1
2 /* png.c - location for general purpose libpng functions
3 *
4 * Copyright (c) 2018-2024 Cosmin Truta
5 * Copyright (c) 1998-2002,2004,2006-2018 Glenn Randers-Pehrson
6 * Copyright (c) 1996-1997 Andreas Dilger
7 * Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc.
8 *
9 * This code is released under the libpng license.
10 * For conditions of distribution and use, see the disclaimer
11 * and license in png.h
12 */
13
14 #include "pngpriv.h"
15
16 /* Generate a compiler error if there is an old png.h in the search path. */
17 typedef png_libpng_version_1_6_44 Your_png_h_is_not_version_1_6_44;
18
19 /* Tells libpng that we have already handled the first "num_bytes" bytes
20 * of the PNG file signature. If the PNG data is embedded into another
21 * stream we can set num_bytes = 8 so that libpng will not attempt to read
22 * or write any of the magic bytes before it starts on the IHDR.
23 */
24
25 #ifdef PNG_READ_SUPPORTED
26 void PNGAPI
png_set_sig_bytes(png_structrp png_ptr,int num_bytes)27 png_set_sig_bytes(png_structrp png_ptr, int num_bytes)
28 {
29 unsigned int nb = (unsigned int)num_bytes;
30
31 png_debug(1, "in png_set_sig_bytes");
32
33 if (png_ptr == NULL)
34 return;
35
36 if (num_bytes < 0)
37 nb = 0;
38
39 if (nb > 8)
40 png_error(png_ptr, "Too many bytes for PNG signature");
41
42 png_ptr->sig_bytes = (png_byte)nb;
43 }
44
45 /* Checks whether the supplied bytes match the PNG signature. We allow
46 * checking less than the full 8-byte signature so that those apps that
47 * already read the first few bytes of a file to determine the file type
48 * can simply check the remaining bytes for extra assurance. Returns
49 * an integer less than, equal to, or greater than zero if sig is found,
50 * respectively, to be less than, to match, or be greater than the correct
51 * PNG signature (this is the same behavior as strcmp, memcmp, etc).
52 */
53 int PNGAPI
png_sig_cmp(png_const_bytep sig,size_t start,size_t num_to_check)54 png_sig_cmp(png_const_bytep sig, size_t start, size_t num_to_check)
55 {
56 static const png_byte png_signature[8] = {137, 80, 78, 71, 13, 10, 26, 10};
57
58 if (num_to_check > 8)
59 num_to_check = 8;
60
61 else if (num_to_check < 1)
62 return -1;
63
64 if (start > 7)
65 return -1;
66
67 if (start + num_to_check > 8)
68 num_to_check = 8 - start;
69
70 return memcmp(&sig[start], &png_signature[start], num_to_check);
71 }
72
73 #endif /* READ */
74
75 #if defined(PNG_READ_SUPPORTED) || defined(PNG_WRITE_SUPPORTED)
76 /* Function to allocate memory for zlib */
77 PNG_FUNCTION(voidpf /* PRIVATE */,
78 png_zalloc,(voidpf png_ptr, uInt items, uInt size),PNG_ALLOCATED)
79 {
80 png_alloc_size_t num_bytes = size;
81
82 if (png_ptr == NULL)
83 return NULL;
84
85 if (items >= (~(png_alloc_size_t)0)/size)
86 {
87 png_warning (png_voidcast(png_structrp, png_ptr),
88 "Potential overflow in png_zalloc()");
89 return NULL;
90 }
91
92 num_bytes *= items;
93 return png_malloc_warn(png_voidcast(png_structrp, png_ptr), num_bytes);
94 }
95
96 /* Function to free memory for zlib */
97 void /* PRIVATE */
png_zfree(voidpf png_ptr,voidpf ptr)98 png_zfree(voidpf png_ptr, voidpf ptr)
99 {
100 png_free(png_voidcast(png_const_structrp,png_ptr), ptr);
101 }
102
103 /* Reset the CRC variable to 32 bits of 1's. Care must be taken
104 * in case CRC is > 32 bits to leave the top bits 0.
105 */
106 void /* PRIVATE */
png_reset_crc(png_structrp png_ptr)107 png_reset_crc(png_structrp png_ptr)
108 {
109 /* The cast is safe because the crc is a 32-bit value. */
110 png_ptr->crc = (png_uint_32)crc32(0, Z_NULL, 0);
111 }
112
113 /* Calculate the CRC over a section of data. We can only pass as
114 * much data to this routine as the largest single buffer size. We
115 * also check that this data will actually be used before going to the
116 * trouble of calculating it.
117 */
118 void /* PRIVATE */
png_calculate_crc(png_structrp png_ptr,png_const_bytep ptr,size_t length)119 png_calculate_crc(png_structrp png_ptr, png_const_bytep ptr, size_t length)
120 {
121 int need_crc = 1;
122
123 if (PNG_CHUNK_ANCILLARY(png_ptr->chunk_name) != 0)
124 {
125 if ((png_ptr->flags & PNG_FLAG_CRC_ANCILLARY_MASK) ==
126 (PNG_FLAG_CRC_ANCILLARY_USE | PNG_FLAG_CRC_ANCILLARY_NOWARN))
127 need_crc = 0;
128 }
129
130 else /* critical */
131 {
132 if ((png_ptr->flags & PNG_FLAG_CRC_CRITICAL_IGNORE) != 0)
133 need_crc = 0;
134 }
135
136 /* 'uLong' is defined in zlib.h as unsigned long; this means that on some
137 * systems it is a 64-bit value. crc32, however, returns 32 bits so the
138 * following cast is safe. 'uInt' may be no more than 16 bits, so it is
139 * necessary to perform a loop here.
140 */
141 if (need_crc != 0 && length > 0)
142 {
143 uLong crc = png_ptr->crc; /* Should never issue a warning */
144
145 do
146 {
147 uInt safe_length = (uInt)length;
148 #ifndef __COVERITY__
149 if (safe_length == 0)
150 safe_length = (uInt)-1; /* evil, but safe */
151 #endif
152
153 crc = crc32(crc, ptr, safe_length);
154
155 /* The following should never issue compiler warnings; if they do the
156 * target system has characteristics that will probably violate other
157 * assumptions within the libpng code.
158 */
159 ptr += safe_length;
160 length -= safe_length;
161 }
162 while (length > 0);
163
164 /* And the following is always safe because the crc is only 32 bits. */
165 png_ptr->crc = (png_uint_32)crc;
166 }
167 }
168
169 /* Check a user supplied version number, called from both read and write
170 * functions that create a png_struct.
171 */
172 int
png_user_version_check(png_structrp png_ptr,png_const_charp user_png_ver)173 png_user_version_check(png_structrp png_ptr, png_const_charp user_png_ver)
174 {
175 /* Libpng versions 1.0.0 and later are binary compatible if the version
176 * string matches through the second '.'; we must recompile any
177 * applications that use any older library version.
178 */
179
180 if (user_png_ver != NULL)
181 {
182 int i = -1;
183 int found_dots = 0;
184
185 do
186 {
187 i++;
188 if (user_png_ver[i] != PNG_LIBPNG_VER_STRING[i])
189 png_ptr->flags |= PNG_FLAG_LIBRARY_MISMATCH;
190 if (user_png_ver[i] == '.')
191 found_dots++;
192 } while (found_dots < 2 && user_png_ver[i] != 0 &&
193 PNG_LIBPNG_VER_STRING[i] != 0);
194 }
195
196 else
197 png_ptr->flags |= PNG_FLAG_LIBRARY_MISMATCH;
198
199 if ((png_ptr->flags & PNG_FLAG_LIBRARY_MISMATCH) != 0)
200 {
201 #ifdef PNG_WARNINGS_SUPPORTED
202 size_t pos = 0;
203 char m[128];
204
205 pos = png_safecat(m, (sizeof m), pos,
206 "Application built with libpng-");
207 pos = png_safecat(m, (sizeof m), pos, user_png_ver);
208 pos = png_safecat(m, (sizeof m), pos, " but running with ");
209 pos = png_safecat(m, (sizeof m), pos, PNG_LIBPNG_VER_STRING);
210 PNG_UNUSED(pos)
211
212 png_warning(png_ptr, m);
213 #endif
214
215 #ifdef PNG_ERROR_NUMBERS_SUPPORTED
216 png_ptr->flags = 0;
217 #endif
218
219 return 0;
220 }
221
222 /* Success return. */
223 return 1;
224 }
225
226 /* Generic function to create a png_struct for either read or write - this
227 * contains the common initialization.
228 */
229 PNG_FUNCTION(png_structp /* PRIVATE */,
230 png_create_png_struct,(png_const_charp user_png_ver, png_voidp error_ptr,
231 png_error_ptr error_fn, png_error_ptr warn_fn, png_voidp mem_ptr,
232 png_malloc_ptr malloc_fn, png_free_ptr free_fn),PNG_ALLOCATED)
233 {
234 png_struct create_struct;
235 # ifdef PNG_SETJMP_SUPPORTED
236 jmp_buf create_jmp_buf;
237 # endif
238
239 /* This temporary stack-allocated structure is used to provide a place to
240 * build enough context to allow the user provided memory allocator (if any)
241 * to be called.
242 */
243 memset(&create_struct, 0, (sizeof create_struct));
244
245 /* Added at libpng-1.2.6 */
246 # ifdef PNG_USER_LIMITS_SUPPORTED
247 create_struct.user_width_max = PNG_USER_WIDTH_MAX;
248 create_struct.user_height_max = PNG_USER_HEIGHT_MAX;
249
250 # ifdef PNG_USER_CHUNK_CACHE_MAX
251 /* Added at libpng-1.2.43 and 1.4.0 */
252 create_struct.user_chunk_cache_max = PNG_USER_CHUNK_CACHE_MAX;
253 # endif
254
255 # ifdef PNG_USER_CHUNK_MALLOC_MAX
256 /* Added at libpng-1.2.43 and 1.4.1, required only for read but exists
257 * in png_struct regardless.
258 */
259 create_struct.user_chunk_malloc_max = PNG_USER_CHUNK_MALLOC_MAX;
260 # endif
261 # endif
262
263 /* The following two API calls simply set fields in png_struct, so it is safe
264 * to do them now even though error handling is not yet set up.
265 */
266 # ifdef PNG_USER_MEM_SUPPORTED
267 png_set_mem_fn(&create_struct, mem_ptr, malloc_fn, free_fn);
268 # else
269 PNG_UNUSED(mem_ptr)
270 PNG_UNUSED(malloc_fn)
271 PNG_UNUSED(free_fn)
272 # endif
273
274 /* (*error_fn) can return control to the caller after the error_ptr is set,
275 * this will result in a memory leak unless the error_fn does something
276 * extremely sophisticated. The design lacks merit but is implicit in the
277 * API.
278 */
279 png_set_error_fn(&create_struct, error_ptr, error_fn, warn_fn);
280
281 # ifdef PNG_SETJMP_SUPPORTED
282 if (!setjmp(create_jmp_buf))
283 # endif
284 {
285 # ifdef PNG_SETJMP_SUPPORTED
286 /* Temporarily fake out the longjmp information until we have
287 * successfully completed this function. This only works if we have
288 * setjmp() support compiled in, but it is safe - this stuff should
289 * never happen.
290 */
291 create_struct.jmp_buf_ptr = &create_jmp_buf;
292 create_struct.jmp_buf_size = 0; /*stack allocation*/
293 create_struct.longjmp_fn = longjmp;
294 # endif
295 /* Call the general version checker (shared with read and write code):
296 */
297 if (png_user_version_check(&create_struct, user_png_ver) != 0)
298 {
299 png_structrp png_ptr = png_voidcast(png_structrp,
300 png_malloc_warn(&create_struct, (sizeof *png_ptr)));
301
302 if (png_ptr != NULL)
303 {
304 /* png_ptr->zstream holds a back-pointer to the png_struct, so
305 * this can only be done now:
306 */
307 create_struct.zstream.zalloc = png_zalloc;
308 create_struct.zstream.zfree = png_zfree;
309 create_struct.zstream.opaque = png_ptr;
310
311 # ifdef PNG_SETJMP_SUPPORTED
312 /* Eliminate the local error handling: */
313 create_struct.jmp_buf_ptr = NULL;
314 create_struct.jmp_buf_size = 0;
315 create_struct.longjmp_fn = 0;
316 # endif
317
318 *png_ptr = create_struct;
319
320 /* This is the successful return point */
321 return png_ptr;
322 }
323 }
324 }
325
326 /* A longjmp because of a bug in the application storage allocator or a
327 * simple failure to allocate the png_struct.
328 */
329 return NULL;
330 }
331
332 /* Allocate the memory for an info_struct for the application. */
333 PNG_FUNCTION(png_infop,PNGAPI
334 png_create_info_struct,(png_const_structrp png_ptr),PNG_ALLOCATED)
335 {
336 png_inforp info_ptr;
337
338 png_debug(1, "in png_create_info_struct");
339
340 if (png_ptr == NULL)
341 return NULL;
342
343 /* Use the internal API that does not (or at least should not) error out, so
344 * that this call always returns ok. The application typically sets up the
345 * error handling *after* creating the info_struct because this is the way it
346 * has always been done in 'example.c'.
347 */
348 info_ptr = png_voidcast(png_inforp, png_malloc_base(png_ptr,
349 (sizeof *info_ptr)));
350
351 if (info_ptr != NULL)
352 memset(info_ptr, 0, (sizeof *info_ptr));
353
354 return info_ptr;
355 }
356
357 /* This function frees the memory associated with a single info struct.
358 * Normally, one would use either png_destroy_read_struct() or
359 * png_destroy_write_struct() to free an info struct, but this may be
360 * useful for some applications. From libpng 1.6.0 this function is also used
361 * internally to implement the png_info release part of the 'struct' destroy
362 * APIs. This ensures that all possible approaches free the same data (all of
363 * it).
364 */
365 void PNGAPI
png_destroy_info_struct(png_const_structrp png_ptr,png_infopp info_ptr_ptr)366 png_destroy_info_struct(png_const_structrp png_ptr, png_infopp info_ptr_ptr)
367 {
368 png_inforp info_ptr = NULL;
369
370 png_debug(1, "in png_destroy_info_struct");
371
372 if (png_ptr == NULL)
373 return;
374
375 if (info_ptr_ptr != NULL)
376 info_ptr = *info_ptr_ptr;
377
378 if (info_ptr != NULL)
379 {
380 /* Do this first in case of an error below; if the app implements its own
381 * memory management this can lead to png_free calling png_error, which
382 * will abort this routine and return control to the app error handler.
383 * An infinite loop may result if it then tries to free the same info
384 * ptr.
385 */
386 *info_ptr_ptr = NULL;
387
388 png_free_data(png_ptr, info_ptr, PNG_FREE_ALL, -1);
389 memset(info_ptr, 0, (sizeof *info_ptr));
390 png_free(png_ptr, info_ptr);
391 }
392 }
393
394 /* Initialize the info structure. This is now an internal function (0.89)
395 * and applications using it are urged to use png_create_info_struct()
396 * instead. Use deprecated in 1.6.0, internal use removed (used internally it
397 * is just a memset).
398 *
399 * NOTE: it is almost inconceivable that this API is used because it bypasses
400 * the user-memory mechanism and the user error handling/warning mechanisms in
401 * those cases where it does anything other than a memset.
402 */
403 PNG_FUNCTION(void,PNGAPI
404 png_info_init_3,(png_infopp ptr_ptr, size_t png_info_struct_size),
405 PNG_DEPRECATED)
406 {
407 png_inforp info_ptr = *ptr_ptr;
408
409 png_debug(1, "in png_info_init_3");
410
411 if (info_ptr == NULL)
412 return;
413
414 if ((sizeof (png_info)) > png_info_struct_size)
415 {
416 *ptr_ptr = NULL;
417 /* The following line is why this API should not be used: */
418 free(info_ptr);
419 info_ptr = png_voidcast(png_inforp, png_malloc_base(NULL,
420 (sizeof *info_ptr)));
421 if (info_ptr == NULL)
422 return;
423 *ptr_ptr = info_ptr;
424 }
425
426 /* Set everything to 0 */
427 memset(info_ptr, 0, (sizeof *info_ptr));
428 }
429
430 void PNGAPI
png_data_freer(png_const_structrp png_ptr,png_inforp info_ptr,int freer,png_uint_32 mask)431 png_data_freer(png_const_structrp png_ptr, png_inforp info_ptr,
432 int freer, png_uint_32 mask)
433 {
434 png_debug(1, "in png_data_freer");
435
436 if (png_ptr == NULL || info_ptr == NULL)
437 return;
438
439 if (freer == PNG_DESTROY_WILL_FREE_DATA)
440 info_ptr->free_me |= mask;
441
442 else if (freer == PNG_USER_WILL_FREE_DATA)
443 info_ptr->free_me &= ~mask;
444
445 else
446 png_error(png_ptr, "Unknown freer parameter in png_data_freer");
447 }
448
449 void PNGAPI
png_free_data(png_const_structrp png_ptr,png_inforp info_ptr,png_uint_32 mask,int num)450 png_free_data(png_const_structrp png_ptr, png_inforp info_ptr, png_uint_32 mask,
451 int num)
452 {
453 png_debug(1, "in png_free_data");
454
455 if (png_ptr == NULL || info_ptr == NULL)
456 return;
457
458 #ifdef PNG_TEXT_SUPPORTED
459 /* Free text item num or (if num == -1) all text items */
460 if (info_ptr->text != NULL &&
461 ((mask & PNG_FREE_TEXT) & info_ptr->free_me) != 0)
462 {
463 if (num != -1)
464 {
465 png_free(png_ptr, info_ptr->text[num].key);
466 info_ptr->text[num].key = NULL;
467 }
468
469 else
470 {
471 int i;
472
473 for (i = 0; i < info_ptr->num_text; i++)
474 png_free(png_ptr, info_ptr->text[i].key);
475
476 png_free(png_ptr, info_ptr->text);
477 info_ptr->text = NULL;
478 info_ptr->num_text = 0;
479 info_ptr->max_text = 0;
480 }
481 }
482 #endif
483
484 #ifdef PNG_tRNS_SUPPORTED
485 /* Free any tRNS entry */
486 if (((mask & PNG_FREE_TRNS) & info_ptr->free_me) != 0)
487 {
488 info_ptr->valid &= ~PNG_INFO_tRNS;
489 png_free(png_ptr, info_ptr->trans_alpha);
490 info_ptr->trans_alpha = NULL;
491 info_ptr->num_trans = 0;
492 }
493 #endif
494
495 #ifdef PNG_sCAL_SUPPORTED
496 /* Free any sCAL entry */
497 if (((mask & PNG_FREE_SCAL) & info_ptr->free_me) != 0)
498 {
499 png_free(png_ptr, info_ptr->scal_s_width);
500 png_free(png_ptr, info_ptr->scal_s_height);
501 info_ptr->scal_s_width = NULL;
502 info_ptr->scal_s_height = NULL;
503 info_ptr->valid &= ~PNG_INFO_sCAL;
504 }
505 #endif
506
507 #ifdef PNG_pCAL_SUPPORTED
508 /* Free any pCAL entry */
509 if (((mask & PNG_FREE_PCAL) & info_ptr->free_me) != 0)
510 {
511 png_free(png_ptr, info_ptr->pcal_purpose);
512 png_free(png_ptr, info_ptr->pcal_units);
513 info_ptr->pcal_purpose = NULL;
514 info_ptr->pcal_units = NULL;
515
516 if (info_ptr->pcal_params != NULL)
517 {
518 int i;
519
520 for (i = 0; i < info_ptr->pcal_nparams; i++)
521 png_free(png_ptr, info_ptr->pcal_params[i]);
522
523 png_free(png_ptr, info_ptr->pcal_params);
524 info_ptr->pcal_params = NULL;
525 }
526 info_ptr->valid &= ~PNG_INFO_pCAL;
527 }
528 #endif
529
530 #ifdef PNG_iCCP_SUPPORTED
531 /* Free any profile entry */
532 if (((mask & PNG_FREE_ICCP) & info_ptr->free_me) != 0)
533 {
534 png_free(png_ptr, info_ptr->iccp_name);
535 png_free(png_ptr, info_ptr->iccp_profile);
536 info_ptr->iccp_name = NULL;
537 info_ptr->iccp_profile = NULL;
538 info_ptr->valid &= ~PNG_INFO_iCCP;
539 }
540 #endif
541
542 #ifdef PNG_sPLT_SUPPORTED
543 /* Free a given sPLT entry, or (if num == -1) all sPLT entries */
544 if (info_ptr->splt_palettes != NULL &&
545 ((mask & PNG_FREE_SPLT) & info_ptr->free_me) != 0)
546 {
547 if (num != -1)
548 {
549 png_free(png_ptr, info_ptr->splt_palettes[num].name);
550 png_free(png_ptr, info_ptr->splt_palettes[num].entries);
551 info_ptr->splt_palettes[num].name = NULL;
552 info_ptr->splt_palettes[num].entries = NULL;
553 }
554
555 else
556 {
557 int i;
558
559 for (i = 0; i < info_ptr->splt_palettes_num; i++)
560 {
561 png_free(png_ptr, info_ptr->splt_palettes[i].name);
562 png_free(png_ptr, info_ptr->splt_palettes[i].entries);
563 }
564
565 png_free(png_ptr, info_ptr->splt_palettes);
566 info_ptr->splt_palettes = NULL;
567 info_ptr->splt_palettes_num = 0;
568 info_ptr->valid &= ~PNG_INFO_sPLT;
569 }
570 }
571 #endif
572
573 #ifdef PNG_STORE_UNKNOWN_CHUNKS_SUPPORTED
574 if (info_ptr->unknown_chunks != NULL &&
575 ((mask & PNG_FREE_UNKN) & info_ptr->free_me) != 0)
576 {
577 if (num != -1)
578 {
579 png_free(png_ptr, info_ptr->unknown_chunks[num].data);
580 info_ptr->unknown_chunks[num].data = NULL;
581 }
582
583 else
584 {
585 int i;
586
587 for (i = 0; i < info_ptr->unknown_chunks_num; i++)
588 png_free(png_ptr, info_ptr->unknown_chunks[i].data);
589
590 png_free(png_ptr, info_ptr->unknown_chunks);
591 info_ptr->unknown_chunks = NULL;
592 info_ptr->unknown_chunks_num = 0;
593 }
594 }
595 #endif
596
597 #ifdef PNG_eXIf_SUPPORTED
598 /* Free any eXIf entry */
599 if (((mask & PNG_FREE_EXIF) & info_ptr->free_me) != 0)
600 {
601 # ifdef PNG_READ_eXIf_SUPPORTED
602 if (info_ptr->eXIf_buf)
603 {
604 png_free(png_ptr, info_ptr->eXIf_buf);
605 info_ptr->eXIf_buf = NULL;
606 }
607 # endif
608 if (info_ptr->exif)
609 {
610 png_free(png_ptr, info_ptr->exif);
611 info_ptr->exif = NULL;
612 }
613 info_ptr->valid &= ~PNG_INFO_eXIf;
614 }
615 #endif
616
617 #ifdef PNG_hIST_SUPPORTED
618 /* Free any hIST entry */
619 if (((mask & PNG_FREE_HIST) & info_ptr->free_me) != 0)
620 {
621 png_free(png_ptr, info_ptr->hist);
622 info_ptr->hist = NULL;
623 info_ptr->valid &= ~PNG_INFO_hIST;
624 }
625 #endif
626
627 /* Free any PLTE entry that was internally allocated */
628 if (((mask & PNG_FREE_PLTE) & info_ptr->free_me) != 0)
629 {
630 png_free(png_ptr, info_ptr->palette);
631 info_ptr->palette = NULL;
632 info_ptr->valid &= ~PNG_INFO_PLTE;
633 info_ptr->num_palette = 0;
634 }
635
636 #ifdef PNG_INFO_IMAGE_SUPPORTED
637 /* Free any image bits attached to the info structure */
638 if (((mask & PNG_FREE_ROWS) & info_ptr->free_me) != 0)
639 {
640 if (info_ptr->row_pointers != NULL)
641 {
642 png_uint_32 row;
643 for (row = 0; row < info_ptr->height; row++)
644 png_free(png_ptr, info_ptr->row_pointers[row]);
645
646 png_free(png_ptr, info_ptr->row_pointers);
647 info_ptr->row_pointers = NULL;
648 }
649 info_ptr->valid &= ~PNG_INFO_IDAT;
650 }
651 #endif
652
653 if (num != -1)
654 mask &= ~PNG_FREE_MUL;
655
656 info_ptr->free_me &= ~mask;
657 }
658 #endif /* READ || WRITE */
659
660 /* This function returns a pointer to the io_ptr associated with the user
661 * functions. The application should free any memory associated with this
662 * pointer before png_write_destroy() or png_read_destroy() are called.
