rev 55557 : 8217676: Upgrade libpng to 1.6.37
Reviewed-by: prr, jdv

   1 /*
   2  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
   3  *
   4  * This code is free software; you can redistribute it and/or modify it
   5  * under the terms of the GNU General Public License version 2 only, as
   6  * published by the Free Software Foundation.  Oracle designates this
   7  * particular file as subject to the "Classpath" exception as provided
   8  * by Oracle in the LICENSE file that accompanied this code.
   9  *
  10  * This code is distributed in the hope that it will be useful, but WITHOUT
  11  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  12  * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  13  * version 2 for more details (a copy is included in the LICENSE file that
  14  * accompanied this code).
  15  *
  16  * You should have received a copy of the GNU General Public License version
  17  * 2 along with this work; if not, write to the Free Software Foundation,
  18  * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
  19  *
  20  * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
  21  * or visit www.oracle.com if you need additional information or have any
  22  * questions.
  23  */
  24 
  25 /* png.c - location for general purpose libpng functions
  26  *
  27  * This file is available under and governed by the GNU General Public
  28  * License version 2 only, as published by the Free Software Foundation.
  29  * However, the following notice accompanied the original version of this
  30  * file and, per its terms, should not be removed:
  31  *
  32  * Last changed in libpng 1.6.35 [July 15, 2018]
  33  * Copyright (c) 1998-2002,2004,2006-2018 Glenn Randers-Pehrson
  34  * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
  35  * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
  36  *
  37  * This code is released under the libpng license.
  38  * For conditions of distribution and use, see the disclaimer
  39  * and license in png.h
  40  */
  41 
  42 #include "pngpriv.h"
  43 
  44 /* Generate a compiler error if there is an old png.h in the search path. */
  45 typedef png_libpng_version_1_6_35 Your_png_h_is_not_version_1_6_35;
  46 
  47 #ifdef __GNUC__
  48 /* The version tests may need to be added to, but the problem warning has
  49  * consistently been fixed in GCC versions which obtain wide-spread release.
  50  * The problem is that many versions of GCC rearrange comparison expressions in
  51  * the optimizer in such a way that the results of the comparison will change
  52  * if signed integer overflow occurs.  Such comparisons are not permitted in
  53  * ANSI C90, however GCC isn't clever enough to work out that that do not occur
  54  * below in png_ascii_from_fp and png_muldiv, so it produces a warning with
  55  * -Wextra.  Unfortunately this is highly dependent on the optimizer and the
  56  * machine architecture so the warning comes and goes unpredictably and is
  57  * impossible to "fix", even were that a good idea.
  58  */
  59 #if __GNUC__ == 7 && __GNUC_MINOR__ == 1
  60 #define GCC_STRICT_OVERFLOW 1
  61 #endif /* GNU 7.1.x */
  62 #endif /* GNU */
  63 #ifndef GCC_STRICT_OVERFLOW
  64 #define GCC_STRICT_OVERFLOW 0
  65 #endif
  66 
  67 /* Tells libpng that we have already handled the first "num_bytes" bytes
  68  * of the PNG file signature.  If the PNG data is embedded into another
  69  * stream we can set num_bytes = 8 so that libpng will not attempt to read
  70  * or write any of the magic bytes before it starts on the IHDR.
  71  */
  72 
  73 #ifdef PNG_READ_SUPPORTED
  74 void PNGAPI
  75 png_set_sig_bytes(png_structrp png_ptr, int num_bytes)
  76 {
  77    unsigned int nb = (unsigned int)num_bytes;
  78 
  79    png_debug(1, "in png_set_sig_bytes");
  80 
  81    if (png_ptr == NULL)
  82       return;
  83 
  84    if (num_bytes < 0)
  85       nb = 0;
  86 
  87    if (nb > 8)
  88       png_error(png_ptr, "Too many bytes for PNG signature");
  89 
  90    png_ptr->sig_bytes = (png_byte)nb;
  91 }
  92 
  93 /* Checks whether the supplied bytes match the PNG signature.  We allow
  94  * checking less than the full 8-byte signature so that those apps that
  95  * already read the first few bytes of a file to determine the file type
  96  * can simply check the remaining bytes for extra assurance.  Returns
  97  * an integer less than, equal to, or greater than zero if sig is found,
  98  * respectively, to be less than, to match, or be greater than the correct
  99  * PNG signature (this is the same behavior as strcmp, memcmp, etc).
 100  */
 101 int PNGAPI
 102 png_sig_cmp(png_const_bytep sig, size_t start, size_t num_to_check)
 103 {
 104    png_byte png_signature[8] = {137, 80, 78, 71, 13, 10, 26, 10};
 105 
 106    if (num_to_check > 8)
 107       num_to_check = 8;
 108 
 109    else if (num_to_check < 1)
 110       return (-1);
 111 
 112    if (start > 7)
 113       return (-1);
 114 
 115    if (start + num_to_check > 8)
 116       num_to_check = 8 - start;
 117 
 118    return ((int)(memcmp(&sig[start], &png_signature[start], num_to_check)));
 119 }
 120 
 121 #endif /* READ */
 122 
 123 #if defined(PNG_READ_SUPPORTED) || defined(PNG_WRITE_SUPPORTED)
 124 /* Function to allocate memory for zlib */
 125 PNG_FUNCTION(voidpf /* PRIVATE */,
 126 png_zalloc,(voidpf png_ptr, uInt items, uInt size),PNG_ALLOCATED)
 127 {
 128    png_alloc_size_t num_bytes = size;
 129 
 130    if (png_ptr == NULL)
 131       return NULL;
 132 
 133    if (items >= (~(png_alloc_size_t)0)/size)
 134    {
 135       png_warning (png_voidcast(png_structrp, png_ptr),
 136           "Potential overflow in png_zalloc()");
 137       return NULL;
 138    }
 139 
 140    num_bytes *= items;
 141    return png_malloc_warn(png_voidcast(png_structrp, png_ptr), num_bytes);
 142 }
 143 
 144 /* Function to free memory for zlib */
 145 void /* PRIVATE */
 146 png_zfree(voidpf png_ptr, voidpf ptr)
 147 {
 148    png_free(png_voidcast(png_const_structrp,png_ptr), ptr);
 149 }
 150 
 151 /* Reset the CRC variable to 32 bits of 1's.  Care must be taken
 152  * in case CRC is > 32 bits to leave the top bits 0.
 153  */
 154 void /* PRIVATE */
 155 png_reset_crc(png_structrp png_ptr)
 156 {
 157    /* The cast is safe because the crc is a 32-bit value. */
 158    png_ptr->crc = (png_uint_32)crc32(0, Z_NULL, 0);
 159 }
 160 
 161 /* Calculate the CRC over a section of data.  We can only pass as
 162  * much data to this routine as the largest single buffer size.  We
 163  * also check that this data will actually be used before going to the
 164  * trouble of calculating it.
 165  */
 166 void /* PRIVATE */
 167 png_calculate_crc(png_structrp png_ptr, png_const_bytep ptr, size_t length)
 168 {
 169    int need_crc = 1;
 170 
 171    if (PNG_CHUNK_ANCILLARY(png_ptr->chunk_name) != 0)
 172    {
 173       if ((png_ptr->flags & PNG_FLAG_CRC_ANCILLARY_MASK) ==
 174           (PNG_FLAG_CRC_ANCILLARY_USE | PNG_FLAG_CRC_ANCILLARY_NOWARN))
 175          need_crc = 0;
 176    }
 177 
 178    else /* critical */
 179    {
 180       if ((png_ptr->flags & PNG_FLAG_CRC_CRITICAL_IGNORE) != 0)
 181          need_crc = 0;
 182    }
 183 
 184    /* 'uLong' is defined in zlib.h as unsigned long; this means that on some
 185     * systems it is a 64-bit value.  crc32, however, returns 32 bits so the
 186     * following cast is safe.  'uInt' may be no more than 16 bits, so it is
 187     * necessary to perform a loop here.
 188     */
 189    if (need_crc != 0 && length > 0)
 190    {
 191       uLong crc = png_ptr->crc; /* Should never issue a warning */
 192 
 193       do
 194       {
 195          uInt safe_length = (uInt)length;
 196 #ifndef __COVERITY__
 197          if (safe_length == 0)
 198             safe_length = (uInt)-1; /* evil, but safe */
 199 #endif
 200 
 201          crc = crc32(crc, ptr, safe_length);
 202 
 203          /* The following should never issue compiler warnings; if they do the
 204           * target system has characteristics that will probably violate other
 205           * assumptions within the libpng code.
 206           */
 207          ptr += safe_length;
 208          length -= safe_length;
 209       }
 210       while (length > 0);
 211 
 212       /* And the following is always safe because the crc is only 32 bits. */
 213       png_ptr->crc = (png_uint_32)crc;
 214    }
 215 }
 216 
 217 /* Check a user supplied version number, called from both read and write
 218  * functions that create a png_struct.
 219  */
 220 int
 221 png_user_version_check(png_structrp png_ptr, png_const_charp user_png_ver)
 222 {
 223    /* Libpng versions 1.0.0 and later are binary compatible if the version
 224     * string matches through the second '.'; we must recompile any
 225     * applications that use any older library version.
 226     */
 227 
 228    if (user_png_ver != NULL)
 229    {
 230       int i = -1;
 231       int found_dots = 0;
 232 
 233       do
 234       {
 235          i++;
 236          if (user_png_ver[i] != PNG_LIBPNG_VER_STRING[i])
 237             png_ptr->flags |= PNG_FLAG_LIBRARY_MISMATCH;
 238          if (user_png_ver[i] == '.')
 239             found_dots++;
 240       } while (found_dots < 2 && user_png_ver[i] != 0 &&
 241             PNG_LIBPNG_VER_STRING[i] != 0);
 242    }
 243 
 244    else
 245       png_ptr->flags |= PNG_FLAG_LIBRARY_MISMATCH;
 246 
 247    if ((png_ptr->flags & PNG_FLAG_LIBRARY_MISMATCH) != 0)
 248    {
 249 #ifdef PNG_WARNINGS_SUPPORTED
 250       size_t pos = 0;
 251       char m[128];
 252 
 253       pos = png_safecat(m, (sizeof m), pos,
 254           "Application built with libpng-");
 255       pos = png_safecat(m, (sizeof m), pos, user_png_ver);
 256       pos = png_safecat(m, (sizeof m), pos, " but running with ");
 257       pos = png_safecat(m, (sizeof m), pos, PNG_LIBPNG_VER_STRING);
 258       PNG_UNUSED(pos)
 259 
 260       png_warning(png_ptr, m);
 261 #endif
 262 
 263 #ifdef PNG_ERROR_NUMBERS_SUPPORTED
 264       png_ptr->flags = 0;
 265 #endif
 266 
 267       return 0;
 268    }
 269 
 270    /* Success return. */
 271    return 1;
 272 }
 273 
 274 /* Generic function to create a png_struct for either read or write - this
 275  * contains the common initialization.
 276  */
 277 PNG_FUNCTION(png_structp /* PRIVATE */,
 278 png_create_png_struct,(png_const_charp user_png_ver, png_voidp error_ptr,
 279     png_error_ptr error_fn, png_error_ptr warn_fn, png_voidp mem_ptr,
 280     png_malloc_ptr malloc_fn, png_free_ptr free_fn),PNG_ALLOCATED)
 281 {
 282    png_struct create_struct;
 283 #  ifdef PNG_SETJMP_SUPPORTED
 284       jmp_buf create_jmp_buf;
 285 #  endif
 286 
 287    /* This temporary stack-allocated structure is used to provide a place to
 288     * build enough context to allow the user provided memory allocator (if any)
 289     * to be called.
 290     */
 291    memset(&create_struct, 0, (sizeof create_struct));
 292 
 293    /* Added at libpng-1.2.6 */
 294 #  ifdef PNG_USER_LIMITS_SUPPORTED
 295       create_struct.user_width_max = PNG_USER_WIDTH_MAX;
 296       create_struct.user_height_max = PNG_USER_HEIGHT_MAX;
 297 
 298 #     ifdef PNG_USER_CHUNK_CACHE_MAX
 299       /* Added at libpng-1.2.43 and 1.4.0 */
 300       create_struct.user_chunk_cache_max = PNG_USER_CHUNK_CACHE_MAX;
 301 #     endif
 302 
 303 #     ifdef PNG_USER_CHUNK_MALLOC_MAX
 304       /* Added at libpng-1.2.43 and 1.4.1, required only for read but exists
 305        * in png_struct regardless.
 306        */
 307       create_struct.user_chunk_malloc_max = PNG_USER_CHUNK_MALLOC_MAX;
 308 #     endif
 309 #  endif
 310 
 311    /* The following two API calls simply set fields in png_struct, so it is safe
 312     * to do them now even though error handling is not yet set up.
 313     */
 314 #  ifdef PNG_USER_MEM_SUPPORTED
 315       png_set_mem_fn(&create_struct, mem_ptr, malloc_fn, free_fn);
 316 #  else
 317       PNG_UNUSED(mem_ptr)
 318       PNG_UNUSED(malloc_fn)
 319       PNG_UNUSED(free_fn)
 320 #  endif
 321 
 322    /* (*error_fn) can return control to the caller after the error_ptr is set,
 323     * this will result in a memory leak unless the error_fn does something
 324     * extremely sophisticated.  The design lacks merit but is implicit in the
 325     * API.
 326     */
 327    png_set_error_fn(&create_struct, error_ptr, error_fn, warn_fn);
 328 
 329 #  ifdef PNG_SETJMP_SUPPORTED
 330       if (!setjmp(create_jmp_buf))
 331 #  endif
 332       {
 333 #  ifdef PNG_SETJMP_SUPPORTED
 334          /* Temporarily fake out the longjmp information until we have
 335           * successfully completed this function.  This only works if we have
 336           * setjmp() support compiled in, but it is safe - this stuff should
 337           * never happen.
 338           */
 339          create_struct.jmp_buf_ptr = &create_jmp_buf;
 340          create_struct.jmp_buf_size = 0; /*stack allocation*/
 341          create_struct.longjmp_fn = longjmp;
 342 #  endif
 343          /* Call the general version checker (shared with read and write code):
 344           */
 345          if (png_user_version_check(&create_struct, user_png_ver) != 0)
 346          {
 347             png_structrp png_ptr = png_voidcast(png_structrp,
 348                 png_malloc_warn(&create_struct, (sizeof *png_ptr)));
 349 
 350             if (png_ptr != NULL)
 351             {
 352                /* png_ptr->zstream holds a back-pointer to the png_struct, so
 353                 * this can only be done now:
 354                 */
 355                create_struct.zstream.zalloc = png_zalloc;
 356                create_struct.zstream.zfree = png_zfree;
 357                create_struct.zstream.opaque = png_ptr;
 358 
 359 #              ifdef PNG_SETJMP_SUPPORTED
 360                /* Eliminate the local error handling: */
 361                create_struct.jmp_buf_ptr = NULL;
 362                create_struct.jmp_buf_size = 0;
 363                create_struct.longjmp_fn = 0;
 364 #              endif
 365 
 366                *png_ptr = create_struct;
 367 
 368                /* This is the successful return point */
 369                return png_ptr;
 370             }
 371          }
 372       }
 373 
 374    /* A longjmp because of a bug in the application storage allocator or a
 375     * simple failure to allocate the png_struct.
 376     */
 377    return NULL;
 378 }
 379 
 380 /* Allocate the memory for an info_struct for the application. */
 381 PNG_FUNCTION(png_infop,PNGAPI
 382 png_create_info_struct,(png_const_structrp png_ptr),PNG_ALLOCATED)
 383 {
 384    png_inforp info_ptr;
 385 
 386    png_debug(1, "in png_create_info_struct");
 387 
 388    if (png_ptr == NULL)
 389       return NULL;
 390 
 391    /* Use the internal API that does not (or at least should not) error out, so
 392     * that this call always returns ok.  The application typically sets up the
 393     * error handling *after* creating the info_struct because this is the way it
 394     * has always been done in 'example.c'.
 395     */
 396    info_ptr = png_voidcast(png_inforp, png_malloc_base(png_ptr,
 397        (sizeof *info_ptr)));
 398 
 399    if (info_ptr != NULL)
 400       memset(info_ptr, 0, (sizeof *info_ptr));
 401 
 402    return info_ptr;
 403 }
 404 
 405 /* This function frees the memory associated with a single info struct.
 406  * Normally, one would use either png_destroy_read_struct() or
 407  * png_destroy_write_struct() to free an info struct, but this may be
 408  * useful for some applications.  From libpng 1.6.0 this function is also used
 409  * internally to implement the png_info release part of the 'struct' destroy
 410  * APIs.  This ensures that all possible approaches free the same data (all of
 411  * it).
 412  */
 413 void PNGAPI
 414 png_destroy_info_struct(png_const_structrp png_ptr, png_infopp info_ptr_ptr)
 415 {
 416    png_inforp info_ptr = NULL;
 417 
 418    png_debug(1, "in png_destroy_info_struct");
 419 
 420    if (png_ptr == NULL)
 421       return;
 422 
 423    if (info_ptr_ptr != NULL)
 424       info_ptr = *info_ptr_ptr;
 425 
 426    if (info_ptr != NULL)
 427    {
 428       /* Do this first in case of an error below; if the app implements its own
 429        * memory management this can lead to png_free calling png_error, which
 430        * will abort this routine and return control to the app error handler.
 431        * An infinite loop may result if it then tries to free the same info
 432        * ptr.
 433        */
 434       *info_ptr_ptr = NULL;
 435 
 436       png_free_data(png_ptr, info_ptr, PNG_FREE_ALL, -1);
 437       memset(info_ptr, 0, (sizeof *info_ptr));
 438       png_free(png_ptr, info_ptr);
 439    }
 440 }
 441 
 442 /* Initialize the info structure.  This is now an internal function (0.89)
 443  * and applications using it are urged to use png_create_info_struct()
 444  * instead.  Use deprecated in 1.6.0, internal use removed (used internally it
 445  * is just a memset).
 446  *
 447  * NOTE: it is almost inconceivable that this API is used because it bypasses
 448  * the user-memory mechanism and the user error handling/warning mechanisms in
 449  * those cases where it does anything other than a memset.
 450  */
 451 PNG_FUNCTION(void,PNGAPI
 452 png_info_init_3,(png_infopp ptr_ptr, size_t png_info_struct_size),
 453     PNG_DEPRECATED)
 454 {
 455    png_inforp info_ptr = *ptr_ptr;
 456 
 457    png_debug(1, "in png_info_init_3");
 458 
 459    if (info_ptr == NULL)
 460       return;
 461 
 462    if ((sizeof (png_info)) > png_info_struct_size)
 463    {
 464       *ptr_ptr = NULL;
 465       /* The following line is why this API should not be used: */
 466       free(info_ptr);
 467       info_ptr = png_voidcast(png_inforp, png_malloc_base(NULL,
 468           (sizeof *info_ptr)));
 469       if (info_ptr == NULL)
 470          return;
 471       *ptr_ptr = info_ptr;
 472    }
 473 
 474    /* Set everything to 0 */
 475    memset(info_ptr, 0, (sizeof *info_ptr));
 476 }
 477 
 478 /* The following API is not called internally */
 479 void PNGAPI
 480 png_data_freer(png_const_structrp png_ptr, png_inforp info_ptr,
 481     int freer, png_uint_32 mask)
 482 {
 483    png_debug(1, "in png_data_freer");
 484 
 485    if (png_ptr == NULL || info_ptr == NULL)
 486       return;
 487 
 488    if (freer == PNG_DESTROY_WILL_FREE_DATA)
 489       info_ptr->free_me |= mask;
 490 
 491    else if (freer == PNG_USER_WILL_FREE_DATA)
 492       info_ptr->free_me &= ~mask;
 493 
 494    else
 495       png_error(png_ptr, "Unknown freer parameter in png_data_freer");
 496 }
 497 
 498 void PNGAPI
 499 png_free_data(png_const_structrp png_ptr, png_inforp info_ptr, png_uint_32 mask,
 500     int num)
 501 {
 502    png_debug(1, "in png_free_data");
 503 
 504    if (png_ptr == NULL || info_ptr == NULL)
 505       return;
 506 
 507 #ifdef PNG_TEXT_SUPPORTED
 508    /* Free text item num or (if num == -1) all text items */
 509    if (info_ptr->text != NULL &&
 510        ((mask & PNG_FREE_TEXT) & info_ptr->free_me) != 0)
 511    {
 512       if (num != -1)
 513       {
 514          png_free(png_ptr, info_ptr->text[num].key);
 515          info_ptr->text[num].key = NULL;
 516       }
 517 
 518       else
 519       {
 520          int i;
 521 
 522          for (i = 0; i < info_ptr->num_text; i++)
 523             png_free(png_ptr, info_ptr->text[i].key);
 524 
 525          png_free(png_ptr, info_ptr->text);
 526          info_ptr->text = NULL;
 527          info_ptr->num_text = 0;
 528          info_ptr->max_text = 0;
 529       }
 530    }
 531 #endif
 532 
 533 #ifdef PNG_tRNS_SUPPORTED
 534    /* Free any tRNS entry */
 535    if (((mask & PNG_FREE_TRNS) & info_ptr->free_me) != 0)
 536    {
 537       info_ptr->valid &= ~PNG_INFO_tRNS;
 538       png_free(png_ptr, info_ptr->trans_alpha);
 539       info_ptr->trans_alpha = NULL;
 540       info_ptr->num_trans = 0;
 541    }
 542 #endif
 543 
 544 #ifdef PNG_sCAL_SUPPORTED
 545    /* Free any sCAL entry */
 546    if (((mask & PNG_FREE_SCAL) & info_ptr->free_me) != 0)
 547    {
 548       png_free(png_ptr, info_ptr->scal_s_width);
 549       png_free(png_ptr, info_ptr->scal_s_height);
 550       info_ptr->scal_s_width = NULL;
 551       info_ptr->scal_s_height = NULL;
 552       info_ptr->valid &= ~PNG_INFO_sCAL;
 553    }
 554 #endif
 555 
 556 #ifdef PNG_pCAL_SUPPORTED
 557    /* Free any pCAL entry */
 558    if (((mask & PNG_FREE_PCAL) & info_ptr->free_me) != 0)
 559    {
 560       png_free(png_ptr, info_ptr->pcal_purpose);
 561       png_free(png_ptr, info_ptr->pcal_units);
 562       info_ptr->pcal_purpose = NULL;
 563       info_ptr->pcal_units = NULL;
 564 
 565       if (info_ptr->pcal_params != NULL)
 566          {
 567             int i;
 568 
 569             for (i = 0; i < info_ptr->pcal_nparams; i++)
 570                png_free(png_ptr, info_ptr->pcal_params[i]);
 571 
 572             png_free(png_ptr, info_ptr->pcal_params);
 573             info_ptr->pcal_params = NULL;
 574          }
 575       info_ptr->valid &= ~PNG_INFO_pCAL;
 576    }
 577 #endif
 578 
 579 #ifdef PNG_iCCP_SUPPORTED
 580    /* Free any profile entry */
 581    if (((mask & PNG_FREE_ICCP) & info_ptr->free_me) != 0)
 582    {
 583       png_free(png_ptr, info_ptr->iccp_name);
 584       png_free(png_ptr, info_ptr->iccp_profile);
 585       info_ptr->iccp_name = NULL;
 586       info_ptr->iccp_profile = NULL;
 587       info_ptr->valid &= ~PNG_INFO_iCCP;
 588    }
 589 #endif
 590 
 591 #ifdef PNG_sPLT_SUPPORTED
 592    /* Free a given sPLT entry, or (if num == -1) all sPLT entries */
 593    if (info_ptr->splt_palettes != NULL &&
 594        ((mask & PNG_FREE_SPLT) & info_ptr->free_me) != 0)
 595    {
 596       if (num != -1)
 597       {
 598          png_free(png_ptr, info_ptr->splt_palettes[num].name);
 599          png_free(png_ptr, info_ptr->splt_palettes[num].entries);
 600          info_ptr->splt_palettes[num].name = NULL;
 601          info_ptr->splt_palettes[num].entries = NULL;
 602       }
 603 
 604       else
 605       {
 606          int i;
 607 
 608          for (i = 0; i < info_ptr->splt_palettes_num; i++)
 609          {
 610             png_free(png_ptr, info_ptr->splt_palettes[i].name);
 611             png_free(png_ptr, info_ptr->splt_palettes[i].entries);
 612          }
 613 
 614          png_free(png_ptr, info_ptr->splt_palettes);
 615          info_ptr->splt_palettes = NULL;
 616          info_ptr->splt_palettes_num = 0;
 617          info_ptr->valid &= ~PNG_INFO_sPLT;
 618       }
 619    }
 620 #endif
 621 
 622 #ifdef PNG_STORE_UNKNOWN_CHUNKS_SUPPORTED
 623    if (info_ptr->unknown_chunks != NULL &&
 624        ((mask & PNG_FREE_UNKN) & info_ptr->free_me) != 0)
 625    {
 626       if (num != -1)
 627       {
 628           png_free(png_ptr, info_ptr->unknown_chunks[num].data);
 629           info_ptr->unknown_chunks[num].data = NULL;
 630       }
 631 
 632       else
 633       {
 634          int i;
 635 
 636          for (i = 0; i < info_ptr->unknown_chunks_num; i++)
 637             png_free(png_ptr, info_ptr->unknown_chunks[i].data);
 638 
 639          png_free(png_ptr, info_ptr->unknown_chunks);
 640          info_ptr->unknown_chunks = NULL;
 641          info_ptr->unknown_chunks_num = 0;
 642       }
 643    }
 644 #endif
 645 
 646 #ifdef PNG_eXIf_SUPPORTED
 647    /* Free any eXIf entry */
 648    if (((mask & PNG_FREE_EXIF) & info_ptr->free_me) != 0)
 649    {
 650 # ifdef PNG_READ_eXIf_SUPPORTED
 651       if (info_ptr->eXIf_buf)
 652       {
 653          png_free(png_ptr, info_ptr->eXIf_buf);
 654          info_ptr->eXIf_buf = NULL;
 655       }
 656 # endif
 657       if (info_ptr->exif)
 658       {
 659          png_free(png_ptr, info_ptr->exif);
 660          info_ptr->exif = NULL;
 661       }
 662       info_ptr->valid &= ~PNG_INFO_eXIf;
 663    }
 664 #endif
 665 
 666 #ifdef PNG_hIST_SUPPORTED
 667    /* Free any hIST entry */
 668    if (((mask & PNG_FREE_HIST) & info_ptr->free_me) != 0)
 669    {
 670       png_free(png_ptr, info_ptr->hist);
 671       info_ptr->hist = NULL;
 672       info_ptr->valid &= ~PNG_INFO_hIST;
 673    }
 674 #endif
 675 
 676    /* Free any PLTE entry that was internally allocated */
 677    if (((mask & PNG_FREE_PLTE) & info_ptr->free_me) != 0)
 678    {
 679       png_free(png_ptr, info_ptr->palette);
 680       info_ptr->palette = NULL;
 681       info_ptr->valid &= ~PNG_INFO_PLTE;
 682       info_ptr->num_palette = 0;
 683    }
 684 
 685 #ifdef PNG_INFO_IMAGE_SUPPORTED
 686    /* Free any image bits attached to the info structure */
 687    if (((mask & PNG_FREE_ROWS) & info_ptr->free_me) != 0)
 688    {
 689       if (info_ptr->row_pointers != NULL)
 690       {
 691          png_uint_32 row;
 692          for (row = 0; row < info_ptr->height; row++)
 693             png_free(png_ptr, info_ptr->row_pointers[row]);
 694 
 695          png_free(png_ptr, info_ptr->row_pointers);
 696          info_ptr->row_pointers = NULL;
 697       }
 698       info_ptr->valid &= ~PNG_INFO_IDAT;
 699    }
 700 #endif
 701 
 702    if (num != -1)
 703       mask &= ~PNG_FREE_MUL;
 704 
 705    info_ptr->free_me &= ~mask;
 706 }
 707 #endif /* READ || WRITE */
 708 
 709 /* This function returns a pointer to the io_ptr associated with the user
 710  * functions.  The application should free any memory associated with this
 711  * pointer before png_write_destroy() or png_read_destroy() are called.
