1
2 /* pngpread.c - read a png file in push mode
3 *
4 * Last changed in libpng 1.6.10 [March 6, 2014]
5 * Copyright (c) 1998-2014 Glenn Randers-Pehrson
6 * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
7 * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
8 *
9 * This code is released under the libpng license.
10 * For conditions of distribution and use, see the disclaimer
11 * and license in png.h
12 */
13
14 #include "pngpriv.h"
15
16 #ifdef PNG_PROGRESSIVE_READ_SUPPORTED
17
18 /* Push model modes */
19 #define PNG_READ_SIG_MODE 0
20 #define PNG_READ_CHUNK_MODE 1
21 #define PNG_READ_IDAT_MODE 2
22 #define PNG_SKIP_MODE 3
23 #define PNG_READ_tEXt_MODE 4
24 #define PNG_READ_zTXt_MODE 5
25 #define PNG_READ_DONE_MODE 6
26 #define PNG_READ_iTXt_MODE 7
27 #define PNG_ERROR_MODE 8
28
29 void PNGAPI
png_process_data(png_structrp png_ptr,png_inforp info_ptr,png_bytep buffer,png_size_t buffer_size)30 png_process_data(png_structrp png_ptr, png_inforp info_ptr,
31 png_bytep buffer, png_size_t buffer_size)
32 {
33 if (png_ptr == NULL || info_ptr == NULL)
34 return;
35
36 png_push_restore_buffer(png_ptr, buffer, buffer_size);
37
38 while (png_ptr->buffer_size)
39 {
40 png_process_some_data(png_ptr, info_ptr);
41 }
42 }
43
44 png_size_t PNGAPI
png_process_data_pause(png_structrp png_ptr,int save)45 png_process_data_pause(png_structrp png_ptr, int save)
46 {
47 if (png_ptr != NULL)
48 {
49 /* It's easiest for the caller if we do the save, then the caller doesn't
50 * have to supply the same data again:
51 */
52 if (save)
53 png_push_save_buffer(png_ptr);
54 else
55 {
56 /* This includes any pending saved bytes: */
57 png_size_t remaining = png_ptr->buffer_size;
58 png_ptr->buffer_size = 0;
59
60 /* So subtract the saved buffer size, unless all the data
61 * is actually 'saved', in which case we just return 0
62 */
63 if (png_ptr->save_buffer_size < remaining)
64 return remaining - png_ptr->save_buffer_size;
65 }
66 }
67
68 return 0;
69 }
70
71 png_uint_32 PNGAPI
png_process_data_skip(png_structrp png_ptr)72 png_process_data_skip(png_structrp png_ptr)
73 {
74 png_uint_32 remaining = 0;
75
76 if (png_ptr != NULL && png_ptr->process_mode == PNG_SKIP_MODE &&
77 png_ptr->skip_length > 0)
78 {
79 /* At the end of png_process_data the buffer size must be 0 (see the loop
80 * above) so we can detect a broken call here:
81 */
82 if (png_ptr->buffer_size != 0)
83 png_error(png_ptr,
84 "png_process_data_skip called inside png_process_data");
85
86 /* If is impossible for there to be a saved buffer at this point -
87 * otherwise we could not be in SKIP mode. This will also happen if
88 * png_process_skip is called inside png_process_data (but only very
89 * rarely.)
90 */
91 if (png_ptr->save_buffer_size != 0)
92 png_error(png_ptr, "png_process_data_skip called with saved data");
93
94 remaining = png_ptr->skip_length;
95 png_ptr->skip_length = 0;
96 png_ptr->process_mode = PNG_READ_CHUNK_MODE;
97 }
98
99 return remaining;
100 }
101
102 /* What we do with the incoming data depends on what we were previously
103 * doing before we ran out of data...
104 */
105 void /* PRIVATE */
png_process_some_data(png_structrp png_ptr,png_inforp info_ptr)106 png_process_some_data(png_structrp png_ptr, png_inforp info_ptr)
107 {
108 if (png_ptr == NULL)
109 return;
110
111 switch (png_ptr->process_mode)
112 {
113 case PNG_READ_SIG_MODE:
114 {
115 png_push_read_sig(png_ptr, info_ptr);
116 break;
117 }
118
119 case PNG_READ_CHUNK_MODE:
120 {
121 png_push_read_chunk(png_ptr, info_ptr);
122 break;
123 }
124
125 case PNG_READ_IDAT_MODE:
126 {
127 png_push_read_IDAT(png_ptr);
128 break;
129 }
130
131 case PNG_SKIP_MODE:
132 {
133 png_push_crc_finish(png_ptr);
134 break;
135 }
136
137 default:
138 {
139 png_ptr->buffer_size = 0;
140 break;
141 }
142 }
143 }
144
145 /* Read any remaining signature bytes from the stream and compare them with
146 * the correct PNG signature. It is possible that this routine is called
147 * with bytes already read from the signature, either because they have been
148 * checked by the calling application, or because of multiple calls to this
149 * routine.
150 */
151 void /* PRIVATE */
png_push_read_sig(png_structrp png_ptr,png_inforp info_ptr)152 png_push_read_sig(png_structrp png_ptr, png_inforp info_ptr)
153 {
154 png_size_t num_checked = png_ptr->sig_bytes, /* SAFE, does not exceed 8 */
155 num_to_check = 8 - num_checked;
156
157 if (png_ptr->buffer_size < num_to_check)
158 {
159 num_to_check = png_ptr->buffer_size;
160 }
161
162 png_push_fill_buffer(png_ptr, &(info_ptr->signature[num_checked]),
163 num_to_check);
164 png_ptr->sig_bytes = (png_byte)(png_ptr->sig_bytes + num_to_check);
165
166 if (png_sig_cmp(info_ptr->signature, num_checked, num_to_check))
167 {
168 if (num_checked < 4 &&
169 png_sig_cmp(info_ptr->signature, num_checked, num_to_check - 4))
170 png_error(png_ptr, "Not a PNG file");
171
172 else
173 png_error(png_ptr, "PNG file corrupted by ASCII conversion");
174 }
175 else
176 {
177 if (png_ptr->sig_bytes >= 8)
178 {
179 png_ptr->process_mode = PNG_READ_CHUNK_MODE;
180 }
181 }
182 }
183
184 void /* PRIVATE */
png_push_read_chunk(png_structrp png_ptr,png_inforp info_ptr)185 png_push_read_chunk(png_structrp png_ptr, png_inforp info_ptr)
186 {
187 png_uint_32 chunk_name;
188 #ifdef PNG_HANDLE_AS_UNKNOWN_SUPPORTED
189 int keep; /* unknown handling method */
190 #endif
191
192 /* First we make sure we have enough data for the 4 byte chunk name
193 * and the 4 byte chunk length before proceeding with decoding the
194 * chunk data. To fully decode each of these chunks, we also make
195 * sure we have enough data in the buffer for the 4 byte CRC at the
196 * end of every chunk (except IDAT, which is handled separately).
