1
2 /* pngpread.c - read a png file in push mode
3 *
4 * Copyright (c) 2018-2024 Cosmin Truta
5 * Copyright (c) 1998-2002,2004,2006-2018 Glenn Randers-Pehrson
6 * Copyright (c) 1996-1997 Andreas Dilger
7 * Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc.
8 *
9 * This code is released under the libpng license.
10 * For conditions of distribution and use, see the disclaimer
11 * and license in png.h
12 */
13
14 #include "pngpriv.h"
15
16 #ifdef PNG_PROGRESSIVE_READ_SUPPORTED
17
18 /* Push model modes */
19 #define PNG_READ_SIG_MODE 0
20 #define PNG_READ_CHUNK_MODE 1
21 #define PNG_READ_IDAT_MODE 2
22 #define PNG_READ_tEXt_MODE 4
23 #define PNG_READ_zTXt_MODE 5
24 #define PNG_READ_DONE_MODE 6
25 #define PNG_READ_iTXt_MODE 7
26 #define PNG_ERROR_MODE 8
27
28 #define PNG_PUSH_SAVE_BUFFER_IF_FULL \
29 if (png_ptr->push_length + 4 > png_ptr->buffer_size) \
30 { png_push_save_buffer(png_ptr); return; }
31 #define PNG_PUSH_SAVE_BUFFER_IF_LT(N) \
32 if (png_ptr->buffer_size < N) \
33 { png_push_save_buffer(png_ptr); return; }
34
35 void PNGAPI
png_process_data(png_structrp png_ptr,png_inforp info_ptr,png_bytep buffer,size_t buffer_size)36 png_process_data(png_structrp png_ptr, png_inforp info_ptr,
37 png_bytep buffer, size_t buffer_size)
38 {
39 if (png_ptr == NULL || info_ptr == NULL)
40 return;
41
42 png_push_restore_buffer(png_ptr, buffer, buffer_size);
43
44 while (png_ptr->buffer_size)
45 {
46 png_process_some_data(png_ptr, info_ptr);
47 }
48 }
49
50 size_t PNGAPI
png_process_data_pause(png_structrp png_ptr,int save)51 png_process_data_pause(png_structrp png_ptr, int save)
52 {
53 if (png_ptr != NULL)
54 {
55 /* It's easiest for the caller if we do the save; then the caller doesn't
56 * have to supply the same data again:
57 */
58 if (save != 0)
59 png_push_save_buffer(png_ptr);
60 else
61 {
62 /* This includes any pending saved bytes: */
63 size_t remaining = png_ptr->buffer_size;
64 png_ptr->buffer_size = 0;
65
66 /* So subtract the saved buffer size, unless all the data
67 * is actually 'saved', in which case we just return 0
68 */
69 if (png_ptr->save_buffer_size < remaining)
70 return remaining - png_ptr->save_buffer_size;
71 }
72 }
73
74 return 0;
75 }
76
77 png_uint_32 PNGAPI
png_process_data_skip(png_structrp png_ptr)78 png_process_data_skip(png_structrp png_ptr)
79 {
80 /* TODO: Deprecate and remove this API.
81 * Somewhere the implementation of this seems to have been lost,
82 * or abandoned. It was only to support some internal back-door access
83 * to png_struct) in libpng-1.4.x.
84 */
85 png_app_warning(png_ptr,
86 "png_process_data_skip is not implemented in any current version of libpng");
87 return 0;
88 }
89
90 /* What we do with the incoming data depends on what we were previously
91 * doing before we ran out of data...
92 */
93 void /* PRIVATE */
png_process_some_data(png_structrp png_ptr,png_inforp info_ptr)94 png_process_some_data(png_structrp png_ptr, png_inforp info_ptr)
95 {
96 if (png_ptr == NULL)
97 return;
98
99 switch (png_ptr->process_mode)
100 {
101 case PNG_READ_SIG_MODE:
102 {
103 png_push_read_sig(png_ptr, info_ptr);
104 break;
105 }
106
107 case PNG_READ_CHUNK_MODE:
108 {
109 png_push_read_chunk(png_ptr, info_ptr);
110 break;
111 }
112
113 case PNG_READ_IDAT_MODE:
114 {
115 png_push_read_IDAT(png_ptr);
116 break;
117 }
118
119 default:
120 {
121 png_ptr->buffer_size = 0;
122 break;
123 }
124 }
125 }
126
127 /* Read any remaining signature bytes from the stream and compare them with
128 * the correct PNG signature. It is possible that this routine is called
129 * with bytes already read from the signature, either because they have been
130 * checked by the calling application, or because of multiple calls to this
131 * routine.