 712  */
 713 png_voidp PNGAPI
 714 png_get_io_ptr(png_const_structrp png_ptr)
 715 {
 716    if (png_ptr == NULL)
 717       return (NULL);
 718 
 719    return (png_ptr->io_ptr);
 720 }
 721 
 722 #if defined(PNG_READ_SUPPORTED) || defined(PNG_WRITE_SUPPORTED)
 723 #  ifdef PNG_STDIO_SUPPORTED
 724 /* Initialize the default input/output functions for the PNG file.  If you
 725  * use your own read or write routines, you can call either png_set_read_fn()
 726  * or png_set_write_fn() instead of png_init_io().  If you have defined
 727  * PNG_NO_STDIO or otherwise disabled PNG_STDIO_SUPPORTED, you must use a
 728  * function of your own because "FILE *" isn't necessarily available.
 729  */
 730 void PNGAPI
 731 png_init_io(png_structrp png_ptr, png_FILE_p fp)
 732 {
 733    png_debug(1, "in png_init_io");
 734 
 735    if (png_ptr == NULL)
 736       return;
 737 
 738    png_ptr->io_ptr = (png_voidp)fp;
 739 }
 740 #  endif
 741 
 742 #  ifdef PNG_SAVE_INT_32_SUPPORTED
 743 /* PNG signed integers are saved in 32-bit 2's complement format.  ANSI C-90
 744  * defines a cast of a signed integer to an unsigned integer either to preserve
 745  * the value, if it is positive, or to calculate:
 746  *
 747  *     (UNSIGNED_MAX+1) + integer
 748  *
 749  * Where UNSIGNED_MAX is the appropriate maximum unsigned value, so when the
 750  * negative integral value is added the result will be an unsigned value
 751  * correspnding to the 2's complement representation.
 752  */
 753 void PNGAPI
 754 png_save_int_32(png_bytep buf, png_int_32 i)
 755 {
 756    png_save_uint_32(buf, (png_uint_32)i);
 757 }
 758 #  endif
 759 
 760 #  ifdef PNG_TIME_RFC1123_SUPPORTED
 761 /* Convert the supplied time into an RFC 1123 string suitable for use in
 762  * a "Creation Time" or other text-based time string.
 763  */
 764 int PNGAPI
 765 png_convert_to_rfc1123_buffer(char out[29], png_const_timep ptime)
 766 {
 767    static PNG_CONST char short_months[12][4] =
 768         {"Jan", "Feb", "Mar", "Apr", "May", "Jun",
 769          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"};
 770 
 771    if (out == NULL)
 772       return 0;
 773 
 774    if (ptime->year > 9999 /* RFC1123 limitation */ ||
 775        ptime->month == 0    ||  ptime->month > 12  ||
 776        ptime->day   == 0    ||  ptime->day   > 31  ||
 777        ptime->hour  > 23    ||  ptime->minute > 59 ||
 778        ptime->second > 60)
 779       return 0;
 780 
 781    {
 782       size_t pos = 0;
 783       char number_buf[5]; /* enough for a four-digit year */
 784 
 785 #     define APPEND_STRING(string) pos = png_safecat(out, 29, pos, (string))
 786 #     define APPEND_NUMBER(format, value)\
 787          APPEND_STRING(PNG_FORMAT_NUMBER(number_buf, format, (value)))
 788 #     define APPEND(ch) if (pos < 28) out[pos++] = (ch)
 789 
 790       APPEND_NUMBER(PNG_NUMBER_FORMAT_u, (unsigned)ptime->day);
 791       APPEND(' ');
 792       APPEND_STRING(short_months[(ptime->month - 1)]);
 793       APPEND(' ');
 794       APPEND_NUMBER(PNG_NUMBER_FORMAT_u, ptime->year);
 795       APPEND(' ');
 796       APPEND_NUMBER(PNG_NUMBER_FORMAT_02u, (unsigned)ptime->hour);
 797       APPEND(':');
 798       APPEND_NUMBER(PNG_NUMBER_FORMAT_02u, (unsigned)ptime->minute);
 799       APPEND(':');
 800       APPEND_NUMBER(PNG_NUMBER_FORMAT_02u, (unsigned)ptime->second);
 801       APPEND_STRING(" +0000"); /* This reliably terminates the buffer */
 802       PNG_UNUSED (pos)
 803 
 804 #     undef APPEND
 805 #     undef APPEND_NUMBER
 806 #     undef APPEND_STRING
 807    }
 808 
 809    return 1;
 810 }
 811 
 812 #    if PNG_LIBPNG_VER < 10700
 813 /* To do: remove the following from libpng-1.7 */
 814 /* Original API that uses a private buffer in png_struct.
 815  * Deprecated because it causes png_struct to carry a spurious temporary
 816  * buffer (png_struct::time_buffer), better to have the caller pass this in.
 817  */
 818 png_const_charp PNGAPI
 819 png_convert_to_rfc1123(png_structrp png_ptr, png_const_timep ptime)
 820 {
 821    if (png_ptr != NULL)
 822    {
 823       /* The only failure above if png_ptr != NULL is from an invalid ptime */
 824       if (png_convert_to_rfc1123_buffer(png_ptr->time_buffer, ptime) == 0)
 825          png_warning(png_ptr, "Ignoring invalid time value");
 826 
 827       else
 828          return png_ptr->time_buffer;
 829    }
 830 
 831    return NULL;
 832 }
 833 #    endif /* LIBPNG_VER < 10700 */
 834 #  endif /* TIME_RFC1123 */
 835 
 836 #endif /* READ || WRITE */
 837 
 838 png_const_charp PNGAPI
 839 png_get_copyright(png_const_structrp png_ptr)
 840 {
 841    PNG_UNUSED(png_ptr)  /* Silence compiler warning about unused png_ptr */
 842 #ifdef PNG_STRING_COPYRIGHT
 843    return PNG_STRING_COPYRIGHT
 844 #else
 845 #  ifdef __STDC__
 846    return PNG_STRING_NEWLINE \
 847       "libpng version 1.6.35 - July 15, 2018" PNG_STRING_NEWLINE \

 848       "Copyright (c) 1998-2002,2004,2006-2018 Glenn Randers-Pehrson" \
 849       PNG_STRING_NEWLINE \
 850       "Copyright (c) 1996-1997 Andreas Dilger" PNG_STRING_NEWLINE \
 851       "Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc." \
 852       PNG_STRING_NEWLINE;
 853 #  else
 854    return "libpng version 1.6.35 - July 15, 2018\
 855       Copyright (c) 1998-2002,2004,2006-2018 Glenn Randers-Pehrson\
 856       Copyright (c) 1996-1997 Andreas Dilger\
 857       Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc.";
 858 #  endif
 859 #endif
 860 }
 861 
 862 /* The following return the library version as a short string in the
 863  * format 1.0.0 through 99.99.99zz.  To get the version of *.h files
 864  * used with your application, print out PNG_LIBPNG_VER_STRING, which
 865  * is defined in png.h.
 866  * Note: now there is no difference between png_get_libpng_ver() and
 867  * png_get_header_ver().  Due to the version_nn_nn_nn typedef guard,
 868  * it is guaranteed that png.c uses the correct version of png.h.
 869  */
 870 png_const_charp PNGAPI
 871 png_get_libpng_ver(png_const_structrp png_ptr)
 872 {
 873    /* Version of *.c files used when building libpng */
 874    return png_get_header_ver(png_ptr);
 875 }
 876 
 877 png_const_charp PNGAPI
 878 png_get_header_ver(png_const_structrp png_ptr)
 879 {
 880    /* Version of *.h files used when building libpng */
 881    PNG_UNUSED(png_ptr)  /* Silence compiler warning about unused png_ptr */
 882    return PNG_LIBPNG_VER_STRING;
 883 }
 884 
 885 png_const_charp PNGAPI
 886 png_get_header_version(png_const_structrp png_ptr)
 887 {
 888    /* Returns longer string containing both version and date */
 889    PNG_UNUSED(png_ptr)  /* Silence compiler warning about unused png_ptr */
 890 #ifdef __STDC__
 891    return PNG_HEADER_VERSION_STRING
 892 #  ifndef PNG_READ_SUPPORTED
 893       " (NO READ SUPPORT)"
 894 #  endif
 895       PNG_STRING_NEWLINE;
 896 #else
 897    return PNG_HEADER_VERSION_STRING;
 898 #endif
 899 }
 900 
 901 #ifdef PNG_BUILD_GRAYSCALE_PALETTE_SUPPORTED
 902 /* NOTE: this routine is not used internally! */
 903 /* Build a grayscale palette.  Palette is assumed to be 1 << bit_depth
 904  * large of png_color.  This lets grayscale images be treated as
 905  * paletted.  Most useful for gamma correction and simplification
 906  * of code.  This API is not used internally.
 907  */
 908 void PNGAPI
 909 png_build_grayscale_palette(int bit_depth, png_colorp palette)
 910 {
 911    int num_palette;
 912    int color_inc;
 913    int i;
 914    int v;
 915 
 916    png_debug(1, "in png_do_build_grayscale_palette");
 917 
 918    if (palette == NULL)
 919       return;
 920 
 921    switch (bit_depth)
 922    {
 923       case 1:
 924          num_palette = 2;
 925          color_inc = 0xff;
 926          break;
 927 
 928       case 2:
 929          num_palette = 4;
 930          color_inc = 0x55;
 931          break;
 932 
 933       case 4:
 934          num_palette = 16;
 935          color_inc = 0x11;
 936          break;
 937 
 938       case 8:
 939          num_palette = 256;
 940          color_inc = 1;
 941          break;
 942 
 943       default:
 944          num_palette = 0;
 945          color_inc = 0;
 946          break;
 947    }
 948 
 949    for (i = 0, v = 0; i < num_palette; i++, v += color_inc)
 950    {
 951       palette[i].red = (png_byte)(v & 0xff);
 952       palette[i].green = (png_byte)(v & 0xff);
 953       palette[i].blue = (png_byte)(v & 0xff);
 954    }
 955 }
 956 #endif
 957 
 958 #ifdef PNG_SET_UNKNOWN_CHUNKS_SUPPORTED
 959 int PNGAPI
 960 png_handle_as_unknown(png_const_structrp png_ptr, png_const_bytep chunk_name)
 961 {
 962    /* Check chunk_name and return "keep" value if it's on the list, else 0 */
 963    png_const_bytep p, p_end;
 964 
 965    if (png_ptr == NULL || chunk_name == NULL || png_ptr->num_chunk_list == 0)
 966       return PNG_HANDLE_CHUNK_AS_DEFAULT;
 967 
 968    p_end = png_ptr->chunk_list;
 969    p = p_end + png_ptr->num_chunk_list*5; /* beyond end */
 970 
 971    /* The code is the fifth byte after each four byte string.  Historically this
 972     * code was always searched from the end of the list, this is no longer
 973     * necessary because the 'set' routine handles duplicate entries correctly.
 974     */
 975    do /* num_chunk_list > 0, so at least one */
 976    {
 977       p -= 5;
 978 
 979       if (memcmp(chunk_name, p, 4) == 0)
 980          return p[4];
 981    }
 982    while (p > p_end);
 983 
 984    /* This means that known chunks should be processed and unknown chunks should
 985     * be handled according to the value of png_ptr->unknown_default; this can be
 986     * confusing because, as a result, there are two levels of defaulting for
 987     * unknown chunks.
 988     */
 989    return PNG_HANDLE_CHUNK_AS_DEFAULT;
 990 }
 991 
 992 #if defined(PNG_READ_UNKNOWN_CHUNKS_SUPPORTED) ||\
 993    defined(PNG_HANDLE_AS_UNKNOWN_SUPPORTED)
 994 int /* PRIVATE */
 995 png_chunk_unknown_handling(png_const_structrp png_ptr, png_uint_32 chunk_name)
 996 {
 997    png_byte chunk_string[5];
 998 
 999    PNG_CSTRING_FROM_CHUNK(chunk_string, chunk_name);
1000    return png_handle_as_unknown(png_ptr, chunk_string);
1001 }
1002 #endif /* READ_UNKNOWN_CHUNKS || HANDLE_AS_UNKNOWN */
1003 #endif /* SET_UNKNOWN_CHUNKS */
1004 
1005 #ifdef PNG_READ_SUPPORTED
1006 /* This function, added to libpng-1.0.6g, is untested. */
1007 int PNGAPI
1008 png_reset_zstream(png_structrp png_ptr)
1009 {
1010    if (png_ptr == NULL)
1011       return Z_STREAM_ERROR;
1012 
1013    /* WARNING: this resets the window bits to the maximum! */
1014    return (inflateReset(&png_ptr->zstream));
1015 }
1016 #endif /* READ */
1017 
1018 /* This function was added to libpng-1.0.7 */
1019 png_uint_32 PNGAPI
1020 png_access_version_number(void)
1021 {
1022    /* Version of *.c files used when building libpng */
1023    return((png_uint_32)PNG_LIBPNG_VER);
1024 }
1025 
1026 #if defined(PNG_READ_SUPPORTED) || defined(PNG_WRITE_SUPPORTED)
1027 /* Ensure that png_ptr->zstream.msg holds some appropriate error message string.
1028  * If it doesn't 'ret' is used to set it to something appropriate, even in cases
1029  * like Z_OK or Z_STREAM_END where the error code is apparently a success code.
1030  */
1031 void /* PRIVATE */
1032 png_zstream_error(png_structrp png_ptr, int ret)
1033 {
1034    /* Translate 'ret' into an appropriate error string, priority is given to the
1035     * one in zstream if set.  This always returns a string, even in cases like
1036     * Z_OK or Z_STREAM_END where the error code is a success code.
1037     */
1038    if (png_ptr->zstream.msg == NULL) switch (ret)
1039    {
1040       default:
1041       case Z_OK:
1042          png_ptr->zstream.msg = PNGZ_MSG_CAST("unexpected zlib return code");
1043          break;
1044 
1045       case Z_STREAM_END:
1046          /* Normal exit */
1047          png_ptr->zstream.msg = PNGZ_MSG_CAST("unexpected end of LZ stream");
1048          break;
1049 
1050       case Z_NEED_DICT:
1051          /* This means the deflate stream did not have a dictionary; this
1052           * indicates a bogus PNG.
1053           */
1054          png_ptr->zstream.msg = PNGZ_MSG_CAST("missing LZ dictionary");
1055          break;
1056 
1057       case Z_ERRNO:
1058          /* gz APIs only: should not happen */
1059          png_ptr->zstream.msg = PNGZ_MSG_CAST("zlib IO error");
1060          break;
1061 
1062       case Z_STREAM_ERROR:
1063          /* internal libpng error */
1064          png_ptr->zstream.msg = PNGZ_MSG_CAST("bad parameters to zlib");
1065          break;
1066 
1067       case Z_DATA_ERROR:
1068          png_ptr->zstream.msg = PNGZ_MSG_CAST("damaged LZ stream");
1069          break;
1070 
1071       case Z_MEM_ERROR:
1072          png_ptr->zstream.msg = PNGZ_MSG_CAST("insufficient memory");
1073          break;
1074 
1075       case Z_BUF_ERROR:
1076          /* End of input or output; not a problem if the caller is doing
1077           * incremental read or write.
1078           */
1079          png_ptr->zstream.msg = PNGZ_MSG_CAST("truncated");
1080          break;
1081 
1082       case Z_VERSION_ERROR:
1083          png_ptr->zstream.msg = PNGZ_MSG_CAST("unsupported zlib version");
1084          break;
1085 
1086       case PNG_UNEXPECTED_ZLIB_RETURN:
1087          /* Compile errors here mean that zlib now uses the value co-opted in
1088           * pngpriv.h for PNG_UNEXPECTED_ZLIB_RETURN; update the switch above
1089           * and change pngpriv.h.  Note that this message is "... return",
1090           * whereas the default/Z_OK one is "... return code".
1091           */
1092          png_ptr->zstream.msg = PNGZ_MSG_CAST("unexpected zlib return");
1093          break;
1094    }
1095 }
1096 
1097 /* png_convert_size: a PNGAPI but no longer in png.h, so deleted
1098  * at libpng 1.5.5!
1099  */
1100 
1101 /* Added at libpng version 1.2.34 and 1.4.0 (moved from pngset.c) */
1102 #ifdef PNG_GAMMA_SUPPORTED /* always set if COLORSPACE */
1103 static int
1104 png_colorspace_check_gamma(png_const_structrp png_ptr,
1105     png_colorspacerp colorspace, png_fixed_point gAMA, int from)
1106    /* This is called to check a new gamma value against an existing one.  The
1107     * routine returns false if the new gamma value should not be written.
1108     *
1109     * 'from' says where the new gamma value comes from:
1110     *
1111     *    0: the new gamma value is the libpng estimate for an ICC profile
1112     *    1: the new gamma value comes from a gAMA chunk
1113     *    2: the new gamma value comes from an sRGB chunk
1114     */
1115 {
1116    png_fixed_point gtest;
1117 
1118    if ((colorspace->flags & PNG_COLORSPACE_HAVE_GAMMA) != 0 &&
1119        (png_muldiv(&gtest, colorspace->gamma, PNG_FP_1, gAMA) == 0  ||
1120       png_gamma_significant(gtest) != 0))
1121    {
1122       /* Either this is an sRGB image, in which case the calculated gamma
1123        * approximation should match, or this is an image with a profile and the
1124        * value libpng calculates for the gamma of the profile does not match the
1125        * value recorded in the file.  The former, sRGB, case is an error, the
1126        * latter is just a warning.
1127        */
1128       if ((colorspace->flags & PNG_COLORSPACE_FROM_sRGB) != 0 || from == 2)
1129       {
1130          png_chunk_report(png_ptr, "gamma value does not match sRGB",
1131              PNG_CHUNK_ERROR);
1132          /* Do not overwrite an sRGB value */
1133          return from == 2;
1134       }
1135 
1136       else /* sRGB tag not involved */
1137       {
1138          png_chunk_report(png_ptr, "gamma value does not match libpng estimate",
1139              PNG_CHUNK_WARNING);
1140          return from == 1;
1141       }
1142    }
1143 
1144    return 1;
1145 }
1146 
1147 void /* PRIVATE */
1148 png_colorspace_set_gamma(png_const_structrp png_ptr,
1149     png_colorspacerp colorspace, png_fixed_point gAMA)
1150 {
1151    /* Changed in libpng-1.5.4 to limit the values to ensure overflow can't
1152     * occur.  Since the fixed point representation is asymetrical it is
1153     * possible for 1/gamma to overflow the limit of 21474 and this means the
1154     * gamma value must be at least 5/100000 and hence at most 20000.0.  For
1155     * safety the limits here are a little narrower.  The values are 0.00016 to
1156     * 6250.0, which are truly ridiculous gamma values (and will produce
1157     * displays that are all black or all white.)
1158     *
1159     * In 1.6.0 this test replaces the ones in pngrutil.c, in the gAMA chunk
1160     * handling code, which only required the value to be >0.
1161     */
1162    png_const_charp errmsg;
1163 
1164    if (gAMA < 16 || gAMA > 625000000)
1165       errmsg = "gamma value out of range";
1166 
1167 #  ifdef PNG_READ_gAMA_SUPPORTED
1168    /* Allow the application to set the gamma value more than once */
1169    else if ((png_ptr->mode & PNG_IS_READ_STRUCT) != 0 &&
1170       (colorspace->flags & PNG_COLORSPACE_FROM_gAMA) != 0)
1171       errmsg = "duplicate";
1172 #  endif
1173 
1174    /* Do nothing if the colorspace is already invalid */
1175    else if ((colorspace->flags & PNG_COLORSPACE_INVALID) != 0)
1176       return;
1177 
1178    else
1179    {
1180       if (png_colorspace_check_gamma(png_ptr, colorspace, gAMA,
1181           1/*from gAMA*/) != 0)
1182       {
1183          /* Store this gamma value. */
1184          colorspace->gamma = gAMA;
1185          colorspace->flags |=
1186             (PNG_COLORSPACE_HAVE_GAMMA | PNG_COLORSPACE_FROM_gAMA);
1187       }
1188 
1189       /* At present if the check_gamma test fails the gamma of the colorspace is
1190        * not updated however the colorspace is not invalidated.  This
1191        * corresponds to the case where the existing gamma comes from an sRGB
1192        * chunk or profile.  An error message has already been output.
1193        */
1194       return;
1195    }
1196 
1197    /* Error exit - errmsg has been set. */
1198    colorspace->flags |= PNG_COLORSPACE_INVALID;
1199    png_chunk_report(png_ptr, errmsg, PNG_CHUNK_WRITE_ERROR);
1200 }
1201 
1202 void /* PRIVATE */
1203 png_colorspace_sync_info(png_const_structrp png_ptr, png_inforp info_ptr)
1204 {
1205    if ((info_ptr->colorspace.flags & PNG_COLORSPACE_INVALID) != 0)
1206    {
1207       /* Everything is invalid */
1208       info_ptr->valid &= ~(PNG_INFO_gAMA|PNG_INFO_cHRM|PNG_INFO_sRGB|
1209          PNG_INFO_iCCP);
1210 
1211 #     ifdef PNG_COLORSPACE_SUPPORTED
1212       /* Clean up the iCCP profile now if it won't be used. */
1213       png_free_data(png_ptr, info_ptr, PNG_FREE_ICCP, -1/*not used*/);
1214 #     else
1215       PNG_UNUSED(png_ptr)
1216 #     endif
1217    }
1218 
1219    else
1220    {
1221 #     ifdef PNG_COLORSPACE_SUPPORTED
1222       /* Leave the INFO_iCCP flag set if the pngset.c code has already set
1223        * it; this allows a PNG to contain a profile which matches sRGB and
1224        * yet still have that profile retrievable by the application.