663 */
664 png_voidp PNGAPI
png_get_io_ptr(png_const_structrp png_ptr)665 png_get_io_ptr(png_const_structrp png_ptr)
666 {
667 if (png_ptr == NULL)
668 return NULL;
669
670 return png_ptr->io_ptr;
671 }
672
673 #if defined(PNG_READ_SUPPORTED) || defined(PNG_WRITE_SUPPORTED)
674 # ifdef PNG_STDIO_SUPPORTED
675 /* Initialize the default input/output functions for the PNG file. If you
676 * use your own read or write routines, you can call either png_set_read_fn()
677 * or png_set_write_fn() instead of png_init_io(). If you have defined
678 * PNG_NO_STDIO or otherwise disabled PNG_STDIO_SUPPORTED, you must use a
679 * function of your own because "FILE *" isn't necessarily available.
680 */
681 void PNGAPI
png_init_io(png_structrp png_ptr,png_FILE_p fp)682 png_init_io(png_structrp png_ptr, png_FILE_p fp)
683 {
684 png_debug(1, "in png_init_io");
685
686 if (png_ptr == NULL)
687 return;
688
689 png_ptr->io_ptr = (png_voidp)fp;
690 }
691 # endif
692
693 # ifdef PNG_SAVE_INT_32_SUPPORTED
694 /* PNG signed integers are saved in 32-bit 2's complement format. ANSI C-90
695 * defines a cast of a signed integer to an unsigned integer either to preserve
696 * the value, if it is positive, or to calculate:
697 *
698 * (UNSIGNED_MAX+1) + integer
699 *
700 * Where UNSIGNED_MAX is the appropriate maximum unsigned value, so when the
701 * negative integral value is added the result will be an unsigned value
702 * corresponding to the 2's complement representation.
703 */
704 void PNGAPI
png_save_int_32(png_bytep buf,png_int_32 i)705 png_save_int_32(png_bytep buf, png_int_32 i)
706 {
707 png_save_uint_32(buf, (png_uint_32)i);
708 }
709 # endif
710
711 # ifdef PNG_TIME_RFC1123_SUPPORTED
712 /* Convert the supplied time into an RFC 1123 string suitable for use in
713 * a "Creation Time" or other text-based time string.
714 */
715 int PNGAPI
png_convert_to_rfc1123_buffer(char out[29],png_const_timep ptime)716 png_convert_to_rfc1123_buffer(char out[29], png_const_timep ptime)
717 {
718 static const char short_months[12][4] =
719 {"Jan", "Feb", "Mar", "Apr", "May", "Jun",
720 "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"};
721
722 if (out == NULL)
723 return 0;
724
725 if (ptime->year > 9999 /* RFC1123 limitation */ ||
726 ptime->month == 0 || ptime->month > 12 ||
727 ptime->day == 0 || ptime->day > 31 ||
728 ptime->hour > 23 || ptime->minute > 59 ||
729 ptime->second > 60)
730 return 0;
731
732 {
733 size_t pos = 0;
734 char number_buf[5] = {0, 0, 0, 0, 0}; /* enough for a four-digit year */
735
736 # define APPEND_STRING(string) pos = png_safecat(out, 29, pos, (string))
737 # define APPEND_NUMBER(format, value)\
738 APPEND_STRING(PNG_FORMAT_NUMBER(number_buf, format, (value)))
739 # define APPEND(ch) if (pos < 28) out[pos++] = (ch)
740
741 APPEND_NUMBER(PNG_NUMBER_FORMAT_u, (unsigned)ptime->day);
742 APPEND(' ');
743 APPEND_STRING(short_months[(ptime->month - 1)]);
744 APPEND(' ');
745 APPEND_NUMBER(PNG_NUMBER_FORMAT_u, ptime->year);
746 APPEND(' ');
747 APPEND_NUMBER(PNG_NUMBER_FORMAT_02u, (unsigned)ptime->hour);
748 APPEND(':');
749 APPEND_NUMBER(PNG_NUMBER_FORMAT_02u, (unsigned)ptime->minute);
750 APPEND(':');
751 APPEND_NUMBER(PNG_NUMBER_FORMAT_02u, (unsigned)ptime->second);
752 APPEND_STRING(" +0000"); /* This reliably terminates the buffer */
753 PNG_UNUSED (pos)
754
755 # undef APPEND
756 # undef APPEND_NUMBER
757 # undef APPEND_STRING
758 }
759
760 return 1;
761 }
762
763 # if PNG_LIBPNG_VER < 10700
764 /* To do: remove the following from libpng-1.7 */
765 /* Original API that uses a private buffer in png_struct.
766 * Deprecated because it causes png_struct to carry a spurious temporary
767 * buffer (png_struct::time_buffer), better to have the caller pass this in.
768 */
769 png_const_charp PNGAPI
png_convert_to_rfc1123(png_structrp png_ptr,png_const_timep ptime)770 png_convert_to_rfc1123(png_structrp png_ptr, png_const_timep ptime)
771 {
772 if (png_ptr != NULL)
773 {
774 /* The only failure above if png_ptr != NULL is from an invalid ptime */
775 if (png_convert_to_rfc1123_buffer(png_ptr->time_buffer, ptime) == 0)
776 png_warning(png_ptr, "Ignoring invalid time value");
777
778 else
779 return png_ptr->time_buffer;
780 }
781
782 return NULL;
783 }
784 # endif /* LIBPNG_VER < 10700 */
785 # endif /* TIME_RFC1123 */
786
787 #endif /* READ || WRITE */
788
789 png_const_charp PNGAPI
png_get_copyright(png_const_structrp png_ptr)790 png_get_copyright(png_const_structrp png_ptr)
791 {
792 PNG_UNUSED(png_ptr) /* Silence compiler warning about unused png_ptr */
793 #ifdef PNG_STRING_COPYRIGHT
794 return PNG_STRING_COPYRIGHT
795 #else
796 return PNG_STRING_NEWLINE \
797 "libpng version 1.6.44" PNG_STRING_NEWLINE \
798 "Copyright (c) 2018-2024 Cosmin Truta" PNG_STRING_NEWLINE \
799 "Copyright (c) 1998-2002,2004,2006-2018 Glenn Randers-Pehrson" \
800 PNG_STRING_NEWLINE \
801 "Copyright (c) 1996-1997 Andreas Dilger" PNG_STRING_NEWLINE \
802 "Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc." \
803 PNG_STRING_NEWLINE;
804 #endif
805 }
806
807 /* The following return the library version as a short string in the
808 * format 1.0.0 through 99.99.99zz. To get the version of *.h files
809 * used with your application, print out PNG_LIBPNG_VER_STRING, which
810 * is defined in png.h.
811 * Note: now there is no difference between png_get_libpng_ver() and
812 * png_get_header_ver(). Due to the version_nn_nn_nn typedef guard,
813 * it is guaranteed that png.c uses the correct version of png.h.
814 */
815 png_const_charp PNGAPI
816 png_get_libpng_ver(png_const_structrp png_ptr)
817 {
818 /* Version of *.c files used when building libpng */
819 return png_get_header_ver(png_ptr);
820 }
821
822 png_const_charp PNGAPI
823 png_get_header_ver(png_const_structrp png_ptr)
824 {
825 /* Version of *.h files used when building libpng */
826 PNG_UNUSED(png_ptr) /* Silence compiler warning about unused png_ptr */
827 return PNG_LIBPNG_VER_STRING;
828 }
829
830 png_const_charp PNGAPI
831 png_get_header_version(png_const_structrp png_ptr)
832 {
833 /* Returns longer string containing both version and date */
834 PNG_UNUSED(png_ptr) /* Silence compiler warning about unused png_ptr */
835 #ifdef __STDC__
836 return PNG_HEADER_VERSION_STRING
837 # ifndef PNG_READ_SUPPORTED
838 " (NO READ SUPPORT)"
839 # endif
840 PNG_STRING_NEWLINE;
841 #else
842 return PNG_HEADER_VERSION_STRING;
843 #endif
844 }
845
846 #ifdef PNG_BUILD_GRAYSCALE_PALETTE_SUPPORTED
847 /* NOTE: this routine is not used internally! */
848 /* Build a grayscale palette. Palette is assumed to be 1 << bit_depth
849 * large of png_color. This lets grayscale images be treated as
850 * paletted. Most useful for gamma correction and simplification
851 * of code. This API is not used internally.
852 */
853 void PNGAPI
854 png_build_grayscale_palette(int bit_depth, png_colorp palette)
855 {
856 int num_palette;
857 int color_inc;
858 int i;
859 int v;
860
861 png_debug(1, "in png_do_build_grayscale_palette");
862
863 if (palette == NULL)
864 return;
865
866 switch (bit_depth)
867 {
868 case 1:
869 num_palette = 2;
870 color_inc = 0xff;
871 break;
872
873 case 2:
874 num_palette = 4;
875 color_inc = 0x55;
876 break;
877
878 case 4:
879 num_palette = 16;
880 color_inc = 0x11;
881 break;
882
883 case 8:
884 num_palette = 256;
885 color_inc = 1;
886 break;
887
888 default:
889 num_palette = 0;
890 color_inc = 0;
891 break;
892 }
893
894 for (i = 0, v = 0; i < num_palette; i++, v += color_inc)
895 {
896 palette[i].red = (png_byte)(v & 0xff);
897 palette[i].green = (png_byte)(v & 0xff);
898 palette[i].blue = (png_byte)(v & 0xff);
899 }
900 }
901 #endif
902
903 #ifdef PNG_SET_UNKNOWN_CHUNKS_SUPPORTED
904 int PNGAPI
905 png_handle_as_unknown(png_const_structrp png_ptr, png_const_bytep chunk_name)
906 {
907 /* Check chunk_name and return "keep" value if it's on the list, else 0 */
908 png_const_bytep p, p_end;
909
910 if (png_ptr == NULL || chunk_name == NULL || png_ptr->num_chunk_list == 0)
911 return PNG_HANDLE_CHUNK_AS_DEFAULT;
912
913 p_end = png_ptr->chunk_list;
914 p = p_end + png_ptr->num_chunk_list*5; /* beyond end */
915
916 /* The code is the fifth byte after each four byte string. Historically this
917 * code was always searched from the end of the list, this is no longer
918 * necessary because the 'set' routine handles duplicate entries correctly.
919 */
920 do /* num_chunk_list > 0, so at least one */
921 {
922 p -= 5;
923
924 if (memcmp(chunk_name, p, 4) == 0)
925 return p[4];
926 }
927 while (p > p_end);
928
929 /* This means that known chunks should be processed and unknown chunks should
930 * be handled according to the value of png_ptr->unknown_default; this can be
931 * confusing because, as a result, there are two levels of defaulting for
932 * unknown chunks.
933 */
934 return PNG_HANDLE_CHUNK_AS_DEFAULT;
935 }
936
937 #if defined(PNG_READ_UNKNOWN_CHUNKS_SUPPORTED) ||\
938 defined(PNG_HANDLE_AS_UNKNOWN_SUPPORTED)
939 int /* PRIVATE */
940 png_chunk_unknown_handling(png_const_structrp png_ptr, png_uint_32 chunk_name)
941 {
942 png_byte chunk_string[5];
943
944 PNG_CSTRING_FROM_CHUNK(chunk_string, chunk_name);
945 return png_handle_as_unknown(png_ptr, chunk_string);
946 }
947 #endif /* READ_UNKNOWN_CHUNKS || HANDLE_AS_UNKNOWN */
948 #endif /* SET_UNKNOWN_CHUNKS */
949
950 #ifdef PNG_READ_SUPPORTED
951 /* This function, added to libpng-1.0.6g, is untested. */
952 int PNGAPI
953 png_reset_zstream(png_structrp png_ptr)
954 {
955 if (png_ptr == NULL)
956 return Z_STREAM_ERROR;
957
958 /* WARNING: this resets the window bits to the maximum! */
959 return inflateReset(&png_ptr->zstream);
960 }
961 #endif /* READ */
962
963 /* This function was added to libpng-1.0.7 */
964 png_uint_32 PNGAPI
965 png_access_version_number(void)
966 {
967 /* Version of *.c files used when building libpng */
968 return (png_uint_32)PNG_LIBPNG_VER;
969 }
970
971 #if defined(PNG_READ_SUPPORTED) || defined(PNG_WRITE_SUPPORTED)
972 /* Ensure that png_ptr->zstream.msg holds some appropriate error message string.
973 * If it doesn't 'ret' is used to set it to something appropriate, even in cases
974 * like Z_OK or Z_STREAM_END where the error code is apparently a success code.
975 */
976 void /* PRIVATE */
977 png_zstream_error(png_structrp png_ptr, int ret)
978 {
979 /* Translate 'ret' into an appropriate error string, priority is given to the
980 * one in zstream if set. This always returns a string, even in cases like
981 * Z_OK or Z_STREAM_END where the error code is a success code.
982 */
983 if (png_ptr->zstream.msg == NULL) switch (ret)
984 {
985 default:
986 case Z_OK:
987 png_ptr->zstream.msg = PNGZ_MSG_CAST("unexpected zlib return code");
988 break;
989
990 case Z_STREAM_END:
991 /* Normal exit */
992 png_ptr->zstream.msg = PNGZ_MSG_CAST("unexpected end of LZ stream");
993 break;
994
995 case Z_NEED_DICT:
996 /* This means the deflate stream did not have a dictionary; this
997 * indicates a bogus PNG.
998 */
999 png_ptr->zstream.msg = PNGZ_MSG_CAST("missing LZ dictionary");
1000 break;
1001
1002 case Z_ERRNO:
1003 /* gz APIs only: should not happen */
1004 png_ptr->zstream.msg = PNGZ_MSG_CAST("zlib IO error");
1005 break;
1006
1007 case Z_STREAM_ERROR:
1008 /* internal libpng error */
1009 png_ptr->zstream.msg = PNGZ_MSG_CAST("bad parameters to zlib");
1010 break;
1011
1012 case Z_DATA_ERROR:
1013 png_ptr->zstream.msg = PNGZ_MSG_CAST("damaged LZ stream");
1014 break;
1015
1016 case Z_MEM_ERROR:
1017 png_ptr->zstream.msg = PNGZ_MSG_CAST("insufficient memory");
1018 break;
1019
1020 case Z_BUF_ERROR:
1021 /* End of input or output; not a problem if the caller is doing
1022 * incremental read or write.
1023 */
1024 png_ptr->zstream.msg = PNGZ_MSG_CAST("truncated");
1025 break;
1026
1027 case Z_VERSION_ERROR:
1028 png_ptr->zstream.msg = PNGZ_MSG_CAST("unsupported zlib version");
1029 break;
1030
1031 case PNG_UNEXPECTED_ZLIB_RETURN:
1032 /* Compile errors here mean that zlib now uses the value co-opted in
1033 * pngpriv.h for PNG_UNEXPECTED_ZLIB_RETURN; update the switch above
1034 * and change pngpriv.h. Note that this message is "... return",
1035 * whereas the default/Z_OK one is "... return code".
1036 */
1037 png_ptr->zstream.msg = PNGZ_MSG_CAST("unexpected zlib return");
1038 break;
1039 }
1040 }
1041
1042 /* png_convert_size: a PNGAPI but no longer in png.h, so deleted
1043 * at libpng 1.5.5!
1044 */
1045
1046 /* Added at libpng version 1.2.34 and 1.4.0 (moved from pngset.c) */
1047 #ifdef PNG_GAMMA_SUPPORTED /* always set if COLORSPACE */
1048 static int
1049 png_colorspace_check_gamma(png_const_structrp png_ptr,
1050 png_colorspacerp colorspace, png_fixed_point gAMA, int from)
1051 /* This is called to check a new gamma value against an existing one. The
1052 * routine returns false if the new gamma value should not be written.
1053 *
1054 * 'from' says where the new gamma value comes from:
1055 *
1056 * 0: the new gamma value is the libpng estimate for an ICC profile
1057 * 1: the new gamma value comes from a gAMA chunk
1058 * 2: the new gamma value comes from an sRGB chunk
1059 */
1060 {
1061 png_fixed_point gtest;
1062
1063 if ((colorspace->flags & PNG_COLORSPACE_HAVE_GAMMA) != 0 &&
1064 (png_muldiv(>est, colorspace->gamma, PNG_FP_1, gAMA) == 0 ||
1065 png_gamma_significant(gtest) != 0))
1066 {
1067 /* Either this is an sRGB image, in which case the calculated gamma
1068 * approximation should match, or this is an image with a profile and the
1069 * value libpng calculates for the gamma of the profile does not match the
1070 * value recorded in the file. The former, sRGB, case is an error, the
1071 * latter is just a warning.
1072 */
1073 if ((colorspace->flags & PNG_COLORSPACE_FROM_sRGB) != 0 || from == 2)
1074 {
1075 png_chunk_report(png_ptr, "gamma value does not match sRGB",
1076 PNG_CHUNK_ERROR);
1077 /* Do not overwrite an sRGB value */
1078 return from == 2;
1079 }
1080
1081 else /* sRGB tag not involved */
1082 {
1083 png_chunk_report(png_ptr, "gamma value does not match libpng estimate",
1084 PNG_CHUNK_WARNING);
1085 return from == 1;
1086 }
1087 }
1088
1089 return 1;
1090 }
1091
1092 void /* PRIVATE */
1093 png_colorspace_set_gamma(png_const_structrp png_ptr,
1094 png_colorspacerp colorspace, png_fixed_point gAMA)
1095 {
1096 /* Changed in libpng-1.5.4 to limit the values to ensure overflow can't
1097 * occur. Since the fixed point representation is asymmetrical it is
1098 * possible for 1/gamma to overflow the limit of 21474 and this means the
1099 * gamma value must be at least 5/100000 and hence at most 20000.0. For
1100 * safety the limits here are a little narrower. The values are 0.00016 to
1101 * 6250.0, which are truly ridiculous gamma values (and will produce
1102 * displays that are all black or all white.)
1103 *
1104 * In 1.6.0 this test replaces the ones in pngrutil.c, in the gAMA chunk
1105 * handling code, which only required the value to be >0.
1106 */
1107 png_const_charp errmsg;
1108
1109 if (gAMA < 16 || gAMA > 625000000)
1110 errmsg = "gamma value out of range";
1111
1112 # ifdef PNG_READ_gAMA_SUPPORTED
1113 /* Allow the application to set the gamma value more than once */
1114 else if ((png_ptr->mode & PNG_IS_READ_STRUCT) != 0 &&
1115 (colorspace->flags & PNG_COLORSPACE_FROM_gAMA) != 0)
1116 errmsg = "duplicate";
1117 # endif
1118
1119 /* Do nothing if the colorspace is already invalid */
1120 else if ((colorspace->flags & PNG_COLORSPACE_INVALID) != 0)
1121 return;
1122
1123 else
1124 {
1125 if (png_colorspace_check_gamma(png_ptr, colorspace, gAMA,
1126 1/*from gAMA*/) != 0)
1127 {
1128 /* Store this gamma value. */
1129 colorspace->gamma = gAMA;
1130 colorspace->flags |=
1131 (PNG_COLORSPACE_HAVE_GAMMA | PNG_COLORSPACE_FROM_gAMA);
1132 }
1133
1134 /* At present if the check_gamma test fails the gamma of the colorspace is
1135 * not updated however the colorspace is not invalidated. This
1136 * corresponds to the case where the existing gamma comes from an sRGB
1137 * chunk or profile. An error message has already been output.
1138 */
1139 return;
1140 }
1141
1142 /* Error exit - errmsg has been set. */
1143 colorspace->flags |= PNG_COLORSPACE_INVALID;
1144 png_chunk_report(png_ptr, errmsg, PNG_CHUNK_WRITE_ERROR);
1145 }
1146
1147 void /* PRIVATE */
1148 png_colorspace_sync_info(png_const_structrp png_ptr, png_inforp info_ptr)
1149 {
1150 if ((info_ptr->colorspace.flags & PNG_COLORSPACE_INVALID) != 0)
1151 {
1152 /* Everything is invalid */
1153 info_ptr->valid &= ~(PNG_INFO_gAMA|PNG_INFO_cHRM|PNG_INFO_sRGB|
1154 PNG_INFO_iCCP);
1155
1156 # ifdef PNG_COLORSPACE_SUPPORTED
1157 /* Clean up the iCCP profile now if it won't be used. */
1158 png_free_data(png_ptr, info_ptr, PNG_FREE_ICCP, -1/*not used*/);
1159 # else
1160 PNG_UNUSED(png_ptr)
1161 # endif
1162 }
1163
1164 else
1165 {
1166 # ifdef PNG_COLORSPACE_SUPPORTED
1167 /* Leave the INFO_iCCP flag set if the pngset.c code has already set
1168 * it; this allows a PNG to contain a profile which matches sRGB and
1169 * yet still have that profile retrievable by the application.
1170 */
1171 if ((info_ptr->colorspace.flags & PNG_COLORSPACE_MATCHES_sRGB) != 0)
1172 info_ptr->valid |= PNG_INFO_sRGB;
1173
1174 else
1175 info_ptr->valid &= ~PNG_INFO_sRGB;
1176
1177 if ((info_ptr->colorspace.flags & PNG_COLORSPACE_HAVE_ENDPOINTS) != 0)
1178 info_ptr->valid |= PNG_INFO_cHRM;
1179
1180 else
1181 info_ptr->valid &= ~PNG_INFO_cHRM;
1182 # endif
1183
1184 if ((info_ptr->colorspace.flags & PNG_COLORSPACE_HAVE_GAMMA) != 0)
1185 info_ptr->valid |= PNG_INFO_gAMA;
1186
1187 else
1188 info_ptr->valid &= ~PNG_INFO_gAMA;
1189 }
1190 }
1191
1192 #ifdef PNG_READ_SUPPORTED
1193 void /* PRIVATE */
1194 png_colorspace_sync(png_const_structrp png_ptr, png_inforp info_ptr)
1195 {
1196 if (info_ptr == NULL) /* reduce code size; check here not in the caller */
1197 return;
1198
1199 info_ptr->colorspace = png_ptr->colorspace;
1200 png_colorspace_sync_info(png_ptr, info_ptr);
1201 }
1202 #endif
1203 #endif /* GAMMA */
1204
1205 #ifdef PNG_COLORSPACE_SUPPORTED
1206 static int
1207 png_safe_add(png_int_32 *addend0_and_result, png_int_32 addend1,
1208 png_int_32 addend2) {
1209 /* Safely add three integers. Returns 0 on success, 1 on overlow.
1210 * IMPLEMENTATION NOTE: ANSI requires signed overflow not to occur, therefore
1211 * relying on addition of two positive values producing a negative one is not
1212 * safe.