197 */
198 if (!(png_ptr->mode & PNG_HAVE_CHUNK_HEADER))
199 {
200 png_byte chunk_length[4];
201 png_byte chunk_tag[4];
202
203 if (png_ptr->buffer_size < 8)
204 {
205 png_push_save_buffer(png_ptr);
206 return;
207 }
208
209 png_push_fill_buffer(png_ptr, chunk_length, 4);
210 png_ptr->push_length = png_get_uint_31(png_ptr, chunk_length);
211 png_reset_crc(png_ptr);
212 png_crc_read(png_ptr, chunk_tag, 4);
213 png_ptr->chunk_name = PNG_CHUNK_FROM_STRING(chunk_tag);
214 png_check_chunk_name(png_ptr, png_ptr->chunk_name);
215 png_ptr->mode |= PNG_HAVE_CHUNK_HEADER;
216 }
217
218 chunk_name = png_ptr->chunk_name;
219
220 if (chunk_name == png_IDAT)
221 {
222 if (png_ptr->mode & PNG_AFTER_IDAT)
223 png_ptr->mode |= PNG_HAVE_CHUNK_AFTER_IDAT;
224
225 /* If we reach an IDAT chunk, this means we have read all of the
226 * header chunks, and we can start reading the image (or if this
227 * is called after the image has been read - we have an error).
228 */
229 if (!(png_ptr->mode & PNG_HAVE_IHDR))
230 png_error(png_ptr, "Missing IHDR before IDAT");
231
232 else if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE &&
233 !(png_ptr->mode & PNG_HAVE_PLTE))
234 png_error(png_ptr, "Missing PLTE before IDAT");
235
236 png_ptr->mode |= PNG_HAVE_IDAT;
237 png_ptr->process_mode = PNG_READ_IDAT_MODE;
238
239 if (!(png_ptr->mode & PNG_HAVE_CHUNK_AFTER_IDAT))
240 if (png_ptr->push_length == 0)
241 return;
242
243 if (png_ptr->mode & PNG_AFTER_IDAT)
244 png_benign_error(png_ptr, "Too many IDATs found");
245 }
246
247 if (chunk_name == png_IHDR)
248 {
249 if (png_ptr->push_length != 13)
250 png_error(png_ptr, "Invalid IHDR length");
251
252 if (png_ptr->push_length + 4 > png_ptr->buffer_size)
253 {
254 png_push_save_buffer(png_ptr);
255 return;
256 }
257
258 png_handle_IHDR(png_ptr, info_ptr, png_ptr->push_length);
259 }
260
261 else if (chunk_name == png_IEND)
262 {
263 if (png_ptr->push_length + 4 > png_ptr->buffer_size)
264 {
265 png_push_save_buffer(png_ptr);
266 return;
267 }
268
269 png_handle_IEND(png_ptr, info_ptr, png_ptr->push_length);
270
271 png_ptr->process_mode = PNG_READ_DONE_MODE;
272 png_push_have_end(png_ptr, info_ptr);
273 }
274
275 #ifdef PNG_HANDLE_AS_UNKNOWN_SUPPORTED
276 else if ((keep = png_chunk_unknown_handling(png_ptr, chunk_name)) != 0)
277 {
278 if (png_ptr->push_length + 4 > png_ptr->buffer_size)
279 {
280 png_push_save_buffer(png_ptr);
281 return;
282 }
283
284 png_handle_unknown(png_ptr, info_ptr, png_ptr->push_length, keep);
285
286 if (chunk_name == png_PLTE)
287 png_ptr->mode |= PNG_HAVE_PLTE;
288 }
289 #endif
290
291 else if (chunk_name == png_PLTE)
292 {
293 if (png_ptr->push_length + 4 > png_ptr->buffer_size)
294 {
295 png_push_save_buffer(png_ptr);
296 return;
297 }
298 png_handle_PLTE(png_ptr, info_ptr, png_ptr->push_length);
299 }
300
301 else if (chunk_name == png_IDAT)
302 {
303 png_ptr->idat_size = png_ptr->push_length;
304 png_ptr->process_mode = PNG_READ_IDAT_MODE;
305 png_push_have_info(png_ptr, info_ptr);
306 png_ptr->zstream.avail_out =
307 (uInt) PNG_ROWBYTES(png_ptr->pixel_depth,
308 png_ptr->iwidth) + 1;
309 png_ptr->zstream.next_out = png_ptr->row_buf;
310 return;
311 }
312
313 #ifdef PNG_READ_gAMA_SUPPORTED
314 else if (png_ptr->chunk_name == png_gAMA)
315 {
316 if (png_ptr->push_length + 4 > png_ptr->buffer_size)
317 {
318 png_push_save_buffer(png_ptr);
319 return;
320 }
321
322 png_handle_gAMA(png_ptr, info_ptr, png_ptr->push_length);
323 }
324
325 #endif
326 #ifdef PNG_READ_sBIT_SUPPORTED
327 else if (png_ptr->chunk_name == png_sBIT)
328 {
329 if (png_ptr->push_length + 4 > png_ptr->buffer_size)
330 {
331 png_push_save_buffer(png_ptr);
332 return;
333 }
334
335 png_handle_sBIT(png_ptr, info_ptr, png_ptr->push_length);
336 }
337
338 #endif
339 #ifdef PNG_READ_cHRM_SUPPORTED
340 else if (png_ptr->chunk_name == png_cHRM)
341 {
342 if (png_ptr->push_length + 4 > png_ptr->buffer_size)
343 {
344 png_push_save_buffer(png_ptr);
345 return;
346 }
347
348 png_handle_cHRM(png_ptr, info_ptr, png_ptr->push_length);
349 }
350
351 #endif
352 #ifdef PNG_READ_sRGB_SUPPORTED
353 else if (chunk_name == png_sRGB)
354 {
355 if (png_ptr->push_length + 4 > png_ptr->buffer_size)
356 {
357 png_push_save_buffer(png_ptr);
358 return;
359 }
360
361 png_handle_sRGB(png_ptr, info_ptr, png_ptr->push_length);
362 }
363
364 #endif
365 #ifdef PNG_READ_iCCP_SUPPORTED
366 else if (png_ptr->chunk_name == png_iCCP)
367 {
368 if (png_ptr->push_length + 4 > png_ptr->buffer_size)
369 {
370 png_push_save_buffer(png_ptr);
371 return;
372 }
373
374 png_handle_iCCP(png_ptr, info_ptr, png_ptr->push_length);
