1 
2 /* pngpread.c - read a png file in push mode
3  *
4  * Last changed in libpng 1.6.18 [July 23, 2015]
5  * Copyright (c) 1998-2002,2004,2006-2015 Glenn Randers-Pehrson
6  * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
7  * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
8  *
9  * This code is released under the libpng license.
10  * For conditions of distribution and use, see the disclaimer
11  * and license in png.h
12  */
13 
14 #include "pngpriv.h"
15 
16 #ifdef PNG_PROGRESSIVE_READ_SUPPORTED
17 
18 /* Push model modes */
19 #define PNG_READ_SIG_MODE   0
20 #define PNG_READ_CHUNK_MODE 1
21 #define PNG_READ_IDAT_MODE  2
22 #define PNG_READ_tEXt_MODE  4
23 #define PNG_READ_zTXt_MODE  5
24 #define PNG_READ_DONE_MODE  6
25 #define PNG_READ_iTXt_MODE  7
26 #define PNG_ERROR_MODE      8
27 
28 #define PNG_PUSH_SAVE_BUFFER_IF_FULL \
29 if (png_ptr->push_length + 4 > png_ptr->buffer_size) \
30    { png_push_save_buffer(png_ptr); return; }
31 #define PNG_PUSH_SAVE_BUFFER_IF_LT(N) \
32 if (png_ptr->buffer_size < N) \
33    { png_push_save_buffer(png_ptr); return; }
34 
35 void PNGAPI
png_process_data(png_structrp png_ptr,png_inforp info_ptr,png_bytep buffer,png_size_t buffer_size)36 png_process_data(png_structrp png_ptr, png_inforp info_ptr,
37     png_bytep buffer, png_size_t buffer_size)
38 {
39    if (png_ptr == NULL || info_ptr == NULL)
40       return;
41 
42    png_push_restore_buffer(png_ptr, buffer, buffer_size);
43 
44    while (png_ptr->buffer_size)
45    {
46       png_process_some_data(png_ptr, info_ptr);
47    }
48 }
49 
50 png_size_t PNGAPI
png_process_data_pause(png_structrp png_ptr,int save)51 png_process_data_pause(png_structrp png_ptr, int save)
52 {
53    if (png_ptr != NULL)
54    {
55       /* It's easiest for the caller if we do the save; then the caller doesn't
56        * have to supply the same data again:
57        */
58       if (save != 0)
59          png_push_save_buffer(png_ptr);
60       else
61       {
62          /* This includes any pending saved bytes: */
63          png_size_t remaining = png_ptr->buffer_size;
64          png_ptr->buffer_size = 0;
65 
66          /* So subtract the saved buffer size, unless all the data
67           * is actually 'saved', in which case we just return 0
68           */
69          if (png_ptr->save_buffer_size < remaining)
70             return remaining - png_ptr->save_buffer_size;
71       }
72    }
73 
74    return 0;
75 }
76 
77 png_uint_32 PNGAPI
png_process_data_skip(png_structrp png_ptr)78 png_process_data_skip(png_structrp png_ptr)
79 {
80   /* TODO: Deprecate and remove this API.
81    * Somewhere the implementation of this seems to have been lost,
82    * or abandoned.  It was only to support some internal back-door access
83    * to png_struct) in libpng-1.4.x.
84    */
85    png_app_warning(png_ptr,
86 "png_process_data_skip is not implemented in any current version of libpng");
87    return 0;
88 }
89 
90 /* What we do with the incoming data depends on what we were previously
91  * doing before we ran out of data...
92  */
93 void /* PRIVATE */
png_process_some_data(png_structrp png_ptr,png_inforp info_ptr)94 png_process_some_data(png_structrp png_ptr, png_inforp info_ptr)
95 {
96    if (png_ptr == NULL)
97       return;
98 
99    switch (png_ptr->process_mode)
100    {
101       case PNG_READ_SIG_MODE:
102       {
103          png_push_read_sig(png_ptr, info_ptr);
104          break;
105       }
106 
107       case PNG_READ_CHUNK_MODE:
108       {
109          png_push_read_chunk(png_ptr, info_ptr);
110          break;
111       }
112 
113       case PNG_READ_IDAT_MODE:
114       {
115          png_push_read_IDAT(png_ptr);
116          break;
117       }
118 
119       default:
120       {
121          png_ptr->buffer_size = 0;
122          break;
123       }
124    }
125 }
126 
127 /* Read any remaining signature bytes from the stream and compare them with
128  * the correct PNG signature.  It is possible that this routine is called
129  * with bytes already read from the signature, either because they have been
130  * checked by the calling application, or because of multiple calls to this
131  * routine.