1213 */
1214 int addend0 = *addend0_and_result;
1215 if (0x7fffffff - addend0 < addend1)
1216 return 1;
1217 addend0 += addend1;
1218 if (0x7fffffff - addend1 < addend2)
1219 return 1;
1220 *addend0_and_result = addend0 + addend2;
1221 return 0;
1222 }
1223
1224 /* Added at libpng-1.5.5 to support read and write of true CIEXYZ values for
1225 * cHRM, as opposed to using chromaticities. These internal APIs return
1226 * non-zero on a parameter error. The X, Y and Z values are required to be
1227 * positive and less than 1.0.
1228 */
1229 static int
1230 png_xy_from_XYZ(png_xy *xy, const png_XYZ *XYZ)
1231 {
1232 png_int_32 d, dred, dgreen, dwhite, whiteX, whiteY;
1233
1234 /* 'd' in each of the blocks below is just X+Y+Z for each component,
1235 * x, y and z are X,Y,Z/(X+Y+Z).
1236 */
1237 d = XYZ->red_X;
1238 if (png_safe_add(&d, XYZ->red_Y, XYZ->red_Z))
1239 return 1;
1240 if (png_muldiv(&xy->redx, XYZ->red_X, PNG_FP_1, d) == 0)
1241 return 1;
1242 if (png_muldiv(&xy->redy, XYZ->red_Y, PNG_FP_1, d) == 0)
1243 return 1;
1244 dred = d;
1245 whiteX = XYZ->red_X;
1246 whiteY = XYZ->red_Y;
1247
1248 d = XYZ->green_X;
1249 if (png_safe_add(&d, XYZ->green_Y, XYZ->green_Z))
1250 return 1;
1251 if (png_muldiv(&xy->greenx, XYZ->green_X, PNG_FP_1, d) == 0)
1252 return 1;
1253 if (png_muldiv(&xy->greeny, XYZ->green_Y, PNG_FP_1, d) == 0)
1254 return 1;
1255 dgreen = d;
1256 whiteX += XYZ->green_X;
1257 whiteY += XYZ->green_Y;
1258
1259 d = XYZ->blue_X;
1260 if (png_safe_add(&d, XYZ->blue_Y, XYZ->blue_Z))
1261 return 1;
1262 if (png_muldiv(&xy->bluex, XYZ->blue_X, PNG_FP_1, d) == 0)
1263 return 1;
1264 if (png_muldiv(&xy->bluey, XYZ->blue_Y, PNG_FP_1, d) == 0)
1265 return 1;
1266 whiteX += XYZ->blue_X;
1267 whiteY += XYZ->blue_Y;
1268
1269 /* The reference white is simply the sum of the end-point (X,Y,Z) vectors so
1270 * the fillowing calculates (X+Y+Z) of the reference white (media white,
1271 * encoding white) itself:
1272 */
1273 if (png_safe_add(&d, dred, dgreen))
1274 return 1;
1275
1276 dwhite = d;
1277
1278 if (png_muldiv(&xy->whitex, whiteX, PNG_FP_1, dwhite) == 0)
1279 return 1;
1280 if (png_muldiv(&xy->whitey, whiteY, PNG_FP_1, dwhite) == 0)
1281 return 1;
1282
1283 return 0;
1284 }
1285
1286 static int
1287 png_XYZ_from_xy(png_XYZ *XYZ, const png_xy *xy)
1288 {
1289 png_fixed_point red_inverse, green_inverse, blue_scale;
1290 png_fixed_point left, right, denominator;
1291
1292 /* The reverse calculation is more difficult because the original tristimulus
1293 * value had 9 independent values (red,green,blue)x(X,Y,Z) however only 8
1294 * derived values were recorded in the cHRM chunk;
1295 * (red,green,blue,white)x(x,y). This loses one degree of freedom and
1296 * therefore an arbitrary ninth value has to be introduced to undo the
1297 * original transformations.
1298 *
1299 * Think of the original end-points as points in (X,Y,Z) space. The
1300 * chromaticity values (c) have the property:
1301 *
1302 * C
1303 * c = ---------
1304 * X + Y + Z
1305 *
1306 * For each c (x,y,z) from the corresponding original C (X,Y,Z). Thus the
1307 * three chromaticity values (x,y,z) for each end-point obey the
1308 * relationship:
1309 *
1310 * x + y + z = 1
1311 *
1312 * This describes the plane in (X,Y,Z) space that intersects each axis at the
1313 * value 1.0; call this the chromaticity plane. Thus the chromaticity
1314 * calculation has scaled each end-point so that it is on the x+y+z=1 plane
1315 * and chromaticity is the intersection of the vector from the origin to the
1316 * (X,Y,Z) value with the chromaticity plane.
1317 *
1318 * To fully invert the chromaticity calculation we would need the three
1319 * end-point scale factors, (red-scale, green-scale, blue-scale), but these
1320 * were not recorded. Instead we calculated the reference white (X,Y,Z) and
1321 * recorded the chromaticity of this. The reference white (X,Y,Z) would have
1322 * given all three of the scale factors since:
1323 *
1324 * color-C = color-c * color-scale
1325 * white-C = red-C + green-C + blue-C
1326 * = red-c*red-scale + green-c*green-scale + blue-c*blue-scale
1327 *
1328 * But cHRM records only white-x and white-y, so we have lost the white scale
1329 * factor:
1330 *
1331 * white-C = white-c*white-scale
1332 *
1333 * To handle this the inverse transformation makes an arbitrary assumption
1334 * about white-scale:
1335 *
1336 * Assume: white-Y = 1.0
1337 * Hence: white-scale = 1/white-y
1338 * Or: red-Y + green-Y + blue-Y = 1.0
1339 *
1340 * Notice the last statement of the assumption gives an equation in three of
1341 * the nine values we want to calculate. 8 more equations come from the
1342 * above routine as summarised at the top above (the chromaticity
1343 * calculation):
1344 *
1345 * Given: color-x = color-X / (color-X + color-Y + color-Z)
1346 * Hence: (color-x - 1)*color-X + color.x*color-Y + color.x*color-Z = 0
1347 *
1348 * This is 9 simultaneous equations in the 9 variables "color-C" and can be
1349 * solved by Cramer's rule. Cramer's rule requires calculating 10 9x9 matrix
1350 * determinants, however this is not as bad as it seems because only 28 of
1351 * the total of 90 terms in the various matrices are non-zero. Nevertheless
1352 * Cramer's rule is notoriously numerically unstable because the determinant
1353 * calculation involves the difference of large, but similar, numbers. It is
1354 * difficult to be sure that the calculation is stable for real world values
1355 * and it is certain that it becomes unstable where the end points are close
1356 * together.
1357 *
1358 * So this code uses the perhaps slightly less optimal but more
1359 * understandable and totally obvious approach of calculating color-scale.
1360 *
1361 * This algorithm depends on the precision in white-scale and that is
1362 * (1/white-y), so we can immediately see that as white-y approaches 0 the
1363 * accuracy inherent in the cHRM chunk drops off substantially.
1364 *
1365 * libpng arithmetic: a simple inversion of the above equations
1366 * ------------------------------------------------------------
1367 *
1368 * white_scale = 1/white-y
1369 * white-X = white-x * white-scale
1370 * white-Y = 1.0
1371 * white-Z = (1 - white-x - white-y) * white_scale
1372 *
1373 * white-C = red-C + green-C + blue-C
1374 * = red-c*red-scale + green-c*green-scale + blue-c*blue-scale
1375 *
1376 * This gives us three equations in (red-scale,green-scale,blue-scale) where
1377 * all the coefficients are now known:
1378 *
1379 * red-x*red-scale + green-x*green-scale + blue-x*blue-scale
1380 * = white-x/white-y
1381 * red-y*red-scale + green-y*green-scale + blue-y*blue-scale = 1
1382 * red-z*red-scale + green-z*green-scale + blue-z*blue-scale
1383 * = (1 - white-x - white-y)/white-y
1384 *
1385 * In the last equation color-z is (1 - color-x - color-y) so we can add all
1386 * three equations together to get an alternative third:
1387 *
1388 * red-scale + green-scale + blue-scale = 1/white-y = white-scale
1389 *
1390 * So now we have a Cramer's rule solution where the determinants are just
1391 * 3x3 - far more tractible. Unfortunately 3x3 determinants still involve
1392 * multiplication of three coefficients so we can't guarantee to avoid
1393 * overflow in the libpng fixed point representation. Using Cramer's rule in
1394 * floating point is probably a good choice here, but it's not an option for
1395 * fixed point. Instead proceed to simplify the first two equations by
1396 * eliminating what is likely to be the largest value, blue-scale:
1397 *
1398 * blue-scale = white-scale - red-scale - green-scale
1399 *
1400 * Hence:
1401 *
1402 * (red-x - blue-x)*red-scale + (green-x - blue-x)*green-scale =
1403 * (white-x - blue-x)*white-scale
1404 *
1405 * (red-y - blue-y)*red-scale + (green-y - blue-y)*green-scale =
1406 * 1 - blue-y*white-scale
1407 *
1408 * And now we can trivially solve for (red-scale,green-scale):
1409 *
1410 * green-scale =
1411 * (white-x - blue-x)*white-scale - (red-x - blue-x)*red-scale
1412 * -----------------------------------------------------------
1413 * green-x - blue-x
1414 *
1415 * red-scale =
1416 * 1 - blue-y*white-scale - (green-y - blue-y) * green-scale
1417 * ---------------------------------------------------------
1418 * red-y - blue-y
1419 *
1420 * Hence:
1421 *
1422 * red-scale =
1423 * ( (green-x - blue-x) * (white-y - blue-y) -
1424 * (green-y - blue-y) * (white-x - blue-x) ) / white-y
1425 * -------------------------------------------------------------------------
1426 * (green-x - blue-x)*(red-y - blue-y)-(green-y - blue-y)*(red-x - blue-x)
1427 *
1428 * green-scale =
1429 * ( (red-y - blue-y) * (white-x - blue-x) -
1430 * (red-x - blue-x) * (white-y - blue-y) ) / white-y
1431 * -------------------------------------------------------------------------
1432 * (green-x - blue-x)*(red-y - blue-y)-(green-y - blue-y)*(red-x - blue-x)
1433 *
1434 * Accuracy:
1435 * The input values have 5 decimal digits of accuracy. The values are all in
1436 * the range 0 < value < 1, so simple products are in the same range but may
1437 * need up to 10 decimal digits to preserve the original precision and avoid
1438 * underflow. Because we are using a 32-bit signed representation we cannot
1439 * match this; the best is a little over 9 decimal digits, less than 10.
1440 *
1441 * The approach used here is to preserve the maximum precision within the
1442 * signed representation. Because the red-scale calculation above uses the
1443 * difference between two products of values that must be in the range -1..+1
1444 * it is sufficient to divide the product by 7; ceil(100,000/32767*2). The
1445 * factor is irrelevant in the calculation because it is applied to both
1446 * numerator and denominator.
1447 *
1448 * Note that the values of the differences of the products of the
1449 * chromaticities in the above equations tend to be small, for example for
1450 * the sRGB chromaticities they are:
1451 *
1452 * red numerator: -0.04751
1453 * green numerator: -0.08788
1454 * denominator: -0.2241 (without white-y multiplication)
1455 *
1456 * The resultant Y coefficients from the chromaticities of some widely used
1457 * color space definitions are (to 15 decimal places):
1458 *
1459 * sRGB
1460 * 0.212639005871510 0.715168678767756 0.072192315360734
1461 * Kodak ProPhoto
1462 * 0.288071128229293 0.711843217810102 0.000085653960605
1463 * Adobe RGB
1464 * 0.297344975250536 0.627363566255466 0.075291458493998
1465 * Adobe Wide Gamut RGB
1466 * 0.258728243040113 0.724682314948566 0.016589442011321
1467 */
1468 /* By the argument, above overflow should be impossible here. The return
1469 * value of 2 indicates an internal error to the caller.
1470 */
1471 if (png_muldiv(&left, xy->greenx-xy->bluex, xy->redy - xy->bluey, 7) == 0)
1472 return 1;
1473 if (png_muldiv(&right, xy->greeny-xy->bluey, xy->redx - xy->bluex, 7) == 0)
1474 return 1;
1475 denominator = left - right;
1476
1477 /* Now find the red numerator. */
1478 if (png_muldiv(&left, xy->greenx-xy->bluex, xy->whitey-xy->bluey, 7) == 0)
1479 return 1;
1480 if (png_muldiv(&right, xy->greeny-xy->bluey, xy->whitex-xy->bluex, 7) == 0)
1481 return 1;
1482
1483 /* Overflow is possible here and it indicates an extreme set of PNG cHRM
1484 * chunk values. This calculation actually returns the reciprocal of the
1485 * scale value because this allows us to delay the multiplication of white-y
1486 * into the denominator, which tends to produce a small number.
1487 */
1488 if (png_muldiv(&red_inverse, xy->whitey, denominator, left-right) == 0 ||
1489 red_inverse <= xy->whitey /* r+g+b scales = white scale */)
1490 return 1;
1491
1492 /* Similarly for green_inverse: */
1493 if (png_muldiv(&left, xy->redy-xy->bluey, xy->whitex-xy->bluex, 7) == 0)
1494 return 1;
1495 if (png_muldiv(&right, xy->redx-xy->bluex, xy->whitey-xy->bluey, 7) == 0)
1496 return 1;
1497 if (png_muldiv(&green_inverse, xy->whitey, denominator, left-right) == 0 ||
1498 green_inverse <= xy->whitey)
1499 return 1;
1500
1501 /* And the blue scale, the checks above guarantee this can't overflow but it
1502 * can still produce 0 for extreme cHRM values.
1503 */
1504 blue_scale = png_reciprocal(xy->whitey) - png_reciprocal(red_inverse) -
1505 png_reciprocal(green_inverse);
1506 if (blue_scale <= 0)
1507 return 1;
1508
1509
1510 /* And fill in the png_XYZ: */
1511 if (png_muldiv(&XYZ->red_X, xy->redx, PNG_FP_1, red_inverse) == 0)
1512 return 1;
1513 if (png_muldiv(&XYZ->red_Y, xy->redy, PNG_FP_1, red_inverse) == 0)
1514 return 1;
1515 if (png_muldiv(&XYZ->red_Z, PNG_FP_1 - xy->redx - xy->redy, PNG_FP_1,
1516 red_inverse) == 0)
1517 return 1;
1518
1519 if (png_muldiv(&XYZ->green_X, xy->greenx, PNG_FP_1, green_inverse) == 0)
1520 return 1;
1521 if (png_muldiv(&XYZ->green_Y, xy->greeny, PNG_FP_1, green_inverse) == 0)
1522 return 1;
1523 if (png_muldiv(&XYZ->green_Z, PNG_FP_1 - xy->greenx - xy->greeny, PNG_FP_1,
1524 green_inverse) == 0)
1525 return 1;
1526
1527 if (png_muldiv(&XYZ->blue_X, xy->bluex, blue_scale, PNG_FP_1) == 0)
1528 return 1;
1529 if (png_muldiv(&XYZ->blue_Y, xy->bluey, blue_scale, PNG_FP_1) == 0)
1530 return 1;
1531 if (png_muldiv(&XYZ->blue_Z, PNG_FP_1 - xy->bluex - xy->bluey, blue_scale,
1532 PNG_FP_1) == 0)
1533 return 1;
1534
1535 return 0; /*success*/
1536 }
1537
1538 static int
1539 png_XYZ_normalize(png_XYZ *XYZ)
1540 {
1541 png_int_32 Y, Ytemp;
1542
1543 /* Normalize by scaling so the sum of the end-point Y values is PNG_FP_1. */
1544 Ytemp = XYZ->red_Y;
1545 if (png_safe_add(&Ytemp, XYZ->green_Y, XYZ->blue_Y))
1546 return 1;
1547
1548 Y = Ytemp;
1549
1550 if (Y != PNG_FP_1)
1551 {
1552 if (png_muldiv(&XYZ->red_X, XYZ->red_X, PNG_FP_1, Y) == 0)
1553 return 1;
1554 if (png_muldiv(&XYZ->red_Y, XYZ->red_Y, PNG_FP_1, Y) == 0)
1555 return 1;
1556 if (png_muldiv(&XYZ->red_Z, XYZ->red_Z, PNG_FP_1, Y) == 0)
1557 return 1;
1558
1559 if (png_muldiv(&XYZ->green_X, XYZ->green_X, PNG_FP_1, Y) == 0)
1560 return 1;
1561 if (png_muldiv(&XYZ->green_Y, XYZ->green_Y, PNG_FP_1, Y) == 0)
1562 return 1;
1563 if (png_muldiv(&XYZ->green_Z, XYZ->green_Z, PNG_FP_1, Y) == 0)
1564 return 1;
1565
1566 if (png_muldiv(&XYZ->blue_X, XYZ->blue_X, PNG_FP_1, Y) == 0)
1567 return 1;
1568 if (png_muldiv(&XYZ->blue_Y, XYZ->blue_Y, PNG_FP_1, Y) == 0)
1569 return 1;
1570 if (png_muldiv(&XYZ->blue_Z, XYZ->blue_Z, PNG_FP_1, Y) == 0)
1571 return 1;
1572 }
1573
1574 return 0;
1575 }
1576
1577 static int
1578 png_colorspace_endpoints_match(const png_xy *xy1, const png_xy *xy2, int delta)
1579 {
1580 /* Allow an error of +/-0.01 (absolute value) on each chromaticity */
1581 if (PNG_OUT_OF_RANGE(xy1->whitex, xy2->whitex,delta) ||
1582 PNG_OUT_OF_RANGE(xy1->whitey, xy2->whitey,delta) ||
1583 PNG_OUT_OF_RANGE(xy1->redx, xy2->redx, delta) ||
1584 PNG_OUT_OF_RANGE(xy1->redy, xy2->redy, delta) ||
1585 PNG_OUT_OF_RANGE(xy1->greenx, xy2->greenx,delta) ||
1586 PNG_OUT_OF_RANGE(xy1->greeny, xy2->greeny,delta) ||
1587 PNG_OUT_OF_RANGE(xy1->bluex, xy2->bluex, delta) ||
1588 PNG_OUT_OF_RANGE(xy1->bluey, xy2->bluey, delta))
1589 return 0;
1590 return 1;
1591 }
1592
1593 /* Added in libpng-1.6.0, a different check for the validity of a set of cHRM
1594 * chunk chromaticities. Earlier checks used to simply look for the overflow
1595 * condition (where the determinant of the matrix to solve for XYZ ends up zero
1596 * because the chromaticity values are not all distinct.) Despite this it is
1597 * theoretically possible to produce chromaticities that are apparently valid
1598 * but that rapidly degrade to invalid, potentially crashing, sets because of
1599 * arithmetic inaccuracies when calculations are performed on them. The new
1600 * check is to round-trip xy -> XYZ -> xy and then check that the result is
1601 * within a small percentage of the original.
1602 */
1603 static int
1604 png_colorspace_check_xy(png_XYZ *XYZ, const png_xy *xy)
1605 {
1606 int result;
1607 png_xy xy_test;
1608
1609 /* As a side-effect this routine also returns the XYZ endpoints. */
1610 result = png_XYZ_from_xy(XYZ, xy);
1611 if (result != 0)
1612 return result;
1613
1614 result = png_xy_from_XYZ(&xy_test, XYZ);
1615 if (result != 0)
1616 return result;
1617
1618 if (png_colorspace_endpoints_match(xy, &xy_test,
1619 5/*actually, the math is pretty accurate*/) != 0)
1620 return 0;
1621
1622 /* Too much slip */
1623 return 1;
1624 }
1625
1626 /* This is the check going the other way. The XYZ is modified to normalize it
1627 * (another side-effect) and the xy chromaticities are returned.
1628 */
1629 static int
1630 png_colorspace_check_XYZ(png_xy *xy, png_XYZ *XYZ)
1631 {
1632 int result;
1633 png_XYZ XYZtemp;
1634
1635 result = png_XYZ_normalize(XYZ);
1636 if (result != 0)
1637 return result;
1638
1639 result = png_xy_from_XYZ(xy, XYZ);
1640 if (result != 0)
1641 return result;
1642
1643 XYZtemp = *XYZ;
1644 return png_colorspace_check_xy(&XYZtemp, xy);
1645 }
1646
1647 /* Used to check for an endpoint match against sRGB */
1648 static const png_xy sRGB_xy = /* From ITU-R BT.709-3 */
1649 {
1650 /* color x y */
1651 /* red */ 64000, 33000,
1652 /* green */ 30000, 60000,
1653 /* blue */ 15000, 6000,
1654 /* white */ 31270, 32900
1655 };
1656
1657 static int
1658 png_colorspace_set_xy_and_XYZ(png_const_structrp png_ptr,
1659 png_colorspacerp colorspace, const png_xy *xy, const png_XYZ *XYZ,
1660 int preferred)
1661 {
1662 if ((colorspace->flags & PNG_COLORSPACE_INVALID) != 0)
1663 return 0;
1664
1665 /* The consistency check is performed on the chromaticities; this factors out
1666 * variations because of the normalization (or not) of the end point Y
1667 * values.
1668 */
1669 if (preferred < 2 &&
1670 (colorspace->flags & PNG_COLORSPACE_HAVE_ENDPOINTS) != 0)
1671 {
1672 /* The end points must be reasonably close to any we already have. The
1673 * following allows an error of up to +/-.001
1674 */
1675 if (png_colorspace_endpoints_match(xy, &colorspace->end_points_xy,
1676 100) == 0)
1677 {
1678 colorspace->flags |= PNG_COLORSPACE_INVALID;
1679 png_benign_error(png_ptr, "inconsistent chromaticities");
1680 return 0; /* failed */
1681 }
1682
1683 /* Only overwrite with preferred values */
1684 if (preferred == 0)
1685 return 1; /* ok, but no change */
1686 }
1687
1688 colorspace->end_points_xy = *xy;
1689 colorspace->end_points_XYZ = *XYZ;
1690 colorspace->flags |= PNG_COLORSPACE_HAVE_ENDPOINTS;
1691
1692 /* The end points are normally quoted to two decimal digits, so allow +/-0.01
1693 * on this test.
1694 */
1695 if (png_colorspace_endpoints_match(xy, &sRGB_xy, 1000) != 0)
1696 colorspace->flags |= PNG_COLORSPACE_ENDPOINTS_MATCH_sRGB;
1697
1698 else
1699 colorspace->flags &= PNG_COLORSPACE_CANCEL(
1700 PNG_COLORSPACE_ENDPOINTS_MATCH_sRGB);
1701
1702 return 2; /* ok and changed */
1703 }
1704
1705 int /* PRIVATE */
1706 png_colorspace_set_chromaticities(png_const_structrp png_ptr,
1707 png_colorspacerp colorspace, const png_xy *xy, int preferred)
1708 {
1709 /* We must check the end points to ensure they are reasonable - in the past
1710 * color management systems have crashed as a result of getting bogus
1711 * colorant values, while this isn't the fault of libpng it is the
1712 * responsibility of libpng because PNG carries the bomb and libpng is in a
1713 * position to protect against it.
1714 */
1715 png_XYZ XYZ;
1716
1717 switch (png_colorspace_check_xy(&XYZ, xy))
1718 {
1719 case 0: /* success */
1720 return png_colorspace_set_xy_and_XYZ(png_ptr, colorspace, xy, &XYZ,
1721 preferred);
1722
1723 case 1:
1724 /* We can't invert the chromaticities so we can't produce value XYZ
1725 * values. Likely as not a color management system will fail too.
1726 */
1727 colorspace->flags |= PNG_COLORSPACE_INVALID;
1728 png_benign_error(png_ptr, "invalid chromaticities");
1729 break;
1730
1731 default:
1732 /* libpng is broken; this should be a warning but if it happens we
1733 * want error reports so for the moment it is an error.
