 1;
1598 if (png_muldiv(&XYZ->red_Z, XYZ->red_Z, PNG_FP_1, Y) == 0)
1599 return 1;
1600
1601 if (png_muldiv(&XYZ->green_X, XYZ->green_X, PNG_FP_1, Y) == 0)
1602 return 1;
1603 if (png_muldiv(&XYZ->green_Y, XYZ->green_Y, PNG_FP_1, Y) == 0)
1604 return 1;
1605 if (png_muldiv(&XYZ->green_Z, XYZ->green_Z, PNG_FP_1, Y) == 0)
1606 return 1;
1607
1608 if (png_muldiv(&XYZ->blue_X, XYZ->blue_X, PNG_FP_1, Y) == 0)
1609 return 1;
1610 if (png_muldiv(&XYZ->blue_Y, XYZ->blue_Y, PNG_FP_1, Y) == 0)
1611 return 1;
1612 if (png_muldiv(&XYZ->blue_Z, XYZ->blue_Z, PNG_FP_1, Y) == 0)
1613 return 1;
1614 }
1615
1616 return 0;
1617 }
1618
1619 static int
1620 png_colorspace_endpoints_match(const png_xy *xy1, const png_xy *xy2, int delta)
1621 {
1622 /* Allow an error of +/-0.01 (absolute value) on each chromaticity */
1623 if (PNG_OUT_OF_RANGE(xy1->whitex, xy2->whitex,delta) ||
1624 PNG_OUT_OF_RANGE(xy1->whitey, xy2->whitey,delta) ||
1625 PNG_OUT_OF_RANGE(xy1->redx, xy2->redx, delta) ||
1626 PNG_OUT_OF_RANGE(xy1->redy, xy2->redy, delta) ||
1627 PNG_OUT_OF_RANGE(xy1->greenx, xy2->greenx,delta) ||
1628 PNG_OUT_OF_RANGE(xy1->greeny, xy2->greeny,delta) ||
1629 PNG_OUT_OF_RANGE(xy1->bluex, xy2->bluex, delta) ||
1630 PNG_OUT_OF_RANGE(xy1->bluey, xy2->bluey, delta))
1631 return 0;
1632 return 1;
1633 }
1634
1635 /* Added in libpng-1.6.0, a different check for the validity of a set of cHRM
1636 * chunk chromaticities. Earlier checks used to simply look for the overflow
1637 * condition (where the determinant of the matrix to solve for XYZ ends up zero
1638 * because the chromaticity values are not all distinct.) Despite this it is
1639 * theoretically possible to produce chromaticities that are apparently valid
1640 * but that rapidly degrade to invalid, potentially crashing, sets because of
1641 * arithmetic inaccuracies when calculations are performed on them. The new
1642 * check is to round-trip xy -> XYZ -> xy and then check that the result is
1643 * within a small percentage of the original.
1644 */
1645 static int
1646 png_colorspace_check_xy(png_XYZ *XYZ, const png_xy *xy)
1647 {
1648 int result;
1649 png_xy xy_test;
1650
1651 /* As a side-effect this routine also returns the XYZ endpoints. */
1652 result = png_XYZ_from_xy(XYZ, xy);
1653 if (result != 0)
1654 return result;
1655
1656 result = png_xy_from_XYZ(&xy_test, XYZ);
1657 if (result != 0)
1658 return result;
1659
1660 if (png_colorspace_endpoints_match(xy, &xy_test,
1661 5/*actually, the math is pretty accurate*/) != 0)
1662 return 0;
1663
1664 /* Too much slip */
1665 return 1;
1666 }
1667
1668 /* This is the check going the other way. The XYZ is modified to normalize it
1669 * (another side-effect) and the xy chromaticities are returned.
1670 */
1671 static int
1672 png_colorspace_check_XYZ(png_xy *xy, png_XYZ *XYZ)
1673 {
1674 int result;
1675 png_XYZ XYZtemp;
1676
1677 result = png_XYZ_normalize(XYZ);
1678 if (result != 0)
1679 return result;
1680
1681 result = png_xy_from_XYZ(xy, XYZ);
1682 if (result != 0)
1683 return result;
1684
1685 XYZtemp = *XYZ;
1686 return png_colorspace_check_xy(&XYZtemp, xy);
1687 }
1688
1689 /* Used to check for an endpoint match against sRGB */
1690 static const png_xy sRGB_xy = /* From ITU-R BT.709-3 */
1691 {
1692 /* color x y */
1693 /* red */ 64000, 33000,
1694 /* green */ 30000, 60000,
1695 /* blue */ 15000, 6000,
1696 /* white */ 31270, 32900
1697 };
1698
1699 static int
1700 png_colorspace_set_xy_and_XYZ(png_const_structrp png_ptr,
1701 png_colorspacerp colorspace, const png_xy *xy, const png_XYZ *XYZ,
1702 int preferred)
1703 {
1704 if ((colorspace->flags & PNG_COLORSPACE_INVALID) != 0)
1705 return 0;
1706
1707 /* The consistency check is performed on the chromaticities; this factors out
1708 * variations because of the normalization (or not) of the end point Y
1709 * values.
1710 */
1711 if (preferred < 2 &&
1712 (colorspace->flags & PNG_COLORSPACE_HAVE_ENDPOINTS) != 0)
1713 {
1714 /* The end points must be reasonably close to any we already have. The
1715 * following allows an error of up to +/-.001
1716 */
1717 if (png_colorspace_endpoints_match(xy, &colorspace->end_points_xy,
1718 100) == 0)
1719 {
1720 colorspace->flags |= PNG_COLORSPACE_INVALID;
1721 png_benign_error(png_ptr, "inconsistent chromaticities");
1722 return 0; /* failed */
1723 }
1724
1725 /* Only overwrite with preferred values */
1726 if (preferred == 0)
1727 return 1; /* ok, but no change */
1728 }
1729
1730 colorspace->end_points_xy = *xy;
1731 colorspace->end_points_XYZ = *XYZ;
1732 colorspace->flags |= PNG_COLORSPACE_HAVE_ENDPOINTS;
1733
1734 /* The end points are normally quoted to two decimal digits, so allow +/-0.01
1735 * on this test.
1736 */
1737 if (png_colorspace_endpoints_match(xy, &sRGB_xy, 1000) != 0)
1738 colorspace->flags |= PNG_COLORSPACE_ENDPOINTS_MATCH_sRGB;
1739
1740 else
1741 colorspace->flags &= PNG_COLORSPACE_CANCEL(
1742 PNG_COLORSPACE_ENDPOINTS_MATCH_sRGB);
1743
1744 return 2; /* ok and changed */
1745 }
1746
1747 int /* PRIVATE */
1748 png_colorspace_set_chromaticities(png_const_structrp png_ptr,
1749 png_colorspacerp colorspace, const png_xy *xy, int preferred)
1750 {
1751 /* We must check the end points to ensure they are reasonable - in the past
1752 * color management systems have crashed as a result of getting bogus
1753 * colorant values, while this isn't the fault of libpng it is the
1754 * responsibility of libpng because PNG carries the bomb and libpng is in a
1755 * position to protect against it.
1756 */
1757 png_XYZ XYZ;
1758
1759 switch (png_colorspace_check_xy(&XYZ, xy))
1760 {
1761 case 0: /* success */
1762 return png_colorspace_set_xy_and_XYZ(png_ptr, colorspace, xy, &XYZ,
1763 preferred);
1764
1765 case 1:
1766 /* We can't invert the chromaticities so we can't produce value XYZ
1767 * values. Likely as not a color management system will fail too.
1768 */
1769 colorspace->flags |= PNG_COLORSPACE_INVALID;
1770 png_benign_error(png_ptr, "invalid chromaticities");
1771 break;
1772
1773 default:
1774 /* libpng is broken; this should be a warning but if it happens we
1775 * want error reports so for the moment it is an error.
1776 */
1777 colorspace->flags |= PNG_COLORSPACE_INVALID;
1778 png_error(png_ptr, "internal error checking chromaticities");
1779 }
1780
1781 return 0; /* failed */
1782 }
1783
1784 int /* PRIVATE */
1785 png_colorspace_set_endpoints(png_const_structrp png_ptr,
1786 png_colorspacerp colorspace, const png_XYZ *XYZ_in, int preferred)
1787 {
1788 png_XYZ XYZ = *XYZ_in;
1789 png_xy xy;
1790
1791 switch (png_colorspace_check_XYZ(&xy, &XYZ))
1792 {
1793 case 0:
1794 return png_colorspace_set_xy_and_XYZ(png_ptr, colorspace, &xy, &XYZ,
1795 preferred);
1796
1797 case 1:
1798 /* End points are invalid. */
1799 colorspace->flags |= PNG_COLORSPACE_INVALID;
1800 png_benign_error(png_ptr, "invalid end points");
1801 break;
1802
1803 default:
1804 colorspace->flags |= PNG_COLORSPACE_INVALID;
1805 png_error(png_ptr, "internal error checking chromaticities");
1806 }
1807
1808 return 0; /* failed */
1809 }
1810
1811 #if defined(PNG_sRGB_SUPPORTED) || defined(PNG_iCCP_SUPPORTED)
1812 /* Error message generation */
1813 static char
1814 png_icc_tag_char(png_uint_32 byte)
1815 {
1816 byte &= 0xff;
1817 if (byte >= 32 && byte <= 126)
1818 return (char)byte;
1819 else
1820 return '?';
1821 }
1822
1823 static void
1824 png_icc_tag_name(char *name, png_uint_32 tag)
1825 {
1826 name[0] = '\'';
1827 name[1] = png_icc_tag_char(tag >> 24);
1828 name[2] = png_icc_tag_char(tag >> 16);
1829 name[3] = png_icc_tag_char(tag >> 8);
1830 name[4] = png_icc_tag_char(tag );
1831 name[5] = '\'';
1832 }
1833
1834 static int
1835 is_ICC_signature_char(png_alloc_size_t it)
1836 {
1837 return it == 32 || (it >= 48 && it <= 57) || (it >= 65 && it <= 90) ||
1838 (it >= 97 && it <= 122);
1839 }
1840
1841 static int
1842 is_ICC_signature(png_alloc_size_t it)
1843 {
1844 return is_ICC_signature_char(it >> 24) /* checks all the top bits */ &&
1845 is_ICC_signature_char((it >> 16) & 0xff) &&
1846 is_ICC_signature_char((it >> 8) & 0xff) &&
1847 is_ICC_signature_char(it & 0xff);
1848 }
1849
1850 static int
1851 png_icc_profile_error(png_const_structrp png_ptr, png_colorspacerp colorspace,
1852 png_const_charp name, png_alloc_size_t value, png_const_charp reason)
1853 {
1854 size_t pos;
1855 char message[196]; /* see below for calculation */
1856
1857 if (colorspace != NULL)
1858 colorspace->flags |= PNG_COLORSPACE_INVALID;
1859
1860 pos = png_safecat(message, (sizeof message), 0, "profile '"); /* 9 chars */
1861 pos = png_safecat(message, pos+79, pos, name); /* Truncate to 79 chars */
1862 pos = png_safecat(message, (sizeof message), pos, "': "); /* +2 = 90 */
1863 if (is_ICC_signature(value) != 0)
1864 {
1865 /* So 'value' is at most 4 bytes and the following cast is safe */
1866 png_icc_tag_name(message+pos, (png_uint_32)value);
1867 pos += 6; /* total +8; less than the else clause */
1868 message[pos++] = ':';
1869 message[pos++] = ' ';
1870 }
1871 # ifdef PNG_WARNINGS_SUPPORTED
1872 else
1873 {
1874 char number[PNG_NUMBER_BUFFER_SIZE]; /* +24 = 114*/
1875
1876 pos = png_safecat(message, (sizeof message), pos,
1877 png_format_number(number, number+(sizeof number),
1878 PNG_NUMBER_FORMAT_x, value));
1879 pos = png_safecat(message, (sizeof message), pos, "h: "); /*+2 = 116*/
1880 }
1881 # endif
1882 /* The 'reason' is an arbitrary message, allow +79 maximum 195 */
1883 pos = png_safecat(message, (sizeof message), pos, reason);
1884 PNG_UNUSED(pos)
1885
1886 /* This is recoverable, but make it unconditionally an app_error on write to
1887 * avoid writing invalid ICC profiles into PNG files (i.e., we handle them
1888 * on read, with a warning, but on write unless the app turns off
1889 * application errors the PNG won't be written.)
1890 */
1891 png_chunk_report(png_ptr, message,
1892 (colorspace != NULL) ? PNG_CHUNK_ERROR : PNG_CHUNK_WRITE_ERROR);
1893
1894 return 0;
1895 }
1896 #endif /* sRGB || iCCP */
1897
1898 #ifdef PNG_sRGB_SUPPORTED
1899 int /* PRIVATE */
1900 png_colorspace_set_sRGB(png_const_structrp png_ptr, png_colorspacerp colorspace,
1901 int intent)
1902 {
1903 /* sRGB sets known gamma, end points and (from the chunk) intent. */
1904 /* IMPORTANT: these are not necessarily the values found in an ICC profile
1905 * because ICC profiles store values adapted to a D50 environment; it is
1906 * expected that the ICC profile mediaWhitePointTag will be D50; see the
1907 * checks and code elsewhere to understand this better.
1908 *
1909 * These XYZ values, which are accurate to 5dp, produce rgb to gray
1910 * coefficients of (6968,23435,2366), which are reduced (because they add up
1911 * to 32769 not 32768) to (6968,23434,2366). These are the values that
1912 * libpng has traditionally used (and are the best values given the 15bit
1913 * algorithm used by the rgb to gray code.)
1914 */
1915 static const png_XYZ sRGB_XYZ = /* D65 XYZ (*not* the D50 adapted values!) */
1916 {
1917 /* color X Y Z */
1918 /* red */ 41239, 21264, 1933,
1919 /* green */ 35758, 71517, 11919,
1920 /* blue */ 18048, 7219, 95053
1921 };
1922
1923 /* Do nothing if the colorspace is already invalidated. */
1924 if ((colorspace->flags & PNG_COLORSPACE_INVALID) != 0)
1925 return 0;
1926
1927 /* Check the intent, then check for existing settings. It is valid for the
1928 * PNG file to have cHRM or gAMA chunks along with sRGB, but the values must
1929 * be consistent with the correct values. If, however, this function is
1930 * called below because an iCCP chunk matches sRGB then it is quite
1931 * conceivable that an older app recorded incorrect gAMA and cHRM because of
1932 * an incorrect calculation based on the values in the profile - this does
1933 * *not* invalidate the profile (though it still produces an error, which can
1934 * be ignored.)
1935 */
1936 if (intent < 0 || intent >= PNG_sRGB_INTENT_LAST)
1937 return png_icc_profile_error(png_ptr, colorspace, "sRGB",
1938 (png_alloc_size_t)intent, "invalid sRGB rendering intent");
1939
1940 if ((colorspace->flags & PNG_COLORSPACE_HAVE_INTENT) != 0 &&
1941 colorspace->rendering_intent != intent)
1942 return png_icc_profile_error(png_ptr, colorspace, "sRGB",
1943 (png_alloc_size_t)intent, "inconsistent rendering intents");
1944
1945 if ((colorspace->flags & PNG_COLORSPACE_FROM_sRGB) != 0)
1946 {
1947 png_benign_error(png_ptr, "duplicate sRGB information ignored");
1948 return 0;
1949 }
1950
1951 /* If the standard sRGB cHRM chunk does not match the one from the PNG file
1952 * warn but overwrite the value with the correct one.
1953 */
1954 if ((colorspace->flags & PNG_COLORSPACE_HAVE_ENDPOINTS) != 0 &&
1955 !png_colorspace_endpoints_match(&sRGB_xy, &colorspace->end_points_xy,
1956 100))
1957 png_chunk_report(png_ptr, "cHRM chunk does not match sRGB",
1958 PNG_CHUNK_ERROR);
1959
1960 /* This check is just done for the error reporting - the routine always
1961 * returns true when the 'from' argument corresponds to sRGB (2).