375 }
376
377 #endif
378 #ifdef PNG_READ_sPLT_SUPPORTED
379 else if (chunk_name == png_sPLT)
380 {
381 if (png_ptr->push_length + 4 > png_ptr->buffer_size)
382 {
383 png_push_save_buffer(png_ptr);
384 return;
385 }
386
387 png_handle_sPLT(png_ptr, info_ptr, png_ptr->push_length);
388 }
389
390 #endif
391 #ifdef PNG_READ_tRNS_SUPPORTED
392 else if (chunk_name == png_tRNS)
393 {
394 if (png_ptr->push_length + 4 > png_ptr->buffer_size)
395 {
396 png_push_save_buffer(png_ptr);
397 return;
398 }
399
400 png_handle_tRNS(png_ptr, info_ptr, png_ptr->push_length);
401 }
402
403 #endif
404 #ifdef PNG_READ_bKGD_SUPPORTED
405 else if (chunk_name == png_bKGD)
406 {
407 if (png_ptr->push_length + 4 > png_ptr->buffer_size)
408 {
409 png_push_save_buffer(png_ptr);
410 return;
411 }
412
413 png_handle_bKGD(png_ptr, info_ptr, png_ptr->push_length);
414 }
415
416 #endif
417 #ifdef PNG_READ_hIST_SUPPORTED
418 else if (chunk_name == png_hIST)
419 {
420 if (png_ptr->push_length + 4 > png_ptr->buffer_size)
421 {
422 png_push_save_buffer(png_ptr);
423 return;
424 }
425
426 png_handle_hIST(png_ptr, info_ptr, png_ptr->push_length);
427 }
428
429 #endif
430 #ifdef PNG_READ_pHYs_SUPPORTED
431 else if (chunk_name == png_pHYs)
432 {
433 if (png_ptr->push_length + 4 > png_ptr->buffer_size)
434 {
435 png_push_save_buffer(png_ptr);
436 return;
437 }
438
439 png_handle_pHYs(png_ptr, info_ptr, png_ptr->push_length);
440 }
441
442 #endif
443 #ifdef PNG_READ_oFFs_SUPPORTED
444 else if (chunk_name == png_oFFs)
445 {
446 if (png_ptr->push_length + 4 > png_ptr->buffer_size)
447 {
448 png_push_save_buffer(png_ptr);
449 return;
450 }
451
452 png_handle_oFFs(png_ptr, info_ptr, png_ptr->push_length);
453 }
454 #endif
455
456 #ifdef PNG_READ_pCAL_SUPPORTED
457 else if (chunk_name == png_pCAL)
458 {
459 if (png_ptr->push_length + 4 > png_ptr->buffer_size)
460 {
461 png_push_save_buffer(png_ptr);
462 return;
463 }
464
465 png_handle_pCAL(png_ptr, info_ptr, png_ptr->push_length);
466 }
467
468 #endif
469 #ifdef PNG_READ_sCAL_SUPPORTED
470 else if (chunk_name == png_sCAL)
471 {
472 if (png_ptr->push_length + 4 > png_ptr->buffer_size)
473 {
474 png_push_save_buffer(png_ptr);
475 return;
476 }
477
478 png_handle_sCAL(png_ptr, info_ptr, png_ptr->push_length);
479 }
480
481 #endif
482 #ifdef PNG_READ_tIME_SUPPORTED
483 else if (chunk_name == png_tIME)
484 {
485 if (png_ptr->push_length + 4 > png_ptr->buffer_size)
486 {
487 png_push_save_buffer(png_ptr);
488 return;
489 }
490
491 png_handle_tIME(png_ptr, info_ptr, png_ptr->push_length);
492 }
493
494 #endif
495 #ifdef PNG_READ_tEXt_SUPPORTED
496 else if (chunk_name == png_tEXt)
497 {
498 if (png_ptr->push_length + 4 > png_ptr->buffer_size)
499 {
500 png_push_save_buffer(png_ptr);
501 return;
502 }
503
504 png_handle_tEXt(png_ptr, info_ptr, png_ptr->push_length);
505 }
506
507 #endif
508 #ifdef PNG_READ_zTXt_SUPPORTED
509 else if (chunk_name == png_zTXt)
510 {
511 if (png_ptr->push_length + 4 > png_ptr->buffer_size)
512 {
513 png_push_save_buffer(png_ptr);
514 return;
515 }
516
517 png_handle_zTXt(png_ptr, info_ptr, png_ptr->push_length);
518 }
519
520 #endif
521 #ifdef PNG_READ_iTXt_SUPPORTED
522 else if (chunk_name == png_iTXt)
523 {
524 if (png_ptr->push_length + 4 > png_ptr->buffer_size)
525 {
526 png_push_save_buffer(png_ptr);
527 return;
528 }
529
530 png_handle_iTXt(png_ptr, info_ptr, png_ptr->push_length);
531 }
532 #endif
533
534 else
535 {
536 if (png_ptr->push_length + 4 > png_ptr->buffer_size)
537 {
538 png_push_save_buffer(png_ptr);
539 return;
540 }
541 png_handle_unknown(png_ptr, info_ptr, png_ptr->push_length,
542 PNG_HANDLE_CHUNK_AS_DEFAULT);
543 }
544
545 png_ptr->mode &= ~PNG_HAVE_CHUNK_HEADER;
546 }
547
548 void /* PRIVATE */
png_push_crc_skip(png_structrp png_ptr,png_uint_32 skip)549 png_push_crc_skip(png_structrp png_ptr, png_uint_32 skip)
550 {
551 png_ptr->process_mode = PNG_SKIP_MODE;
552 png_ptr->skip_length = skip;
553 }
554
555 void /* PRIVATE */
png_push_crc_finish(png_structrp png_ptr)556 png_push_crc_finish(png_structrp png_ptr)
557 {
558 if (png_ptr->skip_length && png_ptr->save_buffer_size)
559 {
560 png_size_t save_size = png_ptr->save_buffer_size;
561 png_uint_32 skip_length = png_ptr->skip_length;
562
563 /* We want the smaller of 'skip_length' and 'save_buffer_size', but
564 * they are of different types and we don't know which variable has the
565 * fewest bits. Carefully select the smaller and cast it to the type of
566 * the larger - this cannot overflow. Do not cast in the following test
567 * - it will break on either 16 or 64 bit platforms.