132  */
133 void /* PRIVATE */
png_push_read_sig(png_structrp png_ptr,png_inforp info_ptr)134 png_push_read_sig(png_structrp png_ptr, png_inforp info_ptr)
135 {
136    png_size_t num_checked = png_ptr->sig_bytes, /* SAFE, does not exceed 8 */
137        num_to_check = 8 - num_checked;
138 
139    if (png_ptr->buffer_size < num_to_check)
140    {
141       num_to_check = png_ptr->buffer_size;
142    }
143 
144    png_push_fill_buffer(png_ptr, &(info_ptr->signature[num_checked]),
145        num_to_check);
146    png_ptr->sig_bytes = (png_byte)(png_ptr->sig_bytes + num_to_check);
147 
148    if (png_sig_cmp(info_ptr->signature, num_checked, num_to_check))
149    {
150       if (num_checked < 4 &&
151           png_sig_cmp(info_ptr->signature, num_checked, num_to_check - 4))
152          png_error(png_ptr, "Not a PNG file");
153 
154       else
155          png_error(png_ptr, "PNG file corrupted by ASCII conversion");
156    }
157    else
158    {
159       if (png_ptr->sig_bytes >= 8)
160       {
161          png_ptr->process_mode = PNG_READ_CHUNK_MODE;
162       }
163    }
164 }
165 
166 void /* PRIVATE */
png_push_read_chunk(png_structrp png_ptr,png_inforp info_ptr)167 png_push_read_chunk(png_structrp png_ptr, png_inforp info_ptr)
168 {
169    png_uint_32 chunk_name;
170 #ifdef PNG_HANDLE_AS_UNKNOWN_SUPPORTED
171    int keep; /* unknown handling method */
172 #endif
173 
174    /* First we make sure we have enough data for the 4-byte chunk name
175     * and the 4-byte chunk length before proceeding with decoding the
176     * chunk data.  To fully decode each of these chunks, we also make
177     * sure we have enough data in the buffer for the 4-byte CRC at the
178     * end of every chunk (except IDAT, which is handled separately).
179     */
180    if ((png_ptr->mode & PNG_HAVE_CHUNK_HEADER) == 0)
181    {
182       png_byte chunk_length[4];
183       png_byte chunk_tag[4];
184 
185       PNG_PUSH_SAVE_BUFFER_IF_LT(8)
186       png_push_fill_buffer(png_ptr, chunk_length, 4);
187       png_ptr->push_length = png_get_uint_31(png_ptr, chunk_length);
188       png_reset_crc(png_ptr);
189       png_crc_read(png_ptr, chunk_tag, 4);
190       png_ptr->chunk_name = PNG_CHUNK_FROM_STRING(chunk_tag);
191       png_check_chunk_name(png_ptr, png_ptr->chunk_name);
192       png_ptr->mode |= PNG_HAVE_CHUNK_HEADER;
193    }
194 
195    chunk_name = png_ptr->chunk_name;
196 
197    if (chunk_name == png_IDAT)
198    {
199       if ((png_ptr->mode & PNG_AFTER_IDAT) != 0)
200          png_ptr->mode |= PNG_HAVE_CHUNK_AFTER_IDAT;
201 
202       /* If we reach an IDAT chunk, this means we have read all of the
203        * header chunks, and we can start reading the image (or if this
204        * is called after the image has been read - we have an error).
205        */
206       if ((png_ptr->mode & PNG_HAVE_IHDR) == 0)
207          png_error(png_ptr, "Missing IHDR before IDAT");
208 
209       else if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE &&
210           (png_ptr->mode & PNG_HAVE_PLTE) == 0)
211          png_error(png_ptr, "Missing PLTE before IDAT");
212 
213       png_ptr->mode |= PNG_HAVE_IDAT;
214       png_ptr->process_mode = PNG_READ_IDAT_MODE;
215 
216       if ((png_ptr->mode & PNG_HAVE_CHUNK_AFTER_IDAT) == 0)
217          if (png_ptr->push_length == 0)
218             return;
219 
220       if ((png_ptr->mode & PNG_AFTER_IDAT) != 0)
221          png_benign_error(png_ptr, "Too many IDATs found");
222    }
223 
224    if (chunk_name == png_IHDR)
225    {
226       if (png_ptr->push_length != 13)
227          png_error(png_ptr, "Invalid IHDR length");
228 
229       PNG_PUSH_SAVE_BUFFER_IF_FULL
230       png_handle_IHDR(png_ptr, info_ptr, png_ptr->push_length);
231    }
232 
233    else if (chunk_name == png_IEND)
234    {
235       PNG_PUSH_SAVE_BUFFER_IF_FULL
236       png_handle_IEND(png_ptr, info_ptr, png_ptr->push_length);
237 
238       png_ptr->process_mode = PNG_READ_DONE_MODE;
239       png_push_have_end(png_ptr, info_ptr);
240    }
241 
242 #ifdef PNG_HANDLE_AS_UNKNOWN_SUPPORTED
243    else if ((keep = png_chunk_unknown_handling(png_ptr, chunk_name)) != 0)
244    {
245       PNG_PUSH_SAVE_BUFFER_IF_FULL
246       png_handle_unknown(png_ptr, info_ptr, png_ptr->push_length, keep);
247 
248       if (chunk_name == png_PLTE)
249          png_ptr->mode |= PNG_HAVE_PLTE;
250    }
251 #endif
252 
253    else if (chunk_name == png_PLTE)
254    {
255       PNG_PUSH_SAVE_BUFFER_IF_FULL
256       png_handle_PLTE(png_ptr, info_ptr, png_ptr->push_length);
257    }
258 
259    else if (chunk_name == png_IDAT)
260    {
261       png_ptr->idat_size = png_ptr->push_length;
262       png_ptr->process_mode = PNG_READ_IDAT_MODE;
263       png_push_have_info(png_ptr, info_ptr);
264       png_ptr->zstream.avail_out =