132 */
133 void /* PRIVATE */
png_push_read_sig(png_structrp png_ptr,png_inforp info_ptr)134 png_push_read_sig(png_structrp png_ptr, png_inforp info_ptr)
135 {
136 size_t num_checked = png_ptr->sig_bytes; /* SAFE, does not exceed 8 */
137 size_t num_to_check = 8 - num_checked;
138
139 if (png_ptr->buffer_size < num_to_check)
140 {
141 num_to_check = png_ptr->buffer_size;
142 }
143
144 png_push_fill_buffer(png_ptr, &(info_ptr->signature[num_checked]),
145 num_to_check);
146 png_ptr->sig_bytes = (png_byte)(png_ptr->sig_bytes + num_to_check);
147
148 if (png_sig_cmp(info_ptr->signature, num_checked, num_to_check) != 0)
149 {
150 if (num_checked < 4 &&
151 png_sig_cmp(info_ptr->signature, num_checked, num_to_check - 4) != 0)
152 png_error(png_ptr, "Not a PNG file");
153
154 else
155 png_error(png_ptr, "PNG file corrupted by ASCII conversion");
156 }
157 else
158 {
159 if (png_ptr->sig_bytes >= 8)
160 {
161 png_ptr->process_mode = PNG_READ_CHUNK_MODE;
162 }
163 }
164 }
165
166 void /* PRIVATE */
png_push_read_chunk(png_structrp png_ptr,png_inforp info_ptr)167 png_push_read_chunk(png_structrp png_ptr, png_inforp info_ptr)
168 {
169 png_uint_32 chunk_name;
170 #ifdef PNG_HANDLE_AS_UNKNOWN_SUPPORTED
171 int keep; /* unknown handling method */
172 #endif
173
174 /* First we make sure we have enough data for the 4-byte chunk name
175 * and the 4-byte chunk length before proceeding with decoding the
176 * chunk data. To fully decode each of these chunks, we also make
177 * sure we have enough data in the buffer for the 4-byte CRC at the
178 * end of every chunk (except IDAT, which is handled separately).
179 */
180 if ((png_ptr->mode & PNG_HAVE_CHUNK_HEADER) == 0)
181 {
182 png_byte chunk_length[4];
183 png_byte chunk_tag[4];
184
185 PNG_PUSH_SAVE_BUFFER_IF_LT(8)
186 png_push_fill_buffer(png_ptr, chunk_length, 4);
187 png_ptr->push_length = png_get_uint_31(png_ptr, chunk_length);
188 png_reset_crc(png_ptr);
189 png_crc_read(png_ptr, chunk_tag, 4);
190 png_ptr->chunk_name = PNG_CHUNK_FROM_STRING(chunk_tag);
191 png_check_chunk_name(png_ptr, png_ptr->chunk_name);
192 png_check_chunk_length(png_ptr, png_ptr->push_length);
193 png_ptr->mode |= PNG_HAVE_CHUNK_HEADER;
194 }
195
196 chunk_name = png_ptr->chunk_name;
197
198 if (chunk_name == png_IDAT)
199 {
200 if ((png_ptr->mode & PNG_AFTER_IDAT) != 0)
201 png_ptr->mode |= PNG_HAVE_CHUNK_AFTER_IDAT;
202
203 /* If we reach an IDAT chunk, this means we have read all of the
204 * header chunks, and we can start reading the image (or if this
205 * is called after the image has been read - we have an error).
206 */
207 if ((png_ptr->mode & PNG_HAVE_IHDR) == 0)
208 png_error(png_ptr, "Missing IHDR before IDAT");
209
210 else if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE &&
211 (png_ptr->mode & PNG_HAVE_PLTE) == 0)
212 png_error(png_ptr, "Missing PLTE before IDAT");
213
214 png_ptr->process_mode = PNG_READ_IDAT_MODE;
215
216 if ((png_ptr->mode & PNG_HAVE_IDAT) != 0)
217 if ((png_ptr->mode & PNG_HAVE_CHUNK_AFTER_IDAT) == 0)
218 if (png_ptr->push_length == 0)
219 return;
220
221 png_ptr->mode |= PNG_HAVE_IDAT;
222
223 if ((png_ptr->mode & PNG_AFTER_IDAT) != 0)
224 png_benign_error(png_ptr, "Too many IDATs found");
225 }
226
227 if (chunk_name == png_IHDR)
228 {
229 if (png_ptr->push_length != 13)
230 png_error(png_ptr, "Invalid IHDR length");
231
232 PNG_PUSH_SAVE_BUFFER_IF_FULL
233 png_handle_IHDR(png_ptr, info_ptr, png_ptr->push_length);
234 }
235
236 else if (chunk_name == png_IEND)
237 {
238 PNG_PUSH_SAVE_BUFFER_IF_FULL
239 png_handle_IEND(png_ptr, info_ptr, png_ptr->push_length);
240
241 png_ptr->process_mode = PNG_READ_DONE_MODE;
242 png_push_have_end(png_ptr, info_ptr);
243 }
244
245 #ifdef PNG_HANDLE_AS_UNKNOWN_SUPPORTED
246 else if ((keep = png_chunk_unknown_handling(png_ptr, chunk_name)) != 0)
247 {
248 PNG_PUSH_SAVE_BUFFER_IF_FULL
249 png_handle_unknown(png_ptr, info_ptr, png_ptr->push_length, keep);
250
251 if (chunk_name == png_PLTE)
252 png_ptr->mode |= PNG_HAVE_PLTE;
253 }
254 #endif
255
256 else if (chunk_name == png_PLTE)
257 {
258 PNG_PUSH_SAVE_BUFFER_IF_FULL