1225        */
1226       if ((info_ptr->colorspace.flags & PNG_COLORSPACE_MATCHES_sRGB) != 0)
1227          info_ptr->valid |= PNG_INFO_sRGB;
1228 
1229       else
1230          info_ptr->valid &= ~PNG_INFO_sRGB;
1231 
1232       if ((info_ptr->colorspace.flags & PNG_COLORSPACE_HAVE_ENDPOINTS) != 0)
1233          info_ptr->valid |= PNG_INFO_cHRM;
1234 
1235       else
1236          info_ptr->valid &= ~PNG_INFO_cHRM;
1237 #     endif
1238 
1239       if ((info_ptr->colorspace.flags & PNG_COLORSPACE_HAVE_GAMMA) != 0)
1240          info_ptr->valid |= PNG_INFO_gAMA;
1241 
1242       else
1243          info_ptr->valid &= ~PNG_INFO_gAMA;
1244    }
1245 }
1246 
1247 #ifdef PNG_READ_SUPPORTED
1248 void /* PRIVATE */
1249 png_colorspace_sync(png_const_structrp png_ptr, png_inforp info_ptr)
1250 {
1251    if (info_ptr == NULL) /* reduce code size; check here not in the caller */
1252       return;
1253 
1254    info_ptr->colorspace = png_ptr->colorspace;
1255    png_colorspace_sync_info(png_ptr, info_ptr);
1256 }
1257 #endif
1258 #endif /* GAMMA */
1259 
1260 #ifdef PNG_COLORSPACE_SUPPORTED
1261 /* Added at libpng-1.5.5 to support read and write of true CIEXYZ values for
1262  * cHRM, as opposed to using chromaticities.  These internal APIs return
1263  * non-zero on a parameter error.  The X, Y and Z values are required to be
1264  * positive and less than 1.0.
1265  */
1266 static int
1267 png_xy_from_XYZ(png_xy *xy, const png_XYZ *XYZ)
1268 {
1269    png_int_32 d, dwhite, whiteX, whiteY;
1270 
1271    d = XYZ->red_X + XYZ->red_Y + XYZ->red_Z;
1272    if (png_muldiv(&xy->redx, XYZ->red_X, PNG_FP_1, d) == 0)
1273       return 1;
1274    if (png_muldiv(&xy->redy, XYZ->red_Y, PNG_FP_1, d) == 0)
1275       return 1;
1276    dwhite = d;
1277    whiteX = XYZ->red_X;
1278    whiteY = XYZ->red_Y;
1279 
1280    d = XYZ->green_X + XYZ->green_Y + XYZ->green_Z;
1281    if (png_muldiv(&xy->greenx, XYZ->green_X, PNG_FP_1, d) == 0)
1282       return 1;
1283    if (png_muldiv(&xy->greeny, XYZ->green_Y, PNG_FP_1, d) == 0)
1284       return 1;
1285    dwhite += d;
1286    whiteX += XYZ->green_X;
1287    whiteY += XYZ->green_Y;
1288 
1289    d = XYZ->blue_X + XYZ->blue_Y + XYZ->blue_Z;
1290    if (png_muldiv(&xy->bluex, XYZ->blue_X, PNG_FP_1, d) == 0)
1291       return 1;
1292    if (png_muldiv(&xy->bluey, XYZ->blue_Y, PNG_FP_1, d) == 0)
1293       return 1;
1294    dwhite += d;
1295    whiteX += XYZ->blue_X;
1296    whiteY += XYZ->blue_Y;
1297 
1298    /* The reference white is simply the sum of the end-point (X,Y,Z) vectors,
1299     * thus:
1300     */
1301    if (png_muldiv(&xy->whitex, whiteX, PNG_FP_1, dwhite) == 0)
1302       return 1;
1303    if (png_muldiv(&xy->whitey, whiteY, PNG_FP_1, dwhite) == 0)
1304       return 1;
1305 
1306    return 0;
1307 }
1308 
1309 static int
1310 png_XYZ_from_xy(png_XYZ *XYZ, const png_xy *xy)
1311 {
1312    png_fixed_point red_inverse, green_inverse, blue_scale;
1313    png_fixed_point left, right, denominator;
1314 
1315    /* Check xy and, implicitly, z.  Note that wide gamut color spaces typically
1316     * have end points with 0 tristimulus values (these are impossible end
1317     * points, but they are used to cover the possible colors).  We check
1318     * xy->whitey against 5, not 0, to avoid a possible integer overflow.
1319     */
1320    if (xy->redx   < 0 || xy->redx > PNG_FP_1) return 1;
1321    if (xy->redy   < 0 || xy->redy > PNG_FP_1-xy->redx) return 1;
1322    if (xy->greenx < 0 || xy->greenx > PNG_FP_1) return 1;
1323    if (xy->greeny < 0 || xy->greeny > PNG_FP_1-xy->greenx) return 1;
1324    if (xy->bluex  < 0 || xy->bluex > PNG_FP_1) return 1;
1325    if (xy->bluey  < 0 || xy->bluey > PNG_FP_1-xy->bluex) return 1;
1326    if (xy->whitex < 0 || xy->whitex > PNG_FP_1) return 1;
1327    if (xy->whitey < 5 || xy->whitey > PNG_FP_1-xy->whitex) return 1;
1328 
1329    /* The reverse calculation is more difficult because the original tristimulus
1330     * value had 9 independent values (red,green,blue)x(X,Y,Z) however only 8
1331     * derived values were recorded in the cHRM chunk;
1332     * (red,green,blue,white)x(x,y).  This loses one degree of freedom and
1333     * therefore an arbitrary ninth value has to be introduced to undo the
1334     * original transformations.
1335     *
1336     * Think of the original end-points as points in (X,Y,Z) space.  The
1337     * chromaticity values (c) have the property:
1338     *
1339     *           C
1340     *   c = ---------
1341     *       X + Y + Z
1342     *
1343     * For each c (x,y,z) from the corresponding original C (X,Y,Z).  Thus the
1344     * three chromaticity values (x,y,z) for each end-point obey the
1345     * relationship:
1346     *
1347     *   x + y + z = 1
1348     *
1349     * This describes the plane in (X,Y,Z) space that intersects each axis at the
1350     * value 1.0; call this the chromaticity plane.  Thus the chromaticity
1351     * calculation has scaled each end-point so that it is on the x+y+z=1 plane
1352     * and chromaticity is the intersection of the vector from the origin to the
1353     * (X,Y,Z) value with the chromaticity plane.
1354     *
1355     * To fully invert the chromaticity calculation we would need the three
1356     * end-point scale factors, (red-scale, green-scale, blue-scale), but these
1357     * were not recorded.  Instead we calculated the reference white (X,Y,Z) and
1358     * recorded the chromaticity of this.  The reference white (X,Y,Z) would have
1359     * given all three of the scale factors since:
1360     *
1361     *    color-C = color-c * color-scale
1362     *    white-C = red-C + green-C + blue-C
1363     *            = red-c*red-scale + green-c*green-scale + blue-c*blue-scale
1364     *
1365     * But cHRM records only white-x and white-y, so we have lost the white scale
1366     * factor:
1367     *
1368     *    white-C = white-c*white-scale
1369     *
1370     * To handle this the inverse transformation makes an arbitrary assumption
1371     * about white-scale:
1372     *
1373     *    Assume: white-Y = 1.0
1374     *    Hence:  white-scale = 1/white-y
1375     *    Or:     red-Y + green-Y + blue-Y = 1.0
1376     *
1377     * Notice the last statement of the assumption gives an equation in three of
1378     * the nine values we want to calculate.  8 more equations come from the
1379     * above routine as summarised at the top above (the chromaticity
1380     * calculation):
1381     *
1382     *    Given: color-x = color-X / (color-X + color-Y + color-Z)
1383     *    Hence: (color-x - 1)*color-X + color.x*color-Y + color.x*color-Z = 0
1384     *
1385     * This is 9 simultaneous equations in the 9 variables "color-C" and can be
1386     * solved by Cramer's rule.  Cramer's rule requires calculating 10 9x9 matrix
1387     * determinants, however this is not as bad as it seems because only 28 of
1388     * the total of 90 terms in the various matrices are non-zero.  Nevertheless
1389     * Cramer's rule is notoriously numerically unstable because the determinant
1390     * calculation involves the difference of large, but similar, numbers.  It is
1391     * difficult to be sure that the calculation is stable for real world values
1392     * and it is certain that it becomes unstable where the end points are close
1393     * together.
1394     *
1395     * So this code uses the perhaps slightly less optimal but more
1396     * understandable and totally obvious approach of calculating color-scale.
1397     *
1398     * This algorithm depends on the precision in white-scale and that is
1399     * (1/white-y), so we can immediately see that as white-y approaches 0 the
1400     * accuracy inherent in the cHRM chunk drops off substantially.
1401     *
1402     * libpng arithmetic: a simple inversion of the above equations
1403     * ------------------------------------------------------------
1404     *
1405     *    white_scale = 1/white-y
1406     *    white-X = white-x * white-scale
1407     *    white-Y = 1.0
1408     *    white-Z = (1 - white-x - white-y) * white_scale
1409     *
1410     *    white-C = red-C + green-C + blue-C
1411     *            = red-c*red-scale + green-c*green-scale + blue-c*blue-scale
1412     *
1413     * This gives us three equations in (red-scale,green-scale,blue-scale) where
1414     * all the coefficients are now known:
1415     *
1416     *    red-x*red-scale + green-x*green-scale + blue-x*blue-scale
1417     *       = white-x/white-y
1418     *    red-y*red-scale + green-y*green-scale + blue-y*blue-scale = 1
1419     *    red-z*red-scale + green-z*green-scale + blue-z*blue-scale
1420     *       = (1 - white-x - white-y)/white-y
1421     *
1422     * In the last equation color-z is (1 - color-x - color-y) so we can add all
1423     * three equations together to get an alternative third:
1424     *
1425     *    red-scale + green-scale + blue-scale = 1/white-y = white-scale
1426     *
1427     * So now we have a Cramer's rule solution where the determinants are just
1428     * 3x3 - far more tractible.  Unfortunately 3x3 determinants still involve
1429     * multiplication of three coefficients so we can't guarantee to avoid
1430     * overflow in the libpng fixed point representation.  Using Cramer's rule in
1431     * floating point is probably a good choice here, but it's not an option for
1432     * fixed point.  Instead proceed to simplify the first two equations by
1433     * eliminating what is likely to be the largest value, blue-scale:
1434     *
1435     *    blue-scale = white-scale - red-scale - green-scale
1436     *
1437     * Hence:
1438     *
1439     *    (red-x - blue-x)*red-scale + (green-x - blue-x)*green-scale =
1440     *                (white-x - blue-x)*white-scale
1441     *
1442     *    (red-y - blue-y)*red-scale + (green-y - blue-y)*green-scale =
1443     *                1 - blue-y*white-scale
1444     *
1445     * And now we can trivially solve for (red-scale,green-scale):
1446     *
1447     *    green-scale =
1448     *                (white-x - blue-x)*white-scale - (red-x - blue-x)*red-scale
1449     *                -----------------------------------------------------------
1450     *                                  green-x - blue-x
1451     *
1452     *    red-scale =
1453     *                1 - blue-y*white-scale - (green-y - blue-y) * green-scale
1454     *                ---------------------------------------------------------
1455     *                                  red-y - blue-y
1456     *
1457     * Hence:
1458     *
1459     *    red-scale =
1460     *          ( (green-x - blue-x) * (white-y - blue-y) -
1461     *            (green-y - blue-y) * (white-x - blue-x) ) / white-y
1462     * -------------------------------------------------------------------------
1463     *  (green-x - blue-x)*(red-y - blue-y)-(green-y - blue-y)*(red-x - blue-x)
1464     *
1465     *    green-scale =
1466     *          ( (red-y - blue-y) * (white-x - blue-x) -
1467     *            (red-x - blue-x) * (white-y - blue-y) ) / white-y
1468     * -------------------------------------------------------------------------
1469     *  (green-x - blue-x)*(red-y - blue-y)-(green-y - blue-y)*(red-x - blue-x)
1470     *
1471     * Accuracy:
1472     * The input values have 5 decimal digits of accuracy.  The values are all in
1473     * the range 0 < value < 1, so simple products are in the same range but may
1474     * need up to 10 decimal digits to preserve the original precision and avoid
1475     * underflow.  Because we are using a 32-bit signed representation we cannot
1476     * match this; the best is a little over 9 decimal digits, less than 10.
1477     *
1478     * The approach used here is to preserve the maximum precision within the
1479     * signed representation.  Because the red-scale calculation above uses the
1480     * difference between two products of values that must be in the range -1..+1
1481     * it is sufficient to divide the product by 7; ceil(100,000/32767*2).  The
1482     * factor is irrelevant in the calculation because it is applied to both
1483     * numerator and denominator.
1484     *
1485     * Note that the values of the differences of the products of the
1486     * chromaticities in the above equations tend to be small, for example for
1487     * the sRGB chromaticities they are:
1488     *
1489     * red numerator:    -0.04751
1490     * green numerator:  -0.08788
1491     * denominator:      -0.2241 (without white-y multiplication)
1492     *
1493     *  The resultant Y coefficients from the chromaticities of some widely used
1494     *  color space definitions are (to 15 decimal places):
1495     *
1496     *  sRGB
1497     *    0.212639005871510 0.715168678767756 0.072192315360734
1498     *  Kodak ProPhoto
1499     *    0.288071128229293 0.711843217810102 0.000085653960605
1500     *  Adobe RGB
1501     *    0.297344975250536 0.627363566255466 0.075291458493998
1502     *  Adobe Wide Gamut RGB
1503     *    0.258728243040113 0.724682314948566 0.016589442011321
1504     */
1505    /* By the argument, above overflow should be impossible here. The return
1506     * value of 2 indicates an internal error to the caller.
1507     */
1508    if (png_muldiv(&left, xy->greenx-xy->bluex, xy->redy - xy->bluey, 7) == 0)
1509       return 2;
1510    if (png_muldiv(&right, xy->greeny-xy->bluey, xy->redx - xy->bluex, 7) == 0)
1511       return 2;
1512    denominator = left - right;
1513 
1514    /* Now find the red numerator. */
1515    if (png_muldiv(&left, xy->greenx-xy->bluex, xy->whitey-xy->bluey, 7) == 0)
1516       return 2;
1517    if (png_muldiv(&right, xy->greeny-xy->bluey, xy->whitex-xy->bluex, 7) == 0)
1518       return 2;
1519 
1520    /* Overflow is possible here and it indicates an extreme set of PNG cHRM
1521     * chunk values.  This calculation actually returns the reciprocal of the
1522     * scale value because this allows us to delay the multiplication of white-y
1523     * into the denominator, which tends to produce a small number.
1524     */
1525    if (png_muldiv(&red_inverse, xy->whitey, denominator, left-right) == 0 ||
1526        red_inverse <= xy->whitey /* r+g+b scales = white scale */)
1527       return 1;
1528 
1529    /* Similarly for green_inverse: */
1530    if (png_muldiv(&left, xy->redy-xy->bluey, xy->whitex-xy->bluex, 7) == 0)
1531       return 2;
1532    if (png_muldiv(&right, xy->redx-xy->bluex, xy->whitey-xy->bluey, 7) == 0)
1533       return 2;
1534    if (png_muldiv(&green_inverse, xy->whitey, denominator, left-right) == 0 ||
1535        green_inverse <= xy->whitey)
1536       return 1;
1537 
1538    /* And the blue scale, the checks above guarantee this can't overflow but it
1539     * can still produce 0 for extreme cHRM values.
1540     */
1541    blue_scale = png_reciprocal(xy->whitey) - png_reciprocal(red_inverse) -
1542        png_reciprocal(green_inverse);
1543    if (blue_scale <= 0)
1544       return 1;
1545 
1546 
1547    /* And fill in the png_XYZ: */
1548    if (png_muldiv(&XYZ->red_X, xy->redx, PNG_FP_1, red_inverse) == 0)
1549       return 1;
1550    if (png_muldiv(&XYZ->red_Y, xy->redy, PNG_FP_1, red_inverse) == 0)
1551       return 1;
1552    if (png_muldiv(&XYZ->red_Z, PNG_FP_1 - xy->redx - xy->redy, PNG_FP_1,
1553        red_inverse) == 0)
1554       return 1;
1555 
1556    if (png_muldiv(&XYZ->green_X, xy->greenx, PNG_FP_1, green_inverse) == 0)
1557       return 1;
1558    if (png_muldiv(&XYZ->green_Y, xy->greeny, PNG_FP_1, green_inverse) == 0)
1559       return 1;
1560    if (png_muldiv(&XYZ->green_Z, PNG_FP_1 - xy->greenx - xy->greeny, PNG_FP_1,
1561        green_inverse) == 0)
1562       return 1;
1563 
1564    if (png_muldiv(&XYZ->blue_X, xy->bluex, blue_scale, PNG_FP_1) == 0)
1565       return 1;
1566    if (png_muldiv(&XYZ->blue_Y, xy->bluey, blue_scale, PNG_FP_1) == 0)
1567       return 1;
1568    if (png_muldiv(&XYZ->blue_Z, PNG_FP_1 - xy->bluex - xy->bluey, blue_scale,
1569        PNG_FP_1) == 0)
1570       return 1;
1571 
1572    return 0; /*success*/
1573 }
1574 
1575 static int
1576 png_XYZ_normalize(png_XYZ *XYZ)
1577 {
1578    png_int_32 Y;
1579 
1580    if (XYZ->red_Y < 0 || XYZ->green_Y < 0 || XYZ->blue_Y < 0 ||
1581       XYZ->red_X < 0 || XYZ->green_X < 0 || XYZ->blue_X < 0 ||
1582       XYZ->red_Z < 0 || XYZ->green_Z < 0 || XYZ->blue_Z < 0)
1583       return 1;
1584 
1585    /* Normalize by scaling so the sum of the end-point Y values is PNG_FP_1.
1586     * IMPLEMENTATION NOTE: ANSI requires signed overflow not to occur, therefore
1587     * relying on addition of two positive values producing a negative one is not
1588     * safe.
1589     */
1590    Y = XYZ->red_Y;
1591    if (0x7fffffff - Y < XYZ->green_X)
1592       return 1;
1593    Y += XYZ->green_Y;
1594    if (0x7fffffff - Y < XYZ->blue_X)
1595       return 1;
1596    Y += XYZ->blue_Y;
1597 
1598    if (Y != PNG_FP_1)
1599    {
1600       if (png_muldiv(&XYZ->red_X, XYZ->red_X, PNG_FP_1, Y) == 0)
1601          return 1;
1602       if (png_muldiv(&XYZ->red_Y, XYZ->red_Y, PNG_FP_1, Y) == 0)
1603          return 1;
1604       if (png_muldiv(&XYZ->red_Z, XYZ->red_Z, PNG_FP_1, Y) == 0)
1605          return 1;
1606 
1607       if (png_muldiv(&XYZ->green_X, XYZ->green_X, PNG_FP_1, Y) == 0)
1608          return 1;
1609       if (png_muldiv(&XYZ->green_Y, XYZ->green_Y, PNG_FP_1, Y) == 0)
1610          return 1;
1611       if (png_muldiv(&XYZ->green_Z, XYZ->green_Z, PNG_FP_1, Y) == 0)
1612          return 1;
1613 
1614       if (png_muldiv(&XYZ->blue_X, XYZ->blue_X, PNG_FP_1, Y) == 0)
1615          return 1;
1616       if (png_muldiv(&XYZ->blue_Y, XYZ->blue_Y, PNG_FP_1, Y) == 0)
1617          return 1;
1618       if (png_muldiv(&XYZ->blue_Z, XYZ->blue_Z, PNG_FP_1, Y) == 0)
1619          return 1;
1620    }
1621 
1622    return 0;
1623 }
1624 
1625 static int
1626 png_colorspace_endpoints_match(const png_xy *xy1, const png_xy *xy2, int delta)
1627 {
1628    /* Allow an error of +/-0.01 (absolute value) on each chromaticity */
1629    if (PNG_OUT_OF_RANGE(xy1->whitex, xy2->whitex,delta) ||
1630        PNG_OUT_OF_RANGE(xy1->whitey, xy2->whitey,delta) ||
1631        PNG_OUT_OF_RANGE(xy1->redx,   xy2->redx,  delta) ||
1632        PNG_OUT_OF_RANGE(xy1->redy,   xy2->redy,  delta) ||
1633        PNG_OUT_OF_RANGE(xy1->greenx, xy2->greenx,delta) ||
1634        PNG_OUT_OF_RANGE(xy1->greeny, xy2->greeny,delta) ||
1635        PNG_OUT_OF_RANGE(xy1->bluex,  xy2->bluex, delta) ||
1636        PNG_OUT_OF_RANGE(xy1->bluey,  xy2->bluey, delta))
1637       return 0;
1638    return 1;
1639 }
1640 
1641 /* Added in libpng-1.6.0, a different check for the validity of a set of cHRM
1642  * chunk chromaticities.  Earlier checks used to simply look for the overflow
1643  * condition (where the determinant of the matrix to solve for XYZ ends up zero
1644  * because the chromaticity values are not all distinct.)  Despite this it is
1645  * theoretically possible to produce chromaticities that are apparently valid
1646  * but that rapidly degrade to invalid, potentially crashing, sets because of
1647  * arithmetic inaccuracies when calculations are performed on them.  The new
1648  * check is to round-trip xy -> XYZ -> xy and then check that the result is
1649  * within a small percentage of the original.
1650  */
1651 static int
1652 png_colorspace_check_xy(png_XYZ *XYZ, const png_xy *xy)
1653 {
1654    int result;
1655    png_xy xy_test;
1656 
1657    /* As a side-effect this routine also returns the XYZ endpoints. */
1658    result = png_XYZ_from_xy(XYZ, xy);
1659    if (result != 0)
1660       return result;
1661 
1662    result = png_xy_from_XYZ(&xy_test, XYZ);
1663    if (result != 0)
1664       return result;
1665 
1666    if (png_colorspace_endpoints_match(xy, &xy_test,
1667        5/*actually, the math is pretty accurate*/) != 0)
1668       return 0;
1669 
1670    /* Too much slip */
1671    return 1;
1672 }
1673 
1674 /* This is the check going the other way.  The XYZ is modified to normalize it
1675  * (another side-effect) and the xy chromaticities are returned.
1676  */
1677 static int
1678 png_colorspace_check_XYZ(png_xy *xy, png_XYZ *XYZ)
1679 {
1680    int result;
1681    png_XYZ XYZtemp;
1682 
1683    result = png_XYZ_normalize(XYZ);
1684    if (result != 0)
1685       return result;
1686 
1687    result = png_xy_from_XYZ(xy, XYZ);
1688    if (result != 0)
1689       return result;
1690 
1691    XYZtemp = *XYZ;
1692    return png_colorspace_check_xy(&XYZtemp, xy);
1693 }
1694 
1695 /* Used to check for an endpoint match against sRGB */
1696 static const png_xy sRGB_xy = /* From ITU-R BT.709-3 */
1697 {
1698    /* color      x       y */
1699    /* red   */ 64000, 33000,
1700    /* green */ 30000, 60000,
1701    /* blue  */ 15000,  6000,
1702    /* white */ 31270, 32900
1703 };
1704 
1705 static int
1706 png_colorspace_set_xy_and_XYZ(png_const_structrp png_ptr,
1707     png_colorspacerp colorspace, const png_xy *xy, const png_XYZ *XYZ,
1708     int preferred)
1709 {
1710    if ((colorspace->flags & PNG_COLORSPACE_INVALID) != 0)
1711       return 0;
1712 
1713    /* The consistency check is performed on the chromaticities; this factors out
1714     * variations because of the normalization (or not) of the end point Y
1715     * values.
1716     */
1717    if (preferred < 2 &&
1718        (colorspace->flags & PNG_COLORSPACE_HAVE_ENDPOINTS) != 0)
1719    {
1720       /* The end points must be reasonably close to any we already have.  The
1721        * following allows an error of up to +/-.001
1722        */
1723       if (png_colorspace_endpoints_match(xy, &colorspace->end_points_xy,
1724           100) == 0)
1725       {
1726          colorspace->flags |= PNG_COLORSPACE_INVALID;
1727          png_benign_error(png_ptr, "inconsistent chromaticities");
1728          return 0; /* failed */
1729       }
1730 
1731       /* Only overwrite with preferred values */
1732       if (preferred == 0)
1733          return 1; /* ok, but no change */
1734    }
1735 
1736    colorspace->end_points_xy = *xy;
1737    colorspace->end_points_XYZ = *XYZ;
1738    colorspace->flags |= PNG_COLORSPACE_HAVE_ENDPOINTS;
1739 
1740    /* The end points are normally quoted to two decimal digits, so allow +/-0.01
1741     * on this test.