265           (uInt) PNG_ROWBYTES(png_ptr->pixel_depth,
266           png_ptr->iwidth) + 1;
267       png_ptr->zstream.next_out = png_ptr->row_buf;
268       return;
269    }
270 
271 #ifdef PNG_READ_gAMA_SUPPORTED
272    else if (png_ptr->chunk_name == png_gAMA)
273    {
274       PNG_PUSH_SAVE_BUFFER_IF_FULL
275       png_handle_gAMA(png_ptr, info_ptr, png_ptr->push_length);
276    }
277 
278 #endif
279 #ifdef PNG_READ_sBIT_SUPPORTED
280    else if (png_ptr->chunk_name == png_sBIT)
281    {
282       PNG_PUSH_SAVE_BUFFER_IF_FULL
283       png_handle_sBIT(png_ptr, info_ptr, png_ptr->push_length);
284    }
285 
286 #endif
287 #ifdef PNG_READ_cHRM_SUPPORTED
288    else if (png_ptr->chunk_name == png_cHRM)
289    {
290       PNG_PUSH_SAVE_BUFFER_IF_FULL
291       png_handle_cHRM(png_ptr, info_ptr, png_ptr->push_length);
292    }
293 
294 #endif
295 #ifdef PNG_READ_sRGB_SUPPORTED
296    else if (chunk_name == png_sRGB)
297    {
298       PNG_PUSH_SAVE_BUFFER_IF_FULL
299       png_handle_sRGB(png_ptr, info_ptr, png_ptr->push_length);
300    }
301 
302 #endif
303 #ifdef PNG_READ_iCCP_SUPPORTED
304    else if (png_ptr->chunk_name == png_iCCP)
305    {
306       PNG_PUSH_SAVE_BUFFER_IF_FULL
307       png_handle_iCCP(png_ptr, info_ptr, png_ptr->push_length);
308    }
309 
310 #endif
311 #ifdef PNG_READ_sPLT_SUPPORTED
312    else if (chunk_name == png_sPLT)
313    {
314       PNG_PUSH_SAVE_BUFFER_IF_FULL
315       png_handle_sPLT(png_ptr, info_ptr, png_ptr->push_length);
316    }
317 
318 #endif
319 #ifdef PNG_READ_tRNS_SUPPORTED
320    else if (chunk_name == png_tRNS)
321    {
322       PNG_PUSH_SAVE_BUFFER_IF_FULL
323       png_handle_tRNS(png_ptr, info_ptr, png_ptr->push_length);
324    }
325 
326 #endif
327 #ifdef PNG_READ_bKGD_SUPPORTED
328    else if (chunk_name == png_bKGD)
329    {
330       PNG_PUSH_SAVE_BUFFER_IF_FULL
331       png_handle_bKGD(png_ptr, info_ptr, png_ptr->push_length);
332    }
333 
334 #endif
335 #ifdef PNG_READ_hIST_SUPPORTED
336    else if (chunk_name == png_hIST)
337    {
338       PNG_PUSH_SAVE_BUFFER_IF_FULL
339       png_handle_hIST(png_ptr, info_ptr, png_ptr->push_length);
340    }
341 
342 #endif
343 #ifdef PNG_READ_pHYs_SUPPORTED
344    else if (chunk_name == png_pHYs)
345    {
346       PNG_PUSH_SAVE_BUFFER_IF_FULL
347       png_handle_pHYs(png_ptr, info_ptr, png_ptr->push_length);
348    }
349 
350 #endif
351 #ifdef PNG_READ_oFFs_SUPPORTED
352    else if (chunk_name == png_oFFs)
353    {
354       PNG_PUSH_SAVE_BUFFER_IF_FULL
355       png_handle_oFFs(png_ptr, info_ptr, png_ptr->push_length);
356    }
357 #endif
358 
359 #ifdef PNG_READ_pCAL_SUPPORTED
360    else if (chunk_name == png_pCAL)
361    {
362       PNG_PUSH_SAVE_BUFFER_IF_FULL
363       png_handle_pCAL(png_ptr, info_ptr, png_ptr->push_length);
364    }
365 
366 #endif
367 #ifdef PNG_READ_sCAL_SUPPORTED
368    else if (chunk_name == png_sCAL)
369    {
370       PNG_PUSH_SAVE_BUFFER_IF_FULL
371       png_handle_sCAL(png_ptr, info_ptr, png_ptr->push_length);
372    }
373 
374 #endif
375 #ifdef PNG_READ_tIME_SUPPORTED
376    else if (chunk_name == png_tIME)
377    {
378       PNG_PUSH_SAVE_BUFFER_IF_FULL
379       png_handle_tIME(png_ptr, info_ptr, png_ptr->push_length);
380    }
381 
382 #endif
383 #ifdef PNG_READ_tEXt_SUPPORTED
384    else if (chunk_name == png_tEXt)
385    {
386       PNG_PUSH_SAVE_BUFFER_IF_FULL
387       png_handle_tEXt(png_ptr, info_ptr, png_ptr->push_length);
388    }
389 
390 #endif
391 #ifdef PNG_READ_zTXt_SUPPORTED
392    else if (chunk_name == png_zTXt)
393    {
394       PNG_PUSH_SAVE_BUFFER_IF_FULL
395       png_handle_zTXt(png_ptr, info_ptr, png_ptr->push_length);
396    }
397 
398 #endif
399 #ifdef PNG_READ_iTXt_SUPPORTED
400    else if (chunk_name == png_iTXt)
401    {
402       PNG_PUSH_SAVE_BUFFER_IF_FULL
403       png_handle_iTXt(png_ptr, info_ptr, png_ptr->push_length);
404    }
405 #endif
406 
407    else
408    {
409       PNG_PUSH_SAVE_BUFFER_IF_FULL
410       png_handle_unknown(png_ptr, info_ptr, png_ptr->push_length,
411          PNG_HANDLE_CHUNK_AS_DEFAULT);
412    }
413 
414    png_ptr->mode &= ~PNG_HAVE_CHUNK_HEADER;
415 }
416 
417 void PNGCBAPI
png_push_fill_buffer(png_structp png_ptr,png_bytep buffer,png_size_t length)418 png_push_fill_buffer(png_structp png_ptr, png_bytep buffer, png_size_t length)
419 {
420    png_bytep ptr;
421 
422    if (png_ptr == NULL)
423       return;
424 
425    ptr = buffer;
426    if (png_ptr->save_buffer_size != 0)
427    {
428       png_size_t save_size;
429 
430       if (length < png_ptr->save_buffer_size)
431          save_size = length;
432 
433       else
434          save_size = png_ptr->save_buffer_size;
435 
436       memcpy(ptr, png_ptr->save_buffer_ptr, save_size);
437       length -= save_size;
438       ptr += save_size;