259 png_handle_PLTE(png_ptr, info_ptr, png_ptr->push_length);
260 }
261
262 else if (chunk_name == png_IDAT)
263 {
264 png_ptr->idat_size = png_ptr->push_length;
265 png_ptr->process_mode = PNG_READ_IDAT_MODE;
266 png_push_have_info(png_ptr, info_ptr);
267 png_ptr->zstream.avail_out =
268 (uInt) PNG_ROWBYTES(png_ptr->pixel_depth,
269 png_ptr->iwidth) + 1;
270 png_ptr->zstream.next_out = png_ptr->row_buf;
271 return;
272 }
273
274 #ifdef PNG_READ_gAMA_SUPPORTED
275 else if (png_ptr->chunk_name == png_gAMA)
276 {
277 PNG_PUSH_SAVE_BUFFER_IF_FULL
278 png_handle_gAMA(png_ptr, info_ptr, png_ptr->push_length);
279 }
280
281 #endif
282 #ifdef PNG_READ_sBIT_SUPPORTED
283 else if (png_ptr->chunk_name == png_sBIT)
284 {
285 PNG_PUSH_SAVE_BUFFER_IF_FULL
286 png_handle_sBIT(png_ptr, info_ptr, png_ptr->push_length);
287 }
288
289 #endif
290 #ifdef PNG_READ_cHRM_SUPPORTED
291 else if (png_ptr->chunk_name == png_cHRM)
292 {
293 PNG_PUSH_SAVE_BUFFER_IF_FULL
294 png_handle_cHRM(png_ptr, info_ptr, png_ptr->push_length);
295 }
296
297 #endif
298 #ifdef PNG_READ_eXIf_SUPPORTED
299 else if (png_ptr->chunk_name == png_eXIf)
300 {
301 PNG_PUSH_SAVE_BUFFER_IF_FULL
302 png_handle_eXIf(png_ptr, info_ptr, png_ptr->push_length);
303 }
304
305 #endif
306 #ifdef PNG_READ_sRGB_SUPPORTED
307 else if (chunk_name == png_sRGB)
308 {
309 PNG_PUSH_SAVE_BUFFER_IF_FULL
310 png_handle_sRGB(png_ptr, info_ptr, png_ptr->push_length);
311 }
312
313 #endif
314 #ifdef PNG_READ_iCCP_SUPPORTED
315 else if (png_ptr->chunk_name == png_iCCP)
316 {
317 PNG_PUSH_SAVE_BUFFER_IF_FULL
318 png_handle_iCCP(png_ptr, info_ptr, png_ptr->push_length);
319 }
320
321 #endif
322 #ifdef PNG_READ_sPLT_SUPPORTED
323 else if (chunk_name == png_sPLT)
324 {
325 PNG_PUSH_SAVE_BUFFER_IF_FULL
326 png_handle_sPLT(png_ptr, info_ptr, png_ptr->push_length);
327 }
328
329 #endif
330 #ifdef PNG_READ_tRNS_SUPPORTED
331 else if (chunk_name == png_tRNS)
332 {
333 PNG_PUSH_SAVE_BUFFER_IF_FULL
334 png_handle_tRNS(png_ptr, info_ptr, png_ptr->push_length);
335 }
336
337 #endif
338 #ifdef PNG_READ_bKGD_SUPPORTED
339 else if (chunk_name == png_bKGD)
340 {
341 PNG_PUSH_SAVE_BUFFER_IF_FULL
342 png_handle_bKGD(png_ptr, info_ptr, png_ptr->push_length);
343 }
344
345 #endif
346 #ifdef PNG_READ_hIST_SUPPORTED
347 else if (chunk_name == png_hIST)
348 {
349 PNG_PUSH_SAVE_BUFFER_IF_FULL
350 png_handle_hIST(png_ptr, info_ptr, png_ptr->push_length);
351 }
352
353 #endif
354 #ifdef PNG_READ_pHYs_SUPPORTED
355 else if (chunk_name == png_pHYs)
356 {
357 PNG_PUSH_SAVE_BUFFER_IF_FULL
358 png_handle_pHYs(png_ptr, info_ptr, png_ptr->push_length);
359 }
360
361 #endif
362 #ifdef PNG_READ_oFFs_SUPPORTED
363 else if (chunk_name == png_oFFs)
364 {
365 PNG_PUSH_SAVE_BUFFER_IF_FULL
366 png_handle_oFFs(png_ptr, info_ptr, png_ptr->push_length);
367 }
368 #endif
369
370 #ifdef PNG_READ_pCAL_SUPPORTED
371 else if (chunk_name == png_pCAL)
372 {
373 PNG_PUSH_SAVE_BUFFER_IF_FULL
374 png_handle_pCAL(png_ptr, info_ptr, png_ptr->push_length);
375 }
376
377 #endif
378 #ifdef PNG_READ_sCAL_SUPPORTED
379 else if (chunk_name == png_sCAL)
380 {
381 PNG_PUSH_SAVE_BUFFER_IF_FULL
382 png_handle_sCAL(png_ptr, info_ptr, png_ptr->push_length);
383 }
384
385 #endif
386 #ifdef PNG_READ_tIME_SUPPORTED
387 else if (chunk_name == png_tIME)
388 {
389 PNG_PUSH_SAVE_BUFFER_IF_FULL
390 png_handle_tIME(png_ptr, info_ptr, png_ptr->push_length);
391 }
392
393 #endif
394 #ifdef PNG_READ_tEXt_SUPPORTED
395 else if (chunk_name == png_tEXt)
396 {
397 PNG_PUSH_SAVE_BUFFER_IF_FULL
398 png_handle_tEXt(png_ptr, info_ptr, png_ptr->push_length);
399 }
400
401 #endif
402 #ifdef PNG_READ_zTXt_SUPPORTED
403 else if (chunk_name == png_zTXt)
404 {
405 PNG_PUSH_SAVE_BUFFER_IF_FULL
406 png_handle_zTXt(png_ptr, info_ptr, png_ptr->push_length);
407 }
408
409 #endif
410 #ifdef PNG_READ_iTXt_SUPPORTED
411 else if (chunk_name == png_iTXt)
412 {
413 PNG_PUSH_SAVE_BUFFER_IF_FULL
414 png_handle_iTXt(png_ptr, info_ptr, png_ptr->push_length);
415 }
416 #endif
417
418 else
419 {
420 PNG_PUSH_SAVE_BUFFER_IF_FULL
421 png_handle_unknown(png_ptr, info_ptr, png_ptr->push_length,
422 PNG_HANDLE_CHUNK_AS_DEFAULT);
423 }
424