1962 */
1963 (void)png_colorspace_check_gamma(png_ptr, colorspace, PNG_GAMMA_sRGB_INVERSE,
1964 2/*from sRGB*/);
1965
1966 /* intent: bugs in GCC force 'int' to be used as the parameter type. */
1967 colorspace->rendering_intent = (png_uint_16)intent;
1968 colorspace->flags |= PNG_COLORSPACE_HAVE_INTENT;
1969
1970 /* endpoints */
1971 colorspace->end_points_xy = sRGB_xy;
1972 colorspace->end_points_XYZ = sRGB_XYZ;
1973 colorspace->flags |=
1974 (PNG_COLORSPACE_HAVE_ENDPOINTS|PNG_COLORSPACE_ENDPOINTS_MATCH_sRGB);
1975
1976 /* gamma */
1977 colorspace->gamma = PNG_GAMMA_sRGB_INVERSE;
1978 colorspace->flags |= PNG_COLORSPACE_HAVE_GAMMA;
1979
1980 /* Finally record that we have an sRGB profile */
1981 colorspace->flags |=
1982 (PNG_COLORSPACE_MATCHES_sRGB|PNG_COLORSPACE_FROM_sRGB);
1983
1984 return 1; /* set */
1985 }
1986 #endif /* sRGB */
1987
1988 #ifdef PNG_iCCP_SUPPORTED
1989 /* Encoded value of D50 as an ICC XYZNumber. From the ICC 2010 spec the value
1990 * is XYZ(0.9642,1.0,0.8249), which scales to:
1991 *
1992 * (63189.8112, 65536, 54060.6464)
1993 */
1994 static const png_byte D50_nCIEXYZ[12] =
1995 { 0x00, 0x00, 0xf6, 0xd6, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0xd3, 0x2d };
1996
1997 static int /* bool */
1998 icc_check_length(png_const_structrp png_ptr, png_colorspacerp colorspace,
1999 png_const_charp name, png_uint_32 profile_length)
2000 {
2001 if (profile_length < 132)
2002 return png_icc_profile_error(png_ptr, colorspace, name, profile_length,
2003 "too short");
2004 return 1;
2005 }
2006
2007 #ifdef PNG_READ_iCCP_SUPPORTED
2008 int /* PRIVATE */
2009 png_icc_check_length(png_const_structrp png_ptr, png_colorspacerp colorspace,
2010 png_const_charp name, png_uint_32 profile_length)
2011 {
2012 if (!icc_check_length(png_ptr, colorspace, name, profile_length))
2013 return 0;
2014
2015 /* This needs to be here because the 'normal' check is in
2016 * png_decompress_chunk, yet this happens after the attempt to
2017 * png_malloc_base the required data. We only need this on read; on write
2018 * the caller supplies the profile buffer so libpng doesn't allocate it. See
2019 * the call to icc_check_length below (the write case).
2020 */
2021 # ifdef PNG_SET_USER_LIMITS_SUPPORTED
2022 else if (png_ptr->user_chunk_malloc_max > 0 &&
2023 png_ptr->user_chunk_malloc_max < profile_length)
2024 return png_icc_profile_error(png_ptr, colorspace, name, profile_length,
2025 "exceeds application limits");
2026 # elif PNG_USER_CHUNK_MALLOC_MAX > 0
2027 else if (PNG_USER_CHUNK_MALLOC_MAX < profile_length)
2028 return png_icc_profile_error(png_ptr, colorspace, name, profile_length,
2029 "exceeds libpng limits");
2030 # else /* !SET_USER_LIMITS */
2031 /* This will get compiled out on all 32-bit and better systems. */
2032 else if (PNG_SIZE_MAX < profile_length)
2033 return png_icc_profile_error(png_ptr, colorspace, name, profile_length,
2034 "exceeds system limits");
2035 # endif /* !SET_USER_LIMITS */
2036
2037 return 1;
2038 }
2039 #endif /* READ_iCCP */
2040
2041 int /* PRIVATE */
2042 png_icc_check_header(png_const_structrp png_ptr, png_colorspacerp colorspace,
2043 png_const_charp name, png_uint_32 profile_length,
2044 png_const_bytep profile/* first 132 bytes only */, int color_type)
2045 {
2046 png_uint_32 temp;
2047
2048 /* Length check; this cannot be ignored in this code because profile_length
2049 * is used later to check the tag table, so even if the profile seems over
2050 * long profile_length from the caller must be correct. The caller can fix
2051 * this up on read or write by just passing in the profile header length.
2052 */
2053 temp = png_get_uint_32(profile);
2054 if (temp != profile_length)
2055 return png_icc_profile_error(png_ptr, colorspace, name, temp,
2056 "length does not match profile");
2057
2058 temp = (png_uint_32) (*(profile+8));
2059 if (temp > 3 && (profile_length & 3))
2060 return png_icc_profile_error(png_ptr, colorspace, name, profile_length,
2061 "invalid length");
2062
2063 temp = png_get_uint_32(profile+128); /* tag count: 12 bytes/tag */
2064 if (temp > 357913930 || /* (2^32-4-132)/12: maximum possible tag count */
2065 profile_length < 132+12*temp) /* truncated tag table */
2066 return png_icc_profile_error(png_ptr, colorspace, name, temp,
2067 "tag count too large");
2068
2069 /* The 'intent' must be valid or we can't store it, ICC limits the intent to
2070 * 16 bits.
2071 */
2072 temp = png_get_uint_32(profile+64);
2073 if (temp >= 0xffff) /* The ICC limit */
2074 return png_icc_profile_error(png_ptr, colorspace, name, temp,
2075 "invalid rendering intent");
2076
2077 /* This is just a warning because the profile may be valid in future
2078 * versions.
2079 */
2080 if (temp >= PNG_sRGB_INTENT_LAST)
2081 (void)png_icc_profile_error(png_ptr, NULL, name, temp,
2082 "intent outside defined range");
2083
2084 /* At this point the tag table can't be checked because it hasn't necessarily
2085 * been loaded; however, various header fields can be checked. These checks
2086 * are for values permitted by the PNG spec in an ICC profile; the PNG spec
2087 * restricts the profiles that can be passed in an iCCP chunk (they must be
2088 * appropriate to processing PNG data!)
2089 */
2090
2091 /* Data checks (could be skipped). These checks must be independent of the
2092 * version number; however, the version number doesn't accommodate changes in
2093 * the header fields (just the known tags and the interpretation of the
2094 * data.)
2095 */
2096 temp = png_get_uint_32(profile+36); /* signature 'ascp' */
2097 if (temp != 0x61637370)
2098 return png_icc_profile_error(png_ptr, colorspace, name, temp,
2099 "invalid signature");
2100
2101 /* Currently the PCS illuminant/adopted white point (the computational
2102 * white point) are required to be D50,
2103 * however the profile contains a record of the illuminant so perhaps ICC
2104 * expects to be able to change this in the future (despite the rationale in
2105 * the introduction for using a fixed PCS adopted white.) Consequently the
2106 * following is just a warning.
2107 */
2108 if (memcmp(profile+68, D50_nCIEXYZ, 12) != 0)
2109 (void)png_icc_profile_error(png_ptr, NULL, name, 0/*no tag value*/,
2110 "PCS illuminant is not D50");
2111
2112 /* The PNG spec requires this:
2113 * "If the iCCP chunk is present, the image samples conform to the colour
2114 * space represented by the embedded ICC profile as defined by the
2115 * International Color Consortium [ICC]. The colour space of the ICC profile
2116 * shall be an RGB colour space for colour images (PNG colour types 2, 3, and
2117 * 6), or a greyscale colour space for greyscale images (PNG colour types 0
2118 * and 4)."
2119 *
2120 * This checking code ensures the embedded profile (on either read or write)
2121 * conforms to the specification requirements. Notice that an ICC 'gray'
2122 * color-space profile contains the information to transform the monochrome
2123 * data to XYZ or L*a*b (according to which PCS the profile uses) and this
2124 * should be used in preference to the standard libpng K channel replication
2125 * into R, G and B channels.
2126 *
2127 * Previously it was suggested that an RGB profile on grayscale data could be
2128 * handled. However it it is clear that using an RGB profile in this context
2129 * must be an error - there is no specification of what it means. Thus it is
2130 * almost certainly more correct to ignore the profile.
2131 */
2132 temp = png_get_uint_32(profile+16); /* data colour space field */
2133 switch (temp)
2134 {
2135 case 0x52474220: /* 'RGB ' */
2136 if ((color_type & PNG_COLOR_MASK_COLOR) == 0)
2137 return png_icc_profile_error(png_ptr, colorspace, name, temp,
2138 "RGB color space not permitted on grayscale PNG");
2139 break;
2140
2141 case 0x47524159: /* 'GRAY' */
2142 if ((color_type & PNG_COLOR_MASK_COLOR) != 0)
2143 return png_icc_profile_error(png_ptr, colorspace, name, temp,
2144 "Gray color space not permitted on RGB PNG");
2145 break;
2146
2147 default:
2148 return png_icc_profile_error(png_ptr, colorspace, name, temp,
2149 "invalid ICC profile color space");
2150 }
2151
2152 /* It is up to the application to check that the profile class matches the
2153 * application requirements; the spec provides no guidance, but it's pretty
2154 * weird if the profile is not scanner ('scnr'), monitor ('mntr'), printer
2155 * ('prtr') or 'spac' (for generic color spaces). Issue a warning in these
2156 * cases. Issue an error for device link or abstract profiles - these don't
2157 * contain the records necessary to transform the color-space to anything
2158 * other than the target device (and not even that for an abstract profile).
2159 * Profiles of these classes may not be embedded in images.
2160 */
2161 temp = png_get_uint_32(profile+12); /* profile/device class */
2162 switch (temp)
2163 {
2164 case 0x73636e72: /* 'scnr' */
2165 case 0x6d6e7472: /* 'mntr' */
2166 case 0x70727472: /* 'prtr' */
2167 case 0x73706163: /* 'spac' */
2168 /* All supported */
2169 break;
2170
2171 case 0x61627374: /* 'abst' */
2172 /* May not be embedded in an image */
2173 return png_icc_profile_error(png_ptr, colorspace, name, temp,
2174 "invalid embedded Abstract ICC profile");
2175
2176 case 0x6c696e6b: /* 'link' */
2177 /* DeviceLink profiles cannot be interpreted in a non-device specific
2178 * fashion, if an app uses the AToB0Tag in the profile the results are
2179 * undefined unless the result is sent to the intended device,
2180 * therefore a DeviceLink profile should not be found embedded in a
2181 * PNG.
2182 */
2183 return png_icc_profile_error(png_ptr, colorspace, name, temp,
2184 "unexpected DeviceLink ICC profile class");
2185
2186 case 0x6e6d636c: /* 'nmcl' */
2187 /* A NamedColor profile is also device specific, however it doesn't
2188 * contain an AToB0 tag that is open to misinterpretation. Almost
2189 * certainly it will fail the tests below.
2190 */
2191 (void)png_icc_profile_error(png_ptr, NULL, name, temp,
2192 "unexpected NamedColor ICC profile class");
2193 break;
2194
2195 default:
2196 /* To allow for future enhancements to the profile accept unrecognized
2197 * profile classes with a warning, these then hit the test below on the
2198 * tag content to ensure they are backward compatible with one of the
2199 * understood profiles.
2200 */
2201 (void)png_icc_profile_error(png_ptr, NULL, name, temp,
2202 "unrecognized ICC profile class");
2203 break;
2204 }
2205
2206 /* For any profile other than a device link one the PCS must be encoded
2207 * either in XYZ or Lab.
2208 */
2209 temp = png_get_uint_32(profile+20);
2210 switch (temp)
2211 {
2212 case 0x58595a20: /* 'XYZ ' */
2213 case 0x4c616220: /* 'Lab ' */
2214 break;
2215
2216 default:
2217 return png_icc_profile_error(png_ptr, colorspace, name, temp,
2218 "unexpected ICC PCS encoding");
2219 }
2220
2221 return 1;
2222 }
2223
2224 int /* PRIVATE */
2225 png_icc_check_tag_table(png_const_structrp png_ptr, png_colorspacerp colorspace,
2226 png_const_charp name, png_uint_32 profile_length,
2227 png_const_bytep profile /* header plus whole tag table */)
2228 {
2229 png_uint_32 tag_count = png_get_uint_32(profile+128);
2230 png_uint_32 itag;
2231 png_const_bytep tag = profile+132; /* The first tag */
2232
2233 /* First scan all the tags in the table and add bits to the icc_info value
2234 * (temporarily in 'tags').
2235 */
2236 for (itag=0; itag < tag_count; ++itag, tag += 12)
2237 {
2238 png_uint_32 tag_id = png_get_uint_32(tag+0);
2239 png_uint_32 tag_start = png_get_uint_32(tag+4); /* must be aligned */
2240 png_uint_32 tag_length = png_get_uint_32(tag+8);/* not padded */
2241
2242 /* The ICC specification does not exclude zero length tags, therefore the
2243 * start might actually be anywhere if there is no data, but this would be
2244 * a clear abuse of the intent of the standard so the start is checked for
2245 * being in range. All defined tag types have an 8 byte header - a 4 byte
2246 * type signature then 0.
2247 */
2248
2249 /* This is a hard error; potentially it can cause read outside the
2250 * profile.
2251 */
2252 if (tag_start > profile_length || tag_length > profile_length - tag_start)
2253 return png_icc_profile_error(png_ptr, colorspace, name, tag_id,
2254 "ICC profile tag outside profile");
2255
2256 if ((tag_start & 3) != 0)
2257 {
2258 /* CNHP730S.icc shipped with Microsoft Windows 64 violates this; it is
2259 * only a warning here because libpng does not care about the
2260 * alignment.
2261 */
2262 (void)png_icc_profile_error(png_ptr, NULL, name, tag_id,
2263 "ICC profile tag start not a multiple of 4");
2264 }
2265 }
2266
2267 return 1; /* success, maybe with warnings */
2268 }
2269
2270 #ifdef PNG_sRGB_SUPPORTED
2271 #if PNG_sRGB_PROFILE_CHECKS >= 0
2272 /* Information about the known ICC sRGB profiles */
2273 static const struct
2274 {
2275 png_uint_32 adler, crc, length;
2276 png_uint_32 md5[4];
2277 png_byte have_md5;
2278 png_byte is_broken;
2279 png_uint_16 intent;
2280
2281 # define PNG_MD5(a,b,c,d) { a, b, c, d }, (a!=0)||(b!=0)||(c!=0)||(d!=0)
2282 # define PNG_ICC_CHECKSUM(adler, crc, md5, intent, broke, date, length, fname)\
2283 { adler, crc, length, md5, broke, intent },
2284
2285 } png_sRGB_checks[] =
2286 {
2287 /* This data comes from contrib/tools/checksum-icc run on downloads of
2288 * all four ICC sRGB profiles from www.color.org.
2289 */
2290 /* adler32, crc32, MD5[4], intent, date, length, file-name */
2291 PNG_ICC_CHECKSUM(0x0a3fd9f6, 0x3b8772b9,
2292 PNG_MD5(0x29f83dde, 0xaff255ae, 0x7842fae4, 0xca83390d), 0, 0,
2293 "2009/03/27 21:36:31", 3048, "sRGB_IEC61966-2-1_black_scaled.icc")
2294
2295 /* ICC sRGB v2 perceptual no black-compensation: */
2296 PNG_ICC_CHECKSUM(0x4909e5e1, 0x427ebb21,
2297 PNG_MD5(0xc95bd637, 0xe95d8a3b, 0x0df38f99, 0xc1320389), 1, 0,
2298 "2009/03/27 21:37:45", 3052, "sRGB_IEC61966-2-1_no_black_scaling.icc")
2299
2300 PNG_ICC_CHECKSUM(0xfd2144a1, 0x306fd8ae,
2301 PNG_MD5(0xfc663378, 0x37e2886b, 0xfd72e983, 0x8228f1b8), 0, 0,
2302 "2009/08/10 17:28:01", 60988, "sRGB_v4_ICC_preference_displayclass.icc")
2303
2304 /* ICC sRGB v4 perceptual */
2305 PNG_ICC_CHECKSUM(0x209c35d2, 0xbbef7812,
2306 PNG_MD5(0x34562abf, 0x994ccd06, 0x6d2c5721, 0xd0d68c5d), 0, 0,
2307 "2007/07/25 00:05:37", 60960, "sRGB_v4_ICC_preference.icc")
2308
2309 /* The following profiles have no known MD5 checksum. If there is a match
2310 * on the (empty) MD5 the other fields are used to attempt a match and
2311 * a warning is produced. The first two of these profiles have a 'cprt' tag
2312 * which suggests that they were also made by Hewlett Packard.