439       png_ptr->buffer_size -= save_size;
440       png_ptr->save_buffer_size -= save_size;
441       png_ptr->save_buffer_ptr += save_size;
442    }
443    if (length != 0 && png_ptr->current_buffer_size != 0)
444    {
445       png_size_t save_size;
446 
447       if (length < png_ptr->current_buffer_size)
448          save_size = length;
449 
450       else
451          save_size = png_ptr->current_buffer_size;
452 
453       memcpy(ptr, png_ptr->current_buffer_ptr, save_size);
454       png_ptr->buffer_size -= save_size;
455       png_ptr->current_buffer_size -= save_size;
456       png_ptr->current_buffer_ptr += save_size;
457    }
458 }
459 
460 void /* PRIVATE */
png_push_save_buffer(png_structrp png_ptr)461 png_push_save_buffer(png_structrp png_ptr)
462 {
463    if (png_ptr->save_buffer_size != 0)
464    {
465       if (png_ptr->save_buffer_ptr != png_ptr->save_buffer)
466       {
467          png_size_t i, istop;
468          png_bytep sp;
469          png_bytep dp;
470 
471          istop = png_ptr->save_buffer_size;
472          for (i = 0, sp = png_ptr->save_buffer_ptr, dp = png_ptr->save_buffer;
473              i < istop; i++, sp++, dp++)
474          {
475             *dp = *sp;
476          }
477       }
478    }
479    if (png_ptr->save_buffer_size + png_ptr->current_buffer_size >
480        png_ptr->save_buffer_max)
481    {
482       png_size_t new_max;
483       png_bytep old_buffer;
484 
485       if (png_ptr->save_buffer_size > PNG_SIZE_MAX -
486           (png_ptr->current_buffer_size + 256))
487       {
488          png_error(png_ptr, "Potential overflow of save_buffer");
489       }
490 
491       new_max = png_ptr->save_buffer_size + png_ptr->current_buffer_size + 256;
492       old_buffer = png_ptr->save_buffer;
493       png_ptr->save_buffer = (png_bytep)png_malloc_warn(png_ptr,
494           (png_size_t)new_max);
495 
496       if (png_ptr->save_buffer == NULL)
497       {
498          png_free(png_ptr, old_buffer);
499          png_error(png_ptr, "Insufficient memory for save_buffer");
500       }
501 
502       memcpy(png_ptr->save_buffer, old_buffer, png_ptr->save_buffer_size);
503       png_free(png_ptr, old_buffer);
504       png_ptr->save_buffer_max = new_max;
505    }
506    if (png_ptr->current_buffer_size)
507    {
508       memcpy(png_ptr->save_buffer + png_ptr->save_buffer_size,
509          png_ptr->current_buffer_ptr, png_ptr->current_buffer_size);
510       png_ptr->save_buffer_size += png_ptr->current_buffer_size;
511       png_ptr->current_buffer_size = 0;
512    }
513    png_ptr->save_buffer_ptr = png_ptr->save_buffer;
514    png_ptr->buffer_size = 0;
515 }
516 
517 void /* PRIVATE */
png_push_restore_buffer(png_structrp png_ptr,png_bytep buffer,png_size_t buffer_length)518 png_push_restore_buffer(png_structrp png_ptr, png_bytep buffer,
519    png_size_t buffer_length)
520 {
521    png_ptr->current_buffer = buffer;
522    png_ptr->current_buffer_size = buffer_length;
523    png_ptr->buffer_size = buffer_length + png_ptr->save_buffer_size;
524    png_ptr->current_buffer_ptr = png_ptr->current_buffer;
525 }
526 
527 void /* PRIVATE */
png_push_read_IDAT(png_structrp png_ptr)528 png_push_read_IDAT(png_structrp png_ptr)
529 {
530    if ((png_ptr->mode & PNG_HAVE_CHUNK_HEADER) == 0)
531    {
532       png_byte chunk_length[4];
533       png_byte chunk_tag[4];
534 
535       /* TODO: this code can be commoned up with the same code in push_read */
536       PNG_PUSH_SAVE_BUFFER_IF_LT(8)
537       png_push_fill_buffer(png_ptr, chunk_length, 4);
538       png_ptr->push_length = png_get_uint_31(png_ptr, chunk_length);
539       png_reset_crc(png_ptr);
540       png_crc_read(png_ptr, chunk_tag, 4);
541       png_ptr->chunk_name = PNG_CHUNK_FROM_STRING(chunk_tag);
542       png_ptr->mode |= PNG_HAVE_CHUNK_HEADER;
543 
544       if (png_ptr->chunk_name != png_IDAT)
545       {
546          png_ptr->process_mode = PNG_READ_CHUNK_MODE;
547 
548          if ((png_ptr->flags & PNG_FLAG_ZSTREAM_ENDED) == 0)
549             png_error(png_ptr, "Not enough compressed data");
550 
551          return;
552       }
553 
554       png_ptr->idat_size = png_ptr->push_length;
555    }
556 
557    if (png_ptr->idat_size != 0 && png_ptr->save_buffer_size != 0)
558    {
559       png_size_t save_size = png_ptr->save_buffer_size;
560       png_uint_32 idat_size = png_ptr->idat_size;
561 
562       /* We want the smaller of 'idat_size' and 'current_buffer_size', but they
563        * are of different types and we don't know which variable has the fewest
564        * bits.  Carefully select the smaller and cast it to the type of the
565        * larger - this cannot overflow.  Do not cast in the following test - it
566        * will break on either 16-bit or 64-bit platforms.