425 png_ptr->mode &= ~PNG_HAVE_CHUNK_HEADER;
426 }
427
428 void PNGCBAPI
png_push_fill_buffer(png_structp png_ptr,png_bytep buffer,size_t length)429 png_push_fill_buffer(png_structp png_ptr, png_bytep buffer, size_t length)
430 {
431 png_bytep ptr;
432
433 if (png_ptr == NULL)
434 return;
435
436 ptr = buffer;
437 if (png_ptr->save_buffer_size != 0)
438 {
439 size_t save_size;
440
441 if (length < png_ptr->save_buffer_size)
442 save_size = length;
443
444 else
445 save_size = png_ptr->save_buffer_size;
446
447 memcpy(ptr, png_ptr->save_buffer_ptr, save_size);
448 length -= save_size;
449 ptr += save_size;
450 png_ptr->buffer_size -= save_size;
451 png_ptr->save_buffer_size -= save_size;
452 png_ptr->save_buffer_ptr += save_size;
453 }
454 if (length != 0 && png_ptr->current_buffer_size != 0)
455 {
456 size_t save_size;
457
458 if (length < png_ptr->current_buffer_size)
459 save_size = length;
460
461 else
462 save_size = png_ptr->current_buffer_size;
463
464 memcpy(ptr, png_ptr->current_buffer_ptr, save_size);
465 png_ptr->buffer_size -= save_size;
466 png_ptr->current_buffer_size -= save_size;
467 png_ptr->current_buffer_ptr += save_size;
468 }
469 }
470
471 void /* PRIVATE */
png_push_save_buffer(png_structrp png_ptr)472 png_push_save_buffer(png_structrp png_ptr)
473 {
474 if (png_ptr->save_buffer_size != 0)
475 {
476 if (png_ptr->save_buffer_ptr != png_ptr->save_buffer)
477 {
478 size_t i, istop;
479 png_bytep sp;
480 png_bytep dp;
481
482 istop = png_ptr->save_buffer_size;
483 for (i = 0, sp = png_ptr->save_buffer_ptr, dp = png_ptr->save_buffer;
484 i < istop; i++, sp++, dp++)
485 {
486 *dp = *sp;
487 }
488 }
489 }
490 if (png_ptr->save_buffer_size + png_ptr->current_buffer_size >
491 png_ptr->save_buffer_max)
492 {
493 size_t new_max;
494 png_bytep old_buffer;
495
496 if (png_ptr->save_buffer_size > PNG_SIZE_MAX -
497 (png_ptr->current_buffer_size + 256))
498 {
499 png_error(png_ptr, "Potential overflow of save_buffer");
500 }
501
502 new_max = png_ptr->save_buffer_size + png_ptr->current_buffer_size + 256;
503 old_buffer = png_ptr->save_buffer;
504 png_ptr->save_buffer = (png_bytep)png_malloc_warn(png_ptr,
505 (size_t)new_max);
506
507 if (png_ptr->save_buffer == NULL)
508 {
509 png_free(png_ptr, old_buffer);
510 png_error(png_ptr, "Insufficient memory for save_buffer");
511 }
512
513 if (old_buffer)
514 memcpy(png_ptr->save_buffer, old_buffer, png_ptr->save_buffer_size);
515 else if (png_ptr->save_buffer_size)
516 png_error(png_ptr, "save_buffer error");
517 png_free(png_ptr, old_buffer);
518 png_ptr->save_buffer_max = new_max;
519 }
520 if (png_ptr->current_buffer_size)
521 {
522 memcpy(png_ptr->save_buffer + png_ptr->save_buffer_size,
523 png_ptr->current_buffer_ptr, png_ptr->current_buffer_size);
524 png_ptr->save_buffer_size += png_ptr->current_buffer_size;
525 png_ptr->current_buffer_size = 0;
526 }
527 png_ptr->save_buffer_ptr = png_ptr->save_buffer;
528 png_ptr->buffer_size = 0;
529 }
530
531 void /* PRIVATE */
png_push_restore_buffer(png_structrp png_ptr,png_bytep buffer,size_t buffer_length)532 png_push_restore_buffer(png_structrp png_ptr, png_bytep buffer,
533 size_t buffer_length)
534 {
535 png_ptr->current_buffer = buffer;
536 png_ptr->current_buffer_size = buffer_length;
537 png_ptr->buffer_size = buffer_length + png_ptr->save_buffer_size;
538 png_ptr->current_buffer_ptr = png_ptr->current_buffer;
539 }
540
541 void /* PRIVATE */
png_push_read_IDAT(png_structrp png_ptr)542 png_push_read_IDAT(png_structrp png_ptr)
543 {
544 if ((png_ptr->mode & PNG_HAVE_CHUNK_HEADER) == 0)
545 {
546 png_byte chunk_length[4];
547 png_byte chunk_tag[4];
548
549 /* TODO: this code can be commoned up with the same code in push_read */
550 PNG_PUSH_SAVE_BUFFER_IF_LT(8)
551 png_push_fill_buffer(png_ptr, chunk_length, 4);
552 png_ptr->push_length = png_get_uint_31(png_ptr, chunk_length);
553 png_reset_crc(png_ptr);
554 png_crc_read(png_ptr, chunk_tag, 4);
555 png_ptr->chunk_name = PNG_CHUNK_FROM_STRING(chunk_tag);
556 png_ptr->mode |= PNG_HAVE_CHUNK_HEADER;
557
558 if (png_ptr->chunk_name != png_IDAT)
559 {
560 png_ptr->process_mode = PNG_READ_CHUNK_MODE;