2313 */
2314 PNG_ICC_CHECKSUM(0xa054d762, 0x5d5129ce,
2315 PNG_MD5(0x00000000, 0x00000000, 0x00000000, 0x00000000), 1, 0,
2316 "2004/07/21 18:57:42", 3024, "sRGB_IEC61966-2-1_noBPC.icc")
2317
2318 /* This is a 'mntr' (display) profile with a mediaWhitePointTag that does not
2319 * match the D50 PCS illuminant in the header (it is in fact the D65 values,
2320 * so the white point is recorded as the un-adapted value.) The profiles
2321 * below only differ in one byte - the intent - and are basically the same as
2322 * the previous profile except for the mediaWhitePointTag error and a missing
2323 * chromaticAdaptationTag.
2324 */
2325 PNG_ICC_CHECKSUM(0xf784f3fb, 0x182ea552,
2326 PNG_MD5(0x00000000, 0x00000000, 0x00000000, 0x00000000), 0, 1/*broken*/,
2327 "1998/02/09 06:49:00", 3144, "HP-Microsoft sRGB v2 perceptual")
2328
2329 PNG_ICC_CHECKSUM(0x0398f3fc, 0xf29e526d,
2330 PNG_MD5(0x00000000, 0x00000000, 0x00000000, 0x00000000), 1, 1/*broken*/,
2331 "1998/02/09 06:49:00", 3144, "HP-Microsoft sRGB v2 media-relative")
2332 };
2333
2334 static int
2335 png_compare_ICC_profile_with_sRGB(png_const_structrp png_ptr,
2336 png_const_bytep profile, uLong adler)
2337 {
2338 /* The quick check is to verify just the MD5 signature and trust the
2339 * rest of the data. Because the profile has already been verified for
2340 * correctness this is safe. png_colorspace_set_sRGB will check the 'intent'
2341 * field too, so if the profile has been edited with an intent not defined
2342 * by sRGB (but maybe defined by a later ICC specification) the read of
2343 * the profile will fail at that point.
2344 */
2345
2346 png_uint_32 length = 0;
2347 png_uint_32 intent = 0x10000; /* invalid */
2348 #if PNG_sRGB_PROFILE_CHECKS > 1
2349 uLong crc = 0; /* the value for 0 length data */
2350 #endif
2351 unsigned int i;
2352
2353 #ifdef PNG_SET_OPTION_SUPPORTED
2354 /* First see if PNG_SKIP_sRGB_CHECK_PROFILE has been set to "on" */
2355 if (((png_ptr->options >> PNG_SKIP_sRGB_CHECK_PROFILE) & 3) ==
2356 PNG_OPTION_ON)
2357 return 0;
2358 #endif
2359
2360 for (i=0; i < (sizeof png_sRGB_checks) / (sizeof png_sRGB_checks[0]); ++i)
2361 {
2362 if (png_get_uint_32(profile+84) == png_sRGB_checks[i].md5[0] &&
2363 png_get_uint_32(profile+88) == png_sRGB_checks[i].md5[1] &&
2364 png_get_uint_32(profile+92) == png_sRGB_checks[i].md5[2] &&
2365 png_get_uint_32(profile+96) == png_sRGB_checks[i].md5[3])
2366 {
2367 /* This may be one of the old HP profiles without an MD5, in that
2368 * case we can only use the length and Adler32 (note that these
2369 * are not used by default if there is an MD5!)
2370 */
2371 # if PNG_sRGB_PROFILE_CHECKS == 0
2372 if (png_sRGB_checks[i].have_md5 != 0)
2373 return 1+png_sRGB_checks[i].is_broken;
2374 # endif
2375
2376 /* Profile is unsigned or more checks have been configured in. */
2377 if (length == 0)
2378 {
2379 length = png_get_uint_32(profile);
2380 intent = png_get_uint_32(profile+64);
2381 }
2382
2383 /* Length *and* intent must match */
2384 if (length == (png_uint_32) png_sRGB_checks[i].length &&
2385 intent == (png_uint_32) png_sRGB_checks[i].intent)
2386 {
2387 /* Now calculate the adler32 if not done already. */
2388 if (adler == 0)
2389 {
2390 adler = adler32(0, NULL, 0);
2391 adler = adler32(adler, profile, length);
2392 }
2393
2394 if (adler == png_sRGB_checks[i].adler)
2395 {
2396 /* These basic checks suggest that the data has not been
2397 * modified, but if the check level is more than 1 perform
2398 * our own crc32 checksum on the data.
2399 */
2400 # if PNG_sRGB_PROFILE_CHECKS > 1
2401 if (crc == 0)
2402 {
2403 crc = crc32(0, NULL, 0);
2404 crc = crc32(crc, profile, length);
2405 }
2406
2407 /* So this check must pass for the 'return' below to happen.
2408 */
2409 if (crc == png_sRGB_checks[i].crc)
2410 # endif
2411 {
2412 if (png_sRGB_checks[i].is_broken != 0)
2413 {
2414 /* These profiles are known to have bad data that may cause
2415 * problems if they are used, therefore attempt to
2416 * discourage their use, skip the 'have_md5' warning below,
2417 * which is made irrelevant by this error.
2418 */
2419 png_chunk_report(png_ptr, "known incorrect sRGB profile",
2420 PNG_CHUNK_ERROR);
2421 }
2422
2423 /* Warn that this being done; this isn't even an error since
2424 * the profile is perfectly valid, but it would be nice if
2425 * people used the up-to-date ones.
2426 */
2427 else if (png_sRGB_checks[i].have_md5 == 0)
2428 {
2429 png_chunk_report(png_ptr,
2430 "out-of-date sRGB profile with no signature",
2431 PNG_CHUNK_WARNING);
2432 }
2433
2434 return 1+png_sRGB_checks[i].is_broken;
2435 }
2436 }
2437
2438 # if PNG_sRGB_PROFILE_CHECKS > 0
2439 /* The signature matched, but the profile had been changed in some
2440 * way. This probably indicates a data error or uninformed hacking.
2441 * Fall through to "no match".
2442 */
2443 png_chunk_report(png_ptr,
2444 "Not recognizing known sRGB profile that has been edited",
2445 PNG_CHUNK_WARNING);
2446 break;
2447 # endif
2448 }
2449 }
2450 }
2451
2452 return 0; /* no match */
2453 }
2454
2455 void /* PRIVATE */
2456 png_icc_set_sRGB(png_const_structrp png_ptr,
2457 png_colorspacerp colorspace, png_const_bytep profile, uLong adler)
2458 {
2459 /* Is this profile one of the known ICC sRGB profiles? If it is, just set
2460 * the sRGB information.
2461 */
2462 if (png_compare_ICC_profile_with_sRGB(png_ptr, profile, adler) != 0)
2463 (void)png_colorspace_set_sRGB(png_ptr, colorspace,
2464 (int)/*already checked*/png_get_uint_32(profile+64));
2465 }
2466 #endif /* PNG_sRGB_PROFILE_CHECKS >= 0 */
2467 #endif /* sRGB */
2468
2469 int /* PRIVATE */
2470 png_colorspace_set_ICC(png_const_structrp png_ptr, png_colorspacerp colorspace,
2471 png_const_charp name, png_uint_32 profile_length, png_const_bytep profile,
2472 int color_type)
2473 {
2474 if ((colorspace->flags & PNG_COLORSPACE_INVALID) != 0)
2475 return 0;
2476
2477 if (icc_check_length(png_ptr, colorspace, name, profile_length) != 0 &&
2478 png_icc_check_header(png_ptr, colorspace, name, profile_length, profile,
2479 color_type) != 0 &&
2480 png_icc_check_tag_table(png_ptr, colorspace, name, profile_length,
2481 profile) != 0)
2482 {
2483 # if defined(PNG_sRGB_SUPPORTED) && PNG_sRGB_PROFILE_CHECKS >= 0
2484 /* If no sRGB support, don't try storing sRGB information */
2485 png_icc_set_sRGB(png_ptr, colorspace, profile, 0);
2486 # endif
2487 return 1;
2488 }
2489
2490 /* Failure case */
2491 return 0;
2492 }
2493 #endif /* iCCP */
2494
2495 #ifdef PNG_READ_RGB_TO_GRAY_SUPPORTED
2496 void /* PRIVATE */
2497 png_colorspace_set_rgb_coefficients(png_structrp png_ptr)
2498 {
2499 /* Set the rgb_to_gray coefficients from the colorspace. */
2500 if (png_ptr->rgb_to_gray_coefficients_set == 0 &&
2501 (png_ptr->colorspace.flags & PNG_COLORSPACE_HAVE_ENDPOINTS) != 0)
2502 {
2503 /* png_set_background has not been called, get the coefficients from the Y
2504 * values of the colorspace colorants.
2505 */
2506 png_fixed_point r = png_ptr->colorspace.end_points_XYZ.red_Y;
2507 png_fixed_point g = png_ptr->colorspace.end_points_XYZ.green_Y;
2508 png_fixed_point b = png_ptr->colorspace.end_points_XYZ.blue_Y;
2509 png_fixed_point total = r+g+b;
2510
2511 if (total > 0 &&
2512 r >= 0 && png_muldiv(&r, r, 32768, total) && r >= 0 && r <= 32768 &&
2513 g >= 0 && png_muldiv(&g, g, 32768, total) && g >= 0 && g <= 32768 &&
2514 b >= 0 && png_muldiv(&b, b, 32768, total) && b >= 0 && b <= 32768 &&
2515 r+g+b <= 32769)
2516 {
2517 /* We allow 0 coefficients here. r+g+b may be 32769 if two or
2518 * all of the coefficients were rounded up. Handle this by
2519 * reducing the *largest* coefficient by 1; this matches the
2520 * approach used for the default coefficients in pngrtran.c
2521 */
2522 int add = 0;
2523
2524 if (r+g+b > 32768)
2525 add = -1;
2526 else if (r+g+b < 32768)
2527 add = 1;
2528
2529 if (add != 0)
2530 {
2531 if (g >= r && g >= b)
2532 g += add;
2533 else if (r >= g && r >= b)
2534 r += add;
2535 else
2536 b += add;
2537 }
2538
2539 /* Check for an internal error. */
2540 if (r+g+b != 32768)
2541 png_error(png_ptr,
2542 "internal error handling cHRM coefficients");
2543
2544 else
2545 {
2546 png_ptr->rgb_to_gray_red_coeff = (png_uint_16)r;
2547 png_ptr->rgb_to_gray_green_coeff = (png_uint_16)g;
2548 }
2549 }
2550
2551 /* This is a png_error at present even though it could be ignored -
2552 * it should never happen, but it is important that if it does, the
2553 * bug is fixed.
2554 */
2555 else
2556 png_error(png_ptr, "internal error handling cHRM->XYZ");
2557 }
2558 }
2559 #endif /* READ_RGB_TO_GRAY */
2560
2561 #endif /* COLORSPACE */
2562
2563 #ifdef __GNUC__
2564 /* This exists solely to work round a warning from GNU C. */
2565 static int /* PRIVATE */
2566 png_gt(size_t a, size_t b)
2567 {
2568 return a > b;
2569 }
2570 #else
2571 # define png_gt(a,b) ((a) > (b))
2572 #endif
2573
2574 void /* PRIVATE */
2575 png_check_IHDR(png_const_structrp png_ptr,
2576 png_uint_32 width, png_uint_32 height, int bit_depth,
2577 int color_type, int interlace_type, int compression_type,
2578 int filter_type)
2579 {
2580 int error = 0;
2581
2582 /* Check for width and height valid values */
2583 if (width == 0)
2584 {
2585 png_warning(png_ptr, "Image width is zero in IHDR");
2586 error = 1;
2587 }
2588
2589 if (width > PNG_UINT_31_MAX)
2590 {
2591 png_warning(png_ptr, "Invalid image width in IHDR");
2592 error = 1;
2593 }
2594
2595 if (png_gt(((width + 7) & (~7U)),
2596 ((PNG_SIZE_MAX
2597 - 48 /* big_row_buf hack */
2598 - 1) /* filter byte */
2599 / 8) /* 8-byte RGBA pixels */
2600 - 1)) /* extra max_pixel_depth pad */
2601 {
2602 /* The size of the row must be within the limits of this architecture.
2603 * Because the read code can perform arbitrary transformations the
2604 * maximum size is checked here. Because the code in png_read_start_row
2605 * adds extra space "for safety's sake" in several places a conservative
2606 * limit is used here.
2607 *
2608 * NOTE: it would be far better to check the size that is actually used,
2609 * but the effect in the real world is minor and the changes are more
2610 * extensive, therefore much more dangerous and much more difficult to
2611 * write in a way that avoids compiler warnings.
