1 
2 /* pngrutil.c - utilities to read a PNG file
3  *
4  * Last changed in libpng 1.6.20 [December 3, 2014]
5  * Copyright (c) 1998-2002,2004,2006-2015 Glenn Randers-Pehrson
6  * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
7  * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
8  *
9  * This code is released under the libpng license.
10  * For conditions of distribution and use, see the disclaimer
11  * and license in png.h
12  *
13  * This file contains routines that are only called from within
14  * libpng itself during the course of reading an image.
15  */
16 
17 #include "pngpriv.h"
18 
19 #ifdef PNG_READ_SUPPORTED
20 
21 png_uint_32 PNGAPI
png_get_uint_31(png_const_structrp png_ptr,png_const_bytep buf)22 png_get_uint_31(png_const_structrp png_ptr, png_const_bytep buf)
23 {
24    png_uint_32 uval = png_get_uint_32(buf);
25 
26    if (uval > PNG_UINT_31_MAX)
27       png_error(png_ptr, "PNG unsigned integer out of range");
28 
29    return (uval);
30 }
31 
32 #if defined(PNG_READ_gAMA_SUPPORTED) || defined(PNG_READ_cHRM_SUPPORTED)
33 /* The following is a variation on the above for use with the fixed
34  * point values used for gAMA and cHRM.  Instead of png_error it
35  * issues a warning and returns (-1) - an invalid value because both
36  * gAMA and cHRM use *unsigned* integers for fixed point values.
37  */
38 #define PNG_FIXED_ERROR (-1)
39 
40 static png_fixed_point /* PRIVATE */
png_get_fixed_point(png_structrp png_ptr,png_const_bytep buf)41 png_get_fixed_point(png_structrp png_ptr, png_const_bytep buf)
42 {
43    png_uint_32 uval = png_get_uint_32(buf);
44 
45    if (uval <= PNG_UINT_31_MAX)
46       return (png_fixed_point)uval; /* known to be in range */
47 
48    /* The caller can turn off the warning by passing NULL. */
49    if (png_ptr != NULL)
50       png_warning(png_ptr, "PNG fixed point integer out of range");
51 
52    return PNG_FIXED_ERROR;
53 }
54 #endif
55 
56 #ifdef PNG_READ_INT_FUNCTIONS_SUPPORTED
57 /* NOTE: the read macros will obscure these definitions, so that if
58  * PNG_USE_READ_MACROS is set the library will not use them internally,
59  * but the APIs will still be available externally.
60  *
61  * The parentheses around "PNGAPI function_name" in the following three
62  * functions are necessary because they allow the macros to co-exist with
63  * these (unused but exported) functions.
64  */
65 
66 /* Grab an unsigned 32-bit integer from a buffer in big-endian format. */
png_uint_32(PNGAPI png_get_uint_32)67 png_uint_32 (PNGAPI
68 png_get_uint_32)(png_const_bytep buf)
69 {
70    png_uint_32 uval =
71        ((png_uint_32)(*(buf    )) << 24) +
72        ((png_uint_32)(*(buf + 1)) << 16) +
73        ((png_uint_32)(*(buf + 2)) <<  8) +
74        ((png_uint_32)(*(buf + 3))      ) ;
75 
76    return uval;
77 }
78 
79 /* Grab a signed 32-bit integer from a buffer in big-endian format.  The
80  * data is stored in the PNG file in two's complement format and there
81  * is no guarantee that a 'png_int_32' is exactly 32 bits, therefore
82  * the following code does a two's complement to native conversion.
83  */
png_int_32(PNGAPI png_get_int_32)84 png_int_32 (PNGAPI
85 png_get_int_32)(png_const_bytep buf)
86 {
87    png_uint_32 uval = png_get_uint_32(buf);
88    if ((uval & 0x80000000) == 0) /* non-negative */
89       return uval;
90 
91    uval = (uval ^ 0xffffffff) + 1;  /* 2's complement: -x = ~x+1 */
92    if ((uval & 0x80000000) == 0) /* no overflow */
93        return -(png_int_32)uval;
94    /* The following has to be safe; this function only gets called on PNG data
95     * and if we get here that data is invalid.  0 is the most safe value and
96     * if not then an attacker would surely just generate a PNG with 0 instead.
97     */
98    return 0;
99 }
100 
101 /* Grab an unsigned 16-bit integer from a buffer in big-endian format. */
png_uint_16(PNGAPI png_get_uint_16)102 png_uint_16 (PNGAPI
103 png_get_uint_16)(png_const_bytep buf)
104 {
105    /* ANSI-C requires an int value to accomodate at least 16 bits so this
106     * works and allows the compiler not to worry about possible narrowing
107     * on 32-bit systems.  (Pre-ANSI systems did not make integers smaller
108     * than 16 bits either.)
109     */
110    unsigned int val =
111        ((unsigned int)(*buf) << 8) +
112        ((unsigned int)(*(buf + 1)));
113 
114    return (png_uint_16)val;
115 }
116 
117 #endif /* READ_INT_FUNCTIONS */
118 
119 /* Read and check the PNG file signature */
120 void /* PRIVATE */
png_read_sig(png_structrp png_ptr,png_inforp info_ptr)121 png_read_sig(png_structrp png_ptr, png_inforp info_ptr)
122 {
123    png_size_t num_checked, num_to_check;
124 
125    /* Exit if the user application does not expect a signature. */
126    if (png_ptr->sig_bytes >= 8)
127       return;
128 
129    num_checked = png_ptr->sig_bytes;
130    num_to_check = 8 - num_checked;
131 
132 #ifdef PNG_IO_STATE_SUPPORTED
133    png_ptr->io_state = PNG_IO_READING | PNG_IO_SIGNATURE;
134 #endif
135 
136    /* The signature must be serialized in a single I/O call. */
137    png_read_data(png_ptr, &(info_ptr->signature[num_checked]), num_to_check);
138    png_ptr->sig_bytes = 8;
139 
140    if (png_sig_cmp(info_ptr->signature, num_checked, num_to_check) != 0)
141    {
142       if (num_checked < 4 &&
143           png_sig_cmp(info_ptr->signature, num_checked, num_to_check - 4))
144          png_error(png_ptr, "Not a PNG file");
145       else
146          png_error(png_ptr, "PNG file corrupted by ASCII conversion");
147    }
148    if (num_checked < 3)
149       png_ptr->mode |= PNG_HAVE_PNG_SIGNATURE;
150 }
151 
152 /* Read the chunk header (length + type name).
153  * Put the type name into png_ptr->chunk_name, and return the length.
154  */
155 png_uint_32 /* PRIVATE */
png_read_chunk_header(png_structrp png_ptr)156 png_read_chunk_header(png_structrp png_ptr)
157 {
158    png_byte buf[8];
159    png_uint_32 length;
160 
161 #ifdef PNG_IO_STATE_SUPPORTED
162    png_ptr->io_state = PNG_IO_READING | PNG_IO_CHUNK_HDR;
163 #endif
164 
165    /* Read the length and the chunk name.
166     * This must be performed in a single I/O call.
167     */
168    png_read_data(png_ptr, buf, 8);
169    length = png_get_uint_31(png_ptr, buf);
170 
171    /* Put the chunk name into png_ptr->chunk_name. */
172    png_ptr->chunk_name = PNG_CHUNK_FROM_STRING(buf+4);
173 
174    png_debug2(0, "Reading %lx chunk, length = %lu",
175        (unsigned long)png_ptr->chunk_name, (unsigned long)length);
176 
177    /* Reset the crc and run it over the chunk name. */
178    png_reset_crc(png_ptr);
179    png_calculate_crc(png_ptr, buf + 4, 4);
180 
181    /* Check to see if chunk name is valid. */
182    png_check_chunk_name(png_ptr, png_ptr->chunk_name);
183 
184 #ifdef PNG_IO_STATE_SUPPORTED
185    png_ptr->io_state = PNG_IO_READING | PNG_IO_CHUNK_DATA;
186 #endif
187 
188    return length;
189 }
190 
191 /* Read data, and (optionally) run it through the CRC. */
192 void /* PRIVATE */
png_crc_read(png_structrp png_ptr,png_bytep buf,png_uint_32 length)193 png_crc_read(png_structrp png_ptr, png_bytep buf, png_uint_32 length)
194 {
195    if (png_ptr == NULL)
196       return;
197 
198    png_read_data(png_ptr, buf, length);
199    png_calculate_crc(png_ptr, buf, length);
200 }
201 
202 /* Optionally skip data and then check the CRC.  Depending on whether we
203  * are reading an ancillary or critical chunk, and how the program has set
204  * things up, we may calculate the CRC on the data and print a message.
205  * Returns '1' if there was a CRC error, '0' otherwise.
206  */
207 int /* PRIVATE */
png_crc_finish(png_structrp png_ptr,png_uint_32 skip)208 png_crc_finish(png_structrp png_ptr, png_uint_32 skip)
209 {
210    /* The size of the local buffer for inflate is a good guess as to a
211     * reasonable size to use for buffering reads from the application.
212     */
213    while (skip > 0)
214    {
215       png_uint_32 len;
216       png_byte tmpbuf[PNG_INFLATE_BUF_SIZE];
217 
218       len = (sizeof tmpbuf);
219       if (len > skip)
220          len = skip;
221       skip -= len;
222 
223       png_crc_read(png_ptr, tmpbuf, len);
224    }
225 
226    if (png_crc_error(png_ptr) != 0)
227    {
228       if (PNG_CHUNK_ANCILLARY(png_ptr->chunk_name) != 0 ?
229           (png_ptr->flags & PNG_FLAG_CRC_ANCILLARY_NOWARN) == 0 :
230           (png_ptr->flags & PNG_FLAG_CRC_CRITICAL_USE) != 0)
231       {
232          png_chunk_warning(png_ptr, "CRC error");
233       }
234 
235       else
236          png_chunk_error(png_ptr, "CRC error");
237 
238       return (1);
239    }
240 
241    return (0);
242 }
243 
244 /* Compare the CRC stored in the PNG file with that calculated by libpng from
245  * the data it has read thus far.
246  */
247 int /* PRIVATE */
png_crc_error(png_structrp png_ptr)248 png_crc_error(png_structrp png_ptr)
249 {
250    png_byte crc_bytes[4];
251    png_uint_32 crc;
252    int need_crc = 1;
253 
254    if (PNG_CHUNK_ANCILLARY(png_ptr->chunk_name) != 0)
255    {
256       if ((png_ptr->flags & PNG_FLAG_CRC_ANCILLARY_MASK) ==
257           (PNG_FLAG_CRC_ANCILLARY_USE | PNG_FLAG_CRC_ANCILLARY_NOWARN))
258          need_crc = 0;
259    }
260 
261    else /* critical */
262    {
263       if ((png_ptr->flags & PNG_FLAG_CRC_CRITICAL_IGNORE) != 0)
264          need_crc = 0;
265    }
266 
267 #ifdef PNG_IO_STATE_SUPPORTED
268    png_ptr->io_state = PNG_IO_READING | PNG_IO_CHUNK_CRC;
269 #endif
270 
271    /* The chunk CRC must be serialized in a single I/O call. */
272    png_read_data(png_ptr, crc_bytes, 4);
273 
274    if (need_crc != 0)
275    {
276       crc = png_get_uint_32(crc_bytes);
277       return ((int)(crc != png_ptr->crc));
278    }
279 
280    else
281       return (0);
282 }
283 
284 #if defined(PNG_READ_iCCP_SUPPORTED) || defined(PNG_READ_iTXt_SUPPORTED) ||\
285     defined(PNG_READ_pCAL_SUPPORTED) || defined(PNG_READ_sCAL_SUPPORTED) ||\
286     defined(PNG_READ_sPLT_SUPPORTED) || defined(PNG_READ_tEXt_SUPPORTED) ||\
287     defined(PNG_READ_zTXt_SUPPORTED) || defined(PNG_SEQUENTIAL_READ_SUPPORTED)
288 /* Manage the read buffer; this simply reallocates the buffer if it is not small
289  * enough (or if it is not allocated).  The routine returns a pointer to the
290  * buffer; if an error occurs and 'warn' is set the routine returns NULL, else
291  * it will call png_error (via png_malloc) on failure.  (warn == 2 means
292  * 'silent').
293  */
294 static png_bytep
png_read_buffer(png_structrp png_ptr,png_alloc_size_t new_size,int warn)295 png_read_buffer(png_structrp png_ptr, png_alloc_size_t new_size, int warn)
296 {
297    png_bytep buffer = png_ptr->read_buffer;
298 
299    if (buffer != NULL && new_size > png_ptr->read_buffer_size)
300    {
301       png_ptr->read_buffer = NULL;
302       png_ptr->read_buffer = NULL;
303       png_ptr->read_buffer_size = 0;
304       png_free(png_ptr, buffer);
305       buffer = NULL;
306    }
307 
308    if (buffer == NULL)
309    {
310       buffer = png_voidcast(png_bytep, png_malloc_base(png_ptr, new_size));
311 
312       if (buffer != NULL)
313       {
314          png_ptr->read_buffer = buffer;
315          png_ptr->read_buffer_size = new_size;
316       }
317 
318       else if (warn < 2) /* else silent */
319       {
320          if (warn != 0)
321              png_chunk_warning(png_ptr, "insufficient memory to read chunk");
322 
323          else
324              png_chunk_error(png_ptr, "insufficient memory to read chunk");
325       }
326    }
327 
328    return buffer;
329 }
330 #endif /* READ_iCCP|iTXt|pCAL|sCAL|sPLT|tEXt|zTXt|SEQUENTIAL_READ */
331 
332 /* png_inflate_claim: claim the zstream for some nefarious purpose that involves
333  * decompression.  Returns Z_OK on success, else a zlib error code.  It checks
334  * the owner but, in final release builds, just issues a warning if some other
335  * chunk apparently owns the stream.  Prior to release it does a png_error.
336  */
337 static int
png_inflate_claim(png_structrp png_ptr,png_uint_32 owner)338 png_inflate_claim(png_structrp png_ptr, png_uint_32 owner)
339 {
340    if (png_ptr->zowner != 0)
341    {
342       char msg[64];
343 
344       PNG_STRING_FROM_CHUNK(msg, png_ptr->zowner);
345       /* So the message that results is "<chunk> using zstream"; this is an
346        * internal error, but is very useful for debugging.  i18n requirements
347        * are minimal.
348        */
349       (void)png_safecat(msg, (sizeof msg), 4, " using zstream");
350 #if PNG_RELEASE_BUILD
351       png_chunk_warning(png_ptr, msg);
352       png_ptr->zowner = 0;
353 #else
354       png_chunk_error(png_ptr, msg);
355 #endif
356    }
357 
358    /* Implementation note: unlike 'png_deflate_claim' this internal function
359     * does not take the size of the data as an argument.  Some efficiency could
360     * be gained by using this when it is known *if* the zlib stream itself does
361     * not record the number; however, this is an illusion: the original writer
362     * of the PNG may have selected a lower window size, and we really must
363     * follow that because, for systems with with limited capabilities, we
364     * would otherwise reject the application's attempts to use a smaller window
365     * size (zlib doesn't have an interface to say "this or lower"!).
366     *
367     * inflateReset2 was added to zlib 1.2.4; before this the window could not be
368     * reset, therefore it is necessary to always allocate the maximum window
369     * size with earlier zlibs just in case later compressed chunks need it.
370     */
371    {
372       int ret; /* zlib return code */
373 #if PNG_ZLIB_VERNUM >= 0x1240
374 
375 # if defined(PNG_SET_OPTION_SUPPORTED) && defined(PNG_MAXIMUM_INFLATE_WINDOW)
376       int window_bits;
377 
378       if (((png_ptr->options >> PNG_MAXIMUM_INFLATE_WINDOW) & 3) ==
379           PNG_OPTION_ON)
380       {
381          window_bits = 15;
382          png_ptr->zstream_start = 0; /* fixed window size */
383       }
384 
385       else
386       {
387          window_bits = 0;
388          png_ptr->zstream_start = 1;
389       }
390 # else
391 #   define window_bits 0
392 # endif
393 #endif
394 
395       /* Set this for safety, just in case the previous owner left pointers to
396        * memory allocations.
397        */
398       png_ptr->zstream.next_in = NULL;
399       png_ptr->zstream.avail_in = 0;
400       png_ptr->zstream.next_out = NULL;
401       png_ptr->zstream.avail_out = 0;
402 
403       if ((png_ptr->flags & PNG_FLAG_ZSTREAM_INITIALIZED) != 0)
404       {
405 #if PNG_ZLIB_VERNUM < 0x1240
406          ret = inflateReset(&png_ptr->zstream);
407 #else
408          ret = inflateReset2(&png_ptr->zstream, window_bits);
409 #endif
410       }
411 
412       else
413       {
414 #if PNG_ZLIB_VERNUM < 0x1240
415          ret = inflateInit(&png_ptr->zstream);
416 #else
417          ret = inflateInit2(&png_ptr->zstream, window_bits);
418 #endif
419 
420          if (ret == Z_OK)
421             png_ptr->flags |= PNG_FLAG_ZSTREAM_INITIALIZED;
422       }
423 
424       if (ret == Z_OK)
425          png_ptr->zowner = owner;
426 
427       else
428          png_zstream_error(png_ptr, ret);
429 
430       return ret;
431    }
432 
433 #ifdef window_bits
434 # undef window_bits
435 #endif
436 }
437 
438 #if PNG_ZLIB_VERNUM >= 0x1240
439 /* Handle the start of the inflate stream if we called inflateInit2(strm,0);
440  * in this case some zlib versions skip validation of the CINFO field and, in
441  * certain circumstances, libpng may end up displaying an invalid image, in
442  * contrast to implementations that call zlib in the normal way (e.g. libpng
443  * 1.5).
444  */
445 int /* PRIVATE */
png_zlib_inflate(png_structrp png_ptr,int flush)446 png_zlib_inflate(png_structrp png_ptr, int flush)
447 {
448    if (png_ptr->zstream_start && png_ptr->zstream.avail_in > 0)
449    {
450       if ((*png_ptr->zstream.next_in >> 4) > 7)
451       {
452          png_ptr->zstream.msg = "invalid window size (libpng)";
453          return Z_DATA_ERROR;
454       }
455 
456       png_ptr->zstream_start = 0;
457    }
458 
459    return inflate(&png_ptr->zstream, flush);
460 }
461 #endif /* Zlib >= 1.2.4 */
462 
463 #ifdef PNG_READ_COMPRESSED_TEXT_SUPPORTED
464 /* png_inflate now returns zlib error codes including Z_OK and Z_STREAM_END to
465  * allow the caller to do multiple calls if required.  If the 'finish' flag is
466  * set Z_FINISH will be passed to the final inflate() call and Z_STREAM_END must
467  * be returned or there has been a problem, otherwise Z_SYNC_FLUSH is used and
468  * Z_OK or Z_STREAM_END will be returned on success.
469  *
470  * The input and output sizes are updated to the actual amounts of data consumed
471  * or written, not the amount available (as in a z_stream).  The data pointers
472  * are not changed, so the next input is (data+input_size) and the next
473  * available output is (output+output_size).
474  */
475 static int
png_inflate(png_structrp png_ptr,png_uint_32 owner,int finish,png_const_bytep input,png_uint_32p input_size_ptr,png_bytep output,png_alloc_size_t * output_size_ptr)476 png_inflate(png_structrp png_ptr, png_uint_32 owner, int finish,
477     /* INPUT: */ png_const_bytep input, png_uint_32p input_size_ptr,
478     /* OUTPUT: */ png_bytep output, png_alloc_size_t *output_size_ptr)
479 {
480    if (png_ptr->zowner == owner) /* Else not claimed */
481    {
482       int ret;
483       png_alloc_size_t avail_out = *output_size_ptr;
484       png_uint_32 avail_in = *input_size_ptr;
485 
486       /* zlib can't necessarily handle more than 65535 bytes at once (i.e. it
487        * can't even necessarily handle 65536 bytes) because the type uInt is
488        * "16 bits or more".  Consequently it is necessary to chunk the input to
489        * zlib.  This code uses ZLIB_IO_MAX, from pngpriv.h, as the maximum (the
490        * maximum value that can be stored in a uInt.)  It is possible to set
491        * ZLIB_IO_MAX to a lower value in pngpriv.h and this may sometimes have
492        * a performance advantage, because it reduces the amount of data accessed
493        * at each step and that may give the OS more time to page it in.
494        */
495       png_ptr->zstream.next_in = PNGZ_INPUT_CAST(input);
496       /* avail_in and avail_out are set below from 'size' */
497       png_ptr->zstream.avail_in = 0;
498       png_ptr->zstream.avail_out = 0;
499 
500       /* Read directly into the output if it is available (this is set to
501        * a local buffer below if output is NULL).
502        */
503       if (output != NULL)
504          png_ptr->zstream.next_out = output;
505 
506       do
507       {
508          uInt avail;
509          Byte local_buffer[PNG_INFLATE_BUF_SIZE];
510 
511          /* zlib INPUT BUFFER */
512          /* The setting of 'avail_in' used to be outside the loop; by setting it
513           * inside it is possible to chunk the input to zlib and simply rely on
514           * zlib to advance the 'next_in' pointer.  This allows arbitrary
515           * amounts of data to be passed through zlib at the unavoidable cost of
516           * requiring a window save (memcpy of up to 32768 output bytes)
517           * every ZLIB_IO_MAX input bytes.
518           */
519          avail_in += png_ptr->zstream.avail_in; /* not consumed last time */
520 
521          avail = ZLIB_IO_MAX;
522 
523          if (avail_in < avail)
524             avail = (uInt)avail_in; /* safe: < than ZLIB_IO_MAX */
525 
526          avail_in -= avail;
527          png_ptr->zstream.avail_in = avail;
528 
529          /* zlib OUTPUT BUFFER */
530          avail_out += png_ptr->zstream.avail_out; /* not written last time */
531 
532          avail = ZLIB_IO_MAX; /* maximum zlib can process */
533 
534          if (output == NULL)
535          {
536             /* Reset the output buffer each time round if output is NULL and
537              * make available the full buffer, up to 'remaining_space'
538              */
539             png_ptr->zstream.next_out = local_buffer;
540             if ((sizeof local_buffer) < avail)
541                avail = (sizeof local_buffer);
542          }
543 
544          if (avail_out < avail)
545             avail = (uInt)avail_out; /* safe: < ZLIB_IO_MAX */
546 
547          png_ptr->zstream.avail_out = avail;
548          avail_out -= avail;
549 
550          /* zlib inflate call */
551          /* In fact 'avail_out' may be 0 at this point, that happens at the end
552           * of the read when the final LZ end code was not passed at the end of
553           * the previous chunk of input data.  Tell zlib if we have reached the
554           * end of the output buffer.
