rev 55557 : 8217676: Upgrade libpng to 1.6.37
Reviewed-by: prr, jdv

   1 /*
   2  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
   3  *
   4  * This code is free software; you can redistribute it and/or modify it
   5  * under the terms of the GNU General Public License version 2 only, as
   6  * published by the Free Software Foundation.  Oracle designates this
   7  * particular file as subject to the "Classpath" exception as provided
   8  * by Oracle in the LICENSE file that accompanied this code.
   9  *
  10  * This code is distributed in the hope that it will be useful, but WITHOUT
  11  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  12  * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  13  * version 2 for more details (a copy is included in the LICENSE file that
  14  * accompanied this code).
  15  *
  16  * You should have received a copy of the GNU General Public License version
  17  * 2 along with this work; if not, write to the Free Software Foundation,
  18  * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
  19  *
  20  * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
  21  * or visit www.oracle.com if you need additional information or have any
  22  * questions.
  23  */
  24 
  25 /* png.c - location for general purpose libpng functions
  26  *
  27  * This file is available under and governed by the GNU General Public
  28  * License version 2 only, as published by the Free Software Foundation.
  29  * However, the following notice accompanied the original version of this
  30  * file and, per its terms, should not be removed:
  31  *
  32  * Copyright (c) 2018-2019 Cosmin Truta
  33  * Copyright (c) 1998-2002,2004,2006-2018 Glenn Randers-Pehrson
  34  * Copyright (c) 1996-1997 Andreas Dilger
  35  * Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc.
  36  *
  37  * This code is released under the libpng license.
  38  * For conditions of distribution and use, see the disclaimer
  39  * and license in png.h
  40  */
  41 
  42 #include "pngpriv.h"
  43 
  44 /* Generate a compiler error if there is an old png.h in the search path. */
  45 typedef png_libpng_version_1_6_37 Your_png_h_is_not_version_1_6_37;
  46 
  47 #ifdef __GNUC__
  48 /* The version tests may need to be added to, but the problem warning has
  49  * consistently been fixed in GCC versions which obtain wide-spread release.
  50  * The problem is that many versions of GCC rearrange comparison expressions in
  51  * the optimizer in such a way that the results of the comparison will change
  52  * if signed integer overflow occurs.  Such comparisons are not permitted in
  53  * ANSI C90, however GCC isn't clever enough to work out that that do not occur
  54  * below in png_ascii_from_fp and png_muldiv, so it produces a warning with
  55  * -Wextra.  Unfortunately this is highly dependent on the optimizer and the
  56  * machine architecture so the warning comes and goes unpredictably and is
  57  * impossible to "fix", even were that a good idea.
  58  */
  59 #if __GNUC__ == 7 && __GNUC_MINOR__ == 1
  60 #define GCC_STRICT_OVERFLOW 1
  61 #endif /* GNU 7.1.x */
  62 #endif /* GNU */
  63 #ifndef GCC_STRICT_OVERFLOW
  64 #define GCC_STRICT_OVERFLOW 0
  65 #endif
  66 
  67 /* Tells libpng that we have already handled the first "num_bytes" bytes
  68  * of the PNG file signature.  If the PNG data is embedded into another
  69  * stream we can set num_bytes = 8 so that libpng will not attempt to read
  70  * or write any of the magic bytes before it starts on the IHDR.
  71  */
  72 
  73 #ifdef PNG_READ_SUPPORTED
  74 void PNGAPI
  75 png_set_sig_bytes(png_structrp png_ptr, int num_bytes)
  76 {
  77    unsigned int nb = (unsigned int)num_bytes;
  78 
  79    png_debug(1, "in png_set_sig_bytes");
  80 
  81    if (png_ptr == NULL)
  82       return;
  83 
  84    if (num_bytes < 0)
  85       nb = 0;
  86 
  87    if (nb > 8)
  88       png_error(png_ptr, "Too many bytes for PNG signature");
  89 
  90    png_ptr->sig_bytes = (png_byte)nb;
  91 }
  92 
  93 /* Checks whether the supplied bytes match the PNG signature.  We allow
  94  * checking less than the full 8-byte signature so that those apps that
  95  * already read the first few bytes of a file to determine the file type
  96  * can simply check the remaining bytes for extra assurance.  Returns
  97  * an integer less than, equal to, or greater than zero if sig is found,
  98  * respectively, to be less than, to match, or be greater than the correct
  99  * PNG signature (this is the same behavior as strcmp, memcmp, etc).
 100  */
 101 int PNGAPI
 102 png_sig_cmp(png_const_bytep sig, size_t start, size_t num_to_check)
 103 {
 104    png_byte png_signature[8] = {137, 80, 78, 71, 13, 10, 26, 10};
 105 
 106    if (num_to_check > 8)
 107       num_to_check = 8;
 108 
 109    else if (num_to_check < 1)
 110       return (-1);
 111 
 112    if (start > 7)
 113       return (-1);
 114 
 115    if (start + num_to_check > 8)
 116       num_to_check = 8 - start;
 117 
 118    return ((int)(memcmp(&sig[start], &png_signature[start], num_to_check)));
 119 }
 120 
 121 #endif /* READ */
 122 
 123 #if defined(PNG_READ_SUPPORTED) || defined(PNG_WRITE_SUPPORTED)
 124 /* Function to allocate memory for zlib */
 125 PNG_FUNCTION(voidpf /* PRIVATE */,
 126 png_zalloc,(voidpf png_ptr, uInt items, uInt size),PNG_ALLOCATED)
 127 {
 128    png_alloc_size_t num_bytes = size;
 129 
 130    if (png_ptr == NULL)
 131       return NULL;
 132 
 133    if (items >= (~(png_alloc_size_t)0)/size)
 134    {
 135       png_warning (png_voidcast(png_structrp, png_ptr),
 136           "Potential overflow in png_zalloc()");
 137       return NULL;
 138    }
 139 
 140    num_bytes *= items;
 141    return png_malloc_warn(png_voidcast(png_structrp, png_ptr), num_bytes);
 142 }
 143 
 144 /* Function to free memory for zlib */
 145 void /* PRIVATE */
 146 png_zfree(voidpf png_ptr, voidpf ptr)
 147 {
 148    png_free(png_voidcast(png_const_structrp,png_ptr), ptr);
 149 }
 150 
 151 /* Reset the CRC variable to 32 bits of 1's.  Care must be taken
 152  * in case CRC is > 32 bits to leave the top bits 0.
 153  */
 154 void /* PRIVATE */
 155 png_reset_crc(png_structrp png_ptr)
 156 {
 157    /* The cast is safe because the crc is a 32-bit value. */
 158    png_ptr->crc = (png_uint_32)crc32(0, Z_NULL, 0);
 159 }
 160 
 161 /* Calculate the CRC over a section of data.  We can only pass as
 162  * much data to this routine as the largest single buffer size.  We
 163  * also check that this data will actually be used before going to the
 164  * trouble of calculating it.
 165  */
 166 void /* PRIVATE */
 167 png_calculate_crc(png_structrp png_ptr, png_const_bytep ptr, size_t length)
 168 {
 169    int need_crc = 1;
 170 
 171    if (PNG_CHUNK_ANCILLARY(png_ptr->chunk_name) != 0)
 172    {
 173       if ((png_ptr->flags & PNG_FLAG_CRC_ANCILLARY_MASK) ==
 174           (PNG_FLAG_CRC_ANCILLARY_USE | PNG_FLAG_CRC_ANCILLARY_NOWARN))
 175          need_crc = 0;
 176    }
 177 
 178    else /* critical */
 179    {
 180       if ((png_ptr->flags & PNG_FLAG_CRC_CRITICAL_IGNORE) != 0)
 181          need_crc = 0;
 182    }
 183 
 184    /* 'uLong' is defined in zlib.h as unsigned long; this means that on some
 185     * systems it is a 64-bit value.  crc32, however, returns 32 bits so the
 186     * following cast is safe.  'uInt' may be no more than 16 bits, so it is
 187     * necessary to perform a loop here.
 188     */
 189    if (need_crc != 0 && length > 0)
 190    {
 191       uLong crc = png_ptr->crc; /* Should never issue a warning */
 192 
 193       do
 194       {
 195          uInt safe_length = (uInt)length;
 196 #ifndef __COVERITY__
 197          if (safe_length == 0)
 198             safe_length = (uInt)-1; /* evil, but safe */
 199 #endif
 200 
 201          crc = crc32(crc, ptr, safe_length);
 202 
 203          /* The following should never issue compiler warnings; if they do the
 204           * target system has characteristics that will probably violate other
 205           * assumptions within the libpng code.
 206           */
 207          ptr += safe_length;
 208          length -= safe_length;
 209       }
 210       while (length > 0);
 211 
 212       /* And the following is always safe because the crc is only 32 bits. */
 213       png_ptr->crc = (png_uint_32)crc;
 214    }
 215 }
 216 
 217 /* Check a user supplied version number, called from both read and write
 218  * functions that create a png_struct.
 219  */
 220 int
 221 png_user_version_check(png_structrp png_ptr, png_const_charp user_png_ver)
 222 {
 223    /* Libpng versions 1.0.0 and later are binary compatible if the version
 224     * string matches through the second '.'; we must recompile any
 225     * applications that use any older library version.
 226     */
 227 
 228    if (user_png_ver != NULL)
 229    {
 230       int i = -1;
 231       int found_dots = 0;
 232 
 233       do
 234       {
 235          i++;
 236          if (user_png_ver[i] != PNG_LIBPNG_VER_STRING[i])
 237             png_ptr->flags |= PNG_FLAG_LIBRARY_MISMATCH;
 238          if (user_png_ver[i] == '.')
 239             found_dots++;
 240       } while (found_dots < 2 && user_png_ver[i] != 0 &&
 241             PNG_LIBPNG_VER_STRING[i] != 0);
 242    }
 243 
 244    else
 245       png_ptr->flags |= PNG_FLAG_LIBRARY_MISMATCH;
 246 
 247    if ((png_ptr->flags & PNG_FLAG_LIBRARY_MISMATCH) != 0)
 248    {
 249 #ifdef PNG_WARNINGS_SUPPORTED
 250       size_t pos = 0;
 251       char m[128];
 252 
 253       pos = png_safecat(m, (sizeof m), pos,
 254           "Application built with libpng-");
 255       pos = png_safecat(m, (sizeof m), pos, user_png_ver);
 256       pos = png_safecat(m, (sizeof m), pos, " but running with ");
 257       pos = png_safecat(m, (sizeof m), pos, PNG_LIBPNG_VER_STRING);
 258       PNG_UNUSED(pos)
 259 
 260       png_warning(png_ptr, m);
 261 #endif
 262 
 263 #ifdef PNG_ERROR_NUMBERS_SUPPORTED
 264       png_ptr->flags = 0;
 265 #endif
 266 
 267       return 0;
 268    }
 269 
 270    /* Success return. */
 271    return 1;
 272 }
 273 
 274 /* Generic function to create a png_struct for either read or write - this
 275  * contains the common initialization.
 276  */
 277 PNG_FUNCTION(png_structp /* PRIVATE */,
 278 png_create_png_struct,(png_const_charp user_png_ver, png_voidp error_ptr,
 279     png_error_ptr error_fn, png_error_ptr warn_fn, png_voidp mem_ptr,
 280     png_malloc_ptr malloc_fn, png_free_ptr free_fn),PNG_ALLOCATED)
 281 {
 282    png_struct create_struct;
 283 #  ifdef PNG_SETJMP_SUPPORTED
 284       jmp_buf create_jmp_buf;
 285 #  endif
 286 
 287    /* This temporary stack-allocated structure is used to provide a place to
 288     * build enough context to allow the user provided memory allocator (if any)
 289     * to be called.
 290     */
 291    memset(&create_struct, 0, (sizeof create_struct));
 292 
 293    /* Added at libpng-1.2.6 */
 294 #  ifdef PNG_USER_LIMITS_SUPPORTED
 295       create_struct.user_width_max = PNG_USER_WIDTH_MAX;
 296       create_struct.user_height_max = PNG_USER_HEIGHT_MAX;
 297 
 298 #     ifdef PNG_USER_CHUNK_CACHE_MAX
 299       /* Added at libpng-1.2.43 and 1.4.0 */
 300       create_struct.user_chunk_cache_max = PNG_USER_CHUNK_CACHE_MAX;
 301 #     endif
 302 
 303 #     ifdef PNG_USER_CHUNK_MALLOC_MAX
 304       /* Added at libpng-1.2.43 and 1.4.1, required only for read but exists
 305        * in png_struct regardless.
 306        */
 307       create_struct.user_chunk_malloc_max = PNG_USER_CHUNK_MALLOC_MAX;
 308 #     endif
 309 #  endif
 310 
 311    /* The following two API calls simply set fields in png_struct, so it is safe
 312     * to do them now even though error handling is not yet set up.
 313     */
 314 #  ifdef PNG_USER_MEM_SUPPORTED
 315       png_set_mem_fn(&create_struct, mem_ptr, malloc_fn, free_fn);
 316 #  else
 317       PNG_UNUSED(mem_ptr)
 318       PNG_UNUSED(malloc_fn)
 319       PNG_UNUSED(free_fn)
 320 #  endif
 321 
 322    /* (*error_fn) can return control to the caller after the error_ptr is set,
 323     * this will result in a memory leak unless the error_fn does something
 324     * extremely sophisticated.  The design lacks merit but is implicit in the
 325     * API.
 326     */
 327    png_set_error_fn(&create_struct, error_ptr, error_fn, warn_fn);
 328 
 329 #  ifdef PNG_SETJMP_SUPPORTED
 330       if (!setjmp(create_jmp_buf))
 331 #  endif
 332       {
 333 #  ifdef PNG_SETJMP_SUPPORTED
 334          /* Temporarily fake out the longjmp information until we have
 335           * successfully completed this function.  This only works if we have
 336           * setjmp() support compiled in, but it is safe - this stuff should
 337           * never happen.
 338           */
 339          create_struct.jmp_buf_ptr = &create_jmp_buf;
 340          create_struct.jmp_buf_size = 0; /*stack allocation*/
 341          create_struct.longjmp_fn = longjmp;
 342 #  endif
 343          /* Call the general version checker (shared with read and write code):
 344           */
 345          if (png_user_version_check(&create_struct, user_png_ver) != 0)
 346          {
 347             png_structrp png_ptr = png_voidcast(png_structrp,
 348                 png_malloc_warn(&create_struct, (sizeof *png_ptr)));
 349 
 350             if (png_ptr != NULL)
 351             {
 352                /* png_ptr->zstream holds a back-pointer to the png_struct, so
 353                 * this can only be done now:
 354                 */
 355                create_struct.zstream.zalloc = png_zalloc;
 356                create_struct.zstream.zfree = png_zfree;
 357                create_struct.zstream.opaque = png_ptr;
 358 
 359 #              ifdef PNG_SETJMP_SUPPORTED
 360                /* Eliminate the local error handling: */
 361                create_struct.jmp_buf_ptr = NULL;
 362                create_struct.jmp_buf_size = 0;
 363                create_struct.longjmp_fn = 0;
 364 #              endif
 365 
 366                *png_ptr = create_struct;
 367 
 368                /* This is the successful return point */
 369                return png_ptr;
 370             }
 371          }
 372       }
 373 
 374    /* A longjmp because of a bug in the application storage allocator or a
 375     * simple failure to allocate the png_struct.
 376     */
 377    return NULL;
 378 }
 379 
 380 /* Allocate the memory for an info_struct for the application. */
 381 PNG_FUNCTION(png_infop,PNGAPI
 382 png_create_info_struct,(png_const_structrp png_ptr),PNG_ALLOCATED)
 383 {
 384    png_inforp info_ptr;
 385 
 386    png_debug(1, "in png_create_info_struct");
 387 
 388    if (png_ptr == NULL)
 389       return NULL;
 390 
 391    /* Use the internal API that does not (or at least should not) error out, so
 392     * that this call always returns ok.  The application typically sets up the
 393     * error handling *after* creating the info_struct because this is the way it
 394     * has always been done in 'example.c'.
 395     */
 396    info_ptr = png_voidcast(png_inforp, png_malloc_base(png_ptr,
 397        (sizeof *info_ptr)));
 398 
 399    if (info_ptr != NULL)
 400       memset(info_ptr, 0, (sizeof *info_ptr));
 401 
 402    return info_ptr;
 403 }
 404 
 405 /* This function frees the memory associated with a single info struct.
 406  * Normally, one would use either png_destroy_read_struct() or
 407  * png_destroy_write_struct() to free an info struct, but this may be
 408  * useful for some applications.  From libpng 1.6.0 this function is also used
 409  * internally to implement the png_info release part of the 'struct' destroy
 410  * APIs.  This ensures that all possible approaches free the same data (all of
 411  * it).
 412  */
 413 void PNGAPI
 414 png_destroy_info_struct(png_const_structrp png_ptr, png_infopp info_ptr_ptr)
 415 {
 416    png_inforp info_ptr = NULL;
 417 
 418    png_debug(1, "in png_destroy_info_struct");
 419 
 420    if (png_ptr == NULL)
 421       return;
 422 
 423    if (info_ptr_ptr != NULL)
 424       info_ptr = *info_ptr_ptr;
 425 
 426    if (info_ptr != NULL)
 427    {
 428       /* Do this first in case of an error below; if the app implements its own
 429        * memory management this can lead to png_free calling png_error, which
 430        * will abort this routine and return control to the app error handler.
 431        * An infinite loop may result if it then tries to free the same info
 432        * ptr.
 433        */
 434       *info_ptr_ptr = NULL;
 435 
 436       png_free_data(png_ptr, info_ptr, PNG_FREE_ALL, -1);
 437       memset(info_ptr, 0, (sizeof *info_ptr));
 438       png_free(png_ptr, info_ptr);
 439    }
 440 }
 441 
 442 /* Initialize the info structure.  This is now an internal function (0.89)
 443  * and applications using it are urged to use png_create_info_struct()
 444  * instead.  Use deprecated in 1.6.0, internal use removed (used internally it
 445  * is just a memset).
 446  *
 447  * NOTE: it is almost inconceivable that this API is used because it bypasses
 448  * the user-memory mechanism and the user error handling/warning mechanisms in
 449  * those cases where it does anything other than a memset.
 450  */
 451 PNG_FUNCTION(void,PNGAPI
 452 png_info_init_3,(png_infopp ptr_ptr, size_t png_info_struct_size),
 453     PNG_DEPRECATED)
 454 {
 455    png_inforp info_ptr = *ptr_ptr;
 456 
 457    png_debug(1, "in png_info_init_3");
 458 
 459    if (info_ptr == NULL)
 460       return;
 461 
 462    if ((sizeof (png_info)) > png_info_struct_size)
 463    {
 464       *ptr_ptr = NULL;
 465       /* The following line is why this API should not be used: */
 466       free(info_ptr);
 467       info_ptr = png_voidcast(png_inforp, png_malloc_base(NULL,
 468           (sizeof *info_ptr)));
 469       if (info_ptr == NULL)
 470          return;
 471       *ptr_ptr = info_ptr;
 472    }
 473 
 474    /* Set everything to 0 */
 475    memset(info_ptr, 0, (sizeof *info_ptr));
 476 }
 477 
 478 /* The following API is not called internally */
 479 void PNGAPI
 480 png_data_freer(png_const_structrp png_ptr, png_inforp info_ptr,
 481     int freer, png_uint_32 mask)
 482 {
 483    png_debug(1, "in png_data_freer");
 484 
 485    if (png_ptr == NULL || info_ptr == NULL)
 486       return;
 487 
 488    if (freer == PNG_DESTROY_WILL_FREE_DATA)
 489       info_ptr->free_me |= mask;
 490 
 491    else if (freer == PNG_USER_WILL_FREE_DATA)
 492       info_ptr->free_me &= ~mask;
 493 
 494    else
 495       png_error(png_ptr, "Unknown freer parameter in png_data_freer");
 496 }
 497 
 498 void PNGAPI
 499 png_free_data(png_const_structrp png_ptr, png_inforp info_ptr, png_uint_32 mask,
 500     int num)
 501 {
 502    png_debug(1, "in png_free_data");
 503 
 504    if (png_ptr == NULL || info_ptr == NULL)
 505       return;
 506 
 507 #ifdef PNG_TEXT_SUPPORTED
 508    /* Free text item num or (if num == -1) all text items */
 509    if (info_ptr->text != NULL &&
 510        ((mask & PNG_FREE_TEXT) & info_ptr->free_me) != 0)
 511    {
 512       if (num != -1)
 513       {
 514          png_free(png_ptr, info_ptr->text[num].key);
 515          info_ptr->text[num].key = NULL;
 516       }
 517 
 518       else
 519       {
 520          int i;
 521 
 522          for (i = 0; i < info_ptr->num_text; i++)
 523             png_free(png_ptr, info_ptr->text[i].key);
 524 
 525          png_free(png_ptr, info_ptr->text);
 526          info_ptr->text = NULL;
 527          info_ptr->num_text = 0;
 528          info_ptr->max_text = 0;
 529       }
 530    }
 531 #endif
 532 
 533 #ifdef PNG_tRNS_SUPPORTED
 534    /* Free any tRNS entry */
 535    if (((mask & PNG_FREE_TRNS) & info_ptr->free_me) != 0)
 536    {
 537       info_ptr->valid &= ~PNG_INFO_tRNS;
 538       png_free(png_ptr, info_ptr->trans_alpha);
 539       info_ptr->trans_alpha = NULL;
 540       info_ptr->num_trans = 0;
 541    }
 542 #endif
 543 
 544 #ifdef PNG_sCAL_SUPPORTED
 545    /* Free any sCAL entry */
 546    if (((mask & PNG_FREE_SCAL) & info_ptr->free_me) != 0)
 547    {
 548       png_free(png_ptr, info_ptr->scal_s_width);
 549       png_free(png_ptr, info_ptr->scal_s_height);
 550       info_ptr->scal_s_width = NULL;
 551       info_ptr->scal_s_height = NULL;
 552       info_ptr->valid &= ~PNG_INFO_sCAL;
 553    }
 554 #endif
 555 
 556 #ifdef PNG_pCAL_SUPPORTED
 557    /* Free any pCAL entry */
 558    if (((mask & PNG_FREE_PCAL) & info_ptr->free_me) != 0)
 559    {
 560       png_free(png_ptr, info_ptr->pcal_purpose);
 561       png_free(png_ptr, info_ptr->pcal_units);
 562       info_ptr->pcal_purpose = NULL;
 563       info_ptr->pcal_units = NULL;
 564 
 565       if (info_ptr->pcal_params != NULL)
 566          {
 567             int i;
 568 
 569             for (i = 0; i < info_ptr->pcal_nparams; i++)
 570                png_free(png_ptr, info_ptr->pcal_params[i]);
 571 
 572             png_free(png_ptr, info_ptr->pcal_params);
 573             info_ptr->pcal_params = NULL;
 574          }
 575       info_ptr->valid &= ~PNG_INFO_pCAL;
 576    }
 577 #endif
 578 
 579 #ifdef PNG_iCCP_SUPPORTED
 580    /* Free any profile entry */
 581    if (((mask & PNG_FREE_ICCP) & info_ptr->free_me) != 0)
 582    {
 583       png_free(png_ptr, info_ptr->iccp_name);
 584       png_free(png_ptr, info_ptr->iccp_profile);
 585       info_ptr->iccp_name = NULL;
 586       info_ptr->iccp_profile = NULL;
 587       info_ptr->valid &= ~PNG_INFO_iCCP;
 588    }
 589 #endif
 590 
 591 #ifdef PNG_sPLT_SUPPORTED
 592    /* Free a given sPLT entry, or (if num == -1) all sPLT entries */
 593    if (info_ptr->splt_palettes != NULL &&
 594        ((mask & PNG_FREE_SPLT) & info_ptr->free_me) != 0)
 595    {
 596       if (num != -1)
 597       {
 598          png_free(png_ptr, info_ptr->splt_palettes[num].name);
 599          png_free(png_ptr, info_ptr->splt_palettes[num].entries);
 600          info_ptr->splt_palettes[num].name = NULL;
 601          info_ptr->splt_palettes[num].entries = NULL;
 602       }
 603 
 604       else
 605       {
 606          int i;
 607 
 608          for (i = 0; i < info_ptr->splt_palettes_num; i++)
 609          {
 610             png_free(png_ptr, info_ptr->splt_palettes[i].name);
 611             png_free(png_ptr, info_ptr->splt_palettes[i].entries);
 612          }
 613 
 614          png_free(png_ptr, info_ptr->splt_palettes);
 615          info_ptr->splt_palettes = NULL;
 616          info_ptr->splt_palettes_num = 0;
 617          info_ptr->valid &= ~PNG_INFO_sPLT;
 618       }
 619    }
 620 #endif
 621 
 622 #ifdef PNG_STORE_UNKNOWN_CHUNKS_SUPPORTED
 623    if (info_ptr->unknown_chunks != NULL &&
 624        ((mask & PNG_FREE_UNKN) & info_ptr->free_me) != 0)
 625    {
 626       if (num != -1)
 627       {
 628           png_free(png_ptr, info_ptr->unknown_chunks[num].data);
 629           info_ptr->unknown_chunks[num].data = NULL;
 630       }
 631 
 632       else
 633       {
 634          int i;
 635 
 636          for (i = 0; i < info_ptr->unknown_chunks_num; i++)
 637             png_free(png_ptr, info_ptr->unknown_chunks[i].data);
 638 
 639          png_free(png_ptr, info_ptr->unknown_chunks);
 640          info_ptr->unknown_chunks = NULL;
 641          info_ptr->unknown_chunks_num = 0;
 642       }
 643    }
 644 #endif
 645 
 646 #ifdef PNG_eXIf_SUPPORTED
 647    /* Free any eXIf entry */
 648    if (((mask & PNG_FREE_EXIF) & info_ptr->free_me) != 0)
 649    {
 650 # ifdef PNG_READ_eXIf_SUPPORTED
 651       if (info_ptr->eXIf_buf)
 652       {
 653          png_free(png_ptr, info_ptr->eXIf_buf);
 654          info_ptr->eXIf_buf = NULL;
 655       }
 656 # endif
 657       if (info_ptr->exif)
 658       {
 659          png_free(png_ptr, info_ptr->exif);
 660          info_ptr->exif = NULL;
 661       }
 662       info_ptr->valid &= ~PNG_INFO_eXIf;
 663    }
 664 #endif
 665 
 666 #ifdef PNG_hIST_SUPPORTED
 667    /* Free any hIST entry */
 668    if (((mask & PNG_FREE_HIST) & info_ptr->free_me) != 0)
 669    {
 670       png_free(png_ptr, info_ptr->hist);
 671       info_ptr->hist = NULL;
 672       info_ptr->valid &= ~PNG_INFO_hIST;
 673    }
 674 #endif
 675 
 676    /* Free any PLTE entry that was internally allocated */
 677    if (((mask & PNG_FREE_PLTE) & info_ptr->free_me) != 0)
 678    {
 679       png_free(png_ptr, info_ptr->palette);
 680       info_ptr->palette = NULL;
 681       info_ptr->valid &= ~PNG_INFO_PLTE;
 682       info_ptr->num_palette = 0;
 683    }
 684 
 685 #ifdef PNG_INFO_IMAGE_SUPPORTED
 686    /* Free any image bits attached to the info structure */
 687    if (((mask & PNG_FREE_ROWS) & info_ptr->free_me) != 0)
 688    {
 689       if (info_ptr->row_pointers != NULL)
 690       {
 691          png_uint_32 row;
 692          for (row = 0; row < info_ptr->height; row++)
 693             png_free(png_ptr, info_ptr->row_pointers[row]);
 694 
 695          png_free(png_ptr, info_ptr->row_pointers);
 696          info_ptr->row_pointers = NULL;
 697       }
 698       info_ptr->valid &= ~PNG_INFO_IDAT;
 699    }
 700 #endif
 701 
 702    if (num != -1)
 703       mask &= ~PNG_FREE_MUL;
 704 
 705    info_ptr->free_me &= ~mask;
 706 }
 707 #endif /* READ || WRITE */
 708 
 709 /* This function returns a pointer to the io_ptr associated with the user
 710  * functions.  The application should free any memory associated with this
 711  * pointer before png_write_destroy() or png_read_destroy() are called.