561
562 if ((png_ptr->flags & PNG_FLAG_ZSTREAM_ENDED) == 0)
563 png_error(png_ptr, "Not enough compressed data");
564
565 return;
566 }
567
568 png_ptr->idat_size = png_ptr->push_length;
569 }
570
571 if (png_ptr->idat_size != 0 && png_ptr->save_buffer_size != 0)
572 {
573 size_t save_size = png_ptr->save_buffer_size;
574 png_uint_32 idat_size = png_ptr->idat_size;
575
576 /* We want the smaller of 'idat_size' and 'current_buffer_size', but they
577 * are of different types and we don't know which variable has the fewest
578 * bits. Carefully select the smaller and cast it to the type of the
579 * larger - this cannot overflow. Do not cast in the following test - it
580 * will break on either 16-bit or 64-bit platforms.
581 */
582 if (idat_size < save_size)
583 save_size = (size_t)idat_size;
584
585 else
586 idat_size = (png_uint_32)save_size;
587
588 png_calculate_crc(png_ptr, png_ptr->save_buffer_ptr, save_size);
589
590 png_process_IDAT_data(png_ptr, png_ptr->save_buffer_ptr, save_size);
591
592 png_ptr->idat_size -= idat_size;
593 png_ptr->buffer_size -= save_size;
594 png_ptr->save_buffer_size -= save_size;
595 png_ptr->save_buffer_ptr += save_size;
596 }
597
598 if (png_ptr->idat_size != 0 && png_ptr->current_buffer_size != 0)
599 {
600 size_t save_size = png_ptr->current_buffer_size;
601 png_uint_32 idat_size = png_ptr->idat_size;
602
603 /* We want the smaller of 'idat_size' and 'current_buffer_size', but they
604 * are of different types and we don't know which variable has the fewest
605 * bits. Carefully select the smaller and cast it to the type of the
606 * larger - this cannot overflow.
607 */
608 if (idat_size < save_size)
609 save_size = (size_t)idat_size;
610
611 else
612 idat_size = (png_uint_32)save_size;
613
614 png_calculate_crc(png_ptr, png_ptr->current_buffer_ptr, save_size);
615
616 png_process_IDAT_data(png_ptr, png_ptr->current_buffer_ptr, save_size);
617
618 png_ptr->idat_size -= idat_size;
619 png_ptr->buffer_size -= save_size;
620 png_ptr->current_buffer_size -= save_size;
621 png_ptr->current_buffer_ptr += save_size;
622 }
623
624 if (png_ptr->idat_size == 0)
625 {
626 PNG_PUSH_SAVE_BUFFER_IF_LT(4)
627 png_crc_finish(png_ptr, 0);
628 png_ptr->mode &= ~PNG_HAVE_CHUNK_HEADER;
629 png_ptr->mode |= PNG_AFTER_IDAT;
630 png_ptr->zowner = 0;
631 }
632 }
633
634 void /* PRIVATE */
png_process_IDAT_data(png_structrp png_ptr,png_bytep buffer,size_t buffer_length)635 png_process_IDAT_data(png_structrp png_ptr, png_bytep buffer,
636 size_t buffer_length)
637 {
638 /* The caller checks for a non-zero buffer length. */
639 if (!(buffer_length > 0) || buffer == NULL)
640 png_error(png_ptr, "No IDAT data (internal error)");
641
642 /* This routine must process all the data it has been given
643 * before returning, calling the row callback as required to
644 * handle the uncompressed results.
645 */
646 png_ptr->zstream.next_in = buffer;
647 /* TODO: WARNING: TRUNCATION ERROR: DANGER WILL ROBINSON: */
648 png_ptr->zstream.avail_in = (uInt)buffer_length;
649
650 /* Keep going until the decompressed data is all processed
651 * or the stream marked as finished.
652 */
653 while (png_ptr->zstream.avail_in > 0 &&
654 (png_ptr->flags & PNG_FLAG_ZSTREAM_ENDED) == 0)
655 {
656 int ret;
657
658 /* We have data for zlib, but we must check that zlib
659 * has someplace to put the results. It doesn't matter
660 * if we don't expect any results -- it may be the input
661 * data is just the LZ end code.
662 */
663 if (!(png_ptr->zstream.avail_out > 0))
664 {
665 /* TODO: WARNING: TRUNCATION ERROR: DANGER WILL ROBINSON: */
666 png_ptr->zstream.avail_out = (uInt)(PNG_ROWBYTES(png_ptr->pixel_depth,
667 png_ptr->iwidth) + 1);
668
669 png_ptr->zstream.next_out = png_ptr->row_buf;
670 }
671
672 /* Using Z_SYNC_FLUSH here means that an unterminated
673 * LZ stream (a stream with a missing end code) can still
674 * be handled, otherwise (Z_NO_FLUSH) a future zlib
675 * implementation might defer output and therefore
676 * change the current behavior (see comments in inflate.c
677 * for why this doesn't happen at present with zlib 1.2.5).