567        */
568       if (idat_size < save_size)
569          save_size = (png_size_t)idat_size;
570 
571       else
572          idat_size = (png_uint_32)save_size;
573 
574       png_calculate_crc(png_ptr, png_ptr->save_buffer_ptr, save_size);
575 
576       png_process_IDAT_data(png_ptr, png_ptr->save_buffer_ptr, save_size);
577 
578       png_ptr->idat_size -= idat_size;
579       png_ptr->buffer_size -= save_size;
580       png_ptr->save_buffer_size -= save_size;
581       png_ptr->save_buffer_ptr += save_size;
582    }
583 
584    if (png_ptr->idat_size != 0 && png_ptr->current_buffer_size != 0)
585    {
586       png_size_t save_size = png_ptr->current_buffer_size;
587       png_uint_32 idat_size = png_ptr->idat_size;
588 
589       /* We want the smaller of 'idat_size' and 'current_buffer_size', but they
590        * are of different types and we don't know which variable has the fewest
591        * bits.  Carefully select the smaller and cast it to the type of the
592        * larger - this cannot overflow.
593        */
594       if (idat_size < save_size)
595          save_size = (png_size_t)idat_size;
596 
597       else
598          idat_size = (png_uint_32)save_size;
599 
600       png_calculate_crc(png_ptr, png_ptr->current_buffer_ptr, save_size);
601 
602       png_process_IDAT_data(png_ptr, png_ptr->current_buffer_ptr, save_size);
603 
604       png_ptr->idat_size -= idat_size;
605       png_ptr->buffer_size -= save_size;
606       png_ptr->current_buffer_size -= save_size;
607       png_ptr->current_buffer_ptr += save_size;
608    }
609 
610    if (png_ptr->idat_size == 0)
611    {
612       PNG_PUSH_SAVE_BUFFER_IF_LT(4)
613       png_crc_finish(png_ptr, 0);
614       png_ptr->mode &= ~PNG_HAVE_CHUNK_HEADER;
615       png_ptr->mode |= PNG_AFTER_IDAT;
616       png_ptr->zowner = 0;
617    }
618 }
619 
620 void /* PRIVATE */
png_process_IDAT_data(png_structrp png_ptr,png_bytep buffer,png_size_t buffer_length)621 png_process_IDAT_data(png_structrp png_ptr, png_bytep buffer,
622    png_size_t buffer_length)
623 {
624    /* The caller checks for a non-zero buffer length. */
625    if (!(buffer_length > 0) || buffer == NULL)
626       png_error(png_ptr, "No IDAT data (internal error)");
627 
628    /* This routine must process all the data it has been given
629     * before returning, calling the row callback as required to
630     * handle the uncompressed results.
631     */
632    png_ptr->zstream.next_in = buffer;
633    /* TODO: WARNING: TRUNCATION ERROR: DANGER WILL ROBINSON: */
634    png_ptr->zstream.avail_in = (uInt)buffer_length;
635 
636    /* Keep going until the decompressed data is all processed
637     * or the stream marked as finished.
638     */
639    while (png_ptr->zstream.avail_in > 0 &&
640       (png_ptr->flags & PNG_FLAG_ZSTREAM_ENDED) == 0)
641    {
642       int ret;
643 
644       /* We have data for zlib, but we must check that zlib
645        * has someplace to put the results.  It doesn't matter
646        * if we don't expect any results -- it may be the input
647        * data is just the LZ end code.
648        */
649       if (!(png_ptr->zstream.avail_out > 0))
650       {
651          /* TODO: WARNING: TRUNCATION ERROR: DANGER WILL ROBINSON: */
652          png_ptr->zstream.avail_out = (uInt)(PNG_ROWBYTES(png_ptr->pixel_depth,
653              png_ptr->iwidth) + 1);
654 
655          png_ptr->zstream.next_out = png_ptr->row_buf;
656       }
657 
658       /* Using Z_SYNC_FLUSH here means that an unterminated
659        * LZ stream (a stream with a missing end code) can still
660        * be handled, otherwise (Z_NO_FLUSH) a future zlib
661        * implementation might defer output and therefore
662        * change the current behavior (see comments in inflate.c
663        * for why this doesn't happen at present with zlib 1.2.5).