 712  */
 713 png_voidp PNGAPI
 714 png_get_io_ptr(png_const_structrp png_ptr)
 715 {
 716    if (png_ptr == NULL)
 717       return (NULL);
 718 
 719    return (png_ptr->io_ptr);
 720 }
 721 
 722 #if defined(PNG_READ_SUPPORTED) || defined(PNG_WRITE_SUPPORTED)
 723 #  ifdef PNG_STDIO_SUPPORTED
 724 /* Initialize the default input/output functions for the PNG file.  If you
 725  * use your own read or write routines, you can call either png_set_read_fn()
 726  * or png_set_write_fn() instead of png_init_io().  If you have defined
 727  * PNG_NO_STDIO or otherwise disabled PNG_STDIO_SUPPORTED, you must use a
 728  * function of your own because "FILE *" isn't necessarily available.
 729  */
 730 void PNGAPI
 731 png_init_io(png_structrp png_ptr, png_FILE_p fp)
 732 {
 733    png_debug(1, "in png_init_io");
 734 
 735    if (png_ptr == NULL)
 736       return;
 737 
 738    png_ptr->io_ptr = (png_voidp)fp;
 739 }
 740 #  endif
 741 
 742 #  ifdef PNG_SAVE_INT_32_SUPPORTED
 743 /* PNG signed integers are saved in 32-bit 2's complement format.  ANSI C-90
 744  * defines a cast of a signed integer to an unsigned integer either to preserve
 745  * the value, if it is positive, or to calculate:
 746  *
 747  *     (UNSIGNED_MAX+1) + integer
 748  *
 749  * Where UNSIGNED_MAX is the appropriate maximum unsigned value, so when the
 750  * negative integral value is added the result will be an unsigned value
 751  * correspnding to the 2's complement representation.
 752  */
 753 void PNGAPI
 754 png_save_int_32(png_bytep buf, png_int_32 i)
 755 {
 756    png_save_uint_32(buf, (png_uint_32)i);
 757 }
 758 #  endif
 759 
 760 #  ifdef PNG_TIME_RFC1123_SUPPORTED
 761 /* Convert the supplied time into an RFC 1123 string suitable for use in
 762  * a "Creation Time" or other text-based time string.
 763  */
 764 int PNGAPI
 765 png_convert_to_rfc1123_buffer(char out[29], png_const_timep ptime)
 766 {
 767    static const char short_months[12][4] =
 768         {"Jan", "Feb", "Mar", "Apr", "May", "Jun",
 769          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"};
 770 
 771    if (out == NULL)
 772       return 0;
 773 
 774    if (ptime->year > 9999 /* RFC1123 limitation */ ||
 775        ptime->month == 0    ||  ptime->month > 12  ||
 776        ptime->day   == 0    ||  ptime->day   > 31  ||
 777        ptime->hour  > 23    ||  ptime->minute > 59 ||
 778        ptime->second > 60)
 779       return 0;
 780 
 781    {
 782       size_t pos = 0;
 783       char number_buf[5]; /* enough for a four-digit year */
 784 
 785 #     define APPEND_STRING(string) pos = png_safecat(out, 29, pos, (string))
 786 #     define APPEND_NUMBER(format, value)\
 787          APPEND_STRING(PNG_FORMAT_NUMBER(number_buf, format, (value)))
 788 #     define APPEND(ch) if (pos < 28) out[pos++] = (ch)
 789 
 790       APPEND_NUMBER(PNG_NUMBER_FORMAT_u, (unsigned)ptime->day);
 791       APPEND(' ');
 792       APPEND_STRING(short_months[(ptime->month - 1)]);
 793       APPEND(' ');
 794       APPEND_NUMBER(PNG_NUMBER_FORMAT_u, ptime->year);
 795       APPEND(' ');
 796       APPEND_NUMBER(PNG_NUMBER_FORMAT_02u, (unsigned)ptime->hour);
 797       APPEND(':');
 798       APPEND_NUMBER(PNG_NUMBER_FORMAT_02u, (unsigned)ptime->minute);
 799       APPEND(':');
 800       APPEND_NUMBER(PNG_NUMBER_FORMAT_02u, (unsigned)ptime->second);
 801       APPEND_STRING(" +0000"); /* This reliably terminates the buffer */
 802       PNG_UNUSED (pos)
 803 
 804 #     undef APPEND
 805 #     undef APPEND_NUMBER
 806 #     undef APPEND_STRING
 807    }
 808 
 809    return 1;
 810 }
 811 
 812 #    if PNG_LIBPNG_VER < 10700
 813 /* To do: remove the following from libpng-1.7 */
 814 /* Original API that uses a private buffer in png_struct.
 815  * Deprecated because it causes png_struct to carry a spurious temporary
 816  * buffer (png_struct::time_buffer), better to have the caller pass this in.
 817  */
 818 png_const_charp PNGAPI
 819 png_convert_to_rfc1123(png_structrp png_ptr, png_const_timep ptime)
 820 {
 821    if (png_ptr != NULL)
 822    {
 823       /* The only failure above if png_ptr != NULL is from an invalid ptime */
 824       if (png_convert_to_rfc1123_buffer(png_ptr->time_buffer, ptime) == 0)
 825          png_warning(png_ptr, "Ignoring invalid time value");
 826 
 827       else
 828          return png_ptr->time_buffer;
 829    }
 830 
 831    return NULL;
 832 }
 833 #    endif /* LIBPNG_VER < 10700 */
 834 #  endif /* TIME_RFC1123 */
 835 
 836 #endif /* READ || WRITE */
 837 
 838 png_const_charp PNGAPI
 839 png_get_copyright(png_const_structrp png_ptr)
 840 {
 841    PNG_UNUSED(png_ptr)  /* Silence compiler warning about unused png_ptr */
 842 #ifdef PNG_STRING_COPYRIGHT
 843    return PNG_STRING_COPYRIGHT
 844 #else

 845    return PNG_STRING_NEWLINE \
 846       "libpng version 1.6.37" PNG_STRING_NEWLINE \
 847       "Copyright (c) 2018-2019 Cosmin Truta" PNG_STRING_NEWLINE \
 848       "Copyright (c) 1998-2002,2004,2006-2018 Glenn Randers-Pehrson" \
 849       PNG_STRING_NEWLINE \
 850       "Copyright (c) 1996-1997 Andreas Dilger" PNG_STRING_NEWLINE \
 851       "Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc." \
 852       PNG_STRING_NEWLINE;






 853 #endif
 854 }
 855 
 856 /* The following return the library version as a short string in the
 857  * format 1.0.0 through 99.99.99zz.  To get the version of *.h files
 858  * used with your application, print out PNG_LIBPNG_VER_STRING, which
 859  * is defined in png.h.
 860  * Note: now there is no difference between png_get_libpng_ver() and
 861  * png_get_header_ver().  Due to the version_nn_nn_nn typedef guard,
 862  * it is guaranteed that png.c uses the correct version of png.h.
 863  */
 864 png_const_charp PNGAPI
 865 png_get_libpng_ver(png_const_structrp png_ptr)
 866 {
 867    /* Version of *.c files used when building libpng */
 868    return png_get_header_ver(png_ptr);
 869 }
 870 
 871 png_const_charp PNGAPI
 872 png_get_header_ver(png_const_structrp png_ptr)
 873 {
 874    /* Version of *.h files used when building libpng */
 875    PNG_UNUSED(png_ptr)  /* Silence compiler warning about unused png_ptr */
 876    return PNG_LIBPNG_VER_STRING;
 877 }
 878 
 879 png_const_charp PNGAPI
 880 png_get_header_version(png_const_structrp png_ptr)
 881 {
 882    /* Returns longer string containing both version and date */
 883    PNG_UNUSED(png_ptr)  /* Silence compiler warning about unused png_ptr */
 884 #ifdef __STDC__
 885    return PNG_HEADER_VERSION_STRING
 886 #  ifndef PNG_READ_SUPPORTED
 887       " (NO READ SUPPORT)"
 888 #  endif
 889       PNG_STRING_NEWLINE;
 890 #else
 891    return PNG_HEADER_VERSION_STRING;
 892 #endif
 893 }
 894 
 895 #ifdef PNG_BUILD_GRAYSCALE_PALETTE_SUPPORTED
 896 /* NOTE: this routine is not used internally! */
 897 /* Build a grayscale palette.  Palette is assumed to be 1 << bit_depth
 898  * large of png_color.  This lets grayscale images be treated as
 899  * paletted.  Most useful for gamma correction and simplification
 900  * of code.  This API is not used internally.
 901  */
 902 void PNGAPI
 903 png_build_grayscale_palette(int bit_depth, png_colorp palette)
 904 {
 905    int num_palette;
 906    int color_inc;
 907    int i;
 908    int v;
 909 
 910    png_debug(1, "in png_do_build_grayscale_palette");
 911 
 912    if (palette == NULL)
 913       return;
 914 
 915    switch (bit_depth)
 916    {
 917       case 1:
 918          num_palette = 2;
 919          color_inc = 0xff;
 920          break;
 921 
 922       case 2:
 923          num_palette = 4;
 924          color_inc = 0x55;
 925          break;
 926 
 927       case 4:
 928          num_palette = 16;
 929          color_inc = 0x11;
 930          break;
 931 
 932       case 8:
 933          num_palette = 256;
 934          color_inc = 1;
 935          break;
 936 
 937       default:
 938          num_palette = 0;
 939          color_inc = 0;
 940          break;
 941    }
 942 
 943    for (i = 0, v = 0; i < num_palette; i++, v += color_inc)
 944    {
 945       palette[i].red = (png_byte)(v & 0xff);
 946       palette[i].green = (png_byte)(v & 0xff);
 947       palette[i].blue = (png_byte)(v & 0xff);
 948    }
 949 }
 950 #endif
 951 
 952 #ifdef PNG_SET_UNKNOWN_CHUNKS_SUPPORTED
 953 int PNGAPI
 954 png_handle_as_unknown(png_const_structrp png_ptr, png_const_bytep chunk_name)
 955 {
 956    /* Check chunk_name and return "keep" value if it's on the list, else 0 */
 957    png_const_bytep p, p_end;
 958 
 959    if (png_ptr == NULL || chunk_name == NULL || png_ptr->num_chunk_list == 0)
 960       return PNG_HANDLE_CHUNK_AS_DEFAULT;
 961 
 962    p_end = png_ptr->chunk_list;
 963    p = p_end + png_ptr->num_chunk_list*5; /* beyond end */
 964 
 965    /* The code is the fifth byte after each four byte string.  Historically this
 966     * code was always searched from the end of the list, this is no longer
 967     * necessary because the 'set' routine handles duplicate entries correctly.
 968     */
 969    do /* num_chunk_list > 0, so at least one */
 970    {
 971       p -= 5;
 972 
 973       if (memcmp(chunk_name, p, 4) == 0)
 974          return p[4];
 975    }
 976    while (p > p_end);
 977 
 978    /* This means that known chunks should be processed and unknown chunks should
 979     * be handled according to the value of png_ptr->unknown_default; this can be
 980     * confusing because, as a result, there are two levels of defaulting for
 981     * unknown chunks.
 982     */
 983    return PNG_HANDLE_CHUNK_AS_DEFAULT;
 984 }
 985 
 986 #if defined(PNG_READ_UNKNOWN_CHUNKS_SUPPORTED) ||\
 987    defined(PNG_HANDLE_AS_UNKNOWN_SUPPORTED)
 988 int /* PRIVATE */
 989 png_chunk_unknown_handling(png_const_structrp png_ptr, png_uint_32 chunk_name)
 990 {
 991    png_byte chunk_string[5];
 992 
 993    PNG_CSTRING_FROM_CHUNK(chunk_string, chunk_name);
 994    return png_handle_as_unknown(png_ptr, chunk_string);
 995 }
 996 #endif /* READ_UNKNOWN_CHUNKS || HANDLE_AS_UNKNOWN */
 997 #endif /* SET_UNKNOWN_CHUNKS */
 998 
 999 #ifdef PNG_READ_SUPPORTED
1000 /* This function, added to libpng-1.0.6g, is untested. */
1001 int PNGAPI
1002 png_reset_zstream(png_structrp png_ptr)
1003 {
1004    if (png_ptr == NULL)
1005       return Z_STREAM_ERROR;
1006 
1007    /* WARNING: this resets the window bits to the maximum! */
1008    return (inflateReset(&png_ptr->zstream));
1009 }
1010 #endif /* READ */
1011 
1012 /* This function was added to libpng-1.0.7 */
1013 png_uint_32 PNGAPI
1014 png_access_version_number(void)
1015 {
1016    /* Version of *.c files used when building libpng */
1017    return((png_uint_32)PNG_LIBPNG_VER);
1018 }
1019 
1020 #if defined(PNG_READ_SUPPORTED) || defined(PNG_WRITE_SUPPORTED)
1021 /* Ensure that png_ptr->zstream.msg holds some appropriate error message string.
1022  * If it doesn't 'ret' is used to set it to something appropriate, even in cases
1023  * like Z_OK or Z_STREAM_END where the error code is apparently a success code.
1024  */
1025 void /* PRIVATE */
1026 png_zstream_error(png_structrp png_ptr, int ret)
1027 {
1028    /* Translate 'ret' into an appropriate error string, priority is given to the
1029     * one in zstream if set.  This always returns a string, even in cases like
1030     * Z_OK or Z_STREAM_END where the error code is a success code.
1031     */
1032    if (png_ptr->zstream.msg == NULL) switch (ret)
1033    {
1034       default:
1035       case Z_OK:
1036          png_ptr->zstream.msg = PNGZ_MSG_CAST("unexpected zlib return code");
1037          break;
1038 
1039       case Z_STREAM_END:
1040          /* Normal exit */
1041          png_ptr->zstream.msg = PNGZ_MSG_CAST("unexpected end of LZ stream");
1042          break;
1043 
1044       case Z_NEED_DICT:
1045          /* This means the deflate stream did not have a dictionary; this
1046           * indicates a bogus PNG.
1047           */
1048          png_ptr->zstream.msg = PNGZ_MSG_CAST("missing LZ dictionary");
1049          break;
1050 
1051       case Z_ERRNO:
1052          /* gz APIs only: should not happen */
1053          png_ptr->zstream.msg = PNGZ_MSG_CAST("zlib IO error");
1054          break;
1055 
1056       case Z_STREAM_ERROR:
1057          /* internal libpng error */
1058          png_ptr->zstream.msg = PNGZ_MSG_CAST("bad parameters to zlib");
1059          break;
1060 
1061       case Z_DATA_ERROR:
1062          png_ptr->zstream.msg = PNGZ_MSG_CAST("damaged LZ stream");
1063          break;
1064 
1065       case Z_MEM_ERROR:
1066          png_ptr->zstream.msg = PNGZ_MSG_CAST("insufficient memory");
1067          break;
1068 
1069       case Z_BUF_ERROR:
1070          /* End of input or output; not a problem if the caller is doing
1071           * incremental read or write.
1072           */
1073          png_ptr->zstream.msg = PNGZ_MSG_CAST("truncated");
1074          break;
1075 
1076       case Z_VERSION_ERROR:
1077          png_ptr->zstream.msg = PNGZ_MSG_CAST("unsupported zlib version");
1078          break;
1079 
1080       case PNG_UNEXPECTED_ZLIB_RETURN:
1081          /* Compile errors here mean that zlib now uses the value co-opted in
1082           * pngpriv.h for PNG_UNEXPECTED_ZLIB_RETURN; update the switch above
1083           * and change pngpriv.h.  Note that this message is "... return",
1084           * whereas the default/Z_OK one is "... return code".
1085           */
1086          png_ptr->zstream.msg = PNGZ_MSG_CAST("unexpected zlib return");
1087          break;
1088    }
1089 }
1090 
1091 /* png_convert_size: a PNGAPI but no longer in png.h, so deleted
1092  * at libpng 1.5.5!
1093  */
1094 
1095 /* Added at libpng version 1.2.34 and 1.4.0 (moved from pngset.c) */
1096 #ifdef PNG_GAMMA_SUPPORTED /* always set if COLORSPACE */
1097 static int
1098 png_colorspace_check_gamma(png_const_structrp png_ptr,
1099     png_colorspacerp colorspace, png_fixed_point gAMA, int from)
1100    /* This is called to check a new gamma value against an existing one.  The
1101     * routine returns false if the new gamma value should not be written.
1102     *
1103     * 'from' says where the new gamma value comes from:
1104     *
1105     *    0: the new gamma value is the libpng estimate for an ICC profile
1106     *    1: the new gamma value comes from a gAMA chunk
1107     *    2: the new gamma value comes from an sRGB chunk
1108     */
1109 {
1110    png_fixed_point gtest;
1111 
1112    if ((colorspace->flags & PNG_COLORSPACE_HAVE_GAMMA) != 0 &&
1113        (png_muldiv(&gtest, colorspace->gamma, PNG_FP_1, gAMA) == 0  ||
1114       png_gamma_significant(gtest) != 0))
1115    {
1116       /* Either this is an sRGB image, in which case the calculated gamma
1117        * approximation should match, or this is an image with a profile and the
1118        * value libpng calculates for the gamma of the profile does not match the
1119        * value recorded in the file.  The former, sRGB, case is an error, the
1120        * latter is just a warning.
1121        */
1122       if ((colorspace->flags & PNG_COLORSPACE_FROM_sRGB) != 0 || from == 2)
1123       {
1124          png_chunk_report(png_ptr, "gamma value does not match sRGB",
1125              PNG_CHUNK_ERROR);
1126          /* Do not overwrite an sRGB value */
1127          return from == 2;
1128       }
1129 
1130       else /* sRGB tag not involved */
1131       {
1132          png_chunk_report(png_ptr, "gamma value does not match libpng estimate",
1133              PNG_CHUNK_WARNING);
1134          return from == 1;
1135       }
1136    }
1137 
1138    return 1;
1139 }
1140 
1141 void /* PRIVATE */
1142 png_colorspace_set_gamma(png_const_structrp png_ptr,
1143     png_colorspacerp colorspace, png_fixed_point gAMA)
1144 {
1145    /* Changed in libpng-1.5.4 to limit the values to ensure overflow can't
1146     * occur.  Since the fixed point representation is asymmetrical it is
1147     * possible for 1/gamma to overflow the limit of 21474 and this means the
1148     * gamma value must be at least 5/100000 and hence at most 20000.0.  For
1149     * safety the limits here are a little narrower.  The values are 0.00016 to
1150     * 6250.0, which are truly ridiculous gamma values (and will produce
1151     * displays that are all black or all white.)
1152     *
1153     * In 1.6.0 this test replaces the ones in pngrutil.c, in the gAMA chunk
1154     * handling code, which only required the value to be >0.
1155     */
1156    png_const_charp errmsg;
1157 
1158    if (gAMA < 16 || gAMA > 625000000)
1159       errmsg = "gamma value out of range";
1160 
1161 #  ifdef PNG_READ_gAMA_SUPPORTED
1162    /* Allow the application to set the gamma value more than once */
1163    else if ((png_ptr->mode & PNG_IS_READ_STRUCT) != 0 &&
1164       (colorspace->flags & PNG_COLORSPACE_FROM_gAMA) != 0)
1165       errmsg = "duplicate";
1166 #  endif
1167 
1168    /* Do nothing if the colorspace is already invalid */
1169    else if ((colorspace->flags & PNG_COLORSPACE_INVALID) != 0)
1170       return;
1171 
1172    else
1173    {
1174       if (png_colorspace_check_gamma(png_ptr, colorspace, gAMA,
1175           1/*from gAMA*/) != 0)
1176       {
1177          /* Store this gamma value. */
1178          colorspace->gamma = gAMA;
1179          colorspace->flags |=
1180             (PNG_COLORSPACE_HAVE_GAMMA | PNG_COLORSPACE_FROM_gAMA);
1181       }
1182 
1183       /* At present if the check_gamma test fails the gamma of the colorspace is
1184        * not updated however the colorspace is not invalidated.  This
1185        * corresponds to the case where the existing gamma comes from an sRGB
1186        * chunk or profile.  An error message has already been output.
1187        */
1188       return;
1189    }
1190 
1191    /* Error exit - errmsg has been set. */
1192    colorspace->flags |= PNG_COLORSPACE_INVALID;
1193    png_chunk_report(png_ptr, errmsg, PNG_CHUNK_WRITE_ERROR);
1194 }
1195 
1196 void /* PRIVATE */
1197 png_colorspace_sync_info(png_const_structrp png_ptr, png_inforp info_ptr)
1198 {
1199    if ((info_ptr->colorspace.flags & PNG_COLORSPACE_INVALID) != 0)
1200    {
1201       /* Everything is invalid */
1202       info_ptr->valid &= ~(PNG_INFO_gAMA|PNG_INFO_cHRM|PNG_INFO_sRGB|
1203          PNG_INFO_iCCP);
1204 
1205 #     ifdef PNG_COLORSPACE_SUPPORTED
1206       /* Clean up the iCCP profile now if it won't be used. */
1207       png_free_data(png_ptr, info_ptr, PNG_FREE_ICCP, -1/*not used*/);
1208 #     else
1209       PNG_UNUSED(png_ptr)
1210 #     endif
1211    }
1212 
1213    else
1214    {
1215 #     ifdef PNG_COLORSPACE_SUPPORTED
1216       /* Leave the INFO_iCCP flag set if the pngset.c code has already set
1217        * it; this allows a PNG to contain a profile which matches sRGB and
1218        * yet still have that profile retrievable by the application.