678 */
679 ret = PNG_INFLATE(png_ptr, Z_SYNC_FLUSH);
680
681 /* Check for any failure before proceeding. */
682 if (ret != Z_OK && ret != Z_STREAM_END)
683 {
684 /* Terminate the decompression. */
685 png_ptr->flags |= PNG_FLAG_ZSTREAM_ENDED;
686 png_ptr->zowner = 0;
687
688 /* This may be a truncated stream (missing or
689 * damaged end code). Treat that as a warning.
690 */
691 if (png_ptr->row_number >= png_ptr->num_rows ||
692 png_ptr->pass > 6)
693 png_warning(png_ptr, "Truncated compressed data in IDAT");
694
695 else
696 {
697 if (ret == Z_DATA_ERROR)
698 png_benign_error(png_ptr, "IDAT: ADLER32 checksum mismatch");
699 else
700 png_error(png_ptr, "Decompression error in IDAT");
701 }
702
703 /* Skip the check on unprocessed input */
704 return;
705 }
706
707 /* Did inflate output any data? */
708 if (png_ptr->zstream.next_out != png_ptr->row_buf)
709 {
710 /* Is this unexpected data after the last row?
711 * If it is, artificially terminate the LZ output
712 * here.
713 */
714 if (png_ptr->row_number >= png_ptr->num_rows ||
715 png_ptr->pass > 6)
716 {
717 /* Extra data. */
718 png_warning(png_ptr, "Extra compressed data in IDAT");
719 png_ptr->flags |= PNG_FLAG_ZSTREAM_ENDED;
720 png_ptr->zowner = 0;
721
722 /* Do no more processing; skip the unprocessed
723 * input check below.
724 */
725 return;
726 }
727
728 /* Do we have a complete row? */
729 if (png_ptr->zstream.avail_out == 0)
730 png_push_process_row(png_ptr);
731 }
732
733 /* And check for the end of the stream. */
734 if (ret == Z_STREAM_END)
735 png_ptr->flags |= PNG_FLAG_ZSTREAM_ENDED;
736 }
737
738 /* All the data should have been processed, if anything
739 * is left at this point we have bytes of IDAT data
740 * after the zlib end code.
741 */
742 if (png_ptr->zstream.avail_in > 0)
743 png_warning(png_ptr, "Extra compression data in IDAT");
744 }
745
746 void /* PRIVATE */
png_push_process_row(png_structrp png_ptr)747 png_push_process_row(png_structrp png_ptr)
748 {
749 /* 1.5.6: row_info moved out of png_struct to a local here. */
750 png_row_info row_info;
751
752 row_info.width = png_ptr->iwidth; /* NOTE: width of current interlaced row */
753 row_info.color_type = png_ptr->color_type;
754 row_info.bit_depth = png_ptr->bit_depth;
755 row_info.channels = png_ptr->channels;
756 row_info.pixel_depth = png_ptr->pixel_depth;
757 row_info.rowbytes = PNG_ROWBYTES(row_info.pixel_depth, row_info.width);
758
759 if (png_ptr->row_buf[0] > PNG_FILTER_VALUE_NONE)
760 {
761 if (png_ptr->row_buf[0] < PNG_FILTER_VALUE_LAST)
762 png_read_filter_row(png_ptr, &row_info, png_ptr->row_buf + 1,
763 png_ptr->prev_row + 1, png_ptr->row_buf[0]);
764 else
765 png_error(png_ptr, "bad adaptive filter value");
766 }
767
768 /* libpng 1.5.6: the following line was copying png_ptr->rowbytes before
769 * 1.5.6, while the buffer really is this big in current versions of libpng
770 * it may not be in the future, so this was changed just to copy the
771 * interlaced row count:
772 */
773 memcpy(png_ptr->prev_row, png_ptr->row_buf, row_info.rowbytes + 1);
774
775 #ifdef PNG_READ_TRANSFORMS_SUPPORTED
776 if (png_ptr->transformations != 0)
777 png_do_read_transformations(png_ptr, &row_info);
778 #endif
779
780 /* The transformed pixel depth should match the depth now in row_info. */
781 if (png_ptr->transformed_pixel_depth == 0)
782 {
783 png_ptr->transformed_pixel_depth = row_info.pixel_depth;
784 if (row_info.pixel_depth > png_ptr->maximum_pixel_depth)
785 png_error(png_ptr, "progressive row overflow");
786 }
787
788 else if (png_ptr->transformed_pixel_depth != row_info.pixel_depth)
789 png_error(png_ptr, "internal progressive row size calculation error");
790
791
792 #ifdef PNG_READ_INTERLACING_SUPPORTED
793 /* Expand interlaced rows to full size */
794 if (png_ptr->interlaced != 0 &&
795 (png_ptr->transformations & PNG_INTERLACE) != 0)
796 {
797 if (png_ptr->pass < 6)
798 png_do_read_interlace(&row_info, png_ptr->row_buf + 1, png_ptr->pass,