1742     */
1743    if (png_colorspace_endpoints_match(xy, &sRGB_xy, 1000) != 0)
1744       colorspace->flags |= PNG_COLORSPACE_ENDPOINTS_MATCH_sRGB;
1745 
1746    else
1747       colorspace->flags &= PNG_COLORSPACE_CANCEL(
1748          PNG_COLORSPACE_ENDPOINTS_MATCH_sRGB);
1749 
1750    return 2; /* ok and changed */
1751 }
1752 
1753 int /* PRIVATE */
1754 png_colorspace_set_chromaticities(png_const_structrp png_ptr,
1755     png_colorspacerp colorspace, const png_xy *xy, int preferred)
1756 {
1757    /* We must check the end points to ensure they are reasonable - in the past
1758     * color management systems have crashed as a result of getting bogus
1759     * colorant values, while this isn't the fault of libpng it is the
1760     * responsibility of libpng because PNG carries the bomb and libpng is in a
1761     * position to protect against it.
1762     */
1763    png_XYZ XYZ;
1764 
1765    switch (png_colorspace_check_xy(&XYZ, xy))
1766    {
1767       case 0: /* success */
1768          return png_colorspace_set_xy_and_XYZ(png_ptr, colorspace, xy, &XYZ,
1769              preferred);
1770 
1771       case 1:
1772          /* We can't invert the chromaticities so we can't produce value XYZ
1773           * values.  Likely as not a color management system will fail too.
1774           */
1775          colorspace->flags |= PNG_COLORSPACE_INVALID;
1776          png_benign_error(png_ptr, "invalid chromaticities");
1777          break;
1778 
1779       default:
1780          /* libpng is broken; this should be a warning but if it happens we
1781           * want error reports so for the moment it is an error.
1782           */
1783          colorspace->flags |= PNG_COLORSPACE_INVALID;
1784          png_error(png_ptr, "internal error checking chromaticities");
1785    }
1786 
1787    return 0; /* failed */
1788 }
1789 
1790 int /* PRIVATE */
1791 png_colorspace_set_endpoints(png_const_structrp png_ptr,
1792     png_colorspacerp colorspace, const png_XYZ *XYZ_in, int preferred)
1793 {
1794    png_XYZ XYZ = *XYZ_in;
1795    png_xy xy;
1796 
1797    switch (png_colorspace_check_XYZ(&xy, &XYZ))
1798    {
1799       case 0:
1800          return png_colorspace_set_xy_and_XYZ(png_ptr, colorspace, &xy, &XYZ,
1801              preferred);
1802 
1803       case 1:
1804          /* End points are invalid. */
1805          colorspace->flags |= PNG_COLORSPACE_INVALID;
1806          png_benign_error(png_ptr, "invalid end points");
1807          break;
1808 
1809       default:
1810          colorspace->flags |= PNG_COLORSPACE_INVALID;
1811          png_error(png_ptr, "internal error checking chromaticities");
1812    }
1813 
1814    return 0; /* failed */
1815 }
1816 
1817 #if defined(PNG_sRGB_SUPPORTED) || defined(PNG_iCCP_SUPPORTED)
1818 /* Error message generation */
1819 static char
1820 png_icc_tag_char(png_uint_32 byte)
1821 {
1822    byte &= 0xff;
1823    if (byte >= 32 && byte <= 126)
1824       return (char)byte;
1825    else
1826       return '?';
1827 }
1828 
1829 static void
1830 png_icc_tag_name(char *name, png_uint_32 tag)
1831 {
1832    name[0] = '\'';
1833    name[1] = png_icc_tag_char(tag >> 24);
1834    name[2] = png_icc_tag_char(tag >> 16);
1835    name[3] = png_icc_tag_char(tag >>  8);
1836    name[4] = png_icc_tag_char(tag      );
1837    name[5] = '\'';
1838 }
1839 
1840 static int
1841 is_ICC_signature_char(png_alloc_size_t it)
1842 {
1843    return it == 32 || (it >= 48 && it <= 57) || (it >= 65 && it <= 90) ||
1844       (it >= 97 && it <= 122);
1845 }
1846 
1847 static int
1848 is_ICC_signature(png_alloc_size_t it)
1849 {
1850    return is_ICC_signature_char(it >> 24) /* checks all the top bits */ &&
1851       is_ICC_signature_char((it >> 16) & 0xff) &&
1852       is_ICC_signature_char((it >> 8) & 0xff) &&
1853       is_ICC_signature_char(it & 0xff);
1854 }
1855 
1856 static int
1857 png_icc_profile_error(png_const_structrp png_ptr, png_colorspacerp colorspace,
1858     png_const_charp name, png_alloc_size_t value, png_const_charp reason)
1859 {
1860    size_t pos;
1861    char message[196]; /* see below for calculation */
1862 
1863    if (colorspace != NULL)
1864       colorspace->flags |= PNG_COLORSPACE_INVALID;
1865 
1866    pos = png_safecat(message, (sizeof message), 0, "profile '"); /* 9 chars */
1867    pos = png_safecat(message, pos+79, pos, name); /* Truncate to 79 chars */
1868    pos = png_safecat(message, (sizeof message), pos, "': "); /* +2 = 90 */
1869    if (is_ICC_signature(value) != 0)
1870    {
1871       /* So 'value' is at most 4 bytes and the following cast is safe */
1872       png_icc_tag_name(message+pos, (png_uint_32)value);
1873       pos += 6; /* total +8; less than the else clause */
1874       message[pos++] = ':';
1875       message[pos++] = ' ';
1876    }
1877 #  ifdef PNG_WARNINGS_SUPPORTED
1878    else
1879       {
1880          char number[PNG_NUMBER_BUFFER_SIZE]; /* +24 = 114*/
1881 
1882          pos = png_safecat(message, (sizeof message), pos,
1883              png_format_number(number, number+(sizeof number),
1884              PNG_NUMBER_FORMAT_x, value));
1885          pos = png_safecat(message, (sizeof message), pos, "h: "); /*+2 = 116*/
1886       }
1887 #  endif
1888    /* The 'reason' is an arbitrary message, allow +79 maximum 195 */
1889    pos = png_safecat(message, (sizeof message), pos, reason);
1890    PNG_UNUSED(pos)
1891 
1892    /* This is recoverable, but make it unconditionally an app_error on write to
1893     * avoid writing invalid ICC profiles into PNG files (i.e., we handle them
1894     * on read, with a warning, but on write unless the app turns off
1895     * application errors the PNG won't be written.)
1896     */
1897    png_chunk_report(png_ptr, message,
1898        (colorspace != NULL) ? PNG_CHUNK_ERROR : PNG_CHUNK_WRITE_ERROR);
1899 
1900    return 0;
1901 }
1902 #endif /* sRGB || iCCP */
1903 
1904 #ifdef PNG_sRGB_SUPPORTED
1905 int /* PRIVATE */
1906 png_colorspace_set_sRGB(png_const_structrp png_ptr, png_colorspacerp colorspace,
1907     int intent)
1908 {
1909    /* sRGB sets known gamma, end points and (from the chunk) intent. */
1910    /* IMPORTANT: these are not necessarily the values found in an ICC profile
1911     * because ICC profiles store values adapted to a D50 environment; it is
1912     * expected that the ICC profile mediaWhitePointTag will be D50; see the
1913     * checks and code elsewhere to understand this better.
1914     *
1915     * These XYZ values, which are accurate to 5dp, produce rgb to gray
1916     * coefficients of (6968,23435,2366), which are reduced (because they add up
1917     * to 32769 not 32768) to (6968,23434,2366).  These are the values that
1918     * libpng has traditionally used (and are the best values given the 15bit
1919     * algorithm used by the rgb to gray code.)
1920     */
1921    static const png_XYZ sRGB_XYZ = /* D65 XYZ (*not* the D50 adapted values!) */
1922    {
1923       /* color      X      Y      Z */
1924       /* red   */ 41239, 21264,  1933,
1925       /* green */ 35758, 71517, 11919,
1926       /* blue  */ 18048,  7219, 95053
1927    };
1928 
1929    /* Do nothing if the colorspace is already invalidated. */
1930    if ((colorspace->flags & PNG_COLORSPACE_INVALID) != 0)
1931       return 0;
1932 
1933    /* Check the intent, then check for existing settings.  It is valid for the
1934     * PNG file to have cHRM or gAMA chunks along with sRGB, but the values must
1935     * be consistent with the correct values.  If, however, this function is
1936     * called below because an iCCP chunk matches sRGB then it is quite
1937     * conceivable that an older app recorded incorrect gAMA and cHRM because of
1938     * an incorrect calculation based on the values in the profile - this does
1939     * *not* invalidate the profile (though it still produces an error, which can
1940     * be ignored.)
1941     */
1942    if (intent < 0 || intent >= PNG_sRGB_INTENT_LAST)
1943       return png_icc_profile_error(png_ptr, colorspace, "sRGB",
1944           (png_alloc_size_t)intent, "invalid sRGB rendering intent");
1945 
1946    if ((colorspace->flags & PNG_COLORSPACE_HAVE_INTENT) != 0 &&
1947        colorspace->rendering_intent != intent)
1948       return png_icc_profile_error(png_ptr, colorspace, "sRGB",
1949          (png_alloc_size_t)intent, "inconsistent rendering intents");
1950 
1951    if ((colorspace->flags & PNG_COLORSPACE_FROM_sRGB) != 0)
1952    {
1953       png_benign_error(png_ptr, "duplicate sRGB information ignored");
1954       return 0;
1955    }
1956 
1957    /* If the standard sRGB cHRM chunk does not match the one from the PNG file
1958     * warn but overwrite the value with the correct one.
1959     */
1960    if ((colorspace->flags & PNG_COLORSPACE_HAVE_ENDPOINTS) != 0 &&
1961        !png_colorspace_endpoints_match(&sRGB_xy, &colorspace->end_points_xy,
1962        100))
1963       png_chunk_report(png_ptr, "cHRM chunk does not match sRGB",
1964          PNG_CHUNK_ERROR);
1965 
1966    /* This check is just done for the error reporting - the routine always
1967     * returns true when the 'from' argument corresponds to sRGB (2).
1968     */
1969    (void)png_colorspace_check_gamma(png_ptr, colorspace, PNG_GAMMA_sRGB_INVERSE,
1970        2/*from sRGB*/);
1971 
1972    /* intent: bugs in GCC force 'int' to be used as the parameter type. */
1973    colorspace->rendering_intent = (png_uint_16)intent;
1974    colorspace->flags |= PNG_COLORSPACE_HAVE_INTENT;
1975 
1976    /* endpoints */
1977    colorspace->end_points_xy = sRGB_xy;
1978    colorspace->end_points_XYZ = sRGB_XYZ;
1979    colorspace->flags |=
1980       (PNG_COLORSPACE_HAVE_ENDPOINTS|PNG_COLORSPACE_ENDPOINTS_MATCH_sRGB);
1981 
1982    /* gamma */
1983    colorspace->gamma = PNG_GAMMA_sRGB_INVERSE;
1984    colorspace->flags |= PNG_COLORSPACE_HAVE_GAMMA;
1985 
1986    /* Finally record that we have an sRGB profile */
1987    colorspace->flags |=
1988       (PNG_COLORSPACE_MATCHES_sRGB|PNG_COLORSPACE_FROM_sRGB);
1989 
1990    return 1; /* set */
1991 }
1992 #endif /* sRGB */
1993 
1994 #ifdef PNG_iCCP_SUPPORTED
1995 /* Encoded value of D50 as an ICC XYZNumber.  From the ICC 2010 spec the value
1996  * is XYZ(0.9642,1.0,0.8249), which scales to:
1997  *
1998  *    (63189.8112, 65536, 54060.6464)
1999  */
2000 static const png_byte D50_nCIEXYZ[12] =
2001    { 0x00, 0x00, 0xf6, 0xd6, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0xd3, 0x2d };
2002 
2003 static int /* bool */
2004 icc_check_length(png_const_structrp png_ptr, png_colorspacerp colorspace,
2005     png_const_charp name, png_uint_32 profile_length)
2006 {
2007    if (profile_length < 132)
2008       return png_icc_profile_error(png_ptr, colorspace, name, profile_length,
2009           "too short");
2010    return 1;
2011 }
2012 
2013 #ifdef PNG_READ_iCCP_SUPPORTED
2014 int /* PRIVATE */
2015 png_icc_check_length(png_const_structrp png_ptr, png_colorspacerp colorspace,
2016     png_const_charp name, png_uint_32 profile_length)
2017 {
2018    if (!icc_check_length(png_ptr, colorspace, name, profile_length))
2019       return 0;
2020 
2021    /* This needs to be here because the 'normal' check is in
2022     * png_decompress_chunk, yet this happens after the attempt to
2023     * png_malloc_base the required data.  We only need this on read; on write
2024     * the caller supplies the profile buffer so libpng doesn't allocate it.  See
2025     * the call to icc_check_length below (the write case).
2026     */
2027 #  ifdef PNG_SET_USER_LIMITS_SUPPORTED
2028       else if (png_ptr->user_chunk_malloc_max > 0 &&
2029                png_ptr->user_chunk_malloc_max < profile_length)
2030          return png_icc_profile_error(png_ptr, colorspace, name, profile_length,
2031              "exceeds application limits");
2032 #  elif PNG_USER_CHUNK_MALLOC_MAX > 0
2033       else if (PNG_USER_CHUNK_MALLOC_MAX < profile_length)
2034          return png_icc_profile_error(png_ptr, colorspace, name, profile_length,
2035              "exceeds libpng limits");
2036 #  else /* !SET_USER_LIMITS */
2037       /* This will get compiled out on all 32-bit and better systems. */
2038       else if (PNG_SIZE_MAX < profile_length)
2039          return png_icc_profile_error(png_ptr, colorspace, name, profile_length,
2040              "exceeds system limits");
2041 #  endif /* !SET_USER_LIMITS */
2042 
2043    return 1;
2044 }
2045 #endif /* READ_iCCP */
2046 
2047 int /* PRIVATE */
2048 png_icc_check_header(png_const_structrp png_ptr, png_colorspacerp colorspace,
2049     png_const_charp name, png_uint_32 profile_length,
2050     png_const_bytep profile/* first 132 bytes only */, int color_type)
2051 {
2052    png_uint_32 temp;
2053 
2054    /* Length check; this cannot be ignored in this code because profile_length
2055     * is used later to check the tag table, so even if the profile seems over
2056     * long profile_length from the caller must be correct.  The caller can fix
2057     * this up on read or write by just passing in the profile header length.
2058     */
2059    temp = png_get_uint_32(profile);
2060    if (temp != profile_length)
2061       return png_icc_profile_error(png_ptr, colorspace, name, temp,
2062           "length does not match profile");
2063 
2064    temp = (png_uint_32) (*(profile+8));
2065    if (temp > 3 && (profile_length & 3))
2066       return png_icc_profile_error(png_ptr, colorspace, name, profile_length,
2067           "invalid length");
2068 
2069    temp = png_get_uint_32(profile+128); /* tag count: 12 bytes/tag */
2070    if (temp > 357913930 || /* (2^32-4-132)/12: maximum possible tag count */
2071       profile_length < 132+12*temp) /* truncated tag table */
2072       return png_icc_profile_error(png_ptr, colorspace, name, temp,
2073           "tag count too large");
2074 
2075    /* The 'intent' must be valid or we can't store it, ICC limits the intent to
2076     * 16 bits.
2077     */
2078    temp = png_get_uint_32(profile+64);
2079    if (temp >= 0xffff) /* The ICC limit */
2080       return png_icc_profile_error(png_ptr, colorspace, name, temp,
2081           "invalid rendering intent");
2082 
2083    /* This is just a warning because the profile may be valid in future
2084     * versions.
2085     */
2086    if (temp >= PNG_sRGB_INTENT_LAST)
2087       (void)png_icc_profile_error(png_ptr, NULL, name, temp,
2088           "intent outside defined range");
2089 
2090    /* At this point the tag table can't be checked because it hasn't necessarily
2091     * been loaded; however, various header fields can be checked.  These checks
2092     * are for values permitted by the PNG spec in an ICC profile; the PNG spec
2093     * restricts the profiles that can be passed in an iCCP chunk (they must be
2094     * appropriate to processing PNG data!)
2095     */
2096 
2097    /* Data checks (could be skipped).  These checks must be independent of the
2098     * version number; however, the version number doesn't accommodate changes in
2099     * the header fields (just the known tags and the interpretation of the
2100     * data.)
2101     */
2102    temp = png_get_uint_32(profile+36); /* signature 'ascp' */
2103    if (temp != 0x61637370)
2104       return png_icc_profile_error(png_ptr, colorspace, name, temp,
2105           "invalid signature");
2106 
2107    /* Currently the PCS illuminant/adopted white point (the computational
2108     * white point) are required to be D50,
2109     * however the profile contains a record of the illuminant so perhaps ICC
2110     * expects to be able to change this in the future (despite the rationale in
2111     * the introduction for using a fixed PCS adopted white.)  Consequently the
2112     * following is just a warning.
2113     */
2114    if (memcmp(profile+68, D50_nCIEXYZ, 12) != 0)
2115       (void)png_icc_profile_error(png_ptr, NULL, name, 0/*no tag value*/,
2116           "PCS illuminant is not D50");
2117 
2118    /* The PNG spec requires this:
2119     * "If the iCCP chunk is present, the image samples conform to the colour
2120     * space represented by the embedded ICC profile as defined by the
2121     * International Color Consortium [ICC]. The colour space of the ICC profile
2122     * shall be an RGB colour space for colour images (PNG colour types 2, 3, and
2123     * 6), or a greyscale colour space for greyscale images (PNG colour types 0
2124     * and 4)."
2125     *
2126     * This checking code ensures the embedded profile (on either read or write)
2127     * conforms to the specification requirements.  Notice that an ICC 'gray'
2128     * color-space profile contains the information to transform the monochrome
2129     * data to XYZ or L*a*b (according to which PCS the profile uses) and this
2130     * should be used in preference to the standard libpng K channel replication
2131     * into R, G and B channels.
2132     *
2133     * Previously it was suggested that an RGB profile on grayscale data could be
2134     * handled.  However it it is clear that using an RGB profile in this context
2135     * must be an error - there is no specification of what it means.  Thus it is
2136     * almost certainly more correct to ignore the profile.
2137     */
2138    temp = png_get_uint_32(profile+16); /* data colour space field */
2139    switch (temp)
2140    {
2141       case 0x52474220: /* 'RGB ' */
2142          if ((color_type & PNG_COLOR_MASK_COLOR) == 0)
2143             return png_icc_profile_error(png_ptr, colorspace, name, temp,
2144                 "RGB color space not permitted on grayscale PNG");
2145          break;
2146 
2147       case 0x47524159: /* 'GRAY' */
2148          if ((color_type & PNG_COLOR_MASK_COLOR) != 0)
2149             return png_icc_profile_error(png_ptr, colorspace, name, temp,
2150                 "Gray color space not permitted on RGB PNG");
2151          break;
2152 
2153       default:
2154          return png_icc_profile_error(png_ptr, colorspace, name, temp,
2155              "invalid ICC profile color space");
2156    }
2157 
2158    /* It is up to the application to check that the profile class matches the
2159     * application requirements; the spec provides no guidance, but it's pretty
2160     * weird if the profile is not scanner ('scnr'), monitor ('mntr'), printer
2161     * ('prtr') or 'spac' (for generic color spaces).  Issue a warning in these
2162     * cases.  Issue an error for device link or abstract profiles - these don't
2163     * contain the records necessary to transform the color-space to anything
2164     * other than the target device (and not even that for an abstract profile).
2165     * Profiles of these classes may not be embedded in images.
2166     */
2167    temp = png_get_uint_32(profile+12); /* profile/device class */
2168    switch (temp)
2169    {
2170       case 0x73636e72: /* 'scnr' */
2171       case 0x6d6e7472: /* 'mntr' */
2172       case 0x70727472: /* 'prtr' */
2173       case 0x73706163: /* 'spac' */
2174          /* All supported */
2175          break;
2176 
2177       case 0x61627374: /* 'abst' */
2178          /* May not be embedded in an image */
2179          return png_icc_profile_error(png_ptr, colorspace, name, temp,
2180              "invalid embedded Abstract ICC profile");
2181 
2182       case 0x6c696e6b: /* 'link' */
2183          /* DeviceLink profiles cannot be interpreted in a non-device specific
2184           * fashion, if an app uses the AToB0Tag in the profile the results are
2185           * undefined unless the result is sent to the intended device,
2186           * therefore a DeviceLink profile should not be found embedded in a
2187           * PNG.
2188           */
2189          return png_icc_profile_error(png_ptr, colorspace, name, temp,
2190              "unexpected DeviceLink ICC profile class");
2191 
2192       case 0x6e6d636c: /* 'nmcl' */
2193          /* A NamedColor profile is also device specific, however it doesn't
2194           * contain an AToB0 tag that is open to misinterpretation.  Almost
2195           * certainly it will fail the tests below.
2196           */
2197          (void)png_icc_profile_error(png_ptr, NULL, name, temp,
2198              "unexpected NamedColor ICC profile class");
2199          break;
2200 
2201       default:
2202          /* To allow for future enhancements to the profile accept unrecognized
2203           * profile classes with a warning, these then hit the test below on the
2204           * tag content to ensure they are backward compatible with one of the
2205           * understood profiles.
2206           */
2207          (void)png_icc_profile_error(png_ptr, NULL, name, temp,
2208              "unrecognized ICC profile class");
2209          break;
2210    }
2211 
2212    /* For any profile other than a device link one the PCS must be encoded
2213     * either in XYZ or Lab.
2214     */
2215    temp = png_get_uint_32(profile+20);
2216    switch (temp)
2217    {
2218       case 0x58595a20: /* 'XYZ ' */
2219       case 0x4c616220: /* 'Lab ' */
2220          break;
2221 
2222       default:
2223          return png_icc_profile_error(png_ptr, colorspace, name, temp,
2224              "unexpected ICC PCS encoding");
2225    }
2226 
2227    return 1;
2228 }
2229 
2230 int /* PRIVATE */
2231 png_icc_check_tag_table(png_const_structrp png_ptr, png_colorspacerp colorspace,
2232     png_const_charp name, png_uint_32 profile_length,
2233     png_const_bytep profile /* header plus whole tag table */)
2234 {
2235    png_uint_32 tag_count = png_get_uint_32(profile+128);
2236    png_uint_32 itag;
2237    png_const_bytep tag = profile+132; /* The first tag */
2238 
2239    /* First scan all the tags in the table and add bits to the icc_info value
2240     * (temporarily in 'tags').
2241     */
2242    for (itag=0; itag < tag_count; ++itag, tag += 12)
2243    {
2244       png_uint_32 tag_id = png_get_uint_32(tag+0);
2245       png_uint_32 tag_start = png_get_uint_32(tag+4); /* must be aligned */
2246       png_uint_32 tag_length = png_get_uint_32(tag+8);/* not padded */
2247 
2248       /* The ICC specification does not exclude zero length tags, therefore the
2249        * start might actually be anywhere if there is no data, but this would be
2250        * a clear abuse of the intent of the standard so the start is checked for
2251        * being in range.  All defined tag types have an 8 byte header - a 4 byte
2252        * type signature then 0.
2253        */
2254 
2255       /* This is a hard error; potentially it can cause read outside the
2256        * profile.
2257        */
2258       if (tag_start > profile_length || tag_length > profile_length - tag_start)
2259          return png_icc_profile_error(png_ptr, colorspace, name, tag_id,
2260              "ICC profile tag outside profile");
2261 
2262       if ((tag_start & 3) != 0)
2263       {
2264          /* CNHP730S.icc shipped with Microsoft Windows 64 violates this; it is
2265           * only a warning here because libpng does not care about the
2266           * alignment.
2267           */
2268          (void)png_icc_profile_error(png_ptr, NULL, name, tag_id,
2269              "ICC profile tag start not a multiple of 4");
2270       }
2271    }
2272 
2273    return 1; /* success, maybe with warnings */
2274 }
2275 
2276 #ifdef PNG_sRGB_SUPPORTED
2277 #if PNG_sRGB_PROFILE_CHECKS >= 0
2278 /* Information about the known ICC sRGB profiles */
2279 static const struct
2280 {
2281    png_uint_32 adler, crc, length;
2282    png_uint_32 md5[4];
2283    png_byte    have_md5;
2284    png_byte    is_broken;
2285    png_uint_16 intent;
2286 
2287 #  define PNG_MD5(a,b,c,d) { a, b, c, d }, (a!=0)||(b!=0)||(c!=0)||(d!=0)
2288 #  define PNG_ICC_CHECKSUM(adler, crc, md5, intent, broke, date, length, fname)\
2289       { adler, crc, length, md5, broke, intent },
2290 
2291 } png_sRGB_checks[] =
2292 {
2293    /* This data comes from contrib/tools/checksum-icc run on downloads of
2294     * all four ICC sRGB profiles from www.color.org.