1734 */
1735 colorspace->flags |= PNG_COLORSPACE_INVALID;
1736 png_error(png_ptr, "internal error checking chromaticities");
1737 }
1738
1739 return 0; /* failed */
1740 }
1741
1742 int /* PRIVATE */
1743 png_colorspace_set_endpoints(png_const_structrp png_ptr,
1744 png_colorspacerp colorspace, const png_XYZ *XYZ_in, int preferred)
1745 {
1746 png_XYZ XYZ = *XYZ_in;
1747 png_xy xy;
1748
1749 switch (png_colorspace_check_XYZ(&xy, &XYZ))
1750 {
1751 case 0:
1752 return png_colorspace_set_xy_and_XYZ(png_ptr, colorspace, &xy, &XYZ,
1753 preferred);
1754
1755 case 1:
1756 /* End points are invalid. */
1757 colorspace->flags |= PNG_COLORSPACE_INVALID;
1758 png_benign_error(png_ptr, "invalid end points");
1759 break;
1760
1761 default:
1762 colorspace->flags |= PNG_COLORSPACE_INVALID;
1763 png_error(png_ptr, "internal error checking chromaticities");
1764 }
1765
1766 return 0; /* failed */
1767 }
1768
1769 #if defined(PNG_sRGB_SUPPORTED) || defined(PNG_iCCP_SUPPORTED)
1770 /* Error message generation */
1771 static char
1772 png_icc_tag_char(png_uint_32 byte)
1773 {
1774 byte &= 0xff;
1775 if (byte >= 32 && byte <= 126)
1776 return (char)byte;
1777 else
1778 return '?';
1779 }
1780
1781 static void
1782 png_icc_tag_name(char *name, png_uint_32 tag)
1783 {
1784 name[0] = '\'';
1785 name[1] = png_icc_tag_char(tag >> 24);
1786 name[2] = png_icc_tag_char(tag >> 16);
1787 name[3] = png_icc_tag_char(tag >> 8);
1788 name[4] = png_icc_tag_char(tag );
1789 name[5] = '\'';
1790 }
1791
1792 static int
1793 is_ICC_signature_char(png_alloc_size_t it)
1794 {
1795 return it == 32 || (it >= 48 && it <= 57) || (it >= 65 && it <= 90) ||
1796 (it >= 97 && it <= 122);
1797 }
1798
1799 static int
1800 is_ICC_signature(png_alloc_size_t it)
1801 {
1802 return is_ICC_signature_char(it >> 24) /* checks all the top bits */ &&
1803 is_ICC_signature_char((it >> 16) & 0xff) &&
1804 is_ICC_signature_char((it >> 8) & 0xff) &&
1805 is_ICC_signature_char(it & 0xff);
1806 }
1807
1808 static int
1809 png_icc_profile_error(png_const_structrp png_ptr, png_colorspacerp colorspace,
1810 png_const_charp name, png_alloc_size_t value, png_const_charp reason)
1811 {
1812 size_t pos;
1813 char message[196]; /* see below for calculation */
1814
1815 if (colorspace != NULL)
1816 colorspace->flags |= PNG_COLORSPACE_INVALID;
1817
1818 pos = png_safecat(message, (sizeof message), 0, "profile '"); /* 9 chars */
1819 pos = png_safecat(message, pos+79, pos, name); /* Truncate to 79 chars */
1820 pos = png_safecat(message, (sizeof message), pos, "': "); /* +2 = 90 */
1821 if (is_ICC_signature(value) != 0)
1822 {
1823 /* So 'value' is at most 4 bytes and the following cast is safe */
1824 png_icc_tag_name(message+pos, (png_uint_32)value);
1825 pos += 6; /* total +8; less than the else clause */
1826 message[pos++] = ':';
1827 message[pos++] = ' ';
1828 }
1829 # ifdef PNG_WARNINGS_SUPPORTED
1830 else
1831 {
1832 char number[PNG_NUMBER_BUFFER_SIZE]; /* +24 = 114 */
1833
1834 pos = png_safecat(message, (sizeof message), pos,
1835 png_format_number(number, number+(sizeof number),
1836 PNG_NUMBER_FORMAT_x, value));
1837 pos = png_safecat(message, (sizeof message), pos, "h: "); /* +2 = 116 */
1838 }
1839 # endif
1840 /* The 'reason' is an arbitrary message, allow +79 maximum 195 */
1841 pos = png_safecat(message, (sizeof message), pos, reason);
1842 PNG_UNUSED(pos)
1843
1844 /* This is recoverable, but make it unconditionally an app_error on write to
1845 * avoid writing invalid ICC profiles into PNG files (i.e., we handle them
1846 * on read, with a warning, but on write unless the app turns off
1847 * application errors the PNG won't be written.)
1848 */
1849 png_chunk_report(png_ptr, message,
1850 (colorspace != NULL) ? PNG_CHUNK_ERROR : PNG_CHUNK_WRITE_ERROR);
1851
1852 return 0;
1853 }
1854 #endif /* sRGB || iCCP */
1855
1856 #ifdef PNG_sRGB_SUPPORTED
1857 int /* PRIVATE */
1858 png_colorspace_set_sRGB(png_const_structrp png_ptr, png_colorspacerp colorspace,
1859 int intent)
1860 {
1861 /* sRGB sets known gamma, end points and (from the chunk) intent. */
1862 /* IMPORTANT: these are not necessarily the values found in an ICC profile
1863 * because ICC profiles store values adapted to a D50 environment; it is
1864 * expected that the ICC profile mediaWhitePointTag will be D50; see the
1865 * checks and code elsewhere to understand this better.
1866 *
1867 * These XYZ values, which are accurate to 5dp, produce rgb to gray
1868 * coefficients of (6968,23435,2366), which are reduced (because they add up
1869 * to 32769 not 32768) to (6968,23434,2366). These are the values that
1870 * libpng has traditionally used (and are the best values given the 15bit
1871 * algorithm used by the rgb to gray code.)
1872 */
1873 static const png_XYZ sRGB_XYZ = /* D65 XYZ (*not* the D50 adapted values!) */
1874 {
1875 /* color X Y Z */
1876 /* red */ 41239, 21264, 1933,
1877 /* green */ 35758, 71517, 11919,
1878 /* blue */ 18048, 7219, 95053
1879 };
1880
1881 /* Do nothing if the colorspace is already invalidated. */
1882 if ((colorspace->flags & PNG_COLORSPACE_INVALID) != 0)
1883 return 0;
1884
1885 /* Check the intent, then check for existing settings. It is valid for the
1886 * PNG file to have cHRM or gAMA chunks along with sRGB, but the values must
1887 * be consistent with the correct values. If, however, this function is
1888 * called below because an iCCP chunk matches sRGB then it is quite
1889 * conceivable that an older app recorded incorrect gAMA and cHRM because of
1890 * an incorrect calculation based on the values in the profile - this does
1891 * *not* invalidate the profile (though it still produces an error, which can
1892 * be ignored.)
1893 */
1894 if (intent < 0 || intent >= PNG_sRGB_INTENT_LAST)
1895 return png_icc_profile_error(png_ptr, colorspace, "sRGB",
1896 (png_alloc_size_t)intent, "invalid sRGB rendering intent");
1897
1898 if ((colorspace->flags & PNG_COLORSPACE_HAVE_INTENT) != 0 &&
1899 colorspace->rendering_intent != intent)
1900 return png_icc_profile_error(png_ptr, colorspace, "sRGB",
1901 (png_alloc_size_t)intent, "inconsistent rendering intents");
1902
1903 if ((colorspace->flags & PNG_COLORSPACE_FROM_sRGB) != 0)
1904 {
1905 png_benign_error(png_ptr, "duplicate sRGB information ignored");
1906 return 0;
1907 }
1908
1909 /* If the standard sRGB cHRM chunk does not match the one from the PNG file
1910 * warn but overwrite the value with the correct one.
1911 */
1912 if ((colorspace->flags & PNG_COLORSPACE_HAVE_ENDPOINTS) != 0 &&
1913 !png_colorspace_endpoints_match(&sRGB_xy, &colorspace->end_points_xy,
1914 100))
1915 png_chunk_report(png_ptr, "cHRM chunk does not match sRGB",
1916 PNG_CHUNK_ERROR);
1917
1918 /* This check is just done for the error reporting - the routine always
1919 * returns true when the 'from' argument corresponds to sRGB (2).
1920 */
1921 (void)png_colorspace_check_gamma(png_ptr, colorspace, PNG_GAMMA_sRGB_INVERSE,
1922 2/*from sRGB*/);
1923
1924 /* intent: bugs in GCC force 'int' to be used as the parameter type. */
1925 colorspace->rendering_intent = (png_uint_16)intent;
1926 colorspace->flags |= PNG_COLORSPACE_HAVE_INTENT;
1927
1928 /* endpoints */
1929 colorspace->end_points_xy = sRGB_xy;
1930 colorspace->end_points_XYZ = sRGB_XYZ;
1931 colorspace->flags |=
1932 (PNG_COLORSPACE_HAVE_ENDPOINTS|PNG_COLORSPACE_ENDPOINTS_MATCH_sRGB);
1933
1934 /* gamma */
1935 colorspace->gamma = PNG_GAMMA_sRGB_INVERSE;
1936 colorspace->flags |= PNG_COLORSPACE_HAVE_GAMMA;
1937
1938 /* Finally record that we have an sRGB profile */
1939 colorspace->flags |=
1940 (PNG_COLORSPACE_MATCHES_sRGB|PNG_COLORSPACE_FROM_sRGB);
1941
1942 return 1; /* set */
1943 }
1944 #endif /* sRGB */
1945
1946 #ifdef PNG_iCCP_SUPPORTED
1947 /* Encoded value of D50 as an ICC XYZNumber. From the ICC 2010 spec the value
1948 * is XYZ(0.9642,1.0,0.8249), which scales to:
1949 *
1950 * (63189.8112, 65536, 54060.6464)
1951 */
1952 static const png_byte D50_nCIEXYZ[12] =
1953 { 0x00, 0x00, 0xf6, 0xd6, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0xd3, 0x2d };
1954
1955 static int /* bool */
1956 icc_check_length(png_const_structrp png_ptr, png_colorspacerp colorspace,
1957 png_const_charp name, png_uint_32 profile_length)
1958 {
1959 if (profile_length < 132)
1960 return png_icc_profile_error(png_ptr, colorspace, name, profile_length,
1961 "too short");
1962 return 1;
1963 }
1964
1965 #ifdef PNG_READ_iCCP_SUPPORTED
1966 int /* PRIVATE */
1967 png_icc_check_length(png_const_structrp png_ptr, png_colorspacerp colorspace,
1968 png_const_charp name, png_uint_32 profile_length)
1969 {
1970 if (!icc_check_length(png_ptr, colorspace, name, profile_length))
1971 return 0;
1972
1973 /* This needs to be here because the 'normal' check is in
1974 * png_decompress_chunk, yet this happens after the attempt to
1975 * png_malloc_base the required data. We only need this on read; on write
1976 * the caller supplies the profile buffer so libpng doesn't allocate it. See
1977 * the call to icc_check_length below (the write case).
1978 */
1979 # ifdef PNG_SET_USER_LIMITS_SUPPORTED
1980 else if (png_ptr->user_chunk_malloc_max > 0 &&
1981 png_ptr->user_chunk_malloc_max < profile_length)
1982 return png_icc_profile_error(png_ptr, colorspace, name, profile_length,
1983 "exceeds application limits");
1984 # elif PNG_USER_CHUNK_MALLOC_MAX > 0
1985 else if (PNG_USER_CHUNK_MALLOC_MAX < profile_length)
1986 return png_icc_profile_error(png_ptr, colorspace, name, profile_length,
1987 "exceeds libpng limits");
1988 # else /* !SET_USER_LIMITS */
1989 /* This will get compiled out on all 32-bit and better systems. */
1990 else if (PNG_SIZE_MAX < profile_length)
1991 return png_icc_profile_error(png_ptr, colorspace, name, profile_length,
1992 "exceeds system limits");
1993 # endif /* !SET_USER_LIMITS */
1994
1995 return 1;
1996 }
1997 #endif /* READ_iCCP */
1998
1999 int /* PRIVATE */
2000 png_icc_check_header(png_const_structrp png_ptr, png_colorspacerp colorspace,
2001 png_const_charp name, png_uint_32 profile_length,
2002 png_const_bytep profile/* first 132 bytes only */, int color_type)
2003 {
2004 png_uint_32 temp;
2005
2006 /* Length check; this cannot be ignored in this code because profile_length
2007 * is used later to check the tag table, so even if the profile seems over
2008 * long profile_length from the caller must be correct. The caller can fix
2009 * this up on read or write by just passing in the profile header length.
2010 */
2011 temp = png_get_uint_32(profile);
2012 if (temp != profile_length)
2013 return png_icc_profile_error(png_ptr, colorspace, name, temp,
2014 "length does not match profile");
2015
2016 temp = (png_uint_32) (*(profile+8));
2017 if (temp > 3 && (profile_length & 3))
2018 return png_icc_profile_error(png_ptr, colorspace, name, profile_length,
2019 "invalid length");
2020
2021 temp = png_get_uint_32(profile+128); /* tag count: 12 bytes/tag */
2022 if (temp > 357913930 || /* (2^32-4-132)/12: maximum possible tag count */
2023 profile_length < 132+12*temp) /* truncated tag table */
2024 return png_icc_profile_error(png_ptr, colorspace, name, temp,
2025 "tag count too large");
2026
2027 /* The 'intent' must be valid or we can't store it, ICC limits the intent to
2028 * 16 bits.
2029 */
2030 temp = png_get_uint_32(profile+64);
2031 if (temp >= 0xffff) /* The ICC limit */
2032 return png_icc_profile_error(png_ptr, colorspace, name, temp,
2033 "invalid rendering intent");
2034
2035 /* This is just a warning because the profile may be valid in future
2036 * versions.
2037 */
2038 if (temp >= PNG_sRGB_INTENT_LAST)
2039 (void)png_icc_profile_error(png_ptr, NULL, name, temp,
2040 "intent outside defined range");
2041
2042 /* At this point the tag table can't be checked because it hasn't necessarily
2043 * been loaded; however, various header fields can be checked. These checks
2044 * are for values permitted by the PNG spec in an ICC profile; the PNG spec
2045 * restricts the profiles that can be passed in an iCCP chunk (they must be
2046 * appropriate to processing PNG data!)
2047 */
2048
2049 /* Data checks (could be skipped). These checks must be independent of the
2050 * version number; however, the version number doesn't accommodate changes in
2051 * the header fields (just the known tags and the interpretation of the
2052 * data.)
2053 */
2054 temp = png_get_uint_32(profile+36); /* signature 'ascp' */
2055 if (temp != 0x61637370)
2056 return png_icc_profile_error(png_ptr, colorspace, name, temp,
2057 "invalid signature");
2058
2059 /* Currently the PCS illuminant/adopted white point (the computational
2060 * white point) are required to be D50,
2061 * however the profile contains a record of the illuminant so perhaps ICC
2062 * expects to be able to change this in the future (despite the rationale in
2063 * the introduction for using a fixed PCS adopted white.) Consequently the
2064 * following is just a warning.
2065 */
2066 if (memcmp(profile+68, D50_nCIEXYZ, 12) != 0)
2067 (void)png_icc_profile_error(png_ptr, NULL, name, 0/*no tag value*/,
2068 "PCS illuminant is not D50");
2069
2070 /* The PNG spec requires this:
2071 * "If the iCCP chunk is present, the image samples conform to the colour
2072 * space represented by the embedded ICC profile as defined by the
2073 * International Color Consortium [ICC]. The colour space of the ICC profile
2074 * shall be an RGB colour space for colour images (PNG colour types 2, 3, and
2075 * 6), or a greyscale colour space for greyscale images (PNG colour types 0
2076 * and 4)."
2077 *
2078 * This checking code ensures the embedded profile (on either read or write)
2079 * conforms to the specification requirements. Notice that an ICC 'gray'
2080 * color-space profile contains the information to transform the monochrome
2081 * data to XYZ or L*a*b (according to which PCS the profile uses) and this
2082 * should be used in preference to the standard libpng K channel replication
2083 * into R, G and B channels.
2084 *
2085 * Previously it was suggested that an RGB profile on grayscale data could be
2086 * handled. However it it is clear that using an RGB profile in this context
2087 * must be an error - there is no specification of what it means. Thus it is
2088 * almost certainly more correct to ignore the profile.
2089 */
2090 temp = png_get_uint_32(profile+16); /* data colour space field */
2091 switch (temp)
2092 {
2093 case 0x52474220: /* 'RGB ' */
2094 if ((color_type & PNG_COLOR_MASK_COLOR) == 0)
2095 return png_icc_profile_error(png_ptr, colorspace, name, temp,
2096 "RGB color space not permitted on grayscale PNG");
2097 break;
2098
2099 case 0x47524159: /* 'GRAY' */
2100 if ((color_type & PNG_COLOR_MASK_COLOR) != 0)
2101 return png_icc_profile_error(png_ptr, colorspace, name, temp,
2102 "Gray color space not permitted on RGB PNG");
2103 break;
2104
2105 default:
2106 return png_icc_profile_error(png_ptr, colorspace, name, temp,
2107 "invalid ICC profile color space");
2108 }
2109
2110 /* It is up to the application to check that the profile class matches the
2111 * application requirements; the spec provides no guidance, but it's pretty
2112 * weird if the profile is not scanner ('scnr'), monitor ('mntr'), printer
2113 * ('prtr') or 'spac' (for generic color spaces). Issue a warning in these
2114 * cases. Issue an error for device link or abstract profiles - these don't
2115 * contain the records necessary to transform the color-space to anything
2116 * other than the target device (and not even that for an abstract profile).
2117 * Profiles of these classes may not be embedded in images.
2118 */
2119 temp = png_get_uint_32(profile+12); /* profile/device class */
2120 switch (temp)
2121 {
2122 case 0x73636e72: /* 'scnr' */
2123 case 0x6d6e7472: /* 'mntr' */
2124 case 0x70727472: /* 'prtr' */
2125 case 0x73706163: /* 'spac' */
2126 /* All supported */
2127 break;
2128
2129 case 0x61627374: /* 'abst' */
2130 /* May not be embedded in an image */
2131 return png_icc_profile_error(png_ptr, colorspace, name, temp,
2132 "invalid embedded Abstract ICC profile");
2133
2134 case 0x6c696e6b: /* 'link' */
2135 /* DeviceLink profiles cannot be interpreted in a non-device specific
2136 * fashion, if an app uses the AToB0Tag in the profile the results are
2137 * undefined unless the result is sent to the intended device,
2138 * therefore a DeviceLink profile should not be found embedded in a
2139 * PNG.
2140 */
2141 return png_icc_profile_error(png_ptr, colorspace, name, temp,
2142 "unexpected DeviceLink ICC profile class");
2143
2144 case 0x6e6d636c: /* 'nmcl' */
2145 /* A NamedColor profile is also device specific, however it doesn't
2146 * contain an AToB0 tag that is open to misinterpretation. Almost
2147 * certainly it will fail the tests below.
2148 */
2149 (void)png_icc_profile_error(png_ptr, NULL, name, temp,
2150 "unexpected NamedColor ICC profile class");
2151 break;
2152
2153 default:
2154 /* To allow for future enhancements to the profile accept unrecognized
2155 * profile classes with a warning, these then hit the test below on the
2156 * tag content to ensure they are backward compatible with one of the
2157 * understood profiles.
2158 */
2159 (void)png_icc_profile_error(png_ptr, NULL, name, temp,
2160 "unrecognized ICC profile class");
2161 break;
2162 }
2163
2164 /* For any profile other than a device link one the PCS must be encoded
2165 * either in XYZ or Lab.
2166 */
2167 temp = png_get_uint_32(profile+20);
2168 switch (temp)
2169 {
2170 case 0x58595a20: /* 'XYZ ' */
2171 case 0x4c616220: /* 'Lab ' */
2172 break;
2173
2174 default:
2175 return png_icc_profile_error(png_ptr, colorspace, name, temp,
2176 "unexpected ICC PCS encoding");
2177 }
2178
2179 return 1;
2180 }
2181
2182 int /* PRIVATE */
2183 png_icc_check_tag_table(png_const_structrp png_ptr, png_colorspacerp colorspace,
2184 png_const_charp name, png_uint_32 profile_length,
2185 png_const_bytep profile /* header plus whole tag table */)
2186 {
2187 png_uint_32 tag_count = png_get_uint_32(profile+128);
2188 png_uint_32 itag;
2189 png_const_bytep tag = profile+132; /* The first tag */
2190
2191 /* First scan all the tags in the table and add bits to the icc_info value
2192 * (temporarily in 'tags').
2193 */
2194 for (itag=0; itag < tag_count; ++itag, tag += 12)
2195 {
2196 png_uint_32 tag_id = png_get_uint_32(tag+0);
2197 png_uint_32 tag_start = png_get_uint_32(tag+4); /* must be aligned */
2198 png_uint_32 tag_length = png_get_uint_32(tag+8);/* not padded */
2199
2200 /* The ICC specification does not exclude zero length tags, therefore the
2201 * start might actually be anywhere if there is no data, but this would be
2202 * a clear abuse of the intent of the standard so the start is checked for
2203 * being in range. All defined tag types have an 8 byte header - a 4 byte
2204 * type signature then 0.
2205 */
2206
2207 /* This is a hard error; potentially it can cause read outside the
2208 * profile.
2209 */
2210 if (tag_start > profile_length || tag_length > profile_length - tag_start)
2211 return png_icc_profile_error(png_ptr, colorspace, name, tag_id,
2212 "ICC profile tag outside profile");
2213
2214 if ((tag_start & 3) != 0)
2215 {
2216 /* CNHP730S.icc shipped with Microsoft Windows 64 violates this; it is
2217 * only a warning here because libpng does not care about the
2218 * alignment.
2219 */
2220 (void)png_icc_profile_error(png_ptr, NULL, name, tag_id,
2221 "ICC profile tag start not a multiple of 4");
2222 }
2223 }
2224
2225 return 1; /* success, maybe with warnings */
2226 }
2227
2228 #ifdef PNG_sRGB_SUPPORTED
2229 #if PNG_sRGB_PROFILE_CHECKS >= 0
2230 /* Information about the known ICC sRGB profiles */
2231 static const struct
2232 {
2233 png_uint_32 adler, crc, length;
2234 png_uint_32 md5[4];
2235 png_byte have_md5;
2236 png_byte is_broken;
2237 png_uint_16 intent;
2238
2239 # define PNG_MD5(a,b,c,d) { a, b, c, d }, (a!=0)||(b!=0)||(c!=0)||(d!=0)
2240 # define PNG_ICC_CHECKSUM(adler, crc, md5, intent, broke, date, length, fname)\
2241 { adler, crc, length, md5, broke, intent },
2242
2243 } png_sRGB_checks[] =
2244 {
2245 /* This data comes from contrib/tools/checksum-icc run on downloads of
2246 * all four ICC sRGB profiles from www.color.org.