1219        */
1220       if ((info_ptr->colorspace.flags & PNG_COLORSPACE_MATCHES_sRGB) != 0)
1221          info_ptr->valid |= PNG_INFO_sRGB;
1222 
1223       else
1224          info_ptr->valid &= ~PNG_INFO_sRGB;
1225 
1226       if ((info_ptr->colorspace.flags & PNG_COLORSPACE_HAVE_ENDPOINTS) != 0)
1227          info_ptr->valid |= PNG_INFO_cHRM;
1228 
1229       else
1230          info_ptr->valid &= ~PNG_INFO_cHRM;
1231 #     endif
1232 
1233       if ((info_ptr->colorspace.flags & PNG_COLORSPACE_HAVE_GAMMA) != 0)
1234          info_ptr->valid |= PNG_INFO_gAMA;
1235 
1236       else
1237          info_ptr->valid &= ~PNG_INFO_gAMA;
1238    }
1239 }
1240 
1241 #ifdef PNG_READ_SUPPORTED
1242 void /* PRIVATE */
1243 png_colorspace_sync(png_const_structrp png_ptr, png_inforp info_ptr)
1244 {
1245    if (info_ptr == NULL) /* reduce code size; check here not in the caller */
1246       return;
1247 
1248    info_ptr->colorspace = png_ptr->colorspace;
1249    png_colorspace_sync_info(png_ptr, info_ptr);
1250 }
1251 #endif
1252 #endif /* GAMMA */
1253 
1254 #ifdef PNG_COLORSPACE_SUPPORTED
1255 /* Added at libpng-1.5.5 to support read and write of true CIEXYZ values for
1256  * cHRM, as opposed to using chromaticities.  These internal APIs return
1257  * non-zero on a parameter error.  The X, Y and Z values are required to be
1258  * positive and less than 1.0.
1259  */
1260 static int
1261 png_xy_from_XYZ(png_xy *xy, const png_XYZ *XYZ)
1262 {
1263    png_int_32 d, dwhite, whiteX, whiteY;
1264 
1265    d = XYZ->red_X + XYZ->red_Y + XYZ->red_Z;
1266    if (png_muldiv(&xy->redx, XYZ->red_X, PNG_FP_1, d) == 0)
1267       return 1;
1268    if (png_muldiv(&xy->redy, XYZ->red_Y, PNG_FP_1, d) == 0)
1269       return 1;
1270    dwhite = d;
1271    whiteX = XYZ->red_X;
1272    whiteY = XYZ->red_Y;
1273 
1274    d = XYZ->green_X + XYZ->green_Y + XYZ->green_Z;
1275    if (png_muldiv(&xy->greenx, XYZ->green_X, PNG_FP_1, d) == 0)
1276       return 1;
1277    if (png_muldiv(&xy->greeny, XYZ->green_Y, PNG_FP_1, d) == 0)
1278       return 1;
1279    dwhite += d;
1280    whiteX += XYZ->green_X;
1281    whiteY += XYZ->green_Y;
1282 
1283    d = XYZ->blue_X + XYZ->blue_Y + XYZ->blue_Z;
1284    if (png_muldiv(&xy->bluex, XYZ->blue_X, PNG_FP_1, d) == 0)
1285       return 1;
1286    if (png_muldiv(&xy->bluey, XYZ->blue_Y, PNG_FP_1, d) == 0)
1287       return 1;
1288    dwhite += d;
1289    whiteX += XYZ->blue_X;
1290    whiteY += XYZ->blue_Y;
1291 
1292    /* The reference white is simply the sum of the end-point (X,Y,Z) vectors,
1293     * thus:
1294     */
1295    if (png_muldiv(&xy->whitex, whiteX, PNG_FP_1, dwhite) == 0)
1296       return 1;
1297    if (png_muldiv(&xy->whitey, whiteY, PNG_FP_1, dwhite) == 0)
1298       return 1;
1299 
1300    return 0;
1301 }
1302 
1303 static int
1304 png_XYZ_from_xy(png_XYZ *XYZ, const png_xy *xy)
1305 {
1306    png_fixed_point red_inverse, green_inverse, blue_scale;
1307    png_fixed_point left, right, denominator;
1308 
1309    /* Check xy and, implicitly, z.  Note that wide gamut color spaces typically
1310     * have end points with 0 tristimulus values (these are impossible end
1311     * points, but they are used to cover the possible colors).  We check
1312     * xy->whitey against 5, not 0, to avoid a possible integer overflow.
1313     */
1314    if (xy->redx   < 0 || xy->redx > PNG_FP_1) return 1;
1315    if (xy->redy   < 0 || xy->redy > PNG_FP_1-xy->redx) return 1;
1316    if (xy->greenx < 0 || xy->greenx > PNG_FP_1) return 1;
1317    if (xy->greeny < 0 || xy->greeny > PNG_FP_1-xy->greenx) return 1;
1318    if (xy->bluex  < 0 || xy->bluex > PNG_FP_1) return 1;
1319    if (xy->bluey  < 0 || xy->bluey > PNG_FP_1-xy->bluex) return 1;
1320    if (xy->whitex < 0 || xy->whitex > PNG_FP_1) return 1;
1321    if (xy->whitey < 5 || xy->whitey > PNG_FP_1-xy->whitex) return 1;
1322 
1323    /* The reverse calculation is more difficult because the original tristimulus
1324     * value had 9 independent values (red,green,blue)x(X,Y,Z) however only 8
1325     * derived values were recorded in the cHRM chunk;
1326     * (red,green,blue,white)x(x,y).  This loses one degree of freedom and
1327     * therefore an arbitrary ninth value has to be introduced to undo the
1328     * original transformations.
1329     *
1330     * Think of the original end-points as points in (X,Y,Z) space.  The
1331     * chromaticity values (c) have the property:
1332     *
1333     *           C
1334     *   c = ---------
1335     *       X + Y + Z
1336     *
1337     * For each c (x,y,z) from the corresponding original C (X,Y,Z).  Thus the
1338     * three chromaticity values (x,y,z) for each end-point obey the
1339     * relationship:
1340     *
1341     *   x + y + z = 1
1342     *
1343     * This describes the plane in (X,Y,Z) space that intersects each axis at the
1344     * value 1.0; call this the chromaticity plane.  Thus the chromaticity
1345     * calculation has scaled each end-point so that it is on the x+y+z=1 plane
1346     * and chromaticity is the intersection of the vector from the origin to the
1347     * (X,Y,Z) value with the chromaticity plane.
1348     *
1349     * To fully invert the chromaticity calculation we would need the three
1350     * end-point scale factors, (red-scale, green-scale, blue-scale), but these
1351     * were not recorded.  Instead we calculated the reference white (X,Y,Z) and
1352     * recorded the chromaticity of this.  The reference white (X,Y,Z) would have
1353     * given all three of the scale factors since:
1354     *
1355     *    color-C = color-c * color-scale
1356     *    white-C = red-C + green-C + blue-C
1357     *            = red-c*red-scale + green-c*green-scale + blue-c*blue-scale
1358     *
1359     * But cHRM records only white-x and white-y, so we have lost the white scale
1360     * factor:
1361     *
1362     *    white-C = white-c*white-scale
1363     *
1364     * To handle this the inverse transformation makes an arbitrary assumption
1365     * about white-scale:
1366     *
1367     *    Assume: white-Y = 1.0
1368     *    Hence:  white-scale = 1/white-y
1369     *    Or:     red-Y + green-Y + blue-Y = 1.0
1370     *
1371     * Notice the last statement of the assumption gives an equation in three of
1372     * the nine values we want to calculate.  8 more equations come from the
1373     * above routine as summarised at the top above (the chromaticity
1374     * calculation):
1375     *
1376     *    Given: color-x = color-X / (color-X + color-Y + color-Z)
1377     *    Hence: (color-x - 1)*color-X + color.x*color-Y + color.x*color-Z = 0
1378     *
1379     * This is 9 simultaneous equations in the 9 variables "color-C" and can be
1380     * solved by Cramer's rule.  Cramer's rule requires calculating 10 9x9 matrix
1381     * determinants, however this is not as bad as it seems because only 28 of
1382     * the total of 90 terms in the various matrices are non-zero.  Nevertheless
1383     * Cramer's rule is notoriously numerically unstable because the determinant
1384     * calculation involves the difference of large, but similar, numbers.  It is
1385     * difficult to be sure that the calculation is stable for real world values
1386     * and it is certain that it becomes unstable where the end points are close
1387     * together.
1388     *
1389     * So this code uses the perhaps slightly less optimal but more
1390     * understandable and totally obvious approach of calculating color-scale.
1391     *
1392     * This algorithm depends on the precision in white-scale and that is
1393     * (1/white-y), so we can immediately see that as white-y approaches 0 the
1394     * accuracy inherent in the cHRM chunk drops off substantially.
1395     *
1396     * libpng arithmetic: a simple inversion of the above equations
1397     * ------------------------------------------------------------
1398     *
1399     *    white_scale = 1/white-y
1400     *    white-X = white-x * white-scale
1401     *    white-Y = 1.0
1402     *    white-Z = (1 - white-x - white-y) * white_scale
1403     *
1404     *    white-C = red-C + green-C + blue-C
1405     *            = red-c*red-scale + green-c*green-scale + blue-c*blue-scale
1406     *
1407     * This gives us three equations in (red-scale,green-scale,blue-scale) where
1408     * all the coefficients are now known:
1409     *
1410     *    red-x*red-scale + green-x*green-scale + blue-x*blue-scale
1411     *       = white-x/white-y
1412     *    red-y*red-scale + green-y*green-scale + blue-y*blue-scale = 1
1413     *    red-z*red-scale + green-z*green-scale + blue-z*blue-scale
1414     *       = (1 - white-x - white-y)/white-y
1415     *
1416     * In the last equation color-z is (1 - color-x - color-y) so we can add all
1417     * three equations together to get an alternative third:
1418     *
1419     *    red-scale + green-scale + blue-scale = 1/white-y = white-scale
1420     *
1421     * So now we have a Cramer's rule solution where the determinants are just
1422     * 3x3 - far more tractible.  Unfortunately 3x3 determinants still involve
1423     * multiplication of three coefficients so we can't guarantee to avoid
1424     * overflow in the libpng fixed point representation.  Using Cramer's rule in
1425     * floating point is probably a good choice here, but it's not an option for
1426     * fixed point.  Instead proceed to simplify the first two equations by
1427     * eliminating what is likely to be the largest value, blue-scale:
1428     *
1429     *    blue-scale = white-scale - red-scale - green-scale
1430     *
1431     * Hence:
1432     *
1433     *    (red-x - blue-x)*red-scale + (green-x - blue-x)*green-scale =
1434     *                (white-x - blue-x)*white-scale
1435     *
1436     *    (red-y - blue-y)*red-scale + (green-y - blue-y)*green-scale =
1437     *                1 - blue-y*white-scale
1438     *
1439     * And now we can trivially solve for (red-scale,green-scale):
1440     *
1441     *    green-scale =
1442     *                (white-x - blue-x)*white-scale - (red-x - blue-x)*red-scale
1443     *                -----------------------------------------------------------
1444     *                                  green-x - blue-x
1445     *
1446     *    red-scale =
1447     *                1 - blue-y*white-scale - (green-y - blue-y) * green-scale
1448     *                ---------------------------------------------------------
1449     *                                  red-y - blue-y
1450     *
1451     * Hence:
1452     *
1453     *    red-scale =
1454     *          ( (green-x - blue-x) * (white-y - blue-y) -
1455     *            (green-y - blue-y) * (white-x - blue-x) ) / white-y
1456     * -------------------------------------------------------------------------
1457     *  (green-x - blue-x)*(red-y - blue-y)-(green-y - blue-y)*(red-x - blue-x)
1458     *
1459     *    green-scale =
1460     *          ( (red-y - blue-y) * (white-x - blue-x) -
1461     *            (red-x - blue-x) * (white-y - blue-y) ) / white-y
1462     * -------------------------------------------------------------------------
1463     *  (green-x - blue-x)*(red-y - blue-y)-(green-y - blue-y)*(red-x - blue-x)
1464     *
1465     * Accuracy:
1466     * The input values have 5 decimal digits of accuracy.  The values are all in
1467     * the range 0 < value < 1, so simple products are in the same range but may
1468     * need up to 10 decimal digits to preserve the original precision and avoid
1469     * underflow.  Because we are using a 32-bit signed representation we cannot
1470     * match this; the best is a little over 9 decimal digits, less than 10.
1471     *
1472     * The approach used here is to preserve the maximum precision within the
1473     * signed representation.  Because the red-scale calculation above uses the
1474     * difference between two products of values that must be in the range -1..+1
1475     * it is sufficient to divide the product by 7; ceil(100,000/32767*2).  The
1476     * factor is irrelevant in the calculation because it is applied to both
1477     * numerator and denominator.
1478     *
1479     * Note that the values of the differences of the products of the
1480     * chromaticities in the above equations tend to be small, for example for
1481     * the sRGB chromaticities they are:
1482     *
1483     * red numerator:    -0.04751
1484     * green numerator:  -0.08788
1485     * denominator:      -0.2241 (without white-y multiplication)
1486     *
1487     *  The resultant Y coefficients from the chromaticities of some widely used
1488     *  color space definitions are (to 15 decimal places):
1489     *
1490     *  sRGB
1491     *    0.212639005871510 0.715168678767756 0.072192315360734
1492     *  Kodak ProPhoto
1493     *    0.288071128229293 0.711843217810102 0.000085653960605
1494     *  Adobe RGB
1495     *    0.297344975250536 0.627363566255466 0.075291458493998
1496     *  Adobe Wide Gamut RGB
1497     *    0.258728243040113 0.724682314948566 0.016589442011321
1498     */
1499    /* By the argument, above overflow should be impossible here. The return
1500     * value of 2 indicates an internal error to the caller.
1501     */
1502    if (png_muldiv(&left, xy->greenx-xy->bluex, xy->redy - xy->bluey, 7) == 0)
1503       return 2;
1504    if (png_muldiv(&right, xy->greeny-xy->bluey, xy->redx - xy->bluex, 7) == 0)
1505       return 2;
1506    denominator = left - right;
1507 
1508    /* Now find the red numerator. */
1509    if (png_muldiv(&left, xy->greenx-xy->bluex, xy->whitey-xy->bluey, 7) == 0)
1510       return 2;
1511    if (png_muldiv(&right, xy->greeny-xy->bluey, xy->whitex-xy->bluex, 7) == 0)
1512       return 2;
1513 
1514    /* Overflow is possible here and it indicates an extreme set of PNG cHRM
1515     * chunk values.  This calculation actually returns the reciprocal of the
1516     * scale value because this allows us to delay the multiplication of white-y
1517     * into the denominator, which tends to produce a small number.
1518     */
1519    if (png_muldiv(&red_inverse, xy->whitey, denominator, left-right) == 0 ||
1520        red_inverse <= xy->whitey /* r+g+b scales = white scale */)
1521       return 1;
1522 
1523    /* Similarly for green_inverse: */
1524    if (png_muldiv(&left, xy->redy-xy->bluey, xy->whitex-xy->bluex, 7) == 0)
1525       return 2;
1526    if (png_muldiv(&right, xy->redx-xy->bluex, xy->whitey-xy->bluey, 7) == 0)
1527       return 2;
1528    if (png_muldiv(&green_inverse, xy->whitey, denominator, left-right) == 0 ||
1529        green_inverse <= xy->whitey)
1530       return 1;
1531 
1532    /* And the blue scale, the checks above guarantee this can't overflow but it
1533     * can still produce 0 for extreme cHRM values.
1534     */
1535    blue_scale = png_reciprocal(xy->whitey) - png_reciprocal(red_inverse) -
1536        png_reciprocal(green_inverse);
1537    if (blue_scale <= 0)
1538       return 1;
1539 
1540 
1541    /* And fill in the png_XYZ: */
1542    if (png_muldiv(&XYZ->red_X, xy->redx, PNG_FP_1, red_inverse) == 0)
1543       return 1;
1544    if (png_muldiv(&XYZ->red_Y, xy->redy, PNG_FP_1, red_inverse) == 0)
1545       return 1;
1546    if (png_muldiv(&XYZ->red_Z, PNG_FP_1 - xy->redx - xy->redy, PNG_FP_1,
1547        red_inverse) == 0)
1548       return 1;
1549 
1550    if (png_muldiv(&XYZ->green_X, xy->greenx, PNG_FP_1, green_inverse) == 0)
1551       return 1;
1552    if (png_muldiv(&XYZ->green_Y, xy->greeny, PNG_FP_1, green_inverse) == 0)
1553       return 1;
1554    if (png_muldiv(&XYZ->green_Z, PNG_FP_1 - xy->greenx - xy->greeny, PNG_FP_1,
1555        green_inverse) == 0)
1556       return 1;
1557 
1558    if (png_muldiv(&XYZ->blue_X, xy->bluex, blue_scale, PNG_FP_1) == 0)
1559       return 1;
1560    if (png_muldiv(&XYZ->blue_Y, xy->bluey, blue_scale, PNG_FP_1) == 0)
1561       return 1;
1562    if (png_muldiv(&XYZ->blue_Z, PNG_FP_1 - xy->bluex - xy->bluey, blue_scale,
1563        PNG_FP_1) == 0)
1564       return 1;
1565 
1566    return 0; /*success*/
1567 }
1568 
1569 static int
1570 png_XYZ_normalize(png_XYZ *XYZ)
1571 {
1572    png_int_32 Y;
1573 
1574    if (XYZ->red_Y < 0 || XYZ->green_Y < 0 || XYZ->blue_Y < 0 ||
1575       XYZ->red_X < 0 || XYZ->green_X < 0 || XYZ->blue_X < 0 ||
1576       XYZ->red_Z < 0 || XYZ->green_Z < 0 || XYZ->blue_Z < 0)
1577       return 1;
1578 
1579    /* Normalize by scaling so the sum of the end-point Y values is PNG_FP_1.
1580     * IMPLEMENTATION NOTE: ANSI requires signed overflow not to occur, therefore
1581     * relying on addition of two positive values producing a negative one is not
1582     * safe.
1583     */
1584    Y = XYZ->red_Y;
1585    if (0x7fffffff - Y < XYZ->green_X)
1586       return 1;
1587    Y += XYZ->green_Y;
1588    if (0x7fffffff - Y < XYZ->blue_X)
1589       return 1;
1590    Y += XYZ->blue_Y;
1591 
1592    if (Y != PNG_FP_1)
1593    {
1594       if (png_muldiv(&XYZ->red_X, XYZ->red_X, PNG_FP_1, Y) == 0)
1595          return 1;
1596       if (png_muldiv(&XYZ->red_Y, XYZ->red_Y, PNG_FP_1, Y) == 0)
1597          return 1;
1598       if (png_muldiv(&XYZ->red_Z, XYZ->red_Z, PNG_FP_1, Y) == 0)
1599          return 1;
1600 
1601       if (png_muldiv(&XYZ->green_X, XYZ->green_X, PNG_FP_1, Y) == 0)
1602          return 1;
1603       if (png_muldiv(&XYZ->green_Y, XYZ->green_Y, PNG_FP_1, Y) == 0)
1604          return 1;
1605       if (png_muldiv(&XYZ->green_Z, XYZ->green_Z, PNG_FP_1, Y) == 0)
1606          return 1;
1607 
1608       if (png_muldiv(&XYZ->blue_X, XYZ->blue_X, PNG_FP_1, Y) == 0)
1609          return 1;
1610       if (png_muldiv(&XYZ->blue_Y, XYZ->blue_Y, PNG_FP_1, Y) == 0)
1611          return 1;
1612       if (png_muldiv(&XYZ->blue_Z, XYZ->blue_Z, PNG_FP_1, Y) == 0)
1613          return 1;
1614    }
1615 
1616    return 0;
1617 }
1618 
1619 static int
1620 png_colorspace_endpoints_match(const png_xy *xy1, const png_xy *xy2, int delta)
1621 {
1622    /* Allow an error of +/-0.01 (absolute value) on each chromaticity */
1623    if (PNG_OUT_OF_RANGE(xy1->whitex, xy2->whitex,delta) ||
1624        PNG_OUT_OF_RANGE(xy1->whitey, xy2->whitey,delta) ||
1625        PNG_OUT_OF_RANGE(xy1->redx,   xy2->redx,  delta) ||
1626        PNG_OUT_OF_RANGE(xy1->redy,   xy2->redy,  delta) ||
1627        PNG_OUT_OF_RANGE(xy1->greenx, xy2->greenx,delta) ||
1628        PNG_OUT_OF_RANGE(xy1->greeny, xy2->greeny,delta) ||
1629        PNG_OUT_OF_RANGE(xy1->bluex,  xy2->bluex, delta) ||
1630        PNG_OUT_OF_RANGE(xy1->bluey,  xy2->bluey, delta))
1631       return 0;
1632    return 1;
1633 }
1634 
1635 /* Added in libpng-1.6.0, a different check for the validity of a set of cHRM
1636  * chunk chromaticities.  Earlier checks used to simply look for the overflow
1637  * condition (where the determinant of the matrix to solve for XYZ ends up zero
1638  * because the chromaticity values are not all distinct.)  Despite this it is
1639  * theoretically possible to produce chromaticities that are apparently valid
1640  * but that rapidly degrade to invalid, potentially crashing, sets because of
1641  * arithmetic inaccuracies when calculations are performed on them.  The new
1642  * check is to round-trip xy -> XYZ -> xy and then check that the result is
1643  * within a small percentage of the original.
1644  */
1645 static int
1646 png_colorspace_check_xy(png_XYZ *XYZ, const png_xy *xy)
1647 {
1648    int result;
1649    png_xy xy_test;
1650 
1651    /* As a side-effect this routine also returns the XYZ endpoints. */
1652    result = png_XYZ_from_xy(XYZ, xy);
1653    if (result != 0)
1654       return result;
1655 
1656    result = png_xy_from_XYZ(&xy_test, XYZ);
1657    if (result != 0)
1658       return result;
1659 
1660    if (png_colorspace_endpoints_match(xy, &xy_test,
1661        5/*actually, the math is pretty accurate*/) != 0)
1662       return 0;
1663 
1664    /* Too much slip */
1665    return 1;
1666 }
1667 
1668 /* This is the check going the other way.  The XYZ is modified to normalize it
1669  * (another side-effect) and the xy chromaticities are returned.
1670  */
1671 static int
1672 png_colorspace_check_XYZ(png_xy *xy, png_XYZ *XYZ)
1673 {
1674    int result;
1675    png_XYZ XYZtemp;
1676 
1677    result = png_XYZ_normalize(XYZ);
1678    if (result != 0)
1679       return result;
1680 
1681    result = png_xy_from_XYZ(xy, XYZ);
1682    if (result != 0)
1683       return result;
1684 
1685    XYZtemp = *XYZ;
1686    return png_colorspace_check_xy(&XYZtemp, xy);
1687 }
1688 
1689 /* Used to check for an endpoint match against sRGB */
1690 static const png_xy sRGB_xy = /* From ITU-R BT.709-3 */
1691 {
1692    /* color      x       y */
1693    /* red   */ 64000, 33000,
1694    /* green */ 30000, 60000,
1695    /* blue  */ 15000,  6000,
1696    /* white */ 31270, 32900
1697 };
1698 
1699 static int
1700 png_colorspace_set_xy_and_XYZ(png_const_structrp png_ptr,
1701     png_colorspacerp colorspace, const png_xy *xy, const png_XYZ *XYZ,
1702     int preferred)
1703 {
1704    if ((colorspace->flags & PNG_COLORSPACE_INVALID) != 0)
1705       return 0;
1706 
1707    /* The consistency check is performed on the chromaticities; this factors out
1708     * variations because of the normalization (or not) of the end point Y
1709     * values.
1710     */
1711    if (preferred < 2 &&
1712        (colorspace->flags & PNG_COLORSPACE_HAVE_ENDPOINTS) != 0)
1713    {
1714       /* The end points must be reasonably close to any we already have.  The
1715        * following allows an error of up to +/-.001
1716        */
1717       if (png_colorspace_endpoints_match(xy, &colorspace->end_points_xy,
1718           100) == 0)
1719       {
1720          colorspace->flags |= PNG_COLORSPACE_INVALID;
1721          png_benign_error(png_ptr, "inconsistent chromaticities");
1722          return 0; /* failed */
1723       }
1724 
1725       /* Only overwrite with preferred values */
1726       if (preferred == 0)
1727          return 1; /* ok, but no change */
1728    }
1729 
1730    colorspace->end_points_xy = *xy;
1731    colorspace->end_points_XYZ = *XYZ;
1732    colorspace->flags |= PNG_COLORSPACE_HAVE_ENDPOINTS;
1733 
1734    /* The end points are normally quoted to two decimal digits, so allow +/-0.01
1735     * on this test.