664        */
665       ret = PNG_INFLATE(png_ptr, Z_SYNC_FLUSH);
666 
667       /* Check for any failure before proceeding. */
668       if (ret != Z_OK && ret != Z_STREAM_END)
669       {
670          /* Terminate the decompression. */
671          png_ptr->flags |= PNG_FLAG_ZSTREAM_ENDED;
672          png_ptr->zowner = 0;
673 
674          /* This may be a truncated stream (missing or
675           * damaged end code).  Treat that as a warning.
676           */
677          if (png_ptr->row_number >= png_ptr->num_rows ||
678              png_ptr->pass > 6)
679             png_warning(png_ptr, "Truncated compressed data in IDAT");
680 
681          else
682             png_error(png_ptr, "Decompression error in IDAT");
683 
684          /* Skip the check on unprocessed input */
685          return;
686       }
687 
688       /* Did inflate output any data? */
689       if (png_ptr->zstream.next_out != png_ptr->row_buf)
690       {
691          /* Is this unexpected data after the last row?
692           * If it is, artificially terminate the LZ output
693           * here.
694           */
695          if (png_ptr->row_number >= png_ptr->num_rows ||
696              png_ptr->pass > 6)
697          {
698             /* Extra data. */
699             png_warning(png_ptr, "Extra compressed data in IDAT");
700             png_ptr->flags |= PNG_FLAG_ZSTREAM_ENDED;
701             png_ptr->zowner = 0;
702 
703             /* Do no more processing; skip the unprocessed
704              * input check below.
705              */
706             return;
707          }
708 
709          /* Do we have a complete row? */
710          if (png_ptr->zstream.avail_out == 0)
711             png_push_process_row(png_ptr);
712       }
713 
714       /* And check for the end of the stream. */
715       if (ret == Z_STREAM_END)
716          png_ptr->flags |= PNG_FLAG_ZSTREAM_ENDED;
717    }
718 
719    /* All the data should have been processed, if anything
720     * is left at this point we have bytes of IDAT data
721     * after the zlib end code.
722     */
723    if (png_ptr->zstream.avail_in > 0)
724       png_warning(png_ptr, "Extra compression data in IDAT");
725 }
726 
727 void /* PRIVATE */
png_push_process_row(png_structrp png_ptr)728 png_push_process_row(png_structrp png_ptr)
729 {
730    /* 1.5.6: row_info moved out of png_struct to a local here. */
731    png_row_info row_info;
732 
733    row_info.width = png_ptr->iwidth; /* NOTE: width of current interlaced row */
734    row_info.color_type = png_ptr->color_type;
735    row_info.bit_depth = png_ptr->bit_depth;
736    row_info.channels = png_ptr->channels;
737    row_info.pixel_depth = png_ptr->pixel_depth;
738    row_info.rowbytes = PNG_ROWBYTES(row_info.pixel_depth, row_info.width);
739 
740    if (png_ptr->row_buf[0] > PNG_FILTER_VALUE_NONE)
741    {
742       if (png_ptr->row_buf[0] < PNG_FILTER_VALUE_LAST)
743          png_read_filter_row(png_ptr, &row_info, png_ptr->row_buf + 1,
744             png_ptr->prev_row + 1, png_ptr->row_buf[0]);
745       else
746          png_error(png_ptr, "bad adaptive filter value");
747    }
748 
749    /* libpng 1.5.6: the following line was copying png_ptr->rowbytes before
750     * 1.5.6, while the buffer really is this big in current versions of libpng
751     * it may not be in the future, so this was changed just to copy the
752     * interlaced row count:
753     */
754    memcpy(png_ptr->prev_row, png_ptr->row_buf, row_info.rowbytes + 1);
755 
756 #ifdef PNG_READ_TRANSFORMS_SUPPORTED
757    if (png_ptr->transformations != 0)
758       png_do_read_transformations(png_ptr, &row_info);
759 #endif
760 
761    /* The transformed pixel depth should match the depth now in row_info. */
762    if (png_ptr->transformed_pixel_depth == 0)
763    {
764       png_ptr->transformed_pixel_depth = row_info.pixel_depth;
765       if (row_info.pixel_depth > png_ptr->maximum_pixel_depth)
766          png_error(png_ptr, "progressive row overflow");
767    }
768 
769    else if (png_ptr->transformed_pixel_depth != row_info.pixel_depth)
770       png_error(png_ptr, "internal progressive row size calculation error");
771 
772 
773 #ifdef PNG_READ_INTERLACING_SUPPORTED
774    /* Expand interlaced rows to full size */
775    if (png_ptr->interlaced != 0 &&
776        (png_ptr->transformations & PNG_INTERLACE) != 0)
777    {
778       if (png_ptr->pass < 6)
779          png_do_read_interlace(&row_info, png_ptr->row_buf + 1, png_ptr->pass,
780             png_ptr->transformations);
781 
782       switch (png_ptr->pass)
783       {
784          case 0:
785          {
786             int i;
787             for (i = 0; i < 8 && png_ptr->pass == 0; i++)
788             {
789                png_push_have_row(png_ptr, png_ptr->row_buf + 1);
790                png_read_push_finish_row(png_ptr); /* Updates png_ptr->pass */
791             }