2247 */
2248 /* adler32, crc32, MD5[4], intent, date, length, file-name */
2249 PNG_ICC_CHECKSUM(0x0a3fd9f6, 0x3b8772b9,
2250 PNG_MD5(0x29f83dde, 0xaff255ae, 0x7842fae4, 0xca83390d), 0, 0,
2251 "2009/03/27 21:36:31", 3048, "sRGB_IEC61966-2-1_black_scaled.icc")
2252
2253 /* ICC sRGB v2 perceptual no black-compensation: */
2254 PNG_ICC_CHECKSUM(0x4909e5e1, 0x427ebb21,
2255 PNG_MD5(0xc95bd637, 0xe95d8a3b, 0x0df38f99, 0xc1320389), 1, 0,
2256 "2009/03/27 21:37:45", 3052, "sRGB_IEC61966-2-1_no_black_scaling.icc")
2257
2258 PNG_ICC_CHECKSUM(0xfd2144a1, 0x306fd8ae,
2259 PNG_MD5(0xfc663378, 0x37e2886b, 0xfd72e983, 0x8228f1b8), 0, 0,
2260 "2009/08/10 17:28:01", 60988, "sRGB_v4_ICC_preference_displayclass.icc")
2261
2262 /* ICC sRGB v4 perceptual */
2263 PNG_ICC_CHECKSUM(0x209c35d2, 0xbbef7812,
2264 PNG_MD5(0x34562abf, 0x994ccd06, 0x6d2c5721, 0xd0d68c5d), 0, 0,
2265 "2007/07/25 00:05:37", 60960, "sRGB_v4_ICC_preference.icc")
2266
2267 /* The following profiles have no known MD5 checksum. If there is a match
2268 * on the (empty) MD5 the other fields are used to attempt a match and
2269 * a warning is produced. The first two of these profiles have a 'cprt' tag
2270 * which suggests that they were also made by Hewlett Packard.
2271 */
2272 PNG_ICC_CHECKSUM(0xa054d762, 0x5d5129ce,
2273 PNG_MD5(0x00000000, 0x00000000, 0x00000000, 0x00000000), 1, 0,
2274 "2004/07/21 18:57:42", 3024, "sRGB_IEC61966-2-1_noBPC.icc")
2275
2276 /* This is a 'mntr' (display) profile with a mediaWhitePointTag that does not
2277 * match the D50 PCS illuminant in the header (it is in fact the D65 values,
2278 * so the white point is recorded as the un-adapted value.) The profiles
2279 * below only differ in one byte - the intent - and are basically the same as
2280 * the previous profile except for the mediaWhitePointTag error and a missing
2281 * chromaticAdaptationTag.
2282 */
2283 PNG_ICC_CHECKSUM(0xf784f3fb, 0x182ea552,
2284 PNG_MD5(0x00000000, 0x00000000, 0x00000000, 0x00000000), 0, 1/*broken*/,
2285 "1998/02/09 06:49:00", 3144, "HP-Microsoft sRGB v2 perceptual")
2286
2287 PNG_ICC_CHECKSUM(0x0398f3fc, 0xf29e526d,
2288 PNG_MD5(0x00000000, 0x00000000, 0x00000000, 0x00000000), 1, 1/*broken*/,
2289 "1998/02/09 06:49:00", 3144, "HP-Microsoft sRGB v2 media-relative")
2290 };
2291
2292 static int
2293 png_compare_ICC_profile_with_sRGB(png_const_structrp png_ptr,
2294 png_const_bytep profile, uLong adler)
2295 {
2296 /* The quick check is to verify just the MD5 signature and trust the
2297 * rest of the data. Because the profile has already been verified for
2298 * correctness this is safe. png_colorspace_set_sRGB will check the 'intent'
2299 * field too, so if the profile has been edited with an intent not defined
2300 * by sRGB (but maybe defined by a later ICC specification) the read of
2301 * the profile will fail at that point.
2302 */
2303
2304 png_uint_32 length = 0;
2305 png_uint_32 intent = 0x10000; /* invalid */
2306 #if PNG_sRGB_PROFILE_CHECKS > 1
2307 uLong crc = 0; /* the value for 0 length data */
2308 #endif
2309 unsigned int i;
2310
2311 #ifdef PNG_SET_OPTION_SUPPORTED
2312 /* First see if PNG_SKIP_sRGB_CHECK_PROFILE has been set to "on" */
2313 if (((png_ptr->options >> PNG_SKIP_sRGB_CHECK_PROFILE) & 3) ==
2314 PNG_OPTION_ON)
2315 return 0;
2316 #endif
2317
2318 for (i=0; i < (sizeof png_sRGB_checks) / (sizeof png_sRGB_checks[0]); ++i)
2319 {
2320 if (png_get_uint_32(profile+84) == png_sRGB_checks[i].md5[0] &&
2321 png_get_uint_32(profile+88) == png_sRGB_checks[i].md5[1] &&
2322 png_get_uint_32(profile+92) == png_sRGB_checks[i].md5[2] &&
2323 png_get_uint_32(profile+96) == png_sRGB_checks[i].md5[3])
2324 {
2325 /* This may be one of the old HP profiles without an MD5, in that
2326 * case we can only use the length and Adler32 (note that these
2327 * are not used by default if there is an MD5!)
2328 */
2329 # if PNG_sRGB_PROFILE_CHECKS == 0
2330 if (png_sRGB_checks[i].have_md5 != 0)
2331 return 1+png_sRGB_checks[i].is_broken;
2332 # endif
2333
2334 /* Profile is unsigned or more checks have been configured in. */
2335 if (length == 0)
2336 {
2337 length = png_get_uint_32(profile);
2338 intent = png_get_uint_32(profile+64);
2339 }
2340
2341 /* Length *and* intent must match */
2342 if (length == (png_uint_32) png_sRGB_checks[i].length &&
2343 intent == (png_uint_32) png_sRGB_checks[i].intent)
2344 {
2345 /* Now calculate the adler32 if not done already. */
2346 if (adler == 0)
2347 {
2348 adler = adler32(0, NULL, 0);
2349 adler = adler32(adler, profile, length);
2350 }
2351
2352 if (adler == png_sRGB_checks[i].adler)
2353 {
2354 /* These basic checks suggest that the data has not been
2355 * modified, but if the check level is more than 1 perform
2356 * our own crc32 checksum on the data.
2357 */
2358 # if PNG_sRGB_PROFILE_CHECKS > 1
2359 if (crc == 0)
2360 {
2361 crc = crc32(0, NULL, 0);
2362 crc = crc32(crc, profile, length);
2363 }
2364
2365 /* So this check must pass for the 'return' below to happen.
2366 */
2367 if (crc == png_sRGB_checks[i].crc)
2368 # endif
2369 {
2370 if (png_sRGB_checks[i].is_broken != 0)
2371 {
2372 /* These profiles are known to have bad data that may cause
2373 * problems if they are used, therefore attempt to
2374 * discourage their use, skip the 'have_md5' warning below,
2375 * which is made irrelevant by this error.
2376 */
2377 png_chunk_report(png_ptr, "known incorrect sRGB profile",
2378 PNG_CHUNK_ERROR);
2379 }
2380
2381 /* Warn that this being done; this isn't even an error since
2382 * the profile is perfectly valid, but it would be nice if
2383 * people used the up-to-date ones.
2384 */
2385 else if (png_sRGB_checks[i].have_md5 == 0)
2386 {
2387 png_chunk_report(png_ptr,
2388 "out-of-date sRGB profile with no signature",
2389 PNG_CHUNK_WARNING);
2390 }
2391
2392 return 1+png_sRGB_checks[i].is_broken;
2393 }
2394 }
2395
2396 # if PNG_sRGB_PROFILE_CHECKS > 0
2397 /* The signature matched, but the profile had been changed in some
2398 * way. This probably indicates a data error or uninformed hacking.
2399 * Fall through to "no match".
2400 */
2401 png_chunk_report(png_ptr,
2402 "Not recognizing known sRGB profile that has been edited",
2403 PNG_CHUNK_WARNING);
2404 break;
2405 # endif
2406 }
2407 }
2408 }
2409
2410 return 0; /* no match */
2411 }
2412
2413 void /* PRIVATE */
2414 png_icc_set_sRGB(png_const_structrp png_ptr,
2415 png_colorspacerp colorspace, png_const_bytep profile, uLong adler)
2416 {
2417 /* Is this profile one of the known ICC sRGB profiles? If it is, just set
2418 * the sRGB information.
2419 */
2420 if (png_compare_ICC_profile_with_sRGB(png_ptr, profile, adler) != 0)
2421 (void)png_colorspace_set_sRGB(png_ptr, colorspace,
2422 (int)/*already checked*/png_get_uint_32(profile+64));
2423 }
2424 #endif /* PNG_sRGB_PROFILE_CHECKS >= 0 */
2425 #endif /* sRGB */
2426
2427 int /* PRIVATE */
2428 png_colorspace_set_ICC(png_const_structrp png_ptr, png_colorspacerp colorspace,
2429 png_const_charp name, png_uint_32 profile_length, png_const_bytep profile,
2430 int color_type)
2431 {
2432 if ((colorspace->flags & PNG_COLORSPACE_INVALID) != 0)
2433 return 0;
2434
2435 if (icc_check_length(png_ptr, colorspace, name, profile_length) != 0 &&
2436 png_icc_check_header(png_ptr, colorspace, name, profile_length, profile,
2437 color_type) != 0 &&
2438 png_icc_check_tag_table(png_ptr, colorspace, name, profile_length,
2439 profile) != 0)
2440 {
2441 # if defined(PNG_sRGB_SUPPORTED) && PNG_sRGB_PROFILE_CHECKS >= 0
2442 /* If no sRGB support, don't try storing sRGB information */
2443 png_icc_set_sRGB(png_ptr, colorspace, profile, 0);
2444 # endif
2445 return 1;
2446 }
2447
2448 /* Failure case */
2449 return 0;
2450 }
2451 #endif /* iCCP */
2452
2453 #ifdef PNG_READ_RGB_TO_GRAY_SUPPORTED
2454 void /* PRIVATE */
2455 png_colorspace_set_rgb_coefficients(png_structrp png_ptr)
2456 {
2457 /* Set the rgb_to_gray coefficients from the colorspace. */
2458 if (png_ptr->rgb_to_gray_coefficients_set == 0 &&
2459 (png_ptr->colorspace.flags & PNG_COLORSPACE_HAVE_ENDPOINTS) != 0)
2460 {
2461 /* png_set_background has not been called, get the coefficients from the Y
2462 * values of the colorspace colorants.
2463 */
2464 png_fixed_point r = png_ptr->colorspace.end_points_XYZ.red_Y;
2465 png_fixed_point g = png_ptr->colorspace.end_points_XYZ.green_Y;
2466 png_fixed_point b = png_ptr->colorspace.end_points_XYZ.blue_Y;
2467 png_fixed_point total = r+g+b;
2468
2469 if (total > 0 &&
2470 r >= 0 && png_muldiv(&r, r, 32768, total) && r >= 0 && r <= 32768 &&
2471 g >= 0 && png_muldiv(&g, g, 32768, total) && g >= 0 && g <= 32768 &&
2472 b >= 0 && png_muldiv(&b, b, 32768, total) && b >= 0 && b <= 32768 &&
2473 r+g+b <= 32769)
2474 {
2475 /* We allow 0 coefficients here. r+g+b may be 32769 if two or
2476 * all of the coefficients were rounded up. Handle this by
2477 * reducing the *largest* coefficient by 1; this matches the
2478 * approach used for the default coefficients in pngrtran.c
2479 */
2480 int add = 0;
2481
2482 if (r+g+b > 32768)
2483 add = -1;
2484 else if (r+g+b < 32768)
2485 add = 1;
2486
2487 if (add != 0)
2488 {
2489 if (g >= r && g >= b)
2490 g += add;
2491 else if (r >= g && r >= b)
2492 r += add;
2493 else
2494 b += add;
2495 }
2496
2497 /* Check for an internal error. */
2498 if (r+g+b != 32768)
2499 png_error(png_ptr,
2500 "internal error handling cHRM coefficients");
2501
2502 else
2503 {
2504 png_ptr->rgb_to_gray_red_coeff = (png_uint_16)r;
2505 png_ptr->rgb_to_gray_green_coeff = (png_uint_16)g;
2506 }
2507 }
2508
2509 /* This is a png_error at present even though it could be ignored -
2510 * it should never happen, but it is important that if it does, the
2511 * bug is fixed.
2512 */
2513 else
2514 png_error(png_ptr, "internal error handling cHRM->XYZ");
2515 }
2516 }
2517 #endif /* READ_RGB_TO_GRAY */
2518
2519 #endif /* COLORSPACE */
2520
2521 void /* PRIVATE */
2522 png_check_IHDR(png_const_structrp png_ptr,
2523 png_uint_32 width, png_uint_32 height, int bit_depth,
2524 int color_type, int interlace_type, int compression_type,
2525 int filter_type)
2526 {
2527 int error = 0;
2528
2529 /* Check for width and height valid values */
2530 if (width == 0)
2531 {
2532 png_warning(png_ptr, "Image width is zero in IHDR");
2533 error = 1;
2534 }
2535
2536 if (width > PNG_UINT_31_MAX)
2537 {
2538 png_warning(png_ptr, "Invalid image width in IHDR");
2539 error = 1;
2540 }
2541
2542 /* The bit mask on the first line below must be at least as big as a
2543 * png_uint_32. "~7U" is not adequate on 16-bit systems because it will
2544 * be an unsigned 16-bit value. Casting to (png_alloc_size_t) makes the
2545 * type of the result at least as bit (in bits) as the RHS of the > operator
2546 * which also avoids a common warning on 64-bit systems that the comparison
2547 * of (png_uint_32) against the constant value on the RHS will always be
2548 * false.
2549 */
2550 if (((width + 7) & ~(png_alloc_size_t)7) >
2551 (((PNG_SIZE_MAX
2552 - 48 /* big_row_buf hack */
2553 - 1) /* filter byte */
2554 / 8) /* 8-byte RGBA pixels */
2555 - 1)) /* extra max_pixel_depth pad */
2556 {
2557 /* The size of the row must be within the limits of this architecture.
2558 * Because the read code can perform arbitrary transformations the
2559 * maximum size is checked here. Because the code in png_read_start_row
2560 * adds extra space "for safety's sake" in several places a conservative
2561 * limit is used here.
2562 *
2563 * NOTE: it would be far better to check the size that is actually used,
2564 * but the effect in the real world is minor and the changes are more
2565 * extensive, therefore much more dangerous and much more difficult to
2566 * write in a way that avoids compiler warnings.
2567 */
2568 png_warning(png_ptr, "Image width is too large for this architecture");
2569 error = 1;
2570 }
2571
2572 #ifdef PNG_SET_USER_LIMITS_SUPPORTED
2573 if (width > png_ptr->user_width_max)
2574 #else
2575 if (width > PNG_USER_WIDTH_MAX)
2576 #endif
2577 {
2578 png_warning(png_ptr, "Image width exceeds user limit in IHDR");
2579 error = 1;
2580 }
2581
2582 if (height == 0)
2583 {
2584 png_warning(png_ptr, "Image height is zero in IHDR");
2585 error = 1;
2586 }
2587
2588 if (height > PNG_UINT_31_MAX)
2589 {
2590 png_warning(png_ptr, "Invalid image height in IHDR");
2591 error = 1;
2592 }
2593
2594 #ifdef PNG_SET_USER_LIMITS_SUPPORTED
2595 if (height > png_ptr->user_height_max)
2596 #else
2597 if (height > PNG_USER_HEIGHT_MAX)
2598 #endif
2599 {
2600 png_warning(png_ptr, "Image height exceeds user limit in IHDR");
2601 error = 1;
2602 }
2603
2604 /* Check other values */
2605 if (bit_depth != 1 && bit_depth != 2 && bit_depth != 4 &&
2606 bit_depth != 8 && bit_depth != 16)
2607 {
2608 png_warning(png_ptr, "Invalid bit depth in IHDR");
2609 error = 1;
2610 }
2611
2612 if (color_type < 0 || color_type == 1 ||
2613 color_type == 5 || color_type > 6)
2614 {
2615 png_warning(png_ptr, "Invalid color type in IHDR");
2616 error = 1;
2617 }
2618
2619 if (((color_type == PNG_COLOR_TYPE_PALETTE) && bit_depth > 8) ||
2620 ((color_type == PNG_COLOR_TYPE_RGB ||
2621 color_type == PNG_COLOR_TYPE_GRAY_ALPHA ||
2622 color_type == PNG_COLOR_TYPE_RGB_ALPHA) && bit_depth < 8))
2623 {
2624 png_warning(png_ptr, "Invalid color type/bit depth combination in IHDR");
2625 error = 1;
2626 }
2627
2628 if (interlace_type >= PNG_INTERLACE_LAST)
2629 {
2630 png_warning(png_ptr, "Unknown interlace method in IHDR");
2631 error = 1;
2632 }
2633
2634 if (compression_type != PNG_COMPRESSION_TYPE_BASE)
2635 {
2636 png_warning(png_ptr, "Unknown compression method in IHDR");
2637 error = 1;
2638 }
2639
2640 #ifdef PNG_MNG_FEATURES_SUPPORTED
2641 /* Accept filter_method 64 (intrapixel differencing) only if
2642 * 1. Libpng was compiled with PNG_MNG_FEATURES_SUPPORTED and
2643 * 2. Libpng did not read a PNG signature (this filter_method is only
2644 * used in PNG datastreams that are embedded in MNG datastreams) and
2645 * 3. The application called png_permit_mng_features with a mask that
2646 * included PNG_FLAG_MNG_FILTER_64 and
2647 * 4. The filter_method is 64 and
2648 * 5. The color_type is RGB or RGBA
2649 */
2650 if ((png_ptr->mode & PNG_HAVE_PNG_SIGNATURE) != 0 &&
2651 png_ptr->mng_features_permitted != 0)
2652 png_warning(png_ptr, "MNG features are not allowed in a PNG datastream");
2653
2654 if (filter_type != PNG_FILTER_TYPE_BASE)
2655 {
2656 if (!((png_ptr->mng_features_permitted & PNG_FLAG_MNG_FILTER_64) != 0 &&
2657 (filter_type == PNG_INTRAPIXEL_DIFFERENCING) &&
2658 ((png_ptr->mode & PNG_HAVE_PNG_SIGNATURE) == 0) &&
2659 (color_type == PNG_COLOR_TYPE_RGB ||
2660 color_type == PNG_COLOR_TYPE_RGB_ALPHA)))
2661 {
2662 png_warning(png_ptr, "Unknown filter method in IHDR");
2663 error = 1;
2664 }
2665
2666 if ((png_ptr->mode & PNG_HAVE_PNG_SIGNATURE) != 0)
2667 {
2668 png_warning(png_ptr, "Invalid filter method in IHDR");
2669 error = 1;
2670 }
2671 }
2672
2673 #else
2674 if (filter_type != PNG_FILTER_TYPE_BASE)
2675 {
2676 png_warning(png_ptr, "Unknown filter method in IHDR");
2677 error = 1;
2678 }
2679 #endif
2680
2681 if (error == 1)
2682 png_error(png_ptr, "Invalid IHDR data");
2683 }
2684
2685 #if defined(PNG_sCAL_SUPPORTED) || defined(PNG_pCAL_SUPPORTED)
2686 /* ASCII to fp functions */
2687 /* Check an ASCII formatted floating point value, see the more detailed
2688 * comments in pngpriv.h
2689 */
2690 /* The following is used internally to preserve the sticky flags */
2691 #define png_fp_add(state, flags) ((state) |= (flags))
2692 #define png_fp_set(state, value) ((state) = (value) | ((state) & PNG_FP_STICKY))
2693
2694 int /* PRIVATE */
2695 png_check_fp_number(png_const_charp string, size_t size, int *statep,
2696 size_t *whereami)
2697 {
2698 int state = *statep;
2699 size_t i = *whereami;
2700
2701 while (i < size)
2702 {
2703 int type;
2704 /* First find the type of the next character */
2705 switch (string[i])
2706 {
2707 case 43: type = PNG_FP_SAW_SIGN; break;
2708 case 45: type = PNG_FP_SAW_SIGN + PNG_FP_NEGATIVE; break;
2709 case 46: type = PNG_FP_SAW_DOT; break;
2710 case 48: type = PNG_FP_SAW_DIGIT; break;
2711 case 49: case 50: case 51: case 52:
2712 case 53: case 54: case 55: case 56:
2713 case 57: type = PNG_FP_SAW_DIGIT + PNG_FP_NONZERO; break;
2714 case 69:
2715 case 101: type = PNG_FP_SAW_E; break;
2716 default: goto PNG_FP_End;
2717 }
2718
2719 /* Now deal with this type according to the current
2720 * state, the type is arranged to not overlap the
2721 * bits of the PNG_FP_STATE.
2722 */
2723 switch ((state & PNG_FP_STATE) + (type & PNG_FP_SAW_ANY))
2724 {
2725 case PNG_FP_INTEGER + PNG_FP_SAW_SIGN:
2726 if ((state & PNG_FP_SAW_ANY) != 0)
2727 goto PNG_FP_End; /* not a part of the number */
2728
2729 png_fp_add(state, type);
2730 break;
2731
2732 case PNG_FP_INTEGER + PNG_FP_SAW_DOT:
2733 /* Ok as trailer, ok as lead of fraction. */
2734 if ((state & PNG_FP_SAW_DOT) != 0) /* two dots */
2735 goto PNG_FP_End;
2736
2737 else if ((state & PNG_FP_SAW_DIGIT) != 0) /* trailing dot? */
2738 png_fp_add(state, type);
2739
2740 else
2741 png_fp_set(state, PNG_FP_FRACTION | type);
2742
2743 break;
2744
2745 case PNG_FP_INTEGER + PNG_FP_SAW_DIGIT:
2746 if ((state & PNG_FP_SAW_DOT) != 0) /* delayed fraction */
2747 png_fp_set(state, PNG_FP_FRACTION | PNG_FP_SAW_DOT);
2748
2749 png_fp_add(state, type | PNG_FP_WAS_VALID);
2750
2751 break;
2752
2753 case PNG_FP_INTEGER + PNG_FP_SAW_E:
2754 if ((state & PNG_FP_SAW_DIGIT) == 0)
2755 goto PNG_FP_End;
2756
2757 png_fp_set(state, PNG_FP_EXPONENT);
2758
2759 break;
2760
2761 /* case PNG_FP_FRACTION + PNG_FP_SAW_SIGN:
2762 goto PNG_FP_End; ** no sign in fraction */
2763
2764 /* case PNG_FP_FRACTION + PNG_FP_SAW_DOT:
2765 goto PNG_FP_End; ** Because SAW_DOT is always set */
2766
2767 case PNG_FP_FRACTION + PNG_FP_SAW_DIGIT:
2768 png_fp_add(state, type | PNG_FP_WAS_VALID);
2769 break;
2770
2771 case PNG_FP_FRACTION + PNG_FP_SAW_E:
2772 /* This is correct because the trailing '.' on an
2773 * integer is handled above - so we can only get here
2774 * with the sequence ".E" (with no preceding digits).
2775 */
2776 if ((state & PNG_FP_SAW_DIGIT) == 0)
2777 goto PNG_FP_End;
2778
2779 png_fp_set(state, PNG_FP_EXPONENT);
2780
2781 break;
2782
2783 case PNG_FP_EXPONENT + PNG_FP_SAW_SIGN:
2784 if ((state & PNG_FP_SAW_ANY) != 0)
2785 goto PNG_FP_End; /* not a part of the number */
2786
2787 png_fp_add(state, PNG_FP_SAW_SIGN);
2788
2789 break;
2790
2791 /* case PNG_FP_EXPONENT + PNG_FP_SAW_DOT:
2792 goto PNG_FP_End; */
2793
2794 case PNG_FP_EXPONENT + PNG_FP_SAW_DIGIT:
2795 png_fp_add(state, PNG_FP_SAW_DIGIT | PNG_FP_WAS_VALID);
2796
2797 break;
2798
2799 /* case PNG_FP_EXPONEXT + PNG_FP_SAW_E:
2800 goto PNG_FP_End; */
2801
2802 default: goto PNG_FP_End; /* I.e. break 2 */
2803 }
2804
2805 /* The character seems ok, continue. */
2806 ++i;
2807 }
2808
2809 PNG_FP_End:
2810 /* Here at the end, update the state and return the correct
2811 * return code.