2295     */
2296    /* adler32, crc32, MD5[4], intent, date, length, file-name */
2297    PNG_ICC_CHECKSUM(0x0a3fd9f6, 0x3b8772b9,
2298        PNG_MD5(0x29f83dde, 0xaff255ae, 0x7842fae4, 0xca83390d), 0, 0,
2299        "2009/03/27 21:36:31", 3048, "sRGB_IEC61966-2-1_black_scaled.icc")
2300 
2301    /* ICC sRGB v2 perceptual no black-compensation: */
2302    PNG_ICC_CHECKSUM(0x4909e5e1, 0x427ebb21,
2303        PNG_MD5(0xc95bd637, 0xe95d8a3b, 0x0df38f99, 0xc1320389), 1, 0,
2304        "2009/03/27 21:37:45", 3052, "sRGB_IEC61966-2-1_no_black_scaling.icc")
2305 
2306    PNG_ICC_CHECKSUM(0xfd2144a1, 0x306fd8ae,
2307        PNG_MD5(0xfc663378, 0x37e2886b, 0xfd72e983, 0x8228f1b8), 0, 0,
2308        "2009/08/10 17:28:01", 60988, "sRGB_v4_ICC_preference_displayclass.icc")
2309 
2310    /* ICC sRGB v4 perceptual */
2311    PNG_ICC_CHECKSUM(0x209c35d2, 0xbbef7812,
2312        PNG_MD5(0x34562abf, 0x994ccd06, 0x6d2c5721, 0xd0d68c5d), 0, 0,
2313        "2007/07/25 00:05:37", 60960, "sRGB_v4_ICC_preference.icc")
2314 
2315    /* The following profiles have no known MD5 checksum. If there is a match
2316     * on the (empty) MD5 the other fields are used to attempt a match and
2317     * a warning is produced.  The first two of these profiles have a 'cprt' tag
2318     * which suggests that they were also made by Hewlett Packard.
2319     */
2320    PNG_ICC_CHECKSUM(0xa054d762, 0x5d5129ce,
2321        PNG_MD5(0x00000000, 0x00000000, 0x00000000, 0x00000000), 1, 0,
2322        "2004/07/21 18:57:42", 3024, "sRGB_IEC61966-2-1_noBPC.icc")
2323 
2324    /* This is a 'mntr' (display) profile with a mediaWhitePointTag that does not
2325     * match the D50 PCS illuminant in the header (it is in fact the D65 values,
2326     * so the white point is recorded as the un-adapted value.)  The profiles
2327     * below only differ in one byte - the intent - and are basically the same as
2328     * the previous profile except for the mediaWhitePointTag error and a missing
2329     * chromaticAdaptationTag.
2330     */
2331    PNG_ICC_CHECKSUM(0xf784f3fb, 0x182ea552,
2332        PNG_MD5(0x00000000, 0x00000000, 0x00000000, 0x00000000), 0, 1/*broken*/,
2333        "1998/02/09 06:49:00", 3144, "HP-Microsoft sRGB v2 perceptual")
2334 
2335    PNG_ICC_CHECKSUM(0x0398f3fc, 0xf29e526d,
2336        PNG_MD5(0x00000000, 0x00000000, 0x00000000, 0x00000000), 1, 1/*broken*/,
2337        "1998/02/09 06:49:00", 3144, "HP-Microsoft sRGB v2 media-relative")
2338 };
2339 
2340 static int
2341 png_compare_ICC_profile_with_sRGB(png_const_structrp png_ptr,
2342     png_const_bytep profile, uLong adler)
2343 {
2344    /* The quick check is to verify just the MD5 signature and trust the
2345     * rest of the data.  Because the profile has already been verified for
2346     * correctness this is safe.  png_colorspace_set_sRGB will check the 'intent'
2347     * field too, so if the profile has been edited with an intent not defined
2348     * by sRGB (but maybe defined by a later ICC specification) the read of
2349     * the profile will fail at that point.
2350     */
2351 
2352    png_uint_32 length = 0;
2353    png_uint_32 intent = 0x10000; /* invalid */
2354 #if PNG_sRGB_PROFILE_CHECKS > 1
2355    uLong crc = 0; /* the value for 0 length data */
2356 #endif
2357    unsigned int i;
2358 
2359 #ifdef PNG_SET_OPTION_SUPPORTED
2360    /* First see if PNG_SKIP_sRGB_CHECK_PROFILE has been set to "on" */
2361    if (((png_ptr->options >> PNG_SKIP_sRGB_CHECK_PROFILE) & 3) ==
2362                PNG_OPTION_ON)
2363       return 0;
2364 #endif
2365 
2366    for (i=0; i < (sizeof png_sRGB_checks) / (sizeof png_sRGB_checks[0]); ++i)
2367    {
2368       if (png_get_uint_32(profile+84) == png_sRGB_checks[i].md5[0] &&
2369          png_get_uint_32(profile+88) == png_sRGB_checks[i].md5[1] &&
2370          png_get_uint_32(profile+92) == png_sRGB_checks[i].md5[2] &&
2371          png_get_uint_32(profile+96) == png_sRGB_checks[i].md5[3])
2372       {
2373          /* This may be one of the old HP profiles without an MD5, in that
2374           * case we can only use the length and Adler32 (note that these
2375           * are not used by default if there is an MD5!)
2376           */
2377 #        if PNG_sRGB_PROFILE_CHECKS == 0
2378             if (png_sRGB_checks[i].have_md5 != 0)
2379                return 1+png_sRGB_checks[i].is_broken;
2380 #        endif
2381 
2382          /* Profile is unsigned or more checks have been configured in. */
2383          if (length == 0)
2384          {
2385             length = png_get_uint_32(profile);
2386             intent = png_get_uint_32(profile+64);
2387          }
2388 
2389          /* Length *and* intent must match */
2390          if (length == (png_uint_32) png_sRGB_checks[i].length &&
2391             intent == (png_uint_32) png_sRGB_checks[i].intent)
2392          {
2393             /* Now calculate the adler32 if not done already. */
2394             if (adler == 0)
2395             {
2396                adler = adler32(0, NULL, 0);
2397                adler = adler32(adler, profile, length);
2398             }
2399 
2400             if (adler == png_sRGB_checks[i].adler)
2401             {
2402                /* These basic checks suggest that the data has not been
2403                 * modified, but if the check level is more than 1 perform
2404                 * our own crc32 checksum on the data.
2405                 */
2406 #              if PNG_sRGB_PROFILE_CHECKS > 1
2407                   if (crc == 0)
2408                   {
2409                      crc = crc32(0, NULL, 0);
2410                      crc = crc32(crc, profile, length);
2411                   }
2412 
2413                   /* So this check must pass for the 'return' below to happen.
2414                    */
2415                   if (crc == png_sRGB_checks[i].crc)
2416 #              endif
2417                {
2418                   if (png_sRGB_checks[i].is_broken != 0)
2419                   {
2420                      /* These profiles are known to have bad data that may cause
2421                       * problems if they are used, therefore attempt to
2422                       * discourage their use, skip the 'have_md5' warning below,
2423                       * which is made irrelevant by this error.
2424                       */
2425                      png_chunk_report(png_ptr, "known incorrect sRGB profile",
2426                          PNG_CHUNK_ERROR);
2427                   }
2428 
2429                   /* Warn that this being done; this isn't even an error since
2430                    * the profile is perfectly valid, but it would be nice if
2431                    * people used the up-to-date ones.
2432                    */
2433                   else if (png_sRGB_checks[i].have_md5 == 0)
2434                   {
2435                      png_chunk_report(png_ptr,
2436                          "out-of-date sRGB profile with no signature",
2437                          PNG_CHUNK_WARNING);
2438                   }
2439 
2440                   return 1+png_sRGB_checks[i].is_broken;
2441                }
2442             }
2443 
2444 # if PNG_sRGB_PROFILE_CHECKS > 0
2445          /* The signature matched, but the profile had been changed in some
2446           * way.  This probably indicates a data error or uninformed hacking.
2447           * Fall through to "no match".
2448           */
2449          png_chunk_report(png_ptr,
2450              "Not recognizing known sRGB profile that has been edited",
2451              PNG_CHUNK_WARNING);
2452          break;
2453 # endif
2454          }
2455       }
2456    }
2457 
2458    return 0; /* no match */
2459 }
2460 
2461 void /* PRIVATE */
2462 png_icc_set_sRGB(png_const_structrp png_ptr,
2463     png_colorspacerp colorspace, png_const_bytep profile, uLong adler)
2464 {
2465    /* Is this profile one of the known ICC sRGB profiles?  If it is, just set
2466     * the sRGB information.
2467     */
2468    if (png_compare_ICC_profile_with_sRGB(png_ptr, profile, adler) != 0)
2469       (void)png_colorspace_set_sRGB(png_ptr, colorspace,
2470          (int)/*already checked*/png_get_uint_32(profile+64));
2471 }
2472 #endif /* PNG_sRGB_PROFILE_CHECKS >= 0 */
2473 #endif /* sRGB */
2474 
2475 int /* PRIVATE */
2476 png_colorspace_set_ICC(png_const_structrp png_ptr, png_colorspacerp colorspace,
2477     png_const_charp name, png_uint_32 profile_length, png_const_bytep profile,
2478     int color_type)
2479 {
2480    if ((colorspace->flags & PNG_COLORSPACE_INVALID) != 0)
2481       return 0;
2482 
2483    if (icc_check_length(png_ptr, colorspace, name, profile_length) != 0 &&
2484        png_icc_check_header(png_ptr, colorspace, name, profile_length, profile,
2485            color_type) != 0 &&
2486        png_icc_check_tag_table(png_ptr, colorspace, name, profile_length,
2487            profile) != 0)
2488    {
2489 #     if defined(PNG_sRGB_SUPPORTED) && PNG_sRGB_PROFILE_CHECKS >= 0
2490          /* If no sRGB support, don't try storing sRGB information */
2491          png_icc_set_sRGB(png_ptr, colorspace, profile, 0);
2492 #     endif
2493       return 1;
2494    }
2495 
2496    /* Failure case */
2497    return 0;
2498 }
2499 #endif /* iCCP */
2500 
2501 #ifdef PNG_READ_RGB_TO_GRAY_SUPPORTED
2502 void /* PRIVATE */
2503 png_colorspace_set_rgb_coefficients(png_structrp png_ptr)
2504 {
2505    /* Set the rgb_to_gray coefficients from the colorspace. */
2506    if (png_ptr->rgb_to_gray_coefficients_set == 0 &&
2507       (png_ptr->colorspace.flags & PNG_COLORSPACE_HAVE_ENDPOINTS) != 0)
2508    {
2509       /* png_set_background has not been called, get the coefficients from the Y
2510        * values of the colorspace colorants.
2511        */
2512       png_fixed_point r = png_ptr->colorspace.end_points_XYZ.red_Y;
2513       png_fixed_point g = png_ptr->colorspace.end_points_XYZ.green_Y;
2514       png_fixed_point b = png_ptr->colorspace.end_points_XYZ.blue_Y;
2515       png_fixed_point total = r+g+b;
2516 
2517       if (total > 0 &&
2518          r >= 0 && png_muldiv(&r, r, 32768, total) && r >= 0 && r <= 32768 &&
2519          g >= 0 && png_muldiv(&g, g, 32768, total) && g >= 0 && g <= 32768 &&
2520          b >= 0 && png_muldiv(&b, b, 32768, total) && b >= 0 && b <= 32768 &&
2521          r+g+b <= 32769)
2522       {
2523          /* We allow 0 coefficients here.  r+g+b may be 32769 if two or
2524           * all of the coefficients were rounded up.  Handle this by
2525           * reducing the *largest* coefficient by 1; this matches the
2526           * approach used for the default coefficients in pngrtran.c
2527           */
2528          int add = 0;
2529 
2530          if (r+g+b > 32768)
2531             add = -1;
2532          else if (r+g+b < 32768)
2533             add = 1;
2534 
2535          if (add != 0)
2536          {
2537             if (g >= r && g >= b)
2538                g += add;
2539             else if (r >= g && r >= b)
2540                r += add;
2541             else
2542                b += add;
2543          }
2544 
2545          /* Check for an internal error. */
2546          if (r+g+b != 32768)
2547             png_error(png_ptr,
2548                 "internal error handling cHRM coefficients");
2549 
2550          else
2551          {
2552             png_ptr->rgb_to_gray_red_coeff   = (png_uint_16)r;
2553             png_ptr->rgb_to_gray_green_coeff = (png_uint_16)g;
2554          }
2555       }
2556 
2557       /* This is a png_error at present even though it could be ignored -
2558        * it should never happen, but it is important that if it does, the
2559        * bug is fixed.
2560        */
2561       else
2562          png_error(png_ptr, "internal error handling cHRM->XYZ");
2563    }
2564 }
2565 #endif /* READ_RGB_TO_GRAY */
2566 
2567 #endif /* COLORSPACE */
2568 
2569 #ifdef __GNUC__
2570 /* This exists solely to work round a warning from GNU C. */
2571 static int /* PRIVATE */
2572 png_gt(size_t a, size_t b)
2573 {
2574    return a > b;
2575 }
2576 #else
2577 #   define png_gt(a,b) ((a) > (b))
2578 #endif
2579 
2580 void /* PRIVATE */
2581 png_check_IHDR(png_const_structrp png_ptr,
2582     png_uint_32 width, png_uint_32 height, int bit_depth,
2583     int color_type, int interlace_type, int compression_type,
2584     int filter_type)
2585 {
2586    int error = 0;
2587 
2588    /* Check for width and height valid values */
2589    if (width == 0)
2590    {
2591       png_warning(png_ptr, "Image width is zero in IHDR");
2592       error = 1;
2593    }
2594 
2595    if (width > PNG_UINT_31_MAX)
2596    {
2597       png_warning(png_ptr, "Invalid image width in IHDR");
2598       error = 1;
2599    }
2600 
2601    if (png_gt(((width + 7) & (~7U)),
2602        ((PNG_SIZE_MAX
2603            - 48        /* big_row_buf hack */
2604            - 1)        /* filter byte */
2605            / 8)        /* 8-byte RGBA pixels */
2606            - 1))       /* extra max_pixel_depth pad */
2607    {
2608       /* The size of the row must be within the limits of this architecture.
2609        * Because the read code can perform arbitrary transformations the
2610        * maximum size is checked here.  Because the code in png_read_start_row
2611        * adds extra space "for safety's sake" in several places a conservative
2612        * limit is used here.
2613        *
2614        * NOTE: it would be far better to check the size that is actually used,
2615        * but the effect in the real world is minor and the changes are more
2616        * extensive, therefore much more dangerous and much more difficult to
2617        * write in a way that avoids compiler warnings.
2618        */
2619       png_warning(png_ptr, "Image width is too large for this architecture");
2620       error = 1;
2621    }
2622 
2623 #ifdef PNG_SET_USER_LIMITS_SUPPORTED
2624    if (width > png_ptr->user_width_max)
2625 #else
2626    if (width > PNG_USER_WIDTH_MAX)
2627 #endif
2628    {
2629       png_warning(png_ptr, "Image width exceeds user limit in IHDR");
2630       error = 1;
2631    }
2632 
2633    if (height == 0)
2634    {
2635       png_warning(png_ptr, "Image height is zero in IHDR");
2636       error = 1;
2637    }
2638 
2639    if (height > PNG_UINT_31_MAX)
2640    {
2641       png_warning(png_ptr, "Invalid image height in IHDR");
2642       error = 1;
2643    }
2644 
2645 #ifdef PNG_SET_USER_LIMITS_SUPPORTED
2646    if (height > png_ptr->user_height_max)
2647 #else
2648    if (height > PNG_USER_HEIGHT_MAX)
2649 #endif
2650    {
2651       png_warning(png_ptr, "Image height exceeds user limit in IHDR");
2652       error = 1;
2653    }
2654 
2655    /* Check other values */
2656    if (bit_depth != 1 && bit_depth != 2 && bit_depth != 4 &&
2657        bit_depth != 8 && bit_depth != 16)
2658    {
2659       png_warning(png_ptr, "Invalid bit depth in IHDR");
2660       error = 1;
2661    }
2662 
2663    if (color_type < 0 || color_type == 1 ||
2664        color_type == 5 || color_type > 6)
2665    {
2666       png_warning(png_ptr, "Invalid color type in IHDR");
2667       error = 1;
2668    }
2669 
2670    if (((color_type == PNG_COLOR_TYPE_PALETTE) && bit_depth > 8) ||
2671        ((color_type == PNG_COLOR_TYPE_RGB ||
2672          color_type == PNG_COLOR_TYPE_GRAY_ALPHA ||
2673          color_type == PNG_COLOR_TYPE_RGB_ALPHA) && bit_depth < 8))
2674    {
2675       png_warning(png_ptr, "Invalid color type/bit depth combination in IHDR");
2676       error = 1;
2677    }
2678 
2679    if (interlace_type >= PNG_INTERLACE_LAST)
2680    {
2681       png_warning(png_ptr, "Unknown interlace method in IHDR");
2682       error = 1;
2683    }
2684 
2685    if (compression_type != PNG_COMPRESSION_TYPE_BASE)
2686    {
2687       png_warning(png_ptr, "Unknown compression method in IHDR");
2688       error = 1;
2689    }
2690 
2691 #ifdef PNG_MNG_FEATURES_SUPPORTED
2692    /* Accept filter_method 64 (intrapixel differencing) only if
2693     * 1. Libpng was compiled with PNG_MNG_FEATURES_SUPPORTED and
2694     * 2. Libpng did not read a PNG signature (this filter_method is only
2695     *    used in PNG datastreams that are embedded in MNG datastreams) and
2696     * 3. The application called png_permit_mng_features with a mask that
2697     *    included PNG_FLAG_MNG_FILTER_64 and
2698     * 4. The filter_method is 64 and
2699     * 5. The color_type is RGB or RGBA
2700     */
2701    if ((png_ptr->mode & PNG_HAVE_PNG_SIGNATURE) != 0 &&
2702        png_ptr->mng_features_permitted != 0)
2703       png_warning(png_ptr, "MNG features are not allowed in a PNG datastream");
2704 
2705    if (filter_type != PNG_FILTER_TYPE_BASE)
2706    {
2707       if (!((png_ptr->mng_features_permitted & PNG_FLAG_MNG_FILTER_64) != 0 &&
2708           (filter_type == PNG_INTRAPIXEL_DIFFERENCING) &&
2709           ((png_ptr->mode & PNG_HAVE_PNG_SIGNATURE) == 0) &&
2710           (color_type == PNG_COLOR_TYPE_RGB ||
2711           color_type == PNG_COLOR_TYPE_RGB_ALPHA)))
2712       {
2713          png_warning(png_ptr, "Unknown filter method in IHDR");
2714          error = 1;
2715       }
2716 
2717       if ((png_ptr->mode & PNG_HAVE_PNG_SIGNATURE) != 0)
2718       {
2719          png_warning(png_ptr, "Invalid filter method in IHDR");
2720          error = 1;
2721       }
2722    }
2723 
2724 #else
2725    if (filter_type != PNG_FILTER_TYPE_BASE)
2726    {
2727       png_warning(png_ptr, "Unknown filter method in IHDR");
2728       error = 1;
2729    }
2730 #endif
2731 
2732    if (error == 1)
2733       png_error(png_ptr, "Invalid IHDR data");
2734 }
2735 
2736 #if defined(PNG_sCAL_SUPPORTED) || defined(PNG_pCAL_SUPPORTED)
2737 /* ASCII to fp functions */
2738 /* Check an ASCII formatted floating point value, see the more detailed
2739  * comments in pngpriv.h
2740  */
2741 /* The following is used internally to preserve the sticky flags */
2742 #define png_fp_add(state, flags) ((state) |= (flags))
2743 #define png_fp_set(state, value) ((state) = (value) | ((state) & PNG_FP_STICKY))
2744 
2745 int /* PRIVATE */
2746 png_check_fp_number(png_const_charp string, size_t size, int *statep,
2747     png_size_tp whereami)
2748 {
2749    int state = *statep;
2750    size_t i = *whereami;
2751 
2752    while (i < size)
2753    {
2754       int type;
2755       /* First find the type of the next character */
2756       switch (string[i])
2757       {
2758       case 43:  type = PNG_FP_SAW_SIGN;                   break;
2759       case 45:  type = PNG_FP_SAW_SIGN + PNG_FP_NEGATIVE; break;
2760       case 46:  type = PNG_FP_SAW_DOT;                    break;
2761       case 48:  type = PNG_FP_SAW_DIGIT;                  break;
2762       case 49: case 50: case 51: case 52:
2763       case 53: case 54: case 55: case 56:
2764       case 57:  type = PNG_FP_SAW_DIGIT + PNG_FP_NONZERO; break;
2765       case 69:
2766       case 101: type = PNG_FP_SAW_E;                      break;
2767       default:  goto PNG_FP_End;
2768       }
2769 
2770       /* Now deal with this type according to the current
2771        * state, the type is arranged to not overlap the
2772        * bits of the PNG_FP_STATE.
2773        */
2774       switch ((state & PNG_FP_STATE) + (type & PNG_FP_SAW_ANY))
2775       {
2776       case PNG_FP_INTEGER + PNG_FP_SAW_SIGN:
2777          if ((state & PNG_FP_SAW_ANY) != 0)
2778             goto PNG_FP_End; /* not a part of the number */
2779 
2780          png_fp_add(state, type);
2781          break;
2782 
2783       case PNG_FP_INTEGER + PNG_FP_SAW_DOT:
2784          /* Ok as trailer, ok as lead of fraction. */
2785          if ((state & PNG_FP_SAW_DOT) != 0) /* two dots */
2786             goto PNG_FP_End;
2787 
2788          else if ((state & PNG_FP_SAW_DIGIT) != 0) /* trailing dot? */
2789             png_fp_add(state, type);
2790 
2791          else
2792             png_fp_set(state, PNG_FP_FRACTION | type);
2793 
2794          break;
2795 
2796       case PNG_FP_INTEGER + PNG_FP_SAW_DIGIT:
2797          if ((state & PNG_FP_SAW_DOT) != 0) /* delayed fraction */
2798             png_fp_set(state, PNG_FP_FRACTION | PNG_FP_SAW_DOT);
2799 
2800          png_fp_add(state, type | PNG_FP_WAS_VALID);
2801 
2802          break;
2803 
2804       case PNG_FP_INTEGER + PNG_FP_SAW_E:
2805          if ((state & PNG_FP_SAW_DIGIT) == 0)
2806             goto PNG_FP_End;
2807 
2808          png_fp_set(state, PNG_FP_EXPONENT);
2809 
2810          break;
2811 
2812    /* case PNG_FP_FRACTION + PNG_FP_SAW_SIGN:
2813          goto PNG_FP_End; ** no sign in fraction */
2814 
2815    /* case PNG_FP_FRACTION + PNG_FP_SAW_DOT:
2816          goto PNG_FP_End; ** Because SAW_DOT is always set */
2817 
2818       case PNG_FP_FRACTION + PNG_FP_SAW_DIGIT:
2819          png_fp_add(state, type | PNG_FP_WAS_VALID);
2820          break;
2821 
2822       case PNG_FP_FRACTION + PNG_FP_SAW_E:
2823          /* This is correct because the trailing '.' on an
2824           * integer is handled above - so we can only get here
2825           * with the sequence ".E" (with no preceding digits).
2826           */
2827          if ((state & PNG_FP_SAW_DIGIT) == 0)
2828             goto PNG_FP_End;
2829 
2830          png_fp_set(state, PNG_FP_EXPONENT);
2831 
2832          break;
2833 
2834       case PNG_FP_EXPONENT + PNG_FP_SAW_SIGN:
2835          if ((state & PNG_FP_SAW_ANY) != 0)
2836             goto PNG_FP_End; /* not a part of the number */
2837 
2838          png_fp_add(state, PNG_FP_SAW_SIGN);
2839 
2840          break;
2841 
2842    /* case PNG_FP_EXPONENT + PNG_FP_SAW_DOT:
2843          goto PNG_FP_End; */
2844 
2845       case PNG_FP_EXPONENT + PNG_FP_SAW_DIGIT:
2846          png_fp_add(state, PNG_FP_SAW_DIGIT | PNG_FP_WAS_VALID);
2847 
2848          break;
2849 
2850    /* case PNG_FP_EXPONEXT + PNG_FP_SAW_E:
2851          goto PNG_FP_End; */
2852 
2853       default: goto PNG_FP_End; /* I.e. break 2 */
2854       }
2855 
2856       /* The character seems ok, continue. */
2857       ++i;
2858    }
2859 
2860 PNG_FP_End:
2861    /* Here at the end, update the state and return the correct
2862     * return code.