555           */
556          ret = PNG_INFLATE(png_ptr, avail_out > 0 ? Z_NO_FLUSH :
557              (finish ? Z_FINISH : Z_SYNC_FLUSH));
558       } while (ret == Z_OK);
559 
560       /* For safety kill the local buffer pointer now */
561       if (output == NULL)
562          png_ptr->zstream.next_out = NULL;
563 
564       /* Claw back the 'size' and 'remaining_space' byte counts. */
565       avail_in += png_ptr->zstream.avail_in;
566       avail_out += png_ptr->zstream.avail_out;
567 
568       /* Update the input and output sizes; the updated values are the amount
569        * consumed or written, effectively the inverse of what zlib uses.
570        */
571       if (avail_out > 0)
572          *output_size_ptr -= avail_out;
573 
574       if (avail_in > 0)
575          *input_size_ptr -= avail_in;
576 
577       /* Ensure png_ptr->zstream.msg is set (even in the success case!) */
578       png_zstream_error(png_ptr, ret);
579       return ret;
580    }
581 
582    else
583    {
584       /* This is a bad internal error.  The recovery assigns to the zstream msg
585        * pointer, which is not owned by the caller, but this is safe; it's only
586        * used on errors!
587        */
588       png_ptr->zstream.msg = PNGZ_MSG_CAST("zstream unclaimed");
589       return Z_STREAM_ERROR;
590    }
591 }
592 
593 /*
594  * Decompress trailing data in a chunk.  The assumption is that read_buffer
595  * points at an allocated area holding the contents of a chunk with a
596  * trailing compressed part.  What we get back is an allocated area
597  * holding the original prefix part and an uncompressed version of the
598  * trailing part (the malloc area passed in is freed).
599  */
600 static int
png_decompress_chunk(png_structrp png_ptr,png_uint_32 chunklength,png_uint_32 prefix_size,png_alloc_size_t * newlength,int terminate)601 png_decompress_chunk(png_structrp png_ptr,
602    png_uint_32 chunklength, png_uint_32 prefix_size,
603    png_alloc_size_t *newlength /* must be initialized to the maximum! */,
604    int terminate /*add a '\0' to the end of the uncompressed data*/)
605 {
606    /* TODO: implement different limits for different types of chunk.
607     *
608     * The caller supplies *newlength set to the maximum length of the
609     * uncompressed data, but this routine allocates space for the prefix and
610     * maybe a '\0' terminator too.  We have to assume that 'prefix_size' is
611     * limited only by the maximum chunk size.
612     */
613    png_alloc_size_t limit = PNG_SIZE_MAX;
614 
615 # ifdef PNG_SET_USER_LIMITS_SUPPORTED
616    if (png_ptr->user_chunk_malloc_max > 0 &&
617        png_ptr->user_chunk_malloc_max < limit)
618       limit = png_ptr->user_chunk_malloc_max;
619 # elif PNG_USER_CHUNK_MALLOC_MAX > 0
620    if (PNG_USER_CHUNK_MALLOC_MAX < limit)
621       limit = PNG_USER_CHUNK_MALLOC_MAX;
622 # endif
623 
624    if (limit >= prefix_size + (terminate != 0))
625    {
626       int ret;
627 
628       limit -= prefix_size + (terminate != 0);
629 
630       if (limit < *newlength)
631          *newlength = limit;
632 
633       /* Now try to claim the stream. */
634       ret = png_inflate_claim(png_ptr, png_ptr->chunk_name);
635 
636       if (ret == Z_OK)
637       {
638          png_uint_32 lzsize = chunklength - prefix_size;
639 
640          ret = png_inflate(png_ptr, png_ptr->chunk_name, 1/*finish*/,
641             /* input: */ png_ptr->read_buffer + prefix_size, &lzsize,
642             /* output: */ NULL, newlength);
643 
644          if (ret == Z_STREAM_END)
645          {
646             /* Use 'inflateReset' here, not 'inflateReset2' because this
647              * preserves the previously decided window size (otherwise it would
648              * be necessary to store the previous window size.)  In practice
649              * this doesn't matter anyway, because png_inflate will call inflate
650              * with Z_FINISH in almost all cases, so the window will not be
651              * maintained.
652              */
653             if (inflateReset(&png_ptr->zstream) == Z_OK)
654             {
655                /* Because of the limit checks above we know that the new,
656                 * expanded, size will fit in a size_t (let alone an
657                 * png_alloc_size_t).  Use png_malloc_base here to avoid an
658                 * extra OOM message.
659                 */
660                png_alloc_size_t new_size = *newlength;
661                png_alloc_size_t buffer_size = prefix_size + new_size +
662                   (terminate != 0);
663                png_bytep text = png_voidcast(png_bytep, png_malloc_base(png_ptr,
664                   buffer_size));
665 
666                if (text != NULL)
667                {
668                   ret = png_inflate(png_ptr, png_ptr->chunk_name, 1/*finish*/,
669                      png_ptr->read_buffer + prefix_size, &lzsize,
670                      text + prefix_size, newlength);
671 
672                   if (ret == Z_STREAM_END)
673                   {
674                      if (new_size == *newlength)
675                      {
676                         if (terminate != 0)
677                            text[prefix_size + *newlength] = 0;
678 
679                         if (prefix_size > 0)
680                            memcpy(text, png_ptr->read_buffer, prefix_size);
681 
682                         {
683                            png_bytep old_ptr = png_ptr->read_buffer;
684 
685                            png_ptr->read_buffer = text;
686                            png_ptr->read_buffer_size = buffer_size;
687                            text = old_ptr; /* freed below */
688                         }
689                      }
690 
691                      else
692                      {
693                         /* The size changed on the second read, there can be no
694                          * guarantee that anything is correct at this point.
695                          * The 'msg' pointer has been set to "unexpected end of
696                          * LZ stream", which is fine, but return an error code
697                          * that the caller won't accept.
698                          */
699                         ret = PNG_UNEXPECTED_ZLIB_RETURN;
700                      }
701                   }
702 
703                   else if (ret == Z_OK)
704                      ret = PNG_UNEXPECTED_ZLIB_RETURN; /* for safety */
705 
706                   /* Free the text pointer (this is the old read_buffer on
707                    * success)
708                    */
709                   png_free(png_ptr, text);
710 
711                   /* This really is very benign, but it's still an error because
712                    * the extra space may otherwise be used as a Trojan Horse.
713                    */
714                   if (ret == Z_STREAM_END &&
715                      chunklength - prefix_size != lzsize)
716                      png_chunk_benign_error(png_ptr, "extra compressed data");
717                }
718 
719                else
720                {
721                   /* Out of memory allocating the buffer */
722                   ret = Z_MEM_ERROR;
723                   png_zstream_error(png_ptr, Z_MEM_ERROR);
724                }
725             }
726 
727             else
728             {
729                /* inflateReset failed, store the error message */
730                png_zstream_error(png_ptr, ret);
731 
732                if (ret == Z_STREAM_END)
733                   ret = PNG_UNEXPECTED_ZLIB_RETURN;
734             }
735          }
736 
737          else if (ret == Z_OK)
738             ret = PNG_UNEXPECTED_ZLIB_RETURN;
739 
740          /* Release the claimed stream */
741          png_ptr->zowner = 0;
742       }
743 
744       else /* the claim failed */ if (ret == Z_STREAM_END) /* impossible! */
745          ret = PNG_UNEXPECTED_ZLIB_RETURN;
746 
747       return ret;
748    }
749 
750    else
751    {
752       /* Application/configuration limits exceeded */
753       png_zstream_error(png_ptr, Z_MEM_ERROR);
754       return Z_MEM_ERROR;
755    }
756 }
757 #endif /* READ_COMPRESSED_TEXT */
758 
759 #ifdef PNG_READ_iCCP_SUPPORTED
760 /* Perform a partial read and decompress, producing 'avail_out' bytes and
761  * reading from the current chunk as required.
762  */
763 static int
png_inflate_read(png_structrp png_ptr,png_bytep read_buffer,uInt read_size,png_uint_32p chunk_bytes,png_bytep next_out,png_alloc_size_t * out_size,int finish)764 png_inflate_read(png_structrp png_ptr, png_bytep read_buffer, uInt read_size,
765    png_uint_32p chunk_bytes, png_bytep next_out, png_alloc_size_t *out_size,
766    int finish)
767 {
768    if (png_ptr->zowner == png_ptr->chunk_name)
769    {
770       int ret;
771 
772       /* next_in and avail_in must have been initialized by the caller. */
773       png_ptr->zstream.next_out = next_out;
774       png_ptr->zstream.avail_out = 0; /* set in the loop */
775 
776       do
777       {
778          if (png_ptr->zstream.avail_in == 0)
779          {
780             if (read_size > *chunk_bytes)
781                read_size = (uInt)*chunk_bytes;
782             *chunk_bytes -= read_size;
783 
784             if (read_size > 0)
785                png_crc_read(png_ptr, read_buffer, read_size);
786 
787             png_ptr->zstream.next_in = read_buffer;
788             png_ptr->zstream.avail_in = read_size;
789          }
790 
791          if (png_ptr->zstream.avail_out == 0)
792          {
793             uInt avail = ZLIB_IO_MAX;
794             if (avail > *out_size)
795                avail = (uInt)*out_size;
796             *out_size -= avail;
797 
798             png_ptr->zstream.avail_out = avail;
799          }
800 
801          /* Use Z_SYNC_FLUSH when there is no more chunk data to ensure that all
802           * the available output is produced; this allows reading of truncated
803           * streams.
804           */
805          ret = PNG_INFLATE(png_ptr,
806             *chunk_bytes > 0 ? Z_NO_FLUSH : (finish ? Z_FINISH : Z_SYNC_FLUSH));
807       }
808       while (ret == Z_OK && (*out_size > 0 || png_ptr->zstream.avail_out > 0));
809 
810       *out_size += png_ptr->zstream.avail_out;
811       png_ptr->zstream.avail_out = 0; /* Should not be required, but is safe */
812 
813       /* Ensure the error message pointer is always set: */
814       png_zstream_error(png_ptr, ret);
815       return ret;
816    }
817 
818    else
819    {
820       png_ptr->zstream.msg = PNGZ_MSG_CAST("zstream unclaimed");
821       return Z_STREAM_ERROR;
822    }
823 }
824 #endif
825 
826 /* Read and check the IDHR chunk */
827 
828 void /* PRIVATE */
png_handle_IHDR(png_structrp png_ptr,png_inforp info_ptr,png_uint_32 length)829 png_handle_IHDR(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
830 {
831    png_byte buf[13];
832    png_uint_32 width, height;
833    int bit_depth, color_type, compression_type, filter_type;
834    int interlace_type;
835 
836    png_debug(1, "in png_handle_IHDR");
837 
838    if ((png_ptr->mode & PNG_HAVE_IHDR) != 0)
839       png_chunk_error(png_ptr, "out of place");
840 
841    /* Check the length */
842    if (length != 13)
843       png_chunk_error(png_ptr, "invalid");
844 
845    png_ptr->mode |= PNG_HAVE_IHDR;
846 
847    png_crc_read(png_ptr, buf, 13);
848    png_crc_finish(png_ptr, 0);
849 
850    width = png_get_uint_31(png_ptr, buf);
851    height = png_get_uint_31(png_ptr, buf + 4);
852    bit_depth = buf[8];
853    color_type = buf[9];
854    compression_type = buf[10];
855    filter_type = buf[11];
856    interlace_type = buf[12];
857 
858    /* Set internal variables */
859    png_ptr->width = width;
860    png_ptr->height = height;
861    png_ptr->bit_depth = (png_byte)bit_depth;
862    png_ptr->interlaced = (png_byte)interlace_type;
863    png_ptr->color_type = (png_byte)color_type;
864 #ifdef PNG_MNG_FEATURES_SUPPORTED
865    png_ptr->filter_type = (png_byte)filter_type;
866 #endif
867    png_ptr->compression_type = (png_byte)compression_type;
868 
869    /* Find number of channels */
870    switch (png_ptr->color_type)
871    {
872       default: /* invalid, png_set_IHDR calls png_error */
873       case PNG_COLOR_TYPE_GRAY:
874       case PNG_COLOR_TYPE_PALETTE:
875          png_ptr->channels = 1;
876          break;
877 
878       case PNG_COLOR_TYPE_RGB:
879          png_ptr->channels = 3;
880          break;
881 
882       case PNG_COLOR_TYPE_GRAY_ALPHA:
883          png_ptr->channels = 2;
884          break;
885 
886       case PNG_COLOR_TYPE_RGB_ALPHA:
887          png_ptr->channels = 4;
888          break;
889    }
890 
891    /* Set up other useful info */
892    png_ptr->pixel_depth = (png_byte)(png_ptr->bit_depth * png_ptr->channels);
893    png_ptr->rowbytes = PNG_ROWBYTES(png_ptr->pixel_depth, png_ptr->width);
894    png_debug1(3, "bit_depth = %d", png_ptr->bit_depth);
895    png_debug1(3, "channels = %d", png_ptr->channels);
896    png_debug1(3, "rowbytes = %lu", (unsigned long)png_ptr->rowbytes);
897    png_set_IHDR(png_ptr, info_ptr, width, height, bit_depth,
898        color_type, interlace_type, compression_type, filter_type);
899 }
900 
901 /* Read and check the palette */
902 void /* PRIVATE */
png_handle_PLTE(png_structrp png_ptr,png_inforp info_ptr,png_uint_32 length)903 png_handle_PLTE(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
904 {
905    png_color palette[PNG_MAX_PALETTE_LENGTH];
906    int max_palette_length, num, i;
907 #ifdef PNG_POINTER_INDEXING_SUPPORTED
908    png_colorp pal_ptr;
909 #endif
910 
911    png_debug(1, "in png_handle_PLTE");
912 
913    if ((png_ptr->mode & PNG_HAVE_IHDR) == 0)
914       png_chunk_error(png_ptr, "missing IHDR");
915 
916    /* Moved to before the 'after IDAT' check below because otherwise duplicate
917     * PLTE chunks are potentially ignored (the spec says there shall not be more
918     * than one PLTE, the error is not treated as benign, so this check trumps
919     * the requirement that PLTE appears before IDAT.)
920     */
921    else if ((png_ptr->mode & PNG_HAVE_PLTE) != 0)
922       png_chunk_error(png_ptr, "duplicate");
923 
924    else if ((png_ptr->mode & PNG_HAVE_IDAT) != 0)
925    {
926       /* This is benign because the non-benign error happened before, when an
927        * IDAT was encountered in a color-mapped image with no PLTE.
928        */
929       png_crc_finish(png_ptr, length);
930       png_chunk_benign_error(png_ptr, "out of place");
931       return;
932    }
933 
934    png_ptr->mode |= PNG_HAVE_PLTE;
935 
936    if ((png_ptr->color_type & PNG_COLOR_MASK_COLOR) == 0)
937    {
938       png_crc_finish(png_ptr, length);
939       png_chunk_benign_error(png_ptr, "ignored in grayscale PNG");
940       return;
941    }
942 
943 #ifndef PNG_READ_OPT_PLTE_SUPPORTED
944    if (png_ptr->color_type != PNG_COLOR_TYPE_PALETTE)
945    {
946       png_crc_finish(png_ptr, length);
947       return;
948    }
949 #endif
950 
951    if (length > 3*PNG_MAX_PALETTE_LENGTH || length % 3)
952    {
953       png_crc_finish(png_ptr, length);
954 
955       if (png_ptr->color_type != PNG_COLOR_TYPE_PALETTE)
956          png_chunk_benign_error(png_ptr, "invalid");
957 
958       else
959          png_chunk_error(png_ptr, "invalid");
960 
961       return;
962    }
963 
964    /* The cast is safe because 'length' is less than 3*PNG_MAX_PALETTE_LENGTH */
965    num = (int)length / 3;
966 
967    /* If the palette has 256 or fewer entries but is too large for the bit
968     * depth, we don't issue an error, to preserve the behavior of previous
969     * libpng versions. We silently truncate the unused extra palette entries
970     * here.
971     */
972    if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
973       max_palette_length = (1 << png_ptr->bit_depth);
974    else
975       max_palette_length = PNG_MAX_PALETTE_LENGTH;
976 
977    if (num > max_palette_length)
978       num = max_palette_length;
979 
980 #ifdef PNG_POINTER_INDEXING_SUPPORTED
981    for (i = 0, pal_ptr = palette; i < num; i++, pal_ptr++)
982    {
983       png_byte buf[3];
984 
985       png_crc_read(png_ptr, buf, 3);
986       pal_ptr->red = buf[0];
987       pal_ptr->green = buf[1];
988       pal_ptr->blue = buf[2];
989    }
990 #else
991    for (i = 0; i < num; i++)
992    {
993       png_byte buf[3];
994 
995       png_crc_read(png_ptr, buf, 3);
996       /* Don't depend upon png_color being any order */
997       palette[i].red = buf[0];
998       palette[i].green = buf[1];
999       palette[i].blue = buf[2];
1000    }
1001 #endif
1002 
1003    /* If we actually need the PLTE chunk (ie for a paletted image), we do
1004     * whatever the normal CRC configuration tells us.  However, if we
1005     * have an RGB image, the PLTE can be considered ancillary, so
1006     * we will act as though it is.
1007     */
1008 #ifndef PNG_READ_OPT_PLTE_SUPPORTED
1009    if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
1010 #endif
1011    {
1012       png_crc_finish(png_ptr, (int) length - num * 3);
1013    }
1014 
1015 #ifndef PNG_READ_OPT_PLTE_SUPPORTED
1016    else if (png_crc_error(png_ptr) != 0)  /* Only if we have a CRC error */
1017    {
1018       /* If we don't want to use the data from an ancillary chunk,
1019        * we have two options: an error abort, or a warning and we
1020        * ignore the data in this chunk (which should be OK, since
1021        * it's considered ancillary for a RGB or RGBA image).
1022        *
1023        * IMPLEMENTATION NOTE: this is only here because png_crc_finish uses the
1024        * chunk type to determine whether to check the ancillary or the critical
1025        * flags.
1026        */
1027       if ((png_ptr->flags & PNG_FLAG_CRC_ANCILLARY_USE) == 0)
1028       {
1029          if ((png_ptr->flags & PNG_FLAG_CRC_ANCILLARY_NOWARN) != 0)
1030             return;
1031 
1032          else
1033             png_chunk_error(png_ptr, "CRC error");
1034       }
1035 
1036       /* Otherwise, we (optionally) emit a warning and use the chunk. */
1037       else if ((png_ptr->flags & PNG_FLAG_CRC_ANCILLARY_NOWARN) == 0)
1038          png_chunk_warning(png_ptr, "CRC error");
1039    }
1040 #endif
1041 
1042    /* TODO: png_set_PLTE has the side effect of setting png_ptr->palette to its
1043     * own copy of the palette.  This has the side effect that when png_start_row
1044     * is called (this happens after any call to png_read_update_info) the
1045     * info_ptr palette gets changed.  This is extremely unexpected and
1046     * confusing.
1047     *
1048     * Fix this by not sharing the palette in this way.
1049     */
1050    png_set_PLTE(png_ptr, info_ptr, palette, num);
1051 
1052    /* The three chunks, bKGD, hIST and tRNS *must* appear after PLTE and before
1053     * IDAT.  Prior to 1.6.0 this was not checked; instead the code merely
1054     * checked the apparent validity of a tRNS chunk inserted before PLTE on a
1055     * palette PNG.  1.6.0 attempts to rigorously follow the standard and
1056     * therefore does a benign error if the erroneous condition is detected *and*
1057     * cancels the tRNS if the benign error returns.  The alternative is to
1058     * amend the standard since it would be rather hypocritical of the standards
1059     * maintainers to ignore it.
1060     */
1061 #ifdef PNG_READ_tRNS_SUPPORTED
1062    if (png_ptr->num_trans > 0 ||
1063        (info_ptr != NULL && (info_ptr->valid & PNG_INFO_tRNS) != 0))
1064    {
1065       /* Cancel this because otherwise it would be used if the transforms
1066        * require it.  Don't cancel the 'valid' flag because this would prevent
1067        * detection of duplicate chunks.