792 
793             if (png_ptr->pass == 2) /* Pass 1 might be empty */
794             {
795                for (i = 0; i < 4 && png_ptr->pass == 2; i++)
796                {
797                   png_push_have_row(png_ptr, NULL);
798                   png_read_push_finish_row(png_ptr);
799                }
800             }
801 
802             if (png_ptr->pass == 4 && png_ptr->height <= 4)
803             {
804                for (i = 0; i < 2 && png_ptr->pass == 4; i++)
805                {
806                   png_push_have_row(png_ptr, NULL);
807                   png_read_push_finish_row(png_ptr);
808                }
809             }
810 
811             if (png_ptr->pass == 6 && png_ptr->height <= 4)
812             {
813                 png_push_have_row(png_ptr, NULL);
814                 png_read_push_finish_row(png_ptr);
815             }
816 
817             break;
818          }
819 
820          case 1:
821          {
822             int i;
823             for (i = 0; i < 8 && png_ptr->pass == 1; i++)
824             {
825                png_push_have_row(png_ptr, png_ptr->row_buf + 1);
826                png_read_push_finish_row(png_ptr);
827             }
828 
829             if (png_ptr->pass == 2) /* Skip top 4 generated rows */
830             {
831                for (i = 0; i < 4 && png_ptr->pass == 2; i++)
832                {
833                   png_push_have_row(png_ptr, NULL);
834                   png_read_push_finish_row(png_ptr);
835                }
836             }
837 
838             break;
839          }
840 
841          case 2:
842          {
843             int i;
844 
845             for (i = 0; i < 4 && png_ptr->pass == 2; i++)
846             {
847                png_push_have_row(png_ptr, png_ptr->row_buf + 1);
848                png_read_push_finish_row(png_ptr);
849             }
850 
851             for (i = 0; i < 4 && png_ptr->pass == 2; i++)
852             {
853                png_push_have_row(png_ptr, NULL);
854                png_read_push_finish_row(png_ptr);
855             }
856 
857             if (png_ptr->pass == 4) /* Pass 3 might be empty */
858             {
859                for (i = 0; i < 2 && png_ptr->pass == 4; i++)
860                {
861                   png_push_have_row(png_ptr, NULL);
862                   png_read_push_finish_row(png_ptr);
863                }
864             }
865 
866             break;
867          }
868 
869          case 3:
870          {
871             int i;
872 
873             for (i = 0; i < 4 && png_ptr->pass == 3; i++)
874             {
875                png_push_have_row(png_ptr, png_ptr->row_buf + 1);
876                png_read_push_finish_row(png_ptr);
877             }
878 
879             if (png_ptr->pass == 4) /* Skip top two generated rows */
880             {
881                for (i = 0; i < 2 && png_ptr->pass == 4; i++)
882                {
883                   png_push_have_row(png_ptr, NULL);
884                   png_read_push_finish_row(png_ptr);
885                }
886             }
887 
888             break;
889          }
890 
891          case 4:
892          {
893             int i;
894 
895             for (i = 0; i < 2 && png_ptr->pass == 4; i++)
896             {
897                png_push_have_row(png_ptr, png_ptr->row_buf + 1);
898                png_read_push_finish_row(png_ptr);
899             }
900 
901             for (i = 0; i < 2 && png_ptr->pass == 4; i++)
902             {
903                png_push_have_row(png_ptr, NULL);
904                png_read_push_finish_row(png_ptr);
905             }
906 
907             if (png_ptr->pass == 6) /* Pass 5 might be empty */
908             {
909                png_push_have_row(png_ptr, NULL);
910                png_read_push_finish_row(png_ptr);
911             }
912 
913             break;
914          }
915 
916          case 5:
917          {
918             int i;
919 
920             for (i = 0; i < 2 && png_ptr->pass == 5; i++)
921             {
922                png_push_have_row(png_ptr, png_ptr->row_buf + 1);
923                png_read_push_finish_row(png_ptr);
924             }
925 
926             if (png_ptr->pass == 6) /* Skip top generated row */
927             {
928                png_push_have_row(png_ptr, NULL);
929                png_read_push_finish_row(png_ptr);
930             }
931 
932             break;
933          }
934 
935          default:
936          case 6:
937          {
938             png_push_have_row(png_ptr, png_ptr->row_buf + 1);
939             png_read_push_finish_row(png_ptr);
940 
941             if (png_ptr->pass != 6)
942                break;
943 
944             png_push_have_row(png_ptr, NULL);
945             png_read_push_finish_row(png_ptr);
946          }
947       }
948    }
949    else
950 #endif
951    {
952       png_push_have_row(png_ptr, png_ptr->row_buf + 1);