2863     */
2864    *statep = state;
2865    *whereami = i;
2866 
2867    return (state & PNG_FP_SAW_DIGIT) != 0;
2868 }
2869 
2870 
2871 /* The same but for a complete string. */
2872 int
2873 png_check_fp_string(png_const_charp string, size_t size)
2874 {
2875    int        state=0;
2876    size_t char_index=0;
2877 
2878    if (png_check_fp_number(string, size, &state, &char_index) != 0 &&
2879       (char_index == size || string[char_index] == 0))
2880       return state /* must be non-zero - see above */;
2881 
2882    return 0; /* i.e. fail */
2883 }
2884 #endif /* pCAL || sCAL */
2885 
2886 #ifdef PNG_sCAL_SUPPORTED
2887 #  ifdef PNG_FLOATING_POINT_SUPPORTED
2888 /* Utility used below - a simple accurate power of ten from an integral
2889  * exponent.
2890  */
2891 static double
2892 png_pow10(int power)
2893 {
2894    int recip = 0;
2895    double d = 1;
2896 
2897    /* Handle negative exponent with a reciprocal at the end because
2898     * 10 is exact whereas .1 is inexact in base 2
2899     */
2900    if (power < 0)
2901    {
2902       if (power < DBL_MIN_10_EXP) return 0;
2903       recip = 1; power = -power;
2904    }
2905 
2906    if (power > 0)
2907    {
2908       /* Decompose power bitwise. */
2909       double mult = 10;
2910       do
2911       {
2912          if (power & 1) d *= mult;
2913          mult *= mult;
2914          power >>= 1;
2915       }
2916       while (power > 0);
2917 
2918       if (recip != 0) d = 1/d;
2919    }
2920    /* else power is 0 and d is 1 */
2921 
2922    return d;
2923 }
2924 
2925 /* Function to format a floating point value in ASCII with a given
2926  * precision.
2927  */
2928 #if GCC_STRICT_OVERFLOW
2929 #pragma GCC diagnostic push
2930 /* The problem arises below with exp_b10, which can never overflow because it
2931  * comes, originally, from frexp and is therefore limited to a range which is
2932  * typically +/-710 (log2(DBL_MAX)/log2(DBL_MIN)).
2933  */
2934 #pragma GCC diagnostic warning "-Wstrict-overflow=2"
2935 #endif /* GCC_STRICT_OVERFLOW */
2936 void /* PRIVATE */
2937 png_ascii_from_fp(png_const_structrp png_ptr, png_charp ascii, size_t size,
2938     double fp, unsigned int precision)
2939 {
2940    /* We use standard functions from math.h, but not printf because
2941     * that would require stdio.  The caller must supply a buffer of
2942     * sufficient size or we will png_error.  The tests on size and
2943     * the space in ascii[] consumed are indicated below.
2944     */
2945    if (precision < 1)
2946       precision = DBL_DIG;
2947 
2948    /* Enforce the limit of the implementation precision too. */
2949    if (precision > DBL_DIG+1)
2950       precision = DBL_DIG+1;
2951 
2952    /* Basic sanity checks */
2953    if (size >= precision+5) /* See the requirements below. */
2954    {
2955       if (fp < 0)
2956       {
2957          fp = -fp;
2958          *ascii++ = 45; /* '-'  PLUS 1 TOTAL 1 */
2959          --size;
2960       }
2961 
2962       if (fp >= DBL_MIN && fp <= DBL_MAX)
2963       {
2964          int exp_b10;   /* A base 10 exponent */
2965          double base;   /* 10^exp_b10 */
2966 
2967          /* First extract a base 10 exponent of the number,
2968           * the calculation below rounds down when converting
2969           * from base 2 to base 10 (multiply by log10(2) -
2970           * 0.3010, but 77/256 is 0.3008, so exp_b10 needs to
2971           * be increased.  Note that the arithmetic shift
2972           * performs a floor() unlike C arithmetic - using a
2973           * C multiply would break the following for negative
2974           * exponents.
2975           */
2976          (void)frexp(fp, &exp_b10); /* exponent to base 2 */
2977 
2978          exp_b10 = (exp_b10 * 77) >> 8; /* <= exponent to base 10 */
2979 
2980          /* Avoid underflow here. */
2981          base = png_pow10(exp_b10); /* May underflow */
2982 
2983          while (base < DBL_MIN || base < fp)
2984          {
2985             /* And this may overflow. */
2986             double test = png_pow10(exp_b10+1);
2987 
2988             if (test <= DBL_MAX)
2989             {
2990                ++exp_b10; base = test;
2991             }
2992 
2993             else
2994                break;
2995          }
2996 
2997          /* Normalize fp and correct exp_b10, after this fp is in the
2998           * range [.1,1) and exp_b10 is both the exponent and the digit
2999           * *before* which the decimal point should be inserted
3000           * (starting with 0 for the first digit).  Note that this
3001           * works even if 10^exp_b10 is out of range because of the
3002           * test on DBL_MAX above.
3003           */
3004          fp /= base;
3005          while (fp >= 1)
3006          {
3007             fp /= 10; ++exp_b10;
3008          }
3009 
3010          /* Because of the code above fp may, at this point, be
3011           * less than .1, this is ok because the code below can
3012           * handle the leading zeros this generates, so no attempt
3013           * is made to correct that here.
3014           */
3015 
3016          {
3017             unsigned int czero, clead, cdigits;
3018             char exponent[10];
3019 
3020             /* Allow up to two leading zeros - this will not lengthen
3021              * the number compared to using E-n.
3022              */
3023             if (exp_b10 < 0 && exp_b10 > -3) /* PLUS 3 TOTAL 4 */
3024             {
3025                czero = 0U-exp_b10; /* PLUS 2 digits: TOTAL 3 */
3026                exp_b10 = 0;      /* Dot added below before first output. */
3027             }
3028             else
3029                czero = 0;    /* No zeros to add */
3030 
3031             /* Generate the digit list, stripping trailing zeros and
3032              * inserting a '.' before a digit if the exponent is 0.
3033              */
3034             clead = czero; /* Count of leading zeros */
3035             cdigits = 0;   /* Count of digits in list. */
3036 
3037             do
3038             {
3039                double d;
3040 
3041                fp *= 10;
3042                /* Use modf here, not floor and subtract, so that
3043                 * the separation is done in one step.  At the end
3044                 * of the loop don't break the number into parts so
3045                 * that the final digit is rounded.
3046                 */
3047                if (cdigits+czero+1 < precision+clead)
3048                   fp = modf(fp, &d);
3049 
3050                else
3051                {
3052                   d = floor(fp + .5);
3053 
3054                   if (d > 9)
3055                   {
3056                      /* Rounding up to 10, handle that here. */
3057                      if (czero > 0)
3058                      {
3059                         --czero; d = 1;
3060                         if (cdigits == 0) --clead;
3061                      }
3062                      else
3063                      {
3064                         while (cdigits > 0 && d > 9)
3065                         {
3066                            int ch = *--ascii;
3067 
3068                            if (exp_b10 != (-1))
3069                               ++exp_b10;
3070 
3071                            else if (ch == 46)
3072                            {
3073                               ch = *--ascii; ++size;
3074                               /* Advance exp_b10 to '1', so that the
3075                                * decimal point happens after the
3076                                * previous digit.
3077                                */
3078                               exp_b10 = 1;
3079                            }
3080 
3081                            --cdigits;
3082                            d = ch - 47;  /* I.e. 1+(ch-48) */
3083                         }
3084 
3085                         /* Did we reach the beginning? If so adjust the
3086                          * exponent but take into account the leading
3087                          * decimal point.
3088                          */
3089                         if (d > 9)  /* cdigits == 0 */
3090                         {
3091                            if (exp_b10 == (-1))
3092                            {
3093                               /* Leading decimal point (plus zeros?), if
3094                                * we lose the decimal point here it must
3095                                * be reentered below.
3096                                */
3097                               int ch = *--ascii;
3098 
3099                               if (ch == 46)
3100                               {
3101                                  ++size; exp_b10 = 1;
3102                               }
3103 
3104                               /* Else lost a leading zero, so 'exp_b10' is
3105                                * still ok at (-1)
3106                                */
3107                            }
3108                            else
3109                               ++exp_b10;
3110 
3111                            /* In all cases we output a '1' */
3112                            d = 1;
3113                         }
3114                      }
3115                   }
3116                   fp = 0; /* Guarantees termination below. */
3117                }
3118 
3119                if (d == 0)
3120                {
3121                   ++czero;
3122                   if (cdigits == 0) ++clead;
3123                }
3124                else
3125                {
3126                   /* Included embedded zeros in the digit count. */
3127                   cdigits += czero - clead;
3128                   clead = 0;
3129 
3130                   while (czero > 0)
3131                   {
3132                      /* exp_b10 == (-1) means we just output the decimal
3133                       * place - after the DP don't adjust 'exp_b10' any
3134                       * more!
3135                       */
3136                      if (exp_b10 != (-1))
3137                      {
3138                         if (exp_b10 == 0)
3139                         {
3140                            *ascii++ = 46; --size;
3141                         }
3142                         /* PLUS 1: TOTAL 4 */
3143                         --exp_b10;
3144                      }
3145                      *ascii++ = 48; --czero;
3146                   }
3147 
3148                   if (exp_b10 != (-1))
3149                   {
3150                      if (exp_b10 == 0)
3151                      {
3152                         *ascii++ = 46; --size; /* counted above */
3153                      }
3154 
3155                      --exp_b10;
3156                   }
3157                   *ascii++ = (char)(48 + (int)d); ++cdigits;
3158                }
3159             }
3160             while (cdigits+czero < precision+clead && fp > DBL_MIN);
3161 
3162             /* The total output count (max) is now 4+precision */
3163 
3164             /* Check for an exponent, if we don't need one we are
3165              * done and just need to terminate the string.  At
3166              * this point exp_b10==(-1) is effectively a flag - it got
3167              * to '-1' because of the decrement after outputting
3168              * the decimal point above (the exponent required is
3169              * *not* -1!)
3170              */
3171             if (exp_b10 >= (-1) && exp_b10 <= 2)
3172             {
3173                /* The following only happens if we didn't output the
3174                 * leading zeros above for negative exponent, so this
3175                 * doesn't add to the digit requirement.  Note that the
3176                 * two zeros here can only be output if the two leading
3177                 * zeros were *not* output, so this doesn't increase
3178                 * the output count.
3179                 */
3180                while (exp_b10-- > 0) *ascii++ = 48;
3181 
3182                *ascii = 0;
3183 
3184                /* Total buffer requirement (including the '\0') is
3185                 * 5+precision - see check at the start.
3186                 */
3187                return;
3188             }
3189 
3190             /* Here if an exponent is required, adjust size for
3191              * the digits we output but did not count.  The total
3192              * digit output here so far is at most 1+precision - no
3193              * decimal point and no leading or trailing zeros have
3194              * been output.
3195              */
3196             size -= cdigits;
3197 
3198             *ascii++ = 69; --size;    /* 'E': PLUS 1 TOTAL 2+precision */
3199 
3200             /* The following use of an unsigned temporary avoids ambiguities in
3201              * the signed arithmetic on exp_b10 and permits GCC at least to do
3202              * better optimization.
3203              */
3204             {
3205                unsigned int uexp_b10;
3206 
3207                if (exp_b10 < 0)
3208                {
3209                   *ascii++ = 45; --size; /* '-': PLUS 1 TOTAL 3+precision */
3210                   uexp_b10 = 0U-exp_b10;
3211                }
3212 
3213                else
3214                   uexp_b10 = 0U+exp_b10;
3215 
3216                cdigits = 0;
3217 
3218                while (uexp_b10 > 0)
3219                {
3220                   exponent[cdigits++] = (char)(48 + uexp_b10 % 10);
3221                   uexp_b10 /= 10;
3222                }
3223             }
3224 
3225             /* Need another size check here for the exponent digits, so
3226              * this need not be considered above.
3227              */
3228             if (size > cdigits)
3229             {
3230                while (cdigits > 0) *ascii++ = exponent[--cdigits];
3231 
3232                *ascii = 0;
3233 
3234                return;
3235             }
3236          }
3237       }
3238       else if (!(fp >= DBL_MIN))
3239       {
3240          *ascii++ = 48; /* '0' */
3241          *ascii = 0;
3242          return;
3243       }
3244       else
3245       {
3246          *ascii++ = 105; /* 'i' */
3247          *ascii++ = 110; /* 'n' */
3248          *ascii++ = 102; /* 'f' */
3249          *ascii = 0;
3250          return;
3251       }
3252    }
3253 
3254    /* Here on buffer too small. */
3255    png_error(png_ptr, "ASCII conversion buffer too small");
3256 }
3257 #if GCC_STRICT_OVERFLOW
3258 #pragma GCC diagnostic pop
3259 #endif /* GCC_STRICT_OVERFLOW */
3260 
3261 #  endif /* FLOATING_POINT */
3262 
3263 #  ifdef PNG_FIXED_POINT_SUPPORTED
3264 /* Function to format a fixed point value in ASCII.
3265  */
3266 void /* PRIVATE */
3267 png_ascii_from_fixed(png_const_structrp png_ptr, png_charp ascii,
3268     size_t size, png_fixed_point fp)
3269 {
3270    /* Require space for 10 decimal digits, a decimal point, a minus sign and a
3271     * trailing \0, 13 characters:
3272     */
3273    if (size > 12)
3274    {
3275       png_uint_32 num;
3276 
3277       /* Avoid overflow here on the minimum integer. */
3278       if (fp < 0)
3279       {
3280          *ascii++ = 45; num = (png_uint_32)(-fp);
3281       }
3282       else
3283          num = (png_uint_32)fp;
3284 
3285       if (num <= 0x80000000) /* else overflowed */
3286       {
3287          unsigned int ndigits = 0, first = 16 /* flag value */;
3288          char digits[10];
3289 
3290          while (num)
3291          {
3292             /* Split the low digit off num: */
3293             unsigned int tmp = num/10;
3294             num -= tmp*10;
3295             digits[ndigits++] = (char)(48 + num);
3296             /* Record the first non-zero digit, note that this is a number
3297              * starting at 1, it's not actually the array index.
3298              */
3299             if (first == 16 && num > 0)
3300                first = ndigits;
3301             num = tmp;
3302          }
3303 
3304          if (ndigits > 0)
3305          {
3306             while (ndigits > 5) *ascii++ = digits[--ndigits];
3307             /* The remaining digits are fractional digits, ndigits is '5' or
3308              * smaller at this point.  It is certainly not zero.  Check for a
3309              * non-zero fractional digit:
3310              */
3311             if (first <= 5)
3312             {
3313                unsigned int i;
3314                *ascii++ = 46; /* decimal point */
3315                /* ndigits may be <5 for small numbers, output leading zeros
3316                 * then ndigits digits to first:
3317                 */
3318                i = 5;
3319                while (ndigits < i)
3320                {
3321                   *ascii++ = 48; --i;
3322                }
3323                while (ndigits >= first) *ascii++ = digits[--ndigits];
3324                /* Don't output the trailing zeros! */
3325             }
3326          }
3327          else
3328             *ascii++ = 48;
3329 
3330          /* And null terminate the string: */
3331          *ascii = 0;
3332          return;
3333       }
3334    }
3335 
3336    /* Here on buffer too small. */
3337    png_error(png_ptr, "ASCII conversion buffer too small");
3338 }
3339 #   endif /* FIXED_POINT */
3340 #endif /* SCAL */
3341 
3342 #if defined(PNG_FLOATING_POINT_SUPPORTED) && \
3343    !defined(PNG_FIXED_POINT_MACRO_SUPPORTED) && \
3344    (defined(PNG_gAMA_SUPPORTED) || defined(PNG_cHRM_SUPPORTED) || \
3345    defined(PNG_sCAL_SUPPORTED) || defined(PNG_READ_BACKGROUND_SUPPORTED) || \
3346    defined(PNG_READ_RGB_TO_GRAY_SUPPORTED)) || \
3347    (defined(PNG_sCAL_SUPPORTED) && \
3348    defined(PNG_FLOATING_ARITHMETIC_SUPPORTED))
3349 png_fixed_point
3350 png_fixed(png_const_structrp png_ptr, double fp, png_const_charp text)
3351 {
3352    double r = floor(100000 * fp + .5);
3353 
3354    if (r > 2147483647. || r < -2147483648.)
3355       png_fixed_error(png_ptr, text);
3356 
3357 #  ifndef PNG_ERROR_TEXT_SUPPORTED
3358    PNG_UNUSED(text)
3359 #  endif
3360 
3361    return (png_fixed_point)r;
3362 }
3363 #endif
3364 
3365 #if defined(PNG_GAMMA_SUPPORTED) || defined(PNG_COLORSPACE_SUPPORTED) ||\
3366     defined(PNG_INCH_CONVERSIONS_SUPPORTED) || defined(PNG_READ_pHYs_SUPPORTED)
3367 /* muldiv functions */
3368 /* This API takes signed arguments and rounds the result to the nearest
3369  * integer (or, for a fixed point number - the standard argument - to
3370  * the nearest .00001).  Overflow and divide by zero are signalled in
3371  * the result, a boolean - true on success, false on overflow.
3372  */
3373 #if GCC_STRICT_OVERFLOW /* from above */
3374 /* It is not obvious which comparison below gets optimized in such a way that
3375  * signed overflow would change the result; looking through the code does not
3376  * reveal any tests which have the form GCC complains about, so presumably the
3377  * optimizer is moving an add or subtract into the 'if' somewhere.
3378  */
3379 #pragma GCC diagnostic push
3380 #pragma GCC diagnostic warning "-Wstrict-overflow=2"
3381 #endif /* GCC_STRICT_OVERFLOW */
3382 int
3383 png_muldiv(png_fixed_point_p res, png_fixed_point a, png_int_32 times,
3384     png_int_32 divisor)
3385 {
3386    /* Return a * times / divisor, rounded. */
3387    if (divisor != 0)
3388    {
3389       if (a == 0 || times == 0)
3390       {
3391          *res = 0;
3392          return 1;
3393       }
3394       else
3395       {
3396 #ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED
3397          double r = a;
3398          r *= times;
3399          r /= divisor;
3400          r = floor(r+.5);
3401 
3402          /* A png_fixed_point is a 32-bit integer. */
3403          if (r <= 2147483647. && r >= -2147483648.)
3404          {
3405             *res = (png_fixed_point)r;
3406             return 1;
3407          }
3408 #else
3409          int negative = 0;
3410          png_uint_32 A, T, D;
3411          png_uint_32 s16, s32, s00;
3412 
3413          if (a < 0)
3414             negative = 1, A = -a;
3415          else
3416             A = a;
3417 
3418          if (times < 0)
3419             negative = !negative, T = -times;
3420          else
3421             T = times;
3422 
3423          if (divisor < 0)
3424             negative = !negative, D = -divisor;
3425          else
3426             D = divisor;
3427 
3428          /* Following can't overflow because the arguments only
3429           * have 31 bits each, however the result may be 32 bits.
3430           */
3431          s16 = (A >> 16) * (T & 0xffff) +
3432                            (A & 0xffff) * (T >> 16);
3433          /* Can't overflow because the a*times bit is only 30
3434           * bits at most.
3435           */
3436          s32 = (A >> 16) * (T >> 16) + (s16 >> 16);
3437          s00 = (A & 0xffff) * (T & 0xffff);
3438 
3439          s16 = (s16 & 0xffff) << 16;
3440          s00 += s16;
3441 
3442          if (s00 < s16)
3443             ++s32; /* carry */
3444 
3445          if (s32 < D) /* else overflow */
3446          {
3447             /* s32.s00 is now the 64-bit product, do a standard
3448              * division, we know that s32 < D, so the maximum
3449              * required shift is 31.
3450              */
3451             int bitshift = 32;
3452             png_fixed_point result = 0; /* NOTE: signed */
3453 
3454             while (--bitshift >= 0)
3455             {
3456                png_uint_32 d32, d00;
3457 
3458                if (bitshift > 0)
3459                   d32 = D >> (32-bitshift), d00 = D << bitshift;
3460 
3461                else
3462                   d32 = 0, d00 = D;
3463 
3464                if (s32 > d32)
3465                {
3466                   if (s00 < d00) --s32; /* carry */
3467                   s32 -= d32, s00 -= d00, result += 1<<bitshift;
3468                }
3469 
3470                else
3471                   if (s32 == d32 && s00 >= d00)
3472                      s32 = 0, s00 -= d00, result += 1<<bitshift;
3473             }
3474 
3475             /* Handle the rounding. */
3476             if (s00 >= (D >> 1))
3477                ++result;
3478 
3479             if (negative != 0)
3480                result = -result;
3481 
3482             /* Check for overflow. */
3483             if ((negative != 0 && result <= 0) ||
3484                 (negative == 0 && result >= 0))
3485             {
3486                *res = result;
3487                return 1;
3488             }
3489          }
3490 #endif
3491       }
3492    }
3493 
3494    return 0;
3495 }
3496 #if GCC_STRICT_OVERFLOW
3497 #pragma GCC diagnostic pop
3498 #endif /* GCC_STRICT_OVERFLOW */
3499 #endif /* READ_GAMMA || INCH_CONVERSIONS */
3500 
3501 #if defined(PNG_READ_GAMMA_SUPPORTED) || defined(PNG_INCH_CONVERSIONS_SUPPORTED)
3502 /* The following is for when the caller doesn't much care about the
3503  * result.
3504  */
3505 png_fixed_point
3506 png_muldiv_warn(png_const_structrp png_ptr, png_fixed_point a, png_int_32 times,
3507     png_int_32 divisor)
3508 {
3509    png_fixed_point result;
3510 
3511    if (png_muldiv(&result, a, times, divisor) != 0)
3512       return result;
3513 
3514    png_warning(png_ptr, "fixed point overflow ignored");
3515    return 0;
3516 }
3517 #endif
3518 
3519 #ifdef PNG_GAMMA_SUPPORTED /* more fixed point functions for gamma */
3520 /* Calculate a reciprocal, return 0 on div-by-zero or overflow. */
3521 png_fixed_point
3522 png_reciprocal(png_fixed_point a)
3523 {
3524 #ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED
3525    double r = floor(1E10/a+.5);
3526 
3527    if (r <= 2147483647. && r >= -2147483648.)
3528       return (png_fixed_point)r;
3529 #else
3530    png_fixed_point res;
3531 
3532    if (png_muldiv(&res, 100000, 100000, a) != 0)
3533       return res;
3534 #endif
3535 
3536    return 0; /* error/overflow */
3537 }
3538 
3539 /* This is the shared test on whether a gamma value is 'significant' - whether
3540  * it is worth doing gamma correction.
3541  */
3542 int /* PRIVATE */
3543 png_gamma_significant(png_fixed_point gamma_val)
3544 {
3545    return gamma_val < PNG_FP_1 - PNG_GAMMA_THRESHOLD_FIXED ||
3546        gamma_val > PNG_FP_1 + PNG_GAMMA_THRESHOLD_FIXED;
3547 }
3548 #endif
3549 
3550 #ifdef PNG_READ_GAMMA_SUPPORTED
3551 #ifdef PNG_16BIT_SUPPORTED
3552 /* A local convenience routine. */
3553 static png_fixed_point
3554 png_product2(png_fixed_point a, png_fixed_point b)
3555 {
3556    /* The required result is 1/a * 1/b; the following preserves accuracy. */
3557 #ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED
3558    double r = a * 1E-5;
3559    r *= b;
3560    r = floor(r+.5);
3561 
3562    if (r <= 2147483647. && r >= -2147483648.)
3563       return (png_fixed_point)r;
3564 #else
3565    png_fixed_point res;
3566 
3567    if (png_muldiv(&res, a, b, 100000) != 0)
3568       return res;
3569 #endif
3570 
3571    return 0; /* overflow */
3572 }
3573 #endif /* 16BIT */
3574 
3575 /* The inverse of the above. */
3576 png_fixed_point
3577 png_reciprocal2(png_fixed_point a, png_fixed_point b)
3578 {
3579    /* The required result is 1/a * 1/b; the following preserves accuracy. */
3580 #ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED
3581    if (a != 0 && b != 0)
3582    {
3583       double r = 1E15/a;
3584       r /= b;
3585       r = floor(r+.5);
3586 
3587       if (r <= 2147483647. && r >= -2147483648.)