1736     */
1737    if (png_colorspace_endpoints_match(xy, &sRGB_xy, 1000) != 0)
1738       colorspace->flags |= PNG_COLORSPACE_ENDPOINTS_MATCH_sRGB;
1739 
1740    else
1741       colorspace->flags &= PNG_COLORSPACE_CANCEL(
1742          PNG_COLORSPACE_ENDPOINTS_MATCH_sRGB);
1743 
1744    return 2; /* ok and changed */
1745 }
1746 
1747 int /* PRIVATE */
1748 png_colorspace_set_chromaticities(png_const_structrp png_ptr,
1749     png_colorspacerp colorspace, const png_xy *xy, int preferred)
1750 {
1751    /* We must check the end points to ensure they are reasonable - in the past
1752     * color management systems have crashed as a result of getting bogus
1753     * colorant values, while this isn't the fault of libpng it is the
1754     * responsibility of libpng because PNG carries the bomb and libpng is in a
1755     * position to protect against it.
1756     */
1757    png_XYZ XYZ;
1758 
1759    switch (png_colorspace_check_xy(&XYZ, xy))
1760    {
1761       case 0: /* success */
1762          return png_colorspace_set_xy_and_XYZ(png_ptr, colorspace, xy, &XYZ,
1763              preferred);
1764 
1765       case 1:
1766          /* We can't invert the chromaticities so we can't produce value XYZ
1767           * values.  Likely as not a color management system will fail too.
1768           */
1769          colorspace->flags |= PNG_COLORSPACE_INVALID;
1770          png_benign_error(png_ptr, "invalid chromaticities");
1771          break;
1772 
1773       default:
1774          /* libpng is broken; this should be a warning but if it happens we
1775           * want error reports so for the moment it is an error.
1776           */
1777          colorspace->flags |= PNG_COLORSPACE_INVALID;
1778          png_error(png_ptr, "internal error checking chromaticities");
1779    }
1780 
1781    return 0; /* failed */
1782 }
1783 
1784 int /* PRIVATE */
1785 png_colorspace_set_endpoints(png_const_structrp png_ptr,
1786     png_colorspacerp colorspace, const png_XYZ *XYZ_in, int preferred)
1787 {
1788    png_XYZ XYZ = *XYZ_in;
1789    png_xy xy;
1790 
1791    switch (png_colorspace_check_XYZ(&xy, &XYZ))
1792    {
1793       case 0:
1794          return png_colorspace_set_xy_and_XYZ(png_ptr, colorspace, &xy, &XYZ,
1795              preferred);
1796 
1797       case 1:
1798          /* End points are invalid. */
1799          colorspace->flags |= PNG_COLORSPACE_INVALID;
1800          png_benign_error(png_ptr, "invalid end points");
1801          break;
1802 
1803       default:
1804          colorspace->flags |= PNG_COLORSPACE_INVALID;
1805          png_error(png_ptr, "internal error checking chromaticities");
1806    }
1807 
1808    return 0; /* failed */
1809 }
1810 
1811 #if defined(PNG_sRGB_SUPPORTED) || defined(PNG_iCCP_SUPPORTED)
1812 /* Error message generation */
1813 static char
1814 png_icc_tag_char(png_uint_32 byte)
1815 {
1816    byte &= 0xff;
1817    if (byte >= 32 && byte <= 126)
1818       return (char)byte;
1819    else
1820       return '?';
1821 }
1822 
1823 static void
1824 png_icc_tag_name(char *name, png_uint_32 tag)
1825 {
1826    name[0] = '\'';
1827    name[1] = png_icc_tag_char(tag >> 24);
1828    name[2] = png_icc_tag_char(tag >> 16);
1829    name[3] = png_icc_tag_char(tag >>  8);
1830    name[4] = png_icc_tag_char(tag      );
1831    name[5] = '\'';
1832 }
1833 
1834 static int
1835 is_ICC_signature_char(png_alloc_size_t it)
1836 {
1837    return it == 32 || (it >= 48 && it <= 57) || (it >= 65 && it <= 90) ||
1838       (it >= 97 && it <= 122);
1839 }
1840 
1841 static int
1842 is_ICC_signature(png_alloc_size_t it)
1843 {
1844    return is_ICC_signature_char(it >> 24) /* checks all the top bits */ &&
1845       is_ICC_signature_char((it >> 16) & 0xff) &&
1846       is_ICC_signature_char((it >> 8) & 0xff) &&
1847       is_ICC_signature_char(it & 0xff);
1848 }
1849 
1850 static int
1851 png_icc_profile_error(png_const_structrp png_ptr, png_colorspacerp colorspace,
1852     png_const_charp name, png_alloc_size_t value, png_const_charp reason)
1853 {
1854    size_t pos;
1855    char message[196]; /* see below for calculation */
1856 
1857    if (colorspace != NULL)
1858       colorspace->flags |= PNG_COLORSPACE_INVALID;
1859 
1860    pos = png_safecat(message, (sizeof message), 0, "profile '"); /* 9 chars */
1861    pos = png_safecat(message, pos+79, pos, name); /* Truncate to 79 chars */
1862    pos = png_safecat(message, (sizeof message), pos, "': "); /* +2 = 90 */
1863    if (is_ICC_signature(value) != 0)
1864    {
1865       /* So 'value' is at most 4 bytes and the following cast is safe */
1866       png_icc_tag_name(message+pos, (png_uint_32)value);
1867       pos += 6; /* total +8; less than the else clause */
1868       message[pos++] = ':';
1869       message[pos++] = ' ';
1870    }
1871 #  ifdef PNG_WARNINGS_SUPPORTED
1872    else
1873       {
1874          char number[PNG_NUMBER_BUFFER_SIZE]; /* +24 = 114*/
1875 
1876          pos = png_safecat(message, (sizeof message), pos,
1877              png_format_number(number, number+(sizeof number),
1878              PNG_NUMBER_FORMAT_x, value));
1879          pos = png_safecat(message, (sizeof message), pos, "h: "); /*+2 = 116*/
1880       }
1881 #  endif
1882    /* The 'reason' is an arbitrary message, allow +79 maximum 195 */
1883    pos = png_safecat(message, (sizeof message), pos, reason);
1884    PNG_UNUSED(pos)
1885 
1886    /* This is recoverable, but make it unconditionally an app_error on write to
1887     * avoid writing invalid ICC profiles into PNG files (i.e., we handle them
1888     * on read, with a warning, but on write unless the app turns off
1889     * application errors the PNG won't be written.)
1890     */
1891    png_chunk_report(png_ptr, message,
1892        (colorspace != NULL) ? PNG_CHUNK_ERROR : PNG_CHUNK_WRITE_ERROR);
1893 
1894    return 0;
1895 }
1896 #endif /* sRGB || iCCP */
1897 
1898 #ifdef PNG_sRGB_SUPPORTED
1899 int /* PRIVATE */
1900 png_colorspace_set_sRGB(png_const_structrp png_ptr, png_colorspacerp colorspace,
1901     int intent)
1902 {
1903    /* sRGB sets known gamma, end points and (from the chunk) intent. */
1904    /* IMPORTANT: these are not necessarily the values found in an ICC profile
1905     * because ICC profiles store values adapted to a D50 environment; it is
1906     * expected that the ICC profile mediaWhitePointTag will be D50; see the
1907     * checks and code elsewhere to understand this better.
1908     *
1909     * These XYZ values, which are accurate to 5dp, produce rgb to gray
1910     * coefficients of (6968,23435,2366), which are reduced (because they add up
1911     * to 32769 not 32768) to (6968,23434,2366).  These are the values that
1912     * libpng has traditionally used (and are the best values given the 15bit
1913     * algorithm used by the rgb to gray code.)
1914     */
1915    static const png_XYZ sRGB_XYZ = /* D65 XYZ (*not* the D50 adapted values!) */
1916    {
1917       /* color      X      Y      Z */
1918       /* red   */ 41239, 21264,  1933,
1919       /* green */ 35758, 71517, 11919,
1920       /* blue  */ 18048,  7219, 95053
1921    };
1922 
1923    /* Do nothing if the colorspace is already invalidated. */
1924    if ((colorspace->flags & PNG_COLORSPACE_INVALID) != 0)
1925       return 0;
1926 
1927    /* Check the intent, then check for existing settings.  It is valid for the
1928     * PNG file to have cHRM or gAMA chunks along with sRGB, but the values must
1929     * be consistent with the correct values.  If, however, this function is
1930     * called below because an iCCP chunk matches sRGB then it is quite
1931     * conceivable that an older app recorded incorrect gAMA and cHRM because of
1932     * an incorrect calculation based on the values in the profile - this does
1933     * *not* invalidate the profile (though it still produces an error, which can
1934     * be ignored.)
1935     */
1936    if (intent < 0 || intent >= PNG_sRGB_INTENT_LAST)
1937       return png_icc_profile_error(png_ptr, colorspace, "sRGB",
1938           (png_alloc_size_t)intent, "invalid sRGB rendering intent");
1939 
1940    if ((colorspace->flags & PNG_COLORSPACE_HAVE_INTENT) != 0 &&
1941        colorspace->rendering_intent != intent)
1942       return png_icc_profile_error(png_ptr, colorspace, "sRGB",
1943          (png_alloc_size_t)intent, "inconsistent rendering intents");
1944 
1945    if ((colorspace->flags & PNG_COLORSPACE_FROM_sRGB) != 0)
1946    {
1947       png_benign_error(png_ptr, "duplicate sRGB information ignored");
1948       return 0;
1949    }
1950 
1951    /* If the standard sRGB cHRM chunk does not match the one from the PNG file
1952     * warn but overwrite the value with the correct one.
1953     */
1954    if ((colorspace->flags & PNG_COLORSPACE_HAVE_ENDPOINTS) != 0 &&
1955        !png_colorspace_endpoints_match(&sRGB_xy, &colorspace->end_points_xy,
1956        100))
1957       png_chunk_report(png_ptr, "cHRM chunk does not match sRGB",
1958          PNG_CHUNK_ERROR);
1959 
1960    /* This check is just done for the error reporting - the routine always
1961     * returns true when the 'from' argument corresponds to sRGB (2).
1962     */
1963    (void)png_colorspace_check_gamma(png_ptr, colorspace, PNG_GAMMA_sRGB_INVERSE,
1964        2/*from sRGB*/);
1965 
1966    /* intent: bugs in GCC force 'int' to be used as the parameter type. */
1967    colorspace->rendering_intent = (png_uint_16)intent;
1968    colorspace->flags |= PNG_COLORSPACE_HAVE_INTENT;
1969 
1970    /* endpoints */
1971    colorspace->end_points_xy = sRGB_xy;
1972    colorspace->end_points_XYZ = sRGB_XYZ;
1973    colorspace->flags |=
1974       (PNG_COLORSPACE_HAVE_ENDPOINTS|PNG_COLORSPACE_ENDPOINTS_MATCH_sRGB);
1975 
1976    /* gamma */
1977    colorspace->gamma = PNG_GAMMA_sRGB_INVERSE;
1978    colorspace->flags |= PNG_COLORSPACE_HAVE_GAMMA;
1979 
1980    /* Finally record that we have an sRGB profile */
1981    colorspace->flags |=
1982       (PNG_COLORSPACE_MATCHES_sRGB|PNG_COLORSPACE_FROM_sRGB);
1983 
1984    return 1; /* set */
1985 }
1986 #endif /* sRGB */
1987 
1988 #ifdef PNG_iCCP_SUPPORTED
1989 /* Encoded value of D50 as an ICC XYZNumber.  From the ICC 2010 spec the value
1990  * is XYZ(0.9642,1.0,0.8249), which scales to:
1991  *
1992  *    (63189.8112, 65536, 54060.6464)
1993  */
1994 static const png_byte D50_nCIEXYZ[12] =
1995    { 0x00, 0x00, 0xf6, 0xd6, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0xd3, 0x2d };
1996 
1997 static int /* bool */
1998 icc_check_length(png_const_structrp png_ptr, png_colorspacerp colorspace,
1999     png_const_charp name, png_uint_32 profile_length)
2000 {
2001    if (profile_length < 132)
2002       return png_icc_profile_error(png_ptr, colorspace, name, profile_length,
2003           "too short");
2004    return 1;
2005 }
2006 
2007 #ifdef PNG_READ_iCCP_SUPPORTED
2008 int /* PRIVATE */
2009 png_icc_check_length(png_const_structrp png_ptr, png_colorspacerp colorspace,
2010     png_const_charp name, png_uint_32 profile_length)
2011 {
2012    if (!icc_check_length(png_ptr, colorspace, name, profile_length))
2013       return 0;
2014 
2015    /* This needs to be here because the 'normal' check is in
2016     * png_decompress_chunk, yet this happens after the attempt to
2017     * png_malloc_base the required data.  We only need this on read; on write
2018     * the caller supplies the profile buffer so libpng doesn't allocate it.  See
2019     * the call to icc_check_length below (the write case).
2020     */
2021 #  ifdef PNG_SET_USER_LIMITS_SUPPORTED
2022       else if (png_ptr->user_chunk_malloc_max > 0 &&
2023                png_ptr->user_chunk_malloc_max < profile_length)
2024          return png_icc_profile_error(png_ptr, colorspace, name, profile_length,
2025              "exceeds application limits");
2026 #  elif PNG_USER_CHUNK_MALLOC_MAX > 0
2027       else if (PNG_USER_CHUNK_MALLOC_MAX < profile_length)
2028          return png_icc_profile_error(png_ptr, colorspace, name, profile_length,
2029              "exceeds libpng limits");
2030 #  else /* !SET_USER_LIMITS */
2031       /* This will get compiled out on all 32-bit and better systems. */
2032       else if (PNG_SIZE_MAX < profile_length)
2033          return png_icc_profile_error(png_ptr, colorspace, name, profile_length,
2034              "exceeds system limits");
2035 #  endif /* !SET_USER_LIMITS */
2036 
2037    return 1;
2038 }
2039 #endif /* READ_iCCP */
2040 
2041 int /* PRIVATE */
2042 png_icc_check_header(png_const_structrp png_ptr, png_colorspacerp colorspace,
2043     png_const_charp name, png_uint_32 profile_length,
2044     png_const_bytep profile/* first 132 bytes only */, int color_type)
2045 {
2046    png_uint_32 temp;
2047 
2048    /* Length check; this cannot be ignored in this code because profile_length
2049     * is used later to check the tag table, so even if the profile seems over
2050     * long profile_length from the caller must be correct.  The caller can fix
2051     * this up on read or write by just passing in the profile header length.
2052     */
2053    temp = png_get_uint_32(profile);
2054    if (temp != profile_length)
2055       return png_icc_profile_error(png_ptr, colorspace, name, temp,
2056           "length does not match profile");
2057 
2058    temp = (png_uint_32) (*(profile+8));
2059    if (temp > 3 && (profile_length & 3))
2060       return png_icc_profile_error(png_ptr, colorspace, name, profile_length,
2061           "invalid length");
2062 
2063    temp = png_get_uint_32(profile+128); /* tag count: 12 bytes/tag */
2064    if (temp > 357913930 || /* (2^32-4-132)/12: maximum possible tag count */
2065       profile_length < 132+12*temp) /* truncated tag table */
2066       return png_icc_profile_error(png_ptr, colorspace, name, temp,
2067           "tag count too large");
2068 
2069    /* The 'intent' must be valid or we can't store it, ICC limits the intent to
2070     * 16 bits.
2071     */
2072    temp = png_get_uint_32(profile+64);
2073    if (temp >= 0xffff) /* The ICC limit */
2074       return png_icc_profile_error(png_ptr, colorspace, name, temp,
2075           "invalid rendering intent");
2076 
2077    /* This is just a warning because the profile may be valid in future
2078     * versions.
2079     */
2080    if (temp >= PNG_sRGB_INTENT_LAST)
2081       (void)png_icc_profile_error(png_ptr, NULL, name, temp,
2082           "intent outside defined range");
2083 
2084    /* At this point the tag table can't be checked because it hasn't necessarily
2085     * been loaded; however, various header fields can be checked.  These checks
2086     * are for values permitted by the PNG spec in an ICC profile; the PNG spec
2087     * restricts the profiles that can be passed in an iCCP chunk (they must be
2088     * appropriate to processing PNG data!)
2089     */
2090 
2091    /* Data checks (could be skipped).  These checks must be independent of the
2092     * version number; however, the version number doesn't accommodate changes in
2093     * the header fields (just the known tags and the interpretation of the
2094     * data.)
2095     */
2096    temp = png_get_uint_32(profile+36); /* signature 'ascp' */
2097    if (temp != 0x61637370)
2098       return png_icc_profile_error(png_ptr, colorspace, name, temp,
2099           "invalid signature");
2100 
2101    /* Currently the PCS illuminant/adopted white point (the computational
2102     * white point) are required to be D50,
2103     * however the profile contains a record of the illuminant so perhaps ICC
2104     * expects to be able to change this in the future (despite the rationale in
2105     * the introduction for using a fixed PCS adopted white.)  Consequently the
2106     * following is just a warning.
2107     */
2108    if (memcmp(profile+68, D50_nCIEXYZ, 12) != 0)
2109       (void)png_icc_profile_error(png_ptr, NULL, name, 0/*no tag value*/,
2110           "PCS illuminant is not D50");
2111 
2112    /* The PNG spec requires this:
2113     * "If the iCCP chunk is present, the image samples conform to the colour
2114     * space represented by the embedded ICC profile as defined by the
2115     * International Color Consortium [ICC]. The colour space of the ICC profile
2116     * shall be an RGB colour space for colour images (PNG colour types 2, 3, and
2117     * 6), or a greyscale colour space for greyscale images (PNG colour types 0
2118     * and 4)."
2119     *
2120     * This checking code ensures the embedded profile (on either read or write)
2121     * conforms to the specification requirements.  Notice that an ICC 'gray'
2122     * color-space profile contains the information to transform the monochrome
2123     * data to XYZ or L*a*b (according to which PCS the profile uses) and this
2124     * should be used in preference to the standard libpng K channel replication
2125     * into R, G and B channels.
2126     *
2127     * Previously it was suggested that an RGB profile on grayscale data could be
2128     * handled.  However it it is clear that using an RGB profile in this context
2129     * must be an error - there is no specification of what it means.  Thus it is
2130     * almost certainly more correct to ignore the profile.
2131     */
2132    temp = png_get_uint_32(profile+16); /* data colour space field */
2133    switch (temp)
2134    {
2135       case 0x52474220: /* 'RGB ' */
2136          if ((color_type & PNG_COLOR_MASK_COLOR) == 0)
2137             return png_icc_profile_error(png_ptr, colorspace, name, temp,
2138                 "RGB color space not permitted on grayscale PNG");
2139          break;
2140 
2141       case 0x47524159: /* 'GRAY' */
2142          if ((color_type & PNG_COLOR_MASK_COLOR) != 0)
2143             return png_icc_profile_error(png_ptr, colorspace, name, temp,
2144                 "Gray color space not permitted on RGB PNG");
2145          break;
2146 
2147       default:
2148          return png_icc_profile_error(png_ptr, colorspace, name, temp,
2149              "invalid ICC profile color space");
2150    }
2151 
2152    /* It is up to the application to check that the profile class matches the
2153     * application requirements; the spec provides no guidance, but it's pretty
2154     * weird if the profile is not scanner ('scnr'), monitor ('mntr'), printer
2155     * ('prtr') or 'spac' (for generic color spaces).  Issue a warning in these
2156     * cases.  Issue an error for device link or abstract profiles - these don't
2157     * contain the records necessary to transform the color-space to anything
2158     * other than the target device (and not even that for an abstract profile).
2159     * Profiles of these classes may not be embedded in images.
2160     */
2161    temp = png_get_uint_32(profile+12); /* profile/device class */
2162    switch (temp)
2163    {
2164       case 0x73636e72: /* 'scnr' */
2165       case 0x6d6e7472: /* 'mntr' */
2166       case 0x70727472: /* 'prtr' */
2167       case 0x73706163: /* 'spac' */
2168          /* All supported */
2169          break;
2170 
2171       case 0x61627374: /* 'abst' */
2172          /* May not be embedded in an image */
2173          return png_icc_profile_error(png_ptr, colorspace, name, temp,
2174              "invalid embedded Abstract ICC profile");
2175 
2176       case 0x6c696e6b: /* 'link' */
2177          /* DeviceLink profiles cannot be interpreted in a non-device specific
2178           * fashion, if an app uses the AToB0Tag in the profile the results are
2179           * undefined unless the result is sent to the intended device,
2180           * therefore a DeviceLink profile should not be found embedded in a
2181           * PNG.
2182           */
2183          return png_icc_profile_error(png_ptr, colorspace, name, temp,
2184              "unexpected DeviceLink ICC profile class");
2185 
2186       case 0x6e6d636c: /* 'nmcl' */
2187          /* A NamedColor profile is also device specific, however it doesn't
2188           * contain an AToB0 tag that is open to misinterpretation.  Almost
2189           * certainly it will fail the tests below.
2190           */
2191          (void)png_icc_profile_error(png_ptr, NULL, name, temp,
2192              "unexpected NamedColor ICC profile class");
2193          break;
2194 
2195       default:
2196          /* To allow for future enhancements to the profile accept unrecognized
2197           * profile classes with a warning, these then hit the test below on the
2198           * tag content to ensure they are backward compatible with one of the
2199           * understood profiles.
2200           */
2201          (void)png_icc_profile_error(png_ptr, NULL, name, temp,
2202              "unrecognized ICC profile class");
2203          break;
2204    }
2205 
2206    /* For any profile other than a device link one the PCS must be encoded
2207     * either in XYZ or Lab.
2208     */
2209    temp = png_get_uint_32(profile+20);
2210    switch (temp)
2211    {
2212       case 0x58595a20: /* 'XYZ ' */
2213       case 0x4c616220: /* 'Lab ' */
2214          break;
2215 
2216       default:
2217          return png_icc_profile_error(png_ptr, colorspace, name, temp,
2218              "unexpected ICC PCS encoding");
2219    }
2220 
2221    return 1;
2222 }
2223 
2224 int /* PRIVATE */
2225 png_icc_check_tag_table(png_const_structrp png_ptr, png_colorspacerp colorspace,
2226     png_const_charp name, png_uint_32 profile_length,
2227     png_const_bytep profile /* header plus whole tag table */)
2228 {
2229    png_uint_32 tag_count = png_get_uint_32(profile+128);
2230    png_uint_32 itag;
2231    png_const_bytep tag = profile+132; /* The first tag */
2232 
2233    /* First scan all the tags in the table and add bits to the icc_info value
2234     * (temporarily in 'tags').
2235     */
2236    for (itag=0; itag < tag_count; ++itag, tag += 12)
2237    {
2238       png_uint_32 tag_id = png_get_uint_32(tag+0);
2239       png_uint_32 tag_start = png_get_uint_32(tag+4); /* must be aligned */
2240       png_uint_32 tag_length = png_get_uint_32(tag+8);/* not padded */
2241 
2242       /* The ICC specification does not exclude zero length tags, therefore the
2243        * start might actually be anywhere if there is no data, but this would be
2244        * a clear abuse of the intent of the standard so the start is checked for
2245        * being in range.  All defined tag types have an 8 byte header - a 4 byte
2246        * type signature then 0.
2247        */
2248 
2249       /* This is a hard error; potentially it can cause read outside the
2250        * profile.
2251        */
2252       if (tag_start > profile_length || tag_length > profile_length - tag_start)
2253          return png_icc_profile_error(png_ptr, colorspace, name, tag_id,
2254              "ICC profile tag outside profile");
2255 
2256       if ((tag_start & 3) != 0)
2257       {
2258          /* CNHP730S.icc shipped with Microsoft Windows 64 violates this; it is
2259           * only a warning here because libpng does not care about the
2260           * alignment.
2261           */
2262          (void)png_icc_profile_error(png_ptr, NULL, name, tag_id,
2263              "ICC profile tag start not a multiple of 4");
2264       }
2265    }
2266 
2267    return 1; /* success, maybe with warnings */
2268 }
2269 
2270 #ifdef PNG_sRGB_SUPPORTED
2271 #if PNG_sRGB_PROFILE_CHECKS >= 0
2272 /* Information about the known ICC sRGB profiles */
2273 static const struct
2274 {
2275    png_uint_32 adler, crc, length;
2276    png_uint_32 md5[4];
2277    png_byte    have_md5;
2278    png_byte    is_broken;
2279    png_uint_16 intent;
2280 
2281 #  define PNG_MD5(a,b,c,d) { a, b, c, d }, (a!=0)||(b!=0)||(c!=0)||(d!=0)
2282 #  define PNG_ICC_CHECKSUM(adler, crc, md5, intent, broke, date, length, fname)\
2283       { adler, crc, length, md5, broke, intent },
2284 
2285 } png_sRGB_checks[] =
2286 {
2287    /* This data comes from contrib/tools/checksum-icc run on downloads of
2288     * all four ICC sRGB profiles from www.color.org.