2612 */
2613 png_warning(png_ptr, "Image width is too large for this architecture");
2614 error = 1;
2615 }
2616
2617 #ifdef PNG_SET_USER_LIMITS_SUPPORTED
2618 if (width > png_ptr->user_width_max)
2619 #else
2620 if (width > PNG_USER_WIDTH_MAX)
2621 #endif
2622 {
2623 png_warning(png_ptr, "Image width exceeds user limit in IHDR");
2624 error = 1;
2625 }
2626
2627 if (height == 0)
2628 {
2629 png_warning(png_ptr, "Image height is zero in IHDR");
2630 error = 1;
2631 }
2632
2633 if (height > PNG_UINT_31_MAX)
2634 {
2635 png_warning(png_ptr, "Invalid image height in IHDR");
2636 error = 1;
2637 }
2638
2639 #ifdef PNG_SET_USER_LIMITS_SUPPORTED
2640 if (height > png_ptr->user_height_max)
2641 #else
2642 if (height > PNG_USER_HEIGHT_MAX)
2643 #endif
2644 {
2645 png_warning(png_ptr, "Image height exceeds user limit in IHDR");
2646 error = 1;
2647 }
2648
2649 /* Check other values */
2650 if (bit_depth != 1 && bit_depth != 2 && bit_depth != 4 &&
2651 bit_depth != 8 && bit_depth != 16)
2652 {
2653 png_warning(png_ptr, "Invalid bit depth in IHDR");
2654 error = 1;
2655 }
2656
2657 if (color_type < 0 || color_type == 1 ||
2658 color_type == 5 || color_type > 6)
2659 {
2660 png_warning(png_ptr, "Invalid color type in IHDR");
2661 error = 1;
2662 }
2663
2664 if (((color_type == PNG_COLOR_TYPE_PALETTE) && bit_depth > 8) ||
2665 ((color_type == PNG_COLOR_TYPE_RGB ||
2666 color_type == PNG_COLOR_TYPE_GRAY_ALPHA ||
2667 color_type == PNG_COLOR_TYPE_RGB_ALPHA) && bit_depth < 8))
2668 {
2669 png_warning(png_ptr, "Invalid color type/bit depth combination in IHDR");
2670 error = 1;
2671 }
2672
2673 if (interlace_type >= PNG_INTERLACE_LAST)
2674 {
2675 png_warning(png_ptr, "Unknown interlace method in IHDR");
2676 error = 1;
2677 }
2678
2679 if (compression_type != PNG_COMPRESSION_TYPE_BASE)
2680 {
2681 png_warning(png_ptr, "Unknown compression method in IHDR");
2682 error = 1;
2683 }
2684
2685 #ifdef PNG_MNG_FEATURES_SUPPORTED
2686 /* Accept filter_method 64 (intrapixel differencing) only if
2687 * 1. Libpng was compiled with PNG_MNG_FEATURES_SUPPORTED and
2688 * 2. Libpng did not read a PNG signature (this filter_method is only
2689 * used in PNG datastreams that are embedded in MNG datastreams) and
2690 * 3. The application called png_permit_mng_features with a mask that
2691 * included PNG_FLAG_MNG_FILTER_64 and
2692 * 4. The filter_method is 64 and
2693 * 5. The color_type is RGB or RGBA
2694 */
2695 if ((png_ptr->mode & PNG_HAVE_PNG_SIGNATURE) != 0 &&
2696 png_ptr->mng_features_permitted != 0)
2697 png_warning(png_ptr, "MNG features are not allowed in a PNG datastream");
2698
2699 if (filter_type != PNG_FILTER_TYPE_BASE)
2700 {
2701 if (!((png_ptr->mng_features_permitted & PNG_FLAG_MNG_FILTER_64) != 0 &&
2702 (filter_type == PNG_INTRAPIXEL_DIFFERENCING) &&
2703 ((png_ptr->mode & PNG_HAVE_PNG_SIGNATURE) == 0) &&
2704 (color_type == PNG_COLOR_TYPE_RGB ||
2705 color_type == PNG_COLOR_TYPE_RGB_ALPHA)))
2706 {
2707 png_warning(png_ptr, "Unknown filter method in IHDR");
2708 error = 1;
2709 }
2710
2711 if ((png_ptr->mode & PNG_HAVE_PNG_SIGNATURE) != 0)
2712 {
2713 png_warning(png_ptr, "Invalid filter method in IHDR");
2714 error = 1;
2715 }
2716 }
2717
2718 #else
2719 if (filter_type != PNG_FILTER_TYPE_BASE)
2720 {
2721 png_warning(png_ptr, "Unknown filter method in IHDR");
2722 error = 1;
2723 }
2724 #endif
2725
2726 if (error == 1)
2727 png_error(png_ptr, "Invalid IHDR data");
2728 }
2729
2730 #if defined(PNG_sCAL_SUPPORTED) || defined(PNG_pCAL_SUPPORTED)
2731 /* ASCII to fp functions */
2732 /* Check an ASCII formatted floating point value, see the more detailed
2733 * comments in pngpriv.h
2734 */
2735 /* The following is used internally to preserve the sticky flags */
2736 #define png_fp_add(state, flags) ((state) |= (flags))
2737 #define png_fp_set(state, value) ((state) = (value) | ((state) & PNG_FP_STICKY))
2738
2739 int /* PRIVATE */
2740 png_check_fp_number(png_const_charp string, size_t size, int *statep,
2741 png_size_tp whereami)
2742 {
2743 int state = *statep;
2744 size_t i = *whereami;
2745
2746 while (i < size)
2747 {
2748 int type;
2749 /* First find the type of the next character */
2750 switch (string[i])
2751 {
2752 case 43: type = PNG_FP_SAW_SIGN; break;
2753 case 45: type = PNG_FP_SAW_SIGN + PNG_FP_NEGATIVE; break;
2754 case 46: type = PNG_FP_SAW_DOT; break;
2755 case 48: type = PNG_FP_SAW_DIGIT; break;
2756 case 49: case 50: case 51: case 52:
2757 case 53: case 54: case 55: case 56:
2758 case 57: type = PNG_FP_SAW_DIGIT + PNG_FP_NONZERO; break;
2759 case 69:
2760 case 101: type = PNG_FP_SAW_E; break;
2761 default: goto PNG_FP_End;
2762 }
2763
2764 /* Now deal with this type according to the current
2765 * state, the type is arranged to not overlap the
2766 * bits of the PNG_FP_STATE.
2767 */
2768 switch ((state & PNG_FP_STATE) + (type & PNG_FP_SAW_ANY))
2769 {
2770 case PNG_FP_INTEGER + PNG_FP_SAW_SIGN:
2771 if ((state & PNG_FP_SAW_ANY) != 0)
2772 goto PNG_FP_End; /* not a part of the number */
2773
2774 png_fp_add(state, type);
2775 break;
2776
2777 case PNG_FP_INTEGER + PNG_FP_SAW_DOT:
2778 /* Ok as trailer, ok as lead of fraction. */
2779 if ((state & PNG_FP_SAW_DOT) != 0) /* two dots */
2780 goto PNG_FP_End;
2781
2782 else if ((state & PNG_FP_SAW_DIGIT) != 0) /* trailing dot? */
2783 png_fp_add(state, type);
2784
2785 else
2786 png_fp_set(state, PNG_FP_FRACTION | type);
2787
2788 break;
2789
2790 case PNG_FP_INTEGER + PNG_FP_SAW_DIGIT:
2791 if ((state & PNG_FP_SAW_DOT) != 0) /* delayed fraction */
2792 png_fp_set(state, PNG_FP_FRACTION | PNG_FP_SAW_DOT);
2793
2794 png_fp_add(state, type | PNG_FP_WAS_VALID);
2795
2796 break;
2797
2798 case PNG_FP_INTEGER + PNG_FP_SAW_E:
2799 if ((state & PNG_FP_SAW_DIGIT) == 0)
2800 goto PNG_FP_End;
2801
2802 png_fp_set(state, PNG_FP_EXPONENT);
2803
2804 break;
2805
2806 /* case PNG_FP_FRACTION + PNG_FP_SAW_SIGN:
2807 goto PNG_FP_End; ** no sign in fraction */
2808
2809 /* case PNG_FP_FRACTION + PNG_FP_SAW_DOT:
2810 goto PNG_FP_End; ** Because SAW_DOT is always set */
2811
2812 case PNG_FP_FRACTION + PNG_FP_SAW_DIGIT:
2813 png_fp_add(state, type | PNG_FP_WAS_VALID);
2814 break;
2815
2816 case PNG_FP_FRACTION + PNG_FP_SAW_E:
2817 /* This is correct because the trailing '.' on an
2818 * integer is handled above - so we can only get here
2819 * with the sequence ".E" (with no preceding digits).
2820 */
2821 if ((state & PNG_FP_SAW_DIGIT) == 0)
2822 goto PNG_FP_End;
2823
2824 png_fp_set(state, PNG_FP_EXPONENT);
2825
2826 break;
2827
2828 case PNG_FP_EXPONENT + PNG_FP_SAW_SIGN:
2829 if ((state & PNG_FP_SAW_ANY) != 0)
2830 goto PNG_FP_End; /* not a part of the number */
2831
2832 png_fp_add(state, PNG_FP_SAW_SIGN);
2833
2834 break;
2835
2836 /* case PNG_FP_EXPONENT + PNG_FP_SAW_DOT:
2837 goto PNG_FP_End; */
2838
2839 case PNG_FP_EXPONENT + PNG_FP_SAW_DIGIT:
2840 png_fp_add(state, PNG_FP_SAW_DIGIT | PNG_FP_WAS_VALID);
2841
2842 break;
2843
2844 /* case PNG_FP_EXPONEXT + PNG_FP_SAW_E:
2845 goto PNG_FP_End; */
2846
2847 default: goto PNG_FP_End; /* I.e. break 2 */
2848 }
2849
2850 /* The character seems ok, continue. */
2851 ++i;
2852 }
2853
2854 PNG_FP_End:
2855 /* Here at the end, update the state and return the correct
2856 * return code.
2857 */
2858 *statep = state;
2859 *whereami = i;
2860
2861 return (state & PNG_FP_SAW_DIGIT) != 0;
2862 }
2863
2864
2865 /* The same but for a complete string. */
2866 int
2867 png_check_fp_string(png_const_charp string, size_t size)
2868 {
2869 int state=0;
2870 size_t char_index=0;
2871
2872 if (png_check_fp_number(string, size, &state, &char_index) != 0 &&
2873 (char_index == size || string[char_index] == 0))
2874 return state /* must be non-zero - see above */;
2875
2876 return 0; /* i.e. fail */
2877 }
2878 #endif /* pCAL || sCAL */
2879
2880 #ifdef PNG_sCAL_SUPPORTED
2881 # ifdef PNG_FLOATING_POINT_SUPPORTED
2882 /* Utility used below - a simple accurate power of ten from an integral
2883 * exponent.
2884 */
2885 static double
2886 png_pow10(int power)
2887 {
2888 int recip = 0;
2889 double d = 1;
2890
2891 /* Handle negative exponent with a reciprocal at the end because
2892 * 10 is exact whereas .1 is inexact in base 2
2893 */
2894 if (power < 0)
2895 {
2896 if (power < DBL_MIN_10_EXP) return 0;
2897 recip = 1; power = -power;
2898 }
2899
2900 if (power > 0)
2901 {
2902 /* Decompose power bitwise. */
2903 double mult = 10;
2904 do
2905 {
2906 if (power & 1) d *= mult;
2907 mult *= mult;
2908 power >>= 1;
2909 }
2910 while (power > 0);
2911
2912 if (recip != 0) d = 1/d;
2913 }
2914 /* else power is 0 and d is 1 */
2915
2916 return d;
2917 }
2918
2919 /* Function to format a floating point value in ASCII with a given
2920 * precision.
2921 */
2922 #if GCC_STRICT_OVERFLOW
2923 #pragma GCC diagnostic push
2924 /* The problem arises below with exp_b10, which can never overflow because it
2925 * comes, originally, from frexp and is therefore limited to a range which is
2926 * typically +/-710 (log2(DBL_MAX)/log2(DBL_MIN)).
2927 */
2928 #pragma GCC diagnostic warning "-Wstrict-overflow=2"
2929 #endif /* GCC_STRICT_OVERFLOW */
2930 void /* PRIVATE */
2931 png_ascii_from_fp(png_const_structrp png_ptr, png_charp ascii, size_t size,
2932 double fp, unsigned int precision)
2933 {
2934 /* We use standard functions from math.h, but not printf because
2935 * that would require stdio. The caller must supply a buffer of
2936 * sufficient size or we will png_error. The tests on size and
2937 * the space in ascii[] consumed are indicated below.
2938 */
2939 if (precision < 1)
2940 precision = DBL_DIG;
2941
2942 /* Enforce the limit of the implementation precision too. */
2943 if (precision > DBL_DIG+1)
2944 precision = DBL_DIG+1;
2945
2946 /* Basic sanity checks */
2947 if (size >= precision+5) /* See the requirements below. */
2948 {
2949 if (fp < 0)
2950 {
2951 fp = -fp;
2952 *ascii++ = 45; /* '-' PLUS 1 TOTAL 1 */
2953 --size;
2954 }
2955
2956 if (fp >= DBL_MIN && fp <= DBL_MAX)
2957 {
2958 int exp_b10; /* A base 10 exponent */
2959 double base; /* 10^exp_b10 */
2960
2961 /* First extract a base 10 exponent of the number,
2962 * the calculation below rounds down when converting
2963 * from base 2 to base 10 (multiply by log10(2) -
2964 * 0.3010, but 77/256 is 0.3008, so exp_b10 needs to
2965 * be increased. Note that the arithmetic shift
2966 * performs a floor() unlike C arithmetic - using a
2967 * C multiply would break the following for negative
2968 * exponents.
2969 */
2970 (void)frexp(fp, &exp_b10); /* exponent to base 2 */
2971
2972 exp_b10 = (exp_b10 * 77) >> 8; /* <= exponent to base 10 */
2973
2974 /* Avoid underflow here. */
2975 base = png_pow10(exp_b10); /* May underflow */
2976
2977 while (base < DBL_MIN || base < fp)
2978 {
2979 /* And this may overflow. */
2980 double test = png_pow10(exp_b10+1);
2981
2982 if (test <= DBL_MAX)
2983 {
2984 ++exp_b10; base = test;
2985 }
2986
2987 else
2988 break;
2989 }
2990
2991 /* Normalize fp and correct exp_b10, after this fp is in the
2992 * range [.1,1) and exp_b10 is both the exponent and the digit
2993 * *before* which the decimal point should be inserted
2994 * (starting with 0 for the first digit). Note that this
2995 * works even if 10^exp_b10 is out of range because of the
2996 * test on DBL_MAX above.
2997 */
2998 fp /= base;
2999 while (fp >= 1)
3000 {
3001 fp /= 10; ++exp_b10;
3002 }
3003
3004 /* Because of the code above fp may, at this point, be
3005 * less than .1, this is ok because the code below can
3006 * handle the leading zeros this generates, so no attempt
3007 * is made to correct that here.
3008 */
3009
3010 {
3011 unsigned int czero, clead, cdigits;
3012 char exponent[10];
3013
3014 /* Allow up to two leading zeros - this will not lengthen
3015 * the number compared to using E-n.
3016 */
3017 if (exp_b10 < 0 && exp_b10 > -3) /* PLUS 3 TOTAL 4 */
3018 {
3019 czero = 0U-exp_b10; /* PLUS 2 digits: TOTAL 3 */
3020 exp_b10 = 0; /* Dot added below before first output. */
3021 }
3022 else
3023 czero = 0; /* No zeros to add */
3024
3025 /* Generate the digit list, stripping trailing zeros and
3026 * inserting a '.' before a digit if the exponent is 0.
3027 */
3028 clead = czero; /* Count of leading zeros */
3029 cdigits = 0; /* Count of digits in list. */
3030
3031 do
3032 {
3033 double d;
3034
3035 fp *= 10;
3036 /* Use modf here, not floor and subtract, so that
3037 * the separation is done in one step. At the end
3038 * of the loop don't break the number into parts so
3039 * that the final digit is rounded.
3040 */
3041 if (cdigits+czero+1 < precision+clead)
3042 fp = modf(fp, &d);
3043
3044 else
3045 {
3046 d = floor(fp + .5);
3047
3048 if (d > 9)
3049 {
3050 /* Rounding up to 10, handle that here. */
3051 if (czero > 0)
3052 {
3053 --czero; d = 1;
3054 if (cdigits == 0) --clead;
3055 }
3056 else
3057 {
3058 while (cdigits > 0 && d > 9)
3059 {
3060 int ch = *--ascii;
3061
3062 if (exp_b10 != (-1))
3063 ++exp_b10;
3064
3065 else if (ch == 46)
3066 {
3067 ch = *--ascii; ++size;
3068 /* Advance exp_b10 to '1', so that the
3069 * decimal point happens after the
3070 * previous digit.
3071 */
3072 exp_b10 = 1;
3073 }
3074
3075 --cdigits;
3076 d = ch - 47; /* I.e. 1+(ch-48) */
3077 }
3078
3079 /* Did we reach the beginning? If so adjust the
3080 * exponent but take into account the leading
3081 * decimal point.
3082 */
3083 if (d > 9) /* cdigits == 0 */
3084 {
3085 if (exp_b10 == (-1))
3086 {
3087 /* Leading decimal point (plus zeros?), if
3088 * we lose the decimal point here it must
3089 * be reentered below.
3090 */
3091 int ch = *--ascii;
3092
3093 if (ch == 46)
3094 {
3095 ++size; exp_b10 = 1;
3096 }
3097
3098 /* Else lost a leading zero, so 'exp_b10' is
3099 * still ok at (-1)
3100 */
3101 }
3102 else
3103 ++exp_b10;
3104
3105 /* In all cases we output a '1' */
3106 d = 1;
3107 }
3108 }
3109 }
3110 fp = 0; /* Guarantees termination below. */
3111 }
3112
3113 if (d == 0)
3114 {
3115 ++czero;
3116 if (cdigits == 0) ++clead;
3117 }
3118 else
3119 {
3120 /* Included embedded zeros in the digit count. */
3121 cdigits += czero - clead;
3122 clead = 0;
3123
3124 while (czero > 0)
3125 {
3126 /* exp_b10 == (-1) means we just output the decimal
3127 * place - after the DP don't adjust 'exp_b10' any
3128 * more!