3588          return (png_fixed_point)r;
3589    }
3590 #else
3591    /* This may overflow because the range of png_fixed_point isn't symmetric,
3592     * but this API is only used for the product of file and screen gamma so it
3593     * doesn't matter that the smallest number it can produce is 1/21474, not
3594     * 1/100000
3595     */
3596    png_fixed_point res = png_product2(a, b);
3597 
3598    if (res != 0)
3599       return png_reciprocal(res);
3600 #endif
3601 
3602    return 0; /* overflow */
3603 }
3604 #endif /* READ_GAMMA */
3605 
3606 #ifdef PNG_READ_GAMMA_SUPPORTED /* gamma table code */
3607 #ifndef PNG_FLOATING_ARITHMETIC_SUPPORTED
3608 /* Fixed point gamma.
3609  *
3610  * The code to calculate the tables used below can be found in the shell script
3611  * contrib/tools/intgamma.sh
3612  *
3613  * To calculate gamma this code implements fast log() and exp() calls using only
3614  * fixed point arithmetic.  This code has sufficient precision for either 8-bit
3615  * or 16-bit sample values.
3616  *
3617  * The tables used here were calculated using simple 'bc' programs, but C double
3618  * precision floating point arithmetic would work fine.
3619  *
3620  * 8-bit log table
3621  *   This is a table of -log(value/255)/log(2) for 'value' in the range 128 to
3622  *   255, so it's the base 2 logarithm of a normalized 8-bit floating point
3623  *   mantissa.  The numbers are 32-bit fractions.
3624  */
3625 static const png_uint_32
3626 png_8bit_l2[128] =
3627 {
3628    4270715492U, 4222494797U, 4174646467U, 4127164793U, 4080044201U, 4033279239U,
3629    3986864580U, 3940795015U, 3895065449U, 3849670902U, 3804606499U, 3759867474U,
3630    3715449162U, 3671346997U, 3627556511U, 3584073329U, 3540893168U, 3498011834U,
3631    3455425220U, 3413129301U, 3371120137U, 3329393864U, 3287946700U, 3246774933U,
3632    3205874930U, 3165243125U, 3124876025U, 3084770202U, 3044922296U, 3005329011U,
3633    2965987113U, 2926893432U, 2888044853U, 2849438323U, 2811070844U, 2772939474U,
3634    2735041326U, 2697373562U, 2659933400U, 2622718104U, 2585724991U, 2548951424U,
3635    2512394810U, 2476052606U, 2439922311U, 2404001468U, 2368287663U, 2332778523U,
3636    2297471715U, 2262364947U, 2227455964U, 2192742551U, 2158222529U, 2123893754U,
3637    2089754119U, 2055801552U, 2022034013U, 1988449497U, 1955046031U, 1921821672U,
3638    1888774511U, 1855902668U, 1823204291U, 1790677560U, 1758320682U, 1726131893U,
3639    1694109454U, 1662251657U, 1630556815U, 1599023271U, 1567649391U, 1536433567U,
3640    1505374214U, 1474469770U, 1443718700U, 1413119487U, 1382670639U, 1352370686U,
3641    1322218179U, 1292211689U, 1262349810U, 1232631153U, 1203054352U, 1173618059U,
3642    1144320946U, 1115161701U, 1086139034U, 1057251672U, 1028498358U, 999877854U,
3643    971388940U, 943030410U, 914801076U, 886699767U, 858725327U, 830876614U,
3644    803152505U, 775551890U, 748073672U, 720716771U, 693480120U, 666362667U,
3645    639363374U, 612481215U, 585715177U, 559064263U, 532527486U, 506103872U,
3646    479792461U, 453592303U, 427502463U, 401522014U, 375650043U, 349885648U,
3647    324227938U, 298676034U, 273229066U, 247886176U, 222646516U, 197509248U,
3648    172473545U, 147538590U, 122703574U, 97967701U, 73330182U, 48790236U,
3649    24347096U, 0U
3650 
3651 #if 0
3652    /* The following are the values for 16-bit tables - these work fine for the
3653     * 8-bit conversions but produce very slightly larger errors in the 16-bit
3654     * log (about 1.2 as opposed to 0.7 absolute error in the final value).  To
3655     * use these all the shifts below must be adjusted appropriately.
3656     */
3657    65166, 64430, 63700, 62976, 62257, 61543, 60835, 60132, 59434, 58741, 58054,
3658    57371, 56693, 56020, 55352, 54689, 54030, 53375, 52726, 52080, 51439, 50803,
3659    50170, 49542, 48918, 48298, 47682, 47070, 46462, 45858, 45257, 44661, 44068,
3660    43479, 42894, 42312, 41733, 41159, 40587, 40020, 39455, 38894, 38336, 37782,
3661    37230, 36682, 36137, 35595, 35057, 34521, 33988, 33459, 32932, 32408, 31887,
3662    31369, 30854, 30341, 29832, 29325, 28820, 28319, 27820, 27324, 26830, 26339,
3663    25850, 25364, 24880, 24399, 23920, 23444, 22970, 22499, 22029, 21562, 21098,
3664    20636, 20175, 19718, 19262, 18808, 18357, 17908, 17461, 17016, 16573, 16132,
3665    15694, 15257, 14822, 14390, 13959, 13530, 13103, 12678, 12255, 11834, 11415,
3666    10997, 10582, 10168, 9756, 9346, 8937, 8531, 8126, 7723, 7321, 6921, 6523,
3667    6127, 5732, 5339, 4947, 4557, 4169, 3782, 3397, 3014, 2632, 2251, 1872, 1495,
3668    1119, 744, 372
3669 #endif
3670 };
3671 
3672 static png_int_32
3673 png_log8bit(unsigned int x)
3674 {
3675    unsigned int lg2 = 0;
3676    /* Each time 'x' is multiplied by 2, 1 must be subtracted off the final log,
3677     * because the log is actually negate that means adding 1.  The final
3678     * returned value thus has the range 0 (for 255 input) to 7.994 (for 1
3679     * input), return -1 for the overflow (log 0) case, - so the result is
3680     * always at most 19 bits.
3681     */
3682    if ((x &= 0xff) == 0)
3683       return -1;
3684 
3685    if ((x & 0xf0) == 0)
3686       lg2  = 4, x <<= 4;
3687 
3688    if ((x & 0xc0) == 0)
3689       lg2 += 2, x <<= 2;
3690 
3691    if ((x & 0x80) == 0)
3692       lg2 += 1, x <<= 1;
3693 
3694    /* result is at most 19 bits, so this cast is safe: */
3695    return (png_int_32)((lg2 << 16) + ((png_8bit_l2[x-128]+32768)>>16));
3696 }
3697 
3698 /* The above gives exact (to 16 binary places) log2 values for 8-bit images,
3699  * for 16-bit images we use the most significant 8 bits of the 16-bit value to
3700  * get an approximation then multiply the approximation by a correction factor
3701  * determined by the remaining up to 8 bits.  This requires an additional step
3702  * in the 16-bit case.
3703  *
3704  * We want log2(value/65535), we have log2(v'/255), where:
3705  *
3706  *    value = v' * 256 + v''
3707  *          = v' * f
3708  *
3709  * So f is value/v', which is equal to (256+v''/v') since v' is in the range 128
3710  * to 255 and v'' is in the range 0 to 255 f will be in the range 256 to less
3711  * than 258.  The final factor also needs to correct for the fact that our 8-bit
3712  * value is scaled by 255, whereas the 16-bit values must be scaled by 65535.
3713  *
3714  * This gives a final formula using a calculated value 'x' which is value/v' and
3715  * scaling by 65536 to match the above table:
3716  *
3717  *   log2(x/257) * 65536
3718  *
3719  * Since these numbers are so close to '1' we can use simple linear
3720  * interpolation between the two end values 256/257 (result -368.61) and 258/257
3721  * (result 367.179).  The values used below are scaled by a further 64 to give
3722  * 16-bit precision in the interpolation:
3723  *
3724  * Start (256): -23591
3725  * Zero  (257):      0
3726  * End   (258):  23499
3727  */
3728 #ifdef PNG_16BIT_SUPPORTED
3729 static png_int_32
3730 png_log16bit(png_uint_32 x)
3731 {
3732    unsigned int lg2 = 0;
3733 
3734    /* As above, but now the input has 16 bits. */
3735    if ((x &= 0xffff) == 0)
3736       return -1;
3737 
3738    if ((x & 0xff00) == 0)
3739       lg2  = 8, x <<= 8;
3740 
3741    if ((x & 0xf000) == 0)
3742       lg2 += 4, x <<= 4;
3743 
3744    if ((x & 0xc000) == 0)
3745       lg2 += 2, x <<= 2;
3746 
3747    if ((x & 0x8000) == 0)
3748       lg2 += 1, x <<= 1;
3749 
3750    /* Calculate the base logarithm from the top 8 bits as a 28-bit fractional
3751     * value.
3752     */
3753    lg2 <<= 28;
3754    lg2 += (png_8bit_l2[(x>>8)-128]+8) >> 4;
3755 
3756    /* Now we need to interpolate the factor, this requires a division by the top
3757     * 8 bits.  Do this with maximum precision.
3758     */
3759    x = ((x << 16) + (x >> 9)) / (x >> 8);
3760 
3761    /* Since we divided by the top 8 bits of 'x' there will be a '1' at 1<<24,
3762     * the value at 1<<16 (ignoring this) will be 0 or 1; this gives us exactly
3763     * 16 bits to interpolate to get the low bits of the result.  Round the
3764     * answer.  Note that the end point values are scaled by 64 to retain overall
3765     * precision and that 'lg2' is current scaled by an extra 12 bits, so adjust
3766     * the overall scaling by 6-12.  Round at every step.
3767     */
3768    x -= 1U << 24;
3769 
3770    if (x <= 65536U) /* <= '257' */
3771       lg2 += ((23591U * (65536U-x)) + (1U << (16+6-12-1))) >> (16+6-12);
3772 
3773    else
3774       lg2 -= ((23499U * (x-65536U)) + (1U << (16+6-12-1))) >> (16+6-12);
3775 
3776    /* Safe, because the result can't have more than 20 bits: */
3777    return (png_int_32)((lg2 + 2048) >> 12);
3778 }
3779 #endif /* 16BIT */
3780 
3781 /* The 'exp()' case must invert the above, taking a 20-bit fixed point
3782  * logarithmic value and returning a 16 or 8-bit number as appropriate.  In
3783  * each case only the low 16 bits are relevant - the fraction - since the
3784  * integer bits (the top 4) simply determine a shift.
3785  *
3786  * The worst case is the 16-bit distinction between 65535 and 65534. This
3787  * requires perhaps spurious accuracy in the decoding of the logarithm to
3788  * distinguish log2(65535/65534.5) - 10^-5 or 17 bits.  There is little chance
3789  * of getting this accuracy in practice.
3790  *
3791  * To deal with this the following exp() function works out the exponent of the
3792  * fractional part of the logarithm by using an accurate 32-bit value from the
3793  * top four fractional bits then multiplying in the remaining bits.
3794  */
3795 static const png_uint_32
3796 png_32bit_exp[16] =
3797 {
3798    /* NOTE: the first entry is deliberately set to the maximum 32-bit value. */
3799    4294967295U, 4112874773U, 3938502376U, 3771522796U, 3611622603U, 3458501653U,
3800    3311872529U, 3171459999U, 3037000500U, 2908241642U, 2784941738U, 2666869345U,
3801    2553802834U, 2445529972U, 2341847524U, 2242560872U
3802 };
3803 
3804 /* Adjustment table; provided to explain the numbers in the code below. */
3805 #if 0
3806 for (i=11;i>=0;--i){ print i, " ", (1 - e(-(2^i)/65536*l(2))) * 2^(32-i), "\n"}
3807    11 44937.64284865548751208448
3808    10 45180.98734845585101160448
3809     9 45303.31936980687359311872
3810     8 45364.65110595323018870784
3811     7 45395.35850361789624614912
3812     6 45410.72259715102037508096
3813     5 45418.40724413220722311168
3814     4 45422.25021786898173001728
3815     3 45424.17186732298419044352
3816     2 45425.13273269940811464704
3817     1 45425.61317555035558641664
3818     0 45425.85339951654943850496
3819 #endif
3820 
3821 static png_uint_32
3822 png_exp(png_fixed_point x)
3823 {
3824    if (x > 0 && x <= 0xfffff) /* Else overflow or zero (underflow) */
3825    {
3826       /* Obtain a 4-bit approximation */
3827       png_uint_32 e = png_32bit_exp[(x >> 12) & 0x0f];
3828 
3829       /* Incorporate the low 12 bits - these decrease the returned value by
3830        * multiplying by a number less than 1 if the bit is set.  The multiplier
3831        * is determined by the above table and the shift. Notice that the values
3832        * converge on 45426 and this is used to allow linear interpolation of the
3833        * low bits.
3834        */
3835       if (x & 0x800)
3836          e -= (((e >> 16) * 44938U) +  16U) >> 5;
3837 
3838       if (x & 0x400)
3839          e -= (((e >> 16) * 45181U) +  32U) >> 6;
3840 
3841       if (x & 0x200)
3842          e -= (((e >> 16) * 45303U) +  64U) >> 7;
3843 
3844       if (x & 0x100)
3845          e -= (((e >> 16) * 45365U) + 128U) >> 8;
3846 
3847       if (x & 0x080)
3848          e -= (((e >> 16) * 45395U) + 256U) >> 9;
3849 
3850       if (x & 0x040)
3851          e -= (((e >> 16) * 45410U) + 512U) >> 10;
3852 
3853       /* And handle the low 6 bits in a single block. */
3854       e -= (((e >> 16) * 355U * (x & 0x3fU)) + 256U) >> 9;
3855 
3856       /* Handle the upper bits of x. */
3857       e >>= x >> 16;
3858       return e;
3859    }
3860 
3861    /* Check for overflow */
3862    if (x <= 0)
3863       return png_32bit_exp[0];
3864 
3865    /* Else underflow */
3866    return 0;
3867 }
3868 
3869 static png_byte
3870 png_exp8bit(png_fixed_point lg2)
3871 {
3872    /* Get a 32-bit value: */
3873    png_uint_32 x = png_exp(lg2);
3874 
3875    /* Convert the 32-bit value to 0..255 by multiplying by 256-1. Note that the
3876     * second, rounding, step can't overflow because of the first, subtraction,
3877     * step.
3878     */
3879    x -= x >> 8;
3880    return (png_byte)(((x + 0x7fffffU) >> 24) & 0xff);
3881 }
3882 
3883 #ifdef PNG_16BIT_SUPPORTED
3884 static png_uint_16
3885 png_exp16bit(png_fixed_point lg2)
3886 {
3887    /* Get a 32-bit value: */
3888    png_uint_32 x = png_exp(lg2);
3889 
3890    /* Convert the 32-bit value to 0..65535 by multiplying by 65536-1: */
3891    x -= x >> 16;
3892    return (png_uint_16)((x + 32767U) >> 16);
3893 }
3894 #endif /* 16BIT */
3895 #endif /* FLOATING_ARITHMETIC */
3896 
3897 png_byte
3898 png_gamma_8bit_correct(unsigned int value, png_fixed_point gamma_val)
3899 {
3900    if (value > 0 && value < 255)
3901    {
3902 #     ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED
3903          /* 'value' is unsigned, ANSI-C90 requires the compiler to correctly
3904           * convert this to a floating point value.  This includes values that
3905           * would overflow if 'value' were to be converted to 'int'.
3906           *
3907           * Apparently GCC, however, does an intermediate conversion to (int)
3908           * on some (ARM) but not all (x86) platforms, possibly because of
3909           * hardware FP limitations.  (E.g. if the hardware conversion always
3910           * assumes the integer register contains a signed value.)  This results
3911           * in ANSI-C undefined behavior for large values.
3912           *
3913           * Other implementations on the same machine might actually be ANSI-C90
3914           * conformant and therefore compile spurious extra code for the large
3915           * values.
3916           *
3917           * We can be reasonably sure that an unsigned to float conversion
3918           * won't be faster than an int to float one.  Therefore this code
3919           * assumes responsibility for the undefined behavior, which it knows
3920           * can't happen because of the check above.
3921           *
3922           * Note the argument to this routine is an (unsigned int) because, on
3923           * 16-bit platforms, it is assigned a value which might be out of
3924           * range for an (int); that would result in undefined behavior in the
3925           * caller if the *argument* ('value') were to be declared (int).
3926           */
3927          double r = floor(255*pow((int)/*SAFE*/value/255.,gamma_val*.00001)+.5);
3928          return (png_byte)r;
3929 #     else
3930          png_int_32 lg2 = png_log8bit(value);
3931          png_fixed_point res;
3932 
3933          if (png_muldiv(&res, gamma_val, lg2, PNG_FP_1) != 0)
3934             return png_exp8bit(res);
3935 
3936          /* Overflow. */
3937          value = 0;
3938 #     endif
3939    }
3940 
3941    return (png_byte)(value & 0xff);
3942 }
3943 
3944 #ifdef PNG_16BIT_SUPPORTED
3945 png_uint_16
3946 png_gamma_16bit_correct(unsigned int value, png_fixed_point gamma_val)
3947 {
3948    if (value > 0 && value < 65535)
3949    {
3950 # ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED
3951       /* The same (unsigned int)->(double) constraints apply here as above,
3952        * however in this case the (unsigned int) to (int) conversion can
3953        * overflow on an ANSI-C90 compliant system so the cast needs to ensure
3954        * that this is not possible.
3955        */
3956       double r = floor(65535*pow((png_int_32)value/65535.,
3957           gamma_val*.00001)+.5);
3958       return (png_uint_16)r;
3959 # else
3960       png_int_32 lg2 = png_log16bit(value);
3961       png_fixed_point res;
3962 
3963       if (png_muldiv(&res, gamma_val, lg2, PNG_FP_1) != 0)
3964          return png_exp16bit(res);
3965 
3966       /* Overflow. */
3967       value = 0;
3968 # endif
3969    }
3970 
3971    return (png_uint_16)value;
3972 }
3973 #endif /* 16BIT */
3974 
3975 /* This does the right thing based on the bit_depth field of the
3976  * png_struct, interpreting values as 8-bit or 16-bit.  While the result
3977  * is nominally a 16-bit value if bit depth is 8 then the result is
3978  * 8-bit (as are the arguments.)
3979  */
3980 png_uint_16 /* PRIVATE */
3981 png_gamma_correct(png_structrp png_ptr, unsigned int value,
3982     png_fixed_point gamma_val)
3983 {
3984    if (png_ptr->bit_depth == 8)
3985       return png_gamma_8bit_correct(value, gamma_val);
3986 
3987 #ifdef PNG_16BIT_SUPPORTED
3988    else
3989       return png_gamma_16bit_correct(value, gamma_val);
3990 #else
3991       /* should not reach this */
3992       return 0;
3993 #endif /* 16BIT */
3994 }
3995 
3996 #ifdef PNG_16BIT_SUPPORTED
3997 /* Internal function to build a single 16-bit table - the table consists of
3998  * 'num' 256 entry subtables, where 'num' is determined by 'shift' - the amount
3999  * to shift the input values right (or 16-number_of_signifiant_bits).
4000  *
4001  * The caller is responsible for ensuring that the table gets cleaned up on
4002  * png_error (i.e. if one of the mallocs below fails) - i.e. the *table argument
4003  * should be somewhere that will be cleaned.
4004  */
4005 static void
4006 png_build_16bit_table(png_structrp png_ptr, png_uint_16pp *ptable,
4007     PNG_CONST unsigned int shift, PNG_CONST png_fixed_point gamma_val)
4008 {
4009    /* Various values derived from 'shift': */
4010    PNG_CONST unsigned int num = 1U << (8U - shift);
4011 #ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED
4012    /* CSE the division and work round wacky GCC warnings (see the comments
4013     * in png_gamma_8bit_correct for where these come from.)
4014     */
4015    PNG_CONST double fmax = 1./(((png_int_32)1 << (16U - shift))-1);
4016 #endif
4017    PNG_CONST unsigned int max = (1U << (16U - shift))-1U;
4018    PNG_CONST unsigned int max_by_2 = 1U << (15U-shift);
4019    unsigned int i;
4020 
4021    png_uint_16pp table = *ptable =
4022        (png_uint_16pp)png_calloc(png_ptr, num * (sizeof (png_uint_16p)));
4023 
4024    for (i = 0; i < num; i++)
4025    {
4026       png_uint_16p sub_table = table[i] =
4027           (png_uint_16p)png_malloc(png_ptr, 256 * (sizeof (png_uint_16)));
4028 
4029       /* The 'threshold' test is repeated here because it can arise for one of
4030        * the 16-bit tables even if the others don't hit it.
4031        */
4032       if (png_gamma_significant(gamma_val) != 0)
4033       {
4034          /* The old code would overflow at the end and this would cause the
4035           * 'pow' function to return a result >1, resulting in an
4036           * arithmetic error.  This code follows the spec exactly; ig is
4037           * the recovered input sample, it always has 8-16 bits.
4038           *
4039           * We want input * 65535/max, rounded, the arithmetic fits in 32
4040           * bits (unsigned) so long as max <= 32767.
4041           */
4042          unsigned int j;
4043          for (j = 0; j < 256; j++)
4044          {
4045             png_uint_32 ig = (j << (8-shift)) + i;
4046 #           ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED
4047                /* Inline the 'max' scaling operation: */
4048                /* See png_gamma_8bit_correct for why the cast to (int) is
4049                 * required here.
4050                 */
4051                double d = floor(65535.*pow(ig*fmax, gamma_val*.00001)+.5);
4052                sub_table[j] = (png_uint_16)d;
4053 #           else
4054                if (shift != 0)
4055                   ig = (ig * 65535U + max_by_2)/max;
4056 
4057                sub_table[j] = png_gamma_16bit_correct(ig, gamma_val);
4058 #           endif
4059          }
4060       }
4061       else
4062       {
4063          /* We must still build a table, but do it the fast way. */
4064          unsigned int j;
4065 
4066          for (j = 0; j < 256; j++)
4067          {
4068             png_uint_32 ig = (j << (8-shift)) + i;
4069 
4070             if (shift != 0)
4071                ig = (ig * 65535U + max_by_2)/max;
4072 
4073             sub_table[j] = (png_uint_16)ig;
4074          }
4075       }
4076    }
4077 }
4078 
4079 /* NOTE: this function expects the *inverse* of the overall gamma transformation
4080  * required.
4081  */
4082 static void
4083 png_build_16to8_table(png_structrp png_ptr, png_uint_16pp *ptable,
4084     PNG_CONST unsigned int shift, PNG_CONST png_fixed_point gamma_val)
4085 {
4086    PNG_CONST unsigned int num = 1U << (8U - shift);
4087    PNG_CONST unsigned int max = (1U << (16U - shift))-1U;
4088    unsigned int i;
4089    png_uint_32 last;
4090 
4091    png_uint_16pp table = *ptable =
4092        (png_uint_16pp)png_calloc(png_ptr, num * (sizeof (png_uint_16p)));
4093 
4094    /* 'num' is the number of tables and also the number of low bits of low
4095     * bits of the input 16-bit value used to select a table.  Each table is
4096     * itself indexed by the high 8 bits of the value.
4097     */
4098    for (i = 0; i < num; i++)
4099       table[i] = (png_uint_16p)png_malloc(png_ptr,
4100           256 * (sizeof (png_uint_16)));
4101 
4102    /* 'gamma_val' is set to the reciprocal of the value calculated above, so
4103     * pow(out,g) is an *input* value.  'last' is the last input value set.
4104     *
4105     * In the loop 'i' is used to find output values.  Since the output is
4106     * 8-bit there are only 256 possible values.  The tables are set up to
4107     * select the closest possible output value for each input by finding
4108     * the input value at the boundary between each pair of output values
4109     * and filling the table up to that boundary with the lower output
4110     * value.
4111     *
4112     * The boundary values are 0.5,1.5..253.5,254.5.  Since these are 9-bit
4113     * values the code below uses a 16-bit value in i; the values start at
4114     * 128.5 (for 0.5) and step by 257, for a total of 254 values (the last
4115     * entries are filled with 255).  Start i at 128 and fill all 'last'
4116     * table entries <= 'max'
4117     */
4118    last = 0;
4119    for (i = 0; i < 255; ++i) /* 8-bit output value */
4120    {
4121       /* Find the corresponding maximum input value */
4122       png_uint_16 out = (png_uint_16)(i * 257U); /* 16-bit output value */
4123 
4124       /* Find the boundary value in 16 bits: */
4125       png_uint_32 bound = png_gamma_16bit_correct(out+128U, gamma_val);
4126 
4127       /* Adjust (round) to (16-shift) bits: */
4128       bound = (bound * max + 32768U)/65535U + 1U;
4129 
4130       while (last < bound)
4131       {
4132          table[last & (0xffU >> shift)][last >> (8U - shift)] = out;
4133          last++;
4134       }
4135    }
4136 
4137    /* And fill in the final entries. */
4138    while (last < (num << 8))
4139    {
4140       table[last & (0xff >> shift)][last >> (8U - shift)] = 65535U;
4141       last++;
4142    }
4143 }
4144 #endif /* 16BIT */
4145 
4146 /* Build a single 8-bit table: same as the 16-bit case but much simpler (and
4147  * typically much faster).  Note that libpng currently does no sBIT processing
4148  * (apparently contrary to the spec) so a 256-entry table is always generated.