1068        */
1069       png_ptr->num_trans = 0;
1070 
1071       if (info_ptr != NULL)
1072          info_ptr->num_trans = 0;
1073 
1074       png_chunk_benign_error(png_ptr, "tRNS must be after");
1075    }
1076 #endif
1077 
1078 #ifdef PNG_READ_hIST_SUPPORTED
1079    if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_hIST) != 0)
1080       png_chunk_benign_error(png_ptr, "hIST must be after");
1081 #endif
1082 
1083 #ifdef PNG_READ_bKGD_SUPPORTED
1084    if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_bKGD) != 0)
1085       png_chunk_benign_error(png_ptr, "bKGD must be after");
1086 #endif
1087 }
1088 
1089 void /* PRIVATE */
png_handle_IEND(png_structrp png_ptr,png_inforp info_ptr,png_uint_32 length)1090 png_handle_IEND(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
1091 {
1092    png_debug(1, "in png_handle_IEND");
1093 
1094    if ((png_ptr->mode & PNG_HAVE_IHDR) == 0 ||
1095        (png_ptr->mode & PNG_HAVE_IDAT) == 0)
1096       png_chunk_error(png_ptr, "out of place");
1097 
1098    png_ptr->mode |= (PNG_AFTER_IDAT | PNG_HAVE_IEND);
1099 
1100    png_crc_finish(png_ptr, length);
1101 
1102    if (length != 0)
1103       png_chunk_benign_error(png_ptr, "invalid");
1104 
1105    PNG_UNUSED(info_ptr)
1106 }
1107 
1108 #ifdef PNG_READ_gAMA_SUPPORTED
1109 void /* PRIVATE */
png_handle_gAMA(png_structrp png_ptr,png_inforp info_ptr,png_uint_32 length)1110 png_handle_gAMA(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
1111 {
1112    png_fixed_point igamma;
1113    png_byte buf[4];
1114 
1115    png_debug(1, "in png_handle_gAMA");
1116 
1117    if ((png_ptr->mode & PNG_HAVE_IHDR) == 0)
1118       png_chunk_error(png_ptr, "missing IHDR");
1119 
1120    else if ((png_ptr->mode & (PNG_HAVE_IDAT|PNG_HAVE_PLTE)) != 0)
1121    {
1122       png_crc_finish(png_ptr, length);
1123       png_chunk_benign_error(png_ptr, "out of place");
1124       return;
1125    }
1126 
1127    if (length != 4)
1128    {
1129       png_crc_finish(png_ptr, length);
1130       png_chunk_benign_error(png_ptr, "invalid");
1131       return;
1132    }
1133 
1134    png_crc_read(png_ptr, buf, 4);
1135 
1136    if (png_crc_finish(png_ptr, 0) != 0)
1137       return;
1138 
1139    igamma = png_get_fixed_point(NULL, buf);
1140 
1141    png_colorspace_set_gamma(png_ptr, &png_ptr->colorspace, igamma);
1142    png_colorspace_sync(png_ptr, info_ptr);
1143 }
1144 #endif
1145 
1146 #ifdef PNG_READ_sBIT_SUPPORTED
1147 void /* PRIVATE */
png_handle_sBIT(png_structrp png_ptr,png_inforp info_ptr,png_uint_32 length)1148 png_handle_sBIT(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
1149 {
1150    unsigned int truelen, i;
1151    png_byte sample_depth;
1152    png_byte buf[4];
1153 
1154    png_debug(1, "in png_handle_sBIT");
1155 
1156    if ((png_ptr->mode & PNG_HAVE_IHDR) == 0)
1157       png_chunk_error(png_ptr, "missing IHDR");
1158 
1159    else if ((png_ptr->mode & (PNG_HAVE_IDAT|PNG_HAVE_PLTE)) != 0)
1160    {
1161       png_crc_finish(png_ptr, length);
1162       png_chunk_benign_error(png_ptr, "out of place");
1163       return;
1164    }
1165 
1166    if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_sBIT) != 0)
1167    {
1168       png_crc_finish(png_ptr, length);
1169       png_chunk_benign_error(png_ptr, "duplicate");
1170       return;
1171    }
1172 
1173    if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
1174    {
1175       truelen = 3;
1176       sample_depth = 8;
1177    }
1178 
1179    else
1180    {
1181       truelen = png_ptr->channels;
1182       sample_depth = png_ptr->bit_depth;
1183    }
1184 
1185    if (length != truelen || length > 4)
1186    {
1187       png_chunk_benign_error(png_ptr, "invalid");
1188       png_crc_finish(png_ptr, length);
1189       return;
1190    }
1191 
1192    buf[0] = buf[1] = buf[2] = buf[3] = sample_depth;
1193    png_crc_read(png_ptr, buf, truelen);
1194 
1195    if (png_crc_finish(png_ptr, 0) != 0)
1196       return;
1197 
1198    for (i=0; i<truelen; ++i)
1199    {
1200       if (buf[i] == 0 || buf[i] > sample_depth)
1201       {
1202          png_chunk_benign_error(png_ptr, "invalid");
1203          return;
1204       }
1205    }
1206 
1207    if ((png_ptr->color_type & PNG_COLOR_MASK_COLOR) != 0)
1208    {
1209       png_ptr->sig_bit.red = buf[0];
1210       png_ptr->sig_bit.green = buf[1];
1211       png_ptr->sig_bit.blue = buf[2];
1212       png_ptr->sig_bit.alpha = buf[3];
1213    }
1214 
1215    else
1216    {
1217       png_ptr->sig_bit.gray = buf[0];
1218       png_ptr->sig_bit.red = buf[0];
1219       png_ptr->sig_bit.green = buf[0];
1220       png_ptr->sig_bit.blue = buf[0];
1221       png_ptr->sig_bit.alpha = buf[1];
1222    }
1223 
1224    png_set_sBIT(png_ptr, info_ptr, &(png_ptr->sig_bit));
1225 }
1226 #endif
1227 
1228 #ifdef PNG_READ_cHRM_SUPPORTED
1229 void /* PRIVATE */
png_handle_cHRM(png_structrp png_ptr,png_inforp info_ptr,png_uint_32 length)1230 png_handle_cHRM(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
1231 {
1232    png_byte buf[32];
1233    png_xy xy;
1234 
1235    png_debug(1, "in png_handle_cHRM");
1236 
1237    if ((png_ptr->mode & PNG_HAVE_IHDR) == 0)
1238       png_chunk_error(png_ptr, "missing IHDR");
1239 
1240    else if ((png_ptr->mode & (PNG_HAVE_IDAT|PNG_HAVE_PLTE)) != 0)
1241    {
1242       png_crc_finish(png_ptr, length);
1243       png_chunk_benign_error(png_ptr, "out of place");
1244       return;
1245    }
1246 
1247    if (length != 32)
1248    {
1249       png_crc_finish(png_ptr, length);
1250       png_chunk_benign_error(png_ptr, "invalid");
1251       return;
1252    }
1253 
1254    png_crc_read(png_ptr, buf, 32);
1255 
1256    if (png_crc_finish(png_ptr, 0) != 0)
1257       return;
1258 
1259    xy.whitex = png_get_fixed_point(NULL, buf);
1260    xy.whitey = png_get_fixed_point(NULL, buf + 4);
1261    xy.redx   = png_get_fixed_point(NULL, buf + 8);
1262    xy.redy   = png_get_fixed_point(NULL, buf + 12);
1263    xy.greenx = png_get_fixed_point(NULL, buf + 16);
1264    xy.greeny = png_get_fixed_point(NULL, buf + 20);
1265    xy.bluex  = png_get_fixed_point(NULL, buf + 24);
1266    xy.bluey  = png_get_fixed_point(NULL, buf + 28);
1267 
1268    if (xy.whitex == PNG_FIXED_ERROR ||
1269        xy.whitey == PNG_FIXED_ERROR ||
1270        xy.redx   == PNG_FIXED_ERROR ||
1271        xy.redy   == PNG_FIXED_ERROR ||
1272        xy.greenx == PNG_FIXED_ERROR ||
1273        xy.greeny == PNG_FIXED_ERROR ||
1274        xy.bluex  == PNG_FIXED_ERROR ||
1275        xy.bluey  == PNG_FIXED_ERROR)
1276    {
1277       png_chunk_benign_error(png_ptr, "invalid values");
1278       return;
1279    }
1280 
1281    /* If a colorspace error has already been output skip this chunk */
1282    if ((png_ptr->colorspace.flags & PNG_COLORSPACE_INVALID) != 0)
1283       return;
1284 
1285    if ((png_ptr->colorspace.flags & PNG_COLORSPACE_FROM_cHRM) != 0)
1286    {
1287       png_ptr->colorspace.flags |= PNG_COLORSPACE_INVALID;
1288       png_colorspace_sync(png_ptr, info_ptr);
1289       png_chunk_benign_error(png_ptr, "duplicate");
1290       return;
1291    }
1292 
1293    png_ptr->colorspace.flags |= PNG_COLORSPACE_FROM_cHRM;
1294    (void)png_colorspace_set_chromaticities(png_ptr, &png_ptr->colorspace, &xy,
1295       1/*prefer cHRM values*/);
1296    png_colorspace_sync(png_ptr, info_ptr);
1297 }
1298 #endif
1299 
1300 #ifdef PNG_READ_sRGB_SUPPORTED
1301 void /* PRIVATE */
png_handle_sRGB(png_structrp png_ptr,png_inforp info_ptr,png_uint_32 length)1302 png_handle_sRGB(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
1303 {
1304    png_byte intent;
1305 
1306    png_debug(1, "in png_handle_sRGB");
1307 
1308    if ((png_ptr->mode & PNG_HAVE_IHDR) == 0)
1309       png_chunk_error(png_ptr, "missing IHDR");
1310 
1311    else if ((png_ptr->mode & (PNG_HAVE_IDAT|PNG_HAVE_PLTE)) != 0)
1312    {
1313       png_crc_finish(png_ptr, length);
1314       png_chunk_benign_error(png_ptr, "out of place");
1315       return;
1316    }
1317 
1318    if (length != 1)
1319    {
1320       png_crc_finish(png_ptr, length);
1321       png_chunk_benign_error(png_ptr, "invalid");
1322       return;
1323    }
1324 
1325    png_crc_read(png_ptr, &intent, 1);
1326 
1327    if (png_crc_finish(png_ptr, 0) != 0)
1328       return;
1329 
1330    /* If a colorspace error has already been output skip this chunk */
1331    if ((png_ptr->colorspace.flags & PNG_COLORSPACE_INVALID) != 0)
1332       return;
1333 
1334    /* Only one sRGB or iCCP chunk is allowed, use the HAVE_INTENT flag to detect
1335     * this.
1336     */
1337    if ((png_ptr->colorspace.flags & PNG_COLORSPACE_HAVE_INTENT) != 0)
1338    {
1339       png_ptr->colorspace.flags |= PNG_COLORSPACE_INVALID;
1340       png_colorspace_sync(png_ptr, info_ptr);
1341       png_chunk_benign_error(png_ptr, "too many profiles");
1342       return;
1343    }
1344 
1345    (void)png_colorspace_set_sRGB(png_ptr, &png_ptr->colorspace, intent);
1346    png_colorspace_sync(png_ptr, info_ptr);
1347 }
1348 #endif /* READ_sRGB */
1349 
1350 #ifdef PNG_READ_iCCP_SUPPORTED
1351 void /* PRIVATE */
png_handle_iCCP(png_structrp png_ptr,png_inforp info_ptr,png_uint_32 length)1352 png_handle_iCCP(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
1353 /* Note: this does not properly handle profiles that are > 64K under DOS */
1354 {
1355    png_const_charp errmsg = NULL; /* error message output, or no error */
1356    int finished = 0; /* crc checked */
1357 
1358    png_debug(1, "in png_handle_iCCP");
1359 
1360    if ((png_ptr->mode & PNG_HAVE_IHDR) == 0)
1361       png_chunk_error(png_ptr, "missing IHDR");
1362 
1363    else if ((png_ptr->mode & (PNG_HAVE_IDAT|PNG_HAVE_PLTE)) != 0)
1364    {
1365       png_crc_finish(png_ptr, length);
1366       png_chunk_benign_error(png_ptr, "out of place");
1367       return;
1368    }
1369 
1370    /* Consistent with all the above colorspace handling an obviously *invalid*
1371     * chunk is just ignored, so does not invalidate the color space.  An
1372     * alternative is to set the 'invalid' flags at the start of this routine
1373     * and only clear them in they were not set before and all the tests pass.
1374     * The minimum 'deflate' stream is assumed to be just the 2 byte header and
1375     * 4 byte checksum.  The keyword must be at least one character and there is
1376     * a terminator (0) byte and the compression method.
1377     */
1378    if (length < 9)
1379    {
1380       png_crc_finish(png_ptr, length);
1381       png_chunk_benign_error(png_ptr, "too short");
1382       return;
1383    }
1384 
1385    /* If a colorspace error has already been output skip this chunk */
1386    if ((png_ptr->colorspace.flags & PNG_COLORSPACE_INVALID) != 0)
1387    {
1388       png_crc_finish(png_ptr, length);
1389       return;
1390    }
1391 
1392    /* Only one sRGB or iCCP chunk is allowed, use the HAVE_INTENT flag to detect
1393     * this.
1394     */
1395    if ((png_ptr->colorspace.flags & PNG_COLORSPACE_HAVE_INTENT) == 0)
1396    {
1397       uInt read_length, keyword_length;
1398       char keyword[81];
1399 
1400       /* Find the keyword; the keyword plus separator and compression method
1401        * bytes can be at most 81 characters long.
1402        */
1403       read_length = 81; /* maximum */
1404       if (read_length > length)
1405          read_length = (uInt)length;
1406 
1407       png_crc_read(png_ptr, (png_bytep)keyword, read_length);
1408       length -= read_length;
1409 
1410       keyword_length = 0;
1411       while (keyword_length < 80 && keyword_length < read_length &&
1412          keyword[keyword_length] != 0)
1413          ++keyword_length;
1414 
1415       /* TODO: make the keyword checking common */
1416       if (keyword_length >= 1 && keyword_length <= 79)
1417       {
1418          /* We only understand '0' compression - deflate - so if we get a
1419           * different value we can't safely decode the chunk.
1420           */
1421          if (keyword_length+1 < read_length &&
1422             keyword[keyword_length+1] == PNG_COMPRESSION_TYPE_BASE)
1423          {
1424             read_length -= keyword_length+2;
1425 
1426             if (png_inflate_claim(png_ptr, png_iCCP) == Z_OK)
1427             {
1428                Byte profile_header[132];
1429                Byte local_buffer[PNG_INFLATE_BUF_SIZE];
1430                png_alloc_size_t size = (sizeof profile_header);
1431 
1432                png_ptr->zstream.next_in = (Bytef*)keyword + (keyword_length+2);
1433                png_ptr->zstream.avail_in = read_length;
1434                (void)png_inflate_read(png_ptr, local_buffer,
1435                   (sizeof local_buffer), &length, profile_header, &size,
1436                   0/*finish: don't, because the output is too small*/);
1437 
1438                if (size == 0)
1439                {
1440                   /* We have the ICC profile header; do the basic header checks.
1441                    */
1442                   const png_uint_32 profile_length =
1443                      png_get_uint_32(profile_header);
1444 
1445                   if (png_icc_check_length(png_ptr, &png_ptr->colorspace,
1446                      keyword, profile_length) != 0)
1447                   {
1448                      /* The length is apparently ok, so we can check the 132
1449                       * byte header.
1450                       */
1451                      if (png_icc_check_header(png_ptr, &png_ptr->colorspace,
1452                         keyword, profile_length, profile_header,
1453                         png_ptr->color_type) != 0)
1454                      {
1455                         /* Now read the tag table; a variable size buffer is
1456                          * needed at this point, allocate one for the whole
1457                          * profile.  The header check has already validated
1458                          * that none of these stuff will overflow.
1459                          */
1460                         const png_uint_32 tag_count = png_get_uint_32(
1461                            profile_header+128);
1462                         png_bytep profile = png_read_buffer(png_ptr,
1463                            profile_length, 2/*silent*/);
1464 
1465                         if (profile != NULL)
1466                         {
1467                            memcpy(profile, profile_header,
1468                               (sizeof profile_header));
1469 
1470                            size = 12 * tag_count;
1471 
1472                            (void)png_inflate_read(png_ptr, local_buffer,
1473                               (sizeof local_buffer), &length,
1474                               profile + (sizeof profile_header), &size, 0);
1475 
1476                            /* Still expect a buffer error because we expect
1477                             * there to be some tag data!
1478                             */
1479                            if (size == 0)
1480                            {
1481                               if (png_icc_check_tag_table(png_ptr,
1482                                  &png_ptr->colorspace, keyword, profile_length,
1483                                  profile) != 0)
1484                               {
1485                                  /* The profile has been validated for basic
1486                                   * security issues, so read the whole thing in.
1487                                   */
1488                                  size = profile_length - (sizeof profile_header)
1489                                     - 12 * tag_count;
1490 
1491                                  (void)png_inflate_read(png_ptr, local_buffer,
1492                                     (sizeof local_buffer), &length,
1493                                     profile + (sizeof profile_header) +
1494                                     12 * tag_count, &size, 1/*finish*/);
1495 
1496                                  if (length > 0 && !(png_ptr->flags &
1497                                        PNG_FLAG_BENIGN_ERRORS_WARN))
1498                                     errmsg = "extra compressed data";
1499 
1500                                  /* But otherwise allow extra data: */
1501                                  else if (size == 0)
1502                                  {
1503                                     if (length > 0)
1504                                     {
1505                                        /* This can be handled completely, so
1506                                         * keep going.
1507                                         */
1508                                        png_chunk_warning(png_ptr,
1509                                           "extra compressed data");
1510                                     }
1511 
1512                                     png_crc_finish(png_ptr, length);
1513                                     finished = 1;
1514 
1515 #                                   ifdef PNG_sRGB_SUPPORTED
1516                                     /* Check for a match against sRGB */
1517                                     png_icc_set_sRGB(png_ptr,
1518                                        &png_ptr->colorspace, profile,
1519                                        png_ptr->zstream.adler);
1520 #                                   endif
1521 
1522                                     /* Steal the profile for info_ptr. */
1523                                     if (info_ptr != NULL)
1524                                     {
1525                                        png_free_data(png_ptr, info_ptr,
1526                                           PNG_FREE_ICCP, 0);
1527 
1528                                        info_ptr->iccp_name = png_voidcast(char*,
1529                                           png_malloc_base(png_ptr,
1530                                           keyword_length+1));
1531                                        if (info_ptr->iccp_name != NULL)
1532                                        {
1533                                           memcpy(info_ptr->iccp_name, keyword,
1534                                              keyword_length+1);
1535                                           info_ptr->iccp_proflen =
1536                                              profile_length;
1537                                           info_ptr->iccp_profile = profile;
1538                                           png_ptr->read_buffer = NULL; /*steal*/
1539                                           info_ptr->free_me |= PNG_FREE_ICCP;
1540                                           info_ptr->valid |= PNG_INFO_iCCP;
1541                                        }
1542 
1543                                        else
1544                                        {
1545                                           png_ptr->colorspace.flags |=
1546                                              PNG_COLORSPACE_INVALID;
1547                                           errmsg = "out of memory";
1548                                        }
1549                                     }
1550 
1551                                     /* else the profile remains in the read
1552                                      * buffer which gets reused for subsequent
1553                                      * chunks.
1554                                      */
1555 
1556                                     if (info_ptr != NULL)
1557                                        png_colorspace_sync(png_ptr, info_ptr);
1558 
1559                                     if (errmsg == NULL)
1560                                     {
1561                                        png_ptr->zowner = 0;
1562                                        return;
1563                                     }
1564                                  }
1565 
1566                                  else if (size > 0)
1567                                     errmsg = "truncated";
1568 
1569 #ifndef __COVERITY__
1570                                  else
1571                                     errmsg = png_ptr->zstream.msg;
1572 #endif
1573                               }
1574 
1575                               /* else png_icc_check_tag_table output an error */
1576                            }
1577 
1578                            else /* profile truncated */
1579                               errmsg = png_ptr->zstream.msg;
1580                         }
1581 
1582                         else
1583                            errmsg = "out of memory";
1584                      }
1585 
1586                      /* else png_icc_check_header output an error */
1587                   }
1588 
1589                   /* else png_icc_check_length output an error */
1590                }
1591 
1592                else /* profile truncated */
1593                   errmsg = png_ptr->zstream.msg;
1594 
1595                /* Release the stream */
1596                png_ptr->zowner = 0;
1597             }
1598 
1599             else /* png_inflate_claim failed */
1600                errmsg = png_ptr->zstream.msg;
1601          }
1602 
1603          else
1604             errmsg = "bad compression method"; /* or missing */
1605       }
1606 
1607       else
1608          errmsg = "bad keyword";
1609    }
1610 
1611    else
1612       errmsg = "too many profiles";
1613 
1614    /* Failure: the reason is in 'errmsg' */
1615    if (finished == 0)
1616       png_crc_finish(png_ptr, length);
1617 
1618    png_ptr->colorspace.flags |= PNG_COLORSPACE_INVALID;
1619    png_colorspace_sync(png_ptr, info_ptr);
1620    if (errmsg != NULL) /* else already output */
1621       png_chunk_benign_error(png_ptr, errmsg);
1622 }
1623 #endif /* READ_iCCP */
1624 
1625 #ifdef PNG_READ_sPLT_SUPPORTED
1626 void /* PRIVATE */
png_handle_sPLT(png_structrp png_ptr,png_inforp info_ptr,png_uint_32 length)1627 png_handle_sPLT(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
1628 /* Note: this does not properly handle chunks that are > 64K under DOS */
1629 {
1630    png_bytep entry_start, buffer;
1631    png_sPLT_t new_palette;
1632    png_sPLT_entryp pp;
1633    png_uint_32 data_length;
1634    int entry_size, i;
1635    png_uint_32 skip = 0;
1636    png_uint_32 dl;
1637    png_size_t max_dl;
1638 
1639    png_debug(1, "in png_handle_sPLT");
1640 
1641 #ifdef PNG_USER_LIMITS_SUPPORTED
1642    if (png_ptr->user_chunk_cache_max != 0)
1643    {
1644       if (png_ptr->user_chunk_cache_max == 1)
1645       {
1646          png_crc_finish(png_ptr, length);
1647          return;
1648       }
1649 
1650       if (--png_ptr->user_chunk_cache_max == 1)
1651       {
1652          png_warning(png_ptr, "No space in chunk cache for sPLT");
1653          png_crc_finish(png_ptr, length);
1654          return;
1655       }
1656    }
1657 #endif
1658 
1659    if ((png_ptr->mode & PNG_HAVE_IHDR) == 0)
1660       png_chunk_error(png_ptr, "missing IHDR");
1661 
1662    else if ((png_ptr->mode & PNG_HAVE_IDAT) != 0)
1663    {
1664       png_crc_finish(png_ptr, length);
1665       png_chunk_benign_error(png_ptr, "out of place");
1666       return;
1667    }
1668 
1669 #ifdef PNG_MAX_MALLOC_64K
1670    if (length > 65535U)
1671    {
1672       png_crc_finish(png_ptr, length);
1673       png_chunk_benign_error(png_ptr, "too large to fit in memory");
1674       return;
1675    }
1676 #endif
1677 
1678    buffer = png_read_buffer(png_ptr, length+1, 2/*silent*/);
1679    if (buffer == NULL)
1680    {
1681       png_crc_finish(png_ptr, length);
1682       png_chunk_benign_error(png_ptr, "out of memory");
1683       return;
1684    }
1685 
1686 
1687    /* WARNING: this may break if size_t is less than 32 bits; it is assumed
1688     * that the PNG_MAX_MALLOC_64K test is enabled in this case, but this is a
1689     * potential breakage point if the types in pngconf.h aren't exactly right.