568 */
569 if (skip_length < save_size)
570 save_size = (png_size_t)skip_length;
571
572 else
573 skip_length = (png_uint_32)save_size;
574
575 png_calculate_crc(png_ptr, png_ptr->save_buffer_ptr, save_size);
576
577 png_ptr->skip_length -= skip_length;
578 png_ptr->buffer_size -= save_size;
579 png_ptr->save_buffer_size -= save_size;
580 png_ptr->save_buffer_ptr += save_size;
581 }
582 if (png_ptr->skip_length && png_ptr->current_buffer_size)
583 {
584 png_size_t save_size = png_ptr->current_buffer_size;
585 png_uint_32 skip_length = png_ptr->skip_length;
586
587 /* We want the smaller of 'skip_length' and 'current_buffer_size', here,
588 * the same problem exists as above and the same solution.
589 */
590 if (skip_length < save_size)
591 save_size = (png_size_t)skip_length;
592
593 else
594 skip_length = (png_uint_32)save_size;
595
596 png_calculate_crc(png_ptr, png_ptr->current_buffer_ptr, save_size);
597
598 png_ptr->skip_length -= skip_length;
599 png_ptr->buffer_size -= save_size;
600 png_ptr->current_buffer_size -= save_size;
601 png_ptr->current_buffer_ptr += save_size;
602 }
603 if (!png_ptr->skip_length)
604 {
605 if (png_ptr->buffer_size < 4)
606 {
607 png_push_save_buffer(png_ptr);
608 return;
609 }
610
611 png_crc_finish(png_ptr, 0);
612 png_ptr->process_mode = PNG_READ_CHUNK_MODE;
613 }
614 }
615
616 void PNGCBAPI
png_push_fill_buffer(png_structp png_ptr,png_bytep buffer,png_size_t length)617 png_push_fill_buffer(png_structp png_ptr, png_bytep buffer, png_size_t length)
618 {
619 png_bytep ptr;
620
621 if (png_ptr == NULL)
622 return;
623
624 ptr = buffer;
625 if (png_ptr->save_buffer_size)
626 {
627 png_size_t save_size;
628
629 if (length < png_ptr->save_buffer_size)
630 save_size = length;
631
632 else
633 save_size = png_ptr->save_buffer_size;
634
635 memcpy(ptr, png_ptr->save_buffer_ptr, save_size);
636 length -= save_size;
637 ptr += save_size;
638 png_ptr->buffer_size -= save_size;
639 png_ptr->save_buffer_size -= save_size;
640 png_ptr->save_buffer_ptr += save_size;
641 }
642 if (length && png_ptr->current_buffer_size)
643 {
644 png_size_t save_size;
645
646 if (length < png_ptr->current_buffer_size)
647 save_size = length;
648
649 else
650 save_size = png_ptr->current_buffer_size;
651
652 memcpy(ptr, png_ptr->current_buffer_ptr, save_size);
653 png_ptr->buffer_size -= save_size;
654 png_ptr->current_buffer_size -= save_size;
655 png_ptr->current_buffer_ptr += save_size;
656 }
657 }
658
659 void /* PRIVATE */
png_push_save_buffer(png_structrp png_ptr)660 png_push_save_buffer(png_structrp png_ptr)
661 {
662 if (png_ptr->save_buffer_size)
663 {
664 if (png_ptr->save_buffer_ptr != png_ptr->save_buffer)
665 {
666 png_size_t i, istop;
667 png_bytep sp;
668 png_bytep dp;
669
670 istop = png_ptr->save_buffer_size;
671 for (i = 0, sp = png_ptr->save_buffer_ptr, dp = png_ptr->save_buffer;
672 i < istop; i++, sp++, dp++)
673 {
674 *dp = *sp;
675 }
676 }
677 }
678 if (png_ptr->save_buffer_size + png_ptr->current_buffer_size >
679 png_ptr->save_buffer_max)
680 {
681 png_size_t new_max;
682 png_bytep old_buffer;
683
684 if (png_ptr->save_buffer_size > PNG_SIZE_MAX -
685 (png_ptr->current_buffer_size + 256))
686 {
687 png_error(png_ptr, "Potential overflow of save_buffer");
688 }
689
690 new_max = png_ptr->save_buffer_size + png_ptr->current_buffer_size + 256;
691 old_buffer = png_ptr->save_buffer;
692 png_ptr->save_buffer = (png_bytep)png_malloc_warn(png_ptr,
693 (png_size_t)new_max);
694
695 if (png_ptr->save_buffer == NULL)
696 {
697 png_free(png_ptr, old_buffer);
698 png_error(png_ptr, "Insufficient memory for save_buffer");
699 }
700
701 memcpy(png_ptr->save_buffer, old_buffer, png_ptr->save_buffer_size);
702 png_free(png_ptr, old_buffer);
703 png_ptr->save_buffer_max = new_max;
704 }
705 if (png_ptr->current_buffer_size)
706 {
707 memcpy(png_ptr->save_buffer + png_ptr->save_buffer_size,
708 png_ptr->current_buffer_ptr, png_ptr->current_buffer_size);
709 png_ptr->save_buffer_size += png_ptr->current_buffer_size;
710 png_ptr->current_buffer_size = 0;
711 }
712 png_ptr->save_buffer_ptr = png_ptr->save_buffer;
713 png_ptr->buffer_size = 0;
714 }
715