4149  */
4150 static void
4151 png_build_8bit_table(png_structrp png_ptr, png_bytepp ptable,
4152     PNG_CONST png_fixed_point gamma_val)
4153 {
4154    unsigned int i;
4155    png_bytep table = *ptable = (png_bytep)png_malloc(png_ptr, 256);
4156 
4157    if (png_gamma_significant(gamma_val) != 0)
4158       for (i=0; i<256; i++)
4159          table[i] = png_gamma_8bit_correct(i, gamma_val);
4160 
4161    else
4162       for (i=0; i<256; ++i)
4163          table[i] = (png_byte)(i & 0xff);
4164 }
4165 
4166 /* Used from png_read_destroy and below to release the memory used by the gamma
4167  * tables.
4168  */
4169 void /* PRIVATE */
4170 png_destroy_gamma_table(png_structrp png_ptr)
4171 {
4172    png_free(png_ptr, png_ptr->gamma_table);
4173    png_ptr->gamma_table = NULL;
4174 
4175 #ifdef PNG_16BIT_SUPPORTED
4176    if (png_ptr->gamma_16_table != NULL)
4177    {
4178       int i;
4179       int istop = (1 << (8 - png_ptr->gamma_shift));
4180       for (i = 0; i < istop; i++)
4181       {
4182          png_free(png_ptr, png_ptr->gamma_16_table[i]);
4183       }
4184    png_free(png_ptr, png_ptr->gamma_16_table);
4185    png_ptr->gamma_16_table = NULL;
4186    }
4187 #endif /* 16BIT */
4188 
4189 #if defined(PNG_READ_BACKGROUND_SUPPORTED) || \
4190    defined(PNG_READ_ALPHA_MODE_SUPPORTED) || \
4191    defined(PNG_READ_RGB_TO_GRAY_SUPPORTED)
4192    png_free(png_ptr, png_ptr->gamma_from_1);
4193    png_ptr->gamma_from_1 = NULL;
4194    png_free(png_ptr, png_ptr->gamma_to_1);
4195    png_ptr->gamma_to_1 = NULL;
4196 
4197 #ifdef PNG_16BIT_SUPPORTED
4198    if (png_ptr->gamma_16_from_1 != NULL)
4199    {
4200       int i;
4201       int istop = (1 << (8 - png_ptr->gamma_shift));
4202       for (i = 0; i < istop; i++)
4203       {
4204          png_free(png_ptr, png_ptr->gamma_16_from_1[i]);
4205       }
4206    png_free(png_ptr, png_ptr->gamma_16_from_1);
4207    png_ptr->gamma_16_from_1 = NULL;
4208    }
4209    if (png_ptr->gamma_16_to_1 != NULL)
4210    {
4211       int i;
4212       int istop = (1 << (8 - png_ptr->gamma_shift));
4213       for (i = 0; i < istop; i++)
4214       {
4215          png_free(png_ptr, png_ptr->gamma_16_to_1[i]);
4216       }
4217    png_free(png_ptr, png_ptr->gamma_16_to_1);
4218    png_ptr->gamma_16_to_1 = NULL;
4219    }
4220 #endif /* 16BIT */
4221 #endif /* READ_BACKGROUND || READ_ALPHA_MODE || RGB_TO_GRAY */
4222 }
4223 
4224 /* We build the 8- or 16-bit gamma tables here.  Note that for 16-bit
4225  * tables, we don't make a full table if we are reducing to 8-bit in
4226  * the future.  Note also how the gamma_16 tables are segmented so that
4227  * we don't need to allocate > 64K chunks for a full 16-bit table.
4228  */
4229 void /* PRIVATE */
4230 png_build_gamma_table(png_structrp png_ptr, int bit_depth)
4231 {
4232    png_debug(1, "in png_build_gamma_table");
4233 
4234    /* Remove any existing table; this copes with multiple calls to
4235     * png_read_update_info. The warning is because building the gamma tables
4236     * multiple times is a performance hit - it's harmless but the ability to
4237     * call png_read_update_info() multiple times is new in 1.5.6 so it seems
4238     * sensible to warn if the app introduces such a hit.
4239     */
4240    if (png_ptr->gamma_table != NULL || png_ptr->gamma_16_table != NULL)
4241    {
4242       png_warning(png_ptr, "gamma table being rebuilt");
4243       png_destroy_gamma_table(png_ptr);
4244    }
4245 
4246    if (bit_depth <= 8)
4247    {
4248       png_build_8bit_table(png_ptr, &png_ptr->gamma_table,
4249           png_ptr->screen_gamma > 0 ?
4250           png_reciprocal2(png_ptr->colorspace.gamma,
4251           png_ptr->screen_gamma) : PNG_FP_1);
4252 
4253 #if defined(PNG_READ_BACKGROUND_SUPPORTED) || \
4254    defined(PNG_READ_ALPHA_MODE_SUPPORTED) || \
4255    defined(PNG_READ_RGB_TO_GRAY_SUPPORTED)
4256       if ((png_ptr->transformations & (PNG_COMPOSE | PNG_RGB_TO_GRAY)) != 0)
4257       {
4258          png_build_8bit_table(png_ptr, &png_ptr->gamma_to_1,
4259              png_reciprocal(png_ptr->colorspace.gamma));
4260 
4261          png_build_8bit_table(png_ptr, &png_ptr->gamma_from_1,
4262              png_ptr->screen_gamma > 0 ?
4263              png_reciprocal(png_ptr->screen_gamma) :
4264              png_ptr->colorspace.gamma/* Probably doing rgb_to_gray */);
4265       }
4266 #endif /* READ_BACKGROUND || READ_ALPHA_MODE || RGB_TO_GRAY */
4267    }
4268 #ifdef PNG_16BIT_SUPPORTED
4269    else
4270    {
4271       png_byte shift, sig_bit;
4272 
4273       if ((png_ptr->color_type & PNG_COLOR_MASK_COLOR) != 0)
4274       {
4275          sig_bit = png_ptr->sig_bit.red;
4276 
4277          if (png_ptr->sig_bit.green > sig_bit)
4278             sig_bit = png_ptr->sig_bit.green;
4279 
4280          if (png_ptr->sig_bit.blue > sig_bit)
4281             sig_bit = png_ptr->sig_bit.blue;
4282       }
4283       else
4284          sig_bit = png_ptr->sig_bit.gray;
4285 
4286       /* 16-bit gamma code uses this equation:
4287        *
4288        *   ov = table[(iv & 0xff) >> gamma_shift][iv >> 8]
4289        *
4290        * Where 'iv' is the input color value and 'ov' is the output value -
4291        * pow(iv, gamma).
4292        *
4293        * Thus the gamma table consists of up to 256 256-entry tables.  The table
4294        * is selected by the (8-gamma_shift) most significant of the low 8 bits
4295        * of the color value then indexed by the upper 8 bits:
4296        *
4297        *   table[low bits][high 8 bits]
4298        *
4299        * So the table 'n' corresponds to all those 'iv' of:
4300        *
4301        *   <all high 8-bit values><n << gamma_shift>..<(n+1 << gamma_shift)-1>
4302        *
4303        */
4304       if (sig_bit > 0 && sig_bit < 16U)
4305          /* shift == insignificant bits */
4306          shift = (png_byte)((16U - sig_bit) & 0xff);
4307 
4308       else
4309          shift = 0; /* keep all 16 bits */
4310 
4311       if ((png_ptr->transformations & (PNG_16_TO_8 | PNG_SCALE_16_TO_8)) != 0)
4312       {
4313          /* PNG_MAX_GAMMA_8 is the number of bits to keep - effectively
4314           * the significant bits in the *input* when the output will
4315           * eventually be 8 bits.  By default it is 11.
4316           */
4317          if (shift < (16U - PNG_MAX_GAMMA_8))
4318             shift = (16U - PNG_MAX_GAMMA_8);
4319       }
4320 
4321       if (shift > 8U)
4322          shift = 8U; /* Guarantees at least one table! */
4323 
4324       png_ptr->gamma_shift = shift;
4325 
4326       /* NOTE: prior to 1.5.4 this test used to include PNG_BACKGROUND (now
4327        * PNG_COMPOSE).  This effectively smashed the background calculation for
4328        * 16-bit output because the 8-bit table assumes the result will be
4329        * reduced to 8 bits.
4330        */
4331       if ((png_ptr->transformations & (PNG_16_TO_8 | PNG_SCALE_16_TO_8)) != 0)
4332           png_build_16to8_table(png_ptr, &png_ptr->gamma_16_table, shift,
4333           png_ptr->screen_gamma > 0 ? png_product2(png_ptr->colorspace.gamma,
4334           png_ptr->screen_gamma) : PNG_FP_1);
4335 
4336       else
4337           png_build_16bit_table(png_ptr, &png_ptr->gamma_16_table, shift,
4338           png_ptr->screen_gamma > 0 ? png_reciprocal2(png_ptr->colorspace.gamma,
4339           png_ptr->screen_gamma) : PNG_FP_1);
4340 
4341 #if defined(PNG_READ_BACKGROUND_SUPPORTED) || \
4342    defined(PNG_READ_ALPHA_MODE_SUPPORTED) || \
4343    defined(PNG_READ_RGB_TO_GRAY_SUPPORTED)
4344       if ((png_ptr->transformations & (PNG_COMPOSE | PNG_RGB_TO_GRAY)) != 0)
4345       {
4346          png_build_16bit_table(png_ptr, &png_ptr->gamma_16_to_1, shift,
4347              png_reciprocal(png_ptr->colorspace.gamma));
4348 
4349          /* Notice that the '16 from 1' table should be full precision, however
4350           * the lookup on this table still uses gamma_shift, so it can't be.
4351           * TODO: fix this.
4352           */
4353          png_build_16bit_table(png_ptr, &png_ptr->gamma_16_from_1, shift,
4354              png_ptr->screen_gamma > 0 ? png_reciprocal(png_ptr->screen_gamma) :
4355              png_ptr->colorspace.gamma/* Probably doing rgb_to_gray */);
4356       }
4357 #endif /* READ_BACKGROUND || READ_ALPHA_MODE || RGB_TO_GRAY */
4358    }
4359 #endif /* 16BIT */
4360 }
4361 #endif /* READ_GAMMA */
4362 
4363 /* HARDWARE OR SOFTWARE OPTION SUPPORT */
4364 #ifdef PNG_SET_OPTION_SUPPORTED
4365 int PNGAPI
4366 png_set_option(png_structrp png_ptr, int option, int onoff)
4367 {
4368    if (png_ptr != NULL && option >= 0 && option < PNG_OPTION_NEXT &&
4369       (option & 1) == 0)
4370    {
4371       png_uint_32 mask = 3U << option;
4372       png_uint_32 setting = (2U + (onoff != 0)) << option;
4373       png_uint_32 current = png_ptr->options;
4374 
4375       png_ptr->options = (png_uint_32)((current & ~mask) | setting);
4376 
4377       return (int)(current & mask) >> option;
4378    }
4379 
4380    return PNG_OPTION_INVALID;
4381 }
4382 #endif
4383 
4384 /* sRGB support */
4385 #if defined(PNG_SIMPLIFIED_READ_SUPPORTED) ||\
4386    defined(PNG_SIMPLIFIED_WRITE_SUPPORTED)
4387 /* sRGB conversion tables; these are machine generated with the code in
4388  * contrib/tools/makesRGB.c.  The actual sRGB transfer curve defined in the
4389  * specification (see the article at https://en.wikipedia.org/wiki/SRGB)
4390  * is used, not the gamma=1/2.2 approximation use elsewhere in libpng.
4391  * The sRGB to linear table is exact (to the nearest 16-bit linear fraction).
4392  * The inverse (linear to sRGB) table has accuracies as follows:
4393  *
4394  * For all possible (255*65535+1) input values:
4395  *
4396  *    error: -0.515566 - 0.625971, 79441 (0.475369%) of readings inexact
4397  *
4398  * For the input values corresponding to the 65536 16-bit values:
4399  *
4400  *    error: -0.513727 - 0.607759, 308 (0.469978%) of readings inexact
4401  *
4402  * In all cases the inexact readings are only off by one.
4403  */
4404 
4405 #ifdef PNG_SIMPLIFIED_READ_SUPPORTED
4406 /* The convert-to-sRGB table is only currently required for read. */
4407 const png_uint_16 png_sRGB_table[256] =
4408 {
4409    0,20,40,60,80,99,119,139,
4410    159,179,199,219,241,264,288,313,
4411    340,367,396,427,458,491,526,562,
4412    599,637,677,718,761,805,851,898,
4413    947,997,1048,1101,1156,1212,1270,1330,
4414    1391,1453,1517,1583,1651,1720,1790,1863,
4415    1937,2013,2090,2170,2250,2333,2418,2504,
4416    2592,2681,2773,2866,2961,3058,3157,3258,
4417    3360,3464,3570,3678,3788,3900,4014,4129,
4418    4247,4366,4488,4611,4736,4864,4993,5124,
4419    5257,5392,5530,5669,5810,5953,6099,6246,
4420    6395,6547,6700,6856,7014,7174,7335,7500,
4421    7666,7834,8004,8177,8352,8528,8708,8889,
4422    9072,9258,9445,9635,9828,10022,10219,10417,
4423    10619,10822,11028,11235,11446,11658,11873,12090,
4424    12309,12530,12754,12980,13209,13440,13673,13909,
4425    14146,14387,14629,14874,15122,15371,15623,15878,
4426    16135,16394,16656,16920,17187,17456,17727,18001,
4427    18277,18556,18837,19121,19407,19696,19987,20281,
4428    20577,20876,21177,21481,21787,22096,22407,22721,
4429    23038,23357,23678,24002,24329,24658,24990,25325,
4430    25662,26001,26344,26688,27036,27386,27739,28094,
4431    28452,28813,29176,29542,29911,30282,30656,31033,
4432    31412,31794,32179,32567,32957,33350,33745,34143,
4433    34544,34948,35355,35764,36176,36591,37008,37429,
4434    37852,38278,38706,39138,39572,40009,40449,40891,
4435    41337,41785,42236,42690,43147,43606,44069,44534,
4436    45002,45473,45947,46423,46903,47385,47871,48359,
4437    48850,49344,49841,50341,50844,51349,51858,52369,
4438    52884,53401,53921,54445,54971,55500,56032,56567,
4439    57105,57646,58190,58737,59287,59840,60396,60955,
4440    61517,62082,62650,63221,63795,64372,64952,65535
4441 };
4442 #endif /* SIMPLIFIED_READ */
4443 
4444 /* The base/delta tables are required for both read and write (but currently
4445  * only the simplified versions.)
4446  */
4447 const png_uint_16 png_sRGB_base[512] =
4448 {
4449    128,1782,3383,4644,5675,6564,7357,8074,
4450    8732,9346,9921,10463,10977,11466,11935,12384,
4451    12816,13233,13634,14024,14402,14769,15125,15473,
4452    15812,16142,16466,16781,17090,17393,17690,17981,
4453    18266,18546,18822,19093,19359,19621,19879,20133,
4454    20383,20630,20873,21113,21349,21583,21813,22041,
4455    22265,22487,22707,22923,23138,23350,23559,23767,
4456    23972,24175,24376,24575,24772,24967,25160,25352,
4457    25542,25730,25916,26101,26284,26465,26645,26823,
4458    27000,27176,27350,27523,27695,27865,28034,28201,
4459    28368,28533,28697,28860,29021,29182,29341,29500,
4460    29657,29813,29969,30123,30276,30429,30580,30730,
4461    30880,31028,31176,31323,31469,31614,31758,31902,
4462    32045,32186,32327,32468,32607,32746,32884,33021,
4463    33158,33294,33429,33564,33697,33831,33963,34095,
4464    34226,34357,34486,34616,34744,34873,35000,35127,
4465    35253,35379,35504,35629,35753,35876,35999,36122,
4466    36244,36365,36486,36606,36726,36845,36964,37083,
4467    37201,37318,37435,37551,37668,37783,37898,38013,
4468    38127,38241,38354,38467,38580,38692,38803,38915,
4469    39026,39136,39246,39356,39465,39574,39682,39790,
4470    39898,40005,40112,40219,40325,40431,40537,40642,
4471    40747,40851,40955,41059,41163,41266,41369,41471,
4472    41573,41675,41777,41878,41979,42079,42179,42279,
4473    42379,42478,42577,42676,42775,42873,42971,43068,
4474    43165,43262,43359,43456,43552,43648,43743,43839,
4475    43934,44028,44123,44217,44311,44405,44499,44592,
4476    44685,44778,44870,44962,45054,45146,45238,45329,
4477    45420,45511,45601,45692,45782,45872,45961,46051,
4478    46140,46229,46318,46406,46494,46583,46670,46758,
4479    46846,46933,47020,47107,47193,47280,47366,47452,
4480    47538,47623,47709,47794,47879,47964,48048,48133,
4481    48217,48301,48385,48468,48552,48635,48718,48801,
4482    48884,48966,49048,49131,49213,49294,49376,49458,
4483    49539,49620,49701,49782,49862,49943,50023,50103,
4484    50183,50263,50342,50422,50501,50580,50659,50738,
4485    50816,50895,50973,51051,51129,51207,51285,51362,
4486    51439,51517,51594,51671,51747,51824,51900,51977,
4487    52053,52129,52205,52280,52356,52432,52507,52582,
4488    52657,52732,52807,52881,52956,53030,53104,53178,
4489    53252,53326,53400,53473,53546,53620,53693,53766,
4490    53839,53911,53984,54056,54129,54201,54273,54345,
4491    54417,54489,54560,54632,54703,54774,54845,54916,
4492    54987,55058,55129,55199,55269,55340,55410,55480,
4493    55550,55620,55689,55759,55828,55898,55967,56036,
4494    56105,56174,56243,56311,56380,56448,56517,56585,
4495    56653,56721,56789,56857,56924,56992,57059,57127,
4496    57194,57261,57328,57395,57462,57529,57595,57662,
4497    57728,57795,57861,57927,57993,58059,58125,58191,
4498    58256,58322,58387,58453,58518,58583,58648,58713,
4499    58778,58843,58908,58972,59037,59101,59165,59230,
4500    59294,59358,59422,59486,59549,59613,59677,59740,
4501    59804,59867,59930,59993,60056,60119,60182,60245,
4502    60308,60370,60433,60495,60558,60620,60682,60744,
4503    60806,60868,60930,60992,61054,61115,61177,61238,
4504    61300,61361,61422,61483,61544,61605,61666,61727,
4505    61788,61848,61909,61969,62030,62090,62150,62211,
4506    62271,62331,62391,62450,62510,62570,62630,62689,
4507    62749,62808,62867,62927,62986,63045,63104,63163,
4508    63222,63281,63340,63398,63457,63515,63574,63632,
4509    63691,63749,63807,63865,63923,63981,64039,64097,
4510    64155,64212,64270,64328,64385,64443,64500,64557,
4511    64614,64672,64729,64786,64843,64900,64956,65013,
4512    65070,65126,65183,65239,65296,65352,65409,65465
4513 };
4514 
4515 const png_byte png_sRGB_delta[512] =
4516 {
4517    207,201,158,129,113,100,90,82,77,72,68,64,61,59,56,54,
4518    52,50,49,47,46,45,43,42,41,40,39,39,38,37,36,36,
4519    35,34,34,33,33,32,32,31,31,30,30,30,29,29,28,28,
4520    28,27,27,27,27,26,26,26,25,25,25,25,24,24,24,24,
4521    23,23,23,23,23,22,22,22,22,22,22,21,21,21,21,21,
4522    21,20,20,20,20,20,20,20,20,19,19,19,19,19,19,19,
4523    19,18,18,18,18,18,18,18,18,18,18,17,17,17,17,17,
4524    17,17,17,17,17,17,16,16,16,16,16,16,16,16,16,16,
4525    16,16,16,16,15,15,15,15,15,15,15,15,15,15,15,15,
4526    15,15,15,15,14,14,14,14,14,14,14,14,14,14,14,14,
4527    14,14,14,14,14,14,14,13,13,13,13,13,13,13,13,13,
4528    13,13,13,13,13,13,13,13,13,13,13,13,13,13,12,12,
4529    12,12,12,12,12,12,12,12,12,12,12,12,12,12,12,12,
4530    12,12,12,12,12,12,12,12,12,12,12,12,11,11,11,11,
4531    11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,
4532    11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,
4533    11,10,10,10,10,10,10,10,10,10,10,10,10,10,10,10,
4534    10,10,10,10,10,10,10,10,10,10,10,10,10,10,10,10,
4535    10,10,10,10,10,10,10,10,10,10,10,10,10,10,10,10,
4536    10,9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,
4537    9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,
4538    9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,
4539    9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,
4540    9,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,
4541    8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,
4542    8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,
4543    8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,
4544    8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,
4545    8,8,8,8,8,8,8,8,8,7,7,7,7,7,7,7,
4546    7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,
4547    7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,
4548    7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,7
4549 };
4550 #endif /* SIMPLIFIED READ/WRITE sRGB support */
4551 
4552 /* SIMPLIFIED READ/WRITE SUPPORT */
4553 #if defined(PNG_SIMPLIFIED_READ_SUPPORTED) ||\
4554    defined(PNG_SIMPLIFIED_WRITE_SUPPORTED)
4555 static int
4556 png_image_free_function(png_voidp argument)
4557 {
4558    png_imagep image = png_voidcast(png_imagep, argument);
4559    png_controlp cp = image->opaque;
4560    png_control c;
4561 
4562    /* Double check that we have a png_ptr - it should be impossible to get here
4563     * without one.
4564     */
4565    if (cp->png_ptr == NULL)
4566       return 0;
4567 
4568    /* First free any data held in the control structure. */
4569 #  ifdef PNG_STDIO_SUPPORTED
4570       if (cp->owned_file != 0)
4571       {
4572          FILE *fp = png_voidcast(FILE*, cp->png_ptr->io_ptr);
4573          cp->owned_file = 0;
4574 
4575          /* Ignore errors here. */
4576          if (fp != NULL)
4577          {
4578             cp->png_ptr->io_ptr = NULL;
4579             (void)fclose(fp);
4580          }
4581       }
4582 #  endif
4583 
4584    /* Copy the control structure so that the original, allocated, version can be
4585     * safely freed.  Notice that a png_error here stops the remainder of the
4586     * cleanup, but this is probably fine because that would indicate bad memory
4587     * problems anyway.
4588     */
4589    c = *cp;
4590    image->opaque = &c;
4591    png_free(c.png_ptr, cp);
4592 
4593    /* Then the structures, calling the correct API. */
4594    if (c.for_write != 0)
4595    {
4596 #     ifdef PNG_SIMPLIFIED_WRITE_SUPPORTED
4597          png_destroy_write_struct(&c.png_ptr, &c.info_ptr);
4598 #     else
4599          png_error(c.png_ptr, "simplified write not supported");
4600 #     endif
4601    }
4602    else
4603    {
4604 #     ifdef PNG_SIMPLIFIED_READ_SUPPORTED
4605          png_destroy_read_struct(&c.png_ptr, &c.info_ptr, NULL);
4606 #     else
4607          png_error(c.png_ptr, "simplified read not supported");
4608 #     endif
4609    }
4610 
4611    /* Success. */
4612    return 1;
4613 }
4614 
4615 void PNGAPI
4616 png_image_free(png_imagep image)
4617 {
4618    /* Safely call the real function, but only if doing so is safe at this point
4619     * (if not inside an error handling context).  Otherwise assume
4620     * png_safe_execute will call this API after the return.
4621     */
4622    if (image != NULL && image->opaque != NULL &&
4623       image->opaque->error_buf == NULL)
4624    {
4625       png_image_free_function(image);
4626       image->opaque = NULL;
4627    }
4628 }
4629 
4630 int /* PRIVATE */
4631 png_image_error(png_imagep image, png_const_charp error_message)
4632 {
4633    /* Utility to log an error. */
4634    png_safecat(image->message, (sizeof image->message), 0, error_message);
4635    image->warning_or_error |= PNG_IMAGE_ERROR;
4636    png_image_free(image);
4637    return 0;
4638 }
4639 
4640 #endif /* SIMPLIFIED READ/WRITE */
4641 #endif /* READ || WRITE */
--- EOF ---