1690     */
1691    png_crc_read(png_ptr, buffer, length);
1692 
1693    if (png_crc_finish(png_ptr, skip) != 0)
1694       return;
1695 
1696    buffer[length] = 0;
1697 
1698    for (entry_start = buffer; *entry_start; entry_start++)
1699       /* Empty loop to find end of name */ ;
1700 
1701    ++entry_start;
1702 
1703    /* A sample depth should follow the separator, and we should be on it  */
1704    if (length < 2U || entry_start > buffer + (length - 2U))
1705    {
1706       png_warning(png_ptr, "malformed sPLT chunk");
1707       return;
1708    }
1709 
1710    new_palette.depth = *entry_start++;
1711    entry_size = (new_palette.depth == 8 ? 6 : 10);
1712    /* This must fit in a png_uint_32 because it is derived from the original
1713     * chunk data length.
1714     */
1715    data_length = length - (png_uint_32)(entry_start - buffer);
1716 
1717    /* Integrity-check the data length */
1718    if ((data_length % entry_size) != 0)
1719    {
1720       png_warning(png_ptr, "sPLT chunk has bad length");
1721       return;
1722    }
1723 
1724    dl = (png_int_32)(data_length / entry_size);
1725    max_dl = PNG_SIZE_MAX / (sizeof (png_sPLT_entry));
1726 
1727    if (dl > max_dl)
1728    {
1729       png_warning(png_ptr, "sPLT chunk too long");
1730       return;
1731    }
1732 
1733    new_palette.nentries = (png_int_32)(data_length / entry_size);
1734 
1735    new_palette.entries = (png_sPLT_entryp)png_malloc_warn(
1736        png_ptr, new_palette.nentries * (sizeof (png_sPLT_entry)));
1737 
1738    if (new_palette.entries == NULL)
1739    {
1740       png_warning(png_ptr, "sPLT chunk requires too much memory");
1741       return;
1742    }
1743 
1744 #ifdef PNG_POINTER_INDEXING_SUPPORTED
1745    for (i = 0; i < new_palette.nentries; i++)
1746    {
1747       pp = new_palette.entries + i;
1748 
1749       if (new_palette.depth == 8)
1750       {
1751          pp->red = *entry_start++;
1752          pp->green = *entry_start++;
1753          pp->blue = *entry_start++;
1754          pp->alpha = *entry_start++;
1755       }
1756 
1757       else
1758       {
1759          pp->red   = png_get_uint_16(entry_start); entry_start += 2;
1760          pp->green = png_get_uint_16(entry_start); entry_start += 2;
1761          pp->blue  = png_get_uint_16(entry_start); entry_start += 2;
1762          pp->alpha = png_get_uint_16(entry_start); entry_start += 2;
1763       }
1764 
1765       pp->frequency = png_get_uint_16(entry_start); entry_start += 2;
1766    }
1767 #else
1768    pp = new_palette.entries;
1769 
1770    for (i = 0; i < new_palette.nentries; i++)
1771    {
1772 
1773       if (new_palette.depth == 8)
1774       {
1775          pp[i].red   = *entry_start++;
1776          pp[i].green = *entry_start++;
1777          pp[i].blue  = *entry_start++;
1778          pp[i].alpha = *entry_start++;
1779       }
1780 
1781       else
1782       {
1783          pp[i].red   = png_get_uint_16(entry_start); entry_start += 2;
1784          pp[i].green = png_get_uint_16(entry_start); entry_start += 2;
1785          pp[i].blue  = png_get_uint_16(entry_start); entry_start += 2;
1786          pp[i].alpha = png_get_uint_16(entry_start); entry_start += 2;
1787       }
1788 
1789       pp[i].frequency = png_get_uint_16(entry_start); entry_start += 2;
1790    }
1791 #endif
1792 
1793    /* Discard all chunk data except the name and stash that */
1794    new_palette.name = (png_charp)buffer;
1795 
1796    png_set_sPLT(png_ptr, info_ptr, &new_palette, 1);
1797 
1798    png_free(png_ptr, new_palette.entries);
1799 }
1800 #endif /* READ_sPLT */
1801 
1802 #ifdef PNG_READ_tRNS_SUPPORTED
1803 void /* PRIVATE */
png_handle_tRNS(png_structrp png_ptr,png_inforp info_ptr,png_uint_32 length)1804 png_handle_tRNS(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
1805 {
1806    png_byte readbuf[PNG_MAX_PALETTE_LENGTH];
1807 
1808    png_debug(1, "in png_handle_tRNS");
1809 
1810    if ((png_ptr->mode & PNG_HAVE_IHDR) == 0)
1811       png_chunk_error(png_ptr, "missing IHDR");
1812 
1813    else if ((png_ptr->mode & PNG_HAVE_IDAT) != 0)
1814    {
1815       png_crc_finish(png_ptr, length);
1816       png_chunk_benign_error(png_ptr, "out of place");
1817       return;
1818    }
1819 
1820    else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_tRNS) != 0)
1821    {
1822       png_crc_finish(png_ptr, length);
1823       png_chunk_benign_error(png_ptr, "duplicate");
1824       return;
1825    }
1826 
1827    if (png_ptr->color_type == PNG_COLOR_TYPE_GRAY)
1828    {
1829       png_byte buf[2];
1830 
1831       if (length != 2)
1832       {
1833          png_crc_finish(png_ptr, length);
1834          png_chunk_benign_error(png_ptr, "invalid");
1835          return;
1836       }
1837 
1838       png_crc_read(png_ptr, buf, 2);
1839       png_ptr->num_trans = 1;
1840       png_ptr->trans_color.gray = png_get_uint_16(buf);
1841    }
1842 
1843    else if (png_ptr->color_type == PNG_COLOR_TYPE_RGB)
1844    {
1845       png_byte buf[6];
1846 
1847       if (length != 6)
1848       {
1849          png_crc_finish(png_ptr, length);
1850          png_chunk_benign_error(png_ptr, "invalid");
1851          return;
1852       }
1853 
1854       png_crc_read(png_ptr, buf, length);
1855       png_ptr->num_trans = 1;
1856       png_ptr->trans_color.red = png_get_uint_16(buf);
1857       png_ptr->trans_color.green = png_get_uint_16(buf + 2);
1858       png_ptr->trans_color.blue = png_get_uint_16(buf + 4);
1859    }
1860 
1861    else if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
1862    {
1863       if ((png_ptr->mode & PNG_HAVE_PLTE) == 0)
1864       {
1865          /* TODO: is this actually an error in the ISO spec? */
1866          png_crc_finish(png_ptr, length);
1867          png_chunk_benign_error(png_ptr, "out of place");
1868          return;
1869       }
1870 
1871       if (length > (unsigned int) png_ptr->num_palette ||
1872          length > (unsigned int) PNG_MAX_PALETTE_LENGTH ||
1873          length == 0)
1874       {
1875          png_crc_finish(png_ptr, length);
1876          png_chunk_benign_error(png_ptr, "invalid");
1877          return;
1878       }
1879 
1880       png_crc_read(png_ptr, readbuf, length);
1881       png_ptr->num_trans = (png_uint_16)length;
1882    }
1883 
1884    else
1885    {
1886       png_crc_finish(png_ptr, length);
1887       png_chunk_benign_error(png_ptr, "invalid with alpha channel");
1888       return;
1889    }
1890 
1891    if (png_crc_finish(png_ptr, 0) != 0)
1892    {
1893       png_ptr->num_trans = 0;
1894       return;
1895    }
1896 
1897    /* TODO: this is a horrible side effect in the palette case because the
1898     * png_struct ends up with a pointer to the tRNS buffer owned by the
1899     * png_info.  Fix this.
1900     */
1901    png_set_tRNS(png_ptr, info_ptr, readbuf, png_ptr->num_trans,
1902        &(png_ptr->trans_color));
1903 }
1904 #endif
1905 
1906 #ifdef PNG_READ_bKGD_SUPPORTED
1907 void /* PRIVATE */
png_handle_bKGD(png_structrp png_ptr,png_inforp info_ptr,png_uint_32 length)1908 png_handle_bKGD(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
1909 {
1910    unsigned int truelen;
1911    png_byte buf[6];
1912    png_color_16 background;
1913 
1914    png_debug(1, "in png_handle_bKGD");
1915 
1916    if ((png_ptr->mode & PNG_HAVE_IHDR) == 0)
1917       png_chunk_error(png_ptr, "missing IHDR");
1918 
1919    else if ((png_ptr->mode & PNG_HAVE_IDAT) != 0 ||
1920        (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE &&
1921        (png_ptr->mode & PNG_HAVE_PLTE) == 0))
1922    {
1923       png_crc_finish(png_ptr, length);
1924       png_chunk_benign_error(png_ptr, "out of place");
1925       return;
1926    }
1927 
1928    else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_bKGD) != 0)
1929    {
1930       png_crc_finish(png_ptr, length);
1931       png_chunk_benign_error(png_ptr, "duplicate");
1932       return;
1933    }
1934 
1935    if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
1936       truelen = 1;
1937 
1938    else if ((png_ptr->color_type & PNG_COLOR_MASK_COLOR) != 0)
1939       truelen = 6;
1940 
1941    else
1942       truelen = 2;
1943 
1944    if (length != truelen)
1945    {
1946       png_crc_finish(png_ptr, length);
1947       png_chunk_benign_error(png_ptr, "invalid");
1948       return;
1949    }
1950 
1951    png_crc_read(png_ptr, buf, truelen);
1952 
1953    if (png_crc_finish(png_ptr, 0) != 0)
1954       return;
1955 
1956    /* We convert the index value into RGB components so that we can allow
1957     * arbitrary RGB values for background when we have transparency, and
1958     * so it is easy to determine the RGB values of the background color
1959     * from the info_ptr struct.
1960     */
1961    if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
1962    {
1963       background.index = buf[0];
1964 
1965       if (info_ptr != NULL && info_ptr->num_palette != 0)
1966       {
1967          if (buf[0] >= info_ptr->num_palette)
1968          {
1969             png_chunk_benign_error(png_ptr, "invalid index");
1970             return;
1971          }
1972 
1973          background.red = (png_uint_16)png_ptr->palette[buf[0]].red;
1974          background.green = (png_uint_16)png_ptr->palette[buf[0]].green;
1975          background.blue = (png_uint_16)png_ptr->palette[buf[0]].blue;
1976       }
1977 
1978       else
1979          background.red = background.green = background.blue = 0;
1980 
1981       background.gray = 0;
1982    }
1983 
1984    else if ((png_ptr->color_type & PNG_COLOR_MASK_COLOR) == 0) /* GRAY */
1985    {
1986       background.index = 0;
1987       background.red =
1988       background.green =
1989       background.blue =
1990       background.gray = png_get_uint_16(buf);
1991    }
1992 
1993    else
1994    {
1995       background.index = 0;
1996       background.red = png_get_uint_16(buf);
1997       background.green = png_get_uint_16(buf + 2);
1998       background.blue = png_get_uint_16(buf + 4);
1999       background.gray = 0;
2000    }
2001 
2002    png_set_bKGD(png_ptr, info_ptr, &background);
2003 }
2004 #endif
2005 
2006 #ifdef PNG_READ_hIST_SUPPORTED
2007 void /* PRIVATE */
png_handle_hIST(png_structrp png_ptr,png_inforp info_ptr,png_uint_32 length)2008 png_handle_hIST(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
2009 {
2010    unsigned int num, i;
2011    png_uint_16 readbuf[PNG_MAX_PALETTE_LENGTH];
2012 
2013    png_debug(1, "in png_handle_hIST");
2014 
2015    if ((png_ptr->mode & PNG_HAVE_IHDR) == 0)
2016       png_chunk_error(png_ptr, "missing IHDR");
2017 
2018    else if ((png_ptr->mode & PNG_HAVE_IDAT) != 0 ||
2019        (png_ptr->mode & PNG_HAVE_PLTE) == 0)
2020    {
2021       png_crc_finish(png_ptr, length);
2022       png_chunk_benign_error(png_ptr, "out of place");
2023       return;
2024    }
2025 
2026    else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_hIST) != 0)
2027    {
2028       png_crc_finish(png_ptr, length);
2029       png_chunk_benign_error(png_ptr, "duplicate");
2030       return;
2031    }
2032 
2033    num = length / 2 ;
2034 
2035    if (num != (unsigned int) png_ptr->num_palette ||
2036        num > (unsigned int) PNG_MAX_PALETTE_LENGTH)
2037    {
2038       png_crc_finish(png_ptr, length);
2039       png_chunk_benign_error(png_ptr, "invalid");
2040       return;
2041    }
2042 
2043    for (i = 0; i < num; i++)
2044    {
2045       png_byte buf[2];
2046 
2047       png_crc_read(png_ptr, buf, 2);
2048       readbuf[i] = png_get_uint_16(buf);
2049    }
2050 
2051    if (png_crc_finish(png_ptr, 0) != 0)
2052       return;
2053 
2054    png_set_hIST(png_ptr, info_ptr, readbuf);
2055 }
2056 #endif
2057 
2058 #ifdef PNG_READ_pHYs_SUPPORTED
2059 void /* PRIVATE */
png_handle_pHYs(png_structrp png_ptr,png_inforp info_ptr,png_uint_32 length)2060 png_handle_pHYs(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
2061 {
2062    png_byte buf[9];
2063    png_uint_32 res_x, res_y;
2064    int unit_type;
2065 
2066    png_debug(1, "in png_handle_pHYs");
2067 
2068    if ((png_ptr->mode & PNG_HAVE_IHDR) == 0)
2069       png_chunk_error(png_ptr, "missing IHDR");
2070 
2071    else if ((png_ptr->mode & PNG_HAVE_IDAT) != 0)
2072    {
2073       png_crc_finish(png_ptr, length);
2074       png_chunk_benign_error(png_ptr, "out of place");
2075       return;
2076    }
2077 
2078    else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_pHYs) != 0)
2079    {
2080       png_crc_finish(png_ptr, length);
2081       png_chunk_benign_error(png_ptr, "duplicate");
2082       return;
2083    }
2084 
2085    if (length != 9)
2086    {
2087       png_crc_finish(png_ptr, length);
2088       png_chunk_benign_error(png_ptr, "invalid");
2089       return;
2090    }
2091 
2092    png_crc_read(png_ptr, buf, 9);
2093 
2094    if (png_crc_finish(png_ptr, 0) != 0)
2095       return;
2096 
2097    res_x = png_get_uint_32(buf);
2098    res_y = png_get_uint_32(buf + 4);
2099    unit_type = buf[8];
2100    png_set_pHYs(png_ptr, info_ptr, res_x, res_y, unit_type);
2101 }
2102 #endif
2103 
2104 #ifdef PNG_READ_oFFs_SUPPORTED
2105 void /* PRIVATE */
png_handle_oFFs(png_structrp png_ptr,png_inforp info_ptr,png_uint_32 length)2106 png_handle_oFFs(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
2107 {
2108    png_byte buf[9];
2109    png_int_32 offset_x, offset_y;
2110    int unit_type;
2111 
2112    png_debug(1, "in png_handle_oFFs");
2113 
2114    if ((png_ptr->mode & PNG_HAVE_IHDR) == 0)
2115       png_chunk_error(png_ptr, "missing IHDR");
2116 
2117    else if ((png_ptr->mode & PNG_HAVE_IDAT) != 0)
2118    {
2119       png_crc_finish(png_ptr, length);
2120       png_chunk_benign_error(png_ptr, "out of place");
2121       return;
2122    }
2123 
2124    else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_oFFs) != 0)
2125    {
2126       png_crc_finish(png_ptr, length);
2127       png_chunk_benign_error(png_ptr, "duplicate");
2128       return;
2129    }
2130 
2131    if (length != 9)
2132    {
2133       png_crc_finish(png_ptr, length);
2134       png_chunk_benign_error(png_ptr, "invalid");
2135       return;
2136    }
2137 
2138    png_crc_read(png_ptr, buf, 9);
2139 
2140    if (png_crc_finish(png_ptr, 0) != 0)
2141       return;
2142 
2143    offset_x = png_get_int_32(buf);
2144    offset_y = png_get_int_32(buf + 4);
2145    unit_type = buf[8];
2146    png_set_oFFs(png_ptr, info_ptr, offset_x, offset_y, unit_type);
2147 }
2148 #endif
2149 
2150 #ifdef PNG_READ_pCAL_SUPPORTED
2151 /* Read the pCAL chunk (described in the PNG Extensions document) */
2152 void /* PRIVATE */
png_handle_pCAL(png_structrp png_ptr,png_inforp info_ptr,png_uint_32 length)2153 png_handle_pCAL(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
2154 {
2155    png_int_32 X0, X1;
2156    png_byte type, nparams;
2157    png_bytep buffer, buf, units, endptr;
2158    png_charpp params;
2159    int i;
2160 
2161    png_debug(1, "in png_handle_pCAL");
2162 
2163    if ((png_ptr->mode & PNG_HAVE_IHDR) == 0)
2164       png_chunk_error(png_ptr, "missing IHDR");
2165 
2166    else if ((png_ptr->mode & PNG_HAVE_IDAT) != 0)
2167    {
2168       png_crc_finish(png_ptr, length);
2169       png_chunk_benign_error(png_ptr, "out of place");
2170       return;
2171    }
2172 
2173    else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_pCAL) != 0)
2174    {
2175       png_crc_finish(png_ptr, length);
2176       png_chunk_benign_error(png_ptr, "duplicate");
2177       return;
2178    }
2179 
2180    png_debug1(2, "Allocating and reading pCAL chunk data (%u bytes)",
2181        length + 1);
2182 
2183    buffer = png_read_buffer(png_ptr, length+1, 2/*silent*/);
2184 
2185    if (buffer == NULL)
2186    {
2187       png_crc_finish(png_ptr, length);
2188       png_chunk_benign_error(png_ptr, "out of memory");
2189       return;
2190    }
2191 
2192    png_crc_read(png_ptr, buffer, length);
2193 
2194    if (png_crc_finish(png_ptr, 0) != 0)
2195       return;
2196 
2197    buffer[length] = 0; /* Null terminate the last string */
2198 
2199    png_debug(3, "Finding end of pCAL purpose string");
2200    for (buf = buffer; *buf; buf++)
2201       /* Empty loop */ ;
2202 
2203    endptr = buffer + length;
2204 
2205    /* We need to have at least 12 bytes after the purpose string
2206     * in order to get the parameter information.
2207     */
2208    if (endptr - buf <= 12)
2209    {
2210       png_chunk_benign_error(png_ptr, "invalid");
2211       return;
2212    }
2213 
2214    png_debug(3, "Reading pCAL X0, X1, type, nparams, and units");
2215    X0 = png_get_int_32((png_bytep)buf+1);
2216    X1 = png_get_int_32((png_bytep)buf+5);
2217    type = buf[9];
2218    nparams = buf[10];
2219    units = buf + 11;
2220 
2221    png_debug(3, "Checking pCAL equation type and number of parameters");
2222    /* Check that we have the right number of parameters for known
2223     * equation types.
2224     */
2225    if ((type == PNG_EQUATION_LINEAR && nparams != 2) ||
2226        (type == PNG_EQUATION_BASE_E && nparams != 3) ||
2227        (type == PNG_EQUATION_ARBITRARY && nparams != 3) ||
2228        (type == PNG_EQUATION_HYPERBOLIC && nparams != 4))
2229    {
2230       png_chunk_benign_error(png_ptr, "invalid parameter count");
2231       return;
2232    }
2233 
2234    else if (type >= PNG_EQUATION_LAST)
2235    {
2236       png_chunk_benign_error(png_ptr, "unrecognized equation type");
2237    }
2238 
2239    for (buf = units; *buf; buf++)
2240       /* Empty loop to move past the units string. */ ;
2241 
2242    png_debug(3, "Allocating pCAL parameters array");
2243 
2244    params = png_voidcast(png_charpp, png_malloc_warn(png_ptr,
2245        nparams * (sizeof (png_charp))));
2246 
2247    if (params == NULL)
2248    {
2249       png_chunk_benign_error(png_ptr, "out of memory");
2250       return;
2251    }
2252 
2253    /* Get pointers to the start of each parameter string. */
2254    for (i = 0; i < nparams; i++)
2255    {
2256       buf++; /* Skip the null string terminator from previous parameter. */
2257 
2258       png_debug1(3, "Reading pCAL parameter %d", i);
2259 
2260       for (params[i] = (png_charp)buf; buf <= endptr && *buf != 0; buf++)
2261          /* Empty loop to move past each parameter string */ ;
2262 
2263       /* Make sure we haven't run out of data yet */
2264       if (buf > endptr)
2265       {
2266          png_free(png_ptr, params);
2267          png_chunk_benign_error(png_ptr, "invalid data");
2268          return;
2269       }
2270    }
2271 
2272    png_set_pCAL(png_ptr, info_ptr, (png_charp)buffer, X0, X1, type, nparams,
2273       (png_charp)units, params);
2274 
2275    png_free(png_ptr, params);
2276 }
2277 #endif
2278 
2279 #ifdef PNG_READ_sCAL_SUPPORTED
2280 /* Read the sCAL chunk */
2281 void /* PRIVATE */
png_handle_sCAL(png_structrp png_ptr,png_inforp info_ptr,png_uint_32 length)2282 png_handle_sCAL(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
2283 {
2284    png_bytep buffer;
2285    png_size_t i;
2286    int state;
2287 
2288    png_debug(1, "in png_handle_sCAL");
2289 
2290    if ((png_ptr->mode & PNG_HAVE_IHDR) == 0)
2291       png_chunk_error(png_ptr, "missing IHDR");
2292 
2293    else if ((png_ptr->mode & PNG_HAVE_IDAT) != 0)
2294    {
2295       png_crc_finish(png_ptr, length);
2296       png_chunk_benign_error(png_ptr, "out of place");
2297       return;
2298    }
2299 
2300    else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_sCAL) != 0)
2301    {
2302       png_crc_finish(png_ptr, length);
2303       png_chunk_benign_error(png_ptr, "duplicate");
2304       return;
2305    }
2306 
2307    /* Need unit type, width, \0, height: minimum 4 bytes */
2308    else if (length < 4)
2309    {
2310       png_crc_finish(png_ptr, length);
2311       png_chunk_benign_error(png_ptr, "invalid");
2312       return;
2313    }
2314 
2315    png_debug1(2, "Allocating and reading sCAL chunk data (%u bytes)",
2316       length + 1);
2317 
2318    buffer = png_read_buffer(png_ptr, length+1, 2/*silent*/);
2319 
2320    if (buffer == NULL)
2321    {
2322       png_chunk_benign_error(png_ptr, "out of memory");
2323       png_crc_finish(png_ptr, length);
2324       return;
2325    }
2326 
2327    png_crc_read(png_ptr, buffer, length);
2328    buffer[length] = 0; /* Null terminate the last string */
2329 
2330    if (png_crc_finish(png_ptr, 0) != 0)
2331       return;
2332 
2333    /* Validate the unit. */
2334    if (buffer[0] != 1 && buffer[0] != 2)
2335    {
2336       png_chunk_benign_error(png_ptr, "invalid unit");
2337       return;
2338    }
2339 
2340    /* Validate the ASCII numbers, need two ASCII numbers separated by
2341     * a '\0' and they need to fit exactly in the chunk data.