2289     */
2290    /* adler32, crc32, MD5[4], intent, date, length, file-name */
2291    PNG_ICC_CHECKSUM(0x0a3fd9f6, 0x3b8772b9,
2292        PNG_MD5(0x29f83dde, 0xaff255ae, 0x7842fae4, 0xca83390d), 0, 0,
2293        "2009/03/27 21:36:31", 3048, "sRGB_IEC61966-2-1_black_scaled.icc")
2294 
2295    /* ICC sRGB v2 perceptual no black-compensation: */
2296    PNG_ICC_CHECKSUM(0x4909e5e1, 0x427ebb21,
2297        PNG_MD5(0xc95bd637, 0xe95d8a3b, 0x0df38f99, 0xc1320389), 1, 0,
2298        "2009/03/27 21:37:45", 3052, "sRGB_IEC61966-2-1_no_black_scaling.icc")
2299 
2300    PNG_ICC_CHECKSUM(0xfd2144a1, 0x306fd8ae,
2301        PNG_MD5(0xfc663378, 0x37e2886b, 0xfd72e983, 0x8228f1b8), 0, 0,
2302        "2009/08/10 17:28:01", 60988, "sRGB_v4_ICC_preference_displayclass.icc")
2303 
2304    /* ICC sRGB v4 perceptual */
2305    PNG_ICC_CHECKSUM(0x209c35d2, 0xbbef7812,
2306        PNG_MD5(0x34562abf, 0x994ccd06, 0x6d2c5721, 0xd0d68c5d), 0, 0,
2307        "2007/07/25 00:05:37", 60960, "sRGB_v4_ICC_preference.icc")
2308 
2309    /* The following profiles have no known MD5 checksum. If there is a match
2310     * on the (empty) MD5 the other fields are used to attempt a match and
2311     * a warning is produced.  The first two of these profiles have a 'cprt' tag
2312     * which suggests that they were also made by Hewlett Packard.
2313     */
2314    PNG_ICC_CHECKSUM(0xa054d762, 0x5d5129ce,
2315        PNG_MD5(0x00000000, 0x00000000, 0x00000000, 0x00000000), 1, 0,
2316        "2004/07/21 18:57:42", 3024, "sRGB_IEC61966-2-1_noBPC.icc")
2317 
2318    /* This is a 'mntr' (display) profile with a mediaWhitePointTag that does not
2319     * match the D50 PCS illuminant in the header (it is in fact the D65 values,
2320     * so the white point is recorded as the un-adapted value.)  The profiles
2321     * below only differ in one byte - the intent - and are basically the same as
2322     * the previous profile except for the mediaWhitePointTag error and a missing
2323     * chromaticAdaptationTag.
2324     */
2325    PNG_ICC_CHECKSUM(0xf784f3fb, 0x182ea552,
2326        PNG_MD5(0x00000000, 0x00000000, 0x00000000, 0x00000000), 0, 1/*broken*/,
2327        "1998/02/09 06:49:00", 3144, "HP-Microsoft sRGB v2 perceptual")
2328 
2329    PNG_ICC_CHECKSUM(0x0398f3fc, 0xf29e526d,
2330        PNG_MD5(0x00000000, 0x00000000, 0x00000000, 0x00000000), 1, 1/*broken*/,
2331        "1998/02/09 06:49:00", 3144, "HP-Microsoft sRGB v2 media-relative")
2332 };
2333 
2334 static int
2335 png_compare_ICC_profile_with_sRGB(png_const_structrp png_ptr,
2336     png_const_bytep profile, uLong adler)
2337 {
2338    /* The quick check is to verify just the MD5 signature and trust the
2339     * rest of the data.  Because the profile has already been verified for
2340     * correctness this is safe.  png_colorspace_set_sRGB will check the 'intent'
2341     * field too, so if the profile has been edited with an intent not defined
2342     * by sRGB (but maybe defined by a later ICC specification) the read of
2343     * the profile will fail at that point.
2344     */
2345 
2346    png_uint_32 length = 0;
2347    png_uint_32 intent = 0x10000; /* invalid */
2348 #if PNG_sRGB_PROFILE_CHECKS > 1
2349    uLong crc = 0; /* the value for 0 length data */
2350 #endif
2351    unsigned int i;
2352 
2353 #ifdef PNG_SET_OPTION_SUPPORTED
2354    /* First see if PNG_SKIP_sRGB_CHECK_PROFILE has been set to "on" */
2355    if (((png_ptr->options >> PNG_SKIP_sRGB_CHECK_PROFILE) & 3) ==
2356                PNG_OPTION_ON)
2357       return 0;
2358 #endif
2359 
2360    for (i=0; i < (sizeof png_sRGB_checks) / (sizeof png_sRGB_checks[0]); ++i)
2361    {
2362       if (png_get_uint_32(profile+84) == png_sRGB_checks[i].md5[0] &&
2363          png_get_uint_32(profile+88) == png_sRGB_checks[i].md5[1] &&
2364          png_get_uint_32(profile+92) == png_sRGB_checks[i].md5[2] &&
2365          png_get_uint_32(profile+96) == png_sRGB_checks[i].md5[3])
2366       {
2367          /* This may be one of the old HP profiles without an MD5, in that
2368           * case we can only use the length and Adler32 (note that these
2369           * are not used by default if there is an MD5!)
2370           */
2371 #        if PNG_sRGB_PROFILE_CHECKS == 0
2372             if (png_sRGB_checks[i].have_md5 != 0)
2373                return 1+png_sRGB_checks[i].is_broken;
2374 #        endif
2375 
2376          /* Profile is unsigned or more checks have been configured in. */
2377          if (length == 0)
2378          {
2379             length = png_get_uint_32(profile);
2380             intent = png_get_uint_32(profile+64);
2381          }
2382 
2383          /* Length *and* intent must match */
2384          if (length == (png_uint_32) png_sRGB_checks[i].length &&
2385             intent == (png_uint_32) png_sRGB_checks[i].intent)
2386          {
2387             /* Now calculate the adler32 if not done already. */
2388             if (adler == 0)
2389             {
2390                adler = adler32(0, NULL, 0);
2391                adler = adler32(adler, profile, length);
2392             }
2393 
2394             if (adler == png_sRGB_checks[i].adler)
2395             {
2396                /* These basic checks suggest that the data has not been
2397                 * modified, but if the check level is more than 1 perform
2398                 * our own crc32 checksum on the data.
2399                 */
2400 #              if PNG_sRGB_PROFILE_CHECKS > 1
2401                   if (crc == 0)
2402                   {
2403                      crc = crc32(0, NULL, 0);
2404                      crc = crc32(crc, profile, length);
2405                   }
2406 
2407                   /* So this check must pass for the 'return' below to happen.
2408                    */
2409                   if (crc == png_sRGB_checks[i].crc)
2410 #              endif
2411                {
2412                   if (png_sRGB_checks[i].is_broken != 0)
2413                   {
2414                      /* These profiles are known to have bad data that may cause
2415                       * problems if they are used, therefore attempt to
2416                       * discourage their use, skip the 'have_md5' warning below,
2417                       * which is made irrelevant by this error.
2418                       */
2419                      png_chunk_report(png_ptr, "known incorrect sRGB profile",
2420                          PNG_CHUNK_ERROR);
2421                   }
2422 
2423                   /* Warn that this being done; this isn't even an error since
2424                    * the profile is perfectly valid, but it would be nice if
2425                    * people used the up-to-date ones.
2426                    */
2427                   else if (png_sRGB_checks[i].have_md5 == 0)
2428                   {
2429                      png_chunk_report(png_ptr,
2430                          "out-of-date sRGB profile with no signature",
2431                          PNG_CHUNK_WARNING);
2432                   }
2433 
2434                   return 1+png_sRGB_checks[i].is_broken;
2435                }
2436             }
2437 
2438 # if PNG_sRGB_PROFILE_CHECKS > 0
2439          /* The signature matched, but the profile had been changed in some
2440           * way.  This probably indicates a data error or uninformed hacking.
2441           * Fall through to "no match".
2442           */
2443          png_chunk_report(png_ptr,
2444              "Not recognizing known sRGB profile that has been edited",
2445              PNG_CHUNK_WARNING);
2446          break;
2447 # endif
2448          }
2449       }
2450    }
2451 
2452    return 0; /* no match */
2453 }
2454 
2455 void /* PRIVATE */
2456 png_icc_set_sRGB(png_const_structrp png_ptr,
2457     png_colorspacerp colorspace, png_const_bytep profile, uLong adler)
2458 {
2459    /* Is this profile one of the known ICC sRGB profiles?  If it is, just set
2460     * the sRGB information.
2461     */
2462    if (png_compare_ICC_profile_with_sRGB(png_ptr, profile, adler) != 0)
2463       (void)png_colorspace_set_sRGB(png_ptr, colorspace,
2464          (int)/*already checked*/png_get_uint_32(profile+64));
2465 }
2466 #endif /* PNG_sRGB_PROFILE_CHECKS >= 0 */
2467 #endif /* sRGB */
2468 
2469 int /* PRIVATE */
2470 png_colorspace_set_ICC(png_const_structrp png_ptr, png_colorspacerp colorspace,
2471     png_const_charp name, png_uint_32 profile_length, png_const_bytep profile,
2472     int color_type)
2473 {
2474    if ((colorspace->flags & PNG_COLORSPACE_INVALID) != 0)
2475       return 0;
2476 
2477    if (icc_check_length(png_ptr, colorspace, name, profile_length) != 0 &&
2478        png_icc_check_header(png_ptr, colorspace, name, profile_length, profile,
2479            color_type) != 0 &&
2480        png_icc_check_tag_table(png_ptr, colorspace, name, profile_length,
2481            profile) != 0)
2482    {
2483 #     if defined(PNG_sRGB_SUPPORTED) && PNG_sRGB_PROFILE_CHECKS >= 0
2484          /* If no sRGB support, don't try storing sRGB information */
2485          png_icc_set_sRGB(png_ptr, colorspace, profile, 0);
2486 #     endif
2487       return 1;
2488    }
2489 
2490    /* Failure case */
2491    return 0;
2492 }
2493 #endif /* iCCP */
2494 
2495 #ifdef PNG_READ_RGB_TO_GRAY_SUPPORTED
2496 void /* PRIVATE */
2497 png_colorspace_set_rgb_coefficients(png_structrp png_ptr)
2498 {
2499    /* Set the rgb_to_gray coefficients from the colorspace. */
2500    if (png_ptr->rgb_to_gray_coefficients_set == 0 &&
2501       (png_ptr->colorspace.flags & PNG_COLORSPACE_HAVE_ENDPOINTS) != 0)
2502    {
2503       /* png_set_background has not been called, get the coefficients from the Y
2504        * values of the colorspace colorants.
2505        */
2506       png_fixed_point r = png_ptr->colorspace.end_points_XYZ.red_Y;
2507       png_fixed_point g = png_ptr->colorspace.end_points_XYZ.green_Y;
2508       png_fixed_point b = png_ptr->colorspace.end_points_XYZ.blue_Y;
2509       png_fixed_point total = r+g+b;
2510 
2511       if (total > 0 &&
2512          r >= 0 && png_muldiv(&r, r, 32768, total) && r >= 0 && r <= 32768 &&
2513          g >= 0 && png_muldiv(&g, g, 32768, total) && g >= 0 && g <= 32768 &&
2514          b >= 0 && png_muldiv(&b, b, 32768, total) && b >= 0 && b <= 32768 &&
2515          r+g+b <= 32769)
2516       {
2517          /* We allow 0 coefficients here.  r+g+b may be 32769 if two or
2518           * all of the coefficients were rounded up.  Handle this by
2519           * reducing the *largest* coefficient by 1; this matches the
2520           * approach used for the default coefficients in pngrtran.c
2521           */
2522          int add = 0;
2523 
2524          if (r+g+b > 32768)
2525             add = -1;
2526          else if (r+g+b < 32768)
2527             add = 1;
2528 
2529          if (add != 0)
2530          {
2531             if (g >= r && g >= b)
2532                g += add;
2533             else if (r >= g && r >= b)
2534                r += add;
2535             else
2536                b += add;
2537          }
2538 
2539          /* Check for an internal error. */
2540          if (r+g+b != 32768)
2541             png_error(png_ptr,
2542                 "internal error handling cHRM coefficients");
2543 
2544          else
2545          {
2546             png_ptr->rgb_to_gray_red_coeff   = (png_uint_16)r;
2547             png_ptr->rgb_to_gray_green_coeff = (png_uint_16)g;
2548          }
2549       }
2550 
2551       /* This is a png_error at present even though it could be ignored -
2552        * it should never happen, but it is important that if it does, the
2553        * bug is fixed.
2554        */
2555       else
2556          png_error(png_ptr, "internal error handling cHRM->XYZ");
2557    }
2558 }
2559 #endif /* READ_RGB_TO_GRAY */
2560 
2561 #endif /* COLORSPACE */
2562 
2563 #ifdef __GNUC__
2564 /* This exists solely to work round a warning from GNU C. */
2565 static int /* PRIVATE */
2566 png_gt(size_t a, size_t b)
2567 {
2568    return a > b;
2569 }
2570 #else
2571 #   define png_gt(a,b) ((a) > (b))
2572 #endif
2573 
2574 void /* PRIVATE */
2575 png_check_IHDR(png_const_structrp png_ptr,
2576     png_uint_32 width, png_uint_32 height, int bit_depth,
2577     int color_type, int interlace_type, int compression_type,
2578     int filter_type)
2579 {
2580    int error = 0;
2581 
2582    /* Check for width and height valid values */
2583    if (width == 0)
2584    {
2585       png_warning(png_ptr, "Image width is zero in IHDR");
2586       error = 1;
2587    }
2588 
2589    if (width > PNG_UINT_31_MAX)
2590    {
2591       png_warning(png_ptr, "Invalid image width in IHDR");
2592       error = 1;
2593    }
2594 
2595    if (png_gt(((width + 7) & (~7U)),
2596        ((PNG_SIZE_MAX
2597            - 48        /* big_row_buf hack */
2598            - 1)        /* filter byte */
2599            / 8)        /* 8-byte RGBA pixels */
2600            - 1))       /* extra max_pixel_depth pad */
2601    {
2602       /* The size of the row must be within the limits of this architecture.
2603        * Because the read code can perform arbitrary transformations the
2604        * maximum size is checked here.  Because the code in png_read_start_row
2605        * adds extra space "for safety's sake" in several places a conservative
2606        * limit is used here.
2607        *
2608        * NOTE: it would be far better to check the size that is actually used,
2609        * but the effect in the real world is minor and the changes are more
2610        * extensive, therefore much more dangerous and much more difficult to
2611        * write in a way that avoids compiler warnings.
2612        */
2613       png_warning(png_ptr, "Image width is too large for this architecture");
2614       error = 1;
2615    }
2616 
2617 #ifdef PNG_SET_USER_LIMITS_SUPPORTED
2618    if (width > png_ptr->user_width_max)
2619 #else
2620    if (width > PNG_USER_WIDTH_MAX)
2621 #endif
2622    {
2623       png_warning(png_ptr, "Image width exceeds user limit in IHDR");
2624       error = 1;
2625    }
2626 
2627    if (height == 0)
2628    {
2629       png_warning(png_ptr, "Image height is zero in IHDR");
2630       error = 1;
2631    }
2632 
2633    if (height > PNG_UINT_31_MAX)
2634    {
2635       png_warning(png_ptr, "Invalid image height in IHDR");
2636       error = 1;
2637    }
2638 
2639 #ifdef PNG_SET_USER_LIMITS_SUPPORTED
2640    if (height > png_ptr->user_height_max)
2641 #else
2642    if (height > PNG_USER_HEIGHT_MAX)
2643 #endif
2644    {
2645       png_warning(png_ptr, "Image height exceeds user limit in IHDR");
2646       error = 1;
2647    }
2648 
2649    /* Check other values */
2650    if (bit_depth != 1 && bit_depth != 2 && bit_depth != 4 &&
2651        bit_depth != 8 && bit_depth != 16)
2652    {
2653       png_warning(png_ptr, "Invalid bit depth in IHDR");
2654       error = 1;
2655    }
2656 
2657    if (color_type < 0 || color_type == 1 ||
2658        color_type == 5 || color_type > 6)
2659    {
2660       png_warning(png_ptr, "Invalid color type in IHDR");
2661       error = 1;
2662    }
2663 
2664    if (((color_type == PNG_COLOR_TYPE_PALETTE) && bit_depth > 8) ||
2665        ((color_type == PNG_COLOR_TYPE_RGB ||
2666          color_type == PNG_COLOR_TYPE_GRAY_ALPHA ||
2667          color_type == PNG_COLOR_TYPE_RGB_ALPHA) && bit_depth < 8))
2668    {
2669       png_warning(png_ptr, "Invalid color type/bit depth combination in IHDR");
2670       error = 1;
2671    }
2672 
2673    if (interlace_type >= PNG_INTERLACE_LAST)
2674    {
2675       png_warning(png_ptr, "Unknown interlace method in IHDR");
2676       error = 1;
2677    }
2678 
2679    if (compression_type != PNG_COMPRESSION_TYPE_BASE)
2680    {
2681       png_warning(png_ptr, "Unknown compression method in IHDR");
2682       error = 1;
2683    }
2684 
2685 #ifdef PNG_MNG_FEATURES_SUPPORTED
2686    /* Accept filter_method 64 (intrapixel differencing) only if
2687     * 1. Libpng was compiled with PNG_MNG_FEATURES_SUPPORTED and
2688     * 2. Libpng did not read a PNG signature (this filter_method is only
2689     *    used in PNG datastreams that are embedded in MNG datastreams) and
2690     * 3. The application called png_permit_mng_features with a mask that
2691     *    included PNG_FLAG_MNG_FILTER_64 and
2692     * 4. The filter_method is 64 and
2693     * 5. The color_type is RGB or RGBA
2694     */
2695    if ((png_ptr->mode & PNG_HAVE_PNG_SIGNATURE) != 0 &&
2696        png_ptr->mng_features_permitted != 0)
2697       png_warning(png_ptr, "MNG features are not allowed in a PNG datastream");
2698 
2699    if (filter_type != PNG_FILTER_TYPE_BASE)
2700    {
2701       if (!((png_ptr->mng_features_permitted & PNG_FLAG_MNG_FILTER_64) != 0 &&
2702           (filter_type == PNG_INTRAPIXEL_DIFFERENCING) &&
2703           ((png_ptr->mode & PNG_HAVE_PNG_SIGNATURE) == 0) &&
2704           (color_type == PNG_COLOR_TYPE_RGB ||
2705           color_type == PNG_COLOR_TYPE_RGB_ALPHA)))
2706       {
2707          png_warning(png_ptr, "Unknown filter method in IHDR");
2708          error = 1;
2709       }
2710 
2711       if ((png_ptr->mode & PNG_HAVE_PNG_SIGNATURE) != 0)
2712       {
2713          png_warning(png_ptr, "Invalid filter method in IHDR");
2714          error = 1;
2715       }
2716    }
2717 
2718 #else
2719    if (filter_type != PNG_FILTER_TYPE_BASE)
2720    {
2721       png_warning(png_ptr, "Unknown filter method in IHDR");
2722       error = 1;
2723    }
2724 #endif
2725 
2726    if (error == 1)
2727       png_error(png_ptr, "Invalid IHDR data");
2728 }
2729 
2730 #if defined(PNG_sCAL_SUPPORTED) || defined(PNG_pCAL_SUPPORTED)
2731 /* ASCII to fp functions */
2732 /* Check an ASCII formatted floating point value, see the more detailed
2733  * comments in pngpriv.h
2734  */
2735 /* The following is used internally to preserve the sticky flags */
2736 #define png_fp_add(state, flags) ((state) |= (flags))
2737 #define png_fp_set(state, value) ((state) = (value) | ((state) & PNG_FP_STICKY))
2738 
2739 int /* PRIVATE */
2740 png_check_fp_number(png_const_charp string, size_t size, int *statep,
2741     png_size_tp whereami)
2742 {
2743    int state = *statep;
2744    size_t i = *whereami;
2745 
2746    while (i < size)
2747    {
2748       int type;
2749       /* First find the type of the next character */
2750       switch (string[i])
2751       {
2752       case 43:  type = PNG_FP_SAW_SIGN;                   break;
2753       case 45:  type = PNG_FP_SAW_SIGN + PNG_FP_NEGATIVE; break;
2754       case 46:  type = PNG_FP_SAW_DOT;                    break;
2755       case 48:  type = PNG_FP_SAW_DIGIT;                  break;
2756       case 49: case 50: case 51: case 52:
2757       case 53: case 54: case 55: case 56:
2758       case 57:  type = PNG_FP_SAW_DIGIT + PNG_FP_NONZERO; break;
2759       case 69:
2760       case 101: type = PNG_FP_SAW_E;                      break;
2761       default:  goto PNG_FP_End;
2762       }
2763 
2764       /* Now deal with this type according to the current
2765        * state, the type is arranged to not overlap the
2766        * bits of the PNG_FP_STATE.
2767        */
2768       switch ((state & PNG_FP_STATE) + (type & PNG_FP_SAW_ANY))
2769       {
2770       case PNG_FP_INTEGER + PNG_FP_SAW_SIGN:
2771          if ((state & PNG_FP_SAW_ANY) != 0)
2772             goto PNG_FP_End; /* not a part of the number */
2773 
2774          png_fp_add(state, type);
2775          break;
2776 
2777       case PNG_FP_INTEGER + PNG_FP_SAW_DOT:
2778          /* Ok as trailer, ok as lead of fraction. */
2779          if ((state & PNG_FP_SAW_DOT) != 0) /* two dots */
2780             goto PNG_FP_End;
2781 
2782          else if ((state & PNG_FP_SAW_DIGIT) != 0) /* trailing dot? */
2783             png_fp_add(state, type);
2784 
2785          else
2786             png_fp_set(state, PNG_FP_FRACTION | type);
2787 
2788          break;
2789 
2790       case PNG_FP_INTEGER + PNG_FP_SAW_DIGIT:
2791          if ((state & PNG_FP_SAW_DOT) != 0) /* delayed fraction */
2792             png_fp_set(state, PNG_FP_FRACTION | PNG_FP_SAW_DOT);
2793 
2794          png_fp_add(state, type | PNG_FP_WAS_VALID);
2795 
2796          break;
2797 
2798       case PNG_FP_INTEGER + PNG_FP_SAW_E:
2799          if ((state & PNG_FP_SAW_DIGIT) == 0)
2800             goto PNG_FP_End;
2801 
2802          png_fp_set(state, PNG_FP_EXPONENT);
2803 
2804          break;
2805 
2806    /* case PNG_FP_FRACTION + PNG_FP_SAW_SIGN:
2807          goto PNG_FP_End; ** no sign in fraction */
2808 
2809    /* case PNG_FP_FRACTION + PNG_FP_SAW_DOT:
2810          goto PNG_FP_End; ** Because SAW_DOT is always set */
2811 
2812       case PNG_FP_FRACTION + PNG_FP_SAW_DIGIT:
2813          png_fp_add(state, type | PNG_FP_WAS_VALID);
2814          break;
2815 
2816       case PNG_FP_FRACTION + PNG_FP_SAW_E:
2817          /* This is correct because the trailing '.' on an
2818           * integer is handled above - so we can only get here
2819           * with the sequence ".E" (with no preceding digits).
2820           */
2821          if ((state & PNG_FP_SAW_DIGIT) == 0)
2822             goto PNG_FP_End;
2823 
2824          png_fp_set(state, PNG_FP_EXPONENT);
2825 
2826          break;
2827 
2828       case PNG_FP_EXPONENT + PNG_FP_SAW_SIGN:
2829          if ((state & PNG_FP_SAW_ANY) != 0)
2830             goto PNG_FP_End; /* not a part of the number */
2831 
2832          png_fp_add(state, PNG_FP_SAW_SIGN);
2833 
2834          break;
2835 
2836    /* case PNG_FP_EXPONENT + PNG_FP_SAW_DOT:
2837          goto PNG_FP_End; */
2838 
2839       case PNG_FP_EXPONENT + PNG_FP_SAW_DIGIT:
2840          png_fp_add(state, PNG_FP_SAW_DIGIT | PNG_FP_WAS_VALID);
2841 
2842          break;
2843 
2844    /* case PNG_FP_EXPONEXT + PNG_FP_SAW_E:
2845          goto PNG_FP_End; */
2846 
2847       default: goto PNG_FP_End; /* I.e. break 2 */
2848       }
2849 
2850       /* The character seems ok, continue. */
2851       ++i;
2852    }
2853 
2854 PNG_FP_End:
2855    /* Here at the end, update the state and return the correct
2856     * return code.
