1 
2 /* pngpread.c - read a png file in push mode
3  *
4  * Last changed in libpng 1.6.10 [March 6, 2014]
5  * Copyright (c) 1998-2014 Glenn Randers-Pehrson
6  * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
7  * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
8  *
9  * This code is released under the libpng license.
10  * For conditions of distribution and use, see the disclaimer
11  * and license in png.h
12  */
13 
14 #include "pngpriv.h"
15 
16 #ifdef PNG_PROGRESSIVE_READ_SUPPORTED
17 
/* Push-mode reader states, kept in png_ptr->process_mode.
 *
 * png_process_some_data() has a dispatch case for SIG, CHUNK, IDAT and SKIP
 * only; any other value reaches its default branch, which discards the
 * buffered input instead of parsing it.
 */
#define PNG_READ_SIG_MODE   0 /* collecting/verifying the 8 signature bytes */
#define PNG_READ_CHUNK_MODE 1 /* reading a chunk header and its body */
#define PNG_READ_IDAT_MODE  2 /* streaming IDAT data into zlib */
#define PNG_SKIP_MODE       3 /* skipping skip_length bytes, CRC still updated */
#define PNG_READ_tEXt_MODE  4 /* no dispatch case in png_process_some_data() */
#define PNG_READ_zTXt_MODE  5 /* no dispatch case in png_process_some_data() */
#define PNG_READ_DONE_MODE  6 /* set once IEND has been handled */
#define PNG_READ_iTXt_MODE  7 /* no dispatch case in png_process_some_data() */
#define PNG_ERROR_MODE      8 /* no dispatch case in png_process_some_data() */
28 
/* Public push-mode entry point: hand 'buffer_size' bytes of PNG stream data
 * at 'buffer' to the reader and run the state machine until every byte has
 * been either consumed or copied into the save buffer.
 *
 * The bytes are untrusted input.  'buffer' is recorded by pointer (see
 * png_push_restore_buffer), not copied up front, so it must remain valid for
 * the duration of the call.  A NULL png_ptr or info_ptr makes the call a
 * no-op.
 */
void PNGAPI
png_process_data(png_structrp png_ptr, png_inforp info_ptr,
    png_bytep buffer, png_size_t buffer_size)
{
   if (png_ptr != NULL && info_ptr != NULL)
   {
      png_push_restore_buffer(png_ptr, buffer, buffer_size);

      /* The loop ends only when buffer_size reaches 0, so each state handler
       * has to make progress: consume input, or stash it with
       * png_push_save_buffer (which zeroes buffer_size).
       */
      while (png_ptr->buffer_size != 0)
         png_process_some_data(png_ptr, info_ptr);
   }
}
43 
/* Pause push-mode processing.
 *
 * With 'save' non-zero the unread input is copied into the save buffer and 0
 * is returned, so the caller need not supply those bytes again.  With 'save'
 * zero the pending byte count is cleared and the function returns how many
 * bytes of the caller's own buffer were not consumed (pending bytes minus
 * those already held in the save buffer), or 0 when everything pending is
 * saved data.  Returns 0 for a NULL png_ptr.
 */
png_size_t PNGAPI
png_process_data_pause(png_structrp png_ptr, int save)
{
   png_size_t pending;

   if (png_ptr == NULL)
      return 0;

   if (save != 0)
   {
      png_push_save_buffer(png_ptr);
      return 0;
   }

   /* buffer_size counts the saved bytes as well as the caller's bytes. */
   pending = png_ptr->buffer_size;
   png_ptr->buffer_size = 0;

   /* Only subtract when the result cannot go negative. */
   if (pending > png_ptr->save_buffer_size)
      return pending - png_ptr->save_buffer_size;

   return 0;
}
70 
/* Let the application skip the rest of a chunk itself.
 *
 * When the reader is in PNG_SKIP_MODE with bytes still to skip, return that
 * count, clear it and switch back to PNG_READ_CHUNK_MODE.  In every other
 * situation (including a NULL png_ptr) return 0 and change nothing.
 *
 * Calling this while input is still pending or saved is a usage error and is
 * reported through png_error.
 */
png_uint_32 PNGAPI
png_process_data_skip(png_structrp png_ptr)
{
   png_uint_32 to_skip;

   if (png_ptr == NULL || png_ptr->process_mode != PNG_SKIP_MODE ||
       !(png_ptr->skip_length > 0))
      return 0;

   /* png_process_data only returns once buffer_size is 0, so a non-zero
    * value means this was called from inside png_process_data.
    */
   if (png_ptr->buffer_size != 0)
      png_error(png_ptr,
         "png_process_data_skip called inside png_process_data");

   /* Saved data should not exist while in SKIP mode; it can also (rarely)
    * indicate a call from inside png_process_data.
    */
   if (png_ptr->save_buffer_size != 0)
      png_error(png_ptr, "png_process_data_skip called with saved data");

   to_skip = png_ptr->skip_length;
   png_ptr->skip_length = 0;
   png_ptr->process_mode = PNG_READ_CHUNK_MODE;

   return to_skip;
}
101 
/* Run one step of the push-mode state machine: what happens to the incoming
 * data depends on what the reader was doing when it last ran out of input.
 *
 * A process_mode with no handler below causes the pending input to be
 * dropped (buffer_size set to 0), which also ends the loop in
 * png_process_data.
 */
void /* PRIVATE */
png_process_some_data(png_structrp png_ptr, png_inforp info_ptr)
{
   if (png_ptr == NULL)
      return;

   if (png_ptr->process_mode == PNG_READ_SIG_MODE)
      png_push_read_sig(png_ptr, info_ptr);

   else if (png_ptr->process_mode == PNG_READ_CHUNK_MODE)
      png_push_read_chunk(png_ptr, info_ptr);

   else if (png_ptr->process_mode == PNG_READ_IDAT_MODE)
      png_push_read_IDAT(png_ptr);

   else if (png_ptr->process_mode == PNG_SKIP_MODE)
      png_push_crc_finish(png_ptr);

   else
      png_ptr->buffer_size = 0; /* nothing parses input in this state */
}
144 
/* Pull whatever signature bytes are still missing out of the input and
 * compare them with the PNG signature.  Some bytes may already have been
 * accounted for, either because the application checked them itself or
 * because an earlier call consumed part of the signature.
 *
 * Moves to PNG_READ_CHUNK_MODE once all 8 bytes have matched; a mismatch is
 * reported through png_error.
 */
void /* PRIVATE */
png_push_read_sig(png_structrp png_ptr, png_inforp info_ptr)
{
   png_size_t already_checked = png_ptr->sig_bytes; /* SAFE, at most 8 */
   png_size_t wanted = 8 - already_checked;

   /* Never ask for more than is actually buffered. */
   if (wanted > png_ptr->buffer_size)
      wanted = png_ptr->buffer_size;

   png_push_fill_buffer(png_ptr, info_ptr->signature + already_checked,
       wanted);
   png_ptr->sig_bytes = (png_byte)(png_ptr->sig_bytes + wanted);

   if (png_sig_cmp(info_ptr->signature, already_checked, wanted) == 0)
   {
      if (png_ptr->sig_bytes >= 8)
         png_ptr->process_mode = PNG_READ_CHUNK_MODE;

      return;
   }

   /* NOTE(review): 'wanted - 4' wraps to a very large value when fewer than
    * 4 bytes were read in this call; this relies on png_sig_cmp bounding its
    * count argument - confirm against png_sig_cmp.
    */
   if (already_checked < 4 &&
       png_sig_cmp(info_ptr->signature, already_checked, wanted - 4))
      png_error(png_ptr, "Not a PNG file");

   else
      png_error(png_ptr, "PNG file corrupted by ASCII conversion");
}
183 
/* Return to the caller, stashing the unread input first, unless the whole
 * chunk body plus its 4 byte CRC is already buffered.
 */
#define PUSH_WAIT_FOR_CHUNK_BODY(png_ptr) \
   do \
   { \
      if ((png_ptr)->push_length + 4 > (png_ptr)->buffer_size) \
      { \
         png_push_save_buffer(png_ptr); \
         return; \
      } \
   } while (0)

/* Read one chunk in push mode: first the 8 byte header (length + name),
 * then, once the complete body and CRC are buffered, the matching
 * png_handle_* routine.  IDAT is the exception; its data is streamed by
 * png_push_read_IDAT instead of being buffered whole.
 *
 * The length field comes straight from the (untrusted) stream.  Every
 * non-IDAT chunk is held in the save buffer until push_length + 4 bytes have
 * arrived, so the save buffer can grow to the size a chunk declares.
 * NOTE(review): apart from png_get_uint_31() no cap on that length is visible
 * in this function - applications reading hostile input should confirm what
 * limits apply.
 */
void /* PRIVATE */
png_push_read_chunk(png_structrp png_ptr, png_inforp info_ptr)
{
   png_uint_32 chunk_name;
#ifdef PNG_HANDLE_AS_UNKNOWN_SUPPORTED
   int keep; /* unknown handling method */
#endif

   /* Header not read yet: wait for all 8 bytes, then decode the length,
    * restart the CRC and read the name through the CRC-updating reader.
    */
   if ((png_ptr->mode & PNG_HAVE_CHUNK_HEADER) == 0)
   {
      png_byte length_bytes[4];
      png_byte tag_bytes[4];

      if (png_ptr->buffer_size < 8)
      {
         png_push_save_buffer(png_ptr);
         return;
      }

      png_push_fill_buffer(png_ptr, length_bytes, 4);
      png_ptr->push_length = png_get_uint_31(png_ptr, length_bytes);
      png_reset_crc(png_ptr);
      png_crc_read(png_ptr, tag_bytes, 4);
      png_ptr->chunk_name = PNG_CHUNK_FROM_STRING(tag_bytes);
      png_check_chunk_name(png_ptr, png_ptr->chunk_name);
      png_ptr->mode |= PNG_HAVE_CHUNK_HEADER;
   }

   chunk_name = png_ptr->chunk_name;

   if (chunk_name == png_IDAT)
   {
      if ((png_ptr->mode & PNG_AFTER_IDAT) != 0)
         png_ptr->mode |= PNG_HAVE_CHUNK_AFTER_IDAT;

      /* Reaching IDAT means the header chunks are done and image data
       * starts - unless the image was already read, which is an error.
       */
      if ((png_ptr->mode & PNG_HAVE_IHDR) == 0)
         png_error(png_ptr, "Missing IHDR before IDAT");

      else if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE &&
          (png_ptr->mode & PNG_HAVE_PLTE) == 0)
         png_error(png_ptr, "Missing PLTE before IDAT");

      png_ptr->mode |= PNG_HAVE_IDAT;
      png_ptr->process_mode = PNG_READ_IDAT_MODE;

      /* A zero-length IDAT is left for png_push_read_IDAT to finish. */
      if ((png_ptr->mode & PNG_HAVE_CHUNK_AFTER_IDAT) == 0 &&
          png_ptr->push_length == 0)
         return;

      if ((png_ptr->mode & PNG_AFTER_IDAT) != 0)
         png_benign_error(png_ptr, "Too many IDATs found");
   }

   if (chunk_name == png_IHDR)
   {
      /* The length is validated before anything is buffered or parsed. */
      if (png_ptr->push_length != 13)
         png_error(png_ptr, "Invalid IHDR length");

      PUSH_WAIT_FOR_CHUNK_BODY(png_ptr);
      png_handle_IHDR(png_ptr, info_ptr, png_ptr->push_length);
   }

   else if (chunk_name == png_IEND)
   {
      PUSH_WAIT_FOR_CHUNK_BODY(png_ptr);
      png_handle_IEND(png_ptr, info_ptr, png_ptr->push_length);

      png_ptr->process_mode = PNG_READ_DONE_MODE;
      png_push_have_end(png_ptr, info_ptr);
   }

#ifdef PNG_HANDLE_AS_UNKNOWN_SUPPORTED
   else if ((keep = png_chunk_unknown_handling(png_ptr, chunk_name)) != 0)
   {
      PUSH_WAIT_FOR_CHUNK_BODY(png_ptr);
      png_handle_unknown(png_ptr, info_ptr, png_ptr->push_length, keep);

      if (chunk_name == png_PLTE)
         png_ptr->mode |= PNG_HAVE_PLTE;
   }
#endif

   else if (chunk_name == png_PLTE)
   {
      PUSH_WAIT_FOR_CHUNK_BODY(png_ptr);
      png_handle_PLTE(png_ptr, info_ptr, png_ptr->push_length);
   }

   else if (chunk_name == png_IDAT)
   {
      /* Hand over to the IDAT reader with one row (plus filter byte) of
       * output space; PNG_HAVE_CHUNK_HEADER stays set for it.
       */
      png_ptr->idat_size = png_ptr->push_length;
      png_ptr->process_mode = PNG_READ_IDAT_MODE;
      png_push_have_info(png_ptr, info_ptr);
      png_ptr->zstream.avail_out =
          (uInt) PNG_ROWBYTES(png_ptr->pixel_depth,
          png_ptr->iwidth) + 1;
      png_ptr->zstream.next_out = png_ptr->row_buf;
      return;
   }

#ifdef PNG_READ_gAMA_SUPPORTED
   else if (png_ptr->chunk_name == png_gAMA)
   {
      PUSH_WAIT_FOR_CHUNK_BODY(png_ptr);
      png_handle_gAMA(png_ptr, info_ptr, png_ptr->push_length);
   }

#endif
#ifdef PNG_READ_sBIT_SUPPORTED
   else if (png_ptr->chunk_name == png_sBIT)
   {
      PUSH_WAIT_FOR_CHUNK_BODY(png_ptr);
      png_handle_sBIT(png_ptr, info_ptr, png_ptr->push_length);
   }

#endif
#ifdef PNG_READ_cHRM_SUPPORTED
   else if (png_ptr->chunk_name == png_cHRM)
   {
      PUSH_WAIT_FOR_CHUNK_BODY(png_ptr);
      png_handle_cHRM(png_ptr, info_ptr, png_ptr->push_length);
   }

#endif
#ifdef PNG_READ_sRGB_SUPPORTED
   else if (chunk_name == png_sRGB)
   {
      PUSH_WAIT_FOR_CHUNK_BODY(png_ptr);
      png_handle_sRGB(png_ptr, info_ptr, png_ptr->push_length);
   }

#endif
#ifdef PNG_READ_iCCP_SUPPORTED
   else if (png_ptr->chunk_name == png_iCCP)
   {
      PUSH_WAIT_FOR_CHUNK_BODY(png_ptr);
      png_handle_iCCP(png_ptr, info_ptr, png_ptr->push_length);
   }

#endif
#ifdef PNG_READ_sPLT_SUPPORTED
   else if (chunk_name == png_sPLT)
   {
      PUSH_WAIT_FOR_CHUNK_BODY(png_ptr);
      png_handle_sPLT(png_ptr, info_ptr, png_ptr->push_length);
   }

#endif
#ifdef PNG_READ_tRNS_SUPPORTED
   else if (chunk_name == png_tRNS)
   {
      PUSH_WAIT_FOR_CHUNK_BODY(png_ptr);
      png_handle_tRNS(png_ptr, info_ptr, png_ptr->push_length);
   }

#endif
#ifdef PNG_READ_bKGD_SUPPORTED
   else if (chunk_name == png_bKGD)
   {
      PUSH_WAIT_FOR_CHUNK_BODY(png_ptr);
      png_handle_bKGD(png_ptr, info_ptr, png_ptr->push_length);
   }

#endif
#ifdef PNG_READ_hIST_SUPPORTED
   else if (chunk_name == png_hIST)
   {
      PUSH_WAIT_FOR_CHUNK_BODY(png_ptr);
      png_handle_hIST(png_ptr, info_ptr, png_ptr->push_length);
   }

#endif
#ifdef PNG_READ_pHYs_SUPPORTED
   else if (chunk_name == png_pHYs)
   {
      PUSH_WAIT_FOR_CHUNK_BODY(png_ptr);
      png_handle_pHYs(png_ptr, info_ptr, png_ptr->push_length);
   }

#endif
#ifdef PNG_READ_oFFs_SUPPORTED
   else if (chunk_name == png_oFFs)
   {
      PUSH_WAIT_FOR_CHUNK_BODY(png_ptr);
      png_handle_oFFs(png_ptr, info_ptr, png_ptr->push_length);
   }
#endif

#ifdef PNG_READ_pCAL_SUPPORTED
   else if (chunk_name == png_pCAL)
   {
      PUSH_WAIT_FOR_CHUNK_BODY(png_ptr);
      png_handle_pCAL(png_ptr, info_ptr, png_ptr->push_length);
   }

#endif
#ifdef PNG_READ_sCAL_SUPPORTED
   else if (chunk_name == png_sCAL)
   {
      PUSH_WAIT_FOR_CHUNK_BODY(png_ptr);
      png_handle_sCAL(png_ptr, info_ptr, png_ptr->push_length);
   }

#endif
#ifdef PNG_READ_tIME_SUPPORTED
   else if (chunk_name == png_tIME)
   {
      PUSH_WAIT_FOR_CHUNK_BODY(png_ptr);
      png_handle_tIME(png_ptr, info_ptr, png_ptr->push_length);
   }

#endif
#ifdef PNG_READ_tEXt_SUPPORTED
   else if (chunk_name == png_tEXt)
   {
      PUSH_WAIT_FOR_CHUNK_BODY(png_ptr);
      png_handle_tEXt(png_ptr, info_ptr, png_ptr->push_length);
   }

#endif
#ifdef PNG_READ_zTXt_SUPPORTED
   else if (chunk_name == png_zTXt)
   {
      PUSH_WAIT_FOR_CHUNK_BODY(png_ptr);
      png_handle_zTXt(png_ptr, info_ptr, png_ptr->push_length);
   }

#endif
#ifdef PNG_READ_iTXt_SUPPORTED
   else if (chunk_name == png_iTXt)
   {
      PUSH_WAIT_FOR_CHUNK_BODY(png_ptr);
      png_handle_iTXt(png_ptr, info_ptr, png_ptr->push_length);
   }
#endif

   else
   {
      /* Anything not recognised above gets the default unknown handling. */
      PUSH_WAIT_FOR_CHUNK_BODY(png_ptr);
      png_handle_unknown(png_ptr, info_ptr, png_ptr->push_length,
         PNG_HANDLE_CHUNK_AS_DEFAULT);
   }

   /* Chunk finished: the next call starts with a fresh header. */
   png_ptr->mode &= ~PNG_HAVE_CHUNK_HEADER;
}

#undef PUSH_WAIT_FOR_CHUNK_BODY
547 
/* Arrange for the next 'skip' bytes of input to be skipped: record the count
 * and put the reader into PNG_SKIP_MODE, where png_push_crc_finish does the
 * actual skipping.
 */
void /* PRIVATE */
png_push_crc_skip(png_structrp png_ptr, png_uint_32 skip)
{
   png_ptr->skip_length = skip;
   png_ptr->process_mode = PNG_SKIP_MODE;
}
554 
/* Skip the remaining skip_length bytes of the current chunk, still feeding
 * them to the CRC, taking saved bytes first and then bytes from the caller's
 * buffer.  Once nothing is left to skip and the 4 CRC bytes are buffered,
 * finish the CRC and go back to PNG_READ_CHUNK_MODE; if the CRC bytes have
 * not arrived yet the input is stashed and the function returns.
 */
void /* PRIVATE */
png_push_crc_finish(png_structrp png_ptr)
{
   if (png_ptr->skip_length != 0 && png_ptr->save_buffer_size != 0)
   {
      png_uint_32 skipped = png_ptr->skip_length;
      png_size_t taken = png_ptr->save_buffer_size;

      /* Take min(skip_length, save_buffer_size).  The two have different
       * types and either may be the narrower one, so compare first without
       * a cast and then cast the smaller value to the other type - that
       * cannot overflow.  Casting inside the comparison would break on 16 or
       * 64 bit platforms.
       */
      if (skipped < taken)
         taken = (png_size_t)skipped;

      else
         skipped = (png_uint_32)taken;

      png_calculate_crc(png_ptr, png_ptr->save_buffer_ptr, taken);

      png_ptr->save_buffer_ptr += taken;
      png_ptr->save_buffer_size -= taken;
      png_ptr->buffer_size -= taken;
      png_ptr->skip_length -= skipped;
   }

   if (png_ptr->skip_length != 0 && png_ptr->current_buffer_size != 0)
   {
      png_uint_32 skipped = png_ptr->skip_length;
      png_size_t taken = png_ptr->current_buffer_size;

      /* Same mixed-width minimum as above, against current_buffer_size. */
      if (skipped < taken)
         taken = (png_size_t)skipped;

      else
         skipped = (png_uint_32)taken;

      png_calculate_crc(png_ptr, png_ptr->current_buffer_ptr, taken);

      png_ptr->current_buffer_ptr += taken;
      png_ptr->current_buffer_size -= taken;
      png_ptr->buffer_size -= taken;
      png_ptr->skip_length -= skipped;
   }

   /* Still bytes to skip: wait for more input. */
   if (png_ptr->skip_length != 0)
      return;

   /* The trailing CRC must be complete before it can be checked. */
   if (png_ptr->buffer_size < 4)
   {
      png_push_save_buffer(png_ptr);
      return;
   }

   png_crc_finish(png_ptr, 0);
   png_ptr->process_mode = PNG_READ_CHUNK_MODE;
}
615 
/* Copy up to 'length' bytes of pending input into 'buffer', draining the
 * save buffer first and the caller's current buffer second, and advance the
 * read positions and counters accordingly.  Does nothing for a NULL png_ptr.
 *
 * NOTE(review): when fewer than 'length' bytes are pending the copy is
 * silently short and the rest of 'buffer' is left unwritten; nothing is
 * reported.  The callers in this file compare against buffer_size before
 * asking, so anything else that reads through this routine needs the same
 * guarantee.
 */
void PNGCBAPI
png_push_fill_buffer(png_structp png_ptr, png_bytep buffer, png_size_t length)
{
   png_bytep out = buffer;

   if (png_ptr == NULL)
      return;

   if (png_ptr->save_buffer_size != 0)
   {
      png_size_t from_save = (length < png_ptr->save_buffer_size) ?
          length : png_ptr->save_buffer_size;

      memcpy(out, png_ptr->save_buffer_ptr, from_save);
      out += from_save;
      length -= from_save;
      png_ptr->save_buffer_ptr += from_save;
      png_ptr->save_buffer_size -= from_save;
      png_ptr->buffer_size -= from_save;
   }

   if (length != 0 && png_ptr->current_buffer_size != 0)
   {
      png_size_t from_current = (length < png_ptr->current_buffer_size) ?
          length : png_ptr->current_buffer_size;

      memcpy(out, png_ptr->current_buffer_ptr, from_current);
      png_ptr->current_buffer_ptr += from_current;
      png_ptr->current_buffer_size -= from_current;
      png_ptr->buffer_size -= from_current;
   }
}
658 
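/* Stash all unread input in png_ptr->save_buffer so the caller's buffer can
 * be released: compact any bytes still held in the save buffer to its start,
 * grow the buffer if the caller's unread bytes do not fit, append them, and
 * leave buffer_size at 0 so png_process_data returns.
 *
 * Allocation failure and size overflow are reported through png_error.
 *
 * The buffer grows to whatever the pending input needs (plus 256 bytes of
 * slack); the only limit applied here is the png_size_t overflow check, so
 * memory use follows how much input callers such as png_push_read_chunk
 * decide to wait for.
 */
void /* PRIVATE */
png_push_save_buffer(png_structrp png_ptr)
{
   png_size_t saved;
   png_size_t incoming;

   /* Slide the unread saved bytes down to the start of the buffer.  The
    * regions can overlap (save_buffer_ptr only ever advances from
    * save_buffer), hence memmove rather than memcpy.
    */
   if (png_ptr->save_buffer_size != 0 &&
       png_ptr->save_buffer_ptr != png_ptr->save_buffer)
   {
      memmove(png_ptr->save_buffer, png_ptr->save_buffer_ptr,
          png_ptr->save_buffer_size);
   }

   saved = png_ptr->save_buffer_size;
   incoming = png_ptr->current_buffer_size;

   /* Check for wrap-around before the sum is compared with the capacity: a
    * wrapped sum would look small, skip the reallocation below and let the
    * final memcpy run past the end of save_buffer.
    */
   if (incoming > PNG_SIZE_MAX - saved)
      png_error(png_ptr, "Potential overflow of save_buffer");

   if (saved + incoming > png_ptr->save_buffer_max)
   {
      png_size_t new_max;
      png_bytep old_buffer;

      /* The 256 bytes of slack must not wrap the size either. */
      if (saved + incoming > PNG_SIZE_MAX - 256)
      {
         png_error(png_ptr, "Potential overflow of save_buffer");
      }

      new_max = saved + incoming + 256;
      old_buffer = png_ptr->save_buffer;
      png_ptr->save_buffer = (png_bytep)png_malloc_warn(png_ptr,
          (png_size_t)new_max);

      if (png_ptr->save_buffer == NULL)
      {
         png_free(png_ptr, old_buffer);
         png_error(png_ptr, "Insufficient memory for save_buffer");
      }

      /* On the first allocation there is no old buffer; passing NULL to
       * memcpy is undefined even for a zero length, so skip the copy.  Saved
       * bytes without a buffer to hold them mean the state is corrupt.
       */
      if (old_buffer != NULL)
         memcpy(png_ptr->save_buffer, old_buffer, saved);

      else if (saved != 0)
         png_error(png_ptr, "save_buffer error");

      png_free(png_ptr, old_buffer);
      png_ptr->save_buffer_max = new_max;
   }

   if (incoming != 0)
   {
      memcpy(png_ptr->save_buffer + saved, png_ptr->current_buffer_ptr,
         incoming);
      png_ptr->save_buffer_size += incoming;
      png_ptr->current_buffer_size = 0;
   }

   png_ptr->save_buffer_ptr = png_ptr->save_buffer;
   png_ptr->buffer_size = 0;
}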
715 
/* Attach the caller's input buffer for this png_process_data call.  The
 * buffer is referenced, not copied, and the total pending count becomes the
 * new bytes plus whatever is still held in the save buffer.
 *
 * NOTE(review): the sum buffer_length + save_buffer_size is not checked for
 * wrap-around here - confirm callers cannot pass a length near the maximum.
 */
void /* PRIVATE */
png_push_restore_buffer(png_structrp png_ptr, png_bytep buffer,
   png_size_t buffer_length)
{
   png_ptr->current_buffer = buffer;
   png_ptr->current_buffer_ptr = png_ptr->current_buffer;
   png_ptr->current_buffer_size = buffer_length;
   png_ptr->buffer_size = buffer_length + png_ptr->save_buffer_size;
}
725 
/* Stream IDAT data in push mode.
 *
 * If no chunk header is pending, read the next one; a non-IDAT name hands
 * control back to PNG_READ_CHUNK_MODE (with the header kept), and is an
 * error if zlib has not yet seen the end of the compressed stream.  IDAT
 * bytes are then CRC'd and passed to png_process_IDAT_data, saved bytes
 * first and the caller's buffer second.  When the chunk's data is exhausted
 * and its 4 CRC bytes are buffered, the CRC is finished and the header flag
 * cleared.
 */
void /* PRIVATE */
png_push_read_IDAT(png_structrp png_ptr)
{
   if ((png_ptr->mode & PNG_HAVE_CHUNK_HEADER) == 0)
   {
      png_byte length_bytes[4];
      png_byte tag_bytes[4];

      /* TODO: this code can be commoned up with the same code in push_read */
      if (png_ptr->buffer_size < 8)
      {
         png_push_save_buffer(png_ptr);
         return;
      }

      png_push_fill_buffer(png_ptr, length_bytes, 4);
      png_ptr->push_length = png_get_uint_31(png_ptr, length_bytes);
      png_reset_crc(png_ptr);
      png_crc_read(png_ptr, tag_bytes, 4);
      png_ptr->chunk_name = PNG_CHUNK_FROM_STRING(tag_bytes);
      png_ptr->mode |= PNG_HAVE_CHUNK_HEADER;

      if (png_ptr->chunk_name != png_IDAT)
      {
         /* The image data is over; the chunk reader takes the header. */
         png_ptr->process_mode = PNG_READ_CHUNK_MODE;

         if ((png_ptr->flags & PNG_FLAG_ZSTREAM_ENDED) == 0)
            png_error(png_ptr, "Not enough compressed data");

         return;
      }

      png_ptr->idat_size = png_ptr->push_length;
   }

   if (png_ptr->idat_size != 0 && png_ptr->save_buffer_size != 0)
   {
      png_uint_32 consumed = png_ptr->idat_size;
      png_size_t taken = png_ptr->save_buffer_size;

      /* Take min(idat_size, save_buffer_size).  The two have different
       * types and either may be the narrower one, so compare first without
       * a cast and then cast the smaller value to the other type - that
       * cannot overflow.  Casting inside the comparison would break on 16 or
       * 64 bit platforms.
       */
      if (consumed < taken)
         taken = (png_size_t)consumed;

      else
         consumed = (png_uint_32)taken;

      png_calculate_crc(png_ptr, png_ptr->save_buffer_ptr, taken);

      png_process_IDAT_data(png_ptr, png_ptr->save_buffer_ptr, taken);

      png_ptr->idat_size -= consumed;
      png_ptr->buffer_size -= taken;
      png_ptr->save_buffer_size -= taken;
      png_ptr->save_buffer_ptr += taken;
   }

   if (png_ptr->idat_size != 0 && png_ptr->current_buffer_size != 0)
   {
      png_uint_32 consumed = png_ptr->idat_size;
      png_size_t taken = png_ptr->current_buffer_size;

      /* Same mixed-width minimum, against current_buffer_size. */
      if (consumed < taken)
         taken = (png_size_t)consumed;

      else
         consumed = (png_uint_32)taken;

      png_calculate_crc(png_ptr, png_ptr->current_buffer_ptr, taken);

      png_process_IDAT_data(png_ptr, png_ptr->current_buffer_ptr, taken);

      png_ptr->idat_size -= consumed;
      png_ptr->buffer_size -= taken;
      png_ptr->current_buffer_size -= taken;
      png_ptr->current_buffer_ptr += taken;
   }

   /* More IDAT data is still expected: wait for the next input. */
   if (png_ptr->idat_size != 0)
      return;

   /* The trailing CRC must be complete before it can be checked. */
   if (png_ptr->buffer_size < 4)
   {
      png_push_save_buffer(png_ptr);
      return;
   }

   png_crc_finish(png_ptr, 0);
   png_ptr->mode &= ~PNG_HAVE_CHUNK_HEADER;
   png_ptr->mode |= PNG_AFTER_IDAT;
   png_ptr->zowner = 0;
}
827 
/* Inflate 'buffer_length' bytes of IDAT data at 'buffer', delivering each
 * completed row through png_push_process_row.  All of the input is processed
 * before returning unless the zlib stream ends or fails first.
 *
 * A zlib failure, or output produced after the last row, marks the stream
 * as ended.  A failure before the last row is a png_error; after it, only a
 * warning.  Input left over once the stream has ended also draws a warning.
 */
void /* PRIVATE */
png_process_IDAT_data(png_structrp png_ptr, png_bytep buffer,
   png_size_t buffer_length)
{
   /* The caller checks for a non-zero buffer length. */
   if (buffer == NULL || !(buffer_length > 0))
      png_error(png_ptr, "No IDAT data (internal error)");

   png_ptr->zstream.next_in = buffer;
   /* TODO: WARNING: TRUNCATION ERROR: DANGER WILL ROBINSON:
    * the cast drops high bits if buffer_length does not fit in uInt.  The
    * callers in this file pass a length already clamped to idat_size;
    * NOTE(review): confirm that bound fits uInt on every supported platform.
    */
   png_ptr->zstream.avail_in = (uInt)buffer_length;

   /* Run until the input is used up or the stream is marked finished. */
   while (png_ptr->zstream.avail_in > 0 &&
      (png_ptr->flags & PNG_FLAG_ZSTREAM_ENDED) == 0)
   {
      int zret;

      /* zlib needs somewhere to put output even when none is expected (the
       * input may be just the LZ end code), so point it at a fresh row
       * whenever the previous row's space is used up.
       */
      if (!(png_ptr->zstream.avail_out > 0))
      {
         /* TODO: WARNING: TRUNCATION ERROR: DANGER WILL ROBINSON: */
         png_ptr->zstream.avail_out = (uInt)(PNG_ROWBYTES(png_ptr->pixel_depth,
             png_ptr->iwidth) + 1);

         png_ptr->zstream.next_out = png_ptr->row_buf;
      }

      /* Z_SYNC_FLUSH lets a stream with a missing end code still be
       * handled; with Z_NO_FLUSH a future zlib might defer output and so
       * change the current behavior (see the comments in inflate.c for why
       * this doesn't happen at present with zlib 1.2.5).
       */
      zret = inflate(&png_ptr->zstream, Z_SYNC_FLUSH);

      if (zret != Z_OK && zret != Z_STREAM_END)
      {
         /* Stop decompressing. */
         png_ptr->flags |= PNG_FLAG_ZSTREAM_ENDED;
         png_ptr->zowner = 0;

         /* A failure before the image is complete is fatal; afterwards it
          * is probably just a missing or damaged end code.
          */
         if (png_ptr->row_number < png_ptr->num_rows &&
             png_ptr->pass <= 6)
            png_error(png_ptr, "Decompression error in IDAT");

         else
            png_warning(png_ptr, "Truncated compressed data in IDAT");

         /* Leaves without the unprocessed-input check. */
         return;
      }

      /* Did inflate write anything? */
      if (png_ptr->zstream.next_out != png_ptr->row_buf)
      {
         /* Output after the last row is dropped and the stream is
          * artificially terminated here.
          */
         if (png_ptr->row_number >= png_ptr->num_rows ||
             png_ptr->pass > 6)
         {
            png_warning(png_ptr, "Extra compressed data in IDAT");
            png_ptr->flags |= PNG_FLAG_ZSTREAM_ENDED;
            png_ptr->zowner = 0;

            /* Leaves without the unprocessed-input check. */
            return;
         }

         /* Output space exhausted means a whole row is ready. */
         if (png_ptr->zstream.avail_out == 0)
            png_push_process_row(png_ptr);
      }

      if (zret == Z_STREAM_END)
         png_ptr->flags |= PNG_FLAG_ZSTREAM_ENDED;
   }

   /* Anything still unread is IDAT data after the zlib end code. */
   if (png_ptr->zstream.avail_in > 0)
      png_warning(png_ptr, "Extra compression data in IDAT");
}
934 
/* Process the row currently held in png_ptr->row_buf in push (progressive)
 * mode: undo the row filter, save the row as prev_row for the next row's
 * filter, run the read transformations, check the resulting pixel depth and
 * deliver the row to the application through png_push_have_row.
 *
 * row_buf[0] is the filter type byte and the pixel data starts at
 * row_buf + 1.  Errors are reported through png_error.
 */
void /* PRIVATE */
png_push_process_row(png_structrp png_ptr)
{
   /* 1.5.6: row_info moved out of png_struct to a local here. */
   png_row_info row_info;

   row_info.width = png_ptr->iwidth; /* NOTE: width of current interlaced row */
   row_info.color_type = png_ptr->color_type;
   row_info.bit_depth = png_ptr->bit_depth;
   row_info.channels = png_ptr->channels;
   row_info.pixel_depth = png_ptr->pixel_depth;
   /* Byte length of the row data, excluding the leading filter byte. */
   row_info.rowbytes = PNG_ROWBYTES(row_info.pixel_depth, row_info.width);

   /* Validate the filter byte before using it: values at or above
    * PNG_FILTER_VALUE_LAST are rejected, PNG_FILTER_VALUE_NONE needs no
    * unfiltering, anything in between is handed to png_read_filter_row.
    * NOTE(review): png_error is presumed not to return - confirm.
    */
   if (png_ptr->row_buf[0] > PNG_FILTER_VALUE_NONE)
   {
      if (png_ptr->row_buf[0] < PNG_FILTER_VALUE_LAST)
         png_read_filter_row(png_ptr, &row_info, png_ptr->row_buf + 1,
            png_ptr->prev_row + 1, png_ptr->row_buf[0]);
      else
         png_error(png_ptr, "bad adaptive filter value");
   }

   /* libpng 1.5.6: the following line was copying png_ptr->rowbytes before
    * 1.5.6, while the buffer really is this big in current versions of libpng
    * it may not be in the future, so this was changed just to copy the
    * interlaced row count:
    *
    * The copy length is the filter byte plus rowbytes, where rowbytes was
    * computed above from iwidth and pixel_depth.
    * NOTE(review): row_buf and prev_row are allocated elsewhere; this copy
    * assumes both hold at least rowbytes + 1 bytes - confirm at the
    * allocation site.
    */
   memcpy(png_ptr->prev_row, png_ptr->row_buf, row_info.rowbytes + 1);

#ifdef PNG_READ_TRANSFORMS_SUPPORTED
   /* May change row_info (the pixel depth is re-checked just below). */
   if (png_ptr->transformations)
      png_do_read_transformations(png_ptr, &row_info);
#endif

   /* The transformed pixel depth should match the depth now in row_info.
    * On the first row (transformed_pixel_depth still 0) the depth is recorded
    * and compared against maximum_pixel_depth; on later rows it must equal
    * the recorded value.
    * NOTE(review): this check runs after png_do_read_transformations has
    * already processed the row, so it reports an oversized result rather than
    * preventing it; presumably the row buffer is sized from
    * maximum_pixel_depth - confirm.
    */
   if (png_ptr->transformed_pixel_depth == 0)
   {
      png_ptr->transformed_pixel_depth = row_info.pixel_depth;
      if (row_info.pixel_depth > png_ptr->maximum_pixel_depth)
         png_error(png_ptr, "progressive row overflow");
   }

   else if (png_ptr->transformed_pixel_depth != row_info.pixel_depth)
      png_error(png_ptr, "internal progressive row size calculation error");


#ifdef PNG_READ_INTERLACING_SUPPORTED
   /* Blow up interlaced rows to full size */
   if (png_ptr->interlaced && (png_ptr->transformations & PNG_INTERLACE))
   {
      /* Passes 0-5 are expanded first; pass 6 is delivered as it is. */
      if (png_ptr->pass < 6)
         png_do_read_interlace(&row_info, png_ptr->row_buf + 1, png_ptr->pass,
            png_ptr->transformations);

    /* Each case delivers a run of rows for the current pass.  A callback with
     * row_buf + 1 carries row data; a callback with NULL reports an empty row
     * (png_progressive_combine_row does nothing for a NULL new_row).  Every
     * loop re-tests png_ptr->pass because png_read_push_finish_row may advance
     * it, which ends the run early.
     */
    switch (png_ptr->pass)
    {
         case 0:
         {
            int i;
            /* Up to 8 callbacks carrying the row data. */
            for (i = 0; i < 8 && png_ptr->pass == 0; i++)
            {
               png_push_have_row(png_ptr, png_ptr->row_buf + 1);
               png_read_push_finish_row(png_ptr); /* Updates png_ptr->pass */
            }

            if (png_ptr->pass == 2) /* Pass 1 might be empty */
            {
               for (i = 0; i < 4 && png_ptr->pass == 2; i++)
               {
                  png_push_have_row(png_ptr, NULL);
                  png_read_push_finish_row(png_ptr);
               }
            }

            /* Only for images of height 4 or less: report the empty rows of
             * pass 4 as well.
             */
            if (png_ptr->pass == 4 && png_ptr->height <= 4)
            {
               for (i = 0; i < 2 && png_ptr->pass == 4; i++)
               {
                  png_push_have_row(png_ptr, NULL);
                  png_read_push_finish_row(png_ptr);
               }
            }

            /* Likewise one empty row for pass 6 when height is 4 or less. */
            if (png_ptr->pass == 6 && png_ptr->height <= 4)
            {
                png_push_have_row(png_ptr, NULL);
                png_read_push_finish_row(png_ptr);
            }

            break;
         }

         case 1:
         {
            int i;
            /* Up to 8 callbacks carrying the row data. */
            for (i = 0; i < 8 && png_ptr->pass == 1; i++)
            {
               png_push_have_row(png_ptr, png_ptr->row_buf + 1);
               png_read_push_finish_row(png_ptr);
            }

            if (png_ptr->pass == 2) /* Skip top 4 generated rows */
            {
               for (i = 0; i < 4 && png_ptr->pass == 2; i++)
               {
                  png_push_have_row(png_ptr, NULL);
                  png_read_push_finish_row(png_ptr);
               }
            }

            break;
         }

         case 2:
         {
            int i;

            /* Up to 4 callbacks with data, then up to 4 empty rows. */
            for (i = 0; i < 4 && png_ptr->pass == 2; i++)
            {
               png_push_have_row(png_ptr, png_ptr->row_buf + 1);
               png_read_push_finish_row(png_ptr);
            }

            for (i = 0; i < 4 && png_ptr->pass == 2; i++)
            {
               png_push_have_row(png_ptr, NULL);
               png_read_push_finish_row(png_ptr);
            }

            if (png_ptr->pass == 4) /* Pass 3 might be empty */
            {
               for (i = 0; i < 2 && png_ptr->pass == 4; i++)
               {
                  png_push_have_row(png_ptr, NULL);
                  png_read_push_finish_row(png_ptr);
               }
            }

            break;
         }

         case 3:
         {
            int i;

            /* Up to 4 callbacks carrying the row data. */
            for (i = 0; i < 4 && png_ptr->pass == 3; i++)
            {
               png_push_have_row(png_ptr, png_ptr->row_buf + 1);
               png_read_push_finish_row(png_ptr);
            }

            if (png_ptr->pass == 4) /* Skip top two generated rows */
            {
               for (i = 0; i < 2 && png_ptr->pass == 4; i++)
               {
                  png_push_have_row(png_ptr, NULL);
                  png_read_push_finish_row(png_ptr);
               }
            }

            break;
         }

         case 4:
         {
            int i;

            /* Up to 2 callbacks with data, then up to 2 empty rows. */
            for (i = 0; i < 2 && png_ptr->pass == 4; i++)
            {
               png_push_have_row(png_ptr, png_ptr->row_buf + 1);
               png_read_push_finish_row(png_ptr);
            }

            for (i = 0; i < 2 && png_ptr->pass == 4; i++)
            {
               png_push_have_row(png_ptr, NULL);
               png_read_push_finish_row(png_ptr);
            }

            if (png_ptr->pass == 6) /* Pass 5 might be empty */
            {
               png_push_have_row(png_ptr, NULL);
               png_read_push_finish_row(png_ptr);
            }

            break;
         }

         case 5:
         {
            int i;

            /* Up to 2 callbacks carrying the row data. */
            for (i = 0; i < 2 && png_ptr->pass == 5; i++)
            {
               png_push_have_row(png_ptr, png_ptr->row_buf + 1);
               png_read_push_finish_row(png_ptr);
            }

            if (png_ptr->pass == 6) /* Skip top generated row */
            {
               png_push_have_row(png_ptr, NULL);
               png_read_push_finish_row(png_ptr);
            }

            break;
         }

         /* Any pass value other than 0-5 is handled like pass 6. */
         default:
         case 6:
         {
            png_push_have_row(png_ptr, png_ptr->row_buf + 1);
            png_read_push_finish_row(png_ptr);

            /* Stop if finishing the row moved the reader off pass 6. */
            if (png_ptr->pass != 6)
               break;

            png_push_have_row(png_ptr, NULL);
            png_read_push_finish_row(png_ptr);
         }
      }
   }
   else
#endif
   {
      /* No interlace expansion requested: deliver the row once. */
      png_push_have_row(png_ptr, png_ptr->row_buf + 1);
      png_read_push_finish_row(png_ptr);
   }
}
1163 
/* Account for one delivered row.  While rows remain in the current pass this
 * only bumps row_number.  At the end of a pass of an interlaced image it
 * resets row_number, clears prev_row and moves png_ptr->pass forward to the
 * next pass that has a non-zero width and row count (or to 7 when no pass is
 * left), updating iwidth and num_rows on the way.
 */
void /* PRIVATE */
png_read_push_finish_row(png_structrp png_ptr)
{
#ifdef PNG_READ_INTERLACING_SUPPORTED
   /* Interlace geometry tables, indexed by pass number 0..6.  Each table has
    * exactly seven entries; the loop below leaves before indexing them once
    * pass has reached 7.
    */

   /* First column of each pass */
   static PNG_CONST png_byte png_pass_start[] = {0, 4, 0, 2, 0, 1, 0};

   /* Column step of each pass */
   static PNG_CONST png_byte png_pass_inc[] = {8, 8, 4, 4, 2, 2, 1};

   /* First row of each pass */
   static PNG_CONST png_byte png_pass_ystart[] = {0, 0, 4, 0, 2, 0, 1};

   /* Row step of each pass */
   static PNG_CONST png_byte png_pass_yinc[] = {8, 8, 8, 4, 4, 2, 2};

   /* A block-height table (png_pass_height = {8, 8, 4, 4, 2, 2, 1}) is not
    * used by this function; it would also have to be enabled in png.h.
    */
#endif

   if (++png_ptr->row_number < png_ptr->num_rows)
      return;

#ifdef PNG_READ_INTERLACING_SUPPORTED
   if (!png_ptr->interlaced)
      return;

   /* A new pass starts: row counting restarts and there is no previous row
    * for the filter to refer to.
    * NOTE(review): the clear length is png_ptr->rowbytes + 1; prev_row is
    * allocated elsewhere and is assumed to be at least that large - confirm.
    */
   png_ptr->row_number = 0;
   memset(png_ptr->prev_row, 0, png_ptr->rowbytes + 1);

   for (;;)
   {
      png_ptr->pass++;

      /* Passes 1, 3 and 5 start at columns 4, 2 and 1, so they hold no
       * pixels when the image is narrower than 5, 3 and 2 columns; step
       * over such a pass.
       */
      if ((png_ptr->pass == 5 && png_ptr->width < 2) ||
          (png_ptr->pass == 3 && png_ptr->width < 3) ||
          (png_ptr->pass == 1 && png_ptr->width < 5))
         png_ptr->pass++;

      /* Never let pass run beyond 7. */
      if (png_ptr->pass > 7)
         png_ptr->pass--;

      /* All seven passes consumed; must leave before the table lookups. */
      if (png_ptr->pass >= 7)
         return;

      /* Number of columns in the new pass, rounded up. */
      png_ptr->iwidth = (png_ptr->width +
          png_pass_inc[png_ptr->pass] - 1 -
          png_pass_start[png_ptr->pass]) /
          png_pass_inc[png_ptr->pass];

      /* With the PNG_INTERLACE transformation active num_rows is left
       * untouched and the pass is accepted as it is.
       */
      if (png_ptr->transformations & PNG_INTERLACE)
         return;

      /* Number of rows in the new pass, rounded up. */
      png_ptr->num_rows = (png_ptr->height +
          png_pass_yinc[png_ptr->pass] - 1 -
          png_pass_ystart[png_ptr->pass]) /
          png_pass_yinc[png_ptr->pass];

      /* Keep going only while the pass is empty in either direction. */
      if (png_ptr->iwidth != 0 && png_ptr->num_rows != 0)
         return;
   }
#endif /* PNG_READ_INTERLACING_SUPPORTED */
}
1229 
/* Invoke the application's info callback, if one is registered.  The callback
 * is application code and receives both pointers unchanged.
 */
void /* PRIVATE */
png_push_have_info(png_structrp png_ptr, png_inforp info_ptr)
{
   if (png_ptr->info_fn == NULL)
      return;

   png_ptr->info_fn(png_ptr, info_ptr);
}
1236 
/* Invoke the application's end callback, if one is registered.  The callback
 * is application code and receives both pointers unchanged.
 */
void /* PRIVATE */
png_push_have_end(png_structrp png_ptr, png_inforp info_ptr)
{
   if (png_ptr->end_fn == NULL)
      return;

   png_ptr->end_fn(png_ptr, info_ptr);
}
1243 
/* Invoke the application's row callback, if one is registered, passing the
 * row pointer together with the current row number and pass.  'row' is
 * forwarded as given and may be NULL; the callback has to cope with that.
 */
void /* PRIVATE */
png_push_have_row(png_structrp png_ptr, png_bytep row)
{
   if (png_ptr->row_fn == NULL)
      return;

   png_ptr->row_fn(png_ptr, row, png_ptr->row_number, (int)png_ptr->pass);
}
1251 
1252 #ifdef PNG_READ_INTERLACING_SUPPORTED
/* Merge the row just decoded into the application's copy of that row.
 *
 * new_row is only used as a flag: NULL means the row callback was invoked for
 * an empty row and nothing is combined; otherwise it must be
 * png_ptr->row_buf+1 and png_combine_row is called in display mode.
 *
 * old_row is handed to png_combine_row without any check in this function, so
 * the caller must supply a valid destination row whenever new_row is not NULL.
 */
void PNGAPI
png_progressive_combine_row(png_const_structrp png_ptr, png_bytep old_row,
    png_const_bytep new_row)
{
   if (png_ptr != NULL && new_row != NULL)
      png_combine_row(png_ptr, old_row, 1/*display*/);
}
1267 #endif /* PNG_READ_INTERLACING_SUPPORTED */
1268 
/* Register the three progressive-read callbacks (info, row, end) and install
 * png_push_fill_buffer as the read function, with progressive_ptr as the
 * pointer passed to png_set_read_fn.  Any callback may be NULL; the
 * png_push_have_* helpers skip a NULL callback.  Does nothing when png_ptr is
 * NULL.
 */
void PNGAPI
png_set_progressive_read_fn(png_structrp png_ptr, png_voidp progressive_ptr,
    png_progressive_info_ptr info_fn, png_progressive_row_ptr row_fn,
    png_progressive_end_ptr end_fn)
{
   if (png_ptr != NULL)
   {
      png_ptr->info_fn = info_fn;
      png_ptr->row_fn = row_fn;
      png_ptr->end_fn = end_fn;

      png_set_read_fn(png_ptr, progressive_ptr, png_push_fill_buffer);
   }
}
1283 
/* Return the io_ptr stored in png_ptr, or NULL when png_ptr itself is NULL. */
png_voidp PNGAPI
png_get_progressive_ptr(png_const_structrp png_ptr)
{
   return (png_ptr != NULL) ? png_ptr->io_ptr : NULL;
}
1292 #endif /* PNG_PROGRESSIVE_READ_SUPPORTED */
1293