2342     */
2343    i = 1;
2344    state = 0;
2345 
2346    if (png_check_fp_number((png_const_charp)buffer, length, &state, &i) == 0 ||
2347        i >= length || buffer[i++] != 0)
2348       png_chunk_benign_error(png_ptr, "bad width format");
2349 
2350    else if (PNG_FP_IS_POSITIVE(state) == 0)
2351       png_chunk_benign_error(png_ptr, "non-positive width");
2352 
2353    else
2354    {
2355       png_size_t heighti = i;
2356 
2357       state = 0;
2358       if (png_check_fp_number((png_const_charp)buffer, length,
2359           &state, &i) == 0 || i != length)
2360          png_chunk_benign_error(png_ptr, "bad height format");
2361 
2362       else if (PNG_FP_IS_POSITIVE(state) == 0)
2363          png_chunk_benign_error(png_ptr, "non-positive height");
2364 
2365       else
2366          /* This is the (only) success case. */
2367          png_set_sCAL_s(png_ptr, info_ptr, buffer[0],
2368             (png_charp)buffer+1, (png_charp)buffer+heighti);
2369    }
2370 }
2371 #endif
2372 
2373 #ifdef PNG_READ_tIME_SUPPORTED
2374 void /* PRIVATE */
png_handle_tIME(png_structrp png_ptr,png_inforp info_ptr,png_uint_32 length)2375 png_handle_tIME(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
2376 {
2377    png_byte buf[7];
2378    png_time mod_time;
2379 
2380    png_debug(1, "in png_handle_tIME");
2381 
2382    if ((png_ptr->mode & PNG_HAVE_IHDR) == 0)
2383       png_chunk_error(png_ptr, "missing IHDR");
2384 
2385    else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_tIME) != 0)
2386    {
2387       png_crc_finish(png_ptr, length);
2388       png_chunk_benign_error(png_ptr, "duplicate");
2389       return;
2390    }
2391 
2392    if ((png_ptr->mode & PNG_HAVE_IDAT) != 0)
2393       png_ptr->mode |= PNG_AFTER_IDAT;
2394 
2395    if (length != 7)
2396    {
2397       png_crc_finish(png_ptr, length);
2398       png_chunk_benign_error(png_ptr, "invalid");
2399       return;
2400    }
2401 
2402    png_crc_read(png_ptr, buf, 7);
2403 
2404    if (png_crc_finish(png_ptr, 0) != 0)
2405       return;
2406 
2407    mod_time.second = buf[6];
2408    mod_time.minute = buf[5];
2409    mod_time.hour = buf[4];
2410    mod_time.day = buf[3];
2411    mod_time.month = buf[2];
2412    mod_time.year = png_get_uint_16(buf);
2413 
2414    png_set_tIME(png_ptr, info_ptr, &mod_time);
2415 }
2416 #endif
2417 
2418 #ifdef PNG_READ_tEXt_SUPPORTED
2419 /* Note: this does not properly handle chunks that are > 64K under DOS */
2420 void /* PRIVATE */
png_handle_tEXt(png_structrp png_ptr,png_inforp info_ptr,png_uint_32 length)2421 png_handle_tEXt(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
2422 {
2423    png_text  text_info;
2424    png_bytep buffer;
2425    png_charp key;
2426    png_charp text;
2427    png_uint_32 skip = 0;
2428 
2429    png_debug(1, "in png_handle_tEXt");
2430 
2431 #ifdef PNG_USER_LIMITS_SUPPORTED
2432    if (png_ptr->user_chunk_cache_max != 0)
2433    {
2434       if (png_ptr->user_chunk_cache_max == 1)
2435       {
2436          png_crc_finish(png_ptr, length);
2437          return;
2438       }
2439 
2440       if (--png_ptr->user_chunk_cache_max == 1)
2441       {
2442          png_crc_finish(png_ptr, length);
2443          png_chunk_benign_error(png_ptr, "no space in chunk cache");
2444          return;
2445       }
2446    }
2447 #endif
2448 
2449    if ((png_ptr->mode & PNG_HAVE_IHDR) == 0)
2450       png_chunk_error(png_ptr, "missing IHDR");
2451 
2452    if ((png_ptr->mode & PNG_HAVE_IDAT) != 0)
2453       png_ptr->mode |= PNG_AFTER_IDAT;
2454 
2455 #ifdef PNG_MAX_MALLOC_64K
2456    if (length > 65535U)
2457    {
2458       png_crc_finish(png_ptr, length);
2459       png_chunk_benign_error(png_ptr, "too large to fit in memory");
2460       return;
2461    }
2462 #endif
2463 
2464    buffer = png_read_buffer(png_ptr, length+1, 1/*warn*/);
2465 
2466    if (buffer == NULL)
2467    {
2468      png_chunk_benign_error(png_ptr, "out of memory");
2469      return;
2470    }
2471 
2472    png_crc_read(png_ptr, buffer, length);
2473 
2474    if (png_crc_finish(png_ptr, skip) != 0)
2475       return;
2476 
2477    key = (png_charp)buffer;
2478    key[length] = 0;
2479 
2480    for (text = key; *text; text++)
2481       /* Empty loop to find end of key */ ;
2482 
2483    if (text != key + length)
2484       text++;
2485 
2486    text_info.compression = PNG_TEXT_COMPRESSION_NONE;
2487    text_info.key = key;
2488    text_info.lang = NULL;
2489    text_info.lang_key = NULL;
2490    text_info.itxt_length = 0;
2491    text_info.text = text;
2492    text_info.text_length = strlen(text);
2493 
2494    if (png_set_text_2(png_ptr, info_ptr, &text_info, 1) != 0)
2495       png_warning(png_ptr, "Insufficient memory to process text chunk");
2496 }
2497 #endif
2498 
2499 #ifdef PNG_READ_zTXt_SUPPORTED
2500 /* Note: this does not correctly handle chunks that are > 64K under DOS */
2501 void /* PRIVATE */
png_handle_zTXt(png_structrp png_ptr,png_inforp info_ptr,png_uint_32 length)2502 png_handle_zTXt(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
2503 {
2504    png_const_charp errmsg = NULL;
2505    png_bytep       buffer;
2506    png_uint_32     keyword_length;
2507 
2508    png_debug(1, "in png_handle_zTXt");
2509 
2510 #ifdef PNG_USER_LIMITS_SUPPORTED
2511    if (png_ptr->user_chunk_cache_max != 0)
2512    {
2513       if (png_ptr->user_chunk_cache_max == 1)
2514       {
2515          png_crc_finish(png_ptr, length);
2516          return;
2517       }
2518 
2519       if (--png_ptr->user_chunk_cache_max == 1)
2520       {
2521          png_crc_finish(png_ptr, length);
2522          png_chunk_benign_error(png_ptr, "no space in chunk cache");
2523          return;
2524       }
2525    }
2526 #endif
2527 
2528    if ((png_ptr->mode & PNG_HAVE_IHDR) == 0)
2529       png_chunk_error(png_ptr, "missing IHDR");
2530 
2531    if ((png_ptr->mode & PNG_HAVE_IDAT) != 0)
2532       png_ptr->mode |= PNG_AFTER_IDAT;
2533 
2534    buffer = png_read_buffer(png_ptr, length, 2/*silent*/);
2535 
2536    if (buffer == NULL)
2537    {
2538       png_crc_finish(png_ptr, length);
2539       png_chunk_benign_error(png_ptr, "out of memory");
2540       return;
2541    }
2542 
2543    png_crc_read(png_ptr, buffer, length);
2544 
2545    if (png_crc_finish(png_ptr, 0) != 0)
2546       return;
2547 
2548    /* TODO: also check that the keyword contents match the spec! */
2549    for (keyword_length = 0;
2550       keyword_length < length && buffer[keyword_length] != 0;
2551       ++keyword_length)
2552       /* Empty loop to find end of name */ ;
2553 
2554    if (keyword_length > 79 || keyword_length < 1)
2555       errmsg = "bad keyword";
2556 
2557    /* zTXt must have some LZ data after the keyword, although it may expand to
2558     * zero bytes; we need a '\0' at the end of the keyword, the compression type
2559     * then the LZ data:
2560     */
2561    else if (keyword_length + 3 > length)
2562       errmsg = "truncated";
2563 
2564    else if (buffer[keyword_length+1] != PNG_COMPRESSION_TYPE_BASE)
2565       errmsg = "unknown compression type";
2566 
2567    else
2568    {
2569       png_alloc_size_t uncompressed_length = PNG_SIZE_MAX;
2570 
2571       /* TODO: at present png_decompress_chunk imposes a single application
2572        * level memory limit, this should be split to different values for iCCP
2573        * and text chunks.
2574        */
2575       if (png_decompress_chunk(png_ptr, length, keyword_length+2,
2576          &uncompressed_length, 1/*terminate*/) == Z_STREAM_END)
2577       {
2578          png_text text;
2579 
2580          /* It worked; png_ptr->read_buffer now looks like a tEXt chunk except
2581           * for the extra compression type byte and the fact that it isn't
2582           * necessarily '\0' terminated.
2583           */
2584          buffer = png_ptr->read_buffer;
2585          buffer[uncompressed_length+(keyword_length+2)] = 0;
2586 
2587          text.compression = PNG_TEXT_COMPRESSION_zTXt;
2588          text.key = (png_charp)buffer;
2589          text.text = (png_charp)(buffer + keyword_length+2);
2590          text.text_length = uncompressed_length;
2591          text.itxt_length = 0;
2592          text.lang = NULL;
2593          text.lang_key = NULL;
2594 
2595          if (png_set_text_2(png_ptr, info_ptr, &text, 1) != 0)
2596             errmsg = "insufficient memory";
2597       }
2598 
2599       else
2600          errmsg = png_ptr->zstream.msg;
2601    }
2602 
2603    if (errmsg != NULL)
2604       png_chunk_benign_error(png_ptr, errmsg);
2605 }
2606 #endif
2607 
2608 #ifdef PNG_READ_iTXt_SUPPORTED
2609 /* Note: this does not correctly handle chunks that are > 64K under DOS */
2610 void /* PRIVATE */
png_handle_iTXt(png_structrp png_ptr,png_inforp info_ptr,png_uint_32 length)2611 png_handle_iTXt(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
2612 {
2613    png_const_charp errmsg = NULL;
2614    png_bytep buffer;
2615    png_uint_32 prefix_length;
2616 
2617    png_debug(1, "in png_handle_iTXt");
2618 
2619 #ifdef PNG_USER_LIMITS_SUPPORTED
2620    if (png_ptr->user_chunk_cache_max != 0)
2621    {
2622       if (png_ptr->user_chunk_cache_max == 1)
2623       {
2624          png_crc_finish(png_ptr, length);
2625          return;
2626       }
2627 
2628       if (--png_ptr->user_chunk_cache_max == 1)
2629       {
2630          png_crc_finish(png_ptr, length);
2631          png_chunk_benign_error(png_ptr, "no space in chunk cache");
2632          return;
2633       }
2634    }
2635 #endif
2636 
2637    if ((png_ptr->mode & PNG_HAVE_IHDR) == 0)
2638       png_chunk_error(png_ptr, "missing IHDR");
2639 
2640    if ((png_ptr->mode & PNG_HAVE_IDAT) != 0)
2641       png_ptr->mode |= PNG_AFTER_IDAT;
2642 
2643    buffer = png_read_buffer(png_ptr, length+1, 1/*warn*/);
2644 
2645    if (buffer == NULL)
2646    {
2647       png_crc_finish(png_ptr, length);
2648       png_chunk_benign_error(png_ptr, "out of memory");
2649       return;
2650    }
2651 
2652    png_crc_read(png_ptr, buffer, length);
2653 
2654    if (png_crc_finish(png_ptr, 0) != 0)
2655       return;
2656 
2657    /* First the keyword. */
2658    for (prefix_length=0;
2659       prefix_length < length && buffer[prefix_length] != 0;
2660       ++prefix_length)
2661       /* Empty loop */ ;
2662 
2663    /* Perform a basic check on the keyword length here. */
2664    if (prefix_length > 79 || prefix_length < 1)
2665       errmsg = "bad keyword";
2666 
2667    /* Expect keyword, compression flag, compression type, language, translated
2668     * keyword (both may be empty but are 0 terminated) then the text, which may
2669     * be empty.
2670     */
2671    else if (prefix_length + 5 > length)
2672       errmsg = "truncated";
2673 
2674    else if (buffer[prefix_length+1] == 0 ||
2675       (buffer[prefix_length+1] == 1 &&
2676       buffer[prefix_length+2] == PNG_COMPRESSION_TYPE_BASE))
2677    {
2678       int compressed = buffer[prefix_length+1] != 0;
2679       png_uint_32 language_offset, translated_keyword_offset;
2680       png_alloc_size_t uncompressed_length = 0;
2681 
2682       /* Now the language tag */
2683       prefix_length += 3;
2684       language_offset = prefix_length;
2685 
2686       for (; prefix_length < length && buffer[prefix_length] != 0;
2687          ++prefix_length)
2688          /* Empty loop */ ;
2689 
2690       /* WARNING: the length may be invalid here, this is checked below. */
2691       translated_keyword_offset = ++prefix_length;
2692 
2693       for (; prefix_length < length && buffer[prefix_length] != 0;
2694          ++prefix_length)
2695          /* Empty loop */ ;
2696 
2697       /* prefix_length should now be at the trailing '\0' of the translated
2698        * keyword, but it may already be over the end.  None of this arithmetic
2699        * can overflow because chunks are at most 2^31 bytes long, but on 16-bit
2700        * systems the available allocation may overflow.
2701        */
2702       ++prefix_length;
2703 
2704       if (compressed == 0 && prefix_length <= length)
2705          uncompressed_length = length - prefix_length;
2706 
2707       else if (compressed != 0 && prefix_length < length)
2708       {
2709          uncompressed_length = PNG_SIZE_MAX;
2710 
2711          /* TODO: at present png_decompress_chunk imposes a single application
2712           * level memory limit, this should be split to different values for
2713           * iCCP and text chunks.
2714           */
2715          if (png_decompress_chunk(png_ptr, length, prefix_length,
2716             &uncompressed_length, 1/*terminate*/) == Z_STREAM_END)
2717             buffer = png_ptr->read_buffer;
2718 
2719          else
2720             errmsg = png_ptr->zstream.msg;
2721       }
2722 
2723       else
2724          errmsg = "truncated";
2725 
2726       if (errmsg == NULL)
2727       {
2728          png_text text;
2729 
2730          buffer[uncompressed_length+prefix_length] = 0;
2731 
2732          if (compressed == 0)
2733             text.compression = PNG_ITXT_COMPRESSION_NONE;
2734 
2735          else
2736             text.compression = PNG_ITXT_COMPRESSION_zTXt;
2737 
2738          text.key = (png_charp)buffer;
2739          text.lang = (png_charp)buffer + language_offset;
2740          text.lang_key = (png_charp)buffer + translated_keyword_offset;
2741          text.text = (png_charp)buffer + prefix_length;
2742          text.text_length = 0;
2743          text.itxt_length = uncompressed_length;
2744 
2745          if (png_set_text_2(png_ptr, info_ptr, &text, 1) != 0)
2746             errmsg = "insufficient memory";
2747       }
2748    }
2749 
2750    else
2751       errmsg = "bad compression info";
2752 
2753    if (errmsg != NULL)
2754       png_chunk_benign_error(png_ptr, errmsg);
2755 }
2756 #endif
2757 
2758 #ifdef PNG_READ_UNKNOWN_CHUNKS_SUPPORTED
2759 /* Utility function for png_handle_unknown; set up png_ptr::unknown_chunk */
2760 static int
png_cache_unknown_chunk(png_structrp png_ptr,png_uint_32 length)2761 png_cache_unknown_chunk(png_structrp png_ptr, png_uint_32 length)
2762 {
2763    png_alloc_size_t limit = PNG_SIZE_MAX;
2764 
2765    if (png_ptr->unknown_chunk.data != NULL)
2766    {
2767       png_free(png_ptr, png_ptr->unknown_chunk.data);
2768       png_ptr->unknown_chunk.data = NULL;
2769    }
2770 
2771 #  ifdef PNG_SET_USER_LIMITS_SUPPORTED
2772    if (png_ptr->user_chunk_malloc_max > 0 &&
2773        png_ptr->user_chunk_malloc_max < limit)
2774       limit = png_ptr->user_chunk_malloc_max;
2775 
2776 #  elif PNG_USER_CHUNK_MALLOC_MAX > 0
2777    if (PNG_USER_CHUNK_MALLOC_MAX < limit)
2778       limit = PNG_USER_CHUNK_MALLOC_MAX;
2779 #  endif
2780 
2781    if (length <= limit)
2782    {
2783       PNG_CSTRING_FROM_CHUNK(png_ptr->unknown_chunk.name, png_ptr->chunk_name);
2784       /* The following is safe because of the PNG_SIZE_MAX init above */
2785       png_ptr->unknown_chunk.size = (png_size_t)length/*SAFE*/;
2786       /* 'mode' is a flag array, only the bottom four bits matter here */
2787       png_ptr->unknown_chunk.location = (png_byte)png_ptr->mode/*SAFE*/;
2788 
2789       if (length == 0)
2790          png_ptr->unknown_chunk.data = NULL;
2791 
2792       else
2793       {
2794          /* Do a 'warn' here - it is handled below. */
2795          png_ptr->unknown_chunk.data = png_voidcast(png_bytep,
2796             png_malloc_warn(png_ptr, length));
2797       }
2798    }
2799 
2800    if (png_ptr->unknown_chunk.data == NULL && length > 0)
2801    {
2802       /* This is benign because we clean up correctly */
2803       png_crc_finish(png_ptr, length);
2804       png_chunk_benign_error(png_ptr, "unknown chunk exceeds memory limits");
2805       return 0;
2806    }
2807 
2808    else
2809    {
2810       if (length > 0)
2811          png_crc_read(png_ptr, png_ptr->unknown_chunk.data, length);
2812       png_crc_finish(png_ptr, 0);
2813       return 1;
2814    }
2815 }
2816 #endif /* READ_UNKNOWN_CHUNKS */
2817 
2818 /* Handle an unknown, or known but disabled, chunk */
2819 void /* PRIVATE */
png_handle_unknown(png_structrp png_ptr,png_inforp info_ptr,png_uint_32 length,int keep)2820 png_handle_unknown(png_structrp png_ptr, png_inforp info_ptr,
2821    png_uint_32 length, int keep)
2822 {
2823    int handled = 0; /* the chunk was handled */
2824 
2825    png_debug(1, "in png_handle_unknown");
2826 
2827 #ifdef PNG_READ_UNKNOWN_CHUNKS_SUPPORTED
2828    /* NOTE: this code is based on the code in libpng-1.4.12 except for fixing
2829     * the bug which meant that setting a non-default behavior for a specific
2830     * chunk would be ignored (the default was always used unless a user
2831     * callback was installed).
2832     *
2833     * 'keep' is the value from the png_chunk_unknown_handling, the setting for
2834     * this specific chunk_name, if PNG_HANDLE_AS_UNKNOWN_SUPPORTED, if not it
2835     * will always be PNG_HANDLE_CHUNK_AS_DEFAULT and it needs to be set here.
2836     * This is just an optimization to avoid multiple calls to the lookup
2837     * function.
2838     */
2839 #  ifndef PNG_HANDLE_AS_UNKNOWN_SUPPORTED
2840 #     ifdef PNG_SET_UNKNOWN_CHUNKS_SUPPORTED
2841    keep = png_chunk_unknown_handling(png_ptr, png_ptr->chunk_name);
2842 #     endif
2843 #  endif
2844 
2845    /* One of the following methods will read the chunk or skip it (at least one
2846     * of these is always defined because this is the only way to switch on
2847     * PNG_READ_UNKNOWN_CHUNKS_SUPPORTED)
2848     */
2849 #  ifdef PNG_READ_USER_CHUNKS_SUPPORTED
2850    /* The user callback takes precedence over the chunk keep value, but the
2851     * keep value is still required to validate a save of a critical chunk.
2852     */
2853    if (png_ptr->read_user_chunk_fn != NULL)
2854    {
2855       if (png_cache_unknown_chunk(png_ptr, length) != 0)
2856       {
2857          /* Callback to user unknown chunk handler */
2858          int ret = (*(png_ptr->read_user_chunk_fn))(png_ptr,
2859             &png_ptr->unknown_chunk);
2860 
2861          /* ret is:
2862           * negative: An error occurred; png_chunk_error will be called.
2863           *     zero: The chunk was not handled, the chunk will be discarded
2864           *           unless png_set_keep_unknown_chunks has been used to set
2865           *           a 'keep' behavior for this particular chunk, in which
2866           *           case that will be used.  A critical chunk will cause an
2867           *           error at this point unless it is to be saved.
2868           * positive: The chunk was handled, libpng will ignore/discard it.
2869           */
2870          if (ret < 0)
2871             png_chunk_error(png_ptr, "error in user chunk");
2872 
2873          else if (ret == 0)
2874          {
2875             /* If the keep value is 'default' or 'never' override it, but
2876              * still error out on critical chunks unless the keep value is
2877              * 'always'  While this is weird it is the behavior in 1.4.12.
2878              * A possible improvement would be to obey the value set for the
2879              * chunk, but this would be an API change that would probably
2880              * damage some applications.
2881              *
2882              * The png_app_warning below catches the case that matters, where
2883              * the application has not set specific save or ignore for this
2884              * chunk or global save or ignore.