716 void /* PRIVATE */
png_push_restore_buffer(png_structrp png_ptr,png_bytep buffer,png_size_t buffer_length)717 png_push_restore_buffer(png_structrp png_ptr, png_bytep buffer,
718 png_size_t buffer_length)
719 {
720 png_ptr->current_buffer = buffer;
721 png_ptr->current_buffer_size = buffer_length;
722 png_ptr->buffer_size = buffer_length + png_ptr->save_buffer_size;
723 png_ptr->current_buffer_ptr = png_ptr->current_buffer;
724 }
725
726 void /* PRIVATE */
png_push_read_IDAT(png_structrp png_ptr)727 png_push_read_IDAT(png_structrp png_ptr)
728 {
729 if (!(png_ptr->mode & PNG_HAVE_CHUNK_HEADER))
730 {
731 png_byte chunk_length[4];
732 png_byte chunk_tag[4];
733
734 /* TODO: this code can be commoned up with the same code in push_read */
735 if (png_ptr->buffer_size < 8)
736 {
737 png_push_save_buffer(png_ptr);
738 return;
739 }
740
741 png_push_fill_buffer(png_ptr, chunk_length, 4);
742 png_ptr->push_length = png_get_uint_31(png_ptr, chunk_length);
743 png_reset_crc(png_ptr);
744 png_crc_read(png_ptr, chunk_tag, 4);
745 png_ptr->chunk_name = PNG_CHUNK_FROM_STRING(chunk_tag);
746 png_ptr->mode |= PNG_HAVE_CHUNK_HEADER;
747
748 if (png_ptr->chunk_name != png_IDAT)
749 {
750 png_ptr->process_mode = PNG_READ_CHUNK_MODE;
751
752 if (!(png_ptr->flags & PNG_FLAG_ZSTREAM_ENDED))
753 png_error(png_ptr, "Not enough compressed data");
754
755 return;
756 }
757
758 png_ptr->idat_size = png_ptr->push_length;
759 }
760
761 if (png_ptr->idat_size && png_ptr->save_buffer_size)
762 {
763 png_size_t save_size = png_ptr->save_buffer_size;
764 png_uint_32 idat_size = png_ptr->idat_size;
765
766 /* We want the smaller of 'idat_size' and 'current_buffer_size', but they
767 * are of different types and we don't know which variable has the fewest
768 * bits. Carefully select the smaller and cast it to the type of the
769 * larger - this cannot overflow. Do not cast in the following test - it
770 * will break on either 16 or 64 bit platforms.
771 */
772 if (idat_size < save_size)
773 save_size = (png_size_t)idat_size;
774
775 else
776 idat_size = (png_uint_32)save_size;
777
778 png_calculate_crc(png_ptr, png_ptr->save_buffer_ptr, save_size);
779
780 png_process_IDAT_data(png_ptr, png_ptr->save_buffer_ptr, save_size);
781
782 png_ptr->idat_size -= idat_size;
783 png_ptr->buffer_size -= save_size;
784 png_ptr->save_buffer_size -= save_size;
785 png_ptr->save_buffer_ptr += save_size;
786 }
787
788 if (png_ptr->idat_size && png_ptr->current_buffer_size)
789 {
790 png_size_t save_size = png_ptr->current_buffer_size;
791 png_uint_32 idat_size = png_ptr->idat_size;
792
793 /* We want the smaller of 'idat_size' and 'current_buffer_size', but they
794 * are of different types and we don't know which variable has the fewest
795 * bits. Carefully select the smaller and cast it to the type of the
796 * larger - this cannot overflow.
797 */
798 if (idat_size < save_size)
799 save_size = (png_size_t)idat_size;
800
801 else
802 idat_size = (png_uint_32)save_size;
803
804 png_calculate_crc(png_ptr, png_ptr->current_buffer_ptr, save_size);
805
806 png_process_IDAT_data(png_ptr, png_ptr->current_buffer_ptr, save_size);
807
808 png_ptr->idat_size -= idat_size;
809 png_ptr->buffer_size -= save_size;
810 png_ptr->current_buffer_size -= save_size;
811 png_ptr->current_buffer_ptr += save_size;
812 }
813 if (!png_ptr->idat_size)
814 {
815 if (png_ptr->buffer_size < 4)
816 {
817 png_push_save_buffer(png_ptr);
818 return;
819 }
820
821 png_crc_finish(png_ptr, 0);
822 png_ptr->mode &= ~PNG_HAVE_CHUNK_HEADER;
823 png_ptr->mode |= PNG_AFTER_IDAT;
824 png_ptr->zowner = 0;
825 }
826 }
827
828 void /* PRIVATE */
png_process_IDAT_data(png_structrp png_ptr,png_bytep buffer,png_size_t buffer_length)829 png_process_IDAT_data(png_structrp png_ptr, png_bytep buffer,
830 png_size_t buffer_length)
831 {
832 /* The caller checks for a non-zero buffer length. */
833 if (!(buffer_length > 0) || buffer == NULL)
834 png_error(png_ptr, "No IDAT data (internal error)");
835
836 /* This routine must process all the data it has been given
837 * before returning, calling the row callback as required to
838 * handle the uncompressed results.