2812 */
2813 *statep = state;
2814 *whereami = i;
2815
2816 return (state & PNG_FP_SAW_DIGIT) != 0;
2817 }
2818
2819
2820 /* The same but for a complete string. */
2821 int
2822 png_check_fp_string(png_const_charp string, size_t size)
2823 {
2824 int state=0;
2825 size_t char_index=0;
2826
2827 if (png_check_fp_number(string, size, &state, &char_index) != 0 &&
2828 (char_index == size || string[char_index] == 0))
2829 return state /* must be non-zero - see above */;
2830
2831 return 0; /* i.e. fail */
2832 }
2833 #endif /* pCAL || sCAL */
2834
2835 #ifdef PNG_sCAL_SUPPORTED
2836 # ifdef PNG_FLOATING_POINT_SUPPORTED
2837 /* Utility used below - a simple accurate power of ten from an integral
2838 * exponent.
2839 */
2840 static double
2841 png_pow10(int power)
2842 {
2843 int recip = 0;
2844 double d = 1;
2845
2846 /* Handle negative exponent with a reciprocal at the end because
2847 * 10 is exact whereas .1 is inexact in base 2
2848 */
2849 if (power < 0)
2850 {
2851 if (power < DBL_MIN_10_EXP) return 0;
2852 recip = 1; power = -power;
2853 }
2854
2855 if (power > 0)
2856 {
2857 /* Decompose power bitwise. */
2858 double mult = 10;
2859 do
2860 {
2861 if (power & 1) d *= mult;
2862 mult *= mult;
2863 power >>= 1;
2864 }
2865 while (power > 0);
2866
2867 if (recip != 0) d = 1/d;
2868 }
2869 /* else power is 0 and d is 1 */
2870
2871 return d;
2872 }
2873
2874 /* Function to format a floating point value in ASCII with a given
2875 * precision.
2876 */
2877 void /* PRIVATE */
2878 png_ascii_from_fp(png_const_structrp png_ptr, png_charp ascii, size_t size,
2879 double fp, unsigned int precision)
2880 {
2881 /* We use standard functions from math.h, but not printf because
2882 * that would require stdio. The caller must supply a buffer of
2883 * sufficient size or we will png_error. The tests on size and
2884 * the space in ascii[] consumed are indicated below.
2885 */
2886 if (precision < 1)
2887 precision = DBL_DIG;
2888
2889 /* Enforce the limit of the implementation precision too. */
2890 if (precision > DBL_DIG+1)
2891 precision = DBL_DIG+1;
2892
2893 /* Basic sanity checks */
2894 if (size >= precision+5) /* See the requirements below. */
2895 {
2896 if (fp < 0)
2897 {
2898 fp = -fp;
2899 *ascii++ = 45; /* '-' PLUS 1 TOTAL 1 */
2900 --size;
2901 }
2902
2903 if (fp >= DBL_MIN && fp <= DBL_MAX)
2904 {
2905 int exp_b10; /* A base 10 exponent */
2906 double base; /* 10^exp_b10 */
2907
2908 /* First extract a base 10 exponent of the number,
2909 * the calculation below rounds down when converting
2910 * from base 2 to base 10 (multiply by log10(2) -
2911 * 0.3010, but 77/256 is 0.3008, so exp_b10 needs to
2912 * be increased. Note that the arithmetic shift
2913 * performs a floor() unlike C arithmetic - using a
2914 * C multiply would break the following for negative
2915 * exponents.
2916 */
2917 (void)frexp(fp, &exp_b10); /* exponent to base 2 */
2918
2919 exp_b10 = (exp_b10 * 77) >> 8; /* <= exponent to base 10 */
2920
2921 /* Avoid underflow here. */
2922 base = png_pow10(exp_b10); /* May underflow */
2923
2924 while (base < DBL_MIN || base < fp)
2925 {
2926 /* And this may overflow. */
2927 double test = png_pow10(exp_b10+1);
2928
2929 if (test <= DBL_MAX)
2930 {
2931 ++exp_b10; base = test;
2932 }
2933
2934 else
2935 break;
2936 }
2937
2938 /* Normalize fp and correct exp_b10, after this fp is in the
2939 * range [.1,1) and exp_b10 is both the exponent and the digit
2940 * *before* which the decimal point should be inserted
2941 * (starting with 0 for the first digit). Note that this
2942 * works even if 10^exp_b10 is out of range because of the
2943 * test on DBL_MAX above.
2944 */
2945 fp /= base;
2946 while (fp >= 1)
2947 {
2948 fp /= 10; ++exp_b10;
2949 }
2950
2951 /* Because of the code above fp may, at this point, be
2952 * less than .1, this is ok because the code below can
2953 * handle the leading zeros this generates, so no attempt
2954 * is made to correct that here.
2955 */
2956
2957 {
2958 unsigned int czero, clead, cdigits;
2959 char exponent[10];
2960
2961 /* Allow up to two leading zeros - this will not lengthen
2962 * the number compared to using E-n.
2963 */
2964 if (exp_b10 < 0 && exp_b10 > -3) /* PLUS 3 TOTAL 4 */
2965 {
2966 czero = 0U-exp_b10; /* PLUS 2 digits: TOTAL 3 */
2967 exp_b10 = 0; /* Dot added below before first output. */
2968 }
2969 else
2970 czero = 0; /* No zeros to add */
2971
2972 /* Generate the digit list, stripping trailing zeros and
2973 * inserting a '.' before a digit if the exponent is 0.
2974 */
2975 clead = czero; /* Count of leading zeros */
2976 cdigits = 0; /* Count of digits in list. */
2977
2978 do
2979 {
2980 double d;
2981
2982 fp *= 10;
2983 /* Use modf here, not floor and subtract, so that
2984 * the separation is done in one step. At the end
2985 * of the loop don't break the number into parts so
2986 * that the final digit is rounded.
2987 */
2988 if (cdigits+czero+1 < precision+clead)
2989 fp = modf(fp, &d);
2990
2991 else
2992 {
2993 d = floor(fp + .5);
2994
2995 if (d > 9)
2996 {
2997 /* Rounding up to 10, handle that here. */
2998 if (czero > 0)
2999 {
3000 --czero; d = 1;
3001 if (cdigits == 0) --clead;
3002 }
3003 else
3004 {
3005 while (cdigits > 0 && d > 9)
3006 {
3007 int ch = *--ascii;
3008
3009 if (exp_b10 != (-1))
3010 ++exp_b10;
3011
3012 else if (ch == 46)
3013 {
3014 ch = *--ascii; ++size;
3015 /* Advance exp_b10 to '1', so that the
3016 * decimal point happens after the
3017 * previous digit.
3018 */
3019 exp_b10 = 1;
3020 }
3021
3022 --cdigits;
3023 d = ch - 47; /* I.e. 1+(ch-48) */
3024 }
3025
3026 /* Did we reach the beginning? If so adjust the
3027 * exponent but take into account the leading
3028 * decimal point.
3029 */
3030 if (d > 9) /* cdigits == 0 */
3031 {
3032 if (exp_b10 == (-1))
3033 {
3034 /* Leading decimal point (plus zeros?), if
3035 * we lose the decimal point here it must
3036 * be reentered below.
3037 */
3038 int ch = *--ascii;
3039
3040 if (ch == 46)
3041 {
3042 ++size; exp_b10 = 1;
3043 }
3044
3045 /* Else lost a leading zero, so 'exp_b10' is
3046 * still ok at (-1)
3047 */
3048 }
3049 else
3050 ++exp_b10;
3051
3052 /* In all cases we output a '1' */
3053 d = 1;
3054 }
3055 }
3056 }
3057 fp = 0; /* Guarantees termination below. */
3058 }
3059
3060 if (d == 0)
3061 {
3062 ++czero;
3063 if (cdigits == 0) ++clead;
3064 }
3065 else
3066 {
3067 /* Included embedded zeros in the digit count. */
3068 cdigits += czero - clead;
3069 clead = 0;
3070
3071 while (czero > 0)
3072 {
3073 /* exp_b10 == (-1) means we just output the decimal
3074 * place - after the DP don't adjust 'exp_b10' any
3075 * more!
3076 */
3077 if (exp_b10 != (-1))
3078 {
3079 if (exp_b10 == 0)
3080 {
3081 *ascii++ = 46; --size;
3082 }
3083 /* PLUS 1: TOTAL 4 */
3084 --exp_b10;
3085 }
3086 *ascii++ = 48; --czero;
3087 }
3088
3089 if (exp_b10 != (-1))
3090 {
3091 if (exp_b10 == 0)
3092 {
3093 *ascii++ = 46; --size; /* counted above */
3094 }
3095
3096 --exp_b10;
3097 }
3098 *ascii++ = (char)(48 + (int)d); ++cdigits;
3099 }
3100 }
3101 while (cdigits+czero < precision+clead && fp > DBL_MIN);
3102
3103 /* The total output count (max) is now 4+precision */
3104
3105 /* Check for an exponent, if we don't need one we are
3106 * done and just need to terminate the string. At this
3107 * point, exp_b10==(-1) is effectively a flag: it got
3108 * to '-1' because of the decrement, after outputting
3109 * the decimal point above. (The exponent required is
3110 * *not* -1.)
3111 */
3112 if (exp_b10 >= (-1) && exp_b10 <= 2)
3113 {
3114 /* The following only happens if we didn't output the
3115 * leading zeros above for negative exponent, so this
3116 * doesn't add to the digit requirement. Note that the
3117 * two zeros here can only be output if the two leading
3118 * zeros were *not* output, so this doesn't increase
3119 * the output count.
3120 */
3121 while (exp_b10-- > 0) *ascii++ = 48;
3122
3123 *ascii = 0;
3124
3125 /* Total buffer requirement (including the '\0') is
3126 * 5+precision - see check at the start.
3127 */
3128 return;
3129 }
3130
3131 /* Here if an exponent is required, adjust size for
3132 * the digits we output but did not count. The total
3133 * digit output here so far is at most 1+precision - no
3134 * decimal point and no leading or trailing zeros have
3135 * been output.
3136 */
3137 size -= cdigits;
3138
3139 *ascii++ = 69; --size; /* 'E': PLUS 1 TOTAL 2+precision */
3140
3141 /* The following use of an unsigned temporary avoids ambiguities in
3142 * the signed arithmetic on exp_b10 and permits GCC at least to do
3143 * better optimization.
3144 */
3145 {
3146 unsigned int uexp_b10;
3147
3148 if (exp_b10 < 0)
3149 {
3150 *ascii++ = 45; --size; /* '-': PLUS 1 TOTAL 3+precision */
3151 uexp_b10 = 0U-exp_b10;
3152 }
3153
3154 else
3155 uexp_b10 = 0U+exp_b10;
3156
3157 cdigits = 0;
3158
3159 while (uexp_b10 > 0)
3160 {
3161 exponent[cdigits++] = (char)(48 + uexp_b10 % 10);
3162 uexp_b10 /= 10;
3163 }
3164 }
3165
3166 /* Need another size check here for the exponent digits, so
3167 * this need not be considered above.
3168 */
3169 if (size > cdigits)
3170 {
3171 while (cdigits > 0) *ascii++ = exponent[--cdigits];
3172
3173 *ascii = 0;
3174
3175 return;
3176 }
3177 }
3178 }
3179 else if (!(fp >= DBL_MIN))
3180 {
3181 *ascii++ = 48; /* '0' */
3182 *ascii = 0;
3183 return;
3184 }
3185 else
3186 {
3187 *ascii++ = 105; /* 'i' */
3188 *ascii++ = 110; /* 'n' */
3189 *ascii++ = 102; /* 'f' */
3190 *ascii = 0;
3191 return;
3192 }
3193 }
3194
3195 /* Here on buffer too small. */
3196 png_error(png_ptr, "ASCII conversion buffer too small");
3197 }
3198 # endif /* FLOATING_POINT */
3199
3200 # ifdef PNG_FIXED_POINT_SUPPORTED
3201 /* Function to format a fixed point value in ASCII.
3202 */
3203 void /* PRIVATE */
3204 png_ascii_from_fixed(png_const_structrp png_ptr, png_charp ascii,
3205 size_t size, png_fixed_point fp)
3206 {
3207 /* Require space for 10 decimal digits, a decimal point, a minus sign and a
3208 * trailing \0, 13 characters:
3209 */
3210 if (size > 12)
3211 {
3212 png_uint_32 num;
3213
3214 /* Avoid overflow here on the minimum integer. */
3215 if (fp < 0)
3216 {
3217 *ascii++ = 45; num = (png_uint_32)(-fp);
3218 }
3219 else
3220 num = (png_uint_32)fp;
3221
3222 if (num <= 0x80000000) /* else overflowed */
3223 {
3224 unsigned int ndigits = 0, first = 16 /* flag value */;
3225 char digits[10] = {0};
3226
3227 while (num)
3228 {
3229 /* Split the low digit off num: */
3230 unsigned int tmp = num/10;
3231 num -= tmp*10;
3232 digits[ndigits++] = (char)(48 + num);
3233 /* Record the first non-zero digit, note that this is a number
3234 * starting at 1, it's not actually the array index.
3235 */
3236 if (first == 16 && num > 0)
3237 first = ndigits;
3238 num = tmp;
3239 }
3240
3241 if (ndigits > 0)
3242 {
3243 while (ndigits > 5) *ascii++ = digits[--ndigits];
3244 /* The remaining digits are fractional digits, ndigits is '5' or
3245 * smaller at this point. It is certainly not zero. Check for a
3246 * non-zero fractional digit:
3247 */
3248 if (first <= 5)
3249 {
3250 unsigned int i;
3251 *ascii++ = 46; /* decimal point */
3252 /* ndigits may be <5 for small numbers, output leading zeros
3253 * then ndigits digits to first:
3254 */
3255 i = 5;
3256 while (ndigits < i)
3257 {
3258 *ascii++ = 48; --i;
3259 }
3260 while (ndigits >= first) *ascii++ = digits[--ndigits];
3261 /* Don't output the trailing zeros! */
3262 }
3263 }
3264 else
3265 *ascii++ = 48;
3266
3267 /* And null terminate the string: */
3268 *ascii = 0;
3269 return;
3270 }
3271 }
3272
3273 /* Here on buffer too small. */
3274 png_error(png_ptr, "ASCII conversion buffer too small");
3275 }
3276 # endif /* FIXED_POINT */
3277 #endif /* SCAL */
3278
3279 #if defined(PNG_FLOATING_POINT_SUPPORTED) && \
3280 !defined(PNG_FIXED_POINT_MACRO_SUPPORTED) && \
3281 (defined(PNG_gAMA_SUPPORTED) || defined(PNG_cHRM_SUPPORTED) || \
3282 defined(PNG_sCAL_SUPPORTED) || defined(PNG_READ_BACKGROUND_SUPPORTED) || \
3283 defined(PNG_READ_RGB_TO_GRAY_SUPPORTED)) || \
3284 (defined(PNG_sCAL_SUPPORTED) && \
3285 defined(PNG_FLOATING_ARITHMETIC_SUPPORTED))
3286 png_fixed_point
3287 png_fixed(png_const_structrp png_ptr, double fp, png_const_charp text)
3288 {
3289 double r = floor(100000 * fp + .5);
3290
3291 if (r > 2147483647. || r < -2147483648.)
3292 png_fixed_error(png_ptr, text);
3293
3294 # ifndef PNG_ERROR_TEXT_SUPPORTED
3295 PNG_UNUSED(text)
3296 # endif
3297
3298 return (png_fixed_point)r;
3299 }
3300 #endif
3301
3302 #if defined(PNG_GAMMA_SUPPORTED) || defined(PNG_COLORSPACE_SUPPORTED) ||\
3303 defined(PNG_INCH_CONVERSIONS_SUPPORTED) || defined(PNG_READ_pHYs_SUPPORTED)
3304 /* muldiv functions */
3305 /* This API takes signed arguments and rounds the result to the nearest
3306 * integer (or, for a fixed point number - the standard argument - to
3307 * the nearest .00001). Overflow and divide by zero are signalled in
3308 * the result, a boolean - true on success, false on overflow.
3309 */
3310 int
3311 png_muldiv(png_fixed_point_p res, png_fixed_point a, png_int_32 times,
3312 png_int_32 divisor)
3313 {
3314 /* Return a * times / divisor, rounded. */
3315 if (divisor != 0)
3316 {
3317 if (a == 0 || times == 0)
3318 {
3319 *res = 0;
3320 return 1;
3321 }
3322 else
3323 {
3324 #ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED
3325 double r = a;
3326 r *= times;
3327 r /= divisor;
3328 r = floor(r+.5);
3329
3330 /* A png_fixed_point is a 32-bit integer. */
3331 if (r <= 2147483647. && r >= -2147483648.)
3332 {
3333 *res = (png_fixed_point)r;
3334 return 1;
3335 }
3336 #else
3337 int negative = 0;
3338 png_uint_32 A, T, D;
3339 png_uint_32 s16, s32, s00;
3340
3341 if (a < 0)
3342 negative = 1, A = -a;
3343 else
3344 A = a;
3345
3346 if (times < 0)
3347 negative = !negative, T = -times;
3348 else
3349 T = times;
3350
3351 if (divisor < 0)
3352 negative = !negative, D = -divisor;
3353 else
3354 D = divisor;
3355
3356 /* Following can't overflow because the arguments only
3357 * have 31 bits each, however the result may be 32 bits.
3358 */
3359 s16 = (A >> 16) * (T & 0xffff) +
3360 (A & 0xffff) * (T >> 16);
3361 /* Can't overflow because the a*times bit is only 30
3362 * bits at most.
3363 */
3364 s32 = (A >> 16) * (T >> 16) + (s16 >> 16);
3365 s00 = (A & 0xffff) * (T & 0xffff);
3366
3367 s16 = (s16 & 0xffff) << 16;
3368 s00 += s16;
3369
3370 if (s00 < s16)
3371 ++s32; /* carry */
3372
3373 if (s32 < D) /* else overflow */
3374 {
3375 /* s32.s00 is now the 64-bit product, do a standard
3376 * division, we know that s32 < D, so the maximum
3377 * required shift is 31.
3378 */
3379 int bitshift = 32;
3380 png_fixed_point result = 0; /* NOTE: signed */
3381
3382 while (--bitshift >= 0)
3383 {
3384 png_uint_32 d32, d00;
3385
3386 if (bitshift > 0)
3387 d32 = D >> (32-bitshift), d00 = D << bitshift;
3388
3389 else
3390 d32 = 0, d00 = D;
3391
3392 if (s32 > d32)
3393 {
3394 if (s00 < d00) --s32; /* carry */
3395 s32 -= d32, s00 -= d00, result += 1<<bitshift;
3396 }
3397
3398 else
3399 if (s32 == d32 && s00 >= d00)
3400 s32 = 0, s00 -= d00, result += 1<<bitshift;
3401 }
3402
3403 /* Handle the rounding. */
3404 if (s00 >= (D >> 1))
3405 ++result;
3406
3407 if (negative != 0)
3408 result = -result;
3409
3410 /* Check for overflow. */
3411 if ((negative != 0 && result <= 0) ||
3412 (negative == 0 && result >= 0))
3413 {
3414 *res = result;
3415 return 1;
3416 }
3417 }
3418 #endif
3419 }
3420 }
3421
3422 return 0;
3423 }
3424 #endif /* READ_GAMMA || INCH_CONVERSIONS */
3425
3426 #if defined(PNG_READ_GAMMA_SUPPORTED) || defined(PNG_INCH_CONVERSIONS_SUPPORTED)
3427 /* The following is for when the caller doesn't much care about the
3428 * result.
3429 */
3430 png_fixed_point
3431 png_muldiv_warn(png_const_structrp png_ptr, png_fixed_point a, png_int_32 times,
3432 png_int_32 divisor)
3433 {
3434 png_fixed_point result;
3435
3436 if (png_muldiv(&result, a, times, divisor) != 0)
3437 return result;
3438
3439 png_warning(png_ptr, "fixed point overflow ignored");
3440 return 0;
3441 }
3442 #endif
3443
3444 #ifdef PNG_GAMMA_SUPPORTED /* more fixed point functions for gamma */
3445 /* Calculate a reciprocal, return 0 on div-by-zero or overflow. */
3446 png_fixed_point
3447 png_reciprocal(png_fixed_point a)
3448 {
3449 #ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED
3450 double r = floor(1E10/a+.5);
3451
3452 if (r <= 2147483647. && r >= -2147483648.)
3453 return (png_fixed_point)r;
3454 #else
3455 png_fixed_point res;
3456
3457 if (png_muldiv(&res, 100000, 100000, a) != 0)
3458 return res;
3459 #endif
3460
3461 return 0; /* error/overflow */
3462 }
3463
3464 /* This is the shared test on whether a gamma value is 'significant' - whether
3465 * it is worth doing gamma correction.
3466 */
3467 int /* PRIVATE */
3468 png_gamma_significant(png_fixed_point gamma_val)
3469 {
3470 return gamma_val < PNG_FP_1 - PNG_GAMMA_THRESHOLD_FIXED ||
3471 gamma_val > PNG_FP_1 + PNG_GAMMA_THRESHOLD_FIXED;
3472 }
3473 #endif
3474
3475 #ifdef PNG_READ_GAMMA_SUPPORTED
3476 #ifdef PNG_16BIT_SUPPORTED
3477 /* A local convenience routine. */
3478 static png_fixed_point
3479 png_product2(png_fixed_point a, png_fixed_point b)
3480 {
3481 /* The required result is 1/a * 1/b; the following preserves accuracy. */
3482 #ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED
3483 double r = a * 1E-5;
3484 r *= b;
3485 r = floor(r+.5);
3486
3487 if (r <= 2147483647. && r >= -2147483648.)
3488 return (png_fixed_point)r;
3489 #else
3490 png_fixed_point res;
3491
3492 if (png_muldiv(&res, a, b, 100000) != 0)
3493 return res;
3494 #endif
3495
3496 return 0; /* overflow */
3497 }
3498 #endif /* 16BIT */
3499
3500 /* The inverse of the above. */
3501 png_fixed_point
3502 png_reciprocal2(png_fixed_point a, png_fixed_point b)
3503 {
3504 /* The required result is 1/a * 1/b; the following preserves accuracy. */
3505 #ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED
3506 if (a != 0 && b != 0)
3507 {
3508 double r = 1E15/a;
3509 r /= b;
3510 r = floor(r+.5);
3511
3512 if (r <= 2147483647. && r >= -2147483648.)
3513 return (png_fixed_point)r;
3514 }
3515 #else
3516 /* This may overflow because the range of png_fixed_point isn't symmetric,
3517 * but this API is only used for the product of file and screen gamma so it
3518 * doesn't matter that the smallest number it can produce is 1/21474, not
3519 * 1/100000
3520 */
3521 png_fixed_point res = png_product2(a, b);
3522
3523 if (res != 0)
3524 return png_reciprocal(res);
3525 #endif
3526
3527 return 0; /* overflow */
3528 }
3529 #endif /* READ_GAMMA */
3530
3531 #ifdef PNG_READ_GAMMA_SUPPORTED /* gamma table code */
3532 #ifndef PNG_FLOATING_ARITHMETIC_SUPPORTED
3533 /* Fixed point gamma.
3534 *
3535 * The code to calculate the tables used below can be found in the shell script
3536 * contrib/tools/intgamma.sh
3537 *
3538 * To calculate gamma this code implements fast log() and exp() calls using only
3539 * fixed point arithmetic. This code has sufficient precision for either 8-bit
3540 * or 16-bit sample values.
3541 *
3542 * The tables used here were calculated using simple 'bc' programs, but C double
3543 * precision floating point arithmetic would work fine.
3544 *
3545 * 8-bit log table
3546 * This is a table of -log(value/255)/log(2) for 'value' in the range 128 to
3547 * 255, so it's the base 2 logarithm of a normalized 8-bit floating point
3548 * mantissa. The numbers are 32-bit fractions.