2885              */
2886             if (keep < PNG_HANDLE_CHUNK_IF_SAFE)
2887             {
2888 #              ifdef PNG_SET_UNKNOWN_CHUNKS_SUPPORTED
2889                if (png_ptr->unknown_default < PNG_HANDLE_CHUNK_IF_SAFE)
2890                {
2891                   png_chunk_warning(png_ptr, "Saving unknown chunk:");
2892                   png_app_warning(png_ptr,
2893                      "forcing save of an unhandled chunk;"
2894                      " please call png_set_keep_unknown_chunks");
2895                      /* with keep = PNG_HANDLE_CHUNK_IF_SAFE */
2896                }
2897 #              endif
2898                keep = PNG_HANDLE_CHUNK_IF_SAFE;
2899             }
2900          }
2901 
2902          else /* chunk was handled */
2903          {
2904             handled = 1;
2905             /* Critical chunks can be safely discarded at this point. */
2906             keep = PNG_HANDLE_CHUNK_NEVER;
2907          }
2908       }
2909 
2910       else
2911          keep = PNG_HANDLE_CHUNK_NEVER; /* insufficient memory */
2912    }
2913 
2914    else
2915    /* Use the SAVE_UNKNOWN_CHUNKS code or skip the chunk */
2916 #  endif /* READ_USER_CHUNKS */
2917 
2918 #  ifdef PNG_SAVE_UNKNOWN_CHUNKS_SUPPORTED
2919    {
2920       /* keep is currently just the per-chunk setting, if there was no
2921        * setting change it to the global default now (not that this may
2922        * still be AS_DEFAULT) then obtain the cache of the chunk if required,
2923        * if not simply skip the chunk.
2924        */
2925       if (keep == PNG_HANDLE_CHUNK_AS_DEFAULT)
2926          keep = png_ptr->unknown_default;
2927 
2928       if (keep == PNG_HANDLE_CHUNK_ALWAYS ||
2929          (keep == PNG_HANDLE_CHUNK_IF_SAFE &&
2930           PNG_CHUNK_ANCILLARY(png_ptr->chunk_name)))
2931       {
2932          if (png_cache_unknown_chunk(png_ptr, length) == 0)
2933             keep = PNG_HANDLE_CHUNK_NEVER;
2934       }
2935 
2936       else
2937          png_crc_finish(png_ptr, length);
2938    }
2939 #  else
2940 #     ifndef PNG_READ_USER_CHUNKS_SUPPORTED
2941 #        error no method to support READ_UNKNOWN_CHUNKS
2942 #     endif
2943 
2944    {
2945       /* If here there is no read callback pointer set and no support is
2946        * compiled in to just save the unknown chunks, so simply skip this
2947        * chunk.  If 'keep' is something other than AS_DEFAULT or NEVER then
2948        * the app has erroneously asked for unknown chunk saving when there
2949        * is no support.
2950        */
2951       if (keep > PNG_HANDLE_CHUNK_NEVER)
2952          png_app_error(png_ptr, "no unknown chunk support available");
2953 
2954       png_crc_finish(png_ptr, length);
2955    }
2956 #  endif
2957 
2958 #  ifdef PNG_STORE_UNKNOWN_CHUNKS_SUPPORTED
2959    /* Now store the chunk in the chunk list if appropriate, and if the limits
2960     * permit it.
2961     */
2962    if (keep == PNG_HANDLE_CHUNK_ALWAYS ||
2963       (keep == PNG_HANDLE_CHUNK_IF_SAFE &&
2964        PNG_CHUNK_ANCILLARY(png_ptr->chunk_name)))
2965    {
2966 #     ifdef PNG_USER_LIMITS_SUPPORTED
2967       switch (png_ptr->user_chunk_cache_max)
2968       {
2969          case 2:
2970             png_ptr->user_chunk_cache_max = 1;
2971             png_chunk_benign_error(png_ptr, "no space in chunk cache");
2972             /* FALL THROUGH */
2973          case 1:
2974             /* NOTE: prior to 1.6.0 this case resulted in an unknown critical
2975              * chunk being skipped, now there will be a hard error below.
2976              */
2977             break;
2978 
2979          default: /* not at limit */
2980             --(png_ptr->user_chunk_cache_max);
2981             /* FALL THROUGH */
2982          case 0: /* no limit */
2983 #  endif /* USER_LIMITS */
2984             /* Here when the limit isn't reached or when limits are compiled
2985              * out; store the chunk.
2986              */
2987             png_set_unknown_chunks(png_ptr, info_ptr,
2988                &png_ptr->unknown_chunk, 1);
2989             handled = 1;
2990 #  ifdef PNG_USER_LIMITS_SUPPORTED
2991             break;
2992       }
2993 #  endif
2994    }
2995 #  else /* no store support: the chunk must be handled by the user callback */
2996    PNG_UNUSED(info_ptr)
2997 #  endif
2998 
2999    /* Regardless of the error handling below the cached data (if any) can be
3000     * freed now.  Notice that the data is not freed if there is a png_error, but
3001     * it will be freed by destroy_read_struct.
3002     */
3003    if (png_ptr->unknown_chunk.data != NULL)
3004       png_free(png_ptr, png_ptr->unknown_chunk.data);
3005    png_ptr->unknown_chunk.data = NULL;
3006 
3007 #else /* !PNG_READ_UNKNOWN_CHUNKS_SUPPORTED */
3008    /* There is no support to read an unknown chunk, so just skip it. */
3009    png_crc_finish(png_ptr, length);
3010    PNG_UNUSED(info_ptr)
3011    PNG_UNUSED(keep)
3012 #endif /* !READ_UNKNOWN_CHUNKS */
3013 
3014    /* Check for unhandled critical chunks */
3015    if (handled == 0 && PNG_CHUNK_CRITICAL(png_ptr->chunk_name))
3016       png_chunk_error(png_ptr, "unhandled critical chunk");
3017 }
3018 
3019 /* This function is called to verify that a chunk name is valid.
3020  * This function can't have the "critical chunk check" incorporated
3021  * into it, since in the future we will need to be able to call user
3022  * functions to handle unknown critical chunks after we check that
3023  * the chunk name itself is valid.
3024  */
3025 
3026 /* Bit hacking: the test for an invalid byte in the 4 byte chunk name is:
3027  *
3028  * ((c) < 65 || (c) > 122 || ((c) > 90 && (c) < 97))
3029  */
3030 
3031 void /* PRIVATE */
png_check_chunk_name(png_structrp png_ptr,png_uint_32 chunk_name)3032 png_check_chunk_name(png_structrp png_ptr, png_uint_32 chunk_name)
3033 {
3034    int i;
3035 
3036    png_debug(1, "in png_check_chunk_name");
3037 
3038    for (i=1; i<=4; ++i)
3039    {
3040       int c = chunk_name & 0xff;
3041 
3042       if (c < 65 || c > 122 || (c > 90 && c < 97))
3043          png_chunk_error(png_ptr, "invalid chunk type");
3044 
3045       chunk_name >>= 8;
3046    }
3047 }
3048 
3049 /* Combines the row recently read in with the existing pixels in the row.  This
3050  * routine takes care of alpha and transparency if requested.  This routine also
3051  * handles the two methods of progressive display of interlaced images,
3052  * depending on the 'display' value; if 'display' is true then the whole row
3053  * (dp) is filled from the start by replicating the available pixels.  If
3054  * 'display' is false only those pixels present in the pass are filled in.
3055  */
3056 void /* PRIVATE */
png_combine_row(png_const_structrp png_ptr,png_bytep dp,int display)3057 png_combine_row(png_const_structrp png_ptr, png_bytep dp, int display)
3058 {
3059    unsigned int pixel_depth = png_ptr->transformed_pixel_depth;
3060    png_const_bytep sp = png_ptr->row_buf + 1;
3061    png_alloc_size_t row_width = png_ptr->width;
3062    unsigned int pass = png_ptr->pass;
3063    png_bytep end_ptr = 0;
3064    png_byte end_byte = 0;
3065    unsigned int end_mask;
3066 
3067    png_debug(1, "in png_combine_row");
3068 
3069    /* Added in 1.5.6: it should not be possible to enter this routine until at
3070     * least one row has been read from the PNG data and transformed.
3071     */
3072    if (pixel_depth == 0)
3073       png_error(png_ptr, "internal row logic error");
3074 
3075    /* Added in 1.5.4: the pixel depth should match the information returned by
3076     * any call to png_read_update_info at this point.  Do not continue if we got
3077     * this wrong.
3078     */
3079    if (png_ptr->info_rowbytes != 0 && png_ptr->info_rowbytes !=
3080           PNG_ROWBYTES(pixel_depth, row_width))
3081       png_error(png_ptr, "internal row size calculation error");
3082 
3083    /* Don't expect this to ever happen: */
3084    if (row_width == 0)
3085       png_error(png_ptr, "internal row width error");
3086 
3087    /* Preserve the last byte in cases where only part of it will be overwritten,
3088     * the multiply below may overflow, we don't care because ANSI-C guarantees
3089     * we get the low bits.
3090     */
3091    end_mask = (pixel_depth * row_width) & 7;
3092    if (end_mask != 0)
3093    {
3094       /* end_ptr == NULL is a flag to say do nothing */
3095       end_ptr = dp + PNG_ROWBYTES(pixel_depth, row_width) - 1;
3096       end_byte = *end_ptr;
3097 #     ifdef PNG_READ_PACKSWAP_SUPPORTED
3098       if ((png_ptr->transformations & PNG_PACKSWAP) != 0)
3099          /* little-endian byte */
3100          end_mask = 0xff << end_mask;
3101 
3102       else /* big-endian byte */
3103 #     endif
3104       end_mask = 0xff >> end_mask;
3105       /* end_mask is now the bits to *keep* from the destination row */
3106    }
3107 
3108    /* For non-interlaced images this reduces to a memcpy(). A memcpy()
3109     * will also happen if interlacing isn't supported or if the application
3110     * does not call png_set_interlace_handling().  In the latter cases the
3111     * caller just gets a sequence of the unexpanded rows from each interlace
3112     * pass.
3113     */
3114 #ifdef PNG_READ_INTERLACING_SUPPORTED
3115    if (png_ptr->interlaced != 0 &&
3116        (png_ptr->transformations & PNG_INTERLACE) != 0 &&
3117        pass < 6 && (display == 0 ||
3118        /* The following copies everything for 'display' on passes 0, 2 and 4. */
3119        (display == 1 && (pass & 1) != 0)))
3120    {
3121       /* Narrow images may have no bits in a pass; the caller should handle
3122        * this, but this test is cheap:
3123        */
3124       if (row_width <= PNG_PASS_START_COL(pass))
3125          return;
3126 
3127       if (pixel_depth < 8)
3128       {
3129          /* For pixel depths up to 4 bpp the 8-pixel mask can be expanded to fit
3130           * into 32 bits, then a single loop over the bytes using the four byte
3131           * values in the 32-bit mask can be used.  For the 'display' option the
3132           * expanded mask may also not require any masking within a byte.  To
3133           * make this work the PACKSWAP option must be taken into account - it
3134           * simply requires the pixels to be reversed in each byte.
3135           *
3136           * The 'regular' case requires a mask for each of the first 6 passes,
3137           * the 'display' case does a copy for the even passes in the range
3138           * 0..6.  This has already been handled in the test above.
3139           *
3140           * The masks are arranged as four bytes with the first byte to use in
3141           * the lowest bits (little-endian) regardless of the order (PACKSWAP or
3142           * not) of the pixels in each byte.
3143           *
3144           * NOTE: the whole of this logic depends on the caller of this function
3145           * only calling it on rows appropriate to the pass.  This function only
3146           * understands the 'x' logic; the 'y' logic is handled by the caller.
3147           *
3148           * The following defines allow generation of compile time constant bit
3149           * masks for each pixel depth and each possibility of swapped or not
3150           * swapped bytes.  Pass 'p' is in the range 0..6; 'x', a pixel index,
3151           * is in the range 0..7; and the result is 1 if the pixel is to be
3152           * copied in the pass, 0 if not.  'S' is for the sparkle method, 'B'
3153           * for the block method.
3154           *
3155           * With some compilers a compile time expression of the general form:
3156           *
3157           *    (shift >= 32) ? (a >> (shift-32)) : (b >> shift)
3158           *
3159           * Produces warnings with values of 'shift' in the range 33 to 63
3160           * because the right hand side of the ?: expression is evaluated by
3161           * the compiler even though it isn't used.  Microsoft Visual C (various
3162           * versions) and the Intel C compiler are known to do this.  To avoid
3163           * this the following macros are used in 1.5.6.  This is a temporary
3164           * solution to avoid destabilizing the code during the release process.
3165           */
3166 #        if PNG_USE_COMPILE_TIME_MASKS
3167 #           define PNG_LSR(x,s) ((x)>>((s) & 0x1f))
3168 #           define PNG_LSL(x,s) ((x)<<((s) & 0x1f))
3169 #        else
3170 #           define PNG_LSR(x,s) ((x)>>(s))
3171 #           define PNG_LSL(x,s) ((x)<<(s))
3172 #        endif
3173 #        define S_COPY(p,x) (((p)<4 ? PNG_LSR(0x80088822,(3-(p))*8+(7-(x))) :\
3174            PNG_LSR(0xaa55ff00,(7-(p))*8+(7-(x)))) & 1)
3175 #        define B_COPY(p,x) (((p)<4 ? PNG_LSR(0xff0fff33,(3-(p))*8+(7-(x))) :\
3176            PNG_LSR(0xff55ff00,(7-(p))*8+(7-(x)))) & 1)
3177 
3178          /* Return a mask for pass 'p' pixel 'x' at depth 'd'.  The mask is
3179           * little endian - the first pixel is at bit 0 - however the extra
3180           * parameter 's' can be set to cause the mask position to be swapped
3181           * within each byte, to match the PNG format.  This is done by XOR of
3182           * the shift with 7, 6 or 4 for bit depths 1, 2 and 4.
3183           */
3184 #        define PIXEL_MASK(p,x,d,s) \
3185             (PNG_LSL(((PNG_LSL(1U,(d)))-1),(((x)*(d))^((s)?8-(d):0))))
3186 
3187          /* Hence generate the appropriate 'block' or 'sparkle' pixel copy mask.
3188           */
3189 #        define S_MASKx(p,x,d,s) (S_COPY(p,x)?PIXEL_MASK(p,x,d,s):0)
3190 #        define B_MASKx(p,x,d,s) (B_COPY(p,x)?PIXEL_MASK(p,x,d,s):0)
3191 
3192          /* Combine 8 of these to get the full mask.  For the 1-bpp and 2-bpp
3193           * cases the result needs replicating, for the 4-bpp case the above
3194           * generates a full 32 bits.
3195           */
3196 #        define MASK_EXPAND(m,d) ((m)*((d)==1?0x01010101:((d)==2?0x00010001:1)))
3197 
3198 #        define S_MASK(p,d,s) MASK_EXPAND(S_MASKx(p,0,d,s) + S_MASKx(p,1,d,s) +\
3199             S_MASKx(p,2,d,s) + S_MASKx(p,3,d,s) + S_MASKx(p,4,d,s) +\
3200             S_MASKx(p,5,d,s) + S_MASKx(p,6,d,s) + S_MASKx(p,7,d,s), d)
3201 
3202 #        define B_MASK(p,d,s) MASK_EXPAND(B_MASKx(p,0,d,s) + B_MASKx(p,1,d,s) +\
3203             B_MASKx(p,2,d,s) + B_MASKx(p,3,d,s) + B_MASKx(p,4,d,s) +\
3204             B_MASKx(p,5,d,s) + B_MASKx(p,6,d,s) + B_MASKx(p,7,d,s), d)
3205 
3206 #if PNG_USE_COMPILE_TIME_MASKS
3207          /* Utility macros to construct all the masks for a depth/swap
3208           * combination.  The 's' parameter says whether the format is PNG
3209           * (big endian bytes) or not.  Only the three odd-numbered passes are
3210           * required for the display/block algorithm.
3211           */
3212 #        define S_MASKS(d,s) { S_MASK(0,d,s), S_MASK(1,d,s), S_MASK(2,d,s),\
3213             S_MASK(3,d,s), S_MASK(4,d,s), S_MASK(5,d,s) }
3214 
3215 #        define B_MASKS(d,s) { B_MASK(1,d,s), B_MASK(3,d,s), B_MASK(5,d,s) }
3216 
3217 #        define DEPTH_INDEX(d) ((d)==1?0:((d)==2?1:2))
3218 
3219          /* Hence the pre-compiled masks indexed by PACKSWAP (or not), depth and
3220           * then pass:
3221           */
3222          static PNG_CONST png_uint_32 row_mask[2/*PACKSWAP*/][3/*depth*/][6] =
3223          {
3224             /* Little-endian byte masks for PACKSWAP */
3225             { S_MASKS(1,0), S_MASKS(2,0), S_MASKS(4,0) },
3226             /* Normal (big-endian byte) masks - PNG format */
3227             { S_MASKS(1,1), S_MASKS(2,1), S_MASKS(4,1) }
3228          };
3229 
3230          /* display_mask has only three entries for the odd passes, so index by
3231           * pass>>1.
3232           */
3233          static PNG_CONST png_uint_32 display_mask[2][3][3] =
3234          {
3235             /* Little-endian byte masks for PACKSWAP */
3236             { B_MASKS(1,0), B_MASKS(2,0), B_MASKS(4,0) },
3237             /* Normal (big-endian byte) masks - PNG format */
3238             { B_MASKS(1,1), B_MASKS(2,1), B_MASKS(4,1) }
3239          };
3240 
3241 #        define MASK(pass,depth,display,png)\
3242             ((display)?display_mask[png][DEPTH_INDEX(depth)][pass>>1]:\
3243                row_mask[png][DEPTH_INDEX(depth)][pass])
3244 
3245 #else /* !PNG_USE_COMPILE_TIME_MASKS */
3246          /* This is the runtime alternative: it seems unlikely that this will
3247           * ever be either smaller or faster than the compile time approach.
3248           */
3249 #        define MASK(pass,depth,display,png)\
3250             ((display)?B_MASK(pass,depth,png):S_MASK(pass,depth,png))
3251 #endif /* !USE_COMPILE_TIME_MASKS */
3252 
3253          /* Use the appropriate mask to copy the required bits.  In some cases
3254           * the byte mask will be 0 or 0xff; optimize these cases.  row_width is
3255           * the number of pixels, but the code copies bytes, so it is necessary
3256           * to special case the end.
3257           */
3258          png_uint_32 pixels_per_byte = 8 / pixel_depth;
3259          png_uint_32 mask;
3260 
3261 #        ifdef PNG_READ_PACKSWAP_SUPPORTED
3262          if ((png_ptr->transformations & PNG_PACKSWAP) != 0)
3263             mask = MASK(pass, pixel_depth, display, 0);
3264 
3265          else
3266 #        endif
3267          mask = MASK(pass, pixel_depth, display, 1);
3268 
3269          for (;;)
3270          {
3271             png_uint_32 m;
3272 
3273             /* It doesn't matter in the following if png_uint_32 has more than
3274              * 32 bits because the high bits always match those in m<<24; it is,
3275              * however, essential to use OR here, not +, because of this.
3276              */
3277             m = mask;
3278             mask = (m >> 8) | (m << 24); /* rotate right to good compilers */
3279             m &= 0xff;
3280 
3281             if (m != 0) /* something to copy */
3282             {
3283                if (m != 0xff)
3284                   *dp = (png_byte)((*dp & ~m) | (*sp & m));
3285                else
3286                   *dp = *sp;
3287             }
3288 
3289             /* NOTE: this may overwrite the last byte with garbage if the image
3290              * is not an exact number of bytes wide; libpng has always done
3291              * this.
3292              */
3293             if (row_width <= pixels_per_byte)
3294                break; /* May need to restore part of the last byte */
3295 
3296             row_width -= pixels_per_byte;
3297             ++dp;
3298             ++sp;
3299          }
3300       }
3301 
3302       else /* pixel_depth >= 8 */
3303       {
3304          unsigned int bytes_to_copy, bytes_to_jump;
3305 
3306          /* Validate the depth - it must be a multiple of 8 */
3307          if (pixel_depth & 7)
3308             png_error(png_ptr, "invalid user transform pixel depth");
3309 
3310          pixel_depth >>= 3; /* now in bytes */
3311          row_width *= pixel_depth;
3312 
3313          /* Regardless of pass number the Adam 7 interlace always results in a
3314           * fixed number of pixels to copy then to skip.  There may be a
3315           * different number of pixels to skip at the start though.
3316           */
3317          {
3318             unsigned int offset = PNG_PASS_START_COL(pass) * pixel_depth;
3319 
3320             row_width -= offset;
3321             dp += offset;
3322             sp += offset;
3323          }
3324 
3325          /* Work out the bytes to copy. */
3326          if (display != 0)
3327          {
3328             /* When doing the 'block' algorithm the pixel in the pass gets
3329              * replicated to adjacent pixels.  This is why the even (0,2,4,6)
3330              * passes are skipped above - the entire expanded row is copied.
3331              */
3332             bytes_to_copy = (1<<((6-pass)>>1)) * pixel_depth;
3333 
3334             /* But don't allow this number to exceed the actual row width. */
3335             if (bytes_to_copy > row_width)
3336                bytes_to_copy = (unsigned int)/*SAFE*/row_width;
3337          }
3338 
3339          else /* normal row; Adam7 only ever gives us one pixel to copy. */
3340             bytes_to_copy = pixel_depth;
3341 
3342          /* In Adam7 there is a constant offset between where the pixels go. */
3343          bytes_to_jump = PNG_PASS_COL_OFFSET(pass) * pixel_depth;
3344 
3345          /* And simply copy these bytes.  Some optimization is possible here,
3346           * depending on the value of 'bytes_to_copy'.  Special case the low
3347           * byte counts, which we know to be frequent.
3348           *
3349           * Notice that these cases all 'return' rather than 'break' - this
3350           * avoids an unnecessary test on whether to restore the last byte
3351           * below.
3352           */
3353          switch (bytes_to_copy)
3354          {
3355             case 1:
3356                for (;;)
3357                {
3358                   *dp = *sp;
3359 
3360                   if (row_width <= bytes_to_jump)
3361                      return;
3362 
3363                   dp += bytes_to_jump;
3364                   sp += bytes_to_jump;
3365                   row_width -= bytes_to_jump;
3366                }
3367 
3368             case 2:
3369                /* There is a possibility of a partial copy at the end here; this
3370                 * slows the code down somewhat.