839 */
840 png_ptr->zstream.next_in = buffer;
841 /* TODO: WARNING: TRUNCATION ERROR: DANGER WILL ROBINSON: */
842 png_ptr->zstream.avail_in = (uInt)buffer_length;
843
844 /* Keep going until the decompressed data is all processed
845 * or the stream marked as finished.
846 */
847 while (png_ptr->zstream.avail_in > 0 &&
848 !(png_ptr->flags & PNG_FLAG_ZSTREAM_ENDED))
849 {
850 int ret;
851
852 /* We have data for zlib, but we must check that zlib
853 * has someplace to put the results. It doesn't matter
854 * if we don't expect any results -- it may be the input
855 * data is just the LZ end code.
856 */
857 if (!(png_ptr->zstream.avail_out > 0))
858 {
859 /* TODO: WARNING: TRUNCATION ERROR: DANGER WILL ROBINSON: */
860 png_ptr->zstream.avail_out = (uInt)(PNG_ROWBYTES(png_ptr->pixel_depth,
861 png_ptr->iwidth) + 1);
862
863 png_ptr->zstream.next_out = png_ptr->row_buf;
864 }
865
866 /* Using Z_SYNC_FLUSH here means that an unterminated
867 * LZ stream (a stream with a missing end code) can still
868 * be handled, otherwise (Z_NO_FLUSH) a future zlib
869 * implementation might defer output and therefore
870 * change the current behavior (see comments in inflate.c
871 * for why this doesn't happen at present with zlib 1.2.5).
872 */
873 ret = inflate(&png_ptr->zstream, Z_SYNC_FLUSH);
874
875 /* Check for any failure before proceeding. */
876 if (ret != Z_OK && ret != Z_STREAM_END)
877 {
878 /* Terminate the decompression. */
879 png_ptr->flags |= PNG_FLAG_ZSTREAM_ENDED;
880 png_ptr->zowner = 0;
881
882 /* This may be a truncated stream (missing or
883 * damaged end code). Treat that as a warning.
884 */
885 if (png_ptr->row_number >= png_ptr->num_rows ||
886 png_ptr->pass > 6)
887 png_warning(png_ptr, "Truncated compressed data in IDAT");
888
889 else
890 png_error(png_ptr, "Decompression error in IDAT");
891
892 /* Skip the check on unprocessed input */
893 return;
894 }
895
896 /* Did inflate output any data? */
897 if (png_ptr->zstream.next_out != png_ptr->row_buf)
898 {
899 /* Is this unexpected data after the last row?
900 * If it is, artificially terminate the LZ output
901 * here.
902 */
903 if (png_ptr->row_number >= png_ptr->num_rows ||
904 png_ptr->pass > 6)
905 {
906 /* Extra data. */
907 png_warning(png_ptr, "Extra compressed data in IDAT");
908 png_ptr->flags |= PNG_FLAG_ZSTREAM_ENDED;
909 png_ptr->zowner = 0;
910
911 /* Do no more processing; skip the unprocessed
912 * input check below.
913 */
914 return;
915 }
916
917 /* Do we have a complete row? */
918 if (png_ptr->zstream.avail_out == 0)
919 png_push_process_row(png_ptr);
920 }
921
922 /* And check for the end of the stream. */
923 if (ret == Z_STREAM_END)
924 png_ptr->flags |= PNG_FLAG_ZSTREAM_ENDED;
925 }
926
927 /* All the data should have been processed, if anything
928 * is left at this point we have bytes of IDAT data
929 * after the zlib end code.
930 */
931 if (png_ptr->zstream.avail_in > 0)
932 png_warning(png_ptr, "Extra compression data in IDAT");
933 }
934
935 void /* PRIVATE */
png_push_process_row(png_structrp png_ptr)936 png_push_process_row(png_structrp png_ptr)
937 {
938 /* 1.5.6: row_info moved out of png_struct to a local here. */
939 png_row_info row_info;
940
941 row_info.width = png_ptr->iwidth; /* NOTE: width of current interlaced row */
942 row_info.color_type = png_ptr->color_type;
943 row_info.bit_depth = png_ptr->bit_depth;
944 row_info.channels = png_ptr->channels;
945 row_info.pixel_depth = png_ptr->pixel_depth;
946 row_info.rowbytes = PNG_ROWBYTES(row_info.pixel_depth, row_info.width);
947
948 if (png_ptr->row_buf[0] > PNG_FILTER_VALUE_NONE)
949 {
950 if (png_ptr->row_buf[0] < PNG_FILTER_VALUE_LAST)
951 png_read_filter_row(png_ptr, &row_info, png_ptr->row_buf + 1,
952 png_ptr->prev_row + 1, png_ptr->row_buf[0]);
953 else
954 png_error(png_ptr, "bad adaptive filter value");
955 }
956
957 /* libpng 1.5.6: the following line was copying png_ptr->rowbytes before
958 * 1.5.6, while the buffer really is this big in current versions of libpng
959 * it may not be in the future, so this was changed just to copy the
960 * interlaced row count:
961 */
962 memcpy(png_ptr->prev_row, png_ptr->row_buf, row_info.rowbytes + 1);
963
964 #ifdef PNG_READ_TRANSFORMS_SUPPORTED
965 if (png_ptr->transformations)
966 png_do_read_transformations(png_ptr, &row_info);
967 #endif
968
969 /* The transformed pixel depth should match the depth now in row_info. */