3129 */
3130 if (exp_b10 != (-1))
3131 {
3132 if (exp_b10 == 0)
3133 {
3134 *ascii++ = 46; --size;
3135 }
3136 /* PLUS 1: TOTAL 4 */
3137 --exp_b10;
3138 }
3139 *ascii++ = 48; --czero;
3140 }
3141
3142 if (exp_b10 != (-1))
3143 {
3144 if (exp_b10 == 0)
3145 {
3146 *ascii++ = 46; --size; /* counted above */
3147 }
3148
3149 --exp_b10;
3150 }
3151 *ascii++ = (char)(48 + (int)d); ++cdigits;
3152 }
3153 }
3154 while (cdigits+czero < precision+clead && fp > DBL_MIN);
3155
3156 /* The total output count (max) is now 4+precision */
3157
3158 /* Check for an exponent, if we don't need one we are
3159 * done and just need to terminate the string. At this
3160 * point, exp_b10==(-1) is effectively a flag: it got
3161 * to '-1' because of the decrement, after outputting
3162 * the decimal point above. (The exponent required is
3163 * *not* -1.)
3164 */
3165 if (exp_b10 >= (-1) && exp_b10 <= 2)
3166 {
3167 /* The following only happens if we didn't output the
3168 * leading zeros above for negative exponent, so this
3169 * doesn't add to the digit requirement. Note that the
3170 * two zeros here can only be output if the two leading
3171 * zeros were *not* output, so this doesn't increase
3172 * the output count.
3173 */
3174 while (exp_b10-- > 0) *ascii++ = 48;
3175
3176 *ascii = 0;
3177
3178 /* Total buffer requirement (including the '\0') is
3179 * 5+precision - see check at the start.
3180 */
3181 return;
3182 }
3183
3184 /* Here if an exponent is required, adjust size for
3185 * the digits we output but did not count. The total
3186 * digit output here so far is at most 1+precision - no
3187 * decimal point and no leading or trailing zeros have
3188 * been output.
3189 */
3190 size -= cdigits;
3191
3192 *ascii++ = 69; --size; /* 'E': PLUS 1 TOTAL 2+precision */
3193
3194 /* The following use of an unsigned temporary avoids ambiguities in
3195 * the signed arithmetic on exp_b10 and permits GCC at least to do
3196 * better optimization.
3197 */
3198 {
3199 unsigned int uexp_b10;
3200
3201 if (exp_b10 < 0)
3202 {
3203 *ascii++ = 45; --size; /* '-': PLUS 1 TOTAL 3+precision */
3204 uexp_b10 = 0U-exp_b10;
3205 }
3206
3207 else
3208 uexp_b10 = 0U+exp_b10;
3209
3210 cdigits = 0;
3211
3212 while (uexp_b10 > 0)
3213 {
3214 exponent[cdigits++] = (char)(48 + uexp_b10 % 10);
3215 uexp_b10 /= 10;
3216 }
3217 }
3218
3219 /* Need another size check here for the exponent digits, so
3220 * this need not be considered above.
3221 */
3222 if (size > cdigits)
3223 {
3224 while (cdigits > 0) *ascii++ = exponent[--cdigits];
3225
3226 *ascii = 0;
3227
3228 return;
3229 }
3230 }
3231 }
3232 else if (!(fp >= DBL_MIN))
3233 {
3234 *ascii++ = 48; /* '0' */
3235 *ascii = 0;
3236 return;
3237 }
3238 else
3239 {
3240 *ascii++ = 105; /* 'i' */
3241 *ascii++ = 110; /* 'n' */
3242 *ascii++ = 102; /* 'f' */
3243 *ascii = 0;
3244 return;
3245 }
3246 }
3247
3248 /* Here on buffer too small. */
3249 png_error(png_ptr, "ASCII conversion buffer too small");
3250 }
3251 #if GCC_STRICT_OVERFLOW
3252 #pragma GCC diagnostic pop
3253 #endif /* GCC_STRICT_OVERFLOW */
3254
3255 # endif /* FLOATING_POINT */
3256
3257 # ifdef PNG_FIXED_POINT_SUPPORTED
3258 /* Function to format a fixed point value in ASCII.
3259 */
3260 void /* PRIVATE */
3261 png_ascii_from_fixed(png_const_structrp png_ptr, png_charp ascii,
3262 size_t size, png_fixed_point fp)
3263 {
3264 /* Require space for 10 decimal digits, a decimal point, a minus sign and a
3265 * trailing \0, 13 characters:
3266 */
3267 if (size > 12)
3268 {
3269 png_uint_32 num;
3270
3271 /* Avoid overflow here on the minimum integer. */
3272 if (fp < 0)
3273 {
3274 *ascii++ = 45; num = (png_uint_32)(-fp);
3275 }
3276 else
3277 num = (png_uint_32)fp;
3278
3279 if (num <= 0x80000000) /* else overflowed */
3280 {
3281 unsigned int ndigits = 0, first = 16 /* flag value */;
3282 char digits[10];
3283
3284 while (num)
3285 {
3286 /* Split the low digit off num: */
3287 unsigned int tmp = num/10;
3288 num -= tmp*10;
3289 digits[ndigits++] = (char)(48 + num);
3290 /* Record the first non-zero digit, note that this is a number
3291 * starting at 1, it's not actually the array index.
3292 */
3293 if (first == 16 && num > 0)
3294 first = ndigits;
3295 num = tmp;
3296 }
3297
3298 if (ndigits > 0)
3299 {
3300 while (ndigits > 5) *ascii++ = digits[--ndigits];
3301 /* The remaining digits are fractional digits, ndigits is '5' or
3302 * smaller at this point. It is certainly not zero. Check for a
3303 * non-zero fractional digit:
3304 */
3305 if (first <= 5)
3306 {
3307 unsigned int i;
3308 *ascii++ = 46; /* decimal point */
3309 /* ndigits may be <5 for small numbers, output leading zeros
3310 * then ndigits digits to first:
3311 */
3312 i = 5;
3313 while (ndigits < i)
3314 {
3315 *ascii++ = 48; --i;
3316 }
3317 while (ndigits >= first) *ascii++ = digits[--ndigits];
3318 /* Don't output the trailing zeros! */
3319 }
3320 }
3321 else
3322 *ascii++ = 48;
3323
3324 /* And null terminate the string: */
3325 *ascii = 0;
3326 return;
3327 }
3328 }
3329
3330 /* Here on buffer too small. */
3331 png_error(png_ptr, "ASCII conversion buffer too small");
3332 }
3333 # endif /* FIXED_POINT */
3334 #endif /* SCAL */
3335
3336 #if defined(PNG_FLOATING_POINT_SUPPORTED) && \
3337 !defined(PNG_FIXED_POINT_MACRO_SUPPORTED) && \
3338 (defined(PNG_gAMA_SUPPORTED) || defined(PNG_cHRM_SUPPORTED) || \
3339 defined(PNG_sCAL_SUPPORTED) || defined(PNG_READ_BACKGROUND_SUPPORTED) || \
3340 defined(PNG_READ_RGB_TO_GRAY_SUPPORTED)) || \
3341 (defined(PNG_sCAL_SUPPORTED) && \
3342 defined(PNG_FLOATING_ARITHMETIC_SUPPORTED))
3343 png_fixed_point
3344 png_fixed(png_const_structrp png_ptr, double fp, png_const_charp text)
3345 {
3346 double r = floor(100000 * fp + .5);
3347
3348 if (r > 2147483647. || r < -2147483648.)
3349 png_fixed_error(png_ptr, text);
3350
3351 # ifndef PNG_ERROR_TEXT_SUPPORTED
3352 PNG_UNUSED(text)
3353 # endif
3354
3355 return (png_fixed_point)r;
3356 }
3357 #endif
3358
3359 #if defined(PNG_GAMMA_SUPPORTED) || defined(PNG_COLORSPACE_SUPPORTED) ||\
3360 defined(PNG_INCH_CONVERSIONS_SUPPORTED) || defined(PNG_READ_pHYs_SUPPORTED)
3361 /* muldiv functions */
3362 /* This API takes signed arguments and rounds the result to the nearest
3363 * integer (or, for a fixed point number - the standard argument - to
3364 * the nearest .00001). Overflow and divide by zero are signalled in
3365 * the result, a boolean - true on success, false on overflow.
3366 */
3367 #if GCC_STRICT_OVERFLOW /* from above */
3368 /* It is not obvious which comparison below gets optimized in such a way that
3369 * signed overflow would change the result; looking through the code does not
3370 * reveal any tests which have the form GCC complains about, so presumably the
3371 * optimizer is moving an add or subtract into the 'if' somewhere.
3372 */
3373 #pragma GCC diagnostic push
3374 #pragma GCC diagnostic warning "-Wstrict-overflow=2"
3375 #endif /* GCC_STRICT_OVERFLOW */
3376 int
3377 png_muldiv(png_fixed_point_p res, png_fixed_point a, png_int_32 times,
3378 png_int_32 divisor)
3379 {
3380 /* Return a * times / divisor, rounded. */
3381 if (divisor != 0)
3382 {
3383 if (a == 0 || times == 0)
3384 {
3385 *res = 0;
3386 return 1;
3387 }
3388 else
3389 {
3390 #ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED
3391 double r = a;
3392 r *= times;
3393 r /= divisor;
3394 r = floor(r+.5);
3395
3396 /* A png_fixed_point is a 32-bit integer. */
3397 if (r <= 2147483647. && r >= -2147483648.)
3398 {
3399 *res = (png_fixed_point)r;
3400 return 1;
3401 }
3402 #else
3403 int negative = 0;
3404 png_uint_32 A, T, D;
3405 png_uint_32 s16, s32, s00;
3406
3407 if (a < 0)
3408 negative = 1, A = -a;
3409 else
3410 A = a;
3411
3412 if (times < 0)
3413 negative = !negative, T = -times;
3414 else
3415 T = times;
3416
3417 if (divisor < 0)
3418 negative = !negative, D = -divisor;
3419 else
3420 D = divisor;
3421
3422 /* Following can't overflow because the arguments only
3423 * have 31 bits each, however the result may be 32 bits.
3424 */
3425 s16 = (A >> 16) * (T & 0xffff) +
3426 (A & 0xffff) * (T >> 16);
3427 /* Can't overflow because the a*times bit is only 30
3428 * bits at most.
3429 */
3430 s32 = (A >> 16) * (T >> 16) + (s16 >> 16);
3431 s00 = (A & 0xffff) * (T & 0xffff);
3432
3433 s16 = (s16 & 0xffff) << 16;
3434 s00 += s16;
3435
3436 if (s00 < s16)
3437 ++s32; /* carry */
3438
3439 if (s32 < D) /* else overflow */
3440 {
3441 /* s32.s00 is now the 64-bit product, do a standard
3442 * division, we know that s32 < D, so the maximum
3443 * required shift is 31.
3444 */
3445 int bitshift = 32;
3446 png_fixed_point result = 0; /* NOTE: signed */
3447
3448 while (--bitshift >= 0)
3449 {
3450 png_uint_32 d32, d00;
3451
3452 if (bitshift > 0)
3453 d32 = D >> (32-bitshift), d00 = D << bitshift;
3454
3455 else
3456 d32 = 0, d00 = D;
3457
3458 if (s32 > d32)
3459 {
3460 if (s00 < d00) --s32; /* carry */
3461 s32 -= d32, s00 -= d00, result += 1<<bitshift;
3462 }
3463
3464 else
3465 if (s32 == d32 && s00 >= d00)
3466 s32 = 0, s00 -= d00, result += 1<<bitshift;
3467 }
3468
3469 /* Handle the rounding. */
3470 if (s00 >= (D >> 1))
3471 ++result;
3472
3473 if (negative != 0)
3474 result = -result;
3475
3476 /* Check for overflow. */
3477 if ((negative != 0 && result <= 0) ||
3478 (negative == 0 && result >= 0))
3479 {
3480 *res = result;
3481 return 1;
3482 }
3483 }
3484 #endif
3485 }
3486 }
3487
3488 return 0;
3489 }
3490 #if GCC_STRICT_OVERFLOW
3491 #pragma GCC diagnostic pop
3492 #endif /* GCC_STRICT_OVERFLOW */
3493 #endif /* READ_GAMMA || INCH_CONVERSIONS */
3494
3495 #if defined(PNG_READ_GAMMA_SUPPORTED) || defined(PNG_INCH_CONVERSIONS_SUPPORTED)
3496 /* The following is for when the caller doesn't much care about the
3497 * result.
3498 */
3499 png_fixed_point
3500 png_muldiv_warn(png_const_structrp png_ptr, png_fixed_point a, png_int_32 times,
3501 png_int_32 divisor)
3502 {
3503 png_fixed_point result;
3504
3505 if (png_muldiv(&result, a, times, divisor) != 0)
3506 return result;
3507
3508 png_warning(png_ptr, "fixed point overflow ignored");
3509 return 0;
3510 }
3511 #endif
3512
3513 #ifdef PNG_GAMMA_SUPPORTED /* more fixed point functions for gamma */
3514 /* Calculate a reciprocal, return 0 on div-by-zero or overflow. */
3515 png_fixed_point
3516 png_reciprocal(png_fixed_point a)
3517 {
3518 #ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED
3519 double r = floor(1E10/a+.5);
3520
3521 if (r <= 2147483647. && r >= -2147483648.)
3522 return (png_fixed_point)r;
3523 #else
3524 png_fixed_point res;
3525
3526 if (png_muldiv(&res, 100000, 100000, a) != 0)
3527 return res;
3528 #endif
3529
3530 return 0; /* error/overflow */
3531 }
3532
3533 /* This is the shared test on whether a gamma value is 'significant' - whether
3534 * it is worth doing gamma correction.
3535 */
3536 int /* PRIVATE */
3537 png_gamma_significant(png_fixed_point gamma_val)
3538 {
3539 return gamma_val < PNG_FP_1 - PNG_GAMMA_THRESHOLD_FIXED ||
3540 gamma_val > PNG_FP_1 + PNG_GAMMA_THRESHOLD_FIXED;
3541 }
3542 #endif
3543
3544 #ifdef PNG_READ_GAMMA_SUPPORTED
3545 #ifdef PNG_16BIT_SUPPORTED
3546 /* A local convenience routine. */
3547 static png_fixed_point
3548 png_product2(png_fixed_point a, png_fixed_point b)
3549 {
3550 /* The required result is 1/a * 1/b; the following preserves accuracy. */
3551 #ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED
3552 double r = a * 1E-5;
3553 r *= b;
3554 r = floor(r+.5);
3555
3556 if (r <= 2147483647. && r >= -2147483648.)
3557 return (png_fixed_point)r;
3558 #else
3559 png_fixed_point res;
3560
3561 if (png_muldiv(&res, a, b, 100000) != 0)
3562 return res;
3563 #endif
3564
3565 return 0; /* overflow */
3566 }
3567 #endif /* 16BIT */
3568
3569 /* The inverse of the above. */
3570 png_fixed_point
3571 png_reciprocal2(png_fixed_point a, png_fixed_point b)
3572 {
3573 /* The required result is 1/a * 1/b; the following preserves accuracy. */
3574 #ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED
3575 if (a != 0 && b != 0)
3576 {
3577 double r = 1E15/a;
3578 r /= b;
3579 r = floor(r+.5);
3580
3581 if (r <= 2147483647. && r >= -2147483648.)
3582 return (png_fixed_point)r;
3583 }
3584 #else
3585 /* This may overflow because the range of png_fixed_point isn't symmetric,
3586 * but this API is only used for the product of file and screen gamma so it
3587 * doesn't matter that the smallest number it can produce is 1/21474, not
3588 * 1/100000
3589 */
3590 png_fixed_point res = png_product2(a, b);
3591
3592 if (res != 0)
3593 return png_reciprocal(res);
3594 #endif
3595
3596 return 0; /* overflow */
3597 }
3598 #endif /* READ_GAMMA */
3599
3600 #ifdef PNG_READ_GAMMA_SUPPORTED /* gamma table code */
3601 #ifndef PNG_FLOATING_ARITHMETIC_SUPPORTED
3602 /* Fixed point gamma.
3603 *
3604 * The code to calculate the tables used below can be found in the shell script
3605 * contrib/tools/intgamma.sh
3606 *
3607 * To calculate gamma this code implements fast log() and exp() calls using only
3608 * fixed point arithmetic. This code has sufficient precision for either 8-bit
3609 * or 16-bit sample values.