799 png_ptr->transformations);
800
801 switch (png_ptr->pass)
802 {
803 case 0:
804 {
805 int i;
806 for (i = 0; i < 8 && png_ptr->pass == 0; i++)
807 {
808 png_push_have_row(png_ptr, png_ptr->row_buf + 1);
809 png_read_push_finish_row(png_ptr); /* Updates png_ptr->pass */
810 }
811
812 if (png_ptr->pass == 2) /* Pass 1 might be empty */
813 {
814 for (i = 0; i < 4 && png_ptr->pass == 2; i++)
815 {
816 png_push_have_row(png_ptr, NULL);
817 png_read_push_finish_row(png_ptr);
818 }
819 }
820
821 if (png_ptr->pass == 4 && png_ptr->height <= 4)
822 {
823 for (i = 0; i < 2 && png_ptr->pass == 4; i++)
824 {
825 png_push_have_row(png_ptr, NULL);
826 png_read_push_finish_row(png_ptr);
827 }
828 }
829
830 if (png_ptr->pass == 6 && png_ptr->height <= 4)
831 {
832 png_push_have_row(png_ptr, NULL);
833 png_read_push_finish_row(png_ptr);
834 }
835
836 break;
837 }
838
839 case 1:
840 {
841 int i;
842 for (i = 0; i < 8 && png_ptr->pass == 1; i++)
843 {
844 png_push_have_row(png_ptr, png_ptr->row_buf + 1);
845 png_read_push_finish_row(png_ptr);
846 }
847
848 if (png_ptr->pass == 2) /* Skip top 4 generated rows */
849 {
850 for (i = 0; i < 4 && png_ptr->pass == 2; i++)
851 {
852 png_push_have_row(png_ptr, NULL);
853 png_read_push_finish_row(png_ptr);
854 }
855 }
856
857 break;
858 }
859
860 case 2:
861 {
862 int i;
863
864 for (i = 0; i < 4 && png_ptr->pass == 2; i++)
865 {
866 png_push_have_row(png_ptr, png_ptr->row_buf + 1);
867 png_read_push_finish_row(png_ptr);
868 }
869
870 for (i = 0; i < 4 && png_ptr->pass == 2; i++)
871 {
872 png_push_have_row(png_ptr, NULL);
873 png_read_push_finish_row(png_ptr);
874 }
875
876 if (png_ptr->pass == 4) /* Pass 3 might be empty */
877 {
878 for (i = 0; i < 2 && png_ptr->pass == 4; i++)
879 {
880 png_push_have_row(png_ptr, NULL);
881 png_read_push_finish_row(png_ptr);
882 }
883 }
884
885 break;
886 }
887
888 case 3:
889 {
890 int i;
891
892 for (i = 0; i < 4 && png_ptr->pass == 3; i++)
893 {
894 png_push_have_row(png_ptr, png_ptr->row_buf + 1);
895 png_read_push_finish_row(png_ptr);
896 }
897
898 if (png_ptr->pass == 4) /* Skip top two generated rows */
899 {
900 for (i = 0; i < 2 && png_ptr->pass == 4; i++)
901 {
902 png_push_have_row(png_ptr, NULL);
903 png_read_push_finish_row(png_ptr);
904 }
905 }
906
907 break;
908 }
909
910 case 4:
911 {
912 int i;
913
914 for (i = 0; i < 2 && png_ptr->pass == 4; i++)
915 {
916 png_push_have_row(png_ptr, png_ptr->row_buf + 1);
917 png_read_push_finish_row(png_ptr);
918 }
919
920 for (i = 0; i < 2 && png_ptr->pass == 4; i++)
921 {
922 png_push_have_row(png_ptr, NULL);
923 png_read_push_finish_row(png_ptr);
924 }
925
926 if (png_ptr->pass == 6) /* Pass 5 might be empty */
927 {
928 png_push_have_row(png_ptr, NULL);
929 png_read_push_finish_row(png_ptr);
930 }
931
932 break;
933 }
934
935 case 5:
936 {
937 int i;
938
939 for (i = 0; i < 2 && png_ptr->pass == 5; i++)
940 {
941 png_push_have_row(png_ptr, png_ptr->row_buf + 1);
942 png_read_push_finish_row(png_ptr);
943 }
944
945 if (png_ptr->pass == 6) /* Skip top generated row */
946 {
947 png_push_have_row(png_ptr, NULL);
948 png_read_push_finish_row(png_ptr);
949 }
950
951 break;
952 }
953
954 default:
955 case 6:
956 {
957 png_push_have_row(png_ptr, png_ptr->row_buf + 1);
958 png_read_push_finish_row(png_ptr);
959
960 if (png_ptr->pass != 6)
961 break;
962
963 png_push_have_row(png_ptr, NULL);
964 png_read_push_finish_row(png_ptr);
965 }
966 }
967 }
968 else
969 #endif
970 {
971 png_push_have_row(png_ptr, png_ptr->row_buf + 1);
972 png_read_push_finish_row(png_ptr);
973 }
974 }
975
976 void /* PRIVATE */
png_read_push_finish_row(png_structrp png_ptr)977 png_read_push_finish_row(png_structrp png_ptr)
978 {
979 #ifdef PNG_READ_INTERLACING_SUPPORTED
980 /* Arrays to facilitate easy interlacing - use pass (0 - 6) as index */
981
982 /* Start of interlace block */
983 static const png_byte png_pass_start[] = {0, 4, 0, 2, 0, 1, 0};
984
985 /* Offset to next interlace block */