2857     */
2858    *statep = state;
2859    *whereami = i;
2860 
2861    return (state & PNG_FP_SAW_DIGIT) != 0;
2862 }
2863 
2864 
2865 /* The same but for a complete string. */
2866 int
2867 png_check_fp_string(png_const_charp string, size_t size)
2868 {
2869    int        state=0;
2870    size_t char_index=0;
2871 
2872    if (png_check_fp_number(string, size, &state, &char_index) != 0 &&
2873       (char_index == size || string[char_index] == 0))
2874       return state /* must be non-zero - see above */;
2875 
2876    return 0; /* i.e. fail */
2877 }
2878 #endif /* pCAL || sCAL */
2879 
2880 #ifdef PNG_sCAL_SUPPORTED
2881 #  ifdef PNG_FLOATING_POINT_SUPPORTED
2882 /* Utility used below - a simple accurate power of ten from an integral
2883  * exponent.
2884  */
2885 static double
2886 png_pow10(int power)
2887 {
2888    int recip = 0;
2889    double d = 1;
2890 
2891    /* Handle negative exponent with a reciprocal at the end because
2892     * 10 is exact whereas .1 is inexact in base 2
2893     */
2894    if (power < 0)
2895    {
2896       if (power < DBL_MIN_10_EXP) return 0;
2897       recip = 1; power = -power;
2898    }
2899 
2900    if (power > 0)
2901    {
2902       /* Decompose power bitwise. */
2903       double mult = 10;
2904       do
2905       {
2906          if (power & 1) d *= mult;
2907          mult *= mult;
2908          power >>= 1;
2909       }
2910       while (power > 0);
2911 
2912       if (recip != 0) d = 1/d;
2913    }
2914    /* else power is 0 and d is 1 */
2915 
2916    return d;
2917 }
2918 
2919 /* Function to format a floating point value in ASCII with a given
2920  * precision.
2921  */
2922 #if GCC_STRICT_OVERFLOW
2923 #pragma GCC diagnostic push
2924 /* The problem arises below with exp_b10, which can never overflow because it
2925  * comes, originally, from frexp and is therefore limited to a range which is
2926  * typically +/-710 (log2(DBL_MAX)/log2(DBL_MIN)).
2927  */
2928 #pragma GCC diagnostic warning "-Wstrict-overflow=2"
2929 #endif /* GCC_STRICT_OVERFLOW */
2930 void /* PRIVATE */
2931 png_ascii_from_fp(png_const_structrp png_ptr, png_charp ascii, size_t size,
2932     double fp, unsigned int precision)
2933 {
2934    /* We use standard functions from math.h, but not printf because
2935     * that would require stdio.  The caller must supply a buffer of
2936     * sufficient size or we will png_error.  The tests on size and
2937     * the space in ascii[] consumed are indicated below.
2938     */
2939    if (precision < 1)
2940       precision = DBL_DIG;
2941 
2942    /* Enforce the limit of the implementation precision too. */
2943    if (precision > DBL_DIG+1)
2944       precision = DBL_DIG+1;
2945 
2946    /* Basic sanity checks */
2947    if (size >= precision+5) /* See the requirements below. */
2948    {
2949       if (fp < 0)
2950       {
2951          fp = -fp;
2952          *ascii++ = 45; /* '-'  PLUS 1 TOTAL 1 */
2953          --size;
2954       }
2955 
2956       if (fp >= DBL_MIN && fp <= DBL_MAX)
2957       {
2958          int exp_b10;   /* A base 10 exponent */
2959          double base;   /* 10^exp_b10 */
2960 
2961          /* First extract a base 10 exponent of the number,
2962           * the calculation below rounds down when converting
2963           * from base 2 to base 10 (multiply by log10(2) -
2964           * 0.3010, but 77/256 is 0.3008, so exp_b10 needs to
2965           * be increased.  Note that the arithmetic shift
2966           * performs a floor() unlike C arithmetic - using a
2967           * C multiply would break the following for negative
2968           * exponents.
2969           */
2970          (void)frexp(fp, &exp_b10); /* exponent to base 2 */
2971 
2972          exp_b10 = (exp_b10 * 77) >> 8; /* <= exponent to base 10 */
2973 
2974          /* Avoid underflow here. */
2975          base = png_pow10(exp_b10); /* May underflow */
2976 
2977          while (base < DBL_MIN || base < fp)
2978          {
2979             /* And this may overflow. */
2980             double test = png_pow10(exp_b10+1);
2981 
2982             if (test <= DBL_MAX)
2983             {
2984                ++exp_b10; base = test;
2985             }
2986 
2987             else
2988                break;
2989          }
2990 
2991          /* Normalize fp and correct exp_b10, after this fp is in the
2992           * range [.1,1) and exp_b10 is both the exponent and the digit
2993           * *before* which the decimal point should be inserted
2994           * (starting with 0 for the first digit).  Note that this
2995           * works even if 10^exp_b10 is out of range because of the
2996           * test on DBL_MAX above.
2997           */
2998          fp /= base;
2999          while (fp >= 1)
3000          {
3001             fp /= 10; ++exp_b10;
3002          }
3003 
3004          /* Because of the code above fp may, at this point, be
3005           * less than .1, this is ok because the code below can
3006           * handle the leading zeros this generates, so no attempt
3007           * is made to correct that here.
3008           */
3009 
3010          {
3011             unsigned int czero, clead, cdigits;
3012             char exponent[10];
3013 
3014             /* Allow up to two leading zeros - this will not lengthen
3015              * the number compared to using E-n.
3016              */
3017             if (exp_b10 < 0 && exp_b10 > -3) /* PLUS 3 TOTAL 4 */
3018             {
3019                czero = 0U-exp_b10; /* PLUS 2 digits: TOTAL 3 */
3020                exp_b10 = 0;      /* Dot added below before first output. */
3021             }
3022             else
3023                czero = 0;    /* No zeros to add */
3024 
3025             /* Generate the digit list, stripping trailing zeros and
3026              * inserting a '.' before a digit if the exponent is 0.
3027              */
3028             clead = czero; /* Count of leading zeros */
3029             cdigits = 0;   /* Count of digits in list. */
3030 
3031             do
3032             {
3033                double d;
3034 
3035                fp *= 10;
3036                /* Use modf here, not floor and subtract, so that
3037                 * the separation is done in one step.  At the end
3038                 * of the loop don't break the number into parts so
3039                 * that the final digit is rounded.
3040                 */
3041                if (cdigits+czero+1 < precision+clead)
3042                   fp = modf(fp, &d);
3043 
3044                else
3045                {
3046                   d = floor(fp + .5);
3047 
3048                   if (d > 9)
3049                   {
3050                      /* Rounding up to 10, handle that here. */
3051                      if (czero > 0)
3052                      {
3053                         --czero; d = 1;
3054                         if (cdigits == 0) --clead;
3055                      }
3056                      else
3057                      {
3058                         while (cdigits > 0 && d > 9)
3059                         {
3060                            int ch = *--ascii;
3061 
3062                            if (exp_b10 != (-1))
3063                               ++exp_b10;
3064 
3065                            else if (ch == 46)
3066                            {
3067                               ch = *--ascii; ++size;
3068                               /* Advance exp_b10 to '1', so that the
3069                                * decimal point happens after the
3070                                * previous digit.
3071                                */
3072                               exp_b10 = 1;
3073                            }
3074 
3075                            --cdigits;
3076                            d = ch - 47;  /* I.e. 1+(ch-48) */
3077                         }
3078 
3079                         /* Did we reach the beginning? If so adjust the
3080                          * exponent but take into account the leading
3081                          * decimal point.
3082                          */
3083                         if (d > 9)  /* cdigits == 0 */
3084                         {
3085                            if (exp_b10 == (-1))
3086                            {
3087                               /* Leading decimal point (plus zeros?), if
3088                                * we lose the decimal point here it must
3089                                * be reentered below.
3090                                */
3091                               int ch = *--ascii;
3092 
3093                               if (ch == 46)
3094                               {
3095                                  ++size; exp_b10 = 1;
3096                               }
3097 
3098                               /* Else lost a leading zero, so 'exp_b10' is
3099                                * still ok at (-1)
3100                                */
3101                            }
3102                            else
3103                               ++exp_b10;
3104 
3105                            /* In all cases we output a '1' */
3106                            d = 1;
3107                         }
3108                      }
3109                   }
3110                   fp = 0; /* Guarantees termination below. */
3111                }
3112 
3113                if (d == 0)
3114                {
3115                   ++czero;
3116                   if (cdigits == 0) ++clead;
3117                }
3118                else
3119                {
3120                   /* Included embedded zeros in the digit count. */
3121                   cdigits += czero - clead;
3122                   clead = 0;
3123 
3124                   while (czero > 0)
3125                   {
3126                      /* exp_b10 == (-1) means we just output the decimal
3127                       * place - after the DP don't adjust 'exp_b10' any
3128                       * more!
3129                       */
3130                      if (exp_b10 != (-1))
3131                      {
3132                         if (exp_b10 == 0)
3133                         {
3134                            *ascii++ = 46; --size;
3135                         }
3136                         /* PLUS 1: TOTAL 4 */
3137                         --exp_b10;
3138                      }
3139                      *ascii++ = 48; --czero;
3140                   }
3141 
3142                   if (exp_b10 != (-1))
3143                   {
3144                      if (exp_b10 == 0)
3145                      {
3146                         *ascii++ = 46; --size; /* counted above */
3147                      }
3148 
3149                      --exp_b10;
3150                   }
3151                   *ascii++ = (char)(48 + (int)d); ++cdigits;
3152                }
3153             }
3154             while (cdigits+czero < precision+clead && fp > DBL_MIN);
3155 
3156             /* The total output count (max) is now 4+precision */
3157 
3158             /* Check for an exponent, if we don't need one we are
3159              * done and just need to terminate the string.  At this
3160              * point, exp_b10==(-1) is effectively a flag: it got
3161              * to '-1' because of the decrement, after outputting
3162              * the decimal point above. (The exponent required is
3163              * *not* -1.)
3164              */
3165             if (exp_b10 >= (-1) && exp_b10 <= 2)
3166             {
3167                /* The following only happens if we didn't output the
3168                 * leading zeros above for negative exponent, so this
3169                 * doesn't add to the digit requirement.  Note that the
3170                 * two zeros here can only be output if the two leading
3171                 * zeros were *not* output, so this doesn't increase
3172                 * the output count.
3173                 */
3174                while (exp_b10-- > 0) *ascii++ = 48;
3175 
3176                *ascii = 0;
3177 
3178                /* Total buffer requirement (including the '\0') is
3179                 * 5+precision - see check at the start.
3180                 */
3181                return;
3182             }
3183 
3184             /* Here if an exponent is required, adjust size for
3185              * the digits we output but did not count.  The total
3186              * digit output here so far is at most 1+precision - no
3187              * decimal point and no leading or trailing zeros have
3188              * been output.
3189              */
3190             size -= cdigits;
3191 
3192             *ascii++ = 69; --size;    /* 'E': PLUS 1 TOTAL 2+precision */
3193 
3194             /* The following use of an unsigned temporary avoids ambiguities in
3195              * the signed arithmetic on exp_b10 and permits GCC at least to do
3196              * better optimization.
3197              */
3198             {
3199                unsigned int uexp_b10;
3200 
3201                if (exp_b10 < 0)
3202                {
3203                   *ascii++ = 45; --size; /* '-': PLUS 1 TOTAL 3+precision */
3204                   uexp_b10 = 0U-exp_b10;
3205                }
3206 
3207                else
3208                   uexp_b10 = 0U+exp_b10;
3209 
3210                cdigits = 0;
3211 
3212                while (uexp_b10 > 0)
3213                {
3214                   exponent[cdigits++] = (char)(48 + uexp_b10 % 10);
3215                   uexp_b10 /= 10;
3216                }
3217             }
3218 
3219             /* Need another size check here for the exponent digits, so
3220              * this need not be considered above.
3221              */
3222             if (size > cdigits)
3223             {
3224                while (cdigits > 0) *ascii++ = exponent[--cdigits];
3225 
3226                *ascii = 0;
3227 
3228                return;
3229             }
3230          }
3231       }
3232       else if (!(fp >= DBL_MIN))
3233       {
3234          *ascii++ = 48; /* '0' */
3235          *ascii = 0;
3236          return;
3237       }
3238       else
3239       {
3240          *ascii++ = 105; /* 'i' */
3241          *ascii++ = 110; /* 'n' */
3242          *ascii++ = 102; /* 'f' */
3243          *ascii = 0;
3244          return;
3245       }
3246    }
3247 
3248    /* Here on buffer too small. */
3249    png_error(png_ptr, "ASCII conversion buffer too small");
3250 }
3251 #if GCC_STRICT_OVERFLOW
3252 #pragma GCC diagnostic pop
3253 #endif /* GCC_STRICT_OVERFLOW */
3254 
3255 #  endif /* FLOATING_POINT */
3256 
3257 #  ifdef PNG_FIXED_POINT_SUPPORTED
3258 /* Function to format a fixed point value in ASCII.
3259  */
3260 void /* PRIVATE */
3261 png_ascii_from_fixed(png_const_structrp png_ptr, png_charp ascii,
3262     size_t size, png_fixed_point fp)
3263 {
3264    /* Require space for 10 decimal digits, a decimal point, a minus sign and a
3265     * trailing \0, 13 characters:
3266     */
3267    if (size > 12)
3268    {
3269       png_uint_32 num;
3270 
3271       /* Avoid overflow here on the minimum integer. */
3272       if (fp < 0)
3273       {
3274          *ascii++ = 45; num = (png_uint_32)(-fp);
3275       }
3276       else
3277          num = (png_uint_32)fp;
3278 
3279       if (num <= 0x80000000) /* else overflowed */
3280       {
3281          unsigned int ndigits = 0, first = 16 /* flag value */;
3282          char digits[10];
3283 
3284          while (num)
3285          {
3286             /* Split the low digit off num: */
3287             unsigned int tmp = num/10;
3288             num -= tmp*10;
3289             digits[ndigits++] = (char)(48 + num);
3290             /* Record the first non-zero digit, note that this is a number
3291              * starting at 1, it's not actually the array index.
3292              */
3293             if (first == 16 && num > 0)
3294                first = ndigits;
3295             num = tmp;
3296          }
3297 
3298          if (ndigits > 0)
3299          {
3300             while (ndigits > 5) *ascii++ = digits[--ndigits];
3301             /* The remaining digits are fractional digits, ndigits is '5' or
3302              * smaller at this point.  It is certainly not zero.  Check for a
3303              * non-zero fractional digit:
3304              */
3305             if (first <= 5)
3306             {
3307                unsigned int i;
3308                *ascii++ = 46; /* decimal point */
3309                /* ndigits may be <5 for small numbers, output leading zeros
3310                 * then ndigits digits to first:
3311                 */
3312                i = 5;
3313                while (ndigits < i)
3314                {
3315                   *ascii++ = 48; --i;
3316                }
3317                while (ndigits >= first) *ascii++ = digits[--ndigits];
3318                /* Don't output the trailing zeros! */
3319             }
3320          }
3321          else
3322             *ascii++ = 48;
3323 
3324          /* And null terminate the string: */
3325          *ascii = 0;
3326          return;
3327       }
3328    }
3329 
3330    /* Here on buffer too small. */
3331    png_error(png_ptr, "ASCII conversion buffer too small");
3332 }
3333 #   endif /* FIXED_POINT */
3334 #endif /* SCAL */
3335 
3336 #if defined(PNG_FLOATING_POINT_SUPPORTED) && \
3337    !defined(PNG_FIXED_POINT_MACRO_SUPPORTED) && \
3338    (defined(PNG_gAMA_SUPPORTED) || defined(PNG_cHRM_SUPPORTED) || \
3339    defined(PNG_sCAL_SUPPORTED) || defined(PNG_READ_BACKGROUND_SUPPORTED) || \
3340    defined(PNG_READ_RGB_TO_GRAY_SUPPORTED)) || \
3341    (defined(PNG_sCAL_SUPPORTED) && \
3342    defined(PNG_FLOATING_ARITHMETIC_SUPPORTED))
3343 png_fixed_point
3344 png_fixed(png_const_structrp png_ptr, double fp, png_const_charp text)
3345 {
3346    double r = floor(100000 * fp + .5);
3347 
3348    if (r > 2147483647. || r < -2147483648.)
3349       png_fixed_error(png_ptr, text);
3350 
3351 #  ifndef PNG_ERROR_TEXT_SUPPORTED
3352    PNG_UNUSED(text)
3353 #  endif
3354 
3355    return (png_fixed_point)r;
3356 }
3357 #endif
3358 
3359 #if defined(PNG_GAMMA_SUPPORTED) || defined(PNG_COLORSPACE_SUPPORTED) ||\
3360     defined(PNG_INCH_CONVERSIONS_SUPPORTED) || defined(PNG_READ_pHYs_SUPPORTED)
3361 /* muldiv functions */
3362 /* This API takes signed arguments and rounds the result to the nearest
3363  * integer (or, for a fixed point number - the standard argument - to
3364  * the nearest .00001).  Overflow and divide by zero are signalled in
3365  * the result, a boolean - true on success, false on overflow.
3366  */
3367 #if GCC_STRICT_OVERFLOW /* from above */
3368 /* It is not obvious which comparison below gets optimized in such a way that
3369  * signed overflow would change the result; looking through the code does not
3370  * reveal any tests which have the form GCC complains about, so presumably the
3371  * optimizer is moving an add or subtract into the 'if' somewhere.
3372  */
3373 #pragma GCC diagnostic push
3374 #pragma GCC diagnostic warning "-Wstrict-overflow=2"
3375 #endif /* GCC_STRICT_OVERFLOW */
3376 int
3377 png_muldiv(png_fixed_point_p res, png_fixed_point a, png_int_32 times,
3378     png_int_32 divisor)
3379 {
3380    /* Return a * times / divisor, rounded. */
3381    if (divisor != 0)
3382    {
3383       if (a == 0 || times == 0)
3384       {
3385          *res = 0;
3386          return 1;
3387       }
3388       else
3389       {
3390 #ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED
3391          double r = a;
3392          r *= times;
3393          r /= divisor;
3394          r = floor(r+.5);
3395 
3396          /* A png_fixed_point is a 32-bit integer. */
3397          if (r <= 2147483647. && r >= -2147483648.)
3398          {
3399             *res = (png_fixed_point)r;
3400             return 1;
3401          }
3402 #else
3403          int negative = 0;
3404          png_uint_32 A, T, D;
3405          png_uint_32 s16, s32, s00;
3406 
3407          if (a < 0)
3408             negative = 1, A = -a;
3409          else
3410             A = a;
3411 
3412          if (times < 0)
3413             negative = !negative, T = -times;
3414          else
3415             T = times;
3416 
3417          if (divisor < 0)
3418             negative = !negative, D = -divisor;
3419          else
3420             D = divisor;
3421 
3422          /* Following can't overflow because the arguments only
3423           * have 31 bits each, however the result may be 32 bits.
3424           */
3425          s16 = (A >> 16) * (T & 0xffff) +
3426                            (A & 0xffff) * (T >> 16);
3427          /* Can't overflow because the a*times bit is only 30
3428           * bits at most.
3429           */
3430          s32 = (A >> 16) * (T >> 16) + (s16 >> 16);
3431          s00 = (A & 0xffff) * (T & 0xffff);
3432 
3433          s16 = (s16 & 0xffff) << 16;
3434          s00 += s16;
3435 
3436          if (s00 < s16)
3437             ++s32; /* carry */
3438 
3439          if (s32 < D) /* else overflow */
3440          {
3441             /* s32.s00 is now the 64-bit product, do a standard
3442              * division, we know that s32 < D, so the maximum
3443              * required shift is 31.
3444              */
3445             int bitshift = 32;
3446             png_fixed_point result = 0; /* NOTE: signed */
3447 
3448             while (--bitshift >= 0)
3449             {
3450                png_uint_32 d32, d00;
3451 
3452                if (bitshift > 0)
3453                   d32 = D >> (32-bitshift), d00 = D << bitshift;
3454 
3455                else
3456                   d32 = 0, d00 = D;
3457 
3458                if (s32 > d32)
3459                {
3460                   if (s00 < d00) --s32; /* carry */
3461                   s32 -= d32, s00 -= d00, result += 1<<bitshift;
3462                }
3463 
3464                else
3465                   if (s32 == d32 && s00 >= d00)
3466                      s32 = 0, s00 -= d00, result += 1<<bitshift;
3467             }
3468 
3469             /* Handle the rounding. */
3470             if (s00 >= (D >> 1))
3471                ++result;
3472 
3473             if (negative != 0)
3474                result = -result;
3475 
3476             /* Check for overflow. */
3477             if ((negative != 0 && result <= 0) ||
3478                 (negative == 0 && result >= 0))
3479             {
3480                *res = result;
3481                return 1;
3482             }
3483          }
3484 #endif
3485       }
3486    }
3487 
3488    return 0;
3489 }
3490 #if GCC_STRICT_OVERFLOW
3491 #pragma GCC diagnostic pop
3492 #endif /* GCC_STRICT_OVERFLOW */
3493 #endif /* READ_GAMMA || INCH_CONVERSIONS */
3494 
3495 #if defined(PNG_READ_GAMMA_SUPPORTED) || defined(PNG_INCH_CONVERSIONS_SUPPORTED)
3496 /* The following is for when the caller doesn't much care about the
3497  * result.
3498  */
3499 png_fixed_point
3500 png_muldiv_warn(png_const_structrp png_ptr, png_fixed_point a, png_int_32 times,
3501     png_int_32 divisor)
3502 {
3503    png_fixed_point result;
3504 
3505    if (png_muldiv(&result, a, times, divisor) != 0)
3506       return result;
3507 
3508    png_warning(png_ptr, "fixed point overflow ignored");
3509    return 0;
3510 }
3511 #endif
3512 
3513 #ifdef PNG_GAMMA_SUPPORTED /* more fixed point functions for gamma */
3514 /* Calculate a reciprocal, return 0 on div-by-zero or overflow. */
3515 png_fixed_point
3516 png_reciprocal(png_fixed_point a)
3517 {
3518 #ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED
3519    double r = floor(1E10/a+.5);
3520 
3521    if (r <= 2147483647. && r >= -2147483648.)
3522       return (png_fixed_point)r;
3523 #else
3524    png_fixed_point res;
3525 
3526    if (png_muldiv(&res, 100000, 100000, a) != 0)
3527       return res;
3528 #endif
3529 
3530    return 0; /* error/overflow */
3531 }
3532 
3533 /* This is the shared test on whether a gamma value is 'significant' - whether
3534  * it is worth doing gamma correction.
3535  */
3536 int /* PRIVATE */
3537 png_gamma_significant(png_fixed_point gamma_val)
3538 {
3539    return gamma_val < PNG_FP_1 - PNG_GAMMA_THRESHOLD_FIXED ||
3540        gamma_val > PNG_FP_1 + PNG_GAMMA_THRESHOLD_FIXED;
3541 }
3542 #endif
3543 
3544 #ifdef PNG_READ_GAMMA_SUPPORTED
3545 #ifdef PNG_16BIT_SUPPORTED
3546 /* A local convenience routine. */
3547 static png_fixed_point
3548 png_product2(png_fixed_point a, png_fixed_point b)
3549 {
3550    /* The required result is 1/a * 1/b; the following preserves accuracy. */
3551 #ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED
3552    double r = a * 1E-5;
3553    r *= b;
3554    r = floor(r+.5);
3555 
3556    if (r <= 2147483647. && r >= -2147483648.)
3557       return (png_fixed_point)r;
3558 #else
3559    png_fixed_point res;
3560 
3561    if (png_muldiv(&res, a, b, 100000) != 0)
3562       return res;
3563 #endif
3564 
3565    return 0; /* overflow */
3566 }
3567 #endif /* 16BIT */
3568 
3569 /* The inverse of the above. */
3570 png_fixed_point
3571 png_reciprocal2(png_fixed_point a, png_fixed_point b)
3572 {
3573    /* The required result is 1/a * 1/b; the following preserves accuracy. */
3574 #ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED
3575    if (a != 0 && b != 0)
3576    {
3577       double r = 1E15/a;
3578       r /= b;
3579       r = floor(r+.5);
3580 
3581       if (r <= 2147483647. && r >= -2147483648.)