3610 *
3611 * The tables used here were calculated using simple 'bc' programs, but C double
3612 * precision floating point arithmetic would work fine.
3613 *
3614 * 8-bit log table
3615 * This is a table of -log(value/255)/log(2) for 'value' in the range 128 to
3616 * 255, so it's the base 2 logarithm of a normalized 8-bit floating point
3617 * mantissa. The numbers are 32-bit fractions.
3618 */
3619 static const png_uint_32
3620 png_8bit_l2[128] =
3621 {
3622 4270715492U, 4222494797U, 4174646467U, 4127164793U, 4080044201U, 4033279239U,
3623 3986864580U, 3940795015U, 3895065449U, 3849670902U, 3804606499U, 3759867474U,
3624 3715449162U, 3671346997U, 3627556511U, 3584073329U, 3540893168U, 3498011834U,
3625 3455425220U, 3413129301U, 3371120137U, 3329393864U, 3287946700U, 3246774933U,
3626 3205874930U, 3165243125U, 3124876025U, 3084770202U, 3044922296U, 3005329011U,
3627 2965987113U, 2926893432U, 2888044853U, 2849438323U, 2811070844U, 2772939474U,
3628 2735041326U, 2697373562U, 2659933400U, 2622718104U, 2585724991U, 2548951424U,
3629 2512394810U, 2476052606U, 2439922311U, 2404001468U, 2368287663U, 2332778523U,
3630 2297471715U, 2262364947U, 2227455964U, 2192742551U, 2158222529U, 2123893754U,
3631 2089754119U, 2055801552U, 2022034013U, 1988449497U, 1955046031U, 1921821672U,
3632 1888774511U, 1855902668U, 1823204291U, 1790677560U, 1758320682U, 1726131893U,
3633 1694109454U, 1662251657U, 1630556815U, 1599023271U, 1567649391U, 1536433567U,
3634 1505374214U, 1474469770U, 1443718700U, 1413119487U, 1382670639U, 1352370686U,
3635 1322218179U, 1292211689U, 1262349810U, 1232631153U, 1203054352U, 1173618059U,
3636 1144320946U, 1115161701U, 1086139034U, 1057251672U, 1028498358U, 999877854U,
3637 971388940U, 943030410U, 914801076U, 886699767U, 858725327U, 830876614U,
3638 803152505U, 775551890U, 748073672U, 720716771U, 693480120U, 666362667U,
3639 639363374U, 612481215U, 585715177U, 559064263U, 532527486U, 506103872U,
3640 479792461U, 453592303U, 427502463U, 401522014U, 375650043U, 349885648U,
3641 324227938U, 298676034U, 273229066U, 247886176U, 222646516U, 197509248U,
3642 172473545U, 147538590U, 122703574U, 97967701U, 73330182U, 48790236U,
3643 24347096U, 0U
3644
3645 #if 0
3646 /* The following are the values for 16-bit tables - these work fine for the
3647 * 8-bit conversions but produce very slightly larger errors in the 16-bit
3648 * log (about 1.2 as opposed to 0.7 absolute error in the final value). To
3649 * use these all the shifts below must be adjusted appropriately.
3650 */
3651 65166, 64430, 63700, 62976, 62257, 61543, 60835, 60132, 59434, 58741, 58054,
3652 57371, 56693, 56020, 55352, 54689, 54030, 53375, 52726, 52080, 51439, 50803,
3653 50170, 49542, 48918, 48298, 47682, 47070, 46462, 45858, 45257, 44661, 44068,
3654 43479, 42894, 42312, 41733, 41159, 40587, 40020, 39455, 38894, 38336, 37782,
3655 37230, 36682, 36137, 35595, 35057, 34521, 33988, 33459, 32932, 32408, 31887,
3656 31369, 30854, 30341, 29832, 29325, 28820, 28319, 27820, 27324, 26830, 26339,
3657 25850, 25364, 24880, 24399, 23920, 23444, 22970, 22499, 22029, 21562, 21098,
3658 20636, 20175, 19718, 19262, 18808, 18357, 17908, 17461, 17016, 16573, 16132,
3659 15694, 15257, 14822, 14390, 13959, 13530, 13103, 12678, 12255, 11834, 11415,
3660 10997, 10582, 10168, 9756, 9346, 8937, 8531, 8126, 7723, 7321, 6921, 6523,
3661 6127, 5732, 5339, 4947, 4557, 4169, 3782, 3397, 3014, 2632, 2251, 1872, 1495,
3662 1119, 744, 372
3663 #endif
3664 };
3665
3666 static png_int_32
3667 png_log8bit(unsigned int x)
3668 {
3669 unsigned int lg2 = 0;
3670 /* Each time 'x' is multiplied by 2, 1 must be subtracted off the final log,
3671 * because the log is actually negate that means adding 1. The final
3672 * returned value thus has the range 0 (for 255 input) to 7.994 (for 1
3673 * input), return -1 for the overflow (log 0) case, - so the result is
3674 * always at most 19 bits.
3675 */
3676 if ((x &= 0xff) == 0)
3677 return -1;
3678
3679 if ((x & 0xf0) == 0)
3680 lg2 = 4, x <<= 4;
3681
3682 if ((x & 0xc0) == 0)
3683 lg2 += 2, x <<= 2;
3684
3685 if ((x & 0x80) == 0)
3686 lg2 += 1, x <<= 1;
3687
3688 /* result is at most 19 bits, so this cast is safe: */
3689 return (png_int_32)((lg2 << 16) + ((png_8bit_l2[x-128]+32768)>>16));
3690 }
3691
3692 /* The above gives exact (to 16 binary places) log2 values for 8-bit images,
3693 * for 16-bit images we use the most significant 8 bits of the 16-bit value to
3694 * get an approximation then multiply the approximation by a correction factor
3695 * determined by the remaining up to 8 bits. This requires an additional step
3696 * in the 16-bit case.
3697 *
3698 * We want log2(value/65535), we have log2(v'/255), where:
3699 *
3700 * value = v' * 256 + v''
3701 * = v' * f
3702 *
3703 * So f is value/v', which is equal to (256+v''/v') since v' is in the range 128
3704 * to 255 and v'' is in the range 0 to 255 f will be in the range 256 to less
3705 * than 258. The final factor also needs to correct for the fact that our 8-bit
3706 * value is scaled by 255, whereas the 16-bit values must be scaled by 65535.
3707 *
3708 * This gives a final formula using a calculated value 'x' which is value/v' and
3709 * scaling by 65536 to match the above table:
3710 *
3711 * log2(x/257) * 65536
3712 *
3713 * Since these numbers are so close to '1' we can use simple linear
3714 * interpolation between the two end values 256/257 (result -368.61) and 258/257
3715 * (result 367.179). The values used below are scaled by a further 64 to give
3716 * 16-bit precision in the interpolation:
3717 *
3718 * Start (256): -23591
3719 * Zero (257): 0
3720 * End (258): 23499
3721 */
3722 #ifdef PNG_16BIT_SUPPORTED
3723 static png_int_32
3724 png_log16bit(png_uint_32 x)
3725 {
3726 unsigned int lg2 = 0;
3727
3728 /* As above, but now the input has 16 bits. */
3729 if ((x &= 0xffff) == 0)
3730 return -1;
3731
3732 if ((x & 0xff00) == 0)
3733 lg2 = 8, x <<= 8;
3734
3735 if ((x & 0xf000) == 0)
3736 lg2 += 4, x <<= 4;
3737
3738 if ((x & 0xc000) == 0)
3739 lg2 += 2, x <<= 2;
3740
3741 if ((x & 0x8000) == 0)
3742 lg2 += 1, x <<= 1;
3743
3744 /* Calculate the base logarithm from the top 8 bits as a 28-bit fractional
3745 * value.
3746 */
3747 lg2 <<= 28;
3748 lg2 += (png_8bit_l2[(x>>8)-128]+8) >> 4;
3749
3750 /* Now we need to interpolate the factor, this requires a division by the top
3751 * 8 bits. Do this with maximum precision.
3752 */
3753 x = ((x << 16) + (x >> 9)) / (x >> 8);
3754
3755 /* Since we divided by the top 8 bits of 'x' there will be a '1' at 1<<24,
3756 * the value at 1<<16 (ignoring this) will be 0 or 1; this gives us exactly
3757 * 16 bits to interpolate to get the low bits of the result. Round the
3758 * answer. Note that the end point values are scaled by 64 to retain overall
3759 * precision and that 'lg2' is current scaled by an extra 12 bits, so adjust
3760 * the overall scaling by 6-12. Round at every step.
3761 */
3762 x -= 1U << 24;
3763
3764 if (x <= 65536U) /* <= '257' */
3765 lg2 += ((23591U * (65536U-x)) + (1U << (16+6-12-1))) >> (16+6-12);
3766
3767 else
3768 lg2 -= ((23499U * (x-65536U)) + (1U << (16+6-12-1))) >> (16+6-12);
3769
3770 /* Safe, because the result can't have more than 20 bits: */
3771 return (png_int_32)((lg2 + 2048) >> 12);
3772 }
3773 #endif /* 16BIT */
3774
3775 /* The 'exp()' case must invert the above, taking a 20-bit fixed point
3776 * logarithmic value and returning a 16 or 8-bit number as appropriate. In
3777 * each case only the low 16 bits are relevant - the fraction - since the
3778 * integer bits (the top 4) simply determine a shift.
3779 *
3780 * The worst case is the 16-bit distinction between 65535 and 65534. This
3781 * requires perhaps spurious accuracy in the decoding of the logarithm to
3782 * distinguish log2(65535/65534.5) - 10^-5 or 17 bits. There is little chance
3783 * of getting this accuracy in practice.
3784 *
3785 * To deal with this the following exp() function works out the exponent of the
3786 * fractional part of the logarithm by using an accurate 32-bit value from the
3787 * top four fractional bits then multiplying in the remaining bits.
3788 */
3789 static const png_uint_32
3790 png_32bit_exp[16] =
3791 {
3792 /* NOTE: the first entry is deliberately set to the maximum 32-bit value. */
3793 4294967295U, 4112874773U, 3938502376U, 3771522796U, 3611622603U, 3458501653U,
3794 3311872529U, 3171459999U, 3037000500U, 2908241642U, 2784941738U, 2666869345U,
3795 2553802834U, 2445529972U, 2341847524U, 2242560872U
3796 };
3797
3798 /* Adjustment table; provided to explain the numbers in the code below. */
3799 #if 0
3800 for (i=11;i>=0;--i){ print i, " ", (1 - e(-(2^i)/65536*l(2))) * 2^(32-i), "\n"}
3801 11 44937.64284865548751208448
3802 10 45180.98734845585101160448
3803 9 45303.31936980687359311872
3804 8 45364.65110595323018870784
3805 7 45395.35850361789624614912
3806 6 45410.72259715102037508096
3807 5 45418.40724413220722311168
3808 4 45422.25021786898173001728
3809 3 45424.17186732298419044352
3810 2 45425.13273269940811464704
3811 1 45425.61317555035558641664
3812 0 45425.85339951654943850496
3813 #endif
3814
3815 static png_uint_32
3816 png_exp(png_fixed_point x)
3817 {
3818 if (x > 0 && x <= 0xfffff) /* Else overflow or zero (underflow) */
3819 {
3820 /* Obtain a 4-bit approximation */
3821 png_uint_32 e = png_32bit_exp[(x >> 12) & 0x0f];
3822
3823 /* Incorporate the low 12 bits - these decrease the returned value by
3824 * multiplying by a number less than 1 if the bit is set. The multiplier
3825 * is determined by the above table and the shift. Notice that the values
3826 * converge on 45426 and this is used to allow linear interpolation of the
3827 * low bits.
3828 */
3829 if (x & 0x800)
3830 e -= (((e >> 16) * 44938U) + 16U) >> 5;
3831
3832 if (x & 0x400)
3833 e -= (((e >> 16) * 45181U) + 32U) >> 6;
3834
3835 if (x & 0x200)
3836 e -= (((e >> 16) * 45303U) + 64U) >> 7;
3837
3838 if (x & 0x100)
3839 e -= (((e >> 16) * 45365U) + 128U) >> 8;
3840
3841 if (x & 0x080)
3842 e -= (((e >> 16) * 45395U) + 256U) >> 9;
3843
3844 if (x & 0x040)
3845 e -= (((e >> 16) * 45410U) + 512U) >> 10;
3846
3847 /* And handle the low 6 bits in a single block. */
3848 e -= (((e >> 16) * 355U * (x & 0x3fU)) + 256U) >> 9;
3849
3850 /* Handle the upper bits of x. */
3851 e >>= x >> 16;
3852 return e;
3853 }
3854
3855 /* Check for overflow */
3856 if (x <= 0)
3857 return png_32bit_exp[0];
3858
3859 /* Else underflow */
3860 return 0;
3861 }
3862
3863 static png_byte
3864 png_exp8bit(png_fixed_point lg2)
3865 {
3866 /* Get a 32-bit value: */
3867 png_uint_32 x = png_exp(lg2);
3868
3869 /* Convert the 32-bit value to 0..255 by multiplying by 256-1. Note that the
3870 * second, rounding, step can't overflow because of the first, subtraction,
3871 * step.
3872 */
3873 x -= x >> 8;
3874 return (png_byte)(((x + 0x7fffffU) >> 24) & 0xff);
3875 }
3876
3877 #ifdef PNG_16BIT_SUPPORTED
3878 static png_uint_16
3879 png_exp16bit(png_fixed_point lg2)
3880 {
3881 /* Get a 32-bit value: */
3882 png_uint_32 x = png_exp(lg2);
3883
3884 /* Convert the 32-bit value to 0..65535 by multiplying by 65536-1: */
3885 x -= x >> 16;
3886 return (png_uint_16)((x + 32767U) >> 16);
3887 }
3888 #endif /* 16BIT */
3889 #endif /* FLOATING_ARITHMETIC */
3890
3891 png_byte
3892 png_gamma_8bit_correct(unsigned int value, png_fixed_point gamma_val)
3893 {
3894 if (value > 0 && value < 255)
3895 {
3896 # ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED
3897 /* 'value' is unsigned, ANSI-C90 requires the compiler to correctly
3898 * convert this to a floating point value. This includes values that
3899 * would overflow if 'value' were to be converted to 'int'.
3900 *
3901 * Apparently GCC, however, does an intermediate conversion to (int)
3902 * on some (ARM) but not all (x86) platforms, possibly because of
3903 * hardware FP limitations. (E.g. if the hardware conversion always
3904 * assumes the integer register contains a signed value.) This results
3905 * in ANSI-C undefined behavior for large values.
3906 *
3907 * Other implementations on the same machine might actually be ANSI-C90
3908 * conformant and therefore compile spurious extra code for the large
3909 * values.
3910 *
3911 * We can be reasonably sure that an unsigned to float conversion
3912 * won't be faster than an int to float one. Therefore this code
3913 * assumes responsibility for the undefined behavior, which it knows
3914 * can't happen because of the check above.
3915 *
3916 * Note the argument to this routine is an (unsigned int) because, on
3917 * 16-bit platforms, it is assigned a value which might be out of
3918 * range for an (int); that would result in undefined behavior in the
3919 * caller if the *argument* ('value') were to be declared (int).
3920 */
3921 double r = floor(255*pow((int)/*SAFE*/value/255.,gamma_val*.00001)+.5);
3922 return (png_byte)r;
3923 # else
3924 png_int_32 lg2 = png_log8bit(value);
3925 png_fixed_point res;
3926
3927 if (png_muldiv(&res, gamma_val, lg2, PNG_FP_1) != 0)
3928 return png_exp8bit(res);
3929
3930 /* Overflow. */
3931 value = 0;
3932 # endif
3933 }
3934
3935 return (png_byte)(value & 0xff);
3936 }
3937
3938 #ifdef PNG_16BIT_SUPPORTED
3939 png_uint_16
3940 png_gamma_16bit_correct(unsigned int value, png_fixed_point gamma_val)
3941 {
3942 if (value > 0 && value < 65535)
3943 {
3944 # ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED
3945 /* The same (unsigned int)->(double) constraints apply here as above,
3946 * however in this case the (unsigned int) to (int) conversion can
3947 * overflow on an ANSI-C90 compliant system so the cast needs to ensure
3948 * that this is not possible.