3371                 */
3372                do
3373                {
3374                   dp[0] = sp[0], dp[1] = sp[1];
3375 
3376                   if (row_width <= bytes_to_jump)
3377                      return;
3378 
3379                   sp += bytes_to_jump;
3380                   dp += bytes_to_jump;
3381                   row_width -= bytes_to_jump;
3382                }
3383                while (row_width > 1);
3384 
3385                /* And there can only be one byte left at this point: */
3386                *dp = *sp;
3387                return;
3388 
3389             case 3:
3390                /* This can only be the RGB case, so each copy is exactly one
3391                 * pixel and it is not necessary to check for a partial copy.
3392                 */
3393                for (;;)
3394                {
3395                   dp[0] = sp[0], dp[1] = sp[1], dp[2] = sp[2];
3396 
3397                   if (row_width <= bytes_to_jump)
3398                      return;
3399 
3400                   sp += bytes_to_jump;
3401                   dp += bytes_to_jump;
3402                   row_width -= bytes_to_jump;
3403                }
3404 
3405             default:
3406 #if PNG_ALIGN_TYPE != PNG_ALIGN_NONE
3407                /* Check for double byte alignment and, if possible, use a
3408                 * 16-bit copy.  Don't attempt this for narrow images - ones that
3409                 * are less than an interlace panel wide.  Don't attempt it for
3410                 * wide bytes_to_copy either - use the memcpy there.
3411                 */
3412                if (bytes_to_copy < 16 /*else use memcpy*/ &&
3413                    png_isaligned(dp, png_uint_16) &&
3414                    png_isaligned(sp, png_uint_16) &&
3415                    bytes_to_copy % (sizeof (png_uint_16)) == 0 &&
3416                    bytes_to_jump % (sizeof (png_uint_16)) == 0)
3417                {
3418                   /* Everything is aligned for png_uint_16 copies, but try for
3419                    * png_uint_32 first.
3420                    */
3421                   if (png_isaligned(dp, png_uint_32) != 0 &&
3422                       png_isaligned(sp, png_uint_32) != 0 &&
3423                       bytes_to_copy % (sizeof (png_uint_32)) == 0 &&
3424                       bytes_to_jump % (sizeof (png_uint_32)) == 0)
3425                   {
3426                      png_uint_32p dp32 = png_aligncast(png_uint_32p,dp);
3427                      png_const_uint_32p sp32 = png_aligncastconst(
3428                          png_const_uint_32p, sp);
3429                      size_t skip = (bytes_to_jump-bytes_to_copy) /
3430                          (sizeof (png_uint_32));
3431 
3432                      do
3433                      {
3434                         size_t c = bytes_to_copy;
3435                         do
3436                         {
3437                            *dp32++ = *sp32++;
3438                            c -= (sizeof (png_uint_32));
3439                         }
3440                         while (c > 0);
3441 
3442                         if (row_width <= bytes_to_jump)
3443                            return;
3444 
3445                         dp32 += skip;
3446                         sp32 += skip;
3447                         row_width -= bytes_to_jump;
3448                      }
3449                      while (bytes_to_copy <= row_width);
3450 
3451                      /* Get to here when the row_width truncates the final copy.
3452                       * There will be 1-3 bytes left to copy, so don't try the
3453                       * 16-bit loop below.
3454                       */
3455                      dp = (png_bytep)dp32;
3456                      sp = (png_const_bytep)sp32;
3457                      do
3458                         *dp++ = *sp++;
3459                      while (--row_width > 0);
3460                      return;
3461                   }
3462 
3463                   /* Else do it in 16-bit quantities, but only if the size is
3464                    * not too large.
3465                    */
3466                   else
3467                   {
3468                      png_uint_16p dp16 = png_aligncast(png_uint_16p, dp);
3469                      png_const_uint_16p sp16 = png_aligncastconst(
3470                         png_const_uint_16p, sp);
3471                      size_t skip = (bytes_to_jump-bytes_to_copy) /
3472                         (sizeof (png_uint_16));
3473 
3474                      do
3475                      {
3476                         size_t c = bytes_to_copy;
3477                         do
3478                         {
3479                            *dp16++ = *sp16++;
3480                            c -= (sizeof (png_uint_16));
3481                         }
3482                         while (c > 0);
3483 
3484                         if (row_width <= bytes_to_jump)
3485                            return;
3486 
3487                         dp16 += skip;
3488                         sp16 += skip;
3489                         row_width -= bytes_to_jump;
3490                      }
3491                      while (bytes_to_copy <= row_width);
3492 
3493                      /* End of row - 1 byte left, bytes_to_copy > row_width: */
3494                      dp = (png_bytep)dp16;
3495                      sp = (png_const_bytep)sp16;
3496                      do
3497                         *dp++ = *sp++;
3498                      while (--row_width > 0);
3499                      return;
3500                   }
3501                }
3502 #endif /* ALIGN_TYPE code */
3503 
3504                /* The true default - use a memcpy: */
3505                for (;;)
3506                {
3507                   memcpy(dp, sp, bytes_to_copy);
3508 
3509                   if (row_width <= bytes_to_jump)
3510                      return;
3511 
3512                   sp += bytes_to_jump;
3513                   dp += bytes_to_jump;
3514                   row_width -= bytes_to_jump;
3515                   if (bytes_to_copy > row_width)
3516                      bytes_to_copy = (unsigned int)/*SAFE*/row_width;
3517                }
3518          }
3519 
3520          /* NOT REACHED*/
3521       } /* pixel_depth >= 8 */
3522 
3523       /* Here if pixel_depth < 8 to check 'end_ptr' below. */
3524    }
3525    else
3526 #endif /* READ_INTERLACING */
3527 
3528    /* If here then the switch above wasn't used so just memcpy the whole row
3529     * from the temporary row buffer (notice that this overwrites the end of the
3530     * destination row if it is a partial byte.)
3531     */
3532    memcpy(dp, sp, PNG_ROWBYTES(pixel_depth, row_width));
3533 
3534    /* Restore the overwritten bits from the last byte if necessary. */
3535    if (end_ptr != NULL)
3536       *end_ptr = (png_byte)((end_byte & end_mask) | (*end_ptr & ~end_mask));
3537 }
3538 
3539 #ifdef PNG_READ_INTERLACING_SUPPORTED
3540 void /* PRIVATE */
png_do_read_interlace(png_row_infop row_info,png_bytep row,int pass,png_uint_32 transformations)3541 png_do_read_interlace(png_row_infop row_info, png_bytep row, int pass,
3542    png_uint_32 transformations /* Because these may affect the byte layout */)
3543 {
3544    /* Arrays to facilitate easy interlacing - use pass (0 - 6) as index */
3545    /* Offset to next interlace block */
3546    static PNG_CONST int png_pass_inc[7] = {8, 8, 4, 4, 2, 2, 1};
3547 
3548    png_debug(1, "in png_do_read_interlace");
3549    if (row != NULL && row_info != NULL)
3550    {
3551       png_uint_32 final_width;
3552 
3553       final_width = row_info->width * png_pass_inc[pass];
3554 
3555       switch (row_info->pixel_depth)
3556       {
3557          case 1:
3558          {
3559             png_bytep sp = row + (png_size_t)((row_info->width - 1) >> 3);
3560             png_bytep dp = row + (png_size_t)((final_width - 1) >> 3);
3561             int sshift, dshift;
3562             int s_start, s_end, s_inc;
3563             int jstop = png_pass_inc[pass];
3564             png_byte v;
3565             png_uint_32 i;
3566             int j;
3567 
3568 #ifdef PNG_READ_PACKSWAP_SUPPORTED
3569             if ((transformations & PNG_PACKSWAP) != 0)
3570             {
3571                 sshift = (int)((row_info->width + 7) & 0x07);
3572                 dshift = (int)((final_width + 7) & 0x07);
3573                 s_start = 7;
3574                 s_end = 0;
3575                 s_inc = -1;
3576             }
3577 
3578             else
3579 #endif
3580             {
3581                 sshift = 7 - (int)((row_info->width + 7) & 0x07);
3582                 dshift = 7 - (int)((final_width + 7) & 0x07);
3583                 s_start = 0;
3584                 s_end = 7;
3585                 s_inc = 1;
3586             }
3587 
3588             for (i = 0; i < row_info->width; i++)
3589             {
3590                v = (png_byte)((*sp >> sshift) & 0x01);
3591                for (j = 0; j < jstop; j++)
3592                {
3593                   unsigned int tmp = *dp & (0x7f7f >> (7 - dshift));
3594                   tmp |= v << dshift;
3595                   *dp = (png_byte)(tmp & 0xff);
3596 
3597                   if (dshift == s_end)
3598                   {
3599                      dshift = s_start;
3600                      dp--;
3601                   }
3602 
3603                   else
3604                      dshift += s_inc;
3605                }
3606 
3607                if (sshift == s_end)
3608                {
3609                   sshift = s_start;
3610                   sp--;
3611                }
3612 
3613                else
3614                   sshift += s_inc;
3615             }
3616             break;
3617          }
3618 
3619          case 2:
3620          {
3621             png_bytep sp = row + (png_uint_32)((row_info->width - 1) >> 2);
3622             png_bytep dp = row + (png_uint_32)((final_width - 1) >> 2);
3623             int sshift, dshift;
3624             int s_start, s_end, s_inc;
3625             int jstop = png_pass_inc[pass];
3626             png_uint_32 i;
3627 
3628 #ifdef PNG_READ_PACKSWAP_SUPPORTED
3629             if ((transformations & PNG_PACKSWAP) != 0)
3630             {
3631                sshift = (int)(((row_info->width + 3) & 0x03) << 1);
3632                dshift = (int)(((final_width + 3) & 0x03) << 1);
3633                s_start = 6;
3634                s_end = 0;
3635                s_inc = -2;
3636             }
3637 
3638             else
3639 #endif
3640             {
3641                sshift = (int)((3 - ((row_info->width + 3) & 0x03)) << 1);
3642                dshift = (int)((3 - ((final_width + 3) & 0x03)) << 1);
3643                s_start = 0;
3644                s_end = 6;
3645                s_inc = 2;
3646             }
3647 
3648             for (i = 0; i < row_info->width; i++)
3649             {
3650                png_byte v;
3651                int j;
3652 
3653                v = (png_byte)((*sp >> sshift) & 0x03);
3654                for (j = 0; j < jstop; j++)
3655                {
3656                   unsigned int tmp = *dp & (0x3f3f >> (6 - dshift));
3657                   tmp |= v << dshift;
3658                   *dp = (png_byte)(tmp & 0xff);
3659 
3660                   if (dshift == s_end)
3661                   {
3662                      dshift = s_start;
3663                      dp--;
3664                   }
3665 
3666                   else
3667                      dshift += s_inc;
3668                }
3669 
3670                if (sshift == s_end)
3671                {
3672                   sshift = s_start;
3673                   sp--;
3674                }
3675 
3676                else
3677                   sshift += s_inc;
3678             }
3679             break;
3680          }
3681 
3682          case 4:
3683          {
3684             png_bytep sp = row + (png_size_t)((row_info->width - 1) >> 1);
3685             png_bytep dp = row + (png_size_t)((final_width - 1) >> 1);
3686             int sshift, dshift;
3687             int s_start, s_end, s_inc;
3688             png_uint_32 i;
3689             int jstop = png_pass_inc[pass];
3690 
3691 #ifdef PNG_READ_PACKSWAP_SUPPORTED
3692             if ((transformations & PNG_PACKSWAP) != 0)
3693             {
3694                sshift = (int)(((row_info->width + 1) & 0x01) << 2);
3695                dshift = (int)(((final_width + 1) & 0x01) << 2);
3696                s_start = 4;
3697                s_end = 0;
3698                s_inc = -4;
3699             }
3700 
3701             else
3702 #endif
3703             {
3704                sshift = (int)((1 - ((row_info->width + 1) & 0x01)) << 2);
3705                dshift = (int)((1 - ((final_width + 1) & 0x01)) << 2);
3706                s_start = 0;
3707                s_end = 4;
3708                s_inc = 4;
3709             }
3710 
3711             for (i = 0; i < row_info->width; i++)
3712             {
3713                png_byte v = (png_byte)((*sp >> sshift) & 0x0f);
3714                int j;
3715 
3716                for (j = 0; j < jstop; j++)
3717                {
3718                   unsigned int tmp = *dp & (0xf0f >> (4 - dshift));
3719                   tmp |= v << dshift;
3720                   *dp = (png_byte)(tmp & 0xff);
3721 
3722                   if (dshift == s_end)
3723                   {
3724                      dshift = s_start;
3725                      dp--;
3726                   }
3727 
3728                   else
3729                      dshift += s_inc;
3730                }
3731 
3732                if (sshift == s_end)
3733                {
3734                   sshift = s_start;
3735                   sp--;
3736                }
3737 
3738                else
3739                   sshift += s_inc;
3740             }
3741             break;
3742          }
3743 
3744          default:
3745          {
3746             png_size_t pixel_bytes = (row_info->pixel_depth >> 3);
3747 
3748             png_bytep sp = row + (png_size_t)(row_info->width - 1)
3749                 * pixel_bytes;
3750 
3751             png_bytep dp = row + (png_size_t)(final_width - 1) * pixel_bytes;
3752 
3753             int jstop = png_pass_inc[pass];
3754             png_uint_32 i;
3755 
3756             for (i = 0; i < row_info->width; i++)
3757             {
3758                png_byte v[8]; /* SAFE; pixel_depth does not exceed 64 */
3759                int j;
3760 
3761                memcpy(v, sp, pixel_bytes);
3762 
3763                for (j = 0; j < jstop; j++)
3764                {
3765                   memcpy(dp, v, pixel_bytes);
3766                   dp -= pixel_bytes;
3767                }
3768 
3769                sp -= pixel_bytes;
3770             }
3771             break;
3772          }
3773       }
3774 
3775       row_info->width = final_width;
3776       row_info->rowbytes = PNG_ROWBYTES(row_info->pixel_depth, final_width);
3777    }
3778 #ifndef PNG_READ_PACKSWAP_SUPPORTED
3779    PNG_UNUSED(transformations)  /* Silence compiler warning */
3780 #endif
3781 }
3782 #endif /* READ_INTERLACING */
3783 
3784 static void
png_read_filter_row_sub(png_row_infop row_info,png_bytep row,png_const_bytep prev_row)3785 png_read_filter_row_sub(png_row_infop row_info, png_bytep row,
3786    png_const_bytep prev_row)
3787 {
3788    png_size_t i;
3789    png_size_t istop = row_info->rowbytes;
3790    unsigned int bpp = (row_info->pixel_depth + 7) >> 3;
3791    png_bytep rp = row + bpp;
3792 
3793    PNG_UNUSED(prev_row)
3794 
3795    for (i = bpp; i < istop; i++)
3796    {
3797       *rp = (png_byte)(((int)(*rp) + (int)(*(rp-bpp))) & 0xff);
3798       rp++;
3799    }
3800 }
3801 
3802 static void
png_read_filter_row_up(png_row_infop row_info,png_bytep row,png_const_bytep prev_row)3803 png_read_filter_row_up(png_row_infop row_info, png_bytep row,
3804    png_const_bytep prev_row)
3805 {
3806    png_size_t i;
3807    png_size_t istop = row_info->rowbytes;
3808    png_bytep rp = row;
3809    png_const_bytep pp = prev_row;
3810 
3811    for (i = 0; i < istop; i++)
3812    {
3813       *rp = (png_byte)(((int)(*rp) + (int)(*pp++)) & 0xff);
3814       rp++;
3815    }
3816 }
3817 
3818 static void
png_read_filter_row_avg(png_row_infop row_info,png_bytep row,png_const_bytep prev_row)3819 png_read_filter_row_avg(png_row_infop row_info, png_bytep row,
3820    png_const_bytep prev_row)
3821 {
3822    png_size_t i;
3823    png_bytep rp = row;
3824    png_const_bytep pp = prev_row;
3825    unsigned int bpp = (row_info->pixel_depth + 7) >> 3;
3826    png_size_t istop = row_info->rowbytes - bpp;
3827 
3828    for (i = 0; i < bpp; i++)
3829    {
3830       *rp = (png_byte)(((int)(*rp) +
3831          ((int)(*pp++) / 2 )) & 0xff);
3832 
3833       rp++;
3834    }
3835 
3836    for (i = 0; i < istop; i++)
3837    {
3838       *rp = (png_byte)(((int)(*rp) +
3839          (int)(*pp++ + *(rp-bpp)) / 2 ) & 0xff);
3840 
3841       rp++;
3842    }
3843 }
3844 
3845 static void
png_read_filter_row_paeth_1byte_pixel(png_row_infop row_info,png_bytep row,png_const_bytep prev_row)3846 png_read_filter_row_paeth_1byte_pixel(png_row_infop row_info, png_bytep row,
3847    png_const_bytep prev_row)
3848 {
3849    png_bytep rp_end = row + row_info->rowbytes;
3850    int a, c;
3851 
3852    /* First pixel/byte */
3853    c = *prev_row++;
3854    a = *row + c;
3855    *row++ = (png_byte)a;
3856 
3857    /* Remainder */
3858    while (row < rp_end)
3859    {
3860       int b, pa, pb, pc, p;
3861 
3862       a &= 0xff; /* From previous iteration or start */
3863       b = *prev_row++;
3864 
3865       p = b - c;
3866       pc = a - c;
3867 
3868 #ifdef PNG_USE_ABS
3869       pa = abs(p);
3870       pb = abs(pc);
3871       pc = abs(p + pc);
3872 #else
3873       pa = p < 0 ? -p : p;
3874       pb = pc < 0 ? -pc : pc;
3875       pc = (p + pc) < 0 ? -(p + pc) : p + pc;
3876 #endif
3877 
3878       /* Find the best predictor, the least of pa, pb, pc favoring the earlier
3879        * ones in the case of a tie.
3880        */
3881       if (pb < pa) pa = pb, a = b;
3882       if (pc < pa) a = c;
3883 
3884       /* Calculate the current pixel in a, and move the previous row pixel to c
3885        * for the next time round the loop
3886        */
3887       c = b;
3888       a += *row;
3889       *row++ = (png_byte)a;
3890    }
3891 }
3892 
3893 static void
png_read_filter_row_paeth_multibyte_pixel(png_row_infop row_info,png_bytep row,png_const_bytep prev_row)3894 png_read_filter_row_paeth_multibyte_pixel(png_row_infop row_info, png_bytep row,
3895    png_const_bytep prev_row)
3896 {
3897    int bpp = (row_info->pixel_depth + 7) >> 3;
3898    png_bytep rp_end = row + bpp;
3899 
3900    /* Process the first pixel in the row completely (this is the same as 'up'
3901     * because there is only one candidate predictor for the first row).
3902     */
3903    while (row < rp_end)
3904    {
3905       int a = *row + *prev_row++;
3906       *row++ = (png_byte)a;
3907    }
3908 
3909    /* Remainder */
3910    rp_end += row_info->rowbytes - bpp;
3911 
3912    while (row < rp_end)
3913    {
3914       int a, b, c, pa, pb, pc, p;
3915 
3916       c = *(prev_row - bpp);
3917       a = *(row - bpp);
3918       b = *prev_row++;
3919 
3920       p = b - c;
3921       pc = a - c;
3922 
3923 #ifdef PNG_USE_ABS
3924       pa = abs(p);
3925       pb = abs(pc);
3926       pc = abs(p + pc);
3927 #else
3928       pa = p < 0 ? -p : p;
3929       pb = pc < 0 ? -pc : pc;
3930       pc = (p + pc) < 0 ? -(p + pc) : p + pc;
3931 #endif
3932 
3933       if (pb < pa) pa = pb, a = b;
3934       if (pc < pa) a = c;
3935 
3936       a += *row;
3937       *row++ = (png_byte)a;
3938    }
3939 }
3940 
3941 static void
png_init_filter_functions(png_structrp pp)3942 png_init_filter_functions(png_structrp pp)
3943    /* This function is called once for every PNG image (except for PNG images
3944     * that only use PNG_FILTER_VALUE_NONE for all rows) to set the
3945     * implementations required to reverse the filtering of PNG rows.  Reversing
3946     * the filter is the first transformation performed on the row data.  It is
3947     * performed in place, therefore an implementation can be selected based on
3948     * the image pixel format.  If the implementation depends on image width then
3949     * take care to ensure that it works correctly if the image is interlaced -
3950     * interlacing causes the actual row width to vary.
3951     */
3952 {
3953    unsigned int bpp = (pp->pixel_depth + 7) >> 3;
3954 
3955    pp->read_filter[PNG_FILTER_VALUE_SUB-1] = png_read_filter_row_sub;
3956    pp->read_filter[PNG_FILTER_VALUE_UP-1] = png_read_filter_row_up;
3957    pp->read_filter[PNG_FILTER_VALUE_AVG-1] = png_read_filter_row_avg;
3958    if (bpp == 1)
3959       pp->read_filter[PNG_FILTER_VALUE_PAETH-1] =
3960          png_read_filter_row_paeth_1byte_pixel;
3961    else
3962       pp->read_filter[PNG_FILTER_VALUE_PAETH-1] =
3963          png_read_filter_row_paeth_multibyte_pixel;
3964 
3965 #ifdef PNG_FILTER_OPTIMIZATIONS
3966    /* To use this define PNG_FILTER_OPTIMIZATIONS as the name of a function to
3967     * call to install hardware optimizations for the above functions; simply
3968     * replace whatever elements of the pp->read_filter[] array with a hardware
3969     * specific (or, for that matter, generic) optimization.
3970     *
3971     * To see an example of this examine what configure.ac does when
3972     * --enable-arm-neon is specified on the command line.
3973     */
3974    PNG_FILTER_OPTIMIZATIONS(pp, bpp);
3975 #endif
3976 }
3977 
3978 void /* PRIVATE */
png_read_filter_row(png_structrp pp,png_row_infop row_info,png_bytep row,png_const_bytep prev_row,int filter)3979 png_read_filter_row(png_structrp pp, png_row_infop row_info, png_bytep row,
3980    png_const_bytep prev_row, int filter)
3981 {
3982    /* OPTIMIZATION: DO NOT MODIFY THIS FUNCTION, instead #define
3983     * PNG_FILTER_OPTIMIZATIONS to a function that overrides the generic
3984     * implementations.  See png_init_filter_functions above.