986 static const png_byte png_pass_inc[] = {8, 8, 4, 4, 2, 2, 1};
987
988 /* Start of interlace block in the y direction */
989 static const png_byte png_pass_ystart[] = {0, 0, 4, 0, 2, 0, 1};
990
991 /* Offset to next interlace block in the y direction */
992 static const png_byte png_pass_yinc[] = {8, 8, 8, 4, 4, 2, 2};
993
994 /* Height of interlace block. This is not currently used - if you need
995 * it, uncomment it here and in png.h
996 static const png_byte png_pass_height[] = {8, 8, 4, 4, 2, 2, 1};
997 */
998 #endif
999
1000 png_ptr->row_number++;
1001 if (png_ptr->row_number < png_ptr->num_rows)
1002 return;
1003
1004 #ifdef PNG_READ_INTERLACING_SUPPORTED
1005 if (png_ptr->interlaced != 0)
1006 {
1007 png_ptr->row_number = 0;
1008 memset(png_ptr->prev_row, 0, png_ptr->rowbytes + 1);
1009
1010 do
1011 {
1012 png_ptr->pass++;
1013 if ((png_ptr->pass == 1 && png_ptr->width < 5) ||
1014 (png_ptr->pass == 3 && png_ptr->width < 3) ||
1015 (png_ptr->pass == 5 && png_ptr->width < 2))
1016 png_ptr->pass++;
1017
1018 if (png_ptr->pass > 7)
1019 png_ptr->pass--;
1020
1021 if (png_ptr->pass >= 7)
1022 break;
1023
1024 png_ptr->iwidth = (png_ptr->width +
1025 png_pass_inc[png_ptr->pass] - 1 -
1026 png_pass_start[png_ptr->pass]) /
1027 png_pass_inc[png_ptr->pass];
1028
1029 if ((png_ptr->transformations & PNG_INTERLACE) != 0)
1030 break;
1031
1032 png_ptr->num_rows = (png_ptr->height +
1033 png_pass_yinc[png_ptr->pass] - 1 -
1034 png_pass_ystart[png_ptr->pass]) /
1035 png_pass_yinc[png_ptr->pass];
1036
1037 } while (png_ptr->iwidth == 0 || png_ptr->num_rows == 0);
1038 }
1039 #endif /* READ_INTERLACING */
1040 }
1041
1042 void /* PRIVATE */
png_push_have_info(png_structrp png_ptr,png_inforp info_ptr)1043 png_push_have_info(png_structrp png_ptr, png_inforp info_ptr)
1044 {
1045 if (png_ptr->info_fn != NULL)
1046 (*(png_ptr->info_fn))(png_ptr, info_ptr);
1047 }
1048
1049 void /* PRIVATE */
png_push_have_end(png_structrp png_ptr,png_inforp info_ptr)1050 png_push_have_end(png_structrp png_ptr, png_inforp info_ptr)
1051 {
1052 if (png_ptr->end_fn != NULL)
1053 (*(png_ptr->end_fn))(png_ptr, info_ptr);
1054 }
1055
1056 void /* PRIVATE */
png_push_have_row(png_structrp png_ptr,png_bytep row)1057 png_push_have_row(png_structrp png_ptr, png_bytep row)
1058 {
1059 if (png_ptr->row_fn != NULL)
1060 (*(png_ptr->row_fn))(png_ptr, row, png_ptr->row_number,
1061 (int)png_ptr->pass);
1062 }
1063
1064 #ifdef PNG_READ_INTERLACING_SUPPORTED
1065 void PNGAPI
png_progressive_combine_row(png_const_structrp png_ptr,png_bytep old_row,png_const_bytep new_row)1066 png_progressive_combine_row(png_const_structrp png_ptr, png_bytep old_row,
1067 png_const_bytep new_row)
1068 {
1069 if (png_ptr == NULL)
1070 return;
1071
1072 /* new_row is a flag here - if it is NULL then the app callback was called
1073 * from an empty row (see the calls to png_struct::row_fn below), otherwise
1074 * it must be png_ptr->row_buf+1
1075 */
1076 if (new_row != NULL)
1077 png_combine_row(png_ptr, old_row, 1/*blocky display*/);
1078 }
1079 #endif /* READ_INTERLACING */
1080
1081 void PNGAPI
png_set_progressive_read_fn(png_structrp png_ptr,png_voidp progressive_ptr,png_progressive_info_ptr info_fn,png_progressive_row_ptr row_fn,png_progressive_end_ptr end_fn)1082 png_set_progressive_read_fn(png_structrp png_ptr, png_voidp progressive_ptr,
1083 png_progressive_info_ptr info_fn, png_progressive_row_ptr row_fn,
1084 png_progressive_end_ptr end_fn)
1085 {
1086 if (png_ptr == NULL)
1087 return;
1088
1089 png_ptr->info_fn = info_fn;
1090 png_ptr->row_fn = row_fn;
1091 png_ptr->end_fn = end_fn;
1092
1093 png_set_read_fn(png_ptr, progressive_ptr, png_push_fill_buffer);
1094 }
1095
1096 png_voidp PNGAPI
png_get_progressive_ptr(png_const_structrp png_ptr)1097 png_get_progressive_ptr(png_const_structrp png_ptr)
1098 {
1099 if (png_ptr == NULL)
1100 return NULL;
1101
1102 return png_ptr->io_ptr;
1103 }
1104 #endif /* PROGRESSIVE_READ */
1105