3582          return (png_fixed_point)r;
3583    }
3584 #else
3585    /* This may overflow because the range of png_fixed_point isn't symmetric,
3586     * but this API is only used for the product of file and screen gamma so it
3587     * doesn't matter that the smallest number it can produce is 1/21474, not
3588     * 1/100000
3589     */
3590    png_fixed_point res = png_product2(a, b);
3591 
3592    if (res != 0)
3593       return png_reciprocal(res);
3594 #endif
3595 
3596    return 0; /* overflow */
3597 }
3598 #endif /* READ_GAMMA */
3599 
3600 #ifdef PNG_READ_GAMMA_SUPPORTED /* gamma table code */
3601 #ifndef PNG_FLOATING_ARITHMETIC_SUPPORTED
3602 /* Fixed point gamma.
3603  *
3604  * The code to calculate the tables used below can be found in the shell script
3605  * contrib/tools/intgamma.sh
3606  *
3607  * To calculate gamma this code implements fast log() and exp() calls using only
3608  * fixed point arithmetic.  This code has sufficient precision for either 8-bit
3609  * or 16-bit sample values.
3610  *
3611  * The tables used here were calculated using simple 'bc' programs, but C double
3612  * precision floating point arithmetic would work fine.
3613  *
3614  * 8-bit log table
3615  *   This is a table of -log(value/255)/log(2) for 'value' in the range 128 to
3616  *   255, so it's the base 2 logarithm of a normalized 8-bit floating point
3617  *   mantissa.  The numbers are 32-bit fractions.
3618  */
3619 static const png_uint_32
3620 png_8bit_l2[128] =
3621 {
3622    4270715492U, 4222494797U, 4174646467U, 4127164793U, 4080044201U, 4033279239U,
3623    3986864580U, 3940795015U, 3895065449U, 3849670902U, 3804606499U, 3759867474U,
3624    3715449162U, 3671346997U, 3627556511U, 3584073329U, 3540893168U, 3498011834U,
3625    3455425220U, 3413129301U, 3371120137U, 3329393864U, 3287946700U, 3246774933U,
3626    3205874930U, 3165243125U, 3124876025U, 3084770202U, 3044922296U, 3005329011U,
3627    2965987113U, 2926893432U, 2888044853U, 2849438323U, 2811070844U, 2772939474U,
3628    2735041326U, 2697373562U, 2659933400U, 2622718104U, 2585724991U, 2548951424U,
3629    2512394810U, 2476052606U, 2439922311U, 2404001468U, 2368287663U, 2332778523U,
3630    2297471715U, 2262364947U, 2227455964U, 2192742551U, 2158222529U, 2123893754U,
3631    2089754119U, 2055801552U, 2022034013U, 1988449497U, 1955046031U, 1921821672U,
3632    1888774511U, 1855902668U, 1823204291U, 1790677560U, 1758320682U, 1726131893U,
3633    1694109454U, 1662251657U, 1630556815U, 1599023271U, 1567649391U, 1536433567U,
3634    1505374214U, 1474469770U, 1443718700U, 1413119487U, 1382670639U, 1352370686U,
3635    1322218179U, 1292211689U, 1262349810U, 1232631153U, 1203054352U, 1173618059U,
3636    1144320946U, 1115161701U, 1086139034U, 1057251672U, 1028498358U, 999877854U,
3637    971388940U, 943030410U, 914801076U, 886699767U, 858725327U, 830876614U,
3638    803152505U, 775551890U, 748073672U, 720716771U, 693480120U, 666362667U,
3639    639363374U, 612481215U, 585715177U, 559064263U, 532527486U, 506103872U,
3640    479792461U, 453592303U, 427502463U, 401522014U, 375650043U, 349885648U,
3641    324227938U, 298676034U, 273229066U, 247886176U, 222646516U, 197509248U,
3642    172473545U, 147538590U, 122703574U, 97967701U, 73330182U, 48790236U,
3643    24347096U, 0U
3644 
3645 #if 0
3646    /* The following are the values for 16-bit tables - these work fine for the
3647     * 8-bit conversions but produce very slightly larger errors in the 16-bit
3648     * log (about 1.2 as opposed to 0.7 absolute error in the final value).  To
3649     * use these all the shifts below must be adjusted appropriately.
3650     */
3651    65166, 64430, 63700, 62976, 62257, 61543, 60835, 60132, 59434, 58741, 58054,
3652    57371, 56693, 56020, 55352, 54689, 54030, 53375, 52726, 52080, 51439, 50803,
3653    50170, 49542, 48918, 48298, 47682, 47070, 46462, 45858, 45257, 44661, 44068,
3654    43479, 42894, 42312, 41733, 41159, 40587, 40020, 39455, 38894, 38336, 37782,
3655    37230, 36682, 36137, 35595, 35057, 34521, 33988, 33459, 32932, 32408, 31887,
3656    31369, 30854, 30341, 29832, 29325, 28820, 28319, 27820, 27324, 26830, 26339,
3657    25850, 25364, 24880, 24399, 23920, 23444, 22970, 22499, 22029, 21562, 21098,
3658    20636, 20175, 19718, 19262, 18808, 18357, 17908, 17461, 17016, 16573, 16132,
3659    15694, 15257, 14822, 14390, 13959, 13530, 13103, 12678, 12255, 11834, 11415,
3660    10997, 10582, 10168, 9756, 9346, 8937, 8531, 8126, 7723, 7321, 6921, 6523,
3661    6127, 5732, 5339, 4947, 4557, 4169, 3782, 3397, 3014, 2632, 2251, 1872, 1495,
3662    1119, 744, 372
3663 #endif
3664 };
3665 
3666 static png_int_32
3667 png_log8bit(unsigned int x)
3668 {
3669    unsigned int lg2 = 0;
3670    /* Each time 'x' is multiplied by 2, 1 must be subtracted off the final log,
3671     * because the log is actually negate that means adding 1.  The final
3672     * returned value thus has the range 0 (for 255 input) to 7.994 (for 1
3673     * input), return -1 for the overflow (log 0) case, - so the result is
3674     * always at most 19 bits.
3675     */
3676    if ((x &= 0xff) == 0)
3677       return -1;
3678 
3679    if ((x & 0xf0) == 0)
3680       lg2  = 4, x <<= 4;
3681 
3682    if ((x & 0xc0) == 0)
3683       lg2 += 2, x <<= 2;
3684 
3685    if ((x & 0x80) == 0)
3686       lg2 += 1, x <<= 1;
3687 
3688    /* result is at most 19 bits, so this cast is safe: */
3689    return (png_int_32)((lg2 << 16) + ((png_8bit_l2[x-128]+32768)>>16));
3690 }
3691 
3692 /* The above gives exact (to 16 binary places) log2 values for 8-bit images,
3693  * for 16-bit images we use the most significant 8 bits of the 16-bit value to
3694  * get an approximation then multiply the approximation by a correction factor
3695  * determined by the remaining up to 8 bits.  This requires an additional step
3696  * in the 16-bit case.
3697  *
3698  * We want log2(value/65535), we have log2(v'/255), where:
3699  *
3700  *    value = v' * 256 + v''
3701  *          = v' * f
3702  *
3703  * So f is value/v', which is equal to (256+v''/v') since v' is in the range 128
3704  * to 255 and v'' is in the range 0 to 255 f will be in the range 256 to less
3705  * than 258.  The final factor also needs to correct for the fact that our 8-bit
3706  * value is scaled by 255, whereas the 16-bit values must be scaled by 65535.
3707  *
3708  * This gives a final formula using a calculated value 'x' which is value/v' and
3709  * scaling by 65536 to match the above table:
3710  *
3711  *   log2(x/257) * 65536
3712  *
3713  * Since these numbers are so close to '1' we can use simple linear
3714  * interpolation between the two end values 256/257 (result -368.61) and 258/257
3715  * (result 367.179).  The values used below are scaled by a further 64 to give
3716  * 16-bit precision in the interpolation:
3717  *
3718  * Start (256): -23591
3719  * Zero  (257):      0
3720  * End   (258):  23499
3721  */
3722 #ifdef PNG_16BIT_SUPPORTED
3723 static png_int_32
3724 png_log16bit(png_uint_32 x)
3725 {
3726    unsigned int lg2 = 0;
3727 
3728    /* As above, but now the input has 16 bits. */
3729    if ((x &= 0xffff) == 0)
3730       return -1;
3731 
3732    if ((x & 0xff00) == 0)
3733       lg2  = 8, x <<= 8;
3734 
3735    if ((x & 0xf000) == 0)
3736       lg2 += 4, x <<= 4;
3737 
3738    if ((x & 0xc000) == 0)
3739       lg2 += 2, x <<= 2;
3740 
3741    if ((x & 0x8000) == 0)
3742       lg2 += 1, x <<= 1;
3743 
3744    /* Calculate the base logarithm from the top 8 bits as a 28-bit fractional
3745     * value.
3746     */
3747    lg2 <<= 28;
3748    lg2 += (png_8bit_l2[(x>>8)-128]+8) >> 4;
3749 
3750    /* Now we need to interpolate the factor, this requires a division by the top
3751     * 8 bits.  Do this with maximum precision.
3752     */
3753    x = ((x << 16) + (x >> 9)) / (x >> 8);
3754 
3755    /* Since we divided by the top 8 bits of 'x' there will be a '1' at 1<<24,
3756     * the value at 1<<16 (ignoring this) will be 0 or 1; this gives us exactly
3757     * 16 bits to interpolate to get the low bits of the result.  Round the
3758     * answer.  Note that the end point values are scaled by 64 to retain overall
3759     * precision and that 'lg2' is current scaled by an extra 12 bits, so adjust
3760     * the overall scaling by 6-12.  Round at every step.
3761     */
3762    x -= 1U << 24;
3763 
3764    if (x <= 65536U) /* <= '257' */
3765       lg2 += ((23591U * (65536U-x)) + (1U << (16+6-12-1))) >> (16+6-12);
3766 
3767    else
3768       lg2 -= ((23499U * (x-65536U)) + (1U << (16+6-12-1))) >> (16+6-12);
3769 
3770    /* Safe, because the result can't have more than 20 bits: */
3771    return (png_int_32)((lg2 + 2048) >> 12);
3772 }
3773 #endif /* 16BIT */
3774 
3775 /* The 'exp()' case must invert the above, taking a 20-bit fixed point
3776  * logarithmic value and returning a 16 or 8-bit number as appropriate.  In
3777  * each case only the low 16 bits are relevant - the fraction - since the
3778  * integer bits (the top 4) simply determine a shift.
3779  *
3780  * The worst case is the 16-bit distinction between 65535 and 65534. This
3781  * requires perhaps spurious accuracy in the decoding of the logarithm to
3782  * distinguish log2(65535/65534.5) - 10^-5 or 17 bits.  There is little chance
3783  * of getting this accuracy in practice.
3784  *
3785  * To deal with this the following exp() function works out the exponent of the
3786  * fractional part of the logarithm by using an accurate 32-bit value from the
3787  * top four fractional bits then multiplying in the remaining bits.
3788  */
3789 static const png_uint_32
3790 png_32bit_exp[16] =
3791 {
3792    /* NOTE: the first entry is deliberately set to the maximum 32-bit value. */
3793    4294967295U, 4112874773U, 3938502376U, 3771522796U, 3611622603U, 3458501653U,
3794    3311872529U, 3171459999U, 3037000500U, 2908241642U, 2784941738U, 2666869345U,
3795    2553802834U, 2445529972U, 2341847524U, 2242560872U
3796 };
3797 
3798 /* Adjustment table; provided to explain the numbers in the code below. */
3799 #if 0
3800 for (i=11;i>=0;--i){ print i, " ", (1 - e(-(2^i)/65536*l(2))) * 2^(32-i), "\n"}
3801    11 44937.64284865548751208448
3802    10 45180.98734845585101160448
3803     9 45303.31936980687359311872
3804     8 45364.65110595323018870784
3805     7 45395.35850361789624614912
3806     6 45410.72259715102037508096
3807     5 45418.40724413220722311168
3808     4 45422.25021786898173001728
3809     3 45424.17186732298419044352
3810     2 45425.13273269940811464704
3811     1 45425.61317555035558641664
3812     0 45425.85339951654943850496
3813 #endif
3814 
3815 static png_uint_32
3816 png_exp(png_fixed_point x)
3817 {
3818    if (x > 0 && x <= 0xfffff) /* Else overflow or zero (underflow) */
3819    {
3820       /* Obtain a 4-bit approximation */
3821       png_uint_32 e = png_32bit_exp[(x >> 12) & 0x0f];
3822 
3823       /* Incorporate the low 12 bits - these decrease the returned value by
3824        * multiplying by a number less than 1 if the bit is set.  The multiplier
3825        * is determined by the above table and the shift. Notice that the values
3826        * converge on 45426 and this is used to allow linear interpolation of the
3827        * low bits.
3828        */
3829       if (x & 0x800)
3830          e -= (((e >> 16) * 44938U) +  16U) >> 5;
3831 
3832       if (x & 0x400)
3833          e -= (((e >> 16) * 45181U) +  32U) >> 6;
3834 
3835       if (x & 0x200)
3836          e -= (((e >> 16) * 45303U) +  64U) >> 7;
3837 
3838       if (x & 0x100)
3839          e -= (((e >> 16) * 45365U) + 128U) >> 8;
3840 
3841       if (x & 0x080)
3842          e -= (((e >> 16) * 45395U) + 256U) >> 9;
3843 
3844       if (x & 0x040)
3845          e -= (((e >> 16) * 45410U) + 512U) >> 10;
3846 
3847       /* And handle the low 6 bits in a single block. */
3848       e -= (((e >> 16) * 355U * (x & 0x3fU)) + 256U) >> 9;
3849 
3850       /* Handle the upper bits of x. */
3851       e >>= x >> 16;
3852       return e;
3853    }
3854 
3855    /* Check for overflow */
3856    if (x <= 0)
3857       return png_32bit_exp[0];
3858 
3859    /* Else underflow */
3860    return 0;
3861 }
3862 
3863 static png_byte
3864 png_exp8bit(png_fixed_point lg2)
3865 {
3866    /* Get a 32-bit value: */
3867    png_uint_32 x = png_exp(lg2);
3868 
3869    /* Convert the 32-bit value to 0..255 by multiplying by 256-1. Note that the
3870     * second, rounding, step can't overflow because of the first, subtraction,
3871     * step.
3872     */
3873    x -= x >> 8;
3874    return (png_byte)(((x + 0x7fffffU) >> 24) & 0xff);
3875 }
3876 
3877 #ifdef PNG_16BIT_SUPPORTED
3878 static png_uint_16
3879 png_exp16bit(png_fixed_point lg2)
3880 {
3881    /* Get a 32-bit value: */
3882    png_uint_32 x = png_exp(lg2);
3883 
3884    /* Convert the 32-bit value to 0..65535 by multiplying by 65536-1: */
3885    x -= x >> 16;
3886    return (png_uint_16)((x + 32767U) >> 16);
3887 }
3888 #endif /* 16BIT */
3889 #endif /* FLOATING_ARITHMETIC */
3890 
3891 png_byte
3892 png_gamma_8bit_correct(unsigned int value, png_fixed_point gamma_val)
3893 {
3894    if (value > 0 && value < 255)
3895    {
3896 #     ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED
3897          /* 'value' is unsigned, ANSI-C90 requires the compiler to correctly
3898           * convert this to a floating point value.  This includes values that
3899           * would overflow if 'value' were to be converted to 'int'.
3900           *
3901           * Apparently GCC, however, does an intermediate conversion to (int)
3902           * on some (ARM) but not all (x86) platforms, possibly because of
3903           * hardware FP limitations.  (E.g. if the hardware conversion always
3904           * assumes the integer register contains a signed value.)  This results
3905           * in ANSI-C undefined behavior for large values.
3906           *
3907           * Other implementations on the same machine might actually be ANSI-C90
3908           * conformant and therefore compile spurious extra code for the large
3909           * values.
3910           *
3911           * We can be reasonably sure that an unsigned to float conversion
3912           * won't be faster than an int to float one.  Therefore this code
3913           * assumes responsibility for the undefined behavior, which it knows
3914           * can't happen because of the check above.
3915           *
3916           * Note the argument to this routine is an (unsigned int) because, on
3917           * 16-bit platforms, it is assigned a value which might be out of
3918           * range for an (int); that would result in undefined behavior in the
3919           * caller if the *argument* ('value') were to be declared (int).
3920           */
3921          double r = floor(255*pow((int)/*SAFE*/value/255.,gamma_val*.00001)+.5);
3922          return (png_byte)r;
3923 #     else
3924          png_int_32 lg2 = png_log8bit(value);
3925          png_fixed_point res;
3926 
3927          if (png_muldiv(&res, gamma_val, lg2, PNG_FP_1) != 0)
3928             return png_exp8bit(res);
3929 
3930          /* Overflow. */
3931          value = 0;
3932 #     endif
3933    }
3934 
3935    return (png_byte)(value & 0xff);
3936 }
3937 
3938 #ifdef PNG_16BIT_SUPPORTED
3939 png_uint_16
3940 png_gamma_16bit_correct(unsigned int value, png_fixed_point gamma_val)
3941 {
3942    if (value > 0 && value < 65535)
3943    {
3944 # ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED
3945       /* The same (unsigned int)->(double) constraints apply here as above,
3946        * however in this case the (unsigned int) to (int) conversion can
3947        * overflow on an ANSI-C90 compliant system so the cast needs to ensure
3948        * that this is not possible.
3949        */
3950       double r = floor(65535*pow((png_int_32)value/65535.,
3951           gamma_val*.00001)+.5);
3952       return (png_uint_16)r;
3953 # else
3954       png_int_32 lg2 = png_log16bit(value);
3955       png_fixed_point res;
3956 
3957       if (png_muldiv(&res, gamma_val, lg2, PNG_FP_1) != 0)
3958          return png_exp16bit(res);
3959 
3960       /* Overflow. */
3961       value = 0;
3962 # endif
3963    }
3964 
3965    return (png_uint_16)value;
3966 }
3967 #endif /* 16BIT */
3968 
3969 /* This does the right thing based on the bit_depth field of the
3970  * png_struct, interpreting values as 8-bit or 16-bit.  While the result
3971  * is nominally a 16-bit value if bit depth is 8 then the result is
3972  * 8-bit (as are the arguments.)
3973  */
3974 png_uint_16 /* PRIVATE */
3975 png_gamma_correct(png_structrp png_ptr, unsigned int value,
3976     png_fixed_point gamma_val)
3977 {
3978    if (png_ptr->bit_depth == 8)
3979       return png_gamma_8bit_correct(value, gamma_val);
3980 
3981 #ifdef PNG_16BIT_SUPPORTED
3982    else
3983       return png_gamma_16bit_correct(value, gamma_val);
3984 #else
3985       /* should not reach this */
3986       return 0;
3987 #endif /* 16BIT */
3988 }
3989 
3990 #ifdef PNG_16BIT_SUPPORTED
3991 /* Internal function to build a single 16-bit table - the table consists of
3992  * 'num' 256 entry subtables, where 'num' is determined by 'shift' - the amount
3993  * to shift the input values right (or 16-number_of_signifiant_bits).
3994  *
3995  * The caller is responsible for ensuring that the table gets cleaned up on
3996  * png_error (i.e. if one of the mallocs below fails) - i.e. the *table argument
3997  * should be somewhere that will be cleaned.
3998  */
3999 static void
4000 png_build_16bit_table(png_structrp png_ptr, png_uint_16pp *ptable,
4001     unsigned int shift, png_fixed_point gamma_val)
4002 {
4003    /* Various values derived from 'shift': */
4004    unsigned int num = 1U << (8U - shift);
4005 #ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED
4006    /* CSE the division and work round wacky GCC warnings (see the comments
4007     * in png_gamma_8bit_correct for where these come from.)
4008     */
4009    double fmax = 1.0 / (((png_int_32)1 << (16U - shift)) - 1);
4010 #endif
4011    unsigned int max = (1U << (16U - shift)) - 1U;
4012    unsigned int max_by_2 = 1U << (15U - shift);
4013    unsigned int i;
4014 
4015    png_uint_16pp table = *ptable =
4016        (png_uint_16pp)png_calloc(png_ptr, num * (sizeof (png_uint_16p)));
4017 
4018    for (i = 0; i < num; i++)
4019    {
4020       png_uint_16p sub_table = table[i] =
4021           (png_uint_16p)png_malloc(png_ptr, 256 * (sizeof (png_uint_16)));
4022 
4023       /* The 'threshold' test is repeated here because it can arise for one of
4024        * the 16-bit tables even if the others don't hit it.
4025        */
4026       if (png_gamma_significant(gamma_val) != 0)
4027       {
4028          /* The old code would overflow at the end and this would cause the
4029           * 'pow' function to return a result >1, resulting in an
4030           * arithmetic error.  This code follows the spec exactly; ig is
4031           * the recovered input sample, it always has 8-16 bits.
4032           *
4033           * We want input * 65535/max, rounded, the arithmetic fits in 32
4034           * bits (unsigned) so long as max <= 32767.
4035           */
4036          unsigned int j;
4037          for (j = 0; j < 256; j++)
4038          {
4039             png_uint_32 ig = (j << (8-shift)) + i;
4040 #           ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED
4041                /* Inline the 'max' scaling operation: */
4042                /* See png_gamma_8bit_correct for why the cast to (int) is
4043                 * required here.
4044                 */
4045                double d = floor(65535.*pow(ig*fmax, gamma_val*.00001)+.5);
4046                sub_table[j] = (png_uint_16)d;
4047 #           else
4048                if (shift != 0)
4049                   ig = (ig * 65535U + max_by_2)/max;
4050 
4051                sub_table[j] = png_gamma_16bit_correct(ig, gamma_val);
4052 #           endif
4053          }
4054       }
4055       else
4056       {
4057          /* We must still build a table, but do it the fast way. */
4058          unsigned int j;
4059 
4060          for (j = 0; j < 256; j++)
4061          {
4062             png_uint_32 ig = (j << (8-shift)) + i;
4063 
4064             if (shift != 0)
4065                ig = (ig * 65535U + max_by_2)/max;
4066 
4067             sub_table[j] = (png_uint_16)ig;
4068          }
4069       }
4070    }
4071 }
4072 
4073 /* NOTE: this function expects the *inverse* of the overall gamma transformation
4074  * required.
4075  */
4076 static void
4077 png_build_16to8_table(png_structrp png_ptr, png_uint_16pp *ptable,
4078     unsigned int shift, png_fixed_point gamma_val)
4079 {
4080    unsigned int num = 1U << (8U - shift);
4081    unsigned int max = (1U << (16U - shift))-1U;
4082    unsigned int i;
4083    png_uint_32 last;
4084 
4085    png_uint_16pp table = *ptable =
4086        (png_uint_16pp)png_calloc(png_ptr, num * (sizeof (png_uint_16p)));
4087 
4088    /* 'num' is the number of tables and also the number of low bits of low
4089     * bits of the input 16-bit value used to select a table.  Each table is
4090     * itself indexed by the high 8 bits of the value.
4091     */
4092    for (i = 0; i < num; i++)
4093       table[i] = (png_uint_16p)png_malloc(png_ptr,
4094           256 * (sizeof (png_uint_16)));
4095 
4096    /* 'gamma_val' is set to the reciprocal of the value calculated above, so
4097     * pow(out,g) is an *input* value.  'last' is the last input value set.
4098     *
4099     * In the loop 'i' is used to find output values.  Since the output is
4100     * 8-bit there are only 256 possible values.  The tables are set up to
4101     * select the closest possible output value for each input by finding
4102     * the input value at the boundary between each pair of output values
4103     * and filling the table up to that boundary with the lower output
4104     * value.
4105     *
4106     * The boundary values are 0.5,1.5..253.5,254.5.  Since these are 9-bit
4107     * values the code below uses a 16-bit value in i; the values start at
4108     * 128.5 (for 0.5) and step by 257, for a total of 254 values (the last
4109     * entries are filled with 255).  Start i at 128 and fill all 'last'
4110     * table entries <= 'max'
4111     */
4112    last = 0;
4113    for (i = 0; i < 255; ++i) /* 8-bit output value */
4114    {
4115       /* Find the corresponding maximum input value */
4116       png_uint_16 out = (png_uint_16)(i * 257U); /* 16-bit output value */
4117 
4118       /* Find the boundary value in 16 bits: */
4119       png_uint_32 bound = png_gamma_16bit_correct(out+128U, gamma_val);
4120 
4121       /* Adjust (round) to (16-shift) bits: */
4122       bound = (bound * max + 32768U)/65535U + 1U;
4123 
4124       while (last < bound)
4125       {
4126          table[last & (0xffU >> shift)][last >> (8U - shift)] = out;
4127          last++;
4128       }
4129    }
4130 
4131    /* And fill in the final entries. */
4132    while (last < (num << 8))
4133    {
4134       table[last & (0xff >> shift)][last >> (8U - shift)] = 65535U;
4135       last++;
4136    }
4137 }
4138 #endif /* 16BIT */
4139 
4140 /* Build a single 8-bit table: same as the 16-bit case but much simpler (and
4141  * typically much faster).  Note that libpng currently does no sBIT processing
4142  * (apparently contrary to the spec) so a 256-entry table is always generated.