970 if (png_ptr->transformed_pixel_depth == 0)
971 {
972 png_ptr->transformed_pixel_depth = row_info.pixel_depth;
973 if (row_info.pixel_depth > png_ptr->maximum_pixel_depth)
974 png_error(png_ptr, "progressive row overflow");
975 }
976
977 else if (png_ptr->transformed_pixel_depth != row_info.pixel_depth)
978 png_error(png_ptr, "internal progressive row size calculation error");
979
980
981 #ifdef PNG_READ_INTERLACING_SUPPORTED
982 /* Blow up interlaced rows to full size */
983 if (png_ptr->interlaced && (png_ptr->transformations & PNG_INTERLACE))
984 {
985 if (png_ptr->pass < 6)
986 png_do_read_interlace(&row_info, png_ptr->row_buf + 1, png_ptr->pass,
987 png_ptr->transformations);
988
989 switch (png_ptr->pass)
990 {
991 case 0:
992 {
993 int i;
994 for (i = 0; i < 8 && png_ptr->pass == 0; i++)
995 {
996 png_push_have_row(png_ptr, png_ptr->row_buf + 1);
997 png_read_push_finish_row(png_ptr); /* Updates png_ptr->pass */
998 }
999
1000 if (png_ptr->pass == 2) /* Pass 1 might be empty */
1001 {
1002 for (i = 0; i < 4 && png_ptr->pass == 2; i++)
1003 {
1004 png_push_have_row(png_ptr, NULL);
1005 png_read_push_finish_row(png_ptr);
1006 }
1007 }
1008
1009 if (png_ptr->pass == 4 && png_ptr->height <= 4)
1010 {
1011 for (i = 0; i < 2 && png_ptr->pass == 4; i++)
1012 {
1013 png_push_have_row(png_ptr, NULL);
1014 png_read_push_finish_row(png_ptr);
1015 }
1016 }
1017
1018 if (png_ptr->pass == 6 && png_ptr->height <= 4)
1019 {
1020 png_push_have_row(png_ptr, NULL);
1021 png_read_push_finish_row(png_ptr);
1022 }
1023
1024 break;
1025 }
1026
1027 case 1:
1028 {
1029 int i;
1030 for (i = 0; i < 8 && png_ptr->pass == 1; i++)
1031 {
1032 png_push_have_row(png_ptr, png_ptr->row_buf + 1);
1033 png_read_push_finish_row(png_ptr);
1034 }
1035
1036 if (png_ptr->pass == 2) /* Skip top 4 generated rows */
1037 {
1038 for (i = 0; i < 4 && png_ptr->pass == 2; i++)
1039 {
1040 png_push_have_row(png_ptr, NULL);
1041 png_read_push_finish_row(png_ptr);
1042 }
1043 }
1044
1045 break;
1046 }
1047
1048 case 2:
1049 {
1050 int i;
1051
1052 for (i = 0; i < 4 && png_ptr->pass == 2; i++)
1053 {
1054 png_push_have_row(png_ptr, png_ptr->row_buf + 1);
1055 png_read_push_finish_row(png_ptr);
1056 }
1057
1058 for (i = 0; i < 4 && png_ptr->pass == 2; i++)
1059 {
1060 png_push_have_row(png_ptr, NULL);
1061 png_read_push_finish_row(png_ptr);
1062 }
1063
1064 if (png_ptr->pass == 4) /* Pass 3 might be empty */
1065 {
1066 for (i = 0; i < 2 && png_ptr->pass == 4; i++)
1067 {
1068 png_push_have_row(png_ptr, NULL);
1069 png_read_push_finish_row(png_ptr);
1070 }
1071 }
1072
1073 break;
1074 }
1075
1076 case 3:
1077 {
1078 int i;
1079
1080 for (i = 0; i < 4 && png_ptr->pass == 3; i++)
1081 {
1082 png_push_have_row(png_ptr, png_ptr->row_buf + 1);
1083 png_read_push_finish_row(png_ptr);
1084 }
1085
1086 if (png_ptr->pass == 4) /* Skip top two generated rows */
1087 {
1088 for (i = 0; i < 2 && png_ptr->pass == 4; i++)
1089 {
1090 png_push_have_row(png_ptr, NULL);
1091 png_read_push_finish_row(png_ptr);
1092 }
1093 }
1094
1095 break;
1096 }
1097
1098 case 4:
1099 {
1100 int i;
1101
1102 for (i = 0; i < 2 && png_ptr->pass == 4; i++)
1103 {
1104 png_push_have_row(png_ptr, png_ptr->row_buf + 1);
1105 png_read_push_finish_row(png_ptr);
1106 }
1107
1108 for (i = 0; i < 2 && png_ptr->pass == 4; i++)
1109 {
1110 png_push_have_row(png_ptr, NULL);
1111 png_read_push_finish_row(png_ptr);
1112 }
1113
1114 if (png_ptr->pass == 6) /* Pass 5 might be empty */
1115 {
1116 png_push_have_row(png_ptr, NULL);
1117 png_read_push_finish_row(png_ptr);
1118 }
1119
1120 break;
1121 }
1122
1123 case 5:
1124 {
1125 int i;
1126
1127 for (i = 0; i < 2 && png_ptr->pass == 5; i++)
1128 {
1129 png_push_have_row(png_ptr, png_ptr->row_buf + 1);
1130 png_read_push_finish_row(png_ptr);
1131 }
1132
1133 if (png_ptr->pass == 6) /* Skip top generated row */
1134 {
1135 png_push_have_row(png_ptr, NULL);
1136 png_read_push_finish_row(png_ptr);
1137 }
1138
1139 break;
1140 }
1141
1142 default:
1143 case 6:
1144 {
1145 png_push_have_row(png_ptr, png_ptr->row_buf + 1);
1146 png_read_push_finish_row(png_ptr);
1147
1148 if (png_ptr->pass != 6)
1149 break;
1150
1151 png_push_have_row(png_ptr, NULL);
1152 png_read_push_finish_row(png_ptr);
1153 }
1154 }
1155 }
1156 else
1157 #endif
1158 {
1159 png_push_have_row(png_ptr, png_ptr->row_buf + 1);
1160 png_read_push_finish_row(png_ptr);
1161 }
1162 }
1163