3549 */
3550 static const png_uint_32
3551 png_8bit_l2[128] =
3552 {
3553 4270715492U, 4222494797U, 4174646467U, 4127164793U, 4080044201U, 4033279239U,
3554 3986864580U, 3940795015U, 3895065449U, 3849670902U, 3804606499U, 3759867474U,
3555 3715449162U, 3671346997U, 3627556511U, 3584073329U, 3540893168U, 3498011834U,
3556 3455425220U, 3413129301U, 3371120137U, 3329393864U, 3287946700U, 3246774933U,
3557 3205874930U, 3165243125U, 3124876025U, 3084770202U, 3044922296U, 3005329011U,
3558 2965987113U, 2926893432U, 2888044853U, 2849438323U, 2811070844U, 2772939474U,
3559 2735041326U, 2697373562U, 2659933400U, 2622718104U, 2585724991U, 2548951424U,
3560 2512394810U, 2476052606U, 2439922311U, 2404001468U, 2368287663U, 2332778523U,
3561 2297471715U, 2262364947U, 2227455964U, 2192742551U, 2158222529U, 2123893754U,
3562 2089754119U, 2055801552U, 2022034013U, 1988449497U, 1955046031U, 1921821672U,
3563 1888774511U, 1855902668U, 1823204291U, 1790677560U, 1758320682U, 1726131893U,
3564 1694109454U, 1662251657U, 1630556815U, 1599023271U, 1567649391U, 1536433567U,
3565 1505374214U, 1474469770U, 1443718700U, 1413119487U, 1382670639U, 1352370686U,
3566 1322218179U, 1292211689U, 1262349810U, 1232631153U, 1203054352U, 1173618059U,
3567 1144320946U, 1115161701U, 1086139034U, 1057251672U, 1028498358U, 999877854U,
3568 971388940U, 943030410U, 914801076U, 886699767U, 858725327U, 830876614U,
3569 803152505U, 775551890U, 748073672U, 720716771U, 693480120U, 666362667U,
3570 639363374U, 612481215U, 585715177U, 559064263U, 532527486U, 506103872U,
3571 479792461U, 453592303U, 427502463U, 401522014U, 375650043U, 349885648U,
3572 324227938U, 298676034U, 273229066U, 247886176U, 222646516U, 197509248U,
3573 172473545U, 147538590U, 122703574U, 97967701U, 73330182U, 48790236U,
3574 24347096U, 0U
3575
3576 #if 0
3577 /* The following are the values for 16-bit tables - these work fine for the
3578 * 8-bit conversions but produce very slightly larger errors in the 16-bit
3579 * log (about 1.2 as opposed to 0.7 absolute error in the final value). To
3580 * use these all the shifts below must be adjusted appropriately.
3581 */
3582 65166, 64430, 63700, 62976, 62257, 61543, 60835, 60132, 59434, 58741, 58054,
3583 57371, 56693, 56020, 55352, 54689, 54030, 53375, 52726, 52080, 51439, 50803,
3584 50170, 49542, 48918, 48298, 47682, 47070, 46462, 45858, 45257, 44661, 44068,
3585 43479, 42894, 42312, 41733, 41159, 40587, 40020, 39455, 38894, 38336, 37782,
3586 37230, 36682, 36137, 35595, 35057, 34521, 33988, 33459, 32932, 32408, 31887,
3587 31369, 30854, 30341, 29832, 29325, 28820, 28319, 27820, 27324, 26830, 26339,
3588 25850, 25364, 24880, 24399, 23920, 23444, 22970, 22499, 22029, 21562, 21098,
3589 20636, 20175, 19718, 19262, 18808, 18357, 17908, 17461, 17016, 16573, 16132,
3590 15694, 15257, 14822, 14390, 13959, 13530, 13103, 12678, 12255, 11834, 11415,
3591 10997, 10582, 10168, 9756, 9346, 8937, 8531, 8126, 7723, 7321, 6921, 6523,
3592 6127, 5732, 5339, 4947, 4557, 4169, 3782, 3397, 3014, 2632, 2251, 1872, 1495,
3593 1119, 744, 372
3594 #endif
3595 };
3596
3597 static png_int_32
3598 png_log8bit(unsigned int x)
3599 {
3600 unsigned int lg2 = 0;
3601 /* Each time 'x' is multiplied by 2, 1 must be subtracted off the final log,
3602 * because the log is actually negate that means adding 1. The final
3603 * returned value thus has the range 0 (for 255 input) to 7.994 (for 1
3604 * input), return -1 for the overflow (log 0) case, - so the result is
3605 * always at most 19 bits.
3606 */
3607 if ((x &= 0xff) == 0)
3608 return -1;
3609
3610 if ((x & 0xf0) == 0)
3611 lg2 = 4, x <<= 4;
3612
3613 if ((x & 0xc0) == 0)
3614 lg2 += 2, x <<= 2;
3615
3616 if ((x & 0x80) == 0)
3617 lg2 += 1, x <<= 1;
3618
3619 /* result is at most 19 bits, so this cast is safe: */
3620 return (png_int_32)((lg2 << 16) + ((png_8bit_l2[x-128]+32768)>>16));
3621 }
3622
3623 /* The above gives exact (to 16 binary places) log2 values for 8-bit images,
3624 * for 16-bit images we use the most significant 8 bits of the 16-bit value to
3625 * get an approximation then multiply the approximation by a correction factor
3626 * determined by the remaining up to 8 bits. This requires an additional step
3627 * in the 16-bit case.
3628 *
3629 * We want log2(value/65535), we have log2(v'/255), where:
3630 *
3631 * value = v' * 256 + v''
3632 * = v' * f
3633 *
3634 * So f is value/v', which is equal to (256+v''/v') since v' is in the range 128
3635 * to 255 and v'' is in the range 0 to 255 f will be in the range 256 to less
3636 * than 258. The final factor also needs to correct for the fact that our 8-bit
3637 * value is scaled by 255, whereas the 16-bit values must be scaled by 65535.
3638 *
3639 * This gives a final formula using a calculated value 'x' which is value/v' and
3640 * scaling by 65536 to match the above table:
3641 *
3642 * log2(x/257) * 65536
3643 *
3644 * Since these numbers are so close to '1' we can use simple linear
3645 * interpolation between the two end values 256/257 (result -368.61) and 258/257
3646 * (result 367.179). The values used below are scaled by a further 64 to give
3647 * 16-bit precision in the interpolation:
3648 *
3649 * Start (256): -23591
3650 * Zero (257): 0
3651 * End (258): 23499
3652 */
3653 #ifdef PNG_16BIT_SUPPORTED
3654 static png_int_32
3655 png_log16bit(png_uint_32 x)
3656 {
3657 unsigned int lg2 = 0;
3658
3659 /* As above, but now the input has 16 bits. */
3660 if ((x &= 0xffff) == 0)
3661 return -1;
3662
3663 if ((x & 0xff00) == 0)
3664 lg2 = 8, x <<= 8;
3665
3666 if ((x & 0xf000) == 0)
3667 lg2 += 4, x <<= 4;
3668
3669 if ((x & 0xc000) == 0)
3670 lg2 += 2, x <<= 2;
3671
3672 if ((x & 0x8000) == 0)
3673 lg2 += 1, x <<= 1;
3674
3675 /* Calculate the base logarithm from the top 8 bits as a 28-bit fractional
3676 * value.
3677 */
3678 lg2 <<= 28;
3679 lg2 += (png_8bit_l2[(x>>8)-128]+8) >> 4;
3680
3681 /* Now we need to interpolate the factor, this requires a division by the top
3682 * 8 bits. Do this with maximum precision.
3683 */
3684 x = ((x << 16) + (x >> 9)) / (x >> 8);
3685
3686 /* Since we divided by the top 8 bits of 'x' there will be a '1' at 1<<24,
3687 * the value at 1<<16 (ignoring this) will be 0 or 1; this gives us exactly
3688 * 16 bits to interpolate to get the low bits of the result. Round the
3689 * answer. Note that the end point values are scaled by 64 to retain overall
3690 * precision and that 'lg2' is current scaled by an extra 12 bits, so adjust
3691 * the overall scaling by 6-12. Round at every step.
3692 */
3693 x -= 1U << 24;
3694
3695 if (x <= 65536U) /* <= '257' */
3696 lg2 += ((23591U * (65536U-x)) + (1U << (16+6-12-1))) >> (16+6-12);
3697
3698 else
3699 lg2 -= ((23499U * (x-65536U)) + (1U << (16+6-12-1))) >> (16+6-12);
3700
3701 /* Safe, because the result can't have more than 20 bits: */
3702 return (png_int_32)((lg2 + 2048) >> 12);
3703 }
3704 #endif /* 16BIT */
3705
3706 /* The 'exp()' case must invert the above, taking a 20-bit fixed point
3707 * logarithmic value and returning a 16 or 8-bit number as appropriate. In
3708 * each case only the low 16 bits are relevant - the fraction - since the
3709 * integer bits (the top 4) simply determine a shift.
3710 *
3711 * The worst case is the 16-bit distinction between 65535 and 65534. This
3712 * requires perhaps spurious accuracy in the decoding of the logarithm to
3713 * distinguish log2(65535/65534.5) - 10^-5 or 17 bits. There is little chance
3714 * of getting this accuracy in practice.
3715 *
3716 * To deal with this the following exp() function works out the exponent of the
3717 * fractional part of the logarithm by using an accurate 32-bit value from the
3718 * top four fractional bits then multiplying in the remaining bits.
3719 */
3720 static const png_uint_32
3721 png_32bit_exp[16] =
3722 {
3723 /* NOTE: the first entry is deliberately set to the maximum 32-bit value. */
3724 4294967295U, 4112874773U, 3938502376U, 3771522796U, 3611622603U, 3458501653U,
3725 3311872529U, 3171459999U, 3037000500U, 2908241642U, 2784941738U, 2666869345U,
3726 2553802834U, 2445529972U, 2341847524U, 2242560872U
3727 };
3728
3729 /* Adjustment table; provided to explain the numbers in the code below. */
3730 #if 0
3731 for (i=11;i>=0;--i){ print i, " ", (1 - e(-(2^i)/65536*l(2))) * 2^(32-i), "\n"}
3732 11 44937.64284865548751208448
3733 10 45180.98734845585101160448
3734 9 45303.31936980687359311872
3735 8 45364.65110595323018870784
3736 7 45395.35850361789624614912
3737 6 45410.72259715102037508096
3738 5 45418.40724413220722311168
3739 4 45422.25021786898173001728
3740 3 45424.17186732298419044352
3741 2 45425.13273269940811464704
3742 1 45425.61317555035558641664
3743 0 45425.85339951654943850496
3744 #endif
3745
3746 static png_uint_32
3747 png_exp(png_fixed_point x)
3748 {
3749 if (x > 0 && x <= 0xfffff) /* Else overflow or zero (underflow) */
3750 {
3751 /* Obtain a 4-bit approximation */
3752 png_uint_32 e = png_32bit_exp[(x >> 12) & 0x0f];
3753
3754 /* Incorporate the low 12 bits - these decrease the returned value by
3755 * multiplying by a number less than 1 if the bit is set. The multiplier
3756 * is determined by the above table and the shift. Notice that the values
3757 * converge on 45426 and this is used to allow linear interpolation of the
3758 * low bits.
3759 */
3760 if (x & 0x800)
3761 e -= (((e >> 16) * 44938U) + 16U) >> 5;
3762
3763 if (x & 0x400)
3764 e -= (((e >> 16) * 45181U) + 32U) >> 6;
3765
3766 if (x & 0x200)
3767 e -= (((e >> 16) * 45303U) + 64U) >> 7;
3768
3769 if (x & 0x100)
3770 e -= (((e >> 16) * 45365U) + 128U) >> 8;
3771
3772 if (x & 0x080)
3773 e -= (((e >> 16) * 45395U) + 256U) >> 9;
3774
3775 if (x & 0x040)
3776 e -= (((e >> 16) * 45410U) + 512U) >> 10;
3777
3778 /* And handle the low 6 bits in a single block. */
3779 e -= (((e >> 16) * 355U * (x & 0x3fU)) + 256U) >> 9;
3780
3781 /* Handle the upper bits of x. */
3782 e >>= x >> 16;
3783 return e;
3784 }
3785
3786 /* Check for overflow */
3787 if (x <= 0)
3788 return png_32bit_exp[0];
3789
3790 /* Else underflow */
3791 return 0;
3792 }
3793
3794 static png_byte
3795 png_exp8bit(png_fixed_point lg2)
3796 {
3797 /* Get a 32-bit value: */
3798 png_uint_32 x = png_exp(lg2);
3799
3800 /* Convert the 32-bit value to 0..255 by multiplying by 256-1. Note that the
3801 * second, rounding, step can't overflow because of the first, subtraction,
3802 * step.
3803 */
3804 x -= x >> 8;
3805 return (png_byte)(((x + 0x7fffffU) >> 24) & 0xff);
3806 }
3807
3808 #ifdef PNG_16BIT_SUPPORTED
3809 static png_uint_16
3810 png_exp16bit(png_fixed_point lg2)
3811 {
3812 /* Get a 32-bit value: */
3813 png_uint_32 x = png_exp(lg2);
3814
3815 /* Convert the 32-bit value to 0..65535 by multiplying by 65536-1: */
3816 x -= x >> 16;
3817 return (png_uint_16)((x + 32767U) >> 16);
3818 }
3819 #endif /* 16BIT */
3820 #endif /* FLOATING_ARITHMETIC */
3821
3822 png_byte
3823 png_gamma_8bit_correct(unsigned int value, png_fixed_point gamma_val)
3824 {
3825 if (value > 0 && value < 255)
3826 {
3827 # ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED
3828 /* 'value' is unsigned, ANSI-C90 requires the compiler to correctly
3829 * convert this to a floating point value. This includes values that
3830 * would overflow if 'value' were to be converted to 'int'.
3831 *
3832 * Apparently GCC, however, does an intermediate conversion to (int)
3833 * on some (ARM) but not all (x86) platforms, possibly because of
3834 * hardware FP limitations. (E.g. if the hardware conversion always
3835 * assumes the integer register contains a signed value.) This results
3836 * in ANSI-C undefined behavior for large values.
3837 *
3838 * Other implementations on the same machine might actually be ANSI-C90
3839 * conformant and therefore compile spurious extra code for the large
3840 * values.
3841 *
3842 * We can be reasonably sure that an unsigned to float conversion
3843 * won't be faster than an int to float one. Therefore this code
3844 * assumes responsibility for the undefined behavior, which it knows
3845 * can't happen because of the check above.
3846 *
3847 * Note the argument to this routine is an (unsigned int) because, on
3848 * 16-bit platforms, it is assigned a value which might be out of
3849 * range for an (int); that would result in undefined behavior in the
3850 * caller if the *argument* ('value') were to be declared (int).
3851 */
3852 double r = floor(255*pow((int)/*SAFE*/value/255.,gamma_val*.00001)+.5);
3853 return (png_byte)r;
3854 # else
3855 png_int_32 lg2 = png_log8bit(value);
3856 png_fixed_point res;
3857
3858 if (png_muldiv(&res, gamma_val, lg2, PNG_FP_1) != 0)
3859 return png_exp8bit(res);
3860
3861 /* Overflow. */
3862 value = 0;
3863 # endif
3864 }
3865
3866 return (png_byte)(value & 0xff);
3867 }
3868
3869 #ifdef PNG_16BIT_SUPPORTED
3870 png_uint_16
3871 png_gamma_16bit_correct(unsigned int value, png_fixed_point gamma_val)
3872 {
3873 if (value > 0 && value < 65535)
3874 {
3875 # ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED
3876 /* The same (unsigned int)->(double) constraints apply here as above,
3877 * however in this case the (unsigned int) to (int) conversion can
3878 * overflow on an ANSI-C90 compliant system so the cast needs to ensure
3879 * that this is not possible.
3880 */
3881 double r = floor(65535*pow((png_int_32)value/65535.,
3882 gamma_val*.00001)+.5);
3883 return (png_uint_16)r;
3884 # else
3885 png_int_32 lg2 = png_log16bit(value);
3886 png_fixed_point res;
3887
3888 if (png_muldiv(&res, gamma_val, lg2, PNG_FP_1) != 0)
3889 return png_exp16bit(res);
3890
3891 /* Overflow. */
3892 value = 0;
3893 # endif
3894 }
3895
3896 return (png_uint_16)value;
3897 }
3898 #endif /* 16BIT */
3899
3900 /* This does the right thing based on the bit_depth field of the
3901 * png_struct, interpreting values as 8-bit or 16-bit. While the result
3902 * is nominally a 16-bit value if bit depth is 8 then the result is
3903 * 8-bit (as are the arguments.)
3904 */
3905 png_uint_16 /* PRIVATE */
3906 png_gamma_correct(png_structrp png_ptr, unsigned int value,
3907 png_fixed_point gamma_val)
3908 {
3909 if (png_ptr->bit_depth == 8)
3910 return png_gamma_8bit_correct(value, gamma_val);
3911
3912 #ifdef PNG_16BIT_SUPPORTED
3913 else
3914 return png_gamma_16bit_correct(value, gamma_val);
3915 #else
3916 /* should not reach this */
3917 return 0;
3918 #endif /* 16BIT */
3919 }
3920
3921 #ifdef PNG_16BIT_SUPPORTED
3922 /* Internal function to build a single 16-bit table - the table consists of
3923 * 'num' 256 entry subtables, where 'num' is determined by 'shift' - the amount
3924 * to shift the input values right (or 16-number_of_signifiant_bits).
3925 *
3926 * The caller is responsible for ensuring that the table gets cleaned up on
3927 * png_error (i.e. if one of the mallocs below fails) - i.e. the *table argument
3928 * should be somewhere that will be cleaned.
3929 */
3930 static void
3931 png_build_16bit_table(png_structrp png_ptr, png_uint_16pp *ptable,
3932 unsigned int shift, png_fixed_point gamma_val)
3933 {
3934 /* Various values derived from 'shift': */
3935 unsigned int num = 1U << (8U - shift);
3936 #ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED
3937 /* CSE the division and work round wacky GCC warnings (see the comments
3938 * in png_gamma_8bit_correct for where these come from.)
3939 */
3940 double fmax = 1.0 / (((png_int_32)1 << (16U - shift)) - 1);
3941 #endif
3942 unsigned int max = (1U << (16U - shift)) - 1U;
3943 unsigned int max_by_2 = 1U << (15U - shift);
3944 unsigned int i;
3945
3946 png_uint_16pp table = *ptable =
3947 (png_uint_16pp)png_calloc(png_ptr, num * (sizeof (png_uint_16p)));
3948
3949 for (i = 0; i < num; i++)
3950 {
3951 png_uint_16p sub_table = table[i] =
3952 (png_uint_16p)png_malloc(png_ptr, 256 * (sizeof (png_uint_16)));
3953
3954 /* The 'threshold' test is repeated here because it can arise for one of
3955 * the 16-bit tables even if the others don't hit it.
3956 */
3957 if (png_gamma_significant(gamma_val) != 0)
3958 {
3959 /* The old code would overflow at the end and this would cause the
3960 * 'pow' function to return a result >1, resulting in an
3961 * arithmetic error. This code follows the spec exactly; ig is
3962 * the recovered input sample, it always has 8-16 bits.
3963 *
3964 * We want input * 65535/max, rounded, the arithmetic fits in 32
3965 * bits (unsigned) so long as max <= 32767.
3966 */
3967 unsigned int j;
3968 for (j = 0; j < 256; j++)
3969 {
3970 png_uint_32 ig = (j << (8-shift)) + i;
3971 # ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED
3972 /* Inline the 'max' scaling operation: */
3973 /* See png_gamma_8bit_correct for why the cast to (int) is
3974 * required here.
3975 */
3976 double d = floor(65535.*pow(ig*fmax, gamma_val*.00001)+.5);
3977 sub_table[j] = (png_uint_16)d;
3978 # else
3979 if (shift != 0)
3980 ig = (ig * 65535U + max_by_2)/max;
3981
3982 sub_table[j] = png_gamma_16bit_correct(ig, gamma_val);
3983 # endif
3984 }
3985 }
3986 else
3987 {
3988 /* We must still build a table, but do it the fast way. */
3989 unsigned int j;
3990
3991 for (j = 0; j < 256; j++)
3992 {
3993 png_uint_32 ig = (j << (8-shift)) + i;
3994
3995 if (shift != 0)
3996 ig = (ig * 65535U + max_by_2)/max;
3997
3998 sub_table[j] = (png_uint_16)ig;
3999 }
4000 }
4001 }
4002 }
4003
4004 /* NOTE: this function expects the *inverse* of the overall gamma transformation
4005 * required.
4006 */
4007 static void
4008 png_build_16to8_table(png_structrp png_ptr, png_uint_16pp *ptable,
4009 unsigned int shift, png_fixed_point gamma_val)
4010 {
4011 unsigned int num = 1U << (8U - shift);
4012 unsigned int max = (1U << (16U - shift))-1U;
4013 unsigned int i;
4014 png_uint_32 last;
4015
4016 png_uint_16pp table = *ptable =
4017 (png_uint_16pp)png_calloc(png_ptr, num * (sizeof (png_uint_16p)));
4018
4019 /* 'num' is the number of tables and also the number of low bits of low
4020 * bits of the input 16-bit value used to select a table. Each table is
4021 * itself indexed by the high 8 bits of the value.
4022 */
4023 for (i = 0; i < num; i++)
4024 table[i] = (png_uint_16p)png_malloc(png_ptr,
4025 256 * (sizeof (png_uint_16)));
4026
4027 /* 'gamma_val' is set to the reciprocal of the value calculated above, so
4028 * pow(out,g) is an *input* value. 'last' is the last input value set.
4029 *
4030 * In the loop 'i' is used to find output values. Since the output is
4031 * 8-bit there are only 256 possible values. The tables are set up to
4032 * select the closest possible output value for each input by finding
4033 * the input value at the boundary between each pair of output values
4034 * and filling the table up to that boundary with the lower output
4035 * value.
4036 *
4037 * The boundary values are 0.5,1.5..253.5,254.5. Since these are 9-bit
4038 * values the code below uses a 16-bit value in i; the values start at
4039 * 128.5 (for 0.5) and step by 257, for a total of 254 values (the last
4040 * entries are filled with 255). Start i at 128 and fill all 'last'
4041 * table entries <= 'max'
4042 */
4043 last = 0;
4044 for (i = 0; i < 255; ++i) /* 8-bit output value */
4045 {
4046 /* Find the corresponding maximum input value */
4047 png_uint_16 out = (png_uint_16)(i * 257U); /* 16-bit output value */
4048
4049 /* Find the boundary value in 16 bits: */
4050 png_uint_32 bound = png_gamma_16bit_correct(out+128U, gamma_val);
4051
4052 /* Adjust (round) to (16-shift) bits: */
4053 bound = (bound * max + 32768U)/65535U + 1U;
4054
4055 while (last < bound)
4056 {
4057 table[last & (0xffU >> shift)][last >> (8U - shift)] = out;
4058 last++;
4059 }
4060 }
4061
4062 /* And fill in the final entries. */
4063 while (last < (num << 8))
4064 {
4065 table[last & (0xff >> shift)][last >> (8U - shift)] = 65535U;
4066 last++;
4067 }
4068 }
4069 #endif /* 16BIT */
4070
4071 /* Build a single 8-bit table: same as the 16-bit case but much simpler (and
4072 * typically much faster). Note that libpng currently does no sBIT processing
4073 * (apparently contrary to the spec) so a 256-entry table is always generated.