3985     */
3986    if (filter > PNG_FILTER_VALUE_NONE && filter < PNG_FILTER_VALUE_LAST)
3987    {
3988       if (pp->read_filter[0] == NULL)
3989          png_init_filter_functions(pp);
3990 
3991       pp->read_filter[filter-1](row_info, row, prev_row);
3992    }
3993 }
3994 
3995 #ifdef PNG_SEQUENTIAL_READ_SUPPORTED
3996 void /* PRIVATE */
png_read_IDAT_data(png_structrp png_ptr,png_bytep output,png_alloc_size_t avail_out)3997 png_read_IDAT_data(png_structrp png_ptr, png_bytep output,
3998    png_alloc_size_t avail_out)
3999 {
4000    /* Loop reading IDATs and decompressing the result into output[avail_out] */
4001    png_ptr->zstream.next_out = output;
4002    png_ptr->zstream.avail_out = 0; /* safety: set below */
4003 
4004    if (output == NULL)
4005       avail_out = 0;
4006 
4007    do
4008    {
4009       int ret;
4010       png_byte tmpbuf[PNG_INFLATE_BUF_SIZE];
4011 
4012       if (png_ptr->zstream.avail_in == 0)
4013       {
4014          uInt avail_in;
4015          png_bytep buffer;
4016 
4017          while (png_ptr->idat_size == 0)
4018          {
4019             png_crc_finish(png_ptr, 0);
4020 
4021             png_ptr->idat_size = png_read_chunk_header(png_ptr);
4022             /* This is an error even in the 'check' case because the code just
4023              * consumed a non-IDAT header.
4024              */
4025             if (png_ptr->chunk_name != png_IDAT)
4026                png_error(png_ptr, "Not enough image data");
4027          }
4028 
4029          avail_in = png_ptr->IDAT_read_size;
4030 
4031          if (avail_in > png_ptr->idat_size)
4032             avail_in = (uInt)png_ptr->idat_size;
4033 
4034          /* A PNG with a gradually increasing IDAT size will defeat this attempt
4035           * to minimize memory usage by causing lots of re-allocs, but
4036           * realistically doing IDAT_read_size re-allocs is not likely to be a
4037           * big problem.
4038           */
4039          buffer = png_read_buffer(png_ptr, avail_in, 0/*error*/);
4040 
4041          png_crc_read(png_ptr, buffer, avail_in);
4042          png_ptr->idat_size -= avail_in;
4043 
4044          png_ptr->zstream.next_in = buffer;
4045          png_ptr->zstream.avail_in = avail_in;
4046       }
4047 
4048       /* And set up the output side. */
4049       if (output != NULL) /* standard read */
4050       {
4051          uInt out = ZLIB_IO_MAX;
4052 
4053          if (out > avail_out)
4054             out = (uInt)avail_out;
4055 
4056          avail_out -= out;
4057          png_ptr->zstream.avail_out = out;
4058       }
4059 
4060       else /* after last row, checking for end */
4061       {
4062          png_ptr->zstream.next_out = tmpbuf;
4063          png_ptr->zstream.avail_out = (sizeof tmpbuf);
4064       }
4065 
4066       /* Use NO_FLUSH; this gives zlib the maximum opportunity to optimize the
4067        * process.  If the LZ stream is truncated the sequential reader will
4068        * terminally damage the stream, above, by reading the chunk header of the
4069        * following chunk (it then exits with png_error).
4070        *
4071        * TODO: deal more elegantly with truncated IDAT lists.
4072        */
4073       ret = PNG_INFLATE(png_ptr, Z_NO_FLUSH);
4074 
4075       /* Take the unconsumed output back. */
4076       if (output != NULL)
4077          avail_out += png_ptr->zstream.avail_out;
4078 
4079       else /* avail_out counts the extra bytes */
4080          avail_out += (sizeof tmpbuf) - png_ptr->zstream.avail_out;
4081 
4082       png_ptr->zstream.avail_out = 0;
4083 
4084       if (ret == Z_STREAM_END)
4085       {
4086          /* Do this for safety; we won't read any more into this row. */
4087          png_ptr->zstream.next_out = NULL;
4088 
4089          png_ptr->mode |= PNG_AFTER_IDAT;
4090          png_ptr->flags |= PNG_FLAG_ZSTREAM_ENDED;
4091 
4092          if (png_ptr->zstream.avail_in > 0 || png_ptr->idat_size > 0)
4093             png_chunk_benign_error(png_ptr, "Extra compressed data");
4094          break;
4095       }
4096 
4097       if (ret != Z_OK)
4098       {
4099          png_zstream_error(png_ptr, ret);
4100 
4101          if (output != NULL)
4102             png_chunk_error(png_ptr, png_ptr->zstream.msg);
4103 
4104          else /* checking */
4105          {
4106             png_chunk_benign_error(png_ptr, png_ptr->zstream.msg);
4107             return;
4108          }
4109       }
4110    } while (avail_out > 0);
4111 
4112    if (avail_out > 0)
4113    {
4114       /* The stream ended before the image; this is the same as too few IDATs so
4115        * should be handled the same way.
4116        */
4117       if (output != NULL)
4118          png_error(png_ptr, "Not enough image data");
4119 
4120       else /* the deflate stream contained extra data */
4121          png_chunk_benign_error(png_ptr, "Too much image data");
4122    }
4123 }
4124 
4125 void /* PRIVATE */
png_read_finish_IDAT(png_structrp png_ptr)4126 png_read_finish_IDAT(png_structrp png_ptr)
4127 {
4128    /* We don't need any more data and the stream should have ended, however the
4129     * LZ end code may actually not have been processed.  In this case we must
4130     * read it otherwise stray unread IDAT data or, more likely, an IDAT chunk
4131     * may still remain to be consumed.
4132     */
4133    if ((png_ptr->flags & PNG_FLAG_ZSTREAM_ENDED) == 0)
4134    {
4135       /* The NULL causes png_read_IDAT_data to swallow any remaining bytes in
4136        * the compressed stream, but the stream may be damaged too, so even after
4137        * this call we may need to terminate the zstream ownership.
4138        */
4139       png_read_IDAT_data(png_ptr, NULL, 0);
4140       png_ptr->zstream.next_out = NULL; /* safety */
4141 
4142       /* Now clear everything out for safety; the following may not have been
4143        * done.
4144        */
4145       if ((png_ptr->flags & PNG_FLAG_ZSTREAM_ENDED) == 0)
4146       {
4147          png_ptr->mode |= PNG_AFTER_IDAT;
4148          png_ptr->flags |= PNG_FLAG_ZSTREAM_ENDED;
4149       }
4150    }
4151 
4152    /* If the zstream has not been released do it now *and* terminate the reading
4153     * of the final IDAT chunk.
4154     */
4155    if (png_ptr->zowner == png_IDAT)
4156    {
4157       /* Always do this; the pointers otherwise point into the read buffer. */
4158       png_ptr->zstream.next_in = NULL;
4159       png_ptr->zstream.avail_in = 0;
4160 
4161       /* Now we no longer own the zstream. */
4162       png_ptr->zowner = 0;
4163 
4164       /* The slightly weird semantics of the sequential IDAT reading is that we
4165        * are always in or at the end of an IDAT chunk, so we always need to do a
4166        * crc_finish here.  If idat_size is non-zero we also need to read the
4167        * spurious bytes at the end of the chunk now.
4168        */
4169       (void)png_crc_finish(png_ptr, png_ptr->idat_size);
4170    }
4171 }
4172 
4173 void /* PRIVATE */
png_read_finish_row(png_structrp png_ptr)4174 png_read_finish_row(png_structrp png_ptr)
4175 {
4176    /* Arrays to facilitate easy interlacing - use pass (0 - 6) as index */
4177 
4178    /* Start of interlace block */
4179    static PNG_CONST png_byte png_pass_start[7] = {0, 4, 0, 2, 0, 1, 0};
4180 
4181    /* Offset to next interlace block */
4182    static PNG_CONST png_byte png_pass_inc[7] = {8, 8, 4, 4, 2, 2, 1};
4183 
4184    /* Start of interlace block in the y direction */
4185    static PNG_CONST png_byte png_pass_ystart[7] = {0, 0, 4, 0, 2, 0, 1};
4186 
4187    /* Offset to next interlace block in the y direction */
4188    static PNG_CONST png_byte png_pass_yinc[7] = {8, 8, 8, 4, 4, 2, 2};
4189 
4190    png_debug(1, "in png_read_finish_row");
4191    png_ptr->row_number++;
4192    if (png_ptr->row_number < png_ptr->num_rows)
4193       return;
4194 
4195    if (png_ptr->interlaced != 0)
4196    {
4197       png_ptr->row_number = 0;
4198 
4199       /* TO DO: don't do this if prev_row isn't needed (requires
4200        * read-ahead of the next row's filter byte.
4201        */
4202       memset(png_ptr->prev_row, 0, png_ptr->rowbytes + 1);
4203 
4204       do
4205       {
4206          png_ptr->pass++;
4207 
4208          if (png_ptr->pass >= 7)
4209             break;
4210 
4211          png_ptr->iwidth = (png_ptr->width +
4212             png_pass_inc[png_ptr->pass] - 1 -
4213             png_pass_start[png_ptr->pass]) /
4214             png_pass_inc[png_ptr->pass];
4215 
4216          if ((png_ptr->transformations & PNG_INTERLACE) == 0)
4217          {
4218             png_ptr->num_rows = (png_ptr->height +
4219                 png_pass_yinc[png_ptr->pass] - 1 -
4220                 png_pass_ystart[png_ptr->pass]) /
4221                 png_pass_yinc[png_ptr->pass];
4222          }
4223 
4224          else  /* if (png_ptr->transformations & PNG_INTERLACE) */
4225             break; /* libpng deinterlacing sees every row */
4226 
4227       } while (png_ptr->num_rows == 0 || png_ptr->iwidth == 0);
4228 
4229       if (png_ptr->pass < 7)
4230          return;
4231    }
4232 
4233    /* Here after at the end of the last row of the last pass. */
4234    png_read_finish_IDAT(png_ptr);
4235 }
4236 #endif /* SEQUENTIAL_READ */
4237 
4238 void /* PRIVATE */
png_read_start_row(png_structrp png_ptr)4239 png_read_start_row(png_structrp png_ptr)
4240 {
4241    /* Arrays to facilitate easy interlacing - use pass (0 - 6) as index */
4242 
4243    /* Start of interlace block */
4244    static PNG_CONST png_byte png_pass_start[7] = {0, 4, 0, 2, 0, 1, 0};
4245 
4246    /* Offset to next interlace block */
4247    static PNG_CONST png_byte png_pass_inc[7] = {8, 8, 4, 4, 2, 2, 1};
4248 
4249    /* Start of interlace block in the y direction */
4250    static PNG_CONST png_byte png_pass_ystart[7] = {0, 0, 4, 0, 2, 0, 1};
4251 
4252    /* Offset to next interlace block in the y direction */
4253    static PNG_CONST png_byte png_pass_yinc[7] = {8, 8, 8, 4, 4, 2, 2};
4254 
4255    int max_pixel_depth;
4256    png_size_t row_bytes;
4257 
4258    png_debug(1, "in png_read_start_row");
4259 
4260 #ifdef PNG_READ_TRANSFORMS_SUPPORTED
4261    png_init_read_transformations(png_ptr);
4262 #endif
4263    if (png_ptr->interlaced != 0)
4264    {
4265       if ((png_ptr->transformations & PNG_INTERLACE) == 0)
4266          png_ptr->num_rows = (png_ptr->height + png_pass_yinc[0] - 1 -
4267              png_pass_ystart[0]) / png_pass_yinc[0];
4268 
4269       else
4270          png_ptr->num_rows = png_ptr->height;
4271 
4272       png_ptr->iwidth = (png_ptr->width +
4273           png_pass_inc[png_ptr->pass] - 1 -
4274           png_pass_start[png_ptr->pass]) /
4275           png_pass_inc[png_ptr->pass];
4276    }
4277 
4278    else
4279    {
4280       png_ptr->num_rows = png_ptr->height;
4281       png_ptr->iwidth = png_ptr->width;
4282    }
4283 
4284    max_pixel_depth = png_ptr->pixel_depth;
4285 
4286    /* WARNING: * png_read_transform_info (pngrtran.c) performs a simpler set of
4287     * calculations to calculate the final pixel depth, then
4288     * png_do_read_transforms actually does the transforms.  This means that the
4289     * code which effectively calculates this value is actually repeated in three
4290     * separate places.  They must all match.  Innocent changes to the order of
4291     * transformations can and will break libpng in a way that causes memory
4292     * overwrites.
4293     *
4294     * TODO: fix this.
4295     */
4296 #ifdef PNG_READ_PACK_SUPPORTED
4297    if ((png_ptr->transformations & PNG_PACK) != 0 && png_ptr->bit_depth < 8)
4298       max_pixel_depth = 8;
4299 #endif
4300 
4301 #ifdef PNG_READ_EXPAND_SUPPORTED
4302    if ((png_ptr->transformations & PNG_EXPAND) != 0)
4303    {
4304       if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
4305       {
4306          if (png_ptr->num_trans != 0)
4307             max_pixel_depth = 32;
4308 
4309          else
4310             max_pixel_depth = 24;
4311       }
4312 
4313       else if (png_ptr->color_type == PNG_COLOR_TYPE_GRAY)
4314       {
4315          if (max_pixel_depth < 8)
4316             max_pixel_depth = 8;
4317 
4318          if (png_ptr->num_trans != 0)
4319             max_pixel_depth *= 2;
4320       }
4321 
4322       else if (png_ptr->color_type == PNG_COLOR_TYPE_RGB)
4323       {
4324          if (png_ptr->num_trans != 0)
4325          {
4326             max_pixel_depth *= 4;
4327             max_pixel_depth /= 3;
4328          }
4329       }
4330    }
4331 #endif
4332 
4333 #ifdef PNG_READ_EXPAND_16_SUPPORTED
4334    if ((png_ptr->transformations & PNG_EXPAND_16) != 0)
4335    {
4336 #  ifdef PNG_READ_EXPAND_SUPPORTED
4337       /* In fact it is an error if it isn't supported, but checking is
4338        * the safe way.
4339        */
4340       if ((png_ptr->transformations & PNG_EXPAND) != 0)
4341       {
4342          if (png_ptr->bit_depth < 16)
4343             max_pixel_depth *= 2;
4344       }
4345       else
4346 #  endif
4347       png_ptr->transformations &= ~PNG_EXPAND_16;
4348    }
4349 #endif
4350 
4351 #ifdef PNG_READ_FILLER_SUPPORTED
4352    if ((png_ptr->transformations & (PNG_FILLER)) != 0)
4353    {
4354       if (png_ptr->color_type == PNG_COLOR_TYPE_GRAY)
4355       {
4356          if (max_pixel_depth <= 8)
4357             max_pixel_depth = 16;
4358 
4359          else
4360             max_pixel_depth = 32;
4361       }
4362 
4363       else if (png_ptr->color_type == PNG_COLOR_TYPE_RGB ||
4364          png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
4365       {
4366          if (max_pixel_depth <= 32)
4367             max_pixel_depth = 32;
4368 
4369          else
4370             max_pixel_depth = 64;
4371       }
4372    }
4373 #endif
4374 
4375 #ifdef PNG_READ_GRAY_TO_RGB_SUPPORTED
4376    if ((png_ptr->transformations & PNG_GRAY_TO_RGB) != 0)
4377    {
4378       if (
4379 #ifdef PNG_READ_EXPAND_SUPPORTED
4380           (png_ptr->num_trans != 0 &&
4381           (png_ptr->transformations & PNG_EXPAND) != 0) ||
4382 #endif
4383 #ifdef PNG_READ_FILLER_SUPPORTED
4384           (png_ptr->transformations & (PNG_FILLER)) != 0 ||
4385 #endif
4386           png_ptr->color_type == PNG_COLOR_TYPE_GRAY_ALPHA)
4387       {
4388          if (max_pixel_depth <= 16)
4389             max_pixel_depth = 32;
4390 
4391          else
4392             max_pixel_depth = 64;
4393       }
4394 
4395       else
4396       {
4397          if (max_pixel_depth <= 8)
4398          {
4399             if (png_ptr->color_type == PNG_COLOR_TYPE_RGB_ALPHA)
4400                max_pixel_depth = 32;
4401 
4402             else
4403                max_pixel_depth = 24;
4404          }
4405 
4406          else if (png_ptr->color_type == PNG_COLOR_TYPE_RGB_ALPHA)
4407             max_pixel_depth = 64;
4408 
4409          else
4410             max_pixel_depth = 48;
4411       }
4412    }
4413 #endif
4414 
4415 #if defined(PNG_READ_USER_TRANSFORM_SUPPORTED) && \
4416 defined(PNG_USER_TRANSFORM_PTR_SUPPORTED)
4417    if ((png_ptr->transformations & PNG_USER_TRANSFORM) != 0)
4418    {
4419       int user_pixel_depth = png_ptr->user_transform_depth *
4420          png_ptr->user_transform_channels;
4421 
4422       if (user_pixel_depth > max_pixel_depth)
4423          max_pixel_depth = user_pixel_depth;
4424    }
4425 #endif
4426 
4427    /* This value is stored in png_struct and double checked in the row read
4428     * code.
4429     */
4430    png_ptr->maximum_pixel_depth = (png_byte)max_pixel_depth;
4431    png_ptr->transformed_pixel_depth = 0; /* calculated on demand */
4432 
4433    /* Align the width on the next larger 8 pixels.  Mainly used
4434     * for interlacing
4435     */
4436    row_bytes = ((png_ptr->width + 7) & ~((png_uint_32)7));
4437    /* Calculate the maximum bytes needed, adding a byte and a pixel
4438     * for safety's sake
4439     */
4440    row_bytes = PNG_ROWBYTES(max_pixel_depth, row_bytes) +
4441        1 + ((max_pixel_depth + 7) >> 3);
4442 
4443 #ifdef PNG_MAX_MALLOC_64K
4444    if (row_bytes > (png_uint_32)65536L)
4445       png_error(png_ptr, "This image requires a row greater than 64KB");
4446 #endif
4447 
4448    if (row_bytes + 48 > png_ptr->old_big_row_buf_size)
4449    {
4450      png_free(png_ptr, png_ptr->big_row_buf);
4451      png_free(png_ptr, png_ptr->big_prev_row);
4452 
4453      if (png_ptr->interlaced != 0)
4454         png_ptr->big_row_buf = (png_bytep)png_calloc(png_ptr,
4455             row_bytes + 48);
4456 
4457      else
4458         png_ptr->big_row_buf = (png_bytep)png_malloc(png_ptr, row_bytes + 48);
4459 
4460      png_ptr->big_prev_row = (png_bytep)png_malloc(png_ptr, row_bytes + 48);
4461 
4462 #ifdef PNG_ALIGNED_MEMORY_SUPPORTED
4463      /* Use 16-byte aligned memory for row_buf with at least 16 bytes
4464       * of padding before and after row_buf; treat prev_row similarly.
4465       * NOTE: the alignment is to the start of the pixels, one beyond the start
4466       * of the buffer, because of the filter byte.  Prior to libpng 1.5.6 this
4467       * was incorrect; the filter byte was aligned, which had the exact
4468       * opposite effect of that intended.
4469       */
4470      {
4471         png_bytep temp = png_ptr->big_row_buf + 32;
4472         int extra = (int)((temp - (png_bytep)0) & 0x0f);
4473         png_ptr->row_buf = temp - extra - 1/*filter byte*/;
4474 
4475         temp = png_ptr->big_prev_row + 32;
4476         extra = (int)((temp - (png_bytep)0) & 0x0f);
4477         png_ptr->prev_row = temp - extra - 1/*filter byte*/;
4478      }
4479 
4480 #else
4481      /* Use 31 bytes of padding before and 17 bytes after row_buf. */
4482      png_ptr->row_buf = png_ptr->big_row_buf + 31;
4483      png_ptr->prev_row = png_ptr->big_prev_row + 31;
4484 #endif
4485      png_ptr->old_big_row_buf_size = row_bytes + 48;
4486    }
4487 
4488 #ifdef PNG_MAX_MALLOC_64K
4489    if (png_ptr->rowbytes > 65535)
4490       png_error(png_ptr, "This image requires a row greater than 64KB");
4491 
4492 #endif
4493    if (png_ptr->rowbytes > (PNG_SIZE_MAX - 1))
4494       png_error(png_ptr, "Row has too many bytes to allocate in memory");
4495 
4496    memset(png_ptr->prev_row, 0, png_ptr->rowbytes + 1);
4497 
4498    png_debug1(3, "width = %u,", png_ptr->width);
4499    png_debug1(3, "height = %u,", png_ptr->height);
4500    png_debug1(3, "iwidth = %u,", png_ptr->iwidth);
4501    png_debug1(3, "num_rows = %u,", png_ptr->num_rows);
4502    png_debug1(3, "rowbytes = %lu,", (unsigned long)png_ptr->rowbytes);
4503    png_debug1(3, "irowbytes = %lu",
4504        (unsigned long)PNG_ROWBYTES(png_ptr->pixel_depth, png_ptr->iwidth) + 1);
4505 
4506    /* The sequential reader needs a buffer for IDAT, but the progressive reader
4507     * does not, so free the read buffer now regardless; the sequential reader
4508     * reallocates it on demand.
4509     */
4510    if (png_ptr->read_buffer != 0)
4511    {
4512       png_bytep buffer = png_ptr->read_buffer;
4513 
4514       png_ptr->read_buffer_size = 0;
4515       png_ptr->read_buffer = NULL;
4516       png_free(png_ptr, buffer);
4517    }
4518 
4519    /* Finally claim the zstream for the inflate of the IDAT data, use the bits
4520     * value from the stream (note that this will result in a fatal error if the
4521     * IDAT stream has a bogus deflate header window_bits value, but this should
4522     * not be happening any longer!)
4523     */
4524    if (png_inflate_claim(png_ptr, png_IDAT) != Z_OK)
4525       png_error(png_ptr, png_ptr->zstream.msg);
4526 
4527    png_ptr->flags |= PNG_FLAG_ROW_INIT;
4528 }
4529 #endif /* READ */
4530