1164 void /* PRIVATE */
png_read_push_finish_row(png_structrp png_ptr)1165 png_read_push_finish_row(png_structrp png_ptr)
1166 {
1167 #ifdef PNG_READ_INTERLACING_SUPPORTED
1168 /* Arrays to facilitate easy interlacing - use pass (0 - 6) as index */
1169
1170 /* Start of interlace block */
1171 static PNG_CONST png_byte png_pass_start[] = {0, 4, 0, 2, 0, 1, 0};
1172
1173 /* Offset to next interlace block */
1174 static PNG_CONST png_byte png_pass_inc[] = {8, 8, 4, 4, 2, 2, 1};
1175
1176 /* Start of interlace block in the y direction */
1177 static PNG_CONST png_byte png_pass_ystart[] = {0, 0, 4, 0, 2, 0, 1};
1178
1179 /* Offset to next interlace block in the y direction */
1180 static PNG_CONST png_byte png_pass_yinc[] = {8, 8, 8, 4, 4, 2, 2};
1181
1182 /* Height of interlace block. This is not currently used - if you need
1183 * it, uncomment it here and in png.h
1184 static PNG_CONST png_byte png_pass_height[] = {8, 8, 4, 4, 2, 2, 1};
1185 */
1186 #endif
1187
1188 png_ptr->row_number++;
1189 if (png_ptr->row_number < png_ptr->num_rows)
1190 return;
1191
1192 #ifdef PNG_READ_INTERLACING_SUPPORTED
1193 if (png_ptr->interlaced)
1194 {
1195 png_ptr->row_number = 0;
1196 memset(png_ptr->prev_row, 0, png_ptr->rowbytes + 1);
1197
1198 do
1199 {
1200 png_ptr->pass++;
1201 if ((png_ptr->pass == 1 && png_ptr->width < 5) ||
1202 (png_ptr->pass == 3 && png_ptr->width < 3) ||
1203 (png_ptr->pass == 5 && png_ptr->width < 2))
1204 png_ptr->pass++;
1205
1206 if (png_ptr->pass > 7)
1207 png_ptr->pass--;
1208
1209 if (png_ptr->pass >= 7)
1210 break;
1211
1212 png_ptr->iwidth = (png_ptr->width +
1213 png_pass_inc[png_ptr->pass] - 1 -
1214 png_pass_start[png_ptr->pass]) /
1215 png_pass_inc[png_ptr->pass];
1216
1217 if (png_ptr->transformations & PNG_INTERLACE)
1218 break;
1219
1220 png_ptr->num_rows = (png_ptr->height +
1221 png_pass_yinc[png_ptr->pass] - 1 -
1222 png_pass_ystart[png_ptr->pass]) /
1223 png_pass_yinc[png_ptr->pass];
1224
1225 } while (png_ptr->iwidth == 0 || png_ptr->num_rows == 0);
1226 }
1227 #endif /* PNG_READ_INTERLACING_SUPPORTED */
1228 }
1229
1230 void /* PRIVATE */
png_push_have_info(png_structrp png_ptr,png_inforp info_ptr)1231 png_push_have_info(png_structrp png_ptr, png_inforp info_ptr)
1232 {
1233 if (png_ptr->info_fn != NULL)
1234 (*(png_ptr->info_fn))(png_ptr, info_ptr);
1235 }
1236
1237 void /* PRIVATE */
png_push_have_end(png_structrp png_ptr,png_inforp info_ptr)1238 png_push_have_end(png_structrp png_ptr, png_inforp info_ptr)
1239 {
1240 if (png_ptr->end_fn != NULL)
1241 (*(png_ptr->end_fn))(png_ptr, info_ptr);
1242 }
1243
1244 void /* PRIVATE */
png_push_have_row(png_structrp png_ptr,png_bytep row)1245 png_push_have_row(png_structrp png_ptr, png_bytep row)
1246 {
1247 if (png_ptr->row_fn != NULL)
1248 (*(png_ptr->row_fn))(png_ptr, row, png_ptr->row_number,
1249 (int)png_ptr->pass);
1250 }
1251
1252 #ifdef PNG_READ_INTERLACING_SUPPORTED
1253 void PNGAPI
png_progressive_combine_row(png_const_structrp png_ptr,png_bytep old_row,png_const_bytep new_row)1254 png_progressive_combine_row(png_const_structrp png_ptr, png_bytep old_row,
1255 png_const_bytep new_row)
1256 {
1257 if (png_ptr == NULL)
1258 return;
1259
1260 /* new_row is a flag here - if it is NULL then the app callback was called
1261 * from an empty row (see the calls to png_struct::row_fn below), otherwise
1262 * it must be png_ptr->row_buf+1
1263 */
1264 if (new_row != NULL)
1265 png_combine_row(png_ptr, old_row, 1/*display*/);
1266 }
1267 #endif /* PNG_READ_INTERLACING_SUPPORTED */
1268
1269 void PNGAPI
png_set_progressive_read_fn(png_structrp png_ptr,png_voidp progressive_ptr,png_progressive_info_ptr info_fn,png_progressive_row_ptr row_fn,png_progressive_end_ptr end_fn)1270 png_set_progressive_read_fn(png_structrp png_ptr, png_voidp progressive_ptr,
1271 png_progressive_info_ptr info_fn, png_progressive_row_ptr row_fn,
1272 png_progressive_end_ptr end_fn)
1273 {
1274 if (png_ptr == NULL)
1275 return;
1276
1277 png_ptr->info_fn = info_fn;
1278 png_ptr->row_fn = row_fn;
1279 png_ptr->end_fn = end_fn;
1280
1281 png_set_read_fn(png_ptr, progressive_ptr, png_push_fill_buffer);
1282 }
1283
1284 png_voidp PNGAPI
png_get_progressive_ptr(png_const_structrp png_ptr)1285 png_get_progressive_ptr(png_const_structrp png_ptr)
1286 {
1287 if (png_ptr == NULL)
1288 return (NULL);
1289
1290 return png_ptr->io_ptr;
1291 }
1292 #endif /* PNG_PROGRESSIVE_READ_SUPPORTED */
1293