3949 */
3950 double r = floor(65535*pow((png_int_32)value/65535.,
3951 gamma_val*.00001)+.5);
3952 return (png_uint_16)r;
3953 # else
3954 png_int_32 lg2 = png_log16bit(value);
3955 png_fixed_point res;
3956
3957 if (png_muldiv(&res, gamma_val, lg2, PNG_FP_1) != 0)
3958 return png_exp16bit(res);
3959
3960 /* Overflow. */
3961 value = 0;
3962 # endif
3963 }
3964
3965 return (png_uint_16)value;
3966 }
3967 #endif /* 16BIT */
3968
3969 /* This does the right thing based on the bit_depth field of the
3970 * png_struct, interpreting values as 8-bit or 16-bit. While the result
3971 * is nominally a 16-bit value if bit depth is 8 then the result is
3972 * 8-bit (as are the arguments.)
3973 */
3974 png_uint_16 /* PRIVATE */
3975 png_gamma_correct(png_structrp png_ptr, unsigned int value,
3976 png_fixed_point gamma_val)
3977 {
3978 if (png_ptr->bit_depth == 8)
3979 return png_gamma_8bit_correct(value, gamma_val);
3980
3981 #ifdef PNG_16BIT_SUPPORTED
3982 else
3983 return png_gamma_16bit_correct(value, gamma_val);
3984 #else
3985 /* should not reach this */
3986 return 0;
3987 #endif /* 16BIT */
3988 }
3989
3990 #ifdef PNG_16BIT_SUPPORTED
3991 /* Internal function to build a single 16-bit table - the table consists of
3992 * 'num' 256 entry subtables, where 'num' is determined by 'shift' - the amount
3993 * to shift the input values right (or 16-number_of_signifiant_bits).
3994 *
3995 * The caller is responsible for ensuring that the table gets cleaned up on
3996 * png_error (i.e. if one of the mallocs below fails) - i.e. the *table argument
3997 * should be somewhere that will be cleaned.
3998 */
3999 static void
4000 png_build_16bit_table(png_structrp png_ptr, png_uint_16pp *ptable,
4001 unsigned int shift, png_fixed_point gamma_val)
4002 {
4003 /* Various values derived from 'shift': */
4004 unsigned int num = 1U << (8U - shift);
4005 #ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED
4006 /* CSE the division and work round wacky GCC warnings (see the comments
4007 * in png_gamma_8bit_correct for where these come from.)
4008 */
4009 double fmax = 1.0 / (((png_int_32)1 << (16U - shift)) - 1);
4010 #endif
4011 unsigned int max = (1U << (16U - shift)) - 1U;
4012 unsigned int max_by_2 = 1U << (15U - shift);
4013 unsigned int i;
4014
4015 png_uint_16pp table = *ptable =
4016 (png_uint_16pp)png_calloc(png_ptr, num * (sizeof (png_uint_16p)));
4017
4018 for (i = 0; i < num; i++)
4019 {
4020 png_uint_16p sub_table = table[i] =
4021 (png_uint_16p)png_malloc(png_ptr, 256 * (sizeof (png_uint_16)));
4022
4023 /* The 'threshold' test is repeated here because it can arise for one of
4024 * the 16-bit tables even if the others don't hit it.
4025 */
4026 if (png_gamma_significant(gamma_val) != 0)
4027 {
4028 /* The old code would overflow at the end and this would cause the
4029 * 'pow' function to return a result >1, resulting in an
4030 * arithmetic error. This code follows the spec exactly; ig is
4031 * the recovered input sample, it always has 8-16 bits.
4032 *
4033 * We want input * 65535/max, rounded, the arithmetic fits in 32
4034 * bits (unsigned) so long as max <= 32767.
4035 */
4036 unsigned int j;
4037 for (j = 0; j < 256; j++)
4038 {
4039 png_uint_32 ig = (j << (8-shift)) + i;
4040 # ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED
4041 /* Inline the 'max' scaling operation: */
4042 /* See png_gamma_8bit_correct for why the cast to (int) is
4043 * required here.
4044 */
4045 double d = floor(65535.*pow(ig*fmax, gamma_val*.00001)+.5);
4046 sub_table[j] = (png_uint_16)d;
4047 # else
4048 if (shift != 0)
4049 ig = (ig * 65535U + max_by_2)/max;
4050
4051 sub_table[j] = png_gamma_16bit_correct(ig, gamma_val);
4052 # endif
4053 }
4054 }
4055 else
4056 {
4057 /* We must still build a table, but do it the fast way. */
4058 unsigned int j;
4059
4060 for (j = 0; j < 256; j++)
4061 {
4062 png_uint_32 ig = (j << (8-shift)) + i;
4063
4064 if (shift != 0)
4065 ig = (ig * 65535U + max_by_2)/max;
4066
4067 sub_table[j] = (png_uint_16)ig;
4068 }
4069 }
4070 }
4071 }
4072
4073 /* NOTE: this function expects the *inverse* of the overall gamma transformation
4074 * required.
4075 */
4076 static void
4077 png_build_16to8_table(png_structrp png_ptr, png_uint_16pp *ptable,
4078 unsigned int shift, png_fixed_point gamma_val)
4079 {
4080 unsigned int num = 1U << (8U - shift);
4081 unsigned int max = (1U << (16U - shift))-1U;
4082 unsigned int i;
4083 png_uint_32 last;
4084
4085 png_uint_16pp table = *ptable =
4086 (png_uint_16pp)png_calloc(png_ptr, num * (sizeof (png_uint_16p)));
4087
4088 /* 'num' is the number of tables and also the number of low bits of low
4089 * bits of the input 16-bit value used to select a table. Each table is
4090 * itself indexed by the high 8 bits of the value.
4091 */
4092 for (i = 0; i < num; i++)
4093 table[i] = (png_uint_16p)png_malloc(png_ptr,
4094 256 * (sizeof (png_uint_16)));
4095
4096 /* 'gamma_val' is set to the reciprocal of the value calculated above, so
4097 * pow(out,g) is an *input* value. 'last' is the last input value set.
4098 *
4099 * In the loop 'i' is used to find output values. Since the output is
4100 * 8-bit there are only 256 possible values. The tables are set up to
4101 * select the closest possible output value for each input by finding
4102 * the input value at the boundary between each pair of output values
4103 * and filling the table up to that boundary with the lower output
4104 * value.
4105 *
4106 * The boundary values are 0.5,1.5..253.5,254.5. Since these are 9-bit
4107 * values the code below uses a 16-bit value in i; the values start at
4108 * 128.5 (for 0.5) and step by 257, for a total of 254 values (the last
4109 * entries are filled with 255). Start i at 128 and fill all 'last'
4110 * table entries <= 'max'
4111 */
4112 last = 0;
4113 for (i = 0; i < 255; ++i) /* 8-bit output value */
4114 {
4115 /* Find the corresponding maximum input value */
4116 png_uint_16 out = (png_uint_16)(i * 257U); /* 16-bit output value */
4117
4118 /* Find the boundary value in 16 bits: */
4119 png_uint_32 bound = png_gamma_16bit_correct(out+128U, gamma_val);
4120
4121 /* Adjust (round) to (16-shift) bits: */
4122 bound = (bound * max + 32768U)/65535U + 1U;
4123
4124 while (last < bound)
4125 {
4126 table[last & (0xffU >> shift)][last >> (8U - shift)] = out;
4127 last++;
4128 }
4129 }
4130
4131 /* And fill in the final entries. */
4132 while (last < (num << 8))
4133 {
4134 table[last & (0xff >> shift)][last >> (8U - shift)] = 65535U;
4135 last++;
4136 }
4137 }
4138 #endif /* 16BIT */
4139
4140 /* Build a single 8-bit table: same as the 16-bit case but much simpler (and
4141 * typically much faster). Note that libpng currently does no sBIT processing
4142 * (apparently contrary to the spec) so a 256-entry table is always generated.
4143 */
4144 static void
4145 png_build_8bit_table(png_structrp png_ptr, png_bytepp ptable,
4146 png_fixed_point gamma_val)
4147 {
4148 unsigned int i;
4149 png_bytep table = *ptable = (png_bytep)png_malloc(png_ptr, 256);
4150
4151 if (png_gamma_significant(gamma_val) != 0)
4152 for (i=0; i<256; i++)
4153 table[i] = png_gamma_8bit_correct(i, gamma_val);
4154
4155 else
4156 for (i=0; i<256; ++i)
4157 table[i] = (png_byte)(i & 0xff);
4158 }
4159
4160 /* Used from png_read_destroy and below to release the memory used by the gamma
4161 * tables.
4162 */
4163 void /* PRIVATE */
4164 png_destroy_gamma_table(png_structrp png_ptr)
4165 {
4166 png_free(png_ptr, png_ptr->gamma_table);
4167 png_ptr->gamma_table = NULL;
4168
4169 #ifdef PNG_16BIT_SUPPORTED
4170 if (png_ptr->gamma_16_table != NULL)
4171 {
4172 int i;
4173 int istop = (1 << (8 - png_ptr->gamma_shift));
4174 for (i = 0; i < istop; i++)
4175 {
4176 png_free(png_ptr, png_ptr->gamma_16_table[i]);
4177 }
4178 png_free(png_ptr, png_ptr->gamma_16_table);
4179 png_ptr->gamma_16_table = NULL;
4180 }
4181 #endif /* 16BIT */
4182
4183 #if defined(PNG_READ_BACKGROUND_SUPPORTED) || \
4184 defined(PNG_READ_ALPHA_MODE_SUPPORTED) || \
4185 defined(PNG_READ_RGB_TO_GRAY_SUPPORTED)
4186 png_free(png_ptr, png_ptr->gamma_from_1);
4187 png_ptr->gamma_from_1 = NULL;
4188 png_free(png_ptr, png_ptr->gamma_to_1);
4189 png_ptr->gamma_to_1 = NULL;
4190
4191 #ifdef PNG_16BIT_SUPPORTED
4192 if (png_ptr->gamma_16_from_1 != NULL)
4193 {
4194 int i;
4195 int istop = (1 << (8 - png_ptr->gamma_shift));
4196 for (i = 0; i < istop; i++)
4197 {
4198 png_free(png_ptr, png_ptr->gamma_16_from_1[i]);
4199 }
4200 png_free(png_ptr, png_ptr->gamma_16_from_1);
4201 png_ptr->gamma_16_from_1 = NULL;
4202 }
4203 if (png_ptr->gamma_16_to_1 != NULL)
4204 {
4205 int i;
4206 int istop = (1 << (8 - png_ptr->gamma_shift));
4207 for (i = 0; i < istop; i++)
4208 {
4209 png_free(png_ptr, png_ptr->gamma_16_to_1[i]);
4210 }
4211 png_free(png_ptr, png_ptr->gamma_16_to_1);
4212 png_ptr->gamma_16_to_1 = NULL;
4213 }
4214 #endif /* 16BIT */
4215 #endif /* READ_BACKGROUND || READ_ALPHA_MODE || RGB_TO_GRAY */
4216 }
4217
4218 /* We build the 8- or 16-bit gamma tables here. Note that for 16-bit
4219 * tables, we don't make a full table if we are reducing to 8-bit in
4220 * the future. Note also how the gamma_16 tables are segmented so that
4221 * we don't need to allocate > 64K chunks for a full 16-bit table.
4222 */
4223 void /* PRIVATE */
4224 png_build_gamma_table(png_structrp png_ptr, int bit_depth)
4225 {
4226 png_debug(1, "in png_build_gamma_table");
4227
4228 /* Remove any existing table; this copes with multiple calls to
4229 * png_read_update_info. The warning is because building the gamma tables
4230 * multiple times is a performance hit - it's harmless but the ability to
4231 * call png_read_update_info() multiple times is new in 1.5.6 so it seems
4232 * sensible to warn if the app introduces such a hit.
4233 */
4234 if (png_ptr->gamma_table != NULL || png_ptr->gamma_16_table != NULL)
4235 {
4236 png_warning(png_ptr, "gamma table being rebuilt");
4237 png_destroy_gamma_table(png_ptr);
4238 }
4239
4240 if (bit_depth <= 8)
4241 {
4242 png_build_8bit_table(png_ptr, &png_ptr->gamma_table,
4243 png_ptr->screen_gamma > 0 ?
4244 png_reciprocal2(png_ptr->colorspace.gamma,
4245 png_ptr->screen_gamma) : PNG_FP_1);
4246
4247 #if defined(PNG_READ_BACKGROUND_SUPPORTED) || \
4248 defined(PNG_READ_ALPHA_MODE_SUPPORTED) || \
4249 defined(PNG_READ_RGB_TO_GRAY_SUPPORTED)
4250 if ((png_ptr->transformations & (PNG_COMPOSE | PNG_RGB_TO_GRAY)) != 0)
4251 {
4252 png_build_8bit_table(png_ptr, &png_ptr->gamma_to_1,
4253 png_reciprocal(png_ptr->colorspace.gamma));
4254
4255 png_build_8bit_table(png_ptr, &png_ptr->gamma_from_1,
4256 png_ptr->screen_gamma > 0 ?
4257 png_reciprocal(png_ptr->screen_gamma) :
4258 png_ptr->colorspace.gamma/* Probably doing rgb_to_gray */);
4259 }
4260 #endif /* READ_BACKGROUND || READ_ALPHA_MODE || RGB_TO_GRAY */
4261 }
4262 #ifdef PNG_16BIT_SUPPORTED
4263 else
4264 {
4265 png_byte shift, sig_bit;
4266
4267 if ((png_ptr->color_type & PNG_COLOR_MASK_COLOR) != 0)
4268 {
4269 sig_bit = png_ptr->sig_bit.red;
4270
4271 if (png_ptr->sig_bit.green > sig_bit)
4272 sig_bit = png_ptr->sig_bit.green;
4273
4274 if (png_ptr->sig_bit.blue > sig_bit)
4275 sig_bit = png_ptr->sig_bit.blue;
4276 }
4277 else
4278 sig_bit = png_ptr->sig_bit.gray;
4279
4280 /* 16-bit gamma code uses this equation:
4281 *
4282 * ov = table[(iv & 0xff) >> gamma_shift][iv >> 8]
4283 *
4284 * Where 'iv' is the input color value and 'ov' is the output value -
4285 * pow(iv, gamma).
4286 *
4287 * Thus the gamma table consists of up to 256 256-entry tables. The table
4288 * is selected by the (8-gamma_shift) most significant of the low 8 bits
4289 * of the color value then indexed by the upper 8 bits:
4290 *
4291 * table[low bits][high 8 bits]
4292 *
4293 * So the table 'n' corresponds to all those 'iv' of:
4294 *
4295 * <all high 8-bit values><n << gamma_shift>..<(n+1 << gamma_shift)-1>
4296 *
4297 */
4298 if (sig_bit > 0 && sig_bit < 16U)
4299 /* shift == insignificant bits */
4300 shift = (png_byte)((16U - sig_bit) & 0xff);
4301
4302 else
4303 shift = 0; /* keep all 16 bits */
4304
4305 if ((png_ptr->transformations & (PNG_16_TO_8 | PNG_SCALE_16_TO_8)) != 0)
4306 {
4307 /* PNG_MAX_GAMMA_8 is the number of bits to keep - effectively
4308 * the significant bits in the *input* when the output will
4309 * eventually be 8 bits. By default it is 11.
4310 */
4311 if (shift < (16U - PNG_MAX_GAMMA_8))
4312 shift = (16U - PNG_MAX_GAMMA_8);
4313 }
4314
4315 if (shift > 8U)
4316 shift = 8U; /* Guarantees at least one table! */
4317
4318 png_ptr->gamma_shift = shift;
4319
4320 /* NOTE: prior to 1.5.4 this test used to include PNG_BACKGROUND (now
4321 * PNG_COMPOSE). This effectively smashed the background calculation for
4322 * 16-bit output because the 8-bit table assumes the result will be
4323 * reduced to 8 bits.