953       png_read_push_finish_row(png_ptr);
954    }
955 }
956 
957 void /* PRIVATE */
png_read_push_finish_row(png_structrp png_ptr)958 png_read_push_finish_row(png_structrp png_ptr)
959 {
960 #ifdef PNG_READ_INTERLACING_SUPPORTED
961    /* Arrays to facilitate easy interlacing - use pass (0 - 6) as index */
962 
963    /* Start of interlace block */
964    static PNG_CONST png_byte png_pass_start[] = {0, 4, 0, 2, 0, 1, 0};
965 
966    /* Offset to next interlace block */
967    static PNG_CONST png_byte png_pass_inc[] = {8, 8, 4, 4, 2, 2, 1};
968 
969    /* Start of interlace block in the y direction */
970    static PNG_CONST png_byte png_pass_ystart[] = {0, 0, 4, 0, 2, 0, 1};
971 
972    /* Offset to next interlace block in the y direction */
973    static PNG_CONST png_byte png_pass_yinc[] = {8, 8, 8, 4, 4, 2, 2};
974 
975    /* Height of interlace block.  This is not currently used - if you need
976     * it, uncomment it here and in png.h
977    static PNG_CONST png_byte png_pass_height[] = {8, 8, 4, 4, 2, 2, 1};
978    */
979 #endif
980 
981    png_ptr->row_number++;
982    if (png_ptr->row_number < png_ptr->num_rows)
983       return;
984 
985 #ifdef PNG_READ_INTERLACING_SUPPORTED
986    if (png_ptr->interlaced != 0)
987    {
988       png_ptr->row_number = 0;
989       memset(png_ptr->prev_row, 0, png_ptr->rowbytes + 1);
990 
991       do
992       {
993          png_ptr->pass++;
994          if ((png_ptr->pass == 1 && png_ptr->width < 5) ||
995              (png_ptr->pass == 3 && png_ptr->width < 3) ||
996              (png_ptr->pass == 5 && png_ptr->width < 2))
997             png_ptr->pass++;
998 
999          if (png_ptr->pass > 7)
1000             png_ptr->pass--;
1001 
1002          if (png_ptr->pass >= 7)
1003             break;
1004 
1005          png_ptr->iwidth = (png_ptr->width +
1006              png_pass_inc[png_ptr->pass] - 1 -
1007              png_pass_start[png_ptr->pass]) /
1008              png_pass_inc[png_ptr->pass];
1009 
1010          if ((png_ptr->transformations & PNG_INTERLACE) != 0)
1011             break;
1012 
1013          png_ptr->num_rows = (png_ptr->height +
1014              png_pass_yinc[png_ptr->pass] - 1 -
1015              png_pass_ystart[png_ptr->pass]) /
1016              png_pass_yinc[png_ptr->pass];
1017 
1018       } while (png_ptr->iwidth == 0 || png_ptr->num_rows == 0);
1019    }
1020 #endif /* READ_INTERLACING */
1021 }
1022 
1023 void /* PRIVATE */
png_push_have_info(png_structrp png_ptr,png_inforp info_ptr)1024 png_push_have_info(png_structrp png_ptr, png_inforp info_ptr)
1025 {
1026    if (png_ptr->info_fn != NULL)
1027       (*(png_ptr->info_fn))(png_ptr, info_ptr);
1028 }
1029 
1030 void /* PRIVATE */
png_push_have_end(png_structrp png_ptr,png_inforp info_ptr)1031 png_push_have_end(png_structrp png_ptr, png_inforp info_ptr)
1032 {
1033    if (png_ptr->end_fn != NULL)
1034       (*(png_ptr->end_fn))(png_ptr, info_ptr);
1035 }
1036 
1037 void /* PRIVATE */
png_push_have_row(png_structrp png_ptr,png_bytep row)1038 png_push_have_row(png_structrp png_ptr, png_bytep row)
1039 {
1040    if (png_ptr->row_fn != NULL)
1041       (*(png_ptr->row_fn))(png_ptr, row, png_ptr->row_number,
1042          (int)png_ptr->pass);
1043 }
1044 
1045 #ifdef PNG_READ_INTERLACING_SUPPORTED
1046 void PNGAPI
png_progressive_combine_row(png_const_structrp png_ptr,png_bytep old_row,png_const_bytep new_row)1047 png_progressive_combine_row(png_const_structrp png_ptr, png_bytep old_row,
1048     png_const_bytep new_row)
1049 {
1050    if (png_ptr == NULL)
1051       return;
1052 
1053    /* new_row is a flag here - if it is NULL then the app callback was called
1054     * from an empty row (see the calls to png_struct::row_fn below), otherwise
1055     * it must be png_ptr->row_buf+1
1056     */
1057    if (new_row != NULL)
1058       png_combine_row(png_ptr, old_row, 1/*blocky display*/);
1059 }
1060 #endif /* READ_INTERLACING */
1061 
1062 void PNGAPI
png_set_progressive_read_fn(png_structrp png_ptr,png_voidp progressive_ptr,png_progressive_info_ptr info_fn,png_progressive_row_ptr row_fn,png_progressive_end_ptr end_fn)1063 png_set_progressive_read_fn(png_structrp png_ptr, png_voidp progressive_ptr,
1064     png_progressive_info_ptr info_fn, png_progressive_row_ptr row_fn,
1065     png_progressive_end_ptr end_fn)
1066 {
1067    if (png_ptr == NULL)
1068       return;
1069 
1070    png_ptr->info_fn = info_fn;
1071    png_ptr->row_fn = row_fn;
1072    png_ptr->end_fn = end_fn;
1073 
1074    png_set_read_fn(png_ptr, progressive_ptr, png_push_fill_buffer);
1075 }
1076 
1077 png_voidp PNGAPI
png_get_progressive_ptr(png_const_structrp png_ptr)1078 png_get_progressive_ptr(png_const_structrp png_ptr)
1079 {
1080    if (png_ptr == NULL)
1081       return (NULL);
1082 
1083    return png_ptr->io_ptr;
1084 }
1085 #endif /* PROGRESSIVE_READ */
1086