4074 */
4075 static void
4076 png_build_8bit_table(png_structrp png_ptr, png_bytepp ptable,
4077 png_fixed_point gamma_val)
4078 {
4079 unsigned int i;
4080 png_bytep table = *ptable = (png_bytep)png_malloc(png_ptr, 256);
4081
4082 if (png_gamma_significant(gamma_val) != 0)
4083 for (i=0; i<256; i++)
4084 table[i] = png_gamma_8bit_correct(i, gamma_val);
4085
4086 else
4087 for (i=0; i<256; ++i)
4088 table[i] = (png_byte)(i & 0xff);
4089 }
4090
4091 /* Used from png_read_destroy and below to release the memory used by the gamma
4092 * tables.
4093 */
4094 void /* PRIVATE */
4095 png_destroy_gamma_table(png_structrp png_ptr)
4096 {
4097 png_free(png_ptr, png_ptr->gamma_table);
4098 png_ptr->gamma_table = NULL;
4099
4100 #ifdef PNG_16BIT_SUPPORTED
4101 if (png_ptr->gamma_16_table != NULL)
4102 {
4103 int i;
4104 int istop = (1 << (8 - png_ptr->gamma_shift));
4105 for (i = 0; i < istop; i++)
4106 {
4107 png_free(png_ptr, png_ptr->gamma_16_table[i]);
4108 }
4109 png_free(png_ptr, png_ptr->gamma_16_table);
4110 png_ptr->gamma_16_table = NULL;
4111 }
4112 #endif /* 16BIT */
4113
4114 #if defined(PNG_READ_BACKGROUND_SUPPORTED) || \
4115 defined(PNG_READ_ALPHA_MODE_SUPPORTED) || \
4116 defined(PNG_READ_RGB_TO_GRAY_SUPPORTED)
4117 png_free(png_ptr, png_ptr->gamma_from_1);
4118 png_ptr->gamma_from_1 = NULL;
4119 png_free(png_ptr, png_ptr->gamma_to_1);
4120 png_ptr->gamma_to_1 = NULL;
4121
4122 #ifdef PNG_16BIT_SUPPORTED
4123 if (png_ptr->gamma_16_from_1 != NULL)
4124 {
4125 int i;
4126 int istop = (1 << (8 - png_ptr->gamma_shift));
4127 for (i = 0; i < istop; i++)
4128 {
4129 png_free(png_ptr, png_ptr->gamma_16_from_1[i]);
4130 }
4131 png_free(png_ptr, png_ptr->gamma_16_from_1);
4132 png_ptr->gamma_16_from_1 = NULL;
4133 }
4134 if (png_ptr->gamma_16_to_1 != NULL)
4135 {
4136 int i;
4137 int istop = (1 << (8 - png_ptr->gamma_shift));
4138 for (i = 0; i < istop; i++)
4139 {
4140 png_free(png_ptr, png_ptr->gamma_16_to_1[i]);
4141 }
4142 png_free(png_ptr, png_ptr->gamma_16_to_1);
4143 png_ptr->gamma_16_to_1 = NULL;
4144 }
4145 #endif /* 16BIT */
4146 #endif /* READ_BACKGROUND || READ_ALPHA_MODE || RGB_TO_GRAY */
4147 }
4148
4149 /* We build the 8- or 16-bit gamma tables here. Note that for 16-bit
4150 * tables, we don't make a full table if we are reducing to 8-bit in
4151 * the future. Note also how the gamma_16 tables are segmented so that
4152 * we don't need to allocate > 64K chunks for a full 16-bit table.
4153 */
4154 void /* PRIVATE */
4155 png_build_gamma_table(png_structrp png_ptr, int bit_depth)
4156 {
4157 png_debug(1, "in png_build_gamma_table");
4158
4159 /* Remove any existing table; this copes with multiple calls to
4160 * png_read_update_info. The warning is because building the gamma tables
4161 * multiple times is a performance hit - it's harmless but the ability to
4162 * call png_read_update_info() multiple times is new in 1.5.6 so it seems
4163 * sensible to warn if the app introduces such a hit.
4164 */
4165 if (png_ptr->gamma_table != NULL || png_ptr->gamma_16_table != NULL)
4166 {
4167 png_warning(png_ptr, "gamma table being rebuilt");
4168 png_destroy_gamma_table(png_ptr);
4169 }
4170
4171 if (bit_depth <= 8)
4172 {
4173 png_build_8bit_table(png_ptr, &png_ptr->gamma_table,
4174 png_ptr->screen_gamma > 0 ?
4175 png_reciprocal2(png_ptr->colorspace.gamma,
4176 png_ptr->screen_gamma) : PNG_FP_1);
4177
4178 #if defined(PNG_READ_BACKGROUND_SUPPORTED) || \
4179 defined(PNG_READ_ALPHA_MODE_SUPPORTED) || \
4180 defined(PNG_READ_RGB_TO_GRAY_SUPPORTED)
4181 if ((png_ptr->transformations & (PNG_COMPOSE | PNG_RGB_TO_GRAY)) != 0)
4182 {
4183 png_build_8bit_table(png_ptr, &png_ptr->gamma_to_1,
4184 png_reciprocal(png_ptr->colorspace.gamma));
4185
4186 png_build_8bit_table(png_ptr, &png_ptr->gamma_from_1,
4187 png_ptr->screen_gamma > 0 ?
4188 png_reciprocal(png_ptr->screen_gamma) :
4189 png_ptr->colorspace.gamma/* Probably doing rgb_to_gray */);
4190 }
4191 #endif /* READ_BACKGROUND || READ_ALPHA_MODE || RGB_TO_GRAY */
4192 }
4193 #ifdef PNG_16BIT_SUPPORTED
4194 else
4195 {
4196 png_byte shift, sig_bit;
4197
4198 if ((png_ptr->color_type & PNG_COLOR_MASK_COLOR) != 0)
4199 {
4200 sig_bit = png_ptr->sig_bit.red;
4201
4202 if (png_ptr->sig_bit.green > sig_bit)
4203 sig_bit = png_ptr->sig_bit.green;
4204
4205 if (png_ptr->sig_bit.blue > sig_bit)
4206 sig_bit = png_ptr->sig_bit.blue;
4207 }
4208 else
4209 sig_bit = png_ptr->sig_bit.gray;
4210
4211 /* 16-bit gamma code uses this equation:
4212 *
4213 * ov = table[(iv & 0xff) >> gamma_shift][iv >> 8]
4214 *
4215 * Where 'iv' is the input color value and 'ov' is the output value -
4216 * pow(iv, gamma).
4217 *
4218 * Thus the gamma table consists of up to 256 256-entry tables. The table
4219 * is selected by the (8-gamma_shift) most significant of the low 8 bits
4220 * of the color value then indexed by the upper 8 bits:
4221 *
4222 * table[low bits][high 8 bits]
4223 *
4224 * So the table 'n' corresponds to all those 'iv' of:
4225 *
4226 * <all high 8-bit values><n << gamma_shift>..<(n+1 << gamma_shift)-1>
4227 *
4228 */
4229 if (sig_bit > 0 && sig_bit < 16U)
4230 /* shift == insignificant bits */
4231 shift = (png_byte)((16U - sig_bit) & 0xff);
4232
4233 else
4234 shift = 0; /* keep all 16 bits */
4235
4236 if ((png_ptr->transformations & (PNG_16_TO_8 | PNG_SCALE_16_TO_8)) != 0)
4237 {
4238 /* PNG_MAX_GAMMA_8 is the number of bits to keep - effectively
4239 * the significant bits in the *input* when the output will
4240 * eventually be 8 bits. By default it is 11.
4241 */
4242 if (shift < (16U - PNG_MAX_GAMMA_8))
4243 shift = (16U - PNG_MAX_GAMMA_8);
4244 }
4245
4246 if (shift > 8U)
4247 shift = 8U; /* Guarantees at least one table! */
4248
4249 png_ptr->gamma_shift = shift;
4250
4251 /* NOTE: prior to 1.5.4 this test used to include PNG_BACKGROUND (now
4252 * PNG_COMPOSE). This effectively smashed the background calculation for
4253 * 16-bit output because the 8-bit table assumes the result will be
4254 * reduced to 8 bits.
4255 */
4256 if ((png_ptr->transformations & (PNG_16_TO_8 | PNG_SCALE_16_TO_8)) != 0)
4257 png_build_16to8_table(png_ptr, &png_ptr->gamma_16_table, shift,
4258 png_ptr->screen_gamma > 0 ? png_product2(png_ptr->colorspace.gamma,
4259 png_ptr->screen_gamma) : PNG_FP_1);
4260
4261 else
4262 png_build_16bit_table(png_ptr, &png_ptr->gamma_16_table, shift,
4263 png_ptr->screen_gamma > 0 ? png_reciprocal2(png_ptr->colorspace.gamma,
4264 png_ptr->screen_gamma) : PNG_FP_1);
4265
4266 #if defined(PNG_READ_BACKGROUND_SUPPORTED) || \
4267 defined(PNG_READ_ALPHA_MODE_SUPPORTED) || \
4268 defined(PNG_READ_RGB_TO_GRAY_SUPPORTED)
4269 if ((png_ptr->transformations & (PNG_COMPOSE | PNG_RGB_TO_GRAY)) != 0)
4270 {
4271 png_build_16bit_table(png_ptr, &png_ptr->gamma_16_to_1, shift,
4272 png_reciprocal(png_ptr->colorspace.gamma));
4273
4274 /* Notice that the '16 from 1' table should be full precision, however
4275 * the lookup on this table still uses gamma_shift, so it can't be.
4276 * TODO: fix this.
4277 */
4278 png_build_16bit_table(png_ptr, &png_ptr->gamma_16_from_1, shift,
4279 png_ptr->screen_gamma > 0 ? png_reciprocal(png_ptr->screen_gamma) :
4280 png_ptr->colorspace.gamma/* Probably doing rgb_to_gray */);
4281 }
4282 #endif /* READ_BACKGROUND || READ_ALPHA_MODE || RGB_TO_GRAY */
4283 }
4284 #endif /* 16BIT */
4285 }
4286 #endif /* READ_GAMMA */
4287
4288 /* HARDWARE OR SOFTWARE OPTION SUPPORT */
4289 #ifdef PNG_SET_OPTION_SUPPORTED
4290 int PNGAPI
4291 png_set_option(png_structrp png_ptr, int option, int onoff)
4292 {
4293 if (png_ptr != NULL && option >= 0 && option < PNG_OPTION_NEXT &&
4294 (option & 1) == 0)
4295 {
4296 png_uint_32 mask = 3U << option;
4297 png_uint_32 setting = (2U + (onoff != 0)) << option;
4298 png_uint_32 current = png_ptr->options;
4299
4300 png_ptr->options = (png_uint_32)((current & ~mask) | setting);
4301
4302 return (int)(current & mask) >> option;
4303 }
4304
4305 return PNG_OPTION_INVALID;
4306 }
4307 #endif
4308
4309 /* sRGB support */
4310 #if defined(PNG_SIMPLIFIED_READ_SUPPORTED) ||\
4311 defined(PNG_SIMPLIFIED_WRITE_SUPPORTED)
4312 /* sRGB conversion tables; these are machine generated with the code in
4313 * contrib/tools/makesRGB.c. The actual sRGB transfer curve defined in the
4314 * specification (see the article at https://en.wikipedia.org/wiki/SRGB)
4315 * is used, not the gamma=1/2.2 approximation use elsewhere in libpng.
4316 * The sRGB to linear table is exact (to the nearest 16-bit linear fraction).
4317 * The inverse (linear to sRGB) table has accuracies as follows:
4318 *
4319 * For all possible (255*65535+1) input values:
4320 *
4321 * error: -0.515566 - 0.625971, 79441 (0.475369%) of readings inexact
4322 *
4323 * For the input values corresponding to the 65536 16-bit values:
4324 *
4325 * error: -0.513727 - 0.607759, 308 (0.469978%) of readings inexact
4326 *
4327 * In all cases the inexact readings are only off by one.
4328 */
4329
4330 #ifdef PNG_SIMPLIFIED_READ_SUPPORTED
4331 /* The convert-to-sRGB table is only currently required for read. */
4332 const png_uint_16 png_sRGB_table[256] =
4333 {
4334 0,20,40,60,80,99,119,139,
4335 159,179,199,219,241,264,288,313,
4336 340,367,396,427,458,491,526,562,
4337 599,637,677,718,761,805,851,898,
4338 947,997,1048,1101,1156,1212,1270,1330,
4339 1391,1453,1517,1583,1651,1720,1790,1863,
4340 1937,2013,2090,2170,2250,2333,2418,2504,
4341 2592,2681,2773,2866,2961,3058,3157,3258,
4342 3360,3464,3570,3678,3788,3900,4014,4129,
4343 4247,4366,4488,4611,4736,4864,4993,5124,
4344 5257,5392,5530,5669,5810,5953,6099,6246,
4345 6395,6547,6700,6856,7014,7174,7335,7500,
4346 7666,7834,8004,8177,8352,8528,8708,8889,
4347 9072,9258,9445,9635,9828,10022,10219,10417,
4348 10619,10822,11028,11235,11446,11658,11873,12090,
4349 12309,12530,12754,12980,13209,13440,13673,13909,
4350 14146,14387,14629,14874,15122,15371,15623,15878,
4351 16135,16394,16656,16920,17187,17456,17727,18001,
4352 18277,18556,18837,19121,19407,19696,19987,20281,
4353 20577,20876,21177,21481,21787,22096,22407,22721,
4354 23038,23357,23678,24002,24329,24658,24990,25325,
4355 25662,26001,26344,26688,27036,27386,27739,28094,
4356 28452,28813,29176,29542,29911,30282,30656,31033,
4357 31412,31794,32179,32567,32957,33350,33745,34143,
4358 34544,34948,35355,35764,36176,36591,37008,37429,
4359 37852,38278,38706,39138,39572,40009,40449,40891,
4360 41337,41785,42236,42690,43147,43606,44069,44534,
4361 45002,45473,45947,46423,46903,47385,47871,48359,
4362 48850,49344,49841,50341,50844,51349,51858,52369,
4363 52884,53401,53921,54445,54971,55500,56032,56567,
4364 57105,57646,58190,58737,59287,59840,60396,60955,
4365 61517,62082,62650,63221,63795,64372,64952,65535
4366 };
4367 #endif /* SIMPLIFIED_READ */
4368
4369 /* The base/delta tables are required for both read and write (but currently
4370 * only the simplified versions.)
4371 */
4372 const png_uint_16 png_sRGB_base[512] =
4373 {
4374 128,1782,3383,4644,5675,6564,7357,8074,
4375 8732,9346,9921,10463,10977,11466,11935,12384,
4376 12816,13233,13634,14024,14402,14769,15125,15473,
4377 15812,16142,16466,16781,17090,17393,17690,17981,
4378 18266,18546,18822,19093,19359,19621,19879,20133,
4379 20383,20630,20873,21113,21349,21583,21813,22041,
4380 22265,22487,22707,22923,23138,23350,23559,23767,
4381 23972,24175,24376,24575,24772,24967,25160,25352,
4382 25542,25730,25916,26101,26284,26465,26645,26823,
4383 27000,27176,27350,27523,27695,27865,28034,28201,
4384 28368,28533,28697,28860,29021,29182,29341,29500,
4385 29657,29813,29969,30123,30276,30429,30580,30730,
4386 30880,31028,31176,31323,31469,31614,31758,31902,
4387 32045,32186,32327,32468,32607,32746,32884,33021,
4388 33158,33294,33429,33564,33697,33831,33963,34095,
4389 34226,34357,34486,34616,34744,34873,35000,35127,
4390 35253,35379,35504,35629,35753,35876,35999,36122,
4391 36244,36365,36486,36606,36726,36845,36964,37083,
4392 37201,37318,37435,37551,37668,37783,37898,38013,
4393 38127,38241,38354,38467,38580,38692,38803,38915,
4394 39026,39136,39246,39356,39465,39574,39682,39790,
4395 39898,40005,40112,40219,40325,40431,40537,40642,
4396 40747,40851,40955,41059,41163,41266,41369,41471,
4397 41573,41675,41777,41878,41979,42079,42179,42279,
4398 42379,42478,42577,42676,42775,42873,42971,43068,
4399 43165,43262,43359,43456,43552,43648,43743,43839,
4400 43934,44028,44123,44217,44311,44405,44499,44592,
4401 44685,44778,44870,44962,45054,45146,45238,45329,
4402 45420,45511,45601,45692,45782,45872,45961,46051,
4403 46140,46229,46318,46406,46494,46583,46670,46758,
4404 46846,46933,47020,47107,47193,47280,47366,47452,
4405 47538,47623,47709,47794,47879,47964,48048,48133,
4406 48217,48301,48385,48468,48552,48635,48718,48801,
4407 48884,48966,49048,49131,49213,49294,49376,49458,
4408 49539,49620,49701,49782,49862,49943,50023,50103,
4409 50183,50263,50342,50422,50501,50580,50659,50738,
4410 50816,50895,50973,51051,51129,51207,51285,51362,
4411 51439,51517,51594,51671,51747,51824,51900,51977,
4412 52053,52129,52205,52280,52356,52432,52507,52582,
4413 52657,52732,52807,52881,52956,53030,53104,53178,
4414 53252,53326,53400,53473,53546,53620,53693,53766,
4415 53839,53911,53984,54056,54129,54201,54273,54345,
4416 54417,54489,54560,54632,54703,54774,54845,54916,
4417 54987,55058,55129,55199,55269,55340,55410,55480,
4418 55550,55620,55689,55759,55828,55898,55967,56036,
4419 56105,56174,56243,56311,56380,56448,56517,56585,
4420 56653,56721,56789,56857,56924,56992,57059,57127,
4421 57194,57261,57328,57395,57462,57529,57595,57662,
4422 57728,57795,57861,57927,57993,58059,58125,58191,
4423 58256,58322,58387,58453,58518,58583,58648,58713,
4424 58778,58843,58908,58972,59037,59101,59165,59230,
4425 59294,59358,59422,59486,59549,59613,59677,59740,
4426 59804,59867,59930,59993,60056,60119,60182,60245,
4427 60308,60370,60433,60495,60558,60620,60682,60744,
4428 60806,60868,60930,60992,61054,61115,61177,61238,
4429 61300,61361,61422,61483,61544,61605,61666,61727,
4430 61788,61848,61909,61969,62030,62090,62150,62211,
4431 62271,62331,62391,62450,62510,62570,62630,62689,
4432 62749,62808,62867,62927,62986,63045,63104,63163,
4433 63222,63281,63340,63398,63457,63515,63574,63632,
4434 63691,63749,63807,63865,63923,63981,64039,64097,
4435 64155,64212,64270,64328,64385,64443,64500,64557,
4436 64614,64672,64729,64786,64843,64900,64956,65013,
4437 65070,65126,65183,65239,65296,65352,65409,65465
4438 };
4439
4440 const png_byte png_sRGB_delta[512] =
4441 {
4442 207,201,158,129,113,100,90,82,77,72,68,64,61,59,56,54,
4443 52,50,49,47,46,45,43,42,41,40,39,39,38,37,36,36,
4444 35,34,34,33,33,32,32,31,31,30,30,30,29,29,28,28,
4445 28,27,27,27,27,26,26,26,25,25,25,25,24,24,24,24,
4446 23,23,23,23,23,22,22,22,22,22,22,21,21,21,21,21,
4447 21,20,20,20,20,20,20,20,20,19,19,19,19,19,19,19,
4448 19,18,18,18,18,18,18,18,18,18,18,17,17,17,17,17,
4449 17,17,17,17,17,17,16,16,16,16,16,16,16,16,16,16,
4450 16,16,16,16,15,15,15,15,15,15,15,15,15,15,15,15,
4451 15,15,15,15,14,14,14,14,14,14,14,14,14,14,14,14,
4452 14,14,14,14,14,14,14,13,13,13,13,13,13,13,13,13,
4453 13,13,13,13,13,13,13,13,13,13,13,13,13,13,12,12,
4454 12,12,12,12,12,12,12,12,12,12,12,12,12,12,12,12,
4455 12,12,12,12,12,12,12,12,12,12,12,12,11,11,11,11,
4456 11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,
4457 11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,
4458 11,10,10,10,10,10,10,10,10,10,10,10,10,10,10,10,
4459 10,10,10,10,10,10,10,10,10,10,10,10,10,10,10,10,
4460 10,10,10,10,10,10,10,10,10,10,10,10,10,10,10,10,
4461 10,9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,
4462 9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,
4463 9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,
4464 9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,
4465 9,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,
4466 8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,
4467 8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,
4468 8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,
4469 8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,
4470 8,8,8,8,8,8,8,8,8,7,7,7,7,7,7,7,
4471 7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,
4472 7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,
4473 7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,7
4474 };
4475 #endif /* SIMPLIFIED READ/WRITE sRGB support */
4476
4477 /* SIMPLIFIED READ/WRITE SUPPORT */
4478 #if defined(PNG_SIMPLIFIED_READ_SUPPORTED) ||\
4479 defined(PNG_SIMPLIFIED_WRITE_SUPPORTED)
4480 static int
4481 png_image_free_function(png_voidp argument)
4482 {
4483 png_imagep image = png_voidcast(png_imagep, argument);
4484 png_controlp cp = image->opaque;
4485 png_control c;
4486
4487 /* Double check that we have a png_ptr - it should be impossible to get here
4488 * without one.
4489 */
4490 if (cp->png_ptr == NULL)
4491 return 0;
4492
4493 /* First free any data held in the control structure. */
4494 # ifdef PNG_STDIO_SUPPORTED
4495 if (cp->owned_file != 0)
4496 {
4497 FILE *fp = png_voidcast(FILE*, cp->png_ptr->io_ptr);
4498 cp->owned_file = 0;
4499
4500 /* Ignore errors here. */
4501 if (fp != NULL)
4502 {
4503 cp->png_ptr->io_ptr = NULL;
4504 (void)fclose(fp);
4505 }
4506 }
4507 # endif
4508
4509 /* Copy the control structure so that the original, allocated, version can be
4510 * safely freed. Notice that a png_error here stops the remainder of the
4511 * cleanup, but this is probably fine because that would indicate bad memory
4512 * problems anyway.
4513 */
4514 c = *cp;
4515 image->opaque = &c;
4516 png_free(c.png_ptr, cp);
4517
4518 /* Then the structures, calling the correct API. */
4519 if (c.for_write != 0)
4520 {
4521 # ifdef PNG_SIMPLIFIED_WRITE_SUPPORTED
4522 png_destroy_write_struct(&c.png_ptr, &c.info_ptr);
4523 # else
4524 png_error(c.png_ptr, "simplified write not supported");
4525 # endif
4526 }
4527 else
4528 {
4529 # ifdef PNG_SIMPLIFIED_READ_SUPPORTED
4530 png_destroy_read_struct(&c.png_ptr, &c.info_ptr, NULL);
4531 # else
4532 png_error(c.png_ptr, "simplified read not supported");
4533 # endif
4534 }
4535
4536 /* Success. */
4537 return 1;
4538 }
4539
4540 void PNGAPI
4541 png_image_free(png_imagep image)
4542 {
4543 /* Safely call the real function, but only if doing so is safe at this point
4544 * (if not inside an error handling context). Otherwise assume
4545 * png_safe_execute will call this API after the return.
4546 */
4547 if (image != NULL && image->opaque != NULL &&
4548 image->opaque->error_buf == NULL)
4549 {
4550 png_image_free_function(image);
4551 image->opaque = NULL;
4552 }
4553 }
4554
4555 int /* PRIVATE */
4556 png_image_error(png_imagep image, png_const_charp error_message)
4557 {
4558 /* Utility to log an error. */
4559 png_safecat(image->message, (sizeof image->message), 0, error_message);
4560 image->warning_or_error |= PNG_IMAGE_ERROR;
4561 png_image_free(image);
4562 return 0;
4563 }
4564
4565 #endif /* SIMPLIFIED READ/WRITE */
4566 #endif /* READ || WRITE */
4567