4324 */
4325 if ((png_ptr->transformations & (PNG_16_TO_8 | PNG_SCALE_16_TO_8)) != 0)
4326 png_build_16to8_table(png_ptr, &png_ptr->gamma_16_table, shift,
4327 png_ptr->screen_gamma > 0 ? png_product2(png_ptr->colorspace.gamma,
4328 png_ptr->screen_gamma) : PNG_FP_1);
4329
4330 else
4331 png_build_16bit_table(png_ptr, &png_ptr->gamma_16_table, shift,
4332 png_ptr->screen_gamma > 0 ? png_reciprocal2(png_ptr->colorspace.gamma,
4333 png_ptr->screen_gamma) : PNG_FP_1);
4334
4335 #if defined(PNG_READ_BACKGROUND_SUPPORTED) || \
4336 defined(PNG_READ_ALPHA_MODE_SUPPORTED) || \
4337 defined(PNG_READ_RGB_TO_GRAY_SUPPORTED)
4338 if ((png_ptr->transformations & (PNG_COMPOSE | PNG_RGB_TO_GRAY)) != 0)
4339 {
4340 png_build_16bit_table(png_ptr, &png_ptr->gamma_16_to_1, shift,
4341 png_reciprocal(png_ptr->colorspace.gamma));
4342
4343 /* Notice that the '16 from 1' table should be full precision, however
4344 * the lookup on this table still uses gamma_shift, so it can't be.
4345 * TODO: fix this.
4346 */
4347 png_build_16bit_table(png_ptr, &png_ptr->gamma_16_from_1, shift,
4348 png_ptr->screen_gamma > 0 ? png_reciprocal(png_ptr->screen_gamma) :
4349 png_ptr->colorspace.gamma/* Probably doing rgb_to_gray */);
4350 }
4351 #endif /* READ_BACKGROUND || READ_ALPHA_MODE || RGB_TO_GRAY */
4352 }
4353 #endif /* 16BIT */
4354 }
4355 #endif /* READ_GAMMA */
4356
4357 /* HARDWARE OR SOFTWARE OPTION SUPPORT */
4358 #ifdef PNG_SET_OPTION_SUPPORTED
4359 int PNGAPI
4360 png_set_option(png_structrp png_ptr, int option, int onoff)
4361 {
4362 if (png_ptr != NULL && option >= 0 && option < PNG_OPTION_NEXT &&
4363 (option & 1) == 0)
4364 {
4365 png_uint_32 mask = 3U << option;
4366 png_uint_32 setting = (2U + (onoff != 0)) << option;
4367 png_uint_32 current = png_ptr->options;
4368
4369 png_ptr->options = (png_uint_32)((current & ~mask) | setting);
4370
4371 return (int)(current & mask) >> option;
4372 }
4373
4374 return PNG_OPTION_INVALID;
4375 }
4376 #endif
4377
4378 /* sRGB support */
4379 #if defined(PNG_SIMPLIFIED_READ_SUPPORTED) ||\
4380 defined(PNG_SIMPLIFIED_WRITE_SUPPORTED)
4381 /* sRGB conversion tables; these are machine generated with the code in
4382 * contrib/tools/makesRGB.c. The actual sRGB transfer curve defined in the
4383 * specification (see the article at https://en.wikipedia.org/wiki/SRGB)
4384 * is used, not the gamma=1/2.2 approximation use elsewhere in libpng.
4385 * The sRGB to linear table is exact (to the nearest 16-bit linear fraction).
4386 * The inverse (linear to sRGB) table has accuracies as follows:
4387 *
4388 * For all possible (255*65535+1) input values:
4389 *
4390 * error: -0.515566 - 0.625971, 79441 (0.475369%) of readings inexact
4391 *
4392 * For the input values corresponding to the 65536 16-bit values:
4393 *
4394 * error: -0.513727 - 0.607759, 308 (0.469978%) of readings inexact
4395 *
4396 * In all cases the inexact readings are only off by one.
4397 */
4398
4399 #ifdef PNG_SIMPLIFIED_READ_SUPPORTED
4400 /* The convert-to-sRGB table is only currently required for read. */
4401 const png_uint_16 png_sRGB_table[256] =
4402 {
4403 0,20,40,60,80,99,119,139,
4404 159,179,199,219,241,264,288,313,
4405 340,367,396,427,458,491,526,562,
4406 599,637,677,718,761,805,851,898,
4407 947,997,1048,1101,1156,1212,1270,1330,
4408 1391,1453,1517,1583,1651,1720,1790,1863,
4409 1937,2013,2090,2170,2250,2333,2418,2504,
4410 2592,2681,2773,2866,2961,3058,3157,3258,
4411 3360,3464,3570,3678,3788,3900,4014,4129,
4412 4247,4366,4488,4611,4736,4864,4993,5124,
4413 5257,5392,5530,5669,5810,5953,6099,6246,
4414 6395,6547,6700,6856,7014,7174,7335,7500,
4415 7666,7834,8004,8177,8352,8528,8708,8889,
4416 9072,9258,9445,9635,9828,10022,10219,10417,
4417 10619,10822,11028,11235,11446,11658,11873,12090,
4418 12309,12530,12754,12980,13209,13440,13673,13909,
4419 14146,14387,14629,14874,15122,15371,15623,15878,
4420 16135,16394,16656,16920,17187,17456,17727,18001,
4421 18277,18556,18837,19121,19407,19696,19987,20281,
4422 20577,20876,21177,21481,21787,22096,22407,22721,
4423 23038,23357,23678,24002,24329,24658,24990,25325,
4424 25662,26001,26344,26688,27036,27386,27739,28094,
4425 28452,28813,29176,29542,29911,30282,30656,31033,
4426 31412,31794,32179,32567,32957,33350,33745,34143,
4427 34544,34948,35355,35764,36176,36591,37008,37429,
4428 37852,38278,38706,39138,39572,40009,40449,40891,
4429 41337,41785,42236,42690,43147,43606,44069,44534,
4430 45002,45473,45947,46423,46903,47385,47871,48359,
4431 48850,49344,49841,50341,50844,51349,51858,52369,
4432 52884,53401,53921,54445,54971,55500,56032,56567,
4433 57105,57646,58190,58737,59287,59840,60396,60955,
4434 61517,62082,62650,63221,63795,64372,64952,65535
4435 };
4436 #endif /* SIMPLIFIED_READ */
4437
4438 /* The base/delta tables are required for both read and write (but currently
4439 * only the simplified versions.)
4440 */
4441 const png_uint_16 png_sRGB_base[512] =
4442 {
4443 128,1782,3383,4644,5675,6564,7357,8074,
4444 8732,9346,9921,10463,10977,11466,11935,12384,
4445 12816,13233,13634,14024,14402,14769,15125,15473,
4446 15812,16142,16466,16781,17090,17393,17690,17981,
4447 18266,18546,18822,19093,19359,19621,19879,20133,
4448 20383,20630,20873,21113,21349,21583,21813,22041,
4449 22265,22487,22707,22923,23138,23350,23559,23767,
4450 23972,24175,24376,24575,24772,24967,25160,25352,
4451 25542,25730,25916,26101,26284,26465,26645,26823,
4452 27000,27176,27350,27523,27695,27865,28034,28201,
4453 28368,28533,28697,28860,29021,29182,29341,29500,
4454 29657,29813,29969,30123,30276,30429,30580,30730,
4455 30880,31028,31176,31323,31469,31614,31758,31902,
4456 32045,32186,32327,32468,32607,32746,32884,33021,
4457 33158,33294,33429,33564,33697,33831,33963,34095,
4458 34226,34357,34486,34616,34744,34873,35000,35127,
4459 35253,35379,35504,35629,35753,35876,35999,36122,
4460 36244,36365,36486,36606,36726,36845,36964,37083,
4461 37201,37318,37435,37551,37668,37783,37898,38013,
4462 38127,38241,38354,38467,38580,38692,38803,38915,
4463 39026,39136,39246,39356,39465,39574,39682,39790,
4464 39898,40005,40112,40219,40325,40431,40537,40642,
4465 40747,40851,40955,41059,41163,41266,41369,41471,
4466 41573,41675,41777,41878,41979,42079,42179,42279,
4467 42379,42478,42577,42676,42775,42873,42971,43068,
4468 43165,43262,43359,43456,43552,43648,43743,43839,
4469 43934,44028,44123,44217,44311,44405,44499,44592,
4470 44685,44778,44870,44962,45054,45146,45238,45329,
4471 45420,45511,45601,45692,45782,45872,45961,46051,
4472 46140,46229,46318,46406,46494,46583,46670,46758,
4473 46846,46933,47020,47107,47193,47280,47366,47452,
4474 47538,47623,47709,47794,47879,47964,48048,48133,
4475 48217,48301,48385,48468,48552,48635,48718,48801,
4476 48884,48966,49048,49131,49213,49294,49376,49458,
4477 49539,49620,49701,49782,49862,49943,50023,50103,
4478 50183,50263,50342,50422,50501,50580,50659,50738,
4479 50816,50895,50973,51051,51129,51207,51285,51362,
4480 51439,51517,51594,51671,51747,51824,51900,51977,
4481 52053,52129,52205,52280,52356,52432,52507,52582,
4482 52657,52732,52807,52881,52956,53030,53104,53178,
4483 53252,53326,53400,53473,53546,53620,53693,53766,
4484 53839,53911,53984,54056,54129,54201,54273,54345,
4485 54417,54489,54560,54632,54703,54774,54845,54916,
4486 54987,55058,55129,55199,55269,55340,55410,55480,
4487 55550,55620,55689,55759,55828,55898,55967,56036,
4488 56105,56174,56243,56311,56380,56448,56517,56585,
4489 56653,56721,56789,56857,56924,56992,57059,57127,
4490 57194,57261,57328,57395,57462,57529,57595,57662,
4491 57728,57795,57861,57927,57993,58059,58125,58191,
4492 58256,58322,58387,58453,58518,58583,58648,58713,
4493 58778,58843,58908,58972,59037,59101,59165,59230,
4494 59294,59358,59422,59486,59549,59613,59677,59740,
4495 59804,59867,59930,59993,60056,60119,60182,60245,
4496 60308,60370,60433,60495,60558,60620,60682,60744,
4497 60806,60868,60930,60992,61054,61115,61177,61238,
4498 61300,61361,61422,61483,61544,61605,61666,61727,
4499 61788,61848,61909,61969,62030,62090,62150,62211,
4500 62271,62331,62391,62450,62510,62570,62630,62689,
4501 62749,62808,62867,62927,62986,63045,63104,63163,
4502 63222,63281,63340,63398,63457,63515,63574,63632,
4503 63691,63749,63807,63865,63923,63981,64039,64097,
4504 64155,64212,64270,64328,64385,64443,64500,64557,
4505 64614,64672,64729,64786,64843,64900,64956,65013,
4506 65070,65126,65183,65239,65296,65352,65409,65465
4507 };
4508
4509 const png_byte png_sRGB_delta[512] =
4510 {
4511 207,201,158,129,113,100,90,82,77,72,68,64,61,59,56,54,
4512 52,50,49,47,46,45,43,42,41,40,39,39,38,37,36,36,
4513 35,34,34,33,33,32,32,31,31,30,30,30,29,29,28,28,
4514 28,27,27,27,27,26,26,26,25,25,25,25,24,24,24,24,
4515 23,23,23,23,23,22,22,22,22,22,22,21,21,21,21,21,
4516 21,20,20,20,20,20,20,20,20,19,19,19,19,19,19,19,
4517 19,18,18,18,18,18,18,18,18,18,18,17,17,17,17,17,
4518 17,17,17,17,17,17,16,16,16,16,16,16,16,16,16,16,
4519 16,16,16,16,15,15,15,15,15,15,15,15,15,15,15,15,
4520 15,15,15,15,14,14,14,14,14,14,14,14,14,14,14,14,
4521 14,14,14,14,14,14,14,13,13,13,13,13,13,13,13,13,
4522 13,13,13,13,13,13,13,13,13,13,13,13,13,13,12,12,
4523 12,12,12,12,12,12,12,12,12,12,12,12,12,12,12,12,
4524 12,12,12,12,12,12,12,12,12,12,12,12,11,11,11,11,
4525 11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,
4526 11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,
4527 11,10,10,10,10,10,10,10,10,10,10,10,10,10,10,10,
4528 10,10,10,10,10,10,10,10,10,10,10,10,10,10,10,10,
4529 10,10,10,10,10,10,10,10,10,10,10,10,10,10,10,10,
4530 10,9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,
4531 9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,
4532 9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,
4533 9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,
4534 9,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,
4535 8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,
4536 8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,
4537 8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,
4538 8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,
4539 8,8,8,8,8,8,8,8,8,7,7,7,7,7,7,7,
4540 7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,
4541 7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,
4542 7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,7
4543 };
4544 #endif /* SIMPLIFIED READ/WRITE sRGB support */
4545
4546 /* SIMPLIFIED READ/WRITE SUPPORT */
4547 #if defined(PNG_SIMPLIFIED_READ_SUPPORTED) ||\
4548 defined(PNG_SIMPLIFIED_WRITE_SUPPORTED)
4549 static int
4550 png_image_free_function(png_voidp argument)
4551 {
4552 png_imagep image = png_voidcast(png_imagep, argument);
4553 png_controlp cp = image->opaque;
4554 png_control c;
4555
4556 /* Double check that we have a png_ptr - it should be impossible to get here
4557 * without one.
4558 */
4559 if (cp->png_ptr == NULL)
4560 return 0;
4561
4562 /* First free any data held in the control structure. */
4563 # ifdef PNG_STDIO_SUPPORTED
4564 if (cp->owned_file != 0)
4565 {
4566 FILE *fp = png_voidcast(FILE*, cp->png_ptr->io_ptr);
4567 cp->owned_file = 0;
4568
4569 /* Ignore errors here. */
4570 if (fp != NULL)
4571 {
4572 cp->png_ptr->io_ptr = NULL;
4573 (void)fclose(fp);
4574 }
4575 }
4576 # endif
4577
4578 /* Copy the control structure so that the original, allocated, version can be
4579 * safely freed. Notice that a png_error here stops the remainder of the
4580 * cleanup, but this is probably fine because that would indicate bad memory
4581 * problems anyway.
4582 */
4583 c = *cp;
4584 image->opaque = &c;
4585 png_free(c.png_ptr, cp);
4586
4587 /* Then the structures, calling the correct API. */
4588 if (c.for_write != 0)
4589 {
4590 # ifdef PNG_SIMPLIFIED_WRITE_SUPPORTED
4591 png_destroy_write_struct(&c.png_ptr, &c.info_ptr);
4592 # else
4593 png_error(c.png_ptr, "simplified write not supported");
4594 # endif
4595 }
4596 else
4597 {
4598 # ifdef PNG_SIMPLIFIED_READ_SUPPORTED
4599 png_destroy_read_struct(&c.png_ptr, &c.info_ptr, NULL);
4600 # else
4601 png_error(c.png_ptr, "simplified read not supported");
4602 # endif
4603 }
4604
4605 /* Success. */
4606 return 1;
4607 }
4608
4609 void PNGAPI
4610 png_image_free(png_imagep image)
4611 {
4612 /* Safely call the real function, but only if doing so is safe at this point
4613 * (if not inside an error handling context). Otherwise assume
4614 * png_safe_execute will call this API after the return.
4615 */
4616 if (image != NULL && image->opaque != NULL &&
4617 image->opaque->error_buf == NULL)
4618 {
4619 png_image_free_function(image);
4620 image->opaque = NULL;
4621 }
4622 }
4623
4624 int /* PRIVATE */
4625 png_image_error(png_imagep image, png_const_charp error_message)
4626 {
4627 /* Utility to log an error. */
4628 png_safecat(image->message, (sizeof image->message), 0, error_message);
4629 image->warning_or_error |= PNG_IMAGE_ERROR;
4630 png_image_free(image);
4631 return 0;
4632 }
4633
4634 #endif /* SIMPLIFIED READ/WRITE */
4635 #endif /* READ || WRITE */