4143  */
4144 static void
4145 png_build_8bit_table(png_structrp png_ptr, png_bytepp ptable,
4146     png_fixed_point gamma_val)
4147 {
4148    unsigned int i;
4149    png_bytep table = *ptable = (png_bytep)png_malloc(png_ptr, 256);
4150 
4151    if (png_gamma_significant(gamma_val) != 0)
4152       for (i=0; i<256; i++)
4153          table[i] = png_gamma_8bit_correct(i, gamma_val);
4154 
4155    else
4156       for (i=0; i<256; ++i)
4157          table[i] = (png_byte)(i & 0xff);
4158 }
4159 
4160 /* Used from png_read_destroy and below to release the memory used by the gamma
4161  * tables.
4162  */
4163 void /* PRIVATE */
4164 png_destroy_gamma_table(png_structrp png_ptr)
4165 {
4166    png_free(png_ptr, png_ptr->gamma_table);
4167    png_ptr->gamma_table = NULL;
4168 
4169 #ifdef PNG_16BIT_SUPPORTED
4170    if (png_ptr->gamma_16_table != NULL)
4171    {
4172       int i;
4173       int istop = (1 << (8 - png_ptr->gamma_shift));
4174       for (i = 0; i < istop; i++)
4175       {
4176          png_free(png_ptr, png_ptr->gamma_16_table[i]);
4177       }
4178    png_free(png_ptr, png_ptr->gamma_16_table);
4179    png_ptr->gamma_16_table = NULL;
4180    }
4181 #endif /* 16BIT */
4182 
4183 #if defined(PNG_READ_BACKGROUND_SUPPORTED) || \
4184    defined(PNG_READ_ALPHA_MODE_SUPPORTED) || \
4185    defined(PNG_READ_RGB_TO_GRAY_SUPPORTED)
4186    png_free(png_ptr, png_ptr->gamma_from_1);
4187    png_ptr->gamma_from_1 = NULL;
4188    png_free(png_ptr, png_ptr->gamma_to_1);
4189    png_ptr->gamma_to_1 = NULL;
4190 
4191 #ifdef PNG_16BIT_SUPPORTED
4192    if (png_ptr->gamma_16_from_1 != NULL)
4193    {
4194       int i;
4195       int istop = (1 << (8 - png_ptr->gamma_shift));
4196       for (i = 0; i < istop; i++)
4197       {
4198          png_free(png_ptr, png_ptr->gamma_16_from_1[i]);
4199       }
4200    png_free(png_ptr, png_ptr->gamma_16_from_1);
4201    png_ptr->gamma_16_from_1 = NULL;
4202    }
4203    if (png_ptr->gamma_16_to_1 != NULL)
4204    {
4205       int i;
4206       int istop = (1 << (8 - png_ptr->gamma_shift));
4207       for (i = 0; i < istop; i++)
4208       {
4209          png_free(png_ptr, png_ptr->gamma_16_to_1[i]);
4210       }
4211    png_free(png_ptr, png_ptr->gamma_16_to_1);
4212    png_ptr->gamma_16_to_1 = NULL;
4213    }
4214 #endif /* 16BIT */
4215 #endif /* READ_BACKGROUND || READ_ALPHA_MODE || RGB_TO_GRAY */
4216 }
4217 
4218 /* We build the 8- or 16-bit gamma tables here.  Note that for 16-bit
4219  * tables, we don't make a full table if we are reducing to 8-bit in
4220  * the future.  Note also how the gamma_16 tables are segmented so that
4221  * we don't need to allocate > 64K chunks for a full 16-bit table.
4222  */
4223 void /* PRIVATE */
4224 png_build_gamma_table(png_structrp png_ptr, int bit_depth)
4225 {
4226    png_debug(1, "in png_build_gamma_table");
4227 
4228    /* Remove any existing table; this copes with multiple calls to
4229     * png_read_update_info. The warning is because building the gamma tables
4230     * multiple times is a performance hit - it's harmless but the ability to
4231     * call png_read_update_info() multiple times is new in 1.5.6 so it seems
4232     * sensible to warn if the app introduces such a hit.
4233     */
4234    if (png_ptr->gamma_table != NULL || png_ptr->gamma_16_table != NULL)
4235    {
4236       png_warning(png_ptr, "gamma table being rebuilt");
4237       png_destroy_gamma_table(png_ptr);
4238    }
4239 
4240    if (bit_depth <= 8)
4241    {
4242       png_build_8bit_table(png_ptr, &png_ptr->gamma_table,
4243           png_ptr->screen_gamma > 0 ?
4244           png_reciprocal2(png_ptr->colorspace.gamma,
4245           png_ptr->screen_gamma) : PNG_FP_1);
4246 
4247 #if defined(PNG_READ_BACKGROUND_SUPPORTED) || \
4248    defined(PNG_READ_ALPHA_MODE_SUPPORTED) || \
4249    defined(PNG_READ_RGB_TO_GRAY_SUPPORTED)
4250       if ((png_ptr->transformations & (PNG_COMPOSE | PNG_RGB_TO_GRAY)) != 0)
4251       {
4252          png_build_8bit_table(png_ptr, &png_ptr->gamma_to_1,
4253              png_reciprocal(png_ptr->colorspace.gamma));
4254 
4255          png_build_8bit_table(png_ptr, &png_ptr->gamma_from_1,
4256              png_ptr->screen_gamma > 0 ?
4257              png_reciprocal(png_ptr->screen_gamma) :
4258              png_ptr->colorspace.gamma/* Probably doing rgb_to_gray */);
4259       }
4260 #endif /* READ_BACKGROUND || READ_ALPHA_MODE || RGB_TO_GRAY */
4261    }
4262 #ifdef PNG_16BIT_SUPPORTED
4263    else
4264    {
4265       png_byte shift, sig_bit;
4266 
4267       if ((png_ptr->color_type & PNG_COLOR_MASK_COLOR) != 0)
4268       {
4269          sig_bit = png_ptr->sig_bit.red;
4270 
4271          if (png_ptr->sig_bit.green > sig_bit)
4272             sig_bit = png_ptr->sig_bit.green;
4273 
4274          if (png_ptr->sig_bit.blue > sig_bit)
4275             sig_bit = png_ptr->sig_bit.blue;
4276       }
4277       else
4278          sig_bit = png_ptr->sig_bit.gray;
4279 
4280       /* 16-bit gamma code uses this equation:
4281        *
4282        *   ov = table[(iv & 0xff) >> gamma_shift][iv >> 8]
4283        *
4284        * Where 'iv' is the input color value and 'ov' is the output value -
4285        * pow(iv, gamma).
4286        *
4287        * Thus the gamma table consists of up to 256 256-entry tables.  The table
4288        * is selected by the (8-gamma_shift) most significant of the low 8 bits
4289        * of the color value then indexed by the upper 8 bits:
4290        *
4291        *   table[low bits][high 8 bits]
4292        *
4293        * So the table 'n' corresponds to all those 'iv' of:
4294        *
4295        *   <all high 8-bit values><n << gamma_shift>..<(n+1 << gamma_shift)-1>
4296        *
4297        */
4298       if (sig_bit > 0 && sig_bit < 16U)
4299          /* shift == insignificant bits */
4300          shift = (png_byte)((16U - sig_bit) & 0xff);
4301 
4302       else
4303          shift = 0; /* keep all 16 bits */
4304 
4305       if ((png_ptr->transformations & (PNG_16_TO_8 | PNG_SCALE_16_TO_8)) != 0)
4306       {
4307          /* PNG_MAX_GAMMA_8 is the number of bits to keep - effectively
4308           * the significant bits in the *input* when the output will
4309           * eventually be 8 bits.  By default it is 11.
4310           */
4311          if (shift < (16U - PNG_MAX_GAMMA_8))
4312             shift = (16U - PNG_MAX_GAMMA_8);
4313       }
4314 
4315       if (shift > 8U)
4316          shift = 8U; /* Guarantees at least one table! */
4317 
4318       png_ptr->gamma_shift = shift;
4319 
4320       /* NOTE: prior to 1.5.4 this test used to include PNG_BACKGROUND (now
4321        * PNG_COMPOSE).  This effectively smashed the background calculation for
4322        * 16-bit output because the 8-bit table assumes the result will be
4323        * reduced to 8 bits.
4324        */
4325       if ((png_ptr->transformations & (PNG_16_TO_8 | PNG_SCALE_16_TO_8)) != 0)
4326           png_build_16to8_table(png_ptr, &png_ptr->gamma_16_table, shift,
4327           png_ptr->screen_gamma > 0 ? png_product2(png_ptr->colorspace.gamma,
4328           png_ptr->screen_gamma) : PNG_FP_1);
4329 
4330       else
4331           png_build_16bit_table(png_ptr, &png_ptr->gamma_16_table, shift,
4332           png_ptr->screen_gamma > 0 ? png_reciprocal2(png_ptr->colorspace.gamma,
4333           png_ptr->screen_gamma) : PNG_FP_1);
4334 
4335 #if defined(PNG_READ_BACKGROUND_SUPPORTED) || \
4336    defined(PNG_READ_ALPHA_MODE_SUPPORTED) || \
4337    defined(PNG_READ_RGB_TO_GRAY_SUPPORTED)
4338       if ((png_ptr->transformations & (PNG_COMPOSE | PNG_RGB_TO_GRAY)) != 0)
4339       {
4340          png_build_16bit_table(png_ptr, &png_ptr->gamma_16_to_1, shift,
4341              png_reciprocal(png_ptr->colorspace.gamma));
4342 
4343          /* Notice that the '16 from 1' table should be full precision, however
4344           * the lookup on this table still uses gamma_shift, so it can't be.
4345           * TODO: fix this.
4346           */
4347          png_build_16bit_table(png_ptr, &png_ptr->gamma_16_from_1, shift,
4348              png_ptr->screen_gamma > 0 ? png_reciprocal(png_ptr->screen_gamma) :
4349              png_ptr->colorspace.gamma/* Probably doing rgb_to_gray */);
4350       }
4351 #endif /* READ_BACKGROUND || READ_ALPHA_MODE || RGB_TO_GRAY */
4352    }
4353 #endif /* 16BIT */
4354 }
4355 #endif /* READ_GAMMA */
4356 
4357 /* HARDWARE OR SOFTWARE OPTION SUPPORT */
4358 #ifdef PNG_SET_OPTION_SUPPORTED
4359 int PNGAPI
4360 png_set_option(png_structrp png_ptr, int option, int onoff)
4361 {
4362    if (png_ptr != NULL && option >= 0 && option < PNG_OPTION_NEXT &&
4363       (option & 1) == 0)
4364    {
4365       png_uint_32 mask = 3U << option;
4366       png_uint_32 setting = (2U + (onoff != 0)) << option;
4367       png_uint_32 current = png_ptr->options;
4368 
4369       png_ptr->options = (png_uint_32)((current & ~mask) | setting);
4370 
4371       return (int)(current & mask) >> option;
4372    }
4373 
4374    return PNG_OPTION_INVALID;
4375 }
4376 #endif
4377 
4378 /* sRGB support */
4379 #if defined(PNG_SIMPLIFIED_READ_SUPPORTED) ||\
4380    defined(PNG_SIMPLIFIED_WRITE_SUPPORTED)
4381 /* sRGB conversion tables; these are machine generated with the code in
4382  * contrib/tools/makesRGB.c.  The actual sRGB transfer curve defined in the
4383  * specification (see the article at https://en.wikipedia.org/wiki/SRGB)
4384  * is used, not the gamma=1/2.2 approximation use elsewhere in libpng.
4385  * The sRGB to linear table is exact (to the nearest 16-bit linear fraction).
4386  * The inverse (linear to sRGB) table has accuracies as follows:
4387  *
4388  * For all possible (255*65535+1) input values:
4389  *
4390  *    error: -0.515566 - 0.625971, 79441 (0.475369%) of readings inexact
4391  *
4392  * For the input values corresponding to the 65536 16-bit values:
4393  *
4394  *    error: -0.513727 - 0.607759, 308 (0.469978%) of readings inexact
4395  *
4396  * In all cases the inexact readings are only off by one.
4397  */
4398 
4399 #ifdef PNG_SIMPLIFIED_READ_SUPPORTED
4400 /* The convert-to-sRGB table is only currently required for read. */
4401 const png_uint_16 png_sRGB_table[256] =
4402 {
4403    0,20,40,60,80,99,119,139,
4404    159,179,199,219,241,264,288,313,
4405    340,367,396,427,458,491,526,562,
4406    599,637,677,718,761,805,851,898,
4407    947,997,1048,1101,1156,1212,1270,1330,
4408    1391,1453,1517,1583,1651,1720,1790,1863,
4409    1937,2013,2090,2170,2250,2333,2418,2504,
4410    2592,2681,2773,2866,2961,3058,3157,3258,
4411    3360,3464,3570,3678,3788,3900,4014,4129,
4412    4247,4366,4488,4611,4736,4864,4993,5124,
4413    5257,5392,5530,5669,5810,5953,6099,6246,
4414    6395,6547,6700,6856,7014,7174,7335,7500,
4415    7666,7834,8004,8177,8352,8528,8708,8889,
4416    9072,9258,9445,9635,9828,10022,10219,10417,
4417    10619,10822,11028,11235,11446,11658,11873,12090,
4418    12309,12530,12754,12980,13209,13440,13673,13909,
4419    14146,14387,14629,14874,15122,15371,15623,15878,
4420    16135,16394,16656,16920,17187,17456,17727,18001,
4421    18277,18556,18837,19121,19407,19696,19987,20281,
4422    20577,20876,21177,21481,21787,22096,22407,22721,
4423    23038,23357,23678,24002,24329,24658,24990,25325,
4424    25662,26001,26344,26688,27036,27386,27739,28094,
4425    28452,28813,29176,29542,29911,30282,30656,31033,
4426    31412,31794,32179,32567,32957,33350,33745,34143,
4427    34544,34948,35355,35764,36176,36591,37008,37429,
4428    37852,38278,38706,39138,39572,40009,40449,40891,
4429    41337,41785,42236,42690,43147,43606,44069,44534,
4430    45002,45473,45947,46423,46903,47385,47871,48359,
4431    48850,49344,49841,50341,50844,51349,51858,52369,
4432    52884,53401,53921,54445,54971,55500,56032,56567,
4433    57105,57646,58190,58737,59287,59840,60396,60955,
4434    61517,62082,62650,63221,63795,64372,64952,65535
4435 };
4436 #endif /* SIMPLIFIED_READ */
4437 
4438 /* The base/delta tables are required for both read and write (but currently
4439  * only the simplified versions.)
4440  */
4441 const png_uint_16 png_sRGB_base[512] =
4442 {
4443    128,1782,3383,4644,5675,6564,7357,8074,
4444    8732,9346,9921,10463,10977,11466,11935,12384,
4445    12816,13233,13634,14024,14402,14769,15125,15473,
4446    15812,16142,16466,16781,17090,17393,17690,17981,
4447    18266,18546,18822,19093,19359,19621,19879,20133,
4448    20383,20630,20873,21113,21349,21583,21813,22041,
4449    22265,22487,22707,22923,23138,23350,23559,23767,
4450    23972,24175,24376,24575,24772,24967,25160,25352,
4451    25542,25730,25916,26101,26284,26465,26645,26823,
4452    27000,27176,27350,27523,27695,27865,28034,28201,
4453    28368,28533,28697,28860,29021,29182,29341,29500,
4454    29657,29813,29969,30123,30276,30429,30580,30730,
4455    30880,31028,31176,31323,31469,31614,31758,31902,
4456    32045,32186,32327,32468,32607,32746,32884,33021,
4457    33158,33294,33429,33564,33697,33831,33963,34095,
4458    34226,34357,34486,34616,34744,34873,35000,35127,
4459    35253,35379,35504,35629,35753,35876,35999,36122,
4460    36244,36365,36486,36606,36726,36845,36964,37083,
4461    37201,37318,37435,37551,37668,37783,37898,38013,
4462    38127,38241,38354,38467,38580,38692,38803,38915,
4463    39026,39136,39246,39356,39465,39574,39682,39790,
4464    39898,40005,40112,40219,40325,40431,40537,40642,
4465    40747,40851,40955,41059,41163,41266,41369,41471,
4466    41573,41675,41777,41878,41979,42079,42179,42279,
4467    42379,42478,42577,42676,42775,42873,42971,43068,
4468    43165,43262,43359,43456,43552,43648,43743,43839,
4469    43934,44028,44123,44217,44311,44405,44499,44592,
4470    44685,44778,44870,44962,45054,45146,45238,45329,
4471    45420,45511,45601,45692,45782,45872,45961,46051,
4472    46140,46229,46318,46406,46494,46583,46670,46758,
4473    46846,46933,47020,47107,47193,47280,47366,47452,
4474    47538,47623,47709,47794,47879,47964,48048,48133,
4475    48217,48301,48385,48468,48552,48635,48718,48801,
4476    48884,48966,49048,49131,49213,49294,49376,49458,
4477    49539,49620,49701,49782,49862,49943,50023,50103,
4478    50183,50263,50342,50422,50501,50580,50659,50738,
4479    50816,50895,50973,51051,51129,51207,51285,51362,
4480    51439,51517,51594,51671,51747,51824,51900,51977,
4481    52053,52129,52205,52280,52356,52432,52507,52582,
4482    52657,52732,52807,52881,52956,53030,53104,53178,
4483    53252,53326,53400,53473,53546,53620,53693,53766,
4484    53839,53911,53984,54056,54129,54201,54273,54345,
4485    54417,54489,54560,54632,54703,54774,54845,54916,
4486    54987,55058,55129,55199,55269,55340,55410,55480,
4487    55550,55620,55689,55759,55828,55898,55967,56036,
4488    56105,56174,56243,56311,56380,56448,56517,56585,
4489    56653,56721,56789,56857,56924,56992,57059,57127,
4490    57194,57261,57328,57395,57462,57529,57595,57662,
4491    57728,57795,57861,57927,57993,58059,58125,58191,
4492    58256,58322,58387,58453,58518,58583,58648,58713,
4493    58778,58843,58908,58972,59037,59101,59165,59230,
4494    59294,59358,59422,59486,59549,59613,59677,59740,
4495    59804,59867,59930,59993,60056,60119,60182,60245,
4496    60308,60370,60433,60495,60558,60620,60682,60744,
4497    60806,60868,60930,60992,61054,61115,61177,61238,
4498    61300,61361,61422,61483,61544,61605,61666,61727,
4499    61788,61848,61909,61969,62030,62090,62150,62211,
4500    62271,62331,62391,62450,62510,62570,62630,62689,
4501    62749,62808,62867,62927,62986,63045,63104,63163,
4502    63222,63281,63340,63398,63457,63515,63574,63632,
4503    63691,63749,63807,63865,63923,63981,64039,64097,
4504    64155,64212,64270,64328,64385,64443,64500,64557,
4505    64614,64672,64729,64786,64843,64900,64956,65013,
4506    65070,65126,65183,65239,65296,65352,65409,65465
4507 };
4508 
4509 const png_byte png_sRGB_delta[512] =
4510 {
4511    207,201,158,129,113,100,90,82,77,72,68,64,61,59,56,54,
4512    52,50,49,47,46,45,43,42,41,40,39,39,38,37,36,36,
4513    35,34,34,33,33,32,32,31,31,30,30,30,29,29,28,28,
4514    28,27,27,27,27,26,26,26,25,25,25,25,24,24,24,24,
4515    23,23,23,23,23,22,22,22,22,22,22,21,21,21,21,21,
4516    21,20,20,20,20,20,20,20,20,19,19,19,19,19,19,19,
4517    19,18,18,18,18,18,18,18,18,18,18,17,17,17,17,17,
4518    17,17,17,17,17,17,16,16,16,16,16,16,16,16,16,16,
4519    16,16,16,16,15,15,15,15,15,15,15,15,15,15,15,15,
4520    15,15,15,15,14,14,14,14,14,14,14,14,14,14,14,14,
4521    14,14,14,14,14,14,14,13,13,13,13,13,13,13,13,13,
4522    13,13,13,13,13,13,13,13,13,13,13,13,13,13,12,12,
4523    12,12,12,12,12,12,12,12,12,12,12,12,12,12,12,12,
4524    12,12,12,12,12,12,12,12,12,12,12,12,11,11,11,11,
4525    11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,
4526    11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,
4527    11,10,10,10,10,10,10,10,10,10,10,10,10,10,10,10,
4528    10,10,10,10,10,10,10,10,10,10,10,10,10,10,10,10,
4529    10,10,10,10,10,10,10,10,10,10,10,10,10,10,10,10,
4530    10,9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,
4531    9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,
4532    9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,
4533    9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,
4534    9,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,
4535    8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,
4536    8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,
4537    8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,
4538    8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,
4539    8,8,8,8,8,8,8,8,8,7,7,7,7,7,7,7,
4540    7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,
4541    7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,
4542    7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,7
4543 };
4544 #endif /* SIMPLIFIED READ/WRITE sRGB support */
4545 
4546 /* SIMPLIFIED READ/WRITE SUPPORT */
4547 #if defined(PNG_SIMPLIFIED_READ_SUPPORTED) ||\
4548    defined(PNG_SIMPLIFIED_WRITE_SUPPORTED)
4549 static int
4550 png_image_free_function(png_voidp argument)
4551 {
4552    png_imagep image = png_voidcast(png_imagep, argument);
4553    png_controlp cp = image->opaque;
4554    png_control c;
4555 
4556    /* Double check that we have a png_ptr - it should be impossible to get here
4557     * without one.
4558     */
4559    if (cp->png_ptr == NULL)
4560       return 0;
4561 
4562    /* First free any data held in the control structure. */
4563 #  ifdef PNG_STDIO_SUPPORTED
4564       if (cp->owned_file != 0)
4565       {
4566          FILE *fp = png_voidcast(FILE*, cp->png_ptr->io_ptr);
4567          cp->owned_file = 0;
4568 
4569          /* Ignore errors here. */
4570          if (fp != NULL)
4571          {
4572             cp->png_ptr->io_ptr = NULL;
4573             (void)fclose(fp);
4574          }
4575       }
4576 #  endif
4577 
4578    /* Copy the control structure so that the original, allocated, version can be
4579     * safely freed.  Notice that a png_error here stops the remainder of the
4580     * cleanup, but this is probably fine because that would indicate bad memory
4581     * problems anyway.
4582     */
4583    c = *cp;
4584    image->opaque = &c;
4585    png_free(c.png_ptr, cp);
4586 
4587    /* Then the structures, calling the correct API. */
4588    if (c.for_write != 0)
4589    {
4590 #     ifdef PNG_SIMPLIFIED_WRITE_SUPPORTED
4591          png_destroy_write_struct(&c.png_ptr, &c.info_ptr);
4592 #     else
4593          png_error(c.png_ptr, "simplified write not supported");
4594 #     endif
4595    }
4596    else
4597    {
4598 #     ifdef PNG_SIMPLIFIED_READ_SUPPORTED
4599          png_destroy_read_struct(&c.png_ptr, &c.info_ptr, NULL);
4600 #     else
4601          png_error(c.png_ptr, "simplified read not supported");
4602 #     endif
4603    }
4604 
4605    /* Success. */
4606    return 1;
4607 }
4608 
4609 void PNGAPI
4610 png_image_free(png_imagep image)
4611 {
4612    /* Safely call the real function, but only if doing so is safe at this point
4613     * (if not inside an error handling context).  Otherwise assume
4614     * png_safe_execute will call this API after the return.
4615     */
4616    if (image != NULL && image->opaque != NULL &&
4617       image->opaque->error_buf == NULL)
4618    {
4619       png_image_free_function(image);
4620       image->opaque = NULL;
4621    }
4622 }
4623 
4624 int /* PRIVATE */
4625 png_image_error(png_imagep image, png_const_charp error_message)
4626 {
4627    /* Utility to log an error. */
4628    png_safecat(image->message, (sizeof image->message), 0, error_message);
4629    image->warning_or_error |= PNG_IMAGE_ERROR;
4630    png_image_free(image);
4631    return 0;
4632 }
4633 
4634 #endif /* SIMPLIFIED READ/WRITE */
4635 #endif /* READ || WRITE */
--- EOF ---